feat(bootloader): Add bootloader from esp-idf

esp-idf commit: a3a0b01c

components/bootloader/Kconfig.projbuild

@@ -0,0 +1,319 @@
+menu "Bootloader config"
+choice LOG_BOOTLOADER_LEVEL
+   bool "Bootloader log verbosity"
+   default LOG_BOOTLOADER_LEVEL_INFO
+   help
+       Specify how much output to see in bootloader logs.
+
+config LOG_BOOTLOADER_LEVEL_NONE
+   bool "No output"
+config LOG_BOOTLOADER_LEVEL_ERROR
+   bool "Error"
+config LOG_BOOTLOADER_LEVEL_WARN
+   bool "Warning"
+config LOG_BOOTLOADER_LEVEL_INFO
+   bool "Info"
+config LOG_BOOTLOADER_LEVEL_DEBUG
+   bool "Debug"
+config LOG_BOOTLOADER_LEVEL_VERBOSE
+   bool "Verbose"
+endchoice
+
+config LOG_BOOTLOADER_LEVEL
+    int
+    default 0 if LOG_BOOTLOADER_LEVEL_NONE
+    default 1 if LOG_BOOTLOADER_LEVEL_ERROR
+    default 2 if LOG_BOOTLOADER_LEVEL_WARN
+    default 3 if LOG_BOOTLOADER_LEVEL_INFO
+    default 4 if LOG_BOOTLOADER_LEVEL_DEBUG
+    default 5 if LOG_BOOTLOADER_LEVEL_VERBOSE
+
+config BOOTLOADER_SPI_WP_PIN
+    int "SPI Flash WP Pin when customising pins via efuse (read help)"
+    range 0 33
+    default 7
+    depends on FLASHMODE_QIO || FLASHMODE_QOUT
+    help
+        This value is ignored unless flash mode is set to QIO or QOUT *and* the SPI flash pins have been
+        overriden by setting the efuses SPI_PAD_CONFIG_xxx.
+
+        When this is the case, the Efuse config only defines 3 of the 4 Quad I/O data pins. The WP pin (aka ESP32
+        pin "SD_DATA_3" or SPI flash pin "IO2") is not specified in Efuse. That pin number is compiled into the bootloader
+        instead.
+
+        The default value (GPIO 7) is correct for WP pin on ESP32-D2WD integrated flash.
+
+choice BOOTLOADER_VDDSDIO_BOOST
+    bool "VDDSDIO LDO voltage"
+    default BOOTLOADER_VDDSDIO_BOOST_1_9V
+    help
+        If this option is enabled, and VDDSDIO LDO is set to 1.8V (using EFUSE
+        or MTDI bootstrapping pin), bootloader will change LDO settings to
+        output 1.9V instead. This helps prevent flash chip from browning out
+        during flash programming operations.
+
+        This option has no effect if VDDSDIO is set to 3.3V, or if the internal
+        VDDSDIO regulator is disabled via efuse.
+
+config BOOTLOADER_VDDSDIO_BOOST_1_8V
+    bool "1.8V"
+    depends on !ESPTOOLPY_FLASHFREQ_80M
+config BOOTLOADER_VDDSDIO_BOOST_1_9V
+    bool "1.9V"
+endchoice
+
+config BOOTLOADER_FACTORY_RESET
+    bool "GPIO triggers factory reset"
+    default N
+    help
+        Allows to reset the device to factory settings:
+        - clear one or more data partitions;
+        - boot from "factory" partition.
+        The factory reset will occur if there is a GPIO input pulled low while device starts up.
+        See settings below.
+
+config BOOTLOADER_NUM_PIN_FACTORY_RESET
+    int "Number of the GPIO input for factory reset"
+    depends on BOOTLOADER_FACTORY_RESET
+    range 0 39
+    default 4
+    help
+        The selected GPIO will be configured as an input with internal pull-up enabled.
+        To trigger a factory reset, this GPIO must be pulled low on reset.
+        Note that GPIO34-39 do not have an internal pullup and an external one must be provided.
+
+config BOOTLOADER_OTA_DATA_ERASE
+    bool "Clear OTA data on factory reset (select factory partition)"
+    depends on BOOTLOADER_FACTORY_RESET
+    help
+        The device will boot from "factory" partition (or OTA slot 0 if no factory partition is present) after a factory reset.
+
+config BOOTLOADER_DATA_FACTORY_RESET
+     string "Comma-separated names of partitions to clear on factory reset"
+     depends on BOOTLOADER_FACTORY_RESET
+     default "nvs"
+     help
+        Allows customers to select which data partitions will be erased while factory reset.
+        
+        Specify the names of partitions as a comma-delimited with optional spaces for readability. (Like this: "nvs, phy_init, ...")
+        Make sure that the name specified in the partition table and here are the same. 
+        Partitions of type "app" cannot be specified here.
+
+config BOOTLOADER_APP_TEST
+    bool "GPIO triggers boot from test app partition"
+    default N
+    help
+        Allows to run the test app from "TEST" partition.
+        A boot from "test" partition will occur if there is a GPIO input pulled low while device starts up.
+        See settings below.
+
+config BOOTLOADER_NUM_PIN_APP_TEST
+    int "Number of the GPIO input to boot TEST partition"
+    depends on BOOTLOADER_APP_TEST
+    range 0 39
+    default 18
+    help
+        The selected GPIO will be configured as an input with internal pull-up enabled.
+        To trigger a test app, this GPIO must be pulled low on reset.
+        After the GPIO input is deactivated and the device reboots, the old application will boot. 
+        (factory or OTA[x]).
+        Note that GPIO34-39 do not have an internal pullup and an external one must be provided.
+
+config BOOTLOADER_HOLD_TIME_GPIO
+    int "Hold time of GPIO for reset/test mode (seconds)"
+    depends on BOOTLOADER_FACTORY_RESET || BOOTLOADER_APP_TEST
+    default 5
+    help
+        The GPIO must be held low continuously for this period of time after reset 
+        before a factory reset or test partition boot (as applicable) is performed.
+
+endmenu  # Bootloader
+
+
+menu "Security features"
+
+config SECURE_BOOT_ENABLED
+    bool "Enable secure boot in bootloader (READ DOCS FIRST)"
+    default N
+    help
+        Build a bootloader which enables secure boot on first boot.
+
+        Once enabled, secure boot will not boot a modified bootloader. The bootloader will only load a partition table or boot an app if the data has a verified digital signature. There are implications for reflashing updated apps once secure boot is enabled.
+
+        When enabling secure boot, JTAG and ROM BASIC Interpreter are permanently disabled by default.
+
+        Refer to https://esp-idf.readthedocs.io/en/latest/security/secure-boot.html before enabling.
+
+choice SECURE_BOOTLOADER_MODE
+    bool "Secure bootloader mode"
+    depends on SECURE_BOOT_ENABLED
+    default SECURE_BOOTLOADER_ONE_TIME_FLASH
+
+config SECURE_BOOTLOADER_ONE_TIME_FLASH
+       bool "One-time flash"
+       help
+           On first boot, the bootloader will generate a key which is not readable externally or by software. A digest is generated from the bootloader image itself. This digest will be verified on each subsequent boot.
+
+           Enabling this option means that the bootloader cannot be changed after the first time it is booted.
+
+config SECURE_BOOTLOADER_REFLASHABLE
+    bool "Reflashable"
+    help
+        Generate a reusable secure bootloader key, derived (via SHA-256) from the secure boot signing key.
+
+        This allows the secure bootloader to be re-flashed by anyone with access to the secure boot signing key.
+
+        This option is less secure than one-time flash, because a leak of the digest key from one device allows reflashing of any device that uses it.
+
+endchoice
+
+config SECURE_BOOT_BUILD_SIGNED_BINARIES
+     bool "Sign binaries during build"
+     depends on SECURE_BOOT_ENABLED
+     default y
+     help
+        Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
+
+        If enabled, these binary files are signed as part of the build process. The file named in "Secure boot private signing key" will be used to sign the image.
+
+        If disabled, unsigned app/partition data will be built. They must be signed manually using espsecure.py (for example, on a remote signing server.)
+
+config SECURE_BOOT_SIGNING_KEY
+     string "Secure boot private signing key"
+     depends on SECURE_BOOT_BUILD_SIGNED_BINARIES
+     default secure_boot_signing_key.pem
+     help
+        Path to the key file used to sign partition tables and app images for secure boot. Once secure boot is enabled, bootloader will only boot if partition table and app image are signed.
+
+        Key file is an ECDSA private key (NIST256p curve) in PEM format.
+
+        Path is evaluated relative to the project directory.
+
+        You can generate a new signing key by running the following command:
+        espsecure.py generate_signing_key secure_boot_signing_key.pem
+
+        See docs/security/secure-boot.rst for details.
+
+config SECURE_BOOT_VERIFICATION_KEY
+    string "Secure boot public signature verification key"
+    depends on SECURE_BOOT_ENABLED && !SECURE_BOOT_BUILD_SIGNED_BINARIES
+    default signature_verification_key.bin
+    help
+       Path to a public key file used to verify signed images. This key is compiled into the bootloader,
+       and may also be used to verify signatures on OTA images after download.
+
+       Key file is in raw binary format, and can be extracted from a
+       PEM formatted private key using the espsecure.py
+       extract_public_key command.
+
+       Refer to https://esp-idf.readthedocs.io/en/latest/security/secure-boot.html before enabling.
+
+config SECURE_BOOT_INSECURE
+    bool "Allow potentially insecure options"
+    depends on SECURE_BOOT_ENABLED
+    default N
+    help
+       You can disable some of the default protections offered by secure boot, in order to enable testing or a custom combination of security features.
+
+       Only enable these options if you are very sure.
+
+       Refer to https://esp-idf.readthedocs.io/en/latest/security/secure-boot.html before enabling.
+
+config FLASH_ENCRYPTION_ENABLED
+    bool "Enable flash encryption on boot (READ DOCS FIRST)"
+    default N
+    help
+       If this option is set, flash contents will be encrypted by the bootloader on first boot.
+
+       Note: After first boot, the system will be permanently encrypted. Re-flashing an encrypted
+       system is complicated and not always possible.
+
+       Read https://esp-idf.readthedocs.io/en/latest/security/flash-encryption.html before enabling.
+
+config FLASH_ENCRYPTION_INSECURE
+    bool "Allow potentially insecure options"
+    depends on FLASH_ENCRYPTION_ENABLED
+    default N
+    help
+       You can disable some of the default protections offered by flash encryption, in order to enable testing or a custom combination of security features.
+
+       Only enable these options if you are very sure.
+
+       Refer to docs/security/secure-boot.rst and docs/security/flash-encryption.rst for details.
+
+menu "Potentially insecure options"
+    visible if FLASH_ENCRYPTION_INSECURE || SECURE_BOOT_INSECURE
+
+# NOTE: Options in this menu NEED to have SECURE_BOOT_INSECURE
+# and/or FLASH_ENCRYPTION_INSECURE in "depends on", as the menu
+# itself doesn't enable/disable its children (if it's not set,
+# it's possible for the insecure menu to be disabled but the insecure option
+# to remain on which is very bad.)
+
+config SECURE_BOOT_ALLOW_ROM_BASIC
+       bool "Leave ROM BASIC Interpreter available on reset"
+       depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
+       default N
+       help
+          By default, the BASIC ROM Console starts on reset if no valid bootloader is
+          read from the flash.
+
+          When either flash encryption or secure boot are enabled, the default is to
+          disable this BASIC fallback mode permanently via efuse.
+
+          If this option is set, this efuse is not burned and the BASIC ROM Console may
+          remain accessible.  Only set this option in testing environments.
+
+config SECURE_BOOT_ALLOW_JTAG
+       bool "Allow JTAG Debugging"
+       depends on SECURE_BOOT_INSECURE || FLASH_ENCRYPTION_INSECURE
+       default N
+       help
+          If not set (default), the bootloader will permanently disable JTAG (across entire chip) on first boot when either secure boot or flash encryption is enabled.
+
+          Setting this option leaves JTAG on for debugging, which negates all protections of flash encryption and some of the protections of secure boot.
+
+          Only set this option in testing environments.
+
+
+config FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_ENCRYPT
+    bool "Leave UART bootloader encryption enabled"
+    depends on FLASH_ENCRYPTION_INSECURE
+    default N
+    help
+        If not set (default), the bootloader will permanently disable UART bootloader encryption access on first boot. If set, the UART bootloader will still be able to access hardware encryption.
+
+        It is recommended to only set this option in testing environments.
+
+config FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_DECRYPT
+    bool "Leave UART bootloader decryption enabled"
+    depends on FLASH_ENCRYPTION_INSECURE
+    default N
+    help
+        If not set (default), the bootloader will permanently disable UART bootloader decryption access on first boot. If set, the UART bootloader will still be able to access hardware decryption.
+
+        Only set this option in testing environments. Setting this option allows complete bypass of flash encryption.
+
+config FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_CACHE
+    bool "Leave UART bootloader flash cache enabled"
+    depends on FLASH_ENCRYPTION_INSECURE
+    default N
+    help
+        If not set (default), the bootloader will permanently disable UART bootloader flash cache access on first boot. If set, the UART bootloader will still be able to access the flash cache.
+
+        Only set this option in testing environments.
+
+config SECURE_BOOT_TEST_MODE
+       bool "Secure boot test mode: don't permanently set any efuses"
+       depends on SECURE_BOOT_INSECURE
+       default N
+       help
+          If this option is set, all permanent secure boot changes (via Efuse) are disabled.
+
+          Log output will state changes which would be applied, but they will not be.
+
+          This option is for testing purposes only - it completely disables secure boot protection.
+
+
+endmenu  # Potentially Insecure
+endmenu  # Security features

components/bootloader/Makefile.projbuild

@@ -0,0 +1,126 @@
+# Bootloader component (top-level project parts)
+#
+# The bootloader is not a real component that gets linked into the project.
+# Instead it is an entire standalone project (in subproject/) that gets
+# built in the upper project's build directory. This Makefile.projbuild provides
+# the glue to build the bootloader project from the original project. It
+# basically runs Make in the subproject/ directory but it needs to
+# zero some variables the ESP-IDF project.mk makefile exports first, to not
+# let them interfere.
+#
+BOOTLOADER_COMPONENT_PATH := $(COMPONENT_PATH)
+BOOTLOADER_BUILD_DIR=$(abspath $(BUILD_DIR_BASE)/bootloader)
+BOOTLOADER_BIN=$(BOOTLOADER_BUILD_DIR)/bootloader.bin
+
+# signing key path is resolved relative to the project directory
+CONFIG_SECURE_BOOT_SIGNING_KEY ?=
+SECURE_BOOT_SIGNING_KEY=$(abspath $(call dequote,$(CONFIG_SECURE_BOOT_SIGNING_KEY)))
+export SECURE_BOOT_SIGNING_KEY  # used by bootloader_support component
+
+# Has a matching value in bootloader_support esp_flash_partitions.h
+BOOTLOADER_OFFSET := 0x1000
+
+# Custom recursive make for bootloader sub-project
+#
+# NB: Some variables are cleared in the environment, not
+# overriden, because they need to be re-defined in the child
+# project.
+BOOTLOADER_MAKE= +\
+	PROJECT_PATH= \
+	COMPONENT_DIRS= \
+	$(MAKE) -C $(BOOTLOADER_COMPONENT_PATH)/subproject \
+	V=$(V) \
+	BUILD_DIR_BASE=$(BOOTLOADER_BUILD_DIR) \
+	TEST_COMPONENTS= \
+	TESTS_ALL=
+
+.PHONY: bootloader-clean bootloader-flash bootloader-list-components bootloader $(BOOTLOADER_BIN)
+
+$(BOOTLOADER_BIN): $(SDKCONFIG_MAKEFILE)
+	$(BOOTLOADER_MAKE) $@
+
+clean: bootloader-clean
+
+bootloader-list-components:
+	$(BOOTLOADER_MAKE) list-components
+
+ifndef CONFIG_SECURE_BOOT_ENABLED
+# If secure boot disabled, bootloader flashing is integrated
+# with 'make flash' and no warnings are printed.
+
+bootloader: $(BOOTLOADER_BIN)
+	@echo $(SEPARATOR)
+	@echo "Bootloader built. Default flash command is:"
+	@echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $^"
+
+ESPTOOL_ALL_FLASH_ARGS += $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)
+
+bootloader-flash: $(BOOTLOADER_BIN) $(call prereq_if_explicit,erase_flash)
+	$(ESPTOOLPY_WRITE_FLASH) 0x1000 $^
+
+else ifdef CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH
+
+# One time flashing requires user to run esptool.py command themselves,
+# and warning is printed about inability to reflash.
+#
+# The flashing command is deliberately printed without an auto-reset
+# step, so the device doesn't immediately reset to flash itself.
+
+bootloader: $(BOOTLOADER_BIN)
+	@echo $(SEPARATOR)
+	@echo "Bootloader built. One-time flash command is:"
+	@echo "$(subst hard_reset,no_reset,$(ESPTOOLPY_WRITE_FLASH)) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)"
+	@echo $(SEPARATOR)
+	@echo "* IMPORTANT: After first boot, BOOTLOADER CANNOT BE RE-FLASHED on same device"
+
+else ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
+# Reflashable secure bootloader
+# generates a digest binary (bootloader + digest)
+
+BOOTLOADER_DIGEST_BIN := $(BOOTLOADER_BUILD_DIR)/bootloader-reflash-digest.bin
+SECURE_BOOTLOADER_KEY := $(BOOTLOADER_BUILD_DIR)/secure-bootloader-key.bin
+
+ifdef CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES
+$(SECURE_BOOTLOADER_KEY): $(SECURE_BOOT_SIGNING_KEY)
+	$(ESPSECUREPY) digest_private_key -k $< $@
+else
+$(SECURE_BOOTLOADER_KEY):
+	@echo "No pre-generated key for a reflashable secure bootloader is available, due to signing configuration."
+	@echo "To generate one, you can use this command:"
+	@echo "espsecure.py generate_flash_encryption_key $@"
+	@echo "then re-run make."
+	exit 1
+endif
+
+bootloader: $(BOOTLOADER_DIGEST_BIN)
+	@echo $(SEPARATOR)
+	@echo "Bootloader built and secure digest generated. First time flash command is:"
+	@echo "$(ESPEFUSEPY) burn_key secure_boot $(SECURE_BOOTLOADER_KEY)"
+	@echo "$(ESPTOOLPY_WRITE_FLASH) $(BOOTLOADER_OFFSET) $(BOOTLOADER_BIN)"
+	@echo $(SEPARATOR)
+	@echo "To reflash the bootloader after initial flash:"
+	@echo "$(ESPTOOLPY_WRITE_FLASH) 0x0 $(BOOTLOADER_DIGEST_BIN)"
+	@echo $(SEPARATOR)
+	@echo "* After first boot, only re-flashes of this kind (with same key) will be accepted."
+	@echo "* Not recommended to re-use the same secure boot keyfile on multiple production devices."
+
+$(BOOTLOADER_DIGEST_BIN): $(BOOTLOADER_BIN) $(SECURE_BOOTLOADER_KEY)
+	@echo "DIGEST $(notdir $@)"
+	$(Q) $(ESPSECUREPY) digest_secure_bootloader -k $(SECURE_BOOTLOADER_KEY) -o $@ $<
+
+else # CONFIG_SECURE_BOOT_ENABLED && !CONFIG_SECURE_BOOTLOADER_REFLASHABLE && !CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH
+bootloader:
+	@echo "Invalid bootloader target: bad sdkconfig?"
+	@exit 1
+endif
+
+ifndef CONFIG_SECURE_BOOT_ENABLED
+# don't build bootloader by default is secure boot is enabled
+all_binaries: $(BOOTLOADER_BIN)
+endif
+
+bootloader-clean: $(SDKCONFIG_MAKEFILE)
+	$(BOOTLOADER_MAKE) app-clean
+ifdef CONFIG_SECURE_BOOTLOADER_REFLASHABLE
+	rm -f $(SECURE_BOOTLOADER_KEY) $(BOOTLOADER_DIGEST_BIN)
+endif

components/bootloader/component.mk

@@ -0,0 +1,7 @@
+# bootloader component is special, as bootloader is also a project.
+#
+# This top-level component is only configuration files for the IDF project.
+#
+# See Makefile.projbuild for the targets which actually build the bootloader.
+COMPONENT_CONFIG_ONLY := 1
+

components/bootloader/subproject/.gitignore

@@ -0,0 +1,2 @@
+build
+sdkconfig

components/bootloader/subproject/Makefile

@@ -0,0 +1,32 @@
+#
+# This is a project Makefile. It is assumed the directory this Makefile resides in is a
+# project subdirectory.
+#
+ifeq ("$(MAKELEVEL)","0")
+$(error Bootloader makefile expects to be run as part of 'make bootloader' from a top-level project.)
+endif
+
+PROJECT_NAME := bootloader
+
+COMPONENTS := esptool_py bootloader_support log spi_flash micro-ecc soc main
+
+# Clear C and CXX from top level project
+CFLAGS =
+CXXFLAGS =
+
+#We cannot include the esp32 component directly but we need its includes.
+CFLAGS += -I $(IDF_PATH)/components/esp32/include
+
+# The bootloader pseudo-component is also included in this build, for its Kconfig.projbuild to be included.
+#
+# IS_BOOTLOADER_BUILD tells the component Makefile.projbuild to be a no-op
+IS_BOOTLOADER_BUILD := 1
+export IS_BOOTLOADER_BUILD
+
+# BOOTLOADER_BUILD macro is the same, for source file changes
+CFLAGS += -D BOOTLOADER_BUILD=1
+
+# include the top-level "project" include directory, for sdkconfig.h
+CFLAGS += -I$(BUILD_DIR_BASE)/../include
+
+include $(IDF_PATH)/make/project.mk

components/bootloader/subproject/main/Makefile.projbuild

@@ -0,0 +1,4 @@
+# Submodules normally added in component.mk, but fully qualified
+# paths can be added at this level (we need binary librtc to be
+# available to link bootloader).
+COMPONENT_SUBMODULES += $(IDF_PATH)/components/esp32/lib

components/bootloader/subproject/main/bootloader_start.c

@@ -0,0 +1,122 @@
+// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include <string.h>
+#include <stdint.h>
+#include <stdbool.h>
+
+#include "esp_log.h"
+#include "rom/gpio.h"
+#include "rom/spi_flash.h"
+#include "bootloader_config.h"
+#include "bootloader_init.h"
+#include "bootloader_utility.h"
+#include "bootloader_common.h"
+#include "sdkconfig.h"
+#include "esp_image_format.h"
+
+static const char* TAG = "boot";
+
+static esp_err_t select_image (esp_image_metadata_t *image_data);
+static int selected_boot_partition(const bootloader_state_t *bs);
+/*
+ * We arrive here after the ROM bootloader finished loading this second stage bootloader from flash.
+ * The hardware is mostly uninitialized, flash cache is down and the app CPU is in reset.
+ * We do have a stack, so we can do the initialization in C.
+ */
+void call_start_cpu0()
+{
+    // 1. Hardware initialization
+    if(bootloader_init() != ESP_OK){
+        return;
+    }
+
+    // 2. Select image to boot
+    esp_image_metadata_t image_data;
+    if(select_image(&image_data) != ESP_OK){
+        return;
+    }
+
+    // 3. Loading the selected image
+    bootloader_utility_load_image(&image_data);
+}
+
+// Selects image to boot
+static esp_err_t select_image (esp_image_metadata_t *image_data)
+{
+    // 1. Load partition table
+    bootloader_state_t bs = { 0 };
+    if (!bootloader_utility_load_partition_table(&bs)) {
+        ESP_LOGE(TAG, "load partition table error!");
+        return ESP_FAIL;
+    }
+
+    // 2. Select boot partition
+    int boot_index = selected_boot_partition(&bs);
+    if(boot_index == INVALID_INDEX) {
+        return ESP_FAIL; // Unrecoverable failure (not due to corrupt ota data or bad partition contents)
+    }
+
+    // 3. Load the app image for booting
+    if (!bootloader_utility_load_boot_image(&bs, boot_index, image_data)) {
+        return ESP_FAIL;
+    }
+    return ESP_OK;
+}
+
+/*
+ * Selects a boot partition.
+ * The conditions for switching to another firmware are checked.
+ */
+static int selected_boot_partition(const bootloader_state_t *bs)
+{
+    int boot_index = bootloader_utility_get_selected_boot_partition(bs);
+    if (boot_index == INVALID_INDEX) {
+        return boot_index; // Unrecoverable failure (not due to corrupt ota data or bad partition contents)
+    } else {
+        // Factory firmware.
+#ifdef CONFIG_BOOTLOADER_FACTORY_RESET
+        if (bootloader_common_check_long_hold_gpio(CONFIG_BOOTLOADER_NUM_PIN_FACTORY_RESET, CONFIG_BOOTLOADER_HOLD_TIME_GPIO) == 1) {
+            ESP_LOGI(TAG, "Detect a condition of the factory reset");
+            bool ota_data_erase = false;
+#ifdef CONFIG_BOOTLOADER_OTA_DATA_ERASE
+            ota_data_erase = true;
+#endif
+            const char *list_erase = CONFIG_BOOTLOADER_DATA_FACTORY_RESET;
+            ESP_LOGI(TAG, "Data partitions to erase: %s", list_erase);
+            if (bootloader_common_erase_part_type_data(list_erase, ota_data_erase) == false) {
+                ESP_LOGE(TAG, "Not all partitions were erased");
+            }
+            return bootloader_utility_get_selected_boot_partition(bs);
+        }
+#endif
+       // TEST firmware.
+#ifdef CONFIG_BOOTLOADER_APP_TEST
+        if (bootloader_common_check_long_hold_gpio(CONFIG_BOOTLOADER_NUM_PIN_APP_TEST, CONFIG_BOOTLOADER_HOLD_TIME_GPIO) == 1) {
+            ESP_LOGI(TAG, "Detect a boot condition of the test firmware");
+            if (bs->test.offset != 0) {
+                boot_index = TEST_APP_INDEX;
+                return boot_index;
+            } else {
+                ESP_LOGE(TAG, "Test firmware is not found in partition table");
+                return INVALID_INDEX;
+            }
+        }
+#endif
+        // Customer implementation.
+        // if (gpio_pin_1 == true && ...){
+        //     boot_index = required_boot_partition;
+        // } ...
+    }
+    return boot_index;
+}

components/bootloader/subproject/main/component.mk

@@ -0,0 +1,21 @@
+#
+# Main bootloader Makefile.
+#
+# This is basically the same as a component makefile, but in the case of the bootloader
+# we pull in bootloader-specific linker arguments.
+#
+
+LINKER_SCRIPTS := \
+	esp32.bootloader.ld \
+	$(IDF_PATH)/components/esp32/ld/esp32.rom.ld \
+	$(IDF_PATH)/components/esp32/ld/esp32.rom.spiram_incompatible_fns.ld \
+	$(IDF_PATH)/components/esp32/ld/esp32.peripherals.ld \
+	esp32.bootloader.rom.ld
+
+ifndef CONFIG_SPI_FLASH_ROM_DRIVER_PATCH
+LINKER_SCRIPTS += $(IDF_PATH)/components/esp32/ld/esp32.rom.spiflash.ld
+endif
+
+COMPONENT_ADD_LDFLAGS += -L $(COMPONENT_PATH) $(addprefix -T ,$(LINKER_SCRIPTS))
+
+COMPONENT_ADD_LINKER_DEPS := $(LINKER_SCRIPTS)

components/bootloader/subproject/main/esp32.bootloader.ld

@@ -0,0 +1,132 @@
+/*
+Linker file used to link the bootloader.
+*/
+
+
+/* Simplified memory map for the bootloader
+
+   The main purpose is to make sure the bootloader can load into main memory
+   without overwriting itself.
+*/
+MEMORY
+{
+  /* I/O */
+  dport0_seg (RW) :                 	org = 0x3FF00000, len = 0x10
+  /* IRAM POOL1, used for APP CPU cache. We can abuse it in bootloader because APP CPU is still held in reset, the main app enables APP CPU cache */
+  iram_seg (RWX) :           org = 0x40078000, len = 0x8000
+  /* 64k at the end of DRAM, after ROM bootloader stack */
+  dram_seg (RW) :                  	org = 0x3FFF0000, len = 0x10000
+}
+
+/*  Default entry point:  */
+ENTRY(call_start_cpu0);
+
+
+SECTIONS
+{
+  .iram1.text :
+  {
+    . = ALIGN (16);
+    *(.entry.text)
+    *(.init.literal)
+    *(.init)
+  } > iram_seg
+
+
+  /* Shared RAM */
+  .dram0.bss (NOLOAD) :
+  {
+    . = ALIGN (8);
+    _bss_start = ABSOLUTE(.);
+    *(.dynsbss)
+    *(.sbss)
+    *(.sbss.*)
+    *(.gnu.linkonce.sb.*)
+    *(.scommon)
+    *(.sbss2)
+    *(.sbss2.*)
+    *(.gnu.linkonce.sb2.*)
+    *(.dynbss)
+    *(.bss)
+    *(.bss.*)
+    *(.gnu.linkonce.b.*)
+    *(COMMON)
+    . = ALIGN (8);
+    _bss_end = ABSOLUTE(.);
+  } >dram_seg
+
+  .dram0.data :
+  {
+    _data_start = ABSOLUTE(.);
+    *(.data)
+    *(.data.*)
+    *(.gnu.linkonce.d.*)
+    *(.data1)
+    *(.sdata)
+    *(.sdata.*)
+    *(.gnu.linkonce.s.*)
+    *(.sdata2)
+    *(.sdata2.*)
+    *(.gnu.linkonce.s2.*)
+    *(.jcr)
+    _data_end = ABSOLUTE(.);
+  } >dram_seg
+
+  .dram0.rodata :
+  {
+    _rodata_start = ABSOLUTE(.);
+    *(.rodata)
+    *(.rodata.*)
+    *(.gnu.linkonce.r.*)
+    *(.rodata1)
+    __XT_EXCEPTION_TABLE_ = ABSOLUTE(.);
+    *(.xt_except_table)
+    *(.gcc_except_table)
+    *(.gnu.linkonce.e.*)
+    *(.gnu.version_r)
+    *(.eh_frame)
+    . = (. + 3) & ~ 3;
+    /*  C++ constructor and destructor tables, properly ordered:  */
+    __init_array_start = ABSOLUTE(.);
+    KEEP (*crtbegin.o(.ctors))
+    KEEP (*(EXCLUDE_FILE (*crtend.o) .ctors))
+    KEEP (*(SORT(.ctors.*)))
+    KEEP (*(.ctors))
+    __init_array_end = ABSOLUTE(.);
+    KEEP (*crtbegin.o(.dtors))
+    KEEP (*(EXCLUDE_FILE (*crtend.o) .dtors))
+    KEEP (*(SORT(.dtors.*)))
+    KEEP (*(.dtors))
+    /*  C++ exception handlers table:  */
+    __XT_EXCEPTION_DESCS_ = ABSOLUTE(.);
+    *(.xt_except_desc)
+    *(.gnu.linkonce.h.*)
+    __XT_EXCEPTION_DESCS_END__ = ABSOLUTE(.);
+    *(.xt_except_desc_end)
+    *(.dynamic)
+    *(.gnu.version_d)
+    _rodata_end = ABSOLUTE(.);
+	/* Literals are also RO data. */
+    _lit4_start = ABSOLUTE(.);
+    *(*.lit4)
+    *(.lit4.*)
+    *(.gnu.linkonce.lit4.*)
+    _lit4_end = ABSOLUTE(.);
+    . = ALIGN(4);
+    _heap_start = ABSOLUTE(.);
+  } >dram_seg
+
+  .iram.text :
+  {
+    _stext = .;
+    _text_start = ABSOLUTE(.);
+    *(.literal .text .literal.* .text.* .stub .gnu.warning .gnu.linkonce.literal.* .gnu.linkonce.t.*.literal .gnu.linkonce.t.*)
+    *(.iram1 .iram1.*) /* catch stray IRAM_ATTR */
+    *(.fini.literal)
+    *(.fini)
+    *(.gnu.version)
+    _text_end = ABSOLUTE(.);
+    _etext = .;
+  } > iram_seg
+
+}

components/bootloader/subproject/main/esp32.bootloader.rom.ld

@@ -0,0 +1 @@
+PROVIDE ( ets_update_cpu_frequency = 0x40008550 ); /* Updates g_ticks_per_us on the current CPU only; not on the other core */