mirror of
https://github.com/imjasonh/esp32
synced 2026-07-18 14:35:08 +00:00
Provision Wi-Fi creds + trust roots via NVS instead of compile-time embed
Implements provisioning-plan.md. The OTA-distributed firmware no longer contains any secrets or per-device config — those live in NVS and are written via USB by `make provision` from a (gitignored) `provisioning.toml`. Same firmware bytes can run on any device. Firmware changes: - src/main.rs reads wifi/ssid + wifi/pass from NVS namespace `wifi`. Strict-inert (sit-and-log) when missing; no compile-time fallback. WIFI_SSID/WIFI_PASS env! macros gone. - src/trust.rs becomes a `TrustConfig::load(nvs)` loader. Identities come from NVS namespace `trust`, key `identities` (JSON-encoded array). Sigstore root + intermediate PEMs come from `trust/fulcio_root` and `trust/fulcio_inter` blobs. include_str! gone. - src/sig.rs and src/ota.rs thread &TrustConfig through verify_bundle and the OTA loop instead of reading global consts. - build.rs no longer tracks WIFI_* env changes. New tool: - tools/provision/ host-side cargo crate. Reads provisioning.toml, emits an NVS CSV, shells out to ESP-IDF's nvs_partition_gen.py to produce a binary NVS image, optionally `espflash write-bin`'s it. Make targets: - `make provision` — build NVS image + flash it. - `make bootstrap` — flash-all + provision (new device setup). - `make build` no longer requires wifi.env. - wifi.env removed from prereqs / WIFI_ENV variable removed. Workflows: - ci.yml: drops the placeholder wifi.env step, adds a `build provision` job alongside the firmware + publisher jobs. - publish.yml: drops WIFI_SSID/WIFI_PASS secret reads. Only secret needed is the auto-injected GITHUB_TOKEN. Docs: - README updated to use `make bootstrap` + `make provision` flow. Project layout moved to a new repo-local CLAUDE.md. - provisioning.toml.example committed as the template the user copies. - wifi.env.example removed (no longer used). Migration: existing devices need `make bootstrap` over USB. The new firmware has no embedded creds; OTAing to it without provisioning would just sit in strict-inert. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
89a80d7ba3
commit
1928dcfd47
18 changed files with 1402 additions and 150 deletions
29
provisioning.toml.example
Normal file
29
provisioning.toml.example
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
# Provisioning config for `make provision`. Copy to `provisioning.toml`
|
||||
# (gitignored) and fill in your values, then `make provision` to write
|
||||
# everything to the device's NVS partition over USB.
|
||||
|
||||
[wifi]
|
||||
ssid = "your-wifi-ssid"
|
||||
pass = "your-wifi-password"
|
||||
|
||||
[trust]
|
||||
# Bundled Sigstore Fulcio root + intermediate CA PEMs. These come from
|
||||
# https://github.com/sigstore/root-signing/tree/main/targets and need to
|
||||
# be re-fetched + re-provisioned if Sigstore rotates them (rare).
|
||||
fulcio_root_pem = "trust/fulcio_root.pem"
|
||||
fulcio_intermediate_pem = "trust/fulcio_intermediate.pem"
|
||||
|
||||
# Allowlist of (identity, issuer) pairs the OTA verifier accepts as
|
||||
# signers of incoming firmware. Identity is the SAN value in the Fulcio
|
||||
# leaf cert — an rfc822Name (email) for OIDC issuers like Google, or a
|
||||
# URI for workflow-based issuers like GitHub Actions.
|
||||
|
||||
# Manual `make publish` from a developer machine.
|
||||
[[trust.identities]]
|
||||
identity = "imjasonh@gmail.com"
|
||||
issuer = "https://accounts.google.com"
|
||||
|
||||
# Automated publishes from the GHA workflow on push to main.
|
||||
[[trust.identities]]
|
||||
identity = "https://github.com/imjasonh/esp32/.github/workflows/publish.yml@refs/heads/main"
|
||||
issuer = "https://token.actions.githubusercontent.com"
|
||||
Loading…
Add table
Add a link
Reference in a new issue