1
0
Fork 0
mirror of https://github.com/imjasonh/esp32 synced 2026-07-08 08:25:02 +00:00
esp32/provisioning.toml.example
Jason Hall 1928dcfd47 Provision Wi-Fi creds + trust roots via NVS instead of compile-time embed
Implements provisioning-plan.md. The OTA-distributed firmware no longer
contains any secrets or per-device config — those live in NVS and are
written via USB by `make provision` from a (gitignored)
`provisioning.toml`. Same firmware bytes can run on any device.

Firmware changes:
- src/main.rs reads wifi/ssid + wifi/pass from NVS namespace `wifi`.
  Strict-inert (sit-and-log) when missing; no compile-time fallback.
  WIFI_SSID/WIFI_PASS env! macros gone.
- src/trust.rs becomes a `TrustConfig::load(nvs)` loader. Identities
  come from NVS namespace `trust`, key `identities` (JSON-encoded
  array). Sigstore root + intermediate PEMs come from `trust/fulcio_root`
  and `trust/fulcio_inter` blobs. include_str! gone.
- src/sig.rs and src/ota.rs thread &TrustConfig through verify_bundle
  and the OTA loop instead of reading global consts.
- build.rs no longer tracks WIFI_* env changes.

New tool:
- tools/provision/ host-side cargo crate. Reads provisioning.toml,
  emits an NVS CSV, shells out to ESP-IDF's nvs_partition_gen.py to
  produce a binary NVS image, optionally `espflash write-bin`'s it.

Make targets:
- `make provision` — build NVS image + flash it.
- `make bootstrap` — flash-all + provision (new device setup).
- `make build` no longer requires wifi.env.
- wifi.env removed from prereqs / WIFI_ENV variable removed.

Workflows:
- ci.yml: drops the placeholder wifi.env step, adds a `build provision`
  job alongside the firmware + publisher jobs.
- publish.yml: drops WIFI_SSID/WIFI_PASS secret reads. Only secret
  needed is the auto-injected GITHUB_TOKEN.

Docs:
- README updated to use `make bootstrap` + `make provision` flow.
  Project layout moved to a new repo-local CLAUDE.md.
- provisioning.toml.example committed as the template the user copies.
- wifi.env.example removed (no longer used).

Migration: existing devices need `make bootstrap` over USB. The new
firmware has no embedded creds; OTAing to it without provisioning
would just sit in strict-inert.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 16:14:26 -04:00

29 lines
1.2 KiB
Text

# Provisioning config for `make provision`. Copy to `provisioning.toml`
# (gitignored) and fill in your values, then `make provision` to write
# everything to the device's NVS partition over USB.
[wifi]
ssid = "your-wifi-ssid"
pass = "your-wifi-password"
[trust]
# Bundled Sigstore Fulcio root + intermediate CA PEMs. These come from
# https://github.com/sigstore/root-signing/tree/main/targets and need to
# be re-fetched + re-provisioned if Sigstore rotates them (rare).
fulcio_root_pem = "trust/fulcio_root.pem"
fulcio_intermediate_pem = "trust/fulcio_intermediate.pem"
# Allowlist of (identity, issuer) pairs the OTA verifier accepts as
# signers of incoming firmware. Identity is the SAN value in the Fulcio
# leaf cert — an rfc822Name (email) for OIDC issuers like Google, or a
# URI for workflow-based issuers like GitHub Actions.
# Manual `make publish` from a developer machine.
[[trust.identities]]
identity = "imjasonh@gmail.com"
issuer = "https://accounts.google.com"
# Automated publishes from the GHA workflow on push to main.
[[trust.identities]]
identity = "https://github.com/imjasonh/esp32/.github/workflows/publish.yml@refs/heads/main"
issuer = "https://token.actions.githubusercontent.com"