diff --git a/build-scripts/build_recovery_size.sh b/build-scripts/build_recovery_size.sh
new file mode 100644
index 00000000..3f9fa5e3
--- /dev/null
+++ b/build-scripts/build_recovery_size.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+source /opt/esp/idf/export.sh >/dev/null 2>&1
+
+BUILD_DIR="${1:-build-recovery-trim}"
+DEFAULTS="sdkconfig.defaults;sdkconfig.recovery.defaults"
+
+# Build only the recovery ELF (skip squeezelite.elf target).
+idf.py -B "${BUILD_DIR}" -D SDKCONFIG_DEFAULTS="${DEFAULTS}" recovery.elf
+
+# Generate a standalone recovery.bin from the built ELF.
+python /opt/esp/idf/components/esptool_py/esptool/esptool.py \
+ --chip esp32 elf2image -o "${BUILD_DIR}/recovery.bin" "${BUILD_DIR}/recovery.elf" >/dev/null
+
+# Print recovery image size summary from map.
+python /opt/esp/idf/tools/idf_size.py "${BUILD_DIR}/recovery.map"
+
+# Print partition fit/overflow status for recovery.bin.
+python /opt/esp/idf/components/partition_table/check_sizes.py \
+ --offset 0x8000 partition --type app \
+ "${BUILD_DIR}/partition_table/partition-table.bin" \
+ "${BUILD_DIR}/recovery.bin" || true
diff --git a/documentation/IDF55_REMEDIATION_IMPACTS.md b/documentation/IDF55_REMEDIATION_IMPACTS.md
index 0dc7c4bb..9d60fd67 100644
--- a/documentation/IDF55_REMEDIATION_IMPACTS.md
+++ b/documentation/IDF55_REMEDIATION_IMPACTS.md
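Review bot: In build-scripts/build_recovery_size.sh the `idf.py -B "${BUILD_DIR}" -D SDKCONFIG_DEFAULTS="${DEFAULTS}" recovery.elf` call sets no `SDKCONFIG`, so unless the project's CMakeLists.txt (not visible here) redirects it, the build reads and may rewrite the shared project `sdkconfig`. As ESP-IDF documents it, defaults files only apply to symbols the existing sdkconfig has not already set, and this same commit sets `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y` and the WPA3/enterprise options explicitly in the `sdkconfig` hunks, so the recovery trims would likely not take effect and the reported size would be that of the full profile. Giving the profile its own config file avoids both problems: `idf.py -B "${BUILD_DIR}" -D SDKCONFIG="${BUILD_DIR}/sdkconfig" -D SDKCONFIG_DEFAULTS="${DEFAULTS}" recovery.elf`. Separately, the trailing `|| true` on check_sizes.py makes the script exit 0 even when recovery.bin overflows its partition, so it cannot gate a CI job; a comment stating that this is deliberate, or an opt-in strict mode, would help.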
@@ -242,16 +242,21 @@ Baseline reference (handover): - `recovery` partition: `0x130000` - overflow: `0x19a60` -Measured changes applied: -1. Disable mbedTLS certificate bundle in `sdkconfig` +Measured changes (now moved to a recovery-only profile): +1. Disable mbedTLS certificate bundle in recovery profile - `# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is not set` - observed `recovery.bin`: `0x149ae0` (intermediate run) -2. Disable optional Wi-Fi auth feature families in `sdkconfig` +2. Disable optional Wi-Fi auth feature families in recovery profile - `# CONFIG_ESP_WIFI_ENABLE_WPA3_SAE is not set` - `# CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA is not set` - `# CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT is not set` - observed `recovery.bin`: `0x142e20` +Profile split applied: +- shared `sdkconfig` restored for full app compatibility +- recovery trims moved to `sdkconfig.recovery.defaults` +- helper script added: `build-scripts/build_recovery_size.sh` + Net result vs baseline: - `recovery.bin` delta: `-0x6c40` bytes (`-27,712`) - overflow delta: `-0x6c40` bytes (`-27,712`) @@ -270,3 +275,5 @@ Latest size snapshot (`build/recovery.map`): - For open blockers, refer to latest in-container build logs under: - `build/log/idf_py_stderr_output_*` - `build/log/idf_py_stdout_output_*` +- For recovery-only footprint experiments (without changing shared `sdkconfig`), use: + - `build-scripts/build_recovery_size.sh [build-dir]` diff --git a/sdkconfig b/sdkconfig index de18651c..f086a8d8 100644 --- a/sdkconfig +++ b/sdkconfig 
@@ -1561,8 +1561,11 @@ CONFIG_ESP_WIFI_MGMT_SBUF_NUM=32 # CONFIG_ESP_WIFI_IRAM_OPT is not set # CONFIG_ESP_WIFI_EXTRA_IRAM_OPT is not set # CONFIG_ESP_WIFI_RX_IRAM_OPT is not set -# CONFIG_ESP_WIFI_ENABLE_WPA3_SAE is not set -# CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA is not set +CONFIG_ESP_WIFI_ENABLE_WPA3_SAE=y +CONFIG_ESP_WIFI_ENABLE_SAE_PK=y +CONFIG_ESP_WIFI_ENABLE_SAE_H2E=y +CONFIG_ESP_WIFI_SOFTAP_SAE_SUPPORT=y +CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA=y # CONFIG_ESP_WIFI_SLP_IRAM_OPT is not set CONFIG_ESP_WIFI_SLP_DEFAULT_MIN_ACTIVE_TIME=50 # CONFIG_ESP_WIFI_BSS_MAX_IDLE_SUPPORT is not set @@ -1575,6 +1578,7 @@ CONFIG_ESP_WIFI_SOFTAP_SUPPORT=y CONFIG_ESP_WIFI_ESPNOW_MAX_ENCRYPT_NUM=7 # CONFIG_ESP_WIFI_NAN_ENABLE is not set CONFIG_ESP_WIFI_MBEDTLS_CRYPTO=y +CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=y # CONFIG_ESP_WIFI_WAPI_PSK is not set # CONFIG_ESP_WIFI_11KV_SUPPORT is not set # CONFIG_ESP_WIFI_MBO_SUPPORT is not set @@ -1591,7 +1595,8 @@ CONFIG_ESP_WIFI_MBEDTLS_CRYPTO=y # end of WPS Configuration Options # CONFIG_ESP_WIFI_DEBUG_PRINT is not set -# CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT is not set +CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT=y +# CONFIG_ESP_WIFI_ENT_FREE_DYNAMIC_BUFFER is not set # end of Wi-Fi # @@ -2028,7 +2033,13 @@ CONFIG_MBEDTLS_PKCS7_C=y # # Certificate Bundle # -# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is not set +CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y +CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_FULL=y +# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN is not set +# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE is not set +# CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE is not set +# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEPRECATED_LIST is not set +CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_MAX_CERTS=200 # end of Certificate Bundle # CONFIG_MBEDTLS_ECP_RESTARTABLE is not set 
@@ -2623,9 +2634,10 @@ CONFIG_ESP32_WIFI_SOFTAP_BEACON_MAX_LEN=752
 CONFIG_ESP32_WIFI_MGMT_SBUF_NUM=32
 # CONFIG_ESP32_WIFI_IRAM_OPT is not set
 # CONFIG_ESP32_WIFI_RX_IRAM_OPT is not set
-# CONFIG_ESP32_WIFI_ENABLE_WPA3_SAE is not set
-# CONFIG_ESP32_WIFI_ENABLE_WPA3_OWE_STA is not set
+CONFIG_ESP32_WIFI_ENABLE_WPA3_SAE=y
+CONFIG_ESP32_WIFI_ENABLE_WPA3_OWE_STA=y
 CONFIG_WPA_MBEDTLS_CRYPTO=y
+CONFIG_WPA_MBEDTLS_TLS_CLIENT=y
 # CONFIG_WPA_WAPI_PSK is not set
 # CONFIG_WPA_11KV_SUPPORT is not set
 # CONFIG_WPA_MBO_SUPPORT is not set
diff --git a/sdkconfig.recovery.defaults b/sdkconfig.recovery.defaults
new file mode 100644
index 00000000..63a72018
--- /dev/null
+++ b/sdkconfig.recovery.defaults
@@ -0,0 +1,10 @@
+# Recovery-only footprint trims. Keep global sdkconfig full-featured.
+# Use with: -D SDKCONFIG_DEFAULTS="sdkconfig.defaults;sdkconfig.recovery.defaults"
+
+# TLS certificate bundle is large; disable in recovery profile.
+# CONFIG_MBEDTLS_CERTIFICATE_BUNDLE is not set
+
+# Disable optional Wi-Fi auth feature families in recovery profile.
+# CONFIG_ESP_WIFI_ENABLE_WPA3_SAE is not set
+# CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA is not set
+# CONFIG_ESP_WIFI_ENTERPRISE_SUPPORT is not set
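Review bot: sdkconfig.recovery.defaults turns off `CONFIG_MBEDTLS_CERTIFICATE_BUNDLE` without saying how the recovery image validates TLS servers afterwards. If recovery downloads firmware or anything else over HTTPS (not visible in this diff), confirm that path carries its own pinned CA or certificate and does not fall back to skipping server verification once the bundle is gone. The Wi-Fi trims also carry an operational cost worth recording next to them: with SAE, OWE and enterprise support removed, recovery presumably cannot join WPA3-only, OWE or 802.1X networks that the full app can. A comment such as `# Recovery must verify OTA/TLS peers with a pinned cert; it cannot join WPA3-only or enterprise networks.` above the trims would make both constraints explicit.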