The documentation regarding Secure Boot using espsecure.py to generate the digest for burning the eFuse signature block assumes that the private key is available. We are using an external HSM (Digicert, via PKS11) and we're wondering how we can do this from a pre-signed binary (or what other method ...

I know this is late, but my guess is that you are starting with a public PEM rather than the required private PEM.

Thanks for your answers.

Also note that you have to erase the flash (idf.py -p PORT erase_flash) before you start the procedure otherwise you can get ESP_ERR_NVS_CORRUPT_KEY_PART.

This also applies to ESP32's delivered from the factory as they are not always erased when received.

I have thoroughly read through your suggested documentation you suggested at https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/host-based-security-workflows.html#enable-flash-encryption-and-secure-boot-v2-externally We simply request a complete step-by-step with command lines . It...

Can someone PLEASE respond to this. It MUST have been done by Espressif at some point, so why not just show us EXACTLY what you did to prove it works.

Any updates?

?

We have found that FTDI serial cables work, but CP210x cables do NOT work.
It has to do with the timing of control signals and the problem with the Q1,Q2 design I highlighted above.

Can someone PLEASE respond to this. It MUST have been done by Espressif at some point, so why not just show us EXACTLY what you did to prove it works. I have now bricked 4 ESP32 dev boards because Espressif documentation is inadequate and poorly organised. To try and push things along, this is what ...

I don't believe it is as easy as you say. I can successfully program encrypted flash OR secure boot - but not both. (1) If I enable encrypted flash, let it boot and encrypt and reboot - then encrypted flash flash is working ok (2) If I then enable secure boot, then the header is invalid. I suspect t...