I am looking to configure a production batch of devices (esp32-v3) with secure boot v2 enabled and unique keys generated on-chip on first boot. The steps outlined in the documentation for externally enabling the security features are considered too involved for the mass production facility we wish to use.
Ideally we supply the factory with simple instructions and a single .bin file for the entire flash. Use of idf framework and/or using a host to generate unique keys per device is infeasible. Use of esptool in binary form or better yet, the flash download tools are OK.
Therefore, I am looking for a workflow where we flash a .bin containing signed bootloader + signed app0 (and partition table etc.), all unencrypted. Is it possible to configure the bootloader to then autonomously:
- burn BLOCK2 (using either bootloader's or application's pubkey digest, or calculated over flash contents)
- burn ABS_DONE_1
- burn FLASH_CRYPT_CONFIG = 0xF
- burn FLASH_CRYPT_CONFIG = 0x7F
- burn UART_DOWNLOAD_DIS
- burn DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT, JTAG_DISABLE
- during first boot, flash contents are encrypted with a unique key generated then and there
Secure boot v2 + unique key flash encryption on first boot
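As an added post-production verification example (not from the original post or from Espressif), the script below parses a constructed listing in the spirit of `espefuse.py summary` output and checks that the eFuses named in the post are in the expected state; the line format, sample values and the `EXPECTED_FLAGS` table are assumptions, with FLASH_CRYPT_CONFIG checked against 0xF.

```python
import re

# Constructed sample, approximating "NAME (BLOCKn) description = VALUE R/W" lines;
# it is not a real capture from a device.
SAMPLE_SUMMARY = """\
ABS_DONE_1 (BLOCK0)          Secure boot V2 enabled for bootloader image = True R/W (0b1)
FLASH_CRYPT_CONFIG (BLOCK0)  Flash encryption config (key tweak bits)    = 15 R/W (0xf)
UART_DOWNLOAD_DIS (BLOCK0)   Disable UART download mode                  = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0)  Disable flash encryption in download mode   = True R/W (0b1)
DISABLE_DL_DECRYPT (BLOCK0)  Disable flash decryption in download mode   = False R/W (0b0)
JTAG_DISABLE (BLOCK0)        Disable JTAG                                = True R/W (0b1)
BLOCK2 (BLOCK2)              Secure boot key digest                      = 3f a1 00 7c R/-
"""

# One summary line: name, block, free-text description, "= value", access bits.
LINE_RE = re.compile(r"^(\w+)\s+\(BLOCK\d\)\s+.*?=\s*(.+?)\s+R/[-W]", re.MULTILINE)

# Expected final state taken from the eFuse list in the post (assumed values).
EXPECTED_FLAGS = {
    "ABS_DONE_1": "True",          # secure boot v2 enforced
    "FLASH_CRYPT_CONFIG": "15",    # 0xF
    "UART_DOWNLOAD_DIS": "True",
    "DISABLE_DL_ENCRYPT": "True",
    "DISABLE_DL_DECRYPT": "True",
    "JTAG_DISABLE": "True",
}


def parse_summary(text):
    """Map each eFuse name to its raw value string."""
    return {m.group(1): m.group(2).strip() for m in LINE_RE.finditer(text)}


def check_production_state(fuses):
    """Return a list of human-readable failures; empty means the device is locked down."""
    failures = []
    for name, want in EXPECTED_FLAGS.items():
        got = fuses.get(name)
        if got != want:
            failures.append(f"{name}: expected {want}, got {got}")
    # BLOCK2 must hold a non-zero key digest, otherwise no signing key was burned.
    key_bytes = fuses.get("BLOCK2", "").split()
    if not key_bytes or all(b == "00" for b in key_bytes):
        failures.append("BLOCK2: no key digest burned")
    return failures


if __name__ == "__main__":
    for problem in check_production_state(parse_summary(SAMPLE_SUMMARY)):
        print("FAIL", problem)
```

Feed the real `espefuse.py summary` text of a sample from the batch into `parse_summary` to spot devices that left the line before every fuse was burned.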