ESP32S3 keep stuck on taking trusted digest key when combine secureboot and ota update

minhbka
Posts: 8
Joined: Mon Dec 18, 2023 3:15 am

ESP32S3 keep stuck on taking trusted digest key when combine secureboot and ota update

Postby minhbka » Mon Jan 15, 2024 6:13 am

Hi everybody,
I am working on project that enables secure boot v2 and supports ota update on esp32s3.
The patition table is:

Code: Select all

*******************************************************************************
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0x11000,16K,
otadata,data,ota,0x15000,8K,
phy_init,data,phy,0x17000,4K,
factory,app,factory,0x20000,1M,
ota_0,app,ota_0,0x120000,1M,
ota_1,app,ota_1,0x220000,1M,
*******************************************************************************
The efuse sumary:

Code: Select all

SECURE_BOOT_KEY_REVOKE0 (BLOCK0)                   Revoke 1st secure boot key                         = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0)                   Revoke 2nd secure boot key                         = True R/W (0b1)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0)                   Revoke 3rd secure boot key                         = True R/W (0b1)
KEY_PURPOSE_0 (BLOCK0)                             Purpose of Key0                                    = SECURE_BOOT_DIGEST0 R/- (0x9)  
KEY_PURPOSE_1 (BLOCK0)                             Purpose of Key1                                    = USER R/W (0x0)
KEY_PURPOSE_2 (BLOCK0)                             Purpose of Key2                                    = USER R/W (0x0)
KEY_PURPOSE_3 (BLOCK0)                             Purpose of Key3                                    = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0)                             Purpose of Key4                                    = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0)                             Purpose of Key5                                    = USER R/W (0x0)
SECURE_BOOT_EN (BLOCK0)                            Set this bit to enable secure boot                 = True R/W (0b1)
SECURE_BOOT_AGGRESSIVE_REVOKE (BLOCK0)             Set this bit to enable revoking aggressive secure  = False R/W (0b0)
                                                   boot
DIS_DOWNLOAD_MODE (BLOCK0)                         Set this bit to disable download mode (boot_mode[3 = False R/W (0b0)
                                                   :0] = 0; 1; 2; 3; 6; 7)
ENABLE_SECURITY_DOWNLOAD (BLOCK0)                  Set this bit to enable secure UART download mode   = False R/W (0b0)
SECURE_VERSION (BLOCK0)                            Secure version (used by ESP-IDF anti-rollback feat = 0 R/W (0x0000)
                                                   ure)
BLOCK_KEY0 (BLOCK4)
  Purpose: SECURE_BOOT_DIGEST0
  Key0 or user data
   = 06 ba 0a 9e db 75 aa 02 29 b1 90 ea 47 17 34 2e f5 64 d3 1f bf 30 c0 a4 2c 24 93 64 1f 7c 35 1a R/-
BLOCK_KEY1 (BLOCK5)
  Purpose: USER
               Key1 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY2 (BLOCK6)
  Purpose: USER
               Key2 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY3 (BLOCK7)
  Purpose: USER
               Key3 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY4 (BLOCK8)
  Purpose: USER
               Key4 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY5 (BLOCK9)
  Purpose: USER
               Key5 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
The factory app working properly but when it does ota update, app keeps stucking on

Code: Select all

I (103940) secure_boot_v2: Take trusted digest key(s) from eFuse block(s)
below is full log of app:

Code: Select all

I (0) cpu_start: App cpu up.
I (276) cpu_start: Pro cpu start user code
I (276) cpu_start: cpu freq: 160000000 Hz
I (276) cpu_start: Application information:
I (279) cpu_start: Project name:     simple_ota
I (284) cpu_start: App version:      1
I (288) cpu_start: Compile time:     Jan 15 2024 12:55:43
I (295) cpu_start: ELF file SHA256:  e75022a1149faf85...
I (300) cpu_start: ESP-IDF:          v5.1.2-dirty
I (306) cpu_start: Min chip rev:     v0.0
I (311) cpu_start: Max chip rev:     v0.99 
I (315) cpu_start: Chip rev:         v0.1
I (320) heap_init: Initializing. RAM available for dynamic allocation:
I (327) heap_init: At 3FC9F6D8 len 0004A038 (296 KiB): DRAM
I (334) heap_init: At 3FCE9710 len 00005724 (21 KiB): STACK/DRAM
I (340) heap_init: At 3FCF0000 len 00008000 (32 KiB): DRAM
I (346) heap_init: At 600FE010 len 00001FD8 (7 KiB): RTCRAM
I (354) spi_flash: detected chip: gd
I (357) spi_flash: flash io: dio
I (362) sleep: Configure to isolate all GPIO pins in sleep state
I (368) sleep: Enable automatic switching of GPIO sleep configuration
I (375) app_start: Starting scheduler on CPU0
I (380) app_start: Starting scheduler on CPU1
I (380) main_task: Started on CPU0
I (390) main_task: Calling app_main()
I (390) simple_ota_example: secureBoot enabled!
I (400) simple_ota_example: OTA example app_main start
I (410) pp: pp rom version: e7ae62f
I (410) net80211: net80211 rom version: e7ae62f
I (440) wifi:wifi driver task: 3fca978c, prio:23, stack:6656, core=0
I (440) wifi:wifi firmware version: 91b9630
I (440) wifi:wifi certification version: v7.0
I (440) wifi:config NVS flash: enabled
I (440) wifi:config nano formating: disabled
I (450) wifi:Init data frame dynamic rx buffer num: 32
I (450) wifi:Init static rx mgmt buffer num: 5
I (460) wifi:Init management short buffer num: 32
I (460) wifi:Init dynamic tx buffer num: 32
I (470) wifi:Init static tx FG buffer num: 2
I (470) wifi:Init static rx buffer size: 1600
I (470) wifi:Init static rx buffer num: 10
I (480) wifi:Init dynamic rx buffer num: 32
I (480) wifi_init: rx ba win: 6
I (490) wifi_init: tcpip mbox: 32
I (490) wifi_init: udp mbox: 6
I (490) wifi_init: tcp mbox: 6
I (500) wifi_init: tcp tx win: 5744
I (500) wifi_init: tcp rx win: 5744
I (510) wifi_init: tcp mss: 1440
I (510) wifi_init: WiFi IRAM OP enabled
I (510) wifi_init: WiFi RX IRAM OP enabled
I (570) phy_init: phy_version 620,ec7ec30,Sep  5 2023,13:49:13
W (570) phy_init: failed to load RF calibration data (0x1102), falling back to full calibration
I (610) wifi:mode : sta (60:55:f9:f5:8f:70)
I (610) wifi:enable tsf
I (610) WIFI_LOG: wifi_init_sta finished.
I (620) wifi:new:<8,0>, old:<1,0>, ap:<255,255>, sta:<8,0>, prof:1
I (1110) wifi:state: init -> auth (b0)
I (1120) wifi:state: auth -> assoc (0)
I (1120) wifi:state: assoc -> run (10)
I (1130) wifi:<ba-add>idx:0 (ifx:0, 00:08:52:8b:43:01), tid:0, ssn:0, winSize:64
I (1150) wifi:connected with U+Net4303, aid = 3, channel 8, BW20, bssid = 00:08:52:8b:43:01
I (1150) wifi:security: WPA2-PSK, phy: bgn, rssi: -70
I (1200) wifi:pm start, type: 1

I (1200) wifi:set rx beacon pti, rx_bcn_pti: 0, bcn_timeout: 25000, mt_pti: 0, mt_time: 10000
I (1210) wifi:AP's beacon interval = 102400 us, DTIM period = 5
I (3200) esp_netif_handlers: sta ip: 192.168.219.116, mask: 255.255.255.0, gw: 192.168.219.1
I (3200) WIFI_LOG: got ip:192.168.219.116
I (3200) WIFI_LOG: connected to ap SSID:Myssid password:password
Looking for a new firmware...
I (3220) main_task: Returned from app_main()
I (3380) esp-x509-crt-bundle: Certificate validated
current firmware version (0.7) is lower than the available one (0.8), upgrading...
downloading and installing new firmware (https:${folder_url}/simple_ota.bin)...
I (4300) simple_ota_example: Attempting to download update from https:${folder_url}/simple_ota.bin
I (4310) simple_ota_example: OTA started
I (4850) esp-x509-crt-bundle: Certificate validated
I (5830) simple_ota_example: Connected to server
I (5830) esp_https_ota: Starting OTA...
I (5830) esp_https_ota: Writing to partition subtype 16 at offset 0x120000
I (5840) simple_ota_example: Verifying chip id of new image: 9
I (103800) esp_image: segment 0: paddr=00120020 vaddr=3c0a0020 size=2bc0ch (179212) map
I (103820) esp_image: segment 1: paddr=0014bc34 vaddr=3fc96d00 size=043e4h ( 17380) 
I (103830) esp_image: segment 2: paddr=00150020 vaddr=42000020 size=9f464h (652388) map
I (103920) esp_image: segment 3: paddr=001ef48c vaddr=3fc9b0e4 size=002c8h (   712) 
I (103920) esp_image: segment 4: paddr=001ef75c vaddr=40374000 size=12ce4h ( 77028)
I (103930) esp_image: segment 5: paddr=00202448 vaddr=00000000 size=0db88h ( 56200) 
I (103940) esp_image: Verifying image signature...
I (103940) secure_boot_v2: Take trusted digest key(s) from eFuse block(s)
Could you please help me to solve the problem.
Thank you.

Who is online

Users browsing this forum: No registered users and 396 guests