ESP32-S3 - Combination Secure boot+Flash Encryption Failed on IDF 4.4.8/5.1.4

[dzungpv]

I have a project success enable Secure boot+Flash Encryption for ESP32, but when I change to ESP32-S3 it failed,
After I flash the boot loader and the application image, it show in the log:

Code: Select all

ESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x15 (USB_UART_CHIP_RESET),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x40048d46
invalid header: 0x20a36bad
invalid header: 0x20a36bad
invalid header: 0x20a36bad
invalid header: 0x20a36bad
invalid header: 0x20a36bad
invalid header: 0x20a36bad
invalid header: 0x20a36bad

Steps I use to enable both Secure boot and Flash encryption at the same time:
1, Flash Encryption, follow the official guide: https://docs.espressif.com/projects/esp ... lease-mode.
2, Secure boot v2, follow the official guide: https://docs.espressif.com/projects/esp ... re-boot-v2
3, Erase the flash and build the boot loader with command: idf.py bootloader and flash follow the output result.
4, Flash the remain part of the project with command: idf.py flash

Below is the screenshot with menuconfig:

secure_b_flash_en.jpg (188.47 KiB) Viewed 1043 times

This is the part of sdkconfig content to enable flash encryption and secure boot

Code: Select all

#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_SUPPORTS_RSA=y
CONFIG_SECURE_TARGET_HAS_SECURE_ROM_DL_MODE=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="sbv2_private.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES128=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES256 is not set
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT is not set
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
# CONFIG_SECURE_INSECURE_ALLOW_DL_MODE is not set
# end of Security features

The modules I use is official ESP32-S3-WROOM-1 N8R2 and N8, I also try IDF 5.1.4

Output by the command: esptool.py --chip esp32s3 --no-stub get_security_info

Code: Select all

esptool.py --chip esp32s3 --no-stub get_security_info                    
esptool.py v3.3.4-dev
Found 2 serial ports
Serial port /dev/cu.usbmodem101
Connecting...
Chip is ESP32-S3 in Secure Download Mode
Enabling default SPI flash mode...
Flags: 0x000006f5 (0b11011110101)
Flash_Crypt_Cnt: 0x0
Key_Purposes: (9, 4, 0, 0, 0, 0, 12)
Chip_ID: 9
Api_Version: 0
Hard resetting via RTS pin...

Due to the result the flash encryption is not enable, but the secure boot is enabled, but I don't know what is the problem, the code working fine on the chip if secure mode and flash encryption disable.

I does not manual burn any Efuse key, just let it does automatically by the chip. I flash the boot loader first then flash all later. The guide too complex and I have bricked many ESP32 chip before it work, this time occur with the S3 too, QEMU not working with the S3, so I have some esp32s3 to try, but before try the second one, I need some more clear guide.

This also post on the github issue https://github.com/espressif/esp-idf/issues/14172