Esp delta ota + Secure Boot + Flash Encryption

renansoares
Posts: 2
Joined: Tue Jul 09, 2024 9:06 pm

Esp delta ota + Secure Boot + Flash Encryption

Postby renansoares » Tue Jul 09, 2024 9:22 pm

Hello everyone!

Recently, I came across the ESP Delta OTA Library and found it very interesting and useful for some projects I work on. Currently, the OTA update process is quite costly because we use mobile networks to download binaries, most of which exceed 1MB. Some projects have the limitation of having only a few megabytes available for internet use.

The problem I face is that these projects use Secure Boot and Flash Encryption. In my tests with Delta OTA, I simply cannot get a signed patch to work with Secure Boot. My question is: would this be possible at all?

I have not yet tested on equipment with only Flash Encryption enabled, but I need to resolve the Secure Boot issue first.

Looking forward to some guidance!

hmalpani
Posts: 11
Joined: Tue May 02, 2023 9:22 am

Re: Esp delta ota + Secure Boot + Flash Encryption

Postby hmalpani » Thu Jul 18, 2024 8:57 am

Hello
Good to know that you are using the ESP Delta OTA component. Can you please describe the workflow you are using to create the patch files when Secure Boot is also enabled?

brocliath
Posts: 1
Joined: Fri Jul 19, 2024 10:10 am

Re: Esp delta ota + Secure Boot + Flash Encryption

Postby brocliath » Fri Jul 19, 2024 10:18 am

I am also very interested in using the Delta OTA option with Secure Boot and Flash Encryption.

renansoares
Posts: 2
Joined: Tue Jul 09, 2024 9:06 pm

Re: Esp delta ota + Secure Boot + Flash Encryption

Postby renansoares » Mon Jul 22, 2024 5:26 pm

Sorry for the delay in responding. I did some tests with Delta OTA and realized that it was generating the patch with the wrong binaries. In the end, I managed to make it work in a project with Secure Boot and Flash Encryption.

Some things I did:
In menuconfig, I changed these parameters:
  • APP_REPRODUCIBLE_BUILD // ENABLE THIS OPTION
  • CONFIG_APP_COMPILE_TIME_DATE // DISABLE THIS OPTION
These changes in menuconfig were needed to be able to create a patch that reverts to a previous version;
(To use with Secure Boot): The binaries used to generate the patch must be signed beforehand.

An example update flow to facilitate understanding:

mkdir -p ota/versions/ ota/patches/

# Considering version 0 as the first BASE
cp release_build/sign/main.bin ota/versions/0.bin

# Modified the code and generated version 1:
cp release_build/sign/main.bin ota/versions/1.bin

# Modified again and generated version 2:
cp release_build/sign/main.bin ota/versions/2.bin

Now I generate a patch between version 0 (base) and 1:

cd ota && python esp_delta_ota_patch_gen.py --chip esp32s3 --base_binary versions/0.bin --new_binary versions/1.bin --patch_file_name patches/patch_base_to_new.bin && cd ..
# And I use this patch (patch_base_to_new.bin) to perform the update;

Now I generate a patch between version 1 (base) and 2:

cd ota && python esp_delta_ota_patch_gen.py --chip esp32s3 --base_binary versions/1.bin --new_binary versions/2.bin --patch_file_name patches/patch_base_to_new_1.bin && cd ..
# And I use this patch (patch_base_to_new_1.bin) to perform the update;

And finally, for testing purposes, I reverted to version 0:

cd ota && python esp_delta_ota_patch_gen.py --chip esp32s3 --base_binary versions/2.bin --new_binary versions/0.bin --patch_file_name patches/patch_base_to_new_2.bin && cd ..
# And I use this patch (patch_base_to_new_2.bin) to perform the update; it is the patch between version 2 (base) and 0, which makes it revert;
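The post above boils down to two preconditions on the binaries handed to esp_delta_ota_patch_gen.py: both must be reproducible builds (no compile date/time baked into esp_app_desc_t, otherwise two builds of the same source differ and a revert patch cannot reproduce the original bytes), and, with Secure Boot, both must already carry their signature sector, since the device reconstructs the new image from base + patch and the bootloader then verifies that reconstructed image. The script below is an added example written for this thread; it is not code from the original post, from the esp_delta_ota component, or from Espressif. It reads the two images and reports whether the pair is fit for patch generation. It assumes the ESP-IDF app image layout (0xE9 header magic, chip_id at bytes 12-13, esp_app_desc_t at offset 0x20) and the Secure Boot V2 RSA-PSS signature sector layout (last 4096-byte sector, magic 0xE7, version 0x02, SHA-256 of the padded image at bytes 4-36, CRC32 at offset 1196); `build_fake_image` is a constructed test fixture with placeholder key and signature bytes, and the chip-id table only covers a few chips. It checks framing, digest and CRC only; it does not verify the RSA signature itself.

```python
"""Pre-flight check on two ESP-IDF app images before generating a delta patch.

Added example for this thread, not code from the post or from esp_delta_ota.
Checks the two conditions the post arrived at: reproducible builds (empty
compile date/time in esp_app_desc_t) and, for Secure Boot, signed inputs.

Layout assumptions (ESP-IDF app image, Secure Boot V2 RSA-PSS block):
  - header: magic 0xE9 at byte 0, chip_id as little-endian u16 at bytes 12-13
  - esp_app_desc_t at offset 0x20: u32 magic 0xABCD5432, u32 secure_version,
    8 reserved bytes, version[32], project_name[32], time[16], date[16], idf_ver[32]
  - signed image: length is a multiple of 4096, last sector starts 0xE7 0x02,
    sha256 of everything before it at block bytes 4..36, zlib crc32 of block
    bytes 0..1196 stored little-endian at offset 1196
"""
import hashlib
import struct
import zlib

IMAGE_MAGIC = 0xE9
APP_DESC_MAGIC = 0xABCD5432
APP_DESC_OFFSET = 0x20
APP_DESC_SIZE = 256
SECTOR = 4096
SIG_MAGIC, SIG_VERSION = 0xE7, 0x02
SIG_CRC_OFFSET = 1196   # RSA-3072 block: 36 header+digest, 776 key, 384 signature
CHIP_IDS = {0: "esp32", 2: "esp32s2", 5: "esp32c3", 9: "esp32s3"}  # assumed subset


def _cstr(raw: bytes) -> str:
    return raw.split(b"\0", 1)[0].decode("ascii", errors="replace")


def inspect_image(data: bytes) -> dict:
    """Parse header, app descriptor and (if present) the V2 signature sector."""
    if len(data) < APP_DESC_OFFSET + APP_DESC_SIZE or data[0] != IMAGE_MAGIC:
        raise ValueError("not an ESP app image (bad length or magic)")
    chip_id = struct.unpack_from("<H", data, 12)[0]
    if struct.unpack_from("<I", data, APP_DESC_OFFSET)[0] != APP_DESC_MAGIC:
        raise ValueError("esp_app_desc_t magic not found at offset 0x20")
    version, project, time_, date, idf = struct.unpack_from(
        "<32s32s16s16s32s", data, APP_DESC_OFFSET + 16)
    info = {
        "chip": CHIP_IDS.get(chip_id, hex(chip_id)),
        "version": _cstr(version), "project": _cstr(project),
        "time": _cstr(time_), "date": _cstr(date), "idf_ver": _cstr(idf),
        "signed": False, "digest_ok": False, "crc_ok": False,
    }
    # CONFIG_APP_COMPILE_TIME_DATE=n leaves both strings empty; with it on, two
    # builds of identical source differ here and a revert patch cannot match.
    info["reproducible"] = info["time"] == "" and info["date"] == ""
    if len(data) % SECTOR == 0 and len(data) >= 2 * SECTOR:
        blk = data[-SECTOR:]
        if blk[0] == SIG_MAGIC and blk[1] == SIG_VERSION:
            info["signed"] = True
            info["digest_ok"] = hashlib.sha256(data[:-SECTOR]).digest() == blk[4:36]
            stored = struct.unpack_from("<I", blk, SIG_CRC_OFFSET)[0]
            info["crc_ok"] = (zlib.crc32(blk[:SIG_CRC_OFFSET]) & 0xFFFFFFFF) == stored
    return info


def delta_preflight(base: bytes, new: bytes, require_signed: bool = True) -> list:
    """Return a list of problems; empty means the pair is fit for patch generation."""
    b, n = inspect_image(base), inspect_image(new)
    problems = []
    if b["chip"] != n["chip"]:
        problems.append(f"chip mismatch: base is {b['chip']}, new is {n['chip']}")
    for tag, img in (("base", b), ("new", n)):
        if not img["reproducible"]:
            problems.append(f"{tag}: compile date/time present ({img['date']} {img['time']}); "
                            "enable CONFIG_APP_REPRODUCIBLE_BUILD, disable CONFIG_APP_COMPILE_TIME_DATE")
        if require_signed and not img["signed"]:
            problems.append(f"{tag}: no Secure Boot V2 signature sector; sign it before generating the patch")
        elif require_signed and not (img["digest_ok"] and img["crc_ok"]):
            problems.append(f"{tag}: signature block does not match the image (digest/CRC)")
    return problems


def build_fake_image(chip_id: int = 9, version: str = "1.0.0", date: str = "",
                     time_: str = "", sign: bool = True) -> bytes:
    """Constructed fixture: a minimal, non-bootable image with one segment holding
    an app descriptor, optionally followed by a V2-shaped signature sector whose
    key and signature fields are placeholder bytes (framing only, no real RSA)."""
    header = struct.pack("<BBBBIB3sHBHH4sB", IMAGE_MAGIC, 1, 0, 0x20, 0x40000000,
                         0xEE, b"\0" * 3, chip_id, 0, 0, 0xFFFF, b"\0" * 4, 0)
    desc = struct.pack("<II8s32s32s16s16s32s32s", APP_DESC_MAGIC, 0, b"\0" * 8,
                       version.encode(), b"fwproj", time_.encode(), date.encode(),
                       b"v5.2.1", b"\0" * 32).ljust(APP_DESC_SIZE, b"\0")
    image = header + struct.pack("<II", 0x3C000020, len(desc)) + desc
    if not sign:
        return image
    image = image.ljust(-(-len(image) // SECTOR) * SECTOR, b"\xFF")   # pad to sector
    block = bytes([SIG_MAGIC, SIG_VERSION, 0, 0]) + hashlib.sha256(image).digest()
    block += b"\x11" * 776 + b"\x22" * 384                           # placeholder key + sig
    block += struct.pack("<I", zlib.crc32(block) & 0xFFFFFFFF)
    return image + block.ljust(SECTOR, b"\xFF")
```

Run `delta_preflight(open("ota/versions/0.bin", "rb").read(), open("ota/versions/1.bin", "rb").read())` before each esp_delta_ota_patch_gen.py invocation and refuse to build the patch if the list is non-empty; a base binary that was signed with a different key, or not at all, is the failure mode the original poster hit. Cryptographic verification of the signature against your public key remains the job of `espsecure.py verify_signature --version 2`, which this check does not replace.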
