Secure Boot CheckSum error, Help Please!

[shawn2019]

Friends, I refer to the following two articles for the operation of Secureboot and Flash Encrypt. The Flash Encrypt operation is successful, but Secureboot has always failed. I have tried many times.

In the following article, I mainly operate according to the second scheme.




https://docs.espressif.com/projects/esp ... -boot.html

In the following article, I mainly operate according to the second scheme.
https://github.com/espressif/esp-iot-so ... rypt_cn.md

The IDF version I am using is esp-idf-v4.0-beta1.
First I configure it using idf.py menuconfig,
Secrue configuration as shown below



I generated the key file using "openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem".

Partiontable configuration as shown below, I changed the Offset of partition table to 0x9000.

Partiontable CSV file as shown below

Use idf.py to generate bootloader.bin, use idf.py build to generate partition-table.bin ota_data_initial.bin native_ota.bin.


Then I used the ESP32 SECURE FLASHER TOOL tool to program the device. The configuration of ESP32 SECURE FLASHER TOOL is shown below.





The log after re-powering after burning is as shown below


After burning, EFUSE is as shown below

[WiFive]

How big is bootloader.bin file? Do you have the secure boot and flash encryption keys saved?

For one-time flash mode and release mode you should not enable the security features in the download tool, the bootloader will do it for you.

[shawn2019]

How big is bootloader.bin file? Do you have the secure boot and flash encryption keys saved?

For one-time flash mode and release mode you should not enable the security features in the download tool, the bootloader will do it for you.

Thanks WiFive!
1. I saw that the size of my bootloader.bin file is 36k, the starting address of the bootloader is 0x1000, and the starting position of the partion-table is 0x9000, which should be able to put the bootloader.

2. If an unexpected situation such as a power failure occurs during the initial initialization process, the chip will be locked and cannot be programmed and booted again.

3. “Do you have the secure boot and flash encryption keys saved?” I don’t quite understand what you said. I generated the key file with "openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem" and the name and path are the same in the KConfig Menu. I confirm that there is no problem.

[WiFive]

0x9000-0x1000 = 0x8000 = 32k

Sorry I don't use secure flasher tool but I guess it automates the rest of the process and it wrote partition table over bootloader.

[shawn2019]

0x9000-0x1000 = 0x8000 = 32k

Sorry I don't use secure flasher tool but I guess it automates the rest of the process and it wrote partition table over bootloader.

After I posted, I realized that I made a stupid mistake in the calculation of BIN size, thank you! The Secure bootloader does set ABS_DONE0 by itself, but I see the following article and found that you can use the esp flash tools to avoid problems with accidental power loss during the first boot. The article is linked as follows, but the article is written in Chinese.

[shawn2019]

0x9000-0x1000 = 0x8000 = 32k

Sorry I don't use secure flasher tool but I guess it automates the rest of the process and it wrote partition table over bootloader.

After I posted, I realized that I made a stupid mistake in the calculation of BIN size, thank you! The Secure bootloader does set ABS_DONE0 by itself, but I see the following article and found that you can use the esp flash tools to avoid problems with accidental power loss during the first boot. The article is linked as follows, but the article is written in Chinese.

https://github.com/espressif/esp-iot-so ... rypt_cn.md