Does Secure Boot, Flash Encryption order matter?


Post by HighVoltage » Fri Nov 18, 2022 6:32 pm

I bought some new ESP32E devkit modules from a different source. I wanted to check they were really the version advertised, so I enabled Secure Boot V2 in menuconfig. That worked alright. Then I wanted to enable Flash Encryption, but I like to use my own key, so I tried to write it manually. But I get:

Code:

>espefuse.py -p com17 burn_key flash_encryption ECE3F0EF49C0.key
...

=== Run "burn_key" command ===
Burn keys to blocks:
 - BLOCK1 -> [ ... ]
        Reversing the byte order
        Disabling read to key block

A fatal error occurred: This efuse cannot be read-disabled due the to RD_DIS field is already write-disabled

Why do I get this error? Can you not enable Flash Encryption after Secure Boot is already on? Is this check and error above superfluous?

I decided to write my key from my application using esp_efuse_write_block API. That works. But now it is still readable.

If I try the API esp_efuse_set_read_protect, I now get another error:

Code:

E (21458) efuse: BURN BLOCK0 - ERROR (written bits != read bits)
E (21470) efuse: BURN BLOCK0 - ERROR (written bits != read bits)
E (21481) efuse: BURN BLOCK0 - ERROR (written bits != read bits)
E (21481) efuse: Written data are incorrect

This error isn't listed in the API doc; I'm not sure what it means. Note, I am writing to "EFUSE_BLK_ENCRYPT_FLASH", not BLOCK0, but I guess the masks are in 0.

I tried turning on Flash Encryption in menuconfig, to see if the build system would complete the process, but I get this:

Code:

I (412) secure_boot_v2: Signature verified successfully!
I (421) boot: Loaded app from partition at offset 0x20000
I (421) secure_boot_v2: enabling secure boot v2...
I (421) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (426) boot: Checking flash encryption...
I (430) efuse: Batch mode of writing fields is enabled
E (435) flash_encrypt: Invalid key state, check read&write protection for key and keypurpose(if exists)
I (444) efuse: Batch mode of writing fields is cancelled
E (449) boot: Flash encryption check failed (259).

Any advice to finish setting up the Flash Encryption with my own key? This is the current state:

Code:

=== Run "summary" command ===
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
BLK3_PART_RESERVE (BLOCK0):                        BLOCK3 partially served for ADC calibration data   = False R/W (0b0)
ADC_VREF (BLOCK0):                                 Voltage reference calibration                      = 1128 R/- (0b00100)

Config fuses:
XPD_SDIO_FORCE (BLOCK0):                           Ignore MTDI pin (GPIO12) for VDD_SDIO on reset     = False R/W (0b0)
XPD_SDIO_REG (BLOCK0):                             If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset    = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0):                            If XPD_SDIO_FORCE & XPD_SDIO_REG                   = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0):                               8MHz clock freq override                           = 48 R/W (0x30)
SPI_PAD_CONFIG_CLK (BLOCK0):                       Override SD_CLK pad (GPIO6/SPICLK)                 = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0):                         Override SD_DATA_0 pad (GPIO7/SPIQ)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0):                         Override SD_DATA_1 pad (GPIO8/SPID)                = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0):                        Override SD_DATA_2 pad (GPIO9/SPIHD)               = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0):                       Override SD_CMD pad (GPIO11/SPICS0)                = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0):                        Disable SDIO host                                  = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0):                                   Efuse write disable mask                           = 257 R/W (0x0101)
RD_DIS (BLOCK0):                                   Efuse read disable mask                            = 0 R/- (0x0)
CODING_SCHEME (BLOCK0):                            Efuse variable block length scheme
   = NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0):                               Usage of efuse block 3 (reserved)                  = False R/W (0b0)

Identity fuses:
MAC (BLOCK0):                                      Factory MAC Address
   = c0:49:ef:f0:e3:ec (CRC 0xb1 OK) R/W
MAC_CRC (BLOCK0):                                  CRC8 for factory MAC address                       = 177 R/W (0xb1)
CHIP_VER_REV1 (BLOCK0):                            Silicon Revision 1                                 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0):                            Silicon Revision 2                                 = True R/W (0b1)
CHIP_VERSION (BLOCK0):                             Reserved for future chip versions                  = 2 R/W (0b10)
CHIP_PACKAGE (BLOCK0):                             Chip package identifier                            = 1 R/W (0b001)
CHIP_PACKAGE_4BIT (BLOCK0):                        Chip package identifier #4bit                      = False R/W (0b0)
MAC_VERSION (BLOCK3):                              Version of the MAC field                           = 0 R/W (0x00)

Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 0 R/W (0b0000000)
UART_DOWNLOAD_DIS (BLOCK0):                        Disable UART download mode (ESP32 rev3 only)       = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = 0 R/W (0x0)
CONSOLE_DEBUG_DISABLE (BLOCK0):                    Disable ROM BASIC interpreter fallback             = True R/W (0b1)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = False R/W (0b0)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = True R/W (0b1)
JTAG_DISABLE (BLOCK0):                             Disable JTAG                                       = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0):                         Disable flash cache in UART bootloader             = False R/W (0b0)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ... VISIBLE, REMOVED ... R/W
BLOCK2 (BLOCK2):                                   Secure boot key
   = 7a f7 24 71 b8 16 dd 0b d1 44 46 f8 aa 50 e5 9d a0 3e d0 af 62 d3 82 af 49 8d 2e 2e a3 16 f0 5b R/-
BLOCK3 (BLOCK3):                                   Variable Block 3
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

I also noticed the Python tool says it is reversing the key, but apparently the API does not do this. Why does it reverse it? I guess I will have to reverse it in my program as well to stay compatible with the tools.
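
Added example (not part of the original post and not Espressif's code): a Python script that parses `espefuse.py summary` lines in the format shown above and reports the state the post describes, a flash encryption key in BLOCK1 that is still readable while RD_DIS can no longer be written. The sample lines are copied from the post with the BLOCK2 value replaced by a placeholder; the function names and result keys are illustrative.

```python
import re

# Constructed sample: lines copied from the summary in the post
# (BLOCK2 value replaced by a placeholder).
SAMPLE_SUMMARY = """\
WR_DIS (BLOCK0):                                   Efuse write disable mask                           = 257 R/W (0x0101)
RD_DIS (BLOCK0):                                   Efuse read disable mask                            = 0 R/- (0x0)
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 0 R/W (0b0000000)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = True R/W (0b1)
BLOCK1 (BLOCK1):                                   Flash encryption key
   = ... VISIBLE, REMOVED ... R/W
BLOCK2 (BLOCK2):                                   Secure boot key
   = (digest omitted) R/-
"""

HEADER = re.compile(r"^(\w+) \((BLOCK\d)\):")
# "= <value> <R|->/<W|-> (<raw>)"; the raw part is absent for key blocks.
VALUE = re.compile(r"= (.*?) ([R-])/([W-])(?: \((\S+)\))?\s*$")

def parse_summary(text):
    """Map eFuse name -> value and readable/writable flags.
    Handles values that wrap onto the line after the field name."""
    fields, current = {}, None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            current = head.group(1)
        val = VALUE.search(line)
        if current and val:
            fields[current] = {
                "value": val.group(1).strip(),
                "readable": val.group(2) == "R",
                "writable": val.group(3) == "W",
            }
            current = None
    return fields

def audit(fields, key_block="BLOCK1"):
    """Summarise the state relevant to burning a read-protected key."""
    crypt_cnt = int(fields["FLASH_CRYPT_CNT"]["value"])
    return {
        "secure_boot_v2": fields["ABS_DONE_1"]["value"] == "True",
        # Flash encryption is active when an odd number of counter bits is set.
        "flash_encryption_on": bin(crypt_cnt).count("1") % 2 == 1,
        "key_readable": fields[key_block]["readable"],
        # Read protection is set by writing RD_DIS, so RD_DIS must be writable.
        "can_read_protect": fields["RD_DIS"]["writable"],
    }

if __name__ == "__main__":
    print(audit(parse_summary(SAMPLE_SUMMARY)))
```

Running a check like this against the summary before burning anything shows whether a key block can still be read-protected on that chip.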
