[Solved] Secure boot signature verification failed
Posted: Tue Feb 21, 2023 10:19 pm
ESP32 REV3 with SecureBoot v2 and FlashEncryption + preencrypted OTA over MQTT + 729600 bytes of application
I have built an application using CICD (docker espressif/idf:v4.4.4) and then manually sign the image with RSA 3072 key and encrypt it with custom RSA key. I can download the result image on my notebook, decrypt it and verify the signature of application. There are no errors.
Also, I can build the application (using the same keys above) on the notebook and burn the image to device's flash. It work fine and passes all checks.
But if I pass this image over OTA I get:
I have checked the signature block in editor, it looks ok:
I have all keys and can directly burn the image and it works well. But I don't understand how to check the signature issues. Can somebody help me with this issue? Or does it possible to disable signature checks temporarily?
Also, the following happens:
I have built an application using CICD (docker espressif/idf:v4.4.4) and then manually sign the image with RSA 3072 key and encrypt it with custom RSA key. I can download the result image on my notebook, decrypt it and verify the signature of application. There are no errors.
Also, I can build the application (using the same keys above) on the notebook and burn the image to device's flash. It work fine and passes all checks.
But if I pass this image over OTA I get:
Code: Select all
D (972204) OTA: Written image length 729088
D (972204) esp_image: reading image header @ 0x1c0000
D (972204) esp_image: image header: 0xe9 0x07 0x02 0x02 40081560
I (972204) esp_image: segment 0: paddr=001c0020 vaddr=3f400020 size=25548h (152904) map
D (972214) esp_image: free data page_count 0x0000003d
I (972264) esp_image: segment 1: paddr=001e5570 vaddr=3ffbdb60 size=02e08h ( 11784)
D (972264) esp_image: free data page_count 0x0000003d
I (972274) esp_image: segment 2: paddr=001e8380 vaddr=40080000 size=07c98h ( 31896)
D (972274) esp_image: free data page_count 0x0000003d
I (972294) esp_image: segment 3: paddr=001f0020 vaddr=400d0020 size=75918h (481560) map
D (972294) esp_image: free data page_count 0x0000003d
I (972444) esp_image: segment 4: paddr=00265940 vaddr=40087c98 size=087e0h ( 34784)
D (972444) esp_image: free data page_count 0x0000003d
I (972454) esp_image: segment 5: paddr=0026e128 vaddr=50000000 size=00010h ( 16)
D (972454) esp_image: free data page_count 0x0000003d
I (972464) esp_image: segment 6: paddr=0026e140 vaddr=00000000 size=01e90h ( 7824)
D (972474) esp_image: free data page_count 0x0000003d
I (972484) esp_image: Verifying image signature...
I (972484) secure_boot_v2: Take trusted digest key(s) from eFuse block(s)
E (972494) esp_image: Secure boot signature verification failed
I (972494) esp_image: Calculating simple hash to check for corruption...
W (972684) esp_image: image valid, signature bad
Code: Select all
V (16322509) OTA: e7 02 00 00 94 7e ff eb 11 bf ae e0 0b 88 9f 3c
V (16322509) OTA: 44 71 5d 71 29 c1 5d 90 a4 40 9a 44 c8 ff 19 4a
V (16322519) OTA: 5a d4 7c 14 bf 92 10 a4 c6 aa 83 5a 6d 88 0d 1c
V (16322519) OTA: 11 f0 8b 02 b0 de 5d 8a 6e 00 10 74 de b4 98 98
V (16322529) OTA: d1 4c f4 25 33 18 be 62 01 48 dd eb 10 2c 4a f5
V (16322539) OTA: 56 9c 29 0c 9c e2 9c d4 22 ee a6 be 5e 88 ab 2f
V (16322539) OTA: be 46 5c bb 2e 21 3d 52 1c 73 6a dc 52 7a 45 6b
V (16322549) OTA: ea c6 6e 74 3d 44 1b 47 de e3 9d fd fa d9 e5 45
V (16322559) OTA: 67 eb 1d 0f a8 29 59 9f bd 36 ee 10 fd 8c 61 77
V (16322559) OTA: 9e a8 da b2 91 89 df 0f b2 3e aa ab c6 52 f8 27
V (16322569) OTA: d6 66 08 a3 ad 81 a6 a0 64 65 5b 77 e5 81 44 78
V (16322569) OTA: 7c 4f 9b be ee 47 07 af a8 ed b0 f4 bf 72 f1 69
V (16322579) OTA: 0a 38 cf d3 04 e1 48 01 d4 b4 d7 6f db 28 09 95
V (16322589) OTA: 81 2b 82 90 90 b5 18 d6 ec 61 1a fb 25 b8 d7 15
V (16322589) OTA: 20 79 ce f5 17 26 1f 24 ed 99 54 fb 41 93 38 1c
V (16322599) OTA: 35 a4 83 4f f1 44 1e c8 88 72 90 a9 e4 26 d4 b9
V (16322609) OTA: cc c3 6c 69 7e ae fd 71 a3 c2 aa 25 56 fd 77 31
V (16322609) OTA: b7 de f4 77 42 91 72 ba 71 0b 91 05 d8 ee 03 23
V (16322619) OTA: 32 af ee fc 65 9f 50 04 34 39 70 d5 be d3 06 43
V (16322619) OTA: 3a 26 57 33 3a b2 88 2c b4 39 ef 5c e3 6d 08 34
V (16322629) OTA: 8a 2d c3 5b 81 27 38 b0 71 92 a3 78 59 27 87 03
V (16322639) OTA: ca b6 5c a2 55 d2 da b5 65 73 ff 4a e2 98 a1 28
V (16322639) OTA: 1e 76 95 4b 48 31 e3 8c 0c 43 c0 0d 01 3a b7 31
V (16322649) OTA: f6 71 7f fa 69 05 66 15 cf 18 fd 80 2c 66 86 80
V (16322659) OTA: bb 87 62 e2 6c 73 04 de f4 6b 8e 07 49 be 8f 10
V (16322659) OTA: 75 74 76 ae 98 2d b5 9d 3e da 66 2f 87 fd a2 64
V (16322669) OTA: b4 48 3f b1 01 00 01 00 36 78 d8 e4 29 7b bc a7
V (16322669) OTA: 09 7e 67 ae 3b 52 39 90 f0 8a 20 0e bf d3 80 95
V (16322679) OTA: 63 9f df d2 27 0b 36 bb 44 f6 49 22 8d 94 78 73
V (16322689) OTA: 04 ab cd 9d f5 e7 34 aa e9 4d 21 2d c8 8c 5d 46
V (16322689) OTA: b4 e4 6a 32 a7 49 fc 7c 52 aa 87 30 43 19 06 27
V (16322699) OTA: 3f e4 9a 1d 38 26 88 69 da ce c8 86 e0 e4 ee 7b
V (16323209) OTA: b0 3e d9 29 d4 f5 8f 51 1a 89 f9 fb b9 41 37 db
V (16323209) OTA: df 0e 13 6c 7c 12 f8 4a a5 50 a5 24 3c 96 43 85
V (16323219) OTA: 3e 62 10 b0 4d 2e 77 61 d2 7d 60 37 0d 1f 21 d3
V (16323229) OTA: e5 cb e1 f2 03 ea a8 e6 6e 1a b7 3c 89 15 fa 43
V (16323229) OTA: d9 49 c3 e8 65 b5 6f dd 92 6a 84 c8 db 55 1b b9
V (16323239) OTA: ce 32 c3 92 e1 44 ad 58 46 1c d5 37 7b 17 65 fe
V (16323249) OTA: 17 33 5e 67 80 b3 98 92 b1 31 d3 c3 dc 49 14 45
V (16323249) OTA: 24 9e c8 ba 24 a1 4e ea 1a 82 fc 65 87 0d c7 61
V (16323259) OTA: c2 44 e7 eb 47 87 12 4c 5d c3 2e dc d4 87 33 d0
V (16323259) OTA: e8 92 ad 1c e9 50 e0 ac 04 ed 32 64 d0 2f b0 43
V (16323269) OTA: e4 68 72 d1 f6 e2 2c c6 16 02 70 1c b3 02 94 d1
V (16323279) OTA: a0 f7 6f 82 51 0d bb e7 bd 17 10 e4 ce c4 45 6d
V (16323279) OTA: 46 15 91 43 67 c6 12 15 4b 94 8f 12 2e 95 3e 59
V (16323289) OTA: 6f b3 ce 2b 71 a4 71 13 9c 1d 94 97 47 ca 54 3a
V (16323299) OTA: 53 fe 00 92 6a 38 fd 1b 20 d3 ef 15 54 86 e2 81
V (16323299) OTA: ed 04 c2 1b 9b fb b7 0a 21 ad 94 f3 ac 9d ed 6d
V (16323309) OTA: 0c 15 56 4a 44 16 bc 64 da d3 34 ad bb ac 73 d6
V (16323309) OTA: b1 da b7 eb 06 17 e5 d8 42 e9 1b 4b 51 34 cd e6
V (16323319) OTA: ff 10 2c 2a dd af b9 01 c1 22 fc 58 ea 13 55 1c
V (16323329) OTA: f5 f3 d5 91 15 bb a2 88 cb fa 0a b4 71 b3 33 1f
V (16323329) OTA: 6b fc 3a dc ba cd 31 a8 5a 47 dc 1d ea 5f 8a ae
V (16323339) OTA: 2a d1 57 27 c9 f0 17 e4 a6 d7 c8 ef 88 e3 1a 98
V (16323349) OTA: b5 0c 51 20 f4 01 b5 b6 ff e7 64 ae c8 64 0a 97
V (16323349) OTA: 0c a3 8f 6d 01 28 a9 32 01 69 2f e8 51 13 eb 18
V (16323359) OTA: 41 43 1b 17 9d 00 55 37 9f 94 7e 6a 01 8c e5 e5
V (16323359) OTA: 2b 5b eb f3 f3 ad 83 88 08 6f e1 95 b8 9a 53 95
V (16323369) OTA: c6 3e 4b aa 42 4a 15 b5 b8 ac 5f 4f be 6a 23 3f
V (16323379) OTA: 8b 5f fb 60 86 12 ed 4b b3 97 b3 3b 31 ac b2 16
V (16323379) OTA: 10 75 27 95 59 c1 ad 0e 41 c1 a0 41 b6 b7 a9 b6
V (16323389) OTA: f8 da 20 50 7d a4 fa e2 d1 2c 97 f6 bf 9a 68 a5
V (16323399) OTA: 5c 8d 69 38 25 25 dc 1b f3 10 23 0a b6 8a df db
V (16323399) OTA: 71 18 14 e9 0c 8f f2 80 0d f4 b9 a5 89 7a 5c 47
V (16323409) OTA: fd 1f ad ef f7 5d bf 7d 37 72 ec 6d 3a ee 0d de
V (16323409) OTA: 34 38 b9 98 f8 dc 3c 33 fb 84 dc 39 f9 77 22 1c
V (16323419) OTA: 11 67 54 73 6e d4 df 54 4a 3e c7 cf fc f0 f3 50
V (16323429) OTA: 18 bc 58 97 6e c8 d8 8b 1b d2 df 5d 54 30 18 d8
V (16323429) OTA: ff 89 bb d6 d9 92 ae 64 94 2b 44 64 cf 05 7b ce
V (16323439) OTA: 84 7b 04 2e e5 6e 39 ea 0b fb c5 c5 1e 34 00 12
V (16323449) OTA: 97 16 63 9d 73 b7 06 09 44 04 b2 e4 76 a3 22 b9
V (16323449) OTA: b0 6e b1 85 92 2d c9 6c 18 9a f9 51 88 76 25 9f
V (16323459) OTA: 97 36 bb 1e de ef 2f e7 95 df f9 4f f0 9c f7 5d
V (16323459) OTA: d1 c4 34 47 4f 85 4c 46 ed e9 9b cc 62 0e ab 02
V (16323469) OTA: c3 79 1e 9c 3b 20 4c 50 5e 1d 64 4c 4b 9e 87 65
V (16323479) OTA: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Also, the following happens:
- OTA slot 0 is current, OTA writes on slot 1 and failed with bad signature
- I manually burn the image on slot 0 and trying to start, bootloader shows the following error and BOOTS from slot 1 without any errors!!!
Code: Select all
I (440) secure_boot_v2: Verifying with RSA-PSS...
Sig block 0 signed with untrusted key
E (448) secure_boot_v2: Secure Boot V2 verification failed.
E (454) esp_image: Secure boot signature verification failed
I (461) esp_image: Calculating simple hash to check for corruption...
W (674) esp_image: image valid, signature bad
E (674) boot: OTA app partition slot 0 is not bootable
I (674) esp_image: segment 0: paddr=001c0020 vaddr=3f400020 size=27710h (161552) map
I (742) esp_image: segment 1: paddr=001e7738 vaddr=3ffbdb60 size=049f4h ( 18932) load
I (750) esp_image: segment 2: paddr=001ec134 vaddr=40080000 size=03ee4h ( 16100) load
I (757) esp_image: segment 3: paddr=001f0020 vaddr=400d0020 size=9b694h (636564) map
I (996) esp_image: segment 4: paddr=0028b6bc vaddr=40083ee4 size=14358h ( 82776) load
I (1031) esp_image: segment 5: paddr=0029fa1c vaddr=00000000 size=005b4h ( 1460)
I (1032) esp_image: Verifying image signature...
I (1033) secure_boot_v2: Verifying with RSA-PSS...
I (1043) secure_boot_v2: Signature verified successfully!
I (1057) boot: Loaded app from partition at offset 0x1c0000
I (1057) secure_boot_v2: enabling secure boot v2...
I (1059) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (1066) boot: Checking flash encryption...
I (1071) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)