Page 1 of 1

Will secure boot work after upgrade esp-idf version?

Posted: Mon Jan 08, 2024 2:36 am
by minhbka
Hi everybody,
I am testing secureboot v1 with esp32 dev kit.
I use the blink example and enable secure boot with reflashable option.
The private key is pre-generated.
Actually, the project worked properly when I use with esp_idf version 4.4.
After that, I upgraded esp_idf version to 5.1.2
Then I test the blink example again with same private key and bootloader digest key.
I also change the partition table to support ota in future.
After that I flashed both app binary bin file and bootloader_reflash_digest bin file to the dev kit.
The result shows "secure boot check fail" message as below:

Code: Select all

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff00b8,len:7684
load:0x40078000,len:24116
load:0x40080400,len:4
0x40080400: _init at ??:?

ho 8 tail 4 room 4
load:0x40080404,len:3176
secure boot check fail
ets_main.c 371
My question is that if I upgrade the esp_idf version, will the secure boot work with same private key ?
Thank you.

Re: Will secure boot work after upgrade esp-idf version?

Posted: Tue Jan 09, 2024 9:48 am
by ESP_harshal
Hello @minhbka,

Secure boot should work even after an ESP-IDF version update.

Taking a look at the error log, it looks like bootloader verification has failed.

And by the steps that you have mentioned, seems like you flashed the new reflashable bootloader digest, app, and partition table, but missed flashing the new bootloader binary at 0x1000.

Could you confirm if you have re-flashed the newer bootloader binary?

Thank you!

Re: Will secure boot work after upgrade esp-idf version?

Posted: Fri Jan 12, 2024 2:13 am
by minhbka
Hello @ESP_harshal
Below is project partition table map

Code: Select all

# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0xb000,24K,
phy_init,data,phy,0x11000,4K,
factory,app,factory,0x20000,1M,
I already read current data in flash memory.
Below are some image of data in flash with realative address.

at 0x00:
digest.jpg
digest.jpg (161.53 KiB) Viewed 18329 times
bootloader at 0x1000
bootloader.jpg
bootloader.jpg (319.98 KiB) Viewed 18329 times
app at 0x 20000
app.jpg
app.jpg (363.25 KiB) Viewed 18329 times
Could you help me to check if there is any problem here?
Actually, I rebuilded project before write to flash. Could it be problem?