ESP32-S3 secure boot 2 after development (new signing key), revoke fuse burnt?
Posted: Fri Nov 22, 2024 8:04 am
Hello.
I've jumped on the project to finish up development of an ESP32-S3 device. The guy before me left a code base with a project and a script to build development and release.
We have around a few dozen test devices with development signing keys. The guy assured me that it will be possible to change the key after development, but only once. However, I'm struggling to do it.
As you can see below, it has secure boot 2 enabled and a SECURE_BOOT_DIGEST0 for the development key. However, it has the SECURE_BOOT_KEY_REVOKE1 and SECURE_BOOT_KEY_REVOKE2 fuses burnt. Not sure why (I don't think it was intentional).
Burning a new SECURE_BOOT_DIGEST0 does not seem to work (I don't think it should). And using SECURE_BOOT_DIGEST1 and SECURE_BOOT_DIGEST2 seems not possible since the revoke fuses are burnt (however, they seem to be R/W still).
Can anybody confirm or deny if it's possible to use a new signing key?
Why are SECURE_BOOT_KEY_REVOKE1 and SECURE_BOOT_KEY_REVOKE2 burned? Probably the bootloader did it, but why?
This is an eFuse summary of a sample device used for development:
```text
espefuse.py v4.7.0
Connecting....
Detecting chip type... ESP32-S3
=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
K_RTC_LDO (BLOCK1) BLOCK1 K_RTC_LDO = 52 R/W (0b0001101)
K_DIG_LDO (BLOCK1) BLOCK1 K_DIG_LDO = -64 R/W (0b1010000)
V_RTC_DBIAS20 (BLOCK1) BLOCK1 voltage of rtc dbias20 = 80 R/W (0x14)
V_DIG_DBIAS20 (BLOCK1) BLOCK1 voltage of digital dbias20 = -100 R/W (0x99)
DIG_DBIAS_HVT (BLOCK1) BLOCK1 digital dbias when hvt = -44 R/W (0b11011)
ADC2_CAL_VOL_ATTEN3 (BLOCK1) ADC2 calibration voltage at atten3 = -24 R/W (0b100110)
TEMP_CALIB (BLOCK2) Temperature calibration data = -6.6000000000000005 R/W (0b101000010)
OCODE (BLOCK2) ADC OCode = 79 R/W (0x4f)
ADC1_INIT_CODE_ATTEN0 (BLOCK2) ADC1 init code at atten0 = -92 R/W (0x97)
ADC1_INIT_CODE_ATTEN1 (BLOCK2) ADC1 init code at atten1 = 0 R/W (0b100000)
ADC1_INIT_CODE_ATTEN2 (BLOCK2) ADC1 init code at atten2 = 92 R/W (0b010111)
ADC1_INIT_CODE_ATTEN3 (BLOCK2) ADC1 init code at atten3 = 116 R/W (0b011101)
ADC2_INIT_CODE_ATTEN0 (BLOCK2) ADC2 init code at atten0 = -196 R/W (0xb1)
ADC2_INIT_CODE_ATTEN1 (BLOCK2) ADC2 init code at atten1 = -8 R/W (0b100010)
ADC2_INIT_CODE_ATTEN2 (BLOCK2) ADC2 init code at atten2 = 64 R/W (0b010000)
ADC2_INIT_CODE_ATTEN3 (BLOCK2) ADC2 init code at atten3 = 96 R/W (0b011000)
ADC1_CAL_VOL_ATTEN0 (BLOCK2) ADC1 calibration voltage at atten0 = -16 R/W (0x84)
ADC1_CAL_VOL_ATTEN1 (BLOCK2) ADC1 calibration voltage at atten1 = 508 R/W (0x7f)
ADC1_CAL_VOL_ATTEN2 (BLOCK2) ADC1 calibration voltage at atten2 = 448 R/W (0x70)
ADC1_CAL_VOL_ATTEN3 (BLOCK2) ADC1 calibration voltage at atten3 = -24 R/W (0x86)
ADC2_CAL_VOL_ATTEN0 (BLOCK2) ADC2 calibration voltage at atten0 = -32 R/W (0x88)
ADC2_CAL_VOL_ATTEN1 (BLOCK2) ADC2 calibration voltage at atten1 = -4 R/W (0b1000001)
ADC2_CAL_VOL_ATTEN2 (BLOCK2) ADC2 calibration voltage at atten2 = -16 R/W (0b1000100)
Config fuses:
WR_DIS (BLOCK0) Disable programming of individual eFuses = 58722049 R/W (0x03800701)
RD_DIS (BLOCK0) Disable reading from BlOCK4-10 = 6 R/- (0b0000110)
DIS_ICACHE (BLOCK0) Set this bit to disable Icache = False R/W (0b0)
DIS_DCACHE (BLOCK0) Set this bit to disable Dcache = False R/W (0b0)
DIS_TWAI (BLOCK0) Set this bit to disable CAN function = False R/W (0b0)
DIS_APP_CPU (BLOCK0) Disable app cpu = False R/W (0b0)
DIS_DIRECT_BOOT (BLOCK0) Disable direct boot mode = True R/W (0b1)
UART_PRINT_CONTROL (BLOCK0) Set the default UART boot message output mode = Enable R/W (0b00)
PIN_POWER_SELECTION (BLOCK0) Set default power supply for GPIO33-GPIO37; set wh = VDD3P3_CPU R/W (0b0)
en SPI flash is initialized
PSRAM_CAP (BLOCK1) PSRAM capacity = None R/W (0b00)
PSRAM_TEMP (BLOCK1) PSRAM temperature = None R/W (0b00)
PSRAM_VENDOR (BLOCK1) PSRAM vendor = None R/W (0b00)
BLOCK_USR_DATA (BLOCK3) User data
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_SYS_DATA2 (BLOCK10) System data part 2 (reserved)
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Flash fuses:
FLASH_TPUW (BLOCK0) Configures flash waiting time after power-up; in u = 0 R/W (0x0)
nit of ms. If the value is less than 15; the waiti
ng time is the configurable value. Otherwise; the
waiting time is twice the configurable value
FLASH_ECC_MODE (BLOCK0) Flash ECC mode in ROM = 16to18 byte R/W (0b0)
FLASH_TYPE (BLOCK0) SPI flash type = 4 data lines R/W (0b0)
FLASH_PAGE_SIZE (BLOCK0) Set Flash page size = 0 R/W (0b00)
FLASH_ECC_EN (BLOCK0) Set 1 to enable ECC for flash boot = False R/W (0b0)
FORCE_SEND_RESUME (BLOCK0) Set this bit to force ROM code to send a resume co = False R/W (0b0)
mmand during SPI boot
FLASH_CAP (BLOCK1) Flash capacity = None R/W (0b000)
FLASH_TEMP (BLOCK1) Flash temperature = None R/W (0b00)
FLASH_VENDOR (BLOCK1) Flash vendor = None R/W (0b000)
Identity fuses:
DISABLE_WAFER_VERSION_MAJOR (BLOCK0) Disables check of wafer version major = False R/W (0b0)
DISABLE_BLK_VERSION_MAJOR (BLOCK0) Disables check of blk version major = False R/W (0b0)
WAFER_VERSION_MINOR_LO (BLOCK1) WAFER_VERSION_MINOR least significant bits = 1 R/W (0b001)
PKG_VERSION (BLOCK1) Package version = 0 R/W (0b000)
BLK_VERSION_MINOR (BLOCK1) BLK_VERSION_MINOR = 2 R/W (0b010)
WAFER_VERSION_MINOR_HI (BLOCK1) WAFER_VERSION_MINOR most significant bit = False R/W (0b0)
WAFER_VERSION_MAJOR (BLOCK1) WAFER_VERSION_MAJOR = 0 R/W (0b00)
OPTIONAL_UNIQUE_ID (BLOCK2) Optional unique 128-bit ID
= b5 81 d4 fe 9f 65 5c fd b6 6b 5e ef b5 6d 19 ba R/W
BLK_VERSION_MAJOR (BLOCK2) BLK_VERSION_MAJOR of BLOCK2 = ADC calib V1 R/W (0b01)
WAFER_VERSION_MINOR (BLOCK0) calc WAFER VERSION MINOR = WAFER_VERSION_MINOR_HI = 1 R/W (0x1)
<< 3 + WAFER_VERSION_MINOR_LO (read only)
Jtag fuses:
SOFT_DIS_JTAG (BLOCK0) Set these bits to disable JTAG in the soft way (od = 7 R/W (0b111)
d number 1 means disable ). JTAG can be enabled in
HMAC module
DIS_PAD_JTAG (BLOCK0) Set this bit to disable JTAG in the hard way. JTAG = True R/W (0b1)
is disabled permanently
STRAP_JTAG_SEL (BLOCK0) Set this bit to enable selection between usb_to_jt = False R/W (0b0)
ag and pad_to_jtag through strapping gpio10 when b
oth reg_dis_usb_jtag and reg_dis_pad_jtag are equa
l to 0
Mac fuses:
MAC (BLOCK1) MAC address
= 34:85:18:52:5c:00 (OK) R/W
CUSTOM_MAC (BLOCK3) Custom MAC
= 00:00:00:00:00:00 (OK) R/W
Security fuses:
DIS_DOWNLOAD_ICACHE (BLOCK0) Set this bit to disable Icache in download mode (b = True R/W (0b1)
oot_mode[3:0] is 0; 1; 2; 3; 6; 7)
DIS_DOWNLOAD_DCACHE (BLOCK0) Set this bit to disable Dcache in download mode ( = True R/W (0b1)
boot_mode[3:0] is 0; 1; 2; 3; 6; 7)
DIS_FORCE_DOWNLOAD (BLOCK0) Set this bit to disable the function that forces c = False R/W (0b0)
hip into download mode
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0) Set this bit to disable flash encryption when in d = False R/W (0b0)
ownload boot modes
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set = Enable R/W (0b001)
and disabled otherwise
SECURE_BOOT_KEY_REVOKE0 (BLOCK0) Revoke 1st secure boot key = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0) Revoke 2nd secure boot key = True R/W (0b1)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0) Revoke 3rd secure boot key = True R/W (0b1)
KEY_PURPOSE_0 (BLOCK0) Purpose of Key0 = SECURE_BOOT_DIGEST0 R/- (0x9)
KEY_PURPOSE_1 (BLOCK0) Purpose of Key1 = XTS_AES_256_KEY_1 R/- (0x2)
KEY_PURPOSE_2 (BLOCK0) Purpose of Key2 = XTS_AES_256_KEY_2 R/- (0x3)
KEY_PURPOSE_3 (BLOCK0) Purpose of Key3 = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0) Purpose of Key4 = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0) Purpose of Key5 = USER R/W (0x0)
SECURE_BOOT_EN (BLOCK0) Set this bit to enable secure boot = True R/W (0b1)
SECURE_BOOT_AGGRESSIVE_REVOKE (BLOCK0) Set this bit to enable revoking aggressive secure = False R/W (0b0)
boot
DIS_DOWNLOAD_MODE (BLOCK0) Set this bit to disable download mode (boot_mode[3 = False R/W (0b0)
:0] = 0; 1; 2; 3; 6; 7)
ENABLE_SECURITY_DOWNLOAD (BLOCK0) Set this bit to enable secure UART download mode = False R/W (0b0)
SECURE_VERSION (BLOCK0) Secure version (used by ESP-IDF anti-rollback feat = 0 R/W (0x0000)
ure)
BLOCK_KEY0 (BLOCK4)
Purpose: SECURE_BOOT_DIGEST0
Key0 or user data
= 0b aa 7f 66 16 11 01 b1 c3 ee 6b 78 d8 ab 38 dc 20 ae fb e9 43 9e 87 ce 86 44 a7 bd 20 c7 ef fb R/-
BLOCK_KEY1 (BLOCK5)
Purpose: XTS_AES_256_KEY_1
Key1 or user data
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK_KEY2 (BLOCK6)
Purpose: XTS_AES_256_KEY_2
Key2 or user data
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK_KEY3 (BLOCK7)
Purpose: USER
Key3 or user data
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY4 (BLOCK8)
Purpose: USER
Key4 or user data
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY5 (BLOCK9)
Purpose: USER
Key5 or user data
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Spi Pad fuses:
SPI_PAD_CONFIG_CLK (BLOCK1) SPI_PAD_configure CLK = 0 R/W (0b000000)
SPI_PAD_CONFIG_Q (BLOCK1) SPI_PAD_configure Q(D1) = 0 R/W (0b000000)
SPI_PAD_CONFIG_D (BLOCK1) SPI_PAD_configure D(D0) = 0 R/W (0b000000)
SPI_PAD_CONFIG_CS (BLOCK1) SPI_PAD_configure CS = 0 R/W (0b000000)
SPI_PAD_CONFIG_HD (BLOCK1) SPI_PAD_configure HD(D3) = 0 R/W (0b000000)
SPI_PAD_CONFIG_WP (BLOCK1) SPI_PAD_configure WP(D2) = 0 R/W (0b000000)
SPI_PAD_CONFIG_DQS (BLOCK1) SPI_PAD_configure DQS = 0 R/W (0b000000)
SPI_PAD_CONFIG_D4 (BLOCK1) SPI_PAD_configure D4 = 0 R/W (0b000000)
SPI_PAD_CONFIG_D5 (BLOCK1) SPI_PAD_configure D5 = 0 R/W (0b000000)
SPI_PAD_CONFIG_D6 (BLOCK1) SPI_PAD_configure D6 = 0 R/W (0b000000)
SPI_PAD_CONFIG_D7 (BLOCK1) SPI_PAD_configure D7 = 0 R/W (0b000000)
Usb fuses:
DIS_USB_OTG (BLOCK0) Set this bit to disable USB function = False R/W (0b0)
USB_EXCHG_PINS (BLOCK0) Set this bit to exchange USB D+ and D- pins = False R/W (0b0)
USB_EXT_PHY_ENABLE (BLOCK0) Set this bit to enable external PHY = False R/W (0b0)
DIS_USB_JTAG (BLOCK0) Set this bit to disable function of usb switch to = True R/W (0b1)
jtag in module of usb device
DIS_USB_SERIAL_JTAG (BLOCK0) Set this bit to disable usb device = False R/W (0b0)
USB_PHY_SEL (BLOCK0) This bit is used to switch internal PHY and extern
= internal PHY is assigned to USB Device while external PHY is assigned to USB OTG R/W (0b0)
al PHY for USB OTG and USB Device
DIS_USB_SERIAL_JTAG_ROM_PRINT (BLOCK0) USB printing = Enable R/W (0b0)
DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE (BLOCK0) Set this bit to disable UART download mode through = False R/W (0b0)
USB
DIS_USB_OTG_DOWNLOAD_MODE (BLOCK0) Set this bit to disable download through USB-OTG = False R/W (0b0)
Vdd fuses:
VDD_SPI_XPD (BLOCK0) SPI regulator power up signal = False R/W (0b0)
VDD_SPI_TIEH (BLOCK0) If VDD_SPI_FORCE is 1; determines VDD_SPI voltage
= VDD_SPI connects to 1.8 V LDO R/W (0b0)
VDD_SPI_FORCE (BLOCK0) Set this bit and force to use the configuration of = False R/W (0b0)
eFuse to configure VDD_SPI
Wdt fuses:
WDT_DELAY_SEL (BLOCK0) RTC watchdog timeout threshold; in unit of slow cl = 40000 R/W (0b00)
ock cycle
Flash voltage (VDD_SPI) determined by GPIO45 on reset (GPIO45=High: VDD_SPI pin is powered from internal 1.8V LDO
GPIO45=Low or NC: VDD_SPI pin is powered directly from VDD3P3_RTC_IO via resistor Rspi. Typically this voltage is 3.3 V).
```
```text
CONFIG_IDF_TARGET="esp32s3"
CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_DISABLE_ROM_DL_MODE=y
CONFIG_SECURE_BOOT_SIGNING_KEY="main/security/secure_boot/rel/secure_boot_key_0.pem"
CONFIG_LOG_DEFAULT_LEVEL_ERROR=y
CONFIG_TARGET_DEVICE_RELEASE_BUILD=y
CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES256=y
CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_APP_RETRIEVE_LEN_ELF_SHA=16
CONFIG_PARTITION_TABLE_OFFSET=0x10000
CONFIG_COMPILER_OPTIMIZATION_SIZE=y
CONFIG_BT_ENABLED=y
CONFIG_BT_NIMBLE_ENABLED=y
CONFIG_BT_NIMBLE_MAX_CONNECTIONS=1
CONFIG_BT_NIMBLE_MAX_BONDS=2
CONFIG_BT_NIMBLE_MAX_CCCDS=4
CONFIG_BT_NIMBLE_ATT_PREFERRED_MTU=512
CONFIG_ESP_MAIN_TASK_STACK_SIZE=4096
CONFIG_FREERTOS_PLACE_FUNCTIONS_INTO_FLASH=y
CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
CONFIG_LWIP_TCP_WND_DEFAULT=5744
CONFIG_TARGET_DEVICE_CERT_TYPE="REL"
```

```text
CONFIG_IDF_TARGET="esp32s3"
CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_SIGNING_KEY="main/security/secure_boot/dev/secure_boot_key_0.pem"
CONFIG_LOG_DEFAULT_LEVEL_INFO=y
CONFIG_FREERTOS_USE_TRACE_FACILITY=y
CONFIG_FREERTOS_USE_STATS_FORMATTING_FUNCTIONS=y
CONFIG_FREERTOS_VTASKLIST_INCLUDE_COREID=y
CONFIG_FREERTOS_VTASKLIST_INCLUDE_COREID=y
CONFIG_FREERTOS_GENERATE_RUN_TIME_STATS=y
CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES256=y
CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_APP_RETRIEVE_LEN_ELF_SHA=16
CONFIG_PARTITION_TABLE_OFFSET=0x10000
CONFIG_COMPILER_OPTIMIZATION_SIZE=y
CONFIG_BT_ENABLED=y
CONFIG_BT_NIMBLE_ENABLED=y
CONFIG_BT_NIMBLE_MAX_CONNECTIONS=1
CONFIG_BT_NIMBLE_MAX_BONDS=2
CONFIG_BT_NIMBLE_MAX_CCCDS=4
CONFIG_BT_NIMBLE_ATT_PREFERRED_MTU=512
CONFIG_ESP_MAIN_TASK_STACK_SIZE=4096
CONFIG_FREERTOS_PLACE_FUNCTIONS_INTO_FLASH=y
CONFIG_LWIP_TCP_SND_BUF_DEFAULT=5744
CONFIG_LWIP_TCP_WND_DEFAULT=5744
CONFIG_TARGET_DEVICE_CERT_TYPE="DEV"
```
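As an added illustration (not code from the post or from ESP-IDF), here is a small Python checker that reads the secure-boot fields out of an `espefuse.py summary` in the format quoted above and reports whether any digest slot is still free for a new signing key. It assumes the ESP32-S3 Secure Boot V2 layout of three digest slots (SECURE_BOOT_DIGEST0..2), each tied to a SECURE_BOOT_KEY_REVOKEn bit that, like any eFuse bit, can only be burnt from 0 to 1 and never cleared; the sample summary lines are copied from the post.

```python
import re

# Constructed sample: the secure-boot-relevant lines of the espefuse.py summary
# quoted in the post above (dev digest in slot 0, slots 1 and 2 revoked).
SUMMARY = """\
SECURE_BOOT_KEY_REVOKE0 (BLOCK0) Revoke 1st secure boot key = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0) Revoke 2nd secure boot key = True R/W (0b1)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0) Revoke 3rd secure boot key = True R/W (0b1)
KEY_PURPOSE_0 (BLOCK0) Purpose of Key0 = SECURE_BOOT_DIGEST0 R/- (0x9)
KEY_PURPOSE_1 (BLOCK0) Purpose of Key1 = XTS_AES_256_KEY_1 R/- (0x2)
KEY_PURPOSE_2 (BLOCK0) Purpose of Key2 = XTS_AES_256_KEY_2 R/- (0x3)
KEY_PURPOSE_3 (BLOCK0) Purpose of Key3 = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0) Purpose of Key4 = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0) Purpose of Key5 = USER R/W (0x0)
SECURE_BOOT_EN (BLOCK0) Set this bit to enable secure boot = True R/W (0b1)
"""

# "NAME (BLOCKn) description = value ACCESS (raw)"; the description may itself
# contain '=', so anchor on the trailing "value ACCESS (raw)" part of the line.
FIELD_RE = re.compile(r"^(\w+)\s+\(BLOCK\d+\).*=\s*(\S+)\s+([R-]/[W-])\s*(?:\(.*\))?\s*$")

def parse_summary(text):
    """Return {name: (value, access)} for every single-line field in the summary."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = (m.group(2), m.group(3))
    return fields

def secure_boot_slots(fields):
    """Classify the three Secure Boot V2 digest slots as active, revoked or free."""
    purposes = [fields.get(f"KEY_PURPOSE_{n}", ("?", ""))[0] for n in range(6)]
    status = {}
    for i in range(3):
        revoked = fields.get(f"SECURE_BOOT_KEY_REVOKE{i}", ("False", ""))[0] == "True"
        assigned = f"SECURE_BOOT_DIGEST{i}" in purposes
        # A burnt revoke bit is permanent: the "R/W" column only says the bit is
        # not write-protected, not that it can be cleared back to 0.
        status[i] = "revoked" if revoked else ("active" if assigned else "free")
    return status

def can_rotate_key(fields):
    """A new signing key needs secure boot on, a free digest slot and a free (USER) key block."""
    free_slot = any(s == "free" for s in secure_boot_slots(fields).values())
    free_block = any(fields.get(f"KEY_PURPOSE_{n}", ("",))[0] == "USER" for n in range(6))
    return fields.get("SECURE_BOOT_EN", ("False",))[0] == "True" and free_slot and free_block

if __name__ == "__main__":
    f = parse_summary(SUMMARY)
    print(secure_boot_slots(f), "rotation possible:", can_rotate_key(f))
```

For the summary in the post it reports slot 0 active and slots 1 and 2 revoked, so no slot is left for a second digest; run it against a device whose REVOKE1 bit is still 0 and slot 1 shows as free.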