Secure boot test mode after configuration of pre-encrypted flashing procedure
Posted: Wed Apr 03, 2019 2:03 pm
Hello,
I'm currently working on an ESP32 project in which I am using the flash encryption and secure boot features.
I followed the instructions in this post (viewtopic.php?f=2&t=7318) to flash pre-encrypted data via esptool.py and the serial interface on the ESP32.
In the menuconfig of the main application, "secure boot" and "signing" of created binaries are enabled.
This is a simplified version of my build procedure:
Code:
#!/bin/bash
cd App
make
cd ..
# encryption key
python2 espefuse.py --port /dev/ttyACM0 burn_key flash_encryption "${FLASH_ENCRYPTION_KEY}"
# secure boot key
python2 espefuse.py --port /dev/ttyACM0 burn_key secure_boot "${SECURE_BOOT_KEY}"
# enable flashing of pre-encrypted data
python2 espefuse.py --port /dev/ttyACM0 burn_efuse FLASH_CRYPT_CNT
python2 espefuse.py --port /dev/ttyACM0 burn_efuse FLASH_CRYPT_CONFIG 0xF
# flash pre-encrypted data (esptool.py takes the serial device via --port)
python2 esptool.py --chip esp32 --port /dev/ttyACM0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 "${ENCRYPTED_BOOTLOADER}"
python2 esptool.py --chip esp32 --port /dev/ttyACM0 --baud 921600 write_flash -z 0x10000 "${ENCRYPTED_PARTITIONS}"
...
The device boots up fine after finishing the flashing procedure. The app starts as expected.
The problem is, when I'm checking the log with "make monitor" I encounter this entry:
Code:
W (1636) secure_boot: Using pre-loaded secure boot key in EFUSE block 2
I (1640) secure_boot: Generating secure boot digest...
I (1697) secure_boot: Digest generation complete.
I (1697) secure_boot: blowing secure boot efuse...
I (1697) secure_boot: Disable JTAG...
I (1701) secure_boot: Disable ROM BASIC interpreter fallback...
E (1707) secure_boot: SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE
E (1716) secure_boot: secure boot not enabled due to test mode
E (1722) boot: Bootloader digest generation failed (259). SECURE BOOT IS NOT ENABLED.
I (1731) boot: Checking flash encryption...
I (1736) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
I (1744) boot: Disabling RNG early entropy source...
The problem lies in this section:
Code:
E (1707) secure_boot: SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE
E (1716) secure_boot: secure boot not enabled due to test mode
E (1722) boot: Bootloader digest generation failed (259). SECURE BOOT IS NOT ENABLED.
I suspect that I need to burn some more efuses manually to fix this issue, but I can't find any information in the official documentation or on this forum. I hope somebody can help me with this problem. I appreciate any help.
Thanks for the support.
Greetings
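A provisioning-line check for the boot log quoted in the post above, as an added example that is not part of the original post or of ESP-IDF: it parses captured monitor output and fails the device when the secure boot errors shown there appear. The names `assess`, `gate_passes` and `SAMPLE_LOG` are hypothetical, and only message strings that appear in the quoted log are matched.

```python
import re

# Constructed sample: bootloader lines copied from the log quoted in the post.
SAMPLE_LOG = """\
W (1636) secure_boot: Using pre-loaded secure boot key in EFUSE block 2
I (1697) secure_boot: Digest generation complete.
E (1707) secure_boot: SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE
E (1716) secure_boot: secure boot not enabled due to test mode
E (1722) boot: Bootloader digest generation failed (259). SECURE BOOT IS NOT ENABLED.
I (1736) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
"""

ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")            # colour codes a serial monitor may add
LINE_RE = re.compile(r"^([EWIDV]) \((\d+)\) ([^:]+): (.*)$")
FLASH_RE = re.compile(r"flash encryption is enabled \((\d+) plaintext flashes left\)")


def assess(log_text):
    """Summarise secure boot / flash encryption state from a captured boot log."""
    report = {"secure_boot": "no_failure_logged", "flash_encryption": False,
              "plaintext_flashes_left": None, "errors": []}
    for raw in log_text.splitlines():
        m = LINE_RE.match(ANSI_RE.sub("", raw).strip())
        if not m:
            continue                                # ROM banner, app output, noise
        level, ms, tag, msg = m.groups()
        if level == "E" and tag in ("secure_boot", "boot"):
            report["errors"].append((int(ms), tag, msg))
        if tag == "secure_boot" and "TEST MODE" in msg:
            report["secure_boot"] = "test_mode"     # most specific cause wins
        elif "SECURE BOOT IS NOT ENABLED" in msg and report["secure_boot"] != "test_mode":
            report["secure_boot"] = "not_enabled"
        fe = FLASH_RE.search(msg) if tag == "flash_encrypt" else None
        if fe:
            report["flash_encryption"] = True
            report["plaintext_flashes_left"] = int(fe.group(1))
    return report


def gate_passes(report):
    """True only if no secure boot failure was logged and flash encryption is on.
    A clean log is necessary, not sufficient: confirm by reading the eFuses back."""
    return (report["secure_boot"] == "no_failure_logged"
            and report["flash_encryption"] and not report["errors"])


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print(result["secure_boot"], result["plaintext_flashes_left"], gate_passes(result))
```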