Before that I tested flash encryption only, and it succeeded.
But with both enabled, I got:

secure boot check fail

I bricked 2 dev boards with the same monitor logging results.
Before making further tests, which could probably cost me more dev boards, I tried to verify my app.bin with espsecure.py on my PC.
And I've found that there is a bug in it.
I've found that espsecure.py can only verify the data bin file with the signing private key. It worked with the private key:

espsecure.py v2.5.0
Verifying 216016 bytes of data
Signature is valid

I extracted the public key from the private key with the espsecure.py extract_public_key command:

espsecure.py v2.5.0
secure_boot_signing_key.pem public key extracted to public_key.pem

And then when I verify_signature the data bin file with the generated public key, an error occurs.
I paste the log here:

python espsecure.py verify_signature --keyfile public_key.pem VS_app_signed.bin
espsecure.py v2.5.0
Traceback (most recent call last):
File "espsecure.py", line 156, in verify_signature
sk = _load_key(args) # try to load as private key first
File "espsecure.py", line 123, in _load_key
sk = ecdsa.SigningKey.from_pem(args.keyfile.read())
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\keys.py", line 159, in from_pem
privkey_pem = string[string.index(b("-----BEGIN EC PRIVATE KEY-----")):]
ValueError: subsection not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "espsecure.py", line 401, in <module>
_main()
File "espsecure.py", line 394, in _main
main()
File "espsecure.py", line 389, in main
operation_func(args)
File "espsecure.py", line 160, in verify_signature
vk = ecdsa.VerifyingKey.from_pem(args.keyfile.read())
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\keys.py", line 52, in from_pem
return klass.from_der(der.unpem(string))
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\der.py", line 191, in unpem
return base64.b64decode(d)
File "C:\Python37\lib\base64.py", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding

I doubt if the bootloader uses a similar method and could go wrong, too.
But at least espsecure.py has a bug. So I reported it here.
Hope someone experienced could tell me what this means:

secure boot check fail

The error message is not very clear. I don't know if the bootloader's digest check fails and the bootloader is not booted at all, or the signature check of the partition table and app fails.