Problems enabling secure boot: csum err

vonnieda
Posts: 145
Joined: Tue Nov 07, 2017 3:42 pm

Problems enabling secure boot: csum err

Postby vonnieda » Fri Aug 30, 2019 10:19 pm

Hi all,

I'm testing out secure boot with flash encryption and it doesn't seem to be working for me. I've tried three different chips and have tried to follow the instructions to the letter and every time I end up with:

Code: Select all

rst:0x10 (RTCWDT_RTC_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:9632
ho 0 tail 12 room 4
load:0x40078000,len:22476
csum err:0x74!=0xff
ets_main.c 371 
I am using release 3.0 (6cb8d169368623a9e20c3f49493e277d332a5dde) and using instructions at https://docs.espressif.com/projects/esp ... -boot.html.

In my sdkconfig I've enabled:

Code: Select all

CONFIG_SECURE_BOOT_ENABLED=y
CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=y
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
CONFIG_SECURE_BOOT_INSECURE=
CONFIG_FLASH_ENCRYPTION_ENABLED=y
CONFIG_FLASH_ENCRYPTION_INSECURE=
I generated secure_boot_signing_key.pem using the command output from make, then ran make bootloader and ran the flash command. The bootloader flashed successfully. Checking make monitor I get:

Code: Select all

ets Jun  8 2016 00:22:57

rst:0x1 (POWERON_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:9632
ho 0 tail 12 room 4
load:0x40078000,len:22476
entry 0x400792ac
I (28) boot: ESP-IDF v3.0.8-24-gad783f2ff 2nd stage bootloader
I (28) boot: compile time 17:02:30
I (28) boot: Enabling RNG early entropy source...
I (34) boot: SPI Speed      : 40MHz
I (38) boot: SPI Mode       : DIO
I (42) boot: SPI Flash Size : 4MB
E (46) flash_parts: partition 0 invalid magic number 0x812a
E (52) boot: Failed to verify partition table
E (57) boot: load partition table error!
user code done
Then I run make flash monitor and after it completes successfully I see:

Code: Select all

ets Jun  8 2016 00:22:57

rst:0x1 (POWERON_RESET),boot:0x3f (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:9632
ho 0 tail 12 room 4
load:0x40078000,len:22476
csum err:0x74!=0xff
ets_main.c 371 
And this repeats forever. Running a fuse summary shows that none of the secure boot or flash encryption fuses have been burned:

Code: Select all

espefuse.py v2.6
Connecting....
EFUSE_NAME             Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Security fuses:
FLASH_CRYPT_CNT        Flash encryption mode counter                     = 0 R/W (0x0)
FLASH_CRYPT_CONFIG     Flash encryption config (key tweak bits)          = 0 R/W (0x0)
CONSOLE_DEBUG_DISABLE  Disable ROM BASIC interpreter fallback            = 1 R/W (0x1)
ABS_DONE_0             secure boot enabled for bootloader                = 0 R/W (0x0)
ABS_DONE_1             secure boot abstract 1 locked                     = 0 R/W (0x0)
JTAG_DISABLE           Disable JTAG                                      = 0 R/W (0x0)
DISABLE_DL_ENCRYPT     Disable flash encryption in UART bootloader       = 0 R/W (0x0)
DISABLE_DL_DECRYPT     Disable flash decryption in UART bootloader       = 0 R/W (0x0)
DISABLE_DL_CACHE       Disable flash cache in UART bootloader            = 0 R/W (0x0)
BLK1                   Flash encryption key                              
  = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLK2                   Secure boot key                                   
  = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLK3                   Variable Block 3                                  
  = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
And if I then disable flash encryption and secure boot and flash normally everything works fine, proving again that none of the fuses have been blown.

So, what am I missing here?

Thanks,
Jason

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Problems enabling secure boot: csum err

Postby WiFive » Fri Aug 30, 2019 10:35 pm


vonnieda
Posts: 145
Joined: Tue Nov 07, 2017 3:42 pm

Re: Problems enabling secure boot: csum err

Postby vonnieda » Sat Aug 31, 2019 3:48 pm

Thanks WiFive, that looks like it's probably it. I can't test till Monday, but I just ran a full flash command with the bootloader included and it complained about the overlap.

Seems like this could be a really simple fix from Espressif's perspective? If secure boot and flash encryption are enabled, maybe just throw a message during `make bootloader` that says to check if your bootloader is over the normal size limit? Might save a lot of developers a lot of time.

Thanks,
Jason

vonnieda
Posts: 145
Joined: Tue Nov 07, 2017 3:42 pm

Re: Problems enabling secure boot: csum err

Postby vonnieda » Tue Sep 03, 2019 2:41 pm

Hi WiFive, back at work now and trying this out. How do I change the partition table offset in IDF 3.0? I don't see the option in the menuconfig.

Thanks,
Jason

Mr_Red
Posts: 23
Joined: Mon Sep 11, 2017 12:41 pm

Re: Problems enabling secure boot: csum err

Postby Mr_Red » Tue Sep 03, 2019 3:42 pm

You can't change the partition table address in IDF 3.0.x. You can reduce the log level for the bootloader to prevent overlapping the partition table.

vonnieda
Posts: 145
Joined: Tue Nov 07, 2017 3:42 pm

Re: Problems enabling secure boot: csum err

Postby vonnieda » Tue Sep 03, 2019 6:09 pm

Thanks Mr_Red, I'll try that!

Who is online

Users browsing this forum: No registered users and 115 guests