Secure boot and flash encryption with remote signing and OTA

[maczar]

Hi everyone!

I'm working on a project that's using ESP32-WROOM-32U chip with 4MB flash. I'm using ESP-IDF v4.0.1.
Device is connected to the internet and cloud platform over WiFi. Currently updates are provided by http OTA - works flawlessly, there are some failsave functions added to ensure robustness.

There are two OTA partitions and no factory partition:

Code: Select all

# ESP-IDF Partition Table
# Name,   Type, SubType, Offset,  Size, Flags
nvs,      data, nvs,     0x9000,  0x4000,
otadata,  data, ota,     0xd000,  0x2000,
phy_init, data, phy,     0xf000,  0x1000,
ota_0,    0,    ota_0,  0x10000, 0x150000, encrypted
ota_1,    0,    ota_1,  0x160000, 0x150000, encrypted

My main goal is to enable both secure boot and flash encryption.
I need to send already encrypted (on remote PC) binary to the device during update procedure, so no plain-text data is send over network at any case.

As far as I understand docs I shoud do the following procedure:

1. Generate secure boot signing key using

Code: Select all

openssl ecparam -name prime256v1 -genkey -noout -out [device_id]_secure_boot_signing_private_key.pem

- it'll be individual for each device

2. Extract public key from private key:

Code: Select all

espsecure.py extract_public_key --keyfile [device_id]_secure_boot_signing_private_key.pem [device_id]_secure_boot_signing_public_key.bin

3. Generate flash encryption key using

Code: Select all

espsecure.py generate_flash_encryption_key [device_id]_flash_encryption_key.bin

- it'll be individual for each device as well

4. Burn flash encryption key to EFUSE

Code: Select all

espefuse.py --port PORT burn_key flash_encryption [device-id]_flash_encryption_key.bin

5. Enable "Enable hardware secure boot in bootloader" options in sdkconfig->Security features

6. Select "One-time flash" as "Secure bootloader mode"

7. Unselect the "Sign binaries during build" option to enable remote signing of images

8. Provide path to key extracted in 2. step

9. Save SDK Config

10. Run

Code: Select all

idf.py bootloader

to build bootloader

11. Run

Code: Select all

idf.py -p PORT bootloader-flash

to flash bootloader to device

Power cycle with GPIO0=GND to enter bootloader again

12. Encrypt partition table

Code: Select all

espsecure.py encrypt_flash_data –k [my_flash_encryption_key_form_step_3].bin --address 0x1000 –o [bootloader_encrypted].bin [bootloader].bin 

12. Sign encrypted partition table as suggested by compiler in step 10. using [...]\.espressif\python_env\idf4.0_py3.7_env\Scripts\python.exe [...]/ESP_IDF/components/esptool_py/esptool/espsecure.py sign_data --keyfile PRIVATE_KEY_FROM_STEP_1 [...]/build/partition_table/partition-table.bin

13. Flash partition table

Code: Select all

esptool.py --port PORT --baud 460800 write_flash 0x8000 partition-table.bin

Power cycle with GPIO0=GND to enter bootloader again

14. Encrypt firmware for partition OTA_0

Code: Select all

espsecure.py encrypt_flash_data –k [my_flash_encryption_key_form_step_3].bin --address 0x10000 –o ota0_encrypted.bin firmware_compiled.bin 

15. Sign encrypted firmware for OTA_0

Code: Select all

espsecure.py sign_data --keyfile PRIVATE_KEY_FROM_STEP_1 --output ota0_encrypted_signed.bin ota0_encrypted.bin

16. Flash firmware

Code: Select all

esptool.py --port PORT --baud 460800 write_flash 0x10000 ota0_encrypted_signed.bin

Power cycle with GPIO0=GND to enter bootloader again

16. Burn efuse for encrypted firmware

Code: Select all

espefuse.py burn_efuse FLASH_CRYPT_CNT

Power cycle

After those steps device is not powering up (there's nothing on the UART output, program doesn't start a well).

What am I doing wrong?

And next question about preparing future firmware updates:
I need to compile them, encrypt (system will take care of providing correct offset for encryption [it'll know whic partition is now in use and which will be updated]), sign and provide system with that binary?

Thanks for your help.
Maciej