Unable to sign with different Secure Boot and Flash Encryption keys !

[Tahir Shaik]

Hi!
I'm following the below steps:-

1. Generated the Encryption keys
--> python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_flash_encryption_key flash_encryption_key.bin
--> python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_signing_key secure_boot_signing_key.pem

2. Enabled the menuconfig options
App Signing Scheme (ECDSA) --->
[*] Enable hardware Secure Boot in bootloader (READ DOCS FIRST)
Select secure boot version (Enable Secure Boot version 1) --->
Secure bootloader mode (Reflashable) --->
[*] Sign binaries during build
(secure_boot_signing_key.pem) Secure boot private signing key
Hardware Key Encoding (No encoding (256 bit key)) --->
[*] Allow potentially insecure options
[*] Enable flash encryption on boot (READ DOCS FIRST)
Enable usage mode (Development(NOT SECURE)) --->
Potentially insecure options --->

3. Built the project & got secure-bootloader-key-256.bin (/build/bootloader)

4.Burnt the efuses
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption flash_encryption_key.bin
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key secure_boot secure-bootloader-key-256.bin

5. Enabled Flash Encryption mechanism
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CNT
# Configuring Flash Encryption to use all address bits together with Encryption key (max value 0x0F)
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CONFIG 0x0F

6. Enabled Secure Boot mechanism
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse ABS_DONE_0

7.Encrypted the partitions and helloworld

espsecure encrypt_flash_data build/partition_table/partition-table-unsigned.bin --keyfile ./flash_encryption_key.bin --address 0xC000 -o partition_en.bin

espsecure encrypt_flash_data build/hello-world.bin --keyfile ./flash_encryption_key.bin --address 0x20000 -o helloworld_en.bin


8. Flash: bootloader-digest at address 0x0 and encrypted; all the others (partitions and application) encrypted.
python $IDF_PATH/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before no_reset --after no_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x0 bootloader-reflash-digest.bin_enc 0xC000 partitions_en.bin 0x20000 helloworld_en.bin

I get the error:

******** SNIP *********
rst:0x10 (RTCWDT_RTC_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57
******** SNIP *********

It works normally when the flash encryption is disabled .
espefuse summary

FUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
BLK3_PART_RESERVE (BLOCK0): BLOCK3 partially served for ADC calibration data = False R/W (0b0)
ADC_VREF (BLOCK0): Voltage reference calibration = 1100 R/W (0b00000)

Config fuses:
XPD_SDIO_FORCE (BLOCK0): Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
XPD_SDIO_REG (BLOCK0): If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0): If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0): 8MHz clock freq override = 51 R/W (0x33)
SPI_PAD_CONFIG_CLK (BLOCK0): Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0): Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0): Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0): Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0): Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0): Disable SDIO host = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0): Efuse write disable mask = 384 R/W (0x0180)
RD_DIS (BLOCK0): Efuse read disable mask = 3 R/W (0x3)
CODING_SCHEME (BLOCK0): Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0): Usage of efuse block 3 (reserved) = False R/W (0b0)

Identity fuses:
MAC (BLOCK0): Factory MAC Address
= 30:ae:a4:73:a3:cc (CRC 0x02 OK) R/W
MAC_CRC (BLOCK0): CRC8 for factory MAC address = 2 R/W (0x02)
CHIP_VER_REV1 (BLOCK0): Silicon Revision 1 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0): Silicon Revision 2 = False R/W (0b0)
CHIP_VERSION (BLOCK0): Reserved for future chip versions = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0): Chip package identifier = 0 R/W (0b000)
MAC_VERSION (BLOCK3): Version of the MAC field = 0 R/W (0x00)

Security fuses:

FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 7 R/W (0b0000111)
UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0): Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback = True R/W (0b1)
ABS_DONE_0 (BLOCK0): secure boot enabled for bootloader = True R/W (0b1)
ABS_DONE_1 (BLOCK0): secure boot abstract 1 locked = False R/W (0b0)
JTAG_DISABLE (BLOCK0): Disable JTAG = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0): Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0): Disable flash decryption in UART bootloader = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0): Disable flash cache in UART bootloader = False R/W (0b0)
BLK1 (BLOCK1): Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 (BLOCK2): Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 (BLOCK3): Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).

espefuse output


Am i missing any signing steps?
Thanks...................!

[ESP_Angus]

Hi Tahir,

Thanks for the comprehensive details.

The error "flash read err, 1000" on boot means that the ROM can't find a valid bootloader at address 0x1000.

What were the steps you used to create bootloader-reflash-digest.bin_enc? Is it possible this wasn't encrypted correctly (ie using correct key and address 0x0 to encrypt bootloader-reflash-digest.bin file.)

Angus

[Tahir Shaik]

Hi ESP_Angus,

Thank you for your reply,

****** Error: flash read err, 1000 *******
The error "flash read err, 1000" on boot means that the ROM can't find a valid bootloader at address 0x1000.

Yes i understood that this is something wrong with the bootloader from an earlier post,

>> What were the steps you used to create bootloader-reflash-digest.bin_enc? Is it possible this wasn't encrypted correctly (i.e., using correct key and address 0x0 to encrypt bootloader-reflash-digest.bin file.)

1. For the First time, i programmed bootloader-reflash-digest.bin from the build/bootloader folder
2. Tried to manually encrypt the boot & program it into 0x0
python $IDF_PATH/components/esptool_py/esptool/espsecure.py encrypt_flash_data --keyfile secure-bootloader-key.bin --address 0x0 -o bootloader-reflash-digest.bin_enc bootloader.bin

[WiFive]

If you are manually encrypting the bootloader then you have to flash it to 0x1000 and also create the secure boot digest and flash it to 0x0.

[Tahir Shaik]

Hi ESP_Angus,

It's working..

Thank you for your replay