Hi!
I'm following the steps below:
1. Generated the Encryption keys
--> python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_flash_encryption_key flash_encryption_key.bin
--> python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_signing_key secure_boot_signing_key.pem
2. Enabled the menuconfig options
App Signing Scheme (ECDSA) --->
[*] Enable hardware Secure Boot in bootloader (READ DOCS FIRST)
Select secure boot version (Enable Secure Boot version 1) --->
Secure bootloader mode (Reflashable) --->
[*] Sign binaries during build
(secure_boot_signing_key.pem) Secure boot private signing key
Hardware Key Encoding (No encoding (256 bit key)) --->
[*] Allow potentially insecure options
[*] Enable flash encryption on boot (READ DOCS FIRST)
Enable usage mode (Development(NOT SECURE)) --->
Potentially insecure options --->
3. Built the project & got secure-bootloader-key-256.bin (/build/bootloader)
4. Burnt the eFuses
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption flash_encryption_key.bin
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key secure_boot secure-bootloader-key-256.bin
5. Enabled Flash Encryption mechanism
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CNT
# Configuring Flash Encryption to use all address bits together with Encryption key (max value 0x0F)
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CONFIG 0x0F
6. Enabled Secure Boot mechanism
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse ABS_DONE_0
7. Encrypted the partitions and helloworld
espsecure encrypt_flash_data build/partition_table/partition-table-unsigned.bin --keyfile ./flash_encryption_key.bin --address 0xC000 -o partitions_en.bin
espsecure encrypt_flash_data build/hello-world.bin --keyfile ./flash_encryption_key.bin --address 0x20000 -o helloworld_en.bin
8. Flash: bootloader-digest at address 0x0 and encrypted; all the others (partitions and application) encrypted.
python $IDF_PATH/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before no_reset --after no_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x0 bootloader-reflash-digest.bin_enc 0xC000 partitions_en.bin 0x20000 helloworld_en.bin
I get the error:
******** SNIP *********
rst:0x10 (RTCWDT_RTC_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57
******** SNIP *********
It works normally when the flash encryption is disabled.
espefuse summary
FUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
BLK3_PART_RESERVE (BLOCK0): BLOCK3 partially served for ADC calibration data = False R/W (0b0)
ADC_VREF (BLOCK0): Voltage reference calibration = 1100 R/W (0b00000)
Config fuses:
XPD_SDIO_FORCE (BLOCK0): Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
XPD_SDIO_REG (BLOCK0): If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0): If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0): 8MHz clock freq override = 51 R/W (0x33)
SPI_PAD_CONFIG_CLK (BLOCK0): Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0): Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0): Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0): Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0): Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0): Disable SDIO host = False R/W (0b0)
Efuse fuses:
WR_DIS (BLOCK0): Efuse write disable mask = 384 R/W (0x0180)
RD_DIS (BLOCK0): Efuse read disable mask = 3 R/W (0x3)
CODING_SCHEME (BLOCK0): Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0): Usage of efuse block 3 (reserved) = False R/W (0b0)
Identity fuses:
MAC (BLOCK0): Factory MAC Address
= 30:ae:a4:73:a3:cc (CRC 0x02 OK) R/W
MAC_CRC (BLOCK0): CRC8 for factory MAC address = 2 R/W (0x02)
CHIP_VER_REV1 (BLOCK0): Silicon Revision 1 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0): Silicon Revision 2 = False R/W (0b0)
CHIP_VERSION (BLOCK0): Reserved for future chip versions = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0): Chip package identifier = 0 R/W (0b000)
MAC_VERSION (BLOCK3): Version of the MAC field = 0 R/W (0x00)
Security fuses:
FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 7 R/W (0b0000111)
UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0): Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback = True R/W (0b1)
ABS_DONE_0 (BLOCK0): secure boot enabled for bootloader = True R/W (0b1)
ABS_DONE_1 (BLOCK0): secure boot abstract 1 locked = False R/W (0b0)
JTAG_DISABLE (BLOCK0): Disable JTAG = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0): Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0): Disable flash decryption in UART bootloader = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0): Disable flash cache in UART bootloader = False R/W (0b0)
BLK1 (BLOCK1): Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 (BLOCK2): Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 (BLOCK3): Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).
Am I missing any signing steps?
Thanks!
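The espefuse summary pasted above answers most of the questions a reviewer would ask about this device's security state, and it can be read mechanically. The following is an added example, not code from the thread or from espefuse.py: it parses the summary format shown above (one `NAME (BLOCKn): description = value R/W (raw)` entry per line, with wrapped entries continuing on a line that starts with `=`), decides whether flash encryption and Secure Boot v1 are on, and lists what the "Development (NOT SECURE)" usage mode chosen in step 2 leaves unburned compared with release mode as documented by ESP-IDF (the DISABLE_DL_* fuses, write protection of FLASH_CRYPT_CNT, read protection of the key blocks; JTAG_DISABLE is listed as recommended hardening). The sample text is copied from the thread's own summary; no device is read.

```python
import re
from typing import Dict, List

# Constructed sample: the "Efuse fuses" and "Security fuses" sections copied from the
# espefuse summary posted above (values are the thread's, nothing is read from hardware).
SAMPLE_SUMMARY = """\
Efuse fuses:
WR_DIS (BLOCK0): Efuse write disable mask = 384 R/W (0x0180)
RD_DIS (BLOCK0): Efuse read disable mask = 3 R/W (0x3)
CODING_SCHEME (BLOCK0): Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
Security fuses:
FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 7 R/W (0b0000111)
UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0): Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback = True R/W (0b1)
ABS_DONE_0 (BLOCK0): secure boot enabled for bootloader = True R/W (0b1)
ABS_DONE_1 (BLOCK0): secure boot abstract 1 locked = False R/W (0b0)
JTAG_DISABLE (BLOCK0): Disable JTAG = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0): Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0): Disable flash decryption in UART bootloader = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0): Disable flash cache in UART bootloader = False R/W (0b0)
BLK1 (BLOCK1): Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 (BLOCK2): Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
"""

# NAME (BLOCKn): description = value PERM (raw)   -- raw is absent for the key blocks
FUSE_RE = re.compile(
    r"^(?P<name>\w+) \((?P<block>BLOCK\d)\): (?P<desc>.*?) = (?P<value>.*?) "
    r"(?P<perm>[R-]/[W-])(?: \((?P<raw>[^)]*)\))?$"
)


def parse_efuse_summary(text: str) -> Dict[str, dict]:
    """Parse `espefuse.py summary` text into {fuse_name: {block, desc, value, perm, raw}}."""
    joined: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("=") and joined:      # wrapped entry: value continues on the next line
            joined[-1] = f"{joined[-1]} {line}"
        else:
            joined.append(line)
    fuses: Dict[str, dict] = {}
    for line in joined:
        m = FUSE_RE.match(line)
        if m:                                    # section headers such as "Security fuses:" are skipped
            fuses[m["name"]] = m.groupdict()
    return fuses


def _is_true(fuses: Dict[str, dict], name: str) -> bool:
    return fuses[name]["value"] == "True"


def flash_encryption_enabled(fuses: Dict[str, dict]) -> bool:
    # ESP32 flash encryption is active when FLASH_CRYPT_CNT has an odd number of set bits
    # (7 = 0b111 in the thread's summary, so encryption is on).
    count = int(fuses["FLASH_CRYPT_CNT"]["value"])
    return bin(count).count("1") % 2 == 1


def secure_boot_v1_enabled(fuses: Dict[str, dict]) -> bool:
    # ABS_DONE_0 is the fuse burned in step 6 above to enable Secure Boot v1.
    return _is_true(fuses, "ABS_DONE_0")


def release_mode_gaps(fuses: Dict[str, dict]) -> List[str]:
    """What still separates this device from release mode (empty list = nothing found)."""
    gaps: List[str] = []
    # Release mode burns the three DISABLE_DL_* fuses so the UART download mode can no longer
    # encrypt or decrypt flash on the device's behalf; JTAG_DISABLE is recommended alongside.
    for name in ("DISABLE_DL_ENCRYPT", "DISABLE_DL_DECRYPT", "DISABLE_DL_CACHE", "JTAG_DISABLE"):
        if not _is_true(fuses, name):
            gaps.append(f"{name} is not burned")
    # Release mode also write-protects FLASH_CRYPT_CNT so encryption cannot be toggled off.
    if fuses["FLASH_CRYPT_CNT"]["perm"].endswith("W"):
        gaps.append("FLASH_CRYPT_CNT is still writable")
    # Both key blocks must be read-protected ("-/-"); RD_DIS = 3 in the thread does that.
    for blk in ("BLK1", "BLK2"):
        if fuses[blk]["perm"].startswith("R"):
            gaps.append(f"{blk} key block is still readable")
    return gaps


if __name__ == "__main__":
    parsed = parse_efuse_summary(SAMPLE_SUMMARY)
    print("flash encryption:", flash_encryption_enabled(parsed))
    print("secure boot v1:  ", secure_boot_v1_enabled(parsed))
    for gap in release_mode_gaps(parsed):
        print("release-mode gap:", gap)
```

Run against the thread's summary it reports encryption and Secure Boot as enabled, the key blocks as read-protected, and five development-mode gaps, which is exactly what "Enable usage mode (Development(NOT SECURE))" in step 2 implies.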
Unable to sign with different Secure Boot and Flash Encryption keys !
Re: Unable to sign with different Secure Boot and Flash Encryption keys !
Hi Tahir,
Thanks for the comprehensive details.
The error "flash read err, 1000" on boot means that the ROM can't find a valid bootloader at address 0x1000.
What were the steps you used to create bootloader-reflash-digest.bin_enc? Is it possible this wasn't encrypted correctly (i.e., using the correct key and address 0x0 to encrypt the bootloader-reflash-digest.bin file)?
Angus
Re: Unable to sign with different Secure Boot and Flash Encryption keys !
Hi ESP_Angus,
Thank you for your reply,
****** Error: flash read err, 1000 *******
The error "flash read err, 1000" on boot means that the ROM can't find a valid bootloader at address 0x1000.
Yes, I understood from an earlier post that this is something wrong with the bootloader.
>> What were the steps you used to create bootloader-reflash-digest.bin_enc? Is it possible this wasn't encrypted correctly (i.e., using correct key and address 0x0 to encrypt bootloader-reflash-digest.bin file.)
1. For the first time, I programmed bootloader-reflash-digest.bin from the build/bootloader folder
2. Tried to manually encrypt the boot & program it to 0x0
python $IDF_PATH/components/esptool_py/esptool/espsecure.py encrypt_flash_data --keyfile secure-bootloader-key.bin --address 0x0 -o bootloader-reflash-digest.bin_enc bootloader.bin
Re: Unable to sign with different Secure Boot and Flash Encryption keys !
If you are manually encrypting the bootloader then you have to flash it to 0x1000 and also create the secure boot digest and flash it to 0x0.
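The two things that went wrong in this thread are both about the flash plan rather than the keys: the encrypted bootloader was written to 0x0 instead of 0x1000 with no digest in front of it, and the file was encrypted with secure-bootloader-key.bin rather than the flash encryption key burned to BLK1 in step 4. The following is an added example, not code from the thread or from esptool/espsecure: it models each `offset file` pair of the write_flash command together with the `--address` and `--keyfile` used to encrypt that file, and reports layout mistakes before anything is flashed. The offsets (digest at 0x0, bootloader at 0x1000) are the ones ESP_Angus gives above; the rule that every image must be encrypted for the exact offset it is written to follows from FLASH_CRYPT_CONFIG mixing address bits into the key, as step 5 notes. Both plans below are constructed from the commands in the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Layout from the thread: the ROM expects the secure boot digest at 0x0 and loads the
# bootloader from 0x1000 (the address named in "flash read err, 1000").
SECURE_BOOT_DIGEST_OFFSET = 0x0
BOOTLOADER_OFFSET = 0x1000

# The key file burned with `espefuse.py burn_key flash_encryption` in step 4 of the thread.
FLASH_ENCRYPTION_KEYFILE = "flash_encryption_key.bin"


@dataclass
class FlashWrite:
    """One `offset file` pair of an esptool write_flash command plus how the file was produced."""
    offset: int                      # flash address handed to write_flash
    image: str                       # file name, only used in the report
    role: str                        # "digest", "bootloader", "partition_table" or "app"
    encrypted_for: Optional[int]     # --address given to espsecure encrypt_flash_data (None = plaintext)
    keyfile: Optional[str] = None    # --keyfile given to espsecure encrypt_flash_data


def check_flash_plan(plan: List[FlashWrite]) -> List[str]:
    """Return human-readable problems; an empty list means the plan matches the expected layout."""
    problems: List[str] = []
    by_role = {w.role: w for w in plan}

    digest = by_role.get("digest")
    if digest is None:
        problems.append("no secure boot digest is written at 0x0")
    elif digest.offset != SECURE_BOOT_DIGEST_OFFSET:
        problems.append(f"secure boot digest is written to 0x{digest.offset:x}, expected 0x0")

    boot = by_role.get("bootloader")
    if boot is None or boot.offset != BOOTLOADER_OFFSET:
        where = "missing" if boot is None else f"written to 0x{boot.offset:x}"
        problems.append(f"bootloader {where}; the ROM loads it from 0x1000 and reports "
                        "'flash read err, 1000' when nothing valid is there")

    for w in plan:
        if w.encrypted_for is None:
            problems.append(f"{w.image} is plaintext, but flash encryption is enabled")
            continue
        if w.encrypted_for != w.offset:
            problems.append(f"{w.image} was encrypted for 0x{w.encrypted_for:x} but written to "
                            f"0x{w.offset:x}; the ESP32 mixes address bits into the key "
                            "(FLASH_CRYPT_CONFIG), so it will not decrypt there")
        if w.keyfile != FLASH_ENCRYPTION_KEYFILE:
            problems.append(f"{w.image} was encrypted with {w.keyfile}, not the flash encryption "
                            f"key burned to BLK1 ({FLASH_ENCRYPTION_KEYFILE})")

    offsets = [w.offset for w in plan]
    if len(set(offsets)) != len(offsets):
        problems.append("two images are written to the same flash offset")
    return problems


# Constructed from the thread: bootloader.bin encrypted for 0x0 with the secure boot key,
# written to 0x0 under the digest's file name, and nothing at 0x1000.
ORIGINAL_PLAN = [
    FlashWrite(0x0, "bootloader-reflash-digest.bin_enc", "bootloader", 0x0, "secure-bootloader-key.bin"),
    FlashWrite(0xC000, "partitions_en.bin", "partition_table", 0xC000, FLASH_ENCRYPTION_KEYFILE),
    FlashWrite(0x20000, "helloworld_en.bin", "app", 0x20000, FLASH_ENCRYPTION_KEYFILE),
]

# Constructed: the layout ESP_Angus describes, digest at 0x0 and bootloader at 0x1000, each
# image encrypted with the flash encryption key for the offset it is written to.
CORRECTED_PLAN = [
    FlashWrite(0x0, "digest_en.bin", "digest", 0x0, FLASH_ENCRYPTION_KEYFILE),
    FlashWrite(0x1000, "bootloader_en.bin", "bootloader", 0x1000, FLASH_ENCRYPTION_KEYFILE),
    FlashWrite(0xC000, "partitions_en.bin", "partition_table", 0xC000, FLASH_ENCRYPTION_KEYFILE),
    FlashWrite(0x20000, "helloworld_en.bin", "app", 0x20000, FLASH_ENCRYPTION_KEYFILE),
]

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("corrected", CORRECTED_PLAN)):
        print(f"{name}: {check_flash_plan(plan) or ['ok']}")
```

For the original plan the checker reports the missing digest, the bootloader at the wrong offset, and the wrong key file; the corrected plan passes cleanly. The file names digest_en.bin and bootloader_en.bin in the corrected plan are placeholders chosen for this example.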
Re: Unable to sign with different Secure Boot and Flash Encryption keys !
Hi ESP_Angus,
It's working..
Thank you for your reply