SecureBoot + FlashEncryption + OTA !

Tahir Shaik
Posts: 9
Joined: Thu Oct 08, 2020 4:29 pm

SecureBoot + FlashEncryption + OTA !

Postby Tahir Shaik » Sat Feb 06, 2021 12:12 pm

Hi,
I enabled the Secure boot and Flash encryption and trying to perform OTA.
But I dont Know how to perform OTA After enabling Security features (Secure boot and Flash encryption ),
I Successfully done the OTA without enabling the Security features (Secure boot and Flash encryption ).

1. how to perform OTA After Enabling Security Features?
2. Did I need to Encrypt the OTA image before Performing OTA?
3. Do I need to encrypt the OTA image internally with my firmware? If yes, How to Encrypt the OTA image internally after Receving the Image in the firmware?


I performed OTA after Enabling the Security feature without Encrypting the OTA Image (app.bin file), I got the following Output...

Code: Select all

I (296425) aws_iot_mqtt_jobs: Complete Data was Received.
I (296435) esp_image: segment 0: paddr=0x00120020 vaddr=0x3f400020 size=0x1f420 (128032) map
I (296515) esp_image: segment 1: paddr=0x0013f448 vaddr=0x3ffb0000 size=0x00bd0 (  3024) 
I (296515) esp_image: segment 2: paddr=0x00140020 vaddr=0x400d0020 size=0x76980 (485760) map
0x400d0020: _stext at ??:?

I (296795) esp_image: segment 3: paddr=0x001b69a8 vaddr=0x3ffb0bd0 size=0x017b4 (  6068) 
I (296795) esp_image: segment 4: paddr=0x001b8164 vaddr=0x40080000 size=0x00404 (  1028) 
0x40080000: _WindowOverflow4 at /home/bookwater/esp/esp-idf/components/freertos/xtensa_vectors.S:1778

I (296795) esp_image: segment 5: paddr=0x001b8570 vaddr=0x40080404 size=0x0c79c ( 51100) 
I (296835) esp_image: Verifying image signature...
E (296835) secure_boot_v1: image has invalid signature version field 0xf6b60c7a
E (296835) esp_image: Secure boot signature verification failed
I (296845) esp_image: Calculating simple hash to check for corruption...
W (297205) esp_image: image valid, signature bad
CORRUPT HEAP: multi_heap.c:175 detected at 0x3fff9134
abort() was called at PC 0x4008a447 on core 0

Thank you,

Regards,
Tahir Shaik

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: SecureBoot + FlashEncryption + OTA !

Postby WiFive » Sat Feb 06, 2021 4:14 pm

You need to sign the ota firmware with the key you generated when you built the secure bootloader. This can be configured in menuconfig.

Tahir Shaik
Posts: 9
Joined: Thu Oct 08, 2020 4:29 pm

Re: SecureBoot + FlashEncryption + OTA !

Postby Tahir Shaik » Mon Feb 08, 2021 5:39 am

Thank you WiFive !

Now I successfully Performed the OTA after Signing the OTA image with the secure keys....

I used the Following Command to sign the OTA Image...

Code: Select all

espsecure.py sign_data --version 1 --keyfile PRIVATE_KEY.pem --output Firmware_Signed.bin build/Fimware_Unsigned.bin

But in production, How can we perform OTA for all of our devices? We cann't use the Same keys for all the Devices. Is there any solution for this?

Regards,
Tahir Shaik

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: SecureBoot + FlashEncryption + OTA !

Postby WiFive » Mon Feb 08, 2021 3:34 pm

There are two secure boot keys. One is per device to sign the bootloader and the other key is used to sign the ota apps. The app signing key is meant to be a common key.

Tahir Shaik
Posts: 9
Joined: Thu Oct 08, 2020 4:29 pm

Re: SecureBoot + FlashEncryption + OTA !

Postby Tahir Shaik » Tue Feb 09, 2021 5:22 am

Thank you WiFive !

Who is online

Users browsing this forum: axellin and 81 guests