Secure boot not so secure....

Posted: Wed Sep 11, 2019 12:28 pm
by lodogg
Hi,
I'm starting to use the secure bootloader so that the firmware will run only on my hardware.

The first test I did was to dump the memory from address 0 of a module with secure boot and a signed app and flash it to a brand new module.

I was expecting that the firmware wouldn't boot. I was wrong! The board boots without problem and activates secure boot on the new module.
So if someone clones my hardware, he can just dump the memory and use it on the cloned hardware.

My question is: how can I achieve the goal of a firmware that will boot only on my hardware?

Thank you

Re: Secure boot not so secure....

Posted: Thu Sep 12, 2019 1:58 am
by ESP_Angus
Hi lodogg,
lodogg wrote:
Wed Sep 11, 2019 12:28 pm
My question is: how can I achieve the goal of a firmware that will boot only on my hardware?
The intention of Secure Boot is to ensure that only trusted firmware is run on the hardware (i.e. it's not possible to change the firmware of a device once secure boot is enabled).

To prevent recovering the firmware from a device (which would allow it to be cloned onto another device), enable Flash Encryption.

For production configurations we recommend using Flash Encryption and Secure Boot together.

Please consult the ESP-IDF documentation for more details:
https://docs.espressif.com/projects/esp ... -boot.html
https://docs.espressif.com/projects/esp ... ption.html
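
The distinction drawn in this thread, as an added example that is not from either poster or from ESP-IDF: a host-side Python model of why a signature check alone accepts a copied flash image, while encryption under a per-chip key does not. HMAC and a SHA-256 keystream are stand-ins for the real signature scheme and the hardware flash encryption; `Module`, `clone_boots` and all keys and payloads are hypothetical, constructed values.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 over key+offset); stand-in for hardware flash encryption."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def sign(signing_key: bytes, app: bytes) -> bytes:
    """Signed image = app + 32-byte tag (HMAC stands in for the real signature)."""
    return app + hmac.new(signing_key, app, hashlib.sha256).digest()

class Module:
    """Constructed model of one module: external flash plus a key only the chip can use."""
    def __init__(self, flash_encryption: bool):
        self.flash_encryption = flash_encryption
        self.efuse_key = os.urandom(32)   # unique per chip, never readable from outside
        self.flash = b""

    def provision(self, signed_image: bytes) -> None:
        """Factory flashing: contents are stored encrypted when flash encryption is on."""
        self.flash = (keystream_xor(self.efuse_key, signed_image)
                      if self.flash_encryption else signed_image)

    def boot(self, verify_key: bytes) -> bool:
        """Read flash (decrypting with this chip's key if enabled), then verify the tag."""
        image = (keystream_xor(self.efuse_key, self.flash)
                 if self.flash_encryption else self.flash)
        app, tag = image[:-32], image[-32:]
        expected = hmac.new(verify_key, app, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)

def clone_boots(flash_encryption: bool) -> bool:
    """Copy the raw flash of a provisioned module onto a fresh one and try to boot it."""
    vendor_key = os.urandom(32)   # verification material is the same on every unit
    original = Module(flash_encryption)
    original.provision(sign(vendor_key, b"constructed firmware payload" * 4))
    assert original.boot(vendor_key)      # the genuine unit boots in both modes
    clone = Module(flash_encryption)
    clone.flash = original.flash          # raw dump written to the new module
    return clone.boot(vendor_key)

if __name__ == "__main__":
    print("signature check only, clone boots:", clone_boots(False))
    print("with per-chip encryption, clone boots:", clone_boots(True))
```

The signature only proves who built the image, so it verifies on any unit; the per-chip key is what ties the stored bytes to one piece of hardware.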