Process to enable secure boot v2 + flash encryption to esp32-s3
Posted: Fri Jan 27, 2023 7:49 pm
Hello,
I am facing some difficulties enabling both secure boot v2 and flash encryption on ESP32-S3. When I enabled each one individually on a different module, everything worked fine. But when I tried to enable both, the ESP keeps crashing.
Is there a better order to enable them? Like flash encryption after secure boot? Or can I enable both at the same time?
The process that I used to enable both is:
1. Generate flash encryption and secure boot keys;
2. Burn keys to eFuse;
3. Burn eFuses SPI_BOOT_CRYPT_CNT and SECURE_BOOT_EN;
4. Build the bootloader:
```shell
idf.py bootloader
```
5. Flash the bootloader:
```shell
esptool.py --no-stub --port COM34 write_flash --encrypt 0x0 bootloader.bin --force
```
6. Flash the app:
```shell
idf.py encrypted-app-flash monitor
```
The error I get is:
```text
E (104) flash_parts: partition 0 invalid magic number 0x7562
E (111) boot: Failed to verify partition table
E (116) boot: load partition table error!
```
My partition table is:
```text
otadata, data, ota, , 0x2000,
phy_init, data, phy, , 0x1000,
factory, app, factory, , 0x200000,
ota_0, app, ota_0, , 0x300000,
ota_1, app, ota_1, , 0x300000,
nvs, data, nvs, , 0x8000,
nvs_keys, data, nvs_keys, , 0x1000, encrypted
reserved, 0xaf, 0xaf, , 0x400000,
```
The sdkconfig is:
```text
#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="resources/security/SECURE_BOOT_DIGEST0.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
CONFIG_SECURE_BOOT_INSECURE=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES128 is not set
CONFIG_SECURE_FLASH_ENCRYPTION_AES256=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not set
#
# Potentially insecure options
#
# CONFIG_SECURE_BOOT_ALLOW_JTAG is not set
# CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION is not set
# CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS is not set
# CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS is not set
CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
# CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE is not set
# CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED is not set
# end of Potentially insecure options
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
# CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE is not set
CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y
# end of Security features
```
and my partition table offset is:
```text
CONFIG_PARTITION_TABLE_OFFSET=0xD000
```
I am using ESP-IDF V5.0.
I did this process in two modules and got the same error. I've already read all the ESP-IDF documents and didn't find what I have done wrong!
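As an added example (not part of the post and not ESP-IDF's own code), a small Python model of the check behind the `flash_parts: partition 0 invalid magic number` line above: it packs a few rows of the posted CSV into the 32-byte binary entry format and then parses whatever bytes sit at the configured table offset (0xD000 here), so you can see which inputs end the table cleanly and which produce that log line. Assumptions: the public entry layout, constructed partition offsets for the sample rows, and a constructed 32-byte payload chosen so that it reproduces the 0x7562 magic from the log.

```python
import struct

# ESP-IDF partition-table binary layout (public format, assumed here):
# 32-byte little-endian entries: magic, type, subtype, offset, size, label[16], flags.
PART_MAGIC = 0x50AA          # ordinary entry
MD5_MAGIC = 0xEBEB           # trailing checksum entry
END_MAGIC = 0xFFFF           # erased flash marks the end of the table
ENTRY_FMT = "<HBBII16sI"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32
FLAG_ENCRYPTED = 0x1         # the "encrypted" flag from the CSV

def pack_entry(ptype, subtype, offset, size, label, flags=0):
    """Build one entry (constructed helper mirroring what gen_esp32part emits)."""
    return struct.pack(ENTRY_FMT, PART_MAGIC, ptype, subtype, offset, size,
                       label.encode().ljust(16, b"\0"), flags)

def parse_table(blob):
    """Walk entries the way the boot log reports them; return (entries, error)."""
    entries = []
    for idx in range(len(blob) // ENTRY_SIZE):
        raw = blob[idx * ENTRY_SIZE:(idx + 1) * ENTRY_SIZE]
        magic = struct.unpack_from("<H", raw)[0]
        if magic == END_MAGIC:      # erased flash: end of table, not an error
            break
        if magic == MD5_MAGIC:      # checksum entry; MD5 verification omitted here
            continue
        if magic != PART_MAGIC:     # the "flash_parts: partition N invalid magic" case
            return entries, f"partition {idx} invalid magic number 0x{magic:x}"
        _, ptype, sub, off, size, label, flags = struct.unpack(ENTRY_FMT, raw)
        entries.append({"label": label.rstrip(b"\0").decode(), "type": ptype,
                        "subtype": sub, "offset": off, "size": size,
                        "encrypted": bool(flags & FLAG_ENCRYPTED)})
    return entries, None

def check_flash_image(image, table_offset):
    """Parse whatever bytes sit at table_offset (CONFIG_PARTITION_TABLE_OFFSET)."""
    return parse_table(image[table_offset:table_offset + 0x1000])

# Constructed sample: four rows from the post's CSV; offsets are assumed for a table
# at 0xD000 (data partitions 0x1000-aligned, app partitions 0x10000-aligned).
SAMPLE_TABLE = (pack_entry(1, 0x00, 0xE000, 0x2000, "otadata")
                + pack_entry(1, 0x01, 0x10000, 0x1000, "phy_init")
                + pack_entry(0, 0x00, 0x20000, 0x200000, "factory")
                + pack_entry(1, 0x04, 0x220000, 0x1000, "nvs_keys", FLAG_ENCRYPTED))

def build_image(table_offset, payload=SAMPLE_TABLE, size=0x30000):
    """Erased (0xFF) flash image with payload written at table_offset."""
    image = bytearray(b"\xff" * size)
    image[table_offset:table_offset + len(payload)] = payload
    return bytes(image)
```

Bytes at the offset that are not a plaintext table (the table written elsewhere, or a region whose encrypted/plaintext state differs from what the bootloader expects) fail this check with the same message format as the post's log; erased flash at the offset ends the table silently instead.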