Page 1 of 1

Process to enable secure boot v2 + flash encryption to esp32-s3

Posted: Fri Jan 27, 2023 7:49 pm
by dev1795_esp
Hello,

I am facing some difficulties to enable both secure boot v2 and flash encryption on ESP32-S3. When I enabled individually each one on a different module, everything works fine. But when I tried to enable both, the esp keeps crashing.

Is there a better order to enable them? like flash encryption after secure boot? or I can enable both at the same time?

The process that I used to enable both is:
1. Generate flash encryption and secure boot keys;
2. Burn keys to efuse;
3. Burn efuses SPI_BOOT_CRYPT_CNT and SECURE_BOOT_EN;
4. build bootloader -->

Code: Select all

 idf.py bootloader
5. Flash bootloader -->

Code: Select all

esptool.py --no-stub --port COM34 write_flash --encrypt 0x0 bootloader.bin --force
6. Flash app -->

Code: Select all

idf.py encrypted-app-flash monitor
The error I get is:

Code: Select all

E (104) flash_parts: partition 0 invalid magic number 0x7562 
E (111) boot: Failed to verify partition table 
E (116) boot: load partition table error!
my partition table is:

Code: Select all

otadata,      data, ota,            , 0x2000,
phy_init,     data, phy,            , 0x1000,
factory,      app,  factory,        , 0x200000,
ota_0,        app,  ota_0,          , 0x300000,
ota_1,        app,  ota_1,          , 0x300000,
nvs,          data, nvs,            , 0x8000,
nvs_keys,     data, nvs_keys,       , 0x1000,   encrypted
reserved,     0xaf, 0xaf,           , 0x400000,
The sdkconfig is:

Code: Select all

#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="resources/security/SECURE_BOOT_DIGEST0.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
CONFIG_SECURE_BOOT_INSECURE=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES128 is not set
CONFIG_SECURE_FLASH_ENCRYPTION_AES256=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not set

#
# Potentially insecure options
#
# CONFIG_SECURE_BOOT_ALLOW_JTAG is not set
# CONFIG_SECURE_BOOT_ALLOW_SHORT_APP_PARTITION is not set
# CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS is not set
# CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS is not set
CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
# CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE is not set
# CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED is not set
# end of Potentially insecure options

CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
# CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE is not set
CONFIG_SECURE_INSECURE_ALLOW_DL_MODE=y
# end of Security features
and my partition table offset is

Code: Select all

CONFIG_PARTITION_TABLE_OFFSET=0xD000
--> I am using ESP-IDF V5.0

I did this process in two modules and got the same error. I've already read all ESP-IDF documents and didn't find what I have done wrong!

Re: Process to enable secure boot v2 + flash encryption to esp32-s3

Posted: Mon Feb 06, 2023 6:38 pm
by dev1795_esp
Is there any update about this please? It is urgent.

Re: Process to enable secure boot v2 + flash encryption to esp32-s3

Posted: Thu Jul 27, 2023 1:46 pm
by krishan.harit
Is there any update on this? The documentation is very poor with no clarity on the order of operations. I am using IDF v5.1.0 now. I also have the ESP32-S3 (N8R8) module.

I have already bricked 3x units and I have just one left. I have figured out how to enable and configure Secure Boot V2 (not that the documentation was very clear, I just spent a week experimenting).

I bricked 3x units by trying to configure flash encryption alongside Secure Boot V2. That's why I'm also wondering if we should first configure flash encryption then configure Secure Boot V2.

Hope to hear back.