Failed to enable secure boot / encrypted flash
Posted: Tue Mar 13, 2018 1:42 pm
I just enabled secure boot together with encrypted flash for the very first time. While trying to follow documentation I must have missed something, as make monitor displays in a loop:
I did the following:
used make menuconfig to enable the features, resulting in sdkconfig:
Made and flashed the bootloader and the app:
make monitor shows the 'secure boot check fail' message.
Fuses state is:
The partition table in use is (no factory partition):
Could it be, that turning on secure boot and encrypted flash this way fails, because there is no factory image partition?
Up to now, I had no issues to use 'make flash' to write ota_0 and then do ota updates to use ota_1->ota_0->ota_1...
Markus
Code: Select all
rst:0x10 (RTCWDT_RTC_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:6944
ho 0 tail 12 room 4
load:0x40078000,len:0
load:0x40078000,len:20620
secure boot check fail
ets_main.c 371
ets Jun 8 2016 00:22:57
used make menuconfig to enable the features, resulting in sdkconfig:
Code: Select all
<snip>
#
# Security features
#
CONFIG_SECURE_BOOT_ENABLED=y
CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=y
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="keys/secure_boot_signing_key.pem"
CONFIG_SECURE_BOOT_INSECURE=
CONFIG_FLASH_ENCRYPTION_ENABLED=y
CONFIG_FLASH_ENCRYPTION_INSECURE=
<snip>
Code: Select all
python /home/esp32/esp/esp-idf/components/esptool_py/esptool/espsecure.py generate_signing_key /home/esp32/tbox_v2/tbox-spp/keys/secure_boot_signing_key.pem
make bootloader
python /home/esp32/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before default_reset --after no_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /home/esp32/tbox_v2/tbox-spp/build/bootloader/bootloader.bin
make flash
Fuses state is:
Code: Select all
espefuse.py v2.2.1
Connecting........_
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 1 R/W (0x1)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 1 R/W (0x1)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 1 R/W (0x1)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 1 R/W (0x1)
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
BLK2 Secure boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Efuse fuses:
WR_DIS Efuse write disable mask = 384 R/W (0x180)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)
Config fuses:
XPD_SDIO_FORCE Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = 0 R/W (0x0)
XPD_SDIO_REG If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = 0 R/W (0x0)
XPD_SDIO_TIEH If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V = 0 R/W (0x0)
SPI_PAD_CONFIG_CLK Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0x0)
SPI_PAD_CONFIG_Q Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0x0)
SPI_PAD_CONFIG_D Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0x0)
SPI_PAD_CONFIG_HD Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0 Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0x0)
DISABLE_SDIO_HOST Disable SDIO host = 0 R/W (0x0)
Identity fuses:
MAC MAC Address
= 24:0a:c4:05:58:9c (CRC 66 OK) R/W
CHIP_VERSION Chip version = 0 -/W (0x0)
CHIP_PACKAGE Chip package identifier = 0 -/W (0x0)
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).
Code: Select all
otadata, data, ota, 0x9000, 0x2000
conf, data, spiffs, 0xb000, 0x5000
ota_0, app, ota_0, 0x10000, 0x180000
ota_1, app, ota_1, 0x190000, 0x180000
nvs, data, nvs, 0x310000, 0x0f0000
Up to now, I had no issues to use 'make flash' to write ota_0 and then do ota updates to use ota_1->ota_0->ota_1...
Markus