Page 1 of 1

Clarification required regarding encrypted flash bootloader address

Posted: Fri Feb 16, 2024 12:03 pm
by dowwie
Within the Espressif documentation titled, "Enable Flash Encryption Externally" [1], is a series of commands for encrypting binaries on a host machine. The first command encrypts a bootloader image using address "0x1000". I am confused by the use of this address in the example. It is my understanding that "0x1000" is the address of the first-stage bootloader and "0x0" is the address of the second-stage bootloader. An unencrypted bootloader.bin created during the build process of a firmware application would be flashed to the second-stage address (0x0). Yet, in this flash encryption example we seem to be assigning this bootloader.bin to the primary address (0x1000).

Why would a non-encrypted bootloader.bin be flashed to 0x0 whereas an encrypted flash writes bootloader.bin to 0x1000? Is this a bug in documentation? Please clarify.

Thanks



[1] https://docs.espressif.com/projects/esp ... externally

Re: Clarification required regarding encrypted flash bootloader address

Posted: Sun Feb 18, 2024 7:00 pm
by stan-k
https://docs.espressif.com/projects/esp ... bootloader
...On ESP32, the bootloader image should be flashed by ESP-IDF at offset 0x1000.
https://docs.espressif.com/projects/esp ... artup.html
Second stage bootloader binary image is loaded from flash starting at address 0x1000. If Secure Boot is in use then the first 4 kB sector of flash is used to store secure boot IV and digest of the bootloader image. Otherwise, this sector is unused.

The flashing command also mentions the address 0x1000, example:
/Users/user/.espressif/python_env/idf5.1_py3.11_env/bin/python ../../../esp/esp-idf/components/esptool_py/esptool/esptool.py -p /dev/cu.usbserial-1140 -b 460800 --before default_reset --after hard_reset --chip esp32s2 --no-stub write_flash --flash_mode dio --flash_size 2MB --flash_freq 80m 0x1000 build/bootloader/bootloader.bin 0xa000 build/partition_table/partition-table.bin 0x20000 build/app.bin

Bootloader/app can be signed or unsigned (CONFIG_SECURE_BOOT, CONFIG_SECURE_BOOT_SIGNING_KEY).

App can be encrypted:
python managed_components/espressif__esp_encrypted_img/tools/esp_enc_img_gen.py encrypt ./build/app.bin ./secrets/encrypted_img_key.pem ./build/app_encrypted.bin