Correct sequence to apply encrypted flash and secure boot v2

schickb
Posts: 7
Joined: Sat Dec 04, 2021 8:37 am

Postby schickb » Fri Jan 21, 2022 10:45 am

Using an ESP32C3 and esp-idf 4.4-rc1 I am applying encrypted flash and secure boot v2 (all in "dev mode" for now). Eventually I'm able to get it all working, but I seem to have to repeat the same steps multiple times and cut power to the device between steps to get it to work. Should these steps work:

  • Start with a new device
  • menuconfig used to enable encrypted flash in dev mode and secure boot with SECURE_BOOT_INSECURE enabled
  • idf.py fullclean build flash
  • espsecure.py generate_flash_encryption_key {bin_file}
  • espefuse.py --chip esp32c3 --port {port} burn_key BLOCK_KEY0 {bin_file} XTS_AES_128_KEY
  • espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY1 pk1.pem SECURE_BOOT_DIGEST0
  • espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY2 pk2.pem SECURE_BOOT_DIGEST1
  • espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY3 pk3.pem SECURE_BOOT_DIGEST2
  • esptool.py --chip esp32c3 --port={port} --baud=57600 --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 {signed_bl}

When I then restart the device by holding EN low, I get repeating:

  invalid header: 0x01dd68cb

After trying many things... what got it working was the following sequence:

  • cut power
  • add power with EN and IO9 held low then release EN to start in upload mode
  • espefuse.py --chip esp32c3 -p {port} --baud 57600 burn_bit BLOCK0 116 (was already burned, and does nothing...I think)
  • esptool.py --chip esp32c3 -p={port} -b 57600 --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 {signed_bl}

But it is unclear to me why writing the bootloader again after a power cycle and a no-op efuse burn_bit would solve the problem. Between each of the steps I tried to restart by blipping EN low and got the same "invalid header" error until writing the same bootloader again. And before power cycling and trying to rewrite the SECURE_BOOT_EN bit I'd attempted to reupload the signed bootloader and app many times to no avail.

Do I need to apply encrypted flash and secure boot in stages? For example, enable encrypted flash, apply the changes, restart. Then enable secure boot and apply those changes?

sachin0x18
Posts: 2
Joined: Wed Jul 04, 2018 5:56 am

Re: Correct sequence to apply encrypted flash and secure boot v2

Postby sachin0x18 » Thu Feb 17, 2022 11:06 am

Hi @schickb,

I tried these steps at my end and it seems to work well for me on the v4.4-rc1 ESP-IDF branch.

Did you by any chance flash an encrypted binary?

Also, there is no need to enable flash encryption and secure boot in stages. Enabling them together should work.
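
The question above, whether an already-encrypted binary was flashed, can be answered on the host before running write_flash. The following is an added example, not part of any post in this thread and not Espressif code: it checks a file for the plaintext ESP image magic byte 0xE9 and for a Secure Boot V2 signature sector (magic 0xE7, version 0x02). The names inspect_image and _constructed_image and the sample bytes are constructed for illustration.

```python
import struct

ESP_IMAGE_MAGIC = 0xE9     # first byte of a plaintext ESP-IDF image header
SIG_BLOCK_MAGIC = 0xE7     # first byte of a Secure Boot V2 signature block
SIG_BLOCK_VERSION = 0x02   # 0x01 would be Secure Boot V1
SECTOR = 4096              # signature sector is appended on a 4 KB boundary
MAX_SEGMENTS = 16          # ESP_IMAGE_MAX_SEGMENTS in ESP-IDF


def inspect_image(data: bytes) -> dict:
    """Report whether data looks like a plaintext ESP image and whether it is signed."""
    result = {"plaintext": False, "signed_v2": False, "reason": ""}
    if len(data) < 8:
        result["reason"] = "shorter than an image header"
        return result
    magic, segments, spi_mode, _speed_size, _entry = struct.unpack_from("<BBBBI", data, 0)
    if magic != ESP_IMAGE_MAGIC:
        result["reason"] = f"first byte is 0x{magic:02x}, expected 0xe9 (encrypted or not an image)"
        return result
    # A ciphertext can start with 0xE9 by chance, so sanity-check two more fields.
    if not 1 <= segments <= MAX_SEGMENTS or spi_mode > 5:
        result["reason"] = "0xe9 present but header fields are implausible"
        return result
    result["plaintext"] = True
    # Signed images are padded to a 4 KB boundary and end with one signature sector.
    if len(data) >= 2 * SECTOR and len(data) % SECTOR == 0:
        sig = data[-SECTOR:]
        result["signed_v2"] = sig[0] == SIG_BLOCK_MAGIC and sig[1] == SIG_BLOCK_VERSION
    result["reason"] = "ok" if result["signed_v2"] else "plaintext image without a V2 signature sector"
    return result


def _constructed_image(signed: bool) -> bytes:
    """Constructed sample: a minimal header padded with 0xFF, not a real bootloader."""
    body = struct.pack("<BBBBI", ESP_IMAGE_MAGIC, 3, 2, 0x2F, 0x40380000).ljust(SECTOR, b"\xff")
    if signed:
        body += bytes([SIG_BLOCK_MAGIC, SIG_BLOCK_VERSION]).ljust(SECTOR, b"\xff")
    return body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # usage: python check_image.py <signed bootloader file>
        with open(sys.argv[1], "rb") as f:
            print(inspect_image(f.read()))
    else:
        print(inspect_image(_constructed_image(signed=True)))
```

A file that reports plaintext False here is either already encrypted or not an ESP image at all.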

ChrisAlfred
Posts: 19
Joined: Tue Mar 23, 2021 6:22 am

Postby ChrisAlfred » Tue Dec 05, 2023 2:49 am

How did you create pk1.pem, pk2.pem and pk3.pem?

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Postby ESP_Mahavir » Tue Dec 05, 2023 8:50 am

Please refer to the guide https://docs.espressif.com/projects/esp ... externally, it should help starting from the key generation to enabling secure boot externally.

ChrisAlfred
Posts: 19
Joined: Tue Mar 23, 2021 6:22 am

Postby ChrisAlfred » Thu Dec 07, 2023 7:14 am

So did you do exactly these command lines:
espsecure.py generate_signing_key --version 2 --scheme rsa3072 pk1.pem
espsecure.py generate_signing_key --version 2 --scheme rsa3072 pk2.pem
espsecure.py generate_signing_key --version 2 --scheme rsa3072 pk3.pem

ChrisAlfred
Posts: 19
Joined: Tue Mar 23, 2021 6:22 am

Postby ChrisAlfred » Fri Dec 08, 2023 9:16 am

... and what did you set menuconfig "Secure boot private signing key" to?

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Postby ESP_Mahavir » Sun Dec 10, 2023 6:37 am

> ... and what did you set menuconfig "Secure boot private signing key" to?

The path to the file containing the private key.

Please go through this guide https://docs.espressif.com/projects/esp ... re-boot-v2 which gives a step-by-step guide to enable the secure boot v2 feature. Please note that, for the ESP32 case, only a single secure boot digest is supported, hence only 1 signing key needs to be generated. The build system shall supply the exact command (to generate the key) when you enable secure boot from the configuration options and the path to the signing key is not supplied.

HTH!
