Questions regarding flash encryption and Secure Boot

Yuriy Bohdanovsky
Posts: 9
Joined: Thu Apr 12, 2018 7:03 am

Re: Questions regarding flash encryption and Secure Boot

Postby Yuriy Bohdanovsky » Mon Apr 16, 2018 6:07 am

I read the flash drive with an external programmer.
It was found out, at the address 0х1002 0х1003 data are not written down.
I wrote bootloader-encrypted.bin as an external programmer and it all worked.
Probably some bit blocks these bytes

Code: Select all

0x01000 44 4B 02 20 19 2A 08 E6 C1 EF 4A 70 3C 6D 0E C9 
0x01010 ED 60 4D CF A3 40 2D AB D6 63 05 08 2D 51 2D 09
problem with bytes 0x02 0x20

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Questions regarding flash encryption and Secure Boot

Postby ESP_Angus » Mon Apr 16, 2018 6:20 am

Hi Yuriy,

It looks like the flash mode & flash size bytes of the encrypted image have been written as plaintext values. This shouldn't happen, and it may be a bug in the tool you used to flash. What tool and options did you use to write bootloader-encrypted.bin?

Yuriy Bohdanovsky
Posts: 9
Joined: Thu Apr 12, 2018 7:03 am

Re: Questions regarding flash encryption and Secure Boot

Postby Yuriy Bohdanovsky » Mon Apr 16, 2018 6:23 am

ESP_Angus wrote: This all looks correct. Did you use the same my_flash_encryption_key.bin for the app firmware & partition table when you overwrote those?
Yes
ESP_Angus wrote: Was this key written into the ESP32 with espefuse.py before the first boot?
Yes
ESP_Angus wrote: Are you sure you flashed bootloader-encrypted.bin not bootloder.bin? Can you post the full esptool.py command lines you used each time?
I wrote down the key 2 ways
- using the command $python /home/osboxes/esp/esp-idf/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption my_flash_encryption_key.bin
- I changed the firmware of the bootloader and did it with a bootloader.
The result is the same, see past post.

Yuriy Bohdanovsky
Posts: 9
Joined: Thu Apr 12, 2018 7:03 am

Re: Questions regarding flash encryption and Secure Boot

Postby Yuriy Bohdanovsky » Mon Apr 16, 2018 6:31 am

For download I use FLASH_DOWNLOAD_TOOLS_V3.6.4
You pushed me to the idea of writing a bootloader-encrypted.bin using espefuse.py

Yuriy Bohdanovsky
Posts: 9
Joined: Thu Apr 12, 2018 7:03 am

Re: Questions regarding flash encryption and Secure Boot

Postby Yuriy Bohdanovsky » Mon Apr 16, 2018 9:01 am

I used the command but the bootloader did not start

Code: Select all

$python /home/osboxes/esp/esp-idf/components/esptool_py/esptool/esptool.py  --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 bootloader-encrypted_1.bin
I'm looking for an option to protect the firmware, but allow the user to change it through uart. I'm afraid that the user can mistakenly erase the bootloader and its device will turn into a brick.

Is it possible to block the bootloader from erasing or overwriting it?

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Questions regarding flash encryption and Secure Boot

Postby ESP_Angus » Tue Apr 17, 2018 12:02 am

Hi Yuriy,

It looks like the GUI download tool is a little enthusiastic in setting the flash speed/size bytes in the bootloader binary header, even when the bootloader is encrypted not plaintext. I've lodged a bug internally about this.

(esptool.py does some basic sanity checks before changing the modes, but it's safest to not pass --flash_mode and --flash_freq options when you know the image is encrypted.)
Yuriy Bohdanovsky wrote:I used the command but the bootloader did not start

Code: Select all

$python /home/osboxes/esp/esp-idf/components/esptool_py/esptool/esptool.py  --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 bootloader-encrypted_1.bin
Same error as before? Can you retry without '--flash_mode dio' and '--flash_freq 40m' options?
Yuriy Bohdanovsky wrote: I'm looking for an option to protect the firmware, but allow the user to change it through uart. I'm afraid that the user can mistakenly erase the bootloader and its device will turn into a brick.

Is it possible to block the bootloader from erasing or overwriting it?
Over UART with serial flashing, there is no protection of this kind. Depending on your use case, maybe you can provide the user with an encrypted bootloader as well (or a combined bootloader+app image binary) and have them re-flash everything over UART? This way there's no data which can be accidentally erased permanently.

ESP_puff
Posts: 13
Joined: Tue Jan 10, 2017 8:34 am

Re: Questions regarding flash encryption and Secure Boot

Postby ESP_puff » Wed Apr 18, 2018 4:26 am

Yuriy Bohdanovsky wrote:For download I use FLASH_DOWNLOAD_TOOLS_V3.6.4
You pushed me to the idea of writing a bootloader-encrypted.bin using espefuse.py
Hello Yuriy,
There is a checkbox called "DoNotChgBin" in FLASH_DOWNLOAD_TOOLS. When it is clicked, the firmware you want to download will not be changed by the SPI mode or FLASH speed

Yuriy Bohdanovsky
Posts: 9
Joined: Thu Apr 12, 2018 7:03 am

Re: Questions regarding flash encryption and Secure Boot

Postby Yuriy Bohdanovsky » Wed Apr 18, 2018 5:01 pm

Hello ESP_puff,
Thank you so much. Everything worked.
The "DoNotChgBin" checkbox saved me. :D :D :D

Who is online

Users browsing this forum: No registered users and 135 guests