Secure boot and signed bins

[snahmad75]

Hi,

I am getting confused. secure boot not working for me. I can put unsigned partitions.bin and main app bins.

I am not using make menuconfig -> Security features to enable secure boot. I don't want to use ideally.

Now I change my bootloader debug log level to warning. no used. I guess It is default to one time only upload.

For secure bootloader , Do you have to specify 0x0000?



I did these commands.

Code: Select all

partitions="partitions.bin"
firmware="W2K1-BootLoader-Release.bin"
port="COM184"
baud="921600"
secure_boot_key="secure_boot_key.bin"
secure_sign_key="signing_key.pem"

echo "create secure bootloader"
/c/Work/library/esp32/esp-idf/components/esptool_py/esptool/espsecure.py digest_secure_bootloader --keyfile $secure_boot_key --output ./build/secure_bootloader.bin ./build/bootloader/bootloader.bin

echo "sign partitions"
/c/Work/library/esp32/esp-idf/components/esptool_py/esptool/espsecure.py sign_data --keyfile $secure_sign_key --output ./build/signed_$partitions ./build/$partitions

echo "sign firmware"
/c/Work/library/esp32/esp-idf/components/esptool_py/esptool/espsecure.py sign_data --keyfile $secure_sign_key --output ./build/signed_$firmware ./build/$firmware



echo "burn secure boot key"
/c/Work/library/esp32/esp-idf/components/esptool_py/esptool/espefuse.py --port $port burn_key secure_boot $secure_boot_key --no-protect-key

echo "Enable secure boot"
/c/Work/library/esp32/esp-idf/components/esptool_py/esptool/espefuse.py --port $port burn_efuse ABS_DONE_0 1

echo "Upload signed bins"
/c/Work/library/esp32/esp-idf/components/esptool_py/esptool/esptool.py --port $port --baud $baud write_flash 0x0000 ./build/secure_bootloader.bin 0x8000 ./build/signed_$partitions 0x10000 ./build/$firmware

It works. but After uploading signed bins and secure bootloader. If I upload unsigned bins via flash or OTA. It will works with no error. I am expecting to give me error for both OTA and via flash.

Thanks,
Naeem

[WiFive]

The rom bootloader will check the 2nd stage bootloader signature but you have to enable secure boot in menuconfig to build the 2nd stage bootloader otherwise it won't check the other partition signatures.

[snahmad75]

The rom bootloader will check the 2nd stage bootloader signature but you have to enable secure boot in menuconfig to build the 2nd stage bootloader otherwise it won't check the other partition signatures.

ok, I will try enable secure boot in menuconfig. then it generated signed bins. I still need to use esptool to generate signed bin. I guess i can use unsigned bins output of make -j and use above esptool to generated signed bins. and upload them.
then I to to upload unsigned bin or unsigned bin via OTA.

put secure bootloader at 0x0000.

I upload secure bootloader. I did not select Reflashable option.

[snahmad75]

Now I am using latest master branch now.

I enable secure boot in menuconfig.

My config is

#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_ENABLED=y
CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=y
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="signing_key.pem"
CONFIG_SECURE_BOOT_INSECURE=
CONFIG_FLASH_ENCRYPTION_ENABLED=

My partition is

# Name, Type, SubType, Offset, Size
nvs, data, nvs, 0x9000, 0x4000
otadata, data, ota, 0xd000, 0x2000
phy_init, data, phy, 0xf000, 0x1000
ota_0, app, ota_0, 0x10000, 0x1D0000
ota_1, app, ota_1, , 0x1D0000
storage, data, fat, ,0x20000

As secure bootloader is big size. I change my paritition.bin offset = 0x8500 instead of 0x8000
Now error is :

rst:0x10 (RTCWDT_RTC_RESET),boot:0x1f (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57


Do I need to specify ota_data_initial.bin as well?

I flash secure bootloader using few months old master branch old.

I am getting these for my paritition.bin offset = 0x8000

E (548) secure_boot: Embedded public verification key has wrong length 32
E (548) esp_image: Secure boot signature verification failed
W (911) esp_image: image valid, signature bad
E (911) boot: OTA app partition slot 0 is not bootable
E (911) esp_image: image at 0x1e0000 has invalid magic byte
W (916) esp_image: image at 0x1e0000 has invalid SPI mode 255
W (923) esp_image: image at 0x1e0000 has invalid SPI size 15
E (929) boot: OTA app partition slot 1 is not bootable
E (935) boot: No bootable app partitions in the partition table

[snahmad75]

After putting One-time flash secure boot at address = 0x000

I enable secure boot option on efuse. I am going to change my efuse.

Can I put back default insecure first stage bootloader and the do make flash which put second stage unsecured bootloader.



What are steps?

[WiFive]

Your secure_bootloader.bin at 0x0 is just digest. You also have to flash bootloader.bin to 0x1000. They have to be matching pair.

First stage bootloader is ROM, you cannot change it. Efuse is one time program, you cannot change it. Once you set ABS_DONE_0 you can only use signed second stage bootloader. You can change it as long as you have signing key and flash matching pair.

[snahmad75]

Your secure_bootloader.bin at 0x0 is just digest. You also have to flash bootloader.bin to 0x1000. They have to be matching pair.

First stage bootloader is ROM, you cannot change it. Efuse is one time program, you cannot change it. Once you set ABS_DONE_0 you can only use signed second stage bootloader. You can change it as long as you have signing key and flash matching pair.

Thanks, understood

[snahmad75]

Your secure_bootloader.bin at 0x0 is just digest. You also have to flash bootloader.bin to 0x1000. They have to be matching pair.

First stage bootloader is ROM, you cannot change it. Efuse is one time program, you cannot change it. Once you set ABS_DONE_0 you can only use signed second stage bootloader. You can change it as long as you have signing key and flash matching pair.

I already flash my secure boot-loader. I want to do again. I reduce my debug level which reduce secure boot-loader size now, otherwise it over run my partition start address 0x8000.
Is there any option to fiddle with hardware to make it work.

[ESP_Angus]

As secure bootloader is big size. I change my paritition.bin offset = 0x8500 instead of 0x8000

The partition table should be placed at a multiple of 0x1000, as this is the flash erase size. I'll see about adding some checks to the IDF build system so we can error out if this offset is invalid.

[ESP_Angus]

I already flash my secure boot-loader. I want to do again. I reduce my debug level which reduce secure boot-loader size now, otherwise it over run my partition start address 0x8000.

What is the value of the ABS_DONE_0 efuse, as shown in "espefuse.py -p PORT summary"? If it's still 0 then you can start again from the beginning and follow the steps in the IDF Programming Guide for Secure Boot.

If ABS_DONE_0 has value 1 then secure boot has been enabled during a previous boot. You can still reflash the bootloader only if you used the "Reflashable" process to pre-burn the secure boot key ("espefuse.py burn_key SECURE_BOOT keyfile.bin"). In this case, you flash the bootloader+digest combination .bin file at offset 0x0 (if flashing only the bootloader, it flashes at offset 0x1000).