Secure boot and signed bins

[ESP_Angus]

Hi,

Question #1
As secure bootlaoder allow flash only once.
https://docs.espressif.com/projects/esp ... -boot.html

I wonder how it works for me. I use signed secure bootloader bin first which works. then later on I flash again encrypted signed bootloader after enable flash encryption which also works.

There's a "Reflashable bootloader mode", where you regenerate the digest when you reflash:
https://docs.espressif.com/projects/esp ... bootloader

You're using a variation of this process.

Also I found It don't need to enable any secure boot and flash encryption via menuconfig.

If the bootloader is built without CONFIG_SECURE_BOOT_ENABLED (and the new option CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT is also not set, if available), then the bootloader will not verify the app signature - it will boot any app.

So the hardware is verifying the bootloader (first stage of secure boot), but nothing is verifying the app.

Similarly, if the app is built without any secure boot options enabled then the OTA/app_update and app verification APIs will not verify the signature of any new app which is updated. This means an OTA update can download an unsigned app, flash it, and then try to boot it.

If you want to follow a custom security process like you are, that's up to you. But you should read the documentation very carefully and make sure you understand all of the options and why they exist. The recommended processes in the documentation exist for several reasons. One of those reasons is to make sure you don't get a system which you think is secure but is actually not secure.

[prasad.gj]

Help me out to test the secure boot features on ESP32.Have followed the below steps to configure the secure boot on ESP32,

Steps followed:
1)Open the Project Configuration Menu, navigate to “Secure Boot Configuration” and select the option “One-time Flash”. (To understand the alternative “Reflashable” choice, see Re-Flashable Software Bootloader.)
2)Select a name for the secure boot signing key
3)make
4)Generate secure boot signing key
` openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem `
5)espsecure.py sign_data --keyfile ./my_signing_key.pem --output ./image_signed.bin image-unsigned.bin
6)make
7)make bootloader
8)python /{$IDF}/esp/esp-idf/components/esptool_py/esptool/espefuse.py burn_key secure_boot /home/hmecl001302/Documents/esp/esp-idf/examples/secureboot/blink/build/bootloader/secure-bootloader-key-256.bin
9)python /{$IDF}/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port '/dev/ttyUSB0' --baud 115200 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 /home/hmecl001302/Documents/esp/esp-idf/examples/secureboot/blink/build/bootloader/bootloader.bin
10python /{$IDF}/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port '/dev/ttyUSB0' --baud 115200 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x0 /home/hmecl001302/Documents/esp/esp-idf/examples/secureboot/blink/build/bootloader/bootloader-reflash-digest.bin
11)idf.py -p /dev/ttyUSB0 -b 115200 flash monitor


While monitoring the console getting stuck in the bootloader and throws below error

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0030,len:4
load:0x3fff0034,len:11936
ho 0 tail 12 room 4
load:0x40078000,len:21372
load:0x40080400,len:4340
secure boot check fail
ets_main.c 371

It will great ,if anyone can help me out to test the secure boot features.