Secure boot test mode after configuration of pre-encrypted flashing procedure


Post by bewatermyfriendxd » Wed Apr 03, 2019 2:03 pm

Hello,

I'm currently working on an ESP32 project in which I am using the flash encryption and secure boot features.
I followed the instructions in this post ( viewtopic.php?f=2&t=7318 ) to flash pre-encrypted data
via esptool.py and serial interface on the esp32.

In the menuconfig of the main application, "secure boot" and "signing" of created binaries are enabled.
This is a simplified version of my build procedure:


#!/bin/bash

cd App
make

cd ..

# encryption key
python2 espefuse.py --port /dev/ttyACM0 burn_key flash_encryption ${FLASH_ENCRYPTION_KEY}

# secure boot key
python2 espefuse.py --port /dev/ttyACM0 burn_key secure_boot ${SECURE_BOOT_KEY}

# enable flashing of pre-encrypted data
python2 espefuse.py --port /dev/ttyACM0 burn_efuse FLASH_CRYPT_CNT
python2 espefuse.py --port /dev/ttyACM0 burn_efuse FLASH_CRYPT_CONFIG 0xF

# flash pre-encrypted data
# the serial device must be passed with --port, otherwise esptool.py parses it as the command name
python2 esptool.py --chip esp32 --port /dev/ttyACM0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 ${ENCRYPTED_BOOTLOADER}

python2 esptool.py --chip esp32 --port /dev/ttyACM0 --baud 921600 write_flash -z 0x10000 ${ENCRYPTED_PARTITIONS}

...


The device boots up fine after finishing the flashing procedure. The app starts as expected.

The problem is, when I'm checking the log with "make monitor" I encounter this entry:



W (1636) secure_boot: Using pre-loaded secure boot key in EFUSE block 2
I (1640) secure_boot: Generating secure boot digest...
I (1697) secure_boot: Digest generation complete.
I (1697) secure_boot: blowing secure boot efuse...
I (1697) secure_boot: Disable JTAG...
I (1701) secure_boot: Disable ROM BASIC interpreter fallback...
E (1707) secure_boot: SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE
E (1716) secure_boot: secure boot not enabled due to test mode
E (1722) boot: Bootloader digest generation failed (259). SECURE BOOT IS NOT ENABLED.
I (1731) boot: Checking flash encryption...
I (1736) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
I (1744) boot: Disabling RNG early entropy source…

The problem lies in this section


E (1707) secure_boot: SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE
E (1716) secure_boot: secure boot not enabled due to test mode
E (1722) boot: Bootloader digest generation failed (259). SECURE BOOT IS NOT ENABLED.


I suspect that I need to burn some more efuses manually to fix this issue. But I can't find any information in the official documentation or on this forum. I hope anybody can help me with this problem. I appreciate any help.

Thanks for the support.

Greetings


Re: Secure boot test mode after configuration of pre-encrypted flashing procedure

Post by ESP_Angus » Wed Apr 03, 2019 11:06 pm

Hi,

First off, it's strongly recommended to follow the supported workflow and have the device encrypt itself on first boot. There are fewer ways that this can accidentally leave the device unprotected.

Regarding the error, please check if you have the "secure boot test mode" config item enabled:
https://docs.espressif.com/projects/esp ... _TEST_MODE

Note that if the first flash is using an encrypted firmware you also have to burn some additional efuses in order to have a secure device. See the list here: viewtopic.php?f=13&t=9977&p=41213#p41213 - two of these efuses (JTAG_DISABLE and CONSOLE_DEBUG_DISABLE) are also burned if secure boot is enabled by the bootloader on first boot, so you don't necessarily need to pre-burn these efuses.
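
Added example (not part of either post above, and not Espressif code): a provisioning check that scans a captured boot log for the messages quoted in this thread and holds back a device whose bootloader reports that secure boot was not enabled. The function names and finding labels are hypothetical, the sample log is copied from the first post, and treating any remaining plaintext flashes as a reason to fail is an assumption of this example.

```python
import re

# ESP-IDF log line layout seen in the thread: "<level> (<ms>) <tag>: <message>"
LOG_RE = re.compile(r"^[EWIDV] \((\d+)\) ([^:]+): (.*)$")
PLAINTEXT_RE = re.compile(r"\((\d+) plaintext flashes left\)")

# Sample input: lines copied from the log quoted in the first post.
SAMPLE_LOG = """\
W (1636) secure_boot: Using pre-loaded secure boot key in EFUSE block 2
I (1640) secure_boot: Generating secure boot digest...
E (1707) secure_boot: SECURE BOOT TEST MODE. Not really burning any efuses! NOT SECURE
E (1716) secure_boot: secure boot not enabled due to test mode
E (1722) boot: Bootloader digest generation failed (259). SECURE BOOT IS NOT ENABLED.
I (1736) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
"""


def audit_boot_log(text):
    """Return [(timestamp_ms, finding)] for lines showing the device is not locked down."""
    findings = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not a log line (monitor banner, blank line, ...)
        ts, tag, msg = int(m.group(1)), m.group(2), m.group(3)
        if tag == "secure_boot" and "SECURE BOOT TEST MODE" in msg:
            findings.append((ts, "secure-boot-test-mode"))
        elif tag == "boot" and "SECURE BOOT IS NOT ENABLED" in msg:
            findings.append((ts, "secure-boot-not-enabled"))
        elif tag == "flash_encrypt":
            left = PLAINTEXT_RE.search(msg)
            # Assumption of this example: a non-zero count is reported for review.
            if left and int(left.group(1)) > 0:
                findings.append((ts, "plaintext-flashes-left:" + left.group(1)))
    return findings


def device_passes(text):
    """Provisioning gate: pass only when the log raised no finding."""
    return not audit_boot_log(text)


if __name__ == "__main__":
    for ts, finding in audit_boot_log(SAMPLE_LOG):
        print(f"{ts} ms: {finding}")
    print("PASS" if device_passes(SAMPLE_LOG) else "FAIL")
```
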
