Secure Boot CheckSum error, Help Please!

shawn2019
Posts: 13
Joined: Mon Oct 07, 2019 2:39 am

Secure Boot CheckSum error, Help Please!

Postby shawn2019 » Tue Oct 22, 2019 2:53 am

Friends, I refer to the following two articles for the operation of Secureboot and Flash Encrypt. The Flash Encrypt operation is successful, but Secureboot has always failed. I have tried many times.

In the following article, I mainly operate according to the second scheme.

Image


https://docs.espressif.com/projects/esp ... -boot.html

In the following article, I mainly operate according to the second scheme.
https://github.com/espressif/esp-iot-so ... rypt_cn.md

The IDF version I am using is esp-idf-v4.0-beta1.
First I configure it using idf.py menuconfig,
Secure configuration as shown below

Image

I generated the key file using "openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem".

Partition table configuration as shown below, I changed the Offset of partition table to 0x9000.
Image
Partition table CSV file as shown below
Image
Use idf.py to generate bootloader.bin, use idf.py build to generate partition-table.bin ota_data_initial.bin native_ota.bin.
Image

Then I used the ESP32 SECURE FLASHER TOOL tool to program the device. The configuration of ESP32 SECURE FLASHER TOOL is shown below.

Image

Image

The log after re-powering after burning is as shown below
Image

After burning, EFUSE is as shown below
Image

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Secure Boot CheckSum error, Help Please!

Postby WiFive » Tue Oct 22, 2019 1:27 pm

How big is bootloader.bin file? Do you have the secure boot and flash encryption keys saved?

For one-time flash mode and release mode you should not enable the security features in the download tool, the bootloader will do it for you.

shawn2019
Posts: 13
Joined: Mon Oct 07, 2019 2:39 am

Re: Secure Boot CheckSum error, Help Please!

Postby shawn2019 » Wed Oct 23, 2019 8:50 am

WiFive wrote:
Tue Oct 22, 2019 1:27 pm
How big is bootloader.bin file? Do you have the secure boot and flash encryption keys saved?

For one-time flash mode and release mode you should not enable the security features in the download tool, the bootloader will do it for you.

Thanks WiFive!
1. I saw that the size of my bootloader.bin file is 36k, the starting address of the bootloader is 0x1000, and the starting position of the partition-table is 0x9000, which should be able to put the bootloader.

2. If an unexpected situation such as a power failure occurs during the initial initialization process, the chip will be locked and cannot be programmed and booted again.

3. “Do you have the secure boot and flash encryption keys saved?” I don’t quite understand what you said. I generated the key file with "openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem" and the name and path are the same in the KConfig Menu. I confirm that there is no problem.

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Secure Boot CheckSum error, Help Please!

Postby WiFive » Wed Oct 23, 2019 9:13 am

0x9000-0x1000 = 0x8000 = 32k

Sorry I don't use secure flasher tool but I guess it automates the rest of the process and it wrote partition table over bootloader.
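The size arithmetic in the reply above can be run as a pre-flash check over the whole layout. This is an added example, not part of the thread or of any Espressif tool: the 0x1000 and 0x9000 offsets and the 36k bootloader come from the posts, while the exact byte count, the other file sizes and the remaining offsets are constructed for illustration.

```python
"""Added example: detect colliding images in a flash layout before programming."""
from typing import Dict, List, NamedTuple, Tuple

SECTOR = 0x1000  # 4 KiB flash erase sector; a write erases whole sectors


class Image(NamedTuple):
    name: str
    offset: int  # flash address the file is written to
    size: int    # size of the .bin file in bytes


def align_up(value: int, alignment: int = SECTOR) -> int:
    """Round value up to the next erase-sector boundary."""
    return (value + alignment - 1) // alignment * alignment


def find_overlaps(images: List[Image]) -> List[Tuple[str, str, int]]:
    """Return (earlier, later, overlap_bytes) for each pair of colliding images."""
    ordered = sorted(images, key=lambda i: i.offset)
    problems = []
    for idx, first in enumerate(ordered):
        end = align_up(first.offset + first.size)  # end of the erased range
        for second in ordered[idx + 1:]:
            if second.offset >= end:
                break  # sorted by offset, so nothing later can collide
            problems.append((first.name, second.name, end - second.offset))
    return problems


def room_per_image(images: List[Image]) -> Dict[str, int]:
    """Bytes available to each image before the next image's offset."""
    ordered = sorted(images, key=lambda i: i.offset)
    return {a.name: b.offset - a.offset for a, b in zip(ordered, ordered[1:])}


# Layout from the thread; "36k" is assumed to mean 36 * 1024 bytes.
# Sizes and offsets of everything except the first two offsets are constructed.
POSTED_LAYOUT = [
    Image("bootloader.bin", 0x1000, 36 * 1024),
    Image("partition-table.bin", 0x9000, 0xC00),
    Image("ota_data_initial.bin", 0xD000, 0x2000),
    Image("native_ota.bin", 0x10000, 0xF0000),
]

if __name__ == "__main__":
    for earlier, later, nbytes in find_overlaps(POSTED_LAYOUT):
        print(f"{earlier} runs {nbytes:#x} bytes into {later}")
    print({k: hex(v) for k, v in room_per_image(POSTED_LAYOUT).items()})
```

With the posted values it reports that bootloader.bin runs 0x1000 bytes into partition-table.bin and that only 0x8000 bytes are available to the bootloader.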

shawn2019
Posts: 13
Joined: Mon Oct 07, 2019 2:39 am

Re: Secure Boot CheckSum error, Help Please!

Postby shawn2019 » Wed Oct 23, 2019 10:49 am

WiFive wrote:
Wed Oct 23, 2019 9:13 am
0x9000-0x1000 = 0x8000 = 32k

Sorry I don't use secure flasher tool but I guess it automates the rest of the process and it wrote partition table over bootloader.

After I posted, I realized that I made a stupid mistake in the calculation of BIN size, thank you! The Secure bootloader does set ABS_DONE0 by itself, but I see the following article and found that you can use the esp flash tools to avoid problems with accidental power loss during the first boot. The article is linked as follows, but the article is written in Chinese.

shawn2019
Posts: 13
Joined: Mon Oct 07, 2019 2:39 am

Re: Secure Boot CheckSum error, Help Please!

Postby shawn2019 » Wed Oct 23, 2019 10:50 am

shawn2019 wrote:
Wed Oct 23, 2019 10:49 am
WiFive wrote:
Wed Oct 23, 2019 9:13 am
0x9000-0x1000 = 0x8000 = 32k

Sorry I don't use secure flasher tool but I guess it automates the rest of the process and it wrote partition table over bootloader.

After I posted, I realized that I made a stupid mistake in the calculation of BIN size, thank you! The Secure bootloader does set ABS_DONE0 by itself, but I see the following article and found that you can use the esp flash tools to avoid problems with accidental power loss during the first boot. The article is linked as follows, but the article is written in Chinese.
https://github.com/espressif/esp-iot-so ... rypt_cn.md
