Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

bdevos
Posts: 3
Joined: Thu Nov 14, 2019 10:53 am

Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Postby bdevos » Mon Feb 14, 2022 3:35 pm

Hi,

I have made a config/partition table and some scripts to use Security (Encryption and Secure Boot V2) in a production environment.
My scripts do activate the features on a devkit, but on our own board, Secure Boot can not be activated.

This is the error log:

Code: Select all

ets Jul 29 2019 12:21:46

rst:0x1 (POWERON_RESET),boot:0x1e (SPets Jul 29 2019 12:21:46

rst:0x1 (POWERON_RESET),boot:0x1e (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0038,len:10140
ho 0 tail 12 room 4
load:0x40078000,len:22792
ho 0 tail 12 room 4
load:0x40080400,len:3464
0x40080400: _init at ??:?

entry 0x40080640
I (31) boot: ESP-IDF v4.4 2nd stage bootloader
I (31) boot: compile time 14:43:01
I (31) boot: chip revision: 3
I (31) boot.esp32: SPI Speed      : 40MHz
I (35) boot.esp32: SPI Mode       : DIO
I (38) boot.esp32: SPI Flash Size : 4MB
I (42) boot: Enabling RNG early entropy source...
I (46) boot: Partition Table:
I (49) boot: ## Label            Usage          Type ST Offset   Length
I (55) boot:  0 nvs_key          NVS keys         01 04 00011000 00001000
I (62) boot:  1 nvs              WiFi data        01 02 00012000 00020000
I (68) boot:  2 otadata          OTA data         01 00 00032000 00002000
I (75) boot:  3 phy_init         RF data          01 01 00034000 00001000
I (81) boot:  4 coredump         Unknown data     01 03 00035000 00020000
I (88) boot:  5 ota_0            OTA app          00 10 00060000 001a0000
I (94) boot:  6 ota_1            OTA app          00 11 00210000 001a0000
I (101) boot: End of partition table
I (104) boot: No factory image, trying OTA 0
I (108) esp_image: segment 0: paddr=00060020 vaddr=3f400020 size=0db6ch ( 56172) map
I (136) esp_image: segment 1: paddr=0006db94 vaddr=3ffb0000 size=01570h (  5488) load
I (138) esp_image: segment 2: paddr=0006f10c vaddr=40080000 size=00f0ch (  3852) load
I (141) esp_image: segment 3: paddr=00070020 vaddr=400d0020 size=6b1c0h (438720) map
I (304) esp_image: segment 4: paddr=000db1e8 vaddr=40080f0c size=0ae44h ( 44612) load
I (323) esp_image: segment 5: paddr=000e6034 vaddr=50000000 size=00010h (    16) load
I (323) esp_image: segment 6: paddr=000e604c vaddr=00000000 size=09f84h ( 40836) 
I (341) esp_image: Verifying image signature...
I (342) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (343) secure_boot_v2: Verifying with RSA-PSS...
I (351) secure_boot_v2: Signature verified successfully!
I (357) boot: Loaded app from partition at offset 0x60000
I (414) boot: Set actual ota_seq=1 in otadata[0]
I (414) secure_boot_v2: enabling secure boot v2...
I (414) efuse: Batch mode of writing fields is enabled
I (417) esp_image: segment 0: paddr=00001020 vaddr=3fff0038 size=0279ch ( 10140) 
I (427) esp_image: segment 1: paddr=000037c4 vaddr=40078000 size=05908h ( 22792) 
I (439) esp_image: segment 2: paddr=000090d4 vaddr=40080400 size=00d88h (  3464) 
I (441) esp_image: Verifying image signature...
I (443) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (451) secure_boot_v2: Verifying with RSA-PSS...
Sig block 0 invalid: Image digest does not match
E (459) secure_boot_v2: Secure Boot V2 verification failed.
E (465) esp_image: Secure boot signature verification failed
I (470) esp_image: Calculating simple hash to check for corruption...
E (486) esp_image: Image hash failed - image is corrupt
W (486) esp_image: image corrupted on flash
E (486) secure_boot_v2: bootloader image appears invalid! error 8194
I (491) efuse: Batch mode of writing fields is cancelled
E (496) boot: Secure Boot v2 failed (8194)
E (500) boot: OTA app partition slot 0 is not bootable
I (505) esp_image: segment 0: paddr=00210020 vaddr=3f400020 size=0db6ch ( 56172) map
I (532) esp_image: segment 1: paddr=0021db94 vaddr=3ffb0000 size=01570h (  5488) load
I (535) esp_image: segment 2: paddr=0021f10c vaddr=40080000 size=00f0ch (  3852) load
I (538) esp_image: segment 3: paddr=00220020 vaddr=400d0020 size=6b1c0h (438720) map
I (701) esp_image: segment 4: paddr=0028b1e8 vaddr=40080f0c size=0ae44h ( 44612) load
I (719) esp_image: segment 5: paddr=00296034 vaddr=50000000 size=00010h (    16) load
I (720) esp_image: segment 6: paddr=0029604c vaddr=00000000 size=09f84h ( 40836) 
I (738) esp_image: Verifying image signature...
I (738) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (739) secure_boot_v2: Verifying with RSA-PSS...
I (747) secure_boot_v2: Signature verified successfully!
I (754) boot: Loaded app from partition at offset 0x210000
I (807) boot: Set actual ota_seq=2 in otadata[0]
I (807) secure_boot_v2: enabling secure boot v2...
I (807) efuse: Batch mode of writing fields is enabled
I (809) esp_image: segment 0: paddr=00001020 vaddr=3fff0038 size=0279ch ( 10140) 
I (820) esp_image: segment 1: paddr=000037c4 vaddr=40078000 size=05908h ( 22792) 
I (832) esp_image: segment 2: paddr=000090d4 vaddr=40080400 size=00d88h (  3464) 
I (834) esp_image: Verifying image signature...
I (836) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (844) secure_boot_v2: Verifying with RSA-PSS...
Sig block 0 invalid: Image digest does not match
E (852) secure_boot_v2: Secure Boot V2 verification failed.
E (857) esp_image: Secure boot signature verification failed
I (863) esp_image: Calculating simple hash to check for corruption...
E (879) esp_image: Image hash failed - image is corrupt
W (879) esp_image: image corrupted on flash
E (879) secure_boot_v2: bootloader image appears invalid! error 8194
I (884) efuse: Batch mode of writing fields is cancelled
E (889) boot: Secure Boot v2 failed (8194)
E (893) boot: OTA app partition slot 1 is not bootable
E (898) boot: No bootable app partitions in the partition table
I have my config in attachment, as well as the partition table.
I have my scripts (renamed to .txt, as they can't be uploaded otherwise), which are to be executed in the order:
1 build
2 nvs
3 flash
And they perform:
1 run `idf.py build` in a clean directory
2 generate an encrypted nvs.bin binary blob and corresponding encryption key
3 flash all binaries

The most important fuses (secure boot digest and flash encryption keys) are generated on chip when the bootloader runs for the first time. Some fuses are still untouched, they will be burned in the last step via `espefuse.py` (in another script).

The above does work correctly on a devkit (8MB flash), yet does not on our own board (4MB flash).
What can be the issue here?

Thanks in advance.
Attachments
flash.txt
(912 Bytes) Downloaded 314 times
partitions.csv
(1.31 KiB) Downloaded 311 times
sdkconfig.txt
(41.12 KiB) Downloaded 319 times

bdevos
Posts: 3
Joined: Thu Nov 14, 2019 10:53 am

Re: Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Postby bdevos » Mon Feb 14, 2022 8:33 pm

btw, I'm using ESP-IDF-4.4

bdevos
Posts: 3
Joined: Thu Nov 14, 2019 10:53 am

Re: Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Postby bdevos » Mon Feb 14, 2022 8:53 pm

Another question I have.
The actual error message "Sig block 0 invalid: Image digest does not match"
Is not printed using `ESP_LOGx` in the code from ESP-IDF.
Is this printed from the bootrom?

gb.123
Posts: 32
Joined: Thu May 20, 2021 9:56 pm

Re: Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Postby gb.123 » Thu Feb 17, 2022 3:42 pm

I am also having the same problem.

I am using ESP32-DevkitC-VE (Wrover Module) with 8MB Flash.

If I burn the digest using : espefuse.py --port COM6 burn_key_digest X:\secure_boot_signing_key.pem,
I get

"Sig block 0 invalid: Image digest does not match"

If I dont burn the digest manually, I get similar message as you are getting in your first post.
I also have encryption enabled.
The app works perfectly if SecurebootV2 is not enabled.

gb.123
Posts: 32
Joined: Thu May 20, 2021 9:56 pm

Re: Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Postby gb.123 » Sun Feb 20, 2022 3:26 pm

After discussion on the ESP-IDF github, it was concluded that this is due to mismatch of Size header in the bootloader.
Best way is to manually pass --flash_size keep or --flash_size <SIZE>

Who is online

Users browsing this forum: No registered users and 390 guests