[Solved] Secure boot signature verification failed

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Re: Secure boot signature verification failed

Postby ESP_Mahavir » Thu Feb 23, 2023 8:21 am

Hi,

Could you please elaborate on what issue you discovered in the signing tool here?

RuslanPopov
Posts: 25
Joined: Mon Nov 21, 2022 3:47 pm

Re: Secure boot signature verification failed

Postby RuslanPopov » Thu Feb 23, 2023 9:01 am

Your utility can not resign the application binary!

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Re: Secure boot signature verification failed

Postby ESP_Mahavir » Fri Feb 24, 2023 3:29 am

I am still not quite clear on what you mean by the resign here?

So here is my analysis based on the information you shared so far:

1. Device has secure boot (v2) and flash encryption enabled as per EFuse settings
2. Secure signing is done on the image and then its further pre-encrypted before hosting on the OTA server
3. On device side, first pre-encrypted layer would be removed from the OTA stream for the firmware and then it would be written in the encrypted manner (using platform flash encryption) on the flash
4. Finally there would be secure verification of the firmware before it can be made as "active" partition

So far, this all looks correct. If the firmware is signed using correct key then I see no problem why its signature verification would fail. Maybe you could explain a bit more about "resign" issue here. Thank you.

RuslanPopov
Posts: 25
Joined: Mon Nov 21, 2022 3:47 pm

Re: Secure boot signature verification failed

Postby RuslanPopov » Thu Mar 02, 2023 5:58 pm

Build signed application, decide this application as base application. Then it is needed to have an application signed for particular device using the device's key. Make sign_data process, no errors. At the end of OTA the device can not verify the signature.

Build signed application from scratch using the device's key. At the end of OTA the device verifies the signature successfully.

Decision: The espsecure utility can not correctly remove and sign the application.

RuslanPopov
Posts: 25
Joined: Mon Nov 21, 2022 3:47 pm

Re: Secure boot signature verification failed

Postby RuslanPopov » Thu Mar 02, 2023 8:42 pm

Also, I have the following configuration:

Code: Select all

grep SIGN configurations/sdkconfig-latch-sim800
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
# CONFIG_SECURE_BOOT_SIGNING_KEY="keys/current/signing_key_v2.pem"
# CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN is not set
So, the signing application on build is disabled. But if I use docker image of espressif/idf with this configuration (I don't use `idf.py reconfigure` there), these signature settings become enabled and I have no ability to build non-signed application.

It there a fast solution?

ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Re: Secure boot signature verification failed

Postby ESP_Mahavir » Fri Mar 03, 2023 3:53 pm

Aha, I understood the problem.

Simple solution could be to use `build/<project>-unsigned.bin` file for the manual signing purpose (instead of `project.bin`)

Alternatively with docker based approach you could add `sdkconfig.defaults` file to the project with the line `CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n` and then build the project using instructions supplied at https://docs.espressif.com/projects/esp ... with-cmake

From the tools perspective, this is not a bug as the signing part does not really care about the image format as such, it just signs the contents and creates a signature block.

Hope this helps!

RuslanPopov
Posts: 25
Joined: Mon Nov 21, 2022 3:47 pm

Re: Secure boot signature verification failed

Postby RuslanPopov » Sun Mar 05, 2023 4:55 pm

Thanks. All works fine!

Who is online

Users browsing this forum: dzungpv, Google [Bot], Majestic-12 [Bot], ok-home and 60 guests