Hi,
Could you please elaborate on what issue you discovered in the signing tool here?
[Solved] Secure boot signature verification failed
-
- Posts: 190
- Joined: Wed Jan 24, 2018 6:51 am
-
- Posts: 25
- Joined: Mon Nov 21, 2022 3:47 pm
Re: Secure boot signature verification failed
Your utility can not resign the application binary!
-
- Posts: 190
- Joined: Wed Jan 24, 2018 6:51 am
Re: Secure boot signature verification failed
I am still not quite clear on what you mean by the resign here?
So here is my analysis based on the information you shared so far:
1. Device has secure boot (v2) and flash encryption enabled as per EFuse settings
2. Secure signing is done on the image and then it's further pre-encrypted before hosting on the OTA server
3. On device side, first pre-encrypted layer would be removed from the OTA stream for the firmware and then it would be written in the encrypted manner (using platform flash encryption) on the flash
4. Finally there would be secure verification of the firmware before it can be made as "active" partition
So far, this all looks correct. If the firmware is signed using the correct key then I see no reason why its signature verification would fail. Maybe you could explain a bit more about the "resign" issue here. Thank you.
Mahavir
https://github.com/mahavirj/
-
- Posts: 25
- Joined: Mon Nov 21, 2022 3:47 pm
Re: Secure boot signature verification failed
Build signed application, decide this application as base application. Then it is needed to have an application signed for particular device using the device's key. Make sign_data process, no errors. At the end of OTA the device can not verify the signature.
Build signed application from scratch using the device's key. At the end of OTA the device verifies the signature successfully.
Decision: The espsecure utility can not correctly remove and sign the application.
-
- Posts: 25
- Joined: Mon Nov 21, 2022 3:47 pm
Re: Secure boot signature verification failed
Also, I have the following configuration:

```
grep SIGN configurations/sdkconfig-latch-sim800
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
# CONFIG_SECURE_BOOT_SIGNING_KEY="keys/current/signing_key_v2.pem"
# CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN is not set
```

So, the signing application on build is disabled. But if I use docker image of espressif/idf with this configuration (I don't use `idf.py reconfigure` there), these signature settings become enabled and I have no ability to build non-signed application.
Is there a fast solution?
-
- Posts: 190
- Joined: Wed Jan 24, 2018 6:51 am
Re: Secure boot signature verification failed
Aha, I understood the problem.
Simple solution could be to use `build/<project>-unsigned.bin` file for the manual signing purpose (instead of `project.bin`)
Alternatively with docker based approach you could add `sdkconfig.defaults` file to the project with the line `CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n` and then build the project using instructions supplied at https://docs.espressif.com/projects/esp ... with-cmake
From the tools perspective, this is not a bug as the signing part does not really care about the image format as such, it just signs the contents and creates a signature block.
Hope this helps!
Mahavir
https://github.com/mahavirj/
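A pre-signing check for the situation resolved above, as an added example that is not part of the original thread or of Espressif's tooling: it reports whether a binary already ends in a Secure Boot v2 signature sector, so the `-unsigned.bin` file is the one handed to the signer. The layout constants (4 KB sector, 1216-byte block, magic `0xE7`, version `0x02`, SHA-256 at offset 4) are taken from Espressif's Secure Boot v2 documentation, not from this page; the function names, `fake_sign` and the sample bytes are constructed for illustration and assume a signer that treats its whole input as content.

```python
import hashlib

SECTOR = 4096          # signature sector size; image content is padded to this
BLOCK_LEN = 1216       # one Secure Boot v2 signature block
MAGIC, VERSION = 0xE7, 0x02

def inspect_trailing_signature(image: bytes) -> dict:
    """Report whether `image` ends in a Secure Boot v2 signature sector."""
    result = {"signed": False, "digest_ok": None, "content_len": len(image)}
    if len(image) < 2 * SECTOR or len(image) % SECTOR:
        return result                      # too short or unaligned: no sector
    content, sector = image[:-SECTOR], image[-SECTOR:]
    if sector[0] != MAGIC or sector[1] != VERSION:
        return result
    result["signed"] = True
    result["content_len"] = len(content)
    # Bytes 4..36 of the block hold SHA-256 of the image content only.
    result["digest_ok"] = sector[4:36] == hashlib.sha256(content).digest()
    return result

def safe_to_sign(image: bytes) -> bool:
    """True only for an input that carries no signature block yet."""
    return not inspect_trailing_signature(image)["signed"]

# --- constructed sample data (no real keys or signatures) ---
def fake_sign(content: bytes) -> bytes:
    """Stand-in signer: pad, then append a sector with magic, version, digest."""
    content += b"\xff" * (-len(content) % SECTOR)
    block = bytes([MAGIC, VERSION, 0, 0]) + hashlib.sha256(content).digest()
    block += bytes(BLOCK_LEN - len(block))     # key/signature fields zeroed
    return content + block + b"\xff" * (SECTOR - BLOCK_LEN)

UNSIGNED = b"\xe9" + b"constructed app image" * 300
SIGNED_ONCE = fake_sign(UNSIGNED)
SIGNED_TWICE = fake_sign(SIGNED_ONCE)   # signing the already-signed file

if __name__ == "__main__":
    for name, img in [("unsigned", UNSIGNED), ("signed", SIGNED_ONCE),
                      ("re-signed", SIGNED_TWICE)]:
        print(name, inspect_trailing_signature(img),
              "safe_to_sign:", safe_to_sign(img))
```

In the re-signed sample the first signature sector is still present inside the content that the second signature covers, which is why the input file should be the unsigned build output.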
-
- Posts: 25
- Joined: Mon Nov 21, 2022 3:47 pm
Re: Secure boot signature verification failed
Thanks. All works fine!