I've encountered an issue while attempting to secure my bootloader using Secure Boot v1 in ESP-IDF. Unfortunately, I'm consistently receiving an error message stating "secure boot check fail." I have reviewed the setup and followed the documentation closely, but I haven't been successful in resolving this issue independently.
Process I followed:
1. idf.py menuconfig
- set secure boot with reflashable bootloader.
- bootloader config -> bootloader log verbosity (error).
- partition-table offset (0x10000)
2. generated secure_boot_key using espsecure.py and given this name to secure boot key in menuconfig.
3. Generated public key.
4. idf.py build.
5. espefuse.py burn_key secure_boot D:/ESP32_Projects/blink/build/bootloader/secure-bootloader-key-256.bin.
6. Burn efuse of secure boot
- espefuse -p COM4 burn_efuse ABS_DONE_0.
7. esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB -u 0x1000 D:/ESP32_Projects/blink/build/bootloader/bootloader.bin.
8. esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB -u 0x0 D:/ESP32_Projects/blink/build/bootloader/bootloader-reflash-digest.bin.
I've followed the steps mentioned earlier, but I'm encountering an error that says "secure boot check fail," and my controller keeps restarting repeatedly. Could you please help me troubleshoot and fix this issue?
Re: Issue with Secure Boot v1 in ESP-IDF
Hello @vkp2808,
I tried using the v5.2.2 tag of ESP-IDF but I was unable to recreate the issue.
Using which ESP-IDF release are you facing the issue?
You could also try out secure boot using QEMU (emulator) to "conserve" your testing devkits:
1. Build your firmware
2. Merge the binaries using:
    (cd build; esptool.py --chip esp32 merge_bin --fill-flash-size 2MB -o flash_image.bin @flash_args)
3. Create an empty efuses file using:
    dd if=/dev/zero bs=1 count=124 of=qemu_efuse.bin
4. In a new terminal with ESP-IDF environment enabled, run QEMU in download mode using:
    qemu-system-xtensa -nographic -drive file=build/flash_image.bin,if=mtd,format=raw -machine esp32 -global driver=esp32.gpio,property=strap_mode,value=0x0f -drive file=qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -serial tcp::5555,server,nowait
5. Flash bootloader and bootloader-reflash-digest:
    esptool.py -p $ESPPORT --no-stub --before=no_reset write_flash 0x0 build/bootloader/bootloader-reflash-digest.bin
    esptool.py -p $ESPPORT --no-stub --before=no_reset write_flash 0x1000 build/bootloader/bootloader.bin
6. Burn the relevant efuses using:
    espefuse.py -p $ESPPORT --before=no_reset burn_efuse ABS_DONE_0
    espefuse.py -p $ESPPORT --before=no_reset burn_key secure_boot_v1 build/bootloader/secure-bootloader-key-256.bin
7. Quit the QEMU download mode instance by typing "quit"
8. Run QEMU in the boot mode to boot ESP32:
    qemu-system-xtensa -nographic -machine esp32 -drive file=qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -drive file=build/flash_image.bin,if=mtd,format=raw -global driver=timer.esp32.timg,property=wdt_disable,value=true
You should now be able to see the firmware running.
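Both posts write bootloader.bin to 0x1000 with esptool, and the first post passes explicit --flash_mode/--flash_freq/--flash_size; esptool's write_flash can patch bytes 2-3 of an image header at the bootloader offset when those values differ from the image, and any byte that differs from the image the reflash digest was generated over will fail the Secure Boot v1 digest check. The following pre-flight check is an added example, not code from either poster or from ESP-IDF; the header byte values and the sample headers are constructed from the documented ESP32 image header layout.

```python
# Added example (not from the thread): decode the flash parameters stored in
# bytes 2-3 of an ESP32 image header and compare them with the values that will
# be passed to write_flash, so the flashed bootloader bytes are the digested ones.
import struct

ESP_IMAGE_MAGIC = 0xE9
FLASH_MODES = {0: "qio", 1: "qout", 2: "dio", 3: "dout"}
FLASH_FREQS = {0: "40m", 1: "26m", 2: "20m", 0xF: "80m"}
FLASH_SIZES = {0: "1MB", 1: "2MB", 2: "4MB", 3: "8MB", 4: "16MB"}


def parse_image_header(image: bytes) -> dict:
    """Return the flash parameters encoded in an ESP32 image header.

    Layout: magic (1), segment count (1), flash mode (1),
    flash size (high nibble) / flash freq (low nibble) (1), entry address (4, LE).
    """
    if len(image) < 8 or image[0] != ESP_IMAGE_MAGIC:
        raise ValueError("not an ESP image header (missing 0xE9 magic)")
    _, segments, mode, size_freq, entry = struct.unpack("<BBBBI", image[:8])
    return {
        "segments": segments,
        "flash_mode": FLASH_MODES.get(mode, f"unknown({mode})"),
        "flash_size": FLASH_SIZES.get(size_freq >> 4, f"unknown({size_freq >> 4})"),
        "flash_freq": FLASH_FREQS.get(size_freq & 0xF, f"unknown({size_freq & 0xF})"),
        "entry_addr": entry,
    }


def header_mismatches(image: bytes, flash_mode: str, flash_freq: str, flash_size: str) -> list:
    """List the write_flash arguments that differ from the image header.

    An empty list means esptool has no reason to touch the header, so the bytes
    written at 0x1000 stay identical to the image the digest file was made from.
    """
    hdr = parse_image_header(image)
    wanted = {"flash_mode": flash_mode.lower(), "flash_freq": flash_freq.lower(),
              "flash_size": flash_size.upper()}
    return [f"{k}: image has {hdr[k]}, write_flash given {v}"
            for k, v in wanted.items() if hdr[k] != v]


# Constructed 24-byte header: 3 segments, DIO, 2MB/40m, entry 0x40080400, empty extended header.
SAMPLE_HEADER = bytes([0xE9, 3, 2, 0x10]) + (0x40080400).to_bytes(4, "little") + bytes(16)
# Constructed header for the same image built for QIO at 4MB/80m (all three fields differ).
OTHER_HEADER = bytes([0xE9, 3, 0, 0x2F]) + (0x40080400).to_bytes(4, "little") + bytes(16)
```

Run `header_mismatches(open("build/bootloader/bootloader.bin", "rb").read(), "dio", "40m", "2MB")` against a real build before flashing; anything it lists is a header byte esptool would rewrite.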