OTA update with secure boot enabled fails with error "image has invalid signature version field 0xffffffff" [IDFGH-4982]

[sripad]

IDF_version : 4.2.

I am trying to implement OTA update on esp32 which has secure boot enabled.
Secure Boot works fine as flashing an unsigned image results in "secure boot failed" error. And after flashing a signed image it boots properly.
Sdkconfig settings are as follows .

#
# Bootloader config
#
CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_SIZE=y
# CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_DEBUG is not set
# CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_PERF is not set
# CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_NONE is not set
# CONFIG_BOOTLOADER_LOG_LEVEL_NONE is not set
# CONFIG_BOOTLOADER_LOG_LEVEL_ERROR is not set
CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y
# CONFIG_BOOTLOADER_LOG_LEVEL_INFO is not set
# CONFIG_BOOTLOADER_LOG_LEVEL_DEBUG is not set
# CONFIG_BOOTLOADER_LOG_LEVEL_VERBOSE is not set
CONFIG_BOOTLOADER_LOG_LEVEL=2
# CONFIG_BOOTLOADER_VDDSDIO_BOOST_1_8V is not set
CONFIG_BOOTLOADER_VDDSDIO_BOOST_1_9V=y
# CONFIG_BOOTLOADER_FACTORY_RESET is not set
# CONFIG_BOOTLOADER_APP_TEST is not set
CONFIG_BOOTLOADER_WDT_ENABLE=y
# CONFIG_BOOTLOADER_WDT_DISABLE_IN_USER_CODE is not set
CONFIG_BOOTLOADER_WDT_TIME_MS=9000
# CONFIG_BOOTLOADER_APP_ROLLBACK_ENABLE is not set
CONFIG_BOOTLOADER_RESERVE_RTC_SIZE=0
# CONFIG_BOOTLOADER_CUSTOM_RESERVE_RTC is not set
# end of Bootloader config

#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V1_ENABLED=y
# CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH is not set
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y
# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is not set
CONFIG_SECURE_BOOT_VERIFICATION_KEY="signature_verification_key.bin"
CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_256BIT=y
# CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
# CONFIG_SECURE_FLASH_ENC_ENABLED is not set
# end of Security features

In order to enable OTA update I have followed the "remote signing of images".
The steps are as follows :
1.) Enable "Hardware Secure Boot in bootloader".
2.) Disable "Sign binaries during build"
3.) Build bootloader using "idf.py bootloader"
4.) Flash bootloader with "esptool.py write_flash ...." and alson burn the bootloader key in efuse as instructed in docs.
5.) Build app with "idf.py build"
6) Sign app with "espsecure.py sign_data" . The signed bin was verified with "espsecure.py verify_signature".
7) App was written to esp32 with "esptool.py write_flash .... "


After a reboot ESP boots up without any issue but, if I try to update the firmware using OTA update then i am met with error :

I (76660) esp_image: Verifying image signature...
E (76660) secure_boot_v1: image has invalid signature version field 0xffffffff
E (76660) esp_image: Secure boot signature verification failed
I (76670) esp_image: Calculating simple hash to check for corruption...
W (77060) esp_image: image valid, signature bad

Any steps that I might be missing or doing wrong?
Any suggestions ?


Thanks.

[sripad]

Can anyone help me with this? Been stuck here for more than a week.

[ESP_Angus]

Hi sripad,

Sorry noone has gotten back to you before now.

Apologies for an obvious thing to ask, but one reason the image signature field contains all 0xFFFFFFFF but the image is otherwise valid is if the .bin file served via OTA is not the signed .bin file. The .bin file sent by the server is definitely the same .bin file that "espsecure.py verify_signature" has verified the signature on?

[Konstantin]

Hi sripad!

I am able to see the same log as here ` secure_boot_v1: image has invalid signature version field 0xffffffff`. This happens when you try to provide not a signed app to OTA server.
- disable "Sign binaries during build"
- provide `Secure boot public signature verification key` - signature_verification_key.bin

espsecure.py generate_signing_key --version 1 secure_boot_signing_key.pem
espsecure.py extract_public_key --version 1 --keyfile secure_boot_signing_key.pem signature_verification_key.bin

Repeat the `sign_data` command each time after rebuild app:
espsecure.py sign_data --keyfile secure_boot_signing_key.pem --version 1 build/simple_ota.bin

To check that file has a signature:
espsecure.py verify_signature build/simple_ota.bin --version 1 --keyfile signature_verification_key.bin

There is no issue with IDF.
Thanks.

[sripad]

I remember signing and verifying the image before sending it to the server. Will check it again.
Thanks.