Design flow with SecureBoot and FlashEncryption enabled
Posted: Tue Jan 19, 2021 10:29 pm
I'm having a commercial product out based on ESP32 where I have secure flash and OTA updates enabled. As volumes now grow I would like to enable secure boot for a new generation based on idf 4.2. I would like to be able to regularly reflash my internal boards but keep them as close to the real product as possible. I have a fair amount of esp32 v1 chips so I am staying with Secure Boot V1 for now.
I'm trying to set up a design flow where:
1. Flash encryption is enabled, using a known random key in BLK1
2. Secure boot key is known and burnt in BLK2
3. Compile and flash new bootloader and app
I build with the following options in a file, selected via SDKCONFIG_DEFAULTS (secure_dev), to get the bootloader and the signed binary:
#Secure flash and NVS
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
# Enable HW Secure boot V1, Reflashable (PEM used for 256-bit BLK2 key)
# Sign binaries during build
CONFIG_SECURE_BOOT_SIGNING_KEY="private_key.pem"
CONFIG_SECURE_BOOT_VERIFICATION_KEY="public_key.pem"
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V1_ENABLED=y
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME=y
# CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH is not set
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_256BIT=y
# CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
# end of Security features
# Keeps JTAG usable; without this the bootloader burns the JTAG-disable efuse when it enables secure boot
CONFIG_SECURE_BOOT_ALLOW_JTAG=y
Then I encrypt the files with:
# --address must be the offset the file is later written to: ESP32 flash encryption is address-dependent
espsecure.py encrypt_flash_data --keyfile myKey --address 0x0 -o "enc/bootloader-digest.bin" build/bootloader/bootloader-reflash-digest.bin
espsecure.py encrypt_flash_data --keyfile myKey --address 0x8000 -o "enc/partition-table.bin" build/partition_table/partition-table.bin
espsecure.py encrypt_flash_data --keyfile myKey --address 0xb000 -o "enc/ota_data_initial.bin" build/ota_data_initial.bin
espsecure.py encrypt_flash_data --keyfile myKey --address 0x20000 -o "enc/myApp.bin" build/myApp.bin
And finally I flash the signed and encrypted files to my board in one go after checking that the bootloader fits in the allocated space.
esptool.py -p COM3 -b 921600 --no-stub --before default_reset --after no_reset \
    write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB \
    0x0 "enc/bootloader-digest.bin" \
    0x8000 "enc/partition-table.bin" \
    0xb000 "enc/ota_data_initial.bin" \
    0x20000 "enc/myApp.bin"
And then I open my terminal and get the dreaded:
rst:0x10 (RTCWDT_RTC_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57
Any hints or pointers where this flow is broken would be greatly appreciated
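As an added example (not code from the original post or from ESP-IDF), the following POSIX shell script automates the encrypt-then-flash steps described in the post and makes the "does the bootloader fit" check explicit for every image, not just the bootloader. The ./build and ./enc directories, the key file name myKey, the application image name myApp.bin and the APP_LIMIT default are assumptions taken from or extrapolated from the post; adjust them to your project. Because ESP32 flash encryption is address-dependent, each image is encrypted for exactly the offset it is later written to, and any size violation aborts before esptool.py is invoked.

```sh
#!/bin/sh
# Added example, not code from the original post. Automates the post's
# encrypt-then-flash flow for Secure Boot V1 (reflashable) plus flash
# encryption, adding the size check the author mentions doing by hand.
# Assumptions (hypothetical; adjust to your build): images live under ./build,
# the pre-shared flash encryption key is ./myKey, the app image is
# build/myApp.bin, and the flash offsets are those used in the post.
set -eu

KEYFILE=${KEYFILE:-myKey}
OUTDIR=${OUTDIR:-enc}
FLASH_PORT=${FLASH_PORT:-}        # e.g. COM3 or /dev/ttyUSB0; empty = do nothing
APP_LIMIT=${APP_LIMIT:-0x400000}  # end of the app partition; 4 MB flash end assumed

# One image per line: <flash offset> <file> <offset the image must end before>.
# bootloader-reflash-digest.bin is the 0x1000-byte digest followed by the
# bootloader image, so it is written at 0x0 and must end before the
# partition table at 0x8000. otadata is 0x2000 bytes, hence the 0xd000 limit.
IMAGES="
0x0     build/bootloader/bootloader-reflash-digest.bin 0x8000
0x8000  build/partition_table/partition-table.bin      0xb000
0xb000  build/ota_data_initial.bin                     0xd000
0x20000 build/myApp.bin                                $APP_LIMIT
"

# size_of FILE -> size in bytes (no GNU stat dependency)
size_of() {
    wc -c < "$1" | tr -d ' '
}

# fits FILE OFFSET LIMIT -> succeeds if FILE written at OFFSET ends at or
# before LIMIT; prints a diagnostic and fails otherwise. Hex offsets as
# passed to esptool (0x0, 0x8000, ...) are accepted.
fits() {
    [ -f "$1" ] || { printf 'ERROR: %s not found\n' "$1" >&2; return 1; }
    size=$(size_of "$1")
    off=$(( $2 ))
    lim=$(( $3 ))
    end=$(( off + size ))
    if [ "$end" -gt "$lim" ]; then
        printf 'ERROR: %s at %s would end at 0x%x, past 0x%x\n' \
            "$1" "$2" "$end" "$lim" >&2
        return 1
    fi
}

# encrypt_all -> checks every image fits, encrypts it for its own flash
# address into $OUTDIR, and prints "<offset> <encrypted file>" lines.
# espsecure.py output goes to stderr so stdout stays machine-readable.
encrypt_all() {
    mkdir -p "$OUTDIR"
    printf '%s\n' "$IMAGES" | while read -r off file lim; do
        [ -n "$off" ] || continue
        fits "$file" "$off" "$lim"
        out="$OUTDIR/$(basename "$file")"
        espsecure.py encrypt_flash_data --keyfile "$KEYFILE" \
            --address "$off" -o "$out" "$file" >&2
        printf '%s %s\n' "$off" "$out"
    done
}

# flash_all -> reads "<offset> <file>" lines on stdin and writes them all in
# one esptool.py call with the same options as the post. The images are
# already encrypted, so they go through plain write_flash (no --encrypt).
flash_all() {
    set -- -p "$FLASH_PORT" -b 921600 --no-stub --before default_reset \
        --after no_reset write_flash --flash_mode dio --flash_freq 40m \
        --flash_size 4MB
    while read -r off enc; do
        [ -n "$off" ] || continue
        set -- "$@" "$off" "$enc"
    done
    esptool.py "$@"
}

main() {
    # Encrypt first and capture the list, so a size failure stops everything
    # before a single byte reaches the board.
    pairs=$(encrypt_all)
    printf '%s\n' "$pairs" | flash_all
}

# With FLASH_PORT unset the script only defines functions (safe to source).
if [ -n "$FLASH_PORT" ]; then
    main
fi
```

Run it from the project root as FLASH_PORT=COM3 sh flash_secure.sh; with FLASH_PORT unset nothing is encrypted or flashed, which is what lets the size check be exercised on its own.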