Correct sequence to apply encrypted flash and secure boot v2
Posted: Fri Jan 21, 2022 10:45 am
Using an ESP32C3 and esp-idf 4.4-rc1 I am applying encrypted flash and secure boot v2 (all in "dev mode" for now). Eventually I'm able to get it all working, but I seem to have to repeat the same steps multiple times and cut power to the device between steps to get it to work. Should these steps work:
- Start with a new device
- menuconfig used to enable encrypted flash in dev mode and secure boot with SECURE_BOOT_INSECURE enabled
- idf.py fullclean build flash
- espsecure.py generate_flash_encryption_key {bin_file}
- espefuse.py --chip esp32c3 --port {port} burn_key BLOCK_KEY0 {bin_file} XTS_AES_128_KEY
- espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY1 pk1.pem SECURE_BOOT_DIGEST0
- espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY2 pk2.pem SECURE_BOOT_DIGEST1
- espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY3 pk3.pem SECURE_BOOT_DIGEST2
- esptool.py --chip esp32c3 --port={port} --baud=57600 --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 {signed_bl}
invalid header: 0x01dd68cb
After trying many things... what got it working was the following sequence:
- cut power
- add power with EN and IO9 held low then release EN to start in upload mode
- espefuse.py --chip esp32c3 -p {port} --baud 57600 burn_bit BLOCK0 116 (was already burned, and does nothing...I think)
- esptool.py --chip esp32c3 -p={port} -b 57600 --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 {signed_bl}
Do I need to apply encrypted flash and secure boot in stages? For example, enable encrypted flash, apply the changes, restart. Then enable secure boot and apply those changes?
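The "invalid header: 0x01dd68cb" line in the post is the ESP32 ROM reporting the first 32-bit word it read at the bootloader offset after failing to find the image magic byte 0xE9 in its low byte; 0x01dd68cb has 0xcb there, so the ROM was reading bytes it could not interpret, which is what a plaintext/encrypted mismatch between the image written at 0x0 and the flash-encryption efuse state looks like. The following is an added example, not code from the post or from Espressif, that decodes the public ESP32-family image header format (as documented for esptool) so an image can be inspected before flashing and its flash mode/size/frequency compared with the esptool arguments used. The sample header bytes and the entry address are constructed values; the chip-id table covers only a few chips.

```python
import struct

# Added example, not from the forum post. Decodes the ESP32-family image
# header so the ROM's "invalid header: 0x...." line can be related to the
# bytes actually sitting at flash offset 0x0. Constants follow the public
# esptool image format (magic byte 0xE9, flash mode/size/freq nibbles).
ESP_IMAGE_MAGIC = 0xE9
CHIP_IDS = {0: "ESP32", 2: "ESP32-S2", 5: "ESP32-C3", 9: "ESP32-S3"}
FLASH_MODES = {0: "qio", 1: "qout", 2: "dio", 3: "dout"}
FLASH_SIZES = {0: "1MB", 1: "2MB", 2: "4MB", 3: "8MB", 4: "16MB"}
FLASH_FREQS = {0: "40m", 1: "26m", 2: "20m", 0xF: "80m"}
HEADER_LEN = 24  # 8-byte common header + 16-byte extended header


def first_word(data: bytes) -> int:
    """The little-endian 32-bit word the ROM prints in 'invalid header: 0x....'."""
    return struct.unpack_from("<I", data, 0)[0]


def parse_image_header(data: bytes) -> dict:
    """Decode a plaintext ESP image header; raise ValueError with a ROM-style message otherwise."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(data)}")
    magic, seg_count, mode, size_freq, entry = struct.unpack_from("<BBBBI", data, 0)
    if magic != ESP_IMAGE_MAGIC:
        # Same wording the ROM uses: it shows the whole first word, not just the magic byte.
        raise ValueError(f"invalid header: 0x{first_word(data):08x}")
    # Extended header: wp_pin(1) spi_pin_drv(3) chip_id(2) min_chip_rev(1) reserved(8) hash_appended(1)
    chip_id, min_rev = struct.unpack_from("<HB", data, 12)
    return {
        "segments": seg_count,
        "flash_mode": FLASH_MODES.get(mode, f"unknown({mode})"),
        "flash_size": FLASH_SIZES.get(size_freq >> 4, f"unknown({size_freq >> 4})"),
        "flash_freq": FLASH_FREQS.get(size_freq & 0xF, f"unknown({size_freq & 0xF})"),
        "entry": entry,
        "chip": CHIP_IDS.get(chip_id, f"unknown({chip_id})"),
        "min_chip_rev": min_rev,
        "hash_appended": bool(data[23]),
    }


def header_status(data: bytes) -> str:
    """'ok' for a plaintext ESP image header, otherwise the error text."""
    try:
        parse_image_header(data)
        return "ok"
    except ValueError as exc:
        return str(exc)


def matches_flash_args(info: dict, mode: str, freq: str, size: str) -> bool:
    """Compare a decoded header with the --flash_mode/--flash_freq/--flash_size passed to esptool.

    Matters once flash encryption is on: esptool cannot patch the header of an
    image it cannot read, so the build settings must already agree with the flash."""
    return (info["flash_mode"], info["flash_freq"], info["flash_size"]) == (mode, freq, size)


def build_sample_header(chip_id=5, mode=2, size=2, freq=0xF, entry=0x40380000) -> bytes:
    """Constructed plaintext header: ESP32-C3 (chip id 5), dio, 4MB, 80m. Sample values, not a real build."""
    common = struct.pack("<BBBBI", ESP_IMAGE_MAGIC, 3, mode, (size << 4) | freq, entry)
    extended = struct.pack("<BBBBHB", 0xEE, 0, 0, 0, chip_id, 0) + bytes(8) + bytes([1])
    return common + extended


# Constructed inputs: a good header, and the word from the post's error line
# (0x01dd68cb) placed at offset 0 the way the ROM would have read it.
PLAINTEXT_HEADER = build_sample_header()
GARBAGE_HEADER = struct.pack("<I", 0x01DD68CB) + bytes(HEADER_LEN - 4)

if __name__ == "__main__":
    print(header_status(PLAINTEXT_HEADER), parse_image_header(PLAINTEXT_HEADER))
    print(header_status(GARBAGE_HEADER))
```

To use it on a real build, read the first 24 bytes of the bootloader .bin produced by idf.py and pass them to parse_image_header; a plaintext image decodes, while an image that has already been encrypted with espsecure.py (or flash contents read back from an encrypted device) yields the same kind of "invalid header" message the ROM printed.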