Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match
Posted: Mon Feb 14, 2022 3:35 pm
Hi,
I have made a config/partition table and some scripts to use Security (Encryption and Secure Boot V2) in a production environment.
My scripts do activate the features on a devkit, but on our own board, Secure Boot cannot be activated.
I have my config in attachment, as well as the partition table.
This is the error log:
ets Jul 29 2019 12:21:46
rst:0x1 (POWERON_RESET),boot:0x1e (SPets Jul 29 2019 12:21:46
rst:0x1 (POWERON_RESET),boot:0x1e (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0038,len:10140
ho 0 tail 12 room 4
load:0x40078000,len:22792
ho 0 tail 12 room 4
load:0x40080400,len:3464
0x40080400: _init at ??:?
entry 0x40080640
I (31) boot: ESP-IDF v4.4 2nd stage bootloader
I (31) boot: compile time 14:43:01
I (31) boot: chip revision: 3
I (31) boot.esp32: SPI Speed : 40MHz
I (35) boot.esp32: SPI Mode : DIO
I (38) boot.esp32: SPI Flash Size : 4MB
I (42) boot: Enabling RNG early entropy source...
I (46) boot: Partition Table:
I (49) boot: ## Label Usage Type ST Offset Length
I (55) boot: 0 nvs_key NVS keys 01 04 00011000 00001000
I (62) boot: 1 nvs WiFi data 01 02 00012000 00020000
I (68) boot: 2 otadata OTA data 01 00 00032000 00002000
I (75) boot: 3 phy_init RF data 01 01 00034000 00001000
I (81) boot: 4 coredump Unknown data 01 03 00035000 00020000
I (88) boot: 5 ota_0 OTA app 00 10 00060000 001a0000
I (94) boot: 6 ota_1 OTA app 00 11 00210000 001a0000
I (101) boot: End of partition table
I (104) boot: No factory image, trying OTA 0
I (108) esp_image: segment 0: paddr=00060020 vaddr=3f400020 size=0db6ch ( 56172) map
I (136) esp_image: segment 1: paddr=0006db94 vaddr=3ffb0000 size=01570h ( 5488) load
I (138) esp_image: segment 2: paddr=0006f10c vaddr=40080000 size=00f0ch ( 3852) load
I (141) esp_image: segment 3: paddr=00070020 vaddr=400d0020 size=6b1c0h (438720) map
I (304) esp_image: segment 4: paddr=000db1e8 vaddr=40080f0c size=0ae44h ( 44612) load
I (323) esp_image: segment 5: paddr=000e6034 vaddr=50000000 size=00010h ( 16) load
I (323) esp_image: segment 6: paddr=000e604c vaddr=00000000 size=09f84h ( 40836)
I (341) esp_image: Verifying image signature...
I (342) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (343) secure_boot_v2: Verifying with RSA-PSS...
I (351) secure_boot_v2: Signature verified successfully!
I (357) boot: Loaded app from partition at offset 0x60000
I (414) boot: Set actual ota_seq=1 in otadata[0]
I (414) secure_boot_v2: enabling secure boot v2...
I (414) efuse: Batch mode of writing fields is enabled
I (417) esp_image: segment 0: paddr=00001020 vaddr=3fff0038 size=0279ch ( 10140)
I (427) esp_image: segment 1: paddr=000037c4 vaddr=40078000 size=05908h ( 22792)
I (439) esp_image: segment 2: paddr=000090d4 vaddr=40080400 size=00d88h ( 3464)
I (441) esp_image: Verifying image signature...
I (443) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (451) secure_boot_v2: Verifying with RSA-PSS...
Sig block 0 invalid: Image digest does not match
E (459) secure_boot_v2: Secure Boot V2 verification failed.
E (465) esp_image: Secure boot signature verification failed
I (470) esp_image: Calculating simple hash to check for corruption...
E (486) esp_image: Image hash failed - image is corrupt
W (486) esp_image: image corrupted on flash
E (486) secure_boot_v2: bootloader image appears invalid! error 8194
I (491) efuse: Batch mode of writing fields is cancelled
E (496) boot: Secure Boot v2 failed (8194)
E (500) boot: OTA app partition slot 0 is not bootable
I (505) esp_image: segment 0: paddr=00210020 vaddr=3f400020 size=0db6ch ( 56172) map
I (532) esp_image: segment 1: paddr=0021db94 vaddr=3ffb0000 size=01570h ( 5488) load
I (535) esp_image: segment 2: paddr=0021f10c vaddr=40080000 size=00f0ch ( 3852) load
I (538) esp_image: segment 3: paddr=00220020 vaddr=400d0020 size=6b1c0h (438720) map
I (701) esp_image: segment 4: paddr=0028b1e8 vaddr=40080f0c size=0ae44h ( 44612) load
I (719) esp_image: segment 5: paddr=00296034 vaddr=50000000 size=00010h ( 16) load
I (720) esp_image: segment 6: paddr=0029604c vaddr=00000000 size=09f84h ( 40836)
I (738) esp_image: Verifying image signature...
I (738) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (739) secure_boot_v2: Verifying with RSA-PSS...
I (747) secure_boot_v2: Signature verified successfully!
I (754) boot: Loaded app from partition at offset 0x210000
I (807) boot: Set actual ota_seq=2 in otadata[0]
I (807) secure_boot_v2: enabling secure boot v2...
I (807) efuse: Batch mode of writing fields is enabled
I (809) esp_image: segment 0: paddr=00001020 vaddr=3fff0038 size=0279ch ( 10140)
I (820) esp_image: segment 1: paddr=000037c4 vaddr=40078000 size=05908h ( 22792)
I (832) esp_image: segment 2: paddr=000090d4 vaddr=40080400 size=00d88h ( 3464)
I (834) esp_image: Verifying image signature...
I (836) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (844) secure_boot_v2: Verifying with RSA-PSS...
Sig block 0 invalid: Image digest does not match
E (852) secure_boot_v2: Secure Boot V2 verification failed.
E (857) esp_image: Secure boot signature verification failed
I (863) esp_image: Calculating simple hash to check for corruption...
E (879) esp_image: Image hash failed - image is corrupt
W (879) esp_image: image corrupted on flash
E (879) secure_boot_v2: bootloader image appears invalid! error 8194
I (884) efuse: Batch mode of writing fields is cancelled
E (889) boot: Secure Boot v2 failed (8194)
E (893) boot: OTA app partition slot 1 is not bootable
E (898) boot: No bootable app partitions in the partition table
I have my scripts (renamed to .txt, as they can't be uploaded otherwise), which are to be executed in the order:
1 build
2 nvs
3 flash
And they perform:
1 run `idf.py build` in a clean directory
2 generate an encrypted nvs.bin binary blob and corresponding encryption key
3 flash all binaries
The most important fuses (secure boot digest and flash encryption keys) are generated on chip when the bootloader runs for the first time. Some fuses are still untouched; they will be burned in the last step via `espefuse.py` (in another script).
The above does work correctly on a devkit (8MB flash), yet does not on our own board (4MB flash).
What can be the issue here?
Thanks in advance.
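A small triage helper for the log in this post, added here as an example (it is not part of the original post or of ESP-IDF): it groups the bootloader's verification messages by the image they refer to and checks the printed partition table against the reported flash size. The function names are hypothetical, and the 0x20 offset of segment 0 is read off the log itself (the app at 0x60000 reports segment 0 at 0x60020).

```python
import re

# Lines taken from the log in the post, trimmed to the relevant ones.
LOG = """\
I (42) boot.esp32: SPI Flash Size : 4MB
I (88) boot: 5 ota_0 OTA app 00 10 00060000 001a0000
I (94) boot: 6 ota_1 OTA app 00 11 00210000 001a0000
I (108) esp_image: segment 0: paddr=00060020 vaddr=3f400020 size=0db6ch ( 56172) map
I (341) esp_image: Verifying image signature...
I (351) secure_boot_v2: Signature verified successfully!
I (417) esp_image: segment 0: paddr=00001020 vaddr=3fff0038 size=0279ch ( 10140)
I (441) esp_image: Verifying image signature...
Sig block 0 invalid: Image digest does not match
E (465) esp_image: Secure boot signature verification failed
E (486) esp_image: Image hash failed - image is corrupt
"""

def image_results(log):
    """One record per image parsed: flash offset, signature result, plain-hash result."""
    images = []
    for line in log.splitlines():
        seg0 = re.search(r"segment 0: paddr=([0-9a-f]{8})", line)
        if seg0:
            # Segment 0 data sits 0x20 bytes into the image (assumption taken from the log).
            images.append({"offset": int(seg0.group(1), 16) - 0x20,
                           "signature": None, "hash": None})
        elif not images:
            continue
        elif "Signature verified successfully" in line:
            images[-1]["signature"] = "ok"
        elif "signature verification failed" in line:
            images[-1]["signature"] = "failed"
        elif "Image hash failed" in line:
            images[-1]["hash"] = "failed"
    return images

def partitions_past_flash_end(log):
    """Names of partitions whose offset + length exceeds the flash size the bootloader printed."""
    size = int(re.search(r"SPI Flash Size\s*:\s*(\d+)MB", log).group(1)) * 1024 * 1024
    rows = re.findall(r"boot:\s+\d+\s+(\S+).*\s([0-9a-f]{8})\s+([0-9a-f]{8})\s*$", log, re.M)
    return [name for name, off, length in rows if int(off, 16) + int(length, 16) > size]

if __name__ == "__main__":
    for img in image_results(LOG):
        print(f"image @ {img['offset']:#x}: signature={img['signature']} hash={img['hash']}")
    print("partitions past end of flash:", partitions_past_flash_end(LOG))
```

On this log it shows the app at 0x60000 verifying, while the bootloader image read back from 0x1000 fails both the signature digest check and the plain hash check, and no partition extends past the reported 4MB.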