Page 1 of 1

Does Partition.bin also need to be signed when using SecureBoot V2

Posted: Thu Feb 17, 2022 12:32 pm
by gb.123
Hi !

I was wondering if Partition.bin(or Partition-table.bin) also needs to be signed when using SecureBoot V2. Signing is done seperately using espsecure.py sign_data command.

Does Partition.bin(or Partition-table.bin) need to be signed or is ot supposed to be burnt unsigned ?

Thanks for the help!

Re: Does Partition.bin also need to be signed when using SecureBoot V2

Posted: Thu Feb 17, 2022 3:46 pm
by ESP_Mahavir
Bootloader does not check signature for partition table in either of secure boot v1 or v2 scheme. However for secure boot v1 scheme, build system does add signature to partition table binary for backward compatibility purpose. For secure boot v2, partition table binary is kept as is, ref: https://github.com/espressif/esp-idf/bl ... t#L98-L102

So you may flash partition table binary without appending signature.

Re: Does Partition.bin also need to be signed when using SecureBoot V2

Posted: Thu Feb 17, 2022 5:04 pm
by gb.123
Thanks so much !

Re: Does Partition.bin also need to be signed when using SecureBoot V2

Posted: Thu Mar 16, 2023 2:35 pm
by EmilenL
What is the rationale behind not signing the partition table? Seems like a good idea to sign it and verify it at boot, to avoid any kind of
unauthorized modification.

Re: Does Partition.bin also need to be signed when using SecureBoot V2

Posted: Mon Mar 20, 2023 6:58 am
by ESP_Mahavir
What is the rationale behind not signing the partition table?
Primary reason was to speed up the bootup time with secure boot enabled case. Additionally, alteration to partition table with flash encryption enabled case is difficult, because the contents (along with integrity check) are encrypted on the flash. Here is a prior discussion on this topic: https://github.com/espressif/esp-idf/issues/1641