ESP32 Forum

ESP32 Official Forum
http://forum.esp32.com/

Esp delta ota + Secure Boot + Flash Encryption

http://forum.esp32.com/viewtopic.php?f=13&t=40807

Page 1 of 1

Esp delta ota + Secure Boot + Flash Encryption

Posted: Tue Jul 09, 2024 9:22 pm
by renansoares
Hello everyone!

Recently, I came across the ESP Delta OTA Library and found it very interesting and useful for some projects I work on. Currently, the OTA update process is quite costly because we use mobile networks to download binaries, most of which exceed 1MB. Some projects have the limitation of having only a few megabytes available for internet use.

The problem faced is that these projects use Secure Boot and Flash Encryption. In my tests with Delta OTA, I simply cannot get a signed patch to work with Secure Boot. My question is whether this would be possible?

I have not yet tested with equipment running only Flash Encryption implemented, but I need to first resolve the issue with Secure Boot.

Looking forward to some guidance!

Re: Esp delta ota + Secure Boot + Flash Encryption

Posted: Thu Jul 18, 2024 8:57 am
by hmalpani
Hello
Good to know that you are using ESP Delta OTA component. Can you please describe the workflow you are using to create the patch files when secure boot is also enabled.

Re: Esp delta ota + Secure Boot + Flash Encryption

Posted: Fri Jul 19, 2024 10:18 am
by brocliath
I am also very interested in using the Delta OTA option with Secure Boot and Flash Encryption.

Re: Esp delta ota + Secure Boot + Flash Encryption

Posted: Mon Jul 22, 2024 5:26 pm
by renansoares
Sorry for the delay in responding. I did some tests with Delta OTA and realized that it was generating the patch with the wrong binaries. In the end, I managed to make it work in a project with Secure Boot and Flash Encryption.

Some things I did:
In menuconfig, I changed these parameters:
  • APP_REPRODUCIBLE_BUILD // ENABLE THIS OPTION
  • CONFIG_APP_COMPILE_TIME_DATE // DISABLE THIS OPTION
These changes in menuconfig were to be able to create a patch by reverting the versions;
(To use with Secure Boot): The binaries used to generate the patch must be signed beforehand.

An example update flow to facilitate understanding:

Code: Select all

mkdir -p ota/versions/ ota/patches/

// Considering version 0 as the first BASE
cp release_build/sign/main.bin ota/versions/0.bin

// Modified the code and generated version 1:
cp release_build/sign/main.bin ota/versions/1.bin

// Modified again and generated version 2:
cp release_build/sign/main.bin ota/versions/2.bin
Now I generate a patcher between version 0 (base) and 1:

Code: Select all

cd ota && python esp_delta_ota_patch_gen.py --chip esp32s3 --base_binary versions/0.bin --new_binary versions/1.bin --patch_file_name patches/patch_base_to_new.bin && cd ..
// And I use this patcher (patch_base_to_new.bin) to perform the update;
Now I generate a patcher between version 1 (base) and 2:

Code: Select all

cd ota && python esp_delta_ota_patch_gen.py --chip esp32s3 --base_binary versions/1.bin --new_binary versions/2.bin --patch_file_name patches/patch_base_to_new_1.bin && cd ..
// And I use this patcher (patch_base_to_new_1.bin) to perform the update;
And finally, for testing purposes, I reverted to version 0:

Code: Select all

cd ota && python esp_delta_ota_patch_gen.py --chip esp32s3 --base_binary versions/2.bin --new_binary versions/0.bin --patch_file_name patches/patch_base_to_new_2.bin && cd ..
// And I use this patcher (patch_base_to_new_2.bin) to perform the update, creating the patch between version 2 (base) and 0, making it revert;
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/