ESP32S2 secure boot and flash encryption using menuconfig
Posted: Mon May 31, 2021 7:17 am
Hello,
I am trying to get flash encryption and secure boot working on the esp32s2. I have a few doubts regarding this.
I individually tested secure boot and flash encryption. Both were working. I would like to test enabling both together. Before I do that, I have a few questions to ask based on the individual testing.
Question on secure boot:-
I generated three keys and burned them using espefuse.py. I could manually sign the bootloader with three keys and the app with one key, flash them into the esp32s2 chip, and it worked. I had to use the esptool.py file to write the bootloader, app and other information into the chip.
When I use idf.py menuconfig, it accepts only one key. In the documentation of esp32s2 secure boot https://docs.espressif.com/projects/esp ... ot-v2.html, under the section How To Enable Secure Boot V2, point number 3, it is mentioned to specify the number of keys, but in menuconfig there is no provision for it. Am I missing something?
If I provide 1 pem file directly to menuconfig, it accepts it and signs the bootloader, but if I provide three keys (along with path) with a space between them, it throws a file not found error during the build process. Is there a way to provide three keys in menuconfig without getting an error?
Questions on flash encryption:-
I was able to achieve flash encryption using menuconfig. Is there a way to manually perform flash encryption? Is it sufficient to write the keys into the respective blocks, and burn and write protect the DIS_DOWNLOAD_MANUAL_ENCRYPT and SPI_BOOT_CRYPT_CNT key? Or is there any other extra setting which has to be done for manual flash encryption?
The reason for manual flash encryption is that I want to pre-encrypt the firmware which is being transferred over OTA, so I would like to generate the flash encryption key separately.
Questions on bootloader size
Till now I haven't merged secure boot with flash encryption, so the partition offset at 0x8000 was not an issue. Now that I am trying to enable both, the document mentions to increase the partition offset, enable bootloader optimization on size and change log verbosity to warning. Since it is in the testing phase I don't want to touch the verbosity, but I can set the optimization and partition.
I am currently using the default factory app and two OTA partition table. If I change the partition offset, do I have to change this to a custom partition table?
I'm using esp-idf 4.2.1.