Page 1 of 1

Not able to enable Secure Boot

Posted: Mon Aug 14, 2017 12:41 pm
by arvindshes
Am getting the below error while enabling secure boot in reflashable mode.

I (500) esp_image: !@simple hash: 075071f3
I (515) esp_image: !@Calculated secure boot hash: ec7257cb
W (534) esp_image: start_addr: 0x1000
W (547) esp_image: image_len: 0x7bd0
E (560) secure_boot: image has invalid signature version field 0xffffffff
E (583) esp_image: Secure boot signature verification failed

I (603) esp_image: Calculating simple hash to check for corruption...
I (647) esp_image: !@Calculated hash: 075071f3
W (648) esp_image: image valid, signature bad

Re: Not able to enable Secure Boot

Posted: Tue Aug 15, 2017 1:28 am
by ESP_Angus
Thanks for posting this issue. Are you using the current IDF master branch (V3.0-dev)? We're investigating a similar issue there.

Re: Not able to enable Secure Boot

Posted: Sat Aug 26, 2017 5:12 pm
by d.cook
I've gotten the same error while using one-time-flash secure boot as well. I was going to post a separate thread about it until I saw this in a search.

My output:

Code: Select all

I (785) boot: Checking secure boot...
I (825) esp_image: segment 0: paddr=0x00001020 vaddr=0x3fff0010 size=0x00004 (     4) 
I (905) esp_image: segment 1: paddr=0x0000102c vaddr=0x3fff0014 size=0x01ca8 (  7336) 
I (993) esp_image: segment 2: paddr=0x00002cdc vaddr=0x40078000 size=0x00000 (     0) 
I (1063) esp_image: segment 3: paddr=0x00002ce4 vaddr=0x40078000 size=0x04994 ( 18836) 
E (1167) secure_boot: image has invalid signature version field 0xffffffff
E (1213) esp_image: Secure boot signature verification failed
I (1272) esp_image: Calculating simple hash to check for corruption...
W (1365) esp_image: image valid, signature bad
E (1386) secure_boot: bootloader image appears invalid! error 8194
E (1449) boot: Bootloader digest generation failed (8194). SECURE BOOT IS NOT ENABLED.
I'm not sure if it's related, but when I enable encryption along with secure boot the issue seems to change, where I then get

Code: Select all

I (47) boot: ESP-IDF v2.0-rc1-1324-g93d228bf-dirty 2nd stage bootloader
I (47) boot: compile time 13:59:35
I (58) boot: Enabling RNG early entropy source...
I (107) boot: SPI Speed      : 80MHz
I (147) boot: SPI Mode       : DIO
I (184) boot: SPI Flash Size : 4MB
E (222) flash_parts: partition 0 invalid magic number 0x8282
E (280) boot: Failed to verify partition table
E (328) boot: load partition table error!
user code done

I am using IDF 2.1.

Re: Not able to enable Secure Boot

Posted: Sun Aug 27, 2017 11:32 pm
by ESP_Angus
Hi Daniel,

Thanks for letting us know about this:
d.cook wrote:

Code: Select all

E (1167) secure_boot: image has invalid signature version field 0xffffffff
E (1213) esp_image: Secure boot signature verification failed
This error matches the bug in the current V3.0-dev master branch. A fix should be available in the next couple of days.

However, I noticed you said you are using V2.1. The code which produces this log message (and the related regression) are not in V2.1, they were introduced after we branched for V3.0. The commit hash in the bootloader log you posted is "v2.0-rc1-1324-g93d228bf-dirty" which suggests maybe some hybrid version of IDF. Can you please check and clarify?
E (222) flash_parts: partition 0 invalid magic number 0x8282
E (280) boot: Failed to verify partition table
E (328) boot: load partition table error!
user code done
This error suggests that either encryption is enabled in efuse and the partition table wasn't correctly encrypted on flash (this can happen if, for example, the initial encrypt-in-place pass is interrupted by a power cycle or a reset), or it can suggest that encryption is not enabled in efuse but the partition table was already encrypted in place (in preparation for encryption to be enabled), before something went wrong.

The second is the most likely explanation I think, but to verify you can run "espefuse.py summary" and look at the value of the FLASH_CRYPT_CNT efuse. If it's still zero (encryption never enabled) then you can erase the flash and re-flash with plaintext data.

Re: Not able to enable Secure Boot

Posted: Tue Sep 12, 2017 6:56 pm
by d.cook
Thanks Angus, I'm just getting back around to looking into this again. I've updated the IDF to the latest---I'll report back with the results.

I double-checked the IDF version. I did have the latest version in my last post, however we have a fork of the IDF for integration with our internal build tools. When syncing with upstream I wasn't fetching the tags, so the git describe command to pull the IDF version was seeing the latest tag as only being 2.0. Ours probably isn't a common use case, but is there a more reliable way to build the IDF version string than relying on tags?

Re: Not able to enable Secure Boot

Posted: Tue Sep 12, 2017 7:22 pm
by d.cook
I may have some idea why I'm getting the 'invalid magic number' in the partition table.

When compiling the bootloader with secure boot enabled, the resulting binary is 30KB. However, the default offsets for the bootloader (0x1000) and the partition table (0x8000) only leaves ~28KB for the bootloader binary.

If you try and flash them all at once, you get an error about them overlapping. However, the default behaviour from esptool is that the bootloader is flashed separately when secure boot is enabled, thereby overwriting the partition table.

The remaining question is why the bootloader is becoming so large with secure boot enabled.

Re: Not able to enable Secure Boot

Posted: Wed Sep 13, 2017 12:33 am
by ESP_Angus
Hi Daniel,
d.cook wrote: I double-checked the IDF version. I did have the latest version in my last post, however we have a fork of the IDF for integration with our internal build tools. When syncing with upstream I wasn't fetching the tags, so the git describe command to pull the IDF version was seeing the latest tag as only being 2.0. Ours probably isn't a common use case, but is there a more reliable way to build the IDF version string than relying on tags?
We don't right now, although there are many more newer tags on our esp-idf master branch:
https://github.com/espressif/esp-idf/tags
(The current tag being v3.0-dev as this is the development version that master is working towards.)

You may need to review the merge strategy for your fork, to make it easier for you track the upstream. If there are any additional hooks in ESP-IDF that would make it easier to integrate with the tools you have without needing them to be part of the IDF tree itself (so you could have ESP-IDF as a submodule by itself, for example), then please let us know and we'll see if we can add support.
d.cook wrote:I may have some idea why I'm getting the 'invalid magic number' in the partition table.

When compiling the bootloader with secure boot enabled, the resulting binary is 30KB. However, the default offsets for the bootloader (0x1000) and the partition table (0x8000) only leaves ~28KB for the bootloader binary.

If you try and flash them all at once, you get an error about them overlapping. However, the default behaviour from esptool is that the bootloader is flashed separately when secure boot is enabled, thereby overwriting the partition table.

The remaining question is why the bootloader is becoming so large with secure boot enabled.
Yes, sorry for that. We're tracking both these issues (the lack of a proper error message when the bootloader grows too big, and the bootloader growing so big ion the first place.) But we don't have fixes right now.

Extra code is compiled into the bootloader when secure boot (and/or flash encryption) are turned on in menuconfig, and it can get too big. We've only ever seen this happen when the bootloader log level is set to "Debug" or higher. If you turn it back down then the bootloader should shrink.

We're working towards a proper fix for this.