[Solved] Secure boot signature verification failed

[ESP_Mahavir]

Hi,

Could you please elaborate on what issue you discovered in the signing tool here?

[RuslanPopov]

Your utility can not resign the application binary!

[ESP_Mahavir]

I am still not quite clear on what you mean by the resign here?

So here is my analysis based on the information you shared so far:

1. Device has secure boot (v2) and flash encryption enabled as per EFuse settings
2. Secure signing is done on the image and then its further pre-encrypted before hosting on the OTA server
3. On device side, first pre-encrypted layer would be removed from the OTA stream for the firmware and then it would be written in the encrypted manner (using platform flash encryption) on the flash
4. Finally there would be secure verification of the firmware before it can be made as "active" partition

So far, this all looks correct. If the firmware is signed using correct key then I see no problem why its signature verification would fail. Maybe you could explain a bit more about "resign" issue here. Thank you.

[RuslanPopov]

Build signed application, decide this application as base application. Then it is needed to have an application signed for particular device using the device's key. Make sign_data process, no errors. At the end of OTA the device can not verify the signature.

Build signed application from scratch using the device's key. At the end of OTA the device verifies the signature successfully.

Decision: The espsecure utility can not correctly remove and sign the application.

[RuslanPopov]

Also, I have the following configuration:

Code: Select all

grep SIGN configurations/sdkconfig-latch-sim800
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
# CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
# CONFIG_SECURE_BOOT_SIGNING_KEY="keys/current/signing_key_v2.pem"
# CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN is not set

So, the signing application on build is disabled. But if I use docker image of espressif/idf with this configuration (I don't use `idf.py reconfigure` there), these signature settings become enabled and I have no ability to build non-signed application.

It there a fast solution?

[ESP_Mahavir]

Aha, I understood the problem.

Simple solution could be to use `build/<project>-unsigned.bin` file for the manual signing purpose (instead of `project.bin`)

Alternatively with docker based approach you could add `sdkconfig.defaults` file to the project with the line `CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n` and then build the project using instructions supplied at https://docs.espressif.com/projects/esp ... with-cmake

From the tools perspective, this is not a bug as the signing part does not really care about the image format as such, it just signs the contents and creates a signature block.

Hope this helps!

[RuslanPopov]

Thanks. All works fine!