Issue with Secure Boot v1 in ESP-IDF

vkp2808
Posts: 2
Joined: Mon Nov 15, 2021 5:26 am

Issue with Secure Boot v1 in ESP-IDF

Postby vkp2808 » Wed Jul 17, 2024 10:07 am

I've encountered an issue while attempting to secure my bootloader using Secure Boot v1 in ESP-IDF. Unfortunately, I'm consistently receiving an error message stating "secure boot check fail."I have reviewed the setup and followed the documentation closely, but I haven't been successful in resolving this issue independently.

Process I followed:

1.idf.py menuconfig
- set secureboot with reflashabale bootloader.
- bootloader config->bootloader log verbosity(error).
- partition-table offset (0x10000)

2. genrated secure_boot_key using espsecue.py and given this name to secure boot key in
menuconfig.

3. Generated public key.

4. idf.py build.

5. espefuse.py burn_key secure_boot D:/ESP32_Projects/blink/build/bootloader/secure-
bootloader-key-256.bin.

6. Burn efuse of secureboot
- espefuse -p COM4 burn_efuse ABS_DONE_0.

7. esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB -u 0x1000 D:/ESP32_Projects/blink/build/bootloader/bootloader.bin.

8. esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB -u 0x0 D:/ESP32_Projects/blink/build/bootloader/bootloader-reflash-digest.bin.

I've followed the steps mentioned earlier, but I'm encountering an error that says "secure boot check fail," and my controller keeps restarting repeatedly. Could you please help me troubleshoot and fix this issue?

ESP_harshal
Posts: 24
Joined: Wed Jul 06, 2022 8:36 am

Re: Issue with Secure Boot v1 in ESP-IDF

Postby ESP_harshal » Mon Jul 22, 2024 9:06 am

Hello @vkp2808,

I tried using the v5.2.2 tag of ESP-IDF but I was unable to recreate the issue.
Using which ESP-IDF release are you facing the issue?

You could also try out secure boot using QEMU (emulator) to "conserve" your testing devkits:

1. Build your firmware
2. Merge the binaries using:

Code: Select all

(cd build; esptool.py --chip esp32 merge_bin --fill-flash-size 2MB -o flash_image.bin @flash_args)
3. Create an empty efuses file using:

Code: Select all

dd if=/dev/zero bs=1 count=124 of=qemu_efuse.bin
4. In a new terminal with ESP-IDF environment enabled, run QEMU in download mode using:

Code: Select all

qemu-system-xtensa -nographic -drive file=build/flash_image.bin,if=mtd,format=raw -machine esp32 -global driver=esp32.gpio,property=strap_mode,value=0x0f -drive file=qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -serial tcp::5555,server,nowait
5. Flash bootloader and bootloader-reflash-digest:

Code: Select all

esptool.py -p $ESPPORT --no-stub --before=no_reset write_flash 0x0 build/bootloader/bootloader-reflash-digest.bin
esptool.py -p $ESPPORT --no-stub --before=no_reset write_flash 0x1000 build/bootloader/bootloader.bin
6. Burn the relevant efuses using:

Code: Select all

espefuse.py -p $ESPPORT --before=no_reset burn_efuse ABS_DONE_0
espefuse.py -p $ESPPORT --before=no_reset burn_key secure_boot_v1 build/bootloader/secure-bootloader-key-256.bin
7. Quit the QEMU download mode instance typing "quit"
8. Run QEMU in the boot mode to boot ESP32:

Code: Select all

qemu-system-xtensa -nographic -machine esp32 -drive file=qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -drive file=build/flash_image.bin,if=mtd,format=raw -global driver=timer.esp32.timg,property=wdt_disable,value=true
You should now be able to see the firmware running.

Who is online

Users browsing this forum: No registered users and 137 guests