Hello everyone,
I have a general question regarding USB-OTG and Secure Boot V2 on esp32s3.
So according to espressif documentation: enabling the Secure Boot disables the USB-OTG Stack in the ROM.
So my question: will the USB-OTG Stack be disable temporary and only during the validation of the signature or will it be permanet disabled?
I mean, is any communication via USB-OTG after enabling SBV2 not possible anymore ? Or is it only not available only during the verification and validation process ?
So I did a simple example and tried to send a string "Hello" via USB and it has been sent. That means the USB-OTG is not disabled.
Screenshot:
USB-OTG and Secure Boot V2
USB-OTG and Secure Boot V2
Last edited by aygh4266 on Thu Aug 22, 2024 8:34 am, edited 2 times in total.
-
- Posts: 9766
- Joined: Thu Nov 26, 2015 4:08 am
Re: USB-OTG and Secure Boot V2
It will be disabled permanently. The issue is that the USB-OTG driver in ROM is a fairly large attack surface which we cannot patch, and we cannot guarantee there are no bugs in there.aygh4266 wrote: ↑Thu Aug 22, 2024 7:48 amSo my question: will the USB-OTG Stack be disable temporary and only during the validation of the signature or will it be permanet disabled?
I mean, is any communication via USB-OTG after enabling SBV2 not possible anymore ? Or is it only not available only during the verification and validation process ?
Do note that this may impact less than you may think. USB-OTG can still be used in an application (as it doesn't use the ROM driver), and by default on the S3, the bootloader uses USB-serial-JTAG and not USB-OTG on the USB pins.
Re: USB-OTG and Secure Boot V2
ESP_Sprite wrote: ↑Thu Aug 22, 2024 8:09 amIt will be disabled permanently. The issue is that the USB-OTG driver in ROM is a fairly large attack surface which we cannot patch, and we cannot guarantee there are no bugs in there.aygh4266 wrote: ↑Thu Aug 22, 2024 7:48 amSo my question: will the USB-OTG Stack be disable temporary and only during the validation of the signature or will it be permanet disabled?
I mean, is any communication via USB-OTG after enabling SBV2 not possible anymore ? Or is it only not available only during the verification and validation process ?
Do note that this may impact less than you may think. USB-OTG can still be used in an application (as it doesn't use the ROM driver), and by default on the S3, the bootloader uses USB-serial-JTAG and not USB-OTG on the USB pins.
First of all thank you very much for your quick reply. I tried to send a string "Hello" via USB using the tinyUSB stack and it worked. I attached a screenshot in my upper comment.
I also have read that by default, enabling Flash Encryption and/or Secure Boot will disable JTAG debugging. On first boot, the bootloader will burn an eFuse bit to permanently disable JTAG at the same time it enables the other features.
I am a little bit confused, how the USB-serial-JTAG can work after that ?
-
- Posts: 9766
- Joined: Thu Nov 26, 2015 4:08 am
Re: USB-OTG and Secure Boot V2
The JTAG bit will not work; you can try to connect to it but it won't see the CPU. The USB-to-serial bit will still function as a serial port.aygh4266 wrote: ↑Thu Aug 22, 2024 8:31 amI also have read that by default, enabling Flash Encryption and/or Secure Boot will disable JTAG debugging. On first boot, the bootloader will burn an eFuse bit to permanently disable JTAG at the same time it enables the other features.
I am a little bit confused, how the USB-serial-JTAG can work after that ?
Re: USB-OTG and Secure Boot V2
Ok thanks.ESP_Sprite wrote: ↑Thu Aug 22, 2024 11:47 pm
The JTAG bit will not work; you can try to connect to it but it won't see the CPU. The USB-to-serial bit will still function as a serial port.
But since the USB-OTG is disabled, I can communicate only with PC and send data over usb-serial.
Am I able to write data from esp32s3 to a smartphone or a usb-stick after enabling SBV2 ? I don't think I will be able to do this, since both of the devices must use USB-OTG and the esp32 must act as usb-host.
-
- Posts: 9766
- Joined: Thu Nov 26, 2015 4:08 am
Re: USB-OTG and Secure Boot V2
No, but you're not able to do that anyway without an app that does that for you as the bootloader does not do usb-host.
Who is online
Users browsing this forum: No registered users and 70 guests