Mixed Secure Boot v1 & v2

pctj101
Posts: 21
Joined: Wed Aug 23, 2017 3:20 pm

Mixed Secure Boot v1 & v2

Postby pctj101 » Sat Aug 08, 2020 6:03 pm

I have a number of deployed devices with Secure Boot V1 & OTA Updates.

I want to make some new devices and read that ESP32-ECO3 uses Secure Boot V2 (RSA).

1) Does ESP32-ECO3 NOT support the old v1 AES signing?
2) Can I send the same OTA update binary to both devices? Seems it might be hard since the signing looks different for S.B. v1 and v2. Do I need to manage these updates separately per ECO#?
3) Is there a "typical" way that people emit both the v1 and v2 signed binaries to cover each case during build?

Thanks! Just trying to prevent bricks!

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Mixed Secure Boot v1 & v2

Postby ESP_Angus » Mon Aug 10, 2020 3:21 am

Hi pctj,
pctj101 wrote: Sat Aug 08, 2020 6:03 pm
> 1) Does ESP32-ECO3 NOT support the old v1 AES signing?

ESP32 V3 supports both Secure Boot methods; you can configure this in the menuconfig for the project. The hardware Secure Boot V1 in V3 has more mitigations for fault injection compared to previous ESP32 revisions as well. However, we still recommend switching to Secure Boot V2 where possible.

pctj101 wrote: Sat Aug 08, 2020 6:03 pm
> 2) Can I send the same OTA update binary to both devices? Seems it might be hard since the signing looks different for S.B. v1 and v2. Do I need to manage these updates separately per ECO#?

I'm afraid the two Secure Boot methods and signature schemes are incompatible.

In fact, in ESP-IDF, Secure Boot V2 requires the firmware to be configured for minimum revision 3, so it won't boot on earlier revision chips at all.

There are two options:

1. Use Secure Boot V1 for everything and ship the same binary on all devices.
2. Treat the ESP32 V3 devices as a new product revision with a new set of OTA updates. (If you do this then there may be some other advantages to setting "minimum revision 3" depending on what other hardware you use - for example if using PSRAM then the toolchain workarounds used in earlier versions are disabled so performance will improve.)
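
An added illustration of option 2 (not part of the original posts and not Espressif code): an update-server check that keeps the Secure Boot V1 and V2 image tracks separate and refuses to hand a device an image it cannot boot. The device report fields and catalog layout are hypothetical and the sample images are constructed; the header offsets follow ESP-IDF's `esp_image_header_t`, where `min_chip_rev` is the byte at offset 14.

```python
import struct

ESP_IMAGE_MAGIC = 0xE9
HEADER_LEN = 24  # sizeof(esp_image_header_t)
# magic, segment_count, spi_mode, spi_speed/size, entry_addr,
# wp_pin, spi_pin_drv[3], chip_id, min_chip_rev  (15 bytes, then reserved)
HEADER_FMT = "<BBBBIB3sHB"

def parse_min_chip_rev(image: bytes) -> int:
    """Return the min_chip_rev field of an ESP32 application image."""
    if len(image) < HEADER_LEN or image[0] != ESP_IMAGE_MAGIC:
        raise ValueError("not an ESP32 application image")
    return struct.unpack_from(HEADER_FMT, image, 0)[-1]

def select_image(device: dict, catalog: dict) -> bytes:
    """Pick the OTA image for one device, or raise instead of serving a mismatch.

    device  -- hypothetical report: {"chip_rev": int, "secure_boot": "v1" | "v2"}
    catalog -- hypothetical store:  {"v1": image_bytes, "v2": image_bytes}
    """
    scheme = device["secure_boot"]
    if scheme not in catalog:
        raise LookupError(f"no image published for Secure Boot {scheme}")
    image = catalog[scheme]
    min_rev = parse_min_chip_rev(image)
    # The V2 track must be built with "minimum revision 3" (see the reply above).
    if scheme == "v2" and min_rev < 3:
        raise ValueError("V2 track image was not built for minimum revision 3")
    # Never ship an image whose minimum revision exceeds the device's chip.
    if device["chip_rev"] < min_rev:
        raise ValueError(
            f"image needs chip revision >= {min_rev}, device is {device['chip_rev']}")
    return image

def _sample_image(min_rev: int, tag: bytes) -> bytes:
    """Constructed test image: a valid-looking header followed by a tag."""
    hdr = struct.pack(HEADER_FMT, ESP_IMAGE_MAGIC, 1, 2, 0x20,
                      0x40080000, 0xEE, b"\x00" * 3, 0, min_rev)
    return hdr + bytes(HEADER_LEN - len(hdr)) + tag

# Constructed catalog: one image per signing scheme.
V1_IMAGE = _sample_image(0, b"signed-with-v1")
V2_IMAGE = _sample_image(3, b"signed-with-v2")
CATALOG = {"v1": V1_IMAGE, "v2": V2_IMAGE}

if __name__ == "__main__":
    for dev in ({"chip_rev": 1, "secure_boot": "v1"},
                {"chip_rev": 3, "secure_boot": "v2"}):
        print(dev, "->", select_image(dev, CATALOG)[HEADER_LEN:])
```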

pctj101
Posts: 21
Joined: Wed Aug 23, 2017 3:20 pm

Re: Mixed Secure Boot v1 & v2

Postby pctj101 » Sun Aug 16, 2020 3:38 pm

Solid reply. Thanks a bunch!
