"invalid header" error with Secure boot and flash encryption enabled

mamaheshwari
Posts: 10
Joined: Fri Oct 23, 2020 4:53 am

"invalid header" error with Secure boot and flash encryption enabled

Postby mamaheshwari » Wed Dec 23, 2020 5:53 am

Platform: ESP32 LYRATD SYNS V1.3
ESP IDF: ESP IDF 4.0

I enabled Secure boot and Flash encyption using following options in menuconfig:

Code: Select all

Bootloader Config -> Bootloader log verbosity-> Info
Security Features->
    Enable hardware secure boot in bootloader-> Selected
    Secure bootloader mode -> Reflashable
    Sign binaries during build -> Not selected
    Secure boot public signature verification key -> /home/mydir/secure_boot_signing_key_pub.bin
    Hardware key Encoding -> No encoding
    Allow potentially insecure options -> Selected
    Enable flash encryption on boot-> Selected
        Enable usages mode -> Development
    Potentially insecure options->
        Leave ROM BASIC Interpreter available on reset -> Selected
        Allow JTAG debugging -> Selected
        Allow app partition length not 64 KB aligned -> Not Selected
        Leave UART bootloader encryption enabled -> Selected
        Leave UART bootloader decryption enabled -> Selected
        Leave UART bootloader flash cache enabled -> Selected
        Require flash encryption to be already enabled -> Not selected
Partition table ->
    Offset of partition table -> 0xb000
size of bootloader.bin --> 0x9B70

I have custom partition table

Code: Select all

nvs,        data, nvs,      ,           0x6000,
phy_init,   data, phy,      ,           0x1000,
factory,    app,  factory,  ,           2M,
otadata,    data, ota,      ,           0x2000,
ota_0,      app,  ota_0,    ,           2M,
ota_1,      app,  ota_1,    ,           2M,
spiffs,     data, spiffs,   0x00630000, 8M,
Build and flashed bootloader and applicaiton using following commands:

Code: Select all

openssl ecparam -name prime256v1 -genkey -noout -out secure_boot_signing_key.pem
python espsecure.py extract_public_key --keyfile secure_boot_signing_key.pem secure_boot_signing_key_pub.bin
espsecure.py digest_private_key --keylen 256 --keyfile secure_boot_signing_key.pem secure-bootloader-key-256.bin
idf.py bootloader
python espefuse.py burn_key secure_boot secure-bootloader-key-256.bin
python esptool.py --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB  -u 0x1000 bootloader.bin
python esptool.py --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB  -u 0x0 bootloader-reflash-digest.bin (On subsequent flash)
idf.py build
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem myApp.bin
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem partition-table.bin
idf.py -p /dev/ttyUSB0 flash
After reset board boot up properly and I saw logs related to encryption being performed. Following was the efuse summary:

Code: Select all

EFUSE_NAME             Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Security fuses:
FLASH_CRYPT_CNT        Flash encryption mode counter                     = 1 R/W (0x1)
FLASH_CRYPT_CONFIG     Flash encryption config (key tweak bits)          = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE  Disable ROM BASIC interpreter fallback            = 1 R/W (0x1)
ABS_DONE_0             secure boot enabled for bootloader                = 1 R/W (0x1)
ABS_DONE_1             secure boot abstract 1 locked                     = 0 R/W (0x0)
JTAG_DISABLE           Disable JTAG                                      = 0 R/W (0x0)
DISABLE_DL_ENCRYPT     Disable flash encryption in UART bootloader       = 0 R/W (0x0)
DISABLE_DL_DECRYPT     Disable flash decryption in UART bootloader       = 0 R/W (0x0)
DISABLE_DL_CACHE       Disable flash cache in UART bootloader            = 0 R/W (0x0)
BLK1                   Flash encryption key
  = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2                   Secure boot key
  = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3                   Variable Block 3
  = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Efuse fuses:
WR_DIS                 Efuse write disable mask                          = 384 R/W (0x180)
RD_DIS                 Efuse read disablemask                            = 3 R/W (0x3)
CODING_SCHEME          Efuse variable block length scheme                = 0 R/W (0x0)
KEY_STATUS             Usage of efuse block 3 (reserved)                 = 0 R/W (0x0)

Config fuses:
XPD_SDIO_FORCE         Ignore MTDI pin (GPIO12) for VDD_SDIO on reset    = 0 R/W (0x0)
XPD_SDIO_REG           If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset   = 0 R/W (0x0)
XPD_SDIO_TIEH          If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V   = 0 R/W (0x0)
CLK8M_FREQ             8MHz clock freq override                          = 53 R/W (0x35)
SPI_PAD_CONFIG_CLK     Override SD_CLK pad (GPIO6/SPICLK)                = 0 R/W (0x0)
SPI_PAD_CONFIG_Q       Override SD_DATA_0 pad (GPIO7/SPIQ)               = 0 R/W (0x0)
SPI_PAD_CONFIG_D       Override SD_DATA_1 pad (GPIO8/SPID)               = 0 R/W (0x0)
SPI_PAD_CONFIG_HD      Override SD_DATA_2 pad (GPIO9/SPIHD)              = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0     Override SD_CMD pad (GPIO11/SPICS0)               = 0 R/W (0x0)
DISABLE_SDIO_HOST      Disable SDIO host                                 = 0 R/W (0x0)

Identity fuses:
MAC                    Factory MAC Address
  = 7c:9e:bd:cf:11:c8 (CRC 0xd0 OK) R/W
CHIP_VER_REV1          Silicon Revision 1                                = 1 R/W (0x1)
CHIP_VER_REV2          Silicon Revision 2                                = 1 R/W (0x1)
CHIP_VERSION           Reserved for future chip versions                 = 2 R/W (0x2)
CHIP_PACKAGE           Chip package identifier                           = 1 R/W (0x1)

Calibration fuses:
BLK3_PART_RESERVE      BLOCK3 partially served for ADC calibration data  = 0 R/W (0x0)
ADC_VREF               Voltage reference calibration                     = 1065 R/W (0x15)

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).

For testing reflashing, I made a minor change in application (added a log) , built app and signed with same key and flashed application using following command:

Code: Select all

idf.py build
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem myApp.bin
python espsecure.py sign_data --keyfile secure_boot_signing_key.pem partition-table.bin
idf.py -p /dev/ttyUSB0 flash
I got following error:

Code: Select all

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:1
load:0x3fff0018,len:4
load:0x3fff001c,len:11068
load:0x40078000,len:23980
ho 0 tail 12 room 4
load:0x40080400,len:4644
entry 0x400806ec
0;32mI (100) boot: Chip Revision: 30m
0;32mI (100) boot_comm: chip revision: 3, min. bootloader chip revision: 10m
0;32mI (46) boot: ESP-IDF e192eb7 2nd stage bootloader0m
0;32mI (46) boot: compile time 14:18:260m
0;32mI (46) boot: Enabling RNG early entropy source...0m
0;32mI (51) boot: SPI Speed      : 80MHz0m
0;32mI (55) boot: SPI Mode       : DIO0m
0;32mI (59) boot: SPI Flash Size : 16MB0m
0;31mE (63) flash_parts: partition 0 invalid magic number 0x2caa0m
0;31mE (69) boot: Failed to verify partition table0m
0;31mE (74) boot: load partition table error!0m
ets Jul 29 2019 12:21:46
I thought that this is becuse of insufficient partition table offset so inscrased partition table offset to 0x10000
After incresing parting table offset, I built bootloader, partition table and application using the steps mentione earlier and flashed all of them.
After this I am stuck in a situation where I always get following error:

Code: Select all

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
invalid header: 0x1fc44fe3
invalid header: 0x1fc44fe3
invalid header: 0x1fc44fe3
invalid header: 0x1fc44fe3
This is the second board that I seem to have bricked (First one was https://www.esp32.com/viewtopic.php?f=13&t=18272).
Please help me recover this board.

mamaheshwari
Posts: 10
Joined: Fri Oct 23, 2020 4:53 am

Re: "invalid header" error with Secure boot and flash encryption enabled

Postby mamaheshwari » Thu Dec 24, 2020 11:54 am

This thread can be closed.
Adding "--encrypted" option while reflashing bootloader, appliciaton and partition table resolved the issue.

Who is online

Users browsing this forum: ok-home and 94 guests