ESP32 Forum

gb.123

Well the Document states :
"SCA and BBI vulnerabilities reported in this advisory may be applicable for Espressif SoC's including ESP32, ESP32-S2, ESP32-C3 and ESP32-S3. We will incorporate hardware countermeasures in our future chips to address these vulnerabilities."

Also For ESP32, EMFI has ...

gb.123

Hello,
Anyone knows if Security Advisory AR2022-003 been addressed ?
If yes, then what is the revision number of ESP32-S3 that addresses this issue ?
(I am specifically looking ESP32-S3-DevKitC which addresses this issue)
Thanks

gb.123

After discussion on the ESP-IDF github, it was concluded that this is due to mismatch of Size header in the bootloader.
Best way is to manually pass --flash_size keep or --flash_size <SIZE>

gb.123

Is it ok to do that?
I think its a design flaw (imho)... If you dont mind the keys being read, why not store it in your program itself and check for it while the program boots ?
(unless you are using this as a digest again)... there should be no 'negative' effect though as far as esp32 is ...

gb.123

Hi All !

After reading so much on the forum and getting help from ESP admins and mods, I have written a simple BAT script to burn the required fuses to protect ESP incase someone wants to burn pre-flashed keys.

Please replace :
<PORT> to your actual connected port
<KEY> Path to your Key.bin ...

gb.123

Thanks so much !

gb.123

I am also having the same problem.

I am using ESP32-DevkitC-VE (Wrover Module) with 8MB Flash.

If I burn the digest using : espefuse.py --port COM6 burn_key_digest X:\secure_boot_signing_key.pem,
I get

"Sig block 0 invalid: Image digest does not match"

If I dont burn the digest manually, I get ...

gb.123

Hi !

I was wondering if Partition.bin(or Partition-table.bin) also needs to be signed when using SecureBoot V2. Signing is done seperately using espsecure.py sign_data command.

Does Partition.bin(or Partition-table.bin) need to be signed or is ot supposed to be burnt unsigned ?

Thanks for the help!

gb.123

Hi @chegewara,

I am trying to decrypt the file while writing OTA. The problem is that I get esp_image: invalid segment length 0xffc70fb10m if I use decryption. Direct non-encrypted OTA updates fine .

Code :

if (true)
{
#define BUFFER_SIZE=2048
mbedtls_aes_context aes;

const uint8_t key ...

gb.123

I know int (11) is not the same as hex (0x11) and definitely not the same as "11".

What I wanted to do was get a series of bytes is input to be encoded and decoded back to byte format.
i,e -> input = 0x11 -> encrypt -> decrypt -> back to 0x11

I realize that the Decrypt array is showing as decimal ...

Search found 32 matches

Re: [Question] : Has Security Advisory AR2022-003 been addressed ?

[Question] : Has Security Advisory AR2022-003 been addressed ?

Re: Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Re: ESP32 Efuses

[Script] Easy burn e-fuse in case of Flashing Pre-Generated Keys for Flash Encryption

Re: Does Partition.bin also need to be signed when using SecureBoot V2

Re: Secure Boot V2 failure: Sig block 0 invalid: Image digest does not match

Does Partition.bin also need to be signed when using SecureBoot V2

Re: Problem in Computing AES 256 CBC

Re: Problem in Computing AES 256 CBC

About Us

Extra

Information