Correct sequence to apply encrypted flash and secure boot v2


Post by schickb » Fri Jan 21, 2022 10:45 am

Using an ESP32C3 and esp-idf 4.4-rc1 I am applying encrypted flash and secure boot v2 (all in "dev mode" for now). Eventually I'm able to get it all working, but I seem to have to repeat the same steps multiple times and cut power to the device between steps to get it to work. Should these steps work:

  • Start with a new device
  • menuconfig used to enable encrypted flash in dev mode and secure boot with SECURE_BOOT_INSECURE enabled
  • idf.py fullclean build flash
  • espsecure.py generate_flash_encryption_key {bin_file}
  • espefuse.py --chip esp32c3 --port {port} burn_key BLOCK_KEY0 {bin_file} XTS_AES_128_KEY
  • espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY1 pk1.pem SECURE_BOOT_DIGEST0
  • espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY2 pk2.pem SECURE_BOOT_DIGEST1
  • espefuse.py --chip esp32c3 -p {port} burn_key_digest --no-write-protect --no-read-protect BLOCK_KEY3 pk3.pem SECURE_BOOT_DIGEST2
  • esptool.py --chip esp32c3 --port={port} --baud=57600 --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 {signed_bl}

When I then restart the device by holding EN low, I get repeating:

invalid header: 0x01dd68cb

After trying many things... what got it working was the following sequence:

  • cut power
  • add power with EN and IO9 held low then release EN to start in upload mode
  • espefuse.py --chip esp32c3 -p {port} --baud 57600 burn_bit BLOCK0 116 (was already burned, and does nothing...I think)
  • esptool.py --chip esp32c3 -p={port} -b 57600 --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 4MB 0x0 {signed_bl}

But it is unclear to me why writing the bootloader again after a power cycle and a no-op efuse burn_bit would solve the problem. Between each of the steps I tried to restart by blipping EN low and got the same "invalid header" error until writing the same bootloader again. And before power cycling and trying to rewrite the SECURE_BOOT_EN bit I'd attempted to reupload the signed bootloader and app many times to no avail.

Do I need to apply encrypted flash and secure boot in stages? For example, enable encrypted flash, apply the changes, restart. Then enable secure boot and apply those changes?


Post by sachin0x18 » Thu Feb 17, 2022 11:06 am

Hi @schickb,

I tried these steps at my end and it seems to work well for me on the v4.4-rc1 ESP-IDF branch.

Did you by any chance flash an encrypted binary?

Also, there is no need to enable flash encryption and secure boot in stages. Enabling them together should work.
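
One way to check the question raised in the reply before writing anything to 0x0, as an added example that is not part of either post and not ESP-IDF code: confirm that the bootloader file starts with a plaintext ESP image header. The 0xE9 magic byte and the 24-byte header layout are those of ESP-IDF's `esp_image_header_t`; the function names, the sample bytes and the reading of the ROM's printed value as a little-endian flash word are assumptions.

```python
import struct
import sys

ESP_IMAGE_MAGIC = 0xE9         # first byte of a plaintext ESP image
ESP32C3_CHIP_ID = 5            # chip_id field value for ESP32-C3
HEADER_FMT = "<BBBBIB3sHB8sB"  # esp_image_header_t, 24 bytes, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)


def inspect_image(data: bytes) -> dict:
    """Classify the start of a file that is about to be written at 0x0."""
    if len(data) < HEADER_LEN:
        return {"plaintext_image": False, "reason": "shorter than image header"}
    (magic, segments, _mode, _speed_size, entry, _wp, _drv,
     chip_id, _rev, _reserved, hash_appended) = struct.unpack_from(HEADER_FMT, data)
    if magic != ESP_IMAGE_MAGIC:
        # Pre-encrypted, erased or non-image data all fail here.
        return {"plaintext_image": False,
                "reason": f"magic 0x{magic:02x}, expected 0xe9"}
    return {"plaintext_image": True, "segments": segments, "entry": entry,
            "chip_is_c3": chip_id == ESP32C3_CHIP_ID,
            "hash_appended": bool(hash_appended)}


def magic_from_rom_word(word: int) -> int:
    """Byte at flash offset 0, assuming the ROM prints a little-endian word."""
    return word & 0xFF


# Constructed sample data, not dumped from a real device.
SAMPLE_PLAIN = struct.pack(HEADER_FMT, 0xE9, 3, 2, 0x2F, 0x403CC000, 0xEE,
                           b"\x00" * 3, ESP32C3_CHIP_ID, 0, b"\x00" * 8, 1)
SAMPLE_OTHER = (0x01DD68CB).to_bytes(4, "little") + b"\x00" * 20

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_image(fh.read(HEADER_LEN)))
    else:
        print(inspect_image(SAMPLE_PLAIN))
        print(inspect_image(SAMPLE_OTHER))
        print(hex(magic_from_rom_word(0x01DD68CB)))
```

A signed bootloader still begins with this plaintext header, because the secure boot v2 signature block is appended at the end of the image.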
