Page 1 of 1

Verify Bug for [] don't know if Secure Boot is okay

Posted: Mon Sep 10, 2018 2:51 pm
by human890209
Today, I tested the secure boot with flash encryption of ESP-IDF, I use a simple example and follow the instructions step by step.
Before that I tested the flash encryption only, I succeeded.
But enabled both, I got:
secure boot check fail
I bricked 2 Dev boards with the same monitor logging results.

Before making further tests which could probably cost me more dev boards, I tried to verify my app.bin with the on my PC.
And I've found that there is a bug in it.

I've found that can only verify the Data bin file with the signing private key. It worked with the private key. v2.5.0
Verifying 216016 bytes of data
Signature is valid
I extract_public_key from the private key with extract_public_key command. v2.5.0
secure_boot_signing_key.pem public key extracted to public_key.pem
And then I verify_signature the Data bin file with the generated public_key, an error occurs.
I paste the log here:
python verify_signature --keyfile public_key.pem VS_app_signed.bin v2.5.0
Traceback (most recent call last):
File "", line 156, in verify_signature
sk = _load_key(args) # try to load as private key first
File "", line 123, in _load_key
sk = ecdsa.SigningKey.from_pem(
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\", line 159, in from_pem
privkey_pem = string[string.index(b("-----BEGIN EC PRIVATE KEY-----")):]
ValueError: subsection not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "", line 401, in <module>
File "", line 394, in _main
File "", line 389, in main
File "", line 160, in verify_signature
vk = ecdsa.VerifyingKey.from_pem(
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\", line 52, in from_pem
return klass.from_der(der.unpem(string))
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\", line 191, in unpem
return base64.b64decode(d)
File "C:\Python37\lib\", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
I doubt if the bootloader uses a similar method and could go wrong, too.
But at least the got a bug. So I reported here.

Hope someone experienced could tell me what does this means:
secure boot check fail
The error message is not very clear. I don't know if the bootloader's digest check fails and the bootloader is not booted at all. Or the signature of partitions table and app check fail.

Re: Verify Bug for [] don't know if Secure Boot is okay

Posted: Wed Sep 12, 2018 7:57 am
by ESP_Angus
Thanks for reporting this. The extract_public_key command produces a raw binary public key file (suitable for embedding in the bootloader), and it's not compatible with the verification command. This will be fixed.

This is not a cause of the "secure boot check fail" message. This message comes from the ROM and indicates that the digest calculated for the bootloader.bin is invalid, so it's refusing to continue. I'll add some explanation of these messages to the Secure Boot documentation.

Will reply about your specific issue in the other thread.

Re: Verify Bug for [] don't know if Secure Boot is okay

Posted: Thu Sep 13, 2018 1:45 am
by human890209
Thanks a lot :)