Questions on Secure Boot & Flash Encryption -- Step by Step using only CLI


Post by Munque

I'm attempting to get a comprehensive understanding of the Secure Boot & Flash Encryption in step-by-step form using only CLI.

Reasons for the CLI-only method:
- To have control over the process and automate it for consistency, accuracy, flexibility depending on how the overall production workflow evolves.
- To be able to re-flash during development.

There's something close on this link. Naeem/snahmad75, WiFive, and ESP_Angus do a great job of clarifying the process and answering a whole lot of questions, but I still haven't been able to put together a complete coherent picture.

Also those notes are for Secure Boot V1, so hoping to build this out with V2 in mind.

Right now, just trying to avoid making under-informed eFuse mistakes that render our ESP32s unusable.

Part of the challenge has been just understanding how the different files created relate to one another. Between the Espressif documentation for Secure Boot V1, Secure Boot V2, Flash Encryption, and the variety of forum posts, it's challenging to recognize the continuity between the various files and the necessary flow of generating keys, digesting, signing, and encrypting.

Here's a first attempt, with questions below.
I get an error midway through (noted below):

GenerateFlashEncryptionKey
    generate_flash_encryption_key --version 2 ./flash_encryption_key.bin

GenerateSigningKey
    generate_signing_key --version 2 ./secure_boot_signing_key.pem

ExtractPublicKey
    extract_public_key --version 2 --keyfile ./secure_boot_signing_key.pem --output ./public_verification_key.bin
Question: What is the public key used for? Is there a step missing that should be making use of it?

DigestPrivateKey
    digest_private_key --version 2 --keyfile ./secure_boot_signing_key.pem --keylen 256 ./secure_bootloader_key.bin

DigestSecureBootloader
    digest_secure_bootloader --version 2 --keyfile ./secure_bootloader_key.bin --output ./bootloader_digest.bin ./bootloader.bin
Question: Where does "bootloader.bin" come from in this context?
I've been assuming, when doing unprotected sketch uploading (unencrypted and no secure boot), that it's automatically taken care of -- either by default on the ESP32 or created automatically when uploading -- but I haven't seen it as a standalone, accessible file until now.

SignBinary
    sign_data --version 2 --keyfile ./secure_boot_signing_key.pem --output ./project_signed.bin ./project.bin
    sign_data --version 2 --keyfile ./secure_boot_signing_key.pem --output ./project.partitions_signed.bin ./project.partitions.bin
Note: The above CLI steps seem to be working up until this point. Getting the following error: A fatal error occurred: Incorrect RSA Signing key.

DoEncryption
    encrypt_flash_data --version 2 --keyfile ./flash_encryption_key.bin --address 0x0 --output ./secure_bootloader_encrypted.bin ./bootloader_digest.bin
    encrypt_flash_data --version 2 --keyfile ./flash_encryption_key.bin --address 0x8000 --output ./project.partitions_signed_encrypted.bin ./project.partitions_signed.bin
    encrypt_flash_data --version 2 --keyfile ./flash_encryption_key.bin --address 0x20000 --output ./project_signed_encrypted.bin ./project_signed.bin

BurnEfuse_Bootloader
    burn_key secure_boot --port /dev/cu.SLAB_USBtoUART ./secure_bootloader_key.bin
    burn_efuse --port /dev/cu.SLAB_USBtoUART ABS_DONE_0 1

BurnEfuse_FlashEncryption
    --port /dev/cu.SLAB_USBtoUART burn_key flash_encryption ./flash_encryption_key.bin
    burn_efuse --port /dev/cu.SLAB_USBtoUART FLASH_CRYPT_CONFIG 0xF
    burn_efuse --port /dev/cu.SLAB_USBtoUART FLASH_CRYPT_CNT

FlashEsp
    write_flash --port /dev/cu.SLAB_USBtoUART --baud 921600 0x0 (???./bootloader_digest.bin vs ./secure_bootloader_encrypted.bin???)
    write_flash --port /dev/cu.SLAB_USBtoUART --baud 921600 0x8000 ./project.partitions_signed_encrypted.bin
    write_flash --port /dev/cu.SLAB_USBtoUART --baud 921600 0x20000 ./project_signed_encrypted.bin
Question: What flashes to 0x0, "bootloader_digest.bin" or "secure_bootloader_encrypted.bin"?
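A CLI-only Secure Boot V2 plus flash encryption sequence for comparison, as an added example that is not from the post above or from Espressif. It assumes esptool's espsecure.py, espefuse.py and esptool.py on PATH, an ESP32 with the default offsets (bootloader 0x1000, partition table 0x8000, app 0x10000), build outputs under ./build, and the subcommand names digest_sbv2_public_key and secure_boot_v2 as found in recent esptool releases.

```shell
# Added example (not the post's commands). Assumes esptool on PATH, an ESP32 with
# default offsets (0x1000 / 0x8000 / 0x10000), images in ./build, port in $PORT.
set -e
PORT="${PORT:-/dev/cu.SLAB_USBtoUART}"
KEY=secure_boot_signing_key.pem   # RSA-3072 private key: stays off the device
FEK=flash_encryption_key.bin      # 256-bit AES key: burned into eFuse, never flashed
DIGEST=public_key_digest.bin      # SHA-256 of the PUBLIC key: what V2 actually burns
# Final artifact per flash offset: every image is signed first, then encrypted.
flash_target() {
    case "$1" in
        0x1000)  echo build/bootloader_signed_encrypted.bin ;;
        0x8000)  echo build/partition-table_encrypted.bin ;;
        0x10000) echo build/app_signed_encrypted.bin ;;
        *)       echo "no image at offset $1" >&2; return 1 ;;
    esac
}
gen_keys() {   # run once; keep both key files out of the repo and the build dir
    espsecure.py generate_signing_key --version 2 "$KEY"
    espsecure.py generate_flash_encryption_key "$FEK"
    # called digest_rsa_public_key in older esptool releases
    espsecure.py digest_sbv2_public_key --keyfile "$KEY" --output "$DIGEST"
}
sign_images() {   # V2 signs bootloader and app directly; no digest_* steps needed
    espsecure.py sign_data --version 2 --keyfile "$KEY" \
        --output build/bootloader_signed.bin build/bootloader.bin
    espsecure.py sign_data --version 2 --keyfile "$KEY" \
        --output build/app_signed.bin build/app.bin
    espsecure.py verify_signature --version 2 --keyfile "$KEY" build/app_signed.bin
}
encrypt_images() {   # --address must equal the offset the file is later flashed to
    for pair in "0x1000 bootloader_signed" "0x8000 partition-table" "0x10000 app_signed"; do
        set -- $pair
        espsecure.py encrypt_flash_data --keyfile "$FEK" --address "$1" \
            --output "build/${2}_encrypted.bin" "build/${2}.bin"
    done
}
burn_efuses() {   # irreversible: check "espefuse.py --port $PORT summary" first
    espefuse.py --port "$PORT" burn_key secure_boot_v2 "$DIGEST"
    espefuse.py --port "$PORT" burn_efuse ABS_DONE_1 1
    espefuse.py --port "$PORT" burn_key flash_encryption "$FEK"
    espefuse.py --port "$PORT" burn_efuse FLASH_CRYPT_CONFIG 0xF
    espefuse.py --port "$PORT" burn_efuse FLASH_CRYPT_CNT 0x1
}
flash_images() {   # pre-encrypted data goes in with plain write_flash, no --encrypt
    for off in 0x1000 0x8000 0x10000; do
        esptool.py --port "$PORT" --baud 921600 write_flash "$off" "$(flash_target "$off")"
    done
}
if [ "${1:-}" = "--run" ]; then gen_keys; sign_images; encrypt_images; burn_efuses; flash_images; fi
```

Re-flashing during development only repeats sign_images, encrypt_images and flash_images with the same keys; the eFuse steps happen once per chip.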

