Questions on Secure Boot & Flash Encryption -- Step by Step using only CLI

Munque
Posts: 25
Joined: Mon Feb 10, 2020 11:38 pm

Questions on Secure Boot & Flash Encryption -- Step by Step using only CLI

Postby Munque » Wed May 13, 2020 7:00 pm

I'm attempting to get a comprehensive understanding of the Secure Boot & Flash Encryption in step-by-step form using only CLI.

Reasons for the CLI-only method:
- To have control over the process and automate it for consistency, accuracy, and flexibility depending on how the overall production workflow evolves.
- To be able to re-flash during development.

There's something close on this esp32.com link. Naeem/snahmad75, WiFive, and ESP_Angus do a great job of clarifying the process and answering a whole lot of questions, but I still haven't been able to put together a complete coherent picture.

Also those notes are for Secure Boot V1, so hoping to build this out with V2 in mind.

Right now, just trying to avoid making under-informed eFuse mistakes that render our ESP32s unusable.

Part of the challenge has been just understanding how the different files created relate to one another. Between the Espressif documentation for Secure Boot V1, Secure Boot V2, Flash Encryption, and the variety of forum posts, it's challenging to recognize the continuity between the various files and the necessary flow of generating keys, digesting, signing, and encrypting.

Here's a first attempt, with questions below.
I get an error midway through (noted below).


GenerateFlashEncryptionKey
espsecure.py generate_flash_encryption_key --version 2 ./flash_encryption_key.bin

GenerateSigningKey
espsecure.py generate_signing_key --version 2 ./secure_boot_signing_key.pem

ExtractPublicKey
espsecure.py extract_public_key --version 2 --keyfile ./secure_boot_signing_key.pem --output ./public_verification_key.bin
Question: What is the public key used for? Is there a step missing that should be making use of it?

DigestPrivateKey
espsecure.py digest_private_key --version 2 --keyfile ./secure_boot_signing_key.pem --keylen 256 ./secure_bootloader_key.bin

DigestSecureBootloader
espsecure.py digest_secure_bootloader --version 2 --keyfile ./secure_bootloader_key.bin --output ./bootloader_digest.bin ./bootloader.bin
Question: Where does "bootloader.bin" come from in this context?
I've been assuming when doing unprotected sketch uploading (unencrypted and no secure boot), that it's automatically taken care of -- either by default on the ESP32 or created automatically when uploading, but I haven't seen it as a standalone, accessible file until now.


SignBinary
espsecure.py sign_data --version 2 --keyfile ./secure_boot_signing_key.pem --output ./project_signed.bin ./project.bin
espsecure.py sign_data --version 2 --keyfile ./secure_boot_signing_key.pem --output ./project.partitions_signed.bin ./project.partitions.bin
Note: The above CLI steps seem to be working up until this point. Getting the following error: A fatal error occurred: Incorrect RSA Signing key.

DoEncryption
espsecure.py encrypt_flash_data --version 2 --keyfile ./flash_encryption_key.bin --address 0x0 --output ./secure_bootloader_encrypted.bin ./bootloader_digest.bin
espsecure.py encrypt_flash_data --version 2 --keyfile ./flash_encryption_key.bin --address 0x8000 --output ./project.partitions_signed_encrypted.bin ./project.partitions_signed.bin
espsecure.py encrypt_flash_data --version 2 --keyfile ./flash_encryption_key.bin --address 0x20000 --output ./project_signed_encrypted.bin ./project_signed.bin

BurnEfuse_Bootloader
espefuse.py burn_key secure_boot --port /dev/cu.SLAB_USBtoUART ./secure_bootloader_key.bin
espefuse.py burn_efuse --port /dev/cu.SLAB_USBtoUART ABS_DONE_0 1

BurnEfuse_FlashEncryption
espefuse.py --port /dev/cu.SLAB_USBtoUART burn_key flash_encryption ./flash_encryption_key.bin
espefuse.py burn_efuse --port /dev/cu.SLAB_USBtoUART FLASH_CRYPT_CONFIG 0xF
espefuse.py burn_efuse --port /dev/cu.SLAB_USBtoUART FLASH_CRYPT_CNT

FlashEsp
esptool.py write_flash --port /dev/cu.SLAB_USBtoUART --baud 921600 0x0 (???./bootloader_digest.bin vs ./secure_bootloader_encrypted.bin???)
esptool.py write_flash --port /dev/cu.SLAB_USBtoUART --baud 921600 0x8000 ./project.partitions_signed_encrypted.bin
esptool.py write_flash --port /dev/cu.SLAB_USBtoUART --baud 921600 0x20000 ./project_signed_encrypted.bin
Question: What flashes to 0x0, "bootloader_digest.bin" or "secure_bootloader_encrypted.bin"?
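Added here as a worked example, not code from the post or from Espressif's espsecure.py: a pre-flight check that reads a PEM signing key and reports its algorithm and RSA modulus size, so that a V1-style ECDSA key is not mistaken for the RSA-3072 key that Secure Boot V2 on the ESP32 expects, before any irreversible eFuse is burned. The minimal DER walker, the function names and the constructed stub key (valid structure, not a usable key) are assumptions introduced for this example; only the key-type facts come from the ESP32 Secure Boot documentation.

```python
import base64
import re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def der_children(seq_body):
    """Yield (tag, value) for every TLV packed inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, val, pos = der_read(seq_body, pos)
        yield tag, val

def rsa_modulus_bits(rsa_key_der):
    """RSAPrivateKey ::= SEQUENCE { version, modulus n, publicExponent e, ... }; size of n."""
    fields = list(der_children(der_read(rsa_key_der)[1]))
    return int.from_bytes(fields[1][1], "big").bit_length()

def classify_signing_key(pem_text):
    """Return (algorithm, modulus_bits) for a PEM private key; bits is None unless RSA."""
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----(.*?)-----END", pem_text, re.S)
    label, der = m.group(1), base64.b64decode(m.group(2))
    if label != "PRIVATE KEY":  # traditional "RSA PRIVATE KEY" / "EC PRIVATE KEY" wrappers
        return label.split()[0], (rsa_modulus_bits(der) if label == "RSA PRIVATE KEY" else None)
    # PKCS#8: SEQUENCE { version, AlgorithmIdentifier { OID, params }, OCTET STRING key }
    _, algid, key = list(der_children(der_read(der)[1]))[:3]
    oid = next(v for t, v in der_children(algid[1]) if t == 0x06)
    if oid == RSA_OID:
        return "RSA", rsa_modulus_bits(key[1])
    return ("EC" if oid == EC_OID else "unknown"), None

def secure_boot_version_for(algorithm, bits):
    """Secure Boot V2 on ESP32 (ECO3) signs with RSA-3072; V1 uses an ECDSA key."""
    return "V2" if (algorithm, bits) == ("RSA", 3072) else ("V1" if algorithm == "EC" else None)

def der_tlv(tag, body):  # minimal DER encoder, used only to build the constructed sample
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")) + body
def constructed_rsa3072_pem():
    """Constructed sample: PKCS#8 around a stub RSAPrivateKey with a 3072-bit modulus (not a usable key)."""
    n = b"\x00\xc0" + b"\x11" * 383  # 384-byte modulus with the leading zero DER requires
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x02, n) + der_tlv(0x02, b"\x01\x00\x01"))
    pkcs8 = der_tlv(0x30, der_tlv(0x02, b"\x00") + der_tlv(0x30, der_tlv(0x06, RSA_OID) + b"\x05\x00") + der_tlv(0x04, rsa_key))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(pkcs8).decode() + "-----END PRIVATE KEY-----\n"
```

Run `secure_boot_version_for(*classify_signing_key(open("secure_boot_signing_key.pem").read()))` on the real key file; anything other than "V2" means the key does not match the `--version 2` commands above.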
