ESP32 secure bootloader

Posted: Tue Jul 09, 2019 10:58 am
by tatulea
Hi,

I want to implement a secure bootloader and flash encryption on my devices. I am trying to implement the secure bootloader first, and later I will activate the flash encryption as well.

My problem is that I don't fully understand the secure bootloader methodology.

My system is composed of many ESP32s and a Raspberry Pi. The scenario is that you connect the ESP32 to the RPi and it will update its firmware if there is a new version available. The secure keys will be stored on Google Cloud.

As far as I understand, once I enable secure bootloader I will not be able to update it anymore. But what happens if I want to change a setting from menuconfig or update the idf? I should generate another bootloader, but am I able to reflash it?

Also, can I somehow disable the secure bootloader once activated?

Re: ESP32 secure bootloader

Posted: Tue Jul 09, 2019 5:31 pm
by WiFive
https://docs.espressif.com/projects/esp ... bootloader

No you can't disable the secure boot check for the bootloader. Don't lose your key!

Re: ESP32 secure bootloader

Posted: Tue Jul 09, 2019 8:07 pm
by tatulea
And how do I make an update in case of a new idf version?

Re: ESP32 secure bootloader

Posted: Wed Jul 10, 2019 12:31 am
by WiFive
As long as you have the key you can sign a new bootloader and flash it.

Re: ESP32 secure bootloader

Posted: Wed Jul 10, 2019 4:25 am
by ESP_Angus
- We don't support OTA updating of the bootloader, only the app. The only safe way to update the bootloader is via serial. The bootloader from older ESP-IDF should stay compatible with apps built from newer ESP-IDF versions, so you don't need to update it for most purposes.

- If you enable Secure Boot then you have to run a manual build step to flash the bootloader, to prevent updating it accidentally over serial. The normal "flash" target will skip the bootloader.

- As WiFive says, if you keep a copy of the Secure Boot key that's written to efuse then you can generate a valid digest to re-flash an updated bootloader over serial, while keeping secure boot enabled. But this is not supported when doing OTA firmware updates.

- It is possible to configure ESP-IDF to verify app signatures on OTA updates, without using the hardware secure boot feature. See this option. However, this option is limited because it only protects against an attacker with network access and not an attacker with physical access.
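The last point above describes a software-only check: the host signs each app image with a private key it keeps, and the device verifies the signature with the embedded public key before accepting an OTA update. The following Go program is an added illustration of that flow and is not ESP-IDF's own code. It is modelled on the ESP-IDF app signing scheme (ECDSA over the NIST P-256 curve with SHA-256 of the image), but the signature block layout is simplified to a raw 64-byte r||s appended to the image, and the image bytes and the generated key are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// sigLen is the size of a raw P-256 signature: r and s, 32 bytes each.
const sigLen = 64

// GenerateSigningKey creates the host-side private key. In a real deployment
// this key is generated once, stored offline and never shipped to devices.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignImage is the host-side step: hash the image with SHA-256 and append an
// ECDSA P-256 signature over that hash (simplified signature block, see lead-in).
func SignImage(priv *ecdsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	sig := make([]byte, sigLen)
	r.FillBytes(sig[:32]) // fixed-width big-endian encoding of r and s
	s.FillBytes(sig[32:])
	signed := append([]byte{}, image...)
	return append(signed, sig...), nil
}

// VerifyImage is the device-side step: it needs only the public key. It returns
// the image bytes when the signature checks out, otherwise an error, so the
// caller never boots or writes an unverified image.
func VerifyImage(pub *ecdsa.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < sigLen+1 {
		return nil, errors.New("image too short to contain a signature")
	}
	image := signed[:len(signed)-sigLen]
	sig := signed[len(signed)-sigLen:]
	digest := sha256.Sum256(image)
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	return image, nil
}

func main() {
	priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	image := []byte("constructed app image bytes") // stand-in for an OTA .bin
	signed, err := SignImage(priv, image)
	if err != nil {
		panic(err)
	}
	// Device side: the update is accepted only if VerifyImage returns no error.
	if _, err := VerifyImage(&priv.PublicKey, signed); err != nil {
		fmt.Println("rejected:", err)
	} else {
		fmt.Println("update accepted")
	}
	// Any modification after signing, or a signature made with a different
	// key, is rejected: this is what stops an attacker with network access.
	tampered := append([]byte{}, signed...)
	tampered[0] ^= 0xFF
	_, err = VerifyImage(&priv.PublicKey, tampered)
	fmt.Println("tampered image:", err)
}
```

The check only protects the update path: a party with physical access can still write whatever it likes to flash over serial, which is why the hardware Secure Boot digest and flash encryption exist on top of this.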

Re: ESP32 secure bootloader

Posted: Wed Jul 10, 2019 8:17 am
by tatulea
It makes sense. As I understand, the ESP can generate a key for itself as well. If I use this option I won't be able to update the bootloader later, right?

Re: ESP32 secure bootloader

Posted: Wed Jul 24, 2019 8:55 am
by hiren.virapara
tatulea wrote:
It makes sense. As I understand, the ESP can generate a key for itself as well. If I use this option I won't be able to update the bootloader later, right?

Yes, right.
For your information:
There are two ways to generate the Flash encryption key:
1) Using an ESP32-generated Flash Encryption Key.
2) Using a host-generated Flash Encryption Key.

Re: ESP32 secure bootloader

Posted: Fri Jul 26, 2019 6:06 am
by arunkat
Hello,

I am trying to use Flash encryption and Secure Bootloader together in my ESP32 board.

Below is my espefuse summary:

=====================================================================
espefuse.py v2.7-dev
Connecting........_
EFUSE_NAME Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 0 R/- (0x0)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 1 R/W (0x1)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/W (0x0)
BLK1 Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Efuse fuses:
WR_DIS Efuse write disable mask = 388 R/W (0x184)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)

==================================================================================
arun@27863:~/esp/blink$ make encrypted-flash monitor
Toolchain path: /home/arun/esp/xtensa-esp32-elf/bin/xtensa-esp32-elf-gcc
WARNING: Toolchain version is not supported: crosstool-ng-1.22.0-80-g6c4433a
Expected to see version: esp32-2019r1
Please check ESP-IDF setup instructions and update the toolchain, or proceed at your own risk.
WARNING: Compiler version is not supported: 5.2.0
Expected to see version(s): 8.2.0
Please check ESP-IDF setup instructions and update the toolchain, or proceed at your own risk.
Python requirements from /home/arun/esp/esp-idf/requirements.txt are satisfied.

Project is not inside a git repository, will not use 'git describe' to determine PROJECT_VER.
App "blink" version: 1
Flashing binaries to serial port /dev/ttyUSB0 (app at offset 0x20000)...
(Secure boot enabled, so bootloader not flashed automatically. See 'make bootloader' output)
esptool.py v2.7-dev
Serial port /dev/ttyUSB0
Connecting........____
Chip is ESP32D0WDQ6 (revision 1)
Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None
MAC: 3c:71:bf:4c:b0:38
Uploading stub...
Running stub...
Stub running...
Configuring flash size...
Auto-detected Flash size: 4MB

WARNING: - compress and encrypt options are mutually exclusive
Will flash uncompressed
Wrote 196608 bytes at 0x00020000 in 17.4 seconds (90.5 kbit/s)...
Wrote 16384 bytes at 0x00009000 in 1.4 seconds (91.2 kbit/s)...

Leaving...
Hard resetting via RTS pin...
MONITOR
--- idf_monitor on /dev/ttyUSB0 115200 ---
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
3 �ets Jun 8 2016 00:22:57

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:6520
load:0x40078000,len:18248
load:0x40080400,len:6048
entry 0x400806dc
E (33) flash_parts: partition 0 invalid magic number 0x9496
E (33) boot: Failed to verify partition table
E (34) boot: load partition table error!
ets Jun 8 2016 00:22:57
======================================================================

I get the above error while running make encrypted-flash monitor... If someone can guide me on what could possibly be the issue here...?
Thanks,
Arun
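The boot log above fails at the very first thing the second-stage bootloader does after loading: it checks the partition table's per-entry magic and its MD5 entry before trusting any offsets. A table that is read through the wrong transformation (ciphertext seen as plaintext, or plaintext run through decryption) fails exactly that check with an "invalid magic number" error. The Go program below is an added example, not ESP-IDF code: it parses the documented 32-byte entry format (magic 0x50AA, type, subtype, offset, size, 16-byte label, flags, terminated by an MD5 entry with magic 0xEBEB), runs the same two sanity checks on a constructed table, and then shows what the parser sees when that table is encrypted. The AES key and the ECB block mode used to produce the ciphertext are stand-ins chosen for the example; the real ESP32 flash-encryption cipher differs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

// Partition-table constants from the ESP-IDF documentation.
const (
	entrySize     = 32
	entryMagic    = 0x50AA // little-endian bytes AA 50 at the start of each entry
	md5Magic      = 0xEBEB // MD5 entry: magic, 14 bytes of 0xFF, 16-byte MD5
	flagEncrypted = 1 << 0 // "encrypted" flag bit
)

type Partition struct {
	Type, SubType uint8
	Offset, Size  uint32
	Label         string
	Encrypted     bool
}

// ParsePartitionTable performs the checks the bootloader does before using the
// table: every entry must carry the magic, and the MD5 entry (if present) must
// match the bytes before it.
func ParsePartitionTable(raw []byte) ([]Partition, error) {
	var parts []Partition
	for i := 0; i+entrySize <= len(raw); i += entrySize {
		e := raw[i : i+entrySize]
		switch magic := binary.LittleEndian.Uint16(e[0:2]); magic {
		case md5Magic:
			sum := md5.Sum(raw[:i])
			if !bytes.Equal(e[16:32], sum[:]) {
				return nil, errors.New("failed to verify partition table: MD5 mismatch")
			}
			return parts, nil
		case 0xFFFF: // erased flash: end of table
			return parts, nil
		case entryMagic:
			parts = append(parts, Partition{
				Type:      e[2],
				SubType:   e[3],
				Offset:    binary.LittleEndian.Uint32(e[4:8]),
				Size:      binary.LittleEndian.Uint32(e[8:12]),
				Label:     string(bytes.TrimRight(e[12:28], "\x00")),
				Encrypted: binary.LittleEndian.Uint32(e[28:32])&flagEncrypted != 0,
			})
		default:
			return nil, fmt.Errorf("partition %d invalid magic number 0x%x", i/entrySize, magic)
		}
	}
	return parts, nil
}

// entry builds one constructed 32-byte table entry.
func entry(typ, sub uint8, off, size uint32, label string, flags uint32) []byte {
	e := make([]byte, entrySize)
	binary.LittleEndian.PutUint16(e[0:2], entryMagic)
	e[2], e[3] = typ, sub
	binary.LittleEndian.PutUint32(e[4:8], off)
	binary.LittleEndian.PutUint32(e[8:12], size)
	copy(e[12:28], label)
	binary.LittleEndian.PutUint32(e[28:32], flags)
	return e
}

// SampleTable is a constructed table resembling the default single-app layout
// (nvs, phy_init, factory app), terminated by an MD5 entry.
func SampleTable() []byte {
	var t []byte
	t = append(t, entry(0x01, 0x02, 0x9000, 0x6000, "nvs", 0)...)
	t = append(t, entry(0x01, 0x01, 0xf000, 0x1000, "phy_init", 0)...)
	t = append(t, entry(0x00, 0x00, 0x10000, 0x100000, "factory", 0)...)
	sum := md5.Sum(t)
	m := make([]byte, entrySize)
	binary.LittleEndian.PutUint16(m[0:2], md5Magic)
	for i := 2; i < 16; i++ {
		m[i] = 0xFF
	}
	copy(m[16:], sum[:])
	return append(t, m...)
}

// AsSeenWithoutDecryption models reading an encrypted table as if it were
// plaintext: each 16-byte block is AES-256 encrypted with a constructed key.
// (ECB and the fixed key are stand-ins, not the ESP32 flash-encryption scheme.)
func AsSeenWithoutDecryption(table []byte) []byte {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0x42}, 32)) // constructed key
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(table))
	for i := 0; i+aes.BlockSize <= len(table); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], table[i:i+aes.BlockSize])
	}
	return out
}

func main() {
	parts, err := ParsePartitionTable(SampleTable())
	fmt.Println(parts, err)
	_, err = ParsePartitionTable(AsSeenWithoutDecryption(SampleTable()))
	fmt.Println("encrypted table read as plaintext:", err)
}
```

Run as-is, the first parse returns the three entries and the second fails the magic check, which is the same symptom as the log above. When flash encryption is in play, every region the bootloader reads (bootloader, partition table, app) has to be written in the form the chip will read it in, and checking the table first is a cheap way to tell "wrong encryption state" apart from a genuinely corrupt image.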