Unable to sign with different Secure Boot and Flash Encryption keys !

Tahir Shaik
Posts: 2
Joined: Thu Oct 08, 2020 4:29 pm

Unable to sign with different Secure Boot and Flash Encryption keys !

Postby Tahir Shaik » Thu Oct 08, 2020 5:06 pm

Hi!
I'm following the below steps:-

1. Generated the Encryption keys
--> python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_flash_encryption_key flash_encryption_key.bin
--> python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_signing_key secure_boot_signing_key.pem

2. Enabled the menuconfig options
App Signing Scheme (ECDSA) --->
[*] Enable hardware Secure Boot in bootloader (READ DOCS FIRST)
Select secure boot version (Enable Secure Boot version 1) --->
Secure bootloader mode (Reflashable) --->
[*] Sign binaries during build
(secure_boot_signing_key.pem) Secure boot private signing key
Hardware Key Encoding (No encoding (256 bit key)) --->
[*] Allow potentially insecure options
[*] Enable flash encryption on boot (READ DOCS FIRST)
Enable usage mode (Development(NOT SECURE)) --->
Potentially insecure options --->

3. Built the project & got secure-bootloader-key-256.bin (/build/bootloader)

4.Burnt the efuses
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption flash_encryption_key.bin
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key secure_boot secure-bootloader-key-256.bin

5. Enabled Flash Encryption mechanism
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CNT
# Configuring Flash Encryption to use all address bits together with Encryption key (max value 0x0F)
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CONFIG 0x0F

6. Enabled Secure Boot mechanism
--> python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse ABS_DONE_0

7.Encrypted the partitions and helloworld

espsecure encrypt_flash_data build/partition_table/partition-table-unsigned.bin --keyfile ./flash_encryption_key.bin --address 0xC000 -o partition_en.bin

espsecure encrypt_flash_data build/hello-world.bin --keyfile ./flash_encryption_key.bin --address 0x20000 -o helloworld_en.bin


8. Flash: bootloader-digest at address 0x0 and encrypted; all the others (partitions and application) encrypted.
python $IDF_PATH/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before no_reset --after no_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x0 bootloader-reflash-digest.bin_enc 0xC000 partitions_en.bin 0x20000 helloworld_en.bin

I get the error:

******** SNIP *********
rst:0x10 (RTCWDT_RTC_RESET),boot:0x17 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun 8 2016 00:22:57
******** SNIP *********

It works normally when the flash encryption is disabled .
espefuse summary

FUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
BLK3_PART_RESERVE (BLOCK0): BLOCK3 partially served for ADC calibration data = False R/W (0b0)
ADC_VREF (BLOCK0): Voltage reference calibration = 1100 R/W (0b00000)

Config fuses:
XPD_SDIO_FORCE (BLOCK0): Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
XPD_SDIO_REG (BLOCK0): If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0): If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
CLK8M_FREQ (BLOCK0): 8MHz clock freq override = 51 R/W (0x33)
SPI_PAD_CONFIG_CLK (BLOCK0): Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0): Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0): Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_HD (BLOCK0): Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0): Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
DISABLE_SDIO_HOST (BLOCK0): Disable SDIO host = False R/W (0b0)

Efuse fuses:
WR_DIS (BLOCK0): Efuse write disable mask = 384 R/W (0x0180)
RD_DIS (BLOCK0): Efuse read disable mask = 3 R/W (0x3)
CODING_SCHEME (BLOCK0): Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
KEY_STATUS (BLOCK0): Usage of efuse block 3 (reserved) = False R/W (0b0)

Identity fuses:
MAC (BLOCK0): Factory MAC Address
= 30:ae:a4:73:a3:cc (CRC 0x02 OK) R/W
MAC_CRC (BLOCK0): CRC8 for factory MAC address = 2 R/W (0x02)
CHIP_VER_REV1 (BLOCK0): Silicon Revision 1 = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0): Silicon Revision 2 = False R/W (0b0)
CHIP_VERSION (BLOCK0): Reserved for future chip versions = 0 R/W (0b00)
CHIP_PACKAGE (BLOCK0): Chip package identifier = 0 R/W (0b000)
MAC_VERSION (BLOCK3): Version of the MAC field = 0 R/W (0x00)

Security fuses:

FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 7 R/W (0b0000111)
UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0): Flash encryption config (key tweak bits) = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback = True R/W (0b1)
ABS_DONE_0 (BLOCK0): secure boot enabled for bootloader = True R/W (0b1)
ABS_DONE_1 (BLOCK0): secure boot abstract 1 locked = False R/W (0b0)
JTAG_DISABLE (BLOCK0): Disable JTAG = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0): Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0): Disable flash decryption in UART bootloader = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0): Disable flash cache in UART bootloader = False R/W (0b0)
BLK1 (BLOCK1): Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 (BLOCK2): Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 (BLOCK3): Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).

espefuse output


Am i missing any signing steps?
Thanks...................!

ESP_Angus
Posts: 2201
Joined: Sun May 08, 2016 4:11 am

Re: Unable to sign with different Secure Boot and Flash Encryption keys !

Postby ESP_Angus » Fri Oct 09, 2020 4:23 am

Hi Tahir,

Thanks for the comprehensive details.

The error "flash read err, 1000" on boot means that the ROM can't find a valid bootloader at address 0x1000.

What were the steps you used to create bootloader-reflash-digest.bin_enc? Is it possible this wasn't encrypted correctly (ie using correct key and address 0x0 to encrypt bootloader-reflash-digest.bin file.)

Angus

Tahir Shaik
Posts: 2
Joined: Thu Oct 08, 2020 4:29 pm

Re: Unable to sign with different Secure Boot and Flash Encryption keys !

Postby Tahir Shaik » Fri Oct 09, 2020 6:46 am

Hi ESP_Angus,

Thank you for your reply,

****** Error: flash read err, 1000 *******
The error "flash read err, 1000" on boot means that the ROM can't find a valid bootloader at address 0x1000.

Yes i understood that this is something wrong with the bootloader from an earlier post,

>> What were the steps you used to create bootloader-reflash-digest.bin_enc? Is it possible this wasn't encrypted correctly (i.e., using correct key and address 0x0 to encrypt bootloader-reflash-digest.bin file.)

1. For the First time, i programmed bootloader-reflash-digest.bin from the build/bootloader folder
2. Tried to manually encrypt the boot & program it into 0x0
python $IDF_PATH/components/esptool_py/esptool/espsecure.py encrypt_flash_data --keyfile secure-bootloader-key.bin --address 0x0 -o bootloader-reflash-digest.bin_enc bootloader.bin

WiFive
Posts: 2978
Joined: Tue Dec 01, 2015 7:35 am

Re: Unable to sign with different Secure Boot and Flash Encryption keys !

Postby WiFive » Fri Oct 09, 2020 10:34 pm

If you are manually encrypting the bootloader then you have to flash it to 0x1000 and also create the secure boot digest and flash it to 0x0.

Who is online

Users browsing this forum: No registered users and 50 guests