ESP32-C5 Secure boot doesn't works

Post Reply
jgorgE
Posts: 1
Joined: Thu Mar 27, 2025 5:16 pm

ESP32-C5 Secure boot doesn't works

Postby jgorgE » Thu Mar 27, 2025 5:46 pm

Hello All,

We're exploring Secure Boot capabilities in ESP32-C5. We've checked guidelines at

https://docs.espressif.com/projects/esp ... ot-v2.html

Following workflow at:

https://docs.espressif.com/projects/esp ... flows.html

We're trying to enable secure boot. For doing that we flashed following parameters using espefuse.py
Run "summary" command
EFUSE_NAME (Block) Description
=
[Meaningful Value] [Readable/Writeable] (Hex Value)
Security fuses:
SECURE_BOOT_EN (BLOCK)
Represents whether secure boot is enabled or disab = True R/W (@b1) led.\\ 1: enabled\\ 0: disabled\\
BLOCK_KEY (BLOCK4)
Purpose: SECURE_BOOT_DIGESTO
Key or user data
= 47 7e a3 73 be 9f f1 a8 b9 7c be 31 4d 3c ec bc a7 24 25 cf 5c cb d2 78 3d d6 do 21 c4 05 fØ 5d R/W
BLOCK KEY1 (BLOCKS)
Purpose: SECURE_BOOT_DIGEST1
Key1 or user data
3b
77
= 77 7f f7 73 f7 df f1 b8 bb 7d bf b7 ef fe ed fc ff a7 77 cf dc eb fe fb bf d7 fc 3b dd af ff dd R/W BLOCK_KEY2 (BLOCK6)
Purpose: SECURE_BOOT_DIGEST2
Key2 or user data
= 35 79 55 11 e7 ca 80 b8 b2 35 35 96 a7 ca 21 4c 7a a3 52 83 cc 61 fc c3 87 d1 6c la 9d aa ff 89 R/W
There are several flashed blocks but we're right now testing BLOCK4 (BLOCK_KEY0)

After that we have signed the bootloader binary and our app binary with the same key as the block key 0:

Image

And we have flashed the espressif-c5 with the signed binaries. But when we check the output, we have seen that it gets stuck before jumping to second bootloader:
WINWORD_34.png
WINWORD_34.png (192.95 KiB) Viewed 525 times
After that some questions arise.
1. If we have different keys, should we sign our binaries with all keys? (e.g. in the example before we have 3 ECDSA keys on secure blocks, so should we sign the binaries three times?)
2. On the output of the espressif-c5, we can see that are checking RSA, should we sign the bootloader with RSA algorithms ? Does the first bootloader only check RSA keys ? Can first bootloader check ECDSA signs ?
3. Which should be the states of the following EFUSE? (ECDSA_DISABLE_P192, DIS_DIRECT_BOOT, SECURE_BOOT_DISABLE_FAST_WAKE)
4. On menu config we can see that the secure boot version depends on the espressif SoC, using espressif esp32c5 we understand that we should use v2. Is that right ?
WINWORD_34.png
WINWORD_34.png (192.95 KiB) Viewed 525 times
5. Is the configuration we have on menu config is correct? Should miss something?
Attachments
WINWORD_36.png
WINWORD_36.png (253.6 KiB) Viewed 525 times
WINWORD_37.png
WINWORD_37.png (80.37 KiB) Viewed 525 times
Top
Mahavir
Espressif staff
Espressif staff
Posts: 194
Joined: Wed Jan 24, 2018 6:51 am

Re: ESP32-C5 Secure boot doesn't works

Postby Mahavir » Wed Apr 02, 2025 10:01 am

Hello,
1. If we have different keys, should we sign our binaries with all keys? (e.g. in the example before we have 3 ECDSA keys on secure blocks, so should we sign the binaries three times?)
Yes, if you would like to consider key revocation feature then you must sign the bootloader image with all keys corresponding to digests programmed in the EFuses.
2. On the output of the espressif-c5, we can see that are checking RSA, should we sign the bootloader with RSA algorithms ? Does the first bootloader only check RSA keys ? Can first bootloader check ECDSA signs ?
No. Based on the signature block version appended to the image, the ROM code will correctly use either ECDSA or RSA-PSS verification scheme. Currently the error displayed because the ROM was unable to find a valid signature block appended to the bootloader image and hence it assumed the scheme to be RSA.
3. Which should be the states of the following EFUSE? (ECDSA_DISABLE_P192, DIS_DIRECT_BOOT, SECURE_BOOT_DISABLE_FAST_WAKE)
The error code is unrelated to any of these EFuses. If you plan to use ECDSA P192 scheme then the `ECDSA_DISABLE_P192` must not be programmed to 1.
4. On menu config we can see that the secure boot version depends on the espressif SoC, using espressif esp32c5 we understand that we should use v2. Is that right ?
Yes, that is correct.


Some followup questions:

- Image that you uploaded is not visible, does it show the commands corresponding to signing of the bootloader and application?
- Are you able to verify the bootloader image locally using esptool command? Please confirm if you had flashed same signed image in the flash as well.
- Please post your flashing commands and the complete espefuse summary for reference here.
Top
Post Reply

Return to “General Discussion”

Who is online

Users browsing this forum: PerplexityBot, PetalBot, Qwantbot, YisouSpider and 8 guests