I'm trying to enable secure boot v2 and flash encryption in "Release Mode" for the ESP32-S3 chipset.
Here is the sdkconfig for the security features that I've set up:
#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="PRIVATE_SIGNING_KEY.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
# CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS is not set
# CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES128=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES256 is not set
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT is not set
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE=y
CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART=y
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
CONFIG_SECURE_ROM_DL_MODE_ENABLED=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
# CONFIG_SECURE_INSECURE_ALLOW_DL_MODE is not set
# end of Security features

Following that, here is the custom partition table I use:

# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0x9000, 0xf000,
phy_init, data, phy, 0x18000, 0x1000,
otadata, data, ota, 0x19000, 0x2000,
factory, app, factory, 0x20000, 0x250000,
ota_0, app, ota_0, 0x270000, 0x250000,
www, data, spiffs, 0x4C0000, 0x450000,
www2, data, spiffs, 0x910000, 0x450000,

Once everything is enabled and the build is successful, I use the following command to flash:

esptool.py -p COM11 -b 460800 --before default_reset --after hard_reset --chip esp32s3 write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB 0x0 bootloader/bootloader.bin 0x20000 CN1127.bin 0x8000 partition_table/partition-table.bin 0x19000 ota_data_initial.bin 0x4c0000 www.bin

After flashing, when I use monitor to check the first boot process, I end up with invalid header logs:

ESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x7 (TG0WDT_SYS_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x40048836
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
All these steps were integrated under development mode; however, in release mode this is always the case.
Any suggestions are welcome, thank you!
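Since a wrong offset in a write_flash command is unrecoverable once release-mode flash encryption has burned its eFuses, a pre-flash consistency check between the partition table CSV and the write_flash argument list is worth running before the first boot. The script below is an added example, not code from the post or from ESP-IDF; it embeds the partition table and write_flash offsets quoted above, and assumes the ESP32-S3 bootloader offset 0x0, the ESP-IDF default partition-table offset 0x8000, and the usual 64 KiB / 4 KiB alignment rules for app / data partitions.

```python
"""Pre-flash sanity check: ESP-IDF partition table vs. esptool write_flash args.

Added example (not from the forum post or ESP-IDF). The CSV and the
write_flash pairs are copied from the post; the region layout constants
below are assumptions (IDF defaults for ESP32-S3).
"""
import csv
import io

FLASH_SIZE = 16 * 1024 * 1024      # --flash_size 16MB
BOOTLOADER_OFFSET = 0x0            # assumption: ESP32-S3 bootloader at 0x0
BOOTLOADER_SIZE = 0x8000           # assumption: up to the partition table
PARTITION_TABLE_OFFSET = 0x8000    # assumption: CONFIG_PARTITION_TABLE_OFFSET default
PARTITION_TABLE_SIZE = 0x1000
APP_ALIGN = 0x10000                # app partitions: 64 KiB aligned
DATA_ALIGN = 0x1000                # data partitions: 4 KiB aligned

# Constructed copy of the partition table from the post.
PARTITION_CSV = """\
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0x9000, 0xf000,
phy_init, data, phy, 0x18000, 0x1000,
otadata, data, ota, 0x19000, 0x2000,
factory, app, factory, 0x20000, 0x250000,
ota_0, app, ota_0, 0x270000, 0x250000,
www, data, spiffs, 0x4C0000, 0x450000,
www2, data, spiffs, 0x910000, 0x450000,
"""

# (offset, file) pairs as given to write_flash in the post.
WRITE_FLASH_ARGS = [
    ("0x0", "bootloader/bootloader.bin"),
    ("0x20000", "CN1127.bin"),
    ("0x8000", "partition_table/partition-table.bin"),
    ("0x19000", "ota_data_initial.bin"),
    ("0x4c0000", "www.bin"),
]


def parse_partition_table(text):
    """Parse the CSV form of an IDF partition table into a list of dicts."""
    parts = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip().startswith("#"):
            continue
        cells = [c.strip() for c in row]
        if len(cells) < 5:
            raise ValueError(f"malformed row: {row}")
        name, ptype, subtype, offset, size = cells[:5]
        flags = cells[5] if len(cells) > 5 else ""
        parts.append({"name": name, "type": ptype, "subtype": subtype,
                      "offset": int(offset, 0), "size": int(size, 0),
                      "flags": flags})
    return parts


def check_partitions(parts, flash_size=FLASH_SIZE):
    """Return a list of alignment, overflow and overlap problems (empty = OK)."""
    problems = []
    regions = [("bootloader", BOOTLOADER_OFFSET, BOOTLOADER_SIZE),
               ("partition_table", PARTITION_TABLE_OFFSET, PARTITION_TABLE_SIZE)]
    for p in parts:
        align = APP_ALIGN if p["type"] == "app" else DATA_ALIGN
        if p["offset"] % align:
            problems.append(f"{p['name']}: offset {p['offset']:#x} "
                            f"not aligned to {align:#x}")
        if p["offset"] + p["size"] > flash_size:
            problems.append(f"{p['name']}: ends past flash size {flash_size:#x}")
        regions.append((p["name"], p["offset"], p["size"]))
    # Adjacent regions in offset order must not overlap.
    regions.sort(key=lambda r: r[1])
    for (n1, o1, s1), (n2, o2, _) in zip(regions, regions[1:]):
        if o1 + s1 > o2:
            problems.append(f"{n1} overlaps {n2}")
    return problems


def map_write_flash(parts, args):
    """Map each file to the region whose start it is written to.

    A file whose offset is not the start of a known region is 'UNMAPPED';
    flashing such a file blind under secure boot/flash encryption is the
    kind of mistake this check is meant to catch before it happens.
    """
    lookup = {BOOTLOADER_OFFSET: "bootloader",
              PARTITION_TABLE_OFFSET: "partition_table"}
    lookup.update({p["offset"]: p["name"] for p in parts})
    return {f: lookup.get(int(off, 0), "UNMAPPED") for off, f in args}


if __name__ == "__main__":
    table = parse_partition_table(PARTITION_CSV)
    for issue in check_partitions(table) or ["partition table OK"]:
        print(issue)
    for f, region in map_write_flash(table, WRITE_FLASH_ARGS).items():
        print(f"{f:40s} -> {region}")
```

Run it against your own partitions.csv and your write_flash line before the first boot in release mode; for the table and command quoted in the post, the layout passes and every file maps onto a region start (bootloader, factory, partition_table, otadata, www).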