ESP32S3 Secure boot enabling issues.
Posted: Fri Apr 04, 2025 3:47 pm
Hi,
I'm trying to enable secure boot v2 and flash encrytion in "Release Mode" for ESP32S3 chipset.
Here is the sdkcnfig for security features that I've setup:
with the partition table offset set to: CONFIG_PARTITION_TABLE_OFFSET=0x8000
Once everything is enabled and the buld successful, I use to following command to flash:
invalid heESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x7 (TG0WDT_SYS_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x40048836
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
All these steps were integrated under development mode, however, in release mode this is always the case.
Any suggestions are welcome, thank you!
I'm trying to enable secure boot v2 and flash encrytion in "Release Mode" for ESP32S3 chipset.
Here is the sdkcnfig for security features that I've setup:
Following that here is the =ustom partition table I use:#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="PRIVATE_SIGNING_KEY.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
# CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS is not set
# CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES128=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES256 is not set
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT is not set
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE=y
CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART=y
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
CONFIG_SECURE_ROM_DL_MODE_ENABLED=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
# CONFIG_SECURE_INSECURE_ALLOW_DL_MODE is not set
# end of Security features
Code: Select all
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0x9000, 0xf000,
phy_init, data, phy, 0x18000, 0x1000,
otadata, data, ota, 0x19000, 0x2000,
factory, app, factory, 0x20000, 0x250000,
ota_0, app, ota_0, 0x270000, 0x250000,
www, data, spiffs, 0x4C0000, 0x450000,
www2, data, spiffs, 0x910000, 0x450000, Once everything is enabled and the buld successful, I use to following command to flash:
After flashing when I use monitor to check first booting process I end up with invalid header logs:\esptool.py -p COM11 -b 460800 --before default_reset --after hard_reset --chip esp32s3 write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB 0x0 bootloader/bootloader.bin 0x20000 CN1127.bin 0x8000 partition_table/partition-table.bin 0x19000 ota_data_initial.bin 0x4c0000 www.bin
invalid heESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x7 (TG0WDT_SYS_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x40048836
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
All these steps were integrated under development mode, however, in release mode this is always the case.
Any suggestions are welcome, thank you!