Secure boot and flash encrytion issue in release mode

[fanmen1]

Hi,
I'm trying to enable secure boot v2 and flash encrytion in "Release Mode" for ESP32S3 chipset.
Here is the sdkcnfig for security features that I've setup:

#
# Security features
#
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_V2_RSA_SUPPORTED=y
CONFIG_SECURE_BOOT_V2_PREFERRED=y
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="PRIVATE_SIGNING_KEY.pem"
# CONFIG_SECURE_BOOT_ENABLE_AGGRESSIVE_KEY_REVOKE is not set
# CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS is not set
# CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT is not set
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_AES128=y
# CONFIG_SECURE_FLASH_ENCRYPTION_AES256 is not set
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT is not set
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_FLASH_HAS_WRITE_PROTECTION_CACHE=y
CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART=y
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
CONFIG_SECURE_ROM_DL_MODE_ENABLED=y
# CONFIG_SECURE_DISABLE_ROM_DL_MODE is not set
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
# CONFIG_SECURE_INSECURE_ALLOW_DL_MODE is not set
# end of Security features

Following that here is the custom partition table I use:

Code: Select all

Code: Select all

# Name,	    Type,	SubType,	Offset,	    Size,	Flags
nvs,	    data,	nvs,	    0x9000,	    0xf000,	
phy_init,	data,	phy,	    0x18000,	0x1000,	
otadata,	data,	ota,    	0x19000,	0x2000,	
factory,	app,	factory,	0x20000,	0x250000,	
ota_0,	    app,	ota_0,	    0x270000,	0x250000,	
www,	    data,	spiffs,	    0x4C0000,	0x450000,	
www2,	    data,	spiffs,	    0x910000,	0x450000,	

with the partition table offset set to: CONFIG_PARTITION_TABLE_OFFSET=0x8000

Once everything is enabled and the buld successful, I use to following command to flash:

\

esptool.py -p COM11 -b 460800 --before default_reset --after hard_reset --chip esp32s3 write_flash --flash_mode dio --flash_freq 80m --flash_size 16MB 0x0 bootloader/bootloader.bin 0x20000 CN1127.bin 0x8000 partition_table/partition-table.bin 0x19000 ota_data_initial.bin 0x4c0000 www.bin

After flashing when I use monitor to check first booting process I end up with invalid header logs:

Code: Select all

invalid heESP-ROM:esp32s3-20210327
Build:Mar 27 2021
rst:0x7 (TG0WDT_SYS_RST),boot:0x8 (SPI_FAST_FLASH_BOOT)
Saved PC:0x40048836
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330
invalid header: 0xdf322330

All these steps were integrated under development mode, however, in release mode this is always the case.
Any suggestions are welcome, thank you!