Facing issue flash encryption+secure boot sbv2 combination in development mode for esp32s3

kesha.modhia
Posts: 53
Joined: Fri May 13, 2022 12:36 pm

Facing issue flash encryption+secure boot sbv2 combination in development mode for esp32s3

Postby kesha.modhia » Wed Apr 30, 2025 7:04 am

Hello,
I am working on Flash Encryption and Secure Boot v2, where I am facing an issue.

Module - ESP32-S3
IDF - 5.0.7
Building Hello World Example given in idf
Platform - windows, using cmd [command prompt] commands for building binaries


Work Done so Far,

Enabled Secure boot in menuconfig [development mode]
Generated signing key for the images
Ticked sign image during build time in menuconfig
Upgraded the partition table as per requirement
Flashed bootloader.bin manually and flashed the other application.bin, partition.bin using idf.py flash
Secure boot is done successfully

As I am not able to read the contents from the flash, and also unsigned images are not supported by the module,
tested only signed bootloader.bin, and upon that only signed binaries bring up the board and allow running the default hello world example.

Now Trying with the Flash encryption

Enabled flash encryption

as I want to enable both at the same time,
and again dumped the bootloader.bin in the module [this time did not dump the application.bin after dumping the bootloader.bin].

Attaching the logs and sdkconfig

Kindly reply on high priority
Attachments
20250425_VM_flash_encryp_logs_SINGLE_FINAL_Reset_logs.txt (logs after flash encryption enabled)
sdkconfig.h (sdkconfig)

adokitkat
Espressif staff
Posts: 77
Joined: Thu Jun 22, 2023 12:50 pm

Re: Facing issue flash encryption+secure boot sbv2 combination in development mode for esp32s3

Postby adokitkat » Tue May 06, 2025 3:54 pm

Hello.

When both Secure Boot and Flash Encryption are enabled, you need to sign the binaries first (this is done automatically if you enabled `Sign binaries during build` in menuconfig) and then encrypt them (e.g. with `espsecure.py` if you generated the keys on a PC).

I can walk you through how to do it (you don't need to do a step again if you have already done it).

I assume you are working with an ESP32-S3, and I won't do any of the recommended eFuse burning here unless necessary.

This is not a tutorial on how to do it for production, only a simple demonstration of how to make the two work together.

I also highly recommend using "Virtual eFuses" with the "Keep eFuses in flash" option enabled (adding the line "efuse_em, data, efuse, , 0x2000," to the partition table is needed for this option) when testing this, so you don't brick your ESP: https://docs.espressif.com/projects/esp ... ual-efuses However, I don't assume here that it is enabled, so if you have it enabled then maybe not all steps will be the same.

I followed this document: https://docs.espressif.com/projects/esp ... flows.html

  1. Go to your project directory
  2. Generate a key for Secure Boot, its digest, and a key for flash encryption


    espsecure.py generate_signing_key --version 2 --scheme rsa3072 secure_boot_signing_key.pem
    
    espsecure.py digest_sbv2_public_key --keyfile secure_boot_signing_key.pem --output digest.bin
    
    espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
    
  3. Enable these settings in `idf.py menuconfig` -> `Security features`

    This is not a definitive list or anything, just what I used for this debug test:
    • "Enable hardware Secure Boot in bootloader"
    • "Sign binaries during build" - optional
    • "Allow potentially insecure options" - only for this debug test, do not enable in production
    • "Enable flash encryption on boot"
    • Potentially insecure options ->
      • "Allow JTAG Debugging"
      • "Allow additional read protecting of efuses"
      • "Leave unused digest slots available (not revoke)"
      • "Leave UART bootloader flash cache enabled"
    • UART ROM download mode -> "UART ROM download mode (Enabled (not recommended))"
  4. Build your binaries and sign them


    idf.py build
    
    If you have `Sign binaries during build` enabled and correct path to the signing key (in `idf.py menuconfig -> Security features`):


    # Use `copy` on Windows
    
    cp build/bootloader/bootloader.bin bootloader-signed.bin
    
    cp build/<NAME_OF_YOUR_APP>.bin <NAME_OF_YOUR_APP>-signed.bin
    
    If you have `Sign binaries during build` disabled (don't sign the partition table):


    espsecure.py sign_data --version 2 --keyfile secure_boot_signing_key.pem --output bootloader-signed.bin build/bootloader/bootloader.bin
    
    espsecure.py sign_data --version 2 --keyfile secure_boot_signing_key.pem --output <NAME_OF_YOUR_APP>-signed.bin build/<NAME_OF_YOUR_APP>.bin
    
  5. Encrypt the binaries (I use `0x0` address for the bootloader because I assume ESP32-S3 chip)


    espsecure.py encrypt_flash_data --aes_xts --keyfile my_flash_encryption_key.bin --address 0x0 --output bootloader-signed-enc.bin bootloader-signed.bin
    
    espsecure.py encrypt_flash_data --aes_xts --keyfile my_flash_encryption_key.bin --address <ADDRESS OF THE PART TABLE> --output partition-table-enc.bin build/partition_table/partition-table.bin
    
    espsecure.py encrypt_flash_data --aes_xts --keyfile my_flash_encryption_key.bin --address <ADDRESS OF THE APP> --output <NAME_OF_YOUR_APP>-signed-enc.bin <NAME_OF_YOUR_APP>-signed.bin
    
    You can get the addresses if you run `idf.py partition-table`.
  6. Flash the chip


    esptool.py --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size keep 0x0 bootloader-signed-enc.bin --force
    
    esptool.py --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size keep <ADDRESS OF THE PART TABLE> partition-table-enc.bin
    
    esptool.py --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size keep <ADDRESS OF THE APP> <NAME_OF_YOUR_APP>-signed-enc.bin
    
  7. Burn the eFuses


    espefuse.py burn_key <e.g BLOCK_KEY0> digest.bin SECURE_BOOT_DIGEST0
    
    espefuse.py burn_efuse SECURE_BOOT_EN
    
    espefuse.py burn_key <e.g BLOCK_KEY1> my_flash_encryption_key.bin XTS_AES_128_KEY
    
    espefuse.py burn_efuse SPI_BOOT_CRYPT_CNT
    
  8. Run `idf.py monitor`
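As an added example (not code from the post above, nor from ESP-IDF's own tools), here is a small Python pre-flight check for the sign-then-encrypt-then-flash sequence in steps 4 to 6: it recognises the plaintext ESP image magic byte (0xE9), the RSA-3072 Secure Boot v2 signature block that `espsecure.py sign_data --version 2` appends in the last sector (magic 0xE7, version 0x02, SHA-256 of the padded image, CRC32 over the first 1196 bytes), and the binary partition-table entry magic, so that every file handed to `write_flash` can be confirmed as signed where it must be and encrypted everywhere. The sample inputs, the placeholder RSA fields and the XOR stand-in for XTS-AES ciphertext are constructed for the demo; the check is structural only and does not verify the RSA-PSS signature itself (use `espsecure.py verify_signature` for that).

```python
"""Pre-flight check before write_flash on a Secure Boot v2 + flash-encryption device."""
import hashlib
import struct
import zlib

SECTOR = 0x1000                   # espsecure pads a signed image to a sector boundary
ESP_IMAGE_MAGIC = 0xE9            # first byte of an unencrypted bootloader/app image
PART_TABLE_MAGIC = b"\xAA\x50"    # first bytes of an unencrypted partition-table.bin
SIG_MAGIC, SIG_VERSION_RSA = 0xE7, 0x02
SIG_DIGEST_OFF = 4                # SHA-256 of the padded image follows magic/version/pad
SIG_CRC_OFF = 1196                # CRC32 of block[0:1196] is stored here
SIG_BLOCK_LEN = 1216              # 1196 + 4 (crc) + 16 (zero padding)


def signature_block_ok(block: bytes, image: bytes) -> bool:
    """Structural check of one RSA-3072 SBv2 signature block: magic, version,
    CRC32 and the embedded SHA-256 of the image. The RSA-PSS signature itself
    is NOT verified here (use `espsecure.py verify_signature` for that)."""
    if len(block) < SIG_BLOCK_LEN or block[0] != SIG_MAGIC or block[1] != SIG_VERSION_RSA:
        return False
    (crc,) = struct.unpack_from("<I", block, SIG_CRC_OFF)
    if crc != zlib.crc32(block[:SIG_CRC_OFF]) & 0xFFFFFFFF:
        return False
    return block[SIG_DIGEST_OFF:SIG_DIGEST_OFF + 32] == hashlib.sha256(image).digest()


def classify(data: bytes) -> str:
    """One of: plaintext-partition-table, plaintext-signed,
    plaintext-signature-corrupt, plaintext-unsigned, opaque (encrypted/unknown)."""
    if data[:2] == PART_TABLE_MAGIC:
        return "plaintext-partition-table"
    if not data or data[0] != ESP_IMAGE_MAGIC:
        return "opaque"
    # A signed image is sector-padded and carries the signature sector last.
    if len(data) >= 2 * SECTOR and len(data) % SECTOR == 0 and data[-SECTOR] == SIG_MAGIC:
        image, sig_sector = data[:-SECTOR], data[-SECTOR:]
        return "plaintext-signed" if signature_block_ok(sig_sector, image) else "plaintext-signature-corrupt"
    return "plaintext-unsigned"


def flash_set_issues(artifacts: dict) -> list:
    """artifacts: label -> (signed_plaintext, encrypted_output, needs_signature).
    Returns the problems found; an empty list means every file is signed where
    it must be and every file you are about to write is ciphertext."""
    issues = []
    for label, (plain, enc, needs_sig) in artifacts.items():
        kind_plain, kind_enc = classify(plain), classify(enc)
        if needs_sig and kind_plain != "plaintext-signed":
            issues.append(f"{label}: expected a signed plaintext image before encryption, got {kind_plain}")
        if kind_enc != "opaque":
            issues.append(f"{label}: output to be flashed is not encrypted ({kind_enc})")
        if len(enc) < len(plain):
            issues.append(f"{label}: encrypted output is shorter than its input")
    return issues


# --- constructed sample inputs (not real espsecure output) -------------------

def fake_signed_image(payload: bytes) -> bytes:
    """An image with the ESP magic, sector padding and a structurally valid
    signature block whose modulus/R/M'/signature fields are placeholders."""
    image = bytes([ESP_IMAGE_MAGIC]) + payload
    image += b"\xFF" * (-len(image) % SECTOR)
    body = struct.pack("<BBH", SIG_MAGIC, SIG_VERSION_RSA, 0)
    body += hashlib.sha256(image).digest()
    body += b"\x11" * 384 + struct.pack("<I", 65537)   # modulus, exponent
    body += b"\x22" * 384 + struct.pack("<I", 0)       # R, M' (placeholders)
    body += b"\x33" * 384                              # signature (placeholder)
    assert len(body) == SIG_CRC_OFF
    block = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + b"\x00" * 16
    return image + block + b"\xFF" * (SECTOR - len(block))


def fake_ciphertext(plain: bytes) -> bytes:
    """Stand-in for XTS-AES output: same length, no plaintext magic. Real
    ciphertext comes from `espsecure.py encrypt_flash_data --aes_xts`."""
    return bytes(b ^ 0xA5 for b in plain)


if __name__ == "__main__":
    app_signed = fake_signed_image(b"hello world app")
    table = PART_TABLE_MAGIC + b"\x00" * 30
    for issue in flash_set_issues({
        "bootloader": (app_signed, fake_ciphertext(app_signed), True),
        "partition-table": (table, fake_ciphertext(table), False),
        "app": (app_signed, app_signed, True),   # forgot to encrypt -> reported
    }):
        print("PROBLEM:", issue)
```

Feed `flash_set_issues` the `*-signed.bin` and `*-signed-enc.bin` pairs from steps 4 and 5 (partition table with `needs_signature=False`); a plaintext image in the second slot is exactly the mistake that leaves a device with `SPI_BOOT_CRYPT_CNT` burned unable to boot. Note that the `--address` given to `encrypt_flash_data` is bound into the XTS-AES tweak, so an image encrypted for one offset and written to another will also fail to boot even though it passes this check.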
