Automatic Provisioning of Secure Boot v2 Keys on Boot

tamoorman
Posts: 1
Joined: Fri Oct 10, 2025 6:29 pm

Automatic Provisioning of Secure Boot v2 Keys on Boot

Postby tamoorman » Fri Oct 10, 2025 7:11 pm

We have a project which uses the ESP32-C6. The project uses Secure Boot v2, specifically with ECDSA P256.

Our initial programming process consists of the following steps.
  • Run espefuse.exe's burn-key-digest command to provision the ESP32-C6 with the Secure Boot v2 public key digest. Repeat for a total of three times to burn all three valid keys.
    Ex:

    .\espefuse.exe --chip esp32c6 --port COMXX burn-key-digest BLOCK_KEY0 key1.pem SECURE_BOOT_DIGEST0
  • Run esptool.exe's write-flash command to program the ESP32-C6 (bootloader, partition-table, and application).
    Ex:

    esptool write-flash 0x0 combined_application.bin
Recently, there was an oversight that resulted in some boards being programmed without the Secure Boot v2 public key digests being written to the ESP32-C6's eFuses. We were surprised to see that the boards booted without issues and running espefuse.exe's summary command shows that the key blocks were properly set.

Is this an officially supported feature or did we get lucky that our boards were not bricked? We could not find this functionality referenced in any documentation we looked through.
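A post-programming check for the oversight described in the post, added here as an example (not code from the poster or from Espressif): it reads a saved `espefuse summary --format json` dump and reports whether all three Secure Boot v2 digest slots are burned, non-zero, write-protected and not revoked. The JSON field names (`value`, `writeable`) and the eFuse names are assumptions from what espefuse prints; the sample dumps are constructed.

```python
import json
import sys

# Constructed samples in the shape of `espefuse summary --format json` output
# (assumption: a dict keyed by eFuse name with "value"/"writeable" fields; only
# the fields this check reads are included). A real run would load the JSON
# written by: espefuse --chip esp32c6 --port COMXX summary --format json
GOOD_SUMMARY = {
    "SECURE_BOOT_EN": {"value": True, "writeable": False},
    "KEY_PURPOSE_0": {"value": "SECURE_BOOT_DIGEST0", "writeable": False},
    "KEY_PURPOSE_1": {"value": "SECURE_BOOT_DIGEST1", "writeable": False},
    "KEY_PURPOSE_2": {"value": "SECURE_BOOT_DIGEST2", "writeable": False},
    "BLOCK_KEY0": {"value": "11 " * 32, "writeable": False},
    "BLOCK_KEY1": {"value": "22 " * 32, "writeable": False},
    "BLOCK_KEY2": {"value": "33 " * 32, "writeable": False},
}
# The oversight from the post: flashed, but no digests burned and Secure Boot off.
UNPROVISIONED_SUMMARY = {
    "SECURE_BOOT_EN": {"value": False, "writeable": True},
    "KEY_PURPOSE_0": {"value": "USER", "writeable": True},
}
def check_secure_boot_efuses(summary, required=3, key_slots=6):
    """Return findings (empty list == OK): Secure Boot enabled, and each of the
    `required` digests burned into a key block, non-zero and write-protected."""
    findings = []
    if not summary.get("SECURE_BOOT_EN", {}).get("value"):
        findings.append("SECURE_BOOT_EN is not burned")
    found = set()
    for slot in range(key_slots):  # ESP32-C6 has key blocks 0..5
        purpose = summary.get(f"KEY_PURPOSE_{slot}", {})
        name = str(purpose.get("value", ""))
        if not name.startswith("SECURE_BOOT_DIGEST"):
            continue
        found.add(name)
        block = summary.get(f"BLOCK_KEY{slot}", {})
        digest = str(block.get("value", "")).replace(" ", "")
        if "?" not in digest and set(digest) <= {"0"}:  # readable but empty
            findings.append(f"{name} in BLOCK_KEY{slot} is all zeros")
        if block.get("writeable", True) or purpose.get("writeable", True):
            findings.append(f"{name} in BLOCK_KEY{slot} is not write-protected")
        if summary.get(f"SECURE_BOOT_KEY_REVOKE{name[-1]}", {}).get("value"):
            findings.append(f"{name} is revoked")
    for i in range(required):
        if f"SECURE_BOOT_DIGEST{i}" not in found:
            findings.append(f"SECURE_BOOT_DIGEST{i} is not burned in any key block")
    return findings
if __name__ == "__main__":
    with open(sys.argv[1]) as f:  # path to the saved JSON summary
        problems = check_secure_boot_efuses(json.load(f))
    print("\n".join(problems) or "Secure Boot v2 digests fully provisioned")
    sys.exit(1 if problems else 0)
```

Running it against a dump taken right after the write-flash step makes a board that skipped the burn-key-digest step fail loudly instead of silently booting.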
