@fburel
Last active May 4, 2021 11:33

Secure boot v2 issue

Description

Unable to configure our ESP32 to run our app using secure boot v2 with our custom partition table (works fine with secure boot v1)

Environment

Hardware

Toolchain

  • ESP IDF 4.2 (commit c9cf7bcb0ef29c8f10df0906bf1fbac751fc1299)

Reproducing the issue

Get a working starter project

cp -r ~/esp-idf/examples/get-started/blink ~/Documents/
cd ~/Documents/blink
idf.py flash -p /dev/cu.SLAB_USBtoUART

After a reset on the flasher, the app is working

Add secure boot v2

Set the minimum ESP revision to 3

CONFIG_ESP32_REV_MIN_3=y
CONFIG_ESP32_REV_MIN=3

Change the partition table and its offset

CONFIG_PARTITION_TABLE_TWO_OTA=y
CONFIG_PARTITION_TABLE_FILENAME="partitions_two_ota.csv"
CONFIG_PARTITION_TABLE_OFFSET=0xa000

Set the memory size to 4 MB

CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
CONFIG_ESPTOOLPY_FLASHSIZE="4MB"

Set the minimum secure boot v2 with insecure options

CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_SUPPORTS_RSA=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
CONFIG_SECURE_BOOT_INSECURE=y

Build & flash bootloader

idf.py bootloader

The build fails as expected because the key file does not exist. We run the command to generate it:

espsecure.py generate_signing_key --version 2 secure_boot_signing_key.pem

The secure_boot_signing_key.pem file is created

idf.py bootloader
esptool.py --chip esp32 --port=/dev/cu.SLAB_USBtoUART --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /Users/fl0/Documents/blink/build/bootloader/bootloader.bin

Build & flash app

idf.py flash -p /dev/cu.SLAB_USBtoUART

The UART log shows that the application is running as expected

Change to the 'unworking' partition table

Change the partition type to custom

# CONFIG_PARTITION_TABLE_TWO_OTA is not set
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"

Create the partitions.csv file

# name,   type, subtype, offset,  size,   flags
nvs,      data, nvs,     0xB000,  0x4000,
otadata,  data, ota,     0x1000,  0x5000,
phy_init, data, phy,     0x15000, 0x5000,
ota_0,    app,  ota_0,   0x20000, 1792k,
ota_1,    app,  ota_1,   ,        1792k,

Clean, build & re-flash everything

rm -rf build/
idf.py bootloader
esptool.py --chip esp32 --port=/dev/cu.SLAB_USBtoUART --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /Users/fl0/Documents/blink/build/bootloader/bootloader.bin
idf.py flash -p /dev/cu.SLAB_USBtoUART

After reset, the app no longer works. UART logs show the message:

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:2, clock div:2
secure boot v2 enabled
Sig block 0 signed with untrusted key
secure boot verification failed
ets Jul 29 2019 12:21:46
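
A pre-flash layout check for the partition table above, as an added example that is not part of the original gist or of ESP-IDF: it resolves each row of partitions.csv to a start and end address and reports rows that start below the first usable offset (the partition table at 0xa000 plus its sector), run past the 4 MB flash, or overlap another row. The 0x1000 table-sector size, the alignment used for rows with no offset, and all function names are assumptions of this sketch.

```python
# Added example (not from the gist): pre-flash layout check for partitions.csv.
PT_OFFSET = 0xA000            # CONFIG_PARTITION_TABLE_OFFSET from the page
PT_SIZE = 0x1000              # assumption: the table occupies one 4 KB sector
FLASH_SIZE = 4 * 1024 * 1024  # CONFIG_ESPTOOLPY_FLASHSIZE="4MB" from the page
APP_ALIGN = 0x10000           # assumption: app partitions start on 64 KB boundaries

# Rows as listed on the page; an empty offset means "place after the previous row".
PAGE_CSV = """\
# name,   type, subtype, offset,  size
nvs,      data, nvs,     0xB000,  0x4000
otadata,  data, ota,     0x1000,  0x5000
phy_init, data, phy,     0x15000, 0x5000
ota_0,    app,  ota_0,   0x20000, 1792k
ota_1,    app,  ota_1,   ,        1792k
"""

def parse_num(text):
    """Parse a decimal or 0x-hex number with an optional k/M suffix."""
    text = text.strip().lower()
    mult = {"k": 1024, "m": 1024 * 1024}.get(text[-1:], 1)
    return int(text.rstrip("km"), 0) * mult

def resolve(csv_text):
    """Return [(name, type, start, end)], filling in empty offsets."""
    rows, cursor = [], PT_OFFSET + PT_SIZE
    for line in csv_text.splitlines():
        line = line.split("#")[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, ptype, _sub, off, size = [f.strip() for f in line.split(",")][:5]
        align = APP_ALIGN if ptype == "app" else 0x1000
        start = parse_num(off) if off else -(-cursor // align) * align  # round up
        cursor = start + parse_num(size)
        rows.append((name, ptype, start, cursor))
    return rows

def check(rows):
    """Return a list of findings; an empty list means the layout is consistent."""
    out, first_free = [], PT_OFFSET + PT_SIZE   # below this: bootloader and table
    for name, _ptype, start, end in rows:
        if start < first_free:
            out.append(f"{name}: starts at 0x{start:x}, below first usable offset 0x{first_free:x}")
        if end > FLASH_SIZE:
            out.append(f"{name}: ends at 0x{end:x}, past flash size 0x{FLASH_SIZE:x}")
    ordered = sorted(rows, key=lambda r: r[2])
    for a, b in zip(ordered, ordered[1:]):      # neighbours by start address
        if b[2] < a[3]:
            out.append(f"{b[0]} (0x{b[2]:x}) overlaps {a[0]} (ends 0x{a[3]:x})")
    return out
```

On the rows as listed in this gist, `check(resolve(PAGE_CSV))` returns a single finding, for `otadata` at 0x1000.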

@supreetd21

Hi @fburel,
If I understand correctly, the bootloader, app signed with the secure boot key flashed works well, but it fails on updating the partitions table & reflashing the app, bootloader signed with the same key.
After the 2nd reflashing, the bootROM seems to be unable to verify the 2nd stage bootloader.

Could you try using --flash_size keep instead of --flash_size 4MB while flashing the bootloaders with esptool.py?