Unable to configure our ESP32 to run our app using secure boot v2 with our custom partition table (works fine with secure boot v1)
- dev platform : macbook pro
- chip : ESP 32 WROOM 32E
- flasher ESP32 Conseil Board Test
- ESP IDF 4.2 (commit c9cf7bcb0ef29c8f10df0906bf1fbac751fc1299)
```sh
cp -r ~/esp-idf/examples/get-started/blink ~/Documents/
cd ~/Documents/blink
idf.py flash -p /dev/cu.SLAB_USBtoUART
```
After a reset on the flasher, the app is working
```
CONFIG_ESP32_REV_MIN_3=y
CONFIG_ESP32_REV_MIN=3
CONFIG_PARTITION_TABLE_TWO_OTA=y
CONFIG_PARTITION_TABLE_FILENAME="partitions_two_ota.csv"
CONFIG_PARTITION_TABLE_OFFSET=0xa000
CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
CONFIG_ESPTOOLPY_FLASHSIZE="4MB"
CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_SUPPORTS_RSA=y
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
CONFIG_SECURE_BOOT_INSECURE=y
```
```sh
idf.py bootloader
```
The build fails as expected because the key file does not exist. We run the command to generate it:
```sh
espsecure.py generate_signing_key --version 2 secure_boot_signing_key.pem
```
The secure_boot_signing_key.pem file is created.
```sh
idf.py bootloader
esptool.py --chip esp32 --port=/dev/cu.SLAB_USBtoUART --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /Users/fl0/Documents/blink/build/bootloader/bootloader.bin
idf.py flash -p /dev/cu.SLAB_USBtoUART
```
The UART log shows that the application is running as expected.
```
# CONFIG_PARTITION_TABLE_TWO_OTA is not set
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"
```
| name | type | subtype | offset | size | flags |
|---|---|---|---|---|---|
| nvs | data | nvs | 0xB000 | 0x4000 | |
| otadata | data | ota | 0x1000 | 0x5000 | |
| phy_init | data | phy | 0x15000 | 0x5000 | |
| ota_0 | app | ota_0 | 0x20000 | 1792k | |
| ota_1 | app | ota_1 | | 1792k | |
```sh
rm -rf build/
idf.py bootloader
esptool.py --chip esp32 --port=/dev/cu.SLAB_USBtoUART --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /Users/fl0/Documents/blink/build/bootloader/bootloader.bin
idf.py flash -p /dev/cu.SLAB_USBtoUART
```
After reset, the app no longer works. UART logs show the message:
```
rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:2, clock div:2
secure boot v2 enabled
Sig block 0 signed with untrusted key
secure boot verification failed
ets Jul 29 2019 12:21:46
```
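The step that differs between the working and the failing build is the custom partition table. The following Python script is an added example for this issue, not code from the reporter or from ESP-IDF: it parses a partition CSV in the same six-column format as the table above and checks it offline against the layout rules the ESP-IDF partition-table documentation states (the binary table occupies 0x1000 bytes at CONFIG_PARTITION_TABLE_OFFSET, partitions must start after it and must not overlap, app partitions must be 0x10000-aligned, and everything must fit in the configured flash size). The rule it uses for a blank offset (continue after the previous partition, rounded up to 0x10000 for app partitions) is an assumption about how gen_esp32part.py fills such rows; the two CSV samples are constructed for this example.

```python
"""Offline sanity checker for an ESP-IDF partition table CSV (added example,
not ESP-IDF's gen_esp32part.py). Sample tables below are constructed."""
import csv
import io

PARTITION_TABLE_SIZE = 0x1000   # size of the binary partition table
APP_ALIGNMENT = 0x10000         # required alignment of app partitions


def parse_size(text):
    """Parse an offset or size: 0x.. hex, decimal, or K/M suffixed."""
    text = text.strip().lower()
    if text.endswith("k"):
        return int(text[:-1], 0) * 1024
    if text.endswith("m"):
        return int(text[:-1], 0) * 1024 * 1024
    return int(text, 0)


def parse_partition_csv(csv_text, table_offset):
    """Return the partitions as dicts, resolving blank offsets.

    Assumption: a blank offset (as in the ota_1 row above) continues right
    after the preceding partition, rounded up to 0x10000 for app partitions.
    """
    partitions = []
    next_free = table_offset + PARTITION_TABLE_SIZE
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip() or row[0].strip().startswith("#"):
            continue  # blank line or comment
        fields = [f.strip() for f in row] + [""] * 6
        name, ptype, subtype, offset, size = fields[:5]
        if offset:
            start = parse_size(offset)
        else:
            start = next_free
            if ptype == "app" and start % APP_ALIGNMENT:
                start += APP_ALIGNMENT - start % APP_ALIGNMENT
        length = parse_size(size)
        partitions.append({"name": name, "type": ptype, "subtype": subtype,
                           "offset": start, "size": length})
        next_free = start + length
    return partitions


def check_layout(partitions, table_offset, flash_size):
    """Return a list of problem strings; an empty list means the layout is sane."""
    problems = []
    table_end = table_offset + PARTITION_TABLE_SIZE
    previous = None
    for p in sorted(partitions, key=lambda x: x["offset"]):
        end = p["offset"] + p["size"]
        if p["offset"] < table_end:
            problems.append(f"{p['name']} starts at {p['offset']:#x}, inside the "
                            f"bootloader/partition-table region (ends {table_end:#x})")
        if p["type"] == "app" and p["offset"] % APP_ALIGNMENT:
            problems.append(f"app partition {p['name']} at {p['offset']:#x} "
                            f"is not {APP_ALIGNMENT:#x}-aligned")
        if previous is not None and p["offset"] < previous["offset"] + previous["size"]:
            problems.append(f"{p['name']} ({p['offset']:#x}) overlaps {previous['name']} "
                            f"(ends {previous['offset'] + previous['size']:#x})")
        if end > flash_size:
            problems.append(f"{p['name']} ends at {end:#x}, beyond the {flash_size}-byte flash")
        previous = p
    return problems


# Constructed sample: a stock-style two-OTA layout with the table at 0x8000.
GOOD_CSV = """\
# Name,   Type, SubType, Offset,  Size, Flags
nvs,      data, nvs,     0x9000,  0x4000,
otadata,  data, ota,     0xd000,  0x2000,
phy_init, data, phy,     0xf000,  0x1000,
ota_0,    app,  ota_0,   0x10000, 1M,
ota_1,    app,  ota_1,   ,        1M,
"""

# Constructed sample: otadata placed inside the partition-table region and
# ota_1 given an unaligned explicit offset that also overlaps ota_0.
BAD_CSV = """\
# Name,   Type, SubType, Offset,   Size, Flags
nvs,      data, nvs,     0x9000,   0x4000,
otadata,  data, ota,     0x8000,   0x2000,
phy_init, data, phy,     0xf000,   0x1000,
ota_0,    app,  ota_0,   0x10000,  1M,
ota_1,    app,  ota_1,   0x108000, 1M,
"""


def report(csv_text, table_offset=0x8000, flash_size=4 * 1024 * 1024):
    """Parse and check one CSV; returns the problem list."""
    return check_layout(parse_partition_csv(csv_text, table_offset),
                        table_offset, flash_size)


if __name__ == "__main__":
    for label, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(label, report(text) or "OK")
```

Pass `table_offset=0xa000` and the real `partitions.csv` contents to `report()` to check a table built with the sdkconfig shown above; the checker only reports layout problems, it does not rewrite the file.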
Hi @fburel,
If I understand correctly, the bootloader and app signed with the secure boot key work well when flashed, but it fails after updating the partition table and reflashing the app and bootloader signed with the same key.
After the 2nd reflashing, the bootROM seems to be unable to verify the 2nd stage bootloader.
Could you try using `--flash_size keep` instead of `--flash_size 4MB` while flashing the bootloaders with esptool.py?