Testing secure boot and flash encryption, bootloader cannot set CRYPT_CONFIG efuse

iot_hw
Posts: 1
Joined: Tue Jun 16, 2020 4:05 am

Testing secure boot and flash encryption, bootloader cannot set CRYPT_CONFIG efuse

Postby iot_hw » Wed Jun 17, 2020 2:30 am

Trouble getting secure boot and flash encryption working. I also opened an issue on GitHub (IDFGH-3501) since I'm not sure if it's a change in the IDF or I set something wrong. I had some working a few months ago, but reviewing my notes, it looks like I had to do secure boot first, then enable flash encryption after. We are moving the project to the manufacturing phase and it's highly desirable to have a simple one-step flashing process.

Environment

Development Kit: none
Kit version n/a
Module or chip used: ESP32-WROOM-32U
IDF version v3.3.2-256-g332e243f1
Build System: Make
Compiler version xtensa-esp32-elf-gcc.exe (crosstool-NG crosstool-ng-1.22.0-80-g6c4433a5) 5.2.0
Operating System: Windows
(Windows only) environment type: MSYS2 mingw32
Using an IDE?: No
Power Supply: external 5V

Problem Description

Trying to enable secure boot and flash encryption but bootloader tries to set CRYPT_CONFIG efuse and ESP32 crashes with:
Fatal exception (0): IllegalInstruction
epc1=0x40081038, epc2=0x00000000, epc3=0x00000000, excvaddr=0x00000000, depc=0x00000000

Expected Behavior

Secure boot and flash encryption are enabled, bootloader encrypts the files and ESP32 boots the factory partition app

Actual Behavior

The device crashes, reboots, cycle repeats.

Steps to reproduce

Following ESP-IDF docs V3.3 for reflashable bootloader and pregenerated flash encryption key
make bootloader
follow make bootloader output to burn key and flash bootloader
burn pregenerated flash key to efuses
make flash monitor
Can erase flash and repeat the flashing bootloader and make flash monitor steps to get same result.

Debug Logs

MONITOR
--- idf_monitor on COM4 115200 ---
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
paddr=0x0000102c vadets Jun 8 2016 00:22:57

rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0018,len:4
load:0x3fff001c,len:11336
load:0x40078000,len:21124
load:0x40080400,len:6836
entry 0x400807ec
I (90) boot: Chip Revision: 1
I (90) boot_comm: chip revision: 1, min. bootloader chip revision: 0
I (43) boot: ESP-IDF v3.3.2-256-g332e243f1-dirty 2nd stage bootloader
I (43) boot: compile time 18:20:59
I (44) boot: Enabling RNG early entropy source...
I (49) boot: SPI Speed : 40MHz
I (54) boot: SPI Mode : DIO
I (58) boot: SPI Flash Size : 4MB
I (62) boot: Partition Table:
I (65) boot: ## Label Usage Type ST Offset Length
I (73) boot: 0 nvs WiFi data 01 02 0000d000 00004000
I (80) boot: 1 otadata OTA data 01 00 00011000 00002000
I (87) boot: 2 phy_init RF data 01 01 00013000 00001000
I (95) boot: 3 factory factory app 00 00 00020000 00100000
I (102) boot: 4 ota_0 OTA app 00 10 00120000 00100000
I (110) boot: 5 ota_1 OTA app 00 11 00220000 00100000
I (118) boot: 6 nvs_dev_info WiFi data 01 02 00320000 00006000
I (125) boot: End of partition table
I (129) boot: Defaulting to factory image
I (134) boot_comm: chip revision: 1, min. application chip revision: 0
I (141) esp_image: segment 0: paddr=0x00020020 vaddr=0x3f400020 size=0x31194 (201108) map
I (221) esp_image: segment 1: paddr=0x000511bc vaddr=0x3ffb0000 size=0x03c94 ( 15508) load
I (227) esp_image: segment 2: paddr=0x00054e58 vaddr=0x40080000 size=0x00400 ( 1024) load
0x40080000: _WindowOverflow4 at C:/msys32/home/mcgra/esp/esp-idf/components/freertos/xtensa_vectors.S:1779

I (228) esp_image: segment 3: paddr=0x00055260 vaddr=0x40080400 size=0x0adb0 ( 44464) load
I (255) esp_image: segment 4: paddr=0x00060018 vaddr=0x400d0018 size=0xa0768 (657256) map
0x400d0018: _flash_cache_start at ??:?

I (486) esp_image: segment 5: paddr=0x00100788 vaddr=0x4008b1b0 size=0x0a474 ( 42100) load
0x4008b1b0: xthal_window_spill_nw at /Users/igrokhotkov/e/esp32/hal/hal/windowspill_asm.S:227

I (504) esp_image: segment 6: paddr=0x0010ac04 vaddr=0x00000000 size=0x0537c ( 21372)
I (512) esp_image: Verifying image signature...
I (915) boot: Loaded app from partition at offset 0x20000
I (915) boot_comm: chip revision: 1, min. application chip revision: 0
I (917) esp_image: segment 0: paddr=0x00001020 vaddr=0x3fff0018 size=0x00004 ( 4)
I (925) esp_image: segment 1: paddr=0x0000102c vaddr=0x3fff001c size=0x02c48 ( 11336)
I (938) esp_image: segment 2: paddr=0x00003c7c vaddr=0x40078000 size=0x05284 ( 21124)
I (950) esp_image: segment 3: paddr=0x00008f08 vaddr=0x40080400 size=0x01ab4 ( 6836)
W (954) secure_boot: Using pre-loaded secure boot key in EFUSE block 2
I (958) secure_boot: Generating secure boot digest...
I (1010) secure_boot: Digest generation complete.
I (1010) boot: Checking flash encryption...
W (1010) flash_encrypt: Using pre-loaded flash encryption key in EFUSE block 1
I (1016) flash_encrypt: Setting CRYPT_CONFIG efuse to 0xF
Fatal exception (0): IllegalInstruction
epc1=0x40081038, epc2=0x00000000, epc3=0x00000000, excvaddr=0x00000000, depc=0x00000000

efuse summary
EFUSE_NAME Description = [Meaningful Value] [Readable/Writeable] (Hex Value)

Security fuses:
FLASH_CRYPT_CNT Flash encryption mode counter = 0 R/W (0x0)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 0 R/W (0x0)
CONSOLE_DEBUG_DISABLE Disable ROM BASIC interpreter fallback = 1 R/W (0x1)
ABS_DONE_0 secure boot enabled for bootloader = 0 R/W (0x0)
ABS_DONE_1 secure boot abstract 1 locked = 0 R/W (0x0)
JTAG_DISABLE Disable JTAG = 0 R/W (0x0)
DISABLE_DL_ENCRYPT Disable flash encryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_DECRYPT Disable flash decryption in UART bootloader = 0 R/W (0x0)
DISABLE_DL_CACHE Disable flash cache in UART bootloader = 0 R/W (0x0)
BLK1 Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2 Secure boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK3 Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Efuse fuses:
WR_DIS Efuse write disable mask = 384 R/W (0x180)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
CODING_SCHEME Efuse variable block length scheme = 0 R/W (0x0)
KEY_STATUS Usage of efuse block 3 (reserved) = 0 R/W (0x0)

Config fuses:
XPD_SDIO_FORCE Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = 0 R/W (0x0)
XPD_SDIO_REG If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset = 0 R/W (0x0)
XPD_SDIO_TIEH If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V = 0 R/W (0x0)
CLK8M_FREQ 8MHz clock freq override = 49 R/W (0x31)
SPI_PAD_CONFIG_CLK Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0x0)
SPI_PAD_CONFIG_Q Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0x0)
SPI_PAD_CONFIG_D Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0x0)
SPI_PAD_CONFIG_HD Override SD_DATA_2 pad (GPIO9/SPIHD) = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0 Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0x0)
DISABLE_SDIO_HOST Disable SDIO host = 0 R/W (0x0)

Identity fuses:
MAC Factory MAC Address
= 98:f4AB1a:9e:6c (CRC 0x6d OK) R/W
CHIP_VER_REV1 Silicon Revision 1 = 1 R/W (0x1)
CHIP_VER_REV2 Silicon Revision 2 = 0 R/W (0x0)
CHIP_VERSION Reserved for future chip versions = 2 R/W (0x2)
CHIP_PACKAGE Chip package identifier = 1 R/W (0x1)

Calibration fuses:
BLK3_PART_RESERVE BLOCK3 partially served for ADC calibration data = 0 R/W (0x0)
ADC_VREF Voltage reference calibration = 1128 R/W (0x4)

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V).

Other items if possible
Security features

CONFIG_SECURE_SIGNED_ON_BOOT=y
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_BOOT_ENABLED=y
CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH=
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="dhp_iot_secure_boot_signing_key.pem"
CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_256BIT=y
CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT=
CONFIG_SECURE_BOOT_INSECURE=
CONFIG_FLASH_ENCRYPTION_ENABLED=y
CONFIG_FLASH_ENCRYPTION_INSECURE=
CONFIG_FLASH_ENCRYPTION_DISABLE_PLAINTEXT=
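
A pre-flash check for the workflow described in the post above (keys pre-burned, bootloader expected to burn the remaining fuses on first boot), added here as an example; it is not part of the original post and is not espefuse or ESP-IDF code. It parses summary lines in the format shown above and decodes WR_DIS and RD_DIS; the bit assignments are assumptions based on the ESP32 `soc/efuse_reg.h` definitions and should be confirmed for your chip and IDF version.

```python
import re

# Constructed sample: five lines in the shape of the summary posted above.
SAMPLE = """\
FLASH_CRYPT_CNT Flash encryption mode counter = 0 R/W (0x0)
FLASH_CRYPT_CONFIG Flash encryption config (key tweak bits) = 0 R/W (0x0)
ABS_DONE_0 secure boot enabled for bootloader = 0 R/W (0x0)
WR_DIS Efuse write disable mask = 384 R/W (0x180)
RD_DIS Efuse read disablemask = 3 R/W (0x3)
"""

# Assumed ESP32 bit assignments (after soc/efuse_reg.h); confirm for your chip.
WR_DIS_BITS = {2: "FLASH_CRYPT_CNT", 7: "BLK1", 8: "BLK2", 9: "BLK3",
               10: "FLASH_CRYPT_CONFIG/CODING_SCHEME"}
RD_DIS_BITS = {0: "BLK1", 1: "BLK2", 2: "BLK3"}

# NAME description = value R/W (0xHEX); key blocks span two lines and are skipped.
FUSE_LINE = re.compile(r"^(\w+)\s.*=\s*\S+\s+[R-]/[W-]\s+\((0x[0-9a-fA-F]+)\)$")

def parse_summary(text):
    """Return {fuse_name: raw_value} for every single-line fuse entry."""
    fuses = {}
    for line in text.splitlines():
        m = FUSE_LINE.match(line.strip())
        if m:
            fuses[m.group(1)] = int(m.group(2), 16)
    return fuses

def decode(mask, bits):
    """Names of the fields whose protection bit is set in mask."""
    return sorted(name for bit, name in bits.items() if mask >> bit & 1)

def preflight(fuses):
    """Check a chip that should be pre-keyed but not yet first-booted."""
    wr = decode(fuses["WR_DIS"], WR_DIS_BITS)
    rd = decode(fuses["RD_DIS"], RD_DIS_BITS)
    findings = []
    for blk in ("BLK1", "BLK2"):
        if blk not in wr or blk not in rd:
            findings.append(f"{blk} key is not both read- and write-protected")
    if fuses["FLASH_CRYPT_CNT"] or fuses["ABS_DONE_0"]:
        findings.append("FLASH_CRYPT_CNT or ABS_DONE_0 already set: not a fresh chip")
    for name in ("FLASH_CRYPT_CNT", "FLASH_CRYPT_CONFIG/CODING_SCHEME"):
        if name in wr:
            findings.append(f"{name} is write-protected: bootloader cannot burn it")
    return wr, rd, findings
```

On the sample lines, `preflight(parse_summary(SAMPLE))` decodes 0x180 and 0x3 as BLK1 and BLK2 protected and returns no findings.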

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Testing secure boot and flash encryption, bootloader cannot set CRYPT_CONFIG efuse

Postby ESP_Angus » Tue Jun 23, 2020 8:43 am

Hi iot_hw,

I've replied to the issue on GitHub: https://github.com/espressif/esp-idf/issues/5456

Will lock this thread to avoid discussion diverging into two directions.
