HW: Two ESP32-WROVER-E
So I decided to try out the security features, but I didn't want to turn on both Secure Boot V2 and flash encryption at the same time, in case I messed something up. So first I took the first board, where I enabled encryption.
My steps:
1.1) idf.py menuconfig -> Component config -> ESP32-specific -> Minimum supported ESP32 revision -> Rev 3
1.2) idf.py menuconfig -> Secure features -> Enable flash encryption on Boot. Enable Usage mode -> Development. UART ROM download mode -> Enabled.
1.3) Custom partition table
Code:
# Name,    Type, SubType,  Offset, Size,     Flags
nvs,       data, nvs,      0xd000, 0x6000,
app0,      app,  ota_0,    ,       0x160000,
app1,      app,  ota_1,    ,       0x160000,
otadata,   data, ota,      ,       0x2000,
storage,   data, fat,      ,       0x107000,
nvs_key,   data, nvs_keys, ,       0x1000,   encrypted,
Code:
#include "esp_partition.h"
#include "nvs_flash.h"

/* Locate the nvs_keys and nvs partitions from the custom partition table */
const esp_partition_t *user_keys_partition = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);
const esp_partition_t *user_nvs_partition = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL);
nvs_sec_cfg_t nvs_cfg;
/* Read the NVS encryption keys; on first boot (blank or corrupt key partition) generate and store them */
esp_err_t err = nvs_flash_read_security_cfg(user_keys_partition, &nvs_cfg);
if (err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED || err == ESP_ERR_NVS_CORRUPT_KEY_PART)
{
    err = nvs_flash_generate_keys(user_keys_partition, &nvs_cfg);
}
Code:
/* Initialise the default NVS partition */
nvs_flash_init();
1.6) idf.py flash monitor
1.7) The bootloader loads and encrypts the partitions on the fly. Everything works. I can modify the code and do
Code:
idf.py build
Code:
idf.py encrypted-flash monitor
1.8)
Code:
rm build/ -Rf
1.10) espsecure.py generate_signing_key secure_boot_signing_key.pem (same as in menuconfig)
1.11) idf.py build
1.12)
Code:
esptool.py --chip esp32 --port=/dev/ttyUSB0 --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /home/test1/build/bootloader/bootloader.bin
Code:
idf.py monitor
Code:
rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
invalid header: 0x93b8a46f
invalid header: 0x93b8a46f
invalid header: 0x93b8a46f
invalid header: 0x93b8a46f
invalid header: 0x93b8a46f
invalid header: 0x93b8a46f
invalid header: 0x93b8a46f
ets Jul 29 2019 12:21:46
Code:
esptool.py --chip esp32 --port=/dev/ttyUSB0 --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB --encrypt 0x1000 /home/test1/build/bootloader/bootloader.bin
Code:
idf.py monitor
Code:
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0030,len:12704
load:0x40078000,len:21236
ho 0 tail 12 room 4
load:0x40080400,len:3688
0x40080400: _init at ??:?
entry 0x40080678
I (32) boot: ESP-IDF v4.3 2nd stage bootloader
I (32) boot: compile time 06:34:46
I (32) boot: chip revision: 3
I (34) boot.esp32: SPI Speed : 40MHz
I (39) boot.esp32: SPI Mode : DIO
I (43) boot.esp32: SPI Flash Size : 4MB
I (48) boot: Enabling RNG early entropy source...
E (53) flash_parts: partition 0 invalid magic number 0x2e7
E (60) boot: Failed to verify partition table
E (65) boot: load partition table error!
ets Jul 29 2019 12:21:46
rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
...
1.13)
Code:
idf.py encrypted-flash monitor
Code:
rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0030,len:12704
load:0x40078000,len:21236
ho 0 tail 12 room 4
load:0x40080400,len:3688
0x40080400: _init at ??:?
entry 0x40080678
I (32) boot: ESP-IDF v4.3 2nd stage bootloader
I (32) boot: compile time 06:34:46
I (32) boot: chip revision: 3
I (34) boot.esp32: SPI Speed : 40MHz
I (39) boot.esp32: SPI Mode : DIO
I (43) boot.esp32: SPI Flash Size : 4MB
I (48) boot: Enabling RNG early entropy source...
I (54) boot: Partition Table:
I (57) boot: ## Label Usage Type ST Offset Length
I (64) boot: 0 nvs WiFi data 01 02 0000d000 00006000
I (72) boot: 1 app0 OTA app 00 10 00020000 00160000
I (79) boot: 2 app1 OTA app 00 11 00180000 00160000
I (87) boot: 3 otadata OTA data 01 00 002e0000 00002000
I (94) boot: 4 storage Unknown data 01 81 002e2000 00107000
I (102) boot: 5 nvs_key NVS keys 01 04 003e9000 00001000
I (109) boot: End of partition table
I (114) esp_image: segment 0: paddr=00020020 vaddr=3f400020 size=29684h (169604) map
I (185) esp_image: segment 1: paddr=000496ac vaddr=3ffbdb60 size=04efch ( 20220) load
I (194) esp_image: segment 2: paddr=0004e5b0 vaddr=40080000 size=01a68h ( 6760) load
I (197) esp_image: segment 3: paddr=00050020 vaddr=400d0020 size=dba28h (899624) map
I (536) esp_image: segment 4: paddr=0012ba50 vaddr=40081a68 size=18474h ( 99444) load
I (578) esp_image: segment 5: paddr=00143ecc vaddr=50000000 size=00010h ( 16) load
I (578) esp_image: segment 6: paddr=00143ee4 vaddr=00000000 size=0c0ech ( 49388)
I (602) esp_image: Verifying image signature...
I (602) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (606) secure_boot_v2: Verifying with RSA-PSS...
I (615) secure_boot_v2: Signature verified successfully!
I (631) boot: Loaded app from partition at offset 0x20000
I (631) secure_boot_v2: enabling secure boot v2...
I (631) efuse: Batch mode of writing fields is enabled
I (637) esp_image: segment 0: paddr=00001020 vaddr=3fff0030 size=031a0h ( 12704)
I (650) esp_image: segment 1: paddr=000041c8 vaddr=40078000 size=052f4h ( 21236)
I (661) esp_image: segment 2: paddr=000094c4 vaddr=40080400 size=00e68h ( 3688)
I (663) esp_image: Verifying image signature...
I (668) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (675) secure_boot_v2: Verifying with RSA-PSS...
No signature block magic byte found at signature sector (found 0xaa not 0xe7). Image not V2 signed?
E (690) secure_boot_v2: Secure Boot V2 verification failed.
E (696) esp_image: Secure boot signature verification failed
I (702) esp_image: Calculating simple hash to check for corruption...
W (720) esp_image: image valid, signature bad
E (720) secure_boot_v2: bootloader image appears invalid! error 8194
E (721) boot: Secure Boot v2 failed (8194)
E (726) boot: OTA app partition slot 0 is not bootable
E (732) esp_image: image at 0x180000 has invalid magic byte
W (738) esp_image: image at 0x180000 has invalid SPI mode 88
W (745) esp_image: image at 0x180000 has invalid SPI size 8
E (751) boot: OTA app partition slot 1 is not bootable
E (757) boot: No bootable app partitions in the partition table
ets Jul 29 2019 12:21:46
Code:
espefuse.py summary
Code:
BLOCK1 (BLOCK1): Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2): Secure boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
OK, let's try another way: a fresh board, and enable Secure Boot V2 first. This time I want to pre-generate the encryption key on the host.
2.1) idf.py menuconfig -> Secure features -> Disable flash encryption on Boot. Leave secure boot v2 on.
2.2)
Code:
rm build/ -Rf
2.4)
Code:
idf.py build
Code:
esptool.py --chip esp32 --port=/dev/ttyUSB0 --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /home/test1/build/bootloader/bootloader.bin   # 0x1000 is CONFIG_BOOTLOADER_OFFSET_IN_FLASH on ESP32
Code:
idf.py flash monitor
2.7) Pre-generate the key.
Code:
espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
Code:
espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption my_flash_encryption_key.bin
2.10) Modify the code as in (1.4).
2.11)
Code:
rm build/ -Rf
Code:
idf.py build
Code:
esptool.py --chip esp32 --port=/dev/ttyUSB0 --baud=115200 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x1000 /home/test1/build/bootloader/bootloader.bin
Code:
entry 0x40080678
I (73) boot: ESP-IDF v4.3 2nd stage bootloader
I (73) boot: compile time 07:15:04
I (73) boot: chip revision: 3
I (76) boot.esp32: SPI Speed : 40MHz
I (81) boot.esp32: SPI Mode : DIO
I (85) boot.esp32: SPI Flash Size : 4MB
I (90) boot: Enabling RNG early entropy source...
E (95) flash_parts: partition 0 invalid magic number 0x2e7
E (101) boot: Failed to verify partition table
E (106) boot: load partition table error!
ets Jul 29 2019 12:21:46
Code:
idf.py flash monitor
Code:
rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:2, clock div:2
secure boot v2 enabled
No signature block magic byte found at signature sector (found 0xaa not 0xe7). Image not V2 signed?
secure boot verification failed
ets Jul 29 2019 12:21:46
Which one can I still make work with both security features?
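Both failure modes in the post (a plaintext image written to a chip whose flash encryption is already on, and an image without a Secure Boot V2 signature block on a chip that now requires one) can be checked on the host before anything is flashed. The script below is an added example written for this page, not code from the post or from ESP-IDF. It assumes the ESP32 image layout (0xE9 magic, a 24-byte header whose last byte flags an appended SHA-256, 8-byte segment headers, a padded one-byte XOR checksum), the 32-byte partition entry with magic 0x50AA, and a Secure Boot V2 signature block (magic 0xE7, version 2) at the first 4 KiB boundary after the image. The fixtures at the bottom are constructed toy images; the "signature sector" they append carries only the magic and version bytes, not a real RSA-PSS signature, so it exercises the presence check only. One arithmetic detail the test makes explicit: the header bytes e7 02 of a plaintext signature block read as a little-endian entry magic of 0x02e7, the value in the post's "invalid magic number" line.

```python
import hashlib
import struct

# Layout constants (assumed from the ESP32 image / partition-table / Secure Boot V2 formats)
IMAGE_MAGIC = 0xE9         # first byte of an ESP image (bootloader or app)
IMAGE_HEADER_LEN = 24      # esp_image_header_t; its last byte is the hash_appended flag
SEGMENT_HEADER_LEN = 8     # load address + data length
SIG_BLOCK_MAGIC = 0xE7     # Secure Boot V2 signature block magic ("found 0xaa not 0xe7" in the log)
SIG_BLOCK_VERSION = 0x02   # ESP32 Secure Boot V2 (RSA-PSS) block version
PART_ENTRY_MAGIC = 0x50AA  # little-endian magic of a plaintext partition-table entry
PART_ENTRY_LEN = 32
SECTOR = 0x1000            # signature block sits at the next 4 KiB boundary after the image


def image_end(image: bytes) -> int:
    """Offset just past the image proper: header, segments, padding + checksum, optional SHA-256."""
    if len(image) < IMAGE_HEADER_LEN or image[0] != IMAGE_MAGIC:
        raise ValueError("not an ESP image: bad magic byte")
    seg_count, hash_appended = image[1], image[IMAGE_HEADER_LEN - 1]
    off = IMAGE_HEADER_LEN
    for _ in range(seg_count):
        _load_addr, data_len = struct.unpack_from("<II", image, off)
        off += SEGMENT_HEADER_LEN + data_len
    off = (off // 16 + 1) * 16   # zero padding so the 1-byte XOR checksum ends on a 16-byte boundary
    return off + 32 if hash_appended else off


def signature_block(image: bytes):
    """(offset, version) of the Secure Boot V2 signature block, or None if the image is unsigned."""
    sig_off = -(-image_end(image) // SECTOR) * SECTOR
    if len(image) < sig_off + 2 or image[sig_off] != SIG_BLOCK_MAGIC:
        return None
    return sig_off, image[sig_off + 1]


def first_entry_magic(table: bytes) -> int:
    """The 16-bit value the bootloader compares against 0x50AA (what it prints on failure)."""
    return struct.unpack_from("<H", table, 0)[0]


def parse_partition_table(table: bytes) -> list:
    """Decode plaintext entries; ciphertext or any other garbage yields an empty list."""
    entries = []
    for off in range(0, len(table) - PART_ENTRY_LEN + 1, PART_ENTRY_LEN):
        magic, ptype, subtype, p_off, size = struct.unpack_from("<HBBII", table, off)
        if magic != PART_ENTRY_MAGIC:
            break
        label = table[off + 12:off + 28].split(b"\0", 1)[0].decode("ascii", "replace")
        flags = struct.unpack_from("<I", table, off + 28)[0]
        entries.append({"label": label, "type": ptype, "subtype": subtype,
                        "offset": p_off, "size": size, "encrypted": bool(flags & 1)})
    return entries


def flash_plan(image: bytes, flash_encryption_on: bool, secure_boot_on: bool):
    """esptool flags the device state requires, plus any mismatch that would stop the boot."""
    problems = []
    if secure_boot_on and signature_block(image) is None:
        problems.append("image carries no Secure Boot V2 signature block; the bootloader will reject it")
    flags = ["--encrypt"] if flash_encryption_on else []
    return flags, problems


# ---- constructed fixtures (toy images, not real firmware) ----
def build_image(segments, hash_appended=False) -> bytes:
    """Minimal ESP image: 24-byte header, segments, padding, XOR checksum, optional SHA-256."""
    hdr = struct.pack("<BBBBI", IMAGE_MAGIC, len(segments), 0, 0x20, 0x40080678) + bytes(16)
    if hash_appended:
        hdr = hdr[:-1] + b"\x01"
    body = b"".join(struct.pack("<II", addr, len(data)) + data for addr, data in segments)
    raw = hdr + body
    checksum = 0xEF                      # ESP checksum seed, XOR over all segment bytes
    for _, data in segments:
        for b in data:
            checksum ^= b
    raw += bytes((16 - (len(raw) + 1) % 16) % 16) + bytes([checksum])
    return raw + hashlib.sha256(raw).digest() if hash_appended else raw


def add_stub_signature_sector(image: bytes) -> bytes:
    """Append a placeholder signature sector (magic + version only, NOT a real RSA-PSS signature)."""
    padded = image + bytes(-len(image) % SECTOR)
    return padded + bytes([SIG_BLOCK_MAGIC, SIG_BLOCK_VERSION]) + bytes(SECTOR - 2)


def build_partition_entry(label, ptype, subtype, offset, size, encrypted=False) -> bytes:
    """One 32-byte plaintext entry as the partition-table generator would emit it."""
    return (struct.pack("<HBBII", PART_ENTRY_MAGIC, ptype, subtype, offset, size)
            + label.encode().ljust(16, b"\0") + struct.pack("<I", 1 if encrypted else 0))
```

flash_plan cannot know the device state by itself; feed it what `espefuse.py summary` shows (BLOCK1 printed as `??` means a flash encryption key is burned and read-protected, BLOCK2 all zero and R/W means no secure boot digest yet, which is the state in the post's summary).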
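To put names on the messages quoted above, here is an added example (editor's code for this page, not the post's and not ESP-IDF's) that matches the literal ROM and second-stage bootloader lines from the post to the mismatch that produces each: a plaintext bootloader on encrypted flash, a plaintext partition table on encrypted flash, an image with no Secure Boot V2 signature block, and the ROM refusing an unsigned bootloader once the secure boot eFuse is burned. The regexes are the messages as printed in the post; the cause and remedy strings are the editor's reading of the ESP-IDF secure boot plus flash encryption flow, and the sample logs are assembled from the lines in the post.

```python
import re

# (key, regex matched against one stripped log line, cause, remedy)
RULES = [
    ("bootloader_unreadable", r"invalid header: 0x[0-9a-f]{8}",
     "ROM cannot parse the bootloader at 0x1000; in the post this followed writing a plaintext "
     "bootloader to a chip whose flash encryption was already enabled",
     "write bootloader.bin with 'esptool.py write_flash --encrypt ...'"),
    ("ptable_unreadable", r"flash_parts: partition \d+ invalid magic number 0x[0-9a-f]+",
     "second-stage bootloader read garbage at the partition-table offset: a plaintext table on "
     "encrypted flash, or something other than the table sitting at that offset",
     "re-flash the partition table with --encrypt (idf.py encrypted-flash) and check the bytes at the table offset"),
    ("image_unsigned", r"No signature block magic byte found at signature sector",
     "the image being verified has no Secure Boot V2 signature block",
     "rebuild with Secure Boot V2 and the signing key enabled, then flash the signed .bin"),
    ("rom_secure_boot_reject", r"^secure boot verification failed$",
     "ROM (secure boot digest already burned into eFuse) rejected the bootloader itself",
     "flash the signed bootloader from a secure-boot build with esptool write_flash, "
     "as the post does separately from idf.py flash"),
]


def triage(log: str) -> list:
    """One finding per distinct failure signature, in order of first appearance."""
    findings, seen = [], set()
    for lineno, line in enumerate(log.splitlines(), 1):
        line = line.strip()
        for key, pattern, cause, remedy in RULES:
            if key not in seen and re.search(pattern, line):
                seen.add(key)
                findings.append({"key": key, "line": lineno, "evidence": line,
                                 "cause": cause, "remedy": remedy})
    return findings


def secure_boot_state(log: str) -> str:
    """What the log says about the secure boot eFuse: 'enabled', 'not_yet' or 'unknown'."""
    if re.search(r"^secure boot v2 enabled$", log, re.M):      # ROM line: digest already burned
        return "enabled"
    if "Secure boot V2 is not enabled yet" in log:             # bootloader, before burning
        return "not_yet"
    return "unknown"


# Sample logs assembled from the lines quoted in the post (constructed excerpts, not full captures)
LOG_PLAINTEXT_BOOTLOADER = "\n".join([
    "rst:0x1 (POWERON_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)",
    "invalid header: 0x93b8a46f",
    "invalid header: 0x93b8a46f",
])
LOG_PLAINTEXT_TABLE = "\n".join([
    "I (48) boot: Enabling RNG early entropy source...",
    "E (53) flash_parts: partition 0 invalid magic number 0x2e7",
    "E (60) boot: Failed to verify partition table",
])
LOG_UNSIGNED_BOOTLOADER = "\n".join([
    "I (668) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set",
    "I (675) secure_boot_v2: Verifying with RSA-PSS...",
    "No signature block magic byte found at signature sector (found 0xaa not 0xe7). Image not V2 signed?",
    "E (690) secure_boot_v2: Secure Boot V2 verification failed.",
])
LOG_ROM_REJECT = "\n".join([
    "secure boot v2 enabled",
    "No signature block magic byte found at signature sector (found 0xaa not 0xe7). Image not V2 signed?",
    "secure boot verification failed",
])

if __name__ == "__main__":
    for name, log in [("1.12 plaintext bootloader", LOG_PLAINTEXT_BOOTLOADER),
                      ("1.12 plaintext table", LOG_PLAINTEXT_TABLE),
                      ("1.13 unsigned bootloader", LOG_UNSIGNED_BOOTLOADER),
                      ("2.x ROM reject", LOG_ROM_REJECT)]:
        print(name, "| secure boot:", secure_boot_state(log))
        for f in triage(log):
            print("  line %d [%s]: %s\n    -> %s" % (f["line"], f["key"], f["cause"], f["remedy"]))
```

Run it against a captured `idf.py monitor` session with `triage(open("monitor.log").read())`; the `line` field points back at the first line that matched so the evidence can be checked by eye.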