USB DFU and secure boot

marclee
Posts: 51
Joined: Fri Apr 09, 2021 1:09 pm

USB DFU and secure boot

Postby marclee » Fri Aug 19, 2022 9:09 pm

Equipment: ESP32-S2-WROVER with SDK esp-idf.v5.0-dev-4770-gd622bcfd46

https://docs.espressif.com/projects/esp ... s/dfu.html
"USB DFU" worked fine until "secure boot" got enabled.

With "secure boot" enabled, ESP32-S2 can't be recognized as DFU device any more. I couldn't read anything about this behaviour in any documentation. Is there a way to get "USB DFU" work together with "secure boot"?

ESP_Sprite
Posts: 8921
Joined: Thu Nov 26, 2015 4:08 am

Re: USB DFU and secure boot

Postby ESP_Sprite » Sat Aug 20, 2022 2:27 am

No, and this is deliberate. Secure boot is a feature that (together with flash encryption) is used to stop people from reading out the unencrypted flash. DFU can generally be used to read the flash, and if not, the stack is so large that we cannot guarantee there isn't a security exploit hidden in there somewhere. Additionally, it's in ROM, so if there was, we would have no way to fix this. As such, we disable DFU (and other USB) update methods when secureboot is enabled.

You are right, however, in that this behaviour is not easy to find in the docs. I'll create a ticket to make this clearer.

marclee
Posts: 51
Joined: Fri Apr 09, 2021 1:09 pm

Re: USB DFU and secure boot

Postby marclee » Tue Aug 23, 2022 6:14 pm

Thank you for clarifying.

Who is online

Users browsing this forum: No registered users and 126 guests