Which version of SecureBoot should I use for ESP32-WROVER-E

RuslanPopov
Posts: 21
Joined: Mon Nov 21, 2022 3:47 pm

Re: Which version of SecureBoot should I use for ESP32-WROVER-E

Postby RuslanPopov » Thu Nov 24, 2022 10:36 am

I have tested on QEMU before using the real hardware, thank you.

If I understand you right, I should drop this device and take another one.

But can you confirm that my last reply describes the right way to use it?

RuslanPopov
Posts: 21
Joined: Mon Nov 21, 2022 3:47 pm

Re: Which version of SecureBoot should I use for ESP32-WROVER-E

Postby RuslanPopov » Sat Nov 26, 2022 10:49 am

I have read the SecureBoot v2 part of the documentation many times. I see that it never uses the block 0x0000-0x0FFF for the digest as it was with V1. Now the digest of the signing key is stored in BLOCK2 and the block 0x0000-0x0FFF is not used anyway. Right?

RuslanPopov
Posts: 21
Joined: Mon Nov 21, 2022 3:47 pm

Re: Which version of SecureBoot should I use for ESP32-WROVER-E

Postby RuslanPopov » Sun Nov 27, 2022 8:29 pm

SecureBoot works fine:

Code:

rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0038,len:13836
ho 0 tail 12 room 4
load:0x40078000,len:23580
load:0x40080400,len:3584
entry 0x40080660
I (56) boot: ESP-IDF v4.4-386-g9b75e5664e 2nd stage bootloader
I (56) boot: compile time 20:08:58
I (56) boot: chip revision: 3
I (61) boot.esp32: SPI Speed      : 40MHz
I (66) boot.esp32: SPI Mode       : DIO
I (70) boot.esp32: SPI Flash Size : 4MB
I (75) boot: Enabling RNG early entropy source...
I (80) boot: Partition Table:
I (84) boot: ## Label            Usage          Type ST Offset   Length
I (91) boot:  0 phy_init         RF data          01 01 0000d000 00001000
I (99) boot:  1 otadata          OTA data         01 00 0000e000 00002000
I (106) boot:  2 ota_0            OTA app          00 10 00010000 00180000
I (114) boot:  3 ota_1            OTA app          00 11 00190000 00180000
I (121) boot:  4 nvs              WiFi data        01 02 00379000 00004000
I (129) boot:  5 nvs_key          NVS keys         01 04 0037d000 00001000
I (136) boot:  6 phones           WiFi data        01 02 0037f000 00080000
I (144) boot:  7 phones_key       NVS keys         01 04 003ff000 00001000
I (151) boot: End of partition table
I (156) esp_image: segment 0: paddr=00010020 vaddr=3f400020 size=22384h (140164) map
I (215) esp_image: segment 1: paddr=000323ac vaddr=3ffbdb60 size=02dd0h ( 11728) load
I (220) esp_image: segment 2: paddr=00035184 vaddr=40080000 size=0ae94h ( 44692) load
I (239) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=77f40h (491328) map
I (417) esp_image: segment 4: paddr=000b7f68 vaddr=4008ae94 size=04804h ( 18436) load
I (425) esp_image: segment 5: paddr=000bc774 vaddr=50000000 size=00010h (    16) load
I (425) esp_image: segment 6: paddr=000bc78c vaddr=00000000 size=03844h ( 14404)
I (436) esp_image: Verifying image signature...
I (437) secure_boot_v2: Verifying with RSA-PSS...
I (446) secure_boot_v2: Signature verified successfully!
I (455) boot: Loaded app from partition at offset 0x10000
I (455) secure_boot_v2: enabling secure boot v2...
I (459) efuse: Batch mode of writing fields is enabled
I (465) esp_image: segment 0: paddr=00001020 vaddr=3fff0038 size=0360ch ( 13836)
I (478) esp_image: segment 1: paddr=00004634 vaddr=40078000 size=05c1ch ( 23580)
I (490) esp_image: segment 2: paddr=0000a258 vaddr=40080400 size=00e00h (  3584)
I (492) esp_image: Verifying image signature...
I (496) secure_boot_v2: Verifying with RSA-PSS...
No signature block magic byte found at signature sector (found 0xaa not 0xe7). Image not V2 signed?
E (509) secure_boot_v2: Secure Boot V2 verification failed.
E (515) esp_image: Secure boot signature verification failed
I (521) esp_image: Calculating simple hash to check for corruption...
W (540) esp_image: image valid, signature bad
E (540) secure_boot_v2: bootloader image appears invalid! error 8194
I (543) efuse: Batch mode of writing fields is cancelled
E (549) boot: Secure Boot v2 failed (8194)
E (554) boot: OTA app partition slot 0 is not bootable
E (559) esp_image: image at 0x190000 has invalid magic byte (nothing flashed here?)
E (568) boot: OTA app partition slot 1 is not bootable
E (574) boot: No bootable app partitions in the partition table
ets Jul 29 2019 12:21:46

But there is a signature for V2:

Code:

espsecure.py verify_signature --version 2 --keyfile keys/6a74a53c-18ff-4b5a-8be4-aa661a0123c9/signing_key_v2.pem app.clear.bin
espsecure.py v4.1
Signature block 0 is valid (RSA).
Signature block 0 verification successful with keys/6a74a53c-18ff-4b5a-8be4-aa661a0123c9/signing_key_v2.pem (RSA).
Signature block 1 invalid. Skipping.
Signature block 2 invalid. Skipping.

Is it possible that the source of this error is the difference in espsecure versions?

Build machine:

Code:

espsecure.py v3.3-dev
1 signing key(s) found.
Signed 720896 bytes of data from app-unsigned.bin. Signature sector now has 1 signature blocks.
Generated signed binary image app.bin from app-unsigned.bin

Burn machine:

Code:

espsecure.py v4.1
...

Please help ;)
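Added example (not code from this thread or from Espressif): a small structural check of the Secure Boot V2 signature sector appended to an ESP32 image, useful for confirming that the bootloader.bin you are about to flash at 0x1000 actually carries a signature block (magic byte 0xe7) before the device's first boot reports "found 0xaa not 0xe7". The block layout is taken from the ESP-IDF Secure Boot V2 documentation; `build_test_block` fills the RSA fields with dummy values so the check can be exercised offline, and the RSA-PSS signature itself is not verified here.

```python
import hashlib
import struct
import sys
import zlib

SECTOR_SIZE = 4096          # signature sector is the last 4 KB of a signed image
SIG_BLOCK_SIZE = 1216       # up to 3 blocks fit in one sector, rest is 0xff
SIG_BLOCK_MAGIC = 0xE7
SIG_BLOCK_VERSION = 0x02
# magic, version, pad, sha256 of image, RSA modulus, exponent, R, M', RSA-PSS sig, crc32, pad
SIG_BLOCK_FMT = "<BBxx32s384sI384sI384sI16x"
CRC_COVERED = 1196          # CRC32 covers everything before the CRC field


def check_signature_sector(image: bytes) -> list:
    """Return one status string per signature-block slot in the last sector."""
    if len(image) < 2 * SECTOR_SIZE or len(image) % SECTOR_SIZE:
        raise ValueError("image must be a multiple of 4096 bytes and carry a signature sector")
    digest = hashlib.sha256(image[:-SECTOR_SIZE]).digest()   # hash of image content only
    sector = image[-SECTOR_SIZE:]
    results = []
    for i in range(SECTOR_SIZE // SIG_BLOCK_SIZE):
        blk = sector[i * SIG_BLOCK_SIZE:(i + 1) * SIG_BLOCK_SIZE]
        if blk[0] != SIG_BLOCK_MAGIC:
            results.append(f"block {i}: no magic byte (found 0x{blk[0]:02x} not 0xe7)")
            continue
        _, version, img_digest, _n, _e, _r, _m, _sig, crc = struct.unpack(SIG_BLOCK_FMT, blk)
        if version != SIG_BLOCK_VERSION:
            results.append(f"block {i}: unsupported version {version}")
        elif crc != zlib.crc32(blk[:CRC_COVERED]):
            results.append(f"block {i}: CRC32 mismatch")
        elif img_digest != digest:
            results.append(f"block {i}: digest does not match image content")
        else:
            results.append(f"block {i}: well-formed, digest matches (RSA-PSS not checked)")
    return results


def build_test_block(image_content: bytes) -> bytes:
    """Constructed block with correct layout, digest and CRC but dummy RSA fields."""
    body = struct.pack("<BBxx32s384sI384sI384s", SIG_BLOCK_MAGIC, SIG_BLOCK_VERSION,
                       hashlib.sha256(image_content).digest(),
                       b"\x01" * 384, 65537, b"\x02" * 384, 0, b"\x03" * 384)
    return body + struct.pack("<I", zlib.crc32(body)) + b"\x00" * 16


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:   # e.g. bootloader.bin or app.bin
        print("\n".join(check_signature_sector(f.read())))
```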
