secure boot and flash encryption on esp32 using esp-idf
Asked 2 years, 5 months ago Modified 2 years, 5 months ago Viewed 2k times
I am implementing secure boot and flash encryption on ESP32.
So far:
1. I successfully implemented secure boot with a reflashable bootloader
a-> idf.py menuconfig
b-> set secure boot with reflashable bootloader
c-> generated secure_boot_key using espsecure.py and gave this name to the secure boot key in menuconfig
d-> bootloader config -> bootloader log verbosity (error)
e-> idf.py build
f-> Burn secure boot key to efuse using: D:\esp\tools.espressif\python_env\idf4.1_py3.9_env\Scripts\python.exe D:/esp/esp-idf/components/esptool_py/esptool/espefuse.py burn_key secure_boot D:/ESP32_Projects/blink/build/bootloader/secure-bootloader-key-256.bin
g-> Burn efuse of secure boot: espefuse -p COM4 burn_efuse ABS_DONE_0
h-> First time flash command is: D:\esp\tools.espressif\python_env\idf4.1_py3.9_env\Scripts\python.exe D:/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB -u 0x1000 D:/ESP32_Projects/blink/build/bootloader/bootloader.bin
i-> To reflash the bootloader after the initial flash: D:\esp\tools.espressif\python_env\idf4.1_py3.9_env\Scripts\python.exe D:/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB -u 0x0 D:/ESP32_Projects/blink/build/bootloader/bootloader-reflash-digest.bin
j-> idf.py flash monitor, and secure boot is enabled with the reflashable bootloader
2. Now for flash encryption -> went through the flash_encryption example in security in esp-idf and it worked.
3. Now for both secure boot with flash encryption, where I am facing a problem.
What I did:
-> Enabled flash encryption first
-> then enabled secure boot using the same method explained above (a-i)
-> idf.py encrypted-flash monitor
Output is given below, kindly have a look and tell me what I should do next. Thanks
D:\ESP32_Projects\flash_encryption>idf.py encrypted-flash monitor
Adding "encrypted-flash"'s dependency "all" to list of commands with default set of options.
Executing action: all (aliases: build)
Running ninja in directory d:\esp32_projects\flash_encryption\build
Executing "ninja all"...
[1/4] cmd.exe /C "cd /D D:\ESP32_Projects\flash_encryption\build\esp...*******************************************************************"
Partition table binary generated. Contents:
*******************************************************************************
# Espressif ESP32 Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0x9000,24K,
storage,data,255,0xf000,4K,encrypted
factory,app,factory,0x10000,1M,
*******************************************************************************
[2/4] Performing build step for 'bootloader'
ninja: no work to do.
Executing action: encrypted-flash
Choosing default port b'COM4' (use '-p PORT' option to set a specific serial port)
Running esptool.py in directory d:\esp32_projects\flash_encryption\build
Executing "D:\esp\tools\.espressif\python_env\idf4.1_py3.9_env\Scripts\python.exe D:\esp\esp-idf\components/esptool_py/esptool/esptool.py -p
COM4 -b 460800 --before default_reset --after no_reset --chip esp32 write_flash @flash_encrypted_project_args"...
esptool.py -p COM4 -b 460800 --before default_reset --after no_reset --chip esp32 write_flash --encrypt 0x8000 partition_table/partition-
table.bin 0x10000 flash_encryption.bin
esptool.py v2.9-dev
Serial port COM4
Serial port COM4
Connecting........__
Chip is ESP32D0WDQ6 (revision 1)
Features: WiFi, BT, Dual Core, 240MHz, VRef calibration in efuse, Coding Scheme None
Crystal is 40MHz
MAC: 30:ae:a4:fe:62:c8
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 460800
Changed.
Configuring flash size...
Auto-detected Flash size: 4MB
asked Jun 28, 2021 at 15:44 by Abdul Wasey
According to the ESP-IDF Flash Encryption documentation this error means the ROM bootloader cannot load the second stage bootloader, probably because the latter has not been encrypted. – Tarmo Jun 29, 2021 at 7:35
Yes, the problem is solved by adding --encrypt in the flash command for flashing the bootloader-reflash-digest.bin at 0x0, i.e. D:\esp\tools\.espressif\python_env\idf4.1_py3.9_env\Scripts\python.exe D:/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port (PORT) --baud (BAUD) --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 2MB --encrypt 0x0 D:/ESP32_Projects/flash_encryption/build/bootloader/bootloader-reflash-digest.bin – Abdul Wasey Jun 30, 2021 at 5:48
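The mistake in the question (writing the reflash digest at 0x0 without --encrypt once flash encryption is on) is easy to repeat by hand, so here is an added helper, not from the asker or from ESP-IDF, that derives the bootloader write_flash arguments from the project's sdkconfig. The sdkconfig option names and the sample file contents are assumptions for ESP-IDF v4.x; the flash parameters and offsets are the ones used in the question.

```python
import re

# Constructed sdkconfig excerpt (assumption: these are the v4.x option names;
# check the real file in your project directory).
SAMPLE_SDKCONFIG = """\
CONFIG_SECURE_BOOT_ENABLED=y
CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_PARTITION_TABLE_OFFSET=0x8000
"""

def parse_sdkconfig(text):
    """Return {option: value} for the set lines of an sdkconfig file."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^(CONFIG_[A-Z0-9_]+)=(.*)$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
    return cfg

def bootloader_flash_args(cfg, build_dir, reflash):
    """esptool write_flash arguments for the bootloader image.

    First flash of a reflashable secure-boot bootloader goes to 0x1000; later
    reflashes write bootloader-reflash-digest.bin at 0x0. Once flash encryption
    is enabled, every image the ROM loader reads must be written with --encrypt,
    the digest included; a plaintext digest leaves the ROM unable to load the
    second-stage bootloader (the failure seen in the question).
    """
    secure_boot = cfg.get("CONFIG_SECURE_BOOT_ENABLED") == "y"
    reflashable = cfg.get("CONFIG_SECURE_BOOTLOADER_REFLASHABLE") == "y"
    flash_enc = cfg.get("CONFIG_SECURE_FLASH_ENC_ENABLED") == "y"
    if reflash and not (secure_boot and reflashable):
        raise ValueError("a reflash digest only exists for reflashable secure boot")
    args = ["write_flash", "--flash_mode", "dio", "--flash_freq", "40m",
            "--flash_size", "2MB"]
    if flash_enc:
        args.append("--encrypt")  # the flag that was missing in the question
    if reflash:
        args += ["0x0", f"{build_dir}/bootloader/bootloader-reflash-digest.bin"]
    else:
        args += ["0x1000", f"{build_dir}/bootloader/bootloader.bin"]
    return args

if __name__ == "__main__":
    cfg = parse_sdkconfig(SAMPLE_SDKCONFIG)
    print("esptool.py --chip esp32 --port PORT " +
          " ".join(bootloader_flash_args(cfg, "build", reflash=True)))
```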