Secure boot check fails after reflashing bootloader (IDFGH-13425) #14331
Comments
I forgot to mention: when I flashed the bootloader at 0x1000 the first time, everything worked fine.
@sachin0x18 Can you help me please? I saw that you answered a similar question.
Yes, at first boot the bootloader burns the key into BLOCK2.
Try to write the
Follow the instructions in the docs to get a Reflashable Software Bootloader: https://docs.espressif.com/projects/esp-idf/en/stable/esp32/security/secure-boot-v1.html#reflashable-software-bootloader
@KonstantinKondrashov Could changing the partition table also have an impact on that?
Side note: if you are using an ESP32 with rev >= 3.0, it is highly recommended to use the secure boot v2 scheme.
@mahavirj Thanks for your response.
=== Run "summary" command ===
The step to burn the secure boot v1 specific key is highlighted in the documentation section here (step 4): https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v1.html#reflashable-software-bootloader. If you have missed that step, it is not possible to update the bootloader on this device. FWIW, we are trying to integrate the different security workflows through the QEMU (emulator) port for different targets. This will allow the workflow to be established under an emulator setup before moving it to real hardware. Please keep an eye on the documentation guide here: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/tools/qemu.html. Closing the issue; please feel free to re-open if you have more questions.
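A host-side pre-check in the spirit of the explanation above, added here as an example and not code from the issue or from ESP-IDF: it parses espefuse.py summary rows and reports whether the bootloader could still be rebuilt after the flash is erased. The summary rows are constructed samples (the ABS_DONE_0 row mirrors the one quoted in the issue; the BLOCK2 row layout and the "??"/"-/-" rendering of a read-protected block are assumptions), and the verdict names are my own.

```python
import re

# Constructed espefuse.py "summary" excerpts (sample data, not from the issue), cut to the
# two rows the check needs: the ABS_DONE_0 flag (same layout as the line quoted in the
# issue) and the BLOCK2 key row. Read-protected key blocks are assumed to print as "??".
SUMMARY_KEY_READABLE = """\
ABS_DONE_0 (BLOCK0)  Secure boot V1 is enabled for bootloader image  = True R/W (0b1)
BLOCK2 (BLOCK2):     Secure boot key
   = 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 R/W
"""
SUMMARY_KEY_PROTECTED = SUMMARY_KEY_READABLE.replace(
    "11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 " * 2 + "R/W", "?? " * 32 + "-/-")
SUMMARY_NO_SECURE_BOOT = SUMMARY_KEY_READABLE.replace("= True R/W (0b1)", "= False R/W (0b0)")

ABS_DONE_RE = re.compile(r"^ABS_DONE_0\b.*?=\s*(True|False)", re.M)
BLOCK2_RE = re.compile(r"^BLOCK2\b[^\n]*\n\s*=\s*((?:(?:[0-9a-fA-F]{2}|\?\?)\s+){32})(\S+)", re.M)

def parse_summary(summary):
    """Return (abs_done_0, block2_key_hex_or_None, block2_perms); None key = read-protected."""
    abs_m = ABS_DONE_RE.search(summary)
    blk_m = BLOCK2_RE.search(summary)
    if not abs_m or not blk_m:
        raise ValueError("summary lacks ABS_DONE_0 or BLOCK2 rows")
    raw = blk_m.group(1).split()
    key = None if "??" in raw else "".join(raw).lower()
    return abs_m.group(1) == "True", key, blk_m.group(2)

def bootloader_reflash_verdict(summary, host_key_hex=None):
    """Can the bootloader at 0x0/0x1000 be rebuilt after the flash was erased?
    host_key_hex: hex of secure-boot-key.bin from the reflashable workflow, if you kept it."""
    enabled, dev_key, _perms = parse_summary(summary)
    if not enabled:
        return "open"             # ABS_DONE_0 clear: a plain bootloader.bin still boots
    if host_key_hex is not None:
        if dev_key is None:
            return "reflashable"  # key hidden on device, host copy regenerates the digest
        return "reflashable" if dev_key == host_key_hex.lower() else "key-mismatch"
    if dev_key is not None:
        return "key-readable"     # BLOCK2 not read-protected: recoverable, but also exposed
    return "locked"               # device-generated, read-protected key: bootloader irreplaceable

if __name__ == "__main__":
    for name in ("SUMMARY_NO_SECURE_BOOT", "SUMMARY_KEY_READABLE", "SUMMARY_KEY_PROTECTED"):
        print(name, "->", bootloader_reflash_verdict(globals()[name]))
```

Run it against the real `espefuse.py summary` output before erasing flash on a device with secure boot v1 enabled; a "locked" verdict is exactly the state that ends in the "secure boot check fail" reported in this issue.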
Answers checklist.
General issue report
I got a new device, enabled the secure boot option, selected Secure bootloader mode (Reflashable) and attached the Secure boot private signing key (secure_boot_signing_key.pem) in menuconfig. Then I uploaded my firmware and everything worked fine. My question: is the key automatically burned into the chip for secure boot?

ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = True R/W (0b1)

If yes, in which BLOCK? Because in the summary I don't see any BLOCK0.

However, I faced an issue and mistakenly erased all the flash from 0x00. According to the docs, it should be fine as we have set re-flashable in the config. After that I ran the following command:

esptool.py --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x0 build/bootloader/bootloader-reflash-digest.bin --force

and it works fine. Then:

esptool.py --before default_reset --after no_reset --chip esp32 write_flash --flash_mode dio --flash_size 4MB --flash_freq 40m 0x20000 build/partition_table/partition-table.bin 0x68000 build/ota_data_initial.bin 0x70000 build/iot_c.bin

After that I tried to run idf.py monitor but got the following error:

rst:0x10 (RTCWDT_RTC_RESET),boot:0x1b (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff00b8,len:2280
load:0x40078000,len:21916
ho 0 tail 12 room 4
load:0x40080400,len:4
load:0x40080404,len:2856
secure boot check fail
ets_main.c 371
ets Jun 8 2016 00:22:57