To enable Secure Boots and Flash Encryption using the ESP Flash download tool

已于 2023-08-15 15:19:38 修改
阅读量1.1k 收藏 1
点赞数
分类专栏: 英文指南 (English Guide) 芯片烧录 (Chip Programming) 芯片安全 (Chip Security) 文章标签: bash 开发语言
于 2022-09-01 19:45:28 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Marchtwentytwo/article/details/126650130
版权

To enable secure boot and Flash encryption using the v3.9.3 version of “Flash download tool” , perform the following steps:

1. Software Config

In the software “menuconfig" , disable any secure boot and Flash encryption configuration, directly compiled to generate plaintext firmware. Since Flash encryption will increases the size of the bootloader .bin firmware, the offset of the default partition table needs to be adjusted, which is 0x8000, can be adjusted to 0xa000. You can modify the settings for partition table in menuconfig. As follows:

在这里插入图片描述
请添加图片描述

Then compile the project and check the firmware download address corresponding to the compiled firmware. You can find that the download address of the hello-world.bin becomes 0x20000

Project build complete. To flash, run this command:
/home/caiguanhong/.espressif/python_env/idf4.4_py3.8_env/bin/python ../../../components/esptool_py/esptool/esptool.py -p (PORT) -b 460800 --before default_reset --after hard_reset --chip esp32  write_flash --flash_mode dio --flash_size detect --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0xa000 build/partition_table/partition-table.bin 0x20000 build/hello_world.bin

2. “Flash download tool” config

In the configuration file of the “Flash download tool” , enable the following configuration and save the file.

	[SECURE BOOT]
	secure_boot_en = True
	[FLASH ENCRYPTION]
	flash_encryption_en = True
	reserved_burn_times = 3
	[ENCRYPTION KEYS SAVE]
	keys_save_enable = True
	encrypt_keys_enable = False
	encrypt_keys_aeskey_path =
	[DISABLE FUNC]
	jtag_disable = False
	dl_encrypt_disable = False
	dl_decrypt_disable = False
	dl_cache_disable = False

3. Restart the “Flash download tool”

Restart the “Flash download tool” , and the following message is displayed:
在这里插入图片描述

4. Download the plaintext firmware by the “Flash download tool” directly

Then, add your plaintext firmware to the “Flash download tool” and set the corresponding offset address.

在这里插入图片描述

5. The plaintext firmware will be encrypted

Finally, your plaintext firmware will be encrypted directly into ciphertext firmware by using the “Flash download tool” .

test offset :  0 0x0
case ok
test offset :  0 0x0
case ok
..
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 921600
Changed.
FLASH_CRYPT_CNT 0
ABS_DONE_0 False
CODING_SCHEME 0
ECDSA NIST256p private key in PEM format written to ./secure\secure_boot_key_1.pem
CODING_SCHEME 0
ECDSA NIST256p private key in PEM format written to ./secure\flash_encrypt_key_1.pem
CODING_SCHEME 0
SHA-256 digest of private key ./secure\secure_boot_key_1.pem written to ./secure\secure_boot_key_1.bin
CODING_SCHEME 0
SHA-256 digest of private key ./secure\flash_encrypt_key_1.pem written to ./secure\flash_encrypt_key_1.bin
burn secure key ...
Burn keys to blocks:
 - BLOCK2 -> [4a 2a 7e e2 1b 08 27 70 a1 ee 57 cb 69 9a 7a bc 36 39 2b ed 2b a0 ab 3a e8 11 2e ec 48 c5 90 61]
        Reversing the byte order
        Disabling read to key block
        Disabling write to key block

 - BLOCK1 -> [d1 7f 51 78 e2 4b 50 5b d3 b2 b5 73 a3 c0 91 be c1 e0 b5 32 f6 84 d8 a6 f4 98 2a 86 ad fc d9 38]
        Reversing the byte order
        Disabling read to key block
        Disabling write to key block

Burn keys in efuse blocks.
The key block will be read and write protected (no further changes or readback)


Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is not empty
        (written ): 0x0000000400100000000018360000a200001394b555a584a800000000
        (to write): 0x00000000000000000000000000000000000000000000000000030180
        (coding scheme = NONE)
[01] BLOCK1               is empty, will burn the new value
[02] BLOCK2               is empty, will burn the new value
.
This is an irreversible operation!
BURN BLOCK2  - OK (write block == read block)
BURN BLOCK1  - OK (write block == read block)
BURN BLOCK0  - OK (all write block bits are set)
Reading updated efuses...
Successful
FLASH_CRYPT_CNT 0
FLASH_CRYPT_CONFIG 0
The efuses to burn:
  from BLOCK0
     - ABS_DONE_0
     - FLASH_CRYPT_CNT
     - FLASH_CRYPT_CONFIG

Burning efuses:

    - 'ABS_DONE_0' (Secure boot V1 is enabled for bootloader image) 0b0 -> 0b1

    - 'FLASH_CRYPT_CNT' (Flash encryption mode counter) 0b0000000 -> 0b0000001

    - 'FLASH_CRYPT_CONFIG' (Flash encryption config (key tweak bits)) 0x0 -> 0xf

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is not empty
        (written ): 0x0000000400100000000018360000a200001394b555a584a800030180
        (to write): 0x00000010f00000000000000000000000000000000000000000100000
        (coding scheme = NONE)
.
This is an irreversible operation!
BURN BLOCK0  - OK (all write block bits are set)
Reading updated efuses...
Checking efuses...
Successful

WARNING: - compress and encrypt options are mutually exclusive
Will flash uncompressed

 is stub and send flash finish
The efuses to burn:

Burning efuses:

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
Nothing to burn, see messages above.
Checking efuses...
Successful

6. The encryption key will saved in locally.

在这里插入图片描述

Note

  • After this operation, you can read the Flash firmware by using esptool, but read the firmware is ciphertext firmware and cannot be used properly.

  • After this operation, the module will not support re-download the firmware by the “Flash download tool”.

25March
关注
  • 0
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
ESP32 快速入门(十一):Secure Boot 与 Flash encryption 的介绍与实践
Zombie's blog
05-27 1779
此篇博客为 ESP32 Secure Boot 与 ESP32 Flash encryption 的介绍与实践。 1 ESP32 Secure Boot 1.1 ESP32 Secure Boot 功能概述 Secure Boot 的目的是保证芯片只运行用户指定的程序,芯片每次启动时都会验证从 flash 中加载的 partition table 和 app images 是否是用户指定的 Secure Boot 中采用 ECDSA 签名算法对 partition table 和 app images 进
ESP32 Secure boot 与 Flash encryption 过程前后部分问题整理
Zombie's blog
09-27 1097
此篇博客用来整理 ESP32 Secure boot 与 Flash encryption 过程前后部分问题的解决方法。 1. secure boot 后重新烧录程序发现无法正常进入 bootloader 对应 log 如下: csum err:0x9a!=0x5f ets_main.c 371 ets Jun 8 2016 00:22:57 rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT) configsip: 0, SPIWP:0x
ESP32 Secure Boot和Flash加密
一个人要像一支队伍
01-21 7352
ESP32的代码是存在外部Flash中,如果不加密,很容易被窃取代码。 ESP32的secure boot和flash加密是两个功能,但是要配合一起使用,其加密效果才好。 一、初次加密。 这里只写可重复烧写的加密方式,其加密步骤如下: 1、进入menuconfig配置secure boot和flash加密。 make menuconfig 这里Secure bootloader mode选择Reflashable。配置后要与下图完全一致。 2、生成私钥,即pem文件。 pyth.
ESP32 ECO3】Using Flash Download Tool to Enable Secure Boot V2
最新发布
ESP 技术分享,推动万物互联
04-11 891
Base on ESP32 ECO3 to enable Secure Boot V2
ESP32-Secure Boot 安全方案
热门推荐
乐鑫 Espressif
02-24 1万+
Secure Boot 功能概述 方案概述 Secure Boot 的目的是保证芯片只运行用户指定的程序,芯片每次启动时都会验证从 flash 中加载的 partition table 和 app images 是否是用户指定的 Secure Boot 中采用 ECDSA 签名算法对 partition table 和 app images 进行签名和验证,ECDSA 签名算法使用公钥/...
ESP32-C3 手动启用 Secure Boot V2 与 Flash 加密流程
ESP 技术分享,推动万物互联
08-21 1627
1. 手动生成秘钥 2. 手动加密固件并写入加密固件 3. 手动写 Efuse 开启 Flash 加密和安全启动
Discrete logarithm based additively homomorphic encryption and secure data aggregation
02-21
At PKC 2006, Chevallier-Mames, Paillier, and Pointcheval proposed discrete logarithm based encryption schemes that are partially homomorphic, either additively or multiplicatively and announced an ...
Cryptanalysis of an Image Encryption Using 2D Henon-Sine Map and DNA Approach
02-08
Cryptanalysis of an Image Encryption Using 2D Henon-Sine Map and DNA Approach
string_xoring.zip_tool_xor encryption
09-23
本工具“string_xoring.zip_tool_xor encryption”旨在帮助用户轻松地对字符串进行XOR编码和解码操作。** XOR(异或)运算符在计算机科学中扮演着重要角色,它具有以下特性:任何数与0进行异或运算,结果仍为原数;...
figure-1.rar_encryption image_tool
07-14
This Code is used to reproduce the figures Using Digitizing the figure using one tool and read data form text files.
Secure and noise-free holographic encryption with a quick-response code
02-05
In holographic encryption, double random-phase encoding in the Fresnel domain (DRPEiFD) is a prevalent encryption method because it is lensless and secure. However, noises bring adverse effects during...
ESP32 ECO3 手动启用 Secure Boot V2 与 flash 加密流程
ESP 技术分享,推动万物互联
02-02 5332
本篇文档用来说明 ESP32(eco3) 芯片同时使能 Secure Boot V2 和 flash 加密的操作流程,其中,flash 加密使用发布模式(Release Mode),使用主机生成的密钥对数据进行加密。 文章目录1. 测试环境1. 未使能前查询 efuse2. 通过 menuconfig 配置使能2.1 将 ESP32 芯片版本设置为 revision 32.2 调整分区表偏移量2.3 安全特征配置3. 测试流程3.1 secure boot v2 秘钥生成与烧录3.2 flash 加密秘钥生
[加密]ESP32 -Secure Boot 安全方案
anxuan3201的博客
06-19 1518
转自:https://blog.csdn.net/espressif/article/details/79362094 Secure Boot 功能概述 方案概述 Secure Boot 的目的是保证芯片只运行用户指定的程序,芯片每次启动时都会验证从 flash 中加载的 partition table 和 app images 是否是用户指定的 Secure Boot 中采...
ESP32-S3 V5.0.2 flash 手动生成密钥加密 _By星年(已验证)
qq_18070087的博客
06-16 669
(4)加密镜像并烧录(根据idf.py build编译后信息,修改文件路径、文件名、烧录地址及生成文件名)环境 ESP32-S3 ESP_IDF V5.0.2 手动生成密钥加密。三、关闭加密和解密已加密镜像(关闭解密只有1次机会)(3)烧录密钥到设备(修改端口号)(只能烧录一次)(1)AES-128(256 位密钥)(2)AES-256(512 位密钥)(2)工程加密配置及串口配置安全模式。1.查看是否加密:(修改端口号)(5)烧录加密bin。
How to manually encrypt the plaintext firmware of the ESP32 device using a fixed key
ESP 技术分享,推动万物互联
06-21 490
flash encryption
esp32 esp8266_esp32致命愤怒袭击你应该知道的
weixin_26636643的博客
08-13 672
esp32 esp8266The recent flurry of media attention on the ESP32 IoT device attack piqued my interest in secure boot on IoT devices. Espressif has already announced CVE-2019–17391(here) and published a ...
ESP32-C3 flash encryption & secure boot
lambml的博客
12-21 2463
未使能前,efuse 信息 $ esptool.py flash_id esptool.py v3.2-dev Found 2 serial ports Se
磁盘分区与多系统安装(windows ubuntu)
aaa1150322487的专栏
02-02 342
1.磁盘分区 MBR分区表最多可以分4个主分区(无扩展分区),或者3个主分区和一个扩展分区,想要装多系统的网友一定要把主分区利用好;配合传统bios能发挥出它更好的功能。 GPT分区表最多可以分N>>4个分区(目前N=128),配合UEFI bios能够发挥出它更好的功能 我使用的是MBR分区表,主-主-扩展-主(最后一个主分区后面装Ubuntu时又...
ESP32 ECO V3】使用 Flash 下载工具完成 Secure Boot V2 功能
ESP 技术分享,推动万物互联
04-02 1155
【应用笔记】基于 Flash 下载工具完成 Secure Boot V2 的全部流程
flash player
04-09
Flash Player是由Adobe公司开发的一款多媒体播放器插件,用于在网页浏览器中播放Flash动画、视频和音频等多媒体内容。它支持跨平台运行,可以在Windows、Mac和Linux等操作系统上使用。 Flash Player具有以下特点: 1. 支持丰富的多媒体内容:Flash Player可以播放包括动画、游戏、广告、应用程序等在内的各种多媒体内容,使网页更加生动有趣。 2. 跨平台兼容性:Flash Player可以在不同的操作系统和浏览器上运行,提供了广泛的兼容性。 3. 动态交互性:Flash Player支持ActionScript编程语言,可以实现丰富的交互功能,如表单验证、动态数据加载等。 4. 流媒体播放:Flash Player支持流媒体技术,可以实现在线视频和音频的实时播放。 5. 小巧高效:Flash Player插件体积较小,加载速度快,并且具有较低的系统资源占用。 然而,随着HTML5技术的发展和广泛应用,Flash Player逐渐被淘汰。现代浏览器已经不再默认支持Flash内容,并且Adobe公司已于2020年底停止了对Flash Player的更新和分发。因此,建议用户在浏览网页时使用HTML5技术来播放多媒体内容,以获得更好的性能和安全性。

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值