To enable Secure Boots and Flash Encryption using the ESP Flash download tool

已于 2023-08-15 15:19:38 修改
阅读量1.2k 收藏 1
点赞数
分类专栏: 英文指南 (English Guide) 芯片烧录 (Chip Programming) 芯片安全 (Chip Security) 文章标签: bash 开发语言
于 2022-09-01 19:45:28 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/Marchtwentytwo/article/details/126650130
版权

To enable secure boot and Flash encryption using the v3.9.3 version of “Flash download tool” , perform the following steps:

1. Software Config

In the software “menuconfig" , disable any secure boot and Flash encryption configuration, directly compiled to generate plaintext firmware. Since Flash encryption will increases the size of the bootloader .bin firmware, the offset of the default partition table needs to be adjusted, which is 0x8000, can be adjusted to 0xa000. You can modify the settings for partition table in menuconfig. As follows:

在这里插入图片描述
请添加图片描述

Then compile the project and check the firmware download address corresponding to the compiled firmware. You can find that the download address of the hello-world.bin becomes 0x20000

Project build complete. To flash, run this command:
/home/caiguanhong/.espressif/python_env/idf4.4_py3.8_env/bin/python ../../../components/esptool_py/esptool/esptool.py -p (PORT) -b 460800 --before default_reset --after hard_reset --chip esp32  write_flash --flash_mode dio --flash_size detect --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0xa000 build/partition_table/partition-table.bin 0x20000 build/hello_world.bin

2. “Flash download tool” config

In the configuration file of the “Flash download tool” , enable the following configuration and save the file.

	[SECURE BOOT]
	secure_boot_en = True
	[FLASH ENCRYPTION]
	flash_encryption_en = True
	reserved_burn_times = 3
	[ENCRYPTION KEYS SAVE]
	keys_save_enable = True
	encrypt_keys_enable = False
	encrypt_keys_aeskey_path =
	[DISABLE FUNC]
	jtag_disable = False
	dl_encrypt_disable = False
	dl_decrypt_disable = False
	dl_cache_disable = False

3. Restart the “Flash download tool”

Restart the “Flash download tool” , and the following message is displayed:
在这里插入图片描述

4. Download the plaintext firmware by the “Flash download tool” directly

Then, add your plaintext firmware to the “Flash download tool” and set the corresponding offset address.

在这里插入图片描述

5. The plaintext firmware will be encrypted

Finally, your plaintext firmware will be encrypted directly into ciphertext firmware by using the “Flash download tool” .

test offset :  0 0x0
case ok
test offset :  0 0x0
case ok
..
Uploading stub...
Running stub...
Stub running...
Changing baud rate to 921600
Changed.
FLASH_CRYPT_CNT 0
ABS_DONE_0 False
CODING_SCHEME 0
ECDSA NIST256p private key in PEM format written to ./secure\secure_boot_key_1.pem
CODING_SCHEME 0
ECDSA NIST256p private key in PEM format written to ./secure\flash_encrypt_key_1.pem
CODING_SCHEME 0
SHA-256 digest of private key ./secure\secure_boot_key_1.pem written to ./secure\secure_boot_key_1.bin
CODING_SCHEME 0
SHA-256 digest of private key ./secure\flash_encrypt_key_1.pem written to ./secure\flash_encrypt_key_1.bin
burn secure key ...
Burn keys to blocks:
 - BLOCK2 -> [4a 2a 7e e2 1b 08 27 70 a1 ee 57 cb 69 9a 7a bc 36 39 2b ed 2b a0 ab 3a e8 11 2e ec 48 c5 90 61]
        Reversing the byte order
        Disabling read to key block
        Disabling write to key block

 - BLOCK1 -> [d1 7f 51 78 e2 4b 50 5b d3 b2 b5 73 a3 c0 91 be c1 e0 b5 32 f6 84 d8 a6 f4 98 2a 86 ad fc d9 38]
        Reversing the byte order
        Disabling read to key block
        Disabling write to key block

Burn keys in efuse blocks.
The key block will be read and write protected (no further changes or readback)


Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is not empty
        (written ): 0x0000000400100000000018360000a200001394b555a584a800000000
        (to write): 0x00000000000000000000000000000000000000000000000000030180
        (coding scheme = NONE)
[01] BLOCK1               is empty, will burn the new value
[02] BLOCK2               is empty, will burn the new value
.
This is an irreversible operation!
BURN BLOCK2  - OK (write block == read block)
BURN BLOCK1  - OK (write block == read block)
BURN BLOCK0  - OK (all write block bits are set)
Reading updated efuses...
Successful
FLASH_CRYPT_CNT 0
FLASH_CRYPT_CONFIG 0
The efuses to burn:
  from BLOCK0
     - ABS_DONE_0
     - FLASH_CRYPT_CNT
     - FLASH_CRYPT_CONFIG

Burning efuses:

    - 'ABS_DONE_0' (Secure boot V1 is enabled for bootloader image) 0b0 -> 0b1

    - 'FLASH_CRYPT_CNT' (Flash encryption mode counter) 0b0000000 -> 0b0000001

    - 'FLASH_CRYPT_CONFIG' (Flash encryption config (key tweak bits)) 0x0 -> 0xf

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is not empty
        (written ): 0x0000000400100000000018360000a200001394b555a584a800030180
        (to write): 0x00000010f00000000000000000000000000000000000000000100000
        (coding scheme = NONE)
.
This is an irreversible operation!
BURN BLOCK0  - OK (all write block bits are set)
Reading updated efuses...
Checking efuses...
Successful

WARNING: - compress and encrypt options are mutually exclusive
Will flash uncompressed

 is stub and send flash finish
The efuses to burn:

Burning efuses:

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
Nothing to burn, see messages above.
Checking efuses...
Successful

6. The encryption key will saved in locally.

在这里插入图片描述

Note

  • After this operation, you can read the Flash firmware by using esptool, but read the firmware is ciphertext firmware and cannot be used properly.

  • After this operation, the module will not support re-download the firmware by the “Flash download tool”.

25March
关注
专栏目录
Debezium报错处理系列之五十九:The driver could not establish a secure connection to SQL Server by using Secure
zhengzaifeidelushang的博客
04-12 1488
Debezium报错处理系列之五十九:The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer SSL encryption
ESP32 快速入门(十一):Secure BootFlash encryption 的介绍与实践
Zombie's blog
05-27 1871
此篇博客为 ESP32 Secure BootESP32 Flash encryption 的介绍与实践。 1 ESP32 Secure Boot 1.1 ESP32 Secure Boot 功能概述 Secure Boot 的目的是保证芯片只运行用户指定的程序,芯片每次启动时都会验证从 flash 中加载的 partition table 和 app images 是否是用户指定的 Secure Boot 中采用 ECDSA 签名算法对 partition table 和 app images 进
ESP32 Secure BootFlash加密
一个人要像一支队伍
01-21 7906
ESP32的代码是存在外部Flash中,如果不加密,很容易被窃取代码。 ESP32secure bootflash加密是两个功能,但是要配合一起使用,其加密效果才好。 一、初次加密。 这里只写可重复烧写的加密方式,其加密步骤如下: 1、进入menuconfig配置secure bootflash加密。 make menuconfig 这里Secure bootloader mode选择Reflashable。配置后要与下图完全一致。 2、生成私钥,即pem文件。 pyth.
ESP32-Secure Boot 安全方案
热门推荐
乐鑫 Espressif
02-24 1万+
Secure Boot 功能概述 方案概述 Secure Boot 的目的是保证芯片只运行用户指定的程序,芯片每次启动时都会验证从 flash 中加载的 partition table 和 app images 是否是用户指定的 Secure Boot 中采用 ECDSA 签名算法对 partition table 和 app images 进行签名和验证,ECDSA 签名算法使用公钥/...
ESP32 Secure bootFlash encryption 过程前后部分问题整理
Zombie's blog
09-27 1158
此篇博客用来整理 ESP32 Secure bootFlash encryption 过程前后部分问题的解决方法。 1. secure boot 后重新烧录程序发现无法正常进入 bootloader 对应 log 如下: csum err:0x9a!=0x5f ets_main.c 371 ets Jun 8 2016 00:22:57 rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT) configsip: 0, SPIWP:0x
ESP32-C3 手动启用 Secure Boot V2 与 Flash 加密流程
ESP 技术分享,推动万物互联
08-21 2093
1. 手动生成秘钥 2. 手动加密固件并写入加密固件 3. 手动写 Efuse 开启 Flash 加密和安全启动
Image encryption using SIT: A Lightweight Encryption Algorithm for Secure Internet of Things:Image encryption using SIT: A Lightweight Encryption Algorithm for Secure Internet of Things-matlab开发
05-29
在本次提交中,我展示了使用名为 Secure IoT (SIT) 的轻量级加密算法对图像加密的模拟。 它是一个 64 位分组密码,需要 64 位密钥来加密数据。 该算法的架构是 feistel 和统一替换置换网络的混合体。 参考: SIT:一...
Cryptanalysis of an Image Encryption Using 2D Henon-Sine Map and DNA Approach
02-08
Cryptanalysis of an Image Encryption Using 2D Henon-Sine Map and DNA Approach
Discrete logarithm based additively homomorphic encryption and secure data aggregation
02-21
At PKC 2006, Chevallier-Mames, Paillier, and Pointcheval proposed discrete logarithm based encryption schemes that are partially homomorphic, either additively or multiplicatively and announced an ...
ESP32 ECO3 手动启用 Secure Boot V2 与 flash 加密流程
ESP 技术分享,推动万物互联
02-02 5562
本篇文档用来说明 ESP32(eco3) 芯片同时使能 Secure Boot V2 和 flash 加密的操作流程,其中,flash 加密使用发布模式(Release Mode),使用主机生成的密钥对数据进行加密。 文章目录1. 测试环境1. 未使能前查询 efuse2. 通过 menuconfig 配置使能2.1 将 ESP32 芯片版本设置为 revision 32.2 调整分区表偏移量2.3 安全特征配置3. 测试流程3.1 secure boot v2 秘钥生成与烧录3.2 flash 加密秘钥生
[加密]ESP32 -Secure Boot 安全方案
anxuan3201的博客
06-19 1620
转自:https://blog.csdn.net/espressif/article/details/79362094 Secure Boot 功能概述 方案概述 Secure Boot 的目的是保证芯片只运行用户指定的程序,芯片每次启动时都会验证从 flash 中加载的 partition table 和 app images 是否是用户指定的 Secure Boot 中采...
ESP32-S3 V5.0.2 flash 手动生成密钥加密 _By星年(已验证)
qq_18070087的博客
06-16 894
(4)加密镜像并烧录(根据idf.py build编译后信息,修改文件路径、文件名、烧录地址及生成文件名)环境 ESP32-S3 ESP_IDF V5.0.2 手动生成密钥加密。三、关闭加密和解密已加密镜像(关闭解密只有1次机会)(3)烧录密钥到设备(修改端口号)(只能烧录一次)(1)AES-128(256 位密钥)(2)AES-256(512 位密钥)(2)工程加密配置及串口配置安全模式。1.查看是否加密:(修改端口号)(5)烧录加密bin。
ESP32 ECO V3】使用 Flash 下载工具完成 Secure Boot V2 功能
ESP 技术分享,推动万物互联
04-02 1530
【应用笔记】基于 Flash 下载工具完成 Secure Boot V2 的全部流程
How to manually encrypt the plaintext firmware of the ESP32 device using a fixed key
ESP 技术分享,推动万物互联
06-21 518
flash encryption
esp32 esp8266_esp32致命愤怒袭击你应该知道的
weixin_26636643的博客
08-13 698
esp32 esp8266The recent flurry of media attention on the ESP32 IoT device attack piqued my interest in secure boot on IoT devices. Espressif has already announced CVE-2019–17391(here) and published a ...
ESP32S3】使用 Flash 下载工具完成 Flash 加密功能
ESP 技术分享,推动万物互联
04-29 1460
【应用笔记】基于 ESP32-S3 使用 Flash 下载工具完成 Flash 加密的全部流程
ESP8266 烧录
最新发布
qq_39239990的博客
08-04 1097
连线正常,电源不发热,芯片不发热,UART0(25 RX 26 TX)不输出;,未加SPI FLASH 显示 下载模式(IO15 下拉 , IO0下拉);为了增加,减少复杂度,可以使用有源晶振 26M;(四脚无源无电容亦可)使用 FLASHDOWNLOAD V3.9.7就是无法下载,产生错误。复位脚 32 RST 与 en 脚 32可以空,EN复位 低电平。3.3V GND 有源晶振26M。故意排除:上电无打印 虚焊,连线。(IO0上拉 FLASH 启动。奇怪了,下载模式正常。
ESP32-C3 flash encryption & secure boot
lambml的博客
12-21 2597
未使能前,efuse 信息 $ esptool.py flash_id esptool.py v3.2-dev Found 2 serial ports Se
磁盘分区与多系统安装(windows ubuntu)
aaa1150322487的专栏
02-02 410
1.磁盘分区 MBR分区表最多可以分4个主分区(无扩展分区),或者3个主分区和一个扩展分区,想要装多系统的网友一定要把主分区利用好;配合传统bios能发挥出它更好的功能。 GPT分区表最多可以分N>>4个分区(目前N=128),配合UEFI bios能够发挥出它更好的功能 我使用的是MBR分区表,主-主-扩展-主(最后一个主分区后面装Ubuntu时又...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值