Enable Secure Boot and Flash Encryption from Software

User Guide:

Please follow these steps:

1. Query the chip version

esptool.py chip_id

2. Query the eFuse information

espefuse.py -p COM4 summary

3. Generate the private key for Secure Boot

  • Run the following command to generate the Secure Boot V1 ECDSA 256-bit (SHA-256) private key:
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 1 --scheme ecdsa256


  • If you are using an ECO3 or ECO4 SoC, we recommend Secure Boot V2. Secure Boot V2 requires an RSA-3072 private key.
  • To use Secure Boot V2, set the minimum supported chip revision to ECO3 or ECO4, as follows:

Component config → Hardware Settings → Chip revision → Minimum Supported ESP32 Revision

  • Run the following command to generate the Secure Boot V2 key:
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 2 --scheme rsa3072

4. Increase the partition table offset

Enabling Secure Boot and Flash Encryption increases the size of the bootloader.bin firmware, so the default partition table offset of 0x8000 must be raised; it can be set to 0xf000. You can change the partition table offset in menuconfig.

5. Enable Secure Boot and Flash Encryption release mode in the configuration

  • Set the correct private key file (secure_boot_signing_key.pem).

Please note:

  • After Flash Encryption is enabled, NVS encryption is also enabled by default. If the partition table has not set the nvs_key, disable NVS encryption in the software configuration.

6. Run the following command to build the “bootloader.bin” firmware

idf.py bootloader

7. Run the following command to flash the bootloader.bin firmware

idf.py -p COM6 bootloader-flash

  • You can also flash bootloader.bin with the following command:
esptool.py --chip esp32 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size keep 0x1000 E:/esp/esp-idf-v5.1/examples/get-started/blink/build/bootloader/bootloader.bin


9. Compile the firmware

  • Then run the following command to compile the firmware and produce partition-table.bin and app.bin:
idf.py build

  • If you are using Secure Boot V1, after compiling you get the signed firmware and a digest of the public key derived from the Secure Boot signing private key.
    • partition-table.bin and app.bin are signed; the bootloader.bin firmware is not signed.

    • A digest of the public key derived from the Secure Boot signing private key is printed.


  • If you are using Secure Boot V2, after compiling you get the signed firmware.

    • app.bin and bootloader.bin are signed; the partition table binary is not signed.

    • When the Secure Boot private key (secure_boot_signing_key.pem) is used to sign the plaintext firmware, the public key and the digest of the public key are generated and stored in the signature block. The signature block is written at the end of the firmware.
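The signature block described in the last bullet can be inspected on the host before flashing, which is a useful sanity check that the app.bin you are about to flash is the one that was signed. The following Python script is an added example, not part of the original post and not ESP-IDF or esptool code. It follows the ESP-IDF Secure Boot V2 signature block layout for the ESP32 RSA-3072 scheme (magic byte 0xE7, version 0x02, two pad bytes, SHA-256 of the image, 384-byte RSA modulus, exponent, precalculated R and M', RSA-PSS signature, CRC32 of the preceding 1196 bytes, 16 zero bytes; 1216 bytes in total, placed in the 4 KB sector appended after the 4 KB-padded image). It parses the first block, validates the CRC32, and checks that the stored digest matches the image content. The sample image, key bytes and signature below are constructed placeholders, and all function names are mine; the RSA-PSS signature itself is not verified, since that needs an RSA library and the device's eFuse key digest.

```python
import hashlib
import struct
import zlib

# Layout of one ESP32 Secure Boot V2 (RSA-3072) signature block, as documented
# in ESP-IDF. The signed image is padded to a 4 KB boundary and a 4 KB
# "signature sector" is appended; the first 1216 bytes of that sector hold the
# first signature block (the ESP32 allows up to three blocks in the sector).
SECTOR = 4096
SIG_BLOCK_LEN = 1216
SIG_BLOCK_MAGIC = 0xE7
SIG_BLOCK_VERSION = 0x02
# magic, version, 2 pad bytes, image SHA-256, RSA modulus n (little-endian),
# exponent e, precalculated R, precalculated M', RSA-PSS signature: 1196 bytes.
_BODY_FMT = "<BBxx32s384sI384sI384s"
_BODY_LEN = struct.calcsize(_BODY_FMT)  # 1196; the CRC32 and 16 zero bytes follow


def parse_signature_block(block: bytes) -> dict:
    """Parse one signature block, checking magic, version and CRC32.

    Returns the fields as a dict; raises ValueError if the block is malformed.
    The RSA-PSS signature is returned but NOT verified here.
    """
    if len(block) < SIG_BLOCK_LEN:
        raise ValueError("signature block is shorter than 1216 bytes")
    magic, version, digest, n, e, r, mprime, sig = struct.unpack_from(_BODY_FMT, block, 0)
    if magic != SIG_BLOCK_MAGIC:
        raise ValueError(f"bad magic byte 0x{magic:02x} (expected 0xe7)")
    if version != SIG_BLOCK_VERSION:
        raise ValueError(f"unexpected signature block version {version}")
    (stored_crc,) = struct.unpack_from("<I", block, _BODY_LEN)
    if stored_crc != (zlib.crc32(block[:_BODY_LEN]) & 0xFFFFFFFF):
        raise ValueError("CRC32 mismatch: signature block is corrupt or tampered")
    return {
        "image_digest": digest,
        "modulus": int.from_bytes(n, "little"),
        "exponent": e,
        "signature": sig,
    }


def verify_image_digest(image: bytes) -> dict:
    """Split a signed image into content and signature sector and compare digests.

    The block's SHA-256 must equal SHA-256 of the content (everything before the
    trailing 4 KB sector). A mismatch means the image body was modified after
    signing, or the signature sector belongs to a different image.
    """
    if len(image) < 2 * SECTOR or len(image) % SECTOR:
        raise ValueError("signed image must be a whole number of 4 KB sectors")
    content, sig_sector = image[:-SECTOR], image[-SECTOR:]
    info = parse_signature_block(sig_sector[:SIG_BLOCK_LEN])
    info["digest_matches"] = hashlib.sha256(content).digest() == info["image_digest"]
    return info


def block_is_intact(image: bytes) -> bool:
    """True if the first signature block parses cleanly (magic, version, CRC)."""
    try:
        verify_image_digest(image)
        return True
    except ValueError:
        return False


def build_sample_signed_image() -> bytes:
    """Construct a stand-in signed image for offline testing.

    The body, key and signature are placeholder bytes (constructed for this
    example, not output of espsecure.py); only the layout, digest and CRC are
    real, which is exactly what the checks above exercise.
    """
    content = (b"\xe9" + b"\x00" * 600).ljust(SECTOR, b"\xff")  # 0xe9 = ESP image magic
    body = struct.pack(
        _BODY_FMT,
        SIG_BLOCK_MAGIC, SIG_BLOCK_VERSION, hashlib.sha256(content).digest(),
        b"\x11" * 384, 65537, b"\x22" * 384, 0x33333333, b"\x44" * 384,
    )
    block = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + b"\x00" * 16
    return content + block.ljust(SECTOR, b"\xff")


def flip_byte(image: bytes, offset: int) -> bytes:
    """Return a copy of image with one bit flipped at offset (tamper simulation)."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    good = build_sample_signed_image()
    print("untouched image, digest matches:", verify_image_digest(good)["digest_matches"])
    print("body tampered, digest matches:", verify_image_digest(flip_byte(good, 100))["digest_matches"])
    print("signature block tampered, block intact:", block_is_intact(flip_byte(good, SECTOR + 40)))
```

To run it against a real build artifact, read build/blink.bin (or whatever idf.py build produced) into bytes and pass it to verify_image_digest; a digest mismatch or CRC error means the file is not the image that was signed and should not be flashed. On the device the ROM/bootloader additionally verifies the RSA-PSS signature and compares the public key digest with the one burned into eFuse, which this host-side check does not replace.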


10. Run the following command to flash partition-table.bin and app.bin and monitor the running log.

idf.py flash monitor

  • After the firmware is flashed, Secure Boot and Flash Encryption run on the first boot. You can confirm the Secure Boot and Flash Encryption process in the running log.

During the software Flash Encryption process, please make sure the power supply is stable.

  • After Flash Encryption is complete, the device restarts. After the restart, the firmware in flash is ciphertext.
