User Guide:
Please follow these steps:
1. Query the chip version
esptool.py chip_id
- A V1.0 chip only supports Secure Boot V1.
- A V3.0 or later chip supports Secure Boot V2.
2. Query efuse information
espefuse.py -p COM4 summary
3. Obtain the private key for secure boot
- The Secure Boot V1 key must be an ECDSA 256-bit (SHA-256) private key.
- Run the following command to generate the Secure Boot V1 ECDSA 256-bit (SHA-256) private key:
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 1 --scheme ecdsa256
- If you are using an ECO3 or ECO4 SoC, we recommend using Secure Boot V2. The Secure Boot V2 key must be an RSA-3072 private key.
- To use Secure Boot V2, set the minimum supported chip revision to ECO3 or ECO4 in menuconfig, as follows:
Component config → Hardware Settings → Chip revision → Minimum Supported ESP32 Revision
- Run the following command to generate the Secure Boot V2 RSA-3072 private key:
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 2 --scheme rsa3072
4. Increase the offset of the partition table
Enabling Secure Boot and Flash Encryption increases the size of the bootloader.bin firmware, so the default partition table offset of 0x8000 must be moved, for example to 0xf000. You can change the partition table offset in menuconfig.
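To see why this step moves the table, here is an added check (not part of this guide or of ESP-IDF) that parses a partition-table.bin in ESP-IDF's binary format (32-byte entries with magic 0x50AA, terminated by an 0xEBEB MD5 entry) and reports whether a bootloader of a given size still fits between 0x1000 and the table offset, and whether the first partition clears the table's own 4 KB sector. The bootloader sizes and tables below are constructed; the first layout mirrors ESP-IDF's default single-app table at 0x8000, the second the same partitions re-laid-out behind a table at 0xf000.

```python
import hashlib
import struct

# Partition table binary layout as written by ESP-IDF's gen_esp32part.py:
# 32-byte little-endian entries, each starting with magic 0x50AA, terminated
# by an MD5 entry (magic 0xEBEB, 14 bytes 0xFF, MD5 of all preceding entries).
ENTRY_MAGIC = 0x50AA        # per-entry magic (bytes AA 50 in flash)
MD5_MAGIC = 0xEBEB          # trailing checksum entry
ENTRY_FMT = "<HBBII16sI"    # magic, type, subtype, offset, size, label, flags
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32 bytes
TABLE_SECTOR = 0x1000       # the table itself occupies one 4 KB sector
BOOTLOADER_OFFSET = 0x1000  # ESP32 second-stage bootloader lives here


def build_table(layout):
    """Serialise (label, type, subtype, offset, size) tuples into table bytes."""
    body = b"".join(
        struct.pack(ENTRY_FMT, ENTRY_MAGIC, ptype, subtype, offset, size,
                    label.encode().ljust(16, b"\0"), 0)
        for label, ptype, subtype, offset, size in layout
    )
    md5_entry = struct.pack("<H14s16s", MD5_MAGIC, b"\xff" * 14,
                            hashlib.md5(body).digest())
    return body + md5_entry


def parse_partition_table(data):
    """Return the entries of a partition-table.bin, verifying its MD5 entry."""
    entries = []
    pos = 0
    while pos + ENTRY_SIZE <= len(data):
        chunk = data[pos:pos + ENTRY_SIZE]
        magic = struct.unpack_from("<H", chunk)[0]
        if magic == MD5_MAGIC:
            if hashlib.md5(data[:pos]).digest() != chunk[16:]:
                raise ValueError("partition table MD5 mismatch")
            return entries
        if magic == 0xFFFF:       # erased flash: table ended without an MD5 entry
            return entries
        if magic != ENTRY_MAGIC:
            raise ValueError(f"bad entry magic {magic:#06x} at {pos:#x}")
        _, ptype, subtype, offset, size, label, flags = struct.unpack(ENTRY_FMT, chunk)
        entries.append({
            "label": label.rstrip(b"\0").decode(),
            "type": ptype, "subtype": subtype,
            "offset": offset, "size": size, "flags": flags,
        })
        pos += ENTRY_SIZE
    raise ValueError("partition table truncated")


def check_layout(bootloader_size, table_offset, entries):
    """List layout problems; an empty list means bootloader and table both fit."""
    problems = []
    bootloader_end = BOOTLOADER_OFFSET + bootloader_size
    if bootloader_end > table_offset:
        problems.append(
            f"bootloader ends at {bootloader_end:#x}, past the table at {table_offset:#x}")
    table_end = table_offset + TABLE_SECTOR
    for e in entries:
        if e["offset"] < table_end:
            problems.append(
                f"partition {e['label']!r} at {e['offset']:#x} overlaps the table sector")
    return problems


# ESP-IDF's default single-app layout with the table at 0x8000 ...
DEFAULT_LAYOUT = [
    ("nvs",      0x01, 0x02, 0x9000,  0x6000),
    ("phy_init", 0x01, 0x01, 0xf000,  0x1000),
    ("factory",  0x00, 0x00, 0x10000, 0x100000),
]
# ... and the same partitions re-laid-out after moving the table to 0xf000.
MOVED_LAYOUT = [
    ("nvs",      0x01, 0x02, 0x10000, 0x6000),
    ("phy_init", 0x01, 0x01, 0x16000, 0x1000),
    ("factory",  0x00, 0x00, 0x20000, 0x100000),
]
PLAIN_BOOTLOADER = 0x6000    # constructed: ~24 KB, no security features
SECURE_BOOTLOADER = 0x8800   # constructed: ~34 KB with Secure Boot + Flash Encryption


def demo():
    """Run the check for the three combinations the guide's step 4 is about."""
    default_entries = parse_partition_table(build_table(DEFAULT_LAYOUT))
    moved_entries = parse_partition_table(build_table(MOVED_LAYOUT))
    return {
        "plain_at_0x8000": check_layout(PLAIN_BOOTLOADER, 0x8000, default_entries),
        "secure_at_0x8000": check_layout(SECURE_BOOTLOADER, 0x8000, default_entries),
        "secure_at_0xf000": check_layout(SECURE_BOOTLOADER, 0xf000, moved_entries),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run it against your own build/partition_table/partition-table.bin and the size of build/bootloader/bootloader.bin to confirm the chosen offset leaves room; the build system performs the same overlap check, but seeing the numbers makes the failure mode obvious when the bootloader grows after enabling the security options.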
5. Enable Secure Boot and Flash Encryption (release mode) in menuconfig
- Set the correct private key file (secure_boot_signing_key.pem).
Please note:
- Once Flash Encryption is enabled, NVS encryption is also enabled by default. If the partition table does not contain an nvs_key partition, disable NVS encryption in menuconfig.
6. Run the following command to build the bootloader.bin firmware
idf.py bootloader
7. Run the following command to flash the bootloader.bin firmware
idf.py -p COM6 bootloader-flash
- You can also flash bootloader.bin with the following esptool.py command:
esptool.py --chip esp32 --before=default_reset --after=no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size keep 0x1000 E:/esp/esp-idf-v5.1/examples/get-started/blink/build/bootloader/bootloader.bin
9. Compile the firmware
- Run the following command to compile the firmware and produce partition-table.bin and app.bin:
idf.py build
- If you are using Secure Boot V1, after compiling you will get the signed firmware and a digest (summary) of the public key derived from the secure boot signing private key.
- partition-table.bin and app.bin are signed; bootloader.bin is not signed.
- A digest of the public key generated from the secure boot signing private key.
- If you are using Secure Boot V2, after compiling you will get the signed firmware.
- app.bin and bootloader.bin are signed; partition-table.bin is not signed.
- When the secure boot private key (secure_boot_signing_key.pem) is used to sign the plaintext firmware, the public key and its digest are generated. The public key and the digest are stored in the signature block, which is appended at the end of the firmware.
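The signature block described above, as an added example that is not part of this guide or of ESP-IDF: it builds a Secure Boot V2 signature sector for a constructed image and parses it back the way a verifier does before the RSA check. The field layout (magic 0xE7, version 2, SHA-256 of the 4 KB-padded image, RSA-3072 n/e/R/M', signature, CRC32 over the first 1196 bytes, 1216 bytes in total, padded to a 4 KB sector) follows the ESP32 Secure Boot V2 block as written by espsecure.py; confirm it against the ESP-IDF version you build with. The key fields and signature are constructed filler, so only the CRC32 and the image digest are actually checked here, and the public key digest is computed over the key fields as the tooling does.

```python
import hashlib
import struct
import zlib

SECTOR = 0x1000
SIG_MAGIC = 0xE7
SIG_VERSION = 0x02
# Field order: magic, version, 2 pad bytes, SHA-256 of the padded image,
# RSA-3072 modulus n, exponent e, Montgomery constant R, M', signature.
SIG_FMT = "<BBxx32s384sI384sI384s"
CRC_LEN = struct.calcsize(SIG_FMT)   # 1196 bytes are covered by the CRC32
BLOCK_LEN = CRC_LEN + 4 + 16         # CRC32 plus 16 pad bytes: 1216 in total


def pad_to_sector(data):
    """Pad with 0xFF up to a 4 KB boundary, as the signing tool does before hashing."""
    rem = len(data) % SECTOR
    return data if rem == 0 else data + b"\xff" * (SECTOR - rem)


def public_key_digest(n, e, rr, mprime):
    """SHA-256 over the public key fields exactly as they sit in the block."""
    return hashlib.sha256(struct.pack("<384sI384sI", n, e, rr, mprime)).digest()


def build_signed_image(image, n, e, rr, mprime, signature):
    """Append a signature sector (one block, 0xFF-padded) to a plaintext image."""
    padded = pad_to_sector(image)
    body = struct.pack(SIG_FMT, SIG_MAGIC, SIG_VERSION,
                       hashlib.sha256(padded).digest(), n, e, rr, mprime, signature)
    block = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + b"\0" * 16
    return padded + block.ljust(SECTOR, b"\xff")


def parse_signature_block(signed):
    """Validate the trailing signature block and return its fields.

    Checks the structural parts a verifier looks at first (magic, version,
    CRC32, and whether the stored digest matches the image). The RSA signature
    is returned untouched; the real RSA-PSS check needs the key and is out of
    scope for this constructed example.
    """
    if len(signed) < 2 * SECTOR or len(signed) % SECTOR:
        raise ValueError("signed image must be whole sectors: image + signature sector")
    image, sector = signed[:-SECTOR], signed[-SECTOR:]
    block = sector[:BLOCK_LEN]          # ESP32 uses only the first block of the sector
    magic, version, digest, n, e, rr, mprime, signature = struct.unpack(SIG_FMT, block[:CRC_LEN])
    if magic != SIG_MAGIC or version != SIG_VERSION:
        raise ValueError(f"not a Secure Boot V2 block: magic={magic:#x} version={version}")
    stored_crc = struct.unpack_from("<I", block, CRC_LEN)[0]
    if stored_crc != zlib.crc32(block[:CRC_LEN]) & 0xFFFFFFFF:
        raise ValueError("signature block CRC32 mismatch")
    return {
        "image_digest": digest,
        "digest_ok": digest == hashlib.sha256(image).digest(),
        "key_digest": public_key_digest(n, e, rr, mprime),
        "exponent": e,
        "signature": signature,
    }


# Constructed stand-ins for the RSA-3072 key fields and the signature; a real
# block carries the values espsecure.py derives from secure_boot_signing_key.pem.
DEMO_N = hashlib.sha256(b"constructed modulus").digest() * 12      # 384 bytes
DEMO_E = 65537
DEMO_RR = hashlib.sha256(b"constructed R").digest() * 12           # 384 bytes
DEMO_MPRIME = 0x1234ABCD
DEMO_SIGNATURE = b"\x5a" * 384
DEMO_IMAGE = b"constructed app image bytes " * 300                 # about 8.4 KB


def demo_signed_image():
    """A constructed plaintext image with one signature sector appended."""
    return build_signed_image(DEMO_IMAGE, DEMO_N, DEMO_E, DEMO_RR, DEMO_MPRIME, DEMO_SIGNATURE)


if __name__ == "__main__":
    info = parse_signature_block(demo_signed_image())
    print("image digest matches:", info["digest_ok"])
    print("public key digest:", info["key_digest"].hex())
```

The key_digest value is the SHA-256 of the public key fields in the block; on an ESP32 with Secure Boot V2 this is the digest that ends up in eFuse, after which the chip only accepts images whose signature block carries the matching key. That is why the .pem from step 3 needs to be backed up: without it no further bootloader or app can be signed for that device.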
10. Run the following command to flash partition-table.bin and app.bin and monitor the running log
idf.py flash monitor
- After the firmware is flashed, Secure Boot and Flash Encryption run on the first boot. You can confirm the Secure Boot and Flash Encryption process in the running log.
During the software flash encryption process, make sure the power supply is stable.
- After Flash Encryption is complete, the device restarts. After the restart, the firmware in flash is ciphertext.