ESP32-C3 flash encryption & secure boot

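This document records the procedure for enabling flash encryption and secure boot together on the ESP32-C3.
The test environment is as follows:

  • Hardware: ESP32-C3 (revision 3)
  • IDF version: v4.4-dev-3042-g220590d599

eFuse state of the device before enabling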

$ esptool.py flash_id                                                                                                                                                                                 
esptool.py v3.2-dev
Found 2 serial ports
Serial port /dev/ttyUSB0
Connecting....
Detecting chip type... ESP32-C3
Chip is ESP32-C3 (revision 3)
Features: Wi-Fi
Crystal is 40MHz
MAC: 7c:df:a1:61:bd:20
Uploading stub...
Running stub...
Stub running...
Manufacturer: 20
Device: 4016
Detected flash size: 4MB
Hard resetting via RTS pin...
$ espefuse.py --chip esp32c3 summary
Connecting....
espefuse.py v3.2-dev
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
TEMP_SENSOR_CAL (BLOCK2)                           Temperature calibration                            = -15.100000000000001 R/W (0b110010111)
ADC1_MODE0_D2 (BLOCK2)                             ADC1 calibration 1                                 = -208 R/W (0xb4)
ADC1_MODE1_D2 (BLOCK2)                             ADC1 calibration 2                                 = 348 R/W (0x57)
ADC1_MODE2_D2 (BLOCK2)                             ADC1 calibration 3                                 = -16 R/W (0x84)
ADC1_MODE3_D2 (BLOCK2)                             ADC1 calibration 4                                 = 184 R/W (0x2e)
ADC2_MODE0_D2 (BLOCK2)                             ADC2 calibration 5                                 = -200 R/W (0xb2)
ADC2_MODE1_D2 (BLOCK2)                             ADC2 calibration 6                                 = -488 R/W (0xfa)
ADC2_MODE2_D2 (BLOCK2)                             ADC2 calibration 7                                 = -396 R/W (0xe3)
ADC2_MODE3_D2 (BLOCK2)                             ADC2 calibration 8                                 = -12 R/W (0x83)
ADC1_MODE0_D1 (BLOCK2)                             ADC1 calibration 9                                 = 4 R/W (0b000001)
ADC1_MODE1_D1 (BLOCK2)                             ADC1 calibration 10                                = -100 R/W (0b111001)
ADC1_MODE2_D1 (BLOCK2)                             ADC1 calibration 11                                = 100 R/W (0b011001)
ADC1_MODE3_D1 (BLOCK2)                             ADC1 calibration 12                                = 8 R/W (0b000010)
ADC2_MODE0_D1 (BLOCK2)                             ADC2 calibration 13                                = 0 R/W (0b000000)
ADC2_MODE1_D1 (BLOCK2)                             ADC2 calibration 14                                = 0 R/W (0b000000)
ADC2_MODE2_D1 (BLOCK2)                             ADC2 calibration 15                                = 0 R/W (0b000000)
ADC2_MODE3_D1 (BLOCK2)                             ADC2 calibration 16                                = 0 R/W (0b000000)

Config fuses:
DIS_ICACHE (BLOCK0)                                Disables ICache                                    = False R/W (0b0)
DIS_DOWNLOAD_ICACHE (BLOCK0)                       Disables Icache when SoC is in Download mode       = False R/W (0b0)
DIS_FORCE_DOWNLOAD (BLOCK0)                        Disables forcing chip into Download mode           = False R/W (0b0)
DIS_CAN (BLOCK0)                                   Disables the TWAI Controller hardware              = False R/W (0b0)
VDD_SPI_AS_GPIO (BLOCK0)                           Set this bit to vdd spi pin function as gpio       = False R/W (0b0)
BTLC_GPIO_ENABLE (BLOCK0)                          Enable btlc gpio                                   = 0 R/W (0b00)
POWERGLITCH_EN (BLOCK0)                            Set this bit to enable power glitch function       = False R/W (0b0)
POWER_GLITCH_DSENSE (BLOCK0)                       Sample delay configuration of power glitch         = 0 R/W (0b00)
DIS_LEGACY_SPI_BOOT (BLOCK0)                       Disables Legacy SPI boot mode                      = False R/W (0b0)
UART_PRINT_CHANNEL (BLOCK0)                        Selects the default UART for printing boot msg     = UART0 R/W (0b0)
UART_PRINT_CONTROL (BLOCK0)                        Sets the default UART boot message output mode     = Enabled R/W (0b00)
FORCE_SEND_RESUME (BLOCK0)                         Force ROM code to send a resume command during SPI = False R/W (0b0)
                                                    bootduring SPI boot                              
BLOCK_USR_DATA (BLOCK3)                            User data                                         
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 

Efuse fuses:
WR_DIS (BLOCK0)                                    Disables programming of individual eFuses          = 0 R/W (0x00000000)
RD_DIS (BLOCK0)                                    Disables software reading from BLOCK4-10           = 0 R/W (0b0000000)

Flash Config fuses:
FLASH_TPUW (BLOCK0)                                Configures flash startup delay after SoC power-up, = 0 R/W (0x0)
                                                    unit is (ms/2). When the value is 15, delay is 7.
                                                   5 ms                                              
FLASH_ECC_MODE (BLOCK0)                            Set this bit to set flsah ecc mode.               
   = flash ecc 16to18 byte mode R/W (0b0)
FLASH_TYPE (BLOCK0)                                Selects SPI flash type                             = 4 data lines R/W (0b0)
FLASH_PAGE_SIZE (BLOCK0)                           Flash page size                                    = 0 R/W (0b00)
FLASH_ECC_EN (BLOCK0)                              Enable ECC for flash boot                          = False R/W (0b0)

Identity fuses:
SECURE_VERSION (BLOCK0)                            Secure version (used by ESP-IDF anti-rollback feat = 0 R/W (0x0000)
                                                   ure)                                              
MAC (BLOCK1)                                       Factory MAC Address                               
   = 7c:df:a1:61:bd:20 (OK) R/W 
WAFER_VERSION (BLOCK1)                             WAFER version                                      = 3 R/W (0b011)
PKG_VERSION (BLOCK1)                               Package version                                    = ESP32-C3 R/W (0b000)
BLOCK1_VERSION (BLOCK1)                            BLOCK1 efuse version                               = 4 R/W (0b100)
OPTIONAL_UNIQUE_ID (BLOCK2)                        Optional unique 128-bit ID                        
   = a6 22 f8 ea 75 8e 71 7c ac d6 4c 9c b5 13 80 11 R/W 
BLOCK2_VERSION (BLOCK2)                            Version of BLOCK2                                  = With calibration R/W (0b001)
CUSTOM_MAC (BLOCK3)                                Custom MAC Address                                
   = 00:00:00:00:00:00 (OK) R/W 

Jtag Config fuses:
JTAG_SEL_ENABLE (BLOCK0)                           Set this bit to enable selection between usb_to_jt = False R/W (0b0)
                                                   ag and pad_to_jtag through strapping gpio10 when b
                                                   oth reg_dis_usb_jtag and reg_dis_pad_jtag are equa
                                                   l to 0.                                           
SOFT_DIS_JTAG (BLOCK0)                             Software disables JTAG. When software disabled, JT = 0 R/W (0b000)
                                                   AG can be activated temporarily by HMAC peripheral
DIS_PAD_JTAG (BLOCK0)                              Permanently disable JTAG access via pads. USB JTAG = False R/W (0b0)
                                                    is controlled separately.                        

Security fuses:
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0)               Disables flash encryption when in download boot mo = False R/W (0b0)
                                                   des                                               
SPI_BOOT_CRYPT_CNT (BLOCK0)                        Enables encryption and decryption, when an SPI boo = Disable R/W (0b000)
                                                   t mode is set. Enabled when 1 or 3 bits are set,di
                                                   sabled otherwise                                  
SECURE_BOOT_KEY_REVOKE0 (BLOCK0)                   If set, revokes use of secure boot key digest 0    = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0)                   If set, revokes use of secure boot key digest 1    = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0)                   If set, revokes use of secure boot key digest 2    = False R/W (0b0)
KEY_PURPOSE_0 (BLOCK0)                             KEY0 purpose                                       = USER R/W (0x0)
KEY_PURPOSE_1 (BLOCK0)                             KEY1 purpose                                       = USER R/W (0x0)
KEY_PURPOSE_2 (BLOCK0)                             KEY2 purpose                                       = USER R/W (0x0)
KEY_PURPOSE_3 (BLOCK0)                             KEY3 purpose                                       = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0)                             KEY4 purpose                                       = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0)                             KEY5 purpose                                       = USER R/W (0x0)
SECURE_BOOT_EN (BLOCK0)                            Enables secure boot                                = False R/W (0b0)
SECURE_BOOT_AGGRESSIVE_REVOKE (BLOCK0)             Enables aggressive secure boot key revocation mode = False R/W (0b0)
DIS_DOWNLOAD_MODE (BLOCK0)                         Disables all Download boot modes                   = False R/W (0b0)
ENABLE_SECURITY_DOWNLOAD (BLOCK0)                  Enables secure UART download mode (read/write flas = False R/W (0b0)
                                                   h only)                                           
BLOCK_KEY0 (BLOCK4)
  Purpose: USER
               Encryption key0 or user data                      
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLOCK_KEY1 (BLOCK5)
  Purpose: USER
               Encryption key1 or user data                      
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLOCK_KEY2 (BLOCK6)
  Purpose: USER
               Encryption key2 or user data                      
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLOCK_KEY3 (BLOCK7)
  Purpose: USER
               Encryption key3 or user data                      
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLOCK_KEY4 (BLOCK8)
  Purpose: USER
               Encryption key4 or user data                      
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLOCK_KEY5 (BLOCK9)
  Purpose: USER
               Encryption key5 or user data                      
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
BLOCK_SYS_DATA2 (BLOCK10)                          System data (part 2)                              
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 

Spi_Pad_Config fuses:
SPI_PAD_CONFIG_CLK (BLOCK1)                        SPI CLK pad                                        = 0 R/W (0b000000)
SPI_PAD_CONFIG_Q (BLOCK1)                          SPI Q (D1) pad                                     = 0 R/W (0b000000)
SPI_PAD_CONFIG_D (BLOCK1)                          SPI D (D0) pad                                     = 0 R/W (0b000000)
SPI_PAD_CONFIG_CS (BLOCK1)                         SPI CS pad                                         = 0 R/W (0b000000)
SPI_PAD_CONFIG_HD (BLOCK1)                         SPI HD (D3) pad                                    = 0 R/W (0b000000)
SPI_PAD_CONFIG_WP (BLOCK1)                         SPI WP (D2) pad                                    = 0 R/W (0b000000)
SPI_PAD_CONFIG_DQS (BLOCK1)                        SPI DQS pad                                        = 0 R/W (0b000000)
SPI_PAD_CONFIG_D4 (BLOCK1)                         SPI D4 pad                                         = 0 R/W (0b000000)
SPI_PAD_CONFIG_D5 (BLOCK1)                         SPI D5 pad                                         = 0 R/W (0b000000)
SPI_PAD_CONFIG_D6 (BLOCK1)                         SPI D6 pad                                         = 0 R/W (0b000000)
SPI_PAD_CONFIG_D7 (BLOCK1)                         SPI D7 pad                                         = 0 R/W (0b000000)

Usb Config fuses:
DIS_USB_JTAG (BLOCK0)                              Disables USB JTAG. JTAG access via pads is control = False R/W (0b0)
                                                   led separately                                    
DIS_USB_DEVICE (BLOCK0)                            Disables USB DEVICE                                = False R/W (0b0)
DIS_USB (BLOCK0)                                   Disables the USB OTG hardware                      = False R/W (0b0)
USB_EXCHG_PINS (BLOCK0)                            Exchanges USB D+ and D- pins                       = False R/W (0b0)
DIS_USB_DOWNLOAD_MODE (BLOCK0)                     Disables use of USB in UART download boot mode     = False R/W (0b0)

Vdd_Spi Config fuses:
PIN_POWER_SELECTION (BLOCK0)                       GPIO33-GPIO37 power supply selection in ROM code   = VDD3P3_CPU R/W (0b0)

Wdt Config fuses:
WDT_DELAY_SEL (BLOCK0)                             Selects RTC WDT timeout threshold at startup       = False R/W (0b0)

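Enabling flash encryption and secure boot

Enable through menuconfig

Reference: How To Enable Secure Boot V2

If Sign binaries during build is enabled, the app/partition bin files are signed as part of the build, using the file specified in Secure boot private signing key.
If the option is disabled, unsigned app/partition bin files are generated and must be signed manually with espsecure.py.
The following command signs an image manually:
espsecure.py sign_data --version 2 --keyfile ./my_signing_key.pem --output ./image_signed.bin image-unsigned.bin
See Manual Commands.

Adjust the partition table address

With flash encryption and secure boot enabled, the generated bootloader bin is larger. The bootloader region can be enlarged by moving the partition table offset; here the partition table address is moved from the default 0x8000 to 0xF000.

Generate the signing key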

$ espsecure.py generate_signing_key --version 2  secure_boot_signing_key.pem       
espsecure.py v3.2-dev
RSA 3072 private key in PEM format written to secure_boot_signing_key.pem

Run idf.py bootloader

$ idf.py bootloader
...
==============================================================================
Bootloader built. Secure boot enabled, so bootloader not flashed automatically.
To sign the bootloader with additional private keys.
        /home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python /home/mali/esp/esp32/master/components/esptool_py/esptool/espsecure.py sign_data -k secure_boot_signing_key2.pem -v 2 --append_signatures -o signed_bootloader.bin build/bootloader/bootloader.bin
Secure boot enabled, so bootloader not flashed automatically.
        /home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python  /home/mali/esp/esp32/master/components/esptool_py/esptool/esptool.py --chip esp32c3 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 2MB 0x0 /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin
==============================================================================
[91/93] Generating binary image from built executable
esptool.py v3.2-dev
Merged 1 ELF section
Generated /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin
[92/93] cd /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/esp-idf/esptool_py && /home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python /home/mali/esp/esp32/master/components/partition_table/check_sizes.py --offset 0xf000 bootloader 0x0 /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin
Bootloader binary size 0x9440 bytes. 0x5bc0 bytes (38%) free.
[93/93] Generated the signed Bootloader
espsecure.py v3.2-dev
Padding data contents by 3008 bytes so signature sector aligns at sector boundary
1 signing key(s) found.
Signed 40960 bytes of data from /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader-unsigned.bin. Signature sector now has 1 signature blocks.
Generated signed binary image /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin from /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader-unsigned.bin
[8/8] Completed 'bootloader'

Bootloader build complete.

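With secure boot enabled, the bootloader bin is not flashed automatically; it has to be flashed manually with the command printed by the build.
The log above gives the following flash command: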

/home/mali/esp/esp32/master/components/esptool_py/esptool/esptool.py --chip esp32c3 --port=(PORT) --baud=(BAUD) --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 2MB 0x0 /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin

You can specify the port and baud rate, or flash with the default values, as follows:

$  /home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python  /home/mali/esp/esp32/master/components/esptool_py/esptool/esptool.py --chip esp32c3  --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size 2MB 0x0 /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin
esptool.py v3.2-dev
Found 2 serial ports
Serial port /dev/ttyUSB0
Connecting....
Chip is ESP32-C3 (revision 3)
Features: Wi-Fi
Crystal is 40MHz
MAC: 7c:df:a1:61:bd:20
Enabling default SPI flash mode...
Configuring flash size...
Flash will be erased from 0x00000000 to 0x0000afff...
Erasing flash...
Took 0.40s to erase flash block
Wrote 45056 bytes at 0x00000000 in 4.6 seconds (77.8 kbit/s)...
Hash of data verified.

Leaving...
Staying in bootloader.

Run idf.py build to generate the app/partition bin

$ idf.py build     
Executing action: all (aliases: build)
Running ninja in directory /home/mali/esp/esp32/master/examples/get-started/hello_world/build
Executing "ninja all"...
[7/967] Performing build step for 'bootloader'
[1/1] cd /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/esp-idf/esptool_py && /home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python /home/mali/esp/esp32/master/components/partition_table/check_sizes.py --offset 0xf000 bootloader 0x0 /home/mali/esp/esp32/master/examples/get-started/hello_world/build/bootloader/bootloader.bin
Bootloader binary size 0xb000 bytes. 0x4000 bytes (27%) free.
[963/965] Generating binary image from built executable
esptool.py v3.2-dev
Merged 1 ELF section
Generated /home/mali/esp/esp32/master/examples/get-started/hello_world/build/hello-world-unsigned.bin
[964/965] Generating signed binary image
espsecure.py v3.2-dev
1 signing key(s) found.
Signed 196608 bytes of data from /home/mali/esp/esp32/master/examples/get-started/hello_world/build/hello-world-unsigned.bin. Signature sector now has 1 signature blocks.
Generated signed binary image /home/mali/esp/esp32/master/examples/get-started/hello_world/build/hello-world.bin from /home/mali/esp/esp32/master/examples/get-started/hello_world/build/hello-world-unsigned.bin
[965/965] cd /home/mali/esp/esp32/master/examples/get-started/hello_world/build/esp-idf/esptool_py &&...artition-table.bin /home/mali/esp/esp32/master/examples/get-started/hello_world/build/hello-world.bin
hello-world.bin binary size 0x31000 bytes. Smallest app partition is 0x100000 bytes. 0xcf000 bytes (81%) free.

Project build complete. To flash, run this command:
/home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python ../../../components/esptool_py/esptool/esptool.py -p (PORT) -b 460800 --before default_reset --after no_reset --chip esp32c3 --no-stub write_flash --flash_mode dio --flash_size keep --flash_freq 80m 0xf000 build/partition_table/partition-table.bin 0x20000 build/hello-world.bin
or run 'idf.py -p (PORT) flash'

Reboot the device

$ idf.py monitor                                                                                                                                                                                     
Executing action: monitor
Serial port /dev/ttyUSB0
Connecting....
Detecting chip type... ESP32-C3
Running idf_monitor in directory /home/mali/esp/esp32/master/examples/get-started/hello_world
Executing "/home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python /home/mali/esp/esp32/master/tools/idf_monitor.py -p /dev/ttyUSB0 -b 115200 --toolchain-prefix riscv32-esp-elf- --target esp32c3 --decode-panic backtrace /home/mali/esp/esp32/master/examples/get-started/hello_world/build/hello-world.elf -m '/home/mali/.espressif/python_env/idf4.4_py3.8_env/bin/python' '/home/mali/esp/esp32/master/tools/idf.py'"...
--- idf_monitor on /dev/ttyUSB0 115200 ---
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H ---
ESP-ROM:esp32c3-api1-20210207
Build:Feb  7 2021
rst:0x1 (POWERON),boot:0xc (SPI_FAST_FLASH_BOOT)
SPIWP:0xee
mode:DIO, clock div:1
load:0x3fcd6268,len:0x35d8
load:0x403ce000,len:0x930
load:0x403d0000,len:0x54e4
entry 0x403ce000
I (36) boot: ESP-IDF v4.4-dev-3042-g220590d599-dirty 2nd stage bootloader
I (36) boot: compile time 20:04:19
I (36) boot: chip revision: 3
I (40) boot.esp32c3: SPI Speed      : 80MHz
I (44) boot.esp32c3: SPI Mode       : DIO
I (49) boot.esp32c3: SPI Flash Size : 2MB
I (54) boot: Enabling RNG early entropy source...
I (59) boot: Partition Table:
I (63) boot: ## Label            Usage          Type ST Offset   Length
I (70) boot:  0 nvs              WiFi data        01 02 00010000 00006000
I (78) boot:  1 phy_init         RF data          01 01 00016000 00001000
I (85) boot:  2 factory          factory app      00 00 00020000 00100000
I (93) boot: End of partition table
I (97) esp_image: segment 0: paddr=00020020 vaddr=3c020020 size=07258h ( 29272) map
I (110) esp_image: segment 1: paddr=00027280 vaddr=3fc89e00 size=015bch (  5564) load
I (115) esp_image: segment 2: paddr=00028844 vaddr=40380000 size=077d4h ( 30676) load
I (128) esp_image: segment 3: paddr=00030020 vaddr=42000020 size=16fb4h ( 94132) map
I (145) esp_image: segment 4: paddr=00046fdc vaddr=403877d4 size=024bch (  9404) load
I (147) esp_image: segment 5: paddr=000494a0 vaddr=50000000 size=00010h (    16) load
I (150) esp_image: segment 6: paddr=000494b8 vaddr=00000000 size=06b18h ( 27416) 
I (163) esp_image: Verifying image signature...
I (164) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (173) secure_boot_v2: Verifying with RSA-PSS...
I (181) secure_boot_v2: Signature verified successfully!
I (187) boot: Loaded app from partition at offset 0x20000
I (190) secure_boot_v2: enabling secure boot v2...
I (196) efuse: Batch mode of writing fields is enabled
I (202) esp_image: segment 0: paddr=00000020 vaddr=3fcd6268 size=035d8h ( 13784) 
I (212) esp_image: segment 1: paddr=00003600 vaddr=403ce000 size=00930h (  2352) 
I (218) esp_image: segment 2: paddr=00003f38 vaddr=403d0000 size=054e4h ( 21732) 
I (229) esp_image: Verifying image signature...
I (232) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (241) secure_boot_v2: Verifying with RSA-PSS...
I (249) secure_boot_v2: Signature verified successfully!
I (252) secure_boot_v2: Secure boot digests absent, generating..
I (265) secure_boot_v2: Digests successfully calculated, 1 valid signatures (image offset 0x0)
I (268) secure_boot_v2: 1 signature block(s) found appended to the bootloader.
I (275) secure_boot_v2: Burning public key hash to eFuse
I (283) efuse: Writing EFUSE_BLK_KEY0 with purpose 9
I (308) secure_boot_v2: Digests successfully calculated, 1 valid signatures (image offset 0x20000)
I (308) secure_boot_v2: 1 signature block(s) found appended to the app.
I (314) secure_boot_v2: Application key(0) matches with bootloader key(0).
I (321) secure_boot_v2: Revoking empty key digest slot (1)...
I (328) secure_boot_v2: Revoking empty key digest slot (2)...
I (334) secure_boot_v2: blowing secure boot efuse...
I (340) secure_boot: Enabling Security download mode...
I (346) secure_boot: Disable hardware & software JTAG...
I (357) efuse: Batch mode. Prepared fields are committed
I (358) secure_boot_v2: Secure boot permanently enabled
I (364) boot: Checking flash encryption...
I (369) efuse: Batch mode of writing fields is enabled
I (374) flash_encrypt: Generating new flash encryption key...
I (383) efuse: Writing EFUSE_BLK_KEY1 with purpose 4
W (387) flash_encrypt: Not disabling UART bootloader encryption
I (393) flash_encrypt: Disable UART bootloader cache...
I (399) flash_encrypt: Disable JTAG...
I (408) efuse: Batch mode. Prepared fields are committed
I (409) esp_image: segment 0: paddr=00000020 vaddr=3fcd6268 size=035d8h ( 13784) 
I (419) esp_image: segment 1: paddr=00003600 vaddr=403ce000 size=00930h (  2352) 
I (426) esp_image: segment 2: paddr=00003f38 vaddr=403d0000 size=054e4h ( 21732) 
I (437) esp_image: Verifying image signature...
I (439) secure_boot_v2: Verifying with RSA-PSS...
I (447) secure_boot_v2: Signature verified successfully!
I (964) flash_encrypt: bootloader encrypted successfully
I (1011) flash_encrypt: partition table encrypted and loaded successfully
I (1012) esp_image: segment 0: paddr=00020020 vaddr=3c020020 size=07258h ( 29272) map
I (1021) esp_image: segment 1: paddr=00027280 vaddr=3fc89e00 size=015bch (  5564) 
I (1025) esp_image: segment 2: paddr=00028844 vaddr=40380000 size=077d4h ( 30676) 
I (1037) esp_image: segment 3: paddr=00030020 vaddr=42000020 size=16fb4h ( 94132) map
I (1055) esp_image: segment 4: paddr=00046fdc vaddr=403877d4 size=024bch (  9404) 
I (1057) esp_image: segment 5: paddr=000494a0 vaddr=50000000 size=00010h (    16) 
I (1061) esp_image: segment 6: paddr=000494b8 vaddr=00000000 size=06b18h ( 27416) 
I (1073) esp_image: Verifying image signature...
I (1074) secure_boot_v2: Verifying with RSA-PSS...
I (1083) secure_boot_v2: Signature verified successfully!
I (1086) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (12900) flash_encrypt: Done encrypting
I (12902) flash_encrypt: Flash encryption completed
I (12902) boot: Resetting with flash encryption enabled...
ESP-ROM:esp32c3-api1-20210207
Build:Feb  7 2021
rst:0x3 (RTC_SW_SYS_RST),boot:0xc (SPI_FAST_FLASH_BOOT)
Saved PC:0x403d13c6
SPIWP:0xee
mode:DIO, clock div:1
Valid secure boot key blocks: 0
secure boot verification succeeded
load:0x3fcd6268,len:0x35d8
load:0x403ce000,len:0x930
load:0x403d0000,len:0x54e4
entry 0x403ce000
I (80) boot: ESP-IDF v4.4-dev-3042-g220590d599-dirty 2nd stage bootloader
I (80) boot: compile time 20:04:19
I (80) boot: chip revision: 3
I (84) boot.esp32c3: SPI Speed      : 80MHz
I (89) boot.esp32c3: SPI Mode       : DIO
I (93) boot.esp32c3: SPI Flash Size : 2MB
I (98) boot: Enabling RNG early entropy source...
I (103) boot: Partition Table:
I (107) boot: ## Label            Usage          Type ST Offset   Length
I (114) boot:  0 nvs              WiFi data        01 02 00010000 00006000
I (122) boot:  1 phy_init         RF data          01 01 00016000 00001000
I (129) boot:  2 factory          factory app      00 00 00020000 00100000
I (137) boot: End of partition table
I (141) esp_image: segment 0: paddr=00020020 vaddr=3c020020 size=07258h ( 29272) map
I (155) esp_image: segment 1: paddr=00027280 vaddr=3fc89e00 size=015bch (  5564) load
I (159) esp_image: segment 2: paddr=00028844 vaddr=40380000 size=077d4h ( 30676) load
I (173) esp_image: segment 3: paddr=00030020 vaddr=42000020 size=16fb4h ( 94132) map
I (191) esp_image: segment 4: paddr=00046fdc vaddr=403877d4 size=024bch (  9404) load
I (193) esp_image: segment 5: paddr=000494a0 vaddr=50000000 size=00010h (    16) load
I (197) esp_image: segment 6: paddr=000494b8 vaddr=00000000 size=06b18h ( 27416) 
I (209) esp_image: Verifying image signature...
I (210) secure_boot_v2: Verifying with RSA-PSS...
I (218) secure_boot_v2: Signature verified successfully!
I (224) boot: Loaded app from partition at offset 0x20000
I (227) secure_boot_v2: enabling secure boot v2...
I (233) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (240) boot: Checking flash encryption...
I (245) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (253) boot: Disabling RNG early entropy source...
I (269) cpu_start: Pro cpu up.
I (278) cpu_start: Pro cpu start user code
I (278) cpu_start: cpu freq: 160000000
I (278) cpu_start: Application information:
I (281) cpu_start: Project name:     hello-world
I (286) cpu_start: App version:      list-1448-g220590d599-dirty
I (293) cpu_start: Compile time:     Dec 15 2021 20:11:19
I (299) cpu_start: ELF file SHA256:  9f73efaf38751407...
I (305) cpu_start: ESP-IDF:          v4.4-dev-3042-g220590d599-dirty
I (312) heap_init: Initializing. RAM available for dynamic allocation:
I (319) heap_init: At 3FC8C380 len 00033C80 (207 KiB): DRAM
I (325) heap_init: At 3FCC0000 len 0001F060 (124 KiB): STACK/DRAM
I (332) heap_init: At 50000010 len 00001FF0 (7 KiB): RTCRAM
I (339) spi_flash: detected chip: generic
I (343) spi_flash: flash io: dio
W (347) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
W (360) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (368) sleep: Configure to isolate all GPIO pins in sleep state
I (374) sleep: Enable automatic switching of GPIO sleep configuration
I (381) cpu_start: Starting scheduler.
Hello world!
This is esp32c3 chip with 1 CPU core(s), WiFi/BLE, silicon revision 3, 2MB external flash
Minimum free heap size: 329848 bytes
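
The first-boot log above records which eFuses were burned and in which mode the device ended up, so it is worth checking mechanically rather than by eye. The following Python is an added example, not part of the original post or of ESP-IDF: it audits a captured boot log for the security-relevant lines and lists what still separates the device from a locked-down state. The function name, report keys and the embedded sample (lines copied from the log above) belong to this example; purpose numbers 4 and 9 are mapped to their ESP32-C3 key-purpose names.

```python
import re

# ESP32-C3 eFuse key purposes relevant to this walkthrough.
KEY_PURPOSES = {
    4: "XTS_AES_128_KEY",       # flash encryption key
    9: "SECURE_BOOT_DIGEST0",   # secure boot public key digest, slot 0
    10: "SECURE_BOOT_DIGEST1",
    11: "SECURE_BOOT_DIGEST2",
}

# ESP-IDF log line: "<level> (<ms>) <tag>: <message>"
LOG_LINE = re.compile(r"^([EWIDV]) \((\d+)\) ([\w.]+): (.*)$")

# Sample input for this example: lines copied from the two boots shown above.
SAMPLE_LOG = """\
I (164) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (283) efuse: Writing EFUSE_BLK_KEY0 with purpose 9
I (321) secure_boot_v2: Revoking empty key digest slot (1)...
I (328) secure_boot_v2: Revoking empty key digest slot (2)...
I (340) secure_boot: Enabling Security download mode...
I (346) secure_boot: Disable hardware & software JTAG...
I (358) secure_boot_v2: Secure boot permanently enabled
I (383) efuse: Writing EFUSE_BLK_KEY1 with purpose 4
W (387) flash_encrypt: Not disabling UART bootloader encryption
I (12902) flash_encrypt: Flash encryption completed
I (245) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
W (360) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
Hello world!
"""


def audit_boot_log(text):
    """Summarise the secure boot / flash encryption state seen in a boot log."""
    report = {
        "secure_boot_enabled": False,
        "key_blocks": {},               # key block index -> purpose name
        "revoked_digest_slots": [],
        "secure_download_mode": False,
        "jtag_disabled": False,
        "flash_encryption_enabled": False,
        "flash_encryption_mode": None,
        "plaintext_flashes_left": None,
        "findings": [],                 # reasons the device is not locked down
    }
    findings = report["findings"]
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # ROM banner or application output
        _level, _ms, tag, msg = m.groups()
        if tag == "efuse":
            k = re.search(r"Writing EFUSE_BLK_KEY(\d+) with purpose (\d+)", msg)
            if k:
                purpose = int(k.group(2))
                report["key_blocks"][int(k.group(1))] = KEY_PURPOSES.get(
                    purpose, "purpose %d" % purpose)
        elif tag in ("secure_boot", "secure_boot_v2"):
            if "permanently enabled" in msg or "already enabled" in msg:
                report["secure_boot_enabled"] = True
            slot = re.search(r"Revoking empty key digest slot \((\d+)\)", msg)
            if slot:
                report["revoked_digest_slots"].append(int(slot.group(1)))
            if "Security download mode" in msg:
                report["secure_download_mode"] = True
            if msg.startswith("Disable") and "JTAG" in msg:
                report["jtag_disabled"] = True
        elif tag == "flash_encrypt":
            left = re.search(r"enabled \((\d+) plaintext flashes left\)", msg)
            if left:
                report["flash_encryption_enabled"] = True
                report["plaintext_flashes_left"] = int(left.group(1))
            mode = re.search(r"Flash encryption mode is (\w+)", msg)
            if mode:
                report["flash_encryption_mode"] = mode.group(1)
            if "Not disabling UART bootloader encryption" in msg:
                findings.append("UART bootloader encryption was left enabled")

    # A log that never reports the features as enabled is itself a finding.
    if not report["secure_boot_enabled"]:
        findings.append("secure boot was not reported as enabled")
    if not report["flash_encryption_enabled"]:
        findings.append("flash encryption was not reported as enabled")
    if report["flash_encryption_mode"] == "DEVELOPMENT":
        findings.append("flash encryption is in DEVELOPMENT mode (not secure)")
    if report["plaintext_flashes_left"]:
        findings.append("%d plaintext flash(es) still allowed"
                        % report["plaintext_flashes_left"])
    return report


if __name__ == "__main__":
    result = audit_boot_log(SAMPLE_LOG)
    for key, value in result.items():
        print("%-26s %s" % (key, value))
```

For the log on this page the findings are the DEVELOPMENT flash encryption mode, the remaining plaintext flash, and the UART bootloader encryption warning.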

If UART ROM download mode is set to Permanently switch to Secure mode, the device's eFuse values can no longer be read.
See UART ROM download mode

$ espefuse.py --chip esp32c3 summary
Connecting....
Traceback (most recent call last):
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espefuse.py", line 148, in <module>
    _main()
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espefuse.py", line 141, in _main
    main()
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espefuse.py", line 119, in main
    efuses, efuse_operations = get_efuses(esp, just_print_help, debug_mode, args1.do_not_confirm)
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espefuse.py", line 77, in get_efuses
    return (efuse.EspEfuses(esp, skip_connect, debug_mode, do_not_confirm), efuse.operations)
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/esp32c3/fields.py", line 84, in __init__
    self.blocks = [EfuseBlock(self, self.Blocks.get(block), skip_read=skip_connect) for block in self.Blocks.BLOCKS]
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/esp32c3/fields.py", line 84, in <listcomp>
    self.blocks = [EfuseBlock(self, self.Blocks.get(block), skip_read=skip_connect) for block in self.Blocks.BLOCKS]
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/esp32c3/fields.py", line 42, in __init__
    super(EfuseBlock, self).__init__(parent, param, skip_read=skip_read)
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 141, in __init__
    self.read()
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 187, in read
    words = self.get_words()
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 184, in get_words
    return [self.parent.read_reg(offs) for offs in get_offsets(self)]
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 184, in <listcomp>
    return [self.parent.read_reg(offs) for offs in get_offsets(self)]
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/espressif/efuse/base_fields.py", line 352, in read_reg
    return self._esp.read_reg(addr)
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/esptool.py", line 702, in read_reg
    val, data = self.command(self.ESP_READ_REG, struct.pack('<I', addr), timeout=timeout)
  File "/home/mali/esp/esp32/master/components/esptool_py/esptool/esptool.py", line 477, in command
    raise UnsupportedCommandError(self, op)
esptool.UnsupportedCommandError: This command (0xa) is not supported in Secure Download Mode