diff --git a/components/esptool_py/esptool b/components/esptool_py/esptool
index 7d10144efd..4bc311767b 160000
--- a/components/esptool_py/esptool
+++ b/components/esptool_py/esptool
@@ -1 +1 @@
-Subproject commit 7d10144efdb14eb339a9e7ab59694f03d70e0eb9
+Subproject commit 4bc311767b7c6df41def6f95a50f87b1c9406cbd
diff --git a/components/esptool_py/project_include.cmake b/components/esptool_py/project_include.cmake
index ae37888280..0d666a22ba 100644
--- a/components/esptool_py/project_include.cmake
+++ b/components/esptool_py/project_include.cmake
@@ -37,6 +37,17 @@ set(ESPTOOLPY_FLASH_OPTIONS
     --flash_size ${ESPFLASHSIZE}
     )
 
+if(BOOTLOADER_BUILD AND CONFIG_SECURE_BOOT_V2_ENABLED)
+    # The bootloader binary needs to be 4KB aligned in order to append a secure boot V2 signature block.
+    # If CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES is NOT set, the bootloader
+    # image generated is not 4KB aligned for external HSM to sign it readily.
+    # Following esptool option --pad-to-size 4KB generates a 4K aligned bootloader image.
+    # In case of signing during build, espsecure.py "sign_data" operation handles the 4K alignment of the image.
+    if(NOT CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES)
+        list(APPEND esptool_elf2image_args --pad-to-size 4KB)
+    endif()
+endif()
+
 if(NOT BOOTLOADER_BUILD)
     set(esptool_elf2image_args --elf-sha256-offset 0xb0)
 endif()