esp-idf/tools/test_apps/security/secure_boot
2021-04-16 16:40:47 +10:00
..
main Whitespace: Automated whitespace fixes (large commit) 2020-11-11 07:36:35 +00:00
CMakeLists.txt build_app: make multi target support readable 2020-04-09 16:40:57 +08:00
Makefile Whitespace: Automated whitespace fixes (large commit) 2020-11-11 07:36:35 +00:00
README.md build_app: make multi target support readable 2020-04-09 16:40:57 +08:00
sdkconfig.ci.00 ci: Add test apps for ESP32-S2 Secure Boot 2020-07-27 00:01:10 +00:00
sdkconfig.ci.01 ci: Add test apps for ESP32-S2 Secure Boot 2020-07-27 00:01:10 +00:00
sdkconfig.ci.02 ci: Add test apps for ESP32-S2 Secure Boot 2020-07-27 00:01:10 +00:00
sdkconfig.ci.03 Whitespace: Automated whitespace fixes (large commit) 2020-11-11 07:36:35 +00:00
sdkconfig.ci.04 ci: Add test apps for ESP32-S2 Secure Boot 2020-07-27 00:01:10 +00:00
sdkconfig.defaults ci: Move partition table offset in secure boot test app 2021-04-16 16:40:47 +10:00
test_ecdsa_key.pem feat/secure_boot_v2: Adding tools support for secure boot v2 ECO3 2020-02-25 01:28:22 +05:30
test_rsa_3072_key.pem feat/secure_boot_v2: Adding tools support for secure boot v2 ECO3 2020-02-25 01:28:22 +05:30

Supported Targets ESP32

Secure Boot

The example checks if the secure boot feature is enabled/disabled and if enabled prints the secure boot version (Version 1 / Version 2) and FLASH_CRYPT_CNT eFuse value.

How to use example

Hardware Required

ESP32 (supports Secure Boot V1) or ESP32-ECO3 (supports Secure Boot V2 & Secure Boot V1). It is recommended to use Secure Boot V2 from ESP32-ECO3 onwards.

Configure the project

idf.py menuconfig
  • Set serial port under Serial Flasher Options.

  • Enable the Enable hardware Secure Boot under Security Features. Default version for ESP32 is Secure Boot V1. The chip revision should be changed to revision 3(ESP32- ECO3) to view the Secure Boot V2 option.

  • To change the chip revision, set "Component Config" -> "ESP32- Specific"->"Minimum Supported ESP32 Revision" to Rev 3. Now, set Secure Boot V2 option can now be enabled under "Enable hardware Secure Boot in bootloader" -> "Secure Boot Version".

  • Specify the apt secure boot signing key path. If not present generate one using python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_signing_key --version {VERSION} secure_boot_signing_key.pem

  • Ensure Bootloader log verbosity is Info under Bootloader config.

  • Select Single factory app, no OTA under Partition Table options. Change the partition table offset to 0xb000 from 0x8000 since after enabling secure boot the size of bootloader is increased.

Build and Flash

  • The below steps can be used in any application to enable secure boot.

  • Secure Boot is an irreversible operation, please read the Secure Boot section in ESP-IDF Programming Manual.

  • Secure boot will be enabled on building the project after enabling hardware secure boot feature in Security features in menuconfig and flashing it to the board FOR THE FIRST TIME.

  • The bootloader will not be automatically flashed when secure boot is enabled. Running idf.py bootloader will print a command to flash the bootloader on the ESP32. Run this command manually to flash the bootloader.

Run following command to program the partition table and application on the ESP32 and monitor the output:

idf.py -p PORT flash monitor

(To exit the serial monitor, type Ctrl-].)

See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.

  • On subsequent boots, the secure boot hardware will verify the software bootloader has not changed and the software bootloader will verify the signed app image (using the validated public key portion of its appended signature block).

Example Output

Troubleshooting