IDF v4.4 ESP32 secure boot and flash encryption step-by-step

[ChrisAlfred]

Can anyone provide a step-by-step, including exact command lines, starting with hello_world to produce secure boot with flash encryption for the ESP32 with IDF v4.4?

[ChrisAlfred]

... surely someone at Espressif must have done something similar, otherwise how did they test it and write the documentation???
It is interesting that there is a flash encryption example, but no secure boot nor both example.

[ESP_harshal]

Hello @ChrisAlfred,

You should first enable Flash Encryption and then Secure Boot as mentioned in the second point of the section "Restrictions after secire boot is enabled": https://docs.espressif.com/projects/esp ... is-enabled.

You could refer to the section "How to Enable Secure Boot V2" section in the secure boot documentation: https://docs.espressif.com/projects/esp ... re-boot-v2 to enable secure boot.

If you have a secure boot key already generated, then you only need to enable secure boot from the menu config and secure boot will get enabled on the next boot-up itself.

including exact command lines

This would be required only to generate a secure boot key (if not already generated). The command for generating the secure boot key is also mentioned in the documentation.

Similarly, for flash encryption, you could refer to this section in the Flash Encryption documentation: https://docs.espressif.com/projects/esp ... pment-mode to enable flash encryption.

The above mentioned section talks about two possible ways to enable flash encryption that depends on your preferred key generation workflow. If you have to use a pre-generated key on the host side then you should refer the "Using Host Generated Key" section.
If you prefer ESP32 (on-device) generated key, which we would recommend, you should refer to the "Using ESP32 Generated Key" section.

[ChrisAlfred]

I don't believe it is as easy as you say. I can successfully program encrypted flash OR secure boot - but not both.

(1) If I enable encrypted flash, let it boot and encrypt and reboot - then encrypted flash flash is working ok
(2) If I then enable secure boot, then the header is invalid.

I suspect the missing information is that once you have encrypted flash, the procedure provided by Espressif for secure boot is incorrect as it does not account for the flash now being encrypted.

I also want to know if this is possible using QEMU - I can't just keep bricking devices just because Espressif has not provided a real-world really tested step-by-step list of commands.

[ChrisAlfred]

Can someone PLEASE respond to this. It MUST have been done by Espressif at some point, so why not just show us EXACTLY what you did to prove it works.

I have now bricked 4 ESP32 dev boards because Espressif documentation is inadequate and poorly organised.

To try and push things along, this is what I have done - what is wrong with the sequence below?
** WARNING: THIS DOES NOT WORK AND WILL BRICK YOUR DEVICE **

(1) Create a flash encryption key
espsecure.py generate_flash_encryption_key flash_encryption_key.bin

(2) Flash to flash encryption key to device
espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption flash_encryption_key.bin

(3) Create secure boot private key
openssl genrsa -out sbv2_private.pem 3072

(4) Start from a simple hello work application, set menu configuration

Component config : ESP32-specfic
- Minimum Supported ESP32 Revision set to Rev 3

Security Features : [*] Enable flash encryption on boot
- Enable usage mode (Development NOT SECURE)

Security features : [*] Enable hardware secure Secure Boot
- Select secure boot version set to version 2

Security features: [*] Sign binaries during build

Security features:
- Secure boot private signing key set to sbv2_private.pem

Partition table:
- Offset to partition table set to 0x10000

(5) idf.py --port /dev/ttyUSB0 build

(6) idf.py --port /dev/ttyUSB0 flash

[ChrisAlfred]

?

[ChrisAlfred]

Any updates?

[ChrisAlfred]

Can someone PLEASE respond to this. It MUST have been done by Espressif at some point, so why not just show us EXACTLY what you did to prove it works.

[ESP_Mahavir]

Hello,

Sorry for the delayed reply!

In the instructions you shared, I was unable to see a command to flash the bootloader image. Please note that for secure boot enabled case, the default `idf.py flash` won't flash the bootloader on the device. If you could share more information about the eFuse summary, device console logs then it will be easier to analyze the problem.

I recommend that you try instructions per the guide here https://docs.espressif.com/projects/esp ... externally. This should allow you to enable both flash encryption and secure boot features on the device.

Yes, it is possible to use Qemu port of ESP32 to try out the security features. Please see release artifacts available here: https://github.com/espressif/qemu/releases. Getting started guide is available here: https://github.com/espressif/esp-toolch ... /README.md.

Hope this helps!

[Nespressif]

Hello,

Sorry for the delayed reply!

In the instructions you shared, I was unable to see a command to flash the bootloader image. Please note that for secure boot enabled case, the default `idf.py flash` won't flash the bootloader on the device. If you could share more information about the eFuse summary, device console logs then it will be easier to analyze the problem.

I recommend that you try instructions per the guide here https://docs.espressif.com/projects/esp ... externally. This should allow you to enable both flash encryption and secure boot features on the device.

Yes, it is possible to use Qemu port of ESP32 to try out the security features. Please see release artifacts available here: https://github.com/espressif/qemu/releases. Getting started guide is available here: https://github.com/espressif/esp-toolch ... /README.md.

Hope this helps!

Thanks for the help Mahavir, I am also having problems activating FE and SBv2 security as I explain in these posts:

https://esp32.com/viewtopic.php?f=13&t= ... 47#p127747
https://esp32.com/viewtopic.php?f=13&t=38358

I just have a couple of questions about the workflow for external activation of FE first and after SBv2:
1.- I imagine that this manual will be valid for any recent version of IDF, I am working with version 5.1.2.??? I ask because it is in the master branch and does not appear in the documentation of the version I use.
2.- Both workflows end with the same option: C Disable UART ROM DL mode: But it doesn't say anything. Uart Rom download mode is supposed to be permanently disabled when we enter the config menu to activate FE or SBv2. How and when exactly should it be done? This is my main doubt, the rest of the process seems clear.
I also ask this, since my two devices are locked, I think it was disabling the uart rom dl mode, the reason why I no longer have any access to them.

Thank you so much.