Verify Bug for [espsecure.py] don't know if Secure Boot is okay

human890209
Posts: 54
Joined: Wed Aug 15, 2018 8:56 am

Verify Bug for [espsecure.py] don't know if Secure Boot is okay

Postby human890209 » Mon Sep 10, 2018 2:51 pm

Today, I tested the secure boot with flash encryption of ESP-IDF, I use a simple example and follow the instructions step by step.
Before that I tested the flash encryption only, I succeeded.
But enabled both, I got:
secure boot check fail
I bricked 2 Dev boards with the same monitor logging results.

Before making further tests which could probably cost me more dev boards, I tried to verify my app.bin with the espsecure.py on my PC.
And I've found that there is a bug in it.

I've found that espsecure.py can only verify the Data bin file with the signing private key. It worked with the private key.
espsecure.py v2.5.0
Verifying 216016 bytes of data
Signature is valid
I extract_public_key from the private key with espsecure.py extract_public_key command.
espsecure.py v2.5.0
secure_boot_signing_key.pem public key extracted to public_key.pem
And then I verify_signature the Data bin file with the generated public_key, an error occurs.
I paste the log here:
python espsecure.py verify_signature --keyfile public_key.pem VS_app_signed.bin
espsecure.py v2.5.0
Traceback (most recent call last):
File "espsecure.py", line 156, in verify_signature
sk = _load_key(args) # try to load as private key first
File "espsecure.py", line 123, in _load_key
sk = ecdsa.SigningKey.from_pem(args.keyfile.read())
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\keys.py", line 159, in from_pem
privkey_pem = string[string.index(b("-----BEGIN EC PRIVATE KEY-----")):]
ValueError: subsection not found

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "espsecure.py", line 401, in <module>
_main()
File "espsecure.py", line 394, in _main
main()
File "espsecure.py", line 389, in main
operation_func(args)
File "espsecure.py", line 160, in verify_signature
vk = ecdsa.VerifyingKey.from_pem(args.keyfile.read())
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\keys.py", line 52, in from_pem
return klass.from_der(der.unpem(string))
File "C:\Python37\lib\site-packages\ecdsa-0.13-py3.7.egg\ecdsa\der.py", line 191, in unpem
return base64.b64decode(d)
File "C:\Python37\lib\base64.py", line 87, in b64decode
return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
I doubt if the bootloader uses a similar method and could go wrong, too.
But at least the espsecure.py got a bug. So I reported here.

Hope someone experienced could tell me what does this means:
secure boot check fail
The error message is not very clear. I don't know if the bootloader's digest check fails and the bootloader is not booted at all. Or the signature of partitions table and app check fail.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Verify Bug for [espsecure.py] don't know if Secure Boot is okay

Postby ESP_Angus » Wed Sep 12, 2018 7:57 am

Thanks for reporting this. The extract_public_key command produces a raw binary public key file (suitable for embedding in the bootloader), and it's not compatible with the espsecure.py verification command. This will be fixed.

This is not a cause of the "secure boot check fail" message. This message comes from the ROM and indicates that the digest calculated for the bootloader.bin is invalid, so it's refusing to continue. I'll add some explanation of these messages to the Secure Boot documentation.

Will reply about your specific issue in the other thread.

human890209
Posts: 54
Joined: Wed Aug 15, 2018 8:56 am

Re: Verify Bug for [espsecure.py] don't know if Secure Boot is okay

Postby human890209 » Thu Sep 13, 2018 1:45 am

Thanks a lot :)

Who is online

Users browsing this forum: No registered users and 56 guests