Within the Espressif documentation titled, "Enable Flash Encryption Externally" [1], is a series of commands for encrypting binaries on a host machine. The first command encrypts a bootloader image using address "0x1000". I am confused by the use of this address in the example. It is my understanding that "0x1000" is the address of the first-stage bootloader and "0x0" is the address of the second-stage bootloader. An unencrypted bootloader.bin created during the build process of a firmware application would be flashed to the second-stage address (0x0). Yet, in this flash encryption example we seem to be assigning this bootloader.bin to the primary address (0x1000).
Why would a non-encrypted bootloader.bin be flashed to 0x0 whereas an encrypted flash writes bootloader.bin to 0x1000? Is this a bug in documentation? Please clarify.
Thanks
[1] https://docs.espressif.com/projects/esp ... externally
Clarification required regarding encrypted flash bootloader address
Re: Clarification required regarding encrypted flash bootloader address
https://docs.espressif.com/projects/esp ... bootloader
The flashing command also mentions the address 0x1000, example:
Bootloader/app can be signed or unsigned (CONFIG_SECURE_BOOT, CONFIG_SECURE_BOOT_SIGNING_KEY).
App can be encrypted:
https://docs.espressif.com/projects/esp ... artup.html...On ESP32, the bootloader image should be flashed by ESP-IDF at offset 0x1000.
Second stage bootloader binary image is loaded from flash starting at address 0x1000. If Secure Boot is in use then the first 4 kB sector of flash is used to store secure boot IV and digest of the bootloader image. Otherwise, this sector is unused.
The flashing command also mentions the address 0x1000, example:
/Users/user/.espressif/python_env/idf5.1_py3.11_env/bin/python ../../../esp/esp-idf/components/esptool_py/esptool/esptool.py -p /dev/cu.usbserial-1140 -b 460800 --before default_reset --after hard_reset --chip esp32s2 --no-stub write_flash --flash_mode dio --flash_size 2MB --flash_freq 80m 0x1000 build/bootloader/bootloader.bin 0xa000 build/partition_table/partition-table.bin 0x20000 build/app.bin
Bootloader/app can be signed or unsigned (CONFIG_SECURE_BOOT, CONFIG_SECURE_BOOT_SIGNING_KEY).
App can be encrypted:
python managed_components/espressif__esp_encrypted_img/tools/esp_enc_img_gen.py encrypt ./build/app.bin ./secrets/encrypted_img_key.pem ./build/app_encrypted.bin
Who is online
Users browsing this forum: No registered users and 81 guests