Hi community… I am working with esp32-wroom-se under platformio and arduino framework…
I would like to ask if there are some libs or if it is possible to execute the secure boot and flash encryption?
Thanks @maxgerhardt
Not supported by the developers.
opened 12:47PM - 30 Nov 21 UTC
feature
I've been trying to compile signed binaries for OTA without secure boot and without flash encryption:
```
# Security features
#
CONFIG_SECURE_SIGNED_ON_UPDATE=y
CONFIG_SECURE_SIGNED_APPS=y
CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT=y
CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME=y
# CONFIG_SECURE_SIGNED_ON_BOOT_NO_SECURE_BOOT is not set
CONFIG_SECURE_SIGNED_ON_UPDATE_NO_SECURE_BOOT=y
# CONFIG_SECURE_BOOT is not set
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
# CONFIG_SECURE_FLASH_ENC_ENABLED is not set
# end of Security features
```
I've generated the signing key + signature_verification_key.bin out of it.
The compile process builds the signature_verification_key.bin.S file correctly in .pio/build/esp-pico/signature_verification_key.bin.S
But at some point of compilation it looks like the compiler is looking for the file in the wrong directory:
```
Compiling .pio\build\esp-pico\bootloader\bootloader_support\src\esp32\bootloader_esp32.o
*** [.pio\build\esp-pico\bootloader\signature_verification_key.bin.o] Source `.pio\build\esp-pico\bootloader\signature_verification_key.bin.S' not found, needed by target `.pio\build\esp-pico\bootloader\signature_verification_key.bin.o'.
```
If I put it there really fast before the compiler crashes, the compilation finishes correctly. Moreover, the binary does the signature verification correctly during OTA, but it's not signed itself - I gotta sign it manually with espsecure.py.
Any idea what I am missing?
opened 12:14PM - 03 Feb 22 UTC
feature
Arduino
ESP-IDF
Hello,
I have an arduino project for ESP32.
I'd like to enable flash encryption.
I moved to "arduino, espidf". It's building.
Now, I'd like to rebuild the bootloader to enable flash encryption and use this custom bootloader.
Is there any possibility? If yes, can it be documented?
Plus if you have an older revision ESP32, this is broken anyways: Espressif ESP32: Bypassing Secure Boot using EMFI
Thanks @maxgerhardt … so what do you suggest to do?
If you want a signed + encrypted firmware, the only way I see that happening is when you use the native ESP-IDF toolchain and add Arduino as an ESP-IDF component, then use the ESP-IDF’s menuconfig etc. tooling to generate your signed binaries. I.e., don’t use PlatformIO for this.
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/get-started/index.html#
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v2.html
https://docs.espressif.com/projects/arduino-esp32/en/latest/esp-idf_component.html
what about this…
It seems he was able to do it…
What do you think @maxgerhardt
This is basically using ESP-IDF’s secure boot + flash encryption firmware, just all the steps manually executed.
And … he only enabled encryption without secure boot. Getting both going is the tricky bit.