Wrong chip type detected when using external SPI-conntected RAM and virtual efuses (IDFGH-9019)

[listout]

Answers checklist.

• [X] I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• [X] I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• [X] I have searched the issue tracker for a similar issue and not found a similar issue.

IDF version.

v4.4.3

Operating System used.

Linux

How did you build your project?

Command line with idf.py

If you are using Windows, please specify command line type.

None

Development Kit.

ESP32-PICO-DevKitM-2

Power Supply used.

USB

What is the expected behavior?

I was testing Secure boot (version 2) and flash encryption, to reduce the chances of bricking my device I decided to use virtual efuses (stored in flash). With all these three options enabled I can't run any application (in this case hello_world example from v4.4.3); the device would boot showing device informations and in the psram section it would show This chip is ESP32-D0WD whereas my chip is ESP32 Pico Mini V3 02, and after some time the device would reboot.

When I turn off SPIRAM support, the code/application runs as expected.

What is the actual behavior?

Application run and correct chip is detected with secure boot, flash encryption and virtual efuses enabled.

Steps to reproduce.

1. Clone/checkout v4.4.3 tag of ESP-IDF
2. Create/Copy a project
3. Run menuconfig and change the following settings (I've attached the minimal config below)
4. Change chip revision to 3
5. Turn on secure boot version 2
6. Turn on flash encryption (development mode)
7. Enable virtual efuses and keep efuses in flash

Debug Logs.

W (91) boot.esp32: eFuse virtual mode is enabled. If Secure boot or Flash encryption is enabled then it does not provide any security. FOR TESTING ONLY!
I (46) boot: ESP-IDF v4.4.3 2nd stage bootloader
I (46) boot: compile time 17:47:15
I (46) boot: chip revision: 3
I (49) boot.esp32: SPI Speed      : 40MHz
I (54) boot.esp32: SPI Mode       : DIO
I (58) boot.esp32: SPI Flash Size : 8MB
I (63) boot: Enabling RNG early entropy source...
I (68) boot: Partition Table:
I (72) boot: ## Label            Usage          Type ST Offset   Length
I (79) boot:  0 nvs              WiFi data        01 02 00023000 00005000
I (87) boot:  1 otadata          OTA data         01 00 00028000 00002000
I (94) boot:  2 phy_init         RF data          01 01 0002a000 00001000
I (101) boot:  3 factory          factory app      00 00 00030000 00200000
W (109) efuse: Loading virtual efuse blocks from real efuses
EFUSE_BLKx:
0) 0x00000000 0xfb6cf2ac 0x00aeac0b 0x0000ad00 0x00001334 0x0015de26 0x00000004 
1) 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 
2) 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 
3) 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 

I (148) boot:  4 efuse_em         efuse            01 05 00230000 00002000
I (156) boot:  5 nvs_key          NVS keys         01 04 00232000 00001000
I (163) boot: End of partition table
I (167) boot: Defaulting to factory image
I (172) esp_image: segment 0: paddr=00030020 vaddr=3f400020 size=0822ch ( 33324) map
I (193) esp_image: segment 1: paddr=00038254 vaddr=3ffb0000 size=02184h (  8580) load
I (196) esp_image: segment 2: paddr=0003a3e0 vaddr=40080000 size=05c38h ( 23608) load
I (209) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=15038h ( 86072) map
I (241) esp_image: segment 4: paddr=00055060 vaddr=40085c38 size=0588ch ( 22668) load
I (250) esp_image: segment 5: paddr=0005a8f4 vaddr=50000000 size=00010h (    16) load
I (251) esp_image: segment 6: paddr=0005a90c vaddr=00000000 size=056c4h ( 22212) 
I (265) esp_image: Verifying image signature...
I (266) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (272) secure_boot_v2: Verifying with RSA-PSS...
I (281) secure_boot_v2: Signature verified successfully!
I (288) boot: Loaded app from partition at offset 0x30000
I (289) secure_boot_v2: enabling secure boot v2...
I (294) efuse: Batch mode of writing fields is enabled
I (300) esp_image: segment 0: paddr=00001020 vaddr=3fff0140 size=038e0h ( 14560) 
I (314) esp_image: segment 1: paddr=00004908 vaddr=40078000 size=05e5ch ( 24156) 
I (325) esp_image: segment 2: paddr=0000a76c vaddr=40080400 size=00ee0h (  3808) 
I (327) esp_image: Verifying image signature...
I (331) secure_boot_v2: Secure boot V2 is not enabled yet and eFuse digest keys are not set
I (339) secure_boot_v2: Verifying with RSA-PSS...
I (348) secure_boot_v2: Signature verified successfully!
I (351) secure_boot_v2: Secure boot digests absent, generating..
I (374) secure_boot_v2: Digests successfully calculated, 1 valid signatures (image offset 0x1000)
I (374) secure_boot_v2: 1 signature block(s) found appended to the bootloader.
I (380) secure_boot_v2: Burning public key hash to eFuse
I (386) efuse: Writing EFUSE_BLK_KEY1 with purpose 3
I (450) secure_boot_v2: Digests successfully calculated, 1 valid signatures (image offset 0x30000)
I (451) secure_boot_v2: 1 signature block(s) found appended to the app.
I (456) secure_boot_v2: Application key(0) matches with bootloader key(0).
I (464) secure_boot_v2: blowing secure boot efuse...
I (469) secure_boot: Disable JTAG...
I (473) secure_boot: Disable ROM BASIC interpreter fallback...
W (480) secure_boot: UART ROM Download mode kept enabled - SECURITY COMPROMISED
W (488) efuse: Virtual efuses enabled: Not really burning eFuses
I (523) efuse: Batch mode. Prepared fields are committed
I (523) secure_boot_v2: Secure boot permanently enabled
I (524) boot: Checking flash encryption...
I (528) efuse: Batch mode of writing fields is enabled
I (535) flash_encrypt: Generating new flash encryption key...
I (541) efuse: Writing EFUSE_BLK_KEY0 with purpose 2
I (547) flash_encrypt: Setting CRYPT_CONFIG efuse to 0xF
W (552) flash_encrypt: Not disabling UART bootloader encryption
I (559) flash_encrypt: Disable UART bootloader decryption...
I (565) flash_encrypt: Disable UART bootloader MMU cache...
I (571) flash_encrypt: Disable JTAG...
I (576) flash_encrypt: Disable ROM BASIC interpreter fallback...
W (583) efuse: Virtual efuses enabled: Not really burning eFuses
I (618) efuse: Batch mode. Prepared fields are committed
I (618) esp_image: segment 0: paddr=00001020 vaddr=3fff0140 size=038e0h ( 14560) 
I (626) esp_image: segment 1: paddr=00004908 vaddr=40078000 size=05e5ch ( 24156) 
I (638) esp_image: segment 2: paddr=0000a76c vaddr=40080400 size=00ee0h (  3808) 
I (639) esp_image: Verifying image signature...
I (643) secure_boot_v2: Verifying with RSA-PSS...
I (652) secure_boot_v2: Signature verified successfully!

Logging is enabled into file log.hello_world.20221222175010.txt
I (1262) flash_encrypt: bootloader encrypted successfully
I (1332) flash_encrypt: partition table encrypted and loaded successfully
I (1332) flash_encrypt: Encrypting partition 1 at offset 0x28000 (length 0x2000)...
I (1348) flash_encrypt: Done encrypting
I (1348) esp_image: segment 0: paddr=00030020 vaddr=3f400020 size=0822ch ( 33324) map
I (1364) esp_image: segment 1: paddr=00038254 vaddr=3ffb0000 size=02184h (  8580) 
I (1367) esp_image: segment 2: paddr=0003a3e0 vaddr=40080000 size=05c38h ( 23608) 
I (1379) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=15038h ( 86072) map
I (1411) esp_image: segment 4: paddr=00055060 vaddr=40085c38 size=0588ch ( 22668) 
I (1419) esp_image: segment 5: paddr=0005a8f4 vaddr=50000000 size=00010h (    16) 
I (1419) esp_image: segment 6: paddr=0005a90c vaddr=00000000 size=056c4h ( 22212) 
I (1434) esp_image: Verifying image signature...
I (1435) secure_boot_v2: Verifying with RSA-PSS...
I (1441) secure_boot_v2: Signature verified successfully!
I (1443) flash_encrypt: Encrypting partition 3 at offset 0x30000 (length 0x200000)...
I (6809) flash_encrypt: Done encrypting
I (6809) flash_encrypt: Encrypting partition 5 at offset 0x232000 (length 0x1000)...
I (6816) flash_encrypt: Done encrypting
W (6816) efuse: Virtual efuses enabled: Not really burning eFuses
I (6850) flash_encrypt: Flash encryption completed
I (6850) boot: Resetting with flash encryption enabled...
ets Jul 29 2019 12:21:46

rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 271414342, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0140,len:14560
load:0x40078000,len:24156
load:0x40080400,len:3808
0x40080400: _init at ??:?

entry 0x40080698
W (118) boot.esp32: eFuse virtual mode is enabled. If Secure boot or Flash encryption is enabled then it does not provide any security. FOR TESTING ONLY!
I (83) boot: ESP-IDF v4.4.3 2nd stage bootloader
I (83) boot: compile time 17:47:15
I (83) boot: chip revision: 3
I (86) boot.esp32: SPI Speed      : 40MHz
I (91) boot.esp32: SPI Mode       : DIO
I (96) boot.esp32: SPI Flash Size : 8MB
I (100) boot: Enabling RNG early entropy source...
I (106) boot: Partition Table:
I (109) boot: ## Label            Usage          Type ST Offset   Length
I (117) boot:  0 nvs              WiFi data        01 02 00023000 00005000
I (124) boot:  1 otadata          OTA data         01 00 00028000 00002000
I (132) boot:  2 phy_init         RF data          01 01 0002a000 00001000
I (139) boot:  3 factory          factory app      00 00 00030000 00200000
W (147) efuse: Loading virtual efuse blocks from flash
EFUSE_BLKx:
0) 0x00110181 0xfb6cf2ac 0x00aeac0b 0x0000ad00 0x00001334 0xf015de26 0x00000364 
1) 0xb4aac958 0x06f40b71 0x8ce28737 0x19f246a0 0xd833eb39 0x64cde9f0 0x7c5952fe 0x38888ff0 
2) 0x45fec4a0 0xe7be4799 0xe0ef0eda 0x47332e2d 0x3d2c3fda 0x44d8cb7d 0x9bf6e84b 0x85c1b5dc 
3) 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 

I (185) boot:  4 efuse_em         efuse            01 05 00230000 00002000
I (193) boot:  5 nvs_key          NVS keys         01 04 00232000 00001000
I (201) boot: End of partition table
I (205) boot: Defaulting to factory image
I (209) esp_image: segment 0: paddr=00030020 vaddr=3f400020 size=0822ch ( 33324) map
I (230) esp_image: segment 1: paddr=00038254 vaddr=3ffb0000 size=02184h (  8580) load
I (234) esp_image: segment 2: paddr=0003a3e0 vaddr=40080000 size=05c38h ( 23608) load
I (247) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=15038h ( 86072) map
I (278) esp_image: segment 4: paddr=00055060 vaddr=40085c38 size=0588ch ( 22668) load
I (288) esp_image: segment 5: paddr=0005a8f4 vaddr=50000000 size=00010h (    16) load
I (288) esp_image: segment 6: paddr=0005a90c vaddr=00000000 size=056c4h ( 22212) 
I (303) esp_image: Verifying image signature...
I (303) secure_boot_v2: Verifying with RSA-PSS...
I (309) secure_boot_v2: Signature verified successfully!
I (317) boot: Loaded app from partition at offset 0x30000
I (317) secure_boot_v2: enabling secure boot v2...
I (323) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (330) boot: Checking flash encryption...
I (335) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
I (342) boot: Disabling RNG early entropy source...
I (359) psram: This chip is ESP32-D0WD
ets Jul 29 2019 12:21:46

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 271414342, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0140,len:14560
load:0x40078000,len:24156
load:0x40080400,len:3808
0x40080400: _init at ??:?

entry 0x40080698
W (92) boot.esp32: eFuse virtual mode is enabled. If Secure boot or Flash encryption is enabled then it does not provide any security. FOR TESTING ONLY!
I (46) boot: ESP-IDF v4.4.3 2nd stage bootloader
I (47) boot: compile time 17:47:15
I (47) boot: chip revision: 3
I (49) boot.esp32: SPI Speed      : 40MHz
I (54) boot.esp32: SPI Mode       : DIO
I (59) boot.esp32: SPI Flash Size : 8MB
I (63) boot: Enabling RNG early entropy source...
I (69) boot: Partition Table:
I (72) boot: ## Label            Usage          Type ST Offset   Length
I (79) boot:  0 nvs              WiFi data        01 02 00023000 00005000
I (87) boot:  1 otadata          OTA data         01 00 00028000 00002000
I (94) boot:  2 phy_init         RF data          01 01 0002a000 00001000
I (102) boot:  3 factory          factory app      00 00 00030000 00200000
W (109) efuse: Loading virtual efuse blocks from flash
EFUSE_BLKx:
0) 0x00110181 0xfb6cf2ac 0x00aeac0b 0x0000ad00 0x00001334 0xf015de26 0x00000364 
1) 0xb4aac958 0x06f40b71 0x8ce28737 0x19f246a0 0xd833eb39 0x64cde9f0 0x7c5952fe 0x38888ff0 
2) 0x45fec4a0 0xe7be4799 0xe0ef0eda 0x47332e2d 0x3d2c3fda 0x44d8cb7d 0x9bf6e84b 0x85c1b5dc 
3) 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000 

I (148) boot:  4 efuse_em         efuse            01 05 00230000 00002000
I (155) boot:  5 nvs_key          NVS keys         01 04 00232000 00001000
I (163) boot: End of partition table
I (167) boot: Defaulting to factory image
I (172) esp_image: segment 0: paddr=00030020 vaddr=3f400020 size=0822ch ( 33324) map
I (193) esp_image: segment 1: paddr=00038254 vaddr=3ffb0000 size=02184h (  8580) load
I (196) esp_image: segment 2: paddr=0003a3e0 vaddr=40080000 size=05c38h ( 23608) load
I (209) esp_image: segment 3: paddr=00040020 vaddr=400d0020 size=15038h ( 86072) map
I (241) esp_image: segment 4: paddr=00055060 vaddr=40085c38 size=0588ch ( 22668) load
I (250) esp_image: segment 5: paddr=0005a8f4 vaddr=50000000 size=00010h (    16) load
I (251) esp_image: segment 6: paddr=0005a90c vaddr=00000000 size=056c4h ( 22212) 
I (265) esp_image: Verifying image signature...
I (266) secure_boot_v2: Verifying with RSA-PSS...
I (272) secure_boot_v2: Signature verified successfully!
I (279) boot: Loaded app from partition at offset 0x30000
I (280) secure_boot_v2: enabling secure boot v2...
I (285) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (292) boot: Checking flash encryption...
I (297) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
I (305) boot: Disabling RNG early entropy source...
I (322) psram: This chip is ESP32-D0WD

More Information.

Minimal sdkconfig

CONFIG_SECURE_BOOT=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_ESPTOOLPY_FLASHSIZE_8MB=y
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_test.csv"
CONFIG_PARTITION_TABLE_OFFSET=0x22000
CONFIG_COMPILER_OPTIMIZATION_SIZE=y
CONFIG_EFUSE_VIRTUAL=y
CONFIG_EFUSE_VIRTUAL_KEEP_IN_FLASH=y
CONFIG_ESP32_REV_MIN_3=y
CONFIG_ESP32_DEFAULT_CPU_FREQ_240=y
CONFIG_ESP32_SPIRAM_SUPPORT=y
CONFIG_SPIRAM_ALLOW_BSS_SEG_EXTERNAL_MEMORY=y
CONFIG_SPIRAM_ALLOW_NOINIT_SEG_EXTERNAL_MEMORY=y
CONFIG_FREERTOS_HZ=1000

Partition table

# ESP-IDF Partition Table
# Name,   Type, SubType, Offset,  Size,   Flags
nvs,      data, nvs,           ,  20K,
otadata,  data, ota,           ,  8K,
phy_init, data, phy,           ,  4K,
factory,  app,  factory,       ,  2M,
efuse_em, data, efuse,         ,  0x2000,
nvs_key,  data, nvs_keys,      ,  0x1000, encrypted,

Code I used

/* Hello World Example

   This example code is in the Public Domain (or CC0 licensed, at your option.)

   Unless required by applicable law or agreed to in writing, this
   software is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
   CONDITIONS OF ANY KIND, either express or implied.
*/
#include <stdio.h>
#include "sdkconfig.h"
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "esp_system.h"
#include "esp_spi_flash.h"

void app_main(void)
{
    printf("Hello world!\n");

    /* Print chip information */
    esp_chip_info_t chip_info;
    esp_chip_info(&chip_info);
    printf("This is %s chip with %d CPU core(s), WiFi%s%s, ",
            CONFIG_IDF_TARGET,
            chip_info.cores,
            (chip_info.features & CHIP_FEATURE_BT) ? "/BT" : "",
            (chip_info.features & CHIP_FEATURE_BLE) ? "/BLE" : "");

    printf("silicon revision %d, ", chip_info.revision);

    printf("%dMB %s flash\n", spi_flash_get_chip_size() / (1024 * 1024),
            (chip_info.features & CHIP_FEATURE_EMB_FLASH) ? "embedded" : "external");

    printf("Minimum free heap size: %d bytes\n", esp_get_minimum_free_heap_size());

    for (int i = 10; i >= 0; i--) {
        printf("Restarting in %d seconds...\n", i);
        vTaskDelay(1000 / portTICK_PERIOD_MS);
    }
    printf("Restarting now.\n");
    fflush(stdout);
    esp_restart();
}

[listout]

Any help or ideas?

[mahavirj]

@listout

Probably esp_efuse_get_pkg_ver refers to the virtual EFuse block and reads an incorrect version as highlighted below:

https://github.com/espressif/esp-idf/blob/9ee3c8337d3c4f7914f62527e7f7c78d7167be95/components/efuse/src/esp_efuse_utility.c#L264-L268

As highlighted in the help for CONFIG_EFUSE_VIRTUAL, this features is primarily for the testing purpose and it is difficult to ensure functionality of all features with this config.

I would recommend that you try our qemu port for verifying security features on ESP32.

Hope this helps!

[listout]

Thank you @mahavirj. I've been using qemu for testing secure boot, unfortunately for flash encryption, it's not possible and the wiki says info added later.

[mahavirj]

Thanks for the feedback! I will update the wiki for the flash enc instructions and notify you.