espressif / esp-idf

Espressif IoT Development Framework. Official development framework for Espressif SoCs.
Apache License 2.0
13.7k stars 7.29k forks source link

Secure boot check fails after reflashing bootloader (IDFGH-13425) #14331

Closed AmritpalSinghSarao closed 2 months ago

AmritpalSinghSarao commented 3 months ago

Answers checklist.

General issue report

I got new device and enabled the secure boot option and selected Secure bootloader mode (Reflashable) and attached the (secure_boot_signing_key.pem) Secure boot private signing key in menuconfig. Then I uploaded my firmware and everything worked fine. My question, is key is automatically burned into chip of secure boot? ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = True R/W (0b1)

if yes, in which BLOCK? Because in summary I don't see any BLOCK0 However, I faced some issue and mistakenly erased all the flash from 0x00 . According to docu, it should be fine as we have set re-flashable into config. After that I run the following command esptool.py --before default_reset --after no_reset write_flash --flash_mode dio --flash_freq 40m --flash_size 4MB 0x0 build/bootloader/bootloader-reflash-digest.bin --force and works fine. Then esptool.py --before default_reset --after no_reset --chip esp32 write_flash --flash_mode dio --flash_size 4MB --flash_freq 40m 0x20000 build/partition_table/partition-table.bin 0x68000 build/ota_data_initial.bin 0x70000 build/iot_c.bin After that I try to run with idf.py monitor but getting the following error.

rst:0x10 (RTCWDT_RTC_RESET),boot:0x1b (SPI_FAST_FLASH_BOOT) configsip: 0, SPIWP:0xee clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00 mode:DIO, clock div:2 load:0x3fff00b8,len:2280 load:0x40078000,len:21916 ho 0 tail 12 room 4 load:0x40080400,len:4 load:0x40080404,len:2856 secure boot check fail ets_main.c 371 ets Jun 8 2016 00:22:57

AmritpalSinghSarao commented 3 months ago

I was forgetting, when I flashed first time bootloader on 0x1000, everything worked fine. using ESP32

AmritpalSinghSarao commented 3 months ago

@sachin0x18 Can you help me please. Because I saw that you answered the similar question.

KonstantinKondrashov commented 3 months ago

Hi @AmritpalSinghSarao!

My question, is key is automatically burned into chip of secure boot?

Yes, at the first boot, the bootloader burns the key into the BLOCK2.

secure boot check fail

Try to write the bootloader-reflash-digest.bin without the --flash_mode dio --flash_freq 40m --flash_size 4MB flags I suspect that they are different from what you have in the binary file and esptool changes the bootloader image on the fly and do not change the signature.

esptool.py --before default_reset --after no_reset write_flash  0x0 build/bootloader/bootloader-reflash-digest.bin --force

Follow instructions in the doc to get Reflashable Software Bootloader - https://docs.espressif.com/projects/esp-idf/en/stable/esp32/security/secure-boot-v1.html#reflashable-software-bootloader.

AmritpalSinghSarao commented 3 months ago

@KonstantinKondrashov I run your command but have the same issue. Erasing the flash could have had impact on device? Just wondering is there any way to check if that bootloader was flashed with re-flashable mode not one-time? I am quite sure that we did with re-flashable mode which is our default setting.

Also changing the partition-table could have impact on that?

mahavirj commented 2 months ago

@AmritpalSinghSarao

Side-note: If you are using ESP32 with rev >= 3.0 then its highly recommended to use secure boot v2 scheme.

AmritpalSinghSarao commented 2 months ago

@mahavirj Thanks for your response.

AmritpalSinghSarao commented 2 months ago

@mahavirj

=== Run "summary" command === EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)

Calibration fuses: ADC_VREF (BLOCK0) True ADC reference voltage = 1156 R/W (0b01000)

Config fuses: WR_DIS (BLOCK0) Efuse write disable mask = 256 R/W (0x0100) RD_DIS (BLOCK0) Disable reading from BlOCK1-3 = 2 R/W (0x2) DISABLE_APP_CPU (BLOCK0) Disables APP CPU = False R/W (0b0) DISABLE_BT (BLOCK0) Disables Bluetooth = False R/W (0b0) DIS_CACHE (BLOCK0) Disables cache = False R/W (0b0) CHIP_CPU_FREQ_LOW (BLOCK0) If set alongside EFUSE_RD_CHIP_CPU_FREQ_RATED; the = False R/W (0b0) ESP32's max CPU frequency is rated for 160MHz. 24 0MHz otherwise
CHIP_CPU_FREQ_RATED (BLOCK0) If set; the ESP32's maximum CPU frequency has been = True R/W (0b1) rated
BLK3_PART_RESERVE (BLOCK0) BLOCK3 partially served for ADC calibration data = False R/W (0b0) CLK8M_FREQ (BLOCK0) 8MHz clock freq override = 54 R/W (0x36) VOL_LEVEL_HP_INV (BLOCK0) This field stores the voltage level for CPU to run = 0 R/W (0b00) at 240 MHz; or for flash/PSRAM to run at 80 MHz.0 x0: level 7; 0x1: level 6; 0x2: level 5; 0x3: leve l 4. (RO)
CODING_SCHEME (BLOCK0) Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00) CONSOLE_DEBUG_DISABLE (BLOCK0) Disable ROM BASIC interpreter fallback = True R/W (0b1) DISABLE_SDIO_HOST (BLOCK0) = False R/W (0b0) DISABLE_DL_CACHE (BLOCK0) Disable flash cache in UART bootloader = False R/W (0b0)

Flash fuses: FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 0 R/W (0b0000000) dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0) Flash encryption config (key tweak bits) = 0 R/W (0x0)

Identity fuses: CHIP_PACKAGE_4BIT (BLOCK0) Chip package identifier #4bit = False R/W (0b0) CHIP_PACKAGE (BLOCK0) Chip package identifier = 1 R/W (0b001) CHIP_VER_REV1 (BLOCK0) bit is set to 1 for rev1 silicon = True R/W (0b1) CHIP_VER_REV2 (BLOCK0) = False R/W (0b0) WAFER_VERSION_MINOR (BLOCK0) = 0 R/W (0b00) WAFER_VERSION_MAJOR (BLOCK0) calc WAFER VERSION MAJOR from CHIP_VER_REV1 and CH = 1 R/W (0b001) IP_VER_REV2 and apb_ctl_date (read only)
PKG_VERSION (BLOCK0) calc Chip package = CHIP_PACKAGE4BIT << 3 + CHIP = 1 R/W (0x1) PACKAGE (read only)

Jtag fuses: JTAG_DISABLE (BLOCK0) Disable JTAG = True R/W (0b1)

Mac fuses: MAC (BLOCK0) MAC address
= 94:3c:c6:b1:fe:10 (CRC 0x37 OK) R/W MAC_CRC (BLOCK0) CRC8 for MAC address = 55 R/W (0x37) MAC_VERSION (BLOCK3) Version of the MAC field = 0 R/W (0x00)

Security fuses: UART_DOWNLOAD_DIS (BLOCK0) Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0) newer; only
ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = True R/W (0b1) ABS_DONE_1 (BLOCK0) Secure boot V2 is enabled for bootloader image = False R/W (0b0) DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = False R/W (0b0) DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = False R/W (0b0) KEY_STATUS (BLOCK0) Usage of efuse block 3 (reserved) = False R/W (0b0) SECURE_VERSION (BLOCK3) Secure version for anti-rollback = 0 R/W (0x00000000) BLOCK1 (BLOCK1) Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W BLOCK2 (BLOCK2) Security boot key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/- BLOCK3 (BLOCK3) Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Spi Pad fuses: SPI_PAD_CONFIG_HD (BLOCK0) read for SPI_pad_config_hd = 0 R/W (0b00000) SPI_PAD_CONFIG_CLK (BLOCK0) Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000) SPI_PAD_CONFIG_Q (BLOCK0) Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000) SPI_PAD_CONFIG_D (BLOCK0) Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000) SPI_PAD_CONFIG_CS0 (BLOCK0) Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)

Vdd fuses: XPD_SDIO_REG (BLOCK0) read for XPD_SDIO_REG = False R/W (0b0) XPD_SDIO_TIEH (BLOCK0) If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0) XPD_SDIO_FORCE (BLOCK0) Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)

Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V)

#

Security features

# CONFIG_SECURE_SIGNED_ON_BOOT=y CONFIG_SECURE_SIGNED_ON_UPDATE=y CONFIG_SECURE_SIGNED_APPS=y CONFIG_SECURE_BOOT_V1_SUPPORTED=y CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME=y CONFIG_SECURE_BOOT=y CONFIG_SECURE_BOOT_V1_ENABLED=y

CONFIG_SECURE_BOOTLOADER_ONE_TIME_FLASH is not set

CONFIG_SECURE_BOOTLOADER_REFLASHABLE=y CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem" CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_256BIT=y

CONFIG_SECURE_BOOTLOADER_KEY_ENCODING_192BIT is not set

CONFIG_SECURE_BOOT_INSECURE is not set

CONFIG_SECURE_FLASH_ENC_ENABLED is not set

end of Security features

I went through the documentation again, if we run idf.py bootloader-flash, it will will generate the hardware generated key and will burn it, even though, we have selected the re-flashable option. To have, the re-flashable, I should have used my own key. I think, this might have created some confusion.

mahavirj commented 2 months ago

@AmritpalSinghSarao

The step to burn secure boot v1 specific key is highlighted in the documentation section here (step 4): https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/secure-boot-v1.html#reflashable-software-bootloader. If you have missed out on that then it is not possible to update the bootloader on this device.

FWIW, we are trying to integrate different security workflows through qemu (emulator) port for different targets. This will allow to establish the workflow under emulator setup and then it can be moved to real hardware. Please keep an eye on the documentation guide here: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/tools/qemu.html

Closing the issue, please feel free to re-open if you have more questions