ESP32-S3: Secure Boot signing with a specified key and an OTA test

Documentation

Test preparation:

  • Hardware preparation: ESP32-S3 development board or module
  • Software preparation: esp-idf v5.0 SDK

Test steps:

  • Generate the specified Secure Boot signing key
  • Enable the Secure Boot configuration in software
  • Flash the signed firmware
  • Sign the new app.bin with the specified key
  • Carry out an OTA test with the signed app.bin

1. Generate the specified Secure Boot signing key

  • You can use the espsecure.py tool shipped with esptool to generate the specified Secure Boot signing key with the following command:
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 2
  • secure_boot_signing_key.pem is the generated (custom-named) key file
  • --version 2 selects Secure Boot V2

  • Alternatively, an RSA-3072 signing key for Secure Boot V2 can be generated with openssl:
openssl genrsa -out my_secure_boot_signing_key.pem 3072


2. Enable the Secure Boot configuration in software

  • Enable the Secure Boot function in the software configuration
  • Put the key file in the current project directory and sign with the specified key
  • At the same time, pay attention to the UART ROM download mode configuration option. If you still need to flash firmware again afterwards, set it as follows:

idf.py menuconfig —> Security features —> UART ROM download mode




3. Flash the signed firmware

  • Since Secure Boot signs the second-stage bootloader, the signed bootloader.bin produced by compilation becomes larger, so the default partition table offset needs to be adjusted.

idf.py menuconfig —> Partition Table

  • Use the idf.py build command to compile the current project. After compilation completes, the signed bootloader.bin and app.bin, as well as the unsigned bootloader-unsigned.bin and app-unsigned.bin, are generated, as follows:


  • Note that after compilation, flashing directly with the idf.py flash command does not flash the signed bootloader.bin; it flashes only partition-table.bin, ota_data_initial.bin and the signed blink.bin. The signed bootloader.bin must be flashed separately.


  • To flash the signed bootloader.bin, use the idf.py bootloader-flash command, which flashes the signed bootloader.bin from the current project directory, as follows:


  • After the firmware is flashed, on its first boot it writes the Secure Boot signing key (digest) and the Secure Boot control bits to eFuse; see the following startup log:


  • If secure download mode has not been set, you can use the espefuse.py summary command to view the eFuse information; you will find that Secure Boot is enabled and the Secure Boot signing key has been written to eFuse, as follows:

  • If secure download mode has been set, you can use the esptool.py --no-stub get_security_info command to view the security information held in eFuse, as follows:


  • Key_Purposes: (9,0,0,0,0,0,12): the purpose of the first eFuse key block is 9, which indicates that a Secure Boot digest has already been burned into eFuse
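As an added example (not code from the original post), a small Python check that pulls the Key_Purposes tuple out of the get_security_info output and reports whether a Secure Boot digest is already burned; the mapping of purposes 10 and 11 to the other two digest slots is assumed from the ESP32-S3 key-purpose table, only 9 is confirmed by the post itself.

```python
import re

# eFuse key-purpose values that mark a Secure Boot V2 public-key digest.
# Assumption: taken from the ESP32-S3 key-purpose table (9, 10, 11 are the
# three digest slots); only 9 is confirmed by the post above.
SECURE_BOOT_DIGEST_PURPOSES = {
    9: "SECURE_BOOT_DIGEST0",
    10: "SECURE_BOOT_DIGEST1",
    11: "SECURE_BOOT_DIGEST2",
}

# Matches the tuple printed by `esptool.py --no-stub get_security_info`.
KEY_PURPOSES_RE = re.compile(r"Key_Purposes:\s*\(([^)]*)\)")


def parse_key_purposes(output):
    """Return the per-block key purposes as a list of ints."""
    match = KEY_PURPOSES_RE.search(output)
    if match is None:
        raise ValueError("no Key_Purposes line in get_security_info output")
    return [int(v) for v in match.group(1).split(",") if v.strip()]


def secure_boot_digest_blocks(purposes):
    """Map eFuse key-block index -> digest slot name for blocks holding a digest."""
    return {i: SECURE_BOOT_DIGEST_PURPOSES[p]
            for i, p in enumerate(purposes) if p in SECURE_BOOT_DIGEST_PURPOSES}


def check_secure_boot(output):
    """Summarise whether the device already carries a Secure Boot digest."""
    purposes = parse_key_purposes(output)
    blocks = secure_boot_digest_blocks(purposes)
    return {
        "purposes": purposes,
        "digest_blocks": blocks,
        "secure_boot_digest_burned": bool(blocks),
    }


# Constructed fragment mirroring the value quoted in the post (not real output).
SAMPLE_SECURITY_INFO = "Key_Purposes: (9, 0, 0, 0, 0, 0, 12)\n"

if __name__ == "__main__":
    print(check_secure_boot(SAMPLE_SECURITY_INFO))
    # -> digest in block 0 (SECURE_BOOT_DIGEST0), secure_boot_digest_burned True
```

Run it against the saved output of get_security_info to confirm the digest is present before attempting an OTA with a signed image.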

4. Sign the new app.bin with the specified key

  • When updating the firmware by OTA, the new app.bin must be signed with the Secure Boot signing key (secure_boot_signing_key.pem). hello_world.bin is used for the test, with the following command:
espsecure.py sign_data --version 2 --keyfile secure_boot_signing_key.pem --output SIGNED_hello_world.bin hello_world.bin


  • secure_boot_signing_key.pem is the key file
  • SIGNED_hello_world.bin is the custom name of the generated signed app.bin
  • hello_world.bin is the original unsigned app.bin

5. Carry out an OTA test with the signed SIGNED_hello_world.bin


Origin blog.csdn.net/Marchtwentytwo/article/details/131108003