Documentation
Test preparation:
- Hardware preparation: an ESP32-S3 development board or module
- Software preparation: the esp-idf v5.0 SDK
Test steps:
- Generate the specified secure boot signing key
- Enable the secure boot configuration in software
- Flash the signed firmware
- Sign the new app.bin with the specified key
- Perform an OTA test with the signed app.bin
1. Generate the specified secure boot signing key
- You can use the esptool tool (espsecure.py) to run the following command to generate the specified secure boot signing key:
espsecure.py generate_signing_key secure_boot_signing_key.pem --version 2
secure_boot_signing_key.pem is the generated (custom-named) key file; --version 2 selects secure boot V2.
- You can also install the OpenSSL environment and run the following command to generate a secure boot signing key of type RSA 3072:
openssl genrsa -out my_secure_boot_signing_key.pem 3072
2. Enable the secure boot configuration in software
- Configure the software to enable the secure boot function.
- Put the key file in the current project directory and sign with the specified key.
- At the same time, pay attention to the setting of the UART ROM download mode configuration option. If you still need to flash (re-burn) firmware afterwards, you can set it as follows:
idf.py menuconfig -> Security features -> UART ROM download mode
3. Flash the signed firmware
- Since Secure Boot signs the secondary bootloader, the signed bootloader.bin produced by compilation becomes larger, so the default partition table offset needs to be adjusted:
idf.py menuconfig -> Partition Table
- Use the idf.py build command to compile the current project. After compilation completes, the signed bootloader.bin and app.bin, as well as the unsigned bootloader-unsigned.bin and app-unsigned.bin, are generated, as follows:
- Note that after compilation, flashing the firmware directly with the idf.py flash command will not flash the signed bootloader.bin; it only flashes partition-table.bin, ota_data_initial.bin and the signed blink.bin. You need to flash the signed bootloader.bin separately.
- To flash the signed bootloader.bin, you can use the idf.py bootloader-flash command to flash the signed bootloader.bin from the current project directory, as follows:
- After the firmware is flashed, it writes the secure boot signing key (its digest) and the secure boot control bits to eFuse the first time it runs, which completes the secure boot signing; see the following startup log:
- If secure download mode is not set, you can use the espefuse.py summary command to view the eFuse information; you can see that Secure Boot is enabled and that the secure boot signing key has been written to eFuse, as follows:
- If secure download mode is set, you can use the esptool.py --no-stub get_security_info command to view the security information in eFuse, as follows:
- According to "Table 52. Meanings corresponding to key usage values" in the "ESP32-S3 Technical Reference Manual", let's look at the meanings of the corresponding EFUSE_KEY_PURPOSE values.
Key_Purposes:(9,0,0,0,0,0,12)
The first eFuse key block has the value 9, indicating that a secure boot digest has already been burned into eFuse.
4. Sign the new app.bin with the specified key
- When updating the firmware by OTA, you need to sign the new app.bin with the secure boot signing key (secure_boot_signing_key.pem). For testing, use hello_world.bin and the following command:
espsecure.py sign_data --version 2 --keyfile secure_boot_signing_key.pem --output SIGNED_hello_world.bin hello_world.bin
secure_boot_signing_key.pem is the key file; SIGNED_hello_world.bin is the custom-named signed app.bin that is generated; hello_world.bin is the original unsigned app.bin.
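Two mistakes in steps 3 and 4 are easy to make and silent until boot fails: flashing an unsigned bootloader.bin/app.bin (or one whose image was rebuilt after signing), and a signed bootloader that has grown past the partition table offset. The following is an added example, not part of the original documentation or of ESP-IDF/esptool. It inspects a .bin on the host, before flashing or serving it for OTA, and reports whether it carries a Secure Boot V2 signature sector, whether the digest in that sector matches the image it is attached to, and whether the image still fits below the partition table offset. The layout constants (magic 0xE7, version 2, SHA-256 digest, RSA-3072 fields, CRC32, 1216-byte blocks in a 4 KB sector, digest over the sector-padded image, ESP32-S3 bootloader at 0x0 and partition table at 0x8000) are my reading of the Secure Boot V2 format and default ESP32-S3 layout and should be treated as assumptions; the helper that builds a sample signed image fills the RSA fields with dummy bytes, so it produces a structurally valid but cryptographically meaningless signature for testing the inspector only. RSA signature verification itself is not performed here; for that you need the public key and espsecure.py.

```python
import hashlib
import struct
import zlib

# Assumed Secure Boot V2 framing (see lead-in): one 4 KB sector appended to the
# sector-padded image, holding up to three 1216-byte signature blocks.
SECTOR = 4096
SIG_BLOCK_LEN = 1216
SIG_BLOCK_MAGIC = 0xE7
SIG_BLOCK_VERSION = 0x02
# Fields before the CRC: magic, version, 2 pad bytes, SHA-256 digest,
# RSA-3072 modulus, exponent, precalculated R, M', signature.
_SIG_HDR = struct.Struct("<BBxx32s384sI384sI384s")
# Assumed default ESP32-S3 layout: bootloader at 0x0, partition table at 0x8000
# (the value set under idf.py menuconfig -> Partition Table).
PARTITION_TABLE_OFFSET = 0x8000


def _pad(data: bytes, size: int, fill: bytes) -> bytes:
    rem = len(data) % size
    return data if rem == 0 else data + fill * (size - rem)


def make_constructed_signed_image(image: bytes) -> bytes:
    """CONSTRUCTED test input: append a signature sector to `image`.
    The RSA fields are dummy bytes, so this is NOT a valid signature; only the
    framing, the digest and the CRC are realistic."""
    body = _pad(image, SECTOR, b"\xff")           # digest covers the padded image
    digest = hashlib.sha256(body).digest()
    block = _SIG_HDR.pack(SIG_BLOCK_MAGIC, SIG_BLOCK_VERSION, digest,
                          b"\x11" * 384, 65537, b"\x22" * 384, 0, b"\x33" * 384)
    block += struct.pack("<I", zlib.crc32(block) & 0xFFFFFFFF)
    block = _pad(block, SIG_BLOCK_LEN, b"\x00")   # 16 zero bytes of padding
    return body + _pad(block, SECTOR, b"\xff")     # rest of the sector is 0xFF


def inspect_image(data: bytes) -> dict:
    """Report whether `data` ends in a Secure Boot V2 signature sector, how many
    signature blocks it holds, and whether every block's digest and CRC are
    consistent with the image body in front of the sector."""
    result = {"signed": False, "blocks": 0, "digest_ok": False, "crc_ok": False}
    if len(data) < 2 * SECTOR or len(data) % SECTOR != 0:
        return result                              # unsigned bins are not sector-aligned
    body, sector = data[:-SECTOR], data[-SECTOR:]
    expected = hashlib.sha256(body).digest()
    digest_ok = crc_ok = True
    for i in range(3):
        blk = sector[i * SIG_BLOCK_LEN:(i + 1) * SIG_BLOCK_LEN]
        if blk[0] != SIG_BLOCK_MAGIC or blk[1] != SIG_BLOCK_VERSION:
            break                                  # no further block in this sector
        stored_digest = _SIG_HDR.unpack_from(blk)[2]
        stored_crc = struct.unpack_from("<I", blk, _SIG_HDR.size)[0]
        crc_ok &= (zlib.crc32(blk[:_SIG_HDR.size]) & 0xFFFFFFFF) == stored_crc
        digest_ok &= stored_digest == expected     # image changed after signing?
        result["blocks"] += 1
    result["signed"] = result["blocks"] > 0
    result["digest_ok"] = result["signed"] and digest_ok
    result["crc_ok"] = result["signed"] and crc_ok
    return result


def fits_before_partition_table(image_len: int, offset: int = PARTITION_TABLE_OFFSET,
                                base: int = 0) -> bool:
    """True if an image flashed at `base` ends at or before the partition table
    offset. A signed bootloader flashed at 0x0 must stay below 0x8000 unless the
    partition table offset is raised in menuconfig."""
    return base + image_len <= offset


if __name__ == "__main__":
    sample = make_constructed_signed_image(b"\xe9" + b"A" * 5000)   # constructed image
    print(inspect_image(sample), fits_before_partition_table(len(sample)))
    print(inspect_image(b"A" * 5000))                                # reads as unsigned
```

In practice, read the real files with open("build/bootloader/bootloader.bin", "rb").read() and SIGNED_hello_world.bin; an image that reports signed but digest_ok False was modified after signing and will be rejected by the ROM/bootloader, while one that reports unsigned is the bootloader-unsigned.bin/app-unsigned.bin variant and must not be flashed or served for OTA.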
5. Perform an OTA test with the signed SIGNED_hello_world.bin
- The OTA test can be performed based on the simple_ota_example routine; see the "ESP32 HTTP OTA test" instructions. For example