SecureBoot and Encryption
Summary
In order to encrypt your firmware, you will need to build it from source. Our firmware source code can be found here, along with instructions on how to build it. Below you will find specific instructions on how to generate keys, and how to build and flash encrypted firmware.
1. Obtain keys (for Secure Boot and Flash Encryption)
2. Flash keys and parameters into efuses
3. Compile bootloader and application with `make SECURE=on`
4. Flash: bootloader digest at address `0x0`, encrypted; all the others (partitions and application) encrypted, too.
Prerequisites
Firstly you will need to set up the toolchain and download the source code. Detailed instructions on how to achieve this can be found here. Once you have completed this, open a terminal in the `esp32` folder of the firmware source code repo.
Next you will need keys for Flash Encryption and Secure Boot; they can be generated randomly with the following commands:
The Secure Boot key `secure_boot_signing_key.pem` has to be transformed into `secure-bootloader-key.bin`, to be burnt into efuses. This can be done in 2 ways:
or, as an artifact of the `make` build process, on the same directory level as `Makefile`
To flash the keys (`flash_encryption_key.bin` and `secure-bootloader-key.bin`) into the efuses (write and read protected), run the following commands (ignoring the lines that start with `#`):
Note: Irreversible operations
If the keys are not written into efuse before the bootloader is flashed, the ESP32 generates random keys itself; those can never be read nor re-written, so the bootloader can never be updated. Moreover, the application can then be re-flashed (by USB) only 3 more times.
Makefile options
`SECURE=on` is the main flag; it is not optional. If `SECURE=on` is given, the following defaults are set:
- encryption is enabled
- `secure_boot_signing_key.pem` is the secure boot key, located relative to `Makefile`
- `flash_encryption_key.bin` is the flash encryption key, located relative to `Makefile`
For flashing the bootloader digest and the encrypted versions of all binaries:
Flashing
For flashing, `bootloader-reflash-digest.bin` has to be written at address `0x0`, instead of `bootloader.bin` (at address `0x1000`).
The build is done using the `SECURE=on` option; additionally, all the binaries are pre-encrypted.
Manual flash command:
OTA update
The OTA update should be done using the pre-encrypted application image.
Because the encryption depends on the physical flash address, 2 application binaries are generated:
- `gpy.bin_enc_0x10000`, which has to be written at the default factory address `0x10000`
- `gpy.bin_enc_0x1A0000`, which has to be written at the `ota_0` partition address (`0x1A0000`)
Hint: on the MicroPython interface, the method `pycom.ota_slot()` responds with the address of the next available OTA partition (either `0x10000` or `0x1A0000`).
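Because each image is encrypted for one physical address, an update script must pick the binary whose address matches the slot it is about to write, and a secure flash must never write plain `bootloader.bin`. The following helpers are an added example (not Pycom firmware code) that encode those two checks; the file names and addresses come from this page, while the `_enc_0x<addr>` parsing, `select_ota_image` and `secure_flash_plan` are assumptions of this example.

```python
import re

# Partition addresses taken from the page: factory app slot and the ota_0 slot.
FACTORY_ADDR = 0x10000
OTA_0_ADDR = 0x1A0000
# A secure build flashes the bootloader digest at 0x0; the plain bootloader.bin
# (which would live at 0x1000) must not be written at all.
DIGEST_ADDR = 0x0
PLAIN_BOOTLOADER_ADDR = 0x1000

# The build names each pre-encrypted app image after the address it was
# encrypted for, e.g. gpy.bin_enc_0x10000 (naming convention from the page).
_ENC_SUFFIX = re.compile(r"^(?P<base>.+)_enc_0x(?P<addr>[0-9A-Fa-f]+)$")


def encrypted_image_address(filename):
    """Return the flash address a pre-encrypted image was built for, parsed from
    its _enc_0x<addr> suffix; raise ValueError for a plain (unencrypted) name."""
    m = _ENC_SUFFIX.match(filename)
    if m is None:
        raise ValueError(f"{filename!r} has no _enc_0x<addr> suffix; not pre-encrypted")
    return int(m.group("addr"), 16)


def select_ota_image(images, next_slot):
    """Pick the one image encrypted for the slot address that pycom.ota_slot()
    reported; an image built for the other slot cannot be decrypted there."""
    matches = [f for f in images if encrypted_image_address(f) == next_slot]
    if len(matches) != 1:
        raise ValueError(f"need exactly one image for 0x{next_slot:X}, got {matches}")
    return matches[0]


def secure_flash_plan(digest_file, app_images, partition_table=None):
    """Assemble sorted (address, file) pairs for a secure flash: digest at 0x0,
    each app image at the address baked into its name, optional pre-encrypted
    partition table given as an (address, file) pair. Rejects plain bootloader.bin
    and duplicate target addresses."""
    plan = [(DIGEST_ADDR, digest_file)]
    if partition_table is not None:
        plan.append(partition_table)
    for image in app_images:
        plan.append((encrypted_image_address(image), image))
    for addr, name in plan:
        if addr == PLAIN_BOOTLOADER_ADDR or name == "bootloader.bin":
            raise ValueError("write bootloader-reflash-digest.bin at 0x0, not bootloader.bin")
    if len({addr for addr, _ in plan}) != len(plan):
        raise ValueError("two files target the same flash address")
    return sorted(plan)
```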