How to do 16 byte alignment in Secure boot Flash encryption #3215
Comments
Hi @Raghav3107, 16 byte aligned means the memory address of your data needs to be a multiple of 16. According to the error message "size should be 16byte aligned", it requires your image size to be 16 byte aligned. In your case your .bin file size is 12,89,508 bytes; you may pad it with some 0s at the end to make the size 12,89,510 bytes, which is 16 byte aligned. I guess this requirement is coming from the underlying block encryption algorithm. Hope it can help you. Regards,
Hello @mingyue86010
I did not understand how I should pad with 0's to increase the size by two bytes. Thanks!!
Hi @Raghav3107, For padding you need to check the tools that generate your OTA image. Or you can check your linker to see how to do this. From your log I also notice another potential problem: you probably need to align the address as well. I found some docs on the ESP website: https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/system/ota.html --> esp_ota_write_with_offset(), which requires that data be 16 byte aligned. Then further to their SPI flash doc: You have the error Regards,
Hello @mingyue86010
I divided 12,89,510 by 16 and I got 80594.375. So, I think it is also not 16 byte aligned.
Can you tell me where I will find the tools that generate the OTA image?
I did not understand this. Which linker are you talking about? Where will I find it? If possible, can you clarify in detail how I should align the file to 16 bytes? Thanks for your response.
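The size arithmetic from the exchange above, as an added example that is not part of the thread or of ESP-IDF: it reports how far a size is from the next multiple of 16, using the two sizes quoted in the comments and a constructed 100-byte stand-in file. The function names are hypothetical.

```python
import os
import tempfile

BLOCK = 16  # granularity named in the esp_ota_ops error message


def pad_needed(size: int, block: int = BLOCK) -> int:
    """Bytes that would have to be appended to reach a multiple of block."""
    return -size % block


def size_report(size: int, block: int = BLOCK) -> dict:
    """Summarise where a given image size sits relative to the block boundary."""
    pad = pad_needed(size, block)
    return {
        "size": size,
        "remainder": size % block,
        "pad": pad,
        "padded_size": size + pad,
        "aligned": pad == 0,
    }


def check_image(path: str, block: int = BLOCK) -> dict:
    """Report on a file on disk without modifying it."""
    return size_report(os.path.getsize(path), block)


def demo() -> list:
    """Reports for the two sizes quoted in the thread and one constructed file."""
    reports = [size_report(1289508), size_report(1289510)]
    # Constructed stand-in for a .bin file: 100 bytes of filler, not a real image.
    with tempfile.NamedTemporaryFile(suffix=".bin", delete=False) as f:
        f.write(b"\xa5" * 100)
    try:
        reports.append(check_image(f.name))
    finally:
        os.unlink(f.name)
    return reports


if __name__ == "__main__":
    for report in demo():
        print(report)
```

The check only reads the file; appending bytes to an already built image changes any digest or signature computed over it, so an unaligned result is a reason to revisit how the image was built.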
Hi @Raghav3107, It looks like it is some requirement by Espressif. Maybe it's better to put this question to the Espressif forum https://www.esp32.com/viewforum.php?f=23, they may have more insight into this. The ESP32 secure bootloader has the requirement of 16 byte image size and address alignment, and they also have the requirement of partition alignment as in https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-guides/partition-tables.html#offset-size. With some investigation by myself:
Hope this information can help you debug this issue. Thanks, Ming Yue
Hi @Raghav3107, could you share the steps you performed to generate the OTA image? From the error logs I think you have not enabled the secure boot and flash encryption options in menuconfig while generating the OTA image. The ESP-IDF build system takes care of alignment by padding the binary only when security features are enabled. This restriction of 16 byte alignment is not applicable when security features are disabled. Thanks,
Hello @shubhamkulkarni97 So, I simply generated the OTA image bin file without enabling secure boot and flash encryption. That time I got the above error. But today I tried enabling secure boot and flash encryption and built the project. After that I got two project bin files, i.e.
Then I create OTA job using
Hello @shubhamkulkarni97 Thanks for the help.
Hi @Raghav3107, Typical OTA Update workflow is as follows:
We write signature from step 4 to flash at the end of image (you can check here) and since security scheme (ECDSA + SHA256) is compatible with secure boot scheme in ESP32, it works well for validation as well. You can follow these steps to correctly perform OTA Update:
Hope this fixes your issue! Thanks,
Hello @shubhamkulkarni97
Can you explain this? What I understand from this is that I have to enable secure boot and flash encryption in menuconfig, build the program and generate the .bin file. Now I have to use this bin file for the OTA. Am I right? If I'm right, by doing so I'm getting the error "E (552870) esp_ota_ops: size should be 16byte aligned for flash encryption case", an alignment issue. Then I turned off secure boot and flash encryption in menuconfig, built the program and used that bin file for the OTA, and surprisingly it partially worked, meaning I did not get any issue initially after downloading the bin file on the ESP, but when the ESP tries to test the OTA image it crashes. I don't have any issue in the program; the program works perfectly when I flash it.
@Raghav3107,
You are right. Once you enable secure boot and flash encryption on a device, you should keep it enabled in menuconfig for generating all images (for flashing and for OTA).
You should always upload the unsigned binary as the OTA image (e.g. aws_demos-unsigned.bin). You are observing this error because of uploading the signed binary (e.g. aws_demos.bin). I'm not able to point to the reason for the crash, but most probably it occurs because you have generated the OTA image with flash encryption and secure boot disabled.
Hello @shubhamkulkarni97 it worked.
Hello everyone,
I was trying to run OTA on a secure boot and flash encrypted ESP32 device. At first, I tried to update with encrypted .bin files and it failed. I got some clarification that right now ESP32 does not support a pre-encrypted image for OTA; instead it takes a plain-text image and encrypts it using the internal flash encryption hardware.
So, I tried to do OTA using a plain text .bin file at but I got an error on that.
Log:
Partition table which I'm using:
My .bin file size is
12,89,508 bytes
What does this mean?
E (552870) esp_ota_ops: size should be 16byte aligned for flash encryption case