-
Notifications
You must be signed in to change notification settings - Fork 7.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Identical app images for Secure Boot and Non-Secure Boot bootloaders (IDFGH-12079) #13139
Comments
Hi @jkronaw! We will discuss it internally. If you can try this way, that would be good. static esp_err_t get_secure_boot_key_digests(esp_image_sig_public_key_digests_t *public_key_digests)
{
if (!esp_secure_boot_enabled()) {
// Gets key digests from running app
ESP_LOGI(TAG, "Take trusted digest key(s) from running app");
return esp_secure_boot_get_signature_blocks_for_running_app(true, public_key_digests);
} else {
ESP_LOGI(TAG, "Take trusted digest key(s) from eFuse block(s)");
// Read key digests from efuse
esp_secure_boot_key_digests_t efuse_trusted;
if (esp_secure_boot_read_key_digests(&efuse_trusted) == ESP_OK) { |
replacing I found something else which probably should be addressed in that context. It applies when trying to do a factory reset by using const esp_partition_t *pFactory = esp_partition_find_first(ESP_PARTITION_TYPE_APP, ESP_PARTITION_SUBTYPE_APP_FACTORY, NULL);
if (pFactory && esp_ota_set_boot_partition(pFactory ) == ESP_OK) {
// do reboot
} When calling
Since the factory partition has been flashed along with the "no secure boot" bootloader, it does not have a signature block. When I flash a signed app manually to the factory slot and try the above factory reset again, it works.
I hope this helps. |
Hi @jkronaw! Another way would be to introduce a new Kconfig option like CONFIG_SECURE_BOOT_ALLOW_BOOT_UNSIGNED_FACTORY_APP and skip the error if (image_validate(partition, ESP_IMAGE_VERIFY) != ESP_OK) and only for the FACTORY partition. It's not good for me to add a new option that changes the behavior a little. const esp_partition_t *find_partition = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_OTA, NULL);
if (find_partition != NULL) {
return esp_partition_erase_range(find_partition, 0, find_partition->size);
} else {
return ESP_ERR_NOT_FOUND;
} Let me know if you are ok with using the erase approach in your code. |
Erasing the OTA partition achieves just the same thing. I tested it, it works. Thanks again, @KonstantinKondrashov. Will I hear from you about if or when changes regarding my use case will make it into master? BR |
Hi @jkronaw! I already created the MR in our internal repo, it is reviewing now. |
Sure, thanks! |
Secure Boot is great for production, yet an obstacle in development. Given the current ESP-IDF v5.1 features, we can either enable or disable secure boot but this configuration always affects bootloader and app image.
Let's say I flash 10 devices with secure boot off and 10 devices with secure boot on. If I want to update them all, I might try to use a OTA image that is signed with the correct key.
Installing this OTA image on the "secure boot off" bootloader devices works just fine. However, if I install a "secure boot on" OTA update on the "secure boot off" bootloader devices, I get the following error:
I can live with that error. However, what it implies is that the newly installed "secure boot on" image has lost updatability. It was compiled with the
CONFIG_SECURE_BOOT
option on and therefore will try to verify new OTA images with secure boot keys from the eFuses. These are not available however since we are running the "secure boot off" bootloader.Trying an OTA update anyway will fail with the following errors:
My initial hope of just being able to used signed binaries for all bootloader types is gone now.
Preferred Solution
I would appreciate a mechanism where a signed OTA image can also run on devices with bootloaders that have secure boot disabled. Has this use case never been considered or is there a technical reason why it is impossible?
Current Approach
Without modifying the ESP-IDF source code, the only solution for updating both secure boot and non secure boot devices is by two different OTA variants.
For testing purposes, we are running secure boot and non secure boot variants of our upcoming product in combination. The overhead of providing two update binaries instead of a single one despite functionally equivalent is not negligable in development and testing environments.
The text was updated successfully, but these errors were encountered: