Secure Boot 与 Flash encryption详情
请参考:https://blog.csdn.net/espressif/article/details/79362094
1、开发环境
- AT版本:2.4.0.0 发布
- IDF 与 python: idf4.3_py3.10_env
- 系统:虚拟机 + ubuntu 20
2、使能 secure boot 和 flash encrypt
./build.py menuconfig
3、单独编译bootloader生成 secure boot key
./build.py bootloader
4、使用 key 和 bootloader 计算 带 digest 的 bootloader
python $IDF_PATH/components/esptool_py/esptool/espsecure.py digest_secure_bootloader --keyfile ./build/bootloader/secure-bootloader-key-256.bin -o ./build/bootloader/bootloader_with_digest.bin ./build/bootloader/bootloader.bin
5、编译 partition_table 与 app
./build.py partition_table
./build.py app
6、加密三个 bin 文件
build/bootloader/bootloader_with_digest.bin
build/partition_table/partition-table.bin
build/esp-at.bin
export IDF_PATH=/home/henry/esp/esp-at/esp-idf//不同版本不一样我的这个版本是flash_encryption_key.bin,有的版本是flash_encrypt_key.bin
python $IDF_PATH/components/esptool_py/esptool/espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x0 -o build/bootloader/bootloader_with_digest_encrypt.bin build/bootloader/bootloader_with_digest.binpython $IDF_PATH/components/esptool_py/esptool/espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x8000 -o build/partition-table_encrypt.bin build/partition_table/partition-table.binpython $IDF_PATH/components/esptool_py/esptool/espsecure.py encrypt_flash_data --keyfile flash_encryption_key.bin --address 0x10000 -o build/esp-at_encrypt.bin build/esp-at.bin
得到三个加密后的bin文件
build/bootloader/bootloader_with_digest_encrypt.bin
build/partition-table_encrypt.bin
build/esp-at_encrypt.bin
7、烧写加密后的bin文件
build/bootloader/bootloader_with_digest_encrypt.bin 地址: 0x0
build/partition-table_encrypt.bin 地址: 0x8000
build/esp-at_encrypt.bin 地址:0x10000
python $IDF_PATH/components/esptool_py/esptool/esptool.py --baud 1152000 write_flash 0x0 build/bootloader/bootloader_with_digest_encrypt.bin
显示没有权限
开放权限
sudo chmod 777 /dev/ttyUSB2
再次烧录
python $IDF_PATH/components/esptool_py/esptool/esptool.py --baud 1152000 write_flash 0x0 build/bootloader/bootloader_with_digest_encrypt.bin
python $IDF_PATH/components/esptool_py/esptool/esptool.py --baud 1152000 write_flash 0x8000 build/partition-table_encrypt.bin
python $IDF_PATH/components/esptool_py/esptool/esptool.py --baud 1152000 write_flash 0x10000 build/esp-at_encrypt.bin
8、将 flash_encryption_key 烧入 efuse (仅在第一次boot前烧写)
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_key flash_encryption flash_encryption_key.bin
9、将 secure boot key 烧入efuse(仅在第一次boot前烧写)
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_key secure_boot ./build/bootloader/secure-bootloader-key-256.bin
10、烧写 efuse 中的控制标志(仅在第一次boot前烧写)
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_efuse ABS_DONE_0
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_efuse FLASH_CRYPT_CNT
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_efuse FLASH_CRYPT_CONFIG 0xf
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_efuse DISABLE_DL_ENCRYPT
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_efuse DISABLE_DL_DECRYPT
python $IDF_PATH/components/esptool_py/esptool/espefuse.py burn_efuse DISABLE_DL_CACHE