I first wrote a key, key.bin, myself on the host and then burned it to the ESP32-S2:

```
PS D:\ESP-IDF\test\hello_world> D:\ESP-IDF\.espressif\python_env\idf5.1_py3.8_env\Scripts\python.exe D:\ESP-IDF\esp-idf\components\esptool_py\esptool\espefuse.py --port COM22 burn_key BLOCK_KEY0 key.bin XTS_AES_128_KEY
espefuse.py v4.6.2
Connecting....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Detecting chip type... ESP32-S2

=== Run "burn_key" command ===
Sensitive data will be hidden (see --show-sensitive-info)
Burn keys to blocks:
 - BLOCK_KEY0 -> [?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??]
        Reversing byte order for AES-XTS hardware peripheral
        'KEY_PURPOSE_0': 'USER' -> 'XTS_AES_128_KEY'.
        Disabling write to 'KEY_PURPOSE_0'.
        Disabling read to key block
        Disabling write to key block

Check all blocks for burn...
idx, BLOCK_NAME, Conclusion
[00] BLOCK0 is empty, will burn the new value
[04] BLOCK_KEY0 is empty, will burn the new value
.
This is an irreversible operation!
Type 'BURN' (all capitals) to continue.
BURN
BURN BLOCK4 - OK (write block == read block)
BURN BLOCK0 - OK (write block == read block)
Reading updated efuses...
Successful
PS D:\ESP-IDF\test\hello_world>
```

Then I enabled flash encryption in the project configuration, without using UART secure mode and keeping the UART download function, and flashed the project to the ESP32-S2. On the first boot I could observe the ESP32-S2's encryption process. Then I modified the code, rebuilt, and used key.bin to pre-encrypt the firmware:

```
PS D:\ESP-IDF\test\hello_world> D:\ESP-IDF\.espressif\python_env\idf5.1_py3.8_env\Scripts\python.exe D:\ESP-IDF\esp-idf\components\esptool_py\esptool\espsecure.py encrypt_flash_data --aes_xts --keyfile key.bin --address 0x10000 --output my-app-ciphertext.bin build/bootloader/bootloader.bin
espsecure.py v4.6.2
Using 256-bit key
PS D:\ESP-IDF\test\hello_world>
```

Then I flashed it to the ESP32-S2. After a reset the ESP32-S2 would not run, and the monitor window showed the following output:

```
ESP-ROM:esp32s2-rc4-20191025
Build:Oct 25 2019
rst:0x1 (POWERON),boot:0xf (SPI_FAST_FLASH_BOOT)
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
invalid header: 0xefa1f13d
```

Next I read the eFuse information from the ESP32-S2:

```
PS D:\ESP-IDF\test\hello_world> D:\ESP-IDF\.espressif\python_env\idf5.1_py3.8_env\Scripts\python.exe D:\ESP-IDF\esp-idf\components\esptool_py\esptool\espefuse.py -p COM22 summary
espefuse.py v4.6.2
Connecting.............
Detecting chip type... Unsupported detection protocol, switching and trying again...
Detecting chip type... ESP32-S2

=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
ADC_CALIB (BLOCK2) 4 bit of ADC calibration = 0 R/W (0x0)
TEMP_CALIB (BLOCK2) Temperature calibration data = -5.6000000000000005 R/W (0b100111000)
RTCCALIB_V1IDX_A10H (BLOCK2) = 140 R/W (0x8c)
RTCCALIB_V1IDX_A11H (BLOCK2) = 138 R/W (0x8a)
RTCCALIB_V1IDX_A12H (BLOCK2) = 137 R/W (0x89)
RTCCALIB_V1IDX_A13H (BLOCK2) = 133 R/W (0x85)
RTCCALIB_V1IDX_A20H (BLOCK2) = 144 R/W (0x90)
RTCCALIB_V1IDX_A21H (BLOCK2) = 143 R/W (0x8f)
RTCCALIB_V1IDX_A22H (BLOCK2) = 141 R/W (0x8d)
RTCCALIB_V1IDX_A23H (BLOCK2) = 141 R/W (0x8d)
RTCCALIB_V1IDX_A10L (BLOCK2) = 38 R/W (0b100110)
RTCCALIB_V1IDX_A11L (BLOCK2) = 36 R/W (0b100100)
RTCCALIB_V1IDX_A12L (BLOCK2) = 35 R/W (0b100011)
RTCCALIB_V1IDX_A13L (BLOCK2) = 33 R/W (0b100001)
RTCCALIB_V1IDX_A20L (BLOCK2) = 40 R/W (0b101000)
RTCCALIB_V1IDX_A21L (BLOCK2) = 38 R/W (0b100110)
RTCCALIB_V1IDX_A22L (BLOCK2) = 37 R/W (0b100101)
RTCCALIB_V1IDX_A23L (BLOCK2) = 34 R/W (0b100010)

Config fuses:
WR_DIS (BLOCK0) Disable programming of individual eFuses = 8388868 R/W (0x00800104)
RD_DIS (BLOCK0) Disable reading from BlOCK4-10 = 1 R/W (0b0000001)
DIS_ICACHE (BLOCK0) Set this bit to disable Icache = False R/- (0b0)
DIS_DCACHE (BLOCK0) Set this bit to disable Dcache = False R/- (0b0)
DIS_TWAI (BLOCK0) Set this bit to disable the TWAI Controller functi = False R/- (0b0)
    on
DIS_BOOT_REMAP (BLOCK0) Disables capability to Remap RAM to ROM address sp = True R/- (0b1)
    ace
DIS_LEGACY_SPI_BOOT (BLOCK0) Set this bit to disable Legacy SPI boot mode = True R/W (0b1)
UART_PRINT_CHANNEL (BLOCK0) Selects the default UART for printing boot message = UART0 R/W (0b0)
    s
UART_PRINT_CONTROL (BLOCK0) Set the default UART boot message output mode = Enable R/W (0b00)
PIN_POWER_SELECTION (BLOCK0) Set default power supply for GPIO33-GPIO37; set wh = VDD3P3_CPU R/W (0b0)
    en SPI flash is initialized
BLOCK_USR_DATA (BLOCK3) User data
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_SYS_DATA2 (BLOCK10) System data part 2 (reserved)
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash fuses:
FLASH_TPUW (BLOCK0) Configures flash startup delay after SoC power-up; = 0 R/W (0x0)
    in unit of (ms/2). When the value is 15; delay is 7.5 ms
FLASH_TYPE (BLOCK0) SPI flash type = 4 data lines R/W (0b0)
FORCE_SEND_RESUME (BLOCK0) If set; forces ROM code to send an SPI flash resum = False R/W (0b0)
    e command during SPI boot
FLASH_VERSION (BLOCK1) Flash version = 2 R/W (0x2)

Identity fuses:
BLOCK0_VERSION (BLOCK0) BLOCK0 efuse version = 0 R/W (0b00)
DISABLE_WAFER_VERSION_MAJOR (BLOCK0) Disables check of wafer version major = False R/W (0b0)
DISABLE_BLK_VERSION_MAJOR (BLOCK0) Disables check of blk version major = False R/W (0b0)
WAFER_VERSION_MAJOR (BLOCK1) WAFER_VERSION_MAJOR = 0 R/W (0b00)
WAFER_VERSION_MINOR_HI (BLOCK1) WAFER_VERSION_MINOR most significant bit = False R/W (0b0)
BLK_VERSION_MAJOR (BLOCK1) BLK_VERSION_MAJOR = 0 R/W (0b00)
PSRAM_VERSION (BLOCK1) PSRAM version = 0 R/W (0x0)
PKG_VERSION (BLOCK1) Package version = 0 R/W (0x0)
WAFER_VERSION_MINOR_LO (BLOCK1) WAFER_VERSION_MINOR least significant bits = 0 R/W (0b000)
OPTIONAL_UNIQUE_ID (BLOCK2) Optional unique 128-bit ID
    = 9c 50 0f 91 b0 b3 c0 73 47 61 fc cd b1 ec 13 4d R/W
BLK_VERSION_MINOR (BLOCK2) BLK_VERSION_MINOR of BLOCK2 = ADC calib V1 R/W (0b001)
WAFER_VERSION_MINOR (BLOCK0) calc WAFER VERSION MINOR = WAFER_VERSION_MINOR_HI = 0 R/W (0x0)
    << 3 + WAFER_VERSION_MINOR_LO (read only)

Jtag fuses:
SOFT_DIS_JTAG (BLOCK0) Software disables JTAG. When software disabled; JT = False R/- (0b0)
    AG can be activated temporarily by HMAC peripheral
HARD_DIS_JTAG (BLOCK0) Hardware disables JTAG permanently = True R/- (0b1)

Mac fuses:
MAC (BLOCK1) MAC address
    = 84:f7:03:e0:a3:96 (OK) R/W
CUSTOM_MAC (BLOCK3) Custom MAC
    = 00:00:00:00:00:00 (OK) R/W

Security fuses:
DIS_DOWNLOAD_ICACHE (BLOCK0) Disables Icache when SoC is in Download mode = True R/- (0b1)
DIS_DOWNLOAD_DCACHE (BLOCK0) Disables Dcache when SoC is in Download mode = True R/- (0b1)
DIS_FORCE_DOWNLOAD (BLOCK0) Set this bit to disable the function that forces c = False R/- (0b0)
    hip into download mode
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0) Disables flash encryption when in download boot mo = True R/- (0b1)
    des
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set = Enable R/W (0b111)
    and disabled otherwise
SECURE_BOOT_KEY_REVOKE0 (BLOCK0) Revoke 1st secure boot key = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0) Revoke 2nd secure boot key = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0) Revoke 3rd secure boot key = False R/W (0b0)
KEY_PURPOSE_0 (BLOCK0) Purpose of KEY0 = XTS_AES_128_KEY R/- (0x4)
KEY_PURPOSE_1 (BLOCK0) Purpose of KEY1 = USER R/W (0x0)
KEY_PURPOSE_2 (BLOCK0) Purpose of KEY2 = USER R/W (0x0)
KEY_PURPOSE_3 (BLOCK0) Purpose of KEY3 = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0) Purpose of KEY4 = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0) Purpose of KEY5 = USER R/W (0x0)
SECURE_BOOT_EN (BLOCK0) Set this bit to enable secure boot = False R/W (0b0)
SECURE_BOOT_AGGRESSIVE_REVOKE (BLOCK0) Set this bit to enable aggressive secure boot key = False R/W (0b0)
    revocation mode
DIS_DOWNLOAD_MODE (BLOCK0) Set this bit to disable all download boot modes = False R/W (0b0)
ENABLE_SECURITY_DOWNLOAD (BLOCK0) Set this bit to enable secure UART download mode ( = False R/W (0b0)
    read/write flash only)
SECURE_VERSION (BLOCK0) Secure version (used by ESP-IDF anti-rollback feat = 0 R/W (0x0000)
    ure)
BLOCK_KEY0 (BLOCK4) Purpose: XTS_AES_128_KEY Key0 or user data
    = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK_KEY1 (BLOCK5) Purpose: USER Key1 or user data
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY2 (BLOCK6) Purpose: USER Key2 or user data
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY3 (BLOCK7) Purpose: USER Key3 or user data
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY4 (BLOCK8) Purpose: USER Key4 or user data
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY5 (BLOCK9) Purpose: USER Key5 or user data
    = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Spi Pad fuses:
SPI_PAD_CONFIG_CLK (BLOCK1) SPI_PAD_configure CLK = 0 R/W (0b000000)
SPI_PAD_CONFIG_Q (BLOCK1) SPI_PAD_configure Q(D1) = 0 R/W (0b000000)
SPI_PAD_CONFIG_D (BLOCK1) SPI_PAD_configure D(D0) = 0 R/W (0b000000)
SPI_PAD_CONFIG_CS (BLOCK1) SPI_PAD_configure CS = 0 R/W (0b000000)
SPI_PAD_CONFIG_HD (BLOCK1) SPI_PAD_configure HD(D3) = 0 R/W (0b000000)
SPI_PAD_CONFIG_WP (BLOCK1) SPI_PAD_configure WP(D2) = 0 R/W (0b000000)
SPI_PAD_CONFIG_DQS (BLOCK1) SPI_PAD_configure DQS = 0 R/W (0b000000)
SPI_PAD_CONFIG_D4 (BLOCK1) SPI_PAD_configure D4 = 0 R/W (0b000000)
SPI_PAD_CONFIG_D5 (BLOCK1) SPI_PAD_configure D5 = 0 R/W (0b000000)
SPI_PAD_CONFIG_D6 (BLOCK1) SPI_PAD_configure D6 = 0 R/W (0b000000)
SPI_PAD_CONFIG_D7 (BLOCK1) SPI_PAD_configure D7 = 0 R/W (0b000000)

Usb fuses:
DIS_USB (BLOCK0) Set this bit to disable USB OTG function = False R/- (0b0)
USB_EXCHG_PINS (BLOCK0) Set this bit to exchange USB D+ and D- pins = False R/W (0b0)
USB_EXT_PHY_ENABLE (BLOCK0) Set this bit to enable external USB PHY = False R/W (0b0)
USB_FORCE_NOPERSIST (BLOCK0) If set; forces USB BVALID to 1 = False R/W (0b0)
DIS_USB_DOWNLOAD_MODE (BLOCK0) Set this bit to disable use of USB OTG in UART dow = False R/W (0b0)
    nload boot mode

Vdd fuses:
VDD_SPI_XPD (BLOCK0) If VDD_SPI_FORCE is 1; this value determines if th = False R/W (0b0)
    e VDD_SPI regulator is powered on
VDD_SPI_TIEH (BLOCK0) If VDD_SPI_FORCE is 1; determines VDD_SPI voltage
    = VDD_SPI connects to 1.8 V LDO R/W (0b0)
VDD_SPI_FORCE (BLOCK0) Set this bit to use XPD_VDD_PSI_REG and VDD_SPI_TI = False R/W (0b0)
    EH to configure VDD_SPI LDO

Wdt fuses:
WDT_DELAY_SEL (BLOCK0) RTC watchdog timeout threshold; in unit of slow cl = 40000 R/W (0b00)
    ock cycle

Flash voltage (VDD_SPI) determined by GPIO45 on reset (GPIO45=High: VDD_SPI pin is powered from internal 1.8V LDO
GPIO45=Low or NC: VDD_SPI pin is powered directly from VDD3P3_RTC_IO via resistor Rspi. Typically this voltage is 3.3 V).
PS D:\ESP-IDF\test\hello_world>
```

I cannot check whether the key burned into eFuse is the same as the key on my host. I noticed that the messages printed when I first burned the key include the line `Reversing byte order for AES-XTS hardware peripheral`, and I don't know whether this means the key is processed differently. In addition, the ESP32-S2 Technical Reference Manual says:

```
BLOCK1 ~ BLOCK10 all use RS coding, so parameter programming is subject to certain restrictions; for details see Section 4.3.1.3: Data Storage Method, and Section 4.3.2: Software Programming of Parameters.
BLOCK0 stores parameters using 4 backups, i.e. all parameters in BLOCK0 (except EFUSE_WR_DIS) are stored in eFuse in 4 copies. The 4-backup mechanism is not visible to software.
BLOCK1 ~ BLOCK10 use RS (44, 32) coding, which supports automatic correction of up to 5 bytes. The primitive polynomial used for RS (44, 32) in this document is p(x) = x^8 + x^4 + x^3 + x^2 + 1. The shift-register circuit that generates the check code is shown in Figure 4-1, where gf_mul_n (n is an integer) is the result of multiplying a byte of data in GF(2^8) by the element α^n.
```

I don't know whether these affect the key I burned into the ESP32-S2. Also, my key was written by hand; it is not a random key generated on the host with the espsecure.py command.

How should I handle this situation?
1 answer
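When using the flash encryption feature of the ESP32-S2, if firmware that was pre-encrypted on the host with a key does not run after being flashed to the ESP32-S2, you can try the following steps to resolve the problem:

1. Make sure the ESP32-S2 firmware version is compatible with the ESP-IDF version. Check whether your ESP-IDF version is compatible with the ESP32-S2. If it is not, update ESP-IDF to a suitable version.
2. Check that the key-burning steps are correct. According to your description, you burned the key with the following command:

   ```
   espefuse.py --port COM22 burn_key BLOCK_KEY0 key.bin XTS_AES_128_KEY
   ```

   Make sure your device port (COM22 here) is correct and that the key file (key.bin here) was generated correctly.
3. Make sure the firmware was encrypted with the correct key. Before flashing the encrypted firmware, make sure it was encrypted with the same key that was burned to the ESP32-S2.
4. Check the ESP32-S2's flash encryption settings. Make sure you have enabled flash encryption and set the encryption algorithm correctly (XTS_AES_128_KEY here).
5. If the problem persists, try the following:
   a. Reset the ESP32-S2, then burn the key and the firmware again.
   b. Check the ESP32-S2's hardware connections to make sure there is no hardware fault.
   c. Try flashing through a different device port.
6. If none of the steps above solves the problem, consider looking for solutions to similar issues in the ESP-IDF GitHub repository, or asking for help in related forums and communities.

In short, the key to solving this problem is making sure that firmware encryption, key burning, and the ESP32-S2's flash encryption settings are all correct. I hope these suggestions help you solve the problem.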
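A pre-flash check for the host-side pre-encryption workflow in this thread, as an added example that is not part of the original posts or of Espressif's tooling. XTS-AES flash encryption is address-dependent, so the `--address` given to `espsecure.py encrypt_flash_data` has to equal the offset the ciphertext is flashed to. The offset table (ESP-IDF defaults for ESP32-S2), the app file name `hello_world.bin`, the function names, and the reading of the ROM's `invalid header` word as little-endian are assumptions.

```python
import re

ESP_IMAGE_MAGIC = 0xE9      # first byte of an ESP bootloader/app image
XTS_AES_128_KEY_LEN = 32    # bytes; espsecure.py prints "Using 256-bit key"

# Assumption (ESP-IDF defaults for ESP32-S2, not stated on the page):
# second-stage bootloader at 0x1000, factory app at 0x10000.
ASSUMED_OFFSETS = {"bootloader.bin": 0x1000, "hello_world.bin": 0x10000}


def preflight(key, plaintext, image_name, encrypt_address,
              offsets=ASSUMED_OFFSETS):
    """Return reasons a host-encrypted image would fail to boot (empty if none)."""
    problems = []
    if len(key) != XTS_AES_128_KEY_LEN:
        problems.append(f"key is {len(key)} bytes, expected {XTS_AES_128_KEY_LEN}")
    if plaintext[:1] != bytes([ESP_IMAGE_MAGIC]):
        problems.append("plaintext does not start with image magic 0xE9")
    if encrypt_address % 16:
        problems.append("--address is not 16-byte aligned")
    flash_offset = offsets.get(image_name)
    if flash_offset is None:
        problems.append(f"no flash offset known for {image_name}")
    elif flash_offset != encrypt_address:
        # The XTS tweak is derived from the flash address, so ciphertext made
        # for one offset decrypts to garbage when the chip reads it at another.
        problems.append(f"{image_name} is flashed at {flash_offset:#x} "
                        f"but was encrypted for {encrypt_address:#x}")
    return problems


def rom_header_words(log):
    """Collect the 32-bit words from the ROM's 'invalid header' lines."""
    return {int(w, 16) for w in re.findall(r"invalid header: (0x[0-9a-fA-F]{8})", log)}


def looks_like_bad_decrypt(word):
    """Assumes the word is the first 4 flash bytes, little-endian. Erased flash
    reads 0xffffffff; any other word without the magic in its low byte is garbage."""
    return word != 0xFFFFFFFF and (word & 0xFF) != ESP_IMAGE_MAGIC


if __name__ == "__main__":
    key = bytes(range(32))                        # constructed sample key
    image = bytes([ESP_IMAGE_MAGIC]) + bytes(31)  # constructed image stub
    print(preflight(key, image, "bootloader.bin", 0x10000))
    log = "invalid header: 0xefa1f13d\n" * 3      # ROM line as shown in the post
    print({hex(w): looks_like_bad_decrypt(w) for w in rom_header_words(log)})
```
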