Chapter 2. API Reference
A typical anti-rollback scheme is:
• New firmware is released that eliminates vulnerabilities present in the previous security version.
• After the developer makes sure that this firmware is working, they can increase the security version and release a new firmware.
• Download the new application.
• To make it bootable, run the function esp_ota_set_boot_partition(). If the security version of the new application is smaller than the version in the chip, the new application will be erased. Update to the new firmware is not possible.
• Reboot.
• In the bootloader, an application with a security version greater than or equal to the version in the chip will be selected. If otadata is in the initial state and one firmware was loaded via a serial channel whose secure version is higher than that of the chip, then the secure version of efuse will be immediately updated in the bootloader.
• The new application boots. The application should then perform diagnostics of its operation and, if they complete successfully, call the esp_ota_mark_app_valid_cancel_rollback() function to mark the running application with the ESP_OTA_IMG_VALID state and update the secure version on the chip. Note that if the esp_ota_mark_app_invalid_rollback_and_reboot() function was called, a rollback may not happen because the device may not have any bootable apps; in that case it returns the ESP_ERR_OTA_ROLLBACK_FAILED error and stays in the ESP_OTA_IMG_PENDING_VERIFY state.
• The next update of the app is possible if the running app is in the ESP_OTA_IMG_VALID state.

Recommendation:
If you want to avoid the download/erase overhead when the app from the server has a security version lower than the running app, get new_app_info.secure_version from the first package of an image and compare it with the secure version of efuse. Use the esp_efuse_check_secure_version(new_app_info.secure_version) function: if it returns true, continue downloading; otherwise abort.

    ....
    bool image_header_was_checked = false;
    while (1) {
        int data_read = esp_http_client_read(client, ota_write_data, BUFFSIZE);
        ...
        if (data_read > 0) {
            if (image_header_was_checked == false) {
                esp_app_desc_t new_app_info;
                if (data_read > sizeof(esp_image_header_t) + sizeof(esp_image_segment_header_t) + sizeof(esp_app_desc_t)) {
                    // The app descriptor follows the image header and the first segment header;
                    // copy it out of the received buffer before reading secure_version (needs <string.h>).
                    memcpy(&new_app_info, &ota_write_data[sizeof(esp_image_header_t) + sizeof(esp_image_segment_header_t)], sizeof(esp_app_desc_t));
                    // check current version with downloading
                    if (esp_efuse_check_secure_version(new_app_info.secure_version) == false) {
                        ESP_LOGE(TAG, "This a new app can not be downloaded due to a secure version is lower than stored in efuse.");
                        http_cleanup(client);
                        task_fatal_error();
                    }
                    image_header_was_checked = true;
                    esp_ota_begin(update_partition, OTA_SIZE_UNKNOWN, &update_handle);
                }
            }
            esp_ota_write(update_handle, (const void *)ota_write_data, data_read);
        }
    }
    ...

Restrictions:
• The number of bits in the secure_version field is limited to 32 bits. This means that only 32 times you can do an anti-rollback. You can reduce the length of this efuse field using the CONFIG_BOOTLOADER_APP_SEC_VER_SIZE_EFUSE_FIELD option.
• Anti-rollback only works if the encoding scheme for efuse is set to NONE.
Espressif Systems
Release v4.4
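The pre-download check from the Recommendation above, as a host-side C model added here (not ESP-IDF or Espressif code): it reads secure_version from the first received chunk and compares it with a simulated eFuse value. The function names, the one-burned-bit-per-version eFuse model and the layout constants (24-byte image header, 8-byte segment header, the two magic values) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Host-side model, not ESP-IDF code. Assumed layout: 24-byte image header
 * (magic 0xE9), 8-byte segment header, then the 256-byte app descriptor
 * (little-endian magic word, then secure_version). */
#define DESC_OFFSET    (24u + 8u)
#define APP_DESC_SIZE  256u
#define APP_DESC_MAGIC 0xABCD5432u

typedef enum { CHK_OK, CHK_NEED_MORE_DATA, CHK_BAD_IMAGE, CHK_ROLLBACK } chk_result_t;

/* Assumed eFuse model: one burned bit per version, so the stored version is
 * the count of set bits and can only grow (32 bits, 32 increments). */
static uint32_t efuse_version(uint32_t efuse_bits)
{
    uint32_t n = 0;
    for (; efuse_bits != 0; efuse_bits &= efuse_bits - 1) n++;
    return n;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decide from the first received chunk whether the download should continue. */
chk_result_t check_first_chunk(const uint8_t *chunk, size_t len, uint32_t efuse_bits)
{
    if (len < DESC_OFFSET + APP_DESC_SIZE)
        return CHK_NEED_MORE_DATA;   /* descriptor not fully received yet */
    if (chunk[0] != 0xE9 || read_le32(chunk + DESC_OFFSET) != APP_DESC_MAGIC)
        return CHK_BAD_IMAGE;        /* not an application image: abort */
    uint32_t secure_version = read_le32(chunk + DESC_OFFSET + 4);
    return secure_version >= efuse_version(efuse_bits) ? CHK_OK : CHK_ROLLBACK;
}

/* Constructed sample: zeroed chunk carrying only the fields the check reads. */
size_t make_sample_chunk(uint8_t *buf, size_t cap, uint32_t secure_version)
{
    const uint32_t words[2] = { APP_DESC_MAGIC, secure_version };
    if (cap < DESC_OFFSET + APP_DESC_SIZE) return 0;
    memset(buf, 0, DESC_OFFSET + APP_DESC_SIZE);
    buf[0] = 0xE9;
    for (int i = 0; i < 8; i++)
        buf[DESC_OFFSET + i] = (uint8_t)(words[i / 4] >> (8 * (i % 4)));
    return DESC_OFFSET + APP_DESC_SIZE;
}
```

Rejecting a chunk that lacks the descriptor magic keeps the check from comparing arbitrary bytes against the eFuse value.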