Restrictions After Secure Boot Is Enabled; Generating Secure Boot Signing Key - Espressif ESP32-S2 Programming Manual


Chapter 4. API Guides
Important: A signing key generated this way will use the best random number source available to the OS and
its Python installation (/dev/urandom on OSX/Linux and CryptGenRandom() on Windows). If this random number
source is weak, then the private key will be weak.
Important: For production environments, we recommend generating the key pair using openssl or another industry
standard encryption program. See Generating Secure Boot Signing Key for more details.
7. Run idf.py bootloader to build a Secure Boot enabled bootloader. The build output will include a
prompt for a flashing command, using esptool.py write_flash.
8. When you're ready to flash the bootloader, run the specified command (you have to enter it yourself, this step
is not performed by the build system) and then wait for flashing to complete.
9. Run idf.py flash to build and flash the partition table and the just-built app image. The app image will
be signed using the signing key you generated in step 4.
Note: idf.py flash doesn't flash the bootloader if Secure Boot is enabled.
10. Reset the ESP32-S2 and it will boot the software bootloader you flashed. The software bootloader will enable
Secure Boot on the chip, and then it verifies the app image signature and boots the app. You should watch the
serial console output from the ESP32-S2 to verify that Secure Boot is enabled and no errors have occurred due
to the build configuration.
Note: Secure boot won't be enabled until after a valid partition table and app image have been flashed. This is to
prevent accidents before the system is fully configured.
Note: If the ESP32-S2 is reset or powered down during the first boot, it will start the process again on the next boot.
11. On subsequent boots, the Secure Boot hardware will verify the software bootloader has not changed and the
software bootloader will verify the signed app image (using the validated public key portion of its appended
signature block).

4.25.10 Restrictions after Secure Boot is enabled

• Any updated bootloader or app will need to be signed with a key matching the digest already stored in eFuse.
• After Secure Boot is enabled, no further eFuses can be read protected. (If Flash Encryption is enabled then
the bootloader will ensure that any flash encryption key generated on first boot will already be read protected.)
If CONFIG_SECURE_BOOT_INSECURE is enabled then this behavior can be disabled, but this is not recommended.

4.25.11 Generating Secure Boot Signing Key

The build system will prompt you with a command to generate a new signing key via espsecure.py
generate_signing_key. The --version 2 parameter will generate the RSA 3072 private key for Secure Boot V2.
The strength of the signing key is proportional to (a) the random number source of the system, and (b) the correctness
of the algorithm used. For production devices, we recommend generating signing keys from a system with a quality
entropy source, and using the best available RSA key generation utilities.
For example, to generate a signing key using the openssl command line:
`openssl genrsa -out my_secure_boot_signing_key.pem 3072`
Remember that the strength of the Secure Boot system depends on keeping the signing key private.
Espressif Systems, Release v4.4
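The openssl key-generation step above, carried a little further as an added example that is not part of the ESP-IDF documentation or its tooling: it generates the RSA 3072 PEM key with openssl as the manual recommends, restricts the file's permissions before anything else can read it, exports the public half, and checks that the result really is a 3072-bit RSA key before it is handed to espsecure.py or the build. The function names, the temporary paths and the use of `stat` for the permission check are assumptions of this example; it needs only a POSIX shell and the openssl command line.

```shell
#!/bin/sh
# Added example, not ESP-IDF code: generate and sanity-check a Secure Boot V2
# signing key with the openssl CLI. Function names and paths are illustrative.
set -eu

# Generate an RSA-3072 private key in PEM form (the size Secure Boot V2 on the
# ESP32-S2 uses). The umask in the subshell keeps the file private from the
# moment it is created; chmod afterwards makes the intent explicit.
gen_signing_key() {
    ( umask 077; openssl genrsa -out "$1" 3072 2>/dev/null )
    chmod 600 "$1"
}

# Print the modulus size in bits of an RSA private key. Prints nothing for a
# non-RSA key or an unreadable file, so callers can treat "empty" as "bad".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# Return 0 only if the key is an RSA key of exactly 3072 bits. A 2048-bit key
# (openssl's default size) or an EC key is rejected here, before the build.
check_signing_key() {
    bits=$(key_bits "$1")
    [ "$bits" = "3072" ]
}

# Export the public half. This is what the bootloader verifies against and
# what ends up in the image's signature block, so it is safe to distribute.
export_public_key() {
    openssl rsa -in "$1" -pubout -out "$2" 2>/dev/null
}

# Return 0 if the private key is readable by its owner only (mode 600).
# GNU stat first, BSD/macOS stat as fallback.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Typical use:
#   gen_signing_key my_secure_boot_signing_key.pem
#   check_signing_key my_secure_boot_signing_key.pem || echo "wrong key type/size"
#   export_public_key my_secure_boot_signing_key.pem my_secure_boot_public_key.pem
```

The size check is the part worth keeping in a build script: a key generated with a bare `openssl genrsa` defaults to 2048 bits on current OpenSSL releases, and catching that on the signing host is far cheaper than discovering it after the digest of the wrong key has been burned into eFuse.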