Secure Boot & Flash Encryption; Signed App Verification Without Hardware Secure Boot; Advanced Features - Espressif ESP32-S2 Programming Manual

Chapter 4. API Guides
Keyfile is the PEM file containing an RSA-3072 private signing key.
4.25.18 Secure Boot & Flash Encryption
If Secure Boot is used without Flash Encryption, it is possible to launch a "time-of-check to time-of-use" attack,
where flash contents are swapped after the image is verified and running. Therefore, it is recommended to use both
the features together.
4.25.19 Signed App Verification Without Hardware Secure Boot
The Secure Boot V2 signature of apps can be checked on OTA update, without enabling the hardware Secure Boot
option. This option uses the same app signature scheme as Secure Boot V2, but unlike hardware Secure Boot it does
not prevent an attacker who can write to flash from bypassing the signature protection.
This may be desirable in cases where the delay of Secure Boot verification on startup is unacceptable, and/or where
the threat model does not include physical access or attackers writing to bootloader or app partitions in flash.
In this mode, the public key which is present in the signature block of the currently running app will be used to verify
the signature of a newly updated app. (The signature on the running app isn't verified during the update process; it's
assumed to be valid.) In this way the system creates a chain of trust from the running app to the newly updated app.
For this reason, it's essential that the initial app flashed to the device is also signed. A check is run on app startup
and the app will abort if no signatures are found. This is to prevent a situation where no update is possible.
The app should have only one valid signature block in the first position. Note again that, unlike hardware Secure Boot
V2, the signature of the running app isn't verified on boot. The system only verifies a signature block in the first
position and ignores any other appended signatures.
Although multiple trusted keys are supported when using hardware Secure Boot, only the first public key in the
signature block is used to verify updates if signature checking without Secure Boot is configured. If multiple trusted
public keys are required, it's necessary to enable the full Secure Boot feature instead.
Note: In general, it's recommended to use full hardware Secure Boot unless certain that this option is sufficient
for application security needs.
How To Enable Signed App Verification
1. Open Project Configuration Menu -> Security features
2. Ensure App Signing Scheme is RSA
3. Enable CONFIG_SECURE_SIGNED_APPS_NO_SECURE_BOOT
4. By default, "Sign binaries during build" will be enabled on selecting the "Require signed app images" option,
which will sign binary files as a part of the build process. The file named in "Secure boot private signing key"
will be used to sign the image.
5. If you disable the "Sign binaries during build" option then all app binaries must be manually signed by following
the instructions in Remote Signing of Images.
Warning: It is very important that all apps flashed have been signed, either during the build or after the build.

4.25.20 Advanced Features

JTAG Debugging
By default, when Secure Boot is enabled then JTAG debugging is disabled via eFuse. The bootloader does this on
first boot, at the same time it enables Secure Boot.
Espressif Systems    1462    Release v4.4
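The chain-of-trust rules of section 4.25.19 (only the signature block in the first position counts, the running app must itself carry a signature or abort, and the running app's public key is what the next update is checked against), as an added Python example that is not part of the manual or of ESP-IDF. It assumes the Secure Boot V2 signature block layout from the manual's separate signature-block section (1216-byte blocks in a 4 KB sector after the sector-padded image, RSA fields stored little-endian) and stops short of the RSA-PSS verification itself, which needs a crypto library; the key values and images are constructed.

```python
import hashlib
import struct
import zlib
# Assumed Secure Boot V2 (RSA-3072) block layout, from the manual's
# signature-block section; multi-byte RSA fields assumed little-endian.
SECTOR = 4096   # image content is padded to this before the signature sector
BLOCK = 1216    # one signature block; up to three fit in the sector
MAGIC, VERSION = 0xE7, 0x02

def parse_block(block: bytes):
    """Return (content_sha256, n, e, pss_signature) for a well-formed block, else None."""
    if len(block) != BLOCK or block[0] != MAGIC or block[1] != VERSION:
        return None
    if zlib.crc32(block[:1196]) != struct.unpack("<I", block[1196:1200])[0]:
        return None
    n = int.from_bytes(block[36:420], "little")    # RSA public modulus
    e = struct.unpack("<I", block[420:424])[0]     # RSA public exponent
    return block[4:36], n, e, block[812:1196]

def first_block(signed_image: bytes):
    """Page rule: only the first block is considered, appended blocks are ignored."""
    content, sector = signed_image[:-SECTOR], signed_image[-SECTOR:]
    parsed = parse_block(sector[:BLOCK])
    if parsed is None or parsed[0] != hashlib.sha256(content).digest():
        return None    # missing block, or its hash does not cover this content
    return parsed

def startup_check(running_app: bytes):
    """Page rule: abort at startup if no signature is found, so an update stays possible."""
    parsed = first_block(running_app)
    if parsed is None:
        raise RuntimeError("running app carries no signature block; aborting")
    return parsed[1], parsed[2]    # (n, e) trusted for the next OTA update

def update_acceptable(running_app: bytes, new_app: bytes) -> bool:
    """Chain of trust: the new app must be signed with the running app's key. The final
    RSA-PSS check of parsed[3] under (n, e) needs a crypto library and is omitted here."""
    trusted = startup_check(running_app)
    parsed = first_block(new_app)
    return parsed is not None and (parsed[1], parsed[2]) == trusted

def make_signed_image(content: bytes, n: int, e: int, sig: bytes = bytes(384)) -> bytes:
    """Constructed test data only: a structurally valid block with a placeholder signature."""
    content = content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\xff")
    body = struct.pack("<BBxx32s", MAGIC, VERSION, hashlib.sha256(content).digest())
    body += struct.pack("<384sI384sI384s", n.to_bytes(384, "little"), e, bytes(384), 0, sig)
    block = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) + bytes(16)
    return content + block.ljust(SECTOR, b"\xff")
```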
