Chapter 4. Software framework
4.7.20 How can I delete keys of secure boot?
• Secure Boot keys are deleted from within the firmware new_app.bin. First, make sure that new_app.bin is signed with two signatures. Then flash new_app.bin to the device. Finally, once the original signatures have been verified, you can delete the original keys by calling esp_ota_revoke_secure_boot_public_key() in new_app.bin. Please note that if you use the OTA rollback scheme, call esp_ota_revoke_secure_boot_public_key() only after esp_ota_mark_app_valid_cancel_rollback() returns ESP_OK. For more details, please refer to Key Revocation.
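The sequence above written out as an added ESP-IDF C example (not from the original page or from Espressif): the function revoke_old_secure_boot_key and the host-side stand-ins under #else are this example's own, while on the target the real esp_ota_ops.h is used and the two esp_ota_* calls are the ESP-IDF API the answer names.

```c
#include <stdio.h>
#include <stdbool.h>
#ifdef ESP_PLATFORM
#include "esp_ota_ops.h"   /* real ESP-IDF API when built for the target */
#else
/* Host-side stand-ins (not ESP-IDF code) so the sequencing below can be
 * compiled and checked off-target; they mimic only the behaviour used here. */
typedef int esp_err_t;
#define ESP_OK   0
#define ESP_FAIL (-1)
typedef enum {
    SECURE_BOOT_PUBLIC_KEY_INDEX_0,
    SECURE_BOOT_PUBLIC_KEY_INDEX_1,
    SECURE_BOOT_PUBLIC_KEY_INDEX_2,
} esp_ota_secure_boot_public_key_index_t;
static bool sim_app_valid;          /* becomes true once rollback is cancelled */
static bool sim_key_revoked[3];     /* which key slots have been revoked */
static bool sim_mark_valid_fails;   /* simulation knob: make step 1 fail */
static esp_err_t esp_ota_mark_app_valid_cancel_rollback(void)
{
    if (sim_mark_valid_fails) return ESP_FAIL;
    sim_app_valid = true;
    return ESP_OK;
}
static esp_err_t esp_ota_revoke_secure_boot_public_key(esp_ota_secure_boot_public_key_index_t idx)
{
    if ((int)idx < 0 || (int)idx > 2) return ESP_FAIL;
    sim_key_revoked[idx] = true;
    return ESP_OK;
}
#endif

/* Call from app_main() of new_app.bin once the new image has proven healthy.
 * old_key is the slot holding the key that signed the previous firmware. */
esp_err_t revoke_old_secure_boot_key(esp_ota_secure_boot_public_key_index_t old_key)
{
    /* Step 1: commit the new image first. While rollback is still possible the
     * device could return to the old app, signed only with the old key. */
    esp_err_t err = esp_ota_mark_app_valid_cancel_rollback();
    if (err != ESP_OK) {
        printf("app not marked valid (err %d); keeping key slot %d\n", err, (int)old_key);
        return err;
    }
    /* Step 2: new_app.bin is committed and was verified with its other
     * signature, so the original key can now be revoked. */
    err = esp_ota_revoke_secure_boot_public_key(old_key);
    printf("revoke key slot %d -> %d\n", (int)old_key, err);
    return err;
}
```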
4.7.21 After I enabled secure boot or flash encryption (development mode), I cannot flash
the new firmware, and an error occurred: Failed to enter Flash download mode. How can I solve this issue?
• Generally, the above log indicates that your flash command is incorrect. Please use the idf.py script: run idf.py bootloader and idf.py app to compile bootloader.bin and app.bin, then execute the flash command through idf.py according to the hints printed after compiling. If you still cannot flash your firmware, please use espefuse.py -p PORT summary to check the eFuses of the current device and confirm whether flash download mode is still enabled.
4.7.22 After I run the command espefuse.py read_protect_efuse BLOCK3 in a terminal configured with ESP-IDF
to enable read protection for eFuse BLOCK3, why is the data of eFuse BLOCK3 all 0x00 when I call
esp_efuse_read_block() to read eFuse BLOCK3?
• Once eFuse BLOCK3 is read-protected, its contents can no longer be read; esp_efuse_read_block() returns all zeros.
4.7.23 How can I enable secure boot or flash encryption by pre-burning eFuse?
By default, you enable secure boot or flash encryption by burning firmware that has secure boot or flash encryption enabled. In addition, you can enable secure boot or flash encryption by pre-burning eFuse in either of the following two ways:
- With flash_download_tool, the eFuses are pre-burned automatically if secure boot or flash encryption is enabled.
- You can generate the key and burn the corresponding eFuse blocks with espsecure.py and espefuse.py.
4.7.24 After enabling Secure Boot, why can't I flash the new bootloader.bin using the idf.py build command?
After enabling Secure Boot, please use the idf.py bootloader command to compile the new bootloader.bin. Then flash the new bootloader.bin using the command idf.py -p (PORT) bootloader-flash.
4.7.25 After enabling Secure Boot or flash encryption, how can I view the security-related information in the device?
Please use the command esptool.py --no-stub get_security_info to view the security information of the device.
Espressif Systems 108
Release master