Commit 568b3bb

test(espsecure): Add details for generating the files present in secure_images
1 parent 9a207b1 commit 568b3bb

1 file changed

+142
-0
lines changed

test/secure_images/README.md

@@ -0,0 +1,142 @@
1+
# How are the test images generated?
2+
3+
## IV generation
4+
5+
`{len}bit_iv.bin`
6+
7+
```
8+
dd if=/dev/random of={len}bit_iv.bin bs=1 count=32
9+
10+
where len = [256]
11+
```
12+
13+
## Keys Generation
14+
15+
### Encryption Keys
16+
17+
`{len}bit_key.bin`
18+
19+
```
20+
espsecure generate-flash-encryption-key -l {len} {len}bit_key.bin
21+
22+
where len = [256, 512]
23+
```
24+
25+
`ef-flashencryption-key.bin`
26+
27+
```
28+
espsecure generate-flash-encryption-key -l 256 ef-flashencryption-key.bin
29+
```
30+
31+
### Signing Keys
32+
33+
For schemes = [rsa, ecdsa192, ecdsa256, ecdsa384]
34+
35+
`{scheme}_secure_boot_signing_keyX.pem`
36+
37+
```
38+
espsecure generate-signing-key -v 2 --scheme {scheme} {scheme}_secure_boot_signing_keyX.pem
39+
```
40+
41+
`{scheme}_secure_boot_signing_key_v2.pem`
42+
43+
```
44+
espsecure generate-signing-key -v 2 --scheme {scheme} {scheme}_secure_boot_signing_key_v2.pem
45+
```
46+
47+
`{scheme}_secure_boot_signing_pubkeyX.pem`
48+
49+
```
50+
espsecure extract-public-key -v 2 -k {scheme}_secure_boot_signing_keyX.pem {scheme}_secure_boot_signing_pubkeyX.pem
51+
```
52+
53+
`{scheme}_public_key_digest_v2.bin`
54+
55+
```
56+
espsecure digest-sbv2-public-key -k {scheme}_secure_boot_signing_key_v2.pem -o {scheme}_public_key_digest_v2.bin
57+
```
58+
59+
## Binaries Generation
60+
61+
### Bootloader Binaries
62+
63+
Base Bootloader binaries: `bootloader.bin` (ESP32 <v3.0) and `bootloader_unsigned_v2.bin` (ESP32 >=3.0) build with the configuration `CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y` enabled.
64+
65+
#### Secure Boot V1
66+
67+
`bootloader_digested.bin`
68+
69+
```
70+
espsecure digest-secure-bootloader -k 256bit_key.bin -o bootloader_digested.bin --iv 256bit_iv.bin bootloader.bin
71+
```
72+
73+
`bootloader_signed.bin`
74+
75+
```
76+
espsecure sign-data -v 1 -k ecdsa256_secure_boot_signing_key.pem -o bootloader_signed.bin bootloader.bin
77+
```
78+
79+
#### Secure Boot V2
80+
81+
`bootloader_signed_v2_{scheme}.bin`
82+
83+
```
84+
espsecure sign-data -v 2 -k {scheme}_secure_boot_signing_key.pem -o bootloader_signed_v2_{scheme}.bin bootloader_unsigned_v2.bin
85+
```
86+
87+
88+
`bootloader_multi_signed_v2.bin`
89+
90+
```
91+
espsecure sign-data -v 2 -a -k rsa_secure_boot_signing_key.pem rsa_secure_boot_signing_key2.pem rsa_secure_boot_signing_key3.pem -o bootloader_multi_signed_v2.bin bootloader_unsigned_v2.bin
92+
```
93+
94+
`pre_calculated_bootloader_signature_{scheme}.bin`
95+
96+
Generate signatures using the key `{scheme}_secure_boot_signing_key.pem` and `openssl`: [Secure-Boot V2 Documentation](https://docs.espressif.com/projects/esp-idf/en/latest/security/secure-boot-v2.html#generating-and-verifying-signatures-using-openssl)
97+
98+
### Flash Encryption
99+
100+
`bootloader-encrypted.bin`
101+
102+
```
103+
espsecure encrypt-flash-data -k 256bit_key.bin -a 0x1000 --flash-crypt-conf 0xF -o bootloader-encrypted.bin bootloader.bin
104+
```
105+
106+
`bootloader-encrypted-conf{conf:x}.bin`
107+
108+
```
109+
espsecure encrypt-flash-data -k 256bit_key.bin -a 0x1000 --flash-crypt-conf {conf} -o bootloader-encrypted-conf{conf:x}.bin bootloader.bin
110+
111+
where, conf = [0x0, 0x3, 0x9, 0xC]
112+
```
113+
114+
`bootloader-encrypted-aes-xts.bin`
115+
116+
```
117+
espsecure encrypt-flash-data -k 256bit_key.bin -a 0x1000 -x -o bootloader-encrypted-aes-xts.bin bootloader.bin
118+
```
119+
120+
## Application Binaries
121+
122+
Base Application binaries: `hello-world-signed.bin`
123+
124+
### Flash Encryption
125+
126+
`hello-world-signed-encrypted.bin`
127+
128+
```
129+
espsecure encrypt-flash-data -k ef-flashencryption-key.bin -a 0x20000 --flash-crypt-conf 0xF -o hello-world-signed-encrypted.bin hello-world-signed.bin
130+
```
131+
132+
`hello-world-signed-encrypted-aes-xts.bin`
133+
134+
```
135+
espsecure encrypt-flash-data -k ef-flashencryption-key.bin -a 0x20000 -x -o hello-world-signed-encrypted-aes-xts.bin hello-world-signed.bin
136+
```
137+
138+
`hello-world-signed-encrypted-aes-xts-256.bin`
139+
140+
```
141+
espsecure encrypt-flash-data -k 512bit_key.bin -a 0x10000 -x -o hello-world-signed-encrypted-aes-xts-256.bin hello-world-signed.bin
142+
```
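
Review bot: The signing commands under Secure Boot V1 and Secure Boot V2 read key files that the Signing Keys section never shows how to generate. `ecdsa256_secure_boot_signing_key.pem`, `{scheme}_secure_boot_signing_key.pem`, `rsa_secure_boot_signing_key.pem`, `rsa_secure_boot_signing_key2.pem` and `rsa_secure_boot_signing_key3.pem` are consumed, while only `{scheme}_secure_boot_signing_keyX.pem` and `{scheme}_secure_boot_signing_key_v2.pem` are documented, and `X` is left undefined. Please define `X` and add a generation step for every key file the later commands use; the `sign-data -v 1` line in particular takes an ECDSA key, but every documented `generate-signing-key` call passes `-v 2`. Also worth confirming: `hello-world-signed-encrypted-aes-xts-256.bin` is encrypted with `-a 0x10000` while the other two application images use `-a 0x20000`; if that is intentional a short remark would help, otherwise align it. Smaller points: the README does not say how `hello-world-signed.bin` was built or which key signed it, the `pre_calculated_bootloader_signature_{scheme}.bin` entry gives only a documentation link rather than the commands that were run, `## Application Binaries` sits at the same heading level as `## Binaries Generation` although `### Bootloader Binaries` is nested under the latter, and "build with the configuration" should read "built with the configuration".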
