espsecure - ESP32 Secure Boot & Flash Encryption tool
Contents
Copyright
Copyright © 2014-2017 Fredrik Ahlberg, Angus Gratton, Espressif Systems (Shanghai) PTE LTD, other
contributors as noted. License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent
permitted by law.
Description
usage: espsecure [OPTION] COMMAND
commandarguments:
Run espsecure {command} -h for additional help
digest_secure_bootloader
Take a bootloader binary image and a secure boot key, and output a combined digest+binary suitable
for flashing along with the precalculated secure boot key.
generate_signing_key
Generate a private key for signing secure boot images as per the secure boot version. Key file is
generated in PEM format, Secure Boot V1 - ECDSA NIST256p private key. Secure Boot V2 - RSA 3072,
ECDSA NIST256p, ECDSA NIST192p private key.
sign_data
Sign a data file for use with secure boot. Signing algorithm is deterministic ECDSA w/ SHA-512
(V1) or either RSA-PSS or ECDSA w/ SHA-256 (V2).
verify_signature
Verify a data file previously signed by "sign_data", using the public key.
extract_public_key
Extract the public verification key for signatures, save it as a raw binary file.
digest_rsa_public_key
Generate an SHA-256 digest of the RSA public key. This digest is burned into the eFuse and asserts
the legitimacy of the public key for Secure boot v2.
digest_sbv2_public_key
Generate an SHA-256 digest of the public key. This digest is burned into the eFuse and asserts the
legitimacy of the public key for Secure boot v2.
signature_info_v2
Reads the signature block and provides the signature block information.
digest_private_key
Generate an SHA-256 digest of the private signing key. This can be used as a reproducible secure
bootloader (only secure boot v1) or flash encryption key.
generate_flash_encryption_key
Generate a development-use flash encryption key with random data.
decrypt_flash_data
Decrypt some data read from encrypted flash (using known key)
encrypt_flash_data
Encrypt some data suitable for encrypted flash (using known key)
options:-h, --help
show this help message and exit
Examples
Display device features, SPI flash manufacturer and device ID:
esptool flash_id
Flash ESP8266 Espressif AT v1.6.2 firmware to ESP-WROOM-02 board:
esptool write_flash --flash_mode dio --flash_size 4MB-c1 0x00 boot_v1.7.bin 0x1000 at/1024+1024/user1.2048.new.5.bin 0xfe000 blank.bin 0x3fc000 esp_init_data_default_v08.bin 0x3fe000 blank.bin
Flash ESP32 Espressif AT v1.1.1 firmware to ESP-WROOM-32 board:
esptool write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 bootloader/bootloader.bin 0x20000 at_customize.bin 0x21000 customized_partitions/ble_data.bin 0x24000 customized_partitions/server_cert.bin 0x26000 customized_partitions/server_key.bin 0x28000 customized_partitions/server_ca.bin 0x2a000 customized_partitions/client_cert.bin 0x2c000 customized_partitions/client_key.bin 0x2e000 customized_partitions/client_ca.bin 0xf000 phy_init_data.bin 0x100000 esp-at.bin 0x8000 partitions_at.bin
Display ESP32 efuse state summary:
espefuse --port /dev/ttyUSB0 summary
Generate a flash encryption key:
espsecure generate_flash_encryption_key key.bin
Burn the key to the device (WARNING: one time only operation):
espefuse --port /dev/ttyUSB1 burn_key flash_encryption key.bin
Encrypt flash data:
espsecure encrypt_flash_data --keyfile key.bin --address 0x10000 -o my-app-encrypted.bin my-app.bin
Name
espsecure - ESP32 Secure Boot & Flash Encryption tool
Reporting Bugs
Review: <https://github.com/espressif/esptool/#troubleshooting>
Known issues: <https://github.com/espressif/esptool/issues>
Report new issues at: <https://github.com/espressif/esptool/issues/new>
See Also
esptool(1), espefuse(1), espsecure(1) esptool.py 4.7.0 January 2024 ESPSECURE.PY(1)
