Burn Key Digest

The espefuse.py burn_key_digest command parses an RSA public key and burns its digest to an eFuse block for use with Secure Boot V2.

Positional arguments:

  • Keyfile. Key file to digest (PEM format).

Optional arguments:

  • --no-protect-key. Disable default read and write protecting of the key.

  • --force-write-always. Write the eFuse key even if it looks like it has already been written, or is write protected. Note that this option can’t disable write protection, or clear any bit which has already been set.

  • --show-sensitive-info. Show data to be burned (may expose sensitive data). Enabled if --debug is used. Use this option to see the byte order of the data being written.

ESP32 must have chip version > 3 (v300) and coding scheme = None; otherwise an error will be shown. The key will be burned to BLOCK2.

The Secure Boot V2 key(s) will be readable and write protected.

Usage

> espefuse.py burn_key_digest secure_boot_key_v2_0.pem

=== Run "burn_key_digest" command ===
Sensitive data will be hidden (see --show-sensitive-info)
- BLOCK2 -> [?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??]
Disabling write to efuse BLOCK2...

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is empty, will burn the new value
[02] BLOCK2               is empty, will burn the new value
.
This is an irreversible operation!
Type 'BURN' (all capitals) to continue.
BURN
BURN BLOCK2  - OK (write block == read block)
BURN BLOCK0  - OK (write block == read block)
Reading updated efuses...
Successful

> espefuse.py summary
...
BLOCK2 (BLOCK2):                                   Secure boot key
= a2 cd 39 85 df 00 d7 95 07 0f f6 7c 8b ab e1 7d 39 11 95 c4 5b 37 6e 7b f0 ec 04 5e 36 30 02 5d R/-
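
A post-burn check for a provisioning script, as an added example that is not part of the original page or of esptool: it parses the `espefuse.py summary` output shown above and confirms that BLOCK2 is readable, write protected (`R/-`) and holds the expected digest. The name `check_key_block` and the constructed sample are assumptions, and the expected digest must be supplied in the same byte order that `summary` prints.

```python
import hmac
import re

# Constructed sample: the BLOCK2 entry from the summary output on this page.
SAMPLE_SUMMARY = """\
BLOCK2 (BLOCK2):                                   Secure boot key
= a2 cd 39 85 df 00 d7 95 07 0f f6 7c 8b ab e1 7d 39 11 95 c4 5b 37 6e 7b f0 ec 04 5e 36 30 02 5d R/-
"""
# Expected digest, written in the byte order that `summary` prints (assumption).
EXPECTED = "a2cd3985df00d795070ff67c8babe17d391195c45b376e7bf0ec045e3630025d"

# "<NAME> (<ALIAS>): description", then "= <hex bytes> <read flag>/<write flag>".
BLOCK_RE = re.compile(
    r"^(?P<name>\S+) \([^)]*\):.*\n[ \t]*= (?P<hex>(?:[0-9a-fA-F?]{2} )+)"
    r"(?P<r>[R-])/(?P<w>[W-])[ \t]*$",
    re.MULTILINE,
)


def check_key_block(summary, expected_hex, block="BLOCK2"):
    """Return a list of problems found for `block`; an empty list means it passed."""
    m = next((m for m in BLOCK_RE.finditer(summary) if m.group("name") == block), None)
    if m is None:
        return [f"{block} not found in summary output"]
    problems = []
    if m.group("w") != "-":
        problems.append(f"{block} is still writable")
    if m.group("r") != "R" or "?" in m.group("hex"):
        # Value is hidden, so there is nothing to compare against.
        return problems + [f"{block} is not readable, digest cannot be compared"]
    burned = bytes.fromhex(m.group("hex"))
    expected = bytes.fromhex(expected_hex)
    if len(burned) != 32:  # BLOCK2 on this page holds a 32-byte value
        problems.append(f"{block} holds {len(burned)} bytes, expected a 32-byte digest")
    elif not hmac.compare_digest(burned, expected):
        problems.append(f"{block} does not match the expected key digest")
    return problems


if __name__ == "__main__":
    issues = check_key_block(SAMPLE_SUMMARY, EXPECTED)
    print("OK" if not issues else "\n".join(issues))
```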