Burn key Digest

The espefuse.py burn_key_digest command parses an RSA public key and burns its digest to an eFuse key block for use with Secure Boot V2.

Positional arguments:

  • Keyfile. Key file to digest (PEM format).

Optional arguments:

  • --no-write-protect. Disable write-protecting of the key. The key remains writable. The keys use the RS coding scheme, which does not support post-write data changes; a forced write can damage the RS encoding bits. The write-protection of the key purposes does not depend on this option; it is set anyway.

  • --no-read-protect. Disable read-protecting of the key. This option does not change anything, because Secure Boot keys are readable anyway.

  • --force-write-always. Write the eFuse key even if it looks like it has already been written, or is write protected. Note that this option can't disable write protection, or clear any bit which has already been set.

  • --show-sensitive-info. Show the data to be burned (may expose sensitive data). Enabled automatically if --debug is used. Use this option to see the byte order of the data being written.

The key will be burned to BLOCK3.

The secure boot v2 key(s) will be readable and write protected.

Usage

See Perform Multiple Operations In A Single Espefuse Run for how to burn flash encryption and secure boot keys to the same eFuse key block at the same time.

> espefuse.py burn_key_digest secure_boot_v2_ecdsa192.pem

=== Run "burn_key_digest" command ===
Sensitive data will be hidden (see --show-sensitive-info)
Burn keys to blocks:
- BLOCK_KEY0_HI_128 -> [?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??]
        Disabling write to key block

Check all blocks for burn...
idx, BLOCK_NAME,          Conclusion
[00] BLOCK0               is empty, will burn the new value
[03] BLOCK_KEY0           is empty, will burn the new value
.
This is an irreversible operation!
Type 'BURN' (all capitals) to continue.
BURN
BURN BLOCK3  - OK (write block == read block)
BURN BLOCK0  - OK (write block == read block)
Reading updated efuses...
Successful

> espefuse.py  summary
...
XTS_KEY_LENGTH_256 (BLOCK0)                        Flash encryption key length                        = 128 bits key R/W (0b0)
...
BLOCK_KEY0 (BLOCK3)                                BLOCK_KEY0 - 256-bits. 256-bit key of Flash Encryp
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 c2 bd 9c 1a b4 b7 44 22 59 c6 d3 12 0b 79 1f R/-
                                                tion
BLOCK_KEY0_LOW_128 (BLOCK3)                        BLOCK_KEY0 - lower 128-bits. 128-bit key of Flash
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/-
                                                Encryption
BLOCK_KEY0_HI_128 (BLOCK3)                         BLOCK_KEY0 - higher 128-bits. 128-bits key of Secu
= 02 c2 bd 9c 1a b4 b7 44 22 59 c6 d3 12 0b 79 1f R/-
                                                re Boot.
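A post-burn check, written here as an added example and not part of the espefuse documentation or the tool itself: it parses the espefuse.py summary excerpt shown above (embedded as a constructed sample), pulls out the BLOCK_KEY0_HI_128 value and its R/W flags, and confirms that the burned digest matches the expected bytes, is non-zero, stays readable and is write-protected (the state this page says a Secure Boot V2 key should end up in). The expected digest is taken from the page's own summary output; in a real workflow it would be computed from the key file with espsecure.py digest_sbv2_public_key and compared against the width of the burned field, which is an assumption of this example.

```python
import re

# Constructed sample: the `espefuse.py summary` excerpt reproduced on this page.
SUMMARY = """\
BLOCK_KEY0 (BLOCK3)                                BLOCK_KEY0 - 256-bits. 256-bit key of Flash Encryp
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 c2 bd 9c 1a b4 b7 44 22 59 c6 d3 12 0b 79 1f R/-
                                                tion
BLOCK_KEY0_LOW_128 (BLOCK3)                        BLOCK_KEY0 - lower 128-bits. 128-bit key of Flash
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/-
                                                Encryption
BLOCK_KEY0_HI_128 (BLOCK3)                         BLOCK_KEY0 - higher 128-bits. 128-bits key of Secu
= 02 c2 bd 9c 1a b4 b7 44 22 59 c6 d3 12 0b 79 1f R/-
                                                re Boot.
"""

# Expected digest bytes: copied from the summary above for this sample. In practice
# they come from `espsecure.py digest_sbv2_public_key` run on the same key file.
EXPECTED_DIGEST = bytes.fromhex("02c2bd9c1ab4b7442259c6d3120b791f")

# "FIELD_NAME (BLOCKn)" header line of a summary entry.
FIELD_RE = re.compile(r"^(\w+) \((BLOCK\d+)\)")
# "= xx xx ... R/W" value line; the flag pair is readable/writable, '-' when not.
VALUE_RE = re.compile(r"^= ((?:[0-9a-fA-F]{2} )+)([R-])/([W-])")


def parse_key_fields(summary: str) -> dict:
    """Map each key field name in the summary to its raw bytes and R/W flags."""
    fields = {}
    current = None
    for line in summary.splitlines():
        header = FIELD_RE.match(line)
        if header:
            current = header.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            fields[current] = {
                "value": bytes.fromhex(value.group(1).replace(" ", "")),
                "readable": value.group(2) == "R",
                "writable": value.group(3) == "W",
            }
            current = None  # wrapped description lines that follow are ignored
    return fields


def check_secure_boot_digest(summary: str, expected: bytes,
                             field: str = "BLOCK_KEY0_HI_128") -> list:
    """Return a list of problems; an empty list means the burn looks as expected."""
    problems = []
    entry = parse_key_fields(summary).get(field)
    if entry is None:
        return [f"{field} not found in summary"]
    burned = entry["value"]
    if not any(burned):
        problems.append(f"{field} is all zeros: digest was not burned")
    # Assumption: only the leading len(burned) bytes of the digest fit in this field.
    elif burned != expected[:len(burned)]:
        problems.append(f"{field} does not match the expected digest")
    if not entry["readable"]:
        problems.append(f"{field} is read-protected; Secure Boot keys must stay readable")
    if entry["writable"]:
        problems.append(f"{field} is still writable (was --no-write-protect used?)")
    return problems


if __name__ == "__main__":
    for problem in check_secure_boot_digest(SUMMARY, EXPECTED_DIGEST) or ["OK"]:
        print(problem)
```

Feed it the real output of `espefuse.py summary` captured from the device, and treat any non-empty result as a reason to stop before shipping the board.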