Burn key Digest
The espefuse.py burn_key_digest
command parses a RSA public key and burns the digest to eFuse block for use with Secure Boot V2.
Positional arguments:
block
- Name of key block.Keyfile
. Key file to digest (PEM format).Key purpose
. The purpose of this key [SECURE_BOOT_DIGEST0
,SECURE_BOOT_DIGEST1
,SECURE_BOOT_DIGEST2
].
It can be list of blocks and keyfiles and key purposes (like BLOCK_KEY0 keyfile0.pem SECURE_BOOT_DIGEST0 BLOCK_KEY1 keyfile1.pem SECURE_BOOT_DIGEST1 etc.).
Optional arguments:
--no-write-protect
. Disable write-protecting of the key. The key remains writable. The keys use the RS coding scheme that does not support post-write data changes. Forced write can damage RS encoding bits. The write-protecting of keypurposes does not depend on the option, it will be set anyway.--no-read-protect
. Disable read-protecting of the key. This option does not change anything, because Secure Boot keys are readable anyway.--force-write-always
. Write the eFuse key even if it looks like it is already been written, or is write protected. Note that this option can’t disable write protection, or clear any bit which has already been set.--show-sensitive-info
. Show data to be burned (may expose sensitive data). Enabled if –debug is used. Use this option to see the byte order of the data being written.
The secure boot v2 key(s) will be readable and write protected.