[Secure Boot V2] Unable to flash signed App binary after flashing signed bootloader. (IDFGH-10705)

[robokrishan]

Answers checklist.

• I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
• I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
• I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

Question:

How can I enable Secure Boot V2 and be able to flash a signed bootloader AND a signed app binary on an ESP32-S3 (N8R8) chip?

Context:

I am trying to configure Secure Boot V2 on my ESP32-S3 (N8R8) chip. I followed the steps mentioned in the documentation i.e.:

1. Checking the box for Enable hardware Secure Boot in bootloader in Menuconfig -> App Signing Scheme
2. Selecting Enable Secure Boot version 2 in Menuconfig -> Select secure boot version
3. Specifying the path to my signing key (ECDSA private key)
4. Selecting Permanently switch to Secure mode in Menuconfig -> UART ROM download mode
5. Building the signed app binary, OTA, and partition table with idf.py build
6. Building the signed bootloader with idf.py bootloader
7. Flashing the signed bootloader with idf.py bootloader-flash

Everything works until this point. The problem arises when I try to flash the app binary, partition table and OTA using idf.py flash.

I get the following error logs when I run idf.py flash:

esptool esp32s3 -p /dev/ttyUSB0 -b 460800 --before=default_reset --after=no_reset --no-stub write_flash --flash_mode dio --flash_freq 80m --flash_size keep 0x100000 embed-reader-firmware-2.bin 0x10000 partition_table/partition-table.bin 0x11000 ota_data_initial.bin
esptool.py v4.5.1
Serial port /dev/ttyUSB0
Connecting....
Chip is ESP32-S3 (revision v0.1)
Features: WiFi, BLE
Crystal is 40MHz
MAC: f4:12:fa:df:30:10
Changing baud rate to 460800
Changed.
Enabling default SPI flash mode...
Configuring flash size...
Flash will be erased from 0x00100000 to 0x00280fff...
Flash will be erased from 0x00010000 to 0x00010fff...
Flash will be erased from 0x00011000 to 0x00012fff...
Erasing flash...

A fatal error occurred: Failed to enter Flash download mode (result was 01060000: Operation or feature not supported)
CMake Error at run_serial_tool.cmake:55 (message):
  
  /home/****/.espressif/python_env/idf5.0_py3.10_env/bin/python;;/home/****/esp/esp-idf/components/esptool_py/esptool/esptool.py;--chip;esp32s3
  failed

I have also tried manually entering the command with the --force option but I get the same output as above.

Have I missed a step in configuring Secure Boot V2?

[mahavirj]

@robokrishan

Please try replacing --flash_size keep with the specific flash capacity on your dev board (e.g., --flash_size 4MB) and that should fix this issue. Please see prior discussion on this topic here #10959 (comment)

[robokrishan]

@mahavirj You're right, that solved the problem!

If there are others with ESP-IDF V 5.0.1 running into the same problem, you must change the --flash_size keep option to the specific value corresponding to the flash size on your chip. I have an N8R8 module so I use --flash_size 8MB.

If you're wondering where to add this option, you need to go to build/ and look for flash_args and bootloader-flash_args. You will find the --flash_size option in both of these files. Modify it to specify your chip's flash size and run the command manually, NOT via idf.py bootloader-flash or idf.py flash. You may need to use the --force option.