A utility for signing ESP32 firmware images for ESP RSA Secure Boot V2
- Pure-Rust
- `no_std` (but needs `alloc`) library interface for:
  - Signing
  - Verifying
  - Generating key SHA-256 E-FUSE signature
- Command line interface
Install the command line utility:

```sh
cargo install --force --git https://github.com/ivmarkov/espsign
```

Generate a new PEM signing key in file `foo`:

```sh
espsign gen-key foo
```

Generate a new PEM signing key in file `foo`, password-protected with `pass`, and with the E-FUSE SHA-256 hash in file `hash`:

```sh
espsign gen-key -p pass -s hash foo
```

Sign an app image `firmware-padded` using a pre-generated PEM signing key from file `foo`, writing the result to `firmware-signed`:

```sh
espsign sign -k foo firmware-padded firmware-signed
```

NOTE: The app image should first be padded to 64K alignment with e.g. esptools:

```sh
esptools tool --chip esp32s3 elf2image --version 2 --secure-pad-v2 --output firmware-padded firmware
```

Verify a signed app image `firmware-signed`:

```sh
espsign verify firmware-signed
```

Verify an image. Other examples.
```rust
use std::fs::File;
use std::path::PathBuf;

use log::info;

use espsign::{AsyncIo, ImageType, SBV2RsaSignatureBlock};

/// Verify that `image` is properly signed
fn main() {
    let image = PathBuf::from("/home/foo/factory-app-signed");

    let mut buf = [0; 65536];

    info!("Verifying image `{}`...", image.display());

    // `block_on` drives the async verification to completion on this thread.
    // The `unwrap()` calls panic if the file cannot be opened or verification fails.
    embassy_futures::block_on(SBV2RsaSignatureBlock::load_and_verify(
        &mut buf,
        AsyncIo::new(File::open(image).unwrap()),
        ImageType::App,
    ))
    .unwrap();

    info!("Image verified successfully");
}
```
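
The padding note above matters because Secure Boot V2 places a 4 KiB signature sector directly after the 64K-aligned app image. The following is an added example, not part of espsign: a structural pre-flight check (e.g. for a CI step) that tells apart unpadded, padded-but-unsigned and signed images without doing any cryptographic verification. The layout constants are assumptions taken from Espressif's Secure Boot V2 documentation, and all names are hypothetical.

```rust
// Added example. Layout constants follow Espressif's Secure Boot V2
// documentation (assumptions here, not read from espsign's source).
const APP_ALIGN: usize = 64 * 1024; // app image is padded to this before signing
const SECTOR: usize = 4096; // signature sector appended after the padded image
const BLOCK: usize = 1216; // size of one signature block (up to 3 per sector)
const CRC_COVERED: usize = 1196; // block bytes covered by the block's CRC-32

#[derive(Debug, PartialEq)]
pub enum Layout { NotPadded, UnsignedPadded, BadSignatureSector, Signed { blocks: usize } }

/// Standard (zlib) CRC-32, computed bit by bit.
pub fn crc32(data: &[u8]) -> u32 {
    !data.iter().fold(!0u32, |crc, &byte| {
        (0..8).fold(crc ^ byte as u32, |c, _| (c >> 1) ^ (0xEDB8_8320 & 0u32.wrapping_sub(c & 1)))
    })
}

/// Magic 0xE7, version 0x02 and a matching little-endian CRC-32 at offset 1196.
fn block_ok(b: &[u8]) -> bool {
    let c = CRC_COVERED;
    let stored = u32::from_le_bytes([b[c], b[c + 1], b[c + 2], b[c + 3]]);
    b[0] == 0xE7 && b[1] == 0x02 && crc32(&b[..c]) == stored
}

/// Structural check only: the RSA signature and image digest are NOT verified.
pub fn classify(image: &[u8]) -> Layout {
    let tail = &image[image.len().saturating_sub(SECTOR)..];
    match (image.len() / APP_ALIGN, image.len() % APP_ALIGN) {
        (0, _) => Layout::NotPadded,
        (_, 0) => Layout::UnsignedPadded,
        (_, SECTOR) => match tail.chunks_exact(BLOCK).take_while(|b| block_ok(b)).count() {
            0 => Layout::BadSignatureSector,
            blocks => Layout::Signed { blocks },
        },
        _ => Layout::NotPadded,
    }
}

/// Constructed sample: zeroed 64 KiB "image" plus a sector with one well-formed block.
pub fn sample_signed() -> Vec<u8> {
    let mut sector = vec![0xFFu8; SECTOR];
    sector[..2].copy_from_slice(&[0xE7, 0x02]);
    let crc = crc32(&sector[..CRC_COVERED]).to_le_bytes();
    sector[CRC_COVERED..CRC_COVERED + 4].copy_from_slice(&crc);
    [vec![0u8; APP_ALIGN], sector].concat()
}

fn main() {
    println!("{:?}", classify(&sample_signed()));
}
```

A `Signed` result only means the sector is well-formed; `espsign verify` or `load_and_verify` is still what establishes that the signature is valid.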