I have an ESP32C3 application based on platformio with secure boot enabled, i.e., after booting I read out the following information from the partition table:
Partition Name: nvs Type: 0x01 - Subtype: 0x02 Address: 0x0000a000 Size: 24576 bytes Encrypted: No
Partition Name: otadata Type: 0x01 - Subtype: 0x00 Address: 0x00010000 Size: 8192 bytes Encrypted: Yes
Partition Name: coredump Type: 0x01 - Subtype: 0x03 Address: 0x00012000 Size: 57344 bytes Encrypted: No
Partition Name: app0 Type: 0x00 - Subtype: 0x10 Address: 0x00020000 Size: 1310720 bytes Encrypted: Yes
Partition Name: app1 Type: 0x00 * Subtype: 0x11 Address: 0x00160000 Size: 1310720 bytes Encrypted: Yes
Partition Name: spiffs Type: 0x01 - Subtype: 0x82 Address: 0x002a0000 Size: 1048576 bytes Encrypted: No
This is exactly what I want to have: Encrypted and signed application and an unencrypted and signed SPIFFS.
Now the problem is: The SPIFFS is not mounted when I call spiffs.begin(false):
E (1775) SPIFFS: mount failed, -10025
[ 1614][E][SPIFFS.cpp:89] begin(): Mounting SPIFFS failed! Error: -1
I guess, this is because SPIFFS cannot handle its own signature which I had to add to the file image when building it:
:: Reduce size of SPIFFS so that signature will fit into binary
:: SPIFFS size according to partition table is 0x100000
mkspiffs -c data -b 4096 -p 256 -s 0xFE800 spiffs.bin
:: Now add signature to SPIFFS
python espsecure.py sign_data --version 2 --keyfile %SIGNING_KEY% --output spiffs.bin.sig spiffs.bin
which outputs
[INFO] Signing SPIFFS...
espsecure.py v4.5.1
Padding data contents by 2048 bytes so signature sector aligns at sector boundary
1 signing key(s) found.
Signed 1044480 bytes of data from spiffs.bin. Signature sector now has 1 signature blocks.
How can I mount SPIFFS so that the excess signature will be ignored?
Or is there a different way to sign a SPIFFS image so that SPIFFS code and ESP32C3 hardware can handle it?
NOTE: I can update my SPIFFS OTA. Directly after updating SPIFFS, my firmware can actually read the SPIFFS content. So the FS content is actually ok and in the right place. Only after rebooting and subsequent mounting the SPIFFS becomes non-accessible.
1 Answer 1
Seems like SPIFFS does not support what is needed to create a signed or encrypted FS.
Changing to LittleFS worked w/o any complicated changes, just a matter of:
No changes required in the partition table, replacing SPIFFS.bin with littlefs.bin in the post build process, small code changes:
#include <LittleFS.h>
...
// Replace all access to SPIFFS with LittleFS
and an update to platformio.ini:
board_build.filesystem = littlefs