Hi, When you say you are having trouble with re-flashing with flash encryption enabled does that mean that the first plaintext flashed got encrypted properly after flash encryption was enabled with pre-generated key and ESP32 boots correctly? Could you provide details of all the steps you followed? ...

chegewara,

Thanks for your comment.

This is not a bug. As you have already noticed IV gets updated after AES-CBC operation. This is due to the nature of CBC algorithm. So you need to ensure same IV value is used for encryption and decryption

Your plaintext is 13 bytes which is less than block size (=16 bytes) and AES-CBC only works on input whose length is multiple of block size. If not multiple of block size it needs to be padded. So the encryption output would be different for different padding. In your case during encryption out of 3...

Hi SK,

It's a documentation error. The AES_KEY registers are WRITE ONLY and hence will always return 0 when read

As suggested on other thread in general the dport registers should be read with DPORT_REG_READ()

Hi Xjjiang, Thanks for providing the efuse dump and other information. Unfortunately once the efuses are programmed you can not revert the values. So FLASH_CRYPT_CNT can not be set to zero now, not even with JTAG. It is permanently set to 0xFF As mentioned before you need to reprogram the bootloader...

Hi xjjiang, Have you enabled FLASH ENCRYPTION and SECURE BOOT both or only SECURE BOOT? From the boot up log it looks like the FLASH_CRYPT_CNT is set to indicate the flash contains encrypted image however you seem to have programmed plaintext image. Perhaps you have programmed the plaintext image af...

Hi sk, mbedtls_aes_crypt_ecb() function accepts mode (encrypt/decrypt) as one of the arguments so it can do both. Whereas mbedtls_internal_aes_encrypt() performs only encryption. Later one gets called from previous if the mode is selected as 'encrypt'. If AES HW acceleration is enabled (through menu...

Hi, You are right. The encryption key can be internally generated within ESP32 or could be generated externally and programmed in efuse There are two APIs for encrypted flash write & read namely esp_partition_write() and esp_partition_read() Please refer this link for more information: https://docs....