Hi, I'm using flash encryption in a ESP32 board and with micropython project, which is based in ESP-IDF. I'm manually setting the following efuses in the board using espsecure.py:
FLASH_CRYPT_CONFIG 0xF
FLASH_CRYPT_CNT 0X1
DISABLE_DL_ENCRYPT 1
DISABLE_DL_DECRYPT 1
DISABLE_DL_CACHE 1
JTAG_DISABLE 1
And then I build the micropython firmware with my scripts as frozen codes and encrypt it with a pregenerated key using espsecure.py. After that, I write the encrypted firmware in the ESP32 using esptool.py.
I'm not using the reflashing option (see here) of the Flash encryption Development mode, bacause the efuse FLASH_CRYPT_CNT has just 7 bits so the board could be reflashed just 4 times, is it correct?
But I have realized that the micropython firmware has many partitions apart from app partition (factory): nvs, phy-init, and vfs. The way I'm using encrypt all of these partition, but the Flash encryption docs state that only bootloader, partition table, NVS Key Partition, Otadata, “app” type partitions (factory) and partitions marked with encrypted flag should be encrypted. So, nvs, phy-init, and vfs partitions shouldn't be encrypted, and even nvs partition doesn't support encrypted flag. Could this cause some troubles? Could it affect Wifi taking into account the calibration data is stored in the nvs partition?
With this configuration, could someone still stole and decrypt the firmware?
Flash encryption with micropython and reflashing
-
ESP_flying_raijin
- Posts: 25
- Joined: Tue Aug 13, 2019 2:03 pm
Re: Flash encryption with micropython and reflashing
Hi MauroDiam,
Those 7 bits indicate the number of times we can disable the Flash Encryption feature on the device and again enable it.
For e.g.,
You have enabled the development mode. That would consume 1 bit out of these 7 bits.
Now you can flash unlimited number of times ( limited by the durability of your flash). The firmware flashed in this case must of Flash encryption feature enabled.
Now you want to disable the flash encryption feature. Then you would again consume 1 bit out of the above 7 bits.
Again you can flash any number of times. This time the firmware should not have flash encryption enabled as it is not enabled on the device.
This process can be repeated till the 7 bits are consumed.
Please refer to https://docs.espressif.com/projects/esp ... partitions for more details.
The NVS partition has its own encryption algorithm different from the Flash Encrpytion. Please refer https://docs.espressif.com/projects/esp ... encryption for more details.
I dont know how micropython API interface works, but if you have access to this API from esp-idf https://github.com/espressif/esp-idf/bl ... ypt.h#L199
Then you can use it to verify your eFuse setting related to Flash Encryption.
Once this returns True, that means you have enabled flash encryption is release mode which is the maximum possible protection offered by the flash encryption feature.
Please note that the 7 bits are not related to the flashing.I'm not using the reflashing option (see here) of the Flash encryption Development mode, bacause the efuse FLASH_CRYPT_CNT has just 7 bits so the board could be reflashed just 4 times, is it correct?
Those 7 bits indicate the number of times we can disable the Flash Encryption feature on the device and again enable it.
For e.g.,
You have enabled the development mode. That would consume 1 bit out of these 7 bits.
Now you can flash unlimited number of times ( limited by the durability of your flash). The firmware flashed in this case must of Flash encryption feature enabled.
Now you want to disable the flash encryption feature. Then you would again consume 1 bit out of the above 7 bits.
Again you can flash any number of times. This time the firmware should not have flash encryption enabled as it is not enabled on the device.
This process can be repeated till the 7 bits are consumed.
Yes this can cause problems. Only those partitions which support encryption should be encrypted using the flash encryption key.But I have realized that the micropython firmware has many partitions apart from app partition (factory): nvs, phy-init, and vfs. The way I'm using encrypt all of these partition, but the Flash encryption docs state that only bootloader, partition table, NVS Key Partition, Otadata, “app” type partitions (factory) and partitions marked with encrypted flag should be encrypted. So, nvs, phy-init, and vfs partitions shouldn't be encrypted, and even nvs partition doesn't support encrypted flag. Could this cause some troubles? Could it affect Wifi taking into account the calibration data is stored in the nvs partition?
Please refer to https://docs.espressif.com/projects/esp ... partitions for more details.
The NVS partition has its own encryption algorithm different from the Flash Encrpytion. Please refer https://docs.espressif.com/projects/esp ... encryption for more details.
In addition to the eFuses that you have set, you also need to write protect the FLASH_CRYPT_CNT. Please refer to https://docs.espressif.com/projects/esp ... externally for more details about the eFuses that need to be burned.With this configuration, could someone still stole and decrypt the firmware?
I dont know how micropython API interface works, but if you have access to this API from esp-idf https://github.com/espressif/esp-idf/bl ... ypt.h#L199
Then you can use it to verify your eFuse setting related to Flash Encryption.
Once this returns True, that means you have enabled flash encryption is release mode which is the maximum possible protection offered by the flash encryption feature.
Who is online
Users browsing this forum: No registered users and 168 guests