Hello,
When enabling Flash encryption for a production build I have to choose between the two UART ROM download modes:
- Permanently switch to secure mode
- Permanently disabled
What is the benefit of using the secure mode instead of completely disabling the UART?
Since flash encryption is enabled, I cannot flash a new bootloader anyway since the ESP32 expects an encrypted bootloader and encrypted download is disabled in secure mode. What is the point of being able to flash the ESP32 in secure mode?
From my understanding, (accidentally) flashing an already flashed ESP32 will brick the device, so it seems safer to me to disable the UART permanently, is that correct?
Best regards
UART ROM download mode when using Flash Encryption
Re: UART ROM download mode when using Flash Encryption
Hi,
With secure mode you would still be able to encrypt your binary on the host, flash it and boot successfully. This is of course only possible if you already know the key burned to the ESP32.
If you don't have any specific reason to keep secure mode on we still recommend disabling the download mode to limit the attack surface.