esptool write_flash with encrypt option

dmlee05a
Posts: 17
Joined: Thu Jul 06, 2017 4:00 pm

esptool write_flash with encrypt option

Postby dmlee05a » Sun Jun 16, 2019 6:36 pm

While reviewing another topic, I saw a reference to using esptool.py write_flash with an encrypt option. If I understood correctly, this allows one to get around the 4 serial flash limit when using encryption. However, I cannot find any documentation on how to use this option. For example, does the image to be encoded have to be created from a build with encryption turned off in menuconfig? When I do an OTA update, I can use the bin file from a make with encryption enabled. What other pieces need to be encrypted using this option, e.g., bootloader, boot_app0, default.bin?

Is there anywhere I can find documentation on the process or requirements for using this option? Thanks in advance.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: esptool write_flash with encrypt option

Postby ESP_Angus » Mon Jun 17, 2019 1:41 am

We've merged the support for this option in esptool v2.7-dev, but we haven't merged the support for this into ESP-IDF yet so there's no documentation or easy config option for it. That support is being reviewed now and will be part of ESP-IDF V4.0, where we plan to change the suggested flash encryption workflow.

You can emulate the new behaviour by setting the "Potentially insecure options" in project config and set the "Leave UART bootloader encryption enabled" setting. This means that on first boot the UART_DL_DIS_ENCRYPT efuse is not burned (as such, it only works if the ESP32 doesn't already have this efuse burned.)

Setting this option will continue to allow transparent encryption when the UART bootloader mode is running, which can then be used by esptool to encrypt when writing data to flash.

Note that having this option set (or, specifically, this efuse unburned) is not secure and it should be used for development systems only, not in production.

dmlee05a
Posts: 17
Joined: Thu Jul 06, 2017 4:00 pm

Re: esptool write_flash with encrypt option

Postby dmlee05a » Tue Jun 18, 2019 12:34 am

Angus,
Thanks for the response. Two questions:
1. It's not clear to me how to take advantage of the "less secure" options. Is there documentation on how I would use those to go beyond the 4 flash limit? What would the process look like?
2. Is there a time frame for ESP-IDF V4.0, or even a development version with the new encryption workflow?

Thanks again

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: esptool write_flash with encrypt option

Postby ESP_Angus » Tue Jun 18, 2019 3:56 am

dmlee05a wrote:
Tue Jun 18, 2019 12:34 am
1. It's not clear to me how to take advantage of the "less secure" options. Is there documentation on how I would use those to go beyond the 4 flash limit? What would the process look like?
Unless you really want to dig into the semi-documented details, it's probably easiest to wait for the new "developing with flash encryption" process to be merged including the docs. This should happen in the next 10 days.

If you're already using flash encryption on an ESP32 with the 4 flash limit then that efuse configuration is unfortunately not compatible with the new method, so that ESP32 will continue to have the plaintext 4 flashes limit even after we release the new method.
dmlee05a wrote:
Tue Jun 18, 2019 12:34 am
2. Is there a time frame for ESP-IDF V4.0, or even a development version with the new encryption workflow?
We're currently developing ESP-IDF V4.0 on the master branch on GitHub. The flash encryption feature hasn't landed there yet, but it should land in the next 10 days. Early next month we expect to make a "release branch" for V4.0 (release/v4.0) and begin the beta testing process before finally making the release.

More details about how we do versioning can be found here: https://docs.espressif.com/projects/esp ... sions.html

dmlee05a
Posts: 17
Joined: Thu Jul 06, 2017 4:00 pm

Re: esptool write_flash with encrypt option

Postby dmlee05a » Tue Jun 18, 2019 2:56 pm

Angus,
I really appreciate your timely and well thought out responses. I will wait for the new process/documentation. FYI, all our production is done on linux machineswith scripts using esptool.py and espefuse.py. Unless there has been some change to the ESP32, I would assume that we should be able to accommodate whatever changes are needed for the new workflow.

I'm looking forward to seeing the new process.
Thanks again.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: esptool write_flash with encrypt option

Postby ESP_Angus » Wed Jun 19, 2019 12:22 am

dmlee05a wrote:
Tue Jun 18, 2019 2:56 pm
Unless there has been some change to the ESP32, I would assume that we should be able to accommodate whatever changes are needed for the new workflow.
Yes, that's correct. The other work is all in the ESP-IDF documentation, configuration and build system.

Thanks for being patient while we finalise this feature.

bastian.h.jaeger
Posts: 5
Joined: Mon Jun 15, 2020 12:07 pm

Re: esptool write_flash with encrypt option

Postby bastian.h.jaeger » Mon Jun 15, 2020 12:11 pm

Any updates on the mentioned documentation?

I am looking this, as I think I can upload a encrypted FatFS but my command
[Codebox]esptool.py --chip esp32 --port /dev/ttyUSB0 write_flash -z 0x170000 build/fatfs_image.img --encrypt[/Codebox]
seems not to work. I can not mount the file system.

Who is online

Users browsing this forum: top_secret_guy and 93 guests