Possibility to update from flash encryption development to release via OTA

[Giga__]

Hi,

I am working currently at IDF version 4.3.1, HW is Wrover-E (ESP32-Rev3).

the question is fairly simple.
1) Is it possible to upgrade from flash encryption in development mode to flash encryption in release mode via OTA-App update?
and even if it is possible, are there any drawbacks vs. reflashing the whole firmware package (bootloader, partition table and app)?


I have read the documentation and it points out the differences between development mode and release mode, but it does not specify how the bootloader and app distinguish between each.

I would like to first flash the bootloader, partition table and app in development mode, and later update to release mode via OTA (this would buy me some time and take some risks of bricking the device).

In my understanding this could be theoretically possible, if the bootloader distinguishes between release and development mode only by the efuses (which all can be set by any OTA update at least once, if I am not wrong).

Unfortunately the documentation doesn't cover this exact topic.

In the source code of the bootloader_support component I can see that it definitely checks for mismatches between project configuration and efuses, though at this place only the other way round (configured for release, efuses for development):

Code: Select all

   
   [...] 
    // Second check is to print a warning or error if the current running flash encryption mode
    // doesn't match the expectation from project config (due to mismatched bootloader and app, probably)
    mode = esp_get_flash_encryption_mode();
    if (mode == ESP_FLASH_ENC_MODE_DEVELOPMENT) {
#ifdef CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE
        ESP_LOGE(TAG, "Flash encryption settings error: app is configured for RELEASE but efuses are set for DEVELOPMENT");
        ESP_LOGE(TAG, "Mismatch found in security options in bootloader menuconfig and efuse settings. Device is not secure.");
#else
        ESP_LOGW(TAG, "Flash encryption mode is DEVELOPMENT (not secure)");
#endif
    } else if (mode == ESP_FLASH_ENC_MODE_RELEASE) {
        ESP_LOGI(TAG, "Flash encryption mode is RELEASE");
    }
    [...]

2) Can/will there be problems when the bootloader is flashed with

Code: Select all

CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT

but the system is later updated to release, without reflashing the bootloader, but only setting the efuses by the app via OTA?


The efuses on my list are:

Code: Select all

FLASH_CRYPT_CNT //to 0xFF
DISABLE_DL_DECRYPT // burn
DISABLE_DL_ENCRYPT //burn
DISABLE_DL_CACHE //burn
DISABLE_JTAG //burn
esp_efuse_disable_rom_download_mode // => UART_DOWNLOAD_DIS burn

3) Am I missing any, or is there a specific order in which they should be burned/called via API (e.g. because of a write protection dependency)?

4) When, after burning the fuses, does the switch to release mode take effect?
I guess after the next reset, so after burning the fuses a restart would be advised, I guess!?

Regards,

Giga

[matas_s]

Did you find answers to your questions? If so, could you share them?

[simonernst]

Hi,

Did you have a look at

Code: Select all

esp_flash_encryption_set_release_mode()

from bootloader_support (flash_encrypt.c)
You can call this to switch from development to release encryption.
It will burn the corresponding efuses for release encryption