
[Script] Easy burn e-fuse in case of Flashing Pre-Generated Keys for Flash Encryption

Posted: Thu Feb 17, 2022 5:26 pm
by gb.123
Hi All !

After reading so much on the forum and getting help from ESP admins and mods, I have written a simple BAT script to burn the required fuses to protect the ESP in case someone wants to burn pre-flashed keys.

Please replace:
<PORT> with your actual connected port
<KEY> with the path to your Key.bin
::*** (remove it from the 2 lines) if you want to disable UART DOWNLOAD mode (recommended)

Please note that once you protect FLASH_CRYPT_CNT, the status of UART Download Mode also gets frozen.

Script:


espefuse.py -p <PORT> burn_efuse FLASH_CRYPT_CNT 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse FLASH_CRYPT_CONFIG 0xF --do-not-confirm
espefuse.py -p <PORT> burn_efuse DISABLE_DL_ENCRYPT 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse DISABLE_DL_DECRYPT 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse DISABLE_DL_CACHE 1 --do-not-confirm
espefuse.py -p <PORT> burn_efuse JTAG_DISABLE 1 --do-not-confirm
espefuse.py -p <PORT> burn_key flash_encryption <KEY> --do-not-confirm

:: This is Pre-Burnt
espefuse.py -p <PORT> burn_efuse CONSOLE_DEBUG_DISABLE 1 --do-not-confirm

:: Burn this if you want to disable UART Download (Recommended)
:: *** espefuse.py -p <PORT> burn_efuse UART_DOWNLOAD_DIS 1 --do-not-confirm

:: Write Protecting FLASH_CRYPT_CNT & UART_DOWNLOAD_DIS
:: *** espefuse.py -p <PORT> write_protect_efuse FLASH_CRYPT_CNT --do-not-confirm

:: Write Protecting FLASH_CRYPT_CONFIG (which also protects: CODING_SCHEME, KEY_STATUS, BLK3_PART_RESERVE)
:: espefuse.py -p <PORT> write_protect_efuse FLASH_CRYPT_CONFIG --do-not-confirm

Question that I need help with:

1. Is it required to write protect the fuses?

Re: [Script] Easy burn e-fuse in case of Flashing Pre-Generated Keys for Flash Encryption

Posted: Wed Feb 23, 2022 8:09 am
by ESP_Mahavir
1. Is it required to write protect the fuses?
It's advised to write protect configuration efuses to prevent further modifications. For example, `FLASH_CRYPT_CNT` is a 7-bit field (https://docs.espressif.com/projects/esp ... ant-efuses) and hence either all bits must be set to enable flash encryption (odd count) or the field must be write protected to avoid any further modifications (e.g. disabling flash encryption).

Re: [Script] Easy burn e-fuse in case of Flashing Pre-Generated Keys for Flash Encryption

Posted: Tue Apr 25, 2023 6:17 pm
by ncinfo
Hi All,

I am trying to implement firmware encryption in Release mode for ESP32-S2 with a single AES-128 key so that I can send encrypted firmware update files that can be updated via USB MSC. I don't need

I have generated a random AES-128 key with espsecure.py generate_flash_encryption_key
I have encrypted my firmware file with espsecure.py encrypt_flash_data
I have burnt the key in to BLOCK_KEY0 with espefuse.py burn_key

But I am confused as to what fuses I need to burn in order to enable the firmware encryption.

Will the script mentioned in this post do the job?
Can I flash a plaintext image before running the script or do I need to flash an encrypted image? And if so, when?

Thank you for your support

Re: [Script] Easy burn e-fuse in case of Flashing Pre-Generated Keys for Flash Encryption

Posted: Tue May 02, 2023 12:57 pm
by ESP_flying_raijin
Hi @ncinfo

The state of the Flash Encryption feature for the device depends on the state of the eFuse with name SPI_BOOT_CRYPT_CNT

I think you need to perform the following steps in order to enable flash encryption for esp32s2.
I have generated a random AES-128 key with espsecure.py generate_flash_encryption_key
I have encrypted my firmware file with espsecure.py encrypt_flash_data
I have burnt the key in to BLOCK_KEY0 with espefuse.py burn_key

espefuse.py -p $ESPPORT burn_efuse SPI_BOOT_CRYPT_CNT 0x7
espefuse.py -p $ESPPORT write_protect_efuse SPI_BOOT_CRYPT_CNT

This would enable flash encryption for the device which is usually enabled by the bootloader when Flash encryption is enabled in menuconfig while building the bootloader firmware. When the bootloader enables flash encryption it also encrypts all the regions one by one which are marked as encrypted in the partition table.
In your case this step also needs to happen externally.
You would need to encrypt the data for all the partitions which are marked as encrypted in your partition table.
After encrypting you may just use write_flash command of the esptool utility to write to the flash.

Please note that the relevant security eFuses also need to be burned (which is done by the bootloader when Flash Encryption is enabled by the bootloader).

I am listing the relevant eFuses below:

* DIS_DOWNLOAD_ICACHE & DISABLE_DOWNLOAD_DCACHE: Disable UART cache
* HARD_DIS_JTAG and DIS_USB_JTAG: Disable JTAG
* DIS_DIRECT_BOOT: Disable direct boot.
* DIS_DOWNLOAD_MANUAL_ENCRYPT: Disable UART bootloader encryption.
* DIS_BOOT_REMAP
* DIS_USB_JTAG
* ENABLE_SECURITY_DOWNLOAD: Enables security ROM Download mode.

We are soon adding documentation regarding enabling Security features using host based utilities such as espefuse.py.
It should be available in a couple of weeks.
Please let me know if you want me to elaborate on any point.

Thanks,
Aditya
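As an added example (not code from any of the posts above, nor from Espressif), here is a small Python audit that reads the JSON form of an `espefuse.py summary` and checks it against the lockdown state discussed in this thread: the odd-count rule for FLASH_CRYPT_CNT / SPI_BOOT_CRYPT_CNT, write protection of that field, and the download/JTAG eFuses from the first post's script and the ESP32-S2 list in the reply above. It assumes `espefuse.py summary --format json` emits one object per eFuse with `value`, `bit_len` and `writeable` keys; the sample summaries are constructed, not captured from a device.

```python
import json
# eFuse names as they appear in this thread. Assumption: they are the keys that
# `espefuse.py summary --format json` emits for the chip, each entry carrying
# "value", "bit_len" and "writeable" fields.
PROFILES = {
    "esp32": {  # FLASH_CRYPT_CNT is 7 bits wide
        "crypt_cnt": "FLASH_CRYPT_CNT",
        "expected": {"FLASH_CRYPT_CONFIG": 0xF, "DISABLE_DL_ENCRYPT": 1,
                     "DISABLE_DL_DECRYPT": 1, "DISABLE_DL_CACHE": 1,
                     "JTAG_DISABLE": 1, "UART_DOWNLOAD_DIS": 1}},
    "esp32s2": {  # SPI_BOOT_CRYPT_CNT is 3 bits wide, burned to 0x7 above
        "crypt_cnt": "SPI_BOOT_CRYPT_CNT",
        "expected": {"DIS_DOWNLOAD_ICACHE": 1, "HARD_DIS_JTAG": 1,
                     "DIS_USB_JTAG": 1, "DIS_DOWNLOAD_MANUAL_ENCRYPT": 1,
                     "ENABLE_SECURITY_DOWNLOAD": 1}},
}

def audit(summary, chip):
    """Return findings; an empty list means the summary matches the lockdown state."""
    prof, findings = PROFILES[chip], []
    name = prof["crypt_cnt"]
    cnt = summary[name]
    ones = bin(cnt["value"]).count("1")  # odd number of set bits = encryption on
    if ones % 2 == 0:
        findings.append(f"{name}: {ones} bit(s) set (even) -> flash encryption OFF")
    elif ones < cnt["bit_len"] and cnt["writeable"]:
        # Enabled now, but one more burn would make the count even again.
        findings.append(f"{name}: {ones}/{cnt['bit_len']} bits set and still "
                        "writeable -> encryption can be switched off later")
    for field, want in prof["expected"].items():
        got = summary.get(field, {}).get("value")
        if got != want:
            findings.append(f"{field}: expected {want:#x}, got {got}")
    return findings
def audit_json(text, chip):
    return audit(json.loads(text), chip)
# Constructed sample summaries (only the fields the audit reads), not from a device.
def efuse_entry(value, bit_len=1, writeable=False):
    return {"value": value, "bit_len": bit_len, "writeable": writeable}
BASE_ESP32 = {"FLASH_CRYPT_CONFIG": efuse_entry(0xF, 4), "JTAG_DISABLE": efuse_entry(1),
              "DISABLE_DL_ENCRYPT": efuse_entry(1), "DISABLE_DL_DECRYPT": efuse_entry(1),
              "DISABLE_DL_CACHE": efuse_entry(1)}
# Full script run, including the two "::***" lines.
LOCKED_ESP32 = json.dumps({**BASE_ESP32, "FLASH_CRYPT_CNT": efuse_entry(0x1, 7),
                           "UART_DOWNLOAD_DIS": efuse_entry(1)})
# Script run with the two "::***" lines left commented out.
PARTIAL_ESP32 = json.dumps({**BASE_ESP32, "FLASH_CRYPT_CNT": efuse_entry(0x1, 7, True),
                            "UART_DOWNLOAD_DIS": efuse_entry(0)})
```

Running `audit_json(PARTIAL_ESP32, "esp32")` reports both the still-writeable FLASH_CRYPT_CNT and the unburned UART_DOWNLOAD_DIS, which is exactly the state the reply warns about.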