Should otadata partition use 'encrypted' flag?
Posted: Thu Dec 01, 2022 9:41 pm
I've been working on adding secure boot and flash encryption to our device.
I'm using "encrypted" on our "app" partitions, and on some custom data partitions which will contain certificates. "nvs" partitions are encrypted with the separate NVS encryption system.
The flash encryption documentation doesn't mention whether the "otadata" partition should use the "encrypted" flag when flash encryption is in use.
E.g., here's my custom partition table:
# ESP-IDF Partition Table
# Name,Type,SubType,Offset,Size,Flags
nvs,data,nvs,0xF000,28K,
otadata,data,ota,0x16000,8K,
phy_init,data,phy,0x18000,4K,
...etc
I think that "otadata" and "phy_init" don't need encryption (or the "encrypted" flag) since they don't contain any sensitive info.
Is this correct? Will OTA updates work OK if otadata is not marked as "encrypted", and is there any security vulnerability?
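A partition-table audit for the question above, as an added example that is not part of the original post or of ESP-IDF. It assumes, per ESP-IDF's flash encryption documentation, that app partitions and the otadata partition are encrypted whenever flash encryption is enabled, with or without the "encrypted" flag; the ota_0 and certs rows are constructed sample data.

```python
import csv

# First three rows are from the post; ota_0 and certs are constructed for this example.
SAMPLE_CSV = """\
# ESP-IDF Partition Table
# Name,Type,SubType,Offset,Size,Flags
nvs,data,nvs,0xF000,28K,
otadata,data,ota,0x16000,8K,
phy_init,data,phy,0x18000,4K,
ota_0,app,ota_0,0x20000,1M,encrypted
certs,data,undefined,0x120000,16K,encrypted
"""

def always_encrypted(ptype, subtype):
    """Assumption (ESP-IDF flash encryption docs): app partitions and otadata
    are encrypted whenever flash encryption is on, regardless of the flag."""
    return ptype == "app" or (ptype, subtype) == ("data", "ota")

def audit(table_csv):
    """Return {partition name: effective protection} for a partition CSV."""
    rows = [l for l in table_csv.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]
    report = {}
    for row in csv.reader(rows):
        # Pad so a missing trailing Flags column reads as empty.
        fields = [f.strip() for f in row] + [""] * 6
        name, ptype, subtype, flags = fields[0], fields[1], fields[2], fields[5]
        flagged = "encrypted" in flags.split(":")  # flags are colon-separated
        if (ptype, subtype) == ("data", "nvs"):
            # As in the post: NVS is covered by the separate NVS encryption scheme.
            status = "review: nvs flagged" if flagged else "nvs encryption (separate)"
        elif always_encrypted(ptype, subtype):
            status = "encrypted (implicit)"
        elif flagged:
            status = "encrypted (flag)"
        else:
            status = "plaintext"
        report[name] = status
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CSV).items():
        print(f"{name:10s} {status}")
```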