Page 1 of 1

Encrypt firmware after deployement without physical access

Posted: Tue Jul 18, 2023 4:11 pm
by xtrmsound
Hello all,

I deployed a few ESP32 sensors. I didn't encrypt the firmware or burn any efuse. The sensors are running ESP-IDF 4.4 with OTA enabled.

I was able to get the efuse burned using the efuse library, so I was able to disable JTAG remotely. However, I was looking for a way to encrypt the firmware remotely using OTA. Since the ESP32 relies on the EFUSE for the AES key and to check if the ESP has a secure boot on, is there a way to create a firmware that will burn the correct efuse, set encryption, and ensure any new firmware must be signed?

For one of my projects, all ESP32s are V3, so I want to use Secure Boot V2. However, my other projects, all use ESP32s but the rev is varied, so I want to enable Secure Boot V1.

Thanks!