Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Wed Feb 07, 2024 5:45 pm
by Nespressif
Good afternoon, I think I made a mistake trying to encrypt the flash and activate secure boot v2 and locked my chip. I think I know what my mistake was, but I would like to check it, so I don't make the same mistake again.

I had already done the process some time ago with the idf 4.2 version and now I am working with 5.1. The other times I have done it always went well, but it has been a while since I did it and although I read the documentation on encryption and secure boot in the new version, I think I made a mistake.

Once I had everything well configured:
1º I generated the signature with openssl genrsa -out my_secure_boot_signing_key.pem 3072
2º I executed idf.py menuconfig and activated the encryption in release mode and also secure boot, with the name of the signature that I had generated, and disabled UART ROM download. Then I exited menuconfig and saved the changes.
3º Then I built idf.py build.
4º I built the bootloader again idf.py bootloader.
5º Then I plugged in the chip and flashed with the output of the build command, as I have done other times...espy...write-flash.
6º Finally, idf.py flash.

No step of this process gave me an error, but the device would not reboot, nor would it allow me to re-flash; it no longer connects. The only thing I can do is idf.py -p /dev/ttyACM0 monitor, and then I see that it is constantly rebooting with this error:

I (200) cpu_start: ELF file SHA256:  d2b95646ec6ceb5d...
Warning: checksum mismatch between flashed and built applications. Checksum of built application is 1a031e44c0ef97588e9b046b6bebb50c3ba15637bb1b82456341ab20f3f39ffd
I (206) cpu_start: ESP-IDF:          v5.1.1-1-gd3c99ed3b8
I (212) cpu_start: Min chip rev:     v3.0
I (217) cpu_start: Max chip rev:     v3.99 
I (221) cpu_start: Chip rev:         v3.0
I (226) heap_init: Initializing. RAM available for dynamic allocation:
I (234) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (239) heap_init: At 3FFB3070 len 0002CF90 (179 KiB): DRAM
I (246) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM
I (252) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (259) heap_init: At 4008CD70 len 00013290 (76 KiB): IRAM
I (266) spi_flash: detected chip: winbond
I (269) spi_flash: flash io: dio
E (273) flash_encrypt: Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on

abort() was called at PC 0x400e34b6 on core 0
0x400e34b6: esp_mmu_vaddr_to_paddr at /home/alfredo/esp/esp-idf/components/esp_mm/esp_mmu_map.c:724 (discriminator 5)



Backtrace: 0x400813be:0x3ffe3b30 0x40086595:0x3ffe3b50 0x4008b98e:0x3ffe3b70 0x400e34b6:0x3ffe3be0 0x400d2282:0x3ffe3c10 0x40081282:0x3ffe3c50 0x400791b6:0x3ffe3c90 |<-CORRUPTED
0x400813be: rtc_brownout_isr_handler at /home/alfredo/esp/esp-idf/components/esp_system/port/brownout.c:49
0x40086595: xQueueGenericReset at /home/alfredo/esp/esp-idf/components/freertos/FreeRTOS-Kernel/queue.c:300 (discriminator 1)
0x4008b98e: _calloc_r at /home/alfredo/esp/esp-idf/components/newlib/heap.c:70
0x400e34b6: esp_mmu_vaddr_to_paddr at /home/alfredo/esp/esp-idf/components/esp_mm/esp_mmu_map.c:724 (discriminator 5)
0x400d2282: panic_handler at /home/alfredo/esp/esp-idf/components/esp_system/port/panic_handler.c:167
0x40081282: xt_highint4 at /home/alfredo/esp/esp-idf/components/esp_system/port/soc/esp32/highint_hdl.S:286

ELF file SHA256: d2b95646ec6ceb5d
Warning: checksum mismatch between flashed and built applications. Checksum of built application is 1a031e44c0ef97588e9b046b6bebb50c3ba15637bb1b82456341ab20f3f39ffd

Rebooting...

I think my mistake was flashing the bootloader first; I should have run idf.py flash and rebooted it first so it would have encrypted the flash first.

As I didn't have the OTA scheme implemented and the unlock encryption mode selected, I think nothing can be done to recover the chip.

Please, if someone can confirm that my mistake was to do the secure boot process before doing idf.py flash to make it encrypted, please confirm it. I don't want to mess up a chip again. And if so, I think the documentation should highlight this point to send this error.

Thank you very much in advance,

Re: Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Thu Feb 08, 2024 1:50 pm
by Nespressif
Please if someone can tell me if this is the correct process to enable flash encryption and secure boot v2 in the safest and simplest way:

1.- I clean the project by deleting the build directory or idf.py clean.
2.- I generate the signature with the command openssl
3.- I run idf.py menuconfig and enable flash encryption in release mode and secure boot v2 (my chip has revision V3), putting the name of the signature file .pem that I have generated. I close the menuconfig and save the changes.
4.- I plug in the chip, run idf.py build, run idf.py flash to flash and encrypt the partitions.
5.- I wait for it to restart. Here the memory should be encrypted
6.- I build the bootloader.ini and flash it with the output of the build command.
7.- I reset it and everything should be protected.
Is this the correct method?
Thanks

Re: Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Fri Feb 09, 2024 12:48 pm
by Nespressif
Please, any information will be welcome. A little help. Thank you.

Re: Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Mon Feb 12, 2024 9:29 am
by ESP_Mahavir
E (273) flash_encrypt: Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on
This error indicates that flash encryption is not yet enabled on this device. Maybe the device was power cycled while the bootloader was enabling the flash encryption workflow.

Are you able to connect esptool and fetch the eFuse summary? If yes, could you please share it here?
4.- I plug in the chip, run idf.py build, run idf.py flash to flash and encrypt the partitions.
5.- I wait for it to restart. Here the memory should be encrypted
Please note that the memory artifacts (including bootloader, partition-table, application) would be encrypted by the bootloader itself. Again, the encryption process won't start until the bootloader finds a valid partition-table and application flashed on the device. So whether you flash the bootloader first or last, it should not really matter.

Alternatively, you can also enable the secure boot and flash encryption workflow outside of the device as mentioned in the host machine based workflow guide here: https://docs.espressif.com/projects/esp ... flows.html

Hope this helps!

Re: Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Tue Feb 13, 2024 8:06 pm
by Nespressif
ESP_Mahavir wrote:
Mon Feb 12, 2024 9:29 am
E (273) flash_encrypt: Flash encryption eFuse bit was not enabled in bootloader but CONFIG_SECURE_FLASH_ENC_ENABLED is on
This error indicates that flash encryption is not yet enabled on this device. Maybe the device was power cycled while the bootloader was enabling the flash encryption workflow.

Are you able to connect esptool and fetch the eFuse summary? If yes, could you please share it here?
4.- I plug in the chip, run idf.py build, run idf.py flash to flash and encrypt the partitions.
5.- I wait for it to restart. Here the memory should be encrypted
Please note that the memory artifacts (including bootloader, partition-table, application) would be encrypted by the bootloader itself. Again, the encryption process won't start until the bootloader finds a valid partition-table and application flashed on the device. So whether you flash the bootloader first or last, it should not really matter.

Alternatively, you can also enable the secure boot and flash encryption workflow outside of the device as mentioned in the host machine based workflow guide here: https://docs.espressif.com/projects/esp ... flows.html

Hope this helps!

Good evening Mahavir, first of all I want to thank you for your help. I need to activate all security for a project I just finished in ESP32 V3 idf version 5.1.2.

Neither of the two chips that I have blocked trying to activate flash encryption and secure boot v2 allow me to connect with espefuse.py to obtain the status information of the efuses. It just allows me to use idf.py -p /dev/ttyACM0 monitor to see what's happening when I connect them.

espefuse.py -p /dev/ttyACM0 summary
espefuse.py v4.7.0
Connecting......................................

A fatal error occurred: Failed to connect to Espressif device: No serial data received.
For troubleshooting steps visit: https://docs.espressif.com/projects/esptool/en/latest/troubleshooting.html
Please make sure that you have specified the right port with the --port argument

I am going to try with a new chip to carry out the workflow as indicated in the documentation and then I will report the result.
https://docs.espressif.com/projects/esp ... externally

The other chip gives another error but I imagine it will be as a result of a wrong workflow, since I activated everything at once in the menuconfig. https://esp32.com/viewtopic.php?f=13&t=38358

Thank you so much.

Re: Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Wed Feb 14, 2024 8:38 am
by ESP_Mahavir
Neither of the two chips that I have blocked trying to activate flash encryption and secure boot v2 allow me to connect with espefuse.py
Sorry to hear that. This also confirms that UART DL mode is disabled on these chips. For future experiments, please keep `CONFIG_SECURE_INSECURE_ALLOW_DL_MODE` enabled until you have the entire workflow established and verified. Please see details on this config here: https://docs.espressif.com/projects/esp ... om-dl-mode
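
A pre-flight check for the advice above, as an added example that is not part of the original thread or of ESP-IDF: it reads an sdkconfig and flags the download-mode setting that leaves a chip unreachable by esptool and espefuse.py after first boot. The sample sdkconfig text is constructed, and option names other than the two quoted in the thread are taken from the ESP-IDF 5.x Kconfig, so check them against your version.

```python
import re

# Constructed sdkconfig excerpt: the combination described in the thread.
LOCKING = """\
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
CONFIG_SECURE_DISABLE_ROM_DL_MODE=y
"""
# Same excerpt with download mode kept enabled, as advised for bring-up.
BRINGUP = LOCKING.replace("DISABLE_ROM_DL_MODE", "INSECURE_ALLOW_DL_MODE")

def parse_sdkconfig(text):
    """Map option -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"(CONFIG_\w+)=(.*)", line):
            opts[m.group(1)] = m.group(2).strip('"')
        elif m := re.fullmatch(r"# (CONFIG_\w+) is not set", line):
            opts[m.group(1)] = "n"
    return opts

def preflight(text):
    """Return (level, message) findings to review before the first flash."""
    opts = parse_sdkconfig(text)
    on = lambda key: opts.get("CONFIG_SECURE_" + key) == "y"
    if not (on("FLASH_ENC_ENABLED") or on("BOOT")):
        return []  # no eFuse-burning security feature selected
    findings = []
    if on("DISABLE_ROM_DL_MODE"):
        findings.append(("BLOCK", "UART ROM download mode will be permanently "
                         "disabled; esptool/espefuse cannot connect afterwards"))
    elif on("INSECURE_ALLOW_DL_MODE"):
        findings.append(("INFO", "download mode stays enabled; change this "
                         "once the workflow is verified"))
    else:
        findings.append(("WARN", "download mode option not recognised; "
                         "check it in menuconfig"))
    if on("FLASH_ENC_ENABLED") and on("FLASH_ENCRYPTION_MODE_RELEASE"):
        findings.append(("WARN", "release mode: plaintext images cannot be "
                         "flashed over serial once encryption completes"))
    return findings

def ok_for_bringup(text):
    """True when nothing would lock the serial port on a test device."""
    return not any(level == "BLOCK" for level, _ in preflight(text))
```

Run `preflight()` on the project's sdkconfig after menuconfig and before the first `idf.py flash`; a BLOCK finding on a test chip means the workflow cannot be inspected or retried over serial if anything goes wrong.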

Re: Esp32 blocked: Flash encryption eFuse bit was not enabled in bootloader

Posted: Wed Feb 14, 2024 10:29 am
by Nespressif
ESP_Mahavir wrote:
Wed Feb 14, 2024 8:38 am
Neither of the two chips that I have blocked trying to activate flash encryption and secure boot v2 allow me to connect with espefuse.py
Sorry to hear that. This also confirms that UART DL mode is disabled on these chips. For future experiments, please keep `CONFIG_SECURE_INSECURE_ALLOW_DL_MODE` enabled until you have the entire workflow established and verified. Please see details on this config here: https://docs.espressif.com/projects/esp ... om-dl-mode

Thanks again. As I told you in the other post, I think this should be explained more clearly in the documentation, as in all the docs it says to disable when FE is enabled.

For example in the third bullet of step 2 to enable FE in release mode in the version I am using.

https://docs.espressif.com/projects/esp ... ption.html

Regards