Flash encryption not completing
Posted: Wed Feb 21, 2024 9:01 am
Hello,
First time writing a thread here.
I'm trying to enable flash encryption on the ESP32 and I followed the official guide. More specifically, starting from my current configuration I did the following steps:
- Enable encryption from security options
- Change partition table offset (because of the increased bootloader size)
Everything goes fine and I see messages coming from the chip on the serial monitor, but it gets stuck at a certain point without giving much information. Further resets of the chip do not show any more messages on the serial monitor.
Below are the logs that I collected on first boot.
I also checked the efuses and noticed that FLASH_CRYPT_CNT is still set to 0, as if encryption was not enabled correctly.
Just for context, I'm using a custom UART for communicating with the serial monitor, and a custom partition table. Below are the full sdkconfig and partition table:
The device is not bricked; I can still upload my old firmware and everything goes fine as usual. In fact, I can replicate this problem each time I upload to the device.
I hope I brought enough information.
Thanks in advance to whoever is willing to help.
Daniele
Code:
I (18) boot: ESP-IDF v5.1.2 2nd stage bootloader
I (18) boot: compile time Feb 21 2024 08:50:52
I (19) boot: Multicore bootloader
I (19) boot: chip revision: v3.0
I (19) boot.esp32: SPI Speed : 40MHz
I (20) boot.esp32: SPI Mode : DIO
I (20) boot.esp32: SPI Flash Size : 16MB
I (21) boot: Enabling RNG early entropy source...
I (22) boot: Partition Table:
I (22) boot: ## Label Usage Type ST Offset Length
I (23) boot: 0 nvs WiFi data 01 02 0000c000 00004000
I (24) boot: 1 otadata OTA data 01 00 00010000 00002000
I (25) boot: 2 phy_init RF data 01 01 00012000 00001000
I (26) boot: 3 factory factory app 00 00 00020000 00200000
I (27) boot: 4 ota_0 OTA app 00 10 00220000 00200000
I (28) boot: 5 ota_1 OTA app 00 11 00420000 00200000
I (29) boot: 6 firmware Unknown data 01 81 00620000 00200000
I (30) boot: 7 config Unknown data 01 81 00820000 00100000
01 81 00920000 00100000
I (31) boot: 9 logs Unknown data 01 81 00a20000 00200000
I (32) boot: End of partition table
I (33) boot: Defaulting to factory image
I (33) esp_image: segment 0: paddr=00020020 vaddr=3f400020 size=49410h (300048) map
I (143) esp_image: segment 1: paddr=00069438 vaddr=3ffb0000 size=048a0h ( 18592) load
I (151) esp_image: segment 2: paddr=0006dce0 vaddr=40080000 size=02338h ( 9016) load
I (155) esp_image: segment 3: paddr=00070020 vaddr=400d0020 size=1020ech (1057004) map
I (536) esp_image: segment 4: paddr=00172114 vaddr=40082338 size=135b8h ( 79288) load
I (581) boot: Loaded app from partition at offset 0x20000
I (581) boot: Checking flash encryption...
I (581) efuse: Batch mode of writing fields is enabled
I (581) flash_encrypt: Using pre-loaded flash encryption key in efuse
I (582) flash_encrypt: Setting CRYPT_CONFIG efuse to 0xF
W (583) flash_encrypt: Not disabling UART bootloader encryption
I (584) flash_encrypt: Disable UART bootloader decryption...
I (585) flash_encrypt: Disable UART bootloader MMU cache...
I (585) flash_encrypt: Disable JTAG...
I (586) flash_encrypt: Disable ROM BASIC interpreter fallback...
I (587) efuse: Batch mode. Prepared fields are committed
I (588) esp_image: segment 0: paddr=00001020 vaddr=3fff00b8 size=02ea8h ( 11944)
I (591) esp_image: segment 1: paddr=00003ed0 vaddr=40078000 size=055f8h ( 22008)
I (596) esp_image: segment 2: paddr=000094d0 vaddr=40080400 size=00004h ( 4)
I (596) esp_image: segment 3: paddr=000094dc vaddr=40080404 size=01008h ( 4104)
I (1087) flash_encrypt: bootloader encrypted successfully
I (1140) flash_encrypt: partition table encrypted and loaded successfully
I (1141) flash_encrypt: Encrypting partition 1 at offset 0x10000 (length 0x2000)...
I (1236) flash_encrypt: Done encrypting
I (1237) esp_image: segment 0: paddr=00020020 vaddr=3f400020 size=49410h (300048) map
I (1345) esp_image: segment 1: paddr=00069438 vaddr=3ffb0000 size=048a0h ( 18592)
I (1352) esp_image: segment 2: paddr=0006dce0 vaddr=40080000 size=02338h ( 9016)
I (1356) esp_image: segment 3: paddr=00070020 vaddr=400d0020 size=1020ech (1057004) map
Code:
espefuse.py v4.7.0
Connecting.....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting....
Detecting chip type... ESP32
=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
ADC_VREF (BLOCK0) True ADC reference voltage = 1114 R/W (0b00010)
Config fuses:
WR_DIS (BLOCK0) Efuse write disable mask = 128 R/W (0x0080)
RD_DIS (BLOCK0) Disable reading from BlOCK1-3 = 1 R/W (0x1)
DISABLE_APP_CPU (BLOCK0) Disables APP CPU = False R/W (0b0)
DISABLE_BT (BLOCK0) Disables Bluetooth = False R/W (0b0)
DIS_CACHE (BLOCK0) Disables cache = False R/W (0b0)
CHIP_CPU_FREQ_LOW (BLOCK0) If set alongside EFUSE_RD_CHIP_CPU_FREQ_RATED; the = False R/W (0b0)
ESP32's max CPU frequency is rated for 160MHz. 24
0MHz otherwise
CHIP_CPU_FREQ_RATED (BLOCK0) If set; the ESP32's maximum CPU frequency has been = True R/W (0b1)
rated
BLK3_PART_RESERVE (BLOCK0) BLOCK3 partially served for ADC calibration data = False R/W (0b0)
CLK8M_FREQ (BLOCK0) 8MHz clock freq override = 49 R/W (0x31)
VOL_LEVEL_HP_INV (BLOCK0) This field stores the voltage level for CPU to run = 0 R/W (0b00)
at 240 MHz; or for flash/PSRAM to run at 80 MHz.0
x0: level 7; 0x1: level 6; 0x2: level 5; 0x3: leve
l 4. (RO)
CODING_SCHEME (BLOCK0) Efuse variable block length scheme
= NONE (BLK1-3 len=256 bits) R/W (0b00)
CONSOLE_DEBUG_DISABLE (BLOCK0) Disable ROM BASIC interpreter fallback = True R/W (0b1)
DISABLE_SDIO_HOST (BLOCK0) = False R/W (0b0)
DISABLE_DL_CACHE (BLOCK0) Disable flash cache in UART bootloader = True R/W (0b1)
Flash fuses:
FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 0 R/W (0b0000000)
dd number of bits set
FLASH_CRYPT_CONFIG (BLOCK0) Flash encryption config (key tweak bits) = 15 R/W (0xf)
Identity fuses:
CHIP_PACKAGE_4BIT (BLOCK0) Chip package identifier #4bit = False R/W (0b0)
CHIP_PACKAGE (BLOCK0) Chip package identifier = 1 R/W (0b001)
CHIP_VER_REV1 (BLOCK0) bit is set to 1 for rev1 silicon = True R/W (0b1)
CHIP_VER_REV2 (BLOCK0) = True R/W (0b1)
WAFER_VERSION_MINOR (BLOCK0) = 0 R/W (0b00)
WAFER_VERSION_MAJOR (BLOCK0) calc WAFER VERSION MAJOR from CHIP_VER_REV1 and CH = 3 R/W (0b011)
IP_VER_REV2 and apb_ctl_date (read only)
PKG_VERSION (BLOCK0) calc Chip package = CHIP_PACKAGE_4BIT << 3 + CHIP_ = 1 R/W (0x1)
PACKAGE (read only)
Jtag fuses:
JTAG_DISABLE (BLOCK0) Disable JTAG = True R/W (0b1)
Mac fuses:
MAC (BLOCK0) MAC address
= 34:86:5d:1f:ca:c8 (CRC 0x6d OK) R/W
MAC_CRC (BLOCK0) CRC8 for MAC address = 109 R/W (0x6d)
MAC_VERSION (BLOCK3) Version of the MAC field = 0 R/W (0x00)
Security fuses:
UART_DOWNLOAD_DIS (BLOCK0) Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
newer; only
ABS_DONE_0 (BLOCK0) Secure boot V1 is enabled for bootloader image = False R/W (0b0)
ABS_DONE_1 (BLOCK0) Secure boot V2 is enabled for bootloader image = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = True R/W (0b1)
KEY_STATUS (BLOCK0) Usage of efuse block 3 (reserved) = False R/W (0b0)
SECURE_VERSION (BLOCK3) Secure version for anti-rollback = 0 R/W (0x00000000)
BLOCK1 (BLOCK1) Flash encryption key
= ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLOCK2 (BLOCK2) Security boot key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK3 (BLOCK3) Variable Block 3
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 27 08 00 00 R/W
Spi Pad fuses:
SPI_PAD_CONFIG_HD (BLOCK0) read for SPI_pad_config_hd = 0 R/W (0b00000)
SPI_PAD_CONFIG_CLK (BLOCK0) Override SD_CLK pad (GPIO6/SPICLK) = 0 R/W (0b00000)
SPI_PAD_CONFIG_Q (BLOCK0) Override SD_DATA_0 pad (GPIO7/SPIQ) = 0 R/W (0b00000)
SPI_PAD_CONFIG_D (BLOCK0) Override SD_DATA_1 pad (GPIO8/SPID) = 0 R/W (0b00000)
SPI_PAD_CONFIG_CS0 (BLOCK0) Override SD_CMD pad (GPIO11/SPICS0) = 0 R/W (0b00000)
Vdd fuses:
XPD_SDIO_REG (BLOCK0) read for XPD_SDIO_REG = False R/W (0b0)
XPD_SDIO_TIEH (BLOCK0) If XPD_SDIO_FORCE & XPD_SDIO_REG = 1.8V R/W (0b0)
XPD_SDIO_FORCE (BLOCK0) Ignore MTDI pin (GPIO12) for VDD_SDIO on reset = False R/W (0b0)
Flash voltage (VDD_SDIO) determined by GPIO12 on reset (High for 1.8V, Low/NC for 3.3V)
Code:
CONFIG_APP_COMPATIBLE_PRE_V2_1_BOOTLOADERS=y
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_ESPTOOLPY_FLASHSIZE_16MB=y
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_PARTITION_TABLE_OFFSET=0xb000
CONFIG_WIFI_TIMEOUT=30
CONFIG_ENABLE_RTC=y
CONFIG_TLS_TIMEOUT=30
CONFIG_STANDALONE_TIMEOUT=900
CONFIG_TCPIP_SCOCKET_TIMEOUT=10
CONFIG_COMPILER_OPTIMIZATION_SIZE=y
CONFIG_ESP32_REV_MIN_3=y
CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
CONFIG_ESP_SYSTEM_EVENT_TASK_STACK_SIZE=4096
CONFIG_ESP_MAIN_TASK_STACK_SIZE=4096
CONFIG_ESP_CONSOLE_UART_CUSTOM=y
CONFIG_ESP_CONSOLE_UART_TX_GPIO=17
CONFIG_ESP_CONSOLE_UART_RX_GPIO=16
CONFIG_ESP_CONSOLE_UART_BAUDRATE=921600
CONFIG_ESP_TIMER_TASK_STACK_SIZE=4096
CONFIG_FREERTOS_IDLE_TASK_STACKSIZE=2048
CONFIG_FREERTOS_ISR_STACKSIZE=3072
CONFIG_LWIP_TCP_SYNMAXRTX=6
CONFIG_LWIP_TCP_MSS=1436
CONFIG_LWIP_TCPIP_TASK_STACK_SIZE=2560
CONFIG_MQTT_SKIP_PUBLISH_IF_DISCONNECTED=y
CONFIG_PTHREAD_TASK_STACK_SIZE_DEFAULT=4096
Code:
# Name,Type,SubType,Offset,Size,Flags
nvs,data,nvs,,0x4000
otadata,data,ota,,0x2000
phy_init,data,phy,,0x1000
factory,app,factory,,2M
ota_0,app,ota_0,,2M
ota_1,app,ota_1,,2M
firmware,data,fat,,2M
config,data,fat,,1M
script,data,fat,,1M
logs,data,fat,,2M
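Added example (not part of the original post and not Espressif tooling): a cross-check of the posted first-boot log against the posted espefuse.py summary, showing the mismatch the post describes, where regions are reported as encrypted while the FLASH_CRYPT_CNT parity still says encryption is off. The function names are hypothetical; the sample lines are copied from the post.

```python
import re

# Lines copied from the first-boot log and the espefuse.py summary posted above.
BOOT_LOG = """\
I (1087) flash_encrypt: bootloader encrypted successfully
I (1140) flash_encrypt: partition table encrypted and loaded successfully
I (1141) flash_encrypt: Encrypting partition 1 at offset 0x10000 (length 0x2000)...
I (1236) flash_encrypt: Done encrypting
"""
EFUSE_SUMMARY = """\
FLASH_CRYPT_CNT (BLOCK0) Flash encryption is enabled if this field has an o = 0 R/W (0b0000000)
JTAG_DISABLE (BLOCK0) Disable JTAG = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0) Disable flash encryption in UART bootloader = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0) Disable flash decryption in UART bootloader = True R/W (0b1)
"""

FUSE_RE = re.compile(r"^(\w+)\s+\(BLOCK\d\).*=\s*\S+\s+\S+\s+\((0[bx][0-9a-fA-F]+)\)$")
PART_RE = re.compile(r"Encrypting partition (\d+) at offset (0x[0-9a-f]+)")
DONE_RE = re.compile(r"flash_encrypt: (bootloader|partition table) encrypted")

def parse_efuses(summary):
    """Map fuse name -> raw integer value for single-line summary entries."""
    matches = (FUSE_RE.match(line.strip()) for line in summary.splitlines())
    return {m.group(1): int(m.group(2), 0) for m in matches if m}

def encryption_active(fuses):
    """FLASH_CRYPT_CNT enables encryption only with an odd number of bits set."""
    return bin(fuses["FLASH_CRYPT_CNT"]).count("1") % 2 == 1

def encrypted_regions(log):
    """Flash regions the bootloader reported as fully encrypted, in log order."""
    done, pending = [], None
    for line in log.splitlines():
        if m := PART_RE.search(line):
            pending = f"partition {m.group(1)} @ {m.group(2)}"
        elif "Done encrypting" in line and pending:
            done, pending = done + [pending], None
        elif m := DONE_RE.search(line):
            done.append(m.group(1))
    return done

def diagnose(log, summary):
    fuses = parse_efuses(summary)
    return {"encryption_active": encryption_active(fuses),
            "fuses_burned": sorted(n for n, v in fuses.items() if v),
            "encrypted_in_flash": encrypted_regions(log)}

if __name__ == "__main__": print(diagnose(BOOT_LOG, EFUSE_SUMMARY))
```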