Flash Encryption and Efuses handling.
Posted: Wed Mar 20, 2024 3:47 pm
Hi!
I have some points about flash encryption to clarify. My current flashing flow looks like this:

On first boot:
1. Burn pre-generated key into eFuses
2. Upload plain text binaries
3. Boot device and let it encrypt everything

On subsequent boots:
1. Build project, get file.bin as a result
2. Encrypt file.bin with pre-generated key with the help of

    espsecure.py encrypt_flash_data

3. Upload encrypted-file.bin via UART

Everything works fine (I also have Secure Boot enabled, it may be important for further discussion).

So firstly,
1. I've noticed that after enabling secure options and following my "first-boot-procedure" the following eFuses are not write or read protected:

    Security fuses:
    FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 127 R/W (0b1111111)
    UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
    FLASH_CRYPT_CONFIG (BLOCK0): Flash encryption config (key tweak bits) = 15 R/W (0xf)
    CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback = True R/W (0b1)
    ABS_DONE_0 (BLOCK0): Secure boot V1 is enabled for bootloader image = False R/W (0b0)
    ABS_DONE_1 (BLOCK0): Secure boot V2 is enabled for bootloader image = True R/W (0b1)
    JTAG_DISABLE (BLOCK0): Disable JTAG = True R/W (0b1)
    DISABLE_DL_ENCRYPT (BLOCK0): Disable flash encryption in UART bootloader = True R/W (0b1)
    DISABLE_DL_DECRYPT (BLOCK0): Disable flash decryption in UART bootloader = True R/W (0b1)
    DISABLE_DL_CACHE (BLOCK0): Disable flash cache in UART bootloader = True R/W (0b1)

Should they be protected manually? (with the commands):

    espefuse.py --port COM4 write_protect_efuse JTAG_DISABLE
    espefuse.py --port COM4 write_protect_efuse FLASH_CRYPT_CONFIG
    espefuse.py --port COM4 write_protect_efuse ABS_DONE_0
    espefuse.py --port COM4 write_protect_efuse ABS_DONE_1
    espefuse.py --port COM4 write_protect_efuse FLASH_CRYPT_CNT
    espefuse.py --port COM4 write_protect_efuse DISABLE_DL_ENCRYPT
    espefuse.py --port COM4 read_protect_efuse FLASH_CRYPT_CONFIG

2. If all of the previously mentioned eFuses should be r/w protected manually, are there any other eFuses that I'm missing?
3. And one more question about Secure Boot key:

    BLOCK2 (BLOCK2): Secure boot key
    = 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 R/-

Secure Boot key can be read, but am I right that it is not a problem as it is a public key and it can be visible? Even more, if it is read protected, the ESP32 software itself cannot read it during the boot process?

Thanks in advance for any suggestions and information!
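
As an added example (not part of the original post and not Espressif's code): a small parser for the `espefuse.py summary` lines quoted above, reporting which eFuses are still readable or writable compared with a policy the caller supplies. The function names and the policy lists are assumptions; the sample input is a few lines copied from the post.

```python
import re

# Constructed sample: a few lines copied from the summary quoted in the post.
SAMPLE = """\
Security fuses:
FLASH_CRYPT_CNT (BLOCK0): Flash encryption mode counter = 127 R/W (0b1111111)
UART_DOWNLOAD_DIS (BLOCK0): Disable UART download mode (ESP32 rev3 only) = False R/W (0b0)
JTAG_DISABLE (BLOCK0): Disable JTAG = True R/W (0b1)
BLOCK2 (BLOCK2): Secure boot key
= 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 R/-
"""

# NAME (BLOCKn): description = value PERMS (raw); PERMS is R/W, R/-, -/W or -/-
FIELD = re.compile(
    r"^(?P<name>\w+) \((?P<block>BLOCK\d+)\):.*?=\s*(?P<value>.*?)\s+"
    r"(?P<perms>[R-]/[W-])(?:\s+\(.*\))?$"
)

def parse_summary(text):
    """Map eFuse name -> dict(block, value, readable, writable)."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("=") and logical:
            logical[-1] += " " + line  # key blocks wrap the value onto the next line
        elif line:
            logical.append(line)
    fuses = {}
    for line in logical:
        m = FIELD.match(line)
        if m:
            fuses[m["name"]] = {
                "block": m["block"],
                "value": m["value"],
                "readable": m["perms"][0] == "R",
                "writable": m["perms"][2] == "W",
            }
    return fuses

def audit(fuses, expect_write_protected=(), expect_read_protected=()):
    """List every fuse that violates the caller-supplied (hypothetical) policy."""
    findings = []
    checks = [(expect_write_protected, "writable"), (expect_read_protected, "readable")]
    for names, flag in checks:
        for name in names:
            if name not in fuses:
                findings.append(f"{name}: not present in summary")
            elif fuses[name][flag]:
                findings.append(f"{name}: still {flag}")
    return findings
```

Feed it the text printed by `espefuse.py summary` and pass the eFuse names your provisioning procedure is expected to lock.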