esp32-s3 manual firmware encryption and OTA without sdkconfig flash-encryption enabled
Posted: Wed Jun 05, 2024 8:24 am
Hi,
I want to know if my process for encryption is correct and if it is needed to enable flash encryption in sdkconfig to have OTA updates encrypted.
For now my process is the following:
Code:
esptool.py --port $SERIAL_PORT erase_flash
espsecure.py generate_flash_encryption_key --keylen 512 $ENCRYPTION_KEY_PATH
espsecure.py encrypt_flash_data --aes_xts --keyfile $ENCRYPTION_KEY_PATH --address 0x0 --output $FIRMWARE_ENCRYPTED_PATH/$MAC.bootloader.bin $BOOTLOADER_UNENCRYPTED_PATH
Of course I do the encryption also for partition, app and OTA data.
Code:
espefuse.py -p $SERIAL_PORT burn_key BLOCK_KEY0 $ENCRYPTION_KEY_PATH XTS_AES_256_KEY --show-sensitive-info
I use --show-sensitive-info and save the logs, so I know the key for each device. I need this in case of a major fail, because then I can flash the devices manually again.
Later on I burn all security relevant fuses and I also plan to use secure-boot v2.
Code:
espefuse.py -p $SERIAL_PORT burn_efuse DIS_DOWNLOAD_MANUAL_ENCRYPT 1
espefuse.py -p $SERIAL_PORT burn_efuse SPI_BOOT_CRYPT_CNT 7
I know that from now on I can only flash already encrypted data. And that is fine for me.
What I am now wondering about is that I have not enabled flash-encryption in the sdkconfig, but actually I do not need it, right? Because I manually encrypt the binaries on my host-computer.
My OTA update is in plaintext and the esp32-s3 will encrypt the data when OTA is performed, as said in the docs. Do I have to enable flash-encryption in sdkconfig for that to work?
Best
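The host-side procedure from the post (erase, generate a per-device key, encrypt each image at its own flash offset, burn the key, burn the fuses), assembled into one provisioning script as an added example. This is not the poster's script or anything from ESP-IDF; it only wraps the esptool.py, espsecure.py and espefuse.py commands the post already uses. The image paths and flash offsets (bootloader at 0x0, partition table at 0x8000, otadata at 0xd000, app at 0x10000), the OUT_DIR/DRY_RUN/SERIAL_PORT variables and the `MAC: xx:xx:...` line format expected from `esptool.py read_mac` are assumptions: check the offsets against the project's partitions.csv, because the XTS-AES tweak depends on the flash address and an image encrypted for the wrong offset will not boot.

```shell
#!/bin/sh
# Added example, not code from the forum post: the host-side procedure
# (erase, per-device key, encrypt every image at its own offset, burn key
# and fuses) with the checks a provisioning station should make before
# anything irreversible happens. Assumes esptool.py, espsecure.py and
# espefuse.py are on PATH. Paths and offsets below are assumed defaults
# for an ESP32-S3 project: verify them against partitions.csv.
set -eu

OUT_DIR="${OUT_DIR:-./encrypted}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the tool commands instead of running them

# "<image>:<flash offset>" pairs. The XTS-AES tweak is derived from the
# flash address, so each image must be encrypted for exactly the offset it
# is written to (on the ESP32-S3 the bootloader is at 0x0, not 0x1000).
IMAGES="
build/bootloader/bootloader.bin:0x0
build/partition_table/partition-table.bin:0x8000
build/ota_data_initial.bin:0xd000
build/app.bin:0x10000
"

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# --keylen 512 must yield a 64-byte key for the XTS_AES_256_KEY purpose;
# refuse anything else before it is burned into eFuses that cannot be redone.
check_key_len() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 64 ]
}

# XTS-AES works on 16-byte blocks, so a flash offset must be 16-byte aligned.
check_offset() {
    [ $(( $1 % 16 )) -eq 0 ]
}

# Turn `esptool.py read_mac` output ("MAC: 7c:df:a1:..." format assumed)
# into a filename-safe device id, used to keep one key directory per device.
parse_mac() {
    sed -n 's/^MAC: *\([0-9a-fA-F:]*\).*/\1/p' | head -n 1 | tr -d ':' | tr 'A-F' 'a-f'
}

# encrypt_image KEY IN OFFSET OUT
encrypt_image() {
    check_offset "$3" || { echo "offset $3 is not 16-byte aligned" >&2; return 1; }
    run espsecure.py encrypt_flash_data --aes_xts --keyfile "$1" \
        --address "$3" --output "$4" "$2"
}

# provision_device MAC: the post's steps, in the post's order.
provision_device() {
    mac="$1"
    dir="$OUT_DIR/$mac"
    key="$dir/flash_encryption_key.bin"
    mkdir -p "$dir"
    # One key per device, generated once: an existing key file may already be
    # burned into a device, and regenerating it would destroy the only copy.
    if [ -e "$key" ]; then
        echo "key for $mac already exists at $key, refusing to regenerate" >&2
        return 1
    fi
    run esptool.py -p "$SERIAL_PORT" erase_flash
    run espsecure.py generate_flash_encryption_key --keylen 512 "$key"
    [ "$DRY_RUN" = 1 ] || check_key_len "$key" || { echo "unexpected key length" >&2; return 1; }
    for entry in $IMAGES; do
        in="${entry%%:*}"
        off="${entry##*:}"
        encrypt_image "$key" "$in" "$off" "$dir/$(basename "$in")"
    done
    # --show-sensitive-info prints the key into the log: store that log next
    # to the key directory, not in a shared CI log.
    run espefuse.py -p "$SERIAL_PORT" burn_key BLOCK_KEY0 "$key" XTS_AES_256_KEY --show-sensitive-info
    # Release mode: all SPI_BOOT_CRYPT_CNT bits set, and no plaintext flashing
    # through the ROM download mode from now on.
    run espefuse.py -p "$SERIAL_PORT" burn_efuse DIS_DOWNLOAD_MANUAL_ENCRYPT 1
    run espefuse.py -p "$SERIAL_PORT" burn_efuse SPI_BOOT_CRYPT_CNT 7
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        mac=000000000000
    else
        mac="$(esptool.py -p "$SERIAL_PORT" read_mac | parse_mac)"
    fi
    [ -n "$mac" ] || { echo "could not read device MAC" >&2; return 1; }
    provision_device "$mac"
}

# Usage: SERIAL_PORT=/dev/ttyUSB0 [DRY_RUN=1] [OUT_DIR=dir] sh provision.sh
if [ -n "${SERIAL_PORT:-}" ]; then
    main
else
    echo "usage: SERIAL_PORT=/dev/ttyUSB0 [DRY_RUN=1] [OUT_DIR=dir] $0" >&2
fi
```

Run it once with DRY_RUN=1 to see the exact command list before touching a device; the real run leaves one directory per MAC containing the key and every encrypted image, which is what is needed later to reflash a device by hand once only encrypted data is accepted.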