Flash encryption with internal key generation boots with "invalid header"

Posted: Wed Oct 09, 2024 2:33 pm
by Lobelois
Hi,

I'm struggling to write some ESP32-S3 chips for the first time with a firmware, bootloader, ... that are configured to use flash encryption in development mode, with UART encryption still enabled and internal key generation.

I do quite basic programming:
- I'm flashing with esptool (write_partition) some partitions in the ESP32-S3 (plain text),
- Then I use idf.py flash so it flashes the bootloader, ota-initial, firmware and partition table.

It reboots, then takes a while to encrypt the flash as expected. During the process I have an error that does not look blocking, saying that the second OTA partition is empty:
esp_image: image at 0x410000 has invalid magic byte (nothing flashed here?)
When it finally reboots, it looks like nothing has been encrypted or is badly encrypted:
invalid header: 0x8630e3ac
...
It works well afterward when I use idf.py encrypted-flash.

I'm using esp-idf 5.2.3 on an ESP32-S3 chip.

Does anyone have any idea of what I'm doing wrong?

Thank you!

Re: Flash encryption with internal key generation boots with "invalid header"

Posted: Tue Oct 15, 2024 6:22 am
by ESP_harshal
Hello @Lobelois,

Is it possible for you to share your partition table csv?

Re: Flash encryption with internal key generation boots with "invalid header"

Posted: Wed Oct 16, 2024 8:02 am
by Lobelois
Hello,

Thank you for your answer.

Here is the partition table:

# Name,                      Type, SubType,  Offset,   Size,          Flags
nvs,                         data, nvs,      0x9000,   0x4000,
otadata,                     data, ota,      0xd000,   0x2000,
phy_init,                    data, phy,      0xf000,   0x1000,
ota_0,                       app,  ota_0,    ,         4M,
ota_1,                       app,  ota_1,    ,         4M,
partition1,                  data, nvs,      ,         1M,
partition2,                  data, nvs,      ,         500K,                    
partition3,                  data, nvs,      ,         2M,
partition4,                  data, nvs,      ,         2M,
partition_key1,              data, nvs_keys, ,         0x1000,        encrypted 
efuse_em,                    data, efuse,    ,         0x2000,                  
partition_key2,              data, nvs_keys, ,         0x1000,        encrypted
partition5,                  data, nvs,      ,         12K,
partition_key3,              data, nvs_keys, ,         0x1000,        encrypted
partition6,                  data, nvs,      ,         128K,
partition7,                  data, nvs,      ,         12K,
storage,                     data, nvs,      ,         18M,           encrypted

I realised that removing the "encrypted" flag from the last partition was solving the problem.

Is it a limitation of the IDF? Should I use "indirect" encryption (using nvs_keys) instead of direct flash encryption for large partitions?

Thank you!

Re: Flash encryption with internal key generation boots with "invalid header"

Posted: Wed Oct 16, 2024 8:58 am
by ESP_harshal
> I realised that removing the "encrypted" flag from the last partition was solving the problem.

With the "last partition", do you mean the "storage" nvs partition?

Re: Flash encryption with internal key generation boots with "invalid header"

Posted: Wed Oct 16, 2024 1:30 pm
by Lobelois
Indeed, I meant the "storage" partition, sorry.

Re: Flash encryption with internal key generation boots with "invalid header"

Posted: Thu Oct 17, 2024 5:04 am
by ESP_harshal
ESP-IDF does not support a partition of subtype "nvs" to be marked as "encrypted": reference: https://github.com/espressif/esp-idf/bl ... pp#L21-L23.

You could enable the NVS encryption feature for the partition by initializing it using `nvs_flash_secure_init_partition()`.
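
The constraint described in this reply can be checked before flashing. The following is an added example, not part of the original thread and not ESP-IDF code: a small Python linter for a partition table CSV that reports `nvs` partitions carrying the `encrypted` flag. The function names and the shortened sample table are constructed for illustration, and the second rule (an `nvs_keys` partition should carry the flag, as in the table posted above) is an assumption.

```python
import csv

# Constructed sample: a shortened copy of the table posted in the thread.
SAMPLE_CSV = """\
# Name,         Type, SubType,  Offset, Size,   Flags
nvs,            data, nvs,      0x9000, 0x4000,
otadata,        data, ota,      0xd000, 0x2000,
ota_0,          app,  ota_0,    ,       4M,
partition_key1, data, nvs_keys, ,       0x1000, encrypted
storage,        data, nvs,      ,       18M,    encrypted
"""


def parse_partitions(text):
    """Yield (lineno, name, type, subtype, flags) for each table row."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in next(csv.reader([line]))]
        fields += [""] * (6 - len(fields))  # the Flags column may be absent
        name, ptype, subtype, _offset, _size, flags = fields[:6]
        # Several flags can be combined with ':' in the Flags column.
        yield lineno, name, ptype, subtype, {f for f in flags.split(":") if f}


def lint_partition_table(text):
    """Return (lineno, name, message) findings for NVS encryption mistakes."""
    findings = []
    for lineno, name, ptype, subtype, flags in parse_partitions(text):
        if ptype != "data":
            continue
        if subtype == "nvs" and "encrypted" in flags:
            findings.append((lineno, name,
                             "nvs partition must not be flagged 'encrypted'; "
                             "use nvs_flash_secure_init_partition() instead"))
        elif subtype == "nvs_keys" and "encrypted" not in flags:
            # Assumption: key partitions carry the flag, as in the thread.
            findings.append((lineno, name,
                             "nvs_keys partition should be flagged 'encrypted'"))
    return findings


if __name__ == "__main__":
    for lineno, name, message in lint_partition_table(SAMPLE_CSV):
        print(f"line {lineno}: {name}: {message}")
```

Run against the sample, it reports only the `storage` row, the same partition whose flag removal resolved the "invalid header" boot failure in this thread.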

Re: Flash encryption with internal key generation boots with "invalid header"

Posted: Thu Oct 17, 2024 8:21 am
by Lobelois
Ok, thank you for your support, I misunderstood the feature.