Flashing encrypted firmware for the first time after pregenerated key burned

Posted: Wed Apr 03, 2019 6:39 pm
by Humam Helfawi
Hi,
I am using a pregenerated key without secure boot. I managed to do everything correctly as it was explained in the tutorial.

Now, I want to create a script to flash the whole firmware (including the bootloader and everything). I managed to do so except for a small problem:

After burning the pregenerated key file, the ESP32 waits for a plaintext bootloader and firmware to be flashed so that the bootloader will encrypt everything. In my case, I have already flashed the encrypted firmware and bootloader and I do not want the bootloader to encrypt anything. I want everything to start working directly.

How can I achieve this?

Thank you very much!

Re: Flashing encrypted firmware for the first time after pregenerated key burned

Posted: Wed Apr 03, 2019 11:01 pm
by ESP_Angus
Humam Helfawi wrote:
Wed Apr 03, 2019 6:39 pm
In my case, I have already flashed the encrypted firmware and bootloader and I do not want the bootloader to encrypt anything. I want everything to start working directly.
It is strongly recommended to use the supported workflow where the initial encryption happens on first boot. Doing it that way, there are fewer ways to accidentally leave the system unprotected.

However, you can do an initial encrypted flash by running two additional commands on the host:

espefuse.py burn_efuse FLASH_CRYPT_CONFIG 0xF
espefuse.py burn_efuse FLASH_CRYPT_CNT 1

The second command will increment FLASH_CRYPT_CNT from 0 to 1, which enables flash encryption.

If this is for a secure device, you also need to burn a number of other efuses or the security will be compromised: DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT, DISABLE_DL_CACHE, DISABLE_JTAG, CONSOLE_DEBUG_DISABLE.

You can burn all of these additional efuses using "espefuse.py burn_efuse EFUSE", or you can do it from inside your firmware on first boot. Normally the bootloader does this during the initial encryption on first boot, which is why we recommend booting a plaintext firmware the first time around.

If using flash encryption without secure boot in production, please also read this section of the docs:
https://docs.espressif.com/projects/esp ... ecure-boot
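As an added example that is not part of the thread or of Espressif's tooling: a small host-side check that parses the text of `espefuse.py summary` and confirms the efuse state the reply above describes (FLASH_CRYPT_CONFIG set to 0xF, FLASH_CRYPT_CNT enabling encryption, and the five DISABLE_*/CONSOLE_DEBUG_DISABLE fuses burned). The row shape `NAME (BLOCKn): description = VALUE ...` and the sample summary are assumptions constructed for the example, not captured output.

```python
import re
from typing import Dict, List

# Assumed row shape for espefuse.py summary output: "NAME [(BLOCKn):] description = VALUE ...".
EFUSE_LINE = re.compile(r"^\s*([A-Z0-9_]+)(?:\s*\(BLOCK\d+\))?\s+[^=]*=\s*(\d+)\b")

# The additional efuses the reply lists for a device using flash encryption without secure boot.
REQUIRED_SET = ("DISABLE_DL_ENCRYPT", "DISABLE_DL_DECRYPT", "DISABLE_DL_CACHE",
                "DISABLE_JTAG", "CONSOLE_DEBUG_DISABLE")

def parse_summary(text: str) -> Dict[str, int]:
    """Map efuse name -> decimal value for every line that looks like an efuse row."""
    fuses: Dict[str, int] = {}
    for line in text.splitlines():
        m = EFUSE_LINE.match(line)
        if m:
            fuses[m.group(1)] = int(m.group(2))
    return fuses

def check_flash_encryption(fuses: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the device matches the checklist."""
    problems: List[str] = []
    if fuses.get("FLASH_CRYPT_CONFIG") != 0xF:
        problems.append("FLASH_CRYPT_CONFIG must be 0xF")
    # Encryption is enabled when FLASH_CRYPT_CNT has an odd number of set bits (0 -> 1 in the thread).
    if bin(fuses.get("FLASH_CRYPT_CNT", 0)).count("1") % 2 == 0:
        problems.append("FLASH_CRYPT_CNT has an even bit count: flash encryption is disabled")
    for name in REQUIRED_SET:
        if fuses.get(name, 0) != 1:
            problems.append(f"{name} is not burned")
    return problems

# Constructed sample summary (not captured from a device): everything burned except DISABLE_JTAG.
CONSTRUCTED_SUMMARY = """\
FLASH_CRYPT_CNT (BLOCK0):     Flash encryption mode counter               = 1 R/W (0b0000001)
FLASH_CRYPT_CONFIG (BLOCK0):  Flash encryption config (key tweak bits)    = 15 R/W (0xf)
DISABLE_DL_ENCRYPT (BLOCK0):  Disable flash encryption in UART bootloader = 1 R/W (0b1)
DISABLE_DL_DECRYPT (BLOCK0):  Disable flash decryption in UART bootloader = 1 R/W (0b1)
DISABLE_DL_CACHE (BLOCK0):    Disable flash cache in UART bootloader      = 1 R/W (0b1)
DISABLE_JTAG (BLOCK0):        Disable JTAG                                = 0 R/W (0b0)
CONSOLE_DEBUG_DISABLE (BLOCK0): Disable ROM BASIC interpreter fallback    = 1 R/W (0b1)
"""

if __name__ == "__main__":
    for problem in check_flash_encryption(parse_summary(CONSTRUCTED_SUMMARY)):
        print("FAIL:", problem)
```

Run it against the real output of `espefuse.py summary` before a device leaves the bench; any printed FAIL line names an efuse from the reply that is still unburned.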

Re: Flashing encrypted firmware for the first time after pregenerated key burned

Posted: Thu Apr 04, 2019 3:13 am
by Humam Helfawi
Thank you very much! Your reply is very helpful.