Questions regarding flash encryption and Secure Boot

[Yuriy Bohdanovsky]

I read the flash drive with an external programmer.
It was found out, at the address 0х1002 0х1003 data are not written down.
I wrote bootloader-encrypted.bin as an external programmer and it all worked.
Probably some bit blocks these bytes

Code: Select all

0x01000 44 4B 02 20 19 2A 08 E6 C1 EF 4A 70 3C 6D 0E C9 
0x01010 ED 60 4D CF A3 40 2D AB D6 63 05 08 2D 51 2D 09

problem with bytes 0x02 0x20

[ESP_Angus]

Hi Yuriy,

It looks like the flash mode & flash size bytes of the encrypted image have been written as plaintext values. This shouldn't happen, and it may be a bug in the tool you used to flash. What tool and options did you use to write bootloader-encrypted.bin?

[Yuriy Bohdanovsky]

This all looks correct. Did you use the same my_flash_encryption_key.bin for the app firmware & partition table when you overwrote those?

Yes

Was this key written into the ESP32 with espefuse.py before the first boot?

Yes

Are you sure you flashed bootloader-encrypted.bin not bootloder.bin? Can you post the full esptool.py command lines you used each time?

I wrote down the key 2 ways
- using the command $python /home/osboxes/esp/esp-idf/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption my_flash_encryption_key.bin
- I changed the firmware of the bootloader and did it with a bootloader.
The result is the same, see past post.

[Yuriy Bohdanovsky]

For download I use FLASH_DOWNLOAD_TOOLS_V3.6.4
You pushed me to the idea of writing a bootloader-encrypted.bin using espefuse.py

[Yuriy Bohdanovsky]

I used the command but the bootloader did not start

Code: Select all

$python /home/osboxes/esp/esp-idf/components/esptool_py/esptool/esptool.py  --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 bootloader-encrypted_1.bin

I'm looking for an option to protect the firmware, but allow the user to change it through uart. I'm afraid that the user can mistakenly erase the bootloader and its device will turn into a brick.

Is it possible to block the bootloader from erasing or overwriting it?

[ESP_Angus]

Hi Yuriy,

It looks like the GUI download tool is a little enthusiastic in setting the flash speed/size bytes in the bootloader binary header, even when the bootloader is encrypted not plaintext. I've lodged a bug internally about this.

(esptool.py does some basic sanity checks before changing the modes, but it's safest to not pass --flash_mode and --flash_freq options when you know the image is encrypted.)

I used the command but the bootloader did not start

Code: Select all

$python /home/osboxes/esp/esp-idf/components/esptool_py/esptool/esptool.py  --chip esp32 --port /dev/ttyUSB0 --baud 921600 --before default_reset --after hard_reset write_flash -z --flash_mode dio --flash_freq 40m --flash_size detect 0x1000 bootloader-encrypted_1.bin

Same error as before? Can you retry without '--flash_mode dio' and '--flash_freq 40m' options?

I'm looking for an option to protect the firmware, but allow the user to change it through uart. I'm afraid that the user can mistakenly erase the bootloader and its device will turn into a brick.

Is it possible to block the bootloader from erasing or overwriting it?

Over UART with serial flashing, there is no protection of this kind. Depending on your use case, maybe you can provide the user with an encrypted bootloader as well (or a combined bootloader+app image binary) and have them re-flash everything over UART? This way there's no data which can be accidentally erased permanently.

[ESP_puff]

For download I use FLASH_DOWNLOAD_TOOLS_V3.6.4
You pushed me to the idea of writing a bootloader-encrypted.bin using espefuse.py

Hello Yuriy,
There is a checkbox called "DoNotChgBin" in FLASH_DOWNLOAD_TOOLS. When it is clicked, the firmware you want to download will not be changed by the SPI mode or FLASH speed

[Yuriy Bohdanovsky]

Hello ESP_puff,
Thank you so much. Everything worked.
The "DoNotChgBin" checkbox saved me.