Encrypted OTA firmware

[kuhatovuk]

Thank you ! Is it better to keep the secret key in the firmware or eFuse BLK3 ? Thank you again.

EDIT: Just read I wouldn't have access to BLK3 from program if I read protect it so it's not good. Should I instead add a small encrypted flash partition to hold the key ?

[ESP_Angus]

Thank you ! Is it better to keep the secret key in the firmware or eFuse BLK3 ? Thank you again.

EDIT: Just read I wouldn't have access to BLK3 from program if I read protect it so it's not good. Should I instead add a small encrypted flash partition to hold the key ?

Storing it in flash is necessary, for the reason you describe.

You could store it in the NVS partition if NVS encryption is enabled, or you can simply compile it into the firmware as a string.

[lucalorenzoni]

Hy,
I follow instruction to implement Encrypted OTA Firmware.
I have a factory partition + 2 OTAs partitions.
All works good, except when I try OTA ecrypted update.
The OTA update procedure runs without errors, but when ESP32 reboot idf.py monitor tells me

E (117) boot: ota data partition invalid, falling back to factory

I really cannot understand what is wrong.
Someone can help me?

[k.shyshkin]

@lucalorenzoni hello. Do you solve problem with upload pre-encrypted FW to ota partition? I see in your last message that you decrypt fw and upload it decrypted to partition. How you do that? Can you shared part of your code where you reciev chunk of your pre-encrypted firmware, decrypt it, and write to flash? Is it possible do by chunks?