Avoiding writing plain text to encrypted partitions

kuhatovuk
Posts: 21
Joined: Thu Aug 01, 2019 8:46 pm

Avoiding writing plain text to encrypted partitions

Postby kuhatovuk » Tue Oct 15, 2019 8:12 pm

Hello ! I did "secure-boot one time" + "flash encryption release mode" on ten devices today. I thought one had failed and I restarted the operation. But maybe it was fine already. So I think I overwrote the valid encrypted bootloader with a plain-text bootloader and bricked it. Is there a command option or simple check to avoid overwriting a secure/encrypted partition with plain text ? Thank you !

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Avoiding writing plain text to encrypted partitions

Postby ESP_Angus » Wed Oct 16, 2019 3:18 am

Hi kuhatovuk ,

Unfortunately the only precaution we have is that "make flash" & "idf.py flash" won't automatically write the bootloader if secure boot is enabled.

If you can check the output of "espefuse.py -p PORT summary" then you can see which feature(s) are already enabled.

I will see if we can add some additional checks to esptool.py to require a flag to write if security features are already enabled.


angus

kuhatovuk
Posts: 21
Joined: Thu Aug 01, 2019 8:46 pm

Re: Avoiding writing plain text to encrypted partitions

Postby kuhatovuk » Mon Oct 21, 2019 9:15 pm

Hello, thank you for the answer. I had a similar issue today. Did the usual :

burn eFuse SDIO 3.3V
burn eFuse BLK3, write protect it
make -j4 erase_flash
make -j4
make -j4 bootloader
command to flash bootloader
make -j4 flash monitor

And it started well. Then it said some byte at ota0's offset wasn't as expected. I don't have the log anymore.

Is it possible that when flashing for encryption, make does not report partitions not fitting ? And I'm overflowing factory into ota0 or similar.

Also, is it possible to do secure-boot one-time + release encryption but burn the FLASH_CNT/UART_DECRYPT/etc eFuses at the end myself ? So I can verify everything is working before locking myself out.

Thank you !

Who is online

Users browsing this forum: Baidu [Spider] and 383 guests