Mass production with Flash Encryption - programming the ESP32 fuses
Posted: Thu Feb 04, 2021 11:44 am
Hi,
I'm considering the following configuration.
1) Flash Encryption used just for the factory and ota partitions (no secure boot).
2) Binaries are encrypted using Host Generated Key as described in https://docs.espressif.com/projects/esp ... erated-key.
I would like to logistically do the following:
1) All ESP32 chips are shipped from Espressif (or other "Vendor A") with fully pre-blown fuses i.e. Key + FLASH_CRYPT_CNT + whatever else needed are already programmed by Espressif.
2) All SPI chips are shipped from a bulk burning/programming facility "Vendor B" carrying the pre-encrypted binaries.
3) ESP32 + SPI chips are soldered onto our custom PCB in "Vendor C" facility, then powered on.
I reviewed related threads and I think I am aware of the downsides, such as a less secure scheme using a single key etc.
(Threads like:
viewtopic.php?f=2&t=7348
viewtopic.php?f=2&t=7318
)
But the point is that I was wondering if the above scheme is even possible, the emphasis being that all fuses and SPI are burnt separately, and then after placing everything on the same PCB they are expected to just start working together.
The examples are more relevant to In Circuit Programming or using a module which already has ESP32 + SPI chips soldered on the same PCB.
And they show steps carried out in a specific order, the last step being the writing of FLASH_CRYPT_CNT (presumably AFTER the SPI has been written already).
The upside for us is that only Espressif ("Vendor A") are in possession of the encryption key, SPI chips are burnt in bulk and shipped with encrypted content.
So both vendor B+C can do their work effectively and in bulk, without being exposed to the sensitive firmware.
Can you advise if the above configuration and flow will work?
Thanks,
Shachar
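Whether pre-programmed flash and pre-burned efuses "just work together" comes down to one property of ESP32 flash encryption: the ciphertext depends on the key, on FLASH_CRYPT_CONFIG, and on the flash address each block is written to. The host-side `espsecure.py encrypt_flash_data` command therefore takes an `--address` per image, and Vendor B has to program each encrypted image at exactly that offset. The script below is an added example (not code from Espressif, ESP-IDF, or the post) that derives those offsets from a partition table, lists which regions the bootloader expects to be encrypted (bootloader, partition table, every `app` partition, `otadata`, and any data partition carrying the `encrypted` flag), checks the layout for overlaps, and emits the matching `espsecure.py` command lines. The partition CSV, image file names and key file name are constructed for illustration; the `espsecure.py` options used are the documented ones.

```python
"""Plan a host-side ESP32 flash-encryption build from a partition table.

Added example, not Espressif/ESP-IDF code. The partition table, image file
names and key file name are constructed for illustration.
"""

# Fixed ESP32 layout used by ESP-IDF: second-stage bootloader at 0x1000,
# partition table at 0x8000 (one 4 KiB sector).
BOOTLOADER_OFFSET = 0x1000
PARTITION_TABLE_OFFSET = 0x8000
PARTITION_TABLE_SIZE = 0x1000
FLASH_ENCRYPTION_KEY_LEN = 32  # generate_flash_encryption_key writes 32 bytes

# Constructed sample, in the same CSV format as ESP-IDF's partitions.csv.
SAMPLE_PARTITIONS_CSV = """\
# Name,   Type, SubType, Offset,   Size,    Flags
nvs,      data, nvs,     0x9000,   0x4000,
otadata,  data, ota,     0xd000,   0x2000,
phy_init, data, phy,     0xf000,   0x1000,
factory,  app,  factory, 0x10000,  1M,
ota_0,    app,  ota_0,   0x110000, 1M,
ota_1,    app,  ota_1,   0x210000, 1M,
storage,  data, spiffs,  0x310000, 0xF0000, encrypted
"""


def parse_size(text):
    """Accept the size spellings ESP-IDF allows: hex/decimal, or K/M suffix."""
    text = text.strip()
    mult = 1
    if text[-1] in "KkMm":
        mult = 1024 if text[-1] in "Kk" else 1024 * 1024
        text = text[:-1]
    return int(text, 0) * mult


def parse_partitions(csv_text):
    """Parse a partitions.csv body into dicts; comments and blank lines skipped."""
    rows = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        name, ptype, subtype, offset, size = fields[:5]
        flags = set(fields[5].split(":")) if len(fields) > 5 and fields[5] else set()
        rows.append({"name": name, "type": ptype, "subtype": subtype,
                     "offset": int(offset, 0), "size": parse_size(size),
                     "flags": flags})
    return rows


def must_encrypt(p):
    """Regions the ESP32 bootloader reads as encrypted once FLASH_CRYPT_CNT is odd:
    every app partition, otadata, and data partitions flagged 'encrypted'."""
    return (p["type"] == "app"
            or (p["type"] == "data" and p["subtype"] == "ota")
            or "encrypted" in p["flags"])


def encrypted_regions(csv_text, partition_table_offset=PARTITION_TABLE_OFFSET):
    """Return [(name, flash_offset)] for everything that must be host-encrypted."""
    regions = [("bootloader", BOOTLOADER_OFFSET),
               ("partition-table", partition_table_offset)]
    for p in parse_partitions(csv_text):
        if must_encrypt(p):
            regions.append((p["name"], p["offset"]))
    return regions


def check_layout(csv_text, flash_size):
    """Reject overlapping partitions or ones past the end of the SPI flash.
    A wrong offset here means Vendor B programs ciphertext the chip cannot decrypt."""
    prev_end = PARTITION_TABLE_OFFSET + PARTITION_TABLE_SIZE
    for p in sorted(parse_partitions(csv_text), key=lambda p: p["offset"]):
        if p["offset"] < prev_end:
            raise ValueError(f"partition {p['name']} overlaps at 0x{p['offset']:x}")
        if p["offset"] + p["size"] > flash_size:
            raise ValueError(f"partition {p['name']} extends past flash end")
        prev_end = p["offset"] + p["size"]
    return True


def check_key(key_bytes):
    """Sanity-check the host-generated key before it is handed to espefuse.py."""
    if len(key_bytes) != FLASH_ENCRYPTION_KEY_LEN:
        raise ValueError("flash encryption key must be exactly 32 bytes")
    if len(set(key_bytes)) < 8:  # crude blank/low-entropy guard, an assumption
        raise ValueError("key looks blank or low-entropy")
    return True


def espsecure_commands(regions, keyfile, images):
    """Build one encrypt_flash_data command per region that has a plaintext image.
    images: region name -> plaintext .bin path (constructed). Regions without an
    image (e.g. empty OTA slots) are returned separately so the caller decides."""
    cmds, missing = [], []
    for name, offset in regions:
        if name not in images:
            missing.append(name)
            continue
        src = images[name]
        cmds.append(f"espsecure.py encrypt_flash_data --keyfile {keyfile} "
                    f"--address 0x{offset:x} --output {src[:-4]}-encrypted.bin {src}")
    return cmds, missing


if __name__ == "__main__":
    regions = encrypted_regions(SAMPLE_PARTITIONS_CSV)
    check_layout(SAMPLE_PARTITIONS_CSV, 4 * 1024 * 1024)
    images = {"bootloader": "bootloader.bin", "partition-table": "partition-table.bin",
              "factory": "app.bin", "otadata": "ota_data_initial.bin"}
    cmds, missing = espsecure_commands(regions, "flash_encryption_key.bin", images)
    print("\n".join(cmds))
    print("regions left unprogrammed:", ", ".join(missing))
```

The same offsets go into Vendor B's programming manifest; each `-encrypted.bin` must land at the `--address` it was encrypted for, and the key file itself never leaves Vendor A. The empty OTA slots and the flagged data partition are reported rather than encrypted, since an unprogrammed region is simply erased flash and nothing needs to be written there.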