关于ESP32 flash加密 和secrue boot 的咨询

[xjjiang]

请教各位大神，产品需要加密，是不是只要烧录3次后，这个模块就相当于没有用了，还有什么办法或者命令救吗？如下图所示，谢谢您的回复

[esp_Hemal]

Hi xjjiang,

Have you enabled FLASH ENCRYPTION and SECURE BOOT both or only SECURE BOOT?

From the boot up log it looks like the FLASH_CRYPT_CNT is set to indicate the flash contains encrypted image however you seem to have programmed plaintext image. Perhaps you have programmed the plaintext image after updating FLASH_CRYPT_CNT to 0xFF?? If this is the case device will fail to boot since ROM is trying to read an encrypted bootloader but flash memory has plaintext bootloader

From the espefuse command log it seems all the bits in FLASH_CRYPT_CNT are set (value = 0xFF) and hence you can not further update FLASH_CRYPT_CNT but you are still trying to do so and hence the error

Once FLASH_CRYPT_CNT is set to 0xFF it is not possible to update flash with new plaintext image. So there are only 3 plaintext update possible as mentioned in flash encryption document

1. Could you please provide the complete efuse dump by running “./espefuse.py —port /dev/ttyUSB0 summary” command

2. Another option is with the latest esptool.py you can do an “encrypted write” i.e. the plaintext image would be written after internally encrypting so you can have unlimited plaintext updates

For e.g.

$ ./esptool.py —port /dev/ttyUSB0 write_flash —encrypt 0x10000 image.bin

Where image.bin is plaintext application image

Please run above command with appropriate address and application binary file. You will have to also reprogram the bootloader as well as partition table with above command

[xjjiang]

Hi esp_Hemal:
Thanks for your reply very much!

Have you enabled FLASH ENCRYPTION and SECURE BOOT both or only SECURE BOOT?
answer:YES

Once FLASH_CRYPT_CNT is set to 0xFF it is not possible to update flash with new plaintext image. So there are only 3 plaintext update possible as mentioned in flash encryption document
answer::Is there other methed to set FLASH_CRYPT_CNT zero?JTAG？

1. Could you please provide the complete efuse dump by running “./espefuse.py —port /dev/ttyUSB0 summary” command
answer:pls get the attach file
2. Another option is with the latest esptool.py you can do an “encrypted write” i.e. the plaintext image would be written after internally encrypting so you can have unlimited plaintext updates
answer:my esptool.py version is V2.6
For e.g.

$ ./esptool.py —port /dev/ttyUSB0 write_flash —encrypt 0x10000 image.bin
answer:i can write the image.bin,but it can not run
Where image.bin is plaintext application image

Please run above command with appropriate address and application binary file. You will have to also reprogram the bootloader as well as partition table with above command
[/quote]

[esp_Hemal]

Hi Xjjiang,

Thanks for providing the efuse dump and other information.

Unfortunately once the efuses are programmed you can not revert the values. So FLASH_CRYPT_CNT can not be set to zero now, not even with JTAG. It is permanently set to 0xFF

As mentioned before you need to reprogram the bootloader and partition table also with the "--encrypt" option. It seems you have only reprogrammed application image. The error you get indicates the bootloader could not be decrypted (since it seems to be in plaintext format) and hence you can not run the code

Could you take the latest esptool and try the encrypted write?
https://github.com/espressif/esptool

Please send me the log of programming bootloader, partition and application image using write_flash --encrypt command

[xjjiang]

Hi esp_Hemal:
thanks for you suggest.when i down load follow your option,it is get stuck at 22% everytime,and then esptool tips download timeout .I had try mang times.
i am looking forward your reply.thanks!

[xjjiang]

Hi esp_Hemal:
in addtion,is there a methed that i encrypt the plaintext in PC, down load the encrypted file to the esp32