when i use the flash encrypt,how can i change the development mode to release mode?

[Vincent zhang]

Hi everyone,
i am learning the esp32 flash encrypt by the example "esp-idf\examples\security\flash_encryption". when i follow the official document
https://docs.espressif.com/projects/esp ... ption.html to test the flash encrypt in develpoment mode,it works OK,and i can also disable Flash Encryption.
But when i want to change development mode to release mode,it has some problems. as the decument says,i must set the flash encryption eFuse to default value which should be 0，in fact，the efuse cannot be setted to 0。although i rebuild the project which has select release mode，it can run but has a warn log which says "Flash encryption settings error: app is configured for RELEASE but efuses are set for DEVELOPMENT".
now i want to know how can i set the efuse to 0 and let the board run in release mode？

[dmitrij999]

Why do you need to switch the flash encryption from DEVELOPMENT to RELEASE?
You can alter eFUSEs only once and you cannot alter them further, the particular fuse.
As an option, for learning purposes, you can add efuse partition into your partition table and activate efuse simulation on flash with the partition.

You can switch from DEVELOPMENT to open device and back but limited number of times (2 times as I remember).
But if you switch device to RELEASE, it's impossible to get the device back to open.
These were manipulations with real eFUSEs.

For sure, you can switch back device to open and try to set it to RELEASE using real eFUSES, but this is one-way ticket for your device.

[ESP_Mahavir]

Hello,

You may call an API documented here https://github.com/espressif/esp-idf/bl ... ypt.h#L195 from your application to switch from "development" to "release" mode in flash encryption.

Please note that this is an irreversible operation and post this, device shall always operate in flash encryption enabled mode. Please carefully look at the API implementation on what EFuse it shall program once and then add it in your code.

Hope this helps!

[dmitrij999]

As I understood, you have enabled the flash encryption for learning purposes to DEVELOPMENT mode, thus, you didn't generate the flash encryption key, and this was generated internally in ESP32.

You cannot extract this key neither with PC nor with software. So if you switch to RELEASE from your software, you lose ability to reflash your device with serial port.
(If you know how to extract without using vulnerabilities, let me know).
Everything you try to flash with serial to this chip in RELEASE mode must be encrypted with the same key as in chip.

So DON'T DO THIS unless you have host-pregenerated key for encryption before flash

[dmitrij999]

For learning, as an option, I propose you to check number of switches from/to DEVELOPMENT mode left.
If not zero, you can:
1) switch back device to open
2) then allocate efuse_em partition in your custom partition table
3) set your project config like this:
- point eFUSE controller to simulate its operations on dedicated eFUSE partitions on flash
- activate Flash Encryption in RELEASE mode
And you can test your apps with Flash Encryption and even use encrypted NVS partition (with NVS encryption key on dedicated Flash partition)

[Vincent zhang]

Thanks for everyone's suggestions. These are very useful for me to learn flash encryption.