Flash Encryption and Efuses handling.

[sparks]

Hi!

I have some points about flash encryption to clarify. My current flashing flow looks like this:

On first boot:
1. Burn pre-generated key into eFuses
1. Upload plain text binaries
2. Boot device and let in encrypt everything

On subsequent boots:
1. Build project, get file.bin as a result
2. Encrypt file.bin with pre-generated key with the help of

Code: Select all

espsecure.py encrypt_flash_data

3. Upload encrypted-file.bin via UART

Everything works fine (I also have Secure Boot enabled, it may be important for further discussion).

So firstly,
1. I've noticed that after enabling secure options and following my "first-boot-procedure" the following eFuses are not write or read protected:

Code: Select all

Security fuses:
FLASH_CRYPT_CNT (BLOCK0):                          Flash encryption mode counter                      = 127 R/W (0b1111111)
UART_DOWNLOAD_DIS (BLOCK0):                        Disable UART download mode (ESP32 rev3 only)       = False R/W (0b0)
FLASH_CRYPT_CONFIG (BLOCK0):                       Flash encryption config (key tweak bits)           = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE (BLOCK0):                    Disable ROM BASIC interpreter fallback             = True R/W (0b1)
ABS_DONE_0 (BLOCK0):                               Secure boot V1 is enabled for bootloader image     = False R/W (0b0)
ABS_DONE_1 (BLOCK0):                               Secure boot V2 is enabled for bootloader image     = True R/W (0b1)
JTAG_DISABLE (BLOCK0):                             Disable JTAG                                       = True R/W (0b1)
DISABLE_DL_ENCRYPT (BLOCK0):                       Disable flash encryption in UART bootloader        = True R/W (0b1)
DISABLE_DL_DECRYPT (BLOCK0):                       Disable flash decryption in UART bootloader        = True R/W (0b1)
DISABLE_DL_CACHE (BLOCK0):                         Disable flash cache in UART bootloader             = True R/W (0b1)

Should they be protected manually? (with the commands):

Code: Select all

espefuse.py --port COM4 write_protect_efuse JTAG_DISABLE
espefuse.py --port COM4 write_protect_efuse FLASH_CRYPT_CONFIG
espefuse.py --port COM4 write_protect_efuse ABS_DONE_0
espefuse.py --port COM4 write_protect_efuse ABS_DONE_1
espefuse.py --port COM4 write_protect_efuse FLASH_CRYPT_CNT
espefuse.py --port COM4 write_protect_efuse DISABLE_DL_ENCRYPT

espefuse.py --port COM4 read_protect_efuse FLASH_CRYPT_CONFIG

2. If all of previously mentioned eFuses should be r/w protected manually are there any else eFuses that I'm missing?

3. And one more question about Secure Boot key:

Code: Select all

BLOCK2 (BLOCK2):                                   Secure boot key
   = 11 22 33 44 55 66 77 88 99 00 11 22 33 44 55 66 77 88 R/-

Secure Boot key can be read, but am I right that it is not a problem as it is a public key and it can be visible? Even more if it is read protected the ESP32 software itself cannot read it during boot process?

Thanks in advance for any suggestions and information!

[liaifat85]

The Secure Boot key is typically considered a public key and can be visible. However, it's crucial to ensure that it remains confidential and is not tampered with. While the ESP32 software itself may not read the Secure Boot key during the boot process, unauthorized access to the key could potentially compromise the security of the system.

[sparks]

While the ESP32 software itself may not read the Secure Boot key during the boot process, unauthorized access to the key could potentially compromise the security of the system.

But how can it be achieved then? If it's read protected then it wouldn't work at all.

[sparks]

Does anyone has any suggestions or thoughts?

[sparks]

Seems that nobody uses flash encryption at all?