I am using ESP-IDF v4.4.7, vscode on win11.
I have tested my firmware and it can perform HTTPS OTA, it is now time to secure it.
The chosen encryption method is with esp generated keys for firmware encryption https://docs.espressif.com/projects/esp ... erated-key
I generate the secure boot key with espsecure.py generate_signing_key
This is my partition table, and the first question is:
Which partitions should I flag with the encrypted flag? (asking because marking the nvs partition as encrypted causes crashes at boot) Are the others OK as shown?
# ESP-IDF Partition Table
#offset in config: 0x9000
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,,16K,,
otadata,data,ota,,8K,encrypted,
phy_init,data,phy,,4K,encrypted,
ota_0,app,ota_0,,3M,encrypted,
ota_1,app,ota_1,,3M,encrypted,
nvs_key,data,nvs_keys,,0x1000,encrypted,
storage,data,spiffs,,0x100000,encrypted,,
App signing scheme: RSA
Enable hardware Secure Boot in bootloader: YES
Secure boot version: V2
Sign binaries during build: YES
Enable aggressive key revoke strategy: NO
Allow potentially insecure options: YES
Enable flash encryption on boot: YES
Enable usage mode: Development (NOT SECURE)
Allow JTAG Debugging: NO
Allow app partition length not 64KB aligned: NO
Allow additional read protecting of efuses: NO
Leave unused digest slots available (not revoke): NO
Leave UART bootloader encryption enabled: YES
Leave UART bootloader flash cache enabled: YES
Require flash encryption to be already enabled:NO
Check Flash Encryption enabled on app startup:YES
UART ROM download mode: UART ROM download mode (Permanently switch to Secure mode (recommended))
idf.py -p encrypted-flash monitor
idf.py partition-table-flash
idf.py encrypted-bootloader-flash
esptool -p erase_flash --force
Reading the flash content shows it is encrypted, my LED flashes and OTA is functional.
Now I would like to prepare the settings for production for a single flash either with esptool, vscode or even better the flash_download_tool_3.9.6
So I change the sdkconfig settings as follows:
App Signing Scheme: RSA
Enable hardware Secure Boot in bootloader: YES
Select secure boot version: Enable Secure Boot version 2
Sign binaries during build: YES
Secure boot private signing key: signKey/secure_boot_signing_key.pem
Enable Aggressive key revoke strategy: NO
Allow potentially insecure options: NO
Enable flash encryption on boot: NO
Size of generated AES-XTS key: AES-128 (256-bit key)
Enable usage mode: Release
Check Flash Encryption enabled on app startup: YES
UART ROM download mode: UART ROM download mode (Permanently disabled (recommended))
I've then set up the flash_download_tool with the generated bin files (bootloader, OTA data initial, partition table, app) and the addresses as suggested by the idf.py build output.
But my ESP is now bricked and the app did not start (it should flash an LED).
I would not mind using another tool instead (have to flash many boards) even if I like the download tool idea, but I need to know how to flash with all the security features mentioned enabled without bricking devices...
Thank you
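An added check, not from the post and not part of Espressif's tools: the Python script below parses the posted partition table the way the CSV format is read (blank offsets filled in after the previous partition, trailing commas tolerated) and reports which rows flash encryption covers regardless of the flag (app partitions, otadata, nvs_keys), which rows are encrypted only because of the `encrypted` flag, and which stay plaintext. It also warns when a plain `nvs` data partition carries the flag, which matches the boot crash described in the post: the NVS library cannot operate on a flash-encrypted partition and expects NVS encryption through the nvs_keys partition instead. Assumed rather than taken from the post: the 64 KB (app) / 4 KB (data) alignment rules applied to blank offsets, an 8 MB flash module, and that `encrypted` is the only flag the v4.4 generator accepts.

```python
import re

# Constructed copy of the partition table rows from the post.
PARTITION_CSV = """\
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,,16K,,
otadata,data,ota,,8K,encrypted,
phy_init,data,phy,,4K,encrypted,
ota_0,app,ota_0,,3M,encrypted,
ota_1,app,ota_1,,3M,encrypted,
nvs_key,data,nvs_keys,,0x1000,encrypted,
storage,data,spiffs,,0x100000,encrypted,,
"""

PARTITION_TABLE_OFFSET = 0x9000  # "offset in config" from the post
PARTITION_TABLE_SIZE = 0x1000    # the table occupies one 4 KB flash sector
FLASH_SIZE = 8 * 1024 * 1024     # assumption: 8 MB module; change to match the board

# Assumption: alignment applied when the Offset column is left blank
# (app partitions on 64 KB boundaries, data partitions on 4 KB sectors).
ALIGNMENT = {"app": 0x10000, "data": 0x1000}

# Assumption: the only flag the v4.4 partition table generator knows.
KNOWN_FLAGS = {"encrypted"}

# Data subtypes that flash encryption always encrypts (app partitions likewise);
# the bootloader and the partition table are encrypted too but are not rows.
ALWAYS_ENCRYPTED_DATA = {"ota", "nvs_keys"}


def parse_size(text):
    """Accept decimal, hex, or K/M suffixed sizes as the CSV format does."""
    m = re.fullmatch(r"(0x[0-9a-fA-F]+|\d+)([KkMm]?)", text.strip())
    if not m:
        raise ValueError(f"bad size field {text!r}")
    mult = {"": 1, "k": 1024, "m": 1024 * 1024}[m.group(2).lower()]
    return int(m.group(1), 0) * mult


def parse_partitions(csv_text):
    """Parse CSV rows and fill in blank offsets from the previous partition."""
    partitions = []
    next_free = PARTITION_TABLE_OFFSET + PARTITION_TABLE_SIZE
    for raw in csv_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Pad so trailing commas or missing fields never raise an IndexError.
        fields = [f.strip() for f in (line + ",,,,,").split(",")]
        name, ptype, subtype, offset, size, flags = fields[:6]
        flag_set = {f for f in flags.split(":") if f}
        unknown = flag_set - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"{name}: unknown flag(s) {sorted(unknown)}")
        size_bytes = parse_size(size)
        if offset:
            start = int(offset, 0)
        else:
            align = ALIGNMENT[ptype]
            start = (next_free + align - 1) // align * align
        partitions.append({"name": name, "type": ptype, "subtype": subtype,
                           "offset": start, "size": size_bytes, "flags": flag_set})
        next_free = start + size_bytes
    return partitions


def encryption_status(part):
    """'always', 'flag' (encrypted only because of the flag) or 'plaintext'."""
    if part["type"] == "app" or part["subtype"] in ALWAYS_ENCRYPTED_DATA:
        return "always"
    if "encrypted" in part["flags"]:
        return "flag"
    return "plaintext"


def check_table(csv_text):
    """Return (per-partition report, warnings, end offset of the last partition)."""
    parts = parse_partitions(csv_text)
    report, warnings = [], []
    for p in parts:
        status = encryption_status(p)
        if p["subtype"] == "nvs" and "encrypted" in p["flags"]:
            warnings.append(f"{p['name']}: NVS partitions cannot be flash-encrypted; "
                            "drop the flag and use NVS encryption (nvs_keys) instead")
        elif status == "plaintext" and p["subtype"] != "nvs":
            warnings.append(f"{p['name']}: stored in plaintext; add the "
                            "'encrypted' flag if it holds anything sensitive")
        report.append((p["name"], p["offset"], p["size"], status))
    end = parts[-1]["offset"] + parts[-1]["size"]
    if end > FLASH_SIZE:
        warnings.append(f"table needs {end:#x} bytes but flash is {FLASH_SIZE:#x}")
    return report, warnings, end


if __name__ == "__main__":
    rep, warns, end = check_table(PARTITION_CSV)
    for name, off, size, status in rep:
        print(f"{name:10s} {off:#09x} {size:#09x} {status}")
    print(f"last partition ends at {end:#x}")
    for w in warns:
        print("WARNING:", w)
```

Run against the posted table it reports no warnings: `nvs` is the only plaintext row (as it has to be), `ota_0`/`ota_1`/`otadata`/`nvs_key` are encrypted whether or not they carry the flag, and `phy_init`/`storage` are encrypted because of it. Re-adding the flag to the `nvs` row reproduces the situation that crashed at boot, and the script points at it.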