Secure Boot V2 and Flash Encryption

aygh4266
Posts: 19
Joined: Mon Mar 04, 2024 10:33 am

Secure Boot V2 and Flash Encryption

Postby aygh4266 » Thu Sep 05, 2024 2:00 pm

Hello everybody.

I intend to use Flash Encryption in combination with Secure Boot V2. I would like to know if the FW image must be signed before it is encrypted and flashed. Basically I want to use flash encryption in Release mode.
For me something was not clear enough:

So as far as I understood, with OTA update there are no restrictions, so we can send FW images in plaintext. However, the image should be signed correctly before sending. Then it will be verified and encrypted.

Via serial it is not possible to flash images in plaintext in Release mode. One must sign the image correctly, pre-encrypt it and then flash it.

I appreciate your help in clarifying the problem.

Best regards

esp_nilesh_kale
Posts: 4
Joined: Wed May 22, 2024 6:17 am

Re: Secure Boot V2 and Flash Encryption

Postby esp_nilesh_kale » Tue Sep 17, 2024 4:38 am

You’re almost correct, but there’s an important detail regarding Release mode:

OTA Update: In Release mode with Flash Encryption and Secure Boot V2, you can send the firmware image in plaintext. The image needs to be signed before sending, and the device will verify the signature and encrypt the image as it is stored in flash.

Serial Flashing in Release Mode: Directly flashing plaintext images is not allowed in Release mode. You’ll need to enable Secure Download Mode, which ensures that only pre-encrypted firmware can be flashed. This mode enforces that no unencrypted data is flashed, maintaining security even in Release mode. Please refer to https://docs.espressif.com/projects/esp ... om-dl-mode to select the appropriate download mode.

You can flash using idf.py encrypted-flash if Secure Download Mode is enabled.
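The sign-then-encrypt order both posts describe, plus a host-side check of the artifact before choosing OTA or serial delivery, as an added shell example that is not part of this thread or of ESP-IDF; the key and file names and the 0x10000 application offset are assumptions.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): host-side checks and the sign-then-encrypt
# order for a Release-mode build. File names, key paths and the 0x10000 app
# offset are assumptions; adapt them to your partition table.
set -eu

# A plaintext ESP application image starts with the image magic byte 0xE9.
is_plaintext_image() {
  [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "e9" ]
}

# A Secure Boot V2 signed image ends with a 4096-byte signature sector whose
# first block starts with magic 0xE7 and version 0x02 (RSA) or 0x03 (ECDSA).
has_signature_block() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -ge 8192 ] || return 1
  hdr=$(od -An -tx1 -j $((size - 4096)) -N2 "$1" | tr -d ' ')
  [ "$hdr" = "e702" ] || [ "$hdr" = "e703" ]
}

# Decide which delivery path a binary is fit for:
#   signed-plaintext   -> OTA: the device verifies it, then encrypts it on write
#   unsigned-plaintext -> Secure Boot V2 will reject it; sign it first
#   not-plaintext      -> pre-encrypted (or not an image); the only form the
#                         serial path accepts once Release mode is enabled
classify_image() {
  if ! is_plaintext_image "$1"; then echo "not-plaintext"
  elif has_signature_block "$1"; then echo "signed-plaintext"
  else echo "unsigned-plaintext"
  fi
}

# Sign first, then encrypt: the signature covers the plaintext image, which is
# what the bootloader sees after the flash controller decrypts it on read.
# Pre-encrypting on the host only works when the flash encryption key was
# generated on the host and burned into eFuse, not generated on the device.
# --aes_xts is for ESP32-S2/S3/C-series targets; omit it on the original ESP32.
build_release_artifacts() {
  app=$1; signing_key=$2; flash_key=$3; signed="${app%.bin}-signed.bin"
  espsecure.py sign_data --version 2 --keyfile "$signing_key" \
    --output "$signed" "$app"
  espsecure.py encrypt_flash_data --aes_xts --keyfile "$flash_key" \
    --address 0x10000 --output "${signed%.bin}-encrypted.bin" "$signed"
  # Serial flashing in Release mode then takes only the encrypted file:
  #   esptool.py write_flash 0x10000 "${signed%.bin}-encrypted.bin"
}
```

Run classify_image on the file you are about to ship: only a signed-plaintext result belongs in an OTA payload, and only a not-plaintext (pre-encrypted) file belongs on the serial path of a Release-mode device.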
