Flash Encryption key write protection.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flash Encryption key write protection.

Postby ESP_Angus » Wed May 09, 2018 4:43 am

snahmad75 wrote:1-
espsecure.py generate_flash_encryption_key acti_flash_encryption_key.bin

2-
espefuse.py --port COM155 burn_key flash_encryption acti_flash_encryption_key.bin

3-
espsecure.py encrypt_flash_data --keyfile acti_flash_encryption_key.bin --address 0x10000 -o ./build/app-encrypted.bin ./build/app-template.bin

4-

esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-encrypted.bin


Are these steps correct. Am I missing any steps?
Each step looks correct but you are missing some steps between (2) and (3). After you burn the flash encryption key, the first time you flash you need to flash a plaintext bootloader and a plaintext app. The ESP32 will encrypt itself on the first boot.

The steps are laid out in more detail here:
http://esp-idf.readthedocs.io/en/latest ... yption-key

(The missing part is under the heading "First Flash with pregenerated key".)

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: Flash Encryption key write protection.

Postby snahmad75 » Wed May 09, 2018 8:27 am

1-
espsecure.py generate_flash_encryption_key acti_flash_encryption_key.bin

2-
espefuse.py --port COM155 burn_key flash_encryption acti_flash_encryption_key.bin
3-
esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-template.bin

4-
espsecure.py encrypt_flash_data --keyfile acti_flash_encryption_key.bin --address 0x10000 -o ./build/app-encrypted.bin ./build/app-template.bin

5-

esptool.py --port COM155 --baud 115200 write_flash 0x10000 ./build/app-encrypted.bin


I have added missing step. Is this good now?

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Flash Encryption key write protection.

Postby WiFive » Wed May 09, 2018 10:06 am

Instead of step 3 you should set appropriate encryption settings in menuconfig and do make flash. When you boot first time it will encrypt the flash including not just the app but bootloader, etc.. Step 4-5 is for updating app.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: Flash Encryption key write protection.

Postby snahmad75 » Wed May 09, 2018 10:13 am

ok,

Do I need to change my config only one thing mention below for step3 and do make flash.

The bootloader must be compiled with flash encryption support enabled. In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable flash encryption on boot”.

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Flash Encryption key write protection.

Postby WiFive » Wed May 09, 2018 10:36 am

Yes

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flash Encryption key write protection.

Postby ESP_Angus » Thu May 10, 2018 2:04 am

That's correct, set this one option and rebuild the entire project including bootloader (ie make or make flash).

When flash encryption is on, "make flash" won't automatically perform flashing (this is a safety feature as you can brick devices if the keys aren't yet set up correctly - as you unfortunately discovered). But it will print the full command line to run for flashing, and then you can run it manually.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: Flash Encryption key write protection.

Postby snahmad75 » Thu May 10, 2018 8:49 am

Just to clarify

Question #1
Enable below option make sense. good.

option #2
The bootloader must be compiled with flash encryption support enabled. In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable flash encryption on boot”

How about sub options "Potential insecure options" under above option. do I need to enable them?


How about first option above it.

option #'1

In make menuconfig, navigate to “Security Features” and select “Yes” for “Enable secure boot in bootloader”

Question #2

http://esp-idf.readthedocs.io/en/latest ... yption-key

Is Disabling Flash Encryption sub topic to disable temporary and run application without encryption.

Question #3

Do I need to bother with these commands.

espefuse.py --port PORT burn_efuse DISABLE_DL_DECRYPT
espefuse.py --port PORT write_protect_efuse DISABLE_DL_ENCRYPT

Question #4

So the burn a key to the device (one time only) . I need to keep key saved in my file. do not lose my key file.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: Flash Encryption key write protection.

Postby snahmad75 » Thu May 10, 2018 6:57 pm

Can some one reply to clarify my last post.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flash Encryption key write protection.

Postby ESP_Angus » Fri May 11, 2018 3:09 am

Hi snahmad75,
snahmad75 wrote: How about sub options "Potential insecure options" under above option. do I need to enable them?
You can read about these options here (or press the '?' key when highlighted in menuconfig) to decide:
http://esp-idf.readthedocs.io/en/latest ... re-options

(In general, no - and never in production. But maybe you have some use case that can use one of them in testing.)
snahmad75 wrote: Is Disabling Flash Encryption sub topic to disable temporary and run application without encryption.
It allows you to re-flash plaintext bootloader & app without encryption. It doesn't allow you to run the previously encrypted application.

snahmad75 wrote: Do I need to bother with these commands.

espefuse.py --port PORT burn_efuse DISABLE_DL_DECRYPT
espefuse.py --port PORT write_protect_efuse DISABLE_DL_ENCRYPT
No. To understand why, refer to the documentation where these commands are quoted:
http://esp-idf.readthedocs.io/en/latest ... decryption
snahmad75 wrote: So the burn a key to the device (one time only) . I need to keep key saved in my file. do not lose my key file.
That is correct.

Can I ask what stage of development you're at right now? Usually we would only recommend customers start enabling flash encryption and secure boot after their application is feature complete and at least the beta stage. You can develop your application with plaintext devices for prototyping and debugging and then enable the security features for final testing before you go into production.

snahmad75
Posts: 445
Joined: Wed Jan 24, 2018 6:32 pm

Re: Flash Encryption key write protection.

Postby snahmad75 » Fri May 11, 2018 8:25 am

I am at initial stage of development but I need to test enable the security features for later production usage.
I guess I can test encryption key with my dev board and keep encryption private key save into file to be used later.
Thanks for answer all my question. I am satisfied.

Who is online

Users browsing this forum: No registered users and 118 guests