While reviewing another topic, I saw a reference to using esptool.py write_flash with an encrypt option. If I understood correctly, this allows one to get around the 4 serial flash limit when using encryption. However, I cannot find any documentation on how to use this option. For example, does the image to be encoded have to be created from a build with encryption turned off in menuconfig? When I do an OTA update, I can use the bin file from a make with encryption enabled. What other pieces need to be encrypted using this option, e.g., bootloader, boot_app0, default.bin?
Is there anywhere I can find documentation on the process or requirements for using this option? Thanks in advance.
esptool write_flash with encrypt option
Re: esptool write_flash with encrypt option
We've merged the support for this option in esptool v2.7-dev, but we haven't merged the support for this into ESP-IDF yet so there's no documentation or easy config option for it. That support is being reviewed now and will be part of ESP-IDF V4.0, where we plan to change the suggested flash encryption workflow.
You can emulate the new behaviour by setting the "Potentially insecure options" in project config and then setting the "Leave UART bootloader encryption enabled" setting. This means that on first boot the UART_DL_DIS_ENCRYPT efuse is not burned (as such, it only works if the ESP32 doesn't already have this efuse burned).
Setting this option will continue to allow transparent encryption when the UART bootloader mode is running, which can then be used by esptool to encrypt when writing data to flash.
Note that having this option set (or, specifically, this efuse unburned) is not secure and it should be used for development systems only, not in production.
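The following is an added example, not part of the original posts and not esptool or ESP-IDF code: a provisioning-side check that reads saved `espefuse.py summary` text and reports whether the efuse discussed above is still unburned, which is the development-only state. The label `DISABLE_DL_ENCRYPT`, the line layout and the sample text are assumptions constructed for illustration; the function names are hypothetical.

```python
import re

# The thread names the efuse UART_DL_DIS_ENCRYPT; DISABLE_DL_ENCRYPT is the
# label assumed here for `espefuse.py summary` output. Adjust to your version.
EFUSE_NAMES = ("UART_DL_DIS_ENCRYPT", "DISABLE_DL_ENCRYPT")

# Constructed sample text in an assumed "NAME  description = value ..." layout.
SAMPLE_DEV = (
    "Security fuses:\n"
    "FLASH_CRYPT_CNT        Flash encryption mode counter                = 1 R/W (0x1)\n"
    "DISABLE_DL_ENCRYPT     Disable flash encryption in UART bootloader  = 0 R/W (0x0)\n"
)
SAMPLE_PROD = SAMPLE_DEV.replace("= 0 R/W (0x0)", "= 1 R/- (0x1)")


def parse_summary(text):
    """Return {efuse_name: int_value} for each 'NAME ... = value' line."""
    fuses = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z][A-Z0-9_]*)\b.*?=\s*(\S+)", line)
        if not m:
            continue  # headings and free text are ignored
        raw = m.group(2)
        if raw in ("True", "False"):  # some layouts print booleans
            fuses[m.group(1)] = int(raw == "True")
            continue
        try:
            fuses[m.group(1)] = int(raw, 0)  # accepts 0, 1, 0x1, 0b1
        except ValueError:
            continue  # not a simple numeric efuse, skip it
    return fuses


def classify(text):
    """Classify a device by the UART download-mode encryption efuse only."""
    fuses = parse_summary(text)
    for name in EFUSE_NAMES:
        if name in fuses:
            # Unburned (0): the UART bootloader can still encrypt on write,
            # which the thread describes as development-only.
            return "development-only" if fuses[name] == 0 else "uart-encrypt-disabled"
    return "unknown"


def passes_production_gate(text):
    """Fail closed: an unreadable or missing efuse line never passes."""
    return classify(text) == "uart-encrypt-disabled"
```

The gate covers this one efuse only; it says nothing about the rest of the flash encryption or secure boot configuration.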
Re: esptool write_flash with encrypt option
Angus,
Thanks for the response. Two questions:
1. It's not clear to me how to take advantage of the "less secure" options. Is there documentation on how I would use those to go beyond the 4 flash limit? What would the process look like?
2. Is there a time frame for ESP-IDF V4.0, or even a development version with the new encryption workflow?
Thanks again
Re: esptool write_flash with encrypt option
Unless you really want to dig into the semi-documented details, it's probably easiest to wait for the new "developing with flash encryption" process to be merged including the docs. This should happen in the next 10 days.
If you're already using flash encryption on an ESP32 with the 4 flash limit then that efuse configuration is unfortunately not compatible with the new method, so that ESP32 will continue to have the plaintext 4 flashes limit even after we release the new method.
We're currently developing ESP-IDF V4.0 on the master branch on GitHub. The flash encryption feature hasn't landed there yet, but it should land in the next 10 days. Early next month we expect to make a "release branch" for V4.0 (release/v4.0) and begin the beta testing process before finally making the release.
More details about how we do versioning can be found here: https://docs.espressif.com/projects/esp ... sions.html
Re: esptool write_flash with encrypt option
Angus,
I really appreciate your timely and well thought out responses. I will wait for the new process/documentation. FYI, all our production is done on Linux machines with scripts using esptool.py and espefuse.py. Unless there has been some change to the ESP32, I would assume that we should be able to accommodate whatever changes are needed for the new workflow.
I'm looking forward to seeing the new process.
Thanks again.
Re: esptool write_flash with encrypt option
Yes, that's correct. The other work is all in the ESP-IDF documentation, configuration and build system.
Thanks for being patient while we finalise this feature.
Re: esptool write_flash with encrypt option
Any updates on the mentioned documentation?
I am looking into this, as I think I can upload an encrypted FatFS, but my command
esptool.py --chip esp32 --port /dev/ttyUSB0 write_flash -z 0x170000 build/fatfs_image.img --encrypt
does not seem to work. I cannot mount the file system.