Enabling Flash Encryption after Secure Boot

[vjacobs]

Hi all,

I am using ESP-IDF v3.3rc on an ESP-WROOM-32.

I have succesfully enabled Secure Boot on my module and everything seems to run fine and all fuses seem to be in correct state. My bootloader was set to 'One-Time Flash' since I'm targeting a production environment. I now want to try to enable Flash Encyption by setting the correct fields in menuconfig but nothing happens. It is not stated directly as such in the docs that this isn't possible but I suppose the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?

I just want to double check here that there isn't another way to still enable Flash Encryption in my situation?

Thanks,
Vincent

[ESP_Angus]

Hi Vincent,

the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?

Unfortunately that's correct. Flash encryption is enabled by the bootloader during first boot, so you need to compile a bootloader with flash encryption enabled and then reflash it. But if the bootloader was already flashed in One-Time Flash mode, the ESP32 won't let you boot a different bootloader.

[vjacobs]

Hi Angus,

That's ok and thanks for the fast clarification!

Best,
Vincent

[urbanze]

Hi Vincent,

the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?

Unfortunately that's correct. Flash encryption is enabled by the bootloader during first boot, so you need to compile a bootloader with flash encryption enabled and then reflash it. But if the bootloader was already flashed in One-Time Flash mode, the ESP32 won't let you boot a different bootloader.

If it saves the key or just sets the eFuses, shouldn't it work the same way as enabling it in menuconfig?

[ESP_Angus]

If it saves the key or just sets the eFuses, shouldn't it work the same way as enabling it in menuconfig?

The bootloader also encrypts all the partitions in-place on first boot.

Technically it is probably possible to enable flash encryption fully manually: read out the existing bootloader and the secure boot digest from the flash, generate a flash encryption key and burn it to the ESP32, burn efuses to enable flash encryption, then flash encrypted versions of the existing bootloader, existing secure boot digest, partition table, and app on to the ESP32. (either by encrypting locally with espsecure.py and then flashing the encrypted versions, or by using the new "Development Mode" encrypt-when-flashing feature in ESP-IDF V4.0.)

It's much simpler to get a new ESP32, though, and much less chance of accidentally mis-configuring flash encryption.