Should otadata partition use 'encrypted' flag?

Post Reply
jcolebaker
Posts: 64
Joined: Thu Mar 18, 2021 12:23 am

Should otadata partition use 'encrypted' flag?

Postby jcolebaker » Thu Dec 01, 2022 9:41 pm

I've been working on adding secure boot and flash encryption to our device.

The flash encryption documentation doesn't mention whether the "otadata" partition should use the "encrypted" flag when flash encryption is in use.

E.g., here's my custom partition table:

Code: Select all

# ESP-IDF Partition Table
# Name,Type,SubType,Offset,Size,Flags
nvs,data,nvs,0xF000,28K,
otadata,data,ota,0x16000,8K,
phy_init,data,phy,0x18000,4K,
...etc
I'm using "encrypted" on our "app" partitions, and on some custom data partitions which will contain certificates. "nvs" partitions are encrypted with the separate NVS encryption system.

I think that "otadata" and "phy_init" don't need encryption (or the "encrypted" flag) since they don't contain any sensitive info.

Is this correct? Will OTA updates work OK if otadata is not marked as "encrypted", and is there any security vulnerability?
Top
ESP_Mahavir
Posts: 190
Joined: Wed Jan 24, 2018 6:51 am

Re: Should otadata partition use 'encrypted' flag?

Postby ESP_Mahavir » Fri Dec 02, 2022 4:56 am

Bootloader encrypts the `otadata` partition (and NVS keys partition if available) even if there is no explicit `encrypted` flag available for it.

Please see relevant code at: https://github.com/espressif/esp-idf/bl ... #L393-L404
Top
Post Reply

Return to “ESP-IDF”

Who is online

Users browsing this forum: danpf1 and 145 guests