Flash encryption and secure boot workflow

tomy983
Posts: 1
Joined: Sun Apr 21, 2024 1:19 pm

Flash encryption and secure boot workflow

Postby tomy983 » Sun Apr 21, 2024 3:20 pm

Hi, I need some help with correctly enabling the security features on the ESP32-S3.
I am using ESP-IDF v4.4.7 and VS Code on Win11.
I have tested my firmware and it can perform HTTPS OTA; it is now time to secure it.
The chosen encryption method is firmware encryption with ESP-generated keys: https://docs.espressif.com/projects/esp ... erated-key

I generate the secure boot key with espsecure.py generate_signing_key

This is my partition table, and the first question is:
Which partitions should I flag with the encrypted flag? (Asking because marking the nvs partition as encrypted causes crashes at boot.) Are the others OK as shown?


# ESP-IDF Partition Table
#offset in config: 0x9000
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,,16K,,
otadata,data,ota,,8K,encrypted,
phy_init,data,phy,,4K,encrypted,
ota_0,app,ota_0,,3M,encrypted,
ota_1,app,ota_1,,3M,encrypted,
nvs_key,data,nvs_keys,,0x1000,encrypted,
storage,data,spiffs,,0x100000,encrypted,,
Relevant VS Code SDK Configuration editor settings:


App signing scheme: RSA
Enable hardware Secure Boot in bootloader: YES
Secure boot version: V2
Sign binaries during build: YES
Enable aggressive key revoke strategy: NO
Allow potentially insecure options: YES
Enable flash encryption on boot: YES
Enable usage mode: Development (NOT SECURE)
Allow JTAG Debugging: NO
Allow app partition length not 64KB aligned: NO
Allow additional read protecting of efuses: NO
Leave unused digest slots available (not revoke): NO
Leave UART bootloader encryption enabled: YES
Leave UART bootloader flash cache enabled: YES
Require flash encryption to be already enabled: NO
Check Flash Encryption enabled on app startup: YES
UART ROM download mode: UART ROM download mode (Permanently switch to Secure mode (recommended))
After this I flash normally. Everything works as expected, and subsequent changes have to be flashed with (<PORT> stands for the serial port):
idf.py -p <PORT> encrypted-flash monitor
idf.py -p <PORT> partition-table-flash
idf.py -p <PORT> encrypted-bootloader-flash
esptool.py -p <PORT> erase_flash --force

Reading the flash content shows it is encrypted, my LED flashes and OTA is functional.

Now I would like to prepare the settings for production, for a single flash either with esptool, VS Code or, even better, flash_download_tool_3.9.6.

So I change the sdkconfig settings as follows:


App Signing Scheme: RSA
Enable hardware Secure Boot in bootloader: YES
Select secure boot version: Enable Secure Boot version 2
Sign binaries during build: YES
Secure boot private signing key: signKey/secure_boot_signing_key.pem
Enable Aggressive key revoke strategy: NO
Allow potentially insecure options: NO
Enable flash encryption on boot: NO
Size of generated AES-XTS key: AES-128 (256-bit key)
Enable usage mode: Release
Check Flash Encryption enabled on app startup: YES
UART ROM download mode: UART ROM download mode (Permanently disabled (recommended))
idf.py build

I've then set up the flash_download_tool with the generated bin files (bootloader, OTA data initial, partition table, app) and the addresses as suggested by the idf.py build output.
But my ESP is now bricked and the app does not start (it should flash an LED).

I would not mind using another tool instead (I have to flash many boards), even though I like the download tool idea, but I need to know how to flash with all the security features mentioned enabled without bricking devices...

Thank you
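As an added example (not code from the thread or from Espressif), a small Python linter that applies the flash-encryption partition rules from the ESP-IDF docs to the table posted above: app partitions are always encrypted, data partitions need the encrypted flag, and the nvs partition must not carry it because the NVS library does not support flash encryption (NVS encryption with an encrypted nvs_keys partition is used instead). The constants, rule texts and the embedded copy of the table are my own assumptions.

```python
# Added example (not from the thread): lint an ESP-IDF partition table CSV against
# the flash-encryption rules in the ESP-IDF docs: app partitions are always encrypted,
# data partitions need the "encrypted" flag, and an nvs partition must NOT carry it.
import csv

PT_OFFSET, PT_SIZE = 0x9000, 0x1000   # table offset from the sdkconfig; 4 KiB table
APP_ALIGN, DATA_ALIGN = 0x10000, 0x1000
OP_TABLE = """\
nvs,data,nvs,,16K,,
otadata,data,ota,,8K,encrypted,
phy_init,data,phy,,4K,encrypted,
ota_0,app,ota_0,,3M,encrypted,
ota_1,app,ota_1,,3M,encrypted,
nvs_key,data,nvs_keys,,0x1000,encrypted,
storage,data,spiffs,,0x100000,encrypted,,
"""  # the poster's table, embedded here as sample input

def parse_size(text):
    """'16K', '3M', '0x1000' -> bytes, as gen_esp32part.py reads them."""
    text = text.strip().upper()
    mult = {"K": 1024, "M": 1024 * 1024}.get(text[-1], 1)
    return int(text.rstrip("KM"), 0) * mult

def parse_table(text):
    """(name, type, subtype, offset, size, flags) tuples; blank offsets are auto-assigned."""
    parts, cursor = [], PT_OFFSET + PT_SIZE
    for row in csv.reader(text.splitlines()):
        f = [c.strip() for c in row] + [""] * 6          # pad missing fields
        if not f[0] or f[0].startswith("#"):
            continue                                      # blank or comment line
        name, ptype, subtype, off, size, flags = f[:6]
        align = APP_ALIGN if ptype == "app" else DATA_ALIGN   # same rule as gen_esp32part.py
        offset = int(off, 0) if off else -(-cursor // align) * align
        parts.append((name, ptype, subtype, offset, parse_size(size), flags.split(":")))
        cursor = offset + parse_size(size)
    return parts

def lint(text):
    """Return findings as strings; an empty list means the table follows the rules."""
    parts, findings = parse_table(text), []
    has_nvs_keys = any(p[2] == "nvs_keys" for p in parts)
    for name, ptype, subtype, _, _, flags in parts:
        enc = "encrypted" in flags
        if subtype == "nvs" and enc:
            findings.append(f"{name}: nvs must not be flagged encrypted (NVS library does not support it)")
        elif subtype == "nvs" and not has_nvs_keys:
            findings.append(f"{name}: NVS stays plaintext; add an encrypted nvs_keys partition")
        elif ptype == "data" and subtype != "nvs" and not enc:
            findings.append(f"{name}: data partition stays plaintext (no 'encrypted' flag)")
    return findings
```

Running lint(OP_TABLE) on the posted table returns no findings; flagging nvs as encrypted, or dropping the nvs_keys partition, each produces one.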

dzungpv
Posts: 17
Joined: Thu Mar 26, 2020 4:52 am

Re: Flash encryption and secure boot workflow

Postby dzungpv » Sun May 12, 2024 1:22 pm

Just follow the process and then try. I bricked many ESP32s before it worked, and even after it worked I sometimes still brick them.
You can try with the emulator for the ESP32 and ESP32-C3; it may differ for the ESP32-S3 but is nearly the same.
https://github.com/espressif/esp-toolch ... /README.md
https://github.com/espressif/qemu/releases
