esp32-s3 Flash Encryption for Production

[Jonathan2892]

Hello,

We are using the esp32-s3-wroom-1-n16r8 module in our products and are heading towards series production.
We are using the USB pins to program the module and get logs. We also want to use flash encryption and/or secure boot and I have some questions about the use of the usb-port and the security features.

1. In case that we have a bad OTA and break our devices we want to have a backdoor: We are generating the encryption keys and keep them safe at ours. So we are able to encrypt the firmware and use the usp-port to flash the firmware in case we can not do any OTAs anymore and have to call back all the devices from our customers. But I fear, that this is not possible with the usb-port right? If I understood correctly than with flash encryption and/or secure boot the usb-port can not longer be used to communicate with the esp32-s3. Is that correct? And would that even work, if we use the standard uart-port?

2. In the production process there will be some kind of initialisation and tests done by our third-party manufacturer. For that we want that the results of these tests are logged via the usb-port. With flash encryption and/or secure boot enabled is this still possible? Would that be possible with the standard uart-port?

3. Is it at all possible to get logs(plaintext) via the usb- or uart-port when encryption is enabled?

Best,
Jonathan

[liaifat85]

With flash encryption and secure boot enabled, the USB port can indeed be restricted for communication purposes, as it's often used for firmware updates and debugging. However, this restriction typically applies to unauthorized access during runtime.You can still use the USB port for firmware updates if you have the encryption keys and a method to decrypt the firmware before flashing it onto the device. If you're concerned about potentially losing USB port access due to security features, consider implementing a secondary communication method, such as UART, for emergency scenarios.

[Jonathan2892]

Thanks for your answer.
Unfortunately we can not implement a secondary communication part. We are using the USB port, but with the UART protocol.

In the docs it is said, that:

Please note that enabling Secure Boot or flash encryption disables the USB-OTG USB stack in the ROM, disallowing updates via the serial emulation or Device Firmware Update (DFU) on that port.

We will have the encryption keys, so to build the encrpyted firmware will not be a problem. I am only concerned, that this is not even possible anymore, after we activated the encryption.

Doesn't this mean, that after encryption we can not use the usb-port anymore to flash our devices and also get logs from it via the usb-uart interface?

Best
Jonathan

[ESP_Sprite]

Note that the ESP32-S3 has two USB devices: the USB-OTG peripheral and the (more limited) USB-serial-JTAG peripheral. By default, the bootloader uses the second of the two, and that is more-or-less seen as a serial port: you should be able to get debug logging out and reflash the chip using that in the same fashion as the UART port.