Flashing encrypted firmware for the first time after pregenerated key burned

Humam Helfawi
Posts: 19
Joined: Tue May 29, 2018 10:24 pm

Flashing encrypted firmware for the first time after pregenerated key burned

Postby Humam Helfawi » Wed Apr 03, 2019 6:39 pm

Hi,
I am using pregenerated key without secure boot. I managed to do everything correctly as it was explained in the tutorial.

Now, I want to create a script to flash the whole firmware(including bootloader and everything). I managed to do so except small problem:

After burning the pregenerated key file, ESP32 wait to flash a plaintext bootloader and firmware so the bootloader will encrypt everything. In my case, I have already flashed encrypted firmware and bootlaoder and I do not want the boot loader to encrypt anything. I want everything to start working directly

How can I achieve this?

Thank you very muhc!

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flashing encrypted firmware for the first time after pregenerated key burned

Postby ESP_Angus » Wed Apr 03, 2019 11:01 pm

Humam Helfawi wrote:
Wed Apr 03, 2019 6:39 pm
In my case, I have already flashed encrypted firmware and bootlaoder and I do not want the boot loader to encrypt anything. I want everything to start working directly
It is strongly recommended to use the supported workflow where the initial encryption happens on first boot. Doing it that way, there are less ways to accidentally leave the system unprotected.

However, you can do an initial encrypted flash by running two additional commands on the host:

Code: Select all

espefuse.py burn_efuse FLASH_CRYPT_CONFIG 0xF
espefuse.py burn_efuse FLASH_CRYPT_CNT 1
The second command will increment FLASH_CRYPT_CNT from 0 to 1 which enables flash encryption.

If this is for a secure device, you also need to burn a number of other efuses or the security will be compromised: DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT, DISABLE_DL_CACHE, DISABLE_JTAG,
CONSOLE_DEBUG_DISABLE .

You can burn all of these additional efuses using "espefuse.py burn_efuse EFUSE", or you can do it from inside your firmware on first boot. Normally the bootloader does this during the initial encryption on first boot, which is why we recommend booting a plaintext firmware the first time around.

If using flash encryption without secure boot in production, please also read this section of the docs:
https://docs.espressif.com/projects/esp ... ecure-boot

Humam Helfawi
Posts: 19
Joined: Tue May 29, 2018 10:24 pm

Re: Flashing encrypted firmware for the first time after pregenerated key burned

Postby Humam Helfawi » Thu Apr 04, 2019 3:13 am

Thank you very much! Your reply is very helpful

Who is online

Users browsing this forum: No registered users and 95 guests