Enabling Flash Encryption after Secure Boot

Posted: Thu Aug 22, 2019 7:12 am
by vjacobs
Hi all,

I am using ESP-IDF v3.3rc on an ESP-WROOM-32.

I have successfully enabled Secure Boot on my module and everything seems to run fine and all fuses seem to be in correct state. My bootloader was set to 'One-Time Flash' since I'm targeting a production environment. I now want to try to enable Flash Encryption by setting the correct fields in menuconfig but nothing happens. It is not stated directly as such in the docs that this isn't possible but I suppose the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?

I just want to double check here that there isn't another way to still enable Flash Encryption in my situation?

Thanks,
Vincent

Re: Enabling Flash Encryption after Secure Boot

Posted: Thu Aug 22, 2019 7:36 am
by ESP_Angus
Hi Vincent,
vjacobs wrote:
Thu Aug 22, 2019 7:12 am
the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?
Unfortunately that's correct. Flash encryption is enabled by the bootloader during first boot, so you need to compile a bootloader with flash encryption enabled and then reflash it. But if the bootloader was already flashed in One-Time Flash mode, the ESP32 won't let you boot a different bootloader.

Re: Enabling Flash Encryption after Secure Boot

Posted: Thu Aug 22, 2019 7:51 am
by vjacobs
Hi Angus,

That's ok and thanks for the fast clarification!

Best,
Vincent

Re: Enabling Flash Encryption after Secure Boot

Posted: Thu Aug 22, 2019 11:33 am
by urbanze
ESP_Angus wrote:
Thu Aug 22, 2019 7:36 am
Hi Vincent,
vjacobs wrote:
Thu Aug 22, 2019 7:12 am
the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?
Unfortunately that's correct. Flash encryption is enabled by the bootloader during first boot, so you need to compile a bootloader with flash encryption enabled and then reflash it. But if the bootloader was already flashed in One-Time Flash mode, the ESP32 won't let you boot a different bootloader.
If it saves the key or just sets the eFuses, shouldn't it work the same way as enabling it in menuconfig?

Re: Enabling Flash Encryption after Secure Boot

Posted: Fri Aug 23, 2019 1:30 am
by ESP_Angus
urbanze wrote:
Thu Aug 22, 2019 11:33 am
If it saves the key or just sets the eFuses, shouldn't it work the same way as enabling it in menuconfig?
The bootloader also encrypts all the partitions in-place on first boot.

Technically it is probably possible to enable flash encryption fully manually: read out the existing bootloader and the secure boot digest from the flash, generate a flash encryption key and burn it to the ESP32, burn efuses to enable flash encryption, then flash encrypted versions of the existing bootloader, existing secure boot digest, partition table, and app on to the ESP32. (either by encrypting locally with espsecure.py and then flashing the encrypted versions, or by using the new "Development Mode" encrypt-when-flashing feature in ESP-IDF V4.0.)

It's much simpler to get a new ESP32, though, and much less chance of accidentally mis-configuring flash encryption.
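The manual procedure Angus outlines above, written out as a script. This is an added example and not code from the thread or from ESP-IDF: the tool names and subcommands (esptool.py read_flash/write_flash, espsecure.py generate_flash_encryption_key/encrypt_flash_data, espefuse.py burn_key/burn_efuse) are the ones ESP-IDF ships, but the serial port, the file names, the flash offsets (digest sector at 0x0, bootloader at 0x1000, partition table at 0x8000, app at 0x10000) and the exact FLASH_CRYPT_CNT argument form are assumptions to check against your own partition table and esptool version. Because every eFuse burn is irreversible, the script only prints its plan unless invoked with --burn, and it deliberately burns FLASH_CRYPT_CNT last, after the encrypted images are already in flash, so that an interrupted run leaves a device that still boots.

```shell
#!/bin/sh
# Added example (not from the thread or ESP-IDF): enable flash encryption by
# hand on an ESP32 that already runs a One-Time-Flash secure boot bootloader.
# PORT, file names, offsets and the FLASH_CRYPT_CNT syntax are assumptions.
set -eu

PORT="${PORT:-/dev/ttyUSB0}"              # assumption: serial port of the module
KEY="${KEY:-flash_encryption_key.bin}"    # generated on the host, never leaves it
APP="${APP:-build/app.bin}"               # assumption: the signed app already on the chip
PTABLE="${PTABLE:-build/partitions.bin}"  # assumption: matching partition table image
APP_OFFSET="${APP_OFFSET:-0x10000}"       # assumption: default app partition offset
MODE=plan

# Every device-touching command goes through run(): printed in plan mode,
# executed only in --burn mode, because eFuse burns cannot be undone.
run() {
  if [ "$MODE" = "--burn" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Read back exactly what the ROM already trusts: the secure boot digest
#    sector at 0x0 and the One-Time-Flash bootloader at 0x1000. Re-flashing
#    these same bytes (encrypted) keeps the ROM's digest check passing.
read_back_trusted_images() {
  run esptool.py --port "$PORT" read_flash 0x0 0x1000 digest.bin
  run esptool.py --port "$PORT" read_flash 0x1000 0x7000 bootloader.bin
}

# 2. Generate a fresh 256-bit key on the host; refuse to continue if it is
#    not exactly 32 bytes, before anything irreversible happens.
generate_key() {
  run espsecure.py generate_flash_encryption_key "$KEY"
  if [ "$MODE" = "--burn" ] && [ "$(wc -c < "$KEY")" -ne 32 ]; then
    echo "key file is not 32 bytes, aborting before any eFuse is burned" >&2
    exit 1
  fi
}

# 3. Encrypt each image on the host for the offset it will occupy. The ESP32
#    tweaks the key with the flash address, so an image encrypted for 0x1000
#    is garbage at any other offset; --flash_crypt_conf must equal the
#    FLASH_CRYPT_CONFIG value burned in step 4.
encrypt_for_offset() {  # encrypt_for_offset <offset> <plain> <encrypted>
  run espsecure.py encrypt_flash_data --keyfile "$KEY" --flash_crypt_conf 0xF \
      --address "$1" --output "$3" "$2"
}
encrypt_all_images() {
  encrypt_for_offset 0x0           digest.bin     digest.enc
  encrypt_for_offset 0x1000        bootloader.bin bootloader.enc
  encrypt_for_offset 0x8000        "$PTABLE"      partitions.enc
  encrypt_for_offset "$APP_OFFSET" "$APP"         app.enc
}

# 4. Burn the key (burn_key read- and write-protects the key block by
#    default) and the key-tweak config. Not FLASH_CRYPT_CNT yet: the chip
#    must keep booting plaintext until the encrypted images are in place.
burn_key_and_config() {
  run espefuse.py --port "$PORT" burn_key flash_encryption "$KEY"
  run espefuse.py --port "$PORT" burn_efuse FLASH_CRYPT_CONFIG 0xF
}

# 5. Write the pre-encrypted images. A plain write_flash is correct here:
#    the bytes are already ciphertext and the UART loader stores them as-is.
write_encrypted_images() {
  run esptool.py --port "$PORT" write_flash \
      0x0 digest.enc 0x1000 bootloader.enc 0x8000 partitions.enc \
      "$APP_OFFSET" app.enc
}

# 6. Only now turn decryption on. (espefuse from esptool v2.x burns the next
#    FLASH_CRYPT_CNT bit when given no value; newer espefuse wants an explicit
#    value, so check "espefuse.py burn_efuse --help".) Then close the UART
#    loader paths that would let someone use the ROM's AES to read or write
#    plaintext flash, which is what release mode means.
enable_encryption_release_mode() {
  run espefuse.py --port "$PORT" burn_efuse FLASH_CRYPT_CNT
  run espefuse.py --port "$PORT" burn_efuse DISABLE_DL_ENCRYPT
  run espefuse.py --port "$PORT" burn_efuse DISABLE_DL_DECRYPT
  run espefuse.py --port "$PORT" burn_efuse DISABLE_DL_CACHE
}

main() {
  MODE="${1:-plan}"
  read_back_trusted_images
  generate_key
  encrypt_all_images
  burn_key_and_config
  write_encrypted_images
  enable_encryption_release_mode
}

main "${1:-plan}"
```

Run it once with no arguments and read the printed plan against your partition table before running it with --burn; after the device reboots, `espefuse.py --port PORT summary` should show FLASH_CRYPT_CNT with an odd bit count and the flash_encryption key block read-protected, and the app should boot from the encrypted images without any change to the One-Time-Flash bootloader bytes.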