ESP32 Forum

In Pre-generated key Flash encryption I have few queries below : request help in understanding the same :
At broad level following are the steps I need to follow : Please correct me If I am wrong

1. Pre -generate Key using the script at esptool folder espsecure.py
2. Burning Flash encryption key

Can I flash the key through ESP32 download Tool or I need to do it only through Commandprompt
Where should I select "my_flash_encryption_key.bin" in ESP32 Download tool ?
should I select it at DeviceMasterKeyfolder path ?

Can I generate the key second time and flash it again , using same command prompt or download tool ? Can the key be overwritten ?

First flash plain text :
1. make menuconfig - > enable flash encryption - > make
2. app.bin, bootloader.bin and partition table.bin
3. make flash or flash through download tool
boot loader would encrypt all the partitons with pre burned key
Reflashing : Generate Encrypted app-bin using the my_flash_encryption_key.bin and flash through download tool
As per the document I see if Flags in partition table is set to "encrypt" , that will be encrypted. Is there a similar flag to disable an app partition from flash encryption?
Are my steps correct ?

Further to my above study , Flash encryption with Pre-generated Keys

I was able to flash with key generated and see flash encryption enabled. I had used the command
espefuse.py --port PORT burn_key --no-protect-key --force-write-always flash_encryption my_flash_encryption_key.bin

since --no-protect-key was used , read/write of it was enabled
--force-write-always was also defined.

Now I wanted to know what the difference between these 2 ?

Then I used like below --force-write-always , can I use different Keys ? ( as mentioned : new Key = OR of old and new ) ?
espefuse.py --port PORT burn_key --force-write-always flash_encryption my_flash_encryption_key.bin

I now strangely see my block 1 is all set to 0
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-

What could be the reason for this ? when --force-write-always is used , doesnt it mean a valid non zero key must be generated.
Am not unable to change this BLK1 key... Any ways to update this BLK1 with a valid non zero key.
Request expert help in this regard

thanks
abhiram

Hi Abhiram,

Abhiram wrote: Can I flash the key through ESP32 download Tool or I need to do it only through Commandprompt
Where should I select "my_flash_encryption_key.bin" in ESP32 Download tool ?
should I select it at DeviceMasterKeyfolder path ?

At the moment burning the key to efuse is only possible from the command prompt. The "DeviceMasterKey" feature of the GUI Download Tool is different, it relates to writing keys to the flash of multiple devices (one key file per device). Whereas flash encryption keys are written to an internal efuse field of the chip itself.

Abhiram wrote: Can I generate the key second time and flash it again , using same command prompt or download tool ? Can the key be overwritten ?

In general, no: the flash encryption key is written to efuse which is one-time-programmable. In normal use once the key block is written it is read & write protected which prevents any further modification.

Technically, it is possible to make some changes: efuse bits can be burned 0->1 but never the other way. Doing this to the key blocks requires keeping their write protection efuse disabled. This will compromise security.

Abhiram wrote: First flash plain text :
1. make menuconfig - > enable flash encryption - > make
2. app.bin, bootloader.bin and partition table.bin
3. make flash or flash through download tool
boot loader would encrypt all the partitons with pre burned key

Correct. (For anyone who finds this post later, this is the reference documentation: http://esp-idf.readthedocs.io/en/latest ... ption.html )

Reflashing : Generate Encrypted app-bin using the my_flash_encryption_key.bin and flash through download tool

Also correct.

As per the document I see if Flags in partition table is set to "encrypt" , that will be encrypted. Is there a similar flag to disable an app partition from flash encryption?

No, such a flag would not be usable. Once flash encryption is enabled, only encrypted data can be read via the "flash cache" MMU. This means that only encrypted apps can be run by the chip. The only partitions which can (optionally) remain unencrypted are data partitions which are read via partition_read/spi_flash_read APIs.

I don't know if you're concerned about this, but app partitions are prevented from "double encryption" because the bootloader only encrypts-in-place app partitions that contain valid apps. If encryption is disabled and the app partition is already encrypted, it will be seen as invalid and therefore left alone.

Abhiram wrote:espefuse.py --port PORT burn_key --no-protect-key --force-write-always flash_encryption my_flash_encryption_key.bin

since --no-protect-key was used , read/write of it was enabled
--force-write-always was also defined.

Now I wanted to know what the difference between these 2 ?

Please see the description of these options here:
https://github.com/espressif/esptool/wi ... ning-a-key

Then I used like below --force-write-always , can I use different Keys ? ( as mentioned : new Key = OR of old and new ) ?

Yes, if you kept the flash encryption write unprotected then you can use --force-write-always to set more bits to 1 (ie OR the old and the new key). This isn't something we support or encourage, but it's possible.

espefuse.py --port PORT burn_key --force-write-always flash_encryption my_flash_encryption_key.bin

I now strangely see my block 1 is all set to 0
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-

What could be the reason for this ?

The "-/-" at the end is the read/write indicator. "R/W" means efuse is read & writable, "-/-" means it is read and write protected.

Because it's read protected, it reads as all zeroes to software (including espeefuse.py).

Probably we should change this output to make it more intuitive.

The reason it became read/write protected is that this time you didn't pass "--no-protect-key", so the new key was written and then the read & write protection bits were set. The (protected) key value will be set to the OR of the old and new keys you had written.

when --force-write-always is used , doesnt it mean a valid non zero key must be generated.

This option just prevents espefuse.py from failing if it sees some values already written in that field (as normally this would indicate an error).

Am not unable to change this BLK1 key... Any ways to update this BLK1 with a valid non zero key.

No, the key is now permanently read & write protected.

Thanks a lot ESP_Angus.
It became much clearer to me with your detailed explanation.

Best Regards
Abhiram