Encrypting device specific data

chriselef
Posts: 15
Joined: Wed Jun 13, 2018 11:47 am

Encrypting device specific data

Postby chriselef » Mon Jul 23, 2018 2:12 pm

hello,

I need to load multiple esp32 devices with different data like certificates, configuration files etc. and encrypt them.

In a previous attempt I tried to use spiffs. That went pretty much as expected: easy build and flash on each esp32.

When I enabled the encryption the spiffs partition didn't get encrypted because that is the way flash encryption works.
I need to have the same firmware but different configuration data, and all of it to be encrypted.
Embedding the configuration data (certs and files) in firmware is an option but this will add delay in production line because of the different build for each esp32.


Has someone else encountered such a problem ?

Thanks,
Chris..

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Encrypting device specific data

Postby WiFive » Mon Jul 23, 2018 4:03 pm


ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Encrypting device specific data

Postby ESP_Angus » Mon Jul 23, 2018 11:49 pm

Hi Chris,

The approach WiFive links to is the easiest approach if you want a dedicated filesystem with this data. Create a read-only fatfs image, and mark this partition as encrypted in the partition table and the filesystem will be encrypted during first boot, and you can open it and read back data.

If you only have a small amount of files which are the same for each device, you can also embed the files directly in the app (which is entirely encrypted):
https://docs.espressif.com/projects/esp ... inary-data

Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.

chriselef
Posts: 15
Joined: Wed Jun 13, 2018 11:47 am

Re: Encrypting device specific data

Postby chriselef » Wed Jul 25, 2018 3:57 pm

Thank you both for the information

I tried the wear levelling example just to check that I could mount and work with the FAT partition I added in partitions.csv:

Code: Select all

nvs,data,nvs,0x9000,16K,
otadata,data,ota,0xd000,8K,
phy_init,data,phy,0xf000,4K,
factory,app,factory,0x10000,1M,
ota_0,app,ota_0,0x110000,1M,
ota_1,app,ota_1,0x210000,1M,
storage,data,spiffs,0x310000,256K
storage_1,data,fat,0x350000,540K

It mounted, wrote data and read it back as expected.

Then I tried to create an empty fat image on my linux box using:

Code: Select all

dd if=/dev/zero of=540kb.img bs=4096 count=135
mkfs.vfat 540kb.img

and flashed this with:

Code: Select all

python /data/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 2000000 --before default_reset --after no_reset write_flash --flash_size detect 0x350000 /home/cte/540kb.img

The code that tries to mount is:

Code: Select all

    ESP_LOGI(TAG, "Mounting FAT filesystem");
    // To mount the device we need the name of the device partition, define base_path
    // and allow formatting the partition in case it is new and was not formatted before
    const esp_vfs_fat_mount_config_t mount_config = {
            .max_files = 4,
            .format_if_mount_failed = true,
            .allocation_unit_size = CONFIG_WL_SECTOR_SIZE
    };

    esp_err_t err = esp_vfs_fat_rawflash_mount(base_path, "storage_1", &mount_config); // try to mount read only

    if (err != ESP_OK) {
        ESP_LOGE(TAG, "Failed to mount FATFS (%s)", esp_err_to_name(err));
        return err;
    }

What I get is:

(135) vfs_fat_spiflash: f_mount failed (13)

I tried also to create the fat image using :
./mkfatfs -c ~/image_data -s 552960 540kb.img

I got the same error
(135) vfs_fat_spiflash: f_mount failed (13)

I believe that creating and flashing the image from the host computer is somehow fishy ...

I am using 86148a740b12b commit of the idf...

Any help will be greatly appreciated..

Thanks
Chris

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Encrypting device specific data

Postby ESP_Angus » Wed Jul 25, 2018 11:30 pm

Hi Chris,

There are two options for FAT filesystems in ESP-IDF right now:

- Wear levelling FATFS. This adds a "wear levelling" layer between the fatfs sector-based data and the flash itself, to avoid the FAT sectors wearing out the flash prematurely. For this reason you can't flash a "plain" FAT image and then mount it. A tool for generating wear levelling images on the host is planned but not released, at the moment you have the wear levelling FATFS from inside ESP-IDF itself.

- Read-only "raw" FATFS. This uses a different API to mount the FATFS directly, but it can't be written to. A different API is used to mount. See here: https://docs.espressif.com/projects/esp ... -only-mode

If you use the "raw" API to mount the partition, you should be able to generate it on the host as a FATFS disk image and flash it.
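
A host-side pre-flash check for the workflow described above, as an added example that is not part of the original post or of ESP-IDF: it parses the FAT boot sector of a generated image and compares it with the `storage_1` row from the thread's partitions.csv. The 4096-byte sector expectation, the function names and the constructed boot sectors are assumptions of this example.

```python
import struct

# Row from the partitions.csv in the thread; the image is flashed at its offset.
PARTITION_ROW = "storage_1,data,fat,0x350000,540K"
# Assumption of this example: the raw mount works in 4096-byte flash sectors.
EXPECTED_SECTOR = 4096

def parse_size(text):
    """Convert a partitions.csv size ('540K', '1M', '0x1000') to bytes."""
    text = text.strip()
    mult = {"K": 1024, "M": 1024 * 1024}.get(text[-1:].upper(), 1)
    return int(text[:-1] if mult > 1 else text, 0) * mult

def parse_bpb(image):
    """Read the BIOS Parameter Block fields of a FAT boot sector."""
    if len(image) < 512:
        raise ValueError("image is shorter than one boot sector")
    bps, _spc, _rsvd, fats = struct.unpack_from("<HBHB", image, 11)
    total16, = struct.unpack_from("<H", image, 19)
    total32, = struct.unpack_from("<I", image, 32)
    return {"bytes_per_sector": bps, "fats": fats,
            "total_sectors": total16 or total32,
            "signature_ok": image[510:512] == b"\x55\xaa"}

def check_image(image, row=PARTITION_ROW, sector=EXPECTED_SECTOR):
    """Return the reasons this image would not mount from the partition."""
    size = parse_size(row.split(",")[4])
    bpb = parse_bpb(image)
    problems = []
    if not bpb["signature_ok"]:
        problems.append("missing 0x55AA boot signature")
    if bpb["bytes_per_sector"] != sector:
        problems.append("bytes per sector is %d, expected %d"
                        % (bpb["bytes_per_sector"], sector))
    volume = bpb["bytes_per_sector"] * bpb["total_sectors"]
    if max(volume, len(image)) > size:
        problems.append("image needs %d bytes, partition has %d"
                        % (max(volume, len(image)), size))
    return problems

def make_boot_sector(bytes_per_sector, total_sectors):
    """Constructed sample input: only the fields checked above are filled in."""
    bs = bytearray(512)
    struct.pack_into("<HBHB", bs, 11, bytes_per_sector, 1, 1, 2)
    struct.pack_into("<H", bs, 19, total_sectors)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

if __name__ == "__main__":
    for bps, count in ((512, 1080), (4096, 135)):
        img = make_boot_sector(bps, count).ljust(bps * count, b"\0")
        print(bps, check_image(img) or "ok")
```

To check a real image, pass the bytes of the file to `check_image` before running the `write_flash` step.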

p-rimes
Posts: 89
Joined: Thu Jun 08, 2017 6:20 pm

Re: Encrypting device specific data

Postby p-rimes » Tue Aug 28, 2018 6:14 pm

I would love to get access to such a tool (to generate FATFS/WL images on the host.)

Previously I had used this project with great success:
https://github.com/jkearins/ESP32_mkfatfs

But I believe something has changed recently in esp-idf w.r.t. WL (a new version V2?), and the V1 -> V2 upgrade process (when using these generated images) is not working for me upon reboot.

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Encrypting device specific data

Postby WiFive » Tue Aug 28, 2018 11:19 pm


jas39_
Posts: 21
Joined: Mon Aug 29, 2016 8:26 pm

Re: Encrypting device specific data

Postby jas39_ » Mon Sep 03, 2018 10:34 pm

@ESP_Angus:
Any update on when we can expect the r/w fatfs and NVS encryption to be available?
Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Encrypting device specific data

Postby ESP_Angus » Tue Sep 04, 2018 4:11 am

jas39_ wrote:
@ESP_Angus:
Any update on when we can expect the r/w fatfs and NVS encryption to be available?
Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.

Sorry, I forgot to update the forum.

The current master branch should work with encrypted read/write fatfs (over wear levelling layer). This support will be in ESP-IDF V3.2 release.

NVS Encryption support has been developed and is currently in review. It is also planned for the V3.2 release.

p-rimes
Posts: 89
Joined: Thu Jun 08, 2017 6:20 pm

Re: Encrypting device specific data

Postby p-rimes » Wed Sep 12, 2018 4:22 pm

@WiFive last commit on this was in 2017 -- have you used it without issues on the latest esp-idf master? I'll use a different third-party tool like this if it works for now!
