host generated key if using idf.py encrypted-app-flash / encrypted-flash ?

julcol
Posts: 10
Joined: Tue Oct 29, 2024 1:23 am

Postby julcol » Sun Nov 17, 2024 12:47 pm

Hello,

I would like to understand where my host-generated key needs to be stored so the process of reflashing (whether dev/release mode) uses my encryption key. It does not seem I can add it as a parameter, or if there is a default place/name.


My goal is actually to have a bunch of encrypted/signed firmwares hanging in enterprise GitHub.

Allow anybody to flash any device, in as far as signing and matching flash key encryption.

I want to leave the device in a state that firmware can be uploaded and downloaded.

However, in both cases it is encrypted and only possible to decrypt with host key.

Can somebody help with the correct setup of fuses and project config?

Frankly, I have a number of ESP32-S3 devices unusable on my desk and I am running out of them with tests.

Any help appreciated.

Thanks.

JC

[solved] Re: host generated key if using idf.py encrypted-app-flash / encrypted-flash ?

Postby julcol » Tue Nov 19, 2024 9:28 pm

As I understand it and made it work,

with IDF 5.1.2 you can set up the secure boot signature file in menuconfig, but not the encryption key.

Hence, I manually encrypt the bootloader, partition and firmware (MicroPython in my case), then I sign the bootloader and firmware, and eventually I upload everything into the device.

It works as expected.

JC
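
The manual workflow from the reply above as a dry-run shell sketch; this is an added example, not the poster's script. Key file names, `build/` paths and flash offsets are assumptions, `flash_key.bin` is assumed to hold the same key already burned into the device, and each image is signed before it is encrypted so the signature block ends up inside the ciphertext.

```shell
#!/bin/sh
# Added example, dry-run by default: prints each command; DRY_RUN=0 executes them.
# Assumed (not from the thread): key file names, build/ paths, flash offsets.
FLASH_KEY=${FLASH_KEY:-flash_key.bin}      # host-generated flash encryption key
SIGN_KEY=${SIGN_KEY:-sb_signing_key.pem}   # Secure Boot V2 signing key
OUT=${OUT:-out}

run() {                                    # echo the command; execute only if DRY_RUN=0
    echo "$*"
    [ "${DRY_RUN:-1}" = "1" ] || "$@"
}

sign_image() {                             # $1 = plaintext input, $2 = signed output
    run espsecure.py sign_data --version 2 --keyfile "$SIGN_KEY" --output "$2" "$1"
}

encrypt_image() {                          # $1 = flash offset, $2 = input, $3 = output
    # The flash offset feeds the XTS tweak, so it must equal the write address.
    run espsecure.py encrypt_flash_data --aes_xts --keyfile "$FLASH_KEY" \
        --address "$1" --output "$3" "$2"
}

process() {                                # $1 offset, $2 name, $3 input, $4 sign? yes|no
    src=$3
    if [ "$4" = "yes" ]; then
        sign_image "$src" "$OUT/$2-signed.bin"
        src="$OUT/$2-signed.bin"
    fi
    encrypt_image "$1" "$src" "$OUT/$2-enc.bin"
    FLASH_ARGS="$FLASH_ARGS $1 $OUT/$2-enc.bin"
}

build_images() {
    FLASH_ARGS=""
    run mkdir -p "$OUT"
    process 0x0     bootloader      build/bootloader/bootloader.bin           yes
    process 0x8000  partition-table build/partition_table/partition-table.bin no
    process 0x10000 firmware        build/micropython.bin                     yes
    # The images are already ciphertext, so they are written to flash as-is.
    run esptool.py --chip esp32s3 write_flash $FLASH_ARGS
}

build_images
```

A key file for this flow can be created on the host with `espsecure.py generate_flash_encryption_key flash_key.bin`; replace the offsets with the ones from your own partition layout.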
