ESP32S2 secure boot and flash encryption using menuconfig

[Asvn Rohit]

Hello,

I am trying to get the flash encryption and secure boot working on esp32s2. I have few doubts regarding.

I individually tested secure boot and flash encryption. It was working. I would like to test enabling both. Before I do that I have few questions to ask based on the individual testing

Question on secure boot:-

I generated three keys and burned them using espefuse.py. I could manually sign the bootloader with three keys and app with one key and flashed it into the esp32s2 chip and it worked. I had to use esptool.py file to write the bootloader, app and other information into the chip.

When I use the idf.py menuconfig it is accepting only one key. In the documentation of esp32s2 secure boot https://docs.espressif.com/projects/esp ... ot-v2.html under the section How To Enable Secure Boot V2 point number 3 it has mentioned to specify the number of keys, but in the menuconfig there is no provision for it. Am I missing something?

If I provide 1 pem file directly to the menuconfig it accepts and signs the bootloader but if I provide three keys (along with path) instead with space in between them it throws an file not found error during the building process. Is there a way to provide three keys in the menuconfig without getting error?

Questions on flash encryption:-

I could able to achieve flash encryption using menuconfig. Is there a way to manually perform flash encryption? Is it sufficient to write the keys into respective blocks; burn and write protect the DIS_DOWNLOAD_MANUAL_ENCRYPT and SPI_BOOT_CRYPT_CNT key? Or is there any other extra setting which has to be done for manual flash encryption?

The reason for manual flash encryption is because I want to pre-encrypt the firmware which is being transferred over OTA, so I would like to generate the flash encryption key seperately.

Questions on bootloader size
Till now I haven't merged secure boot with flash encryption so the partition offset at 0x8000 was not an issue, now that I am trying to enable both the document mentions to increase the partition offset, enable bootloader optimization on size and change log verbosity to warning. Since it is in testing phase I don't want to touch the verbosity but can do set the optimization and partition.
I am currently using the default factory app and two OTA partition table. If I change the partition offset do I have to change this to custom partition table?

I'm using esp-idf 4.2.1

[Asvn Rohit]

Got it working. The partition table had to be changed from two OTA partitions to a custom partition. Increased the offset because of the bootloader. Because of the custom partition, I didn't have to change the boot verbosity. Hope this helps someone.

One issue faced is that, while performing OTA the encrypted app must be uploaded. To encrypt one should use the espsecure.py encrypt_flash_data. I used a 512bit key. This is generated as two separate keys. espsecure.py encrypt_flash_data accepts only one key. Tried merging the two separate key into one still, it didn't work. It displayed a length 64bytes error. So, I had to switch back to a 256bit key and perform the flash. If someone knows a way around this. Please let me know.

Thanks.

[AlSantana]

Hello, glad you made it!! I'm still fighting with this. Can you provide details or step by step instructions on how you accomplished OTA with encrypted firmware? Perhaps a tutorial or any other resource pointing me to the right direction? What OTA library are you using? Thank you very much in advance. I know this could be time consuming so it's ok if you can't help right now. At least now I know it is possible, so I'll keep fighting