Flash encryption with micropython and reflashing

MauroDiam
Posts: 2
Joined: Thu Oct 12, 2023 11:05 pm

Flash encryption with micropython and reflashing

Postby MauroDiam » Thu Oct 12, 2023 11:22 pm

Hi, I'm using flash encryption in a ESP32 board and with micropython project, which is based in ESP-IDF. I'm manually setting the following efuses in the board using espsecure.py:
FLASH_CRYPT_CONFIG 0xF
FLASH_CRYPT_CNT 0X1
DISABLE_DL_ENCRYPT 1
DISABLE_DL_DECRYPT 1
DISABLE_DL_CACHE 1
JTAG_DISABLE 1
And then I build the micropython firmware with my scripts as frozen codes and encrypt it with a pregenerated key using espsecure.py. After that, I write the encrypted firmware in the ESP32 using esptool.py.
I'm not using the reflashing option (see here) of the Flash encryption Development mode, bacause the efuse FLASH_CRYPT_CNT has just 7 bits so the board could be reflashed just 4 times, is it correct?
But I have realized that the micropython firmware has many partitions apart from app partition (factory): nvs, phy-init, and vfs. The way I'm using encrypt all of these partition, but the Flash encryption docs state that only bootloader, partition table, NVS Key Partition, Otadata, “app” type partitions (factory) and partitions marked with encrypted flag should be encrypted. So, nvs, phy-init, and vfs partitions shouldn't be encrypted, and even nvs partition doesn't support encrypted flag. Could this cause some troubles? Could it affect Wifi taking into account the calibration data is stored in the nvs partition?
With this configuration, could someone still stole and decrypt the firmware?

ESP_flying_raijin
Posts: 25
Joined: Tue Aug 13, 2019 2:03 pm

Re: Flash encryption with micropython and reflashing

Postby ESP_flying_raijin » Mon Oct 16, 2023 9:16 am

Hi MauroDiam,
I'm not using the reflashing option (see here) of the Flash encryption Development mode, bacause the efuse FLASH_CRYPT_CNT has just 7 bits so the board could be reflashed just 4 times, is it correct?
Please note that the 7 bits are not related to the flashing.
Those 7 bits indicate the number of times we can disable the Flash Encryption feature on the device and again enable it.

For e.g.,
You have enabled the development mode. That would consume 1 bit out of these 7 bits.
Now you can flash unlimited number of times ( limited by the durability of your flash). The firmware flashed in this case must of Flash encryption feature enabled.

Now you want to disable the flash encryption feature. Then you would again consume 1 bit out of the above 7 bits.
Again you can flash any number of times. This time the firmware should not have flash encryption enabled as it is not enabled on the device.

This process can be repeated till the 7 bits are consumed.
But I have realized that the micropython firmware has many partitions apart from app partition (factory): nvs, phy-init, and vfs. The way I'm using encrypt all of these partition, but the Flash encryption docs state that only bootloader, partition table, NVS Key Partition, Otadata, “app” type partitions (factory) and partitions marked with encrypted flag should be encrypted. So, nvs, phy-init, and vfs partitions shouldn't be encrypted, and even nvs partition doesn't support encrypted flag. Could this cause some troubles? Could it affect Wifi taking into account the calibration data is stored in the nvs partition?
Yes this can cause problems. Only those partitions which support encryption should be encrypted using the flash encryption key.
Please refer to https://docs.espressif.com/projects/esp ... partitions for more details.
The NVS partition has its own encryption algorithm different from the Flash Encrpytion. Please refer https://docs.espressif.com/projects/esp ... encryption for more details.
With this configuration, could someone still stole and decrypt the firmware?
In addition to the eFuses that you have set, you also need to write protect the FLASH_CRYPT_CNT. Please refer to https://docs.espressif.com/projects/esp ... externally for more details about the eFuses that need to be burned.

I dont know how micropython API interface works, but if you have access to this API from esp-idf https://github.com/espressif/esp-idf/bl ... ypt.h#L199

Then you can use it to verify your eFuse setting related to Flash Encryption.
Once this returns True, that means you have enabled flash encryption is release mode which is the maximum possible protection offered by the flash encryption feature.

Who is online

Users browsing this forum: No registered users and 115 guests