Encrypting device specific data
Encrypting device specific data
hello,
I need to load multiple esp32 devices with different data like certificates, configuration files etc. and encrypted them.
In a previous attempt I tried to use spiffs.. That went pretty much as expected.. easy build and flash
on each esp32..
When I enabled the encryption the spiffs partition didnt got encrypted because that is the way flash encryption works.
I need to have same firmware but different configuration data and all of them to be encrypted.
Embedding the configuration data (certs and files) in firmware is an option but this will add delay in production line because of the
different build for each esp32..
Has someone else encountered such a problem ?
Thanks,
Chris..
I need to load multiple esp32 devices with different data like certificates, configuration files etc. and encrypted them.
In a previous attempt I tried to use spiffs.. That went pretty much as expected.. easy build and flash
on each esp32..
When I enabled the encryption the spiffs partition didnt got encrypted because that is the way flash encryption works.
I need to have same firmware but different configuration data and all of them to be encrypted.
Embedding the configuration data (certs and files) in firmware is an option but this will add delay in production line because of the
different build for each esp32..
Has someone else encountered such a problem ?
Thanks,
Chris..
Re: Encrypting device specific data
Hi Chris,
The approach WiFive links to is the easiest approach if you want a dedicated filesystem with this data. Create a read-only fatfs image, and mark this partition as encrypted in the partition table and the filesystem will be encrypted during first boot, and you can open it and read back data.
If you only have a small amount of files which are the same for each device, you can also embed the files directly in the app (which is entirely encrypted):
https://docs.espressif.com/projects/esp ... inary-data
Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.
The approach WiFive links to is the easiest approach if you want a dedicated filesystem with this data. Create a read-only fatfs image, and mark this partition as encrypted in the partition table and the filesystem will be encrypted during first boot, and you can open it and read back data.
If you only have a small amount of files which are the same for each device, you can also embed the files directly in the app (which is entirely encrypted):
https://docs.espressif.com/projects/esp ... inary-data
Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.
Re: Encrypting device specific data
Thank you both for the information
I tried the wearleveling example just to check that I could mount and work the fat partition i added in partitions.csv.
Then I tried to create an empty fat image on my linux box using :
and flashed this with :
python /data/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 2000000 --before default_reset --after no_reset write_flash --flash_size detect 0x350000 /home/cte/540kb.img
the code that tries to mount is :
What I get is :
(135) vfs_fat_spiflash: f_mount failed (13)
I tried also to create the fat image using :
./mkfatfs -c ~/image_data -s 552960 540kb.img
I got the same error
(135) vfs_fat_spiflash: f_mount failed (13)
I believe that creating and flashing the image from the host computer is somehow fishy ...
I am using 86148a740b12b commit of the idf...
Any help will be greatly appreciated..
Thanks
Chris
I tried the wearleveling example just to check that I could mount and work the fat partition i added in partitions.csv.
It mount, it wrote data and read them as expectednvs,data,nvs,0x9000,16K,
otadata,data,ota,0xd000,8K,
phy_init,data,phy,0xf000,4K,
factory,app,factory,0x10000,1M,
ota_0,app,ota_0,0x110000,1M,
ota_1,app,ota_1,0x210000,1M,
storage,data,spiffs,0x310000,256K
storage_1,data,fat,0x350000,540K
Then I tried to create an empty fat image on my linux box using :
Code: Select all
dd if=/dev/zero of=540kb.img bs=4096 count=135
mkfs.vfat 540kb.img
python /data/esp/esp-idf/components/esptool_py/esptool/esptool.py --chip esp32 --port /dev/ttyUSB0 --baud 2000000 --before default_reset --after no_reset write_flash --flash_size detect 0x350000 /home/cte/540kb.img
the code that tries to mount is :
Code: Select all
//
ESP_LOGI(TAG, "Mounting FAT filesystem");
// To mount device we need name of device partition, define base_path
// and allow format partition in case if it is new one and was not formated before
const esp_vfs_fat_mount_config_t mount_config = {
.max_files = 4,
.format_if_mount_failed = true,
.allocation_unit_size = CONFIG_WL_SECTOR_SIZE
};
esp_err_t err = esp_vfs_fat_rawflash_mount(base_path, "storage_1", &mount_config); // try to mount read only
if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to mount FATFS (%s)", esp_err_to_name(err));
return err;
}
//
(135) vfs_fat_spiflash: f_mount failed (13)
I tried also to create the fat image using :
./mkfatfs -c ~/image_data -s 552960 540kb.img
I got the same error
(135) vfs_fat_spiflash: f_mount failed (13)
I believe that creating and flashing the image from the host computer is somehow fishy ...
I am using 86148a740b12b commit of the idf...
Any help will be greatly appreciated..
Thanks
Chris
Re: Encrypting device specific data
Hi Chris,
There are two options for FAT filesystems in ESP-IDF right now:
- Wear levelling FATFS. This adds a "wear levelling" layer between the fatfs sector-based data and the flash itself, to avoid the FAT sectors wearing out the flash prematurely. For this reason you can't flash a "plain" FAT image and then mount it. A tool for generating wear levelling images on the host is planned but not released, at the moment you have the wear levelling FATFS from inside ESP-IDF itself.
- Read-only "raw" FATFS. This uses a different API to mount the FATFS directly, but it can't be written to. A different API is used to mount. See here: https://docs.espressif.com/projects/esp ... -only-mode
If you use the "raw" API to mount the partition, you should be able to generate it on the host as a FATFS disk image and flash it.
There are two options for FAT filesystems in ESP-IDF right now:
- Wear levelling FATFS. This adds a "wear levelling" layer between the fatfs sector-based data and the flash itself, to avoid the FAT sectors wearing out the flash prematurely. For this reason you can't flash a "plain" FAT image and then mount it. A tool for generating wear levelling images on the host is planned but not released, at the moment you have the wear levelling FATFS from inside ESP-IDF itself.
- Read-only "raw" FATFS. This uses a different API to mount the FATFS directly, but it can't be written to. A different API is used to mount. See here: https://docs.espressif.com/projects/esp ... -only-mode
If you use the "raw" API to mount the partition, you should be able to generate it on the host as a FATFS disk image and flash it.
Re: Encrypting device specific data
I would love to get access to such a tool (to generate FATFS/WL images on the host.)
Previously I had used this project with great success:
https://github.com/jkearins/ESP32_mkfatfs
But I believe something has changed recently in esp-idf w.r.t. WL (a new version V2?), and the V1 -> V2 upgrade process (when using these generated images) is not working for me upon reboot.
Previously I had used this project with great success:
https://github.com/jkearins/ESP32_mkfatfs
But I believe something has changed recently in esp-idf w.r.t. WL (a new version V2?), and the V1 -> V2 upgrade process (when using these generated images) is not working for me upon reboot.
Re: Encrypting device specific data
@ESP_Angus:
Any update on when we can expect the r/w fatfs and NVS encryption to be available?
Any update on when we can expect the r/w fatfs and NVS encryption to be available?
Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.
Re: Encrypting device specific data
Sorry, I forgot to the update the forum.jas39_ wrote:@ESP_Angus:
Any update on when we can expect the r/w fatfs and NVS encryption to be available?
Support for encrypted read/write fatfs and encrypted NVS are both being worked on now and will be available soon.
The current master branch should work with encrypted read/write fatfs (over wear levelling layer). This support will be in ESP-IDF V3.2 release.
NVS Encryption support has been developed and is currently in review. It is also planned for the V3.2 release.
Re: Encrypting device specific data
@WiFive last commit on this was in 2017 -- have you used it without issues on the latest esp-idf master? I'll use a different third-party tool like this if it works for now!WiFive wrote:https://github.com/lllucius/esp32_fatfsimage
Who is online
Users browsing this forum: cdollar and 71 guests