Enabling Flash Encryption after Secure Boot

vjacobs
Posts: 10
Joined: Mon May 20, 2019 8:34 am

Enabling Flash Encryption after Secure Boot

Postby vjacobs » Thu Aug 22, 2019 7:12 am

Hi all,

I am using ESP-IDF v3.3rc on an ESP-WROOM-32.

I have succesfully enabled Secure Boot on my module and everything seems to run fine and all fuses seem to be in correct state. My bootloader was set to 'One-Time Flash' since I'm targeting a production environment. I now want to try to enable Flash Encyption by setting the correct fields in menuconfig but nothing happens. It is not stated directly as such in the docs that this isn't possible but I suppose the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?

I just want to double check here that there isn't another way to still enable Flash Encryption in my situation?

Thanks,
Vincent

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Enabling Flash Encryption after Secure Boot

Postby ESP_Angus » Thu Aug 22, 2019 7:36 am

Hi Vincent,
vjacobs wrote:
Thu Aug 22, 2019 7:12 am
the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?
Unfortunately that's correct. Flash encryption is enabled by the bootloader during first boot, so you need to compile a bootloader with flash encryption enabled and then reflash it. But if the bootloader was already flashed in One-Time Flash mode, the ESP32 won't let you boot a different bootloader.

vjacobs
Posts: 10
Joined: Mon May 20, 2019 8:34 am

Re: Enabling Flash Encryption after Secure Boot

Postby vjacobs » Thu Aug 22, 2019 7:51 am

Hi Angus,

That's ok and thanks for the fast clarification!

Best,
Vincent

User avatar
urbanze
Posts: 301
Joined: Sat Jun 10, 2017 9:55 pm
Location: Brazil

Re: Enabling Flash Encryption after Secure Boot

Postby urbanze » Thu Aug 22, 2019 11:33 am

ESP_Angus wrote:
Thu Aug 22, 2019 7:36 am
Hi Vincent,
vjacobs wrote:
Thu Aug 22, 2019 7:12 am
the issue is that I flashed the bootloader already in 'One-Time Flash' mode and would need to re-flash the bootloader with Flash Encryption enabled in order for this to work?
Unfortunately that's correct. Flash encryption is enabled by the bootloader during first boot, so you need to compile a bootloader with flash encryption enabled and then reflash it. But if the bootloader was already flashed in One-Time Flash mode, the ESP32 won't let you boot a different bootloader.
If it saves the key or just sets the eFuses, shouldn't it work the same way as enabling it in menuconfig?

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Enabling Flash Encryption after Secure Boot

Postby ESP_Angus » Fri Aug 23, 2019 1:30 am

urbanze wrote:
Thu Aug 22, 2019 11:33 am
If it saves the key or just sets the eFuses, shouldn't it work the same way as enabling it in menuconfig?
The bootloader also encrypts all the partitions in-place on first boot.

Technically it is probably possible to enable flash encryption fully manually: read out the existing bootloader and the secure boot digest from the flash, generate a flash encryption key and burn it to the ESP32, burn efuses to enable flash encryption, then flash encrypted versions of the existing bootloader, existing secure boot digest, partition table, and app on to the ESP32. (either by encrypting locally with espsecure.py and then flashing the encrypted versions, or by using the new "Development Mode" encrypt-when-flashing feature in ESP-IDF V4.0.)

It's much simpler to get a new ESP32, though, and much less chance of accidentally mis-configuring flash encryption.

Who is online

Users browsing this forum: No registered users and 79 guests