UART ROM download mode when using Flash Encryption

osiris81
Posts: 6
Joined: Fri Sep 11, 2020 12:57 pm

UART ROM download mode when using Flash Encryption

Postby osiris81 » Fri Jul 30, 2021 3:55 pm

Hello,

When enabling Flash encryption for a production build I have to choose between the two UART ROM download modes:
- Permanently switch to secure mode
- Permanently disabled

What is the benefit of using the secure mode instead of completely disabling the UART?

Since flash encryption is enabled, I cannot flash a new bootloader anyway since the esp32 expects an encrypted bootloader and encrypted download is disabled in secure mode. What is the point of being able to flash the esp32 in secure mode?

From my understanding, (accidentally) flashing an already flashed esp32 will brick the device, so it seems safer to me to disable the UART permanently, is that correct?

Best regards

ESP-Marius
Posts: 74
Joined: Wed Oct 23, 2019 1:49 am

Re: UART ROM download mode when using Flash Encryption

Postby ESP-Marius » Sat Jul 31, 2021 12:47 am

Hi,

With secure mode you would still be able to encrypt your binary on the host, flash it and boot successfully. This is of course only possible if you already know the key burned to the ESP32.

If you don't have any specific reason to keep secure mode on we still recommend disabling the download mode to limit the attack surface.
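The host-side re-flash that ESP-Marius describes, written out as an added example (not code from the forum thread or from ESP-IDF itself). It assumes the ESP-IDF tools `espsecure.py` and `esptool.py` are on PATH and that the 256-bit flash encryption key already burned to the chip's eFuse is available in a file; the key file path, image name and flash offset are placeholders.

```shell
#!/bin/sh
# Added example: re-flash an encrypted image while the ESP32 is in
# secure download mode. In that mode the chip does not encrypt on the
# fly, so the image must be encrypted on the host with the eFuse key.
set -eu

# ESP32 flash encryption keys are 256 bits (32 bytes); refuse anything else
# so a wrong key file is caught before anything is written to flash.
check_key_file() {
    [ -f "$1" ] || return 1
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 32 ]
}

# Build the espsecure.py invocation for one image. The cipher is tweaked
# by flash address, so the --address here must equal the write offset.
# (ESP32-S2 and later use --aes_xts in addition; not needed for ESP32.)
encrypt_cmd() {
    printf 'espsecure.py encrypt_flash_data --keyfile %s --address %s -o %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Encrypt and flash one image: key file, flash offset, plaintext image.
flash_encrypted() {
    keyfile=$1 addr=$2 image=$3
    check_key_file "$keyfile" || { echo "key file must be exactly 32 bytes" >&2; return 1; }
    out="${image%.bin}-encrypted.bin"
    espsecure.py encrypt_flash_data --keyfile "$keyfile" --address "$addr" -o "$out" "$image"
    # Plain write_flash: the ciphertext is written as-is, the ROM bootloader
    # decrypts it transparently at boot using the eFuse key.
    esptool.py write_flash "$addr" "$out"
}

# Usage with placeholder names (bootloader lives at 0x1000 on ESP32):
# flash_encrypted flash_encryption_key.bin 0x1000 build/bootloader/bootloader.bin
```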
