Flash encryption and boot secure with esptool

ctacb_
Posts: 7
Joined: Sun Aug 12, 2018 2:36 pm

Flash encryption and boot secure with esptool

Postby ctacb_ » Fri Aug 17, 2018 9:17 am

Good afternoon.

As I understood, the ESP32's protection is separated into two parts:
1 - My program can be encrypted by espsecure (esptool script), and then decrypted by the ESP32 using the key saved in the block_1 fuse before.
2 - Bootloader secure is something hard. I can't understand it at this moment.

So to secure my program with flash encryption I do:

1 - espsecure.py generate_flash_encryption_key key.bin
2 - espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption key.bin
3 - espsecure encrypt_flash_data --keyfile key.bin --address 0x10000 -o my-app-encrypted.bin my-app.bin
4 - flash my-app-encrypted.bin to the esp32.

Is that all right?

If I'm fine, please explain about bootloader secure.
How does it work?
What do I do, step by step?

I will be very grateful!

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Flash encryption and boot secure with esptool

Postby WiFive » Fri Aug 17, 2018 10:16 am


ctacb_
Posts: 7
Joined: Sun Aug 12, 2018 2:36 pm

Re: Flash encryption and boot secure with esptool

Postby ctacb_ » Fri Aug 17, 2018 2:25 pm

WiFive wrote: No, you only do steps 3&4 to update the app
Sorry, I don't understand.
Can you please quote the text that you answered?

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flash encryption and boot secure with esptool

Postby ESP_Angus » Sun Aug 19, 2018 11:24 pm

Hi ctacb,

If you're pre-generating the key then the steps for flash encryption are the ones shown here:
https://docs.espressif.com/projects/esp ... yption-key

For the first boot, you generate a key and flash with espefuse.py (steps 1 & 2 in your post) then you flash a plaintext bootloader and plaintext app with "esptool.py write_flash ...". The app will encrypt its own flash on first boot (this includes the app and the bootloader).

After the first boot, to update the app again you build the new app and then encrypt it on the host and flash the encrypted .bin file (steps 3 & 4 in your post). (This part in the docs.)

You will probably also want to enable secure boot to prevent unauthorized code being booted. This is done separately, see https://docs.espressif.com/projects/esp ... -boot.html
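
The host-side update described above (steps 3 & 4 of the original post), as an added shell example that is not part of any post in this thread. It assumes the 256-bit key from steps 1 & 2 is still on the host; the helper names and the DRY_RUN switch are hypothetical, and the same address is passed to both commands because ESP32 flash encryption depends on the flash offset.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# An ESP32 flash-encryption key file must be exactly 32 bytes (256 bits).
key_ok() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1")
    [ "$((size))" -eq 32 ]
}

# Step 1, guarded: never overwrite an existing key file. Once the key has been
# burned to eFuse, the host copy is needed for every later host-side encryption.
gen_key() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing key file: $1" >&2
        return 1
    fi
    run espsecure.py generate_flash_encryption_key "$1"
}

# Steps 3 and 4: encrypt on the host, then write the ciphertext to the SAME
# offset. Ciphertext produced for one address does not decrypt at another.
# usage: update_app PORT KEYFILE ADDRESS APP_BIN
update_app() {
    port=$1 key=$2 addr=$3 app=$4
    key_ok "$key" || { echo "bad key file: $key" >&2; return 1; }
    out="${app%.bin}-encrypted.bin"
    run espsecure.py encrypt_flash_data --keyfile "$key" \
        --address "$addr" -o "$out" "$app" || return 1
    run esptool.py --port "$port" write_flash "$addr" "$out"
}

# Command-line entry point, e.g.:
#   DRY_RUN=0 ./update.sh update /dev/ttyUSB0 key.bin 0x10000 my-app.bin
case "${1:-}" in
    genkey) gen_key "$2" ;;
    update) update_app "$2" "$3" "$4" "$5" ;;
esac
```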

ctacb_
Posts: 7
Joined: Sun Aug 12, 2018 2:36 pm

Re: Flash encryption and boot secure with esptool

Postby ctacb_ » Thu Sep 13, 2018 9:18 pm

Thx you ESP_Angus
