What if Flash Encryption and Secure Boot goes wrong ??

k.ifantidis
Posts: 33
Joined: Wed Mar 28, 2018 6:58 am

What if Flash Encryption and Secure Boot goes wrong ??

Postby k.ifantidis » Thu Feb 14, 2019 3:04 pm

Hello there.
I'm studying Flash Encryption and the security features of the ESP32 in the esp-idf SDK. I would like to know if it's possible to use "make erase_flash" after enabling the encryption and all the other features like secure boot, signed app images, partitions, etc., in order to restore the flash and flash new programs to the chip.
I'm going to find this out sometime in the near future :D but I would like a quick answer (Y or N) on whether it's possible.


Regards, Kostas.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: What if Flash Encryption and Secure Boot goes wrong ??

Postby ESP_Angus » Thu Feb 14, 2019 11:32 pm

Hi Kostas,

Flash Encryption and Secure Boot are both enabled by burning efuses inside the ESP32 (not the flash). Efuses are write-once only: once an efuse bit is set to "1", it can't be set back to "0".

If you erase the flash of an ESP32 with flash encryption and secure boot turned on, the only way to continue to use that ESP32 is to have saved pre-generated Flash Encryption and Secure Boot keys (which match the efuse contents) and then re-flash pre-encrypted binaries with a pre-generated secure boot digest. See here:

https://docs.espressif.com/projects/esp ... bootloader
https://docs.espressif.com/projects/esp ... yption-key

(One exception: If flash encryption is used and the FLASH_CRYPT_CNT value is not yet the max, you can increment it by one bit to disable flash encryption again and use the chip with flash encryption off. This can only be done 3 times in total; after this you run out of efuse bits in FLASH_CRYPT_CNT. If Secure Boot is enabled then you will still need the secure boot key to generate a bootloader digest for the plaintext bootloader.)
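
The write-once behaviour and the FLASH_CRYPT_CNT exception described in the reply above, as an added Python model that is not part of the original post and touches no hardware. It assumes the original ESP32's 7-bit FLASH_CRYPT_CNT field, where encryption is active when an odd number of bits is set (from the ESP32 documentation, not stated in the post); the function names are hypothetical.

```python
"""Offline model of the ESP32 FLASH_CRYPT_CNT efuse field (illustrative only)."""

FIELD_BITS = 7  # assumption: field width on the original ESP32, per its documentation


def popcount(value: int) -> int:
    return bin(value).count("1")


def burn(current: int, requested: int) -> int:
    """Efuse write semantics: bits only go 0 -> 1, so a burn is a bitwise OR."""
    if not 0 <= requested < (1 << FIELD_BITS):
        raise ValueError("value does not fit in FLASH_CRYPT_CNT")
    return current | requested


def encryption_enabled(cnt: int) -> bool:
    """Assumption (ESP32 docs): encryption is on when an odd number of bits is set."""
    return popcount(cnt) % 2 == 1


def toggle(cnt: int) -> int:
    """Burn the lowest clear bit, flipping the enabled/disabled state."""
    for bit in range(FIELD_BITS):
        if not cnt & (1 << bit):
            return burn(cnt, 1 << bit)
    raise RuntimeError("FLASH_CRYPT_CNT exhausted: the current state is permanent")


def disables_remaining(cnt: int) -> int:
    """How many more times encryption can still be switched off from this value."""
    free = FIELD_BITS - popcount(cnt)
    # From an enabled state the very next burn disables; from a disabled
    # state one burn is spent re-enabling before each disable.
    return (free + 1) // 2 if encryption_enabled(cnt) else free // 2


if __name__ == "__main__":
    cnt = 0b0000001  # constructed sample: encryption enabled for the first time
    print("clearing a bit has no effect:", bin(burn(cnt, 0)))
    while True:
        state = "enabled" if encryption_enabled(cnt) else "disabled"
        print(f"{cnt:07b} {state:8} disables left: {disables_remaining(cnt)}")
        try:
            cnt = toggle(cnt)
        except RuntimeError as exc:
            print(exc)
            break
```

Running it walks the field from first enablement to exhaustion and shows the three remaining disable cycles the reply mentions.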

k.ifantidis
Posts: 33
Joined: Wed Mar 28, 2018 6:58 am

Re: What if Flash Encryption and Secure Boot goes wrong ??

Postby k.ifantidis » Sat Feb 16, 2019 2:43 pm

Thanks a lot, Angus, for the quick response. I'm going to study the topic more over the next few days.

Best regards, Kostas.
