Questions about Flash Encryption

human890209
Posts: 54
Joined: Wed Aug 15, 2018 8:56 am

Questions about Flash Encryption

Postby human890209 » Sat Sep 08, 2018 5:45 am

I'm using ESP32 Arduino with Arduino IDE, and I read the ESP-IDF Programming Guide to learn the Flash Encryption and Secure Boot.

My target is to protect my firmware code from copiers and crackers. I think Flash Encryption is what I need.

I guess the simplest way of doing that is by
Reflashing via Pregenerated Flash Encryption Key
But this Warning confuses me:
This method is intended to assist with development only, not for production devices. If pre-generating flash encryption for production, ensure the keys are generated from a high quality random number source and do not share the same flash encryption key across multiple devices.
1. A high quality random number source?

espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
Is generating the key.bin with a PC a high quality random number source?

2. Do not share the same flash encryption key across multiple devices?
I understand that if two devices share the same flash encryption key, the firmware dump file from one device could be uploaded and run on the other device. But if the two devices are the same model and version, I think that's okay.
If different models or versions use different encryption keys, the firmware dump could not be used on a wrong model or version. And a counterfeit which doesn't have your encryption key in its eFuse cannot decrypt and run the firmware dump from your product.

And I read another warning:
Generating the flash encryption key from the secure boot signing key in this way means that you only need to store one key file. However this method is not at all suitable for production devices.
This warns me again that multiple devices sharing the same key are not recommended.

I'm wondering WHY?
If the firmware is 100% the same what makes it different to use a unique encryption key or not?
If any of your device's encryption key is cracked, then the cracker can decrypt the dump file into a plaintext firmware. The game is over.

I'm not a cracker. If multiple devices share the same encryption key in their eFuse, could a cracker get part of the key (several bits) by force, and repeat this procedure until he gets the whole key?
Or the cracker buys 100 products and uses 100 computers to test the keys; a shared encryption key indeed makes it more convenient to split the tasks and shorten the time.
If so, that's unsafe indeed to share an encryption key among multiple devices.

Then how to do flash encryption with unique keys for an ESP32 Arduino user?

GeorgeFlorian1
Posts: 160
Joined: Thu Jan 31, 2019 2:32 pm

Re: Questions about Flash Encryption

Postby GeorgeFlorian1 » Tue Apr 02, 2019 2:29 pm

Have you found out more?

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Questions about Flash Encryption

Postby ESP_Angus » Wed Apr 03, 2019 12:03 am

human890209 wrote:
Sat Sep 08, 2018 5:45 am
1. A high quality random number source?

espsecure.py generate_flash_encryption_key my_flash_encryption_key.bin
Is generating the key.bin with a PC a high quality random number source?

It should be, this command uses os.urandom in Python. The Python docs say "The returned data should be unpredictable enough for cryptographic applications, though its exact quality depends on the OS implementation."

Ultimately, we say a high quality random number source is needed because we don't know what OS you're using and what qualities it might have.

human890209 wrote:
Sat Sep 08, 2018 5:45 am
2. Do not share the same flash encryption key across multiple devices?
I understand that if two devices share the same flash encryption key, the firmware dump file from one device could be uploaded and run on the other device. But if the two devices are the same model and version, I think that's okay.
If different models or versions use different encryption keys, the firmware dump could not be used on a wrong model or version. And a counterfeit which doesn't have your encryption key in its eFuse cannot decrypt and run the firmware dump from your product.

And I read another warning:
Generating the flash encryption key from the secure boot signing key in this way means that you only need to store one key file. However this method is not at all suitable for production devices.
This warns me again that multiple devices sharing the same key are not recommended.

I'm wondering WHY?
If the firmware is 100% the same what makes it different to use a unique encryption key or not?
If any of your device's encryption key is cracked, then the cracker can decrypt the dump file into a plaintext firmware. The game is over.

If you're concerned only about someone getting plaintext binary firmware, then this is generally correct. However there are additional protections to not sharing flash encryption keys between all devices:
  • A leak of one device key only allows tampering, modification, or retrieval of user data from one device, not all devices.
  • If an attacker has two devices side by side, one is running an older firmware with some vulnerability and the other one is running a newer firmware with no vulnerability, they can copy the older firmware onto the newer device without limitation. (Although the anti-rollback feature in IDF v3.3 will provide another way to prevent this.)
  • Similar to the previous attack, an attacker may be able to mix and match blocks of data stored in a data partition between multiple devices with different configurations, without needing any encryption keys.
For these reasons, we recommend using unique keys in each device. But the final decision is up to you and your threat model - if your only concern is someone getting access to your plaintext binary firmware, you're correct that this makes little difference.

If using flash encryption without secure boot, it's important to read and understand this section as well (otherwise the firmware can be trivially recovered by the attacker):
https://docs.espressif.com/projects/esp ... ecure-boot

Then how to do flash encryption with unique keys for an ESP32 Arduino user?

I'm afraid there is no support for flash encryption in the Arduino IDE. You can use flash encryption by converting your Arduino project into an IDF project, and using the Arduino framework as a component in IDF: https://github.com/espressif/arduino-es ... of-esp-idf
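
One way to act on the unique-key recommendation in the reply above, as an added example that is not code from this thread or from Espressif's tools: it writes one key file per device from os.urandom, refuses to overwrite an existing key, and audits a key directory for keys shared between devices. It assumes the key file is 32 raw bytes (a 256-bit key); the function names, the directory layout and the device ids are hypothetical.

```python
import hashlib
import os
import tempfile
from pathlib import Path

KEY_LEN = 32  # assumed key-file format: 32 raw bytes (256-bit key)


def fingerprint(path: Path) -> str:
    """SHA-256 of a key file, so keys can be compared without printing them."""
    data = path.read_bytes()
    if len(data) != KEY_LEN or len(set(data)) == 1:
        raise ValueError(f"{path.name}: wrong length or constant-byte key")
    return hashlib.sha256(data).hexdigest()


def provision_key(key_dir: Path, device_id: str) -> str:
    """Write a fresh key to <key_dir>/<device_id>.bin and return its fingerprint."""
    if not device_id.isalnum():
        raise ValueError("device id must be alphanumeric")
    path = key_dir / f"{device_id}.bin"
    # O_EXCL: fail rather than overwrite a key that may already be burned
    # into that device's eFuse; 0o600 keeps the file owner-readable only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(KEY_LEN))  # OS CSPRNG, as the reply above describes
    return fingerprint(path)


def shared_keys(key_dir: Path) -> dict:
    """Return {fingerprint: [device ids]} for every key used by more than one device."""
    by_fp = {}
    for path in sorted(key_dir.glob("*.bin")):
        by_fp.setdefault(fingerprint(path), []).append(path.stem)
    return {fp: ids for fp, ids in by_fp.items() if len(ids) > 1}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed demo batch
        key_dir = Path(tmp)
        for n in range(3):
            dev = f"dev{n:03d}"  # hypothetical device ids
            print(dev, provision_key(key_dir, dev)[:16])
        print("shared keys:", shared_keys(key_dir) or "none")
```

Running the audit before a production batch is flashed catches a development key file that was copied to several device ids.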

human890209
Posts: 54
Joined: Wed Aug 15, 2018 8:56 am

Re: Questions about Flash Encryption

Postby human890209 » Fri Apr 05, 2019 9:55 am

Thanks a lot. @ESP_Angus
