Chapter 2. API Reference
NOTE: Once a BLOCK is read-protected, the application will read all zeros from that block.
NOTE: If "UART ROM download mode (Permanently disabled (recommended))" or "UART ROM download mode (Permanently switch to Secure mode (recommended))" is set, then it is __NOT__ possible to read/write efuses using the espefuse.py utility. However, efuses can still be read/written from the application.
CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS
Leave unused digest slots available (not revoke)
Found in: Security features > Potentially insecure options
If not set (default), the app revokes all unused digest slots during startup by calling esp_efuse_set_digest_revoke(num_digest) for each unused digest. Revoking unused digest slots ensures that no trusted keys can be added later by an attacker. Set this option only if you plan to use the unused digest slots later.
Default value:
• No (disabled) if CONFIG_SECURE_BOOT_INSECURE
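The following is an added example, not ESP-IDF code, that models the startup step described above so the effect of the option can be seen without hardware. It simulates the eFuse revoke bits as one-time-programmable (a burned bit is never cleared), stands in for esp_efuse_set_digest_revoke() with sim_set_digest_revoke(), and assumes three digest slots (as on ESP32-S2/S3/C3; check your target). The refusal to revoke when no usable digest would remain is this model's own guard, not a statement about what the bootloader does.

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumption (not from the page): three Secure Boot V2 digest slots, as on
 * ESP32-S2/S3/C3. Check the digest slot count for your target. */
#define NUM_DIGEST_SLOTS 3

/* Simulated eFuse state. Both arrays model one-time-programmable bits:
 * once set they can never be cleared, which is what makes revocation final. */
typedef struct {
    bool digest_present[NUM_DIGEST_SLOTS]; /* slot holds a public-key digest */
    bool revoked[NUM_DIGEST_SLOTS];        /* KEY_REVOKEn bit burned */
} sim_efuse_t;

/* Stand-in for esp_efuse_set_digest_revoke(): burns the revoke bit for slot n.
 * Returns false only for an out-of-range slot. Idempotent, never reversible. */
bool sim_set_digest_revoke(sim_efuse_t *e, unsigned n)
{
    if (n >= NUM_DIGEST_SLOTS) return false;
    e->revoked[n] = true;
    return true;
}

/* Stand-in for writing a new digest into a slot (what someone trying to add
 * a trusted key later would attempt). A revoked slot is never trusted again,
 * so the write is refused. */
bool sim_program_digest(sim_efuse_t *e, unsigned n)
{
    if (n >= NUM_DIGEST_SLOTS || e->revoked[n]) return false;
    e->digest_present[n] = true;
    return true;
}

/* Number of slots currently usable as trust anchors: present and not revoked. */
int sim_count_valid_digests(const sim_efuse_t *e)
{
    int valid = 0;
    for (unsigned n = 0; n < NUM_DIGEST_SLOTS; n++)
        if (e->digest_present[n] && !e->revoked[n]) valid++;
    return valid;
}

/* Model of the startup step governed by CONFIG_SECURE_BOOT_ALLOW_UNUSED_DIGEST_SLOTS.
 * allow_unused_slots == false is the default: every empty slot is revoked.
 * Returns the number of slots revoked, or -1 if the model refuses because no
 * usable digest would remain (this model's own guard, not a claim about ESP-IDF). */
int revoke_unused_digest_slots(sim_efuse_t *e, bool allow_unused_slots)
{
    if (allow_unused_slots) return 0; /* option set: keep empty slots for later keys */
    if (sim_count_valid_digests(e) == 0) return -1;
    int revoked = 0;
    for (unsigned n = 0; n < NUM_DIGEST_SLOTS; n++) {
        if (!e->digest_present[n] && !e->revoked[n]) {
            sim_set_digest_revoke(e, n);
            revoked++;
        }
    }
    return revoked;
}

int main(void)
{
    sim_efuse_t e = {0};
    e.digest_present[0] = true; /* constructed: only slot 0 was provisioned */
    int n = revoke_unused_digest_slots(&e, false);
    printf("revoked %d unused slot(s)\n", n);
    printf("later attempt to add a key in slot 1: %s\n",
           sim_program_digest(&e, 1) ? "accepted" : "refused");
    return 0;
}
```

With the option left at its default, a device provisioned with one digest ends up with the other two slots permanently revoked, and a later attempt to program a digest into them is refused; with the option set, the slots stay open, which is exactly the window the default closes.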
CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC
Leave UART bootloader encryption enabled
Found in: Security features > Potentially insecure options
If not set (default), the bootloader will permanently disable UART bootloader encryption access on first
boot. If set, the UART bootloader will still be able to access hardware encryption.
It is recommended to only set this option in testing environments.
Default value:
• No (disabled) if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE
Leave UART bootloader flash cache enabled
Found in: Security features > Potentially insecure options
If not set (default), the bootloader will permanently disable UART bootloader flash cache access on first
boot. If set, the UART bootloader will still be able to access the flash cache.
Only set this option in testing environments.
Default value:
• No (disabled) if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED
Require flash encryption to be already enabled
Found in: Security features > Potentially insecure options
If not set (default), and flash encryption is not yet enabled in eFuses, the 2nd stage bootloader will enable
flash encryption: generate the flash encryption key and program eFuses. If this option is set, and flash
encryption is not yet enabled, the bootloader will error out and reboot. If flash encryption is enabled in
eFuses, this option does not change the bootloader behavior.
Only use this option in testing environments, to avoid accidentally enabling flash encryption on the wrong
device. The device needs to have flash encryption already enabled using espefuse.py.
Default value:
• No (disabled) if SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT
Espressif Systems 1074
Release v4.4