Chapter 4. API Guides
firmware bootloader encrypts the firmware bootloader, application partitions and partitions marked as encrypted, then resets. Encrypting in place can take time, up to a minute for large partitions. After that, the application is decrypted at runtime and executed.
Once flash encryption is enabled in Release mode, the bootloader will write-protect the SPI_BOOT_CRYPT_CNT eFuse.
For subsequent plaintext field updates, use the OTA scheme.
Note: If you have pre-generated the flash encryption key and stored a copy, and the UART download mode is not permanently disabled via CONFIG_SECURE_UART_ROM_DL_MODE, then it is possible to update the flash locally by pre-encrypting the files and then flashing the ciphertext. See Manually Encrypting Files.
Best Practices
When using Flash Encryption in production:
• Do not reuse the same flash encryption key between multiple devices. This ensures that an attacker who copies encrypted data from one device cannot transfer it to a second device.
• The UART ROM Download Mode should be disabled entirely if it is not needed, or permanently set to “Secure Download Mode” otherwise. Secure Download Mode permanently limits the available commands to basic flash read and write only. The default behaviour is to set Secure Download Mode on first boot in Release mode. To disable Download Mode entirely, set CONFIG_SECURE_UART_ROM_DL_MODE to “Permanently disable ROM Download Mode (recommended)” or call esp_efuse_disable_rom_download_mode() at runtime.
• Enable Secure Boot as an extra layer of protection, and to prevent an attacker from selectively corrupting any
part of the flash before boot.
4.13.5 Possible Failures
Once flash encryption is enabled, the SPI_BOOT_CRYPT_CNT eFuse value will have an odd number of bits set. This means that all the partitions marked with the encryption flag are expected to contain encrypted ciphertext. Below are the three typical failure cases if the ESP32-S2 is erroneously loaded with plaintext data:
1. If the bootloader partition is re-flashed with a plaintext firmware bootloader image, the ROM bootloader will fail to load the firmware bootloader, resulting in the following failure:
rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
invalid header: 0xb414f76b
invalid header: 0xb414f76b
invalid header: 0xb414f76b
invalid header: 0xb414f76b
invalid header: 0xb414f76b
invalid header: 0xb414f76b
invalid header: 0xb414f76b
Note: The value of the invalid header will be different for every application.
Note: This error also appears if the flash contents are erased or corrupted.
2. If the firmware bootloader is encrypted, but the partition table is re-flashed with a plaintext partition table image, the bootloader will fail to read the partition table, resulting in the following failure:
Espressif Systems 1351
Release v4.4
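An added offline diagnostic (not part of the ESP-IDF documentation or code base) that ties together the Possible Failures section above: it decides from the SPI_BOOT_CRYPT_CNT eFuse value whether the ROM expects ciphertext, and scans a captured serial boot log for the repeated "invalid header" loop of failure case 1. The function names, the dict layout and the sample log are assumptions constructed for this example, modelled on the output quoted above.

```python
import re

# ESP32-S2 SPI_BOOT_CRYPT_CNT is a 3-bit eFuse field; the ROM treats an odd
# number of set bits as "flash encryption enabled" (see the text above).
SPI_BOOT_CRYPT_CNT_WIDTH = 3

def flash_encryption_enabled(spi_boot_crypt_cnt: int) -> bool:
    """True when the eFuse value has an odd number of bits set."""
    if not 0 <= spi_boot_crypt_cnt < (1 << SPI_BOOT_CRYPT_CNT_WIDTH):
        raise ValueError("SPI_BOOT_CRYPT_CNT is a %d-bit field" % SPI_BOOT_CRYPT_CNT_WIDTH)
    return bin(spi_boot_crypt_cnt).count("1") % 2 == 1

# Patterns for the ROM's reset banner and its "invalid header" message.
_RST_RE = re.compile(r"rst:(0x[0-9a-fA-F]+) \((\w+)\),boot:(0x[0-9a-fA-F]+) \((\w+)\)")
_INVALID_HDR_RE = re.compile(r"invalid header: (0x[0-9a-fA-F]{1,8})")

def diagnose_boot_log(log: str, spi_boot_crypt_cnt: int) -> dict:
    """Summarise a captured boot log together with the eFuse state (hypothetical helper).
    The verdict only covers failure case 1: the header word differs per application,
    so only its presence and repetition are used, never its value."""
    enabled = flash_encryption_enabled(spi_boot_crypt_cnt)
    rst = _RST_RE.search(log)
    headers = _INVALID_HDR_RE.findall(log)
    result = {
        "encryption_expected": enabled,
        "reset_reason": rst.group(2) if rst else None,
        "boot_mode": rst.group(4) if rst else None,
        "invalid_header_count": len(headers),
        "invalid_header_words": sorted(set(headers)),
    }
    if headers and enabled:
        result["verdict"] = ("ROM cannot load the firmware bootloader while flash encryption "
                             "is enabled: a plaintext bootloader image, or erased/corrupted "
                             "flash, causes this loop; only ciphertext may be flashed here.")
    elif headers:
        result["verdict"] = ("ROM cannot load the firmware bootloader and encryption is not "
                             "enabled: flash contents are erased or corrupted.")
    else:
        result["verdict"] = "no 'invalid header' failure in this log"
    return result

# Constructed sample log, modelled on the output quoted in the text.
SAMPLE_LOG = ("rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)\n"
              + "invalid header: 0xb414f76b\n" * 7)

if __name__ == "__main__":
    print(diagnose_boot_log(SAMPLE_LOG, spi_boot_crypt_cnt=0b001))
```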