In Pre-generated key Flash encryption I have few queries below : request help in understanding the same :
At broad level following are the steps I need to follow : Please correct me If I am wrong
1. Pre -generate Key using the script at esptool folder espsecure.py
2. Burning Flash encryption key
Can I flash the key through ESP32 download Tool or I need to do it only through Commandprompt
Where should I select "my_flash_encryption_key.bin" in ESP32 Download tool ?
should I select it at DeviceMasterKeyfolder path ?
Can I generate the key second time and flash it again , using same command prompt or download tool ? Can the key be overwritten ?
First flash plain text :
1. make menuconfig - > enable flash encryption - > make
2. app.bin, bootloader.bin and partition table.bin
3. make flash or flash through download tool
boot loader would encrypt all the partitons with pre burned key
Reflashing : Generate Encrypted app-bin using the my_flash_encryption_key.bin and flash through download tool
As per the document I see if Flags in partition table is set to "encrypt" , that will be encrypted. Is there a similar flag to disable an app partition from flash encryption?
Are my steps correct ?
Regarding Flash Encryption
Re: Regarding Flash Encryption - Key --force-write-always
Further to my above study , Flash encryption with Pre-generated Keys
I was able to flash with key generated and see flash encryption enabled. I had used the command
espefuse.py --port PORT burn_key --no-protect-key --force-write-always flash_encryption my_flash_encryption_key.bin
since --no-protect-key was used , read/write of it was enabled
--force-write-always was also defined.
Now I wanted to know what the difference between these 2 ?
Then I used like below --force-write-always , can I use different Keys ? ( as mentioned : new Key = OR of old and new ) ?
espefuse.py --port PORT burn_key --force-write-always flash_encryption my_flash_encryption_key.bin
I now strangely see my block 1 is all set to 0
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
What could be the reason for this ? when --force-write-always is used , doesnt it mean a valid non zero key must be generated.
Am not unable to change this BLK1 key... Any ways to update this BLK1 with a valid non zero key.
Request expert help in this regard
thanks
abhiram
I was able to flash with key generated and see flash encryption enabled. I had used the command
espefuse.py --port PORT burn_key --no-protect-key --force-write-always flash_encryption my_flash_encryption_key.bin
since --no-protect-key was used , read/write of it was enabled
--force-write-always was also defined.
Now I wanted to know what the difference between these 2 ?
Then I used like below --force-write-always , can I use different Keys ? ( as mentioned : new Key = OR of old and new ) ?
espefuse.py --port PORT burn_key --force-write-always flash_encryption my_flash_encryption_key.bin
I now strangely see my block 1 is all set to 0
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
What could be the reason for this ? when --force-write-always is used , doesnt it mean a valid non zero key must be generated.
Am not unable to change this BLK1 key... Any ways to update this BLK1 with a valid non zero key.
Request expert help in this regard
thanks
abhiram
Re: Regarding Flash Encryption
Hi Abhiram,
Technically, it is possible to make some changes: efuse bits can be burned 0->1 but never the other way. Doing this to the key blocks requires keeping their write protection efuse disabled. This will compromise security.
I don't know if you're concerned about this, but app partitions are prevented from "double encryption" because the bootloader only encrypts-in-place app partitions that contain valid apps. If encryption is disabled and the app partition is already encrypted, it will be seen as invalid and therefore left alone.
https://github.com/espressif/esptool/wi ... ning-a-key
Because it's read protected, it reads as all zeroes to software (including espeefuse.py).
Probably we should change this output to make it more intuitive.
The reason it became read/write protected is that this time you didn't pass "--no-protect-key", so the new key was written and then the read & write protection bits were set. The (protected) key value will be set to the OR of the old and new keys you had written.
At the moment burning the key to efuse is only possible from the command prompt. The "DeviceMasterKey" feature of the GUI Download Tool is different, it relates to writing keys to the flash of multiple devices (one key file per device). Whereas flash encryption keys are written to an internal efuse field of the chip itself.Abhiram wrote: Can I flash the key through ESP32 download Tool or I need to do it only through Commandprompt
Where should I select "my_flash_encryption_key.bin" in ESP32 Download tool ?
should I select it at DeviceMasterKeyfolder path ?
In general, no: the flash encryption key is written to efuse which is one-time-programmable. In normal use once the key block is written it is read & write protected which prevents any further modification.Abhiram wrote: Can I generate the key second time and flash it again , using same command prompt or download tool ? Can the key be overwritten ?
Technically, it is possible to make some changes: efuse bits can be burned 0->1 but never the other way. Doing this to the key blocks requires keeping their write protection efuse disabled. This will compromise security.
Correct. (For anyone who finds this post later, this is the reference documentation: http://esp-idf.readthedocs.io/en/latest ... ption.html )Abhiram wrote: First flash plain text :
1. make menuconfig - > enable flash encryption - > make
2. app.bin, bootloader.bin and partition table.bin
3. make flash or flash through download tool
boot loader would encrypt all the partitons with pre burned key
Also correct.Reflashing : Generate Encrypted app-bin using the my_flash_encryption_key.bin and flash through download tool
No, such a flag would not be usable. Once flash encryption is enabled, only encrypted data can be read via the "flash cache" MMU. This means that only encrypted apps can be run by the chip. The only partitions which can (optionally) remain unencrypted are data partitions which are read via partition_read/spi_flash_read APIs.As per the document I see if Flags in partition table is set to "encrypt" , that will be encrypted. Is there a similar flag to disable an app partition from flash encryption?
I don't know if you're concerned about this, but app partitions are prevented from "double encryption" because the bootloader only encrypts-in-place app partitions that contain valid apps. If encryption is disabled and the app partition is already encrypted, it will be seen as invalid and therefore left alone.
Please see the description of these options here:Abhiram wrote:espefuse.py --port PORT burn_key --no-protect-key --force-write-always flash_encryption my_flash_encryption_key.bin
since --no-protect-key was used , read/write of it was enabled
--force-write-always was also defined.
Now I wanted to know what the difference between these 2 ?
https://github.com/espressif/esptool/wi ... ning-a-key
Yes, if you kept the flash encryption write unprotected then you can use --force-write-always to set more bits to 1 (ie OR the old and the new key). This isn't something we support or encourage, but it's possible.Then I used like below --force-write-always , can I use different Keys ? ( as mentioned : new Key = OR of old and new ) ?
The "-/-" at the end is the read/write indicator. "R/W" means efuse is read & writable, "-/-" means it is read and write protected.espefuse.py --port PORT burn_key --force-write-always flash_encryption my_flash_encryption_key.bin
I now strangely see my block 1 is all set to 0
BLK1 Flash encryption key
= 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -/-
What could be the reason for this ?
Because it's read protected, it reads as all zeroes to software (including espeefuse.py).
Probably we should change this output to make it more intuitive.
The reason it became read/write protected is that this time you didn't pass "--no-protect-key", so the new key was written and then the read & write protection bits were set. The (protected) key value will be set to the OR of the old and new keys you had written.
This option just prevents espefuse.py from failing if it sees some values already written in that field (as normally this would indicate an error).when --force-write-always is used , doesnt it mean a valid non zero key must be generated.
No, the key is now permanently read & write protected.Am not unable to change this BLK1 key... Any ways to update this BLK1 with a valid non zero key.
Re: Regarding Flash Encryption
Thanks a lot ESP_Angus.
It became much clearer to me with your detailed explanation.
Best Regards
Abhiram
It became much clearer to me with your detailed explanation.
Best Regards
Abhiram
Who is online
Users browsing this forum: Hamzah Hajeir, MicroController and 117 guests