Should otadata partition use 'encrypted' flag?

jcolebaker
Posts: 60
Joined: Thu Mar 18, 2021 12:23 am

Postby jcolebaker » Thu Dec 01, 2022 9:41 pm

I've been working on adding secure boot and flash encryption to our device.

The flash encryption documentation doesn't mention whether the "otadata" partition should use the "encrypted" flag when flash encryption is in use.

E.g., here's my custom partition table:

```
# ESP-IDF Partition Table
# Name,Type,SubType,Offset,Size,Flags
nvs,data,nvs,0xF000,28K,
otadata,data,ota,0x16000,8K,
phy_init,data,phy,0x18000,4K,
...etc
```

I'm using "encrypted" on our "app" partitions, and on some custom data partitions which will contain certificates. "nvs" partitions are encrypted with the separate NVS encryption system.

I think that "otadata" and "phy_init" don't need encryption (or the "encrypted" flag) since they don't contain any sensitive info.

Is this correct? Will OTA updates work OK if otadata is not marked as "encrypted", and is there any security vulnerability?

ESP_Mahavir
Posts: 188
Joined: Wed Jan 24, 2018 6:51 am

Re: Should otadata partition use 'encrypted' flag?

Postby ESP_Mahavir » Fri Dec 02, 2022 4:56 am

The bootloader encrypts the `otadata` partition (and the NVS keys partition, if available) even if there is no explicit `encrypted` flag available for it.

Please see relevant code at: https://github.com/espressif/esp-idf/bl ... #L393-L404
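
An added example, not part of the thread and not ESP-IDF code: a small Python audit that applies the rule from the reply above to a partition table CSV and reports which partitions end up encrypted in flash and why. The function name and the sample rows beyond the first three are constructed for illustration; the rule that `app` partitions are always encrypted is taken from the ESP-IDF flash encryption documentation, not from this thread.

```python
import csv
import io

# Constructed sample: the first three rows mirror the question, the rest are illustrative.
SAMPLE_CSV = """\
# Name,Type,SubType,Offset,Size,Flags
nvs,data,nvs,0xF000,28K,
otadata,data,ota,0x16000,8K,
phy_init,data,phy,0x18000,4K,
nvs_key,data,nvs_keys,0x19000,4K,
ota_0,app,ota_0,0x20000,1M,encrypted
certs,data,spiffs,0x120000,64K,encrypted
"""


def effective_encryption(csv_text):
    """Return {partition name: (encrypted?, reason)} with flash encryption enabled."""
    result = {}
    for row in csv.reader(io.StringIO(csv_text)):
        # Skip blank lines and '#' comment lines (including the header comment).
        if not row or row[0].lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in row] + [""] * 6  # pad short rows
        name, ptype, subtype, flags = fields[0], fields[1], fields[2], fields[5]
        # Multiple flags are colon-separated, e.g. "encrypted:readonly".
        flagged = "encrypted" in [f.strip() for f in flags.split(":")]
        if ptype == "app":
            result[name] = (True, "app partition")
        elif ptype == "data" and subtype in ("ota", "nvs_keys"):
            # The case from the reply: encrypted even without the flag.
            result[name] = (True, "bootloader encrypts regardless of flag")
        elif flagged:
            result[name] = (True, "explicit 'encrypted' flag")
        else:
            result[name] = (False, "plaintext in flash")
    return result


if __name__ == "__main__":
    for name, (enc, why) in effective_encryption(SAMPLE_CSV).items():
        print(f"{name:10} {'ENCRYPTED' if enc else 'plaintext':10} {why}")
```

Any row reported as plaintext that holds secrets (certificates, keys, credentials) needs the `encrypted` flag, or NVS encryption in the case of an `nvs` partition.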
