Flash encryption, missing something?

nikola
Posts: 11
Joined: Tue Sep 04, 2018 2:36 pm

Flash encryption, missing something?

Postby nikola » Tue Oct 20, 2020 4:49 pm

I am trying to follow the documentation and set up flash encryption on ESP32 (esp-idf v4.1) but it seems that I am missing something. With my current settings flash does not get encrypted on first boot. Do I have to burn eFuse manually and if so how? With espefuse.py burn_efuse?
I have set up the following in sdkconfig:

Code: Select all

CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
CONFIG_FLASH_ENCRYPTION_ENABLED=y
CONFIG_FLASH_ENCRYPTION_INSECURE=y
CONFIG_FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_ENCRYPT=y
CONFIG_FLASH_ENCRYPTION_UART_BOOTLOADER_ALLOW_DECRYPT=y
And current state of eFuse registers is:

Code: Select all

EFUSE_NAME             Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Efuse fuses:
WR_DIS                 Efuse write disable mask                          = 128 R/W (0x80)
RD_DIS                 Efuse read disablemask                            = 1 R/W (0x1)
CODING_SCHEME          Efuse variable block length scheme                = 0 R/W (0x0)
KEY_STATUS             Usage of efuse block 3 (reserved)                 = 0 R/W (0x0)

Identity fuses:
MAC                    Factory MAC Address
  = b4:e6:2d:b8:5d:59 (CRC 0x50 OK) R/W
CHIP_VER_REV1          Silicon Revision 1                                = 1 R/W (0x1)
CHIP_VER_REV2          Silicon Revision 2                                = 0 R/W (0x0)
CHIP_VERSION           Reserved for future chip versions                 = 2 R/W (0x2)
CHIP_PACKAGE           Chip package identifier                           = 0 R/W (0x0)

Calibration fuses:
BLK3_PART_RESERVE      BLOCK3 partially served for ADC calibration data  = 0 R/W (0x0)
ADC_VREF               Voltage reference calibration                     = 1107 R/W (0x1)

Security fuses:
FLASH_CRYPT_CNT        Flash encryption mode counter                     = 0 R/W (0x0)
UART_DOWNLOAD_DIS      Disable UART download mode (ESP32 rev3 only)      = 0 R/W (0x0)
FLASH_CRYPT_CONFIG     Flash encryption config (key tweak bits)          = 15 R/W (0xf)
CONSOLE_DEBUG_DISABLE  Disable ROM BASIC interpreter fallback            = 1 R/W (0x1)
ABS_DONE_0             secure boot enabled for bootloader                = 0 R/W (0x0)
ABS_DONE_1             secure boot abstract 1 locked                     = 0 R/W (0x0)
JTAG_DISABLE           Disable JTAG                                      = 1 R/W (0x1)
DISABLE_DL_ENCRYPT     Disable flash encryption in UART bootloader       = 0 R/W (0x0)
DISABLE_DL_DECRYPT     Disable flash decryption in UART bootloader       = 1 R/W (0x1)
DISABLE_DL_CACHE       Disable flash cache in UART bootloader            = 1 R/W (0x1)
BLK1                   Flash encryption key
  = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/-
BLK2                   Secure boot key
  = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLK3                   Variable Block 3
  = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Config fuses:
XPD_SDIO_FORCE         Ignore MTDI pin (GPIO12) for VDD_SDIO on reset    = 0 R/W (0x0)
XPD_SDIO_REG           If XPD_SDIO_FORCE, enable VDD_SDIO reg on reset   = 0 R/W (0x0)
XPD_SDIO_TIEH          If XPD_SDIO_FORCE & XPD_SDIO_REG, 1=3.3V 0=1.8V   = 0 R/W (0x0)
CLK8M_FREQ             8MHz clock freq override                          = 54 R/W (0x36)
SPI_PAD_CONFIG_CLK     Override SD_CLK pad (GPIO6/SPICLK)                = 0 R/W (0x0)
SPI_PAD_CONFIG_Q       Override SD_DATA_0 pad (GPIO7/SPIQ)               = 0 R/W (0x0)
SPI_PAD_CONFIG_D       Override SD_DATA_1 pad (GPIO8/SPID)               = 0 R/W (0x0)
SPI_PAD_CONFIG_HD      Override SD_DATA_2 pad (GPIO9/SPIHD)              = 0 R/W (0x0)
SPI_PAD_CONFIG_CS0     Override SD_CMD pad (GPIO11/SPICS0)               = 0 R/W (0x0)
DISABLE_SDIO_HOST      Disable SDIO host                                 = 0 R/W (0x0)

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flash encryption, missing something?

Postby ESP_Angus » Wed Oct 21, 2020 9:10 am

Hi nikola,

From the efuse output it looks like the initial phase of enabling flash encryption has succeeded, but it hasn't finalised.

Most likely the reason is that self-encryption was interrupted party way through and didn't complete (possibly due to more than one reset, if the board was reset after flashing and then reset again when monitor was connected?)

The good news is you should be able to reflash with plaintext, and it will try again to encrypt itself on first boot. You may need to either check that the flashing passes "--after no_reset" option to esptool to avoid a reset after flashing, or leave the ESP32 to encrypt itself for 1-2 minutes after flashing it.

nikola
Posts: 11
Joined: Tue Sep 04, 2018 2:36 pm

Re: Flash encryption, missing something?

Postby nikola » Fri Oct 23, 2020 1:55 pm

Hi,

I have flashed it without refreshing and left it in bootloader for 5 minutes (is there no way to know encryption process status?). After connecting the monitor I got the following:

Code: Select all

rst:0x3 (SW_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff0030,len:4
load:0x3fff0034,len:11052
load:0x40078000,len:21008
load:0x40080400,len:3648
0x40080400: _init at ??:?

entry 0x40080678
I (56) boot: ESP-IDF v4.1-dirty 2nd stage bootloader
I (57) boot: compile time 15:42:01
I (57) boot: chip revision: 1
I (60) boot_comm: chip revision: 1, min. bootloader chip revision: 0
I (67) boot.esp32: SPI Speed      : 40MHz
I (72) boot.esp32: SPI Mode       : DIO
I (77) boot.esp32: SPI Flash Size : 4MB
I (81) boot: Enabling RNG early entropy source...
I (87) boot: Partition Table:
I (90) boot: ## Label            Usage          Type ST Offset   Length
I (97) boot:  0 nvs              WiFi data        01 02 00009000 00004000
I (105) boot:  1 otadata          OTA data         01 00 0000d000 00002000
I (113) boot:  2 phy_init         RF data          01 01 0000f000 00001000
I (120) boot:  3 factory          factory app      00 00 00010000 00140000
I (128) boot:  4 ota_0            OTA app          00 10 00150000 00140000
I (135) boot:  5 ota_1            OTA app          00 11 00290000 00140000
I (143) boot: End of partition table
I (147) boot: Defaulting to factory image
I (152) boot_comm: chip revision: 1, min. application chip revision: 0
I (159) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x2299c (141724) map
I (222) esp_image: segment 1: paddr=0x000329c4 vaddr=0x3ffbdb60 size=0x03530 ( 13616) load
I (228) esp_image: segment 2: paddr=0x00035efc vaddr=0x40080000 size=0x00404 (  1028) load
0x40080000: _WindowOverflow4 at C:/Users/Knezevici/esp/esp-idf-4.1/components/freertos/xtensa_vectors.S:1778

I (229) esp_image: segment 3: paddr=0x00036308 vaddr=0x40080404 size=0x09d10 ( 40208) load
I (255) esp_image: segment 4: paddr=0x00040020 vaddr=0x400d0020 size=0xcd1d0 (840144) map
0x400d0020: _stext at ??:?

I (575) esp_image: segment 5: paddr=0x0010d1f8 vaddr=0x4008a114 size=0x117a0 ( 71584) load
0x4008a114: coex_core_ts_start at ??:?

I (607) esp_image: segment 6: paddr=0x0011e9a0 vaddr=0x400c0000 size=0x00064 (   100) load
I (607) esp_image: segment 7: paddr=0x0011ea0c vaddr=0x50000000 size=0x000a0 (   160) load
I (613) esp_image: Verifying image signature...
I (973) boot: Loaded app from partition at offset 0x10000
E (973) esp_image: partition size 0xfffff000 invalid, larger than 16MB
E (975) secure_boot_v1: bootloader image appears invalid! error 258
E (982) boot: Bootloader digest generation for secure boot failed (258).
E (989) boot: Factory app partition is not bootable
E (995) esp_image: image at 0x150000 has invalid magic byte
W (1001) esp_image: image at 0x150000 has invalid SPI mode 255
W (1008) esp_image: image at 0x150000 has invalid SPI size 15
E (1014) boot: OTA app partition slot 0 is not bootable
E (1020) esp_image: image at 0x290000 has invalid magic byte
W (1026) esp_image: image at 0x290000 has invalid SPI mode 255
W (1033) esp_image: image at 0x290000 has invalid SPI size 15
E (1039) boot: OTA app partition slot 1 is not bootable
E (1045) boot: No bootable app partitions in the partition table
ets Jun  8 2016 00:22:57
I assume that app got encrypted but the bootloader then tries to load it as unencrypted, or vice versa (or I am compleatly wrong) ..

nikola
Posts: 11
Joined: Tue Sep 04, 2018 2:36 pm

Re: Flash encryption, missing something?

Postby nikola » Fri Oct 23, 2020 2:22 pm

I have disabled secure boot and after flashing (and waiting) the following happened:

Code: Select all

I (29) boot: ESP-IDF v4.1-dirty 2nd stage bootloader
I (29) boot: compile time 16:07:55
I (29) boot: chip revision: 1
I (32) boot_comm: chip revision: 1, min. bootloader chip revision: 0
I (39) boot.esp32: SPI Speed      : 40MHz
I (44) boot.esp32: SPI Mode       : DIO
I (48) boot.esp32: SPI Flash Size : 4MB
I (53) boot: Enabling RNG early entropy source...
I (58) boot: Partition Table:
I (62) boot: ## Label            Usage          Type ST Offset   Length
I (69) boot:  0 nvs              WiFi data        01 02 00009000 00004000
I (76) boot:  1 otadata          OTA data         01 00 0000d000 00002000
I (84) boot:  2 phy_init         RF data          01 01 0000f000 00001000
I (91) boot:  3 factory          factory app      00 00 00010000 00140000
I (99) boot:  4 ota_0            OTA app          00 10 00150000 00140000
I (106) boot:  5 ota_1            OTA app          00 11 00290000 00140000
I (114) boot: End of partition table
I (118) boot: Defaulting to factory image
I (123) boot_comm: chip revision: 1, min. application chip revision: 0
I (130) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x22674 (140916) map
I (193) esp_image: segment 1: paddr=0x0003269c vaddr=0x3ffbdb60 size=0x03530 ( 13616) load
I (198) esp_image: segment 2: paddr=0x00035bd4 vaddr=0x40080000 size=0x00404 (  1028) load
0x40080000: _WindowOverflow4 at C:/Users/Knezevici/esp/esp-idf-4.1/components/freertos/xtensa_vectors.S:1778

I (200) esp_image: segment 3: paddr=0x00035fe0 vaddr=0x40080404 size=0x0a038 ( 41016) load
I (226) esp_image: segment 4: paddr=0x00040020 vaddr=0x400d0020 size=0xccefc (839420) map
0x400d0020: _stext at ??:?

I (546) esp_image: segment 5: paddr=0x0010cf24 vaddr=0x4008a43c size=0x11478 ( 70776) load
0x4008a43c: coex_core_request at ??:?

I (577) esp_image: segment 6: paddr=0x0011e3a4 vaddr=0x400c0000 size=0x00064 (   100) load
I (577) esp_image: segment 7: paddr=0x0011e410 vaddr=0x50000000 size=0x000a0 (   160) load
I (598) boot: Loaded app from partition at offset 0x10000
I (598) boot: Checking flash encryption...
W (598) flash_encrypt: Using pre-loaded flash encryption key in EFUSE block 1
I (606) flash_encrypt: Setting CRYPT_CONFIG efuse to 0xF
W (612) flash_encrypt: Not disabling UART bootloader encryption
I (618) flash_encrypt: Disable UART bootloader decryption...
I (625) flash_encrypt: Disable UART bootloader MMU cache...
I (631) flash_encrypt: Disable JTAG...
I (635) flash_encrypt: Disable ROM BASIC interpreter fallback...
E (653) esp_image: partition size 0xfffff000 invalid, larger than 16MB
W (653) flash_encrypt: no valid bootloader was found
I (706) flash_encrypt: Encrypting partition 1 at offset 0xd000...
I (767) boot_comm: chip revision: 1, min. application chip revision: 0
I (768) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x22674 (140916) map
I (826) esp_image: segment 1: paddr=0x0003269c vaddr=0x3ffbdb60 size=0x03530 ( 13616) 
I (831) esp_image: segment 2: paddr=0x00035bd4 vaddr=0x40080000 size=0x00404 (  1028) 
0x40080000: _WindowOverflow4 at C:/Users/Knezevici/esp/esp-idf-4.1/components/freertos/xtensa_vectors.S:1778

I (832) esp_image: segment 3: paddr=0x00035fe0 vaddr=0x40080404 size=0x0a038 ( 41016) 
I (856) esp_image: segment 4: paddr=0x00040020 vaddr=0x400d0020 size=0xccefc (839420) map
0x400d0020: _stext at ??:?

I (1176) esp_image: segment 5: paddr=0x0010cf24 vaddr=0x4008a43c size=0x11478 ( 70776) 
0x4008a43c: coex_core_request at ??:?

I (1203) esp_image: segment 6: paddr=0x0011e3a4 vaddr=0x400c0000 size=0x00064 (   100) 
I (1204) esp_image: segment 7: paddr=0x0011e410 vaddr=0x50000000 size=0x000a0 (   160) 
I (1210) flash_encrypt: Encrypting partition 3 at offset 0x10000...
E (16271) esp_image: image at 0x150000 has invalid magic byte
W (16271) esp_image: image at 0x150000 has invalid SPI mode 255
W (16273) esp_image: image at 0x150000 has invalid SPI size 15
E (16279) esp_image: image at 0x290000 has invalid magic byte
W (16285) esp_image: image at 0x290000 has invalid SPI mode 255
W (16292) esp_image: image at 0x290000 has invalid SPI size 15
I (16310) flash_encrypt: Flash encryption completed
I (16310) boot: Resetting with flash encryption enabled...
I can see that FLASH_CRYPT_CNT has changed and now it is:

Code: Select all

FLASH_CRYPT_CNT        Flash encryption mode counter                     = 1 R/W (0x1)
But it is stuck in a boot loop with the following output:

Code: Select all

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
flash read err, 1000
ets_main.c 371
ets Jun  8 2016 00:22:57
I have tried flashing it with flash encryption disabled in menuconfig but it behaves the same. Is it bricked? What did I do wrong?

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Flash encryption, missing something?

Postby WiFive » Fri Oct 23, 2020 9:30 pm

Looks like you didn't leave enough space in flash for the bootloader. Bootloader with encryption and secure boot takes up more space.

nikola
Posts: 11
Joined: Tue Sep 04, 2018 2:36 pm

Re: Flash encryption, missing something?

Postby nikola » Fri Oct 23, 2020 10:06 pm

Ok.. now I am confused.. How did it got all the way to flash_encrypt: Flash encryption completed? If bootloader encrypts the partition shouldn't it have failed before?
In any case, is it possible to flash it again somehow or it is bricked now?

This is the second device I have bricked by trying to follow the documentation. Are the following steps correct to set up flash encryption (encrypted on device):

1 - enable secure boot & flash encryption in menuconfig
2 - build
3 - flash with --after no_reset (for this i have set CONFIG_ESPTOOLPY_AFTER_NORESET=y and CONFIG_ESPTOOLPY_AFTER="no_reset" and flashed with command idf.py -p COM10 flash)
4 - wait couple of minutes
5 - reset

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: Flash encryption, missing something?

Postby WiFive » Sat Oct 24, 2020 1:16 am

Not bricked if FLASH_CRYPT_CNT can be incremented and/or DISABLE_DL_ENCRYPT=0

phillipdimond
Posts: 8
Joined: Thu Oct 22, 2020 9:08 am

Re: Flash encryption, missing something?

Postby phillipdimond » Sat Oct 24, 2020 1:43 am

Try reflashing with

idf.py encrypted-app-flash

add port if needed and "monitor" if you want, ie idf.py encrypted-app-flash monitor

nikola
Posts: 11
Joined: Tue Sep 04, 2018 2:36 pm

Re: Flash encryption, missing something?

Postby nikola » Sat Oct 24, 2020 11:48 pm

Actually I have managed to recover it by doing as described here: https://docs.espressif.com/projects/esp ... encryption
So now it is back to the drawing board to try enabling flash encryption again.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Flash encryption, missing something?

Postby ESP_Angus » Mon Oct 26, 2020 5:53 am

Hi nikola,

What you are doing looks mostly like it should work. The only thing which is different is that "idf.py flash" does not flash the bootloader if Secure Boot is enabled, this needs to be done separately.

You can run 'idf.py build' and it will print the necessary flashing commands. Or alternatively can do it like this:

Code: Select all

idf.py -p PORT flash
idf.py -p PORT bootloader-flash monitor 
(Running monitor immediately after flash this way means that you should be able to watch the first boot.)

Who is online

Users browsing this forum: Google [Bot] and 151 guests