Page 1 of 1

Efuse DISABLE_DL_DECRYPT

Posted: Tue Sep 10, 2019 8:44 pm
by Seungwhan
Hi,

Let's say we
- enable flash encryption
- write 1 to DISABLE_DL_DECRYPT

What happens if we hold down GPIO0 and GPIO2 during reset?
Does the ROM Bootloader put the CPU into the state so that it can communicate with PC over UART?
(or in short, does CPU go into UART bootloader mode?)
Will the PC be able to send stub_code to CPU?
If so will the stub_code run?
Is it just that you can't read out Flash contents?
Or maybe you still can read the Flash contents but it will be just meaningless because of encryption.

Thanks for reading!

Re: Efuse DISABLE_DL_DECRYPT

Posted: Wed Sep 11, 2019 1:24 am
by ESP_Angus
Hi Seungwhan,
Seungwhan wrote:
Tue Sep 10, 2019 8:44 pm
Or maybe you still can read the Flash contents but it will be just meaningless because of encryption.
This is 100% correct.

On current ESP32 we don't prevent any other interactions in the UART download mode, but if DISABLE_DL_DECRYPT is set then flash decryption will not work in UART download mode, so the only data that can be read is the ciphertext (the same data could be read by attaching a SPI flash programmer to the flash chip and reading out this way.)

Note that it's important to burn both of the DISABLE_DL_ENCRYPT & DISABLE_DL_DECRYPT efuses to get this protection (otherwise attacker can write a small encrypted firmware that decrypts and dumps the rest of the firmware when booted). ESP-IDF should set these efuses automatically if you follow the flash encryption process in the docs.

Re: Efuse DISABLE_DL_DECRYPT

Posted: Wed Sep 11, 2019 7:26 pm
by Seungwhan
Thanks for the explanation, ESP_Angus.

But even with all the efuses like DISABLE_DL_DECRYPT, DISABLE_DL_ENCRYPT and DISABLE_DL_CACHE, the fact that attackers code can run on the CPU's RAM makes me a little nervous.
Wish you had capability to entirely block the uart bootloader.

Re: Efuse DISABLE_DL_DECRYPT

Posted: Thu Sep 12, 2019 2:42 am
by WiFive
Yes, it is a valid point. There should be an efuse to completely disable uart... although researchers have also bypassed efuses with hardware attacks. Hopefully the new chip will have it along with the anti-glitch hardware.