Flash Encryption & Pre Generated Key , must manually burn efuses ?

plusorc
Posts: 33
Joined: Sat Nov 09, 2019 6:27 am

Postby plusorc » Wed Jan 29, 2020 1:02 am

Hello

Let's say I have this scenario:

- Firmware is in plainText
- No Flash Encryption enabled
- No keys, efuses burned .. chip is brand new

Now .. I
- Generate a Flash Encryption Key
- Burn it to efuse
- Didn't burn any efuses manually (no encrypt_cnt, cnf, etc.)
- Now I open menuconfig, enable flash encryption in Release mode
- Flash the image normally as plainText.

Will this burn the remaining efuses automatically to match the Release mode?


Note:
I ask this because previously I had a chip that was in dev mode, then I disabled FE and then re-enabled it in release mode.
That didn't burn any efuses and I got an error (warning) .. device is not secure. difference between dev and release mode in efuses

Thanks

ESP_Angus
Posts: 2183
Joined: Sun May 08, 2016 4:11 am

Re: Flash Encryption & Pre Generated Key , must manually burn efuses ?

Postby ESP_Angus » Wed Jan 29, 2020 4:44 am

plusorc wrote:
Wed Jan 29, 2020 1:02 am
Let's say I have this scenario:

- Firmware is in plainText
- No Flash Encryption enabled
- No keys, efuses burned .. chip is brand new

Now .. I
- Generate a Flash Encryption Key
- Burn it to efuse
- Didn't burn any efuses manually (no encrypt_cnt, cnf, etc.)
- Now I open menuconfig, enable flash encryption in Release mode
- Flash the image normally as plainText.

Will this burn the remaining efuses automatically to match the Release mode?

Yes, that's the best way to do this.

plusorc wrote:
Wed Jan 29, 2020 1:02 am
Note:
I ask this because previously I had a chip that was in dev mode, then I disabled FE and then re-enabled it in release mode.
That didn't burn any efuses and I got an error (warning) .. device is not secure. difference between dev and release mode in efuses

There is no workflow at the moment for taking the same device from Development mode to Release mode. If you flash a release mode firmware on a chip which is already using Development mode flash encryption then you get this warning, and it stays in Development mode.

We made the decision not to support this workflow because it's easier to discourage taking a device from Development to Release mode than to try to think of every possible sequence of updates that might leave the device in an insecure state. If you have a use case for using the same chip in first Development then Release mode then let us know, we might be able to figure something out.

plusorc
Posts: 33
Joined: Sat Nov 09, 2019 6:27 am

Re: Flash Encryption & Pre Generated Key , must manually burn efuses ?

Postby plusorc » Wed Jan 29, 2020 11:39 am

ESP_Angus wrote:
Yes, that's the best way to do this.

Thank you so much

ESP_Angus wrote:
There is no workflow at the moment for taking the same device from Development mode to Release mode
If you have a use case for using the same chip in first Development then Release mode then let us know

I actually don't, I just assumed that the chip will match the sdkconfig settings with the efuse (0 to 1 only of course)

As far as I understand, even if the chip is in FE Dev mode, and I burn the remaining efuse bits (dl_enc, dl_dec, cnf, cnt, jtag, console_debug), it will eventually become a Release mode.

Thanks again for the great help.

ESP_Angus
Posts: 2183
Joined: Sun May 08, 2016 4:11 am

Re: Flash Encryption & Pre Generated Key , must manually burn efuses ?

Postby ESP_Angus » Wed Jan 29, 2020 10:43 pm

plusorc wrote:
Wed Jan 29, 2020 11:39 am
As far as I understand, even if the chip is in FE Dev mode, and I burn the remaining efuse bits (dl_enc, dl_dec, cnf, cnt, jtag, console_debug), it will eventually become a Release mode.

That's correct. The reason we don't officially document this process is that it's fiddly and easy to do it incorrectly, so we recommend using a whole new chip for Release mode encryption.

Angus
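
Added example, not part of the thread and not Espressif code: a read-only audit that checks the efuse bits listed above (dl_enc, dl_dec, cnf, cnt, jtag, console_debug) against values already read out of a chip, and reports which ones are still unburned. The ESP32 efuse field names, the 0xF value expected for FLASH_CRYPT_CONFIG, the rule that the counter must be write-protected or fully burned, and the dictionary key `FLASH_CRYPT_CNT_WRITE_PROTECTED` are assumptions; the sample values are constructed.

```python
# Added example: audit efuse values against the Release-mode list from the thread.
# Field names are ESP32 efuse names assumed to match the thread's abbreviations.

REQUIRED_SET = {            # single-bit efuses that must read 1
    "DISABLE_DL_ENCRYPT":    "dl_enc",
    "DISABLE_DL_DECRYPT":    "dl_dec",
    "JTAG_DISABLE":          "jtag",
    "CONSOLE_DEBUG_DISABLE": "console_debug",
}
CRYPT_CNT_BITS = 7          # FLASH_CRYPT_CNT is a 7-bit field on ESP32
CRYPT_CNT_MASK = (1 << CRYPT_CNT_BITS) - 1
CRYPT_CONFIG_FULL = 0xF     # assumed required FLASH_CRYPT_CONFIG value


def encryption_enabled(crypt_cnt: int) -> bool:
    """Flash encryption is active when an odd number of counter bits are set."""
    return bin(crypt_cnt & CRYPT_CNT_MASK).count("1") % 2 == 1


def audit_release(efuses: dict) -> list:
    """Return findings; an empty list means every item on the list is burned."""
    findings = []
    cnt = efuses.get("FLASH_CRYPT_CNT", 0)
    if not encryption_enabled(cnt):
        findings.append("FLASH_CRYPT_CNT (cnt): even bit count, encryption is off")
    # Assumption: the counter must be frozen (write-protected or all bits burned).
    # FLASH_CRYPT_CNT_WRITE_PROTECTED is a hypothetical key for that read-out.
    frozen = efuses.get("FLASH_CRYPT_CNT_WRITE_PROTECTED", False) or cnt == CRYPT_CNT_MASK
    if not frozen:
        findings.append("FLASH_CRYPT_CNT (cnt): counter is not frozen")
    if efuses.get("FLASH_CRYPT_CONFIG", 0) != CRYPT_CONFIG_FULL:
        findings.append("FLASH_CRYPT_CONFIG (cnf): not 0xF")
    for name, short in REQUIRED_SET.items():
        if not efuses.get(name, 0):
            findings.append(f"{name} ({short}): not burned")
    return findings


# Constructed sample values, not read from a real chip.
DEV_CHIP = {"FLASH_CRYPT_CNT": 0b0000001, "FLASH_CRYPT_CONFIG": 0xF, "JTAG_DISABLE": 1}
RELEASE_CHIP = {"FLASH_CRYPT_CNT": 0b1111111, "FLASH_CRYPT_CONFIG": 0xF,
                "DISABLE_DL_ENCRYPT": 1, "DISABLE_DL_DECRYPT": 1,
                "JTAG_DISABLE": 1, "CONSOLE_DEBUG_DISABLE": 1}

if __name__ == "__main__":
    for label, chip in (("dev", DEV_CHIP), ("release", RELEASE_CHIP)):
        problems = audit_release(chip)
        print(label, "OK" if not problems else problems)
```
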

plusorc
Posts: 33
Joined: Sat Nov 09, 2019 6:27 am

Re: Flash Encryption & Pre Generated Key , must manually burn efuses ?

Postby plusorc » Thu Jan 30, 2020 1:21 am

You're a great help

Thank You
