Initial flash encryption not working

owenjames
Posts: 20
Joined: Fri Sep 02, 2022 6:24 pm

Initial flash encryption not working

Postby owenjames » Tue Mar 04, 2025 8:21 am

My project is configured to enable flash encryption on boot. I have successfully used this command in the past to flash new chips:

Code:

esptool.py --port COM10 --baud 460800 --before default_reset --after hard_reset write_flash --flash_mode dio --flash_freq 80m --flash_size detect 0x0 bootloader.bin 0x8000 partition-table.bin 131072 application.bin

Note that the encrypt flag is not set. Per the documentation, I rely on the bootloader to detect that encryption is required and set the fuses automatically: BLOCK_KEY0 and SPI_BOOT_CRYPT_CNT.
This used to work; the image was encrypted on first boot as expected. Recently this has stopped working, possibly due to updated silicon? After issuing the same command I see that BLOCK_KEY0 is set to XTS_AES_128_KEY but SPI_BOOT_CRYPT_CNT remains at 0. I have to manually increment this (espefuse.py burn_efuse) and then run the command again with the encrypt flag set to get it to work. Any explanation for this?

Chip is ESP32-S3 (QFN56) (revision v0.2)
esptool.py v4.7.0 - Espressif chips ROM Bootloader Utility

owenjames
Posts: 20
Joined: Fri Sep 02, 2022 6:24 pm

Re: Initial flash encryption not working

Postby owenjames » Wed Mar 05, 2025 9:46 pm

Solved! I was simply not waiting long enough after flashing for the encryption process to complete and SPI_BOOT_CRYPT_CNT to be updated, per documentation:
Flash encryption block encrypts the flash contents - the firmware bootloader, applications and partitions marked as encrypted. Encrypting in-place can take time, up to a minute for large partitions.

The device is then rebooted to start executing the encrypted image
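The failure mode in this thread (key purpose already burned, SPI_BOOT_CRYPT_CNT still 0, reflash attempted too early) can be caught before touching the flash again. The following is an added example, not code from the thread or from esptool: it parses eFuse summary lines and classifies first-boot progress. The sample summary lines are constructed to approximate the `espefuse.py summary` layout, and the odd-bit-count rule for SPI_BOOT_CRYPT_CNT is the ESP32-S3 semantics (0b001 or 0b111 means enabled).

```python
import re
import time
from typing import Callable, Optional, Tuple

# Constructed samples approximating `espefuse.py summary` lines (name, block,
# description, "= value access (raw)"); not captured from a real ESP32-S3.
SUMMARY_IN_PROGRESS = """\
SPI_BOOT_CRYPT_CNT (BLOCK0)  Enables flash encryption when 1 or 3 bits are set  = Disable R/W (0b000)
KEY_PURPOSE_0 (BLOCK0)       Purpose of KEY0                                    = XTS_AES_128_KEY R/- (4)
"""
SUMMARY_DONE = SUMMARY_IN_PROGRESS.replace("Disable R/W (0b000)", "Enable R/W (0b001)")

def efuse_field(summary: str, name: str) -> Optional[Tuple[str, str]]:
    """Return (value, raw) for one eFuse line of a summary, or None if absent."""
    pat = rf"^{re.escape(name)}\s*\(\w+\).*=\s*(\S+)\s+\S+\s*\(([^)]*)\)\s*$"
    m = re.search(pat, summary, re.M)
    return (m.group(1), m.group(2)) if m else None

def crypt_cnt_enabled(raw: str) -> bool:
    """ESP32-S3 rule: encryption is active when an odd number of the three
    SPI_BOOT_CRYPT_CNT bits are set (0b001, 0b111); even counts mean disabled."""
    return bin(int(raw, 0)).count("1") % 2 == 1

def encryption_state(summary: str) -> str:
    """Classify first-boot progress from the two fuses named in the thread."""
    cnt = efuse_field(summary, "SPI_BOOT_CRYPT_CNT")
    purpose = efuse_field(summary, "KEY_PURPOSE_0")
    key_burned = purpose is not None and purpose[0] == "XTS_AES_128_KEY"
    cnt_on = cnt is not None and crypt_cnt_enabled(cnt[1])
    if key_burned and cnt_on:
        return "encrypted"      # from now on reflash only with --encrypt
    if key_burned:
        return "in_progress"    # key burned, in-place encryption not finished: wait
    if cnt_on:
        return "inconsistent"   # count set without a key: investigate, do not reflash
    return "not_started"        # bootloader has not burned anything yet

def wait_until_encrypted(read_summary: Callable[[], str], attempts: int = 12,
                         delay_s: float = 5.0) -> bool:
    """Poll a summary source (e.g. a wrapper around `espefuse.py summary`) until
    encryption is active; give up on an inconsistent fuse state or on timeout."""
    for _ in range(attempts):
        state = encryption_state(read_summary())
        if state == "encrypted":
            return True
        if state == "inconsistent":
            return False
        time.sleep(delay_s)
    return False
```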
