esp_partition_write to encrypted partition, but flash encryption not enabled

pctj101
Posts: 20
Joined: Wed Aug 23, 2017 3:20 pm

esp_partition_write to encrypted partition, but flash encryption not enabled

Postby pctj101 » Sun Sep 08, 2019 9:47 pm

esp-idf v3.3

During development, it is advantageous to be able to have non-encrypted apps, but have encrypted data. However if a partition is marked encrypted, yet flash encryption is disabled, we simply write encrypted garbage and read back garbage.

Here's the scenario:

When using esp_partition_write, it simply checks if partition->encrypted is true, and if so encrypts the write using spi_flash_write_encrypted(), which is called blindly even when esp_flash_encryption_enabled() == false.

Later in esp_partition_read, it again detects partition->encrypted is true, uses esp_partition_mmap() and reads back garbage. (I'm guessing because spi_flash_mmap doesn't see a flash key and doesn't de-encrypt using a 0x0000000 key)

I "fixed" this by checking if esp_flash_encryption_enabled() before recognizing partition->encrypted. Example:

esp_err_t esp_partition_read(const esp_partition_t* partition,
                             size_t src_offset, void* dst, size_t size)
{
    ...
    /* Treat the partition as plain text unless the hardware actually has flash encryption enabled */
    if (!partition->encrypted || !esp_flash_encryption_enabled()) {
        return spi_flash_read(partition->address + src_offset, dst, size);
    }
    ...
}
and

esp_err_t esp_partition_write(const esp_partition_t* partition,
                              size_t dst_offset, const void* src, size_t size)
{
    ...
    /* Only take the encrypted write path when flash encryption is really enabled */
    if (partition->encrypted && esp_flash_encryption_enabled()) {
        return spi_flash_write_encrypted(dst_offset, src, size);
    } else {
        return spi_flash_write(dst_offset, src, size);
    }
}

I'm not saying this modification is good. But I'm saying that it's inconvenient to need to insert this condition into esp-idf just to streamline development.

Anyways, it would be great to develop a plain-text app but have encrypted data, just to get all that data alignment/testing out of the way. Having to do OTA during development is slow and inconvenient.

Good idea? Bad idea? Am I having a hard time just because I set something up wrong?

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: esp_partition_write to encrypted partition, but flash encryption not enabled

Postby ESP_Angus » Tue Sep 10, 2019 6:06 am

Hi pctj101,
Anyways, it would be great to develop a plain-text app but have encrypted data, just to get all that data alignment/testing out of the way. Having to do OTA during development is slow and inconvenient.

Good idea? Bad idea? Am I having a hard time just because I set something up wrong?
I think you've found a good solution to a common frustration.

We probably won't adopt your modification in ESP-IDF because of the risk that the impression may be created that encryption is enabled when it's actually not enabled. But I don't see any reason why you can't keep using this modification in your own IDF tree.

In ESP-IDF v4.0 we've added a new approach to flash encryption: there are now "Development" and "Release" modes, and "Development" mode allows unlimited serial flashing via the build system (but is not secure):
https://docs.espressif.com/projects/esp ... ption.html

This is designed to solve the same problem you've identified, but in a way that the development configuration will be almost identical to the production environment (including using transparent encryption everywhere that it will be used in production[*]), with only one configuration change needed.

ESP-IDF v3.x doesn't have this feature, unfortunately. The only alternative to what you're doing is to pre-generate an encryption key, burn it to the ESP32, and then encrypt all of the binaries on the host before flashing. Unfortunately there are no automatic build system targets for this, so it will need some additional targets in your project or a script, etc, to make a smooth workflow.

[*] This is important to note, because it means you can check that all the data you expect to be encrypted at runtime is being encrypted at runtime and also check for any incompatibility, during the development process.

pctj101
Posts: 20
Joined: Wed Aug 23, 2017 3:20 pm

Re: esp_partition_write to encrypted partition, but flash encryption not enabled

Postby pctj101 » Fri Sep 13, 2019 12:08 pm

Excellent reply. Thanks Angus!

IvoSmits
Posts: 1
Joined: Thu Apr 09, 2020 5:50 pm

Re: esp_partition_write to encrypted partition, but flash encryption not enabled

Postby IvoSmits » Thu Apr 09, 2020 6:14 pm

ESP_Angus wrote:
Tue Sep 10, 2019 6:06 am
I think you've found a good solution to a common frustration.

We probably won't adopt your modification in ESP-IDF because of the risk that the impression may be created that encryption is enabled when it's actually not enabled. But I don't see any reason why you can't keep using this modification in your own IDF tree.
I ran into the same problem and it took some time before I figured out what was going on - the code worked fine on an encrypted device but not on a remote unencrypted device. I'd say the current situation is a bug since it silently corrupts data. I think the read/write functions should either 1. encrypt and decrypt, 2. not encrypt and not decrypt (might be preferable over 1 since it won't cause double encryption if the bootloader is replaced with one that encrypts), or 3. return an error.

If the partition write (and possibly read) functions would return an error if used with an encrypted partition while flash encryption is not enabled, at least it is immediately obvious that it is not working and an application won't incorrectly assume the write was successful and the data can be read back.
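To make the failure mode from the first post and the "return an error" option from this reply concrete, here is an added host-side model; it is constructed for this thread and is not ESP-IDF code. The partition struct, the flash array, the eFuse flag and the XOR "encryption" are stand-ins (the real flash layer uses the hardware AES-XTS key, and the real functions are esp_partition_write/esp_partition_read and spi_flash_write_encrypted/esp_partition_mmap). Only ESP_ERR_INVALID_STATE and ESP_OK carry their real esp_err.h values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not ESP-IDF code. A fixed XOR byte stands in for the
 * hardware AES-XTS flash encryption so the effect can be observed on a host. */
#define FLASH_SIZE            256
#define ESP_OK                0
#define ESP_ERR_INVALID_STATE 0x103   /* same value as in esp_err.h */

typedef struct {
    uint32_t address;    /* partition start offset in flash */
    uint32_t size;
    bool     encrypted;  /* "encrypted" flag from the partition table */
} model_partition_t;

static uint8_t g_flash[FLASH_SIZE];
static bool    g_flash_encryption_enabled = false;  /* models the eFuse state */
static const uint8_t KEY_STANDIN = 0x5A;            /* stand-in for the flash key */

static bool model_flash_encryption_enabled(void) { return g_flash_encryption_enabled; }

/* spi_flash_write_encrypted() stand-in: scrambles regardless of the eFuse state. */
static int model_write_encrypted(uint32_t addr, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) g_flash[addr + i] = src[i] ^ KEY_STANDIN;
    return ESP_OK;
}
static int model_write_plain(uint32_t addr, const uint8_t *src, size_t n) {
    memcpy(g_flash + addr, src, n);
    return ESP_OK;
}
/* esp_partition_mmap()-style read: the cache only decrypts when the
 * hardware has flash encryption enabled; otherwise bytes come back raw. */
static void model_read_mmap(uint32_t addr, uint8_t *dst, size_t n) {
    for (size_t i = 0; i < n; i++)
        dst[i] = g_flash_encryption_enabled ? (uint8_t)(g_flash[addr + i] ^ KEY_STANDIN)
                                            : g_flash[addr + i];
}
static void model_read_plain(uint32_t addr, uint8_t *dst, size_t n) {
    memcpy(dst, g_flash + addr, n);
}

/* Behaviour described in the thread: trust partition->encrypted alone. */
static int unguarded_write(const model_partition_t *p, uint32_t off, const uint8_t *src, size_t n) {
    uint32_t addr = p->address + off;
    return p->encrypted ? model_write_encrypted(addr, src, n) : model_write_plain(addr, src, n);
}
static void unguarded_read(const model_partition_t *p, uint32_t off, uint8_t *dst, size_t n) {
    uint32_t addr = p->address + off;
    if (p->encrypted) model_read_mmap(addr, dst, n); else model_read_plain(addr, dst, n);
}

/* Option 3 from the thread: fail closed with an error instead of silently
 * writing data that cannot be read back. */
static int guarded_write(const model_partition_t *p, uint32_t off, const uint8_t *src, size_t n) {
    if (p->encrypted && !model_flash_encryption_enabled()) return ESP_ERR_INVALID_STATE;
    return unguarded_write(p, off, src, n);
}

/* 1 if a write/read round trip through the unguarded path preserves the data. */
int roundtrip_ok(bool encryption_enabled) {
    g_flash_encryption_enabled = encryption_enabled;
    memset(g_flash, 0xFF, sizeof g_flash);
    model_partition_t nvs = { .address = 0x40, .size = 0x40, .encrypted = true };
    const uint8_t in[4] = { 'd', 'a', 't', 'a' };   /* constructed payload */
    uint8_t out[4] = { 0 };
    unguarded_write(&nvs, 0, in, sizeof in);
    unguarded_read(&nvs, 0, out, sizeof out);
    return memcmp(in, out, sizeof in) == 0;
}

/* esp_err_t-style result of the guarded write under the given eFuse state. */
int guarded_write_result(bool encryption_enabled) {
    g_flash_encryption_enabled = encryption_enabled;
    memset(g_flash, 0xFF, sizeof g_flash);
    model_partition_t nvs = { .address = 0x40, .size = 0x40, .encrypted = true };
    const uint8_t in[4] = { 'd', 'a', 't', 'a' };
    return guarded_write(&nvs, 0, in, sizeof in);
}

int main(void) {
    printf("encryption on : round trip %s\n", roundtrip_ok(true)  ? "ok" : "GARBAGE");
    printf("encryption off: round trip %s\n", roundtrip_ok(false) ? "ok" : "GARBAGE");
    printf("guarded write, encryption off -> 0x%x\n", guarded_write_result(false));
    return 0;
}
```

With the flag off, the unguarded path writes scrambled bytes and reads them back raw, which is the "garbage" observed in the first post; the guarded path returns ESP_ERR_INVALID_STATE before touching flash, so a caller cannot mistake the write for a success. Applying the same guard to the read path gives the symmetric check.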
