Issue with RD_DIS eFuse on First Boot (ESP32‑S3 with Secure Boot V2 + NVS Encryption)

Posted: Tue Feb 03, 2026 8:11 am
by aygh4266
Hi everyone,

I am working with the ESP32‑S3 and have enabled NVS encryption using the HMAC scheme, as well as Secure Boot V2.
On the first boot, the controller crashes because the eFuse bit RD_DIS in BLOCK0 cannot be burned. However, on the second boot the controller runs without any issues. Please note that both features (Secure Boot and NVS encryption) are already configured and enabled before the first boot.

The eFuse summary shows that the RD_DIS bit is still not burned and cannot be burned anymore because Secure Boot is already activated. Since Secure Boot prevents further writes to certain eFuses, the HMAC key region remains readable.

How should I handle this situation?

Would it make sense to enable NVS encryption only on the first boot, allow the RD_DIS bit to be burned, and then flash a new binary with Secure Boot and NVS encryption activated? This way, RD_DIS would be burned only for the HMAC key region, and once Secure Boot is active, the other eFuses would remain protected and no longer writable.

Or are there alternative options to achieve this?

Thank you in advance for your support.
Best regards,