Adds support for flash encryption #718
Conversation
|
Thanks for the PR. Unfortunately, this include breaking changes and will require a new major release, however we are currently discussing a v4 release anyway, so probably this is not too much of an issue. If I can just ask you to be patient, once we come up with a game plan I can get back to you with regards to merging this. Hopefully within a week or two we will have a better idea of what our plans are moving forward. |
|
Hi ! Thanks for the quick response. |
|
We did some planning this week for the v4 release. I do not think we will start working on this quite yet, probably not for a few weeks still, but in the meantime I will publish one final v3 release on Monday, and then we can at least unblock this PR (and others). |
|
@4rzael Please excuse my ignorance... I do not understand how |
|
@4rzael Also I'm a bit lost as to what exactly is requested in #70 ? My understanding as to what @jessebraham demonstrates in #70, is just one way to do encryption, which is - "first flash plaintext images, and then the bootloader will encrypt them on-the-fly" (that is, given that the bootloader is compiled with encryption support in the first place, which I doubt to be the case with the bootloaders provided by This is by the way (and to my understanding - I'm still debugging the bootloader so I might very well be wrong!) a one time operation? If you can confirm my understanding is correct? Like, once it is done, you can't just burn plaintext images and hope the bootloader would encrypt them? Or am I missing something here? My understanding is, once the initial bootloader-driven encryption is done, that's it end of story. The bootloader does not repeat the process anymore, and will assume all new images you upload to be pre-encrypted. and since you don't know the encryption key, you can't pre-encrypt them in the first place? That is, given that the UART downloader was left enabled (which depends on whether you are in DEVELOPMENT or RELEASE mode w.r.t. encryption). I'm myself following the "other" process, where the encryption key is "externally" provided, and the payload (bootloader, part-table, app image, nvs keys etc.) are pre-encrypted. Seems to be what Espressif recommends as well?: If you have an opinion on this stuff - please share. I'm about to enter production with my approach... |
|
@ivmarkov
Yes. IIRC, this used to be the recommended/documented workflow if you didn't want to keep the keys. The goal of this PR, however, is to replicate esptool's encrypt feature, which is indeed only useful in development mode, where the bootloader's ability to perform encrypted-flashes is not disabled. Basically, after encryption has been enabled (by whichever of the 2 methods you prefer), you can make the bootloader reflash a plaintext image, and encrypt it on the fly, allowing developers to flash firmwares on devices with encryption enabled (and thus as similar as possible to the end product). |
@4rzael Thank you for your response. I completely agree with your statements. Ideally,
This ^^^ is the one thing I'm struggling with. I can't see an "encrypt" command on ivan@ivan-laptop:~/rp$ esptools tool -h
Tool esptool mounted as `/home/ivan/.cache/esptools/78c195b08bd57bf27167b323600d417a546d3393/esptool`
Executing `esptool`
usage: esptool [-h]
[--chip {auto,esp8266,esp32,esp32s2,esp32s3beta2,esp32s3,esp32c3,esp32c6beta,esp32h2beta1,esp32h2beta2,esp32c2,esp32c6,esp32c61,esp32c5,esp32c5beta3,esp32h2,esp32p4}]
[--port PORT] [--baud BAUD] [--port-filter PORT_FILTER]
[--before {default_reset,usb_reset,no_reset,no_reset_no_sync}]
[--after {hard_reset,soft_reset,no_reset,no_reset_stub}] [--no-stub] [--trace]
[--override-vddsdio [{1.8V,1.9V,OFF}]] [--connect-attempts CONNECT_ATTEMPTS]
{load_ram,dump_mem,read_mem,write_mem,write_flash,run,image_info,make_image,elf2image,read_mac,chip_id,flash_id,read_flash_status,write_flash_status,read_flash,verify_flash,erase_flash,erase_region,read_flash_sfdp,merge_bin,get_security_info,version}
...
esptool.py v4.8.1 - Espressif chips ROM Bootloader Utility
positional arguments:
{load_ram,dump_mem,read_mem,write_mem,write_flash,run,image_info,make_image,elf2image,read_mac,chip_id,flash_id,read_flash_status,write_flash_status,read_flash,verify_flash,erase_flash,erase_region,read_flash_sfdp,merge_bin,get_security_info,version}
Run esptool.py {command} -h for additional help
load_ram Download an image to RAM and execute
dump_mem Dump arbitrary memory to disk
read_mem Read arbitrary memory location
write_mem Read-modify-write to arbitrary memory location
write_flash Write a binary blob to flash
run Run application code in flash
image_info Dump headers from a binary file (bootloader or application)
make_image Create an application image from binary files
elf2image Create an application image from ELF file
read_mac Read MAC address from OTP ROM
chip_id Read Chip ID from OTP ROM
flash_id Read SPI flash manufacturer and device ID
read_flash_status Read SPI flash status register
write_flash_status Write SPI flash status register
read_flash Read SPI flash content
verify_flash Verify a binary blob against flash
erase_flash Perform Chip Erase on SPI flash
erase_region Erase a region of the flash
read_flash_sfdp Read SPI flash SFDP (Serial Flash Discoverable Parameters)
merge_bin Merge multiple raw binary files into a single file for later flashing
get_security_info Get some security-related data
version Print esptool version
optional arguments:
-h, --help show this help message and exit
--chip {auto,esp8266,esp32,esp32s2,esp32s3beta2,esp32s3,esp32c3,esp32c6beta,esp32h2beta1,esp32h2beta2,esp32c2,esp32c6,esp32c61,esp32c5,esp32c5beta3,esp32h2,esp32p4}, -c {auto,esp8266,esp32,esp32s2,esp32s3beta2,esp32s3,esp32c3,esp32c6beta,esp32h2beta1,esp32h2beta2,esp32c2,esp32c6,esp32c61,esp32c5,esp32c5beta3,esp32h2,esp32p4}
Target chip type
--port PORT, -p PORT Serial port device
--baud BAUD, -b BAUD Serial port baud rate used when flashing/reading
--port-filter PORT_FILTER
Serial port device filter, can be vid=NUMBER, pid=NUMBER, name=SUBSTRING
--before {default_reset,usb_reset,no_reset,no_reset_no_sync}
What to do before connecting to the chip
--after {hard_reset,soft_reset,no_reset,no_reset_stub}, -a {hard_reset,soft_reset,no_reset,no_reset_stub}
What to do after esptool.py is finished
--no-stub Disable launching the flasher stub, only talk to ROM bootloader. Some features will not be available.
--trace, -t Enable trace-level output of esptool.py interactions.
--override-vddsdio [{1.8V,1.9V,OFF}]
Override ESP32 VDDSDIO internal voltage regulator (use with care)
--connect-attempts CONNECT_ATTEMPTS
Number of attempts to connect, negative or 0 for infinite. Default: 7.
Status Ok(ExitStatus(unix_wait_status(0)))See? And that's because Now, there is a command "encrypt_flash_data" on What am I missing? |
|
@ivmarkov Yeah, sorry, wasn't super clear. What I'm talking about is the |
Introduction
This PR adds support for flash encryption, by adding a
--encryptflag toflashandwrite-bincommands.Requested by #70
As written below, I still need to perform a few tests (waiting for new chips, I hope to have it done in a few days).
Implementation
When performing encrypted writes, espflash will use non-compressed flashing instructions to the bootloader, as compression + encryption is not supported. Similarly, skip & verify features are disabled on encrypted partitions.
When passed to the
write-bincommand, espflash perform an encrypted flash directly.The
encryptflag is stored inWriteBinArgs, and then directly passed to the createdRomSegment.When passed to the
flashcommand, espflash will perform encrypted flashes on bootloader, partition, and application partitions.The parameter flow is a bit more complex there: we start in
FlashArgs, which is used to constructFlashData, which is used to constructIdfBootloaderFormat, which finally populates the appropriateRomSegments.Tests: