Skip to content

DRAFT: ESP32-XX hardware flash encryption issue when updating images - "flash imp layer" solution #2320

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

DRAFT: ESP32-XX hardware flash encryption issue when updating images - "flash imp layer" solution #2320

wants to merge 5 commits into from

Conversation

almir-okato
Copy link
Collaborator

When hardware flash encryption is enabled, force expected erased value (0xFF) into flash when erasing a region, and also always do a real erase before writing data into flash.

This is handled on this implementation because MCUboot's state machine relies on erased valued data (0xFF) readed from a previously erased region that was not written yet, however when hardware flash encryption is enabled, the flash read always decrypts whats being read from flash, thus a region that was erased would not be read as what MCUboot expected (0xFF).

Use Zephyr branch from this PR:
zephyrproject-rtos/zephyr#90442
Use hal_espressif branch from this PR:
zephyrproject-rtos/hal_espressif#445

Prepare and enable Flash Encryption on ESP32-S3 (the conf files are already modified on the used branches):

  • Create a "zeroed" key (TEST ONLY, so the device will not be bricked):
dd if=/dev/zero of=zero_key.bin bs=1 count=32
  • Burn the key into the eFuses:
espefuse.py -p /dev/ttyUSB0 burn_key BLOCK_KEY4 zero_key.bin XTS_AES_128_KEY
  • Burn the eFuse that enabled Flash Encryption
espefuse.py burn_efuse SPI_BOOT_CRYPT_CNT

Building the sample application on Zephyr:

cd <ZEPHYRPROJECT_DIR>/zephyr/samples/subsys/mgmt/mcumgr/smp_svr/
west build -b esp32s3_devkitm/esp32s3/procpu -p --  -DEXTRA_CONF_FILE="overlay-bt.conf"
  • Flash the image (will be force encrypted, since the encryption is already enabled on the device and we are using the DEVELOPMENT configs):
esptool.py -p /dev/ttyUSB0 -b 2000000 --no-stub --after no_reset write_flash  --flash_mode dio  --flash_freq 40m --encrypt 0x0020000 build/zephyr/zephyr.signed.bin --force
  • For the update image, flash it on the second slot
esptool.py -p /dev/ttyUSB0 -b 2000000 --no-stub --after no_reset write_flash  --flash_mode dio  --flash_freq 40m --encrypt 0x00170000 build/zephyr/zephyr.signed.bin --force
  • Also, the confirmed image (build/zephyr/zephyr.signed.confirmed.bin) can be used for testing the scenario in which an image is already confirmed

Building and flashing MCUboot:

cd <MCUBOOT_DIR>/boot/espressif

(MCUBOOT_DIR should be the directory from Zephyr environment: <ZEPHYRPROJECT_DIR>/bootloader/mcuboot)

  • Build:
rm -rf build/ && cmake -DCMAKE_TOOLCHAIN_FILE=tools/toolchain-esp32s3.cmake -DMCUBOOT_TARGET=esp32s3  -DMCUBOOT_FLASH_PORT=/dev/ttyUSB0 -DESP_HAL_PATH=<ZEPHYRPROJECT_DIR>/modules/hal/espressif -B build -GNinja && ninja -C build
  • Flash:
esptool.py -p /dev/ttyUSB0 -b 2000000 --no-stub --after no_reset write_flash  --flash_mode dio  --flash_freq 40m --encrypt 0x0000 build/mcuboot_esp32s3.bin --force
  • Now open the serial monitor and press the devkit's reset button.

@almir-okato
espressif: fix build if hal_espressif is used as HAL layer for Espres…
28c673f 
…sif Port

Signed-off-by: Almir Okato <almir.okato@espressif.com>
@almir-okato
espressif: add forced aligned flash erase
c53e159 
Signed-off-by: Almir Okato <almir.okato@espressif.com>
@almir-okato
espressif: flash: fix image wrong state after swap-scratch when flash…
5b15c11 
… encryption is enabled

When hardware flash encryption is enabled, force expected erased
value (0xFF) into flash when erasing a region, and also always
do a real erase before writing data into flash.

This is handled on this implementation because MCUboot's state
machine relies on erased valued data (0xFF) readed from a
previously erased region that was not written yet, however when
hardware flash encryption is enabled, the flash read always
decrypts whats being read from flash, thus a region that was
erased would not be read as what MCUboot expected (0xFF).

Signed-off-by: Almir Okato <almir.okato@espressif.com>
@almir-okato
DEBUG: test scenario for confirm image after an OTA - THIS COMMIT WIL…
603ace7 
…L BE DELETED

Signed-off-by: Almir Okato <almir.okato@espressif.com>
@almir-okato
DEBUG: add debug logs - THIS COMMIT WILL BE DELETED
64ec4e9 
Signed-off-by: Almir Okato <almir.okato@espressif.com>
@almir-okato almir-okato mentioned this pull request May 24, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@davidvincze davidvincze Awaiting requested review from davidvincze davidvincze will be requested when the pull request is marked ready for review davidvincze is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@almir-okato