Skip to content

Instantly share code, notes, and snippets.

@jessebraham

jessebraham/flash_encryption_instructions.md

Last active March 7, 2025 08:30
Show Gist options
  • Save jessebraham/0c7d86f9866614dc602e5d8e0e97c37a to your computer and use it in GitHub Desktop.
Save jessebraham/0c7d86f9866614dc602e5d8e0e97c37a to your computer and use it in GitHub Desktop.
Download ZIP
Raw
flash_encryption_instructions.md

Flash Encryption Instructions

For more details instructions please see the official ESP-IDF documentation:

https://docs.espressif.com/projects/esp-idf/en/latest/esp32c3/security/flash-encryption.html

std

TODO

no_std

We require esp-idf in order to build the bootloader:

$ mkdir -p ~/esp
$ cd ~/esp
$ git clone --recursive https://github.com/espressif/esp-idf

We can use any project to build the bootloader. Set the correct target and then configure the bootloader for flash encryption:

$ cd ~/esp/esp-idf/examples/get-started/hello_world/
$ idf.py set-target $CHIP
$ idf.py menuconfig

Enable the Security Features -> Enable flash encryption on boot setting. Usage mode is set to Development by default, can also be set to Production if desired. Remember to check the minimum chip revision is compatible with your chip as well. Exit menuconfig and save.

Build the bootloader and move it to your project:

$ idf.py build bootloader
$ cp build/bootloader/bootloader.bin $PROJECT_DIR

For example, we can test using the esp32c3-hal package's examples from esp-hal:

$ cargo espflash --release --monitor --bootloader=bootloader.bin --example=hello_world

Upon first boot the device will generate a key and self-encrypt. The second-stage bootloader logs the process to the serial monitor (this can take some time):

I (51) boot: ESP-IDF v5.0-dev-3290-g01d014c42d-dirty 2nd stage bootloader
I (52) boot: compile time 09:50:23
I (52) boot: chip revision: 2
I (56) boot.esp32c3: SPI Speed      : 80MHz
I (60) boot.esp32c3: SPI Mode       : DIO
I (65) boot.esp32c3: SPI Flash Size : 4MB
I (70) boot: Enabling RNG early entropy source...
I (75) boot: Partition Table:
I (79) boot: ## Label            Usage          Type ST Offset   Length
I (86) boot:  0 nvs              WiFi data        01 02 00009000 00006000
I (93) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (101) boot:  2 factory          factory app      00 00 00010000 003f0000
I (108) boot: End of partition table
I (113) boot_comm: chip revision: 2, min. application chip revision: 0
I (120) esp_image: segment 0: paddr=00010020 vaddr=3c010020 size=00508h (  1288) map
I (129) esp_image: segment 1: paddr=00010530 vaddr=00000000 size=0fae8h ( 64232)
I (147) esp_image: segment 2: paddr=00020020 vaddr=42000020 size=01ca8h (  7336) map
I (148) boot: Loaded app from partition at offset 0x10000
I (151) boot: Checking flash encryption...
I (156) esp_image: segment 0: paddr=00000020 vaddr=3fcd6270 size=02c88h ( 11400)
I (165) esp_image: segment 1: paddr=00002cb0 vaddr=403ce000 size=00904h (  2308)
I (172) esp_image: segment 2: paddr=000035bc vaddr=403cf600 size=048b4h ( 18612)
I (579) flash_encrypt: bootloader encrypted successfully
I (626) flash_encrypt: partition table encrypted and loaded successfully
I (626) boot_comm: chip revision: 2, min. application chip revision: 0
I (629) esp_image: segment 0: paddr=00010020 vaddr=3c010020 size=00508h (  1288) map
I (638) esp_image: segment 1: paddr=00010530 vaddr=00000000 size=0fae8h ( 64232)
I (656) esp_image: segment 2: paddr=00020020 vaddr=42000020 size=01ca8h (  7336) map
I (657) flash_encrypt: Encrypting partition 2 at offset 0x10000 (length 0x3f0000)...
I (50652) flash_encrypt: Done encrypting
I (50653) efuse: BURN BLOCK0
I (50655) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (50656) flash_encrypt: Flash encryption completed
I (50661) boot: Resetting with flash encryption enabled...

Upon completing the encryption process the device will reset itself and run the application:

I (57) boot: ESP-IDF v5.0-dev-3290-g01d014c42d-dirty 2nd stage bootloader
I (57) boot: compile time 09:50:23
I (57) boot: chip revision: 2
I (61) boot.esp32c3: SPI Speed      : 80MHz
I (66) boot.esp32c3: SPI Mode       : DIO
I (71) boot.esp32c3: SPI Flash Size : 4MB
I (75) boot: Enabling RNG early entropy source...
I (81) boot: Partition Table:
I (84) boot: ## Label            Usage          Type ST Offset   Length
I (92) boot:  0 nvs              WiFi data        01 02 00009000 00006000
I (99) boot:  1 phy_init         RF data          01 01 0000f000 00001000
I (107) boot:  2 factory          factory app      00 00 00010000 003f0000
I (114) boot: End of partition table
I (118) boot_comm: chip revision: 2, min. application chip revision: 0
I (126) esp_image: segment 0: paddr=00010020 vaddr=3c010020 size=00508h (  1288) map
I (134) esp_image: segment 1: paddr=00010530 vaddr=00000000 size=0fae8h ( 64232)
I (153) esp_image: segment 2: paddr=00020020 vaddr=42000020 size=01ca8h (  7336) map
I (155) boot: Loaded app from partition at offset 0x10000
I (157) boot: Checking flash encryption...
I (161) flash_encrypt: flash encryption is enabled (0 plaintext flashes left)
I (169) boot: Disabling RNG early entropy source...
Hello world!
Hello world!
Hello world!

To disable flash encryption once enabled, you must burn the correct eFuse.

For ESP32:

$ espefuse.py burn_efuse FLASH_CRYPT_CNT

For ESP32-C2, ESP32-C3, ESP32-S2, and ESP32-S3:

$ espefuse.py burn_efuse SPI_BOOT_CRYPT_CNT
@Makuo12
Copy link

Makuo12 commented Feb 8, 2025

Hey @jessebraham I tried following your steps and I get this error

rst:0x10 (RTCWDT_RTC_RESET),boot:0x13 (SPI_FAST_FLASH_BOOT)
configsip: 0, SPIWP:0xee
clk_drv:0x00,q_drv:0x00,d_drv:0x00,cs0_drv:0x00,hd_drv:0x00,wp_drv:0x00
mode:DIO, clock div:2
load:0x3fff00c0,len:10452
load:0x40078000,len:22340
load:0x40080400,len:3860
csum err:0xd3!=0xc9
ets_main.c 384 
ets Jul 29 2019 12:21:46

@jessebraham
Copy link
Author

Sorry, not sure; wrote this years ago and haven't looked at it since. I would follow the ESP-IDF documentation linked to at the top of the gist.

@coolwanglu
Copy link

I was able to succesffully enable flash encryption and burn an esp-hal project on ESP32S3.

I basically followed the instruction and flashed the official bootloader (AND the hello world application) using ESP-IDF. Then I had to flash back the older bootloader from espflash before I'm using a version before this PR, then it worked with my esp-hal project.

Notes:

  • Probably you want to generate the AES keys externall and keep them on the host, otherwise I suspect the chip may not accept plain text any more.
  • You probaby want to set flash size and partition table in idf.py menuconfig. Thery were not automatically detected in my case.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment