【ESP32-C6】Using esptool commands to enable Flash Encryption and Secure Boot

Please refer to Security Guides

You can use the “esp-idf/examples/security/flash_encryption” example for testing.


Partition Table setting

# Name,   Type, SubType, Offset,  Size, Flags
nvs,           data, nvs,      , 0x6000,
# Extra partition to demonstrate reading/writing of encrypted flash
storage,       data, 0xff,     , 0x1000, encrypted
factory,       app,  factory,  , 1M,
# nvs_key partition contains the key that encrypts the NVS partition named nvs. The nvs_key partition needs to be encrypted.
nvs_key,       data, nvs_keys, , 0x1000, encrypted,
# Custom NVS data partition
custom_nvs,    data, nvs,      , 0x6000,
# FATFS partitions, one non-encrypted, one encrypted
fat_encrypted, data, fat,      , 600k,   encrypted
fat_not_encr,  data, fat,      , 600k,

Generate Key files

Please refer to :

1. Generate Secure Boot v2 Signing Private Key

Secure Boot V2 on the ESP32-C6 supports RSA-3072, ECDSA-256 or ECDSA-192 keys. Use the following commands to generate the Secure Boot signing key.

  • The Secure Boot v2 signing key for the RSA3072 scheme can be generated by running:

espsecure.py generate_signing_key --version 2 --scheme rsa3072 secure_boot_signing_key.pem

  • The Secure Boot v2 signing key for the ECDSA256 scheme can be generated by running:

espsecure.py generate_signing_key --version 2 --scheme ecdsa256 secure_boot_signing_key.pem

  • The Secure Boot v2 signing key for the ECDSA192 scheme can be generated by running:

espsecure.py generate_signing_key --version 2 --scheme ecdsa192 secure_boot_signing_key.pem

  • Generate the public key digest from your Secure Boot key

The public key digest for the private key generated in the previous step can be generated by running:

espsecure.py digest_sbv2_public_key --keyfile secure_boot_signing_key.pem --output public_key_digest.bin


2. Generate Flash Encryption Key

A random Flash Encryption key can be generated by running:

espsecure.py generate_flash_encryption_key flash_encryption_key.bin


3. Generate NVS Encryption Key

Enable NVS Encryption Based on Flash Encryption

In this case we generate NVS Encryption keys on a host. This key is then flashed on the chip and protected with the help of Flash Encryption features.

The key can be generated with the nvs_flash/nvs_partition_generator/nvs_partition_gen.py script with the help of the following command:

python E:\esp\Espressif\frameworks\esp-idf-5.2.1\esp-idf\components\nvs_flash\nvs_partition_generator\nvs_partition_gen.py generate-key --keyfile nvs_key.bin

This shall generate the respective key in the keys folder.


【Note】

  • If you don’t need to encrypt the NVS partition, you don’t need to generate nvs_key.bin.

4. Software setting:

→ Flash Size setting

  • The value of Flash Size must not be larger than the hardware Flash Size and must not be smaller than the total partition size set in the partition table.


→ Partition Table setting

  • Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See Bootloader Size.

→ Security features

  • Enable Secure Boot and Flash Encryption Development mode


→ Security features → UART ROM download mode

  • Download mode setting

→ Component config → NVS → [*] Enable NVS encryption

  • If you enable NVS encryption, you must add an nvs_key partition to your partition table. Please refer to NVS Encryption for more details.
  • If you don’t want to encrypt the nvs partition, disable the NVS encryption configuration.

5. Build the project and Get the firmware

  • The build log shows the partition table offsets, as follows:
Partition table binary generated. Contents:
*******************************************************************************
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0xe000,24K,
storage,data,255,0x14000,4K,encrypted
factory,app,factory,0x20000,1M,
nvs_key,data,nvs_keys,0x120000,4K,encrypted
custom_nvs,data,nvs,0x121000,24K,
fat_encrypted,data,fat,0x127000,600K,encrypted
fat_not_encr,data,fat,0x1bd000,600K,
*******************************************************************************

Because Secure Boot is enabled, the build produces bootloader.bin, bootloader-unsigned.bin, app.bin and app-unsigned.bin, along with the other partition firmware bin files. bootloader.bin and app.bin are the signed firmware; bootloader-unsigned.bin and app-unsigned.bin are unsigned. We need to download the signed firmware and the other partition firmware bin files.

  • The build log also lists the generated binaries.

6. Use Flash Encryption Key to encrypt all the firmware

Please note: the address is your firmware download address.

The command for encrypting the firmware with the Flash Encryption key is the same for every partition.

espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_bootloader.bin --address 0x0 build\bootloader\bootloader.bin
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_partition-table.bin --address 0xd000 build\partition_table\partition-table.bin
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_flash_encryption.bin --address 0x20000 build\flash_encryption.bin


7. Download all encrypted firmware and nvs_key.bin

esptool.py -p COM69 write_flash 0x0 encrypted_bootloader.bin 0xd000 encrypted_partition-table.bin 0x20000 encrypted_flash_encryption.bin 0x120000 nvs_key.bin
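
A consistency check for the manual plan in steps 6 and 7, added here as an example (not part of the original post or of esptool): it confirms that every image written into a region the chip reads through flash decryption was produced by encrypt_flash_data with the same --address it is flashed to. The bootloader and partition-table region bounds and all function names are assumptions of this sketch; app partitions and partitions flagged `encrypted` are treated as encrypted regions.

```python
import re

# Partition table as printed in the build log (step 5).
PARTITION_CSV = """\
nvs,data,nvs,0xe000,24K,
storage,data,255,0x14000,4K,encrypted
factory,app,factory,0x20000,1M,
nvs_key,data,nvs_keys,0x120000,4K,encrypted
custom_nvs,data,nvs,0x121000,24K,
fat_encrypted,data,fat,0x127000,600K,encrypted
fat_not_encr,data,fat,0x1bd000,600K,
"""

# Commands from steps 6 and 7, copied from the page.
ENCRYPT_CMDS = r"""
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_bootloader.bin --address 0x0 build\bootloader\bootloader.bin
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_partition-table.bin --address 0xd000 build\partition_table\partition-table.bin
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_flash_encryption.bin --address 0x20000 build\flash_encryption.bin
"""
WRITE_CMD = ("esptool.py -p COM69 write_flash 0x0 encrypted_bootloader.bin "
             "0xd000 encrypted_partition-table.bin 0x20000 encrypted_flash_encryption.bin "
             "0x120000 nvs_key.bin")

# Assumption: the bootloader region runs from 0x0 up to the partition table at
# 0xd000 and the table occupies one 0x1000 sector. Both are always encrypted.
FIXED_REGIONS = [("bootloader", 0x0, 0xd000, True),
                 ("partition-table", 0xd000, 0xe000, True)]


def parse_size(text):
    """Accept 0x1000, 4096, 24K or 1M as used in ESP-IDF partition CSVs."""
    text = text.strip()
    mult = {"K": 1024, "M": 1024 * 1024}.get(text[-1].upper())
    return int(text[:-1], 0) * mult if mult else int(text, 0)


def parse_partitions(csv_text):
    """Return (name, start, end, must_encrypt) for fixed regions and partitions."""
    regions = list(FIXED_REGIONS)
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, ptype, _sub, offset, size, flags = [f.strip() for f in line.split(",")][:6]
        start = int(offset, 0)
        must_encrypt = ptype == "app" or "encrypted" in flags
        regions.append((name, start, start + parse_size(size), must_encrypt))
    return regions


def parse_encrypt_cmds(text):
    """Map each encrypt_flash_data output file to the --address it was encrypted for."""
    pairs = re.findall(r"--output\s+(\S+)\s+--address\s+(0x[0-9a-fA-F]+)", text)
    return {out: int(addr, 0) for out, addr in pairs}


def parse_write_cmd(cmd):
    """Return [(offset, image)] from the arguments that follow write_flash."""
    rest = cmd.split()
    rest = rest[rest.index("write_flash") + 1:]
    return [(int(off, 0), img) for off, img in zip(rest[0::2], rest[1::2])]


def check_plan(csv_text, encrypt_cmds, write_cmd):
    regions = parse_partitions(csv_text)
    encrypted_for = parse_encrypt_cmds(encrypt_cmds)
    findings = []
    for offset, image in parse_write_cmd(write_cmd):
        region = next((r for r in regions if r[1] <= offset < r[2]), None)
        if region is None:
            findings.append(f"{image}: offset {offset:#x} is outside every known region")
            continue
        name, _start, _end, must_encrypt = region
        if image not in encrypted_for:
            if must_encrypt:
                findings.append(f"{image}: plaintext image written to encrypted "
                                f"region '{name}' at {offset:#x}")
        elif not must_encrypt:
            findings.append(f"{image}: encrypted image written to plaintext region '{name}'")
        elif encrypted_for[image] != offset:
            # The XTS tweak depends on the flash address, so a moved image decrypts to noise.
            findings.append(f"{image}: encrypted for {encrypted_for[image]:#x} "
                            f"but written at {offset:#x}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(PARTITION_CSV, ENCRYPT_CMDS, WRITE_CMD):
        print(finding)
```

Run on the commands as given above, it reports nvs_key.bin, which is written to the partition flagged encrypted at 0x120000 without an encrypt_flash_data step.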


8. Write public_key_digest.bin and Flash encryption key to eFuse BLOCK

  • First, read the ESP32-C6 chip's eFuse information:
E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption>espefuse.py -p COM4 summary
espefuse.py v4.8.1
Connecting....
Detecting chip type... ESP32-C6

=== Run "summary" command ===
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Config fuses:
WR_DIS (BLOCK0)                                    Disable programming of individual eFuses           = 0 R/W (0x00000000)
RD_DIS (BLOCK0)                                    Disable reading from BlOCK4-10                     = 0 R/W (0b0000000)
SWAP_UART_SDIO_EN (BLOCK0)                         Represents whether pad of uart and sdio is swapped = False R/W (0b0)
                                                    or not. 1: swapped. 0: not swapped
DIS_ICACHE (BLOCK0)                                Represents whether icache is disabled or enabled.  = False R/W (0b0)
                                                   1: disabled. 0: enabled
DIS_TWAI (BLOCK0)                                  Represents whether TWAI function is disabled or en = False R/W (0b0)
                                                   abled. 1: disabled. 0: enabled
DIS_DIRECT_BOOT (BLOCK0)                           Represents whether direct boot mode is disabled or = False R/W (0b0)
                                                    enabled. 1: disabled. 0: enabled
UART_PRINT_CONTROL (BLOCK0)                        Set the default UARTboot message output mode       = Enable R/W (0b00)
LSLP_HP_DBG (BLOCK1)                               Stores the lslp hp dbg                             = 0 R/W (0b00)
DSLP_LP_DBG (BLOCK1)                               Stores the dslp lp dbg                             = 5 R/W (0b101)
BLOCK_USR_DATA (BLOCK3)                            User data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_SYS_DATA2 (BLOCK10)                          System data part 2 (reserved)
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Flash fuses:
FLASH_TPUW (BLOCK0)                                Represents the flash waiting time after power-up;  = 0 R/W (0x0)
                                                   in unit of ms. When the value less than 15; the wa
                                                   iting time is the programmed value. Otherwise; the
                                                    waiting time is 2 times the programmed value
FORCE_SEND_RESUME (BLOCK0)                         Represents whether ROM code is forced to send a re = False R/W (0b0)
                                                   sume command during SPI boot. 1: forced. 0:not for
                                                   ced
FLASH_CAP (BLOCK1)                                                                                    = 0 R/W (0b000)
FLASH_TEMP (BLOCK1)                                                                                   = 0 R/W (0b00)
FLASH_VENDOR (BLOCK1)                                                                                 = 0 R/W (0b000)

Identity fuses:
DISABLE_WAFER_VERSION_MAJOR (BLOCK0)               Disables check of wafer version major              = False R/W (0b0)
DISABLE_BLK_VERSION_MAJOR (BLOCK0)                 Disables check of blk version major                = False R/W (0b0)
WAFER_VERSION_MINOR (BLOCK1)                                                                          = 2 R/W (0x2)
WAFER_VERSION_MAJOR (BLOCK1)                                                                          = 0 R/W (0b00)
PKG_VERSION (BLOCK1)                               Package version                                    = 0 R/W (0b000)
BLK_VERSION_MINOR (BLOCK1)                         BLK_VERSION_MINOR of BLOCK2                        = 3 R/W (0b011)
BLK_VERSION_MAJOR (BLOCK1)                         BLK_VERSION_MAJOR of BLOCK2                        = 0 R/W (0b00)
OPTIONAL_UNIQUE_ID (BLOCK2)                        Optional unique 128-bit ID
   = a8 67 12 ec 52 87 dc 6d a0 87 b2 87 a5 a4 bf 96 R/W

Jtag fuses:
JTAG_SEL_ENABLE (BLOCK0)                           Represents whether the selection between usb_to_jt = False R/W (0b0)
                                                   ag and pad_to_jtag through strapping gpio15 when b
                                                   oth EFUSE_DIS_PAD_JTAG and EFUSE_DIS_USB_JTAG are
                                                   equal to 0 is enabled or disabled. 1: enabled. 0:
                                                   disabled
SOFT_DIS_JTAG (BLOCK0)                             Represents whether JTAG is disabled in soft way. O = 0 R/W (0b000)
                                                   dd number: disabled. Even number: enabled
DIS_PAD_JTAG (BLOCK0)                              Represents whether JTAG is disabled in the hard wa = False R/W (0b0)
                                                   y(permanently). 1: disabled. 0: enabled

Mac fuses:
MAC (BLOCK1)                                       MAC address
   = 7c:2c:67:52:7c:fc (OK) R/W
MAC_EXT (BLOCK1)                                   Stores the extended bits of MAC address            = ff:fe (OK) R/W
CUSTOM_MAC (BLOCK3)                                Custom MAC
   = 00:00:00:00:00:00 (OK) R/W
MAC_EUI64 (BLOCK1)                                 calc MAC_EUI64 = MAC[0]:MAC[1]:MAC[2]:MAC_EXT[0]:M
   = 7c:2c:67:ff:fe:52:7c:fc (OK) R/W
                                                   AC_EXT[1]:MAC[3]:MAC[4]:MAC[5]

Security fuses:
DIS_DOWNLOAD_ICACHE (BLOCK0)                       Represents whether icache is disabled or enabled i = False R/W (0b0)
                                                   n Download mode. 1: disabled. 0: enabled
DIS_FORCE_DOWNLOAD (BLOCK0)                        Represents whether the function that forces chip i = False R/W (0b0)
                                                   nto download mode is disabled or enabled. 1: disab
                                                   led. 0: enabled
SPI_DOWNLOAD_MSPI_DIS (BLOCK0)                     Represents whether SPI0 controller during boot_mod = False R/W (0b0)
                                                   e_download is disabled or enabled. 1: disabled. 0:
                                                    enabled
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0)               Represents whether flash encrypt function is disab = False R/W (0b0)
                                                   led or enabled(except in SPI boot mode). 1: disabl
                                                   ed. 0: enabled
SPI_BOOT_CRYPT_CNT (BLOCK0)                        Enables flash encryption when 1 or 3 bits are set  = Disable R/W (0b000)
                                                   and disables otherwise
SECURE_BOOT_KEY_REVOKE0 (BLOCK0)                   Revoke 1st secure boot key                         = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0)                   Revoke 2nd secure boot key                         = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0)                   Revoke 3rd secure boot key                         = False R/W (0b0)
KEY_PURPOSE_0 (BLOCK0)                             Represents the purpose of Key0                     = USER R/W (0x0)
KEY_PURPOSE_1 (BLOCK0)                             Represents the purpose of Key1                     = USER R/W (0x0)
KEY_PURPOSE_2 (BLOCK0)                             Represents the purpose of Key2                     = USER R/W (0x0)
KEY_PURPOSE_3 (BLOCK0)                             Represents the purpose of Key3                     = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0)                             Represents the purpose of Key4                     = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0)                             Represents the purpose of Key5                     = USER R/W (0x0)
SEC_DPA_LEVEL (BLOCK0)                             Represents the spa secure level by configuring the = 0 R/W (0b00)
                                                    clock random divide mode
CRYPT_DPA_ENABLE (BLOCK0)                          Represents whether anti-dpa attack is enabled. 1:e = False R/W (0b0)
                                                   nabled. 0: disabled
SECURE_BOOT_EN (BLOCK0)                            Represents whether secure boot is enabled or disab = False R/W (0b0)
                                                   led. 1: enabled. 0: disabled
SECURE_BOOT_AGGRESSIVE_REVOKE (BLOCK0)             Represents whether revoking aggressive secure boot = False R/W (0b0)
                                                    is enabled or disabled. 1: enabled. 0: disabled
DIS_DOWNLOAD_MODE (BLOCK0)                         Represents whether Download mode is disabled or en = False R/W (0b0)
                                                   abled. 1: disabled. 0: enabled
ENABLE_SECURITY_DOWNLOAD (BLOCK0)                  Represents whether security download is enabled or = False R/W (0b0)
                                                    disabled. 1: enabled. 0: disabled
SECURE_VERSION (BLOCK0)                            Represents the version used by ESP-IDF anti-rollba = 0 R/W (0x0000)
                                                   ck feature
SECURE_BOOT_DISABLE_FAST_WAKE (BLOCK0)             Represents whether FAST VERIFY ON WAKE is disabled = False R/W (0b0)
                                                    or enabled when Secure Boot is enabled. 1: disabl
                                                   ed. 0: enabled
BLOCK_KEY0 (BLOCK4)
  Purpose: USER
               Key0 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY1 (BLOCK5)
  Purpose: USER
               Key1 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY2 (BLOCK6)
  Purpose: USER
               Key2 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY3 (BLOCK7)
  Purpose: USER
               Key3 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY4 (BLOCK8)
  Purpose: USER
               Key4 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY5 (BLOCK9)
  Purpose: USER
               Key5 or user data
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W

Usb fuses:
DIS_USB_JTAG (BLOCK0)                              Represents whether the function of usb switch to j = False R/W (0b0)
                                                   tag is disabled or enabled. 1: disabled. 0: enable
                                                   d
DIS_USB_SERIAL_JTAG (BLOCK0)                       Represents whether USB-Serial-JTAG is disabled or  = False R/W (0b0)
                                                   enabled. 1: disabled. 0: enabled
USB_EXCHG_PINS (BLOCK0)                            Represents whether the D+ and D- pins is exchanged = False R/W (0b0)
                                                   . 1: exchanged. 0: not exchanged
DIS_USB_SERIAL_JTAG_ROM_PRINT (BLOCK0)             Represents whether print from USB-Serial-JTAG is d = False R/W (0b0)
                                                   isabled or enabled. 1: disabled. 0: enabled
DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE (BLOCK0)         Represents whether the USB-Serial-JTAG download fu = False R/W (0b0)
                                                   nction is disabled or enabled. 1: disabled. 0: ena
                                                   bled

Vdd fuses:
VDD_SPI_AS_GPIO (BLOCK0)                           Represents whether vdd spi pin is functioned as gp = False R/W (0b0)
                                                   io. 1: functioned. 0: not functioned

Wdt fuses:
WDT_DELAY_SEL (BLOCK0)                             Represents whether RTC watchdog timeout threshold  = 0 R/W (0b00)
                                                   is selected at startup. 1: selected. 0: not select
                                                   ed
  • For Secure Boot, write public_key_digest.bin to eFuse BLOCK_KEY0
  • For Flash Encryption, write flash_encryption_key.bin to eFuse BLOCK_KEY1
espefuse.py -p COM69 --do-not-confirm burn_key BLOCK_KEY0 public_key_digest.bin SECURE_BOOT_DIGEST0 BLOCK_KEY1 flash_encryption_key.bin XTS_AES_128_KEY


9. Write the eFuse control bits for Secure Boot and Flash Encryption Development mode

The eFuse bits should be written according to the Flash Encryption mode set in the software configuration.

The software configuration above uses Flash Encryption Development mode with download mode enabled.

espefuse.py -p COM69 burn_efuse --do-not-confirm DIS_USB_JTAG 0x1 DIS_PAD_JTAG 0x1 DIS_DOWNLOAD_ICACHE 0x1 DIS_DIRECT_BOOT 0x1 SOFT_DIS_JTAG 0x1 DIS_DOWNLOAD_MANUAL_ENCRYPT 0x1 SECURE_BOOT_EN 0x1 SPI_BOOT_CRYPT_CNT 0x1


  • If you want to set Flash Encryption Release mode and disable download mode, write the following eFuse control bits for Secure Boot and Flash Encryption Release mode:
espefuse.py -p COM69 burn_efuse --do-not-confirm DIS_USB_JTAG 0x1 DIS_PAD_JTAG 0x1 DIS_DOWNLOAD_ICACHE 0x1 DIS_DIRECT_BOOT 0x1 SOFT_DIS_JTAG 0x7 DIS_DOWNLOAD_MANUAL_ENCRYPT 0x1 DIS_DOWNLOAD_MODE 0x1 SECURE_BOOT_EN 0x1 SPI_BOOT_CRYPT_CNT 0x7
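
An audit of `espefuse.py summary` output against the values burned in steps 8 and 9, added here as an example (not from the original post or from esptool). The expectation tables are taken from the burn_key command and the two burn_efuse commands above; the sample summary lines are constructed in the format shown in step 8, and the function names are hypothetical.

```python
import re

# One summary line: NAME (BLOCKn)  description  = meaningful R/W (raw)
LINE = re.compile(r"^(\w+) \(BLOCK\d+\)\s+.*?=\s+(\S+)\s+[R-]/[W-]\s+\((0[bx][0-9a-fA-F]+)\)")

COMMON = {
    "DIS_USB_JTAG": 0x1, "DIS_PAD_JTAG": 0x1, "DIS_DOWNLOAD_ICACHE": 0x1,
    "DIS_DIRECT_BOOT": 0x1, "DIS_DOWNLOAD_MANUAL_ENCRYPT": 0x1, "SECURE_BOOT_EN": 0x1,
    # Set by the app on first boot (see the secure_boot warnings in the step 10 log).
    "SECURE_BOOT_KEY_REVOKE1": 0x1, "SECURE_BOOT_KEY_REVOKE2": 0x1,
}
EXPECTED = {
    "development": {**COMMON, "SOFT_DIS_JTAG": 0x1, "SPI_BOOT_CRYPT_CNT": 0x1},
    "release": {**COMMON, "SOFT_DIS_JTAG": 0x7, "DIS_DOWNLOAD_MODE": 0x1,
                "SPI_BOOT_CRYPT_CNT": 0x7},
}
KEY_PURPOSES = {"KEY_PURPOSE_0": "SECURE_BOOT_DIGEST0", "KEY_PURPOSE_1": "XTS_AES_128_KEY"}

# Constructed sample: a device provisioned with the Development-mode command.
SAMPLE_SUMMARY = """\
DIS_DIRECT_BOOT (BLOCK0)              Represents whether direct boot mode is disabled or = True R/W (0b1)
SOFT_DIS_JTAG (BLOCK0)                Represents whether JTAG is disabled in soft way. O = 1 R/W (0b001)
DIS_PAD_JTAG (BLOCK0)                 Represents whether JTAG is disabled in the hard wa = True R/W (0b1)
DIS_USB_JTAG (BLOCK0)                 Represents whether the function of usb switch to j = True R/W (0b1)
DIS_DOWNLOAD_ICACHE (BLOCK0)          Represents whether icache is disabled or enabled i = True R/W (0b1)
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0)  Represents whether flash encrypt function is disab = True R/W (0b1)
SPI_BOOT_CRYPT_CNT (BLOCK0)           Enables flash encryption when 1 or 3 bits are set  = Enable R/W (0b001)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0)      Revoke 2nd secure boot key                         = True R/W (0b1)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0)      Revoke 3rd secure boot key                         = True R/W (0b1)
KEY_PURPOSE_0 (BLOCK0)                Represents the purpose of Key0                     = SECURE_BOOT_DIGEST0 R/- (0x9)
KEY_PURPOSE_1 (BLOCK0)                Represents the purpose of Key1                     = XTS_AES_128_KEY R/- (0x4)
SECURE_BOOT_EN (BLOCK0)               Represents whether secure boot is enabled or disab = True R/W (0b1)
DIS_DOWNLOAD_MODE (BLOCK0)            Represents whether Download mode is disabled or en = False R/W (0b0)
"""


def parse_summary(text):
    """Return {fuse_name: (meaningful_value, raw_int)}; wrapped description lines are skipped."""
    fuses = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            fuses[m.group(1)] = (m.group(2), int(m.group(3), 0))
    return fuses


def flash_encryption_state(cnt):
    """SPI_BOOT_CRYPT_CNT enables encryption when 1 or 3 bits are set.

    Returns (enabled, plaintext_reflashes_left); the second value matches the
    bootloader's '1 plaintext flashes left' message for a count of 0x1.
    """
    bits = bin(cnt & 0x7).count("1")
    enabled = bits % 2 == 1
    return enabled, (3 - bits) // 2 if enabled else 0


def audit(text, mode):
    """Compare a summary against the fuse values the page burns for `mode`."""
    fuses = parse_summary(text)
    findings = []
    for name, want in EXPECTED[mode].items():
        got = fuses.get(name, (None, None))[1]
        if got != want:
            shown = "missing" if got is None else hex(got)
            findings.append(f"{name}: expected {want:#x}, found {shown}")
    enabled, _left = flash_encryption_state(fuses.get("SPI_BOOT_CRYPT_CNT", ("", 0))[1])
    if not enabled:
        findings.append("SPI_BOOT_CRYPT_CNT: flash encryption is not enabled")
    for name, want in KEY_PURPOSES.items():
        got = fuses.get(name, (None, None))[0]
        if got != want:
            findings.append(f"{name}: expected {want}, found {got}")
    return findings


if __name__ == "__main__":
    for mode in ("development", "release"):
        print(mode, audit(SAMPLE_SUMMARY, mode) or "OK")
```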

10. Finally, reset your device into Flash boot mode:

Run the following command to monitor the firmware log:

E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption>idf.py -p COM69 monitor
Executing action: monitor
Running idf_monitor in directory E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption
Executing "E:\esp2\Espressif\python_env\idf5.4_py3.9_env\Scripts\python.exe E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\tools/idf_monitor.py -p COM69 -b 115200 --toolchain-prefix riscv32-esp-elf- --target esp32c6 --revision 0 --decode-panic backtrace E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption\build\flash_encryption.elf --force-color -m 'E:\esp2\Espressif\python_env\idf5.4_py3.9_env\Scripts\python.exe' 'E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\tools\idf.py' '-p' 'COM69'"...
--- Warning: GDB cannot open serial ports accessed as COMx
--- Using \\.\COM69 instead...
--- esp-idf-monitor 1.6.2 on \\.\COM69 115200
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H
ESP-ROM:esp32c6-20220919
Build:Sep 19 2022
rst:0x1 (POWERON),boot:0xc (SPI_FAST_FLASH_BOOT)
SPIWP:0xee
mode:DIO, clock div:2
Valid secure boot key blocks: 0
RSA-PSS secure boot verification succeeded
load:0x40875890,len:0x366c
load:0x4086c110,len:0xe84
load:0x4086e610,len:0x5d10
entry 0x4086c11a
I (55) boot: ESP-IDF v5.4 2nd stage bootloader
I (55) boot: compile time Apr 10 2025 16:20:52
I (55) boot: chip revision: v0.1
I (56) boot: efuse block revision: v0.3
I (58) boot.esp32c6: SPI Speed      : 80MHz
I (62) boot.esp32c6: SPI Mode       : DIO
I (66) boot.esp32c6: SPI Flash Size : 4MB
I (70) boot: Enabling RNG early entropy source...
I (74) boot: Partition Table:
I (77) boot: ## Label            Usage          Type ST Offset   Length
I (83) boot:  0 nvs              WiFi data        01 02 0000e000 00006000
I (90) boot:  1 storage          Unknown data     01 ff 00014000 00001000
I (96) boot:  2 factory          factory app      00 00 00020000 00100000
I (103) boot:  3 nvs_key          NVS keys         01 04 00120000 00001000
I (109) boot:  4 custom_nvs       WiFi data        01 02 00121000 00006000
I (116) boot:  5 fat_encrypted    Unknown data     01 81 00127000 00096000
I (122) boot:  6 fat_not_encr     Unknown data     01 81 001bd000 00096000
I (129) boot: End of partition table
I (132) esp_image: segment 0: paddr=00020020 vaddr=42020020 size=0b2f4h ( 45812) map
I (149) esp_image: segment 1: paddr=0002b31c vaddr=40800000 size=04cfch ( 19708) load
I (155) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=1f4bch (128188) map
I (182) esp_image: segment 3: paddr=0004f4e4 vaddr=40804cfc size=06a00h ( 27136) load
I (189) esp_image: segment 4: paddr=00055eec vaddr=4080b700 size=019ech (  6636) load
I (192) esp_image: segment 5: paddr=000578e0 vaddr=00000000 size=086f0h ( 34544)
I (201) esp_image: Verifying image signature...
I (201) secure_boot_v2: Verifying with RSA-PSS...
I (205) secure_boot_v2: Signature verified successfully!
I (210) boot: Loaded app from partition at offset 0x20000
I (212) secure_boot_v2: enabling secure boot v2...
I (217) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (223) boot: Checking flash encryption...
I (227) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (234) boot: Disabling RNG early entropy source...
I (250) cpu_start: Unicore app
I (258) cpu_start: Pro cpu start user code
I (259) cpu_start: cpu freq: 160000000 Hz
I (259) app_init: Application information:
I (259) app_init: Project name:     flash_encryption
I (263) app_init: App version:      v5.4
I (267) app_init: Compile time:     Apr 10 2025 16:20:04
I (272) app_init: ELF file SHA256:  a05dbff06...
I (276) app_init: ESP-IDF:          v5.4
I (280) efuse_init: Min chip rev:     v0.0
I (284) efuse_init: Max chip rev:     v0.99
I (288) efuse_init: Chip rev:         v0.1
I (292) heap_init: Initializing. RAM available for dynamic allocation:
I (298) heap_init: At 4080E260 len 0006E3B0 (440 KiB): RAM
I (303) heap_init: At 4087C610 len 00002F54 (11 KiB): RAM
I (308) heap_init: At 50000000 len 00003FE8 (15 KiB): RTCRAM
I (314) spi_flash: detected chip: generic
I (317) spi_flash: flash io: dio
W (320) spi_flash: Detected size(8192k) larger than the size in the binary image header(4096k). Using the size in the binary image header.
W (333) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (364) efuse: Batch mode of writing fields is enabled
W (364) secure_boot: Unused SECURE_BOOT_DIGEST1 should be revoked. Fixing..
W (365) secure_boot: Unused SECURE_BOOT_DIGEST2 should be revoked. Fixing..
I (371) efuse: BURN BLOCK0
I (376) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (380) efuse: Batch mode. Prepared fields are committed
I (384) secure_boot: Fixed
I (387) sleep_gpio: Configure to isolate all GPIO pins in sleep state
I (393) sleep_gpio: Enable automatic switching of GPIO sleep configuration
I (400) coexist: coex firmware version: 49a8cdc
I (404) coexist: coexist rom version 5b8dcfa
I (408) main_task: Started on CPU0
I (408) main_task: Calling app_main()

Example to check Flash Encryption status
This is esp32c6 chip with 1 CPU core(s), WiFi/BLE, silicon revision v0.1, 4MB external flash
FLASH_CRYPT_CNT eFuse value is 1
Flash encryption feature is enabled in DEVELOPMENT mode
Erasing partition "storage" (0x1000 bytes)
Writing data with esp_partition_write:
I (448) example: 0x40811180   00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f  |................|
I (448) example: 0x40811190   10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f  |................|
Reading with esp_partition_read:
I (458) example: 0x408111a0   00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f  |................|
I (468) example: 0x408111b0   10 11 12 13 14 15 16 17  18 19 1a 1b 1c 1d 1e 1f  |................|
Reading with esp_flash_read:
I (478) example: 0x408111a0   9e 97 3c b8 82 5b 7e c4  1f 54 ab 20 b1 84 84 a6  |..<..[~..T. ....|
I (488) example: 0x408111b0   b4 d4 ac 15 b4 e2 ec 19  e3 8e fa 95 f8 b6 3e 77  |..............>w|
I (498) example: Partitions fat_not_encr and fat_encrypted for FATFS example are present
I (508) example_fatfs: FAT partition "fat_not_encr" is not encrypted. Size is (0x96000 bytes)
I (508) example_fatfs: Formatting FAT filesystem
W (598) vfs_fat_spiflash: f_mount failed (13)
I (598) vfs_fat_spiflash: Formatting FATFS partition, allocation unit size=4096
I (798) vfs_fat_spiflash: Mounting again
I (848) example_fatfs: Mounting FAT filesystem
I (848) example_fatfs: Opening file
I (1008) example_fatfs: Written to file: 'the quick brown fox jumped over the lazy dog'
I (1008) example_fatfs: Reading file
I (1008) example_fatfs: Read from file: 'the quick brown fox jumped over the lazy dog'
I (1008) example_fatfs: Unmounting FAT filesystem
I (1058) example_fatfs: Read partition using esp_flash_read until test string is found
I (1118) example_fatfs: 0x40811154   74 68 65 20 71 75 69 63  6b 20 62 72 6f 77 6e 20  |the quick brown |
I (1118) example_fatfs: 0x40811164   66 6f 78 20 6a 75 6d 70  65 64 20 6f 76 65 72 20  |fox jumped over |
I (1128) example_fatfs: 0x40811174   74 68 65 20 6c 61 7a 79  20 64 6f 67              |the lazy dog|
I (1138) example_fatfs: Test string was found at offset (0x8000)
I (1138) example_fatfs: FAT partition "fat_encrypted" is encrypted. Size is (0x96000 bytes)
I (1148) example_fatfs: Formatting FAT filesystem
W (1208) vfs_fat_spiflash: f_mount failed (13)
I (1208) vfs_fat_spiflash: Formatting FATFS partition, allocation unit size=4096
I (1308) vfs_fat_spiflash: Mounting again
I (1348) example_fatfs: Mounting FAT filesystem
I (1348) example_fatfs: Opening file
I (1468) example_fatfs: Written to file: 'the quick brown fox jumped over the lazy dog'
I (1468) example_fatfs: Reading file
I (1468) example_fatfs: Read from file: 'the quick brown fox jumped over the lazy dog'
I (1468) example_fatfs: Unmounting FAT filesystem
I (1518) example_fatfs: Read partition using esp_flash_read at expected offset (0x8000)
I (1518) example_fatfs: 0x4081114c   76 e5 34 70 06 cc d2 82  58 a4 85 3b e1 0c 46 81  |v.4p....X..;..F.|
I (1528) example_fatfs: 0x4081115c   6d 76 ba 62 b1 35 84 0f  54 6f a5 52 f3 1f 29 19  |mv.b.5..To.R..).|
I (1538) example_fatfs: 0x4081116c   bf fb a7 f4 19 92 f0 41  2f 50 a7 99              |.......A/P..|
I (1548) example_fatfs: Data does not match test string
I (1558) main_task: Returned from app_main()

【Please Note 】

We recommend the use of automated tools to complete Flash encryption and secure boot functions, which is more convenient and more secure. You don’t need to manually encrypt the firmware, you don’t need to manually write Efuse, and you don’t even need to figure out which efuse bits to write. You just need to get the signed firmware. In addition, it can also avoid the exception caused by power failure when downloading firmware. Please refer to “Using the ESP Flash Download Tool to finish the Flash Encryption + Secure Boot + NVS Encryption” user guide.
