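Use the official example for learning, to avoid unnecessary errors. The example is located at
esp-idf\examples\security\flash_encryption
All tests are carried out in development mode!
1. Testing without encryption
After setting up the environment variables, copy sdkconfig.defaults and rename the copy to sdkconfig. Encryption is off by default, so the configuration needs no changes.
Just build and flash:
idf.py -p PORT flash monitor  # replace PORT with the actual serial port
The corresponding output is as follows: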
I (76) boot: Chip Revision: 3
I (76) boot_comm: chip revision: 3, min. bootloader chip revision: 0
I (42) boot: ESP-IDF v4.0-9-g390d54d27-dirty 2nd stage bootloader
I (42) boot: compile time 12:42:30
I (42) boot: Enabling RNG early entropy source...
I (48) boot: SPI Speed : 40MHz
I (52) boot: SPI Mode : DIO
I (56) boot: SPI Flash Size : 2MB
I (60) boot: Partition Table:
I (64) boot: ## Label Usage Type ST Offset Length
I (71) boot: 0 nvs WiFi data 01 02 00009000 00006000
I (78) boot: 1 storage Unknown data 01 ff 0000f000 00001000
I (86) boot: 2 factory factory app 00 00 00010000 00100000
I (93) boot: End of partition table
I (97) boot_comm: chip revision: 3, min. application chip revision: 0
I (105) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x05dbc ( 23996) map
I (122) esp_image: segment 1: paddr=0x00015de4 vaddr=0x3ffb0000 size=0x02144 ( 8516) load
I (126) esp_image: segment 2: paddr=0x00017f30 vaddr=0x40080000 size=0x00400 ( 1024) load
0x40080000: _WindowOverflow4 at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/xtensa_vectors.S:1778
I (132) esp_image: segment 3: paddr=0x00018338 vaddr=0x40080400 size=0x07cd8 ( 31960) load
I (154) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x13258 ( 78424) map
0x400d0018: _stext at ??:?
I (182) esp_image: segment 5: paddr=0x00033278 vaddr=0x400880d8 size=0x01cb4 ( 7348) load
0x400880d8: xQueueReceiveFromISR at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/queue.c:1686
I (192) boot: Loaded app from partition at offset 0x10000
I (192) boot: Disabling RNG early entropy source...
I (194) cpu_start: Pro cpu up.
I (197) cpu_start: Application information:
I (202) cpu_start: Project name: flash_encryption
I (208) cpu_start: App version: 1
I (212) cpu_start: Compile time: Oct 18 2022 12:43:06
I (218) cpu_start: ELF file SHA256: f021f72d33fd9b62...
I (224) cpu_start: ESP-IDF: v4.0-9-g390d54d27-dirty
I (231) cpu_start: Starting app cpu, entry point is 0x40080fec
0x40080fec: call_start_cpu1 at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/esp32/cpu_start.c:285
I (0) cpu_start: App cpu up.
I (241) heap_init: Initializing. RAM available for dynamic allocation:
I (248) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (254) heap_init: At 3FFB3138 len 0002CEC8 (179 KiB): DRAM
I (260) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM
I (267) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (273) heap_init: At 40089D8C len 00016274 (88 KiB): IRAM
I (279) cpu_start: Pro cpu start user code
I (298) spi_flash: detected chip: generic
I (298) spi_flash: flash io: dio
W (298) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
I (309) cpu_start: Starting scheduler on PRO CPU.
I (0) cpu_start: Starting scheduler on APP CPU.
Example to check Flash Encryption status
This is ESP32 chip with 2 CPU cores, WiFi/BT/BLE, silicon revision 3, 2MB external flash
FLASH_CRYPT_CNT eFuse value is 0
Flash encryption feature is disabled
Erasing partition "storage" (0x1000 bytes)
Writing data with esp_partition_write:
I (499) example: 0x3ffb4f00 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (499) example: 0x3ffb4f10 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
Reading with esp_partition_read:
I (509) example: 0x3ffb4ee0 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (519) example: 0x3ffb4ef0 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
Reading with spi_flash_read:
I (539) example: 0x3ffb4ee0 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (549) example: 0x3ffb4ef0 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
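2. Testing with encryption
Copy sdkconfig.ci and rename the copy to sdkconfig. This configuration enables flash encryption, in development mode by default. Also change the partition table offset from 0x8000 to 0x9000.
idf.py menuconfig
One thing needs attention here: the example file partitions_example.csv used in this article has a problem. Its default contents are: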
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0x9000, 0x6000,
# Extra partition to demonstrate reading/writing of encrypted flash
storage, data, 0xff, 0xf000, 0x1000, encrypted
factory, app, factory, 0x10000, 1M,
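Using it as-is fails: the nvs partition at 0x9000 conflicts with the partition table offset of 0x9000 set above. Changing it to the following configuration fixes the problem.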
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0xa000, 0x5000,
# Extra partition to demonstrate reading/writing of encrypted flash
storage, data, 0xff, 0xf000, 0x1000, encrypted
factory, app, factory, 0x10000, 1M,
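The conflict described above can be checked before building. This is an added example, not part of the original post or of ESP-IDF: it parses the two tables quoted here and reports overlaps against the partition table's own region, assuming that region occupies 0x1000 bytes and that every row carries an explicit offset. The names find_conflicts, parse_partitions and parse_number are hypothetical.

```python
import csv
import io

# Assumption: one 0x1000-byte flash sector is reserved for the partition table itself.
PARTITION_TABLE_SIZE = 0x1000

# The two tables quoted on this page.
ORIGINAL_CSV = """\
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, 0x9000, 0x6000,
# Extra partition to demonstrate reading/writing of encrypted flash
storage, data, 0xff, 0xf000, 0x1000, encrypted
factory, app, factory, 0x10000, 1M,
"""
FIXED_CSV = ORIGINAL_CSV.replace("0x9000, 0x6000", "0xa000, 0x5000")


def parse_number(text):
    """Parse 0x-prefixed or decimal values with an optional K/M suffix."""
    text = text.strip()
    scale = {"k": 1024, "m": 1024 * 1024}.get(text[-1:].lower(), 1)
    if scale != 1:
        text = text[:-1]
    return int(text, 0) * scale


def parse_partitions(csv_text):
    """Return (name, offset, size) for every non-comment row."""
    parts = []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].strip().startswith("#"):
            continue
        name, _type, _subtype, offset, size = (c.strip() for c in row[:5])
        parts.append((name, parse_number(offset), parse_number(size)))
    return parts


def find_conflicts(csv_text, table_offset):
    """Return pairs of region names whose address ranges overlap."""
    regions = [("partition-table", table_offset, PARTITION_TABLE_SIZE)]
    regions += parse_partitions(csv_text)
    regions.sort(key=lambda r: r[1])  # stable: the table sorts first on a tie
    conflicts = []
    for (a, a_off, a_size), (b, b_off, _) in zip(regions, regions[1:]):
        if a_off + a_size > b_off:
            conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CSV), ("fixed", FIXED_CSV)):
        print(label, find_conflicts(text, 0x9000))
```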
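Rebuild and flash:
idf.py -p PORT flash monitor  # replace PORT with the actual serial port
Output with encryption enabled is as follows.
Output on the first boot, when encryption is performed: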
I (78) boot: Chip Revision: 3
I (78) boot_comm: chip revision: 3, min. bootloader chip revision: 0
I (40) boot: ESP-IDF v4.0-9-g390d54d27-dirty 2nd stage bootloader
I (40) boot: compile time 12:57:21
I (40) boot: Enabling RNG early entropy source...
I (46) boot: SPI Speed : 40MHz
I (50) boot: SPI Mode : DIO
I (54) boot: SPI Flash Size : 2MB
I (58) boot: Partition Table:
I (62) boot: ## Label Usage Type ST Offset Length
I (69) boot: 0 nvs WiFi data 01 02 0000a000 00005000
I (77) boot: 1 storage Unknown data 01 ff 0000f000 00001000
I (84) boot: 2 factory factory app 00 00 00010000 00100000
I (92) boot: End of partition table
I (96) boot_comm: chip revision: 3, min. application chip revision: 0
I (103) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x0615c ( 24924) map
I (121) esp_image: segment 1: paddr=0x00016184 vaddr=0x3ffb0000 size=0x02144 ( 8516) load
I (124) esp_image: segment 2: paddr=0x000182d0 vaddr=0x40080000 size=0x00400 ( 1024) load
0x40080000: _WindowOverflow4 at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/xtensa_vectors.S:1778
I (130) esp_image: segment 3: paddr=0x000186d8 vaddr=0x40080400 size=0x07938 ( 31032) load
I (152) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x13360 ( 78688) map
0x400d0018: _stext at ??:?
I (180) esp_image: segment 5: paddr=0x00033380 vaddr=0x40087d38 size=0x025b4 ( 9652) load
0x40087d38: vPortYield at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/portasm.S:548
I (191) boot: Loaded app from partition at offset 0x10000
I (191) boot: Checking flash encryption...
I (191) flash_encrypt: Generating new flash encryption key...
I (209) flash_encrypt: Read & write protecting new key...
I (220) flash_encrypt: Setting CRYPT_CONFIG efuse to 0xF
W (232) flash_encrypt: Not disabling UART bootloader encryption
I (232) flash_encrypt: Disable UART bootloader decryption...
I (233) flash_encrypt: Disable UART bootloader MMU cache...
I (240) flash_encrypt: Disable JTAG...
I (244) flash_encrypt: Disable ROM BASIC interpreter fallback...
I (262) boot_comm: chip revision: 3, min. application chip revision: 0
I (262) esp_image: segment 0: paddr=0x00001020 vaddr=0x3fff0018 size=0x00004 ( 4)
I (269) esp_image: segment 1: paddr=0x0000102c vaddr=0x3fff001c size=0x0229c ( 8860)
I (281) esp_image: segment 2: paddr=0x000032d0 vaddr=0x40078000 size=0x03f80 ( 16256)
I (292) esp_image: segment 3: paddr=0x00007258 vaddr=0x40080400 size=0x010d0 ( 4304)
I (968) flash_encrypt: Encrypting partition 1 at offset 0xf000...
I (1046) boot_comm: chip revision: 3, min. application chip revision: 0
I (1046) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x0615c ( 24924) map
I (1060) esp_image: segment 1: paddr=0x00016184 vaddr=0x3ffb0000 size=0x02144 ( 8516)
I (1064) esp_image: segment 2: paddr=0x000182d0 vaddr=0x40080000 size=0x00400 ( 1024)
0x40080000: _WindowOverflow4 at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/xtensa_vectors.S:1778
I (1069) esp_image: segment 3: paddr=0x000186d8 vaddr=0x40080400 size=0x07938 ( 31032)
I (1089) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x13360 ( 78688) map
0x400d0018: _stext at ??:?
I (1117) esp_image: segment 5: paddr=0x00033380 vaddr=0x40087d38 size=0x025b4 ( 9652)
0x40087d38: vPortYield at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/portasm.S:548
I (1121) flash_encrypt: Encrypting partition 2 at offset 0x10000...
I (20295) flash_encrypt: Flash encryption completed
I (20296) boot: Resetting with flash encryption enabled...
Output after the reset, with encryption active:
I (80) boot: Chip Revision: 3
I (80) boot_comm: chip revision: 3, min. bootloader chip revision: 0
I (40) boot: ESP-IDF v4.0-9-g390d54d27-dirty 2nd stage bootloader
I (40) boot: compile time 12:57:21
I (40) boot: Enabling RNG early entropy source...
I (46) boot: SPI Speed : 40MHz
I (50) boot: SPI Mode : DIO
I (54) boot: SPI Flash Size : 2MB
I (58) boot: Partition Table:
I (62) boot: ## Label Usage Type ST Offset Length
I (69) boot: 0 nvs WiFi data 01 02 0000a000 00005000
I (77) boot: 1 storage Unknown data 01 ff 0000f000 00001000
I (84) boot: 2 factory factory app 00 00 00010000 00100000
I (92) boot: End of partition table
I (96) boot_comm: chip revision: 3, min. application chip revision: 0
I (103) esp_image: segment 0: paddr=0x00010020 vaddr=0x3f400020 size=0x0615c ( 24924) map
I (121) esp_image: segment 1: paddr=0x00016184 vaddr=0x3ffb0000 size=0x02144 ( 8516) load
I (125) esp_image: segment 2: paddr=0x000182d0 vaddr=0x40080000 size=0x00400 ( 1024) load
0x40080000: _WindowOverflow4 at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/xtensa_vectors.S:1778
I (130) esp_image: segment 3: paddr=0x000186d8 vaddr=0x40080400 size=0x07938 ( 31032) load
I (152) esp_image: segment 4: paddr=0x00020018 vaddr=0x400d0018 size=0x13360 ( 78688) map
0x400d0018: _stext at ??:?
I (181) esp_image: segment 5: paddr=0x00033380 vaddr=0x40087d38 size=0x025b4 ( 9652) load
0x40087d38: vPortYield at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/freertos/portasm.S:548
I (192) boot: Loaded app from partition at offset 0x10000
I (192) boot: Checking flash encryption...
I (192) flash_encrypt: flash encryption is enabled (3 plaintext flashes left)
I (200) boot: Disabling RNG early entropy source...
I (206) cpu_start: Pro cpu up.
I (209) cpu_start: Application information:
I (214) cpu_start: Project name: flash_encryption
I (220) cpu_start: App version: 1
I (224) cpu_start: Compile time: Oct 18 2022 12:57:55
I (230) cpu_start: ELF file SHA256: ee9ed9c2e271fc27...
I (236) cpu_start: ESP-IDF: v4.0-9-g390d54d27-dirty
I (243) cpu_start: Starting app cpu, entry point is 0x40081038
0x40081038: call_start_cpu1 at /home/pi/blueair/ba_esp32/fw.esp32/esp-idf/components/esp32/cpu_start.c:285
W (249) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (0) cpu_start: App cpu up.
I (260) heap_init: Initializing. RAM available for dynamic allocation:
I (267) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (273) heap_init: At 3FFB3138 len 0002CEC8 (179 KiB): DRAM
I (280) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM
I (286) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (292) heap_init: At 4008A2EC len 00015D14 (87 KiB): IRAM
I (299) cpu_start: Pro cpu start user code
I (317) spi_flash: detected chip: generic
I (317) spi_flash: flash io: dio
W (318) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
I (328) cpu_start: Starting scheduler on PRO CPU.
I (0) cpu_start: Starting scheduler on APP CPU.
Example to check Flash Encryption status
This is ESP32 chip with 2 CPU cores, WiFi/BT/BLE, silicon revision 3, 2MB external flash
FLASH_CRYPT_CNT eFuse value is 1
Flash encryption feature is enabled in DEVELOPMENT mode
Erasing partition "storage" (0x1000 bytes)
Writing data with esp_partition_write:
I (481) example: 0x3ffb4f00 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (481) example: 0x3ffb4f10 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
Reading with esp_partition_read:
I (501) example: 0x3ffb4ee0 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (511) example: 0x3ffb4ef0 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
Reading with spi_flash_read:
I (521) example: 0x3ffb4ee0 db 13 54 91 f2 44 87 c2 f8 0f 9e 5d bd c0 ef ca |..T..D.....]....|
I (531) example: 0x3ffb4ef0 45 f7 4e 6b ad 34 a5 d8 c2 e4 45 32 ca 30 79 bc |E.Nk.4....E2.0y.|
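3. Disabling encryption
The official website notes that if a mistake leaves the device unable to run normally, encryption can be disabled, but there are only 3 chances.
First disable the flash encryption feature; make absolutely sure it is disabled!
Rebuild and flash:
idf.py -p PORT flash
Use espefuse.py (in components/esptool_py/esptool) to turn off FLASH_CRYPT_CNT:
espefuse.py burn_efuse FLASH_CRYPT_CNT
A prompt appears during execution; type BURN to confirm.
Reset the development board; it is now unencrypted again.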
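Why there are only three chances, as an added example (not code from ESP-IDF or from the original post): it models FLASH_CRYPT_CNT as the 7-bit ESP32 eFuse field in which an odd number of burned bits means encryption is on, and assumes each burn sets the next unburned bit. The function names are hypothetical; the values 0, 1 and "3 plaintext flashes left" correspond to the logs above.

```python
FIELD_BITS = 7                      # FLASH_CRYPT_CNT is a 7-bit eFuse field on the ESP32
FIELD_MAX = (1 << FIELD_BITS) - 1   # 0x7F: every bit burned


def popcount(value):
    """Number of burned bits inside the field."""
    return bin(value & FIELD_MAX).count("1")


def encryption_enabled(cnt):
    """Flash encryption is active when an odd number of bits is burned."""
    return popcount(cnt) % 2 == 1


def plaintext_flashes_left(cnt):
    """Remaining disable/re-flash cycles, the figure shown in the boot log."""
    return (FIELD_BITS - popcount(cnt)) // 2


def burn_next_bit(cnt):
    """Model one burn: set the lowest unburned bit. eFuse bits never clear."""
    if cnt & FIELD_MAX == FIELD_MAX:
        raise ValueError("all FLASH_CRYPT_CNT bits are already burned")
    return cnt | (cnt + 1)


def lifecycle(cnt=0):
    """List (value, enabled, flashes_left) for every state reachable from cnt."""
    states = [(cnt, encryption_enabled(cnt), plaintext_flashes_left(cnt))]
    while cnt != FIELD_MAX:
        cnt = burn_next_bit(cnt)
        states.append((cnt, encryption_enabled(cnt), plaintext_flashes_left(cnt)))
    return states


if __name__ == "__main__":
    for value, enabled, left in lifecycle():
        state = "enabled" if enabled else "disabled"
        print(f"FLASH_CRYPT_CNT=0x{value:02x} encryption {state}, {left} plaintext flashes left")
```

Starting from the value 1 seen in the log, the field can reach a disabled state three more times (0x03, 0x0f, 0x3f); at 0x7f encryption stays on permanently.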