Bootloader encrypt_flash_contents: add means to encrypt application image only (IDFGH-11439) #12576

Closed
boborjan2 opened this issue Nov 13, 2023 · 2 comments
Labels
Resolution: NA Issue resolution is unavailable Status: Done Issue is done internally Type: Feature Request Feature request for IDF

Comments

@boborjan2

Is your feature request related to a problem?

When enabling flash encryption, the bootloader will set the relevant fuses and encrypt partitions on the next boot. Partition encryption is very slow btw: it takes ~30s to encrypt a 1.5M partition. It becomes even more relevant when we first flash a small app for EOL testing. It basically doubles our EOL times (compared to the non-encrypted process).

Describe the solution you'd like.

App partition encryption is performed by encrypt_partition() in bootloader_support/src/flash_encryption/flash_encrypt.c. Here all the information is available to encrypt the image only (instead of the whole partition). An example solution is as follows:

static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partition)
{
    esp_err_t err;
    bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
    uint32_t size = partition->pos.size;

    if (partition->type == PART_TYPE_APP) {
        /* check if the partition holds a valid unencrypted app */
        esp_image_metadata_t metadata;
        err = esp_image_verify(ESP_IMAGE_VERIFY,
                               &partition->pos,
                               &metadata);
        if((should_encrypt = (err == ESP_OK))) {
            size = metadata.image_len;
        }
    } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
                || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
        /* check if we have ota data partition and the partition should be encrypted unconditionally */
        should_encrypt = true;
    }

    if (!should_encrypt) {
        return ESP_OK;
    } else {
        /* should_encrypt */
        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size);

        err = esp_flash_encrypt_region(partition->pos.offset, size);
        ESP_LOGI(TAG, "Done encrypting");
        if (err != ESP_OK) {
            ESP_LOGE(TAG, "Failed to encrypt partition %d", index);
        }
        return err;
    }
}

The change may also be configurable via menuconfig.

Describe alternatives you've considered.

No response

Additional context.

No response

@boborjan2 boborjan2 added the Type: Feature Request Feature request for IDF label Nov 13, 2023
@espressif-bot espressif-bot added the Status: Opened Issue is new label Nov 13, 2023
@github-actions github-actions bot changed the title Bootloader encrypt_flash_contents: add means to encrypt application image only Bootloader encrypt_flash_contents: add means to encrypt application image only (IDFGH-11439) Nov 13, 2023
@mahavirj
Member

@boborjan2

Thanks for the suggestion, looks quite useful!

However, the actual image length may vary depending on whether secure boot is enabled. We will have to take the padding and signature block into account in the calculations. We will analyze this further and share the update on this tracker.
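
The length calculation raised in the comment above, as an added example that is not part of the thread and is not ESP-IDF code: it rounds the verified image length up to a sector boundary, optionally adds room for a trailing signature block, and falls back to encrypting the whole partition whenever the result cannot be trusted. The helper names, the 4096-byte sector and signature-block sizes, and the assumption that the reported image length excludes the signature block are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed constants for illustration (not taken from the issue thread). */
#define SECTOR_SIZE    4096u  /* assumed flash encryption granularity */
#define SIG_BLOCK_SIZE 4096u  /* assumed space reserved for an appended signature block */

/* Round v up to a multiple of SECTOR_SIZE; returns false on 32-bit overflow. */
static bool align_up_sector(uint32_t v, uint32_t *out)
{
    uint32_t rem = v % SECTOR_SIZE;
    if (rem == 0) {
        *out = v;
        return true;
    }
    if (v > UINT32_MAX - (SECTOR_SIZE - rem)) {
        return false;
    }
    *out = v + (SECTOR_SIZE - rem);
    return true;
}

/*
 * Hypothetical helper: number of bytes to encrypt for an app partition.
 *   image_len    - length reported by image verification (assumed to
 *                  exclude any signature block)
 *   part_size    - full partition size
 *   sig_appended - true when a signature block follows the padded image
 * Fails closed: returns part_size (encrypt everything) whenever the
 * computed length is invalid or would overflow, so verified image data
 * is never left in plaintext because of a bad length.
 */
uint32_t app_encrypt_len(uint32_t image_len, uint32_t part_size, bool sig_appended)
{
    uint32_t len;

    if (image_len == 0 || image_len > part_size) {
        return part_size;
    }
    if (!align_up_sector(image_len, &len)) {
        return part_size;
    }
    if (sig_appended) {
        if (len > UINT32_MAX - SIG_BLOCK_SIZE) {
            return part_size;
        }
        len += SIG_BLOCK_SIZE;
    }
    /* Never encrypt past the end of the partition. */
    return (len > part_size) ? part_size : len;
}
```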

@espressif-bot espressif-bot added Status: Reviewing Issue is being reviewed and removed Status: Opened Issue is new labels Nov 28, 2023
@espressif-bot espressif-bot added Status: Done Issue is done internally Resolution: NA Issue resolution is unavailable and removed Status: Reviewing Issue is being reviewed labels Dec 19, 2023
@Harshal5
Collaborator

Feature implemented in 4294384, thus closing this issue.

espressif-bot pushed a commit that referenced this issue Feb 17, 2024
…hole partition

Currently, when flash encryption is enabled, the whole partition gets encrypted.
This can be optimised by encrypting only the app image instead of encrypting the whole partition.

Closes #12576
espressif-bot pushed a commit that referenced this issue Mar 1, 2024