
Protecting the ESP32’s Flash Memory and Firmware Using the ESP-IDF Framework
Now that we live in the Internet of Things (IoT) age, wireless connectivity is the norm for most devices. Espressif Systems’ ESP32 is a widely adopted, low-cost System on Chip (SoC) microcontroller for IoT products because it integrates Wi-Fi and Bluetooth radios on one chip, draws little power, and has proven dependable in the field. The question that follows is how to keep the data and the connections of these products secure. For HTTPS, IoT cloud (AWS IoT, Azure, Google Firebase, etc.) authentication and data communication, the ESP32 supports X.509 certificate-based mutual TLS authentication. For data at rest, it can protect the contents of its SPI flash, including the bootloader, against an attacker who dumps the flash chip or drives the chip’s serial bootloader with physical access. Those at-rest and boot-time protections are the focus of today’s discussion. The ESP32 has two primary layers of protection: Secure Boot and flash security (also dubbed Flash Encryption).
What are the eFuse Blocks in the ESP32?
The ESP32 includes a 1024-bit bank of One-Time-Programmable (OTP) memory, the eFuses, organized as four blocks (BLK0 to BLK3) of 256 bits each.
BLK0 holds chip configuration and the protection bits, BLK1 holds the flash encryption key, BLK2 holds the Secure Boot key material (with Secure Boot V2, a digest of the signing public key), and BLK3 is left for custom data. Once the bootloader or espefuse.py burns a key and sets its read-protection bit, no software running on the chip can read it back, not even the UART bootloader; only the hardware flash-encryption and Secure Boot engines consume it. You can still see which keys and protections have been set with `espefuse.py summary`, which is the check to run before and after enabling either feature.
What is Flash Encryption? How to Enable it on ESP32?
To protect what is stored in the ESP32’s flash, enable the Flash Encryption feature of Espressif’s ESP-IDF framework. When activated, flash encryption encrypts the contents of the ESP32’s SPI flash, including (but not limited to) the following:
- Firmware bootloader
- Partition table
- All “app” type (application) partitions
- Any partition marked with the “encrypted” flag in the partition table
Flash Encryption is turned on in an ESP-IDF project by changing a single setting in the project configuration.
Open the project configuration (idf.py menuconfig) and go to
“Security Features” --> “Enable flash encryption on boot” --> “Enable usage mode (Development(NOT SECURE))” / “Enable usage mode (Release)”
Flash encryption has two usage modes:
- Development mode (marked NOT SECURE for a reason): the UART bootloader stays usable, so you can still read out flash over UART and write fresh plaintext images with esptool.py’s --encrypt option, which has the ROM bootloader encrypt them on the way in. Anyone with physical access can do the same, so this mode is for bench work only.
- Release mode is the one for manufacturing and production. The UART bootloader’s flash encryption and decryption operations are disabled (the DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT and DISABLE_DL_CACHE eFuses are burned), so plaintext firmware can no longer be written over UART or JTAG and new firmware is delivered over-the-air (OTA). A pre-encrypted image can still be written over UART if you hold the key, which is only possible when the key was generated on the host rather than on the device.
When flash encryption is disabled, the build’s binaries are flashed into the ESP32’s memory in plaintext and stay that way. With flash encryption enabled, the images are still written in plaintext, but on the first boot the bootloader generates a random 256-bit AES key (unless one was pre-generated with `espsecure.py generate_flash_encryption_key` and burned with `espefuse.py burn_key flash_encryption`), burns it into eFuse BLK1 with read and write protection, encrypts each of the partitions listed above in place, records that encryption is enabled in the FLASH_CRYPT_CNT eFuse, and then reboots into the normal boot sequence.
From then on the flash cache does the work: reads that go through the cache/MMU (instruction fetch, memory-mapped reads, `esp_partition_read` on an encrypted partition) are decrypted transparently in hardware, while writes to an encrypted partition must use the encrypting path (`esp_partition_write`, or `spi_flash_write_encrypted`). A raw `spi_flash_read` of an encrypted region returns ciphertext, which is a useful way to confirm that encryption really took effect.
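The partition list above is the part that bites in practice: anything not on it, most importantly the default `nvs` partition where the Wi-Fi driver stores credentials, stays in plaintext and is readable from a dumped flash chip. The script below is an added example, not ESP-IDF code: it parses a partitions.csv in the ESP-IDF format and applies the coverage rules from the ESP-IDF flash-encryption documentation (app partitions, otadata, nvs_keys and anything carrying the `encrypted` flag are encrypted; the bootloader and the table itself are always encrypted but never appear as rows). The sample table is constructed for the example.

```python
"""Which partitions will ESP32 flash encryption actually cover?

Added illustrative script (not ESP-IDF code). It parses an ESP-IDF
partitions.csv and applies the coverage rules from the ESP-IDF
flash-encryption documentation, so you can see before burning any eFuse
what will remain in plaintext.
"""
from dataclasses import dataclass

# Constructed sample in the ESP-IDF partitions.csv format.
SAMPLE_PARTITION_TABLE = """\
# Name,   Type, SubType, Offset,  Size,   Flags
nvs,      data, nvs,     0x9000,  0x6000,
otadata,  data, ota,     0xf000,  0x2000,
phy_init, data, phy,     0x11000, 0x1000,
factory,  app,  factory, 0x20000, 1M,
ota_0,    app,  ota_0,   ,        1M,
storage,  data, spiffs,  ,        512K,   encrypted
"""


@dataclass
class Partition:
    name: str
    ptype: str
    subtype: str
    flags: tuple


def parse_partition_table(text):
    """Parse the CSV rows; '#' starts a comment, flags are ':'-separated."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        fields += [""] * (6 - len(fields))  # tolerate a missing Flags column
        name, ptype, subtype, _offset, _size, flags = fields[:6]
        rows.append(Partition(name, ptype, subtype,
                              tuple(f for f in flags.split(":") if f)))
    return rows


def encryption_reason(p):
    """Explain whether the bootloader encrypts this partition in place on first boot."""
    if p.ptype == "app":
        return "encrypted: app partition"
    if p.ptype == "data" and p.subtype in ("ota", "nvs_keys"):
        return "encrypted: %s partition is always encrypted" % p.subtype
    if "encrypted" in p.flags:
        return "encrypted: 'encrypted' flag set in partition table"
    return "PLAINTEXT: readable from a dumped flash chip"


def coverage_report(text):
    """Map partition name -> reason string for every row in the table."""
    return {p.name: encryption_reason(p) for p in parse_partition_table(text)}


def plaintext_partitions(text):
    """Names of partitions that flash encryption leaves unprotected."""
    return [name for name, why in coverage_report(text).items()
            if why.startswith("PLAINTEXT")]


if __name__ == "__main__":
    for name, why in coverage_report(SAMPLE_PARTITION_TABLE).items():
        print("%-9s %s" % (name, why))
    exposed = plaintext_partitions(SAMPLE_PARTITION_TABLE)
    if exposed:
        print("Unprotected: " + ", ".join(exposed))
```

For the sample table the report leaves `nvs` and `phy_init` in plaintext. The `nvs` case matters: ESP-IDF does not encrypt the NVS partition through flash encryption, it provides a separate NVS encryption feature (keys kept in an `nvs_keys` partition, which is itself flash-encrypted), and that is what you need if Wi-Fi credentials or tokens live in NVS.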
What is Secure Boot? How to Enable it on ESP32?
ESP32 Secure Boot is a security feature that ensures only software signed with your key can run on the device. When Secure Boot is enabled, the signature of each image in flash is verified before it is executed. Secure Boot V2, available on ESP32 ECO3 (chip revision 3) and later, uses RSA-3072 (RSA-PSS) signatures and stores a SHA-256 digest of the signing public key in eFuse BLK2; the original Secure Boot V1 uses an ECDSA (NIST P-256) signature on the application image and a secure bootloader key in BLK2 that the ROM uses to check a digest of the bootloader. Secure Boot serves as the “guardian of the ESP32,” as its name implies.
Secure Boot is enabled from the same menuconfig screen as Flash Encryption:
“Security Features” --> “Enable hardware Secure Boot in bootloader”, then select the Secure Boot version and point the build at your signing key (generated with `espsecure.py generate_signing_key`). Keep that private key off the device and out of the repository; anyone who holds it can sign firmware the chip will trust.
How does Secure Boot work?
At power-on the ESP32’s mask ROM, the first-stage bootloader that cannot be modified, verifies the software (second-stage) bootloader in flash against the key material in eFuse BLK2 before running it. The software bootloader then verifies the signature of the application image (with the Secure Boot V2 public key, or under V1 with the ECDSA public key compiled into the bootloader) before jumping to it, and the same verification is applied to images received by OTA before they are accepted. An image that fails verification is never executed, so the chain of trust runs from the ROM through the bootloader to the application.
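Both features are decided by Kconfig symbols in the generated sdkconfig, and the mistake that ships most often is a device built with flash encryption still in Development mode or with Secure Boot left off. The script below is an added example, not part of ESP-IDF: a pre-release gate that parses an sdkconfig and reports anything that leaves the device open. The symbol names (CONFIG_SECURE_FLASH_ENC_ENABLED, CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT / _RELEASE, CONFIG_SECURE_BOOT, CONFIG_SECURE_BOOT_V2_ENABLED, CONFIG_SECURE_BOOT_INSECURE) are those of ESP-IDF v4.x/v5.x; older trees used different names, so treat them as an assumption to check against your version. The two sdkconfig excerpts are constructed for the example.

```python
"""Pre-release gate for an ESP32 sdkconfig: are Secure Boot and flash
encryption set the way a shipped device needs them?

Added example, not ESP-IDF tooling. It reads the generated sdkconfig
(Kconfig output) and flags settings that leave the device open. Symbol
names follow ESP-IDF v4.x/v5.x (assumption: adjust for your tree).
"""
import re

# Constructed sdkconfig excerpts (only the relevant lines are shown).
DEV_SDKCONFIG = """\
CONFIG_SECURE_FLASH_ENC_ENABLED=y
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE is not set
# CONFIG_SECURE_BOOT is not set
"""

RELEASE_SDKCONFIG = """\
CONFIG_SECURE_BOOT=y
CONFIG_SECURE_BOOT_V2_ENABLED=y
# CONFIG_SECURE_BOOT_INSECURE is not set
CONFIG_SECURE_FLASH_ENC_ENABLED=y
# CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT is not set
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
"""

_SET_RE = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_sdkconfig(text):
    """Return {symbol: value}; a '# ... is not set' line maps to 'n'."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET_RE.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg


def enabled(cfg, symbol):
    """A bool Kconfig symbol is on only when it is literally 'y'."""
    return cfg.get(symbol, "n") == "y"


def audit_sdkconfig(text):
    """List of findings; an empty list means the config is release-ready."""
    cfg = parse_sdkconfig(text)
    findings = []
    if not enabled(cfg, "CONFIG_SECURE_FLASH_ENC_ENABLED"):
        findings.append("flash encryption disabled: flash contents ship in plaintext")
    elif (enabled(cfg, "CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT")
          or not enabled(cfg, "CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE")):
        findings.append("flash encryption in Development mode: plaintext re-flash "
                        "over UART is still possible")
    if not enabled(cfg, "CONFIG_SECURE_BOOT"):
        findings.append("Secure Boot disabled: an unsigned bootloader or app will run")
    else:
        if enabled(cfg, "CONFIG_SECURE_BOOT_INSECURE"):
            findings.append("CONFIG_SECURE_BOOT_INSECURE set: debug-only relaxations allowed")
        if not enabled(cfg, "CONFIG_SECURE_BOOT_V2_ENABLED"):
            findings.append("Secure Boot V1 selected: prefer V2 (RSA-3072) on ESP32 ECO3 and later")
    return findings


def release_ready(text):
    return not audit_sdkconfig(text)


if __name__ == "__main__":
    for label, cfg_text in (("dev", DEV_SDKCONFIG), ("release", RELEASE_SDKCONFIG)):
        problems = audit_sdkconfig(cfg_text)
        print(label, "OK" if not problems else "NOT release-ready")
        for p in problems:
            print("  -", p)
```

Run it against build/sdkconfig in CI before the release build is signed; because the eFuse changes made on first boot are permanent, this is far cheaper than finding a Development-mode batch after it has shipped.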
Conclusion
The ESP32’s protections (Secure Boot and Flash Encryption) are configured in the bootloader build and take effect on the first boot after flashing, when the corresponding eFuses are burned. Enable both: flash encryption protects the confidentiality of what is in flash, Secure Boot protects its integrity and authenticity, and neither substitutes for the other. Switch flash encryption to Release mode only once the configuration is final, because the eFuse changes cannot be undone.