Validating that my code is safe on the board - some help please!

[sotpotatis]

Hi!

I am working on securing an ESP32 microcontroller with flash encryption and secure boot. I don't want to blindly trust that the commands given in the docs without verifying it myself.
Especially because I recently found out that the flash encryption didn't behave as I expected

I am using a GPY board, made by a company called Pycom. Unfortunately this company no longer exists and their forums are shut down.
This is their port's source code: https://github.com/pycom/pycom-micropython-sigfox

However, I believe that the process of securing their firmware is the same as any other ESP32 device.

What I want to verify is that the code that is on the device (Python files) can not be read by anyone that doesn't have access to the keys used to encrypt it.

I will put my questions at the end of this post after telling you what I've done to try invesigating if you can read out the source code of the device:

I believe I have enabled secure boot and flash encryption. I use the following commands for that:

python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key flash_encryption ${flash_encryption_key_path}
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_key secure_boot ${secure_bootloader_key_path}
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CNT
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse FLASH_CRYPT_CONFIG 0x0F
python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port /dev/ttyUSB0 burn_efuse ABS_DONE_0

keys are generated using:

python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_flash_encryption_key ${flash_encryption_key_path} #Generate a flash encryption key
python $IDF_PATH/components/esptool_py/esptool/espsecure.py generate_signing_key ${secure_boot_signing_key_path} #Generate a secure boot signing key

If I perform a readout of the flash using esptool.py -p /dev/ttyUSB0 --no-stub read_flash 0x400000 0x400000 flash_contents_after_enc.bin --flash_size 8MB (as suggested by robert-hh in another discussion),
I can not find a trace of the source code in the .bin file (only this):

Hex View  00 01 02 03 04 05 06 07  08 09 0A 0B 0C 0D 0E 0F
 
00000000  0F 00 00 00 F0 0F FF F7  6C 69 74 74 6C 65 66 73  ........littlefs
00000010  2F E0 00 10 00 00 02 00  00 10 00 00 00 04 00 00  /...............
00000020  FE 03 00 00 FF FF FF 7F  FE 03 00 00 20 00 14 1F  ............ ...
00000030  6D 61 69 6E 2E 70 79 20  00 00 25 23 20 6D 61 69  main.py ..%# mai
00000040  6E 2E 70 79 20 2D 2D 20  70 75 74 20 79 6F 75 72  n.py -- put your
00000050  20 63 6F 64 65 20 68 65  72 65 21 0D 0A 10 00 00   code here!.....
00000060  26 21 28 00 00 30 00 10  03 62 6F 6F 74 2E 70 79  &!(..0...boot.py
00000070  20 00 00 1A 23 20 62 6F  6F 74 2E 70 79 20 2D 2D   ...# boot.py --
00000080  20 72 75 6E 20 6F 6E 20  62 6F 6F 74 2D 75 70 0D   run on boot-up.

Same if I use the on-device REPL:

>>> open("boot.py").read()
'# boot.py -- run on boot-up\r\n'

and also if I list the /flash and /flash/lib folder, there are no traces of my code there.

Also looked at the efuse summary:

espefuse.py --port /dev/ttyUSB0 summary
espefuse.py v4.8.1
Connecting.....
Detecting chip type... Unsupported detection protocol, switching and trying again...
Connecting...
Detecting chip type... ESP32

=== Run "summary" command ===
EFUSE_NAME (Block) Description  = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Calibration fuses:
...
DISABLE_DL_CACHE (BLOCK0)                          Disable flash cache in UART bootloader             = False R/W (0b0)

Flash fuses:
FLASH_CRYPT_CNT (BLOCK0)                           Flash encryption is enabled if this field has an o = 1 R/W (0b0000001)
                                                   dd number of bits set                             
FLASH_CRYPT_CONFIG (BLOCK0)                        Flash encryption config (key tweak bits)           = 15 R/W (0xf)
Identity fuses:
...
Jtag fuses:
...
Mac fuses:
...
Security fuses:
UART_DOWNLOAD_DIS (BLOCK0)                         Disable UART download mode. Valid for ESP32 V3 and = False R/W (0b0)
                                                    newer; only                                      
ABS_DONE_0 (BLOCK0)                                Secure boot V1 is enabled for bootloader image     = True R/W (0b1)
ABS_DONE_1 (BLOCK0)                                Secure boot V2 is enabled for bootloader image     = False R/W (0b0)
DISABLE_DL_ENCRYPT (BLOCK0)                        Disable flash encryption in UART bootloader        = False R/W (0b0)
DISABLE_DL_DECRYPT (BLOCK0)                        Disable flash decryption in UART bootloader        = False R/W (0b0)
KEY_STATUS (BLOCK0)                                Usage of efuse block 3 (reserved)                  = False R/W (0b0)
SECURE_VERSION (BLOCK3)                            Secure version for anti-rollback                   = 0 R/W (0x00000000)
BLOCK1 (BLOCK1)                                    Flash encryption key                              
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/- 
BLOCK2 (BLOCK2)                                    Security boot key                                 
   = ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? -/- 
BLOCK3 (BLOCK3)                                    Variable Block 3                                  
   = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W 
Spi Pad fuses:
...
Vdd fuses:
...
Flash voltage (VDD_SDIO) set to 1.8V by efuse.

From this it looks to me that flash encryption and secureboot is enabled. I assume that ?? means that the keys are burnt correctly.

Now to my questions:

1. Main question: As I said above: What I want to verify is that the code that is on the device (Python files) can not be read by anyone that doesn't have access to the keys used to encrypt it.
   I do not know how to validate this. I have only dumped the flash as I would assume that it would be where the source code code would be located if the encryption didn't work, but this is 95% guesswork. Should I dump another part of the memory (the factory partition?) Is there any other command I can consult to validate that the code is encrypted? Recall I am using a 3rd party Micropython port. You can find the partition layout for my board here: https://github.com/pycom/pycom-micropython-sigfox/blob/a37510c092bcec00671c924accb97dcdfa2f4b5d/esp32/boards/GPY/script_8MB_enc (I assume I should look at the _enc file and not the file without that prefix)

2. Bonus question: The ESP32 docs say that

By default, on first boot the flash encryption process will burn efuses DISABLE_DL_ENCRYPT, DISABLE_DL_DECRYPT and DISABLE_DL_CACHE.

These fuses are all set to False if I look at the EFUSE summary - shouldn't they be True, or am I mistaken?

Thanks for any help!