Skip to content

Commit ef407ed

Browse files
KonstantinKondrashovKonstantinKondrashov
committed
feat(espsecure): Improves an error message for encrypt_flash_data and decrypt_flash_data
Closes espressif/esp-idf#15115
1 parent 4e922fe commit ef407ed

File tree

1 file changed

+31
-10
lines changed

1 file changed

+31
-10
lines changed

espsecure/__init__.py

Lines changed: 31 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,7 @@ def swap_word_order(source):
6565
return struct.pack(words, *reversed(struct.unpack(words, source)))
6666

6767

68-
def _load_hardware_key(keyfile):
68+
def _load_hardware_key(keyfile, is_flash_encryption_key, aes_xts=None):
6969
"""Load a 128/256/512-bit key, similar to stored in efuse, from a file
7070
7171
128-bit keys will be extended to 256-bit using the SHA256 of the key
@@ -78,6 +78,17 @@ def _load_hardware_key(keyfile):
7878
"Key file contains wrong length (%d bytes), 16, 24, 32 or 64 expected."
7979
% len(key)
8080
)
81+
if is_flash_encryption_key:
82+
if aes_xts:
83+
if len(key) not in [16, 32, 64]:
84+
raise esptool.FatalError(
85+
f"AES_XTS supports only 128, 256, and 512-bit keys. Provided key is {len(key) * 8} bits."
86+
)
87+
else:
88+
if len(key) not in [24, 32]:
89+
raise esptool.FatalError(
90+
f"ESP32 supports only 192 and 256-bit keys. Provided key is {len(key) * 8} bits. Use --aes_xts for other chips."
91+
)
8192
if len(key) == 16:
8293
key = _sha256_digest(key)
8394
print("Using 128-bit key (extended)")
@@ -129,7 +140,7 @@ def digest_secure_bootloader(args):
129140
# produce the digest. Each block in/out of ECB is reordered
130141
# (due to hardware quirks not for security.)
131142

132-
key = _load_hardware_key(args.keyfile)
143+
key = _load_hardware_key(args.keyfile, False)
133144
backend = default_backend()
134145
cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=backend)
135146
encryptor = cipher.encryptor()
@@ -1233,7 +1244,19 @@ def generate_flash_encryption_key(args):
12331244
def _flash_encryption_operation_esp32(
12341245
output_file, input_file, flash_address, keyfile, flash_crypt_conf, do_decrypt
12351246
):
1236-
key = _load_hardware_key(keyfile)
1247+
"""
1248+
Perform flash encryption or decryption operation for ESP32.
1249+
1250+
This function handles the encryption or decryption of flash data for the ESP32 chip.
1251+
It reads data from the input file, processes it in 16-byte blocks, and writes the
1252+
processed data to the output file. The function ensures that the key length is either
1253+
192 or 256 bits, as required by the ESP32 chip. It also checks that the flash address
1254+
is a multiple of 16.
1255+
1256+
Note: This function is specific to the ESP32 chip. For other chips, use the --aes_xts
1257+
flag to call the correct function.
1258+
"""
1259+
key = _load_hardware_key(keyfile, True, aes_xts=False)
12371260

12381261
if flash_address % 16 != 0:
12391262
raise esptool.FatalError(
@@ -1322,7 +1345,7 @@ def _flash_encryption_operation_aes_xts(
13221345
"""
13231346

13241347
backend = default_backend()
1325-
key = _load_hardware_key(keyfile)
1348+
key = _load_hardware_key(keyfile, True, aes_xts=True)
13261349
indata = input_file.read()
13271350

13281351
if flash_address % 16 != 0:
@@ -1789,8 +1812,7 @@ def main(custom_commandline=None):
17891812
p.add_argument(
17901813
"--aes_xts",
17911814
"-x",
1792-
help="Decrypt data using AES-XTS as used on "
1793-
"ESP32-S2, ESP32-C2, ESP32-C3, ESP32-C6, ESP32-C5, ESP32-C61 and ESP32-P4",
1815+
help="Decrypt data using AES-XTS (not applicable for ESP32)",
17941816
action="store_true",
17951817
)
17961818
p.add_argument(
@@ -1816,7 +1838,7 @@ def main(custom_commandline=None):
18161838
)
18171839
p.add_argument(
18181840
"--flash_crypt_conf",
1819-
help="Override FLASH_CRYPT_CONF efuse value (default is 0XF).",
1841+
help="Override FLASH_CRYPT_CONF efuse value (default is 0XF) (applicable only for ESP32).",
18201842
required=False,
18211843
default=0xF,
18221844
type=esptool.arg_auto_int,
@@ -1829,8 +1851,7 @@ def main(custom_commandline=None):
18291851
p.add_argument(
18301852
"--aes_xts",
18311853
"-x",
1832-
help="Encrypt data using AES-XTS as used on "
1833-
"ESP32-S2, ESP32-C2, ESP32-C3, ESP32-C6, ESP32-C5, ESP32-C61 and ESP32-P4",
1854+
help="Encrypt data using AES-XTS (not applicable for ESP32)",
18341855
action="store_true",
18351856
)
18361857
p.add_argument(
@@ -1856,7 +1877,7 @@ def main(custom_commandline=None):
18561877
)
18571878
p.add_argument(
18581879
"--flash_crypt_conf",
1859-
help="Override FLASH_CRYPT_CONF efuse value (default is 0XF).",
1880+
help="Override FLASH_CRYPT_CONF efuse value (default is 0XF) (applicable only for ESP32)",
18601881
required=False,
18611882
default=0xF,
18621883
type=esptool.arg_auto_int,

0 commit comments

Comments
 (0)