From 388a61c7b79910469b5dc959cbe7ca1ccdd66e52 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Fri, 4 Aug 2023 10:01:18 +0530 Subject: [PATCH] fix(security): Fixed the host-based security workflows --- docs/en/security/host-based-security-workflows.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/en/security/host-based-security-workflows.rst b/docs/en/security/host-based-security-workflows.rst index 2360f62140..2382273cc1 100644 --- a/docs/en/security/host-based-security-workflows.rst +++ b/docs/en/security/host-based-security-workflows.rst @@ -52,7 +52,9 @@ When enabling the Flash Encryption and Secure Boot V2 externally we need to enab #. Enable Flash Encryption feature by following the steps listed in :ref:`enable-flash-encryption-externally`. #. Enable Secure Boot V2 feature by following the steps listed in :ref:`enable-secure-boot-v2-externally`. -The reason for this order is that when Secure Boot V2 is enabled, we write protect the eFuse ``WR_DIS``. Once that eFuse is write protected, we can no longer enable Flash Encryption. +The reason for this order is as follows: + +To enable the Secure Boot (SB) V2, it is necessary to keep the SB V2 key readable. To protect the key's readability, the write-protection for RD_DIS (ESP_EFUSE_WR_DIS_RD_DIS) is applied. However, this action poses a challenge when attempting to enable Flash Encryption, as the Flash Encryption (FE) key needs to remain unreadable. This conflict arises because the RD_DIS is already write-protected, making it impossible to read protect the FE key. .. _enable-flash-encryption-externally: @@ -133,7 +135,7 @@ In this case all the eFuses related to flash encryption are written with help of espefuse.py --port PORT burn_key BLOCK my_flash_encryption_key.bin KEYPURPOSE - where ``BLOCK`` is a free keyblock between ``BLOCK_KEY0`` and ``BLOCK_KEY5``. And ``KEYPURPOSE`` is either ``AES_256_KEY_1``, ``XTS_AES_256_KEY_2``, ``XTS_AES_128_KEY``. See `{IDF_TARGET_NAME} Technical Reference Manual <{IDF_TARGET_TRM_EN_URL}>`_ for a description of the key purposes. + where ``BLOCK`` is a free keyblock between ``BLOCK_KEY0`` and ``BLOCK_KEY5``. And ``KEYPURPOSE`` is either ``XTS_AES_256_KEY_1``, ``XTS_AES_256_KEY_2``, ``XTS_AES_128_KEY``. See `{IDF_TARGET_NAME} Technical Reference Manual <{IDF_TARGET_TRM_EN_URL}>`_ for a description of the key purposes. For AES-128 (256-bit key) - ``XTS_AES_128_KEY``: