docs/Flash encryption: Add encrypted partitions section

This commit is contained in:
Aditya Patwardhan 2023-06-14 11:20:17 +05:30
parent 6d4a116625
commit b078541ca5
2 changed files with 36 additions and 22 deletions

View File

@ -17,17 +17,6 @@ Introduction
Flash encryption is intended for encrypting the contents of the {IDF_TARGET_NAME}'s off-chip flash memory. Once this feature is enabled, firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout of flash will not be sufficient to recover most flash contents.
With flash encryption enabled, the following types of data are encrypted by default:
- Firmware bootloader
- Partition Table
- All "app" type partitions
Other types of data can be encrypted conditionally:
- Any partition marked with the ``encrypted`` flag in the partition table. For details, see :ref:`encrypted-partition-flag`.
- Secure Boot bootloader digest if Secure Boot is enabled (see below).
.. only:: esp32
:doc:`Secure Boot <secure-boot-v2>` is a separate feature which can be used together with flash encryption to create an even more secure environment.
@ -40,6 +29,24 @@ Other types of data can be encrypted conditionally:
Enabling flash encryption limits the options for further updates of {IDF_TARGET_NAME}. Before using this feature, read the document and make sure to understand the implications.
.. _encrypted-partitions:
Encrypted Partitions
--------------------
With flash encryption enabled, the following types of data are encrypted by default:
- Firmware bootloader
- Partition Table
- :ref:`nvs_encr_key_partition`
- Otadata
- All "app" type partitions
Other types of data can be encrypted conditionally:
- Any partition marked with the ``encrypted`` flag in the partition table. For details, see :ref:`encrypted-partition-flag`.
- Secure Boot bootloader digest if Secure Boot is enabled (see below).
.. _flash-encryption-efuse:
Relevant eFuses

View File

@ -17,17 +17,6 @@ flash 加密
flash 加密功能用于加密与 {IDF_TARGET_NAME} 搭载使用的片外 flash 中的内容。启用 flash 加密功能后,固件会以明文形式烧录,然后在首次启动时将数据进行加密。因此,物理读取 flash 将无法恢复大部分 flash 内容。
启用 flash 加密后,系统将默认加密下列类型的 flash 数据:
- 固件引导加载程序
- 分区表
- 所有 “app” 类型的分区
其他类型的数据将视情况进行加密:
- 任何在分区表中标有“加密”标志的分区。详情请见 :ref:`encrypted-partition-flag`
- 如果启用了安全启动,则可以加密安全启动引导程序摘要(见下文)。
.. only:: esp32
:doc:`安全启动<secure-boot-v2>` 是一个独立的功能,可以与 flash 加密一起使用,从而创建更安全的环境。
@ -40,6 +29,24 @@ flash 加密功能用于加密与 {IDF_TARGET_NAME} 搭载使用的片外 flash
启用 flash 加密将限制后续 {IDF_TARGET_NAME} 更新。在使用 flash 加密功能前,请务必阅读本文档了解其影响。
.. _encrypted-partitions:
Encrypted Partitions
--------------------
启用 flash 加密后,系统将默认加密下列类型的 flash 数据:
- 固件引导加载程序
- 分区表
- :ref:`nvs_encr_key_partition`
- Otadata
- 所有 “app” 类型的分区
其他类型的数据将视情况进行加密:
- 任何在分区表中标有“加密”标志的分区。详情请见 :ref:`encrypted-partition-flag`
- 如果启用了安全启动,则可以加密安全启动引导程序摘要(见下文)。
.. _flash-encryption-efuse:
相关 eFuses