mirror of https://github.com/espressif/esp-idf.git synced 2024-09-20 00:36:01 -04:00

History

hrushikesh.bhosale ed4166a64c feat(ota): Checked the support of OTA for esp32c5 Checked the support of OTA features for esp32c5, tested examples and added the support in README.md file. Even added the support in systems .build-test-rules.yml		2024-08-21 11:45:41 +05:30
..
main	fix: fix preencrypted ota failed with pytest server and partial http enabled	2023-10-11 15:22:24 +05:30
rsa_key	feature: Pre Encrypted Binary for OTA updates	2022-02-17 10:48:41 +05:30
server_certs	feature: Pre Encrypted Binary for OTA updates	2022-02-17 10:48:41 +05:30
CMakeLists.txt	feat(examples): add local components via idf_component.yml	2023-09-19 10:38:24 +02:00
pytest_pre_encrypted_ota.py	fix: Refactored script for initiating Python-based HTTPS server	2024-04-30 10:04:56 +05:30
README.md	feat(ota): Checked the support of OTA for esp32c5	2024-08-21 11:45:41 +05:30
sdkconfig.ci	ci: Optimize binary size for OTA examples	2022-07-11 15:28:48 +05:30
sdkconfig.ci.partial_download	ci: Fix pre_encrypted_ota example failure in CI	2024-03-08 14:49:24 +05:30
sdkconfig.defaults	feature: Pre Encrypted Binary for OTA updates	2022-02-17 10:48:41 +05:30

README.md

Supported Targets	ESP32	ESP32-C2	ESP32-C3	ESP32-C5	ESP32-C6	ESP32-P4	ESP32-S2	ESP32-S3

Encrypted Binary OTA

This example demonstrates OTA updates with pre-encrypted binary using esp_encrypted_img component's APIs and tool.

Pre-encrypted firmware binary must be hosted on OTA update server. This firmware will be fetched and then decrypted on device before being flashed. This allows firmware to remain confidential on the OTA update channel irrespective of underlying transport (e.g., non-TLS).

NOTE: Pre-encrypted OTA is a completely different scheme from Flash Encryption. Pre-encrypted OTA helps in ensuring the confidentiality of the firmware on the network channel, whereas Flash Encryption is intended for encrypting the contents of the ESP32's off-chip flash memory.

Caution

Using the Pre-encrypted Binary OTA provides confidentiality of the firmware, but it does not ensure authenticity of the firmware. For ensuring that the firmware is coming from trusted source, please consider enabling secure boot feature along with the Pre-encrypted binary OTA. Please refer to security guide in the ESP-IDF docs for more details.

ESP Encrypted Image Abstraction Layer

This example uses esp_encrypted_img component hosted at idf-extra-components/esp_encrypted_img and available though the IDF component manager.

Please refer to its documentation here for more details.

How to use the example

To create self-signed certificate and key, refer to README.md in upper level 'examples' directory. This certificate should be flashed with binary as it will be used for connection with server.

Creating RSA key for encryption

You can generate a public and private RSA key pair using following commands:

openssl genrsa -out rsa_key/private.pem 3072

This generates a 3072-bit RSA key pair, and writes them to a file.

Private key is required for decryption process and is used as input to the esp_encrypted_img component. Private key can either be embedded into the firmware or stored in NVS.

Encrypted image generation tool will derive public key (from private key) and use it for encryption purpose.

NOTE: We highly recommend the use of flash encryption or NVS encryption to protect the RSA Private Key on the device.
NOTE: RSA key provided in the example is for demonstration purpose only. We recommend to create a new key for production applications.

Build and Flash example

idf.py build flash

An encrypted image is automatically generated by build system. Upload the generated encrypted image (build/pre_encrypted_ota_secure.bin) to a server for performing OTA update.

Configuration

Refer the README.md in the parent directory for the setup details.