Please refer to the Security Guides:
- Security Overview
- Flash Encryption
- Secure Boot v2
- Security Features Enablement Workflows
- Vulnerabilities
You can base your test on the “esp-idf/examples/security/flash_encryption” example.
Partition Table setting:
# Name, Type, SubType, Offset, Size, Flags
nvs, data, nvs, , 0x6000,
# Extra partition to demonstrate reading/writing of encrypted flash
storage, data, 0xff, , 0x1000, encrypted
factory, app, factory, , 1M,
# nvs_key partition contains the key that encrypts the NVS partition named nvs. The nvs_key partition needs to be encrypted.
nvs_key, data, nvs_keys, , 0x1000, encrypted,
# Custom NVS data partition
custom_nvs, data, nvs, , 0x6000,
# FATFS partitions, one non-encrypted, one encrypted
fat_encrypted, data, fat, , 600k, encrypted
fat_not_encr, data, fat, , 600k,
Generate Key files
Please refer to:
- Enable Flash Encryption and Secure Boot v2 Externally
- Enable Flash Encryption Externally
- Enable Secure Boot v2 Externally
- Enable NVS Encryption Externally
1. Generate Secure Boot v2 Signing Private Key
ESP32-C6 Secure Boot v2 supports RSA-3072, ECDSA-256 or ECDSA-192 keys. Use one of the following commands to generate the Secure Boot signing key:
- The Secure Boot v2 signing key for the RSA3072 scheme can be generated by running:
espsecure.py generate_signing_key --version 2 --scheme rsa3072 secure_boot_signing_key.pem
- The Secure Boot v2 signing key for ECDSA256 scheme can be generated by running:
espsecure.py generate_signing_key --version 2 --scheme ecdsa256 secure_boot_signing_key.pem
- The Secure Boot v2 signing key for ECDSA192 scheme can be generated by running:
espsecure.py generate_signing_key --version 2 --scheme ecdsa192 secure_boot_signing_key.pem
- Generate the public key digest from your Secure Boot key. The public key digest for the private key generated in the previous step can be generated by running:
espsecure.py digest_sbv2_public_key --keyfile secure_boot_signing_key.pem --output public_key_digest.bin
2. Generate Flash Encryption Key
A random Flash Encryption key can be generated by running:
espsecure.py generate_flash_encryption_key flash_encryption_key.bin
3. Generate NVS Encryption Key
Enable NVS Encryption Based on Flash Encryption
In this case we generate the NVS Encryption key on a host. This key is then flashed to the chip and protected by the Flash Encryption feature.
The key can be generated with the nvs_flash/nvs_partition_generator/nvs_partition_gen.py script using the following command:
python E:\esp\Espressif\frameworks\esp-idf-5.2.1\esp-idf\components\nvs_flash\nvs_partition_generator\nvs_partition_gen.py generate-key --keyfile nvs_key.bin
This generates the respective key in the keys folder.
【Note】
- If you don’t need to encrypt the NVS partition, you don’t need to generate nvs_key.bin.
4. Software setting:
→ Flash Size setting
- The value of Flash Size must not be larger than the hardware flash size and must not be smaller than the total partition size set in the partition table.
→ Partition Table setting
- Enabling flash encryption increases the size of the bootloader, which might require updating the partition table offset. See Bootloader Size.
→ Security features
- Enable Secure Boot and Flash Encryption Development mode
→ Security features → UART ROM download mode
- Download mode setting
→ Component config → NVS → [*] Enable NVS encryption
- If you enable NVS encryption, you must add an nvs_key partition to your partition table. Please refer to NVS Encryption for more details.
- If you don’t want to encrypt the nvs partition, disable the NVS encryption configuration.
5. Build the project and get the firmware
- From the project build log, we can get the partition table offset addresses, as follows:
Partition table binary generated. Contents:
*******************************************************************************
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0xe000,24K,
storage,data,255,0x14000,4K,encrypted
factory,app,factory,0x20000,1M,
nvs_key,data,nvs_keys,0x120000,4K,encrypted
custom_nvs,data,nvs,0x121000,24K,
fat_encrypted,data,fat,0x127000,600K,encrypted
fat_not_encr,data,fat,0x1bd000,600K,
*******************************************************************************
Because Secure Boot is enabled, after compiling you get bootloader.bin, bootloader-unsigned.bin, app.bin, app-unsigned.bin and the other partition firmware bin files. bootloader.bin and app.bin are the signed firmware; bootloader-unsigned.bin and app-unsigned.bin are the unsigned firmware. We need to download the signed firmware and the other partition firmware bin files.
- From the project build log, we can get the generated binary information, as follows:
6. Use the Flash Encryption key to encrypt all the firmware
Please note: the --address value is the flash address the firmware is downloaded to.
The command for encrypting the firmware of each partition with the Flash Encryption key is the same:
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_bootloader.bin --address 0x0 build\bootloader\bootloader.bin
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_partition-table.bin --address 0xd000 build\partition_table\partition-table.bin
espsecure.py encrypt_flash_data --aes_xts --keyfile flash_encryption_key.bin --output encrypted_flash_encryption.bin --address 0x20000 build\flash_encryption.bin
7. Download all encrypted firmware and nvs_key.bin
esptool.py -p COM69 write_flash 0x0 encrypted_bootloader.bin 0xd000 encrypted_partition-table.bin 0x20000 encrypted_flash_encryption.bin 0x120000 nvs_key.bin
8. Write public_key_digest.bin and the Flash Encryption key to the eFuse key blocks
- First, read the ESP32-C6 chip eFuse information:
E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption>espefuse.py -p COM4 summary
espefuse.py v4.8.1
Connecting....
Detecting chip type... ESP32-C6
=== Run "summary" command ===
EFUSE_NAME (Block) Description = [Meaningful Value] [Readable/Writeable] (Hex Value)
----------------------------------------------------------------------------------------
Config fuses:
WR_DIS (BLOCK0) Disable programming of individual eFuses = 0 R/W (0x00000000)
RD_DIS (BLOCK0) Disable reading from BlOCK4-10 = 0 R/W (0b0000000)
SWAP_UART_SDIO_EN (BLOCK0) Represents whether pad of uart and sdio is swapped or not. 1: swapped. 0: not swapped = False R/W (0b0)
DIS_ICACHE (BLOCK0) Represents whether icache is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
DIS_TWAI (BLOCK0) Represents whether TWAI function is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
DIS_DIRECT_BOOT (BLOCK0) Represents whether direct boot mode is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
UART_PRINT_CONTROL (BLOCK0) Set the default UARTboot message output mode = Enable R/W (0b00)
LSLP_HP_DBG (BLOCK1) Stores the lslp hp dbg = 0 R/W (0b00)
DSLP_LP_DBG (BLOCK1) Stores the dslp lp dbg = 5 R/W (0b101)
BLOCK_USR_DATA (BLOCK3) User data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_SYS_DATA2 (BLOCK10) System data part 2 (reserved) = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Flash fuses:
FLASH_TPUW (BLOCK0) Represents the flash waiting time after power-up; in unit of ms. When the value less than 15; the waiting time is the programmed value. Otherwise; the waiting time is 2 times the programmed value = 0 R/W (0x0)
FORCE_SEND_RESUME (BLOCK0) Represents whether ROM code is forced to send a resume command during SPI boot. 1: forced. 0: not forced = False R/W (0b0)
FLASH_CAP (BLOCK1) = 0 R/W (0b000)
FLASH_TEMP (BLOCK1) = 0 R/W (0b00)
FLASH_VENDOR (BLOCK1) = 0 R/W (0b000)
Identity fuses:
DISABLE_WAFER_VERSION_MAJOR (BLOCK0) Disables check of wafer version major = False R/W (0b0)
DISABLE_BLK_VERSION_MAJOR (BLOCK0) Disables check of blk version major = False R/W (0b0)
WAFER_VERSION_MINOR (BLOCK1) = 2 R/W (0x2)
WAFER_VERSION_MAJOR (BLOCK1) = 0 R/W (0b00)
PKG_VERSION (BLOCK1) Package version = 0 R/W (0b000)
BLK_VERSION_MINOR (BLOCK1) BLK_VERSION_MINOR of BLOCK2 = 3 R/W (0b011)
BLK_VERSION_MAJOR (BLOCK1) BLK_VERSION_MAJOR of BLOCK2 = 0 R/W (0b00)
OPTIONAL_UNIQUE_ID (BLOCK2) Optional unique 128-bit ID = a8 67 12 ec 52 87 dc 6d a0 87 b2 87 a5 a4 bf 96 R/W
Jtag fuses:
JTAG_SEL_ENABLE (BLOCK0) Represents whether the selection between usb_to_jtag and pad_to_jtag through strapping gpio15 when both EFUSE_DIS_PAD_JTAG and EFUSE_DIS_USB_JTAG are equal to 0 is enabled or disabled. 1: enabled. 0: disabled = False R/W (0b0)
SOFT_DIS_JTAG (BLOCK0) Represents whether JTAG is disabled in soft way. Odd number: disabled. Even number: enabled = 0 R/W (0b000)
DIS_PAD_JTAG (BLOCK0) Represents whether JTAG is disabled in the hard way(permanently). 1: disabled. 0: enabled = False R/W (0b0)
Mac fuses:
MAC (BLOCK1) MAC address = 7c:2c:67:52:7c:fc (OK) R/W
MAC_EXT (BLOCK1) Stores the extended bits of MAC address = ff:fe (OK) R/W
CUSTOM_MAC (BLOCK3) Custom MAC = 00:00:00:00:00:00 (OK) R/W
MAC_EUI64 (BLOCK1) calc MAC_EUI64 = MAC[0]:MAC[1]:MAC[2]:MAC_EXT[0]:MAC_EXT[1]:MAC[3]:MAC[4]:MAC[5] = 7c:2c:67:ff:fe:52:7c:fc (OK) R/W
Security fuses:
DIS_DOWNLOAD_ICACHE (BLOCK0) Represents whether icache is disabled or enabled in Download mode. 1: disabled. 0: enabled = False R/W (0b0)
DIS_FORCE_DOWNLOAD (BLOCK0) Represents whether the function that forces chip into download mode is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
SPI_DOWNLOAD_MSPI_DIS (BLOCK0) Represents whether SPI0 controller during boot_mode_download is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0) Represents whether flash encrypt function is disabled or enabled(except in SPI boot mode). 1: disabled. 0: enabled = False R/W (0b0)
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set and disables otherwise = Disable R/W (0b000)
SECURE_BOOT_KEY_REVOKE0 (BLOCK0) Revoke 1st secure boot key = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE1 (BLOCK0) Revoke 2nd secure boot key = False R/W (0b0)
SECURE_BOOT_KEY_REVOKE2 (BLOCK0) Revoke 3rd secure boot key = False R/W (0b0)
KEY_PURPOSE_0 (BLOCK0) Represents the purpose of Key0 = USER R/W (0x0)
KEY_PURPOSE_1 (BLOCK0) Represents the purpose of Key1 = USER R/W (0x0)
KEY_PURPOSE_2 (BLOCK0) Represents the purpose of Key2 = USER R/W (0x0)
KEY_PURPOSE_3 (BLOCK0) Represents the purpose of Key3 = USER R/W (0x0)
KEY_PURPOSE_4 (BLOCK0) Represents the purpose of Key4 = USER R/W (0x0)
KEY_PURPOSE_5 (BLOCK0) Represents the purpose of Key5 = USER R/W (0x0)
SEC_DPA_LEVEL (BLOCK0) Represents the spa secure level by configuring the clock random divide mode = 0 R/W (0b00)
CRYPT_DPA_ENABLE (BLOCK0) Represents whether anti-dpa attack is enabled. 1:enabled. 0: disabled = False R/W (0b0)
SECURE_BOOT_EN (BLOCK0) Represents whether secure boot is enabled or disabled. 1: enabled. 0: disabled = False R/W (0b0)
SECURE_BOOT_AGGRESSIVE_REVOKE (BLOCK0) Represents whether revoking aggressive secure boot is enabled or disabled. 1: enabled. 0: disabled = False R/W (0b0)
DIS_DOWNLOAD_MODE (BLOCK0) Represents whether Download mode is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
ENABLE_SECURITY_DOWNLOAD (BLOCK0) Represents whether security download is enabled or disabled. 1: enabled. 0: disabled = False R/W (0b0)
SECURE_VERSION (BLOCK0) Represents the version used by ESP-IDF anti-rollback feature = 0 R/W (0x0000)
SECURE_BOOT_DISABLE_FAST_WAKE (BLOCK0) Represents whether FAST VERIFY ON WAKE is disabled or enabled when Secure Boot is enabled. 1: disabled. 0: enabled = False R/W (0b0)
BLOCK_KEY0 (BLOCK4) Purpose: USER Key0 or user data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY1 (BLOCK5) Purpose: USER Key1 or user data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY2 (BLOCK6) Purpose: USER Key2 or user data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY3 (BLOCK7) Purpose: USER Key3 or user data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY4 (BLOCK8) Purpose: USER Key4 or user data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
BLOCK_KEY5 (BLOCK9) Purpose: USER Key5 or user data = 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 R/W
Usb fuses:
DIS_USB_JTAG (BLOCK0) Represents whether the function of usb switch to jtag is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
DIS_USB_SERIAL_JTAG (BLOCK0) Represents whether USB-Serial-JTAG is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
USB_EXCHG_PINS (BLOCK0) Represents whether the D+ and D- pins is exchanged. 1: exchanged. 0: not exchanged = False R/W (0b0)
DIS_USB_SERIAL_JTAG_ROM_PRINT (BLOCK0) Represents whether print from USB-Serial-JTAG is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
DIS_USB_SERIAL_JTAG_DOWNLOAD_MODE (BLOCK0) Represents whether the USB-Serial-JTAG download function is disabled or enabled. 1: disabled. 0: enabled = False R/W (0b0)
Vdd fuses:
VDD_SPI_AS_GPIO (BLOCK0) Represents whether vdd spi pin is functioned as gpio. 1: functioned. 0: not functioned = False R/W (0b0)
Wdt fuses:
WDT_DELAY_SEL (BLOCK0) Represents whether RTC watchdog timeout threshold is selected at startup. 1: selected. 0: not selected = 0 R/W (0b00)
- For Secure Boot, write public_key_digest.bin to eFuse BLOCK_KEY0.
- For Flash Encryption, write flash_encryption_key.bin to eFuse BLOCK_KEY1.
espefuse.py -p COM69 --do-not-confirm burn_key BLOCK_KEY0 public_key_digest.bin SECURE_BOOT_DIGEST0 BLOCK_KEY1 flash_encryption_key.bin XTS_AES_128_KEY
9. Write the eFuse control bits for Secure Boot and Flash Encryption Development mode
The eFuse bits must be written according to the Flash Encryption mode selected in the software configuration.
The Flash Encryption mode configured in the software above is Development mode with download mode enabled.
espefuse.py -p COM69 burn_efuse --do-not-confirm DIS_USB_JTAG 0x1 DIS_PAD_JTAG 0x1 DIS_DOWNLOAD_ICACHE 0x1 DIS_DIRECT_BOOT 0x1 SOFT_DIS_JTAG 0x1 DIS_DOWNLOAD_MANUAL_ENCRYPT 0x1 SECURE_BOOT_EN 0x1 SPI_BOOT_CRYPT_CNT 0x1
- If you want to set Flash Encryption Release mode and disable download mode, write the following eFuse control bits for Secure Boot and Flash Encryption Release mode instead:
espefuse.py -p COM69 burn_efuse --do-not-confirm DIS_USB_JTAG 0x1 DIS_PAD_JTAG 0x1 DIS_DOWNLOAD_ICACHE 0x1 DIS_DIRECT_BOOT 0x1 SOFT_DIS_JTAG 0x7 DIS_DOWNLOAD_MANUAL_ENCRYPT 0x1 DIS_DOWNLOAD_MODE 0x1 SECURE_BOOT_EN 0x1 SPI_BOOT_CRYPT_CNT 0x7
10. Last, reset your device to Flash boot mode:
Run the following command to monitor the firmware running log:
E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption>idf.py -p COM69 monitor
Executing action: monitor
Running idf_monitor in directory E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption
Executing "E:\esp2\Espressif\python_env\idf5.4_py3.9_env\Scripts\python.exe E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\tools/idf_monitor.py -p COM69 -b 115200 --toolchain-prefix riscv32-esp-elf- --target esp32c6 --revision 0 --decode-panic backtrace E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\examples\security\flash_encryption\build\flash_encryption.elf --force-color -m 'E:\esp2\Espressif\python_env\idf5.4_py3.9_env\Scripts\python.exe' 'E:\esp2\Espressif\frameworks\esp-idf-v5.4\esp-idf\tools\idf.py' '-p' 'COM69'"...
--- Warning: GDB cannot open serial ports accessed as COMx
--- Using \\.\COM69 instead...
--- esp-idf-monitor 1.6.2 on \\.\COM69 115200
--- Quit: Ctrl+] | Menu: Ctrl+T | Help: Ctrl+T followed by Ctrl+H
ESP-ROM:esp32c6-20220919
Build:Sep 19 2022
rst:0x1 (POWERON),boot:0xc (SPI_FAST_FLASH_BOOT)
SPIWP:0xee
mode:DIO, clock div:2
Valid secure boot key blocks: 0
RSA-PSS secure boot verification succeeded
load:0x40875890,len:0x366c
load:0x4086c110,len:0xe84
load:0x4086e610,len:0x5d10
entry 0x4086c11a
I (55) boot: ESP-IDF v5.4 2nd stage bootloader
I (55) boot: compile time Apr 10 2025 16:20:52
I (55) boot: chip revision: v0.1
I (56) boot: efuse block revision: v0.3
I (58) boot.esp32c6: SPI Speed : 80MHz
I (62) boot.esp32c6: SPI Mode : DIO
I (66) boot.esp32c6: SPI Flash Size : 4MB
I (70) boot: Enabling RNG early entropy source...
I (74) boot: Partition Table:
I (77) boot: ## Label Usage Type ST Offset Length
I (83) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (90) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (96) boot: 2 factory factory app 00 00 00020000 00100000
I (103) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (109) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (116) boot: 5 fat_encrypted Unknown data 01 81 00127000 00096000
I (122) boot: 6 fat_not_encr Unknown data 01 81 001bd000 00096000
I (129) boot: End of partition table
I (132) esp_image: segment 0: paddr=00020020 vaddr=42020020 size=0b2f4h ( 45812) map
I (149) esp_image: segment 1: paddr=0002b31c vaddr=40800000 size=04cfch ( 19708) load
I (155) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=1f4bch (128188) map
I (182) esp_image: segment 3: paddr=0004f4e4 vaddr=40804cfc size=06a00h ( 27136) load
I (189) esp_image: segment 4: paddr=00055eec vaddr=4080b700 size=019ech ( 6636) load
I (192) esp_image: segment 5: paddr=000578e0 vaddr=00000000 size=086f0h ( 34544)
I (201) esp_image: Verifying image signature...
I (201) secure_boot_v2: Verifying with RSA-PSS...
I (205) secure_boot_v2: Signature verified successfully!
I (210) boot: Loaded app from partition at offset 0x20000
I (212) secure_boot_v2: enabling secure boot v2...
I (217) secure_boot_v2: secure boot v2 is already enabled, continuing..
I (223) boot: Checking flash encryption...
I (227) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (234) boot: Disabling RNG early entropy source...
I (250) cpu_start: Unicore app
I (258) cpu_start: Pro cpu start user code
I (259) cpu_start: cpu freq: 160000000 Hz
I (259) app_init: Application information:
I (259) app_init: Project name: flash_encryption
I (263) app_init: App version: v5.4
I (267) app_init: Compile time: Apr 10 2025 16:20:04
I (272) app_init: ELF file SHA256: a05dbff06...
I (276) app_init: ESP-IDF: v5.4
I (280) efuse_init: Min chip rev: v0.0
I (284) efuse_init: Max chip rev: v0.99
I (288) efuse_init: Chip rev: v0.1
I (292) heap_init: Initializing. RAM available for dynamic allocation:
I (298) heap_init: At 4080E260 len 0006E3B0 (440 KiB): RAM
I (303) heap_init: At 4087C610 len 00002F54 (11 KiB): RAM
I (308) heap_init: At 50000000 len 00003FE8 (15 KiB): RTCRAM
I (314) spi_flash: detected chip: generic
I (317) spi_flash: flash io: dio
W (320) spi_flash: Detected size(8192k) larger than the size in the binary image header(4096k). Using the size in the binary image header.
W (333) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (364) efuse: Batch mode of writing fields is enabled
W (364) secure_boot: Unused SECURE_BOOT_DIGEST1 should be revoked. Fixing..
W (365) secure_boot: Unused SECURE_BOOT_DIGEST2 should be revoked. Fixing..
I (371) efuse: BURN BLOCK0
I (376) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (380) efuse: Batch mode. Prepared fields are committed
I (384) secure_boot: Fixed
I (387) sleep_gpio: Configure to isolate all GPIO pins in sleep state
I (393) sleep_gpio: Enable automatic switching of GPIO sleep configuration
I (400) coexist: coex firmware version: 49a8cdc
I (404) coexist: coexist rom version 5b8dcfa
I (408) main_task: Started on CPU0
I (408) main_task: Calling app_main()
Example to check Flash Encryption status
This is esp32c6 chip with 1 CPU core(s), WiFi/BLE, silicon revision v0.1, 4MB external flash
FLASH_CRYPT_CNT eFuse value is 1
Flash encryption feature is enabled in DEVELOPMENT mode
Erasing partition "storage" (0x1000 bytes)
Writing data with esp_partition_write:
I (448) example: 0x40811180 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (448) example: 0x40811190 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
Reading with esp_partition_read:
I (458) example: 0x408111a0 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................|
I (468) example: 0x408111b0 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................|
Reading with esp_flash_read:
I (478) example: 0x408111a0 9e 97 3c b8 82 5b 7e c4 1f 54 ab 20 b1 84 84 a6 |..<..[~..T. ....|
I (488) example: 0x408111b0 b4 d4 ac 15 b4 e2 ec 19 e3 8e fa 95 f8 b6 3e 77 |..............>w|
I (498) example: Partitions fat_not_encr and fat_encrypted for FATFS example are present
I (508) example_fatfs: FAT partition "fat_not_encr" is not encrypted. Size is (0x96000 bytes)
I (508) example_fatfs: Formatting FAT filesystem
W (598) vfs_fat_spiflash: f_mount failed (13)
I (598) vfs_fat_spiflash: Formatting FATFS partition, allocation unit size=4096
I (798) vfs_fat_spiflash: Mounting again
I (848) example_fatfs: Mounting FAT filesystem
I (848) example_fatfs: Opening file
I (1008) example_fatfs: Written to file: 'the quick brown fox jumped over the lazy dog'
I (1008) example_fatfs: Reading file
I (1008) example_fatfs: Read from file: 'the quick brown fox jumped over the lazy dog'
I (1008) example_fatfs: Unmounting FAT filesystem
I (1058) example_fatfs: Read partition using esp_flash_read until test string is found
I (1118) example_fatfs: 0x40811154 74 68 65 20 71 75 69 63 6b 20 62 72 6f 77 6e 20 |the quick brown |
I (1118) example_fatfs: 0x40811164 66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20 |fox jumped over |
I (1128) example_fatfs: 0x40811174 74 68 65 20 6c 61 7a 79 20 64 6f 67 |the lazy dog|
I (1138) example_fatfs: Test string was found at offset (0x8000)
I (1138) example_fatfs: FAT partition "fat_encrypted" is encrypted. Size is (0x96000 bytes)
I (1148) example_fatfs: Formatting FAT filesystem
W (1208) vfs_fat_spiflash: f_mount failed (13)
I (1208) vfs_fat_spiflash: Formatting FATFS partition, allocation unit size=4096
I (1308) vfs_fat_spiflash: Mounting again
I (1348) example_fatfs: Mounting FAT filesystem
I (1348) example_fatfs: Opening file
I (1468) example_fatfs: Written to file: 'the quick brown fox jumped over the lazy dog'
I (1468) example_fatfs: Reading file
I (1468) example_fatfs: Read from file: 'the quick brown fox jumped over the lazy dog'
I (1468) example_fatfs: Unmounting FAT filesystem
I (1518) example_fatfs: Read partition using esp_flash_read at expected offset (0x8000)
I (1518) example_fatfs: 0x4081114c 76 e5 34 70 06 cc d2 82 58 a4 85 3b e1 0c 46 81 |v.4p....X..;..F.|
I (1528) example_fatfs: 0x4081115c 6d 76 ba 62 b1 35 84 0f 54 6f a5 52 f3 1f 29 19 |mv.b.5..To.R..).|
I (1538) example_fatfs: 0x4081116c bf fb a7 f4 19 92 f0 41 2f 50 a7 99 |.......A/P..|
I (1548) example_fatfs: Data does not match test string
I (1558) main_task: Returned from app_main()
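After step 10 it is worth confirming that the device's eFuse state actually matches the mode you intended to burn. The following is an added example (not part of this guide or of Espressif's tooling) that parses `espefuse.py summary` output like the dump in step 8 and compares it with the bits the step 8 and step 9 commands set for Development and Release mode; the pre-burn sample lines are taken from that dump, the post-burn sample lines are constructed, and their hex purpose codes are assumed (only the purpose names are checked).

```python
import re
# One field line of `espefuse.py summary`: NAME (BLOCKn) description = VALUE R/W (hex).
# Key-block and MAC lines carry no "(0x..)/(0b..)" suffix and are skipped.
LINE_RE = re.compile(
    r"^(\w+) \(BLOCK\d+\).*?= (\S+) [R-]/[W-] \((0x[0-9a-fA-F]+|0b[01]+)\)")

def parse_summary(text):
    """Map eFuse name -> (meaningful value, raw integer) for each field line."""
    fuses = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fuses[m.group(1)] = (m.group(2), int(m.group(3), 0))
    return fuses

# Bits both variants of the step 9 command burn, the purposes step 8 assigns to
# BLOCK_KEY0/1, and the bits that differ between the two modes. Flash encryption
# is only active with an odd number of SPI_BOOT_CRYPT_CNT bits set (0b001 / 0b111).
COMMON = {"DIS_USB_JTAG": 1, "DIS_PAD_JTAG": 1, "DIS_DOWNLOAD_ICACHE": 1,
          "DIS_DIRECT_BOOT": 1, "DIS_DOWNLOAD_MANUAL_ENCRYPT": 1, "SECURE_BOOT_EN": 1}
KEY_PURPOSES = {"KEY_PURPOSE_0": "SECURE_BOOT_DIGEST0", "KEY_PURPOSE_1": "XTS_AES_128_KEY"}
MODES = {
    "development": {"SOFT_DIS_JTAG": 1, "SPI_BOOT_CRYPT_CNT": 0b001, "DIS_DOWNLOAD_MODE": 0},
    "release":     {"SOFT_DIS_JTAG": 7, "SPI_BOOT_CRYPT_CNT": 0b111, "DIS_DOWNLOAD_MODE": 1},
}

def check_fuses(fuses, mode):
    """Return the fuses whose state differs from what `mode` requires (empty = OK)."""
    problems = []
    for name, want in {**COMMON, **MODES[mode]}.items():
        got = fuses.get(name, (None, None))[1]
        if got != want:
            problems.append(f"{name}: expected {want:#b}, got {got}")
    for name, want in KEY_PURPOSES.items():
        got = fuses.get(name, (None, None))[0]
        if got != want:
            problems.append(f"{name}: expected {want}, got {got}")
    return problems

# Relevant lines from the pre-burn dump in step 8 (values exactly as shown there).
PRE_BURN = """\
DIS_DIRECT_BOOT (BLOCK0) Represents whether direct boot mode is disabled or = False R/W (0b0)
SOFT_DIS_JTAG (BLOCK0) Represents whether JTAG is disabled in soft way. O = 0 R/W (0b000)
DIS_PAD_JTAG (BLOCK0) Represents whether JTAG is disabled in the hard wa = False R/W (0b0)
DIS_DOWNLOAD_ICACHE (BLOCK0) Represents whether icache is disabled or enabled i = False R/W (0b0)
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0) Represents whether flash encrypt function is disab = False R/W (0b0)
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set = Disable R/W (0b000)
KEY_PURPOSE_0 (BLOCK0) Represents the purpose of Key0 = USER R/W (0x0)
KEY_PURPOSE_1 (BLOCK0) Represents the purpose of Key1 = USER R/W (0x0)
SECURE_BOOT_EN (BLOCK0) Represents whether secure boot is enabled or disab = False R/W (0b0)
DIS_DOWNLOAD_MODE (BLOCK0) Represents whether Download mode is disabled or en = False R/W (0b0)
DIS_USB_JTAG (BLOCK0) Represents whether the function of usb switch to j = False R/W (0b0)
"""
# Constructed: the same fields as they would read after the Release command in
# step 9 (hex purpose codes 0x9 / 0x4 and the R/- flags are assumed).
RELEASE = """\
DIS_DIRECT_BOOT (BLOCK0) Represents whether direct boot mode is disabled or = True R/W (0b1)
SOFT_DIS_JTAG (BLOCK0) Represents whether JTAG is disabled in soft way. O = 7 R/W (0b111)
DIS_PAD_JTAG (BLOCK0) Represents whether JTAG is disabled in the hard wa = True R/W (0b1)
DIS_DOWNLOAD_ICACHE (BLOCK0) Represents whether icache is disabled or enabled i = True R/W (0b1)
DIS_DOWNLOAD_MANUAL_ENCRYPT (BLOCK0) Represents whether flash encrypt function is disab = True R/W (0b1)
SPI_BOOT_CRYPT_CNT (BLOCK0) Enables flash encryption when 1 or 3 bits are set = Enable R/W (0b111)
KEY_PURPOSE_0 (BLOCK0) Represents the purpose of Key0 = SECURE_BOOT_DIGEST0 R/- (0x9)
KEY_PURPOSE_1 (BLOCK0) Represents the purpose of Key1 = XTS_AES_128_KEY R/- (0x4)
SECURE_BOOT_EN (BLOCK0) Represents whether secure boot is enabled or disab = True R/W (0b1)
DIS_DOWNLOAD_MODE (BLOCK0) Represents whether Download mode is disabled or en = True R/W (0b1)
DIS_USB_JTAG (BLOCK0) Represents whether the function of usb switch to j = True R/W (0b1)
"""

if __name__ == "__main__":
    for label, dump in (("pre-burn", PRE_BURN), ("release", RELEASE)):
        print(label, check_fuses(parse_summary(dump), "release") or "OK")
```

To check a real board, save the output of `espefuse.py -p PORT summary` to a file and pass its contents to `parse_summary` instead of the embedded samples.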
【Please Note】
We recommend using the automated tools to complete the Flash Encryption and Secure Boot functions, which is more convenient and more secure. You don’t need to manually encrypt the firmware, you don’t need to manually write eFuses, and you don’t even need to figure out which eFuse bits to write; you just need the signed firmware. In addition, it avoids the exception caused by a power failure while downloading the firmware. Please refer to the “Using the ESP Flash Download Tool to finish the Flash Encryption + Secure Boot + NVS Encryption” user guide.