Chapter 4. Software framework
4.7.13 What are the use scenarios for secure boot and flash encryption?
• When secure boot is enabled, the device will only load and run firmware that is signed by the specified key.
Therefore, it can prevent the device from loading illegal firmware and prevent unauthorized firmware from
being flashed to the device.
• When flash encryption is enabled, the partitions on the flash where firmware is stored and the data in the
partitions marked as "encrypted" will be encrypted. Therefore, it can prevent the data from being illegally
viewed, and firmware data copied from flash cannot be applied to other devices.
4.7.14 What data stored in eFuse is involved in secure boot and flash encryption?
• For the data stored in eFuse used in secure boot v1, please refer to secure boot v1 efuses.
• For the data stored in eFuse used in secure boot v2, please refer to secure boot v2 efuses.
• For the data stored in eFuse used in flash encryption, please refer to flash encryption efuses.
4.7.15 Enabling secure boot failed with the log "Checksum failure". How to fix it?
• After secure boot is enabled, the size of bootloader.bin increases. Please check whether the
bootloader partition is large enough to store the compiled bootloader.bin. For more information, please refer to
Bootloader Size.
4.7.16 NVS encryption failed to start and an error occurred as nvs: Failed to read
NVS security cfg: [0x1117] (ESP_ERR_NVS_CORRUPT_KEY_PART).
How can I solve this issue?
• Please erase the flash once using the flash tool before starting NVS encryption, and then flash the firmware
that enables NVS encryption to the SoC.
4.7.17 After flash encryption was enabled, a warning occurred as esp_image: image
at 0x520000 has invalid magic byte (nothing flashed here).
How can I solve this issue?
• After SoC starts flash encryption, it will try to encrypt the data of all the partitions of the app type. If there is
no corresponding app firmware stored in one app partition, the above log will appear. To avoid this warning,
you can flash pre-compiled app firmware to the partitions of the app type when starting flash encryption.
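The following pre-flight check is an added example, not code from Espressif or ESP-IDF: it reads a partition table CSV and reports which partitions flash encryption will cover (4.7.13) and which app partitions have no image planned, which is the case that triggers the warning in 4.7.17. It assumes the ESP-IDF CSV layout with explicit offsets and the 0xE9 app image magic byte; the function names, the sample table and the flash plan are constructed for illustration.

```python
import csv, io

ESP_IMAGE_MAGIC = 0xE9  # first byte of a valid ESP-IDF app image

def parse_num(text):
    """Parse partition-table numbers: hex or decimal, optional K/M suffix."""
    text = text.strip()
    mult = {"K": 1024, "M": 1024 * 1024}.get(text[-1:].upper(), 1)
    return int(text[:-1] if mult != 1 else text, 0) * mult

def parse_partitions(csv_text):
    """Return one dict per partition row (explicit offsets are assumed)."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [c.strip() for c in row]
        if not cells or not cells[0] or cells[0].startswith("#"):
            continue  # skip blank lines and comments
        cells += [""] * (6 - len(cells))
        name, ptype, subtype, offset, size, flags = cells[:6]
        rows.append({"name": name, "type": ptype, "subtype": subtype,
                     "offset": parse_num(offset), "size": parse_num(size),
                     "flags": flags.split(":") if flags else []})
    return rows

def preflight(csv_text, flash_plan):
    """flash_plan maps a flash offset to the image bytes written there."""
    encrypted, empty_apps = [], []
    for p in parse_partitions(csv_text):
        # App partitions and partitions flagged "encrypted" get encrypted.
        if p["type"] == "app" or "encrypted" in p["flags"]:
            encrypted.append(p["name"])
        # An app partition without a valid image yields the magic byte warning.
        if p["type"] == "app":
            image = flash_plan.get(p["offset"], b"")
            if image[:1] != bytes([ESP_IMAGE_MAGIC]):
                empty_apps.append(p["name"])
    return encrypted, empty_apps

# Constructed sample table and flash plan (not taken from a real project).
SAMPLE_CSV = """\
# Name,   Type, SubType,  Offset,   Size,   Flags
nvs,      data, nvs,      0x9000,   0x6000,
nvs_key,  data, nvs_keys, 0x11000,  0x1000, encrypted
ota_0,    app,  ota_0,    0x20000,  1M,
ota_1,    app,  ota_1,    0x120000, 1M,
"""
SAMPLE_PLAN = {0x20000: bytes([ESP_IMAGE_MAGIC]) + bytes(23)}

if __name__ == "__main__":
    print(preflight(SAMPLE_CSV, SAMPLE_PLAN))
```
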
4.7.18 Why is related data not encrypted after I enable CONFIG_EFUSE_VIRTUAL and
flash encryption?
• Currently, Virtual eFuses is only used to test the update of eFuse data. Thus, flash encryption is not enabled
completely even if this function is enabled.
4.7.19 Can I update an app firmware which enables flash encryption in a device which
does not enable flash encryption through OTA?
• Yes, please deselect Check Flash Encryption enabled on app startup when compiling.
Espressif Systems
Release master