Espressif ESP32-S2 Programming Manual page 1086

Chapter 2. API Reference
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP
Check Flash Encryption enabled on app startup
Found in: Security features
If set (default), the app's startup code checks that the flash encryption eFuse bit is on (as the bootloader should already have set it). The app requires this bit to be on in order to continue; otherwise it aborts.
If not set, the app does not care whether the flash encryption eFuse bit is set or not.
Default value:
• Yes (enabled) if CONFIG_SECURE_FLASH_ENC_ENABLED
CONFIG_SECURE_UART_ROM_DL_MODE
UART ROM download mode
Found in: Security features
Available options:
• UART ROM download mode (Permanently disabled (recommended)) (SECURE_DISABLE_ROM_DL_MODE)
If set, during startup the app will burn an eFuse bit to permanently disable the UART ROM Download Mode. This prevents any future use of esptool.py, espefuse.py and similar tools.
Once disabled, if the SoC is booted with strapping pins set for ROM Download Mode then an error is printed instead.
It is recommended to enable this option in any production application where Flash Encryption and/or Secure Boot is enabled and access to Download Mode is not required.
It is also possible to permanently disable Download Mode by calling esp_efuse_disable_rom_download_mode() at runtime.
• UART ROM download mode (Permanently switch to Secure mode (recommended)) (SECURE_ENABLE_SECURE_ROM_DL_MODE)
If set, during startup the app will burn an eFuse bit to permanently switch the UART ROM Download Mode into a separate Secure Download mode. This option can only work if Download Mode is not already disabled by eFuse.
Secure Download mode limits the use of Download Mode functions to simple flash read, write and erase operations, plus a command to return a summary of currently enabled security features.
Secure Download mode is not compatible with the esptool.py flasher stub feature, espefuse.py, reading/writing memory or registers, encrypted download, or any other features that interact with unsupported Download Mode commands.
Secure Download mode should be enabled in any application where Flash Encryption and/or Secure Boot is enabled. Disabling this option does not immediately cancel the benefits of the security features, but it increases the potential "attack surface" for an attacker to try and bypass them with a successful physical attack.
It is also possible to enable Secure Download mode at runtime by calling esp_efuse_enable_rom_secure_download_mode().
Note: Secure Download mode is not available for ESP32 (includes revisions till ECO3).
• UART ROM download mode (Enabled (not recommended)) (SECURE_INSECURE_ALLOW_DL_MODE)
This is a potentially insecure option. Enabling this option will allow the full UART download mode to stay enabled. This option SHOULD NOT BE ENABLED for production use cases.
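The startup behaviour these two options describe, as an added host-side C model (not ESP-IDF code): the efuse_state_t snapshot, the policy and action enums and both function names are assumptions standing in for the real eFuse reads, and on the device the burns are done by esp_efuse_disable_rom_download_mode() and esp_efuse_enable_rom_secure_download_mode().

```c
#include <stdbool.h>

/* Constructed snapshot of the eFuse bits the options above depend on.
 * On the chip these are read from the eFuse block; here they are plain
 * fields so the decision logic can run on a host. */
typedef struct {
    bool flash_encryption_on;   /* set by the bootloader when flash encryption is enabled */
    bool dl_mode_disabled;      /* SECURE_DISABLE_ROM_DL_MODE already burned */
    bool secure_dl_mode;        /* SECURE_ENABLE_SECURE_ROM_DL_MODE already burned */
} efuse_state_t;

/* The three choices of CONFIG_SECURE_UART_ROM_DL_MODE (hypothetical enum). */
typedef enum { DL_DISABLE, DL_SECURE, DL_ALLOW } dl_policy_t;

/* What the app would do at startup (hypothetical enum). */
typedef enum { ACT_NONE, ACT_ABORT, ACT_BURN_DISABLE, ACT_BURN_SECURE, ACT_ERROR } action_t;

/* CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP: when the check is enabled, the app
 * must abort if the flash encryption eFuse bit is not on. */
action_t check_flash_encryption(const efuse_state_t *e, bool check_enabled)
{
    if (check_enabled && !e->flash_encryption_on) {
        return ACT_ABORT;
    }
    return ACT_NONE;
}

/* CONFIG_SECURE_UART_ROM_DL_MODE applied at app startup. eFuse burns are
 * one-way, so each branch is idempotent and respects the documented rule that
 * Secure Download mode cannot be selected once Download Mode is disabled. */
action_t apply_dl_mode_policy(efuse_state_t *e, dl_policy_t policy)
{
    switch (policy) {
    case DL_DISABLE:
        if (e->dl_mode_disabled) return ACT_NONE;    /* already burned */
        e->dl_mode_disabled = true;                   /* esp_efuse_disable_rom_download_mode() */
        return ACT_BURN_DISABLE;
    case DL_SECURE:
        if (e->dl_mode_disabled) return ACT_ERROR;   /* "only works if not already disabled" */
        if (e->secure_dl_mode) return ACT_NONE;      /* already burned */
        e->secure_dl_mode = true;                     /* esp_efuse_enable_rom_secure_download_mode() */
        return ACT_BURN_SECURE;
    case DL_ALLOW:
    default:
        return ACT_NONE;   /* full Download Mode stays reachable: the insecure choice */
    }
}
```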
Boot ROM Behavior
Contains:
CONFIG_BOOT_ROM_LOG_SCHEME
Espressif Systems 1075 Release v4.4