I am trying to implement an OTA update using encrypted firmware bin files. However, I am not quite sure how to use Update.setupCrypt, since the ESP32-S3 does not have the FLASH_CRYPT_CNT fuse and embedding the decryption key inside the firmware file seems like a security issue, even though it is encrypted. So what is the workflow for the ESP32-S3 implementation? Is using the decryption key from efuse directly possible?
Is OTA_KEY the same AES key that is used for encryption with the espsecure.py tool? Is an AES-256 (512-bit) key supported?
We are using a custom library to handle the OTA (https://github.com/chrisjoyce911/esp32FOTA), and I suggested implementing support for encrypted OTA updates. They suggested that simply calling Update.setupCrypt() from setup is sufficient. However, the update does not progress and gets stuck with the following serial output.
[ 52927][V][esp32fota.cpp:1086] getHTTPStream(): This server supports resume!
[ 52934][D][esp32fota.cpp:1151] getHTTPStream(): updateSize : 2377152, contentType: application/octet-stream
[ 52948][D][esp32fota.cpp:576] execOTA(): compression: disabled
[ 52955][D][Updater.cpp:140] begin(): OTA Partition: app1
[ 52961][I][esp32fota.cpp:625] execOTA(): Begin Firmware OTA. This may take 2 - 5 mins to complete. Things might be quiet for a while.. Patience!
[ 52983][D][Updater.cpp:348] _writeBuffer(): Decrypting OTA Image
[ 52989][W][Updater.cpp:292] _decryptBuffer(): AES key not set
[ 52995][E][esp32fota.cpp:640] execOTA(): Written only : 0/2377152 Premature end of stream?
[ 53003][D][HTTPClient.cpp:373] disconnect(): still data in buffer (17), clean up.
This is the example I am trying to use to implement our custom OTA code: https://github.com/espressif/arduino-esp32/blob/master/libraries/Update/examples/HTTP_Client_AES_OTA_Update/HTTP_Client_AES_OTA_Update.ino
Thanks!
Sketch
```cpp
/**
 * esp32 firmware OTA
 * Purpose: Perform an OTA update to both firmware and filesystem from binaries
 * located on a webserver (HTTPS) while using progmem to check for certificate validity
 */
#include "FS.h"
#include <LittleFS.h>
#include <esp32fota.h>
#include "root_ca_cert.h"

// Note: wifiConnected, the fwUpdate* flags and tickers, FW_NAME, FW_ADDR and
// firmware_version_* are used below but are not declared in the posted sketch.

const bool check_signature = false;
const bool disable_security = false;

esp32FOTA FOTA;
CryptoMemAsset *MyRootCA = new CryptoMemAsset("Root CA", root_ca_cert, strlen(root_ca_cert) + 1);
// CryptoMemAsset *MyRSAKey = new CryptoMemAsset("RSA Public Key", pub_key, strlen(pub_key)+1 );

int firmwareUpdateProgress = 0; // Global variable to store update progress

void my_progress_callback(size_t progress, size_t size)
{
  // Calculate the progress as a percentage
  firmwareUpdateProgress = static_cast<int>((static_cast<float>(progress) / size) * 100);
  if (progress == size || progress == 0)
  {
    // Firmware update is complete or hasn't started yet
  }
}

void fotaSetup()
{
  // Set up the progress callback
  FOTA.setProgressCb(my_progress_callback);
  FOTA.setExtraHTTPHeader("XXX", "XXXXXXXXXXX");
  // Key pointer is 0 (no key supplied), address 0, config 0x0, mode U_AES_DECRYPT_NONE
  Update.setupCrypt(0, 0, 0x0, U_AES_DECRYPT_NONE);
  {
    auto cfg = FOTA.getConfig();
    cfg.name = (char *)FW_NAME;
    cfg.manifest_url = (char *)FW_ADDR;
    cfg.sem = SemverClass(firmware_version_major, firmware_version_minor, firmware_version_patch);
    cfg.check_sig = check_signature;
    cfg.unsafe = disable_security;
    cfg.root_ca = MyRootCA;
    // cfg.pub_key = MyRSAKey;
    FOTA.setConfig(cfg);
  }
  // FOTA.printConfig();
}

void fwUpdateCheck()
{
  if (wifiConnected)
  {
    fwUpdatedNeeded = FOTA.execHTTPcheck(true);
    log_e("HTTP code returned: (httpCode=%i)", fwUpdatedNeeded);
    fwUpdateChecked = true;
    fwUpdateChecking = false;
  }
}

void fwUpdateAutoCheckInit()
{
  if (wifiConnected)
  {
    if (fwUpdateAutoCheck)
    {
      if (fwUpdateCheckBootTicker.active())
      {
        fwUpdateCheckBootTicker.detach();
      }
      fwUpdateChecking = true;
      fwUpdateChecked = false;
      fwUpdateStartCheckTicker.once(3, fwUpdateCheck);
    }
  }
}

void fwUpdateExecute()
{
  if (fwUpdatedNeeded == 200 || fwUpdatedNeeded == 301)
  {
    FOTA.execOTA();
  }
}

void OTAUpdateTask(void *pvParameters)
{
  // Perform the firmware update
  fwUpdateExecute();
  // Introduce a delay to yield the task
  vTaskDelay(pdMS_TO_TICKS(100)); // Adjust the delay duration as needed
  // The task can be deleted once the update is complete
  vTaskDelete(NULL);
}

void startOTAUpdateTask()
{
  // Create the OTA update task and start it
  xTaskCreate(OTAUpdateTask, "OTAUpdateTask", 8192, NULL, 0, NULL);
}
```
Debug Message
[ 52927][V][esp32fota.cpp:1086] getHTTPStream(): This server supports resume!
[ 52934][D][esp32fota.cpp:1151] getHTTPStream(): updateSize : 2377152, contentType: application/octet-stream
[ 52948][D][esp32fota.cpp:576] execOTA(): compression: disabled
[ 52955][D][Updater.cpp:140] begin(): OTA Partition: app1
[ 52961][I][esp32fota.cpp:625] execOTA(): Begin Firmware OTA. This may take 2 - 5 mins to complete. Things might be quiet for a while.. Patience!
[ 52983][D][Updater.cpp:348] _writeBuffer(): Decrypting OTA Image
[ 52989][W][Updater.cpp:292] _decryptBuffer(): AES key not set
[ 52995][E][esp32fota.cpp:640] execOTA(): Written only : 0/2377152 Premature end of stream?
[ 53003][D][HTTPClient.cpp:373] disconnect(): still data in buffer (17), clean up.
[ 53011][D][HTTPClient.cpp:378] disconnect(): tcp keep open for reuse
Other Steps to Reproduce
No response
I have checked existing issues, online documentation and the Troubleshooting Guide
I confirm I have checked existing issues, online documentation and Troubleshooting guide.
This discussion was converted from issue #10155 on March 12, 2025 23:02.
Board
Custom esp32-s3 board with 8MB Flash 2MB Ram
Device Description
Custom board to control motor
Hardware Configuration
n/a
Version
v3.0.3
IDE Name
PlatformIO
Operating System
Windows 11
Flash frequency
80
PSRAM enabled
yes
Upload speed
115200
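Added example (not part of the original post, and not code from arduino-esp32 or esp32FOTA): the log above reports `_decryptBuffer(): AES key not set` after the sketch passes `0` as the key to `Update.setupCrypt()`, so this sketch validates a provisioned key and checks the return value of `Update.setupCrypt()` before any OTA download starts. The 64-hex-character key format, the 32-byte key length, the rejection of an all-zero key and the helper names `parseOtaKey` and `armEncryptedOta` are assumptions of this example.

```cpp
// Added example, not code from the post or from arduino-esp32.
// Assumptions: the key is provisioned as 64 hex characters (32 bytes);
// parseOtaKey() and armEncryptedOta() are hypothetical helper names.
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr size_t kOtaKeyLen = 32;  // assumed key length in bytes

static int hexNibble(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Fills out[] and returns true only for exactly 64 hex digits that are not
// all zero (an all-zero key is treated here as "never provisioned").
bool parseOtaKey(const char *hex, uint8_t out[kOtaKeyLen]) {
  if (hex == nullptr || std::strlen(hex) != kOtaKeyLen * 2) return false;
  uint8_t tmp[kOtaKeyLen];
  uint8_t anyBit = 0;
  for (size_t i = 0; i < kOtaKeyLen; ++i) {
    int hi = hexNibble(hex[2 * i]);
    int lo = hexNibble(hex[2 * i + 1]);
    if (hi < 0 || lo < 0) return false;
    tmp[i] = static_cast<uint8_t>((hi << 4) | lo);
    anyBit |= tmp[i];
  }
  if (anyBit == 0) return false;
  std::memcpy(out, tmp, kOtaKeyLen);  // out[] is only written on success
  return true;
}

#ifdef ARDUINO
#include <Update.h>
// Call before FOTA.execOTA(). A false return means the Updater has no usable
// key, so the caller should skip the download rather than let it stall.
bool armEncryptedOta(const char *hexKey, size_t cryptAddress, uint8_t cryptConfig) {
  static uint8_t key[kOtaKeyLen];  // static: stays valid for the whole update
  if (!parseOtaKey(hexKey, key)) return false;
  return Update.setupCrypt(key, cryptAddress, cryptConfig, U_AES_DECRYPT_AUTO);
}
#endif
```

On a host compiler only `parseOtaKey` is built; the `ARDUINO` guard keeps the `Update` call for device builds.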