Add functionality similar to get_security_info command in esptool

[jessebraham]

No description provided.

[ivmarkov]

Nice to have, but I think we need the full-blown capability of espefuse.py instead. Otherwise, there is actually no way to burn the SecureBoot V2 public key signature into efuse in the first place, and this is the one single thing the bootloader cannot do automatically "on first boot". But also in general, relying on the bootloader-compiled-with-encryption-and/or-secure-boot-enabled to auto-generate encryption XTS key, burn it, encrypt all plaintext bootloader/part table/factory image on first boot is super dangerous (IMO).

Espressif recommends this workflow instead, which relies on explicit efuse burns to enable both secure boot and encryption. Much more predictable. And allows for sub-sequent re-flashing of the encrypted/secure-booted device, as long as you keep the encryption key and the secure boot V2 private key around, and the ROM downloader enabled (in secure mode or not).

[jessebraham]

This was opened because there have been change with how chip detection is performed with newer devices (e.g. for the P4) and detecting via magic value does not work reliably with all devices. I did not consider any other application of this functionality when opening the issue.

[ivmarkov]

This was opened because there have been change with how chip detection is performed with newer devices (e.g. for the P4) and detecting via magic value does not work reliably with all devices. I did not consider any other application of this functionality when opening the issue.

Fair enough!

[jessebraham]

I probably should have mentioned that in the original comment 😅