
Add support for encrypted UF2 images (AEGHB-783) #398

Open
@gudvinr

Description


Answers checklist.

  • I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
  • I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
  • I have searched the issue tracker for a similar issue and not found a similar issue.

General issue report

When you enable secure boot and flash encryption, there's currently no simple option to update the device through USB without making flash encryption useless.

Currently, you can use esp_encrypted_img to update an ESP using an encrypted firmware image via OTA.
There is an existing integration with HTTPS OTA, but there's no implementation for updating over USB.

You can also use tinyuf2 to update firmware through USB MSC.
But UF2 doesn't have built-in encryption.

You can use the esp_encrypted_img component and flash images via USB by placing them onto the exposed USB MSC device, but it'd basically be a re-implementation of tinyuf2 with a different image format.

However, UF2 supports extension tags:

When the 0x8000 flag is set, additional information can be appended right after payload data (i.e., it starts at 32 + payloadSize).

So, it is quite possible to add this part of the custom encrypted image as an extension:
[image]
In that case, you essentially get "ESP Encrypted Image" but in UF2 format.

Another option is to use the same read-protected key that is used for flash encryption, as described in the docs.
This way you don't need to store an additional RSA key nor add any headers. But it is likely less convenient to use, since you need to store a bunch of security-sensitive AES keys instead of just the public RSA key(s).

It doesn't matter if this extension tag is "non-standard". The encryption scheme for different devices will not be the same anyway, and you won't feed the same UF2 binary to a different platform either.
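To make the extension-tag layout concrete, here is an added example (not code from the issue author, tinyuf2 or ESP-IDF) that builds one 512-byte UF2 block carrying a tag after the payload and parses it back, validating the magics and the tag list. The tag designator TAG_ENC_HEADER is a hypothetical placeholder for an encrypted-image header, and the header bytes are constructed sample data; payloads are assumed to be 4-byte aligned so the tag area starts at 32 + payloadSize on a 4-byte boundary.

```python
import struct

UF2_MAGIC_START0 = 0x0A324655  # "UF2\n"
UF2_MAGIC_START1 = 0x9E5D5157
UF2_MAGIC_END = 0x0AB16F30
UF2_FLAG_EXTENSION_TAGS = 0x00008000  # tags appended right after payload data
UF2_BLOCK_SIZE, UF2_HEADER_SIZE, UF2_DATA_SIZE = 512, 32, 476

# Hypothetical designator for an encrypted-image header tag; placeholder, not a spec value.
TAG_ENC_HEADER = 0xE5E5E5


def build_block(payload: bytes, addr: int, tags=None, block_no=0, num_blocks=1) -> bytes:
    """Build one UF2 block; each tag is a 32-bit LE word (size in low byte, 24-bit designator above) + data."""
    if len(payload) % 4:
        raise ValueError("payload must be 4-byte aligned so tags start on a 4-byte boundary")
    body, flags = bytearray(payload), 0
    if tags:
        flags |= UF2_FLAG_EXTENSION_TAGS
        for designator, data in tags:
            size = 4 + len(data)  # size byte + 3-byte designator + tag data
            if size > 255:
                raise ValueError("tag too large")
            body += struct.pack("<I", (designator << 8) | size) + data
            body += b"\0" * (-len(body) % 4)  # pad so the next tag is 4-byte aligned
        body += b"\0" * 4  # terminator: a tag of size 0
    if len(body) > UF2_DATA_SIZE:
        raise ValueError("payload plus tags exceed the 476-byte data area")
    body += b"\0" * (UF2_DATA_SIZE - len(body))
    hdr = struct.pack("<8I", UF2_MAGIC_START0, UF2_MAGIC_START1, flags, addr,
                      len(payload), block_no, num_blocks, 0)
    return hdr + bytes(body) + struct.pack("<I", UF2_MAGIC_END)


def parse_block(block: bytes):
    """Validate one UF2 block and return (flags, addr, payload, [(designator, data), ...])."""
    if len(block) != UF2_BLOCK_SIZE:
        raise ValueError("bad block length")
    m0, m1, flags, addr, psize, _blk, _nblk, _ = struct.unpack_from("<8I", block, 0)
    (mend,) = struct.unpack_from("<I", block, UF2_BLOCK_SIZE - 4)
    if (m0, m1, mend) != (UF2_MAGIC_START0, UF2_MAGIC_START1, UF2_MAGIC_END):
        raise ValueError("bad UF2 magic")
    if psize > UF2_DATA_SIZE:
        raise ValueError("payload size exceeds data area")
    data = block[UF2_HEADER_SIZE:UF2_HEADER_SIZE + UF2_DATA_SIZE]
    tags, off = [], psize  # tag list begins at 32 + payloadSize, i.e. offset psize in data
    if flags & UF2_FLAG_EXTENSION_TAGS:
        while off + 4 <= UF2_DATA_SIZE:
            word = struct.unpack_from("<I", data, off)[0]
            size, designator = word & 0xFF, word >> 8
            if size == 0:
                break  # terminator reached
            if size < 4 or off + size > UF2_DATA_SIZE:
                raise ValueError("malformed tag")  # reject tags that overrun the block
            tags.append((designator, bytes(data[off + 4:off + size])))
            off += (size + 3) & ~3
        else:
            raise ValueError("unterminated tag list")
    return flags, addr, bytes(data[:psize]), tags
```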
