Merge branch 'doc/update_esp_https_ota_pre_encrypted_doc' into 'master'

docs(system/esp_https_ota): adds ECIES-256 to pre-enc ota design doc

See merge request espressif/esp-idf!39515

docs/en/api-reference/system/esp_https_ota.rst

@@ -82,17 +82,17 @@ Pre-encrypted firmware distribution ensures that the firmware image stays encryp
 Design
 ^^^^^^
 
-* This scheme requires a unique RSA-3072 public-private key pair to be generated first. The public key stays on the OTA update server for encryption purpose and the private key is part of the device (e.g., embedded in firmware) for decryption purpose.
-* Pre-encrypted firmware is encrypted using AES-GCM key which is then appended to the image as header (along with config parameters).
-* Further the AES-GCM key gets encrypted using RSA public key and the resultant image gets hosted on the OTA update server.
-* On the device side, first the AES-GCM key is retrieved by decrypting the image header using RSA private key available to the device.
-* Finally, the contents of the image are decrypted using AES-GCM key (and config parameters) and written to the flash storage.
+Pre-encrypted firmware is a **transport security scheme** that ensures firmware images remain encrypted **in transit** from the OTA server to the device (irrespective of the underlying transport security). This approach differs from :doc:`../../security/flash-encryption` in several key ways:
 
-This whole workflow is managed by an external component `esp_encrypted_image <https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img>`_ and it gets plugged into the OTA update framework through decryption callback (:cpp:member:`esp_https_ota_config_t::decrypt_cb`) mechanism.
+* **Key Management**: Uses externally managed encryption keys rather than per-device unique keys generated internally
+* **Flash Offset Independence**: Generates consistent ciphertext regardless of flash partition location (``ota_0``, ``ota_1``, etc.)
+* **Transport Protection**: Provides encryption protection during firmware distribution, not device-level storage security
 
-.. note::
+**Important Security Note**: Pre-encrypted firmware does not provide device-level security on its own. Once received, the firmware is decrypted on the device and stored according to the device's flash encryption configuration. For device-level security, flash encryption must be separately enabled.
 
-    The supported scheme is based on RSA-3072 and the private key on device side must be protected using platform security features.
+This process is managed by the `esp_encrypted_img <https://github.com/espressif/idf-extra-components/tree/master/esp_encrypted_img>`_ component, which integrates with the OTA update framework via the decryption callback (:cpp:member:`esp_https_ota_config_t::decrypt_cb`).
+
+For detailed information on the image format, key generation, and implementation details, refer to the `esp_encrypted_img component documentation <https://github.com/espressif/idf-extra-components/tree/master/esp_encrypted_img>`_.
 
 OTA System Events
 -----------------

docs/zh_CN/api-reference/system/esp_https_ota.rst

@@ -82,17 +82,17 @@ OTA 恢复
 设计
 ^^^^
 
-* 该方案需首先生成一个唯一的 RSA-3072 公钥—私钥对。公钥保留在 OTA 更新服务器上，用于加密，而私钥作为设备的一部分，例如内嵌于固件中，用于解密。
-* 预加密固件使用 AES-GCM 密钥进行加密，并将该密钥（及其配置参数）作为标头附加到镜像中。
-* 此外，AES-GCM 密钥使用 RSA 公钥进行加密，生成的镜像会托管到 OTA 更新服务器上。
-* 在设备端，首先使用可用的 RSA 私钥解密镜像标头，从而获取 AES-GCM 密钥。
-* 最后，使用 AES-GCM 密钥（和配置参数）解密镜像内容，并将其写入 flash。
+预加密固件是一种 **传输安全方案**，用于确保固件镜像在从 OTA 服务器传输到设备的过程中始终处于加密状态（与底层传输安全无关）。这种方案与 :doc:`../../security/flash-encryption` 在多个关键方面有所不同：
 
-整个工作流程由外部组件 `esp_encrypted_image <https://github.com/espressif/idf-extra-components/blob/master/esp_encrypted_img>`_ 管理，并通过解密回调 (:cpp:member:`esp_https_ota_config_t::decrypt_cb`) 机制插入到 OTA 更新框架中。
+* **密钥管理**：使用外部管理的加密密钥，而不是每个设备内部生成的唯一密钥
+* **独立于 flash 偏移**：无论固件烧录在哪个 flash 分区（``ota_0``、``ota_1`` 等），生成的密文内容一致
+* **传输保护**：在固件传输过程中提供加密保护，不涉及设备本地存储安全
 
-.. note::
+**重要安全提示**：预加密固件本身不提供设备级安全保护。固件被接收后在设备上解密，并按设备的 flash 加密配置存储。如需设备级安全措施，需另外启用 flash 加密功能。
 
-    该支持方案基于 RSA-3072，必须使用平台安全功能保护设备端的私钥。
+该功能由 `esp_encrypted_img <https://github.com/espressif/idf-extra-components/tree/master/esp_encrypted_img>`_ 组件实现，该组件通过解密回调 (:cpp:member:`esp_https_ota_config_t::decrypt_cb`) 机制集成在 OTA 更新框架中。
+
+有关镜像格式、密钥生成及实现细节的详细信息，请参阅 `esp_encrypted_img 组件文档 <https://github.com/espressif/idf-extra-components/tree/master/esp_encrypted_img>`_。
 
 OTA 系统事件
 -----------------