From b7a8e6102fb54fd31519c7601601227d91bd9920 Mon Sep 17 00:00:00 2001 From: Harshit Malpani Date: Mon, 22 Apr 2024 12:02:24 +0530 Subject: [PATCH] docs: Update pre_encrypted_ota example README Update pre_encrytped_ota example README to clarify the difference between Flash Encryption and Pre-encrypted OTA --- examples/system/ota/pre_encrypted_ota/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/examples/system/ota/pre_encrypted_ota/README.md b/examples/system/ota/pre_encrypted_ota/README.md index 2d2d116470..52198e0cd7 100644 --- a/examples/system/ota/pre_encrypted_ota/README.md +++ b/examples/system/ota/pre_encrypted_ota/README.md @@ -9,6 +9,8 @@ Pre-encrypted firmware binary must be hosted on OTA update server. This firmware will be fetched and then decrypted on device before being flashed. This allows firmware to remain `confidential` on the OTA update channel irrespective of underlying transport (e.g., non-TLS). +* **NOTE:** Pre-encrypted OTA is a completely different scheme from Flash Encryption. Pre-encrypted OTA helps in ensuring the confidentiality of the firmware on the network channel, whereas Flash Encryption is intended for encrypting the contents of the ESP32's off-chip flash memory. + > [!CAUTION] > Using the Pre-encrypted Binary OTA provides confidentiality of the firmware, but it does not ensure authenticity of the firmware. For ensuring that the firmware is coming from trusted source, please consider enabling secure boot feature along with the Pre-encrypted binary OTA. Please refer to security guide in the ESP-IDF docs for more details.
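Review bot: The added `* **NOTE:**` line is written as a bullet list item, while the callout directly below it uses the alert syntax `> [!CAUTION]`; consider writing it as `> [!NOTE]` so both callouts render the same way and the note does not read as a stray one-item list. The wording would also be stronger if it stated the practical consequence. The context line above says the image is decrypted on device before being flashed, so the note could state explicitly that Pre-encrypted OTA does not protect the firmware at rest in flash, and that Flash Encryption has to be enabled separately when that is required. Finally, the note names "the ESP32's off-chip flash memory" specifically; if the example is meant for more than one target, a chip-neutral phrasing would avoid implying the distinction only applies to ESP32.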