esp-idf/examples/security/flash_encryption/pytest_flash_encryption.py

# SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Apache-2.0

from __future__ import print_function

import binascii
from collections import namedtuple
from io import BytesIO

import espsecure
import pytest
from pytest_embedded import Dut


# To prepare a test runner for this example:
# 1. Generate zero flash encryption key:
#   dd if=/dev/zero of=key.bin bs=1 count=32
# 2.Burn Efuses:
#   espefuse.py --do-not-confirm -p $ESPPORT burn_efuse FLASH_CRYPT_CONFIG 0xf
#   espefuse.py --do-not-confirm -p $ESPPORT burn_efuse FLASH_CRYPT_CNT 0x1
#   espefuse.py --do-not-confirm -p $ESPPORT burn_key flash_encryption key.bin
@pytest.mark.esp32
@pytest.mark.esp32c3
@pytest.mark.flash_encryption
def test_examples_security_flash_encryption(dut: Dut) -> None:
    # Erase the nvs_key partition
    dut.serial.erase_partition('nvs_key')
    # calculate the expected ciphertext
    flash_addr = dut.app.partition_table['storage']['offset']
    plain_hex_str = '00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f'
    plain_data = binascii.unhexlify(plain_hex_str.replace(' ', ''))

    # espsecure uses the cryptography package for encrypting
    # with aes-xts, but does not allow for a symmetric key
    # so the key for later chips are not all zeros
    if dut.target == 'esp32':
        key_bytes = b'\x00' * 32
        aes_xts = False
    else:
        key_bytes = b'\xff' + b'\x00' * 31
        aes_xts = True

    # Emulate espsecure encrypt_flash_data command
    EncryptFlashDataArgs = namedtuple('EncryptFlashDataArgs', ['output', 'plaintext_file', 'address', 'keyfile', 'flash_crypt_conf', 'aes_xts'])
    args = EncryptFlashDataArgs(BytesIO(), BytesIO(plain_data), flash_addr, BytesIO(key_bytes), 0xF, aes_xts)
    espsecure.encrypt_flash_data(args)

    expected_ciphertext = args.output.getvalue()
    hex_ciphertext = binascii.hexlify(expected_ciphertext).decode('ascii')
    expected_str = (' '.join(hex_ciphertext[i:i + 2] for i in range(0, 16, 2)) + '  ' +
                    ' '.join(hex_ciphertext[i:i + 2] for i in range(16, 32, 2)))

    lines = [
        'FLASH_CRYPT_CNT eFuse value is 1',
        'Flash encryption feature is enabled in DEVELOPMENT mode',
        'with esp_partition_write',
        plain_hex_str,
        'with esp_partition_read',
        plain_hex_str,
        'with spi_flash_read',
        expected_str,
        # The status of NVS encryption for the "nvs" partition
        'NVS partition "nvs" is encrypted.',
        # The status of NVS encryption for the "custom_nvs" partition
        'NVS partition "custom_nvs" is encrypted.'
    ]
    for line in lines:
        dut.expect(line, timeout=20)
flash_encryption_example: Update example test to use pytest framework 2022-04-14 04:54:04 +00:00			`# SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD`
			`# SPDX-License-Identifier: Apache-2.0`

spi_flash: remove duplicate definition of spi_flash_unlock The other (static) definition is in flash_ops.c, all references are also in flash_ops.c. 2019-08-23 04:37:55 +00:00			`from __future__ import print_function`
style: format python files with isort and double-quote-string-fixer 2021-01-26 02:49:01 +00:00
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`import binascii`
style: format python files with isort and double-quote-string-fixer 2021-01-26 02:49:01 +00:00			`from collections import namedtuple`
			`from io import BytesIO`
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00
flash_encryption_example_test: Add support for erasing the flash for the target. 2022-04-28 07:14:47 +00:00			`import espsecure`
flash_encryption_example: Update example test to use pytest framework 2022-04-14 04:54:04 +00:00			`import pytest`
			`from pytest_embedded import Dut`
style: format python files with isort and double-quote-string-fixer 2021-01-26 02:49:01 +00:00
spi_flash: remove duplicate definition of spi_flash_unlock The other (static) definition is in flash_ops.c, all references are also in flash_ops.c. 2019-08-23 04:37:55 +00:00
			`# To prepare a test runner for this example:`
			`# 1. Generate zero flash encryption key:`
			`# dd if=/dev/zero of=key.bin bs=1 count=32`
			`# 2.Burn Efuses:`
			`# espefuse.py --do-not-confirm -p $ESPPORT burn_efuse FLASH_CRYPT_CONFIG 0xf`
			`# espefuse.py --do-not-confirm -p $ESPPORT burn_efuse FLASH_CRYPT_CNT 0x1`
			`# espefuse.py --do-not-confirm -p $ESPPORT burn_key flash_encryption key.bin`
flash_encryption_example: Update example test to use pytest framework 2022-04-14 04:54:04 +00:00			`@pytest.mark.esp32`
			`@pytest.mark.esp32c3`
			`@pytest.mark.flash_encryption`
			`def test_examples_security_flash_encryption(dut: Dut) -> None:`
flash_encryption_example_test: Add support for erasing the flash for the target. 2022-04-28 07:14:47 +00:00			`# Erase the nvs_key partition`
			`dut.serial.erase_partition('nvs_key')`
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`# calculate the expected ciphertext`
style: format python files with isort and double-quote-string-fixer 2021-01-26 02:49:01 +00:00			`flash_addr = dut.app.partition_table['storage']['offset']`
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`plain_hex_str = '00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f'`
			`plain_data = binascii.unhexlify(plain_hex_str.replace(' ', ''))`

flash enc: add flash encryption unit and example test for C3 2021-03-17 08:11:03 +00:00			`# espsecure uses the cryptography package for encrypting`
			`# with aes-xts, but does not allow for a symmetric key`
			`# so the key for later chips are not all zeros`
flash_encryption_example: Update example test to use pytest framework 2022-04-14 04:54:04 +00:00			`if dut.target == 'esp32':`
flash enc: add flash encryption unit and example test for C3 2021-03-17 08:11:03 +00:00			`key_bytes = b'\x00' * 32`
			`aes_xts = False`
			`else:`
			`key_bytes = b'\xff' + b'\x00' * 31`
			`aes_xts = True`

examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`# Emulate espsecure encrypt_flash_data command`
tools: Update esptool submodule Closes https://github.com/espressif/esp-idf/issues/6415 2021-01-15 08:04:59 +00:00			`EncryptFlashDataArgs = namedtuple('EncryptFlashDataArgs', ['output', 'plaintext_file', 'address', 'keyfile', 'flash_crypt_conf', 'aes_xts'])`
flash enc: add flash encryption unit and example test for C3 2021-03-17 08:11:03 +00:00			`args = EncryptFlashDataArgs(BytesIO(), BytesIO(plain_data), flash_addr, BytesIO(key_bytes), 0xF, aes_xts)`
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`espsecure.encrypt_flash_data(args)`

			`expected_ciphertext = args.output.getvalue()`
			`hex_ciphertext = binascii.hexlify(expected_ciphertext).decode('ascii')`
			`expected_str = (' '.join(hex_ciphertext[i:i + 2] for i in range(0, 16, 2)) + ' ' +`
			`' '.join(hex_ciphertext[i:i + 2] for i in range(16, 32, 2)))`

spi_flash: remove duplicate definition of spi_flash_unlock The other (static) definition is in flash_ops.c, all references are also in flash_ops.c. 2019-08-23 04:37:55 +00:00			`lines = [`
			`'FLASH_CRYPT_CNT eFuse value is 1',`
			`'Flash encryption feature is enabled in DEVELOPMENT mode',`
			`'with esp_partition_write',`
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`plain_hex_str,`
spi_flash: remove duplicate definition of spi_flash_unlock The other (static) definition is in flash_ops.c, all references are also in flash_ops.c. 2019-08-23 04:37:55 +00:00			`'with esp_partition_read',`
examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. 2020-09-16 22:06:54 +00:00			`plain_hex_str,`
spi_flash: remove duplicate definition of spi_flash_unlock The other (static) definition is in flash_ops.c, all references are also in flash_ops.c. 2019-08-23 04:37:55 +00:00			`'with spi_flash_read',`
nvs_flash: Modify the default NVS initialization API with internal nvs encryption handling (only when nvs encryption is enabled) * NVS Encryption will now be turned on by default with flash encryption * Updated the flash encryption example to shocase NVS encryption along with information on how to configure and use NVS encryption * Updated respective test case * Added two partition tables for NVS encryption i) Table 1- Single factory app, no OTA, encrypted NVS ii) Table 2- Factory app, Two OTA, encrypted NVS 2020-12-15 03:01:39 +00:00			`expected_str,`
			`# The status of NVS encryption for the "nvs" partition`
examples/security: update test script to handle custom NVS partition init 2022-06-02 12:44:21 +00:00			`'NVS partition "nvs" is encrypted.',`
			`# The status of NVS encryption for the "custom_nvs" partition`
			`'NVS partition "custom_nvs" is encrypted.'`
spi_flash: remove duplicate definition of spi_flash_unlock The other (static) definition is in flash_ops.c, all references are also in flash_ops.c. 2019-08-23 04:37:55 +00:00			`]`
			`for line in lines:`
flash_encryption_example: Increase timeout 2022-06-27 13:27:58 +00:00			`dut.expect(line, timeout=20)`