feat(bootloader_support): Encrypt only the app image instead of the whole partition

Currently, when flash encryption is enabled, the whole partition gets encrypted. This can be optimised by encrypting only the app image instead of encrypting the whole partition. Closes https://github.com/espressif/esp-idf/issues/12576
2023-11-22 15:17:37 +05:30 · 2023-11-22 15:17:37 +05:30 · 42943845e4
commit 42943845e4
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -1070,6 +1070,22 @@ menu "Security features"
                DIS_DOWNLOAD_MANUAL_ENCRYPT, DIS_USB_JTAG, DIS_USB_SERIAL_JTAG, STRAP_JTAG_SEL, USB_PHY_SEL.
    endmenu  # Potentially Insecure

+    config SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
+        bool "Encrypt only the app image that is present in the partition of type app"
+        depends on SECURE_FLASH_ENC_ENABLED && !SECURE_FLASH_REQUIRE_ALREADY_ENABLED
+        default y
+        help
+            If set (default), optimise encryption time for the partition of type APP,
+            by only encrypting the app image that is present in the partition,
+            instead of the whole partition.
+            The image length used for encryption is derived from the image metadata, which
+            includes the size of the app image, checksum, hash and also the signature sector
+            when secure boot is enabled.
+
+            If not set, the whole partition of type APP would be encrypted,
+            which increases the encryption time but might be useful if there
+            is any custom data appended to the firmware image.
+
    config SECURE_FLASH_CHECK_ENC_EN_IN_APP
        bool "Check Flash Encryption enabled on app startup"
        depends on SECURE_FLASH_ENC_ENABLED
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@ -404,14 +404,21 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
 {
    esp_err_t err;
    bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
+    uint32_t size = partition->pos.size;

    if (partition->type == PART_TYPE_APP) {
        /* check if the partition holds a valid unencrypted app */
-        esp_image_metadata_t data_ignored;
+        esp_image_metadata_t image_data = {};
        err = esp_image_verify(ESP_IMAGE_VERIFY,
                               &partition->pos,
-                               &data_ignored);
+                               &image_data);
        should_encrypt = (err == ESP_OK);
+#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
+        if (should_encrypt) {
+            // Encrypt only the app image instead of encrypting the whole partition
+            size = image_data.image_len;
+        }
+#endif
    } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
                || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
        /* check if we have ota data partition and the partition should be encrypted unconditionally */
@ -422,9 +429,9 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
        return ESP_OK;
    } else {
        /* should_encrypt */
-        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size);
+        ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size);

-        err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size);
+        err = esp_flash_encrypt_region(partition->pos.offset, size);
        ESP_LOGI(TAG, "Done encrypting");
        if (err != ESP_OK) {
            ESP_LOGE(TAG, "Failed to encrypt partition %d", index);
--- a/docs/en/migration-guides/release-5.x/5.3/index.rst
+++ b/docs/en/migration-guides/release-5.x/5.3/index.rst
@ -7,5 +7,6 @@ Migration from 5.2 to 5.3
    :maxdepth: 1

    peripherals
+    security
    storage
    system
--- a/docs/en/migration-guides/release-5.x/5.3/security.rst
+++ b/docs/en/migration-guides/release-5.x/5.3/security.rst
@ -0,0 +1,14 @@
+Security
+========
+
+:link_to_translation:`zh_CN:[中文]`
+
+.. only:: SOC_FLASH_ENC_SUPPORTED
+
+    Platform security features
+    --------------------------
+
+    When flash encryption is enabled, encrypt only the app image that is present partition of type app, instead of encrypting the whole partition. This can help to optimize the encryption time required during the first boot.
+
+    This could be configured using the config ``CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART``, which is enabled by default from ESP-IDF v5.3
+    and is disabled for all earlier releases to avoid any breaking behaviour.
--- a/docs/zh_CN/migration-guides/release-5.x/5.3/index.rst
+++ b/docs/zh_CN/migration-guides/release-5.x/5.3/index.rst
@ -7,5 +7,6 @@
    :maxdepth: 1

    peripherals
+    security
    storage
    system
--- a/docs/zh_CN/migration-guides/release-5.x/5.3/security.rst
+++ b/docs/zh_CN/migration-guides/release-5.x/5.3/security.rst
@ -0,0 +1 @@
+.. include:: ../../../../en/migration-guides/release-5.x/5.3/security.rst
				`@ -0,0 +1 @@`
				`.. include:: ../../../../en/migration-guides/release-5.x/5.3/security.rst`