Merge branch 'feature/add_custom_nvs_part_enc_support' into 'master'

examples/security: add support for custom NVS partition init with encryption See merge request espressif/esp-idf!18360
2022-06-07 11:10:25 +08:00 · 2022-06-07 11:10:25 +08:00 · dc510bc271
commit dc510bc271
--- a/examples/security/flash_encryption/main/flash_encrypt_main.c
+++ b/examples/security/flash_encryption/main/flash_encrypt_main.c
@ -22,6 +22,8 @@ static void example_print_chip_info(void);
 static void example_print_flash_encryption_status(void);
 static void example_read_write_flash(void);

+#define CUSTOM_NVS_PART_NAME "custom_nvs"
+
 static const char* TAG = "example";

 #if CONFIG_IDF_TARGET_ESP32
@ -32,6 +34,35 @@ static const char* TAG = "example";
 #define TARGET_CRYPT_CNT_WIDTH  3
 #endif

+static esp_err_t example_custom_nvs_part_init(const char *name)
+{
+#if CONFIG_NVS_ENCRYPTION
+    esp_err_t ret = ESP_FAIL;
+    const esp_partition_t *key_part = esp_partition_find_first(
+                                          ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);
+    if (key_part == NULL) {
+        ESP_LOGE(TAG, "CONFIG_NVS_ENCRYPTION is enabled, but no partition with subtype nvs_keys found in the partition table.");
+        return ret;
+    }
+
+    nvs_sec_cfg_t cfg = {};
+    ret = nvs_flash_read_security_cfg(key_part, &cfg);
+    if (ret != ESP_OK) {
+        /* We shall not generate keys here as that must have been done in default NVS partition initialization case */
+        ESP_LOGE(TAG, "Failed to read NVS security cfg: [0x%02X] (%s)", ret, esp_err_to_name(ret));
+        return ret;
+    }
+
+    ret = nvs_flash_secure_init_partition(name, &cfg);
+    if (ret == ESP_OK) {
+        ESP_LOGI(TAG, "NVS partition \"%s\" is encrypted.", name);
+    }
+    return ret;
+#else
+    return nvs_flash_init_partition(name);
+#endif
+}
+
 void app_main(void)
 {
    printf("\nExample to check Flash Encryption status\n");
@ -46,8 +77,15 @@ void app_main(void)
        ret = nvs_flash_init();
    }
    ESP_ERROR_CHECK(ret);
-}

+    /* Initialize the custom NVS partition */
+    ret = example_custom_nvs_part_init(CUSTOM_NVS_PART_NAME);
+    if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) {
+        ESP_ERROR_CHECK(nvs_flash_erase_partition(CUSTOM_NVS_PART_NAME));
+        ret = example_custom_nvs_part_init(CUSTOM_NVS_PART_NAME);
+    }
+    ESP_ERROR_CHECK(ret);
+}

 static void example_print_chip_info(void)
 {
--- a/examples/security/flash_encryption/partitions_example.csv
+++ b/examples/security/flash_encryption/partitions_example.csv
@ -5,3 +5,5 @@ storage,    data, 0xff,     ,  0x1000, encrypted
 factory,    app,  factory,  , 1M,
 # nvs_key partition contains the key that encrypts the NVS partition named nvs. The nvs_key partition needs to be encrypted.
 nvs_key,    data, nvs_keys, , 0x1000, encrypted,
+# Custom NVS data partition
+custom_nvs, data, nvs,      ,  0x6000,
--- a/examples/security/flash_encryption/pytest_flash_encryption.py
+++ b/examples/security/flash_encryption/pytest_flash_encryption.py
@ -60,7 +60,9 @@ def test_examples_security_flash_encryption(dut: Dut) -> None:
        'with spi_flash_read',
        expected_str,
        # The status of NVS encryption for the "nvs" partition
-        'NVS partition "nvs" is encrypted.'
+        'NVS partition "nvs" is encrypted.',
+        # The status of NVS encryption for the "custom_nvs" partition
+        'NVS partition "custom_nvs" is encrypted.'
    ]
    for line in lines:
        dut.expect(line, timeout=2)