From beca401fbc92e76dd370222ae7a97a79ef3bed42 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Thu, 2 Jun 2022 18:13:43 +0530 Subject: [PATCH 1/2] examples/security: add support for initializing custom NVS partition with encryption --- .../main/flash_encrypt_main.c | 40 ++++++++++++++++++- .../flash_encryption/partitions_example.csv | 2 + 2 files changed, 41 insertions(+), 1 deletion(-) diff --git a/examples/security/flash_encryption/main/flash_encrypt_main.c b/examples/security/flash_encryption/main/flash_encrypt_main.c index 9a26c1bb2a..c666fa4d31 100644 --- a/examples/security/flash_encryption/main/flash_encrypt_main.c +++ b/examples/security/flash_encryption/main/flash_encrypt_main.c @@ -22,6 +22,8 @@ static void example_print_chip_info(void); static void example_print_flash_encryption_status(void); static void example_read_write_flash(void); +#define CUSTOM_NVS_PART_NAME "custom_nvs" + static const char* TAG = "example"; #if CONFIG_IDF_TARGET_ESP32 @@ -32,6 +34,35 @@ static const char* TAG = "example"; #define TARGET_CRYPT_CNT_WIDTH 3 #endif +static esp_err_t example_custom_nvs_part_init(const char *name) +{ +#if CONFIG_NVS_ENCRYPTION + esp_err_t ret = ESP_FAIL; + const esp_partition_t *key_part = esp_partition_find_first( + ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL); + if (key_part == NULL) { + ESP_LOGE(TAG, "CONFIG_NVS_ENCRYPTION is enabled, but no partition with subtype nvs_keys found in the partition table."); + return ret; + } + + nvs_sec_cfg_t cfg = {}; + ret = nvs_flash_read_security_cfg(key_part, &cfg); + if (ret != ESP_OK) { + /* We shall not generate keys here as that must have been done in default NVS partition initialization case */ + ESP_LOGE(TAG, "Failed to read NVS security cfg: [0x%02X] (%s)", ret, esp_err_to_name(ret)); + return ret; + } + + ret = nvs_flash_secure_init_partition(name, &cfg); + if (ret == ESP_OK) { + ESP_LOGI(TAG, "NVS partition \"%s\" is encrypted.", name); + } + return ret; +#else + return nvs_flash_init_partition(name); +#endif +} + void app_main(void) { printf("\nExample to check Flash Encryption status\n"); @@ -46,8 +77,15 @@ void app_main(void) ret = nvs_flash_init(); } ESP_ERROR_CHECK(ret); -} + /* Initialize the custom NVS partition */ + ret = example_custom_nvs_part_init(CUSTOM_NVS_PART_NAME); + if (ret == ESP_ERR_NVS_NO_FREE_PAGES || ret == ESP_ERR_NVS_NEW_VERSION_FOUND) { + ESP_ERROR_CHECK(nvs_flash_erase_partition(CUSTOM_NVS_PART_NAME)); + ret = example_custom_nvs_part_init(CUSTOM_NVS_PART_NAME); + } + ESP_ERROR_CHECK(ret); +} static void example_print_chip_info(void) { diff --git a/examples/security/flash_encryption/partitions_example.csv b/examples/security/flash_encryption/partitions_example.csv index badda35d08..736d14c877 100644 --- a/examples/security/flash_encryption/partitions_example.csv +++ b/examples/security/flash_encryption/partitions_example.csv @@ -5,3 +5,5 @@ storage, data, 0xff, , 0x1000, encrypted factory, app, factory, , 1M, # nvs_key partition contains the key that encrypts the NVS partition named nvs. The nvs_key partition needs to be encrypted. nvs_key, data, nvs_keys, , 0x1000, encrypted, +# Custom NVS data partition +custom_nvs, data, nvs, , 0x6000, From 3a104b011d3d8737f06ecbc2de431bae8ef731c0 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Thu, 2 Jun 2022 18:14:21 +0530 Subject: [PATCH 2/2] examples/security: update test script to handle custom NVS partition init --- examples/security/flash_encryption/pytest_flash_encryption.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/examples/security/flash_encryption/pytest_flash_encryption.py b/examples/security/flash_encryption/pytest_flash_encryption.py index b8e9de2f08..dd5fd1c782 100644 --- a/examples/security/flash_encryption/pytest_flash_encryption.py +++ b/examples/security/flash_encryption/pytest_flash_encryption.py @@ -60,7 +60,9 @@ def test_examples_security_flash_encryption(dut: Dut) -> None: 'with spi_flash_read', expected_str, # The status of NVS encryption for the "nvs" partition - 'NVS partition "nvs" is encrypted.' + 'NVS partition "nvs" is encrypted.', + # The status of NVS encryption for the "custom_nvs" partition + 'NVS partition "custom_nvs" is encrypted.' ] for line in lines: dut.expect(line, timeout=2)