From 8a01cc2c26b98e957bb372e8a6a1a0740259a350 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Fri, 22 Jan 2021 15:33:39 +0530 Subject: [PATCH 1/3] Revert "esp_partition: disable encrypted reads/writes if flash encryption is disabled" This reverts commit bf35ef1ce7b7db30d499d4058d6a4f39ba467fca. It has been noticed that there are scenarios where even though firmware is not enabled with flash encryption config feature, it should be able to write to encrypted partitions. This revert adds the feature back which was removed around v4.0 timelines, and same change will be backported to all releases (upto v4.0) for consistency. --- components/spi_flash/partition.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c index 27844f38a1..3d20b0663e 100644 --- a/components/spi_flash/partition.c +++ b/components/spi_flash/partition.c @@ -349,7 +349,6 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, return spi_flash_read(partition->address + src_offset, dst, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { -#if CONFIG_SECURE_FLASH_ENC_ENABLED if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } @@ -367,9 +366,6 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, memcpy(dst, buf, size); spi_flash_munmap(handle); return ESP_OK; -#else - return ESP_ERR_NOT_SUPPORTED; -#endif // CONFIG_SECURE_FLASH_ENC_ENABLED } } @@ -391,14 +387,10 @@ esp_err_t esp_partition_write(const esp_partition_t* partition, return spi_flash_write(dst_offset, src, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { -#if CONFIG_SECURE_FLASH_ENC_ENABLED if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } return spi_flash_write_encrypted(dst_offset, src, size); -#else - return ESP_ERR_NOT_SUPPORTED; -#endif // CONFIG_SECURE_FLASH_ENC_ENABLED } } From e712a914881484d2a238ef72327ecd9d21f6aad4 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Fri, 22 Jan 2021 15:44:27 +0530 Subject: [PATCH 2/3] spi_flash: add config option to enable encrypted partition read/write This feature can be disabled to save some IRAM (approx 1KB) for cases where flash encryption feature is not required. --- components/bootloader/Kconfig.projbuild | 1 + components/spi_flash/Kconfig | 9 +++++++++ components/spi_flash/partition.c | 8 ++++++++ 3 files changed, 18 insertions(+) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 3c015c795f..6efa18b0c4 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -576,6 +576,7 @@ menu "Security features" config SECURE_FLASH_ENC_ENABLED bool "Enable flash encryption on boot (READ DOCS FIRST)" default N + select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE help If this option is set, flash contents will be encrypted by the bootloader on first boot. diff --git a/components/spi_flash/Kconfig b/components/spi_flash/Kconfig index 1317e34b2c..4ca5742be6 100644 --- a/components/spi_flash/Kconfig +++ b/components/spi_flash/Kconfig @@ -230,4 +230,13 @@ menu "SPI Flash driver" endmenu #auto detect flash chips + config SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE + bool "Enable encrypted partition read/write operations" + default y + help + This option enables flash read/write operations to encrypted partition/s. This option + is kept enabled irrespective of state of flash encryption feature. However, in case + application is not using flash encryption feature and is in need of some additional + memory from IRAM region (~1KB) then this config can be disabled. + endmenu diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c index 3d20b0663e..43ce601b36 100644 --- a/components/spi_flash/partition.c +++ b/components/spi_flash/partition.c @@ -349,6 +349,7 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, return spi_flash_read(partition->address + src_offset, dst, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { +#if CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } @@ -366,6 +367,9 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, memcpy(dst, buf, size); spi_flash_munmap(handle); return ESP_OK; +#else + return ESP_ERR_NOT_SUPPORTED; +#endif // CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE } } @@ -387,10 +391,14 @@ esp_err_t esp_partition_write(const esp_partition_t* partition, return spi_flash_write(dst_offset, src, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { +#if CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } return spi_flash_write_encrypted(dst_offset, src, size); +#else + return ESP_ERR_NOT_SUPPORTED; +#endif // CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE } } From 80b196a662431be4281761b40ccd91ffc1a2f66c Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Sun, 24 Jan 2021 13:50:21 +0530 Subject: [PATCH 3/3] unit-test-app: disable encrypted flash read/write in psram config to fix build failure --- tools/unit-test-app/configs/psram | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/unit-test-app/configs/psram b/tools/unit-test-app/configs/psram index d6577376c5..6d9efe14bb 100644 --- a/tools/unit-test-app/configs/psram +++ b/tools/unit-test-app/configs/psram @@ -4,3 +4,5 @@ CONFIG_ESP32_SPIRAM_SUPPORT=y CONFIG_ESP_INT_WDT_TIMEOUT_MS=800 CONFIG_SPIRAM_OCCUPY_NO_HOST=y CONFIG_ESP32_WIFI_RX_IRAM_OPT=n +# Disable encrypted flash reads/writes to save IRAM in this build configuration +CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE=n