From f60bcaaa4d8f670f97566d792808f33973dabb42 Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Wed, 6 Aug 2025 15:42:34 +0530 Subject: [PATCH 1/4] feat(nvs_flash): Added an API to deregister the NVS security scheme context --- components/nvs_flash/include/nvs_flash.h | 9 ++++++++- components/nvs_flash/src/nvs_api.cpp | 7 ++++++- components/nvs_sec_provider/nvs_sec_provider.c | 1 + 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/components/nvs_flash/include/nvs_flash.h b/components/nvs_flash/include/nvs_flash.h index dfa187fbd7..03eba446c8 100644 --- a/components/nvs_flash/include/nvs_flash.h +++ b/components/nvs_flash/include/nvs_flash.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -278,6 +278,13 @@ esp_err_t nvs_flash_read_security_cfg(const esp_partition_t* partition, nvs_sec_ */ esp_err_t nvs_flash_register_security_scheme(nvs_sec_scheme_t *scheme_cfg); +/** + * @brief Deregister the security scheme previously registered using + * nvs_flash_register_security_scheme + * + */ +void nvs_flash_deregister_security_scheme(void); + /** * @brief Fetch the configuration structure for the default active * security scheme for NVS encryption diff --git a/components/nvs_flash/src/nvs_api.cpp b/components/nvs_flash/src/nvs_api.cpp index 8fdf30c0eb..bef404ccba 100644 --- a/components/nvs_flash/src/nvs_api.cpp +++ b/components/nvs_flash/src/nvs_api.cpp @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
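Review bot: The doc comment added for `nvs_flash_deregister_security_scheme()` in `nvs_flash.h` does not say what state the call leaves behind or when it is safe to make. From the rest of this patch, the function zeroes the default scheme configuration and is invoked from `nvs_sec_provider_deregister()`. I would add `@note After this call no default security scheme is registered; call nvs_flash_register_security_scheme() again before initialising an encrypted NVS partition.` If the call must not be made while an encrypted partition is still initialised, that restriction belongs here too; the patch does not show whether it applies.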
@@ -736,6 +736,11 @@ extern "C" esp_err_t nvs_flash_register_security_scheme(nvs_sec_scheme_t *scheme return ESP_OK; } +extern "C" void nvs_flash_deregister_security_scheme(void) +{ + memset(&nvs_sec_default_scheme_cfg, 0x00, sizeof(nvs_sec_scheme_t)); +} + extern "C" nvs_sec_scheme_t *nvs_flash_get_default_security_scheme(void) { return &nvs_sec_default_scheme_cfg; diff --git a/components/nvs_sec_provider/nvs_sec_provider.c b/components/nvs_sec_provider/nvs_sec_provider.c index ab9a3e1533..db1bf0e292 100644 --- a/components/nvs_sec_provider/nvs_sec_provider.c +++ b/components/nvs_sec_provider/nvs_sec_provider.c @@ -291,6 +291,7 @@ esp_err_t nvs_sec_provider_deregister(nvs_sec_scheme_t *sec_scheme_handle) free(sec_scheme_handle); + nvs_flash_deregister_security_scheme(); return ESP_OK; } From f565fc24818ffedbda32b00b0eae87d452521539 Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Thu, 18 Sep 2025 14:49:27 +0530 Subject: [PATCH 2/4] change(nvs_flash): Add a private dependency of the `nvs_sec_provider` component - Closes https://github.com/espressif/esp-idf/issues/17256 --- components/nvs_flash/CMakeLists.txt | 10 +++++----- components/nvs_sec_provider/CMakeLists.txt | 14 +++++++++----- components/nvs_sec_provider/Kconfig | 6 ++++++ docs/en/api-reference/storage/nvs_encryption.rst | 3 +++ 4 files changed, 23 insertions(+), 10 deletions(-) diff --git a/components/nvs_flash/CMakeLists.txt b/components/nvs_flash/CMakeLists.txt index 74745ffa67..a18ea32f42 100644 --- a/components/nvs_flash/CMakeLists.txt +++ b/components/nvs_flash/CMakeLists.txt @@ -7,10 +7,11 @@ if(BOOTLOADER_BUILD) "src/nvs_bootloader_xts_aes.c") set(requires "esp_partition") + set(priv_requires "mbedtls" "nvs_sec_provider") idf_component_register(SRCS "${srcs}" REQUIRES "${requires}" - PRIV_REQUIRES "mbedtls" + PRIV_REQUIRES "${priv_requires}" INCLUDE_DIRS "include" PRIV_INCLUDE_DIRS "private_include" ) 
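Review bot: After the `memset` in `nvs_flash_deregister_security_scheme()`, `nvs_flash_get_default_security_scheme()` (the context lines right below it) still returns `&nvs_sec_default_scheme_cfg`, a non-NULL pointer to an all-zero struct. A caller that only null-checks that pointer before using the scheme would then be working with zeroed members, presumably NULL callbacks; the callers are outside this hunk, so this needs confirming. I would state the post-condition above the function, e.g. `/* Leaves the default scheme zeroed; the getter still returns a non-NULL pointer, so callers must validate the members. */`. Writing the size as `sizeof(nvs_sec_default_scheme_cfg)` would also make it follow the object rather than the type name.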
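Review bot: The added `nvs_flash_deregister_security_scheme();` in `nvs_sec_provider_deregister()` runs for every handle, whether or not `sec_scheme_handle` is the scheme currently registered as the NVS default. If an application registers more than one scheme, releasing one of them would also wipe a default registration that belongs to another, and a later init of an encrypted partition would find no usable scheme. Clearing the global copy is the right thing when it refers to the handle being released, since it would otherwise presumably keep pointers into freed memory. The call should therefore be conditional on that, with the comparison made before `free(sec_scheme_handle)`. The function body starts outside the hunk, so how a handle is tied to the default registration is not visible here.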
@@ -60,10 +61,9 @@ else() "src/nvs_bootloader.c") set(requires esp_partition) - if(${target} STREQUAL "linux") - set(priv_requires spi_flash) - else() - set(priv_requires spi_flash esp_libc esptool_py) + set(priv_requires spi_flash) + if(NOT ${target} STREQUAL "linux") + list(APPEND priv_requires esp_libc esptool_py nvs_sec_provider) endif() idf_component_register(SRCS "${srcs}" diff --git a/components/nvs_sec_provider/CMakeLists.txt b/components/nvs_sec_provider/CMakeLists.txt index a10a0088d3..2f45f35221 100644 --- a/components/nvs_sec_provider/CMakeLists.txt +++ b/components/nvs_sec_provider/CMakeLists.txt @@ -4,10 +4,12 @@ if(${target} STREQUAL "linux") return() # This component is not supported by the POSIX/Linux simulator endif() -if(BOOTLOADER_BUILD) - set(srcs "nvs_bootloader_sec_provider.c") -else() - set(srcs "nvs_sec_provider.c") +if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE) + if(BOOTLOADER_BUILD) + set(srcs "nvs_bootloader_sec_provider.c") + else() + set(srcs "nvs_sec_provider.c") + endif() endif() idf_component_register(SRCS ${srcs} @@ -22,4 +24,6 @@ idf_component_register(SRCS ${srcs} # Thus, the symbols from this component are not placed in the .map file and # hence the constructor, which initialises the encryption scheme for the default # NVS partition, never executes. The following is a workaround for the same. -target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl") +if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE) + target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl") +endif() diff --git a/components/nvs_sec_provider/Kconfig b/components/nvs_sec_provider/Kconfig index 4ed79c4e87..d0b973e1f0 100644 --- a/components/nvs_sec_provider/Kconfig +++ b/components/nvs_sec_provider/Kconfig 
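Review bot: In `components/nvs_sec_provider/CMakeLists.txt`, `srcs` is never set when `CONFIG_NVS_SEC_KEY_PROTECT_NONE` is selected, so `idf_component_register(SRCS ${srcs}` relies on an undefined variable expanding to nothing. I would initialise it with `set(srcs "")` before the `if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)` block and add a comment such as `# PROTECT_NONE: no provider sources; the application registers its own NVS security scheme`. The same condition guards the `-u nvs_sec_provider_include_impl` line in the last hunk of this file. Per the existing comment there, the constructor that initialises the default scheme is then not linked in that configuration, which is worth stating next to the guard.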
@@ -27,6 +27,12 @@ menu "NVS Security Provider" Requires the specified eFuse block (NVS_SEC_HMAC_EFUSE_KEY_ID or the v2 API argument) to be empty or pre-written with a key with the purpose ESP_EFUSE_KEY_PURPOSE_HMAC_UP + config NVS_SEC_KEY_PROTECT_NONE + bool "None" + help + Select this option if key derivation/protection is handled by + a custom implementation, and not by the nvs_sec_provider component. + endchoice config NVS_SEC_HMAC_EFUSE_KEY_ID diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst index 1292eb94fa..e0d69e7a25 100644 --- a/docs/en/api-reference/storage/nvs_encryption.rst +++ b/docs/en/api-reference/storage/nvs_encryption.rst @@ -219,6 +219,9 @@ The component :component:`nvs_sec_provider` stores all the implementation-specif This component offers factory functions with which a particular security scheme can be registered without having to worry about the APIs to generate and read the encryption keys (e.g., :cpp:func:`nvs_sec_provider_register_hmac`). Refer to the :example:`security/nvs_encryption_hmac` example for API usage. +.. note:: + + To use a custom implementation for NVS encryption key derivation or protection (instead of the ones provided by the :component:`nvs_sec_provider` component), select the :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` -> ``CONFIG_NVS_SEC_KEY_PROTECT_NONE`` configuration option. API Reference ------------- From 1ea0fc261d11d8d8b505c042da9f41519566e9a7 Mon Sep 17 00:00:00 2001 
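Review bot: The prompt `"None"` in the "NVS Encryption: Key Protection Scheme" choice reads as "keys are not protected", while the help text says protection is delegated to a custom implementation. With this option the provider sources and the constructor that registers the default scheme are compiled out (see the CMakeLists.txt change in this commit), so the help should say what the user now has to do, e.g. `The application must register its own scheme with nvs_flash_register_security_scheme() before initialising an encrypted NVS partition.` A prompt such as `"Custom (application-provided)"` would be harder to select by mistake. What NVS initialisation does when no scheme has been registered is not visible in this patch and should be documented alongside.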
From: Laukik Hase Date: Thu, 18 Sep 2025 14:47:35 +0530 Subject: [PATCH 3/4] change(nvs_sec_provider): Make the HMAC-based NVS security scheme default for supported SoCs - When NVS encryption is enabled on SoCs with the HMAC peripheral that have flash encryption enabled, the HMAC-based NVS encryption scheme is now selected as default instead of the flash encryption-based scheme. - If your application previously used the flash encryption-based scheme, you need to manually configure the NVS encryption scheme to flash encryption from HMAC through ``menuconfig`` or your project's ``sdkconfig`` (i.e., setting ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y``). --- .../esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe | 2 ++ components/nvs_sec_provider/Kconfig | 3 ++- docs/en/migration-guides/release-6.x/6.0/security.rst | 7 +++++++ examples/security/flash_encryption/sdkconfig.ci | 1 + examples/security/flash_encryption/sdkconfig.ci.psram | 1 + examples/security/flash_encryption/sdkconfig.ci.rom_impl | 1 + examples/security/security_features_app/sdkconfig.defaults | 1 + .../ota/advanced_https_ota/sdkconfig.ci.anti_rollback | 1 + .../system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi | 1 + .../ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2 | 1 + .../ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe | 1 + .../ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2 | 1 + .../ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi | 1 + tools/test_apps/build_system/bootloader/sdkconfig.defaults | 1 + tools/test_apps/security/secure_boot/sdkconfig.ci.04 | 1 + .../partition_table_readonly/sdkconfig.ci.encrypted | 1 + .../build_test/sdkconfig.ci.flash_encryption_release | 1 + 17 files changed, 25 insertions(+), 1 deletion(-) diff --git a/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe b/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe index b1d65ee809..bdec94c11b 100644 --- a/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe 
+++ b/components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.sb_fe @@ -9,6 +9,8 @@ CONFIG_SECURE_BOOT_SIGNING_KEY="test_keys/secure_boot_signing_key.pem" # Flash Encryption CONFIG_SECURE_FLASH_ENC_ENABLED=y CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +# NVS Encryption +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y # TEE Secure Storage: Release mode CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y diff --git a/components/nvs_sec_provider/Kconfig b/components/nvs_sec_provider/Kconfig index d0b973e1f0..cbfdd9e755 100644 --- a/components/nvs_sec_provider/Kconfig +++ b/components/nvs_sec_provider/Kconfig @@ -4,7 +4,8 @@ menu "NVS Security Provider" choice NVS_SEC_KEY_PROTECTION_SCHEME prompt "NVS Encryption: Key Protection Scheme" depends on NVS_ENCRYPTION - default NVS_SEC_KEY_PROTECT_USING_FLASH_ENC + default NVS_SEC_KEY_PROTECT_USING_HMAC if SOC_HMAC_SUPPORTED + default NVS_SEC_KEY_PROTECT_USING_FLASH_ENC if !SOC_HMAC_SUPPORTED help This choice defines the default NVS encryption keys protection scheme; which will be used for the default NVS partition. diff --git a/docs/en/migration-guides/release-6.x/6.0/security.rst b/docs/en/migration-guides/release-6.x/6.0/security.rst index 1f0bdc61a3..630275d6c4 100644 --- a/docs/en/migration-guides/release-6.x/6.0/security.rst +++ b/docs/en/migration-guides/release-6.x/6.0/security.rst 
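Review bot: The new `default NVS_SEC_KEY_PROTECT_USING_HMAC if SOC_HMAC_SUPPORTED` changes the key-protection scheme for every existing project that never set the choice explicitly, and the choice's help text is not updated to say so. A firmware update built with the new default would presumably no longer read NVS data encrypted under the flash-encryption-based scheme. The HMAC option's help also says it needs an eFuse block that is empty or pre-written with an HMAC_UP key, so `NVS_SEC_HMAC_EFUSE_KEY_ID` has to be configured as well. I would add to the help text: `On SoCs with the HMAC peripheral the default is the HMAC-based scheme; select NVS_SEC_KEY_PROTECT_USING_FLASH_ENC explicitly for devices already provisioned with flash-encryption-protected NVS keys.` The second default does not need its condition, since Kconfig takes the first default whose condition holds: `default NVS_SEC_KEY_PROTECT_USING_FLASH_ENC`.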
@@ -30,3 +30,10 @@ Bootloader Support The following deprecated functions have been removed: - :cpp:func:`esp_secure_boot_verify_signature_block` – Use :cpp:func:`esp_secure_boot_verify_ecdsa_signature_block` instead. + +.. only:: SOC_HMAC_SUPPORTED + + NVS Security Provider + --------------------- + + - When NVS encryption is enabled on SoCs with the HMAC peripheral that have flash encryption enabled, the HMAC-based NVS encryption scheme is now selected as default instead of the flash encryption-based scheme. If your application previously used the flash encryption-based scheme, you need to manually configure the NVS encryption scheme to flash encryption from HMAC through ``menuconfig`` or your project's ``sdkconfig`` (i.e., setting ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y``). diff --git a/examples/security/flash_encryption/sdkconfig.ci b/examples/security/flash_encryption/sdkconfig.ci index b7f834c1bf..3d50fd9b25 100644 --- a/examples/security/flash_encryption/sdkconfig.ci +++ b/examples/security/flash_encryption/sdkconfig.ci @@ -10,3 +10,4 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/examples/security/flash_encryption/sdkconfig.ci.psram b/examples/security/flash_encryption/sdkconfig.ci.psram index 6bc2e46df5..d5d6e8c07a 100644 --- a/examples/security/flash_encryption/sdkconfig.ci.psram +++ b/examples/security/flash_encryption/sdkconfig.ci.psram @@ -7,6 +7,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y CONFIG_SPIRAM=y CONFIG_SPIRAM_BOOT_INIT=y 
diff --git a/examples/security/flash_encryption/sdkconfig.ci.rom_impl b/examples/security/flash_encryption/sdkconfig.ci.rom_impl index 321cd5ee1b..9789bbccc0 100644 --- a/examples/security/flash_encryption/sdkconfig.ci.rom_impl +++ b/examples/security/flash_encryption/sdkconfig.ci.rom_impl @@ -7,6 +7,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y CONFIG_SPI_FLASH_ROM_IMPL=y CONFIG_COMPILER_OPTIMIZATION_SIZE=y diff --git a/examples/security/security_features_app/sdkconfig.defaults b/examples/security/security_features_app/sdkconfig.defaults index 32987b85f3..8ec11ec6c1 100644 --- a/examples/security/security_features_app/sdkconfig.defaults +++ b/examples/security/security_features_app/sdkconfig.defaults @@ -29,3 +29,4 @@ CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART=y CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y CONFIG_SECURE_ROM_DL_MODE_ENABLED=y CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback b/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback index 82dd6864a5..0114fc14c2 100644 --- a/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback +++ b/examples/system/ota/advanced_https_ota/sdkconfig.ci.anti_rollback @@ -38,3 +38,4 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y CONFIG_NVS_ENCRYPTION=n # this test combination is only for flash encryption and anti-rollback use-case and hence disabling it. +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi index bbbb89bbed..3378561bcf 100644 
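Review bot: In `sdkconfig.ci.anti_rollback` the added `CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y` comes right after `CONFIG_NVS_ENCRYPTION=n`, but the scheme choice in `components/nvs_sec_provider/Kconfig` is declared with `depends on NVS_ENCRYPTION`. With NVS encryption disabled the choice is not active, so this assignment has no effect and may only produce a Kconfig warning about an ignored symbol. I would drop it from this file, or keep it with a comment such as `# no effect while CONFIG_NVS_ENCRYPTION=n; kept for parity with the other flash-encryption configs`.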
--- a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi +++ b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi @@ -16,6 +16,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y # This is required for nvs encryption (which is enabled by default with flash encryption) CONFIG_PARTITION_TABLE_OFFSET=0x9000 diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2 b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2 index 4fb0b551b0..73fc7265dc 100644 --- a/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2 +++ b/examples/system/ota/partitions_ota/sdkconfig.ci.flash_enc_wifi_2 @@ -16,6 +16,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y # This is required for nvs encryption (which is enabled by default with flash encryption) CONFIG_PARTITION_TABLE_OFFSET=0x9000 diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe index b46d7a4f58..31ad1c1fa3 100644 --- a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe +++ b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe @@ -21,3 +21,4 @@ CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem" CONFIG_SECURE_DISABLE_ROM_DL_MODE=y CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2 b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2 index 40d2f72990..164a15925c 100644 
--- a/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2 +++ b/examples/system/ota/partitions_ota/sdkconfig.ci.virt_sb_v2_and_fe_2 @@ -24,3 +24,4 @@ CONFIG_SECURE_BOOT_SIGNING_KEY="test/secure_boot_signing_key.pem" CONFIG_SECURE_DISABLE_ROM_DL_MODE=y CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi b/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi index d4fba8c002..71026b08d2 100644 --- a/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi +++ b/examples/system/ota/simple_ota_example/sdkconfig.ci.flash_enc_wifi @@ -8,6 +8,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y CONFIG_PARTITION_TABLE_OFFSET=0x9000 CONFIG_EXAMPLE_CONNECT_ETHERNET=n CONFIG_EXAMPLE_CONNECT_WIFI=y diff --git a/tools/test_apps/build_system/bootloader/sdkconfig.defaults b/tools/test_apps/build_system/bootloader/sdkconfig.defaults index f3453ccf99..ae8132771d 100644 --- a/tools/test_apps/build_system/bootloader/sdkconfig.defaults +++ b/tools/test_apps/build_system/bootloader/sdkconfig.defaults @@ -15,6 +15,7 @@ CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=n # CONFIG_SECURE_FLASH_ENC_ENABLED=y CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y # # Increase partition table offset diff --git a/tools/test_apps/security/secure_boot/sdkconfig.ci.04 b/tools/test_apps/security/secure_boot/sdkconfig.ci.04 index fcf9c86d36..a0bef5b384 100644 --- a/tools/test_apps/security/secure_boot/sdkconfig.ci.04 +++ b/tools/test_apps/security/secure_boot/sdkconfig.ci.04 
@@ -3,3 +3,4 @@ CONFIG_SECURE_BOOT=y CONFIG_SECURE_BOOT_SIGNING_KEY="test_rsa_3072_key.pem" CONFIG_SECURE_FLASH_ENC_ENABLED=y CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted b/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted index 4cfe55cc81..7dc2b5ac51 100644 --- a/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted +++ b/tools/test_apps/storage/partition_table_readonly/sdkconfig.ci.encrypted @@ -7,3 +7,4 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release index f4365e57ab..122c060cc0 100644 --- a/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release +++ b/tools/test_apps/system/build_test/sdkconfig.ci.flash_encryption_release @@ -1,3 +1,4 @@ CONFIG_SECURE_FLASH_ENC_ENABLED=y CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y CONFIG_PARTITION_TABLE_OFFSET=0xC000 From 536ec82dd3b01d18ec951a54eec75c18b57c81a1 Mon Sep 17 00:00:00 2001 From: renpeiying Date: Tue, 26 Aug 2025 19:33:08 +0800 Subject: [PATCH 4/4] docs: Update translation for nvs_encryption and security docs --- docs/zh_CN/api-reference/storage/nvs_encryption.rst | 3 +++ docs/zh_CN/migration-guides/release-6.x/6.0/security.rst | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/docs/zh_CN/api-reference/storage/nvs_encryption.rst b/docs/zh_CN/api-reference/storage/nvs_encryption.rst index dfc7ad7ce6..a6f5f631d1 100644 --- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst +++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst 
@@ -219,6 +219,9 @@ NVS Security Provider 该组件通过工厂函数注册了特殊的安全框架,可以实现出厂即用的安全方案。在该方案中,无需使用 API 来生成、读取加密密钥(如 :cpp:func:`nvs_sec_provider_register_hmac`)。要了解 API 的使用,参考示例 :example:`security/nvs_encryption_hmac`。 +.. note:: + + 如果不希望使用 :component: `nvs_sec_provider` 组件的默认实现,而使用自定义方式生成或者保护 NVS 加密密钥,请选择 :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` -> ``CONFIG_NVS_SEC_KEY_PROTECT_NONE`` 配置项。 API 参考 ------------- diff --git a/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst b/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst index c7e329914e..8dc3b8da99 100644 --- a/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst +++ b/docs/zh_CN/migration-guides/release-6.x/6.0/security.rst @@ -30,3 +30,10 @@ Mbed TLS 以下废弃函数已被移除: - :cpp:func:`esp_secure_boot_verify_signature_block` – 请使用 :cpp:func:`esp_secure_boot_verify_ecdsa_signature_block` 代替。 + +.. only:: SOC_HMAC_SUPPORTED + + NVS 安全方案 + ---------------- + + - 当 SoC 具备 HMAC 外设并启用了 flash 加密时,如果同时还启用了 NVS 加密,则默认会选择基于 HMAC 的 NVS 加密方案,而不是基于 flash 加密的方案。如果你的应用程序之前基于 flash 加密,则需要通过 ``menuconfig`` 或项目的 ``sdkconfig`` 文件,手动将 NVS 加密方案从 HMAC 配置为 flash 加密(即设置 ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y``)。