From f5475db6e11657975aef12a1315927525fb6d169 Mon Sep 17 00:00:00 2001 From: KonstantinKondrashov Date: Mon, 24 Aug 2020 15:26:49 +0800 Subject: [PATCH 1/2] example/flash_encryption: Fix partition table and sdkconfig.defaults When the flash encryption is enabled then we do not need to change the partition table. The partition_example.csv should not have fixed offsets for partitions because we want to move the whole table. The fixed offsets in the table were cleared. --- examples/security/flash_encryption/README.md | 4 +--- examples/security/flash_encryption/partitions_example.csv | 6 +++--- examples/security/flash_encryption/sdkconfig.defaults | 1 + 3 files changed, 5 insertions(+), 6 deletions(-) diff --git a/examples/security/flash_encryption/README.md b/examples/security/flash_encryption/README.md index 41a02ba677..96b82c49ba 100644 --- a/examples/security/flash_encryption/README.md +++ b/examples/security/flash_encryption/README.md @@ -19,9 +19,7 @@ idf.py menuconfig * Enable the flash encryption mode (Development or Release) under Security Features. Default usage mode is Development (recommended during test and development phase). -* Ensure Bootloader log verbosity is Info under Bootloader config. - -* Select Single factory app, no OTA under Partition Table options. Change the partition table offset to 0x9000 from 0x8000 since after enabling flash encryption the size of bootloader is increased. +Note: After enabling flash encryption, the bootloader size increases, which means that the offset of the partition table must be changed to 0x9000 from 0x8000 to prevent the bootloader from overlapping with the partition table. In this example, the default offset of the partition table is 0x9000. ### Build and Flash diff --git a/examples/security/flash_encryption/partitions_example.csv b/examples/security/flash_encryption/partitions_example.csv index a7df975994..d352ff92aa 100644 --- a/examples/security/flash_encryption/partitions_example.csv +++ b/examples/security/flash_encryption/partitions_example.csv @@ -1,5 +1,5 @@ # Name, Type, SubType, Offset, Size, Flags -nvs, data, nvs, 0x9000, 0x6000, +nvs, data, nvs, , 0x6000, # Extra partition to demonstrate reading/writing of encrypted flash -storage, data, 0xff, 0xf000, 0x1000, encrypted -factory, app, factory, 0x10000, 1M, +storage, data, 0xff, , 0x1000, encrypted +factory, app, factory, , 1M, diff --git a/examples/security/flash_encryption/sdkconfig.defaults b/examples/security/flash_encryption/sdkconfig.defaults index 6a8feba65b..3300ebfb1a 100644 --- a/examples/security/flash_encryption/sdkconfig.defaults +++ b/examples/security/flash_encryption/sdkconfig.defaults @@ -2,3 +2,4 @@ CONFIG_PARTITION_TABLE_CUSTOM=y CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_example.csv" CONFIG_PARTITION_TABLE_FILENAME="partitions_example.csv" +CONFIG_PARTITION_TABLE_OFFSET=0x9000 From 514389681c68ec1ddb799ebc973d06fe6ae11afb Mon Sep 17 00:00:00 2001 From: Ivan Grokhotkov Date: Thu, 17 Sep 2020 00:06:54 +0200 Subject: [PATCH 2/2] examples: fix flash encryption example test Commit 5e8795eebe has changed the partition table offset, which has resulted in the ciphertext not matching the one expected in the example test. Fix by calculating the ciphertext using espsecure.py. --- examples/security/flash_encryption/README.md | 4 +-- .../security/flash_encryption/example_test.py | 36 +++++++++++++++++-- 2 files changed, 35 insertions(+), 5 deletions(-) diff --git a/examples/security/flash_encryption/README.md b/examples/security/flash_encryption/README.md index 96b82c49ba..5b7b7e0bc8 100644 --- a/examples/security/flash_encryption/README.md +++ b/examples/security/flash_encryption/README.md @@ -100,8 +100,8 @@ Reading with esp_partition_read: I (461) example: 0x3ffb4da0 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f |................| I (471) example: 0x3ffb4db0 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f |................| Reading with spi_flash_read: -I (491) example: 0x3ffb4da0 29 68 2e 13 88 a0 5b 7f cc 6b 39 f9 d7 7b 32 2f |)h....[..k9..{2/| -I (491) example: 0x3ffb4db0 9f e6 55 37 4b 91 b0 83 cd a6 e9 4e cd fa b4 c7 |..U7K......N....| +I (491) example: 0x3ffb4b30 35 9b f2 07 b4 6d 40 89 28 b4 1e 22 98 7b 4a 36 |5....m@.(..".{J6| +I (491) example: 0x3ffb4b40 ba 89 81 67 77 a3 60 5e 0a e7 51 01 b3 58 c2 f6 |...gw.`^..Q..X..| ``` ## Troubleshooting diff --git a/examples/security/flash_encryption/example_test.py b/examples/security/flash_encryption/example_test.py index 5d99a37822..6904a91a12 100644 --- a/examples/security/flash_encryption/example_test.py +++ b/examples/security/flash_encryption/example_test.py @@ -1,5 +1,19 @@ from __future__ import print_function +import binascii +from io import BytesIO +from collections import namedtuple +import os +import sys + import ttfw_idf +try: + import espsecure +except ImportError: + idf_path = os.getenv("IDF_PATH") + if not idf_path or not os.path.exists(idf_path): + raise + sys.path.insert(0, os.path.join(idf_path, "components", "esptool_py", "esptool")) + import espsecure # To prepare a test runner for this example: @@ -14,15 +28,31 @@ def test_examples_security_flash_encryption(env, extra_data): dut = env.get_dut('flash_encryption', 'examples/security/flash_encryption', dut_class=ttfw_idf.ESP32DUT) # start test dut.start_app() + + # calculate the expected ciphertext + flash_addr = dut.app.partition_table["storage"]["offset"] + plain_hex_str = '00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f' + plain_data = binascii.unhexlify(plain_hex_str.replace(' ', '')) + + # Emulate espsecure encrypt_flash_data command + EncryptFlashDataArgs = namedtuple('EncryptFlashDataArgs', ['output', 'plaintext_file', 'address', 'keyfile', 'flash_crypt_conf']) + args = EncryptFlashDataArgs(BytesIO(), BytesIO(plain_data), flash_addr, BytesIO(b'\x00' * 32), 0xF) + espsecure.encrypt_flash_data(args) + + expected_ciphertext = args.output.getvalue() + hex_ciphertext = binascii.hexlify(expected_ciphertext).decode('ascii') + expected_str = (' '.join(hex_ciphertext[i:i + 2] for i in range(0, 16, 2)) + ' ' + + ' '.join(hex_ciphertext[i:i + 2] for i in range(16, 32, 2))) + lines = [ 'FLASH_CRYPT_CNT eFuse value is 1', 'Flash encryption feature is enabled in DEVELOPMENT mode', 'with esp_partition_write', - '00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f', + plain_hex_str, 'with esp_partition_read', - '00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f', + plain_hex_str, 'with spi_flash_read', - '29 68 2e 13 88 a0 5b 7f cc 6b 39 f9 d7 7b 32 2f' + expected_str ] for line in lines: dut.expect(line, timeout=2)