Merge branch 'bugfix/nvs_key_part_check_err' into 'master'

nvs_flash: Detect key partition as uninitialised even if encrypted by bootloader

See merge request idf/esp-idf!4224

components/nvs_flash/src/nvs_api.cpp

@@ -627,6 +627,16 @@ extern "C" esp_err_t nvs_flash_read_security_cfg(const esp_partition_t* partitio
     uint8_t eky_raw[NVS_KEY_SIZE], tky_raw[NVS_KEY_SIZE];
     uint32_t crc_raw, crc_read, crc_calc;
 
+    auto check_if_initialized = [](uint8_t* eky, uint8_t* tky, uint32_t crc) {
+        uint8_t cnt = 0; 
+        while(cnt < NVS_KEY_SIZE && eky[cnt] == 0xff && tky[cnt] == 0xff) cnt++;
+
+        if(cnt == NVS_KEY_SIZE && crc == 0xffffffff) {
+            return false;
+        }
+        return true;
+    };
+
     auto err = spi_flash_read(partition->address, eky_raw, NVS_KEY_SIZE);
     if(err != ESP_OK) {
         return err;
@@ -642,12 +652,7 @@ extern "C" esp_err_t nvs_flash_read_security_cfg(const esp_partition_t* partitio
         return err;
     }
 
-
-    uint8_t cnt = 0;
-
-    while(cnt < NVS_KEY_SIZE && eky_raw[cnt] == 0xff && tky_raw[cnt] == 0xff) cnt++;
-
-    if(cnt == NVS_KEY_SIZE && crc_raw == 0xffffffff) {
+    if(!check_if_initialized(eky_raw, tky_raw, crc_raw)) {
         /* This is an uninitialized key partition*/
         return ESP_ERR_NVS_KEYS_NOT_INITIALIZED;
     }
@@ -674,6 +679,10 @@ extern "C" esp_err_t nvs_flash_read_security_cfg(const esp_partition_t* partitio
     crc_calc = crc32_le(crc_calc, cfg->tky, NVS_KEY_SIZE);
 
     if(crc_calc != crc_read) {
+        if(!check_if_initialized(cfg->eky, cfg->tky, crc_read)) {
+            /* This is an uninitialized key partition*/
+            return ESP_ERR_NVS_KEYS_NOT_INITIALIZED;
+        }
         return ESP_ERR_NVS_CORRUPT_KEY_PART;
     }
 

components/nvs_flash/test/test_nvs.c

@@ -310,27 +310,39 @@ TEST_CASE("Check nvs key partition APIs (read and generate keys)", "[nvs]")
 
 TEST_CASE("test nvs apis with encryption enabled", "[nvs]")
 {
-
-
     if (!esp_flash_encryption_enabled()) {
         TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled");
     }
     const esp_partition_t* key_part = esp_partition_find_first(
             ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);
     
+    assert(key_part && "partition table must have an NVS Key partition");
+
     const esp_partition_t* nvs_partition = esp_partition_find_first(
             ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL);
     assert(nvs_partition && "partition table must have an NVS partition");
 
+    ESP_ERROR_CHECK( esp_partition_erase_range(key_part, 0, key_part->size) );
+
+    bool done = false;
+
+    do {
         ESP_ERROR_CHECK( esp_partition_erase_range(nvs_partition, 0, nvs_partition->size) );
 
         nvs_sec_cfg_t cfg;
         esp_err_t err = nvs_flash_read_security_cfg(key_part, &cfg);
 
         if(err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED) {
+            uint8_t value[4096] = {[0 ... 4095] = 0xff};
+            TEST_ESP_OK(esp_partition_write(key_part, 0, value, sizeof(value)));
+
+            TEST_ESP_ERR(nvs_flash_read_security_cfg(key_part, &cfg), ESP_ERR_NVS_KEYS_NOT_INITIALIZED);
+
             TEST_ESP_OK(nvs_flash_generate_keys(key_part, &cfg));
         } else {
+            /* Second time key_partition exists already*/
             ESP_ERROR_CHECK(err);
+            done = true;
         }
         TEST_ESP_OK(nvs_flash_secure_init(&cfg));
 
@@ -381,6 +393,7 @@ TEST_CASE("test nvs apis with encryption enabled", "[nvs]")
         nvs_close(handle_2);
 
         TEST_ESP_OK(nvs_flash_deinit());
+    } while(!done);
 }
 
 TEST_CASE("test nvs apis for nvs partition generator utility with encryption enabled", "[nvs_part_gen]")