Merge branch 'fix/nvs_encr_flash_enc_dependency_v5.2' into 'release/v5.2'

fix(nvs_flash): Remove the forceful selection of NVS_ENCRYPTION with flash encryption (v5.2) See merge request espressif/esp-idf!27838
2025-07-30 18:57:19 +02:00 · 2023-12-22 11:50:59 +08:00
parent 692d15abbe d1efa0d869
commit c6bf363f14
10 changed files with 67 additions and 9 deletions
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@ -833,7 +833,6 @@ menu "Security features"
        bool "Enable flash encryption on boot (READ DOCS FIRST)"
        default N
        select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
        select NVS_ENCRYPTION
        help
            If this option is set, flash contents will be encrypted by the bootloader on first boot.
--- a/components/nvs_flash/test_apps/main/test_nvs.c
+++ b/components/nvs_flash/test_apps/main/test_nvs.c
@ -97,12 +97,6 @@ TEST_CASE("nvs_flash_init_partition_ptr() works correctly", "[nvs]")
 }
 #ifdef CONFIG_SOC_HMAC_SUPPORTED
 /* TODO: This test does not run in CI as the runner assigned has
 * flash encryption enabled by default. Enabling flash encryption
 * 'selects' NVS encryption; a new runner needs to be setup
 * for testing the HMAC NVS encryption scheme without flash encryption
 * enabled for this test.
 */
 TEST_CASE("test nvs encryption with HMAC-based scheme without toggling any config options", "[nvs_encr_hmac]")
 {
    nvs_handle_t handle;
--- a/components/nvs_flash/test_apps/pytest_nvs_flash.py
+++ b/components/nvs_flash/test_apps/pytest_nvs_flash.py
@ -26,6 +26,13 @@ def test_nvs_flash_encr_hmac(dut: IdfDut) -> None:
    dut.run_all_single_board_cases()
@pytest.mark.esp32c3
@pytest.mark.nvs_encr_hmac
@pytest.mark.parametrize('config', ['nvs_encr_hmac_no_cfg_esp32c3'], indirect=True)
 def test_nvs_flash_encr_hmac_no_cfg(dut: IdfDut) -> None:
    dut.run_all_single_board_cases(group='nvs_encr_hmac', timeout=120)
@pytest.mark.flash_encryption
@pytest.mark.parametrize('config', CONFIGS_NVS_ENCR_FLASH_ENC, indirect=True)
 def test_nvs_flash_encr_flash_enc(dut: IdfDut) -> None:
--- a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3
+++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3
@ -0,0 +1,22 @@
 # Restricting to ESP32C3
 CONFIG_IDF_TARGET="esp32c3"
 # NOTE: The runner for this test-app has flash-encryption enabled
 # Partition Table
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv"
 CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv"
 CONFIG_PARTITION_TABLE_OFFSET=0x9000
 # Enabling Flash Encryption
 CONFIG_SECURE_FLASH_ENC_ENABLED=y
 CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
 CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
 CONFIG_SECURE_BOOT_ALLOW_JTAG=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
 CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
 CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
 # Disabling NVS encryption
 CONFIG_NVS_ENCRYPTION=n
--- a/docs/en/api-reference/storage/nvs_encryption.rst
+++ b/docs/en/api-reference/storage/nvs_encryption.rst
@ -20,7 +20,13 @@ NVS Encryption: Flash Encryption-Based Scheme
 In this scheme, the keys required for NVS encryption are stored in yet another partition, which is protected using :doc:`Flash Encryption <../../security/flash-encryption>`. Therefore, enabling :doc:`Flash Encryption <../../security/flash-encryption>` becomes a prerequisite for NVS encryption here.
-NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled.
+.. only:: SOC_HMAC_SUPPORTED
    NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform-level encryption is already enabled.
 .. only:: not SOC_HMAC_SUPPORTED
    NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform-level encryption is already enabled.
 For using NVS encryption using this scheme, the partition table must contain the :ref:`nvs_encr_key_partition`. Two partition tables containing the :ref:`nvs_encr_key_partition` are provided for NVS encryption under the partition table option (``menuconfig`` > ``Partition Table``). They can be selected with the project configuration menu (``idf.py menuconfig``). Please refer to the example :example:`security/flash_encryption` for how to configure and use the NVS encryption feature.
--- a/docs/en/migration-guides/release-5.x/5.2/index.rst
+++ b/docs/en/migration-guides/release-5.x/5.2/index.rst
@ -9,5 +9,6 @@ Migration from 5.1 to 5.2
    gcc
    peripherals
    protocols
    storage
    system
    wifi
--- a/docs/en/migration-guides/release-5.x/5.2/storage.rst
+++ b/docs/en/migration-guides/release-5.x/5.2/storage.rst
@ -0,0 +1,11 @@
 Storage
 =======
 :link_to_translation:`zh_CN:[中文]`
 NVS Encryption
 --------------
 - For SoCs with the HMAC peripheral (``SOC_HMAC_SUPPORTED``), turning on :doc:`../../../security/flash-encryption` will no longer automatically turn on :doc:`../../../api-reference/storage/nvs_encryption`.
 - You will need to explicitly turn on NVS encryption and select the required scheme (flash encryption-based or HMAC peripheral-based). You can select the HMAC peripheral-based scheme (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`), even if flash encryption is not enabled.
 - SoCs without the HMAC peripheral will still automatically turn on NVS encryption when flash encryption is enabled.
--- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst
+++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst
@ -20,7 +20,13 @@ NVS 加密：基于 flash 加密的方案
 在这个方案中，NVS 加密所需的密钥存储在另一个分区中，该分区用 :doc:`../../security/flash-encryption` 进行保护。因此，使用该方案时，必须先启用 :doc:`../../security/flash-encryption`。
-启用 :doc:`../../security/flash-encryption` 时，默认启用 NVS 加密。这是因为 Wi-Fi 驱动程序会将凭证（如 SSID 和密码）储存在默认的 NVS 分区中。如已启用平台级加密，那么同时默认启用 NVS 加密有其必要性。
+.. only:: SOC_HMAC_SUPPORTED
    启用 :doc:`../../security/flash-encryption` 时需同时启用 NVS 加密，因为 Wi-Fi 驱动程序会将凭据（如 SSID 和密码）储存在默认的 NVS 分区中。如已启用平台级加密，那么则需要同时启用 NVS 加密。
 .. only:: not SOC_HMAC_SUPPORTED
    启用 :doc:`../../security/flash-encryption` 时，默认启用 NVS 加密。这是因为 Wi-Fi 驱动程序会将凭据（如 SSID 和密码）储存在默认的 NVS 分区中。如已启用平台级加密，那么则需要同时默认启用 NVS 加密。
 要用这一方案进行 NVS 加密，分区表中必须包含 :ref:`nvs_encr_key_partition`。在分区表选项 ( ``menuconfig`` > ``Partition Table`` ) 中，有两个包含 :ref:`nvs_encr_key_partition` 的分区表，可通过项目配置菜单 ( ``idf.py menuconfig``) 进行选择。要了解如何配置和使用 NVS 加密功能，请参考示例 :example:`security/flash_encryption`。
--- a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst
+++ b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst
@ -9,5 +9,6 @@
    gcc
    peripherals
    protocols
    storage
    system
    wifi
--- a/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst
+++ b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst
@ -0,0 +1,11 @@
 存储
 ====
 :link_to_translation:`en:[English]`
 NVS 加密
 --------
 - 在集成 HMAC 外设 (``SOC_HMAC_SUPPORTED``) 的 SoC 上，启用 :doc:`../../../security/flash-encryption` 时将不再自动启用 :doc:`../../../api-reference/storage/nvs_encryption`。
 - 因此需显式启用 NVS 加密，并按照需要选择基于 flash 加密或基于 HMAC 外设的方案。即使未启用 flash 加密，也可选择基于 HMAC 外设的方案 (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`)。
 - 启用 flash 加密后，未集成 HMAC 外设的 SoC 仍会自动启用 NVS 加密。