From 9c169a1812efce1772d66469156acc50ca888481 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Fri, 22 Jan 2021 15:33:39 +0530
Subject: [PATCH 1/3] Revert "esp_partition: disable encrypted reads/writes if flash encryption is disabled"
This reverts commit bf35ef1ce7b7db30d499d4058d6a4f39ba467fca. It has been noticed that there are scenarios where even though firmware is not enabled with flash encryption config feature, it should be able to write to encrypted partitions. This revert adds the feature back which was removed around v4.0 timelines, and same change will be backported to all releases (upto v4.0) for consistency.
---
 components/spi_flash/partition.c | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c
index 2855df90ab..b46a1fd6b9 100644
--- a/components/spi_flash/partition.c
+++ b/components/spi_flash/partition.c
@@ -349,7 +349,6 @@ esp_err_t esp_partition_read(const esp_partition_t* partition,
 return spi_flash_read(partition->address + src_offset, dst, size);
 #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL
 } else {
-#if CONFIG_SECURE_FLASH_ENC_ENABLED
 if (partition->flash_chip != esp_flash_default_chip) {
 return ESP_ERR_NOT_SUPPORTED;
 }
@@ -367,9 +366,6 @@ esp_err_t esp_partition_read(const esp_partition_t* partition,
 memcpy(dst, buf, size);
 spi_flash_munmap(handle);
 return ESP_OK;
-#else
- return ESP_ERR_NOT_SUPPORTED;
-#endif // CONFIG_SECURE_FLASH_ENC_ENABLED
 }
 }
@@ -391,14 +387,10 @@ esp_err_t esp_partition_write(const esp_partition_t* partition,
 return spi_flash_write(dst_offset, src, size);
 #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL
 } else {
-#if CONFIG_SECURE_FLASH_ENC_ENABLED
 if (partition->flash_chip != esp_flash_default_chip) {
 return ESP_ERR_NOT_SUPPORTED;
 }
 return spi_flash_write_encrypted(dst_offset, src, size);
-#else
- return ESP_ERR_NOT_SUPPORTED;
-#endif // CONFIG_SECURE_FLASH_ENC_ENABLED
 }
 }
From d82adb482bff6275d59139ea09ce80e5ad21d15a Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Fri, 22 Jan 2021 15:44:27 +0530
Subject: [PATCH 2/3] spi_flash: add config option to enable encrypted partition read/write This feature can be disabled to save some IRAM (approx 1KB) for cases where flash encryption feature is not required.
---
 components/bootloader/Kconfig.projbuild | 1 +
 components/spi_flash/Kconfig | 9 +++++++++
 components/spi_flash/partition.c | 8 ++++++++
 3 files changed, 18 insertions(+)
diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild
index c21af3f9bb..81858cc623 100644
--- a/components/bootloader/Kconfig.projbuild
+++ b/components/bootloader/Kconfig.projbuild
@@ -406,6 +406,7 @@ menu "Security features"
 config SECURE_FLASH_ENC_ENABLED
 bool "Enable flash encryption on boot (READ DOCS FIRST)"
 default N
+ select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
 help
 If this option is set, flash contents will be encrypted by the bootloader on first boot.
diff --git a/components/spi_flash/Kconfig b/components/spi_flash/Kconfig
index e884726c5b..d69ce3e990 100644
--- a/components/spi_flash/Kconfig
+++ b/components/spi_flash/Kconfig
@@ -139,4 +139,13 @@ menu "SPI Flash driver"
 endmenu #auto detect flash chips
+ config SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
+ bool "Enable encrypted partition read/write operations"
+ default y
+ help
+ This option enables flash read/write operations to encrypted partition/s. This option
+ is kept enabled irrespective of state of flash encryption feature. However, in case
+ application is not using flash encryption feature and is in need of some additional
+ memory from IRAM region (~1KB) then this config can be disabled.
+
 endmenu
diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c
index b46a1fd6b9..8d68b4486b 100644
--- a/components/spi_flash/partition.c
+++ b/components/spi_flash/partition.c
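Review bot: The help text added for `SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE` in components/spi_flash/Kconfig does not say what turning the option off does. Per the partition.c hunks of this same patch, `esp_partition_read()` and `esp_partition_write()` then return `ESP_ERR_NOT_SUPPORTED` on the branch that otherwise calls `spi_flash_write_encrypted()`. Only `SECURE_FLASH_ENC_ENABLED` selects the option, so an image built with both unset and installed on a device where flash encryption is already active would presumably lose access to its encrypted partitions, which is the case the revert in patch 1/3 set out to restore. I would add a sentence to the help such as `If disabled, esp_partition_read/esp_partition_write return ESP_ERR_NOT_SUPPORTED for encrypted partitions; keep it enabled if the firmware may run on devices that already have flash encryption enabled.`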
@@ -349,6 +349,7 @@ esp_err_t esp_partition_read(const esp_partition_t* partition,
 return spi_flash_read(partition->address + src_offset, dst, size);
 #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL
 } else {
+#if CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
 if (partition->flash_chip != esp_flash_default_chip) {
 return ESP_ERR_NOT_SUPPORTED;
 }
@@ -366,6 +367,9 @@ esp_err_t esp_partition_read(const esp_partition_t* partition,
 memcpy(dst, buf, size);
 spi_flash_munmap(handle);
 return ESP_OK;
+#else
+ return ESP_ERR_NOT_SUPPORTED;
+#endif // CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
 }
 }
@@ -387,10 +391,14 @@ esp_err_t esp_partition_write(const esp_partition_t* partition,
 return spi_flash_write(dst_offset, src, size);
 #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL
 } else {
+#if CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
 if (partition->flash_chip != esp_flash_default_chip) {
 return ESP_ERR_NOT_SUPPORTED;
 }
 return spi_flash_write_encrypted(dst_offset, src, size);
+#else
+ return ESP_ERR_NOT_SUPPORTED;
+#endif // CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE
 }
 }
From 544a2a4f4e9664801069bdc9830dd9fadaeccfe3 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Sun, 24 Jan 2021 13:50:21 +0530
Subject: [PATCH 3/3] unit-test-app: disable encrypted flash read/write in psram config to fix build failure
---
 tools/unit-test-app/configs/psram | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/tools/unit-test-app/configs/psram b/tools/unit-test-app/configs/psram
index c355f16c32..be60560eef 100644
--- a/tools/unit-test-app/configs/psram
+++ b/tools/unit-test-app/configs/psram
@@ -2,3 +2,5 @@ TEST_EXCLUDE_COMPONENTS=libsodium bt app_update driver esp32 spi_flash
 CONFIG_ESP32_SPIRAM_SUPPORT=y
 CONFIG_SPIRAM_OCCUPY_NO_HOST=y
 CONFIG_ESP32_WIFI_RX_IRAM_OPT=n
+# Disable encrypted flash reads/writes to save IRAM in this build configuration
+CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE=n
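Review bot: The new `#else` arms in `esp_partition_read()` and `esp_partition_write()` (partition.c, patch 2/3) return the same `ESP_ERR_NOT_SUPPORTED` that the branch already uses for a non-default flash chip. A firmware built with `CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE=n` therefore fails on this path with no hint that the build option is the cause. A one-line comment in each arm would help, e.g. `// encrypted partition access compiled out (CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE=n)`. With the option on (the default), the branch is gated only at build time, so `spi_flash_write_encrypted()` is reachable whether or not flash encryption is active on the chip. Both functions begin and end outside the hunks, so whether the condition guarding this branch already reflects the runtime encryption state is not visible here and is worth confirming.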