espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-11-02 16:11:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix(nvs_flash): Remove the forceful selection of NVS_ENCRYPTION with flash encryption

Browse Source 
- This change will introduce a breaking change for SoCs with the HMAC
  peripheral. Turning on flash encryption will no longer enable NVS
  encryption automatically.

Closes https://github.com/espressif/esp-idf/issues/12549
This commit is contained in:
Laukik Hase
2023-11-21 11:11:02 +05:30
parent 94d7ec7a38
commit ea51f4e2f7
9 changed files with 50 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/en/api-reference/storage/nvs_encryption.rst
View File

@@ -20,7 +20,13 @@ NVS Encryption: Flash Encryption-Based Scheme
In this scheme, the keys required for NVS encryption are stored in yet another partition, which is protected using :doc:`Flash Encryption <../../security/flash-encryption>`. Therefore, enabling :doc:`Flash Encryption <../../security/flash-encryption>` becomes a prerequisite for NVS encryption here.
NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled.
.. only:: SOC_HMAC_SUPPORTED
NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform level encryption is already enabled.
.. only:: not SOC_HMAC_SUPPORTED
NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled.
For using NVS encryption using this scheme, the partition table must contain the :ref:`nvs_encr_key_partition`. Two partition tables containing the :ref:`nvs_encr_key_partition` are provided for NVS encryption under the partition table option (``menuconfig`` > ``Partition Table``). They can be selected with the project configuration menu (``idf.py menuconfig``). Please refer to the example :example:`security/flash_encryption` for how to configure and use the NVS encryption feature.