From f9e2ebaea5c21b9ebfa4cada0e810da811516a0c Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Tue, 12 Aug 2025 10:01:45 +0530 Subject: [PATCH] feat(protocomm): disable security version 0 and 1 by default Change default values for protocomm security configuration options to improve security: - CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0 now defaults to 'n' - CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1 now defaults to 'n' This reduces code size by default and encourages use of more secure protocomm implementations. Projects using these security versions must explicitly enable them in their configuration. --- components/protocomm/Kconfig | 4 ++-- .../protocomm/test_apps/sdkconfig.defaults | 4 ++++ .../release-6.x/6.0/provisioning.rst | 18 ++++++++++++++++++ .../release-6.x/6.0/provisioning.rst | 18 ++++++++++++++++++ 4 files changed, 42 insertions(+), 2 deletions(-) diff --git a/components/protocomm/Kconfig b/components/protocomm/Kconfig index 433cd7d386..4c7c51de24 100644 --- a/components/protocomm/Kconfig +++ b/components/protocomm/Kconfig @@ -2,7 +2,7 @@ menu "Protocomm" config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0 bool "Support protocomm security version 0 (no security)" - default y + default n help Enable support of security version 0. Disabling this option saves some code size. @@ -11,7 +11,7 @@ menu "Protocomm" config ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1 bool "Support protocomm security version 1 (Curve25519 key exchange + AES-CTR encryption/decryption)" - default y + default n help Enable support of security version 1. Disabling this option saves some code size. diff --git a/components/protocomm/test_apps/sdkconfig.defaults b/components/protocomm/test_apps/sdkconfig.defaults index e7d6da5519..239ded94df 100644 --- a/components/protocomm/test_apps/sdkconfig.defaults +++ b/components/protocomm/test_apps/sdkconfig.defaults @@ -7,3 +7,7 @@ CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y CONFIG_COMPILER_STACK_CHECK=y CONFIG_ESP_TASK_WDT_EN=n + +# Enable all protocomm security versions for testing +CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0=y +CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1=y diff --git a/docs/en/migration-guides/release-6.x/6.0/provisioning.rst b/docs/en/migration-guides/release-6.x/6.0/provisioning.rst index 2b5e730cb3..2bb6138cc5 100644 --- a/docs/en/migration-guides/release-6.x/6.0/provisioning.rst +++ b/docs/en/migration-guides/release-6.x/6.0/provisioning.rst @@ -7,3 +7,21 @@ Breaking Changes ---------------- The return type of :cpp:func:`wifi_prov_mgr_deinit` has been changed from ``void`` to :cpp:type:`esp_err_t`. This change allows applications to properly handle potential failures during provisioning manager deinitialization. + +Configuration Changes +--------------------- + +Protocomm Security Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The default values for protocomm security configuration options have been changed to improve security by default: + +- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` now defaults to ``n`` (previously ``y``) +- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` now defaults to ``n`` (previously ``y``) + +Projects that rely on protocomm security versions 0 or 1 will need to explicitly enable these options in their configuration. If your application uses protocomm security version 0 (no security) or version 1 (Curve25519 + AES-CTR), you must explicitly enable the corresponding configuration option in your project's ``sdkconfig`` or through ``menuconfig``: + +- For security version 0: Enable :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` +- For security version 1: Enable :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` + +This change was made to reduce code size by default and encourage the use of more secure protocomm implementations. diff --git a/docs/zh_CN/migration-guides/release-6.x/6.0/provisioning.rst b/docs/zh_CN/migration-guides/release-6.x/6.0/provisioning.rst index 4bc1c34495..07a8991071 100644 --- a/docs/zh_CN/migration-guides/release-6.x/6.0/provisioning.rst +++ b/docs/zh_CN/migration-guides/release-6.x/6.0/provisioning.rst @@ -7,3 +7,21 @@ -------- 函数 :cpp:func:`wifi_prov_mgr_deinit` 的返回值类型已从 ``void`` 变更为 :cpp:type:`esp_err_t`。此项变更使应用程序在反初始化配网管理器时能够妥善处理可能出现的故障。 + +配置变更 +-------- + +Protocomm 安全配置 +~~~~~~~~~~~~~~~~~~ + +为了默认提高安全性,protocomm 安全配置选项的默认值已更改: + +- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` 现在默认为 ``n`` (原为 ``y`` ) +- :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` 现在默认为 ``n`` (原为 ``y`` ) + +依赖 protocomm 安全版本 0 或 1 的项目需要在其配置中显式启用这些选项。如果您的应用程序使用 protocomm 安全版本 0(无安全)或版本 1(Curve25519 + AES-CTR),则必须在项目的 ``sdkconfig`` 中或通过 ``menuconfig`` 显式启用相应的配置选项: + +- 对于安全版本 0:启用 :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_0` +- 对于安全版本 1:启用 :ref:`CONFIG_ESP_PROTOCOMM_SUPPORT_SECURITY_VERSION_1` + +此项变更旨在默认减少代码大小,并鼓励使用更安全的 protocomm 实现。