From f565fc24818ffedbda32b00b0eae87d452521539 Mon Sep 17 00:00:00 2001
From: Laukik Hase <laukik.hase@espressif.com>
Date: Thu, 18 Sep 2025 14:49:27 +0530
Subject: [PATCH] change(nvs_flash): Add a private dependency of the
 `nvs_sec_provider` component

- Closes https://github.com/espressif/esp-idf/issues/17256
---
 components/nvs_flash/CMakeLists.txt              | 10 +++++-----
 components/nvs_sec_provider/CMakeLists.txt       | 14 +++++++++-----
 components/nvs_sec_provider/Kconfig              |  6 ++++++
 docs/en/api-reference/storage/nvs_encryption.rst |  3 +++
 4 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/components/nvs_flash/CMakeLists.txt b/components/nvs_flash/CMakeLists.txt
index 74745ffa67..a18ea32f42 100644
--- a/components/nvs_flash/CMakeLists.txt
+++ b/components/nvs_flash/CMakeLists.txt
@@ -7,10 +7,11 @@ if(BOOTLOADER_BUILD)
              "src/nvs_bootloader_xts_aes.c")
 
     set(requires "esp_partition")
+    set(priv_requires "mbedtls" "nvs_sec_provider")
 
     idf_component_register(SRCS "${srcs}"
                         REQUIRES "${requires}"
-                        PRIV_REQUIRES "mbedtls"
+                        PRIV_REQUIRES "${priv_requires}"
                         INCLUDE_DIRS "include"
                         PRIV_INCLUDE_DIRS "private_include"
     )
@@ -60,10 +61,9 @@ else()
             "src/nvs_bootloader.c")
 
     set(requires esp_partition)
-    if(${target} STREQUAL "linux")
-        set(priv_requires spi_flash)
-    else()
-        set(priv_requires spi_flash esp_libc esptool_py)
+    set(priv_requires spi_flash)
+    if(NOT ${target} STREQUAL "linux")
+        list(APPEND priv_requires esp_libc esptool_py nvs_sec_provider)
     endif()
 
     idf_component_register(SRCS "${srcs}"
diff --git a/components/nvs_sec_provider/CMakeLists.txt b/components/nvs_sec_provider/CMakeLists.txt
index a10a0088d3..2f45f35221 100644
--- a/components/nvs_sec_provider/CMakeLists.txt
+++ b/components/nvs_sec_provider/CMakeLists.txt
@@ -4,10 +4,12 @@ if(${target} STREQUAL "linux")
     return() # This component is not supported by the POSIX/Linux simulator
 endif()
 
-if(BOOTLOADER_BUILD)
-    set(srcs "nvs_bootloader_sec_provider.c")
-else()
-    set(srcs "nvs_sec_provider.c")
+if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)
+    if(BOOTLOADER_BUILD)
+        set(srcs "nvs_bootloader_sec_provider.c")
+    else()
+        set(srcs "nvs_sec_provider.c")
+    endif()
 endif()
 
 idf_component_register(SRCS ${srcs}
@@ -22,4 +24,6 @@ idf_component_register(SRCS ${srcs}
 # Thus, the symbols from this component are not placed in the .map file and
 # hence the constructor, which initialises the encryption scheme for the default
 # NVS partition, never executes. The following is a workaround for the same.
-target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl")
+if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)
+    target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl")
+endif()
diff --git a/components/nvs_sec_provider/Kconfig b/components/nvs_sec_provider/Kconfig
index 4ed79c4e87..d0b973e1f0 100644
--- a/components/nvs_sec_provider/Kconfig
+++ b/components/nvs_sec_provider/Kconfig
@@ -27,6 +27,12 @@ menu "NVS Security Provider"
                 Requires the specified eFuse block (NVS_SEC_HMAC_EFUSE_KEY_ID or the v2 API argument)
                 to be empty or pre-written with a key with the purpose ESP_EFUSE_KEY_PURPOSE_HMAC_UP
 
+        config NVS_SEC_KEY_PROTECT_NONE
+            bool "None"
+            help
+                Select this option if key derivation/protection is handled by
+                a custom implementation, and not by the nvs_sec_provider component.
+
     endchoice
 
     config NVS_SEC_HMAC_EFUSE_KEY_ID
diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst
index 1292eb94fa..e0d69e7a25 100644
--- a/docs/en/api-reference/storage/nvs_encryption.rst
+++ b/docs/en/api-reference/storage/nvs_encryption.rst
@@ -219,6 +219,9 @@ The component :component:`nvs_sec_provider` stores all the implementation-specif
 
     This component offers factory functions with which a particular security scheme can be registered without having to worry about the APIs to generate and read the encryption keys (e.g., :cpp:func:`nvs_sec_provider_register_hmac`). Refer to the :example:`security/nvs_encryption_hmac` example for API usage.
 
+.. note::
+
+    To use a custom implementation for NVS encryption key derivation or protection (instead of the ones provided by the :component:`nvs_sec_provider` component), select the :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` -> ``CONFIG_NVS_SEC_KEY_PROTECT_NONE`` configuration option.
 
 API Reference
 -------------