change(nvs_flash): Add a private dependency of the nvs_sec_provider component

- Closes https://github.com/espressif/esp-idf/issues/17256

components/nvs_flash/CMakeLists.txt

@@ -7,10 +7,11 @@ if(BOOTLOADER_BUILD)
              "src/nvs_bootloader_xts_aes.c")
 
     set(requires "esp_partition")
+    set(priv_requires "mbedtls" "nvs_sec_provider")
 
     idf_component_register(SRCS "${srcs}"
                         REQUIRES "${requires}"
-                        PRIV_REQUIRES "mbedtls"
+                        PRIV_REQUIRES "${priv_requires}"
                         INCLUDE_DIRS "include"
                         PRIV_INCLUDE_DIRS "private_include"
     )
@@ -60,10 +61,9 @@ else()
             "src/nvs_bootloader.c")
 
     set(requires esp_partition)
-    if(${target} STREQUAL "linux")
+    set(priv_requires spi_flash)
-        set(priv_requires spi_flash)
+    if(NOT ${target} STREQUAL "linux")
-    else()
+        list(APPEND priv_requires esp_libc esptool_py nvs_sec_provider)
-        set(priv_requires spi_flash esp_libc esptool_py)
     endif()
 
     idf_component_register(SRCS "${srcs}"

components/nvs_sec_provider/CMakeLists.txt

@@ -4,10 +4,12 @@ if(${target} STREQUAL "linux")
     return() # This component is not supported by the POSIX/Linux simulator
 endif()
 
-if(BOOTLOADER_BUILD)
+if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)
-    set(srcs "nvs_bootloader_sec_provider.c")
+    if(BOOTLOADER_BUILD)
-else()
+        set(srcs "nvs_bootloader_sec_provider.c")
-    set(srcs "nvs_sec_provider.c")
+    else()
+        set(srcs "nvs_sec_provider.c")
+    endif()
 endif()
 
 idf_component_register(SRCS ${srcs}
@@ -22,4 +24,6 @@ idf_component_register(SRCS ${srcs}
 # Thus, the symbols from this component are not placed in the .map file and
 # hence the constructor, which initialises the encryption scheme for the default
 # NVS partition, never executes. The following is a workaround for the same.
-target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl")
+if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)
+    target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl")
+endif()

components/nvs_sec_provider/Kconfig

@@ -27,6 +27,12 @@ menu "NVS Security Provider"
                 Requires the specified eFuse block (NVS_SEC_HMAC_EFUSE_KEY_ID or the v2 API argument)
                 to be empty or pre-written with a key with the purpose ESP_EFUSE_KEY_PURPOSE_HMAC_UP
 
+        config NVS_SEC_KEY_PROTECT_NONE
+            bool "None"
+            help
+                Select this option if key derivation/protection is handled by
+                a custom implementation, and not by the nvs_sec_provider component.
+
     endchoice
 
     config NVS_SEC_HMAC_EFUSE_KEY_ID

docs/en/api-reference/storage/nvs_encryption.rst

@@ -219,6 +219,9 @@ The component :component:`nvs_sec_provider` stores all the implementation-specif
 
     This component offers factory functions with which a particular security scheme can be registered without having to worry about the APIs to generate and read the encryption keys (e.g., :cpp:func:`nvs_sec_provider_register_hmac`). Refer to the :example:`security/nvs_encryption_hmac` example for API usage.
 
+.. note::
+
+    To use a custom implementation for NVS encryption key derivation or protection (instead of the ones provided by the :component:`nvs_sec_provider` component), select the :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` -> ``CONFIG_NVS_SEC_KEY_PROTECT_NONE`` configuration option.
 
 API Reference
 -------------