change(nvs_flash): Add a private dependency of the nvs_sec_provider component

- Closes https://github.com/espressif/esp-idf/issues/17256
2025-10-02 10:00:57 +02:00 · 2025-09-18 14:49:27 +05:30
parent f60bcaaa4d
commit f565fc2481
4 changed files with 23 additions and 10 deletions
--- a/components/nvs_flash/CMakeLists.txt
+++ b/components/nvs_flash/CMakeLists.txt
@@ -7,10 +7,11 @@ if(BOOTLOADER_BUILD)
             "src/nvs_bootloader_xts_aes.c")

    set(requires "esp_partition")
+    set(priv_requires "mbedtls" "nvs_sec_provider")

    idf_component_register(SRCS "${srcs}"
                        REQUIRES "${requires}"
-                        PRIV_REQUIRES "mbedtls"
+                        PRIV_REQUIRES "${priv_requires}"
                        INCLUDE_DIRS "include"
                        PRIV_INCLUDE_DIRS "private_include"
    )
@@ -60,10 +61,9 @@ else()
            "src/nvs_bootloader.c")

    set(requires esp_partition)
-    if(${target} STREQUAL "linux")
-        set(priv_requires spi_flash)
-    else()
-        set(priv_requires spi_flash esp_libc esptool_py)
+    set(priv_requires spi_flash)
+    if(NOT ${target} STREQUAL "linux")
+        list(APPEND priv_requires esp_libc esptool_py nvs_sec_provider)
    endif()

    idf_component_register(SRCS "${srcs}"
--- a/components/nvs_sec_provider/CMakeLists.txt
+++ b/components/nvs_sec_provider/CMakeLists.txt
@@ -4,10 +4,12 @@ if(${target} STREQUAL "linux")
    return() # This component is not supported by the POSIX/Linux simulator
 endif()

-if(BOOTLOADER_BUILD)
-    set(srcs "nvs_bootloader_sec_provider.c")
-else()
-    set(srcs "nvs_sec_provider.c")
+if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)
+    if(BOOTLOADER_BUILD)
+        set(srcs "nvs_bootloader_sec_provider.c")
+    else()
+        set(srcs "nvs_sec_provider.c")
+    endif()
 endif()

 idf_component_register(SRCS ${srcs}
@@ -22,4 +24,6 @@ idf_component_register(SRCS ${srcs}
 # Thus, the symbols from this component are not placed in the .map file and
 # hence the constructor, which initialises the encryption scheme for the default
 # NVS partition, never executes. The following is a workaround for the same.
-target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl")
+if(NOT CONFIG_NVS_SEC_KEY_PROTECT_NONE)
+    target_link_libraries(${COMPONENT_LIB} PRIVATE "-u nvs_sec_provider_include_impl")
+endif()
--- a/components/nvs_sec_provider/Kconfig
+++ b/components/nvs_sec_provider/Kconfig
@@ -27,6 +27,12 @@ menu "NVS Security Provider"
                Requires the specified eFuse block (NVS_SEC_HMAC_EFUSE_KEY_ID or the v2 API argument)
                to be empty or pre-written with a key with the purpose ESP_EFUSE_KEY_PURPOSE_HMAC_UP

+        config NVS_SEC_KEY_PROTECT_NONE
+            bool "None"
+            help
+                Select this option if key derivation/protection is handled by
+                a custom implementation, and not by the nvs_sec_provider component.
+
    endchoice

    config NVS_SEC_HMAC_EFUSE_KEY_ID
--- a/docs/en/api-reference/storage/nvs_encryption.rst
+++ b/docs/en/api-reference/storage/nvs_encryption.rst
@@ -219,6 +219,9 @@ The component :component:`nvs_sec_provider` stores all the implementation-specif

    This component offers factory functions with which a particular security scheme can be registered without having to worry about the APIs to generate and read the encryption keys (e.g., :cpp:func:`nvs_sec_provider_register_hmac`). Refer to the :example:`security/nvs_encryption_hmac` example for API usage.

+.. note::
+
+    To use a custom implementation for NVS encryption key derivation or protection (instead of the ones provided by the :component:`nvs_sec_provider` component), select the :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` -> ``CONFIG_NVS_SEC_KEY_PROTECT_NONE`` configuration option.

 API Reference
 -------------