From 3b7d71eca27f5e3130606fe2c1c01313684506c5 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Mon, 30 Dec 2024 18:59:08 +0530 Subject: [PATCH] feat(examples): Extend the bootloader_nvs example to support encrypted NVS reads --- examples/storage/.build-test-rules.yml | 9 ++ examples/storage/nvs_bootloader/README.md | 117 +++++++++++++++++- .../nvs_bootloader_example/CMakeLists.txt | 4 +- .../src/nvs_bootloader_example.c | 85 ++++++++++--- .../nvs_bootloader/main/CMakeLists.txt | 12 +- .../nvs_bootloader/main/encryption_keys.bin | 1 + .../nvs_bootloader/main/nvs_enc_hmac_key.bin | 2 + .../nvs_bootloader/main/nvs_encrypted.bin | Bin 0 -> 24576 bytes .../main/nvs_encrypted_hmac.bin | Bin 0 -> 24576 bytes examples/storage/nvs_bootloader/nvs_data.csv | 2 + .../nvs_bootloader/pytest_nvs_bootloader.py | 24 +++- .../nvs_bootloader/sdkconfig.ci.default | 0 .../sdkconfig.ci.nvs_enc_flash_enc | 13 ++ .../nvs_bootloader/sdkconfig.ci.nvs_enc_hmac | 12 ++ .../storage/nvs_bootloader/sdkconfig.defaults | 2 +- .../nvs_bootloader/sdkconfig.defaults.esp32c2 | 2 + 16 files changed, 261 insertions(+), 24 deletions(-) create mode 100644 examples/storage/nvs_bootloader/main/encryption_keys.bin create mode 100644 examples/storage/nvs_bootloader/main/nvs_enc_hmac_key.bin create mode 100644 examples/storage/nvs_bootloader/main/nvs_encrypted.bin create mode 100644 examples/storage/nvs_bootloader/main/nvs_encrypted_hmac.bin create mode 100644 examples/storage/nvs_bootloader/sdkconfig.ci.default create mode 100644 examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_flash_enc create mode 100644 examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_hmac create mode 100644 examples/storage/nvs_bootloader/sdkconfig.defaults.esp32c2 diff --git a/examples/storage/.build-test-rules.yml b/examples/storage/.build-test-rules.yml index dfbff5c073..9fe58ad263 100644 --- a/examples/storage/.build-test-rules.yml +++ b/examples/storage/.build-test-rules.yml @@ -16,6 +16,15 @@ examples/storage/emmc: - if: IDF_TARGET == "esp32s3" reason: only support on esp32s3 +examples/storage/nvs_bootloader: + depends_components: + - nvs_flash + - nvs_sec_provider + disable: + - if: CONFIG_NAME == "nvs_enc_flash_enc" and (SOC_AES_SUPPORTED != 1 and ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB != 1) + - if: CONFIG_NAME == "nvs_enc_hmac" and (SOC_HMAC_SUPPORTED != 1 or (SOC_HMAC_SUPPORTED == 1 and (SOC_AES_SUPPORTED != 1 and ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB != 1))) + reason: As of now in such cases, we do not have any way to perform AES operations in the bootloader build + examples/storage/nvs_rw_blob: depends_components: - nvs_flash diff --git a/examples/storage/nvs_bootloader/README.md b/examples/storage/nvs_bootloader/README.md index a5247f64a3..e0b22376e5 100644 --- a/examples/storage/nvs_bootloader/README.md +++ b/examples/storage/nvs_bootloader/README.md @@ -3,7 +3,9 @@ # NVS Bootloader -The purpose of this example is to show how to use the simplified, read-only API of NVS flash that can be used as a part of bootloader +The purpose of this example is to show how to use the simplified, read-only API of NVS flash that can be used as a part of bootloader. + +A very practical application of being able to access the NVS in the bootloader build would be faster device restoration, where-in the application stores the device's current state/configurations and post a reset it would read the NVS to restore the device's last state, without waiting for application to boot-up. ## Usage of this example: @@ -123,3 +125,116 @@ Below is a short explanation of files in the project folder. The example creates request/response array `read_list[]`, populates it with identifiers of the data to be read. Function `nvs_bootloader_read()` tries to find respective data in the partition (here `"nvs"`) and if the data is found, it populates the request/response array with data. For nvs entries either not found or not matching are indicated in response array as well. Function `log_nvs_bootloader_read_list()`is used before and after reading from nvs to show request/response data to the console. + +# Encrypted NVS Bootloader + +This example is extended to support reading encrypted NVS partition when NVS encryption is enabled. + +## Usage of this example: + +Enable NVS encryption using your preferred scheme. Please find more details regarding the `flash encryption based NVS encryption scheme` and the `HMAC based NVS encryption scheme` in the [NVS encryption documentation](https://docs.espressif.com/projects/esp-idf/en/latest/api-reference/storage/nvs_encryption.html). + +(Note: In case you select the `HMAC based NVS encryption scheme`, make sure that you burn the below mentioned [HMAC key](./main/nvs_enc_hmac_key.bin) in the efuses.) + +For generating the encrypted NVS partitions, we shall use [NVS partition generator](https://docs.espressif.com/projects/esp-idf/en/latest/api-reference/storage/nvs_partition_gen.html#nvs-partition-generator-utility). +We shall use the [nvs_partition_gen.py](../../../components/nvs_flash/nvs_partition_generator/nvs_partition_gen.py) script for the operations. + +Along with the above mentioned file structure, the project folder also contains pre-generated encrypted partitions and the partition corresponding to the selected NVS encryption scheme is flashed along with the build artefacts using the `main/CMakeLists.txt`. + +In case the data in `nvs_data.csv` is modified, these encrypted NVS partitions can be re-generated using the following commands: + +1. NVS Encryption using the flash encryption scheme + +``` +python nvs_partition_gen.py encrypt $IDF_PATH/examples/storage/nvs_bootloader/nvs_data.csv $IDF_PATH/examples/storage/nvs_bootloader/main/nvs_encrypted.bin 0x6000 --inputkey $IDF_PATH/examples/storage/nvs_bootloader/main/encryption_keys.bin +``` + +2. NVS Encryption using the HMAC scheme + +``` +python nvs_partition_gen.py encrypt $IDF_PATH/examples/storage/nvs_bootloader/nvs_data.csv $IDF_PATH/examples/storage/nvs_bootloader/main/nvs_encrypted_hmac.bin 0x6000 --keygen --key_protect_hmac --kp_hmac_inputkey $IDF_PATH/examples/storage/nvs_bootloader/main/nvs_enc_hmac_key.bin +``` + +Build the application using configurations corresponding to the NVS encryption scheme that you have selected: + +``` +idf.py set-target + +# For NVS encryption using flash encryption scheme +cat sdkconfig.ci.nvs_enc_flash_enc >> sdkconfig + +OR + +# For NVS encryption using the HMAC scheme +cat sdkconfig.ci.nvs_enc_hmac >> sdkconfig + +idf.py build +``` + +Then flash it and open the monitor with the following command: +``` +idf.py flash monitor +``` + +If everything went well, the console output should contain the same three blocks of log messages that are mentioned above. + +### Running the example using QEMU + +You could quickly try out this example using QEMU. Refer this [link](https://github.com/espressif/esp-toolchain-docs/blob/main/qemu/README.md#choose-your-target) to know which targets are currently supported in QEMU. + +#### Using the NVS encryption's flash encryption scheme + +1. Configure the application with the corresponding configurations + +``` +idf.py set-target + +cat sdkconfig.ci.nvs_enc_flash_enc >> sdkconfig + +# Disable the below config as it was enabled as a CI related configuration, thus enabling flash encryption during boot-up in QEMU +echo "CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=n" >> sdkconfig + +``` + +2. Building the app + +``` +idf.py build +``` + +3. Running the app + +``` +idf.py qemu monitor +``` + +#### Using the NVS encryption's HMAC scheme + +1. Build the application using the corresponding configurations + +``` +idf.py set-target + +cat sdkconfig.ci.nvs_enc_hmac >> sdkconfig + +# Disable the below config as it was enabled as a CI related configuration, thus enabling flash encryption during boot-up in QEMU +echo "CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=n" >> sdkconfig +``` + +2. Building the app + +``` +idf.py build +``` + +3. Burn the related HMAC key in the efuses + +``` +idf.py qemu efuse-burn-key BLOCK_KEY0 main/nvs_enc_hmac_key.bin HMAC_UP +``` + +4. Running the app + +``` +idf.py qemu monitor +``` diff --git a/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/CMakeLists.txt b/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/CMakeLists.txt index 91038a9e13..cbe40eafec 100644 --- a/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/CMakeLists.txt +++ b/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/CMakeLists.txt @@ -1,6 +1,6 @@ -idf_component_register( SRCS "src/nvs_bootloader_example.c" "src/nvs_bootloader_example_utils.c" +idf_component_register(SRCS "src/nvs_bootloader_example.c" "src/nvs_bootloader_example_utils.c" INCLUDE_DIRS "include" - REQUIRES "nvs_flash" ) + REQUIRES "nvs_flash" "nvs_sec_provider") # We need to force GCC to integrate this static library into the # bootloader link. Indeed, by default, as the hooks in the bootloader are weak, diff --git a/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/src/nvs_bootloader_example.c b/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/src/nvs_bootloader_example.c index cf83507aaf..4b1348390c 100644 --- a/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/src/nvs_bootloader_example.c +++ b/examples/storage/nvs_bootloader/bootloader_components/nvs_bootloader_example/src/nvs_bootloader_example.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -8,6 +8,8 @@ #include "nvs_bootloader.h" #include "nvs_bootloader_example_utils.h" +#include "nvs_sec_provider.h" + static const char* TAG = "nvs_bootloader_example"; // Function used to tell the linker to include this file @@ -21,14 +23,11 @@ void bootloader_before_init(void) { } -void log_request_call_read_evaluate_output(const char* nvs_partition_label, nvs_bootloader_read_list_t read_list[], const size_t read_list_count) { - // log the request structure before the read to see the requested keys and namespaces - // with the ESP_ERR_NOT_FINISHED return code we are just telling the log function to show the request data and omit printing the result data - // it is useful for debugging the request structure - log_nvs_bootloader_read_list(ESP_ERR_NOT_FINISHED, read_list, read_list_count); - +void log_request_call_read_evaluate_output(const char* nvs_partition_label, nvs_bootloader_read_list_t read_list[], const size_t read_list_count, const nvs_sec_cfg_t* sec_cfg) +{ + esp_err_t ret = ESP_FAIL; // call the read function - esp_err_t ret = nvs_bootloader_read(nvs_partition_label, read_list_count, read_list); + ret = nvs_bootloader_read(nvs_partition_label, read_list_count, read_list); // Error code ESP_OK means that the read function was successful and individual, per record results are stored in the read_list if (ret == ESP_OK) { @@ -62,10 +61,48 @@ void bootloader_after_init(void) { // we are going to read from the default nvs partition labelled 'nvs' const char* nvs_partition_label = "nvs"; - #define STR_BUFF_LEN 10+1 // 10 characters + null terminator - char str_buff[STR_BUFF_LEN]; + #define STR_BUFF_LEN_10 10+1 // 10 characters + null terminator + #define STR_BUFF_LEN_66 66+1 // 66 characters + null terminator + char str_buff_10[STR_BUFF_LEN_10]; + char str_buff_66[STR_BUFF_LEN_66]; + + nvs_sec_cfg_t* sec_cfg = NULL; + +#if CONFIG_NVS_ENCRYPTION + nvs_sec_cfg_t cfg = {}; + nvs_sec_scheme_t *sec_scheme_handle = NULL; +#if CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC + nvs_sec_config_hmac_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_HMAC_DEFAULT(); + if (nvs_sec_provider_register_hmac(&sec_scheme_cfg, &sec_scheme_handle) != ESP_OK) { + ESP_EARLY_LOGE(TAG, "Registering the HMAC scheme failed"); + return; + } +#elif CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC + nvs_sec_config_flash_enc_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_FLASH_ENC_DEFAULT(); + if (sec_scheme_cfg.nvs_keys_part == NULL) { + ESP_EARLY_LOGE(TAG, "partition with subtype \"nvs_keys\" not found"); + } + + if (nvs_sec_provider_register_flash_enc(&sec_scheme_cfg, &sec_scheme_handle) != ESP_OK) { + ESP_EARLY_LOGE(TAG, "Registering the Flash Encryption scheme failed"); + return; + } +#endif /* CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC */ + + if (nvs_bootloader_read_security_cfg(sec_scheme_handle, &cfg) != ESP_OK) { + ESP_EARLY_LOGE(TAG, "Reading the NVS security configuration failed"); + return; + } + + if (nvs_bootloader_secure_init(&cfg) != ESP_OK) { + ESP_LOGE(TAG, "Secure initialization of NVS failed"); + return; + } +#endif /* CONFIG_NVS_ENCRYPTION*/ // --- This is the request structure for the read function showing validation errors - function will return ESP_ERR_INVALID_ARG --- + ESP_EARLY_LOGI(TAG, "Trying to read the NVS partition by passing invalid arguments"); + nvs_bootloader_read_list_t bad_read_list_indicate_problems[] = { { .namespace_name = "sunny_day", .key_name = "u8", .value_type = NVS_TYPE_U8 }, // ESP_ERR_NVS_NOT_FOUND // this is correct request, not found is expected default result code @@ -75,19 +112,21 @@ void bootloader_after_init(void) { // too long key name { .namespace_name = "clowny_day", .key_name = "blobeee", .value_type = NVS_TYPE_BLOB }, // ESP_ERR_INVALID_ARG // not supported data type - { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff, .buff_len = 0 } }, + { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff_10, .buff_len = 0 } }, // ESP_ERR_INVALID_SIZE // buffer size is 0 - { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = NULL, .buff_len = 10 } } + { .namespace_name = "sunny_day", .key_name = "string_66_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = NULL, .buff_len = 66 } } // ESP_ERR_INVALID_SIZE // buffer pointer is invalid }; size_t bad_read_list_indicate_problems_count = sizeof(bad_read_list_indicate_problems) / sizeof(bad_read_list_indicate_problems[0]); - log_request_call_read_evaluate_output(nvs_partition_label, bad_read_list_indicate_problems, bad_read_list_indicate_problems_count); + log_request_call_read_evaluate_output(nvs_partition_label, bad_read_list_indicate_problems, bad_read_list_indicate_problems_count, sec_cfg); // --- This is the request structure for the read function showing runtime errors - function will return ESP_OK --- // but some records will have result_code set to ESP_ERR_NVS_NOT_FOUND, ESP_ERR_NVS_TYPE_MISMATCH, ESP_ERR_INVALID_SIZE + ESP_EARLY_LOGI(TAG, "Trying to read the NVS partition by expecting incorrect data"); + nvs_bootloader_read_list_t good_read_list_bad_results[] = { { .namespace_name = "sunny_day", .key_name = "u8", .value_type = NVS_TYPE_I8 }, // ESP_ERR_NVS_TYPE_MISMATCH // data in the partition is of different type (NVS_TYPE_U8) @@ -95,17 +134,20 @@ void bootloader_after_init(void) { // data in the partition won't be found, because there is a typo in the key name { .namespace_name = "clowny_day", .key_name = "i8", .value_type = NVS_TYPE_I8 }, // ESP_ERR_NVS_NOT_FOUND // data in the partition won't be found, because there is typo in namespace name - { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff, .buff_len = 2 } }, + { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff_10, .buff_len = 2 } }, // ESP_ERR_INVALID_SIZE // buffer is too small { .namespace_name = "sunny_day", .key_name = "u32", .value_type = NVS_TYPE_U32 }, // ESP_OK // this value will be read correctly - { .namespace_name = "sunny_day", .key_name = "u32", .value_type = NVS_TYPE_U32 } // ESP_ERR_NVS_NOT_FOUND + { .namespace_name = "sunny_day", .key_name = "u32", .value_type = NVS_TYPE_U32 }, // ESP_ERR_NVS_NOT_FOUND // this value won't be read as function doesn't support duplicate readings + { .namespace_name = "sunny_day", .key_name = "string_66_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff_66, .buff_len = 65 } } + // ESP_ERR_INVALID_SIZE + // buffer is just small }; size_t good_read_list_bad_results_count = sizeof(good_read_list_bad_results) / sizeof(good_read_list_bad_results[0]); - log_request_call_read_evaluate_output(nvs_partition_label, good_read_list_bad_results, good_read_list_bad_results_count); + log_request_call_read_evaluate_output(nvs_partition_label, good_read_list_bad_results, good_read_list_bad_results_count, sec_cfg); // --- This is the request structure for the read function showing all records found--- @@ -116,16 +158,23 @@ void bootloader_after_init(void) { // For NVS_TYPE_STR the value field is a structure with a pointer to the buffer and the buffer length is povided // In this case, the buffer is a stack allocated array of 10 characters plus space for the null terminator + ESP_EARLY_LOGI(TAG, "Trying to read the NVS partition correctly"); + nvs_bootloader_read_list_t good_read_list[] = { { .namespace_name = "sunny_day", .key_name = "u8", .value_type = NVS_TYPE_U8 }, { .namespace_name = "sunny_day", .key_name = "i32", .value_type = NVS_TYPE_I32 }, { .namespace_name = "cloudy_day", .key_name = "i8", .value_type = NVS_TYPE_I8 }, // mixed in different namespace { .namespace_name = "sunny_day", .key_name = "u16", .value_type = NVS_TYPE_U16 }, - { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff, .buff_len = STR_BUFF_LEN } } + { .namespace_name = "sunny_day", .key_name = "string_10_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff_10, .buff_len = STR_BUFF_LEN_10 } }, + { .namespace_name = "sunny_day", .key_name = "string_66_chars", .value_type = NVS_TYPE_STR, .value.str_val = { .buff_ptr = str_buff_66, .buff_len = STR_BUFF_LEN_66 } } }; size_t good_read_list_count = sizeof(good_read_list) / sizeof(good_read_list[0]); - log_request_call_read_evaluate_output(nvs_partition_label, good_read_list, good_read_list_count); + log_request_call_read_evaluate_output(nvs_partition_label, good_read_list, good_read_list_count, sec_cfg); + +#if CONFIG_NVS_ENCRYPTION + nvs_bootloader_secure_deinit(); +#endif /* CONFIG_NVS_ENCRYPTION */ ESP_LOGI(TAG, "Finished bootloader part"); } diff --git a/examples/storage/nvs_bootloader/main/CMakeLists.txt b/examples/storage/nvs_bootloader/main/CMakeLists.txt index d8d0fb7a76..47e59caa22 100644 --- a/examples/storage/nvs_bootloader/main/CMakeLists.txt +++ b/examples/storage/nvs_bootloader/main/CMakeLists.txt @@ -1,3 +1,13 @@ idf_component_register(SRCS "bootloader_hooks_example_main.c" INCLUDE_DIRS ".") -nvs_create_partition_image(nvs ../nvs_data.csv FLASH_IN_PROJECT) + +if(NOT CONFIG_NVS_ENCRYPTION) + nvs_create_partition_image(nvs ../nvs_data.csv FLASH_IN_PROJECT) +else() + if(CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC) + esptool_py_flash_to_partition(flash "nvs_key" ${PROJECT_DIR}/main/encryption_keys.bin) + esptool_py_flash_to_partition(flash "nvs" ${PROJECT_DIR}/main/nvs_encrypted.bin) + else() # NVS Encryption using HMAC (CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC) + esptool_py_flash_to_partition(flash "nvs" ${PROJECT_DIR}/main/nvs_encrypted_hmac.bin) + endif() +endif() diff --git a/examples/storage/nvs_bootloader/main/encryption_keys.bin b/examples/storage/nvs_bootloader/main/encryption_keys.bin new file mode 100644 index 0000000000..9ef4439d8c --- /dev/null +++ b/examples/storage/nvs_bootloader/main/encryption_keys.bin @@ -0,0 +1 @@ +"""""""""""""""""""""""""""""""",ïÏ<ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ \ No newline at end of file diff --git a/examples/storage/nvs_bootloader/main/nvs_enc_hmac_key.bin b/examples/storage/nvs_bootloader/main/nvs_enc_hmac_key.bin new file mode 100644 index 0000000000..2ea3dec3e1 --- /dev/null +++ b/examples/storage/nvs_bootloader/main/nvs_enc_hmac_key.bin @@ -0,0 +1,2 @@ + +  \ No newline at end of file diff --git a/examples/storage/nvs_bootloader/main/nvs_encrypted.bin b/examples/storage/nvs_bootloader/main/nvs_encrypted.bin new file mode 100644 index 0000000000000000000000000000000000000000..890d720300b95e6b407d5536310af374121b0207 GIT binary patch literal 24576 zcmezK|Nnmm1_p+I|1m*}?yjAyR;_x4DT5GMv86_WH)on|hIXpWn=7B{ZhTxCeA!QM zkxbzCv;WpjOP#o^CRydSSlRNLkEeBv4I?=WrrdC6`l(vzZ_ym&yrwx;X*G|GbOEn( zqHQW`uSvkq&(pv0?rgMeUud6q-8fW3k)?MnmLB>xB2@eKKJw4wyT=Cm>>|Fgtnk%Do+rE>m zkEZ6y@BKEXjDvMm`KHbaKhKIh)lF~IZzu6Cwtl&(&MCBaLUj_?+{b@b^l$oc!{y(M zrW^B)nJ4R9$u0`^TOG4C*Uj2GYgYG&d*{k zpSEj4;l&RIPyHKy6|RV24cfh!dG49R2^r9`h}RvfoDCJ{kg}Aut*OqaiRF0;3@?8UmvsFd71*Aut*OqaiRF0;3@S z2?0?5p9x3*zx!ch0z}m)IT`|^Aut*OqaiRF0;3@?8UmvsFd71*Aut*OqaiRF0;3@? zltTd2|7XV0|6kLx$ literal 0 HcmV?d00001 diff --git a/examples/storage/nvs_bootloader/main/nvs_encrypted_hmac.bin b/examples/storage/nvs_bootloader/main/nvs_encrypted_hmac.bin new file mode 100644 index 0000000000000000000000000000000000000000..e413d5108e783e9c5c695a09fd9fe1ec4bdec859 GIT binary patch literal 24576 zcmezK|Nnmm1_p+I|1m*}?yjAyR;_x4DT5GU-2KS*NY2C8rMbHj=149UK6&)*GV|jC zyVisjij<_jlsK&VXUR;FvhWnO&O>>JpBtS_-1}$RAE9>Xp3}brb>1#&bcx<5{F(kz|EwXvWTr=sQ!PN~6W(};#s}Gl-vM{_fYjxGk0`>(# zUiGgXU!PV{+#P!S-LDlJT{Xmc7EVphd>ZMrzFKIVy6odRJM|rJ_JyQ9Wh-PBWb-*A zTUQiiz3;2E>FU?*-TX%JUz4RXF2xmg25!xmuGd<#^|pMO-nj|B9D5rxqa@=cr%t<; zwus@eO8D!F%$YwN>omN@=JAE8w|@0n9I}4i+3$I?R)0RDI{W&q+^_$Yovyx=RC8GQ z$5>|9^G!EbzR2g<%W||$HtW|eF5QJISRHq-(PDLya8f_|=a$ClH??I6d&E9$2=DEl z&YJZyr7U%$b^wFcEaMNA2PQO?OjeAzAYIFRefLbYP1c^jYi(p@7_^u-9yxOT@cwNQ zVzz>TXEiLEC5|^gU1#UBxbDp&pT1cYash81I9~43U4GPhuGn>5ou#j@$y{8=AhmFc z&9h5i*FBv7^lRjT`gQ!_M_;b{qj*VIdTr*>j!kCQ-`MV2ZFA=p(@fJRvmP( None: # Expect to read hooks messages and data from NVS partition dut.expect_exact('Before reading from NVS partition') + dut.expect_exact('Result data. Return code: ESP_OK') + dut.expect_exact('u8 U8 255') + dut.expect_exact('i32 I32 -2147483648') + dut.expect_exact('i8 I8 -13') + dut.expect_exact('u16 U16 65535') + dut.expect_exact('string_10_chars STR Text_67890') + dut.expect_exact('string_66_chars STR Text_67890_Text_67890_Text_67890_0_Text_67890_Text_67890_Text_6789') dut.expect_exact('Finished bootloader part') dut.expect_exact('User application is loaded and running.') + + +@pytest.mark.esp32c3 +@pytest.mark.nvs_encr_hmac +@pytest.mark.parametrize('config', ['nvs_enc_hmac'], indirect=True) +def test_nvs_bootloader_example_nvs_encr_hmac(dut: Dut) -> None: + test_nvs_bootloader_example(dut) + + +@pytest.mark.esp32 +@pytest.mark.esp32c3 +@pytest.mark.flash_encryption +@pytest.mark.parametrize('config', ['nvs_enc_flash_enc'], indirect=True) +def test_nvs_bootloader_example_flash_enc(dut: Dut) -> None: + test_nvs_bootloader_example(dut) diff --git a/examples/storage/nvs_bootloader/sdkconfig.ci.default b/examples/storage/nvs_bootloader/sdkconfig.ci.default new file mode 100644 index 0000000000..e69de29bb2 diff --git a/examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_flash_enc b/examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_flash_enc new file mode 100644 index 0000000000..34dc45f65a --- /dev/null +++ b/examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_flash_enc @@ -0,0 +1,13 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y + +CONFIG_PARTITION_TABLE_SINGLE_APP_ENCRYPTED_NVS=y diff --git a/examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_hmac b/examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_hmac new file mode 100644 index 0000000000..b0b02f4a85 --- /dev/null +++ b/examples/storage/nvs_bootloader/sdkconfig.ci.nvs_enc_hmac @@ -0,0 +1,12 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC=y +CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID=0 diff --git a/examples/storage/nvs_bootloader/sdkconfig.defaults b/examples/storage/nvs_bootloader/sdkconfig.defaults index bb48f6522e..5b4203d232 100644 --- a/examples/storage/nvs_bootloader/sdkconfig.defaults +++ b/examples/storage/nvs_bootloader/sdkconfig.defaults @@ -1,4 +1,4 @@ # The size of bootloader has been increased, so the partition table offset needs adjustment -CONFIG_PARTITION_TABLE_OFFSET=0xA000 +CONFIG_PARTITION_TABLE_OFFSET=0xB000 CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y CONFIG_BOOTLOADER_LOG_LEVEL=2 diff --git a/examples/storage/nvs_bootloader/sdkconfig.defaults.esp32c2 b/examples/storage/nvs_bootloader/sdkconfig.defaults.esp32c2 new file mode 100644 index 0000000000..5e3a3c88f4 --- /dev/null +++ b/examples/storage/nvs_bootloader/sdkconfig.defaults.esp32c2 @@ -0,0 +1,2 @@ +CONFIG_IDF_TARGET="esp32c2" +CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER=y