diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 2855441d6a..6ffbf68aac 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -832,7 +832,6 @@ menu "Security features" bool "Enable flash encryption on boot (READ DOCS FIRST)" default N select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE - select NVS_ENCRYPTION help If this option is set, flash contents will be encrypted by the bootloader on first boot. diff --git a/components/nvs_flash/test_apps/main/test_nvs.c b/components/nvs_flash/test_apps/main/test_nvs.c index 45abee6831..4b34e5bddf 100644 --- a/components/nvs_flash/test_apps/main/test_nvs.c +++ b/components/nvs_flash/test_apps/main/test_nvs.c @@ -97,12 +97,6 @@ TEST_CASE("nvs_flash_init_partition_ptr() works correctly", "[nvs]") } #ifdef CONFIG_SOC_HMAC_SUPPORTED -/* TODO: This test does not run in CI as the runner assigned has - * flash encryption enabled by default. Enabling flash encryption - * 'selects' NVS encryption; a new runner needs to be setup - * for testing the HMAC NVS encryption scheme without flash encryption - * enabled for this test. - */ TEST_CASE("test nvs encryption with HMAC-based scheme without toggling any config options", "[nvs_encr_hmac]") { nvs_handle_t handle; diff --git a/components/nvs_flash/test_apps/pytest_nvs_flash.py b/components/nvs_flash/test_apps/pytest_nvs_flash.py index 1da98e2da0..174664912e 100644 --- a/components/nvs_flash/test_apps/pytest_nvs_flash.py +++ b/components/nvs_flash/test_apps/pytest_nvs_flash.py @@ -26,6 +26,13 @@ def test_nvs_flash_encr_hmac(dut: IdfDut) -> None: dut.run_all_single_board_cases() +@pytest.mark.esp32c3 +@pytest.mark.nvs_encr_hmac +@pytest.mark.parametrize('config', ['nvs_encr_hmac_no_cfg_esp32c3'], indirect=True) +def test_nvs_flash_encr_hmac_no_cfg(dut: IdfDut) -> None: + dut.run_all_single_board_cases(group='nvs_encr_hmac', timeout=120) + + @pytest.mark.flash_encryption @pytest.mark.parametrize('config', CONFIGS_NVS_ENCR_FLASH_ENC, indirect=True) def test_nvs_flash_encr_flash_enc(dut: IdfDut) -> None: diff --git a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 new file mode 100644 index 0000000000..6d5be69e26 --- /dev/null +++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 @@ -0,0 +1,22 @@ +# Restricting to ESP32C3 +CONFIG_IDF_TARGET="esp32c3" + +# NOTE: The runner for this test-app has flash-encryption enabled +# Partition Table +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_OFFSET=0x9000 + +# Enabling Flash Encryption +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Disabling NVS encryption +CONFIG_NVS_ENCRYPTION=n diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst index e9fbaeaa05..ef061b2c33 100644 --- a/docs/en/api-reference/storage/nvs_encryption.rst +++ b/docs/en/api-reference/storage/nvs_encryption.rst @@ -20,7 +20,13 @@ NVS Encryption: Flash Encryption-Based Scheme In this scheme, the keys required for NVS encryption are stored in yet another partition, which is protected using :doc:`Flash Encryption <../../security/flash-encryption>`. Therefore, enabling :doc:`Flash Encryption <../../security/flash-encryption>` becomes a prerequisite for NVS encryption here. -NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled. +.. only:: SOC_HMAC_SUPPORTED + + NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform-level encryption is already enabled. + +.. only:: not SOC_HMAC_SUPPORTED + + NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform-level encryption is already enabled. For using NVS encryption using this scheme, the partition table must contain the :ref:`nvs_encr_key_partition`. Two partition tables containing the :ref:`nvs_encr_key_partition` are provided for NVS encryption under the partition table option (``menuconfig`` > ``Partition Table``). They can be selected with the project configuration menu (``idf.py menuconfig``). Please refer to the example :example:`security/flash_encryption` for how to configure and use the NVS encryption feature. diff --git a/docs/en/migration-guides/release-5.x/5.2/index.rst b/docs/en/migration-guides/release-5.x/5.2/index.rst index c497099d32..79168d8665 100644 --- a/docs/en/migration-guides/release-5.x/5.2/index.rst +++ b/docs/en/migration-guides/release-5.x/5.2/index.rst @@ -9,5 +9,6 @@ Migration from 5.1 to 5.2 gcc peripherals protocols + storage system wifi diff --git a/docs/en/migration-guides/release-5.x/5.2/storage.rst b/docs/en/migration-guides/release-5.x/5.2/storage.rst new file mode 100644 index 0000000000..31bda41700 --- /dev/null +++ b/docs/en/migration-guides/release-5.x/5.2/storage.rst @@ -0,0 +1,11 @@ +Storage +======= + +:link_to_translation:`zh_CN:[中文]` + +NVS Encryption +-------------- + +- For SoCs with the HMAC peripheral (``SOC_HMAC_SUPPORTED``), turning on :doc:`../../../security/flash-encryption` will no longer automatically turn on :doc:`../../../api-reference/storage/nvs_encryption`. +- You will need to explicitly turn on NVS encryption and select the required scheme (flash encryption-based or HMAC peripheral-based). You can select the HMAC peripheral-based scheme (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`), even if flash encryption is not enabled. +- SoCs without the HMAC peripheral will still automatically turn on NVS encryption when flash encryption is enabled. diff --git a/docs/zh_CN/api-reference/storage/nvs_encryption.rst b/docs/zh_CN/api-reference/storage/nvs_encryption.rst index 589dfb143e..a5fb700845 100644 --- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst +++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst @@ -20,7 +20,13 @@ NVS 加密:基于 flash 加密的方案 在这个方案中,NVS 加密所需的密钥存储在另一个分区中,该分区用 :doc:`../../security/flash-encryption` 进行保护。因此,使用该方案时,必须先启用 :doc:`../../security/flash-encryption`。 -启用 :doc:`../../security/flash-encryption` 时,默认启用 NVS 加密。这是因为 Wi-Fi 驱动程序会将凭证(如 SSID 和密码)储存在默认的 NVS 分区中。如已启用平台级加密,那么同时默认启用 NVS 加密有其必要性。 +.. only:: SOC_HMAC_SUPPORTED + + 启用 :doc:`../../security/flash-encryption` 时需同时启用 NVS 加密,因为 Wi-Fi 驱动程序会将凭据(如 SSID 和密码)储存在默认的 NVS 分区中。如已启用平台级加密,那么则需要同时启用 NVS 加密。 + +.. only:: not SOC_HMAC_SUPPORTED + + 启用 :doc:`../../security/flash-encryption` 时,默认启用 NVS 加密。这是因为 Wi-Fi 驱动程序会将凭据(如 SSID 和密码)储存在默认的 NVS 分区中。如已启用平台级加密,那么则需要同时默认启用 NVS 加密。 要用这一方案进行 NVS 加密,分区表中必须包含 :ref:`nvs_encr_key_partition`。在分区表选项 ( ``menuconfig`` > ``Partition Table`` ) 中,有两个包含 :ref:`nvs_encr_key_partition` 的分区表,可通过项目配置菜单 ( ``idf.py menuconfig``) 进行选择。要了解如何配置和使用 NVS 加密功能,请参考示例 :example:`security/flash_encryption`。 diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst index 3e1477075a..239b91a7ca 100644 --- a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst +++ b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst @@ -9,5 +9,6 @@ gcc peripherals protocols + storage system wifi diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst new file mode 100644 index 0000000000..0173765c92 --- /dev/null +++ b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst @@ -0,0 +1,11 @@ +存储 +==== + +:link_to_translation:`en:[English]` + +NVS 加密 +-------- + +- 在集成 HMAC 外设 (``SOC_HMAC_SUPPORTED``) 的 SoC 上,启用 :doc:`../../../security/flash-encryption` 时将不再自动启用 :doc:`../../../api-reference/storage/nvs_encryption`。 +- 因此需显式启用 NVS 加密,并按照需要选择基于 flash 加密或基于 HMAC 外设的方案。即使未启用 flash 加密,也可选择基于 HMAC 外设的方案 (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`)。 +- 启用 flash 加密后,未集成 HMAC 外设的 SoC 仍会自动启用 NVS 加密。