From ea51f4e2f7ec67ee0b60b94d3a600f7b92eb161e Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Tue, 21 Nov 2023 11:11:02 +0530 Subject: [PATCH 1/2] fix(nvs_flash): Remove the forceful selection of NVS_ENCRYPTION with flash encryption - This change will introduce a breaking change for SoCs with the HMAC peripheral. Turning on flash encryption will no longer enable NVS encryption automatically. Closes https://github.com/espressif/esp-idf/issues/12549 --- components/bootloader/Kconfig.projbuild | 1 - .../nvs_flash/test_apps/main/test_nvs.c | 6 ----- .../nvs_flash/test_apps/pytest_nvs_flash.py | 7 ++++++ .../sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 | 22 +++++++++++++++++++ .../api-reference/storage/nvs_encryption.rst | 8 ++++++- .../release-5.x/5.2/index.rst | 1 + .../release-5.x/5.2/storage.rst | 11 ++++++++++ .../release-5.x/5.2/index.rst | 1 + .../release-5.x/5.2/storage.rst | 1 + 9 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 create mode 100644 docs/en/migration-guides/release-5.x/5.2/storage.rst create mode 100644 docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index ccccee451b..acf65a932e 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -833,7 +833,6 @@ menu "Security features" bool "Enable flash encryption on boot (READ DOCS FIRST)" default N select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE - select NVS_ENCRYPTION help If this option is set, flash contents will be encrypted by the bootloader on first boot. diff --git a/components/nvs_flash/test_apps/main/test_nvs.c b/components/nvs_flash/test_apps/main/test_nvs.c index 45abee6831..4b34e5bddf 100644 --- a/components/nvs_flash/test_apps/main/test_nvs.c +++ b/components/nvs_flash/test_apps/main/test_nvs.c @@ -97,12 +97,6 @@ TEST_CASE("nvs_flash_init_partition_ptr() works correctly", "[nvs]") } #ifdef CONFIG_SOC_HMAC_SUPPORTED -/* TODO: This test does not run in CI as the runner assigned has - * flash encryption enabled by default. Enabling flash encryption - * 'selects' NVS encryption; a new runner needs to be setup - * for testing the HMAC NVS encryption scheme without flash encryption - * enabled for this test. - */ TEST_CASE("test nvs encryption with HMAC-based scheme without toggling any config options", "[nvs_encr_hmac]") { nvs_handle_t handle; diff --git a/components/nvs_flash/test_apps/pytest_nvs_flash.py b/components/nvs_flash/test_apps/pytest_nvs_flash.py index 1da98e2da0..174664912e 100644 --- a/components/nvs_flash/test_apps/pytest_nvs_flash.py +++ b/components/nvs_flash/test_apps/pytest_nvs_flash.py @@ -26,6 +26,13 @@ def test_nvs_flash_encr_hmac(dut: IdfDut) -> None: dut.run_all_single_board_cases() +@pytest.mark.esp32c3 +@pytest.mark.nvs_encr_hmac +@pytest.mark.parametrize('config', ['nvs_encr_hmac_no_cfg_esp32c3'], indirect=True) +def test_nvs_flash_encr_hmac_no_cfg(dut: IdfDut) -> None: + dut.run_all_single_board_cases(group='nvs_encr_hmac', timeout=120) + + @pytest.mark.flash_encryption @pytest.mark.parametrize('config', CONFIGS_NVS_ENCR_FLASH_ENC, indirect=True) def test_nvs_flash_encr_flash_enc(dut: IdfDut) -> None: diff --git a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 new file mode 100644 index 0000000000..6d5be69e26 --- /dev/null +++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_no_cfg_esp32c3 @@ -0,0 +1,22 @@ +# Restricting to ESP32C3 +CONFIG_IDF_TARGET="esp32c3" + +# NOTE: The runner for this test-app has flash-encryption enabled +# Partition Table +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_OFFSET=0x9000 + +# Enabling Flash Encryption +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Disabling NVS encryption +CONFIG_NVS_ENCRYPTION=n diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst index e9fbaeaa05..ae4fc04eed 100644 --- a/docs/en/api-reference/storage/nvs_encryption.rst +++ b/docs/en/api-reference/storage/nvs_encryption.rst @@ -20,7 +20,13 @@ NVS Encryption: Flash Encryption-Based Scheme In this scheme, the keys required for NVS encryption are stored in yet another partition, which is protected using :doc:`Flash Encryption <../../security/flash-encryption>`. Therefore, enabling :doc:`Flash Encryption <../../security/flash-encryption>` becomes a prerequisite for NVS encryption here. -NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled. +.. only:: SOC_HMAC_SUPPORTED + + NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform level encryption is already enabled. + +.. only:: not SOC_HMAC_SUPPORTED + + NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled. For using NVS encryption using this scheme, the partition table must contain the :ref:`nvs_encr_key_partition`. Two partition tables containing the :ref:`nvs_encr_key_partition` are provided for NVS encryption under the partition table option (``menuconfig`` > ``Partition Table``). They can be selected with the project configuration menu (``idf.py menuconfig``). Please refer to the example :example:`security/flash_encryption` for how to configure and use the NVS encryption feature. diff --git a/docs/en/migration-guides/release-5.x/5.2/index.rst b/docs/en/migration-guides/release-5.x/5.2/index.rst index c497099d32..79168d8665 100644 --- a/docs/en/migration-guides/release-5.x/5.2/index.rst +++ b/docs/en/migration-guides/release-5.x/5.2/index.rst @@ -9,5 +9,6 @@ Migration from 5.1 to 5.2 gcc peripherals protocols + storage system wifi diff --git a/docs/en/migration-guides/release-5.x/5.2/storage.rst b/docs/en/migration-guides/release-5.x/5.2/storage.rst new file mode 100644 index 0000000000..b8408f3b66 --- /dev/null +++ b/docs/en/migration-guides/release-5.x/5.2/storage.rst @@ -0,0 +1,11 @@ +Storage +======= + +:link_to_translation:`zh_CN:[中文]` + +NVS Encryption +-------------- + +- For SoCs with the HMAC peripheral (``SOC_HMAC_SUPPORTED``), turning on :doc:`Flash Encryption <../../../security/flash-encryption>` will no longer automatically turn on :doc:`NVS encryption <../../../api-reference/storage/nvs_encryption>`. +- You will need to explicitly turn on NVS encryption and select the required scheme (flash encryption-based or HMAC peripheral-based). You can select the HMAC peripheral-based scheme (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`), even if flash encryption is not enabled. +- SoCs without the HMAC peripheral will still automatically turn on NVS encryption when flash encryption is enabled. diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst index 3e1477075a..239b91a7ca 100644 --- a/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst +++ b/docs/zh_CN/migration-guides/release-5.x/5.2/index.rst @@ -9,5 +9,6 @@ gcc peripherals protocols + storage system wifi diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst new file mode 100644 index 0000000000..a7c49ffe7d --- /dev/null +++ b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst @@ -0,0 +1 @@ +.. include:: ../../../../en/migration-guides/release-5.x/5.2/storage.rst From dce37a8acc1c010eb1f66ea2245af431dbefe3ef Mon Sep 17 00:00:00 2001 From: Mo Fei Fei Date: Tue, 5 Dec 2023 18:43:23 +0800 Subject: [PATCH 2/2] Docs: Update CN translation for nvs_encryption.rst --- docs/en/api-reference/storage/nvs_encryption.rst | 4 ++-- docs/en/migration-guides/release-5.x/5.2/storage.rst | 2 +- docs/zh_CN/api-reference/storage/nvs_encryption.rst | 8 +++++++- .../migration-guides/release-5.x/5.2/storage.rst | 12 +++++++++++- 4 files changed, 21 insertions(+), 5 deletions(-) diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst index ae4fc04eed..ef061b2c33 100644 --- a/docs/en/api-reference/storage/nvs_encryption.rst +++ b/docs/en/api-reference/storage/nvs_encryption.rst @@ -22,11 +22,11 @@ In this scheme, the keys required for NVS encryption are stored in yet another p .. only:: SOC_HMAC_SUPPORTED - NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform level encryption is already enabled. + NVS encryption should be enabled when :doc:`../../security/flash-encryption` is enabled because the Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them if platform-level encryption is already enabled. .. only:: not SOC_HMAC_SUPPORTED - NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform level encryption is already enabled. + NVS encryption is enabled by default when :doc:`../../security/flash-encryption` is enabled. This is done because Wi-Fi driver stores credentials (like SSID and passphrase) in the default NVS partition. It is important to encrypt them as default choice if platform-level encryption is already enabled. For using NVS encryption using this scheme, the partition table must contain the :ref:`nvs_encr_key_partition`. Two partition tables containing the :ref:`nvs_encr_key_partition` are provided for NVS encryption under the partition table option (``menuconfig`` > ``Partition Table``). They can be selected with the project configuration menu (``idf.py menuconfig``). Please refer to the example :example:`security/flash_encryption` for how to configure and use the NVS encryption feature. diff --git a/docs/en/migration-guides/release-5.x/5.2/storage.rst b/docs/en/migration-guides/release-5.x/5.2/storage.rst index b8408f3b66..31bda41700 100644 --- a/docs/en/migration-guides/release-5.x/5.2/storage.rst +++ b/docs/en/migration-guides/release-5.x/5.2/storage.rst @@ -6,6 +6,6 @@ Storage NVS Encryption -------------- -- For SoCs with the HMAC peripheral (``SOC_HMAC_SUPPORTED``), turning on :doc:`Flash Encryption <../../../security/flash-encryption>` will no longer automatically turn on :doc:`NVS encryption <../../../api-reference/storage/nvs_encryption>`. +- For SoCs with the HMAC peripheral (``SOC_HMAC_SUPPORTED``), turning on :doc:`../../../security/flash-encryption` will no longer automatically turn on :doc:`../../../api-reference/storage/nvs_encryption`. - You will need to explicitly turn on NVS encryption and select the required scheme (flash encryption-based or HMAC peripheral-based). You can select the HMAC peripheral-based scheme (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`), even if flash encryption is not enabled. - SoCs without the HMAC peripheral will still automatically turn on NVS encryption when flash encryption is enabled. diff --git a/docs/zh_CN/api-reference/storage/nvs_encryption.rst b/docs/zh_CN/api-reference/storage/nvs_encryption.rst index 589dfb143e..a5fb700845 100644 --- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst +++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst @@ -20,7 +20,13 @@ NVS 加密:基于 flash 加密的方案 在这个方案中,NVS 加密所需的密钥存储在另一个分区中,该分区用 :doc:`../../security/flash-encryption` 进行保护。因此,使用该方案时,必须先启用 :doc:`../../security/flash-encryption`。 -启用 :doc:`../../security/flash-encryption` 时,默认启用 NVS 加密。这是因为 Wi-Fi 驱动程序会将凭证(如 SSID 和密码)储存在默认的 NVS 分区中。如已启用平台级加密,那么同时默认启用 NVS 加密有其必要性。 +.. only:: SOC_HMAC_SUPPORTED + + 启用 :doc:`../../security/flash-encryption` 时需同时启用 NVS 加密,因为 Wi-Fi 驱动程序会将凭据(如 SSID 和密码)储存在默认的 NVS 分区中。如已启用平台级加密,那么则需要同时启用 NVS 加密。 + +.. only:: not SOC_HMAC_SUPPORTED + + 启用 :doc:`../../security/flash-encryption` 时,默认启用 NVS 加密。这是因为 Wi-Fi 驱动程序会将凭据(如 SSID 和密码)储存在默认的 NVS 分区中。如已启用平台级加密,那么则需要同时默认启用 NVS 加密。 要用这一方案进行 NVS 加密,分区表中必须包含 :ref:`nvs_encr_key_partition`。在分区表选项 ( ``menuconfig`` > ``Partition Table`` ) 中,有两个包含 :ref:`nvs_encr_key_partition` 的分区表,可通过项目配置菜单 ( ``idf.py menuconfig``) 进行选择。要了解如何配置和使用 NVS 加密功能,请参考示例 :example:`security/flash_encryption`。 diff --git a/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst index a7c49ffe7d..0173765c92 100644 --- a/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst +++ b/docs/zh_CN/migration-guides/release-5.x/5.2/storage.rst @@ -1 +1,11 @@ -.. include:: ../../../../en/migration-guides/release-5.x/5.2/storage.rst +存储 +==== + +:link_to_translation:`en:[English]` + +NVS 加密 +-------- + +- 在集成 HMAC 外设 (``SOC_HMAC_SUPPORTED``) 的 SoC 上,启用 :doc:`../../../security/flash-encryption` 时将不再自动启用 :doc:`../../../api-reference/storage/nvs_encryption`。 +- 因此需显式启用 NVS 加密,并按照需要选择基于 flash 加密或基于 HMAC 外设的方案。即使未启用 flash 加密,也可选择基于 HMAC 外设的方案 (:ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`)。 +- 启用 flash 加密后,未集成 HMAC 外设的 SoC 仍会自动启用 NVS 加密。