From 6ceee165b5e6bbe9e1d4297f34a754978c7493a9 Mon Sep 17 00:00:00 2001
From: negativekelvin
Date: Fri, 29 Jan 2021 08:36:36 -0700
Subject: [PATCH 1/2] Fix nvs_flash_generate_keys
Merges https://github.com/espressif/esp-idf/pull/6478
---
 components/nvs_flash/src/nvs_api.cpp | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/components/nvs_flash/src/nvs_api.cpp b/components/nvs_flash/src/nvs_api.cpp
index 648ead9157..1d53948ca8 100644
--- a/components/nvs_flash/src/nvs_api.cpp
+++ b/components/nvs_flash/src/nvs_api.cpp
@@ -571,16 +571,24 @@ extern "C" esp_err_t nvs_flash_generate_keys(const esp_partition_t* partition, n
 }
 for(uint8_t cnt = 0; cnt < NVS_KEY_SIZE; cnt++) {
- cfg->eky[cnt] = 0xff;
- cfg->tky[cnt] = 0xee;
+ /* Adjacent 16-byte blocks should be different */
+ if (((cnt / 16) & 1) == 0) {
+ cfg->eky[cnt] = 0xff;
+ cfg->tky[cnt] = 0xee;
+ } else {
+ cfg->eky[cnt] = 0x99;
+ cfg->tky[cnt] = 0x88;
+ }
 }
-
- err = esp_partition_write(partition, 0, cfg->eky, NVS_KEY_SIZE);
+
+ /* Write without encryption */
+ err = esp_partition_write_raw(partition, 0, cfg->eky, NVS_KEY_SIZE);
 if(err != ESP_OK) {
 return err;
 }
-
- err = esp_partition_write(partition, NVS_KEY_SIZE, cfg->tky, NVS_KEY_SIZE);
+
+ /* Write without encryption */
+ err = esp_partition_write_raw(partition, NVS_KEY_SIZE, cfg->tky, NVS_KEY_SIZE);
 if(err != ESP_OK) {
 return err;
 }
From a69737787152fa101d433b00a83b8f1db19481c1 Mon Sep 17 00:00:00 2001
From: Jakob Hasse
Date: Mon, 1 Feb 2021 11:35:19 +0800
Subject: [PATCH 2/2] [doc]: elaborated nvs encryption comments in nvs
---
 components/nvs_flash/src/nvs_api.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/components/nvs_flash/src/nvs_api.cpp b/components/nvs_flash/src/nvs_api.cpp
index 1d53948ca8..3a2a3495b6 100644
--- a/components/nvs_flash/src/nvs_api.cpp
+++ b/components/nvs_flash/src/nvs_api.cpp
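Review bot: Nothing in the hunk of PATCH 1/2 checks that reads of `partition` will actually pass through flash decryption before the fixed 0xff/0xee/0x99/0x88 pattern is written with `esp_partition_write_raw`. If flash encryption is disabled or the partition is not marked encrypted, the pattern would presumably be read back unchanged, so the NVS keys would be publicly known constants on every device. `nvs_flash_generate_keys` starts above the hunk, so such a guard may already exist; if it does not, consider something like `if (!esp_flash_encryption_enabled() || !partition->encrypted) return ESP_ERR_NOT_SUPPORTED;` before the loop. The comment on the alternation should also give the reason, e.g. `/* Alternate the pattern every 16 bytes so adjacent AES blocks do not decrypt to identical key halves */`, if that is the intent.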
@@ -580,14 +580,18 @@ extern "C" esp_err_t nvs_flash_generate_keys(const esp_partition_t* partition, n
 cfg->tky[cnt] = 0x88;
 }
 }
-
- /* Write without encryption */
+
+ /**
+ * Write key configuration without encryption engine (using raw partition write APIs).
+ * But the read is decrypted through flash encryption engine. This allows unique NVS encryption configuration,
+ * as flash encryption key is randomly generated per device.
+ */
 err = esp_partition_write_raw(partition, 0, cfg->eky, NVS_KEY_SIZE);
 if(err != ESP_OK) {
 return err;
 }
-
- /* Write without encryption */
+
+ /* Write without encryption, see note above */
 err = esp_partition_write_raw(partition, NVS_KEY_SIZE, cfg->tky, NVS_KEY_SIZE);
 if(err != ESP_OK) {
 return err;
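Review bot: The new block comment opens with `/**`, which is doc-comment syntax, but it sits inside the function body; a plain `/*` keeps documentation tooling from attaching it to a neighbouring declaration. The text also leaves the security property implicit: the bytes written are a fixed pattern, so the secrecy and uniqueness of the resulting NVS keys rest entirely on the device's flash encryption key. I would state that together with the precondition, e.g. `* The written bytes are a fixed pattern; the keys read back are only secret and device-unique when flash encryption is enabled with a per-device key.` The function body begins and ends outside the hunk.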