From 5b17375acaf3915abfd6151b97a9537ff721a74c Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Thu, 2 Jan 2025 14:54:42 +0530 Subject: [PATCH] test(nvs_flash): Extend the nvs_flash test app to support encrypted NVS reads --- components/nvs_flash/.build-test-rules.yml | 5 + .../test_apps_bootloader/main/CMakeLists.txt | 17 +- .../main/encryption_keys.bin | 1 + .../main/nvs_enc_hmac_key.bin | 2 + .../main/nvs_partition.bin | Bin 0 -> 24576 bytes .../main/partition_encrypted.bin | Bin 0 -> 24576 bytes .../main/partition_encrypted_hmac.bin | Bin 0 -> 24576 bytes .../main/test_encrypted_nvs_bootloader.c | 198 ++++++++++++++++++ .../pytest_nvs_bootloader_support.py | 32 ++- .../sdkconfig.ci.nvs_enc_flash_enc | 15 ++ .../sdkconfig.ci.nvs_enc_hmac | 15 ++ .../sdkconfig.ci.nvs_enc_hmac_no_cfg | 12 ++ .../sdkconfig.defaults.esp32c2 | 2 + 13 files changed, 293 insertions(+), 6 deletions(-) create mode 100644 components/nvs_flash/test_apps_bootloader/main/encryption_keys.bin create mode 100644 components/nvs_flash/test_apps_bootloader/main/nvs_enc_hmac_key.bin create mode 100644 components/nvs_flash/test_apps_bootloader/main/nvs_partition.bin create mode 100644 components/nvs_flash/test_apps_bootloader/main/partition_encrypted.bin create mode 100644 components/nvs_flash/test_apps_bootloader/main/partition_encrypted_hmac.bin create mode 100644 components/nvs_flash/test_apps_bootloader/main/test_encrypted_nvs_bootloader.c create mode 100644 components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_flash_enc create mode 100644 components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac create mode 100644 components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac_no_cfg create mode 100644 components/nvs_flash/test_apps_bootloader/sdkconfig.defaults.esp32c2 diff --git a/components/nvs_flash/.build-test-rules.yml b/components/nvs_flash/.build-test-rules.yml index cdfd738050..e939aa9bbd 100644 --- a/components/nvs_flash/.build-test-rules.yml +++ b/components/nvs_flash/.build-test-rules.yml @@ -21,5 +21,10 @@ components/nvs_flash/test_apps_bootloader: - spi_flash - nvs_flash - esp_partition + disable: + - if: CONFIG_NAME == "nvs_enc_flash_enc" and (SOC_AES_SUPPORTED != 1 and ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB != 1) + - if: (CONFIG_NAME == "nvs_enc_hmac" or CONFIG_NAME == "nvs_enc_hmac_no_cfg") and (SOC_HMAC_SUPPORTED != 1 or (SOC_HMAC_SUPPORTED == 1 and (SOC_AES_SUPPORTED != 1 and ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB != 1))) + + reason: As of now in such cases, we do not have any way to perform AES operations in the bootloader build disable_test: - if: IDF_TARGET not in ["esp32", "esp32c3"] diff --git a/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt b/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt index 978ea7e30f..18179a483d 100644 --- a/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt +++ b/components/nvs_flash/test_apps_bootloader/main/CMakeLists.txt @@ -1,6 +1,19 @@ -idf_component_register(SRCS "test_app_main.c" "test_nvs_bootloader.c" +set(srcs "test_app_main.c" "test_nvs_bootloader.c") +set(embed_txtfiles "") + +if(CONFIG_NVS_ENCRYPTION OR SOC_HMAC_SUPPORTED) + list(APPEND srcs "test_encrypted_nvs_bootloader.c") + list(APPEND embed_txtfiles "nvs_partition.bin" "partition_encrypted.bin" "partition_encrypted_hmac.bin") +endif() + +if(CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC) + list(APPEND embed_txtfiles "encryption_keys.bin") +endif() + +idf_component_register(SRCS "${srcs}" INCLUDE_DIRS "." - REQUIRES unity nvs_flash + REQUIRES unity nvs_flash nvs_sec_provider bootloader_support + EMBED_TXTFILES "${embed_txtfiles}" WHOLE_ARCHIVE ) diff --git a/components/nvs_flash/test_apps_bootloader/main/encryption_keys.bin b/components/nvs_flash/test_apps_bootloader/main/encryption_keys.bin new file mode 100644 index 0000000000..9ef4439d8c --- /dev/null +++ b/components/nvs_flash/test_apps_bootloader/main/encryption_keys.bin @@ -0,0 +1 @@ +"""""""""""""""""""""""""""""""",ïÏ<ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ \ No newline at end of file diff --git a/components/nvs_flash/test_apps_bootloader/main/nvs_enc_hmac_key.bin b/components/nvs_flash/test_apps_bootloader/main/nvs_enc_hmac_key.bin new file mode 100644 index 0000000000..2ea3dec3e1 --- /dev/null +++ b/components/nvs_flash/test_apps_bootloader/main/nvs_enc_hmac_key.bin @@ -0,0 +1,2 @@ + +  \ No newline at end of file diff --git a/components/nvs_flash/test_apps_bootloader/main/nvs_partition.bin b/components/nvs_flash/test_apps_bootloader/main/nvs_partition.bin new file mode 100644 index 0000000000000000000000000000000000000000..b00ed0c96226ac607b3a6e3b1aa8b1d8378d36a8 GIT binary patch literal 24576 zcmezK|Nnmm1_p+I|1m*}?yjAyR;~JlDT5GUU}XHyxiWygxFo+QF+CMz6c{r?l`t|g z{`b8S=v-mI4z{>Hmy^jQ@Wqny$%2lW%}3U}R$aKcl8%QmLUCiUCmR|BNh* z|Fmnp~1vQd*>tn37qLS)81im#&bSlUbt2 z_52#kinXb6mk zz-S1JhQMeDjE2By2#kinXb6mkz-S1JhQMeDjE2By2#kinXb6mkz-S1JhQMeDjE2By T2#kinXb6mkz-R~z^$-96MzwKI literal 0 HcmV?d00001 diff --git a/components/nvs_flash/test_apps_bootloader/main/partition_encrypted.bin b/components/nvs_flash/test_apps_bootloader/main/partition_encrypted.bin new file mode 100644 index 0000000000000000000000000000000000000000..8d34e7031bbf1666e1353a505b5e425e159c5d7b GIT binary patch literal 24576 zcmezK|Nnmm1_p+I|1m*}?yjAyR;~JlDT5FZu35BF;)iL#ng^woZ~ii!V0}MTc8gkH ziLvRPiG3DP;`UpfNF?!l8=d;0CcWUeoOGa+AeRuHfLE zHU9eCYbGZB{5<^|@6JZs_J#I&*NsD!=A=m6dDrTfQ2KVxq6oer|RTrP8MEo;vR^|H2O$PFI4I8>Qx1pJd$mu>MZy5qF;Q>pGnh z`LiY;W;^S&kiGVT+r-{m`9IYcZVx%P zzbT}|FE>9IcRc~)Mkh11hIC7snTygz8M8fUNmo_y<8 zvZ1G3fXM@99;-W->k`e<6?s;C-l(O{w*M_t`esKy-$1uzPhW1AYSUtm&$PWceOCRf zry3QfJtXI^tMay4t|*b{ncZU)qQxk?jhrA*;kg^8uHCCv#j59B_{XB zjC))Y0u+`1vz+^>oUe0@okN%J(x;{Cqx4QD?)@|Ek5IdG&*|TRI&T-9%)K3}VE3k5 zx;o@S=ZlVwWo#J@GZF)t*QdQ_TV(T$`D?NAgxF0JFYUILO7U4H8)SHC*6OO61?&rg zyy{;&zCOJpT3!8jr0C)wH)lWcTFiC#{adrS>1o*q79p>|x8~*T!&z74!d6@=xiHWDrszY%C-?1VCwb10D)f2v+juwIn&wrTbP7*p z_g=Hw=ce#|x1y|E!;`A&@V!PCcekC{^lYw$`0gzSj#QsqeNVy9^5S=iH&to;_L~!D zSzJ5%xJC8gPSz>e_nFqTc5zN9UH&)dc!bFLV+VOnzxv7DpTxj%<%HTwmuu!{oG;z{ z&+?+JS@opNZOIz@bEi@Y)ZXPjEO~uxWxe~Qr@S{A{@L0bU;OyW)i}umv*h14b$)DE zrtmA2Z3@#8&Z?4kHz&7k47qUJcKxQQl6n(2=jHa>Ec;Y@l+EK<>1O}>jwQtog|@fE zFK!NeqTo@!Hr2+Hd0VFUm1mbY_0R90v_aJANYau6YL^f(Im#Lhfzc2c4S~@R7!85Z z5Eu=C(GVC7fzc2c4S~@R7|tO8>i;w1=>ISFm~Szh{XXiq(GVC7fzc2c4S~@R7!85Z z5Eu=C(GVC7fzc2c4S~@R7%3qD>i;w0=>K;=Y)lv_;V|mY(GVC7fzc2c4S~@R7!85Z z5Eu=C(GVC7fzc2c4S~@R7|tO8>i;w2=>M;2S@Li=`+d}JqaiRF0;3@?8UmvsFd71* zAut*OqaiRF0;3@?8UmvsFj7JQ)c +#include +#include +#include + +#include "esp_err.h" +#include "esp_flash_encrypt.h" +#include "esp_partition.h" +#include "nvs_sec_provider.h" +#include "unity.h" + +#include "nvs_bootloader.h" + +static esp_err_t configure_nvs_sec_cfg(nvs_sec_cfg_t *cfg, nvs_sec_scheme_t **sec_scheme_handle) +{ + const esp_partition_t* nvs_part = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL); + TEST_ASSERT(nvs_part && "partition table must have an NVS partition"); + printf("\n nvs_part size:%" PRId32 "\n", nvs_part->size); + ESP_ERROR_CHECK(esp_partition_erase_range(nvs_part, 0, nvs_part->size)); + +#if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC + if (!esp_flash_encryption_enabled()) { + TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); + } + + extern const char nvs_key_start[] asm("_binary_encryption_keys_bin_start"); + extern const char nvs_key_end[] asm("_binary_encryption_keys_bin_end"); + extern const char nvs_data_sch0_start[] asm("_binary_partition_encrypted_bin_start"); + extern const char nvs_data_sch0_end[] asm("_binary_partition_encrypted_bin_end"); + + const esp_partition_t* key_part = esp_partition_find_first( + ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL); + + assert(key_part && "partition table must have a KEY partition"); + TEST_ASSERT_TRUE((nvs_key_end - nvs_key_start - 1) == key_part->erase_size); + + ESP_ERROR_CHECK(esp_partition_erase_range(key_part, 0, key_part->size)); + + for (int i = 0; i < key_part->size; i+= key_part->erase_size) { + ESP_ERROR_CHECK( esp_partition_write(key_part, i, nvs_key_start + i, key_part->erase_size) ); + } + + const int content_size = nvs_data_sch0_end - nvs_data_sch0_start - 1; + TEST_ASSERT_TRUE((content_size % key_part->erase_size) == 0); + + const int size_to_write = MIN(content_size, nvs_part->size); + for (int i = 0; i < size_to_write; i+= nvs_part->erase_size) { + ESP_ERROR_CHECK( esp_partition_write(nvs_part, i, nvs_data_sch0_start + i, nvs_part->erase_size) ); + } + + nvs_sec_config_flash_enc_t sec_scheme_cfg = { + .nvs_keys_part = key_part + }; + + TEST_ESP_OK(nvs_sec_provider_register_flash_enc(&sec_scheme_cfg, sec_scheme_handle)); + return nvs_flash_read_security_cfg_v2(*sec_scheme_handle, cfg); + +#elif SOC_HMAC_SUPPORTED + extern const char nvs_data_sch1_start[] asm("_binary_partition_encrypted_hmac_bin_start"); + extern const char nvs_data_sch1_end[] asm("_binary_partition_encrypted_hmac_bin_end"); + + const int content_size = nvs_data_sch1_end - nvs_data_sch1_start - 1; + TEST_ASSERT_TRUE((content_size % nvs_part->erase_size) == 0); + + const int size_to_write = MIN(content_size, nvs_part->size); + for (int i = 0; i < size_to_write; i+= nvs_part->erase_size) { + ESP_ERROR_CHECK( esp_partition_write(nvs_part, i, nvs_data_sch1_start + i, nvs_part->erase_size) ); + } + +#ifndef CONFIG_NVS_ENCRYPTION + nvs_sec_config_hmac_t sec_scheme_cfg = { + .hmac_key_id = HMAC_KEY0, + }; +#else + nvs_sec_config_hmac_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_HMAC_DEFAULT(); +#endif /* CONFIG_NVS_ENCRYPTION */ + + TEST_ESP_OK(nvs_sec_provider_register_hmac(&sec_scheme_cfg, sec_scheme_handle)); + return nvs_flash_read_security_cfg_v2(*sec_scheme_handle, cfg); +#endif + + return ESP_FAIL; +} + +static void restore_nvs_partition(void) +{ + const esp_partition_t* nvs_part = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL); + TEST_ASSERT(nvs_part && "partition table must have an NVS partition"); + printf("\n nvs_part size:%" PRId32 "\n", nvs_part->size); + ESP_ERROR_CHECK(esp_partition_erase_range(nvs_part, 0, nvs_part->size)); + + extern const char nvs_data_start[] asm("_binary_nvs_partition_bin_start"); + extern const char nvs_data_end[] asm("_binary_nvs_partition_bin_end"); + + const int content_size = nvs_data_end - nvs_data_start - 1; + TEST_ASSERT_TRUE((content_size % nvs_part->erase_size) == 0); + + const int size_to_write = MIN(content_size, nvs_part->size); + for (int i = 0; i < size_to_write; i+= nvs_part->erase_size) { + ESP_ERROR_CHECK(esp_partition_write(nvs_part, i, nvs_data_start + i, nvs_part->erase_size)); + } +} + +TEST_CASE("Verify encrypted nvs bootloader read_list result_code and value if bootloader read is successful", "[nvs_encrypted_bootloader]") +{ + nvs_sec_cfg_t xts_cfg; + nvs_sec_scheme_t *sec_scheme_handle = NULL; + TEST_ESP_OK(configure_nvs_sec_cfg(&xts_cfg, &sec_scheme_handle)); + + nvs_bootloader_read_list_t read_list[] = { +// {namespace_name, key_name, value_type, result_code, value, namespace_index}} + { .namespace_name = "storage", .key_name = "u8_key", .value_type = NVS_TYPE_U8 }, //0 OK + { .namespace_name = "storage", .key_name = "u16_key", .value_type = NVS_TYPE_U16 }, //1 OK + { .namespace_name = "storage", .key_name = "u32_key", .value_type = NVS_TYPE_U32 }, //2 OK + { .namespace_name = "storage", .key_name = "i32_key", .value_type = NVS_TYPE_I32 }, //3 OK + { .namespace_name = "storage", .key_name = "i8_key", .value_type = NVS_TYPE_U8 }, //4 Type mismatch + { .namespace_name = "storage", .key_name = "i16_key", .value_type = NVS_TYPE_I16 }, //5 Not found + }; + uint8_t size = sizeof(read_list) / sizeof(read_list[0]); + + TEST_ESP_OK(nvs_bootloader_secure_init(&xts_cfg)); + TEST_ESP_OK(nvs_bootloader_read("nvs", size, read_list)); + nvs_bootloader_secure_deinit(); + + TEST_ASSERT_EQUAL(ESP_OK, read_list[0].result_code); + TEST_ASSERT_EQUAL(ESP_OK, read_list[1].result_code); + TEST_ASSERT_EQUAL(ESP_OK, read_list[2].result_code); + TEST_ASSERT_EQUAL(ESP_OK, read_list[3].result_code); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_TYPE_MISMATCH, read_list[4].result_code); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_NOT_FOUND, read_list[5].result_code); + + TEST_ASSERT_EQUAL(255, read_list[0].value.u8_val); + TEST_ASSERT_EQUAL(65535, read_list[1].value.u16_val); + TEST_ASSERT_EQUAL(4294967295, read_list[2].value.u32_val); + TEST_ASSERT_EQUAL(-2147483648, read_list[3].value.i32_val); + + TEST_ESP_OK(nvs_sec_provider_deregister(sec_scheme_handle)); + restore_nvs_partition(); +} + +TEST_CASE("Verify encrypted nvs bootloader read_list result_code if bootloader read fails", "[nvs_encrypted_bootloader]") +{ + nvs_sec_cfg_t xts_cfg; + nvs_sec_scheme_t *sec_scheme_handle = NULL; + TEST_ESP_OK(configure_nvs_sec_cfg(&xts_cfg, &sec_scheme_handle)); + + nvs_bootloader_read_list_t read_list[] = { +// {namespace_name, key_name, value_type, result_code, value, namespace_index}} + { .namespace_name = "too_long_namespace", .key_name = "i32_key", .value_type = NVS_TYPE_I32 }, //0 Invalid name + { .namespace_name = "nvs", .key_name = "too_long_key_name", .value_type = NVS_TYPE_I32 }, //1 Key too long + { .namespace_name = "nvs", .key_name = "str_key", .value_type = NVS_TYPE_BLOB }, //2 Invalid arg + { .namespace_name = "nvs", .key_name = "i32_key", .value_type = NVS_TYPE_I32 }, //3 Not found + }; + uint8_t size = sizeof(read_list) / sizeof(read_list[0]); + + TEST_ESP_OK(nvs_bootloader_secure_init(&xts_cfg)); + esp_err_t ret = nvs_bootloader_read("nvs", size, read_list); + + TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, ret); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_INVALID_NAME, read_list[0].result_code); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_KEY_TOO_LONG, read_list[1].result_code); + TEST_ASSERT_EQUAL(ESP_ERR_INVALID_ARG, read_list[2].result_code); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_NOT_FOUND, read_list[3].result_code); + + nvs_bootloader_secure_deinit(); + + TEST_ESP_OK(nvs_sec_provider_deregister(sec_scheme_handle)); + restore_nvs_partition(); +} + +TEST_CASE("Verify nvs_bootloader_read_encrypted failure cases", "[nvs_encrypted_bootloader]") +{ + nvs_sec_cfg_t xts_cfg; + nvs_sec_scheme_t *sec_scheme_handle = NULL; + TEST_ESP_OK(configure_nvs_sec_cfg(&xts_cfg, &sec_scheme_handle)); + + nvs_bootloader_read_list_t read_list[] = { +// {namespace_name, key_name, value_type, result_code, value, namespace_index}} + { "nvs", "i32_key", NVS_TYPE_I32, ESP_OK, {0}, 0} + }; + uint8_t size = sizeof(read_list) / sizeof(read_list[0]); + + TEST_ESP_OK(nvs_bootloader_secure_init(&xts_cfg)); + esp_err_t ret = nvs_bootloader_read("nvs_partition_name_too_long", size, read_list); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_INVALID_NAME, ret); + + ret = nvs_bootloader_read("nvs_part", size, read_list); + TEST_ASSERT_EQUAL(ESP_ERR_NVS_PART_NOT_FOUND, ret); + + nvs_bootloader_secure_deinit(); + TEST_ESP_OK(nvs_sec_provider_deregister(sec_scheme_handle)); + restore_nvs_partition(); +} diff --git a/components/nvs_flash/test_apps_bootloader/pytest_nvs_bootloader_support.py b/components/nvs_flash/test_apps_bootloader/pytest_nvs_bootloader_support.py index b7562bf5a0..b44656e19d 100644 --- a/components/nvs_flash/test_apps_bootloader/pytest_nvs_bootloader_support.py +++ b/components/nvs_flash/test_apps_bootloader/pytest_nvs_bootloader_support.py @@ -1,12 +1,36 @@ -# SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD -# SPDX-License-Identifier: CC0-1.0 +# SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD +# SPDX-License-Identifier: Apache-2.0 import pytest -from pytest_embedded import Dut +from pytest_embedded_idf.dut import IdfDut @pytest.mark.esp32 @pytest.mark.esp32c3 @pytest.mark.generic @pytest.mark.parametrize('config', ['default'], indirect=True) -def test_nvs_bootloader_support(dut: Dut) -> None: +def test_nvs_bootloader_support(dut: IdfDut) -> None: + dut.run_all_single_board_cases(group='!nvs_encrypted_bootloader', timeout=120) + + +@pytest.mark.esp32c3 +@pytest.mark.nvs_encr_hmac +@pytest.mark.parametrize('config', ['nvs_enc_hmac'], indirect=True) +def test_nvs_bootloader_support_encr_hmac(dut: IdfDut) -> None: + dut.run_all_single_board_cases() + + +@pytest.mark.esp32 +@pytest.mark.esp32c3 +@pytest.mark.flash_encryption +@pytest.mark.parametrize('config', ['nvs_enc_flash_enc'], indirect=True) +def test_nvs_bootloader_support_encr_flash_enc(dut: IdfDut) -> None: + # Erase the nvs_key partition + dut.serial.erase_partition('nvs_key') + dut.run_all_single_board_cases() + + +@pytest.mark.esp32c3 +@pytest.mark.nvs_encr_hmac +@pytest.mark.parametrize('config', ['nvs_enc_hmac_no_cfg'], indirect=True) +def test_nvs_bootloader_support_encr_hmac_no_cfg(dut: IdfDut) -> None: dut.run_all_single_board_cases() diff --git a/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_flash_enc b/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_flash_enc new file mode 100644 index 0000000000..13c6b00aaf --- /dev/null +++ b/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_flash_enc @@ -0,0 +1,15 @@ +# Enabling Flash Encryption +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Enabling NVS Encryption (Flash Encryption-based scheme) +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y + +CONFIG_PARTITION_TABLE_SINGLE_APP_ENCRYPTED_NVS=y diff --git a/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac b/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac new file mode 100644 index 0000000000..3f0d0fc27c --- /dev/null +++ b/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac @@ -0,0 +1,15 @@ +# NOTE: The runner for this test-app has flash-encryption enabled +# Enabling Flash Encryption +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Enabling NVS Encryption (HMAC-based scheme) +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC=y +CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID=0 diff --git a/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac_no_cfg b/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac_no_cfg new file mode 100644 index 0000000000..7541167a38 --- /dev/null +++ b/components/nvs_flash/test_apps_bootloader/sdkconfig.ci.nvs_enc_hmac_no_cfg @@ -0,0 +1,12 @@ +# NOTE: The runner for this test-app has flash-encryption enabled +# Enabling Flash Encryption +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +CONFIG_NVS_ENCRYPTION=n diff --git a/components/nvs_flash/test_apps_bootloader/sdkconfig.defaults.esp32c2 b/components/nvs_flash/test_apps_bootloader/sdkconfig.defaults.esp32c2 new file mode 100644 index 0000000000..5e3a3c88f4 --- /dev/null +++ b/components/nvs_flash/test_apps_bootloader/sdkconfig.defaults.esp32c2 @@ -0,0 +1,2 @@ +CONFIG_IDF_TARGET="esp32c2" +CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER=y