feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

feat: enable flash encryption support for c5

Browse Source 
This commit provide support for flash encryption feature in ESP32C5
This commit is contained in:
nilesh.kale
2024-03-12 14:12:01 +05:30
parent 9a1f67f222
commit d1fa51e3c9
11 changed files with 427 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
components/bootloader_support/src/flash_encryption/flash_encrypt.c
View File

@@ -16,10 +16,16 @@
#include "esp_log.h" #include "esp_log.h"
#include "hal/wdt_hal.h" #include "hal/wdt_hal.h"
#if SOC_KEY_MANAGER_SUPPORTED // Need to remove check and merge accordingly for ESP32C5 once key manager support added in IDF-8621
#if SOC_KEY_MANAGER_SUPPORTED || CONFIG_IDF_TARGET_ESP32C5
#if CONFIG_IDF_TARGET_ESP32C5
#include "soc/keymng_reg.h"
#include "hal/key_mgr_types.h"
#include "soc/pcr_reg.h"
#else
#include "hal/key_mgr_hal.h" #include "hal/key_mgr_hal.h"
#include "hal/mspi_timing_tuning_ll.h" #include "hal/mspi_timing_tuning_ll.h"
#include "soc/keymng_reg.h" #endif /* CONFIG_IDF_TARGET_ESP32C5 */
#endif #endif
#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
@@ -216,17 +222,17 @@ static esp_err_t check_and_generate_encryption_keys(void)
} }
ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse"); ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
} }
// Need to remove check for ESP32C5 and merge accordingly once key manager support added in IDF-8621
#if SOC_KEY_MANAGER_SUPPORTED #if SOC_KEY_MANAGER_SUPPORTED || CONFIG_IDF_TARGET_ESP32C5
#if CONFIG_IDF_TARGET_ESP32C5 && SOC_KEY_MANAGER_SUPPORTED #if CONFIG_IDF_TARGET_ESP32C5
// TODO: [ESP32C5] IDF-8622 find a more proper place for these codes REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH);
REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN); REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN); REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
#endif #else
// Force Key Manager to use eFuse key for XTS-AES operation // Force Key Manager to use eFuse key for XTS-AES operation
key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
_mspi_timing_ll_reset_mspi(); _mspi_timing_ll_reset_mspi();
#endif /* CONFIG_IDF_TARGET_ESP32C5 */
#endif #endif
return ESP_OK; return ESP_OK;

85
components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h
View File

@@ -1,5 +1,5 @@
/* /*
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
* *
* SPDX-License-Identifier: Apache-2.0 * SPDX-License-Identifier: Apache-2.0
*/ */
@@ -15,7 +15,7 @@
#include <stdbool.h> #include <stdbool.h>
#include <string.h> #include <string.h>
#include "soc/hp_system_reg.h" #include "soc/hp_system_reg.h"
// #include "soc/xts_aes_reg.h" #include "soc/spi_mem_reg.h"
#include "soc/soc.h" #include "soc/soc.h"
#include "soc/soc_caps.h" #include "soc/soc_caps.h"
#include "hal/assert.h" #include "hal/assert.h"
@@ -27,7 +27,6 @@ extern "C" {
/// Choose type of chip you want to encrypt manually /// Choose type of chip you want to encrypt manually
typedef enum typedef enum
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip. FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
PSRAM_ENCRYPTION_MANU = 1 ///!< Manually encrypt the psram chip. PSRAM_ENCRYPTION_MANU = 1 ///!< Manually encrypt the psram chip.
} flash_encrypt_ll_type_t; } flash_encrypt_ll_type_t;
@@ -37,11 +36,15 @@ typedef enum
*/ */
static inline void spi_flash_encrypt_ll_enable(void) static inline void spi_flash_encrypt_ll_enable(void)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 #if CONFIG_IDF_TARGET_ESP32C5_BETA3_VERSION
// REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, REG_SET_BIT(HP_SYS_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
// HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT | HP_SYS_ENABLE_DOWNLOAD_MANUAL_ENCRYPT |
// HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); HP_SYS_ENABLE_SPI_MANUAL_ENCRYPT);
abort(); #else
REG_SET_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
HP_SYSTEM_ENABLE_DOWNLOAD_MANUAL_ENCRYPT |
HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT);
#endif
} }
/* /*
@@ -49,14 +52,17 @@ static inline void spi_flash_encrypt_ll_enable(void)
*/ */
static inline void spi_flash_encrypt_ll_disable(void) static inline void spi_flash_encrypt_ll_disable(void)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 #if CONFIG_IDF_TARGET_ESP32C5_BETA3_VERSION
// REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG, REG_CLR_BIT(HP_SYS_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
// HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT); HP_SYS_ENABLE_SPI_MANUAL_ENCRYPT);
abort(); #else
REG_CLR_BIT(HP_SYSTEM_EXTERNAL_DEVICE_ENCRYPT_DECRYPT_CONTROL_REG,
HP_SYSTEM_ENABLE_SPI_MANUAL_ENCRYPT);
#endif
} }
/** /**
* Choose type of chip you want to encrypt manully * Choose type of chip you want to encrypt manually
* *
* @param type The type of chip to be encrypted * @param type The type of chip to be encrypted
* *
@@ -64,11 +70,9 @@ static inline void spi_flash_encrypt_ll_disable(void)
*/ */
static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type) static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 // Our hardware only support flash encryption
// // Our hardware only support flash encryption HAL_ASSERT(type == FLASH_ENCRYPTION_MANU);
// HAL_ASSERT(type == FLASH_ENCRYPTION_MANU); REG_SET_FIELD(SPI_MEM_XTS_DESTINATION_REG(0), SPI_XTS_DESTINATION, type);
// REG_SET_FIELD(XTS_AES_DESTINATION_REG(0), XTS_AES_DESTINATION, type);
abort();
} }
/** /**
@@ -78,10 +82,8 @@ static inline void spi_flash_encrypt_ll_type(flash_encrypt_ll_type_t type)
*/ */
static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size) static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 // Desired block should not be larger than the block size.
// // Desired block should not be larger than the block size. REG_SET_FIELD(SPI_MEM_XTS_LINESIZE_REG(0), SPI_XTS_LINESIZE, size >> 5);
// REG_SET_FIELD(XTS_AES_LINESIZE_REG(0), XTS_AES_LINESIZE, size >> 5);
abort();
} }
/** /**
@@ -94,11 +96,9 @@ static inline void spi_flash_encrypt_ll_buffer_length(uint32_t size)
*/ */
static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const uint32_t* buffer, uint32_t size) static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const uint32_t* buffer, uint32_t size)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 uint32_t plaintext_offs = (address % SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX);
// uint32_t plaintext_offs = (address % SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX); HAL_ASSERT(plaintext_offs + size <= SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX);
// HAL_ASSERT(plaintext_offs + size <= SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX); memcpy((void *)(SPI_MEM_XTS_PLAIN_BASE_REG(0) + plaintext_offs), buffer, size);
// memcpy((void *)(XTS_AES_PLAIN_MEM(0) + plaintext_offs), buffer, size);
abort();
} }
/** /**
@@ -108,9 +108,7 @@ static inline void spi_flash_encrypt_ll_plaintext_save(uint32_t address, const u
*/ */
static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr) static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 REG_SET_FIELD(SPI_MEM_XTS_PHYSICAL_ADDRESS_REG(0), SPI_XTS_PHYSICAL_ADDRESS, flash_addr);
// REG_SET_FIELD(XTS_AES_PHYSICAL_ADDRESS_REG(0), XTS_AES_PHYSICAL_ADDRESS, flash_addr);
abort();
} }
/** /**
@@ -118,9 +116,7 @@ static inline void spi_flash_encrypt_ll_address_save(uint32_t flash_addr)
*/ */
static inline void spi_flash_encrypt_ll_calculate_start(void) static inline void spi_flash_encrypt_ll_calculate_start(void)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 REG_SET_FIELD(SPI_MEM_XTS_TRIGGER_REG(0), SPI_XTS_TRIGGER, 1);
// REG_SET_FIELD(XTS_AES_TRIGGER_REG(0), XTS_AES_TRIGGER, 1);
abort();
} }
/** /**
@@ -128,10 +124,8 @@ static inline void spi_flash_encrypt_ll_calculate_start(void)
*/ */
static inline void spi_flash_encrypt_ll_calculate_wait_idle(void) static inline void spi_flash_encrypt_ll_calculate_wait_idle(void)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_XTS_STATE) == 0x1) {
// while(REG_GET_FIELD(XTS_AES_STATE_REG(0), XTS_AES_STATE) == 0x1) { }
// }
abort();
} }
/** /**
@@ -139,11 +133,9 @@ static inline void spi_flash_encrypt_ll_calculate_wait_idle(void)
*/ */
static inline void spi_flash_encrypt_ll_done(void) static inline void spi_flash_encrypt_ll_done(void)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 REG_SET_BIT(SPI_MEM_XTS_RELEASE_REG(0), SPI_XTS_RELEASE);
// REG_SET_BIT(XTS_AES_RELEASE_REG(0), XTS_AES_RELEASE); while(REG_GET_FIELD(SPI_MEM_XTS_STATE_REG(0), SPI_XTS_STATE) != 0x3) {
// while(REG_GET_FIELD(XTS_AES_STATE_REG(0), XTS_AES_STATE) != 0x3) { }
// }
abort();
} }
/** /**
@@ -151,9 +143,7 @@ static inline void spi_flash_encrypt_ll_done(void)
*/ */
static inline void spi_flash_encrypt_ll_destroy(void) static inline void spi_flash_encrypt_ll_destroy(void)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 REG_SET_BIT(SPI_MEM_XTS_DESTROY_REG(0), SPI_XTS_DESTROY);
// REG_SET_BIT(XTS_AES_DESTROY_REG(0), XTS_AES_DESTROY);
abort();
} }
/** /**
@@ -164,10 +154,7 @@ static inline void spi_flash_encrypt_ll_destroy(void)
*/ */
static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length) static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length)
{ {
// TODO: [ESP32C5] IDF-8622, IDF-8649 return ((address % length) == 0) ? true : false;
// return ((address % length) == 0) ? true : false;
abort();
return (bool)0;
} }
#ifdef __cplusplus #ifdef __cplusplus

6
components/soc/esp32c5/beta3/include/soc/soc_caps.h
View File

@@ -55,7 +55,7 @@
#define SOC_DIG_SIGN_SUPPORTED 1 #define SOC_DIG_SIGN_SUPPORTED 1
#define SOC_ECC_SUPPORTED 1 #define SOC_ECC_SUPPORTED 1
#define SOC_ECC_EXTENDED_MODES_SUPPORTED 1 #define SOC_ECC_EXTENDED_MODES_SUPPORTED 1
#define SOC_FLASH_ENC_SUPPORTED 1 // TODO: [ESP32C5] IDF-8622 #define SOC_FLASH_ENC_SUPPORTED 1
#define SOC_SECURE_BOOT_SUPPORTED 1 #define SOC_SECURE_BOOT_SUPPORTED 1
// #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32C5] IDF-8647 // #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32C5] IDF-8647
// #define SOC_APM_SUPPORTED 1 // TODO: [ESP32C5] IDF-8614, IDF-8615 // #define SOC_APM_SUPPORTED 1 // TODO: [ESP32C5] IDF-8614, IDF-8615
@@ -474,9 +474,9 @@
#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 #define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1
/*-------------------------- Flash Encryption CAPS----------------------------*/ /*-------------------------- Flash Encryption CAPS----------------------------*/
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) // TODO: [ESP32C5] IDF-8622 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_FLASH_ENCRYPTION_XTS_AES 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 // TODO: [ESP32C5] IDF-8622 #define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
/*------------------------ Anti DPA (Security) CAPS --------------------------*/ /*------------------------ Anti DPA (Security) CAPS --------------------------*/
// #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1 // #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1

6
components/soc/esp32c5/mp/include/soc/soc_caps.h
View File

@@ -53,7 +53,7 @@
#define SOC_DIG_SIGN_SUPPORTED 1 #define SOC_DIG_SIGN_SUPPORTED 1
#define SOC_ECC_SUPPORTED 1 #define SOC_ECC_SUPPORTED 1
#define SOC_ECC_EXTENDED_MODES_SUPPORTED 1 #define SOC_ECC_EXTENDED_MODES_SUPPORTED 1
#define SOC_FLASH_ENC_SUPPORTED 1 // TODO: [ESP32C5] IDF-8622 #define SOC_FLASH_ENC_SUPPORTED 1
#define SOC_SECURE_BOOT_SUPPORTED 1 #define SOC_SECURE_BOOT_SUPPORTED 1
// #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32C5] IDF-8647 // #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32C5] IDF-8647
// #define SOC_APM_SUPPORTED 1 // TODO: [ESP32C5] IDF-8614, IDF-8615 // #define SOC_APM_SUPPORTED 1 // TODO: [ESP32C5] IDF-8614, IDF-8615
@@ -475,9 +475,9 @@
#define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 #define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1
/*-------------------------- Flash Encryption CAPS----------------------------*/ /*-------------------------- Flash Encryption CAPS----------------------------*/
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) // TODO: [ESP32C5] IDF-8622 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_FLASH_ENCRYPTION_XTS_AES 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 // TODO: [ESP32C5] IDF-8622 #define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
/*------------------------ Anti DPA (Security) CAPS --------------------------*/ /*------------------------ Anti DPA (Security) CAPS --------------------------*/
// #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1 // #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED 1

6
components/spi_flash/test_apps/.build-test-rules.yml
View File

@@ -22,12 +22,8 @@ components/spi_flash/test_apps/esp_flash_stress:
reason: not support yet # TODO: [ESP32C5] IDF-8715 reason: not support yet # TODO: [ESP32C5] IDF-8715
components/spi_flash/test_apps/flash_encryption: components/spi_flash/test_apps/flash_encryption:
disable:
- if: IDF_TARGET == "esp32c5"
temporary: true
reason: not support yet # TODO: [ESP32C5] IDF-8622
disable_test: disable_test:
- if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4"] - if: IDF_TARGET in ["esp32c2", "esp32s2", "esp32c6", "esp32h2", "esp32p4", "esp32c5"]
temporary: true temporary: true
reason: No runners # IDF-5634 reason: No runners # IDF-5634

4
components/spi_flash/test_apps/flash_encryption/README.md
View File

@@ -1,5 +1,5 @@
| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | | Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 |
| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | | ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- |
## Prepare runner ## Prepare runner

1
docs/docs_not_updated/esp32c5.txt
View File

@@ -222,7 +222,6 @@ api-reference/protocols/esp_tls.rst
api-reference/protocols/mdns.rst api-reference/protocols/mdns.rst
api-reference/protocols/index.rst api-reference/protocols/index.rst
api-reference/protocols/asio.rst api-reference/protocols/asio.rst
security/flash-encryption.rst
about.rst about.rst
resources.rst resources.rst
migration-guides/release-5.x/5.2/ieee802154.rst migration-guides/release-5.x/5.2/ieee802154.rst

184
docs/en/security/esp32c5_log.inc
View File

@@ -3,7 +3,65 @@
.. code-block:: none .. code-block:: none
To be updated for C5 rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT)
SPI mode:DIO, clock div:2
load:0x40855c10,len:0x2c34
load:0x4084c7a0,len:0x6f8
load:0x4084e9a0,len:0x41c4
entry 0x4084c804
I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649-dirty 2nd stage bootloader
I (33) boot: compile time May 7 2024 17:31:13
I (34) boot: chip revision: v0.0
I (37) boot.esp32c5: SPI Speed : 40MHz
I (42) boot.esp32c5: SPI Mode : DIO
I (47) boot.esp32c5: SPI Flash Size : 2MB
I (52) boot: Enabling RNG early entropy source...
I (64) boot: Partition Table:
I (68) boot: ## Label Usage Type ST Offset Length
I (75) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (90) boot: 2 factory factory app 00 00 00020000 00100000
I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (105) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (113) boot: End of partition table
I (117) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map
I (169) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004) load
I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map
I (256) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112) load
I (261) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352) load
I (269) boot: Loaded app from partition at offset 0x20000
I (270) boot: Checking flash encryption...
I (273) efuse: Batch mode of writing fields is enabled
I (279) flash_encrypt: Generating new flash encryption key...
I (297) efuse: Writing EFUSE_BLK_KEY0 with purpose 4
I (300) flash_encrypt: Disable UART bootloader encryption...
I (306) flash_encrypt: Disable JTAG...
I (312) efuse: BURN BLOCK4
I (317) efuse: BURN BLOCK4 - OK (write block == read block)
I (320) efuse: BURN BLOCK0
I (326) efuse: BURN BLOCK0 - OK (write block == read block)
I (330) efuse: Batch mode. Prepared fields are committed
I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02c34h ( 11316)
I (353) esp_image: segment 1: paddr=00004c5c vaddr=4084c7a0 size=006f8h ( 1784)
I (356) esp_image: segment 2: paddr=0000535c vaddr=4084e9a0 size=041c4h ( 16836)
I (1091) flash_encrypt: bootloader encrypted successfully
I (1182) flash_encrypt: partition table encrypted and loaded successfully
I (1183) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)...
I (1271) flash_encrypt: Done encrypting
I (1272) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map
I (1309) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004)
I (1336) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map
I (1395) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112)
I (1400) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352)
I (1405) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (24123) flash_encrypt: Done encrypting
I (24124) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)...
I (24215) flash_encrypt: Done encrypting
I (24216) flash_encrypt: Setting CRYPT_CNT for permanent encryption
I (24217) efuse: BURN BLOCK0
I (24221) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (24226) flash_encrypt: Flash encryption completed
I (24231) boot: Resetting with flash encryption enabled...
------ ------
@@ -12,6 +70,128 @@
.. code-block:: none .. code-block:: none
To be updated for C5 rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT)
SPI mode:DIO, clock div:2
load:0x40855c10,len:0x2be8
load:0x4084c7a0,len:0x6f8
load:0x4084e9a0,len:0x418c
entry 0x4084c804
I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader
I (33) boot: compile time May 7 2024 17:24:43
I (34) boot: chip revision: v0.0
I (37) boot.esp32c5: SPI Speed : 40MHz
I (42) boot.esp32c5: SPI Mode : DIO
I (46) boot.esp32c5: SPI Flash Size : 2MB
I (51) boot: Enabling RNG early entropy source...
I (64) boot: Partition Table:
I (67) boot: ## Label Usage Type ST Offset Length
I (74) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (89) boot: 2 factory factory app 00 00 00020000 00100000
I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (104) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (113) boot: End of partition table
I (116) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map
E (125) fpga_rng: Project configuration is for internal FPGA use, RNG will not work
I (169) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load
I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map
I (256) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load
I (261) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load
I (269) boot: Loaded app from partition at offset 0x20000
I (270) boot: Checking flash encryption...
I (273) efuse: Batch mode of writing fields is enabled
I (278) flash_encrypt: Generating new flash encryption key...
E (285) fpga_rng: Project configuration is for internal FPGA use, RNG will not work
I (295) efuse: Writing EFUSE_BLK_KEY0 with purpose 4
W (300) flash_encrypt: Not disabling UART bootloader encryption
I (305) flash_encrypt: Disable JTAG...
I (312) efuse: BURN BLOCK4
I (317) efuse: BURN BLOCK4 - OK (write block == read block)
I (319) efuse: BURN BLOCK0
I (325) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (330) efuse: Batch mode. Prepared fields are committed
I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02be8h ( 11240)
I (353) esp_image: segment 1: paddr=00004c10 vaddr=4084c7a0 size=006f8h ( 1784)
I (356) esp_image: segment 2: paddr=00005310 vaddr=4084e9a0 size=0418ch ( 16780)
I (1131) flash_encrypt: bootloader encrypted successfully
I (1229) flash_encrypt: partition table encrypted and loaded successfully
I (1230) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)...
I (1325) flash_encrypt: Done encrypting
I (1325) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map
I (1362) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180)
I (1389) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map
I (1448) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936)
I (1453) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352)
I (1458) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (24332) flash_encrypt: Done encrypting
I (24332) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)...
I (24422) flash_encrypt: Done encrypting
I (24423) efuse: BURN BLOCK0
I (24425) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (24427) flash_encrypt: Flash encryption completed
I (24431) boot: Resetting with flash encryption enabled...
ESP-ROM:esp32c5-20240329
Build:Mar 29 2024
rst:0x3 (RTC_SW_HPSYS),boot:0x3d (SPI_FAST_FLASH_BOOT)
Core0 Saved PC:0x4084fe1c
use legacy efuse key
SPI mode:DIO, clock div:2
load:0x40855c10,len:0x2be8
load:0x4084c7a0,len:0x6f8
load:0x4084e9a0,len:0x418c
entry 0x4084c804
I (39) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader
I (40) boot: compile time May 7 2024 17:24:43
I (41) boot: chip revision: v0.0
I (44) boot.esp32c5: SPI Speed : 40MHz
I (48) boot.esp32c5: SPI Mode : DIO
I (53) boot.esp32c5: SPI Flash Size : 2MB
I (58) boot: Enabling RNG early entropy source...
I (70) boot: Partition Table:
I (74) boot: ## Label Usage Type ST Offset Length
I (81) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (89) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (96) boot: 2 factory factory app 00 00 00020000 00100000
I (103) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (111) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (119) boot: End of partition table
I (123) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map
I (177) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load
I (207) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map
I (269) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load
I (274) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load
I (283) boot: Loaded app from partition at offset 0x20000
I (283) boot: Checking flash encryption...
I (286) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (294) boot: Disabling RNG early entropy source...
I (318) cpu_start: Unicore app
I (326) cpu_start: Pro cpu start user code
I (330) cpu_start: cpu freq: 40000000 Hz
I (335) app_init: Application information:
I (340) app_init: Project name: flash_encryption
I (345) app_init: App version: qa-test-v5.3-20240419-267-g5d36
I (352) app_init: Compile time: May 7 2024 17:24:35
I (358) app_init: ELF file SHA256: 712933cde...
I (364) app_init: ESP-IDF: v5.3-dev-3860-g5d36288649
I (370) efuse_init: Min chip rev: v0.0
I (375) efuse_init: Max chip rev: v0.99
I (380) efuse_init: Chip rev: v0.0
I (385) heap_init: Initializing. RAM available for dynamic allocation:
I (392) heap_init: At 408091A0 len 00051730 (325 KiB): RAM
I (398) heap_init: At 4085A8D0 len 00004C30 (19 KiB): RAM
I (404) heap_init: At 50000000 len 00003FE8 (15 KiB): RTCRAM
I (426) spi_flash: detected chip: generic
I (427) spi_flash: flash io: dio
W (431) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
W (445) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (452) nvs_sec_provider: NVS Encryption - Registering Flash encryption-based scheme...
I (466) main_task: Started on CPU0
I (466) main_task: Calling app_main()
Example to check Flash Encryption status
This is esp32c5 chip with 1 CPU core(s), WiFi/BLE, silicon revision v0.0, 2MB external flash
FLASH_CRYPT_CNT eFuse value is 1
Flash encryption feature is enabled in DEVELOPMENT mode
------ ------

184
docs/zh_CN/security/esp32c5_log.inc
View File

@@ -3,7 +3,65 @@
.. code-block:: none .. code-block:: none
To be updated for C5 rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT)
SPI mode:DIO, clock div:2
load:0x40855c10,len:0x2c34
load:0x4084c7a0,len:0x6f8
load:0x4084e9a0,len:0x41c4
entry 0x4084c804
I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649-dirty 2nd stage bootloader
I (33) boot: compile time May 7 2024 17:31:13
I (34) boot: chip revision: v0.0
I (37) boot.esp32c5: SPI Speed : 40MHz
I (42) boot.esp32c5: SPI Mode : DIO
I (47) boot.esp32c5: SPI Flash Size : 2MB
I (52) boot: Enabling RNG early entropy source...
I (64) boot: Partition Table:
I (68) boot: ## Label Usage Type ST Offset Length
I (75) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (90) boot: 2 factory factory app 00 00 00020000 00100000
I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (105) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (113) boot: End of partition table
I (117) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map
I (169) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004) load
I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map
I (256) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112) load
I (261) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352) load
I (269) boot: Loaded app from partition at offset 0x20000
I (270) boot: Checking flash encryption...
I (273) efuse: Batch mode of writing fields is enabled
I (279) flash_encrypt: Generating new flash encryption key...
I (297) efuse: Writing EFUSE_BLK_KEY0 with purpose 4
I (300) flash_encrypt: Disable UART bootloader encryption...
I (306) flash_encrypt: Disable JTAG...
I (312) efuse: BURN BLOCK4
I (317) efuse: BURN BLOCK4 - OK (write block == read block)
I (320) efuse: BURN BLOCK0
I (326) efuse: BURN BLOCK0 - OK (write block == read block)
I (330) efuse: Batch mode. Prepared fields are committed
I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02c34h ( 11316)
I (353) esp_image: segment 1: paddr=00004c5c vaddr=4084c7a0 size=006f8h ( 1784)
I (356) esp_image: segment 2: paddr=0000535c vaddr=4084e9a0 size=041c4h ( 16836)
I (1091) flash_encrypt: bootloader encrypted successfully
I (1182) flash_encrypt: partition table encrypted and loaded successfully
I (1183) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)...
I (1271) flash_encrypt: Done encrypting
I (1272) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=09674h ( 38516) map
I (1309) esp_image: segment 1: paddr=0002969c vaddr=40800000 size=0697ch ( 27004)
I (1336) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4fch ( 62716) map
I (1395) esp_image: segment 3: paddr=0003f524 vaddr=4080697c size=00c28h ( 3112)
I (1400) esp_image: segment 4: paddr=00040154 vaddr=408075b0 size=00d18h ( 3352)
I (1405) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (24123) flash_encrypt: Done encrypting
I (24124) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)...
I (24215) flash_encrypt: Done encrypting
I (24216) flash_encrypt: Setting CRYPT_CNT for permanent encryption
I (24217) efuse: BURN BLOCK0
I (24221) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (24226) flash_encrypt: Flash encryption completed
I (24231) boot: Resetting with flash encryption enabled...
------ ------
@@ -12,6 +70,128 @@
.. code-block:: none .. code-block:: none
To be updated for C5 rst:0x1 (POWERON),boot:0x3d (SPI_FAST_FLASH_BOOT)
SPI mode:DIO, clock div:2
load:0x40855c10,len:0x2be8
load:0x4084c7a0,len:0x6f8
load:0x4084e9a0,len:0x418c
entry 0x4084c804
I (32) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader
I (33) boot: compile time May 7 2024 17:24:43
I (34) boot: chip revision: v0.0
I (37) boot.esp32c5: SPI Speed : 40MHz
I (42) boot.esp32c5: SPI Mode : DIO
I (46) boot.esp32c5: SPI Flash Size : 2MB
I (51) boot: Enabling RNG early entropy source...
I (64) boot: Partition Table:
I (67) boot: ## Label Usage Type ST Offset Length
I (74) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (82) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (89) boot: 2 factory factory app 00 00 00020000 00100000
I (97) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (104) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (113) boot: End of partition table
I (116) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map
E (125) fpga_rng: Project configuration is for internal FPGA use, RNG will not work
I (169) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load
I (197) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map
I (256) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load
I (261) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load
I (269) boot: Loaded app from partition at offset 0x20000
I (270) boot: Checking flash encryption...
I (273) efuse: Batch mode of writing fields is enabled
I (278) flash_encrypt: Generating new flash encryption key...
E (285) fpga_rng: Project configuration is for internal FPGA use, RNG will not work
I (295) efuse: Writing EFUSE_BLK_KEY0 with purpose 4
W (300) flash_encrypt: Not disabling UART bootloader encryption
I (305) flash_encrypt: Disable JTAG...
I (312) efuse: BURN BLOCK4
I (317) efuse: BURN BLOCK4 - OK (write block == read block)
I (319) efuse: BURN BLOCK0
I (325) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (330) efuse: Batch mode. Prepared fields are committed
I (335) esp_image: segment 0: paddr=00002020 vaddr=40855c10 size=02be8h ( 11240)
I (353) esp_image: segment 1: paddr=00004c10 vaddr=4084c7a0 size=006f8h ( 1784)
I (356) esp_image: segment 2: paddr=00005310 vaddr=4084e9a0 size=0418ch ( 16780)
I (1131) flash_encrypt: bootloader encrypted successfully
I (1229) flash_encrypt: partition table encrypted and loaded successfully
I (1230) flash_encrypt: Encrypting partition 1 at offset 0x14000 (length 0x1000)...
I (1325) flash_encrypt: Done encrypting
I (1325) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map
I (1362) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180)
I (1389) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map
I (1448) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936)
I (1453) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352)
I (1458) flash_encrypt: Encrypting partition 2 at offset 0x20000 (length 0x100000)...
I (24332) flash_encrypt: Done encrypting
I (24332) flash_encrypt: Encrypting partition 3 at offset 0x120000 (length 0x1000)...
I (24422) flash_encrypt: Done encrypting
I (24423) efuse: BURN BLOCK0
I (24425) efuse: BURN BLOCK0 - OK (all write block bits are set)
I (24427) flash_encrypt: Flash encryption completed
I (24431) boot: Resetting with flash encryption enabled...
ESP-ROM:esp32c5-20240329
Build:Mar 29 2024
rst:0x3 (RTC_SW_HPSYS),boot:0x3d (SPI_FAST_FLASH_BOOT)
Core0 Saved PC:0x4084fe1c
use legacy efuse key
SPI mode:DIO, clock div:2
load:0x40855c10,len:0x2be8
load:0x4084c7a0,len:0x6f8
load:0x4084e9a0,len:0x418c
entry 0x4084c804
I (39) boot: ESP-IDF v5.3-dev-3860-g5d36288649 2nd stage bootloader
I (40) boot: compile time May 7 2024 17:24:43
I (41) boot: chip revision: v0.0
I (44) boot.esp32c5: SPI Speed : 40MHz
I (48) boot.esp32c5: SPI Mode : DIO
I (53) boot.esp32c5: SPI Flash Size : 2MB
I (58) boot: Enabling RNG early entropy source...
I (70) boot: Partition Table:
I (74) boot: ## Label Usage Type ST Offset Length
I (81) boot: 0 nvs WiFi data 01 02 0000e000 00006000
I (89) boot: 1 storage Unknown data 01 ff 00014000 00001000
I (96) boot: 2 factory factory app 00 00 00020000 00100000
I (103) boot: 3 nvs_key NVS keys 01 04 00120000 00001000
I (111) boot: 4 custom_nvs WiFi data 01 02 00121000 00006000
I (119) boot: End of partition table
I (123) esp_image: segment 0: paddr=00020020 vaddr=42010020 size=095c4h ( 38340) map
I (177) esp_image: segment 1: paddr=000295ec vaddr=40800000 size=06a2ch ( 27180) load
I (207) esp_image: segment 2: paddr=00030020 vaddr=42000020 size=0f4d4h ( 62676) map
I (269) esp_image: segment 3: paddr=0003f4fc vaddr=40806a2c size=00b78h ( 2936) load
I (274) esp_image: segment 4: paddr=0004007c vaddr=408075b0 size=00d18h ( 3352) load
I (283) boot: Loaded app from partition at offset 0x20000
I (283) boot: Checking flash encryption...
I (286) flash_encrypt: flash encryption is enabled (1 plaintext flashes left)
I (294) boot: Disabling RNG early entropy source...
I (318) cpu_start: Unicore app
I (326) cpu_start: Pro cpu start user code
I (330) cpu_start: cpu freq: 40000000 Hz
I (335) app_init: Application information:
I (340) app_init: Project name: flash_encryption
I (345) app_init: App version: qa-test-v5.3-20240419-267-g5d36
I (352) app_init: Compile time: May 7 2024 17:24:35
I (358) app_init: ELF file SHA256: 712933cde...
I (364) app_init: ESP-IDF: v5.3-dev-3860-g5d36288649
I (370) efuse_init: Min chip rev: v0.0
I (375) efuse_init: Max chip rev: v0.99
I (380) efuse_init: Chip rev: v0.0
I (385) heap_init: Initializing. RAM available for dynamic allocation:
I (392) heap_init: At 408091A0 len 00051730 (325 KiB): RAM
I (398) heap_init: At 4085A8D0 len 00004C30 (19 KiB): RAM
I (404) heap_init: At 50000000 len 00003FE8 (15 KiB): RTCRAM
I (426) spi_flash: detected chip: generic
I (427) spi_flash: flash io: dio
W (431) spi_flash: Detected size(4096k) larger than the size in the binary image header(2048k). Using the size in the binary image header.
W (445) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
I (452) nvs_sec_provider: NVS Encryption - Registering Flash encryption-based scheme...
I (466) main_task: Started on CPU0
I (466) main_task: Calling app_main()
Example to check Flash Encryption status
This is esp32c5 chip with 1 CPU core(s), WiFi/BLE, silicon revision v0.0, 2MB external flash
FLASH_CRYPT_CNT eFuse value is 1
Flash encryption feature is enabled in DEVELOPMENT mode
------ ------

6
examples/security/.build-test-rules.yml
View File

@@ -1,12 +1,8 @@
# Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps # Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps
examples/security/flash_encryption: examples/security/flash_encryption:
disable:
- if: IDF_TARGET == "esp32c5"
temporary: true
reason: not supported yet # TODO: [ESP32C5] IDF-8622
disable_test: disable_test:
- if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4"] - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4", "esp32c5"]
temporary: true temporary: true
reason: lack of runners reason: lack of runners

6
examples/security/flash_encryption/README.md
View File

@@ -1,5 +1,5 @@
| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | | Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 |
| ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | | ----------------- | ----- | -------- | -------- | -------- | -------- | -------- | -------- | -------- | -------- |
# Flash Encryption # Flash Encryption
@@ -32,7 +32,7 @@ The configuration for NVS encryption involves generating the XTS encryption keys
When NVS encryption is enabled the `nvs_flash_init` API function can internally generate the XTS encryption keys on the ESP chip. The API function finds the first [NVS key partition](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#nvs-key-partition) i.e. a partition of type `data` and subtype `nvs_keys`. When NVS encryption is enabled the `nvs_flash_init` API function can internally generate the XTS encryption keys on the ESP chip. The API function finds the first [NVS key partition](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#nvs-key-partition) i.e. a partition of type `data` and subtype `nvs_keys`.
Then the API function automatically generates and stores the Then the API function automatically generates and stores the
nvs keys in that partition. New keys are generated and stored only when the respective key partiton is empty. (Consult the [`nvs_flash_init`](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#_CPPv414nvs_flash_initv) API documentation in the ESP-IDF programming guide for more details). nvs keys in that partition. New keys are generated and stored only when the respective key partition is empty. (Consult the [`nvs_flash_init`](https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/storage/nvs_flash.html#_CPPv414nvs_flash_initv) API documentation in the ESP-IDF programming guide for more details).
**Please note that `nvs_keys` partition must be completely erased before starting the application. Otherwise the application may generate `ESP_ERR_NVS_CORRUPT_KEY_PART` error code assuming that `nvs_keys` partition was not empty and contains malformatted data.** **Please note that `nvs_keys` partition must be completely erased before starting the application. Otherwise the application may generate `ESP_ERR_NVS_CORRUPT_KEY_PART` error code assuming that `nvs_keys` partition was not empty and contains malformatted data.**