NVS encryption key / initialisation problem
Posted: Mon Apr 19, 2021 9:35 pm
Hello, I use these development tools:
esp32 v1
idf 4.2
I have secure boot and flash encrypt mode which works fine.
The program starts correctly.
I have tested several solutions for over a week and still get stuck.
TEST 1
When I put "encrypts" in the partition table for NVS I have a bootloop:
# Name,   Type, SubType, Offset,  Size, Flags
nvs, data, nvs, , 0x6000,
otadata, data, ota, , 0x2000,
phy_init, data, phy, , 0x1000,
certs, data, spiffs, , 0x10000,
fact_cfg, data, spiffs, , 0x8000,
user_cfg, data, spiffs, , 0x8000,
storage, data, spiffs, , 0x10000,
ota_0, app, ota_0, ,0x280000,
# ota_0, app, ota_0, ,0x180000,
# ota_1, app, ota_1, , 0x180000,
nvs_key, data, nvs_keys, , 0x1000, encrypted
(55) boot: Partition Table:
(59) boot: ## Label Usage Type ST Offset Length
(66) boot: 0 nvs WiFi data 01 02 00009000 00006000
(74) boot: 1 otadata OTA data 01 00 0000f000 00002000
(81) boot: 2 phy_init RF data 01 01 00011000 00001000
(89) boot: 3 certs Unknown data 01 82 00012000 00010000
(96) boot: 4 fact_cfg Unknown data 01 82 00022000 00008000
(103) boot: 5 user_cfg Unknown data 01 82 0002a000 00008000
(111) boot: 6 storage Unknown data 01 82 00032000 00010000
(119) boot: 7 ota_0 OTA app 00 10 00050000 00280000
(126) boot: 8 nvs_key NVS keys 01 04 002d0000 00001000
(1020) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
(1022) spi_flash: detected chip: generic
(1023) spi_flash: flash io: dio
(1027) cpu_start: Starting scheduler on PRO CPU.
(0) cpu_start: Starting scheduler on APP CPU.
abort() was called at PC 0x4012b07a on core 0
default code:
offending part of the program:
esp_err_t err = nvs_flash_init();
if (err == ESP_ERR_NVS_NO_FREE_PAGES || err == ESP_ERR_NVS_NEW_VERSION_FOUND) {
// NVS partition was truncated and needs to be erased
// Retry nvs_flash_init
ESP_ERROR_CHECK(nvs_flash_erase());
err = nvs_flash_init();
}
ESP_ERROR_CHECK( err );
TEST 2:
identical partition table
I modified the program by adding this:
#include "esp_err.h"
#include "esp_log.h"
#include "esp_partition.h"
#include "nvs_flash.h"

esp_err_t nvs_secure_initialize(void) {
static const char *nvs_tag = "nvs";
esp_err_t err = ESP_OK;
// 1. find partition with nvs_keys
const esp_partition_t *partition = esp_partition_find_first(ESP_PARTITION_TYPE_DATA,
ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS,
"nvs_key");
if (partition == NULL) {
ESP_LOGE(nvs_tag, "Could not locate nvs_key partition. Aborting.");
return ESP_FAIL;
}
// 2. read nvs_keys from key partition
nvs_sec_cfg_t cfg;
if (ESP_OK != (err = nvs_flash_read_security_cfg(partition, &cfg))) {
ESP_LOGE(nvs_tag, "Failed to read nvs keys (rc=0x%x)", err);
return err;
}
// 3. initialize nvs partition
if (ESP_OK != (err = nvs_flash_secure_init(&cfg))) {
ESP_LOGE(nvs_tag, "failed to initialize nvs partition (err=0x%x). Aborting.", err);
return err;
}
return err;
}
and in the main:
esp_err_t err = nvs_secure_initialize();
if (err != ESP_OK) {
ESP_LOGE("main", "Failed to initialize nvs (rc=0x%x). Halting.", err);
while(1) { vTaskDelay(100); }
}
Without changing the partition table I have another error:
I (0) cpu_start: Starting scheduler on APP CPU.
E (1042) nvs: Failed to read nvs keys (rc=0x1117)
E (1052) main: Failed to initialize nvs (rc=0x1117). Halting.
I tried to flash the keys of NVS like this:
python nvs_partition_gen.py generate nvs.csv nvs.bin 0x11000
python nvs_partition_gen.py encrypt nvs.csv encrypted_nvs.bin 0x11000 --keygen --keyfile nvs_keys.bin
esptool.py -p com13 --before default_reset --after no_reset write_flash 0x11000 encrypted_nvs.bin
esptool.py -p com13 --before default_reset --after no_reset write_flash 0x2d0000 nvs_keys.bin
My test nvs.csv:
# NVS csv file
key,type,encoding,value
fctryNamespace,namespace,,
serial_number,data,string,AE12A21D3D4F
mac_addr,data,string,0F:0B:01:0D:0E:0F
I don't know if my nvs.csv example is good.
Maybe I'm wrong in the offset?
Thanks for your help
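An added example, not part of the original post: a Python check of an nvs_keys.bin image in the layout that, as far as I know it, nvs_partition_gen.py writes (two 32-byte XTS key halves, a little-endian CRC32 over those 64 bytes, 0xFF padding to one 4 KiB sector). It sorts an image into the three outcomes the device-side key read has (blank, CRC consistent, CRC mismatch); the rc=0x1117 in the TEST 2 log is ESP_ERR_NVS_CORRUPT_KEY_PART, the mismatch case. All function and constant names here are my own, and the sample keys are constructed.

```python
import struct
import zlib

KEY_SIZE = 32               # one half of the XTS-AES key (eky or tky)
CRC_OFFSET = 2 * KEY_SIZE   # CRC32 sits right after eky || tky
IMAGE_SIZE = 4096           # one flash sector, the size of the nvs_key partition above

# Verdicts correspond to the outcomes of the device-side key-partition read.
OK = "keys ok"
BLANK = "keys not initialised (partition is all 0xFF)"
CORRUPT = "corrupt key partition (CRC mismatch)"


def build_keys_image(eky: bytes, tky: bytes) -> bytes:
    """Assemble eky || tky || CRC32-LE(eky || tky), padded with 0xFF to a sector."""
    if len(eky) != KEY_SIZE or len(tky) != KEY_SIZE:
        raise ValueError("each XTS key half must be exactly 32 bytes")
    body = eky + tky
    image = body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return image + b"\xff" * (IMAGE_SIZE - len(image))


def check_keys_image(image: bytes) -> str:
    """Classify a key-partition image: blank, consistent, or CRC mismatch."""
    if len(image) < CRC_OFFSET + 4:
        raise ValueError("image too short to hold two keys and a CRC")
    head = image[: CRC_OFFSET + 4]
    if head == b"\xff" * len(head):
        return BLANK                      # erased sector, nothing was ever written
    (stored_crc,) = struct.unpack_from("<I", image, CRC_OFFSET)
    if zlib.crc32(image[:CRC_OFFSET]) & 0xFFFFFFFF != stored_crc:
        return CORRUPT                    # key bytes and CRC disagree
    return OK


if __name__ == "__main__":
    # Constructed sample keys; real ones come from nvs_partition_gen.py --keygen.
    good = build_keys_image(bytes(range(32)), bytes(range(32, 64)))
    print(check_keys_image(good))
    print(check_keys_image(b"\xff" * IMAGE_SIZE))
    # A single altered byte turns the valid image into the CRC-mismatch case.
    damaged = bytearray(good)
    damaged[5] ^= 0x01
    print(check_keys_image(bytes(damaged)))
```

An image that passes this check can still read back as a mismatch on the device if the bytes it decrypts are not the file's bytes: with flash encryption on, esptool.py write_flash needs its --encrypt option for a partition marked encrypted. The offsets and sizes used when generating and flashing should also be checked against the boot log above, which lists nvs at 0x9000 with length 0x6000 and nvs_key at 0x2d0000.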