Non-volatile storage with flash encryption enabled.

snahmad75 · Postby **snahmad75** » Mon Oct 15, 2018 3:55 pm

Hi,

If I need to read and write nvs while my flash encryption is enabled. What steps I need to do.

I read it https://docs.espressif.com/projects/esp ... flash.html
not understood with flash encryption is enabled.
But do provide me example using while flash encryption is enabled that is I upload encrypted parition.bin

Do I need to check if flash encryption is enabled. Do I have provide encryption key in C/C++ to read and write nvs.

Kindly do reply urgently.

Populate nvs_sec_cfg_t struct using nvs_flash_read_security_cfg or nvs_flash_generate_keys APIs ????

for read/writing any file from storage area/partition. Is there special fopen to fo as well if flash encryption is enabled.

Thanks,
Naeem

WiFive · Postby **WiFive** » Mon Oct 15, 2018 9:24 pm

https://github.com/espressif/esp-idf/bl ... #L311-L384

snahmad75 · Postby **snahmad75** » Mon Oct 15, 2018 9:33 pm

ok, thanks. I will try to do same later. check flash encryption is enabled or not in the code.

snahmad75 · Postby **snahmad75** » Mon Oct 29, 2018 2:38 pm

WiFive wrote:https://github.com/espressif/esp-idf/bl ... #L311-L384

The code I downloaded from master branch is few months. SDK is updated with NVS flash encryption I guess recently.
How and where I can get build which contains NVS code compile and whole SDK build successfully.

Code: Select all

const esp_partition_t* key_part = esp_partition_find_first(
			ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);

		const esp_partition_t* nvs_partition = esp_partition_find_first(
			ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL);
		assert(nvs_partition && "partition table must have an NVS partition");

		ESP_ERROR_CHECK(esp_partition_erase_range(nvs_partition, 0, nvs_partition->size));

		nvs_sec_cfg_t cfg;
		esp_err_t err = nvs_flash_read_security_cfg(key_part, &cfg);

		if (err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED) {
			TEST_ESP_OK(nvs_flash_generate_keys(key_part, &cfg));
		}
		else {
			ESP_ERROR_CHECK(err);
		}
		TEST_ESP_OK(nvs_flash_secure_init(&cfg));

Thanks,
Naeem

ESP_Angus · Postby **ESP_Angus** » Mon Oct 29, 2018 10:59 pm

snahmad75 wrote: How and where I can get build which contains NVS code compile and whole SDK build successfully.

Currently only master branch (since commit linked above) has NVS encryption support. This will be added to ESP-IDF V3.2.

snahmad75 · Postby **snahmad75** » Tue Oct 30, 2018 9:25 am

In my code which I download few months back. I have flash encryption enabled. still I can read NVS. once i get latest code. It will stop working unless i used NVS init function when flash encryption is enabled. Am I right?

ok, you mean it will added to V3.2 when it gets released.

WiFive · Postby **WiFive** » Tue Oct 30, 2018 12:50 pm

snahmad75 wrote: It will stop working unless i used NVS init function when flash encryption is enabled. Am I right?

No. It is different encryption so old nvs will still work with the non-secure apis.

ESP_Angus · Postby **ESP_Angus** » Tue Oct 30, 2018 10:54 pm

snahmad75 wrote:In my code which I download few months back. I have flash encryption enabled. still I can read NVS. once i get latest code. It will stop working unless i used NVS init function when flash encryption is enabled. Am I right?

You can continue to use the "old" NVS with flash encryption, but the NVS data is not being encrypted.

snahmad75 wrote:ok, you mean it will added to V3.2 when it gets released.

Yes. Master branch is currently "v3.2-dev" (ie development working towards v3.2).

snahmad75 · Postby **snahmad75** » Tue Oct 30, 2018 11:09 pm

good, thanks. got it.

kyklas · Postby **kyklas** » Mon Nov 12, 2018 11:09 pm

I am evaluating the NVS with Encryption ( comparing with regular partition encryption ).

As far as I understand, NVS encryption is a run-time operation if the key is to be auto generated. This would store run-time data.

Any factory data would need to be pre-encrypted which would imply a known key or generate both the NVS and NVS Key at manufacturing time. For almost read-only data, using a standard encrypted data partition ( handled by the flash with flash encryption key ) looks like less work.

I am not able to test the generation of a NVS partition with encryption.

Code: Select all

nvs_partition_gen.py sample.csv sample_encrypted.bin 0x6000  --encrypt True --keyfile mynvs_openssl_key.bin
Traceback (most recent call last):
  File "nvs_partition_gen.py", line 775, in <module>
    main()
  File "nvs_partition_gen.py", line 770, in main
    nvs_part_gen(input_filename, output_filename, input_size, key_gen, is_encrypt_data, key_file, version_no)
  File "nvs_partition_gen.py", line 682, in nvs_part_gen
    key_input = key_f.readline()
  File "/usr/lib/python3.5/codecs.py", line 321, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9a in position 0: invalid start byte

I tested with python2.7 and python3.5 same result.

Developing under Ubuntu 16.04.

Regards,
Stan

Non-volatile storage with flash encryption enabled.

Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Re: Non-volatile storage with flash encryption enabled.

Who is online

About Us

Extra

Information