
Non-volatile storage with flash encryption enabled.

Posted: Mon Oct 15, 2018 3:55 pm
by snahmad75
Hi,

If I need to read and write NVS while my flash encryption is enabled, what steps do I need to take?

I read https://docs.espressif.com/projects/esp ... flash.html
but did not understand the part about flash encryption being enabled.
But do provide me an example of using it while flash encryption is enabled, that is, when I upload an encrypted partition.bin.

Do I need to check if flash encryption is enabled? Do I have to provide the encryption key in C/C++ to read and write NVS?

Kindly do reply urgently.

Do I populate the nvs_sec_cfg_t struct using the nvs_flash_read_security_cfg or nvs_flash_generate_keys APIs?

For reading/writing any file from the storage area/partition, is there a special fopen to use as well if flash encryption is enabled?


Thanks,
Naeem

Re: Non-volatile storage with flash encryption enabled.

Posted: Mon Oct 15, 2018 9:24 pm
by WiFive

Re: Non-volatile storage with flash encryption enabled.

Posted: Mon Oct 15, 2018 9:33 pm
by snahmad75
OK, thanks. I will try to do the same later: check in the code whether flash encryption is enabled or not.

Re: Non-volatile storage with flash encryption enabled.

Posted: Mon Oct 29, 2018 2:38 pm
by snahmad75

The code I downloaded from the master branch is a few months old. The SDK was updated with NVS flash encryption recently, I guess.
How and where can I get a build which contains the NVS code and compiles, with the whole SDK building successfully?

Code:

#include <assert.h>
#include "esp_err.h"
#include "esp_partition.h"
#include "nvs_flash.h"

// Locate the NVS key partition (subtype nvs_keys) and the NVS data partition.
const esp_partition_t* key_part = esp_partition_find_first(
        ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);
assert(key_part && "partition table must have an nvs_keys partition");

const esp_partition_t* nvs_partition = esp_partition_find_first(
        ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL);
assert(nvs_partition && "partition table must have an NVS partition");

// This erases the whole NVS partition on every run, as the IDF test does;
// an application would not normally erase here.
ESP_ERROR_CHECK(esp_partition_erase_range(nvs_partition, 0, nvs_partition->size));

// Read the XTS keys from the key partition; on first boot the partition is
// still blank, so generate the keys and store them there.
nvs_sec_cfg_t cfg;
esp_err_t err = nvs_flash_read_security_cfg(key_part, &cfg);
if (err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED) {
    // TEST_ESP_OK is a unity test macro; ESP_ERROR_CHECK works outside the test harness.
    ESP_ERROR_CHECK(nvs_flash_generate_keys(key_part, &cfg));
} else {
    ESP_ERROR_CHECK(err);
}
// Initialise NVS with the encryption keys instead of plain nvs_flash_init().
ESP_ERROR_CHECK(nvs_flash_secure_init(&cfg));
Thanks,
Naeem

Re: Non-volatile storage with flash encryption enabled.

Posted: Mon Oct 29, 2018 10:59 pm
by ESP_Angus
snahmad75 wrote: How and where can I get a build which contains the NVS code and compiles, with the whole SDK building successfully?
Currently only master branch (since commit linked above) has NVS encryption support. This will be added to ESP-IDF V3.2.

Re: Non-volatile storage with flash encryption enabled.

Posted: Tue Oct 30, 2018 9:25 am
by snahmad75
In my code, which I downloaded a few months back, I have flash encryption enabled and I can still read NVS. Once I get the latest code, it will stop working unless I use the NVS init function when flash encryption is enabled. Am I right?

OK, you mean it will be added to V3.2 when it gets released.

Re: Non-volatile storage with flash encryption enabled.

Posted: Tue Oct 30, 2018 12:50 pm
by WiFive
snahmad75 wrote: It will stop working unless I use the NVS init function when flash encryption is enabled. Am I right?
No. It is a different encryption, so old NVS will still work with the non-secure APIs.

Re: Non-volatile storage with flash encryption enabled.

Posted: Tue Oct 30, 2018 10:54 pm
by ESP_Angus
snahmad75 wrote: In my code, which I downloaded a few months back, I have flash encryption enabled and I can still read NVS. Once I get the latest code, it will stop working unless I use the NVS init function when flash encryption is enabled. Am I right?
You can continue to use the "old" NVS with flash encryption, but the NVS data is not being encrypted.
snahmad75 wrote: OK, you mean it will be added to V3.2 when it gets released.
Yes. Master branch is currently "v3.2-dev" (i.e. development working towards v3.2).

Re: Non-volatile storage with flash encryption enabled.

Posted: Tue Oct 30, 2018 11:09 pm
by snahmad75
Good, thanks. Got it.

Re: Non-volatile storage with flash encryption enabled.

Posted: Mon Nov 12, 2018 11:09 pm
by kyklas
I am evaluating NVS with encryption (comparing it with regular partition encryption).

As far as I understand, NVS encryption is a run-time operation if the key is to be auto-generated. This would store run-time data.

Any factory data would need to be pre-encrypted, which would imply a known key, or generating both the NVS and NVS key partitions at manufacturing time. For almost read-only data, using a standard encrypted data partition (handled by the flash with the flash encryption key) looks like less work.

I am not able to test the generation of an NVS partition with encryption.

Code:

nvs_partition_gen.py sample.csv sample_encrypted.bin 0x6000  --encrypt True --keyfile mynvs_openssl_key.bin
Traceback (most recent call last):
  File "nvs_partition_gen.py", line 775, in <module>
    main()
  File "nvs_partition_gen.py", line 770, in main
    nvs_part_gen(input_filename, output_filename, input_size, key_gen, is_encrypt_data, key_file, version_no)
  File "nvs_partition_gen.py", line 682, in nvs_part_gen
    key_input = key_f.readline()
  File "/usr/lib/python3.5/codecs.py", line 321, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9a in position 0: invalid start byte
I tested with Python 2.7 and Python 3.5, same result.

Developing under Ubuntu 16.04.

Regards,
Stan
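The traceback above comes from a text-mode readline() over raw key bytes. As an added example (not from this thread and not part of nvs_partition_gen.py), the helper below reads a key file in binary mode and checks it the way the firmware's boot-time read does: 32-byte encryption key, 32-byte tweak key, then a little-endian CRC32 of those 64 bytes, with the rest of the partition erased to 0xFF. The layout and the 0xFFFFFFFF CRC seed follow the documented NVS key partition format and are assumptions here, as are the function names.

```python
import struct
import zlib

KEY_SIZE = 32                 # XTS-AES encryption key and tweak key are 32 bytes each
CRC_OFFSET = 2 * KEY_SIZE     # little-endian CRC32 of the 64 key bytes follows them
MIN_IMAGE_SIZE = CRC_OFFSET + 4

def keys_crc32(key_bytes: bytes) -> int:
    # CRC32 seeded with 0xFFFFFFFF; assumed to be the convention the firmware checks.
    return zlib.crc32(key_bytes, 0xFFFFFFFF) & 0xFFFFFFFF

def build_nvs_keys_image(eky: bytes, tky: bytes, part_size: int = 0x1000) -> bytes:
    """Assemble a key partition image: eky | tky | crc32 | 0xFF padding to part_size."""
    if len(eky) != KEY_SIZE or len(tky) != KEY_SIZE:
        raise ValueError("each key must be exactly %d bytes" % KEY_SIZE)
    body = eky + tky
    image = body + struct.pack("<I", keys_crc32(body))
    if part_size < len(image):
        raise ValueError("partition too small for the key block")
    return image + b"\xff" * (part_size - len(image))

def read_nvs_keys_image(data: bytes) -> dict:
    """Classify an image the way the boot-time read does: blank, corrupt or usable."""
    if len(data) < MIN_IMAGE_SIZE:
        return {"status": "too_short"}
    if data[:KEY_SIZE] == b"\xff" * KEY_SIZE:
        return {"status": "not_initialized"}   # erased flash, cf. ESP_ERR_NVS_KEYS_NOT_INITIALIZED
    body = data[:CRC_OFFSET]
    (stored_crc,) = struct.unpack_from("<I", data, CRC_OFFSET)
    if stored_crc != keys_crc32(body):
        return {"status": "corrupt"}           # key bytes do not match their checksum
    return {"status": "ok", "eky": body[:KEY_SIZE], "tky": body[KEY_SIZE:CRC_OFFSET]}

def load_keys_file(path: str) -> dict:
    # Open in binary mode: a text-mode readline() on raw key bytes is exactly what
    # produced the UnicodeDecodeError in the traceback above.
    with open(path, "rb") as f:
        return read_nvs_keys_image(f.read())

if __name__ == "__main__":
    import tempfile
    # Constructed demo keys (not real secrets): bytes 0x00..0x1f and 0x20..0x3f.
    image = build_nvs_keys_image(bytes(range(32)), bytes(range(32, 64)))
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
    print(load_keys_file(tmp.name)["status"])   # ok
```

Running it against the key file fed to nvs_partition_gen.py tells you whether the file is a blank, corrupt or well-formed key block before anything is flashed.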