Page 1 of 1
Prevent Modification of NVS Data
Posted: Tue Aug 20, 2019 2:23 pm
by GerryTitan
Hello,
Is there a way to prevent unauthorized modification of data in the NVS partition (for example, via esptool write_flash)?
Thanks.
Re: Prevent Modification of NVS Data
Posted: Tue Aug 20, 2019 6:54 pm
by jcsbanks
You could encrypt it.
Re: Prevent Modification of NVS Data
Posted: Tue Aug 20, 2019 9:08 pm
by GerryTitan
jcsbanks wrote: ↑Tue Aug 20, 2019 6:54 pm
You could encrypt it.
That's true, but there is still the possibility that an attacker can modify/corrupt the data, right?
Re: Prevent Modification of NVS Data
Posted: Tue Aug 20, 2019 9:30 pm
by WiFive
If NVS encryption is not used, it is possible for anyone with physical access to the flash chip to alter, erase, or add key-value pairs. With NVS encryption enabled, it is not possible to alter or add a key-value pair and get recognized as a valid pair without knowing corresponding NVS encryption keys. However, there is no tamper-resistance against the erase operation.
Re: Prevent Modification of NVS Data
Posted: Tue Aug 20, 2019 10:07 pm
by GerryTitan
Is it possible to just disable the UART interface to the chip so that physical tampering is impossible?
Re: Prevent Modification of NVS Data
Posted: Wed Aug 21, 2019 12:08 am
by WiFive
No, and even if you did it would be possible to connect directly to the flash chip. For some physical protection you'd have to encapsulate.
Re: Prevent Modification of NVS Data
Posted: Wed Aug 21, 2019 12:20 am
by GerryTitan
Okay, thank you for the explanation. I guess apps should just be robust enough to anticipate tampering/erasing of NVS data. I will consider this for the future.