NVS encryption key / initialisation problem

hereiam
Posts: 10
Joined: Mon Apr 19, 2021 9:26 pm

NVS encryption key / initialisation problem

Postby hereiam » Mon Apr 19, 2021 9:35 pm

Hello, i use this developpement tools :

esp32 v1
idf 4.2

I have secure boot and flash encrypt mode which works fine.
The program starts correctly.
I have tested several solutions for over a week and still get stuck.

TEST 1
when i put "encrypts" in the partition table for NVS i have a bootloop:

Code: Select all

nvs,      data, nvs, ,  0x6000, 
otadata,  data, ota,     ,        0x2000, 
phy_init, data, phy,     ,        0x1000, 
certs,    data, spiffs,  ,        0x10000, 
fact_cfg, data, spiffs,  ,        0x8000, 
user_cfg, data, spiffs,  ,        0x8000, 
storage,  data, spiffs,  ,        0x10000, 
ota_0,    app,  ota_0,  ,0x280000, 
# ota_0,    app,  ota_0,  ,0x180000, 
# ota_1,    app,  ota_1,   ,        0x180000, 
nvs_key,  data, nvs_keys,         , 0x1000, encrypted

 (55) boot: Partition Table:
 (59) boot: ## Label            Usage          Type ST Offset   Length
 (66) boot:  0 nvs              WiFi data        01 02 00009000 00006000
 (74) boot:  1 otadata          OTA data         01 00 0000f000 00002000
 (81) boot:  2 phy_init         RF data          01 01 00011000 00001000
 (89) boot:  3 certs            Unknown data     01 82 00012000 00010000
 (96) boot:  4 fact_cfg         Unknown data     01 82 00022000 00008000
 (103) boot:  5 user_cfg         Unknown data     01 82 0002a000 00008000
 (111) boot:  6 storage          Unknown data     01 82 00032000 00010000
 (119) boot:  7 ota_0            OTA app          00 10 00050000 00280000
 (126) boot:  8 nvs_key          NVS keys         01 04 002d0000 00001000
default code:

Code: Select all

(1020) flash_encrypt: Flash encryption mode is DEVELOPMENT (not secure)
(1022) spi_flash: detected chip: generic
(1023) spi_flash: flash io: dio
 (1027) cpu_start: Starting scheduler on PRO CPU.
(0) cpu_start: Starting scheduler on APP CPU.

abort() was called at PC 0x4012b07a on core 0
offending part of the program :

Code: Select all

   esp_err_t err = nvs_flash_init();
  
 if (err == ESP_ERR_NVS_NO_FREE_PAGES || err == ESP_ERR_NVS_NEW_VERSION_FOUND) {
        // NVS partition was truncated and needs to be erased
        // Retry nvs_flash_init
        ESP_ERROR_CHECK(nvs_flash_erase());
        err = nvs_flash_init();
    }
    ESP_ERROR_CHECK( err );
-------------------------------------
TEST 2 :

identical partition table
I modified the program by adding this :

Code: Select all

		esp_err_t nvs_secure_initialize() {
    static const char *nvs_tag = "nvs";
    esp_err_t err = ESP_OK;

    // 1. find partition with nvs_keys
    const esp_partition_t *partition = esp_partition_find_first(ESP_PARTITION_TYPE_DATA,
                                                                ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS,
                                                                "nvs_key");
    if (partition == NULL) {
        ESP_LOGE(nvs_tag, "Could not locate nvs_key partition. Aborting.");
        return ESP_FAIL;
    }

    // 2. read nvs_keys from key partition
    nvs_sec_cfg_t cfg;
    if (ESP_OK != (err = nvs_flash_read_security_cfg(partition, &cfg))) {
        ESP_LOGE(nvs_tag, "Failed to read nvs keys (rc=0x%x)", err);
        return err;
    }

    // 3. initialize nvs partition
    if (ESP_OK != (err = nvs_flash_secure_init(&cfg))) {
        ESP_LOGE(nvs_tag, "failed to initialize nvs partition (err=0x%x). Aborting.", err);
        return err;
    };

    return err;
}
and in the main :

Code: Select all

   esp_err_t err = nvs_secure_initialize();
    if (err != ESP_OK) {
        ESP_LOGE("main", "Failed to initialize nvs (rc=0x%x). Halting.", err);
        while(1) { vTaskDelay(100); }
    }
without changing the partition table I have another error:

Code: Select all

	I (0) cpu_start: Starting scheduler on APP CPU.
E (1042) nvs: Failed to read nvs keys (rc=0x1117)
E (1052) main: Failed to initialize nvs (rc=0x1117). Halting.
I test to flash the keys of nvs like this:

Code: Select all


 python nvs_partition_gen.py generate nvs.csv nvs.bin 0x11000
 python nvs_partition_gen.py encrypt nvs.csv encrypted_nvs.bin 0x11000 --keygen --keyfile nvs_keys.bin
 esptool.py -p com13 --before default_reset --after no_reset write_flash 0x11000 encrypted_nvs.bin
 esptool.py -p com13 --before default_reset --after no_reset write_flash 0x2d0000 nvs_keys.bin
my test nvs.csv :

Code: Select all

# NVS csv file
key,type,encoding,value
fctryNamespace,namespace,,
serial_number,data,string,AE12A21D3D4F
mac_addr,data,string,0F:0B:01:0D:0E:0F
I dont know if my nvs.csv example is good.

Maybe I'm wrong in the offset?

Thanks for your help

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: NVS encryption key / initialisation problem

Postby WiFive » Tue Apr 20, 2021 5:50 am

You have to encrypt nvs_keys.bin if you already turned on flash encryption.

According to your log your phy_init partition is at 0x11000

Code: Select all

(81) boot:  2 phy_init         RF data          01 01 00011000 00001000

hereiam
Posts: 10
Joined: Mon Apr 19, 2021 9:26 pm

Re: NVS encryption key / initialisation problem

Postby hereiam » Tue Apr 20, 2021 10:04 am

Hello, thank you for your response,

i've encrypted the nvs_key.bin with these command :

Code: Select all

  espsecure.py encrypt_flash_data --keyfile my_flash_encryption_key.bin --address 0x2d0000 -o encrypted_nvs_6.bin nvs_keys.bin
  
  esptool.py --port com13 --baud 460800 write_flash 0x2d0000 encrypted_nvs_6.bin
and the esp32 still in bootloop
(1041) cpu_start: Starting scheduler on PRO CPU.
(0) cpu_start: Starting scheduler on APP CPU.

abort() was called at PC 0x4012b07a on core 0
I've two qquestions about security :

Who can tell me if the secure boot is enable and the flash ecrypt is enable too, can someone successfully "hack" the esp32 without the NVS encryption?
I read in some Espressif documentation that once memory encryption is enabled, it is not useful to enable NVS encryption unless I misunderstood.

Thanks for your help

Who is online

Users browsing this forum: Google [Bot], linrh321 and 115 guests