Failed to read NVS security cfg after migration 5.1->5.5

dizcza
Posts: 63
Joined: Tue Sep 07, 2021 6:59 pm

Failed to read NVS security cfg after migration 5.1->5.5

Postby dizcza » Tue Jun 16, 2026 5:40 am

I have lots of

```text
nvs: Failed to read NVS security cfg: [0x102] (ESP_ERR_INVALID_ARG)
```
after I migrated from v5.1 to v5.5 with security enabled (both full release and development).

```text
 (622) quad_psram: This chip is ESP32-D0WD
I (622) esp_psram: Found 8MB PSRAM device
I (622) esp_psram: Speed: 40MHz
I (622) esp_psram: PSRAM initialized, cache is in low/high (2-core) mode.
W (628) esp_psram: Virtual address not enough for PSRAM, map as much as we can. 4MB is mapped
I (636) cpu_start: Multicore app
I (1518) esp_psram: SPI SRAM memory test OK
I (1532) cpu_start: GPIO 3 and 1 are used as console UART I/O pins
I (1532) cpu_start: Pro cpu start user code
I (1532) cpu_start: cpu freq: 160000000 Hz
I (1534) app_init: Application information:
I (1538) app_init: Project name:     esp32-sdpsensor
I (1543) app_init: App version:      bc6e086
I (1547) app_init: Compile time:     Jun 14 2026 09:34:04
I (1552) app_init: ELF file SHA256:  90d48a5d9f6a6ae7...
I (1557) app_init: ESP-IDF:          v5.5.4-1063-ge2face00fa1
I (1562) efuse_init: Min chip rev:     v3.0
I (1566) efuse_init: Max chip rev:     v3.99
I (1570) efuse_init: Chip rev:         v3.1
I (1575) heap_init: Initializing. RAM available for dynamic allocation:
I (1581) heap_init: At 3FFAE6E0 len 00001920 (6 KiB): DRAM
I (1586) heap_init: At 3FFB9918 len 000266E8 (153 KiB): DRAM
I (1591) heap_init: At 3FFE0440 len 00003AE0 (14 KiB): D/IRAM
I (1597) heap_init: At 3FFE4350 len 0001BCB0 (111 KiB): D/IRAM
I (1602) heap_init: At 4009AD70 len 00005290 (20 KiB): IRAM
I (1608) esp_psram: Adding pool of 4042K of PSRAM memory to heap allocator
W (1615) spi_flash: Detected winbond flash chip but using generic driver. For optimal functionality, enable `SPI_FLASH_SUPPORT_WINBOND_CHIP` in menuconfig
I (1628) spi_flash: detected chip: generic
I (1631) spi_flash: flash io: dio
I (1635) flash_encrypt: Flash encryption mode is RELEASE
W (1642) nvs: Failed to read NVS security cfg: [0x102] (ESP_ERR_INVALID_ARG)
I (1646) nvs: Generating NVS encr-keys...
E (1650) nvs: Failed to generate NVS encr-keys: [0x102] (ESP_ERR_INVALID_ARG)
```
Eventually, the app crashes with

```text
W (00:09:07.979) nvs: Failed to read NVS security cfg: [0x102] (ESP_ERR_INVALID_ARG)
E (00:09:07.981) nvs: Failed to generate NVS encr-keys: [0x102] (ESP_ERR_INVALID_ARG)
W (00:09:07.984) wifi_creds: nvs_read_wifi_creds line 81: ESP_ERR_INVALID_ARG
W (4195) wifi:wifi osi_nvs_open fail ret=4353

W (00:09:07.995) wifi_init: Failed to unregister Rx callbacks
E (00:09:08.001) wifi_init: Failed to deinit Wi-Fi driver (0x3001)
E (00:09:08.006) wifi_init: Failed to deinit Wi-Fi (0x3001)
W (00:09:08.012) wifi_sta: wifi_sta_start line 198: ESP_ERR_NVS_NOT_INITIALIZED
E (00:09:08.019) esp_netif_lwip: esp_netif_new_api: Failed to configure netif with config=0x3ffbeb40 (config or if_key is NULL or duplicate key)

assert failed: esp_netif_create_default_wifi_sta wifi_default.c:422 (netif)


Backtrace: 0x4008d0ed:0x3ffbe9e0 0x4008d081:0x3ffbea00 0x40093c75:0x3ffbea20 0x4013d29f:0x3ffbeb40 0x400df5f3:0x3ffbeb70 0x400d871b:0x3ffbed70 0x401cb9be:0x3ffbee10 0x401cc1a2:0x3ffbee40
--- 0x4008d0ed: panic_abort at /home/dizcza/tools/esp-idf/components/esp_system/panic.c:477
--- 0x4008d081: esp_system_abort at /home/dizcza/tools/esp-idf/components/esp_system/port/esp_system_chip.c:87
--- 0x40093c75: __assert_func at /home/dizcza/tools/esp-idf/components/newlib/src/assert.c:81
--- 0x4013d29f: esp_netif_create_default_wifi_sta at /home/dizcza/tools/esp-idf/components/esp_wifi/src/wifi_default.c:422
--- 0x400df5f3: wifi_sta_start at /home/dizcza/Projects/Embedded/espressif-workspace/esp32-sdpsensor-secure/components_esp32/wifi_sta/wifi_sta.c:195
--- 0x400d871b: start_wifi_sta at /home/dizcza/Projects/Embedded/espressif-workspace/esp32-sdpsensor-secure/main/main.c:80
--- (inlined by) app_main at /home/dizcza/Projects/Embedded/espressif-workspace/esp32-sdpsensor-secure/main/main.c:108
--- 0x401cb9be: main_task at /home/dizcza/tools/esp-idf/components/freertos/app_startup.c:215
--- 0x401cc1a2: vPortTaskWrapper at /home/dizcza/tools/esp-idf/components/freertos/FreeRTOS-Kernel/portable/xtensa/port.c:143
```
And I think this is due to the NVS config error I mentioned. Note that the same code works fine with no security enabled. I've read the NVS Security migration guide 5.1->5.2 and haven't found any further steps I need to do for my setup. I already had nvs_keys in my partitions (I haven't changed the partition table):

```csv
# Name,   Type, SubType, Offset,   Size, Flags
# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
nvs,      data, nvs,     ,        0x4000,
nvs_key,  data, nvs_keys,,        0x1000, encrypted,
otadata,  data, ota,     ,        0x2000,
phy_init, data, phy,     ,        0x1000,
ota_0,    app,  ota_0,   ,        0x1e0000,
ota_1,    app,  ota_1,   ,        0x1e0000,
coredump, data, coredump,,        64K, encrypted
```
This renders to

```csv
# ESP-IDF Partition Table
# Name, Type, SubType, Offset, Size, Flags
nvs,data,nvs,0xd000,16K,
nvs_key,data,nvs_keys,0x11000,4K,encrypted
otadata,data,ota,0x12000,8K,
phy_init,data,phy,0x14000,4K,
ota_0,app,ota_0,0x20000,1920K,
ota_1,app,ota_1,0x200000,1920K,
coredump,data,coredump,0x3e0000,64K,encrypted
```
And according to the docs, it should work. Not sure if this is an issue or I'm still doing something wrong, hence decided to ask on the forum first. I have already bricked one security-enabled device (cannot start wifi due to this error and hence no OTA update) and have 6 more devices I need to migrate from 5.1 to 5.5 with security already enabled (3 devices release mode and 3 development).

My WiFi and NVS related code:

```c
#include "esp_err.h"
#include "esp_event.h"
#include "esp_netif.h"
#include "esp_wifi.h"
#include "nvs_flash.h"

esp_err_t bsp_nvs_flash_init(void) {
    esp_err_t err = nvs_flash_init();
    if (err == ESP_ERR_NVS_NO_FREE_PAGES || err == ESP_ERR_NVS_NEW_VERSION_FOUND) {
        // NVS partition was truncated and needs to be erased
        // Retry nvs_flash_init
        nvs_flash_erase();
        err = nvs_flash_init();
    }
    return err;
}

// Start-up sequence, called from app_main(). wifi_sta is the component's
// state struct that holds the netif handle (its type name is not shown here).
bsp_nvs_flash_init();   // return value is not checked: the ESP_ERR_INVALID_ARG from
                        // the NVS security cfg failure above is dropped here

ESP_ERROR_CHECK(esp_netif_init());

esp_event_loop_create_default();
wifi_sta->netif = esp_netif_create_default_wifi_sta();

wifi_init_config_t cfg = WIFI_INIT_CONFIG_DEFAULT();
ESP_ERROR_CHECK(esp_wifi_init(&cfg));
```
How should I fix NVS and Wi-Fi-related issues on devices with security enabled when migrating from 5.1 to 5.5?

ESP_rrtandler
Posts: 53
Joined: Wed May 31, 2023 6:54 pm

Re: Failed to read NVS security cfg after migration 5.1->5.5

Postby ESP_rrtandler » Mon Jun 22, 2026 11:49 am

Hi @dizcza ,

The IDF 5.2 has added one more indirection inside the nvs security. The concept is called nvs_security_provider.

The on-flash format is identical — read_security_cfg_flash_enc() in 5.2 ultimately calls the same nvs_flash_read_security_cfg() against the same nvs_keys partition. So if the 5.2 build is configured correctly (CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y, scheme registered), migration is seamless: the 5.1-written keys are read, the 5.1-encrypted NVS is decrypted, everything works.

The breakage is entirely in the new indirection layer:

In 5.1, key acquisition was unconditional and built into nvs_flash_init().
In 5.2, it depends on a separately-registered default scheme. When the project's sdkconfig is regenerated during the upgrade, the brand-new CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME choice is resolved from Kconfig defaults. If CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC doesn't end up effectively set (it depends on SECURE_FLASH_ENC_ENABLED, or it lands on NONE), no scheme is registered → nvs_sec_default_scheme_cfg has null callbacks → nvs_flash_read_security_cfg_v2() returns 0x102 (ESP_ERR_INVALID_ARG) → the 5.2 "regenerate on any error" branch runs nvs_flash_generate_keys_v2(), which also returns 0x102 → nvs_flash_init() fails → Wi-Fi creds can't be read → the esp_netif_create_default_wifi_sta assert.

Please check the sdkconfig of your IDF 5.2-based upgrade for the presence and values of:
CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME
CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC

If these are not present, start menuconfig, navigate to "Component config -> NVS Security Provider" and set "Key protection scheme" to "Using Flash Encryption". In order to see the settings, flash encryption has to be enabled (this part is set in your project already).
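A pre-flash check written for this thread (not from ESP-IDF or either poster) that applies the advice above to a build's sdkconfig before an OTA image goes to a device that already has flash encryption and encrypted NVS: it fails when the flash-encryption-backed key scheme is absent, which is exactly the state a regenerated sdkconfig lands in when nvs_sec_provider is not part of the build. The sample sdkconfig fragments are constructed; CONFIG_SECURE_FLASH_ENC_ENABLED and CONFIG_NVS_ENCRYPTION are standard ESP-IDF symbols, the other two are the ones named in the reply.

```sh
#!/bin/sh
# check_nvs_sec_cfg <sdkconfig> : exit 0 when the NVS key handling in this
# build matches what a 5.1-provisioned, flash-encrypted device expects.
check_nvs_sec_cfg() {
    cfg="$1"
    # No flash encryption: 5.1-style plain NVS, no key scheme involved.
    if ! grep -q '^CONFIG_SECURE_FLASH_ENC_ENABLED=y' "$cfg"; then
        echo "ok: flash encryption off, no NVS key scheme needed"
        return 0
    fi
    # Encrypted device: NVS encryption must still be on, otherwise the
    # nvs_keys partition written by 5.1 is simply ignored.
    if ! grep -q '^CONFIG_NVS_ENCRYPTION=y' "$cfg"; then
        echo "FAIL: flash encryption on but CONFIG_NVS_ENCRYPTION not set"
        return 1
    fi
    # The 5.2+ indirection: this option belongs to the
    # CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME choice and is only emitted at all
    # when the nvs_sec_provider component is in the build. Missing or off
    # means no scheme is registered and nvs_flash_init() returns 0x102.
    if ! grep -q '^CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y' "$cfg"; then
        echo "FAIL: CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC missing or off"
        echo "      (REQUIRES nvs_sec_provider, then enable it in menuconfig)"
        return 1
    fi
    echo "ok: flash-encryption-backed NVS key scheme enabled"
    return 0
}

# Constructed sample sdkconfig fragments: one as a regenerated upgrade
# without the scheme, one after the fix.
write_samples() {
    dir="$1"
    printf '%s\n' 'CONFIG_SECURE_FLASH_ENC_ENABLED=y' \
        'CONFIG_NVS_ENCRYPTION=y' > "$dir/sdkconfig.regen"
    printf '%s\n' 'CONFIG_SECURE_FLASH_ENC_ENABLED=y' \
        'CONFIG_NVS_ENCRYPTION=y' \
        'CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y' > "$dir/sdkconfig.fixed"
}

tmp=$(mktemp -d)
write_samples "$tmp"
check_nvs_sec_cfg "$tmp/sdkconfig.regen" || echo "-> do not flash this image"
check_nvs_sec_cfg "$tmp/sdkconfig.fixed"
```

Run it against the real build/sdkconfig of each of the remaining boards before triggering the OTA update, since a device that fails NVS init has no Wi-Fi and therefore no second OTA chance.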

dizcza
Posts: 63
Joined: Tue Sep 07, 2021 6:59 pm

Re: Failed to read NVS security cfg after migration 5.1->5.5

Postby dizcza » Mon Jun 22, 2026 5:21 pm

Wow, thanks for the detailed route of where the error comes from and the steps I need to do. I didn't have the CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME key in my menuconfig at all. I read the docs and added

```cmake
REQUIRES nvs_sec_provider
```
After that, it's set to "Using Flash Encryption". And I guess the error should be resolved if I just re-upload the OTA image with this flag enabled and call the OTA update for my old v5.1 boards. I'll definitely try this once I have my boards with me.

Many thanks!
