Extra NVS Partition with Flash Encryption , Can't Init the partition

plusorc
Posts: 22
Joined: Sat Nov 09, 2019 6:27 am

Extra NVS Partition with Flash Encryption , Can't Init the partition

Postby plusorc » Sun Jan 12, 2020 12:16 am

Hello

I'm totally confused about how to manage an extra NVS partition .
As far as I understand the documentation , THE NVS partition (the main one) is not encrypted , So I initialize it with

Code: Select all

nvs_flash_init(); // only for the main NVS even if Flash encryption is enabled


Now my other NVS partition is inited as

Code: Select all

nvs_sec_cfg_t xts_cfg;
nvs_handle_t my_handle;
esp_err_t ret;

key_part = esp_partition_find_first(
                    ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);
                   
ret = nvs_flash_read_security_cfg(key_part, &xts_cfg);
ret = nvs_flash_secure_init(&xts_cfg);

//I try this 
ret = nvs_open_from_partition(key_part->label, "Partition_Saved_Keys", NVS_READONLY, &my_handle);

// or this
ret = nvs_open("Partition_Saved_Keys", NVS_READONLY, &my_handle);
// but they always fail .
I'm not sure what should be done here , All help I could find is here
https://github.com/espressif/esp-idf/bl ... #L311-L384

but I don't get what is happening there .

My flash encryption mode is Development and before enabling flash encryption .. everything was fine
I just don't know how to init the extra NVS partition after flash encryption is enabled .

Is there any code that describes how to handle this in a real situation ? not a Test Case ?

Thank You

plusorc
Posts: 22
Joined: Sat Nov 09, 2019 6:27 am

Re: Extra NVS Partition with Flash Encryption , Can't Init the partition

Postby plusorc » Tue Jan 14, 2020 2:23 am

I looked again at this subject , and I figured out what should be done
create the Key partition and NVS partition , find them in the software and then access them .

but in the Test Case (the link above) , the keys are in a bin format that gets combined with the firmware itself
and then read and written to the NVS partition .

I can't do that , I must have separation between the keys and the firmware .. so Is it possible ?
what I'm doing now goes like this :

I create the NVS partition and encryption keys using the NVS partition generator utility

"cmake"

Code: Select all

COMMAND ${PYTHON_EXECUTABLE} ${part_gen}/nvs_partition_gen.py encrypt ${DIR_ONE_ABOVE}/custom_build/device.csv ${DIR_ONE_ABOVE}/custom_build/nvs_encrypted_partition.bin 0x6000 --keygen --keyfile ${DIR_ONE_ABOVE}/custom_build/nvs_encryption_key.bin


# combine them in the flash stage
esptool_py_flash_project_args("/nvs_dev"  0x320000 ${DIR_ONE_ABOVE}/custom_build/nvs_encrypted_partition.bin FLASH_IN_PROJECT)
esptool_py_flash_project_args("/nvs_keys" 0x370000 ${DIR_ONE_ABOVE}/custom_build/nvs_encryption_key.bin FLASH_IN_PROJECT)
Then in the software

Code: Select all


nvs_part = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, "nvs_dev");
assert(nvs_part);
               
key_part = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, "nvs_keys");
assert(key_part);
                      
ret = nvs_flash_read_security_cfg(key_part, &xts_cfg);
               
ret = nvs_flash_secure_init_partition(nvs_part->label, &xts_cfg);
                // all is OK till now 
initiating the handle always fails

Code: Select all

ret = nvs_open_from_partition(nvs_part->label, "my_keys", NVS_READONLY, &my_handle);

OR

ret = nvs_open("my_keys", NVS_READONLY, &my_handle);
Do I have to combine the data to the Firmware first and then re-write it to the NVS partition encrypted ?

WiFive
Posts: 2947
Joined: Tue Dec 01, 2015 7:35 am

Re: Extra NVS Partition with Flash Encryption , Can't Init the partition

Postby WiFive » Tue Jan 14, 2020 11:43 am

The key partition has to be marked as encrypted and encrypted either before or during flashing. The nvs partition has to be marked as not encrypted and flashed as plaintext (even though the plaintext is actually encrypted outside the scope of flash encryption).

plusorc
Posts: 22
Joined: Sat Nov 09, 2019 6:27 am

Re: Extra NVS Partition with Flash Encryption , Can't Init the partition

Postby plusorc » Tue Jan 14, 2020 2:38 pm

Thank you so much
You're a life saver my friend .. thank you .

I have one more question ..
what is the proper workflow for this ?
right now .. I have a cmake script that writes to the flash during the Build process ! , to escape the encrypt-flash process and flash as a plain text , so .. Ignoring the current case of Flash encryption is activated ..

what is the logical steps that if I follow .. I can eventually flash at one step all the partitions ?
should I work with NVS flash enabled first without Flash Encryption enabled ?


Thanks again

Who is online

Users browsing this forum: Bing [Bot] and 28 guests