From 72f703ccd49a957782a4571559c94e707c601526 Mon Sep 17 00:00:00 2001 From: Laukik Hase Date: Sun, 16 Apr 2023 11:41:11 +0530 Subject: [PATCH] nvs_flash: Extended test-app and host tests for the HMAC-based NVS encr-keys protection scheme --- .gitlab/ci/dependencies/dependencies.yml | 1 + .gitlab/ci/rules.yml | 71 +++ .gitlab/ci/target-test.yml | 16 + .../nvs_flash/test_apps/main/CMakeLists.txt | 8 +- .../main/partition_encrypted_hmac.bin | Bin 0 -> 24576 bytes .../test_apps/main/partition_plaintext.bin | Bin 0 -> 8192 bytes .../nvs_flash/test_apps/main/test_nvs.c | 239 ++++++++-- ....csv => partitions_nvs_encr_flash_enc.csv} | 0 .../nvs_flash/test_apps/pytest_nvs_flash.py | 24 +- ... => sdkconfig.ci.nvs_encr_flash_enc_esp32} | 8 +- ...> sdkconfig.ci.nvs_encr_flash_enc_esp32c3} | 8 +- .../sdkconfig.ci.nvs_encr_hmac_esp32c3 | 24 + components/nvs_flash/test_nvs_host/Makefile | 6 +- .../nvs_flash/test_nvs_host/test_nvs.cpp | 423 ++++++++++++++++++ conftest.py | 1 + 15 files changed, 765 insertions(+), 64 deletions(-) create mode 100644 components/nvs_flash/test_apps/main/partition_encrypted_hmac.bin create mode 100644 components/nvs_flash/test_apps/main/partition_plaintext.bin rename components/nvs_flash/test_apps/{partitions_nvs_encr_keys_flash_enc.csv => partitions_nvs_encr_flash_enc.csv} (100%) rename components/nvs_flash/test_apps/{sdkconfig.ci.nvs_encr_keys_flash_enc_esp32 => sdkconfig.ci.nvs_encr_flash_enc_esp32} (65%) rename components/nvs_flash/test_apps/{sdkconfig.ci.nvs_encr_keys_flash_enc_esp32c3 => sdkconfig.ci.nvs_encr_flash_enc_esp32c3} (65%) create mode 100644 components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_esp32c3 diff --git a/.gitlab/ci/dependencies/dependencies.yml b/.gitlab/ci/dependencies/dependencies.yml index 8220351063..2cd4cd47c0 100644 --- a/.gitlab/ci/dependencies/dependencies.yml +++ b/.gitlab/ci/dependencies/dependencies.yml @@ -141,6 +141,7 @@ build:integration_test: - flash_multi - ecdsa - ccs811 # pytest*ccs811* + - nvs_encr_hmac patterns: - "{0}-{1}-{2}" - "{0}-{2}" diff --git a/.gitlab/ci/rules.yml b/.gitlab/ci/rules.yml index 61b91ac9cc..a04b20b9a9 100644 --- a/.gitlab/ci/rules.yml +++ b/.gitlab/ci/rules.yml @@ -320,6 +320,15 @@ - "components/efuse/**/*" - "components/mbedtls/port/ecdsa/*" +.patterns-component_ut-nvs_encr_hmac: &patterns-component_ut-nvs_encr_hmac + - "components/nvs_flash/**/*" + - "components/nvs_sec_provider/**/*" + +.patterns-example_test-nvs_encr_hmac: &patterns-example_test-nvs_encr_hmac + - "components/nvs_flash/**/*" + - "components/nvs_sec_provider/**/*" + - "examples/security/nvs_encryption_hmac/**/*" + ############## # if anchors # ############## @@ -627,6 +636,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -662,6 +673,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -696,6 +709,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -730,6 +745,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -764,6 +781,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -798,6 +817,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -832,6 +853,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -866,6 +889,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -1145,6 +1170,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1188,6 +1215,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1230,6 +1259,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1273,6 +1304,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1315,6 +1348,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1357,6 +1392,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1399,6 +1436,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1441,6 +1480,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1544,6 +1585,8 @@ changes: *patterns-component_ut - <<: *if-dev-push changes: *patterns-component_ut-flash_multi + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-component_ut-sdio - <<: *if-dev-push @@ -1562,6 +1605,8 @@ changes: *patterns-example_test-ethernet - <<: *if-dev-push changes: *patterns-example_test-i154 + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac - <<: *if-dev-push changes: *patterns-example_test-sdio - <<: *if-dev-push @@ -1997,6 +2042,19 @@ - <<: *if-dev-push changes: *patterns-component_ut-flash_multi +.rules:test:component_ut-esp32c3-nvs_encr_hmac: + rules: + - <<: *if-revert-branch + when: never + - <<: *if-protected + - <<: *if-label-build-only + when: never + - <<: *if-label-component_ut + - <<: *if-label-component_ut_esp32c3 + - <<: *if-label-target_test + - <<: *if-dev-push + changes: *patterns-component_ut-nvs_encr_hmac + .rules:test:component_ut-esp32c3-sdio: rules: - <<: *if-revert-branch @@ -2501,6 +2559,19 @@ when: never - <<: *if-example_test-ota-include_nightly_run-rule +.rules:test:example_test-esp32c3-nvs_encr_hmac: + rules: + - <<: *if-revert-branch + when: never + - <<: *if-protected + - <<: *if-label-build-only + when: never + - <<: *if-label-example_test + - <<: *if-label-example_test_esp32c3 + - <<: *if-label-target_test + - <<: *if-dev-push + changes: *patterns-example_test-nvs_encr_hmac + .rules:test:example_test-esp32c3-sdio: rules: - <<: *if-revert-branch diff --git a/.gitlab/ci/target-test.yml b/.gitlab/ci/target-test.yml index ca1cdb0c36..97203f7367 100644 --- a/.gitlab/ci/target-test.yml +++ b/.gitlab/ci/target-test.yml @@ -410,6 +410,14 @@ pytest_examples_esp32c3_flash_encryption: - build_pytest_examples_esp32c3 tags: [ esp32c3, flash_encryption ] +pytest_examples_esp32c3_nvs_encr_hmac: + extends: + - .pytest_examples_dir_template + - .rules:test:example_test-esp32c3-nvs_encr_hmac + needs: + - build_pytest_examples_esp32c3 + tags: [ esp32c3, nvs_encr_hmac ] + pytest_examples_esp32s2_usb_device: extends: - .pytest_examples_dir_template @@ -844,6 +852,14 @@ pytest_components_esp32c3_flash_encryption: - build_pytest_components_esp32c3 tags: [ esp32c3, flash_encryption ] +pytest_components_esp32c3_nvs_encr_hmac: + extends: + - .pytest_components_dir_template + - .rules:test:component_ut-esp32c3-nvs_encr_hmac + needs: + - build_pytest_components_esp32c3 + tags: [ esp32c3, nvs_encr_hmac ] + pytest_components_esp32c3_flash_multi: extends: - .pytest_components_dir_template diff --git a/components/nvs_flash/test_apps/main/CMakeLists.txt b/components/nvs_flash/test_apps/main/CMakeLists.txt index 1553014c85..093fc198ba 100644 --- a/components/nvs_flash/test_apps/main/CMakeLists.txt +++ b/components/nvs_flash/test_apps/main/CMakeLists.txt @@ -1,8 +1,10 @@ idf_component_register(SRC_DIRS "." - PRIV_REQUIRES cmock test_utils nvs_flash bootloader_support spi_flash - EMBED_TXTFILES encryption_keys.bin partition_encrypted.bin sample.bin + PRIV_REQUIRES cmock test_utils nvs_flash nvs_sec_provider + bootloader_support spi_flash + EMBED_TXTFILES encryption_keys.bin partition_encrypted.bin + partition_encrypted_hmac.bin sample.bin WHOLE_ARCHIVE) -if(CONFIG_NVS_ENCRYPTION) +if(CONFIG_NVS_ENCRYPTION OR CONFIG_SOC_HMAC_SUPPORTED) target_link_libraries(${COMPONENT_LIB} PUBLIC idf::mbedtls) endif() diff --git a/components/nvs_flash/test_apps/main/partition_encrypted_hmac.bin b/components/nvs_flash/test_apps/main/partition_encrypted_hmac.bin new file mode 100644 index 0000000000000000000000000000000000000000..6b9a14c86742ab631375686b1d8ae4f12996d98b GIT binary patch literal 24576 zcmeI$RZLycn!s_OI4w}zU5ZO_mtw`;-CCUD&cWT?-J!U<77E3+xH|_sILy6|b0>FR zZZesN{k^PYC2M8n_pm zMz(2oCB|V2;np6G{emul~?R z-Cgd4%P+l-WNk18vm&2mO^IIiW*zdkvEN z*G3vu9#K#7NSX_@P+#YM+``dzE-D@3&&F9~Vk|ycAeyd$B5-(V8@yf}*fdL~xmUj6 zg%=kiGl%&$rv~4GVr#U}mv{@Cc>Sv@VL$)Lquq7IrapSK#3Q6M;UHTApHwY7!|$a zJwo-ntzARDFB&bAFY91f)~PF+T#|`2LAe3J4y0!MR_oz1HlhNa02fvZjtDkn&1~Hf z*tm_PZ|s}_*)swcWy*M~O#JtW<+rDi@Os1JB=f?BvF*fAqWs=i-S7)!KYQ-9L<4$? zi@wSola*`*&B|NDC4E3{u|>&snmreMcX6;QjsCrMo1)CTgn`kKS9=Up)&DJ#dQmjO zVDa_3+1IQ#h(LVlVC6x_`8;_$k|Y4q^hv}D!GvvkQ$|zgj)|(JsgV2wI?BRouB$BD z=I>M-j#HR4=95#6H^)rV#)6-|V#e!BebdAOQh$o2f}S5WUbGK~tFsz?HFYWB)AS#+ zds9|GW<{9shDq{=HE!|@;z4c7Z#)>2=G*@ImZwim$|-DFs%`EQPi`l~84y^wKWn?_ zgy7kUTvw)I%$xc{;Whb*Hcm~-s$Sa%|FQRn_Y-i+x-3$m#0Y`Cj6}U zdK>(*)`1g-MT8Qb{>X_rOXKR*-7{9{`~EPb#G`TiMocB^M#fWdjSDGKvkc;T-H2mP z++@3OjuyUH5A_p^15_Ibv=G~7Wqd)B`JTUGbtoTBvSCT(WC?8g@nvN_FU26EvR*!1 zU}&0kT(p$XleJvU6Uv{uTQZL4k-?LROV(PXU=~u+AOaK`IIVgGqX%|GrO-8{aB{yt z9?DO2sJ#?~BG@stv8mzcOh`M8C$oGTjU*>$WynXAJqBy@vDS z#ZSepZ_dn#Z5_YFSZK}`l8s525h{yPL5RIEmHiPXI#Z}hN zd*{q2DUqNOGMvYBR!rl`i`98|*9Pjw;b)MNk}U)!3s!%6&gfgR(@6yk$!9tWj%Pkc2)FJhFZfJ zdThkXQDq&<&{y3b%ekWJ^>4=$lMc0WO!+|O8M|Vho3#>!HWWsiwpLthix-ozN^An2 zQNtX?;T+#?)9Ijme3X;}L6sbkRnT!b$SDTAd~GGJr=%3U+6#CP(rd^8+ zr&bt25&0~6U0~wk9p_AT$RE8HcY_?!WP+Q z+wUg6BR)VYjTP}Gtw~^TfD>3-7^;j{Aq#VgsDp8s?ODByV$^}8wk0VV7?GWxiB^|! z+zRB7at0dcsw3{{45aFK1D^B|Fgp7dg*dvDlO7*PV1oN>E#uzPRo z!~XZ^FqGyCCB%E{Zb!&ePrYGus^>o{5@OZAeGXs#(JCrCZ08BW>POY9hx|K){OQK9D(AMxEb7llt2`kko1 z_RwL{^lO75t&NR4O3BV=>!0CcZl}o*F9KkEM_LE2ZL{gv^=AIBm5LT!>R4A9h9ViNDY^cPcrB*4-M_%On{QfNxdPb zZ2hn|``ci(6XQhb;MnvM8(KXky`SjlC-NgRCOFt-ouc*8`JX**zSpj&ENcdDa^g`u zkga`FO?vwkIp&_cfdXf4H=#B(Ha_qMtW}JI`taaBwnZgO;5BMHLB;x^B{WLI>mm!> zR6Z`ZpG#Tdr!+dglWQe9!yD7qnbj*WZ=?W-S;10dUDh&JoZAFPFkjB*QP~C+6GM7y z+C9TakFyoR9B2TC>GZK`mQn6}eFlDU;zuC}lA|elY6W@BW>xpemU{5&hh4e}scV95 zsf{%YUr8mTKc*#w{XVQ1Z?jT@T=r+Tb}ZY61Bw71YCZauB(ak}C$`Z7{a}+^C=NRpcJ6o|ae zf;=+a^SFDf(Z>dPW-aiUH<-~>;=1c*RhC6-dm9*Lz4r9B$zQy$uuv7--$HLWIdXNu zei};Ukm|xgvf!0g`Yn}ikMCDqFjIL3(jvz-1+mCN@)uJeejSnE53W7yb=7G)kxajA z@waoA@#|*h&3lYd6&K&L&0?Fk->Fiwn_T16*s{0NheVCXN*Wp~XK}jp)8q|EdHs^& z;F8>6vwry%ZB{mr#eSUcFH;kEL!8(COeDfnO5y$<3U6COC-(b^(bweWI*ZXnPc}Wu zr5z|WH|TWJ9A&x^eH{pd;fE~k;`#1Le&!G&Wbeg*>K*8w0lexn)+Ef~YWIeq*8rKN zKgyf3?BLt1Lzy6Ra{nUacK(QlqnXAmJimCOEnvp;*E8^LuSmlF-9g^jZ!C{#{NC4R zx*Ob#(h9!WbOh)qO`H+gWO7Bhg7@^G7W=Glv0f(0{Da53)cL4aLoMO3n6+&g?gWaW9aC_EI${K>7?3(Kg=)1}b=X*#fFG7+nQf@HK$@C`AtKgr-O z37Z&2Zjqo-cq)?j$vi5VWb3};|cP{4l zk@rp%PF{>je#_Jg-~C$s9g07h`S$9NxsN<(`$HeR)s!km?-Y7VaA0`mQ5&MRzab$z z*;1;&%IuCpJ_-_n%jHiIe*xm@TYWSIl^R#hmka@gF-No)4jylOn9|g(Qv4=7xt!# zHPv=R*>wELdl86{CR(-U+p6h+NJXXEn6M0i2Vc;p))D_1z+9Dt=^LNv_v#vUsb20@ zT+&bVgCz@bZMa;sR5)$?Bo&jVE~gp1<=Orq7El=YqtM>TsK=vMJp!Xh1+HY~OK)HZ z?_tQf{3F7U{|*zO&DST;G>>e~N6ik3K(E6N*soebgm&L|Xng1KPa_BP-*r7tXZBRP zZJ*onz;)_r zl2_7NUI&OOrSO}E{e0C%P?Z}fzG9dA0edybxev9?oNqQO5>ECKM!`hX=x2S)#HOL1 zi0IW60K?-!x9wuV{`^y-=9?g+!R?wkYZ{oPLl{mxuQTHKx$@DQp#;?{3{UqJUsO+} zdumqX{hc{o-ZbC7ve(dO2oDU|a7W2NuG_uA%?He0G(r~~{&V`HAgB&@;qatUmEXoY zG;%CjZzHuJFiUsGqLF6!t%3s!OxVryKcXM{-}HZ>bS}?-&;R3p{YCJ$wkY&fiubGB z_krkpHAK-YXb7H%;51Bd@Ino5o9NfUt!e+Ce}A_@`WF2t&B=4N?NwQy449XM4>`DN$311$@MTb>_0I&>#34oDr{hD&*>pd8cTNu z7NeA+j%;)GT#)9KlrpN&h1d!HmPcCRarw+OWUoEG7RB3vdVcIAD7R-iv;$XdrP4Bz zGOI&*BV!^(%XMsCx)WEl`-;@;#IJPVSD5^eE`rld8stPN_7%1(`GAS9s(Tvph2$F@ ziH35X_iX%$NFwtoE;004at)%=8DstRY5EEann1jYp5NMDVFS%C1Sc{p_a0rBk7a_z zDG5_pYMbBVtrMo;|v_iAE9b! zbzGV&wEZsfAH;&YQmZY}*nIEMY89?Yunw$c5&7_&zPJAvt>sCnW@D>|#SMPq#F$0) z!O|H2O$Sdz2ZQA7Sp-V)OOi#d+j>z6?Gt@e44n|m!-q1b;thYNt}r%0oJ+A1Hen3dQOUtkk16&HGGi#UzK z*AuGn!FsY=u+qF*a^R9*f4+vH6@hS za>l>AypTC%^kwoeX`KROb=;rme$5mk?uU3EJOb`j3)Jq$5SV{)l}RfmgbRu@rrn3G zk;PuHE4>U-1w^N;F~}TA|JYb;{9T;qZ6)j4pG|##er6HryP_3d=_|J@Upib>H`vaz zAvsJRc&lHHy3F?zU0=$Rf%4W-*Ai;M3KCxW!5}IkpE1fIEL>Wmbj(rhd(uFzM{wUDA)*TE zx)8DW5ksmJD~tHx$tlVZxq(oEYJSO^j<)sk-VN5Gq;sG8;J42P=X(1KsGF z+Re?@9?zUT7jiVX)Lg)qJGI`gQjNQP0sBQ@CD$@cE!&h#?m@lcZ_o|LJ?Keo`(r7D zkAt09)U1^1iZM=bf_FGIS$zd^vXze>b;DqYn~C1yWZaT!ZcIJ2iu?|V2NjDlG^CgV zRo{P>!6-7lcntHjUw=Z~m!~gU@ef6kbMx;pkIcyd4>=`lfx8$H6n>4v+P4fLPz-`d z_s~T~TlrF$cS9K_eT8w{!g>`d>L--YYELqna1)e4>NADqWK=uX1Orbb{|5Q!4JKl8EpgoB?hw_#Y^Q8&SK<%*6XZfTacI# zd}be~yIQ2M%@84DbQPr5hKkC*`(a4rAfgL*OAA4Uq}aHov@OD838 zP7=iD({|kG2&3UV?s!j+Vk=Q!c}Sy~c-^r<;qUG1WayewiXCPt6^)VqYbJ9;v0e@Su{TV0`3CRzbGc9SSK65UC; zf`Cj8JT!I@iXa;u5gsBK_$3;(LykQxPvCEDxNB+O9TwlT0f~%8_8+l{sX7@LRW#Xd zS3M&OS?@FR( z4BW+HW2Uz8c#9~!t}G5aZ1lgpZ`9}`$q;LeJqZp`ljXsB zUkQqz-|3wiMa8}9T3@|!PHVgP{8z)u9(qgy3~!0mlQf6o%X^C}j<6Ji$5*0GU{4eH zP)6|g3Eke?v>O_Zmfr7$BFUHi*ihB}!!-iW*xygkC{R^B zo@4e%vq#U|uDGaalGK;`dfmTmlcl%qUGC5T4dbAa%SHz-%J0`C8gd%g7nB1XaKlBh zqTJLfxsIEEa8yvSZv7u0Twntb00aO5KmZT`1OS2mP~e~a5A$#OKXMCX^dDXi90vpd z0YCr{00aO5KmZT`1ONd*01yBK0D=Dp0{`s)cmJmUtAdKQ{vSLMcmf~*2mk_r03ZMe z00MvjAOHve0)PM@00{ht0{`rP*niXie;Ycd{=@5m2mk_r03ZMe p00MvjAOHve0)PM@00;mAfB+x>2mk_r03ZMe00MvjAn<=6@LyUKqeJFD=6Ukr?l|4-U2VNWT|&8_rH%uOvWNK8&;U|@ur#t4+R zmFPPRmJhY?POSvl#=uYylNV(C|9GC22Uy+{A>RO#XJY*SWlF$fh<-yexB*ZFj4X`* zqm}oGLgbB&VDeDy{~1LX|EC*QO@^3{kOw*eYyzVq)BiJZy|cmc!6ikRdFfyygn%Kk z+FD$}z|qRU$;!al%D~0Sz}3pY4JeKb7@e3H*^C~H|7UCZtiaR{3`3w9AoEW>k?aG@J0%vUnwfyz2Qt5p|L|c$Bjd!R zWK=Vec_8z*o_)O;Q$ND|jO4ZU8L1U+nK`Mj;A7wbns4z@Y7?WfYkDUhAArm+w|epk zQ$ND|quNEnNnocVtl$BfKZ83b3m85utZeKYoH*t{i7|^(W_y_6(0sA}P&JY^$wD?CXYWM#YnhH?= z$%=8l7Sl@f{*wax|NqkGEM#fz{!#Ns`=6uz@6qvx(eanj@h8woAHC~OLiJB-UJ8bj z-~vEN(Dsize)); TEST_ESP_ERR(ESP_ERR_NVS_KEYS_NOT_INITIALIZED, nvs_flash_read_security_cfg(key_part, &cfg)); TEST_ESP_OK(nvs_flash_generate_keys(key_part, &cfg)); TEST_ESP_OK(nvs_flash_read_security_cfg(key_part, &cfg2)); +#elif CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC + nvs_sec_scheme_t *scheme_cfg = nvs_flash_get_default_security_scheme(); + assert(scheme_cfg != NULL); + TEST_ESP_OK(nvs_flash_generate_keys_v2(scheme_cfg, &cfg)); + + TEST_ESP_OK(nvs_flash_read_security_cfg_v2(scheme_cfg, &cfg2)); +#endif TEST_ASSERT_TRUE(!memcmp(&cfg, &cfg2, sizeof(nvs_sec_cfg_t))); } - TEST_CASE("test nvs apis with encryption enabled", "[nvs]") { +#if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC if (!esp_flash_encryption_enabled()) { TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); } @@ -404,19 +470,23 @@ TEST_CASE("test nvs apis with encryption enabled", "[nvs]") assert(key_part && "partition table must have an NVS Key partition"); + ESP_ERROR_CHECK(esp_partition_erase_range(key_part, 0, key_part->size)); +#endif + const esp_partition_t* nvs_partition = esp_partition_find_first( ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL); assert(nvs_partition && "partition table must have an NVS partition"); - ESP_ERROR_CHECK( esp_partition_erase_range(key_part, 0, key_part->size) ); - bool done = false; do { - ESP_ERROR_CHECK( esp_partition_erase_range(nvs_partition, 0, nvs_partition->size) ); - nvs_sec_cfg_t cfg; - esp_err_t err = nvs_flash_read_security_cfg(key_part, &cfg); + esp_err_t err = ESP_FAIL; + +#if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC + ESP_ERROR_CHECK(esp_partition_erase_range(nvs_partition, 0, nvs_partition->size)); + + err = nvs_flash_read_security_cfg(key_part, &cfg); if(err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED) { uint8_t value[4096] = {[0 ... 4095] = 0xff}; @@ -430,6 +500,23 @@ TEST_CASE("test nvs apis with encryption enabled", "[nvs]") ESP_ERROR_CHECK(err); done = true; } +#elif CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC + nvs_sec_scheme_t *scheme_cfg = nvs_flash_get_default_security_scheme(); + assert(scheme_cfg != NULL); + + err = nvs_flash_read_security_cfg_v2(scheme_cfg, &cfg); + if (err != ESP_OK) { + if (err == ESP_ERR_NVS_SEC_HMAC_KEY_NOT_FOUND) { + TEST_ESP_OK(nvs_flash_generate_keys_v2(scheme_cfg, &cfg)); + } else { + ESP_ERROR_CHECK(err); + } + } else { + ESP_ERROR_CHECK(err); + done = true; + } +#endif + TEST_ESP_OK(nvs_flash_secure_init(&cfg)); nvs_handle_t handle_1; @@ -484,45 +571,59 @@ TEST_CASE("test nvs apis with encryption enabled", "[nvs]") TEST_CASE("test nvs apis for nvs partition generator utility with encryption enabled", "[nvs_part_gen]") { - - if (!esp_flash_encryption_enabled()) { - TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); - } - nvs_handle_t handle; nvs_sec_cfg_t xts_cfg; - - extern const char nvs_key_start[] asm("_binary_encryption_keys_bin_start"); - extern const char nvs_key_end[] asm("_binary_encryption_keys_bin_end"); - - extern const char nvs_data_start[] asm("_binary_partition_encrypted_bin_start"); - - extern const char sample_bin_start[] asm("_binary_sample_bin_start"); - - const esp_partition_t* key_part = esp_partition_find_first( - ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL); + esp_err_t err = ESP_FAIL; const esp_partition_t* nvs_part = esp_partition_find_first( ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL); - assert(key_part && "partition table must have a KEY partition"); - TEST_ASSERT_TRUE((nvs_key_end - nvs_key_start - 1) == SPI_FLASH_SEC_SIZE); - assert(nvs_part && "partition table must have an NVS partition"); printf("\n nvs_part size:%" PRId32 "\n", nvs_part->size); + ESP_ERROR_CHECK(esp_partition_erase_range(nvs_part, 0, nvs_part->size)); + + extern const char sample_bin_start[] asm("_binary_sample_bin_start"); + +#if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC + if (!esp_flash_encryption_enabled()) { + TEST_IGNORE_MESSAGE("flash encryption disabled, skipping nvs_api tests with encryption enabled"); + } + + extern const char nvs_key_start[] asm("_binary_encryption_keys_bin_start"); + extern const char nvs_key_end[] asm("_binary_encryption_keys_bin_end"); + extern const char nvs_data_sch0_start[] asm("_binary_partition_encrypted_bin_start"); + + const esp_partition_t* key_part = esp_partition_find_first( + ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL); + + assert(key_part && "partition table must have a KEY partition"); + TEST_ASSERT_TRUE((nvs_key_end - nvs_key_start - 1) == SPI_FLASH_SEC_SIZE); + ESP_ERROR_CHECK(esp_partition_erase_range(key_part, 0, key_part->size)); - ESP_ERROR_CHECK( esp_partition_erase_range(nvs_part, 0, nvs_part->size) ); for (int i = 0; i < key_part->size; i+= SPI_FLASH_SEC_SIZE) { ESP_ERROR_CHECK( esp_partition_write(key_part, i, nvs_key_start + i, SPI_FLASH_SEC_SIZE) ); } for (int i = 0; i < nvs_part->size; i+= SPI_FLASH_SEC_SIZE) { - ESP_ERROR_CHECK( esp_partition_write(nvs_part, i, nvs_data_start + i, SPI_FLASH_SEC_SIZE) ); + ESP_ERROR_CHECK( esp_partition_write(nvs_part, i, nvs_data_sch0_start + i, SPI_FLASH_SEC_SIZE) ); } - esp_err_t err = nvs_flash_read_security_cfg(key_part, &xts_cfg); + err = nvs_flash_read_security_cfg(key_part, &xts_cfg); +#elif CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC + extern const char nvs_data_sch1_start[] asm("_binary_partition_encrypted_hmac_bin_start"); + + for (int i = 0; i < nvs_part->size; i+= SPI_FLASH_SEC_SIZE) { + ESP_ERROR_CHECK( esp_partition_write(nvs_part, i, nvs_data_sch1_start + i, SPI_FLASH_SEC_SIZE) ); + } + + nvs_sec_scheme_t *scheme_cfg = nvs_flash_get_default_security_scheme(); + assert(scheme_cfg != NULL); + + err = nvs_flash_read_security_cfg_v2(scheme_cfg, &xts_cfg); +#endif + ESP_ERROR_CHECK(err); TEST_ESP_OK(nvs_flash_secure_init(&xts_cfg)); @@ -583,4 +684,46 @@ TEST_CASE("test nvs apis for nvs partition generator utility with encryption ena TEST_ESP_OK(nvs_flash_deinit()); } + +#if CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC +TEST_CASE("test nvs encryption with Flash Encryption-based scheme with v2 apis", "[nvs]") +{ + nvs_handle_t handle; + + nvs_sec_cfg_t cfg = {}; + nvs_sec_scheme_t *sec_scheme_handle = NULL; + nvs_sec_config_flash_enc_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_FLASH_ENC_DEFAULT(); + + TEST_ESP_OK(nvs_sec_provider_register_flash_enc(&sec_scheme_cfg, &sec_scheme_handle)); + + esp_err_t err = nvs_flash_read_security_cfg_v2(sec_scheme_handle, &cfg); + if (err != ESP_OK) { + if (err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED) { + TEST_ESP_OK(nvs_flash_generate_keys_v2(sec_scheme_handle, &cfg)); + } + TEST_ESP_OK(err); + } + + TEST_ESP_OK(nvs_flash_secure_init(&cfg)); + memset(&cfg, 0x00, sizeof(nvs_sec_cfg_t)); + + int32_t foo = 0; + + TEST_ESP_OK(nvs_open("uninit_ns", NVS_READWRITE, &handle)); + TEST_ESP_OK(nvs_set_i32(handle, "foo", 0x12345678)); + nvs_close(handle); + + TEST_ESP_OK(nvs_open("uninit_ns", NVS_READWRITE, &handle)); + TEST_ESP_OK(nvs_get_i32(handle, "foo", &foo)); + nvs_close(handle); + + TEST_ASSERT_EQUAL_INT32(foo, 0x12345678); + + TEST_ESP_OK(nvs_sec_provider_deregister(sec_scheme_handle)); + + TEST_ESP_OK(nvs_flash_deinit()); + TEST_ESP_OK(nvs_flash_erase()); +} +#endif + #endif diff --git a/components/nvs_flash/test_apps/partitions_nvs_encr_keys_flash_enc.csv b/components/nvs_flash/test_apps/partitions_nvs_encr_flash_enc.csv similarity index 100% rename from components/nvs_flash/test_apps/partitions_nvs_encr_keys_flash_enc.csv rename to components/nvs_flash/test_apps/partitions_nvs_encr_flash_enc.csv diff --git a/components/nvs_flash/test_apps/pytest_nvs_flash.py b/components/nvs_flash/test_apps/pytest_nvs_flash.py index ed07f4f729..1da98e2da0 100644 --- a/components/nvs_flash/test_apps/pytest_nvs_flash.py +++ b/components/nvs_flash/test_apps/pytest_nvs_flash.py @@ -4,23 +4,31 @@ import pytest from pytest_embedded_idf.dut import IdfDut +CONFIGS_NVS_ENCR_FLASH_ENC = [ + pytest.param('nvs_encr_flash_enc_esp32', marks=[pytest.mark.esp32]), + pytest.param('nvs_encr_flash_enc_esp32c3', marks=[pytest.mark.esp32c3]), +] + @pytest.mark.supported_targets @pytest.mark.generic @pytest.mark.parametrize('config', ['default'], indirect=True) def test_nvs_flash(dut: IdfDut) -> None: + dut.expect_exact('Press ENTER to see the list of tests') + dut.write('![nvs_encr_hmac]') + dut.expect_unity_test_output(timeout=120) + + +@pytest.mark.esp32c3 +@pytest.mark.nvs_encr_hmac +@pytest.mark.parametrize('config', ['nvs_encr_hmac_esp32c3'], indirect=True) +def test_nvs_flash_encr_hmac(dut: IdfDut) -> None: dut.run_all_single_board_cases() -CONFIGS_NVS_ENCR_KEYS_FLASH_ENC = [ - pytest.param('nvs_encr_keys_flash_enc_esp32', marks=[pytest.mark.esp32]), - pytest.param('nvs_encr_keys_flash_enc_esp32c3', marks=[pytest.mark.esp32c3]), -] - - -@pytest.mark.parametrize('config', CONFIGS_NVS_ENCR_KEYS_FLASH_ENC, indirect=True) @pytest.mark.flash_encryption -def test_nvs_flash_encr_keys_flash_enc(dut: IdfDut) -> None: +@pytest.mark.parametrize('config', CONFIGS_NVS_ENCR_FLASH_ENC, indirect=True) +def test_nvs_flash_encr_flash_enc(dut: IdfDut) -> None: # Erase the nvs_key partition dut.serial.erase_partition('nvs_key') dut.run_all_single_board_cases() diff --git a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_keys_flash_enc_esp32 b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_flash_enc_esp32 similarity index 65% rename from components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_keys_flash_enc_esp32 rename to components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_flash_enc_esp32 index 28b989f246..ac5486ed7f 100644 --- a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_keys_flash_enc_esp32 +++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_flash_enc_esp32 @@ -3,8 +3,8 @@ CONFIG_IDF_TARGET="esp32" # Partition Table CONFIG_PARTITION_TABLE_CUSTOM=y -CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_keys_flash_enc.csv" -CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_keys_flash_enc.csv" +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv" CONFIG_PARTITION_TABLE_OFFSET=0x9000 # Enabling Flash Encryption @@ -16,3 +16,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Enabling NVS Encryption (Flash Encryption-based scheme) +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_keys_flash_enc_esp32c3 b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_flash_enc_esp32c3 similarity index 65% rename from components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_keys_flash_enc_esp32c3 rename to components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_flash_enc_esp32c3 index 6a986fa54d..ae23bea21d 100644 --- a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_keys_flash_enc_esp32c3 +++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_flash_enc_esp32c3 @@ -3,8 +3,8 @@ CONFIG_IDF_TARGET="esp32c3" # Partition Table CONFIG_PARTITION_TABLE_CUSTOM=y -CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_keys_flash_enc.csv" -CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_keys_flash_enc.csv" +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv" CONFIG_PARTITION_TABLE_OFFSET=0x9000 # Enabling Flash Encryption @@ -16,3 +16,7 @@ CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Enabling NVS Encryption (Flash Encryption-based scheme) +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y diff --git a/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_esp32c3 b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_esp32c3 new file mode 100644 index 0000000000..f208fae5ec --- /dev/null +++ b/components/nvs_flash/test_apps/sdkconfig.ci.nvs_encr_hmac_esp32c3 @@ -0,0 +1,24 @@ +# Restricting to ESP32C3 +CONFIG_IDF_TARGET="esp32c3" + +# NOTE: The runner for this test-app has flash-encryption enabled +# Partition Table +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_FILENAME="partitions_nvs_encr_flash_enc.csv" +CONFIG_PARTITION_TABLE_OFFSET=0x9000 + +# Enabling Flash Encryption +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y +CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y +CONFIG_SECURE_BOOT_ALLOW_JTAG=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y +CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y +CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y + +# Enabling NVS Encryption (HMAC-based scheme) +CONFIG_NVS_ENCRYPTION=y +CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC=y +CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID=0 diff --git a/components/nvs_flash/test_nvs_host/Makefile b/components/nvs_flash/test_nvs_host/Makefile index be4e5c46b3..0ac5df21fc 100644 --- a/components/nvs_flash/test_nvs_host/Makefile +++ b/components/nvs_flash/test_nvs_host/Makefile @@ -33,7 +33,7 @@ else COMPILER := gcc endif -CPPFLAGS += -I../private_include -I../include -I../src -I../../esp_rom/include -I../../esp_rom/include/linux -I../../log/include -I./ -I../../esp_common/include -I../../esp32/include -I ../../mbedtls/mbedtls/include -I ../../spi_flash/include -I ../../esp_partition/include -I ../../hal/include -I ../../xtensa/include -I ../../../tools/catch -fprofile-arcs -ftest-coverage -g2 -ggdb +CPPFLAGS += -I../private_include -I../include -I../src -I../../esp_rom/include -I../../esp_rom/include/linux -I../../log/include -I./ -I../../esp_common/include -I../../esp32/include -I ../../mbedtls/mbedtls/include -I ../../spi_flash/include -I ../../esp_partition/include -I ../../hal/include -I ../../xtensa/include -I ../../soc/linux/include -I ../../../tools/catch -fprofile-arcs -ftest-coverage -g2 -ggdb CFLAGS += -fprofile-arcs -ftest-coverage -DLINUX_TARGET -DLINUX_HOST_LEGACY_TEST CXXFLAGS += -std=c++11 -Wall -Werror -DLINUX_TARGET -DLINUX_HOST_LEGACY_TEST LDFLAGS += -lstdc++ -Wall -fprofile-arcs -ftest-coverage @@ -93,10 +93,14 @@ clean: clean-coverage rm -f ../nvs_partition_generator/partition_single_page.bin rm -f ../nvs_partition_generator/partition_multipage_blob.bin rm -f ../nvs_partition_generator/partition_encrypted.bin + rm -f ../nvs_partition_generator/partition_encrypted_hmac.bin rm -f ../nvs_partition_generator/partition_encrypted_using_keygen.bin rm -f ../nvs_partition_generator/partition_encrypted_using_keyfile.bin + rm -f ../nvs_partition_generator/partition_encrypted_using_keygen_hmac.bin rm -f ../nvs_partition_generator/partition_decrypted.bin + rm -f ../nvs_partition_generator/partition_decrypted_hmac.bin rm -f ../nvs_partition_generator/partition_encoded.bin + rm -f ../nvs_partition_generator/Test-1-partition-encrypted-hmac.bin rm -f ../nvs_partition_generator/Test-1-partition-encrypted.bin rm -f ../nvs_partition_generator/Test-1-partition.bin rm -f ../../../tools/mass_mfg/samples/sample_values_multipage_blob_created.csv diff --git a/components/nvs_flash/test_nvs_host/test_nvs.cpp b/components/nvs_flash/test_nvs_host/test_nvs.cpp index 6550927015..1fae2c15e3 100644 --- a/components/nvs_flash/test_nvs_host/test_nvs.cpp +++ b/components/nvs_flash/test_nvs_host/test_nvs.cpp @@ -11,6 +11,7 @@ #include "nvs_partition_manager.hpp" #include "nvs_partition.hpp" #include "mbedtls/aes.h" +#include "mbedtls/md.h" #include #include #include @@ -1567,12 +1568,24 @@ TEST_CASE("test decrypt functionality for encrypted data", "[nvs_part_gen]") status = system("python ../nvs_partition_generator/nvs_partition_gen.py encrypt ../nvs_partition_generator/sample_multipage_blob.csv partition_encrypted.bin 0x5000 --inputkey ../nvs_partition_generator/testdata/sample_encryption_keys.bin --outdir ../nvs_partition_generator"); CHECK(status == 0); + //encrypting data from sample_multipage_blob.csv (hmac-based scheme) + status = system("python ../nvs_partition_generator/nvs_partition_gen.py encrypt ../nvs_partition_generator/sample_multipage_blob.csv partition_encrypted_hmac.bin 0x5000 --keygen --key_protect_hmac --kp_hmac_inputkey ../nvs_partition_generator/testdata/sample_hmac_key.bin --outdir ../nvs_partition_generator"); + CHECK(status == 0); + //decrypting data from partition_encrypted.bin status = system("python ../nvs_partition_generator/nvs_partition_gen.py decrypt ../nvs_partition_generator/partition_encrypted.bin ../nvs_partition_generator/testdata/sample_encryption_keys.bin ../nvs_partition_generator/partition_decrypted.bin"); CHECK(status == 0); status = system("diff ../nvs_partition_generator/partition_decrypted.bin ../nvs_partition_generator/partition_encoded.bin"); CHECK(status == 0); + + //decrypting data from partition_encrypted_hmac.bin + status = system("python ../nvs_partition_generator/nvs_partition_gen.py decrypt ../nvs_partition_generator/partition_encrypted_hmac.bin ../nvs_partition_generator/testdata/sample_encryption_keys_hmac.bin ../nvs_partition_generator/partition_decrypted_hmac.bin"); + CHECK(status == 0); + + status = system("diff ../nvs_partition_generator/partition_decrypted_hmac.bin ../nvs_partition_generator/partition_encoded.bin"); + CHECK(status == 0); + CHECK(WEXITSTATUS(status) == 0); @@ -1757,6 +1770,201 @@ TEST_CASE("test nvs apis for nvs partition generator utility with encryption ena } +static void compute_nvs_keys_with_hmac(nvs_sec_cfg_t *cfg, void *hmac_key) +{ + unsigned char key_bytes[32] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, + 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, + 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, 0x20 }; + if (hmac_key != NULL){ + memcpy(key_bytes, hmac_key, 32); + } + + unsigned char ekey_seed[32], tkey_seed[32]; + + for (unsigned int i = 0; i < sizeof(ekey_seed); i+=4) { + ekey_seed[i] = 0x5A; + ekey_seed[i + 1] = 0x5A; + ekey_seed[i + 2] = 0xBE; + ekey_seed[i + 3] = 0xAE; + } + + for (unsigned int i = 0; i < sizeof(tkey_seed); i+=4) { + tkey_seed[i] = 0xA5; + tkey_seed[i + 1] = 0xA5; + tkey_seed[i + 2] = 0xDE; + tkey_seed[i + 3] = 0xCE; + } + + const mbedtls_md_type_t alg = MBEDTLS_MD_SHA256; + + mbedtls_md_context_t ctx; + mbedtls_md_init(&ctx); + + const mbedtls_md_info_t *info = mbedtls_md_info_from_type(alg); + mbedtls_md_setup(&ctx, info, 1); + mbedtls_md_hmac_starts(&ctx, key_bytes, sizeof(key_bytes)); + + mbedtls_md_hmac_update(&ctx, ekey_seed, sizeof(ekey_seed)); + mbedtls_md_hmac_finish(&ctx, cfg->eky); + + mbedtls_md_hmac_reset(&ctx); + mbedtls_md_hmac_update(&ctx, tkey_seed, sizeof(tkey_seed)); + mbedtls_md_hmac_finish(&ctx, cfg->tky); + + assert(memcmp(cfg->eky, cfg->tky, NVS_KEY_SIZE)); + + mbedtls_md_free(&ctx); +} + +TEST_CASE("test nvs apis for nvs partition generator utility with encryption enabled using keygen (user-provided HMAC-key)", "[nvs_part_gen]") +{ + int childpid = fork(); + int status; + + if (childpid == 0) { + exit(execlp("cp", " cp", + "-rf", + "../nvs_partition_generator/testdata", + ".", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + + if (childpid == 0) { + exit(execlp("rm", " rm", + "-rf", + "../nvs_partition_generator/keys", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../nvs_partition_generator/nvs_partition_gen.py", + "encrypt", + "../nvs_partition_generator/sample_multipage_blob.csv", + "partition_encrypted_using_keygen_hmac.bin", + "0x4000", + "--keygen", + "--key_protect_hmac", + "--kp_hmac_inputkey", + "../nvs_partition_generator/testdata/sample_hmac_key.bin", + "--outdir", + "../nvs_partition_generator", NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + } + } + } + + SpiFlashEmulator emu("../nvs_partition_generator/partition_encrypted_using_keygen_hmac.bin"); + + nvs_sec_cfg_t cfg; + compute_nvs_keys_with_hmac(&cfg, NULL); + + check_nvs_part_gen_args(&emu, NVS_DEFAULT_PART_NAME, 4, "../nvs_partition_generator/testdata/sample_multipage_blob.bin", true, &cfg); + +} + +TEST_CASE("test nvs apis for nvs partition generator utility with encryption enabled using keygen (dynamically generated HMAC-key)", "[nvs_part_gen]") +{ + int childpid = fork(); + int status; + + if (childpid == 0) { + exit(execlp("cp", " cp", + "-rf", + "../nvs_partition_generator/testdata", + ".", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + + if (childpid == 0) { + exit(execlp("rm", " rm", + "-rf", + "../nvs_partition_generator/keys", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../nvs_partition_generator/nvs_partition_gen.py", + "encrypt", + "../nvs_partition_generator/sample_multipage_blob.csv", + "partition_encrypted_using_keygen_hmac.bin", + "0x4000", + "--keygen", + "--key_protect_hmac", + "--kp_hmac_keygen", + "--outdir", + "../nvs_partition_generator", NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + } + } + } + + + DIR *dir; + struct dirent *file; + char *filename; + char *files; + char *file_ext; + char *hmac_key_file; + + dir = opendir("../nvs_partition_generator/keys"); + while ((file = readdir(dir)) != NULL) { + filename = file->d_name; + file_ext = NULL; + files = strrchr(filename, '.'); + if (files != NULL) { + file_ext = files + 1; + if (strncmp(file_ext, "bin", 3) != 0) { + continue; + } + } + if (strstr(filename, "hmac") != NULL) { + hmac_key_file = filename; + } + } + + std::string hmac_key_path = std::string("../nvs_partition_generator/keys/") + std::string(hmac_key_file); + SpiFlashEmulator emu("../nvs_partition_generator/partition_encrypted_using_keygen_hmac.bin"); + + char hmac_key_buf[32]; + FILE *fp; + fp = fopen(hmac_key_path.c_str(), "rb"); + fread(hmac_key_buf, sizeof(hmac_key_buf), 1, fp); + fclose(fp); + + nvs_sec_cfg_t cfg; + compute_nvs_keys_with_hmac(&cfg, hmac_key_buf); + + check_nvs_part_gen_args(&emu, NVS_DEFAULT_PART_NAME, 4, "../nvs_partition_generator/testdata/sample_multipage_blob.bin", true, &cfg); + +} + TEST_CASE("check and read data from partition generated via manufacturing utility with encryption enabled using sample inputkey", "[mfg_gen]") { int childpid = fork(); @@ -1969,6 +2177,221 @@ TEST_CASE("check and read data from partition generated via manufacturing utilit } } + +TEST_CASE("check and read data from partition generated via manufacturing utility with encryption enabled using new generated key (user-provided HMAC-key)", "[mfg_gen]") +{ + int childpid = fork(); + int status; + + if (childpid == 0) { + exit(execlp("bash", " bash", + "-c", + "rm -rf ../../../tools/mass_mfg/host_test | \ + cp -rf ../../../tools/mass_mfg/testdata mfg_testdata | \ + cp -rf ../nvs_partition_generator/testdata . | \ + mkdir -p ../../../tools/mass_mfg/host_test", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../../../tools/mass_mfg/mfg_gen.py", + "generate", + "../../../tools/mass_mfg/samples/sample_config.csv", + "../../../tools/mass_mfg/samples/sample_values_multipage_blob.csv", + "Test", + "0x4000", + "--version", + "2", + "--keygen", + "--key_protect_hmac", + "--kp_hmac_inputkey", + "mfg_testdata/sample_hmac_key.bin", + "--outdir", + "../../../tools/mass_mfg/host_test",NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../nvs_partition_generator/nvs_partition_gen.py", + "encrypt", + "../../../tools/mass_mfg/host_test/csv/Test-1.csv", + "../nvs_partition_generator/Test-1-partition-encrypted-hmac.bin", + "0x4000", + "--version", + "2", + "--keygen", + "--key_protect_hmac", + "--kp_hmac_inputkey", + "mfg_testdata/sample_hmac_key.bin", NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + } + + } + + } + + SpiFlashEmulator emu1("../../../tools/mass_mfg/host_test/bin/Test-1.bin"); + + nvs_sec_cfg_t cfg; + compute_nvs_keys_with_hmac(&cfg, NULL); + + check_nvs_part_gen_args_mfg(&emu1, NVS_DEFAULT_PART_NAME, 4, "mfg_testdata/sample_multipage_blob.bin", true, &cfg); + + SpiFlashEmulator emu2("../nvs_partition_generator/Test-1-partition-encrypted-hmac.bin"); + + check_nvs_part_gen_args_mfg(&emu2, NVS_DEFAULT_PART_NAME, 4, "testdata/sample_multipage_blob.bin", true, &cfg); + + + childpid = fork(); + if (childpid == 0) { + exit(execlp("bash", " bash", + "-c", + "rm -rf ../../../tools/mass_mfg/host_test | \ + rm -rf mfg_testdata | \ + rm -rf testdata", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + } + +} + +TEST_CASE("check and read data from partition generated via manufacturing utility with encryption enabled using new generated key (dynamically generated HMAC-key)", "[mfg_gen]") +{ + int childpid = fork(); + int status; + + if (childpid == 0) { + exit(execlp("bash", " bash", + "-c", + "rm -rf ../../../tools/mass_mfg/host_test | \ + cp -rf ../../../tools/mass_mfg/testdata mfg_testdata | \ + cp -rf ../nvs_partition_generator/testdata . | \ + mkdir -p ../../../tools/mass_mfg/host_test", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../../../tools/mass_mfg/mfg_gen.py", + "generate-key", + "--outdir", + "../../../tools/mass_mfg/host_test", + "--key_protect_hmac", + "--kp_hmac_keygen", + "--kp_hmac_keyfile", + "hmac_key_host_test.bin", + "--keyfile", + "encr_keys_host_test.bin", NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../../../tools/mass_mfg/mfg_gen.py", + "generate", + "../../../tools/mass_mfg/samples/sample_config.csv", + "../../../tools/mass_mfg/samples/sample_values_multipage_blob.csv", + "Test", + "0x4000", + "--outdir", + "../../../tools/mass_mfg/host_test", + "--version", + "2", + "--inputkey", + "../../../tools/mass_mfg/host_test/keys/encr_keys_host_test.bin", NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("python", "python", + "../nvs_partition_generator/nvs_partition_gen.py", + "encrypt", + "../../../tools/mass_mfg/host_test/csv/Test-1.csv", + "../nvs_partition_generator/Test-1-partition-encrypted-hmac.bin", + "0x4000", + "--version", + "2", + "--inputkey", + "../../../tools/mass_mfg/host_test/keys/encr_keys_host_test.bin", NULL)); + + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + } + + } + + } + + } + + + SpiFlashEmulator emu1("../../../tools/mass_mfg/host_test/bin/Test-1.bin"); + + char hmac_key_buf[32]; + FILE *fp; + + fp = fopen("../../../tools/mass_mfg/host_test/keys/hmac_key_host_test.bin", "rb"); + fread(hmac_key_buf, sizeof(hmac_key_buf), 1, fp); + + fclose(fp); + + nvs_sec_cfg_t cfg; + compute_nvs_keys_with_hmac(&cfg, hmac_key_buf); + + check_nvs_part_gen_args_mfg(&emu1, NVS_DEFAULT_PART_NAME, 4, "mfg_testdata/sample_multipage_blob.bin", true, &cfg); + + SpiFlashEmulator emu2("../nvs_partition_generator/Test-1-partition-encrypted-hmac.bin"); + + check_nvs_part_gen_args_mfg(&emu2, NVS_DEFAULT_PART_NAME, 4, "testdata/sample_multipage_blob.bin", true, &cfg); + + childpid = fork(); + if (childpid == 0) { + exit(execlp("bash", " bash", + "-c", + "rm -rf keys | \ + rm -rf mfg_testdata | \ + rm -rf testdata | \ + rm -rf ../../../tools/mass_mfg/host_test", NULL)); + } else { + CHECK(childpid > 0); + waitpid(childpid, &status, 0); + CHECK(WEXITSTATUS(status) == 0); + + } + +} + #endif /* Add new tests above */ diff --git a/conftest.py b/conftest.py index da6f07ba46..385fe9fb26 100644 --- a/conftest.py +++ b/conftest.py @@ -124,6 +124,7 @@ ENV_MARKERS = { 'ecdsa_efuse': 'Runner with test ECDSA private keys programmed in efuse', 'ccs811': 'Runner with CCS811 connected', 'ethernet_w5500': 'SPI Ethernet module with two W5500', + 'nvs_encr_hmac': 'Runner with test HMAC key programmed in efuse', # multi-dut markers 'ieee802154': 'ieee802154 related tests should run on ieee802154 runners.', 'openthread_br': 'tests should be used for openthread border router.',