From 0715c862117c4194c8a4bff93febcc312df26848 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Fri, 22 Jan 2021 15:33:39 +0530 Subject: [PATCH 1/3] Revert "esp_partition: disable encrypted reads/writes if flash encryption is disabled" This reverts commit bf35ef1ce7b7db30d499d4058d6a4f39ba467fca. It has been noticed that there are scenarios where even though firmware is not enabled with flash encryption config feature, it should be able to write to encrypted partitions. This revert adds the feature back which was removed around v4.0 timelines, and same change will be backported to all releases (upto v4.0) for consistency. --- components/spi_flash/partition.c | 8 -------- 1 file changed, 8 deletions(-) diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c index 4457d63360..718e326aa0 100644 --- a/components/spi_flash/partition.c +++ b/components/spi_flash/partition.c @@ -349,7 +349,6 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, return spi_flash_read(partition->address + src_offset, dst, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { -#if CONFIG_SECURE_FLASH_ENC_ENABLED if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } @@ -367,9 +366,6 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, memcpy(dst, buf, size); spi_flash_munmap(handle); return ESP_OK; -#else - return ESP_ERR_NOT_SUPPORTED; -#endif // CONFIG_SECURE_FLASH_ENC_ENABLED } } @@ -391,14 +387,10 @@ esp_err_t esp_partition_write(const esp_partition_t* partition, return spi_flash_write(dst_offset, src, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { -#if CONFIG_SECURE_FLASH_ENC_ENABLED if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } return spi_flash_write_encrypted(dst_offset, src, size); -#else - return ESP_ERR_NOT_SUPPORTED; -#endif // CONFIG_SECURE_FLASH_ENC_ENABLED } } From e032384c7f6993c327d7ec20a9a607c0fec356f0 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Fri, 22 Jan 2021 15:44:27 +0530 Subject: [PATCH 2/3] spi_flash: add config option to enable encrypted partition read/write This feature can be disabled to save some IRAM (approx 1KB) for cases where flash encryption feature is not required. --- components/bootloader/Kconfig.projbuild | 1 + components/spi_flash/Kconfig | 9 +++++++++ components/spi_flash/partition.c | 8 ++++++++ 3 files changed, 18 insertions(+) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index cf513b1998..690c7881ef 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -539,6 +539,7 @@ menu "Security features" config SECURE_FLASH_ENC_ENABLED bool "Enable flash encryption on boot (READ DOCS FIRST)" default N + select SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE help If this option is set, flash contents will be encrypted by the bootloader on first boot. diff --git a/components/spi_flash/Kconfig b/components/spi_flash/Kconfig index e884726c5b..d69ce3e990 100644 --- a/components/spi_flash/Kconfig +++ b/components/spi_flash/Kconfig @@ -139,4 +139,13 @@ menu "SPI Flash driver" endmenu #auto detect flash chips + config SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE + bool "Enable encrypted partition read/write operations" + default y + help + This option enables flash read/write operations to encrypted partition/s. This option + is kept enabled irrespective of state of flash encryption feature. However, in case + application is not using flash encryption feature and is in need of some additional + memory from IRAM region (~1KB) then this config can be disabled. + endmenu diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c index 718e326aa0..21dce006ea 100644 --- a/components/spi_flash/partition.c +++ b/components/spi_flash/partition.c @@ -349,6 +349,7 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, return spi_flash_read(partition->address + src_offset, dst, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { +#if CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } @@ -366,6 +367,9 @@ esp_err_t esp_partition_read(const esp_partition_t* partition, memcpy(dst, buf, size); spi_flash_munmap(handle); return ESP_OK; +#else + return ESP_ERR_NOT_SUPPORTED; +#endif // CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE } } @@ -387,10 +391,14 @@ esp_err_t esp_partition_write(const esp_partition_t* partition, return spi_flash_write(dst_offset, src, size); #endif // CONFIG_SPI_FLASH_USE_LEGACY_IMPL } else { +#if CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE if (partition->flash_chip != esp_flash_default_chip) { return ESP_ERR_NOT_SUPPORTED; } return spi_flash_write_encrypted(dst_offset, src, size); +#else + return ESP_ERR_NOT_SUPPORTED; +#endif // CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE } } From 6317ef13f8c853fd3bc03a03f164d532fa9e2898 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Sun, 24 Jan 2021 13:50:21 +0530 Subject: [PATCH 3/3] unit-test-app: disable encrypted flash read/write in psram config to fix build failure --- tools/unit-test-app/configs/psram | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/unit-test-app/configs/psram b/tools/unit-test-app/configs/psram index a00f527f89..7536d741ff 100644 --- a/tools/unit-test-app/configs/psram +++ b/tools/unit-test-app/configs/psram @@ -3,3 +3,5 @@ CONFIG_ESP32_SPIRAM_SUPPORT=y CONFIG_ESP_INT_WDT_TIMEOUT_MS=800 CONFIG_SPIRAM_OCCUPY_NO_HOST=y CONFIG_ESP32_WIFI_RX_IRAM_OPT=n +# Disable encrypted flash reads/writes to save IRAM in this build configuration +CONFIG_SPI_FLASH_ENABLE_ENCRYPTED_READ_WRITE=n