From aaf1f868d5a0a22b57c823e810df9db03d7cd067 Mon Sep 17 00:00:00 2001
From: "hrushikesh.bhosale"
Date: Fri, 30 Aug 2024 11:26:34 +0530
Subject: [PATCH] fix(nvs_sec_provider): Added check for nvs_keys partition

Added check to whether nvs_keys partition is provided or not in partiton csv. Converted nvs_sec_provider_register_flash_enc_ctr and nvs_sec_provider_register_hmac_ctr functions from __attribute__(constructor) to ESP_SYSTEM_INIT_FN.
---
 components/esp_system/system_init_fn.txt | 4 +++
 .../nvs_sec_provider/nvs_sec_provider.c | 26 ++++++++++++++-----
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/components/esp_system/system_init_fn.txt b/components/esp_system/system_init_fn.txt
index ea32c8dc99..561baa29d6 100644
--- a/components/esp_system/system_init_fn.txt
+++ b/components/esp_system/system_init_fn.txt
@@ -97,6 +97,10 @@ SECONDARY: 130: init_coredump in components/espcoredump/src/core_dump_init.c on
 # esp_debug_stubs doesn't have init dependencies
 SECONDARY: 140: init_dbg_stubs in components/app_trace/debug_stubs.c on BIT(0)
+# Register NVS Encryption schemes
+SECONDARY: 150: nvs_sec_provider_register_flash_enc_scheme in components/nvs_sec_provider/nvs_sec_provider.c on BIT(0)
+SECONDARY: 151: nvs_sec_provider_register_hmac_scheme in components/nvs_sec_provider/nvs_sec_provider.c on BIT(0)
+
 # the rest of the components which are initialized from startup_funcs.c
 # [refactor-todo]: move init calls into respective components
 SECONDARY: 201: init_pm in components/esp_system/startup_funcs.c on BIT(0)
diff --git a/components/nvs_sec_provider/nvs_sec_provider.c b/components/nvs_sec_provider/nvs_sec_provider.c
index c6c7bb0aeb..e45c84f4db 100644
--- a/components/nvs_sec_provider/nvs_sec_provider.c
+++ b/components/nvs_sec_provider/nvs_sec_provider.c
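Review bot: In components/esp_system/system_init_fn.txt the new comment `# Register NVS Encryption schemes` does not say what the entries at priorities 150 and 151 depend on or what a failure means, unlike the neighbouring `# esp_debug_stubs doesn't have init dependencies`. Going by the C side of this patch, both functions sit under a config guard and now return an error code to the startup code, and the flash-encryption one reads the `nvs_keys` partition entry. I would extend the comment to something like `# Register NVS encryption schemes; built only when NVS encryption is configured, need the partition table, a non-ESP_OK return stops startup`. The last two parts are inferred from the comment added in nvs_sec_provider.c and should be confirmed against the startup code.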
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,10 +10,10 @@
 #include "esp_fault.h"
 #include "soc/soc_caps.h"
 #include "sdkconfig.h"
-
 #include "nvs_flash.h"
 #include "nvs_sec_provider.h"
+#include "esp_private/startup_internal.h"
 #if SOC_HMAC_SUPPORTED
 #include "bootloader_random.h"
 #include "esp_random.h"
@@ -79,14 +79,27 @@ esp_err_t nvs_sec_provider_register_flash_enc(const nvs_sec_config_flash_enc_t *
 return ESP_OK;
 }
-static void __attribute__((constructor)) nvs_sec_provider_register_flash_enc_ctr(void)
+
+ESP_SYSTEM_INIT_FN(nvs_sec_provider_register_flash_enc_scheme, SECONDARY, BIT(0), 150)
 {
 ESP_EARLY_LOGI(TAG, "NVS Encryption - Registering Flash encryption-based scheme...");
 nvs_sec_config_flash_enc_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_FLASH_ENC_DEFAULT();
+
+ /*
+ * This checks partition with subtype nvs_keys from partition table, if NVS Encryption is enabled
+ * and "nvs_keys" do not exist in partition table, then execution gets aborted. To fix the problem,
+ * please introduce partition with subtype "nvs_keys" in the partition table.
+ */
+
+ if (sec_scheme_cfg.nvs_keys_part == NULL) {
+ ESP_EARLY_LOGE(TAG, "partition with subtype \"nvs_keys\" not found");
+ return ESP_FAIL;
+ }
+
 nvs_sec_scheme_t *sec_scheme_handle_out = NULL;
- nvs_sec_provider_register_flash_enc(&sec_scheme_cfg, &sec_scheme_handle_out);
+ return nvs_sec_provider_register_flash_enc(&sec_scheme_cfg, &sec_scheme_handle_out);
 }
 #endif
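Review bot: The block comment added in `nvs_sec_provider_register_flash_enc_scheme` says execution gets aborted, but the code under it only does `return ESP_FAIL;`, so the abort is a property of whatever runs the `ESP_SYSTEM_INIT_FN` entries and is not visible in this patch. This check turns a partition-table mistake into a stop at every boot, which would include a device that receives this image in an update while keeping an older partition table. The contract should therefore be stated exactly and sit directly above the `if`, for example `/* Fail closed: NVS encryption is enabled but no "nvs_keys" partition exists; returning an error makes startup stop. */`. It is also worth confirming that stopping is preferred over the old behaviour for already deployed devices, and saying so in the commit description. The `#if` that encloses this function opens outside the hunk.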
@@ -251,14 +264,15 @@ esp_err_t nvs_sec_provider_register_hmac(const nvs_sec_config_hmac_t *sec_scheme
 }
 #if CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC
-static void __attribute__((constructor)) nvs_sec_provider_register_hmac_ctr(void)
+ESP_SYSTEM_INIT_FN(nvs_sec_provider_register_hmac_scheme, SECONDARY, BIT(0), 151)
 {
 ESP_EARLY_LOGI(TAG, "NVS Encryption - Registering HMAC-based scheme...");
 nvs_sec_config_hmac_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_HMAC_DEFAULT();
+
 nvs_sec_scheme_t *sec_scheme_handle_out = NULL;
- nvs_sec_provider_register_hmac(&sec_scheme_cfg, &sec_scheme_handle_out);
+ return nvs_sec_provider_register_hmac(&sec_scheme_cfg, &sec_scheme_handle_out);
 }
 #endif // CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC
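Review bot: `nvs_sec_provider_register_hmac_scheme` now hands the result of `nvs_sec_provider_register_hmac` to the startup code, but nothing in this function logs a failure, so a device that stops here gives no hint which scheme failed or with what code (unless the callee logs, which is not visible). I would keep the error in a local and log it: `esp_err_t err = nvs_sec_provider_register_hmac(&sec_scheme_cfg, &sec_scheme_handle_out);`, `if (err != ESP_OK) { ESP_EARLY_LOGE(TAG, "Registering HMAC-based scheme failed (0x%x)", err); }`, `return err;`. The final `return nvs_sec_provider_register_flash_enc(...)` in the flash-encryption hunk has the same gap. The old constructor discarded this result, so a one-line comment that a non-ESP_OK return is presumably fatal at startup would help the next reader.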