Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2021/12/29 17:35:55 UTC

[GitHub] [incubator-nuttx] gustavonihei opened a new pull request #5117: xtensa/esp32: Add support for enabling hardware Flash Encryption on boot

gustavonihei opened a new pull request #5117:
URL: https://github.com/apache/incubator-nuttx/pull/5117


   ## Summary
   This PR intends to add support for encrypting the contents of the SPI Flash on boot using the MCUboot bootloader.
   
   **Flash encryption** is intended for encrypting the contents of the ESP32’s off-chip flash memory. Once this feature is enabled, firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout of flash will not be sufficient to recover most flash contents.
   
   https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html
   
   ## Impact
   This new feature is activated by the MCUboot bootloader image.
   The NuttX application image will rely on the existing ESP32 SPI Flash driver, which already implements the encrypted standard operations.
   It should not have any impact on current users if the feature is not explicitly enabled.
   
   ## Testing
   Tested on `esp32-ethernet-kit` and also on QEMU-ESP32.
   
   ### Instructions for testing on QEMU:
   
   **NOTE: Make sure the QEMU-ESP32 installation is up-to-date!**
   
   1) Build a QEMU-compatible image
   ```bash
   ./tools/configure.sh -E esp32-devkitc:nsh
   kconfig-tweak -e EXPERIMENTAL
   kconfig-tweak -e ESP32_APP_FORMAT_MCUBOOT
   kconfig-tweak -e ESP32_BOOTLOADER_BUILD_FROM_SOURCE
   kconfig-tweak -e ESP32_FLASH_MODE_DOUT
   kconfig-tweak -e ESP32_QEMU_IMAGE
   kconfig-tweak -e ESP32_SECURE_FLASH_ENC_ENABLED
   kconfig-tweak -e ESP32_SPIFLASH
   make olddefconfig
   make bootloader
   make ESPTOOL_BINDIR=. -j 6
   ```
   
   2) Generate a blank efuses file
   ```bash
   dd if=/dev/zero bs=1 count=124 of=/tmp/qemu_efuse.bin
   ```
   
   3) Start QEMU
   ```bash
   qemu-system-xtensa -nographic -machine esp32 -drive file=/tmp/qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -drive file=nuttx.merged.bin,if=mtd,format=raw -global driver=timer.esp32.timg,property=wdt_disable,value=true
   ```
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
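
An added example, not part of the pull request or of the NuttX code: after the QEMU run in step 3, a tester can check whether the first boot actually burned the flash-encryption eFuse by inspecting `/tmp/qemu_efuse.bin`. It assumes QEMU writes burned eFuses back to that file as 31 little-endian 32-bit words starting at BLK0 word 0, that `FLASH_CRYPT_CNT` occupies bits 20 to 26 of that word, and that an odd number of set bits means encryption is enabled; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect the QEMU eFuse image used in the steps above.
# Assumed layout (not stated in the PR): 31 little-endian 32-bit words,
# BLK0 word 0 first, with FLASH_CRYPT_CNT in bits 20..26 of that word.

# Print the 7-bit FLASH_CRYPT_CNT value stored in a 124-byte eFuse image.
flash_crypt_cnt() {
    file=$1
    size=$(( $(wc -c < "$file") ))
    if [ "$size" -ne 124 ]; then
        echo "unexpected eFuse image size: $size bytes" >&2
        return 2
    fi
    # First four bytes as unsigned decimals, then assemble little-endian.
    read -r b0 b1 b2 b3 <<EOF
$(od -An -tu1 -N4 "$file")
EOF
    word=$(( b0 | (b1 << 8) | (b2 << 16) | (b3 << 24) ))
    echo $(( (word >> 20) & 127 ))
}

# Print "enabled" when an odd number of FLASH_CRYPT_CNT bits is set,
# "disabled" otherwise.
flash_encryption_state() {
    cnt=$(flash_crypt_cnt "$1") || return 2
    ones=0
    while [ "$cnt" -gt 0 ]; do
        ones=$(( ones + (cnt & 1) ))
        cnt=$(( cnt >> 1 ))
    done
    if [ $(( ones % 2 )) -eq 1 ]; then echo enabled; else echo disabled; fi
}

# Write a constructed 124-byte image whose third byte is the given octal
# value (bits 4..7 of that byte are FLASH_CRYPT_CNT bits 0..3).
make_sample_efuse() {
    { printf '\000\000'; printf "\\$2"; printf '\000'
      dd if=/dev/zero bs=1 count=120 2>/dev/null; } > "$1"
}
```

After sourcing the file, `flash_encryption_state /tmp/qemu_efuse.bin` reports the state; on the blank image from step 2 it prints `disabled`.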



[GitHub] [incubator-nuttx] xiaoxiang781216 merged pull request #5117: xtensa/esp32: Add support for enabling hardware Flash Encryption on boot

Posted by GitBox <gi...@apache.org>.
xiaoxiang781216 merged pull request #5117:
URL: https://github.com/apache/incubator-nuttx/pull/5117


   

