Posted to commits@nuttx.apache.org by GitBox <gi...@apache.org> on 2021/12/29 17:35:55 UTC
[GitHub] [incubator-nuttx] gustavonihei opened a new pull request #5117: xtensa/esp32: Add support for enabling hardware Flash Encryption on boot
gustavonihei opened a new pull request #5117:
URL: https://github.com/apache/incubator-nuttx/pull/5117
## Summary
This PR intends to add support for encrypting the contents of the SPI Flash on boot using the MCUboot bootloader.
**Flash encryption** is intended for encrypting the contents of the ESP32’s off-chip flash memory. Once this feature is enabled, firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout of flash will not be sufficient to recover most flash contents.
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html
## Impact
This new feature is activated by the MCUboot bootloader image.
The NuttX application image will rely on the existing ESP32 SPI Flash driver, which already implements the encrypted standard operations.
It should not have any impact on current users if the feature is not explicitly enabled.
## Testing
Tested on `esp32-ethernet-kit` and also on QEMU-ESP32.
### Instructions for testing on QEMU:
**NOTE: Make sure the QEMU-ESP32 installation is up-to-date!**
1) Build a QEMU-compatible image
```bash
./tools/configure.sh -E esp32-devkitc:nsh
kconfig-tweak -e EXPERIMENTAL
kconfig-tweak -e ESP32_APP_FORMAT_MCUBOOT
kconfig-tweak -e ESP32_BOOTLOADER_BUILD_FROM_SOURCE
kconfig-tweak -e ESP32_FLASH_MODE_DOUT
kconfig-tweak -e ESP32_QEMU_IMAGE
kconfig-tweak -e ESP32_SECURE_FLASH_ENC_ENABLED
kconfig-tweak -e ESP32_SPIFLASH
make olddefconfig
make bootloader
make ESPTOOL_BINDIR=. -j 6
```
2) Generate a blank efuses file
```bash
dd if=/dev/zero bs=1 count=124 of=/tmp/qemu_efuse.bin
```
3) Start QEMU
```bash
qemu-system-xtensa -nographic -machine esp32 -drive file=/tmp/qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -drive file=nuttx.merged.bin,if=mtd,format=raw -global driver=timer.esp32.timg,property=wdt_disable,value=true
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@nuttx.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
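
To confirm after the first QEMU boot that the bootloader actually enabled Flash Encryption, the eFuse file from step 2 can be inspected offline. The following is an added example, not part of the pull request or the NuttX tree; it assumes the 124-byte QEMU eFuse file stores BLK0 (7 words) followed by BLK1 to BLK3 (8 words each) as little-endian 32-bit words, and the function names are hypothetical.

```python
import struct
import sys

EFUSE_IMAGE_SIZE = 124   # matches the dd command in step 2
BLK0_WORDS = 7           # assumed layout: BLK0 is 7 words ...
BLKN_WORDS = 8           # ... and BLK1..BLK3 are 8 words each (7 + 3*8 = 31 words)


def flash_enc_status(image: bytes) -> dict:
    """Decode the Flash Encryption related eFuses from a QEMU eFuse image."""
    if len(image) != EFUSE_IMAGE_SIZE:
        raise ValueError(f"expected {EFUSE_IMAGE_SIZE} bytes, got {len(image)}")
    words = struct.unpack("<31I", image)
    blk0_w0 = words[0]
    # FLASH_CRYPT_CNT is a 7-bit field at bits 20..26 of BLK0 word 0.
    crypt_cnt = (blk0_w0 >> 20) & 0x7F
    # BLK1 holds the flash encryption key on the ESP32.
    blk1 = words[BLK0_WORDS:BLK0_WORDS + BLKN_WORDS]
    return {
        "flash_crypt_cnt": crypt_cnt,
        # Encryption is active when an odd number of counter bits is burned.
        "encryption_enabled": bin(crypt_cnt).count("1") % 2 == 1,
        "key_programmed": any(blk1),
        # RD_DIS bit for BLK1 is bit 16 of BLK0 word 0.
        "key_read_protected": bool(blk0_w0 & (1 << 16)),
    }


def constructed_image(blk0_word0: int, key_word: int) -> bytes:
    """Build a constructed (not captured) eFuse image for demonstration."""
    words = [0] * 31
    words[0] = blk0_word0
    words[BLK0_WORDS:BLK0_WORDS + BLKN_WORDS] = [key_word] * BLKN_WORDS
    return struct.pack("<31I", *words)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # e.g. /tmp/qemu_efuse.bin
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                            # constructed sample: counter = 1, key set
        data = constructed_image((1 << 20) | (1 << 16), 0xA5A5A5A5)
    for name, value in flash_enc_status(data).items():
        print(f"{name}: {value}")
```

A blank file straight from step 2 should report `encryption_enabled: False`; a change to `True` after the first boot indicates the bootloader burned the counter.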
[GitHub] [incubator-nuttx] xiaoxiang781216 merged pull request #5117: xtensa/esp32: Add support for enabling hardware Flash Encryption on boot
Posted by GitBox <gi...@apache.org>.
xiaoxiang781216 merged pull request #5117:
URL: https://github.com/apache/incubator-nuttx/pull/5117