gustavonihei opened a new pull request #5117: URL: https://github.com/apache/incubator-nuttx/pull/5117
## Summary This PR intends to add support for encrypting the contents of the SPI Flash on boot using the MCUboot bootloader. **Flash encryption** is intended for encrypting the contents of the ESP32’s off-chip flash memory. Once this feature is enabled, firmware is flashed as plaintext, and then the data is encrypted in place on the first boot. As a result, physical readout of flash will not be sufficient to recover most flash contents. https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html ## Impact This new feature is activated by the MCUboot bootloader image. The NuttX application image will rely on existing ESP32 SPI Flash driver, which already implements the encrypted standard operations. Should not bring any impact to current users if the feature is not explicitly enabled. ## Testing Tested on `esp32-ethernet-kit` and also on QEMU-ESP32. ### Instructions for testing on QEMU: **NOTE: Make sure the QEMU-ESP32 installation is up-to-date!** 1) Build a QEMU-compatible image ```bash ./tools/configure.sh -E esp32-devkitc:nsh kconfig-tweak -e EXPERIMENTAL kconfig-tweak -e ESP32_APP_FORMAT_MCUBOOT kconfig-tweak -e ESP32_BOOTLOADER_BUILD_FROM_SOURCE kconfig-tweak -e ESP32_FLASH_MODE_DOUT kconfig-tweak -e ESP32_QEMU_IMAGE kconfig-tweak -e ESP32_SECURE_FLASH_ENC_ENABLED kconfig-tweak -e ESP32_SPIFLASH make olddefconfig make bootloader make ESPTOOL_BINDIR=. -j 6 ``` 2) Generate a blank efuses file ``` dd if=/dev/zero bs=1 count=124 of=/tmp/qemu_efuse.bin ``` 3) Start QEMU ``` qemu-system-xtensa -nographic -machine esp32 -drive file=/tmp/qemu_efuse.bin,if=none,format=raw,id=efuse -global driver=nvram.esp32.efuse,property=drive,value=efuse -drive file=nuttx.merged.bin,if=mtd,format=raw -global driver=timer.esp32.timg,property=wdt_disable,value=true ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
