Can't init NVS when enabling flash encryption.

[vomed1991]

Hello forum.

ver: 4.3.

I tried enabling flash encryption with the code I already have, but as the app started I got the error, that there is no nvs_key partition. So I changed my partition table to

Code: Select all

nvs,      data, nvs,     0xd000,   0x6000,
app0,     app,  ota_0,   ,  0x160000,
app1,     app,  ota_1,   , 0x160000,
otadata,  data, ota,     , 0x2000,
storage,  data, fat,     , 0x107000,
nvs_key,  data, nvs_keys, ,0x1000, encrypted

but I still get

Code: Select all

 (850) nvs: Failed to read NVS security cfg: [0x1117] (ESP_ERR_NVS_CORRUPT_KEY_PART)

Should I rewrite my nvs init procedure? Right now it looks like this

Code: Select all

    esp_err_t err = nvs_flash_init();
    if (err == ESP_ERR_NVS_NO_FREE_PAGES || err == ESP_ERR_NVS_NEW_VERSION_FOUND) {
        ESP_ERROR_CHECK(nvs_flash_erase());
        err = nvs_flash_init();
    }

Should I externally generate the nvs_keys partition? How can I do that, if the encryption key was generated on ESP32 and I don't know it?

[vomed1991]

Ok, figured this myself

Code: Select all

    esp_partition_t * user_keys_partition = (esp_partition_t *)esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS, NULL);
    esp_partition_t * user_nvs_partition = (esp_partition_t *)esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_DATA_NVS, NULL);

    nvs_sec_cfg_t nvs_cfg;
    err = nvs_flash_read_security_cfg(user_keys_partition, &nvs_cfg);
    if (err == ESP_ERR_NVS_KEYS_NOT_INITIALIZED || ESP_ERR_NVS_CORRUPT_KEY_PART == err)
    {
        err = nvs_flash_generate_keys(user_keys_partition, &nvs_cfg);
    }

[ESP_Mahavir]

Hello,

Sorry for delayed reply!

Actually `nvs_flash_init()` API takes care of correctly initialising NVS partition for encryption requirement.

Please see relevant commit that had added this support at https://github.com/espressif/esp-idf/co ... 7085ab99cd

Documentation pointer at https://docs.espressif.com/projects/esp ... read-write

I wonder why you require additional code to generate keys here.

Could you please enable debug logs and post output of error case?

[WiFive]

It only works if the key partition has been erased, not if it has random data because the user didn't do a full flash erase before flashing the project.

[ESP_Mahavir]

It only works if the key partition has been erased, not if it has random data because the user didn't do a full flash erase before flashing the project.

Good point. This could be the reason for failure here.