diff --git a/components/nvs_sec_provider/include/nvs_sec_provider.h b/components/nvs_sec_provider/include/nvs_sec_provider.h
index 3624553ef5..329d9b51c0 100644
--- a/components/nvs_sec_provider/include/nvs_sec_provider.h
+++ b/components/nvs_sec_provider/include/nvs_sec_provider.h
@@ -23,17 +23,21 @@ extern "C" {
 #define ESP_ERR_NVS_SEC_BASE 0xF000 /*!< Starting number of error codes */
+#if SOC_HMAC_SUPPORTED
 #define ESP_ERR_NVS_SEC_HMAC_KEY_NOT_FOUND (ESP_ERR_NVS_SEC_BASE + 0x01) /*!< HMAC Key required to generate the NVS encryption keys not found */
 #define ESP_ERR_NVS_SEC_HMAC_KEY_BLK_ALREADY_USED (ESP_ERR_NVS_SEC_BASE + 0x02) /*!< Provided eFuse block for HMAC key generation is already in use */
 #define ESP_ERR_NVS_SEC_HMAC_KEY_GENERATION_FAILED (ESP_ERR_NVS_SEC_BASE + 0x03) /*!< Failed to generate/write the HMAC key to eFuse */
 #define ESP_ERR_NVS_SEC_HMAC_XTS_KEYS_DERIV_FAILED (ESP_ERR_NVS_SEC_BASE + 0x04) /*!< Failed to derive the NVS encryption keys based on the HMAC-based scheme */
+#endif
 /**
  * @brief NVS Encryption Keys Protection Scheme
  */
 typedef enum {
 NVS_SEC_SCHEME_FLASH_ENC = 0, /*!< Protect NVS encryption keys using Flash Encryption */
+#if SOC_HMAC_SUPPORTED
 NVS_SEC_SCHEME_HMAC, /*!< Protect NVS encryption keys using HMAC peripheral */
+#endif
 NVS_SEC_SCHEME_MAX
 } nvs_sec_scheme_id_t;
@@ -77,7 +81,7 @@ typedef struct {
  *
  * @return
  * - ESP_OK, if `sec_scheme_handle_out` was populated successfully with the scheme configuration;
- * - ESP_ERR_INVALID_ARG, if `scheme_cfg_hmac` is NULL;
+ * - ESP_ERR_INVALID_ARG, if `sec_scheme_cfg` is NULL;
  * - ESP_ERR_NO_MEM, No memory for the scheme-specific handle `sec_scheme_handle_out`
  * - ESP_ERR_NOT_FOUND, if no `nvs_keys` partition is found
  */
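Review bot: The new `#if SOC_HMAC_SUPPORTED` guards around the `ESP_ERR_NVS_SEC_HMAC_*` codes and the `NVS_SEC_SCHEME_HMAC` enumerator evaluate silently to 0 when the macro is simply not defined, so an include order that does not pull in the SoC capability macros (in ESP-IDF these come from `soc/soc_caps.h`) would make the HMAC scheme and its error codes disappear without any diagnostic. The header's include list is above this hunk and not visible, so I can only suggest confirming that the header includes `soc/soc_caps.h` itself rather than relying on callers, and building with `-Wundef` to catch the silent-zero case. The prototype `nvs_sec_provider_register_hmac` in the -92,7 hunk below remains unguarded on the new side, which is inconsistent with guarding its enumerator and, if its definition is compiled out on targets without HMAC, turns a misuse into a link-time error instead of a compile-time one; wrapping that declaration in the same `#if SOC_HMAC_SUPPORTED` block would keep the header consistent. `NVS_SEC_SCHEME_MAX` now takes a target-dependent value, which is worth a one-line comment such as `/*!< Number of available schemes; depends on SoC capabilities */`.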
@@ -92,7 +96,7 @@ esp_err_t nvs_sec_provider_register_flash_enc(const nvs_sec_config_flash_enc_t *
  *
  * @return
  * - ESP_OK, if `sec_scheme_handle_out` was populated successfully with the scheme configuration;
- * - ESP_ERR_INVALID_ARG, if `scheme_cfg_hmac` is NULL;
+ * - ESP_ERR_INVALID_ARG, if `sec_scheme_cfg` is NULL;
  * - ESP_ERR_NO_MEM, No memory for the scheme-specific handle `sec_scheme_handle_out`
  */
 esp_err_t nvs_sec_provider_register_hmac(const nvs_sec_config_hmac_t *sec_scheme_cfg, nvs_sec_scheme_t **sec_scheme_handle_out);
diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst
index e0d69e7a25..d24a725d20 100644
--- a/docs/en/api-reference/storage/nvs_encryption.rst
+++ b/docs/en/api-reference/storage/nvs_encryption.rst
@@ -148,7 +148,11 @@ The same NVS API functions ``nvs_get_*`` or ``nvs_set_*`` can be used for readin
 - To enable encryption for the default NVS partition, no additional step is necessary. When :ref:`CONFIG_NVS_ENCRYPTION` is enabled, the :cpp:func:`nvs_flash_init` API function internally performs some additional steps to enable encryption for the default NVS partition depending on the scheme being used (set by :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`).
-- For the flash encryption-based scheme, the first :ref:`nvs_encr_key_partition` found is used to generate the encryption keys while for the HMAC one, keys are generated using the HMAC key burnt in eFuse at :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` (refer to the API documentation for more details).
+- For the flash encryption-based scheme, the first :ref:`nvs_encr_key_partition` found is used to generate the encryption keys.
+
+.. only:: SOC_HMAC_SUPPORTED
+ For the HMAC-based scheme, keys are generated using the HMAC key burnt in eFuse at :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` (refer to the API documentation for more details).
 Alternatively, :cpp:func:`nvs_flash_secure_init` API function can also be used to enable encryption for the default NVS partition.
diff --git a/docs/zh_CN/api-reference/storage/nvs_encryption.rst b/docs/zh_CN/api-reference/storage/nvs_encryption.rst
index a6f5f631d1..27d7d615be 100644
--- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst
+++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst
@@ -148,7 +148,11 @@ NVS API 函数 ``nvs_get_*`` 或 ``nvs_set_*`` 也可用于读取和写入加密
 - 要为默认 NVS 分区启用加密,无需额外的步骤。在启用 :ref:`CONFIG_NVS_ENCRYPTION` 时,API 函数 :cpp:func:`nvs_flash_init` 会根据使用的方案(由 :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` 设置)在内部执行一些额外步骤,为默认的 NVS 分区启用加密。
-- 在基于 flash 加密的方案中,加密密钥由找到的第一个 :ref:`nvs_encr_key_partition` 生成。在 HMAC 方案中,密钥由 :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 中烧录的 HMAC 密钥生成(参考 API 文档以了解更多详细信息)。
+- 在基于 flash 加密的方案中,加密密钥由找到的第一个 :ref:`nvs_encr_key_partition` 生成。
+
+.. only:: SOC_HMAC_SUPPORTED
+ 在 HMAC 方案中,密钥由 :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 中烧录的 HMAC 密钥生成(参考 API 文档以了解更多详细信息)。
 另外,还可使用 API 函数 :cpp:func:`nvs_flash_secure_init` 为默认 NVS 分区启用加密。