fix(doc): Documentation of NVS HMAC encryption adjusted

2026-04-27 19:13:21 +00:00 · 2026-03-04 16:22:30 +01:00
parent bbee94f718
commit 123de681bd
3 changed files with 16 additions and 4 deletions
@@ -23,17 +23,21 @@ extern "C" {

 #define ESP_ERR_NVS_SEC_BASE                        0xF000                         /*!< Starting number of error codes */

+#if SOC_HMAC_SUPPORTED
 #define ESP_ERR_NVS_SEC_HMAC_KEY_NOT_FOUND          (ESP_ERR_NVS_SEC_BASE + 0x01)  /*!< HMAC Key required to generate the NVS encryption keys not found */
 #define ESP_ERR_NVS_SEC_HMAC_KEY_BLK_ALREADY_USED   (ESP_ERR_NVS_SEC_BASE + 0x02)  /*!< Provided eFuse block for HMAC key generation is already in use */
 #define ESP_ERR_NVS_SEC_HMAC_KEY_GENERATION_FAILED  (ESP_ERR_NVS_SEC_BASE + 0x03)  /*!< Failed to generate/write the HMAC key to eFuse */
 #define ESP_ERR_NVS_SEC_HMAC_XTS_KEYS_DERIV_FAILED  (ESP_ERR_NVS_SEC_BASE + 0x04)  /*!< Failed to derive the NVS encryption keys based on the HMAC-based scheme */
+#endif

 /**
 * @brief NVS Encryption Keys Protection Scheme
 */
 typedef enum {
    NVS_SEC_SCHEME_FLASH_ENC = 0, /*!<  Protect NVS encryption keys using Flash Encryption */
+#if SOC_HMAC_SUPPORTED
    NVS_SEC_SCHEME_HMAC,          /*!<  Protect NVS encryption keys using HMAC peripheral */
+#endif
    NVS_SEC_SCHEME_MAX
 } nvs_sec_scheme_id_t;

@@ -77,7 +81,7 @@ typedef struct {
 *
 * @return
 *      - ESP_OK, if `sec_scheme_handle_out` was populated successfully with the scheme configuration;
- *      - ESP_ERR_INVALID_ARG, if `scheme_cfg_hmac` is NULL;
+ *      - ESP_ERR_INVALID_ARG, if `sec_scheme_cfg` is NULL;
 *      - ESP_ERR_NO_MEM, No memory for the scheme-specific handle `sec_scheme_handle_out`
 *      - ESP_ERR_NOT_FOUND, if no `nvs_keys` partition is found
 */
@@ -92,7 +96,7 @@ esp_err_t nvs_sec_provider_register_flash_enc(const nvs_sec_config_flash_enc_t *
 *
 * @return
 *      - ESP_OK, if `sec_scheme_handle_out` was populated successfully with the scheme configuration;
- *      - ESP_ERR_INVALID_ARG, if `scheme_cfg_hmac` is NULL;
+ *      - ESP_ERR_INVALID_ARG, if `sec_scheme_cfg` is NULL;
 *      - ESP_ERR_NO_MEM, No memory for the scheme-specific handle `sec_scheme_handle_out`
 */
 esp_err_t nvs_sec_provider_register_hmac(const nvs_sec_config_hmac_t *sec_scheme_cfg, nvs_sec_scheme_t **sec_scheme_handle_out);
@@ -148,7 +148,11 @@ The same NVS API functions ``nvs_get_*`` or ``nvs_set_*`` can be used for readin

 - To enable encryption for the default NVS partition, no additional step is necessary. When :ref:`CONFIG_NVS_ENCRYPTION` is enabled, the :cpp:func:`nvs_flash_init` API function internally performs some additional steps to enable encryption for the default NVS partition depending on the scheme being used (set by :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME`).

- For the flash encryption-based scheme, the first :ref:`nvs_encr_key_partition` found is used to generate the encryption keys while for the HMAC one, keys are generated using the HMAC key burnt in eFuse at :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` (refer to the API documentation for more details).
+- For the flash encryption-based scheme, the first :ref:`nvs_encr_key_partition` found is used to generate the encryption keys.
+
+.. only:: SOC_HMAC_SUPPORTED
+
+    For the HMAC-based scheme, keys are generated using the HMAC key burnt in eFuse at :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` (refer to the API documentation for more details).

 Alternatively, :cpp:func:`nvs_flash_secure_init` API function can also be used to enable encryption for the default NVS partition.

@@ -148,7 +148,11 @@ NVS API 函数 ``nvs_get_*`` 或 ``nvs_set_*`` 也可用于读取和写入加密

 - 要为默认 NVS 分区启用加密，无需额外的步骤。在启用 :ref:`CONFIG_NVS_ENCRYPTION` 时，API 函数 :cpp:func:`nvs_flash_init` 会根据使用的方案（由 :ref:`CONFIG_NVS_SEC_KEY_PROTECTION_SCHEME` 设置）在内部执行一些额外步骤，为默认的 NVS 分区启用加密。

- 在基于 flash 加密的方案中，加密密钥由找到的第一个 :ref:`nvs_encr_key_partition` 生成。在 HMAC 方案中，密钥由 :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 中烧录的 HMAC 密钥生成（参考 API 文档以了解更多详细信息）。
+- 在基于 flash 加密的方案中，加密密钥由找到的第一个 :ref:`nvs_encr_key_partition` 生成。
+
+.. only:: SOC_HMAC_SUPPORTED
+
+    在 HMAC 方案中，密钥由 :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 中烧录的 HMAC 密钥生成（参考 API 文档以了解更多详细信息）。

 另外，还可使用 API 函数 :cpp:func:`nvs_flash_secure_init` 为默认 NVS 分区启用加密。