From 16873520fd38ec0feb5ad27608d18284751be038 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Mon, 4 Aug 2025 14:49:08 +0530
Subject: [PATCH] ci(flash_enc): Extend flash encryption and mbedtls test case to test PSRAM encryption
---
 .../mbedtls/test_apps/.build-test-rules.yml | 4 +++
 .../mbedtls/test_apps/pytest_mbedtls_ut.py | 26 +++++++++++++++++
 .../sdkconfig.ci.psram_all_ext_flash_enc | 17 +++++++++++
 ...ig.ci.psram_all_ext_flash_enc_esp32p4_200m | 21 ++++++++++++++
 examples/security/.build-test-rules.yml | 4 ++-
 .../flash_encryption/main/CMakeLists.txt | 2 +-
 .../pytest_flash_encryption.py | 29 ++++++++++++++++++-
 .../flash_encryption/sdkconfig.ci.psram | 16 ++++++++++
 pytest.ini | 1 +
 9 files changed, 117 insertions(+), 3 deletions(-)
 create mode 100644 components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc
 create mode 100644 components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc_esp32p4_200m
 create mode 100644 examples/security/flash_encryption/sdkconfig.ci.psram
diff --git a/components/mbedtls/test_apps/.build-test-rules.yml b/components/mbedtls/test_apps/.build-test-rules.yml
index 0e72c8d3dc..5c97f3c763 100644
--- a/components/mbedtls/test_apps/.build-test-rules.yml
+++ b/components/mbedtls/test_apps/.build-test-rules.yml
@@ -5,6 +5,10 @@ components/mbedtls/test_apps:
 - if: CONFIG_NAME == "psram" and SOC_SPIRAM_SUPPORTED != 1
 - if: CONFIG_NAME == "psram_all_ext" and SOC_SPIRAM_SUPPORTED != 1
 - if: CONFIG_NAME == "ecdsa_sign" and SOC_ECDSA_SUPPORTED != 1
+ - if: CONFIG_NAME == "psram_all_ext_flash_enc" and SOC_SPIRAM_SUPPORTED != 1
+ disable_test:
+ - if: CONFIG_NAME == "psram_all_ext_flash_enc" and IDF_TARGET not in ["esp32"]
+ reason: lack of runners
 depends_components:
 - efuse
 - mbedtls
diff --git a/components/mbedtls/test_apps/pytest_mbedtls_ut.py b/components/mbedtls/test_apps/pytest_mbedtls_ut.py
index 00d9582bf0..edba967677 100644
--- a/components/mbedtls/test_apps/pytest_mbedtls_ut.py
+++ b/components/mbedtls/test_apps/pytest_mbedtls_ut.py
@@ -51,6 +51,19 @@ def test_mbedtls_psram(dut: Dut) -> None:
 dut.run_all_single_board_cases()
+@pytest.mark.flash_encryption_psram
+@pytest.mark.parametrize(
+ 'config',
+ [
+ 'psram_all_ext_flash_enc',
+ ],
+ indirect=True,
+)
+@idf_parametrize('target', ['esp32'], indirect=['target'])
+def test_mbedtls_psram_all_ext_flash_enc(dut: Dut) -> None:
+ dut.run_all_single_board_cases()
+
+
 @pytest.mark.generic
 @pytest.mark.parametrize(
 'config',
@@ -62,6 +75,19 @@ def test_mbedtls_psram_esp32p4(dut: Dut) -> None:
 dut.run_all_single_board_cases()
+@pytest.mark.flash_encryption
+@pytest.mark.parametrize(
+ 'config',
+ [
+ 'psram_all_ext_flash_enc_esp32p4_200m',
+ ],
+ indirect=True,
+)
+@idf_parametrize('target', ['esp32p4'], indirect=['target'])
+def test_mbedtls_psram_all_ext_flash_enc_esp32p4_200m(dut: Dut) -> None:
+ dut.run_all_single_board_cases()
+
+
 @pytest.mark.ecdsa_efuse
 @pytest.mark.parametrize(
 'config',
diff --git a/components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc b/components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc
new file mode 100644
index 0000000000..83fe8f4ede
--- /dev/null
+++ b/components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc
@@ -0,0 +1,17 @@
+CONFIG_SPIRAM=y
+CONFIG_ESP_INT_WDT_TIMEOUT_MS=800
+CONFIG_FREERTOS_TASK_CREATE_ALLOW_EXT_MEM=y
+CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL=0
+
+# Default settings for testing this example in CI.
+# This configuration is not secure, don't use it in production!
+# See Flash Encryption API Guide for more details.
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
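Review bot: The two tests added to pytest_mbedtls_ut.py (`test_mbedtls_psram_all_ext_flash_enc` in the `@@ -51,6 +51,19 @@` hunk and `test_mbedtls_psram_all_ext_flash_enc_esp32p4_200m` in `@@ -62,6 +75,19 @@`) only call `dut.run_all_single_board_cases()`, so nothing on the Python side checks that the device is running with flash encryption enabled or that the heap under test is in PSRAM. As far as these hunks show, that guarantee rests on the sdkconfig (`CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y`) and on the runner tag, and the reason esp32 uses `flash_encryption_psram` while esp32p4 uses plain `flash_encryption` is not stated anywhere. I would give each test a one-line docstring, for example `"""Run the mbedtls unit cases on a runner with flash encryption already enabled in eFuse and heap allocations allowed in external RAM."""`, and a short comment beside the marker naming the runner hardware it selects.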
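Review bot: The comment block in the new sdkconfig.ci.psram_all_ext_flash_enc reads "Default settings for testing this example in CI", but this file configures the mbedtls test app, so the wording looks copied from the flash_encryption example; the same block is repeated in sdkconfig.ci.psram_all_ext_flash_enc_esp32p4_200m. The options under it keep flash encryption in development mode with JTAG, ROM BASIC and the UART bootloader encrypt/decrypt/cache paths left enabled, so the warning should say who the file is for, e.g. `# CI-only: development-mode flash encryption for re-flashable test runners. Not secure, never reuse for production builds.` In the esp32p4 variant, `CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC` and `CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC` look ESP32-specific and are probably ignored on that target; that should be confirmed against Kconfig and the lines dropped if so, so the file does not suggest protections or relaxations that are not in effect.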
diff --git a/components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc_esp32p4_200m b/components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc_esp32p4_200m
new file mode 100644
index 0000000000..7d51165285
--- /dev/null
+++ b/components/mbedtls/test_apps/sdkconfig.ci.psram_all_ext_flash_enc_esp32p4_200m
@@ -0,0 +1,21 @@
+CONFIG_IDF_TARGET="esp32p4"
+CONFIG_SPIRAM=y
+CONFIG_ESP_INT_WDT_TIMEOUT_MS=800
+CONFIG_FREERTOS_TASK_CREATE_ALLOW_EXT_MEM=y
+CONFIG_SPIRAM_MALLOC_ALWAYSINTERNAL=0
+
+CONFIG_IDF_EXPERIMENTAL_FEATURES=y
+CONFIG_SPIRAM_SPEED_200M=y
+
+# Default settings for testing this example in CI.
+# This configuration is not secure, don't use it in production!
+# See Flash Encryption API Guide for more details.
+
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
diff --git a/examples/security/.build-test-rules.yml b/examples/security/.build-test-rules.yml
index 792158ea99..64d0781791 100644
--- a/examples/security/.build-test-rules.yml
+++ b/examples/security/.build-test-rules.yml
@@ -1,8 +1,10 @@
 # Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps
 examples/security/flash_encryption:
+ disable:
+ - if: CONFIG_NAME == "psram" and SOC_SPIRAM_SUPPORTED != 1
 disable_test:
- - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32p4", "esp32c5", "esp32c61"]
+ - if: IDF_TARGET in ["esp32s2", "esp32s3", "esp32c6", "esp32h2", "esp32c2", "esp32c5", "esp32c61"]
 temporary: true
 reason: lack of runners
diff --git a/examples/security/flash_encryption/main/CMakeLists.txt b/examples/security/flash_encryption/main/CMakeLists.txt
index 1b358ad0df..8110b1ace0 100644
--- a/examples/security/flash_encryption/main/CMakeLists.txt
+++ b/examples/security/flash_encryption/main/CMakeLists.txt
@@ -1,5 +1,5 @@
 idf_component_register(SRCS "flash_encrypt_main.c"
 "flash_encrypt_fatfs.c"
 PRIV_REQUIRES vfs nvs_flash spi_flash efuse bootloader_support
- fatfs espcoredump nvs_sec_provider
+ fatfs espcoredump nvs_sec_provider esp_psram
 INCLUDE_DIRS ".")
diff --git a/examples/security/flash_encryption/pytest_flash_encryption.py b/examples/security/flash_encryption/pytest_flash_encryption.py
index 114e63e3a7..ceb2eecc32 100644
--- a/examples/security/flash_encryption/pytest_flash_encryption.py
+++ b/examples/security/flash_encryption/pytest_flash_encryption.py
@@ -8,6 +8,7 @@ import espsecure
 import pytest
 from pytest_embedded import Dut
 from pytest_embedded_idf.utils import idf_parametrize
+
 # To prepare a test runner for this example:
 # 1. Generate zero flash encryption key:
 # dd if=/dev/zero of=key.bin bs=1 count=32
@@ -75,7 +76,7 @@ def _test_flash_encryption(dut: Dut) -> None:
 @pytest.mark.flash_encryption
-@idf_parametrize('target', ['esp32', 'esp32c3'], indirect=['target'])
+@idf_parametrize('target', ['esp32', 'esp32c3', 'esp32p4'], indirect=['target'])
 def test_examples_security_flash_encryption(dut: Dut) -> None:
 _test_flash_encryption(dut)
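Review bot: `esp_psram` joins `PRIV_REQUIRES` in the `@@ -1,5 +1,5 @@` hunk of main/CMakeLists.txt, yet no C source is touched by this patch, so the reason for the new dependency cannot be read from the file. Presumably it is there so the PSRAM component is part of the build when sdkconfig.ci.psram sets `CONFIG_SPIRAM=y`; if that is the case, record it in place with a comment such as `# esp_psram: needed so the example builds with CONFIG_SPIRAM (see sdkconfig.ci.psram)`. The dependency is unconditional, so it also applies to builds of the default, non-PSRAM configuration.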
@@ -91,3 +92,29 @@ def test_examples_security_flash_encryption(dut: Dut) -> None:
 @idf_parametrize('target', ['esp32c3'], indirect=['target'])
 def test_examples_security_flash_encryption_rom_impl(dut: Dut) -> None:
 _test_flash_encryption(dut)
+
+
+@pytest.mark.flash_encryption_psram
+@pytest.mark.parametrize(
+ 'config',
+ [
+ 'psram',
+ ],
+ indirect=True,
+)
+@idf_parametrize('target', ['esp32'], indirect=['target'])
+def test_examples_security_flash_encryption_psram_esp32(dut: Dut) -> None:
+ _test_flash_encryption(dut)
+
+
+@pytest.mark.flash_encryption
+@pytest.mark.parametrize(
+ 'config',
+ [
+ 'psram',
+ ],
+ indirect=True,
+)
+@idf_parametrize('target', ['esp32p4'], indirect=['target'])
+def test_examples_security_flash_encryption_psram(dut: Dut) -> None:
+ _test_flash_encryption(dut)
diff --git a/examples/security/flash_encryption/sdkconfig.ci.psram b/examples/security/flash_encryption/sdkconfig.ci.psram
new file mode 100644
index 0000000000..6bc2e46df5
--- /dev/null
+++ b/examples/security/flash_encryption/sdkconfig.ci.psram
@@ -0,0 +1,16 @@
+# Configurations for flash encryption.
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+
+CONFIG_SPIRAM=y
+CONFIG_SPIRAM_BOOT_INIT=y
+
+# Enabling PSRAM MEMTEST to verify the PSRAM encryption
+# case when flash encryption is enabled
+CONFIG_SPIRAM_MEMTEST=y
diff --git a/pytest.ini b/pytest.ini
index e12d1747bd..ecce08cb6c 100644
--- a/pytest.ini
+++ b/pytest.ini
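Review bot: Both tests added in the `@@ -91,3 +92,29 @@` hunk of pytest_flash_encryption.py call the existing `_test_flash_encryption(dut)` helper unchanged, so unless that helper (defined outside this hunk) already looks for PSRAM output, the PSRAM runs are judged by exactly the same expectations as the non-PSRAM ones. The new sdkconfig.ci.psram turns on `CONFIG_SPIRAM_MEMTEST` "to verify the PSRAM encryption case", but a memory test shows that reads and writes through external RAM are consistent, not that the data is stored encrypted, and its result is never asserted in the test. I would have the two PSRAM tests wait for the memtest success line before calling the helper, e.g. `dut.expect_exact(PSRAM_MEMTEST_OK)` where `PSRAM_MEMTEST_OK` is a placeholder for the message esp_psram logs, and reword the sdkconfig comment to `# Run the PSRAM memtest at boot so a PSRAM access failure under flash encryption is caught by the test`.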
@@ -64,6 +64,7 @@ env_markers =
 flash_encryption_f4r8: Flash Encryption runners with 4-line flash and 8-line psram
 flash_encryption_f8r8: Flash Encryption runners with 8-line flash and 8-line psram
 flash_encryption_ota: Flash Encryption runners with ethernet OTA support with 4mb flash size
+ flash_encryption_psram: ESP32 Flash Encryption runners with psram
 flash_multi: Multiple flash chips tests
 psram: Chip has 4-line psram
 ir_transceiver: runners with a pair of IR transmitter and receiver