From d28b0e834f7e1927c0e95b134952b747abbee41c Mon Sep 17 00:00:00 2001 From: Shubham Patil Date: Fri, 2 Dec 2022 17:33:17 +0530 Subject: [PATCH] mfg_tool: Option to encrypt the factory partition --- tools/mfg_tool/README.md | 20 ++++++++++++++++++++ tools/mfg_tool/mfg_tool.py | 17 +++++++++++++++-- 2 files changed, 35 insertions(+), 2 deletions(-) diff --git a/tools/mfg_tool/README.md b/tools/mfg_tool/README.md index 24d2ad5e1..2a2ce7636 100644 --- a/tools/mfg_tool/README.md +++ b/tools/mfg_tool/README.md @@ -157,3 +157,23 @@ Please note that `mfg_tool.py` only generates manufacturing binary images which ``` esptool.py -p write_flash
path/to/-partition.bin ``` + +## Encrypting NVS partition + +Below are the steps for encrypting the application and factory partition but before proceeding further please READ THE DOCS FIRST. Documentation References: + +- [Flash and NVS encryption](https://github.com/project-chip/connectedhomeip/blob/master/docs/guides/esp32/flash_nvs_encryption.md#flash-and-nvs-encryption) + +Provide `-e` option along with other options to generate the encrypted NVS partition binary. + +It will generate additional partition binary (`-keys-partition.bin`) containing the key for decrypting encrypted partition. + +- Flash the partition binary containing factory data, as NVS encryption works differently, please flash is without `--encrypt` option +``` +esptool.py -p (PORT) write_flash (FACTORY_PARTITION_ADDR) path/to/factory_partition.bin +``` + +- Flash the partition binary containing encryption keys, these SHALL be flashed with `--encrypt` option +``` +esptool.py -p (PORT) write_flash --encrypt (NVS_KEYS_PARTITION_ADDR) path/to/nvs_key_partition.bin +``` diff --git a/tools/mfg_tool/mfg_tool.py b/tools/mfg_tool/mfg_tool.py index 6a62dc402..2a459a8da 100755 --- a/tools/mfg_tool/mfg_tool.py +++ b/tools/mfg_tool/mfg_tool.py @@ -372,6 +372,11 @@ def organize_output_files(suffix, args): replace_with = os.sep.join([dest_path, '{}-partition.bin'.format(UUIDs[i])]) os.rename(replace, replace_with) + if args.encrypt: + replace = os.sep.join([OUT_DIR['top'], 'keys', 'keys-{}-{}.bin'.format(suffix, str(i + 1))]) + replace_with = os.sep.join([dest_path, '{}-keys-partition.bin'.format(UUIDs[i])]) + os.rename(replace, replace_with) + replace = os.sep.join([OUT_DIR['top'], 'csv', '{}-{}.csv'.format(suffix, str(i + 1))]) replace_with = os.sep.join([internal_path, 'partition.csv']) os.rename(replace, replace_with) @@ -384,14 +389,20 @@ def organize_output_files(suffix, args): os.rmdir(os.sep.join([OUT_DIR['top'], 'bin'])) os.rmdir(os.sep.join([OUT_DIR['top'], 'csv'])) + if args.encrypt: + os.rmdir(os.sep.join([OUT_DIR['top'], 'keys'])) -def generate_partitions(suffix, size): +def generate_partitions(suffix, size, encrypt): cmd = [ 'python3', TOOLS['mfg_gen'], 'generate', OUT_FILE['config_csv'], OUT_FILE['mcsv'], suffix, hex(size), '--outdir', OUT_DIR['top'] ] + + if encrypt: + cmd.append('--keygen') + execute_cmd(cmd) @@ -431,6 +442,8 @@ def get_args(): If --csv and --mcsv are present, the number of lines in the mcsv file is used.') g_gen.add_argument('-s', '--size', type=any_base_int, default=0x6000, help='The size of manufacturing partition binaries to generate. Default is 0x6000.') + g_gen.add_argument('-e', '--encrypt', action='store_true', required=False, + help='Encrypt the factory parititon NVS binary') g_commissioning = parser.add_argument_group('Commisioning options') g_commissioning.add_argument('--passcode', type=any_base_int, @@ -576,7 +589,7 @@ def main(): if args.paa or args.pai: setup_root_certs(args) write_per_device_unique_data(args) - generate_partitions('matter_partition', args.size) + generate_partitions('matter_partition', args.size, args.encrypt) organize_output_files('matter_partition', args)