alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-14 22:16:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(bootloader_support): Encrypt only the app image instead of the whole partition

Browse Source 
Currently, when flash encryption is enabled, the whole partition gets encrypted.
This can be optimised by encrypting only the app image instead of encrypting the whole partition.

Closes https://github.com/espressif/esp-idf/issues/12576
This commit is contained in:
harshal.patil
2023-11-22 15:17:37 +05:30
parent cb169cb02f
commit 42943845e4
6 changed files with 44 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
components/bootloader_support/src/flash_encryption/flash_encrypt.c
View File

@@ -404,14 +404,21 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
{
esp_err_t err;
bool should_encrypt = (partition->flags & PART_FLAG_ENCRYPTED);
uint32_t size = partition->pos.size;
if (partition->type == PART_TYPE_APP) {
/* check if the partition holds a valid unencrypted app */
esp_image_metadata_t data_ignored;
esp_image_metadata_t image_data = {};
err = esp_image_verify(ESP_IMAGE_VERIFY,
&partition->pos,
&data_ignored);
&image_data);
should_encrypt = (err == ESP_OK);
#ifdef SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART
if (should_encrypt) {
// Encrypt only the app image instead of encrypting the whole partition
size = image_data.image_len;
}
#endif
} else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
|| (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
/* check if we have ota data partition and the partition should be encrypted unconditionally */
@@ -422,9 +429,9 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
return ESP_OK;
} else {
/* should_encrypt */
ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, partition->pos.size);
ESP_LOGI(TAG, "Encrypting partition %d at offset 0x%x (length 0x%x)...", index, partition->pos.offset, size);
err = esp_flash_encrypt_region(partition->pos.offset, partition->pos.size);
err = esp_flash_encrypt_region(partition->pos.offset, size);
ESP_LOGI(TAG, "Done encrypting");
if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to encrypt partition %d", index);