flash enc: add flash encryption unit and example test for C3

examples/security/flash_encryption/README.md

@@ -1,9 +1,6 @@
-| Supported Targets | ESP32 |
-| ----------------- | ----- |
-
 # Flash Encryption
 
-The example checks if the flash encryption feature is enabled/disabled and if enabled prints the flash encryption mode (DEVELOPMENT / RELEASE) and FLASH_CRYPT_CNT eFuse value.
+The example checks if the flash encryption feature is enabled/disabled and if enabled prints the flash encryption mode (DEVELOPMENT / RELEASE) and FLASH_CRYPT_CNT (for ESP32) or SPI_BOOT_CRYPT_CNT (for ESP32-S2 and newer targets) eFuse value.
 
 The example also demonstrates writing and reading encrypted partitions in flash.
 
@@ -51,7 +48,7 @@ The configuration for NVS encryption involves generating the XTS encryption keys
 
 ### Build and Flash
 
-When building the project and flashing it to the board FOR THE FIRST TIME after enabling flash encryption feature in menuconfig, run following command to program ESP32 and monitor the output:
+When building the project and flashing it to the board FOR THE FIRST TIME after enabling flash encryption feature in menuconfig, run following command to program the target and monitor the output:
 
 ```
 idf.py -p PORT flash monitor
@@ -75,7 +72,7 @@ idf.py -p PORT encrypted-flash monitor
 
 ## Example Output
 
-When running the example without enabling flash encryption, the output would be as follows:
+When running the example without enabling flash encryption, the output would be as follows (on ESP32):
 
 ```
 Example to check Flash Encryption status
@@ -145,4 +142,4 @@ It is also possible to use esptool.py utility to read the eFuse values and check
 python $IDF_PATH/components/esptool_py/esptool/espefuse.py --port PORT summary
 ```
 
-If FLASH_CRYPT_CNT eFuse value is non-zero flash encryption is enabled
+If FLASH_CRYPT_CNT (for ESP32) or SPI_BOOT_CRYPT_CNT (for ESP32-S2 and newer targets) eFuse value is non-zero flash encryption is enabled

examples/security/flash_encryption/example_test.py

@@ -25,20 +25,31 @@ except ImportError:
 #   espefuse.py --do-not-confirm -p $ESPPORT burn_efuse FLASH_CRYPT_CONFIG 0xf
 #   espefuse.py --do-not-confirm -p $ESPPORT burn_efuse FLASH_CRYPT_CNT 0x1
 #   espefuse.py --do-not-confirm -p $ESPPORT burn_key flash_encryption key.bin
-@ttfw_idf.idf_example_test(env_tag='Example_Flash_Encryption')
+@ttfw_idf.idf_example_test(env_tag='Example_Flash_Encryption', target=['esp32', 'esp32c3'])
 def test_examples_security_flash_encryption(env, extra_data):
-    dut = env.get_dut('flash_encryption', 'examples/security/flash_encryption', dut_class=ttfw_idf.ESP32DUT)
+    dut = env.get_dut('flash_encryption', 'examples/security/flash_encryption')
+
+    dut.erase_flash()
     # start test
     dut.start_app()
-
     # calculate the expected ciphertext
     flash_addr = dut.app.partition_table['storage']['offset']
     plain_hex_str = '00 01 02 03 04 05 06 07  08 09 0a 0b 0c 0d 0e 0f'
     plain_data = binascii.unhexlify(plain_hex_str.replace(' ', ''))
 
+    # espsecure uses the cryptography package for encrypting
+    # with aes-xts, but does not allow for a symmetric key
+    # so the key for later chips are not all zeros
+    if dut.TARGET == 'esp32':
+        key_bytes = b'\x00' * 32
+        aes_xts = False
+    else:
+        key_bytes = b'\xff' + b'\x00' * 31
+        aes_xts = True
+
     # Emulate espsecure encrypt_flash_data command
     EncryptFlashDataArgs = namedtuple('EncryptFlashDataArgs', ['output', 'plaintext_file', 'address', 'keyfile', 'flash_crypt_conf', 'aes_xts'])
-    args = EncryptFlashDataArgs(BytesIO(), BytesIO(plain_data), flash_addr, BytesIO(b'\x00' * 32), 0xF, None)
+    args = EncryptFlashDataArgs(BytesIO(), BytesIO(plain_data), flash_addr, BytesIO(key_bytes), 0xF, aes_xts)
     espsecure.encrypt_flash_data(args)
 
     expected_ciphertext = args.output.getvalue()