mirror of
https://github.com/espressif/esp-idf.git
synced 2025-12-26 05:09:19 +00:00
1ea0fc261d
- When NVS encryption is enabled on SoCs with the HMAC peripheral that have flash encryption enabled, the HMAC-based NVS encryption scheme is now selected as default instead of the flash encryption-based scheme. - If your application previously used the flash encryption-based scheme, you need to manually configure the NVS encryption scheme to flash encryption from HMAC through ``menuconfig`` or your project's ``sdkconfig`` (i.e., setting ``CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y``).
33 lines
1.1 KiB
Plaintext
33 lines
1.1 KiB
Plaintext
# This example uses an extra partition to demonstrate encrypted/non-encrypted reads/writes.
|
|
CONFIG_PARTITION_TABLE_CUSTOM=y
|
|
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
|
|
CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"
|
|
CONFIG_PARTITION_TABLE_OFFSET=0xD000
|
|
|
|
# Secure Boot V2
|
|
CONFIG_SECURE_SIGNED_ON_BOOT=y
|
|
CONFIG_SECURE_SIGNED_ON_UPDATE=y
|
|
CONFIG_SECURE_SIGNED_APPS=y
|
|
CONFIG_SECURE_BOOT_V2_RSA_ENABLED=y
|
|
CONFIG_SECURE_SIGNED_APPS_RSA_SCHEME=y
|
|
CONFIG_SECURE_BOOT=y
|
|
CONFIG_SECURE_BOOT_V2_ENABLED=y
|
|
CONFIG_SECURE_BOOT_BUILD_SIGNED_BINARIES=y
|
|
CONFIG_SECURE_BOOT_SIGNING_KEY="secure_boot_signing_key.pem"
|
|
|
|
CONFIG_SECURE_BOOT_FLASH_BOOTLOADER_DEFAULT=y
|
|
|
|
# Please note that this does not make the device insecure as JTAG shall be soft disabled with instructions from README along
|
|
|
|
CONFIG_SECURE_BOOT_INSECURE=y
|
|
CONFIG_SECURE_BOOT_ALLOW_JTAG=y
|
|
|
|
# Flash Encryption
|
|
CONFIG_SECURE_FLASH_ENC_ENABLED=y
|
|
CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y
|
|
CONFIG_SECURE_FLASH_ENCRYPT_ONLY_IMAGE_LEN_IN_APP_PART=y
|
|
CONFIG_SECURE_FLASH_CHECK_ENC_EN_IN_APP=y
|
|
CONFIG_SECURE_ROM_DL_MODE_ENABLED=y
|
|
CONFIG_SECURE_ENABLE_SECURE_ROM_DL_MODE=y
|
|
CONFIG_NVS_SEC_KEY_PROTECT_USING_FLASH_ENC=y
|