Merge branch 'fix/tee_otadata_part_encrypted' into 'master'

fix(esp_tee): TEE otadata partition default encrypted for flash-enc case See merge request espressif/esp-idf!36720
2025-03-09 09:09:10 -04:00 · 2025-03-03 17:49:05 +08:00 · 2025-03-03 17:49:05 +08:00 · 01652f590c
commit 01652f590c
parent eb5c2485e2 3821d6cb97
3 changed files with 4 additions and 0 deletions
--- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@ -437,6 +437,7 @@ static esp_err_t encrypt_partition(int index, const esp_partition_info_t *partit
        err = read_and_verify_partition_table(partition->pos.offset, partition_table, &num_partitions);
        should_encrypt = (err == ESP_OK && num_partitions != 0);
    } else if ((partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_OTA)
+                || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_TEE_OTA)
                || (partition->type == PART_TYPE_DATA && partition->subtype == PART_SUBTYPE_DATA_NVS_KEYS)) {
        /* check if we have ota data partition and the partition should be encrypted unconditionally */
        should_encrypt = true;
--- a/components/esp_partition/partition.c
+++ b/components/esp_partition/partition.c
@ -88,6 +88,7 @@ static bool is_partition_encrypted(bool encryption_config, esp_partition_type_t
                || (type == ESP_PARTITION_TYPE_BOOTLOADER)
                || (type == ESP_PARTITION_TYPE_PARTITION_TABLE)
                || (type == ESP_PARTITION_TYPE_DATA && subtype == ESP_PARTITION_SUBTYPE_DATA_OTA)
+                || (type == ESP_PARTITION_TYPE_DATA && subtype == ESP_PARTITION_SUBTYPE_DATA_TEE_OTA)
                || (type == ESP_PARTITION_TYPE_DATA && subtype == ESP_PARTITION_SUBTYPE_DATA_NVS_KEYS)) {
        /* If encryption is turned on, all app partitions and OTA data
            are always encrypted */
--- a/components/esptool_py/project_include.cmake
+++ b/components/esptool_py/project_include.cmake
@ -289,12 +289,14 @@ function(esptool_py_partition_needs_encryption retencrypted partition_name)
        #   - DATA 0x01
        # Subtypes:
        #   - ota      0x00
+        #   - TEE ota  0x90
        #   - nvs_keys 0x04
        # If the partition is an app, an OTA or an NVS keys partition, then it should
        # be encrypted
        if(
                (${type} EQUAL 0) OR
                (${type} EQUAL 1 AND ${subtype} EQUAL 0) OR
+                (${type} EQUAL 1 AND ${subtype} EQUAL 144) OR
                (${type} EQUAL 1 AND ${subtype} EQUAL 4)
          )
            set(encrypted TRUE)