diff --git a/components/nvs_sec_provider/Kconfig b/components/nvs_sec_provider/Kconfig index e50839d3a8..4ed79c4e87 100644 --- a/components/nvs_sec_provider/Kconfig +++ b/components/nvs_sec_provider/Kconfig @@ -32,8 +32,8 @@ menu "NVS Security Provider" config NVS_SEC_HMAC_EFUSE_KEY_ID int "eFuse key ID storing the HMAC key" depends on NVS_SEC_KEY_PROTECT_USING_HMAC - range 0 6 - default 6 + range -1 5 + default -1 help eFuse block key ID storing the HMAC key for deriving the NVS encryption keys diff --git a/components/nvs_sec_provider/nvs_bootloader_sec_provider.c b/components/nvs_sec_provider/nvs_bootloader_sec_provider.c index 052abda446..d8ffbde1b8 100644 --- a/components/nvs_sec_provider/nvs_bootloader_sec_provider.c +++ b/components/nvs_sec_provider/nvs_bootloader_sec_provider.c @@ -96,7 +96,7 @@ esp_err_t nvs_sec_provider_register_flash_enc(const nvs_sec_config_flash_enc_t * static nvs_sec_config_hmac_t nvs_sec_config_hmac_scheme_data; -#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID > 5 +#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID < 0 #error "NVS Encryption (HMAC): Configured eFuse block (CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID) out of range!" #endif diff --git a/components/nvs_sec_provider/nvs_sec_provider.c b/components/nvs_sec_provider/nvs_sec_provider.c index c7f592dd43..ab9a3e1533 100644 --- a/components/nvs_sec_provider/nvs_sec_provider.c +++ b/components/nvs_sec_provider/nvs_sec_provider.c @@ -107,7 +107,7 @@ ESP_SYSTEM_INIT_FN(nvs_sec_provider_register_flash_enc_scheme, SECONDARY, BIT(0) #if SOC_HMAC_SUPPORTED -#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID > 5 +#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID < 0 #error "NVS Encryption (HMAC): Configured eFuse block (CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID) out of range!" #endif diff --git a/docs/en/api-reference/storage/nvs_encryption.rst b/docs/en/api-reference/storage/nvs_encryption.rst index 826bd5e8cf..cbae3878dd 100644 --- a/docs/en/api-reference/storage/nvs_encryption.rst +++ b/docs/en/api-reference/storage/nvs_encryption.rst @@ -121,7 +121,7 @@ It is possible for an application to use different keys for different NVS partit .. note:: - The valid range for the config :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` is from ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) to ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`). By default, the config is set to ``6`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY_MAX`), which have to be configured before building the user application. + The valid range for the config :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` is from ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) to ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`). By default, the config is set to ``-1``, which have to be configured before building the user application. - If no key is found, a key is generated internally and stored at the eFuse block specified at :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID`. - If a key is found with the purpose :cpp:enumerator:`esp_efuse_purpose_t::ESP_EFUSE_KEY_PURPOSE_HMAC_UP`, the same is used for the derivation of the XTS encryption keys. diff --git a/docs/zh_CN/api-reference/storage/nvs_encryption.rst b/docs/zh_CN/api-reference/storage/nvs_encryption.rst index 13c3bb59d3..49dd20d283 100644 --- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst +++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst @@ -121,7 +121,7 @@ NVS 密钥分区 .. note:: - :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 配置的有效范围为 ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) 到 ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`)。默认情况下该配置为 ``6`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY_MAX`),须在构建用户应用程序之前进行修改。 + :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 配置的有效范围为 ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) 到 ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`)。默认情况下该配置为 ``-1``,须在构建用户应用程序之前进行修改。 - 如果找不到密钥,会内部生成一个密钥,并储存在 :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 指定的 eFuse 块中。 - 如果找到用于 :cpp:enumerator:`esp_efuse_purpose_t::ESP_EFUSE_KEY_PURPOSE_HMAC_UP` 的密钥,该密钥也会用于 XTS 加密密钥的生成。