change(nvs_sec_provider): Change NVS encryption's default efuse HMAC key ID to -1

2025-03-09 09:09:10 -04:00 · 2025-01-16 18:05:58 +05:30 · 2025-01-16 18:05:58 +05:30 · 62df1017ad
commit 62df1017ad
parent f205476ffe
5 changed files with 6 additions and 6 deletions
--- a/components/nvs_sec_provider/Kconfig
+++ b/components/nvs_sec_provider/Kconfig
@ -32,8 +32,8 @@ menu "NVS Security Provider"
    config NVS_SEC_HMAC_EFUSE_KEY_ID
        int "eFuse key ID storing the HMAC key"
        depends on NVS_SEC_KEY_PROTECT_USING_HMAC
-        range 0 6
-        default 6
+        range -1 5
+        default -1
        help
            eFuse block key ID storing the HMAC key for deriving the NVS encryption keys

--- a/components/nvs_sec_provider/nvs_bootloader_sec_provider.c
+++ b/components/nvs_sec_provider/nvs_bootloader_sec_provider.c
@ -96,7 +96,7 @@ esp_err_t nvs_sec_provider_register_flash_enc(const nvs_sec_config_flash_enc_t *

 static nvs_sec_config_hmac_t nvs_sec_config_hmac_scheme_data;

-#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID > 5
+#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID < 0
 #error "NVS Encryption (HMAC): Configured eFuse block (CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID) out of range!"
 #endif

--- a/components/nvs_sec_provider/nvs_sec_provider.c
+++ b/components/nvs_sec_provider/nvs_sec_provider.c
@ -107,7 +107,7 @@ ESP_SYSTEM_INIT_FN(nvs_sec_provider_register_flash_enc_scheme, SECONDARY, BIT(0)

 #if SOC_HMAC_SUPPORTED

-#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID > 5
+#if CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID < 0
 #error "NVS Encryption (HMAC): Configured eFuse block (CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID) out of range!"
 #endif

--- a/docs/en/api-reference/storage/nvs_encryption.rst
+++ b/docs/en/api-reference/storage/nvs_encryption.rst
@ -121,7 +121,7 @@ It is possible for an application to use different keys for different NVS partit

    .. note::

-        The valid range for the config :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` is from ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) to ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`). By default, the config is set to ``6`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY_MAX`), which have to be configured before building the user application.
+        The valid range for the config :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` is from ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) to ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`). By default, the config is set to ``-1``, which have to be configured before building the user application.

    - If no key is found, a key is generated internally and stored at the eFuse block specified at :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID`.
    - If a key is found with the purpose :cpp:enumerator:`esp_efuse_purpose_t::ESP_EFUSE_KEY_PURPOSE_HMAC_UP`, the same is used for the derivation of the XTS encryption keys.
--- a/docs/zh_CN/api-reference/storage/nvs_encryption.rst
+++ b/docs/zh_CN/api-reference/storage/nvs_encryption.rst
@ -121,7 +121,7 @@ NVS 密钥分区

    .. note::

-        :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 配置的有效范围为 ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) 到 ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`)。默认情况下该配置为 ``6`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY_MAX`)，须在构建用户应用程序之前进行修改。
+        :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 配置的有效范围为 ``0`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY0`) 到 ``5`` (:cpp:enumerator:`hmac_key_id_t::HMAC_KEY5`)。默认情况下该配置为 ``-1``，须在构建用户应用程序之前进行修改。

    - 如果找不到密钥，会内部生成一个密钥，并储存在 :ref:`CONFIG_NVS_SEC_HMAC_EFUSE_KEY_ID` 指定的 eFuse 块中。
    - 如果找到用于 :cpp:enumerator:`esp_efuse_purpose_t::ESP_EFUSE_KEY_PURPOSE_HMAC_UP` 的密钥，该密钥也会用于 XTS 加密密钥的生成。