nvs: add config to ignore "encrypted" flag of nvs partitions

This is to allow having pre IDF v4.3 behavior where "encrypted" flag was not being checked for NVS partitions. It is recommended to enable this new config only if you have production devices where NVS partition was being set with "encrypted" flag by mistake. Please see commit aca9ec2 which introduced check to not allow NVS partitions with "encrypted" flag set. More discussion on this at: espressif#5747 (comment) espressif#7839 (comment) Closes espressif#7839 Closes IDFGH-6162
zoonman · Nov 11, 2021 · e67128d · e67128d
1 parent 86fbe68
commit e67128d
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/components/nvs_flash/Kconfig b/components/nvs_flash/Kconfig
@@ -9,4 +9,15 @@ menu "NVS"
             the complete NVS data, except the page headers. It requires XTS encryption keys
             to be stored in an encrypted partition. This means enabling flash encryption is
             a pre-requisite for this feature.
+
+    config NVS_COMPATIBLE_PRE_V4_3_ENCRYPTION_FLAG
+        bool "NVS partition encrypted flag compatible with ESP-IDF before v4.3"
+        depends on SECURE_FLASH_ENC_ENABLED
+        help
+            Enabling this will ignore "encrypted" flag for NVS partitions. NVS encryption
+            scheme is different than hardware flash encryption and hence it is not recommended
+            to have "encrypted" flag for NVS partitions. This was not being checked in pre v4.3
+            IDF. Hence, if you have any devices where this flag is kept enabled in partition
+            table then enabling this config will allow to have same behavior as pre v4.3 IDF.
+
 endmenu
diff --git a/components/spi_flash/partition.c b/components/spi_flash/partition.c
@@ -229,6 +229,15 @@ static esp_err_t load_partitions(void)
             item->info.encrypted = true;
         }
 
+#if CONFIG_NVS_COMPATIBLE_PRE_V4_3_ENCRYPTION_FLAG
+        if (entry.type == ESP_PARTITION_TYPE_DATA &&
+                    entry.subtype == ESP_PARTITION_SUBTYPE_DATA_NVS &&
+                    (entry.flags & PART_FLAG_ENCRYPTED)) {
+            ESP_LOGI(TAG, "Ignoring encrypted flag for \"%s\" partition", entry.label);
+            item->info.encrypted = false;
+        }
+#endif
+
         // item->info.label is initialized by calloc, so resulting string will be null terminated
         strncpy(item->info.label, (const char*) entry.label, sizeof(item->info.label) - 1);