Error Factory Partition using Flash Encryption/NVS Encryption

[leandropg]

I am developing a project that implemented a Matter device and it works well. I am using the branch release/v1.4

Now, the project plan uses the Pre-Provisioned Espressif service to obtain the Matter credentials preloaded into the chip. For this reason I prepared my code to use the ESP Secure Cert partition. I have generated the partition follow next steps in the documentation:

https://github.com/project-chip/connectedhomeip/blob/master/docs/platforms/esp32/secure_cert_partition.md

Additionally, I have generated the Factory partition where are stored all the details of the device. I have a minor issues, but all works as expected. The device runs the commission process as expected. I have checked all the keys stored in the Factory partition into the namespace chip-factory (discriminator, salt, vendor-name, etc.). I can read each key normally.

My partition table is very similar to the light example:

https://github.com/espressif/esp-matter/blob/main/examples/light/partitions.csv

All works fine with both partitions.

But, I have a problem when I enable Flash Encryption and NVS Encryption in the chip. In the moment that the code tries to open the commission window, it fails:

I - Opening commissioning window!
E - Failed to open commissioning window, err:201

The error isn't very clear. So, I have debugged the code and I have found that it fails when it tries to access to the first key into the Factory Partition. This line return error because it can't find the first key iteration-count into the Factory partition:

https://github.com/espressif/connectedhomeip/blob/9b8fffe0bb4e7ba7aac319f5905070a3476db7cb/src/app/server/CommissioningWindowManager.cpp#L290-L291

It returns the code error 0x1102. The key doesn't exist.

#define ESP_ERR_NVS_NOT_FOUND               (ESP_ERR_NVS_BASE + 0x02)  /*!< A requested entry couldn't be found or namespace doesn’t exist yet and mode is NVS_READONLY */

In the debug session, I have found that the namespace chip-factory exists, but it doesn't have any key.

I generate the Factory Partition using the command generate_esp32_chip_factory_bin.py.

I suspect that it's an incompatibility between the Factory partition generated in plain format and read in a encrypted because I have enabled NVS Encryption and in this part of the code, the NVS partition is open in a secure way using nvs_flash_secure_init_partition():

https://github.com/project-chip/connectedhomeip/blob/92ab620ef431c6d4d97233378a603e09f59f919c/src/platform/ESP32/ConfigurationManagerImpl.cpp#L98-L107

But the data into the Factory partition is loaded in plain text. I tried to flash it encrypted using the esptool.py command, but the results are the same.

I have tried to find in the documentation in the ESP32 Matter SDK or in a example that enable both features and Factory partition at the same time but I didn't find it.

I hope that you can guide me to find what is the real problem and how solve it. I need solve this problem before to send the device to the certification process.

Thanks in advance.

[shripad621git]

@leandropg, can you please confirm if you have followed the steps mentioned here .

[leandropg]

Thanks for the reply @shripad621git Yes, I have followed all the steps there, except by:

1. I can't find the partitions_encrypted.csv file, but I am using a similar partition table provided into the light example (https://github.com/espressif/esp-matter/blob/main/examples/light/partitions.csv) where you defined a NVS keys partition for the NVS Encryption keys and the factory partition as well:

esp_secure_cert,  0x3F, ,0xd000,    0x2000, encrypted
nvs,      data, nvs,     0x10000,   0xC000,
nvs_keys, data, nvs_keys,,          0x1000, encrypted
otadata,  data, ota,     ,          0x2000
phy_init, data, phy,     ,          0x1000,
ota_0,    app,  ota_0,   0x20000,   0x1E0000,
ota_1,    app,  ota_1,   0x200000,  0x1E0000,
fctry,    data, nvs,     0x3E0000,  0x6000

2. Related with run the script generate_esp32_chip_factory_bin.py, you must Provide -e option along with other options to generate the encrypted factory partition: However, I have two comments:

• I can't provide the option -e running the script generate_esp32_chip_factory_bin.py that generate the data encrypted. The reason is that you need provide the key used by the NVS encryption but you don't have access because the key is stored in the nvs_keys partition. It's the principle of use Flash Encryption-Based Scheme using auto generate keys by the ESP32-C6 chip itself.

• According the options of the script, you could use the option -e indicate the an EFUSE used to encrypted:

 -e, --encrypt         Encrypt the factory parititon NVS binary
 --efuse-key-id {0,1,2,3,4,5} Provide the efuse key_id which contains/will contain HMAC_KEY, default is 1

It implies that if you must implement the HMAC Peripheral-Based Scheme instead for encrypt the partition.

• I implemented the HMAC Peripheral-Based Scheme, but the Matter SDK throws next error in the logs and it doesn't start:

CONFIG_NVS_ENCRYPTION is enabled, but no partition with subtype nvs_keys found in the partition table.

This error is throw in this line:

https://github.com/project-chip/connectedhomeip/blob/2a68f6dfb1a374da8eb159135f69629f73f7e6f9/src/platform/ESP32/ConfigurationManagerImpl.cpp#L79

It means that the SDK expects use Flash Encryption-Based Scheme. So I don't have more options-

In summary, I understand that the issue is that I generate the partition in plain format, but how the NVS Encryption is enabled it expects the data partition is encrypted, but I am not sure how generate the factory partition encrypted without access to the key.