feat(doc): Adds note for parttool that if SB or FE are on
Use "--esptool-erase-args=force" to ignore the esptool error
This commit is contained in:
Konstantin Kondrashov
@@ -66,6 +66,10 @@ The XTS encryption keys in the :ref:`nvs_encr_key_partition` can be generated in
|
||||
|
||||
parttool.py --port PORT --partition-table-file=PARTITION_TABLE_FILE --partition-table-offset PARTITION_TABLE_OFFSET erase_partition --partition-type=data --partition-subtype=nvs_keys
|
||||
|
||||
# If Flash Encryption or Secure Boot are enabled then add "--esptool-erase-args=force" to suppress the error:
|
||||
# "Active security features detected, erasing flash is disabled as a safety measure. Use --force to override ..."
|
||||
parttool.py --port PORT --esptool-erase-args=force --partition-table-file=PARTITION_TABLE_FILE --partition-table-offset PARTITION_TABLE_OFFSET erase_partition --partition-type=data --partition-subtype=nvs_keys
|
||||
|
||||
**Use a pre-generated NVS key partition**
|
||||
|
||||
This option will be required by the user when keys in the :ref:`nvs_encr_key_partition` are not generated by the application. The :ref:`nvs_encr_key_partition` containing the XTS encryption keys can be generated with the help of :doc:`NVS Partition Generator Utility </api-reference/storage/nvs_partition_gen>`. Then the user can store the pre-generated key partition on the flash with help of the following two commands:
|
||||
@@ -80,12 +84,20 @@ The XTS encryption keys in the :ref:`nvs_encr_key_partition` can be generated in
|
||||
|
||||
parttool.py --port PORT --partition-table-offset PARTITION_TABLE_OFFSET write_partition --partition-name="name of nvs_key partition" --input NVS_KEY_PARTITION_FILE
|
||||
|
||||
# If Flash Encryption or Secure Boot are enabled then add "--esptool-erase-args=force" to suppress the error:
|
||||
# "Active security features detected, erasing flash is disabled as a safety measure. Use --force to override ..."
|
||||
parttool.py --port PORT --esptool-erase-args=force --partition-table-offset PARTITION_TABLE_OFFSET write_partition --partition-name="name of nvs_key partition" --input NVS_KEY_PARTITION_FILE
|
||||
|
||||
.. note::
|
||||
If the device is encrypted in flash encryption development mode and you want to renew the NVS key partition, you need to tell :component_file:`parttool.py<partition_table/parttool.py>` to encrypt the NVS key partition and you also need to give it a pointer to the unencrypted partition table in your build directory (build/partition_table) since the partition table on the device is encrypted, too. You can use the following command:
|
||||
::
|
||||
|
||||
parttool.py --esptool-write-args encrypt --port PORT --partition-table-file=PARTITION_TABLE_FILE --partition-table-offset PARTITION_TABLE_OFFSET write_partition --partition-name="name of nvs_key partition" --input NVS_KEY_PARTITION_FILE
|
||||
|
||||
# If Flash Encryption or Secure Boot are enabled then add "--esptool-erase-args=force" to suppress the error:
|
||||
# "Active security features detected, erasing flash is disabled as a safety measure. Use --force to override ..."
|
||||
parttool.py --esptool-erase-args=force --esptool-write-args encrypt --port PORT --partition-table-file=PARTITION_TABLE_FILE --partition-table-offset PARTITION_TABLE_OFFSET write_partition --partition-name="name of nvs_key partition" --input NVS_KEY_PARTITION_FILE
|
||||
|
||||
Since the key partition is marked as ``encrypted`` and :doc:`Flash Encryption <../../security/flash-encryption>` is enabled, the bootloader will encrypt this partition using flash encryption key on the first boot.
|
||||
|
||||
It is possible for an application to use different keys for different NVS partitions and thereby have multiple key-partitions. However, it is a responsibility of the application to provide the correct key-partition and keys for encryption or decryption.
|
||||
|
||||
Reference in New Issue
Block a user