To use this utility in encryption mode, the following packages need to be installed:
- cryptography package
-This dependency is already captured by including these packages in `requirement.txt` in top level IDF directory.
+These dependencies is already captured by including these packages in `requirement.txt` in top level IDF directory.
CSV file format
---------------
Encoding
Supported values are: ``u8``, ``i8``, ``u16``, ``u32``, ``i32``, ``string``, ``hex2bin``, ``base64`` and ``binary``. This specifies how actual data values are encoded in the resultant binary file. Difference between ``string`` and ``binary`` encoding is that ``string`` data is terminated with a NULL character, whereas ``binary`` data is not.
- .. note:: For ``file`` type, only ``hex2bin``, ``base64``, ``string`` and ``binary`` is supported as of now.
+.. note:: For ``file`` type, only ``hex2bin``, ``base64``, ``string`` and ``binary`` is supported as of now.
Value
Data value.
key1,data,u8,1
key2,file,string,/path/to/file
-.. note:: Make sure there are no spaces before and after ',' in CSV file.
+.. note:: Make sure there are no spaces before and after ',' or at the end of each line in CSV file.
NVS Entry and Namespace association
-----------------------------------
python nvs_partition_gen.py [-h] [--input INPUT] [--output OUTPUT]
[--size SIZE] [--version {v1,v2}]
[--keygen {true,false}] [--encrypt {true,false}]
- [--keyfile KEYFILE]
+ [--keyfile KEYFILE] [--outdir OUTDIR]
+------------------------+----------------------------------------------------------------------------------------------+
+------------------------+----------------------------------------------------------------------------------------------+
| --version {v1,v2} | Set version. Default: v2 |
+------------------------+----------------------------------------------------------------------------------------------+
-| --keygen {true,false} | Generate keys for encryption. Creates an `encryption_keys.bin` file (in current directory). |
-| | Default: false |
+| --keygen {true,false} | Generate keys for encryption. |
+------------------------+----------------------------------------------------------------------------------------------+
| --encrypt {true,false} | Set encryption mode. Default: false |
+------------------------+----------------------------------------------------------------------------------------------+
| --keyfile KEYFILE | File having key for encryption (Applicable only if encryption mode is true) |
+------------------------+----------------------------------------------------------------------------------------------+
-
-
+| --outdir OUTDIR | The output directory to store the files created (Default: current directory) |
++------------------------+----------------------------------------------------------------------------------------------+
You can run this utility in two modes:
- Default mode - Binary generated in this mode is an unencrypted binary file.
python nvs_partition_gen.py [-h] --input INPUT --output OUTPUT
--size SIZE [--version {v1,v2}]
[--keygen {true,false}] [--encrypt {true,false}]
- [--keyfile KEYFILE]
+ [--keyfile KEYFILE] [--outdir OUTDIR]
You can run the utility using below command::
python nvs_partition_gen.py [-h] --input INPUT --output OUTPUT
--size SIZE --encrypt {true,false}
- --keygen {true,false} | --keyfile KEYFILE
- [--version {v1,v2}]
+ --keygen {true,false} --keyfile KEYFILE
+ [--version {v1,v2}] [--outdir OUTDIR]
You can run the utility using below commands:
+ - By enabling generation of encryption keys::
+
+ python nvs_partition_gen.py --input sample.csv --output sample_encrypted.bin --size 0x3000 --encrypt true --keygen true
+
- By taking encryption keys as an input file. A sample encryption keys binary file is provided with the utility::
python nvs_partition_gen.py --input sample.csv --output sample_encrypted.bin --size 0x3000 --encrypt true --keyfile testdata/sample_encryption_keys.bin
- - By enabling generation of encryption keys::
+ - By enabling generation of encryption keys and storing the keys in custom filename::
- python nvs_partition_gen.py --input sample.csv --output sample_encrypted.bin --size 0x3000 --encrypt true --keygen true
+ python nvs_partition_gen.py --input sample.csv --output sample_encrypted.bin --size 0x3000 --encrypt true --keygen true --keyfile encryption_keys_generated.bin
+.. note:: If `--keygen` is given with `--keyfile` argument, generated keys will be stored in `--keyfile` file. If `--keygen` argument is absent, `--keyfile` is taken as input file having key for encryption.
-*To generate* **only** *encryption keys with this utility* ( Creates an `encryption_keys.bin` file in current directory ): ::
+*To generate* **only** *encryption keys with this utility*::
python nvs_partition_gen.py --keygen true
-.. note:: This `encryption_keys.bin` file is compatible with NVS key-partition structure. Refer to :ref:`nvs_key_partition` for more details.
+This creates an `encryption_keys_<timestamp>.bin` file.
+.. note:: This newly created file having encryption keys in `keys/` directory is compatible with NVS key-partition structure. Refer to :ref:`nvs_key_partition` for more details.
You can also provide the format version number (in any of the two modes):
- Utility doesn't check for duplicate keys and will write data pertaining to both keys. User needs to make sure keys are distinct.
- Once a new page is created, no data will be written in the space left in previous page. Fields in the CSV file need to be ordered in such a way so as to optimize memory.
- 64-bit datatype is not yet supported.
+
import csv
import zlib
import codecs
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
-from cryptography.hazmat.backends import default_backend
+import datetime
+import distutils.dir_util
+try:
+ from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
+ from cryptography.hazmat.backends import default_backend
+except ImportError:
+ print("cryptography package needs to be installed.\nRun: pip install cryptography>=2.1.4")
+ sys.exit(0)
VERSION1_PRINT = "v1 - Multipage Blob Support Disabled"
VERSION2_PRINT = "v2 - Multipage Blob Support Enabled"
def check_input_args(input_filename=None, output_filename=None, input_part_size=None, is_key_gen=None,
- encrypt_mode=None, key_file=None, version_no=None, print_arg_str=None, print_encrypt_arg_str=None):
+ encrypt_mode=None, key_file=None, version_no=None, print_arg_str=None, print_encrypt_arg_str=None,
+ output_dir=None):
global version, is_encrypt_data, input_size, key_gen
key_gen = is_key_gen
input_size = input_part_size
+ if not output_dir == os.getcwd() and (key_file and os.path.isabs(key_file)):
+ sys.exit("Error. Cannot provide --outdir argument as --keyfile is absolute path.")
+
+ if not os.path.isdir(output_dir):
+ distutils.dir_util.mkpath(output_dir)
+
if is_encrypt_data.lower() == 'true':
is_encrypt_data = True
elif is_encrypt_data.lower() == 'false':
elif any(arg is not None for arg in [input_filename, output_filename, input_size]):
sys.exit(print_arg_str)
else:
- if not input_size:
- if not all(arg is not None for arg in [input_filename, output_filename]):
- sys.exit(print_arg_str)
+ if not (input_filename and output_filename and input_size):
+ sys.exit(print_arg_str)
- if is_encrypt_data and not key_gen and not key_file:
- sys.exit(print_encrypt_arg_str)
+ if is_encrypt_data and not key_gen and not key_file:
+ sys.exit(print_encrypt_arg_str)
- if is_encrypt_data and key_gen and key_file:
- sys.exit(print_encrypt_arg_str)
+ if not is_encrypt_data and key_file:
+ sys.exit("Invalid. Cannot give --keyfile as --encrypt is set to false.")
- if not is_encrypt_data and key_file:
- sys.exit("Invalid. Cannot give --keyfile as --encrypt is set to false.")
+ if key_file:
+ key_file_name, key_file_ext = os.path.splitext(key_file)
+ if key_file_ext:
+ if not key_file_ext == '.bin':
+ sys.exit("--keyfile argument can be a filename with no extension or .bin extension only")
+
+ # If only one of the arguments - input_filename, output_filename, input_size is given
+ if ((any(arg is None for arg in [input_filename, output_filename, input_size])) is True) and \
+ ((all(arg is None for arg in [input_filename, output_filename, input_size])) is False):
+ sys.exit(print_arg_str)
if input_size:
# Set size
sys.exit("Minimum NVS partition size needed is 0x3000 bytes.")
-def nvs_part_gen(input_filename=None, output_filename=None, input_part_size=None, is_key_gen=None, encrypt_mode=None, key_file=None, version_no=None):
+def nvs_part_gen(input_filename=None, output_filename=None, input_part_size=None, is_key_gen=None, encrypt_mode=None,
+ key_file=None, encr_key_prefix=None, version_no=None, output_dir=None):
""" Wrapper to generate nvs partition binary
:param input_filename: Name of input file containing data
"""
global key_input, key_len_needed
+ encr_key_bin_file = None
+ encr_keys_dir = None
+ backslash = ['/','\\']
key_len_needed = 64
key_input = bytearray()
key_input = key_f.read(64)
if all(arg is not None for arg in [input_filename, output_filename, input_size]):
+ if not os.path.isabs(output_filename) and not any(ch in output_filename for ch in backslash):
+ output_filename = os.path.join(output_dir, '') + output_filename
input_file = open(input_filename, 'rt', encoding='utf8')
output_file = open(output_filename, 'wb')
input_file.close()
output_file.close()
+ print("NVS binary created: " + output_filename)
+
if key_gen:
keys_page_buf = bytearray(b'\xff') * Page.PAGE_PARAMS["max_size"]
key_bytes = bytearray()
crc_data = bytes(crc_data)
crc = zlib.crc32(crc_data, 0xFFFFFFFF)
struct.pack_into('<I', keys_page_buf, key_len, crc & 0xFFFFFFFF)
- with open("encryption_keys.bin",'wb') as output_keys_file:
+
+ if not key_file or (key_file and not os.path.isabs(key_file)):
+ # Create encryption keys bin file with timestamp
+ if not encr_key_prefix:
+ timestamp = datetime.datetime.now().strftime('%m-%d_%H-%M')
+ output_dir = os.path.join(output_dir, '')
+ encr_keys_dir = output_dir + "keys"
+ if not os.path.isdir(encr_keys_dir):
+ distutils.dir_util.mkpath(encr_keys_dir)
+
+ # Add backslash to `keys` dir if it is not present
+ encr_keys_dir = os.path.join(encr_keys_dir, '')
+
+ if key_file:
+ key_file_name, ext = os.path.splitext(key_file)
+ if ext:
+ if ".bin" not in ext:
+ sys.exit("Error: --keyfile must have .bin extension")
+ encr_key_bin_file = os.path.basename(key_file)
+ else:
+ encr_key_bin_file = key_file_name + ".bin"
+ if encr_keys_dir:
+ encr_key_bin_file = encr_keys_dir + encr_key_bin_file
+ else:
+ if encr_key_prefix:
+ encr_key_bin_file = encr_keys_dir + encr_key_prefix + "-keys" + ".bin"
+ else:
+ encr_key_bin_file = encr_keys_dir + "encryption_keys_" + timestamp + ".bin"
+
+ with open(encr_key_bin_file,'wb') as output_keys_file:
output_keys_file.write(keys_page_buf)
- print("Binary created.")
+ print("Encryption keys binary created: " + encr_key_bin_file)
def main():
parser = argparse.ArgumentParser(description="ESP32 NVS partition generation utility")
nvs_part_gen_group = parser.add_argument_group('To generate NVS partition')
- nvs_part_gen_group.add_argument(
- "--input",
- help="Path to CSV file to parse.",
- default=None)
-
- nvs_part_gen_group.add_argument(
- "--output",
- help='Path to output converted binary file.',
- default=None)
-
- nvs_part_gen_group.add_argument(
- "--size",
- help='Size of NVS Partition in bytes (must be multiple of 4096)')
-
- nvs_part_gen_group.add_argument(
- "--version",
- help='Set version. Default: v2',
- choices=['v1','v2'],
- default='v2',
- type=str.lower)
-
- keygen_action = nvs_part_gen_group.add_argument(
- "--keygen",
- help='Generate keys for encryption. Creates an `encryption_keys.bin` file. Default: false',
- choices=['true','false'],
- default='false',
- type=str.lower)
-
- nvs_part_gen_group.add_argument(
- "--encrypt",
- help='Set encryption mode. Default: false',
- choices=['true','false'],
- default='false',
- type=str.lower)
-
- nvs_part_gen_group.add_argument(
- "--keyfile",
- help='File having key for encryption (Applicable only if encryption mode is true)',
- default=None)
+ nvs_part_gen_group.add_argument("--input",
+ help="Path to CSV file to parse.",
+ default=None)
+
+ nvs_part_gen_group.add_argument("--output",
+ help='Path to output converted binary file.',
+ default=None)
+
+ nvs_part_gen_group.add_argument("--size",
+ help='Size of NVS Partition in bytes (must be multiple of 4096)')
+
+ nvs_part_gen_group.add_argument("--version",
+ help='Set version. Default: v2',
+ choices=['v1','v2'],
+ default='v2',
+ type=str.lower)
+
+ keygen_action_key = nvs_part_gen_group.add_argument("--keygen",
+ help='Generate keys for encryption.',
+ choices=['true','false'],
+ default='false',
+ type=str.lower)
+
+ nvs_part_gen_group.add_argument("--encrypt",
+ help='Set encryption mode. Default: false',
+ choices=['true','false'],
+ default='false',
+ type=str.lower)
+
+ keygen_action_file = nvs_part_gen_group.add_argument("--keyfile",
+ help='File having key for encryption (Applicable only if encryption mode is true).',
+ default=None)
+
+ keygen_action_dir = nvs_part_gen_group.add_argument('--outdir',
+ dest='outdir',
+ default=os.getcwd(),
+ help='the output directory to store the files created\
+ (Default: current directory)')
key_gen_group = parser.add_argument_group('To generate encryption keys')
- key_gen_group._group_actions.append(keygen_action)
+ key_gen_group._group_actions.append(keygen_action_key)
+ key_gen_group._group_actions.append(keygen_action_file)
+ key_gen_group._group_actions.append(keygen_action_dir)
args = parser.parse_args()
input_filename = args.input
is_key_gen = args.keygen
is_encrypt_data = args.encrypt
key_file = args.keyfile
+ output_dir_path = args.outdir
+ encr_keys_prefix = None
- print_arg_str = "Invalid.\nTo generate nvs partition binary --input, --output and --size arguments are mandatory.\n \
- To generate encryption keys --keygen argument is mandatory."
+ print_arg_str = "Invalid.\nTo generate nvs partition binary --input, --output and --size arguments are mandatory.\
+ \nTo generate encryption keys --keygen argument is mandatory."
print_encrypt_arg_str = "Missing parameter. Enter --keyfile or --keygen."
- check_input_args(input_filename,output_filename, part_size, is_key_gen, is_encrypt_data, key_file, version_no, print_arg_str, print_encrypt_arg_str)
- nvs_part_gen(input_filename, output_filename, part_size, is_key_gen, is_encrypt_data, key_file, version_no)
+ check_input_args(input_filename,output_filename, part_size, is_key_gen, is_encrypt_data, key_file, version_no,
+ print_arg_str, print_encrypt_arg_str, output_dir_path)
+ nvs_part_gen(input_filename, output_filename, part_size, is_key_gen, is_encrypt_data, key_file,
+ encr_keys_prefix, version_no, output_dir_path)
if __name__ == "__main__":
#include <sstream>
#include <iostream>
#include <fstream>
+#include <dirent.h>
#include <unistd.h>
#include <sys/wait.h>
+#include <string.h>
#define TEST_ESP_ERR(rc, res) CHECK((rc) == (res))
#define TEST_ESP_OK(rc) CHECK((rc) == ESP_OK)
{
int childpid = fork();
int status;
- if (childpid == 0) {
- exit(execlp("python", "python",
- "../nvs_partition_generator/nvs_partition_gen.py",
- "--input",
- "../nvs_partition_generator/sample_multipage_blob.csv",
- "--output",
- "../nvs_partition_generator/partition_encrypted_using_keygen.bin",
- "--size",
- "0x4000",
- "--encrypt",
- "True",
- "--keygen",
- "true",NULL));
+ if (childpid == 0) {
+ exit(execlp("rm", " rm",
+ "-rf",
+ "keys",NULL));
} else {
CHECK(childpid > 0);
waitpid(childpid, &status, 0);
CHECK(WEXITSTATUS(status) != -1);
+
+ childpid = fork();
+ if (childpid == 0) {
+ exit(execlp("python", "python",
+ "../nvs_partition_generator/nvs_partition_gen.py",
+ "--input",
+ "../nvs_partition_generator/sample_multipage_blob.csv",
+ "--output",
+ "../nvs_partition_generator/partition_encrypted_using_keygen.bin",
+ "--size",
+ "0x4000",
+ "--encrypt",
+ "True",
+ "--keygen",
+ "true",NULL));
+
+ } else {
+ CHECK(childpid > 0);
+ waitpid(childpid, &status, 0);
+ CHECK(WEXITSTATUS(status) != -1);
+
+ }
+ }
+
+
+ DIR *dir;
+ struct dirent *file;
+ char *filename;
+ char *files;
+ char *file_ext;
+
+ dir = opendir("keys");
+ while ((file = readdir(dir)) != NULL)
+ {
+ filename = file->d_name;
+ files = strrchr(filename, '.');
+ if (files != NULL)
+ {
+ file_ext = files+1;
+ if (strncmp(file_ext,"bin",3) == 0)
+ {
+ break;
+ }
+ }
}
+ std::string encr_file = std::string("keys/") + std::string(filename);
SpiFlashEmulator emu("../nvs_partition_generator/partition_encrypted_using_keygen.bin");
char buffer[64];
FILE *fp;
- fp = fopen("encryption_keys.bin","rb");
+ fp = fopen(encr_file.c_str(),"rb");
fread(buffer,sizeof(buffer),1,fp);
fclose(fp);
check_nvs_part_gen_args(NVS_DEFAULT_PART_NAME, 4, "../nvs_partition_generator/testdata/sample_multipage_blob.bin", true, &cfg);
-
}
TEST_CASE("test nvs apis for nvs partition generator utility with encryption enabled using keyfile", "[nvs_part_gen]")
{
int childpid = fork();
int status;
- if (childpid == 0) {
+
+ DIR *dir;
+ struct dirent *file;
+ char *filename;
+ char *files;
+ char *file_ext;
+
+ dir = opendir("keys");
+ while ((file = readdir(dir)) != NULL)
+ {
+ filename = file->d_name;
+ files = strrchr(filename, '.');
+ if (files != NULL)
+ {
+ file_ext = files+1;
+ if (strncmp(file_ext,"bin",3) == 0)
+ {
+ break;
+ }
+ }
+ }
+
+ std::string encr_file = std::string("keys/") + std::string(filename);
+
+ if (childpid == 0) {
exit(execlp("python", "python",
"../nvs_partition_generator/nvs_partition_gen.py",
"--input",
"--encrypt",
"True",
"--keyfile",
- "encryption_keys.bin",NULL));
+ encr_file.c_str(),NULL));
} else {
CHECK(childpid > 0);
char buffer[64];
FILE *fp;
- fp = fopen("encryption_keys.bin","rb");
+ fp = fopen(encr_file.c_str(),"rb");
fread(buffer,sizeof(buffer),1,fp);
fclose(fp);
childpid = fork();
if (childpid == 0) {
exit(execlp("rm", " rm",
- "encryption_keys.bin",NULL));
+ "-rf",
+ "keys",NULL));
} else {
CHECK(childpid > 0);
waitpid(childpid, &status, 0);