Merge branch 'fix/coverity_reports_security' into 'master'

mahavirj · mahavirj · commit 4e072b3f8a51 · 2025-02-12T12:34:19.000+08:00
fix(security): Fixed coverity warnings from `nvs_sec_provider` and `esp_tee` components

Closes IDF-12190, IDF-12194, and IDF-12197

See merge request espressif/esp-idf!36721
diff --git a/components/esp_tee/subproject/main/common/panic/panic_helper_riscv.c b/components/esp_tee/subproject/main/common/panic/panic_helper_riscv.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -113,34 +113,26 @@ void panic_print_isrcause(const void *f, int core)
 {
     RvExcFrame *regs = (RvExcFrame *) f;
 
-    /* Please keep in sync with PANIC_RSN_* defines */
-    static const char *pseudo_reason[] = {
-        "Unknown reason",
-        "Interrupt wdt timeout on CPU0",
-        "Interrupt wdt timeout on CPU1",
-        "Cache error",
-    };
-
     const void *addr = (void *) regs->mepc;
-    const char *rsn = pseudo_reason[0];
+    const char *rsn = "Unknown reason";
 
     /* The mcause has been set by the CPU when the panic occurred.
      * All SoC-level panic will call this function, thus, this register
      * lets us know which error was triggered. */
-    if (regs->mcause == ETS_CACHEERR_INUM) {
-        /* Panic due to a cache error, multiple cache error are possible,
-         * assign function print_cache_err_details to our structure's
-         * details field. As its name states, it will give more details
-         * about why the error happened. */
-        rsn = pseudo_reason[PANIC_RSN_CACHEERR];
-    } else if (regs->mcause == ETS_INT_WDT_INUM) {
-        /* Watchdog interrupt occurred, get the core on which it happened
-         * and update the reason/message accordingly. */
-#if SOC_CPU_NUM > 1
-        _Static_assert(PANIC_RSN_INTWDT_CPU0 + 1 == PANIC_RSN_INTWDT_CPU1,
-                       "PANIC_RSN_INTWDT_CPU1 must be equal to PANIC_RSN_INTWDT_CPU0 + 1");
+    switch (regs->mcause) {
+    case ETS_CACHEERR_INUM:
+        rsn = "Cache error";
+        break;
+    case PANIC_RSN_INTWDT_CPU0:
+        rsn = "Interrupt wdt timeout on CPU0";
+        break;
+#if SOC_CPU_CORES_NUM > 1
+    case PANIC_RSN_INTWDT_CPU1:
+        rsn = "Interrupt wdt timeout on CPU1";
+        break;
 #endif
-        rsn = pseudo_reason[PANIC_RSN_INTWDT_CPU0 + core];
+    default:
+        break;
     }
 
     const char *desc = "Exception was unhandled.";
diff --git a/examples/security/nvs_encryption_hmac/main/main.c b/examples/security/nvs_encryption_hmac/main/main.c
@@ -1,7 +1,7 @@
 /*
  * NVS Encryption with HMAC-based encryption key protection scheme example
  *
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -39,14 +39,7 @@ static esp_err_t example_custom_nvs_part_init(const char *label)
     esp_err_t ret = ESP_FAIL;
 #if defined(CONFIG_NVS_ENCRYPTION) && defined(CONFIG_NVS_SEC_KEY_PROTECT_USING_HMAC)
     nvs_sec_cfg_t cfg = {};
-    nvs_sec_scheme_t *sec_scheme_handle = NULL;
-
-    nvs_sec_config_hmac_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_HMAC_DEFAULT();
-
-    ret = nvs_sec_provider_register_hmac(&sec_scheme_cfg, &sec_scheme_handle);
-    if (ret != ESP_OK) {
-        return ret;
-    }
+    nvs_sec_scheme_t *sec_scheme_handle = nvs_flash_get_default_security_scheme();
 
     ret = nvs_flash_read_security_cfg_v2(sec_scheme_handle, &cfg);
     if (ret != ESP_OK) {
diff --git a/examples/security/security_features_app/main/security_features_app_main.c b/examples/security/security_features_app/main/security_features_app_main.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Unlicense OR CC0-1.0
  */
@@ -72,12 +72,7 @@ static esp_err_t example_custom_nvs_part_init(const char *name)
 #if CONFIG_NVS_ENCRYPTION
     esp_err_t ret = ESP_FAIL;
     nvs_sec_cfg_t cfg = {};
-    nvs_sec_scheme_t *sec_scheme_handle = NULL;
-    nvs_sec_config_hmac_t sec_scheme_cfg = NVS_SEC_PROVIDER_CFG_HMAC_DEFAULT();
-    ret = nvs_sec_provider_register_hmac(&sec_scheme_cfg, &sec_scheme_handle);
-    if (ret != ESP_OK) {
-        return ret;
-    }
+    nvs_sec_scheme_t *sec_scheme_handle = nvs_flash_get_default_security_scheme();
 
     ret = nvs_flash_read_security_cfg_v2(sec_scheme_handle, &cfg);
     if (ret != ESP_OK) {
