mirror
/
esp-idf
kopia lustrzana https://github.com/espressif/esp-idf
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

Merge branch 'feature/add_key_manager_hw_support' into 'master' 

Feature/add key manager hw support

Closes IDF-7925 and IDF-8041

See merge request espressif/esp-idf!26328
pull/13090/head
Mahavir Jain 2024-01-23 17:11:05 +08:00
rodzic dd1c1279ef 4dc2ace0b7
commit 09c9001895
24 zmienionych plików z 1205 dodań i 89 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

12
components/bootloader_support/src/flash_encryption/flash_encrypt.c
Wyświetl plik

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -16,8 +16,8 @@
#include "esp_log.h"
#include "hal/wdt_hal.h"
#if CONFIG_IDF_TARGET_ESP32P4 //TODO-IDF-7925
#include "soc/keymng_reg.h"
#if SOC_KEY_MANAGER_SUPPORTED
#include "hal/key_mgr_hal.h"
#endif
#ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK
@ -214,12 +214,6 @@ static esp_err_t check_and_generate_encryption_keys(void)
}
ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse");
}
#if CONFIG_IDF_TARGET_ESP32P4 //TODO - IDF-7925
// Force Key Manager to use eFuse key for XTS-AES operation
REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
#endif
return ESP_OK;
}

4
components/esp_hw_support/CMakeLists.txt
Wyświetl plik

@ -121,6 +121,10 @@ if(NOT BOOTLOADER_BUILD)
list(APPEND srcs "esp_ds.c")
endif()
if(CONFIG_SOC_KEY_MANAGER_SUPPORTED)
list(APPEND srcs "esp_key_mgr.c")
endif()
if(CONFIG_SOC_PAU_SUPPORTED)
list(APPEND srcs "port/pau_regdma.c"
"port/regdma_link.c")

711
components/esp_hw_support/esp_key_mgr.c 100644
Wyświetl plik

@ -0,0 +1,711 @@
/*
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
// The Hardware Support layer for Key manager
#include <string.h>
#include <sys/lock.h>
#include "assert.h"
#include "esp_key_mgr.h"
#include "esp_private/periph_ctrl.h"
#include "esp_crypto_lock.h"
#include "esp_log.h"
#include "esp_err.h"
#include "esp_random.h"
#include "esp_heap_caps.h"
#include "esp_rom_crc.h"
#include "freertos/FreeRTOS.h"
#include "freertos/semphr.h"
#include "hal/key_mgr_types.h"
#include "hal/key_mgr_hal.h"
#include "hal/key_mgr_ll.h"
#include "hal/huk_types.h"
#include "hal/huk_hal.h"
#include "rom/key_mgr.h"
#if CONFIG_LOG_DEFAULT_LEVEL_VERBOSE
#include "soc/huk_reg.h"
#include "soc/keymng_reg.h"
#endif
static const char *TAG = "esp_key_mgr";
#define KEY_MANAGER_RCC_ATOMIC() PERIPH_RCC_ATOMIC()
static _lock_t s_key_mgr_ecdsa_key_lock;
static _lock_t s_key_mgr_xts_aes_key_lock;
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)");
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)");
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)");
static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type)
{
switch (key_type) {
case ESP_KEY_MGR_ECDSA_KEY:
_lock_acquire(&s_key_mgr_ecdsa_key_lock);
break;
case ESP_KEY_MGR_XTS_AES_128_KEY:
case ESP_KEY_MGR_XTS_AES_256_KEY:
_lock_acquire(&s_key_mgr_xts_aes_key_lock);
break;
}
}
static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type)
{
switch (key_type) {
case ESP_KEY_MGR_ECDSA_KEY:
_lock_release(&s_key_mgr_xts_aes_key_lock);
break;
case ESP_KEY_MGR_XTS_AES_128_KEY:
case ESP_KEY_MGR_XTS_AES_256_KEY:
_lock_release(&s_key_mgr_ecdsa_key_lock);
break;
}
}
static void esp_key_mgr_acquire_hardware(void)
{
esp_crypto_key_manager_lock_acquire();
// Reset the Key Manager Clock
KEY_MANAGER_RCC_ATOMIC() {
key_mgr_ll_enable_bus_clock(true);
key_mgr_ll_reset_register();
}
}
static void esp_key_mgr_release_hardware(void)
{
esp_crypto_key_manager_lock_release();
// Reset the Key Manager Clock
KEY_MANAGER_RCC_ATOMIC() {
key_mgr_ll_enable_bus_clock(false);
key_mgr_ll_reset_register();
}
}
static void key_mgr_wait_for_state(esp_key_mgr_state_t state)
{
while (key_mgr_hal_get_state() != state) {
;
}
}
typedef struct aes_deploy {
esp_key_mgr_key_purpose_t key_purpose;
const uint8_t *k1_encrypted;
const esp_key_mgr_aes_key_config_t *key_config;
esp_key_mgr_key_recovery_info_t *key_info;
} aes_deploy_config_t;
static void check_huk_risk_level(void)
{
uint8_t huk_risk_level = huk_hal_get_risk_level();
if (huk_risk_level > KEY_MGR_HUK_RISK_ALERT_LEVEL) {
ESP_LOGE(TAG, "HUK Risk level too high (level %d)\n"
"It is recommended to immediately regenerate HUK in order"
"to avoid permenantly losing the deployed keys", huk_risk_level);
} else {
ESP_LOGI(TAG, "HUK Risk level - %d within acceptable limit (%d)", huk_risk_level, KEY_MGR_HUK_RISK_ALERT_LEVEL);
}
}
static bool check_huk_validity(const esp_key_mgr_huk_info_t *huk_info)
{
uint32_t calc_crc = esp_rom_crc32_le(0, huk_info->info, KEY_MGR_HUK_INFO_SIZE);
if (calc_crc != huk_info->crc) {
ESP_LOGE(TAG, "Calculated CRC for HUK %lX does not match with %lX", calc_crc, huk_info->crc);
return false;
}
return true;
}
static bool check_key_info_validity(const esp_key_mgr_key_info_t *key_info)
{
uint32_t calc_crc = esp_rom_crc32_le(0, key_info->info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
if (calc_crc != key_info->crc) {
ESP_LOGE(TAG, "Calculated CRC for Key info %lX does not match with %lX", calc_crc, key_info->crc);
return false;
}
return true;
}
typedef struct {
bool use_pre_generated_huk_info;
const esp_key_mgr_huk_info_t *pre_generated_huk_info;
esp_key_mgr_huk_info_t *huk_recovery_info;
} huk_deploy_config_t;
static esp_err_t deploy_huk(huk_deploy_config_t *config)
{
esp_err_t esp_ret = ESP_FAIL;
uint8_t *huk_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_HUK_INFO_SIZE, MALLOC_CAP_INTERNAL);
if (!huk_recovery_info) {
return ESP_ERR_NO_MEM;
}
if (config->use_pre_generated_huk_info) {
// If HUK info is provided then recover the HUK from given info
check_huk_risk_level();
if (!check_huk_validity(config->pre_generated_huk_info)) {
ESP_LOGE(TAG, "HUK info is not valid");
heap_caps_free(huk_recovery_info);
return ESP_ERR_INVALID_ARG;
}
memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE);
ESP_LOGI(TAG, "Recovering key from given HUK recovery info");
esp_ret = huk_hal_configure(ESP_HUK_MODE_RECOVERY, huk_recovery_info);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to recover HUK");
heap_caps_free(huk_recovery_info);
return esp_ret;
}
// Copy the pre generated huk info in the output key recovery info
memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
config->huk_recovery_info->crc = config->pre_generated_huk_info->crc;
} else {
// Generate new HUK and corresponding HUK info
ESP_LOGI(TAG, "Generating new HUK");
esp_ret = huk_hal_configure(ESP_HUK_MODE_GENERATION, huk_recovery_info);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to generate HUK");
heap_caps_free(huk_recovery_info);
return esp_ret;
}
memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
config->huk_recovery_info->crc = esp_rom_crc32_le(0, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
}
if (!key_mgr_hal_is_huk_valid()) {
ESP_LOGE(TAG, "HUK is invalid");
heap_caps_free(huk_recovery_info);
return ESP_FAIL;
}
ESP_LOGI(TAG, "HUK recovery/generation successfull");
ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", huk_recovery_info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG);
// Free the local buffer for huk recovery info
heap_caps_free(huk_recovery_info);
return ESP_OK;
}
static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
{
esp_err_t esp_ret = ESP_FAIL;
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (!key_mgr_hal_is_huk_valid()) {
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
huk_deploy_config_t huk_deploy_config;
huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
huk_deploy_config.huk_recovery_info = &config->key_info->huk_info;
esp_ret = deploy_huk(&huk_deploy_config);
if (esp_ret != ESP_OK) {
return esp_ret;
}
}
ESP_LOGI(TAG, "HUK deployed is Valid");
// STEP 1: Init Step
// Set mode
key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_AES);
uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
if (!key_recovery_info) {
return ESP_ERR_NO_MEM;
}
// Set key purpose (XTS/ECDSA)
ESP_LOGI(TAG, "purpose = %d", config->key_purpose);
key_mgr_hal_set_key_purpose(config->key_purpose);
// Set key length for XTS-AES key
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type;
if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
}
if (config->key_config->use_pre_generated_sw_init_key) {
key_mgr_hal_use_sw_init_key();
}
key_mgr_hal_start();
key_mgr_hal_continue();
// Step 2: Load phase
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
if (config->key_config->use_pre_generated_sw_init_key) {
key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE);
}
ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG);
ESP_LOGI(TAG, "Writing Information into Key Manager Registers");
key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE);
ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG);
key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_INFO);
key_mgr_hal_continue();
// Step 3: Gain phase
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
ESP_LOGE(TAG, "Key deployment is not valid");
heap_caps_free(key_recovery_info);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Key deployment valid");
}
// Wait till Key Manager deployment is complete
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
} else {
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
}
heap_caps_free(key_recovery_info);
return ESP_OK;
}
esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t *key_config, esp_key_mgr_key_recovery_info_t *key_recovery_info)
{
ESP_LOGI(TAG, "Key deployment in AES mode");
aes_deploy_config_t aes_deploy_config;
aes_deploy_config.key_config = key_config;
aes_deploy_config.key_info = key_recovery_info;
aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0];
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
} else {
ESP_LOGE(TAG, "Invalid key type");
return ESP_ERR_INVALID_ARG;
}
esp_key_mgr_acquire_hardware();
esp_err_t esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Key deployment in AES mode failed");
}
if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
aes_deploy_config.k1_encrypted = key_config->k1_encrypted[1];
esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Key deployment in AES mode failed");
}
}
// Set the Key Manager Static Register to use own key for the respective key type
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
KEY_MANAGER_RCC_ATOMIC() {
key_mgr_ll_enable_bus_clock(false);
key_mgr_ll_reset_register();
}
return esp_ret;
}
typedef struct key_recovery_config {
esp_key_mgr_key_purpose_t key_purpose;
esp_key_mgr_key_recovery_info_t *key_recovery_info;
} key_recovery_config_t;
static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
{
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (!check_huk_validity(&config->key_recovery_info->huk_info)) {
ESP_LOGE(TAG, "HUK info is not valid");
return ESP_ERR_INVALID_ARG;
}
ESP_LOGD(TAG, "HUK info valid");
if (!key_mgr_hal_is_huk_valid()) {
check_huk_risk_level();
esp_err_t esp_ret = huk_hal_configure(ESP_HUK_MODE_RECOVERY, config->key_recovery_info->huk_info.info);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to recover HUK");
return ESP_FAIL;
}
if (!key_mgr_hal_is_huk_valid()) {
ESP_LOGE(TAG, "HUK is invalid");
// TODO - define error code
return ESP_FAIL;
}
ESP_LOGI(TAG, "HUK deployed is Valid");
ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG);
}
key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RECOVER);
// Set AES-XTS key len
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_recovery_info->key_type;
if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
}
key_mgr_hal_set_key_purpose(config->key_purpose);
key_mgr_hal_start();
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) {
ESP_LOGE(TAG, "Key info not valid");
return ESP_FAIL;
}
key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[1].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
} else {
if (!check_key_info_validity(&config->key_recovery_info->key_info[0])) {
ESP_LOGE(TAG, "Key info not valid");
return ESP_FAIL;
}
key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
ESP_LOG_BUFFER_HEX_LEVEL("RECOVERY_INFO", config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_INFO);
}
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) {
ESP_LOGD(TAG, "Key deployment is not valid");
return ESP_FAIL;
}
ESP_LOGI(TAG, "Key Recovery valid");
}
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
return ESP_OK;
}
esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery_info)
{
esp_key_mgr_key_purpose_t key_purpose;
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type;
if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
} else {
ESP_LOGE(TAG, "Invalid key type");
return ESP_ERR_INVALID_ARG;
}
esp_err_t esp_ret = ESP_FAIL;
esp_key_mgr_acquire_key_lock(key_type);
key_recovery_config_t key_recovery_config;
key_recovery_config.key_recovery_info = key_recovery_info;
key_recovery_config.key_purpose = key_purpose;
esp_key_mgr_acquire_hardware();
esp_ret = key_mgr_recover_key(&key_recovery_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to recover key");
goto cleanup;
}
if (key_recovery_info->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_recovery_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
esp_ret = key_mgr_recover_key(&key_recovery_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to recover key");
goto cleanup;
}
}
// Set the Key Manager Static Register to use own key for the respective key type
key_mgr_hal_set_key_usage(key_recovery_info->key_type, ESP_KEY_MGR_USE_OWN_KEY);
cleanup:
esp_key_mgr_release_hardware();
return esp_ret;
}
esp_err_t esp_key_mgr_deactivate_key(esp_key_mgr_key_type_t key_type)
{
esp_key_mgr_release_key_lock(key_type);
esp_key_mgr_acquire_hardware();
esp_key_mgr_release_hardware();
return ESP_OK;
}
typedef struct ecdh0_config {
esp_key_mgr_key_purpose_t key_purpose;
const esp_key_mgr_ecdh0_key_config_t *key_config;
esp_key_mgr_key_recovery_info_t *key_info;
uint8_t *ecdh0_key_info;
} ecdh0_deploy_config_t;
static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
{
esp_err_t esp_ret = ESP_FAIL;
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (!key_mgr_hal_is_huk_valid()) {
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
huk_deploy_config_t huk_deploy_config;
huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
huk_deploy_config.huk_recovery_info = &config->key_info->huk_info;
esp_ret = deploy_huk(&huk_deploy_config);
if (esp_ret != ESP_OK) {
return esp_ret;
}
}
ESP_LOGI(TAG, "HUK deployed is Valid");
uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
if (!key_recovery_info) {
return ESP_ERR_NO_MEM;
}
// Step 1 : Initialization
// Configure deployment mode to ECDH0
key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_ECDH0);
// Set AES-XTS key len
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type;
if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
}
// Set key purpose (XTS/ECDSA)
key_mgr_hal_set_key_purpose(config->key_purpose);
key_mgr_hal_start();
key_mgr_hal_continue();
// Step 2: Load phase
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
key_mgr_hal_write_public_info(config->key_config->k1_G, KEY_MGR_ECDH0_INFO_SIZE);
key_mgr_hal_continue();
// Step 3: Gain phase
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
key_mgr_hal_read_assist_info(config->ecdh0_key_info);
ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
ESP_LOGI(TAG, "HUK deplpoyed is Valid");
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
ESP_LOGE(TAG, "Key deployment is not valid");
return ESP_FAIL;
}
ESP_LOGI(TAG, "Key deployment valid");
}
// Wait till Key Manager deployment is complete
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
} else {
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
}
config->key_info->key_type = config->key_config->key_type;
heap_caps_free(key_recovery_info);
return ESP_OK;
}
esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_config_t *key_config,
esp_key_mgr_key_recovery_info_t *key_info, esp_key_mgr_ecdh0_info_t *ecdh0_key_info)
{
ESP_LOGI(TAG, "Key Deployment in ECDH0 mode");
esp_key_mgr_key_purpose_t key_purpose;
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
ecdh0_deploy_config_t ecdh0_deploy_config;
ecdh0_deploy_config.key_config = key_config;
ecdh0_deploy_config.key_info = key_info;
if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
} else {
ESP_LOGE(TAG, "Invalid key type");
return ESP_ERR_INVALID_ARG;
}
esp_key_mgr_acquire_hardware();
esp_err_t esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode");
}
if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
ecdh0_deploy_config.key_purpose = key_purpose;
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1];
esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode");
}
}
// Set the Key Manager Static Register to use own key for the respective key type
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
esp_key_mgr_release_hardware();
return ESP_OK;
}
typedef struct random_deploy {
esp_key_mgr_key_purpose_t key_purpose;
const esp_key_mgr_random_key_config_t *key_config;
esp_key_mgr_key_recovery_info_t *key_info;
} random_deploy_config_t;
static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
{
esp_err_t esp_ret = ESP_FAIL;
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (!key_mgr_hal_is_huk_valid()) {
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
huk_deploy_config_t huk_deploy_config;
huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
huk_deploy_config.huk_recovery_info = &config->key_info->huk_info;
esp_ret = deploy_huk(&huk_deploy_config);
if (esp_ret != ESP_OK) {
return esp_ret;
}
}
ESP_LOGI(TAG, "HUK deployed is Valid");
// Configure deployment mode to RANDOM
key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RANDOM);
// Set AES-XTS key len
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type;
if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_256);
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
key_mgr_hal_set_xts_aes_key_len(ESP_KEY_MGR_XTS_AES_LEN_512);
}
uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
if (!key_recovery_info) {
return ESP_ERR_NO_MEM;
}
// Set key purpose (XTS/ECDSA)
key_mgr_hal_set_key_purpose(config->key_purpose);
key_mgr_hal_start();
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
key_mgr_hal_continue();
// No configuration for Random deploy mode
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
ESP_LOGE(TAG, "Key deployment is not valid");
heap_caps_free(key_recovery_info);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Key deployment valid");
}
// Wait till Key Manager deployment is complete
key_mgr_hal_continue();
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
} else {
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
}
heap_caps_free(key_recovery_info);
return ESP_OK;
}
esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_config_t *key_config, esp_key_mgr_key_recovery_info_t *key_recovery_info)
{
ESP_LOGI(TAG, "Key deployment in Random mode");
random_deploy_config_t random_deploy_config;
random_deploy_config.key_config = key_config;
random_deploy_config.key_info = key_recovery_info;
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
if (key_type == ESP_KEY_MGR_ECDSA_KEY) {
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA;
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
} else {
ESP_LOGE(TAG, "Invalid key type");
return ESP_ERR_INVALID_ARG;
}
esp_key_mgr_acquire_hardware();
esp_err_t esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Key deployment in Random mode failed");
return ESP_FAIL;
}
if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Key deployment in Random mode failed");
return ESP_FAIL;
}
}
// Set the Key Manager Static Register to use own key for the respective key type
key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY);
esp_key_mgr_release_hardware();
return esp_ret;
}

128
components/esp_hw_support/include/esp_key_mgr.h 100644
Wyświetl plik

@ -0,0 +1,128 @@
/*
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
#include "esp_err.h"
#include "soc/soc_caps.h"
#if SOC_KEY_MANAGER_SUPPORTED
#ifdef __cplusplus
extern "C" {
#endif
#include "hal/key_mgr_types.h"
#include "hal/huk_types.h"
#include "esp_attr.h"
#define KEY_MGR_SW_INIT_KEY_SIZE 32
#define KEY_MGR_ASSIST_INFO_SIZE 64
#define KEY_MGR_KEY_RECOVERY_INFO_SIZE 64
#define KEY_MGR_HUK_INFO_SIZE HUK_INFO_SIZE
#define KEY_MGR_HUK_RISK_ALERT_LEVEL HUK_RISK_ALERT_LEVEL
/* AES deploy mode */
#define KEY_MGR_K2_INFO_SIZE 64
#define KEY_MGR_K1_ENCRYPTED_SIZE 32
#define KEY_MGR_ECDH0_INFO_SIZE 64
#define KEY_MGR_ECDH0_INFO_SIZE 64
#define KEY_MGR_PLAINTEXT_KEY_SIZE 32
typedef struct {
esp_key_mgr_key_type_t key_type;
bool use_pre_generated_huk_info;
bool use_pre_generated_sw_init_key;
WORD_ALIGNED_ATTR esp_key_mgr_huk_info_t huk_info;
WORD_ALIGNED_ATTR uint8_t sw_init_key[KEY_MGR_SW_INIT_KEY_SIZE];
WORD_ALIGNED_ATTR uint8_t k2_info[KEY_MGR_K2_INFO_SIZE];
WORD_ALIGNED_ATTR uint8_t k1_encrypted[2][KEY_MGR_K1_ENCRYPTED_SIZE];
} esp_key_mgr_aes_key_config_t;
typedef struct {
esp_key_mgr_key_type_t key_type;
bool use_pre_generated_huk_info;
WORD_ALIGNED_ATTR esp_key_mgr_huk_info_t huk_info;
WORD_ALIGNED_ATTR uint8_t k1_G[KEY_MGR_ECDH0_INFO_SIZE];
} esp_key_mgr_ecdh0_key_config_t;
typedef struct {
esp_key_mgr_key_type_t key_type;
bool use_pre_generated_huk_info;
WORD_ALIGNED_ATTR esp_key_mgr_huk_info_t huk_info;
} esp_key_mgr_random_key_config_t;
typedef struct {
esp_key_mgr_key_type_t key_type;
WORD_ALIGNED_ATTR uint8_t k2_G[2][KEY_MGR_ECDH0_INFO_SIZE];
} esp_key_mgr_ecdh0_info_t;
/**
* @brief Deploy key in AES deployment mode
* @input
* key_config(input) AES key configuration
* key_info(output) A writable struct of esp_key_mgr_key_info_t type.
* The recovery information for the the deployed key shall be stored here
* @return
* ESP_OK for success
* ESP_FAIL/relevant error code for failure
*/
esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t *key_config, esp_key_mgr_key_recovery_info_t *key_info);
/**
* @brief Deploy key in ECDH0 deployment mode
* @input
* key_config(input) ECDH0 key configuration
* key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here
* ecdh0_key_info A writable struct of esp_key_mgr_ecdh0_info_t. The ecdh0 info to recover the actual key shall be stored here.
* @return
* ESP_OK for success
* ESP_FAIL/relevant error code for failure
*/
esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_config_t *key_config, esp_key_mgr_key_recovery_info_t *key_info, esp_key_mgr_ecdh0_info_t *ecdh0_key_info);
/**
* @brief Deploy key in Random deployment mode
* @input
* key_config(input) Random key configuration
* key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here
* @return
* ESP_OK for success
* ESP_FAIL/relevant error code for failure
*/
esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_config_t *key_config, esp_key_mgr_key_recovery_info_t *key_info);
/*
* @brief Recover and Activate a key from the given key info
*
* @note
* Once a key of particular type is activated through Key Manager,
* then a different key of the same type cannot be activated at the same time.
* This key must be deactivated first through a call to esp_key_mgr_deactivate_key()
* before activating other key of the same type
* @input
* key_info The key info required to recover the key
* @return
* ESP_OK for success
* ESP_FAIL/relevant error code for failure
*/
esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery_info);
/*
* @brief De-activate a key from the given key info
* The key which is de-activated can no longer be used for any operation
* @input
* key_info The key info required to recover the key
* @return
* ESP_OK for success
* ESP_FAIL/relevant error code for failure
*/
esp_err_t esp_key_mgr_deactivate_key(esp_key_mgr_key_type_t key_type);
#ifdef __cplusplus
}
#endif
#endif

14
components/esp_hw_support/include/soc/esp32p4/esp_crypto_lock.h
Wyświetl plik

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -91,6 +91,18 @@ void esp_crypto_ecdsa_lock_acquire(void);
*/
void esp_crypto_ecdsa_lock_release(void);
/**
* @brief Acquire lock for Key Manager peripheral
*
*/
void esp_crypto_key_manager_lock_acquire(void);
/**
* @brief Release lock for Key Manager peripheral
*
*/
void esp_crypto_key_manager_lock_release(void);
#ifdef __cplusplus
}
#endif

19
components/esp_hw_support/port/esp32p4/esp_crypto_lock.c
Wyświetl plik

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -36,6 +36,9 @@ static _lock_t s_crypto_ecc_lock;
/* Lock for ECDSA peripheral */
static _lock_t s_crypto_ecdsa_lock;
/* Lock for Key Manager peripheral */
static _lock_t s_crypto_key_manager_lock;
void esp_crypto_hmac_lock_acquire(void)
{
_lock_acquire(&s_crypto_hmac_lock);
@ -105,3 +108,17 @@ void esp_crypto_ecdsa_lock_release(void)
esp_crypto_ecc_lock_release();
_lock_release(&s_crypto_ecdsa_lock);
}
void esp_crypto_key_manager_lock_acquire(void)
{
_lock_acquire(&s_crypto_key_manager_lock);
esp_crypto_ecc_lock_acquire();
esp_crypto_sha_aes_lock_acquire();
}
void esp_crypto_key_manager_lock_release(void)
{
esp_crypto_sha_aes_lock_release();
esp_crypto_ecc_lock_release();
_lock_release(&s_crypto_key_manager_lock);
}

3
components/esp_hw_support/test_apps/esp_hw_support_unity_tests/main/CMakeLists.txt
Wyświetl plik

@ -6,6 +6,7 @@ set(srcs "test_app_main.c"
"test_ds.c"
"test_hmac.c"
"test_random.c"
"test_key_mgr.c"
)
if(CONFIG_SOC_MULTI_USAGE_LDO_SUPPORTED)
@ -19,5 +20,5 @@ endif()
# In order for the cases defined by `TEST_CASE` to be linked into the final elf,
# the component can be registered as WHOLE_ARCHIVE
idf_component_register(SRCS ${srcs}
REQUIRES unity esp_driver_gpio esp_driver_gptimer esp_driver_uart test_utils efuse
REQUIRES unity esp_driver_gpio esp_driver_gptimer esp_driver_uart test_utils efuse spi_flash
WHOLE_ARCHIVE)

140
components/esp_hw_support/test_apps/esp_hw_support_unity_tests/main/test_key_mgr.c 100644
Wyświetl plik

@ -0,0 +1,140 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
#include <string.h>
#include "unity.h"
#include "soc/soc_caps.h"
#if SOC_KEY_MANAGER_SUPPORTED
#include "esp_partition.h"
#include "esp_flash.h"
#include "esp_log.h"
#include "esp_err.h"
#if CONFIG_IDF_TARGET_ESP32P4
#include "esp32p4/rom/efuse.h"
#endif
#include "soc/keymng_reg.h"
#include "esp_key_mgr.h"
static const char *TAG = "key_mgr_test";
#define ENCRYPTED_DATA_SIZE 128
static const uint8_t plaintext_data[ENCRYPTED_DATA_SIZE] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30,
0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40,
0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60,
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80,
};
static const uint8_t expected_ciphertext[ENCRYPTED_DATA_SIZE] = {
0x10, 0x5d, 0x20, 0x41, 0x87, 0xb7, 0x16, 0x09, 0x3f, 0x67, 0x32, 0x79, 0x06, 0x53, 0x97, 0x53,
0x2b, 0x88, 0x1a, 0x22, 0xb2, 0xdc, 0x4e, 0x5e, 0xc2, 0xc8, 0x25, 0xe9, 0xf9, 0x6b, 0xfe, 0xd6,
0x12, 0x2c, 0xfa, 0x2c, 0x67, 0x7f, 0x08, 0xae, 0xce, 0x50, 0x68, 0x00, 0x0c, 0xee, 0x27, 0x1a,
0x54, 0x94, 0xc8, 0xea, 0xc3, 0xf3, 0x3e, 0xd9, 0xe6, 0x11, 0x76, 0x80, 0x3e, 0xa2, 0x16, 0xc0,
0x66, 0xdc, 0xdf, 0xb1, 0x73, 0x59, 0xae, 0x3e, 0xfc, 0x64, 0x38, 0x60, 0xf6, 0xc8, 0xf8, 0x57,
0xa8, 0x0c, 0x56, 0xd6, 0x2e, 0xdd, 0x06, 0xb6, 0xef, 0xf4, 0xb6, 0xba, 0xae, 0x5e, 0xcc, 0xe0,
0x74, 0x7d, 0x76, 0x69, 0x34, 0x15, 0x6d, 0x6e, 0x0c, 0xbd, 0xae, 0xdf, 0xe5, 0x2a, 0xf0, 0xed,
0x6d, 0xb0, 0xbd, 0x75, 0xda, 0xd6, 0x78, 0x08, 0x4b, 0xeb, 0xdd, 0xfe, 0x72, 0xd1, 0xd2, 0x26,
};
/* Big endian */
uint8_t init_key[] = {
0x4d, 0x21, 0x64, 0x21, 0x8f, 0xa2, 0xe3, 0xa0, 0xab, 0x74, 0xb5, 0xab, 0x17, 0x9a, 0x5d, 0x08,
0x58, 0xf4, 0x22, 0x03, 0xbd, 0x52, 0xe7, 0x88, 0x3c, 0x22, 0x0f, 0x95, 0x89, 0x70, 0xe1, 0x93
};
/* Big endian */
uint8_t k2_info[] = {
0xd8, 0xcd, 0x04, 0x45, 0xb4, 0x45, 0xc4, 0x15, 0xf6, 0x40, 0x1c, 0x7d, 0x90, 0x1b, 0x99, 0xa4,
0x79, 0x6b, 0xfb, 0x5b, 0x2a, 0x40, 0x60, 0xe1, 0xc1, 0xe1, 0x48, 0xcd, 0x46, 0x6b, 0x9b, 0x48,
0xda, 0x7a, 0x70, 0x0a, 0x78, 0x0b, 0x9d, 0xf9, 0x0e, 0xed, 0x91, 0xfc, 0xa5, 0xc2, 0x96, 0x05,
0x91, 0x76, 0xdb, 0x68, 0x84, 0x5d, 0x5e, 0x5b, 0xa6, 0xe9, 0x6b, 0x3b, 0x12, 0x50, 0x05, 0xc3
};
/* Big endian */
uint8_t k1_ecdsa_encrypt[] = {
0xeb, 0x83, 0x24, 0x7d, 0xf8, 0x40, 0xc9, 0x88, 0x5f, 0x5e, 0x58, 0x57, 0x25, 0xa9, 0x23, 0x4a,
0xa4, 0xc4, 0x12, 0x17, 0xf3, 0x9e, 0x1f, 0xa0, 0xa0, 0xfa, 0xd5, 0xbf, 0xb6, 0x6c, 0xb5, 0x48
};
uint8_t k1_xts_encrypt[] = {
0xeb, 0x83, 0x24, 0x7d, 0xf8, 0x40, 0xc9, 0x88, 0x5f, 0x5e, 0x58, 0x57, 0x25, 0xa9, 0x23, 0x4a,
0xa4, 0xc4, 0x12, 0x17, 0xf3, 0x9e, 0x1f, 0xa0, 0xa0, 0xfa, 0xd5, 0xbf, 0xb6, 0x6c, 0xb5, 0x48
};
const esp_partition_t *get_test_storage_partition(void)
{
/* This finds "storage" partition defined partition table */
const esp_partition_t *result = esp_partition_find_first(ESP_PARTITION_TYPE_DATA,
ESP_PARTITION_SUBTYPE_ANY, "storage");
if (!result) {
/* means partition table set wrong */
ESP_LOGE(TAG, "ERROR in obtaining storage partition");
return NULL;
}
return result;
}
static esp_err_t test_xts_aes_key(void)
{
const esp_partition_t *partition = get_test_storage_partition();
ESP_ERROR_CHECK(esp_partition_erase_range(partition, 0, partition->size));
uint32_t address = partition->address;
ESP_ERROR_CHECK(esp_flash_write_encrypted(NULL, address, plaintext_data, sizeof(plaintext_data)));
uint8_t read_data[ENCRYPTED_DATA_SIZE];
ESP_ERROR_CHECK(esp_flash_read(NULL, read_data, address, sizeof(read_data)));
if (memcmp(read_data, expected_ciphertext, sizeof(expected_ciphertext)) != 0) {
ESP_LOGE(TAG, "Encrypted data does not match expected data");
return ESP_FAIL;
}
return ESP_OK;
}
TEST_CASE("Key Manager AES mode: XTS-AES key deployment", "[hw_crypto] [key_mgr]")
{
static esp_key_mgr_aes_key_config_t key_config;
memcpy(key_config.k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE);
memcpy(key_config.k1_encrypted, (uint8_t*) k1_xts_encrypt, KEY_MGR_K1_ENCRYPTED_SIZE);
memcpy(key_config.sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE);
key_config.use_pre_generated_sw_init_key = 1;
key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
static esp_key_mgr_key_recovery_info_t key_info;
esp_err_t esp_ret = ESP_FAIL;
esp_ret = esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_info);
TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
esp_ret = test_xts_aes_key();
TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
}
TEST_CASE("Key Manager random mode: XTS_AES_128 key deployment", "[hw_crypto] [key_mgr]")
{
ESP_LOGI(TAG, "Key Manager Example Start");
static esp_key_mgr_random_key_config_t key_config;
key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY;
static esp_key_mgr_key_recovery_info_t key_info;
esp_err_t esp_ret = ESP_FAIL;
esp_ret = esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_info);
TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
}
TEST_CASE("Key Manager random mode: ECDSA key deployment", "[hw_crypto] [key_mgr]")
{
static esp_key_mgr_random_key_config_t key_config;
static esp_key_mgr_key_recovery_info_t key_info;
esp_err_t esp_ret = ESP_FAIL;
key_config.key_type = ESP_KEY_MGR_ECDSA_KEY;
esp_ret = esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_info);
TEST_ASSERT_EQUAL(ESP_OK, esp_ret);
}
#endif

6
components/esp_hw_support/test_apps/esp_hw_support_unity_tests/sdkconfig.defaults
Wyświetl plik

@ -1,2 +1,8 @@
CONFIG_ESP_TASK_WDT_INIT=n
CONFIG_ESP_MAIN_TASK_STACK_SIZE=8192
# set compiler optimization level
CONFIG_COMPILER_OPTIMIZATION_SIZE=y
CONFIG_BOOTLOADER_COMPILER_OPTIMIZATION_SIZE=y
# we can silent the assertion to save the binary footprint
CONFIG_COMPILER_OPTIMIZATION_ASSERTIONS_SILENT=y

3
components/esp_rom/include/esp32p4/rom/key_mgr.h
Wyświetl plik

@ -35,7 +35,8 @@ struct huk_key_block {
#define KEY_HUK_SECTOR_MAGIC 0xDEA5CE5A
uint32_t magic;
uint32_t version; // for backward compatibility
uint8_t reserved[16];
uint8_t key_type;
uint8_t reserved[15];
struct huk_info huk_info;
struct key_info key_info[2]; // at most 2 key info (XTS-512_1 and XTS-512_2), at least use 1
} WORD_ALIGNED_ATTR PACKED_ATTR;

12
components/esp_system/port/cpu_start.c
Wyświetl plik

@ -68,7 +68,10 @@
#elif CONFIG_IDF_TARGET_ESP32P4
#include "esp32p4/rtc.h"
#include "soc/hp_sys_clkrst_reg.h"
#include "soc/keymng_reg.h"
#endif
#if SOC_KEY_MANAGER_SUPPORTED
#include "hal/key_mgr_hal.h"
#endif
#include "esp_private/rtc_clk.h"
@ -305,11 +308,14 @@ static void start_other_core(void)
if(REG_GET_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL)){
REG_CLR_BIT(HP_SYS_CLKRST_HP_RST_EN0_REG, HP_SYS_CLKRST_REG_RST_EN_CORE1_GLOBAL);
}
#endif
#if SOC_KEY_MANAGER_SUPPORTED
// The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default
// This is to keep the default behavior same as the other chips
// If the Key Manager configuration is already locked then following operation does not have any effect
// TODO-IDF 7925 (Move this under SOC_KEY_MANAGER_SUPPORTED)
REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 3);
key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
#endif
ets_set_appcpu_boot_addr((uint32_t)call_start_cpu1);

10
components/hal/CMakeLists.txt
Wyświetl plik

@ -26,6 +26,11 @@ if(CONFIG_SOC_WDT_SUPPORTED AND NOT CONFIG_HAL_WDT_USE_ROM_IMPL)
list(APPEND srcs "wdt_hal_iram.c")
endif()
if(CONFIG_SOC_KEY_MANAGER_SUPPORTED)
list(APPEND srcs "key_mgr_hal.c")
list(APPEND srcs "huk_hal.c")
endif()
if(NOT CONFIG_APP_BUILD_TYPE_PURE_RAM_APP)
if(CONFIG_SOC_MMU_PERIPH_NUM)
list(APPEND srcs "mmu_hal.c")
@ -242,11 +247,6 @@ if(NOT BOOTLOADER_BUILD)
list(APPEND srcs "ds_hal.c")
endif()
if(CONFIG_SOC_KEY_MANAGER_SUPPORTED)
list(APPEND srcs "key_mgr_hal.c")
list(APPEND srcs "huk_hal.c")
endif()
if(CONFIG_SOC_USB_OTG_SUPPORTED)
list(APPEND srcs
"usb_dwc_hal.c"

16
components/hal/ecdsa_hal.c
Wyświetl plik

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -10,7 +10,7 @@
#include "hal/efuse_hal.h"
#ifdef SOC_KEY_MANAGER_SUPPORTED
#include "soc/keymng_reg.h" // TODO: IDF-7901
#include "hal/key_mgr_hal.h"
#endif
#define ECDSA_HAL_P192_COMPONENT_LEN 24
@ -18,13 +18,19 @@
static void configure_ecdsa_periph(ecdsa_hal_config_t *conf)
{
#ifdef SOC_KEY_MANAGER_SUPPORTED
REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 1); // TODO: IDF-7901
#endif
if (conf->use_km_key == 0) {
efuse_hal_set_ecdsa_key(conf->efuse_key_blk);
#if SOC_KEY_MANAGER_SUPPORTED
key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
#endif
}
#if SOC_KEY_MANAGER_SUPPORTED
else {
key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_OWN_KEY);
}
#endif
ecdsa_ll_set_mode(conf->mode);
ecdsa_ll_set_curve(conf->curve);

13
components/hal/esp32p4/include/hal/huk_ll.h
Wyświetl plik

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -14,6 +14,7 @@
#include "soc/soc_caps.h"
#if SOC_KEY_MANAGER_SUPPORTED
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
@ -32,12 +33,12 @@ static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode)
REG_SET_FIELD(HUK_CONF_REG, HUK_MODE, huk_mode);
}
void huk_ll_write_info(const uint8_t *buffer, const size_t size)
static inline void huk_ll_write_info(const uint8_t *buffer, const size_t size)
{
memcpy((uint8_t *)HUK_INFO_MEM, buffer, size);
}
void huk_ll_read_info(uint8_t *buffer, const size_t size)
static inline void huk_ll_read_info(uint8_t *buffer, const size_t size)
{
memcpy(buffer, (uint8_t *)HUK_INFO_MEM, size);
}
@ -91,15 +92,15 @@ static inline void huk_ll_clear_int(const esp_huk_interrupt_type_t intr)
*/
static inline esp_huk_state_t huk_ll_get_state(void)
{
return REG_GET_FIELD(HUK_STATE_REG, HUK_STATE);
return (esp_huk_state_t) REG_GET_FIELD(HUK_STATE_REG, HUK_STATE);
}
/**
* @brief Get the HUK generation status: esp_huk_gen_status_t
* @brief Get the HUK generation status
*/
static inline esp_huk_gen_status_t huk_ll_get_gen_status(void)
{
return REG_GET_FIELD(HUK_STATUS_REG, HUK_STATUS);
return (esp_huk_gen_status_t) REG_GET_FIELD(HUK_STATUS_REG, HUK_STATUS);
}
/**

2
components/hal/esp32p4/include/hal/key_mgr_hal.h
Wyświetl plik

@ -112,7 +112,7 @@ void key_mgr_hal_write_public_info(const uint8_t *public_info_buf, const size_t
void key_mgr_hal_read_public_info(uint8_t *public_info_buf, const size_t read_len);
/* @brief Set the AES-XTS key length for the Key Manager */
void key_mgr_hal_set_aes_xts_key_len(const esp_key_mgr_xts_aes_key_len_t key_len);
void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_xts_aes_key_len_t key_len);
/* @brief Get the AES-XTS key length for the Key Manager */
esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_aes_xts_key_len(void);

78
components/hal/esp32p4/include/hal/key_mgr_ll.h
Wyświetl plik

@ -10,7 +10,6 @@
******************************************************************************/
#pragma once
#include "soc/soc_caps.h"
#if SOC_KEY_MANAGER_SUPPORTED
@ -120,14 +119,45 @@ static inline void key_mgr_ll_use_sw_init_key(void)
*/
static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage)
{
uint8_t read_value = ((0x03) & REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY));
uint8_t reg_value = (read_value & (~((uint8_t)key_type))) | (uint8_t) (key_type * key_usage);
REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, reg_value);
switch (key_type) {
case ESP_KEY_MGR_ECDSA_KEY:
if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA);
} else {
REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA);
}
break;
case ESP_KEY_MGR_XTS_AES_128_KEY:
case ESP_KEY_MGR_XTS_AES_256_KEY:
if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) {
REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_XTS);
} else {
REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_XTS);
}
break;
default:
HAL_ASSERT(false && "Unsupported mode");
return;
}
}
static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type)
{
return (esp_key_mgr_key_usage_t) (key_type & REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY));
switch (key_type) {
case ESP_KEY_MGR_ECDSA_KEY:
return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA));
break;
case ESP_KEY_MGR_XTS_AES_128_KEY:
case ESP_KEY_MGR_XTS_AES_256_KEY:
return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_XTS));
break;
default:
HAL_ASSERT(false && "Unsupported mode");
return ESP_KEY_MGR_USAGE_INVALID;
}
return ESP_KEY_MGR_USAGE_INVALID;
}
/**
@ -145,9 +175,17 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void)
* After this lock has been set,
* The Key manager configuration about whether to use a paricular key from efuse or key manager cannot be changed.
*/
static inline void key_mgr_ll_lock_use_efuse_key_reg(void)
static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type)
{
REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK);
switch(key_type) {
case ESP_KEY_MGR_ECDSA_KEY:
REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA);
break;
case ESP_KEY_MGR_XTS_AES_128_KEY:
case ESP_KEY_MGR_XTS_AES_256_KEY:
REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_XTS);
break;
}
}
/* @brief Configure the key purpose to be used by the Key Manager for key generator opearation */
@ -182,15 +220,19 @@ static inline bool key_mgr_ll_is_result_success(void)
static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type)
{
switch (key_type) {
case ESP_KEY_MGR_ECDSA_KEY:
return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD);
break;
case ESP_KEY_MGR_XTS_KEY:
return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_XTS_VLD);
break;
default:
HAL_ASSERT(false && "Unsupported mode");
return 0;
case ESP_KEY_MGR_ECDSA_KEY:
return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD);
break;
case ESP_KEY_MGR_XTS_AES_128_KEY:
case ESP_KEY_MGR_XTS_AES_256_KEY:
return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_XTS_VLD);
break;
default:
HAL_ASSERT(false && "Unsupported mode");
return 0;
}
}
@ -257,13 +299,13 @@ static inline bool key_mgr_ll_is_huk_valid(void)
}
/* @brief Set the AES-XTS key length for the Key Manager */
static inline void key_mgr_ll_set_aes_xts_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
{
REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_XTS_AES_KEY_LEN, key_len);
}
/* @brief Get the AES-XTS key length for the Key Manager */
static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_aes_xts_key_len(void)
static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_xts_aes_key_len(void)
{
return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_XTS_AES_KEY_LEN);
}

1
components/hal/huk_hal.c
Wyświetl plik

@ -12,6 +12,7 @@
#include "hal/assert.h"
#include "hal/log.h"
#include "rom/km.h"
#include "esp_err.h"
esp_huk_state_t huk_hal_get_state(void)
{

1
components/hal/include/hal/huk_types.h
Wyświetl plik

@ -17,6 +17,7 @@ extern "C" {
#endif
#define HUK_INFO_SIZE 384
#define HUK_RISK_ALERT_LEVEL 4
/**
* @brief Mode for Hardware Unique Key Process: recovery, generation

59
components/hal/include/hal/key_mgr_types.h
Wyświetl plik

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include "esp_attr.h"
#define KEY_MGR_ASSIST_INFO_LEN 64
@ -23,25 +24,26 @@ extern "C" {
*/
typedef enum {
ESP_KEY_MGR_STATE_IDLE = 0, /* Key Manager is idle */
ESP_KEY_MGR_STATE_LOAD, /* Key Manager is read to recieve input */
ESP_KEY_MGR_STATE_GAIN, /* Key Manager is ready to provide output */
ESP_KEY_MGR_STATE_BUSY /* Key Manager is busy */
ESP_KEY_MGR_STATE_LOAD = 1, /* Key Manager is ready to recieve input */
ESP_KEY_MGR_STATE_GAIN = 2, /* Key Manager is ready to provide output */
ESP_KEY_MGR_STATE_BUSY = 3, /* Key Manager is busy */
} esp_key_mgr_state_t;
/**
* @brief Length of the XTS AES key
*/
typedef enum {
ESP_KEY_MGR_XTS_AES_LEN_512 = 0, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */
ESP_KEY_MGR_XTS_AES_LEN_256, /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128*/
ESP_KEY_MGR_XTS_AES_LEN_256 = 0, /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128*/
ESP_KEY_MGR_XTS_AES_LEN_512, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */
} esp_key_mgr_xts_aes_key_len_t;
/**
* @brief Type of the key: ECDSA, XTS
*/
typedef enum {
ESP_KEY_MGR_ECDSA_KEY = 1, /* ECDSA key */
ESP_KEY_MGR_XTS_KEY, /* XTS AES key */
ESP_KEY_MGR_ECDSA_KEY = 0, /* ECDSA key */
ESP_KEY_MGR_XTS_AES_128_KEY, /* XTS-AES 128 key */
ESP_KEY_MGR_XTS_AES_256_KEY, /* XTS-AES 256 key */
} esp_key_mgr_key_type_t;
/*
@ -50,6 +52,7 @@ typedef enum {
typedef enum {
ESP_KEY_MGR_USE_OWN_KEY = 0, /* Use key from the key manager */
ESP_KEY_MGR_USE_EFUSE_KEY, /* Use key from the eFuse */
ESP_KEY_MGR_USAGE_INVALID,
} esp_key_mgr_key_usage_t;
/**
@ -57,9 +60,9 @@ typedef enum {
*/
typedef enum {
ESP_KEY_MGR_KEY_PURPOSE_ECDSA = 1,
ESP_KEY_MGR_KEY_PURPOSE_XTS_256_1, /* First half of the XTS AES 256 bit key */
ESP_KEY_MGR_KEY_PURPOSE_XTS_256_2, /* Second half of the XTS AES 256 bit key */
ESP_KEY_MGR_KEY_PURPOSE_XTS_128 /* XTS AES 128 bit key */
ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 = 2, /* First half of the XTS AES 256 bit key */
ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 = 3, /* Second half of the XTS AES 256 bit key */
ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128 = 4, /* XTS AES 128 bit key */
} esp_key_mgr_key_purpose_t;
/**
@ -67,11 +70,11 @@ typedef enum {
*/
typedef enum {
ESP_KEY_MGR_KEYGEN_MODE_RANDOM = 0,
ESP_KEY_MGR_KEYGEN_MODE_AES,
ESP_KEY_MGR_KEYGEN_MODE_ECDH0,
ESP_KEY_MGR_KEYGEN_MODE_ECDH1,
ESP_KEY_MGR_KEYGEN_MODE_RECOVER,
ESP_KEY_MGR_KEYGEN_MODE_EXPORT,
ESP_KEY_MGR_KEYGEN_MODE_AES = 1,
ESP_KEY_MGR_KEYGEN_MODE_ECDH0 = 2,
ESP_KEY_MGR_KEYGEN_MODE_ECDH1 = 3,
ESP_KEY_MGR_KEYGEN_MODE_RECOVER = 4,
ESP_KEY_MGR_KEYGEN_MODE_EXPORT = 5,
} esp_key_mgr_key_generator_mode_t;
/**
@ -84,6 +87,30 @@ typedef enum {
ESP_KEY_MGR_INT_POST_DONE,
} esp_key_mgr_interrupt_type_t;
// store huk info, occupy 96 words
typedef struct PACKED_ATTR {
#define HUK_INFO_LEN 384
uint8_t info[HUK_INFO_LEN];
uint32_t crc;
} esp_key_mgr_huk_info_t;
// store key info, occupy 512 bits
typedef struct PACKED_ATTR {
#define KEY_INFO_LEN 64
uint8_t info[KEY_INFO_LEN];
uint32_t crc;
} esp_key_mgr_key_info_t;
typedef struct WORD_ALIGNED_ATTR PACKED_ATTR {
#define KEY_HUK_SECTOR_MAGIC 0xDEA5CE5A
uint32_t magic;
uint32_t version; // for backward compatibility
uint8_t key_type;
uint8_t reserved[15];
esp_key_mgr_huk_info_t huk_info;
esp_key_mgr_key_info_t key_info[2]; // at most 2 key info (XTS-512_1 and XTS-512_2), at least use 1
} esp_key_mgr_key_recovery_info_t;
#ifdef __cplusplus
}
#endif

8
components/hal/key_mgr_hal.c
Wyświetl plik

@ -79,14 +79,14 @@ bool key_mgr_hal_is_huk_valid(void)
return key_mgr_ll_is_huk_valid();
}
void key_mgr_hal_set_aes_xts_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
{
key_mgr_ll_set_aes_xts_key_len(key_len);
key_mgr_ll_set_xts_aes_key_len(key_len);
}
esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_aes_xts_key_len(void)
esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_xts_aes_key_len(void)
{
return key_mgr_ll_get_aes_xts_key_len();
return key_mgr_ll_get_xts_aes_key_len();
}
void key_mgr_hal_continue(void)

2
components/mbedtls/port/include/ecdsa/ecdsa_alt.h
Wyświetl plik

@ -29,7 +29,7 @@ typedef struct {
#ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
bool load_pubkey; /*!< Export ECDSA public key from the hardware */
#endif
} esp_ecdsa_pk_conf_t; //TODO: IDF-7925 (Add a config to select the ecdsa key from the key manager peripheral)
} esp_ecdsa_pk_conf_t; //TODO: IDF-9008 (Add a config to select the ecdsa key from the key manager peripheral)
#if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__

4
components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
Wyświetl plik

@ -147,6 +147,10 @@ config SOC_ECDSA_SUPPORTED
bool
default y
config SOC_KEY_MANAGER_SUPPORTED
bool
default y
config SOC_FLASH_ENC_SUPPORTED
bool
default y

46
components/soc/esp32p4/include/soc/keymng_reg.h
Wyświetl plik

@ -138,14 +138,21 @@ extern "C" {
* Key Manager static configuration register
*/
#define KEYMNG_STATIC_REG (DR_REG_KEYMNG_BASE + 0x18)
/** KEYMNG_USE_EFUSE_KEY : R/W; bitpos: [1:0]; default: 0;
* Set each bit to choose efuse key instead of key manager deployed key. Each bit
* stands for a key type: bit 1 for xts_key; bit 0 for ecdsa_key
*/
#define KEYMNG_USE_EFUSE_KEY 0x00000003U
#define KEYMNG_USE_EFUSE_KEY_M (KEYMNG_USE_EFUSE_KEY_V << KEYMNG_USE_EFUSE_KEY_S)
#define KEYMNG_USE_EFUSE_KEY_V 0x00000003U
#define KEYMNG_USE_EFUSE_KEY_S 0
/* KEYMNG_USE_EFUSE_KEY_XTS : R/W ;bitpos:[1] ;default: 1'd0 ; */
/*description: Set this bit to choose efuse key instead of key manager deployed key for xts_key.*/
#define KEYMNG_USE_EFUSE_KEY_XTS (BIT(1))
#define KEYMNG_USE_EFUSE_KEY_XTS_M ((KEYMNG_USE_EFUSE_KEY_XTS_V)<<(KEYMNG_USE_EFUSE_KEY_XTS_S))
#define KEYMNG_USE_EFUSE_KEY_XTS_V 0x1
#define KEYMNG_USE_EFUSE_KEY_XTS_S 1
/* KEYMNG_USE_EFUSE_KEY_ECDSA : R/W ;bitpos:[0] ;default: 1'd0 ; */
/*description: Set this bit to choose efuse key instead of key manager deployed key for ecdsa_key.*/
#define KEYMNG_USE_EFUSE_KEY_ECDSA (BIT(0))
#define KEYMNG_USE_EFUSE_KEY_ECDSA_M ((KEYMNG_USE_EFUSE_KEY_ECDSA_V)<<(KEYMNG_USE_EFUSE_KEY_ECDSA_S))
#define KEYMNG_USE_EFUSE_KEY_ECDSA_V 0x1
#define KEYMNG_USE_EFUSE_KEY_ECDSA_S 0
/** KEYMNG_RND_SWITCH_CYCLE : R/W; bitpos: [8:4]; default: 15;
* The core clock cycle number to sample one rng input data. Please set it bigger than
* the clock cycle ratio: T_rng/T_km
@ -174,14 +181,21 @@ extern "C" {
* Key Manager static configuration locker register
*/
#define KEYMNG_LOCK_REG (DR_REG_KEYMNG_BASE + 0x1c)
/** KEYMNG_USE_EFUSE_KEY_LOCK : R/W1; bitpos: [1:0]; default: 0;
* Write 1 to lock reg_use_efuse_key. Each bit locks the corresponding bit of
* reg_use_efuse_key.
*/
#define KEYMNG_USE_EFUSE_KEY_LOCK 0x00000003U
#define KEYMNG_USE_EFUSE_KEY_LOCK_M (KEYMNG_USE_EFUSE_KEY_LOCK_V << KEYMNG_USE_EFUSE_KEY_LOCK_S)
#define KEYMNG_USE_EFUSE_KEY_LOCK_V 0x00000003U
#define KEYMNG_USE_EFUSE_KEY_LOCK_S 0
/* KEYMNG_USE_EFUSE_KEY_XTS : R/W ; bitpos:[1] ; default: 1'd0 ; */
/* description: Set thus bit to choose efuse key instead of key manager deployed key for xts_key */
#define KEYMNG_USE_EFUSE_KEY_LOCK_XTS (BIT(1))
#define KEYMNG_USE_EFUSE_KEY_LOCK_XTS_M ((KEYMNG_USE_EFUSE_KEY_LOCK_XTS_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_XTS_S))
#define KEYMNG_USE_EFUSE_KEY_LOCK_XTS_V 0x1
#define KEYMNG_USE_EFUSE_KEY_LOCK_XTS_S 1
/* KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA : R/W ; bitpos:[0] ; default: 1'd0 ; */
/* description: Write 1 to lock ecdsa-key */
#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA (BIT(0))
#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_M ((KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S))
#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V 0x1
#define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S 0
/** KEYMNG_RND_SWITCH_CYCLE_LOCK : R/W1; bitpos: [4]; default: 0;
* Write 1 to lock reg_rnd_switch_cycle.
*/

2
components/soc/esp32p4/include/soc/soc_caps.h
Wyświetl plik

@ -61,7 +61,7 @@
#define SOC_ECC_SUPPORTED 1
#define SOC_ECC_EXTENDED_MODES_SUPPORTED 1
#define SOC_ECDSA_SUPPORTED 1
// #define SOC_KEY_MANAGER_SUPPORTED 1 //TODO: IDF-7925
#define SOC_KEY_MANAGER_SUPPORTED 1
#define SOC_FLASH_ENC_SUPPORTED 1
#define SOC_SECURE_BOOT_SUPPORTED 1
// #define SOC_BOD_SUPPORTED 1 //TODO: IDF-7519