From 50c41c3b59b675744f8e5f7bb73cf06fa0fb84fe Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Thu, 12 Jun 2025 18:00:59 +0530 Subject: [PATCH] change(esp_key_mgr): Refactor Key Manager driver to reduce logs --- components/esp_security/src/esp_key_mgr.c | 216 ++++++++++++++-------- 1 file changed, 136 insertions(+), 80 deletions(-) diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index a53f085ca5..f82cc19416 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -4,32 +4,23 @@ * SPDX-License-Identifier: Apache-2.0 */ // The Hardware Support layer for Key manager +#include #include #include -#include "assert.h" #include "esp_key_mgr.h" #include "esp_crypto_periph_clk.h" #include "esp_crypto_lock.h" #include "esp_log.h" #include "esp_err.h" -#include "esp_random.h" #include "esp_heap_caps.h" #include "esp_rom_crc.h" #include "esp_efuse.h" -#include "freertos/FreeRTOS.h" -#include "freertos/semphr.h" #include "hal/key_mgr_types.h" #include "hal/key_mgr_hal.h" -#include "hal/key_mgr_ll.h" #include "hal/huk_types.h" #include "hal/huk_hal.h" #include "rom/key_mgr.h" -#if CONFIG_LOG_DEFAULT_LEVEL_VERBOSE -#include "soc/huk_reg.h" -#include "soc/keymng_reg.h" -#endif - static const char *TAG = "esp_key_mgr"; static _lock_t s_key_mgr_ecdsa_key_lock; @@ -38,9 +29,7 @@ static _lock_t s_key_mgr_hmac_key_lock; static _lock_t s_key_mgr_ds_key_lock; ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)"); - ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)"); - ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)"); static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) @@ -140,7 +129,7 @@ static void check_huk_risk_level(void) "It is recommended to immediately regenerate HUK in order" "to avoid permanently losing the deployed keys", huk_risk_level); } else { - ESP_LOGI(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL); + ESP_LOGD(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL); } } @@ -205,13 +194,15 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) if (config->use_pre_generated_huk_info) { // If HUK info is provided then recover the HUK from given info check_huk_risk_level(); + if (!check_huk_info_validity(config->pre_generated_huk_info)) { ESP_LOGE(TAG, "HUK info is not valid"); heap_caps_free(huk_recovery_info); return ESP_ERR_INVALID_ARG; } + memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE); - ESP_LOGI(TAG, "Recovering HUK from given HUK recovery info"); + ESP_LOGD(TAG, "Recovering HUK from given HUK recovery info"); esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, huk_recovery_info); if (esp_ret != ESP_OK) { @@ -219,12 +210,13 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) heap_caps_free(huk_recovery_info); return esp_ret; } + // Copy the pre generated huk info in the output key recovery info memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); config->huk_recovery_info->crc = config->pre_generated_huk_info->crc; } else { // Generate new HUK and corresponding HUK info - ESP_LOGI(TAG, "Generating new HUK"); + ESP_LOGD(TAG, "Generating new HUK"); esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, huk_recovery_info); if (esp_ret != ESP_OK) { @@ -232,6 +224,7 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) heap_caps_free(huk_recovery_info); return esp_ret; } + memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); config->huk_recovery_info->crc = esp_rom_crc32_le(0, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); } @@ -246,6 +239,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed huk_deploy_config_t huk_deploy_config = {}; @@ -256,7 +250,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if (esp_ret != ESP_OK) { return esp_ret; } - ESP_LOGI(TAG, "HUK deployed successfully"); + ESP_LOGD(TAG, "HUK deployed successfully"); } // STEP 1: Init Step @@ -267,6 +261,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if (!key_recovery_info) { return ESP_ERR_NO_MEM; } + // Set key purpose ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose); key_mgr_hal_set_key_purpose(config->key_purpose); @@ -290,21 +285,28 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_start(); key_mgr_hal_continue(); + // Step 2: Load phase key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); + if (config->key_config->use_pre_generated_sw_init_key) { key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE); + ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG); } - ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG); ESP_LOGD(TAG, "Writing Information into Key Manager Registers"); + key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE); ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG); + key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_DEBUG); + key_mgr_hal_continue(); + // Step 3: Gain phase key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); + key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); @@ -314,11 +316,13 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGI(TAG, "Key deployment valid"); + ESP_LOGD(TAG, "Key deployment valid"); } + // Wait till Key Manager deployment is complete key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) { memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); @@ -327,6 +331,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); } + heap_caps_free(key_recovery_info); config->key_info->key_type = config->key_config->key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; @@ -340,7 +345,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t return ESP_ERR_INVALID_ARG; } - ESP_LOGI(TAG, "Key deployment in AES mode"); + ESP_LOGD(TAG, "Key deployment in AES mode"); aes_deploy_config_t aes_deploy_config = {}; aes_deploy_config.key_config = key_config; @@ -348,19 +353,26 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0]; esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + break; + case ESP_KEY_MGR_ECDSA_256_KEY: aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_128_KEY: aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_256_KEY: aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - } else if (key_type == ESP_KEY_MGR_HMAC_KEY) { + break; + case ESP_KEY_MGR_HMAC_KEY: aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - } else if (key_type == ESP_KEY_MGR_DS_KEY) { + break; + case ESP_KEY_MGR_DS_KEY: aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - } else { + break; + default: ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -370,7 +382,9 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t esp_err_t esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in AES mode failed"); + goto cleanup; } + aes_deploy_config.huk_deployed = true; if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { @@ -379,12 +393,14 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in AES mode failed"); + goto cleanup; } } // Set the Key Manager Static Register to use own key for the respective key type key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); +cleanup: esp_key_mgr_release_hardware(true); return esp_ret; } @@ -411,7 +427,8 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) ESP_LOGE(TAG, "Failed to recover HUK"); return esp_ret; } - ESP_LOGI(TAG, "HUK recovered successfully"); + + ESP_LOGD(TAG, "HUK recovered successfully"); ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG); config->huk_recovered = true; } @@ -430,6 +447,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_hal_start(); key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) { if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) { ESP_LOGE(TAG, "Key info not valid"); @@ -448,6 +466,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) { if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) { ESP_LOGD(TAG, "Key deployment is not valid"); @@ -455,6 +474,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) } ESP_LOGD(TAG, "Key Recovery valid"); } + key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); return ESP_OK; @@ -466,33 +486,41 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery return ESP_ERR_INVALID_ARG; } - ESP_LOGI(TAG, "Activating key of type %d", key_recovery_info->key_type); + ESP_LOGD(TAG, "Activating key of type %d", key_recovery_info->key_type); esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type; esp_key_mgr_key_purpose_t key_purpose; - if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + break; + case ESP_KEY_MGR_ECDSA_256_KEY: key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_128_KEY: key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_256_KEY: key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - } else if (key_type == ESP_KEY_MGR_HMAC_KEY) { + break; + case ESP_KEY_MGR_HMAC_KEY: key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - } else if (key_type == ESP_KEY_MGR_DS_KEY) { + break; + case ESP_KEY_MGR_DS_KEY: key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - } else { + break; + default: ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } esp_err_t esp_ret = ESP_FAIL; esp_key_mgr_acquire_key_lock(key_type); - key_recovery_config_t key_recovery_config = {}; - key_recovery_config.key_recovery_info = key_recovery_info; - key_recovery_config.key_purpose = key_purpose; + key_recovery_config_t key_recovery_config = { + .key_recovery_info = key_recovery_info, + .key_purpose = key_purpose, + }; esp_key_mgr_acquire_hardware(false); @@ -515,8 +543,9 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery // Set the Key Manager Static Register to use own key for the respective key type key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); - ESP_LOGI(TAG, "Key activation for type %d successful", key_recovery_info->key_type); esp_key_mgr_release_key_lock(key_type); + + ESP_LOGD(TAG, "Key activation for type %d successful", key_recovery_info->key_type); return ESP_OK; cleanup: @@ -527,10 +556,9 @@ cleanup: esp_err_t esp_key_mgr_deactivate_key(esp_key_mgr_key_type_t key_type) { - ESP_LOGD(TAG, "Deactivating key of type %d", key_type); esp_key_mgr_release_key_lock(key_type); esp_key_mgr_release_hardware(false); - ESP_LOGI(TAG, "Key deactivation successful"); + ESP_LOGD(TAG, "Key deactivation successful for type %d", key_type); return ESP_OK; } @@ -558,7 +586,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) if (esp_ret != ESP_OK) { return esp_ret; } - ESP_LOGI(TAG, "HUK deployed successfully"); + ESP_LOGD(TAG, "HUK deployed successfully"); } uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); @@ -585,17 +613,20 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) // Step 2: Load phase key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); + ESP_LOGD(TAG, "Writing Information into Key Manager Registers"); key_mgr_hal_write_public_info(config->k1_G, KEY_MGR_ECDH0_INFO_SIZE); + key_mgr_hal_continue(); // Step 3: Gain phase key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); + key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_read_assist_info(config->ecdh0_key_info); ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); - ESP_LOGI(TAG, "HUK deplpoyed is Valid"); + ESP_LOGD(TAG, "HUK deployed is valid"); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) { if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { @@ -603,15 +634,16 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGI(TAG, "Key deployment valid"); + ESP_LOGD(TAG, "Key deployment valid"); } + // Wait till Key Manager deployment is complete key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) { memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); @@ -630,34 +662,43 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi if (key_config == NULL || key_info == NULL || ecdh0_key_info == NULL) { return ESP_ERR_INVALID_ARG; } - ESP_LOGI(TAG, "Key Deployment in ECDH0 mode"); - esp_key_mgr_key_purpose_t key_purpose; + + ESP_LOGD(TAG, "Key Deployment in ECDH0 mode"); + esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - ecdh0_deploy_config_t ecdh0_deploy_config = {}; - ecdh0_deploy_config.key_config = key_config; - ecdh0_deploy_config.key_info = key_info; - ecdh0_deploy_config.k1_G = key_config->k1_G[0]; + ecdh0_deploy_config_t ecdh0_deploy_config = { + .key_config = key_config, + .key_info = key_info, + .k1_G = key_config->k1_G[0], + }; - if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + break; + case ESP_KEY_MGR_ECDSA_256_KEY: ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_128_KEY: ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_256_KEY: ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - } else if (key_type == ESP_KEY_MGR_HMAC_KEY) { + break; + case ESP_KEY_MGR_HMAC_KEY: ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - } else if (key_type == ESP_KEY_MGR_DS_KEY) { + break; + case ESP_KEY_MGR_DS_KEY: ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - } else { + break; + default: ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -668,13 +709,12 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode"); } + ecdh0_deploy_config.huk_deployed = true; if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2; - ecdh0_deploy_config.key_purpose = key_purpose; + ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2; ecdh0_deploy_config.k1_G = key_config->k1_G[1]; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1]; esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); if (esp_ret != ESP_OK) { @@ -700,17 +740,20 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed - huk_deploy_config_t huk_deploy_config = {}; - huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info; - huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info; - huk_deploy_config.huk_recovery_info = &config->key_info->huk_info; + huk_deploy_config_t huk_deploy_config = { + .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, + .pre_generated_huk_info = &config->key_config->huk_info, + .huk_recovery_info = &config->key_info->huk_info, + }; + esp_ret = deploy_huk(&huk_deploy_config); if (esp_ret != ESP_OK) { return esp_ret; } - ESP_LOGI(TAG, "HUK deployed successfully"); + ESP_LOGD(TAG, "HUK deployed successfully"); } // Configure deployment mode to RANDOM @@ -736,6 +779,7 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); key_mgr_hal_continue(); + // No configuration for Random deploy mode key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); @@ -747,24 +791,25 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGI(TAG, "Key deployment valid"); + ESP_LOGD(TAG, "Key deployment valid"); } // Wait till Key Manager deployment is complete key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) { memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); } + heap_caps_free(key_recovery_info); + config->key_info->key_type = config->key_config->key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; - return ESP_OK; } @@ -774,26 +819,35 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con return ESP_ERR_INVALID_ARG; } - ESP_LOGI(TAG, "Key deployment in Random mode"); + ESP_LOGD(TAG, "Key deployment in Random mode"); + + random_deploy_config_t random_deploy_config = { + .key_config = key_config, + .key_info = key_recovery_info, + }; - random_deploy_config_t random_deploy_config = {}; - random_deploy_config.key_config = key_config; - random_deploy_config.key_info = key_recovery_info; esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + break; + case ESP_KEY_MGR_ECDSA_256_KEY: random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_128_KEY: random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { + break; + case ESP_KEY_MGR_XTS_AES_256_KEY: random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - } else if (key_type == ESP_KEY_MGR_HMAC_KEY) { + break; + case ESP_KEY_MGR_HMAC_KEY: random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - } else if (key_type == ESP_KEY_MGR_DS_KEY) { + break; + case ESP_KEY_MGR_DS_KEY: random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - } else { + break; + default: ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -805,6 +859,7 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con ESP_LOGE(TAG, "Key deployment in Random mode failed"); return ESP_FAIL; } + random_deploy_config.huk_deployed = true; if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { @@ -820,5 +875,6 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); esp_key_mgr_release_hardware(true); + return esp_ret; }