mirror of
https://github.com/espressif/esp-idf.git
synced 2025-08-05 13:44:32 +02:00
change(esp_key_mgr): Refactor Key Manager driver to reduce logs
This commit is contained in:
harshal.patil
@@ -4,32 +4,23 @@
|
|||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*/
|
*/
|
||||||
// The Hardware Support layer for Key manager
|
// The Hardware Support layer for Key manager
|
||||||
|
#include <assert.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <sys/lock.h>
|
#include <sys/lock.h>
|
||||||
#include "assert.h"
|
|
||||||
#include "esp_key_mgr.h"
|
#include "esp_key_mgr.h"
|
||||||
#include "esp_crypto_periph_clk.h"
|
#include "esp_crypto_periph_clk.h"
|
||||||
#include "esp_crypto_lock.h"
|
#include "esp_crypto_lock.h"
|
||||||
#include "esp_log.h"
|
#include "esp_log.h"
|
||||||
#include "esp_err.h"
|
#include "esp_err.h"
|
||||||
#include "esp_random.h"
|
|
||||||
#include "esp_heap_caps.h"
|
#include "esp_heap_caps.h"
|
||||||
#include "esp_rom_crc.h"
|
#include "esp_rom_crc.h"
|
||||||
#include "esp_efuse.h"
|
#include "esp_efuse.h"
|
||||||
#include "freertos/FreeRTOS.h"
|
|
||||||
#include "freertos/semphr.h"
|
|
||||||
#include "hal/key_mgr_types.h"
|
#include "hal/key_mgr_types.h"
|
||||||
#include "hal/key_mgr_hal.h"
|
#include "hal/key_mgr_hal.h"
|
||||||
#include "hal/key_mgr_ll.h"
|
|
||||||
#include "hal/huk_types.h"
|
#include "hal/huk_types.h"
|
||||||
#include "hal/huk_hal.h"
|
#include "hal/huk_hal.h"
|
||||||
#include "rom/key_mgr.h"
|
#include "rom/key_mgr.h"
|
||||||
|
|
||||||
#if CONFIG_LOG_DEFAULT_LEVEL_VERBOSE
|
|
||||||
#include "soc/huk_reg.h"
|
|
||||||
#include "soc/keymng_reg.h"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
static const char *TAG = "esp_key_mgr";
|
static const char *TAG = "esp_key_mgr";
|
||||||
|
|
||||||
static _lock_t s_key_mgr_ecdsa_key_lock;
|
static _lock_t s_key_mgr_ecdsa_key_lock;
|
||||||
@@ -38,9 +29,7 @@ static _lock_t s_key_mgr_hmac_key_lock;
|
|||||||
static _lock_t s_key_mgr_ds_key_lock;
|
static _lock_t s_key_mgr_ds_key_lock;
|
||||||
|
|
||||||
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)");
|
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)");
|
||||||
|
|
||||||
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)");
|
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)");
|
||||||
|
|
||||||
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)");
|
ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)");
|
||||||
|
|
||||||
static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type)
|
static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type)
|
||||||
@@ -140,7 +129,7 @@ static void check_huk_risk_level(void)
|
|||||||
"It is recommended to immediately regenerate HUK in order"
|
"It is recommended to immediately regenerate HUK in order"
|
||||||
"to avoid permanently losing the deployed keys", huk_risk_level);
|
"to avoid permanently losing the deployed keys", huk_risk_level);
|
||||||
} else {
|
} else {
|
||||||
ESP_LOGI(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL);
|
ESP_LOGD(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL);
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
@@ -205,13 +194,15 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config)
|
|||||||
if (config->use_pre_generated_huk_info) {
|
if (config->use_pre_generated_huk_info) {
|
||||||
// If HUK info is provided then recover the HUK from given info
|
// If HUK info is provided then recover the HUK from given info
|
||||||
check_huk_risk_level();
|
check_huk_risk_level();
|
||||||
|
|
||||||
if (!check_huk_info_validity(config->pre_generated_huk_info)) {
|
if (!check_huk_info_validity(config->pre_generated_huk_info)) {
|
||||||
ESP_LOGE(TAG, "HUK info is not valid");
|
ESP_LOGE(TAG, "HUK info is not valid");
|
||||||
heap_caps_free(huk_recovery_info);
|
heap_caps_free(huk_recovery_info);
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE);
|
memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE);
|
||||||
ESP_LOGI(TAG, "Recovering HUK from given HUK recovery info");
|
ESP_LOGD(TAG, "Recovering HUK from given HUK recovery info");
|
||||||
|
|
||||||
esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, huk_recovery_info);
|
esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, huk_recovery_info);
|
||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
@@ -219,12 +210,13 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config)
|
|||||||
heap_caps_free(huk_recovery_info);
|
heap_caps_free(huk_recovery_info);
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Copy the pre generated huk info in the output key recovery info
|
// Copy the pre generated huk info in the output key recovery info
|
||||||
memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
|
memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
|
||||||
config->huk_recovery_info->crc = config->pre_generated_huk_info->crc;
|
config->huk_recovery_info->crc = config->pre_generated_huk_info->crc;
|
||||||
} else {
|
} else {
|
||||||
// Generate new HUK and corresponding HUK info
|
// Generate new HUK and corresponding HUK info
|
||||||
ESP_LOGI(TAG, "Generating new HUK");
|
ESP_LOGD(TAG, "Generating new HUK");
|
||||||
|
|
||||||
esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, huk_recovery_info);
|
esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, huk_recovery_info);
|
||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
@@ -232,6 +224,7 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config)
|
|||||||
heap_caps_free(huk_recovery_info);
|
heap_caps_free(huk_recovery_info);
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
|
memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
|
||||||
config->huk_recovery_info->crc = esp_rom_crc32_le(0, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
|
config->huk_recovery_info->crc = esp_rom_crc32_le(0, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE);
|
||||||
}
|
}
|
||||||
@@ -246,6 +239,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
|
|||||||
{
|
{
|
||||||
esp_err_t esp_ret = ESP_FAIL;
|
esp_err_t esp_ret = ESP_FAIL;
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
||||||
|
|
||||||
if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
|
if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
|
||||||
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
|
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
|
||||||
huk_deploy_config_t huk_deploy_config = {};
|
huk_deploy_config_t huk_deploy_config = {};
|
||||||
@@ -256,7 +250,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
|
|||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "HUK deployed successfully");
|
ESP_LOGD(TAG, "HUK deployed successfully");
|
||||||
}
|
}
|
||||||
|
|
||||||
// STEP 1: Init Step
|
// STEP 1: Init Step
|
||||||
@@ -267,6 +261,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
|
|||||||
if (!key_recovery_info) {
|
if (!key_recovery_info) {
|
||||||
return ESP_ERR_NO_MEM;
|
return ESP_ERR_NO_MEM;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set key purpose
|
// Set key purpose
|
||||||
ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose);
|
ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose);
|
||||||
key_mgr_hal_set_key_purpose(config->key_purpose);
|
key_mgr_hal_set_key_purpose(config->key_purpose);
|
||||||
@@ -290,21 +285,28 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
|
|||||||
|
|
||||||
key_mgr_hal_start();
|
key_mgr_hal_start();
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
|
|
||||||
// Step 2: Load phase
|
// Step 2: Load phase
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
||||||
|
|
||||||
if (config->key_config->use_pre_generated_sw_init_key) {
|
if (config->key_config->use_pre_generated_sw_init_key) {
|
||||||
key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE);
|
key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE);
|
||||||
}
|
|
||||||
ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG);
|
ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG);
|
||||||
|
}
|
||||||
|
|
||||||
ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
|
ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
|
||||||
|
|
||||||
key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE);
|
key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE);
|
||||||
ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG);
|
ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG);
|
||||||
|
|
||||||
key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
|
key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE);
|
||||||
ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_DEBUG);
|
ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_DEBUG);
|
||||||
|
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
|
|
||||||
// Step 3: Gain phase
|
// Step 3: Gain phase
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
||||||
|
|
||||||
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
|
ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
|
||||||
|
|
||||||
@@ -314,11 +316,13 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
|
|||||||
heap_caps_free(key_recovery_info);
|
heap_caps_free(key_recovery_info);
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "Key deployment valid");
|
ESP_LOGD(TAG, "Key deployment valid");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wait till Key Manager deployment is complete
|
// Wait till Key Manager deployment is complete
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
||||||
|
|
||||||
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
||||||
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
@@ -327,6 +331,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config)
|
|||||||
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
}
|
}
|
||||||
|
|
||||||
heap_caps_free(key_recovery_info);
|
heap_caps_free(key_recovery_info);
|
||||||
config->key_info->key_type = config->key_config->key_type;
|
config->key_info->key_type = config->key_config->key_type;
|
||||||
config->key_info->magic = KEY_HUK_SECTOR_MAGIC;
|
config->key_info->magic = KEY_HUK_SECTOR_MAGIC;
|
||||||
@@ -340,7 +345,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
|
|||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Key deployment in AES mode");
|
ESP_LOGD(TAG, "Key deployment in AES mode");
|
||||||
|
|
||||||
aes_deploy_config_t aes_deploy_config = {};
|
aes_deploy_config_t aes_deploy_config = {};
|
||||||
aes_deploy_config.key_config = key_config;
|
aes_deploy_config.key_config = key_config;
|
||||||
@@ -348,19 +353,26 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
|
|||||||
aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0];
|
aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0];
|
||||||
|
|
||||||
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
|
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
|
||||||
if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) {
|
switch (key_type) {
|
||||||
|
case ESP_KEY_MGR_ECDSA_192_KEY:
|
||||||
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
||||||
} else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_ECDSA_256_KEY:
|
||||||
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_128_KEY:
|
||||||
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_256_KEY:
|
||||||
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
||||||
} else if (key_type == ESP_KEY_MGR_HMAC_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_HMAC_KEY:
|
||||||
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
||||||
} else if (key_type == ESP_KEY_MGR_DS_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_DS_KEY:
|
||||||
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
||||||
} else {
|
break;
|
||||||
|
default:
|
||||||
ESP_LOGE(TAG, "Invalid key type");
|
ESP_LOGE(TAG, "Invalid key type");
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
@@ -370,7 +382,9 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
|
|||||||
esp_err_t esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
|
esp_err_t esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
|
||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "Key deployment in AES mode failed");
|
ESP_LOGE(TAG, "Key deployment in AES mode failed");
|
||||||
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|
||||||
aes_deploy_config.huk_deployed = true;
|
aes_deploy_config.huk_deployed = true;
|
||||||
|
|
||||||
if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
||||||
@@ -379,12 +393,14 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t
|
|||||||
esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
|
esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config);
|
||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "Key deployment in AES mode failed");
|
ESP_LOGE(TAG, "Key deployment in AES mode failed");
|
||||||
|
goto cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set the Key Manager Static Register to use own key for the respective key type
|
// Set the Key Manager Static Register to use own key for the respective key type
|
||||||
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
|
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
|
||||||
|
|
||||||
|
cleanup:
|
||||||
esp_key_mgr_release_hardware(true);
|
esp_key_mgr_release_hardware(true);
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
@@ -411,7 +427,8 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
|
|||||||
ESP_LOGE(TAG, "Failed to recover HUK");
|
ESP_LOGE(TAG, "Failed to recover HUK");
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "HUK recovered successfully");
|
|
||||||
|
ESP_LOGD(TAG, "HUK recovered successfully");
|
||||||
ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG);
|
ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG);
|
||||||
config->huk_recovered = true;
|
config->huk_recovered = true;
|
||||||
}
|
}
|
||||||
@@ -430,6 +447,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
|
|||||||
key_mgr_hal_start();
|
key_mgr_hal_start();
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
||||||
|
|
||||||
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
||||||
if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) {
|
if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) {
|
||||||
ESP_LOGE(TAG, "Key info not valid");
|
ESP_LOGE(TAG, "Key info not valid");
|
||||||
@@ -448,6 +466,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
|
|||||||
|
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
||||||
|
|
||||||
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
|
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
|
||||||
if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) {
|
if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) {
|
||||||
ESP_LOGD(TAG, "Key deployment is not valid");
|
ESP_LOGD(TAG, "Key deployment is not valid");
|
||||||
@@ -455,6 +474,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config)
|
|||||||
}
|
}
|
||||||
ESP_LOGD(TAG, "Key Recovery valid");
|
ESP_LOGD(TAG, "Key Recovery valid");
|
||||||
}
|
}
|
||||||
|
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
@@ -466,33 +486,41 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery
|
|||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Activating key of type %d", key_recovery_info->key_type);
|
ESP_LOGD(TAG, "Activating key of type %d", key_recovery_info->key_type);
|
||||||
|
|
||||||
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type;
|
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type;
|
||||||
esp_key_mgr_key_purpose_t key_purpose;
|
esp_key_mgr_key_purpose_t key_purpose;
|
||||||
|
|
||||||
if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) {
|
switch (key_type) {
|
||||||
|
case ESP_KEY_MGR_ECDSA_192_KEY:
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
||||||
} else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_ECDSA_256_KEY:
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_128_KEY:
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_256_KEY:
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
||||||
} else if (key_type == ESP_KEY_MGR_HMAC_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_HMAC_KEY:
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
||||||
} else if (key_type == ESP_KEY_MGR_DS_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_DS_KEY:
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
||||||
} else {
|
break;
|
||||||
|
default:
|
||||||
ESP_LOGE(TAG, "Invalid key type");
|
ESP_LOGE(TAG, "Invalid key type");
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
esp_err_t esp_ret = ESP_FAIL;
|
esp_err_t esp_ret = ESP_FAIL;
|
||||||
esp_key_mgr_acquire_key_lock(key_type);
|
esp_key_mgr_acquire_key_lock(key_type);
|
||||||
key_recovery_config_t key_recovery_config = {};
|
key_recovery_config_t key_recovery_config = {
|
||||||
key_recovery_config.key_recovery_info = key_recovery_info;
|
.key_recovery_info = key_recovery_info,
|
||||||
key_recovery_config.key_purpose = key_purpose;
|
.key_purpose = key_purpose,
|
||||||
|
};
|
||||||
|
|
||||||
esp_key_mgr_acquire_hardware(false);
|
esp_key_mgr_acquire_hardware(false);
|
||||||
|
|
||||||
@@ -515,8 +543,9 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery
|
|||||||
|
|
||||||
// Set the Key Manager Static Register to use own key for the respective key type
|
// Set the Key Manager Static Register to use own key for the respective key type
|
||||||
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
|
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
|
||||||
ESP_LOGI(TAG, "Key activation for type %d successful", key_recovery_info->key_type);
|
|
||||||
esp_key_mgr_release_key_lock(key_type);
|
esp_key_mgr_release_key_lock(key_type);
|
||||||
|
|
||||||
|
ESP_LOGD(TAG, "Key activation for type %d successful", key_recovery_info->key_type);
|
||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
@@ -527,10 +556,9 @@ cleanup:
|
|||||||
|
|
||||||
esp_err_t esp_key_mgr_deactivate_key(esp_key_mgr_key_type_t key_type)
|
esp_err_t esp_key_mgr_deactivate_key(esp_key_mgr_key_type_t key_type)
|
||||||
{
|
{
|
||||||
ESP_LOGD(TAG, "Deactivating key of type %d", key_type);
|
|
||||||
esp_key_mgr_release_key_lock(key_type);
|
esp_key_mgr_release_key_lock(key_type);
|
||||||
esp_key_mgr_release_hardware(false);
|
esp_key_mgr_release_hardware(false);
|
||||||
ESP_LOGI(TAG, "Key deactivation successful");
|
ESP_LOGD(TAG, "Key deactivation successful for type %d", key_type);
|
||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -558,7 +586,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
|
|||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "HUK deployed successfully");
|
ESP_LOGD(TAG, "HUK deployed successfully");
|
||||||
}
|
}
|
||||||
|
|
||||||
uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
|
uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL);
|
||||||
@@ -585,17 +613,20 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
|
|||||||
|
|
||||||
// Step 2: Load phase
|
// Step 2: Load phase
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
||||||
|
|
||||||
ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
|
ESP_LOGD(TAG, "Writing Information into Key Manager Registers");
|
||||||
key_mgr_hal_write_public_info(config->k1_G, KEY_MGR_ECDH0_INFO_SIZE);
|
key_mgr_hal_write_public_info(config->k1_G, KEY_MGR_ECDH0_INFO_SIZE);
|
||||||
|
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
|
|
||||||
// Step 3: Gain phase
|
// Step 3: Gain phase
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
||||||
|
|
||||||
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
key_mgr_hal_read_assist_info(config->ecdh0_key_info);
|
key_mgr_hal_read_assist_info(config->ecdh0_key_info);
|
||||||
ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
|
ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG);
|
||||||
|
|
||||||
ESP_LOGI(TAG, "HUK deplpoyed is Valid");
|
ESP_LOGD(TAG, "HUK deployed is valid");
|
||||||
|
|
||||||
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
|
if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) {
|
||||||
if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
|
if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) {
|
||||||
@@ -603,15 +634,16 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config)
|
|||||||
heap_caps_free(key_recovery_info);
|
heap_caps_free(key_recovery_info);
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "Key deployment valid");
|
ESP_LOGD(TAG, "Key deployment valid");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wait till Key Manager deployment is complete
|
// Wait till Key Manager deployment is complete
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
||||||
|
|
||||||
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
||||||
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
@@ -630,34 +662,43 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi
|
|||||||
if (key_config == NULL || key_info == NULL || ecdh0_key_info == NULL) {
|
if (key_config == NULL || key_info == NULL || ecdh0_key_info == NULL) {
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "Key Deployment in ECDH0 mode");
|
|
||||||
esp_key_mgr_key_purpose_t key_purpose;
|
ESP_LOGD(TAG, "Key Deployment in ECDH0 mode");
|
||||||
|
|
||||||
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
|
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
|
||||||
|
|
||||||
ecdh0_deploy_config_t ecdh0_deploy_config = {};
|
ecdh0_deploy_config_t ecdh0_deploy_config = {
|
||||||
ecdh0_deploy_config.key_config = key_config;
|
.key_config = key_config,
|
||||||
ecdh0_deploy_config.key_info = key_info;
|
.key_info = key_info,
|
||||||
ecdh0_deploy_config.k1_G = key_config->k1_G[0];
|
.k1_G = key_config->k1_G[0],
|
||||||
|
};
|
||||||
|
|
||||||
if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) {
|
switch (key_type) {
|
||||||
|
case ESP_KEY_MGR_ECDSA_192_KEY:
|
||||||
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
||||||
} else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_ECDSA_256_KEY:
|
||||||
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_128_KEY:
|
||||||
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_256_KEY:
|
||||||
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
||||||
} else if (key_type == ESP_KEY_MGR_HMAC_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_HMAC_KEY:
|
||||||
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
||||||
} else if (key_type == ESP_KEY_MGR_DS_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_DS_KEY:
|
||||||
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0];
|
||||||
} else {
|
break;
|
||||||
|
default:
|
||||||
ESP_LOGE(TAG, "Invalid key type");
|
ESP_LOGE(TAG, "Invalid key type");
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
@@ -668,13 +709,12 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi
|
|||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode");
|
ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode");
|
||||||
}
|
}
|
||||||
|
|
||||||
ecdh0_deploy_config.huk_deployed = true;
|
ecdh0_deploy_config.huk_deployed = true;
|
||||||
|
|
||||||
if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
||||||
key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
|
ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2;
|
||||||
ecdh0_deploy_config.key_purpose = key_purpose;
|
|
||||||
ecdh0_deploy_config.k1_G = key_config->k1_G[1];
|
ecdh0_deploy_config.k1_G = key_config->k1_G[1];
|
||||||
|
|
||||||
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1];
|
ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1];
|
||||||
esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config);
|
esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config);
|
||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
@@ -700,17 +740,20 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
|
|||||||
{
|
{
|
||||||
esp_err_t esp_ret = ESP_FAIL;
|
esp_err_t esp_ret = ESP_FAIL;
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
||||||
|
|
||||||
if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
|
if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) {
|
||||||
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
|
// For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 this part shall be already executed
|
||||||
huk_deploy_config_t huk_deploy_config = {};
|
huk_deploy_config_t huk_deploy_config = {
|
||||||
huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info;
|
.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info,
|
||||||
huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info;
|
.pre_generated_huk_info = &config->key_config->huk_info,
|
||||||
huk_deploy_config.huk_recovery_info = &config->key_info->huk_info;
|
.huk_recovery_info = &config->key_info->huk_info,
|
||||||
|
};
|
||||||
|
|
||||||
esp_ret = deploy_huk(&huk_deploy_config);
|
esp_ret = deploy_huk(&huk_deploy_config);
|
||||||
if (esp_ret != ESP_OK) {
|
if (esp_ret != ESP_OK) {
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "HUK deployed successfully");
|
ESP_LOGD(TAG, "HUK deployed successfully");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Configure deployment mode to RANDOM
|
// Configure deployment mode to RANDOM
|
||||||
@@ -736,6 +779,7 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
|
|||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD);
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
|
|
||||||
// No configuration for Random deploy mode
|
// No configuration for Random deploy mode
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN);
|
||||||
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
@@ -747,24 +791,25 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config)
|
|||||||
heap_caps_free(key_recovery_info);
|
heap_caps_free(key_recovery_info);
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
ESP_LOGI(TAG, "Key deployment valid");
|
ESP_LOGD(TAG, "Key deployment valid");
|
||||||
}
|
}
|
||||||
|
|
||||||
// Wait till Key Manager deployment is complete
|
// Wait till Key Manager deployment is complete
|
||||||
key_mgr_hal_continue();
|
key_mgr_hal_continue();
|
||||||
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE);
|
||||||
|
|
||||||
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2) {
|
||||||
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE);
|
||||||
}
|
}
|
||||||
|
|
||||||
heap_caps_free(key_recovery_info);
|
heap_caps_free(key_recovery_info);
|
||||||
|
|
||||||
config->key_info->key_type = config->key_config->key_type;
|
config->key_info->key_type = config->key_config->key_type;
|
||||||
config->key_info->magic = KEY_HUK_SECTOR_MAGIC;
|
config->key_info->magic = KEY_HUK_SECTOR_MAGIC;
|
||||||
|
|
||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -774,26 +819,35 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con
|
|||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Key deployment in Random mode");
|
ESP_LOGD(TAG, "Key deployment in Random mode");
|
||||||
|
|
||||||
|
random_deploy_config_t random_deploy_config = {
|
||||||
|
.key_config = key_config,
|
||||||
|
.key_info = key_recovery_info,
|
||||||
|
};
|
||||||
|
|
||||||
random_deploy_config_t random_deploy_config = {};
|
|
||||||
random_deploy_config.key_config = key_config;
|
|
||||||
random_deploy_config.key_info = key_recovery_info;
|
|
||||||
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
|
esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type;
|
||||||
|
|
||||||
if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) {
|
switch (key_type) {
|
||||||
|
case ESP_KEY_MGR_ECDSA_192_KEY:
|
||||||
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192;
|
||||||
} else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_ECDSA_256_KEY:
|
||||||
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256;
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_128_KEY:
|
||||||
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128;
|
||||||
} else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_XTS_AES_256_KEY:
|
||||||
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1;
|
||||||
} else if (key_type == ESP_KEY_MGR_HMAC_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_HMAC_KEY:
|
||||||
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC;
|
||||||
} else if (key_type == ESP_KEY_MGR_DS_KEY) {
|
break;
|
||||||
|
case ESP_KEY_MGR_DS_KEY:
|
||||||
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS;
|
||||||
} else {
|
break;
|
||||||
|
default:
|
||||||
ESP_LOGE(TAG, "Invalid key type");
|
ESP_LOGE(TAG, "Invalid key type");
|
||||||
return ESP_ERR_INVALID_ARG;
|
return ESP_ERR_INVALID_ARG;
|
||||||
}
|
}
|
||||||
@@ -805,6 +859,7 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con
|
|||||||
ESP_LOGE(TAG, "Key deployment in Random mode failed");
|
ESP_LOGE(TAG, "Key deployment in Random mode failed");
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
random_deploy_config.huk_deployed = true;
|
random_deploy_config.huk_deployed = true;
|
||||||
|
|
||||||
if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) {
|
||||||
@@ -820,5 +875,6 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con
|
|||||||
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
|
key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY);
|
||||||
|
|
||||||
esp_key_mgr_release_hardware(true);
|
esp_key_mgr_release_hardware(true);
|
||||||
|
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user