espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-03 02:20:57 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/disable_efuse_xts_aes_256_esp32c5' into 'master'

Browse Source 
Disable XTS-AES-256 using efuse key for ESP32-C5

See merge request espressif/esp-idf!41348
This commit is contained in:
Harshal Patil
2025-08-20 21:33:39 +05:30
parent 183afd54be d59bcb633c
commit 511292ba41
8 changed files with 50 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
components/efuse/esp32c5/include/esp_efuse_chip.h
View File

@@ -64,8 +64,6 @@ typedef enum {
ESP_EFUSE_KEY_PURPOSE_USER = 0, /**< User purposes (software-only use) */
ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY = 1, /**< ECDSA private key (P256) (Expected in little endian order)*/
ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY_P256 = ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY, /**< ECDSA private key (P256) (Expected in little endian order)*/
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 = 2, /**< XTS_AES_256_KEY_1 (flash/PSRAM encryption) */
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 = 3, /**< XTS_AES_256_KEY_2 (flash/PSRAM encryption) */
ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY = 4, /**< XTS_AES_128_KEY (flash/PSRAM encryption) */
ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL = 5, /**< HMAC Downstream mode */
ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG = 6, /**< JTAG soft enable key (uses HMAC Downstream mode) */
@@ -75,8 +73,6 @@ typedef enum {
ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST1 = 10, /**< SECURE_BOOT_DIGEST1 (Secure Boot key digest) */
ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST2 = 11, /**< SECURE_BOOT_DIGEST2 (Secure Boot key digest) */
ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY = 12, /**< KM_INIT_KEY (Key Manager initialization key) */
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_PSRAM_KEY_1 = 13, /**< XTS_AES_256_PSRAM_KEY_1 (PSRAM encryption) */
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_PSRAM_KEY_2 = 14, /**< XTS_AES_256_PSRAM_KEY_2 (PSRAM encryption) */
ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_PSRAM_KEY = 15, /**< XTS_AES_128_PSRAM_KEY (PSRAM encryption) */
ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY_P192 = 16, /**< ECDSA private key (P192) */
ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY_P384_L = 17, /**< ECDSA private key (P384) */

32
components/hal/test_apps/crypto/main/key_manager/test_key_manager.c
View File

@@ -84,7 +84,7 @@ static void test_xts_aes_key_ecdh0_mode(test_data_ecdh0_mode_t *test_data)
ESP_LOG_BUFFER_HEXDUMP("Encrypted data", read_data, data_size, ESP_LOG_DEBUG);
}
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
static void key_mgr_test_xts_aes_128_aes_mode(void)
{
static esp_key_mgr_aes_key_config_t key_config;
@@ -117,9 +117,9 @@ static void key_mgr_test_xts_aes_128_ecdh0_mode(void)
test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
}
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
static void key_mgr_test_xts_aes_256_aes_mode(void)
{
static esp_key_mgr_aes_key_config_t key_config;
@@ -155,7 +155,7 @@ static void key_mgr_test_xts_aes_256_ecdh0_mode(void)
test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
}
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
#if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
static void test_xts_aes_key_random_mode(void)
@@ -173,7 +173,7 @@ static void test_xts_aes_key_random_mode(void)
}
}
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
static void key_mgr_test_xts_aes_128_random_mode(void)
{
static esp_key_mgr_random_key_config_t key_config;
@@ -185,9 +185,9 @@ static void key_mgr_test_xts_aes_128_random_mode(void)
test_xts_aes_key_random_mode();
TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
}
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
static void key_mgr_test_xts_aes_256_random_mode(void)
{
static esp_key_mgr_random_key_config_t key_config;
@@ -199,7 +199,7 @@ static void key_mgr_test_xts_aes_256_random_mode(void)
test_xts_aes_key_random_mode();
TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
}
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
#endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
@@ -436,7 +436,7 @@ TEST_TEAR_DOWN(key_manager)
}
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
TEST(key_manager, xts_aes_128_key_aes_deployment)
{
key_mgr_test_xts_aes_128_aes_mode();
@@ -453,9 +453,9 @@ TEST(key_manager, xts_key_128_random_deployment)
key_mgr_test_xts_aes_128_random_mode();
}
#endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
TEST(key_manager, xts_aes_256_key_aes_deployment)
{
key_mgr_test_xts_aes_256_aes_mode();
@@ -472,7 +472,7 @@ TEST(key_manager, xts_key_256_random_deployment)
key_mgr_test_xts_aes_256_random_mode();
}
#endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
@@ -519,22 +519,22 @@ TEST(key_manager, ds_key_aes_deployment)
TEST_GROUP_RUNNER(key_manager)
{
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
RUN_TEST_CASE(key_manager, xts_aes_128_key_aes_deployment);
RUN_TEST_CASE(key_manager, xts_key_128_ecdh0_deployment);
#if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
// This tests expects Flash encryption to be enabled as the test compares the decrypted flash data with the plaintext data
RUN_TEST_CASE(key_manager, xts_key_128_random_deployment);
#endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
RUN_TEST_CASE(key_manager, xts_aes_256_key_aes_deployment);
RUN_TEST_CASE(key_manager, xts_key_256_ecdh0_deployment);
#if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
RUN_TEST_CASE(key_manager, xts_key_256_random_deployment);
#endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY

16
components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
View File

@@ -1403,6 +1403,14 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
bool
default y
config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
bool
default y
config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
bool
default y
config SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
bool
default y
@@ -1443,10 +1451,6 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
bool
default y
config SOC_FLASH_ENCRYPTION_XTS_AES_256
bool
default y
config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
bool
default y
@@ -1455,10 +1459,6 @@ config SOC_PSRAM_ENCRYPTION_XTS_AES_128
bool
default y
config SOC_PSRAM_ENCRYPTION_XTS_AES_256
bool
default y
config SOC_RECOVERY_BOOTLOADER_SUPPORTED
bool
default y

4
components/soc/esp32c5/include/soc/soc_caps.h
View File

@@ -546,6 +546,8 @@
#define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT 1 /*!< Key manager supports key deployment */
#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY 1 /*!< Key manager responsible to deploy ECDSA key */
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY 1 /*!< Key manager responsible to deploy Flash Encryption key */
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 1 /*!< Key manager responsible to deploy the XTS-AES-128 key */
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 1 /*!< Key manager responsible to deploy the XTS-AES-256 key */
#define SOC_KEY_MANAGER_HMAC_KEY_DEPLOY 1 /*!< Key manager responsible to deploy HMAC key */
#define SOC_KEY_MANAGER_DS_KEY_DEPLOY 1 /*!< Key manager responsible to deploy DS key */
@@ -560,12 +562,10 @@
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1
/*-------------------------- PSRAM Encryption CAPS----------------------------*/
#define SOC_PSRAM_ENCRYPTION_XTS_AES_128 (1)
#define SOC_PSRAM_ENCRYPTION_XTS_AES_256 (1)
/*------------------------Bootloader CAPS---------------------------------*/
/* Support Recovery Bootloader */

8
components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
View File

@@ -1799,6 +1799,14 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
bool
default y
config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
bool
default y
config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
bool
default y
config SOC_SECURE_BOOT_V2_RSA
bool
default y

2
components/soc/esp32p4/include/soc/soc_caps.h
View File

@@ -667,6 +667,8 @@
#define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT 1 /*!< Key manager supports key deployment */
#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY 1 /*!< Key manager responsible to deploy ECDSA key */
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY 1 /*!< Key manager responsible to deploy Flash Encryption key */
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 1 /*!< Key manager responsible to deploy the XTS-AES-128 key */
#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 1 /*!< Key manager responsible to deploy the XTS-AES-256 key */
/*-------------------------- Secure Boot CAPS----------------------------*/
#define SOC_SECURE_BOOT_V2_RSA 1

8
docs/en/api-reference/peripherals/ecdsa.rst
View File

@@ -12,9 +12,13 @@ ECDSA peripheral can help to establish **Secure Device Identity** for TLS mutual
Supported Features
------------------
.. list::
- ECDSA digital signature generation and verification
- Two different elliptic curves, namely P-192 and P-256 (FIPS 186-3 specification)
- Two hash algorithms for message hash in the ECDSA operation, namely SHA-224 and SHA-256 (FIPS PUB 180-4 specification)
:SOC_ECDSA_SUPPORT_CURVE_P384: - Three different elliptic curves, namely P-192, P-256 and P-384 (FIPS 186-3 specification)
:not SOC_ECDSA_SUPPORT_CURVE_P384: - Two different elliptic curves, namely P-192 and P-256 (FIPS 186-3 specification)
:SOC_ECDSA_SUPPORT_CURVE_P384: - Three hash algorithms for message hash in the ECDSA operation, namely SHA-224, SHA-256 and SHA-384 (FIPS PUB 180-4 specification)
:not SOC_ECDSA_SUPPORT_CURVE_P384: - Two hash algorithms for message hash in the ECDSA operation, namely SHA-224 and SHA-256 (FIPS PUB 180-4 specification)
ECDSA on {IDF_TARGET_NAME}

8
docs/zh_CN/api-reference/peripherals/ecdsa.rst
View File

@@ -12,9 +12,13 @@ ECDSA 外设可以为 TLS 双向身份验证等用例建立 **安全设备身份
支持的特性
----------
.. list::
- ECDSA 数字签名生成和验证
-种不同的椭圆曲线P-192P-256FIPS 186-3 规范)
- ECDSA 操作中哈希消息的两种哈希算法SHA-224 和 SHA-256FIPS PUB 180-4 规范)
:SOC_ECDSA_SUPPORT_CURVE_P384: - 三种不同的椭圆曲线P-192P-256 和 P-384FIPS 186-3 规范)
:not SOC_ECDSA_SUPPORT_CURVE_P384: - 两种不同的椭圆曲线P-192 和 P-256FIPS 186-3 规范)
:SOC_ECDSA_SUPPORT_CURVE_P384: - ECDSA 操作中用于散列消息的三种哈希算法SHA-224, SHA-256 和 SHA-384FIPS PUB 180-4 规范)
:not SOC_ECDSA_SUPPORT_CURVE_P384: - ECDSA 操作中哈希消息的两种哈希算法SHA-224 和 SHA-256FIPS PUB 180-4 规范)
{IDF_TARGET_NAME} 上的 ECDSA