diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index bc1aa83e37..7ccb0ef4e7 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -71,12 +71,9 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_err_t esp_flash_encryption_enable_key_mgr(void) { - // Enable and reset key manager - // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV - int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused)); - key_mgr_ll_enable_bus_clock(true); - key_mgr_ll_enable_peripheral_clock(true); - key_mgr_ll_reset_register(); + _key_mgr_ll_enable_bus_clock(true); + _key_mgr_ll_enable_peripheral_clock(true); + _key_mgr_ll_reset_register(); while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { }; diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c index 57cdd84b31..264188e0c2 100644 --- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -53,12 +53,9 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_err_t esp_flash_encryption_enable_key_mgr(void) { - // Enable and reset key manager - // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV - int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused)); - key_mgr_ll_enable_bus_clock(true); - key_mgr_ll_enable_peripheral_clock(true); - key_mgr_ll_reset_register(); + _key_mgr_ll_enable_bus_clock(true); + _key_mgr_ll_enable_peripheral_clock(true); + _key_mgr_ll_reset_register(); while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { }; diff --git a/components/esp_hw_support/include/esp_crypto_lock.h b/components/esp_hw_support/include/esp_crypto_lock.h index c17333700e..b399686819 100644 --- a/components/esp_hw_support/include/esp_crypto_lock.h +++ b/components/esp_hw_support/include/esp_crypto_lock.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ diff --git a/components/esp_rom/esp32c5/include/esp32c5/rom/key_mgr.h b/components/esp_rom/esp32c5/include/esp32c5/rom/key_mgr.h new file mode 100644 index 0000000000..15be126268 --- /dev/null +++ b/components/esp_rom/esp32c5/include/esp32c5/rom/key_mgr.h @@ -0,0 +1,115 @@ +/* + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +#include "soc/soc_caps.h" + +#if SOC_KEY_MANAGER_SUPPORTED + +#include "rom/ets_sys.h" +#include "esp_attr.h" +#include +#include "rom/km.h" + +#if __cplusplus +extern "C" { +#endif + +// store huk info, occupy 96 words +struct huk_info { +// store huk info, occupy 165 words +#define HUK_INFO_LEN 660 + + uint8_t info[HUK_INFO_LEN]; + uint32_t crc; +} PACKED_ATTR; + +// store key info, occupy 512 bits +struct key_info { +#define KEY_INFO_LEN 64 + uint8_t info[KEY_INFO_LEN]; + uint32_t crc; +} PACKED_ATTR; + +struct huk_key_block { +#define KEY_HUK_SECTOR_MAGIC 0xDEA5CE5A + uint32_t magic; + uint32_t version; // for backward compatibility + uint8_t reserved[16]; + struct huk_info huk_info; + struct key_info key_info[2]; // at most 2 key info (XTS-512_1 and XTS-512_2), at least use 1 +} WORD_ALIGNED_ATTR PACKED_ATTR; + +/* + * We define two info sectors "active" and "backup" here + * Most rom code would rely only on the "active" sector for the key information + * + * But there could be a situation where the huk and key information must be regenerated + * based on ageing and other factors. For that scenario, we need a "backup" sector + */ +#define KEY_HUK_SECTOR_OFFSET(i) ((i)*0x1000) +#define ACTIVE_SECTOR_OFFSET KEY_HUK_SECTOR_OFFSET(0) +#define BACKUP_SECTOR_OFFSET KEY_HUK_SECTOR_OFFSET(1) + +#define KM_PERI_ECDSA (BIT(0)) +#define KM_PERI_XTS (BIT(1)) + +struct km_deploy_ops { +#define KM_KEY_PURPOSE_ECDSA_KEY_192 1 +#define KM_KEY_PURPOSE_ECDSA_KEY_256 2 +#define KM_KEY_PURPOSE_FLASH_XTS_256_1 3 +#define KM_KEY_PURPOSE_FLASH_XTS_256_2 4 +#define KM_KEY_PURPOSE_FLASH_XTS_128 5 +#define KM_KEY_PURPOSE_HMAC 6 +#define KM_KEY_PURPOSE_DS 7 +#define KM_KEY_PURPOSE_PSRAM_XTS_256_1 8 +#define KM_KEY_PURPOSE_PSRAM_XTS_256_2 9 +#define KM_KEY_PURPOSE_PSRAM_XTS_128 10 +#define KM_KEY_PURPOSE_ECDSA_KEY_384_L 11 +#define KM_KEY_PURPOSE_ECDSA_KEY_384_H 12 + int km_key_purpose; +#define KM_DEPLOY_MODE_RANDOM 0 +#define KM_DEPLOY_MODE_AES 1 +#define KM_DEPLOY_MODE_ECDH0 2 +#define KM_DEPLOY_MODE_ECDH1 3 +#define KM_DEPLOY_MODE_RECOVER 4 +#define KM_DEPLOY_MODE_EXPORT 5 + int deploy_mode; + uint8_t *init_key; // 256 bits, only used in aes and ecdh1 deploy mode + int deploy_only_once; + int force_use_km_key; + int km_use_efuse_key; + uint32_t efuse_km_rnd_switch_cycle; // 0 means use default + uint32_t km_rnd_switch_cycle; // 0 means use default + int km_use_sw_init_key; + struct huk_info *huk_info; + struct key_info *key_info; +}; + +/* state of km */ +#define KM_STATE_IDLE 0 +#define KM_STATE_LOAD 1 +#define KM_STATE_GAIN 2 +#define KM_STATE_BUSY 3 +#define KM_STATE_INVALID 4 + +/* state of huk generator + * values defined same as km + */ +#define HUK_STATE_IDLE 0 +#define HUK_STATE_LOAD 1 +#define HUK_STATE_GAIN 2 +#define HUK_STATE_BUSY 3 + +#define HUK_NOT_GENERATED 0 +#define HUK_GEN_VALID 1 +#define HUK_GEN_INVALID 2 + +#if __cplusplus +} +#endif +#endif diff --git a/components/esp_security/include/esp_key_mgr.h b/components/esp_security/include/esp_key_mgr.h index e32e2acada..8c7d995148 100644 --- a/components/esp_security/include/esp_key_mgr.h +++ b/components/esp_security/include/esp_key_mgr.h @@ -22,7 +22,7 @@ extern "C" { #define KEY_MGR_ASSIST_INFO_SIZE 64 #define KEY_MGR_KEY_RECOVERY_INFO_SIZE 64 -#define KEY_MGR_HUK_INFO_SIZE HUK_INFO_SIZE +#define KEY_MGR_HUK_INFO_SIZE HUK_INFO_LEN #define KEY_MGR_HUK_RISK_ALERT_LEVEL HUK_RISK_ALERT_LEVEL /* AES deploy mode */ diff --git a/components/esp_security/src/esp_crypto_periph_clk.c b/components/esp_security/src/esp_crypto_periph_clk.c index a21a0f6487..0af93ee6c5 100644 --- a/components/esp_security/src/esp_crypto_periph_clk.c +++ b/components/esp_security/src/esp_crypto_periph_clk.c @@ -141,9 +141,12 @@ void esp_crypto_ecdsa_enable_periph_clk(bool enable) void esp_crypto_key_mgr_enable_periph_clk(bool enable) { KEY_MANAGER_RCC_ATOMIC() { + key_mgr_ll_power_up(); key_mgr_ll_enable_bus_clock(enable); key_mgr_ll_enable_peripheral_clock(enable); - key_mgr_ll_reset_register(); + if (enable) { + key_mgr_ll_reset_register(); + } } } #endif diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index 275bd2d575..356a659024 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -44,13 +44,18 @@ ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Si static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: _lock_acquire(&s_key_mgr_ecdsa_key_lock); break; case ESP_KEY_MGR_XTS_AES_128_KEY: case ESP_KEY_MGR_XTS_AES_256_KEY: _lock_acquire(&s_key_mgr_xts_aes_key_lock); break; + default: + ESP_LOGE(TAG, "Invalid key type"); + break; } ESP_LOGV(TAG, "Key lock acquired for key type %d", key_type); } @@ -58,13 +63,18 @@ static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: _lock_release(&s_key_mgr_ecdsa_key_lock); break; case ESP_KEY_MGR_XTS_AES_128_KEY: case ESP_KEY_MGR_XTS_AES_256_KEY: _lock_release(&s_key_mgr_xts_aes_key_lock); break; + default: + ESP_LOGE(TAG, "Invalid key type"); + break; } ESP_LOGV(TAG, "Key lock released for key type %d", key_type); } @@ -223,7 +233,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if (!key_recovery_info) { return ESP_ERR_NO_MEM; } - // Set key purpose (XTS/ECDSA) + // Set key purpose ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose); key_mgr_hal_set_key_purpose(config->key_purpose); @@ -238,12 +248,10 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if (config->key_config->use_pre_generated_sw_init_key) { key_mgr_hal_use_sw_init_key(); - } else { - if (!esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY, NULL)) { - ESP_LOGE(TAG, "Could not find key with purpose KM_INIT_KEY"); - heap_caps_free(key_recovery_info); - return ESP_FAIL; - } + } else if (!esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY, NULL)) { + ESP_LOGE(TAG, "Could not find key with purpose KM_INIT_KEY"); + heap_caps_free(key_recovery_info); + return ESP_FAIL; } key_mgr_hal_start(); @@ -306,8 +314,10 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0]; esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - if (key_type == ESP_KEY_MGR_ECDSA_KEY) { - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA; + if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { @@ -424,10 +434,12 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery } esp_key_mgr_key_purpose_t key_purpose; - ESP_LOGD(TAG, "Activating key of type %d", key_recovery_info->key_type); + ESP_LOGI(TAG, "Activating key of type %d", key_recovery_info->key_type); esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type; - if (key_type == ESP_KEY_MGR_ECDSA_KEY) { - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA; + if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { @@ -438,6 +450,7 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery } esp_err_t esp_ret = ESP_FAIL; + ESP_LOGI(TAG, "Activating key of type %d", key_recovery_info->key_type); esp_key_mgr_acquire_key_lock(key_type); key_recovery_config_t key_recovery_config = {}; key_recovery_config.key_recovery_info = key_recovery_info; @@ -448,6 +461,7 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery esp_ret = key_mgr_recover_key(&key_recovery_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover key"); + esp_key_mgr_release_key_lock(key_type); goto cleanup; } @@ -456,13 +470,15 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery esp_ret = key_mgr_recover_key(&key_recovery_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover key"); + esp_key_mgr_release_key_lock(key_type); goto cleanup; } } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_recovery_info->key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); ESP_LOGI(TAG, "Key activation for type %d successful", key_recovery_info->key_type); + esp_key_mgr_release_key_lock(key_type); return ESP_OK; cleanup: @@ -585,8 +601,11 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ecdh0_deploy_config.key_info = key_info; ecdh0_deploy_config.k1_G = key_config->k1_G[0]; - if (key_type == ESP_KEY_MGR_ECDSA_KEY) { - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA; + if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; + } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; @@ -718,8 +737,10 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con random_deploy_config.key_info = key_recovery_info; esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - if (key_type == ESP_KEY_MGR_ECDSA_KEY) { - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA; + if (key_type == ESP_KEY_MGR_ECDSA_192_KEY) { + random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + } else if (key_type == ESP_KEY_MGR_ECDSA_256_KEY) { + random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; } else if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY) { random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { @@ -748,7 +769,7 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); esp_key_mgr_release_hardware(true); return esp_ret; diff --git a/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c b/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c index 1fdb5b28f1..9aa7a600fa 100644 --- a/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c +++ b/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c @@ -138,7 +138,7 @@ TEST_CASE("Key Manager random mode: ECDSA key deployment", "[hw_crypto] [key_mgr static esp_key_mgr_random_key_config_t key_config; static esp_key_mgr_key_recovery_info_t key_info; esp_err_t esp_ret = ESP_FAIL; - key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; esp_ret = esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_info); TEST_ASSERT_EQUAL(ESP_OK, esp_ret); } diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 98e227cb59..097ac9e53b 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -16,7 +16,7 @@ #endif #ifdef SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY -#include "hal/key_mgr_ll.h" +#include "hal/key_mgr_hal.h" #endif #define ECDSA_HAL_P192_COMPONENT_LEN 24 @@ -30,12 +30,20 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf) #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + if (conf->curve == ECDSA_CURVE_SECP192R1) { + key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_192_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + } else { + key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_256_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + } #endif } #if SOC_KEY_MANAGER_SUPPORTED else { - key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_OWN_KEY); + if (conf->curve == ECDSA_CURVE_SECP192R1) { + key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_192_KEY, ESP_KEY_MGR_USE_OWN_KEY); + } else { + key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_256_KEY, ESP_KEY_MGR_USE_OWN_KEY); + } } #endif diff --git a/components/hal/esp32c5/include/hal/key_mgr_ll.h b/components/hal/esp32c5/include/hal/key_mgr_ll.h index 581af34e18..5f67b281b8 100644 --- a/components/hal/esp32c5/include/hal/key_mgr_ll.h +++ b/components/hal/esp32c5/include/hal/key_mgr_ll.h @@ -19,6 +19,7 @@ #include "hal/key_mgr_types.h" #include "soc/keymng_reg.h" #include "soc/pcr_struct.h" +#include "soc/pcr_reg.h" #ifdef __cplusplus extern "C" { @@ -34,32 +35,38 @@ static inline esp_key_mgr_state_t key_mgr_ll_get_state(void) return (esp_key_mgr_state_t) REG_GET_FIELD(KEYMNG_STATE_REG, KEYMNG_STATE); } +static inline void key_mgr_ll_power_up(void) +{ + /* Power up the Key Manager peripheral (default state is power-down) */ + REG_CLR_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PD); + REG_SET_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PU); +} + +#define key_mgr_ll_enable_bus_clock(...) do { \ + _key_mgr_ll_enable_bus_clock(__VA_ARGS__); \ + } while(0) + +static inline void key_mgr_ll_power_down(void) +{ + /* Power down the Key Manager peripheral */ + REG_CLR_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PU); + REG_SET_BIT(PCR_KM_PD_CTRL_REG, PCR_KM_MEM_FORCE_PD); +} + /** * @brief Enable the bus clock for Key Manager peripheral - * Note: Please use key_mgr_ll_enable_bus_clock which requires the critical section - * and do not use _key_mgr_ll_enable_bus_clock + * * @param true to enable, false to disable */ static inline void _key_mgr_ll_enable_bus_clock(bool enable) { - // Set the force power down bit to 0 to enable key manager - PCR.km_pd_ctrl.km_mem_force_pd = 0; // Enable key manager clock - PCR.km_conf.km_clk_en = 1; + PCR.km_conf.km_clk_en = enable; } -/// use a macro to wrap the function, force the caller to use it in a critical section -/// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance -#define key_mgr_ll_enable_bus_clock(...) do { \ - (void)__DECLARE_RCC_ATOMIC_ENV; \ - _key_mgr_ll_enable_bus_clock(__VA_ARGS__); \ - } while(0) - /** * @brief Enable the peripheral clock for Key Manager * - * Note: Please use key_mgr_ll_enable_peripheral_clock which requires the critical section - * and do not use _key_mgr_ll_enable_peripheral_clock * @param true to enable, false to disable */ static inline void _key_mgr_ll_enable_peripheral_clock(bool enable) @@ -68,14 +75,12 @@ static inline void _key_mgr_ll_enable_peripheral_clock(bool enable) } #define key_mgr_ll_enable_peripheral_clock(...) do { \ - (void)__DECLARE_RCC_ATOMIC_ENV; \ _key_mgr_ll_enable_peripheral_clock(__VA_ARGS__); \ } while(0) /** * @brief Reset the Key Manager peripheral - * Note: Please use key_mgr_ll_reset_register which requires the critical section - * and do not use _key_mgr_ll_reset_register + * */ static inline void _key_mgr_ll_reset_register(void) { @@ -90,10 +95,7 @@ static inline void _key_mgr_ll_reset_register(void) } -/// use a macro to wrap the function, force the caller to use it in a critical section -/// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance #define key_mgr_ll_reset_register(...) do { \ - (void)__DECLARE_RCC_ATOMIC_ENV; \ _key_mgr_ll_reset_register(__VA_ARGS__); \ } while(0) @@ -160,7 +162,9 @@ static inline void key_mgr_ll_use_sw_init_key(void) static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA); } else { @@ -185,7 +189,9 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA)); break; @@ -219,7 +225,9 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void) static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type) { switch(key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA); break; case ESP_KEY_MGR_XTS_AES_128_KEY: @@ -265,8 +273,12 @@ static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD); + case ESP_KEY_MGR_ECDSA_192_KEY: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_192_VLD); + case ESP_KEY_MGR_ECDSA_256_KEY: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_256_VLD); + case ESP_KEY_MGR_ECDSA_384_KEY: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_384_VLD); break; case ESP_KEY_MGR_XTS_AES_128_KEY: diff --git a/components/hal/esp32p4/include/hal/key_mgr_ll.h b/components/hal/esp32p4/include/hal/key_mgr_ll.h index e098b9c368..7e7be21d50 100644 --- a/components/hal/esp32p4/include/hal/key_mgr_ll.h +++ b/components/hal/esp32p4/include/hal/key_mgr_ll.h @@ -19,6 +19,7 @@ #include "hal/key_mgr_types.h" #include "soc/keymng_reg.h" #include "soc/hp_sys_clkrst_struct.h" +#include "esp_private/esp_crypto_lock_internal.h" #ifdef __cplusplus extern "C" { @@ -158,7 +159,8 @@ static inline void key_mgr_ll_use_sw_init_key(void) static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA); } else { @@ -182,7 +184,8 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA)); break; @@ -216,20 +219,38 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void) static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type) { switch(key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA); break; case ESP_KEY_MGR_XTS_AES_128_KEY: case ESP_KEY_MGR_XTS_AES_256_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_XTS); break; + default: + HAL_ASSERT(false && "Unsupported key type"); + return; } } /* @brief Configure the key purpose to be used by the Key Manager for key generator operation */ static inline void key_mgr_ll_set_key_purpose(const esp_key_mgr_key_purpose_t key_purpose) { - REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, key_purpose); + switch(key_purpose) { + case ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192: + case ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256: + REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, KEYMNG_KEY_PURPOSE_ECDSA); + break; + case ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1: + REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, KEYMNG_KEY_PURPOSE_XTS_AES_256_1); + break; + case ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2: + REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, KEYMNG_KEY_PURPOSE_XTS_AES_256_2); + break; + default: + HAL_ASSERT(false && "Unsupported mode"); + return; + } } /** @@ -259,7 +280,8 @@ static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type { switch (key_type) { - case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD); break; diff --git a/components/hal/include/hal/huk_types.h b/components/hal/include/hal/huk_types.h index 8812fe6f2f..a0f6319313 100644 --- a/components/hal/include/hal/huk_types.h +++ b/components/hal/include/hal/huk_types.h @@ -11,12 +11,12 @@ #include "esp_assert.h" #include "rom/km.h" +#include "rom/key_mgr.h" #ifdef __cplusplus extern "C" { #endif -#define HUK_INFO_SIZE 384 #define HUK_RISK_ALERT_LEVEL 4 /** @@ -35,7 +35,7 @@ ESP_STATIC_ASSERT(sizeof(esp_huk_mode_t) == sizeof(huk_mode_t), "Size of esp_huk */ typedef enum { ESP_HUK_STATE_IDLE = 0, /* Key Manager is idle */ - ESP_HUK_STATE_LOAD, /* Key Manager is read to recieve input */ + ESP_HUK_STATE_LOAD, /* Key Manager is read to receive input */ ESP_HUK_STATE_GAIN, /* Key Manager is ready to provide output */ ESP_HUK_STATE_BUSY /* Key Manager is busy */ } esp_huk_state_t; diff --git a/components/hal/include/hal/key_mgr_types.h b/components/hal/include/hal/key_mgr_types.h index 31ea39aeb4..2cdffa7cb8 100644 --- a/components/hal/include/hal/key_mgr_types.h +++ b/components/hal/include/hal/key_mgr_types.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -31,16 +31,22 @@ typedef enum { */ typedef enum { ESP_KEY_MGR_XTS_AES_LEN_256 = 0, /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128*/ - ESP_KEY_MGR_XTS_AES_LEN_512, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */ + ESP_KEY_MGR_XTS_AES_LEN_512, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */ } esp_key_mgr_xts_aes_key_len_t; /** * @brief Type of the key: ECDSA, XTS */ typedef enum { - ESP_KEY_MGR_ECDSA_KEY = 0, /* ECDSA key */ - ESP_KEY_MGR_XTS_AES_128_KEY, /* XTS-AES 128 key */ - ESP_KEY_MGR_XTS_AES_256_KEY, /* XTS-AES 256 key */ + ESP_KEY_MGR_XTS_AES_128_KEY, /* XTS-AES 128-bit key */ + ESP_KEY_MGR_XTS_AES_256_KEY, /* XTS-AES 256-bit key */ + ESP_KEY_MGR_ECDSA_192_KEY, /* ECDSA 192-bit key */ + ESP_KEY_MGR_ECDSA_256_KEY, /* ECDSA 256-bit key */ + ESP_KEY_MGR_ECDSA_384_KEY, /* ECDSA 384-bit key */ + ESP_KEY_MGR_HMAC_KEY, /* HMAC key */ + ESP_KEY_MGR_DS_KEY, /* Digital signature key */ + ESP_KEY_MGR_PSRAM_128_KEY, /* PSRAM 128-bit key */ + ESP_KEY_MGR_PSRAM_256_KEY, /* PSRAM 256-bit key */ } esp_key_mgr_key_type_t; /* @@ -48,7 +54,7 @@ typedef enum { */ typedef enum { ESP_KEY_MGR_USE_OWN_KEY = 0, /* Use key from the key manager */ - ESP_KEY_MGR_USE_EFUSE_KEY, /* Use key from the eFuse */ + ESP_KEY_MGR_USE_EFUSE_KEY, /* Use key from the eFuse */ ESP_KEY_MGR_USAGE_INVALID, } esp_key_mgr_key_usage_t; @@ -56,10 +62,21 @@ typedef enum { * @brief Key Purpose to be set for a particular key in the Key Manager */ typedef enum { - ESP_KEY_MGR_KEY_PURPOSE_ECDSA = 1, - ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 = 2, /* First half of the XTS AES 256 bit key */ - ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 = 3, /* Second half of the XTS AES 256 bit key */ - ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128 = 4, /* XTS AES 128 bit key */ + ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192 = 1, /* ECDSA 192-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256 = 2, /* ECDSA 256-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 = 3, /* First half of flash 256-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 = ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1, + ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 = 4, /* Second half of flash 256-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 = ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2, + ESP_KEY_MGR_KEY_PURPOSE_FLASH_128 = 5, /* Flash 128-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128 = ESP_KEY_MGR_KEY_PURPOSE_FLASH_128, + ESP_KEY_MGR_KEY_PURPOSE_HMAC = 6, /* HMAC key */ + ESP_KEY_MGR_KEY_PURPOSE_DS = 7, /* Digital signature key */ + ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1 = 8, /* First half of PSRAM 256-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 = 9, /* Second half of PSRAM 256-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128 = 10, /* PSRAM 128-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_L = 11, /* Lower half of ECDSA 384-bit key */ + ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_H = 12, /* Higher half of ECDSA 384-bit key */ } esp_key_mgr_key_purpose_t; /** @@ -86,7 +103,7 @@ typedef enum { // store huk info, occupy 96 words typedef struct PACKED_ATTR { -#define HUK_INFO_LEN 384 +#define HUK_INFO_LEN 660 uint8_t info[HUK_INFO_LEN]; uint32_t crc; } esp_key_mgr_huk_info_t; diff --git a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c index 2def4096e8..f0203afa2f 100644 --- a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c +++ b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c @@ -172,7 +172,7 @@ static void key_mgr_test_ecdsa_p256_aes_mode(void) memcpy(key_config.k1_encrypted, (uint8_t*) test_data_ecdsa.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); memcpy(key_config.sw_init_key, (uint8_t*) test_data_ecdsa.init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config.use_pre_generated_sw_init_key = 1; - key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); @@ -228,7 +228,7 @@ static void key_mgr_test_ecdsa_ecdh0_mode(void) printf("\nKey Manager ECDH0 deployment: ECDSA_256 key\n"); static esp_key_mgr_ecdh0_key_config_t key_config; memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); - key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; static esp_key_mgr_key_recovery_info_t key_recovery_info; static esp_key_mgr_ecdh0_info_t ecdh0_info; @@ -248,7 +248,7 @@ static void key_mgr_test_ecdsa_random_mode(void) { printf("\nKey Manager Random deployment: ECDSA_256 key\n"); static esp_key_mgr_random_key_config_t key_config; - key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in index d68e7d8723..17bf375a28 100644 --- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in @@ -239,6 +239,14 @@ config SOC_RNG_SUPPORTED bool default y +config SOC_KEY_MANAGER_SUPPORTED + bool + default y + +config SOC_HUK_SUPPORTED + bool + default y + config SOC_MODEM_CLOCK_SUPPORTED bool default y diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h index aab631a764..2e38397115 100644 --- a/components/soc/esp32c5/include/soc/soc_caps.h +++ b/components/soc/esp32c5/include/soc/soc_caps.h @@ -76,8 +76,8 @@ #define SOC_SPI_FLASH_SUPPORTED 1 // TODO: [ESP32C5] IDF-8715 #define SOC_ECDSA_SUPPORTED 1 #define SOC_RNG_SUPPORTED 1 -// #define SOC_KEY_MANAGER_SUPPORTED 1 // TODO: [ESP32C5] IDF-8621 -// #define SOC_HUK_SUPPORTED 1 // TODO: [ESP32C5] IDF-8617 +#define SOC_KEY_MANAGER_SUPPORTED 1 +#define SOC_HUK_SUPPORTED 1 #define SOC_MODEM_CLOCK_SUPPORTED 1 #define SOC_LIGHT_SLEEP_SUPPORTED 1 #define SOC_DEEP_SLEEP_SUPPORTED 1 diff --git a/components/soc/esp32c5/register/soc/keymng_reg.h b/components/soc/esp32c5/register/soc/keymng_reg.h index 66ab390373..bd0aaa23b7 100644 --- a/components/soc/esp32c5/register/soc/keymng_reg.h +++ b/components/soc/esp32c5/register/soc/keymng_reg.h @@ -1,5 +1,5 @@ /** - * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -163,6 +163,29 @@ extern "C" { #define KEYMNG_USE_EFUSE_KEY_FLASH_S 1 +/* KEYMNG_USE_EFUSE_KEY_HMAC : R/W ;bitpos:[0] ;default: 1'd0 ; */ +/*description: Set this bit to choose efuse key instead of key manager deployed key for hmac.*/ +#define KEYMNG_USE_EFUSE_KEY_HMAC (BIT(2)) +#define KEYMNG_USE_EFUSE_KEY_HMAC_M ((KEYMNG_USE_EFUSE_KEY_HMAC_V)<<(KEYMNG_USE_EFUSE_KEY_HMAC_S)) +#define KEYMNG_USE_EFUSE_KEY_HMAC_V 0x1 +#define KEYMNG_USE_EFUSE_KEY_HMAC_S 2 + +/* KEYMNG_USE_EFUSE_KEY_DS : R/W ;bitpos:[1] ;default: 1'd0 ; */ +/*description: Set this bit to choose efuse key instead of key manager deployed key for ds.*/ +#define KEYMNG_USE_EFUSE_KEY_DS (BIT(3)) +#define KEYMNG_USE_EFUSE_KEY_DS_M ((KEYMNG_USE_EFUSE_KEY_DS_V)<<(KEYMNG_USE_EFUSE_KEY_DS_S)) +#define KEYMNG_USE_EFUSE_KEY_DS_V 0x1 +#define KEYMNG_USE_EFUSE_KEY_DS_S 3 + + +/* KEYMNG_USE_EFUSE_KEY_PSRAM : R/W ;bitpos:[1] ;default: 1'd0 ; */ +/*description: Set this bit to choose efuse key instead of key manager deployed key for psram.*/ +#define KEYMNG_USE_EFUSE_KEY_PSRAM (BIT(4)) +#define KEYMNG_USE_EFUSE_KEY_PSRAM_M ((KEYMNG_USE_EFUSE_KEY_PSRAM_V)<<(KEYMNG_USE_EFUSE_KEY_PSRAM_S)) +#define KEYMNG_USE_EFUSE_KEY_PSRAM_V 0x1 +#define KEYMNG_USE_EFUSE_KEY_PSRAM_S 4 + + /** KEYMNG_RND_SWITCH_CYCLE : R/W; bitpos: [9:5]; default: 15; * The core clock cycle number to sample one rng input data. Please set it bigger than * the clock cycle ratio: T_rng/T_km @@ -209,21 +232,69 @@ extern "C" { #define KEYMNG_USE_EFUSE_KEY_LOCK_S 0 /* KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA : R/W1 ;bitpos:[0] ;default: 1'd0 ; */ + /*description: Write 1 to lock reg_use_efuse_key for esdsa*/ #define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA (BIT(0)) + #define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_M ((KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S)) + #define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_V 0x1 + #define KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA_S 0 /* KEYMNG_USE_EFUSE_KEY_LOCK_FLASH : R/W1 ;bitpos:[1] ;default: 1'd0 ; */ + /*description: Write 1 to lock reg_use_efuse_key for FLASH*/ #define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH (BIT(1)) + #define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_M ((KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_S)) + #define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_V 0x1 + #define KEYMNG_USE_EFUSE_KEY_LOCK_FLASH_S 1 + +/* KEYMNG_USE_EFUSE_KEY_LOCK_HMAC : R/W1 ;bitpos:[0] ;default: 1'd0 ; */ + +/*description: Write 1 to lock reg_use_efuse_key for hmac*/ + +#define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC (BIT(2)) + +#define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_M ((KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_S)) + +#define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_V 0x1 + +#define KEYMNG_USE_EFUSE_KEY_LOCK_HMAC_S 2 + + +/* KEYMNG_USE_EFUSE_KEY_LOCK_DS : R/W1 ;bitpos:[1] ;default: 1'd0 ; */ + +/*description: Write 1 to lock reg_use_efuse_key for ds*/ + +#define KEYMNG_USE_EFUSE_KEY_LOCK_DS (BIT(3)) + +#define KEYMNG_USE_EFUSE_KEY_LOCK_DS_M ((KEYMNG_USE_EFUSE_KEY_LOCK_DS_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_DS_S)) + +#define KEYMNG_USE_EFUSE_KEY_LOCK_DS_V 0x1 + +#define KEYMNG_USE_EFUSE_KEY_LOCK_DS_S 3 + + +/* KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM : R/W1 ;bitpos:[1] ;default: 1'd0 ; */ + +/*description: Write 1 to lock reg_use_efuse_key for PSRAM*/ + +#define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM (BIT(4)) + +#define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_M ((KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_V)<<(KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_S)) + +#define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_V 0x1 + +#define KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM_S 4 + + /** KEYMNG_RND_SWITCH_CYCLE_LOCK : R/W1; bitpos: [5]; default: 0; * Write 1 to lock reg_rnd_switch_cycle. */ @@ -266,9 +337,10 @@ extern "C" { #define KEYMNG_KGEN_MODE_V 0x00000007U #define KEYMNG_KGEN_MODE_S 0 /** KEYMNG_KEY_PURPOSE : R/W; bitpos: [6:3]; default: 0; - * Set this field to choose the key purpose. 1: ecdsa_key 2: flash_256_1_key. 3: - * flash_256_2_key. 4: flash_128_key. 6: hmac_key. 7: ds_key. 8: psram_256_1_key. 9: - * psram_256_2_key. 10: psram_128_key. Others: reserved. + * Set this field to choose the key purpose. 1: ecdsa_key_192. 2: ecdsa_key_256. 3: + * flash_256_1_key. 4: flash_256_2_key. 5: flash_128_key. 6: hmac_key. 7: ds_key. 8: + * psram_256_1_key. 9: psram_256_2_key. 10: psram_128_key. 11: ecdsa_key_384_l. 12: + * ecdsa_key_384_h. Others: reserved. */ #define KEYMNG_KEY_PURPOSE 0x0000000FU #define KEYMNG_KEY_PURPOSE_M (KEYMNG_KEY_PURPOSE_V << KEYMNG_KEY_PURPOSE_S) @@ -323,46 +395,62 @@ extern "C" { * Key Manager key status register */ #define KEYMNG_KEY_VLD_REG (DR_REG_KEYMNG_BASE + 0x30) -/** KEYMNG_KEY_ECDSA_VLD : RO; bitpos: [0]; default: 0; - * The status bit for key_ecdsa. 1: The key has been deployed correctly. 0: The key - * has not been deployed yet. +/** KEYMNG_KEY_ECDSA_192_VLD : RO; bitpos: [0]; default: 0; + * The status bit for key_ecdsa_192. 1: The key has been deployed correctly. 0: The + * key has not been deployed yet. */ -#define KEYMNG_KEY_ECDSA_VLD (BIT(0)) -#define KEYMNG_KEY_ECDSA_VLD_M (KEYMNG_KEY_ECDSA_VLD_V << KEYMNG_KEY_ECDSA_VLD_S) -#define KEYMNG_KEY_ECDSA_VLD_V 0x00000001U -#define KEYMNG_KEY_ECDSA_VLD_S 0 -/** KEYMNG_KEY_FLASH_VLD : RO; bitpos: [1]; default: 0; +#define KEYMNG_KEY_ECDSA_192_VLD (BIT(0)) +#define KEYMNG_KEY_ECDSA_192_VLD_M (KEYMNG_KEY_ECDSA_192_VLD_V << KEYMNG_KEY_ECDSA_192_VLD_S) +#define KEYMNG_KEY_ECDSA_192_VLD_V 0x00000001U +#define KEYMNG_KEY_ECDSA_192_VLD_S 0 +/** KEYMNG_KEY_ECDSA_256_VLD : RO; bitpos: [1]; default: 0; + * The status bit for key_ecdsa_256. 1: The key has been deployed correctly. 0: The + * key has not been deployed yet. + */ +#define KEYMNG_KEY_ECDSA_256_VLD (BIT(1)) +#define KEYMNG_KEY_ECDSA_256_VLD_M (KEYMNG_KEY_ECDSA_256_VLD_V << KEYMNG_KEY_ECDSA_256_VLD_S) +#define KEYMNG_KEY_ECDSA_256_VLD_V 0x00000001U +#define KEYMNG_KEY_ECDSA_256_VLD_S 1 +/** KEYMNG_KEY_FLASH_VLD : RO; bitpos: [2]; default: 0; * The status bit for key_flash. 1: The key has been deployed correctly. 0: The * key has not been deployed yet. */ -#define KEYMNG_KEY_FLASH_VLD (BIT(1)) +#define KEYMNG_KEY_FLASH_VLD (BIT(2)) #define KEYMNG_KEY_FLASH_VLD_M (KEYMNG_KEY_FLASH_VLD_V << KEYMNG_KEY_FLASH_VLD_S) #define KEYMNG_KEY_FLASH_VLD_V 0x00000001U -#define KEYMNG_KEY_FLASH_VLD_S 1 -/** KEYMNG_KEY_HMAC_VLD : RO; bitpos: [2]; default: 0; +#define KEYMNG_KEY_FLASH_VLD_S 2 +/** KEYMNG_KEY_HMAC_VLD : RO; bitpos: [3]; default: 0; * The status bit for key_hmac. 1: The key has been deployed correctly. 0: The key * has not been deployed yet. */ -#define KEYMNG_KEY_HMAC_VLD (BIT(2)) +#define KEYMNG_KEY_HMAC_VLD (BIT(3)) #define KEYMNG_KEY_HMAC_VLD_M (KEYMNG_KEY_HMAC_VLD_V << KEYMNG_KEY_HMAC_VLD_S) #define KEYMNG_KEY_HMAC_VLD_V 0x00000001U -#define KEYMNG_KEY_HMAC_VLD_S 2 -/** KEYMNG_KEY_DS_VLD : RO; bitpos: [3]; default: 0; +#define KEYMNG_KEY_HMAC_VLD_S 3 +/** KEYMNG_KEY_DS_VLD : RO; bitpos: [4]; default: 0; * The status bit for key_ds. 1: The key has been deployed correctly. 0: The * key has not been deployed yet. */ -#define KEYMNG_KEY_DS_VLD (BIT(3)) +#define KEYMNG_KEY_DS_VLD (BIT(4)) #define KEYMNG_KEY_DS_VLD_M (KEYMNG_KEY_DS_VLD_V << KEYMNG_KEY_DS_VLD_S) #define KEYMNG_KEY_DS_VLD_V 0x00000001U -#define KEYMNG_KEY_DS_VLD_S 3 -/** KEYMNG_KEY_PSRAM_VLD : RO; bitpos: [4]; default: 0; +#define KEYMNG_KEY_DS_VLD_S 4 +/** KEYMNG_KEY_PSRAM_VLD : RO; bitpos: [5]; default: 0; * The status bit for key_psram. 1: The key has been deployed correctly. 0: The key * has not been deployed yet. */ -#define KEYMNG_KEY_PSRAM_VLD (BIT(4)) +#define KEYMNG_KEY_PSRAM_VLD (BIT(5)) #define KEYMNG_KEY_PSRAM_VLD_M (KEYMNG_KEY_PSRAM_VLD_V << KEYMNG_KEY_PSRAM_VLD_S) #define KEYMNG_KEY_PSRAM_VLD_V 0x00000001U -#define KEYMNG_KEY_PSRAM_VLD_S 4 +#define KEYMNG_KEY_PSRAM_VLD_S 5 +/** KEYMNG_KEY_ECDSA_384_VLD : RO; bitpos: [6]; default: 0; + * The status bit for key_ecdsa_384. 1: The key has been deployed correctly. 0: The + * key has not been deployed yet. + */ +#define KEYMNG_KEY_ECDSA_384_VLD (BIT(6)) +#define KEYMNG_KEY_ECDSA_384_VLD_M (KEYMNG_KEY_ECDSA_384_VLD_V << KEYMNG_KEY_ECDSA_384_VLD_S) +#define KEYMNG_KEY_ECDSA_384_VLD_V 0x00000001U +#define KEYMNG_KEY_ECDSA_384_VLD_S 6 /** KEYMNG_HUK_VLD_REG register * Key Manager HUK status register @@ -380,7 +468,7 @@ extern "C" { * Version control register */ #define KEYMNG_DATE_REG (DR_REG_KEYMNG_BASE + 0xfc) -/** KEYMNG_DATE : R/W; bitpos: [27:0]; default: 36774224; +/** KEYMNG_DATE : R/W; bitpos: [27:0]; default: 37781824; * Key Manager version control register. */ #define KEYMNG_DATE 0x0FFFFFFFU diff --git a/components/soc/esp32p4/register/soc/keymng_reg.h b/components/soc/esp32p4/register/soc/keymng_reg.h index a8f03edc6e..cfb0f9c12b 100644 --- a/components/soc/esp32p4/register/soc/keymng_reg.h +++ b/components/soc/esp32p4/register/soc/keymng_reg.h @@ -1,5 +1,5 @@ /** - * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -239,6 +239,21 @@ extern "C" { #define KEYMNG_KEY_PURPOSE_V 0x0000000FU #define KEYMNG_KEY_PURPOSE_S 3 +#define KEYMNG_KEY_PURPOSE_ECDSA (BIT(0)) +#define KEYMNG_KEY_PURPOSE_ECDSA_M (KEYMNG_KEY_PURPOSE_ECDSA_V << KEYMNG_KEY_PURPOSE_ECDSA_S) +#define KEYMNG_KEY_PURPOSE_ECDSA_V 0x00000001U +#define KEYMNG_KEY_PURPOSE_ECDSA_S 0 + +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_1 (BIT(1)) +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_1_M (KEYMNG_KEY_PURPOSE_XTS_AES_256_1_V << KEYMNG_KEY_PURPOSE_XTS_AES_256_1_S) +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_1_V 0x00000001U +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_1_S 1 + +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_2 (BIT(2)) +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_2_M (KEYMNG_KEY_PURPOSE_XTS_AES_256_2_V << KEYMNG_KEY_PURPOSE_XTS_AES_256_2_S) +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_2_V 0x00000001U +#define KEYMNG_KEY_PURPOSE_XTS_AES_256_2_S 2 + /** KEYMNG_START_REG register * Key Manager control register */