diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 3d799c0661..3d8e8696e5 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -7,12 +7,15 @@ #include "hal/assert.h" #include "hal/ecdsa_ll.h" #include "hal/ecdsa_hal.h" +#include "hal/efuse_hal.h" #define ECDSA_HAL_P192_COMPONENT_LEN 24 #define ECDSA_HAL_P256_COMPONENT_LEN 32 static void configure_ecdsa_periph(ecdsa_hal_config_t *conf) { + efuse_hal_set_ecdsa_key(conf->efuse_key_blk); + ecdsa_ll_set_mode(conf->mode); ecdsa_ll_set_curve(conf->curve); ecdsa_ll_set_k_mode(conf->k_mode); diff --git a/components/hal/efuse_hal.c b/components/hal/efuse_hal.c index 51514ad499..6a46c85d36 100644 --- a/components/hal/efuse_hal.c +++ b/components/hal/efuse_hal.c @@ -36,3 +36,14 @@ IRAM_ATTR bool efuse_hal_flash_encryption_enabled(void) } return enabled; } + +#if SOC_ECDSA_SUPPORTED +void efuse_hal_set_ecdsa_key(int efuse_blk) +{ + efuse_ll_set_ecdsa_key_blk(efuse_blk); + + efuse_ll_rs_bypass_update(); + + efuse_hal_read(); +} +#endif diff --git a/components/hal/esp32h2/include/hal/efuse_ll.h b/components/hal/esp32h2/include/hal/efuse_ll.h index 6617681c89..1ac00e6053 100644 --- a/components/hal/esp32h2/include/hal/efuse_ll.h +++ b/components/hal/esp32h2/include/hal/efuse_ll.h @@ -82,6 +82,16 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_chip_ver_pkg( return EFUSE.rd_mac_sys_4.pkg_version; } +__attribute__((always_inline)) static inline uint32_t efuse_ll_get_ecdsa_key_blk(void) +{ + return EFUSE.conf.cfg_ecdsa_blk; +} + +__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(int efuse_blk) +{ + EFUSE.conf.cfg_ecdsa_blk = efuse_blk; +} + /******************* eFuse control functions *************************/ __attribute__((always_inline)) static inline bool efuse_ll_get_read_cmd(void) @@ -120,6 +130,11 @@ __attribute__((always_inline)) static inline void efuse_ll_set_pwr_off_num(uint1 EFUSE.wr_tim_conf2.pwr_off_num = value; } +__attribute__((always_inline)) static inline void efuse_ll_rs_bypass_update(void) +{ + EFUSE.wr_tim_conf0_rs_bypass.update = 1; +} + /******************* eFuse control functions *************************/ #ifdef __cplusplus diff --git a/components/hal/include/hal/ecdsa_hal.h b/components/hal/include/hal/ecdsa_hal.h index d7244b3dc0..02bad6092b 100644 --- a/components/hal/include/hal/ecdsa_hal.h +++ b/components/hal/include/hal/ecdsa_hal.h @@ -27,6 +27,7 @@ typedef struct { ecdsa_curve_t curve; /* Curve to use for operation */ ecdsa_k_mode_t k_mode; /* Source of K */ ecdsa_sha_mode_t sha_mode; /* Source of SHA that needs to be signed */ + int efuse_key_blk; /* Efuse block to use as ECDSA key (The purpose of the efuse block must be ECDSA_KEY) */ } ecdsa_hal_config_t; /** diff --git a/components/hal/include/hal/efuse_hal.h b/components/hal/include/hal/efuse_hal.h index bb11c9ae7b..a30c77da5a 100644 --- a/components/hal/include/hal/efuse_hal.h +++ b/components/hal/include/hal/efuse_hal.h @@ -8,6 +8,7 @@ #include #include +#include "soc/soc_caps.h" #ifdef __cplusplus extern "C" { @@ -45,6 +46,17 @@ uint32_t efuse_hal_get_major_chip_version(void); */ uint32_t efuse_hal_get_minor_chip_version(void); +#if SOC_ECDSA_SUPPORTED +/** + * @brief Set the efuse block that should be used as ECDSA private key + * + * @note The efuse block must be burnt with key purpose ECDSA_KEY + * + * @param efuse_key_blk Efuse key block number (Must be in [EFUSE_BLK_KEY0...EFUSE_BLK_KEY_MAX - 1] range) + */ +void efuse_hal_set_ecdsa_key(int efuse_key_blk); +#endif + #ifdef __cplusplus } #endif diff --git a/components/mbedtls/port/ecdsa/ecdsa_alt.c b/components/mbedtls/port/ecdsa/ecdsa_alt.c index e90f01c584..e098b5e9e3 100644 --- a/components/mbedtls/port/ecdsa/ecdsa_alt.c +++ b/components/mbedtls/port/ecdsa/ecdsa_alt.c @@ -140,6 +140,7 @@ static int esp_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mpi* s .curve = curve, .k_mode = ECDSA_K_USE_TRNG, .sha_mode = ECDSA_Z_USER_PROVIDED, + .efuse_key_blk = d->MBEDTLS_PRIVATE(n), }; ecdsa_hal_gen_signature(&conf, NULL, sha_le, r_le, s_le, len); diff --git a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h index 9e2620b312..0326795f8d 100644 --- a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h +++ b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h @@ -21,11 +21,6 @@ extern "C" { * We break the MPI struct of the private key in order to * differentiate between hardware key and software key * - * @note Currently, `efuse_blk` is not used internally. - * Hardware will choose the efuse block that has purpose set to ECDSA_KEY. - * In case of multiple ECDSA_KEY burnt in efuse, hardware will choose the - * greater efuse block number as the private key. - * * @param key The MPI in which this functions stores the hardware context. * This must be uninitialized * @param efuse_blk The efuse key block that should be used as the private key. @@ -42,11 +37,6 @@ int esp_ecdsa_privkey_load_mpi(mbedtls_mpi *key, int efuse_blk); * We break the MPI struct used to represent the private key `d` in ECP keypair * in order to differentiate between hardware key and software key * - * @note Currently, `efuse_blk` is not used internally. - * Hardware will choose the efuse block that has purpose set to ECDSA_KEY. - * In case of multiple ECDSA_KEY burnt in efuse, hardware will choose the - * greater efuse block number as the private key. - * * @param key_ctx The context in which this functions stores the hardware context. * This must be uninitialized * @param efuse_blk The efuse key block that should be used as the private key.