ecdsa: Support multiple ECDSA keys

Add provision to choose which efuse block should be used as ECDSA
private key

components/hal/ecdsa_hal.c

@@ -7,12 +7,15 @@
 #include "hal/assert.h"
 #include "hal/ecdsa_ll.h"
 #include "hal/ecdsa_hal.h"
+#include "hal/efuse_hal.h"
 
 #define ECDSA_HAL_P192_COMPONENT_LEN        24
 #define ECDSA_HAL_P256_COMPONENT_LEN        32
 
 static void configure_ecdsa_periph(ecdsa_hal_config_t *conf)
 {
+    efuse_hal_set_ecdsa_key(conf->efuse_key_blk);
+
     ecdsa_ll_set_mode(conf->mode);
     ecdsa_ll_set_curve(conf->curve);
     ecdsa_ll_set_k_mode(conf->k_mode);

components/hal/efuse_hal.c

@@ -36,3 +36,14 @@ IRAM_ATTR bool efuse_hal_flash_encryption_enabled(void)
     }
     return enabled;
 }
+
+#if SOC_ECDSA_SUPPORTED
+void efuse_hal_set_ecdsa_key(int efuse_blk)
+{
+    efuse_ll_set_ecdsa_key_blk(efuse_blk);
+
+    efuse_ll_rs_bypass_update();
+
+    efuse_hal_read();
+}
+#endif

components/hal/esp32h2/include/hal/efuse_ll.h

@@ -82,6 +82,16 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_chip_ver_pkg(
     return EFUSE.rd_mac_sys_4.pkg_version;
 }
 
+__attribute__((always_inline)) static inline uint32_t efuse_ll_get_ecdsa_key_blk(void)
+{
+    return EFUSE.conf.cfg_ecdsa_blk;
+}
+
+__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(int efuse_blk)
+{
+    EFUSE.conf.cfg_ecdsa_blk = efuse_blk;
+}
+
 /******************* eFuse control functions *************************/
 
 __attribute__((always_inline)) static inline bool efuse_ll_get_read_cmd(void)
@@ -120,6 +130,11 @@ __attribute__((always_inline)) static inline void efuse_ll_set_pwr_off_num(uint1
     EFUSE.wr_tim_conf2.pwr_off_num = value;
 }
 
+__attribute__((always_inline)) static inline void efuse_ll_rs_bypass_update(void)
+{
+    EFUSE.wr_tim_conf0_rs_bypass.update = 1;
+}
+
 /******************* eFuse control functions *************************/
 
 #ifdef __cplusplus

components/hal/include/hal/ecdsa_hal.h

@@ -27,6 +27,7 @@ typedef struct {
     ecdsa_curve_t curve;            /* Curve to use for operation */
     ecdsa_k_mode_t k_mode;          /* Source of K */
     ecdsa_sha_mode_t sha_mode;      /* Source of SHA that needs to be signed */
+    int efuse_key_blk;              /* Efuse block to use as ECDSA key (The purpose of the efuse block must be ECDSA_KEY) */
 } ecdsa_hal_config_t;
 
 /**

components/hal/include/hal/efuse_hal.h

@@ -8,6 +8,7 @@
 
 #include <stdint.h>
 #include <stdbool.h>
+#include "soc/soc_caps.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -45,6 +46,17 @@ uint32_t efuse_hal_get_major_chip_version(void);
  */
 uint32_t efuse_hal_get_minor_chip_version(void);
 
+#if SOC_ECDSA_SUPPORTED
+/**
+ * @brief Set the efuse block that should be used as ECDSA private key
+ *
+ * @note The efuse block must be burnt with key purpose ECDSA_KEY
+ *
+ * @param efuse_key_blk Efuse key block number (Must be in [EFUSE_BLK_KEY0...EFUSE_BLK_KEY_MAX - 1] range)
+ */
+void efuse_hal_set_ecdsa_key(int efuse_key_blk);
+#endif
+
 #ifdef __cplusplus
 }
 #endif

components/mbedtls/port/ecdsa/ecdsa_alt.c

@@ -140,6 +140,7 @@ static int esp_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mpi* s
             .curve = curve,
             .k_mode = ECDSA_K_USE_TRNG,
             .sha_mode = ECDSA_Z_USER_PROVIDED,
+            .efuse_key_blk = d->MBEDTLS_PRIVATE(n),
         };
 
         ecdsa_hal_gen_signature(&conf, NULL, sha_le, r_le, s_le, len);

components/mbedtls/port/include/ecdsa/ecdsa_alt.h

@@ -21,11 +21,6 @@ extern "C" {
  *        We break the MPI struct of the private key in order to
  *        differentiate between hardware key and software key
  *
- * @note Currently, `efuse_blk` is not used internally.
- *       Hardware will choose the efuse block that has purpose set to ECDSA_KEY.
- *       In case of multiple ECDSA_KEY burnt in efuse, hardware will choose the
- *       greater efuse block number as the private key.
- *
  * @param key The MPI in which this functions stores the hardware context.
  *            This must be uninitialized
  * @param efuse_blk The efuse key block that should be used as the private key.
@@ -42,11 +37,6 @@ int esp_ecdsa_privkey_load_mpi(mbedtls_mpi *key, int efuse_blk);
  *        We break the MPI struct used to represent the private key `d` in ECP keypair
  *        in order to differentiate between hardware key and software key
  *
- * @note Currently, `efuse_blk` is not used internally.
- *       Hardware will choose the efuse block that has purpose set to ECDSA_KEY.
- *       In case of multiple ECDSA_KEY burnt in efuse, hardware will choose the
- *       greater efuse block number as the private key.
- *
  * @param key_ctx The context in which this functions stores the hardware context.
  *                This must be uninitialized
  * @param efuse_blk The efuse key block that should be used as the private key.