Merge branch 'feature/add_key_manager_hal_layer' into 'master'

Add LL & HAL for Key Manager and HUK

Closes IDF-7985 and IDF-7901

See merge request espressif/esp-idf!25167

components/esp_common/include/esp_attr.h

@@ -57,6 +57,9 @@ extern "C" {
 // Forces data to be placed to DMA-capable places
 #define DMA_ATTR WORD_ALIGNED_ATTR DRAM_ATTR
 
+// Forces the data to be tightly packed with minimum required padding and no extra bytes are added for alignment
+#define PACKED_ATTR __attribute__((packed));
+
 // Forces a function to be inlined
 #define FORCE_INLINE_ATTR static inline __attribute__((always_inline))
 

components/esp_rom/include/esp32p4/rom/key_mgr.h

@@ -0,0 +1,103 @@
+/*
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#pragma once
+
+#include "soc/soc_caps.h"
+
+#if SOC_KEY_MANAGER_SUPPORTED
+#include <stdint.h>
+#include "esp_attr.h"
+#include "ets_sys.h"
+#include "km.h"
+
+#if __cplusplus
+extern "C" {
+#endif
+
+// store huk info, occupy 96 words
+struct huk_info {
+#define HUK_INFO_LEN 384
+    uint8_t info[HUK_INFO_LEN];
+    uint32_t crc;
+} PACKED_ATTR;
+
+// store key info, occupy 512 bits
+struct key_info {
+#define KEY_INFO_LEN 64
+    uint8_t info[KEY_INFO_LEN];
+    uint32_t crc;
+} PACKED_ATTR;
+
+struct huk_key_block {
+#define KEY_HUK_SECTOR_MAGIC 0xDEA5CE5A
+    uint32_t magic;
+    uint32_t version; // for backward compatibility
+    uint8_t reserved[16];
+    struct huk_info huk_info;
+    struct key_info key_info[2]; // at most 2 key info (XTS-512_1 and XTS-512_2), at least use 1
+} WORD_ALIGNED_ATTR PACKED_ATTR;
+
+/*
+ * We define two info sectors "active" and "backup" here
+ * Most rom code would rely only on the "active" sector for the key information
+ *
+ * But there could be a situation where the huk and key information must be regenerated
+ * based on ageing and other factors. For that scenario, we need a "backup" sector
+ */
+#define KEY_HUK_SECTOR_OFFSET(i) ((i)*0x1000)
+#define ACTIVE_SECTOR_OFFSET     KEY_HUK_SECTOR_OFFSET(0)
+#define BACKUP_SECTOR_OFFSET     KEY_HUK_SECTOR_OFFSET(1)
+
+#define KM_PERI_ECDSA (BIT(0))
+#define KM_PERI_XTS   (BIT(1))
+
+struct km_deploy_ops {
+#define KM_KEY_PURPOSE_ECDSA     1
+#define KM_KEY_PURPOSE_XTS_256_1 2
+#define KM_KEY_PURPOSE_XTS_256_2 3
+#define KM_KEY_PURPOSE_XTS_128   4
+    int km_key_purpose;
+#define KM_DEPLOY_MODE_RANDOM  0
+#define KM_DEPLOY_MODE_AES     1
+#define KM_DEPLOY_MODE_ECDH0   2
+#define KM_DEPLOY_MODE_ECDH1   3
+#define KM_DEPLOY_MODE_RECOVER 4
+#define KM_DEPLOY_MODE_EXPORT  5
+    int deploy_mode;
+    uint8_t *init_key; // 256 bits, only used in aes and ecdh1 deploy mode
+    int deploy_only_once;
+    int force_use_km_key;
+    int km_use_efuse_key;
+    uint32_t efuse_km_rnd_switch_cycle; // 0 means use default
+    uint32_t km_rnd_switch_cycle;       // 0 means use default
+    int km_use_sw_init_key;
+    struct huk_info *huk_info;
+    struct key_info *key_info;
+};
+
+/* state of km */
+#define KM_STATE_IDLE    0
+#define KM_STATE_LOAD    1
+#define KM_STATE_GAIN    2
+#define KM_STATE_BUSY    3
+#define KM_STATE_INVALID 4
+
+/* state of huk generator
+ * values defined same as km
+ */
+#define HUK_STATE_IDLE 0
+#define HUK_STATE_LOAD 1
+#define HUK_STATE_GAIN 2
+#define HUK_STATE_BUSY 3
+
+#define HUK_NOT_GENERATED 0
+#define HUK_GEN_VALID     1
+#define HUK_GEN_INVALID   2
+
+#if __cplusplus
+}
+#endif
+#endif

components/esp_rom/include/esp32p4/rom/km.h

@@ -0,0 +1,63 @@
+/*
+ * SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef _KM_H
+#define _KM_H
+
+#include "soc/soc_caps.h"
+#if SOC_KEY_MANAGER_SUPPORTED
+
+#include <stdint.h>
+#include "soc/soc.h"
+#include "ets_sys.h"
+
+#if __cplusplus
+extern "C" {
+#endif
+
+/* huk mode type */
+typedef enum {
+    HUK_MODE_RECOVER = 0,
+    HUK_MODE_GEN = 1,
+} huk_mode_t;
+
+/**
+  * @brief Recover efuse key or key manager key if flash encryption is enabled
+  *
+  * @param do_log : if km process print log
+  *
+  * @return ETS_OK when key is recovered, ETS_FAILED when key not recovered
+  */
+ETS_STATUS esp_rom_check_recover_key(int do_log);
+
+/**
+  * @brief Configure huk mode
+  *
+  * @param mode : HUK_MODE_RECOVER or HUK_MODE_GEN
+  *
+  * @param huk_info : uint8_t pointer to the buffer which will feed the huk info or
+  *                   gain the huk info
+  *
+  * @return ETS_OK when huk configuration is done, else ETS_FAILED
+  */
+ETS_STATUS esp_rom_km_huk_conf(huk_mode_t mode, uint8_t *huk_info);
+
+/**
+  * @brief Get huk risk. The risk level of HUK is 0-6: the higher the risk level is,
+  *        the more error bits there are in the PUF SRAM. 7: Error level, HUK is invalid
+  *
+  * @param None
+  *
+  * @return The huk risk
+  */
+int esp_rom_km_huk_risk(void);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+
+#endif /* _KM_H */

components/hal/CMakeLists.txt

@@ -225,6 +225,11 @@ if(NOT BOOTLOADER_BUILD)
         list(APPEND srcs "ds_hal.c")
     endif()
 
+    if(CONFIG_SOC_KEY_MANAGER_SUPPORTED)
+        list(APPEND srcs "key_mgr_hal.c")
+        list(APPEND srcs "huk_hal.c")
+    endif()
+
     if(${target} STREQUAL "esp32")
         list(APPEND srcs
             "touch_sensor_hal.c"

components/hal/esp32p4/include/hal/huk_hal.h

@@ -0,0 +1,55 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+// The HAL layer for Hardware Unique Key (HUK) Genarator
+
+#pragma once
+
+#if SOC_KEY_MANAGER_SUPPORTED
+#include "hal/huk_types.h"
+#include <stdint.h>
+#include "esp_err.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * @brief Configure HUK: Generate new HUK information or Recover key from recovery information
+ *     Generation Mode: In this case the Generation mode of the HUK Generator is used. A new HUK is generated and the respective HUK information is copied to the given buffer. This info can be again used to recover the same HUK.
+ *     Recovery Mode: In this case the Recovery mode of the HUK Generator is used. The HUK is recovered from the given HUK information. This is the HUK information generated previously when HUK info was generated with a previous call to huk_hal_configure.
+ *
+ * @input
+ *      huk_info_buf(I/O)    Pointer to the buffer for the HUK info, size of the given buffer must equal to HUK_INFO_SIZE
+ *          In Generation Mode the buffer shall be populated with the huk_info_buf
+ *          In recovery mode the huk_info stored in the buffer shall be consumed for HUK recovery
+ *
+ * @return
+ *      ESP_OK      on success
+ *      ESP_FAIL    on failure
+ */
+esp_err_t huk_hal_configure(const esp_huk_mode_t huk_mode, uint8_t *huk_info_buf);
+
+/**
+ * @brief Read state of Hardware Unique Key Generator
+ *
+ * @return esp_huk_state_t
+ */
+esp_huk_state_t huk_hal_get_state(void);
+
+/**
+ * @brief Get the HUK generation status: esp_huk_gen_status_t
+ */
+uint8_t huk_hal_get_risk_level(void);
+
+/**
+ * @brief Read the HUK date information
+ */
+uint32_t huk_hal_get_date_info(void);
+
+#ifdef __cplusplus
+}
+#endif
+#endif

components/hal/esp32p4/include/hal/huk_ll.h

@@ -0,0 +1,114 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*******************************************************************************
+ * NOTICE
+ * The hal is not public api, don't use it in application code.
+ ******************************************************************************/
+
+#pragma once
+#if SOC_KEY_MANAGER_SUPPORTED
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include "hal/huk_types.h"
+#include "soc/huk_reg.h"
+#include "soc/soc_caps.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* @brief Configure the HUK mode */
+static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode)
+{
+    REG_SET_FIELD(HUK_CONF_REG, HUK_MODE, huk_mode);
+}
+
+void huk_ll_write_info(const uint8_t *buffer, const size_t size)
+{
+    memcpy((uint8_t *)HUK_INFO_MEM, buffer, size);
+}
+
+void huk_ll_read_info(uint8_t *buffer, const size_t size)
+{
+    memcpy(buffer, (uint8_t *)HUK_INFO_MEM, size);
+}
+
+/* @brief Start the HUK at IDLE state */
+static inline void huk_ll_start(void)
+{
+    REG_SET_FIELD(HUK_START_REG, HUK_START, 1);
+}
+
+/* @brief Continue HUK operation at LOAD/GAIN state */
+static inline void huk_ll_continue(void)
+{
+    REG_SET_FIELD(HUK_START_REG, HUK_CONTINUE, 1);
+}
+
+/* @bried Enable or Disable the HUK interrupts */
+static inline void huk_ll_configure_interrupt(const esp_huk_interrupt_type_t intr, const bool en)
+{
+    switch(intr) {
+        case ESP_HUK_INT_PREP_DONE:
+                REG_SET_FIELD(HUK_INT_ENA_REG, HUK_PREP_DONE_INT_ENA, en);
+        case ESP_HUK_INT_PROC_DONE:
+                REG_SET_FIELD(HUK_INT_ENA_REG, HUK_PROC_DONE_INT_ENA, en);
+        case ESP_HUK_INT_POST_DONE:
+                REG_SET_FIELD(HUK_INT_ENA_REG, HUK_POST_DONE_INT_ENA, en);
+        default:
+            return;
+    }
+}
+
+/* @bried Clear the HUK interrupts */
+static inline void huk_ll_clear_int(const esp_huk_interrupt_type_t intr)
+{
+    switch(intr) {
+        case ESP_HUK_INT_PREP_DONE:
+            REG_SET_FIELD(HUK_INT_CLR_REG, HUK_PREP_DONE_INT_CLR, 1);
+        case ESP_HUK_INT_PROC_DONE:
+            REG_SET_FIELD(HUK_INT_CLR_REG, HUK_PROC_DONE_INT_CLR, 1);
+        case ESP_HUK_INT_POST_DONE:
+            REG_SET_FIELD(HUK_INT_CLR_REG, HUK_POST_DONE_INT_CLR, 1);
+        default:
+            return;
+    }
+}
+
+/**
+ * @brief Read state of Hardware Unique Key Generator
+ *
+ * @return esp_huk_state_t
+ */
+static inline esp_huk_state_t huk_ll_get_state(void)
+{
+    return REG_GET_FIELD(HUK_STATE_REG, HUK_STATE);
+}
+
+/**
+ * @brief Get the HUK generation status: esp_huk_gen_status_t
+ */
+static inline esp_huk_gen_status_t huk_ll_get_gen_status(void)
+{
+    return REG_GET_FIELD(HUK_STATUS_REG, HUK_STATUS);
+}
+
+/**
+ * @brief Read the HUK date information
+ */
+static inline uint32_t huk_ll_get_date_info(void)
+{
+    // Only the least siginificant 28 bits have desired information
+    return (uint32_t)(0x0FFFFFFF & REG_READ(HUK_DATE_REG));
+}
+
+#ifdef __cplusplus
+}
+#endif
+#endif

components/hal/esp32p4/include/hal/key_mgr_hal.h

@@ -0,0 +1,139 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+// The HAL layer for Key Manager
+
+#pragma once
+
+#if SOC_KEY_MANAGER_SUPPORTED
+#include "hal/key_mgr_types.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* @brief Start the key manager at IDLE state */
+void key_mgr_hal_start(void);
+
+/* @brief Continue the key manager operation */
+void key_mgr_hal_continue(void);
+
+/**
+ * @brief Set the key manager to use the software provided init key
+ */
+void key_mgr_hal_use_sw_init_key(void);
+
+/**
+ * @brief Configure the key manager key usage policy for a particular key type
+ */
+void key_mgr_hal_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage);
+
+/*
+ * @brief Get the configured key usage for a given key type
+ */
+esp_key_mgr_key_usage_t key_mgr_hal_get_key_usage(const esp_key_mgr_key_type_t key_type);
+
+/* @brief Configure the key purpose to be used by the Key Manager for key generator opearation */
+void key_mgr_hal_set_key_purpose(const esp_key_mgr_key_purpose_t key_purpose);
+
+/**
+ * @bfief Configure the mode which is used by the Key Manager for the generator key deployement process
+ */
+void key_mgr_hal_set_key_generator_mode(const esp_key_mgr_key_generator_mode_t mode);
+
+/**
+ * @brief Read the key manager process result
+ * @return  1 for Success
+ *          0 for failure
+ */
+bool key_mgr_hal_is_result_success(void);
+
+/**
+ * @brief Check if the deployed key is valid or not
+ * @return  1 for Success
+ *          0 for failure
+ */
+bool key_mgr_hal_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type);
+
+/**
+ * @brief Check if the HUK is valid or not
+ * @return  1 for Success
+ *          0 for failure
+ */
+bool key_mgr_hal_is_huk_valid(void);
+
+/*
+ * @brief Write the SW init key in the key manager registers
+ *
+ * @input
+ * sw_init_key_buf      Init key buffer, this should be a readable buffer of data_len size which should contain the sw init key. The buffer must be 32 bit aligned
+ * data_len             Length of the init key buffer
+ */
+void key_mgr_hal_write_sw_init_key(const uint8_t *sw_init_key_buf, const size_t data_len);
+
+/*
+ * @brief Write the Assist info in the key manager registers
+ *
+ * @input
+ * assist_info_buf      Assist info buffer, this should be a readable buffer of data_len size which should contain the assist info.  The buffer must be 32 bit aligned
+ * data_len             Length of the assist info buffer
+ */
+void key_mgr_hal_write_assist_info(const uint8_t *assist_info_buf, const size_t data_len);
+
+/*
+ * @brief Read the Assist info from the key manager registers
+ *
+ * @input
+ * assist_info_buf      Assist info buffer, this should be a writable buffer of size KEY_MGR_ASSIST_INFO_LEN.  The buffer must be 32 bit aligned
+ * data_len             Length of the assist info buffer
+ */
+void key_mgr_hal_read_assist_info(uint8_t *assist_info_buf);
+
+/*
+ * @brief Write the Public info in the key manager registers
+ *
+ * @input
+ * public_info_buf      Public info buffer, this should be a readable buffer of data_len size which should contain the public info.  The buffer must be 32 bit aligned
+ * data_len             Length of the public info buffer
+ */
+void key_mgr_hal_write_public_info(const uint8_t *public_info_buf, const size_t data_len);
+
+/*
+ * @brief Read the Public info in the key manager registers
+ *
+ * @input
+ * public_info_buf      Public info buffer, this should be a writable buffer of read_len,  The buffer must be 32 bit aligned
+ * read_len             Length of the public info buffer
+ */
+void key_mgr_hal_read_public_info(uint8_t *public_info_buf, const size_t read_len);
+
+/* @brief Set the AES-XTS key length for the Key Manager */
+void key_mgr_hal_set_aes_xts_key_len(const esp_key_mgr_xts_aes_key_len_t key_len);
+
+/* @brief Get the AES-XTS key length for the Key Manager */
+esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_aes_xts_key_len(void);
+
+/**
+ * @brief Read state of Key Manager
+ *
+ * @return esp_key_mgr_state_t
+ */
+esp_key_mgr_state_t key_mgr_hal_get_state(void);
+
+/**
+ * @brief Read the Key Manager date information
+ */
+uint32_t key_mgr_hal_get_date_info(void);
+
+/**
+ * @brief Set the Key Manager date information
+ *        Only the least siginificant 28 bits shall be considered
+ */
+void key_mgr_hal_set_date_info(const uint32_t date_info);
+
+#ifdef __cplusplus
+}
+#endif
+#endif

components/hal/esp32p4/include/hal/key_mgr_ll.h

@@ -0,0 +1,290 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*******************************************************************************
+ * NOTICE
+ * The hal is not public api, don't use it in application code.
+ ******************************************************************************/
+
+#pragma once
+#if SOC_KEY_MANAGER_SUPPORTED
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include "hal/assert.h"
+#include "hal/key_mgr_types.h"
+#include "soc/keymng_reg.h"
+#include "soc/hp_sys_clkrst_struct.h"
+#include "soc/soc_caps.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief Enable the bus clock for Key Manager peripheral
+ *
+ * @param true to enable, false to disable
+ */
+static inline void key_mgr_ll_enable_bus_clock(bool enable)
+{
+    HP_SYS_CLKRST.soc_clk_ctrl1.reg_key_manager_sys_clk_en = enable;
+}
+
+/// use a macro to wrap the function, force the caller to use it in a critical section
+/// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance
+#define key_mgr_ll_enable_bus_clock(...) (void)__DECLARE_RCC_ATOMIC_ENV; key_mgr_ll_enable_bus_clock(__VA_ARGS__)
+
+/**
+ * @brief Reset the Key Manager peripheral */
+static inline void key_mgr_ll_reset_register(void)
+{
+    HP_SYS_CLKRST.peri_clk_ctrl25.reg_crypto_km_clk_en = 1;
+    HP_SYS_CLKRST.peri_clk_ctrl25.reg_crypto_km_clk_en = 0;
+    HP_SYS_CLKRST.hp_rst_en2.reg_rst_en_crypto = 1;
+    HP_SYS_CLKRST.hp_rst_en2.reg_rst_en_crypto = 0;
+}
+
+/// use a macro to wrap the function, force the caller to use it in a critical section
+/// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance
+#define key_mgr_ll_reset_register(...) (void)__DECLARE_RCC_ATOMIC_ENV; key_mgr_ll_reset_register(__VA_ARGS__)
+
+/* @brief Start the key manager at IDLE state */
+static inline void key_mgr_ll_start(void)
+{
+    REG_SET_BIT(KEYMNG_START_REG, KEYMNG_START);
+}
+
+/* @brief Continue key manager operation at LOAD/GAIN state */
+static inline void key_mgr_ll_continue(void)
+{
+    REG_SET_BIT(KEYMNG_START_REG, KEYMNG_CONTINUE);
+}
+
+
+/* @brief Enable or Disable the KEY_MGR interrupts */
+static inline void key_mgr_ll_configure_interrupt(const esp_key_mgr_interrupt_type_t intr, bool en)
+{
+    switch(intr) {
+        case ESP_KEY_MGR_INT_PREP_DONE:
+            REG_SET_FIELD(KEYMNG_INT_ENA_REG, KEYMNG_PREP_DONE_INT_ENA, en);
+            break;
+        case ESP_KEY_MGR_INT_PROC_DONE:
+            REG_SET_FIELD(KEYMNG_INT_ENA_REG, KEYMNG_PROC_DONE_INT_ENA, en);
+            break;
+        case ESP_KEY_MGR_INT_POST_DONE:
+            REG_SET_FIELD(KEYMNG_INT_ENA_REG, KEYMNG_POST_DONE_INT_ENA, en);
+            break;
+        default:
+            return;
+    }
+}
+
+/* @brief Clear the KEY_MGR interrupts */
+static inline void key_mgr_ll_clear_int(const esp_key_mgr_interrupt_type_t intr)
+{
+    switch(intr) {
+        case ESP_KEY_MGR_INT_PREP_DONE:
+            REG_SET_FIELD(KEYMNG_INT_CLR_REG, KEYMNG_PREP_DONE_INT_CLR, 1);
+            break;
+        case ESP_KEY_MGR_INT_PROC_DONE:
+            REG_SET_FIELD(KEYMNG_INT_CLR_REG, KEYMNG_PROC_DONE_INT_CLR, 1);
+            break;
+        case ESP_KEY_MGR_INT_POST_DONE:
+            REG_SET_FIELD(KEYMNG_INT_CLR_REG, KEYMNG_POST_DONE_INT_CLR, 1);
+            break;
+        default:
+            return;
+    }
+}
+
+
+/**
+ * @brief Set the key manager to use the software provided init key
+ */
+static inline void key_mgr_ll_use_sw_init_key(void)
+{
+    REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_SW_INIT_KEY);
+}
+
+/**
+ * @brief Configure the key manager key usage policy for a particular key type
+ *
+ */
+static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage)
+{
+    uint8_t read_value = ((0x03) & REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY));
+    uint8_t reg_value = (read_value & (~((uint8_t)key_type))) | (uint8_t) (key_type * key_usage);
+    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, reg_value);
+}
+
+static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type)
+{
+    return (esp_key_mgr_key_usage_t) (key_type & REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY));
+}
+
+/**
+ * @brief Set the lock for the use_sw_init_key_reg
+ *        After this lock has been set,
+ *        The Key manager configuration about the use of software init key cannot be changed
+ */
+static inline void key_mgr_ll_lock_use_sw_init_key_reg(void)
+{
+    REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_SW_INIT_KEY_LOCK);
+}
+
+/**
+ * @brief Set the lock for the use_sw_init_key_reg
+ *        After this lock has been set,
+ *        The Key manager configuration about whether to use a paricular key from efuse or key manager cannot be changed.
+ */
+static inline void key_mgr_ll_lock_use_efuse_key_reg(void)
+{
+    REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK);
+}
+
+/* @brief Configure the key purpose to be used by the Key Manager for key generator opearation */
+static inline void key_mgr_ll_set_key_purpose(const esp_key_mgr_key_purpose_t key_purpose)
+{
+    REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KEY_PURPOSE, key_purpose);
+}
+
+/**
+ * @brief Configure the mode which is used by the Key Manager for the generator key deployement process
+ */
+static inline void key_mgr_ll_set_key_generator_mode(const esp_key_mgr_key_generator_mode_t mode)
+{
+    REG_SET_FIELD(KEYMNG_CONF_REG, KEYMNG_KGEN_MODE, mode);
+}
+
+/**
+ * @brief Read the key manager process result
+ * @return  1 for Success
+ *          0 for failure
+ */
+static inline bool key_mgr_ll_is_result_success(void)
+{
+    return REG_GET_FIELD(KEYMNG_RESULT_REG, KEYMNG_PROC_RESULT);
+}
+
+/**
+ * @brief Check if the deployed key is valid or not
+ * @return  1 for Success
+ *          0 for failure
+ */
+static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type)
+{
+    switch (key_type) {
+    case ESP_KEY_MGR_ECDSA_KEY:
+        return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_VLD);
+        break;
+    case ESP_KEY_MGR_XTS_KEY:
+        return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_XTS_VLD);
+        break;
+    default:
+        HAL_ASSERT(false && "Unsupported mode");
+        return 0;
+    }
+}
+
+/*
+ * @brief Write the SW init key in the key manager registers
+ *
+ * @input
+ * sw_init_key_buf      Init key buffer, this should be a readable buffer of data_len size which should contain the sw init key. The buffer must be 32 bit aligned
+ * data_len             Length of the init key buffer
+ */
+static inline void key_mgr_ll_write_sw_init_key(const uint8_t *sw_init_key_buf, const size_t data_len)
+{
+    memcpy((uint8_t *)KEYMNG_SW_INIT_KEY_MEM, sw_init_key_buf, data_len);
+}
+
+/*
+ * @brief Write the Assist info in the key manager registers
+ *
+ * @input
+ * assist_info_buf      Assist info buffer, this should be a readable buffer of data_len size which should contain the assist info.  The buffer must be 32 bit aligned
+ * data_len             Length of the assist info buffer
+ */
+static inline void key_mgr_ll_write_assist_info(const uint8_t *assist_info_buf, const size_t data_len)
+{
+    memcpy((uint8_t *)KEYMNG_ASSIST_INFO_MEM, assist_info_buf, data_len);
+}
+
+/*
+ * @brief Read the Assist info from the key manager registers
+ *
+ * @input
+ * assist_info_buf      Assist info buffer, this should be a writable buffer of size KEY_MGR_ASSIST_INFO_LEN. The buffer must be 32 bit aligned
+ */
+static inline void key_mgr_ll_read_assist_info( uint8_t *assist_info_buf)
+{
+    memcpy(assist_info_buf, (uint8_t *)KEYMNG_ASSIST_INFO_MEM, KEY_MGR_ASSIST_INFO_LEN);
+}
+
+/*
+ * @brief Write the Public info in the key manager registers
+ * @input
+ * public_info_buf      Public info buffer, this should be a readable buffer of data_len size which should contain the public info.  The buffer must be 32 bit aligned
+ * data_len             Length of the public info buffer
+ */
+static inline void key_mgr_ll_write_public_info(const uint8_t *public_info_buf, const size_t data_len)
+{
+    memcpy((uint8_t *)KEYMNG_PUBLIC_INFO_MEM, public_info_buf, data_len);
+}
+
+/*
+ * @brief Read the Public info in the key manager registers
+ * @input
+ * public_info_buf      Public info buffer, this should be a writable buffer of read_len,  The buffer must be 32 bit aligned
+ * read_len             Length of the public info buffer
+ */
+static inline void key_mgr_ll_read_public_info(uint8_t *public_info_buf, const size_t read_len)
+{
+    memcpy(public_info_buf, (uint8_t *)KEYMNG_PUBLIC_INFO_MEM, read_len);
+}
+
+static inline bool key_mgr_ll_is_huk_valid(void)
+{
+    return REG_GET_FIELD(KEYMNG_HUK_VLD_REG, KEYMNG_HUK_VALID);
+}
+
+/* @brief Set the AES-XTS key length for the Key Manager */
+static inline void key_mgr_ll_set_aes_xts_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
+{
+    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_XTS_AES_KEY_LEN, key_len);
+}
+
+/* @brief Get the AES-XTS key length for the Key Manager */
+static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_aes_xts_key_len(void)
+{
+    return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_XTS_AES_KEY_LEN);
+}
+
+/**
+ * @brief Read state of Key Manager
+ *
+ * @return esp_key_mgr_state_t
+ */
+static inline esp_key_mgr_state_t key_mgr_ll_get_state(void)
+{
+    return (esp_key_mgr_state_t) REG_GET_FIELD(KEYMNG_STATE_REG, KEYMNG_STATE);
+}
+
+/**
+ * @brief Read the Key Manager date information
+ */
+static inline uint32_t key_mgr_ll_get_date_info(void)
+{
+    // Only the lest siginificantt 28 bits have desired information
+    return (uint32_t)(0x0FFFFFFF & REG_READ(KEYMNG_DATE_REG));
+}
+
+#ifdef __cplusplus
+}
+#endif
+#endif

components/hal/huk_hal.c

@@ -0,0 +1,45 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+// The HAL layer for Hardware Unique Key(HUK) Generator
+
+
+#include "hal/huk_hal.h"
+#include "hal/huk_ll.h"
+#include "hal/huk_types.h"
+#include "hal/assert.h"
+#include "hal/log.h"
+#include "rom/km.h"
+
+esp_huk_state_t huk_hal_get_state(void)
+{
+    return huk_ll_get_state();
+}
+
+static void inline huk_hal_wait_for_state(esp_huk_state_t state)
+{
+    while (huk_ll_get_state() != state) {
+        ;
+    }
+}
+
+esp_err_t huk_hal_configure(const esp_huk_mode_t huk_mode, uint8_t *huk_info_buf)
+{
+    if (esp_rom_km_huk_conf(huk_mode, huk_info_buf) == ETS_OK) {
+        return ESP_OK;
+    } else {
+        return ESP_FAIL;
+    }
+}
+
+uint8_t huk_hal_get_risk_level(void)
+{
+    return (uint8_t) esp_rom_km_huk_risk();
+}
+
+uint32_t huk_hal_get_date_info(void)
+{
+    return huk_ll_get_date_info();
+}

components/hal/include/hal/huk_types.h

@@ -0,0 +1,65 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#pragma once
+
+#include "soc/soc_caps.h"
+
+#if SOC_KEY_MANAGER_SUPPORTED
+
+#include "esp_assert.h"
+#include "rom/km.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define HUK_INFO_SIZE           384
+
+/**
+ * @brief Mode for Hardware Unique Key Process: recovery, generation
+ */
+typedef enum {
+    ESP_HUK_MODE_RECOVERY = 0,     /* HUK recovery mode */
+    ESP_HUK_MODE_GENERATION,       /* HUK generation mode */
+} esp_huk_mode_t;
+
+ESP_STATIC_ASSERT(sizeof(esp_huk_mode_t) == sizeof(huk_mode_t), "Size of esp_huk_mode_t should match huk_mode_t (from ROM)");
+
+/**
+ * @brief State of Hardware Unique Key Generator: idle, load, gain or busy.
+ *
+ */
+typedef enum {
+    ESP_HUK_STATE_IDLE = 0, /* Key Manager is idle */
+    ESP_HUK_STATE_LOAD,     /* Key Manager is read to recieve input */
+    ESP_HUK_STATE_GAIN,     /* Key Manager is ready to provide output */
+    ESP_HUK_STATE_BUSY      /* Key Manager is busy */
+} esp_huk_state_t;
+
+/**
+ * @brief Status of the Hardware Unique Key Generation:
+ * not generated, generated and valid, generated and invalid
+ */
+typedef enum {
+    ESP_HUK_STATUS_NOT_GENERATED = 0,      /* HUK is not generated */
+    ESP_HUK_STATUS_GENERATED_AND_VALID,    /* HUK is generated and valid */
+    ESP_HUK_STATUS_GENERATED_AND_INVALID   /* HUK is generated and is invalid */
+} esp_huk_gen_status_t;
+
+/**
+ * @brief
+ * HUK interrupt types
+ */
+typedef enum {
+    ESP_HUK_INT_PREP_DONE = 0x01,
+    ESP_HUK_INT_PROC_DONE,
+    ESP_HUK_INT_POST_DONE,
+} esp_huk_interrupt_type_t;
+
+#ifdef __cplusplus
+}
+#endif
+#endif

components/hal/include/hal/key_mgr_types.h

@@ -0,0 +1,91 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#pragma once
+
+#include "soc/soc_caps.h"
+
+#if SOC_KEY_MANAGER_SUPPORTED
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#define KEY_MGR_ASSIST_INFO_LEN    64
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @brief State of Key Manager: idle, load, gain or busy.
+ */
+typedef enum {
+    ESP_KEY_MGR_STATE_IDLE = 0, /* Key Manager is idle */
+    ESP_KEY_MGR_STATE_LOAD,     /* Key Manager is read to recieve input */
+    ESP_KEY_MGR_STATE_GAIN,     /* Key Manager is ready to provide output */
+    ESP_KEY_MGR_STATE_BUSY      /* Key Manager is busy */
+} esp_key_mgr_state_t;
+
+/**
+ * @brief Length of the XTS AES key
+ */
+typedef enum {
+    ESP_KEY_MGR_XTS_AES_LEN_512 = 0, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256  */
+    ESP_KEY_MGR_XTS_AES_LEN_256,     /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128*/
+} esp_key_mgr_xts_aes_key_len_t;
+
+/**
+ * @brief Type of the key: ECDSA, XTS
+ */
+typedef enum {
+    ESP_KEY_MGR_ECDSA_KEY = 1, /* ECDSA key */
+    ESP_KEY_MGR_XTS_KEY,       /* XTS AES key */
+} esp_key_mgr_key_type_t;
+
+/*
+ * @brief Key Manager key usage type
+ */
+typedef enum {
+    ESP_KEY_MGR_USE_OWN_KEY = 0, /* Use key from the key manager */
+    ESP_KEY_MGR_USE_EFUSE_KEY, /* Use key from the eFuse */
+} esp_key_mgr_key_usage_t;
+
+/**
+ * @brief Key Purpose to be set for a particular key in the Key Manager
+ */
+typedef enum {
+    ESP_KEY_MGR_KEY_PURPOSE_ECDSA = 1,
+    ESP_KEY_MGR_KEY_PURPOSE_XTS_256_1, /* First half of the XTS AES 256 bit key */
+    ESP_KEY_MGR_KEY_PURPOSE_XTS_256_2, /* Second half of the XTS AES 256 bit key */
+    ESP_KEY_MGR_KEY_PURPOSE_XTS_128    /* XTS AES 128 bit key */
+} esp_key_mgr_key_purpose_t;
+
+/**
+ * @brief Key Manager Generator mode
+ */
+typedef enum {
+    ESP_KEY_MGR_KEYGEN_MODE_RANDOM = 0,
+    ESP_KEY_MGR_KEYGEN_MODE_AES,
+    ESP_KEY_MGR_KEYGEN_MODE_ECDH0,
+    ESP_KEY_MGR_KEYGEN_MODE_ECDH1,
+    ESP_KEY_MGR_KEYGEN_MODE_RECOVER,
+    ESP_KEY_MGR_KEYGEN_MODE_EXPORT,
+} esp_key_mgr_key_generator_mode_t;
+
+/**
+ * @brief
+ * Key Manager interrupt types
+ */
+typedef enum {
+    ESP_KEY_MGR_INT_PREP_DONE = 0x01,
+    ESP_KEY_MGR_INT_PROC_DONE,
+    ESP_KEY_MGR_INT_POST_DONE,
+} esp_key_mgr_interrupt_type_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

components/hal/key_mgr_hal.c

@@ -0,0 +1,105 @@
+/*
+ * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+// The HAL layer for Key Manager
+
+#include "hal/key_mgr_hal.h"
+#include "hal/key_mgr_ll.h"
+#include "hal/key_mgr_types.h"
+
+void key_mgr_hal_start(void)
+{
+    key_mgr_ll_start();
+}
+
+void key_mgr_hal_use_sw_init_key(void)
+{
+    return key_mgr_ll_use_sw_init_key();
+}
+
+void key_mgr_hal_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage)
+{
+    return key_mgr_ll_set_key_usage(key_type, key_usage);
+}
+
+esp_key_mgr_key_usage_t key_mgr_hal_get_key_usage(const esp_key_mgr_key_type_t key_type)
+{
+    return key_mgr_ll_get_key_usage(key_type);
+}
+
+void key_mgr_hal_set_key_purpose(const esp_key_mgr_key_purpose_t key_purpose)
+{
+    return key_mgr_ll_set_key_purpose(key_purpose);
+}
+
+void key_mgr_hal_set_key_generator_mode(const esp_key_mgr_key_generator_mode_t mode)
+{
+    return key_mgr_ll_set_key_generator_mode(mode);
+}
+
+bool key_mgr_hal_is_result_success(void)
+{
+    return key_mgr_ll_is_result_success();
+}
+
+bool key_mgr_hal_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type)
+{
+    return key_mgr_ll_is_key_deployment_valid(key_type);
+}
+
+void key_mgr_hal_write_sw_init_key(const uint8_t *sw_init_key_buf, const size_t data_len)
+{
+    key_mgr_ll_write_sw_init_key(sw_init_key_buf, data_len);
+}
+
+void key_mgr_hal_write_assist_info(const uint8_t *assist_info_buf, const size_t data_len)
+{
+    key_mgr_ll_write_assist_info(assist_info_buf, data_len);
+}
+
+void key_mgr_hal_assist_assist_info(uint8_t *assist_info_buf)
+{
+    key_mgr_ll_read_assist_info(assist_info_buf);
+}
+
+void key_mgr_hal_write_public_info(const uint8_t *public_info_buf, const size_t data_len)
+{
+    key_mgr_ll_write_public_info(public_info_buf, data_len);
+}
+
+void key_mgr_hal_read_public_info(uint8_t *public_info_buf, const size_t read_len)
+{
+    key_mgr_ll_read_public_info(public_info_buf, read_len);
+}
+
+bool key_mgr_hal_is_huk_valid(void)
+{
+    return key_mgr_ll_is_huk_valid();
+}
+
+void key_mgr_hal_set_aes_xts_key_len(const esp_key_mgr_xts_aes_key_len_t key_len)
+{
+    key_mgr_ll_set_aes_xts_key_len(key_len);
+}
+
+esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_aes_xts_key_len(void)
+{
+    return key_mgr_ll_get_aes_xts_key_len();
+}
+
+void key_mgr_hal_continue(void)
+{
+    key_mgr_ll_continue();
+}
+
+esp_key_mgr_state_t key_mgr_hal_get_state(void)
+{
+    return key_mgr_ll_get_state();
+}
+
+uint32_t key_mgr_hal_get_date_info(void)
+{
+    return key_mgr_ll_get_date_info();
+}

components/soc/esp32p4/include/soc/reg_base.h

@@ -47,7 +47,7 @@
 #define DR_REG_JPEG_BASE              (DR_REG_HPPERIPH0_BASE + 0x86000)
 #define DR_REG_PPA_BASE               (DR_REG_HPPERIPH0_BASE + 0x87000)
 #define DR_REG_DMA2D_BASE             (DR_REG_HPPERIPH0_BASE + 0x88000)
-#define DR_REG_KEY_MANAGER_BASE       (DR_REG_HPPERIPH0_BASE + 0x89000)
+#define DR_REG_KEYMNG_BASE            (DR_REG_HPPERIPH0_BASE + 0x89000)
 #define DR_REG_AXI_DMA_BASE           (DR_REG_HPPERIPH0_BASE + 0x8A000)
 #define DR_REG_FLASH_SPI0_BASE        (DR_REG_HPPERIPH0_BASE + 0x8C000)
 #define DR_REG_FLASH_SPI1_BASE        (DR_REG_HPPERIPH0_BASE + 0x8D000)
@@ -126,6 +126,7 @@
 #define DR_REG_LP_TIMER_BASE          (DR_REG_LPAON_BASE + 0x2000)
 #define DR_REG_LP_ANAPERI_BASE        (DR_REG_LPAON_BASE + 0x3000)
 #define DR_REG_LP_HUK_BASE            (DR_REG_LPAON_BASE + 0x4000)
+#define DR_REG_HUK_BASE               (DR_REG_LP_HUK_BASE)
 #define DR_REG_PMU_BASE               (DR_REG_LPAON_BASE + 0x5000)
 #define DR_REG_LP_WDT_BASE            (DR_REG_LPAON_BASE + 0x6000)
 #define DR_REG_LP_MB_BASE             (DR_REG_LPAON_BASE + 0x8000)