diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 44b88a66c6..0c6a4a10dd 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -8,6 +8,7 @@ #include "hal/ecdsa_ll.h" #include "hal/ecdsa_hal.h" #include "hal/efuse_hal.h" +#include "hal/efuse_ll.h" #include "soc/soc_caps.h" #if HAL_CONFIG(ECDSA_GEN_SIG_CM) @@ -26,11 +27,20 @@ #define ECDSA_HAL_P384_COMPONENT_LEN 48 #endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */ +void ecdsa_hal_set_efuse_key(ecdsa_curve_t curve, int efuse_blk) +{ + ecdsa_ll_set_ecdsa_key_blk(curve, efuse_blk); + + efuse_ll_rs_bypass_update(); + + efuse_hal_read(); +} + static void configure_ecdsa_periph(ecdsa_hal_config_t *conf) { if (conf->use_km_key == 0) { - efuse_hal_set_ecdsa_key(conf->curve, conf->efuse_key_blk); + ecdsa_hal_set_efuse_key(conf->curve, conf->efuse_key_blk); #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY // Force Key Manager to use eFuse key for XTS-AES operation diff --git a/components/hal/efuse_hal.c b/components/hal/efuse_hal.c index e2f93416c0..548425c3ac 100644 --- a/components/hal/efuse_hal.c +++ b/components/hal/efuse_hal.c @@ -58,16 +58,7 @@ IRAM_ATTR bool efuse_hal_flash_encryption_enabled(void) return enabled; } -#if SOC_EFUSE_ECDSA_KEY -void efuse_hal_set_ecdsa_key(ecdsa_curve_t curve, int efuse_blk) -{ - efuse_ll_set_ecdsa_key_blk(curve, efuse_blk); - efuse_ll_rs_bypass_update(); - - efuse_hal_read(); -} -#endif #if SOC_RECOVERY_BOOTLOADER_SUPPORTED uint32_t efuse_hal_get_recovery_bootloader_address(void) diff --git a/components/hal/esp32c5/include/hal/ecdsa_ll.h b/components/hal/esp32c5/include/hal/ecdsa_ll.h index 4dd004620d..3959a3ad3c 100644 --- a/components/hal/esp32c5/include/hal/ecdsa_ll.h +++ b/components/hal/esp32c5/include/hal/ecdsa_ll.h @@ -10,6 +10,7 @@ #include "hal/assert.h" #include "soc/ecdsa_reg.h" #include "soc/pcr_struct.h" +#include "soc/efuse_periph.h" #include "hal/ecdsa_types.h" #ifdef __cplusplus 
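Review bot: `ecdsa_hal_set_efuse_key()` in ecdsa_hal.c is now built unconditionally, while the `efuse_hal_set_ecdsa_key()` it replaces was wrapped in `#if SOC_EFUSE_ECDSA_KEY` in both efuse_hal.c and efuse_hal.h. On targets where this commit makes `ecdsa_ll_set_ecdsa_key_blk()` an empty stub (esp32h21, esp32h4), the call returns normally without selecting a key block, and `configure_ecdsa_periph()` gets no indication of that. I would either keep the guard around the definition and the prototype, or state the limitation at the definition, e.g. `/* No-op on targets whose ecdsa_ll_set_ecdsa_key_blk() is a stub; the caller must not assume a key block was selected. */`. The write, `efuse_ll_rs_bypass_update()` and `efuse_hal_read()` look order-dependent, so a one-line comment on why the read follows the write would help. The body of `configure_ecdsa_periph()` continues outside the hunk.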
@@ -413,6 +414,37 @@ static inline bool ecdsa_ll_is_deterministic_mode_supported(void) return true; } +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + uint8_t efuse_blk_low = 0; + uint8_t efuse_blk_high = 0; + + switch (curve) { + case ECDSA_CURVE_SECP192R1: + EFUSE.ecdsa.cfg_ecdsa_p192_blk = efuse_blk; + break; + case ECDSA_CURVE_SECP256R1: + EFUSE.ecdsa.cfg_ecdsa_p256_blk = efuse_blk; + break; + case ECDSA_CURVE_SECP384R1: + // ECDSA-p384 uses two efuse blocks to store the key. These two blocks are stored in a single integer + // where the least significant 4 bits store the low key block number and the next 4 more significant bits store the high key block number. + HAL_ECDSA_EXTRACT_KEY_BLOCKS(efuse_blk, efuse_blk_high, efuse_blk_low); + EFUSE.ecdsa.cfg_ecdsa_p384_h_blk = efuse_blk_high; + EFUSE.ecdsa.cfg_ecdsa_p384_l_blk = efuse_blk_low; + break; + default: + HAL_ASSERT(false && "Unsupported curve"); + break; + } +} + #ifdef __cplusplus } #endif diff --git a/components/hal/esp32c5/include/hal/efuse_ll.h b/components/hal/esp32c5/include/hal/efuse_ll.h index 7e0ae8f935..3ac35b4c7a 100644 --- a/components/hal/esp32c5/include/hal/efuse_ll.h +++ b/components/hal/esp32c5/include/hal/efuse_ll.h @@ -13,7 +13,6 @@ #include "soc/efuse_periph.h" #include "hal/assert.h" #include "rom/efuse.h" -#include "hal/ecdsa_types.h" #ifdef __cplusplus extern "C" { 
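Review bot: The `default:` arm of `ecdsa_ll_set_ecdsa_key_blk()` relies on `HAL_ASSERT(false && "Unsupported curve")` alone, and the function returns void. If the assertion is compiled out in the configured build, an unsupported `curve` leaves all key-block fields at their previous values, and the caller still refreshes eFuse and continues with whatever block was selected before. Since the LL cannot report an error, I would reject the curve in the HAL before calling down, or at least record the behaviour here: `// With assertions disabled, an unsupported curve leaves the previous key-block selection in place.` The new doc comment should also say that for `ECDSA_CURVE_SECP384R1` `efuse_blk` is the packed value (low block in bits 0-3, high block in bits 4-7), not a single block number. As written, `@param efuse_blk eFuse block number` contradicts the P-384 branch.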
@@ -94,31 +93,6 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_chip_ver_pkg( return EFUSE.rd_mac_sys2.pkg_version; } -__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) -{ - uint8_t efuse_blk_low = 0; - uint8_t efuse_blk_high = 0; - - switch (curve) { - case ECDSA_CURVE_SECP192R1: - EFUSE.ecdsa.cfg_ecdsa_p192_blk = efuse_blk; - break; - case ECDSA_CURVE_SECP256R1: - EFUSE.ecdsa.cfg_ecdsa_p256_blk = efuse_blk; - break; - case ECDSA_CURVE_SECP384R1: - // ECDSA-p384 uses two efuse blocks to store the key. These two blocks are stored in a single integer - // where the least significant 4 bits store the low key block number and the next 4 more significant bits store the high key block number. - HAL_ECDSA_EXTRACT_KEY_BLOCKS(efuse_blk, efuse_blk_high, efuse_blk_low); - EFUSE.ecdsa.cfg_ecdsa_p384_h_blk = efuse_blk_high; - EFUSE.ecdsa.cfg_ecdsa_p384_l_blk = efuse_blk_low; - break; - default: - HAL_ASSERT(false && "Unsupported curve"); - break; - } -} - __attribute__((always_inline)) static inline uint32_t efuse_ll_get_ocode(void) { return EFUSE.rd_sys_part1_data4.ocode; diff --git a/components/hal/esp32c61/include/hal/ecdsa_ll.h b/components/hal/esp32c61/include/hal/ecdsa_ll.h index 758283e9c0..ecba35f6ee 100644 --- a/components/hal/esp32c61/include/hal/ecdsa_ll.h +++ b/components/hal/esp32c61/include/hal/ecdsa_ll.h @@ -10,6 +10,7 @@ #include "hal/assert.h" #include "soc/ecdsa_reg.h" #include "soc/pcr_struct.h" +#include "soc/efuse_periph.h" #include "hal/ecdsa_types.h" #ifdef __cplusplus 
@@ -432,6 +433,18 @@ static inline bool ecdsa_ll_is_deterministic_mode_supported(void) return true; } +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + (void) curve; + EFUSE0.conf.cfg_ecdsa_blk = efuse_blk; +} + #ifdef __cplusplus } #endif diff --git a/components/hal/esp32c61/include/hal/efuse_ll.h b/components/hal/esp32c61/include/hal/efuse_ll.h index e1b0a9a641..df85c37ebf 100644 --- a/components/hal/esp32c61/include/hal/efuse_ll.h +++ b/components/hal/esp32c61/include/hal/efuse_ll.h @@ -13,7 +13,6 @@ #include "soc/efuse_struct.h" #include "hal/assert.h" #include "rom/efuse.h" -#include "hal/ecdsa_types.h" #ifdef __cplusplus extern "C" { @@ -139,11 +138,6 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_ecdsa_key_blk return EFUSE0.conf.cfg_ecdsa_blk; } -__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) -{ - (void) curve; - EFUSE0.conf.cfg_ecdsa_blk = efuse_blk; -} __attribute__((always_inline)) static inline uint32_t efuse_ll_get_recovery_bootloader_sector(void) { diff --git a/components/hal/esp32h2/include/hal/ecdsa_ll.h b/components/hal/esp32h2/include/hal/ecdsa_ll.h index 842e5b4d97..876485ce60 100644 --- a/components/hal/esp32h2/include/hal/ecdsa_ll.h +++ b/components/hal/esp32h2/include/hal/ecdsa_ll.h @@ -11,6 +11,7 @@ #include "soc/ecdsa_reg.h" #include "soc/ecdsa_struct.h" #include "soc/pcr_struct.h" +#include "soc/efuse_periph.h" #include "hal/ecdsa_types.h" #include "hal/ecc_ll.h" 
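Review bot: The new doc comment on `ecdsa_ll_set_ecdsa_key_blk()` says "Set the ECDSA key block in eFuse", but the body only assigns `EFUSE0.conf.cfg_ecdsa_blk`. That reads as selecting which key block the ECDSA peripheral uses rather than programming eFuse, so I would reword it to `@brief Select the eFuse key block used as the ECDSA private key`. It should also note that `curve` is ignored on this target, which the `(void) curve;` line shows, e.g. `@param curve Unused: this target has a single ECDSA key-block field`. The `int efuse_blk` goes into the register field unchecked, and the range promised in ecdsa_hal.h (`[EFUSE_BLK_KEY0...EFUSE_BLK_KEY_MAX - 1]`) is not enforced anywhere in the visible code. A `HAL_ASSERT` on that range in the HAL wrapper, or at minimum `HAL_ASSERT(efuse_blk >= 0);` here, would stop a bad value from silently selecting a different block. The esp32h2 and esp32p4 hunks add the same function with the same comment and need the same changes.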
@@ -418,6 +419,18 @@ static inline bool ecdsa_ll_is_deterministic_mode_supported(void) return ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102); } +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + (void) curve; + EFUSE.conf.cfg_ecdsa_blk = efuse_blk; +} + /** * @brief Check if the ECDSA peripheral uses MPI module's memory */ diff --git a/components/hal/esp32h2/include/hal/efuse_ll.h b/components/hal/esp32h2/include/hal/efuse_ll.h index a12018a898..b3bdf36214 100644 --- a/components/hal/esp32h2/include/hal/efuse_ll.h +++ b/components/hal/esp32h2/include/hal/efuse_ll.h @@ -11,7 +11,6 @@ #include "soc/efuse_periph.h" #include "hal/assert.h" #include "rom/efuse.h" -#include "hal/ecdsa_types.h" #ifdef __cplusplus extern "C" { @@ -113,12 +112,6 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_ecdsa_key_blk return EFUSE.conf.cfg_ecdsa_blk; } -__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) -{ - (void) curve; - EFUSE.conf.cfg_ecdsa_blk = efuse_blk; -} - /******************* eFuse control functions *************************/ __attribute__((always_inline)) static inline bool efuse_ll_get_read_cmd(void) diff --git a/components/hal/esp32h21/include/hal/ecdsa_ll.h b/components/hal/esp32h21/include/hal/ecdsa_ll.h index 608cf19bc7..c5523e6500 100644 --- a/components/hal/esp32h21/include/hal/ecdsa_ll.h +++ b/components/hal/esp32h21/include/hal/ecdsa_ll.h @@ -10,6 +10,7 @@ #include "hal/assert.h" #include "soc/ecdsa_reg.h" #include "soc/pcr_struct.h" +#include "soc/efuse_periph.h" #include "hal/ecdsa_types.h" #ifdef __cplusplus 
@@ -415,6 +416,18 @@ static inline bool ecdsa_ll_is_deterministic_mode_supported(void) return true; } +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + (void) curve; + (void) efuse_blk; +} + #ifdef __cplusplus } #endif diff --git a/components/hal/esp32h21/include/hal/efuse_ll.h b/components/hal/esp32h21/include/hal/efuse_ll.h index 44f821426c..0ae4e5d99e 100644 --- a/components/hal/esp32h21/include/hal/efuse_ll.h +++ b/components/hal/esp32h21/include/hal/efuse_ll.h @@ -11,7 +11,6 @@ #include "soc/efuse_periph.h" #include "hal/assert.h" #include "rom/efuse.h" -#include "hal/ecdsa_types.h" //TODO: [ESP32H21] IDF-11556, inherit from h2 @@ -103,13 +102,6 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_ecdsa_key_blk return 0; } -__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) -{ - //TODO: [ESP32H21] IDF-11507 - (void) curve; - (void) efuse_blk; -} - /******************* eFuse control functions *************************/ __attribute__((always_inline)) static inline bool efuse_ll_get_read_cmd(void) diff --git a/components/hal/esp32h4/include/hal/ecdsa_ll.h b/components/hal/esp32h4/include/hal/ecdsa_ll.h new file mode 100644 index 0000000000..cfd65a44d6 --- /dev/null +++ b/components/hal/esp32h4/include/hal/ecdsa_ll.h 
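Review bot: The esp32h21 `ecdsa_ll_set_ecdsa_key_blk()` is an empty stub, and the move dropped the `//TODO: [ESP32H21] IDF-11507` marker that the removed `efuse_ll_set_ecdsa_key_blk()` carried. The new function now has a full doc comment claiming it sets the key block while the body discards both arguments. Please keep the marker and make the comment honest, e.g. `@note Not implemented on ESP32-H21 (IDF-11507): this function does nothing.` The new esp32h4/ecdsa_ll.h has the same stub with only `//ESP32H4 TODO`. Citing the ticket used in soc_caps.h there (`// TODO: [ESP32H4] IDF-12259`) would keep the two places traceable to each other.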
@@ -0,0 +1,36 @@ +/* + * SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ +#pragma once + +#include +#include +#include "hal/assert.h" +#include "soc/ecdsa_reg.h" +#include "soc/pcr_struct.h" +#include "soc/efuse_periph.h" +#include "hal/ecdsa_types.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + //ESP32H4 TODO + (void)curve; + (void)efuse_blk; +} + + +#ifdef __cplusplus +} +#endif diff --git a/components/hal/esp32h4/include/hal/efuse_ll.h b/components/hal/esp32h4/include/hal/efuse_ll.h index a3e6c26611..f02fca73ad 100644 --- a/components/hal/esp32h4/include/hal/efuse_ll.h +++ b/components/hal/esp32h4/include/hal/efuse_ll.h @@ -97,13 +97,6 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_ecdsa_key_blk return 0; } -__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) -{ - //ESP32H4 TODO - (void)curve; - (void)efuse_blk; -} - /******************* eFuse control functions *************************/ __attribute__((always_inline)) static inline bool efuse_ll_get_read_cmd(void) diff --git a/components/hal/esp32p4/include/hal/ecdsa_ll.h b/components/hal/esp32p4/include/hal/ecdsa_ll.h index 7e6a9210cb..96c31207fd 100644 --- a/components/hal/esp32p4/include/hal/ecdsa_ll.h +++ b/components/hal/esp32p4/include/hal/ecdsa_ll.h @@ -11,6 +11,7 @@ #include "soc/ecdsa_reg.h" #include "soc/hp_sys_clkrst_struct.h" #include "soc/soc_caps.h" +#include "soc/efuse_periph.h" #include "hal/ecdsa_types.h" #ifdef __cplusplus 
@@ -443,6 +444,18 @@ static inline bool ecdsa_ll_is_deterministic_mode_supported(void) return true; } +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + (void) curve; + EFUSE.conf.cfg_ecdsa_blk = efuse_blk; +} + /** * @brief Check if the ECDSA peripheral uses MPI module's memory */ diff --git a/components/hal/esp32p4/include/hal/efuse_ll.h b/components/hal/esp32p4/include/hal/efuse_ll.h index 9011a8c50c..102a256748 100644 --- a/components/hal/esp32p4/include/hal/efuse_ll.h +++ b/components/hal/esp32p4/include/hal/efuse_ll.h @@ -11,7 +11,6 @@ #include "soc/efuse_periph.h" #include "hal/assert.h" #include "rom/efuse.h" -#include "hal/ecdsa_types.h" #ifdef __cplusplus extern "C" { @@ -92,11 +91,6 @@ __attribute__((always_inline)) static inline uint32_t efuse_ll_get_chip_ver_pkg( return EFUSE.rd_mac_sys_2.pkg_version; } -__attribute__((always_inline)) static inline void efuse_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) -{ - (void) curve; - EFUSE.conf.cfg_ecdsa_blk = efuse_blk; -} /******************* eFuse control functions *************************/ diff --git a/components/hal/include/hal/ecdsa_hal.h b/components/hal/include/hal/ecdsa_hal.h index 41722808cd..15b4d030b7 100644 --- a/components/hal/include/hal/ecdsa_hal.h +++ b/components/hal/include/hal/ecdsa_hal.h 
@@ -109,6 +109,17 @@ bool ecdsa_hal_det_signature_k_check(void); #endif /* SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE && !SOC_ECDSA_SUPPORT_HW_DETERMINISTIC_LOOP */ +/** + * @brief Set the efuse block that should be used as ECDSA private key + * + * @note The efuse block must be burnt with key purpose ECDSA_KEY + * + * @param curve ECDSA curve type + * @param efuse_key_blk If two blocks are used to store the key, then the macro HAL_ECDSA_COMBINE_KEY_BLOCKS() can be used to combine them. The macro is defined in hal/ecdsa_types.h + * Each efuse key block number (Must be in [EFUSE_BLK_KEY0...EFUSE_BLK_KEY_MAX - 1] range). + */ +void ecdsa_hal_set_efuse_key(ecdsa_curve_t curve, int efuse_key_blk); + #ifdef __cplusplus } #endif diff --git a/components/hal/include/hal/efuse_hal.h b/components/hal/include/hal/efuse_hal.h index c18cdd2d97..d21390a27a 100644 --- a/components/hal/include/hal/efuse_hal.h +++ b/components/hal/include/hal/efuse_hal.h @@ -75,18 +75,6 @@ uint32_t efuse_hal_get_minor_chip_version(void); */ uint32_t efuse_hal_get_chip_ver_pkg(void); -#if SOC_EFUSE_ECDSA_KEY -/** - * @brief Set the efuse block that should be used as ECDSA private key - * - * @note The efuse block must be burnt with key purpose ECDSA_KEY - * - * @param curve ECDSA curve type - * @param efuse_key_blk If two blocks are used to store the key, then the macro HAL_ECDSA_COMBINE_KEY_BLOCKS() can be used to combine them. The macro is defined in hal/ecdsa_types.h - * Each efuse key block number (Must be in [EFUSE_BLK_KEY0...EFUSE_BLK_KEY_MAX - 1] range). - */ -void efuse_hal_set_ecdsa_key(ecdsa_curve_t curve, int efuse_key_blk); -#endif #if SOC_RECOVERY_BOOTLOADER_SUPPORTED diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index 50c0a5a929..e3466ac7bb 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in 
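Review bot: The `@param efuse_key_blk` text was moved verbatim and still reads out of order: the two-block case comes first, followed by a dangling "Each efuse key block number (...)" fragment. Since this is now the ECDSA HAL's public contract for key selection, I would rewrite it as `@param efuse_key_blk eFuse key block number, in [EFUSE_BLK_KEY0...EFUSE_BLK_KEY_MAX - 1]. For a key stored in two blocks, pass the value built with HAL_ECDSA_COMBINE_KEY_BLOCKS() (hal/ecdsa_types.h).` The `@note` about key purpose ECDSA_KEY should say that the function does not check the purpose or the range itself, because nothing in the visible implementation does so. The prototype also lost its `#if SOC_EFUSE_ECDSA_KEY` guard, so the comment should mention any target where the call has no effect.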
@@ -797,7 +797,7 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK config SOC_EFUSE_ECDSA_KEY bool - default y + default n config SOC_SECURE_BOOT_V2_RSA bool diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index cb24612d75..c69b1311f2 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -453,7 +453,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 0 #define SOC_EFUSE_DIS_ICACHE 0 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block -#define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_ECDSA_KEY 0 // TODO: [ESP32H4] IDF-12259 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1
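Review bot: Changing `SOC_EFUSE_ECDSA_KEY` from 1 to 0 for esp32h4 in soc_caps.h is a capability change inside a commit that otherwise only moves a function between the eFuse and ECDSA layers. Any other code gated on this macro (none is visible in this diff) will now be compiled out on H4. That is probably intended given the stub LL, but it should be stated in the commit message or split into its own commit so it can be reviewed and reverted independently. The trailing `// TODO: [ESP32H4] IDF-12259` is good; a few words on what must land before the flag returns to 1 would make it actionable.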