Merge branch 'refactor/hide_ecdsa_kconfig_option_from_hal' into 'master'

refactor(hal): Move CONFIG options used in ecdsa_hal.c under config.h

Closes IDF-13584

See merge request espressif/esp-idf!40713

components/hal/ecdsa_hal.c

@@ -8,8 +8,9 @@
 #include "hal/ecdsa_ll.h"
 #include "hal/ecdsa_hal.h"
 #include "hal/efuse_hal.h"
+#include "soc/soc_caps.h"
 
-#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+#if HAL_CONFIG_ECDSA_GEN_SIG_CM
 #include "esp_fault.h"
 #include "esp_random.h"
 #include "soc/chip_revision.h"
@@ -98,7 +99,7 @@ static void ecdsa_hal_gen_signature_inner(const uint8_t *hash, uint8_t *r_out,
     }
 }
 
-#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+#if HAL_CONFIG_ECDSA_GEN_SIG_CM
 __attribute__((optimize("O0"))) static void ecdsa_hal_gen_signature_with_countermeasure(const uint8_t *hash, uint8_t *r_out,
                        uint8_t *s_out, uint16_t len)
 {
@@ -126,7 +127,7 @@ __attribute__((optimize("O0"))) static void ecdsa_hal_gen_signature_with_counter
     }
 
 }
-#endif /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
+#endif /* HAL_CONFIG_ECDSA_GEN_SIG_CM */
 
 
 
@@ -147,19 +148,17 @@ void ecdsa_hal_gen_signature(ecdsa_hal_config_t *conf, const uint8_t *hash,
 
     configure_ecdsa_periph(conf);
 
-#if CONFIG_HAL_ECDSA_GEN_SIG_CM
-#if CONFIG_IDF_TARGET_ESP32H2
+#if HAL_CONFIG_ECDSA_GEN_SIG_CM
+#if SOC_IS(ESP32H2)
     if (!ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102)) {
         ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len);
-    } else {
-        ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len);
+        return;
     }
-#else
-    ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len);
 #endif
-#else /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
+    ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len);
+#else /* HAL_CONFIG_ECDSA_GEN_SIG_CM */
     ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len);
-#endif /* !CONFIG_HAL_ECDSA_GEN_SIG_CM */
+#endif /* !HAL_CONFIG_ECDSA_GEN_SIG_CM */
 
 }
 

components/hal/include/hal/ecdsa_hal.h

@@ -16,13 +16,13 @@
 #include <stdint.h>
 #include "hal/ecdsa_types.h"
 #include "soc/soc_caps.h"
-#include "sdkconfig.h"
+#include "hal/config.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
-#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+#if HAL_CONFIG_ECDSA_GEN_SIG_CM
 
 #define ECDSA_SIGN_MAX_DUMMY_OP_COUNT 0x7
 
@@ -32,7 +32,7 @@ extern "C" {
    After the countermeasure is enabled, hardware ECDSA signature operation
    shall take time approximately equal to original time multiplied by this number.
    If you observe that the reduced performance is affecting your use-case then you may try reducing this time to the minimum. */
-#endif /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
+#endif /* HAL_CONFIG_ECDSA_GEN_SIG_CM */
 /*
  * ECDSA peripheral config structure
  */

components/hal/platform_port/include/hal/config.h

@@ -33,6 +33,12 @@ extern "C" {
  */
 #define HAL_CONFIG_SPI_FLASH_USE_ROM_API CONFIG_SPI_FLASH_ROM_IMPL
 
+/**
+ * @brief Enable this to use constant-time ECDSA signature generation.
+ *        This provides enhanced security against timing attacks.
+ */
+#define HAL_CONFIG_ECDSA_GEN_SIG_CM CONFIG_HAL_ECDSA_GEN_SIG_CM
+
 #ifdef __cplusplus
 }
 #endif

tools/ci/sg_rules/no_kconfig_in_hal_component.yml

@@ -13,13 +13,11 @@ ignores:
   # the following files should be refactored to remove Kconfig macros
   - "components/hal/adc_oneshot_hal.c"
   - "components/hal/cache_hal.c"
-  - "components/hal/ecdsa_hal.c"
   - "components/hal/mmu_hal.c"
   - "components/hal/twai_hal_sja1000.c"
   - "components/hal/esp32/gpio_hal_workaround.c"
   - "components/hal/esp32/include/hal/twai_ll.h"
   - "components/hal/esp32/include/hal/uart_ll.h"
-  - "components/hal/include/hal/ecdsa_hal.h"
   - "components/hal/include/hal/gpio_hal.h"
   - "components/hal/include/hal/twai_types_deprecated.h"
 rule:
@@ -56,7 +54,6 @@ ignores:
   - "components/hal/cache_hal.c"
   - "components/hal/mmu_hal.c"
   - "components/hal/twai_hal_sja1000.c"
-  - "components/hal/include/hal/ecdsa_hal.h"
   - "components/hal/include/hal/twai_types_deprecated.h"
 rule:
   kind: preproc_include