diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 097ac9e53b..2c7f607d7c 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -8,8 +8,9 @@ #include "hal/ecdsa_ll.h" #include "hal/ecdsa_hal.h" #include "hal/efuse_hal.h" +#include "soc/soc_caps.h" -#if CONFIG_HAL_ECDSA_GEN_SIG_CM +#if HAL_CONFIG_ECDSA_GEN_SIG_CM #include "esp_fault.h" #include "esp_random.h" #include "soc/chip_revision.h" @@ -98,7 +99,7 @@ static void ecdsa_hal_gen_signature_inner(const uint8_t *hash, uint8_t *r_out, } } -#if CONFIG_HAL_ECDSA_GEN_SIG_CM +#if HAL_CONFIG_ECDSA_GEN_SIG_CM __attribute__((optimize("O0"))) static void ecdsa_hal_gen_signature_with_countermeasure(const uint8_t *hash, uint8_t *r_out, uint8_t *s_out, uint16_t len) { @@ -126,7 +127,7 @@ __attribute__((optimize("O0"))) static void ecdsa_hal_gen_signature_with_counter } } -#endif /* CONFIG_HAL_ECDSA_GEN_SIG_CM */ +#endif /* HAL_CONFIG_ECDSA_GEN_SIG_CM */ @@ -147,19 +148,17 @@ void ecdsa_hal_gen_signature(ecdsa_hal_config_t *conf, const uint8_t *hash, configure_ecdsa_periph(conf); -#if CONFIG_HAL_ECDSA_GEN_SIG_CM -#if CONFIG_IDF_TARGET_ESP32H2 +#if HAL_CONFIG_ECDSA_GEN_SIG_CM +#if SOC_IS(ESP32H2) if (!ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102)) { ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len); - } else { - ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len); + return; } -#else - ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len); #endif -#else /* CONFIG_HAL_ECDSA_GEN_SIG_CM */ + ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len); +#else /* HAL_CONFIG_ECDSA_GEN_SIG_CM */ ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len); -#endif /* !CONFIG_HAL_ECDSA_GEN_SIG_CM */ +#endif /* !HAL_CONFIG_ECDSA_GEN_SIG_CM */ } diff --git a/components/hal/include/hal/ecdsa_hal.h b/components/hal/include/hal/ecdsa_hal.h index 182ebbe80d..3053286a5b 100644 --- a/components/hal/include/hal/ecdsa_hal.h 
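Review bot: On ESP32-H2 the chip-revision check in `ecdsa_hal_gen_signature` no longer selects anything, because the early-return branch and the fall-through after the inner `#endif` both call `ecdsa_hal_gen_signature_with_countermeasure`. The removed `else` arm ran `ecdsa_hal_gen_signature_inner` on revisions above 102, so this is a behaviour change inside what is otherwise a macro rename. It fails towards the protected path, so nothing is weakened, but those revisions now take the slower dummy-operation path. If the old selection is still intended, the branch should read `if (ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102)) { ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len); return; }`; if the countermeasure is now wanted on every revision, drop the `#if SOC_IS(ESP32H2)` block and state that in the commit message. The function body starts outside the hunk.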
+++ b/components/hal/include/hal/ecdsa_hal.h @@ -16,13 +16,13 @@ #include #include "hal/ecdsa_types.h" #include "soc/soc_caps.h" -#include "sdkconfig.h" +#include "hal/config.h" #ifdef __cplusplus extern "C" { #endif -#if CONFIG_HAL_ECDSA_GEN_SIG_CM +#if HAL_CONFIG_ECDSA_GEN_SIG_CM #define ECDSA_SIGN_MAX_DUMMY_OP_COUNT 0x7 @@ -32,7 +32,7 @@ extern "C" { After the countermeasure is enabled, hardware ECDSA signature operation shall take time approximately equal to original time multiplied by this number. If you observe that the reduced performance is affecting your use-case then you may try reducing this time to the minimum. */ -#endif /* CONFIG_HAL_ECDSA_GEN_SIG_CM */ +#endif /* HAL_CONFIG_ECDSA_GEN_SIG_CM */ /* * ECDSA peripheral config structure */ diff --git a/components/hal/platform_port/include/hal/config.h b/components/hal/platform_port/include/hal/config.h index 4c972ced8a..f7790b8191 100644 --- a/components/hal/platform_port/include/hal/config.h +++ b/components/hal/platform_port/include/hal/config.h @@ -33,6 +33,12 @@ extern "C" { */ #define HAL_CONFIG_SPI_FLASH_USE_ROM_API CONFIG_SPI_FLASH_ROM_IMPL +/** + * @brief Enable this to use constant-time ECDSA signature generation. + * This provides enhanced security against timing attacks. + */ +#define HAL_CONFIG_ECDSA_GEN_SIG_CM CONFIG_HAL_ECDSA_GEN_SIG_CM + #ifdef __cplusplus } #endif diff --git a/tools/ci/sg_rules/no_kconfig_in_hal_component.yml b/tools/ci/sg_rules/no_kconfig_in_hal_component.yml index 567f79be01..c5f3181bdc 100644 --- a/tools/ci/sg_rules/no_kconfig_in_hal_component.yml +++ b/tools/ci/sg_rules/no_kconfig_in_hal_component.yml 
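Review bot: The new `@brief` for `HAL_CONFIG_ECDSA_GEN_SIG_CM` in `hal/config.h` describes constant-time signing against timing attacks, which does not obviously match the rest of the patch. The comment in `hal/ecdsa_hal.h` describes a dummy-operation count that multiplies signing time, and `ecdsa_hal.c` includes `esp_random.h` and `esp_fault.h` under the same guard. That reads like masking the real sign among randomized dummy operations rather than a constant-time guarantee, so the wording should be checked against the Kconfig help text before it becomes the reference description. The comment should also record how the macro must be tested, e.g. `/* Test with #if only: expands to CONFIG_HAL_ECDSA_GEN_SIG_CM, which sdkconfig leaves undefined when the option is off. */`, since an `#ifdef` on it would always be true.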
@@ -13,13 +13,11 @@ ignores:
 # the following files should be refactored to remove Kconfig macros
 - "components/hal/adc_oneshot_hal.c"
 - "components/hal/cache_hal.c"
- - "components/hal/ecdsa_hal.c"
 - "components/hal/mmu_hal.c"
 - "components/hal/twai_hal_sja1000.c"
 - "components/hal/esp32/gpio_hal_workaround.c"
 - "components/hal/esp32/include/hal/twai_ll.h"
 - "components/hal/esp32/include/hal/uart_ll.h"
- - "components/hal/include/hal/ecdsa_hal.h"
 - "components/hal/include/hal/gpio_hal.h"
 - "components/hal/include/hal/twai_types_deprecated.h"
 rule:
@@ -56,7 +54,6 @@ ignores:
 - "components/hal/cache_hal.c"
 - "components/hal/mmu_hal.c"
 - "components/hal/twai_hal_sja1000.c"
- - "components/hal/include/hal/ecdsa_hal.h"
 - "components/hal/include/hal/twai_types_deprecated.h"
 rule:
 kind: preproc_include