From 79f9c7d157c46b8ffe6a9f152e58b1d377b97c70 Mon Sep 17 00:00:00 2001 
From: Mahavir Jain Date: Wed, 7 Aug 2024 15:17:32 +0530 Subject: [PATCH] feat(esp_security): Move DS, HMAC, DPA and crypto lock implementation --- components/esp_hw_support/CMakeLists.txt | 8 ++-- components/esp_hw_support/Kconfig | 38 --------------- .../include/esp_crypto_lock.h | 0 .../include/esp_dpa_protection.h | 0 components/esp_hw_support/include/esp_ds.h | 18 ++++---- .../esp_hw_support/include/esp_ds_err.h | 1 - components/esp_hw_support/include/esp_hmac.h | 2 +- .../include/soc/esp32c61/esp_crypto_lock.h | 37 --------------- .../port/esp32c61/esp_crypto_lock.c | 46 ------------------- components/esp_security/CMakeLists.txt | 34 ++++++++++---- components/esp_security/Kconfig | 40 ++++++++++++++++ components/esp_security/Kconfig.projbuild | 0 .../include/esp_key_mgr.h | 0 .../esp_security/src/esp32/esp_crypto_clk.h | 10 ++++ .../esp_security/src/esp32c2/esp_crypto_clk.h | 10 ++++ .../esp_security/src/esp32c3/esp_crypto_clk.h | 10 ++++ .../clk.c => esp32c5/esp_crypto_clk.h} | 5 +- .../esp_security/src/esp32c6/esp_crypto_clk.h | 10 ++++ .../src/esp32c61/esp_crypto_clk.h | 16 +++++++ .../clk.c => esp32h2/esp_crypto_clk.h} | 5 +- .../clk.c => esp32p4/esp_crypto_clk.h} | 4 +- .../esp_security/src/esp32s2/esp_crypto_clk.h | 10 ++++ .../esp_security/src/esp32s3/esp_crypto_clk.h | 10 ++++ .../src/{crypto => }/esp_crypto_lock.c | 0 .../src/{crypto => }/esp_dpa_protection.c | 9 +--- .../src}/esp_ds.c | 0 .../src}/esp_hmac.c | 26 +++++++---- .../src}/esp_key_mgr.c | 3 +- .../esp_security/src/esp_security_priv.h | 11 +++++ components/esp_security/src/init.c | 24 ++++++++++ components/esp_system/port/soc/esp32c61/clk.c | 3 -- 31 files changed, 220 insertions(+), 170 deletions(-) rename components/{esp_security => esp_hw_support}/include/esp_crypto_lock.h (100%) rename components/{esp_security => esp_hw_support}/include/esp_dpa_protection.h (100%) delete mode 100644 components/esp_hw_support/include/soc/esp32c61/esp_crypto_lock.h delete mode 100644 
components/esp_hw_support/port/esp32c61/esp_crypto_lock.c create mode 100644 components/esp_security/Kconfig delete mode 100644 components/esp_security/Kconfig.projbuild rename components/{esp_hw_support => esp_security}/include/esp_key_mgr.h (100%) create mode 100644 components/esp_security/src/esp32/esp_crypto_clk.h create mode 100644 components/esp_security/src/esp32c2/esp_crypto_clk.h create mode 100644 components/esp_security/src/esp32c3/esp_crypto_clk.h rename components/esp_security/src/{crypto/esp32c5/clk.c => esp32c5/esp_crypto_clk.h} (82%) create mode 100644 components/esp_security/src/esp32c6/esp_crypto_clk.h create mode 100644 components/esp_security/src/esp32c61/esp_crypto_clk.h rename components/esp_security/src/{crypto/esp32h2/clk.c => esp32h2/esp_crypto_clk.h} (82%) rename components/esp_security/src/{crypto/esp32p4/clk.c => esp32p4/esp_crypto_clk.h} (84%) create mode 100644 components/esp_security/src/esp32s2/esp_crypto_clk.h create mode 100644 components/esp_security/src/esp32s3/esp_crypto_clk.h rename components/esp_security/src/{crypto => }/esp_crypto_lock.c (100%) rename components/esp_security/src/{crypto => }/esp_dpa_protection.c (78%) rename components/{esp_hw_support => esp_security/src}/esp_ds.c (100%) rename components/{esp_hw_support => esp_security/src}/esp_hmac.c (94%) rename components/{esp_hw_support => esp_security/src}/esp_key_mgr.c (99%) create mode 100644 components/esp_security/src/esp_security_priv.h create mode 100644 components/esp_security/src/init.c diff --git a/components/esp_hw_support/CMakeLists.txt b/components/esp_hw_support/CMakeLists.txt index c55aefcd5c..72df5f7a3e 100644 --- a/components/esp_hw_support/CMakeLists.txt +++ b/components/esp_hw_support/CMakeLists.txt 
@@ -8,9 +8,10 @@ if(${target} STREQUAL "linux") return() endif() -set(requires soc esp_security) # TODO: remove esp_security from REQUIRES in ESP-IDF v6.0 +set(requires soc) # only esp_hw_support/adc_share_hw_ctrl.c requires efuse component -set(priv_requires efuse spi_flash bootloader_support) +# TODO: remove esp_security from REQUIRES in ESP-IDF v6.0 (see IDF-10733) +set(priv_requires efuse spi_flash bootloader_support esp_security) if(${target} STREQUAL "esp32c6") list(APPEND priv_requires hal) @@ -187,7 +188,4 @@ if(NOT BOOTLOADER_BUILD) if(CONFIG_SPIRAM) idf_component_optional_requires(PRIVATE esp_psram) endif() - if(CONFIG_SOC_CRYPTO_DPA_PROTECTION_SUPPORTED) - target_link_libraries(${COMPONENT_LIB} PRIVATE "-u esp_crypto_dpa_prot_include_impl") - endif() endif() diff --git a/components/esp_hw_support/Kconfig b/components/esp_hw_support/Kconfig index 6f61db5402..4efd7119fb 100644 --- a/components/esp_hw_support/Kconfig +++ b/components/esp_hw_support/Kconfig 
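Review bot: The TODO added in the first hunk still says to remove esp_security from `REQUIRES`, but the line it now annotates places the component in `priv_requires`, so the comment no longer matches the code. It also sits directly under the older `# only esp_hw_support/adc_share_hw_ctrl.c requires efuse component` remark, which makes the two read as one statement. I would reword it to `# TODO: drop esp_security from PRIV_REQUIRES in ESP-IDF v6.0 (see IDF-10733)` and add a line saying why the dependency is kept for now. Presumably that is because the lock and DPA headers are renamed into this component's include directory while their implementation lives in esp_security.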
@@ -243,44 +243,6 @@ menu "Hardware Settings" orsource "./port/$IDF_TARGET/Kconfig.xtal" endmenu - menu "Crypto DPA Protection" - depends on SOC_CRYPTO_DPA_PROTECTION_SUPPORTED - config ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP - bool "Enable crypto DPA protection at startup" - default y - help - This config controls the DPA (Differential Power Analysis) protection - knob for the crypto peripherals. DPA protection dynamically adjusts the - clock frequency of the crypto peripheral. DPA protection helps to make it - difficult to perform SCA attacks on the crypto peripherals. However, - there is also associated performance impact based on the security level - set. Please refer to the TRM for more details. - - choice ESP_CRYPTO_DPA_PROTECTION_LEVEL - prompt "DPA protection level" - depends on ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP - default ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW - help - Configure the DPA protection security level - - config ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW - bool "Security level low" - - config ESP_CRYPTO_DPA_PROTECTION_LEVEL_MEDIUM - bool "Security level medium" - - config ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH - bool "Security level high" - endchoice - - config ESP_CRYPTO_DPA_PROTECTION_LEVEL - int - default 1 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW - default 2 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_MEDIUM - default 3 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH - - endmenu - orsource "./port/$IDF_TARGET/Kconfig.dcdc" orsource "./port/$IDF_TARGET/Kconfig.ldo" diff --git a/components/esp_security/include/esp_crypto_lock.h b/components/esp_hw_support/include/esp_crypto_lock.h similarity index 100% rename from components/esp_security/include/esp_crypto_lock.h rename to components/esp_hw_support/include/esp_crypto_lock.h 
diff --git a/components/esp_security/include/esp_dpa_protection.h b/components/esp_hw_support/include/esp_dpa_protection.h similarity index 100% rename from components/esp_security/include/esp_dpa_protection.h rename to components/esp_hw_support/include/esp_dpa_protection.h diff --git a/components/esp_hw_support/include/esp_ds.h b/components/esp_hw_support/include/esp_ds.h index 6ff822ea2d..f5c68a16b1 100644 --- a/components/esp_hw_support/include/esp_ds.h +++ b/components/esp_hw_support/include/esp_ds.h @@ -132,9 +132,9 @@ typedef struct { * since the message digest matches. */ esp_err_t esp_ds_sign(const void *message, - const esp_ds_data_t *data, - hmac_key_id_t key_id, - void *signature); + const esp_ds_data_t *data, + hmac_key_id_t key_id, + void *signature); /** * @brief Start the signing process. @@ -172,9 +172,9 @@ esp_err_t esp_ds_sign(const void *message, * - ESP_ERR_HW_CRYPTO_DS_INVALID_KEY if there's a problem with passing the HMAC key to the DS component */ esp_err_t esp_ds_start_sign(const void *message, - const esp_ds_data_t *data, - hmac_key_id_t key_id, - esp_ds_context_t **esp_ds_ctx); + const esp_ds_data_t *data, + hmac_key_id_t key_id, + esp_ds_context_t **esp_ds_ctx); /** * Return true if the DS peripheral is busy, otherwise false. @@ -227,9 +227,9 @@ esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx); * - ESP_ERR_INVALID_ARG if one of the parameters is NULL or p_data->rsa_length is too long */ esp_err_t esp_ds_encrypt_params(esp_ds_data_t *data, - const void *iv, - const esp_ds_p_data_t *p_data, - const void *key); + const void *iv, + const esp_ds_p_data_t *p_data, + const void *key); #ifdef __cplusplus } diff --git a/components/esp_hw_support/include/esp_ds_err.h b/components/esp_hw_support/include/esp_ds_err.h index 7ac11a9f2c..3fb0c0acc1 100644 --- a/components/esp_hw_support/include/esp_ds_err.h +++ b/components/esp_hw_support/include/esp_ds_err.h 
@@ -6,7 +6,6 @@ #pragma once - #ifdef __cplusplus extern "C" { #endif diff --git a/components/esp_hw_support/include/esp_hmac.h b/components/esp_hw_support/include/esp_hmac.h index 5bb3a01cf0..c663aef2c6 100644 --- a/components/esp_hw_support/include/esp_hmac.h +++ b/components/esp_hw_support/include/esp_hmac.h @@ -40,7 +40,7 @@ typedef enum { * * @note Uses the HMAC peripheral in "upstream" mode. * - * @param key_id Determines which of the 6 key blocks in the efuses should be used for the HMAC calcuation. + * @param key_id Determines which of the 6 key blocks in the efuses should be used for the HMAC calculation. * The corresponding purpose field of the key block in the efuse must be set to the HMAC upstream purpose value. * @param message the message for which to calculate the HMAC * @param message_len message length diff --git a/components/esp_hw_support/include/soc/esp32c61/esp_crypto_lock.h b/components/esp_hw_support/include/soc/esp32c61/esp_crypto_lock.h deleted file mode 100644 index 819ecf98ee..0000000000 --- a/components/esp_hw_support/include/soc/esp32c61/esp_crypto_lock.h +++ /dev/null @@ -1,37 +0,0 @@ -/* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD - * - * SPDX-License-Identifier: Apache-2.0 - */ - -#pragma once - -#ifdef __cplusplus -extern "C" { -#endif - -void esp_crypto_ecc_lock_acquire(void); - -/** - * @brief Release lock for the ECC cryptography peripheral. - * - */ -void esp_crypto_ecc_lock_release(void); - -/** - * @brief Acquire lock for ECDSA cryptography peripheral - * - * Internally also locks the ECC and MPI peripheral, as the ECDSA depends on these peripherals - */ -void esp_crypto_ecdsa_lock_acquire(void); - -/** - * @brief Release lock for ECDSA cryptography peripheral - * - * Internally also releases the ECC and MPI peripheral, as the ECDSA depends on these peripherals - */ -void esp_crypto_ecdsa_lock_release(void); - -#ifdef __cplusplus -} -#endif 
diff --git a/components/esp_hw_support/port/esp32c61/esp_crypto_lock.c b/components/esp_hw_support/port/esp32c61/esp_crypto_lock.c
deleted file mode 100644
index 4665dbfde2..0000000000
--- a/components/esp_hw_support/port/esp32c61/esp_crypto_lock.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
- *
- * SPDX-License-Identifier: Apache-2.0
- */
-
-#include
-
-#include "esp_crypto_lock.h"
-
-/* Lock overview:
-SHA: peripheral independent, but DMA is shared with AES
-AES: peripheral independent, but DMA is shared with SHA
-MPI/RSA: independent
-ECC: independent
-HMAC: needs SHA
-DS: needs HMAC (which needs SHA), AES and MPI
-*/
-
-/* Lock for ECC peripheral */
-static _lock_t s_crypto_ecc_lock;
-
-/* Lock for ECDSA peripheral */
-static _lock_t s_crypto_ecdsa_lock;
-
-void esp_crypto_ecc_lock_acquire(void)
-{
- _lock_acquire(&s_crypto_ecc_lock);
-}
-
-void esp_crypto_ecc_lock_release(void)
-{
- _lock_release(&s_crypto_ecc_lock);
-}
-
-void esp_crypto_ecdsa_lock_acquire(void)
-{
- _lock_acquire(&s_crypto_ecdsa_lock);
- esp_crypto_ecc_lock_acquire();
-}
-
-void esp_crypto_ecdsa_lock_release(void)
-{
- esp_crypto_ecc_lock_release();
- _lock_release(&s_crypto_ecdsa_lock);
-}
diff --git a/components/esp_security/CMakeLists.txt b/components/esp_security/CMakeLists.txt
index 5678f9a796..d9c054b15e 100644
--- a/components/esp_security/CMakeLists.txt
+++ b/components/esp_security/CMakeLists.txt
@@ -1,24 +1,42 @@ +idf_build_get_property(target IDF_TARGET) + +if(${target} STREQUAL "linux") + return() # This component is not supported by the POSIX/Linux simulator +endif() + set(srcs "") -set(priv_requires "soc") +set(priv_requires "") +set(priv_includes "") if(NOT BOOTLOADER_BUILD) - if(CONFIG_IDF_TARGET_ESP32H2 OR CONFIG_IDF_TARGET_ESP32P4 OR CONFIG_IDF_TARGET_ESP32C5) - list(APPEND srcs "src/crypto/${IDF_TARGET}/clk.c") + list(APPEND srcs "src/init.c") + list(APPEND priv_includes "src/${IDF_TARGET}") + + if(CONFIG_SOC_HMAC_SUPPORTED) + list(APPEND srcs "src/esp_hmac.c") + endif() + + if(CONFIG_SOC_DIG_SIGN_SUPPORTED) + list(APPEND srcs "src/esp_ds.c") + endif() + + if(CONFIG_SOC_KEY_MANAGER_SUPPORTED) + list(APPEND srcs "src/esp_key_mgr.c") endif() if(CONFIG_SOC_CRYPTO_DPA_PROTECTION_SUPPORTED) - list(APPEND srcs "src/crypto/esp_dpa_protection.c") + list(APPEND srcs "src/esp_dpa_protection.c") endif() - list(APPEND srcs "src/crypto/esp_crypto_lock.c") + list(APPEND srcs "src/esp_crypto_lock.c") + list(APPEND priv_requires efuse esp_hw_support esp_system esp_timer) endif() idf_component_register(SRCS ${srcs} INCLUDE_DIRS "include" + PRIV_INCLUDE_DIRS ${priv_includes} PRIV_REQUIRES ${priv_requires}) if(NOT BOOTLOADER_BUILD) - if(CONFIG_SOC_CRYPTO_DPA_PROTECTION_SUPPORTED) - target_link_libraries(${COMPONENT_LIB} PRIVATE "-u esp_crypto_dpa_prot_include_impl") - endif() + target_link_libraries(${COMPONENT_LIB} PRIVATE "-u esp_security_init_include_impl") endif() diff --git a/components/esp_security/Kconfig b/components/esp_security/Kconfig new file mode 100644 index 0000000000..308816c490 --- /dev/null +++ b/components/esp_security/Kconfig 
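Review bot: The `-u esp_security_init_include_impl` link option at the end of this hunk appears to be what keeps init.c in the final image, and it carries no comment. If that object were discarded by the linker, the crypto clock selection and the DPA protection startup call would be skipped without any build error, so the line deserves an explanation such as `# Force-link init.c so its ESP_SYSTEM_INIT_FN (crypto clock + DPA startup) is not dropped`. Separately, `list(APPEND priv_includes "src/${IDF_TARGET}")` assumes every target has a directory holding esp_crypto_clk.h. A short comment that a new target must add one would save a confusing include failure later.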
@@ -0,0 +1,40 @@
+menu "ESP Security Specific"
+
+ menu "Crypto DPA Protection"
+ depends on SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
+ config ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP
+ bool "Enable crypto DPA protection at startup"
+ default y
+ help
+ This config controls the DPA (Differential Power Analysis) protection
+ knob for the crypto peripherals. DPA protection dynamically adjusts
+ clock frequency of the crypto peripheral. DPA protection helps to make it
+ difficult to perform SCA attacks on the crypto peripherals. However,
+ there is also associated performance impact based on the security level
+ set. Please refer to the TRM for more details.
+
+ choice ESP_CRYPTO_DPA_PROTECTION_LEVEL
+ prompt "DPA protection level"
+ depends on ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP
+ default ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW
+ help
+ Configure the DPA protection security level
+
+ config ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW
+ bool "Security level low"
+
+ config ESP_CRYPTO_DPA_PROTECTION_LEVEL_MEDIUM
+ bool "Security level medium"
+
+ config ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH
+ bool "Security level high"
+ endchoice
+
+ config ESP_CRYPTO_DPA_PROTECTION_LEVEL
+ int
+ default 1 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_LOW
+ default 2 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_MEDIUM
+ default 3 if ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH
+ endmenu
+
+endmenu
diff --git a/components/esp_security/Kconfig.projbuild b/components/esp_security/Kconfig.projbuild
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/components/esp_hw_support/include/esp_key_mgr.h b/components/esp_security/include/esp_key_mgr.h
similarity index 100%
rename from components/esp_hw_support/include/esp_key_mgr.h
rename to components/esp_security/include/esp_key_mgr.h
diff --git a/components/esp_security/src/esp32/esp_crypto_clk.h b/components/esp_security/src/esp32/esp_crypto_clk.h
new file mode 100644
index 0000000000..8fe1cce105
--- /dev/null
+++ b/components/esp_security/src/esp32/esp_crypto_clk.h
@@ -0,0 +1,10 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* nothing to do */ +static inline void esp_crypto_clk_init(void) {} diff --git a/components/esp_security/src/esp32c2/esp_crypto_clk.h b/components/esp_security/src/esp32c2/esp_crypto_clk.h new file mode 100644 index 0000000000..8fe1cce105 --- /dev/null +++ b/components/esp_security/src/esp32c2/esp_crypto_clk.h @@ -0,0 +1,10 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* nothing to do */ +static inline void esp_crypto_clk_init(void) {} diff --git a/components/esp_security/src/esp32c3/esp_crypto_clk.h b/components/esp_security/src/esp32c3/esp_crypto_clk.h new file mode 100644 index 0000000000..8fe1cce105 --- /dev/null +++ b/components/esp_security/src/esp32c3/esp_crypto_clk.h @@ -0,0 +1,10 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* nothing to do */ +static inline void esp_crypto_clk_init(void) {} diff --git a/components/esp_security/src/crypto/esp32c5/clk.c b/components/esp_security/src/esp32c5/esp_crypto_clk.h similarity index 82% rename from components/esp_security/src/crypto/esp32c5/clk.c rename to components/esp_security/src/esp32c5/esp_crypto_clk.h index 8ebf65d0e2..b983ad446e 100644 --- a/components/esp_security/src/crypto/esp32c5/clk.c +++ b/components/esp_security/src/esp32c5/esp_crypto_clk.h @@ -3,10 +3,13 @@ * * SPDX-License-Identifier: Apache-2.0 */ + #include "soc/soc.h" #include "soc/pcr_reg.h" -__attribute__((weak)) void esp_crypto_clk_init(void) +#pragma once + +static inline void esp_crypto_clk_init(void) { // Set crypto clock (`clk_sec`) to use 480M SPLL clock REG_SET_FIELD(PCR_SEC_CONF_REG, PCR_SEC_CLK_SEL, 0x2); 
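Review bot: In the esp32c5 header the new `#pragma once` comes after the two `#include` lines instead of directly below the licence comment, unlike the no-op headers added for esp32, esp32c2 and esp32c3 in this same commit. It still works, but the guard should be the first directive so all the per-target headers read alike: `#pragma once` followed by `#include "soc/soc.h"`. The same ordering appears in the esp32c61, esp32h2 and esp32p4 versions. Because the function changed from a weak symbol to `static inline`, it can no longer be overridden and every includer gets its own copy, so a one-line comment that the header is private to the component's init code would help.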
diff --git a/components/esp_security/src/esp32c6/esp_crypto_clk.h b/components/esp_security/src/esp32c6/esp_crypto_clk.h new file mode 100644 index 0000000000..8fe1cce105 --- /dev/null +++ b/components/esp_security/src/esp32c6/esp_crypto_clk.h @@ -0,0 +1,10 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* nothing to do */ +static inline void esp_crypto_clk_init(void) {} diff --git a/components/esp_security/src/esp32c61/esp_crypto_clk.h b/components/esp_security/src/esp32c61/esp_crypto_clk.h new file mode 100644 index 0000000000..b983ad446e --- /dev/null +++ b/components/esp_security/src/esp32c61/esp_crypto_clk.h @@ -0,0 +1,16 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include "soc/soc.h" +#include "soc/pcr_reg.h" + +#pragma once + +static inline void esp_crypto_clk_init(void) +{ + // Set crypto clock (`clk_sec`) to use 480M SPLL clock + REG_SET_FIELD(PCR_SEC_CONF_REG, PCR_SEC_CLK_SEL, 0x2); +} diff --git a/components/esp_security/src/crypto/esp32h2/clk.c b/components/esp_security/src/esp32h2/esp_crypto_clk.h similarity index 82% rename from components/esp_security/src/crypto/esp32h2/clk.c rename to components/esp_security/src/esp32h2/esp_crypto_clk.h index 44abf80715..f56da30058 100644 --- a/components/esp_security/src/crypto/esp32h2/clk.c +++ b/components/esp_security/src/esp32h2/esp_crypto_clk.h @@ -3,10 +3,13 @@ * * SPDX-License-Identifier: Apache-2.0 */ + #include "soc/soc.h" #include "soc/pcr_reg.h" -__attribute__((weak)) void esp_crypto_clk_init(void) +#pragma once + +static inline void esp_crypto_clk_init(void) { // Set crypto clock (`clk_sec`) to use 96M PLL clock REG_SET_FIELD(PCR_SEC_CONF_REG, PCR_SEC_CLK_SEL, 0x3); 
diff --git a/components/esp_security/src/crypto/esp32p4/clk.c b/components/esp_security/src/esp32p4/esp_crypto_clk.h similarity index 84% rename from components/esp_security/src/crypto/esp32p4/clk.c rename to components/esp_security/src/esp32p4/esp_crypto_clk.h index 3e159fdbdc..f4f8b75257 100644 --- a/components/esp_security/src/crypto/esp32p4/clk.c +++ b/components/esp_security/src/esp32p4/esp_crypto_clk.h @@ -6,7 +6,9 @@ #include "soc/soc.h" #include "soc/hp_sys_clkrst_reg.h" -__attribute__((weak)) void esp_crypto_clk_init(void) +#pragma once + +static inline void esp_crypto_clk_init(void) { // Set crypto clock (`clk_sec`) to use 240M PLL clock REG_SET_FIELD(HP_SYS_CLKRST_PERI_CLK_CTRL25_REG, HP_SYS_CLKRST_REG_CRYPTO_CLK_SRC_SEL, 0x2); diff --git a/components/esp_security/src/esp32s2/esp_crypto_clk.h b/components/esp_security/src/esp32s2/esp_crypto_clk.h new file mode 100644 index 0000000000..8fe1cce105 --- /dev/null +++ b/components/esp_security/src/esp32s2/esp_crypto_clk.h @@ -0,0 +1,10 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* nothing to do */ +static inline void esp_crypto_clk_init(void) {} diff --git a/components/esp_security/src/esp32s3/esp_crypto_clk.h b/components/esp_security/src/esp32s3/esp_crypto_clk.h new file mode 100644 index 0000000000..8fe1cce105 --- /dev/null +++ b/components/esp_security/src/esp32s3/esp_crypto_clk.h @@ -0,0 +1,10 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* nothing to do */ +static inline void esp_crypto_clk_init(void) {} diff --git a/components/esp_security/src/crypto/esp_crypto_lock.c b/components/esp_security/src/esp_crypto_lock.c similarity index 100% rename from components/esp_security/src/crypto/esp_crypto_lock.c rename to components/esp_security/src/esp_crypto_lock.c 
diff --git a/components/esp_security/src/crypto/esp_dpa_protection.c b/components/esp_security/src/esp_dpa_protection.c similarity index 78% rename from components/esp_security/src/crypto/esp_dpa_protection.c rename to components/esp_security/src/esp_dpa_protection.c index a3749be6a8..19e9435373 100644 --- a/components/esp_security/src/crypto/esp_dpa_protection.c +++ b/components/esp_security/src/esp_dpa_protection.c @@ -16,12 +16,10 @@ static inline void esp_crypto_dpa_set_level(esp_crypto_dpa_sec_level_t level) REG_SET_FIELD(HP_SYSTEM_SEC_DPA_CONF_REG, HP_SYSTEM_SEC_DPA_LEVEL, level); } -#if CONFIG_ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP -static void __attribute__((constructor)) esp_crypto_dpa_protection_startup(void) +void esp_crypto_dpa_protection_startup(void) { esp_crypto_dpa_set_level(CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL); } -#endif void esp_crypto_dpa_protection_enable(esp_crypto_dpa_sec_level_t level) { @@ -32,8 +30,3 @@ void esp_crypto_dpa_protection_disable(void) { REG_CLR_BIT(HP_SYSTEM_SEC_DPA_CONF_REG, HP_SYSTEM_SEC_DPA_CFG_SEL); } - -void esp_crypto_dpa_prot_include_impl(void) -{ - // Linker hook, exists for no other purpose -} diff --git a/components/esp_hw_support/esp_ds.c b/components/esp_security/src/esp_ds.c similarity index 100% rename from components/esp_hw_support/esp_ds.c rename to components/esp_security/src/esp_ds.c diff --git a/components/esp_hw_support/esp_hmac.c b/components/esp_security/src/esp_hmac.c similarity index 94% rename from components/esp_hw_support/esp_hmac.c rename to components/esp_security/src/esp_hmac.c index 9facad6e03..c922752788 100644 --- a/components/esp_hw_support/esp_hmac.c +++ b/components/esp_security/src/esp_hmac.c @@ -163,7 +163,8 @@ esp_err_t esp_hmac_calculate(hmac_key_id_t key_id, return ESP_OK; } -static ets_efuse_block_t convert_key_type(hmac_key_id_t key_id) { +static ets_efuse_block_t convert_key_type(hmac_key_id_t key_id) +{ return ETS_EFUSE_BLOCK_KEY0 + (ets_efuse_block_t) key_id; } 
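Review bot: `esp_crypto_dpa_protection_startup()` lost its `#if CONFIG_ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP` guard in the first esp_dpa_protection.c hunk, but its body still expands `CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL`. In the Kconfig added by this commit that integer only has defaults under the three level symbols, and the choice holding them depends on the startup option. With the option turned off the macro may therefore be undefined, and this file would stop compiling on DPA-capable targets. Keeping the definition inside `#if CONFIG_ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP` ... `#endif` would match the guarded call in init.c. The function is also no longer `static`, so a short comment that it is component-private and called once from the init function would be worth adding.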
@@ -172,8 +173,9 @@ esp_err_t esp_hmac_jtag_enable(hmac_key_id_t key_id, const uint8_t *token) int ets_status; esp_err_t err = ESP_OK; - if ((!token) || (key_id >= HMAC_KEY_MAX)) + if ((!token) || (key_id >= HMAC_KEY_MAX)) { return ESP_ERR_INVALID_ARG; + } /* Check if JTAG is permanently disabled by HW Disable eFuse */ if (esp_efuse_read_field_bit(JTAG_STATUS_BIT)) { @@ -224,18 +226,23 @@ esp_err_t esp_hmac_jtag_disable() } #else /* !CONFIG_IDF_TARGET_ESP32S2 */ -static ets_efuse_block_t convert_key_type(hmac_key_id_t key_id) { +static ets_efuse_block_t convert_key_type(hmac_key_id_t key_id) +{ return ETS_EFUSE_BLOCK_KEY0 + (ets_efuse_block_t) key_id; } esp_err_t esp_hmac_calculate(hmac_key_id_t key_id, - const void *message, - size_t message_len, - uint8_t *hmac) + const void *message, + size_t message_len, + uint8_t *hmac) { int hmac_ret; - if (!message || !hmac) return ESP_ERR_INVALID_ARG; - if (key_id >= HMAC_KEY_MAX) return ESP_ERR_INVALID_ARG; + if (!message || !hmac) { + return ESP_ERR_INVALID_ARG; + } + if (key_id >= HMAC_KEY_MAX) { + return ESP_ERR_INVALID_ARG; + } esp_crypto_dma_lock_acquire(); @@ -257,8 +264,9 @@ esp_err_t esp_hmac_jtag_enable(hmac_key_id_t key_id, const uint8_t *token) int ets_status; esp_err_t err = ESP_OK; - if ((!token) || (key_id >= HMAC_KEY_MAX)) + if ((!token) || (key_id >= HMAC_KEY_MAX)) { return ESP_ERR_INVALID_ARG; + } /* Check if JTAG is permanently disabled by HW Disable eFuse */ if (esp_efuse_read_field_bit(ESP_EFUSE_HARD_DIS_JTAG)) { diff --git a/components/esp_hw_support/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c similarity index 99% rename from components/esp_hw_support/esp_key_mgr.c rename to components/esp_security/src/esp_key_mgr.c index 3c3990cca7..77537735e8 100644 --- a/components/esp_hw_support/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c 
@@ -366,8 +366,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) } ESP_LOGD(TAG, "HUK info valid"); - if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_recovered)) - { + if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_recovered)) { check_huk_risk_level(); esp_err_t esp_ret = huk_hal_configure(ESP_HUK_MODE_RECOVERY, config->key_recovery_info->huk_info.info); if (esp_ret != ESP_OK) { diff --git a/components/esp_security/src/esp_security_priv.h b/components/esp_security/src/esp_security_priv.h new file mode 100644 index 0000000000..18cba2c90f --- /dev/null +++ b/components/esp_security/src/esp_security_priv.h @@ -0,0 +1,11 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/* Private interface file */ + +void esp_crypto_dpa_protection_startup(void); diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c new file mode 100644 index 0000000000..d835de10c8 --- /dev/null +++ b/components/esp_security/src/init.c @@ -0,0 +1,24 @@ +/* + * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include "esp_private/startup_internal.h" +#include "sdkconfig.h" +#include "esp_crypto_clk.h" +#include "esp_security_priv.h" + +ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103) +{ + esp_crypto_clk_init(); +#if CONFIG_ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP + esp_crypto_dpa_protection_startup(); +#endif + return ESP_OK; +} + +void esp_security_init_include_impl(void) +{ + // Linker hook, exists for no other purpose +} diff --git a/components/esp_system/port/soc/esp32c61/clk.c b/components/esp_system/port/soc/esp32c61/clk.c index 77fa2a75fd..035cc1c87f 100644 --- a/components/esp_system/port/soc/esp32c61/clk.c +++ b/components/esp_system/port/soc/esp32c61/clk.c 
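Review bot: `ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)` in init.c gives no reason for the chosen stage, core mask or priority, yet this is now the point at which the crypto clock source is selected and DPA protection is switched on. Before this commit DPA was enabled from a constructor and, on esp32c61, the clock was set inside `esp_clk_init()`. Anything that uses the crypto peripherals earlier in startup would now presumably run with the reset-default clock source and no DPA level applied. A comment such as `/* Must run before any init step that uses the crypto peripherals; core 0 only */` would make the ordering requirement explicit, and it is worth confirming that no earlier init function touches them.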
@@ -106,9 +106,6 @@ __attribute__((weak)) void esp_clk_init(void) // Re calculate the ccount to make time calculation correct. esp_cpu_set_cycle_count((uint64_t)esp_cpu_get_cycle_count() * new_freq_mhz / old_freq_mhz); - - // Set crypto clock (`clk_sec`) to use 480M SPLL clock - REG_SET_FIELD(PCR_SEC_CONF_REG, PCR_SEC_CLK_SEL, 0x2); } static void select_rtc_slow_clk(soc_rtc_slow_clk_src_t rtc_slow_clk_src)