From 82db0feab2d6e51556f0f76a46cffb677ed6017e Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 1 Oct 2024 22:10:57 +0530 Subject: [PATCH] fix(security): Update key manager specific initializations for esp32c5 --- .../include/esp_flash_encrypt.h | 2 ++ .../flash_encryption_secure_features.c | 34 +++++++------------ .../src/flash_encryption/flash_encrypt.c | 3 +- components/esp_security/src/init.c | 12 ++----- components/hal/ecdsa_hal.c | 12 +------ .../hal/esp32c5/include/hal/key_mgr_ll.h | 5 ++- .../include/hal/mspi_timing_tuning_ll.h | 7 ++-- 7 files changed, 27 insertions(+), 48 deletions(-) diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index e942d7f54d..efc061edf5 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -184,12 +184,14 @@ void esp_flash_encryption_init_checks(void); */ esp_err_t esp_flash_encryption_enable_secure_features(void); +#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY /** @brief Enable the key manager for flash encryption * * @return * - ESP_OK - On success */ esp_err_t esp_flash_encryption_enable_key_mgr(void); +#endif // CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */ diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index 03af18a1db..ad90f306c0 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -11,9 +11,8 @@ #include "esp_efuse_table.h" #include "esp_log.h" #include "sdkconfig.h" -#include "soc/keymng_reg.h" -#include "soc/pcr_reg.h" -#include "soc/pcr_struct.h" +#include "hal/key_mgr_ll.h" +#include "hal/mspi_timing_tuning_ll.h" static __attribute__((unused)) const char *TAG = "flash_encrypt"; @@ -62,30 +61,21 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) return ESP_OK; } -// TODO: Update to use LL APIs once key manager support added in IDF-8621 esp_err_t esp_flash_encryption_enable_key_mgr(void) { - // Set the force power down bit to 0 to enable key manager - PCR.km_pd_ctrl.km_mem_force_pd = 0; - // Reset the key manager - PCR.km_conf.km_clk_en = 1; - PCR.km_conf.km_rst_en = 1; - PCR.km_conf.km_rst_en = 0; + // Enable and reset key manager + // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV + int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused)); + key_mgr_ll_enable_bus_clock(true); + key_mgr_ll_enable_peripheral_clock(true); + key_mgr_ll_reset_register(); - // Wait for key manager to be ready - while (!PCR.km_conf.km_ready) { + while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { }; - // Wait for key manager state machine to be idle - while (REG_READ(KEYMNG_STATE_REG) != 0) { - }; - - // Set the key manager to use efuse key - REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2); - - // Reset MSPI to re-load the flash encryption key - REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN); - REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN); + // Force Key Manager to use eFuse key for XTS-AES operation + key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + _mspi_timing_ll_reset_mspi(); return ESP_OK; } diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 92bc72b21f..810cd36c2d 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -258,8 +258,7 @@ esp_err_t esp_flash_encrypt_contents(void) REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1); #endif -// TODO: Remove C5 target config after key manager LL support- see IDF-8621 -#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY || CONFIG_IDF_TARGET_ESP32C5 +#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY esp_flash_encryption_enable_key_mgr(); #endif diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c index d00d0e9647..d12e1fe326 100644 --- a/components/esp_security/src/init.c +++ b/components/esp_security/src/init.c @@ -20,23 +20,15 @@ __attribute__((unused)) static const char *TAG = "esp_security"; static void esp_key_mgr_init(void) { - // The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default - // This is to keep the default behavior same as the other chips - // If the Key Manager configuration is already locked then following operation does not have any effect + // The following code initializes the key manager. #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY // Enable key manager clock // Using ll APIs which do not require critical section _key_mgr_ll_enable_bus_clock(true); _key_mgr_ll_enable_peripheral_clock(true); - + _key_mgr_ll_reset_register(); while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { }; -#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY - key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); -#endif -#if SOC_KEY_MANAGER_FE_KEY_DEPLOY - key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); -#endif #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY */ } diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 237a461f6d..bec830e391 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -14,13 +14,8 @@ #include "esp_random.h" #endif -// Need to remove in IDF-8621 -#if CONFIG_IDF_TARGET_ESP32C5 -#include "soc/keymng_reg.h" -#endif - #ifdef SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY -#include "hal/key_mgr_hal.h" +#include "hal/key_mgr_ll.h" #endif #define ECDSA_HAL_P192_COMPONENT_LEN 24 @@ -32,11 +27,6 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf) if (conf->use_km_key == 0) { efuse_hal_set_ecdsa_key(conf->efuse_key_blk); -// Need to remove in IDF-8621 -#if CONFIG_IDF_TARGET_ESP32C5 - REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 1); -#endif - #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); diff --git a/components/hal/esp32c5/include/hal/key_mgr_ll.h b/components/hal/esp32c5/include/hal/key_mgr_ll.h index 1076555f02..f46c7c2e4c 100644 --- a/components/hal/esp32c5/include/hal/key_mgr_ll.h +++ b/components/hal/esp32c5/include/hal/key_mgr_ll.h @@ -67,7 +67,10 @@ static inline void _key_mgr_ll_enable_peripheral_clock(bool enable) #define key_mgr_ll_enable_peripheral_clock(...) (void)__DECLARE_RCC_ATOMIC_ENV; _key_mgr_ll_enable_peripheral_clock(__VA_ARGS__) /** - * @brief Reset the Key Manager peripheral */ + * @brief Reset the Key Manager peripheral + * Note: Please use key_mgr_ll_reset_register which requires the critical section + * and do not use _key_mgr_ll_reset_register + */ static inline void _key_mgr_ll_reset_register(void) { PCR.km_conf.km_rst_en = 1; diff --git a/components/hal/esp32c5/include/hal/mspi_timing_tuning_ll.h b/components/hal/esp32c5/include/hal/mspi_timing_tuning_ll.h index c94ca97466..2d4416657f 100644 --- a/components/hal/esp32c5/include/hal/mspi_timing_tuning_ll.h +++ b/components/hal/esp32c5/include/hal/mspi_timing_tuning_ll.h @@ -68,8 +68,11 @@ static inline __attribute__((always_inline)) void mspi_ll_enable_bus_clock(bool */ static inline __attribute__((always_inline)) void _mspi_timing_ll_reset_mspi(void) { - PCR.mspi_conf.mspi_rst_en = 1; - PCR.mspi_conf.mspi_rst_en = 0; + PCR.mspi_clk_conf.mspi_axi_rst_en = 1; + PCR.mspi_clk_conf.mspi_axi_rst_en = 0; + // Wait for mspi to be ready + while (!PCR.mspi_conf.mspi_ready) { + }; } #ifdef __cplusplus