diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 4878a4d8b2..917f04cc8c 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -839,6 +839,26 @@ menu "Security features" Read https://docs.espressif.com/projects/esp-idf/en/latest/security/flash-encryption.html before enabling. + choice SECURE_FLASH_ENCRYPTION_KEY_SOURCE + bool "Flash Encryption Key Source" + depends on SECURE_FLASH_ENC_ENABLED + default SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES + help + Specify the key source for the Flash Encryption Key + + config SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES + bool "eFuse Key Block" + help + Use a key that is stored in the eFuses key blocks. + + config SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + bool "Key Manager" + depends on SOC_KEY_MANAGER_SUPPORTED && SOC_KEY_MANAGER_FE_KEY_DEPLOY && \ + !(IDF_TARGET_ESP32P4 && ESP32P4_SELECTS_REV_LESS_V3) + help + Use a key that is deployed using the Key Manager + endchoice + choice SECURE_FLASH_ENCRYPTION_KEYSIZE bool "Size of generated XTS-AES key" default SECURE_FLASH_ENCRYPTION_AES128 @@ -860,11 +880,16 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_AES128 bool "AES-128 (256-bit key)" - depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && !(IDF_TARGET_ESP32C2 && SECURE_BOOT) + depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && \ + ((SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES && SOC_EFUSE_XTS_AES_KEY_128) || \ + (SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR && SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128)) && \ + !(IDF_TARGET_ESP32C2 && SECURE_BOOT) config SECURE_FLASH_ENCRYPTION_AES256 bool "AES-256 (512-bit key)" - depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 + depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 && \ + ((SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES && SOC_EFUSE_XTS_AES_KEY_256) || \ + (SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR && SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256)) endchoice choice SECURE_FLASH_ENCRYPTION_MODE diff --git a/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in b/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in index b392b18adb..aad2b39b2d 100644 --- a/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in +++ b/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in @@ -91,6 +91,11 @@ SECTIONS *libhal.a:cache_hal.*(.literal .text .literal.* .text.*) *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*) *libesp_hal_wdt.a:wdt_hal_iram.*(.literal .text .literal.* .text.*) + *libhal.a:huk_hal.*(.literal .text .literal.* .text.*) + *libhal.a:key_mgr_hal.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_key_mgr.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_periph_clk.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_lock.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_clk.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_time.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:regi2c_ctrl.*(.literal .text .literal.* .text.*) diff --git a/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in b/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in index 0ee5dfe65f..1d763d2d22 100644 --- a/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in +++ b/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in @@ -90,6 +90,7 @@ SECTIONS *libhal.a:cache_hal.*(.literal .text .literal.* .text.*) *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*) *libhal.a:key_mgr_hal.*(.literal.key_mgr_hal_set_key_usage .text.key_mgr_hal_set_key_usage) + *libesp_security.a:esp_crypto_periph_clk.*(.literal .text .literal.* .text.*) *libesp_hal_wdt.a:wdt_hal_iram.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_clk.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_time.*(.literal .text .literal.* .text.*) diff --git a/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in b/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in index 9a6ae2ddf1..f51c5e63af 100644 --- a/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in +++ b/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in @@ -89,8 +89,12 @@ SECTIONS *libhal.a:mmu_hal.*(.literal .text .literal.* .text.*) *libhal.a:cache_hal.*(.literal .text .literal.* .text.*) *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*) - *libhal.a:key_mgr_hal.*(.literal.key_mgr_hal_set_key_usage .text.key_mgr_hal_set_key_usage) *libesp_hal_wdt.a:wdt_hal_iram.*(.literal .text .literal.* .text.*) + *libhal.a:huk_hal.*(.literal .text .literal.* .text.*) + *libhal.a:key_mgr_hal.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_key_mgr.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_periph_clk.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_lock.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_clk.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_time.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:regi2c_ctrl.*(.literal .text .literal.* .text.*) diff --git a/components/bootloader_support/CMakeLists.txt b/components/bootloader_support/CMakeLists.txt index 4128553d36..cbfffd533c 100644 --- a/components/bootloader_support/CMakeLists.txt +++ b/components/bootloader_support/CMakeLists.txt @@ -93,6 +93,8 @@ endif() if(BOOTLOADER_BUILD) list(APPEND srcs "src/bootloader_panic.c") + list(APPEND priv_requires esp_security) + if(CONFIG_SECURE_FLASH_ENC_ENABLED) list(APPEND srcs "src/flash_encryption/flash_encrypt.c" "src/${IDF_TARGET}/flash_encryption_secure_features.c") diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index e81457450f..0e502399eb 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -9,7 +9,6 @@ #include "esp_attr.h" #include "esp_err.h" #include "soc/soc_caps.h" -#include "hal/efuse_ll.h" #include "sdkconfig.h" #ifdef __cplusplus @@ -184,14 +183,14 @@ void esp_flash_encryption_init_checks(void); */ esp_err_t esp_flash_encryption_enable_secure_features(void); -#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY /** @brief Enable the key manager for flash encryption * * @return * - ESP_OK - On success */ -esp_err_t esp_flash_encryption_enable_key_mgr(void); -#endif // CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY +esp_err_t esp_flash_encryption_use_efuse_key(void); +#endif // SOC_KEY_MANAGER_FE_KEY_DEPLOY #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */ diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index 4e4d6fc227..e07a2b40a1 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -11,10 +11,13 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_log.h" -#include "hal/key_mgr_ll.h" +#include "esp_crypto_periph_clk.h" +#include "esp_key_mgr.h" +#include "hal/key_mgr_hal.h" #include "hal/mspi_ll.h" #include "soc/soc_caps.h" #include "sdkconfig.h" +#include "hal/key_mgr_ll.h" ESP_LOG_ATTR_TAG(TAG, "flash_encrypt"); @@ -69,18 +72,12 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) return ESP_OK; } -esp_err_t esp_flash_encryption_enable_key_mgr(void) +esp_err_t esp_flash_encryption_use_efuse_key(void) { - _key_mgr_ll_enable_bus_clock(true); - _key_mgr_ll_enable_peripheral_clock(true); - _key_mgr_ll_reset_register(); - - while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { - }; + esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); - _mspi_timing_ll_reset_mspi(); + key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); return ESP_OK; } diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c index cf7a4a8c2d..6d945a9761 100644 --- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c @@ -11,6 +11,9 @@ #include "esp_efuse_table.h" #include "esp_log.h" #include "sdkconfig.h" +#include "esp_crypto_periph_clk.h" +#include "esp_key_mgr.h" +#include "hal/key_mgr_hal.h" #include "hal/key_mgr_ll.h" #include "hal/mspi_ll.h" @@ -51,18 +54,12 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) return ESP_OK; } -esp_err_t esp_flash_encryption_enable_key_mgr(void) +esp_err_t esp_flash_encryption_use_efuse_key(void) { - _key_mgr_ll_enable_bus_clock(true); - _key_mgr_ll_enable_peripheral_clock(true); - _key_mgr_ll_reset_register(); - - while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { - }; + esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); - _mspi_timing_ll_reset_mspi(); + key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); return ESP_OK; } diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index d350fa361d..1169d80910 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -16,6 +16,10 @@ #include "hal/spi_flash_encrypt_hal.h" #include "soc/soc_caps.h" +#if SOC_KEY_MANAGER_SUPPORTED +#include "esp_key_mgr.h" +#endif /* SOC_KEY_MANAGER_SUPPORTED */ + #if CONFIG_IDF_TARGET_ESP32 #define CRYPT_CNT ESP_EFUSE_FLASH_CRYPT_CNT #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT @@ -444,12 +448,13 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } #endif +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES esp_efuse_purpose_t purposes[] = { -#if SOC_FLASH_ENCRYPTION_XTS_AES_256 +#if SOC_EFUSE_XTS_AES_KEY_256 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, #endif -#if SOC_FLASH_ENCRYPTION_XTS_AES_128 +#if SOC_EFUSE_XTS_AES_KEY_128 ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, #endif }; @@ -482,6 +487,23 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } } result &= secure; +#elif CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES128 + secure = esp_efuse_read_field_bit(ESP_EFUSE_KM_XTS_KEY_LENGTH_256); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Key Manager XTS-AES-128 key (set KM_XTS_KEY_LENGTH_256->1)"); + } +#endif + + const uint32_t force_key_mgr_key = esp_efuse_read_field_bit(ESP_EFUSE_FORCE_USE_KEY_MANAGER_KEY); + secure = (force_key_mgr_key & (1 << ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY)); + result &= secure; + + if (!secure) { + ESP_LOGW(TAG, "Not forcing Key Manager to use XTS-AES key (set FORCE_USE_KEY_MANAGER_KEY->1)"); + } +#endif #if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 24168e7cc7..766183b176 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -16,6 +16,14 @@ #include "esp_log.h" #include "hal/wdt_hal.h" #include "sdkconfig.h" +#include "soc/soc_caps.h" + +#if SOC_KEY_MANAGER_SUPPORTED +#include "esp_key_mgr.h" +#include "hal/key_mgr_ll.h" +#include "rom/key_mgr.h" +#include "esp_rom_crc.h" +#endif #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK #include "soc/sensitive_reg.h" @@ -124,8 +132,151 @@ esp_err_t esp_flash_encrypt_check_and_update(void) return ESP_OK; } +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR +static esp_err_t key_manager_read_key_recovery_info(esp_key_mgr_key_recovery_info_t *key_recovery_info) +{ + esp_err_t err = ESP_FAIL; + uint32_t crc = 0; + + for (int i = 0; i < 2; i++) { + err = bootloader_flash_read(KEY_HUK_SECTOR_OFFSET(i), (uint32_t *)key_recovery_info, sizeof(esp_key_mgr_key_recovery_info_t), false); + if (err != ESP_OK) { + ESP_LOGD(TAG, "Failed to read key recovery info from Key Manager sector %d: %x", i, err); + continue; + } + + // check Key Recovery Info magic + if (key_recovery_info->magic != KEY_HUK_SECTOR_MAGIC) { + ESP_LOGD(TAG, "Key Manager sector %d Magic %08x failed", i, key_recovery_info->magic); + continue; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 + if (key_recovery_info->key_type != ESP_KEY_MGR_XTS_AES_256_KEY) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type", i); + continue; + } +#else + if (key_recovery_info->key_type != ESP_KEY_MGR_XTS_AES_128_KEY) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type", i); + continue; + } +#endif + + // check HUK Info CRC + crc = esp_rom_crc32_le(0, key_recovery_info->huk_info.info, HUK_INFO_LEN); + if (crc != key_recovery_info->huk_info.crc) { + ESP_LOGD(TAG, "Key Manager sector %d HUK Info CRC error", i); + continue; + } + + // check Key Info 0 CRC + crc = esp_rom_crc32_le(0, key_recovery_info->key_info[0].info, KEY_INFO_LEN); + if (crc != key_recovery_info->key_info[0].crc) { + ESP_LOGD(TAG, "Key Manager sector %d Key Info 0 CRC error", i); + continue; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 + // check Key Info 1 CRC + crc = esp_rom_crc32_le(0, key_recovery_info->key_info[1].info, KEY_INFO_LEN); + if (crc != key_recovery_info->key_info[1].crc) { + ESP_LOGD(TAG, "Key Manager sector %d Key Info 1 CRC error", i); + continue; + } +#endif + + ESP_LOGI(TAG, "Valid Key Manager key recovery info found in sector %d", i); + return ESP_OK; + } + + ESP_LOGD(TAG, "No valid key recovery info found"); + return ESP_ERR_NOT_FOUND; +} + +static esp_err_t key_manager_generate_key(esp_key_mgr_key_recovery_info_t *key_recovery_info) +{ + ESP_LOGI(TAG, "Deploying new flash encryption key using Key Manager"); + + esp_key_mgr_random_key_config_t key_config; + memset(&key_config, 0, sizeof(esp_key_mgr_random_key_config_t)); + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 + key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY; +#else + key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY; +#endif + + // Generate a new key and load it into Key Manager + esp_err_t err = esp_key_mgr_deploy_key_in_random_mode(&key_config, key_recovery_info); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to generate key for Key Manager: %x", err); + return err; + } + + ESP_LOGV(TAG, "Successfully deployed new flash encryption key using Key Manager"); + + // Write the key recovery info of the newly generated key into the flash + for (int i = 0; i < 2; i++) { + err = bootloader_flash_erase_sector(i); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to erase sector %d: %x", i, err); + return err; + } + } + + // Write the key recovery info of the newly generated key into the flash + err = bootloader_flash_write(KEY_HUK_SECTOR_OFFSET(0), (uint32_t *)key_recovery_info, sizeof(esp_key_mgr_key_recovery_info_t), false); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to write key recovery info to flash: %x", err); + return err; + } + + ESP_LOGV(TAG, "Successfully wrote the newly generated Flash Encryption key recovery info into the flash"); + + return ESP_OK; +} + +static esp_err_t key_manager_check_and_generate_key(void) +{ + /* + 1. Check if we have a valid key info in the first two sectors of the flash + 2. If we have a valid key info, check if it is valid + 1. If the key is valid, use it + 2. If the key is not valid, generate a new key and load it into key manager + 3. If not, generate a new key and load it into key manager + */ + esp_key_mgr_key_recovery_info_t key_recovery_info; + + memset(&key_recovery_info, 0, sizeof(esp_key_mgr_key_recovery_info_t)); + + esp_err_t err = key_manager_read_key_recovery_info(&key_recovery_info); + if (err == ESP_ERR_NOT_FOUND) { + // No valid key recovery info found, generate a new key + err = key_manager_generate_key(&key_recovery_info); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to generate key for Key Manager: %x", err); + return err; + } + } else { + // Valid key recovery info found, use it + ESP_LOGI(TAG, "Using pre-deployed Key Manager key for flash encryption"); + } + + // Recover key using the key recovery info + err = esp_key_mgr_activate_key(&key_recovery_info); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to activate Key Manager key: %x", err); + return err; + } + + return ESP_OK; +} +#endif + static esp_err_t check_and_generate_encryption_keys(void) { +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES size_t key_size = 32; #ifdef CONFIG_IDF_TARGET_ESP32 enum { BLOCKS_NEEDED = 1 }; @@ -214,12 +365,60 @@ static esp_err_t check_and_generate_encryption_keys(void) ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse"); } +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY + // In the case of Key Manager supported targets, the default XTS-AES key source is set to Key Manager. + esp_flash_encryption_use_efuse_key(); +#endif +#elif CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + esp_err_t err = key_manager_check_and_generate_key(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to check and generate key using Key Manager: %x", err); + return err; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES128 + err = esp_efuse_write_field_bit(ESP_EFUSE_KM_XTS_KEY_LENGTH_256); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to set the efuse bit KM_XTS_KEY_LENGTH_256: %x", err); + return err; + } +#endif + + const uint32_t force_key_mgr_key_for_fe = 1 << ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY; + err = esp_efuse_write_field_blob(ESP_EFUSE_FORCE_USE_KEY_MANAGER_KEY, &force_key_mgr_key_for_fe, ESP_EFUSE_FORCE_USE_KEY_MANAGER_KEY[0]->bit_count); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to set the efuse bit %d (XTS-AES key) of FORCE_USE_KEY_MANAGER_KEY: %x", ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY, err); + return err; + } + + ESP_LOGV(TAG, "Successfully activated the flash encryption key using Key Manager"); +#endif + return ESP_OK; } esp_err_t esp_flash_encrypt_init(void) { - if (esp_flash_encryption_enabled() || esp_flash_encrypt_initialized_once()) { + if (esp_flash_encryption_enabled()) { + return ESP_OK; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + if (!(key_mgr_ll_is_supported() && key_mgr_ll_flash_encryption_supported())) { + ESP_LOGE(TAG, "Flash Encryption using Key Manager is not supported, please use efuses instead"); + return ESP_ERR_NOT_SUPPORTED; + } +#endif + + if (esp_flash_encrypt_initialized_once()) { +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + // Allow generating a new key if the key recovery info is not present in the flash + esp_err_t err = key_manager_check_and_generate_key(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to recover key using Key Manager: %x", err); + return err; + } +#endif return ESP_OK; } @@ -260,10 +459,6 @@ esp_err_t esp_flash_encrypt_contents(void) REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1); #endif -#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY - esp_flash_encryption_enable_key_mgr(); -#endif - err = encrypt_bootloader(); // PART_SUBTYPE_BOOTLOADER_PRIMARY if (err != ESP_OK) { return err; diff --git a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c index 12dc361b51..96db76c1df 100644 --- a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c +++ b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c @@ -286,7 +286,7 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo #if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK if (block == EFUSE_BLK9 && ( -#if SOC_FLASH_ENCRYPTION_XTS_AES_256 +#if SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || #endif @@ -301,10 +301,10 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo #endif // SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || -#endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS +#endif //#ifdef SOC_EFUSE_XTS_AES_KEY_256 #if SOC_EFUSE_ECDSA_KEY purpose == ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY || #endif diff --git a/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c b/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c index f7602bc14e..fc20a64f29 100644 --- a/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c +++ b/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c @@ -57,7 +57,7 @@ TEST_CASE("Test efuse API blocks burning XTS and ECDSA keys into BLOCK9", "[efus uint8_t key[32] = {0}; esp_efuse_purpose_t purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY; TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); -#if SOC_FLASH_ENCRYPTION_XTS_AES_256 +#if SOC_EFUSE_XTS_AES_KEY_256 purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1; TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2; @@ -86,7 +86,7 @@ static esp_err_t s_check_key(esp_efuse_block_t num_key, void* wr_key) TEST_ASSERT_TRUE(esp_efuse_get_key_dis_write(num_key)); if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || #endif @@ -180,7 +180,7 @@ TEST_CASE("Test esp_efuse_write_key for virt mode", "[efuse]") esp_efuse_purpose_t purpose = g_purpose; #if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK if (num_key == EFUSE_BLK9 && ( -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || #endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS @@ -224,7 +224,7 @@ TEST_CASE("Test 1 esp_efuse_write_key for FPGA", "[efuse]") #else ESP_EFUSE_KEY_PURPOSE_RESERVED, #endif -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, #else @@ -300,7 +300,7 @@ TEST_CASE("Test esp_efuse_write_keys", "[efuse]") esp_efuse_block_t key_block = EFUSE_BLK_MAX; enum { BLOCKS_NEEDED1 = 2 }; -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 esp_efuse_purpose_t purpose1[BLOCKS_NEEDED1] = { ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, diff --git a/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h b/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h index 2f6421fb0b..e32b9b8e2e 100644 --- a/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h +++ b/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h @@ -15,7 +15,7 @@ extern "C" { // NOTE: [ESP-TEE] Since the clock configuration APIs are part // of the TEE, the XYZ_RCC_ATOMIC macros need to be defined as void. -#if SOC_RCC_IS_INDEPENDENT || ESP_TEE_BUILD +#if SOC_RCC_IS_INDEPENDENT || NON_OS_BUILD #define MPI_RCC_ATOMIC() #define ECC_RCC_ATOMIC() #define HMAC_RCC_ATOMIC() diff --git a/components/esp_security/CMakeLists.txt b/components/esp_security/CMakeLists.txt index 35dc2361d9..362f942aeb 100644 --- a/components/esp_security/CMakeLists.txt +++ b/components/esp_security/CMakeLists.txt @@ -6,7 +6,7 @@ if(${target} STREQUAL "linux") endif() set(srcs "") -set(priv_requires "") +set(priv_requires esp_hw_support hal efuse) set(priv_includes "") if(NOT non_os_build) @@ -30,7 +30,7 @@ if(NOT non_os_build) endif() list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") - list(APPEND priv_requires efuse esp_system esp_timer) + list(APPEND priv_requires esp_system esp_timer) elseif(esp_tee_build) list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") list(APPEND includes "src/${IDF_TARGET}") @@ -42,6 +42,12 @@ elseif(esp_tee_build) if(CONFIG_SOC_DIG_SIGN_SUPPORTED) list(APPEND srcs "src/esp_ds.c") endif() +else() # BOOTLOADER_BUILD + list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") + + if(CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY) + list(APPEND srcs "src/esp_key_mgr.c") + endif() endif() idf_component_register(SRCS ${srcs} diff --git a/components/esp_security/include/esp_key_mgr.h b/components/esp_security/include/esp_key_mgr.h index 8c7d995148..09f7fb4cf5 100644 --- a/components/esp_security/include/esp_key_mgr.h +++ b/components/esp_security/include/esp_key_mgr.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -25,6 +25,8 @@ extern "C" { #define KEY_MGR_HUK_INFO_SIZE HUK_INFO_LEN #define KEY_MGR_HUK_RISK_ALERT_LEVEL HUK_RISK_ALERT_LEVEL +#define KEY_MGR_KEY_INFO_SIZE KEY_INFO_LEN + /* AES deploy mode */ #define KEY_MGR_K2_INFO_SIZE 64 #define KEY_MGR_K1_ENCRYPTED_SIZE 32 @@ -59,12 +61,19 @@ typedef struct { WORD_ALIGNED_ATTR uint8_t k2_G[2][KEY_MGR_ECDH0_INFO_SIZE]; } esp_key_mgr_ecdh0_info_t; +/** + * @brief Wait for the Key Manager to reach the given state + * + * @param state The state to wait for + */ +void key_mgr_wait_for_state(esp_key_mgr_state_t state); + /** * @brief Deploy key in AES deployment mode * @input * key_config(input) AES key configuration * key_info(output) A writable struct of esp_key_mgr_key_info_t type. - * The recovery information for the the deployed key shall be stored here + * The recovery information for the the deployed key shall be stored here (Make sure that the memory is valid during the deployment process). * @return * ESP_OK for success * ESP_FAIL/relevant error code for failure @@ -75,7 +84,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t * @brief Deploy key in ECDH0 deployment mode * @input * key_config(input) ECDH0 key configuration - * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here + * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here (Make sure that the memory is valid during the deployment process). * ecdh0_key_info A writable struct of esp_key_mgr_ecdh0_info_t. The ecdh0 info to recover the actual key shall be stored here. * @return * ESP_OK for success @@ -87,7 +96,7 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi * @brief Deploy key in Random deployment mode * @input * key_config(input) Random key configuration - * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here + * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here (Make sure that the memory is valid during the deployment process). * @return * ESP_OK for success * ESP_FAIL/relevant error code for failure diff --git a/components/esp_security/src/esp_crypto_periph_clk.c b/components/esp_security/src/esp_crypto_periph_clk.c index a62c804b35..329f6c8eca 100644 --- a/components/esp_security/src/esp_crypto_periph_clk.c +++ b/components/esp_security/src/esp_crypto_periph_clk.c @@ -7,6 +7,7 @@ #include "soc/soc_caps.h" #include "esp_private/esp_crypto_lock_internal.h" #include "sdkconfig.h" +#include "esp_crypto_periph_clk.h" #if SOC_AES_SUPPORTED #include "hal/aes_ll.h" @@ -38,6 +39,11 @@ #include "hal/crypto_dma_ll.h" #endif +#if NON_OS_BUILD +// To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV +int __DECLARE_RCC_ATOMIC_ENV __attribute__((unused)); +#endif + #if SOC_AES_SUPPORTED void esp_crypto_aes_enable_periph_clk(bool enable) { diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index 43e5720d09..f1ccecb4b0 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -6,13 +6,11 @@ // The Hardware Support layer for Key manager #include #include -#include #include "esp_key_mgr.h" #include "esp_crypto_periph_clk.h" #include "esp_crypto_lock.h" #include "esp_log.h" #include "esp_err.h" -#include "esp_heap_caps.h" #include "esp_rom_crc.h" #include "esp_efuse.h" #include "hal/key_mgr_types.h" @@ -24,16 +22,19 @@ #if SOC_KEY_MANAGER_SUPPORTED static const char *TAG = "esp_key_mgr"; +ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)"); +ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)"); +ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)"); + +#if !NON_OS_BUILD +#include + static _lock_t s_key_mgr_ecdsa_key_lock; static _lock_t s_key_mgr_xts_aes_key_lock; static _lock_t s_key_mgr_hmac_key_lock; static _lock_t s_key_mgr_ds_key_lock; static _lock_t s_key_mgr_psram_key_lock; -ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)"); -ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)"); -ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)"); - static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { @@ -91,6 +92,47 @@ static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) } ESP_LOGV(TAG, "Key lock released for key type %d", key_type); } +#else /* !NON_OS_BUILD */ +static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) +{ + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_XTS_AES_128_KEY: + case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_HMAC_KEY: + case ESP_KEY_MGR_DS_KEY: + case ESP_KEY_MGR_PSRAM_128_KEY: + case ESP_KEY_MGR_PSRAM_256_KEY: + break; + default: + ESP_LOGE(TAG, "Invalid key type"); + break; + } + ESP_LOGV(TAG, "Key lock acquired for key type %d", key_type); +} + +static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) +{ + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_XTS_AES_128_KEY: + case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_HMAC_KEY: + case ESP_KEY_MGR_DS_KEY: + case ESP_KEY_MGR_PSRAM_128_KEY: + case ESP_KEY_MGR_PSRAM_256_KEY: + break; + default: + ESP_LOGE(TAG, "Invalid key type"); + break; + } + ESP_LOGV(TAG, "Key lock released for key type %d", key_type); +} +#endif /* NON_OS_BUILD */ static void esp_key_mgr_acquire_hardware(bool deployment_mode) { @@ -107,30 +149,46 @@ static void esp_key_mgr_acquire_hardware(bool deployment_mode) static void esp_key_mgr_release_hardware(bool deployment_mode) { if (deployment_mode) { - esp_crypto_ecc_lock_release(); - esp_crypto_sha_aes_lock_release(); esp_crypto_key_manager_lock_release(); + esp_crypto_sha_aes_lock_release(); + esp_crypto_ecc_lock_release(); } // Reset the Key Manager Clock esp_crypto_key_mgr_enable_periph_clk(false); } -static void key_mgr_wait_for_state(esp_key_mgr_state_t state) +static esp_key_mgr_key_purpose_t get_key_purpose(esp_key_mgr_key_type_t key_type) +{ + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + case ESP_KEY_MGR_ECDSA_256_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; + case ESP_KEY_MGR_XTS_AES_128_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; + case ESP_KEY_MGR_XTS_AES_256_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; + case ESP_KEY_MGR_HMAC_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_HMAC; + case ESP_KEY_MGR_DS_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_DS; + case ESP_KEY_MGR_PSRAM_128_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; + case ESP_KEY_MGR_PSRAM_256_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; + default: + return ESP_KEY_MGR_KEY_PURPOSE_INVALID; + } +} + +void key_mgr_wait_for_state(esp_key_mgr_state_t state) { while (key_mgr_hal_get_state() != state) { ; } } -typedef struct aes_deploy { - esp_key_mgr_key_purpose_t key_purpose; - const uint8_t *k1_encrypted; - const esp_key_mgr_aes_key_config_t *key_config; - esp_key_mgr_key_recovery_info_t *key_info; - bool huk_deployed; -} aes_deploy_config_t; - static void check_huk_risk_level(void) { uint8_t huk_risk_level = huk_hal_get_risk_level(); @@ -139,7 +197,7 @@ static void check_huk_risk_level(void) "It is recommended to immediately regenerate HUK in order" "to avoid permanently losing the deployed keys", huk_risk_level); } else { - ESP_LOGD(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL); + ESP_LOGD(TAG, "HUK Risk level - %d within acceptable limit (%d)", huk_risk_level, (int) KEY_MGR_HUK_RISK_ALERT_LEVEL); } } @@ -197,54 +255,54 @@ static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info) static esp_err_t deploy_huk(huk_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; - uint8_t *huk_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_HUK_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!huk_recovery_info) { - return ESP_ERR_NO_MEM; - } + if (config->use_pre_generated_huk_info) { + ESP_LOGD(TAG, "Using pre-generated HUK info"); + // If HUK info is provided then recover the HUK from given info check_huk_risk_level(); if (!check_huk_info_validity(config->pre_generated_huk_info)) { ESP_LOGE(TAG, "HUK info is not valid"); - heap_caps_free(huk_recovery_info); return ESP_ERR_INVALID_ARG; } - memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE); ESP_LOGD(TAG, "Recovering HUK from given HUK recovery info"); - esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, huk_recovery_info); + esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, (uint8_t *) config->pre_generated_huk_info->info); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover HUK"); - heap_caps_free(huk_recovery_info); return esp_ret; } // Copy the pre generated huk info in the output key recovery info - memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); + memcpy(config->huk_recovery_info->info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE); config->huk_recovery_info->crc = config->pre_generated_huk_info->crc; } else { // Generate new HUK and corresponding HUK info ESP_LOGD(TAG, "Generating new HUK"); - esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, huk_recovery_info); + esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, config->huk_recovery_info->info); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to generate HUK"); - heap_caps_free(huk_recovery_info); + memset(config->huk_recovery_info->info, 0, KEY_MGR_HUK_INFO_SIZE); return esp_ret; } - memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); - config->huk_recovery_info->crc = esp_rom_crc32_le(0, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); + config->huk_recovery_info->crc = esp_rom_crc32_le(0, config->huk_recovery_info->info, KEY_MGR_HUK_INFO_SIZE); } - ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", huk_recovery_info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG); - // Free the local buffer for huk recovery info - heap_caps_free(huk_recovery_info); return ESP_OK; } +typedef struct aes_deploy { + esp_key_mgr_key_purpose_t key_purpose; + const uint8_t *k1_encrypted; + const esp_key_mgr_aes_key_config_t *key_config; + esp_key_mgr_key_recovery_info_t *key_info; + bool huk_deployed; +} aes_deploy_config_t; + static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; @@ -252,28 +310,32 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed - huk_deploy_config_t huk_deploy_config = {}; - huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info; - huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info; - huk_deploy_config.huk_recovery_info = &config->key_info->huk_info; + huk_deploy_config_t huk_deploy_config = { + .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, + .pre_generated_huk_info = &config->key_config->huk_info, + .huk_recovery_info = &config->key_info->huk_info, + }; + esp_ret = deploy_huk(&huk_deploy_config); if (esp_ret != ESP_OK) { return esp_ret; } + ESP_LOGD(TAG, "HUK deployed successfully"); } + uint8_t key_recovery_info_index = 0; + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + key_recovery_info_index = 1; + } + + uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; + // STEP 1: Init Step // Set mode key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_AES); - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; - } - // Set key purpose - ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose); key_mgr_hal_set_key_purpose(config->key_purpose); // Set key length for XTS-AES key @@ -289,7 +351,6 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_use_sw_init_key(); } else if (!esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY, NULL)) { ESP_LOGE(TAG, "Could not find key with purpose KM_INIT_KEY"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } @@ -300,16 +361,12 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if (config->key_config->use_pre_generated_sw_init_key) { key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG); } ESP_LOGD(TAG, "Writing Information into Key Manager Registers"); - key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG); key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_DEBUG); key_mgr_hal_continue(); @@ -317,32 +374,21 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGD(TAG, "Key deployment valid"); } + ESP_LOGD(TAG, "Key deployment valid"); // Wait till Key Manager deployment is complete key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - - } else { - memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } - - heap_caps_free(key_recovery_info); - config->key_info->key_type = config->key_config->key_type; + config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); + config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; return ESP_OK; @@ -356,38 +402,14 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t ESP_LOGD(TAG, "Key deployment in AES mode"); - aes_deploy_config_t aes_deploy_config = {}; - aes_deploy_config.key_config = key_config; - aes_deploy_config.key_info = key_recovery_info; - aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0]; + aes_deploy_config_t aes_deploy_config = { + .key_config = key_config, + .key_info = key_recovery_info, + .k1_encrypted = key_config->k1_encrypted[0], + }; - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - break; - case ESP_KEY_MGR_HMAC_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - break; - case ESP_KEY_MGR_DS_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - break; - default: + aes_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + if (aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -402,8 +424,8 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t aes_deploy_config.huk_deployed = true; - if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - aes_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_config->key_type == ESP_KEY_MGR_PSRAM_256_KEY) { + aes_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; aes_deploy_config.k1_encrypted = key_config->k1_encrypted[1]; esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config); if (esp_ret != ESP_OK) { @@ -413,7 +435,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY); cleanup: esp_key_mgr_release_hardware(true); @@ -429,6 +451,7 @@ typedef struct key_recovery_config { static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) { key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if (!check_huk_info_validity(&config->key_recovery_info->huk_info)) { ESP_LOGE(TAG, "HUK info is not valid"); return ESP_ERR_INVALID_ARG; @@ -444,13 +467,12 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) } ESP_LOGD(TAG, "HUK recovered successfully"); - ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG); config->huk_recovered = true; } key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RECOVER); - // Set AES-XTS key len + // Set XTS-AES key length esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_recovery_info->key_type; if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); @@ -470,26 +492,25 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) return ESP_FAIL; } key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[1].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("RECOVERY_INFO[1]", config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); } else { if (!check_key_info_validity(&config->key_recovery_info->key_info[0])) { ESP_LOGE(TAG, "Key info not valid"); return ESP_FAIL; } key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("RECOVERY_INFO[0]", config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); } key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) { + // TODO: Maybe need to extend this to ECDSA_384_L and ECDSA_384_H (IDF-14120) + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGD(TAG, "Key deployment is not valid"); return ESP_FAIL; } - ESP_LOGD(TAG, "Key Recovery valid"); } + ESP_LOGD(TAG, "Key Recovery valid"); key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); @@ -502,51 +523,25 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery return ESP_ERR_INVALID_ARG; } - ESP_LOGD(TAG, "Activating key of type %d", key_recovery_info->key_type); + esp_key_mgr_key_type_t key_type = key_recovery_info->key_type; - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type; - esp_key_mgr_key_purpose_t key_purpose; + ESP_LOGD(TAG, "Activating key of type %d", key_type); - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - break; - case ESP_KEY_MGR_HMAC_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - break; - case ESP_KEY_MGR_DS_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - break; - default: + key_recovery_config_t key_recovery_config = { + .key_recovery_info = key_recovery_info, + }; + + key_recovery_config.key_purpose = get_key_purpose(key_type); + if (key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } - esp_err_t esp_ret = ESP_FAIL; esp_key_mgr_acquire_key_lock(key_type); - key_recovery_config_t key_recovery_config = { - .key_recovery_info = key_recovery_info, - .key_purpose = key_purpose, - }; esp_key_mgr_acquire_hardware(false); - esp_ret = key_mgr_recover_key(&key_recovery_config); + esp_err_t esp_ret = key_mgr_recover_key(&key_recovery_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover key"); esp_key_mgr_release_key_lock(key_type); @@ -565,7 +560,6 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery // Set the Key Manager Static Register to use own key for the respective key type key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); - esp_key_mgr_release_key_lock(key_type); ESP_LOGD(TAG, "Key activation for type %d successful", key_type); return ESP_OK; @@ -600,37 +594,43 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed - huk_deploy_config_t huk_deploy_config; - huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info; - huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info; - huk_deploy_config.huk_recovery_info = &config->key_info->huk_info; + huk_deploy_config_t huk_deploy_config = { + .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, + .pre_generated_huk_info = &config->key_config->huk_info, + .huk_recovery_info = &config->key_info->huk_info, + }; + esp_ret = deploy_huk(&huk_deploy_config); if (esp_ret != ESP_OK) { return esp_ret; } + ESP_LOGD(TAG, "HUK deployed successfully"); } - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; + uint8_t key_recovery_info_index = 0; + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + key_recovery_info_index = 1; } + uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; + // Step 1 : Initialization // Configure deployment mode to ECDH0 key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_ECDH0); - // Set AES-XTS key len + // Set key purpose + key_mgr_hal_set_key_purpose(config->key_purpose); + + // Set XTS-AES key length esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; + if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); } - // Set key purpose - key_mgr_hal_set_key_purpose(config->key_purpose); - key_mgr_hal_start(); // Step 2: Load phase @@ -646,35 +646,23 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_read_assist_info(config->ecdh0_key_info); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); - - ESP_LOGD(TAG, "HUK deployed is valid"); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGD(TAG, "Key deployment valid"); } + ESP_LOGD(TAG, "Key deployment valid"); // Wait till Key Manager deployment is complete key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { - memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } - - config->key_info->key_type = config->key_config->key_type; + config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); + config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; - heap_caps_free(key_recovery_info); return ESP_OK; } @@ -687,48 +675,17 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ESP_LOGD(TAG, "Key Deployment in ECDH0 mode"); - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; + esp_key_mgr_key_type_t key_type = key_config->key_type; ecdh0_deploy_config_t ecdh0_deploy_config = { .key_config = key_config, .key_info = key_info, .k1_G = key_config->k1_G[0], + .ecdh0_key_info = ecdh0_key_info->k2_G[0], }; - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_HMAC_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_DS_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - default: + ecdh0_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + if (ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -737,7 +694,8 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi esp_err_t esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); if (esp_ret != ESP_OK) { - ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode"); + ESP_LOGE(TAG, "Key deployment in ECDH0 mode failed"); + goto cleanup; } ecdh0_deploy_config.huk_deployed = true; @@ -748,15 +706,17 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1]; esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); if (esp_ret != ESP_OK) { - ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode"); + ESP_LOGE(TAG, "Key deployment in ECDH0 mode failed"); + goto cleanup; } } // Set the Key Manager Static Register to use own key for the respective key type key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); +cleanup: esp_key_mgr_release_hardware(true); - return ESP_OK; + return esp_ret; } typedef struct random_deploy { @@ -786,10 +746,20 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } + uint8_t key_recovery_info_index = 0; + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + key_recovery_info_index = 1; + } + + uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; + // Configure deployment mode to RANDOM key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RANDOM); - // Set AES-XTS key len + // Set key purpose + key_mgr_hal_set_key_purpose(config->key_purpose); + + // Set XTS-AES key length esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); @@ -797,14 +767,6 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); } - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; - } - - // Set key purpose (XTS/ECDSA) - key_mgr_hal_set_key_purpose(config->key_purpose); - key_mgr_hal_start(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); @@ -814,33 +776,23 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) // No configuration for Random deploy mode key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGD(TAG, "Key deployment valid"); } + ESP_LOGD(TAG, "Key deployment valid"); // Wait till Key Manager deployment is complete key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { - memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } - - heap_caps_free(key_recovery_info); - - config->key_info->key_type = config->key_config->key_type; + config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); + config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; + return ESP_OK; } @@ -857,34 +809,8 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con .key_info = key_recovery_info, }; - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - break; - case ESP_KEY_MGR_HMAC_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - break; - case ESP_KEY_MGR_DS_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - break; - default: + random_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + if (random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -894,25 +820,25 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con esp_err_t esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in Random mode failed"); - return ESP_FAIL; + goto cleanup; } random_deploy_config.huk_deployed = true; - if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - random_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_config->key_type == ESP_KEY_MGR_PSRAM_256_KEY) { + random_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in Random mode failed"); - return ESP_FAIL; + goto cleanup; } } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY); +cleanup: esp_key_mgr_release_hardware(true); - return esp_ret; } #endif diff --git a/components/hal/esp32c5/include/hal/huk_ll.h b/components/hal/esp32c5/include/hal/huk_ll.h index fb6e4e69f4..d66eed2e41 100644 --- a/components/hal/esp32c5/include/hal/huk_ll.h +++ b/components/hal/esp32c5/include/hal/huk_ll.h @@ -29,6 +29,14 @@ extern "C" { #endif +static inline void huk_ll_power_up(void) +{ + /* huk force_pd MUST be cleared!!! */ + REG_CLR_BIT(LP_AON_MEM_CTRL_REG, LP_AON_HUK_MEM_FORCE_PD); + /* huk force_pu MUST be set!!! */ + REG_SET_BIT(LP_AON_MEM_CTRL_REG, LP_AON_HUK_MEM_FORCE_PU); +} + /* @brief Configure the HUK mode */ static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode) { diff --git a/components/hal/esp32c5/include/hal/key_mgr_ll.h b/components/hal/esp32c5/include/hal/key_mgr_ll.h index ff35e84aaf..71fc8167f7 100644 --- a/components/hal/esp32c5/include/hal/key_mgr_ll.h +++ b/components/hal/esp32c5/include/hal/key_mgr_ll.h @@ -20,6 +20,7 @@ #include "soc/keymng_reg.h" #include "soc/pcr_struct.h" #include "soc/pcr_reg.h" +#include "hal/efuse_hal.h" #ifdef __cplusplus extern "C" { @@ -443,6 +444,14 @@ static inline bool key_mgr_ll_is_supported(void) return true; } +static inline bool key_mgr_ll_flash_encryption_supported(void) +{ + if (!key_mgr_ll_is_supported() || efuse_hal_chip_revision() <= 100) { + return false; + } + return true; +} + #ifdef __cplusplus } #endif diff --git a/components/hal/esp32p4/include/hal/huk_ll.h b/components/hal/esp32p4/include/hal/huk_ll.h index 6b5a50a64f..dc62489050 100644 --- a/components/hal/esp32p4/include/hal/huk_ll.h +++ b/components/hal/esp32p4/include/hal/huk_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -27,6 +27,11 @@ extern "C" { #endif +static inline void huk_ll_power_up(void) +{ + +} + /* @brief Configure the HUK mode */ static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode) { diff --git a/components/hal/esp32p4/include/hal/key_mgr_ll.h b/components/hal/esp32p4/include/hal/key_mgr_ll.h index dfc3b510a6..285f5909f0 100644 --- a/components/hal/esp32p4/include/hal/key_mgr_ll.h +++ b/components/hal/esp32p4/include/hal/key_mgr_ll.h @@ -484,6 +484,14 @@ static inline bool key_mgr_ll_is_supported(void) #endif } +static inline bool key_mgr_ll_flash_encryption_supported(void) +{ + if (!key_mgr_ll_is_supported()) { + return false; + } + return true; +} + #ifdef __cplusplus } #endif diff --git a/components/hal/huk_hal.c b/components/hal/huk_hal.c index a274219162..21f1a12959 100644 --- a/components/hal/huk_hal.c +++ b/components/hal/huk_hal.c @@ -30,6 +30,8 @@ static void inline huk_hal_wait_for_state(esp_huk_state_t state) esp_err_t huk_hal_configure(const esp_huk_mode_t huk_mode, uint8_t *huk_info_buf) { + huk_ll_power_up(); + if (esp_rom_km_huk_conf(huk_mode, huk_info_buf) != ETS_OK) { return ESP_FAIL; } diff --git a/components/hal/include/hal/key_mgr_types.h b/components/hal/include/hal/key_mgr_types.h index 550b333621..dcdc8bd30e 100644 --- a/components/hal/include/hal/key_mgr_types.h +++ b/components/hal/include/hal/key_mgr_types.h @@ -70,6 +70,7 @@ typedef enum { * @brief Key Purpose to be set for a particular key in the Key Manager */ typedef enum { + ESP_KEY_MGR_KEY_PURPOSE_INVALID = 0, ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192 = 1, /* ECDSA 192-bit key */ ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256 = 2, /* ECDSA 256-bit key */ ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 = 3, /* First half of flash 256-bit key */ @@ -109,6 +110,17 @@ typedef enum { ESP_KEY_MGR_INT_POST_DONE, } esp_key_mgr_interrupt_type_t; +/** + * @brief Force use key manager key type + * @note This is used to force the key manager to use a specific key type. + */ +typedef enum { + ESP_KEY_MGR_FORCE_USE_KM_ECDSA_KEY = 0, + ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY = 1, + ESP_KEY_MGR_FORCE_USE_KM_HMAC_KEY = 2, + ESP_KEY_MGR_FORCE_USE_KM_DS_KEY = 3, +} esp_key_mgr_force_use_km_key_t; + // store huk info, occupy 96 words typedef struct PACKED_ATTR { #define HUK_INFO_LEN 660 diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index a79fd8fa48..fb48fd7d2b 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -603,6 +603,10 @@ config SOC_EFUSE_DIS_DIRECT_BOOT bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_ECC bool default y diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index 701ee2c5ea..a358b7bba2 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h @@ -275,6 +275,7 @@ #define SOC_EFUSE_DIS_DOWNLOAD_ICACHE 1 #define SOC_EFUSE_DIS_PAD_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_ECC 1 diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index 4472fc985b..c0dd923f1d 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -879,6 +879,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index d25c7c661e..76e98a526a 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -374,6 +374,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in index 0614bb3f3e..dc2d8965a0 100644 --- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in @@ -1283,6 +1283,10 @@ config SOC_EFUSE_ECDSA_KEY_P384 bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_HUK_MEM_NEEDS_RECHARGE bool default y @@ -1343,10 +1347,18 @@ config SOC_FLASH_ENCRYPTION_XTS_AES bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_256 + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND bool default y diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h index 08711e7be8..b7f4d4f4af 100644 --- a/components/soc/esp32c5/include/soc/soc_caps.h +++ b/components/soc/esp32c5/include/soc/soc_caps.h @@ -511,6 +511,7 @@ #define SOC_EFUSE_ECDSA_KEY 1 #define SOC_EFUSE_ECDSA_KEY_P192 1 #define SOC_EFUSE_ECDSA_KEY_P384 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- HUK CAPS----------------------------*/ #define SOC_HUK_MEM_NEEDS_RECHARGE 1 @@ -533,8 +534,10 @@ /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */ +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (0) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */ #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1 /*-------------------------- PSRAM Encryption CAPS----------------------------*/ diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index 7be9c85de9..a6b432dcad 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -1123,6 +1123,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index 45d1c7c2d2..4d4c45fcbd 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -455,6 +455,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in index 50f5015b38..287920979b 100644 --- a/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in @@ -915,6 +915,10 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default n diff --git a/components/soc/esp32c61/include/soc/soc_caps.h b/components/soc/esp32c61/include/soc/soc_caps.h index 94d31afaf8..07a447a3f2 100644 --- a/components/soc/esp32c61/include/soc/soc_caps.h +++ b/components/soc/esp32c61/include/soc/soc_caps.h @@ -379,6 +379,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 0 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 0 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index 576f357786..28573475ad 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -1135,6 +1135,10 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index 2dd0e7084a..a500e59ebb 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -474,6 +474,7 @@ #define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA #endif #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in index 79e62e6eeb..6c9fe5ba1b 100644 --- a/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in @@ -855,6 +855,10 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h21/include/soc/soc_caps.h b/components/soc/esp32h21/include/soc/soc_caps.h index 283710878b..9ae287e1e3 100644 --- a/components/soc/esp32h21/include/soc/soc_caps.h +++ b/components/soc/esp32h21/include/soc/soc_caps.h @@ -452,6 +452,7 @@ #define SOC_EFUSE_DIS_ICACHE 1 // #define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index 07b3e737bd..38671a7e6e 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -815,6 +815,10 @@ config SOC_EFUSE_ECDSA_KEY bool default n +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index c75f19e62b..dd5879f772 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -438,6 +438,7 @@ #define SOC_EFUSE_DIS_ICACHE 0 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block #define SOC_EFUSE_ECDSA_KEY 0 // TODO: [ESP32H4] IDF-12259 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in index f0c917187d..9d64cd1f89 100644 --- a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in @@ -1679,6 +1679,14 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + +config SOC_EFUSE_XTS_AES_KEY_256 + bool + default y + config SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT bool default y diff --git a/components/soc/esp32p4/include/soc/soc_caps.h b/components/soc/esp32p4/include/soc/soc_caps.h index c620d18884..e492a945b6 100644 --- a/components/soc/esp32p4/include/soc/soc_caps.h +++ b/components/soc/esp32p4/include/soc/soc_caps.h @@ -634,6 +634,8 @@ /* Capability to disable the MSPI access in download mode */ #define SOC_EFUSE_DIS_DOWNLOAD_MSPI 1 #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 +#define SOC_EFUSE_XTS_AES_KEY_256 1 /*-------------------------- Key Manager CAPS----------------------------*/ #define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT 1 /*!< Key manager supports key deployment */ @@ -655,8 +657,8 @@ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */ +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */ /*-------------------------- MEMPROT CAPS ------------------------------------*/ /*-------------------------- UART CAPS ---------------------------------------*/ diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 186d2ae2b6..2df36f9b13 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -915,6 +915,14 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + +config SOC_EFUSE_XTS_AES_KEY_256 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 6376fe2a58..7f96f49c9c 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -396,6 +396,8 @@ #define SOC_EFUSE_DIS_BOOT_REMAP 1 #define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 +#define SOC_EFUSE_XTS_AES_KEY_256 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index 1af3e5af9a..1bc0940b15 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -1163,6 +1163,14 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + +config SOC_EFUSE_XTS_AES_KEY_256 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index bb599f0381..2c9c3e3fb2 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -470,6 +470,8 @@ #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block +#define SOC_EFUSE_XTS_AES_KEY_128 1 +#define SOC_EFUSE_XTS_AES_KEY_256 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/tools/test_apps/system/.build-test-rules.yml b/tools/test_apps/system/.build-test-rules.yml index 55d2058eaa..fe4c7d8a96 100644 --- a/tools/test_apps/system/.build-test-rules.yml +++ b/tools/test_apps/system/.build-test-rules.yml @@ -3,6 +3,8 @@ tools/test_apps/system/bootloader_sections: disable: - if: CONFIG_NAME == "rtc_retain" and SOC_RTC_FAST_MEM_SUPPORTED != 1 + - if: CONFIG_NAME == "flash_encryption_key_mgr" and (SOC_KEY_MANAGER_FE_KEY_DEPLOY != 1 or IDF_TARGET == "esp32p4") + - if: CONFIG_NAME == "flash_encryption_key_mgr_esp32p4" and IDF_TARGET != "esp32p4" tools/test_apps/system/build_tests/client_only_mbedtls: disable: diff --git a/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr new file mode 100644 index 0000000000..9c2f087437 --- /dev/null +++ b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr @@ -0,0 +1,4 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y +CONFIG_PARTITION_TABLE_OFFSET=0xC000 diff --git a/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 new file mode 100644 index 0000000000..cdb00e387a --- /dev/null +++ b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 @@ -0,0 +1,6 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y +CONFIG_PARTITION_TABLE_OFFSET=0xC000 + +CONFIG_ESP32P4_SELECTS_REV_LESS_V3=n