change(mbedtls/psa_driver_esp_hmac): Use efuse key block instead of efuse block

- Maintains compatibility of the older esp_hmac_ APIs and the PSA driver
2026-04-27 19:13:21 +00:00 · 2026-02-26 12:22:17 +05:30
parent aa63487d9f
commit 163e0974b3
6 changed files with 11 additions and 17 deletions
@@ -157,7 +157,7 @@ static esp_err_t compute_nvs_keys_with_hmac(esp_efuse_block_t key_blk, nvs_sec_c
    // Create opaque key reference
    esp_hmac_opaque_key_t opaque_key = {
        .use_km_key = false,
-        .efuse_block = (uint8_t)key_blk,
+        .efuse_key_id = hmac_key_id,
    };

    // Import the opaque key
@@ -53,7 +53,7 @@ esp_err_t esp_hmac_derive_pbkdf2_key(hmac_key_id_t key_id, const uint8_t *salt,
    // Create opaque key reference
    esp_hmac_opaque_key_t opaque_key = {
        .use_km_key = false,
-        .efuse_block = (uint8_t)(EFUSE_BLK_KEY0 + key_id),
+        .efuse_key_id = key_id,
    };

    // Import the opaque key
@@ -15,8 +15,9 @@

 static bool validate_hmac_opaque_key_attributes(const esp_hmac_opaque_key_t *opaque_key)
 {
-    // efuse_block is uint8_t, so it's always >= 0 (EFUSE_BLK0)
-    if (opaque_key->efuse_block < EFUSE_BLK_MAX && esp_efuse_get_key_purpose(opaque_key->efuse_block) == ESP_EFUSE_KEY_PURPOSE_HMAC_UP) {
+    // efuse_key_id is uint8_t, so it's always >= 0 (EFUSE_BLK0)
+    if (((opaque_key->efuse_key_id + EFUSE_BLK_KEY0) < EFUSE_BLK_KEY_MAX)
+        && (esp_efuse_get_key_purpose(EFUSE_BLK_KEY0 + opaque_key->efuse_key_id) == ESP_EFUSE_KEY_PURPOSE_HMAC_UP)) {
        return true;
    }
    return false;
@@ -97,27 +98,19 @@ psa_status_t esp_hmac_setup_opaque(
    return PSA_SUCCESS;
 }

-static hmac_key_id_t translate_efuse_block_to_hmac_key_id(uint8_t efuse_block)
-{
-    return (hmac_key_id_t) (efuse_block - EFUSE_BLK_KEY0);
-}
-
 psa_status_t esp_hmac_update_opaque(esp_hmac_opaque_operation_t *esp_hmac_ctx, const uint8_t *data, size_t data_length)
 {
    if (!esp_hmac_ctx || !data || data_length == 0) {
        return PSA_ERROR_INVALID_ARGUMENT;
    }

-    hmac_key_id_t hmac_key_id = HMAC_KEY_MAX;
+    hmac_key_id_t hmac_key_id = esp_hmac_ctx->opaque_key->efuse_key_id;

 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
    if (esp_hmac_ctx->opaque_key->use_km_key) {
        hmac_key_id = HMAC_KEY_KM;
-    } else
-#endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */
-    {
-        hmac_key_id = translate_efuse_block_to_hmac_key_id(esp_hmac_ctx->opaque_key->efuse_block);
    }
+#endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */

    esp_err_t hmac_ret = esp_hmac_calculate(hmac_key_id, data, data_length, esp_hmac_ctx->hmac);
    if (hmac_ret == ESP_ERR_INVALID_ARG) {
@@ -9,6 +9,7 @@
 #include "esp_types.h"
 #include "soc/soc_caps.h"
 #include "psa/crypto_driver_common.h"
+#include "hal/hmac_types.h"

 #ifdef __cplusplus
 extern "C" {
@@ -24,7 +25,7 @@ extern "C" {
 */
 typedef struct {
    bool use_km_key;                        /**< Use key deployed in the key manager */
-    uint8_t efuse_block;                    /**< eFuse block id for HMAC key */
+    hmac_key_id_t efuse_key_id;                    /**< eFuse key block id for HMAC key */
 } esp_hmac_opaque_key_t;

 /**
@@ -184,7 +184,7 @@ Now we can calculate an HMAC for software usage with the saved key through the P
    // Create opaque key reference
    esp_hmac_opaque_key_t opaque_key = {
        .use_km_key = false,
-        .efuse_block = EFUSE_BLK_KEY4,
+        .efuse_key_id = HMAC_KEY4,
    };

    // Import the opaque key
@@ -184,7 +184,7 @@ HMAC 的第三种应用场景是将其作为密钥，启用软禁用的 JTAG 接
    // 创建不透明密钥引用
    esp_hmac_opaque_key_t opaque_key = {
        .use_km_key = false,
-        .efuse_block = EFUSE_BLK_KEY4,
+        .efuse_key_id = HMAC_KEY4,
    };

    // 导入不透明密钥