feat(bootloader_support): Support FE XTS-AES-256 using Key Manager for ESP32-C5
@@ -880,11 +880,16 @@ menu "Security features"
|
||||
|
||||
config SECURE_FLASH_ENCRYPTION_AES128
|
||||
bool "AES-128 (256-bit key)"
|
||||
depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && !(IDF_TARGET_ESP32C2 && SECURE_BOOT)
|
||||
depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && \
|
||||
((SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES && SOC_EFUSE_XTS_AES_KEY_128) || \
|
||||
(SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR && SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128)) && \
|
||||
!(IDF_TARGET_ESP32C2 && SECURE_BOOT)
|
||||
|
||||
config SECURE_FLASH_ENCRYPTION_AES256
|
||||
bool "AES-256 (512-bit key)"
|
||||
depends on SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 && \
|
||||
((SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES && SOC_EFUSE_XTS_AES_KEY_256) || \
|
||||
(SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR && SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256))
|
||||
endchoice
|
||||
|
||||
choice SECURE_FLASH_ENCRYPTION_MODE
|
||||
|
||||
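Review bot: Both `depends on` expressions now hinge on `SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES` and `SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR`, which are defined outside this hunk; if that key-source choice is not offered on every target with flash encryption, both key-size options become invisible there, so this needs confirming. A saved configuration that had AES-256 with the eFuse source on a target without `SOC_EFUSE_XTS_AES_KEY_256` also loses its option, and Kconfig will fall back to another entry of the choice, changing the flash-encryption key size without any message. I would add a short `help` to each option naming the key source it needs, for example `Requires a key source that can hold a 512-bit XTS-AES key (eFuse or Key Manager).` The choice's header and default are outside the hunk.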
@@ -450,11 +450,11 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
|
||||
|
||||
#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES
|
||||
esp_efuse_purpose_t purposes[] = {
|
||||
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#if SOC_EFUSE_XTS_AES_KEY_256
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
|
||||
#endif
|
||||
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
|
||||
#if SOC_EFUSE_XTS_AES_KEY_128
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY,
|
||||
#endif
|
||||
};
|
||||
|
||||
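Review bot: `purposes[]` in `esp_flash_encryption_cfg_verify_release_mode` is now filled only from `SOC_EFUSE_XTS_AES_KEY_256` and `SOC_EFUSE_XTS_AES_KEY_128`, so a target with the eFuse key source selected and neither capability set would get an empty initializer, which is not valid C11. A guard ahead of the array makes that case explicit: `#if !SOC_EFUSE_XTS_AES_KEY_128 && !SOC_EFUSE_XTS_AES_KEY_256`, then `#error "eFuse key source selected but no XTS-AES eFuse key purpose is available"`, then `#endif`. The function continues outside the hunk, including whatever runs when the key source is the Key Manager; that path is not visible here and should be checked to confirm it rejects a weak release-mode configuration as strictly as the eFuse path does.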
@@ -286,7 +286,7 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo
|
||||
|
||||
#if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
|
||||
if (block == EFUSE_BLK9 && (
|
||||
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#if SOC_EFUSE_XTS_AES_KEY_256
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 ||
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 ||
|
||||
#endif
|
||||
@@ -301,10 +301,10 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo
|
||||
#endif // SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
|
||||
|
||||
if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY ||
|
||||
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#ifdef SOC_EFUSE_XTS_AES_KEY_256
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 ||
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 ||
|
||||
#endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS
|
||||
#endif //#ifdef SOC_EFUSE_XTS_AES_KEY_256
|
||||
#if SOC_EFUSE_ECDSA_KEY
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY ||
|
||||
#endif
|
||||
|
||||
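Review bot: The second condition in `esp_efuse_write_key` tests the new capability with `#ifdef SOC_EFUSE_XTS_AES_KEY_256`, while the BLOCK9 check earlier in the same function and `esp_flash_encryption_cfg_verify_release_mode` use `#if`. Other capability macros on this page are defined with the value 0 (`SOC_EFUSE_ECDSA_KEY 0`, `SOC_EFUSE_DIS_ICACHE 0`), and a target that declared `SOC_EFUSE_XTS_AES_KEY_256 0` in that style would pass the `#ifdef` and treat the 256-bit key purposes as supported. Use `#if SOC_EFUSE_XTS_AES_KEY_256` here and in the test hunks for `s_check_key`, "Test esp_efuse_write_key for virt mode", "Test 1 esp_efuse_write_key for FPGA" and "Test esp_efuse_write_keys". The function body starts and ends outside the hunk.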
@@ -57,7 +57,7 @@ TEST_CASE("Test efuse API blocks burning XTS and ECDSA keys into BLOCK9", "[efus
|
||||
uint8_t key[32] = {0};
|
||||
esp_efuse_purpose_t purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY;
|
||||
TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key)));
|
||||
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#if SOC_EFUSE_XTS_AES_KEY_256
|
||||
purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1;
|
||||
TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key)));
|
||||
purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2;
|
||||
@@ -86,7 +86,7 @@ static esp_err_t s_check_key(esp_efuse_block_t num_key, void* wr_key)
|
||||
|
||||
TEST_ASSERT_TRUE(esp_efuse_get_key_dis_write(num_key));
|
||||
if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY ||
|
||||
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#ifdef SOC_EFUSE_XTS_AES_KEY_256
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 ||
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 ||
|
||||
#endif
|
||||
@@ -180,7 +180,7 @@ TEST_CASE("Test esp_efuse_write_key for virt mode", "[efuse]")
|
||||
esp_efuse_purpose_t purpose = g_purpose;
|
||||
#if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
|
||||
if (num_key == EFUSE_BLK9 && (
|
||||
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#ifdef SOC_EFUSE_XTS_AES_KEY_256
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 ||
|
||||
purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 ||
|
||||
#endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS
|
||||
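Review bot: The `#endif` that closes the renamed guard in this hunk still carries the trailing comment `//#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS`, a name that is not the guard's condition. Change it to `#endif // SOC_EFUSE_XTS_AES_KEY_256` so the pairing can be read without scrolling back to the opening line. The test case body continues outside the hunk.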
@@ -224,7 +224,7 @@ TEST_CASE("Test 1 esp_efuse_write_key for FPGA", "[efuse]")
|
||||
#else
|
||||
ESP_EFUSE_KEY_PURPOSE_RESERVED,
|
||||
#endif
|
||||
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#ifdef SOC_EFUSE_XTS_AES_KEY_256
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
|
||||
#else
|
||||
@@ -300,7 +300,7 @@ TEST_CASE("Test esp_efuse_write_keys", "[efuse]")
|
||||
esp_efuse_block_t key_block = EFUSE_BLK_MAX;
|
||||
|
||||
enum { BLOCKS_NEEDED1 = 2 };
|
||||
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
#ifdef SOC_EFUSE_XTS_AES_KEY_256
|
||||
esp_efuse_purpose_t purpose1[BLOCKS_NEEDED1] = {
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1,
|
||||
ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2,
|
||||
|
||||
@@ -603,6 +603,10 @@ config SOC_EFUSE_DIS_DIRECT_BOOT
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_ECC
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -275,6 +275,7 @@
|
||||
#define SOC_EFUSE_DIS_DOWNLOAD_ICACHE 1
|
||||
#define SOC_EFUSE_DIS_PAD_JTAG 1
|
||||
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_ECC 1
|
||||
|
||||
@@ -879,6 +879,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -374,6 +374,7 @@
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 1
|
||||
#define SOC_EFUSE_DIS_ICACHE 1
|
||||
#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||
@@ -1279,6 +1279,10 @@ config SOC_EFUSE_ECDSA_KEY_P384
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_HUK_MEM_NEEDS_RECHARGE
|
||||
bool
|
||||
default y
|
||||
@@ -1347,6 +1351,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_FLASH_ENCRYPTION_XTS_AES_256
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -510,6 +510,7 @@
|
||||
#define SOC_EFUSE_ECDSA_KEY 1
|
||||
#define SOC_EFUSE_ECDSA_KEY_P192 1
|
||||
#define SOC_EFUSE_ECDSA_KEY_P384 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- HUK CAPS----------------------------*/
|
||||
#define SOC_HUK_MEM_NEEDS_RECHARGE 1
|
||||
@@ -534,7 +535,8 @@
|
||||
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (0) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1
|
||||
|
||||
/*-------------------------- PSRAM Encryption CAPS----------------------------*/
|
||||
|
||||
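Review bot: `SOC_FLASH_ENCRYPTION_XTS_AES_256` is now set to 1 on a target whose own comment records `SOC_EFUSE_XTS_AES_KEY_256 (0)`, so any code outside this commit that is still guarded only by `SOC_FLASH_ENCRYPTION_XTS_AES_256` and assumes an eFuse-held 256-bit key is newly enabled for this chip; a search for remaining uses of that macro would confirm that every one of them also checks the key source. The trailing comment also hard-codes the current values of the two inputs, which will go stale as soon as either capability changes. State the rule instead of the values, for example `/* set when SOC_EFUSE_XTS_AES_KEY_256 or SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 is set */`; the same applies to the `SOC_FLASH_ENCRYPTION_XTS_AES_128` line above it and to the matching pair in the later `@@ -655,8 +657,8 @@` hunk.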
@@ -1119,6 +1119,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -454,6 +454,7 @@
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 1
|
||||
#define SOC_EFUSE_DIS_ICACHE 1
|
||||
#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||
@@ -911,6 +911,10 @@ config SOC_EFUSE_ECDSA_KEY
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default n
|
||||
|
||||
@@ -378,6 +378,7 @@
|
||||
#define SOC_EFUSE_SOFT_DIS_JTAG 0
|
||||
#define SOC_EFUSE_DIS_ICACHE 1
|
||||
#define SOC_EFUSE_ECDSA_KEY 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 0
|
||||
|
||||
@@ -1131,6 +1131,10 @@ config SOC_EFUSE_ECDSA_KEY
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -473,6 +473,7 @@
|
||||
#define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA
|
||||
#endif
|
||||
#define SOC_EFUSE_ECDSA_KEY 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||
@@ -819,6 +819,10 @@ config SOC_EFUSE_ECDSA_KEY
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -451,6 +451,7 @@
|
||||
#define SOC_EFUSE_DIS_ICACHE 1
|
||||
// #define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA
|
||||
#define SOC_EFUSE_ECDSA_KEY 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||
@@ -811,6 +811,10 @@ config SOC_EFUSE_ECDSA_KEY
|
||||
bool
|
||||
default n
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -437,6 +437,7 @@
|
||||
#define SOC_EFUSE_DIS_ICACHE 0
|
||||
#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block
|
||||
#define SOC_EFUSE_ECDSA_KEY 0 // TODO: [ESP32H4] IDF-12259
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||
@@ -1679,6 +1679,14 @@ config SOC_EFUSE_ECDSA_KEY
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_256
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -634,6 +634,8 @@
|
||||
/* Capability to disable the MSPI access in download mode */
|
||||
#define SOC_EFUSE_DIS_DOWNLOAD_MSPI 1
|
||||
#define SOC_EFUSE_ECDSA_KEY 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_256 1
|
||||
|
||||
/*-------------------------- Key Manager CAPS----------------------------*/
|
||||
#define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT 1 /*!< Key manager supports key deployment */
|
||||
@@ -655,8 +657,8 @@
|
||||
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */
|
||||
#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */
|
||||
/*-------------------------- MEMPROT CAPS ------------------------------------*/
|
||||
|
||||
/*-------------------------- UART CAPS ---------------------------------------*/
|
||||
|
||||
@@ -915,6 +915,14 @@ config SOC_EFUSE_DIS_ICACHE
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_256
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -396,6 +396,8 @@
|
||||
#define SOC_EFUSE_DIS_BOOT_REMAP 1
|
||||
#define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1
|
||||
#define SOC_EFUSE_DIS_ICACHE 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_256 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||
@@ -1163,6 +1163,14 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_128
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_EFUSE_XTS_AES_KEY_256
|
||||
bool
|
||||
default y
|
||||
|
||||
config SOC_SECURE_BOOT_V2_RSA
|
||||
bool
|
||||
default y
|
||||
|
||||
@@ -470,6 +470,8 @@
|
||||
#define SOC_EFUSE_DIS_DIRECT_BOOT 1
|
||||
#define SOC_EFUSE_DIS_ICACHE 1
|
||||
#define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block
|
||||
#define SOC_EFUSE_XTS_AES_KEY_128 1
|
||||
#define SOC_EFUSE_XTS_AES_KEY_256 1
|
||||
|
||||
/*-------------------------- Secure Boot CAPS----------------------------*/
|
||||
#define SOC_SECURE_BOOT_V2_RSA 1
|
||||
|
||||