feat(esp32p4): Support newer Key Manager key sources for ESP32-P4 V3

2026-04-27 19:13:21 +00:00 · 2025-10-09 12:05:32 +05:30
parent ab149384e1
commit 609d52c6bf
26 changed files with 605 additions and 705 deletions
@@ -40,6 +40,7 @@

 #ifdef SOC_KEY_MANAGER_DS_KEY_DEPLOY
 #include "hal/key_mgr_hal.h"
+#include "hal/key_mgr_ll.h"
 #endif

 /**
@@ -326,6 +327,10 @@ esp_err_t esp_ds_start_sign(const void *message,
    ds_acquire_enable();

 #if SOC_KEY_MANAGER_DS_KEY_DEPLOY
+    if (!key_mgr_ll_is_supported()) {
+        assert(false && "Key manager is not supported");
+    }
+
    if (key_id == HMAC_KEY_KM) {
        key_mgr_hal_set_key_usage(ESP_KEY_MGR_DS_KEY, ESP_KEY_MGR_USE_OWN_KEY);
        ds_hal_set_key_source(DS_KEY_SOURCE_KEY_MGR);
@@ -21,6 +21,7 @@
 #include "hal/huk_hal.h"
 #include "rom/key_mgr.h"

+#if SOC_KEY_MANAGER_SUPPORTED
 static const char *TAG = "esp_key_mgr";

 static _lock_t s_key_mgr_ecdsa_key_lock;
@@ -914,3 +915,4 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con

    return esp_ret;
 }
+#endif
@@ -29,13 +29,13 @@

 __attribute__((unused)) static const char *TAG = "esp_security";

+#if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
 static void esp_key_mgr_init(void)
 {
    // The following code initializes the key manager.
    // When Flash Encryption is already enabled, Key Manager is initialized by the
    // ROM, and when Flash Encryption is enabled during boot up, Key Manager is
    // initialized by the bootloader.
-#if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
    if (!efuse_hal_flash_encryption_enabled()) {
        // Enable key manager clock
        key_mgr_ll_power_up();
@@ -50,13 +50,17 @@ static void esp_key_mgr_init(void)
        // Force Key Manager to use eFuse key by-default for an XTS-AES operation.
        key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
    }
-#endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */
 }
+#endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */

 ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
 {
    esp_crypto_clk_init();
+
+#if SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT
    esp_key_mgr_init();
+#endif
+
 #if CONFIG_ESP_CRYPTO_DPA_PROTECTION_AT_STARTUP
    esp_crypto_dpa_protection_startup();
 #endif
@@ -8,7 +8,7 @@ if(CONFIG_SOC_DIG_SIGN_SUPPORTED)
    list(APPEND srcs "test_ds.c")
 endif()

-if(CONFIG_SOC_KEY_MANAGER_SUPPORTED)
+if(CONFIG_ESP_SECURITY_IS_KEY_MANAGER_SUPPORTED)
    list(APPEND srcs "test_key_mgr.c")
 endif()

@@ -6,4 +6,12 @@ menu "ESP Security Tests"
        help
            This includes the esp_security tests that actually require burning some efuses.
            It is better to run these tests on an FPGA to avoid mistakenly burning eFuses.
+
+    config ESP_SECURITY_IS_KEY_MANAGER_SUPPORTED
+        bool
+        default n if IDF_TARGET_ESP32P4 && ESP32P4_SELECTS_REV_LESS_V3
+        default y
+        depends on SOC_KEY_MANAGER_SUPPORTED
+        help
+            A hidden config to determine if the Key Manager tests should be included.
 endmenu
@@ -19,6 +19,9 @@
 #include "esp_system.h"
 #include "unity_test_utils_memory.h"

+#if SOC_KEY_MANAGER_SUPPORTED
+#include "hal/key_mgr_ll.h"
+
 #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
 #include "esp_hmac.h"
 #include "hmac_test_cases.h"
@@ -394,3 +397,4 @@ TEST_CASE("Key Manager random mode: DS key deployment", "[hw_crypto] [key_mgr]")
    free(key_recovery_info);
 }
 #endif /* SOC_KEY_MANAGER_DS_KEY_DEPLOY */
+#endif /* SOC_KEY_MANAGER_SUPPORTED */