test(mbedtls): Add a test for opaque HMAC driver verification

components/mbedtls/test_apps/.build-test-rules.yml

@@ -8,9 +8,12 @@ components/mbedtls/test_apps:
     - if: CONFIG_NAME == "psram_all_ext_flash_enc" and SOC_SPIRAM_SUPPORTED != 1
     - if: CONFIG_NAME == "psram_all_ext_flash_enc_f4r8" and IDF_TARGET != "esp32s3"
     - if: CONFIG_NAME == "ecdsa_sign" and SOC_ECDSA_SUPPORTED != 1
+    - if: CONFIG_NAME == "hmac_opaque" and SOC_HMAC_SUPPORTED != 1
   disable_test:
     - if: CONFIG_NAME == "psram_all_ext_flash_enc" and IDF_TARGET not in ["esp32", "esp32p4", "esp32c5"]
       reason: lack of runners
+    - if: CONFIG_NAME == "hmac_opaque" and IDF_TARGET not in ["esp32c3"]
+      reason: lack of runners
   depends_components:
     - mbedtls
     - esp_security

components/mbedtls/test_apps/main/Kconfig.projbuild

@@ -0,0 +1,21 @@
+menu "MbedTLS Test Configuration"
+
+    config MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY
+        bool "Enable HMAC opaque driver test with eFuse key"
+        default n
+        depends on SOC_HMAC_SUPPORTED
+        help
+            Enable test cases for the PSA HMAC opaque driver using an HMAC key
+            burned in eFuse. Requires the test runner to have an HMAC_UP key
+            provisioned in the configured eFuse block.
+
+    config MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY_ID
+        int "eFuse key block ID for HMAC opaque test"
+        depends on MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY
+        range -1 5
+        default -1
+        help
+            The eFuse key block index (offset from EFUSE_BLK_KEY0) that contains
+            the HMAC_UP key for opaque driver testing.
+
+endmenu

components/mbedtls/test_apps/main/test_psa_hmac.c

@@ -10,6 +10,10 @@
 #include "unity.h"
 #include "esp_log.h"
 
+#ifdef ESP_HMAC_OPAQUE_DRIVER_ENABLED
+#include "psa_crypto_driver_esp_hmac_opaque.h"
+#endif /* ESP_HMAC_OPAQUE_DRIVER_ENABLED */
+
 static const uint8_t key_256[] = {
     0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
     0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
@@ -208,3 +212,49 @@ TEST_CASE("PSA HMAC SHA-256 truncated test", "[psa_hmac]")
     psa_destroy_key(key_id);
     psa_reset_key_attributes(&attributes);
 }
+
+#if defined(ESP_HMAC_OPAQUE_DRIVER_ENABLED) && defined(CONFIG_MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY)
+/*
+ * Opaque HMAC driver tests — require an HMAC key burned in eFuse.
+ *
+ * The runner has key_256 burned in eFuse with purpose HMAC_UP.
+ * efuse_key_id is configured via Kconfig (offset from EFUSE_BLK_KEY0).
+ */
+#define HMAC_EFUSE_KEY_ID   CONFIG_MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY_ID
+
+TEST_CASE("PSA HMAC opaque driver compute and verify", "[psa_hmac][efuse_hmac_key]")
+{
+    psa_status_t status;
+    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+    psa_key_id_t key_id = 0;
+    psa_algorithm_t alg = PSA_ALG_HMAC(PSA_ALG_SHA_256);
+
+    esp_hmac_opaque_key_t opaque_key = {
+        .efuse_key_id = HMAC_EFUSE_KEY_ID,
+    };
+
+    psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE);
+    psa_set_key_algorithm(&attributes, alg);
+    psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+    psa_set_key_bits(&attributes, 256);
+    psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_ESP_HMAC_VOLATILE);
+
+    status = psa_import_key(&attributes, (uint8_t *)&opaque_key, sizeof(opaque_key), &key_id);
+    TEST_ASSERT_EQUAL_HEX32(PSA_SUCCESS, status);
+
+    uint8_t mac[32] = {0};
+    size_t mac_length = 0;
+    status = psa_mac_compute(key_id, alg, test_data, sizeof(test_data),
+                             mac, sizeof(mac), &mac_length);
+    TEST_ASSERT_EQUAL_HEX32(PSA_SUCCESS, status);
+    TEST_ASSERT_EQUAL(sizeof(expected_hmac_sha256), mac_length);
+    TEST_ASSERT_EQUAL_HEX8_ARRAY(expected_hmac_sha256, mac, mac_length);
+
+    status = psa_mac_verify(key_id, alg, test_data, sizeof(test_data),
+                            expected_hmac_sha256, sizeof(expected_hmac_sha256));
+    TEST_ASSERT_EQUAL_HEX32(PSA_SUCCESS, status);
+
+    psa_destroy_key(key_id);
+    psa_reset_key_attributes(&attributes);
+}
+#endif /* ESP_HMAC_OPAQUE_DRIVER_ENABLED && CONFIG_MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY */

components/mbedtls/test_apps/pytest_mbedtls_ut.py

@@ -104,6 +104,19 @@ def test_mbedtls_ecdsa_sign(dut: Dut) -> None:
     dut.run_all_single_board_cases(group='efuse_key')
 
 
+@pytest.mark.nvs_encr_hmac
+@pytest.mark.parametrize(
+    'config',
+    [
+        'hmac_opaque',
+    ],
+    indirect=True,
+)
+@idf_parametrize('target', ['esp32c3'], indirect=['target'])
+def test_mbedtls_hmac_opaque(dut: Dut) -> None:
+    dut.run_all_single_board_cases(group='efuse_hmac_key')
+
+
 # TODO: IDF-15012
 # @pytest.mark.generic
 # @pytest.mark.parametrize(

components/mbedtls/test_apps/sdkconfig.ci.hmac_opaque

@@ -0,0 +1,15 @@
+# NOTE: The runner for this test has flash-encryption enabled
+# Flash Encryption
+CONFIG_SECURE_FLASH_ENC_ENABLED=y
+CONFIG_SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT=y
+CONFIG_SECURE_BOOT_ALLOW_ROM_BASIC=y
+CONFIG_SECURE_BOOT_ALLOW_JTAG=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_ENC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_DEC=y
+CONFIG_SECURE_FLASH_UART_BOOTLOADER_ALLOW_CACHE=y
+CONFIG_SECURE_FLASH_REQUIRE_ALREADY_ENABLED=y
+CONFIG_PARTITION_TABLE_OFFSET=0x9000
+
+# HMAC opaque driver test
+CONFIG_MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY=y
+CONFIG_MBEDTLS_TEST_HMAC_OPAQUE_EFUSE_KEY_ID=0