diff --git a/components/bootloader/subproject/main/ld/esp32h4/bootloader.memory.ld.in b/components/bootloader/subproject/main/ld/esp32h4/bootloader.memory.ld.in index 602a727b8a..7786327782 100644 --- a/components/bootloader/subproject/main/ld/esp32h4/bootloader.memory.ld.in +++ b/components/bootloader/subproject/main/ld/esp32h4/bootloader.memory.ld.in @@ -27,7 +27,7 @@ bootloader_usable_dram_end = 0x4085d350; bootloader_stack_overhead = 0x2000; /* For safety margin between bootloader data section and startup stacks */ bootloader_dram_seg_len = 0x5000; bootloader_iram_loader_seg_len = 0x7000; -bootloader_iram_seg_len = 0x2200; +bootloader_iram_seg_len = 0x2D00; /* Start of the lower region is determined by region size and the end of the higher region */ bootloader_dram_seg_end = bootloader_usable_dram_end - bootloader_stack_overhead; diff --git a/components/esp_hal_security/esp32h4/include/hal/hmac_ll.h b/components/esp_hal_security/esp32h4/include/hal/hmac_ll.h new file mode 100644 index 0000000000..d4d80ae51e --- /dev/null +++ b/components/esp_hal_security/esp32h4/include/hal/hmac_ll.h @@ -0,0 +1,212 @@ +/* + * SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +/******************************************************************************* + * NOTICE + * The hal is not public api, don't use it in application code. + * See readme.md in soc/include/hal/readme.md + ******************************************************************************/ + +#pragma once + +#include +#include + +#include "soc/system_reg.h" +#include "soc/hwcrypto_reg.h" +#include "soc/pcr_struct.h" +#include "hal/hmac_types.h" + +#define SHA256_BLOCK_SZ 64 +#define SHA256_DIGEST_SZ 32 + +#define EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG 6 +#define EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE 7 +#define EFUSE_KEY_PURPOSE_HMAC_UP 8 +#define EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL 5 + +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @brief Enable the bus clock for HMAC peripheral module + * + * @param true to enable the module, false to disable the module + */ +static inline void hmac_ll_enable_bus_clock(bool enable) +{ + PCR.hmac_conf.hmac_clk_en = enable; +} + +/** + * @brief Reset the HMAC peripheral module + */ +static inline void hmac_ll_reset_register(void) +{ + PCR.hmac_conf.hmac_rst_en = 1; + PCR.hmac_conf.hmac_rst_en = 0; +} + +/** + * Makes the peripheral ready for use, after enabling it. + */ +static inline void hmac_ll_start(void) +{ + REG_WRITE(HMAC_SET_START_REG, 1); +} + +/** + * @brief Determine where the HMAC output should go. + * + * The HMAC peripheral can be configured to deliver its output to the user directly, or to deliver + * the output directly to another peripheral instead, e.g. the Digital Signature peripheral. + */ +static inline void hmac_ll_config_output(hmac_hal_output_t config) +{ + switch (config) { + case HMAC_OUTPUT_USER: + REG_WRITE(HMAC_SET_PARA_PURPOSE_REG, EFUSE_KEY_PURPOSE_HMAC_UP); + break; + case HMAC_OUTPUT_DS: + REG_WRITE(HMAC_SET_PARA_PURPOSE_REG, EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE); + break; + case HMAC_OUTPUT_JTAG_ENABLE: + REG_WRITE(HMAC_SET_PARA_PURPOSE_REG, EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG); + break; + case HMAC_OUTPUT_ALL: + REG_WRITE(HMAC_SET_PARA_PURPOSE_REG, EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL); + break; + default: + ; // do nothing, error will be indicated by hmac_hal_config_error() + } +} + +/** + * @brief Selects which hardware key should be used. + */ +static inline void hmac_ll_config_hw_key_id(uint32_t key_id) +{ + REG_WRITE(HMAC_SET_PARA_KEY_REG, key_id); +} + +/** + * @brief Apply and check configuration. + * + * Afterwards, the configuration can be checked for errors with hmac_hal_config_error(). + */ +static inline void hmac_ll_config_finish(void) +{ + REG_WRITE(HMAC_SET_PARA_FINISH_REG, 1); +} + +/** + * + * @brief Query HMAC error state after configuration actions. + * + * @return + * - 1 or greater on error + * - 0 on success + */ +static inline uint32_t hmac_ll_config_error(void) +{ + return REG_READ(HMAC_QUERY_ERROR_REG); +} + +/** + * Wait until the HAL is ready for the next interaction. + */ +static inline void hmac_ll_wait_idle(void) +{ + uint32_t query; + do { + query = REG_READ(HMAC_QUERY_BUSY_REG); + } while (query != 0); +} + +/** + * @brief Write a message block of 512 bits to the HMAC peripheral. + */ +static inline void hmac_ll_write_block_512(const uint32_t *block) +{ + const size_t REG_WIDTH = sizeof(uint32_t); + for (size_t i = 0; i < SHA256_BLOCK_SZ / REG_WIDTH; i++) { + REG_WRITE(HMAC_WR_MESSAGE_MEM + (i * REG_WIDTH), block[i]); + } + + REG_WRITE(HMAC_SET_MESSAGE_ONE_REG, 1); +} + +/** + * @brief Read the 256 bit HMAC. + */ +static inline void hmac_ll_read_result_256(uint32_t *result) +{ + const size_t REG_WIDTH = sizeof(uint32_t); + for (size_t i = 0; i < SHA256_DIGEST_SZ / REG_WIDTH; i++) { + result[i] = REG_READ(HMAC_RD_RESULT_MEM + (i * REG_WIDTH)); + } +} + +/** + * @brief Clean the HMAC result provided to other hardware. + */ +static inline void hmac_ll_clean(void) +{ + REG_WRITE(HMAC_SET_INVALIDATE_DS_REG, 1); + REG_WRITE(HMAC_SET_INVALIDATE_JTAG_REG, 1); +} + +/** + * @brief Signals that the following block will be the padded last block. + */ +static inline void hmac_ll_msg_padding(void) +{ + REG_WRITE(HMAC_SET_MESSAGE_PAD_REG, 1); +} + +/** + * @brief Signals that all blocks have been written and a padding block will automatically be applied by hardware. + * + * Only applies if the message length is a multiple of 512 bits. + * See the chip TRM HMAC chapter for more details. + */ +static inline void hmac_ll_msg_end(void) +{ + REG_WRITE(HMAC_SET_MESSAGE_END_REG, 1); +} + +/** + * @brief The message including padding fits into one block, so no further action needs to be taken. + * + * This is called after the one-block-message has been written. + */ +static inline void hmac_ll_msg_one_block(void) +{ + REG_WRITE(HMAC_ONE_BLOCK_REG, 1); +} + +/** + * @brief Indicate that more blocks will be written after the last block. + */ +static inline void hmac_ll_msg_continue(void) +{ + REG_WRITE(HMAC_SET_MESSAGE_ING_REG, 1); +} + +/** + * @brief Clear the HMAC result. + * + * Use this after reading the HMAC result or if aborting after any of the other steps above. + */ +static inline void hmac_ll_calc_finish(void) +{ + REG_WRITE(HMAC_SET_RESULT_FINISH_REG, 2); +} + +#ifdef __cplusplus +} +#endif diff --git a/components/esp_hal_security/test_apps/crypto/main/hmac/test_hmac.c b/components/esp_hal_security/test_apps/crypto/main/hmac/test_hmac.c index 0f7a8cdcfb..8bfa364979 100644 --- a/components/esp_hal_security/test_apps/crypto/main/hmac/test_hmac.c +++ b/components/esp_hal_security/test_apps/crypto/main/hmac/test_hmac.c @@ -33,10 +33,13 @@ static esp_err_t hmac_jtag_disable(void) #include "hal/hmac_hal.h" #include "hal/hmac_ll.h" -#include "hal/ds_ll.h" #include "hal/sha_ll.h" #include "esp_private/periph_ctrl.h" +#if SOC_DIG_SIGN_SUPPORTED +#include "hal/ds_ll.h" +#endif + #define SHA256_BLOCK_SZ 64 #define SHA256_PAD_SZ 8 @@ -67,7 +70,9 @@ esp_err_t hmac_calculate(uint32_t key_id, const void *message, size_t message_le esp_crypto_hmac_enable_periph_clk(true); esp_crypto_sha_enable_periph_clk(true); +#if SOC_DIG_SIGN_SUPPORTED esp_crypto_ds_enable_periph_clk(true); +#endif hmac_hal_start(); @@ -121,7 +126,9 @@ esp_err_t hmac_calculate(uint32_t key_id, const void *message, size_t message_le esp_crypto_hmac_enable_periph_clk(false); esp_crypto_sha_enable_periph_clk(false); +#if SOC_DIG_SIGN_SUPPORTED esp_crypto_ds_enable_periph_clk(false); +#endif return ESP_OK; } diff --git a/components/esp_security/src/esp_hmac.c b/components/esp_security/src/esp_hmac.c index 8657d06fd3..3161f9db06 100644 --- a/components/esp_security/src/esp_hmac.c +++ b/components/esp_security/src/esp_hmac.c @@ -16,9 +16,9 @@ #include "esp_crypto_periph_clk.h" #include "soc/hwcrypto_reg.h" #include "soc/system_reg.h" +#include "soc/soc_caps.h" #if !CONFIG_IDF_TARGET_ESP32S2 -#include "hal/ds_ll.h" #include "hal/hmac_hal.h" #include "hal/hmac_ll.h" #include "hal/sha_ll.h" @@ -75,7 +75,9 @@ esp_err_t esp_hmac_calculate(hmac_key_id_t key_id, esp_crypto_sha_enable_periph_clk(true); +#if SOC_DIG_SIGN_SUPPORTED esp_crypto_ds_enable_periph_clk(true); +#endif #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY /* Key Manager holds the key usage selector register(efuse vs own key). @@ -149,7 +151,9 @@ esp_err_t esp_hmac_calculate(hmac_key_id_t key_id, esp_crypto_key_mgr_enable_periph_clk(false); #endif /* SOC_KEY_MANAGER_HMAC_KEY_DEPLOY */ +#if SOC_DIG_SIGN_SUPPORTED esp_crypto_ds_enable_periph_clk(false); +#endif esp_crypto_sha_enable_periph_clk(false); diff --git a/components/esp_security/test_apps/crypto_drivers/README.md b/components/esp_security/test_apps/crypto_drivers/README.md index 80964f7213..f25cdd0570 100644 --- a/components/esp_security/test_apps/crypto_drivers/README.md +++ b/components/esp_security/test_apps/crypto_drivers/README.md @@ -1,3 +1,3 @@ -| Supported Targets | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-H21 | ESP32-P4 | ESP32-S2 | ESP32-S3 | -| ----------------- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | +| Supported Targets | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-H21 | ESP32-H4 | ESP32-P4 | ESP32-S2 | ESP32-S3 | +| ----------------- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | -------- | diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index c97a20edaa..33df9f9f80 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -127,6 +127,10 @@ config SOC_SHA_SUPPORTED bool default y +config SOC_HMAC_SUPPORTED + bool + default y + config SOC_ECC_SUPPORTED bool default y @@ -137,7 +141,7 @@ config SOC_ECC_EXTENDED_MODES_SUPPORTED config SOC_FLASH_ENC_SUPPORTED bool - default y + default n config SOC_PMU_SUPPORTED bool diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index f81103e9f3..2b23f2b981 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -68,10 +68,10 @@ // #define SOC_SUPPORT_COEXISTENCE 1 // TODO: [ESP32H4] IDF-12251 IDF-12252 IDF-12253 #define SOC_AES_SUPPORTED 1 #define SOC_SHA_SUPPORTED 1 -// #define SOC_HMAC_SUPPORTED 0 // TODO: [ESP32H4] IDF-12257 +#define SOC_HMAC_SUPPORTED 1 #define SOC_ECC_SUPPORTED 1 #define SOC_ECC_EXTENDED_MODES_SUPPORTED 1 -#define SOC_FLASH_ENC_SUPPORTED 1 // TODO: [ESP32H4] IDF-12261 +#define SOC_FLASH_ENC_SUPPORTED 0 // TODO: [ESP32H4] IDF-12261 // #define SOC_SECURE_BOOT_SUPPORTED 1 // TODO: [ESP32H4] IDF-12262 // #define SOC_BOD_SUPPORTED 1 // TODO: [ESP32H4] IDF-12295 diff --git a/examples/security/hmac_soft_jtag/README.md b/examples/security/hmac_soft_jtag/README.md index 15669b0313..1c0ee552be 100644 --- a/examples/security/hmac_soft_jtag/README.md +++ b/examples/security/hmac_soft_jtag/README.md @@ -1,5 +1,5 @@ -| Supported Targets | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-H21 | ESP32-P4 | ESP32-S2 | ESP32-S3 | -| ----------------- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | +| Supported Targets | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-H21 | ESP32-H4 | ESP32-P4 | ESP32-S2 | ESP32-S3 | +| ----------------- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | -------- | # JTAG Re-enable Example diff --git a/examples/security/nvs_encryption_hmac/README.md b/examples/security/nvs_encryption_hmac/README.md index 88b2e14c71..ccb809281c 100644 --- a/examples/security/nvs_encryption_hmac/README.md +++ b/examples/security/nvs_encryption_hmac/README.md @@ -1,5 +1,5 @@ -| Supported Targets | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-H21 | ESP32-P4 | ESP32-S2 | ESP32-S3 | -| ----------------- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | +| Supported Targets | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-H2 | ESP32-H21 | ESP32-H4 | ESP32-P4 | ESP32-S2 | ESP32-S3 | +| ----------------- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | -------- | # NVS Encryption with HMAC-based encryption key protection scheme