espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(esp_tee): Remove support for ECDSA secp192r1 keys in TEE secure storage

Browse Source
This commit is contained in:
Laukik Hase
2026-01-16 17:39:05 +05:30
parent 9001b8fbcf
commit 85681d7586
13 changed files with 15 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/esp_tee/Kconfig.projbuild
-5
View File
@@ -98,11 +98,6 @@ menu "ESP-TEE (Trusted Execution Environment)"
menu "Secure Storage: Additional supported curves for ECDSA signing"
config SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
bool "SECP192R1"
help
Enable ECDSA signing with the SECP192R1 curve using TEE secure storage
config SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
bool "SECP384R1"
depends on SOC_ECDSA_SUPPORT_CURVE_P384
components/esp_tee/scripts/esp_tee_sec_stg_keygen/README.md
+2 -4
View File
@@ -7,13 +7,13 @@
```
$ python esp_tee_sec_stg_keygen.py --help
usage: esp_tee_sec_stg_keygen.py [-h] -k {aes256,ecdsa_p256,ecdsa_p192,ecdsa_p384} -o OUTPUT [-i INPUT] [--write-once]
usage: esp_tee_sec_stg_keygen.py [-h] -k {aes256,ecdsa_p256,ecdsa_p384} -o OUTPUT [-i INPUT] [--write-once]
Generate or import a cryptographic key structure for secure storage
options:
-h, --help show this help message and exit
-k, --key-type {aes256,ecdsa_p256,ecdsa_p192,ecdsa_p384}
-k, --key-type {aes256,ecdsa_p256,ecdsa_p384}
key type to be processed
-o, --output OUTPUT output binary file name
-i, --input INPUT input key file (.pem for ecdsa, .bin for aes)
@@ -24,7 +24,6 @@ options:
```bash
python esp_tee_sec_stg_keygen.py -k ecdsa_p256 -o ecdsa_p256_k0.bin
python esp_tee_sec_stg_keygen.py -k ecdsa_p192 -o ecdsa_p192_k0.bin
python esp_tee_sec_stg_keygen.py -k ecdsa_p384 -o ecdsa_p384_k0.bin
```
@@ -65,7 +64,6 @@ key,type,encoding,value
tee_sec_stg_ns,namespace,,
aes256_key0,file,binary,aes256_gcm_k0.bin
p256_key0,file,binary,ecdsa_p256_k0.bin
p192_key0,file,binary,ecdsa_p192_k0.bin
p384_key0,file,binary,ecdsa_p384_k0.bin
attest_key0,file,binary,ecdsa_p256_k1.bin
```
components/esp_tee/scripts/esp_tee_sec_stg_keygen/esp_tee_sec_stg_keygen.py
-4
View File
@@ -19,7 +19,6 @@ AES_KEY_LEN = 32
AES_DEFAULT_IV_LEN = 16
AES_GCM_IV_LEN = 12
ECDSA_P256_LEN = 32
ECDSA_P192_LEN = 24
ECDSA_P384_LEN = 48
@@ -27,7 +26,6 @@ ECDSA_P384_LEN = 48
class KeyType(Enum):
AES256 = 0
ECDSA_P256 = 1
ECDSA_P192 = 2
ECDSA_P384 = 3
@@ -93,8 +91,6 @@ def generate_key_data(key_type: KeyType, flags: Flags, input_file: str | None) -
return generate_aes256_key(flags, input_file)
elif key_type == KeyType.ECDSA_P256:
return generate_ecdsa_key(ec.SECP256R1(), key_type, ECDSA_P256_LEN, flags, input_file)
elif key_type == KeyType.ECDSA_P192:
return generate_ecdsa_key(ec.SECP192R1(), key_type, ECDSA_P192_LEN, flags, input_file)
elif key_type == KeyType.ECDSA_P384:
return generate_ecdsa_key(ec.SECP384R1(), key_type, ECDSA_P384_LEN, flags, input_file)
else:
components/esp_tee/subproject/components/tee_sec_storage/include/esp_tee_sec_storage.h
-1
View File
@@ -33,7 +33,6 @@ extern "C" {
typedef enum {
ESP_SEC_STG_KEY_AES256 = 0,
ESP_SEC_STG_KEY_ECDSA_SECP256R1 = 1,
ESP_SEC_STG_KEY_ECDSA_SECP192R1 = 2,
#if SOC_ECDSA_SUPPORT_CURVE_P384
ESP_SEC_STG_KEY_ECDSA_SECP384R1 = 3,
#endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */
components/esp_tee/subproject/components/tee_sec_storage/tee_sec_storage.c
+3 -47
View File
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -36,7 +36,6 @@
#define AES256_GCM_IV_LEN 12
#define ECDSA_SECP384R1_KEY_LEN 48
#define ECDSA_SECP256R1_KEY_LEN 32
#define ECDSA_SECP192R1_KEY_LEN 24
#define SHA256_DIGEST_SZ 32
@@ -57,12 +56,6 @@ typedef struct {
uint8_t pub_key[2 * ECDSA_SECP256R1_KEY_LEN]; /* Public key for ECDSA SECP256R1 (X and Y coordinates) */
} __attribute__((aligned(4))) __attribute__((__packed__)) sec_stg_ecdsa_secp256r1_t;
/* Structure to hold ECDSA SECP192R1 key pair */
typedef struct {
uint8_t priv_key[ECDSA_SECP192R1_KEY_LEN]; /* Private key for ECDSA SECP192R1 */
uint8_t pub_key[2 * ECDSA_SECP192R1_KEY_LEN]; /* Public key for ECDSA SECP192R1 (X and Y coordinates) */
} __attribute__((aligned(4))) __attribute__((__packed__)) sec_stg_ecdsa_secp192r1_t;
/* Structure to hold AES-256 key and IV */
typedef struct {
uint8_t key[AES256_KEY_LEN]; /* Key for AES-256 */
@@ -76,7 +69,6 @@ typedef struct {
union {
sec_stg_ecdsa_secp384r1_t ecdsa_secp384r1; /* ECDSA SECP384R1 key pair */
sec_stg_ecdsa_secp256r1_t ecdsa_secp256r1; /* ECDSA SECP256R1 key pair */
sec_stg_ecdsa_secp192r1_t ecdsa_secp192r1; /* ECDSA SECP192R1 key pair */
sec_stg_aes256_t aes256; /* AES-256 key and IV */
};
uint32_t reserved[26]; /* Reserved space for future use */
@@ -321,15 +313,6 @@ static esp_err_t get_ecdsa_curve_info(esp_tee_sec_storage_type_t type, sec_stg_k
*pub_key = ctx->ecdsa_secp256r1.pub_key;
err = ESP_OK;
break;
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP192R1:
*priv_key_len = ECDSA_SECP192R1_KEY_LEN;
*priv_key = ctx->ecdsa_secp192r1.priv_key;
*pub_key_len = sizeof(ctx->ecdsa_secp192r1.pub_key);
*pub_key = ctx->ecdsa_secp192r1.pub_key;
err = ESP_OK;
break;
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP384R1:
*priv_key_len = ECDSA_SECP384R1_KEY_LEN;
@@ -385,8 +368,8 @@ static int generate_ecdsa_key(sec_stg_key_t *keyctx, esp_tee_sec_storage_type_t
goto exit;
}
/* PSA exports public key with 0x04 prefix (65 bytes for secp256r1, 49 bytes for secp192r1)
* We need to strip the prefix and store only X and Y coordinates (64 bytes for secp256r1, 48 bytes for secp192r1)
/* PSA exports public key with 0x04 prefix (65 bytes for secp256r1)
* We need to strip the prefix and store only X and Y coordinates (64 bytes for secp256r1)
* Use fixed-size array to avoid VLA issues with goto statements
*/
uint8_t pub_key_with_prefix[(2 * ECDSA_SECP384R1_KEY_LEN) + 1]; /* Max size: 65 bytes for secp256r1 */
@@ -452,9 +435,6 @@ esp_err_t esp_tee_sec_storage_gen_key(const esp_tee_sec_storage_key_cfg_t *cfg)
switch (cfg->type) {
case ESP_SEC_STG_KEY_ECDSA_SECP256R1:
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP192R1:
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP384R1:
#endif
@@ -483,12 +463,6 @@ esp_err_t esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t *cf
return ESP_ERR_INVALID_ARG;
}
#if !CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
if (cfg->type == ESP_SEC_STG_KEY_ECDSA_SECP192R1) {
return ESP_ERR_NOT_SUPPORTED;
}
#endif
#if SOC_ECC_SUPPORT_CURVE_P384 && !CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
if (cfg->type == ESP_SEC_STG_KEY_ECDSA_SECP384R1) {
return ESP_ERR_NOT_SUPPORTED;
@@ -526,12 +500,6 @@ esp_err_t esp_tee_sec_storage_ecdsa_sign(const esp_tee_sec_storage_key_cfg_t *cf
psa_set_key_bits(&key_attributes, ECDSA_SECP256R1_KEY_LEN * 8);
priv_key = keyctx.ecdsa_secp256r1.priv_key;
priv_key_len = sizeof(keyctx.ecdsa_secp256r1.priv_key);
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
} else if (cfg->type == ESP_SEC_STG_KEY_ECDSA_SECP192R1) {
psa_set_key_bits(&key_attributes, ECDSA_SECP192R1_KEY_LEN * 8);
priv_key = keyctx.ecdsa_secp192r1.priv_key;
priv_key_len = sizeof(keyctx.ecdsa_secp192r1.priv_key);
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
} else if (cfg->type == ESP_SEC_STG_KEY_ECDSA_SECP384R1) {
psa_set_key_bits(&key_attributes, ECDSA_SECP384R1_KEY_LEN * 8);
@@ -601,12 +569,6 @@ esp_err_t esp_tee_sec_storage_ecdsa_get_pubkey(const esp_tee_sec_storage_key_cfg
pub_key_src = keyctx.ecdsa_secp256r1.pub_key;
pub_key_len = ECDSA_SECP256R1_KEY_LEN;
break;
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP192R1:
pub_key_src = keyctx.ecdsa_secp192r1.pub_key;
pub_key_len = ECDSA_SECP192R1_KEY_LEN;
break;
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP384R1:
pub_key_src = keyctx.ecdsa_secp384r1.pub_key;
@@ -724,12 +686,6 @@ esp_err_t esp_tee_sec_storage_ecdsa_sign_pbkdf2(const esp_tee_sec_storage_pbkdf2
key_len = ECDSA_SECP256R1_KEY_LEN;
curve_id = MBEDTLS_ECP_DP_SECP256R1;
break;
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP192R1:
key_len = ECDSA_SECP192R1_KEY_LEN;
curve_id = MBEDTLS_ECP_DP_SECP192R1;
break;
#endif
default:
ESP_LOGE(TAG, "Unsupported key type");
return ESP_ERR_INVALID_ARG;
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.minimal_tee
-3
View File
@@ -16,6 +16,3 @@ CONFIG_SECURE_TEE_ATTESTATION=n
# Disabling flash protection over SPI1
CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1=n
# Disabling support for SECP192R1 signature
CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN=n
components/esp_tee/test_apps/tee_cli_app/sdkconfig.ci.release
-3
View File
@@ -8,9 +8,6 @@ CONFIG_SECURE_TEE_DRAM_SIZE=0x5000
CONFIG_SECURE_TEE_SEC_STG_MODE_RELEASE=y
CONFIG_SECURE_TEE_SEC_STG_EFUSE_HMAC_KEY_ID=5
# Disabling support for SECP192R1 signature
CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN=n
# Disabling flash protection over SPI1
CONFIG_SECURE_TEE_EXT_FLASH_MEMPROT_SPI1=n
components/esp_tee/test_apps/tee_test_fw/conftest.py
-1
View File
@@ -339,7 +339,6 @@ class TEESerial(IdfSerial):
'LS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo='
),
},
{'key': 'p192_key0', 'type': 'ecdsa_p192', 'input': None, 'write_once': False},
{
'key': 'p384_key0',
'type': 'ecdsa_p384',
components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c
+1 -73
View File
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -31,7 +31,6 @@
#define SHA256_DIGEST_SZ (32)
#define ECDSA_SECP384R1_KEY_LEN (48)
#define ECDSA_SECP256R1_KEY_LEN (32)
#define ECDSA_SECP192R1_KEY_LEN (24)
#define ESP_ATT_TK_BUF_SIZE (1792)
#define ESP_ATT_TK_PSA_CERT_REF ("0632793520245-10010")
@@ -42,9 +41,6 @@ static const char *TAG = "test_esp_tee_sec_storage";
int verify_ecdsa_sign(const esp_tee_sec_storage_type_t key_type, const uint8_t *digest, size_t len, const esp_tee_sec_storage_ecdsa_pubkey_t *pubkey, const esp_tee_sec_storage_ecdsa_sign_t *sign)
{
#if !CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
TEST_ASSERT_FALSE(key_type == ESP_SEC_STG_KEY_ECDSA_SECP192R1);
#endif
#if SOC_ECDSA_SUPPORT_CURVE_P384 && !CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
TEST_ASSERT_FALSE(key_type == ESP_SEC_STG_KEY_ECDSA_SECP384R1);
#endif
@@ -69,13 +65,6 @@ int verify_ecdsa_sign(const esp_tee_sec_storage_type_t key_type, const uint8_t *
uint8_t pub_key[2 * ECDSA_SECP384R1_KEY_LEN + 1];
switch (key_type) {
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP192R1:
psa_set_key_bits(&key_attributes, ECDSA_SECP192R1_KEY_LEN * 8);
pub_key_len = ECDSA_SECP192R1_KEY_LEN;
signature_size = ECDSA_SECP192R1_KEY_LEN * 2;
break;
#endif // CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case ESP_SEC_STG_KEY_ECDSA_SECP256R1:
psa_set_key_bits(&key_attributes, ECDSA_SECP256R1_KEY_LEN * 8);
pub_key_len = ECDSA_SECP256R1_KEY_LEN;
@@ -160,49 +149,6 @@ TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp256r1)", "[sec_stora
}
}
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN && !TEMPORARY_DISABLED_FOR_TARGETS(ESP32H2)
TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp192r1)", "[sec_storage]")
{
const size_t buf_sz = 16 * 1024 + 6; // NOTE: Not an exact multiple of SHA block size
unsigned char *message = heap_caps_malloc(buf_sz, MALLOC_CAP_8BIT | MALLOC_CAP_INTERNAL);
TEST_ASSERT_NOT_NULL(message);
esp_fill_random(message, buf_sz);
uint8_t msg_digest[SHA256_DIGEST_SZ];
size_t msg_digest_len = 0;
psa_status_t status = psa_hash_compute(PSA_ALG_SHA_256, message, buf_sz, msg_digest, sizeof(msg_digest), &msg_digest_len);
(void)msg_digest_len;
TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
free(message);
esp_tee_sec_storage_key_cfg_t key_cfg = {
.type = ESP_SEC_STG_KEY_ECDSA_SECP192R1
};
for (unsigned int i = 0; i < MAX_SEC_STG_ITER; i++) {
char key_id[32];
int ret = snprintf(key_id, sizeof(key_id), "ecdsa_key_%u", i);
TEST_ASSERT_TRUE(ret > 0 && ret < sizeof(key_id));
key_cfg.id = key_id;
esp_err_t err = esp_tee_sec_storage_clear_key(key_cfg.id);
TEST_ASSERT_TRUE(err == ESP_OK || err == ESP_ERR_NOT_FOUND);
TEST_ESP_OK(esp_tee_sec_storage_gen_key(&key_cfg));
esp_tee_sec_storage_ecdsa_sign_t sign = {};
TEST_ESP_OK(esp_tee_sec_storage_ecdsa_sign(&key_cfg, msg_digest, sizeof(msg_digest), &sign));
esp_tee_sec_storage_ecdsa_pubkey_t pubkey = {};
TEST_ESP_OK(esp_tee_sec_storage_ecdsa_get_pubkey(&key_cfg, &pubkey));
TEST_ESP_OK(verify_ecdsa_sign(key_cfg.type, msg_digest, sizeof(msg_digest), &pubkey, &sign));
TEST_ESP_OK(esp_tee_sec_storage_clear_key(key_cfg.id));
}
}
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
TEST_CASE("Test TEE Secure Storage - Sign-verify (ecdsa_secp384r1)", "[sec_storage]")
{
@@ -508,15 +454,6 @@ TEST_CASE("Test TEE Secure Storage - Host-generated keys", "[sec_storage_host_ke
do_ecdsa_sign_and_verify(&key_cfg, digest_buf, SHA256_DIGEST_SZ);
TEST_ESP_OK(esp_tee_sec_storage_clear_key(ecdsa_key_id0));
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
const char *ecdsa_key_id1 = "p192_key0";
key_cfg.id = ecdsa_key_id1;
key_cfg.type = ESP_SEC_STG_KEY_ECDSA_SECP192R1;
do_ecdsa_sign_and_verify(&key_cfg, digest_buf, SHA256_DIGEST_SZ);
TEST_ESP_OK(esp_tee_sec_storage_clear_key(ecdsa_key_id1));
#endif /* CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN */
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
const char *ecdsa_key_id2 = "p384_key0";
key_cfg.id = ecdsa_key_id2;
@@ -564,12 +501,6 @@ static void test_ecdsa_sign(mbedtls_ecp_group_id gid)
key_type = ESP_SEC_STG_KEY_ECDSA_SECP256R1;
key_len = ECDSA_SECP256R1_KEY_LEN;
break;
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
case MBEDTLS_ECP_DP_SECP192R1:
key_type = ESP_SEC_STG_KEY_ECDSA_SECP192R1;
key_len = ECDSA_SECP192R1_KEY_LEN;
break;
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
case MBEDTLS_ECP_DP_SECP384R1:
key_type = ESP_SEC_STG_KEY_ECDSA_SECP384R1;
@@ -636,9 +567,6 @@ static void test_ecdsa_sign(mbedtls_ecp_group_id gid)
TEST_CASE("Test TEE Secure Storage - mbedtls ECDSA signing", "[mbedtls]")
{
test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1);
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN && !TEMPORARY_DISABLED_FOR_TARGETS(ESP32H2)
test_ecdsa_sign(MBEDTLS_ECP_DP_SECP192R1);
#endif
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
test_ecdsa_sign(MBEDTLS_ECP_DP_SECP384R1);
#endif
components/esp_tee/test_apps/tee_test_fw/sdkconfig.ci.tee_ota
-1
View File
@@ -8,7 +8,6 @@ CONFIG_PARTITION_TABLE_FILENAME="partitions_tee_ota.csv"
CONFIG_BOOTLOADER_LOG_LEVEL_DEBUG=y
CONFIG_SECURE_TEE_LOG_LEVEL_DEBUG=y
CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN=y
# Takes effect only for supported targets
CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN=y
components/mbedtls/esp_tee/esp_tee_mbedtls_config.h
+6 -5
View File
@@ -48,12 +48,14 @@
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_BIGNUM_C
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP384R1_SIGN
#define PSA_WANT_ECC_SECP_R1_384 1
#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
#else
#undef PSA_WANT_ECC_SECP_R1_384
#undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
#endif
#define PSA_WANT_ECC_SECP_R1_256 1
#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
#if CONFIG_SECURE_TEE_SEC_STG_SUPPORT_SECP192R1_SIGN
#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
#endif
#define MBEDTLS_ECP_C
#define MBEDTLS_ECDSA_C
@@ -82,8 +84,7 @@
#define MBEDTLS_ECP_VERIFY_ALT
#endif
#define PSA_WANT_ECC_SECP_R1_192 1
#define PSA_WANT_ECC_SECP_R1_384 1
#undef PSA_WANT_ECC_SECP_R1_192
#undef PSA_WANT_ECC_SECP_K1_192
#undef PSA_WANT_ECC_SECP_K1_256
#undef PSA_WANT_ECC_SECP_R1_224
components/mbedtls/port/ecdsa/ecdsa_alt.c
+2 -9
View File
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -841,9 +841,6 @@ int esp_ecdsa_tee_load_pubkey(mbedtls_ecp_keypair *keypair, const char *tee_key_
if (keypair->MBEDTLS_PRIVATE(grp).id == MBEDTLS_ECP_DP_SECP256R1) {
len = ECDSA_KEY_LEN_P256;
key_type = ESP_SEC_STG_KEY_ECDSA_SECP256R1;
} else if (keypair->MBEDTLS_PRIVATE(grp).id == MBEDTLS_ECP_DP_SECP192R1) {
len = ECDSA_KEY_LEN_P192;
key_type = ESP_SEC_STG_KEY_ECDSA_SECP192R1;
}
#if SOC_ECDSA_SUPPORT_CURVE_P384
else if (keypair->MBEDTLS_PRIVATE(grp).id == MBEDTLS_ECP_DP_SECP384R1) {
@@ -954,8 +951,7 @@ static int esp_ecdsa_tee_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mp
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}
if ((grp->id == MBEDTLS_ECP_DP_SECP192R1 && msg_len != ECDSA_SHA_LEN) ||
(grp->id == MBEDTLS_ECP_DP_SECP256R1 && msg_len != ECDSA_SHA_LEN)
if ((grp->id == MBEDTLS_ECP_DP_SECP256R1 && msg_len != ECDSA_SHA_LEN)
#if SOC_ECDSA_SUPPORT_CURVE_P384
|| (grp->id == MBEDTLS_ECP_DP_SECP384R1 && msg_len != ECDSA_SHA_LEN_P384)
#endif
@@ -966,9 +962,6 @@ static int esp_ecdsa_tee_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mp
if (grp->id == MBEDTLS_ECP_DP_SECP256R1) {
len = ECDSA_KEY_LEN_P256;
key_type = ESP_SEC_STG_KEY_ECDSA_SECP256R1;
} else if (grp->id == MBEDTLS_ECP_DP_SECP192R1) {
len = ECDSA_KEY_LEN_P192;
key_type = ESP_SEC_STG_KEY_ECDSA_SECP192R1;
}
#if SOC_ECDSA_SUPPORT_CURVE_P384
else if (grp->id == MBEDTLS_ECP_DP_SECP384R1) {
docs/en/security/tee/tee-sec-storage.rst
+1 -3
View File
@@ -25,7 +25,6 @@ Additionally, the secure storage provides interfaces for performing the followin
.. list::
- ``ecdsa_secp256r1``
- ``ecdsa_secp192r1``
:SOC_ECDSA_SUPPORT_CURVE_P384: - ``ecdsa_secp384r1``
@@ -35,7 +34,7 @@ Additionally, the secure storage provides interfaces for performing the followin
.. only:: SOC_HMAC_SUPPORTED
TEE secure storage also supports ECDSA signing with keys derived via PBKDF2 (Password-Based Key Derivation Function 2), using an HMAC key programmed in eFuse along with a user-provided salt. This mechanism enables ECDSA signing on both P-256 and P-192 curves without requiring storage of the actual private keys. The eFuse HMAC key ID for the PBKDF2 operations is specified via the :ref:`CONFIG_SECURE_TEE_PBKDF2_EFUSE_HMAC_KEY_ID` option.
TEE secure storage also supports ECDSA signing with keys derived via PBKDF2 (Password-Based Key Derivation Function 2), using an HMAC key programmed in eFuse along with a user-provided salt. This mechanism enables ECDSA signing on the P-256 curve without requiring storage of the actual private keys. The eFuse HMAC key ID for the PBKDF2 operations is specified via the :ref:`CONFIG_SECURE_TEE_PBKDF2_EFUSE_HMAC_KEY_ID` option.
.. important::
@@ -58,7 +57,6 @@ Currently, TEE secure storage supports storing the following cryptographic keys:
.. list::
- ``ecdsa_secp256r1``
- ``ecdsa_secp192r1``
:SOC_ECDSA_SUPPORT_CURVE_P384: - ``ecdsa_secp384r1``