diff --git a/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake b/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake index dec42ef523..9bf64d29ad 100644 --- a/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake +++ b/components/mbedtls/esp_tee/esp_tee_mbedtls.cmake @@ -63,6 +63,7 @@ endforeach() target_link_libraries(${COMPONENT_LIB} INTERFACE ${mbedtls_targets}) +target_link_libraries(tfpsacrypto PUBLIC idf::esp_hal_security) target_link_libraries(tfpsacrypto PRIVATE idf::esp_security) target_include_directories(tfpsacrypto PRIVATE ${crypto_port_inc_dirs}) diff --git a/components/mbedtls/port/aes/esp_aes_xts.c b/components/mbedtls/port/aes/esp_aes_xts.c index 29fd00f283..b46b431797 100644 --- a/components/mbedtls/port/aes/esp_aes_xts.c +++ b/components/mbedtls/port/aes/esp_aes_xts.c @@ -35,10 +35,8 @@ #include #include -#include -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS #include "aes/esp_aes.h" -#include "psa/crypto.h" +#include "psa/crypto_values.h" void esp_aes_xts_init( esp_aes_xts_context *ctx ) { diff --git a/components/nvs_flash/private_include/nvs_xts_aes.h b/components/nvs_flash/private_include/nvs_xts_aes.h new file mode 100644 index 0000000000..fbdb057127 --- /dev/null +++ b/components/nvs_flash/private_include/nvs_xts_aes.h 
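Review bot: `target_link_libraries(tfpsacrypto PUBLIC idf::esp_hal_security)` is added with PUBLIC visibility while the `idf::esp_security` link on the very next line stays PRIVATE, and nothing in the hunk says why the two differ. If the reason is that `aes/esp_aes.h` (now reached from nvs_flash through `nvs_xts_aes.h`) needs esp_hal_security headers in tfpsacrypto's consumers, a one-line comment above it would keep the next person from "fixing" it to PRIVATE, e.g. `# PUBLIC: consumers of tfpsacrypto include aes/esp_aes.h, which needs esp_hal_security headers`. PUBLIC also makes every downstream target transitively link esp_hal_security, so it is worth confirming that is intended rather than only an include-directory requirement.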
@@ -0,0 +1,26 @@ +/* + * SPDX-FileCopyrightText: 2026 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ +#pragma once + +#include "sdkconfig.h" + +/* NOTE: Using legacy mbedtls XTS API until PSA Crypto adds XTS support +* With TF-PSA-Crypto 1.0, AES headers moved to mbedtls/private/. +* Need MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS to access XTS functions. +*/ + +#if CONFIG_MBEDTLS_HARDWARE_AES +#include "aes/esp_aes.h" +#define XTS_FUNC(func) esp_aes_##func +#define XTS_MODE(mode) ESP_AES_##mode +#define XTS_CONTEXT esp_aes_xts_context +#else +#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS +#include "mbedtls/private/aes.h" +#define XTS_FUNC(func) mbedtls_aes_##func +#define XTS_MODE(mode) MBEDTLS_AES_##mode +#define XTS_CONTEXT mbedtls_aes_xts_context +#endif // CONFIG_MBEDTLS_HARDWARE_AES diff --git a/components/nvs_flash/src/nvs_bootloader_xts_aes.c b/components/nvs_flash/src/nvs_bootloader_xts_aes.c index 331483e6e1..181ee2e0cd 100644 --- a/components/nvs_flash/src/nvs_bootloader_xts_aes.c +++ b/components/nvs_flash/src/nvs_bootloader_xts_aes.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
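Review bot: The NOTE block at the top of the new header describes only the `#else` branch — `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` and `mbedtls/private/aes.h` — yet it sits above the `#if CONFIG_MBEDTLS_HARDWARE_AES` branch, which routes to the esp_aes driver and carries no explanation at all. Move the note into the `#else` branch and give the hardware branch its own line, e.g. `/* Hardware-backed XTS-AES via the esp_aes driver; callers rely on the same 0-on-success return convention as the mbedtls API */` — the `!= 0` checks in nvs_encrypted_partition.cpp depend on that convention, so confirm it holds for the `esp_aes_xts_*` functions before stating it. The `#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` is unguarded in a header that several TUs now include; wrapping it in `#ifndef MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` avoids a redefinition warning if a TU or build flag already defines it with a value. The continuation lines of the NOTE also lack the leading space before `*`, so they do not line up with the opening `/*`.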
@@ -257,21 +257,20 @@ int nvs_bootloader_aes_crypt_xts(nvs_bootloader_xts_aes_context *ctx, #endif /* CONFIG_ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB */ #else /* BOOTLOADER_BUILD && !CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER */ -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS -#include "mbedtls/private/aes.h" +#include "nvs_xts_aes.h" -static mbedtls_aes_xts_context ctx_xts; +static XTS_CONTEXT ctx_xts; void nvs_bootloader_xts_aes_init(nvs_bootloader_xts_aes_context *ctx) { (void) ctx; - mbedtls_aes_xts_init(&ctx_xts); + XTS_FUNC(xts_init)(&ctx_xts); } void nvs_bootloader_xts_aes_free(nvs_bootloader_xts_aes_context *ctx) { (void) ctx; - mbedtls_aes_xts_free(&ctx_xts); + XTS_FUNC(xts_free)(&ctx_xts); } int nvs_bootloader_xts_aes_setkey(nvs_bootloader_xts_aes_context *ctx, @@ -279,7 +278,7 @@ int nvs_bootloader_xts_aes_setkey(nvs_bootloader_xts_aes_context *ctx, unsigned int key_bytes) { (void) ctx; - return mbedtls_aes_xts_setkey_dec(&ctx_xts, key, key_bytes * 8); + return XTS_FUNC(xts_setkey_dec)(&ctx_xts, key, key_bytes * 8); } /* * XTS-AES buffer encryption/decryption @@ -292,8 +291,8 @@ int nvs_bootloader_aes_crypt_xts(nvs_bootloader_xts_aes_context *ctx, unsigned char *output) { (void) ctx; - int mbedtls_aes_mode = mode == AES_ENC ? MBEDTLS_AES_ENCRYPT : MBEDTLS_AES_DECRYPT; - return mbedtls_aes_crypt_xts(&ctx_xts, mbedtls_aes_mode, length, data_unit, input, output); + int xts_mode = mode == AES_ENC ? XTS_MODE(ENCRYPT) : XTS_MODE(DECRYPT); + return XTS_FUNC(crypt_xts)(&ctx_xts, xts_mode, length, data_unit, input, output); } #endif /* !(BOOTLOADER_BUILD && !CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER) */ #endif /* !SOC_AES_SUPPORTED */ diff --git a/components/nvs_flash/src/nvs_encrypted_partition.cpp b/components/nvs_flash/src/nvs_encrypted_partition.cpp index a3b0eb572a..c108fe30ad 100644 --- a/components/nvs_flash/src/nvs_encrypted_partition.cpp +++ b/components/nvs_flash/src/nvs_encrypted_partition.cpp 
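Review bot: The `#include "nvs_xts_aes.h"` replaces the direct mbedtls include inside a block that the closing `#endif /* !SOC_AES_SUPPORTED */` in the third hunk shows is compiled only when the SoC has no AES hardware, so the header's `CONFIG_MBEDTLS_HARDWARE_AES` branch presumably can never be taken here and `XTS_CONTEXT`/`XTS_FUNC` always resolve to the mbedtls software backend. That is fine, but a reader of this file cannot tell, so a one-line comment next to the include would help: `/* On !SOC_AES_SUPPORTED targets nvs_xts_aes.h always selects the mbedtls software XTS backend */`. The macro indirection in the setkey and crypt hunks also keeps the existing pattern of ignoring the `ctx` argument in favour of the file-scope `static XTS_CONTEXT ctx_xts`, so a key set by one caller is silently shared by all; if that is intentional for a single-user bootloader-style path, a comment on the static saying so is worth adding.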
@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -7,6 +7,7 @@ #include "nvs_encrypted_partition.hpp" #include "nvs_types.hpp" #include "nvs_constants.h" +#include "nvs_xts_aes.h" namespace nvs { @@ -22,14 +23,14 @@ esp_err_t NVSEncryptedPartition::init(nvs_sec_cfg_t* cfg) { uint8_t* eky = reinterpret_cast(cfg); - mbedtls_aes_xts_init(&mEctxt); - mbedtls_aes_xts_init(&mDctxt); + XTS_FUNC(xts_init)(&mEctxt); + XTS_FUNC(xts_init)(&mDctxt); - if (mbedtls_aes_xts_setkey_enc(&mEctxt, eky, 2 * NVS_KEY_SIZE * 8) != 0) { + if (XTS_FUNC(xts_setkey_enc)(&mEctxt, eky, 2 * NVS_KEY_SIZE * 8) != 0) { return ESP_ERR_NVS_XTS_CFG_FAILED; } - if (mbedtls_aes_xts_setkey_dec(&mDctxt, eky, 2 * NVS_KEY_SIZE * 8) != 0) { + if (XTS_FUNC(xts_setkey_dec)(&mDctxt, eky, 2 * NVS_KEY_SIZE * 8) != 0) { return ESP_ERR_NVS_XTS_CFG_FAILED; } @@ -61,7 +62,7 @@ esp_err_t NVSEncryptedPartition::read(size_t src_offset, void* dst, size_t size) uint8_t *destination = reinterpret_cast(dst); - if (mbedtls_aes_crypt_xts(&mDctxt, MBEDTLS_AES_DECRYPT, size, data_unit, destination, destination) != 0) { + if (XTS_FUNC(crypt_xts)(&mDctxt, XTS_MODE(DECRYPT), size, data_unit, destination, destination) != 0) { return ESP_ERR_NVS_XTS_DECR_FAILED; } @@ -97,8 +98,8 @@ esp_err_t NVSEncryptedPartition::write(size_t addr, const void* src, size_t size uint32_t *addr_loc = (uint32_t*) &data_unit[0]; *addr_loc = relAddr + offset; - if (mbedtls_aes_crypt_xts(&mEctxt, - MBEDTLS_AES_ENCRYPT, + if (XTS_FUNC(crypt_xts)(&mEctxt, + XTS_MODE(ENCRYPT), entrySize, data_unit, buf + offset, diff --git a/components/nvs_flash/src/nvs_encrypted_partition.hpp b/components/nvs_flash/src/nvs_encrypted_partition.hpp index d1060999ef..ffdea250ae 100644 --- a/components/nvs_flash/src/nvs_encrypted_partition.hpp +++ b/components/nvs_flash/src/nvs_encrypted_partition.hpp 
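Review bot: In `NVSEncryptedPartition::init`, when `XTS_FUNC(xts_setkey_enc)` on `mEctxt` succeeds but `XTS_FUNC(xts_setkey_dec)` on `mDctxt` fails, the function returns `ESP_ERR_NVS_XTS_CFG_FAILED` with the encryption context still holding the expanded key, and the first failure branch likewise leaves both contexts initialised. Unless the class destructor (not in this hunk) frees them, both error paths should call `XTS_FUNC(xts_free)(&mEctxt); XTS_FUNC(xts_free)(&mDctxt);` before returning, so the key schedule does not linger in an object that failed to configure. With the hardware backend selected, the free call may also release driver-side state, which would make the cleanup more than cosmetic — worth confirming against `esp_aes_xts_free`.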
@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -7,15 +7,9 @@ #include "sdkconfig.h" // For CONFIG_NVS_BDL_STACK -/* NOTE: Using legacy mbedtls XTS API until PSA Crypto adds XTS support -* With TF-PSA-Crypto 1.0, AES headers moved to mbedtls/private/. -* Need MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS to access XTS functions. -*/ -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS -#include "mbedtls/private/aes.h" #include "nvs_flash.h" #include "nvs_partition.hpp" - +#include "nvs_xts_aes.h" namespace nvs { /** @@ -73,8 +67,8 @@ public: esp_err_t write(size_t dst_offset, const void* src, size_t size) override; protected: - mbedtls_aes_xts_context mEctxt; // AES context for encryption - mbedtls_aes_xts_context mDctxt; // AES context for decryption + XTS_CONTEXT mEctxt; // AES context for encryption + XTS_CONTEXT mDctxt; // AES context for decryption }; } // nvs diff --git a/components/nvs_flash/test_apps/main/CMakeLists.txt b/components/nvs_flash/test_apps/main/CMakeLists.txt index 59b17ad7f1..0400316c32 100644 --- a/components/nvs_flash/test_apps/main/CMakeLists.txt +++ b/components/nvs_flash/test_apps/main/CMakeLists.txt @@ -7,4 +7,6 @@ idf_component_register(SRC_DIRS "." if(CONFIG_NVS_ENCRYPTION OR CONFIG_SOC_HMAC_SUPPORTED) target_link_libraries(${COMPONENT_LIB} PUBLIC idf::mbedtls) + # Add private_include directory from nvs_flash for accessing internal headers like nvs_xts_aes.h in the test app + target_include_directories(${COMPONENT_LIB} PRIVATE "${CMAKE_CURRENT_LIST_DIR}/../../private_include") endif() diff --git a/components/nvs_flash/test_apps/main/test_nvs.c b/components/nvs_flash/test_apps/main/test_nvs.c index e4d1dfc5ca..460c2a2112 100644 --- a/components/nvs_flash/test_apps/main/test_nvs.c +++ b/components/nvs_flash/test_apps/main/test_nvs.c 
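Review bot: In the `@@ -73,8 +67,8 @@` hunk the members become `XTS_CONTEXT mEctxt; // AES context for encryption` and `XTS_CONTEXT mDctxt; // AES context for decryption`, but the comments no longer say what the concrete type is, and it now depends on a Kconfig option resolved in another header. Extend the comments so the dependency is visible at the declaration, e.g. `// esp_aes_xts_context or mbedtls_aes_xts_context, selected in nvs_xts_aes.h by CONFIG_MBEDTLS_HARDWARE_AES`. Including `nvs_xts_aes.h` from this header also means every TU that includes `nvs_encrypted_partition.hpp` gets `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` defined when the software backend is selected — the same effect the removed in-header define had, so not a regression, but the header-level include is where that fact is now decided.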
@@ -456,6 +456,7 @@ TEST_CASE("check for memory leaks in nvs_set_blob", "[nvs]") } #ifdef CONFIG_NVS_ENCRYPTION +#include "nvs_xts_aes.h" TEST_CASE("check underlying xts code for 32-byte size sector encryption", "[nvs]") { uint8_t eky_hex[2 * NVS_KEY_SIZE] = { /* Encryption key below*/ @@ -484,16 +485,16 @@ TEST_CASE("check underlying xts code for 32-byte size sector encryption", "[nvs] 0xab,0xf9,0x8e,0x22,0xdf,0x5b,0xdd,0x15, 0xaf,0x47,0x1f,0x3d,0xb8,0x94,0x6a,0x85 }; - mbedtls_aes_xts_context ectx[1]; - mbedtls_aes_xts_context dctx[1]; + XTS_CONTEXT ectx[1]; + XTS_CONTEXT dctx[1]; - mbedtls_aes_xts_init(ectx); - mbedtls_aes_xts_init(dctx); + XTS_FUNC(xts_init)(ectx); + XTS_FUNC(xts_init)(dctx); - TEST_ASSERT_TRUE(!mbedtls_aes_xts_setkey_enc(ectx, eky_hex, 2 * NVS_KEY_SIZE * 8)); - TEST_ASSERT_TRUE(!mbedtls_aes_xts_setkey_enc(dctx, eky_hex, 2 * NVS_KEY_SIZE * 8)); + TEST_ASSERT_TRUE(!XTS_FUNC(xts_setkey_enc)(ectx, eky_hex, 2 * NVS_KEY_SIZE * 8)); + TEST_ASSERT_TRUE(!XTS_FUNC(xts_setkey_enc)(dctx, eky_hex, 2 * NVS_KEY_SIZE * 8)); - TEST_ASSERT_TRUE(!mbedtls_aes_crypt_xts(ectx, MBEDTLS_AES_ENCRYPT, 32, ba_hex, ptxt_hex, ptxt_hex)); + TEST_ASSERT_TRUE(!XTS_FUNC(crypt_xts)(ectx, XTS_MODE(ENCRYPT), 32, ba_hex, ptxt_hex, ptxt_hex)); TEST_ASSERT_TRUE(!memcmp(ptxt_hex, ctxt_hex, 32)); }
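Review bot: `#include "nvs_xts_aes.h"` is inserted mid-file, directly under `#ifdef CONFIG_NVS_ENCRYPTION` and after several TEST_CASE definitions, rather than in the file's include block. Because the header's software branch defines `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` and only then includes `mbedtls/private/aes.h`, the define takes effect only if aes.h has not already been pulled in by an earlier include in this file; moving the include up to the include block (still under `#ifdef CONFIG_NVS_ENCRYPTION`) removes that ordering dependency. The file's include block is outside the hunk, so I cannot see which mbedtls headers precede this point.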
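Review bot: The rewritten test keys `dctx` with `XTS_FUNC(xts_setkey_enc)` and then never uses it, so only the encrypt direction of the backend is exercised before the `memcmp` against `ctxt_hex`. Since this commit routes the test to `esp_aes_xts_*` whenever `CONFIG_MBEDTLS_HARDWARE_AES` is set, the decrypt path used by `NVSEncryptedPartition::read` goes unverified here; keying `dctx` with `XTS_FUNC(xts_setkey_dec)` and decrypting the ciphertext back to the original plaintext would cover both directions with the same vector. The plaintext is encrypted in place, so a copy has to be taken before the encrypt call, and freeing both contexts at the end keeps the key schedule from staying on the stack.
```c
    uint8_t ptxt_orig[32];
    memcpy(ptxt_orig, ptxt_hex, 32);

    TEST_ASSERT_TRUE(!XTS_FUNC(xts_setkey_enc)(ectx, eky_hex, 2 * NVS_KEY_SIZE * 8));
    TEST_ASSERT_TRUE(!XTS_FUNC(xts_setkey_dec)(dctx, eky_hex, 2 * NVS_KEY_SIZE * 8));

    /* … unchanged: encrypt in place and memcmp against ctxt_hex … */

    TEST_ASSERT_TRUE(!XTS_FUNC(crypt_xts)(dctx, XTS_MODE(DECRYPT), 32, ba_hex, ptxt_hex, ptxt_hex));
    TEST_ASSERT_TRUE(!memcmp(ptxt_hex, ptxt_orig, 32));

    XTS_FUNC(xts_free)(ectx);
    XTS_FUNC(xts_free)(dctx);
```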