From 9d104402a9de47b0b8c7ba8dabc05c23054afc87 Mon Sep 17 00:00:00 2001
From: "nilesh.kale"
Date: Mon, 13 Oct 2025 16:52:17 +0530
Subject: [PATCH] feat: added support for pseudo round xts aes in esp32p4 eco5
---
 .../bootloader_support/src/flash_encrypt.c | 8 ++--
 components/efuse/esp32p4/esp_efuse_table.c | 15 ++++++-
 .../efuse/esp32p4/include/esp_efuse_table.h | 1 +
 .../include/hal/spi_flash_encrypted_ll.h | 40 ++++++++++++++++++-
 .../esp32p4/include/soc/Kconfig.soc_caps.in | 4 ++
 components/soc/esp32p4/include/soc/soc_caps.h | 5 ++-
 6 files changed, 64 insertions(+), 9 deletions(-)
diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c
index 362eea9a3c..8598e2897a 100644
--- a/components/bootloader_support/src/flash_encrypt.c
+++ b/components/bootloader_support/src/flash_encrypt.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2015-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -210,7 +210,7 @@ void esp_flash_encryption_set_release_mode(void)
 #endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
 #endif // !CONFIG_IDF_TARGET_ESP32
-#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND && !CONFIG_ESP32P4_SELECTS_REV_LESS_V3
 if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
 uint8_t xts_pseudo_level = 0;
 esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
@@ -221,7 +221,6 @@ void esp_flash_encryption_set_release_mode(void)
 }
 }
 #endif
-
 #ifdef CONFIG_IDF_TARGET_ESP32
 esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
 #else
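Review bot: The new `&& !CONFIG_ESP32P4_SELECTS_REV_LESS_V3` guard in the `@@ -210,7 +210,7 @@` hunk of flash_encrypt.c (and again at `@@ -483,7 +482,7 @@`) compiles the XTS_DPA_PSEUDO_LEVEL handling out without leaving any trace, so in a build that selects a revision below v3 `esp_flash_encryption_cfg_verify_release_mode()` returns its verdict without ever looking at the anti-DPA eFuse. The same block is gated a second time by the call to `spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()`, which this patch derives from a different symbol, `HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300`; the two conditions are presumably kept in step by Kconfig, but nothing visible here says so. I would add a comment above each `#if`, e.g. `/* ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL is only defined for ESP32-P4 rev >= 3.0; older-revision builds skip the pseudo-round check */`. Both functions start and end outside their hunks.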
@@ -483,7 +482,7 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
 }
 result &= secure;
-#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND && !CONFIG_ESP32P4_SELECTS_REV_LESS_V3
 if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
 uint8_t xts_pseudo_level = 0;
 esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
@@ -493,7 +492,6 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
 }
 }
 #endif
-
 return result;
 }
 #endif // not CONFIG_IDF_TARGET_ESP32
diff --git a/components/efuse/esp32p4/esp_efuse_table.c b/components/efuse/esp32p4/esp_efuse_table.c
index 847170c2ec..3fba6b9d94 100644
--- a/components/efuse/esp32p4/esp_efuse_table.c
+++ b/components/efuse/esp32p4/esp_efuse_table.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -867,6 +867,12 @@ static const esp_efuse_desc_t KM_DISABLE_DEPLOY_MODE[] = {
 {EFUSE_BLK0, 168, 4}, // [] TBD,
 };
+#ifndef CONFIG_ESP32P4_SELECTS_REV_LESS_V3
+static const esp_efuse_desc_t XTS_DPA_PSEUDO_LEVEL[] = {
+ {EFUSE_BLK0, 176, 2}, // [] Sets this bit to control the xts pseudo-round anti-dpa attack function. 0: controlled by register. 1-3: the higher the value is; the more pseudo-rounds are inserted to the xts-aes calculation,
+};
+#endif
+
 static const esp_efuse_desc_t HP_PWR_SRC_SEL[] = {
 {EFUSE_BLK0, 178, 1}, // [] HP system power source select. 0:LDO. 1: DCDC,
 };
@@ -2229,6 +2235,13 @@ const esp_efuse_desc_t* ESP_EFUSE_KM_DISABLE_DEPLOY_MODE[] = {
 NULL
 };
+#ifndef CONFIG_ESP32P4_SELECTS_REV_LESS_V3
+const esp_efuse_desc_t* ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[] = {
+ &XTS_DPA_PSEUDO_LEVEL[0], // [] Sets this bit to control the xts pseudo-round anti-dpa attack function. 0: controlled by register. 1-3: the higher the value is; the more pseudo-rounds are inserted to the xts-aes calculation
+ NULL
+};
+#endif
+
 const esp_efuse_desc_t* ESP_EFUSE_HP_PWR_SRC_SEL[] = {
 &HP_PWR_SRC_SEL[0], // [] HP system power source select. 0:LDO. 1: DCDC
 NULL
 };
diff --git a/components/efuse/esp32p4/include/esp_efuse_table.h b/components/efuse/esp32p4/include/esp_efuse_table.h
index 4366f8541d..fe413205b5 100644
--- a/components/efuse/esp32p4/include/esp_efuse_table.h
+++ b/components/efuse/esp32p4/include/esp_efuse_table.h
@@ -260,6 +260,7 @@ extern const esp_efuse_desc_t* ESP_EFUSE_PXA0_TIEH_SEL_1[];
 extern const esp_efuse_desc_t* ESP_EFUSE_PXA0_TIEH_SEL_2[];
 extern const esp_efuse_desc_t* ESP_EFUSE_PXA0_TIEH_SEL_3[];
 extern const esp_efuse_desc_t* ESP_EFUSE_KM_DISABLE_DEPLOY_MODE[];
+extern const esp_efuse_desc_t* ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[];
 extern const esp_efuse_desc_t* ESP_EFUSE_HP_PWR_SRC_SEL[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DCDC_VSET_EN[];
 extern const esp_efuse_desc_t* ESP_EFUSE_DIS_WDT[];
diff --git a/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h b/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h
index 948e964db3..c4f4137281 100644
--- a/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h
+++ b/components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
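Review bot: The `extern const esp_efuse_desc_t* ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[];` declaration added to esp_efuse_table.h is unconditional, while both definitions in esp_efuse_table.c (the `@@ -867,6 +867,12 @@` and `@@ -2229,6 +2235,13 @@` hunks) sit under `#ifndef CONFIG_ESP32P4_SELECTS_REV_LESS_V3`. A caller that forgets the revision guard therefore compiles cleanly in a below-v3 build and only fails at link time with an undefined symbol. Wrapping the declaration in the same `#ifndef CONFIG_ESP32P4_SELECTS_REV_LESS_V3` / `#endif` pair would move that failure to the use site at compile time; if these tables are generated, the guard belongs in the generator input rather than in the header itself.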
@@ -20,6 +20,7 @@
 #include "soc/soc.h"
 #include "soc/soc_caps.h"
 #include "hal/assert.h"
+#include "hal/config.h"
 #ifdef __cplusplus
 extern "C" {
@@ -147,6 +148,43 @@ static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length)
 return ((address % length) == 0) ? true : false;
 }
+/**
+ * @brief Enable the pseudo-round function during XTS-AES operations
+ *
+ * @param mode set the mode for pseudo rounds, zero to disable, with increasing security upto three.
+ * @param base basic number of pseudo rounds, zero if disable
+ * @param increment increment number of pseudo rounds, zero if disable
+ * @param key_rng_cnt update frequency of the pseudo-key, zero if disable
+ */
+static inline void spi_flash_encrypt_ll_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
+{
+#if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_MODE_PSEUDO, mode);
+
+ if (mode) {
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_PSEUDO_BASE, base);
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_PSEUDO_INC, increment);
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_PSEUDO_RNG_CNT, key_rng_cnt);
+ } else {
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_PSEUDO_BASE, 0);
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_PSEUDO_INC, 0);
+ REG_SET_FIELD(SPI_MEM_C_XTS_PSEUDO_ROUND_CONF_REG, SPI_MEM_C_PSEUDO_RNG_CNT, 0);
+ }
+#endif
+}
+
+/**
+ * @brief Check if the pseudo round function is supported
+ */
+static inline bool spi_flash_encrypt_ll_is_pseudo_rounds_function_supported(void)
+{
+#if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300
+ return true;
+#else
+ return false;
+#endif
+}
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
index e1cb2274ef..17dcc88e18 100644
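Review bot: `spi_flash_encrypt_ll_enable_pseudo_rounds()` in the `@@ -147,6 +148,43 @@` hunk silently does nothing when `HAL_CONFIG(CHIP_SUPPORT_MIN_REV)` is below 300, and it returns `void`, so a caller that skips `spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()` will believe the anti-DPA pseudo rounds are on when they are not. The doc comment should say so, e.g. `@note No-op unless HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300; check spi_flash_encrypt_ll_is_pseudo_rounds_function_supported() first`. `mode` is documented as zero to three but is not checked; if `REG_SET_FIELD` masks the value to the field width, as I would expect, an out-of-range mode is truncated and can end up written as 0, which is the disabled setting. `hal/assert.h` is already included in this header, so `HAL_ASSERT(mode <= 3);` as the first statement inside the `#if` would catch that.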
--- a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
+++ b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in
@@ -1879,6 +1879,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_256
 bool
 default y
+config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
+ bool
+ default y
+
 config SOC_UART_NUM
 int
 default 6
diff --git a/components/soc/esp32p4/include/soc/soc_caps.h b/components/soc/esp32p4/include/soc/soc_caps.h
index e0e86c9d13..fb38a348b6 100644
--- a/components/soc/esp32p4/include/soc/soc_caps.h
+++ b/components/soc/esp32p4/include/soc/soc_caps.h
@@ -686,8 +686,9 @@
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
 #define SOC_FLASH_ENCRYPTION_XTS_AES 1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1
-#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
-#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1
+#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */
+#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */
+#define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1 /*!< Only available in chip version above 3.0 */
 /*-------------------------- MEMPROT CAPS ------------------------------------*/
 /*-------------------------- UART CAPS ---------------------------------------*/
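Review bot: `SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND` in soc_caps.h is defined as 1 for every ESP32-P4 build although its own comment restricts the feature to newer silicon, so any code that tests only this capability will treat pseudo rounds as available in a below-v3 build; flash_encrypt.c had to add `!CONFIG_ESP32P4_SELECTS_REV_LESS_V3` in this same patch for that reason. The comment also says "above 3.0", while the HAL check added in spi_flash_encrypted_ll.h is `HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300`, which reads as including 3.0. I would reword the comment to `/*!< Only available on chip revision v3.0 and later; also gate uses on !CONFIG_ESP32P4_SELECTS_REV_LESS_V3 */` so the next consumer of the capability knows the second condition is required.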