From dac0bbfcc2d575eac3579b14ca56e4d5e10f4589 Mon Sep 17 00:00:00 2001
From: "harshal.patil"
Date: Mon, 10 Nov 2025 10:37:00 +0530
Subject: [PATCH] change(mbedtls): Generalize key source union for the hardware ECDSA context
---
 .../tee_test_fw/main/test_esp_tee_sec_stg.c | 1 -
 components/mbedtls/port/ecdsa/ecdsa_alt.c | 2 +-
 components/mbedtls/port/include/ecdsa/ecdsa_alt.h | 14 +++++---------
 3 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c
index 2f979eb137..b1dbef45fe 100644
--- a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c
+++ b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c
@@ -480,7 +480,6 @@ static void test_ecdsa_sign(mbedtls_ecp_group_id gid)
 .grp_id = gid,
 .tee_key_id = key_id,
 .load_pubkey = true,
- .use_tee_sec_stg_key = true,
 };
 TEST_ASSERT_EQUAL(0, esp_ecdsa_tee_set_pk_context(&key_ctx, &conf));
diff --git a/components/mbedtls/port/ecdsa/ecdsa_alt.c b/components/mbedtls/port/ecdsa/ecdsa_alt.c
index 01d6d9be44..1385a7d8c1 100644
--- a/components/mbedtls/port/ecdsa/ecdsa_alt.c
+++ b/components/mbedtls/port/ecdsa/ecdsa_alt.c
@@ -595,7 +595,7 @@ int esp_ecdsa_tee_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_
 return ret;
 }
- if (!conf->use_tee_sec_stg_key) {
+ if (!conf->tee_key_id) {
 ESP_LOGE(TAG, "Invalid esp_ecdsa_pk_conf_t configuration");
 return ret;
 }
diff --git a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
index b2b8f3a65a..3fe1145b2d 100644
--- a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
+++ b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
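Review bot: The new guard `if (!conf->tee_key_id)` in esp_ecdsa_tee_set_pk_context cannot tell a TEE key id apart from the other members it now shares storage with (`efuse_block` and, per the ecdsa_alt.h hunk, `use_km_key`), so a caller that set `.use_km_key = true` or a non-zero `.efuse_block` passes the check and the function goes on to treat that byte pattern as a `const char *`. The removed `use_tee_sec_stg_key` flag lived outside the union and was the only explicit discriminator of the key source; the commit drops it without adding a replacement tag, and since `efuse_block` is a `uint8_t` and `use_km_key` a `bool`, both at union offset 0, `.efuse_block = 1` and `.use_km_key = true` are very likely indistinguishable in memory as well. If the anonymous union is kept, the header should state the contract the code now relies on, e.g. `/*!< Exactly one member is valid; the port infers the active one from which API the context is passed to */`, and this function should be reachable only from a path that guarantees `tee_key_id` is the active member. A pointer-non-NULL test is a weaker precondition than the flag it replaces, so a short comment on the new line saying that a NULL id is the only invalid configuration detectable here would help the next reader. The body of esp_ecdsa_tee_set_pk_context starts and ends outside the hunk.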
@@ -30,19 +30,15 @@ typedef struct {
 mbedtls_ecp_group_id grp_id; /*!< MbedTLS ECP group identifier */
 union {
 uint8_t efuse_block; /*!< EFuse block id for ECDSA private key */
+#if CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN
 const char *tee_key_id; /*!< TEE secure storage key id for ECDSA private key */
- }; /*!< Union to hold either EFuse block id or TEE secure storage key id for ECDSA private key */
+#endif
+ bool use_km_key; /*!< Use key deployed in the key manager for ECDSA operation. Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */
+ }; /*!< Union to hold either EFuse block id or TEE secure storage key id or use key deployed in the key manager for ECDSA operation for ECDSA private key */
 #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN
 bool load_pubkey; /*!< Export ECDSA public key from the hardware */
- #endif
- bool use_km_key; /*!< Use key deployed in the key manager for ECDSA operation.
- Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */
-#if CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN
- bool use_tee_sec_stg_key; /*!< Use key deployed in the TEE secure storage for ECDSA operation.
- Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */
-#endif
-} esp_ecdsa_pk_conf_t; //TODO: IDF-9008 (Add a config to select the ecdsa key from the key manager peripheral)
+} esp_ecdsa_pk_conf_t;
 #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__