From e1d429ba30f76c07fd371ef9ec20ffe6a74fef11 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Sun, 15 Mar 2026 08:46:13 +0530 Subject: [PATCH] feat(hal): add ECDSA low-level driver for esp32s31 Co-authored-by: Nilesh Kale --- .../bootloader_support/src/secure_boot.c | 5 +- .../esp32s31/include/hal/ecdsa_ll.h | 471 ++++++++++++++++++ .../test_apps/crypto/README.md | 23 +- .../test_apps/crypto/main/hal_crypto_common.h | 10 +- .../esp32c5/include/soc/Kconfig.soc_caps.in | 4 + components/soc/esp32c5/include/soc/soc_caps.h | 1 + .../esp32h4/include/soc/Kconfig.soc_caps.in | 4 + components/soc/esp32h4/include/soc/soc_caps.h | 1 + .../esp32s31/include/soc/Kconfig.soc_caps.in | 28 +- .../soc/esp32s31/include/soc/soc_caps.h | 25 +- 10 files changed, 540 insertions(+), 32 deletions(-) create mode 100644 components/esp_hal_security/esp32s31/include/hal/ecdsa_ll.h diff --git a/components/bootloader_support/src/secure_boot.c b/components/bootloader_support/src/secure_boot.c index b09c1309be0..70fefc63a7b 100644 --- a/components/bootloader_support/src/secure_boot.c +++ b/components/bootloader_support/src/secure_boot.c @@ -436,8 +436,7 @@ bool esp_secure_boot_cfg_verify_release_mode(void) ESP_LOGW(TAG, "Not enabled Secure Boot using SHA-384 mode (set SECURE_BOOT_SHA384_EN->1)"); } #else - // Note: Efuse bit ESP_EFUSE_WR_DIS_SECURE_BOOT_SHA384_EN is not present for ESP32P4 -#if !CONFIG_IDF_TARGET_ESP32P4 +#if SOC_EFUSE_SECURE_BOOT_P384_WR_DIS /* When using Secure Boot with SHA-384, the efuse bit representing Secure Boot with SHA-384 would already be programmed. * But in the case of the existing Secure Boot V2 schemes using SHA-256, the efuse bit representing * Secure Boot with SHA-384 needs to be write-protected, so that an attacker cannot perform a denial-of-service @@ -448,7 +447,7 @@ bool esp_secure_boot_cfg_verify_release_mode(void) if (!secure) { ESP_LOGW(TAG, "Not write-protected secure boot using SHA-384 mode (set WR_DIS_SECURE_BOOT_SHA384_EN->1)"); } -#endif /* !CONFIG_IDF_TARGET_ESP32P4 */ +#endif #endif #endif diff --git a/components/esp_hal_security/esp32s31/include/hal/ecdsa_ll.h b/components/esp_hal_security/esp32s31/include/hal/ecdsa_ll.h new file mode 100644 index 00000000000..842c66c38f8 --- /dev/null +++ b/components/esp_hal_security/esp32s31/include/hal/ecdsa_ll.h @@ -0,0 +1,471 @@ +/* + * SPDX-FileCopyrightText: 2026 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ +#pragma once + +#include +#include +#include "hal/assert.h" +#include "soc/ecdsa_reg.h" +#include "soc/hp_sys_clkrst_struct.h" +#include "soc/soc_caps.h" +#include "soc/efuse_periph.h" +#include "hal/ecdsa_types.h" +#include "soc/soc.h" +#ifdef __cplusplus +extern "C" { +#endif + +/** + * @brief Memory blocks of ECDSA parameters + */ +typedef enum { + ECDSA_PARAM_R, + ECDSA_PARAM_S, + ECDSA_PARAM_Z, + ECDSA_PARAM_QAX, + ECDSA_PARAM_QAY +} ecdsa_ll_param_t; + +/** + * @brief Interrupt types in ECDSA + */ +typedef enum { + ECDSA_INT_CALC_DONE, + ECDSA_INT_SHA_RELEASE, +} ecdsa_ll_intr_type_t; + +/** + * @brief Stages of ECDSA operation + */ +typedef enum { + ECDSA_STAGE_START_CALC, + ECDSA_STAGE_LOAD_DONE, + ECDSA_STAGE_GET_DONE +} ecdsa_ll_stage_t; + +/** + * @brief States of ECDSA peripheral + */ +typedef enum { + ECDSA_STATE_IDLE, + ECDSA_STATE_LOAD, + ECDSA_STATE_GET, + ECDSA_STATE_BUSY +} ecdsa_ll_state_t; + +/** + * @brief Types of SHA + */ +typedef enum { + ECDSA_SHA_224, + ECDSA_SHA_256 +} ecdsa_ll_sha_type_t; + +/** + * @brief Operation modes of SHA + */ +typedef enum { + ECDSA_MODE_SHA_START, + ECDSA_MODE_SHA_CONTINUE +} ecdsa_ll_sha_mode_t; + +/** + * @brief Get the state of ECDSA peripheral + * + * @return State of ECDSA + */ +static inline uint32_t ecdsa_ll_get_state(void) +{ + return REG_GET_FIELD(ECDSA_STATE_REG, ECDSA_BUSY); +} + +/** + * @brief Enable the bus clock for ECDSA peripheral module + * + * @param true to enable the module, false to disable the module + */ +static inline void ecdsa_ll_enable_bus_clock(bool enable) +{ + HP_SYS_CLKRST.crypto_ctrl0.reg_crypto_ecdsa_clk_en = enable; +} + +/// use a macro to wrap the function, force the caller to use it in a critical section +/// the critical section needs to declare the __DECLARE_RCC_ATOMIC_ENV variable in advance +#define ecdsa_ll_enable_bus_clock(...) do { \ + (void)__DECLARE_RCC_ATOMIC_ENV; \ + ecdsa_ll_enable_bus_clock(__VA_ARGS__); \ + } while(0) + +/** + * @brief Reset the ECDSA peripheral module + */ +static inline void ecdsa_ll_reset_register(void) +{ + HP_SYS_CLKRST.crypto_ctrl0.reg_crypto_ecdsa_rst_en = 1; + HP_SYS_CLKRST.crypto_ctrl0.reg_crypto_ecdsa_rst_en = 0; + + // Clear reset on parent crypto, otherwise ECDSA is held in reset + HP_SYS_CLKRST.crypto_ctrl0.reg_crypto_rst_en = 0; + + while (ecdsa_ll_get_state() != ECDSA_STATE_IDLE) { + ; + } +} + +/** + * @brief Enable interrupt of a given type + * + * @param type Interrupt type + */ +static inline void ecdsa_ll_enable_intr(ecdsa_ll_intr_type_t type) +{ + switch (type) { + case ECDSA_INT_CALC_DONE: + REG_SET_FIELD(ECDSA_INT_ENA_REG, ECDSA_PREP_DONE_INT_ENA, 1); + break; + case ECDSA_INT_SHA_RELEASE: + REG_SET_FIELD(ECDSA_INT_ENA_REG, ECDSA_SHA_RELEASE_INT_ENA, 1); + break; + default: + HAL_ASSERT(false && "Unsupported interrupt type"); + break; + } +} + +/** + * @brief Disable interrupt of a given type + * + * @param type Interrupt type + */ +static inline void ecdsa_ll_disable_intr(ecdsa_ll_intr_type_t type) +{ + switch (type) { + case ECDSA_INT_CALC_DONE: + REG_SET_FIELD(ECDSA_INT_ENA_REG, ECDSA_PREP_DONE_INT_ENA, 0); + break; + case ECDSA_INT_SHA_RELEASE: + REG_SET_FIELD(ECDSA_INT_ENA_REG, ECDSA_SHA_RELEASE_INT_ENA, 0); + break; + default: + HAL_ASSERT(false && "Unsupported interrupt type"); + break; + } +} + +/** + * @brief Clear interrupt of a given type + * + * @param type Interrupt type + */ +static inline void ecdsa_ll_clear_intr(ecdsa_ll_intr_type_t type) +{ + switch (type) { + case ECDSA_INT_CALC_DONE: + REG_SET_FIELD(ECDSA_INT_CLR_REG, ECDSA_PREP_DONE_INT_CLR, 1); + break; + case ECDSA_INT_SHA_RELEASE: + REG_SET_FIELD(ECDSA_INT_CLR_REG, ECDSA_SHA_RELEASE_INT_CLR, 1); + break; + default: + HAL_ASSERT(false && "Unsupported interrupt type"); + break; + } +} + +/** + * @brief Set working mode of ECDSA + * + * @param mode Mode of operation + */ +static inline void ecdsa_ll_set_mode(ecdsa_mode_t mode) +{ + switch (mode) { + case ECDSA_MODE_SIGN_VERIFY: + REG_SET_FIELD(ECDSA_CONF_REG, ECDSA_WORK_MODE, 0); + break; + case ECDSA_MODE_SIGN_GEN: + REG_SET_FIELD(ECDSA_CONF_REG, ECDSA_WORK_MODE, 1); + // TODO: IDF-15656 support software key as key source + REG_SET_BIT(ECDSA_CONF_REG, ECDSA_USE_HARDWARE_KEY); + break; + case ECDSA_MODE_EXPORT_PUBKEY: + REG_SET_FIELD(ECDSA_CONF_REG, ECDSA_WORK_MODE, 2); + // TODO: IDF-15656 support software key as key source + REG_SET_BIT(ECDSA_CONF_REG, ECDSA_USE_HARDWARE_KEY); + break; + default: + HAL_ASSERT(false && "Unsupported mode"); + break; + } +} + +/** + * @brief Set curve for ECDSA operation + * + * @param curve ECDSA curve + */ +static inline void ecdsa_ll_set_curve(ecdsa_curve_t curve) +{ + switch (curve) { + case ECDSA_CURVE_SECP192R1: + case ECDSA_CURVE_SECP256R1: + case ECDSA_CURVE_SECP384R1: + case ECDSA_CURVE_SM2: + REG_SET_FIELD(ECDSA_CONF_REG, ECDSA_ECC_CURVE, curve); + break; + default: + HAL_ASSERT(false && "Unsupported curve"); + return; + } +} + +/** + * @brief Set the source of `Z` (SHA message) + * + * @param mode Mode of SHA generation + */ +static inline void ecdsa_ll_set_z_mode(ecdsa_ll_sha_mode_t mode) +{ + switch (mode) { + case ECDSA_Z_USE_SHA_PERI: + REG_CLR_BIT(ECDSA_CONF_REG, ECDSA_SOFTWARE_SET_Z); + break; + case ECDSA_Z_USER_PROVIDED: + REG_SET_BIT(ECDSA_CONF_REG, ECDSA_SOFTWARE_SET_Z); + break; + default: + HAL_ASSERT(false && "Unsupported curve"); + break; + } +} + +/** + * @brief Set the signature generation type of ECDSA operation + * + * @param type Type of the ECDSA signature + */ +static inline void ecdsa_ll_set_k_type(ecdsa_sign_type_t type) +{ + switch (type) { + case ECDSA_K_TYPE_TRNG: + REG_CLR_BIT(ECDSA_CONF_REG, ECDSA_DETERMINISTIC_K); + break; + case ECDSA_K_TYPE_DETERMINISITIC: + REG_SET_BIT(ECDSA_CONF_REG, ECDSA_DETERMINISTIC_K); + break; + default: + HAL_ASSERT(false && "Unsupported K type"); + break; + } +} + +/** + * @brief Set the stage of ECDSA operation + * + * @param stage Stage of operation + */ +static inline void ecdsa_ll_set_stage(ecdsa_ll_stage_t stage) +{ + switch (stage) { + case ECDSA_STAGE_START_CALC: + REG_SET_BIT(ECDSA_START_REG, ECDSA_START); + break; + case ECDSA_STAGE_LOAD_DONE: + REG_SET_BIT(ECDSA_START_REG, ECDSA_LOAD_DONE); + break; + case ECDSA_STAGE_GET_DONE: + REG_SET_BIT(ECDSA_START_REG, ECDSA_GET_DONE); + break; + default: + HAL_ASSERT(false && "Unsupported state"); + break; + } +} + +/** + * @brief Set the SHA type + * + * @param type Type of SHA + */ +static inline void ecdsa_ll_sha_set_type(ecdsa_ll_sha_type_t type) +{ + switch (type) { + case ECDSA_SHA_224: + REG_SET_FIELD(ECDSA_SHA_MODE_REG, ECDSA_SHA_MODE, 1); + break; + case ECDSA_SHA_256: + REG_SET_FIELD(ECDSA_SHA_MODE_REG, ECDSA_SHA_MODE, 2); + break; + default: + HAL_ASSERT(false && "Unsupported type"); + break; + } +} + +/** + * @brief Set the SHA operation mode + * + * @param mode Mode of SHA operation + */ +static inline void ecdsa_ll_sha_set_mode(ecdsa_ll_sha_mode_t mode) +{ + switch (mode) { + case ECDSA_MODE_SHA_START: + REG_SET_BIT(ECDSA_SHA_START_REG, ECDSA_SHA_START); + break; + case ECDSA_MODE_SHA_CONTINUE: + REG_SET_BIT(ECDSA_SHA_CONTINUE_REG, ECDSA_SHA_CONTINUE); + break; + default: + HAL_ASSERT(false && "Unsupported type"); + break; + } +} + +/** + * @brief Check if SHA is busy + * + * @return - true, if SHA is busy + * - false, if SHA is IDLE + */ +static inline bool ecdsa_ll_sha_is_busy(void) +{ + return REG_GET_BIT(ECDSA_SHA_BUSY_REG, ECDSA_SHA_BUSY); +} + +/** + * @brief Write the ECDSA parameter + * + * @param param Parameter to be written + * @param buf Buffer containing data + * @param len Length of buffer + */ +static inline void ecdsa_ll_write_param(ecdsa_ll_param_t param, const uint8_t *buf, uint16_t len) +{ + uint32_t reg; + uint32_t word; + switch (param) { + case ECDSA_PARAM_R: + reg = ECDSA_R_MEM; + break; + case ECDSA_PARAM_S: + reg = ECDSA_S_MEM; + break; + case ECDSA_PARAM_Z: + reg = ECDSA_Z_MEM; + break; + case ECDSA_PARAM_QAX: + reg = ECDSA_QAX_MEM; + break; + case ECDSA_PARAM_QAY: + reg = ECDSA_QAY_MEM; + break; + default: + HAL_ASSERT(false && "Invalid parameter"); + return; + } + + for (int i = 0; i < len; i += 4) { + memcpy(&word, buf + i, 4); + REG_WRITE(reg + i, word); + } +} + +/** + * @brief Read the ECDSA parameter + * + * @param param Parameter to be read + * @param buf Buffer where the data will be written + * @param len Length of buffer + */ +static inline void ecdsa_ll_read_param(ecdsa_ll_param_t param, uint8_t *buf, uint16_t len) +{ + uint32_t reg; + switch (param) { + case ECDSA_PARAM_R: + reg = ECDSA_R_MEM; + break; + case ECDSA_PARAM_S: + reg = ECDSA_S_MEM; + break; + case ECDSA_PARAM_Z: + reg = ECDSA_Z_MEM; + break; + case ECDSA_PARAM_QAX: + reg = ECDSA_QAX_MEM; + break; + case ECDSA_PARAM_QAY: + reg = ECDSA_QAY_MEM; + break; + default: + HAL_ASSERT(false && "Invalid parameter"); + return; + } + + memcpy(buf, (void *)reg, len); +} + +/** + * @brief Check if the ECDSA operation is successful + * + * @return - 1, if ECDSA operation succeeds + * - 0, otherwise + */ +static inline int ecdsa_ll_get_operation_result(void) +{ + return REG_GET_BIT(ECDSA_RESULT_REG, ECDSA_OPERATION_RESULT); +} + +/** + * @brief Check if the ECDSA deterministic mode is supported + */ +static inline bool ecdsa_ll_is_deterministic_mode_supported(void) +{ + return true; +} + +/** + * @brief Set the ECDSA key block in eFuse + * + * @param curve ECDSA curve type + * @param efuse_blk eFuse block number + */ +__attribute__((always_inline)) static inline void ecdsa_ll_set_ecdsa_key_blk(ecdsa_curve_t curve, int efuse_blk) +{ + uint8_t efuse_blk_low = 0; + uint8_t efuse_blk_high = 0; + switch (curve) { + case ECDSA_CURVE_SECP192R1: + EFUSE.ecdsa.cfg_ecdsa_p192_blk = efuse_blk; + break; + case ECDSA_CURVE_SECP256R1: + EFUSE.ecdsa.cfg_ecdsa_p256_blk = efuse_blk; + break; + case ECDSA_CURVE_SECP384R1: + // ECDSA-p384 uses two efuse blocks to store the key. These two blocks are stored in a single integer + // where the least significant 4 bits store the low key block number and the next 4 more significant bits store the high key block number. + HAL_ECDSA_EXTRACT_KEY_BLOCKS(efuse_blk, efuse_blk_high, efuse_blk_low); + EFUSE.ecdsa.cfg_ecdsa_p384_h_blk = efuse_blk_high; + EFUSE.ecdsa.cfg_ecdsa_p384_l_blk = efuse_blk_low; + break; + default: + HAL_ASSERT(false && "Unsupported curve"); + break; + } +} + +/** + * @brief Check if the ECDSA peripheral is supported on this chip revision + * ESP32-S31 always supports ECDSA (no chip revision restriction) + */ +static inline bool ecdsa_ll_is_supported(void) +{ + return true; +} + +#ifdef __cplusplus +} +#endif diff --git a/components/esp_hal_security/test_apps/crypto/README.md b/components/esp_hal_security/test_apps/crypto/README.md index e2315a365d2..9a4f86ffaca 100644 --- a/components/esp_hal_security/test_apps/crypto/README.md +++ b/components/esp_hal_security/test_apps/crypto/README.md @@ -77,9 +77,9 @@ This contains tests for the following features of the crypto peripherals: The HMAC tests need an HMAC key to be burned in the `BLOCK_KEY4` and `BLOCK_KEY5` of the efuses. As this verification application is independent of the efuse component, the user needs to manually burn the keys and their key purposes using `espefuse`. ```bash -espefuse -p $ESPPORT burn-key BLOCK_KEY4 main/hmac/hmac_key.bin HMAC_DOWN_JTAG +espefuse -p $ESPPORT burn-key BLOCK_KEY3 main/hmac/hmac_key.bin HMAC_DOWN_JTAG -espefuse -p $ESPPORT burn-key BLOCK_KEY5 main/hmac/hmac_key.bin HMAC_UP +espefuse -p $ESPPORT burn-key BLOCK_KEY4 main/hmac/hmac_key.bin HMAC_UP ``` # Burning the HMAC keys for Digital Signature tests @@ -108,12 +108,25 @@ espefuse -p $ESPPORT burn-key BLOCK_KEY2 main/ds/keys/4096/ds_key3.bin HMAC_DOWN By default, ECDSA tests are disabled. You can enable it after disabling HMAC & DS tests using `idf.py menuconfig -> Test App Configuration -> Enable ECDSA Peripheral test cases` -The ECDSA tests need some ECDSA keys to be burned in the `BLOCK_KEY3` and `BLOCK_KEY4` of the efuses. As this verification application is independent of the efuse component, the user needs to manually burn the keys and their key purposes using `espefuse`. +The ECDSA tests need ECDSA private keys burned in efuse key blocks. This application does not use the efuse component, so you must burn the keys and their key purposes manually with `espefuse`. + +**When curve-specific key purposes are supported** (e.g. chips with `SOC_ECDSA_SUPPORT_CURVE_SPECIFIC_KEY_PURPOSES`): ```bash -espefuse -p $ESPPORT burn-key BLOCK_KEY3 main/ecdsa/ecdsa192_priv_key.pem ECDSA_KEY +espefuse -p $ESPPORT burn-key BLOCK_KEY0 main/ecdsa/ecdsa192_priv_key.pem ECDSA_KEY_P192 -espefuse -p $ESPPORT burn-key BLOCK_KEY4 main/ecdsa/ecdsa256_priv_key.pem ECDSA_KEY +espefuse -p $ESPPORT burn-key BLOCK_KEY1 main/ecdsa/ecdsa256_priv_key.pem ECDSA_KEY_P256 + +espefuse -p $ESPPORT burn-key BLOCK_KEY2 main/ecdsa/ecdsa384_priv_key.pem ECDSA_KEY_P384 +``` +The ECDSA-P384 key will be burned in two parts, with the lower portion programmed into BLOCK_KEY2 using the key purpose ECDSA_KEY_P384_L and the upper portion programmed into the next available eFuse block using the key purpose ECDSA_KEY_P384_H. + +**When curve-specific key purposes are not supported** + +```bash +espefuse -p $ESPPORT burn-key BLOCK_KEY0 main/ecdsa/ecdsa192_priv_key.pem ECDSA_KEY + +espefuse -p $ESPPORT burn-key BLOCK_KEY1 main/ecdsa/ecdsa256_priv_key.pem ECDSA_KEY ``` # Burning the XTS-AES key diff --git a/components/esp_hal_security/test_apps/crypto/main/hal_crypto_common.h b/components/esp_hal_security/test_apps/crypto/main/hal_crypto_common.h index e7fd80f1c51..925e540c218 100644 --- a/components/esp_hal_security/test_apps/crypto/main/hal_crypto_common.h +++ b/components/esp_hal_security/test_apps/crypto/main/hal_crypto_common.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ @@ -11,12 +11,8 @@ #define DS_KEY_BLOCK_3 2 // efuse key blocks for HMAC -#define HMAC_KEY_BLOCK_1 4 -#if CONFIG_IDF_TARGET_ESP32S31 -#define HMAC_KEY_BLOCK_2 3 // S31 has only KEY0-KEY4, KEY3 is free -#else -#define HMAC_KEY_BLOCK_2 5 -#endif +#define HMAC_KEY_BLOCK_1 3 +#define HMAC_KEY_BLOCK_2 4 /* * ECDSA and other peripheral testcases cannot run together as block used for burning keys are overlapped diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in index b079f1bf76e..88abeed5316 100644 --- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in @@ -1163,6 +1163,10 @@ config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS int default 3 +config SOC_EFUSE_SECURE_BOOT_P384_WR_DIS + bool + default y + config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS bool default y diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h index b645470bdbc..43814f52316 100644 --- a/components/soc/esp32c5/include/soc/soc_caps.h +++ b/components/soc/esp32c5/include/soc/soc_caps.h @@ -476,6 +476,7 @@ #define SOC_SECURE_BOOT_V2_RSA 1 #define SOC_SECURE_BOOT_V2_ECC 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 +#define SOC_EFUSE_SECURE_BOOT_P384_WR_DIS 1 #define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 #define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index 4ce6694398b..ac37c080d70 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -991,6 +991,10 @@ config SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS int default 3 +config SOC_EFUSE_SECURE_BOOT_P384_WR_DIS + bool + default y + config SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index 4fd46b63e48..fb566eecfbb 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -430,6 +430,7 @@ #define SOC_SECURE_BOOT_V2_RSA 0 #define SOC_SECURE_BOOT_V2_ECC 1 #define SOC_EFUSE_SECURE_BOOT_KEY_DIGESTS 3 +#define SOC_EFUSE_SECURE_BOOT_P384_WR_DIS 1 #define SOC_EFUSE_REVOKE_BOOT_KEY_DIGESTS 1 #define SOC_SUPPORT_SECURE_BOOT_REVOKE_KEY 1 diff --git a/components/soc/esp32s31/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s31/include/soc/Kconfig.soc_caps.in index ab739a4ed14..06ced3a32dd 100644 --- a/components/soc/esp32s31/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s31/include/soc/Kconfig.soc_caps.in @@ -195,6 +195,10 @@ config SOC_ECC_EXTENDED_MODES_SUPPORTED bool default y +config SOC_ECDSA_SUPPORTED + bool + default y + config SOC_BOD_SUPPORTED bool default y @@ -1011,6 +1015,26 @@ config SOC_ECC_SUPPORT_CURVE_P384 bool default y +config SOC_ECDSA_SUPPORT_EXPORT_PUBKEY + bool + default y + +config SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE + bool + default y + +config SOC_ECDSA_SUPPORT_HW_DETERMINISTIC_LOOP + bool + default y + +config SOC_ECDSA_SUPPORT_CURVE_P384 + bool + default y + +config SOC_ECDSA_SUPPORT_CURVE_SPECIFIC_KEY_PURPOSES + bool + default y + config SOC_DS_SIGNATURE_MAX_BIT_LEN int default 4096 @@ -1055,10 +1079,6 @@ config SOC_EFUSE_ECDSA_KEY_P384 bool default y -config SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY - bool - default y - config SOC_LCDCAM_CAM_SUPPORT_RGB_YUV_CONV bool default y diff --git a/components/soc/esp32s31/include/soc/soc_caps.h b/components/soc/esp32s31/include/soc/soc_caps.h index 58980daea91..42c15112158 100644 --- a/components/soc/esp32s31/include/soc/soc_caps.h +++ b/components/soc/esp32s31/include/soc/soc_caps.h @@ -74,6 +74,7 @@ #define SOC_DIG_SIGN_SUPPORTED 1 #define SOC_ECC_SUPPORTED 1 #define SOC_ECC_EXTENDED_MODES_SUPPORTED 1 +#define SOC_ECDSA_SUPPORTED 1 // #define SOC_FLASH_ENC_SUPPORTED 1 // TODO: [ESP32S31] IDF-14628 // #define SOC_SECURE_BOOT_SUPPORTED 1 // TODO: [ESP32S31] IDF-14629 #define SOC_BOD_SUPPORTED 1 @@ -376,26 +377,24 @@ #define SOC_SHA_SUPPORT_SHA512_256 (1) #define SOC_SHA_SUPPORT_SHA512_T (1) -/*-------------------------- MPI/RSA CAPS ----------------------------------------*/ -#define SOC_MPI_MEM_BLOCKS_NUM (4) -#define SOC_MPI_OPERATIONS_NUM (3) -#define SOC_RSA_MAX_BIT_LEN (4096) - -/*-------------------------- ECC CAPS ----------------------------------------*/ -#define SOC_ECC_CONSTANT_TIME_POINT_MUL 1 -#define SOC_ECC_SUPPORT_CURVE_P384 (1) - -/*-------------------------- MPI CAPS ------------------------------------------*/ +/*--------------------------- MPI CAPS ---------------------------------------*/ #define SOC_MPI_MEM_BLOCKS_NUM (4) #define SOC_MPI_OPERATIONS_NUM (3) -/*-------------------------- RSA CAPS ------------------------------------------*/ +/*--------------------------- RSA CAPS ---------------------------------------*/ #define SOC_RSA_MAX_BIT_LEN (4096) -/*-------------------------- ECC CAPS ------------------------------------------*/ +/*--------------------------- ECC CAPS ---------------------------------------*/ #define SOC_ECC_CONSTANT_TIME_POINT_MUL 1 #define SOC_ECC_SUPPORT_CURVE_P384 (1) +/*--------------------------- ECDSA CAPS ---------------------------------------*/ +#define SOC_ECDSA_SUPPORT_EXPORT_PUBKEY (1) +#define SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE (1) +#define SOC_ECDSA_SUPPORT_HW_DETERMINISTIC_LOOP (1) +#define SOC_ECDSA_SUPPORT_CURVE_P384 (1) +#define SOC_ECDSA_SUPPORT_CURVE_SPECIFIC_KEY_PURPOSES (1) /*!< Support individual key purposes for different ECDSA curves (P192, P256, P384) */ + /*-------------------------- Digital Signature CAPS ----------------------------------------*/ #define SOC_DS_SIGNATURE_MAX_BIT_LEN (4096) #define SOC_DS_KEY_PARAM_MD_IV_LENGTH (16) @@ -415,7 +414,7 @@ /*-------------------------- Key Manager CAPS----------------------------*/ // TODO: [ESP32S31] IDF-14626 -#define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY 1 /*!< Key manager responsible to deploy ECDSA key */ +// #define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY 1 /*!< Key manager responsible to deploy ECDSA key */ // #define SOC_KEY_MANAGER_FE_KEY_DEPLOY 1 /*!< Key manager responsible to deploy Flash Encryption key */ /*--------------------------- CAM ---------------------------------*/