From 46e2cd21d49d293316d93786e0d0bc19dca3afb9 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Mon, 15 Sep 2025 06:42:55 +0530 Subject: [PATCH 01/10] fix(esp_security/esp_key_mgr): Fix missed error codes and some cleanup --- components/esp_security/src/esp_key_mgr.c | 338 +++++++++------------ components/hal/include/hal/key_mgr_types.h | 1 + 2 files changed, 140 insertions(+), 199 deletions(-) diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index 43e5720d09c..6c59f78dd30 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -107,30 +107,46 @@ static void esp_key_mgr_acquire_hardware(bool deployment_mode) static void esp_key_mgr_release_hardware(bool deployment_mode) { if (deployment_mode) { - esp_crypto_ecc_lock_release(); - esp_crypto_sha_aes_lock_release(); esp_crypto_key_manager_lock_release(); + esp_crypto_sha_aes_lock_release(); + esp_crypto_ecc_lock_release(); } // Reset the Key Manager Clock esp_crypto_key_mgr_enable_periph_clk(false); } -static void key_mgr_wait_for_state(esp_key_mgr_state_t state) +static esp_key_mgr_key_purpose_t get_key_purpose(esp_key_mgr_key_type_t key_type) +{ + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + case ESP_KEY_MGR_ECDSA_256_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; + case ESP_KEY_MGR_XTS_AES_128_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; + case ESP_KEY_MGR_XTS_AES_256_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; + case ESP_KEY_MGR_HMAC_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_HMAC; + case ESP_KEY_MGR_DS_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_DS; + case ESP_KEY_MGR_PSRAM_128_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; + case ESP_KEY_MGR_PSRAM_256_KEY: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; + default: + return ESP_KEY_MGR_KEY_PURPOSE_INVALID; + } +} + +void key_mgr_wait_for_state(esp_key_mgr_state_t state) { while (key_mgr_hal_get_state() != state) { ; } } -typedef struct aes_deploy { - esp_key_mgr_key_purpose_t key_purpose; - const uint8_t *k1_encrypted; - const esp_key_mgr_aes_key_config_t *key_config; - esp_key_mgr_key_recovery_info_t *key_info; - bool huk_deployed; -} aes_deploy_config_t; - static void check_huk_risk_level(void) { uint8_t huk_risk_level = huk_hal_get_risk_level(); @@ -202,6 +218,8 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) return ESP_ERR_NO_MEM; } if (config->use_pre_generated_huk_info) { + ESP_LOGD(TAG, "Using pre-generated HUK info"); + // If HUK info is provided then recover the HUK from given info check_huk_risk_level(); @@ -245,6 +263,14 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) return ESP_OK; } +typedef struct aes_deploy { + esp_key_mgr_key_purpose_t key_purpose; + const uint8_t *k1_encrypted; + const esp_key_mgr_aes_key_config_t *key_config; + esp_key_mgr_key_recovery_info_t *key_info; + bool huk_deployed; +} aes_deploy_config_t; + static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; @@ -252,28 +278,33 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed - huk_deploy_config_t huk_deploy_config = {}; - huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info; - huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info; - huk_deploy_config.huk_recovery_info = &config->key_info->huk_info; + huk_deploy_config_t huk_deploy_config = { + .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, + .pre_generated_huk_info = &config->key_config->huk_info, + .huk_recovery_info = &config->key_info->huk_info, + }; + esp_ret = deploy_huk(&huk_deploy_config); if (esp_ret != ESP_OK) { return esp_ret; } + ESP_LOGD(TAG, "HUK deployed successfully"); } + // TODO: Could we use config->key_info->info directly instead of allocating a copy of it? + // Advantage: BOOTLOADER_BUILD would be able to use this function. + // Note: We can memset it to zeros in case of an error. + uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); + if (!key_recovery_info) { + return ESP_ERR_NO_MEM; + } + // STEP 1: Init Step // Set mode key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_AES); - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; - } - // Set key purpose - ESP_LOGD(TAG, "Key purpose = %d", config->key_purpose); key_mgr_hal_set_key_purpose(config->key_purpose); // Set key length for XTS-AES key @@ -304,7 +335,6 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) } ESP_LOGD(TAG, "Writing Information into Key Manager Registers"); - key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE); ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG); @@ -320,13 +350,13 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGD(TAG, "Key deployment valid"); } + ESP_LOGD(TAG, "Key deployment valid"); // Wait till Key Manager deployment is complete key_mgr_hal_continue(); @@ -342,7 +372,8 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) } heap_caps_free(key_recovery_info); - config->key_info->key_type = config->key_config->key_type; + + config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; return ESP_OK; @@ -356,38 +387,16 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t ESP_LOGD(TAG, "Key deployment in AES mode"); - aes_deploy_config_t aes_deploy_config = {}; - aes_deploy_config.key_config = key_config; - aes_deploy_config.key_info = key_recovery_info; - aes_deploy_config.k1_encrypted = key_config->k1_encrypted[0]; + // TODO: Would making this static help in saving static memory? + // if so, memset the structure to 0 before using it + aes_deploy_config_t aes_deploy_config = { + .key_config = key_config, + .key_info = key_recovery_info, + .k1_encrypted = key_config->k1_encrypted[0], + }; - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - break; - case ESP_KEY_MGR_HMAC_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - break; - case ESP_KEY_MGR_DS_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - aes_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - break; - default: + aes_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + if (aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -402,8 +411,8 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t aes_deploy_config.huk_deployed = true; - if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - aes_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_config->key_type == ESP_KEY_MGR_PSRAM_256_KEY) { + aes_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; aes_deploy_config.k1_encrypted = key_config->k1_encrypted[1]; esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config); if (esp_ret != ESP_OK) { @@ -413,7 +422,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY); cleanup: esp_key_mgr_release_hardware(true); @@ -429,6 +438,7 @@ typedef struct key_recovery_config { static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) { key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); + if (!check_huk_info_validity(&config->key_recovery_info->huk_info)) { ESP_LOGE(TAG, "HUK info is not valid"); return ESP_ERR_INVALID_ARG; @@ -450,7 +460,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RECOVER); - // Set AES-XTS key len + // Set XTS-AES key length esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_recovery_info->key_type; if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); @@ -483,13 +493,14 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_recovery_info->key_type)) { + // TODO: Maybe need to extend this to ECDSA_384_L and ECDSA_384_H (IDF-14120) + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGD(TAG, "Key deployment is not valid"); return ESP_FAIL; } - ESP_LOGD(TAG, "Key Recovery valid"); } + ESP_LOGD(TAG, "Key Recovery valid"); key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); @@ -502,51 +513,27 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery return ESP_ERR_INVALID_ARG; } - ESP_LOGD(TAG, "Activating key of type %d", key_recovery_info->key_type); + esp_key_mgr_key_type_t key_type = key_recovery_info->key_type; - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_recovery_info->key_type; - esp_key_mgr_key_purpose_t key_purpose; + ESP_LOGD(TAG, "Activating key of type %d", key_type); - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - break; - case ESP_KEY_MGR_HMAC_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - break; - case ESP_KEY_MGR_DS_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - break; - default: + // TODO: Would making this static help in saving static memory? + // if so, memset the structure to 0 before using it + key_recovery_config_t key_recovery_config = { + .key_recovery_info = key_recovery_info, + }; + + key_recovery_config.key_purpose = get_key_purpose(key_type); + if (key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } - esp_err_t esp_ret = ESP_FAIL; esp_key_mgr_acquire_key_lock(key_type); - key_recovery_config_t key_recovery_config = { - .key_recovery_info = key_recovery_info, - .key_purpose = key_purpose, - }; esp_key_mgr_acquire_hardware(false); - esp_ret = key_mgr_recover_key(&key_recovery_config); + esp_err_t esp_ret = key_mgr_recover_key(&key_recovery_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover key"); esp_key_mgr_release_key_lock(key_type); @@ -565,7 +552,6 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery // Set the Key Manager Static Register to use own key for the respective key type key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); - esp_key_mgr_release_key_lock(key_type); ESP_LOGD(TAG, "Key activation for type %d successful", key_type); return ESP_OK; @@ -600,14 +586,17 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed - huk_deploy_config_t huk_deploy_config; - huk_deploy_config.use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info; - huk_deploy_config.pre_generated_huk_info = &config->key_config->huk_info; - huk_deploy_config.huk_recovery_info = &config->key_info->huk_info; + huk_deploy_config_t huk_deploy_config = { + .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, + .pre_generated_huk_info = &config->key_config->huk_info, + .huk_recovery_info = &config->key_info->huk_info, + }; + esp_ret = deploy_huk(&huk_deploy_config); if (esp_ret != ESP_OK) { return esp_ret; } + ESP_LOGD(TAG, "HUK deployed successfully"); } @@ -620,17 +609,18 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) // Configure deployment mode to ECDH0 key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_ECDH0); - // Set AES-XTS key len + // Set key purpose + key_mgr_hal_set_key_purpose(config->key_purpose); + + // Set XTS-AES key length esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; + if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); } - // Set key purpose - key_mgr_hal_set_key_purpose(config->key_purpose); - key_mgr_hal_start(); // Step 2: Load phase @@ -646,18 +636,16 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_read_assist_info(config->ecdh0_key_info); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); - - ESP_LOGD(TAG, "HUK deployed is valid"); + ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGD(TAG, "Key deployment valid"); } + ESP_LOGD(TAG, "Key deployment valid"); // Wait till Key Manager deployment is complete key_mgr_hal_continue(); @@ -671,10 +659,11 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); } - config->key_info->key_type = config->key_config->key_type; + heap_caps_free(key_recovery_info); + + config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; - heap_caps_free(key_recovery_info); return ESP_OK; } @@ -687,48 +676,19 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ESP_LOGD(TAG, "Key Deployment in ECDH0 mode"); - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; + esp_key_mgr_key_type_t key_type = key_config->key_type; + // TODO: Would making this static help in saving static memory? + // if so, memset the structure to 0 before using it ecdh0_deploy_config_t ecdh0_deploy_config = { .key_config = key_config, .key_info = key_info, .k1_G = key_config->k1_G[0], + .ecdh0_key_info = ecdh0_key_info->k2_G[0], }; - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_HMAC_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_DS_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - ecdh0_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[0]; - break; - default: + ecdh0_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + if (ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -737,7 +697,8 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi esp_err_t esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); if (esp_ret != ESP_OK) { - ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode"); + ESP_LOGE(TAG, "Key deployment in ECDH0 mode failed"); + goto cleanup; } ecdh0_deploy_config.huk_deployed = true; @@ -748,15 +709,17 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1]; esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); if (esp_ret != ESP_OK) { - ESP_LOGE(TAG, "Failed to deploy key in ECDH0 mode"); + ESP_LOGE(TAG, "Key deployment in ECDH0 mode failed"); + goto cleanup; } } // Set the Key Manager Static Register to use own key for the respective key type key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); +cleanup: esp_key_mgr_release_hardware(true); - return ESP_OK; + return esp_ret; } typedef struct random_deploy { @@ -786,10 +749,18 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } + uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); + if (!key_recovery_info) { + return ESP_ERR_NO_MEM; + } + // Configure deployment mode to RANDOM key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RANDOM); - // Set AES-XTS key len + // Set key purpose + key_mgr_hal_set_key_purpose(config->key_purpose); + + // Set XTS-AES key length esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); @@ -797,14 +768,6 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); } - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; - } - - // Set key purpose (XTS/ECDSA) - key_mgr_hal_set_key_purpose(config->key_purpose); - key_mgr_hal_start(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); @@ -814,16 +777,16 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) // No configuration for Random deploy mode key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_MGR KEY INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); + ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(config->key_config->key_type)) { + if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); heap_caps_free(key_recovery_info); return ESP_FAIL; } - ESP_LOGD(TAG, "Key deployment valid"); } + ESP_LOGD(TAG, "Key deployment valid"); // Wait till Key Manager deployment is complete key_mgr_hal_continue(); @@ -839,8 +802,9 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) heap_caps_free(key_recovery_info); - config->key_info->key_type = config->key_config->key_type; + config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; + return ESP_OK; } @@ -852,39 +816,15 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con ESP_LOGD(TAG, "Key deployment in Random mode"); + // TODO: Would making this static help in saving static memory? + // if so, memset the structure to 0 before using it random_deploy_config_t random_deploy_config = { .key_config = key_config, .key_info = key_recovery_info, }; - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) key_config->key_type; - - switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - break; - case ESP_KEY_MGR_ECDSA_256_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - break; - case ESP_KEY_MGR_XTS_AES_256_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; - break; - case ESP_KEY_MGR_HMAC_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_HMAC; - break; - case ESP_KEY_MGR_DS_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_DS; - break; - case ESP_KEY_MGR_PSRAM_128_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - break; - case ESP_KEY_MGR_PSRAM_256_KEY: - random_deploy_config.key_purpose = ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; - break; - default: + random_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + if (random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; } @@ -894,25 +834,25 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con esp_err_t esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in Random mode failed"); - return ESP_FAIL; + goto cleanup; } random_deploy_config.huk_deployed = true; - if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - random_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_config->key_type == ESP_KEY_MGR_PSRAM_256_KEY) { + random_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in Random mode failed"); - return ESP_FAIL; + goto cleanup; } } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY); +cleanup: esp_key_mgr_release_hardware(true); - return esp_ret; } #endif diff --git a/components/hal/include/hal/key_mgr_types.h b/components/hal/include/hal/key_mgr_types.h index 550b3336219..6397424c5cb 100644 --- a/components/hal/include/hal/key_mgr_types.h +++ b/components/hal/include/hal/key_mgr_types.h @@ -70,6 +70,7 @@ typedef enum { * @brief Key Purpose to be set for a particular key in the Key Manager */ typedef enum { + ESP_KEY_MGR_KEY_PURPOSE_INVALID = 0, ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192 = 1, /* ECDSA 192-bit key */ ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256 = 2, /* ECDSA 256-bit key */ ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 = 3, /* First half of flash 256-bit key */ From c1503cd847fc9a9bfcae79da044077df00b097c5 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Mon, 15 Sep 2025 05:49:17 +0530 Subject: [PATCH 02/10] feat(bootloader_support): Support Flash Encryption using Key Manager --- components/bootloader/Kconfig.projbuild | 20 ++ components/bootloader_support/CMakeLists.txt | 2 + .../include/esp_flash_encrypt.h | 7 +- .../flash_encryption_secure_features.c | 21 +- .../bootloader_support/src/flash_encrypt.c | 22 ++ .../src/flash_encryption/flash_encrypt.c | 202 +++++++++++++++++- .../esp_private/esp_crypto_lock_internal.h | 2 +- components/esp_security/CMakeLists.txt | 8 +- components/esp_security/include/esp_key_mgr.h | 11 +- .../esp_security/src/esp_crypto_periph_clk.c | 1 + components/esp_security/src/esp_key_mgr.c | 62 +++++- .../hal/esp32c5/include/hal/key_mgr_ll.h | 9 + .../hal/esp32p4/include/hal/key_mgr_ll.h | 8 + components/hal/include/hal/key_mgr_types.h | 11 + .../esp32c5/include/soc/Kconfig.soc_caps.in | 4 + components/soc/esp32c5/include/soc/soc_caps.h | 5 +- tools/test_apps/system/.build-test-rules.yml | 2 + .../sdkconfig.ci.flash_encryption_key_mgr | 4 + ...config.ci.flash_encryption_key_mgr_esp32p4 | 6 + 19 files changed, 378 insertions(+), 29 deletions(-) create mode 100644 tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr create mode 100644 tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 4878a4d8b22..19a6507d033 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -839,6 +839,26 @@ menu "Security features" Read https://docs.espressif.com/projects/esp-idf/en/latest/security/flash-encryption.html before enabling. + choice SECURE_FLASH_ENCRYPTION_KEY_SOURCE + bool "Flash Encryption Key Source" + depends on SECURE_FLASH_ENC_ENABLED + default SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES + help + Specify the key source for the Flash Encryption Key + + config SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES + bool "eFuse Key Block" + help + Use a key that is stored in the eFuses key blocks. + + config SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + bool "Key Manager" + depends on SOC_KEY_MANAGER_SUPPORTED && SOC_KEY_MANAGER_FE_KEY_DEPLOY && \ + !(IDF_TARGET_ESP32P4 && ESP32P4_SELECTS_REV_LESS_V3) + help + Use a key that is deployed using the Key Manager + endchoice + choice SECURE_FLASH_ENCRYPTION_KEYSIZE bool "Size of generated XTS-AES key" default SECURE_FLASH_ENCRYPTION_AES128 diff --git a/components/bootloader_support/CMakeLists.txt b/components/bootloader_support/CMakeLists.txt index 4128553d369..cbfffd533c6 100644 --- a/components/bootloader_support/CMakeLists.txt +++ b/components/bootloader_support/CMakeLists.txt @@ -93,6 +93,8 @@ endif() if(BOOTLOADER_BUILD) list(APPEND srcs "src/bootloader_panic.c") + list(APPEND priv_requires esp_security) + if(CONFIG_SECURE_FLASH_ENC_ENABLED) list(APPEND srcs "src/flash_encryption/flash_encrypt.c" "src/${IDF_TARGET}/flash_encryption_secure_features.c") diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index e81457450f6..fc00cbf36bf 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -9,7 +9,6 @@ #include "esp_attr.h" #include "esp_err.h" #include "soc/soc_caps.h" -#include "hal/efuse_ll.h" #include "sdkconfig.h" #ifdef __cplusplus @@ -184,14 +183,14 @@ void esp_flash_encryption_init_checks(void); */ esp_err_t esp_flash_encryption_enable_secure_features(void); -#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY /** @brief Enable the key manager for flash encryption * * @return * - ESP_OK - On success */ esp_err_t esp_flash_encryption_enable_key_mgr(void); -#endif // CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY +#endif // SOC_KEY_MANAGER_FE_KEY_DEPLOY #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */ diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index 4e4d6fc2272..80b2407ff85 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -11,10 +11,12 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_log.h" -#include "hal/key_mgr_ll.h" +#include "esp_key_mgr.h" +#include "hal/key_mgr_hal.h" #include "hal/mspi_ll.h" #include "soc/soc_caps.h" #include "sdkconfig.h" +#include "esp_crypto_periph_clk.h" ESP_LOG_ATTR_TAG(TAG, "flash_encrypt"); @@ -71,15 +73,18 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_err_t esp_flash_encryption_enable_key_mgr(void) { - _key_mgr_ll_enable_bus_clock(true); - _key_mgr_ll_enable_peripheral_clock(true); - _key_mgr_ll_reset_register(); - - while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { - }; +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES + esp_crypto_key_mgr_enable_periph_clk(true); + key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); +#endif + + // In case Flash Encryption is enabled by a key deployed using the Key Manager, + // we just need to reset the SPI flash to ensure the key is used. + // Enabling Key Manager and forcing it to use its OWN key is handled in the + // Key Manager's key deployment API itself. _mspi_timing_ll_reset_mspi(); return ESP_OK; diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index d350fa361d4..08a380acef1 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -16,6 +16,10 @@ #include "hal/spi_flash_encrypt_hal.h" #include "soc/soc_caps.h" +#if SOC_KEY_MANAGER_SUPPORTED +#include "esp_key_mgr.h" +#endif /* SOC_KEY_MANAGER_SUPPORTED */ + #if CONFIG_IDF_TARGET_ESP32 #define CRYPT_CNT ESP_EFUSE_FLASH_CRYPT_CNT #define WR_DIS_CRYPT_CNT ESP_EFUSE_WR_DIS_FLASH_CRYPT_CNT @@ -444,6 +448,7 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } #endif +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES esp_efuse_purpose_t purposes[] = { #if SOC_FLASH_ENCRYPTION_XTS_AES_256 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, @@ -482,6 +487,23 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) } } result &= secure; +#elif CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES128 + secure = esp_efuse_read_field_bit(ESP_EFUSE_KM_XTS_KEY_LENGTH_256); + result &= secure; + if (!secure) { + ESP_LOGW(TAG, "Not enabled Key Manager XTS-AES-128 key (set KM_XTS_KEY_LENGTH_256->1)"); + } +#endif + + const uint32_t force_key_mgr_key = esp_efuse_read_field_bit(ESP_EFUSE_FORCE_USE_KEY_MANAGER_KEY); + secure = (force_key_mgr_key & (1 << ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY)); + result &= secure; + + if (!secure) { + ESP_LOGW(TAG, "Not forcing Key Manager to use XTS-AES key (set FORCE_USE_KEY_MANAGER_KEY->1)"); + } +#endif #if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) { diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 24168e7cc74..64c5afff42a 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -16,6 +16,14 @@ #include "esp_log.h" #include "hal/wdt_hal.h" #include "sdkconfig.h" +#include "soc/soc_caps.h" + +#if SOC_KEY_MANAGER_SUPPORTED +#include "esp_key_mgr.h" +#include "hal/key_mgr_ll.h" +#include "rom/key_mgr.h" +#include "esp_rom_crc.h" +#endif #ifdef CONFIG_SOC_EFUSE_CONSISTS_OF_ONE_KEY_BLOCK #include "soc/sensitive_reg.h" @@ -124,8 +132,151 @@ esp_err_t esp_flash_encrypt_check_and_update(void) return ESP_OK; } +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR +static esp_err_t key_manager_read_key_recovery_info(esp_key_mgr_key_recovery_info_t *key_recovery_info) +{ + esp_err_t err = ESP_FAIL; + uint32_t crc = 0; + + for (int i = 0; i < 2; i++) { + err = bootloader_flash_read(KEY_HUK_SECTOR_OFFSET(i), (uint32_t *)key_recovery_info, sizeof(esp_key_mgr_key_recovery_info_t), false); + if (err != ESP_OK) { + ESP_LOGD(TAG, "Failed to read key recovery info from Key Manager sector %d: %x", i, err); + continue; + } + + // check Key Recovery Info magic + if (key_recovery_info->magic != KEY_HUK_SECTOR_MAGIC) { + ESP_LOGD(TAG, "Key Manager sector %d Magic %08x failed", i, key_recovery_info->magic); + continue; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 + if (key_recovery_info->key_type != ESP_KEY_MGR_XTS_AES_256_KEY) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type", i); + continue; + } +#else + if (key_recovery_info->key_type != ESP_KEY_MGR_XTS_AES_128_KEY) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type", i); + continue; + } +#endif + + // check HUK Info CRC + crc = esp_rom_crc32_le(0, key_recovery_info->huk_info.info, HUK_INFO_LEN); + if (crc != key_recovery_info->huk_info.crc) { + ESP_LOGD(TAG, "Key Manager sector %d HUK Info CRC error", i); + continue; + } + + // check Key Info 0 CRC + crc = esp_rom_crc32_le(0, key_recovery_info->key_info[0].info, KEY_INFO_LEN); + if (crc != key_recovery_info->key_info[0].crc) { + ESP_LOGD(TAG, "Key Manager sector %d Key Info 0 CRC error", i); + continue; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 + // check Key Info 1 CRC + crc = esp_rom_crc32_le(0, key_recovery_info->key_info[1].info, KEY_INFO_LEN); + if (crc != key_recovery_info->key_info[1].crc) { + ESP_LOGD(TAG, "Key Manager sector %d Key Info 1 CRC error", i); + continue; + } +#endif + + ESP_LOGI(TAG, "Valid Key Manager key recovery info found in sector %d", i); + return ESP_OK; + } + + ESP_LOGD(TAG, "No valid key recovery info found"); + return ESP_ERR_NOT_FOUND; +} + +static esp_err_t key_manager_generate_key(esp_key_mgr_key_recovery_info_t *key_recovery_info) +{ + ESP_LOGI(TAG, "Deploying new flash encryption key using Key Manager"); + + esp_key_mgr_random_key_config_t key_config; + memset(&key_config, 0, sizeof(esp_key_mgr_random_key_config_t)); + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 + key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY; +#else + key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY; +#endif + + // Generate a new key and load it into Key Manager + esp_err_t err = esp_key_mgr_deploy_key_in_random_mode(&key_config, key_recovery_info); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to generate key for Key Manager: %x", err); + return err; + } + + ESP_LOGV(TAG, "Successfully deployed new flash encryption key using Key Manager"); + + // Write the key recovery info of the newly generated key into the flash + for (int i = 0; i < 2; i++) { + err = bootloader_flash_erase_sector(i); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to erase sector %d: %x", i, err); + return err; + } + } + + // Write the key recovery info of the newly generated key into the flash + err = bootloader_flash_write(KEY_HUK_SECTOR_OFFSET(0), (uint32_t *)key_recovery_info, sizeof(esp_key_mgr_key_recovery_info_t), false); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to write key recovery info to flash: %x", err); + return err; + } + + ESP_LOGV(TAG, "Successfully wrote the newly generated Flash Encryption key recovery info into the flash"); + + return ESP_OK; +} + +static esp_err_t key_manager_check_and_generate_key(void) +{ + /* + 1. Check if we have a valid key info in the first two sectors of the flash + 2. If we have a valid key info, check if it is valid + 1. If the key is valid, use it + 2. If the key is not valid, generate a new key and load it into key manager + 3. If not, generate a new key and load it into key manager + */ + esp_key_mgr_key_recovery_info_t key_recovery_info; + + memset(&key_recovery_info, 0, sizeof(esp_key_mgr_key_recovery_info_t)); + + esp_err_t err = key_manager_read_key_recovery_info(&key_recovery_info); + if (err == ESP_ERR_NOT_FOUND) { + // No valid key recovery info found, generate a new key + err = key_manager_generate_key(&key_recovery_info); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to generate key for Key Manager: %x", err); + return err; + } + } else { + // Valid key recovery info found, use it + ESP_LOGI(TAG, "Using pre-deployed Key Manager key for flash encryption"); + } + + // Recover key using the key recovery info + err = esp_key_mgr_activate_key(&key_recovery_info); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to activate Key Manager key: %x", err); + return err; + } + + return ESP_OK; +} +#endif + static esp_err_t check_and_generate_encryption_keys(void) { +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES size_t key_size = 32; #ifdef CONFIG_IDF_TARGET_ESP32 enum { BLOCKS_NEEDED = 1 }; @@ -213,13 +364,56 @@ static esp_err_t check_and_generate_encryption_keys(void) } ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse"); } +#elif CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + esp_err_t err = key_manager_check_and_generate_key(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to check and generate key using Key Manager: %x", err); + return err; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_AES128 + err = esp_efuse_write_field_bit(ESP_EFUSE_KM_XTS_KEY_LENGTH_256); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to set the efuse bit KM_XTS_KEY_LENGTH_256: %x", err); + return err; + } +#endif + + const uint32_t force_key_mgr_key_for_fe = 1 << ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY; + err = esp_efuse_write_field_blob(ESP_EFUSE_FORCE_USE_KEY_MANAGER_KEY, &force_key_mgr_key_for_fe, ESP_EFUSE_FORCE_USE_KEY_MANAGER_KEY[0]->bit_count); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to set the efuse bit %d (XTS-AES key) of FORCE_USE_KEY_MANAGER_KEY: %x", ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY, err); + return err; + } + + ESP_LOGV(TAG, "Successfully activated the flash encryption key using Key Manager"); +#endif return ESP_OK; } esp_err_t esp_flash_encrypt_init(void) { - if (esp_flash_encryption_enabled() || esp_flash_encrypt_initialized_once()) { + if (esp_flash_encryption_enabled()) { + return ESP_OK; + } + +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + if (!(key_mgr_ll_is_supported() && key_mgr_ll_flash_encryption_supported())) { + ESP_LOGE(TAG, "Flash Encryption using Key Manager is not supported, please use efuses instead"); + return ESP_ERR_NOT_SUPPORTED; + } +#endif + + if (esp_flash_encrypt_initialized_once()) { +#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR + // Allow generating a new key if the key recovery info is not present in the flash + esp_err_t err = key_manager_check_and_generate_key(); + if (err != ESP_OK) { + ESP_LOGE(TAG, "Failed to recover key using Key Manager: %x", err); + return err; + } +#endif return ESP_OK; } @@ -260,10 +454,6 @@ esp_err_t esp_flash_encrypt_contents(void) REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1); #endif -#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY - esp_flash_encryption_enable_key_mgr(); -#endif - err = encrypt_bootloader(); // PART_SUBTYPE_BOOTLOADER_PRIMARY if (err != ESP_OK) { return err; diff --git a/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h b/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h index 2f6421fb0be..e32b9b8e2e9 100644 --- a/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h +++ b/components/esp_hw_support/include/esp_private/esp_crypto_lock_internal.h @@ -15,7 +15,7 @@ extern "C" { // NOTE: [ESP-TEE] Since the clock configuration APIs are part // of the TEE, the XYZ_RCC_ATOMIC macros need to be defined as void. -#if SOC_RCC_IS_INDEPENDENT || ESP_TEE_BUILD +#if SOC_RCC_IS_INDEPENDENT || NON_OS_BUILD #define MPI_RCC_ATOMIC() #define ECC_RCC_ATOMIC() #define HMAC_RCC_ATOMIC() diff --git a/components/esp_security/CMakeLists.txt b/components/esp_security/CMakeLists.txt index 35dc2361d9a..745b0480700 100644 --- a/components/esp_security/CMakeLists.txt +++ b/components/esp_security/CMakeLists.txt @@ -6,7 +6,7 @@ if(${target} STREQUAL "linux") endif() set(srcs "") -set(priv_requires "") +set(priv_requires "esp_hw_support") set(priv_includes "") if(NOT non_os_build) @@ -42,6 +42,12 @@ elseif(esp_tee_build) if(CONFIG_SOC_DIG_SIGN_SUPPORTED) list(APPEND srcs "src/esp_ds.c") endif() +else() # BOOTLOADER_BUILD + list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") + + if(CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY) + list(APPEND srcs "src/esp_key_mgr.c") + endif() endif() idf_component_register(SRCS ${srcs} diff --git a/components/esp_security/include/esp_key_mgr.h b/components/esp_security/include/esp_key_mgr.h index 8c7d9951486..91488b1cbb9 100644 --- a/components/esp_security/include/esp_key_mgr.h +++ b/components/esp_security/include/esp_key_mgr.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -25,6 +25,8 @@ extern "C" { #define KEY_MGR_HUK_INFO_SIZE HUK_INFO_LEN #define KEY_MGR_HUK_RISK_ALERT_LEVEL HUK_RISK_ALERT_LEVEL +#define KEY_MGR_KEY_INFO_SIZE KEY_INFO_LEN + /* AES deploy mode */ #define KEY_MGR_K2_INFO_SIZE 64 #define KEY_MGR_K1_ENCRYPTED_SIZE 32 @@ -59,6 +61,13 @@ typedef struct { WORD_ALIGNED_ATTR uint8_t k2_G[2][KEY_MGR_ECDH0_INFO_SIZE]; } esp_key_mgr_ecdh0_info_t; +/** + * @brief Wait for the Key Manager to reach the given state + * + * @param state The state to wait for + */ +void key_mgr_wait_for_state(esp_key_mgr_state_t state); + /** * @brief Deploy key in AES deployment mode * @input diff --git a/components/esp_security/src/esp_crypto_periph_clk.c b/components/esp_security/src/esp_crypto_periph_clk.c index a62c804b35c..12f245da550 100644 --- a/components/esp_security/src/esp_crypto_periph_clk.c +++ b/components/esp_security/src/esp_crypto_periph_clk.c @@ -7,6 +7,7 @@ #include "soc/soc_caps.h" #include "esp_private/esp_crypto_lock_internal.h" #include "sdkconfig.h" +#include "esp_crypto_periph_clk.h" #if SOC_AES_SUPPORTED #include "hal/aes_ll.h" diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index 6c59f78dd30..ccc53f93a8d 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -6,7 +6,6 @@ // The Hardware Support layer for Key manager #include #include -#include #include "esp_key_mgr.h" #include "esp_crypto_periph_clk.h" #include "esp_crypto_lock.h" @@ -24,16 +23,19 @@ #if SOC_KEY_MANAGER_SUPPORTED static const char *TAG = "esp_key_mgr"; +ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)"); +ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)"); +ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)"); + +#if !NON_OS_BUILD +#include + static _lock_t s_key_mgr_ecdsa_key_lock; static _lock_t s_key_mgr_xts_aes_key_lock; static _lock_t s_key_mgr_hmac_key_lock; static _lock_t s_key_mgr_ds_key_lock; static _lock_t s_key_mgr_psram_key_lock; -ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_recovery_info_t) == sizeof(struct huk_key_block), "Size of esp_key_mgr_key_recovery_info_t should match huk_key_block (from ROM)"); -ESP_STATIC_ASSERT(sizeof(esp_key_mgr_key_info_t) == sizeof(struct key_info), "Size of esp_key_mgr_key_info_t should match key_info (from ROM)"); -ESP_STATIC_ASSERT(sizeof(esp_key_mgr_huk_info_t) == sizeof(struct huk_info), "Size of esp_key_mgr_huk_info_t should match huk_info (from ROM)"); - static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { @@ -91,6 +93,46 @@ static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) } ESP_LOGV(TAG, "Key lock released for key type %d", key_type); } +#else /* !NON_OS_BUILD */ +static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) +{ + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_XTS_AES_128_KEY: + case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_HMAC_KEY: + case ESP_KEY_MGR_DS_KEY: + case ESP_KEY_MGR_PSRAM_128_KEY: + case ESP_KEY_MGR_PSRAM_256_KEY: + break; + default: + ESP_LOGE(TAG, "Invalid key type"); + break; + } + ESP_LOGV(TAG, "Key lock acquired for key type %d", key_type); +} + +static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) +{ + switch (key_type) { + case ESP_KEY_MGR_ECDSA_192_KEY: + case ESP_KEY_MGR_ECDSA_256_KEY: + case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_XTS_AES_128_KEY: + case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_HMAC_KEY: + case ESP_KEY_MGR_DS_KEY: + case ESP_KEY_MGR_PSRAM_128_KEY: + case ESP_KEY_MGR_PSRAM_256_KEY: + default: + ESP_LOGE(TAG, "Invalid key type"); + break; + } + ESP_LOGV(TAG, "Key lock released for key type %d", key_type); +} +#endif /* NON_OS_BUILD */ static void esp_key_mgr_acquire_hardware(bool deployment_mode) { @@ -155,7 +197,7 @@ static void check_huk_risk_level(void) "It is recommended to immediately regenerate HUK in order" "to avoid permanently losing the deployed keys", huk_risk_level); } else { - ESP_LOGD(TAG, "HUK Risk level - %" PRId8 " within acceptable limit (%" PRIu32 ")", huk_risk_level, (uint32_t)KEY_MGR_HUK_RISK_ALERT_LEVEL); + ESP_LOGD(TAG, "HUK Risk level - %d within acceptable limit (%d)", huk_risk_level, (int) KEY_MGR_HUK_RISK_ALERT_LEVEL); } } @@ -186,6 +228,8 @@ typedef struct { esp_key_mgr_huk_info_t *huk_recovery_info; } huk_deploy_config_t; +static const uint8_t zeros[KEY_MGR_HUK_INFO_SIZE] = {0}; + static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info) { esp_err_t ret = huk_hal_configure(huk_mode, huk_info); @@ -198,9 +242,11 @@ static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info) huk_hal_recharge_huk_memory(); ret = huk_hal_configure(huk_mode, huk_info); if (ret != ESP_OK) { + // heap_caps_free(huk_recovery_info_zeros); return ret; } } + // heap_caps_free(huk_recovery_info_zeros); #endif if (!key_mgr_hal_is_huk_valid()) { @@ -213,6 +259,10 @@ static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info) static esp_err_t deploy_huk(huk_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; + + // TODO: Could we use config->huk_recovery_info->info directly instead of allocating a copy of it? + // Advantage: BOOTLOADER_BUILD would be able to use this function. + // Note: We can memset it to zeros in case of an error. uint8_t *huk_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_HUK_INFO_SIZE, MALLOC_CAP_INTERNAL); if (!huk_recovery_info) { return ESP_ERR_NO_MEM; diff --git a/components/hal/esp32c5/include/hal/key_mgr_ll.h b/components/hal/esp32c5/include/hal/key_mgr_ll.h index ff35e84aafd..71fc8167f76 100644 --- a/components/hal/esp32c5/include/hal/key_mgr_ll.h +++ b/components/hal/esp32c5/include/hal/key_mgr_ll.h @@ -20,6 +20,7 @@ #include "soc/keymng_reg.h" #include "soc/pcr_struct.h" #include "soc/pcr_reg.h" +#include "hal/efuse_hal.h" #ifdef __cplusplus extern "C" { @@ -443,6 +444,14 @@ static inline bool key_mgr_ll_is_supported(void) return true; } +static inline bool key_mgr_ll_flash_encryption_supported(void) +{ + if (!key_mgr_ll_is_supported() || efuse_hal_chip_revision() <= 100) { + return false; + } + return true; +} + #ifdef __cplusplus } #endif diff --git a/components/hal/esp32p4/include/hal/key_mgr_ll.h b/components/hal/esp32p4/include/hal/key_mgr_ll.h index dfc3b510a6f..285f5909f02 100644 --- a/components/hal/esp32p4/include/hal/key_mgr_ll.h +++ b/components/hal/esp32p4/include/hal/key_mgr_ll.h @@ -484,6 +484,14 @@ static inline bool key_mgr_ll_is_supported(void) #endif } +static inline bool key_mgr_ll_flash_encryption_supported(void) +{ + if (!key_mgr_ll_is_supported()) { + return false; + } + return true; +} + #ifdef __cplusplus } #endif diff --git a/components/hal/include/hal/key_mgr_types.h b/components/hal/include/hal/key_mgr_types.h index 6397424c5cb..dcdc8bd30ef 100644 --- a/components/hal/include/hal/key_mgr_types.h +++ b/components/hal/include/hal/key_mgr_types.h @@ -110,6 +110,17 @@ typedef enum { ESP_KEY_MGR_INT_POST_DONE, } esp_key_mgr_interrupt_type_t; +/** + * @brief Force use key manager key type + * @note This is used to force the key manager to use a specific key type. + */ +typedef enum { + ESP_KEY_MGR_FORCE_USE_KM_ECDSA_KEY = 0, + ESP_KEY_MGR_FORCE_USE_KM_XTS_AES_KEY = 1, + ESP_KEY_MGR_FORCE_USE_KM_HMAC_KEY = 2, + ESP_KEY_MGR_FORCE_USE_KM_DS_KEY = 3, +} esp_key_mgr_force_use_km_key_t; + // store huk info, occupy 96 words typedef struct PACKED_ATTR { #define HUK_INFO_LEN 660 diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in index 0e1520c13de..996de617452 100644 --- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in @@ -1339,6 +1339,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool default y diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h index 92c4c0b7174..8a2cb6b5c66 100644 --- a/components/soc/esp32c5/include/soc/soc_caps.h +++ b/components/soc/esp32c5/include/soc/soc_caps.h @@ -532,8 +532,9 @@ /*-------------------------- Flash Encryption CAPS----------------------------*/ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) -#define SOC_FLASH_ENCRYPTION_XTS_AES 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1 /*-------------------------- PSRAM Encryption CAPS----------------------------*/ diff --git a/tools/test_apps/system/.build-test-rules.yml b/tools/test_apps/system/.build-test-rules.yml index cb10f5c2551..762309a0c6e 100644 --- a/tools/test_apps/system/.build-test-rules.yml +++ b/tools/test_apps/system/.build-test-rules.yml @@ -3,6 +3,8 @@ tools/test_apps/system/bootloader_sections: disable: - if: CONFIG_NAME == "rtc_retain" and SOC_RTC_FAST_MEM_SUPPORTED != 1 + - if: CONFIG_NAME == "flash_encryption_key_mgr" and (SOC_KEY_MANAGER_FE_KEY_DEPLOY != 1 or IDF_TARGET == "esp32p4") + - if: CONFIG_NAME == "flash_encryption_key_mgr_esp32p4" and IDF_TARGET != "esp32p4" tools/test_apps/system/build_test: disable: diff --git a/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr new file mode 100644 index 00000000000..9c2f087437d --- /dev/null +++ b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr @@ -0,0 +1,4 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y +CONFIG_PARTITION_TABLE_OFFSET=0xC000 diff --git a/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 new file mode 100644 index 00000000000..cdb00e387a5 --- /dev/null +++ b/tools/test_apps/system/bootloader_sections/sdkconfig.ci.flash_encryption_key_mgr_esp32p4 @@ -0,0 +1,6 @@ +CONFIG_SECURE_FLASH_ENC_ENABLED=y +CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE=y +CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR=y +CONFIG_PARTITION_TABLE_OFFSET=0xC000 + +CONFIG_ESP32P4_SELECTS_REV_LESS_V3=n From 7212b517d4b8d54648a58fc2b719325237e2c584 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Wed, 15 Oct 2025 00:04:13 +0530 Subject: [PATCH 03/10] change(esp_key_mgr): Make Key Manager driver bootloader compatible - Independent of heap --- .../main/ld/esp32c5/bootloader.ld.in | 5 + .../main/ld/esp32p4/bootloader.ld.in | 1 + .../main/ld/esp32p4/bootloader.rev3.ld.in | 6 +- .../flash_encryption_secure_features.c | 4 +- .../flash_encryption_secure_features.c | 8 +- components/esp_security/CMakeLists.txt | 4 +- components/esp_security/include/esp_key_mgr.h | 6 +- .../esp_security/src/esp_crypto_periph_clk.c | 5 + components/esp_security/src/esp_key_mgr.c | 112 ++++-------------- 9 files changed, 48 insertions(+), 103 deletions(-) diff --git a/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in b/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in index b392b18adb3..aad2b39b2db 100644 --- a/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in +++ b/components/bootloader/subproject/main/ld/esp32c5/bootloader.ld.in @@ -91,6 +91,11 @@ SECTIONS *libhal.a:cache_hal.*(.literal .text .literal.* .text.*) *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*) *libesp_hal_wdt.a:wdt_hal_iram.*(.literal .text .literal.* .text.*) + *libhal.a:huk_hal.*(.literal .text .literal.* .text.*) + *libhal.a:key_mgr_hal.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_key_mgr.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_periph_clk.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_lock.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_clk.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_time.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:regi2c_ctrl.*(.literal .text .literal.* .text.*) diff --git a/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in b/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in index 0ee5dfe65f8..1d763d2d222 100644 --- a/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in +++ b/components/bootloader/subproject/main/ld/esp32p4/bootloader.ld.in @@ -90,6 +90,7 @@ SECTIONS *libhal.a:cache_hal.*(.literal .text .literal.* .text.*) *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*) *libhal.a:key_mgr_hal.*(.literal.key_mgr_hal_set_key_usage .text.key_mgr_hal_set_key_usage) + *libesp_security.a:esp_crypto_periph_clk.*(.literal .text .literal.* .text.*) *libesp_hal_wdt.a:wdt_hal_iram.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_clk.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_time.*(.literal .text .literal.* .text.*) diff --git a/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in b/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in index 9a6ae2ddf11..f51c5e63afe 100644 --- a/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in +++ b/components/bootloader/subproject/main/ld/esp32p4/bootloader.rev3.ld.in @@ -89,8 +89,12 @@ SECTIONS *libhal.a:mmu_hal.*(.literal .text .literal.* .text.*) *libhal.a:cache_hal.*(.literal .text .literal.* .text.*) *libhal.a:efuse_hal.*(.literal .text .literal.* .text.*) - *libhal.a:key_mgr_hal.*(.literal.key_mgr_hal_set_key_usage .text.key_mgr_hal_set_key_usage) *libesp_hal_wdt.a:wdt_hal_iram.*(.literal .text .literal.* .text.*) + *libhal.a:huk_hal.*(.literal .text .literal.* .text.*) + *libhal.a:key_mgr_hal.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_key_mgr.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_periph_clk.*(.literal .text .literal.* .text.*) + *libesp_security.a:esp_crypto_lock.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_clk.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:rtc_time.*(.literal .text .literal.* .text.*) *libesp_hw_support.a:regi2c_ctrl.*(.literal .text .literal.* .text.*) diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index 80b2407ff85..a1804969bfd 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -11,6 +11,7 @@ #include "esp_efuse.h" #include "esp_efuse_table.h" #include "esp_log.h" +#include "esp_crypto_periph_clk.h" #include "esp_key_mgr.h" #include "hal/key_mgr_hal.h" #include "hal/mspi_ll.h" @@ -73,13 +74,10 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_err_t esp_flash_encryption_enable_key_mgr(void) { -#if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES esp_crypto_key_mgr_enable_periph_clk(true); - key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); -#endif // In case Flash Encryption is enabled by a key deployed using the Key Manager, // we just need to reset the SPI flash to ensure the key is used. diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c index cf7a4a8c2d1..c111cbf665c 100644 --- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c @@ -11,6 +11,7 @@ #include "esp_efuse_table.h" #include "esp_log.h" #include "sdkconfig.h" +#include "esp_crypto_periph_clk.h" #include "hal/key_mgr_ll.h" #include "hal/mspi_ll.h" @@ -53,12 +54,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) esp_err_t esp_flash_encryption_enable_key_mgr(void) { - _key_mgr_ll_enable_bus_clock(true); - _key_mgr_ll_enable_peripheral_clock(true); - _key_mgr_ll_reset_register(); - - while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) { - }; + esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); diff --git a/components/esp_security/CMakeLists.txt b/components/esp_security/CMakeLists.txt index 745b0480700..362f942aebd 100644 --- a/components/esp_security/CMakeLists.txt +++ b/components/esp_security/CMakeLists.txt @@ -6,7 +6,7 @@ if(${target} STREQUAL "linux") endif() set(srcs "") -set(priv_requires "esp_hw_support") +set(priv_requires esp_hw_support hal efuse) set(priv_includes "") if(NOT non_os_build) @@ -30,7 +30,7 @@ if(NOT non_os_build) endif() list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") - list(APPEND priv_requires efuse esp_system esp_timer) + list(APPEND priv_requires esp_system esp_timer) elseif(esp_tee_build) list(APPEND srcs "src/esp_crypto_lock.c" "src/esp_crypto_periph_clk.c") list(APPEND includes "src/${IDF_TARGET}") diff --git a/components/esp_security/include/esp_key_mgr.h b/components/esp_security/include/esp_key_mgr.h index 91488b1cbb9..09f7fb4cf59 100644 --- a/components/esp_security/include/esp_key_mgr.h +++ b/components/esp_security/include/esp_key_mgr.h @@ -73,7 +73,7 @@ void key_mgr_wait_for_state(esp_key_mgr_state_t state); * @input * key_config(input) AES key configuration * key_info(output) A writable struct of esp_key_mgr_key_info_t type. - * The recovery information for the the deployed key shall be stored here + * The recovery information for the the deployed key shall be stored here (Make sure that the memory is valid during the deployment process). * @return * ESP_OK for success * ESP_FAIL/relevant error code for failure @@ -84,7 +84,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t * @brief Deploy key in ECDH0 deployment mode * @input * key_config(input) ECDH0 key configuration - * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here + * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here (Make sure that the memory is valid during the deployment process). * ecdh0_key_info A writable struct of esp_key_mgr_ecdh0_info_t. The ecdh0 info to recover the actual key shall be stored here. * @return * ESP_OK for success @@ -96,7 +96,7 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi * @brief Deploy key in Random deployment mode * @input * key_config(input) Random key configuration - * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here + * key_info(output) A writable struct of esp_key_mgr_key_info_t type. The recovery key info for the deployed key shall be stored here (Make sure that the memory is valid during the deployment process). * @return * ESP_OK for success * ESP_FAIL/relevant error code for failure diff --git a/components/esp_security/src/esp_crypto_periph_clk.c b/components/esp_security/src/esp_crypto_periph_clk.c index 12f245da550..329f6c8eca6 100644 --- a/components/esp_security/src/esp_crypto_periph_clk.c +++ b/components/esp_security/src/esp_crypto_periph_clk.c @@ -39,6 +39,11 @@ #include "hal/crypto_dma_ll.h" #endif +#if NON_OS_BUILD +// To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV +int __DECLARE_RCC_ATOMIC_ENV __attribute__((unused)); +#endif + #if SOC_AES_SUPPORTED void esp_crypto_aes_enable_periph_clk(bool enable) { diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index ccc53f93a8d..f1ccecb4b0c 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -11,7 +11,6 @@ #include "esp_crypto_lock.h" #include "esp_log.h" #include "esp_err.h" -#include "esp_heap_caps.h" #include "esp_rom_crc.h" #include "esp_efuse.h" #include "hal/key_mgr_types.h" @@ -126,6 +125,7 @@ static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) case ESP_KEY_MGR_DS_KEY: case ESP_KEY_MGR_PSRAM_128_KEY: case ESP_KEY_MGR_PSRAM_256_KEY: + break; default: ESP_LOGE(TAG, "Invalid key type"); break; @@ -228,8 +228,6 @@ typedef struct { esp_key_mgr_huk_info_t *huk_recovery_info; } huk_deploy_config_t; -static const uint8_t zeros[KEY_MGR_HUK_INFO_SIZE] = {0}; - static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info) { esp_err_t ret = huk_hal_configure(huk_mode, huk_info); @@ -242,11 +240,9 @@ static esp_err_t configure_huk(esp_huk_mode_t huk_mode, uint8_t *huk_info) huk_hal_recharge_huk_memory(); ret = huk_hal_configure(huk_mode, huk_info); if (ret != ESP_OK) { - // heap_caps_free(huk_recovery_info_zeros); return ret; } } - // heap_caps_free(huk_recovery_info_zeros); #endif if (!key_mgr_hal_is_huk_valid()) { @@ -260,13 +256,6 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) { esp_err_t esp_ret = ESP_FAIL; - // TODO: Could we use config->huk_recovery_info->info directly instead of allocating a copy of it? - // Advantage: BOOTLOADER_BUILD would be able to use this function. - // Note: We can memset it to zeros in case of an error. - uint8_t *huk_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_HUK_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!huk_recovery_info) { - return ESP_ERR_NO_MEM; - } if (config->use_pre_generated_huk_info) { ESP_LOGD(TAG, "Using pre-generated HUK info"); @@ -275,41 +264,34 @@ static esp_err_t deploy_huk(huk_deploy_config_t *config) if (!check_huk_info_validity(config->pre_generated_huk_info)) { ESP_LOGE(TAG, "HUK info is not valid"); - heap_caps_free(huk_recovery_info); return ESP_ERR_INVALID_ARG; } - memcpy(huk_recovery_info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE); ESP_LOGD(TAG, "Recovering HUK from given HUK recovery info"); - esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, huk_recovery_info); + esp_ret = configure_huk(ESP_HUK_MODE_RECOVERY, (uint8_t *) config->pre_generated_huk_info->info); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover HUK"); - heap_caps_free(huk_recovery_info); return esp_ret; } // Copy the pre generated huk info in the output key recovery info - memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); + memcpy(config->huk_recovery_info->info, config->pre_generated_huk_info->info, KEY_MGR_HUK_INFO_SIZE); config->huk_recovery_info->crc = config->pre_generated_huk_info->crc; } else { // Generate new HUK and corresponding HUK info ESP_LOGD(TAG, "Generating new HUK"); - esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, huk_recovery_info); + esp_ret = configure_huk(ESP_HUK_MODE_GENERATION, config->huk_recovery_info->info); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to generate HUK"); - heap_caps_free(huk_recovery_info); + memset(config->huk_recovery_info->info, 0, KEY_MGR_HUK_INFO_SIZE); return esp_ret; } - memcpy(config->huk_recovery_info->info, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); - config->huk_recovery_info->crc = esp_rom_crc32_le(0, huk_recovery_info, KEY_MGR_HUK_INFO_SIZE); + config->huk_recovery_info->crc = esp_rom_crc32_le(0, config->huk_recovery_info->info, KEY_MGR_HUK_INFO_SIZE); } - ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", huk_recovery_info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG); - // Free the local buffer for huk recovery info - heap_caps_free(huk_recovery_info); return ESP_OK; } @@ -342,14 +324,13 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } - // TODO: Could we use config->key_info->info directly instead of allocating a copy of it? - // Advantage: BOOTLOADER_BUILD would be able to use this function. - // Note: We can memset it to zeros in case of an error. - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; + uint8_t key_recovery_info_index = 0; + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + key_recovery_info_index = 1; } + uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; + // STEP 1: Init Step // Set mode key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_AES); @@ -370,7 +351,6 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_use_sw_init_key(); } else if (!esp_efuse_find_purpose(ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY, NULL)) { ESP_LOGE(TAG, "Could not find key with purpose KM_INIT_KEY"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } @@ -381,15 +361,12 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) if (config->key_config->use_pre_generated_sw_init_key) { key_mgr_hal_write_sw_init_key(config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("SW_INIT_KEY", config->key_config->sw_init_key, KEY_MGR_SW_INIT_KEY_SIZE, ESP_LOG_DEBUG); } ESP_LOGD(TAG, "Writing Information into Key Manager Registers"); key_mgr_hal_write_assist_info(config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("K2_INFO", config->key_config->k2_info, KEY_MGR_K2_INFO_SIZE, ESP_LOG_DEBUG); key_mgr_hal_write_public_info(config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("K1_ENCRYPTED", config->k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE, ESP_LOG_DEBUG); key_mgr_hal_continue(); @@ -397,12 +374,10 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } } @@ -412,17 +387,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - - } else { - memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } - - heap_caps_free(key_recovery_info); - + config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; @@ -437,8 +402,6 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t ESP_LOGD(TAG, "Key deployment in AES mode"); - // TODO: Would making this static help in saving static memory? - // if so, memset the structure to 0 before using it aes_deploy_config_t aes_deploy_config = { .key_config = key_config, .key_info = key_recovery_info, @@ -504,7 +467,6 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) } ESP_LOGD(TAG, "HUK recovered successfully"); - ESP_LOG_BUFFER_HEX_LEVEL("HUK INFO", config->key_recovery_info->huk_info.info, KEY_MGR_HUK_INFO_SIZE, ESP_LOG_DEBUG); config->huk_recovered = true; } @@ -530,14 +492,12 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) return ESP_FAIL; } key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[1].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("RECOVERY_INFO[1]", config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); } else { if (!check_key_info_validity(&config->key_recovery_info->key_info[0])) { ESP_LOGE(TAG, "Key info not valid"); return ESP_FAIL; } key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("RECOVERY_INFO[0]", config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); } key_mgr_hal_continue(); @@ -567,8 +527,6 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery ESP_LOGD(TAG, "Activating key of type %d", key_type); - // TODO: Would making this static help in saving static memory? - // if so, memset the structure to 0 before using it key_recovery_config_t key_recovery_config = { .key_recovery_info = key_recovery_info, }; @@ -650,11 +608,13 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; + uint8_t key_recovery_info_index = 0; + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + key_recovery_info_index = 1; } + uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; + // Step 1 : Initialization // Configure deployment mode to ECDH0 key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_ECDH0); @@ -686,12 +646,10 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_read_assist_info(config->ecdh0_key_info); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } } @@ -701,16 +659,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { - memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } - - heap_caps_free(key_recovery_info); - + config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; @@ -728,8 +677,6 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi esp_key_mgr_key_type_t key_type = key_config->key_type; - // TODO: Would making this static help in saving static memory? - // if so, memset the structure to 0 before using it ecdh0_deploy_config_t ecdh0_deploy_config = { .key_config = key_config, .key_info = key_info, @@ -799,11 +746,13 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } - uint8_t *key_recovery_info = (uint8_t *) heap_caps_calloc(1, KEY_MGR_KEY_RECOVERY_INFO_SIZE, MALLOC_CAP_INTERNAL); - if (!key_recovery_info) { - return ESP_ERR_NO_MEM; + uint8_t key_recovery_info_index = 0; + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + key_recovery_info_index = 1; } + uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; + // Configure deployment mode to RANDOM key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RANDOM); @@ -827,12 +776,10 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) // No configuration for Random deploy mode key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - ESP_LOG_BUFFER_HEX_LEVEL("KEY_RECOVERY_INFO", key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE, ESP_LOG_DEBUG); if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { if (!key_mgr_hal_is_key_deployment_valid(key_type)) { ESP_LOGE(TAG, "Key deployment is not valid"); - heap_caps_free(key_recovery_info); return ESP_FAIL; } } @@ -842,16 +789,7 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - memcpy(config->key_info->key_info[1].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[1].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { - memcpy(config->key_info->key_info[0].info, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - config->key_info->key_info[0].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } - - heap_caps_free(key_recovery_info); - + config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_type = key_type; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; @@ -866,8 +804,6 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con ESP_LOGD(TAG, "Key deployment in Random mode"); - // TODO: Would making this static help in saving static memory? - // if so, memset the structure to 0 before using it random_deploy_config_t random_deploy_config = { .key_config = key_config, .key_info = key_recovery_info, From 92e5cfa47ebe0e276b5e1dd6f6f63b1ddf8d138f Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Thu, 18 Sep 2025 15:14:12 +0530 Subject: [PATCH 04/10] change(bootloader_support): Rename the esp_flash_encryption_enable_key_mgr() API --- components/bootloader_support/include/esp_flash_encrypt.h | 2 +- .../src/esp32c5/flash_encryption_secure_features.c | 5 +++-- .../src/esp32p4/flash_encryption_secure_features.c | 7 +++++-- .../src/flash_encryption/flash_encrypt.c | 5 +++++ 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h index fc00cbf36bf..0e502399eb3 100644 --- a/components/bootloader_support/include/esp_flash_encrypt.h +++ b/components/bootloader_support/include/esp_flash_encrypt.h @@ -189,7 +189,7 @@ esp_err_t esp_flash_encryption_enable_secure_features(void); * @return * - ESP_OK - On success */ -esp_err_t esp_flash_encryption_enable_key_mgr(void); +esp_err_t esp_flash_encryption_use_efuse_key(void); #endif // SOC_KEY_MANAGER_FE_KEY_DEPLOY #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */ diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index a1804969bfd..54a14dcfdb8 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -17,7 +17,7 @@ #include "hal/mspi_ll.h" #include "soc/soc_caps.h" #include "sdkconfig.h" -#include "esp_crypto_periph_clk.h" +#include "hal/key_mgr_ll.h" ESP_LOG_ATTR_TAG(TAG, "flash_encrypt"); @@ -72,13 +72,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) return ESP_OK; } -esp_err_t esp_flash_encryption_enable_key_mgr(void) +esp_err_t esp_flash_encryption_use_efuse_key(void) { esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + // TODO: Check if this is necessary else remove it // In case Flash Encryption is enabled by a key deployed using the Key Manager, // we just need to reset the SPI flash to ensure the key is used. // Enabling Key Manager and forcing it to use its OWN key is handled in the diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c index c111cbf665c..907626ce32f 100644 --- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c @@ -12,6 +12,8 @@ #include "esp_log.h" #include "sdkconfig.h" #include "esp_crypto_periph_clk.h" +#include "esp_key_mgr.h" +#include "hal/key_mgr_hal.h" #include "hal/key_mgr_ll.h" #include "hal/mspi_ll.h" @@ -52,12 +54,13 @@ esp_err_t esp_flash_encryption_enable_secure_features(void) return ESP_OK; } -esp_err_t esp_flash_encryption_enable_key_mgr(void) +esp_err_t esp_flash_encryption_use_efuse_key(void) { esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + _mspi_timing_ll_reset_mspi(); return ESP_OK; diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 64c5afff42a..766183b176e 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -364,6 +364,11 @@ static esp_err_t check_and_generate_encryption_keys(void) } ESP_LOGI(TAG, "Using pre-loaded flash encryption key in efuse"); } + +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY + // In the case of Key Manager supported targets, the default XTS-AES key source is set to Key Manager. + esp_flash_encryption_use_efuse_key(); +#endif #elif CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR esp_err_t err = key_manager_check_and_generate_key(); if (err != ESP_OK) { From 7cefae573a9e6180c9f912bf6c04058367677b03 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Tue, 14 Oct 2025 10:05:47 +0530 Subject: [PATCH 05/10] feat(flash_encryption): Remove mspi reset when switching the XTS-AES key source --- .../src/esp32c5/flash_encryption_secure_features.c | 7 ------- .../src/esp32p4/flash_encryption_secure_features.c | 2 -- 2 files changed, 9 deletions(-) diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index 54a14dcfdb8..e07a2b40a1b 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -79,12 +79,5 @@ esp_err_t esp_flash_encryption_use_efuse_key(void) // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); - // TODO: Check if this is necessary else remove it - // In case Flash Encryption is enabled by a key deployed using the Key Manager, - // we just need to reset the SPI flash to ensure the key is used. - // Enabling Key Manager and forcing it to use its OWN key is handled in the - // Key Manager's key deployment API itself. - _mspi_timing_ll_reset_mspi(); - return ESP_OK; } diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c index 907626ce32f..6d945a97611 100644 --- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c @@ -61,7 +61,5 @@ esp_err_t esp_flash_encryption_use_efuse_key(void) // Force Key Manager to use eFuse key for XTS-AES operation key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); - _mspi_timing_ll_reset_mspi(); - return ESP_OK; } From 9c823cdf381a9ab8b2d847ce2ca3cfb5b0dc723e Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Mon, 27 Oct 2025 18:44:11 +0530 Subject: [PATCH 06/10] fix(hal): Force HUK power up when configuring HUK for ESP32-C5 --- components/hal/esp32c5/include/hal/huk_ll.h | 8 ++++++++ components/hal/esp32p4/include/hal/huk_ll.h | 7 ++++++- components/hal/huk_hal.c | 2 ++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/components/hal/esp32c5/include/hal/huk_ll.h b/components/hal/esp32c5/include/hal/huk_ll.h index fb6e4e69f44..d66eed2e417 100644 --- a/components/hal/esp32c5/include/hal/huk_ll.h +++ b/components/hal/esp32c5/include/hal/huk_ll.h @@ -29,6 +29,14 @@ extern "C" { #endif +static inline void huk_ll_power_up(void) +{ + /* huk force_pd MUST be cleared!!! */ + REG_CLR_BIT(LP_AON_MEM_CTRL_REG, LP_AON_HUK_MEM_FORCE_PD); + /* huk force_pu MUST be set!!! */ + REG_SET_BIT(LP_AON_MEM_CTRL_REG, LP_AON_HUK_MEM_FORCE_PU); +} + /* @brief Configure the HUK mode */ static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode) { diff --git a/components/hal/esp32p4/include/hal/huk_ll.h b/components/hal/esp32p4/include/hal/huk_ll.h index 6b5a50a64fd..dc624890501 100644 --- a/components/hal/esp32p4/include/hal/huk_ll.h +++ b/components/hal/esp32p4/include/hal/huk_ll.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -27,6 +27,11 @@ extern "C" { #endif +static inline void huk_ll_power_up(void) +{ + +} + /* @brief Configure the HUK mode */ static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode) { diff --git a/components/hal/huk_hal.c b/components/hal/huk_hal.c index a2742191621..21f1a12959e 100644 --- a/components/hal/huk_hal.c +++ b/components/hal/huk_hal.c @@ -30,6 +30,8 @@ static void inline huk_hal_wait_for_state(esp_huk_state_t state) esp_err_t huk_hal_configure(const esp_huk_mode_t huk_mode, uint8_t *huk_info_buf) { + huk_ll_power_up(); + if (esp_rom_km_huk_conf(huk_mode, huk_info_buf) != ETS_OK) { return ESP_FAIL; } From 172f904e23df5b1a74cb88d993839cf408c00666 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Wed, 5 Nov 2025 08:32:19 +0530 Subject: [PATCH 07/10] feat(bootloader_support): Support FE XTS-AES-256 using Key Manager for ESP32-C5 --- components/bootloader/Kconfig.projbuild | 9 +++++++-- components/bootloader_support/src/flash_encrypt.c | 4 ++-- .../keys/with_key_purposes/esp_efuse_api_key.c | 6 +++--- .../test_apps/main/with_key_purposes/test_efuse_keys.c | 10 +++++----- components/soc/esp32c2/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32c2/include/soc/soc_caps.h | 1 + components/soc/esp32c3/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32c3/include/soc/soc_caps.h | 1 + components/soc/esp32c5/include/soc/Kconfig.soc_caps.in | 8 ++++++++ components/soc/esp32c5/include/soc/soc_caps.h | 4 +++- components/soc/esp32c6/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32c6/include/soc/soc_caps.h | 1 + .../soc/esp32c61/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32c61/include/soc/soc_caps.h | 1 + components/soc/esp32h2/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32h2/include/soc/soc_caps.h | 1 + .../soc/esp32h21/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32h21/include/soc/soc_caps.h | 1 + components/soc/esp32h4/include/soc/Kconfig.soc_caps.in | 4 ++++ components/soc/esp32h4/include/soc/soc_caps.h | 1 + components/soc/esp32p4/include/soc/Kconfig.soc_caps.in | 8 ++++++++ components/soc/esp32p4/include/soc/soc_caps.h | 6 ++++-- components/soc/esp32s2/include/soc/Kconfig.soc_caps.in | 8 ++++++++ components/soc/esp32s2/include/soc/soc_caps.h | 2 ++ components/soc/esp32s3/include/soc/Kconfig.soc_caps.in | 8 ++++++++ components/soc/esp32s3/include/soc/soc_caps.h | 2 ++ 26 files changed, 95 insertions(+), 15 deletions(-) diff --git a/components/bootloader/Kconfig.projbuild b/components/bootloader/Kconfig.projbuild index 19a6507d033..917f04cc8c1 100644 --- a/components/bootloader/Kconfig.projbuild +++ b/components/bootloader/Kconfig.projbuild @@ -880,11 +880,16 @@ menu "Security features" config SECURE_FLASH_ENCRYPTION_AES128 bool "AES-128 (256-bit key)" - depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && !(IDF_TARGET_ESP32C2 && SECURE_BOOT) + depends on SOC_FLASH_ENCRYPTION_XTS_AES_128 && \ + ((SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES && SOC_EFUSE_XTS_AES_KEY_128) || \ + (SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR && SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128)) && \ + !(IDF_TARGET_ESP32C2 && SECURE_BOOT) config SECURE_FLASH_ENCRYPTION_AES256 bool "AES-256 (512-bit key)" - depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 + depends on SOC_FLASH_ENCRYPTION_XTS_AES_256 && \ + ((SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES && SOC_EFUSE_XTS_AES_KEY_256) || \ + (SECURE_FLASH_ENCRYPTION_KEY_SOURCE_KEY_MGR && SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256)) endchoice choice SECURE_FLASH_ENCRYPTION_MODE diff --git a/components/bootloader_support/src/flash_encrypt.c b/components/bootloader_support/src/flash_encrypt.c index 08a380acef1..1169d809101 100644 --- a/components/bootloader_support/src/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encrypt.c @@ -450,11 +450,11 @@ bool esp_flash_encryption_cfg_verify_release_mode(void) #if CONFIG_SECURE_FLASH_ENCRYPTION_KEY_SOURCE_EFUSES esp_efuse_purpose_t purposes[] = { -#if SOC_FLASH_ENCRYPTION_XTS_AES_256 +#if SOC_EFUSE_XTS_AES_KEY_256 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, #endif -#if SOC_FLASH_ENCRYPTION_XTS_AES_128 +#if SOC_EFUSE_XTS_AES_KEY_128 ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY, #endif }; diff --git a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c index 12dc361b51c..96db76c1df0 100644 --- a/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c +++ b/components/efuse/src/efuse_controller/keys/with_key_purposes/esp_efuse_api_key.c @@ -286,7 +286,7 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo #if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK if (block == EFUSE_BLK9 && ( -#if SOC_FLASH_ENCRYPTION_XTS_AES_256 +#if SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || #endif @@ -301,10 +301,10 @@ esp_err_t esp_efuse_write_key(esp_efuse_block_t block, esp_efuse_purpose_t purpo #endif // SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || -#endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS +#endif //#ifdef SOC_EFUSE_XTS_AES_KEY_256 #if SOC_EFUSE_ECDSA_KEY purpose == ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY || #endif diff --git a/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c b/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c index f7602bc14e7..fc20a64f299 100644 --- a/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c +++ b/components/efuse/test_apps/main/with_key_purposes/test_efuse_keys.c @@ -57,7 +57,7 @@ TEST_CASE("Test efuse API blocks burning XTS and ECDSA keys into BLOCK9", "[efus uint8_t key[32] = {0}; esp_efuse_purpose_t purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY; TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); -#if SOC_FLASH_ENCRYPTION_XTS_AES_256 +#if SOC_EFUSE_XTS_AES_KEY_256 purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1; TEST_ESP_ERR(ESP_ERR_NOT_SUPPORTED, esp_efuse_write_key(EFUSE_BLK9, purpose, &key, sizeof(key))); purpose = ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2; @@ -86,7 +86,7 @@ static esp_err_t s_check_key(esp_efuse_block_t num_key, void* wr_key) TEST_ASSERT_TRUE(esp_efuse_get_key_dis_write(num_key)); if (purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY || -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || #endif @@ -180,7 +180,7 @@ TEST_CASE("Test esp_efuse_write_key for virt mode", "[efuse]") esp_efuse_purpose_t purpose = g_purpose; #if SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK if (num_key == EFUSE_BLK9 && ( -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 || purpose == ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 || #endif //#ifdef SOC_EFUSE_SUPPORT_XTS_AES_256_KEYS @@ -224,7 +224,7 @@ TEST_CASE("Test 1 esp_efuse_write_key for FPGA", "[efuse]") #else ESP_EFUSE_KEY_PURPOSE_RESERVED, #endif -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, #else @@ -300,7 +300,7 @@ TEST_CASE("Test esp_efuse_write_keys", "[efuse]") esp_efuse_block_t key_block = EFUSE_BLK_MAX; enum { BLOCKS_NEEDED1 = 2 }; -#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_256 +#ifdef SOC_EFUSE_XTS_AES_KEY_256 esp_efuse_purpose_t purpose1[BLOCKS_NEEDED1] = { ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1, ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2, diff --git a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in index a79fd8fa486..fb48fd7d2bb 100644 --- a/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c2/include/soc/Kconfig.soc_caps.in @@ -603,6 +603,10 @@ config SOC_EFUSE_DIS_DIRECT_BOOT bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_ECC bool default y diff --git a/components/soc/esp32c2/include/soc/soc_caps.h b/components/soc/esp32c2/include/soc/soc_caps.h index 701ee2c5ea0..a358b7bba25 100644 --- a/components/soc/esp32c2/include/soc/soc_caps.h +++ b/components/soc/esp32c2/include/soc/soc_caps.h @@ -275,6 +275,7 @@ #define SOC_EFUSE_DIS_DOWNLOAD_ICACHE 1 #define SOC_EFUSE_DIS_PAD_JTAG 1 #define SOC_EFUSE_DIS_DIRECT_BOOT 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_ECC 1 diff --git a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in index 4472fc985b0..c0dd923f1de 100644 --- a/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c3/include/soc/Kconfig.soc_caps.in @@ -879,6 +879,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c3/include/soc/soc_caps.h b/components/soc/esp32c3/include/soc/soc_caps.h index d25c7c661ea..76e98a526ae 100644 --- a/components/soc/esp32c3/include/soc/soc_caps.h +++ b/components/soc/esp32c3/include/soc/soc_caps.h @@ -374,6 +374,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in index 996de617452..99f67ef3da2 100644 --- a/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c5/include/soc/Kconfig.soc_caps.in @@ -1279,6 +1279,10 @@ config SOC_EFUSE_ECDSA_KEY_P384 bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_HUK_MEM_NEEDS_RECHARGE bool default y @@ -1347,6 +1351,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128 bool default y +config SOC_FLASH_ENCRYPTION_XTS_AES_256 + bool + default y + config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND bool default y diff --git a/components/soc/esp32c5/include/soc/soc_caps.h b/components/soc/esp32c5/include/soc/soc_caps.h index 8a2cb6b5c66..0ddd69fde94 100644 --- a/components/soc/esp32c5/include/soc/soc_caps.h +++ b/components/soc/esp32c5/include/soc/soc_caps.h @@ -510,6 +510,7 @@ #define SOC_EFUSE_ECDSA_KEY 1 #define SOC_EFUSE_ECDSA_KEY_P192 1 #define SOC_EFUSE_ECDSA_KEY_P384 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- HUK CAPS----------------------------*/ #define SOC_HUK_MEM_NEEDS_RECHARGE 1 @@ -534,7 +535,8 @@ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */ +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (0) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */ #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1 /*-------------------------- PSRAM Encryption CAPS----------------------------*/ diff --git a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in index f393b198d6c..a3053cdd88e 100644 --- a/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c6/include/soc/Kconfig.soc_caps.in @@ -1119,6 +1119,10 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32c6/include/soc/soc_caps.h b/components/soc/esp32c6/include/soc/soc_caps.h index a64d07dfdb1..f11882a6d48 100644 --- a/components/soc/esp32c6/include/soc/soc_caps.h +++ b/components/soc/esp32c6/include/soc/soc_caps.h @@ -454,6 +454,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 1 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in b/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in index c07f5dd57bb..204ba574bee 100644 --- a/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32c61/include/soc/Kconfig.soc_caps.in @@ -911,6 +911,10 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default n diff --git a/components/soc/esp32c61/include/soc/soc_caps.h b/components/soc/esp32c61/include/soc/soc_caps.h index aa80b52f2c4..01d87ea58fb 100644 --- a/components/soc/esp32c61/include/soc/soc_caps.h +++ b/components/soc/esp32c61/include/soc/soc_caps.h @@ -378,6 +378,7 @@ #define SOC_EFUSE_SOFT_DIS_JTAG 0 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 0 diff --git a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in index 2bec2242c6d..f5a88b97c06 100644 --- a/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h2/include/soc/Kconfig.soc_caps.in @@ -1131,6 +1131,10 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h2/include/soc/soc_caps.h b/components/soc/esp32h2/include/soc/soc_caps.h index 1c00ce0f0cf..cfc025d44e9 100644 --- a/components/soc/esp32h2/include/soc/soc_caps.h +++ b/components/soc/esp32h2/include/soc/soc_caps.h @@ -473,6 +473,7 @@ #define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA #endif #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in index 1878f56aec7..9ff62fe6ba0 100644 --- a/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h21/include/soc/Kconfig.soc_caps.in @@ -819,6 +819,10 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h21/include/soc/soc_caps.h b/components/soc/esp32h21/include/soc/soc_caps.h index 471f8c01c81..b51fc05d47c 100644 --- a/components/soc/esp32h21/include/soc/soc_caps.h +++ b/components/soc/esp32h21/include/soc/soc_caps.h @@ -451,6 +451,7 @@ #define SOC_EFUSE_DIS_ICACHE 1 // #define SOC_EFUSE_ECDSA_USE_HARDWARE_K 1 // Force use hardware TRNG supplied K for ECDSA #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in index 8b43a903be1..17696a453e6 100644 --- a/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32h4/include/soc/Kconfig.soc_caps.in @@ -811,6 +811,10 @@ config SOC_EFUSE_ECDSA_KEY bool default n +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32h4/include/soc/soc_caps.h b/components/soc/esp32h4/include/soc/soc_caps.h index 429546053cd..7d0719c9e37 100644 --- a/components/soc/esp32h4/include/soc/soc_caps.h +++ b/components/soc/esp32h4/include/soc/soc_caps.h @@ -437,6 +437,7 @@ #define SOC_EFUSE_DIS_ICACHE 0 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block #define SOC_EFUSE_ECDSA_KEY 0 // TODO: [ESP32H4] IDF-12259 +#define SOC_EFUSE_XTS_AES_KEY_128 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in index 404baad1fb3..c6049b7eda2 100644 --- a/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32p4/include/soc/Kconfig.soc_caps.in @@ -1679,6 +1679,14 @@ config SOC_EFUSE_ECDSA_KEY bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + +config SOC_EFUSE_XTS_AES_KEY_256 + bool + default y + config SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT bool default y diff --git a/components/soc/esp32p4/include/soc/soc_caps.h b/components/soc/esp32p4/include/soc/soc_caps.h index a2896b7e6b7..0b15149554e 100644 --- a/components/soc/esp32p4/include/soc/soc_caps.h +++ b/components/soc/esp32p4/include/soc/soc_caps.h @@ -634,6 +634,8 @@ /* Capability to disable the MSPI access in download mode */ #define SOC_EFUSE_DIS_DOWNLOAD_MSPI 1 #define SOC_EFUSE_ECDSA_KEY 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 +#define SOC_EFUSE_XTS_AES_KEY_256 1 /*-------------------------- Key Manager CAPS----------------------------*/ #define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT 1 /*!< Key manager supports key deployment */ @@ -655,8 +657,8 @@ #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64) #define SOC_FLASH_ENCRYPTION_XTS_AES 1 #define SOC_FLASH_ENCRYPTION_XTS_AES_OPTIONS 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 -#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 +#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1 /* SOC_EFUSE_XTS_AES_KEY_128 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 (1) */ +#define SOC_FLASH_ENCRYPTION_XTS_AES_256 1 /* SOC_EFUSE_XTS_AES_KEY_256 (1) || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 (1) */ /*-------------------------- MEMPROT CAPS ------------------------------------*/ /*-------------------------- UART CAPS ---------------------------------------*/ diff --git a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in index 186d2ae2b65..2df36f9b13c 100644 --- a/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s2/include/soc/Kconfig.soc_caps.in @@ -915,6 +915,14 @@ config SOC_EFUSE_DIS_ICACHE bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + +config SOC_EFUSE_XTS_AES_KEY_256 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s2/include/soc/soc_caps.h b/components/soc/esp32s2/include/soc/soc_caps.h index 6376fe2a58b..7f96f49c9c9 100644 --- a/components/soc/esp32s2/include/soc/soc_caps.h +++ b/components/soc/esp32s2/include/soc/soc_caps.h @@ -396,6 +396,8 @@ #define SOC_EFUSE_DIS_BOOT_REMAP 1 #define SOC_EFUSE_DIS_LEGACY_SPI_BOOT 1 #define SOC_EFUSE_DIS_ICACHE 1 +#define SOC_EFUSE_XTS_AES_KEY_128 1 +#define SOC_EFUSE_XTS_AES_KEY_256 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 diff --git a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in index 1af3e5af9ac..1bc0940b15b 100644 --- a/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in +++ b/components/soc/esp32s3/include/soc/Kconfig.soc_caps.in @@ -1163,6 +1163,14 @@ config SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK bool default y +config SOC_EFUSE_XTS_AES_KEY_128 + bool + default y + +config SOC_EFUSE_XTS_AES_KEY_256 + bool + default y + config SOC_SECURE_BOOT_V2_RSA bool default y diff --git a/components/soc/esp32s3/include/soc/soc_caps.h b/components/soc/esp32s3/include/soc/soc_caps.h index bb599f03817..2c9c3e3fb27 100644 --- a/components/soc/esp32s3/include/soc/soc_caps.h +++ b/components/soc/esp32s3/include/soc/soc_caps.h @@ -470,6 +470,8 @@ #define SOC_EFUSE_DIS_DIRECT_BOOT 1 #define SOC_EFUSE_DIS_ICACHE 1 #define SOC_EFUSE_BLOCK9_KEY_PURPOSE_QUIRK 1 // XTS-AES key purpose not supported for this block +#define SOC_EFUSE_XTS_AES_KEY_128 1 +#define SOC_EFUSE_XTS_AES_KEY_256 1 /*-------------------------- Secure Boot CAPS----------------------------*/ #define SOC_SECURE_BOOT_V2_RSA 1 From cd0770cd39317016501c8e19fb910e668394c431 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Tue, 11 Nov 2025 10:58:17 +0530 Subject: [PATCH 08/10] change(esp_key_mgr): Store key_len field in the key_info - Update the Key Manager key types to be generic - Define a new enum to determine the length of the keys - Refactor the Key Manager driver support generic key types and key lengths - Also store key deployment mode in the key recovery info --- .../flash_encryption_secure_features.c | 2 +- .../flash_encryption_secure_features.c | 2 +- .../src/flash_encryption/flash_encrypt.c | 19 +- components/esp_security/include/esp_key_mgr.h | 4 + components/esp_security/src/esp_key_mgr.c | 190 +++++++++-------- components/esp_security/src/init.c | 2 +- .../crypto_drivers/main/test_key_mgr.c | 12 +- components/hal/ecdsa_hal.c | 12 +- .../hal/esp32c5/include/hal/key_mgr_ll.h | 135 ++++++++---- .../hal/esp32p4/include/hal/key_mgr_ll.h | 197 +++++++++--------- components/hal/include/hal/key_mgr_hal.h | 6 +- components/hal/include/hal/key_mgr_types.h | 43 ++-- components/hal/key_mgr_hal.c | 8 +- .../main/key_manager/test_key_manager.c | 27 ++- .../test_apps/main/test_mbedtls_ecdsa.c | 27 +-- 15 files changed, 379 insertions(+), 307 deletions(-) diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c index e07a2b40a1b..81cf0828b63 100644 --- a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c @@ -77,7 +77,7 @@ esp_err_t esp_flash_encryption_use_efuse_key(void) esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + key_mgr_hal_set_key_usage(ESP_KEY_MGR_FLASH_XTS_AES_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); return ESP_OK; } diff --git a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c index 6d945a97611..e5f8dd18609 100644 --- a/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c +++ b/components/bootloader_support/src/esp32p4/flash_encryption_secure_features.c @@ -59,7 +59,7 @@ esp_err_t esp_flash_encryption_use_efuse_key(void) esp_crypto_key_mgr_enable_periph_clk(true); // Force Key Manager to use eFuse key for XTS-AES operation - key_mgr_hal_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + key_mgr_hal_set_key_usage(ESP_KEY_MGR_FLASH_XTS_AES_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); return ESP_OK; } diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c index 766183b176e..7da8a6957da 100644 --- a/components/bootloader_support/src/flash_encryption/flash_encrypt.c +++ b/components/bootloader_support/src/flash_encryption/flash_encrypt.c @@ -151,14 +151,19 @@ static esp_err_t key_manager_read_key_recovery_info(esp_key_mgr_key_recovery_inf continue; } + if (key_recovery_info->key_type != ESP_KEY_MGR_FLASH_XTS_AES_KEY) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type %d", i, key_recovery_info->key_type); + continue; + } + #if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 - if (key_recovery_info->key_type != ESP_KEY_MGR_XTS_AES_256_KEY) { - ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type", i); + if (key_recovery_info->key_len != ESP_KEY_MGR_XTS_AES_LEN_256) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key length %d", i, key_recovery_info->key_len); continue; } #else - if (key_recovery_info->key_type != ESP_KEY_MGR_XTS_AES_128_KEY) { - ESP_LOGD(TAG, "Key Manager sector %d has incorrect key type", i); + if (key_recovery_info->key_len != ESP_KEY_MGR_XTS_AES_LEN_128) { + ESP_LOGD(TAG, "Key Manager sector %d has incorrect key length %d", i, key_recovery_info->key_len); continue; } #endif @@ -201,10 +206,12 @@ static esp_err_t key_manager_generate_key(esp_key_mgr_key_recovery_info_t *key_r esp_key_mgr_random_key_config_t key_config; memset(&key_config, 0, sizeof(esp_key_mgr_random_key_config_t)); + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + #if CONFIG_SECURE_FLASH_ENCRYPTION_AES256 - key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; #else - key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; #endif // Generate a new key and load it into Key Manager diff --git a/components/esp_security/include/esp_key_mgr.h b/components/esp_security/include/esp_key_mgr.h index 09f7fb4cf59..5e768c681d7 100644 --- a/components/esp_security/include/esp_key_mgr.h +++ b/components/esp_security/include/esp_key_mgr.h @@ -35,6 +35,7 @@ extern "C" { typedef struct { esp_key_mgr_key_type_t key_type; + esp_key_mgr_key_len_t key_len; bool use_pre_generated_huk_info; bool use_pre_generated_sw_init_key; WORD_ALIGNED_ATTR esp_key_mgr_huk_info_t huk_info; @@ -45,6 +46,7 @@ typedef struct { typedef struct { esp_key_mgr_key_type_t key_type; + esp_key_mgr_key_len_t key_len; bool use_pre_generated_huk_info; WORD_ALIGNED_ATTR esp_key_mgr_huk_info_t huk_info; WORD_ALIGNED_ATTR uint8_t k1_G[2][KEY_MGR_ECDH0_INFO_SIZE]; @@ -52,12 +54,14 @@ typedef struct { typedef struct { esp_key_mgr_key_type_t key_type; + esp_key_mgr_key_len_t key_len; bool use_pre_generated_huk_info; WORD_ALIGNED_ATTR esp_key_mgr_huk_info_t huk_info; } esp_key_mgr_random_key_config_t; typedef struct { esp_key_mgr_key_type_t key_type; + esp_key_mgr_key_len_t key_len; WORD_ALIGNED_ATTR uint8_t k2_G[2][KEY_MGR_ECDH0_INFO_SIZE]; } esp_key_mgr_ecdh0_info_t; diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index f1ccecb4b0c..ea91777eff7 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -38,13 +38,10 @@ static _lock_t s_key_mgr_psram_key_lock; static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: _lock_acquire(&s_key_mgr_ecdsa_key_lock); break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: _lock_acquire(&s_key_mgr_xts_aes_key_lock); break; case ESP_KEY_MGR_HMAC_KEY: @@ -53,8 +50,7 @@ static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) case ESP_KEY_MGR_DS_KEY: _lock_acquire(&s_key_mgr_ds_key_lock); break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: _lock_acquire(&s_key_mgr_psram_key_lock); break; default: @@ -67,13 +63,10 @@ static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: _lock_release(&s_key_mgr_ecdsa_key_lock); break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: _lock_release(&s_key_mgr_xts_aes_key_lock); break; case ESP_KEY_MGR_HMAC_KEY: @@ -82,8 +75,7 @@ static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) case ESP_KEY_MGR_DS_KEY: _lock_release(&s_key_mgr_ds_key_lock); break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: _lock_release(&s_key_mgr_psram_key_lock); break; default: @@ -96,15 +88,11 @@ static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: case ESP_KEY_MGR_HMAC_KEY: case ESP_KEY_MGR_DS_KEY: - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: break; default: ESP_LOGE(TAG, "Invalid key type"); @@ -116,15 +104,11 @@ static void esp_key_mgr_acquire_key_lock(esp_key_mgr_key_type_t key_type) static void esp_key_mgr_release_key_lock(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_ECDSA_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: case ESP_KEY_MGR_HMAC_KEY: case ESP_KEY_MGR_DS_KEY: - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: break; default: ESP_LOGE(TAG, "Invalid key type"); @@ -158,25 +142,47 @@ static void esp_key_mgr_release_hardware(bool deployment_mode) esp_crypto_key_mgr_enable_periph_clk(false); } -static esp_key_mgr_key_purpose_t get_key_purpose(esp_key_mgr_key_type_t key_type) +static esp_key_mgr_key_purpose_t get_key_purpose(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; - case ESP_KEY_MGR_ECDSA_256_KEY: - return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; - case ESP_KEY_MGR_XTS_AES_128_KEY: - return ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_128; - case ESP_KEY_MGR_XTS_AES_256_KEY: - return ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1; + case ESP_KEY_MGR_ECDSA_KEY: + switch (key_len) { + case ESP_KEY_MGR_ECDSA_LEN_192: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_192; + case ESP_KEY_MGR_ECDSA_LEN_256: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; + case ESP_KEY_MGR_ECDSA_LEN_384: + // TODO: Verify: (IDF-14120) + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_H; + default: + return ESP_KEY_MGR_KEY_PURPOSE_INVALID; + } + + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + return ESP_KEY_MGR_KEY_PURPOSE_FLASH_128; + case ESP_KEY_MGR_XTS_AES_LEN_256: + return ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1; + default: + return ESP_KEY_MGR_KEY_PURPOSE_INVALID; + } + case ESP_KEY_MGR_HMAC_KEY: return ESP_KEY_MGR_KEY_PURPOSE_HMAC; + case ESP_KEY_MGR_DS_KEY: return ESP_KEY_MGR_KEY_PURPOSE_DS; - case ESP_KEY_MGR_PSRAM_128_KEY: - return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; - case ESP_KEY_MGR_PSRAM_256_KEY: - return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; + + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_128; + case ESP_KEY_MGR_XTS_AES_LEN_256: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1; + default: + return ESP_KEY_MGR_KEY_PURPOSE_INVALID; + } default: return ESP_KEY_MGR_KEY_PURPOSE_INVALID; } @@ -309,7 +315,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { - // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed + // For purpose ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed huk_deploy_config_t huk_deploy_config = { .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, .pre_generated_huk_info = &config->key_config->huk_info, @@ -325,7 +331,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) } uint8_t key_recovery_info_index = 0; - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { key_recovery_info_index = 1; } @@ -339,12 +345,11 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_set_key_purpose(config->key_purpose); // Set key length for XTS-AES key - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; + esp_key_mgr_key_type_t key_type = config->key_config->key_type; + esp_key_mgr_key_len_t key_len = config->key_config->key_len; - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY || key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + key_mgr_hal_set_xts_aes_key_len(key_type, key_len); } if (config->key_config->use_pre_generated_sw_init_key) { @@ -375,8 +380,8 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(key_type)) { + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGE(TAG, "Key deployment is not valid"); return ESP_FAIL; } @@ -389,6 +394,8 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_type = key_type; + config->key_info->key_len = key_len; + config->key_info->key_deployment_mode = ESP_KEY_MGR_KEYGEN_MODE_AES; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; return ESP_OK; @@ -408,7 +415,7 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t .k1_encrypted = key_config->k1_encrypted[0], }; - aes_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + aes_deploy_config.key_purpose = get_key_purpose(key_config->key_type, key_config->key_len); if (aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; @@ -424,8 +431,8 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t aes_deploy_config.huk_deployed = true; - if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_config->key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - aes_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + aes_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; aes_deploy_config.k1_encrypted = key_config->k1_encrypted[1]; esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config); if (esp_ret != ESP_OK) { @@ -473,11 +480,11 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_hal_set_key_generator_mode(ESP_KEY_MGR_KEYGEN_MODE_RECOVER); // Set XTS-AES key length - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_recovery_info->key_type; - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); + esp_key_mgr_key_type_t key_type = config->key_recovery_info->key_type; + esp_key_mgr_key_len_t key_len = config->key_recovery_info->key_len; + + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY || key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + key_mgr_hal_set_xts_aes_key_len(key_type, key_len); } key_mgr_hal_set_key_purpose(config->key_purpose); @@ -486,7 +493,7 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) { ESP_LOGE(TAG, "Key info not valid"); return ESP_FAIL; @@ -504,8 +511,8 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); // TODO: Maybe need to extend this to ECDSA_384_L and ECDSA_384_H (IDF-14120) - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(key_type)) { + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGD(TAG, "Key deployment is not valid"); return ESP_FAIL; } @@ -531,7 +538,7 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery .key_recovery_info = key_recovery_info, }; - key_recovery_config.key_purpose = get_key_purpose(key_type); + key_recovery_config.key_purpose = get_key_purpose(key_type, key_recovery_info->key_len); if (key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; @@ -548,8 +555,8 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery goto cleanup; } - if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - key_recovery_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + key_recovery_config.key_purpose = key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; esp_ret = key_mgr_recover_key(&key_recovery_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover key"); @@ -593,7 +600,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { - // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed + // For purpose ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed huk_deploy_config_t huk_deploy_config = { .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, .pre_generated_huk_info = &config->key_config->huk_info, @@ -609,7 +616,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) } uint8_t key_recovery_info_index = 0; - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { key_recovery_info_index = 1; } @@ -623,12 +630,11 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_set_key_purpose(config->key_purpose); // Set XTS-AES key length - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; + esp_key_mgr_key_type_t key_type = config->key_config->key_type; + esp_key_mgr_key_len_t key_len = config->key_config->key_len; - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY || key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + key_mgr_hal_set_xts_aes_key_len(key_type, key_len); } key_mgr_hal_start(); @@ -647,8 +653,8 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_read_assist_info(config->ecdh0_key_info); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(key_type)) { + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGE(TAG, "Key deployment is not valid"); return ESP_FAIL; } @@ -661,6 +667,8 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_type = key_type; + config->key_info->key_len = key_len; + config->key_info->key_deployment_mode = ESP_KEY_MGR_KEYGEN_MODE_ECDH0; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; return ESP_OK; @@ -675,8 +683,6 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ESP_LOGD(TAG, "Key Deployment in ECDH0 mode"); - esp_key_mgr_key_type_t key_type = key_config->key_type; - ecdh0_deploy_config_t ecdh0_deploy_config = { .key_config = key_config, .key_info = key_info, @@ -684,7 +690,7 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi .ecdh0_key_info = ecdh0_key_info->k2_G[0], }; - ecdh0_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + ecdh0_deploy_config.key_purpose = get_key_purpose(key_config->key_type, key_config->key_len); if (ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; @@ -700,8 +706,8 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ecdh0_deploy_config.huk_deployed = true; - if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - ecdh0_deploy_config.key_purpose = key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + ecdh0_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; ecdh0_deploy_config.k1_G = key_config->k1_G[1]; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1]; esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); @@ -712,7 +718,7 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi } // Set the Key Manager Static Register to use own key for the respective key type - key_mgr_hal_set_key_usage(key_type, ESP_KEY_MGR_USE_OWN_KEY); + key_mgr_hal_set_key_usage(key_config->key_type, ESP_KEY_MGR_USE_OWN_KEY); cleanup: esp_key_mgr_release_hardware(true); @@ -732,7 +738,7 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_IDLE); if ((!key_mgr_hal_is_huk_valid()) || (!config->huk_deployed)) { - // For purpose ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed + // For purpose ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 or ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2 this part shall be already executed huk_deploy_config_t huk_deploy_config = { .use_pre_generated_huk_info = config->key_config->use_pre_generated_huk_info, .pre_generated_huk_info = &config->key_config->huk_info, @@ -747,7 +753,7 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) } uint8_t key_recovery_info_index = 0; - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { + if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { key_recovery_info_index = 1; } @@ -760,11 +766,11 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_hal_set_key_purpose(config->key_purpose); // Set XTS-AES key length - esp_key_mgr_key_type_t key_type = (esp_key_mgr_key_type_t) config->key_config->key_type; - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_PSRAM_128_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_256); - } else if (key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - key_mgr_hal_set_xts_aes_key_len(key_type, ESP_KEY_MGR_XTS_AES_LEN_512); + esp_key_mgr_key_type_t key_type = config->key_config->key_type; + esp_key_mgr_key_len_t key_len = config->key_config->key_len; + + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY || key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + key_mgr_hal_set_xts_aes_key_len(key_type, key_len); } key_mgr_hal_start(); @@ -777,8 +783,8 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - if (!key_mgr_hal_is_key_deployment_valid(key_type)) { + if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGE(TAG, "Key deployment is not valid"); return ESP_FAIL; } @@ -791,6 +797,8 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) config->key_info->key_info[key_recovery_info_index].crc = esp_rom_crc32_le(0, key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); config->key_info->key_type = key_type; + config->key_info->key_len = key_len; + config->key_info->key_deployment_mode = ESP_KEY_MGR_KEYGEN_MODE_RANDOM; config->key_info->magic = KEY_HUK_SECTOR_MAGIC; return ESP_OK; @@ -809,7 +817,7 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con .key_info = key_recovery_info, }; - random_deploy_config.key_purpose = get_key_purpose(key_config->key_type); + random_deploy_config.key_purpose = get_key_purpose(key_config->key_type, key_config->key_len); if (random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_INVALID) { ESP_LOGE(TAG, "Invalid key type"); return ESP_ERR_INVALID_ARG; @@ -825,8 +833,8 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con random_deploy_config.huk_deployed = true; - if (key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY || key_config->key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - random_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_XTS_AES_256_KEY ? ESP_KEY_MGR_KEY_PURPOSE_XTS_AES_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + random_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in Random mode failed"); diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c index d73fda5c887..9a3a3fc147c 100644 --- a/components/esp_security/src/init.c +++ b/components/esp_security/src/init.c @@ -48,7 +48,7 @@ static void esp_key_mgr_init(void) }; // Force Key Manager to use eFuse key by-default for an XTS-AES operation. - key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); + key_mgr_ll_set_key_usage(ESP_KEY_MGR_FLASH_XTS_AES_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); } } #endif /* SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT */ diff --git a/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c b/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c index a2f9c01181e..5b5a34abac8 100644 --- a/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c +++ b/components/esp_security/test_apps/crypto_drivers/main/test_key_mgr.c @@ -147,7 +147,8 @@ TEST_CASE("Key Manager AES mode: XTS-AES-128 key deployment", "[hw_crypto] [key_ memcpy(key_config->k1_encrypted, (uint8_t*) k1_encrypt, KEY_MGR_K1_ENCRYPTED_SIZE); memcpy(key_config->sw_init_key, (uint8_t*) init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config->use_pre_generated_sw_init_key = 1; - key_config->key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config->key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config->key_len = ESP_KEY_MGR_XTS_AES_LEN_128; esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t)); TEST_ASSERT_NOT_NULL(key_recovery_info); @@ -167,7 +168,8 @@ TEST_CASE("Key Manager ECDH0 mode: XTS-AES-128 key deployment", "[hw_crypto] [ke TEST_ASSERT_NOT_NULL(key_config); memcpy(key_config->k1_G, (uint8_t*) k1_G, KEY_MGR_ECDH0_INFO_SIZE); - key_config->key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config->key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config->key_len = ESP_KEY_MGR_XTS_AES_LEN_128; esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t)); TEST_ASSERT_NOT_NULL(key_recovery_info); @@ -190,7 +192,8 @@ TEST_CASE("Key Manager Random mode: XTS-AES-128 key deployment", "[hw_crypto] [k esp_key_mgr_random_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_random_key_config_t)); TEST_ASSERT_NOT_NULL(key_config); - key_config->key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config->key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config->key_len = ESP_KEY_MGR_XTS_AES_LEN_128; esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t)); TEST_ASSERT_NOT_NULL(key_recovery_info); @@ -211,7 +214,8 @@ TEST_CASE("Key Manager random mode: ECDSA key deployment", "[hw_crypto] [key_mgr esp_key_mgr_random_key_config_t *key_config = calloc(1, sizeof(esp_key_mgr_random_key_config_t)); TEST_ASSERT_NOT_NULL(key_config); - key_config->key_type = ESP_KEY_MGR_ECDSA_256_KEY; + key_config->key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config->key_len = ESP_KEY_MGR_ECDSA_LEN_256; esp_key_mgr_key_recovery_info_t *key_recovery_info = calloc(1, sizeof(esp_key_mgr_key_recovery_info_t)); TEST_ASSERT_NOT_NULL(key_recovery_info); diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 923119017bb..72a74bf2133 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -50,20 +50,12 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf) } // Force Key Manager to use eFuse key for XTS-AES operation - if (conf->curve == ECDSA_CURVE_SECP192R1) { - key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_192_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); - } else { - key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_256_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); - } + key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); #endif } #if SOC_KEY_MANAGER_SUPPORTED else { - if (conf->curve == ECDSA_CURVE_SECP192R1) { - key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_192_KEY, ESP_KEY_MGR_USE_OWN_KEY); - } else { - key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_256_KEY, ESP_KEY_MGR_USE_OWN_KEY); - } + key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_OWN_KEY); } #endif diff --git a/components/hal/esp32c5/include/hal/key_mgr_ll.h b/components/hal/esp32c5/include/hal/key_mgr_ll.h index 71fc8167f76..83e4bbfbc26 100644 --- a/components/hal/esp32c5/include/hal/key_mgr_ll.h +++ b/components/hal/esp32c5/include/hal/key_mgr_ll.h @@ -163,9 +163,7 @@ static inline void key_mgr_ll_use_sw_init_key(void) static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA); } else { @@ -173,8 +171,7 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ } break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH); } else { @@ -198,8 +195,7 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ } break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM); } else { @@ -215,30 +211,30 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA)); + break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH)); + break; case ESP_KEY_MGR_HMAC_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC)); + break; case ESP_KEY_MGR_DS_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS)); + break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM)); + break; default: HAL_ASSERT(false && "Unsupported key type"); return ESP_KEY_MGR_USAGE_INVALID; } - return ESP_KEY_MGR_USAGE_INVALID; } /** @@ -259,14 +255,11 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void) static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type) { switch(key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA); break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_FLASH); break; @@ -278,8 +271,7 @@ static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_ REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_DS); break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM); break; @@ -318,32 +310,53 @@ static inline bool key_mgr_ll_is_result_success(void) * @return 1 for Success * 0 for failure */ -static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type) +static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_192_VLD); - case ESP_KEY_MGR_ECDSA_256_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_256_VLD); - case ESP_KEY_MGR_ECDSA_384_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_384_VLD); - - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: + case ESP_KEY_MGR_ECDSA_KEY: + switch (key_len) { + case ESP_KEY_MGR_ECDSA_LEN_192: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_192_VLD); + case ESP_KEY_MGR_ECDSA_LEN_256: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_256_VLD); + case ESP_KEY_MGR_ECDSA_LEN_384: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_384_VLD); + default: + HAL_ASSERT(false && "Unsupported key type"); + return 0; + } + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + case ESP_KEY_MGR_XTS_AES_LEN_256: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_FLASH_VLD); + default: + HAL_ASSERT(false && "Unsupported key type"); + return 0; + } return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_FLASH_VLD); + break; case ESP_KEY_MGR_HMAC_KEY: return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_HMAC_VLD); + break; case ESP_KEY_MGR_DS_KEY: return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_DS_VLD); + break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_PSRAM_VLD); + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + case ESP_KEY_MGR_XTS_AES_LEN_256: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_PSRAM_VLD); + default: + HAL_ASSERT(false && "Unsupported key type"); + return 0; + } default: - HAL_ASSERT(false && "Unsupported key type"); + HAL_ASSERT(false && "Unsupported mode"); return 0; } } @@ -411,22 +424,54 @@ static inline bool key_mgr_ll_is_huk_valid(void) } /* @brief Set the XTS-AES (Flash Encryption) key length for the Key Manager */ -static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len) +static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { - REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN, key_len); - } else if (key_type == ESP_KEY_MGR_PSRAM_128_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN, key_len); + uint32_t key_len_bit_mask; + + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY) { + key_len_bit_mask = KEYMNG_FLASH_KEY_LEN; + } else if (key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + key_len_bit_mask = KEYMNG_PSRAM_KEY_LEN; + } else { + HAL_ASSERT(false && "Unsupported key type"); + return; + } + + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + REG_CLR_BIT(KEYMNG_STATIC_REG, key_len_bit_mask); + break; + case ESP_KEY_MGR_XTS_AES_LEN_256: + REG_SET_BIT(KEYMNG_STATIC_REG, key_len_bit_mask); + break; + default: + HAL_ASSERT(false && "Unsupported key length"); + return; } } /* @brief Get the XTS-AES (Flash Encryption) key length for the Key Manager */ -static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type) +static inline esp_key_mgr_key_len_t key_mgr_ll_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type) { - if (key_type == ESP_KEY_MGR_PSRAM_128_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { - return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN); + uint32_t key_len_bit = 0; + + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY) { + key_len_bit = REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN); + } else if (key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + key_len_bit = REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN); } else { - return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN); + HAL_ASSERT(false && "Unsupported key type"); + return (esp_key_mgr_key_len_t) key_len_bit; + } + + switch (key_len_bit) { + case 0: + return ESP_KEY_MGR_XTS_AES_LEN_128; + case 1: + return ESP_KEY_MGR_XTS_AES_LEN_256; + default: + HAL_ASSERT(false && "Unsupported key length"); + return (esp_key_mgr_key_len_t) key_len_bit; } } diff --git a/components/hal/esp32p4/include/hal/key_mgr_ll.h b/components/hal/esp32p4/include/hal/key_mgr_ll.h index 285f5909f02..60906963554 100644 --- a/components/hal/esp32p4/include/hal/key_mgr_ll.h +++ b/components/hal/esp32p4/include/hal/key_mgr_ll.h @@ -187,9 +187,7 @@ static inline void key_mgr_ll_use_sw_init_key(void) static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_usage_t key_usage) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA); } else { @@ -197,39 +195,38 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ } break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: - if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { - REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH); - } else { - REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH); - } - break; -#if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 - case ESP_KEY_MGR_HMAC_KEY: - if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { - REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC); - } else { - REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC); - } - break; - - case ESP_KEY_MGR_DS_KEY: - if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { - REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS); - } else { - REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS); - } - break; - - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: - if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { - REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM); - } else { - REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM); - } + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: + if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { + REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH); + } else { + REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH); + } break; + +#if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 + case ESP_KEY_MGR_HMAC_KEY: + if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { + REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC); + } else { + REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC); + } + break; + + case ESP_KEY_MGR_DS_KEY: + if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { + REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS); + } else { + REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS); + } + break; + + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: + if (key_usage == ESP_KEY_MGR_USE_EFUSE_KEY) { + REG_SET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM); + } else { + REG_CLR_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM); + } + break; #endif default: HAL_ASSERT(false && "Unsupported mode"); @@ -240,35 +237,26 @@ static inline void key_mgr_ll_set_key_usage(const esp_key_mgr_key_type_t key_typ static inline esp_key_mgr_key_usage_t key_mgr_ll_get_key_usage(esp_key_mgr_key_type_t key_type) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_ECDSA)); - break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: - return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH)); - break; + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: + return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_FLASH)); + #if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 - case ESP_KEY_MGR_HMAC_KEY: - return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC)); - break; + case ESP_KEY_MGR_HMAC_KEY: + return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_HMAC)); - case ESP_KEY_MGR_DS_KEY: - return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS)); - break; + case ESP_KEY_MGR_DS_KEY: + return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_DS)); - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: - return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM)); - break; + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: + return (esp_key_mgr_key_usage_t) (REG_GET_BIT(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY_PSRAM)); #endif default: HAL_ASSERT(false && "Unsupported mode"); return ESP_KEY_MGR_USAGE_INVALID; } - return ESP_KEY_MGR_USAGE_INVALID; } /** @@ -289,29 +277,26 @@ static inline void key_mgr_ll_lock_use_sw_init_key_reg(void) static inline void key_mgr_ll_lock_use_efuse_key_reg(esp_key_mgr_key_type_t key_type) { switch(key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - case ESP_KEY_MGR_ECDSA_256_KEY: - case ESP_KEY_MGR_ECDSA_384_KEY: + case ESP_KEY_MGR_ECDSA_KEY: REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_ECDSA); break; - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: - REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_FLASH); - break; + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: + REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_FLASH); + break; + #if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 - case ESP_KEY_MGR_HMAC_KEY: - REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_HMAC); - break; + case ESP_KEY_MGR_HMAC_KEY: + REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_HMAC); + break; - case ESP_KEY_MGR_DS_KEY: - REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_DS); - break; + case ESP_KEY_MGR_DS_KEY: + REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_DS); + break; - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: - REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM); - break; + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: + REG_SET_BIT(KEYMNG_LOCK_REG, KEYMNG_USE_EFUSE_KEY_LOCK_PSRAM); + break; #endif default: HAL_ASSERT(false && "Unsupported key type"); @@ -348,19 +333,33 @@ static inline bool key_mgr_ll_is_result_success(void) * @return 1 for Success * 0 for failure */ -static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type) +static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { switch (key_type) { - case ESP_KEY_MGR_ECDSA_192_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_192_VLD); - case ESP_KEY_MGR_ECDSA_256_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_256_VLD); - case ESP_KEY_MGR_ECDSA_384_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_384_VLD); + case ESP_KEY_MGR_ECDSA_KEY: + switch (key_len) { + case ESP_KEY_MGR_ECDSA_LEN_192: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_192_VLD); + case ESP_KEY_MGR_ECDSA_LEN_256: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_256_VLD); + case ESP_KEY_MGR_ECDSA_LEN_384: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_ECDSA_384_VLD); + default: + HAL_ASSERT(false && "Unsupported key type"); + return 0; + } + + case ESP_KEY_MGR_FLASH_XTS_AES_KEY: + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_FLASH_VLD); + case ESP_KEY_MGR_XTS_AES_LEN_256: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_FLASH_VLD); + default: + HAL_ASSERT(false && "Unsupported key type"); + return 0; + } - case ESP_KEY_MGR_XTS_AES_128_KEY: - case ESP_KEY_MGR_XTS_AES_256_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_FLASH_VLD); #if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 case ESP_KEY_MGR_HMAC_KEY: return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_HMAC_VLD); @@ -368,9 +367,16 @@ static inline bool key_mgr_ll_is_key_deployment_valid(const esp_key_mgr_key_type case ESP_KEY_MGR_DS_KEY: return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_DS_VLD); - case ESP_KEY_MGR_PSRAM_128_KEY: - case ESP_KEY_MGR_PSRAM_256_KEY: - return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_PSRAM_VLD); + case ESP_KEY_MGR_PSRAM_XTS_AES_KEY: + switch (key_len) { + case ESP_KEY_MGR_XTS_AES_LEN_128: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_PSRAM_VLD); + case ESP_KEY_MGR_XTS_AES_LEN_256: + return REG_GET_FIELD(KEYMNG_KEY_VLD_REG, KEYMNG_KEY_PSRAM_VLD); + default: + HAL_ASSERT(false && "Unsupported key type"); + return 0; + } #endif default: HAL_ASSERT(false && "Unsupported mode"); @@ -440,29 +446,32 @@ static inline bool key_mgr_ll_is_huk_valid(void) return REG_GET_FIELD(KEYMNG_HUK_VLD_REG, KEYMNG_HUK_VALID); } /* @brief Set the XTS-AES (Flash Encryption) key length for the Key Manager */ -static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len) +static inline void key_mgr_ll_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY) { REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN, key_len); } #if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 - else if (key_type == ESP_KEY_MGR_PSRAM_128_KEY || key_type == ESP_KEY_MGR_PSRAM_256_KEY) { + else if (key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN, key_len); } #endif } /* @brief Get the XTS-AES (Flash Encryption) key length for the Key Manager */ -static inline esp_key_mgr_xts_aes_key_len_t key_mgr_ll_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type) +static inline esp_key_mgr_key_len_t key_mgr_ll_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type) { - if (key_type == ESP_KEY_MGR_XTS_AES_128_KEY || key_type == ESP_KEY_MGR_XTS_AES_256_KEY) { - return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN); - } else { + if (key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY) { + return (esp_key_mgr_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_FLASH_KEY_LEN); + } #if HAL_CONFIG(CHIP_SUPPORT_MIN_REV) >= 300 - return (esp_key_mgr_xts_aes_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN); -#else - HAL_ASSERT(false && "Unsupported key type"); + else if (key_type == ESP_KEY_MGR_PSRAM_XTS_AES_KEY) { + return (esp_key_mgr_key_len_t) REG_GET_FIELD(KEYMNG_STATIC_REG, KEYMNG_PSRAM_KEY_LEN); + } #endif + else { + HAL_ASSERT(false && "Unsupported key type"); + return (esp_key_mgr_key_len_t) 0; } } diff --git a/components/hal/include/hal/key_mgr_hal.h b/components/hal/include/hal/key_mgr_hal.h index 8434601a5d5..f5427814545 100644 --- a/components/hal/include/hal/key_mgr_hal.h +++ b/components/hal/include/hal/key_mgr_hal.h @@ -57,7 +57,7 @@ bool key_mgr_hal_is_result_success(void); * @return 1 for Success * 0 for failure */ -bool key_mgr_hal_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type); +bool key_mgr_hal_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len); /** * @brief Check if the HUK is valid or not @@ -112,10 +112,10 @@ void key_mgr_hal_write_public_info(const uint8_t *public_info_buf, const size_t void key_mgr_hal_read_public_info(uint8_t *public_info_buf, const size_t read_len); /* @brief Set the XTS-AES key length for the Key Manager */ -void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len); +void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len); /* @brief Get the XTS-AES key length for the Key Manager */ -esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type); +esp_key_mgr_key_len_t key_mgr_hal_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type); /** * @brief Read state of Key Manager diff --git a/components/hal/include/hal/key_mgr_types.h b/components/hal/include/hal/key_mgr_types.h index dcdc8bd30ef..48d764b9015 100644 --- a/components/hal/include/hal/key_mgr_types.h +++ b/components/hal/include/hal/key_mgr_types.h @@ -20,41 +20,32 @@ extern "C" { * @brief State of Key Manager: idle, load, gain or busy. */ typedef enum { - ESP_KEY_MGR_STATE_IDLE = 0, /* Key Manager is idle */ + ESP_KEY_MGR_STATE_IDLE = 0, /* Key Manager is idle */ ESP_KEY_MGR_STATE_LOAD = 1, /* Key Manager is ready to receive input */ ESP_KEY_MGR_STATE_GAIN = 2, /* Key Manager is ready to provide output */ - ESP_KEY_MGR_STATE_BUSY = 3, /* Key Manager is busy */ + ESP_KEY_MGR_STATE_BUSY = 3, /* Key Manager is busy */ } esp_key_mgr_state_t; /** - * @brief Length of the XTS AES key + * @brief Length of the deployed key (XTS-AES, ECDSA) */ typedef enum { - ESP_KEY_MGR_XTS_AES_LEN_256 = 0, /* xts-aes key is 256 bit, please note that xts-aes algorithm is XTS_AES_128 */ - ESP_KEY_MGR_XTS_AES_LEN_512, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */ -} esp_key_mgr_xts_aes_key_len_t; + ESP_KEY_MGR_ECDSA_LEN_192 = 0, /* ecdsa key is 192 bit */ + ESP_KEY_MGR_ECDSA_LEN_256, /* ecdsa key is 256 bit */ + ESP_KEY_MGR_ECDSA_LEN_384, /* ecdsa key is 384 bit */ + ESP_KEY_MGR_XTS_AES_LEN_128, /* xts-aes key is 128 bit */ + ESP_KEY_MGR_XTS_AES_LEN_256, /* xts-aes key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */ +} esp_key_mgr_key_len_t; /** - * @brief Length of the PSRAM key + * @brief Type of the key */ typedef enum { - ESP_KEY_MGR_PSRAM_LEN_256 = 0, /* psram key is 256 bit, please note that xts-aes algorithm is XTS_AES_128 */ - ESP_KEY_MGR_PSRAM_LEN_512, /* psram key is 512 bit, please note that xts-aes algorithm is XTS_AES_256 */ -} esp_key_mgr_psram_key_len_t; - -/** - * @brief Type of the key: ECDSA, XTS - */ -typedef enum { - ESP_KEY_MGR_XTS_AES_128_KEY, /* XTS-AES 128-bit key */ - ESP_KEY_MGR_XTS_AES_256_KEY, /* XTS-AES 256-bit key */ - ESP_KEY_MGR_ECDSA_192_KEY, /* ECDSA 192-bit key */ - ESP_KEY_MGR_ECDSA_256_KEY, /* ECDSA 256-bit key */ - ESP_KEY_MGR_ECDSA_384_KEY, /* ECDSA 384-bit key */ - ESP_KEY_MGR_HMAC_KEY, /* HMAC key */ - ESP_KEY_MGR_DS_KEY, /* Digital signature key */ - ESP_KEY_MGR_PSRAM_128_KEY, /* PSRAM 128-bit key */ - ESP_KEY_MGR_PSRAM_256_KEY, /* PSRAM 256-bit key */ + ESP_KEY_MGR_ECDSA_KEY = 0, /* ECDSA key */ + ESP_KEY_MGR_FLASH_XTS_AES_KEY, /* XTS-AES key */ + ESP_KEY_MGR_HMAC_KEY, /* HMAC key */ + ESP_KEY_MGR_DS_KEY, /* Digital signature key */ + ESP_KEY_MGR_PSRAM_XTS_AES_KEY, /* PSRAM XTS-AES key */ } esp_key_mgr_key_type_t; /* @@ -140,7 +131,9 @@ typedef struct WORD_ALIGNED_ATTR PACKED_ATTR { uint32_t magic; uint32_t version; // for backward compatibility uint8_t key_type; - uint8_t reserved[15]; + uint8_t key_len; + uint8_t key_deployment_mode; + uint8_t reserved[13]; esp_key_mgr_huk_info_t huk_info; esp_key_mgr_key_info_t key_info[2]; // at most 2 key info (XTS-512_1 and XTS-512_2), at least use 1 } esp_key_mgr_key_recovery_info_t; diff --git a/components/hal/key_mgr_hal.c b/components/hal/key_mgr_hal.c index 5dcb67f5b2c..9a9c2812383 100644 --- a/components/hal/key_mgr_hal.c +++ b/components/hal/key_mgr_hal.c @@ -44,9 +44,9 @@ bool key_mgr_hal_is_result_success(void) return key_mgr_ll_is_result_success(); } -bool key_mgr_hal_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type) +bool key_mgr_hal_is_key_deployment_valid(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { - return key_mgr_ll_is_key_deployment_valid(key_type); + return key_mgr_ll_is_key_deployment_valid(key_type, key_len); } void key_mgr_hal_write_sw_init_key(const uint8_t *sw_init_key_buf, const size_t data_len) @@ -79,12 +79,12 @@ bool key_mgr_hal_is_huk_valid(void) return key_mgr_ll_is_huk_valid(); } -void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_xts_aes_key_len_t key_len) +void key_mgr_hal_set_xts_aes_key_len(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { key_mgr_ll_set_xts_aes_key_len(key_type, key_len); } -esp_key_mgr_xts_aes_key_len_t key_mgr_hal_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type) +esp_key_mgr_key_len_t key_mgr_hal_get_xts_aes_key_len(const esp_key_mgr_key_type_t key_type) { return key_mgr_ll_get_xts_aes_key_len(key_type); } diff --git a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c index 121b49a6c87..886ee5492a7 100644 --- a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c +++ b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c @@ -92,7 +92,8 @@ static void key_mgr_test_xts_aes_128_aes_mode(void) memcpy(key_config.k1_encrypted, (uint8_t*) test_data_xts_aes_128.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); memcpy(key_config.sw_init_key, (uint8_t*) test_data_xts_aes_128.init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config.use_pre_generated_sw_init_key = 1; - key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); @@ -105,7 +106,8 @@ static void key_mgr_test_xts_aes_128_ecdh0_mode(void) { static esp_key_mgr_ecdh0_key_config_t key_config; memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); - key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; static esp_key_mgr_key_recovery_info_t key_recovery_info; static esp_key_mgr_ecdh0_info_t ecdh0_info; @@ -128,7 +130,8 @@ static void key_mgr_test_xts_aes_256_aes_mode(void) memcpy(key_config.k1_encrypted[1], (uint8_t*) test_data_xts_aes_256.k1_encrypted[1], KEY_MGR_K1_ENCRYPTED_SIZE); memcpy(key_config.sw_init_key, (uint8_t*) test_data_xts_aes_256.init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config.use_pre_generated_sw_init_key = 1; - key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY; + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); @@ -142,7 +145,8 @@ static void key_mgr_test_xts_aes_256_ecdh0_mode(void) static esp_key_mgr_ecdh0_key_config_t key_config; memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); memcpy(key_config.k1_G[1], (uint8_t*) test_data_ecdh0.k1_G[1], KEY_MGR_ECDH0_INFO_SIZE); - key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY; + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; static esp_key_mgr_key_recovery_info_t key_recovery_info; static esp_key_mgr_ecdh0_info_t ecdh0_info; @@ -177,7 +181,8 @@ static void test_xts_aes_key_random_mode(void) static void key_mgr_test_xts_aes_128_random_mode(void) { static esp_key_mgr_random_key_config_t key_config; - key_config.key_type = ESP_KEY_MGR_XTS_AES_128_KEY; + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); @@ -191,7 +196,8 @@ static void key_mgr_test_xts_aes_128_random_mode(void) static void key_mgr_test_xts_aes_256_random_mode(void) { static esp_key_mgr_random_key_config_t key_config; - key_config.key_type = ESP_KEY_MGR_XTS_AES_256_KEY; + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; + key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); @@ -257,7 +263,8 @@ static void key_mgr_test_ecdsa_p256_aes_mode(void) memcpy(key_config.k1_encrypted, (uint8_t*) test_data_ecdsa.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); memcpy(key_config.sw_init_key, (uint8_t*) test_data_ecdsa.init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config.use_pre_generated_sw_init_key = 1; - key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_len = ESP_KEY_MGR_ECDSA_LEN_256; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); @@ -274,7 +281,8 @@ static void key_mgr_test_ecdsa_ecdh0_mode(void) { static esp_key_mgr_ecdh0_key_config_t key_config; memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); - key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_len = ESP_KEY_MGR_ECDSA_LEN_256; static esp_key_mgr_key_recovery_info_t key_recovery_info; static esp_key_mgr_ecdh0_info_t ecdh0_info; @@ -292,7 +300,8 @@ static void key_mgr_test_ecdsa_ecdh0_mode(void) static void key_mgr_test_ecdsa_random_mode(void) { static esp_key_mgr_random_key_config_t key_config; - key_config.key_type = ESP_KEY_MGR_ECDSA_256_KEY; + key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; + key_config.key_len = ESP_KEY_MGR_ECDSA_LEN_256; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); diff --git a/components/mbedtls/test_apps/main/test_mbedtls_ecdsa.c b/components/mbedtls/test_apps/main/test_mbedtls_ecdsa.c index bb8eab21a71..7007f3baadb 100644 --- a/components/mbedtls/test_apps/main/test_mbedtls_ecdsa.c +++ b/components/mbedtls/test_apps/main/test_mbedtls_ecdsa.c @@ -359,12 +359,13 @@ TEST_CASE("mbedtls ECDSA signature generation on SECP384R1", "[mbedtls][efuse_ke #if SOC_KEY_MANAGER_SUPPORTED -static void deploy_key_in_key_manager(const uint8_t *k1_encrypted, esp_key_mgr_key_type_t key_type) { +static void deploy_key_in_key_manager(const uint8_t *k1_encrypted, esp_key_mgr_key_type_t key_type, esp_key_mgr_key_len_t key_len) { esp_key_mgr_aes_key_config_t *key_config = NULL; key_config = heap_caps_calloc(1, sizeof(esp_key_mgr_aes_key_config_t), MALLOC_CAP_INTERNAL); TEST_ASSERT_NOT_NULL(key_config); key_config->key_type = key_type; + key_config->key_len = key_len; key_config->use_pre_generated_sw_init_key = 1; memcpy(key_config->k2_info, (uint8_t*) k2_info, KEY_MGR_K2_INFO_SIZE); memcpy(key_config->k1_encrypted[0], (uint8_t*) k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); @@ -389,9 +390,9 @@ TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][key_mana TEST_IGNORE_MESSAGE("Key manager is not supported"); } - deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_192_KEY); + deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192); test_ecdsa_sign(MBEDTLS_ECP_DP_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER); - esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_192_KEY); + esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY); } TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_manager_key]") @@ -400,9 +401,9 @@ TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_mana TEST_IGNORE_MESSAGE("Key manager is not supported"); } - deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_256_KEY); + deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_256); test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1, sha, ecdsa256_pub_x, ecdsa256_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER); - esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_256_KEY); + esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY); } #endif /* SOC_KEY_MANAGER_SUPPORTED */ @@ -443,9 +444,9 @@ TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbe if (!ecdsa_ll_is_deterministic_mode_supported()) { ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported."); } else { - deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_192_KEY); + deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192); test_ecdsa_sign(MBEDTLS_ECP_DP_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, true, USE_ECDSA_KEY_FROM_KEY_MANAGER); - esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_192_KEY); + esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY); } } @@ -454,9 +455,9 @@ TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbe if (!ecdsa_ll_is_deterministic_mode_supported()) { ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported."); } else { - deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_256_KEY); + deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_256); test_ecdsa_sign(MBEDTLS_ECP_DP_SECP256R1, sha, ecdsa256_pub_x, ecdsa256_pub_y, true, USE_ECDSA_KEY_FROM_KEY_MANAGER); - esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_256_KEY); + esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY); } } #endif /* SOC_KEY_MANAGER_SUPPORTED */ @@ -532,9 +533,9 @@ TEST_CASE("mbedtls ECDSA export public key on SECP192R1", "[mbedtls][key_manager TEST_IGNORE_MESSAGE("Key manager is not supported"); } - deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_192_KEY); + deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192); test_ecdsa_export_pubkey(MBEDTLS_ECP_DP_SECP192R1, ecdsa192_pub_x, ecdsa192_pub_y, USE_ECDSA_KEY_FROM_KEY_MANAGER); - esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_192_KEY); + esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY); } TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][key_manager_key]") @@ -543,9 +544,9 @@ TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][key_manager TEST_IGNORE_MESSAGE("Key manager is not supported"); } - deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_256_KEY); + deploy_key_in_key_manager(k1_ecdsa256_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_256); test_ecdsa_export_pubkey(MBEDTLS_ECP_DP_SECP256R1, ecdsa256_pub_x, ecdsa256_pub_y, USE_ECDSA_KEY_FROM_KEY_MANAGER); - esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_256_KEY); + esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY); } #endif #endif /* SOC_ECDSA_SUPPORT_EXPORT_PUBKEY */ From 792c93c59750bfed8b0034e78bb797b4c7d5c3da Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Mon, 10 Nov 2025 10:37:00 +0530 Subject: [PATCH 09/10] change(mbedtls): Generalize key source union for the hardware ECDSA context --- .../tee_test_fw/main/test_esp_tee_sec_stg.c | 1 - components/mbedtls/port/ecdsa/ecdsa_alt.c | 2 +- components/mbedtls/port/include/ecdsa/ecdsa_alt.h | 14 +++++--------- 3 files changed, 6 insertions(+), 11 deletions(-) diff --git a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c index 2f979eb137e..b1dbef45fe4 100644 --- a/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c +++ b/components/esp_tee/test_apps/tee_test_fw/main/test_esp_tee_sec_stg.c @@ -480,7 +480,6 @@ static void test_ecdsa_sign(mbedtls_ecp_group_id gid) .grp_id = gid, .tee_key_id = key_id, .load_pubkey = true, - .use_tee_sec_stg_key = true, }; TEST_ASSERT_EQUAL(0, esp_ecdsa_tee_set_pk_context(&key_ctx, &conf)); diff --git a/components/mbedtls/port/ecdsa/ecdsa_alt.c b/components/mbedtls/port/ecdsa/ecdsa_alt.c index 01d6d9be44c..1385a7d8c1b 100644 --- a/components/mbedtls/port/ecdsa/ecdsa_alt.c +++ b/components/mbedtls/port/ecdsa/ecdsa_alt.c @@ -595,7 +595,7 @@ int esp_ecdsa_tee_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_ return ret; } - if (!conf->use_tee_sec_stg_key) { + if (!conf->tee_key_id) { ESP_LOGE(TAG, "Invalid esp_ecdsa_pk_conf_t configuration"); return ret; } diff --git a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h index b2b8f3a65a3..3fe1145b2dc 100644 --- a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h +++ b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h @@ -30,19 +30,15 @@ typedef struct { mbedtls_ecp_group_id grp_id; /*!< MbedTLS ECP group identifier */ union { uint8_t efuse_block; /*!< EFuse block id for ECDSA private key */ +#if CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN const char *tee_key_id; /*!< TEE secure storage key id for ECDSA private key */ - }; /*!< Union to hold either EFuse block id or TEE secure storage key id for ECDSA private key */ +#endif + bool use_km_key; /*!< Use key deployed in the key manager for ECDSA operation. Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */ + }; /*!< Union to hold either EFuse block id or TEE secure storage key id or use key deployed in the key manager for ECDSA operation for ECDSA private key */ #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN bool load_pubkey; /*!< Export ECDSA public key from the hardware */ - #endif - bool use_km_key; /*!< Use key deployed in the key manager for ECDSA operation. - Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */ -#if CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN - bool use_tee_sec_stg_key; /*!< Use key deployed in the TEE secure storage for ECDSA operation. - Note: The key must be already deployed by the application and it must be activated for the lifetime of this context */ -#endif -} esp_ecdsa_pk_conf_t; //TODO: IDF-9008 (Add a config to select the ecdsa key from the key manager peripheral) +} esp_ecdsa_pk_conf_t; #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__ From 9a183862024f2ebc5a469e7c82d71c4bb89fcf54 Mon Sep 17 00:00:00 2001 From: "harshal.patil" Date: Tue, 11 Nov 2025 16:17:42 +0530 Subject: [PATCH 10/10] feat(esp_security): Support ECDSA-P384 key deployment using Key Manager --- components/esp_security/src/esp_key_mgr.c | 107 +++--- components/hal/ecdsa_hal.c | 2 +- .../crypto/main/key_manager/ecdsa_192_key.pem | 5 + .../crypto/main/key_manager/ecdsa_256_key.pem | 6 +- .../crypto/main/key_manager/ecdsa_384_key.pem | 6 + .../key_manager/gen_key_manager_test_cases.py | 139 +++++--- .../main/key_manager/key_manager_test_cases.h | 67 ++-- .../main/key_manager/test_key_manager.c | 323 ++++++++++++------ .../hal/test_apps/crypto/sdkconfig.defaults | 4 + 9 files changed, 439 insertions(+), 220 deletions(-) create mode 100644 components/hal/test_apps/crypto/main/key_manager/ecdsa_192_key.pem create mode 100644 components/hal/test_apps/crypto/main/key_manager/ecdsa_384_key.pem diff --git a/components/esp_security/src/esp_key_mgr.c b/components/esp_security/src/esp_key_mgr.c index ea91777eff7..6ffefe58981 100644 --- a/components/esp_security/src/esp_key_mgr.c +++ b/components/esp_security/src/esp_key_mgr.c @@ -142,6 +142,42 @@ static void esp_key_mgr_release_hardware(bool deployment_mode) esp_crypto_key_mgr_enable_periph_clk(false); } +/** + * @brief Check if a key purpose requires a secondary deployment stage + * + * Multi-part keys (256-bit XTS-AES and 384-bit ECDSA) require two deployment stages. + * This function identifies the primary purposes that need a follow-up secondary deployment. + * + * @param purpose Key purpose to check + * @return true if this purpose requires a secondary deployment, false otherwise + */ +static inline bool is_multi_stage_key_purpose(esp_key_mgr_key_purpose_t purpose) +{ + return (purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || + purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1 || + purpose == ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_H); +} + +/** + * @brief Get the secondary key purpose for a given primary purpose + * + * @param primary_purpose The primary key purpose + * @return The corresponding secondary purpose, or ESP_KEY_MGR_KEY_PURPOSE_INVALID if not applicable + */ +static inline esp_key_mgr_key_purpose_t get_secondary_key_purpose(esp_key_mgr_key_purpose_t primary_purpose) +{ + switch (primary_purpose) { + case ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1: + return ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2; + case ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1: + return ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + case ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_H: + return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_L; + default: + return ESP_KEY_MGR_KEY_PURPOSE_INVALID; + } +} + static esp_key_mgr_key_purpose_t get_key_purpose(const esp_key_mgr_key_type_t key_type, const esp_key_mgr_key_len_t key_len) { switch (key_type) { @@ -152,7 +188,6 @@ static esp_key_mgr_key_purpose_t get_key_purpose(const esp_key_mgr_key_type_t ke case ESP_KEY_MGR_ECDSA_LEN_256: return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_256; case ESP_KEY_MGR_ECDSA_LEN_384: - // TODO: Verify: (IDF-14120) return ESP_KEY_MGR_KEY_PURPOSE_ECDSA_384_H; default: return ESP_KEY_MGR_KEY_PURPOSE_INVALID; @@ -330,10 +365,7 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } - uint8_t key_recovery_info_index = 0; - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - key_recovery_info_index = 1; - } + uint8_t key_recovery_info_index = is_multi_stage_key_purpose(config->key_purpose) ? 0 : 1; uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; @@ -380,7 +412,10 @@ static esp_err_t key_mgr_deploy_key_aes_mode(aes_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + // Check if key deployment validation should be skipped for this purpose + // Primary purposes in multi-stage deployments skip validation after the first stage + // because the key is not yet completely deployed. + if (!is_multi_stage_key_purpose(config->key_purpose)) { if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGE(TAG, "Key deployment is not valid"); return ESP_FAIL; @@ -431,8 +466,8 @@ esp_err_t esp_key_mgr_deploy_key_in_aes_mode(const esp_key_mgr_aes_key_config_t aes_deploy_config.huk_deployed = true; - if (aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || aes_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - aes_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (is_multi_stage_key_purpose(aes_deploy_config.key_purpose)) { + aes_deploy_config.key_purpose = get_secondary_key_purpose(aes_deploy_config.key_purpose); aes_deploy_config.k1_encrypted = key_config->k1_encrypted[1]; esp_ret = key_mgr_deploy_key_aes_mode(&aes_deploy_config); if (esp_ret != ESP_OK) { @@ -493,25 +528,21 @@ static esp_err_t key_mgr_recover_key(key_recovery_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_LOAD); - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - if (!check_key_info_validity(&config->key_recovery_info->key_info[1])) { - ESP_LOGE(TAG, "Key info not valid"); - return ESP_FAIL; - } - key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[1].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - } else { - if (!check_key_info_validity(&config->key_recovery_info->key_info[0])) { - ESP_LOGE(TAG, "Key info not valid"); - return ESP_FAIL; - } - key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[0].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); + uint8_t key_recovery_info_index = is_multi_stage_key_purpose(config->key_purpose) ? 0 : 1; + + if (!check_key_info_validity(&config->key_recovery_info->key_info[key_recovery_info_index])) { + ESP_LOGE(TAG, "Key info not valid"); + return ESP_FAIL; } + key_mgr_hal_write_assist_info(config->key_recovery_info->key_info[key_recovery_info_index].info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_continue(); key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); - // TODO: Maybe need to extend this to ECDSA_384_L and ECDSA_384_H (IDF-14120) - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + // Check if key deployment validation should be skipped for this purpose + // Primary purposes in multi-stage deployments skip validation after the first stage + // because the key is not yet completely deployed. + if (!is_multi_stage_key_purpose(config->key_purpose)) { if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGD(TAG, "Key deployment is not valid"); return ESP_FAIL; @@ -555,8 +586,8 @@ esp_err_t esp_key_mgr_activate_key(esp_key_mgr_key_recovery_info_t *key_recovery goto cleanup; } - if (key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - key_recovery_config.key_purpose = key_recovery_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (is_multi_stage_key_purpose(key_recovery_config.key_purpose)) { + key_recovery_config.key_purpose = get_secondary_key_purpose(key_recovery_config.key_purpose); esp_ret = key_mgr_recover_key(&key_recovery_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to recover key"); @@ -615,10 +646,7 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } - uint8_t key_recovery_info_index = 0; - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - key_recovery_info_index = 1; - } + uint8_t key_recovery_info_index = is_multi_stage_key_purpose(config->key_purpose) ? 0 : 1; uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; @@ -653,7 +681,10 @@ static esp_err_t key_mgr_deploy_key_ecdh0_mode(ecdh0_deploy_config_t *config) key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); key_mgr_hal_read_assist_info(config->ecdh0_key_info); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + // Check if key deployment validation should be skipped for this purpose + // Primary purposes in multi-stage deployments skip validation after the first stage + // because the key is not yet completely deployed. + if (!is_multi_stage_key_purpose(config->key_purpose)) { if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGE(TAG, "Key deployment is not valid"); return ESP_FAIL; @@ -706,8 +737,8 @@ esp_err_t esp_key_mgr_deploy_key_in_ecdh0_mode(const esp_key_mgr_ecdh0_key_confi ecdh0_deploy_config.huk_deployed = true; - if (ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || ecdh0_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - ecdh0_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (is_multi_stage_key_purpose(ecdh0_deploy_config.key_purpose)) { + ecdh0_deploy_config.key_purpose = get_secondary_key_purpose(ecdh0_deploy_config.key_purpose); ecdh0_deploy_config.k1_G = key_config->k1_G[1]; ecdh0_deploy_config.ecdh0_key_info = ecdh0_key_info->k2_G[1]; esp_ret = key_mgr_deploy_key_ecdh0_mode(&ecdh0_deploy_config); @@ -752,10 +783,7 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) ESP_LOGD(TAG, "HUK deployed successfully"); } - uint8_t key_recovery_info_index = 0; - if (config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 || config->key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2) { - key_recovery_info_index = 1; - } + uint8_t key_recovery_info_index = is_multi_stage_key_purpose(config->key_purpose) ? 0 : 1; uint8_t *key_recovery_info = config->key_info->key_info[key_recovery_info_index].info; @@ -783,7 +811,10 @@ static esp_err_t key_mgr_deploy_key_random_mode(random_deploy_config_t *config) key_mgr_wait_for_state(ESP_KEY_MGR_STATE_GAIN); key_mgr_hal_read_public_info(key_recovery_info, KEY_MGR_KEY_RECOVERY_INFO_SIZE); - if (config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 && config->key_purpose != ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { + // Check if key deployment validation should be skipped for this purpose + // Primary purposes in multi-stage deployments skip validation after the first stage + // because the key is not yet completely deployed. + if (!is_multi_stage_key_purpose(config->key_purpose)) { if (!key_mgr_hal_is_key_deployment_valid(key_type, key_len)) { ESP_LOGE(TAG, "Key deployment is not valid"); return ESP_FAIL; @@ -833,8 +864,8 @@ esp_err_t esp_key_mgr_deploy_key_in_random_mode(const esp_key_mgr_random_key_con random_deploy_config.huk_deployed = true; - if (random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_1 || random_deploy_config.key_purpose == ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_1) { - random_deploy_config.key_purpose = key_config->key_type == ESP_KEY_MGR_FLASH_XTS_AES_KEY ? ESP_KEY_MGR_KEY_PURPOSE_FLASH_256_2 : ESP_KEY_MGR_KEY_PURPOSE_PSRAM_256_2; + if (is_multi_stage_key_purpose(random_deploy_config.key_purpose)) { + random_deploy_config.key_purpose = get_secondary_key_purpose(random_deploy_config.key_purpose); esp_ret = key_mgr_deploy_key_random_mode(&random_deploy_config); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Key deployment in Random mode failed"); diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c index 72a74bf2133..36480dfab20 100644 --- a/components/hal/ecdsa_hal.c +++ b/components/hal/ecdsa_hal.c @@ -49,7 +49,7 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf) HAL_ASSERT(false && "Key manager is not supported"); } - // Force Key Manager to use eFuse key for XTS-AES operation + // Force Key Manager to use eFuse key for ECDSA operation key_mgr_hal_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY); #endif } diff --git a/components/hal/test_apps/crypto/main/key_manager/ecdsa_192_key.pem b/components/hal/test_apps/crypto/main/key_manager/ecdsa_192_key.pem new file mode 100644 index 00000000000..56c7094fb54 --- /dev/null +++ b/components/hal/test_apps/crypto/main/key_manager/ecdsa_192_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MF8CAQEEGDXkbV5pWiMz+DCRueuWFyVZh/evy5rYyaAKBggqhkjOPQMBAaE0AzIA +BNaaJCemMzzHS5Eo8+3Dk5cHda8oYh1FadIbVLhnJA5EHrDv8QfStCVMSwV4mKoV +4A== +-----END EC PRIVATE KEY----- diff --git a/components/hal/test_apps/crypto/main/key_manager/ecdsa_256_key.pem b/components/hal/test_apps/crypto/main/key_manager/ecdsa_256_key.pem index 5e4dc4d806f..9bfc1bf5a0d 100644 --- a/components/hal/test_apps/crypto/main/key_manager/ecdsa_256_key.pem +++ b/components/hal/test_apps/crypto/main/key_manager/ecdsa_256_key.pem @@ -1,5 +1,5 @@ -----BEGIN EC PRIVATE KEY----- -MHcCAQEEICySt/VCEPFi962COuQDE+cXD3Bz8XjZy2O5SM1LsHsGoAoGCCqGSM49 -AwEHoUQDQgAEBYu5KXarLURySNNaeZcxtBTxC0vJAM/evz9NC01IjCVQlOLJ4Y6i -3UviK3bgk+3FqpJBM+SQCqeDgd7ktPtr9Q== +MHcCAQEEIDXkbV5pWiMz+DCRueuWFyVZh/evy5rYybp9nCInR4ADoAoGCCqGSM49 +AwEHoUQDQgAEtK2sL4kKVX9prPt6DqZBxJ24ZkXHnY2/oQZqnn4E1w4XtSHvIgFT +XdPWQ84RYC7IbrPmL36o0ftKY1xWtgMhFQ== -----END EC PRIVATE KEY----- diff --git a/components/hal/test_apps/crypto/main/key_manager/ecdsa_384_key.pem b/components/hal/test_apps/crypto/main/key_manager/ecdsa_384_key.pem new file mode 100644 index 00000000000..95cac99e07b --- /dev/null +++ b/components/hal/test_apps/crypto/main/key_manager/ecdsa_384_key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDA15G1eaVojM/gwkbnrlhclWYf3r8ua2Mm6fZwiJ0eAA14RGq+Kl7Ap +1rabwaNfV2+gBwYFK4EEACKhZANiAAQSh7nvJpR8mRriSCjrNV2pAobLOigdosYt +u9I7EvTU4DmUthIIuFIoOdjkg8qvK2sucHc7sTdTx2BVwT8BeBCkTwPwqWPc5vnN +GEvVeg/3DrbA4k8MjT5z4C2cn752AM0= +-----END EC PRIVATE KEY----- diff --git a/components/hal/test_apps/crypto/main/key_manager/gen_key_manager_test_cases.py b/components/hal/test_apps/crypto/main/key_manager/gen_key_manager_test_cases.py index e271b3d48b1..94c5752a8ff 100644 --- a/components/hal/test_apps/crypto/main/key_manager/gen_key_manager_test_cases.py +++ b/components/hal/test_apps/crypto/main/key_manager/gen_key_manager_test_cases.py @@ -1,6 +1,5 @@ # SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD # SPDX-License-Identifier: Unlicense OR CC0-1.0 -import argparse import hashlib import hmac import os @@ -18,9 +17,6 @@ from cryptography.hazmat.primitives.ciphers import modes from cryptography.utils import int_to_bytes from ecdsa.curves import NIST256p -supported_targets = {'esp32p4', 'esp32c5'} -supported_ds_key_size = {'esp32p4': [4096, 3072, 2048, 1024], 'esp32c5': [3072, 2048, 1024]} - # Constants TEST_COUNT = 5 STORAGE_PARTITION_OFFSET = 0x160000 @@ -100,24 +96,32 @@ def generate_xts_test_data(key: bytes, base_flash_address: int = STORAGE_PARTITI return xts_test_data -def generate_ecdsa_256_key_and_pub_key(filename: str) -> tuple: - with open(filename, 'rb') as f: - private_number = int.from_bytes(f.read(), byteorder='big') +def generate_ecdsa_key_and_pub_key(key: bytes, key_size: int) -> tuple: + private_number = int.from_bytes(key, byteorder='big') - private_key = ec.derive_private_key(private_number, ec.SECP256R1()) + if key_size == 192: + curve = ec.SECP192R1() + elif key_size == 256: + curve = ec.SECP256R1() + elif key_size == 384: + curve = ec.SECP384R1() + else: + raise ValueError(f'Unsupported key size: {key_size}') + + private_key = ec.derive_private_key(private_number, curve) pem = private_key.private_bytes( encoding=serialization.Encoding.PEM, format=serialization.PrivateFormat.TraditionalOpenSSL, encryption_algorithm=serialization.NoEncryption(), ) - with open('ecdsa_256_key.pem', 'wb') as pem_file: + with open(f'ecdsa_{key_size}_key.pem', 'wb') as pem_file: pem_file.write(pem) public_key = private_key.public_key() pub_numbers = public_key.public_numbers() - pubx = pub_numbers.x.to_bytes(32, byteorder='little') - puby = pub_numbers.y.to_bytes(32, byteorder='little') + pubx = pub_numbers.x.to_bytes(key_size // 8, byteorder='little') + puby = pub_numbers.y.to_bytes(key_size // 8, byteorder='little') return pubx, puby @@ -128,20 +132,16 @@ def perform_ecc_point_multiplication(k1_int: int) -> Any: return k1_G -def generate_k1_G(key_file_path: str) -> tuple: +def generate_k1_G(k1_bytes: bytes) -> tuple: k1_G = [] - if os.path.exists(key_file_path): - with open(key_file_path, 'rb') as key_file: - k1_bytes = key_file.read() + k1_int = int.from_bytes(k1_bytes, byteorder='big') + k1_G_point = perform_ecc_point_multiplication(k1_int) + k1_G = k1_G_point.to_bytes()[:64] - k1_int = int.from_bytes(k1_bytes, byteorder='big') - k1_G_point = perform_ecc_point_multiplication(k1_int) - k1_G = k1_G_point.to_bytes()[:64] - - k1_G = k1_G[::-1] - k1_G_x = k1_G[:32] - k1_G_y = k1_G[32:] - k1_G = k1_G_y + k1_G_x + k1_G = k1_G[::-1] + k1_G_x = k1_G[:32] + k1_G_y = k1_G[32:] + k1_G = k1_G_y + k1_G_x return k1_G, k1_G @@ -238,14 +238,22 @@ def write_to_c_header( init_key: bytes, k1: bytes, k2_info: bytes, + k1_encrypted_24: list, + k1_encrypted_24_reversed: list, k1_encrypted_32: list, k1_encrypted_32_reversed: list, + k1_encrypted_48: list, + k1_encrypted_48_reversed: list, test_data_xts_aes_128: list, k1_encrypted_64: list, k1_encrypted_64_reversed: list, xts_test_data_xts_aes_256: list, - pubx: bytes, - puby: bytes, + ecdsa_p192_pubx: bytes, + ecdsa_p192_puby: bytes, + ecdsa_p256_pubx: bytes, + ecdsa_p256_puby: bytes, + ecdsa_p384_pubx: bytes, + ecdsa_p384_puby: bytes, k1_G_0: bytes, k1_G_1: bytes, hmac_message: bytes, @@ -271,8 +279,12 @@ typedef struct test_xts_data {{ }} test_xts_data_t; typedef struct test_ecdsa_data {{ - uint8_t pubx[32]; - uint8_t puby[32]; + uint8_t ecdsa_p192_pubx[24]; + uint8_t ecdsa_p192_puby[24]; + uint8_t ecdsa_p256_pubx[32]; + uint8_t ecdsa_p256_puby[32]; + uint8_t ecdsa_p384_pubx[48]; + uint8_t ecdsa_p384_puby[48]; }} test_ecdsa_data_t; typedef struct test_hmac_data {{ @@ -297,7 +309,9 @@ typedef struct test_ds_data {{ typedef struct test_data {{ uint8_t init_key[32]; uint8_t k2_info[64]; - uint8_t k1_encrypted[2][32]; // For both 256-bit and 512-bit keys + // [0] for XTS-AES-128 / ECDSA-P192 / HMAC / DS, [1] for XTS-AES-256 / ECDSA-P256 + // [2] for ECDSA-P384-H, [3] for ECDSA-P384-L + uint8_t k1_encrypted[4][32]; uint8_t plaintext_data[128]; union {{ test_xts_data_t xts_test_data[TEST_COUNT]; @@ -354,10 +368,19 @@ test_data_aes_mode_t test_data_xts_aes_128 = {{ test_data_aes_mode_t test_data_ecdsa = {{ .init_key = {{ {key_to_c_format(init_key)} }}, .k2_info = {{ {key_to_c_format(k2_info)} }}, - .k1_encrypted = {{ {{ {key_to_c_format(k1_encrypted_32_reversed[0])} }}, {{ }} }}, + .k1_encrypted = {{ + {{ {key_to_c_format(k1_encrypted_24_reversed[0])} }}, + {{ {key_to_c_format(k1_encrypted_32_reversed[0])} }}, + {{ {key_to_c_format(k1_encrypted_48_reversed[0])} }}, + {{ {key_to_c_format(k1_encrypted_48_reversed[1])} }}, + }}, .ecdsa_test_data = {{ - .pubx = {{ {key_to_c_format(pubx)} }}, - .puby = {{ {key_to_c_format(puby)} }} + .ecdsa_p192_pubx = {{ {key_to_c_format(ecdsa_p192_pubx)} }}, + .ecdsa_p192_puby = {{ {key_to_c_format(ecdsa_p192_puby)} }}, + .ecdsa_p256_pubx = {{ {key_to_c_format(ecdsa_p256_pubx)} }}, + .ecdsa_p256_puby = {{ {key_to_c_format(ecdsa_p256_puby)} }}, + .ecdsa_p384_pubx = {{ {key_to_c_format(ecdsa_p384_pubx)} }}, + .ecdsa_p384_puby = {{ {key_to_c_format(ecdsa_p384_puby)} }}, }} }}; """ @@ -413,7 +436,7 @@ test_data_aes_mode_t test_data_ds = {{ file.write(header_content) -def generate_tests_cases(target: str) -> None: +def generate_tests_cases() -> None: # Main script logic follows as per your provided structure init_key = key_from_file_or_generate('init_key.bin', 32) k2 = key_from_file_or_generate('k2.bin', 32) @@ -423,28 +446,47 @@ def generate_tests_cases(target: str) -> None: temp_result_outer = calculate_aes_cipher(temp_result_inner + rand_num, init_key) k2_info = temp_result_outer - k1_32 = key_from_file_or_generate('k1.bin', 32) - k1_64 = key_from_file_or_generate('k1_64.bin', 64) + k1 = key_from_file_or_generate('k1_64.bin', 64) + k1_24 = k1[:24] + k1_32 = k1[:32] + k1_48 = k1[:48] + k1_64 = k1[:] + + k1_24_reversed = k1_24[::-1] k1_32_reversed = k1_32[::-1] + k1_48_1 = k1_48[:16] + k1_48_1_reversed = k1_48_1[::-1] + k1_48_2 = k1_48[16:] + k1_48_2_reversed = k1_48_2[::-1] + k1_64_1 = k1_64[:32] k1_64_1_reversed = k1_64_1[::-1] k1_64_2 = k1_64[32:] k1_64_2_reversed = k1_64_2[::-1] + k1_encrypted_24 = [calculate_aes_cipher(b'\x00' * 8 + k1_24, k2)] k1_encrypted_32 = [calculate_aes_cipher(k1_32, k2)] + k1_encrypted_48 = [calculate_aes_cipher(b'\x00' * 16 + k1_48_1, k2), calculate_aes_cipher(k1_48_2, k2)] k1_encrypted_64 = [calculate_aes_cipher(k1_64_1, k2), calculate_aes_cipher(k1_64_2, k2)] + k1_encrypted_24_reversed = [calculate_aes_cipher(k1_24_reversed + b'\x00' * 8, k2)] k1_encrypted_32_reversed = [calculate_aes_cipher(k1_32_reversed, k2)] + k1_encrypted_48_reversed = [ + calculate_aes_cipher(k1_48_1_reversed + b'\x00' * 16, k2), + calculate_aes_cipher(k1_48_2_reversed, k2), + ] k1_encrypted_64_reversed = [calculate_aes_cipher(k1_64_1_reversed, k2), calculate_aes_cipher(k1_64_2_reversed, k2)] test_data_xts_aes_128 = generate_xts_test_data(k1_32) xts_test_data_xts_aes_256 = generate_xts_test_data(k1_64) - pubx, puby = generate_ecdsa_256_key_and_pub_key('k1.bin') + ecdsa_p192_pubx, ecdsa_p192_puby = generate_ecdsa_key_and_pub_key(k1_24, 192) + ecdsa_p256_pubx, ecdsa_p256_puby = generate_ecdsa_key_and_pub_key(k1_32, 256) + ecdsa_p384_pubx, ecdsa_p384_puby = generate_ecdsa_key_and_pub_key(k1_48, 384) - k1_G_0, k1_G_1 = generate_k1_G('k1.bin') + k1_G_0, k1_G_1 = generate_k1_G(k1_32) hmac_message, hmac_result = generate_hmac_test_data(k1_32) @@ -462,14 +504,22 @@ def generate_tests_cases(target: str) -> None: init_key, k1_32, k2_info, + k1_encrypted_24, + k1_encrypted_24_reversed, k1_encrypted_32, k1_encrypted_32_reversed, + k1_encrypted_48, + k1_encrypted_48_reversed, test_data_xts_aes_128, k1_encrypted_64, k1_encrypted_64_reversed, xts_test_data_xts_aes_256, - pubx, - puby, + ecdsa_p192_pubx, + ecdsa_p192_puby, + ecdsa_p256_pubx, + ecdsa_p256_puby, + ecdsa_p384_pubx, + ecdsa_p384_puby, k1_G_0, k1_G_1, hmac_message, @@ -485,15 +535,4 @@ def generate_tests_cases(target: str) -> None: if __name__ == '__main__': - parser = argparse.ArgumentParser(description="""Generates Digital Signature Test Cases""") - - parser.add_argument( - '--target', - required=True, - choices=supported_targets, - help='Target to generate test cases for, different targets support different max key length', - ) - - args = parser.parse_args() - - generate_tests_cases(args.target) + generate_tests_cases() diff --git a/components/hal/test_apps/crypto/main/key_manager/key_manager_test_cases.h b/components/hal/test_apps/crypto/main/key_manager/key_manager_test_cases.h index d6cfe6fd545..b6742bd3a2b 100644 --- a/components/hal/test_apps/crypto/main/key_manager/key_manager_test_cases.h +++ b/components/hal/test_apps/crypto/main/key_manager/key_manager_test_cases.h @@ -15,8 +15,12 @@ typedef struct test_xts_data { } test_xts_data_t; typedef struct test_ecdsa_data { - uint8_t pubx[32]; - uint8_t puby[32]; + uint8_t ecdsa_p192_pubx[24]; + uint8_t ecdsa_p192_puby[24]; + uint8_t ecdsa_p256_pubx[32]; + uint8_t ecdsa_p256_puby[32]; + uint8_t ecdsa_p384_pubx[48]; + uint8_t ecdsa_p384_puby[48]; } test_ecdsa_data_t; typedef struct test_hmac_data { @@ -41,7 +45,9 @@ typedef struct test_ds_data { typedef struct test_data { uint8_t init_key[32]; uint8_t k2_info[64]; - uint8_t k1_encrypted[2][32]; // For both 256-bit and 512-bit keys + // [0] for XTS-AES-128 / ECDSA-P192 / HMAC / DS, [1] for XTS-AES-256 / ECDSA-P256 + // [2] for ECDSA-P384-H, [3] for ECDSA-P384-L + uint8_t k1_encrypted[4][32]; uint8_t plaintext_data[128]; union { test_xts_data_t xts_test_data[TEST_COUNT]; @@ -61,14 +67,14 @@ typedef struct test_data_ecdh0 { test_data_aes_mode_t test_data_xts_aes_128 = { .init_key = { 0xee, 0x89, 0x95, 0xda, 0x3c, 0x8a, 0x43, 0x83, 0xa9, 0x4b, 0x25, 0x5b, 0x04, 0x7e, 0xf1, 0x57, 0xb8, 0xe8, 0x06, 0x45, 0x87, 0x76, 0xee, 0x1b, 0x4e, 0x2e, 0x55, 0xa7, 0x1f, 0x25, 0xe1, 0x94 }, .k2_info = { 0x8f, 0x96, 0x33, 0x47, 0xe1, 0xa5, 0x57, 0xe9, 0x2a, 0x51, 0xa9, 0xbe, 0x48, 0x84, 0x25, 0x4e, 0x6f, 0x50, 0x1c, 0x45, 0xdb, 0xb6, 0xfa, 0xeb, 0x35, 0xd2, 0x27, 0x91, 0x3f, 0x67, 0x57, 0xd9, 0xcb, 0x55, 0xe4, 0x2b, 0x18, 0x16, 0xe7, 0xce, 0x6c, 0xf2, 0x58, 0x71, 0x17, 0x76, 0x2a, 0x86, 0x05, 0xe7, 0x37, 0x45, 0x71, 0x34, 0xca, 0xaf, 0x60, 0x07, 0xdf, 0xf4, 0xd2, 0xee, 0x3d, 0x4b }, - .k1_encrypted = { { 0xe0, 0xe8, 0x41, 0xe3, 0xd0, 0x92, 0x71, 0x84, 0x4b, 0x02, 0x1e, 0xec, 0x14, 0xdd, 0xaf, 0xf8, 0x39, 0xf9, 0x6a, 0x8d, 0x1b, 0xd7, 0x64, 0x3b, 0x7b, 0xa6, 0x05, 0x42, 0x01, 0xfb, 0xab, 0xe1 }, { } }, + .k1_encrypted = { { 0x37, 0xcf, 0x5b, 0x9e, 0x08, 0x26, 0x36, 0x31, 0xd7, 0x51, 0x3c, 0x33, 0x0d, 0x5d, 0x03, 0xad, 0x48, 0x6e, 0xbe, 0x82, 0xce, 0xa9, 0xc8, 0xd5, 0x98, 0x11, 0x24, 0xcc, 0x83, 0xf8, 0xf9, 0x53 }, { } }, .plaintext_data = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80 }, .xts_test_data = { - {.data_size = 32, .data_offset = 0x160000, .ciphertext = {0x0d, 0x02, 0x33, 0x69, 0x2f, 0x0f, 0x6f, 0x3e, 0xd1, 0xf0, 0x3d, 0x38, 0x63, 0xe3, 0x45, 0xe1, 0x01, 0xe2, 0xde, 0x88, 0xf2, 0x4e, 0x94, 0xa2, 0x22, 0xfe, 0x01, 0x6e, 0xe0, 0xf5, 0x16, 0x7c}}, - {.data_size = 64, .data_offset = 0x160100, .ciphertext = {0xc0, 0xc8, 0x19, 0x93, 0x12, 0xa2, 0xa6, 0x9c, 0xeb, 0x2b, 0x15, 0x84, 0x06, 0x71, 0x34, 0xfc, 0xef, 0xba, 0x53, 0xef, 0x66, 0xd8, 0xfd, 0x7f, 0x47, 0x88, 0x03, 0xe7, 0x44, 0xc4, 0x83, 0x30, 0x11, 0x2d, 0xd8, 0x87, 0xcd, 0xf9, 0x0c, 0x74, 0xa4, 0x14, 0x2d, 0xa5, 0xab, 0xf6, 0xd7, 0xdc, 0x4f, 0x8d, 0x22, 0x1a, 0x2e, 0x3d, 0x6d, 0x0f, 0xb3, 0xed, 0xf0, 0x7b, 0x01, 0x18, 0xf0, 0xd3}}, - {.data_size = 128, .data_offset = 0x160200, .ciphertext = {0xba, 0xe8, 0x7d, 0xfe, 0x1d, 0x7c, 0x95, 0x41, 0x5b, 0x59, 0x84, 0x4b, 0x37, 0x8e, 0x29, 0x53, 0xf5, 0x9d, 0x90, 0x07, 0xec, 0xc9, 0xdf, 0x52, 0xd5, 0xab, 0x7c, 0x73, 0x21, 0x52, 0x8d, 0xdc, 0x6f, 0xe1, 0xaa, 0x16, 0x4d, 0x86, 0x8a, 0x12, 0x29, 0x49, 0x9f, 0x96, 0x23, 0xd2, 0x4c, 0xa8, 0xcf, 0xe7, 0xa8, 0x83, 0x69, 0x57, 0x41, 0x92, 0x0a, 0x06, 0xf8, 0x7a, 0x30, 0xc6, 0xd6, 0x51, 0xb0, 0x34, 0x46, 0x08, 0x77, 0xc9, 0x49, 0x9d, 0x63, 0xee, 0x9f, 0x66, 0x08, 0xc1, 0x01, 0x0c, 0x07, 0x24, 0xc2, 0x76, 0x86, 0x14, 0xcb, 0xa1, 0x27, 0xc0, 0xe9, 0xcd, 0x1d, 0x60, 0x70, 0xa0, 0x0a, 0x21, 0x9e, 0x91, 0xfa, 0x1a, 0x8c, 0x10, 0x87, 0x17, 0x36, 0xf6, 0x20, 0xc2, 0x7e, 0x96, 0x0f, 0xde, 0x30, 0x28, 0x5a, 0x3a, 0x9e, 0x08, 0xe1, 0x35, 0xb3, 0x36, 0x2f, 0xc7, 0x0d, 0x28}}, - {.data_size = 16, .data_offset = 0x160300, .ciphertext = {0x0a, 0x2c, 0xcf, 0x75, 0x73, 0xa0, 0x5f, 0x80, 0xbb, 0xfb, 0xed, 0x9b, 0xc2, 0xd6, 0x05, 0x92}}, - {.data_size = 32, .data_offset = 0x160400, .ciphertext = {0x1e, 0x45, 0xab, 0xea, 0x70, 0x46, 0xb9, 0x08, 0x6d, 0x2f, 0xd1, 0xe4, 0x7f, 0xf3, 0x5d, 0xf9, 0x2e, 0xf9, 0x3d, 0x1f, 0x23, 0xe8, 0xa2, 0xd8, 0x5a, 0x53, 0xe7, 0xd7, 0xd7, 0x51, 0xe6, 0x92}}, + {.data_size = 32, .data_offset = 0x160000, .ciphertext = {0xba, 0xa3, 0xa4, 0x8f, 0x77, 0xac, 0xb5, 0x96, 0xc2, 0x9c, 0x76, 0xc3, 0x0f, 0x0e, 0xc5, 0xf1, 0xa8, 0x44, 0x4e, 0x05, 0x79, 0x0e, 0xa4, 0x1f, 0x72, 0x0a, 0xa5, 0xa9, 0xd8, 0x7c, 0xe8, 0xf5}}, + {.data_size = 64, .data_offset = 0x160100, .ciphertext = {0xf9, 0x09, 0x32, 0x28, 0xdc, 0x0b, 0x44, 0x8a, 0xbc, 0x06, 0x0e, 0xfb, 0x0e, 0x58, 0xfa, 0x3a, 0x16, 0x27, 0x41, 0xab, 0xde, 0xa7, 0x2b, 0xf5, 0xcc, 0xe0, 0x8c, 0xde, 0xda, 0x3b, 0x9b, 0x39, 0x04, 0xdf, 0x02, 0x5d, 0x87, 0xe8, 0x19, 0x2f, 0x87, 0x3a, 0x77, 0x00, 0x9c, 0x38, 0xb1, 0xfb, 0xae, 0xd8, 0xa7, 0x39, 0x4b, 0x89, 0x83, 0x4d, 0x4a, 0x9c, 0xee, 0x50, 0x3e, 0xd1, 0x64, 0xd2}}, + {.data_size = 128, .data_offset = 0x160200, .ciphertext = {0x03, 0xb0, 0xa3, 0x50, 0x55, 0x50, 0xdb, 0xc9, 0x6b, 0x39, 0xb2, 0x19, 0xd2, 0x57, 0xf8, 0x7b, 0x07, 0x3c, 0xe0, 0x01, 0xec, 0xc1, 0x38, 0x92, 0x8c, 0x96, 0x64, 0xbf, 0x18, 0xde, 0x12, 0x18, 0xa5, 0xca, 0x3a, 0x97, 0x6b, 0x7d, 0x0d, 0xe5, 0x15, 0xa1, 0x2d, 0x28, 0xdb, 0xb5, 0xe0, 0x2b, 0x7e, 0x6a, 0x9a, 0xe0, 0x16, 0x7b, 0xbf, 0x3c, 0x49, 0x05, 0x4e, 0x46, 0x92, 0x63, 0x7b, 0x49, 0x22, 0x60, 0x6a, 0xde, 0x96, 0x02, 0xd0, 0x24, 0x03, 0x69, 0x3b, 0xfe, 0x5f, 0xfe, 0xe4, 0x0c, 0xe3, 0x77, 0x40, 0x98, 0x43, 0xe9, 0x2a, 0xaf, 0x35, 0x57, 0x6f, 0x60, 0x08, 0x43, 0xd4, 0xb3, 0x7e, 0xb6, 0x2d, 0x19, 0x56, 0xc3, 0x94, 0x49, 0x93, 0x94, 0x3d, 0x8a, 0xf9, 0xbe, 0xb4, 0x19, 0x63, 0x20, 0x09, 0xae, 0x45, 0x00, 0x33, 0x4e, 0xa4, 0xbf, 0x09, 0x74, 0x78, 0x03, 0x13, 0x0b}}, + {.data_size = 16, .data_offset = 0x160300, .ciphertext = {0x8c, 0x37, 0x62, 0x84, 0x37, 0xb0, 0x80, 0x0f, 0xf2, 0xb2, 0xa8, 0x1b, 0x1e, 0x7f, 0xeb, 0x1b}}, + {.data_size = 32, .data_offset = 0x160400, .ciphertext = {0x05, 0x19, 0x1b, 0x8f, 0x30, 0xf1, 0x4d, 0x74, 0xc6, 0xf1, 0x3d, 0x9c, 0xcb, 0xbe, 0x7d, 0x06, 0x1a, 0xf4, 0xdd, 0x41, 0x23, 0x1e, 0x61, 0xe0, 0xaa, 0x14, 0x6a, 0x16, 0xac, 0x4c, 0x01, 0x67}}, } }; @@ -90,51 +96,60 @@ test_data_aes_mode_t test_data_xts_aes_256 = { test_data_aes_mode_t test_data_ecdsa = { .init_key = { 0xee, 0x89, 0x95, 0xda, 0x3c, 0x8a, 0x43, 0x83, 0xa9, 0x4b, 0x25, 0x5b, 0x04, 0x7e, 0xf1, 0x57, 0xb8, 0xe8, 0x06, 0x45, 0x87, 0x76, 0xee, 0x1b, 0x4e, 0x2e, 0x55, 0xa7, 0x1f, 0x25, 0xe1, 0x94 }, .k2_info = { 0x8f, 0x96, 0x33, 0x47, 0xe1, 0xa5, 0x57, 0xe9, 0x2a, 0x51, 0xa9, 0xbe, 0x48, 0x84, 0x25, 0x4e, 0x6f, 0x50, 0x1c, 0x45, 0xdb, 0xb6, 0xfa, 0xeb, 0x35, 0xd2, 0x27, 0x91, 0x3f, 0x67, 0x57, 0xd9, 0xcb, 0x55, 0xe4, 0x2b, 0x18, 0x16, 0xe7, 0xce, 0x6c, 0xf2, 0x58, 0x71, 0x17, 0x76, 0x2a, 0x86, 0x05, 0xe7, 0x37, 0x45, 0x71, 0x34, 0xca, 0xaf, 0x60, 0x07, 0xdf, 0xf4, 0xd2, 0xee, 0x3d, 0x4b }, - .k1_encrypted = { { 0xe0, 0xe8, 0x41, 0xe3, 0xd0, 0x92, 0x71, 0x84, 0x4b, 0x02, 0x1e, 0xec, 0x14, 0xdd, 0xaf, 0xf8, 0x39, 0xf9, 0x6a, 0x8d, 0x1b, 0xd7, 0x64, 0x3b, 0x7b, 0xa6, 0x05, 0x42, 0x01, 0xfb, 0xab, 0xe1 }, { } }, + .k1_encrypted = { + { 0xf2, 0x97, 0xcb, 0x28, 0xe0, 0x9b, 0xae, 0xc8, 0xa3, 0xbe, 0x53, 0xa0, 0xde, 0x43, 0xbe, 0xdd, 0xab, 0x93, 0x78, 0xf9, 0x05, 0x69, 0xd0, 0x8c, 0x80, 0x03, 0x07, 0x4c, 0x12, 0x17, 0x5a, 0xb3 }, + { 0x37, 0xcf, 0x5b, 0x9e, 0x08, 0x26, 0x36, 0x31, 0xd7, 0x51, 0x3c, 0x33, 0x0d, 0x5d, 0x03, 0xad, 0x48, 0x6e, 0xbe, 0x82, 0xce, 0xa9, 0xc8, 0xd5, 0x98, 0x11, 0x24, 0xcc, 0x83, 0xf8, 0xf9, 0x53 }, + { 0x48, 0x6e, 0xbe, 0x82, 0xce, 0xa9, 0xc8, 0xd5, 0x98, 0x11, 0x24, 0xcc, 0x83, 0xf8, 0xf9, 0x53, 0x1b, 0x44, 0xdf, 0x62, 0x72, 0x6e, 0xff, 0x10, 0xcf, 0x9b, 0xff, 0xac, 0xb3, 0x9f, 0xec, 0x22 }, + { 0x31, 0xd4, 0x4f, 0xf4, 0xf6, 0x1d, 0xa1, 0xc7, 0x1f, 0x2c, 0x11, 0xca, 0x9f, 0x21, 0x26, 0xaa, 0x37, 0xcf, 0x5b, 0x9e, 0x08, 0x26, 0x36, 0x31, 0xd7, 0x51, 0x3c, 0x33, 0x0d, 0x5d, 0x03, 0xad }, + }, .ecdsa_test_data = { - .pubx = { 0x25, 0x8c, 0x48, 0x4d, 0x0b, 0x4d, 0x3f, 0xbf, 0xde, 0xcf, 0x00, 0xc9, 0x4b, 0x0b, 0xf1, 0x14, 0xb4, 0x31, 0x97, 0x79, 0x5a, 0xd3, 0x48, 0x72, 0x44, 0x2d, 0xab, 0x76, 0x29, 0xb9, 0x8b, 0x05 }, - .puby = { 0xf5, 0x6b, 0xfb, 0xb4, 0xe4, 0xde, 0x81, 0x83, 0xa7, 0x0a, 0x90, 0xe4, 0x33, 0x41, 0x92, 0xaa, 0xc5, 0xed, 0x93, 0xe0, 0x76, 0x2b, 0xe2, 0x4b, 0xdd, 0xa2, 0x8e, 0xe1, 0xc9, 0xe2, 0x94, 0x50 } + .ecdsa_p192_pubx = { 0x69, 0x45, 0x1d, 0x62, 0x28, 0xaf, 0x75, 0x07, 0x97, 0x93, 0xc3, 0xed, 0xf3, 0x28, 0x91, 0x4b, 0xc7, 0x3c, 0x33, 0xa6, 0x27, 0x24, 0x9a, 0xd6 }, + .ecdsa_p192_puby = { 0xe0, 0x15, 0xaa, 0x98, 0x78, 0x05, 0x4b, 0x4c, 0x25, 0xb4, 0xd2, 0x07, 0xf1, 0xef, 0xb0, 0x1e, 0x44, 0x0e, 0x24, 0x67, 0xb8, 0x54, 0x1b, 0xd2 }, + .ecdsa_p256_pubx = { 0x0e, 0xd7, 0x04, 0x7e, 0x9e, 0x6a, 0x06, 0xa1, 0xbf, 0x8d, 0x9d, 0xc7, 0x45, 0x66, 0xb8, 0x9d, 0xc4, 0x41, 0xa6, 0x0e, 0x7a, 0xfb, 0xac, 0x69, 0x7f, 0x55, 0x0a, 0x89, 0x2f, 0xac, 0xad, 0xb4 }, + .ecdsa_p256_puby = { 0x15, 0x21, 0x03, 0xb6, 0x56, 0x5c, 0x63, 0x4a, 0xfb, 0xd1, 0xa8, 0x7e, 0x2f, 0xe6, 0xb3, 0x6e, 0xc8, 0x2e, 0x60, 0x11, 0xce, 0x43, 0xd6, 0xd3, 0x5d, 0x53, 0x01, 0x22, 0xef, 0x21, 0xb5, 0x17 }, + .ecdsa_p384_pubx = { 0x6b, 0x2b, 0xaf, 0xca, 0x83, 0xe4, 0xd8, 0x39, 0x28, 0x52, 0xb8, 0x08, 0x12, 0xb6, 0x94, 0x39, 0xe0, 0xd4, 0xf4, 0x12, 0x3b, 0xd2, 0xbb, 0x2d, 0xc6, 0xa2, 0x1d, 0x28, 0x3a, 0xcb, 0x86, 0x02, 0xa9, 0x5d, 0x35, 0xeb, 0x28, 0x48, 0xe2, 0x1a, 0x99, 0x7c, 0x94, 0x26, 0xef, 0xb9, 0x87, 0x12 }, + .ecdsa_p384_puby = { 0xcd, 0x00, 0x76, 0xbe, 0x9f, 0x9c, 0x2d, 0xe0, 0x73, 0x3e, 0x8d, 0x0c, 0x4f, 0xe2, 0xc0, 0xb6, 0x0e, 0xf7, 0x0f, 0x7a, 0xd5, 0x4b, 0x18, 0xcd, 0xf9, 0xe6, 0xdc, 0x63, 0xa9, 0xf0, 0x03, 0x4f, 0xa4, 0x10, 0x78, 0x01, 0x3f, 0xc1, 0x55, 0x60, 0xc7, 0x53, 0x37, 0xb1, 0x3b, 0x77, 0x70, 0x2e }, } }; test_data_ecdh0_mode_t test_data_ecdh0 = { .plaintext_data = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50, 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60, 0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70, 0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80 }, .k1 = { - { 0x2c, 0x92, 0xb7, 0xf5, 0x42, 0x10, 0xf1, 0x62, 0xf7, 0xad, 0x82, 0x3a, 0xe4, 0x03, 0x13, 0xe7, 0x17, 0x0f, 0x70, 0x73, 0xf1, 0x78, 0xd9, 0xcb, 0x63, 0xb9, 0x48, 0xcd, 0x4b, 0xb0, 0x7b, 0x06 }, - { 0x2c, 0x92, 0xb7, 0xf5, 0x42, 0x10, 0xf1, 0x62, 0xf7, 0xad, 0x82, 0x3a, 0xe4, 0x03, 0x13, 0xe7, 0x17, 0x0f, 0x70, 0x73, 0xf1, 0x78, 0xd9, 0xcb, 0x63, 0xb9, 0x48, 0xcd, 0x4b, 0xb0, 0x7b, 0x06 }, + { 0x35, 0xe4, 0x6d, 0x5e, 0x69, 0x5a, 0x23, 0x33, 0xf8, 0x30, 0x91, 0xb9, 0xeb, 0x96, 0x17, 0x25, 0x59, 0x87, 0xf7, 0xaf, 0xcb, 0x9a, 0xd8, 0xc9, 0xba, 0x7d, 0x9c, 0x22, 0x27, 0x47, 0x80, 0x03 }, + { 0x35, 0xe4, 0x6d, 0x5e, 0x69, 0x5a, 0x23, 0x33, 0xf8, 0x30, 0x91, 0xb9, 0xeb, 0x96, 0x17, 0x25, 0x59, 0x87, 0xf7, 0xaf, 0xcb, 0x9a, 0xd8, 0xc9, 0xba, 0x7d, 0x9c, 0x22, 0x27, 0x47, 0x80, 0x03 }, }, .k1_G = { - { 0x25, 0x8c, 0x48, 0x4d, 0x0b, 0x4d, 0x3f, 0xbf, 0xde, 0xcf, 0x00, 0xc9, 0x4b, 0x0b, 0xf1, 0x14, 0xb4, 0x31, 0x97, 0x79, 0x5a, 0xd3, 0x48, 0x72, 0x44, 0x2d, 0xab, 0x76, 0x29, 0xb9, 0x8b, 0x05, 0xf5, 0x6b, 0xfb, 0xb4, 0xe4, 0xde, 0x81, 0x83, 0xa7, 0x0a, 0x90, 0xe4, 0x33, 0x41, 0x92, 0xaa, 0xc5, 0xed, 0x93, 0xe0, 0x76, 0x2b, 0xe2, 0x4b, 0xdd, 0xa2, 0x8e, 0xe1, 0xc9, 0xe2, 0x94, 0x50 }, - { 0x25, 0x8c, 0x48, 0x4d, 0x0b, 0x4d, 0x3f, 0xbf, 0xde, 0xcf, 0x00, 0xc9, 0x4b, 0x0b, 0xf1, 0x14, 0xb4, 0x31, 0x97, 0x79, 0x5a, 0xd3, 0x48, 0x72, 0x44, 0x2d, 0xab, 0x76, 0x29, 0xb9, 0x8b, 0x05, 0xf5, 0x6b, 0xfb, 0xb4, 0xe4, 0xde, 0x81, 0x83, 0xa7, 0x0a, 0x90, 0xe4, 0x33, 0x41, 0x92, 0xaa, 0xc5, 0xed, 0x93, 0xe0, 0x76, 0x2b, 0xe2, 0x4b, 0xdd, 0xa2, 0x8e, 0xe1, 0xc9, 0xe2, 0x94, 0x50 }, + { 0x0e, 0xd7, 0x04, 0x7e, 0x9e, 0x6a, 0x06, 0xa1, 0xbf, 0x8d, 0x9d, 0xc7, 0x45, 0x66, 0xb8, 0x9d, 0xc4, 0x41, 0xa6, 0x0e, 0x7a, 0xfb, 0xac, 0x69, 0x7f, 0x55, 0x0a, 0x89, 0x2f, 0xac, 0xad, 0xb4, 0x15, 0x21, 0x03, 0xb6, 0x56, 0x5c, 0x63, 0x4a, 0xfb, 0xd1, 0xa8, 0x7e, 0x2f, 0xe6, 0xb3, 0x6e, 0xc8, 0x2e, 0x60, 0x11, 0xce, 0x43, 0xd6, 0xd3, 0x5d, 0x53, 0x01, 0x22, 0xef, 0x21, 0xb5, 0x17 }, + { 0x0e, 0xd7, 0x04, 0x7e, 0x9e, 0x6a, 0x06, 0xa1, 0xbf, 0x8d, 0x9d, 0xc7, 0x45, 0x66, 0xb8, 0x9d, 0xc4, 0x41, 0xa6, 0x0e, 0x7a, 0xfb, 0xac, 0x69, 0x7f, 0x55, 0x0a, 0x89, 0x2f, 0xac, 0xad, 0xb4, 0x15, 0x21, 0x03, 0xb6, 0x56, 0x5c, 0x63, 0x4a, 0xfb, 0xd1, 0xa8, 0x7e, 0x2f, 0xe6, 0xb3, 0x6e, 0xc8, 0x2e, 0x60, 0x11, 0xce, 0x43, 0xd6, 0xd3, 0x5d, 0x53, 0x01, 0x22, 0xef, 0x21, 0xb5, 0x17 }, } }; test_data_aes_mode_t test_data_hmac = { .init_key = { 0xee, 0x89, 0x95, 0xda, 0x3c, 0x8a, 0x43, 0x83, 0xa9, 0x4b, 0x25, 0x5b, 0x04, 0x7e, 0xf1, 0x57, 0xb8, 0xe8, 0x06, 0x45, 0x87, 0x76, 0xee, 0x1b, 0x4e, 0x2e, 0x55, 0xa7, 0x1f, 0x25, 0xe1, 0x94 }, .k2_info = { 0x8f, 0x96, 0x33, 0x47, 0xe1, 0xa5, 0x57, 0xe9, 0x2a, 0x51, 0xa9, 0xbe, 0x48, 0x84, 0x25, 0x4e, 0x6f, 0x50, 0x1c, 0x45, 0xdb, 0xb6, 0xfa, 0xeb, 0x35, 0xd2, 0x27, 0x91, 0x3f, 0x67, 0x57, 0xd9, 0xcb, 0x55, 0xe4, 0x2b, 0x18, 0x16, 0xe7, 0xce, 0x6c, 0xf2, 0x58, 0x71, 0x17, 0x76, 0x2a, 0x86, 0x05, 0xe7, 0x37, 0x45, 0x71, 0x34, 0xca, 0xaf, 0x60, 0x07, 0xdf, 0xf4, 0xd2, 0xee, 0x3d, 0x4b }, - .k1_encrypted = { { 0xd8, 0xf5, 0xe3, 0x3e, 0x9e, 0x79, 0xb7, 0x94, 0x3c, 0x84, 0xb0, 0xd4, 0x73, 0x21, 0x55, 0x39, 0x3f, 0xa4, 0x5f, 0x27, 0x5d, 0x4a, 0x2d, 0x2a, 0x30, 0xe5, 0xa2, 0xae, 0x78, 0xde, 0x34, 0x50 }, { } }, + .k1_encrypted = { { 0x92, 0x09, 0xe1, 0xb9, 0x45, 0x56, 0x38, 0x98, 0x6c, 0x83, 0xe2, 0xff, 0xc7, 0x82, 0x84, 0x69, 0x0a, 0xb4, 0xc7, 0x48, 0x84, 0xa4, 0xa0, 0xf6, 0x5c, 0xef, 0x4a, 0xd5, 0x70, 0x33, 0xfe, 0x7c }, { } }, .hmac_test_data = { .message = { 0x44, 0x65, 0x6c, 0x65, 0x6e, 0x69, 0x74, 0x69, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x73, 0x20, 0x65, 0x78, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, 0x6f, 0x20, 0x65, 0x74, 0x20, 0x61, 0x73, 0x73, 0x75, 0x6d, 0x65, 0x6e, 0x64, 0x61, 0x2e, 0x20, 0x53, 0x65, 0x64, 0x20, 0x65, 0x74, 0x20, 0x61, 0x6c, 0x69, 0x71, 0x75, 0x69, 0x64, 0x20, 0x6d, 0x69, 0x6e, 0x75, 0x73, 0x20, 0x71, 0x75, 0x69, 0x73, 0x2e, 0x20, 0x50, 0x72, 0x61, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x69, 0x75, 0x6d, 0x20, 0x63, 0x75, 0x70, 0x69, 0x64, 0x69, 0x74, 0x61, 0x74, 0x65, 0x20, 0x71, 0x75, 0x69, 0x61, 0x20, 0x6e, 0x65, 0x6d, 0x6f, 0x20, 0x65, 0x73, 0x74, 0x2e, 0x20, 0x4c, 0x61, 0x62, 0x6f, 0x72, 0x69, 0x6f, 0x73, 0x61, 0x6d, 0x20, 0x70, 0x61, 0x72, 0x69, 0x61, 0x74, 0x75, 0x72, 0x20, 0x75, 0x74, 0x20, 0x64, 0x69, 0x73, 0x74, 0x69, 0x6e, 0x63, 0x74, 0x69, 0x6f, 0x20, 0x74, 0x65, 0x6e, 0x65, 0x74, 0x75, 0x72, 0x2e, 0x20, 0x53, 0x75, 0x6e, 0x74, 0x20, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x6f, 0x20, 0x69, 0x75, 0x72, 0x65, 0x20, 0x61, 0x73, 0x70, 0x65, 0x72, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x20, 0x73, 0x6f, 0x6c, 0x75, 0x74, 0x61, 0x20, 0x75, 0x74, 0x20, 0x72, 0x65, 0x63, 0x75, 0x73, 0x61, 0x6e, 0x64, 0x61, 0x65, 0x2e, 0x20, 0x55, 0x74, 0x20, 0x71, 0x75, 0x69, 0x62, 0x75, 0x73, 0x64, 0x61, 0x6d, 0x20, 0x6f, 0x63, 0x63, 0x61, 0x65, 0x63, 0x61, 0x74, 0x69, 0x20, 0x75, 0x74, 0x20, 0x71, 0x75, 0x69, 0x20, 0x73, 0x69, 0x74, 0x20, 0x64, 0x69, 0x67, 0x6e, 0x69, 0x73, 0x73, 0x69, 0x6d, 0x6f, 0x73, 0x20, 0x65, 0x61, 0x71, 0x75, 0x65, 0x2e, 0x2e }, - .hmac_result = { 0xa8, 0xc0, 0x4e, 0x46, 0x70, 0x24, 0x52, 0x24, 0x47, 0x05, 0x8a, 0xa0, 0x99, 0x2b, 0xf8, 0x67, 0xf6, 0x72, 0x6f, 0x51, 0xe0, 0x94, 0x97, 0xe5, 0x88, 0x71, 0x2d, 0x42, 0x63, 0xa9, 0x2c, 0xb7 } + .hmac_result = { 0xfe, 0xc4, 0x5b, 0xb8, 0x5a, 0x78, 0x83, 0x88, 0x61, 0x9d, 0x9f, 0x60, 0x4b, 0xca, 0x0e, 0xab, 0x0c, 0x91, 0x20, 0x09, 0x32, 0xcb, 0x9c, 0x66, 0xad, 0x4a, 0x3d, 0x71, 0xb9, 0xc6, 0x0c, 0x03 } } }; test_data_aes_mode_t test_data_ds = { .init_key = { 0xee, 0x89, 0x95, 0xda, 0x3c, 0x8a, 0x43, 0x83, 0xa9, 0x4b, 0x25, 0x5b, 0x04, 0x7e, 0xf1, 0x57, 0xb8, 0xe8, 0x06, 0x45, 0x87, 0x76, 0xee, 0x1b, 0x4e, 0x2e, 0x55, 0xa7, 0x1f, 0x25, 0xe1, 0x94 }, .k2_info = { 0x8f, 0x96, 0x33, 0x47, 0xe1, 0xa5, 0x57, 0xe9, 0x2a, 0x51, 0xa9, 0xbe, 0x48, 0x84, 0x25, 0x4e, 0x6f, 0x50, 0x1c, 0x45, 0xdb, 0xb6, 0xfa, 0xeb, 0x35, 0xd2, 0x27, 0x91, 0x3f, 0x67, 0x57, 0xd9, 0xcb, 0x55, 0xe4, 0x2b, 0x18, 0x16, 0xe7, 0xce, 0x6c, 0xf2, 0x58, 0x71, 0x17, 0x76, 0x2a, 0x86, 0x05, 0xe7, 0x37, 0x45, 0x71, 0x34, 0xca, 0xaf, 0x60, 0x07, 0xdf, 0xf4, 0xd2, 0xee, 0x3d, 0x4b }, - .k1_encrypted = { { 0xe0, 0xe8, 0x41, 0xe3, 0xd0, 0x92, 0x71, 0x84, 0x4b, 0x02, 0x1e, 0xec, 0x14, 0xdd, 0xaf, 0xf8, 0x39, 0xf9, 0x6a, 0x8d, 0x1b, 0xd7, 0x64, 0x3b, 0x7b, 0xa6, 0x05, 0x42, 0x01, 0xfb, 0xab, 0xe1 }, { } }, + .k1_encrypted = { { 0x37, 0xcf, 0x5b, 0x9e, 0x08, 0x26, 0x36, 0x31, 0xd7, 0x51, 0x3c, 0x33, 0x0d, 0x5d, 0x03, 0xad, 0x48, 0x6e, 0xbe, 0x82, 0xce, 0xa9, 0xc8, 0xd5, 0x98, 0x11, 0x24, 0xcc, 0x83, 0xf8, 0xf9, 0x53 }, { } }, .ds_test_data = { #if SOC_DS_SIGNATURE_MAX_BIT_LEN == 4096 - .ds_message = { 0x24, 0x9b, 0x52, 0x6f, 0xcd, 0xa0, 0x61, 0xab, 0xaa, 0x78, 0x7e, 0x3f, 0x4a, 0xd6, 0x0c, 0xd6, 0x54, 0xe7, 0xbc, 0x86, 0x07, 0xfc, 0xf5, 0x10, 0xfc, 0x81, 0x34, 0x70, 0x71, 0xcd, 0x07, 0x26, 0xa3, 0xec, 0x7c, 0x6d, 0xaa, 0xf9, 0x3b, 0x95, 0x50, 0xc8, 0x95, 0xee, 0x2a, 0x10, 0x81, 0x3b, 0xcb, 0x67, 0xdb, 0xe7, 0x17, 0x21, 0xe6, 0x9c, 0x2a, 0x3a, 0xb4, 0xa4, 0x68, 0x8d, 0x87, 0x62, 0x3d, 0xd4, 0x24, 0xdf, 0xeb, 0x35, 0x02, 0xf8, 0xd6, 0x46, 0x09, 0xc1, 0xaf, 0x0d, 0x39, 0x5f, 0x5f, 0x03, 0x5f, 0xd0, 0x4e, 0x3d, 0x29, 0x15, 0x53, 0x70, 0x6a, 0x57, 0x92, 0xfe, 0x21, 0x52, 0xae, 0xcf, 0x0e, 0xd9, 0xad, 0x66, 0xc3, 0x0f, 0x52, 0xe2, 0xd3, 0x52, 0x4d, 0xf7, 0x52, 0x3b, 0x43, 0x9e, 0x5e, 0xb7, 0xfa, 0x70, 0xc2, 0x9a, 0x53, 0xd7, 0x36, 0x4f, 0xa8, 0x80, 0xc1, 0xab, 0x62, 0xc8, 0x22, 0xef, 0x67, 0x78, 0x71, 0x74, 0x69, 0x09, 0xfd, 0x3e, 0x2c, 0x02, 0xd6, 0xeb, 0xc9, 0x15, 0x51, 0x5e, 0x9a, 0x14, 0x5c, 0x97, 0xcc, 0x4a, 0xc6, 0x6e, 0x1c, 0x57, 0xb7, 0x24, 0x6d, 0xe6, 0x39, 0x8f, 0x86, 0x37, 0x48, 0xf0, 0xd6, 0x46, 0x75, 0x13, 0x02, 0x46, 0x7d, 0x7a, 0x07, 0x1e, 0xf0, 0x69, 0x56, 0x93, 0xdc, 0x11, 0xb3, 0xd7, 0xbf, 0x55, 0x92, 0x64, 0x02, 0xf2, 0x26, 0x5d, 0x4f, 0x04, 0x45, 0xed, 0x59, 0x40, 0xf2, 0xa3, 0x3f, 0x50, 0x01, 0xc8, 0xea, 0xd1, 0x53, 0x96, 0xc6, 0x3c, 0x55, 0x67, 0x2e, 0x02, 0x28, 0xc0, 0xfd, 0xee, 0x19, 0x19, 0xa6, 0x37, 0xf3, 0x95, 0xeb, 0xd6, 0xd3, 0xbc, 0x4f, 0x8b, 0xa8, 0x3d, 0x7d, 0x35, 0xa5, 0x22, 0x23, 0x1a, 0x2c, 0x24, 0x8c, 0x90, 0x14, 0xfc, 0x4f, 0x2e, 0xc6, 0x03, 0x42, 0x33, 0x07, 0x7a, 0xec, 0xe8, 0xc3, 0x9c, 0x13, 0x7c, 0x56, 0x8c, 0xd0, 0x5a, 0x90, 0xe3, 0x40, 0x68, 0xeb, 0x9d, 0x91, 0x73, 0x85, 0xe3, 0x7d, 0xb3, 0xa9, 0x9a, 0x82, 0x1c, 0x0a, 0x50, 0x1f, 0x1a, 0xc6, 0x22, 0x88, 0x24, 0x04, 0x79, 0xfe, 0x3e, 0xce, 0x6f, 0xae, 0xa7, 0x8f, 0xb3, 0x3b, 0x05, 0xf1, 0xbb, 0x3b, 0xf1, 0x7b, 0x0a, 0x4f, 0x7e, 0x81, 0xea, 0xdf, 0x04, 0x27, 0x4b, 0x76, 0x4d, 0x52, 0x93, 0xd3, 0xa1, 0xc8, 0x6c, 0x42, 0xcb, 0x3f, 0xaf, 0xd2, 0x74, 0x5b, 0x75, 0x4e, 0xd2, 0x4f, 0x3a, 0x28, 0xf0, 0xe1, 0xfe, 0xac, 0xe1, 0xb9, 0x47, 0xc5, 0x27, 0x0f, 0xe6, 0xd8, 0x7b, 0x1d, 0x5c, 0x52, 0xf4, 0xf2, 0x3d, 0x98, 0x9a, 0x27, 0x3a, 0xac, 0x9e, 0xa4, 0x9c, 0xea, 0xfb, 0xf6, 0x95, 0xf0, 0xbf, 0x15, 0xc5, 0xa9, 0xf2, 0x74, 0x30, 0x5e, 0xff, 0x90, 0x71, 0x30, 0x6a, 0x6f, 0x92, 0xb9, 0x7c, 0x7b, 0xe4, 0x9b, 0xae, 0x2d, 0xb8, 0xdc, 0xe2, 0x4e, 0x7c, 0x5e, 0xc1, 0xc1, 0xb6, 0xf7, 0x48, 0x67, 0x06, 0x28, 0x84, 0xf1, 0xd2, 0x0b, 0x34, 0xff, 0xd6, 0x29, 0xc8, 0xce, 0x46, 0x8f, 0x4d, 0x8f, 0x26, 0x43, 0x0d, 0x65, 0xfa, 0xdc, 0x0e, 0x54, 0x60, 0x24, 0xae, 0x49, 0x64, 0x27, 0x73, 0x8e, 0x8d, 0x6a, 0xc2, 0x7a, 0xee, 0x09, 0xf8, 0xbb, 0xbb, 0x0b, 0x05, 0x36, 0xa5, 0xca, 0x87, 0x3c, 0x32, 0x69, 0xbc, 0x91, 0x0b, 0x53, 0xec, 0x7e, 0x5a, 0x68, 0x8a, 0xea, 0xa5, 0xd9, 0x2b, 0x7a, 0xbd, 0x66, 0x93, 0xa0, 0x0e, 0x30, 0x4c, 0xf7, 0x54, 0x4f, 0x7f, 0x63, 0x79, 0x53, 0xdc, 0xd0, 0xf0, 0x0a, 0x0c, 0xb2, 0x68, 0x3e, 0xab, 0xed, 0x60, 0x78, 0xbe, 0x59, 0xc4, 0x72, 0xcb, 0x35, 0xd6, 0x44, 0x44, 0xfd, 0x10, 0x47, 0xa2, 0x28, 0xed, 0xcd, 0x3b, 0x7e, 0xe9, 0x42, 0x37 }, - .ds_encrypted_input_params = { 0xb6, 0x7e, 0xce, 0xf8, 0x83, 0x31, 0x57, 0x71, 0x2c, 0x34, 0x27, 0xe9, 0x98, 0xc9, 0x9f, 0x07, 0x8d, 0xeb, 0x88, 0x1c, 0xd3, 0xed, 0x6f, 0x32, 0x40, 0xd2, 0x94, 0x7a, 0x52, 0x30, 0x78, 0x55, 0x72, 0xcb, 0x9a, 0x67, 0x6c, 0x68, 0x0b, 0x9e, 0x09, 0x8e, 0x52, 0x5b, 0x6c, 0x6a, 0xc8, 0xcb, 0x44, 0xa9, 0x0d, 0x42, 0xff, 0xcc, 0x0f, 0x70, 0x95, 0x73, 0x35, 0x4b, 0x1a, 0xef, 0xf7, 0x6f, 0x23, 0x6e, 0x7a, 0xd2, 0xdd, 0xa1, 0xdb, 0x20, 0xe7, 0x50, 0x5a, 0x1a, 0x3c, 0xa8, 0xa7, 0xa6, 0x41, 0x92, 0x8e, 0x90, 0x49, 0x11, 0x90, 0x83, 0x7b, 0x03, 0x1b, 0x9a, 0x32, 0xf4, 0x63, 0x10, 0x04, 0x61, 0xf3, 0x91, 0x8c, 0xbd, 0xed, 0x9e, 0x36, 0x90, 0x7d, 0x0a, 0xbb, 0xd2, 0xbe, 0x9b, 0xcb, 0x8f, 0x7c, 0x7a, 0xb7, 0x98, 0xaf, 0x19, 0x4f, 0x83, 0x26, 0xcc, 0x46, 0x56, 0x8a, 0x77, 0x03, 0x0e, 0x40, 0x7e, 0x17, 0x9e, 0xf8, 0x5e, 0xdc, 0x53, 0x27, 0x66, 0x33, 0x90, 0x9c, 0x1c, 0xfc, 0x85, 0xa1, 0xc3, 0x2a, 0x4d, 0xc0, 0xe0, 0xb5, 0xd8, 0x3f, 0x81, 0x64, 0x33, 0x68, 0x16, 0x48, 0xc8, 0x48, 0xc1, 0x6b, 0xbd, 0x1f, 0xe3, 0x57, 0xe2, 0x5c, 0xf7, 0x0f, 0x66, 0x9c, 0x90, 0xe6, 0x06, 0x09, 0x79, 0xe5, 0x04, 0x0d, 0x8d, 0x81, 0x76, 0x71, 0xc4, 0x5d, 0xae, 0x55, 0x03, 0x91, 0x3a, 0x1c, 0xe6, 0x4f, 0x92, 0x48, 0xbe, 0x20, 0xc2, 0x2c, 0xb4, 0x4e, 0xee, 0x89, 0xf5, 0xa0, 0x93, 0xa2, 0x09, 0x81, 0x1d, 0xa5, 0xf5, 0xac, 0xc8, 0xf0, 0x8c, 0xf3, 0x04, 0xca, 0x98, 0x4d, 0xc5, 0x20, 0xdf, 0x0e, 0x10, 0x9b, 0x62, 0x22, 0x36, 0xef, 0x71, 0x83, 0xb6, 0x23, 0xf9, 0xd4, 0x71, 0x2a, 0x03, 0xce, 0x8c, 0x65, 0x15, 0x58, 0x04, 0xa6, 0x11, 0xa1, 0xcb, 0x5b, 0x2c, 0xcf, 0xe1, 0xd2, 0x06, 0x86, 0xd2, 0x07, 0xcd, 0xd7, 0xcc, 0xd8, 0xb8, 0xb5, 0x3e, 0xe3, 0x19, 0x56, 0xa3, 0xf5, 0x9e, 0x8b, 0x85, 0x21, 0x38, 0x6b, 0xea, 0xec, 0xf2, 0x57, 0xf6, 0x2f, 0x0f, 0x79, 0x5e, 0xcd, 0xad, 0xa9, 0x42, 0xb3, 0x75, 0x2f, 0xc6, 0xf5, 0x6a, 0xf6, 0x62, 0x1a, 0x7c, 0xbb, 0x83, 0x80, 0xdb, 0x1d, 0x30, 0x37, 0x07, 0x5a, 0x1b, 0x92, 0x5b, 0x4a, 0xc8, 0x0c, 0x2f, 0xd5, 0x97, 0xd6, 0x35, 0x5f, 0xb8, 0xae, 0x9c, 0x5c, 0x80, 0x57, 0xad, 0xd3, 0x4b, 0x5b, 0xe3, 0x45, 0x47, 0x9a, 0x59, 0x07, 0xff, 0xaa, 0x9d, 0x43, 0x57, 0xaf, 0x42, 0xbd, 0x7d, 0x76, 0x74, 0x7a, 0xdf, 0x81, 0xfd, 0x5e, 0xab, 0x72, 0xfe, 0xed, 0xd3, 0x44, 0xe1, 0x69, 0x0d, 0xc1, 0x33, 0xc7, 0xda, 0x9d, 0xd8, 0xfe, 0x82, 0x1d, 0x72, 0xba, 0xd8, 0x79, 0x2e, 0x10, 0x4e, 0x7d, 0x64, 0x13, 0xac, 0x3e, 0x6c, 0xb2, 0x9c, 0x29, 0xae, 0x0b, 0x38, 0x1b, 0x02, 0x79, 0xb8, 0xad, 0x23, 0x8a, 0xc9, 0x8c, 0xbd, 0xaf, 0xc2, 0x86, 0x76, 0x3a, 0x86, 0xbd, 0x6e, 0x1e, 0xd9, 0x87, 0x00, 0x94, 0x9c, 0x03, 0x10, 0x9f, 0x51, 0x9b, 0x11, 0x4b, 0x6a, 0x25, 0x2e, 0xac, 0x5e, 0x74, 0x7e, 0xf3, 0xe2, 0x11, 0x12, 0x90, 0x40, 0xc0, 0x9e, 0xe8, 0x0a, 0x3d, 0x17, 0xea, 0x6a, 0x27, 0xe7, 0x99, 0xaa, 0xe5, 0x1c, 0x61, 0x31, 0xc3, 0xe9, 0x01, 0xac, 0x67, 0xe5, 0x9b, 0xec, 0xd2, 0x0c, 0x5d, 0x12, 0xfc, 0xa9, 0x1d, 0x7c, 0xcf, 0x68, 0xfb, 0x80, 0x66, 0xf0, 0x34, 0xe3, 0xdf, 0x3d, 0xdc, 0xd0, 0x91, 0xd8, 0x1f, 0xeb, 0x0c, 0x50, 0xdd, 0x37, 0xea, 0x4f, 0x3a, 0x29, 0x21, 0x0c, 0xb1, 0xea, 0x09, 0xdd, 0x23, 0xbd, 0x32, 0xcc, 0x93, 0xe2, 0x83, 0xe4, 0xc9, 0xd3, 0x16, 0x90, 0x91, 0x81, 0x3f, 0x0d, 0x8e, 0x95, 0x6b, 0x49, 0x00, 0x76, 0x0c, 0x95, 0x6b, 0x97, 0x89, 0x03, 0x1f, 0xa4, 0x14, 0x3c, 0xe3, 0xb4, 0x6f, 0x79, 0x5b, 0x31, 0x02, 0x11, 0xe7, 0x91, 0xe4, 0x9b, 0x4e, 0x5d, 0x7b, 0x2f, 0x9d, 0xb0, 0xa4, 0x08, 0x07, 0x79, 0x0b, 0xa7, 0x10, 0x6a, 0xf3, 0x27, 0x4d, 0xb7, 0xca, 0x76, 0x16, 0xcc, 0x91, 0xa6, 0x86, 0xcf, 0xbe, 0xbf, 0xb4, 0x15, 0x35, 0x61, 0x0a, 0x55, 0x0f, 0xd9, 0x0e, 0x5e, 0xb9, 0x8a, 0xe7, 0xbb, 0x36, 0xf5, 0xea, 0x31, 0xdc, 0x5a, 0xae, 0x9a, 0x5e, 0xa0, 0xd2, 0xfd, 0xdb, 0xcb, 0x51, 0x3c, 0xb1, 0x48, 0xee, 0xa5, 0xeb, 0xb1, 0x84, 0x62, 0x56, 0x75, 0x56, 0x79, 0xdd, 0xf9, 0xa8, 0x26, 0x72, 0x74, 0x5b, 0xad, 0x1f, 0xcf, 0x01, 0x94, 0x5c, 0xf7, 0xd3, 0x2d, 0x60, 0xa4, 0x23, 0x8a, 0x1f, 0x97, 0x2c, 0xe6, 0x13, 0x8c, 0x61, 0x6b, 0x9c, 0xba, 0x02, 0x3d, 0x25, 0xf5, 0x86, 0x44, 0xcd, 0xee, 0x56, 0x10, 0x32, 0xbb, 0xee, 0xf2, 0x3b, 0x2b, 0x4e, 0xa2, 0x1e, 0xb1, 0x8b, 0x00, 0x14, 0x21, 0xbb, 0x57, 0x38, 0xf4, 0x49, 0x42, 0x27, 0x0e, 0x82, 0xd0, 0x9d, 0xcd, 0x53, 0x72, 0x25, 0xa1, 0x6e, 0xe9, 0xfd, 0xd8, 0xaf, 0x3b, 0xc5, 0x69, 0x1e, 0x58, 0x2f, 0x1f, 0x2b, 0x77, 0xa1, 0x46, 0x03, 0x35, 0x6e, 0x38, 0x0e, 0x9e, 0xa6, 0x22, 0x80, 0x69, 0x05, 0x2b, 0x8c, 0x8e, 0x7a, 0x64, 0x02, 0xe6, 0x4f, 0x71, 0x85, 0x89, 0xc6, 0xf5, 0xe4, 0xd2, 0xe8, 0xd0, 0x0b, 0x1e, 0xc3, 0x5b, 0x92, 0xd8, 0xe1, 0x1f, 0xd5, 0x95, 0xee, 0x24, 0x01, 0x33, 0xa1, 0x39, 0x76, 0x44, 0xd8, 0xba, 0xd4, 0x79, 0x08, 0xae, 0x2a, 0xcf, 0xb5, 0xe3, 0x4a, 0x86, 0x2d, 0x38, 0x64, 0xff, 0x9e, 0x26, 0xec, 0x20, 0x37, 0xe9, 0xd5, 0x0a, 0xa2, 0x3a, 0x3d, 0x75, 0xd9, 0xf7, 0x66, 0x6b, 0x6d, 0x63, 0x53, 0x16, 0x88, 0x37, 0xad, 0xa0, 0x2e, 0x77, 0xc2, 0x2e, 0x43, 0x1a, 0xf9, 0x55, 0xc8, 0x74, 0xa7, 0xb4, 0xe9, 0x24, 0x2f, 0xa5, 0xb8, 0x1e, 0x1b, 0x58, 0x5d, 0x44, 0x2f, 0x58, 0x59, 0x00, 0x34, 0xe3, 0xf5, 0xa9, 0x12, 0x06, 0x20, 0x5c, 0x59, 0x7b, 0x29, 0x3c, 0x8b, 0x4b, 0x0e, 0xc3, 0x6b, 0x43, 0x55, 0x04, 0x08, 0x65, 0x1a, 0x9a, 0x42, 0xf4, 0xd1, 0xbc, 0x1e, 0x10, 0x96, 0x79, 0x6f, 0xaa, 0x29, 0x8e, 0x3d, 0xce, 0x09, 0x94, 0xff, 0xdd, 0x8a, 0x49, 0x73, 0xde, 0x49, 0xb9, 0xb7, 0x44, 0x9a, 0xd1, 0xcf, 0xc3, 0xd7, 0xb4, 0x71, 0x97, 0xa0, 0x9f, 0x73, 0x62, 0xbb, 0x0a, 0x59, 0x63, 0x64, 0x73, 0x3a, 0x62, 0x5f, 0xae, 0x4b, 0xac, 0xe2, 0x0d, 0x30, 0xa5, 0x2a, 0x65, 0x04, 0x13, 0x17, 0xbb, 0x4f, 0x72, 0xaf, 0xce, 0x5a, 0x28, 0x69, 0xfa, 0x60, 0xe0, 0xc5, 0xc4, 0x65, 0x5d, 0x48, 0xd1, 0x1c, 0x91, 0xd1, 0x59, 0xf4, 0xde, 0x79, 0x2a, 0xf1, 0xd5, 0x60, 0x12, 0xd2, 0x84, 0xc8, 0x0e, 0x0d, 0xa9, 0x78, 0x3b, 0xfb, 0xff, 0x1d, 0xdd, 0xd9, 0x9b, 0xac, 0xa0, 0x8c, 0x76, 0x96, 0xe5, 0x10, 0xfb, 0xfe, 0xab, 0x14, 0xbd, 0x66, 0xa4, 0xa2, 0xe2, 0xe9, 0x6c, 0xf5, 0x6e, 0xba, 0x3a, 0x7a, 0x8a, 0x97, 0x65, 0x9b, 0xdb, 0x92, 0xff, 0xea, 0xd7, 0xa6, 0xeb, 0x48, 0x89, 0x2a, 0x21, 0x83, 0xb8, 0xa2, 0xf3, 0xd9, 0xae, 0xa0, 0x7d, 0xd2, 0x2a, 0xde, 0xaa, 0xaf, 0x8b, 0x30, 0xfd, 0x0c, 0xc0, 0xcb, 0x69, 0x3d, 0x55, 0xe0, 0x9a, 0x57, 0xd3, 0x6d, 0x60, 0xf9, 0xc9, 0x98, 0x30, 0x57, 0x6a, 0x22, 0xaf, 0x72, 0xc1, 0x29, 0xcc, 0xdb, 0x81, 0xe7, 0xe1, 0xdc, 0xca, 0xfe, 0xea, 0xa9, 0xc4, 0x48, 0x64, 0x16, 0x91, 0xba, 0xb7, 0x0b, 0x76, 0xd9, 0x9f, 0xed, 0x19, 0xfb, 0x70, 0x6e, 0xc9, 0xb0, 0xe5, 0x24, 0x1d, 0x99, 0x1c, 0xd3, 0x23, 0x6f, 0x11, 0x4e, 0xac, 0x11, 0xb0, 0xfc, 0x3c, 0x3b, 0xc7, 0xb7, 0xc7, 0x1a, 0xdf, 0x56, 0xe3, 0xd0, 0x4c, 0x2a, 0xde, 0xa4, 0x70, 0xa1, 0xb8, 0xbf, 0x81, 0xab, 0x7b, 0x10, 0x3f, 0xe9, 0x7d, 0xf1, 0x82, 0xcc, 0x4e, 0xcf, 0x00, 0x79, 0x69, 0xdb, 0x99, 0xdf, 0x15, 0xee, 0x1e, 0xbd, 0x28, 0x34, 0xfc, 0xc5, 0x1f, 0xea, 0xf0, 0xca, 0x9f, 0x73, 0x60, 0x5d, 0xe3, 0x03, 0x2f, 0x24, 0xb5, 0x18, 0xcb, 0x35, 0x14, 0x88, 0x87, 0xa0, 0xef, 0x63, 0x43, 0xbc, 0x24, 0x2b, 0x67, 0x8e, 0xc6, 0x4a, 0x92, 0xcf, 0xd9, 0xd3, 0xb8, 0xfb, 0x74, 0xc2, 0x4c, 0xb1, 0x00, 0x5d, 0xa5, 0x23, 0x59, 0xf7, 0xfe, 0x8e, 0x25, 0x07, 0x7f, 0xf8, 0xfd, 0x29, 0x4a, 0x93, 0x80, 0x63, 0x0d, 0xd3, 0x56, 0xff, 0x61, 0x74, 0x1e, 0x19, 0x8f, 0x15, 0x34, 0xd0, 0x53, 0xbf, 0x30, 0xae, 0x86, 0x46, 0x56, 0xfc, 0x73, 0x80, 0x57, 0xe4, 0x11, 0x59, 0x2d, 0xd4, 0x0a, 0xfe, 0x16, 0x22, 0x23, 0xe2, 0xec, 0x15, 0x15, 0xc4, 0xb8, 0xe2, 0xd0, 0x45, 0xa9, 0xce, 0xb4, 0x48, 0x54, 0x79, 0x73, 0x6d, 0x1b, 0x49, 0x32, 0x5b, 0xe3, 0x23, 0x78, 0xf4, 0xa6, 0xe2, 0xd4, 0xc4, 0x43, 0xeb, 0xd4, 0x1b, 0x9f, 0xdb, 0xb6, 0xdb, 0x7a, 0x54, 0x83, 0x99, 0xb9, 0x7c, 0x24, 0x0e, 0x08, 0xbc, 0x27, 0x65, 0x15, 0x24, 0xc5, 0x8b, 0x35, 0xe7, 0x9a, 0x24, 0x62, 0x88, 0x2b, 0x13, 0xe5, 0xc9, 0x5a, 0x14, 0xe8, 0xde, 0xa0, 0x17, 0xb2, 0x1d, 0xcb, 0xb5, 0xb0, 0xc6, 0xcd, 0x89, 0x89, 0xe7, 0x2a, 0x8a, 0x8f, 0x9e, 0x1c, 0xc5, 0x6c, 0xf4, 0xc5, 0x9b, 0xad, 0x39, 0xe1, 0xef, 0xb5, 0x9a, 0xc8, 0x67, 0x33, 0x45, 0xae, 0x44, 0xca, 0x12, 0x2c, 0x8b, 0x6f, 0x16, 0x30, 0x0b, 0xbc, 0x3b, 0x5b, 0x7c, 0xd0, 0x79, 0x31, 0xf6, 0xd9, 0x56, 0x8b, 0xe7, 0xc0, 0x8b, 0x26, 0x46, 0x0d, 0xe8, 0xa9, 0x99, 0x6a, 0xf6, 0x84, 0x89, 0xb9, 0x40, 0xbb, 0xd5, 0x97, 0xd8, 0x3c, 0x3d, 0xcf, 0xd1, 0xf2, 0xa5, 0xf6, 0xda, 0x50, 0x76, 0xe4, 0x28, 0xe4, 0x9f, 0x75, 0x67, 0x9f, 0xa2, 0x9b, 0x56, 0xf8, 0xd8, 0xbc, 0x25, 0x30, 0x57, 0x13, 0xa8, 0x33, 0xcf, 0x0a, 0xb9, 0xba, 0x22, 0x12, 0xac, 0xe0, 0xf1, 0xfb, 0x89, 0xe8, 0x50, 0x5b, 0x9b, 0xb9, 0x06, 0xf4, 0x8b, 0x63, 0xf5, 0x58, 0xd0, 0x12, 0x8b, 0xc1, 0xe5, 0x5e, 0xa9, 0x02, 0x36, 0x78, 0x33, 0xea, 0x91, 0x7d, 0xac, 0x67, 0x0b, 0x98, 0xa5, 0x24, 0xe7, 0xe3, 0xb2, 0xd9, 0xa0, 0xcc, 0x7b, 0xa5, 0x90, 0x6f, 0x36, 0xf4, 0xc1, 0x85, 0x13, 0x57, 0x31, 0xb4, 0x36, 0x44, 0x91, 0x7e, 0x50, 0xb7, 0x5a, 0x30, 0x33, 0xf2, 0xf3, 0x4f, 0x5d, 0x7f, 0x15, 0xad, 0x9c, 0xd5, 0x40, 0x35, 0x4c, 0x0b, 0x7c, 0xc2, 0x9e, 0xd7, 0xfb, 0xa8, 0xd0, 0xb3, 0x39, 0x3e, 0x02, 0xb8, 0x4c, 0x1d, 0x60, 0xfd, 0x45, 0xef, 0x5b, 0x45, 0xef, 0xc1, 0x0b, 0xea, 0xd3, 0xa0, 0x61, 0x9e, 0xab, 0x68, 0xc9, 0xa6, 0x88, 0x87, 0x50, 0xd0, 0xdf, 0x77, 0x93, 0x7d, 0x42, 0xcc, 0x3e, 0xb5, 0xb8, 0xf9, 0xe0, 0x6e, 0xee, 0x69, 0xf5, 0x7f, 0xb7, 0x28, 0x23, 0x0b, 0x0c, 0xc5, 0x7f, 0x42, 0xbe, 0x25, 0x57, 0x7c, 0x47, 0x0a, 0xc0, 0x51, 0xf0, 0xf8, 0x90, 0xea, 0x41, 0x71, 0x70, 0xb0, 0xd2, 0xd3, 0xca, 0x2d, 0x0b, 0xf4, 0xae, 0x0d, 0x65, 0x7f, 0x89, 0x0e, 0x30, 0x2f, 0x6a, 0x21, 0xcc, 0x9d, 0x6e, 0x2e, 0xa6, 0xe2, 0xda, 0xd0, 0xbf, 0xbd, 0xcb, 0x53, 0x98, 0xa1, 0xaa, 0xfe, 0xe0, 0x8b, 0xb5, 0x50, 0xdb, 0x89, 0xa3, 0xfe, 0x02, 0x32, 0x35, 0x7b, 0xb7, 0x5e, 0x3c, 0x3b, 0x2c, 0x71, 0xe2, 0x00, 0x31, 0x84, 0x59, 0xd2, 0x30, 0x27, 0xa4, 0xe4, 0x36, 0xc1, 0x36, 0x4c, 0x38, 0x16 }, + .ds_message = { 0x29, 0x35, 0xb7, 0x0d, 0x63, 0x95, 0xaf, 0x34, 0xc3, 0xc1, 0xe5, 0x21, 0xb8, 0x74, 0xb8, 0x38, 0x95, 0xe9, 0x10, 0xf6, 0x81, 0x7e, 0xf8, 0x65, 0x05, 0x59, 0x7f, 0x2b, 0xda, 0x85, 0xa9, 0xaa, 0xa6, 0xcf, 0xf7, 0xdf, 0xa7, 0x16, 0x08, 0x48, 0x02, 0x5c, 0x2b, 0x1c, 0xed, 0x92, 0xb6, 0x0c, 0xac, 0xd2, 0x7f, 0x70, 0x50, 0x1e, 0x5b, 0x4a, 0x32, 0xec, 0x19, 0xe8, 0xa3, 0x88, 0xca, 0x36, 0x83, 0x24, 0xe4, 0x5d, 0x1a, 0xf6, 0x38, 0x11, 0xdb, 0xcb, 0xab, 0x3e, 0x2b, 0xcb, 0x76, 0x6a, 0x88, 0x3c, 0xf8, 0x11, 0x8f, 0xfd, 0x85, 0x82, 0xbf, 0xad, 0xc0, 0x47, 0x5a, 0xcd, 0xaf, 0x3b, 0x77, 0xf0, 0x53, 0x89, 0xe9, 0xfe, 0x0a, 0x76, 0x93, 0xf9, 0xf3, 0xf5, 0x5f, 0x16, 0x12, 0x07, 0x53, 0x15, 0x31, 0x03, 0xb9, 0x16, 0x62, 0x88, 0x6c, 0x2e, 0x41, 0x10, 0x88, 0x63, 0xb9, 0x77, 0xa5, 0xc2, 0xa1, 0xb8, 0x90, 0x8c, 0x3d, 0x74, 0x14, 0xb1, 0xf3, 0xde, 0x4b, 0x90, 0xd4, 0xb0, 0x95, 0xd9, 0xc0, 0x3d, 0x61, 0x1e, 0x03, 0xf7, 0x79, 0x9f, 0x98, 0x44, 0x4b, 0x13, 0xf5, 0xb1, 0x57, 0xfd, 0x76, 0xde, 0x30, 0x0e, 0x16, 0xf0, 0xb0, 0x7b, 0xa9, 0x5e, 0x0d, 0xf8, 0xf8, 0x39, 0xea, 0xe4, 0x72, 0x9b, 0xb7, 0xb9, 0xa6, 0xb2, 0x97, 0xd8, 0x2e, 0xf2, 0xf3, 0x18, 0xc3, 0x35, 0xd1, 0x69, 0x9b, 0x07, 0x4e, 0x37, 0xcd, 0xb5, 0xae, 0x8e, 0x7c, 0x3e, 0xaf, 0xfa, 0x29, 0x7f, 0x2b, 0x7c, 0x85, 0x57, 0x0f, 0x45, 0x49, 0xd8, 0x76, 0x2a, 0x7f, 0xc4, 0xf0, 0x3b, 0xca, 0x38, 0x90, 0x7d, 0x99, 0x7b, 0x0c, 0xf1, 0x07, 0x98, 0x0b, 0x00, 0x86, 0xbb, 0xa0, 0x55, 0x2b, 0xd0, 0x84, 0x56, 0x05, 0x05, 0x30, 0x61, 0xa5, 0xe5, 0xca, 0x6d, 0xb4, 0x43, 0x7c, 0x61, 0x4f, 0x84, 0xe1, 0xed, 0xd9, 0xdc, 0xf8, 0x17, 0xf4, 0x11, 0xd2, 0xa1, 0x85, 0xde, 0x00, 0x5e, 0x29, 0x2b, 0x64, 0xcb, 0x88, 0x2f, 0xc8, 0x13, 0x2d, 0xfb, 0xd6, 0xc7, 0x49, 0xc8, 0xf7, 0x41, 0x56, 0x20, 0xd9, 0x8c, 0xb4, 0xb8, 0xba, 0x82, 0xe9, 0xe7, 0xa5, 0x73, 0xec, 0xc5, 0xaa, 0x47, 0x47, 0x07, 0xf0, 0x34, 0x27, 0x4b, 0x3d, 0x6c, 0x79, 0x57, 0x52, 0x4c, 0xdd, 0x39, 0xb1, 0x57, 0x38, 0xd8, 0x5e, 0x89, 0x96, 0x2b, 0x38, 0xd9, 0x2d, 0x88, 0x88, 0x7d, 0xb3, 0x6e, 0xde, 0x80, 0x05, 0xd5, 0xc4, 0xeb, 0x7b, 0xcd, 0x36, 0xbf, 0xa4, 0xd6, 0xaa, 0x63, 0x61, 0xbc, 0xa8, 0x78, 0xd1, 0xb3, 0xbb, 0x30, 0x96, 0x73, 0xf1, 0x47, 0xcb, 0x77, 0xa4, 0x45, 0x04, 0x57, 0x6b, 0x4b, 0x3d, 0x7f, 0xd4, 0x84, 0xac, 0x5e, 0x3a, 0xf2, 0xa4, 0x89, 0x07, 0x52, 0x3b, 0xed, 0xcd, 0x08, 0xd8, 0xb9, 0xff, 0x3e, 0x72, 0xf3, 0x4e, 0xbd, 0x59, 0x97, 0x22, 0x8e, 0x58, 0xc3, 0x2c, 0x66, 0x97, 0x79, 0x53, 0x20, 0x9e, 0x7b, 0x20, 0xf9, 0xde, 0xad, 0x21, 0x65, 0x0a, 0x4f, 0x61, 0xea, 0x13, 0xa9, 0x95, 0x89, 0xd2, 0xbb, 0x8d, 0x1e, 0x3c, 0x01, 0x41, 0x51, 0xb3, 0xe7, 0xd5, 0xa3, 0xdd, 0x78, 0x29, 0x5d, 0xe9, 0x2f, 0x2c, 0x1e, 0xf7, 0x74, 0x6c, 0x6e, 0x66, 0x44, 0xb7, 0xd3, 0x8e, 0x09, 0x27, 0xf6, 0x7f, 0x1a, 0xd4, 0x2b, 0xc2, 0x57, 0xcc, 0xb3, 0x5e, 0x22, 0xc1, 0x82, 0x5d, 0xcc, 0x66, 0xc8, 0xb2, 0x86, 0x42, 0x83, 0xc4, 0xe7, 0xea, 0x70, 0x48, 0x20, 0x2a, 0x33, 0x54, 0xda, 0x46, 0x15, 0x64, 0x4b, 0x72, 0x97, 0x1a, 0x83, 0xe9, 0x6a, 0x65, 0x7a, 0xe0, 0xec, 0x0a, 0xe1, 0xbc, 0xe2, 0x0b, 0x1a, 0x1c, 0x39, 0x31, 0x15, 0x2b, 0xbf, 0xf8, 0x64, 0x00, 0x69, 0x1b, 0xa4 }, + .ds_encrypted_input_params = { 0x8b, 0x5a, 0x3f, 0x8b, 0xf0, 0x8a, 0x45, 0x00, 0x4e, 0x13, 0x97, 0x3b, 0x24, 0x50, 0x00, 0x11, 0x92, 0xfe, 0xb5, 0x51, 0xfa, 0x75, 0xbc, 0x95, 0xbf, 0x90, 0xad, 0xf1, 0x08, 0x1c, 0x44, 0xa6, 0xae, 0x7b, 0x51, 0x2e, 0x88, 0x59, 0xb3, 0xb4, 0x41, 0x9f, 0x3d, 0x01, 0x5d, 0x82, 0xe9, 0xcc, 0x94, 0x87, 0x2d, 0x17, 0x6b, 0x8f, 0x04, 0xc1, 0x93, 0xa1, 0x93, 0x8e, 0x73, 0xe6, 0x08, 0xeb, 0x9b, 0x9f, 0x24, 0x87, 0x27, 0x9b, 0xb8, 0x27, 0x30, 0xeb, 0x3a, 0x8f, 0x3c, 0x97, 0xce, 0x34, 0xa6, 0xa7, 0xdd, 0xa3, 0x66, 0x25, 0xf8, 0x39, 0x0a, 0xb9, 0xb6, 0x49, 0x62, 0x2d, 0x3e, 0xe5, 0xe4, 0x8e, 0x35, 0xbf, 0xf8, 0x8b, 0xb3, 0xc1, 0xa8, 0xc8, 0x48, 0x60, 0x9d, 0x1f, 0xd2, 0x0e, 0x91, 0xbc, 0xb6, 0xae, 0xff, 0x8b, 0xd9, 0x99, 0xcb, 0x05, 0x3e, 0xdb, 0x36, 0x36, 0xe1, 0x36, 0xf4, 0x89, 0x03, 0xb9, 0xf9, 0xbc, 0xe9, 0x36, 0x29, 0x68, 0x22, 0x4f, 0x2f, 0x9e, 0x6e, 0x8f, 0xe1, 0xb0, 0x0a, 0xcf, 0xc9, 0xab, 0x00, 0x1c, 0x75, 0xaa, 0x8b, 0x4d, 0xf0, 0x07, 0x30, 0xf7, 0xea, 0x40, 0x7b, 0xee, 0x82, 0xd3, 0xab, 0xe1, 0x29, 0xc4, 0x17, 0x7e, 0x9c, 0x85, 0xe9, 0x49, 0xa9, 0x6d, 0xaa, 0xdb, 0xb3, 0x27, 0xd4, 0x76, 0x62, 0x02, 0x5e, 0x63, 0x43, 0x12, 0x04, 0xb5, 0x12, 0x9e, 0x6f, 0xb5, 0xab, 0x8f, 0x53, 0x5a, 0xf3, 0xc0, 0x03, 0x09, 0xc0, 0x53, 0xc4, 0x8a, 0xb0, 0x9b, 0xfb, 0xf3, 0x0d, 0xe8, 0x08, 0x8a, 0x09, 0xcf, 0x09, 0x55, 0xd5, 0xce, 0x8b, 0x2c, 0x3c, 0xed, 0x46, 0x82, 0xaa, 0x30, 0xe9, 0x06, 0xa1, 0xfc, 0x14, 0xf8, 0x98, 0x76, 0x6a, 0x56, 0x57, 0xa1, 0x1a, 0x79, 0x14, 0x6b, 0x2c, 0xca, 0x67, 0xda, 0x5b, 0x19, 0x01, 0xd8, 0x77, 0x32, 0x73, 0x74, 0x1d, 0xa1, 0x5a, 0x90, 0xc3, 0x6a, 0xcc, 0xf7, 0x87, 0x7d, 0x5c, 0x76, 0x7b, 0xae, 0x06, 0x27, 0x55, 0x9a, 0xa4, 0x09, 0xf0, 0x5a, 0x51, 0x20, 0xcf, 0x67, 0x75, 0x55, 0xfc, 0x83, 0x4c, 0x02, 0x64, 0x12, 0x16, 0xc4, 0x54, 0x46, 0x8b, 0x37, 0x29, 0x55, 0x68, 0xa0, 0xd2, 0xd7, 0x31, 0x42, 0x2b, 0x16, 0xf2, 0x54, 0x56, 0x78, 0x5a, 0xde, 0x20, 0xc0, 0xd0, 0x89, 0x53, 0xf1, 0x9e, 0xaa, 0x1c, 0x6f, 0xca, 0xf9, 0xee, 0x28, 0xf0, 0x2d, 0xfc, 0x40, 0x90, 0x4d, 0x8b, 0xf9, 0xec, 0xb3, 0x5f, 0x8a, 0x16, 0xc6, 0xc3, 0xce, 0x73, 0xc5, 0xde, 0x47, 0x93, 0xca, 0xa6, 0x15, 0xf1, 0x06, 0xb0, 0xfe, 0xed, 0x2b, 0xea, 0x2f, 0x33, 0xd5, 0x7c, 0x4a, 0x20, 0x3c, 0xfe, 0x09, 0x54, 0x5a, 0xcc, 0x9d, 0x31, 0x61, 0xa5, 0x1b, 0x28, 0xa2, 0x46, 0xd5, 0xcf, 0xab, 0x37, 0x0e, 0x25, 0x4d, 0x04, 0xd2, 0x96, 0x5a, 0x44, 0xc0, 0xcb, 0x7b, 0x67, 0xd3, 0x78, 0x2d, 0x72, 0xc8, 0x9d, 0x1e, 0xf9, 0xe1, 0x46, 0x83, 0x9b, 0x9e, 0xa1, 0x40, 0x6e, 0x5e, 0x61, 0x66, 0x21, 0x86, 0x40, 0x5d, 0x72, 0xca, 0x90, 0xd9, 0xcd, 0x57, 0x9c, 0x13, 0x42, 0x76, 0x38, 0xc9, 0x9b, 0x58, 0x8b, 0x3b, 0x15, 0x49, 0xfc, 0x67, 0x18, 0x93, 0x00, 0xb4, 0xc6, 0x22, 0x13, 0x08, 0x4e, 0x53, 0x50, 0x34, 0x6d, 0x88, 0x50, 0x24, 0x53, 0x24, 0x7c, 0x0d, 0x5a, 0x05, 0xcd, 0x3f, 0x5c, 0x15, 0x9a, 0xdb, 0x66, 0x03, 0x3e, 0xf0, 0x4d, 0x2d, 0x6f, 0x38, 0xc9, 0xef, 0xf5, 0xcb, 0xaf, 0x98, 0x38, 0x55, 0xc3, 0xbd, 0x60, 0xdb, 0x9b, 0xc8, 0x06, 0x87, 0xd0, 0xe2, 0x7b, 0x6c, 0x39, 0x9e, 0x65, 0xaa, 0xff, 0x70, 0xe5, 0xaa, 0x50, 0x24, 0xe4, 0x61, 0x42, 0xc8, 0x62, 0x90, 0xc2, 0x37, 0xae, 0x29, 0x8d, 0xd3, 0xbd, 0xb5, 0x14, 0x5d, 0xd6, 0x84, 0xc3, 0xa6, 0xfa, 0x5c, 0xc3, 0x1b, 0xe5, 0xae, 0x76, 0x91, 0x0b, 0xcc, 0x44, 0x42, 0x3b, 0x3f, 0x49, 0x75, 0xe0, 0x66, 0xb1, 0x1a, 0x42, 0x34, 0xf4, 0x6c, 0x3e, 0x67, 0x5e, 0x4f, 0x5e, 0x68, 0x4a, 0xa9, 0xd7, 0x28, 0x16, 0xf9, 0xb6, 0xad, 0x1e, 0x2a, 0x0a, 0xe7, 0x6c, 0xee, 0x97, 0x83, 0xfa, 0x64, 0xf0, 0xab, 0x02, 0x72, 0xd4, 0xbb, 0xe4, 0xe5, 0xd3, 0xd7, 0x67, 0xe0, 0xd2, 0x7c, 0xaa, 0x15, 0x42, 0x64, 0x13, 0x33, 0x98, 0x63, 0x7a, 0x3a, 0xd6, 0x99, 0xe6, 0x96, 0x81, 0x44, 0x87, 0x2b, 0x1f, 0xd1, 0x4e, 0xd1, 0xde, 0xa7, 0x9b, 0x3b, 0x0d, 0xaf, 0x41, 0xee, 0x40, 0xc5, 0x9e, 0xd4, 0x62, 0xd6, 0x72, 0x59, 0xc2, 0xd7, 0xb9, 0x55, 0x96, 0x26, 0xde, 0xc2, 0x82, 0xa3, 0x8c, 0xcc, 0xfa, 0xd8, 0x49, 0x57, 0x32, 0x11, 0x95, 0xf2, 0xba, 0xdb, 0x67, 0xd0, 0xb0, 0x66, 0xda, 0x89, 0x23, 0xff, 0x79, 0x16, 0xc1, 0xee, 0xd9, 0xeb, 0xea, 0x10, 0x8e, 0xf1, 0x77, 0x6c, 0x11, 0x7a, 0x83, 0xfd, 0xa5, 0x29, 0x67, 0x72, 0x28, 0x66, 0x24, 0x5d, 0x4d, 0xc1, 0x85, 0x8d, 0x06, 0x5a, 0xcb, 0xd5, 0xad, 0x5e, 0x08, 0xdd, 0x02, 0xa8, 0x14, 0xe4, 0x84, 0x6a, 0x90, 0xa5, 0x97, 0x14, 0x78, 0xc6, 0x8d, 0xcf, 0x07, 0xb1, 0xf5, 0xdb, 0x12, 0xf7, 0x67, 0x51, 0x19, 0x7c, 0x23, 0x7d, 0x97, 0xac, 0x5d, 0xda, 0xc4, 0xe3, 0x62, 0x2d, 0x31, 0xf4, 0x31, 0x74, 0xa4, 0x06, 0x7a, 0x35, 0x24, 0x4d, 0xa8, 0x86, 0xeb, 0xee, 0xdc, 0x0f, 0xd6, 0xc7, 0x31, 0xbb, 0xb2, 0x1d, 0xfb, 0xab, 0xb1, 0xf0, 0xb8, 0x37, 0xef, 0xd7, 0x0d, 0x2a, 0x9e, 0x63, 0xcf, 0x60, 0xa1, 0xd6, 0x9f, 0x2d, 0xd3, 0x8d, 0x64, 0x78, 0xe4, 0x3d, 0xfb, 0x3f, 0x2c, 0x76, 0x79, 0x09, 0xb7, 0x67, 0x69, 0x5e, 0x18, 0x66, 0x8a, 0x72, 0x4a, 0x77, 0x4d, 0x48, 0x04, 0xc2, 0x33, 0xda, 0x54, 0x46, 0xe1, 0x7c, 0xfa, 0xbe, 0x7e, 0xf3, 0xc9, 0xa8, 0x97, 0xe4, 0xf2, 0xbb, 0xb3, 0x9d, 0x5c, 0xd3, 0xd2, 0x88, 0x6e, 0x69, 0x9a, 0xa5, 0x8a, 0x05, 0x69, 0x55, 0xc1, 0x7a, 0x2a, 0x3e, 0x10, 0x87, 0x67, 0xbf, 0x78, 0x98, 0x73, 0x33, 0xe2, 0x02, 0x25, 0xfa, 0x5d, 0x39, 0xd1, 0xe3, 0x9b, 0x37, 0xd1, 0xc4, 0xfa, 0x94, 0xb9, 0x2a, 0x54, 0xc5, 0x2d, 0x66, 0x34, 0x3b, 0x6c, 0x7f, 0x1c, 0x28, 0x37, 0x4c, 0xd0, 0x84, 0x10, 0x46, 0x89, 0xf2, 0xb5, 0xf0, 0xbf, 0xa6, 0xad, 0xca, 0xc9, 0x2b, 0x26, 0xa7, 0x91, 0x9c, 0x4b, 0xa9, 0xb3, 0x49, 0x6f, 0xfc, 0x11, 0x29, 0x34, 0x03, 0x4d, 0xe3, 0x5c, 0x84, 0xe3, 0x49, 0x15, 0x56, 0x4f, 0x84, 0x21, 0xff, 0xa7, 0x7d, 0xa1, 0x58, 0x03, 0xaa, 0xb8, 0x52, 0xc9, 0xb4, 0x51, 0x24, 0x79, 0xf6, 0x7a, 0xa9, 0xcd, 0x6c, 0xb6, 0xdc, 0x77, 0xf2, 0xad, 0x7c, 0x74, 0x1d, 0xf0, 0xce, 0x11, 0x6c, 0x05, 0x0b, 0x86, 0x14, 0x76, 0x61, 0x6f, 0xd0, 0x6f, 0x81, 0x47, 0x78, 0x5f, 0x62, 0x80, 0x75, 0xb9, 0xbe, 0xb3, 0x24, 0x88, 0x57, 0x9f, 0x0e, 0x6c, 0x94, 0x44, 0x55, 0x72, 0x62, 0x54, 0xd5, 0x18, 0xdc, 0xee, 0x5d, 0x28, 0xea, 0xf4, 0x70, 0x80, 0x0f, 0x6d, 0xa7, 0x11, 0x38, 0x05, 0xa5, 0x0c, 0xa0, 0xe0, 0x4a, 0x1d, 0x66, 0x53, 0x8c, 0x85, 0x8b, 0xbd, 0x58, 0x59, 0x6e, 0x3a, 0x19, 0x19, 0x74, 0xdf, 0x30, 0x0c, 0x1b, 0x93, 0x25, 0xbd, 0xee, 0xb5, 0x73, 0x9c, 0x41, 0x04, 0x00, 0x0f, 0xbd, 0x21, 0x4b, 0x62, 0x7f, 0x1f, 0xb0, 0xd2, 0xeb, 0x3c, 0xdb, 0x2d, 0x41, 0x19, 0x1b, 0xea, 0x3f, 0xf0, 0x14, 0x2c, 0xf9, 0x0e, 0x4b, 0x01, 0xe5, 0x4d, 0x14, 0x90, 0x8e, 0xb2, 0x8e, 0xfb, 0xd7, 0x37, 0x14, 0x3b, 0x2c, 0xe1, 0x6e, 0xe8, 0x1d, 0x64, 0x0d, 0xe3, 0x24, 0xa0, 0x67, 0x2e, 0xd8, 0x27, 0x69, 0x3f, 0x41, 0x6a, 0x2b, 0x83, 0xda, 0x5a, 0x4b, 0x97, 0xc6, 0x3f, 0x86, 0xe0, 0x8c, 0x6d, 0xe6, 0x19, 0xae, 0xa9, 0xdf, 0x85, 0xbb, 0xcc, 0x23, 0x4d, 0x23, 0x24, 0x84, 0x61, 0xe8, 0x95, 0x73, 0x38, 0xcd, 0xce, 0x95, 0x92, 0x7f, 0xc5, 0x73, 0x33, 0x8e, 0x2e, 0x6e, 0x14, 0xcd, 0x56, 0xec, 0xac, 0xc9, 0x02, 0x12, 0x01, 0xb3, 0x07, 0xa4, 0xb9, 0x6a, 0xe9, 0xde, 0x87, 0x8f, 0x42, 0xea, 0x8d, 0x39, 0x18, 0xd3, 0xbb, 0xf6, 0x4d, 0xe1, 0xd4, 0xbe, 0x25, 0x04, 0xed, 0x51, 0xf3, 0x1c, 0xef, 0x1b, 0x8e, 0xbc, 0x3a, 0x6e, 0x68, 0x4b, 0x37, 0xfd, 0x4c, 0xa0, 0x5a, 0x38, 0x7e, 0xa2, 0xa2, 0xde, 0x9e, 0x5d, 0xe8, 0x48, 0x9e, 0x92, 0x2d, 0xe5, 0x2e, 0xba, 0x64, 0x4e, 0xaf, 0x74, 0xc8, 0xcc, 0xde, 0xa3, 0xe1, 0xf4, 0x0c, 0xdd, 0x66, 0x99, 0xd2, 0x1d, 0xef, 0x40, 0x25, 0x8f, 0xe5, 0x77, 0xe3, 0x33, 0xbe, 0xa9, 0xdf, 0x5c, 0xb4, 0x7b, 0x97, 0xe9, 0xd9, 0x05, 0xa0, 0x1b, 0xb0, 0xda, 0x2f, 0xd5, 0xa3, 0xdf, 0x46, 0x8f, 0xa5, 0xe8, 0xe1, 0x12, 0xe3, 0x43, 0xb6, 0xf2, 0xcd, 0x1d, 0xb9, 0xdd, 0xfc, 0xb2, 0xcb, 0x5f, 0xdd, 0xb7, 0x13, 0x52, 0xae, 0x9b, 0x72, 0xfb, 0xab, 0xb9, 0xeb, 0x21, 0xa1, 0xf2, 0x52, 0x44, 0x32, 0xe5, 0xa0, 0xe6, 0xb7, 0x08, 0xec, 0x5e, 0x93, 0x54, 0x4a, 0x76, 0x09, 0xae, 0x2a, 0x55, 0x9c, 0x98, 0x76, 0xc9, 0x19, 0xe1, 0x1f, 0xc1, 0x3c, 0x17, 0xc4, 0xb1, 0xc0, 0xf9, 0xd5, 0x6a, 0x83, 0xde, 0xc1, 0x67, 0x09, 0x60, 0xd0, 0x01, 0x3e, 0xc4, 0x83, 0xc9, 0x26, 0x59, 0x8b, 0xc4, 0xbe, 0x26, 0x5f, 0xe0, 0x69, 0x8e, 0x43, 0x4d, 0x1d, 0x8e, 0xe3, 0x97, 0x7f, 0xb6, 0x38, 0x03, 0x31, 0x45, 0x11, 0x9e, 0xb7, 0x38, 0xca, 0xe5, 0x7f, 0xf3, 0x87, 0xd6, 0x3b, 0x75, 0x6e, 0x58, 0x8b, 0x98, 0xdb, 0x6e, 0x7b, 0x46, 0x27, 0x17, 0x65, 0xec, 0x04, 0x07, 0x82, 0xea, 0xab, 0x98, 0x11, 0xe1, 0x4c, 0x8e, 0xf3, 0xb0, 0x83, 0xf2, 0xb7, 0xd2, 0xcf, 0x6d, 0x0a, 0xf3, 0xad, 0xc4, 0x0e, 0x25, 0x2e, 0xcd, 0xfe, 0xee, 0x4d, 0xfd, 0x03, 0xc4, 0x78, 0xad, 0x4e, 0x58, 0xac, 0x36, 0x4a, 0x68, 0xba, 0x7f, 0xdd, 0x73, 0xef, 0xfc, 0xca, 0xf2, 0x58, 0x75, 0x94, 0xfd, 0x70, 0x25, 0xef, 0x7c, 0x17, 0x96, 0x6d, 0x70, 0x97, 0xf2, 0x56, 0x7b, 0x5f, 0xfa, 0x03, 0xe5, 0x6f, 0xf3, 0x0e, 0x37, 0x6b, 0x60, 0x04, 0x9d, 0x1b, 0x30, 0xbf, 0xe0, 0xda, 0x42, 0x69, 0x3c, 0x33, 0xcb, 0xac, 0x89, 0xff, 0x8f, 0x92, 0x20, 0xea, 0x2f, 0xb0, 0xdf, 0xee, 0x7b, 0x04, 0xc2, 0x13, 0xea, 0x23, 0xa2, 0xf8, 0x2b, 0x1b, 0xc9, 0x6a, 0x34, 0xf8, 0x18, 0x4e, 0x1c, 0xc9, 0x6d, 0xe5, 0xd6, 0x37, 0xe8, 0x56, 0x12, 0x3e, 0xc3, 0xe9, 0x4a, 0x85, 0x0b, 0x1f, 0xac, 0x6b, 0x26, 0xf3, 0x20, 0x4c, 0x61, 0x70, 0x79, 0xaa, 0x08, 0xf0, 0x17, 0xb9, 0x7f, 0xc7, 0xe7, 0xc5, 0x5a, 0xfe, 0xcd, 0x6d, 0xa0, 0x5a, 0x11, 0x88, 0x52, 0xcf, 0x37, 0x32, 0xa1, 0x6f, 0x2d, 0xc7, 0xed, 0x74, 0x5e, 0xf0, 0x5d, 0x32, 0x5f, 0xcc, 0xf9, 0xfa, 0x33, 0x3a, 0xd4, 0xfa, 0x81, 0x5c, 0xb5, 0x73, 0x00, 0x60, 0xb0, 0x11, 0xa4, 0xa0, 0x8c, 0x0a, 0x9c, 0x97, 0x19, 0xfa, 0x59, 0x6d, 0xc2, 0x75, 0xd5, 0x00, 0x05, 0x8c, 0x72, 0x5e, 0xa3, 0x85, 0xb3, 0xf2, 0xef, 0x0d, 0xef, 0x9f, 0x80, 0x45, 0x2a, 0x8a, 0x42, 0xc7, 0x2b, 0x3c, 0x0f, 0x78, 0xf0, 0x54, 0x94, 0xd5, 0x2e, 0x0d, 0x76, 0x2d, 0xfe, 0x2a, 0xb9, 0x1a, 0xb2, 0x95, 0x3d, 0xa4, 0x52, 0xbe, 0xa6, 0xa2, 0x8e, 0x77, 0x9d, 0xa5, 0x77, 0x0a, 0x46 }, .ds_key_size = 4096, - .ds_result = { 0xa2, 0xbe, 0x4f, 0x7b, 0xd7, 0xcb, 0x10, 0xb4, 0x9e, 0x0f, 0x74, 0x53, 0x09, 0xc7, 0x13, 0x32, 0x20, 0x5b, 0xf3, 0x32, 0x9f, 0x79, 0xe5, 0xe3, 0x46, 0x9a, 0xfd, 0xe8, 0x36, 0xfa, 0x73, 0x99, 0x34, 0xee, 0xd3, 0x73, 0xd7, 0x67, 0xfd, 0x50, 0xe6, 0xf7, 0x82, 0x1f, 0x19, 0x8e, 0x8c, 0xab, 0x5d, 0x9c, 0xe5, 0xbd, 0xe1, 0xc3, 0xf0, 0xe6, 0x96, 0x17, 0x02, 0x0d, 0x3a, 0xc4, 0x62, 0x30, 0xf4, 0x5b, 0x9b, 0xfa, 0x59, 0xae, 0x2b, 0x69, 0x69, 0x64, 0x90, 0xbe, 0x09, 0x13, 0x13, 0xa0, 0xe5, 0xa4, 0xc2, 0xac, 0xe5, 0x5a, 0xae, 0x0d, 0x0e, 0x46, 0xe9, 0xa9, 0x8c, 0x44, 0x4a, 0x5f, 0x9e, 0xf0, 0x3a, 0xb6, 0x94, 0x27, 0x9d, 0x40, 0xff, 0x61, 0x8e, 0xd8, 0xd6, 0x1a, 0xdd, 0xcc, 0x2c, 0xc2, 0xd1, 0x53, 0xec, 0x1e, 0xce, 0x05, 0x92, 0x4e, 0xaf, 0x8b, 0x7f, 0x91, 0xdb, 0x17, 0x18, 0x4e, 0x82, 0x60, 0xf1, 0x36, 0xdf, 0x31, 0xb2, 0x60, 0xe1, 0x44, 0x8f, 0xb3, 0xe0, 0x73, 0xc8, 0xf7, 0xe7, 0x69, 0xb8, 0x24, 0xf8, 0xcb, 0x56, 0x0c, 0xed, 0x6b, 0x36, 0x9b, 0xe3, 0x52, 0xca, 0x50, 0xc4, 0xa8, 0x67, 0x84, 0xa0, 0xc8, 0x25, 0x81, 0xaf, 0x57, 0x06, 0x4e, 0x78, 0x98, 0xf7, 0x0c, 0x74, 0x8e, 0xf4, 0x3e, 0x28, 0x7b, 0x4e, 0xe5, 0x2c, 0x6e, 0x5e, 0xa6, 0x29, 0x7d, 0x5f, 0xd5, 0x90, 0x84, 0xce, 0x1a, 0x57, 0x1a, 0xd6, 0xfb, 0xf1, 0xec, 0xd7, 0x81, 0x18, 0x2a, 0x94, 0xaf, 0xc7, 0x0a, 0x77, 0xe7, 0x6c, 0xd5, 0x87, 0xa2, 0x15, 0x56, 0x0f, 0xdb, 0x3e, 0xe2, 0x64, 0xa7, 0x71, 0x4e, 0xd0, 0xcf, 0x3e, 0x10, 0x97, 0x40, 0x16, 0x69, 0x9d, 0xd4, 0x18, 0xb1, 0xdb, 0xf9, 0xca, 0x6a, 0x5d, 0xb3, 0x9f, 0xe2, 0x3e, 0x57, 0xf9, 0xac, 0x11, 0x88, 0x00, 0x22, 0xf4, 0xcd, 0xa9, 0x15, 0xc2, 0x0b, 0xc8, 0x9b, 0x73, 0x04, 0xdf, 0xf8, 0xdd, 0xeb, 0x50, 0xaa, 0xdd, 0x34, 0x8f, 0x36, 0xca, 0x59, 0x06, 0x70, 0xb0, 0x4a, 0xea, 0x13, 0xed, 0xb5, 0x55, 0x3c, 0xd2, 0xe7, 0x30, 0x2a, 0x41, 0xb5, 0x2c, 0xdb, 0xd5, 0x2a, 0xf7, 0x31, 0xb3, 0x71, 0x22, 0xcd, 0xfd, 0x6b, 0x3a, 0x98, 0x4b, 0xf4, 0xe9, 0xc8, 0xa0, 0x92, 0xc1, 0xcd, 0x23, 0x97, 0x88, 0x21, 0x45, 0xc1, 0xe4, 0x3b, 0x77, 0x69, 0xfb, 0xcd, 0x42, 0x3e, 0x6c, 0xe3, 0x96, 0xc3, 0xfa, 0x5a, 0x0c, 0xea, 0x87, 0x01, 0xee, 0x23, 0x1f, 0x58, 0x07, 0x2c, 0x98, 0x69, 0x6c, 0x14, 0xbd, 0xe6, 0x11, 0x4e, 0x77, 0x67, 0x02, 0x4c, 0x23, 0x36, 0x97, 0xd6, 0x95, 0x95, 0x48, 0x1f, 0x1a, 0xab, 0x8f, 0x13, 0xaa, 0x0b, 0x8d, 0xb5, 0x08, 0xad, 0xaf, 0xf2, 0x7a, 0x70, 0xcc, 0x8a, 0x26, 0x47, 0x34, 0xba, 0x85, 0x07, 0xc9, 0x3a, 0x1e, 0x56, 0x6b, 0x53, 0x47, 0xdc, 0x4a, 0x39, 0xa5, 0x5a, 0x87, 0x3f, 0x6a, 0xb0, 0x96, 0xd8, 0x86, 0xba, 0x01, 0xee, 0x91, 0xb8, 0xca, 0x41, 0xaa, 0x5a, 0x10, 0x4c, 0x9b, 0x5d, 0xf9, 0xd4, 0xac, 0x5f, 0x05, 0x48, 0xfb, 0xa0, 0x63, 0xf7, 0x2c, 0x13, 0xd1, 0x18, 0x2c, 0x62, 0xe8, 0xe6, 0x5c, 0xc2, 0xe6, 0x81, 0x61, 0x84, 0xa8, 0x35, 0xb2, 0x19, 0x35, 0x4a, 0x1b, 0x75, 0x01, 0x91, 0x97, 0x83, 0xc6, 0x24, 0xf2, 0xc4, 0xf4, 0x05, 0xe4, 0x96, 0x60, 0xc8, 0x14, 0x00, 0x30, 0x9c, 0x45, 0xc9, 0x29, 0x22, 0xf4, 0x4c, 0x2f, 0x27, 0x65, 0xdf, 0x24, 0x87, 0x6b, 0x10, 0x65, 0x20, 0x48, 0x1a, 0x36, 0x54, 0xd1, 0x01, 0x80, 0xb1, 0x6a, 0x3e, 0xc0, 0xb6, 0x13, 0x9d, 0xbf, 0x64, 0x44, 0x6e, 0xe2, 0xfe, 0x86, 0x81, 0xaa, 0xa7, 0x07, 0x3d }, + .ds_result = { 0xf1, 0xdd, 0xd5, 0x9d, 0x73, 0x05, 0xc4, 0x21, 0x9c, 0x69, 0x5f, 0x04, 0x28, 0x30, 0x58, 0xc8, 0x77, 0x7b, 0xbf, 0x44, 0x9f, 0xd1, 0xdf, 0x2e, 0xac, 0x7c, 0x64, 0x92, 0x73, 0xf2, 0x70, 0x98, 0x7c, 0x80, 0x05, 0xf0, 0x1f, 0x90, 0xdb, 0x9d, 0x21, 0x60, 0x3d, 0x0f, 0x39, 0x16, 0xe1, 0x39, 0xab, 0x62, 0xa8, 0xc5, 0x43, 0x86, 0xb3, 0x5a, 0x99, 0x99, 0xae, 0x9c, 0x20, 0x02, 0xd6, 0x6f, 0x5e, 0x26, 0xd4, 0x12, 0x7f, 0xcd, 0xab, 0x43, 0xd1, 0x46, 0x72, 0x79, 0x1a, 0x1e, 0x2b, 0xcc, 0xb7, 0xe3, 0xf3, 0x7e, 0xd1, 0x31, 0x22, 0xe0, 0x61, 0x7d, 0x18, 0x3e, 0xcb, 0x94, 0xc9, 0xe0, 0x64, 0xf6, 0x4e, 0x7a, 0x7a, 0x3f, 0x8c, 0x80, 0xad, 0x68, 0x4c, 0x98, 0x3c, 0xc1, 0xe3, 0x0f, 0xc5, 0x4b, 0xbb, 0xa8, 0x5d, 0xad, 0xd0, 0x6d, 0x56, 0x92, 0xcf, 0x5f, 0x63, 0x83, 0x93, 0xa2, 0x52, 0xb1, 0x55, 0x11, 0xb6, 0xfc, 0xb2, 0x7d, 0xe4, 0x22, 0xb7, 0xfd, 0xf4, 0xf0, 0x6f, 0x4c, 0xa9, 0x4e, 0x30, 0xc6, 0xad, 0xb4, 0x1c, 0x30, 0xf4, 0x1e, 0x1c, 0xe4, 0x0f, 0x5a, 0x4d, 0x34, 0xd7, 0x91, 0xe1, 0xcd, 0x18, 0xfc, 0x77, 0x05, 0xa9, 0x5c, 0x72, 0xab, 0x79, 0x2a, 0xa8, 0x26, 0x9e, 0xb6, 0x3b, 0xd1, 0x18, 0x01, 0x4a, 0x5f, 0xf0, 0x40, 0x8d, 0x39, 0x41, 0x54, 0x90, 0xc4, 0xbb, 0xf9, 0xb0, 0x84, 0x70, 0x59, 0x6c, 0xc2, 0x91, 0xfe, 0x02, 0x18, 0xe0, 0xa3, 0xc8, 0xc6, 0x62, 0xa6, 0x64, 0x53, 0xb8, 0xc0, 0xd2, 0x64, 0x7c, 0x41, 0x15, 0x17, 0x4f, 0xd0, 0xa8, 0x8b, 0xad, 0x35, 0xe6, 0x35, 0xd4, 0x92, 0x34, 0x03, 0xb7, 0x41, 0xc8, 0x5a, 0x5e, 0xc8, 0xe2, 0x55, 0x67, 0x9d, 0x95, 0x83, 0x3a, 0xc8, 0x17, 0xa3, 0x0a, 0x4e, 0x47, 0xe6, 0x44, 0xa1, 0x22, 0x30, 0x50, 0xdb, 0x68, 0xb5, 0x69, 0x97, 0x52, 0xa7, 0xc6, 0x5b, 0x33, 0x86, 0x25, 0xe3, 0x5b, 0x16, 0xb1, 0x7a, 0x77, 0xe6, 0xf8, 0xd7, 0xde, 0xc8, 0x17, 0xe7, 0x7a, 0x12, 0xdf, 0x95, 0xae, 0xa5, 0xb3, 0x01, 0x58, 0xfe, 0x0e, 0xec, 0x74, 0x0c, 0xfc, 0x08, 0xcc, 0xb7, 0xbb, 0xb1, 0x6c, 0x46, 0x09, 0x9d, 0x36, 0x4a, 0x39, 0xa9, 0xb5, 0x9b, 0xe3, 0x02, 0xbf, 0x74, 0xf0, 0x3e, 0xc5, 0xd9, 0xd2, 0xf7, 0x55, 0xbc, 0x40, 0xdd, 0x0c, 0x6f, 0xae, 0xf8, 0xe4, 0xe2, 0x36, 0x75, 0x53, 0x8a, 0xae, 0x78, 0x6d, 0x4b, 0xc3, 0x91, 0xaf, 0xfd, 0x74, 0xd5, 0x45, 0xed, 0x1d, 0xe4, 0xdc, 0xad, 0x71, 0x87, 0xa8, 0x52, 0x4a, 0x20, 0xcb, 0xcc, 0x30, 0x98, 0x64, 0xb3, 0x08, 0x47, 0xce, 0xb0, 0x93, 0xd1, 0x2b, 0xcd, 0xa4, 0x3d, 0xee, 0x52, 0x37, 0xfe, 0xd8, 0x55, 0x2b, 0x0e, 0x0c, 0xa3, 0x2d, 0x01, 0x9b, 0xfc, 0x65, 0x41, 0xa0, 0x81, 0x71, 0x43, 0x64, 0xd8, 0x1d, 0x8c, 0x36, 0xc2, 0xc8, 0xe7, 0x89, 0x84, 0xb7, 0xa7, 0x8e, 0xbd, 0x32, 0xf0, 0xe0, 0xa0, 0x5b, 0x47, 0x97, 0xe7, 0x81, 0x15, 0xa3, 0x24, 0x39, 0x40, 0x47, 0x17, 0x07, 0xe5, 0x35, 0x19, 0x81, 0x04, 0xdc, 0x57, 0xce, 0x52, 0xd4, 0xcd, 0xe7, 0xe4, 0x97, 0xb3, 0x1d, 0x60, 0x7b, 0xbb, 0xb5, 0x15, 0xb3, 0x4b, 0x27, 0xf1, 0xda, 0x2b, 0xd9, 0xe9, 0x4e, 0xca, 0x57, 0x1d, 0xb6, 0xde, 0x8d, 0x0f, 0x9e, 0xbd, 0xdb, 0xaf, 0xde, 0x69, 0x0a, 0xd6, 0x5a, 0x37, 0xc5, 0x38, 0x76, 0x33, 0x73, 0xc9, 0x07, 0xa6, 0xbb, 0x50, 0xa4, 0x31, 0x0e, 0x27, 0x50, 0xef, 0xab, 0x34, 0x7a, 0xe2, 0xb5, 0x42, 0xec, 0x0c, 0x63, 0x70, 0x2b, 0xed, 0x97, 0xee, 0xe4, 0x7b, 0x62, 0xc9, 0xaf, 0x02, 0x7b, 0xc6, 0x17, 0x43 }, #elif SOC_DS_SIGNATURE_MAX_BIT_LEN == 3072 - .ds_message = { 0x55, 0xa7, 0xa1, 0x8e, 0x10, 0xb3, 0x30, 0x81, 0x42, 0xef, 0xf3, 0x25, 0xc6, 0x7e, 0xd4, 0x0b, 0x0c, 0x67, 0x33, 0xdf, 0x3a, 0xc9, 0x6d, 0x75, 0x19, 0x80, 0x8c, 0xf0, 0xb3, 0x2f, 0x7e, 0x62, 0xd9, 0xae, 0xa6, 0xdc, 0xdd, 0x67, 0x6f, 0x7d, 0x27, 0x4f, 0x46, 0x37, 0x8d, 0x3d, 0xba, 0x2e, 0x8b, 0x84, 0x48, 0x25, 0x4b, 0x8c, 0x6d, 0xdc, 0xcf, 0x19, 0xf0, 0xae, 0x56, 0x2f, 0x6e, 0x1a, 0xe7, 0xa6, 0xdb, 0x72, 0x67, 0x1c, 0xde, 0xcc, 0x16, 0x92, 0x07, 0xf4, 0x66, 0x0b, 0x26, 0xc0, 0x60, 0xd4, 0x45, 0xf1, 0x88, 0xbd, 0x3d, 0xa1, 0x05, 0x7f, 0x96, 0x3f, 0x79, 0x71, 0x19, 0x5b, 0xfa, 0x62, 0xac, 0xc6, 0xaa, 0x8c, 0xc6, 0x8a, 0x50, 0x20, 0x25, 0xc2, 0x60, 0x6b, 0x96, 0xe8, 0xb6, 0xaf, 0x3a, 0xb7, 0x48, 0x08, 0x7b, 0xc4, 0x48, 0xc3, 0x4c, 0xd4, 0x5d, 0x28, 0x7a, 0xbb, 0x37, 0x0d, 0x09, 0xb0, 0x51, 0xdf, 0x2e, 0xee, 0xa4, 0x79, 0xf5, 0x7f, 0x90, 0xcd, 0x12, 0xcf, 0x8b, 0x17, 0x27, 0xce, 0x02, 0x33, 0x91, 0x52, 0x84, 0x2b, 0x09, 0x71, 0x55, 0xe0, 0xd1, 0xfa, 0xc0, 0x34, 0x9b, 0xb0, 0xc2, 0x57, 0xc9, 0x53, 0x21, 0x0f, 0x00, 0xec, 0x1d, 0x61, 0x7f, 0x56, 0x81, 0xca, 0xa2, 0xff, 0xb2, 0x7e, 0xc0, 0x8b, 0xc8, 0x02, 0x21, 0xf6, 0x0f, 0xd0, 0x46, 0xa5, 0xd1, 0x43, 0xce, 0xcb, 0x0e, 0x50, 0xb8, 0x4b, 0x45, 0x3a, 0xac, 0x5f, 0x83, 0x58, 0x30, 0x49, 0xe0, 0x6d, 0x18, 0xc2, 0x96, 0xe7, 0x0c, 0xa6, 0x5b, 0x6e, 0xff, 0xab, 0xa7, 0x40, 0x6d, 0x2d, 0xf8, 0xda, 0x68, 0x9f, 0xf4, 0x29, 0x4f, 0x6e, 0xfd, 0xda, 0x68, 0x8d, 0x0e, 0x6a, 0x12, 0x96, 0x18, 0x95, 0x53, 0x4f, 0xfd, 0x52, 0x61, 0x42, 0x1c, 0xe5, 0x2c, 0xc1, 0x6b, 0x27, 0xee, 0xd0, 0xdf, 0x2d, 0x34, 0x57, 0x39, 0x21, 0x88, 0xda, 0x1e, 0x40, 0xfa, 0x81, 0x85, 0xb2, 0x59, 0x9f, 0x4c, 0x4d, 0xa9, 0xed, 0xca, 0x69, 0x70, 0xbf, 0xc0, 0xaf, 0x6f, 0x10, 0xd0, 0x5d, 0x44, 0xfe, 0xc4, 0x0a, 0xa1, 0x51, 0x9b, 0x44, 0x3a, 0x12, 0x6c, 0x4c, 0x4d, 0x4b, 0x8e, 0x77, 0xe1, 0x83, 0x4a, 0x50, 0x72, 0x02, 0x3e, 0x0d, 0x27, 0xdf, 0xca, 0x0e, 0x3e, 0x36, 0x8c, 0x6c, 0x49, 0xe7, 0xa2, 0xd3, 0x3a, 0x17, 0x85, 0xf7, 0x33, 0xcb, 0xbd, 0xa9, 0xd4, 0xf8, 0xd8, 0x55, 0x61, 0x97, 0x51, 0x97, 0x45, 0x49, 0x41, 0xc0, 0x36, 0xc3, 0x60, 0x85, 0x08, 0x5e, 0xfa, 0x14, 0xc0, 0x14, 0x56, 0x50, 0xdc, 0xae, 0xc0, 0x71, 0xcd, 0x96, 0x4d, 0x94, 0x8f, 0x11, 0xe5, 0x68, 0x68, 0xba, 0x8a, 0x44, 0xde, 0x85, 0x44, 0xdc, 0x1d, 0x85, 0xa2, 0x30, 0xcd, 0xfc, 0xe9, 0x11, 0xea, 0xdc }, - .ds_encrypted_input_params = { 0xb9, 0xe0, 0xf0, 0x75, 0xf1, 0x2f, 0x97, 0x74, 0x5a, 0x91, 0x99, 0xdf, 0xd4, 0x65, 0x56, 0xec, 0xbc, 0xca, 0xa5, 0xf1, 0x83, 0xe7, 0x13, 0x86, 0x95, 0xb6, 0xc2, 0xf9, 0xf4, 0x2c, 0x55, 0xb0, 0x5b, 0x3c, 0x77, 0x64, 0x6b, 0x25, 0xf0, 0x25, 0x31, 0xb0, 0xd8, 0x60, 0xfd, 0x06, 0xcb, 0x6e, 0xa1, 0xf8, 0x79, 0x4f, 0xdf, 0xe5, 0x03, 0x4d, 0xcb, 0x30, 0xed, 0xb2, 0x10, 0xe4, 0x89, 0x34, 0x37, 0x0d, 0xe6, 0xb2, 0x69, 0x41, 0x3c, 0x8e, 0x54, 0x34, 0xbb, 0x7c, 0x08, 0x34, 0xe9, 0x37, 0xe8, 0x89, 0x5e, 0xe7, 0x1d, 0xac, 0x2c, 0x83, 0x33, 0xf3, 0x35, 0x12, 0x5f, 0x2a, 0xec, 0xfa, 0xc2, 0x33, 0xd2, 0x08, 0x4e, 0xcc, 0x86, 0xf2, 0xb3, 0xfb, 0xff, 0x07, 0x1a, 0xa1, 0x07, 0xf4, 0xfb, 0x87, 0xf0, 0x80, 0xbd, 0xc2, 0x27, 0x2b, 0x42, 0xf7, 0xc2, 0xd2, 0xae, 0x9f, 0x82, 0xf2, 0x91, 0xb7, 0xf5, 0x53, 0x25, 0x15, 0xf1, 0x5c, 0x6c, 0x33, 0x88, 0xff, 0x44, 0x13, 0xcb, 0x00, 0x23, 0xbc, 0xfd, 0xae, 0x0d, 0xf8, 0x9d, 0xb7, 0x45, 0x35, 0x80, 0xce, 0xcd, 0x77, 0x5c, 0x9a, 0xc2, 0x46, 0x0a, 0x3c, 0x44, 0xeb, 0xdd, 0xa3, 0x08, 0xcf, 0x5a, 0x38, 0x07, 0x89, 0x88, 0x0f, 0x0d, 0x1b, 0x84, 0x3c, 0xcb, 0x4e, 0x61, 0x07, 0xec, 0x20, 0x89, 0xbb, 0x3c, 0x63, 0xf8, 0x7f, 0x50, 0x68, 0x25, 0x85, 0xba, 0xa4, 0xec, 0xf7, 0x11, 0x8d, 0xa6, 0xa0, 0x2c, 0xc5, 0xa8, 0x7d, 0x9a, 0x85, 0xb6, 0x7a, 0x6a, 0x45, 0x5b, 0x46, 0xc7, 0xcb, 0xda, 0x25, 0xbf, 0x6a, 0xfe, 0xbf, 0xbc, 0xb0, 0x11, 0x19, 0x43, 0x71, 0x0e, 0x1f, 0x66, 0xac, 0x81, 0xd4, 0xe5, 0x3a, 0x03, 0xd8, 0xb0, 0x83, 0xbf, 0xbc, 0x57, 0x24, 0x7a, 0x03, 0x54, 0x2f, 0x58, 0x82, 0x5d, 0x63, 0x4f, 0x78, 0xff, 0x78, 0x84, 0x46, 0x51, 0x9d, 0x40, 0x6c, 0xe5, 0x97, 0xf9, 0xa3, 0x2b, 0x14, 0x02, 0x0f, 0x97, 0xe4, 0xde, 0x32, 0xc3, 0xcf, 0xe6, 0xcf, 0x9c, 0x38, 0xc0, 0x5f, 0x44, 0x9e, 0x78, 0xc9, 0x88, 0xbd, 0xc6, 0x84, 0x25, 0x20, 0x7a, 0xb5, 0xae, 0xc5, 0xf6, 0xe1, 0xb2, 0xdb, 0x1d, 0xb9, 0x06, 0x3f, 0x8a, 0x29, 0xd5, 0xc6, 0xe3, 0x3e, 0x5c, 0x86, 0xe6, 0x88, 0x56, 0x0f, 0x36, 0xe8, 0x48, 0xf0, 0xa8, 0x9b, 0x47, 0x3a, 0xeb, 0x69, 0xb7, 0x03, 0x45, 0x8d, 0xfb, 0xa7, 0xf2, 0x56, 0xd4, 0x2a, 0x81, 0x00, 0x7a, 0x80, 0xfa, 0x72, 0x5d, 0x00, 0x20, 0x67, 0xe3, 0x11, 0x19, 0x1d, 0x22, 0xde, 0x99, 0x03, 0xe5, 0xf2, 0x3f, 0x27, 0x25, 0x05, 0x4b, 0x87, 0x63, 0xb6, 0x50, 0x62, 0xaa, 0x19, 0xe0, 0xf9, 0x35, 0x80, 0x57, 0x01, 0x7d, 0xdd, 0x98, 0xf1, 0x4a, 0x19, 0x5b, 0x5b, 0x7a, 0xf5, 0xab, 0x87, 0x5b, 0x42, 0xfb, 0x01, 0xc4, 0xc5, 0x95, 0xa3, 0x46, 0xfb, 0xd0, 0x96, 0x59, 0x13, 0x7b, 0xdf, 0x11, 0x25, 0x38, 0x80, 0x64, 0x69, 0x53, 0xee, 0xe3, 0x59, 0xf3, 0x9d, 0x4a, 0xee, 0x2f, 0x3f, 0x39, 0xd2, 0x5b, 0xce, 0x73, 0x3e, 0x73, 0xd5, 0x30, 0x1b, 0x50, 0x68, 0x74, 0x3a, 0x29, 0x30, 0x29, 0x63, 0xbb, 0xdf, 0x27, 0xc9, 0x68, 0xeb, 0x5b, 0xb3, 0xe9, 0x9a, 0xa8, 0x11, 0x2a, 0x99, 0x71, 0xcd, 0x1f, 0x02, 0x09, 0xbb, 0x3d, 0x82, 0x12, 0x47, 0x7e, 0xd2, 0x01, 0xeb, 0x1a, 0xd3, 0xb6, 0x24, 0x32, 0xfa, 0x03, 0x09, 0xec, 0x29, 0xfa, 0x56, 0x30, 0xb2, 0xba, 0x9a, 0x23, 0x6c, 0x09, 0xd3, 0x66, 0xfb, 0xa1, 0xef, 0x32, 0xe4, 0x09, 0x4b, 0xfb, 0x41, 0x3a, 0x8f, 0xac, 0xde, 0x4a, 0xad, 0x4d, 0x91, 0xf5, 0xb9, 0x7d, 0x90, 0x3e, 0x41, 0x7e, 0x95, 0x6d, 0x64, 0x4d, 0x83, 0x2a, 0x6e, 0xa5, 0x99, 0x87, 0x70, 0xc6, 0xb0, 0xc8, 0xab, 0xe6, 0xde, 0xec, 0x5b, 0x66, 0xc7, 0x08, 0xe8, 0x10, 0x7d, 0x38, 0x60, 0x06, 0x5b, 0x6c, 0xbc, 0x0e, 0xc9, 0x3c, 0x1c, 0x87, 0x40, 0x8a, 0x90, 0xf8, 0x11, 0xa7, 0xc0, 0x32, 0x7c, 0x50, 0x25, 0xd6, 0x08, 0x94, 0x54, 0x79, 0x5b, 0x3f, 0xc2, 0x8a, 0xa9, 0xc2, 0xcb, 0xca, 0xf4, 0x22, 0x3d, 0x12, 0x0a, 0x77, 0xcd, 0x8e, 0x1f, 0x32, 0x6b, 0x8d, 0xde, 0x8b, 0xcd, 0xca, 0x94, 0xea, 0x5a, 0xa9, 0xf0, 0xaf, 0x91, 0x25, 0x60, 0x0f, 0x87, 0xc1, 0x0b, 0xfc, 0xe5, 0x87, 0xed, 0xb4, 0xf0, 0xad, 0xa5, 0x08, 0x48, 0xbf, 0x2c, 0x07, 0x57, 0x2a, 0x59, 0x52, 0xd7, 0x24, 0x53, 0x0c, 0x41, 0x08, 0x6e, 0x87, 0x1b, 0x89, 0xd3, 0x7e, 0x79, 0x49, 0xa9, 0xeb, 0x99, 0x97, 0x9d, 0x49, 0x01, 0x34, 0x1f, 0x65, 0x0d, 0xcc, 0x4c, 0xe5, 0xdc, 0x90, 0x14, 0xa4, 0x37, 0x8e, 0x51, 0xf8, 0x85, 0xbc, 0xde, 0x21, 0x87, 0xc3, 0xd9, 0xa9, 0x6c, 0x85, 0x2c, 0x7d, 0x8d, 0xba, 0xcb, 0x89, 0xc9, 0x15, 0x73, 0xd3, 0x81, 0x0b, 0x0c, 0x7c, 0x24, 0x16, 0x86, 0x17, 0x90, 0xce, 0x25, 0x54, 0x9e, 0xb5, 0xd1, 0x35, 0x83, 0x24, 0x7e, 0x7b, 0x42, 0x22, 0x9b, 0xe2, 0x42, 0xbd, 0x1e, 0x01, 0x98, 0x7a, 0x9b, 0x61, 0x75, 0x51, 0x74, 0xf6, 0x42, 0x31, 0x60, 0x42, 0x16, 0x71, 0x75, 0xee, 0x22, 0xdb, 0xd7, 0x03, 0xa1, 0x8d, 0x1c, 0x20, 0x04, 0x40, 0x60, 0x20, 0xb9, 0x70, 0x3c, 0x1c, 0x29, 0xf2, 0x3f, 0x6c, 0xfc, 0x79, 0xe0, 0x72, 0x9c, 0xec, 0x8c, 0x1e, 0x29, 0xe7, 0x92, 0x91, 0xdd, 0x7d, 0x20, 0x39, 0xc7, 0xcf, 0xf4, 0x47, 0xdc, 0x9d, 0xea, 0x25, 0xcf, 0x72, 0x52, 0xea, 0x87, 0x5a, 0x6f, 0xce, 0x50, 0x20, 0x69, 0x91, 0xd3, 0x7b, 0x55, 0x52, 0xd9, 0xdf, 0x57, 0x76, 0x3b, 0xdc, 0x6c, 0x17, 0x89, 0x32, 0x04, 0xa6, 0x60, 0x7e, 0x66, 0x55, 0x35, 0xf4, 0x6a, 0xe0, 0x34, 0xf7, 0x57, 0x77, 0xdc, 0xba, 0x02, 0x20, 0x5d, 0xc9, 0xad, 0x8a, 0x19, 0xdb, 0x90, 0xc3, 0x28, 0x10, 0x6c, 0xdd, 0xd3, 0x75, 0x9d, 0x75, 0xac, 0xec, 0xf8, 0x5a, 0x85, 0x8a, 0x89, 0xaa, 0xe9, 0xca, 0xc0, 0xbc, 0xff, 0x42, 0x91, 0x66, 0x49, 0x4c, 0x4b, 0x29, 0x94, 0xad, 0x87, 0x41, 0x87, 0x15, 0x3e, 0x14, 0xd6, 0x4a, 0x74, 0x6d, 0xee, 0xa2, 0x27, 0x81, 0x79, 0xa2, 0x3f, 0x27, 0x82, 0x32, 0xa4, 0x46, 0xf0, 0x59, 0x25, 0x21, 0x31, 0xb8, 0xda, 0xba, 0x50, 0x6f, 0xa4, 0x59, 0xad, 0x8c, 0xb5, 0x9c, 0x83, 0x0b, 0x40, 0x71, 0x25, 0xba, 0x76, 0xa3, 0xa2, 0xe1, 0x6d, 0x5d, 0xda, 0x2f, 0xc4, 0xe3, 0x3f, 0x5c, 0x60, 0x12, 0xfe, 0x74, 0xe6, 0x18, 0x5c, 0x4a, 0x34, 0x65, 0x6b, 0x87, 0x34, 0x3b, 0x3c, 0xf2, 0x0e, 0x78, 0x33, 0x46, 0xc5, 0xa5, 0xd9, 0x10, 0xcc, 0x5e, 0x4d, 0xd2, 0xf2, 0x98, 0xad, 0xcc, 0xef, 0xb3, 0x11, 0x0f, 0x6c, 0x07, 0x9e, 0x84, 0xfc, 0x42, 0x8e, 0x19, 0x81, 0x92, 0x49, 0xe0, 0xca, 0xdd, 0x15, 0x88, 0x1d, 0x4c, 0xd3, 0x3e, 0x24, 0xbb, 0x59, 0x89, 0xd8, 0xae, 0x06, 0x4a, 0x26, 0x0b, 0xe2, 0x38, 0x18, 0x31, 0x7b, 0xb3, 0x0c, 0x73, 0x04, 0x48, 0x39, 0xe4, 0x46, 0x99, 0x67, 0x8d, 0x08, 0xa1, 0xb9, 0x5d, 0x7e, 0xc6, 0x57, 0x40, 0xca, 0x53, 0xd9, 0xab, 0xdc, 0xc3, 0x6d, 0x1f, 0x65, 0xd4, 0xfa, 0x3a, 0xa3, 0xde, 0x9d, 0x7f, 0x23, 0x0f, 0xa4, 0x45, 0xca, 0xbd, 0x05, 0xd9, 0xd7, 0x81, 0xc2, 0xa4, 0x88, 0x03, 0x12, 0x5b, 0x7f, 0xe8, 0xde, 0x08, 0xbc, 0x80, 0xea, 0x13, 0xb4, 0xf1, 0xe8, 0x69, 0x79, 0x71, 0xea, 0x7c, 0xd7, 0x0b, 0xbd, 0x2e, 0x8b, 0xb2, 0x6d, 0xce, 0xd0, 0xe9, 0x3a, 0xd6, 0xd4, 0xf6, 0xa3, 0x7a, 0x4e, 0x4b, 0x07, 0xd3, 0xc7, 0x46, 0xee, 0xf6, 0xeb, 0x07, 0xf7, 0xf8, 0x3f, 0x3d, 0x35, 0xa8, 0x73, 0x9c, 0xae, 0x21, 0xa5, 0x52, 0xb8, 0x1a, 0x9e, 0xce, 0xe3, 0x9f, 0x2f, 0x9a, 0xc2, 0xee, 0xbb, 0x27, 0xcb, 0x35, 0xb3, 0x24, 0x63, 0x5e, 0x93, 0x1d, 0xeb, 0x3e, 0x33, 0x54, 0xf1, 0x7f, 0x0a, 0x8b, 0xe4, 0x28, 0x73, 0x52, 0x81, 0x73, 0x5c, 0x6a, 0xf3, 0x25, 0x6f, 0xf1, 0xda, 0x5f, 0x96, 0xb2, 0xf5, 0x87, 0x80, 0xf2, 0x01, 0x10, 0x38, 0xa6, 0xc8, 0xdf, 0x75, 0x7a, 0x52, 0xd4, 0x4d, 0xc0, 0x85, 0xdf, 0xb8, 0x4f, 0x75, 0x32, 0xd2, 0x3a, 0x71, 0x11, 0x84, 0x7e, 0x08, 0x35, 0x87, 0xca, 0x5c, 0x5e, 0xa3, 0xac, 0x04, 0xca, 0x11, 0x66, 0x19, 0x0c, 0x73, 0xdc, 0x48, 0x42, 0xc4, 0x03, 0x06, 0x0a, 0xe4, 0x9d, 0x50, 0xd1, 0xb2, 0xab, 0x81, 0x74, 0xd9, 0xe8, 0x94, 0xc1, 0x6c, 0x24, 0x57, 0x45, 0x2e, 0x47, 0x00, 0x64, 0x96, 0x23, 0x7d, 0x3c, 0x2a, 0x25, 0x17, 0x92, 0x9a, 0x8b, 0x81 }, + .ds_message = { 0x6e, 0xec, 0x39, 0xd5, 0xc7, 0x09, 0x68, 0x9f, 0xcd, 0xb6, 0x3e, 0x1c, 0x74, 0xa7, 0x03, 0x91, 0xe7, 0xbd, 0x26, 0x8b, 0xeb, 0xbe, 0x3f, 0x81, 0xf9, 0xcc, 0xd6, 0x10, 0xea, 0x4c, 0xd6, 0xb1, 0xb9, 0xe5, 0x2f, 0x9d, 0x56, 0xc9, 0x44, 0x2e, 0xb1, 0x62, 0x2f, 0x61, 0xac, 0x15, 0x2c, 0x69, 0xe8, 0xb0, 0x97, 0x4b, 0x2c, 0xd5, 0x3e, 0xc1, 0xce, 0x19, 0x31, 0xb1, 0x73, 0xa3, 0xe8, 0xc8, 0x0a, 0x6f, 0x31, 0xa4, 0x02, 0x71, 0x06, 0xa0, 0xae, 0xed, 0xdc, 0xb5, 0x67, 0xfe, 0xe9, 0xcf, 0x6e, 0x3f, 0xa6, 0x2f, 0x29, 0x5f, 0xcf, 0x20, 0x36, 0x80, 0xdb, 0x62, 0xae, 0x84, 0xd7, 0x47, 0x09, 0x43, 0xd2, 0x95, 0x1d, 0x68, 0x07, 0xc1, 0x0e, 0xcc, 0x15, 0x8c, 0xe2, 0x00, 0x3e, 0x12, 0x0b, 0xf5, 0x7e, 0x7e, 0xec, 0x2d, 0x72, 0xf5, 0xd3, 0xb8, 0x0b, 0x37, 0x92, 0xd8, 0xea, 0x1e, 0x80, 0x00, 0x75, 0xb9, 0x8b, 0x8d, 0x7e, 0x2e, 0x91, 0xf5, 0xdb, 0x91, 0x26, 0x8a, 0x07, 0x1b, 0x0b, 0xf1, 0xf9, 0x47, 0x6c, 0x49, 0x00, 0x3d, 0x04, 0x2b, 0xfa, 0xfb, 0x29, 0xf5, 0xde, 0x32, 0xcd, 0x80, 0x3c, 0x88, 0xbd, 0x40, 0xbe, 0x76, 0x11, 0x24, 0x0d, 0x00, 0x65, 0x1c, 0xcf, 0x5c, 0x3b, 0xbc, 0x70, 0x40, 0x29, 0xf8, 0x4d, 0xdc, 0x06, 0x31, 0x16, 0xea, 0xa2, 0x6a, 0x36, 0xfc, 0xca, 0x63, 0xf6, 0x6f, 0x5d, 0x48, 0x8e, 0xdf, 0x78, 0x6f, 0x09, 0xe4, 0x41, 0xee, 0xe1, 0x11, 0x41, 0x6b, 0x00, 0x29, 0x8e, 0xfd, 0x27, 0x58, 0xfd, 0x7b, 0xf3, 0x53, 0x71, 0xd8, 0xc3, 0x7c, 0x26, 0xfc, 0x2b, 0xb4, 0xa6, 0xf3, 0x46, 0xc7, 0x92, 0xe1, 0xd2, 0x47, 0xc2, 0xaf, 0x4f, 0x10, 0xa8, 0x7c, 0x55, 0x26, 0x54, 0xbd, 0x69, 0x35, 0xf8, 0x55, 0x0a, 0x45, 0x11, 0x5c, 0x36, 0xc6, 0x20, 0x9d, 0x3e, 0x27, 0xd3, 0xf9, 0xb8, 0x62, 0x13, 0x26, 0x9e, 0x6d, 0xba, 0x9c, 0xe9, 0xec, 0xb7, 0x3d, 0x84, 0xf4, 0x0b, 0x8e, 0x59, 0xde, 0xc3, 0xd6, 0x1f, 0xe6, 0x05, 0x85, 0x96, 0x7d, 0xd5, 0x6d, 0x79, 0xd7, 0xb2, 0x17, 0x84, 0xd4, 0xaf, 0xfa, 0x03, 0x7f, 0xc7, 0x2e, 0x72, 0xa4, 0x06, 0xa1, 0xe3, 0x45, 0x30, 0x75, 0x4a, 0x10, 0xce, 0x1c, 0xa6, 0xc3, 0x18, 0x1e, 0x14, 0xcf, 0x31, 0xd5, 0xe1, 0x88, 0x57, 0x8a, 0xbc, 0x2d, 0x5d, 0x5d, 0x2c, 0x2a, 0x09, 0xaf, 0x51, 0x7c, 0x51, 0x06, 0xcc, 0xa9, 0x2e, 0x68, 0x00, 0x05, 0x1d, 0x40, 0x07, 0x05, 0x56, 0x7a, 0xba, 0xdf, 0x3b, 0x10, 0x38, 0x94, 0xb0, 0xf3, 0x87, 0xeb, 0x74, 0x7a, 0x17, 0xf6, 0x37, 0x00, 0xb4, 0x81, 0x3b, 0x21, 0x8b, 0xb6, 0x25, 0xd6, 0x90, 0x6f, 0x07, 0xbe, 0x54, 0x6e, 0x46, 0x55, 0xe8, 0x17 }, + .ds_encrypted_input_params = { 0x08, 0x02, 0x0e, 0x26, 0xd6, 0x3f, 0xe7, 0x55, 0x75, 0xd8, 0x04, 0x9a, 0x2c, 0xcb, 0x09, 0x7c, 0x36, 0xf3, 0xce, 0xcf, 0x74, 0xaf, 0x6c, 0x4e, 0x9b, 0x96, 0xf8, 0x49, 0xe5, 0xa9, 0x73, 0x00, 0x45, 0xe0, 0xeb, 0x8a, 0x14, 0x61, 0xb3, 0xc9, 0x99, 0x84, 0x27, 0x88, 0x31, 0x54, 0x78, 0x4e, 0x22, 0x73, 0x4f, 0x5e, 0x80, 0x0b, 0xca, 0x84, 0x03, 0x5e, 0x5f, 0x21, 0xa6, 0x60, 0xa2, 0x3d, 0x61, 0x4f, 0xfd, 0x8d, 0xea, 0x0a, 0xef, 0x1f, 0x32, 0xb0, 0x8f, 0xee, 0x4b, 0x5f, 0x37, 0x6d, 0x0b, 0x0a, 0x2f, 0xe2, 0x5c, 0xa4, 0x2a, 0xf6, 0xa4, 0x41, 0xce, 0xd7, 0x0b, 0x4f, 0x66, 0x22, 0x23, 0x5e, 0xfb, 0x05, 0xc6, 0x31, 0x90, 0x4d, 0xbc, 0x39, 0x49, 0xde, 0x70, 0x68, 0x48, 0xb4, 0xc5, 0x5b, 0xaf, 0x9b, 0x73, 0x06, 0x3d, 0x85, 0x4c, 0xcb, 0x61, 0x21, 0x3c, 0x85, 0x09, 0x87, 0xfb, 0x1a, 0x6d, 0xcc, 0x8f, 0x21, 0x71, 0xcf, 0x53, 0x03, 0x7b, 0x02, 0x0b, 0x41, 0xd3, 0x8c, 0x0e, 0xe2, 0xa2, 0x8f, 0x33, 0xc3, 0x41, 0xcf, 0xaf, 0xf2, 0xc6, 0x6a, 0x76, 0xc2, 0x72, 0xe2, 0x8c, 0x10, 0xff, 0x68, 0xbd, 0x07, 0x50, 0x65, 0x2f, 0xf7, 0x2d, 0xfc, 0x3a, 0x78, 0x70, 0xe9, 0x50, 0x29, 0x9a, 0xb4, 0x2d, 0x51, 0x14, 0xb3, 0x81, 0x86, 0x27, 0xd6, 0x1e, 0x34, 0xad, 0x4d, 0x92, 0xfa, 0x1e, 0x94, 0x3c, 0x42, 0xf6, 0x6d, 0x76, 0x87, 0x1e, 0x9a, 0xb6, 0x0b, 0x5f, 0x0b, 0xc5, 0x47, 0xcf, 0x38, 0xb8, 0xd1, 0xc0, 0x21, 0x92, 0xd3, 0x58, 0x9b, 0xb9, 0xd1, 0x32, 0x2c, 0xdf, 0x6c, 0x54, 0x18, 0xcc, 0xdc, 0x92, 0x9b, 0xfc, 0x18, 0xa0, 0x79, 0x84, 0x69, 0x8f, 0xa7, 0x99, 0x4a, 0x18, 0xd4, 0xa9, 0xb4, 0x3f, 0x60, 0x64, 0x94, 0x1b, 0xc5, 0xfd, 0xfe, 0xc8, 0x8d, 0x2e, 0xdc, 0xd2, 0x21, 0xc7, 0xf1, 0x9b, 0xd6, 0x4c, 0xb3, 0x69, 0x67, 0x2d, 0x68, 0x6d, 0x0c, 0xd6, 0x98, 0x40, 0xb8, 0xe5, 0x86, 0x5a, 0x7d, 0x9d, 0x99, 0x9f, 0xf9, 0xa4, 0x2c, 0xc5, 0x25, 0x52, 0x8c, 0xa2, 0xfb, 0x0c, 0x24, 0x4b, 0x4b, 0x24, 0x29, 0xf0, 0x6f, 0x21, 0x7d, 0xc7, 0x6f, 0x8c, 0x4a, 0x5b, 0x6e, 0x2d, 0xab, 0x6e, 0x60, 0x9d, 0x64, 0xd8, 0xb5, 0x63, 0xa8, 0x4e, 0x47, 0x47, 0x73, 0xa4, 0xea, 0x61, 0xe3, 0x0f, 0x94, 0xc8, 0x78, 0x71, 0xcd, 0x25, 0x93, 0x04, 0xf9, 0x72, 0x1b, 0x1b, 0x12, 0x80, 0xd0, 0x8a, 0xb8, 0x1b, 0x57, 0x55, 0x6d, 0x6e, 0xdc, 0x41, 0x84, 0x63, 0xf9, 0x77, 0x6e, 0x73, 0x2a, 0xa3, 0xb2, 0xfa, 0xb8, 0x45, 0x20, 0xcb, 0x9b, 0x1b, 0x21, 0xdb, 0x1a, 0x43, 0xf7, 0xc4, 0xce, 0xda, 0xc3, 0x24, 0x8e, 0x31, 0x76, 0x7a, 0x85, 0xef, 0x45, 0xca, 0xbf, 0xdc, 0xbc, 0x71, 0xaf, 0x1c, 0x40, 0x2c, 0xc3, 0x56, 0x5e, 0x9f, 0x18, 0x92, 0xee, 0x98, 0x3a, 0xe3, 0xd4, 0x71, 0xe5, 0x53, 0x5e, 0xe8, 0xf7, 0x8b, 0x25, 0xc3, 0x94, 0xfb, 0x98, 0xc6, 0x9d, 0x15, 0x3d, 0xd8, 0xcf, 0xd9, 0x85, 0xb8, 0xd5, 0x80, 0x9d, 0x15, 0xe7, 0xfa, 0x61, 0xaa, 0x26, 0x71, 0x58, 0x4b, 0xb3, 0x63, 0x27, 0x31, 0xa0, 0xa8, 0xbb, 0x19, 0x88, 0x05, 0xbe, 0x2a, 0xc1, 0x8f, 0x0e, 0x60, 0x63, 0x14, 0xd3, 0xa2, 0xa4, 0x68, 0xf6, 0xb4, 0x69, 0xdd, 0x5f, 0x77, 0xff, 0x96, 0x5f, 0x91, 0x04, 0xba, 0xe4, 0x4e, 0x72, 0x53, 0x52, 0xf3, 0x3b, 0x9c, 0xca, 0x51, 0xf8, 0x82, 0x60, 0xe5, 0x99, 0x85, 0xad, 0xf9, 0xa8, 0x8d, 0x25, 0xcb, 0x6d, 0xc2, 0x0c, 0x32, 0x2b, 0x89, 0xa9, 0xbe, 0xc0, 0x06, 0xdf, 0x96, 0x64, 0xdc, 0xa9, 0x46, 0xbb, 0x8c, 0xa5, 0x98, 0xfe, 0xf5, 0x9b, 0x26, 0xbf, 0x43, 0xb8, 0x0b, 0x43, 0x3f, 0x26, 0xdf, 0xf1, 0x36, 0x7f, 0xf5, 0x43, 0x47, 0x50, 0xd0, 0xab, 0x9b, 0xb8, 0x61, 0x67, 0xb3, 0xf5, 0xf3, 0xf7, 0x75, 0x2a, 0x3c, 0xfe, 0x8d, 0x8f, 0x3a, 0x55, 0x05, 0x4d, 0xbb, 0x02, 0x59, 0xce, 0xde, 0x2a, 0x4b, 0xd4, 0x81, 0xb4, 0x8d, 0xcf, 0xf4, 0xa9, 0x37, 0x5f, 0xf5, 0xfa, 0xdc, 0xc8, 0x03, 0x9f, 0x5e, 0xfe, 0x57, 0x82, 0xf2, 0x59, 0x6f, 0xaf, 0x92, 0x0b, 0x67, 0x72, 0xd4, 0x79, 0xb6, 0xa9, 0xde, 0xa4, 0x8d, 0x7b, 0xc5, 0xa8, 0x09, 0xa8, 0xe4, 0x70, 0x2c, 0xbe, 0x07, 0x33, 0x11, 0xd7, 0xff, 0xe4, 0x4f, 0x55, 0xb1, 0x21, 0xba, 0x2b, 0x1e, 0x7a, 0x1c, 0x6e, 0x5b, 0x16, 0xcd, 0x0d, 0xe7, 0x9b, 0x2e, 0xdd, 0xfa, 0xbb, 0xf8, 0x92, 0x6e, 0x23, 0x4d, 0xbf, 0xac, 0x9e, 0x3a, 0xcf, 0x16, 0xc8, 0x1a, 0x9c, 0xea, 0x90, 0x2c, 0x36, 0x92, 0x31, 0xb4, 0xd2, 0xdf, 0xde, 0x36, 0x8c, 0x28, 0xd3, 0xb4, 0x0e, 0x8f, 0x2e, 0x86, 0x92, 0x4e, 0x49, 0xfb, 0xb3, 0xf8, 0xd4, 0x46, 0x77, 0x78, 0x2f, 0xfa, 0xf5, 0x11, 0x00, 0xa8, 0xa2, 0xc5, 0xd3, 0x25, 0x53, 0x67, 0x00, 0xf2, 0xe3, 0x61, 0xe4, 0x2b, 0xb8, 0xf3, 0x89, 0x13, 0x54, 0x08, 0x4a, 0x43, 0xa6, 0xe4, 0xea, 0xdb, 0x02, 0xf0, 0xdd, 0xc7, 0x41, 0x02, 0x99, 0x8a, 0x9c, 0x76, 0xf5, 0xe8, 0xf2, 0x4c, 0x79, 0x33, 0xa0, 0x4f, 0xbd, 0x02, 0x3d, 0x75, 0x59, 0x96, 0xb4, 0xa1, 0xd6, 0x60, 0xb3, 0xad, 0x8b, 0xe7, 0x15, 0xc4, 0x74, 0x31, 0xdb, 0xe0, 0x38, 0xb3, 0xd4, 0x8c, 0x53, 0x3a, 0xdd, 0xe5, 0xf3, 0x49, 0xcf, 0xbf, 0x66, 0x93, 0x05, 0x10, 0xe5, 0x6d, 0x57, 0x96, 0x7e, 0xce, 0x99, 0xb3, 0x3d, 0x0a, 0xf8, 0x34, 0xa9, 0xdd, 0x6e, 0x1f, 0x60, 0x16, 0xa9, 0x35, 0x17, 0xb4, 0x0a, 0x10, 0x8b, 0x54, 0xe5, 0x20, 0x0d, 0x70, 0xf9, 0x8f, 0xac, 0x89, 0x04, 0x75, 0xb5, 0xbe, 0x58, 0xc5, 0x46, 0xf4, 0x37, 0x5f, 0xc8, 0x8c, 0x58, 0xfa, 0x93, 0x26, 0x13, 0xf9, 0xad, 0xc0, 0xfe, 0x13, 0x06, 0x11, 0x93, 0x9e, 0xef, 0xaf, 0xf5, 0x7f, 0x5b, 0xbd, 0x45, 0x32, 0xe1, 0x53, 0xbc, 0x94, 0x93, 0x31, 0x36, 0x66, 0x3a, 0x37, 0x8e, 0xcf, 0x91, 0xdd, 0xde, 0x65, 0x2b, 0x69, 0x66, 0x9b, 0x58, 0x97, 0x0e, 0x1d, 0x80, 0xb3, 0xc8, 0xca, 0xdb, 0x15, 0x90, 0x90, 0x23, 0xa1, 0x90, 0x7a, 0x30, 0xed, 0x31, 0x86, 0xca, 0x09, 0x09, 0x2a, 0x32, 0xf1, 0x49, 0xc4, 0xc8, 0x8e, 0x5a, 0x2f, 0x2d, 0xde, 0xf7, 0xba, 0xd8, 0x61, 0x3f, 0xfe, 0xce, 0x46, 0xd8, 0x54, 0x02, 0x1a, 0x95, 0xa4, 0xfd, 0xc6, 0x6d, 0xdb, 0x26, 0xe3, 0xc5, 0xca, 0x92, 0x23, 0x6e, 0xd4, 0x51, 0x10, 0xfc, 0xb9, 0x35, 0x01, 0xf1, 0x7f, 0x01, 0xdc, 0x66, 0x28, 0xef, 0x06, 0x09, 0x4d, 0xbe, 0xf0, 0x60, 0x70, 0x7a, 0x1c, 0xc6, 0xd1, 0xb0, 0xa0, 0xc9, 0xd4, 0xfc, 0x0a, 0x58, 0x4e, 0x6a, 0x6e, 0x63, 0xf8, 0x17, 0x10, 0x0e, 0x9b, 0x64, 0x76, 0x17, 0xe3, 0x22, 0x50, 0x93, 0xa1, 0xb3, 0xce, 0xb3, 0xf2, 0xb3, 0xc7, 0xe8, 0x09, 0xa8, 0xbb, 0x6d, 0x7d, 0xea, 0x68, 0x76, 0xd8, 0xa1, 0x61, 0xaa, 0xc1, 0x4f, 0x34, 0x02, 0x66, 0xf5, 0xb8, 0xe7, 0x46, 0x93, 0x58, 0xb6, 0x26, 0xda, 0x3a, 0x1c, 0xda, 0x63, 0x38, 0xce, 0xe0, 0x55, 0x26, 0x5a, 0x15, 0xda, 0xd6, 0x2a, 0xa1, 0xb6, 0xf7, 0x60, 0x1f, 0xa9, 0x41, 0x87, 0x18, 0xe2, 0xf1, 0x0c, 0x05, 0x2f, 0x1d, 0xc6, 0x07, 0xc9, 0x53, 0x9b, 0x97, 0x18, 0x6a, 0xbe, 0x0e, 0x40, 0xf3, 0x6a, 0xb4, 0xb0, 0x61, 0x5d, 0xde, 0x1e, 0xaf, 0xc0, 0x0d, 0xdd, 0xe2, 0x9c, 0xb5, 0xca, 0x3b, 0xaf, 0x1c, 0x31, 0xd3, 0x90, 0x69, 0x4d, 0x07, 0x99, 0x05, 0xf0, 0x5e, 0x26, 0x08, 0xa4, 0xb7, 0xdd, 0x81, 0x9d, 0x85, 0x55, 0xe8, 0x93, 0x6c, 0xba, 0x27, 0x0d, 0x26, 0x3a, 0x63, 0xd9, 0x2c, 0x4c, 0x9d, 0x03, 0xe2, 0x58, 0x3b, 0xc5, 0x48, 0x60, 0x31, 0x90, 0x81, 0x82, 0x07, 0x7b, 0xaf, 0x33, 0x5b, 0x85, 0xe6, 0xe0, 0x8d, 0x15, 0x5c, 0x69, 0x7a, 0xd8, 0x27, 0x4b, 0xb1, 0x69, 0xfd, 0x8e, 0x9a, 0x9b, 0x87, 0xbd, 0xac, 0xdc, 0xde, 0xf0, 0x39, 0x88, 0xa1, 0x74, 0x01, 0x40, 0x55, 0x33, 0x16, 0x6e, 0xbb, 0xbb, 0xb2, 0x27, 0x9a, 0x21, 0x86, 0xef, 0xeb, 0xc6, 0xab, 0x1f, 0x98, 0xa4, 0xbf, 0x9d, 0x2a, 0x32, 0x68, 0x44, 0x50, 0x9e, 0xb0, 0x32, 0x46, 0xd6, 0x75, 0x38, 0x78, 0xb4, 0xd8, 0x43, 0xaf, 0xe2, 0x27, 0xd5, 0x90, 0xd8, 0x47, 0xbe, 0xdb, 0xd3, 0x0f, 0x2e, 0xbc, 0x5d, 0xea, 0x29, 0x98, 0xb0, 0xee, 0x0d, 0x10, 0x7b, 0xbb, 0x20, 0x01, 0x22, 0xd0, 0xc4, 0x3b, 0xec, 0xdf, 0x62, 0x83, 0xaa, 0xb6, 0x9a, 0xce, 0xaf, 0x57, 0xec, 0x81, 0xa4, 0x7f, 0x8b }, .ds_key_size = 3072, - .ds_result = { 0x8d, 0x8b, 0x79, 0x31, 0xbb, 0xc8, 0x02, 0x33, 0xf3, 0x32, 0x96, 0x53, 0xd0, 0x19, 0xd8, 0x3d, 0x71, 0x9d, 0xc9, 0xf1, 0xad, 0x3a, 0x2b, 0x07, 0xb7, 0x08, 0x6f, 0xe4, 0x45, 0xfa, 0x44, 0x7d, 0x66, 0xa5, 0x01, 0x71, 0x28, 0x34, 0xaa, 0x53, 0x0c, 0x66, 0x53, 0x9b, 0x39, 0xeb, 0xb9, 0x6f, 0x24, 0xa6, 0x2e, 0xb7, 0xbd, 0x01, 0x88, 0xab, 0x02, 0x0f, 0x7f, 0x7b, 0xdf, 0xf9, 0xd7, 0x40, 0x51, 0xde, 0x94, 0x83, 0x47, 0x72, 0xab, 0x96, 0xb5, 0xb9, 0xca, 0xbf, 0xc5, 0xff, 0xe4, 0x15, 0x61, 0x65, 0xca, 0x29, 0xf6, 0x37, 0x6a, 0xb0, 0x2e, 0xb4, 0xb9, 0x99, 0x1c, 0x0c, 0xcd, 0x02, 0x3e, 0x26, 0x91, 0x04, 0xc0, 0x6f, 0x13, 0x42, 0xeb, 0x38, 0xc9, 0x63, 0xd3, 0x44, 0xc0, 0xa3, 0x49, 0x30, 0xed, 0xf2, 0x92, 0xbb, 0x66, 0x6d, 0x18, 0x25, 0x91, 0xc2, 0x82, 0x3c, 0x61, 0xf1, 0x95, 0x1a, 0x9d, 0x78, 0xef, 0x48, 0x55, 0xd5, 0xc5, 0xdc, 0x67, 0x7b, 0xba, 0x8a, 0x5e, 0x46, 0x32, 0x1d, 0x37, 0xbc, 0x1b, 0x1b, 0x47, 0xe9, 0x30, 0xa7, 0x89, 0x63, 0x80, 0x87, 0x6c, 0xe5, 0x37, 0xc3, 0x72, 0x35, 0x22, 0x7b, 0xb0, 0xec, 0x20, 0xf7, 0x2c, 0x00, 0xe7, 0x90, 0xec, 0x7f, 0xe1, 0x91, 0xe8, 0xca, 0xf1, 0x06, 0x86, 0xb1, 0xf0, 0x38, 0x5c, 0x2e, 0xfa, 0x0d, 0x95, 0xf1, 0xb1, 0x69, 0x28, 0xd4, 0x55, 0x20, 0xa6, 0xcd, 0xf3, 0x4b, 0x5d, 0xce, 0x7b, 0xd8, 0x43, 0x76, 0x5b, 0x6a, 0x66, 0x59, 0x84, 0x5a, 0xc4, 0xc4, 0xb5, 0x9d, 0x22, 0x07, 0x72, 0x7c, 0xe6, 0xf8, 0x0b, 0x4c, 0x69, 0x11, 0x91, 0x14, 0x84, 0x26, 0x31, 0x3e, 0x12, 0xf7, 0xb1, 0x67, 0x0c, 0x54, 0xe2, 0x17, 0x8a, 0xfa, 0x59, 0x17, 0xf8, 0x21, 0xc1, 0x50, 0x98, 0xd8, 0x0e, 0x36, 0x98, 0xbd, 0x76, 0x06, 0x8f, 0x85, 0x4b, 0x55, 0x16, 0xeb, 0xa4, 0xaa, 0xd5, 0xd9, 0xba, 0x31, 0x91, 0x5e, 0xc6, 0x76, 0xcb, 0xbb, 0x10, 0x5b, 0x82, 0x0c, 0x38, 0x82, 0x91, 0x05, 0x98, 0x15, 0xc4, 0x49, 0x3f, 0xab, 0xe3, 0x29, 0x36, 0x72, 0xc3, 0xfc, 0xb2, 0xde, 0x94, 0x4b, 0x2f, 0x49, 0xba, 0xb1, 0x2c, 0xfe, 0x4c, 0x02, 0x2c, 0x59, 0x1b, 0x31, 0xd9, 0xa6, 0x4a, 0x7c, 0xfb, 0x47, 0xf2, 0x17, 0x73, 0x2d, 0xaa, 0x88, 0x2c, 0x9e, 0xd1, 0xf6, 0xbb, 0xd9, 0x4b, 0x93, 0x15, 0x92, 0x1d, 0x0a, 0xfc, 0xf1, 0xff, 0xf2, 0x3d, 0x96, 0xb9, 0x58, 0x00, 0x4c, 0xfa, 0xee, 0x1c, 0xe1, 0xc7, 0x8d, 0xd4, 0xd0, 0xdc, 0xaa, 0x4d, 0x6c, 0x5b, 0x08, 0x19, 0x5c, 0xd9, 0xdb, 0x8e, 0x55, 0x35, 0xa3, 0x41, 0xe8, 0xda, 0xa4, 0xcc, 0x33, 0xb9, 0x17, 0x08, 0x4b, 0xc5, 0x6d, 0x7a, 0x6a, 0x86, 0x5c }, + .ds_result = { 0x23, 0x54, 0x4f, 0x7e, 0x5b, 0x54, 0x6f, 0xef, 0xc9, 0x9b, 0xb6, 0x35, 0x14, 0xe1, 0xeb, 0x58, 0xf8, 0x7d, 0x0a, 0x94, 0x24, 0x42, 0x87, 0xf0, 0x4a, 0x46, 0xb9, 0xe2, 0x85, 0xb3, 0x79, 0xed, 0x18, 0x66, 0xa5, 0x34, 0x56, 0x48, 0xd8, 0x42, 0x92, 0x06, 0xaf, 0x32, 0xd4, 0xc5, 0xf3, 0x4f, 0x12, 0x40, 0xec, 0x65, 0xe7, 0x8c, 0x9e, 0x5c, 0xd7, 0xb8, 0x69, 0x8d, 0x7a, 0x6c, 0xa0, 0x0d, 0x6f, 0x6b, 0xe8, 0xe1, 0xee, 0x39, 0xad, 0xc5, 0x40, 0x8e, 0x36, 0xd6, 0x45, 0xbe, 0x20, 0xd5, 0x7d, 0x01, 0xa6, 0x1d, 0x21, 0xe8, 0x3a, 0x79, 0x8c, 0x69, 0xc6, 0x93, 0x84, 0x7a, 0xd4, 0x55, 0xaf, 0x65, 0x0e, 0x6e, 0x37, 0xe7, 0x4b, 0x3a, 0xf3, 0x39, 0x11, 0xb5, 0xb4, 0xf8, 0x8d, 0x36, 0x91, 0xc8, 0xc8, 0x63, 0x86, 0xc5, 0x1f, 0x86, 0x65, 0x12, 0xf4, 0x73, 0x65, 0x35, 0x71, 0x53, 0x8f, 0xa4, 0x6c, 0x86, 0xb8, 0xbd, 0xb7, 0x05, 0x6f, 0x64, 0x3b, 0xc7, 0x63, 0x40, 0x5a, 0xb4, 0x09, 0xf5, 0xaa, 0x10, 0xf2, 0xab, 0x4c, 0x2f, 0xdb, 0x78, 0xb3, 0x2c, 0x00, 0x99, 0x99, 0xdc, 0xee, 0x4f, 0xdc, 0x95, 0xfe, 0x25, 0x10, 0x0e, 0x01, 0xcf, 0x98, 0x7e, 0x20, 0xe4, 0x75, 0xb9, 0x63, 0x88, 0x53, 0x3c, 0xd7, 0x65, 0xef, 0xb6, 0xe9, 0x92, 0x0e, 0x1e, 0x43, 0x0f, 0xa9, 0x74, 0x2f, 0xa1, 0xa0, 0xf5, 0xd5, 0x29, 0xaa, 0xc9, 0x08, 0xf2, 0x42, 0x19, 0x49, 0x47, 0x1e, 0x28, 0xc4, 0x31, 0xc0, 0x82, 0x5d, 0x9a, 0x43, 0x8a, 0x6e, 0x7d, 0xc5, 0x51, 0xa1, 0xee, 0xd3, 0xdc, 0x0b, 0x50, 0x69, 0x2f, 0xe8, 0x3b, 0xe9, 0xbf, 0x88, 0x04, 0x9f, 0x55, 0x18, 0xf8, 0xc2, 0x68, 0x7f, 0x98, 0xdc, 0x1b, 0x75, 0x27, 0x6a, 0x95, 0xbc, 0xc6, 0x13, 0xeb, 0xfa, 0xa6, 0x73, 0x9c, 0x92, 0xc1, 0xf6, 0xd7, 0x96, 0x87, 0x19, 0x0c, 0xc1, 0x97, 0x8a, 0x12, 0x05, 0x8f, 0x71, 0xce, 0xa0, 0x9b, 0x17, 0x08, 0x1a, 0x71, 0xfb, 0x7f, 0x49, 0x32, 0x69, 0x7f, 0x86, 0x94, 0x42, 0x8f, 0x47, 0x68, 0x1d, 0x61, 0x6f, 0x11, 0x82, 0x76, 0x25, 0xbe, 0x20, 0xd4, 0xa5, 0xcb, 0xa7, 0x63, 0xae, 0x3b, 0x55, 0x8a, 0xf8, 0xb1, 0x54, 0xe2, 0x97, 0xd0, 0x6b, 0xa5, 0x01, 0x75, 0xe3, 0xa6, 0x1b, 0xe0, 0xfb, 0xb4, 0xba, 0x67, 0xf4, 0xca, 0xcb, 0xd1, 0xb1, 0x4b, 0x2f, 0xdf, 0x51, 0x12, 0xe7, 0x1f, 0xcb, 0x5a, 0xd1, 0x75, 0x72, 0x25, 0x10, 0x5c, 0x72, 0x10, 0xb3, 0x01, 0x1b, 0xf8, 0xdc, 0xbe, 0xda, 0xcb, 0x6a, 0x88, 0xe3, 0xb2, 0xff, 0x47, 0xef, 0xb4, 0x4b, 0x3b, 0x9a, 0x01, 0x54, 0x20, 0x45, 0xda, 0xc3, 0xc0, 0x03, 0xed, 0x68, 0x51, 0xc9, 0x99, 0x3d, 0xff, 0x61, 0x91 }, #endif - .ds_encrypted_input_params_iv = { 0xff, 0xb6, 0x53, 0x89, 0xd3, 0xe6, 0x33, 0x9b, 0x37, 0xd9, 0x09, 0xc0, 0xd5, 0xe3, 0x98, 0xd6 }, + .ds_encrypted_input_params_iv = { 0x95, 0x65, 0x6e, 0x21, 0xdd, 0x34, 0xa4, 0x8d, 0x1f, 0x57, 0xb6, 0x82, 0x59, 0x78, 0x91, 0x71 }, }, }; diff --git a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c index 886ee5492a7..c063daad686 100644 --- a/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c +++ b/components/hal/test_apps/crypto/main/key_manager/test_key_manager.c @@ -84,84 +84,88 @@ static void test_xts_aes_key_ecdh0_mode(test_data_ecdh0_mode_t *test_data) ESP_LOG_BUFFER_HEXDUMP("Encrypted data", read_data, data_size, ESP_LOG_DEBUG); } -#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 -static void key_mgr_test_xts_aes_128_aes_mode(void) +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 +static void key_mgr_test_xts_aes_key_aes_mode(esp_key_mgr_key_len_t key_len, test_data_aes_mode_t *test_data) { static esp_key_mgr_aes_key_config_t key_config; - memcpy(key_config.k2_info, (uint8_t*) test_data_xts_aes_128.k2_info, KEY_MGR_K2_INFO_SIZE); - memcpy(key_config.k1_encrypted, (uint8_t*) test_data_xts_aes_128.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); - memcpy(key_config.sw_init_key, (uint8_t*) test_data_xts_aes_128.init_key, KEY_MGR_SW_INIT_KEY_SIZE); - key_config.use_pre_generated_sw_init_key = 1; - key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; - key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; - - static esp_key_mgr_key_recovery_info_t key_recovery_info; - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); - test_xts_aes_key_aes_mode(&test_data_xts_aes_128); - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); -} - -static void key_mgr_test_xts_aes_128_ecdh0_mode(void) -{ - static esp_key_mgr_ecdh0_key_config_t key_config; - memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); - key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; - key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; - - static esp_key_mgr_key_recovery_info_t key_recovery_info; - static esp_key_mgr_ecdh0_info_t ecdh0_info; - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info)); - - ESP_LOG_BUFFER_HEXDUMP("K2_G", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); - - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); - test_xts_aes_key_ecdh0_mode(&test_data_ecdh0); - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); -} -#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */ + memcpy(key_config.k2_info, (uint8_t*) test_data->k2_info, KEY_MGR_K2_INFO_SIZE); + memcpy(key_config.k1_encrypted[0], (uint8_t*) test_data->k1_encrypted[0], KEY_MGR_K1_ENCRYPTED_SIZE); #if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 -static void key_mgr_test_xts_aes_256_aes_mode(void) -{ - static esp_key_mgr_aes_key_config_t key_config; - memcpy(key_config.k2_info, (uint8_t*) test_data_xts_aes_256.k2_info, KEY_MGR_K2_INFO_SIZE); - memcpy(key_config.k1_encrypted[0], (uint8_t*) test_data_xts_aes_256.k1_encrypted[0], KEY_MGR_K1_ENCRYPTED_SIZE); - memcpy(key_config.k1_encrypted[1], (uint8_t*) test_data_xts_aes_256.k1_encrypted[1], KEY_MGR_K1_ENCRYPTED_SIZE); - memcpy(key_config.sw_init_key, (uint8_t*) test_data_xts_aes_256.init_key, KEY_MGR_SW_INIT_KEY_SIZE); + if (key_len == ESP_KEY_MGR_XTS_AES_LEN_256) { + memcpy(key_config.k1_encrypted[1], (uint8_t*) test_data->k1_encrypted[1], KEY_MGR_K1_ENCRYPTED_SIZE); + } +#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ + + memcpy(key_config.sw_init_key, (uint8_t*) test_data->init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config.use_pre_generated_sw_init_key = 1; key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; - key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; + key_config.key_len = key_len; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); - test_xts_aes_key_aes_mode(&test_data_xts_aes_256); + test_xts_aes_key_aes_mode(test_data); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); } -static void key_mgr_test_xts_aes_256_ecdh0_mode(void) +static void key_mgr_test_xts_aes_key_ecdh0_mode(esp_key_mgr_key_len_t key_len) { static esp_key_mgr_ecdh0_key_config_t key_config; memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); - memcpy(key_config.k1_G[1], (uint8_t*) test_data_ecdh0.k1_G[1], KEY_MGR_ECDH0_INFO_SIZE); + +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 + if (key_len == ESP_KEY_MGR_XTS_AES_LEN_256) { + memcpy(key_config.k1_G[1], (uint8_t*) test_data_ecdh0.k1_G[1], KEY_MGR_ECDH0_INFO_SIZE); + } +#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ + key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; - key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; + key_config.key_len = key_len; static esp_key_mgr_key_recovery_info_t key_recovery_info; static esp_key_mgr_ecdh0_info_t ecdh0_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info)); ESP_LOG_BUFFER_HEXDUMP("K2_G_0", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); - ESP_LOG_BUFFER_HEXDUMP("K2_G_1", ecdh0_info.k2_G[1], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 + if (key_len == ESP_KEY_MGR_XTS_AES_LEN_256) { + ESP_LOG_BUFFER_HEXDUMP("K2_G_1", ecdh0_info.k2_G[1], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); + } +#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); test_xts_aes_key_ecdh0_mode(&test_data_ecdh0); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); } +#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ + +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 +static void key_mgr_test_xts_aes_128_aes_mode(void) +{ + key_mgr_test_xts_aes_key_aes_mode(ESP_KEY_MGR_XTS_AES_LEN_128, &test_data_xts_aes_128); +} + +static void key_mgr_test_xts_aes_128_ecdh0_mode(void) +{ + key_mgr_test_xts_aes_key_ecdh0_mode(ESP_KEY_MGR_XTS_AES_LEN_128); +} +#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */ + +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 +static void key_mgr_test_xts_aes_256_aes_mode(void) +{ + key_mgr_test_xts_aes_key_aes_mode(ESP_KEY_MGR_XTS_AES_LEN_256, &test_data_xts_aes_256); +} + +static void key_mgr_test_xts_aes_256_ecdh0_mode(void) +{ + key_mgr_test_xts_aes_key_ecdh0_mode(ESP_KEY_MGR_XTS_AES_LEN_256); +} #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 static void test_xts_aes_key_random_mode(void) { const esp_partition_t *partition = get_test_storage_partition(); @@ -177,12 +181,11 @@ static void test_xts_aes_key_random_mode(void) } } -#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 -static void key_mgr_test_xts_aes_128_random_mode(void) +static void key_mgr_test_xts_aes_key_random_mode(esp_key_mgr_key_len_t key_len) { static esp_key_mgr_random_key_config_t key_config; key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; - key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_128; + key_config.key_len = key_len; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); @@ -190,20 +193,19 @@ static void key_mgr_test_xts_aes_128_random_mode(void) test_xts_aes_key_random_mode(); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); } +#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 || SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ + +#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 +static void key_mgr_test_xts_aes_128_random_mode(void) +{ + key_mgr_test_xts_aes_key_random_mode(ESP_KEY_MGR_XTS_AES_LEN_128); +} #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */ #if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 static void key_mgr_test_xts_aes_256_random_mode(void) { - static esp_key_mgr_random_key_config_t key_config; - key_config.key_type = ESP_KEY_MGR_FLASH_XTS_AES_KEY; - key_config.key_len = ESP_KEY_MGR_XTS_AES_LEN_256; - - static esp_key_mgr_key_recovery_info_t key_recovery_info; - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); - test_xts_aes_key_random_mode(); - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); + key_mgr_test_xts_aes_key_random_mode(ESP_KEY_MGR_XTS_AES_LEN_256); } #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */ #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */ @@ -211,106 +213,182 @@ static void key_mgr_test_xts_aes_256_random_mode(void) #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY #if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY -extern void test_ecdsa_export_pubkey(bool is_p256, uint8_t *ecdsa_pub_x, uint8_t *ecdsa_pub_y, bool use_km_key); -extern void test_ecdsa_export_pubkey_inner(bool is_p256, uint8_t *exported_pub_x, uint8_t *exported_pub_y, bool use_km_key, uint16_t *len); +extern void test_ecdsa_export_pubkey(ecdsa_curve_t curve, uint8_t *ecdsa_pub_x, uint8_t *ecdsa_pub_y, bool use_km_key); +extern void test_ecdsa_export_pubkey_inner(ecdsa_curve_t curve, uint8_t *exported_pub_x, uint8_t *exported_pub_y, bool use_km_key, uint16_t *len); #endif -extern void test_ecdsa_sign(bool is_p256, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, bool use_km_key, ecdsa_sign_type_t k_type); -extern int test_ecdsa_verify(bool is_p256, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, uint8_t *pub_x, uint8_t *pub_y); -extern void test_ecdsa_sign_and_verify(bool is_p256, uint8_t* sha, uint8_t* pub_x, uint8_t* pub_y, bool use_km_key, ecdsa_sign_type_t k_type); +extern void test_ecdsa_sign(ecdsa_curve_t curve, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, bool use_km_key, ecdsa_sign_type_t k_type); +extern int test_ecdsa_verify(ecdsa_curve_t curve, uint8_t* sha, uint8_t* r_le, uint8_t* s_le, uint8_t *pub_x, uint8_t *pub_y); +extern void test_ecdsa_sign_and_verify(ecdsa_curve_t curve, uint8_t* sha, uint8_t* pub_x, uint8_t* pub_y, bool use_km_key, ecdsa_sign_type_t k_type); /* const uint8_t message[32] = { 0xDF, 0xDE, 0xD7, 0x4A, 0x47, 0xB1, 0x4F, 0x73, 0x00, 0x21, 0x62, 0xC7, 0x66, 0x6D, 0xA3, 0x95, 0x66, 0x19, 0x62, 0x7F, 0x71, 0x7B, 0x3C, 0x66, 0x82, 0xD3, 0x9F, 0x71, 0xAC, 0x9C, 0xC3, 0x39 }; */ +/* sha384 digest of the above message */ +uint8_t sha_digest[48] = { 0xF0, 0x94, 0xC4, 0x4A, 0xF0, 0xEE, 0x68, 0xDB, 0x5B, 0x6A, 0x12, 0x84, 0xAC, 0xAF, 0x49, 0x0C, 0x24, 0xED, 0x70, 0x41, 0xE6, 0xE3, 0xBD, 0x74, 0x2B, 0x8D, 0xCF, 0x46, 0x19, 0xE1, 0xC2, 0x61, 0xCA, 0x79, 0xF3, 0x86, 0xF9, 0x04, 0xC0, 0x63, 0xC6, 0xF0, 0xEE, 0x36, 0x7C, 0x5C, 0x82, 0x89 }; -/* sha256 digest of the above message */ -uint8_t sha256_digest[32] = { 0x47, 0xA6, 0xEF, 0xBE, 0x39, 0x5E, 0xE4, 0xAE, 0x2B, 0xEC, 0x83, 0xB1, 0xED, 0xAF, 0xC6, 0x78, 0x57, 0x7A, 0x16, 0x8C, 0x22, 0x16, 0x13, 0xE2, 0xAC, 0xA8, 0x50, 0xD5, 0x67, 0x95, 0x9F, 0x71 }; - -void test_ecdsa_key_aes_mode(test_data_aes_mode_t *ecdsa_test_data, ecdsa_sign_type_t k_type) +void test_ecdsa_key_aes_mode(ecdsa_curve_t curve, uint8_t *sha_digest, uint8_t *pub_x, uint8_t *pub_y, ecdsa_sign_type_t k_type) { - test_ecdsa_sign_and_verify(1, sha256_digest, ecdsa_test_data->ecdsa_test_data.pubx, ecdsa_test_data->ecdsa_test_data.puby, 1, k_type); + test_ecdsa_sign_and_verify(curve, sha_digest, pub_x, pub_y, 1, k_type); #ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY - test_ecdsa_export_pubkey(1, ecdsa_test_data->ecdsa_test_data.pubx, ecdsa_test_data->ecdsa_test_data.puby, 1); + test_ecdsa_export_pubkey(curve, pub_x, pub_y, 1); #endif } -void key_mgr_test_ecdsa_key(bool is_p256, ecdsa_sign_type_t k_type) +void key_mgr_test_ecdsa_key(esp_key_mgr_key_len_t key_len, ecdsa_sign_type_t k_type) { - uint8_t pub_x[32] = {}; - uint8_t pub_y[32] = {}; - uint8_t r_le[32] = {0}; - uint8_t s_le[32] = {0}; + uint8_t pub_x[48] = {}; + uint8_t pub_y[48] = {}; + uint8_t r_le[48] = {0}; + uint8_t s_le[48] = {0}; - test_ecdsa_sign(is_p256, sha256_digest, r_le, s_le, 1, k_type); + uint16_t sha_digest_len = 0; - ESP_LOG_BUFFER_HEXDUMP("ECDSA message sha256 digest", sha256_digest, sizeof(sha256_digest), ESP_LOG_DEBUG); + ecdsa_curve_t curve = ECDSA_CURVE_SECP192R1; + + switch (key_len) { + case ESP_KEY_MGR_ECDSA_LEN_192: + sha_digest_len = 24; + curve = ECDSA_CURVE_SECP192R1; + break; + case ESP_KEY_MGR_ECDSA_LEN_256: + sha_digest_len = 32; + curve = ECDSA_CURVE_SECP256R1; + break; +#if SOC_ECDSA_SUPPORT_CURVE_P384 + case ESP_KEY_MGR_ECDSA_LEN_384: + sha_digest_len = 48; + curve = ECDSA_CURVE_SECP384R1; + break; +#endif + default: + TEST_FAIL_MESSAGE("Unsupported key length"); + return; + } + + test_ecdsa_sign(curve, sha_digest, r_le, s_le, 1, k_type); + + ESP_LOG_BUFFER_HEXDUMP("ECDSA message digest", sha_digest, sha_digest_len, ESP_LOG_DEBUG); ESP_LOG_BUFFER_HEXDUMP("ECDSA signature r_le", r_le, sizeof(r_le), ESP_LOG_DEBUG); ESP_LOG_BUFFER_HEXDUMP("ECDSA signature s_le", s_le, sizeof(s_le), ESP_LOG_DEBUG); // Export the pubkey from ECDSA peripheral uint16_t pubkey_len = 0; - test_ecdsa_export_pubkey_inner(is_p256, pub_x, pub_y, 1, &pubkey_len); + test_ecdsa_export_pubkey_inner(curve, pub_x, pub_y, 1, &pubkey_len); ESP_LOG_BUFFER_HEXDUMP("ECDSA key pubx", pub_x, pubkey_len, ESP_LOG_DEBUG); ESP_LOG_BUFFER_HEXDUMP("ECDSA key puby", pub_y, pubkey_len, ESP_LOG_DEBUG); - TEST_ASSERT_EQUAL(0, test_ecdsa_verify(is_p256, sha256_digest, r_le, s_le, pub_x, pub_y)); + TEST_ASSERT_EQUAL(0, test_ecdsa_verify(curve, sha_digest, r_le, s_le, pub_x, pub_y)); } -static void key_mgr_test_ecdsa_p256_aes_mode(void) +/* Generic ECDSA AES mode test function */ +static void key_mgr_test_ecdsa_key_aes_mode(esp_key_mgr_key_len_t key_len, test_data_aes_mode_t *test_data) { static esp_key_mgr_aes_key_config_t key_config; - memcpy(key_config.k2_info, (uint8_t*) test_data_ecdsa.k2_info, KEY_MGR_K2_INFO_SIZE); - memcpy(key_config.k1_encrypted, (uint8_t*) test_data_ecdsa.k1_encrypted, KEY_MGR_K1_ENCRYPTED_SIZE); - memcpy(key_config.sw_init_key, (uint8_t*) test_data_ecdsa.init_key, KEY_MGR_SW_INIT_KEY_SIZE); + ecdsa_curve_t curve = ECDSA_CURVE_SECP192R1; + uint8_t *pub_x = NULL; + uint8_t *pub_y = NULL; + + memcpy(key_config.k2_info, (uint8_t*) test_data->k2_info, KEY_MGR_K2_INFO_SIZE); + + if (key_len == ESP_KEY_MGR_ECDSA_LEN_192) { + memcpy(key_config.k1_encrypted[0], (uint8_t*) test_data->k1_encrypted[0], KEY_MGR_K1_ENCRYPTED_SIZE); + pub_x = test_data->ecdsa_test_data.ecdsa_p192_pubx; + pub_y = test_data->ecdsa_test_data.ecdsa_p192_puby; + curve = ECDSA_CURVE_SECP192R1; + } + else if (key_len == ESP_KEY_MGR_ECDSA_LEN_256) { + memcpy(key_config.k1_encrypted[0], (uint8_t*) test_data->k1_encrypted[1], KEY_MGR_K1_ENCRYPTED_SIZE); + pub_x = test_data->ecdsa_test_data.ecdsa_p256_pubx; + pub_y = test_data->ecdsa_test_data.ecdsa_p256_puby; + curve = ECDSA_CURVE_SECP256R1; + } +#if SOC_ECDSA_SUPPORT_CURVE_P384 + else if (key_len == ESP_KEY_MGR_ECDSA_LEN_384) { + memcpy(key_config.k1_encrypted[0], (uint8_t*) test_data->k1_encrypted[2], KEY_MGR_K1_ENCRYPTED_SIZE); + memcpy(key_config.k1_encrypted[1], (uint8_t*) test_data->k1_encrypted[3], KEY_MGR_K1_ENCRYPTED_SIZE); + pub_x = test_data->ecdsa_test_data.ecdsa_p384_pubx; + pub_y = test_data->ecdsa_test_data.ecdsa_p384_puby; + curve = ECDSA_CURVE_SECP384R1; + } +#endif + memcpy(key_config.sw_init_key, (uint8_t*) test_data->init_key, KEY_MGR_SW_INIT_KEY_SIZE); key_config.use_pre_generated_sw_init_key = 1; key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; - key_config.key_len = ESP_KEY_MGR_ECDSA_LEN_256; + key_config.key_len = key_len; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_aes_mode(&key_config, &key_recovery_info)); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); -#ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE - test_ecdsa_key_aes_mode(&test_data_ecdsa, ECDSA_K_TYPE_DETERMINISITIC); + +#if SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE + test_ecdsa_key_aes_mode(curve, sha_digest, pub_x, pub_y, ECDSA_K_TYPE_DETERMINISITIC); #endif - test_ecdsa_key_aes_mode(&test_data_ecdsa, ECDSA_K_TYPE_TRNG); + test_ecdsa_key_aes_mode(curve, sha_digest, pub_x, pub_y, ECDSA_K_TYPE_TRNG); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); } -static void key_mgr_test_ecdsa_ecdh0_mode(void) +/* Generic ECDSA ECDH0 mode test function */ +static void key_mgr_test_ecdsa_key_ecdh0_mode(esp_key_mgr_key_len_t key_len) { static esp_key_mgr_ecdh0_key_config_t key_config; memcpy(key_config.k1_G[0], (uint8_t*) test_data_ecdh0.k1_G[0], KEY_MGR_ECDH0_INFO_SIZE); +#if SOC_ECDSA_SUPPORT_CURVE_P384 + // For 384-bit keys, copy the second k1_G block + if (key_len == ESP_KEY_MGR_ECDSA_LEN_384) { + memcpy(key_config.k1_G[1], (uint8_t*) test_data_ecdh0.k1_G[1], KEY_MGR_ECDH0_INFO_SIZE); + } +#endif key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; - key_config.key_len = ESP_KEY_MGR_ECDSA_LEN_256; + key_config.key_len = key_len; static esp_key_mgr_key_recovery_info_t key_recovery_info; static esp_key_mgr_ecdh0_info_t ecdh0_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_ecdh0_mode(&key_config, &key_recovery_info, &ecdh0_info)); - ESP_LOG_BUFFER_HEXDUMP("K2_G", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); - TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); -#ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE - key_mgr_test_ecdsa_key(1, ECDSA_K_TYPE_DETERMINISITIC); + ESP_LOG_BUFFER_HEXDUMP("K2_G_0", ecdh0_info.k2_G[0], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); +#if SOC_ECDSA_SUPPORT_CURVE_P384 + if (key_len == ESP_KEY_MGR_ECDSA_LEN_384) { + ESP_LOG_BUFFER_HEXDUMP("K2_G_1", ecdh0_info.k2_G[1], KEY_MGR_ECDH0_INFO_SIZE, ESP_LOG_DEBUG); + } #endif - key_mgr_test_ecdsa_key(1, ECDSA_K_TYPE_TRNG); + TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); + +#if SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE + key_mgr_test_ecdsa_key(key_len, ECDSA_K_TYPE_DETERMINISITIC); +#endif + key_mgr_test_ecdsa_key(key_len, ECDSA_K_TYPE_TRNG); + TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); } -static void key_mgr_test_ecdsa_random_mode(void) +/* Generic ECDSA random mode test function */ +static void key_mgr_test_ecdsa_key_random_mode(esp_key_mgr_key_len_t key_len) { static esp_key_mgr_random_key_config_t key_config; key_config.key_type = ESP_KEY_MGR_ECDSA_KEY; - key_config.key_len = ESP_KEY_MGR_ECDSA_LEN_256; + key_config.key_len = key_len; static esp_key_mgr_key_recovery_info_t key_recovery_info; TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deploy_key_in_random_mode(&key_config, &key_recovery_info)); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_activate_key(&key_recovery_info)); + + if (key_len == ESP_KEY_MGR_ECDSA_LEN_256) { #ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE - key_mgr_test_ecdsa_key(1, ECDSA_K_TYPE_DETERMINISITIC); + key_mgr_test_ecdsa_key(ECDSA_CURVE_SECP256R1, ECDSA_K_TYPE_DETERMINISITIC); +#endif + key_mgr_test_ecdsa_key(ECDSA_CURVE_SECP256R1, ECDSA_K_TYPE_TRNG); + } +#if SOC_ECDSA_SUPPORT_CURVE_P384 + else if (key_len == ESP_KEY_MGR_ECDSA_LEN_384) { +#ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE + key_mgr_test_ecdsa_key(ECDSA_CURVE_SECP384R1, ECDSA_K_TYPE_DETERMINISITIC); +#endif + key_mgr_test_ecdsa_key(ECDSA_CURVE_SECP384R1, ECDSA_K_TYPE_TRNG); + } #endif - key_mgr_test_ecdsa_key(1, ECDSA_K_TYPE_TRNG); TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type)); } #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */ @@ -339,7 +417,6 @@ static void key_mgr_test_hmac_key_aes_random_mode(const uint8_t *message, size_t // We cannot verify the result here as the HMAC key deployed is unknown. } - static void key_mgr_test_hmac_aes_mode(void) { static esp_key_mgr_aes_key_config_t key_config; @@ -485,20 +562,52 @@ TEST(key_manager, xts_key_256_random_deployment) #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */ #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY +TEST(key_manager, ecdsa_p192_key_aes_deployment) +{ + key_mgr_test_ecdsa_key_aes_mode(ESP_KEY_MGR_ECDSA_LEN_192, &test_data_ecdsa); +} + +TEST(key_manager, ecdsa_p192_key_ecdh0_deployment) +{ + key_mgr_test_ecdsa_key_ecdh0_mode(ESP_KEY_MGR_ECDSA_LEN_192); +} + +TEST(key_manager, ecdsa_p192_key_random_deployment) +{ + key_mgr_test_ecdsa_key_random_mode(ESP_KEY_MGR_ECDSA_LEN_192); +} + TEST(key_manager, ecdsa_p256_key_aes_deployment) { - key_mgr_test_ecdsa_p256_aes_mode(); + key_mgr_test_ecdsa_key_aes_mode(ESP_KEY_MGR_ECDSA_LEN_256, &test_data_ecdsa); } TEST(key_manager, ecdsa_p256_key_ecdh0_deployment) { - key_mgr_test_ecdsa_ecdh0_mode(); + key_mgr_test_ecdsa_key_ecdh0_mode(ESP_KEY_MGR_ECDSA_LEN_256); } TEST(key_manager, ecdsa_p256_key_random_deployment) { - key_mgr_test_ecdsa_random_mode(); + key_mgr_test_ecdsa_key_random_mode(ESP_KEY_MGR_ECDSA_LEN_256); } + +#if SOC_ECDSA_SUPPORT_CURVE_P384 +TEST(key_manager, ecdsa_p384_key_aes_deployment) +{ + key_mgr_test_ecdsa_key_aes_mode(ESP_KEY_MGR_ECDSA_LEN_384, &test_data_ecdsa); +} + +TEST(key_manager, ecdsa_p384_key_ecdh0_deployment) +{ + key_mgr_test_ecdsa_key_ecdh0_mode(ESP_KEY_MGR_ECDSA_LEN_384); +} + +TEST(key_manager, ecdsa_p384_key_random_deployment) +{ + key_mgr_test_ecdsa_key_random_mode(ESP_KEY_MGR_ECDSA_LEN_384); +} +#endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */ #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */ #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY @@ -547,9 +656,19 @@ TEST_GROUP_RUNNER(key_manager) #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */ #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY + RUN_TEST_CASE(key_manager, ecdsa_p192_key_aes_deployment); + RUN_TEST_CASE(key_manager, ecdsa_p192_key_ecdh0_deployment); + RUN_TEST_CASE(key_manager, ecdsa_p192_key_random_deployment); + RUN_TEST_CASE(key_manager, ecdsa_p256_key_aes_deployment); RUN_TEST_CASE(key_manager, ecdsa_p256_key_ecdh0_deployment); RUN_TEST_CASE(key_manager, ecdsa_p256_key_random_deployment); + +#if SOC_ECDSA_SUPPORT_CURVE_P384 + RUN_TEST_CASE(key_manager, ecdsa_p384_key_aes_deployment); + RUN_TEST_CASE(key_manager, ecdsa_p384_key_ecdh0_deployment); + RUN_TEST_CASE(key_manager, ecdsa_p384_key_random_deployment); +#endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */ #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY */ #if SOC_KEY_MANAGER_HMAC_KEY_DEPLOY diff --git a/components/hal/test_apps/crypto/sdkconfig.defaults b/components/hal/test_apps/crypto/sdkconfig.defaults index 13eafa08c27..1e7d4540c0d 100644 --- a/components/hal/test_apps/crypto/sdkconfig.defaults +++ b/components/hal/test_apps/crypto/sdkconfig.defaults @@ -1,3 +1,7 @@ +CONFIG_COMPILER_STACK_CHECK=y +CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y +CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK=y + CONFIG_ESP_TASK_WDT_EN=y CONFIG_ESP_TASK_WDT_INIT=n CONFIG_UNITY_ENABLE_FIXTURE=y