Merge branch 'feature/esp32c5_add_hal_layer_for_key_manager' into 'ma…

…ster' Feature/esp32c5 add hal layer for key manager See merge request espressif/esp-idf!33955
espressif · Oct 28, 2024 · 101dce7 · 101dce7
2 parents ac4a084 + b0664a6
commit 101dce7
Show file tree

Hide file tree

Showing 15 changed files with 639 additions and 64 deletions.
diff --git a/components/bootloader_support/include/esp_flash_encrypt.h b/components/bootloader_support/include/esp_flash_encrypt.h
@@ -184,12 +184,14 @@ void esp_flash_encryption_init_checks(void);
  */
 esp_err_t esp_flash_encryption_enable_secure_features(void);
 
+#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY
 /** @brief Enable the key manager for flash encryption
  *
  * @return
  *  - ESP_OK - On success
  */
 esp_err_t esp_flash_encryption_enable_key_mgr(void);
+#endif // CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY
 
 #endif /* BOOTLOADER_BUILD && CONFIG_SECURE_FLASH_ENC_ENABLED */
 

diff --git a/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c b/components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
@@ -11,9 +11,8 @@
 #include "esp_efuse_table.h"
 #include "esp_log.h"
 #include "sdkconfig.h"
-#include "soc/keymng_reg.h"
-#include "soc/pcr_reg.h"
-#include "soc/pcr_struct.h"
+#include "hal/key_mgr_ll.h"
+#include "hal/mspi_timing_tuning_ll.h"
 
 static __attribute__((unused)) const char *TAG = "flash_encrypt";
 
@@ -62,30 +61,21 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
     return ESP_OK;
 }
 
-// TODO: Update to use LL APIs once key manager support added in IDF-8621
 esp_err_t esp_flash_encryption_enable_key_mgr(void)
 {
-    // Set the force power down bit to 0 to enable key manager
-    PCR.km_pd_ctrl.km_mem_force_pd = 0;
-    // Reset the key manager
-    PCR.km_conf.km_clk_en = 1;
-    PCR.km_conf.km_rst_en = 1;
-    PCR.km_conf.km_rst_en = 0;
+    // Enable and reset key manager
+    // To suppress build errors about spinlock's __DECLARE_RCC_ATOMIC_ENV
+    int __DECLARE_RCC_ATOMIC_ENV __attribute__ ((unused));
+    key_mgr_ll_enable_bus_clock(true);
+    key_mgr_ll_enable_peripheral_clock(true);
+    key_mgr_ll_reset_register();
 
-    // Wait for key manager to be ready
-    while (!PCR.km_conf.km_ready) {
+    while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
     };
 
-    // Wait for key manager state machine to be idle
-    while (REG_READ(KEYMNG_STATE_REG) != 0) {
-    };
-
-    // Set the key manager to use efuse key
-    REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 2);
-
-    // Reset MSPI to re-load the flash encryption key
-    REG_SET_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
-    REG_CLR_BIT(PCR_MSPI_CLK_CONF_REG, PCR_MSPI_AXI_RST_EN);
+    // Force Key Manager to use eFuse key for XTS-AES operation
+    key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
+    _mspi_timing_ll_reset_mspi();
 
     return ESP_OK;
 }
diff --git a/components/bootloader_support/src/flash_encryption/flash_encrypt.c b/components/bootloader_support/src/flash_encryption/flash_encrypt.c
@@ -258,8 +258,7 @@ esp_err_t esp_flash_encrypt_contents(void)
     REG_WRITE(SENSITIVE_XTS_AES_KEY_UPDATE_REG, 1);
 #endif
 
-// TODO: Remove C5 target config after key manager LL support- see IDF-8621
-#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY || CONFIG_IDF_TARGET_ESP32C5
+#if CONFIG_SOC_KEY_MANAGER_FE_KEY_DEPLOY
     esp_flash_encryption_enable_key_mgr();
 #endif
 

diff --git a/components/esp_rom/esp32c5/include/esp32c5/rom/km.h b/components/esp_rom/esp32c5/include/esp32c5/rom/km.h
@@ -0,0 +1,63 @@
+/*
+ * SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef _KM_H
+#define _KM_H
+
+#include "soc/soc_caps.h"
+#if SOC_KEY_MANAGER_SUPPORTED
+
+#include <stdint.h>
+#include "soc/soc.h"
+#include "ets_sys.h"
+
+#if __cplusplus
+extern "C" {
+#endif
+
+/* huk mode type */
+typedef enum {
+    HUK_MODE_RECOVER = 0,
+    HUK_MODE_GEN = 1,
+} huk_mode_t;
+
+/**
+  * @brief Recover efuse key or key manager key if flash encryption is enabled
+  *
+  * @param do_log : if km process print log
+  *
+  * @return ETS_OK when key is recovered, ETS_FAILED when key not recovered
+  */
+ETS_STATUS esp_rom_check_recover_key(int do_log);
+
+/**
+  * @brief Configure huk mode
+  *
+  * @param mode : HUK_MODE_RECOVER or HUK_MODE_GEN
+  *
+  * @param huk_info : uint8_t pointer to the buffer which will feed the huk info or
+  *                   gain the huk info
+  *
+  * @return ETS_OK when huk configuration is done, else ETS_FAILED
+  */
+ETS_STATUS esp_rom_km_huk_conf(huk_mode_t mode, uint8_t *huk_info);
+
+/**
+  * @brief Get huk risk. The risk level of HUK is 0-6: the higher the risk level is,
+  *        the more error bits there are in the PUF SRAM. 7: Error level, HUK is invalid
+  *
+  * @param None
+  *
+  * @return The huk risk
+  */
+int esp_rom_km_huk_risk(void);
+
+#ifdef __cplusplus
+}
+#endif
+#endif /* SOC_KEY_MANAGER_SUPPORTED */
+
+#endif /* _KM_H */
diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c
@@ -20,23 +20,15 @@ __attribute__((unused)) static const char *TAG = "esp_security";
 
 static void esp_key_mgr_init(void)
 {
-    // The following operation makes the Key Manager to use eFuse key for ECDSA and XTS-AES operation by default
-    // This is to keep the default behavior same as the other chips
-    // If the Key Manager configuration is already locked then following operation does not have any effect
+    // The following code initializes the key manager.
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY
     // Enable key manager clock
     // Using ll APIs which do not require critical section
     _key_mgr_ll_enable_bus_clock(true);
     _key_mgr_ll_enable_peripheral_clock(true);
-
+    _key_mgr_ll_reset_register();
     while (key_mgr_ll_get_state() != ESP_KEY_MGR_STATE_IDLE) {
     };
-#if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
-    key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
-#endif
-#if SOC_KEY_MANAGER_FE_KEY_DEPLOY
-    key_mgr_ll_set_key_usage(ESP_KEY_MGR_XTS_AES_128_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);
-#endif
 #endif /* SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY || SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 }
 

diff --git a/components/hal/ecdsa_hal.c b/components/hal/ecdsa_hal.c
@@ -14,13 +14,8 @@
 #include "esp_random.h"
 #endif
 
-// Need to remove in IDF-8621
-#if CONFIG_IDF_TARGET_ESP32C5
-#include "soc/keymng_reg.h"
-#endif
-
 #ifdef SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
-#include "hal/key_mgr_hal.h"
+#include "hal/key_mgr_ll.h"
 #endif
 
 #define ECDSA_HAL_P192_COMPONENT_LEN        24
@@ -32,11 +27,6 @@ static void configure_ecdsa_periph(ecdsa_hal_config_t *conf)
     if (conf->use_km_key == 0) {
         efuse_hal_set_ecdsa_key(conf->efuse_key_blk);
 
-// Need to remove in IDF-8621
-#if CONFIG_IDF_TARGET_ESP32C5
-        REG_SET_FIELD(KEYMNG_STATIC_REG, KEYMNG_USE_EFUSE_KEY, 1);
-#endif
-
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
         // Force Key Manager to use eFuse key for XTS-AES operation
         key_mgr_ll_set_key_usage(ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_USE_EFUSE_KEY);

diff --git a/components/hal/esp32c5/include/hal/huk_ll.h b/components/hal/esp32c5/include/hal/huk_ll.h
@@ -0,0 +1,118 @@
+/*
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/*******************************************************************************
+ * NOTICE
+ * The hal is not public api, don't use it in application code.
+ ******************************************************************************/
+
+#pragma once
+
+#include "soc/soc_caps.h"
+
+#if SOC_KEY_MANAGER_SUPPORTED
+
+#include <stdint.h>
+#include <stdbool.h>
+#include <string.h>
+
+#include "hal/huk_types.h"
+#include "soc/huk_reg.h"
+#include "soc/soc_caps.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* @brief Configure the HUK mode */
+static inline void huk_ll_configure_mode(const esp_huk_mode_t huk_mode)
+{
+    REG_SET_FIELD(HUK_CONF_REG, HUK_MODE, huk_mode);
+}
+
+static inline void huk_ll_write_info(const uint8_t *buffer, const size_t size)
+{
+    memcpy((uint8_t *)HUK_INFO_MEM, buffer, size);
+}
+
+static inline void huk_ll_read_info(uint8_t *buffer, const size_t size)
+{
+    memcpy(buffer, (uint8_t *)HUK_INFO_MEM, size);
+}
+
+/* @brief Start the HUK at IDLE state */
+static inline void huk_ll_start(void)
+{
+    REG_SET_FIELD(HUK_START_REG, HUK_START, 1);
+}
+
+/* @brief Continue HUK operation at LOAD/GAIN state */
+static inline void huk_ll_continue(void)
+{
+    REG_SET_FIELD(HUK_START_REG, HUK_CONTINUE, 1);
+}
+
+/* @bried Enable or Disable the HUK interrupts */
+static inline void huk_ll_configure_interrupt(const esp_huk_interrupt_type_t intr, const bool en)
+{
+    switch(intr) {
+        case ESP_HUK_INT_PREP_DONE:
+                REG_SET_FIELD(HUK_INT_ENA_REG, HUK_PREP_DONE_INT_ENA, en);
+        case ESP_HUK_INT_PROC_DONE:
+                REG_SET_FIELD(HUK_INT_ENA_REG, HUK_PROC_DONE_INT_ENA, en);
+        case ESP_HUK_INT_POST_DONE:
+                REG_SET_FIELD(HUK_INT_ENA_REG, HUK_POST_DONE_INT_ENA, en);
+        default:
+            return;
+    }
+}
+
+/* @bried Clear the HUK interrupts */
+static inline void huk_ll_clear_int(const esp_huk_interrupt_type_t intr)
+{
+    switch(intr) {
+        case ESP_HUK_INT_PREP_DONE:
+            REG_SET_FIELD(HUK_INT_CLR_REG, HUK_PREP_DONE_INT_CLR, 1);
+        case ESP_HUK_INT_PROC_DONE:
+            REG_SET_FIELD(HUK_INT_CLR_REG, HUK_PROC_DONE_INT_CLR, 1);
+        case ESP_HUK_INT_POST_DONE:
+            REG_SET_FIELD(HUK_INT_CLR_REG, HUK_POST_DONE_INT_CLR, 1);
+        default:
+            return;
+    }
+}
+
+/**
+ * @brief Read state of Hardware Unique Key Generator
+ *
+ * @return esp_huk_state_t
+ */
+static inline esp_huk_state_t huk_ll_get_state(void)
+{
+    return (esp_huk_state_t) REG_GET_FIELD(HUK_STATE_REG, HUK_STATE);
+}
+
+/**
+ * @brief Get the HUK generation status
+ */
+static inline esp_huk_gen_status_t huk_ll_get_gen_status(void)
+{
+    return (esp_huk_gen_status_t) REG_GET_FIELD(HUK_STATUS_REG, HUK_STATUS);
+}
+
+/**
+ * @brief Read the HUK date information
+ */
+static inline uint32_t huk_ll_get_date_info(void)
+{
+    // Only the least significant 28 bits have desired information
+    return (uint32_t)(0x0FFFFFFF & REG_READ(HUK_DATE_REG));
+}
+
+#ifdef __cplusplus
+}
+#endif
+#endif