1 /*
2 * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6
7 #include <stdlib.h>
8 #include <string.h>
9 #include <assert.h>
10
11 #include "freertos/FreeRTOS.h"
12 #include "freertos/task.h"
13
14 #include "esp_timer.h"
15 #include "esp_ds.h"
16 #include "esp_crypto_lock.h"
17 #include "esp_hmac.h"
18 #include "esp_memory_utils.h"
19 #if CONFIG_IDF_TARGET_ESP32S2
20 #include "esp32s2/rom/aes.h"
21 #include "esp32s2/rom/sha.h"
22 #include "esp32s2/rom/hmac.h"
23 #include "soc/soc_memory_layout.h"
24 #else /* CONFIG_IDF_TARGET_ESP32S2 */
25 #include "esp_private/periph_ctrl.h"
26 #include "hal/ds_hal.h"
27 #include "hal/ds_ll.h"
28 #include "hal/hmac_hal.h"
29 #endif /* !CONFIG_IDF_TARGET_ESP32S2 */
30
31 #if CONFIG_IDF_TARGET_ESP32S2
32 #include "esp32s2/rom/digital_signature.h"
33 #endif
34
35 #if CONFIG_IDF_TARGET_ESP32S3
36 #include "esp32s3/rom/digital_signature.h"
37 #endif
38
39 #if CONFIG_IDF_TARGET_ESP32C3
40 #include "esp32c3/rom/digital_signature.h"
41 #endif
42
43 #if CONFIG_IDF_TARGET_ESP32C6
44 #include "esp32c6/rom/digital_signature.h"
45 #endif
46
47 #if CONFIG_IDF_TARGET_ESP32H2
48 #include "esp32h2/rom/digital_signature.h"
49 #endif
50
51
52 struct esp_ds_context {
53 const ets_ds_data_t *data;
54 };
55
56 /**
57 * The vtask delay \c esp_ds_sign() is using while waiting for completion of the signing operation.
58 */
59 #define ESP_DS_SIGN_TASK_DELAY_MS 10
60
61 #define RSA_LEN_MAX ((SOC_RSA_MAX_BIT_LEN/8) - 1)
62
63 /*
64 * Check that the size of esp_ds_data_t and ets_ds_data_t is the same because both structs are converted using
65 * raw casts.
66 */
67 _Static_assert(sizeof(esp_ds_data_t) == sizeof(ets_ds_data_t),
68 "The size and structure of esp_ds_data_t and ets_ds_data_t must match exactly, they're used in raw casts");
69
70 /*
71 * esp_digital_signature_length_t is used in esp_ds_data_t in contrast to ets_ds_data_t, where unsigned is used.
72 * Check esp_digital_signature_length_t's width here because it's converted to unsigned using raw casts.
73 */
74 _Static_assert(sizeof(esp_digital_signature_length_t) == sizeof(unsigned),
75 "The size of esp_digital_signature_length_t and unsigned has to be the same");
76
77 #ifdef CONFIG_IDF_TARGET_ESP32S2
78
ds_acquire_enable(void)79 static void ds_acquire_enable(void)
80 {
81 /* Lock AES, SHA and RSA peripheral */
82 esp_crypto_dma_lock_acquire();
83 esp_crypto_mpi_lock_acquire();
84 ets_hmac_enable();
85 ets_ds_enable();
86 }
87
ds_disable_release(void)88 static void ds_disable_release(void)
89 {
90 ets_ds_disable();
91 ets_hmac_disable();
92 esp_crypto_mpi_lock_release();
93 esp_crypto_dma_lock_release();
94 }
95
esp_ds_sign(const void * message,const esp_ds_data_t * data,hmac_key_id_t key_id,void * signature)96 esp_err_t esp_ds_sign(const void *message,
97 const esp_ds_data_t *data,
98 hmac_key_id_t key_id,
99 void *signature)
100 {
101 // Need to check signature here, otherwise the signature is only checked when the signing has finished and fails
102 // but the signing isn't uninitialized and the mutex is still locked.
103 if (!signature) {
104 return ESP_ERR_INVALID_ARG;
105 }
106
107 esp_ds_context_t *context;
108 esp_err_t result = esp_ds_start_sign(message, data, key_id, &context);
109 if (result != ESP_OK) {
110 return result;
111 }
112
113 while (esp_ds_is_busy()) {
114 vTaskDelay(ESP_DS_SIGN_TASK_DELAY_MS / portTICK_PERIOD_MS);
115 }
116
117 return esp_ds_finish_sign(signature, context);
118 }
119
esp_ds_start_sign(const void * message,const esp_ds_data_t * data,hmac_key_id_t key_id,esp_ds_context_t ** esp_ds_ctx)120 esp_err_t esp_ds_start_sign(const void *message,
121 const esp_ds_data_t *data,
122 hmac_key_id_t key_id,
123 esp_ds_context_t **esp_ds_ctx)
124 {
125 if (!message || !data || !esp_ds_ctx) {
126 return ESP_ERR_INVALID_ARG;
127 }
128 if (key_id >= HMAC_KEY_MAX) {
129 return ESP_ERR_INVALID_ARG;
130 }
131 if (!(data->rsa_length == ESP_DS_RSA_1024
132 || data->rsa_length == ESP_DS_RSA_2048
133 || data->rsa_length == ESP_DS_RSA_3072
134 #if SOC_RSA_MAX_BIT_LEN == 4096
135 || data->rsa_length == ESP_DS_RSA_4096
136 #endif
137 )) {
138 return ESP_ERR_INVALID_ARG;
139 }
140
141 ds_acquire_enable();
142
143 // initiate hmac
144 int r = ets_hmac_calculate_downstream(ETS_EFUSE_BLOCK_KEY0 + (ets_efuse_block_t) key_id,
145 ETS_EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE);
146 if (r != ETS_OK) {
147 ds_disable_release();
148 return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
149 }
150
151 esp_ds_context_t *context = malloc(sizeof(esp_ds_context_t));
152 if (!context) {
153 ds_disable_release();
154 return ESP_ERR_NO_MEM;
155 }
156
157 ets_ds_data_t *ds_data = (ets_ds_data_t *) data;
158
159 // initiate signing
160 ets_ds_result_t result = ets_ds_start_sign(message, ds_data);
161
162 // ETS_DS_INVALID_PARAM only happens if a parameter is NULL or data->rsa_length is wrong
163 // We checked all of that already
164 assert(result != ETS_DS_INVALID_PARAM);
165
166 if (result == ETS_DS_INVALID_KEY) {
167 ds_disable_release();
168 free(context);
169 return ESP_ERR_HW_CRYPTO_DS_INVALID_KEY;
170 }
171
172 context->data = (const ets_ds_data_t *)ds_data;
173 *esp_ds_ctx = context;
174
175 return ESP_OK;
176 }
177
esp_ds_is_busy(void)178 bool esp_ds_is_busy(void)
179 {
180 return ets_ds_is_busy();
181 }
182
esp_ds_finish_sign(void * signature,esp_ds_context_t * esp_ds_ctx)183 esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx)
184 {
185 if (!signature || !esp_ds_ctx) {
186 return ESP_ERR_INVALID_ARG;
187 }
188
189 const ets_ds_data_t *ds_data = esp_ds_ctx->data;
190
191 ets_ds_result_t result = ets_ds_finish_sign(signature, ds_data);
192
193 esp_err_t return_value = ESP_OK;
194
195 // we checked all the parameters
196 assert(result != ETS_DS_INVALID_PARAM);
197
198 if (result == ETS_DS_INVALID_DIGEST) {
199 return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST;
200 }
201 if (result == ETS_DS_INVALID_PADDING) {
202 return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING;
203 }
204
205 free(esp_ds_ctx);
206
207 int res = ets_hmac_invalidate_downstream(ETS_EFUSE_KEY_PURPOSE_HMAC_DOWN_DIGITAL_SIGNATURE);
208 assert(res == ETS_OK); // should not fail if called with correct purpose
209 (void)res;
210
211 ds_disable_release();
212
213 return return_value;
214 }
215
esp_ds_encrypt_params(esp_ds_data_t * data,const void * iv,const esp_ds_p_data_t * p_data,const void * key)216 esp_err_t esp_ds_encrypt_params(esp_ds_data_t *data,
217 const void *iv,
218 const esp_ds_p_data_t *p_data,
219 const void *key)
220 {
221 // p_data has to be valid, in internal memory and word aligned
222 if (!p_data) {
223 return ESP_ERR_INVALID_ARG;
224 }
225 assert(esp_ptr_internal(p_data) && esp_ptr_word_aligned(p_data));
226
227 esp_err_t result = ESP_OK;
228
229 esp_crypto_dma_lock_acquire();
230 ets_aes_enable();
231 ets_sha_enable();
232
233 ets_ds_data_t *ds_data = (ets_ds_data_t *) data;
234 const ets_ds_p_data_t *ds_plain_data = (const ets_ds_p_data_t *) p_data;
235
236 ets_ds_result_t ets_result = ets_ds_encrypt_params(ds_data, iv, ds_plain_data, key, ETS_DS_KEY_HMAC);
237
238 if (ets_result == ETS_DS_INVALID_PARAM) {
239 result = ESP_ERR_INVALID_ARG;
240 }
241
242 ets_sha_disable();
243 ets_aes_disable();
244 esp_crypto_dma_lock_release();
245
246 return result;
247 }
248
249 #else /* !CONFIG_IDF_TARGET_ESP32S2 (targets other than esp32s2) */
250
ds_acquire_enable(void)251 static void ds_acquire_enable(void)
252 {
253 esp_crypto_ds_lock_acquire();
254 #if CONFIG_IDF_TARGET_ESP32S3
255 esp_crypto_mpi_lock_acquire();
256 #endif
257 // We also enable SHA and HMAC here. SHA is used by HMAC, HMAC is used by DS.
258 periph_module_enable(PERIPH_HMAC_MODULE);
259 periph_module_enable(PERIPH_SHA_MODULE);
260 periph_module_enable(PERIPH_DS_MODULE);
261
262 hmac_hal_start();
263 }
264
ds_disable_release(void)265 static void ds_disable_release(void)
266 {
267 ds_hal_finish();
268
269 periph_module_disable(PERIPH_DS_MODULE);
270 periph_module_disable(PERIPH_SHA_MODULE);
271 periph_module_disable(PERIPH_HMAC_MODULE);
272
273 #if CONFIG_IDF_TARGET_ESP32S3
274 esp_crypto_mpi_lock_release();
275 #endif
276 esp_crypto_ds_lock_release();
277 }
278
esp_ds_sign(const void * message,const esp_ds_data_t * data,hmac_key_id_t key_id,void * signature)279 esp_err_t esp_ds_sign(const void *message,
280 const esp_ds_data_t *data,
281 hmac_key_id_t key_id,
282 void *signature)
283 {
284 // Need to check signature here, otherwise the signature is only checked when the signing has finished and fails
285 // but the signing isn't uninitialized and the mutex is still locked.
286 if (!signature) {
287 return ESP_ERR_INVALID_ARG;
288 }
289
290 esp_ds_context_t *context;
291 esp_err_t result = esp_ds_start_sign(message, data, key_id, &context);
292 if (result != ESP_OK) {
293 return result;
294 }
295
296 while (esp_ds_is_busy()) {
297 vTaskDelay(ESP_DS_SIGN_TASK_DELAY_MS / portTICK_PERIOD_MS);
298 }
299
300 return esp_ds_finish_sign(signature, context);
301 }
302
esp_ds_start_sign(const void * message,const esp_ds_data_t * data,hmac_key_id_t key_id,esp_ds_context_t ** esp_ds_ctx)303 esp_err_t esp_ds_start_sign(const void *message,
304 const esp_ds_data_t *data,
305 hmac_key_id_t key_id,
306 esp_ds_context_t **esp_ds_ctx)
307 {
308 if (!message || !data || !esp_ds_ctx) {
309 return ESP_ERR_INVALID_ARG;
310 }
311
312 if (key_id >= HMAC_KEY_MAX) {
313 return ESP_ERR_INVALID_ARG;
314 }
315
316 if (!(data->rsa_length == ESP_DS_RSA_1024
317 || data->rsa_length == ESP_DS_RSA_2048
318 || data->rsa_length == ESP_DS_RSA_3072
319 #if SOC_RSA_MAX_BIT_LEN == 4096
320 || data->rsa_length == ESP_DS_RSA_4096
321 #endif
322 )) {
323 return ESP_ERR_INVALID_ARG;
324 }
325
326 ds_acquire_enable();
327
328 // initiate hmac
329 uint32_t conf_error = hmac_hal_configure(HMAC_OUTPUT_DS, key_id);
330 if (conf_error) {
331 ds_disable_release();
332 return ESP_ERR_HW_CRYPTO_DS_HMAC_FAIL;
333 }
334
335 ds_hal_start();
336
337 // check encryption key from HMAC
338 int64_t start_time = esp_timer_get_time();
339 while (ds_ll_busy() != 0) {
340 if ((esp_timer_get_time() - start_time) > SOC_DS_KEY_CHECK_MAX_WAIT_US) {
341 ds_disable_release();
342 return ESP_ERR_HW_CRYPTO_DS_INVALID_KEY;
343 }
344 }
345
346 esp_ds_context_t *context = malloc(sizeof(esp_ds_context_t));
347 if (!context) {
348 ds_disable_release();
349 return ESP_ERR_NO_MEM;
350 }
351
352 size_t rsa_len = (data->rsa_length + 1) * 4;
353 ds_hal_write_private_key_params(data->c);
354 ds_hal_configure_iv((uint32_t *)data->iv);
355 ds_hal_write_message(message, rsa_len);
356
357 // initiate signing
358 ds_hal_start_sign();
359
360 context->data = (const ets_ds_data_t *)data;
361 *esp_ds_ctx = context;
362
363 return ESP_OK;
364 }
365
esp_ds_is_busy(void)366 bool esp_ds_is_busy(void)
367 {
368 return ds_hal_busy();
369 }
370
esp_ds_finish_sign(void * signature,esp_ds_context_t * esp_ds_ctx)371 esp_err_t esp_ds_finish_sign(void *signature, esp_ds_context_t *esp_ds_ctx)
372 {
373 if (!signature || !esp_ds_ctx) {
374 return ESP_ERR_INVALID_ARG;
375 }
376
377 const esp_ds_data_t *data = (const esp_ds_data_t *)esp_ds_ctx->data;
378 unsigned rsa_len = (data->rsa_length + 1) * 4;
379
380 while (ds_hal_busy()) { }
381
382 ds_signature_check_t sig_check_result = ds_hal_read_result((uint8_t *) signature, (size_t) rsa_len);
383
384 esp_err_t return_value = ESP_OK;
385
386 if (sig_check_result == DS_SIGNATURE_MD_FAIL || sig_check_result == DS_SIGNATURE_PADDING_AND_MD_FAIL) {
387 return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_DIGEST;
388 }
389
390 if (sig_check_result == DS_SIGNATURE_PADDING_FAIL) {
391 return_value = ESP_ERR_HW_CRYPTO_DS_INVALID_PADDING;
392 }
393
394 free(esp_ds_ctx);
395
396 hmac_hal_clean();
397
398 ds_disable_release();
399
400 return return_value;
401 }
402
esp_ds_encrypt_params(esp_ds_data_t * data,const void * iv,const esp_ds_p_data_t * p_data,const void * key)403 esp_err_t esp_ds_encrypt_params(esp_ds_data_t *data,
404 const void *iv,
405 const esp_ds_p_data_t *p_data,
406 const void *key)
407 {
408 if (!p_data) {
409 return ESP_ERR_INVALID_ARG;
410 }
411
412 esp_err_t result = ESP_OK;
413
414 esp_crypto_ds_lock_acquire();
415 periph_module_enable(PERIPH_AES_MODULE);
416 periph_module_enable(PERIPH_DS_MODULE);
417 periph_module_enable(PERIPH_SHA_MODULE);
418 periph_module_enable(PERIPH_HMAC_MODULE);
419 periph_module_enable(PERIPH_RSA_MODULE);
420
421 ets_ds_data_t *ds_data = (ets_ds_data_t *) data;
422 const ets_ds_p_data_t *ds_plain_data = (const ets_ds_p_data_t *) p_data;
423
424 ets_ds_result_t ets_result = ets_ds_encrypt_params(ds_data, iv, ds_plain_data, key, ETS_DS_KEY_HMAC);
425
426 if (ets_result == ETS_DS_INVALID_PARAM) {
427 result = ESP_ERR_INVALID_ARG;
428 }
429
430 periph_module_disable(PERIPH_RSA_MODULE);
431 periph_module_disable(PERIPH_HMAC_MODULE);
432 periph_module_disable(PERIPH_SHA_MODULE);
433 periph_module_disable(PERIPH_DS_MODULE);
434 periph_module_disable(PERIPH_AES_MODULE);
435 esp_crypto_ds_lock_release();
436
437 return result;
438 }
439 #endif
440
