Merge branch 'bugfix/esp32h2_ecdsa_hardware_k_v5.2' into 'release/v5.2'

fix(esp32h2): program use_hardware_k efuse bit for ECDSA key purpose (v5.2) See merge request espressif/esp-idf!27234
2025-08-29 21:48:39 +00:00 · 2023-11-21 11:13:37 +08:00
parent c73141a9c2 bad8adfd59
commit df7ba090f3
23 changed files with 157 additions and 82 deletions
--- a/components/mbedtls/port/ecdsa/ecdsa_alt.c
+++ b/components/mbedtls/port/ecdsa/ecdsa_alt.c
@@ -244,13 +244,12 @@ static int esp_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mpi* s
        ecdsa_hal_config_t conf = {
            .mode = ECDSA_MODE_SIGN_GEN,
            .curve = curve,
-            .k_mode = ECDSA_K_USE_TRNG,
            .sha_mode = ECDSA_Z_USER_PROVIDED,
            .efuse_key_blk = d->MBEDTLS_PRIVATE(n),
            .use_km_key = 0, //TODO: IDF-7992
        };

-        ecdsa_hal_gen_signature(&conf, NULL, sha_le, r_le, s_le, len);
+        ecdsa_hal_gen_signature(&conf, sha_le, r_le, s_le, len);
    } while (!memcmp(r_le, zeroes, len) || !memcmp(s_le, zeroes, len));

    esp_ecdsa_release_hardware();
@@ -470,7 +469,6 @@ static int esp_ecdsa_verify(mbedtls_ecp_group *grp,
    ecdsa_hal_config_t conf = {
        .mode = ECDSA_MODE_SIGN_VERIFY,
        .curve = curve,
-        .k_mode = ECDSA_K_USE_TRNG,
        .sha_mode = ECDSA_Z_USER_PROVIDED,
    };

--- a/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
+++ b/components/mbedtls/port/include/ecdsa/ecdsa_alt.h
@@ -24,14 +24,14 @@ extern "C" {
 *        by the peripheral, a flag load_pubkey that is used specify if the public key has to be populated
 */
 typedef struct {
-    mbedtls_ecp_group_id grp_id;
-    uint8_t efuse_block;
+    mbedtls_ecp_group_id grp_id;            /*!< MbedTLS ECP group identifier */
+    uint8_t efuse_block;                    /*!< EFuse block id for ECDSA private key */
 #ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
-    bool load_pubkey;
+    bool load_pubkey;                       /*!< Export ECDSA public key from the hardware */
 #endif
 } esp_ecdsa_pk_conf_t;  //TODO: IDF-7925 (Add a config to select the ecdsa key from the key manager peripheral)

-#ifdef SOC_ECDSA_SUPPORT_EXPORT_PUBKEY
+#if SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__

 /**
 * @brief Populate the public key buffer of the mbedtls_ecp_keypair context.
@@ -45,9 +45,10 @@ typedef struct {
 *         - -1 if invalid efuse block is specified
 */
 int esp_ecdsa_load_pubkey(mbedtls_ecp_keypair *keypair, int efuse_blk);
-#endif

-#ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN
+#endif // SOC_ECDSA_SUPPORT_EXPORT_PUBKEY || __DOXYGEN__
+
+#if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN || __DOXYGEN__

 /**
 * @brief Initialize MPI to notify mbedtls_ecdsa_sign to use the private key in efuse
@@ -97,7 +98,8 @@ int esp_ecdsa_privkey_load_pk_context(mbedtls_pk_context *key_ctx, int efuse_blk
 *         - -1 otherwise
 */
 int esp_ecdsa_set_pk_context(mbedtls_pk_context *key_ctx, esp_ecdsa_pk_conf_t *conf);
-#endif
+
+#endif // CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN || __DOXYGEN__

 #ifdef __cplusplus
 }