blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-03-09 09:09:10 -04:00
Code Issues Projects Releases Wiki Activity

Merge branch 'feat/enable_pseudo_rounds_function_in_aes' into 'master'

Browse Source 
Enable pseudo rounds function in AES and XTS-AES peripherals

Closes IDF-11305

See merge request espressif/esp-idf!33970
This commit is contained in:
Mahavir Jain 2024-12-04 13:48:09 +08:00
commit 30dbc69428
39 changed files with 975 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
components/bootloader/Kconfig.projbuild
View File

@ -1071,6 +1071,44 @@ menu "Security features"
If not set, the app does not care if the flash encryption eFuse bit is set or not.
config SECURE_FLASH_PSEUDO_ROUND_FUNC
bool "Permanently enable XTS-AES's pseudo rounds function"
default y
depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
help
If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function.
Note: Enabling this config would burn an efuse.
choice SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH
prompt "Strength of the pseudo rounds function"
depends on SECURE_FLASH_PSEUDO_ROUND_FUNC
default SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_LOW
help
The strength of the pseudo rounds functions can be configured to low, medium and high,
each denoting the values that would be stored in the efuses field.
By default the value to set to low.
You can configure the strength of the pseudo rounds functions according to your use cases,
for example, increasing the strength would provide higher security but would slow down the
flash encryption/decryption operations.
For more info regarding the performance impact, please checkout the pseudo round function section of the
security guide documentation.
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_LOW
bool "Low"
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
bool "Medium"
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
bool "High"
endchoice
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH
int
default 1 if SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_LOW
default 2 if SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
default 3 if SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
config SECURE_ROM_DL_MODE_ENABLED
bool
default y if SOC_SUPPORTS_SECURE_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT

10
components/bootloader_support/src/esp32c5/flash_encryption_secure_features.c
View File

@ -4,15 +4,17 @@
* SPDX-License-Identifier: Apache-2.0
*/
#include <stdint.h>
#include <strings.h>
#include "esp_flash_encrypt.h"
#include "esp_secure_boot.h"
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp_log.h"
#include "sdkconfig.h"
#include "hal/key_mgr_ll.h"
#include "hal/mspi_timing_tuning_ll.h"
#include "soc/soc_caps.h"
#include "sdkconfig.h"
static __attribute__((unused)) const char *TAG = "flash_encrypt";
@ -42,6 +44,12 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
#endif
#if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
// This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
// otherwise the Flash Encryption key cannot be read protected

6
components/bootloader_support/src/esp32c61/flash_encryption_secure_features.c
View File

@ -40,6 +40,12 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
#endif
#if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
// This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
// otherwise the Flash Encryption key cannot be read protected

16
components/bootloader_support/src/flash_encrypt.c
View File

@ -12,6 +12,8 @@
#include "esp_flash_encrypt.h"
#include "esp_secure_boot.h"
#include "hal/efuse_hal.h"
#include "hal/spi_flash_encrypt_hal.h"
#include "soc/soc_caps.h"
#if CONFIG_IDF_TARGET_ESP32
#define CRYPT_CNT ESP_EFUSE_FLASH_CRYPT_CNT
@ -207,6 +209,11 @@ void esp_flash_encryption_set_release_mode(void)
#endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
#endif // !CONFIG_IDF_TARGET_ESP32
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
#endif
#ifdef CONFIG_IDF_TARGET_ESP32
esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
#else
@ -468,6 +475,15 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
}
result &= secure;
#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
uint8_t xts_pseudo_level = 0;
esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
if (!xts_pseudo_level) {
result &= false;
ESP_LOGW(TAG, "Not enabled XTS-AES pseudo rounds function (set XTS_DPA_PSEUDO_LEVEL->1 or more)");
}
#endif
return result;
}
#endif // not CONFIG_IDF_TARGET_ESP32

15
components/hal/aes_hal.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -39,8 +39,15 @@ void aes_hal_transform_block(const void *input_block, void *output_block)
aes_ll_read_block(output_block);
}
#if SOC_AES_SUPPORT_DMA
#ifdef SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
void aes_hal_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
aes_ll_enable_pseudo_rounds(enable, base, increment, key_rng_cnt);
}
#endif // SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
#if SOC_AES_SUPPORT_DMA
void aes_hal_transform_dma_start(size_t num_blocks)
{
@ -61,7 +68,7 @@ void aes_hal_transform_dma_finish(void)
void aes_hal_mode_init(esp_aes_mode_t mode)
{
/* Set the algorith mode CBC, CFB ... */
/* Set the algorithm mode CBC, CFB ... */
aes_ll_set_block_mode(mode);
/* Presently hard-coding the INC function to 32 bit */
if (mode == ESP_AES_BLOCK_MODE_CTR) {
@ -83,8 +90,6 @@ void aes_hal_wait_done()
{
while (aes_ll_get_state() != ESP_AES_STATE_DONE) {}
}
#endif //SOC_AES_SUPPORT_DMA
#if SOC_AES_SUPPORT_GCM

24
components/hal/esp32c5/include/hal/aes_ll.h
View File

@ -8,7 +8,7 @@
#include <stdbool.h>
#include <string.h>
#include "soc/hwcrypto_reg.h"
#include "soc/aes_reg.h"
#include "soc/pcr_struct.h"
#include "hal/aes_types.h"
@ -241,6 +241,28 @@ static inline void aes_ll_interrupt_clear(void)
REG_WRITE(AES_INT_CLEAR_REG, 1);
}
/**
* @brief Enable the pseudo-round function during AES operations
*
* @param enable true to enable, false to disable
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
static inline void aes_ll_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_EN, enable);
if (enable) {
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_BASE, base);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_INC, increment);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_RNG_CNT, key_rng_cnt);
} else {
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_BASE, 0);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_INC, 0);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_RNG_CNT, 0);
}
}
#ifdef __cplusplus
}

23
components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h
View File

@ -146,6 +146,29 @@ static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length)
return ((address % length) == 0) ? true : false;
}
/**
* @brief Enable the pseudo-round function during XTS-AES operations
*
* @param mode set the mode for pseudo rounds, zero to disable, with increasing security upto three.
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
static inline void spi_flash_encrypt_ll_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_MODE_PSEUDO, mode);
if (mode) {
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_BASE, base);
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_INC, increment);
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_RNG_CNT, key_rng_cnt);
} else {
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_BASE, 0);
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_INC, 0);
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_RNG_CNT, 0);
}
}
#ifdef __cplusplus
}
#endif

23
components/hal/esp32c61/include/hal/spi_flash_encrypted_ll.h
View File

@ -146,6 +146,29 @@ static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length)
return ((address % length) == 0) ? true : false;
}
/**
* @brief Enable the pseudo-round function during XTS-AES operations
*
* @param mode set the mode for pseudo rounds, zero to disable, with increasing security upto three.
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
static inline void spi_flash_encrypt_ll_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
(void) key_rng_cnt;
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_MODE_PSEUDO, mode);
if (mode) {
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_BASE, base);
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_INC, increment);
} else {
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_BASE, 0);
REG_SET_FIELD(SPI_MEM_XTS_PSEUDO_ROUND_CONF_REG(0), SPI_MEM_PSEUDO_INC, 0);
}
}
#ifdef __cplusplus
}
#endif

17
components/hal/include/hal/aes_hal.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -45,6 +45,18 @@ uint8_t aes_hal_setkey(const uint8_t *key, size_t key_bytes, int mode);
*/
void aes_hal_transform_block(const void *input_block, void *output_block);
#ifdef SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
/**
* @brief Enable the pseudo-round function during AES operations
*
* @param enable true to enable, false to disable
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
void aes_hal_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt);
#endif /* SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION */
#if SOC_AES_SUPPORT_DMA
/**
* @brief Inits the AES mode of operation
@ -102,6 +114,7 @@ void aes_hal_transform_dma_finish(void);
*/
#define aes_hal_interrupt_clear() aes_ll_interrupt_clear()
#if SOC_AES_SUPPORT_GCM
/**
* @brief Calculates the Hash sub-key H0 needed to start AES-GCM
@ -114,7 +127,7 @@ void aes_hal_gcm_calc_hash(uint8_t *gcm_hash);
* @brief Initializes the AES hardware for AES-GCM
*
* @param aad_num_blocks the number of Additional Authenticated Data (AAD) blocks
* @param num_valid_bit the number of effective bits of incomplete blocks in plaintext/cipertext
* @param num_valid_bit the number of effective bits of incomplete blocks in plaintext/ciphertext
*/
void aes_hal_gcm_init(size_t aad_num_blocks, size_t num_valid_bit);

38
components/hal/include/hal/spi_flash_encrypt_hal.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -13,11 +13,35 @@
// The HAL layer for SPI Flash Encryption
#include "hal/spi_flash_encrypted_ll.h"
#include "soc/soc_caps.h"
#ifdef __cplusplus
extern "C" {
#endif
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
/**
* @brief Default pseudo rounds configs of the XTS-AES accelerator
*/
typedef enum {
ESP_XTS_AES_PSEUDO_ROUNDS_DISABLE = 0,
ESP_XTS_AES_PSEUDO_ROUNDS_LOW,
ESP_XTS_AES_PSEUDO_ROUNDS_MEDIUM,
ESP_XTS_AES_PSEUDO_ROUNDS_HIGH,
} esp_xts_aes_psuedo_rounds_state_t;
/* The total number of pseudo-rounds randomly inserted in an XTS-AES operation are controlled by
* configuring the PSEUDO_MODE, PSEUDO_BASE, PSEUDO_INC parameters.
* Users can also set the frequency of random key updates by configuring the PSEUDO_RNG_CNT.
* Here, we would be using some pre-decided values for these parameters corresponding to the security needed.
* For more information regarding these parameters please refer the TRM.
*/
#define XTS_AES_PSEUDO_ROUNDS_BASE 4
#define XTS_AES_PSEUDO_ROUNDS_INC 2
#define XTS_AES_PSEUDO_ROUNDS_RNG_CNT 7
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */
/**
* @brief Enable the flash encryption
*/
@ -57,6 +81,18 @@ void spi_flash_encryption_hal_destroy(void);
*/
bool spi_flash_encryption_hal_check(uint32_t address, uint32_t length);
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
/**
* @brief Enable the pseudo-round function during XTS-AES operations
*
* @param mode set the mode for pseudo rounds, zero to disable, with increasing security upto three.
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
void spi_flash_encryption_hal_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt);
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */
#ifdef __cplusplus
}
#endif

4
components/hal/include/hal/spi_flash_types.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2010-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2010-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -48,7 +48,7 @@ typedef enum esp_flash_speed_s {
ESP_FLASH_26MHZ = 26, ///< The flash runs under 26MHz
ESP_FLASH_40MHZ = 40, ///< The flash runs under 40MHz
ESP_FLASH_80MHZ = 80, ///< The flash runs under 80MHz
ESP_FLASH_120MHZ = 120, ///< The flash runs under 120MHz, 120MHZ can only be used by main flash after timing tuning in system. Do not use this directely in any API.
ESP_FLASH_120MHZ = 120, ///< The flash runs under 120MHz, 120MHZ can only be used by main flash after timing tuning in system. Do not use this directly in any API.
ESP_FLASH_SPEED_MAX, ///< The maximum frequency supported by the host is ``ESP_FLASH_SPEED_MAX-1``.
} esp_flash_speed_t __attribute__((deprecated));

10
components/hal/spi_flash_encrypt_hal_iram.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -7,6 +7,7 @@
// This part is put in iram.
#include "hal/spi_flash_encrypted_ll.h"
#include "soc/soc_caps.h"
void spi_flash_encryption_hal_enable(void)
{
@ -49,3 +50,10 @@ bool spi_flash_encryption_hal_check(uint32_t address, uint32_t length)
{
return spi_flash_encrypt_ll_check(address, length);
}
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
void spi_flash_encryption_hal_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
spi_flash_encrypt_ll_enable_pseudo_rounds(mode, base, increment, key_rng_cnt);
}
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */

25
components/hal/test_apps/crypto/README.md
View File

@ -67,8 +67,11 @@ This contains tests for the following features of the crypto peripherals:
- SHA-512/256
- SHA-512/t
> **_NOTE:_** The verification tests for the HMAC and Digital Signature peripherals would get exercised only by enabling the example config in an FPGA environment.
- XTS-AES peripheral
- XTS-AES-128
- XTS-AES-256
> **_NOTE:_** The verification tests for the HMAC, Digital Signature, ECDSA and XTS-AES peripherals would get exercised only by enabling the example config in an FPGA environment.
# Burning the HMAC key
The HMAC tests need an HMAC key to be burned in the `BLOCK_KEY3` and `BLOCK_KEY4` of the efuses. As this verification application is independent of the efuse component, the user needs to manually burn the keys and their key purposes using `espefuse.py`.
@ -113,6 +116,26 @@ espefuse.py -p $ESPPORT burn_key BLOCK_KEY4 main/ecdsa/ecdsa192_priv_key.pem ECD
espefuse.py -p $ESPPORT burn_key BLOCK_KEY5 main/ecdsa/ecdsa256_priv_key.pem ECDSA_KEY
```
# Burning the XTS-AES key
By default, XTS-AES tests are disabled. You can enable it after disabling Digital Signature tests using `idf.py menuconfig -> Test App Configuration -> Enable XTS-AES Peripheral test cases`
The XTS-AES tests contain tests for both the modes, XTS-AES-128 and XTS-AES-256, but as per the peripheral design we can test only one mode at a time. Thus, we need to burn one key at a time.
These keys can be burned in the `BLOCK_KEY0` (for XTS-AES-128), whereas, `BLOCK_KEY0` and `BLOCK_KEY1` (for XTS-AES-256) of the efuses. As this verification application is independent of the efuse component, the user needs to manually burn the keys and their key purposes using `espefuse.py`.
While running the XTS-AES-128 tests:
```bash
espefuse.py -p $ESPPORT burn_key BLOCK_KEY0 main/xts_aes/xts_aes_128_key.bin XTS_AES_128_KEY
```
While running the XTS-AES-256 tests:
```bash
espefuse.py -p $ESPPORT burn_key BLOCK_KEY0 main/xts_aes/xts_aes_256_key.bin XTS_AES_256_KEY
```
# Building
```bash

4
components/hal/test_apps/crypto/main/CMakeLists.txt
View File

@ -73,6 +73,10 @@ if(CONFIG_SOC_SHA_SUPPORTED)
endif()
endif()
if(CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES)
list(APPEND srcs "xts_aes/test_xts_aes.c")
endif()
idf_component_register(SRCS ${srcs}
PRIV_REQUIRES efuse mbedtls esp_security esp_mm bootloader_support spi_flash
REQUIRES test_utils unity

7
components/hal/test_apps/crypto/main/Kconfig.projbuild
View File

@ -28,6 +28,13 @@ menu "Test App Configuration"
help
Enabling this option includes ECDSA Peripheral related test cases in the build for supported targets.
config CRYPTO_TEST_APP_ENABLE_XTS_AES_TESTS
depends on !CRYPTO_TEST_APP_ENABLE_DS_TESTS
bool "Enable XTS-AES Peripheral test cases"
default n
help
Enabling this option includes XTS-AES Peripheral related test cases in the build for supported targets.
config CRYPTO_TESTAPP_USE_AES_INTERRUPT
bool "Use interrupt for long AES operations"
depends on SOC_AES_SUPPORTED

4
components/hal/test_apps/crypto/main/app_main.c
View File

@ -48,6 +48,10 @@ static void run_all_tests(void)
RUN_TEST_GROUP(ecdsa)
#endif
#if CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES && CONFIG_CRYPTO_TEST_APP_ENABLE_XTS_AES_TESTS
RUN_TEST_GROUP(xts_aes)
#endif
#endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
}

73
components/hal/test_apps/crypto/main/xts_aes/generate_xts_aes_encrypt_test_cases.py Normal file
View File

@ -0,0 +1,73 @@
#!/usr/bin/env python
# SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: Unlicense OR CC0-1.0
# import struct
import sys
import tempfile
import espsecure
def encrypt_and_print_aes_xts(keyfile:str, plaintext:bytes, address:int) -> None:
ciphertext = b''
inputfile = tempfile.NamedTemporaryFile()
outputfile = tempfile.NamedTemporaryFile()
with open(inputfile.name, 'wb') as f:
f.write(plaintext)
espsecure.main([
'encrypt_flash_data',
'--aes_xts',
'--keyfile',
f'{keyfile}',
'--output',
f'{outputfile.name}',
'--address',
f'{address}',
f'{inputfile.name}'
])
with open(outputfile.name, 'rb') as f:
ciphertext = f.read()
assert len(ciphertext) == len(plaintext)
print((
'{\n'
f' .address = 0x{address:08x},\n'
' .ciphertext = {\n'
f'{as_c_array(ciphertext)}\n'
' },\n'
'},'
))
def as_c_array(byte_arr: bytes) -> str:
hex_str = ''
bytes_per_line = 16
for idx, byte in enumerate(byte_arr):
if idx % bytes_per_line == 0:
hex_str += ' '
hex_str += '0x{:02x}, '.format(byte)
if idx % bytes_per_line == bytes_per_line - 1 and idx != (len(byte_arr) - 1):
hex_str += '\n'
return hex_str
def gen_aes_xts_test_case_output(keyfile: str) -> None:
plaintext = bytes(range(1, 129))
addresses = [0x160000, 0x160010, 0x160020, 0x160030, 0x160040, 0x160050, 0x160060, 0x160070]
for addr in addresses:
encrypt_and_print_aes_xts(keyfile, plaintext, addr)
if __name__ == '__main__':
if len(sys.argv) < 2:
print('Please specify the XTS-AES keyfile!')
sys.exit(1)
gen_aes_xts_test_case_output(sys.argv[1])

103
components/hal/test_apps/crypto/main/xts_aes/test_xts_aes.c Normal file
View File

@ -0,0 +1,103 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include "esp_log.h"
#include "esp_flash.h"
#include "esp_partition.h"
#include "soc/soc_caps.h"
#include "memory_checks.h"
#include "unity_fixture.h"
#include "xts_aes_params.h"
const static char *TAG = "test_xts_aes";
const esp_partition_t *get_test_data_partition(void)
{
const esp_partition_t *result = esp_partition_find_first(ESP_PARTITION_TYPE_DATA, ESP_PARTITION_SUBTYPE_ANY, "storage");
TEST_ASSERT_NOT_NULL(result);
return result;
}
static void run_test_cases(const xts_aes_test *tests, size_t num_tests)
{
const esp_partition_t *test_part = get_test_data_partition();
/* Writing multiple lengths because this tests all the various block/offset combinations inside each 1024-bit block */
const int lengths[] = { 16, 32, 48, 64, 96, 128 };
for (int i = 0; i < num_tests; i++) {
size_t address = tests[i].address;
const uint8_t *ciphertext = tests[i].ciphertext;
for (int l = 0; l < sizeof(lengths) / sizeof(int); l++) {
size_t length = lengths[l];
uint8_t readback[128] = { 0 };
TEST_ASSERT_LESS_THAN_UINT32(test_part->address + test_part->size, address + length);
ESP_LOGD(TAG, "Erasing");
TEST_ASSERT_EQUAL(ESP_OK, esp_flash_erase_region(test_part->flash_chip, test_part->address, test_part->size));
ESP_LOGD(TAG, "Writing %d encrypted bytes to 0x%x", length, address);
TEST_ASSERT_EQUAL(ESP_OK, esp_flash_write_encrypted(test_part->flash_chip, address, plaintext, length));
ESP_LOGD(TAG, "Reading %d bytes from 0x%x", length, address);
TEST_ASSERT_EQUAL(ESP_OK, esp_flash_read(test_part->flash_chip, readback, address, length));
ESP_LOGD(TAG, "Readback bytes:");
ESP_LOG_BUFFER_HEXDUMP(TAG, readback, length, ESP_LOG_DEBUG);
ESP_LOGD(TAG, "Expected ciphertext:");
ESP_LOG_BUFFER_HEXDUMP(TAG, ciphertext, length, ESP_LOG_DEBUG);
TEST_ASSERT_EQUAL_HEX8_ARRAY(ciphertext, readback, length);
}
}
}
TEST_GROUP(xts_aes);
TEST_SETUP(xts_aes)
{
test_utils_record_free_mem();
TEST_ESP_OK(test_utils_set_leak_level(0, ESP_LEAK_TYPE_CRITICAL, ESP_COMP_LEAK_GENERAL));
}
TEST_TEAR_DOWN(xts_aes)
{
test_utils_finish_and_evaluate_leaks(test_utils_get_leak_level(ESP_LEAK_TYPE_WARNING, ESP_COMP_LEAK_ALL),
test_utils_get_leak_level(ESP_LEAK_TYPE_CRITICAL, ESP_COMP_LEAK_ALL));
}
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
TEST(xts_aes, xts_aes_128)
{
run_test_cases(tests_xts_aes_128, sizeof(tests_xts_aes_128) / sizeof(xts_aes_test));
}
#endif
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
TEST(xts_aes, xts_aes_256)
{
run_test_cases(tests_xts_aes_256, sizeof(tests_xts_aes_256) / sizeof(xts_aes_test));
}
#endif
TEST_GROUP_RUNNER(xts_aes)
{
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
RUN_TEST_CASE(xts_aes, xts_aes_128);
#endif
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
RUN_TEST_CASE(xts_aes, xts_aes_256);
#endif
}

2
components/hal/test_apps/crypto/main/xts_aes/xts_aes_128_key.bin Normal file
View File

@ -0,0 +1,2 @@



2
components/hal/test_apps/crypto/main/xts_aes/xts_aes_256_key.bin Normal file
View File

@ -0,0 +1,2 @@

 !"#$%&'()*+,-./0123456789:;<=>?@

248
components/hal/test_apps/crypto/main/xts_aes/xts_aes_params.h Normal file
View File

@ -0,0 +1,248 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
typedef struct {
uint32_t address;
uint8_t ciphertext[128];
} xts_aes_test;
static const uint8_t plaintext[128] = {
0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28,
0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f, 0x30,
0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38,
0x39, 0x3a, 0x3b, 0x3c, 0x3d, 0x3e, 0x3f, 0x40,
0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48,
0x49, 0x4a, 0x4b, 0x4c, 0x4d, 0x4e, 0x4f, 0x50,
0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58,
0x59, 0x5a, 0x5b, 0x5c, 0x5d, 0x5e, 0x5f, 0x60,
0x61, 0x62, 0x63, 0x64, 0x65, 0x66, 0x67, 0x68,
0x69, 0x6a, 0x6b, 0x6c, 0x6d, 0x6e, 0x6f, 0x70,
0x71, 0x72, 0x73, 0x74, 0x75, 0x76, 0x77, 0x78,
0x79, 0x7a, 0x7b, 0x7c, 0x7d, 0x7e, 0x7f, 0x80,
};
#if SOC_FLASH_ENCRYPTION_XTS_AES_128
/* Test cases generated with aes_xts_algorithm.py */
static const xts_aes_test tests_xts_aes_128[] = {
{
.address = 0x00160000,
.ciphertext = {
0x1a, 0x90, 0x01, 0x64, 0xfd, 0xc6, 0xee, 0x40, 0xce, 0x8c, 0x20, 0xc4, 0x73, 0x4b, 0x50, 0xeb,
0xc8, 0x39, 0xab, 0x38, 0x25, 0x24, 0x88, 0xd7, 0x21, 0xc1, 0x8f, 0xe5, 0x0f, 0xd2, 0x4f, 0xb2,
0xe9, 0xc2, 0x29, 0x1d, 0xbb, 0x8f, 0xcc, 0xf1, 0xbc, 0xb1, 0x49, 0xda, 0x69, 0x7e, 0xa1, 0x64,
0xb3, 0x81, 0x80, 0x4c, 0xb3, 0x5f, 0x1a, 0x17, 0xb7, 0x63, 0x69, 0xb4, 0xa0, 0x23, 0x3b, 0xf4,
0xa3, 0x68, 0x5e, 0x72, 0xcf, 0x2d, 0xa5, 0x92, 0x1b, 0xb0, 0x7a, 0x9e, 0x0e, 0x28, 0x14, 0x45,
0xe9, 0x55, 0x5d, 0x3a, 0x1e, 0xf9, 0x12, 0x51, 0xfd, 0x59, 0x56, 0x8b, 0x45, 0xb0, 0x42, 0x7a,
0xb1, 0x68, 0x2e, 0x73, 0x10, 0xe2, 0x9f, 0x43, 0xf6, 0xfe, 0x2c, 0xbf, 0xd7, 0xd3, 0xce, 0x1e,
0x90, 0x32, 0x5d, 0xae, 0xd4, 0x6f, 0x82, 0x73, 0x91, 0x8f, 0x58, 0xbe, 0x9d, 0xe4, 0xf6, 0x82,
},
},
{
.address = 0x00160010,
.ciphertext = {
0xbf, 0x76, 0x07, 0x12, 0xb2, 0xe9, 0x04, 0xa5, 0xa7, 0x28, 0xac, 0xd9, 0xe0, 0x9b, 0xd3, 0xf8,
0x99, 0xd2, 0xc9, 0x17, 0xd6, 0xff, 0xbd, 0x95, 0x9a, 0xc8, 0x0e, 0xc6, 0x32, 0x94, 0x54, 0x00,
0x16, 0x5a, 0x78, 0x2c, 0xa1, 0xda, 0x6a, 0x3e, 0x4f, 0x72, 0xd1, 0x6b, 0x43, 0x49, 0x48, 0x8a,
0xba, 0x81, 0xf0, 0xad, 0x5f, 0xc1, 0xef, 0xe8, 0x33, 0x41, 0xb8, 0x3b, 0x77, 0xd5, 0x2a, 0xe0,
0xd6, 0x6d, 0x0b, 0x9a, 0x8a, 0xcc, 0xcb, 0x45, 0xd3, 0x40, 0x03, 0x50, 0xd2, 0x9c, 0xc9, 0x22,
0xbd, 0xcd, 0x30, 0x8f, 0xa7, 0x3f, 0xa2, 0xc4, 0x46, 0x0a, 0x5c, 0xb9, 0x09, 0x86, 0xe3, 0x6d,
0xc1, 0x31, 0xd2, 0x69, 0x82, 0x89, 0x85, 0x25, 0x38, 0x7f, 0x4b, 0x86, 0xfc, 0xad, 0xb5, 0x8b,
0xb5, 0xe6, 0x8f, 0x83, 0x5b, 0x9a, 0xdc, 0x5a, 0x1e, 0x5c, 0xaa, 0xd6, 0x44, 0x57, 0x5d, 0xd8,
},
},
{
.address = 0x00160020,
.ciphertext = {
0xe5, 0x16, 0x28, 0x30, 0xb4, 0x4e, 0x14, 0xde, 0xbc, 0x48, 0x3b, 0x4e, 0x5b, 0xbe, 0x6a, 0x65,
0x37, 0x9b, 0x00, 0x7a, 0x4e, 0x9c, 0x0e, 0xee, 0x24, 0xc8, 0x6e, 0xf5, 0xf6, 0x03, 0x4a, 0xce,
0x7b, 0xac, 0x7b, 0x9e, 0x1c, 0x3b, 0x96, 0x3d, 0xd4, 0x15, 0xea, 0x94, 0xe3, 0x3b, 0x69, 0x3b,
0xe0, 0x1a, 0xbd, 0xf6, 0xc9, 0xe9, 0x6b, 0x16, 0xc7, 0xc5, 0x5d, 0xda, 0x27, 0x59, 0xb8, 0x32,
0x32, 0xa0, 0x68, 0x90, 0xe6, 0x5f, 0x14, 0x91, 0x05, 0xbc, 0x13, 0xcb, 0xfa, 0x61, 0x0a, 0x1d,
0xf3, 0xa4, 0x41, 0x60, 0xec, 0x2d, 0xcb, 0x19, 0x6d, 0x9b, 0xc6, 0xac, 0x4f, 0x45, 0x8f, 0xc0,
0x6b, 0x02, 0x12, 0x21, 0x3c, 0x01, 0x4d, 0xaa, 0xad, 0xee, 0x48, 0x9a, 0xda, 0x25, 0x20, 0xcd,
0xc8, 0x24, 0x43, 0x14, 0x95, 0xbc, 0xf0, 0x7c, 0xdb, 0xe0, 0x29, 0x8e, 0x5b, 0x61, 0x1d, 0x65,
},
},
{
.address = 0x00160030,
.ciphertext = {
0x0c, 0x1a, 0x8a, 0x43, 0x2c, 0x0b, 0xea, 0xc5, 0x30, 0x33, 0x25, 0xd2, 0x5e, 0x7e, 0x51, 0xac,
0x1b, 0x85, 0xdb, 0xb1, 0xc8, 0x2f, 0xde, 0x15, 0x08, 0x2c, 0xe8, 0xe4, 0x35, 0x64, 0xc6, 0x6e,
0x4a, 0x59, 0x33, 0xb4, 0xbd, 0xb7, 0x30, 0x2b, 0x7f, 0x00, 0xf1, 0x85, 0xb8, 0x40, 0x86, 0xee,
0x8b, 0xd9, 0xd7, 0x60, 0x77, 0x08, 0xdd, 0x94, 0xc2, 0xe4, 0x81, 0x0c, 0xef, 0x69, 0x6b, 0x20,
0xf8, 0x0e, 0x43, 0xe9, 0x6c, 0xa7, 0xb8, 0x4b, 0x15, 0x19, 0xd6, 0xfa, 0xf9, 0x81, 0x76, 0xd2,
0x70, 0xb4, 0x72, 0x93, 0xfa, 0xb9, 0x67, 0x74, 0x1c, 0xdf, 0x7d, 0xf2, 0x23, 0x06, 0xb1, 0x1b,
0x06, 0xb3, 0x41, 0xae, 0x63, 0x99, 0x38, 0x42, 0x37, 0xbd, 0xcb, 0xe1, 0xef, 0xef, 0x4f, 0xbb,
0xd7, 0x2d, 0xbb, 0xcb, 0xa5, 0xe7, 0xfb, 0x8f, 0xf0, 0xba, 0xb4, 0x8d, 0x22, 0x3d, 0xdf, 0x09,
},
},
{
.address = 0x00160040,
.ciphertext = {
0x66, 0x99, 0xfb, 0x9c, 0x86, 0x4e, 0x3e, 0x29, 0x57, 0xc3, 0xc8, 0x4f, 0x3c, 0xac, 0x25, 0x4b,
0x3a, 0x2b, 0xbf, 0xac, 0x30, 0xbd, 0x55, 0xb2, 0xdc, 0xd9, 0xf1, 0x67, 0xbf, 0x53, 0xd8, 0x83,
0x3a, 0x33, 0x85, 0xa8, 0x0d, 0x85, 0x5c, 0xde, 0x10, 0x69, 0xb7, 0xfc, 0xd3, 0x48, 0x01, 0xcd,
0x7d, 0x94, 0x8b, 0x16, 0x0e, 0xf8, 0x76, 0xb1, 0x07, 0xf7, 0x84, 0xb5, 0x7f, 0xff, 0x08, 0xf7,
0x70, 0x54, 0x50, 0xfd, 0xe4, 0x31, 0xe9, 0x62, 0x8e, 0x90, 0x94, 0xb1, 0x8c, 0x80, 0xaf, 0xf0,
0x55, 0x36, 0x8e, 0x31, 0x2e, 0x91, 0xa3, 0x9e, 0x93, 0xc1, 0xb8, 0x7b, 0x78, 0xa9, 0xf2, 0xe0,
0x62, 0xde, 0x06, 0x44, 0x6a, 0xf5, 0x4b, 0xfb, 0x15, 0xeb, 0x67, 0xb6, 0xe7, 0x6b, 0x6c, 0x81,
0x49, 0x90, 0x33, 0xe4, 0x1c, 0xa1, 0x4b, 0x68, 0xda, 0x1d, 0x47, 0x33, 0xc3, 0x95, 0xff, 0xae,
},
},
{
.address = 0x00160050,
.ciphertext = {
0xf9, 0x35, 0x63, 0xf6, 0x9b, 0x1e, 0xd6, 0xd8, 0xcf, 0xb2, 0x61, 0x35, 0xb0, 0x44, 0xe8, 0x9c,
0xc3, 0x36, 0x3d, 0xfd, 0x1d, 0xd5, 0x90, 0xc0, 0xd5, 0x20, 0x5d, 0x0c, 0xac, 0x22, 0x42, 0xb2,
0x19, 0x9d, 0x3d, 0xb4, 0xc2, 0x82, 0x94, 0xfd, 0x39, 0x99, 0x43, 0xfc, 0xa9, 0x2b, 0xc3, 0x6a,
0x9f, 0xd5, 0x95, 0xb9, 0xdc, 0xa4, 0xaa, 0x64, 0xce, 0x06, 0x24, 0x9e, 0x77, 0x99, 0xab, 0x9d,
0x97, 0x1f, 0x5d, 0x29, 0x4b, 0xdc, 0xa8, 0x6b, 0xc6, 0x8a, 0x66, 0xe3, 0xe8, 0x7c, 0x0f, 0x67,
0x48, 0xe1, 0x02, 0x93, 0xac, 0xe2, 0x0f, 0x41, 0x11, 0x7c, 0xb2, 0xc0, 0x1e, 0x3e, 0xd8, 0x8e,
0xaa, 0x2c, 0xa5, 0x5a, 0xef, 0x52, 0x35, 0x34, 0x9b, 0x20, 0x8f, 0x6c, 0xea, 0x7c, 0xd4, 0x22,
0xe5, 0x31, 0xb1, 0xbf, 0xc6, 0x0f, 0xd7, 0x86, 0xb0, 0x64, 0xc1, 0x7a, 0xb5, 0xf1, 0xda, 0x03,
},
},
{
.address = 0x00160060,
.ciphertext = {
0x9c, 0x04, 0x31, 0x2d, 0xd7, 0x9e, 0x8a, 0x2d, 0x63, 0x30, 0xb0, 0xec, 0xb6, 0x93, 0x5c, 0x48,
0x0b, 0x46, 0xc8, 0x39, 0x4e, 0x31, 0x88, 0x32, 0x9a, 0x77, 0xd6, 0x00, 0x91, 0x7f, 0x35, 0x3c,
0x21, 0xb2, 0xeb, 0x52, 0xc4, 0xbc, 0x5e, 0xc8, 0x10, 0x5d, 0x3f, 0x83, 0x27, 0x17, 0x0c, 0x25,
0xb0, 0x00, 0xee, 0x7e, 0x0c, 0x32, 0x6c, 0x01, 0xa7, 0x0b, 0x2b, 0x40, 0xfe, 0x01, 0x23, 0x75,
0x10, 0xae, 0x6f, 0x34, 0x3a, 0xb0, 0xa3, 0x1d, 0xf4, 0xb1, 0x7a, 0x75, 0x52, 0xfa, 0x0f, 0xd9,
0xe6, 0x82, 0xff, 0xc3, 0xf9, 0xd6, 0xd2, 0x91, 0xd9, 0x15, 0x10, 0x18, 0x7e, 0x60, 0x59, 0x88,
0xff, 0x92, 0xf9, 0xf9, 0xa0, 0x00, 0xa0, 0xab, 0x9e, 0xef, 0x4d, 0x4b, 0x73, 0x85, 0x29, 0x35,
0x94, 0x59, 0xcc, 0x77, 0x28, 0xa3, 0x86, 0xba, 0x1a, 0x4f, 0xdb, 0x90, 0xd8, 0x05, 0x41, 0xc0,
},
},
{
.address = 0x00160070,
.ciphertext = {
0x37, 0x3a, 0xc7, 0x18, 0xf6, 0x3c, 0xbc, 0x52, 0xab, 0xb9, 0x1a, 0x28, 0xa0, 0xff, 0x40, 0xef,
0xaf, 0xaa, 0x9c, 0x95, 0xe5, 0xa6, 0x59, 0x58, 0x05, 0xe6, 0xd2, 0x9f, 0x2e, 0x82, 0x65, 0xd6,
0x23, 0xf9, 0x76, 0x92, 0x21, 0xed, 0xf5, 0xd4, 0x78, 0xf0, 0xb8, 0xc7, 0x85, 0xe3, 0x0e, 0xb2,
0xeb, 0x26, 0xe6, 0x5f, 0xc2, 0x47, 0x64, 0xdf, 0xa5, 0x60, 0x3c, 0x5a, 0x87, 0x54, 0x8c, 0xab,
0xd5, 0xa9, 0x0b, 0x7b, 0xba, 0x01, 0x51, 0x47, 0x01, 0x4c, 0x65, 0xce, 0x29, 0xf9, 0xc3, 0x64,
0x8d, 0x43, 0xf8, 0xb0, 0x3c, 0x6a, 0xe3, 0x97, 0x56, 0x4d, 0xd4, 0x02, 0xef, 0x09, 0xdd, 0x9c,
0xd4, 0x8f, 0xff, 0xb9, 0xb0, 0xd2, 0x35, 0xca, 0x41, 0x64, 0x74, 0x4b, 0x64, 0x1e, 0x0e, 0xe6,
0x47, 0x7a, 0x81, 0xd8, 0xa1, 0x79, 0x49, 0x7c, 0x36, 0x6b, 0xc9, 0xaf, 0x82, 0x3d, 0x72, 0xd8,
},
},
};
#endif
#if SOC_FLASH_ENCRYPTION_XTS_AES_256
static const xts_aes_test tests_xts_aes_256[] = {
{
.address = 0x00160000,
.ciphertext = {
0x42, 0xfe, 0x14, 0xf3, 0x9c, 0x9e, 0xaf, 0xd9, 0x6d, 0xba, 0x8d, 0x90, 0x2b, 0x89, 0x4e, 0x3d,
0x94, 0xb3, 0x51, 0x70, 0xeb, 0x17, 0x57, 0xed, 0x8b, 0x8f, 0xdf, 0x9a, 0xa6, 0x60, 0xb4, 0x0e,
0xb8, 0xc6, 0xa0, 0x3f, 0xd7, 0x54, 0xc0, 0x9a, 0x06, 0xd9, 0xd4, 0xd9, 0x4c, 0x80, 0x29, 0x9a,
0x7c, 0x55, 0xfa, 0x70, 0xf3, 0x62, 0x1e, 0xcf, 0x74, 0x09, 0x12, 0x62, 0x14, 0x12, 0xaa, 0xce,
0x9b, 0x2e, 0x99, 0x29, 0x04, 0xbd, 0xf5, 0x72, 0xe1, 0xef, 0xf9, 0x56, 0x5d, 0xca, 0x60, 0xcc,
0xa8, 0x5c, 0x35, 0xe2, 0xf5, 0x0a, 0x7c, 0x51, 0x50, 0x3e, 0x0c, 0x16, 0xbf, 0x4b, 0xdf, 0x72,
0x5a, 0x87, 0x71, 0xfa, 0x9f, 0x85, 0xb4, 0x6c, 0x09, 0x43, 0x42, 0x8c, 0x5e, 0x12, 0x2a, 0x2d,
0xd8, 0xa1, 0xe7, 0x1a, 0x34, 0xff, 0xec, 0x9b, 0x32, 0x84, 0xc3, 0x90, 0xb0, 0x93, 0x14, 0x59,
},
},
{
.address = 0x00160010,
.ciphertext = {
0x08, 0xd3, 0xff, 0x75, 0x1e, 0x57, 0xaa, 0xf7, 0xd4, 0x24, 0x94, 0xec, 0xf8, 0x1c, 0xbd, 0xff,
0x82, 0xd2, 0x63, 0x88, 0x76, 0x5b, 0x04, 0xf9, 0x28, 0x75, 0xf9, 0x6d, 0x66, 0x40, 0xe5, 0xfc,
0x50, 0x09, 0xf0, 0xa3, 0x73, 0x50, 0xeb, 0x2c, 0x78, 0x5a, 0x9d, 0xa7, 0x4e, 0x08, 0x2a, 0x36,
0x7c, 0xf0, 0x49, 0xf2, 0x9b, 0x41, 0xe0, 0xf8, 0xed, 0x93, 0xa8, 0xd3, 0x68, 0xe4, 0x15, 0x79,
0xca, 0xf3, 0xd6, 0xf7, 0x67, 0xc4, 0x07, 0x7f, 0x3e, 0xb3, 0x49, 0x20, 0xce, 0xbd, 0x87, 0xac,
0x6c, 0x20, 0x4e, 0xc6, 0x62, 0x03, 0x21, 0xb7, 0xe5, 0xc5, 0xa4, 0x04, 0x1c, 0x6e, 0x7d, 0x6c,
0x93, 0x9e, 0x3d, 0x6a, 0x9a, 0x22, 0x7d, 0x74, 0xd6, 0x34, 0xaf, 0x96, 0x04, 0x34, 0x3b, 0x83,
0x05, 0xfb, 0x56, 0x67, 0xfa, 0x55, 0x95, 0x0f, 0xd5, 0x01, 0xf7, 0x64, 0xb7, 0x99, 0x92, 0x79,
},
},
{
.address = 0x00160020,
.ciphertext = {
0x0c, 0x92, 0x23, 0x69, 0x70, 0xf9, 0x7a, 0x08, 0x7b, 0x3d, 0x4b, 0x2e, 0xda, 0xc4, 0x94, 0x40,
0xb5, 0x55, 0xde, 0xb9, 0x81, 0xbf, 0x65, 0x13, 0x6c, 0x14, 0x45, 0xbe, 0x10, 0xdb, 0x0b, 0x29,
0x6b, 0xd0, 0x60, 0x05, 0x5a, 0x13, 0x94, 0xbf, 0xaa, 0x31, 0xfd, 0x60, 0x3b, 0xfb, 0x30, 0x8a,
0x4e, 0x98, 0xfd, 0x05, 0x33, 0xeb, 0x06, 0xa4, 0x77, 0xd2, 0xa4, 0x1c, 0x5a, 0x80, 0x57, 0x1b,
0x14, 0x4d, 0x38, 0xc2, 0x02, 0x0b, 0x0d, 0xb6, 0xf7, 0x5e, 0x85, 0xa5, 0xa7, 0x9b, 0x0d, 0xfb,
0x64, 0xa7, 0x95, 0x77, 0xf9, 0x64, 0x32, 0x64, 0xa8, 0x97, 0xc0, 0xf8, 0x52, 0xe0, 0x5f, 0x95,
0x8e, 0xf9, 0xbd, 0x7e, 0x1a, 0xe9, 0xeb, 0xcb, 0xd3, 0xcb, 0x19, 0x8a, 0xce, 0x5f, 0xd9, 0xef,
0xc0, 0xb1, 0x9b, 0x79, 0x6d, 0xe9, 0x80, 0x47, 0x17, 0xf0, 0x6b, 0x1e, 0x0c, 0x4c, 0xdc, 0x2a,
},
},
{
.address = 0x00160030,
.ciphertext = {
0xe1, 0x85, 0xc0, 0x9a, 0xd8, 0x5e, 0x26, 0xd8, 0xc5, 0x8c, 0xbb, 0xf0, 0xf1, 0x3e, 0x40, 0xbd,
0x6b, 0x9b, 0x81, 0x08, 0x93, 0x2d, 0xce, 0x2e, 0x27, 0xe4, 0xbe, 0xc4, 0xea, 0x93, 0xc8, 0xaa,
0x6a, 0x22, 0x29, 0xfc, 0x7b, 0x91, 0x70, 0x48, 0x15, 0x19, 0x46, 0xd0, 0x3b, 0x39, 0x67, 0xa3,
0xa6, 0x2f, 0x91, 0xd5, 0xe7, 0x80, 0x17, 0x0d, 0xee, 0xe4, 0x3d, 0x54, 0xf2, 0xf9, 0x6b, 0x7c,
0x2c, 0x5b, 0x63, 0xf3, 0xaa, 0x54, 0x68, 0xa5, 0xda, 0x3e, 0xa0, 0x09, 0x4a, 0x56, 0x95, 0x6b,
0x4d, 0xcc, 0x21, 0xb7, 0x0e, 0x38, 0x00, 0xc7, 0x35, 0x03, 0xb8, 0x2b, 0x71, 0xfb, 0x33, 0x1d,
0x39, 0xdd, 0xd5, 0xdf, 0xc2, 0x16, 0xf5, 0x0e, 0xf8, 0x7f, 0x8d, 0x77, 0x0c, 0x8b, 0xa6, 0xf3,
0xb2, 0x42, 0x1a, 0x50, 0x7a, 0x33, 0x63, 0xef, 0xbf, 0x73, 0x3e, 0xaa, 0xc4, 0xeb, 0xcf, 0xc4,
},
},
{
.address = 0x00160040,
.ciphertext = {
0x65, 0x17, 0xb9, 0xc9, 0x17, 0xde, 0xba, 0x6c, 0x6a, 0xe6, 0xfb, 0xbf, 0xdd, 0xbf, 0x71, 0xdc,
0xb4, 0x41, 0x38, 0x21, 0x0d, 0x18, 0x8d, 0x30, 0x40, 0x67, 0x07, 0x88, 0x09, 0x62, 0xf9, 0x55,
0xbc, 0x82, 0x29, 0xf7, 0xca, 0x87, 0x1d, 0x4a, 0x22, 0x80, 0xee, 0x80, 0xb4, 0x26, 0x61, 0x68,
0xcc, 0x1d, 0x36, 0xc8, 0x4f, 0x57, 0x0d, 0xca, 0xd0, 0x22, 0x0d, 0x78, 0xa9, 0xc5, 0x04, 0x9f,
0x8e, 0xa3, 0x96, 0x47, 0x51, 0xf2, 0x8b, 0xbf, 0x39, 0xfa, 0xa2, 0x30, 0x12, 0xfa, 0xcc, 0x2f,
0x08, 0xcc, 0x33, 0x0f, 0x61, 0x96, 0xcc, 0x8d, 0xb8, 0x5f, 0x29, 0xbd, 0x6b, 0x1e, 0xe4, 0x74,
0x32, 0x70, 0xc3, 0x69, 0x6d, 0xf0, 0x4b, 0xf9, 0x04, 0x13, 0x4a, 0x47, 0xf6, 0xa6, 0xd4, 0x95,
0x3e, 0x6a, 0x56, 0x66, 0xd7, 0xe9, 0x94, 0x9a, 0x2f, 0xe4, 0x9b, 0x2e, 0x82, 0x32, 0x97, 0x2f,
},
},
{
.address = 0x00160050,
.ciphertext = {
0x4a, 0xe0, 0xa5, 0xd6, 0x11, 0xf3, 0x7e, 0x57, 0xf2, 0x3e, 0x7f, 0x4e, 0x14, 0xa8, 0x0f, 0x4e,
0xf3, 0x24, 0x93, 0x11, 0x74, 0x48, 0x2e, 0xa4, 0xc0, 0x9e, 0xa0, 0xf2, 0xc2, 0x60, 0xe9, 0x84,
0x6c, 0x86, 0x1d, 0xbd, 0x0e, 0xa7, 0x9c, 0x8c, 0x1b, 0xf2, 0xb7, 0x39, 0xbc, 0xd4, 0x31, 0x43,
0x7b, 0x4c, 0x6d, 0x81, 0x18, 0x76, 0xa4, 0x4f, 0x9b, 0x60, 0xeb, 0x43, 0xc0, 0xcf, 0x83, 0x48,
0x0b, 0x0f, 0xcf, 0x94, 0x61, 0x57, 0x58, 0x67, 0x5c, 0xbf, 0x27, 0x93, 0xd4, 0x5b, 0xc7, 0xae,
0x22, 0x84, 0x41, 0xcd, 0x4e, 0x97, 0xac, 0x05, 0xce, 0x94, 0x97, 0xf7, 0x49, 0xd5, 0x1a, 0x37,
0x7d, 0x2c, 0x10, 0x8e, 0xd9, 0x8e, 0x98, 0x60, 0x1c, 0x59, 0xd5, 0x09, 0x9e, 0x6d, 0x21, 0xdf,
0x1b, 0x09, 0x98, 0xdc, 0x7f, 0x8b, 0x7f, 0x62, 0xa9, 0xf1, 0x5c, 0x54, 0xd4, 0x73, 0x90, 0x6a,
},
},
{
.address = 0x00160060,
.ciphertext = {
0x1c, 0x36, 0xb4, 0x70, 0xfc, 0x41, 0xbb, 0x9e, 0x12, 0x52, 0xd6, 0xa5, 0xff, 0xb3, 0x2c, 0x70,
0x4e, 0x64, 0xa6, 0xe9, 0xe5, 0x79, 0xed, 0x62, 0xe1, 0x02, 0xd7, 0xf7, 0xc3, 0x3c, 0x5c, 0xea,
0x47, 0xd4, 0xdd, 0x12, 0x09, 0x51, 0x32, 0xf6, 0x25, 0xaa, 0xd8, 0x91, 0x9c, 0xfa, 0xab, 0x62,
0x09, 0x46, 0x4b, 0x4b, 0x8b, 0xbe, 0x11, 0x60, 0x44, 0xa1, 0xf2, 0x19, 0xa5, 0x6d, 0xe1, 0x69,
0x54, 0xe9, 0x27, 0x33, 0x55, 0x10, 0xfa, 0xb6, 0xd2, 0x0d, 0x09, 0x5f, 0xf0, 0xa5, 0xab, 0x30,
0xd7, 0xda, 0xab, 0xf8, 0x0f, 0xfd, 0x7e, 0xd9, 0xad, 0x7f, 0xb0, 0x0c, 0xae, 0x45, 0x07, 0x98,
0x86, 0x09, 0x9c, 0xf7, 0x3b, 0xaf, 0x12, 0x01, 0x68, 0xb6, 0x69, 0x13, 0x8d, 0xcd, 0xbf, 0x8e,
0xbb, 0xff, 0x17, 0x35, 0x47, 0x86, 0x4f, 0x45, 0x3d, 0x77, 0x44, 0xd1, 0xc3, 0x2e, 0x9a, 0xf9,
},
},
{
.address = 0x00160070,
.ciphertext = {
0xc9, 0x57, 0xb5, 0x8e, 0xd5, 0x82, 0xff, 0xf5, 0xa8, 0x49, 0x18, 0x1f, 0x29, 0x21, 0xff, 0xa7,
0xf5, 0x8c, 0xf7, 0x72, 0xfe, 0x4c, 0x90, 0xba, 0xa9, 0x03, 0x50, 0x93, 0x4c, 0x69, 0xcb, 0xd6,
0x0a, 0x0b, 0x7a, 0xc2, 0x97, 0xff, 0x3d, 0xc9, 0x4e, 0xa9, 0xd2, 0x62, 0x1f, 0x4d, 0xd8, 0xf5,
0x48, 0x9d, 0xba, 0xee, 0x0e, 0x78, 0xcb, 0xe4, 0xee, 0x27, 0x4e, 0x2a, 0xd1, 0xcd, 0xae, 0xb7,
0xdc, 0x5c, 0x5b, 0xcf, 0x7a, 0x44, 0xf4, 0xe7, 0xe2, 0x18, 0xbe, 0xf4, 0xb9, 0x4f, 0x3a, 0xb6,
0x65, 0x78, 0x03, 0x06, 0x08, 0x1a, 0xb2, 0x60, 0x4b, 0x5b, 0x9e, 0x86, 0xc0, 0x90, 0x50, 0xc9,
0xd4, 0xba, 0xee, 0xe4, 0xd0, 0x4a, 0xb3, 0x5d, 0x2f, 0x3e, 0x59, 0x4f, 0xcf, 0xe6, 0xef, 0x46,
0x6a, 0xb0, 0xfb, 0x5e, 0x50, 0xf3, 0x96, 0xff, 0x62, 0x19, 0xb8, 0xd2, 0x49, 0x64, 0x86, 0x34,
},
},
};
#endif

4
components/hal/test_apps/crypto/partitions.csv Normal file
View File

@ -0,0 +1,4 @@
# Name, Type, SubType, Offset, Size, Flags
# Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
factory, 0, 0, 0x10000, 0x150000
storage, data, fat, 0x160000, 320K
1 # Name, Type, SubType, Offset, Size, Flags
2 # Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
3 factory, 0, 0, 0x10000, 0x150000
4 storage, data, fat, 0x160000, 320K

5
components/hal/test_apps/crypto/sdkconfig.defaults
View File

@ -1,3 +1,8 @@
CONFIG_ESP_TASK_WDT_EN=y
CONFIG_ESP_TASK_WDT_INIT=n
CONFIG_UNITY_ENABLE_FIXTURE=y
CONFIG_PARTITION_TABLE_CUSTOM=y
CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"
CONFIG_PARTITION_TABLE_OFFSET=0x8000

36
components/mbedtls/Kconfig
View File

@ -416,6 +416,42 @@ menu "mbedTLS"
priority level and any level from 1 to 3 can be selected (based on the availability).
Note: Higher value indicates high interrupt priority.
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
bool "Enable AES hardware's pseudo round function"
default n
depends on SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
help
Enables the pseudo round function of the AES peripheral.
Enabling this would impact the performance of the AES operations.
For more info regarding the performance impact, please checkout the pseudo round function section of the
security guide.
choice MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH
prompt "Strength of the pseudo rounds function"
depends on MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
default MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
help
The strength of the pseudo rounds functions can be configured to low, medium and high.
You can configure the strength of the pseudo rounds functions according to your use cases,
for example, increasing the strength would provide higher security but would slow down the
hardware AES encryption/decryption operations.
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
bool "Low"
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
bool "Medium"
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
bool "High"
endchoice
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH
int
default 1 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
default 2 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
default 3 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
config MBEDTLS_HARDWARE_GCM
bool "Enable partially hardware accelerated GCM"
depends on SOC_AES_SUPPORT_GCM && MBEDTLS_HARDWARE_AES

5
components/mbedtls/port/aes/block/esp_aes.c
View File

@ -31,6 +31,7 @@
#include "esp_log.h"
#include "aes/esp_aes.h"
#include "soc/hwcrypto_periph.h"
#include "soc/soc_caps.h"
#include <sys/lock.h>
#include "hal/aes_hal.h"
#include "hal/aes_ll.h"
@ -105,6 +106,10 @@ static int esp_aes_block(esp_aes_context *ctx, const void *input, void *output)
i2 = input_words[2];
i3 = input_words[3];
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
aes_hal_transform_block(input, output);
/* Physical security check: Verify the AES accelerator actually ran, and wasn't

16
components/mbedtls/port/aes/dma/esp_aes_dma_core.c
View File

@ -610,6 +610,10 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
if (esp_aes_dma_start(input_desc, output_desc) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
ret = -1;
@ -829,6 +833,10 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
/* Start AES operation */
if (esp_aes_dma_start(in_desc_head, output_desc) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
@ -1084,6 +1092,10 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
if (esp_aes_dma_start(in_desc_head, out_desc_head) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
ret = -1;
@ -1262,6 +1274,10 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
/* Start AES operation */
if (esp_aes_dma_start(in_desc_head, out_desc_head) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");

29
components/mbedtls/port/aes/esp_aes_common.c
View File

@ -6,7 +6,7 @@
*
* SPDX-License-Identifier: Apache-2.0
*
* SPDX-FileContributor: 2016-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileContributor: 2016-2024 Espressif Systems (Shanghai) CO LTD
*/
/*
* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
@ -76,3 +76,30 @@ int esp_aes_setkey( esp_aes_context *ctx, const unsigned char *key,
ctx->key_in_hardware = 0;
return 0;
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
/* The total number of pseudo-rounds randomly inserted in an AES operation are controlled by
* configuring the AES_PSEUDO_BASE, AES_PSEUDO_INC parameters.
* Users can also set the frequency of random key updates by configuring the AES_PSEUDO_RNG_CNT.
* Here, we would be using some pre-decided values for these parameters corresponding to the security needed.
* For more information regarding these parameters please refer the TRM.
*/
#define AES_PSEUDO_ROUNDS_BASE_LOW 4
#define AES_PSEUDO_ROUNDS_BASE_MEDIUM 7
#define AES_PSEUDO_ROUNDS_BASE_HIGH 15
#define AES_PSEUDO_ROUNDS_INC 3
#define AES_PSEUDO_ROUNDS_RNG_CNT 7
void esp_aes_enable_pseudo_rounds(esp_aes_psuedo_rounds_state_t state)
{
if (state == ESP_AES_PSEUDO_ROUNDS_DISABLE) {
aes_hal_enable_pseudo_rounds(false, 0, 0, 0);
} else if (state == ESP_AES_PSEUDO_ROUNDS_LOW) {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_LOW, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
} else if (state == ESP_AES_PSEUDO_ROUNDS_MEDIUM) {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_MEDIUM, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
} else {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_HIGH, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
}
}
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */

15
components/mbedtls/port/aes/include/esp_aes_internal.h
View File

@ -9,6 +9,7 @@
#include <stdbool.h>
#include "aes/esp_aes.h"
#include "soc/soc_caps.h"
#include "hal/aes_hal.h"
#include "esp_crypto_dma.h"
#ifdef __cplusplus
@ -17,6 +18,20 @@ extern "C" {
bool valid_key_length(const esp_aes_context *ctx);
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
/**
* @brief Default pseudo rounds configs of the AES accelerator
*/
typedef enum {
ESP_AES_PSEUDO_ROUNDS_DISABLE = 0,
ESP_AES_PSEUDO_ROUNDS_LOW,
ESP_AES_PSEUDO_ROUNDS_MEDIUM,
ESP_AES_PSEUDO_ROUNDS_HIGH,
} esp_aes_psuedo_rounds_state_t;
void esp_aes_enable_pseudo_rounds(esp_aes_psuedo_rounds_state_t state);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
#if SOC_AES_SUPPORT_DMA
/**
* @brief Run a AES operation using DMA

8
components/soc/esp32c5/include/soc/Kconfig.soc_caps.in
View File

@ -267,6 +267,10 @@ config SOC_AES_SUPPORT_AES_256
bool
default y
config SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
bool
default y
config SOC_ADC_DIG_CTRL_SUPPORTED
bool
default y
@ -1247,6 +1251,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
bool
default y
config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
bool
default y
config SOC_APM_CTRL_FILTER_SUPPORTED
bool
default y

3
components/soc/esp32c5/include/soc/soc_caps.h
View File

@ -97,6 +97,8 @@
#define SOC_AES_SUPPORT_AES_128 (1)
#define SOC_AES_SUPPORT_AES_256 (1)
#define SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION (1)
/*-------------------------- ADC CAPS -------------------------------*/
/*!< SAR ADC Module*/
#define SOC_ADC_DIG_CTRL_SUPPORTED 1
@ -520,6 +522,7 @@
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1
/*-------------------------- APM CAPS-----------------------------------------*/
#define SOC_APM_CTRL_FILTER_SUPPORTED 1 /*!< Support for APM control filter */

4
components/soc/esp32c61/include/soc/Kconfig.soc_caps.in
View File

@ -943,6 +943,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
bool
default y
config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
bool
default y
config SOC_APM_CTRL_FILTER_SUPPORTED
bool
default y

1
components/soc/esp32c61/include/soc/soc_caps.h
View File

@ -390,6 +390,7 @@
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1
/*-------------------------- APM CAPS ----------------------------------------*/
#define SOC_APM_CTRL_FILTER_SUPPORTED 1 /*!< Support for APM control filter */

5
components/spi_flash/spi_flash_chip_generic.c
View File

@ -527,6 +527,11 @@ esp_err_t spi_flash_chip_generic_write_encrypted(esp_flash_t *chip, const void *
const uint8_t *data_bytes = (const uint8_t *)buffer;
esp_flash_encryption->flash_encryption_enable();
#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
spi_flash_encryption_hal_enable_pseudo_rounds(ESP_XTS_AES_PSEUDO_ROUNDS_LOW, XTS_AES_PSEUDO_ROUNDS_BASE, XTS_AES_PSEUDO_ROUNDS_INC, XTS_AES_PSEUDO_ROUNDS_RNG_CNT);
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */
while (length > 0) {
int block_size;
/* Write the largest block if possible */

44
docs/en/security/flash-encryption.rst
View File

@ -528,12 +528,13 @@ To use this mode, take the following steps:
.. list::
- :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
:esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (Note that once Release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable flash encryption hardware in ROM Download Mode.)
- :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`.
:esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once Release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable flash encryption hardware in ROM Download Mode.)
:esp32: - :ref:`Select UART ROM download mode (Permanently disabled (recommended)) <CONFIG_SECURE_UART_ROM_DL_MODE>` (Note that this option is only available when :ref:`CONFIG_ESP32_REV_MIN` is set to 3 (ESP32 V3).) The default choice is to keep UART ROM download mode enabled, however it is recommended to permanently disable this mode to reduce the options available to an attacker.
:not esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (Note that once Release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable flash encryption hardware in ROM Download Mode.)
:not esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once Release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable flash encryption hardware in ROM Download Mode.)
:not esp32: - :ref:`Select UART ROM download mode (Permanently switch to Secure mode (recommended)) <CONFIG_SECURE_UART_ROM_DL_MODE>`. This is the default option, and is recommended. It is also possible to change this configuration setting to permanently disable UART ROM download mode, if this mode is not needed.
- :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - :ref:`Select enable XTS-AES's pseudo rounds function <CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC>`. This option is selected by default and its strength is configured to level low considering the performance impact on the flash encryption/decryption operations. Please refer to :ref:`xts-aes-pseudo-round-func` for more information regarding the performance impact per security level.
- :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`.
- Save the configuration and exit.
Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
@ -1119,3 +1120,38 @@ The following sections provide some reference information about the operation of
- The flash encryption key is stored in ``BLOCK_KEY0`` eFuse and, by default, is protected from further writes or software readout.
- To see the full flash encryption algorithm implemented in Python, refer to the `_flash_encryption_operation()` function in the ``espsecure.py`` source code.
.. only:: SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
Protection Against Side-Channel Attacks
---------------------------------------
.. _xts-aes-pseudo-round-func:
Pseudo-Round Function
^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} incorporates a pseudo-round function in the XTS-AES peripheral, thus enabling the peripheral to randomly insert pseudo-rounds before and after the original operation rounds and also generate a pseudo key to perform these dummy operations.
These operations do not alter the original result, but they increase the complexity to perform side channel analysis attacks by randomizing the power profile.
:ref:`CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the XTS-AES operations.
.. list-table:: Performance impact on XTS-AES operations per strength level
:widths: 10 10
:header-rows: 1
:align: center
* - **Strength**
- **Performance Impact** [#]_
* - Low
- < 0.5 %
* - Medium
- 6.2 %
* - High
- 18 %
.. [#] The above performance numbers have been calculated using the XTS-AES test of the HAL crypto test app :component_file:`test_xts_aes.c <hal/test_apps/crypto/main/xts_aes/test_xts_aes.c>`.
You can configure the strength of the pseudo rounds functions according to your use cases. For example, increasing the strength would provide higher security but would slow down the flash encryption/decryption operations.
Considering the above performance impact, ESP-IDF by-default enables low strength configuration for the pseudo-round function for minimal performance impact.

1
docs/en/security/security-features-enablement-workflows.rst
View File

@ -250,6 +250,7 @@ In this case all the eFuses related to Flash Encryption are written with help of
:SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently
:not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``: Disable UART bootloader encryption access
:SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``: Disable the MSPI access in download mode
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - ``XTS_DPA_PSEUDO_LEVEL``: Enable the pseudo rounds function of the XTS-AES peripheral. The value to be burned in the eFuse can be 1, 2 or 3, denoting the security level. By default ESP-IDF's bootloader configures the value of this eFuse to 1 while enabling flash encryption release mode during boot-up.
The respective eFuses can be burned by running:

49
docs/en/security/security.rst
View File

@ -114,18 +114,53 @@ Flash Encryption Best Practices
This feature can help to prevent the possibility of remote code injection due to the existing vulnerabilities in the software.
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED or SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
DPA (Differential Power Analysis) Protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Protection Against Side-Channel Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
{IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the TRM for more details on this topic.
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
:ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
DPA (Differential Power Analysis) Protection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note::
{IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the *{IDF_TARGET_NAME} Technical Reference Manual* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__]. for more details on this topic.
:ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
.. note::
Please note that hardware :doc:`RNG <../api-reference/system/random>` must be enabled for DPA protection to work correctly.
.. only:: SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
AES Peripheral's Pseudo-Round Function
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} incorporates a pseudo-round function in the AES peripheral, thus enabling the peripheral to randomly insert pseudo-rounds before and after the original operation rounds and also generate a pseudo key to perform these dummy operations.
These operations do not alter the original result, but they increase the complexity to perform side channel analysis attacks by randomizing the power profile.
:ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the encrryption/decryption operations.
.. list-table:: Performance impact on AES operations per strength level
:widths: 10 10
:header-rows: 1
:align: center
* - **Strength**
- **Performance Impact** [#]_
* - Low
- 20.9 %
* - Medium
- 47.6 %
* - High
- 72.4 %
.. [#] The above performance numbers have been calculated using the AES performance test of the mbedtls test application :component_file:`test_aes_perf.c <mbedtls/test_apps/main/test_aes_perf.c>`.
Considering the above performance impact, ESP-IDF by-default does not enable the pseudo-round function to avoid any performance-related degrade. But it is recommended to enable the pseudo-round function for better security.
Please note that hardware :doc:`RNG <../api-reference/system/random>` must be enabled for DPA protection to work correctly.
Debug Interfaces
~~~~~~~~~~~~~~~~

46
docs/zh_CN/security/flash-encryption.rst
View File

@ -528,13 +528,14 @@ flash 加密设置
.. list::
- :ref:`启动时使能 flash 加密 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
:esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (注意一旦选择了发布模式,``DISABLE_DL_ENCRYPT`` 和 ``DISABLE_DL_DECRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件)
- :ref:`启动时使能 flash 加密 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
:esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`(注意一旦选择了发布模式,``DISABLE_DL_ENCRYPT`` 和 ``DISABLE_DL_DECRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件)
:esp32: - :ref:`选择 UART ROM 下载模式(推荐永久性禁用)<CONFIG_SECURE_UART_ROM_DL_MODE>` (注意该选项仅在 :ref:`CONFIG_ESP32_REV_MIN` 级别设置为 3 时 (ESP32 V3) 可用。)默认选项是保持启用 UART ROM 下载模式,然而建议永久禁用该模式,以减少攻击者可用的选项。
:not esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (注意一旦选择了发布模式,``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件
:not esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`(注意一旦选择了发布模式,``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件)
:not esp32: - :ref:`选择 UART ROM 下载(推荐永久性的切换到安全模式)<CONFIG_SECURE_UART_ROM_DL_MODE>`。这是默认且推荐使用的选项。如果不需要该模式,也可以改变此配置设置永久地禁用 UART ROM 下载模式。
- :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`
- 保存配置并退出
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - :ref:`启用 XTS-AES 伪轮次功能 <CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC>`。该选项已默认启用,且配置为最低强度等级,以降低对 flash 加密/解密操作的性能影响。如需了解每个安全等级对性能影响的更多信息,请参考 :ref:`xts-aes-pseudo-round-func`。
- :ref:`选择适当详细程度的引导加载程序日志级别 <CONFIG_BOOTLOADER_LOG_LEVEL>`
- 保存配置并退出。
启用 flash 加密将增大引导加载程序,因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`
@ -1119,3 +1120,38 @@ JTAG 调试
- flash 加密的密钥存储于一个 ``BLOCK_KEY0`` eFuse 中,默认受保护防止进一步写入或软件读取。
- 有关在 Python 中实现的完整 flash 加密算法,可参见 ``espsecure.py`` 源代码中的函数 ``_flash_encryption_operation()``
.. only:: SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
防御侧信道攻击
-------------------
.. _xts-aes-pseudo-round-func:
伪轮次功能
^^^^^^^^^^^^^^
{IDF_TARGET_NAME} 在 XTS-AES 外设中引入了伪轮次功能,使该外设可以在原始操作轮次之前和之后随机插入伪轮次,并生成伪密钥以执行这些虚拟操作。
这些操作不会改变原始结果,但通过随机化功率曲线,增加了实施侧信道分析攻击的复杂性。
可以通过 :ref:`CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH` 选择伪轮次功能的强度。提高强度会增强该功能所提供的安全性,但也会降低 XTS-AES 操作的速度。
.. list-table:: 不同强度的伪轮次对 XTS-AES 操作性能的影响
:widths: 10 10
:header-rows: 1
:align: center
* - **强度**
- **性能影响** [#]_
* - 低
- < 0.5 %
* - 中
- 6.2 %
* - 高
- 18 %
.. [#] 上述性能数据由 HAL 加密测试应用中的 XTS-AES 测试程序 :component_file:`test_xts_aes.c <hal/test_apps/crypto/main/xts_aes/test_xts_aes.c>` 计算得出。
可以根据实际用例需求配置伪轮次功能的强度。例如,提高强度以提供更高的安全性,同时减慢 flash 加解密操作的速度。
考虑到上述性能影响ESP-IDF 默认为伪轮次功能启用了低强度配置,以尽量减少性能影响。

1
docs/zh_CN/security/security-features-enablement-workflows.rst
View File

@ -250,6 +250,7 @@
:SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``:永久禁用 JTAG
:not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``:禁用 UART 引导加载程序加密访问
:SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``:禁用下载模式下的 MSPI 访问
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - ``XTS_DPA_PSEUDO_LEVEL``:启用 XTS-AES 外设的伪轮次功能。要烧录到 eFuse 中的值可以是 1、2 或 3表示安全等级。默认情况下ESP-IDF 的引导加载程序在启动过程中启用 flash 加密的发布模式时,会将该 eFuse 的值配置为 1。
可运行以下命令烧录相应的 eFuse

49
docs/zh_CN/security/security.rst
View File

@ -114,18 +114,53 @@ flash 加密最佳实践
内存保护功能可以防止因软件漏洞导致的远程代码注入。
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED or SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
差分功耗分析 (DPA) 保护
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
防御侧信道攻击
~~~~~~~~~~~~~~~~~
{IDF_TARGET_NAME} 支持针对 DPA 相关安全攻击的保护机制。DPA 保护通过动态调整加密外设的时钟频率,在其运行期间模糊了功耗消耗记录。时钟变化范围会根据配置的 DPA 安全级别改变。更多详情请参阅技术参考手册。
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
通过 :ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` 可以调整 DPA 级别。级别越高安全性越强,但也可能会影响性能。默认启用最低级别 DPA 保护,可以根据安全需求修改。
差分功耗分析 (DPA) 保护
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
{IDF_TARGET_NAME} 支持针对 DPA 相关安全攻击的保护机制。DPA 保护通过动态调整加密外设的时钟频率,在其运行期间模糊了功耗轨迹。时钟变化范围会根据配置的 DPA 安全级别改变。更多详情请参阅 *{IDF_TARGET_NAME} 技术参考手册* > [`PDF <{IDF_TARGET_TRM_CN_URL}>`__]。
通过 :ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` 可以调整 DPA 级别。级别越高安全性越强,但也可能会影响性能。默认启用最低级别 DPA 保护,可以根据安全需求修改。
.. note::
请注意,为确保 DPA 保护机制正常工作,必须启用硬件 :doc:`RNG <../api-reference/system/random>`
.. only:: SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
AES 外设的伪轮次功能
^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} 在 AES 外设中集成了伪轮次功能,使该外设能够在原始操作轮次前后随机插入伪轮次,并生成一个伪密钥来执行这些虚拟操作。
这些操作不会改变原始结果,但能够通过随机化功耗特征,提高实施侧信道分析攻击的复杂性。
可以使用 :ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` 选择伪轮次功能的强度。提高强度会增强该功能所提供的安全性,但会加密/解密操作的速度。
.. list-table:: 伪轮次功能的不同强度对 AES 操作性能的影响
:widths: 10 10
:header-rows: 1
:align: center
* - **强度**
- **性能影响** [#]_
* - 低
- 20.9 %
* - 中
- 47.6 %
* - 高
- 72.4 %
.. [#] 上述性能数据通过 mbedtls 测试应用中的 AES 性能测试 :component_file:`test_aes_perf.c <mbedtls/test_apps/main/test_aes_perf.c>` 计算得出。
考虑到上述性能影响ESP-IDF 默认关闭伪轮次功能,避免对相关性能造成影响。但如果需要更高的安全性,仍然建议启用。
请注意,为确保 DPA 保护正常工作,必须启用硬件 :doc:`RNG <../api-reference/system/random>`
调试接口
~~~~~~~~~~~~~~~~