blackbeard420/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf synced 2025-03-09 09:09:10 -04:00
Code Issues Projects Releases Wiki Activity

Merge branch 'feat/support_aes_pseudo_round_func_in_esp32h2_eco5_v5.4' into 'release/v5.4'

Browse Source 
Support AES and XTS-AES's pseudo round function in ESP32H2-ECO5 (v5.4)

See merge request espressif/esp-idf!36463
This commit is contained in:
Mahavir Jain 2025-01-23 13:20:20 +08:00
commit 649f9a72ae
36 changed files with 701 additions and 66 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
components/bootloader/Kconfig.projbuild
View File

@ -1134,6 +1134,44 @@ menu "Security features"
If not set, the app does not care if the flash encryption eFuse bit is set or not.
config SECURE_FLASH_PSEUDO_ROUND_FUNC
bool "Permanently enable XTS-AES's pseudo rounds function"
default y
depends on SECURE_FLASH_ENCRYPTION_MODE_RELEASE && SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
help
If set (default), the bootloader will permanently enable the XTS-AES peripheral's pseudo rounds function.
Note: Enabling this config would burn an efuse.
choice SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH
prompt "Strength of the pseudo rounds function"
depends on SECURE_FLASH_PSEUDO_ROUND_FUNC
default SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_LOW
help
The strength of the pseudo rounds functions can be configured to low, medium and high,
each denoting the values that would be stored in the efuses field.
By default the value to set to low.
You can configure the strength of the pseudo rounds functions according to your use cases,
for example, increasing the strength would provide higher security but would slow down the
flash encryption/decryption operations.
For more info regarding the performance impact, please checkout the pseudo round function section of the
security guide documentation.
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_LOW
bool "Low"
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
bool "Medium"
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
bool "High"
endchoice
config SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH
int
default 1 if SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_LOW
default 2 if SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
default 3 if SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
config SECURE_ROM_DL_MODE_ENABLED
bool
default y if SOC_SUPPORTS_SECURE_DL_MODE && !SECURE_FLASH_ENCRYPTION_MODE_DEVELOPMENT

13
components/bootloader_support/src/esp32h2/flash_encryption_secure_features.c
View File

@ -1,15 +1,18 @@
/*
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <stdint.h>
#include <strings.h>
#include "esp_flash_encrypt.h"
#include "esp_secure_boot.h"
#include "esp_efuse.h"
#include "esp_efuse_table.h"
#include "esp_log.h"
#include "hal/spi_flash_encrypted_ll.h"
#include "soc/soc_caps.h"
#include "sdkconfig.h"
static __attribute__((unused)) const char *TAG = "flash_encrypt";
@ -33,6 +36,14 @@ esp_err_t esp_flash_encryption_enable_secure_features(void)
esp_efuse_write_field_bit(ESP_EFUSE_DIS_DIRECT_BOOT);
#if defined(CONFIG_SECURE_FLASH_ENCRYPTION_MODE_RELEASE) && defined(SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND)
if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
ESP_LOGI(TAG, "Enable XTS-AES pseudo rounds function...");
uint8_t xts_pseudo_level = CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
}
#endif
#if defined(CONFIG_SECURE_BOOT_V2_ENABLED) && !defined(CONFIG_SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS)
// This bit is set when enabling Secure Boot V2, but we can't enable it until this later point in the first boot
// otherwise the Flash Encryption key cannot be read protected

23
components/bootloader_support/src/flash_encrypt.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -12,6 +12,9 @@
#include "esp_flash_encrypt.h"
#include "esp_secure_boot.h"
#include "hal/efuse_hal.h"
#include "hal/spi_flash_encrypted_ll.h"
#include "hal/spi_flash_encrypt_hal.h"
#include "soc/soc_caps.h"
#if CONFIG_IDF_TARGET_ESP32
#define CRYPT_CNT ESP_EFUSE_FLASH_CRYPT_CNT
@ -207,6 +210,13 @@ void esp_flash_encryption_set_release_mode(void)
#endif // CONFIG_SOC_FLASH_ENCRYPTION_XTS_AES_128_DERIVED
#endif // !CONFIG_IDF_TARGET_ESP32
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
uint8_t xts_pseudo_level = ESP_XTS_AES_PSEUDO_ROUNDS_LOW;
esp_efuse_write_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
}
#endif
#ifdef CONFIG_IDF_TARGET_ESP32
esp_efuse_write_field_bit(ESP_EFUSE_WR_DIS_DIS_CACHE);
#else
@ -468,6 +478,17 @@ bool esp_flash_encryption_cfg_verify_release_mode(void)
}
result &= secure;
#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
uint8_t xts_pseudo_level = 0;
esp_efuse_read_field_blob(ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL, &xts_pseudo_level, ESP_EFUSE_XTS_DPA_PSEUDO_LEVEL[0]->bit_count);
if (!xts_pseudo_level) {
result &= false;
ESP_LOGW(TAG, "Not enabled XTS-AES pseudo rounds function (set XTS_DPA_PSEUDO_LEVEL->1 or more)");
}
}
#endif
return result;
}
#endif // not CONFIG_IDF_TARGET_ESP32

17
components/hal/aes_hal.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -39,8 +39,17 @@ void aes_hal_transform_block(const void *input_block, void *output_block)
aes_ll_read_block(output_block);
}
#if SOC_AES_SUPPORT_DMA
#ifdef SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
void aes_hal_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
if (aes_ll_is_pseudo_rounds_function_supported()) {
aes_ll_enable_pseudo_rounds(enable, base, increment, key_rng_cnt);
}
}
#endif // SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
#if SOC_AES_SUPPORT_DMA
void aes_hal_transform_dma_start(size_t num_blocks)
{
@ -61,7 +70,7 @@ void aes_hal_transform_dma_finish(void)
void aes_hal_mode_init(esp_aes_mode_t mode)
{
/* Set the algorith mode CBC, CFB ... */
/* Set the algorithm mode CBC, CFB ... */
aes_ll_set_block_mode(mode);
/* Presently hard-coding the INC function to 32 bit */
if (mode == ESP_AES_BLOCK_MODE_CTR) {
@ -83,8 +92,6 @@ void aes_hal_wait_done()
{
while (aes_ll_get_state() != ESP_AES_STATE_DONE) {}
}
#endif //SOC_AES_SUPPORT_DMA
#if SOC_AES_SUPPORT_GCM

1
components/hal/esp32/include/hal/spi_flash_encrypted_ll.h
View File

@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include "soc/dport_reg.h"
#include "soc/flash_encryption_reg.h"

7
components/hal/esp32c2/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -24,7 +25,7 @@
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*

7
components/hal/esp32c3/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -24,7 +25,7 @@
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*

1
components/hal/esp32c5/include/hal/spi_flash_encrypted_ll.h
View File

@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>

7
components/hal/esp32c6/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -24,7 +25,7 @@
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*

1
components/hal/esp32c61/include/hal/spi_flash_encrypted_ll.h
View File

@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>

37
components/hal/esp32h2/include/hal/aes_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -12,6 +12,9 @@
#include "soc/pcr_struct.h"
#include "hal/aes_types.h"
#include "hal/efuse_hal.h"
#include "soc/chip_revision.h"
#ifdef __cplusplus
extern "C" {
#endif
@ -241,6 +244,38 @@ static inline void aes_ll_interrupt_clear(void)
REG_WRITE(AES_INT_CLEAR_REG, 1);
}
/**
* @brief Enable the pseudo-round function during AES operations
*
* @param enable true to enable, false to disable
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
static inline void aes_ll_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_EN, enable);
if (enable) {
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_BASE, base);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_INC, increment);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_RNG_CNT, key_rng_cnt);
} else {
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_BASE, 0);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_INC, 0);
REG_SET_FIELD(AES_PSEUDO_REG, AES_PSEUDO_RNG_CNT, 0);
}
}
/**
* @brief Check if the pseudo round function is supported
* The AES pseudo round function is only avliable in chip version
* above 1.2 in ESP32-H2
*/
static inline bool aes_ll_is_pseudo_rounds_function_supported(void)
{
return ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102);
}
#ifdef __cplusplus
}

43
components/hal/esp32h2/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -20,11 +21,14 @@
#include "soc/soc_caps.h"
#include "hal/assert.h"
#include "hal/efuse_hal.h"
#include "soc/chip_revision.h"
#ifdef __cplusplus
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -51,7 +55,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*
@ -146,6 +150,39 @@ static inline bool spi_flash_encrypt_ll_check(uint32_t address, uint32_t length)
return ((address % length) == 0) ? true : false;
}
/**
* @brief Enable the pseudo-round function during XTS-AES operations
*
* @param mode set the mode for pseudo rounds, zero to disable, with increasing security upto three.
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
static inline void spi_flash_encrypt_ll_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_MODE_PSEUDO, mode);
if (mode) {
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_PSEUDO_BASE, base);
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_PSEUDO_INC, increment);
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_PSEUDO_RNG_CNT, key_rng_cnt);
} else {
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_PSEUDO_BASE, 0);
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_PSEUDO_INC, 0);
REG_SET_FIELD(XTS_AES_PSEUDO_ROUND_CONF_REG(0), XTS_AES_PSEUDO_RNG_CNT, 0);
}
}
/**
* @brief Check if the pseudo round function is supported
* The XTS-AES pseudo round function is only avliable in chip version
* above 1.2 in ESP32-H2
*/
static inline bool spi_flash_encrypt_ll_is_pseudo_rounds_function_supported(void)
{
return ESP_CHIP_REV_ABOVE(efuse_hal_chip_revision(), 102);
}
#ifdef __cplusplus
}
#endif

7
components/hal/esp32p4/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022-2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -24,7 +25,7 @@
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*

7
components/hal/esp32s2/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -24,7 +25,7 @@
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -61,7 +62,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*

7
components/hal/esp32s3/include/hal/spi_flash_encrypted_ll.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -11,6 +11,7 @@
******************************************************************************/
// The Lowlevel layer for SPI Flash Encryption.
#pragma once
#include <stdbool.h>
#include <string.h>
@ -24,7 +25,7 @@
extern "C" {
#endif
/// Choose type of chip you want to encrypt manully
/// Choose type of chip you want to encrypt manually
typedef enum
{
FLASH_ENCRYPTION_MANU = 0, ///!< Manually encrypt the flash chip.
@ -51,7 +52,7 @@ static inline void spi_flash_encrypt_ll_disable(void)
}
/**
* Choose type of chip you want to encrypt manully
* Choose type of chip you want to encrypt manually
*
* @param type The type of chip to be encrypted
*

17
components/hal/include/hal/aes_hal.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -45,6 +45,18 @@ uint8_t aes_hal_setkey(const uint8_t *key, size_t key_bytes, int mode);
*/
void aes_hal_transform_block(const void *input_block, void *output_block);
#ifdef SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
/**
* @brief Enable the pseudo-round function during AES operations
*
* @param enable true to enable, false to disable
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
void aes_hal_enable_pseudo_rounds(bool enable, uint8_t base, uint8_t increment, uint8_t key_rng_cnt);
#endif /* SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION */
#if SOC_AES_SUPPORT_DMA
/**
* @brief Inits the AES mode of operation
@ -102,6 +114,7 @@ void aes_hal_transform_dma_finish(void);
*/
#define aes_hal_interrupt_clear() aes_ll_interrupt_clear()
#if SOC_AES_SUPPORT_GCM
/**
* @brief Calculates the Hash sub-key H0 needed to start AES-GCM
@ -114,7 +127,7 @@ void aes_hal_gcm_calc_hash(uint8_t *gcm_hash);
* @brief Initializes the AES hardware for AES-GCM
*
* @param aad_num_blocks the number of Additional Authenticated Data (AAD) blocks
* @param num_valid_bit the number of effective bits of incomplete blocks in plaintext/cipertext
* @param num_valid_bit the number of effective bits of incomplete blocks in plaintext/ciphertext
*/
void aes_hal_gcm_init(size_t aad_num_blocks, size_t num_valid_bit);

38
components/hal/include/hal/spi_flash_encrypt_hal.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -13,11 +13,35 @@
// The HAL layer for SPI Flash Encryption
#include "hal/spi_flash_encrypted_ll.h"
#include "soc/soc_caps.h"
#ifdef __cplusplus
extern "C" {
#endif
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
/**
* @brief Default pseudo rounds configs of the XTS-AES accelerator
*/
typedef enum {
ESP_XTS_AES_PSEUDO_ROUNDS_DISABLE = 0,
ESP_XTS_AES_PSEUDO_ROUNDS_LOW,
ESP_XTS_AES_PSEUDO_ROUNDS_MEDIUM,
ESP_XTS_AES_PSEUDO_ROUNDS_HIGH,
} esp_xts_aes_psuedo_rounds_state_t;
/* The total number of pseudo-rounds randomly inserted in an XTS-AES operation are controlled by
* configuring the PSEUDO_MODE, PSEUDO_BASE, PSEUDO_INC parameters.
* Users can also set the frequency of random key updates by configuring the PSEUDO_RNG_CNT.
* Here, we would be using some pre-decided values for these parameters corresponding to the security needed.
* For more information regarding these parameters please refer the TRM.
*/
#define XTS_AES_PSEUDO_ROUNDS_BASE 4
#define XTS_AES_PSEUDO_ROUNDS_INC 2
#define XTS_AES_PSEUDO_ROUNDS_RNG_CNT 7
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */
/**
* @brief Enable the flash encryption
*/
@ -57,6 +81,18 @@ void spi_flash_encryption_hal_destroy(void);
*/
bool spi_flash_encryption_hal_check(uint32_t address, uint32_t length);
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
/**
* @brief Enable the pseudo-round function during XTS-AES operations
*
* @param mode set the mode for pseudo rounds, zero to disable, with increasing security upto three.
* @param base basic number of pseudo rounds, zero if disable
* @param increment increment number of pseudo rounds, zero if disable
* @param key_rng_cnt update frequency of the pseudo-key, zero if disable
*/
void spi_flash_encryption_hal_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt);
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */
#ifdef __cplusplus
}
#endif

12
components/hal/spi_flash_encrypt_hal_iram.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -7,6 +7,7 @@
// This part is put in iram.
#include "hal/spi_flash_encrypted_ll.h"
#include "soc/soc_caps.h"
void spi_flash_encryption_hal_enable(void)
{
@ -49,3 +50,12 @@ bool spi_flash_encryption_hal_check(uint32_t address, uint32_t length)
{
return spi_flash_encrypt_ll_check(address, length);
}
#ifdef SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
void spi_flash_encryption_hal_enable_pseudo_rounds(uint8_t mode, uint8_t base, uint8_t increment, uint8_t key_rng_cnt)
{
if (spi_flash_encrypt_ll_is_pseudo_rounds_function_supported()) {
spi_flash_encrypt_ll_enable_pseudo_rounds(mode, base, increment, key_rng_cnt);
}
}
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */

36
components/mbedtls/Kconfig
View File

@ -416,6 +416,42 @@ menu "mbedTLS"
priority level and any level from 1 to 3 can be selected (based on the availability).
Note: Higher value indicates high interrupt priority.
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
bool "Enable AES hardware's pseudo round function"
default n
depends on SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
help
Enables the pseudo round function of the AES peripheral.
Enabling this would impact the performance of the AES operations.
For more info regarding the performance impact, please checkout the pseudo round function section of the
security guide.
choice MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH
prompt "Strength of the pseudo rounds function"
depends on MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
default MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
help
The strength of the pseudo rounds functions can be configured to low, medium and high.
You can configure the strength of the pseudo rounds functions according to your use cases,
for example, increasing the strength would provide higher security but would slow down the
hardware AES encryption/decryption operations.
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
bool "Low"
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
bool "Medium"
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
bool "High"
endchoice
config MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH
int
default 1 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_LOW
default 2 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_MEDIUM
default 3 if MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH_HIGH
config MBEDTLS_HARDWARE_GCM
bool "Enable partially hardware accelerated GCM"
depends on SOC_AES_SUPPORT_GCM && MBEDTLS_HARDWARE_AES

5
components/mbedtls/port/aes/block/esp_aes.c
View File

@ -35,6 +35,7 @@
#include "hal/aes_hal.h"
#include "hal/aes_ll.h"
#include "esp_aes_internal.h"
#include "sdkconfig.h"
#include <freertos/FreeRTOS.h>
@ -105,6 +106,10 @@ static int esp_aes_block(esp_aes_context *ctx, const void *input, void *output)
i2 = input_words[2];
i3 = input_words[3];
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
aes_hal_transform_block(input, output);
/* Physical security check: Verify the AES accelerator actually ran, and wasn't

18
components/mbedtls/port/aes/dma/esp_aes_dma_core.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -595,6 +595,10 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
if (esp_aes_dma_start(input_desc, output_desc) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
ret = -1;
@ -814,6 +818,10 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
/* Start AES operation */
if (esp_aes_dma_start(in_desc_head, output_desc) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
@ -1069,6 +1077,10 @@ int esp_aes_process_dma(esp_aes_context *ctx, const unsigned char *input, unsign
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
if (esp_aes_dma_start(in_desc_head, out_desc_head) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");
ret = -1;
@ -1247,6 +1259,10 @@ int esp_aes_process_dma_gcm(esp_aes_context *ctx, const unsigned char *input, un
aes_hal_interrupt_enable(false);
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
esp_aes_enable_pseudo_rounds(CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
/* Start AES operation */
if (esp_aes_dma_start(in_desc_head, out_desc_head) != ESP_OK) {
ESP_LOGE(TAG, "esp_aes_dma_start failed, no DMA channel available");

29
components/mbedtls/port/aes/esp_aes_common.c
View File

@ -6,7 +6,7 @@
*
* SPDX-License-Identifier: Apache-2.0
*
* SPDX-FileContributor: 2016-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileContributor: 2016-2025 Espressif Systems (Shanghai) CO LTD
*/
/*
* The AES block cipher was designed by Vincent Rijmen and Joan Daemen.
@ -76,3 +76,30 @@ int esp_aes_setkey( esp_aes_context *ctx, const unsigned char *key,
ctx->key_in_hardware = 0;
return 0;
}
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
/* The total number of pseudo-rounds randomly inserted in an AES operation are controlled by
* configuring the AES_PSEUDO_BASE, AES_PSEUDO_INC parameters.
* Users can also set the frequency of random key updates by configuring the AES_PSEUDO_RNG_CNT.
* Here, we would be using some pre-decided values for these parameters corresponding to the security needed.
* For more information regarding these parameters please refer the TRM.
*/
#define AES_PSEUDO_ROUNDS_BASE_LOW 4
#define AES_PSEUDO_ROUNDS_BASE_MEDIUM 7
#define AES_PSEUDO_ROUNDS_BASE_HIGH 15
#define AES_PSEUDO_ROUNDS_INC 3
#define AES_PSEUDO_ROUNDS_RNG_CNT 7
void esp_aes_enable_pseudo_rounds(esp_aes_psuedo_rounds_state_t state)
{
if (state == ESP_AES_PSEUDO_ROUNDS_DISABLE) {
aes_hal_enable_pseudo_rounds(false, 0, 0, 0);
} else if (state == ESP_AES_PSEUDO_ROUNDS_LOW) {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_LOW, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
} else if (state == ESP_AES_PSEUDO_ROUNDS_MEDIUM) {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_MEDIUM, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
} else {
aes_hal_enable_pseudo_rounds(true, AES_PSEUDO_ROUNDS_BASE_HIGH, AES_PSEUDO_ROUNDS_INC, AES_PSEUDO_ROUNDS_RNG_CNT);
}
}
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */

18
components/mbedtls/port/aes/include/esp_aes_internal.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -9,7 +9,9 @@
#include <stdbool.h>
#include "aes/esp_aes.h"
#include "soc/soc_caps.h"
#include "hal/aes_hal.h"
#include "esp_crypto_dma.h"
#include "sdkconfig.h"
#ifdef __cplusplus
extern "C" {
@ -17,6 +19,20 @@ extern "C" {
bool valid_key_length(const esp_aes_context *ctx);
#ifdef CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC
/**
* @brief Default pseudo rounds configs of the AES accelerator
*/
typedef enum {
ESP_AES_PSEUDO_ROUNDS_DISABLE = 0,
ESP_AES_PSEUDO_ROUNDS_LOW,
ESP_AES_PSEUDO_ROUNDS_MEDIUM,
ESP_AES_PSEUDO_ROUNDS_HIGH,
} esp_aes_psuedo_rounds_state_t;
void esp_aes_enable_pseudo_rounds(esp_aes_psuedo_rounds_state_t state);
#endif /* CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC */
#if SOC_AES_SUPPORT_DMA
/**
* @brief Run a AES operation using DMA

8
components/soc/esp32h2/include/soc/Kconfig.soc_caps.in
View File

@ -255,6 +255,10 @@ config SOC_AES_SUPPORT_AES_256
bool
default y
config SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
bool
default y
config SOC_ADC_DIG_CTRL_SUPPORTED
bool
default y
@ -1275,6 +1279,10 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
bool
default y
config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
bool
default y
config SOC_APM_CTRL_FILTER_SUPPORTED
bool
default y

3
components/soc/esp32h2/include/soc/soc_caps.h
View File

@ -104,6 +104,8 @@
#define SOC_AES_SUPPORT_AES_128 (1)
#define SOC_AES_SUPPORT_AES_256 (1)
#define SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION (1) /*!< Only avliable in chip version above 1.2*/
/*-------------------------- ADC CAPS -------------------------------*/
/*!< SAR ADC Module*/
#define SOC_ADC_DIG_CTRL_SUPPORTED 1
@ -507,6 +509,7 @@
#define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX (64)
#define SOC_FLASH_ENCRYPTION_XTS_AES 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_128 1
#define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND 1 /*!< Only avliable in chip version above 1.2*/
/*-------------------------- APM CAPS ----------------------------------------*/
#define SOC_APM_CTRL_FILTER_SUPPORTED 1 /*!< Support for APM control filter */

59
components/soc/esp32h2/register/soc/aes_reg.h
View File

@ -1,5 +1,5 @@
/**
* SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -412,6 +412,63 @@ extern "C" {
#define AES_DMA_EXIT_V 0x00000001U
#define AES_DMA_EXIT_S 0
/** AES_RX_RESET_REG register
* AES-DMA reset rx-fifo register
*/
#define AES_RX_RESET_REG (DR_REG_AES_BASE + 0xc0)
/** AES_RX_RESET : WT; bitpos: [0]; default: 0;
* Set this bit to reset rx_fifo under dma_aes working mode.
*/
#define AES_RX_RESET (BIT(0))
#define AES_RX_RESET_M (AES_RX_RESET_V << AES_RX_RESET_S)
#define AES_RX_RESET_V 0x00000001U
#define AES_RX_RESET_S 0
/** AES_TX_RESET_REG register
* AES-DMA reset tx-fifo register
*/
#define AES_TX_RESET_REG (DR_REG_AES_BASE + 0xc4)
/** AES_TX_RESET : WT; bitpos: [0]; default: 0;
* Set this bit to reset tx_fifo under dma_aes working mode.
*/
#define AES_TX_RESET (BIT(0))
#define AES_TX_RESET_M (AES_TX_RESET_V << AES_TX_RESET_S)
#define AES_TX_RESET_V 0x00000001U
#define AES_TX_RESET_S 0
/** AES_PSEUDO_REG register
* AES PSEUDO function configure register
*/
#define AES_PSEUDO_REG (DR_REG_AES_BASE + 0xd0)
/** AES_PSEUDO_EN : R/W; bitpos: [0]; default: 0;
* This bit decides whether the pseudo round function is enable or not.
*/
#define AES_PSEUDO_EN (BIT(0))
#define AES_PSEUDO_EN_M (AES_PSEUDO_EN_V << AES_PSEUDO_EN_S)
#define AES_PSEUDO_EN_V 0x00000001U
#define AES_PSEUDO_EN_S 0
/** AES_PSEUDO_BASE : R/W; bitpos: [4:1]; default: 2;
* Those bits decides the basic number of pseudo round number.
*/
#define AES_PSEUDO_BASE 0x0000000FU
#define AES_PSEUDO_BASE_M (AES_PSEUDO_BASE_V << AES_PSEUDO_BASE_S)
#define AES_PSEUDO_BASE_V 0x0000000FU
#define AES_PSEUDO_BASE_S 1
/** AES_PSEUDO_INC : R/W; bitpos: [6:5]; default: 2;
* Those bits decides the increment number of pseudo round number
*/
#define AES_PSEUDO_INC 0x00000003U
#define AES_PSEUDO_INC_M (AES_PSEUDO_INC_V << AES_PSEUDO_INC_S)
#define AES_PSEUDO_INC_V 0x00000003U
#define AES_PSEUDO_INC_S 5
/** AES_PSEUDO_RNG_CNT : R/W; bitpos: [9:7]; default: 7;
* Those bits decides the update frequency of the pseudo-key.
*/
#define AES_PSEUDO_RNG_CNT 0x00000007U
#define AES_PSEUDO_RNG_CNT_M (AES_PSEUDO_RNG_CNT_V << AES_PSEUDO_RNG_CNT_S)
#define AES_PSEUDO_RNG_CNT_V 0x00000007U
#define AES_PSEUDO_RNG_CNT_S 7
#ifdef __cplusplus
}
#endif

64
components/soc/esp32h2/register/soc/aes_struct.h
View File

@ -1,5 +1,5 @@
/**
* SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -398,6 +398,61 @@ typedef union {
uint32_t val;
} aes_dma_exit_reg_t;
/** Type of rx_reset register
* AES-DMA reset rx-fifo register
*/
typedef union {
struct {
/** rx_reset : WT; bitpos: [0]; default: 0;
* Set this bit to reset rx_fifo under dma_aes working mode.
*/
uint32_t rx_reset:1;
uint32_t reserved_1:31;
};
uint32_t val;
} aes_rx_reset_reg_t;
/** Type of tx_reset register
* AES-DMA reset tx-fifo register
*/
typedef union {
struct {
/** tx_reset : WT; bitpos: [0]; default: 0;
* Set this bit to reset tx_fifo under dma_aes working mode.
*/
uint32_t tx_reset:1;
uint32_t reserved_1:31;
};
uint32_t val;
} aes_tx_reset_reg_t;
/** Group: Configuration register */
/** Type of pseudo register
* AES PSEUDO function configure register
*/
typedef union {
struct {
/** pseudo_en : R/W; bitpos: [0]; default: 0;
* This bit decides whether the pseudo round function is enable or not.
*/
uint32_t pseudo_en:1;
/** pseudo_base : R/W; bitpos: [4:1]; default: 2;
* Those bits decides the basic number of pseudo round number.
*/
uint32_t pseudo_base:4;
/** pseudo_inc : R/W; bitpos: [6:5]; default: 2;
* Those bits decides the increment number of pseudo round number
*/
uint32_t pseudo_inc:2;
/** pseudo_rng_cnt : R/W; bitpos: [9:7]; default: 7;
* Those bits decides the update frequency of the pseudo-key.
*/
uint32_t pseudo_rng_cnt:3;
uint32_t reserved_10:22;
};
uint32_t val;
} aes_pseudo_reg_t;
/** Group: memory type */
@ -483,12 +538,17 @@ typedef struct {
volatile aes_int_ena_reg_t int_ena;
volatile aes_date_reg_t date;
volatile aes_dma_exit_reg_t dma_exit;
uint32_t reserved_0bc;
volatile aes_rx_reset_reg_t rx_reset;
volatile aes_tx_reset_reg_t tx_reset;
uint32_t reserved_0c8[2];
volatile aes_pseudo_reg_t pseudo;
} aes_dev_t;
extern aes_dev_t AES;
#ifndef __cplusplus
_Static_assert(sizeof(aes_dev_t) == 0xbc, "Invalid size of aes_dev_t structure");
_Static_assert(sizeof(aes_dev_t) == 0xd4, "Invalid size of aes_dev_t structure");
#endif
#ifdef __cplusplus

13
components/soc/esp32h2/register/soc/spi_mem_struct.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -1033,7 +1033,16 @@ typedef volatile struct spi_mem_dev_s {
};
uint32_t val;
} dpa_ctrl;
uint32_t reserved_38c;
union {
struct {
uint32_t reg_mode_pseudo : 2; /*Set the mode of pseudo. 2'b00: crypto without pseudo. 2'b01: state T with pseudo and state D without pseudo. 2'b10: state T with pseudo and state D with few pseudo. 2'b11: crypto with pseudo.*/
uint32_t reg_pseudo_rng_cnt : 3; /*xts aes peseudo function base round that must be performed.*/
uint32_t reg_pseudo_base : 4; /*xts aes peseudo function base round that must be performed.*/
uint32_t reg_pseudo_inc : 2; /*xts aes peseudo function increment round that will be performed randomly between 0 & 2**(inc+1).*/
uint32_t reserved11 : 21; /*reserved*/
};
uint32_t val;
} xts_pseudo_round_conf;
uint32_t reserved_390;
uint32_t reserved_394;
uint32_t reserved_398;

38
components/soc/esp32h2/register/soc/xts_aes_reg.h
View File

@ -1,5 +1,5 @@
/**
* SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -124,6 +124,42 @@ formance of cryption will decrease together with this number increasing).*/
#define XTS_AES_CRYPT_SECURITY_LEVEL_V 0x7
#define XTS_AES_CRYPT_SECURITY_LEVEL_S 0
/** XTS_AES_PSEUDO_ROUND_CONF_REG register
* SPI memory encryption PSEUDO register
*/
#define XTS_AES_PSEUDO_ROUND_CONF_REG(i) (REG_SPI_MEM_BASE(i) + 0x38c)
/** XTS_AES_MODE_PSEUDO : R/W; bitpos: [1:0]; default: 0;
* Set the mode of pseudo. 2'b00: crypto without pseudo. 2'b01: state T with pseudo
* and state D without pseudo. 2'b10: state T with pseudo and state D with few pseudo.
* 2'b11: crypto with pseudo.
*/
#define XTS_AES_MODE_PSEUDO 0x00000003U
#define XTS_AES_MODE_PSEUDO_M (XTS_AES_MODE_PSEUDO_V << XTS_AES_MODE_PSEUDO_S)
#define XTS_AES_MODE_PSEUDO_V 0x00000003U
#define XTS_AES_MODE_PSEUDO_S 0
/** XTS_AES_PSEUDO_RNG_CNT : R/W; bitpos: [4:2]; default: 7;
* xts aes peseudo function base round that must be performed.
*/
#define XTS_AES_PSEUDO_RNG_CNT 0x00000007U
#define XTS_AES_PSEUDO_RNG_CNT_M (XTS_AES_PSEUDO_RNG_CNT_V << XTS_AES_PSEUDO_RNG_CNT_S)
#define XTS_AES_PSEUDO_RNG_CNT_V 0x00000007U
#define XTS_AES_PSEUDO_RNG_CNT_S 2
/** XTS_AES_PSEUDO_BASE : R/W; bitpos: [8:5]; default: 2;
* xts aes peseudo function base round that must be performed.
*/
#define XTS_AES_PSEUDO_BASE 0x0000000FU
#define XTS_AES_PSEUDO_BASE_M (XTS_AES_PSEUDO_BASE_V << XTS_AES_PSEUDO_BASE_S)
#define XTS_AES_PSEUDO_BASE_V 0x0000000FU
#define XTS_AES_PSEUDO_BASE_S 5
/** XTS_AES_PSEUDO_INC : R/W; bitpos: [10:9]; default: 2;
* xts aes peseudo function increment round that will be performed randomly between 0 &
* 2**(inc+1).
*/
#define XTS_AES_PSEUDO_INC 0x00000003U
#define XTS_AES_PSEUDO_INC_M (XTS_AES_PSEUDO_INC_V << XTS_AES_PSEUDO_INC_S)
#define XTS_AES_PSEUDO_INC_V 0x00000003U
#define XTS_AES_PSEUDO_INC_S 9
#ifdef __cplusplus
}
#endif

7
components/spi_flash/spi_flash_chip_generic.c
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2015-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -517,6 +517,11 @@ esp_err_t spi_flash_chip_generic_write_encrypted(esp_flash_t *chip, const void *
const uint8_t *data_bytes = (const uint8_t *)buffer;
esp_flash_encryption->flash_encryption_enable();
#if SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
spi_flash_encryption_hal_enable_pseudo_rounds(ESP_XTS_AES_PSEUDO_ROUNDS_LOW, XTS_AES_PSEUDO_ROUNDS_BASE, XTS_AES_PSEUDO_ROUNDS_INC, XTS_AES_PSEUDO_ROUNDS_RNG_CNT);
#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND */
while (length > 0) {
int block_size;
/* Write the largest block if possible */

42
docs/en/security/flash-encryption.rst
View File

@ -528,12 +528,13 @@ To use this mode, take the following steps:
.. list::
- :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`
:esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (Note that once Release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable flash encryption hardware in ROM Download Mode.)
- :ref:`Enable flash encryption on boot <CONFIG_SECURE_FLASH_ENC_ENABLED>`.
:esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once Release mode is selected, the ``DISABLE_DL_ENCRYPT`` and ``DISABLE_DL_DECRYPT`` eFuse bits will be burned to disable flash encryption hardware in ROM Download Mode.)
:esp32: - :ref:`Select UART ROM download mode (Permanently disabled (recommended)) <CONFIG_SECURE_UART_ROM_DL_MODE>` (Note that this option is only available when :ref:`CONFIG_ESP32_REV_MIN` is set to 3 (ESP32 V3).) The default choice is to keep UART ROM download mode enabled, however it is recommended to permanently disable this mode to reduce the options available to an attacker.
:not esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (Note that once Release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable flash encryption hardware in ROM Download Mode.)
:not esp32: - :ref:`Select Release mode <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`. (Note that once Release mode is selected, the ``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse bit will be burned to disable flash encryption hardware in ROM Download Mode.)
:not esp32: - :ref:`Select UART ROM download mode (Permanently switch to Secure mode (recommended)) <CONFIG_SECURE_UART_ROM_DL_MODE>`. This is the default option, and is recommended. It is also possible to change this configuration setting to permanently disable UART ROM download mode, if this mode is not needed.
- :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - :ref:`Select enable XTS-AES's pseudo rounds function <CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC>`. This option is selected by default and its strength is configured to level low considering the performance impact on the flash encryption/decryption operations. Please refer to :ref:`xts-aes-pseudo-round-func` for more information regarding the performance impact per security level.
- :ref:`Select the appropriate bootloader log verbosity <CONFIG_BOOTLOADER_LOG_LEVEL>`.
- Save the configuration and exit.
Enabling flash encryption will increase the size of bootloader, which might require updating partition table offset. See :ref:`bootloader-size`.
@ -1119,3 +1120,36 @@ The following sections provide some reference information about the operation of
- The flash encryption key is stored in ``BLOCK_KEY0`` eFuse and, by default, is protected from further writes or software readout.
- To see the full flash encryption algorithm implemented in Python, refer to the `_flash_encryption_operation()` function in the ``espsecure.py`` source code.
.. only:: SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
Protection Against Side-Channel Attacks
---------------------------------------
.. _xts-aes-pseudo-round-func:
Pseudo-Round Function
^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} incorporates a pseudo-round function in the XTS-AES peripheral, thus enabling the peripheral to randomly insert pseudo-rounds before and after the original operation rounds and also generate a pseudo key to perform these dummy operations.
These operations do not alter the original result, but they increase the complexity to perform side channel analysis attacks by randomizing the power profile.
:ref:`CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the XTS-AES operations.
.. list-table:: Performance impact on XTS-AES operations per strength level
:widths: 10 10
:header-rows: 1
:align: center
* - **Strength**
- **Performance Impact**
* - Low
- < 0.5 %
* - Medium
- 6.2 %
* - High
- 18 %
You can configure the strength of the pseudo rounds functions according to your use cases. For example, increasing the strength would provide higher security but would slow down the flash encryption/decryption operations.
Considering the above performance impact, ESP-IDF by-default enables low strength configuration for the pseudo-round function for minimal performance impact.

1
docs/en/security/security-features-enablement-workflows.rst
View File

@ -250,6 +250,7 @@ In this case all the eFuses related to Flash Encryption are written with help of
:SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``: Disable JTAG permanently
:not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``: Disable UART bootloader encryption access
:SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``: Disable the MSPI access in download mode
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - ``XTS_DPA_PSEUDO_LEVEL``: Enable the pseudo rounds function of the XTS-AES peripheral. The value to be burned in the eFuse can be 1, 2 or 3, denoting the security level. By default ESP-IDF's bootloader configures the value of this eFuse to 1 while enabling flash encryption release mode during boot-up.
The respective eFuses can be burned by running:

49
docs/en/security/security.rst
View File

@ -114,18 +114,53 @@ Flash Encryption Best Practices
This feature can help to prevent the possibility of remote code injection due to the existing vulnerabilities in the software.
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED or SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
DPA (Differential Power Analysis) Protection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Protection Against Side-Channel Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
{IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the TRM for more details on this topic.
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
:ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
DPA (Differential Power Analysis) Protection
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. note::
{IDF_TARGET_NAME} has support for protection mechanisms against the Differential Power Analysis related security attacks. DPA protection dynamically adjusts the clock frequency of the crypto peripherals, thereby blurring the power consumption trajectory during its operation. Based on the configured DPA security level, the clock variation range changes. Please refer to the *{IDF_TARGET_NAME} Technical Reference Manual* [`PDF <{IDF_TARGET_TRM_EN_URL}>`__]. for more details on this topic.
:ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` can help to select the DPA level. Higher level means better security, but it can also have an associated performance impact. By default, the lowest DPA level is kept enabled but it can be modified based on the security requirement.
.. note::
Please note that hardware :doc:`RNG <../api-reference/system/random>` must be enabled for DPA protection to work correctly.
.. only:: SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
AES Peripheral's Pseudo-Round Function
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} incorporates a pseudo-round function in the AES peripheral, thus enabling the peripheral to randomly insert pseudo-rounds before and after the original operation rounds and also generate a pseudo key to perform these dummy operations.
These operations do not alter the original result, but they increase the complexity to perform side channel analysis attacks by randomizing the power profile.
:ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` can be used to select the strength of the pseudo-round function. Increasing the strength improves the security provided, but would slow down the encrryption/decryption operations.
.. list-table:: Performance impact on AES operations per strength level
:widths: 10 10
:header-rows: 1
:align: center
* - **Strength**
- **Performance Impact** [#]_
* - Low
- 20.9 %
* - Medium
- 47.6 %
* - High
- 72.4 %
.. [#] The above performance numbers have been calculated using the AES performance test of the mbedtls test application :component_file:`test_aes_perf.c <mbedtls/test_apps/main/test_aes_perf.c>`.
Considering the above performance impact, ESP-IDF by-default does not enable the pseudo-round function to avoid any performance-related degrade. But it is recommended to enable the pseudo-round function for better security.
Please note that hardware :doc:`RNG <../api-reference/system/random>` must be enabled for DPA protection to work correctly.
Debug Interfaces
~~~~~~~~~~~~~~~~

44
docs/zh_CN/security/flash-encryption.rst
View File

@ -528,13 +528,14 @@ flash 加密设置
.. list::
- :ref:`启动时使能 flash 加密 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
:esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (注意一旦选择了发布模式,``DISABLE_DL_ENCRYPT`` 和 ``DISABLE_DL_DECRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件)
- :ref:`启动时使能 flash 加密 <CONFIG_SECURE_FLASH_ENC_ENABLED>`
:esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`(注意一旦选择了发布模式,``DISABLE_DL_ENCRYPT`` 和 ``DISABLE_DL_DECRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件)
:esp32: - :ref:`选择 UART ROM 下载模式(推荐永久性禁用)<CONFIG_SECURE_UART_ROM_DL_MODE>` (注意该选项仅在 :ref:`CONFIG_ESP32_REV_MIN` 级别设置为 3 时 (ESP32 V3) 可用。)默认选项是保持启用 UART ROM 下载模式,然而建议永久禁用该模式,以减少攻击者可用的选项。
:not esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>` (注意一旦选择了发布模式,``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件
:not esp32: - :ref:`选择发布模式 <CONFIG_SECURE_FLASH_ENCRYPTION_MODE>`(注意一旦选择了发布模式,``EFUSE_DIS_DOWNLOAD_MANUAL_ENCRYPT`` eFuse 位将被编程为在 ROM 下载模式下禁用 flash 加密硬件)
:not esp32: - :ref:`选择 UART ROM 下载(推荐永久性的切换到安全模式)<CONFIG_SECURE_UART_ROM_DL_MODE>`。这是默认且推荐使用的选项。如果不需要该模式,也可以改变此配置设置永久地禁用 UART ROM 下载模式。
- :ref:`选择适当详细程度的引导加载程序日志 <CONFIG_BOOTLOADER_LOG_LEVEL>`
- 保存配置并退出
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - :ref:`启用 XTS-AES 伪轮次功能 <CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC>`。该选项已默认启用,且配置为最低强度等级,以降低对 flash 加密/解密操作的性能影响。如需了解每个安全等级对性能影响的更多信息,请参考 :ref:`xts-aes-pseudo-round-func`。
- :ref:`选择适当详细程度的引导加载程序日志级别 <CONFIG_BOOTLOADER_LOG_LEVEL>`
- 保存配置并退出。
启用 flash 加密将增大引导加载程序,因而可能需更新分区表偏移量。请参考 :ref:`引导加载程序大小 <bootloader-size>`
@ -1119,3 +1120,36 @@ JTAG 调试
- flash 加密的密钥存储于一个 ``BLOCK_KEY0`` eFuse 中,默认受保护防止进一步写入或软件读取。
- 有关在 Python 中实现的完整 flash 加密算法,可参见 ``espsecure.py`` 源代码中的函数 ``_flash_encryption_operation()``
.. only:: SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
防御侧信道攻击
-------------------
.. _xts-aes-pseudo-round-func:
伪轮次功能
^^^^^^^^^^^^^^
{IDF_TARGET_NAME} 在 XTS-AES 外设中引入了伪轮次功能,使该外设可以在原始操作轮次之前和之后随机插入伪轮次,并生成伪密钥以执行这些虚拟操作。
这些操作不会改变原始结果,但通过随机化功率曲线,增加了实施侧信道分析攻击的复杂性。
可以通过 :ref:`CONFIG_SECURE_FLASH_PSEUDO_ROUND_FUNC_STRENGTH` 选择伪轮次功能的强度。提高强度会增强该功能所提供的安全性,但也会降低 XTS-AES 操作的速度。
.. list-table:: 不同强度的伪轮次对 XTS-AES 操作性能的影响
:widths: 10 10
:header-rows: 1
:align: center
* - **强度**
- **性能影响**
* - 低
- < 0.5 %
* - 中
- 6.2 %
* - 高
- 18 %
可以根据实际用例需求配置伪轮次功能的强度。例如,提高强度以提供更高的安全性,同时减慢 flash 加解密操作的速度。
考虑到上述性能影响ESP-IDF 默认为伪轮次功能启用了低强度配置,以尽量减少性能影响。

1
docs/zh_CN/security/security-features-enablement-workflows.rst
View File

@ -250,6 +250,7 @@
:SOC_EFUSE_DIS_PAD_JTAG: - ``DIS_PAD_JTAG``:永久禁用 JTAG
:not esp32: - ``DIS_DOWNLOAD_MANUAL_ENCRYPT``:禁用 UART 引导加载程序加密访问
:SOC_EFUSE_DIS_DOWNLOAD_MSPI: - ``DIS_DOWNLOAD_MSPI``:禁用下载模式下的 MSPI 访问
:SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND: - ``XTS_DPA_PSEUDO_LEVEL``:启用 XTS-AES 外设的伪轮次功能。要烧录到 eFuse 中的值可以是 1、2 或 3表示安全等级。默认情况下ESP-IDF 的引导加载程序在启动过程中启用 flash 加密的发布模式时,会将该 eFuse 的值配置为 1。
可运行以下命令烧录相应的 eFuse

49
docs/zh_CN/security/security.rst
View File

@ -114,18 +114,53 @@ flash 加密最佳实践
内存保护功能可以防止因软件漏洞导致的远程代码注入。
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED or SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
差分功耗分析 (DPA) 保护
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
防御侧信道攻击
~~~~~~~~~~~~~~~~~
{IDF_TARGET_NAME} 支持针对 DPA 相关安全攻击的保护机制。DPA 保护通过动态调整加密外设的时钟频率,在其运行期间模糊了功耗消耗记录。时钟变化范围会根据配置的 DPA 安全级别改变。更多详情请参阅技术参考手册。
.. only:: SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
通过 :ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` 可以调整 DPA 级别。级别越高安全性越强,但也可能会影响性能。默认启用最低级别 DPA 保护,可以根据安全需求修改。
差分功耗分析 (DPA) 保护
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.. note::
{IDF_TARGET_NAME} 支持针对 DPA 相关安全攻击的保护机制。DPA 保护通过动态调整加密外设的时钟频率,在其运行期间模糊了功耗轨迹。时钟变化范围会根据配置的 DPA 安全级别改变。更多详情请参阅 *{IDF_TARGET_NAME} 技术参考手册* > [`PDF <{IDF_TARGET_TRM_CN_URL}>`__]。
通过 :ref:`CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL` 可以调整 DPA 级别。级别越高安全性越强,但也可能会影响性能。默认启用最低级别 DPA 保护,可以根据安全需求修改。
.. note::
请注意,为确保 DPA 保护机制正常工作,必须启用硬件 :doc:`RNG <../api-reference/system/random>`
.. only:: SOC_AES_SUPPORT_PSEUDO_ROUND_FUNCTION
AES 外设的伪轮次功能
^^^^^^^^^^^^^^^^^^^^^
{IDF_TARGET_NAME} 在 AES 外设中集成了伪轮次功能,使该外设能够在原始操作轮次前后随机插入伪轮次,并生成一个伪密钥来执行这些虚拟操作。
这些操作不会改变原始结果,但能够通过随机化功耗特征,提高实施侧信道分析攻击的复杂性。
可以使用 :ref:`CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC_STRENGTH` 选择伪轮次功能的强度。提高强度会增强该功能所提供的安全性,但会加密/解密操作的速度。
.. list-table:: 伪轮次功能的不同强度对 AES 操作性能的影响
:widths: 10 10
:header-rows: 1
:align: center
* - **强度**
- **性能影响** [#]_
* - 低
- 20.9 %
* - 中
- 47.6 %
* - 高
- 72.4 %
.. [#] 上述性能数据通过 mbedtls 测试应用中的 AES 性能测试 :component_file:`test_aes_perf.c <mbedtls/test_apps/main/test_aes_perf.c>` 计算得出。
考虑到上述性能影响ESP-IDF 默认关闭伪轮次功能,避免对相关性能造成影响。但如果需要更高的安全性,仍然建议启用。
请注意,为确保 DPA 保护正常工作,必须启用硬件 :doc:`RNG <../api-reference/system/random>`
调试接口
~~~~~~~~~~~~~~~~