feat(ecc): enable ECC constant time mode for ESP32-H2 ECO5

components/esp_hw_support/port/esp32h2/Kconfig.hw_support

@@ -15,6 +15,8 @@ choice ESP32H2_REV_MIN
         bool "Rev v0.1 (ECO1)"
     config ESP32H2_REV_MIN_2
         bool "Rev v0.2 (ECO2)"
+    config ESP32H2_REV_MIN_102
+        bool "Rev v1.2 (ECO5)"
 endchoice
 
 config ESP32H2_REV_MIN_FULL
@@ -22,6 +24,7 @@ config ESP32H2_REV_MIN_FULL
     default 0 if ESP32H2_REV_MIN_0
     default 1 if ESP32H2_REV_MIN_1
     default 2 if ESP32H2_REV_MIN_2
+    default 102 if ESP32H2_REV_MIN_102
 
 config ESP_REV_MIN_FULL
     int
@@ -31,7 +34,7 @@ config ESP_REV_MIN_FULL
     # MAX Revision
     #
 
-    comment "Maximum Supported ESP32-H2 Revision (Rev v0.99)"
+    comment "Maximum Supported ESP32-H2 Revision (Rev v1.99)"
     # Maximum revision that IDF supports.
     # It can not be changed by user.
     # Only Espressif can change it when a new version will be supported in IDF.

components/esp_security/Kconfig

@@ -38,8 +38,9 @@ menu "ESP Security Specific"
     endmenu
 
     config ESP_CRYPTO_FORCE_ECC_CONSTANT_TIME_POINT_MUL
-        bool "Forcfully enable ECC constant time point multiplication operations"
+        bool "Forcefully enable ECC constant time point multiplication operations"
         depends on SOC_ECC_CONSTANT_TIME_POINT_MUL
+        depends on !(IDF_TARGET_ESP32H2 && ESP32H2_REV_MIN_FULL < 102)
         default N
         help
             If enabled, the app startup code will burn the ECC_FORCE_CONST_TIME efuse bit to force the

components/esp_security/src/init.c

@@ -40,7 +40,7 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
     esp_crypto_dpa_protection_startup();
 #endif
 
-#ifdef CONFIG_ESP_CRYPTO_FORCE_ECC_CONSTANT_TIME_POINT_MUL
+#if CONFIG_ESP_CRYPTO_FORCE_ECC_CONSTANT_TIME_POINT_MUL
     if (!esp_efuse_read_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME)) {
         ESP_EARLY_LOGD(TAG, "Forcefully enabling ECC constant time operations");
         esp_err_t err = esp_efuse_write_field_bit(ESP_EFUSE_ECC_FORCE_CONST_TIME);

components/hal/Kconfig

@@ -105,8 +105,8 @@ menu "Hardware Abstraction Layer (HAL) and Low Level (LL)"
 
     config HAL_ECDSA_GEN_SIG_CM
         bool "Enable countermeasure for ECDSA signature generation"
+        depends on IDF_TARGET_ESP32H2 && ESP32H2_REV_MIN_FULL < 102
         default n
-        # ToDo - IDF-11051
         help
             Enable this option to apply the countermeasure for ECDSA signature operation
             This countermeasure masks the real ECDSA sign operation

components/hal/ecc_hal.c

@@ -178,9 +178,7 @@ int ecc_hal_read_mod_op_result(uint8_t *r, uint16_t len)
 
 #endif /* SOC_ECC_EXTENDED_MODES_SUPPORTED */
 
-#ifdef SOC_ECC_CONSTANT_TIME_POINT_MUL
 void ecc_hal_enable_constant_time_point_mul(bool enable)
 {
     ecc_ll_enable_constant_time_point_mul(enable);
 }
-#endif /* SOC_ECC_CONSTANT_TIME_POINT_MUL */

components/hal/esp32c2/include/hal/ecc_ll.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -171,6 +171,12 @@ static inline void ecc_ll_read_param(ecc_ll_param_t param, uint8_t *buf, uint16_
     memcpy(buf, (void *)reg, len);
 }
 
+static inline void ecc_ll_enable_constant_time_point_mul(bool enable)
+{
+    // Not supported for ESP32-C2
+    (void) enable; //unused
+}
+
 #ifdef __cplusplus
 }
 #endif

components/hal/esp32c6/include/hal/ecc_ll.h

@@ -173,6 +173,12 @@ static inline void ecc_ll_read_param(ecc_ll_param_t param, uint8_t *buf, uint16_
     memcpy(buf, (void *)reg, len);
 }
 
+static inline void ecc_ll_enable_constant_time_point_mul(bool enable)
+{
+    // Not supported for ESP32-C6
+    (void) enable; //unused
+}
+
 #ifdef __cplusplus
 }
 #endif

components/hal/esp32h2/include/hal/ecc_ll.h

@@ -12,6 +12,8 @@
 #include "soc/ecc_mult_reg.h"
 #include "soc/pcr_struct.h"
 #include "soc/pcr_reg.h"
+#include "soc/chip_revision.h"
+#include "hal/efuse_ll.h"
 
 #ifdef __cplusplus
 extern "C" {
@@ -211,6 +213,18 @@ static inline ecc_mod_base_t ecc_ll_get_mod_base(void)
     return (ecc_mod_base_t)(REG_GET_FIELD(ECC_MULT_CONF_REG, ECC_MULT_MOD_BASE));
 }
 
+static inline void ecc_ll_enable_constant_time_point_mul(bool enable)
+{
+    // ECC constant time point multiplication is supported only on rev 1.2 and above
+    if ((efuse_ll_get_chip_wafer_version_major() >= 1) && (efuse_ll_get_chip_wafer_version_minor() >= 2)) {
+        if (enable) {
+            REG_SET_BIT(ECC_MULT_CONF_REG, ECC_MULT_SECURITY_MODE);
+        } else {
+            REG_CLR_BIT(ECC_MULT_CONF_REG, ECC_MULT_SECURITY_MODE);
+        }
+    }
+}
+
 static inline void ecc_ll_read_param(ecc_ll_param_t param, uint8_t *buf, uint16_t len)
 {
     uint32_t reg;

components/hal/esp32p4/include/hal/ecc_ll.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -240,6 +240,12 @@ static inline void ecc_ll_read_param(ecc_ll_param_t param, uint8_t *buf, uint16_
     memcpy(buf, (void *)reg, len);
 }
 
+static inline void ecc_ll_enable_constant_time_point_mul(bool enable)
+{
+    // Not supported for ESP32-P4
+    (void) enable; //unused
+}
+
 #ifdef __cplusplus
 }
 #endif

components/hal/include/hal/ecc_hal.h

@@ -195,14 +195,12 @@ int ecc_hal_read_mod_op_result(uint8_t *r, uint16_t len);
 
 #endif /* SOC_ECC_EXTENDED_MODES_SUPPORTED */
 
-#ifdef SOC_ECC_CONSTANT_TIME_POINT_MUL
 /**
  * @brief Enable constant time multiplication operations
  *
  * @param true: enable; false: disable
  */
 void ecc_hal_enable_constant_time_point_mul(bool enable);
-#endif /* SOC_ECC_CONSTANT_TIME_POINT_MUL */
 
 #ifdef __cplusplus
 }

components/hal/test_apps/crypto/main/ecc/test_ecc.c

@@ -87,9 +87,7 @@ static void ecc_point_mul(const uint8_t *k_le, const uint8_t *x_le, const uint8_
     } else {
         ecc_hal_set_mode(ECC_MODE_POINT_MUL);
     }
-#ifdef SOC_ECC_CONSTANT_TIME_POINT_MUL
     ecc_hal_enable_constant_time_point_mul(true);
-#endif /* SOC_ECC_CONSTANT_TIME_POINT_MUL */
     ecc_hal_start_calc();
 
     while (!ecc_hal_is_calc_finished()) {
@@ -161,7 +159,7 @@ TEST(ecc, ecc_point_multiplication_on_SECP192R1_and_SECP256R1)
     test_ecc_point_mul_inner(false);
 }
 
-#if SOC_ECC_CONSTANT_TIME_POINT_MUL
+#if SOC_ECC_CONSTANT_TIME_POINT_MUL || (CONFIG_IDF_TARGET_ESP32H2 && CONFIG_ESP32H2_REV_MIN_FULL >= 102)
 
 #define CONST_TIME_DEVIATION_PERCENT 0.002
 
@@ -561,7 +559,7 @@ TEST_GROUP_RUNNER(ecc)
 {
 #if SOC_ECC_SUPPORT_POINT_MULT
     RUN_TEST_CASE(ecc, ecc_point_multiplication_on_SECP192R1_and_SECP256R1);
-#if SOC_ECC_CONSTANT_TIME_POINT_MUL
+#if SOC_ECC_CONSTANT_TIME_POINT_MUL || (CONFIG_IDF_TARGET_ESP32H2 && CONFIG_ESP32H2_REV_MIN_FULL >= 102)
     RUN_TEST_CASE(ecc, ecc_point_multiplication_const_time_check_on_SECP192R1_and_SECP256R1);
 #endif
 #endif

components/mbedtls/Kconfig

@@ -586,11 +586,10 @@ menu "mbedTLS"
 
     menu "Enable Software Countermeasure for ECDSA signing using on-chip ECDSA peripheral"
         depends on MBEDTLS_HARDWARE_ECDSA_SIGN
-        depends on IDF_TARGET_ESP32H2
+        depends on IDF_TARGET_ESP32H2 && ESP32H2_REV_MIN_FULL < 102
         config MBEDTLS_HARDWARE_ECDSA_SIGN_MASKING_CM
             bool "Mask original ECDSA sign operation under dummy sign operations"
             select HAL_ECDSA_GEN_SIG_CM
-            # ToDo: IDF-11051
             default y
             help
                 The ECDSA peripheral before ECO5 does not offer constant time ECDSA sign operation.

components/mbedtls/port/ecc/esp_ecc.c

@@ -45,14 +45,13 @@ int esp_ecc_point_multiply(const ecc_point_t *point, const uint8_t *scalar, ecc_
 
     ecc_hal_write_mul_param(scalar, point->x, point->y, len);
     ecc_hal_set_mode(work_mode);
-#ifdef SOC_ECC_CONSTANT_TIME_POINT_MUL
+    /*
-    /*  Enable constant-time point multiplication operations for the ECC hardware accelerator
+     * Enable constant-time point multiplication operations for the ECC hardware accelerator,
-        This protects the ECC multiplication operation from timing attacks.
+     * if supported for the given target. This protects the ECC multiplication operation from
-        This increases the time taken (by almost 50%) for some point multiplication
+     * timing attacks. This increases the time taken (by almost 50%) for some point
-        operations performed by the ECC hardware accelerator.
+     * multiplication operations performed by the ECC hardware accelerator.
      */
     ecc_hal_enable_constant_time_point_mul(true);
-#endif /* SOC_ECC_CONSTANT_TIME_POINT_MUL */
     ecc_hal_start_calc();
 
     memset(result, 0, sizeof(ecc_point_t));

components/soc/esp32h2/include/soc/Kconfig.soc_caps.in

@@ -1291,6 +1291,10 @@ config SOC_CRYPTO_DPA_PROTECTION_SUPPORTED
     bool
     default y
 
+config SOC_ECC_CONSTANT_TIME_POINT_MUL
+    bool
+    default y
+
 config SOC_ECDSA_USES_MPI
     bool
     default y

components/soc/esp32h2/include/soc/soc_caps.h

@@ -517,6 +517,9 @@
 /*------------------------ Anti DPA (Security) CAPS --------------------------*/
 #define SOC_CRYPTO_DPA_PROTECTION_SUPPORTED     1
 
+/*--------------------------- ECC CAPS ---------------------------------------*/
+#define SOC_ECC_CONSTANT_TIME_POINT_MUL           1
+
 /*------------------------- ECDSA CAPS -------------------------*/
 #define SOC_ECDSA_USES_MPI                  (1)