feat(efuse): ESP32P4 adds ecdsa_key support

2025-10-15 21:07:25 +08:00 · 2023-08-23 17:57:26 +08:00
parent ffaf6db9db
commit 3654267765
3 changed files with 27 additions and 8 deletions
--- a/espefuse/efuse/esp32p4/fields.py
+++ b/espefuse/efuse/esp32p4/fields.py
@@ -381,7 +381,7 @@ class EfuseMacField(EfuseField):
 class EfuseKeyPurposeField(EfuseField):
    KEY_PURPOSES = [
        ("USER",                         0,  None,       None,      "no_need_rd_protect"),   # User purposes (software-only use)
-        ("RESERVED",                     1,  None,       None,      "no_need_rd_protect"),   # Reserved
+        ("ECDSA_KEY",                    1,  None,       "Reverse", "need_rd_protect"),      # ECDSA key
        ("XTS_AES_256_KEY_1",            2,  None,       "Reverse", "need_rd_protect"),      # XTS_AES_256_KEY_1 (flash/PSRAM encryption)
        ("XTS_AES_256_KEY_2",            3,  None,       "Reverse", "need_rd_protect"),      # XTS_AES_256_KEY_2 (flash/PSRAM encryption)
        ("XTS_AES_128_KEY",              4,  None,       "Reverse", "need_rd_protect"),      # XTS_AES_128_KEY (flash/PSRAM encryption)
@@ -428,6 +428,11 @@ class EfuseKeyPurposeField(EfuseField):
                return p[0]
        return "FORBIDDEN_STATE"

+    def get_name(self, raw_val):
+        for key in self.KEY_PURPOSES:
+            if key[1] == raw_val:
+                return key[0]
+
    def save(self, new_value):
        raw_val = int(self.check_format(str(new_value)))
        return super(EfuseKeyPurposeField, self).save(raw_val)
--- a/espefuse/efuse/esp32p4/operations.py
+++ b/espefuse/efuse/esp32p4/operations.py
@@ -65,7 +65,7 @@ def add_commands(subparsers, efuses):
    )
    burn_key.add_argument(
        "keyfile",
-        help="File containing 256 bits of binary key data",
+        help="File containing 256 bits of binary key data. For the ECDSA_KEY purpose use PEM file.",
        action="append",
        type=argparse.FileType("rb"),
    )
@@ -86,7 +86,7 @@ def add_commands(subparsers, efuses):
        )
        burn_key.add_argument(
            "keyfile",
-            help="File containing 256 bits of binary key data",
+            help="File containing 256 bits of binary key data. For the ECDSA_KEY purpose use PEM file.",
            nargs="?",
            action="append",
            metavar="KEYFILE",
@@ -232,6 +232,13 @@ def burn_key(esp, efuses, args, digest=None):
        block = efuses.blocks[block_num]

        if digest is None:
+            if keypurpose == "ECDSA_KEY":
+                sk = espsecure.load_ecdsa_signing_key(datafile)
+                data = sk.to_string()
+                if len(data) == 24:
+                    # the private key is 24 bytes long for NIST192p, add 8 bytes of padding
+                    data = b"\x00" * 8 + data
+            else:
                data = datafile.read()
        else:
            data = datafile
@@ -239,7 +246,7 @@ def burn_key(esp, efuses, args, digest=None):
        print(" - %s" % (efuse.name), end=" ")
        revers_msg = None
        if efuses[block.key_purpose_name].need_reverse(keypurpose):
-            revers_msg = "\tReversing byte order for AES-XTS hardware peripheral"
+            revers_msg = f"\tReversing byte order for {keypurpose} hardware peripheral"
            data = data[::-1]
        print(
            "-> [{}]".format(
--- a/test/test_espefuse.py
+++ b/test/test_espefuse.py
@@ -280,9 +280,10 @@ class TestReadProtectionCommands(EfuseTestCase):
                ret_code=2,
            )
        else:
+            key1_purpose = "USER" if arg_chip in ["esp32p4"] else "RESERVED"
            self.espefuse_py(
                f"burn_key BLOCK_KEY0 {IMAGES_DIR}/256bit USER \
-                BLOCK_KEY1 {IMAGES_DIR}/256bit RESERVED \
+                BLOCK_KEY1 {IMAGES_DIR}/256bit {key1_purpose} \
                BLOCK_KEY2 {IMAGES_DIR}/256bit SECURE_BOOT_DIGEST0 \
                BLOCK_KEY3 {IMAGES_DIR}/256bit SECURE_BOOT_DIGEST1 \
                BLOCK_KEY4 {IMAGES_DIR}/256bit SECURE_BOOT_DIGEST2 \
@@ -1054,7 +1055,10 @@ class TestBurnKeyCommands(EfuseTestCase):
            "acadaeaf a8a9aaab a4a5a6a7 22a1a2a3"
        ) in output

-    @pytest.mark.skipif(arg_chip != "esp32h2", reason="Only for ESP32-H2 chips")
+    @pytest.mark.skipif(
+        arg_chip not in ["esp32h2", "esp32p4"],
+        reason="These chips support ECDSA_KEY",
+    )
    def test_burn_key_ecdsa_key(self):
        self.espefuse_py(
            f"burn_key \
@@ -1077,7 +1081,10 @@ class TestBurnKeyCommands(EfuseTestCase):
            "00000000 00000000 00000000 00000000"
        ) in output

-    @pytest.mark.skipif(arg_chip != "esp32h2", reason="Only for ESP32-H2 chips")
+    @pytest.mark.skipif(
+        arg_chip not in ["esp32h2", "esp32p4"],
+        reason="These chips support ECDSA_KEY",
+    )
    def test_burn_key_ecdsa_key_check_byte_order(self):
        self.espefuse_py(
            f"burn_key \