
Commit 255859e

committed
feat(esp_encrypted_img): add support for PSA crypto interface
1 parent 24b2828 commit 255859e


3 files changed

+753
-140
lines changed

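--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,101 @@
+/*
+* SPDX-FileCopyrightText: 2026 Espressif Systems (Shanghai) CO LTD
+*
+* SPDX-License-Identifier: Apache-2.0
+*/
+#pragma once
+
+#include <stddef.h>
+#include <stdbool.h>
+#include "esp_err.h"
+#include "esp_encrypted_img.h"
+#include "mbedtls/version.h"
+#include "sdkconfig.h"
+
+#if defined(CONFIG_MBEDTLS_VER_4_X_SUPPORT)
+#include "psa/crypto.h"
+#else
+#include "mbedtls/gcm.h"
+#endif
+
+#if defined(CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES)
+#include "esp_hmac.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define GCM_KEY_SIZE 32
+#define CACHE_BUF_SIZE 16
+
+typedef enum {
+ESP_PRE_ENC_IMG_READ_MAGIC,
+ESP_PRE_ENC_IMG_READ_GCM,
+ESP_PRE_ENC_IMG_READ_IV,
+ESP_PRE_ENC_IMG_READ_BINSIZE,
+ESP_PRE_ENC_IMG_READ_AUTH,
+ESP_PRE_ENC_IMG_READ_EXTRA_HEADER,
+ESP_PRE_ENC_DATA_DECODE_STATE,
+} esp_encrypted_img_state;
+
+/**
+* @brief Internal handle structure for encrypted image decryption
+*/
+typedef struct esp_encrypted_img_handle {
+#if defined(CONFIG_PRE_ENCRYPTED_OTA_USE_RSA)
+#if !defined(CONFIG_PRE_ENCRYPTED_RSA_USE_DS)
+char *rsa_pem;
+size_t rsa_len;
+#endif
+#elif defined(CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES)
+hmac_key_id_t hmac_key;
+#endif /* CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES */
+uint32_t binary_file_len;
+uint32_t binary_file_read;
+char gcm_key[GCM_KEY_SIZE];
+char iv[IV_SIZE];
+char auth_tag[AUTH_SIZE];
+esp_encrypted_img_state state;
+#if defined(CONFIG_MBEDTLS_VER_4_X_SUPPORT)
+psa_aead_operation_t psa_aead_op;
+psa_key_id_t psa_gcm_key_id;
+bool psa_initialized;
+#else
+mbedtls_gcm_context gcm_ctx;
+#endif
+size_t cache_buf_len;
+char *cache_buf;
+} esp_encrypted_img_t;
+
+
+typedef struct {
+char magic[MAGIC_SIZE];
+#if defined(CONFIG_PRE_ENCRYPTED_OTA_USE_RSA)
+char enc_gcm[ENC_GCM_KEY_SIZE];
+#elif defined(CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES)
+unsigned char server_ecc_pub_key[SERVER_ECC_KEY_LEN];
+unsigned char kdf_salt[KDF_SALT_SIZE];
+unsigned char reserved[RESERVED_SIZE];
+#endif /* CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES */
+char iv[IV_SIZE];
+char bin_size[BIN_SIZE_DATA];
+char auth[AUTH_SIZE];
+char extra_header[RESERVED_HEADER];
+} pre_enc_bin_header;
+#define HEADER_DATA_SIZE sizeof(pre_enc_bin_header)
+
+// Magic Byte is created using command: echo -n "esp_encrypted_img" | sha256sum
+static uint32_t esp_enc_img_magic = 0x0788b6cf;
+
+#if defined(CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES)
+#define HMAC_OUTPUT_SIZE 32
+#define PBKDF2_ITERATIONS 2048
+#define HKDF_INFO_SIZE 16
+#define DER_ASN1_OVERHEAD 30
+#define SECP256R1_COORD_SIZE 32
+#endif /* CONFIG_PRE_ENCRYPTED_OTA_USE_ECIES */
+
+#ifdef __cplusplus
+}
+#endif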
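Review bot: In the `CONFIG_MBEDTLS_VER_4_X_SUPPORT` branch of `esp_encrypted_img_t`, the handle keeps the raw AES-GCM key in `gcm_key[GCM_KEY_SIZE]` next to `psa_gcm_key_id`, and nothing in this header says who owns or clears either copy. The implementation file is not shown here, so this may already be handled, but I would document the lifecycle on the struct, for example `/* gcm_key: raw key, zeroized once imported with psa_import_key(); psa_gcm_key_id: released with psa_destroy_key() and psa_aead_op aborted on every end/abort path; psa_initialized guards both */`. Separately, `static uint32_t esp_enc_img_magic` now lives in a header, so every file that includes it gets its own writable copy (and an unused-variable warning where it is not referenced); `static const uint32_t esp_enc_img_magic = 0x0788b6cf;` keeps the magic read-only. The header also uses `uint32_t` without including `<stdint.h>` itself, relying on a transitive include; adding `#include <stdint.h>` would make it self-contained.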
