Merge branch 'fix/disable_efuse_xts_aes_256_esp32c5_v5.5' into 'release/v5.5'

Disable XTS-AES-256 using efuse key for ESP32-C5 (v5.5)

See merge request espressif/esp-idf!41364

Author: Jiang Jiang Jian

components/efuse/esp32c5/include/esp_efuse_chip.h

@@ -64,8 +64,6 @@ typedef enum {
     ESP_EFUSE_KEY_PURPOSE_USER = 0,                         /**< User purposes (software-only use) */
     ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY = 1,                    /**< ECDSA private key (P256) (Expected in little endian order)*/
     ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY_P256 = ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY, /**< ECDSA private key (P256) (Expected in little endian order)*/
-    ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_1 = 2,            /**< XTS_AES_256_KEY_1 (flash/PSRAM encryption) */
-    ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_KEY_2 = 3,            /**< XTS_AES_256_KEY_2 (flash/PSRAM encryption) */
     ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_KEY = 4,              /**< XTS_AES_128_KEY (flash/PSRAM encryption) */
     ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_ALL = 5,                /**< HMAC Downstream mode */
     ESP_EFUSE_KEY_PURPOSE_HMAC_DOWN_JTAG = 6,               /**< JTAG soft enable key (uses HMAC Downstream mode) */
@@ -75,8 +73,6 @@ typedef enum {
     ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST1 = 10,         /**< SECURE_BOOT_DIGEST1 (Secure Boot key digest) */
     ESP_EFUSE_KEY_PURPOSE_SECURE_BOOT_DIGEST2 = 11,         /**< SECURE_BOOT_DIGEST2 (Secure Boot key digest) */
     ESP_EFUSE_KEY_PURPOSE_KM_INIT_KEY = 12,                 /**< KM_INIT_KEY (Key Manager initialization key) */
-    ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_PSRAM_KEY_1 = 13,     /**< XTS_AES_256_PSRAM_KEY_1 (PSRAM encryption) */
-    ESP_EFUSE_KEY_PURPOSE_XTS_AES_256_PSRAM_KEY_2 = 14,     /**< XTS_AES_256_PSRAM_KEY_2 (PSRAM encryption) */
     ESP_EFUSE_KEY_PURPOSE_XTS_AES_128_PSRAM_KEY = 15,       /**< XTS_AES_128_PSRAM_KEY (PSRAM encryption) */
     ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY_P192 = 16,              /**< ECDSA private key (P192) */
     ESP_EFUSE_KEY_PURPOSE_ECDSA_KEY_P384_L = 17,            /**< ECDSA private key (P384) */

components/hal/test_apps/crypto/main/key_manager/test_key_manager.c

@@ -84,7 +84,7 @@ static void test_xts_aes_key_ecdh0_mode(test_data_ecdh0_mode_t *test_data)
     ESP_LOG_BUFFER_HEXDUMP("Encrypted data", read_data, data_size, ESP_LOG_DEBUG);
 }
 
-#if SOC_FLASH_ENCRYPTION_XTS_AES_128
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
 static void key_mgr_test_xts_aes_128_aes_mode(void)
 {
     static esp_key_mgr_aes_key_config_t key_config;
@@ -117,9 +117,9 @@ static void key_mgr_test_xts_aes_128_ecdh0_mode(void)
     test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
     TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
 
-#if SOC_FLASH_ENCRYPTION_XTS_AES_256
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
 static void key_mgr_test_xts_aes_256_aes_mode(void)
 {
     static esp_key_mgr_aes_key_config_t key_config;
@@ -155,7 +155,7 @@ static void key_mgr_test_xts_aes_256_ecdh0_mode(void)
     test_xts_aes_key_ecdh0_mode(&test_data_ecdh0);
     TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
 
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
 static void test_xts_aes_key_random_mode(void)
@@ -173,7 +173,7 @@ static void test_xts_aes_key_random_mode(void)
     }
 }
 
-#if SOC_FLASH_ENCRYPTION_XTS_AES_128
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
 static void key_mgr_test_xts_aes_128_random_mode(void)
 {
     static esp_key_mgr_random_key_config_t key_config;
@@ -185,9 +185,9 @@ static void key_mgr_test_xts_aes_128_random_mode(void)
     test_xts_aes_key_random_mode();
     TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
 
-#if SOC_FLASH_ENCRYPTION_XTS_AES_256
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
 static void key_mgr_test_xts_aes_256_random_mode(void)
 {
     static esp_key_mgr_random_key_config_t key_config;
@@ -199,7 +199,7 @@ static void key_mgr_test_xts_aes_256_random_mode(void)
     test_xts_aes_key_random_mode();
     TEST_ASSERT_EQUAL(ESP_OK, esp_key_mgr_deactivate_key(key_recovery_info.key_type));
 }
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 
@@ -436,7 +436,7 @@ TEST_TEAR_DOWN(key_manager)
 }
 
 #if SOC_KEY_MANAGER_FE_KEY_DEPLOY
-#if SOC_FLASH_ENCRYPTION_XTS_AES_128
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
 TEST(key_manager, xts_aes_128_key_aes_deployment)
 {
     key_mgr_test_xts_aes_128_aes_mode();
@@ -453,9 +453,9 @@ TEST(key_manager, xts_key_128_random_deployment)
     key_mgr_test_xts_aes_128_random_mode();
 }
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
 
-#if SOC_FLASH_ENCRYPTION_XTS_AES_256
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
 TEST(key_manager, xts_aes_256_key_aes_deployment)
 {
     key_mgr_test_xts_aes_256_aes_mode();
@@ -472,7 +472,7 @@ TEST(key_manager, xts_key_256_random_deployment)
     key_mgr_test_xts_aes_256_random_mode();
 }
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY
@@ -519,22 +519,22 @@ TEST(key_manager, ds_key_aes_deployment)
 TEST_GROUP_RUNNER(key_manager)
 {
 #if SOC_KEY_MANAGER_FE_KEY_DEPLOY
-#if SOC_FLASH_ENCRYPTION_XTS_AES_128
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
     RUN_TEST_CASE(key_manager, xts_aes_128_key_aes_deployment);
     RUN_TEST_CASE(key_manager, xts_key_128_ecdh0_deployment);
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
     // This tests expects Flash encryption to be enabled as the test compares the decrypted flash data with the plaintext data
     RUN_TEST_CASE(key_manager, xts_key_128_random_deployment);
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_128 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128 */
 
-#if SOC_FLASH_ENCRYPTION_XTS_AES_256
+#if SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
     RUN_TEST_CASE(key_manager, xts_aes_256_key_aes_deployment);
     RUN_TEST_CASE(key_manager, xts_key_256_ecdh0_deployment);
 #if CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS
     RUN_TEST_CASE(key_manager, xts_key_256_random_deployment);
 #endif /* CONFIG_CRYPTO_TEST_APP_ENABLE_FPGA_TESTS */
-#endif /* SOC_FLASH_ENCRYPTION_XTS_AES_256 */
+#endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256 */
 #endif /* SOC_KEY_MANAGER_FE_KEY_DEPLOY */
 
 #if SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY

components/soc/esp32c5/include/soc/Kconfig.soc_caps.in

@@ -1427,6 +1427,14 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
     bool
     default y
 
+config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
+    bool
+    default y
+
+config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
+    bool
+    default y
+
 config SOC_KEY_MANAGER_HMAC_KEY_DEPLOY
     bool
     default y
@@ -1467,10 +1475,6 @@ config SOC_FLASH_ENCRYPTION_XTS_AES_128
     bool
     default y
 
-config SOC_FLASH_ENCRYPTION_XTS_AES_256
-    bool
-    default y
-
 config SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND
     bool
     default y
@@ -1479,10 +1483,6 @@ config SOC_PSRAM_ENCRYPTION_XTS_AES_128
     bool
     default y
 
-config SOC_PSRAM_ENCRYPTION_XTS_AES_256
-    bool
-    default y
-
 config SOC_RECOVERY_BOOTLOADER_SUPPORTED
     bool
     default y

components/soc/esp32c5/include/soc/soc_caps.h

@@ -548,6 +548,8 @@
 #define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT  1 /*!< Key manager supports key deployment */
 #define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY        1 /*!< Key manager responsible to deploy ECDSA key */
 #define SOC_KEY_MANAGER_FE_KEY_DEPLOY           1 /*!< Key manager responsible to deploy Flash Encryption key */
+#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128   1 /*!< Key manager responsible to deploy the XTS-AES-128 key */
+#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256   1 /*!< Key manager responsible to deploy the XTS-AES-256 key */
 #define SOC_KEY_MANAGER_HMAC_KEY_DEPLOY         1 /*!< Key manager responsible to deploy HMAC key */
 #define SOC_KEY_MANAGER_DS_KEY_DEPLOY           1 /*!< Key manager responsible to deploy DS key */
 
@@ -562,12 +564,10 @@
 #define SOC_FLASH_ENCRYPTED_XTS_AES_BLOCK_MAX   (64)
 #define SOC_FLASH_ENCRYPTION_XTS_AES        1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_128    1
-#define SOC_FLASH_ENCRYPTION_XTS_AES_256    1
 #define SOC_FLASH_ENCRYPTION_XTS_AES_SUPPORT_PSEUDO_ROUND  1
 
 /*-------------------------- PSRAM Encryption CAPS----------------------------*/
 #define SOC_PSRAM_ENCRYPTION_XTS_AES_128    (1)
-#define SOC_PSRAM_ENCRYPTION_XTS_AES_256    (1)
 
 /*------------------------Bootloader CAPS---------------------------------*/
 /* Support Recovery Bootloader */

components/soc/esp32p4/include/soc/Kconfig.soc_caps.in

@@ -1847,6 +1847,14 @@ config SOC_KEY_MANAGER_FE_KEY_DEPLOY
     bool
     default y
 
+config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128
+    bool
+    default y
+
+config SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256
+    bool
+    default y
+
 config SOC_SECURE_BOOT_V2_RSA
     bool
     default y

components/soc/esp32p4/include/soc/soc_caps.h

@@ -675,6 +675,8 @@
 #define SOC_KEY_MANAGER_SUPPORT_KEY_DEPLOYMENT  1 /*!< Key manager supports key deployment */
 #define SOC_KEY_MANAGER_ECDSA_KEY_DEPLOY        1 /*!< Key manager responsible to deploy ECDSA key */
 #define SOC_KEY_MANAGER_FE_KEY_DEPLOY           1 /*!< Key manager responsible to deploy Flash Encryption key */
+#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_128   1 /*!< Key manager responsible to deploy the XTS-AES-128 key */
+#define SOC_KEY_MANAGER_FE_KEY_DEPLOY_XTS_AES_256   1 /*!< Key manager responsible to deploy the XTS-AES-256 key */
 
 /*-------------------------- Secure Boot CAPS----------------------------*/
 #define SOC_SECURE_BOOT_V2_RSA              1

docs/en/api-reference/peripherals/ecdsa.rst

@@ -12,9 +12,13 @@ ECDSA peripheral can help to establish **Secure Device Identity** for TLS mutual
 Supported Features
 ------------------
 
-- ECDSA digital signature generation and verification
-- Two different elliptic curves, namely P-192 and P-256 (FIPS 186-3 specification)
-- Two hash algorithms for message hash in the ECDSA operation, namely SHA-224 and SHA-256 (FIPS PUB 180-4 specification)
+.. list::
+
+    - ECDSA digital signature generation and verification
+    :SOC_ECDSA_SUPPORT_CURVE_P384: - Three different elliptic curves, namely P-192, P-256 and P-384 (FIPS 186-3 specification)
+    :not SOC_ECDSA_SUPPORT_CURVE_P384: - Two different elliptic curves, namely P-192 and P-256 (FIPS 186-3 specification)
+    :SOC_ECDSA_SUPPORT_CURVE_P384: - Three hash algorithms for message hash in the ECDSA operation, namely SHA-224, SHA-256 and SHA-384 (FIPS PUB 180-4 specification)
+    :not SOC_ECDSA_SUPPORT_CURVE_P384: - Two hash algorithms for message hash in the ECDSA operation, namely SHA-224 and SHA-256 (FIPS PUB 180-4 specification)
 
 
 ECDSA on {IDF_TARGET_NAME}

docs/zh_CN/api-reference/peripherals/ecdsa.rst

@@ -12,9 +12,13 @@ ECDSA 外设可以为 TLS 双向身份验证等用例建立 **安全设备身份
 支持的特性
 ----------
 
-- ECDSA 数字签名生成和验证
-- 两种不同的椭圆曲线，P-192 和 P-256（FIPS 186-3 规范）
-- ECDSA 操作中哈希消息的两种哈希算法，SHA-224 和 SHA-256（FIPS PUB 180-4 规范）
+.. list::
+
+    - ECDSA 数字签名生成和验证
+    :SOC_ECDSA_SUPPORT_CURVE_P384: - 三种不同的椭圆曲线，P-192，P-256 和 P-384（FIPS 186-3 规范）
+    :not SOC_ECDSA_SUPPORT_CURVE_P384: - 两种不同的椭圆曲线，P-192 和 P-256（FIPS 186-3 规范）
+    :SOC_ECDSA_SUPPORT_CURVE_P384: - ECDSA 操作中用于散列消息的三种哈希算法，SHA-224, SHA-256 和 SHA-384（FIPS PUB 180-4 规范）
+    :not SOC_ECDSA_SUPPORT_CURVE_P384: - ECDSA 操作中哈希消息的两种哈希算法，SHA-224 和 SHA-256（FIPS PUB 180-4 规范）
 
 
 {IDF_TARGET_NAME} 上的 ECDSA