From d6456b4ddec23e73feea69be44432a27059d3c0b Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Mon, 8 Apr 2024 19:41:39 +0200 Subject: [PATCH 01/10] First attempt to add support to ESP32. Signed-off-by: Pol Henarejos --- CMakeLists.txt | 19 ++++++++++++---- pico-keys-sdk | 2 +- sdkconfig.defaults | 18 +++++++++++++++ src/hsm/CMakeLists.txt | 6 +++++ src/hsm/cmd_cipher_sym.c | 9 ++++---- src/hsm/cmd_decrypt_asym.c | 3 +-- src/hsm/cmd_derive_asym.c | 3 +-- src/hsm/cmd_extras.c | 36 +++++++++++++++++++++++++----- src/hsm/cmd_general_authenticate.c | 3 +-- src/hsm/cmd_initialize.c | 2 +- src/hsm/cmd_key_unwrap.c | 3 +-- src/hsm/cvc.c | 3 +-- src/hsm/cvc.h | 2 +- src/hsm/kek.c | 6 ++--- src/hsm/kek.h | 3 ++- src/hsm/sc_hsm.c | 2 +- src/hsm/sc_hsm.h | 6 ++++- 17 files changed, 92 insertions(+), 34 deletions(-) create mode 100755 sdkconfig.defaults create mode 100644 src/hsm/CMakeLists.txt diff --git a/CMakeLists.txt b/CMakeLists.txt index ee5157b..23f5cd9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -17,6 +17,14 @@ cmake_minimum_required(VERSION 3.13) +if(ESP_PLATFORM) +set(EXTRA_COMPONENT_DIRS src pico-keys-sdk/src) +include($ENV{IDF_PATH}/tools/cmake/project.cmake) +set(USB_VID 0x20a0) +set(USB_PID 0x4230) +set(DEBUG_APDU 1) +set(USB_ITF_CCID 1) +else() if(ENABLE_EMULATION) else() include(pico_sdk_import.cmake) @@ -27,8 +35,7 @@ project(pico_hsm C CXX ASM) set(CMAKE_C_STANDARD 11) set(CMAKE_CXX_STANDARD 17) -if(ENABLE_EMULATION) -else() +if(NOT ENABLE_EMULATION) pico_sdk_init() endif() @@ -40,7 +47,7 @@ if (__FOR_CI) endif() add_executable(pico_hsm) - +endif() set(SOURCES ${SOURCES} ${CMAKE_CURRENT_LIST_DIR}/src/hsm/sc_hsm.c ${CMAKE_CURRENT_LIST_DIR}/src/hsm/cmd_select.c 
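Review bot: `set(DEBUG_APDU 1)` in the new `if(ESP_PLATFORM)` branch of the top-level CMakeLists.txt is unconditional, so every ESP32 build, including a release build, is compiled with APDU debugging on. The flag is handled in pico-keys-sdk and not in this patch, but if it makes the firmware log command and response APDUs, PIN verification data and key blobs would be printed on the console of a deployed token. I would make it opt-in with `if(NOT DEFINED DEBUG_APDU)` / `set(DEBUG_APDU 0)` / `endif()`, so a developer has to pass `-DDEBUG_APDU=1` explicitly.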
@@ -77,11 +84,14 @@ set(SOURCES ${SOURCES} ) set(USB_ITF_CCID 1) include(pico-keys-sdk/pico_keys_sdk_import.cmake) +if(ESP_PLATFORM) + project(pico_hsm) +endif() set(INCLUDES ${INCLUDES} ${CMAKE_CURRENT_LIST_DIR}/src/hsm ) - +if(NOT ESP_PLATFORM) target_sources(pico_hsm PUBLIC ${SOURCES}) target_include_directories(pico_hsm PUBLIC ${INCLUDES}) @@ -120,3 +130,4 @@ else() pico_add_extra_outputs(pico_hsm) target_link_libraries(pico_hsm PRIVATE pico_keys_sdk pico_stdlib pico_multicore hardware_flash hardware_sync hardware_adc pico_unique_id hardware_rtc tinyusb_device tinyusb_board) endif() +endif() diff --git a/pico-keys-sdk b/pico-keys-sdk index 151ae5f..1ba109b 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 151ae5fae4c5815042fce5d5cbcc06d76561dc9c +Subproject commit 1ba109bd0a46bed18c097d750f5ebee568d734d4 diff --git a/sdkconfig.defaults b/sdkconfig.defaults new file mode 100755 index 0000000..39b5b87 --- /dev/null +++ b/sdkconfig.defaults @@ -0,0 +1,18 @@ +# This file was generated using idf.py save-defconfig. It can be edited manually. +# Espressif IoT Development Framework (ESP-IDF) Project Minimal Configuration +# +IGNORE_UNKNOWN_FILES_FOR_MANAGED_COMPONENTS=1 + +CONFIG_TINYUSB=y + +CONFIG_PARTITION_TABLE_CUSTOM=y +CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="pico-keys-sdk/partitions.csv" +CONFIG_PARTITION_TABLE_FILENAME="pico-keys-sdk/partitions.csv" +CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y +CONFIG_WL_SECTOR_SIZE_512=y +CONFIG_WL_SECTOR_MODE_PERF=y + +CONFIG_MBEDTLS_CHACHA20_C=y +CONFIG_MBEDTLS_POLY1305_C=y +CONFIG_MBEDTLS_CHACHAPOLY_C=y +CONFIG_MBEDTLS_HKDF_C=y diff --git a/src/hsm/CMakeLists.txt b/src/hsm/CMakeLists.txt new file mode 100644 index 0000000..5a60962 --- /dev/null +++ b/src/hsm/CMakeLists.txt 
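Review bot: The new sdkconfig.defaults sets neither `CONFIG_SECURE_FLASH_ENC_ENABLED` nor `CONFIG_SECURE_BOOT`, so an image built from these defaults would presumably leave the HSM's file system readable by anyone with physical access to the flash. Both options burn eFuses and cannot be undone, so they may be left out of a first port on purpose; in that case the file should carry a comment such as `# development defaults: flash encryption and secure boot are NOT enabled`. Separately, `IGNORE_UNKNOWN_FILES_FOR_MANAGED_COMPONENTS=1` has no `CONFIG_` prefix and looks like a component-manager environment variable rather than a Kconfig symbol, so it is worth confirming that it has any effect in this file.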
@@ -0,0 +1,6 @@ +idf_component_register( + SRCS ${SOURCES} + INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb + REQUIRES bootloader_support esp_partition esp_tinyusb zorxx__neopixel mbedtls +) +idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON) diff --git a/src/hsm/cmd_cipher_sym.c b/src/hsm/cmd_cipher_sym.c index 6de1409..0014d14 100644 --- a/src/hsm/cmd_cipher_sym.c +++ b/src/hsm/cmd_cipher_sym.c @@ -15,16 +15,15 @@ * along with this program. If not, see . */ -#include "common.h" +#include "sc_hsm.h" #include "mbedtls/aes.h" #include "mbedtls/cmac.h" #include "mbedtls/hkdf.h" #include "mbedtls/chachapoly.h" #include "mbedtls/gcm.h" -#include "md_wrap.h" +//#include "mbedtls/md_wrap.h" #include "mbedtls/md.h" #include "crypto_utils.h" -#include "sc_hsm.h" #include "kek.h" #include "asn1.h" #include "oid.h" @@ -134,7 +133,7 @@ int mbedtls_ansi_x963_kdf(mbedtls_md_type_t md_type, } // keydatalen equals output_len - hashlen = md_info->size; + hashlen = mbedtls_md_get_size(md_info); if (output_len >= hashlen * ((1ULL << 32) - 1)) { return exit_code; } @@ -349,7 +348,7 @@ int cmd_cipher_sym() { if (r != 0) { return SW_EXEC_ERROR(); } - res_APDU_size = md_info->size; + res_APDU_size = mbedtls_md_get_size(md_info); } else if (memcmp(oid.data, OID_HKDF_SHA256, oid.len) == 0 || diff --git a/src/hsm/cmd_decrypt_asym.c b/src/hsm/cmd_decrypt_asym.c index e68853e..fc9c904 100644 --- a/src/hsm/cmd_decrypt_asym.c +++ b/src/hsm/cmd_decrypt_asym.c @@ -15,10 +15,9 @@ * along with this program. If not, see . */ -#include "common.h" +#include "sc_hsm.h" #include "mbedtls/ecdh.h" #include "crypto_utils.h" -#include "sc_hsm.h" #include "kek.h" #include "files.h" #include "asn1.h" diff --git a/src/hsm/cmd_derive_asym.c b/src/hsm/cmd_derive_asym.c index ff59009..03ded64 100644 --- a/src/hsm/cmd_derive_asym.c +++ b/src/hsm/cmd_derive_asym.c 
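Review bot: `//#include "mbedtls/md_wrap.h"` in the include block of cmd_cipher_sym.c leaves a commented-out include behind. Both `md_info->size` uses are replaced by `mbedtls_md_get_size(md_info)` in the later hunks of this file, so the header is no longer needed and the line can be deleted rather than commented out.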
@@ -15,10 +15,9 @@ * along with this program. If not, see . */ -#include "common.h" +#include "sc_hsm.h" #include "mbedtls/ecdsa.h" #include "crypto_utils.h" -#include "sc_hsm.h" #include "cvc.h" #define MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED -0x006E diff --git a/src/hsm/cmd_extras.c b/src/hsm/cmd_extras.c index a5c4499..a0818bc 100644 --- a/src/hsm/cmd_extras.c +++ b/src/hsm/cmd_extras.c @@ -15,11 +15,12 @@ * along with this program. If not, see . */ -#include "common.h" -#include "mbedtls/ecdh.h" #include "sc_hsm.h" -#ifndef ENABLE_EMULATION +#include "mbedtls/ecdh.h" +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) #include "hardware/rtc.h" +#else +#include #endif #include "files.h" #include "random.h" @@ -33,7 +34,7 @@ int cmd_extras() { return SW_INCORRECT_P1P2(); } if (apdu.nc == 0) { -#ifndef ENABLE_EMULATION +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) datetime_t dt; if (!rtc_get_datetime(&dt)) { return SW_EXEC_ERROR(); @@ -46,13 +47,26 @@ int cmd_extras() { res_APDU[res_APDU_size++] = dt.hour; res_APDU[res_APDU_size++] = dt.min; res_APDU[res_APDU_size++] = dt.sec; +#else + struct timeval tv; + struct tm *tm; + gettimeofday(&tv, NULL); + tm = localtime(&tv.tv_sec); + res_APDU[res_APDU_size++] = (tm->tm_year + 1900) >> 8; + res_APDU[res_APDU_size++] = (tm->tm_year + 1900) & 0xff; + res_APDU[res_APDU_size++] = tm->tm_mon; + res_APDU[res_APDU_size++] = tm->tm_mday; + res_APDU[res_APDU_size++] = tm->tm_wday; + res_APDU[res_APDU_size++] = tm->tm_hour; + res_APDU[res_APDU_size++] = tm->tm_min; + res_APDU[res_APDU_size++] = tm->tm_sec; #endif } else { if (apdu.nc != 8) { return SW_WRONG_LENGTH(); } -#ifndef ENABLE_EMULATION +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) datetime_t dt; dt.year = (apdu.data[0] << 8) | (apdu.data[1]); dt.month = apdu.data[2]; 
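Review bot: The `#else` branch added to the read-time path in cmd_extras.c dereferences the result of `localtime()` without a null check and ignores the return value of `gettimeofday()`, whereas the RTC branch returns `SW_EXEC_ERROR()` when `rtc_get_datetime()` fails. It also sends `tm->tm_mon`, which counts from 0, while the Pico SDK `datetime_t` month used by the RTC branch counts from 1, so the same command reports a different month on ESP32 and in emulation than on RP2040. I would add `if (tm == NULL) { return SW_EXEC_ERROR(); }` after the `localtime()` call and send `tm->tm_mon + 1`. `cmd_extras()` starts and ends outside this hunk.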
@@ -64,6 +78,18 @@ int cmd_extras() { if (!rtc_set_datetime(&dt)) { return SW_WRONG_DATA(); } +#else + struct tm tm; + struct timeval tv; + tm.tm_year = ((apdu.data[0] << 8) | (apdu.data[1])) - 1900; + tm.tm_mon = apdu.data[2]; + tm.tm_mday = apdu.data[3]; + tm.tm_wday = apdu.data[4]; + tm.tm_hour = apdu.data[5]; + tm.tm_min = apdu.data[6]; + tm.tm_sec = apdu.data[7]; + tv.tv_sec = mktime(&tm); + settimeofday(&tv, NULL); #endif } } diff --git a/src/hsm/cmd_general_authenticate.c b/src/hsm/cmd_general_authenticate.c index 64c5860..47aabc3 100644 --- a/src/hsm/cmd_general_authenticate.c +++ b/src/hsm/cmd_general_authenticate.c @@ -15,10 +15,9 @@ * along with this program. If not, see . */ -#include "common.h" +#include "sc_hsm.h" #include "mbedtls/ecdh.h" #include "asn1.h" -#include "sc_hsm.h" #include "random.h" #include "oid.h" #include "eac.h" diff --git a/src/hsm/cmd_initialize.c b/src/hsm/cmd_initialize.c index cf19cb3..8a5ebb4 100644 --- a/src/hsm/cmd_initialize.c +++ b/src/hsm/cmd_initialize.c @@ -28,7 +28,7 @@ extern void scan_all(); extern char __StackLimit; int heapLeft() { -#ifndef ENABLE_EMULATION +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) char *p = malloc(256); // try to avoid undue fragmentation int left = &__StackLimit - p; free(p); diff --git a/src/hsm/cmd_key_unwrap.c b/src/hsm/cmd_key_unwrap.c index 1eb0ecb..85b8288 100644 --- a/src/hsm/cmd_key_unwrap.c +++ b/src/hsm/cmd_key_unwrap.c @@ -15,9 +15,8 @@ * along with this program. If not, see . */ -#include "common.h" -#include "crypto_utils.h" #include "sc_hsm.h" +#include "crypto_utils.h" #include "kek.h" #include "cvc.h" diff --git a/src/hsm/cvc.c b/src/hsm/cvc.c index fcc722c..c2df5dc 100644 --- a/src/hsm/cvc.c +++ b/src/hsm/cvc.c @@ -15,9 +15,8 @@ * along with this program. If not, see . */ -#include "common.h" -#include "cvc.h" #include "sc_hsm.h" +#include "cvc.h" #include "mbedtls/rsa.h" #include "mbedtls/ecdsa.h" #include 
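Review bot: The `#else` branch of the set-time path in cmd_extras.c passes a partly uninitialised `struct tm` to `mktime()` and a `struct timeval` with an unset `tv_usec` to `settimeofday()`, and ignores both results. `mktime()` reads `tm_isdst`, so the clock that gets installed depends on stack contents, and a failed conversion (-1) is handed on to `settimeofday()` while the command still reports success where the RTC branch returns `SW_WRONG_DATA()`. `tm_mon` also needs the 1-based to 0-based adjustment to match the `datetime_t` month that RP2040 hosts send. The fence shows the branch with zero-initialisation and both results checked; `cmd_extras()` begins and ends outside the hunk.

```c
#else
        struct tm tm = { 0 };
        struct timeval tv = { 0 };
        tm.tm_year = ((apdu.data[0] << 8) | (apdu.data[1])) - 1900;
        tm.tm_mon = apdu.data[2] - 1;   /* datetime_t months are 1-12, struct tm months are 0-11 */
        /* … unchanged: tm_mday, tm_wday, tm_hour, tm_min, tm_sec assignments … */
        tm.tm_isdst = -1;               /* let mktime() decide instead of reading stack garbage */
        tv.tv_sec = mktime(&tm);
        if (tv.tv_sec == (time_t) -1 || settimeofday(&tv, NULL) != 0) {
            return SW_WRONG_DATA();
        }
#endif
```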
diff --git a/src/hsm/cvc.h b/src/hsm/cvc.h index 1eb217a..a0b878a 100644 --- a/src/hsm/cvc.h +++ b/src/hsm/cvc.h @@ -19,7 +19,7 @@ #define _CVC_H_ #include -#ifndef ENABLE_EMULATION +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) #include "pico/stdlib.h" #else #include diff --git a/src/hsm/kek.c b/src/hsm/kek.c index 4d317b8..66c0710 100644 --- a/src/hsm/kek.c +++ b/src/hsm/kek.c @@ -15,16 +15,14 @@ * along with this program. If not, see . */ -#include -#include "common.h" +#include "sc_hsm.h" #include "stdlib.h" -#ifndef ENABLE_EMULATION +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) #include "pico/stdlib.h" #endif #include "kek.h" #include "crypto_utils.h" #include "random.h" -#include "sc_hsm.h" #include "mbedtls/md.h" #include "mbedtls/cmac.h" #include "mbedtls/rsa.h" diff --git a/src/hsm/kek.h b/src/hsm/kek.h index aa095cc..f0aca86 100644 --- a/src/hsm/kek.h +++ b/src/hsm/kek.h @@ -19,10 +19,11 @@ #define _DKEK_H_ #include "crypto_utils.h" -#ifdef ENABLE_EMULATION +#if defined(ENABLE_EMULATION) || defined(ESP_PLATFORM) #include #endif + extern int load_mkek(uint8_t *); extern int store_mkek(const uint8_t *); extern int save_dkek_key(uint8_t, const uint8_t *key); diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index 70f7534..bd43567 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -17,7 +17,6 @@ #include "sc_hsm.h" #include "files.h" -#include "common.h" #include "version.h" #include "crypto_utils.h" #include "kek.h" @@ -89,6 +88,7 @@ int sc_hsm_select_aid(app_t *a) { } INITIALIZER( sc_hsm_ctor ) { + printf("INITIALIZER\n"); ccid_atr = atr_sc_hsm; register_app(sc_hsm_select_aid, sc_hsm_aid); } diff --git a/src/hsm/sc_hsm.h b/src/hsm/sc_hsm.h index fa8d3ff..e187d26 100644 --- a/src/hsm/sc_hsm.h +++ b/src/hsm/sc_hsm.h 
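Review bot: `printf("INITIALIZER\n");` in `sc_hsm_ctor` looks like a bring-up trace that was left in. The function is declared through the `INITIALIZER` macro, so it presumably runs as a constructor before `main()`, possibly before stdio is set up on the target, and the line prints on every boot of every platform. I would drop it, or guard it with whatever debug macro the project already uses for logging.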
@@ -19,10 +19,14 @@ #define _SC_HSM_H_ #include +#ifndef ESP_PLATFORM #include "common.h" +#else +#define MBEDTLS_ALLOW_PRIVATE_ACCESS +#endif #include "mbedtls/rsa.h" #include "mbedtls/ecdsa.h" -#ifndef ENABLE_EMULATION +#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) #include "pico/stdlib.h" #endif #include "file.h" From d8c7fb0856600ea69d873be34916742a1d2847d6 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 10 Apr 2024 18:16:38 +0200 Subject: [PATCH 02/10] Remove carriage return \r for better debug. Signed-off-by: Pol Henarejos --- src/hsm/cmd_keypair_gen.c | 4 ++-- src/hsm/sc_hsm.c | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/hsm/cmd_keypair_gen.c b/src/hsm/cmd_keypair_gen.c index 6a88b85..22c1e05 100644 --- a/src/hsm/cmd_keypair_gen.c +++ b/src/hsm/cmd_keypair_gen.c @@ -47,7 +47,7 @@ int cmd_keypair_gen() { if (asn1_find_tag(&ctxo, 0x2, &ks) && asn1_len(&ks) > 0) { key_size = asn1_get_uint(&ks); } - printf("KEYPAIR RSA %lu (%lx)\r\n", + printf("KEYPAIR RSA %lu (%lx)\n", (unsigned long) key_size, (unsigned long) exponent); mbedtls_rsa_context rsa; @@ -75,7 +75,7 @@ int cmd_keypair_gen() { return SW_WRONG_DATA(); } mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime.data, prime.len); - printf("KEYPAIR ECC %d\r\n", ec_id); + printf("KEYPAIR ECC %d\n", ec_id); if (ec_id == MBEDTLS_ECP_DP_NONE) { return SW_FUNC_NOT_SUPPORTED(); } diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index bd43567..d4ccb68 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c 
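Review bot: `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` inside sc_hsm.h only takes effect if sc_hsm.h is included before the first mbedTLS header of a translation unit, which is presumably why this commit moves `#include "sc_hsm.h"` to the top of each source file. That ordering rule is easy to break with the next include someone adds, and the failure would show up only on ESP32 builds. Passing the macro as a compile definition for the component removes the dependency on include order; at minimum the define deserves the comment `/* must precede every mbedtls header: grants access to private struct fields */`. The remaining private-field accesses could later follow the `mbedtls_md_get_size(md_info)` change made in cmd_cipher_sym.c.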
@@ -97,24 +97,24 @@ void scan_files() { file_pin1 = search_by_fid(0x1081, NULL, SPECIFY_EF); if (file_pin1) { if (!file_pin1->data) { - printf("PIN1 is empty. Initializing with default password\r\n"); + printf("PIN1 is empty. Initializing with default password\n"); const uint8_t empty[33] = { 0 }; flash_write_data_to_file(file_pin1, empty, sizeof(empty)); } } else { - printf("FATAL ERROR: PIN1 not found in memory!\r\n"); + printf("FATAL ERROR: PIN1 not found in memory!\n"); } file_sopin = search_by_fid(0x1088, NULL, SPECIFY_EF); if (file_sopin) { if (!file_sopin->data) { - printf("SOPIN is empty. Initializing with default password\r\n"); + printf("SOPIN is empty. Initializing with default password\n"); const uint8_t empty[33] = { 0 }; flash_write_data_to_file(file_sopin, empty, sizeof(empty)); } } else { - printf("FATAL ERROR: SOPIN not found in memory!\r\n"); + printf("FATAL ERROR: SOPIN not found in memory!\n"); } file_retries_pin1 = search_by_fid(0x1083, NULL, SPECIFY_EF); if (file_retries_pin1) { @@ -125,18 +125,18 @@ void scan_files() { } } else { - printf("FATAL ERROR: Retries PIN1 not found in memory!\r\n"); + printf("FATAL ERROR: Retries PIN1 not found in memory!\n"); } file_retries_sopin = search_by_fid(0x108A, NULL, SPECIFY_EF); if (file_retries_sopin) { if (!file_retries_sopin->data) { - printf("Retries SOPIN is empty. Initializing with default retries\r\n"); + printf("Retries SOPIN is empty. Initializing with default retries\n"); const uint8_t retries = 15; flash_write_data_to_file(file_retries_sopin, &retries, sizeof(uint8_t)); } } else { - printf("FATAL ERROR: Retries SOPIN not found in memory!\r\n"); + printf("FATAL ERROR: Retries SOPIN not found in memory!\n"); } file_t *tf = NULL; 
@@ -149,18 +149,18 @@ void scan_files() { } } else { - printf("FATAL ERROR: Max Retries PIN1 not found in memory!\r\n"); + printf("FATAL ERROR: Max Retries PIN1 not found in memory!\n"); } tf = search_by_fid(0x1089, NULL, SPECIFY_EF); if (tf) { if (!tf->data) { - printf("Max Retries SOPIN is empty. Initializing with default max retries\r\n"); + printf("Max Retries SOPIN is empty. Initializing with default max retries\n"); const uint8_t retries = 15; flash_write_data_to_file(tf, &retries, sizeof(uint8_t)); } } else { - printf("FATAL ERROR: Retries SOPIN not found in memory!\r\n"); + printf("FATAL ERROR: Retries SOPIN not found in memory!\n"); } low_flash_available(); } From 60038f934574163be6022008b96b55bf4a34343a Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 10 Apr 2024 20:29:02 +0200 Subject: [PATCH 03/10] Fix flash issues. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 1ba109b..7def35f 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 1ba109bd0a46bed18c097d750f5ebee568d734d4 +Subproject commit 7def35f87cfb79ac52c203a31bb5282b20dde0a9 From 3dbcefea8574e82959d2000a65e9285fa615bd33 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 11 Apr 2024 15:15:18 +0200 Subject: [PATCH 04/10] Upate build parameters. Signed-off-by: Pol Henarejos --- sdkconfig.defaults | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) diff --git a/sdkconfig.defaults b/sdkconfig.defaults index 39b5b87..180cb70 100755 --- a/sdkconfig.defaults +++ b/sdkconfig.defaults 
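Review bot: The last changed line of the `@@ -149,18 +149,18 @@` hunk still prints `FATAL ERROR: Retries SOPIN not found in memory!` in the branch that looked up FID 0x1089, whose sibling message talks about "Max Retries SOPIN". The previous hunk already uses the same text for FID 0x108A, so a missing max-retries file cannot be told apart in the log from a missing retries file. Since the line is being rewritten anyway, change it to `printf("FATAL ERROR: Max Retries SOPIN not found in memory!\n");`. `scan_files()` begins outside this hunk.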
@@ -12,7 +12,50 @@ CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y CONFIG_WL_SECTOR_SIZE_512=y CONFIG_WL_SECTOR_MODE_PERF=y +CONFIG_MBEDTLS_ECP_C=y +CONFIG_MBEDTLS_ECDH_C=y +CONFIG_MBEDTLS_ECDSA_C=y +CONFIG_MBEDTLS_CMAC_C=y CONFIG_MBEDTLS_CHACHA20_C=y CONFIG_MBEDTLS_POLY1305_C=y CONFIG_MBEDTLS_CHACHAPOLY_C=y +CONFIG_MBEDTLS_AES_C=y +CONFIG_MBEDTLS_CCM_C=y +CONFIG_MBEDTLS_GCM_C=y +CONFIG_MBEDTLS_RIPEMD160_C=y CONFIG_MBEDTLS_HKDF_C=y +CONFIG_MBEDTLS_HARDWARE_ECC=y +CONFIG_MBEDTLS_HARDWARE_GCM=y +# CONFIG_MBEDTLS_HARDWARE_MPI is not set +CONFIG_MBEDTLS_HARDWARE_SHA=y +CONFIG_MBEDTLS_HARDWARE_AES=y +CONFIG_MBEDTLS_DES_C=y +# CONFIG_MBEDTLS_ROM_MD5 is not set +CONFIG_MBEDTLS_SHA512_C=y +CONFIG_MBEDTLS_TLS_DISABLED=y +# CONFIG_MBEDTLS_TLS_ENABLED is not set +# CONFIG_ESP_TLS_USE_DS_PERIPHERAL is not set +# CONFIG_ESP_WIFI_ENABLED is not set +# CONFIG_ESP_WIFI_MBEDTLS_CRYPTO is not set +# CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT is not set +# CONFIG_WPA_MBEDTLS_CRYPTO is not set +# CONFIG_MBEDTLS_PSK_MODES is not set +# CONFIG_MBEDTLS_KEY_EXCHANGE_RSA is not set +# CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE is not set +# CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA is not set +# CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA is not set +# CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA is not set +# CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA is not set +# CONFIG_MBEDTLS_SSL_RENEGOTIATION is not set +# CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 is not set +# CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1 is not set +# CONFIG_MBEDTLS_SSL_PROTO_DTLS is not set +# CONFIG_MBEDTLS_SSL_ALPN is not set +# CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS is not set +# CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS is not set +# CONFIG_ESP32_WIFI_ENABLE_WPA3_SAE is not set +# CONFIG_ESP32_WIFI_ENABLE_WPA3_OWE_STA is not set +# CONFIG_ESP_WIFI_ENABLE_WPA3_SAE is not set +# CONFIG_ESP_WIFI_ENABLE_WPA3_OWE_STA is not set + +CONFIG_ESP_COREDUMP_ENABLE_TO_UART=y From 842919a26b9027027ca6a2ba49419c4162fffdda Mon Sep 17 00:00:00 2001 
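Review bot: `CONFIG_ESP_COREDUMP_ENABLE_TO_UART=y` at the end of this hunk makes every build from these defaults write a core dump to the UART after a crash. On an HSM the dump holds whatever was in RAM at that moment, which can include an unwrapped key or a verified PIN, and the UART is reachable by anyone holding the board. I would leave it out of sdkconfig.defaults and enable it only in a developer-local configuration, or at least put `# development only: core dumps expose RAM contents, disable for release builds` above it.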
From: Pol Henarejos Date: Mon, 15 Apr 2024 23:45:30 +0200 Subject: [PATCH 05/10] Use external unique ID. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- src/hsm/CMakeLists.txt | 2 +- src/hsm/sc_hsm.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 7def35f..8d86a8c 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 7def35f87cfb79ac52c203a31bb5282b20dde0a9 +Subproject commit 8d86a8c56b4e8dd4b525570d2ca324a29d5b901a diff --git a/src/hsm/CMakeLists.txt b/src/hsm/CMakeLists.txt index 5a60962..31d66c9 100644 --- a/src/hsm/CMakeLists.txt +++ b/src/hsm/CMakeLists.txt @@ -1,6 +1,6 @@ idf_component_register( SRCS ${SOURCES} INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb - REQUIRES bootloader_support esp_partition esp_tinyusb zorxx__neopixel mbedtls + REQUIRES bootloader_support esp_partition esp_tinyusb zorxx__neopixel mbedtls efuse ) idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON) diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index d4ccb68..82a2334 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -301,7 +301,7 @@ int parse_token_info(const file_t *f, int mode) { *p++ = 0; //set later *p++ = 0x2; *p++ = 1; *p++ = HSM_VERSION_MAJOR; #ifndef ENABLE_EMULATION - *p++ = 0x4; *p++ = 8; pico_get_unique_board_id((pico_unique_board_id_t *) p); p += 8; + *p++ = 0x4; *p++ = 8; memcpy(p, pico_serial.id, 8); p += 8; #else *p++ = 0x4; *p++ = 8; memset(p, 0, 8); p += 8; #endif From 45b633cc9d2922647a81848768128190581e7b3d Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 16 Apr 2024 00:04:33 +0200 Subject: [PATCH 06/10] More defaults. Signed-off-by: Pol Henarejos --- sdkconfig.defaults | 8 -------- 1 file changed, 8 deletions(-) diff --git a/sdkconfig.defaults b/sdkconfig.defaults index 180cb70..f8a8d9f 100755 --- a/sdkconfig.defaults +++ b/sdkconfig.defaults 
@@ -12,24 +12,16 @@ CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y CONFIG_WL_SECTOR_SIZE_512=y CONFIG_WL_SECTOR_MODE_PERF=y -CONFIG_MBEDTLS_ECP_C=y -CONFIG_MBEDTLS_ECDH_C=y -CONFIG_MBEDTLS_ECDSA_C=y CONFIG_MBEDTLS_CMAC_C=y CONFIG_MBEDTLS_CHACHA20_C=y CONFIG_MBEDTLS_POLY1305_C=y CONFIG_MBEDTLS_CHACHAPOLY_C=y -CONFIG_MBEDTLS_AES_C=y -CONFIG_MBEDTLS_CCM_C=y -CONFIG_MBEDTLS_GCM_C=y -CONFIG_MBEDTLS_RIPEMD160_C=y CONFIG_MBEDTLS_HKDF_C=y CONFIG_MBEDTLS_HARDWARE_ECC=y CONFIG_MBEDTLS_HARDWARE_GCM=y # CONFIG_MBEDTLS_HARDWARE_MPI is not set CONFIG_MBEDTLS_HARDWARE_SHA=y CONFIG_MBEDTLS_HARDWARE_AES=y -CONFIG_MBEDTLS_DES_C=y # CONFIG_MBEDTLS_ROM_MD5 is not set CONFIG_MBEDTLS_SHA512_C=y CONFIG_MBEDTLS_TLS_DISABLED=y From 8bbbdb4dd8104484ae7be7438f97c41ffba43ae2 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 16 Apr 2024 00:04:48 +0200 Subject: [PATCH 07/10] Build WCID interface. Signed-off-by: Pol Henarejos --- CMakeLists.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index 23f5cd9..1e926f6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -24,6 +24,7 @@ set(USB_VID 0x20a0) set(USB_PID 0x4230) set(DEBUG_APDU 1) set(USB_ITF_CCID 1) +set(USB_ITF_WCID 1) else() if(ENABLE_EMULATION) else() From be071b0bc1d63ac9b3ba2d1efbb21011581cd749 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 16 Apr 2024 00:05:01 +0200 Subject: [PATCH 08/10] Add support for dynamic VID / PID. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 8d86a8c..6f7ab69 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 8d86a8c56b4e8dd4b525570d2ca324a29d5b901a +Subproject commit 6f7ab69a9df3950c9b538a72661bc3810e978778 From aeeb540a2ff9108289e999047fd93a30e190e1af Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 16 Apr 2024 23:22:49 +0200 Subject: [PATCH 09/10] Add support for PHY command to store and change VIDPID and LED no. dynamically on reboot. 
Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- src/hsm/cmd_extras.c | 34 ++++++++++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 6f7ab69..ade730f 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 6f7ab69a9df3950c9b538a72661bc3810e978778 +Subproject commit ade730ffb5e38b37afaab21247a2c9ac6db2ac1b diff --git a/src/hsm/cmd_extras.c b/src/hsm/cmd_extras.c index a0818bc..5aefd81 100644 --- a/src/hsm/cmd_extras.c +++ b/src/hsm/cmd_extras.c @@ -221,6 +221,40 @@ int cmd_extras() { } } } +#ifndef ENABLE_EMULATION + else if (P1(apdu) == 0x1B) { // Set PHY + if (apdu.nc == 0) { + if (file_has_data(ef_phy)) { + res_APDU_size = file_get_size(ef_phy); + memcpy(res_APDU, file_get_data(ef_phy), res_APDU_size); + } + } + else { + uint8_t tmp[PHY_MAX_SIZE]; + memset(tmp, 0, sizeof(tmp)); + if (file_has_data(ef_phy)) { + memcpy(tmp, file_get_data(ef_phy), MIN(sizeof(tmp), file_get_size(ef_phy))); + } + if (P2(apdu) == PHY_VID) { // VIDPID + if (apdu.nc != 4) { + return SW_WRONG_LENGTH(); + } + memcpy(tmp + PHY_VID, apdu.data, 4); + } + else if (P2(apdu) == PHY_LED_GPIO || P2(apdu) == PHY_LED_MODE) { + if (apdu.nc != 1) { + return SW_WRONG_LENGTH(); + } + tmp[P2(apdu)] = apdu.data[0]; + } + else { + return SW_INCORRECT_P1P2(); + } + flash_write_data_to_file(ef_phy, tmp, sizeof(tmp)); + low_flash_available(); + } + } +#endif else { return SW_INCORRECT_P1P2(); } From 920d22212aa2f12ac057f63c86a8b31688841537 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 16 Apr 2024 23:23:20 +0200 Subject: [PATCH 10/10] Add phy command to pico-hsm-tool to change VIDPID dynamically. Signed-off-by: Pol Henarejos --- tools/pico-hsm-tool.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/tools/pico-hsm-tool.py b/tools/pico-hsm-tool.py index 00d9ee6..7d7813f 100644 --- a/tools/pico-hsm-tool.py +++ b/tools/pico-hsm-tool.py 
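Review bot: The new `P1(apdu) == 0x1B` branch in cmd_extras.c writes host-supplied VID/PID and LED settings to `ef_phy` with no authentication or state check visible in the hunk, and ignores the result of `flash_write_data_to_file()`. If `cmd_extras()` does not already require a verified PIN before this point (its start is outside the hunk), any software that can reach the reader can persistently change how the token enumerates after the next reboot. The byte stored for `PHY_LED_GPIO` / `PHY_LED_MODE` is also taken as-is, so an out-of-range GPIO number or unknown mode is persisted and only discovered at boot; a range check before the write, returning `SW_WRONG_DATA()`, would keep bad values out of flash. The write result should be checked and mapped to `SW_EXEC_ERROR()` so the host is not told the change succeeded when it did not.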
@@ -87,10 +87,17 @@ def parse_args(): parser_opts = subparser.add_parser('options', help='Manage extra options.', formatter_class=RawTextHelpFormatter) subparser_opts = parser_opts.add_subparsers(title='commands', dest='subcommand', required=True) parser_opts_set = subparser_opts.add_parser('set', help='Sets option OPT.') - parser_opts_get = subparser_opts.add_parser('get', help='Gets optiont OPT.') + parser_opts_get = subparser_opts.add_parser('get', help='Gets option OPT.') parser_opts.add_argument('opt', choices=['button', 'counter'], help='button: press-to-confirm button.\ncounter: every generated key has an internal counter.', metavar='OPT') parser_opts_set.add_argument('onoff', choices=['on', 'off'], help='Toggles state ON or OFF', metavar='ON/OFF', nargs='?') + parser_phy = subparser.add_parser('phy', help='Set PHY options.') + subparser_phy = parser_phy.add_subparsers(title='commands', dest='subcommand', required=True) + parser_phy_vp = subparser_phy.add_parser('vidpid', help='Sets VID/PID. Use VID:PID format (e.g. 1234:5678)') + parser_phy_ledn = subparser_phy.add_parser('led', help='Sets LED GPIO number.') + parser_phy_vp.add_argument('value', help='Value of the PHY option.', metavar='VAL', nargs='?') + parser_phy_ledn.add_argument('value', help='Value of the PHY option.', metavar='VAL', nargs='?') + parser_secure = subparser.add_parser('secure', help='Manages security of Pico HSM.') subparser_secure = parser_secure.add_subparsers(title='commands', dest='subcommand', required=True) parser_opts_enable = subparser_secure.add_parser('enable', help='Enables secure lock.') 
@@ -444,8 +451,22 @@ def keygen(picohsm, args): print('Key generated successfully.') print(f'Key ID: {ret}') +def phy(picohsm, args): + val = args.value if 'value' in args else None + if (val): + if (args.subcommand == 'vidpid'): + sp = val.split(':') + if (len(sp) != 2): + print('ERROR: VID/PID have wrong format. Use VID:PID format (e.g. 1234:5678)') + val = int(sp[0],16).to_bytes(2, 'big') + int(sp[1],16).to_bytes(2, 'big') + elif (args.subcommand == 'led'): + val = [int(val)] + ret = picohsm.phy(args.subcommand, val) + if (ret): + print(f'Current value: {hexlify(ret)}') + def main(args): - sys.stderr.buffer.write(b'Pico HSM Tool v1.10\n') + sys.stderr.buffer.write(b'Pico HSM Tool v1.12\n') sys.stderr.buffer.write(b'Author: Pol Henarejos\n') sys.stderr.buffer.write(b'Report bugs to https://github.com/polhenarejos/pico-hsm/issues\n') sys.stderr.buffer.write(b'\n\n') @@ -470,6 +491,8 @@ def main(args): cipher(picohsm, args) elif (args.command == 'keygen'): keygen(picohsm, args) + elif (args.command == 'phy'): + phy(picohsm, args) def run():
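Review bot: In `phy()`, the branch that reports a malformed VID:PID prints the error and then falls through to `int(sp[0],16)` and `sp[1]`, so a value without a colon ends in an `IndexError` and one with extra colons is sent using only the first two fields. Non-hex digits raise `ValueError`, values above 0xFFFF raise `OverflowError` in `to_bytes(2, 'big')`, and the `led` branch accepts any integer although the firmware side stores a single byte. The fence returns after reporting the error and validates both inputs before `picohsm.phy()` is called.

```python
        if (args.subcommand == 'vidpid'):
            try:
                # unpacking fails on a wrong field count, int() on non-hex, to_bytes() on out-of-range
                vid, pid = (int(x, 16) for x in val.split(':'))
                val = vid.to_bytes(2, 'big') + pid.to_bytes(2, 'big')
            except (ValueError, OverflowError):
                print('ERROR: VID/PID have wrong format. Use VID:PID format (e.g. 1234:5678)')
                return
        elif (args.subcommand == 'led'):
            try:
                led = int(val)
            except ValueError:
                led = -1
            if (not 0 <= led <= 255):
                print('ERROR: LED GPIO must be an integer between 0 and 255')
                return
            val = [led]
    # … unchanged: picohsm.phy() call and printing of the current value …
```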