From 8978456524a31c7ea758c26ed6adbe202d67acca Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 9 Dec 2025 21:37:52 +0100 Subject: [PATCH 1/8] Move Secure Boot to another branch. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 09ec076..8cb2484 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 09ec0767b6a3bd79b2a176fb468e97d9fde28449 +Subproject commit 8cb2484aa3d0ab5d44207fce40b766abdfcc4e4f From 82f4b2201ccfbfa1f2604010b141f66e934b0f65 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Tue, 9 Dec 2025 21:38:15 +0100 Subject: [PATCH 2/8] Remove printf Signed-off-by: Pol Henarejos --- src/hsm/cmd_keypair_gen.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/hsm/cmd_keypair_gen.c b/src/hsm/cmd_keypair_gen.c index e43f322..42d05f5 100644 --- a/src/hsm/cmd_keypair_gen.c +++ b/src/hsm/cmd_keypair_gen.c @@ -47,9 +47,6 @@ int cmd_keypair_gen() { if (asn1_find_tag(&ctxo, 0x2, &ks) && asn1_len(&ks) > 0) { key_size = asn1_get_uint(&ks); } - printf("KEYPAIR RSA %lu (%lx)\n", - (unsigned long) key_size, - (unsigned long) exponent); mbedtls_rsa_context rsa; mbedtls_rsa_init(&rsa); uint8_t index = 0; @@ -74,7 +71,6 @@ int cmd_keypair_gen() { return SW_WRONG_DATA(); } mbedtls_ecp_group_id ec_id = ec_get_curve_from_prime(prime.data, prime.len); - printf("KEYPAIR ECC %d\n", ec_id); if (ec_id == MBEDTLS_ECP_DP_NONE) { return SW_FUNC_NOT_SUPPORTED(); } @@ -84,7 +80,6 @@ int cmd_keypair_gen() { return SW_WRONG_DATA(); } } - printf("KEYPAIR ECC %d\r\n", ec_id); mbedtls_ecdsa_context ecdsa; mbedtls_ecdsa_init(&ecdsa); uint8_t index = 0; From 8e351046959aab1f520328dca6557706f8eb6957 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Wed, 10 Dec 2025 00:20:28 +0100 Subject: [PATCH 3/8] Update memory.flash for tests Signed-off-by: Pol Henarejos --- tests/memory.tar.gz | Bin 9826 -> 9695 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/tests/memory.tar.gz b/tests/memory.tar.gz index e7dd242ffe5ff7abc496db851ebb43ecaeed9f50..f5d410db986efecfb2d34b8ae9cabf99a50a5460 100644 GIT binary patch delta 1581 zcmV+|2GaTBOy5g?ABzY8maaHy00ZpLK?;Ik5C%|>;t66D{XLIJQjiI1i*BD;M2l$W z?!Co)3=G4}a2&?ze&{dle9Cqb5h)^nW|QhIqpY^9;w3NYqDV!VnySiUZ6alP>~+w$ z+q|^Xddf15-ME(Px%)Y{j`jVYJ?}q02><{90000000027i`5U2kPTN4_U+y!t0;~G z_c;7dQ!@&v3q+!}t8oUvRO3#1DV&q55ZZn@eFfUc+S9kmR>86O^Zw z&Lqd7iiT&Zi@$NzG)p`Gqo|$Oq-}j5Yx#p)A zTfa)@rg|%P(+MX@7UN4L4PP>Ar_Uzq4;S{1-fix@SYKT}ez`K*yz^&%scpKpB7Fe> z004gg0000000000fQM@1^6sZt_RT^rsw$pF?Zw5<5E zI!d18gD7~Ejpe4^=ihe!f7N>Sx@9Ew9s&H-z48FLw zqtCCdg3DTd#j!anW_DjHJkc`ITx6ot%M5?9rAy)!5SD}lc|}DSde!^zv2lVeVP<4v z3T9-8S7l>jWn^ODj8|b}VgobG9nQE%N|>sty}oZB>dm**_;lUn#fmIt@~u(RnL_V2 zJegosuq%CS<%f>foXyLsGMhzDh&yptiq942+@>bva@k-m(4#Mb9$kdyQD;XS9({k7 z?QVBiuxywJicU?a-HnO2`p{$i@$s{*{d73^t()sUb5oaD<_s$S}zflJX&Gz zvGnHs1D(CIUOwOGyW$$MM`5AqBZTZx)&^i4uz)?wz{0==_AHoT?y$@?(kI8b=i1(7 zr!H8Yd+L8fX(OWy*T*N17cIMB>%4z=clWcdv=yaw)$-F!JNMq;?MuBE5V~C{VS?kE zw6;>c3DFRkw9 zo!x6f7bHzR*Urt(H2cqO-E$f@BR@4pi~SIv;bC>FTy61@)Yv7z|L_TNtoVN`zQto% zYl!3=_Y3{M1+MI9MR(}GUF+^VTko;JdjF-ko(pDwD*7>fIDi|9IK$Ik%oX z+beJ@a(}MJww9MyxzG40id{GbA_j! zkr6riV1b4feFxB^kC}sknF)UseePPzmrsdL4*IbyxZ_YG*ZXbZrulyjPjC8jRBVsm znW?tiYgU?W(k=cngX!+PxzC*E-&nV>`?{Qnl}5{?(4UT#L{0c?_h7-cOi%MgT{#|Pamx3^0?@EO#L~#{~?ZV-37%?3_wHnE=iL5 zm1k8fn>^uLl1r%HWsQIMJ^%h3e^wuNQRmg21s+R%-tblJy?&;azo<%tclIaWPiHy$ zXL03nr(9+VOL3eIik)&$?C6ii4wA32)fLRZY{v-9f9wp5Ow5eHu$L2+WQo?ivn1U6 zZ0nLzU70Gm@LadMTeJ=SMr}J79<`ixUPa=*PuY4~Toi|k1Eq}wOubF~n#h1bw4_H;t68>KaWUKkO^vwZl761i)iQW zy~TW+k6~sw4&!t`^p|!%B|C|TIwE~$Q&(F?UT#^&OPZBU(NqytQ>2kqS(Ybh>~+w$ z+q|^Xddf15-MEhHx%=5$YkmJ`&-;&00ssI20000000027i`Ea3kPBEm*tdU|tfDv$ z!1w)uNu=lEUhUWQFGr8oCcE~2EU)&=H&v!D z0001g0000000000003}bZC>8}6w9`(-2*+Hub;%8 zMuonT2l*fhO0%)t-1B_v;CaKVljesz`O*Bu;?MQNn(x=^o|jSWuu6xe&QyhSOJMND zwH*6DtEF14q0H8xtFtVeTOIF?55>z51O@Czcuh**3W);&eFQYL4Fb5C5;Z zyzW2S1O?T+H|P7NsU!ybU2D4CzIz7aqtLJ))n8RCVuEuemtO>W^d-=vi_kpk?1;mE zql)jm6c1(zd^i87SMiinS}je8x#!lt-9_4>`*R(4l>h$bJ8Rn<%bm^AQV+P_Yxy-! z&oAq^64<$0SxcqBwrko_WRJo^(?{(_8HbxepXYET5^#4C8 zksbC-q;Td7?LS5}@4l-{-4j-scsAsJI@3ox8}+n57cWX*TY2%zBF*jDDm|}f{pgKc z?#s2&)1{qNbauUB6XULWzb3{aT;6SBltuP%qr!h606K>eIidVV0!@Te{ApH*I%axf zmDS|un_uq@Et}D{Csmeh!->lEs*r{Ji@NRKr$riu(>7kC3`;R@(o+dAUarjiu zT-&Jo+IYd2g_f>2W*nO4|Jdo#KdJiJea~Ne)$q>~(>`Y$o^2R+?({Z?4Djz2mio##zr_PP!p=<%jyDiLQ5f%j=}J z+144Wp7?(2z<2Mwb;8T_lhew7>kb;PiP88H*47uVV;JD_I^=yjBO`M3!2%5}`VL@; zJ`ls)Awh1sfB4-83GMOEgrwd_AJ7x{lNu~|e6h|7rN0tStr|4@?u0$K`ucPKmV!G% zGpfZH)=gZncIze`-v$o$rbiWP*}g$CsQzE*md+zq3=1p_czL*y@{WOjG>Ztf+|A6) zuF$ZM%YegxiG_iQi4j8qlRg7OdK2S3P$CHdB@!OAL;^G$l1LiwW2O-t;2$sn=r=Jk zG&8aTW4Ur)THVh(yVry+NSb=CotvF$_Mh9j=QM6cerk*s`yoEV!|GPK+TtUru}gmc z;S=Oo@mG9{$FkNC$vN(S7y5q-T-nizZq>hC>+U>T@3Fvo|E0K|3ucavR49tjVj1dd zVDzn168bT5!W8ds&!^=aTlv`AqBvB*(wri_?DFK!iQ-eI8J9XS01f$9P`imo+fdA(?Tc^gFOL;}*~&hCPnHCd}P&-pEJkzsYhAewK>((D&402 z%KB+-omVFFyg}R*LAmyx*%Cv3-7`I38K0|{3ob1AZj%KiEq{Ywm-IRLT;;s=EU)@1 zll+738eP3n%2^k$;2z*GS15G#5?GR$1f{tJOc&DUHF=;XSq2=eABr_GJi$p%NxwSA;Eta(| zb;;xxQ!BEM_!gJ@(J-zO8=HttTO()-ZQ`fYN-RlMEPPrjCM9FbYNi0I;%g IKmZ1S0FAtGZ2$lO From 4d6f6e46354dda4f1d38067fec786125592eadf6 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 11 Dec 2025 19:35:20 +0100 Subject: [PATCH 4/8] Revert "Move Secure Boot to another branch." This reverts commit 8978456524a31c7ea758c26ed6adbe202d67acca. --- pico-keys-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 8cb2484..09ec076 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 8cb2484aa3d0ab5d44207fce40b766abdfcc4e4f +Subproject commit 09ec0767b6a3bd79b2a176fb468e97d9fde28449 From 629f14ab0db5d9bb7858be84c059d20a8567e2e3 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 11 Dec 2025 19:35:27 +0100 Subject: [PATCH 5/8] Revert "Move EDDSA to another branch." This reverts commit a0faf5308e5b687b2d35b77ecd5408337eb75e3a. --- pico-keys-sdk | 2 +- src/hsm/cmd_keypair_gen.c | 8 ++++++ src/hsm/cmd_signature.c | 14 +++++++++- src/hsm/cvc.c | 39 ++++++++++++++++++++++----- src/hsm/kek.c | 18 ++++++++++++- src/hsm/sc_hsm.c | 10 ++++++- tests/pico-hsm/test_021_key_import.py | 13 ++++++++- tests/pico-hsm/test_030_signature.py | 10 +++++++ 8 files changed, 103 insertions(+), 11 deletions(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index 09ec076..d0dea3d 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit 09ec0767b6a3bd79b2a176fb468e97d9fde28449 +Subproject commit d0dea3d0c5427549ad56c284a2011d5b3eea42e0 diff --git a/src/hsm/cmd_keypair_gen.c b/src/hsm/cmd_keypair_gen.c index 42d05f5..411736c 100644 --- a/src/hsm/cmd_keypair_gen.c +++ b/src/hsm/cmd_keypair_gen.c @@ -79,6 +79,14 @@ int cmd_keypair_gen() { if (asn1_find_tag(&ctxo, 0x83, &g) != true) { return SW_WRONG_DATA(); } +#ifdef MBEDTLS_EDDSA_C + if (ec_id == MBEDTLS_ECP_DP_CURVE25519 && (g.data[0] != 9)) { + ec_id = MBEDTLS_ECP_DP_ED25519; + } + else if (ec_id == MBEDTLS_ECP_DP_CURVE448 && (g.len != 56 || g.data[0] != 5)) { + ec_id = MBEDTLS_ECP_DP_ED448; + } +#endif } mbedtls_ecdsa_context ecdsa; mbedtls_ecdsa_init(&ecdsa); diff --git a/src/hsm/cmd_signature.c b/src/hsm/cmd_signature.c index 10260d8..7169ee0 100644 --- a/src/hsm/cmd_signature.c +++ b/src/hsm/cmd_signature.c @@ -20,6 +20,9 @@ #include "asn1.h" #include "mbedtls/oid.h" #include "random.h" +#ifdef MBEDTLS_EDDSA_C +#include "mbedtls/eddsa.h" +#endif extern mbedtls_ecp_keypair hd_context; extern uint8_t hd_keytype; @@ -273,7 +276,16 @@ int cmd_signature() { } size_t olen = 0; uint8_t buf[MBEDTLS_ECDSA_MAX_LEN]; - r = mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN, &olen, random_gen, NULL); +#ifdef MBEDTLS_EDDSA_C + if (ctx.grp.id == MBEDTLS_ECP_DP_ED25519 || ctx.grp.id == MBEDTLS_ECP_DP_ED448) { + r = mbedtls_eddsa_write_signature(&ctx, apdu.data, apdu.nc, buf, sizeof(buf), &olen, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL); + } + else +#endif + { + r = mbedtls_ecdsa_write_signature(&ctx, md, apdu.data, apdu.nc, buf, MBEDTLS_ECDSA_MAX_LEN, + &olen, random_gen, NULL); + } if (r != 0) { mbedtls_ecp_keypair_free(&ctx); return SW_EXEC_ERROR(); diff --git a/src/hsm/cvc.c b/src/hsm/cvc.c index 67d833c..f7e0e97 100644 --- a/src/hsm/cvc.c +++ b/src/hsm/cvc.c @@ -26,6 +26,9 @@ #include "oid.h" #include "mbedtls/md.h" #include "files.h" +#ifdef MBEDTLS_EDDSA_C +#include "mbedtls/eddsa.h" +#endif extern const uint8_t *dev_name; extern uint16_t dev_name_len; @@ -88,7 +91,11 @@ uint16_t asn1_cvc_public_key_ecdsa(mbedtls_ecp_keypair *ecdsa, uint8_t *buf, uin uint16_t ctot_size = asn1_len_tag(0x87, (uint16_t)c_size); uint16_t oid_len = asn1_len_tag(0x6, sizeof(oid_ecdsa)); uint16_t tot_len = 0, tot_data_len = 0; - if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) { + if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY +#ifdef MBEDTLS_EDDSA_C + || mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_EDWARDS +#endif + ) { tot_data_len = oid_len + ptot_size + otot_size + gtot_size + ytot_size; oid = oid_ri; } @@ -109,7 +116,11 @@ uint16_t asn1_cvc_public_key_ecdsa(mbedtls_ecp_keypair *ecdsa, uint8_t *buf, uin //oid *p++ = 0x6; p += format_tlv_len(sizeof(oid_ecdsa), p); memcpy(p, oid, sizeof(oid_ecdsa)); p += sizeof(oid_ecdsa); - if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY) { + if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_MONTGOMERY +#ifdef MBEDTLS_EDDSA_C + || mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_EDWARDS +#endif + ) { //p *p++ = 0x81; p += format_tlv_len((uint16_t)p_size, p); mbedtls_mpi_write_binary(&ecdsa->grp.P, p, p_size); p += p_size; @@ -296,7 +307,15 @@ uint16_t asn1_cvc_cert(void *rsa_ecdsa, mbedtls_ecp_keypair *ecdsa = (mbedtls_ecp_keypair *) rsa_ecdsa; mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); - ret = mbedtls_ecdsa_sign(&ecdsa->grp, &r, &s, &ecdsa->d, hsh, sizeof(hsh), random_gen, NULL); +#ifdef MBEDTLS_EDDSA_C + if (ecdsa->grp.id == MBEDTLS_ECP_DP_ED25519 || ecdsa->grp.id == MBEDTLS_ECP_DP_ED448) { + ret = mbedtls_eddsa_sign(&ecdsa->grp, &r, &s, &ecdsa->d, body, body_size, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL); + } + else +#endif + { + ret = mbedtls_ecdsa_sign(&ecdsa->grp, &r, &s, &ecdsa->d, hsh, sizeof(hsh), random_gen, NULL); + } if (ret == 0) { mbedtls_mpi_write_binary(&r, p, key_size / 2); p += key_size / 2; mbedtls_mpi_write_binary(&s, p, key_size / 2); p += key_size / 2; @@ -353,9 +372,17 @@ uint16_t asn1_cvc_aut(void *rsa_ecdsa, mbedtls_mpi r, s; mbedtls_mpi_init(&r); mbedtls_mpi_init(&s); - uint8_t hsh[32]; - hash256(body, cvcert_size + outcar_size, hsh); - ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL); +#ifdef MBEDTLS_EDDSA_C + if (ectx.grp.id == MBEDTLS_ECP_DP_ED25519 || ectx.grp.id == MBEDTLS_ECP_DP_ED448) { + ret = mbedtls_eddsa_sign(&ectx.grp, &r, &s, &ectx.d, body, cvcert_size + outcar_size, MBEDTLS_EDDSA_PURE, NULL, 0, random_gen, NULL); + } + else +#endif + { + uint8_t hsh[32]; + hash256(body, cvcert_size + outcar_size, hsh); + ret = mbedtls_ecdsa_sign(&ectx.grp, &r, &s, &ectx.d, hsh, sizeof(hsh), random_gen, NULL); + } mbedtls_ecp_keypair_free(&ectx); if (ret != 0) { mbedtls_mpi_free(&r); diff --git a/src/hsm/kek.c b/src/hsm/kek.c index f0fdb92..1a7b9ad 100644 --- a/src/hsm/kek.c +++ b/src/hsm/kek.c @@ -664,6 +664,14 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, uint16_t in_le //G len = get_uint16_t_be(kb + ofs); +#ifdef MBEDTLS_EDDSA_C + if (ec_id == MBEDTLS_ECP_DP_CURVE25519 && kb[ofs + 2] != 0x09) { + ec_id = MBEDTLS_ECP_DP_ED25519; + } + else if (ec_id == MBEDTLS_ECP_DP_CURVE448 && (len != 56 || kb[ofs + 2] != 0x05)) { + ec_id = MBEDTLS_ECP_DP_ED448; + } +#endif ofs += len + 2; //d @@ -679,7 +687,15 @@ int dkek_decode_key(uint8_t id, void *key_ctx, const uint8_t *in, uint16_t in_le len = get_uint16_t_be(kb + ofs); ofs += 2; r = mbedtls_ecp_point_read_binary(&ecdsa->grp, &ecdsa->Q, kb + ofs, len); if (r != 0) { - r = mbedtls_ecp_mul(&ecdsa->grp, &ecdsa->Q, &ecdsa->d, &ecdsa->grp.G, random_gen, NULL); +#ifdef MBEDTLS_EDDSA_C + if (mbedtls_ecp_get_type(&ecdsa->grp) == MBEDTLS_ECP_TYPE_EDWARDS) { + r = mbedtls_ecp_point_edwards(&ecdsa->grp, &ecdsa->Q, &ecdsa->d, random_gen, NULL); + } + else +#endif + { + r = mbedtls_ecp_mul(&ecdsa->grp, &ecdsa->Q, &ecdsa->d, &ecdsa->grp.G, random_gen, NULL); + } if (r != 0) { mbedtls_ecdsa_free(ecdsa); return PICOKEY_EXEC_ERROR; diff --git a/src/hsm/sc_hsm.c b/src/hsm/sc_hsm.c index fe3969a..59d453e 100644 --- a/src/hsm/sc_hsm.c +++ b/src/hsm/sc_hsm.c @@ -683,7 +683,15 @@ int load_private_key_ec(mbedtls_ecp_keypair *ctx, file_t *fkey) { return PICOKEY_EXEC_ERROR; } mbedtls_platform_zeroize(kdata, sizeof(kdata)); - r = mbedtls_ecp_mul(&ctx->grp, &ctx->Q, &ctx->d, &ctx->grp.G, random_gen, NULL); +#ifdef MBEDTLS_EDDSA_C + if (gid == MBEDTLS_ECP_DP_ED25519 || gid == MBEDTLS_ECP_DP_ED448) { + r = mbedtls_ecp_point_edwards(&ctx->grp, &ctx->Q, &ctx->d, random_gen, NULL); + } + else +#endif + { + r = mbedtls_ecp_mul(&ctx->grp, &ctx->Q, &ctx->d, &ctx->grp.G, random_gen, NULL); + } if (r != 0) { mbedtls_ecp_keypair_free(ctx); return PICOKEY_EXEC_ERROR; diff --git a/tests/pico-hsm/test_021_key_import.py b/tests/pico-hsm/test_021_key_import.py index 9f00e1b..4666f7c 100644 --- a/tests/pico-hsm/test_021_key_import.py +++ b/tests/pico-hsm/test_021_key_import.py @@ -21,7 +21,7 @@ import pytest import hashlib import os from picohsm import DOPrefixes -from cryptography.hazmat.primitives.asymmetric import rsa, ec, x25519, x448 +from cryptography.hazmat.primitives.asymmetric import rsa, ec, x25519, x448, ed25519, ed448 from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat from picohsm.const import DEFAULT_RETRIES, DEFAULT_DKEK_SHARES from const import DEFAULT_DKEK @@ -70,6 +70,17 @@ def test_import_montgomery(device, curve): device.delete_file(DOPrefixes.KEY_PREFIX, keyid) device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid) +@pytest.mark.parametrize( + "curve", [ed25519.Ed25519PrivateKey, ed448.Ed448PrivateKey] +) +def test_import_edwards(device, curve): + pkey = curve.generate() + keyid = device.import_key(pkey) + pubkey = device.public_key(keyid, param=curve) + assert(pubkey.public_bytes(Encoding.Raw, PublicFormat.Raw) == pkey.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)) + device.delete_file(DOPrefixes.KEY_PREFIX, keyid) + device.delete_file(DOPrefixes.EE_CERTIFICATE_PREFIX, keyid) + @pytest.mark.parametrize( "size", [128, 192, 256] ) diff --git a/tests/pico-hsm/test_030_signature.py b/tests/pico-hsm/test_030_signature.py index 72a91bc..4b44ade 100644 --- a/tests/pico-hsm/test_030_signature.py +++ b/tests/pico-hsm/test_030_signature.py @@ -54,3 +54,13 @@ def test_signature_rsa(device, modulus, scheme): signature = device.sign(keyid=keyid, scheme=scheme, data=data) device.delete_file(DOPrefixes.KEY_PREFIX, keyid) device.verify(pubkey, data, signature, scheme) + +@pytest.mark.parametrize( + "curve", ['ed25519', 'ed448'] +) +def test_signature_edwards(device, curve): + keyid = device.key_generation(KeyType.ECC, curve) + pubkey = device.public_key(keyid=keyid) + signature = device.sign(keyid=keyid, scheme=Algorithm.ALGO_EC_RAW, data=data) + device.delete_file(DOPrefixes.KEY_PREFIX, keyid) + device.verify(pubkey, data, signature) From 10c25b6a3a4409b0ae723f531b8e248a7473fb21 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 11 Dec 2025 19:36:06 +0100 Subject: [PATCH 6/8] Update pointer. Signed-off-by: Pol Henarejos --- pico-keys-sdk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pico-keys-sdk b/pico-keys-sdk index d0dea3d..05fe059 160000 --- a/pico-keys-sdk +++ b/pico-keys-sdk @@ -1 +1 @@ -Subproject commit d0dea3d0c5427549ad56c284a2011d5b3eea42e0 +Subproject commit 05fe0596ef004313e166b1e2f900e9af351dd26c From c9926a71d1964ada3532c55cb32a08be3cdc1d43 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 11 Dec 2025 19:48:23 +0100 Subject: [PATCH 7/8] Do not call pytest Signed-off-by: Pol Henarejos --- tests/start-up-and-test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/start-up-and-test.sh b/tests/start-up-and-test.sh index de0a302..d1751ff 100755 --- a/tests/start-up-and-test.sh +++ b/tests/start-up-and-test.sh @@ -2,4 +2,4 @@ source ./tests/startup.sh -pytest tests -W ignore::DeprecationWarning +# pytest tests -W ignore::DeprecationWarning From 4bb81f5b25552986887aeac12c945c77af254697 Mon Sep 17 00:00:00 2001 From: Pol Henarejos Date: Thu, 11 Dec 2025 19:56:01 +0100 Subject: [PATCH 8/8] Build only necessary boards. Signed-off-by: Pol Henarejos --- build_pico_hsm.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/build_pico_hsm.sh b/build_pico_hsm.sh index c4753b1..e0d9354 100755 --- a/build_pico_hsm.sh +++ b/build_pico_hsm.sh @@ -24,8 +24,9 @@ cd build_release PICO_SDK_PATH="${PICO_SDK_PATH:-../../pico-sdk}" SECURE_BOOT_PKEY="${SECURE_BOOT_PKEY:-../../ec_private_key.pem}" -board_dir=${PICO_SDK_PATH}/src/boards/include/boards -for board in "$board_dir"/* +boards=("pico" "pico2") + +for board_name in "${boards[@]}" do board_name="$(basename -- "$board" .h)" rm -rf -- ./* @@ -37,7 +38,7 @@ done # Build with EDDSA if [[ $NO_EDDSA -eq 0 ]]; then - for board in "$board_dir"/* + for board_name in "${boards[@]}" do board_name="$(basename -- "$board" .h)" rm -rf -- ./*