dearsky/pico-hsm
1
0
Fork 0
Code Issues 17 Pull Requests 4 Actions Packages Projects Releases 26 Wiki Activity

First attempt for PQC

Browse Source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2026-01-22 11:23:33 +01:00
parent 4348f09c6f
commit 9fb1e36954
6 changed files with 33 additions and 162 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
CMakeLists.txt
View File

@@ -18,7 +18,8 @@
cmake_minimum_required(VERSION 3.13)
if(ESP_PLATFORM)
set(EXTRA_COMPONENT_DIRS src pico-keys-sdk/src)
set(ENABLE_PQC 1)
set(EXTRA_COMPONENT_DIRS pico-keys-sdk/config/esp32/components src/hsm)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
else()
if(NOT ENABLE_EMULATION)
@@ -124,7 +125,7 @@ if(NOT ESP_PLATFORM)
-Wl,--gc-sections
)
endif(APPLE)
target_link_libraries(pico_hsm PRIVATE pthread m)
target_link_libraries(pico_hsm PRIVATE pico_keys_sdk pthread m)
else()
pico_add_extra_outputs(${CMAKE_PROJECT_NAME})
endif()

4
src/hsm/CMakeLists.txt
View File

@@ -1,6 +1,6 @@
idf_component_register(
SRCS ${SOURCES}
INCLUDE_DIRS . ../../pico-keys-sdk/src ../../pico-keys-sdk/src/fs ../../pico-keys-sdk/src/rng ../../pico-keys-sdk/src/usb
REQUIRES mbedtls efuse
INCLUDE_DIRS .
REQUIRES mbedtls efuse pico-keys-sdk
)
idf_component_set_property(${COMPONENT_NAME} WHOLE_ARCHIVE ON)

152
src/hsm/cmd_extras.c
View File

@@ -17,13 +17,6 @@
#include "sc_hsm.h"
#include "mbedtls/ecdh.h"
#ifdef PICO_PLATFORM
#include "pico/aon_timer.h"
#include "hardware/watchdog.h"
#else
#include <sys/time.h>
#include <time.h>
#endif
#include "files.h"
#include "random.h"
#include "kek.h"
@@ -57,50 +50,7 @@ int cmd_extras() {
if (wait_button_pressed() == true) {
return SW_SECURE_MESSAGE_EXEC_ERROR();
}
if (cmd == CMD_DATETIME) { //datetime operations
if (P2(apdu) != 0x0) {
return SW_INCORRECT_P1P2();
}
if (apdu.nc == 0) {
#ifdef PICO_PLATFORM
struct timespec tv;
aon_timer_get_time(&tv);
#else
struct timeval tv;
gettimeofday(&tv, NULL);
#endif
struct tm *tm = localtime(&tv.tv_sec);
res_APDU_size += put_uint16_t_be(tm->tm_year + 1900, res_APDU);
res_APDU[res_APDU_size++] = tm->tm_mon;
res_APDU[res_APDU_size++] = tm->tm_mday;
res_APDU[res_APDU_size++] = tm->tm_wday;
res_APDU[res_APDU_size++] = tm->tm_hour;
res_APDU[res_APDU_size++] = tm->tm_min;
res_APDU[res_APDU_size++] = tm->tm_sec;
}
else {
if (apdu.nc != 8) {
return SW_WRONG_LENGTH();
}
struct tm tm;
tm.tm_year = get_uint16_t_be(apdu.data) - 1900;
tm.tm_mon = apdu.data[2];
tm.tm_mday = apdu.data[3];
tm.tm_wday = apdu.data[4];
tm.tm_hour = apdu.data[5];
tm.tm_min = apdu.data[6];
tm.tm_sec = apdu.data[7];
time_t tv_sec = mktime(&tm);
#ifdef PICO_PLATFORM
struct timespec tv = {.tv_sec = tv_sec, .tv_nsec = 0};
aon_timer_set_time(&tv);
#else
struct timeval tv = {.tv_sec = tv_sec, .tv_usec = 0};
settimeofday(&tv, NULL);
#endif
}
}
else if (cmd == CMD_DYNOPS) { //dynamic options
if (cmd == CMD_DYNOPS) { //dynamic options
if (P2(apdu) != 0x0) {
return SW_INCORRECT_P1P2();
}
@@ -201,106 +151,6 @@ int cmd_extras() {
}
}
}
#ifndef ENABLE_EMULATION
else if (cmd == CMD_PHY) { // Set PHY
if (apdu.nc == 0) {
if (file_has_data(ef_phy)) {
res_APDU_size = file_get_size(ef_phy);
memcpy(res_APDU, file_get_data(ef_phy), res_APDU_size);
}
}
else {
if (P2(apdu) == PHY_VIDPID) { // VIDPID
if (apdu.nc != 4) {
return SW_WRONG_LENGTH();
}
phy_data.vid = get_uint16_t_be(apdu.data);
phy_data.pid = get_uint16_t_be(apdu.data + 2);
phy_data.vidpid_present = true;
}
else if (P2(apdu) == PHY_LED_GPIO) {
phy_data.led_gpio = apdu.data[0];
phy_data.led_gpio_present = true;
}
else if (P2(apdu) == PHY_LED_BTNESS) {
phy_data.led_brightness = apdu.data[0];
phy_data.led_brightness_present = true;
}
else if (P2(apdu) == PHY_OPTS) {
if (apdu.nc != 2) {
return SW_WRONG_LENGTH();
}
phy_data.opts = get_uint16_t_be(apdu.data);
}
else {
return SW_INCORRECT_P1P2();
}
if (phy_save() != PICOKEY_OK) {
return SW_EXEC_ERROR();
}
}
}
#endif
#if PICO_RP2350
else if (cmd == CMD_OTP) {
if (apdu.nc < 2) {
return SW_WRONG_LENGTH();
}
uint16_t row = get_uint16_t_be(apdu.data);
bool israw = P2(apdu) == 0x1;
if (apdu.nc == 2) {
if (row > 0xbf && row < 0xf48) {
return SW_WRONG_DATA();
}
if (israw) {
memcpy(res_APDU, otp_buffer_raw(row), apdu.ne);
}
else {
memcpy(res_APDU, otp_buffer(row), apdu.ne);
}
res_APDU_size = apdu.ne;
}
else {
apdu.nc -= 2;
apdu.data += 2;
if (apdu.nc > 1024) {
return SW_WRONG_LENGTH();
}
if (apdu.nc % (israw ? 4 : 2)) {
return SW_WRONG_DATA();
}
uint8_t adata[1024] __attribute__((aligned(4)));
memcpy(adata, apdu.data, apdu.nc);
int ret = 0;
if (israw) {
ret = otp_write_data_raw(row, adata, apdu.nc);
}
else {
ret = otp_write_data(row, adata, apdu.nc);
}
if (ret != 0) {
return SW_EXEC_ERROR();
}
}
}
#endif
#ifdef PICO_PLATFORM
else if (cmd == CMD_REBOOT) {
if (apdu.nc != 0) {
return SW_WRONG_LENGTH();
}
watchdog_reboot(0, 0, 100);
}
#endif
else if (cmd == CMD_MEMORY) {
res_APDU_size = 0;
uint32_t free = flash_free_space(), total = flash_total_space(), used = flash_used_space(), nfiles = flash_num_files(), size = flash_size();
res_APDU_size += put_uint32_t_be(free, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(used, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(total, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(nfiles, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(size, res_APDU + res_APDU_size);
}
else {
return SW_INCORRECT_P1P2();
}

17
src/hsm/cmd_keypair_gen.c
View File

@@ -23,6 +23,9 @@
#include "oid.h"
#include "random.h"
#include "kek.h"
#ifdef ENABLE_PQC
#include "mlkem_native_all.h"
#endif
int cmd_keypair_gen() {
uint8_t key_id = P1(apdu);
@@ -143,7 +146,19 @@ int cmd_keypair_gen() {
return SW_EXEC_ERROR();
}
}
#ifdef ENABLE_PQC
else if (memcmp(oid.data, OID_ML_KEM_768, MIN(oid.len, 10)) == 0) { //Post-Quantum ML KEM 768
uint8_t public_key[MLKEM768_PUBLICKEYBYTES];
uint8_t secret_key[MLKEM768_SECRETKEYBYTES];
int rc = mlkem512_keypair(public_key, secret_key);
if (rc != PICOKEY_OK) {
return SW_EXEC_ERROR();
}
}
#endif
else {
return SW_FUNC_NOT_SUPPORTED();
}
}
}
else {

10
src/hsm/oid.h
View File

@@ -59,6 +59,16 @@
#define OID_ID_TA_ECDSA_SHA_384 OID_ID_TA_ECDSA "\x04"
#define OID_ID_TA_ECDSA_SHA_512 OID_ID_TA_ECDSA "\x05"
#define OID_PQC "\x06\x08\x60\x86\x48\x01\x65\x03\x04"
#define OID_SIGALGS OID_PQC "\x03"
#define OID_ML_DSA_44 OID_SIGALGS "\x11"
#define OID_ML_DSA_65 OID_SIGALGS "\x12"
#define OID_ML_DSA_87 OID_SIGALGS "\x13"
#define OID_KEMS OID_PQC "\x04"
#define OID_ML_KEM_512 OID_KEMS "\x01"
#define OID_ML_KEM_768 OID_KEMS "\x02"
#define OID_ML_KEM_1024 OID_KEMS "\x03"
#define OID_ID_CA OID_BSI_DE "\x02\x02\x03"
#define OID_ID_CA_DH OID_ID_CA "\x01"

7
src/hsm/sc_hsm.h
View File

@@ -19,11 +19,7 @@
#define _SC_HSM_H_
#include <stdlib.h>
#ifndef ESP_PLATFORM
#include "common.h"
#else
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#endif
#include "pico_keys.h"
#include "mbedtls/rsa.h"
#include "mbedtls/ecdsa.h"
#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
@@ -31,7 +27,6 @@
#endif
#include "file.h"
#include "apdu.h"
#include "pico_keys.h"
#include "usb.h"
#define MAX_APDU_DATA (USB_BUFFER_SIZE - 20)