Update README.md

2026-02-05 20:08:14 +05:30
13 changed files with 164 additions and 43 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -21,7 +21,6 @@ set(USB_VID 0x2E8A)
 set(USB_PID 0x10FD)

 if(ESP_PLATFORM)
-    set(ENABLE_PQC 1)
    set(EXTRA_COMPONENT_DIRS pico-keys-sdk/config/esp32/components src/hsm)
    include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 else()
--- a/README.md
+++ b/README.md
@@ -195,8 +195,8 @@ Before building, ensure you have installed the toolchain for the Pico and the Pi

 ```
 git clone https://github.com/polhenarejos/pico-hsm
-git submodule update --init --recursive
 cd pico-hsm
+git submodule update --init --recursive
 mkdir build
 cd build
 PICO_SDK_PATH=/path/to/pico-sdk cmake .. -DPICO_BOARD=board_type -DUSB_VID=0x1234 -DUSB_PID=0x5678
--- a/2
+++ b/2
--- a/sdkconfig.defaults
+++ b/sdkconfig.defaults
@@ -9,7 +9,6 @@ CONFIG_TINYUSB_TASK_STACK_SIZE=16384
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="pico-keys-sdk/config/esp32/partitions.csv"
 CONFIG_PARTITION_TABLE_FILENAME="pico-keys-sdk/config/esp32/partitions.csv"
-CONFIG_PARTITION_TABLE_OFFSET=0x10000
 CONFIG_ESPTOOLPY_FLASHSIZE_4MB=y
 CONFIG_ESPTOOLPY_FLASHMODE_QIO=y
 CONFIG_ESP_DEFAULT_CPU_FREQ_MHZ_240=y
--- a/src/hsm/cmd_extras.c
+++ b/src/hsm/cmd_extras.c
@@ -17,6 +17,13 @@

 #include "sc_hsm.h"
 #include "mbedtls/ecdh.h"
+#ifdef PICO_PLATFORM
+#include "pico/aon_timer.h"
+#include "hardware/watchdog.h"
+#else
+#include <sys/time.h>
+#include <time.h>
+#endif
 #include "files.h"
 #include "random.h"
 #include "kek.h"
@@ -50,7 +57,50 @@ int cmd_extras() {
    if (wait_button_pressed() == true) {
        return SW_SECURE_MESSAGE_EXEC_ERROR();
    }
-    if (cmd == CMD_DYNOPS) {   //dynamic options
+    if (cmd == CMD_DATETIME) { //datetime operations
+        if (P2(apdu) != 0x0) {
+            return SW_INCORRECT_P1P2();
+        }
+        if (apdu.nc == 0) {
+#ifdef PICO_PLATFORM
+            struct timespec tv;
+            aon_timer_get_time(&tv);
+#else
+            struct timeval tv;
+            gettimeofday(&tv, NULL);
+#endif
+            struct tm *tm = localtime(&tv.tv_sec);
+            res_APDU_size += put_uint16_t_be(tm->tm_year + 1900, res_APDU);
+            res_APDU[res_APDU_size++] = tm->tm_mon;
+            res_APDU[res_APDU_size++] = tm->tm_mday;
+            res_APDU[res_APDU_size++] = tm->tm_wday;
+            res_APDU[res_APDU_size++] = tm->tm_hour;
+            res_APDU[res_APDU_size++] = tm->tm_min;
+            res_APDU[res_APDU_size++] = tm->tm_sec;
+        }
+        else {
+            if (apdu.nc != 8) {
+                return SW_WRONG_LENGTH();
+            }
+            struct tm tm;
+            tm.tm_year = get_uint16_t_be(apdu.data) - 1900;
+            tm.tm_mon = apdu.data[2];
+            tm.tm_mday = apdu.data[3];
+            tm.tm_wday = apdu.data[4];
+            tm.tm_hour = apdu.data[5];
+            tm.tm_min = apdu.data[6];
+            tm.tm_sec = apdu.data[7];
+            time_t tv_sec = mktime(&tm);
+#ifdef PICO_PLATFORM
+            struct timespec tv = {.tv_sec = tv_sec, .tv_nsec = 0};
+            aon_timer_set_time(&tv);
+#else
+            struct timeval tv = {.tv_sec = tv_sec, .tv_usec = 0};
+            settimeofday(&tv, NULL);
+#endif
+        }
+    }
+    else if (cmd == CMD_DYNOPS) {   //dynamic options
        if (P2(apdu) != 0x0) {
            return SW_INCORRECT_P1P2();
        }
@@ -151,6 +201,106 @@ int cmd_extras() {
            }
        }
    }
+#ifndef ENABLE_EMULATION
+    else if (cmd == CMD_PHY) { // Set PHY
+        if (apdu.nc == 0) {
+            if (file_has_data(ef_phy)) {
+                res_APDU_size = file_get_size(ef_phy);
+                memcpy(res_APDU, file_get_data(ef_phy), res_APDU_size);
+            }
+        }
+        else {
+            if (P2(apdu) == PHY_VIDPID) { // VIDPID
+                if (apdu.nc != 4) {
+                    return SW_WRONG_LENGTH();
+                }
+                phy_data.vid = get_uint16_t_be(apdu.data);
+                phy_data.pid = get_uint16_t_be(apdu.data + 2);
+                phy_data.vidpid_present = true;
+            }
+            else if (P2(apdu) == PHY_LED_GPIO) {
+                phy_data.led_gpio = apdu.data[0];
+                phy_data.led_gpio_present = true;
+            }
+            else if (P2(apdu) == PHY_LED_BTNESS) {
+                phy_data.led_brightness = apdu.data[0];
+                phy_data.led_brightness_present = true;
+            }
+            else if (P2(apdu) == PHY_OPTS) {
+                if (apdu.nc != 2) {
+                    return SW_WRONG_LENGTH();
+                }
+                phy_data.opts = get_uint16_t_be(apdu.data);
+            }
+            else {
+                return SW_INCORRECT_P1P2();
+            }
+            if (phy_save() != PICOKEY_OK) {
+                return SW_EXEC_ERROR();
+            }
+        }
+    }
+#endif
+#if PICO_RP2350
+    else if (cmd == CMD_OTP) {
+        if (apdu.nc < 2) {
+            return SW_WRONG_LENGTH();
+        }
+        uint16_t row = get_uint16_t_be(apdu.data);
+        bool israw = P2(apdu) == 0x1;
+        if (apdu.nc == 2) {
+            if (row > 0xbf && row < 0xf48) {
+                return SW_WRONG_DATA();
+            }
+            if (israw) {
+                memcpy(res_APDU, otp_buffer_raw(row), apdu.ne);
+            }
+            else {
+                memcpy(res_APDU, otp_buffer(row), apdu.ne);
+            }
+            res_APDU_size = apdu.ne;
+        }
+        else {
+            apdu.nc -= 2;
+            apdu.data += 2;
+            if (apdu.nc > 1024) {
+                return SW_WRONG_LENGTH();
+            }
+            if (apdu.nc % (israw ? 4 : 2)) {
+                return SW_WRONG_DATA();
+            }
+            uint8_t adata[1024] __attribute__((aligned(4)));
+            memcpy(adata, apdu.data, apdu.nc);
+            int ret = 0;
+            if (israw) {
+                ret = otp_write_data_raw(row, adata, apdu.nc);
+            }
+            else {
+                ret = otp_write_data(row, adata, apdu.nc);
+            }
+            if (ret != 0) {
+                return SW_EXEC_ERROR();
+            }
+        }
+    }
+#endif
+#ifdef PICO_PLATFORM
+    else if (cmd == CMD_REBOOT) {
+        if (apdu.nc != 0) {
+            return SW_WRONG_LENGTH();
+        }
+        watchdog_reboot(0, 0, 100);
+    }
+#endif
+    else if (cmd == CMD_MEMORY) {
+        res_APDU_size = 0;
+        uint32_t free = flash_free_space(), total = flash_total_space(), used = flash_used_space(), nfiles = flash_num_files(), size = flash_size();
+        res_APDU_size += put_uint32_t_be(free, res_APDU + res_APDU_size);
+        res_APDU_size += put_uint32_t_be(used, res_APDU + res_APDU_size);
+        res_APDU_size += put_uint32_t_be(total, res_APDU + res_APDU_size);
+        res_APDU_size += put_uint32_t_be(nfiles, res_APDU + res_APDU_size);
+        res_APDU_size += put_uint32_t_be(size, res_APDU + res_APDU_size);
+    }
    else {
        return SW_INCORRECT_P1P2();
    }
--- a/src/hsm/cmd_keypair_gen.c
+++ b/src/hsm/cmd_keypair_gen.c
@@ -23,9 +23,6 @@
 #include "oid.h"
 #include "random.h"
 #include "kek.h"
-#ifdef ENABLE_PQC
-#include "mlkem_native_all.h"
-#endif

 int cmd_keypair_gen() {
    uint8_t key_id = P1(apdu);
@@ -146,19 +143,7 @@ int cmd_keypair_gen() {
                    return SW_EXEC_ERROR();
                }
            }
-#ifdef ENABLE_PQC
-            else if (memcmp(oid.data, OID_ML_KEM_768, MIN(oid.len, 10)) == 0) { //Post-Quantum ML KEM 768
-                uint8_t public_key[MLKEM768_PUBLICKEYBYTES];
-                uint8_t secret_key[MLKEM768_SECRETKEYBYTES];
-                int rc = mlkem512_keypair(public_key, secret_key);
-                if (rc != PICOKEY_OK) {
-                    return SW_EXEC_ERROR();
-                }
-            }
-#endif
-            else {
-                return SW_FUNC_NOT_SUPPORTED();
-            }
+
        }
    }
    else {
--- a/src/hsm/cmd_reset_retry.c
+++ b/src/hsm/cmd_reset_retry.c
@@ -34,9 +34,6 @@ int cmd_reset_retry() {
        return SW_COMMAND_NOT_ALLOWED();
    }
    if (P1(apdu) == 0x0 || P1(apdu) == 0x2) {
-        if (opts & HSM_OPT_RRC_RESET_ONLY) {
-            return SW_COMMAND_NOT_ALLOWED();
-        }
        uint8_t newpin_len = 0;
        if (P1(apdu) == 0x0) {
            uint8_t so_pin_len = file_read_uint8(file_sopin);
@@ -81,6 +78,9 @@ int cmd_reset_retry() {
        return SW_OK();
    }
    else if (P1(apdu) == 0x1 || P1(apdu) == 0x3) {
+        if (!(opts & HSM_OPT_RRC_RESET_ONLY)) {
+            return SW_COMMAND_NOT_ALLOWED();
+        }
        if (P1(apdu) == 0x1) {
            uint8_t so_pin_len = file_read_uint8(file_sopin);
            if (apdu.nc != so_pin_len) {
--- a/src/hsm/cmd_signature.c
+++ b/src/hsm/cmd_signature.c
@@ -305,9 +305,6 @@ int cmd_signature() {
            mbedtls_ecp_keypair_free(&hd_context);
            return SW_INCORRECT_PARAMS();
        }
-        if (wait_button_pressed() == true) { // timeout
-            return SW_SECURE_MESSAGE_EXEC_ERROR();
-        }
        md = MBEDTLS_MD_SHA256;
        if (mbedtls_ecdsa_write_signature(&hd_context, md, apdu.data, apdu.nc, buf,
                                          MBEDTLS_ECDSA_MAX_LEN,
--- a/src/hsm/oid.h
+++ b/src/hsm/oid.h
@@ -59,16 +59,6 @@
 #define OID_ID_TA_ECDSA_SHA_384         OID_ID_TA_ECDSA "\x04"
 #define OID_ID_TA_ECDSA_SHA_512         OID_ID_TA_ECDSA "\x05"

-#define OID_PQC                         "\x06\x08\x60\x86\x48\x01\x65\x03\x04"
-#define OID_SIGALGS                     OID_PQC "\x03"
-#define OID_ML_DSA_44                   OID_SIGALGS "\x11"
-#define OID_ML_DSA_65                   OID_SIGALGS "\x12"
-#define OID_ML_DSA_87                   OID_SIGALGS "\x13"
-#define OID_KEMS                        OID_PQC "\x04"
-#define OID_ML_KEM_512                  OID_KEMS "\x01"
-#define OID_ML_KEM_768                  OID_KEMS "\x02"
-#define OID_ML_KEM_1024                 OID_KEMS "\x03"
-
 #define OID_ID_CA                       OID_BSI_DE "\x02\x02\x03"

 #define OID_ID_CA_DH                    OID_ID_CA "\x01"
--- a/src/hsm/sc_hsm.c
+++ b/src/hsm/sc_hsm.c
@@ -522,11 +522,7 @@ uint32_t decrement_key_counter(file_t *fkey) {
 int store_keys(void *key_ctx, int type, uint8_t key_id) {
    int r = 0;
    uint16_t key_size = 0;
-#ifdef ENABLE_EMULATION
-    uint8_t kdata[8192 / 8]; // worst case
-#else
    uint8_t kdata[4096 / 8]; // worst case
-#endif
    if (type & PICO_KEYS_KEY_RSA) {
        mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx;
        key_size = (uint16_t)mbedtls_mpi_size(&rsa->P) + (uint16_t)mbedtls_mpi_size(&rsa->Q);
--- a/src/hsm/sc_hsm.h
+++ b/src/hsm/sc_hsm.h
@@ -19,7 +19,11 @@
 #define _SC_HSM_H_

 #include <stdlib.h>
-#include "pico_keys.h"
+#ifndef ESP_PLATFORM
+#include "common.h"
+#else
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+#endif
 #include "mbedtls/rsa.h"
 #include "mbedtls/ecdsa.h"
 #if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
@@ -27,6 +31,7 @@
 #endif
 #include "file.h"
 #include "apdu.h"
+#include "pico_keys.h"
 #include "usb.h"

 #define MAX_APDU_DATA (USB_BUFFER_SIZE - 20)
--- a/tests/memory.tar.gz
+++ b/tests/memory.tar.gz
--- a/tests/scripts/func.sh
+++ b/tests/scripts/func.sh
@@ -21,7 +21,7 @@ gen_and_check() {
        glabel="EC_POINT 512 bits"
        ;;
    *"521"*)
-        glabel="EC_POINT 52"
+        glabel="EC_POINT 528 bits"
        ;;
    *"rsa"*)
        IFS=: read -r v1 bits <<< "$1"