23 Commits

Author SHA1 Message Date
Pol Henarejos
98123046e5 Revert "Enable pytests"
This reverts commit 96734c3a47.
2026-02-25 20:25:08 +01:00
Pol Henarejos
f96b189eb0 Fix parsing 521 key for openssl>3.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-25 20:17:02 +01:00
Pol Henarejos
bd47ba479e Update memory layout for tests.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-25 20:16:41 +01:00
Pol Henarejos
5269c72b9c Fix reset retry only resets flag.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-25 20:16:32 +01:00
Pol Henarejos
19c70341a2 Update memory layout for tests
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-25 19:54:52 +01:00
Pol Henarejos
96734c3a47 Enable pytests
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-25 19:54:41 +01:00
Pol Henarejos
69015b84d9 Increase buffer size for non-pico.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-02-25 19:33:38 +01:00
Pol Henarejos
fcc82458ba Merge branch 'master' into development
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>

# Conflicts:
#	CMakeLists.txt
#	pico-keys-sdk
2026-02-25 15:51:25 +01:00
Pol Henarejos
64c79fccd4 Let's link directly with mbedtls
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-01-22 11:50:12 +01:00
Pol Henarejos
9fb1e36954 First attempt for PQC
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-01-22 11:23:33 +01:00
Pol Henarejos
4348f09c6f Upgrade pico keys sdk layout.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2026-01-22 11:23:11 +01:00
Pol Henarejos
16b62ca761 Merge branch 'master' into development 2026-01-07 23:39:24 +01:00
Pol Henarejos
045f9dca79 Releaser is available up to 6.7.0
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-12-26 19:53:21 +01:00
Pol Henarejos
1768ab5a0f Merge branch 'master' into development 2025-12-11 20:05:13 +01:00
Pol Henarejos
6a04b487d0 Merge branch 'master' into development 2025-12-11 19:59:46 +01:00
Pol Henarejos
49f0706b06 Merge branch 'master' into development 2025-12-11 19:56:16 +01:00
Pol Henarejos
cdd7b6833d Merge branch 'master' into development 2025-12-09 15:51:34 +01:00
Pol Henarejos
a7b28e87f9 Merge branch 'master' into development 2025-12-02 10:18:58 +01:00
Pol Henarejos
c3ed23dc42 Merge branch 'master' into development 2025-10-26 20:19:11 +01:00
Pol Henarejos
7ecf361fec Press button when signing with HD.
Fixes #103.

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-08-26 13:38:50 +02:00
Pol Henarejos
ca82a9c9c7 Merge branch 'master' into development 2025-08-26 11:01:38 +02:00
Pol Henarejos
e4b37437d3 Fix for rp2350 build.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-08-25 01:39:19 +02:00
Pol Henarejos
4f42e0344e Do not call pico_sdk_init.
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
2025-08-25 01:35:48 +02:00
11 changed files with 41 additions and 163 deletions


@@ -21,6 +21,7 @@ set(USB_VID 0x2E8A)
set(USB_PID 0x10FD) set(USB_PID 0x10FD)
if(ESP_PLATFORM) if(ESP_PLATFORM)
set(ENABLE_PQC 1)
set(EXTRA_COMPONENT_DIRS pico-keys-sdk/config/esp32/components src/hsm) set(EXTRA_COMPONENT_DIRS pico-keys-sdk/config/esp32/components src/hsm)
include($ENV{IDF_PATH}/tools/cmake/project.cmake) include($ENV{IDF_PATH}/tools/cmake/project.cmake)
else() else()
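Review bot: `set(ENABLE_PQC 1)` switches the post-quantum path on for every ESP build with no way to opt out, while the code it guards in the key-generation command on this page comes from a commit titled "First attempt for PQC". An `option(ENABLE_PQC "Build experimental ML-KEM support" OFF)` would keep it out of default firmware until that path is complete. Whether this CMake variable reaches the compiler as an `ENABLE_PQC` definition is not visible in the hunk, and the `#ifdef ENABLE_PQC` guards depend on it.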


@@ -17,13 +17,6 @@
#include "sc_hsm.h" #include "sc_hsm.h"
#include "mbedtls/ecdh.h" #include "mbedtls/ecdh.h"
#ifdef PICO_PLATFORM
#include "pico/aon_timer.h"
#include "hardware/watchdog.h"
#else
#include <sys/time.h>
#include <time.h>
#endif
#include "files.h" #include "files.h"
#include "random.h" #include "random.h"
#include "kek.h" #include "kek.h"
@@ -57,50 +50,7 @@ int cmd_extras() {
if (wait_button_pressed() == true) { if (wait_button_pressed() == true) {
return SW_SECURE_MESSAGE_EXEC_ERROR(); return SW_SECURE_MESSAGE_EXEC_ERROR();
} }
if (cmd == CMD_DATETIME) { //datetime operations if (cmd == CMD_DYNOPS) { //dynamic options
if (P2(apdu) != 0x0) {
return SW_INCORRECT_P1P2();
}
if (apdu.nc == 0) {
#ifdef PICO_PLATFORM
struct timespec tv;
aon_timer_get_time(&tv);
#else
struct timeval tv;
gettimeofday(&tv, NULL);
#endif
struct tm *tm = localtime(&tv.tv_sec);
res_APDU_size += put_uint16_t_be(tm->tm_year + 1900, res_APDU);
res_APDU[res_APDU_size++] = tm->tm_mon;
res_APDU[res_APDU_size++] = tm->tm_mday;
res_APDU[res_APDU_size++] = tm->tm_wday;
res_APDU[res_APDU_size++] = tm->tm_hour;
res_APDU[res_APDU_size++] = tm->tm_min;
res_APDU[res_APDU_size++] = tm->tm_sec;
}
else {
if (apdu.nc != 8) {
return SW_WRONG_LENGTH();
}
struct tm tm;
tm.tm_year = get_uint16_t_be(apdu.data) - 1900;
tm.tm_mon = apdu.data[2];
tm.tm_mday = apdu.data[3];
tm.tm_wday = apdu.data[4];
tm.tm_hour = apdu.data[5];
tm.tm_min = apdu.data[6];
tm.tm_sec = apdu.data[7];
time_t tv_sec = mktime(&tm);
#ifdef PICO_PLATFORM
struct timespec tv = {.tv_sec = tv_sec, .tv_nsec = 0};
aon_timer_set_time(&tv);
#else
struct timeval tv = {.tv_sec = tv_sec, .tv_usec = 0};
settimeofday(&tv, NULL);
#endif
}
}
else if (cmd == CMD_DYNOPS) { //dynamic options
if (P2(apdu) != 0x0) { if (P2(apdu) != 0x0) {
return SW_INCORRECT_P1P2(); return SW_INCORRECT_P1P2();
} }
@@ -201,106 +151,6 @@ int cmd_extras() {
} }
} }
} }
#ifndef ENABLE_EMULATION
else if (cmd == CMD_PHY) { // Set PHY
if (apdu.nc == 0) {
if (file_has_data(ef_phy)) {
res_APDU_size = file_get_size(ef_phy);
memcpy(res_APDU, file_get_data(ef_phy), res_APDU_size);
}
}
else {
if (P2(apdu) == PHY_VIDPID) { // VIDPID
if (apdu.nc != 4) {
return SW_WRONG_LENGTH();
}
phy_data.vid = get_uint16_t_be(apdu.data);
phy_data.pid = get_uint16_t_be(apdu.data + 2);
phy_data.vidpid_present = true;
}
else if (P2(apdu) == PHY_LED_GPIO) {
phy_data.led_gpio = apdu.data[0];
phy_data.led_gpio_present = true;
}
else if (P2(apdu) == PHY_LED_BTNESS) {
phy_data.led_brightness = apdu.data[0];
phy_data.led_brightness_present = true;
}
else if (P2(apdu) == PHY_OPTS) {
if (apdu.nc != 2) {
return SW_WRONG_LENGTH();
}
phy_data.opts = get_uint16_t_be(apdu.data);
}
else {
return SW_INCORRECT_P1P2();
}
if (phy_save() != PICOKEY_OK) {
return SW_EXEC_ERROR();
}
}
}
#endif
#if PICO_RP2350
else if (cmd == CMD_OTP) {
if (apdu.nc < 2) {
return SW_WRONG_LENGTH();
}
uint16_t row = get_uint16_t_be(apdu.data);
bool israw = P2(apdu) == 0x1;
if (apdu.nc == 2) {
if (row > 0xbf && row < 0xf48) {
return SW_WRONG_DATA();
}
if (israw) {
memcpy(res_APDU, otp_buffer_raw(row), apdu.ne);
}
else {
memcpy(res_APDU, otp_buffer(row), apdu.ne);
}
res_APDU_size = apdu.ne;
}
else {
apdu.nc -= 2;
apdu.data += 2;
if (apdu.nc > 1024) {
return SW_WRONG_LENGTH();
}
if (apdu.nc % (israw ? 4 : 2)) {
return SW_WRONG_DATA();
}
uint8_t adata[1024] __attribute__((aligned(4)));
memcpy(adata, apdu.data, apdu.nc);
int ret = 0;
if (israw) {
ret = otp_write_data_raw(row, adata, apdu.nc);
}
else {
ret = otp_write_data(row, adata, apdu.nc);
}
if (ret != 0) {
return SW_EXEC_ERROR();
}
}
}
#endif
#ifdef PICO_PLATFORM
else if (cmd == CMD_REBOOT) {
if (apdu.nc != 0) {
return SW_WRONG_LENGTH();
}
watchdog_reboot(0, 0, 100);
}
#endif
else if (cmd == CMD_MEMORY) {
res_APDU_size = 0;
uint32_t free = flash_free_space(), total = flash_total_space(), used = flash_used_space(), nfiles = flash_num_files(), size = flash_size();
res_APDU_size += put_uint32_t_be(free, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(used, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(total, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(nfiles, res_APDU + res_APDU_size);
res_APDU_size += put_uint32_t_be(size, res_APDU + res_APDU_size);
}
else { else {
return SW_INCORRECT_P1P2(); return SW_INCORRECT_P1P2();
} }


@@ -23,6 +23,9 @@
#include "oid.h" #include "oid.h"
#include "random.h" #include "random.h"
#include "kek.h" #include "kek.h"
#ifdef ENABLE_PQC
#include "mlkem_native_all.h"
#endif
int cmd_keypair_gen() { int cmd_keypair_gen() {
uint8_t key_id = P1(apdu); uint8_t key_id = P1(apdu);
@@ -143,7 +146,19 @@ int cmd_keypair_gen() {
return SW_EXEC_ERROR(); return SW_EXEC_ERROR();
} }
} }
#ifdef ENABLE_PQC
else if (memcmp(oid.data, OID_ML_KEM_768, MIN(oid.len, 10)) == 0) { //Post-Quantum ML KEM 768
uint8_t public_key[MLKEM768_PUBLICKEYBYTES];
uint8_t secret_key[MLKEM768_SECRETKEYBYTES];
int rc = mlkem512_keypair(public_key, secret_key);
if (rc != PICOKEY_OK) {
return SW_EXEC_ERROR();
}
}
#endif
else {
return SW_FUNC_NOT_SUPPORTED();
}
} }
} }
else { else {
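Review bot: The ML-KEM branch added to cmd_keypair_gen compares only `MIN(oid.len, 10)` bytes, but `OID_ML_KEM_768` as defined on this page is 11 bytes long, so the final byte that separates the 512, 768 and 1024 parameter sets is never checked, and a shorter `oid.len` matches on a prefix alone. The body then calls `mlkem512_keypair` into buffers sized with `MLKEM768_*`, so the key generated is not the one the OID names. Compare the whole OID, `oid.len == sizeof(OID_ML_KEM_768) - 1 && memcmp(oid.data, OID_ML_KEM_768, oid.len) == 0`, and call the keypair routine of the matching parameter set. The key pair is also dropped when the block ends: nothing is stored or returned, and `secret_key` stays on the stack without a `mbedtls_platform_zeroize(secret_key, sizeof(secret_key));`. The function starts and ends outside the hunk.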


@@ -34,6 +34,9 @@ int cmd_reset_retry() {
return SW_COMMAND_NOT_ALLOWED(); return SW_COMMAND_NOT_ALLOWED();
} }
if (P1(apdu) == 0x0 || P1(apdu) == 0x2) { if (P1(apdu) == 0x0 || P1(apdu) == 0x2) {
if (opts & HSM_OPT_RRC_RESET_ONLY) {
return SW_COMMAND_NOT_ALLOWED();
}
uint8_t newpin_len = 0; uint8_t newpin_len = 0;
if (P1(apdu) == 0x0) { if (P1(apdu) == 0x0) {
uint8_t so_pin_len = file_read_uint8(file_sopin); uint8_t so_pin_len = file_read_uint8(file_sopin);
@@ -78,9 +81,6 @@ int cmd_reset_retry() {
return SW_OK(); return SW_OK();
} }
else if (P1(apdu) == 0x1 || P1(apdu) == 0x3) { else if (P1(apdu) == 0x1 || P1(apdu) == 0x3) {
if (!(opts & HSM_OPT_RRC_RESET_ONLY)) {
return SW_COMMAND_NOT_ALLOWED();
}
if (P1(apdu) == 0x1) { if (P1(apdu) == 0x1) {
uint8_t so_pin_len = file_read_uint8(file_sopin); uint8_t so_pin_len = file_read_uint8(file_sopin);
if (apdu.nc != so_pin_len) { if (apdu.nc != so_pin_len) {
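Review bot: The relocated `HSM_OPT_RRC_RESET_ONLY` check changes which P1 values are authorised, and nothing in the hunk records the intended rule. A comment above it such as `/* RESET_ONLY: the retry counter may be cleared (P1 = 1/3) but no new PIN may be set (P1 = 0/2) */` would make the policy reviewable; that reading is inferred from the flag name and the `newpin_len` handling that follows, so confirm it against the option's definition. With the old guard removed, P1 = 0x1/0x3 is accepted whether or not the flag is set, which deserves a test case for both flag states. cmd_reset_retry continues outside both hunks.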


@@ -305,6 +305,9 @@ int cmd_signature() {
mbedtls_ecp_keypair_free(&hd_context); mbedtls_ecp_keypair_free(&hd_context);
return SW_INCORRECT_PARAMS(); return SW_INCORRECT_PARAMS();
} }
if (wait_button_pressed() == true) { // timeout
return SW_SECURE_MESSAGE_EXEC_ERROR();
}
md = MBEDTLS_MD_SHA256; md = MBEDTLS_MD_SHA256;
if (mbedtls_ecdsa_write_signature(&hd_context, md, apdu.data, apdu.nc, buf, if (mbedtls_ecdsa_write_signature(&hd_context, md, apdu.data, apdu.nc, buf,
MBEDTLS_ECDSA_MAX_LEN, MBEDTLS_ECDSA_MAX_LEN,
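Review bot: The new timeout return leaves `hd_context` unreleased: the error path immediately above calls `mbedtls_ecp_keypair_free(&hd_context);` before returning, and the added branch returns without it, so the derived private key stays in memory when the button is not pressed. Add the same call before the return, `mbedtls_ecp_keypair_free(&hd_context); return SW_SECURE_MESSAGE_EXEC_ERROR();`. cmd_signature starts and ends outside the hunk, so any other cleanup the function owes at this point is not visible here.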


@@ -59,6 +59,16 @@
#define OID_ID_TA_ECDSA_SHA_384 OID_ID_TA_ECDSA "\x04" #define OID_ID_TA_ECDSA_SHA_384 OID_ID_TA_ECDSA "\x04"
#define OID_ID_TA_ECDSA_SHA_512 OID_ID_TA_ECDSA "\x05" #define OID_ID_TA_ECDSA_SHA_512 OID_ID_TA_ECDSA "\x05"
#define OID_PQC "\x06\x08\x60\x86\x48\x01\x65\x03\x04"
#define OID_SIGALGS OID_PQC "\x03"
#define OID_ML_DSA_44 OID_SIGALGS "\x11"
#define OID_ML_DSA_65 OID_SIGALGS "\x12"
#define OID_ML_DSA_87 OID_SIGALGS "\x13"
#define OID_KEMS OID_PQC "\x04"
#define OID_ML_KEM_512 OID_KEMS "\x01"
#define OID_ML_KEM_768 OID_KEMS "\x02"
#define OID_ML_KEM_1024 OID_KEMS "\x03"
#define OID_ID_CA OID_BSI_DE "\x02\x02\x03" #define OID_ID_CA OID_BSI_DE "\x02\x02\x03"
#define OID_ID_CA_DH OID_ID_CA "\x01" #define OID_ID_CA_DH OID_ID_CA "\x01"
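Review bot: `OID_PQC` begins with `\x06\x08`, which reads as a DER OBJECT IDENTIFIER tag followed by a length of 8, yet the ML-DSA and ML-KEM constants built from it carry nine value bytes after those two, so the embedded length would be off by one. If the neighbouring `OID_*` macros hold value bytes only (their base definitions are outside the hunk), the prefix also means a comparison against a value-only `oid.data` can never match. In that case the base should be `#define OID_PQC "\x60\x86\x48\x01\x65\x03\x04"`. A short comment giving the dotted form of each arc next to `OID_SIGALGS` and `OID_KEMS` would let the byte strings be checked at a glance.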


@@ -522,7 +522,11 @@ uint32_t decrement_key_counter(file_t *fkey) {
int store_keys(void *key_ctx, int type, uint8_t key_id) { int store_keys(void *key_ctx, int type, uint8_t key_id) {
int r = 0; int r = 0;
uint16_t key_size = 0; uint16_t key_size = 0;
#ifdef ENABLE_EMULATION
uint8_t kdata[8192 / 8]; // worst case
#else
uint8_t kdata[4096 / 8]; // worst case uint8_t kdata[4096 / 8]; // worst case
#endif
if (type & PICO_KEYS_KEY_RSA) { if (type & PICO_KEYS_KEY_RSA) {
mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx; mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) key_ctx;
key_size = (uint16_t)mbedtls_mpi_size(&rsa->P) + (uint16_t)mbedtls_mpi_size(&rsa->Q); key_size = (uint16_t)mbedtls_mpi_size(&rsa->P) + (uint16_t)mbedtls_mpi_size(&rsa->Q);
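Review bot: `kdata` is a fixed stack buffer whose "worst case" size now depends on `ENABLE_EMULATION`, and the hunk shows `key_size` computed from the sizes of P and Q with no comparison against `sizeof(kdata)`. If no such check follows further down in store_keys, which continues outside the hunk, a key larger than the assumed worst case overruns the buffer. A guard right after the size is known, `if (key_size > sizeof(kdata))` returning the function's error code, makes the bound explicit instead of relying on the comment. The commit title says "non-pico" while the condition is `ENABLE_EMULATION`, so other non-Pico builds keep the 512-byte buffer; confirm that is intended.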


@@ -19,11 +19,7 @@
#define _SC_HSM_H_ #define _SC_HSM_H_
#include <stdlib.h> #include <stdlib.h>
#ifndef ESP_PLATFORM #include "pico_keys.h"
#include "common.h"
#else
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#endif
#include "mbedtls/rsa.h" #include "mbedtls/rsa.h"
#include "mbedtls/ecdsa.h" #include "mbedtls/ecdsa.h"
#if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM) #if !defined(ENABLE_EMULATION) && !defined(ESP_PLATFORM)
@@ -31,7 +27,6 @@
#endif #endif
#include "file.h" #include "file.h"
#include "apdu.h" #include "apdu.h"
#include "pico_keys.h"
#include "usb.h" #include "usb.h"
#define MAX_APDU_DATA (USB_BUFFER_SIZE - 20) #define MAX_APDU_DATA (USB_BUFFER_SIZE - 20)

Binary file not shown.


@@ -21,7 +21,7 @@ gen_and_check() {
glabel="EC_POINT 512 bits" glabel="EC_POINT 512 bits"
;; ;;
*"521"*) *"521"*)
glabel="EC_POINT 528 bits" glabel="EC_POINT 52"
;; ;;
*"rsa"*) *"rsa"*)
IFS=: read -r v1 bits <<< "$1" IFS=: read -r v1 bits <<< "$1"