ports/esp32: Add ESP32-S3 digital signature support. #19121
edel-macias-cubix wants to merge 1 commit into micropython:master from
Thanks for the contribution, this appears to be a useful, but somewhat niche functionality, so it is good that it is properly guarded and disabled by default. I do not think that there should be two additional variants defined though. Instead a custom build should be enabled by defining the macro as a build flag.
@Josverl Thanks for the suggestion, I've removed the variants and added a build flag for it:
Thanks for the quick update.
Please add that, **the test should first check if the feature is activated on the test target, and SKIP otherwise.** I hope that that does not require permanently burning fuses. That would allow repeatable tests with actual hardware.
I've added tests for this, however, they require burning eFuses. I've used a board with the same key set in the tests and it worked correctly. I then retried with a different board with another key and a brand new board: both failed as expected. The test is guarded by imports. I've also added under ports/esp32/tools/gen_ds_blob.py the utility to generate the DS blob so users can easily generate them and use the added functionality.
Expose the ESP32-S3 DS peripheral through esp32.DS when enabled. Wire the port into the build, add build flags, and document the API. Add tests for ESP32-S3 DS peripheral functionality. Add DS blob generation tool for ease of use.

Signed-off-by: Edel Macias <edel.macias@cubix.com.mx>

Summary
MicroPython builds don't have access to the underlying ESP-IDF DS (Digital Signature Peripheral), which allows using keys saved in eFuses to retrieve an encrypted private key and then generate a signature for a given payload.
This PR adds an entrypoint to support DS operations from ESP-IDF via esp32.DS, which is added to builds via new board variants for ESP32-S3:
and
Other variants and builds don't include DS, as it is a somewhat niche use case.
Having this functionality available allows for device verification/authentication.
Testing
Trade-offs and Alternatives
Main tradeoff is a slight increase in build size, which is balanced with increased functionality.
DS support remains fully opt-in.
Generative AI
I used generative AI tools when creating this PR, but a human has checked the
code and is responsible for the code and the description above.
Additional notes
Using this functionality requires building a DS blob that encrypts a private key using the HMAC key burnt into the eFuses in a format that ESP-IDF accepts. I have the Python script that generates them but was unsure where to put it, if at all. It was made using the same logic as the ESP-IDF test files for DS.
I also have the testing code I used on the board to perform payload signing using the feature and DS blob.
I think they would be very useful but I'd like some guidance on this.
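
For the blob preparation described in the Additional notes, the sketch below (an added example, not the PR's gen_ds_blob.py or ESP-IDF code) derives the AES key from the HMAC key and assembles the plaintext parameter block that a generator would then encrypt with AES-256-CBC. The field layout and the 4096-bit operand width are assumptions taken from Espressif's published description of the DS peripheral; the function names and the toy key are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAX_BITS = 4096  # assumption: ESP32-S3 DS operands are stored 4096 bits wide


def le(n: int) -> bytes:
    """Encode an operand little-endian, zero-padded to MAX_BITS."""
    return n.to_bytes(MAX_BITS // 8, "little")


def ds_plaintext(y: int, m: int, key_bits: int, hmac_key: bytes, iv: bytes):
    """Return (aes_key, P); P is what gets AES-256-CBC encrypted into the blob."""
    if key_bits % 32 or not 0 < key_bits <= MAX_BITS:
        raise ValueError("key length must be a multiple of 32 bits, at most 4096")
    if m % 2 == 0 or m >> key_bits or not 0 < y < m:
        raise ValueError("modulus must be odd and fit key_bits; need 0 < y < m")
    if len(hmac_key) != 32 or len(iv) != 16:
        raise ValueError("need a 32-byte HMAC key and a 16-byte IV")
    # The DS peripheral re-derives this key in hardware from the eFuse HMAC
    # key, using 256 one-bits as the HMAC message.
    aes_key = hmac.new(hmac_key, b"\xff" * 32, hashlib.sha256).digest()
    rb = (1 << (2 * key_bits)) % m                   # Montgomery r^2 mod M
    m_prime = (-pow(m, -1, 1 << 32)) & 0xFFFFFFFF    # -M^-1 mod 2^32
    tail = struct.pack("<II", m_prime, key_bits // 32 - 1)  # M' and L
    operands = le(y) + le(m) + le(rb)
    md = hashlib.sha256(operands + tail + iv).digest()  # integrity digest
    return aes_key, operands + md + tail + b"\x08" * 8  # 8 bytes of padding


def constructed_sample():
    """Toy key from two Mersenne primes: insecure, only exercises the layout."""
    p, q = 2**521 - 1, 2**127 - 1
    m = p * q
    y = pow(65537, -1, (p - 1) * (q - 1))  # private exponent for e = 65537
    hmac_key, iv = bytes(range(32)), bytes(16)  # constructed, not secrets
    return y, m, hmac_key, iv, ds_plaintext(y, m, 1024, hmac_key, iv)
```

The HMAC key and the unencrypted private exponent are both present in host memory while this runs, so blob generation belongs on the provisioning host rather than on the device.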