mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
mqtt/ssl_ds: Remove unwanted references to configure_ds.py, Also updated
the DS documentation
This commit is contained in:
parent
cbecb2e944
commit
c88b27f285
@ -63,13 +63,9 @@ The configuration involves the following steps -
|
||||
|
||||
For more details, see *{IDF_TARGET_NAME} Technical Reference Manual* > *Digital Signature (DS)* [`PDF <{IDF_TARGET_TRM_EN_URL}#digsig>`__].
|
||||
|
||||
To configure the DS peripheral for development purposes, you can use the python script :example_file:`configure_ds.py<protocols/mqtt/ssl_ds/configure_ds.py>`.
|
||||
More details about the `configure_ds.py` script can be found at :example_file:`mqtt example README <protocols/mqtt/ssl_ds/README.md>`.
|
||||
To configure the DS peripheral for development purposes, you can use the `esp-secure-cert-tool <https://pypi.org/project/esp-secure-cert-tool>`_.
|
||||
|
||||
The encrypted private key parameters obtained after the DS peripheral configuration are then to be kept in flash. Furthermore, they are to be passed to the DS peripheral which makes use of those parameters for the Digital Signature operation.
|
||||
:doc:`Non Volatile Storage<../storage/nvs_flash>` can be used to store the encrypted private key parameters in flash.
|
||||
The script :example_file:`configure_ds.py<protocols/mqtt/ssl_ds/configure_ds.py>` creates an NVS partition for the encrypted private key parameters. Then the script flashes this partition onto the {IDF_TARGET_NAME}.
|
||||
The application then needs to read the DS data from NVS, which can be done with the function ``esp_read_ds_data_from_nvs()`` in file :example_file:`ssl_ds/main/app_main.c <protocols/mqtt/ssl_ds/main/app_main.c>`
|
||||
The encrypted private key parameters obtained after the DS peripheral configuration are then to be kept in flash. Furthermore, they are to be passed to the DS peripheral which makes use of those parameters for the Digital Signature operation. The application then needs to read the ds data from the flash which has been done through the API's provided by the `esp_secure_cert_mgr <https://github.com/espressif/esp_secure_cert_mgr>`_ component. Please refer the `component/README. <https://github.com/espressif/esp_secure_cert_mgr#readme>`_ for more details.
|
||||
|
||||
The process of initializing the DS peripheral and then performing the Digital Signature operation is done internally with help of `ESP-TLS`. Please refer to `Digital Signature with ESP-TLS` in :doc:`ESP-TLS <../protocols/esp_tls>` for more details.
|
||||
As mentioned in the `ESP-TLS` documentation, the application only needs to provide the encrypted private key parameters to the esp_tls context (as `ds_data`), which internally performs
|
||||
|
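Review bot: the new paragraph in this hunk has wording errors that should be fixed before merge: `Please refer the component/README. <...>` should read `Please refer to the component README <...>` (the stray period inside the link text will render), `API's` should be `APIs`, and `ds data` should use the `DS` capitalisation used in the rest of the page. Separately, the deleted lines told the reader that the encrypted parameters are stored in an NVS partition and which function reads them; the replacement only says they are read `from the flash` via the esp_secure_cert_mgr APIs, so consider naming the partition the component expects, otherwise the sentence `are then to be kept in flash` is no longer actionable. Also, the kept sentence `To configure the DS peripheral for development purposes` was written for a script that explicitly disabled eFuse read protection; if esp-secure-cert-tool is meant for production provisioning as well, the `for development purposes` qualifier is now misleading.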
@ -102,49 +102,3 @@ I (5194) MQTTS_EXAMPLE: MQTT_EVENT_DATA
|
||||
TOPIC=/topic/qos0
|
||||
DATA=data
|
||||
```
|
||||
|
||||
|
||||
### configure_ds.py
|
||||
The script [configure_ds.py](./configure_ds.py) is used for configuring the DS peripheral on the ESP32-S2/ESP32-S3/ESP32-C3 SoC. The steps in the script are based on technical details of certain operations in the Digital Signature calculation, which can be found at Digital Signature Section of [ESP32-S2 TRM](https://www.espressif.com/sites/default/files/documentation/esp32-s2_technical_reference_manual_en.pdf)
|
||||
|
||||
The configuration script performs the following steps -
|
||||
|
||||
1. Take the client private key ( RSA key ) as input.
|
||||
(*required parameter for the script)
|
||||
can be provided with
|
||||
```
|
||||
python configure_ds.py --private-key /* path to client (rsa) prv key */
|
||||
```
|
||||
|
||||
2. Randomly Calculate the `HMAC_KEY` and the `initialization vector`(IV). Then calculate the encrypted private key parameters from client private key (step i) and newly generated parameters. These encrypted private key parameters are required for the DS peripheral to perform the Digital Signature operation.
|
||||
|
||||
3. Store the `HMAC_KEY` in one of the efuse key blocks (in the hardware).
|
||||
The ID of the efuse key block ( should be in range 1-5) can be provided with the following option. (default value of 1 is used if not provided),
|
||||
```
|
||||
python configure_ds.py --efuse_key_id /* key id in range 1-5 */
|
||||
```
|
||||
|
||||
Currently for development purposes, the `HMAC_KEY` is stored in the efuse key block without read protection so that read operation can be performed on the same key block.
|
||||
> You can burn (write) a key on an efuse key block only once. Please use a different key block ID if you want to use a different `HMAC_KEY` for the DS operation.
|
||||
|
||||
4. Create an NVS partition of the name `pre_prov.csv` (in `esp_ds_data` folder) which contains the required encrypted private key parameters. A bin file of the nvs partition (`pre_prov.bin`) is also created. As we have added a custom partition, the example is set to use the custom partition table by adding the required option in `sdkconfig.defaults`.
|
||||
|
||||
5. (optional) The script can be made to print the summary of the efuse on the chip by providing the following option. When this option is enabled, no other operations in the script are performed.
|
||||
```
|
||||
python configure_ds.py --summary
|
||||
```
|
||||
|
||||
6. (optional) If the user wants to keep the encrypted private key data and the randomly generated `HMAC_KEY` on the host machine for testing purpose. The following option may be used.
|
||||
```
|
||||
python configure_ds.py --keep_ds_data_on_host
|
||||
```
|
||||
The respective files will be stored in the `esp_ds_data` folder which is generated by the script in the same directory. The contents of the `esp_ds_data` folder may be overwritten when the `configure_ds.py` script is executed again.
|
||||
|
||||
7. (optional) If the user wants to use the script for production usecase then this option can be used.
|
||||
Currently for development purpose, the script disables the read protection on the efuse key block by default.
|
||||
In case of a production usecase it is recommeneded to enable the read protection for the efuse key block. It can be done by providing following option along with other required options:
|
||||
```
|
||||
python configure_ds.py --production
|
||||
```
|
||||
|
||||
> A list of all the supported options in the script can be obtained by executing `python configure_ds.py --help`.
|
||||
|
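Review bot: deleting this whole section also removes the only security caveats this example documented: that the `HMAC_KEY` is burned into an eFuse key block without read protection in development mode, that a key block can be burned only once, and that `--production` should be used to enable read protection. The replacement text in the first hunk points to esp-secure-cert-tool but carries none of these warnings; please either port them into the README or link to where the new tool documents its read-protection behaviour. Step 4 also states that the example uses a custom partition table via `sdkconfig.defaults` to hold the `pre_prov` NVS partition; since this commit touches neither `sdkconfig.defaults` nor a partition CSV, confirm whether those files still reference the now-undocumented partition.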
@ -78,7 +78,6 @@ examples/protocols/icmp_echo/example_test.py
|
||||
examples/protocols/modbus/serial/example_test.py
|
||||
examples/protocols/modbus/tcp/example_test.py
|
||||
examples/protocols/mqtt/ssl/mqtt_ssl_example_test.py
|
||||
examples/protocols/mqtt/ssl_ds/configure_ds.py
|
||||
examples/protocols/mqtt/tcp/mqtt_tcp_example_test.py
|
||||
examples/protocols/mqtt/ws/mqtt_ws_example_test.py
|
||||
examples/protocols/mqtt/wss/mqtt_wss_example_test.py
|
||||
|
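Review bot: removing `examples/protocols/mqtt/ssl_ds/configure_ds.py` from this list is only consistent if the script itself is deleted; no hunk in this commit deletes the file, so confirm it was removed in the parent (cbecb2e944) or in another commit, otherwise whatever tool consumes this list will start picking the script up, or the now-unreferenced script will simply be left behind in the example.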