diff --git a/examples/protocols/mqtt/ssl_ds/CMakeLists.txt b/examples/protocols/mqtt/ssl_ds/CMakeLists.txt index 76c1d630e9..50de6d03bc 100644 --- a/examples/protocols/mqtt/ssl_ds/CMakeLists.txt +++ b/examples/protocols/mqtt/ssl_ds/CMakeLists.txt @@ -9,5 +9,12 @@ set(EXTRA_COMPONENT_DIRS $ENV{IDF_PATH}/examples/common_components/protocol_exam include($ENV{IDF_PATH}/tools/cmake/project.cmake) project(mqtt_ssl_ds) +# Flash the custom partition named `pre_prov`. +set (partition pre_prov) +idf_build_get_property(project_dir PROJECT_DIR) +set(image_file ${project_dir}/esp_ds_data/${partition}.bin) +partition_table_get_partition_info(offset "--partition-name ${partition}" "offset") +esptool_py_flash_target_image(flash "${partition}" "${offset}" "${image_file}") + target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/client.crt" TEXT) target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/mosquitto.org.crt" TEXT) diff --git a/examples/protocols/mqtt/ssl_ds/README.md b/examples/protocols/mqtt/ssl_ds/README.md index 85515baeaf..01c9758086 100644 --- a/examples/protocols/mqtt/ssl_ds/README.md +++ b/examples/protocols/mqtt/ssl_ds/README.md @@ -115,7 +115,7 @@ can be provided with 3. Store `HMAC_KEY` in one of the efuse key blocks (in the hardware). The ID of the efuse key block ( should be in range 1-5) can be provided with the following option. ( default value of 1 is used if not provided), ``` - python configure_ds.py --efuse_key_id /* key id in range 1-5 */ --burn_key + python configure_ds.py --efuse_key_id /* key id in range 1-5 */ ``` Currently for development purposes, the `HMAC_KEY` is stored in the efuse key block without read protection so that read operation can be performed on the same key block. diff --git a/examples/protocols/mqtt/ssl_ds/configure_ds.py b/examples/protocols/mqtt/ssl_ds/configure_ds.py index 6f075ee5bd..2d4f9afd81 100644 --- a/examples/protocols/mqtt/ssl_ds/configure_ds.py +++ b/examples/protocols/mqtt/ssl_ds/configure_ds.py 
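Review bot: The flash target is registered unconditionally, so a project configured before `configure_ds.py` has produced `esp_ds_data/pre_prov.bin` only fails later inside `idf.py flash` with an esptool error, and if the partition table has no `pre_prov` entry `offset` is presumably left empty and the target is created with no usable address. A configure-time guard, `if(NOT EXISTS "${image_file}") message(WARNING "${image_file} missing: run configure_ds.py before flashing") endif()`, plus a check that `offset` is non-empty would make both failures explicit; a FATAL_ERROR on the missing image would be wrong because it legitimately does not exist before provisioning. The comment above the block should also say what the partition carries, e.g. `# Flash the NVS image produced by configure_ds.py (DS-encrypted private-key parameters, bound to the HMAC key burned into eFuse) into the custom 'pre_prov' partition.`, since the generic wording hides that this is provisioning material. Minor: `set (partition pre_prov)` has a stray space before the parenthesis, unlike the other `set(` calls in the same block.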
@@ -23,16 +23,6 @@ from cryptography.hazmat.primitives.asymmetric import rsa from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes from cryptography.utils import int_to_bytes -try: - import esptool - import espefuse -except ImportError: - idf_path = os.getenv("IDF_PATH") - if not idf_path or not os.path.exists(idf_path): - raise Exception("IDF_PATH not found") - sys.path.insert(0, os.path.join(idf_path, "components", "esptool_py", "esptool")) - import esptool - import espefuse try: import nvs_partition_gen as nvs_gen except ImportError: 
@@ -122,68 +112,14 @@ def calculate_ds_parameters(privkey, priv_key_pass): return c, iv, key_size -class DefineArgs(object): - def __init__(self, attributes): - for key, value in attributes.items(): - self.__setattr__(key, value) +def efuse_summary(args): + os.system("python $IDF_PATH/components/esptool_py/esptool/espefuse.py --chip esp32s2 -p %s summary" % (args.port)) -def efuse_summary(esp,args): - efuses, _efuse_operations = espefuse.get_efuses(esp, esp.CHIP_NAME, False, False, False) - - summary_args = DefineArgs({ - 'baud': 115200, - 'before': 'default_reset', - 'chip': esp.CHIP_NAME, - 'debug': False, - 'do_not_confirm': False, - 'file': sys.stdout, - 'mode':'w', - 'encding': 'utf-8', - 'format': 'summary', - 'operation': 'summary', - 'port':args.port, - }) - - print("\n\n\n\t---SUMMARY START---\n") - espefuse.summary(esp, efuses, summary_args) - print("\n\t---SUMMARY END---\n\n") - - -def efuse_burn_key(esp, args): - - efuses, efuse_operations = espefuse.get_efuses(esp, esp.CHIP_NAME, False, False, False) - - if args.efuse_key_id is None: - print("efuse Key id cannot be None") - sys.exit(-1) - - key_file = open(hmac_key_file, 'rb') - # First element of _KEYBLOCKS is config data so add offset of 1 - key_block = efuses._KEYBLOCKS[args.efuse_key_id + 1][0] - burn_key_args = DefineArgs({ - 'baud': 115200, - 'before': 'default_reset', - 'chip': esp.CHIP_NAME, - 'debug': False, - 'do_not_confirm': False, - 'block': [key_block], - 'keyfile': [key_file], - 'keypurpose': ['HMAC_DOWN_DIGITAL_SIGNATURE'], - 'operation': 'burn_key', - 'force_write_always': False, - 'no_read_protect': True, - 'no_write_protect': False, - 'port': args.port, - - }) - - try: - efuse_operations.burn_key(esp, efuses, burn_key_args, None) - key_file.close() - except esptool.FatalError: - print("\nERROR: The provided key block already contains previously burned key, please use a different key block ID") - sys.exit(-1) +def efuse_burn_key(args): + os.system("python 
$IDF_PATH/components/esptool_py/esptool/espefuse.py --chip esp32s2 -p %s burn_key" + "%s %s HMAC_DOWN_DIGITAL_SIGNATURE --no-read-protect" + % ((args.port), ("BLOCK_KEY" + str(args.efuse_key_id)), (hmac_key_file))) def generate_csv_file(c, iv, hmac_key_id, key_size, csv_file): @@ -197,6 +133,12 @@ def generate_csv_file(c, iv, hmac_key_id, key_size, csv_file): f.write("esp_ds_rsa_len,data,u16,%d\n" % (key_size)) +class DefineArgs(object): + def __init__(self, attributes): + for key, value in attributes.items(): + self.__setattr__(key, value) + + def generate_nvs_partition(input_filename, output_filename): nvs_args = DefineArgs({ 
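Review bot: In `efuse_burn_key` the two adjacent string literals are joined with no separator, so as rendered here the formatted command reads `... -p <port> burn_keyBLOCK_KEY1 <hmac_key_file> HMAC_DOWN_DIGITAL_SIGNATURE --no-read-protect` and espefuse.py will reject `burn_keyBLOCK_KEY1` as an unknown operation (unless the space before the closing quote was lost in rendering). Either way the `os.system` result is discarded in both functions, which drops the removed `esptool.FatalError` handling: a refused or failed burn no longer aborts, and `main()` goes on to emit a CSV/NVS image that references a key block that was never programmed. The new commands also pass `args.port`, the block name and `hmac_key_file` unquoted through a shell and invoke a bare `python` that may not be the interpreter executing this script, whereas the removed in-process `espefuse` calls had neither problem, and the `IDF_PATH` validation that lived in the deleted import fallback now only surfaces as a shell "file not found". Run espefuse.py via `subprocess.check_call` with an argument list under `sys.executable`, so a non-zero exit raises and stops provisioning before anything is generated; this needs `import subprocess` in the import block outside this hunk, and a shared helper keeps the two call sites consistent.
```python
def _run_espefuse(args, operation):
    """Run espefuse.py for the ESP32-S2 on args.port; a non-zero exit raises CalledProcessError.

    operation is the espefuse sub-command plus its arguments as a list; it is passed
    without a shell so port names and file paths are never re-parsed.
    """
    idf_path = os.getenv("IDF_PATH")
    if not idf_path or not os.path.isdir(idf_path):
        sys.exit("IDF_PATH not found")
    espefuse = os.path.join(idf_path, "components", "esptool_py", "esptool", "espefuse.py")
    subprocess.check_call([sys.executable, espefuse, "--chip", "esp32s2", "-p", args.port] + operation)


def efuse_summary(args):
    _run_espefuse(args, ["summary"])


def efuse_burn_key(args):
    # Burning an eFuse key block is irreversible; the helper's check_call aborts the
    # script before any NVS data is produced if espefuse refuses the operation.
    if args.efuse_key_id is None:
        sys.exit("efuse Key id cannot be None")
    _run_espefuse(args, ["burn_key", "BLOCK_KEY" + str(args.efuse_key_id), hmac_key_file,
                         "HMAC_DOWN_DIGITAL_SIGNATURE", "--no-read-protect"])
```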
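Review bot: `DefineArgs` is re-added here without a docstring, and nothing in the hunk says why a class stands in for a parsed-argument namespace; from `generate_nvs_partition` just below, it exists so that a plain dict can be handed to `nvs_gen.generate()` as if it were an argparse result. A one-line docstring, `"""Expose the keys of a dict as attributes, mimicking an argparse Namespace for nvs_gen.generate()."""`, would record that, and `argparse.Namespace(**attributes)` from the already-imported `argparse` would do the same job without the class (equivalent as far as attribute access goes, which is all the visible caller uses). `generate_nvs_partition` continues outside the hunk.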
@@ -211,45 +153,16 @@ def generate_nvs_partition(input_filename, output_filename): nvs_gen.generate(nvs_args, is_encr_enabled=False, encr_key=None) -def flash_nvs_partition(bin_path, addr, esp): - esp.connect() - print(bin_path) - abs_bin_path = os.path.dirname(os.path.abspath(__file__)) + '/' + bin_path - print(abs_bin_path) - if (os.path.exists(abs_bin_path) is False): - print("NVS partition not found") - sys.exit(-1) - - with open(bin_path, 'rb') as nvs_file: - - flash_file = [(addr, nvs_file)] - - flash_args = DefineArgs({ - 'flash_size': '4MB', - 'flash_mode': 'qio', - 'flash_freq': '80m', - 'addr_filename': flash_file, - 'no_stub': False, - 'compress': False, - 'verify': False, - 'encrypt': False, - 'erase_all': False, - }) - - esp.change_baud(baud=921600) - esptool.write_flash(esp, flash_args) - - def main(): - parser = argparse.ArgumentParser(description='''Provision the ESPWROOM32SE device with - device_certificate and signer_certificate required for TLS authentication''') + parser = argparse.ArgumentParser(description='''Genereate an nvs partition containing the DS private key parameters from the client private key, + Generate an HMAC key and burn it in the desired efuse key block (required for Digital Signature)''') parser.add_argument( '--private-key', dest='privkey', default='main/client.key', metavar='relative/path/to/client-priv-key', - help='relative path(from secure_cert_mfg.py) to signer certificate private key') + help='relative path to client private key') parser.add_argument( "--pwd", '--password', @@ -283,13 +196,8 @@ def main(): args = parser.parse_args() - esp = esptool.ESPLoader.detect_chip(args.port,baud=115200) - if (esp.CHIP_NAME != 'ESP32-S2'): - print("Only ESP32S2 chip is supported") - sys.exit(-1) - if args.summary is not False: - efuse_summary(esp, args) + efuse_summary(args) sys.exit(0) if (os.path.exists(esp_ds_data_dir) is False): 
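Review bot: The new parser description introduces a typo, `Genereate an nvs partition`, which becomes the `--help` text; `Generate an NVS partition containing the DS private key parameters derived from the client private key,` reads correctly. Since `flash_nvs_partition` is deleted in the same hunk, the description should also state that the resulting image is written to the device by the build (`idf.py flash`) rather than by this script, otherwise users of the old workflow will expect the device to be provisioned when the script exits. The `--private-key` help says "relative path" without saying relative to what; presumably the current working directory, which is worth stating since the default `main/client.key` only resolves from the example root. `main()` continues past the end of the hunk.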
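Review bot: With the `detect_chip`/`CHIP_NAME` guard removed, nothing in `main()` validates the target or the key-block ID before the script proceeds to an irreversible eFuse write; the `--chip esp32s2` handed to espefuse.py in an earlier hunk is the only remaining chip check, and its outcome is not inspected there. The deleted `efuse_burn_key` at least rejected `efuse_key_id is None`; unless the `--efuse_key_id` definition (outside this hunk) already carries `type=int, choices=range(1, 6)`, add that, or insert `if args.efuse_key_id is None or not 1 <= int(args.efuse_key_id) <= 5: sys.exit("--efuse_key_id must be in range 1-5")` right after `args = parser.parse_args()`, matching the 1-5 range the README documents. `main()` continues outside the hunk.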
@@ -303,11 +211,10 @@ def main(): print("overwriting previous encrypted private key data, as you have provided \"--overwrite\" option") c, iv, key_size = calculate_ds_parameters(args.privkey, args.priv_key_pass) - efuse_burn_key(esp, args) + efuse_burn_key(args) generate_csv_file(c, iv, args.efuse_key_id, key_size, csv_filename) generate_nvs_partition(csv_filename, bin_filename) - flash_nvs_partition(bin_filename, 0x10000, esp) if __name__ == "__main__":
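Review bot: After `generate_nvs_partition(csv_filename, bin_filename)` the script now exits silently, so a user coming from the version that flashed the image itself gets no hint that `bin_filename` still has to reach the device; a closing `print("NVS image written to %s; run 'idf.py flash' to program the pre_prov partition" % bin_filename)` would close that gap (pre_prov being the partition the accompanying CMake change flashes, as far as this diff shows). The call order also deserves a comment: `efuse_burn_key(args)` performs the irreversible eFuse write before the CSV and NVS image exist, so a failure in either generator leaves a burned block with no matching image, which is only recoverable if a re-run with `--overwrite` reuses the same `hmac_key_file`, and this hunk does not show whether it does. Finally, `hmac_key_file` stays on the host as plaintext after the burn; given the key is burned `--no-read-protect` for development anyway, a `# NOTE: hmac_key_file holds the raw HMAC key; keep esp_ds_data out of version control` comment next to the call would warn the next user. `main()` starts outside the hunk.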