Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ESP32S3 Pico HSM freezes when generating RSA or ECC keys after importing DKEK #66

Open
rrottmann opened this issue Nov 25, 2024 · 6 comments
Open

ESP32S3 Pico HSM freezes when generating RSA or ECC keys after importing DKEK #66

rrottmann opened this issue Nov 25, 2024 · 6 comments

Comments

@rrottmann
Copy link
Contributor

Steps to reproduce:

  1. Initialize ESP32S3 Pico HSM using pico-hsm-tool.py.
  2. Reinitialize the HSM using the default SO-PIN with scsh3 and set up a "standard" layout with 4 Key Domains and a single DKEK share, storing it as an encrypted file.
  3. Import the DKEK into a Key Domain.
  4. Attempt to generate an RSA or ECC key in the Key Domain.

Expected behavior:
The key generation process should complete successfully.

Actual behavior:
The key generation hangs indefinitely, displaying a message indicating that it may take a minute. (I know that random pool might run dry and operations might take longer on ESP32S3). The Pico HSM appears to freeze, requiring a physical disconnect to recover.

Additional information:
scsh3 APDU trace does not show any unusual activity.
No error messages are present in dmesg regarding key disconnection.
@fastchain
Copy link
Contributor

+1. Seen similar behavior, but during the import of a key with dkek (not generation).

@polhenarejos
Copy link
Owner

polhenarejos commented Nov 26, 2024
edited
Loading

@rrottmann Do you generate ECC or RSA? RSA is extremely slow.
I followed your setup 1-4 but I cannot reproduce it.
Captura de pantalla 2024-11-26 a les 11 11 53
I'm using SCS3 3.17.566 and generated a brainpool256r1 ECC keypair.

I'll try with importing.

EDIT: I tried generating a RSA 1024 in the Keydomain 1 and it took 25 minutes. RSA 20248 would take hours.

@polhenarejos
Copy link
Owner

@fastchain I tried importing ECC and RSA keys with the previous setup and it worked correctly. Do you have a guide step by step to reproduce it?
Also, which boards do you use?

@rrottmann
Copy link
Contributor Author

rrottmann commented Nov 26, 2024
edited
Loading

I believe the problem is related to the hardware. I tested it with a Waveshare module, and it functions properly, but with a module from Aliexpress, I can only generate ECC keys without Key Domains.

Using the Waveshare, RSA 2048 was generated in 1-2 minutes. I use the Pico Key patched SCS3 3.18.39 with Debian 12.8 and openjdk-17 on aarch64.

The Aliexpress ESP32S3 kinda works but not with imported DKEK:
image

@polhenarejos
Copy link
Owner

KCV is 00000, which means is not properly loaded. It usually appears when no PIN is introduced, but I see you are already logged.
Which curve are you trying to import?
Are you importing a wky file or a pkcs12?
If you are using wky, it has to be exported from a key domain with the same DKEK. You cannot import wky of a key that belongs to another key domain.

@fastchain
Copy link
Contributor

@polhenarejos
I made few more tests and it looks I have a slightly different problem, so I opened separate issue
#68

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rrottmann @fastchain @polhenarejos