-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
espsecure: read_hsm_config now can prompt for HSM PIN (ESPTOOL-716) #900
espsecure: read_hsm_config now can prompt for HSM PIN (ESPTOOL-716) #900
Conversation
Hello @rretanubun, |
espsecure/esp_hsm_sign/__init__.py
Outdated
# Check if config.["credentials"] is set to "prompt" and prompt for HSM PIN | ||
credentials_config_val = config.get(section, "credentials") | ||
if credentials_config_val == "prompt": | ||
hsm_pin = getpass("\nPlease enter the PIN of your HSM:\n") | ||
config.set(section, "credentials", hsm_pin) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alternatively, rather than using the word "prompt" (might be misleading), we can just remove the credentials
option from the config file and add a check that if the option is absent, get the credentials using a prompt.
# Check if config.["credentials"] is set to "prompt" and prompt for HSM PIN | |
credentials_config_val = config.get(section, "credentials") | |
if credentials_config_val == "prompt": | |
hsm_pin = getpass("\nPlease enter the PIN of your HSM:\n") | |
config.set(section, "credentials", hsm_pin) | |
# If the config file does not contain the "credentials" option, prompt for the HSM PIN | |
if not config.has_option(section, "credentials"): | |
hsm_pin = getpass("Please enter the PIN of your HSM:\n") | |
config.set(section, "credentials", hsm_pin) | |
Also, you will need to remove the "credentials" options from the default section_options
list (line 35)
( section_options = ["pkcs11_lib", "slot", "label"] )
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you also add a note in the documentation regarding these changes?
Something like,
To avoid storing the PIN in plaintext, you could simply remove the `credentials` option from the config file, and during signing using the HSM, you could enter it using the prompt.
would suffice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Harshal5 : I understand your perspective and it is do-able for sure. I am of the opinion that explicitly stating credentials = prompt
in the config file is more intuitive
and make the config files (and examples) more clear because there is no presumed default
-- every setting is spelled out in the config file itself.
Let me know if you feel strongly about making credentials
optional and I can apply the updates as requested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For documentation update (if we stay with prompt) : This is what I have in mind:
- Change the sample to say
credentials = prompt
and then document
Below is a sample HSM config file (hsm_config.ini) for using [SoftHSMv2](https://github.com/opendnssec/SoftHSMv2) as an external HSM:
>> insert config file with credentials = prompt here as in the current example <<
Using this config file, the script will prompt for the HSM pin to be typed in for operations that need HSM access.
Alternatively the keyword `prompt` can be replaced with the `HSM pin` (e.g. 1234) to avoid being prompted.
Note that this is not a good practice for security and using `prompt` is recommended.
This way the example (which most people will copy-and paste) already sets them up to the safer behavior
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@rretanubun There might be a case where the user pin of a token could be the word "prompt" itself (tried using SoftHSM2, it seems possible). In such a situation the user will not be able to get the expected behavior.
Even if say we do not come across such a situation, I think making the credentials
field optional would be a better approach rather than deciding on a word (say "prompt") and hardcoding it into the tool.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point. Code and documentation updated as requested.
Hello @rretanubun, Thank you for the update! |
Thank you @rretanubun, LGTM! Before merging, could you please:
Thank you very much! |
If hsm_config does not contain "credentials" the user will be prompted for the HSM PIN. This avoids the need to have HSM PINs typed in config files which is not a good security practice. ADJUNCT: Updated documentation to reflect new usage
5c9ea60
to
70cb931
Compare
* docs: espsecure remote signing using a HSM broken link fix * fix(rfc2217_server): Use new reset sequences * fix(ESP32-S3): Lower CPU freq to improve flasher stub stability Closes espressif#832 * fix: Unknown chip (ID or magic number) error * pyinstaller: fix glibc dependency on gnu/linux pyinstaller package for linux is built within the ubuntu-latest image in github workflow. This may cause prbolem with glibc symbol versions on older distributions, where the new symbol versions are not available. Fix this by building on the older ubuntu version. Closes espressif#843 Signed-off-by: Frantisek Hrbata <[email protected]> * tests: Create custom `host_test` marker for tests without real chip connected Closes espressif#838 * fix(ESP32-S3): Temporarily disable increasing CPU freq Related to espressif#848 Related to espressif#842 * build: add esp_rfc2217_server to published scripts Closes espressif#846 * Update version to v4.5.1 * Update version to v4.6-dev * espefuse: Hide sensitive info by default during burning burn_key and burn_key_digest Adds --show-sensitive-info flag for two commands: burn_key and burn_key_digest. * flasher_stub: pass -mabi=ilp32 to the RISC-V compiler This is a no-op change for the upstream toolchain (compiled stubs are binary identical), but is required when building with Debian's riscv64-unknown-elf-gcc compiler. * flasher_stub: allow passing extra CFLAGS The flasher_stub Makefile allows for some system-local configuration, either through local.mk, or through environment variables. For example, the compiler prefix can be overridden, by defining e.g. CROSS_ESPRISCV32. However, passing additional flags to the compiler isn't possible right now. Add EXTRA_CFLAGS and EXTRA_CFLAGS_ESPRISCV32 to allow for that option. * flasher_stub: collect all targets at the top, DRY * flasher_stub: make target selection more modular Rather than a special "make esp32", create WITHOUT_* variables to selectively disable chip families. Currently, WITHOUT_ESP8266, WITHOUT_ESP32_XTENSA and WITHOUT_ESP32_RISCV32 are defined, but the code can be easily adjusted to allow for all kinds of other sets/combinations. * flasher_stub: create %.json targets, make all a proper PHONY * flasher_stub: drop --embed from wrap_stub.py Since commit 94f29a5 the flasher stub is not embedded in the Python source, but rather included as simple json files. As such, wrap_stub.py --embed was converted to basically just vary the build dir. Rather than keep this indirection and for better clarity, remove that piece of code and replace it by a simple "cp" in the Makefile. While at it, replace the target name from "embed" to "install", as this more akin to a "make install" step. * espefuse: Support burning ECDSA_KEY from pem file - fix some assert check in test_espefuse.py - add tests to cover the new functionality * espefuse(c2): Fix BLOCK_KEY0 view for summary cmd when SB + FE keys are burnt For C2 secure boot + flash enc block, we saw that in summary cmd "0's" from secure boot digest part (upper 128 bit) were translated into "?'s" when the block was read protected. For C2, we should apply this translation for lower 128 bits only. * fix(ESP32-C6): Fix get_pkg_version and get_{major,minor}_chip_version * image_info: removed check that reserved bytes in image header are zero IDF may start using parts of the reserved bytes in the extended header at any time, which will break chip auto-detect in image_info. * build: limit max cryptography version to 40 * fix: Set flash parameters even with --flash_size keep Related to espressif/esp-idf#10788 Related to espressif/esp-idf#10959 * build: add arm and arm64 as build target Closes espressif#845 * Fix typo in serial protocol docs Fixes misspelling of `triggered` in serial protocol docs. Signed-off-by: hasheddan <[email protected]> * Support more recent reedsolo packages - https://github.com/tomerfiliba-org/reedsolomon/releases/tag/v1.6.1 - this seems to be related to licenses only. - https://github.com/tomerfiliba-org/reedsolomon/releases/tag/v1.7.0 - this is related to installation. Closes espressif#872 * build(arm): add pip extra url for github action build * ci: Fix libffi symlinks for cryptography>=40 * espefuse: Prevent burning XTS_AES and ECDSA keys into BLOCK9 (BLOCK_KEY5) eFuse module has a hardware bug. It is related to ESP32-C3, C6, S3, H2 chips: - BLOCK9 (BLOCK_KEY5) can not be used by XTS_AES keys. For H2 chips, the BLOCK9 (BLOCK_KEY5) can not be used by ECDSA keys. S2 does not have such a hardware bug. * image_info: Display disabled WP pin as disabled The image formats know about the special value 0xee used to disable WP. Display this with image_info. E.g.: ESP32-C3 extended image header ============================== WP pin: 0xee (disabled) * image_info: Print chip ID's name if known Example: Flash pins drive settings: clk_drv: 0x0, q_drv: 0x0, d_drv: 0x0, cs0_drv: 0x0, hd_drv: 0x0, wp_drv: 0x0 Chip ID: 5 (ESP32-C3) Minimal chip revision: v0.0, (legacy min_rev = 0) Maximal chip revision: v655.35 An unknown ID will be printed as: Chip ID: 42 (Unknown ID) * tests: Make the testsuite Windows compatible * espefuse: Adds external esp instance Closes espressif#873 * espefuse: Improve efuse error viewing * espefuse: Explicit setting of efuse time settings EFUSE_PWR_ON_NUM in C3 has default value = 0x2880, now = 0x3000 * docs(Boot log): Add all esp targets to cover boot troubleshooting Closes espressif#732 * fix: USB-JTAG-Serial PID detection error * esptool: Move bootdesc on the top of the ram segment * espefuse: Move some vars under init method to speedup tool after adding yaml support * espefuse: Adds yaml efuse description files for all chip - esptool: Updates eFuses wafer major&minor versions - esptool(esp32c6): Adds package versions - espefuse(esp32c6): Replace PKG_VERSION BLK_VERSION_MINOR BLK_VERSION_MAJOR - espefuse(esp32c6): Adds adc calib efuses - espefuse: Adds yaml files for Build with PyInstaller * efuse(H2): Adds RF Calibration Information * espsecure: Improve error message for incorrect PEM format Closes espressif#881 * bugfix(usb_jtag_serial): Autofeed super watchdog (SWD) to avoid resets during flashing * esptool: Read 64-bit MAC address on C6 and H2 * bugfix: Adjust wrapper scripts to not import themselves * bugfix(espsecure): Print a clear error message if incompatible OpenSSL backend is used Closes espressif#878 * fix: inconsistent usage of dirs separator * feat(esptool): add option to dump whole flash based on detected size Closes espressif#461 * Update version to v4.6 * Update version to v4.7-dev * fix(ESP32-S3): Correct RTC WDT registers to fix resets during flashing * Update version to v4.6.1 * Update version to v4.7-dev * docs: add explanation for flash_id example to avoid confusion * docs(boot-log): fix list formatting * docs: add c2, c6 and h2 as build targets * fix(compressed upload): Accept short data blocks with only Adler-32 bytes * fix(CH9102F): Suggest to install new serial drivers if writing to RAM fails * esptool & espefuse: Fix byte order in MAC (for C6 and H2) MAC: 60:55:f9:ff:fe:f7:2c:a2 (EUI64, used for IEEE802154) BASE MAC: 60:55:f9:f7:2c:a2 (used for BT) MAC_EXT: ff:fe * Update version to v4.6.2 * Update version to v4.7 * change: Add conventional precommit linter * ci(pre-commit): Update version of `conventional-precommit-linter` * feat(get_security_info): Improved the output format and added more details * fix(esp32-c2): Enable flashing in secure download mode Closes espressif#895 * ci: Add DangerJS checks to GL and GH * feat(esptool): Add PICO package for ESP32S3 and flash/psram efuses * feat(esptool): Add tests for get_chip_features * feat(esptool): Add new packages for ESP32C3 and flash efuses * fix(expand file args): Correctly print the expanded command * feat(espsecure): Allow prompting for HSM PIN in read_hsm_config If hsm_config does not contain "credentials" the user will be prompted for the HSM PIN. This avoids the need to have HSM PINs typed in config files which is not a good security practice. ADJUNCT: Updated documentation to reflect new usage Closes espressif#900 * fix(dangerGH): Update token permissions - allow Danger to add comments to PR * fix(elf2image): fix text/rodata mapping overlap issue on uni-idrom bus chips * fix: assert in esp32 exclusive workaround * docs: Add other resources page * fix(autodetection): Remove the ESP32-S2 ROM class from get_security_info autodetection * change(pre-commit): Bump version conventional-precommit-linter to 1.2.1 * feat(esptool): added target to esp32p4 * feat(espefuse): Add support for esp32p4 chip * fix: Fix redirection of STDOUT Closes espressif#904 * fix(danger-github): Fir Danger GitHub token permission * ci(danger-github): Fix github-action-bot permissions for posting Danger output * ci: Shared danger to local stage (remove possible double CI pipelines) * ci: add 'flake8-import-order' as a dependecy to flake8 * fix(bin_image): Check only ELF sections when searching for .flash.appdesc Closes espressif#917 * feat(efuse): ESP32P4 adds ecdsa_key support * feat(efuse): Update key purpose table and tests * feat(esp32-s3): Support >16MB quad flash chips Adds support for the W25Q256 and GD25Q256 flash chips. Closes espressif#883 * ci(dev_release): Upload dev releases to PyPI with GH Actions * ci: fix pipeline for building docs * feat(merge_bin): add support for uf2 format * feat(esp32c3): Support ECO6 and ECO7 magic numbers * ci(gitlab_ci): Change only/except syntax to rules * fix(flasher_stub): fix usb-serial-jtag enabled non-related intr source * fix(loader): Could not open serial port message adjusted * ci(gitlab): Fix deploying docs to production * ci(github): Fix pyinstaller builds on ubuntu * docs(basic-commands): added note for PowerShell users for merge_bin command Closes espressif#923 * feat: Add support for Python 3.12 * feat(loader): Added hints for some serial port issues when rising port error Closes espressif/esp-idf#12366 * feat: add support for get_security_info on esp32c3 ECO7 * docs(troubleshooting): Explain issues when flashing with USB-Serial/JTAG or USB-OTG Closes espressif#924 * feat(espefuse): Update the way to complete the operation * docs(boot_mode_selection): Correct secondary strapping pin boot mode levels Closes espressif#928 * feat(espefuse): Adds efuse ADC calibration data for ESP32H2 * feat(rfc2217_server): Add hard reset sequence * feat(elf2image): add ram-only-header argument The ram-only-header configuration makes only the RAM segments visible to the ROM bootloader placing them at the beginning of the file and altering the segment count from the image header with the quantity of these segments, and also writing only their checksum. This segment placement also may not result as optimal as the standard way regarding the padding gap use among the flash segments that could result in a less fragmented binary. The image built must then handle the basic hardware initialization and the flash mapping for code execution after ROM bootloader boot it. Signed-off-by: Marek Matej <[email protected]> Signed-off-by: Almir Okato <[email protected]> * feat(esp32p4): Stub flasher support * refactor(stub_flasher): Cleanup, make adding new targets easier * feat: add support for intel hex format --------- Signed-off-by: Frantisek Hrbata <[email protected]> Signed-off-by: hasheddan <[email protected]> Signed-off-by: Marek Matej <[email protected]> Signed-off-by: Almir Okato <[email protected]> Co-authored-by: harshal.patil <[email protected]> Co-authored-by: radim.karnis <[email protected]> Co-authored-by: Frantisek Hrbata <[email protected]> Co-authored-by: Peter Dragun <[email protected]> Co-authored-by: KonstantinKondrashov <[email protected]> Co-authored-by: Faidon Liambotis <[email protected]> Co-authored-by: XiNGRZ <[email protected]> Co-authored-by: Marius Vikhammer <[email protected]> Co-authored-by: hasheddan <[email protected]> Co-authored-by: Roland Dobai <[email protected]> Co-authored-by: Trent Piepho <[email protected]> Co-authored-by: Dean Gardiner <[email protected]> Co-authored-by: Massimiliano Montagni <[email protected]> Co-authored-by: Tomas Sebestik <[email protected]> Co-authored-by: Aditya Patwardhan <[email protected]> Co-authored-by: Richard Retanubun <[email protected]> Co-authored-by: wuzhenghui <[email protected]> Co-authored-by: Armando <[email protected]> Co-authored-by: Jakub Kocka <[email protected]> Co-authored-by: 20162026 <[email protected]> Co-authored-by: Almir Okato <[email protected]>
* docs: espsecure remote signing using a HSM broken link fix * fix(rfc2217_server): Use new reset sequences * fix(ESP32-S3): Lower CPU freq to improve flasher stub stability Closes espressif#832 * fix: Unknown chip (ID or magic number) error * pyinstaller: fix glibc dependency on gnu/linux pyinstaller package for linux is built within the ubuntu-latest image in github workflow. This may cause prbolem with glibc symbol versions on older distributions, where the new symbol versions are not available. Fix this by building on the older ubuntu version. Closes espressif#843 Signed-off-by: Frantisek Hrbata <[email protected]> * tests: Create custom `host_test` marker for tests without real chip connected Closes espressif#838 * fix(ESP32-S3): Temporarily disable increasing CPU freq Related to espressif#848 Related to espressif#842 * build: add esp_rfc2217_server to published scripts Closes espressif#846 * Update version to v4.5.1 * Update version to v4.6-dev * espefuse: Hide sensitive info by default during burning burn_key and burn_key_digest Adds --show-sensitive-info flag for two commands: burn_key and burn_key_digest. * flasher_stub: pass -mabi=ilp32 to the RISC-V compiler This is a no-op change for the upstream toolchain (compiled stubs are binary identical), but is required when building with Debian's riscv64-unknown-elf-gcc compiler. * flasher_stub: allow passing extra CFLAGS The flasher_stub Makefile allows for some system-local configuration, either through local.mk, or through environment variables. For example, the compiler prefix can be overridden, by defining e.g. CROSS_ESPRISCV32. However, passing additional flags to the compiler isn't possible right now. Add EXTRA_CFLAGS and EXTRA_CFLAGS_ESPRISCV32 to allow for that option. * flasher_stub: collect all targets at the top, DRY * flasher_stub: make target selection more modular Rather than a special "make esp32", create WITHOUT_* variables to selectively disable chip families. Currently, WITHOUT_ESP8266, WITHOUT_ESP32_XTENSA and WITHOUT_ESP32_RISCV32 are defined, but the code can be easily adjusted to allow for all kinds of other sets/combinations. * flasher_stub: create %.json targets, make all a proper PHONY * flasher_stub: drop --embed from wrap_stub.py Since commit 94f29a5 the flasher stub is not embedded in the Python source, but rather included as simple json files. As such, wrap_stub.py --embed was converted to basically just vary the build dir. Rather than keep this indirection and for better clarity, remove that piece of code and replace it by a simple "cp" in the Makefile. While at it, replace the target name from "embed" to "install", as this more akin to a "make install" step. * espefuse: Support burning ECDSA_KEY from pem file - fix some assert check in test_espefuse.py - add tests to cover the new functionality * espefuse(c2): Fix BLOCK_KEY0 view for summary cmd when SB + FE keys are burnt For C2 secure boot + flash enc block, we saw that in summary cmd "0's" from secure boot digest part (upper 128 bit) were translated into "?'s" when the block was read protected. For C2, we should apply this translation for lower 128 bits only. * fix(ESP32-C6): Fix get_pkg_version and get_{major,minor}_chip_version * image_info: removed check that reserved bytes in image header are zero IDF may start using parts of the reserved bytes in the extended header at any time, which will break chip auto-detect in image_info. * build: limit max cryptography version to 40 * fix: Set flash parameters even with --flash_size keep Related to espressif/esp-idf#10788 Related to espressif/esp-idf#10959 * build: add arm and arm64 as build target Closes espressif#845 * Fix typo in serial protocol docs Fixes misspelling of `triggered` in serial protocol docs. Signed-off-by: hasheddan <[email protected]> * Support more recent reedsolo packages - https://github.com/tomerfiliba-org/reedsolomon/releases/tag/v1.6.1 - this seems to be related to licenses only. - https://github.com/tomerfiliba-org/reedsolomon/releases/tag/v1.7.0 - this is related to installation. Closes espressif#872 * build(arm): add pip extra url for github action build * ci: Fix libffi symlinks for cryptography>=40 * espefuse: Prevent burning XTS_AES and ECDSA keys into BLOCK9 (BLOCK_KEY5) eFuse module has a hardware bug. It is related to ESP32-C3, C6, S3, H2 chips: - BLOCK9 (BLOCK_KEY5) can not be used by XTS_AES keys. For H2 chips, the BLOCK9 (BLOCK_KEY5) can not be used by ECDSA keys. S2 does not have such a hardware bug. * image_info: Display disabled WP pin as disabled The image formats know about the special value 0xee used to disable WP. Display this with image_info. E.g.: ESP32-C3 extended image header ============================== WP pin: 0xee (disabled) * image_info: Print chip ID's name if known Example: Flash pins drive settings: clk_drv: 0x0, q_drv: 0x0, d_drv: 0x0, cs0_drv: 0x0, hd_drv: 0x0, wp_drv: 0x0 Chip ID: 5 (ESP32-C3) Minimal chip revision: v0.0, (legacy min_rev = 0) Maximal chip revision: v655.35 An unknown ID will be printed as: Chip ID: 42 (Unknown ID) * tests: Make the testsuite Windows compatible * espefuse: Adds external esp instance Closes espressif#873 * espefuse: Improve efuse error viewing * espefuse: Explicit setting of efuse time settings EFUSE_PWR_ON_NUM in C3 has default value = 0x2880, now = 0x3000 * docs(Boot log): Add all esp targets to cover boot troubleshooting Closes espressif#732 * fix: USB-JTAG-Serial PID detection error * esptool: Move bootdesc on the top of the ram segment * espefuse: Move some vars under init method to speedup tool after adding yaml support * espefuse: Adds yaml efuse description files for all chip - esptool: Updates eFuses wafer major&minor versions - esptool(esp32c6): Adds package versions - espefuse(esp32c6): Replace PKG_VERSION BLK_VERSION_MINOR BLK_VERSION_MAJOR - espefuse(esp32c6): Adds adc calib efuses - espefuse: Adds yaml files for Build with PyInstaller * efuse(H2): Adds RF Calibration Information * espsecure: Improve error message for incorrect PEM format Closes espressif#881 * bugfix(usb_jtag_serial): Autofeed super watchdog (SWD) to avoid resets during flashing * esptool: Read 64-bit MAC address on C6 and H2 * bugfix: Adjust wrapper scripts to not import themselves * bugfix(espsecure): Print a clear error message if incompatible OpenSSL backend is used Closes espressif#878 * fix: inconsistent usage of dirs separator * feat(esptool): add option to dump whole flash based on detected size Closes espressif#461 * Update version to v4.6 * Update version to v4.7-dev * fix(ESP32-S3): Correct RTC WDT registers to fix resets during flashing * Update version to v4.6.1 * Update version to v4.7-dev * docs: add explanation for flash_id example to avoid confusion * docs(boot-log): fix list formatting * docs: add c2, c6 and h2 as build targets * fix(compressed upload): Accept short data blocks with only Adler-32 bytes * fix(CH9102F): Suggest to install new serial drivers if writing to RAM fails * esptool & espefuse: Fix byte order in MAC (for C6 and H2) MAC: 60:55:f9:ff:fe:f7:2c:a2 (EUI64, used for IEEE802154) BASE MAC: 60:55:f9:f7:2c:a2 (used for BT) MAC_EXT: ff:fe * Update version to v4.6.2 * Update version to v4.7 * change: Add conventional precommit linter * ci(pre-commit): Update version of `conventional-precommit-linter` * feat(get_security_info): Improved the output format and added more details * fix(esp32-c2): Enable flashing in secure download mode Closes espressif#895 * ci: Add DangerJS checks to GL and GH * feat(esptool): Add PICO package for ESP32S3 and flash/psram efuses * feat(esptool): Add tests for get_chip_features * feat(esptool): Add new packages for ESP32C3 and flash efuses * fix(expand file args): Correctly print the expanded command * feat(espsecure): Allow prompting for HSM PIN in read_hsm_config If hsm_config does not contain "credentials" the user will be prompted for the HSM PIN. This avoids the need to have HSM PINs typed in config files which is not a good security practice. ADJUNCT: Updated documentation to reflect new usage Closes espressif#900 * fix(dangerGH): Update token permissions - allow Danger to add comments to PR * fix(elf2image): fix text/rodata mapping overlap issue on uni-idrom bus chips * fix: assert in esp32 exclusive workaround * docs: Add other resources page * fix(autodetection): Remove the ESP32-S2 ROM class from get_security_info autodetection * change(pre-commit): Bump version conventional-precommit-linter to 1.2.1 * feat(esptool): added target to esp32p4 * feat(espefuse): Add support for esp32p4 chip * fix: Fix redirection of STDOUT Closes espressif#904 * fix(danger-github): Fir Danger GitHub token permission * ci(danger-github): Fix github-action-bot permissions for posting Danger output * ci: Shared danger to local stage (remove possible double CI pipelines) * ci: add 'flake8-import-order' as a dependecy to flake8 * fix(bin_image): Check only ELF sections when searching for .flash.appdesc Closes espressif#917 * feat(efuse): ESP32P4 adds ecdsa_key support * feat(efuse): Update key purpose table and tests * feat(esp32-s3): Support >16MB quad flash chips Adds support for the W25Q256 and GD25Q256 flash chips. Closes espressif#883 * ci(dev_release): Upload dev releases to PyPI with GH Actions * ci: fix pipeline for building docs * feat(merge_bin): add support for uf2 format * feat(esp32c3): Support ECO6 and ECO7 magic numbers * ci(gitlab_ci): Change only/except syntax to rules * fix(flasher_stub): fix usb-serial-jtag enabled non-related intr source * fix(loader): Could not open serial port message adjusted * ci(gitlab): Fix deploying docs to production * ci(github): Fix pyinstaller builds on ubuntu * docs(basic-commands): added note for PowerShell users for merge_bin command Closes espressif#923 * feat: Add support for Python 3.12 * feat(loader): Added hints for some serial port issues when rising port error Closes espressif/esp-idf#12366 * feat: add support for get_security_info on esp32c3 ECO7 * docs(troubleshooting): Explain issues when flashing with USB-Serial/JTAG or USB-OTG Closes espressif#924 * feat(espefuse): Update the way to complete the operation * docs(boot_mode_selection): Correct secondary strapping pin boot mode levels Closes espressif#928 * feat(espefuse): Adds efuse ADC calibration data for ESP32H2 * feat(rfc2217_server): Add hard reset sequence * feat(elf2image): add ram-only-header argument The ram-only-header configuration makes only the RAM segments visible to the ROM bootloader placing them at the beginning of the file and altering the segment count from the image header with the quantity of these segments, and also writing only their checksum. This segment placement also may not result as optimal as the standard way regarding the padding gap use among the flash segments that could result in a less fragmented binary. The image built must then handle the basic hardware initialization and the flash mapping for code execution after ROM bootloader boot it. Signed-off-by: Marek Matej <[email protected]> Signed-off-by: Almir Okato <[email protected]> * feat(esp32p4): Stub flasher support * refactor(stub_flasher): Cleanup, make adding new targets easier * feat: add support for intel hex format * feat(xip_psram): support xip psram feature on esp32p4 Expanded IROM / DROM range to include psram space as well * Delete docs directory * Delete .gitlab-ci.yml * Delete .pre-commit-config.yaml * Delete MANIFEST.in * Update build_esptool.yml * Delete .github/workflows/test_esptool.yml --------- Signed-off-by: Frantisek Hrbata <[email protected]> Signed-off-by: hasheddan <[email protected]> Signed-off-by: Marek Matej <[email protected]> Signed-off-by: Almir Okato <[email protected]> Co-authored-by: harshal.patil <[email protected]> Co-authored-by: radim.karnis <[email protected]> Co-authored-by: Frantisek Hrbata <[email protected]> Co-authored-by: Peter Dragun <[email protected]> Co-authored-by: KonstantinKondrashov <[email protected]> Co-authored-by: Faidon Liambotis <[email protected]> Co-authored-by: XiNGRZ <[email protected]> Co-authored-by: Marius Vikhammer <[email protected]> Co-authored-by: hasheddan <[email protected]> Co-authored-by: Roland Dobai <[email protected]> Co-authored-by: Trent Piepho <[email protected]> Co-authored-by: Dean Gardiner <[email protected]> Co-authored-by: Massimiliano Montagni <[email protected]> Co-authored-by: Tomas Sebestik <[email protected]> Co-authored-by: Aditya Patwardhan <[email protected]> Co-authored-by: Richard Retanubun <[email protected]> Co-authored-by: wuzhenghui <[email protected]> Co-authored-by: Armando <[email protected]> Co-authored-by: Jakub Kocka <[email protected]> Co-authored-by: 20162026 <[email protected]> Co-authored-by: Almir Okato <[email protected]>
If hsm_config does not contain "credentials" the user will be prompted for the HSM PIN. This avoids the need to have HSM PINs typed in config files which is not a good security practice. ADJUNCT: Updated documentation to reflect new usage Closes espressif#900
Description of change
If the config file contains
credentials = prompt
during image signing process, the user will be prompted to type in the HSM PIN. This avoids the need to have the HSM PIN written as plaintext into a config file, which is not a secure practice.I have tested this change with the following hardware & software combinations:
espsecure using NitroKey HSM2 HW on Linux Ubuntu 22.04