Update hal_dice_sign_hash

yosuke-wolfssl · yosuke-wolfssl · commit b48a9f24241b · 2026-04-28T16:45:45.000+09:00
diff --git a/hal/mcxn.c b/hal/mcxn.c
@@ -655,28 +655,49 @@ int hal_dice_create_attest_key(void)
 int hal_dice_sign_hash(const uint8_t *hash, size_t hash_len,
                        uint8_t *sig, size_t *sig_len)
 {
-    /*
-     * Sign pre-hashed TBS using ELS ECSIGN with the IAK slot.
-     * Output MUST be 64-byte raw R||S (big-endian), NOT DER-encoded.
-     * This matches WOLFBOOT_DICE_SIG_LEN and is used directly in COSE_Sign1.
-     *
-     * TODO: Implement using mcuxClEls_EccSign_Async:
-     *   static uint8_t sig_buf[64] __attribute__((aligned(4)));
-     *   mcuxClEls_EccSignOption_t opts = {0};
-     *   opts.bits.echashchl = 0; // pre-hashed input (not plain message)
-     *   MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...,
-     *       mcuxClEls_EccSign_Async(opts,
-     *           MCXN_ELS_DICE_IAK_KEYSLOT,
-     *           hash, NULL, 0, sig_buf));
-     *   mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR);
-     *   memcpy(sig, sig_buf, 64);
-     *   *sig_len = 64;
-     */
-    (void)hash;
-    (void)hash_len;
-    (void)sig;
-    (void)sig_len;
-    return -1; /* placeholder */
+    mcuxClEls_EccSignOption_t opts = {0};
+    uint8_t sig_buf[MCUXCLELS_ECC_SIGNATURE_SIZE] __attribute__((aligned(4)));
+    int ret = 0;
+
+    if (hash == NULL || sig == NULL || sig_len == NULL || hash_len != SHA256_DIGEST_SIZE) {
+        ret = -1;
+    }
+
+    if (ret == 0) {
+        /* Set options */
+        opts.bits.echashchl = MCUXCLELS_ECC_HASHED;
+
+        /* Trigger the ECC Sign command.
+         * We just give the names of token and return value
+         * since it's declared within the macro */
+        MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_sign, tok_sign,
+            mcuxClEls_EccSign_Async(opts,
+                MCXN_ELS_DICE_IAK_KEYSLOT,
+                hash, NULL, 0, sig_buf));
+
+        if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_EccSign_Async) != tok_sign) ||
+            (MCUXCLELS_STATUS_OK_WAIT != res_sign))
+            ret = -1;
+
+        MCUX_CSSL_FP_FUNCTION_CALL_END();
+
+        /* Wait for hardware to finish */
+        MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(res_w, tok_w,
+            mcuxClEls_WaitForOperation(MCUXCLELS_ERROR_FLAGS_CLEAR));
+
+        if ((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClEls_WaitForOperation) != tok_w) ||
+            (MCUXCLELS_STATUS_OK != res_w))
+            ret = -1;
+
+        MCUX_CSSL_FP_FUNCTION_CALL_END();
+    }
+
+    if (ret == 0) {
+        XMEMCPY(sig, sig_buf, MCUXCLELS_ECC_SIGNATURE_SIZE);
+        *sig_len = MCUXCLELS_ECC_SIGNATURE_SIZE;
+    }
+
+    return ret;
 }
 
 #endif /* WOLFCRYPT_TZ_PSA && WOLFBOOT_DICE_HW && __WOLFBOOT */
