authorSummer Qin <summer.qin@arm.com>2021-07-02 17:53:21 +0800
committerKen Liu <ken.liu@arm.com>2021-07-21 09:21:44 +0200
commited503e125fd3f6fcb7b7d2f820b7b6b064f61ebe (patch)
tree582ab41b96b2ae4c99bced91887118eef3904e9d
parentaaf994d929fe368f93fc128545a1af0431614757 (diff)
Crypto: Align PSA Crypto API to 1.0 version
Some functions and macros are deprecated in PSA Crypto spec 1.0. Align them with the spec definition. Change-Id: Icc2a8c6fe245873ea76b3e0a1bdf32a87fd016ad Signed-off-by: Summer Qin <summer.qin@arm.com>
-rw-r--r--interface/src/tfm_crypto_func_api.c23
-rw-r--r--interface/src/tfm_crypto_ipc_api.c21
-rw-r--r--lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch2
-rw-r--r--lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c8
-rw-r--r--lib/ext/t_cose/inc/t_cose_common.h4
-rw-r--r--lib/ext/t_cose/src/t_cose_crypto.h6
-rw-r--r--lib/ext/t_cose/test/t_cose_make_psa_test_key.c11
-rw-r--r--platform/ext/common/template/tfm_initial_attest_pub_key.c2
-rw-r--r--platform/ext/common/template/tfm_initial_attestation_key_material.c2
-rw-r--r--platform/ext/target/nxp/common/plat_attestation_key.c4
-rw-r--r--secure_fw/partitions/crypto/tfm_crypto_secure_api.c23
-rw-r--r--secure_fw/partitions/initial_attestation/attest_asymmetric_key.c9
-rw-r--r--secure_fw/partitions/initial_attestation/attest_symmetric_key.c6
-rw-r--r--secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c2
14 files changed, 29 insertions, 94 deletions
diff --git a/interface/src/tfm_crypto_func_api.c b/interface/src/tfm_crypto_func_api.c
index 6ff25a1e73..62bf4850de 100644
--- a/interface/src/tfm_crypto_func_api.c
+++ b/interface/src/tfm_crypto_func_api.c
@@ -861,18 +861,6 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key,
return status;
}
-psa_status_t psa_asymmetric_sign(psa_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- return psa_sign_hash(key, alg, hash, hash_length, signature,
- signature_size, signature_length);
-}
-
psa_status_t psa_sign_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
@@ -904,17 +892,6 @@ psa_status_t psa_sign_hash(psa_key_id_t key,
return status;
}
-psa_status_t psa_asymmetric_verify(psa_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- return psa_verify_hash(key, alg, hash, hash_length,
- signature, signature_length);
-}
-
psa_status_t psa_verify_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
diff --git a/interface/src/tfm_crypto_ipc_api.c b/interface/src/tfm_crypto_ipc_api.c
index e925c36ea9..af604ec093 100644
--- a/interface/src/tfm_crypto_ipc_api.c
+++ b/interface/src/tfm_crypto_ipc_api.c
@@ -879,17 +879,6 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key,
return status;
}
-psa_status_t psa_asymmetric_sign(psa_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- return psa_sign_hash(key, alg, hash, hash_length, signature, signature_size, signature_length);
-}
-
psa_status_t psa_sign_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
@@ -921,16 +910,6 @@ psa_status_t psa_sign_hash(psa_key_id_t key,
return status;
}
-psa_status_t psa_asymmetric_verify(psa_key_id_t key,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- return psa_verify_hash(key, alg, hash, hash_length, signature, signature_length);
-}
-
psa_status_t psa_verify_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
diff --git a/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch b/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch
index bebe183a3c..75ee6af821 100644
--- a/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch
+++ b/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch
@@ -58,7 +58,7 @@ index 7f748c2..a45355e 100644
- public_key_buf_size,
- public_key_len,
- elliptic_curve_type);
-+ if (initial_attest_curve_type != PSA_ECC_CURVE_SECP256R1)
++ if (initial_attest_curve_type != PSA_ECC_FAMILY_SECP_R1)
+ return PAL_ATTEST_ERR_KEY_FAIL;
+
+ if (public_key_buf_size < initial_attest_pub_key_size)
diff --git a/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c b/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c
index 22203dd5e3..20ab764e31 100644
--- a/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c
+++ b/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c
@@ -2,7 +2,7 @@
* t_cose_psa_crypto.c
*
* Copyright 2019, Laurence Lundblade
- * Copyright (c) 2020, Arm Limited. All rights reserved
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -100,7 +100,7 @@ static enum t_cose_err_t psa_status_to_t_cose_error_signing(psa_status_t err)
err == PSA_ERROR_INVALID_SIGNATURE ? T_COSE_ERR_SIG_VERIFY :
err == PSA_ERROR_NOT_SUPPORTED ? T_COSE_ERR_UNSUPPORTED_SIGNING_ALG:
err == PSA_ERROR_INSUFFICIENT_MEMORY ? T_COSE_ERR_INSUFFICIENT_MEMORY :
- err == PSA_ERROR_TAMPERING_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED :
+ err == PSA_ERROR_CORRUPTION_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED :
T_COSE_ERR_SIG_FAIL;
}
@@ -134,7 +134,7 @@ t_cose_crypto_pub_key_verify(int32_t cose_algorithm_id,
* signing_key passed in, not the cose_algorithm_id This check
* looks for ECDSA signing as indicated by COSE and rejects what
* is not. (Perhaps this check can be removed to save object code
- * if it is the case that psa_asymmetric_verify() does the right
+ * if it is the case that psa_verify_hash() does the right
* checks).
*/
if(!PSA_ALG_IS_ECDSA(psa_alg_id)) {
@@ -183,7 +183,7 @@ t_cose_crypto_pub_key_sign(int32_t cose_algorithm_id,
* signing_key passed in, not the cose_algorithm_id This check
* looks for ECDSA signing as indicated by COSE and rejects what
* is not. (Perhaps this check can be removed to save object code
- * if it is the case that psa_asymmetric_verify() does the right
+ * if it is the case that psa_verify_hash() does the right
* checks).
*/
if(!PSA_ALG_IS_ECDSA(psa_alg_id)) {
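Review bot: The comment updated in t_cose_crypto_pub_key_sign still names the verification primitive, but this is the signing path, so the rename left it inaccurate: the line should read `* if it is the case that psa_sign_hash() does the right` rather than psa_verify_hash(). The same wording in t_cose_crypto_pub_key_verify in the previous hunk is correct there. The function body continues outside the hunk.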
diff --git a/lib/ext/t_cose/inc/t_cose_common.h b/lib/ext/t_cose/inc/t_cose_common.h
index 9b1a3dc5e2..9375e35e97 100644
--- a/lib/ext/t_cose/inc/t_cose_common.h
+++ b/lib/ext/t_cose/inc/t_cose_common.h
@@ -2,7 +2,7 @@
* t_cose_common.h
*
* Copyright 2019, Laurence Lundblade
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -282,7 +282,7 @@ enum t_cose_err_t {
/** General unspecific failure. */
T_COSE_ERR_FAIL = 17,
- /** Equivalent to \c PSA_ERROR_TAMPERING_DETECTED. */
+ /** Equivalent to \c PSA_ERROR_CORRUPTION_DETECTED. */
T_COSE_ERR_TAMPERING_DETECTED = 18,
/** The key identified by a \ref t_cose_key or a key ID was not
diff --git a/lib/ext/t_cose/src/t_cose_crypto.h b/lib/ext/t_cose/src/t_cose_crypto.h
index 019f909f3b..d068fc206d 100644
--- a/lib/ext/t_cose/src/t_cose_crypto.h
+++ b/lib/ext/t_cose/src/t_cose_crypto.h
@@ -2,7 +2,7 @@
* t_cose_crypto.h
*
* Copyright 2019, Laurence Lundblade
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -194,7 +194,7 @@ t_cose_crypto_sig_size(int32_t cose_algorithm_id,
* \retval T_COSE_ERR_FAIL
* General unspecific failure.
* \retval T_COSE_ERR_TAMPERING_DETECTED
- * Equivalent to \c PSA_ERROR_TAMPERING_DETECTED.
+ * Equivalent to \c PSA_ERROR_CORRUPTION_DETECTED.
*
* This is called to do public key signing. The implementation will
* vary from one platform / OS to another but should conform to the
@@ -268,7 +268,7 @@ t_cose_crypto_pub_key_sign(int32_t cose_algorithm_id,
* \retval T_COSE_ERR_FAIL
* General unspecific failure.
* \retval T_COSE_ERR_TAMPERING_DETECTED
- * Equivalent to \c PSA_ERROR_TAMPERING_DETECTED.
+ * Equivalent to \c PSA_ERROR_CORRUPTION_DETECTED.
*/
enum t_cose_err_t
t_cose_crypto_pub_key_verify(int32_t cose_algorithm_id,
diff --git a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
index d1462c4fe2..836d599377 100644
--- a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
+++ b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c
@@ -2,6 +2,7 @@
* t_cose_make_psa_test_key.c
*
* Copyright 2019-2020, Laurence Lundblade
+ * Copyright (c) 2021, Arm Limited. All rights reserved
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -86,21 +87,21 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id,
case COSE_ALGORITHM_ES256:
private_key = private_key_256;
private_key_len = sizeof(private_key_256);
- key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1);
+ key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256);
break;
case COSE_ALGORITHM_ES384:
private_key = private_key_384;
private_key_len = sizeof(private_key_384);
- key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP384R1);
+ key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_384);
break;
case COSE_ALGORITHM_ES512:
private_key = private_key_521;
private_key_len = sizeof(private_key_521);
- key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP521R1);
+ key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1);
key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_512);
break;
@@ -143,8 +144,8 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id,
/* Say what algorithm and operations the key can be used with / for */
psa_key_policy_t policy = psa_key_policy_init();
psa_key_policy_set_usage(&policy,
- PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY,
- key_alg);
+ PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH,
+ key_alg);
crypto_result = psa_set_key_policy(key_handle, &policy);
if (crypto_result != PSA_SUCCESS) {
return T_COSE_ERR_FAIL;
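Review bot: Only the usage flag names are moved to 1.0 here, while the surrounding calls `psa_key_policy_init()`, `psa_key_policy_set_usage()` and `psa_set_key_policy(key_handle, &policy)` appear to be the pre-1.0 policy API, which PSA Crypto 1.0 replaced with a `psa_key_attributes_t` populated before `psa_import_key()` (the pattern attest_asymmetric_key.c uses in this same change with `psa_set_key_usage_flags`). If the build still provides these entry points the test helper compiles, but the alignment is incomplete for it; I cannot confirm this because the key import call is outside the hunk. make_ecdsa_key_pair continues outside the hunk.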
diff --git a/platform/ext/common/template/tfm_initial_attest_pub_key.c b/platform/ext/common/template/tfm_initial_attest_pub_key.c
index 6a664aeddf..05cc4c426e 100644
--- a/platform/ext/common/template/tfm_initial_attest_pub_key.c
+++ b/platform/ext/common/template/tfm_initial_attest_pub_key.c
@@ -21,7 +21,7 @@
*/
/* Type of the EC curve which the key belongs to, in PSA curve ID form */
-const psa_ecc_family_t initial_attest_curve_type = PSA_ECC_CURVE_SECP256R1;
+const psa_ecc_family_t initial_attest_curve_type = PSA_ECC_FAMILY_SECP_R1;
/*
* Initial attestation public key in raw format, without any encoding.
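Review bot: The comment above `initial_attest_curve_type` still says "in PSA curve ID form", but PSA_ECC_FAMILY_SECP_R1 is a family identifier covering P-256, P-384 and P-521, so the constant alone no longer names the curve the way PSA_ECC_CURVE_SECP256R1 did. Suggest `/* PSA ECC family of the key; SECP_R1 covers P-256/P-384/P-521, the curve is fixed by the key length */` so readers do not take it as a P-256 guarantee.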
diff --git a/platform/ext/common/template/tfm_initial_attestation_key_material.c b/platform/ext/common/template/tfm_initial_attestation_key_material.c
index b171e5a865..436ec25755 100644
--- a/platform/ext/common/template/tfm_initial_attestation_key_material.c
+++ b/platform/ext/common/template/tfm_initial_attestation_key_material.c
@@ -60,7 +60,7 @@ const char *initial_attestation_kid = "kid@trustedfirmware.example";
/* Type of the EC curve which the key belongs to, in PSA curve ID form */
TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION", "PSA-ROT")
-const psa_ecc_family_t initial_attestation_curve_type = PSA_ECC_CURVE_SECP256R1;
+const psa_ecc_family_t initial_attestation_curve_type = PSA_ECC_FAMILY_SECP_R1;
/* Initial attestation private key in raw format, without any encoding.
* It belongs to the ECDSA P-256 curve.
diff --git a/platform/ext/target/nxp/common/plat_attestation_key.c b/platform/ext/target/nxp/common/plat_attestation_key.c
index 643cb2e04e..976e5cdffa 100644
--- a/platform/ext/target/nxp/common/plat_attestation_key.c
+++ b/platform/ext/target/nxp/common/plat_attestation_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020 Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021 Arm Limited. All rights reserved.
* Copyright 2020 NXP. All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -54,7 +54,7 @@ const uint8_t initial_attestation_private_key[] =
/* Type of the EC curve which the key belongs to, in PSA curve ID form */
#ifndef TFM_ATTESTATION_KEY_TYPE
-#define TFM_ATTESTATION_KEY_TYPE PSA_ECC_CURVE_SECP256R1
+#define TFM_ATTESTATION_KEY_TYPE PSA_ECC_FAMILY_SECP_R1
#endif
/**
diff --git a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
index be1d0bad12..0494d9635d 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
+++ b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
@@ -1038,18 +1038,6 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key_id,
#endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */
}
-psa_status_t psa_asymmetric_sign(psa_key_id_t key_id,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- uint8_t *signature,
- size_t signature_size,
- size_t *signature_length)
-{
- return psa_sign_hash(key_id, alg, hash, hash_length, signature,
- signature_size, signature_length);
-}
-
psa_status_t psa_sign_hash(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *hash,
@@ -1085,17 +1073,6 @@ psa_status_t psa_sign_hash(psa_key_id_t key_id,
#endif /* TFM_CRYPTO_ASYM_SIGN_MODULE_DISABLED */
}
-psa_status_t psa_asymmetric_verify(psa_key_id_t key_id,
- psa_algorithm_t alg,
- const uint8_t *hash,
- size_t hash_length,
- const uint8_t *signature,
- size_t signature_length)
-{
- return psa_verify_hash(key_id, alg, hash, hash_length,
- signature, signature_length);
-}
-
psa_status_t psa_verify_hash(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *hash,
diff --git a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
index 66052b4005..99317d7683 100644
--- a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
+++ b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c
@@ -49,7 +49,8 @@ static size_t attestation_public_key_len = 0;
static psa_ecc_family_t attestation_key_curve;
#ifdef INCLUDE_COSE_KEY_ID
-static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */
+/* 32bytes */
+static uint8_t attestation_key_id[PSA_HASH_LENGTH(PSA_ALG_SHA_256)];
#endif
/* Instance ID for asymmetric IAK */
@@ -81,7 +82,7 @@ attest_register_initial_attestation_key()
}
/* Setup the key policy for private key */
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN);
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(psa_curve));
@@ -228,7 +229,7 @@ attest_map_psa_ecc_curve_to_cose_ecc_curve(psa_ecc_family_t psa_curve)
/* Note: Mapping is not complete. */
switch (psa_curve) {
- case PSA_ECC_CURVE_SECP256R1:
+ case PSA_ECC_FAMILY_SECP_R1:
cose_curve = COSE_ELLIPTIC_CURVE_P_256;
break;
default:
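Review bot: After the rename, `case PSA_ECC_FAMILY_SECP_R1:` maps every SECP R1 key to COSE_ELLIPTIC_CURVE_P_256, but the family also contains P-384 and P-521, so a non-P-256 IAK would be advertised with the wrong `crv` in the COSE key, whereas the old PSA_ECC_CURVE_SECP256R1 value did pin the curve. Since the function receives only a psa_ecc_family_t, the caller would have to supply the key size as well, e.g. a `key_bits` parameter with `if (key_bits != 256) { break; }` before the assignment, or a check against the file-static `attestation_public_key_len` declared at the top of this file. The switch and the return continue outside the hunk, so I cannot see what the default path reports; the "Mapping is not complete" note suggests the limitation is known but it is now easier to hit silently.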
@@ -402,7 +403,7 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id)
struct q_useful_buf buffer_for_attest_key_id;
buffer_for_attest_key_id.ptr = attestation_key_id;
- buffer_for_attest_key_id.len = PSA_HASH_SIZE(PSA_ALG_SHA_256);
+ buffer_for_attest_key_id.len = PSA_HASH_LENGTH(PSA_ALG_SHA_256);
/* Needs to calculate only once */
if (attest_key_id_calculated == 0) {
diff --git a/secure_fw/partitions/initial_attestation/attest_symmetric_key.c b/secure_fw/partitions/initial_attestation/attest_symmetric_key.c
index 4fa24a4512..759fc336c7 100644
--- a/secure_fw/partitions/initial_attestation/attest_symmetric_key.c
+++ b/secure_fw/partitions/initial_attestation/attest_symmetric_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
* Copyright (c) 2018-2019, Laurence Lundblade.
*
* SPDX-License-Identifier: BSD-3-Clause
@@ -27,7 +27,7 @@
static psa_key_handle_t symmetric_iak_handle = 0;
/* Instance ID for symmetric IAK */
-static uint8_t instance_id_buf[PSA_HASH_SIZE(INSTANCE_ID_HASH_ALG) + 1];
+static uint8_t instance_id_buf[PSA_HASH_LENGTH(INSTANCE_ID_HASH_ALG) + 1];
static size_t instance_id_len = 0;
#ifdef INCLUDE_COSE_KEY_ID
@@ -177,7 +177,7 @@ enum psa_attest_err_t attest_register_initial_attestation_key(void)
}
/* Setup the key attributes */
- psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN);
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(&key_attributes, key_alg);
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_HMAC);
diff --git a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c
index 95b25c843f..1015fae2da 100644
--- a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c
+++ b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c
@@ -24,7 +24,7 @@
/* The PSA algorithm used by this implementation */
#define PS_CRYPTO_ALG \
- PSA_ALG_AEAD_WITH_TAG_LENGTH(PS_CRYPTO_AEAD_ALG, PS_TAG_LEN_BYTES)
+ PSA_ALG_AEAD_WITH_SHORTENED_TAG(PS_CRYPTO_AEAD_ALG, PS_TAG_LEN_BYTES)
/*
* \brief Check whether the PS AEAD algorithm is a valid one
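Review bot: PSA_ALG_AEAD_WITH_SHORTENED_TAG makes explicit that PS_TAG_LEN_BYTES truncates the authentication tag, but nothing visible bounds that value; a short tag weakens the integrity of every protected-storage object, and for GCM a tag below 12 bytes is outside the NIST-recommended range. PS_TAG_LEN_BYTES and PS_CRYPTO_AEAD_ALG are defined outside the hunk, so I cannot confirm the configured length; a compile-time guard next to this macro, `#if PS_TAG_LEN_BYTES < 12` / `#error "PS_TAG_LEN_BYTES too short for a secure AEAD tag"` / `#endif`, would make the bound explicit. The validity check named in the following comment may already cover this, but it starts outside the hunk.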