author | Summer Qin <summer.qin@arm.com> | 2021-07-02 17:53:21 +0800 |
---|---|---|
committer | Ken Liu <ken.liu@arm.com> | 2021-07-21 09:21:44 +0200 |
commit | ed503e125fd3f6fcb7b7d2f820b7b6b064f61ebe (patch) | |
tree | 582ab41b96b2ae4c99bced91887118eef3904e9d | |
parent | aaf994d929fe368f93fc128545a1af0431614757 (diff) | |
Crypto: Align PSA Crypto API to 1.0 version
Some functions and macros are deprecated in PSA Crypto spec 1.0.
Align them with the spec definition.
Change-Id: Icc2a8c6fe245873ea76b3e0a1bdf32a87fd016ad
Signed-off-by: Summer Qin <summer.qin@arm.com>
14 files changed, 29 insertions, 94 deletions
diff --git a/interface/src/tfm_crypto_func_api.c b/interface/src/tfm_crypto_func_api.c index 6ff25a1e73..62bf4850de 100644 --- a/interface/src/tfm_crypto_func_api.c +++ b/interface/src/tfm_crypto_func_api.c @@ -861,18 +861,6 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key, return status; } -psa_status_t psa_asymmetric_sign(psa_key_id_t key, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - uint8_t *signature, - size_t signature_size, - size_t *signature_length) -{ - return psa_sign_hash(key, alg, hash, hash_length, signature, - signature_size, signature_length); -} - psa_status_t psa_sign_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *hash, @@ -904,17 +892,6 @@ psa_status_t psa_sign_hash(psa_key_id_t key, return status; } -psa_status_t psa_asymmetric_verify(psa_key_id_t key, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, - size_t signature_length) -{ - return psa_verify_hash(key, alg, hash, hash_length, - signature, signature_length); -} - psa_status_t psa_verify_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *hash, diff --git a/interface/src/tfm_crypto_ipc_api.c b/interface/src/tfm_crypto_ipc_api.c index e925c36ea9..af604ec093 100644 --- a/interface/src/tfm_crypto_ipc_api.c +++ b/interface/src/tfm_crypto_ipc_api.c @@ -879,17 +879,6 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key, return status; } -psa_status_t psa_asymmetric_sign(psa_key_id_t key, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - uint8_t *signature, - size_t signature_size, - size_t *signature_length) -{ - return psa_sign_hash(key, alg, hash, hash_length, signature, signature_size, signature_length); -} - psa_status_t psa_sign_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *hash, 
@@ -921,16 +910,6 @@ psa_status_t psa_sign_hash(psa_key_id_t key, return status; } -psa_status_t psa_asymmetric_verify(psa_key_id_t key, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, - size_t signature_length) -{ - return psa_verify_hash(key, alg, hash, hash_length, signature, signature_length); -} - psa_status_t psa_verify_hash(psa_key_id_t key, psa_algorithm_t alg, const uint8_t *hash, diff --git a/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch b/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch index bebe183a3c..75ee6af821 100644 --- a/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch +++ b/lib/ext/psa_arch_tests/0004-Workaround-for-removal-of-initial-attest-get-public-.patch @@ -58,7 +58,7 @@ index 7f748c2..a45355e 100644 - public_key_buf_size, - public_key_len, - elliptic_curve_type); -+ if (initial_attest_curve_type != PSA_ECC_CURVE_SECP256R1) ++ if (initial_attest_curve_type != PSA_ECC_FAMILY_SECP_R1) + return PAL_ATTEST_ERR_KEY_FAIL; + + if (public_key_buf_size < initial_attest_pub_key_size) diff --git a/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c b/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c index 22203dd5e3..20ab764e31 100644 --- a/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c +++ b/lib/ext/t_cose/crypto_adapters/t_cose_psa_crypto.c @@ -2,7 +2,7 @@ * t_cose_psa_crypto.c * * Copyright 2019, Laurence Lundblade - * Copyright (c) 2020, Arm Limited. All rights reserved + * Copyright (c) 2020-2021, Arm Limited. All rights reserved * * SPDX-License-Identifier: BSD-3-Clause * 
@@ -100,7 +100,7 @@ static enum t_cose_err_t psa_status_to_t_cose_error_signing(psa_status_t err) err == PSA_ERROR_INVALID_SIGNATURE ? T_COSE_ERR_SIG_VERIFY : err == PSA_ERROR_NOT_SUPPORTED ? T_COSE_ERR_UNSUPPORTED_SIGNING_ALG: err == PSA_ERROR_INSUFFICIENT_MEMORY ? T_COSE_ERR_INSUFFICIENT_MEMORY : - err == PSA_ERROR_TAMPERING_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED : + err == PSA_ERROR_CORRUPTION_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED : T_COSE_ERR_SIG_FAIL; } @@ -134,7 +134,7 @@ t_cose_crypto_pub_key_verify(int32_t cose_algorithm_id, * signing_key passed in, not the cose_algorithm_id This check * looks for ECDSA signing as indicated by COSE and rejects what * is not. (Perhaps this check can be removed to save object code - * if it is the case that psa_asymmetric_verify() does the right + * if it is the case that psa_verify_hash() does the right * checks). */ if(!PSA_ALG_IS_ECDSA(psa_alg_id)) { @@ -183,7 +183,7 @@ t_cose_crypto_pub_key_sign(int32_t cose_algorithm_id, * signing_key passed in, not the cose_algorithm_id This check * looks for ECDSA signing as indicated by COSE and rejects what * is not. (Perhaps this check can be removed to save object code - * if it is the case that psa_asymmetric_verify() does the right + * if it is the case that psa_verify_hash() does the right * checks). */ if(!PSA_ALG_IS_ECDSA(psa_alg_id)) { diff --git a/lib/ext/t_cose/inc/t_cose_common.h b/lib/ext/t_cose/inc/t_cose_common.h index 9b1a3dc5e2..9375e35e97 100644 --- a/lib/ext/t_cose/inc/t_cose_common.h +++ b/lib/ext/t_cose/inc/t_cose_common.h @@ -2,7 +2,7 @@ * t_cose_common.h * * Copyright 2019, Laurence Lundblade - * Copyright (c) 2020, Arm Limited. All rights reserved. + * Copyright (c) 2020-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause * 
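Review bot: In the `@@ -183` hunk of t_cose_psa_crypto.c, the comment inside t_cose_crypto_pub_key_sign() now names `psa_verify_hash()`, but this is the signing path, so it should refer to `psa_sign_hash()`. The old text had the same copy-paste slip with `psa_asymmetric_verify()`, and the rename is a good moment to fix it: `* if it is the case that psa_sign_hash() does the right`. I would keep the `PSA_ALG_IS_ECDSA(psa_alg_id)` check regardless of what the comment muses, since it is the visible point where a non-ECDSA algorithm is rejected before the key is used. The function body starts and ends outside the hunk.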
@@ -282,7 +282,7 @@ enum t_cose_err_t { /** General unspecific failure. */ T_COSE_ERR_FAIL = 17, - /** Equivalent to \c PSA_ERROR_TAMPERING_DETECTED. */ + /** Equivalent to \c PSA_ERROR_CORRUPTION_DETECTED. */ T_COSE_ERR_TAMPERING_DETECTED = 18, /** The key identified by a \ref t_cose_key or a key ID was not diff --git a/lib/ext/t_cose/src/t_cose_crypto.h b/lib/ext/t_cose/src/t_cose_crypto.h index 019f909f3b..d068fc206d 100644 --- a/lib/ext/t_cose/src/t_cose_crypto.h +++ b/lib/ext/t_cose/src/t_cose_crypto.h @@ -2,7 +2,7 @@ * t_cose_crypto.h * * Copyright 2019, Laurence Lundblade - * Copyright (c) 2020, Arm Limited. All rights reserved. + * Copyright (c) 2020-2021, Arm Limited. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause * @@ -194,7 +194,7 @@ t_cose_crypto_sig_size(int32_t cose_algorithm_id, * \retval T_COSE_ERR_FAIL * General unspecific failure. * \retval T_COSE_ERR_TAMPERING_DETECTED - * Equivalent to \c PSA_ERROR_TAMPERING_DETECTED. + * Equivalent to \c PSA_ERROR_CORRUPTION_DETECTED. * * This is called to do public key signing. The implementation will * vary from one platform / OS to another but should conform to the @@ -268,7 +268,7 @@ t_cose_crypto_pub_key_sign(int32_t cose_algorithm_id, * \retval T_COSE_ERR_FAIL * General unspecific failure. * \retval T_COSE_ERR_TAMPERING_DETECTED - * Equivalent to \c PSA_ERROR_TAMPERING_DETECTED. + * Equivalent to \c PSA_ERROR_CORRUPTION_DETECTED. */ enum t_cose_err_t t_cose_crypto_pub_key_verify(int32_t cose_algorithm_id, diff --git a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c index d1462c4fe2..836d599377 100644 --- a/lib/ext/t_cose/test/t_cose_make_psa_test_key.c +++ b/lib/ext/t_cose/test/t_cose_make_psa_test_key.c @@ -2,6 +2,7 @@ * t_cose_make_psa_test_key.c * * Copyright 2019-2020, Laurence Lundblade + * Copyright (c) 2021, Arm Limited. All rights reserved * * SPDX-License-Identifier: BSD-3-Clause * 
@@ -86,21 +87,21 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id, case COSE_ALGORITHM_ES256: private_key = private_key_256; private_key_len = sizeof(private_key_256); - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP256R1); + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_256); break; case COSE_ALGORITHM_ES384: private_key = private_key_384; private_key_len = sizeof(private_key_384); - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP384R1); + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_384); break; case COSE_ALGORITHM_ES512: private_key = private_key_521; private_key_len = sizeof(private_key_521); - key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_CURVE_SECP521R1); + key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); key_alg = PSA_ALG_ECDSA(PSA_ALG_SHA_512); break; @@ -143,8 +144,8 @@ enum t_cose_err_t make_ecdsa_key_pair(int32_t cose_algorithm_id, /* Say what algorithm and operations the key can be used with / for */ psa_key_policy_t policy = psa_key_policy_init(); psa_key_policy_set_usage(&policy, - PSA_KEY_USAGE_SIGN | PSA_KEY_USAGE_VERIFY, - key_alg); + PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH, + key_alg); crypto_result = psa_set_key_policy(key_handle, &policy); if (crypto_result != PSA_SUCCESS) { return T_COSE_ERR_FAIL; diff --git a/platform/ext/common/template/tfm_initial_attest_pub_key.c b/platform/ext/common/template/tfm_initial_attest_pub_key.c index 6a664aeddf..05cc4c426e 100644 --- a/platform/ext/common/template/tfm_initial_attest_pub_key.c +++ b/platform/ext/common/template/tfm_initial_attest_pub_key.c 
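Review bot: The `@@ -144` hunk of t_cose_make_psa_test_key.c switches the usage flags to the 1.0 names but still builds the policy with `psa_key_policy_t`, `psa_key_policy_set_usage()` and `psa_set_key_policy()`, which belong to the pre-1.0 API. In PSA Crypto 1.0, usage and algorithm are set on a `psa_key_attributes_t` before import. If this branch is still compiled (any surrounding preprocessor condition is outside the hunk), it should follow the pattern attest_asymmetric_key.c uses in this same commit, `psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_VERIFY_HASH);` followed by `psa_set_key_algorithm(&key_attributes, key_alg);`. If it is kept only for an old crypto library, the new flag names do not belong in it. In the `@@ -86` hunk all three cases now produce the same `key_type`, so the curve is selected only by the length of the imported key, which deserves a comment such as `/* family only; the curve size is taken from private_key_len on import */`.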
@@ -21,7 +21,7 @@ */ /* Type of the EC curve which the key belongs to, in PSA curve ID form */ -const psa_ecc_family_t initial_attest_curve_type = PSA_ECC_CURVE_SECP256R1; +const psa_ecc_family_t initial_attest_curve_type = PSA_ECC_FAMILY_SECP_R1; /* * Initial attestation public key in raw format, without any encoding. diff --git a/platform/ext/common/template/tfm_initial_attestation_key_material.c b/platform/ext/common/template/tfm_initial_attestation_key_material.c index b171e5a865..436ec25755 100644 --- a/platform/ext/common/template/tfm_initial_attestation_key_material.c +++ b/platform/ext/common/template/tfm_initial_attestation_key_material.c @@ -60,7 +60,7 @@ const char *initial_attestation_kid = "kid@trustedfirmware.example"; /* Type of the EC curve which the key belongs to, in PSA curve ID form */ TFM_LINK_SET_RO_IN_PARTITION_SECTION("TFM_SP_INITIAL_ATTESTATION", "PSA-ROT") -const psa_ecc_family_t initial_attestation_curve_type = PSA_ECC_CURVE_SECP256R1; +const psa_ecc_family_t initial_attestation_curve_type = PSA_ECC_FAMILY_SECP_R1; /* Initial attestation private key in raw format, without any encoding. * It belongs to the ECDSA P-256 curve. diff --git a/platform/ext/target/nxp/common/plat_attestation_key.c b/platform/ext/target/nxp/common/plat_attestation_key.c index 643cb2e04e..976e5cdffa 100644 --- a/platform/ext/target/nxp/common/plat_attestation_key.c +++ b/platform/ext/target/nxp/common/plat_attestation_key.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2017-2020 Arm Limited. All rights reserved. + * Copyright (c) 2017-2021 Arm Limited. All rights reserved. * Copyright 2020 NXP. All rights reserved. * * Licensed under the Apache License, Version 2.0 (the "License"); 
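Review bot: The comment above `initial_attest_curve_type` still reads "in PSA curve ID form", but `PSA_ECC_FAMILY_SECP_R1` is a curve family and no longer encodes the 256-bit size that `PSA_ECC_CURVE_SECP256R1` did. The same stale comment sits above `initial_attestation_curve_type` in tfm_initial_attestation_key_material.c and above `TFM_ATTESTATION_KEY_TYPE` in the NXP plat_attestation_key.c hunk. I would reword it to `/* ECC family of the key (psa_ecc_family_t); the curve size, P-256 here, comes from the key length */` so that someone porting a platform does not assume the constant alone pins the curve.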
@@ -54,7 +54,7 @@ const uint8_t initial_attestation_private_key[] = /* Type of the EC curve which the key belongs to, in PSA curve ID form */ #ifndef TFM_ATTESTATION_KEY_TYPE -#define TFM_ATTESTATION_KEY_TYPE PSA_ECC_CURVE_SECP256R1 +#define TFM_ATTESTATION_KEY_TYPE PSA_ECC_FAMILY_SECP_R1 #endif /** diff --git a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c index be1d0bad12..0494d9635d 100644 --- a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c +++ b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c @@ -1038,18 +1038,6 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key_id, #endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */ } -psa_status_t psa_asymmetric_sign(psa_key_id_t key_id, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - uint8_t *signature, - size_t signature_size, - size_t *signature_length) -{ - return psa_sign_hash(key_id, alg, hash, hash_length, signature, - signature_size, signature_length); -} - psa_status_t psa_sign_hash(psa_key_id_t key_id, psa_algorithm_t alg, const uint8_t *hash, @@ -1085,17 +1073,6 @@ psa_status_t psa_sign_hash(psa_key_id_t key_id, #endif /* TFM_CRYPTO_ASYM_SIGN_MODULE_DISABLED */ } -psa_status_t psa_asymmetric_verify(psa_key_id_t key_id, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, - size_t signature_length) -{ - return psa_verify_hash(key_id, alg, hash, hash_length, - signature, signature_length); -} - psa_status_t psa_verify_hash(psa_key_id_t key_id, psa_algorithm_t alg, const uint8_t *hash, diff --git a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c index 66052b4005..99317d7683 100644 --- a/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c +++ b/secure_fw/partitions/initial_attestation/attest_asymmetric_key.c 
@@ -49,7 +49,8 @@ static size_t attestation_public_key_len = 0; static psa_ecc_family_t attestation_key_curve; #ifdef INCLUDE_COSE_KEY_ID -static uint8_t attestation_key_id[PSA_HASH_SIZE(PSA_ALG_SHA_256)]; /* 32bytes */ +/* 32bytes */ +static uint8_t attestation_key_id[PSA_HASH_LENGTH(PSA_ALG_SHA_256)]; #endif /* Instance ID for asymmetric IAK */ @@ -81,7 +82,7 @@ attest_register_initial_attestation_key() } /* Setup the key policy for private key */ - psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH); psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(psa_curve)); @@ -228,7 +229,7 @@ attest_map_psa_ecc_curve_to_cose_ecc_curve(psa_ecc_family_t psa_curve) /* Note: Mapping is not complete. */ switch (psa_curve) { - case PSA_ECC_CURVE_SECP256R1: + case PSA_ECC_FAMILY_SECP_R1: cose_curve = COSE_ELLIPTIC_CURVE_P_256; break; default: @@ -402,7 +403,7 @@ attest_get_initial_attestation_key_id(struct q_useful_buf_c *attest_key_id) struct q_useful_buf buffer_for_attest_key_id; buffer_for_attest_key_id.ptr = attestation_key_id; - buffer_for_attest_key_id.len = PSA_HASH_SIZE(PSA_ALG_SHA_256); + buffer_for_attest_key_id.len = PSA_HASH_LENGTH(PSA_ALG_SHA_256); /* Needs to calculate only once */ if (attest_key_id_calculated == 0) { diff --git a/secure_fw/partitions/initial_attestation/attest_symmetric_key.c b/secure_fw/partitions/initial_attestation/attest_symmetric_key.c index 4fa24a4512..759fc336c7 100644 --- a/secure_fw/partitions/initial_attestation/attest_symmetric_key.c +++ b/secure_fw/partitions/initial_attestation/attest_symmetric_key.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2019-2020, Arm Limited. All rights reserved. + * Copyright (c) 2019-2021, Arm Limited. All rights reserved. * Copyright (c) 2018-2019, Laurence Lundblade. * * SPDX-License-Identifier: BSD-3-Clause 
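Review bot: In the `@@ -228` hunk, attest_map_psa_ecc_curve_to_cose_ecc_curve() now maps `PSA_ECC_FAMILY_SECP_R1` to `COSE_ELLIPTIC_CURVE_P_256`, but the family value covers every secp-r1 size, so a P-384 or P-521 attestation key would be labelled P-256 in the COSE key. Before the change the switch matched only `PSA_ECC_CURVE_SECP256R1`, so other sizes presumably took the `default` branch. The function receives only `psa_curve` (its body starts and ends outside the hunk), so the size has to be enforced where the key is registered. One way is to fetch the imported key's attributes and reject it unless `psa_get_key_bits(&key_attributes) == 256`; another is to pass the bit size into this mapping. The workaround patch under lib/ext/psa_arch_tests is loosened in the same way by `initial_attest_curve_type != PSA_ECC_FAMILY_SECP_R1`.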
@@ -27,7 +27,7 @@ static psa_key_handle_t symmetric_iak_handle = 0; /* Instance ID for symmetric IAK */ -static uint8_t instance_id_buf[PSA_HASH_SIZE(INSTANCE_ID_HASH_ALG) + 1]; +static uint8_t instance_id_buf[PSA_HASH_LENGTH(INSTANCE_ID_HASH_ALG) + 1]; static size_t instance_id_len = 0; #ifdef INCLUDE_COSE_KEY_ID @@ -177,7 +177,7 @@ enum psa_attest_err_t attest_register_initial_attestation_key(void) } /* Setup the key attributes */ - psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_HASH); psa_set_key_algorithm(&key_attributes, key_alg); psa_set_key_type(&key_attributes, PSA_KEY_TYPE_HMAC); diff --git a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c index 95b25c843f..1015fae2da 100644 --- a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c +++ b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c @@ -24,7 +24,7 @@ /* The PSA algorithm used by this implementation */ #define PS_CRYPTO_ALG \ - PSA_ALG_AEAD_WITH_TAG_LENGTH(PS_CRYPTO_AEAD_ALG, PS_TAG_LEN_BYTES) + PSA_ALG_AEAD_WITH_SHORTENED_TAG(PS_CRYPTO_AEAD_ALG, PS_TAG_LEN_BYTES) /* * \brief Check whether the PS AEAD algorithm is a valid one |
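Review bot: In the `@@ -177` hunk of attest_symmetric_key.c the HMAC key is given `PSA_KEY_USAGE_SIGN_HASH`, which in PSA Crypto 1.0 is the permission for signing a precomputed hash, whereas MAC computation is specified against `PSA_KEY_USAGE_SIGN_MESSAGE`. The 1.0 spec makes SIGN_HASH imply SIGN_MESSAGE, so this most likely works, but it grants more than a MAC key needs. If the crypto backend in use already checks the 1.0 flag for MAC operations (not visible from this hunk), `psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN_MESSAGE);` would be the least-privilege setting. Otherwise a comment such as `/* SIGN_HASH kept because the backend's MAC setup still checks it */` would record why the broader flag is used. The function continues outside the hunk.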