authorDavid Hu <david.hu@arm.com>2021-07-19 21:04:49 +0800
committerDavid Hu <david.hu@arm.com>2021-07-23 09:15:30 +0200
commite21144c46f540747947db361932613eb5d77f2bb (patch)
tree7931c111d16408d52e696d1f7785ec13c73a7b84 /secure_fw
parentc19c76627a740ce1ffb9cd7fb06729e434c896a0 (diff)
PS: Update non-static label implementation
Store the client ID and UID directly in the PS crypto reference structure instead of in a fixed-length key label array. This avoids hard-coding the array length to an assumed sizeof(psa_storage_uid_t), which may vary. Change-Id: I1f9934638807725ae47f9a0eeaa339de89eeeaa4 Signed-off-by: David Hu <david.hu@arm.com>
Diffstat (limited to 'secure_fw')
-rw-r--r--secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h9
-rw-r--r--secure_fw/partitions/protected_storage/ps_encrypted_object.c37
-rw-r--r--secure_fw/partitions/protected_storage/ps_object_system.c66
-rw-r--r--secure_fw/partitions/protected_storage/ps_utils.c25
-rw-r--r--secure_fw/partitions/protected_storage/ps_utils.h23
5 files changed, 52 insertions, 108 deletions
diff --git a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h
index d9fe96f960..4377bc205c 100644
--- a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h
+++ b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -20,10 +20,6 @@ extern "C" {
#define PS_KEY_LEN_BYTES 16
#define PS_TAG_LEN_BYTES 16
#define PS_IV_LEN_BYTES 12
-/* The key label consists of the uid + client_id, thus the length of it is:
- * sizeof(psa_storage_uid_t) + sizeof(int32_t).
- */
-#define PS_KEY_LABEL_LEN_BYTES 12
/* Union containing crypto policy implementations. The ref member provides the
* reference implementation. Further members can be added to the union to
@@ -31,9 +27,10 @@ extern "C" {
*/
union ps_crypto_t {
struct {
- uint8_t key_label[PS_KEY_LABEL_LEN_BYTES]; /*!< Key label value */
uint8_t tag[PS_TAG_LEN_BYTES]; /*!< MAC value of AEAD object */
uint8_t iv[PS_IV_LEN_BYTES]; /*!< IV value of AEAD object */
+ psa_storage_uid_t uid; /*!< UID for key label */
+ int32_t client_id; /*!< Owner client ID for key label */
} ref;
};
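Review bot: Appending `psa_storage_uid_t uid` after the 28 bytes of `tag` and `iv` changes the layout of `ref`: the removed comment in the previous hunk sizes the UID at 8 bytes, and an 8-byte-aligned member placed at offset 28 gets 4 bytes of padding in front of it, so `sizeof(union ps_crypto_t)` most likely grows from 40 to 48 with tail padding after `client_id` as well. If this crypto header is copied to the storage medium as a raw struct (the write path is not in this diff), objects written by earlier firmware will no longer parse and the padding bytes are persisted with whatever the buffer happened to hold. Putting the two new members first keeps the struct padding-free on the usual ABIs: `psa_storage_uid_t uid;` then `int32_t client_id;` ahead of `tag`, plus a comment such as `/* This header may be persisted as-is; do not reorder or resize members without versioning the object format. */` to record the constraint.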
diff --git a/secure_fw/partitions/protected_storage/ps_encrypted_object.c b/secure_fw/partitions/protected_storage/ps_encrypted_object.c
index 41a725bb4c..589388535a 100644
--- a/secure_fw/partitions/protected_storage/ps_encrypted_object.c
+++ b/secure_fw/partitions/protected_storage/ps_encrypted_object.c
@@ -34,6 +34,23 @@
static uint8_t ps_crypto_buf[PS_CRYPTO_BUF_LEN];
+static psa_status_t fill_key_label(struct ps_object_t *obj, size_t *length)
+{
+ psa_storage_uid_t uid = obj->header.crypto.ref.uid;
+ int32_t client_id = obj->header.crypto.ref.client_id;
+
+ if (PS_CRYPTO_BUF_LEN < (sizeof(client_id) + sizeof(uid))) {
+ return PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+
+ tfm_memcpy(ps_crypto_buf, &client_id, sizeof(client_id));
+ tfm_memcpy(ps_crypto_buf + sizeof(client_id), &uid, sizeof(uid));
+
+ *length = sizeof(client_id) + sizeof(uid);
+
+ return PSA_SUCCESS;
+}
+
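Review bot: fill_key_label() builds the derivation label in `ps_crypto_buf`, the same static buffer that the two callers in this file then reuse for the AEAD input/output, so the label is only valid until the next crypto call; that is safe only if `ps_crypto_setkey()` (not in this diff) consumes the label before returning rather than retaining the pointer, and the function should say so: `/* The label lives in ps_crypto_buf and is overwritten by the following AEAD call; ps_crypto_setkey() must not keep a pointer to it. */`. The label is the raw native-endian bytes of `client_id` followed by `uid`, which is the same encoding the removed ps_utils_fill_key_label() produced but is now an undocumented part of the key-derivation contract; a one-line comment stating the byte order would help the next reader. The `PS_CRYPTO_BUF_LEN < (sizeof(client_id) + sizeof(uid))` guard compares two compile-time constants, so a build-time assertion would catch a misconfiguration earlier than the runtime return, if the project has a static-assert facility.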
/**
* \brief Performs authenticated decryption on object data, with the header as
* the associated data.
@@ -53,10 +70,14 @@ static psa_status_t ps_object_auth_decrypt(uint32_t fid,
{
psa_status_t err;
uint8_t *p_obj_data = (uint8_t *)&obj->header.info;
- size_t out_len;
+ size_t out_len, label_length;
- err = ps_crypto_setkey(obj->header.crypto.ref.key_label,
- sizeof(obj->header.crypto.ref.key_label));
+ err = fill_key_label(obj, &label_length);
+ if (err != PSA_SUCCESS) {
+ return err;
+ }
+
+ err = ps_crypto_setkey(ps_crypto_buf, label_length);
if (err != PSA_SUCCESS) {
return err;
}
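Review bot: The key label now comes from `obj->header.crypto.ref.uid` and `.client_id`, fields that live inside the same header struct as `tag` and `iv`; if ps_encrypted_object_read() (outside this diff) fills `obj->header.crypto` from the storage medium before calling ps_object_auth_decrypt(), the derived key would be driven by the plaintext header on the medium rather than by the caller's identity set in ps_object_system.c, and an attacker able to rewrite that header could make one client's object decrypt under another client's (client_id, uid). Whether that ordering holds cannot be seen here, so the invariant should at least be stated where the values are consumed: `/* uid and client_id must have been set by the caller from the requesting client's identity; they must never be taken from the stored header. */`. The body of ps_object_auth_decrypt continues outside the hunk.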
@@ -101,10 +122,14 @@ static psa_status_t ps_object_auth_encrypt(uint32_t fid,
{
psa_status_t err;
uint8_t *p_obj_data = (uint8_t *)&obj->header.info;
- size_t out_len;
+ size_t out_len, label_length;
+
+ err = fill_key_label(obj, &label_length);
+ if (err != PSA_SUCCESS) {
+ return err;
+ }
- err = ps_crypto_setkey(obj->header.crypto.ref.key_label,
- sizeof(obj->header.crypto.ref.key_label));
+ err = ps_crypto_setkey(ps_crypto_buf, label_length);
if (err != PSA_SUCCESS) {
return err;
}
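Review bot: The new block is laid out differently from its twin in ps_object_auth_decrypt: there the `fill_key_label()` check is followed by a blank line before `ps_crypto_setkey()`, whereas here the blank line sits above the call and the closing `}` runs straight into `err = ps_crypto_setkey(ps_crypto_buf, label_length);`. Matching the decrypt version keeps the two parallel paths trivially comparable. The body of ps_object_auth_encrypt continues outside the hunk.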
diff --git a/secure_fw/partitions/protected_storage/ps_object_system.c b/secure_fw/partitions/protected_storage/ps_object_system.c
index 67ef44275f..5cdcc718c7 100644
--- a/secure_fw/partitions/protected_storage/ps_object_system.c
+++ b/secure_fw/partitions/protected_storage/ps_object_system.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -188,13 +188,9 @@ psa_status_t ps_object_read(psa_storage_uid_t uid, int32_t client_id,
/* Read object */
#ifdef PS_ENCRYPTION
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
+
err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
#else
/* Read object header */
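Review bot: The two-line pair `g_ps_object.header.crypto.ref.uid = uid;` / `g_ps_object.header.crypto.ref.client_id = client_id;` is now repeated before every encrypted read and write in this file (six copies in this commit), and nothing ties these writes to the ps_encrypted_object_read() call that depends on them, so a future reorder or a missed copy in a new entry point would silently derive the wrong key. A small static helper, or passing `uid`/`client_id` into ps_encrypted_object_read()/write() so they populate the header themselves, keeps the origin of the label (the requesting client's identity, not anything read from storage) in one reviewable place. ps_object_read's body continues outside the hunk.
```c
/* Record the requesting client's identity in the object header; it is the
 * key-derivation label used by the encrypted read/write paths and must never
 * be taken from a header read back from storage. */
static void ps_set_key_label(psa_storage_uid_t uid, int32_t client_id)
{
    g_ps_object.header.crypto.ref.uid = uid;
    g_ps_object.header.crypto.ref.client_id = client_id;
}

/* … unchanged: ps_object_read up to the PS_ENCRYPTION block … */
    ps_set_key_label(uid, client_id);
    err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
```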
@@ -250,13 +246,8 @@ psa_status_t ps_object_create(psa_storage_uid_t uid, int32_t client_id,
if (err == PSA_SUCCESS) {
#ifdef PS_ENCRYPTION
/* Read the object */
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
#else
@@ -309,13 +300,8 @@ psa_status_t ps_object_create(psa_storage_uid_t uid, int32_t client_id,
}
#ifdef PS_ENCRYPTION
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
err = ps_encrypted_object_write(g_obj_tbl_info.fid, &g_ps_object);
#else
@@ -377,13 +363,8 @@ psa_status_t ps_object_write(psa_storage_uid_t uid, int32_t client_id,
/* Read the object */
#ifdef PS_ENCRYPTION
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
#else
@@ -435,13 +416,8 @@ psa_status_t ps_object_write(psa_storage_uid_t uid, int32_t client_id,
}
#ifdef PS_ENCRYPTION
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
err = ps_encrypted_object_write(g_obj_tbl_info.fid, &g_ps_object);
#else
@@ -492,13 +468,8 @@ psa_status_t ps_object_get_info(psa_storage_uid_t uid, int32_t client_id,
}
#ifdef PS_ENCRYPTION
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
#else
@@ -533,13 +504,8 @@ psa_status_t ps_object_delete(psa_storage_uid_t uid, int32_t client_id)
}
#ifdef PS_ENCRYPTION
- err = ps_utils_fill_key_label(uid,
- client_id,
- g_ps_object.header.crypto.ref.key_label,
- sizeof(g_ps_object.header.crypto.ref.key_label));
- if (err != PSA_SUCCESS) {
- goto clear_data_and_return;
- }
+ g_ps_object.header.crypto.ref.uid = uid;
+ g_ps_object.header.crypto.ref.client_id = client_id;
err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
#else
diff --git a/secure_fw/partitions/protected_storage/ps_utils.c b/secure_fw/partitions/protected_storage/ps_utils.c
index 5f40447fe3..91540e0288 100644
--- a/secure_fw/partitions/protected_storage/ps_utils.c
+++ b/secure_fw/partitions/protected_storage/ps_utils.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -27,26 +27,3 @@ psa_status_t ps_utils_check_contained_in(uint32_t superset_size,
return PSA_SUCCESS;
}
-
-#ifdef PS_ENCRYPTION
-psa_status_t ps_utils_fill_key_label(psa_storage_uid_t uid,
- int32_t client_id,
- uint8_t *buff,
- size_t buff_len)
-{
-
- if (buff_len < (sizeof(client_id) + sizeof(uid))) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- if (buff == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- tfm_memset(buff, 0x0, buff_len);
- tfm_memcpy(buff, &client_id, sizeof(client_id));
- tfm_memcpy(buff + sizeof(client_id), &uid, sizeof(uid));
-
- return PSA_SUCCESS;
-}
-#endif
diff --git a/secure_fw/partitions/protected_storage/ps_utils.h b/secure_fw/partitions/protected_storage/ps_utils.h
index 3364478864..4722ed0b4b 100644
--- a/secure_fw/partitions/protected_storage/ps_utils.h
+++ b/secure_fw/partitions/protected_storage/ps_utils.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -62,27 +62,6 @@ psa_status_t ps_utils_check_contained_in(uint32_t superset_size,
uint32_t subset_offset,
uint32_t subset_size);
-
-#ifdef PS_ENCRYPTION
-/**
- * \brief Fills the uint8_t buffer with the client_id and the uid
- *
- * \param[in] uid The data identifier
- * \param[in] client_id Client id of the partition
- * \param[out] buff The output buffer
- * \param[in] buff_len Length of the output buffer in bytes
- *
- * \retval PSA_SUCCESS Buffer filled successfully
- * \retval PSA_ERROR_INVALID_ARGUMENT The buffer pointer is NULL
- * \retval PSA_ERROR_BUFFER_TOO_SMALL The buffer cannot fit the client_id + uid
- *
- */
-psa_status_t ps_utils_fill_key_label(psa_storage_uid_t uid,
- int32_t client_id,
- uint8_t *buff,
- size_t buff_len);
-#endif
-
#ifdef __cplusplus
}
#endif