author | David Hu <david.hu@arm.com> | 2021-07-19 21:04:49 +0800 |
committer | David Hu <david.hu@arm.com> | 2021-07-23 09:15:30 +0200 |
commit | e21144c46f540747947db361932613eb5d77f2bb (patch) | |
tree | 7931c111d16408d52e696d1f7785ec13c73a7b84 /secure_fw | |
parent | c19c76627a740ce1ffb9cd7fb06729e434c896a0 (diff) | |
download | trusted-firmware-m-e21144c46f540747947db361932613eb5d77f2bb.tar.gz |
PS: Update non-static label implementation
Define the client ID and UID in the PS crypto ref structure to replace the
static key label array. This avoids defining a static array whose fixed
length is derived from psa_storage_uid_t, a type whose size may actually vary.
Change-Id: I1f9934638807725ae47f9a0eeaa339de89eeeaa4
Signed-off-by: David Hu <david.hu@arm.com>
Diffstat (limited to 'secure_fw')
5 files changed, 52 insertions, 108 deletions
diff --git a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h
index d9fe96f960..4377bc205c 100644
--- a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h
+++ b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -20,10 +20,6 @@ extern "C" {
 #define PS_KEY_LEN_BYTES 16
 #define PS_TAG_LEN_BYTES 16
 #define PS_IV_LEN_BYTES 12
-/* The key label consists of the uid + client_id, thus the length of it is:
- * sizeof(psa_storage_uid_t) + sizeof(int32_t).
- */
-#define PS_KEY_LABEL_LEN_BYTES 12
 
 /* Union containing crypto policy implementations. The ref member provides the
  * reference implementation. Further members can be added to the union to
@@ -31,9 +27,10 @@ extern "C" {
  */
 union ps_crypto_t {
     struct {
-        uint8_t key_label[PS_KEY_LABEL_LEN_BYTES]; /*!< Key label value */
         uint8_t tag[PS_TAG_LEN_BYTES]; /*!< MAC value of AEAD object */
         uint8_t iv[PS_IV_LEN_BYTES]; /*!< IV value of AEAD object */
+        psa_storage_uid_t uid; /*!< UID for key label */
+        int32_t client_id; /*!< Owner client ID for key label */
     } ref;
 };
 
diff --git a/secure_fw/partitions/protected_storage/ps_encrypted_object.c b/secure_fw/partitions/protected_storage/ps_encrypted_object.c
index 41a725bb4c..589388535a 100644
--- a/secure_fw/partitions/protected_storage/ps_encrypted_object.c
+++ b/secure_fw/partitions/protected_storage/ps_encrypted_object.c
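Review bot: The `uid` and `client_id` members added to `ps_crypto_t.ref` change the layout of a structure that lives in the object header, which is written to flash and (per the `ps_object_auth_decrypt` comment) used as AEAD associated data, so objects written by earlier PS builds will no longer authenticate and nothing in the hunk marks the new layout. psa_storage_uid_t is a 64-bit type in the PSA Storage API, so placing it after the 12-byte `iv` most likely introduces alignment padding inside `ref` that ends up in the stored header; unless `g_ps_object` is always zeroed first, those bytes are unspecified. Consider declaring `uid` first so the members pack without a gap, and adding `/* Layout change: objects stored by earlier PS versions are not readable. */` above the struct.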
@@ -34,6 +34,23 @@ static uint8_t ps_crypto_buf[PS_CRYPTO_BUF_LEN];
+static psa_status_t fill_key_label(struct ps_object_t *obj, size_t *length)
+{
+    psa_storage_uid_t uid = obj->header.crypto.ref.uid;
+    int32_t client_id = obj->header.crypto.ref.client_id;
+
+    if (PS_CRYPTO_BUF_LEN < (sizeof(client_id) + sizeof(uid))) {
+        return PSA_ERROR_BUFFER_TOO_SMALL;
+    }
+
+    tfm_memcpy(ps_crypto_buf, &client_id, sizeof(client_id));
+    tfm_memcpy(ps_crypto_buf + sizeof(client_id), &uid, sizeof(uid));
+
+    *length = sizeof(client_id) + sizeof(uid);
+
+    return PSA_SUCCESS;
+}
+
 /**
  * \brief Performs authenticated decryption on object data, with the header as
  *        the associated data.
@@ -53,10 +70,14 @@ static psa_status_t ps_object_auth_decrypt(uint32_t fid,
 {
     psa_status_t err;
     uint8_t *p_obj_data = (uint8_t *)&obj->header.info;
-    size_t out_len;
+    size_t out_len, label_length;
 
-    err = ps_crypto_setkey(obj->header.crypto.ref.key_label,
-                           sizeof(obj->header.crypto.ref.key_label));
+    err = fill_key_label(obj, &label_length);
+    if (err != PSA_SUCCESS) {
+        return err;
+    }
+
+    err = ps_crypto_setkey(ps_crypto_buf, label_length);
     if (err != PSA_SUCCESS) {
         return err;
     }
@@ -101,10 +122,14 @@ static psa_status_t ps_object_auth_encrypt(uint32_t fid,
 {
     psa_status_t err;
     uint8_t *p_obj_data = (uint8_t *)&obj->header.info;
-    size_t out_len;
+    size_t out_len, label_length;
+
+    err = fill_key_label(obj, &label_length);
+    if (err != PSA_SUCCESS) {
+        return err;
+    }
 
-    err = ps_crypto_setkey(obj->header.crypto.ref.key_label,
-                           sizeof(obj->header.crypto.ref.key_label));
+    err = ps_crypto_setkey(ps_crypto_buf, label_length);
     if (err != PSA_SUCCESS) {
         return err;
     }
diff --git a/secure_fw/partitions/protected_storage/ps_object_system.c b/secure_fw/partitions/protected_storage/ps_object_system.c
index 67ef44275f..5cdcc718c7 100644
--- a/secure_fw/partitions/protected_storage/ps_object_system.c
+++ b/secure_fw/partitions/protected_storage/ps_object_system.c
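Review bot: `fill_key_label` builds the label in the file-scope `ps_crypto_buf`, and both callers hand that same buffer to `ps_crypto_setkey`; if `ps_crypto_setkey` retains the pointer instead of copying, or `ps_crypto_buf` is reused as the AEAD working buffer later in `ps_object_auth_decrypt`/`ps_object_auth_encrypt` (their bodies continue past the hunks), the label is silently clobbered, so the helper needs a `\brief` comment in the file's style stating that the label is only valid until `ps_crypto_buf` is next written. The helper only reads `obj`, so the parameter should be `const struct ps_object_t *obj`, and the `PS_CRYPTO_BUF_LEN` check compares two compile-time constants and can never vary at runtime. The label is the raw in-memory bytes of `client_id` and `uid`, so the derived key depends on the target's endianness and the width of psa_storage_uid_t; a comment such as `/* Label = client_id || uid in native byte order; ABI-dependent. */` would save the next person a migration surprise.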
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -188,13 +188,9 @@ psa_status_t ps_object_read(psa_storage_uid_t uid, int32_t client_id,
     /* Read object */
 #ifdef PS_ENCRYPTION
-    err = ps_utils_fill_key_label(uid,
-                                  client_id,
-                                  g_ps_object.header.crypto.ref.key_label,
-                                  sizeof(g_ps_object.header.crypto.ref.key_label));
-    if (err != PSA_SUCCESS) {
-        goto clear_data_and_return;
-    }
+    g_ps_object.header.crypto.ref.uid = uid;
+    g_ps_object.header.crypto.ref.client_id = client_id;
+
     err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
 #else
     /* Read object header */
@@ -250,13 +246,8 @@ psa_status_t ps_object_create(psa_storage_uid_t uid, int32_t client_id,
     if (err == PSA_SUCCESS) {
 #ifdef PS_ENCRYPTION
         /* Read the object */
-        err = ps_utils_fill_key_label(uid,
-                                      client_id,
-                                      g_ps_object.header.crypto.ref.key_label,
-                                      sizeof(g_ps_object.header.crypto.ref.key_label));
-        if (err != PSA_SUCCESS) {
-            goto clear_data_and_return;
-        }
+        g_ps_object.header.crypto.ref.uid = uid;
+        g_ps_object.header.crypto.ref.client_id = client_id;
         err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
 #else
@@ -309,13 +300,8 @@ psa_status_t ps_object_create(psa_storage_uid_t uid, int32_t client_id,
     }
 #ifdef PS_ENCRYPTION
-    err = ps_utils_fill_key_label(uid,
-                                  client_id,
-                                  g_ps_object.header.crypto.ref.key_label,
-                                  sizeof(g_ps_object.header.crypto.ref.key_label));
-    if (err != PSA_SUCCESS) {
-        goto clear_data_and_return;
-    }
+    g_ps_object.header.crypto.ref.uid = uid;
+    g_ps_object.header.crypto.ref.client_id = client_id;
     err = ps_encrypted_object_write(g_obj_tbl_info.fid, &g_ps_object);
 #else
@@ -377,13 +363,8 @@ psa_status_t ps_object_write(psa_storage_uid_t uid, int32_t client_id,
     /* Read the object */
 #ifdef PS_ENCRYPTION
-    err = ps_utils_fill_key_label(uid,
-                                  client_id,
-                                  g_ps_object.header.crypto.ref.key_label,
-                                  sizeof(g_ps_object.header.crypto.ref.key_label));
-    if (err != PSA_SUCCESS) {
-        goto clear_data_and_return;
-    }
+    g_ps_object.header.crypto.ref.uid = uid;
+    g_ps_object.header.crypto.ref.client_id = client_id;
     err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
 #else
@@ -435,13 +416,8 @@ psa_status_t ps_object_write(psa_storage_uid_t uid, int32_t client_id,
     }
 #ifdef PS_ENCRYPTION
-    err = ps_utils_fill_key_label(uid,
-                                  client_id,
-                                  g_ps_object.header.crypto.ref.key_label,
-                                  sizeof(g_ps_object.header.crypto.ref.key_label));
-    if (err != PSA_SUCCESS) {
-        goto clear_data_and_return;
-    }
+    g_ps_object.header.crypto.ref.uid = uid;
+    g_ps_object.header.crypto.ref.client_id = client_id;
     err = ps_encrypted_object_write(g_obj_tbl_info.fid, &g_ps_object);
 #else
@@ -492,13 +468,8 @@ psa_status_t ps_object_get_info(psa_storage_uid_t uid, int32_t client_id,
     }
 #ifdef PS_ENCRYPTION
-    err = ps_utils_fill_key_label(uid,
-                                  client_id,
-                                  g_ps_object.header.crypto.ref.key_label,
-                                  sizeof(g_ps_object.header.crypto.ref.key_label));
-    if (err != PSA_SUCCESS) {
-        goto clear_data_and_return;
-    }
+    g_ps_object.header.crypto.ref.uid = uid;
+    g_ps_object.header.crypto.ref.client_id = client_id;
     err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
 #else
@@ -533,13 +504,8 @@ psa_status_t ps_object_delete(psa_storage_uid_t uid, int32_t client_id)
     }
 #ifdef PS_ENCRYPTION
-    err = ps_utils_fill_key_label(uid,
-                                  client_id,
-                                  g_ps_object.header.crypto.ref.key_label,
-                                  sizeof(g_ps_object.header.crypto.ref.key_label));
-    if (err != PSA_SUCCESS) {
-        goto clear_data_and_return;
-    }
+    g_ps_object.header.crypto.ref.uid = uid;
+    g_ps_object.header.crypto.ref.client_id = client_id;
     err = ps_encrypted_object_read(g_obj_tbl_info.fid, &g_ps_object);
 #else
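Review bot: The caller-supplied owner is stored into `g_ps_object.header.crypto.ref.uid`/`.client_id` immediately before `ps_encrypted_object_read` in every read-side hunk of `ps_object_read`, `ps_object_create`, `ps_object_write`, `ps_object_get_info` and `ps_object_delete`; if that function (not visible here) refills `header.crypto` from the stored copy, the key label ends up derived from on-flash data rather than the requesting client's identity, which is the binding these assignments are meant to enforce, so this deserves confirming and a comment such as `/* Key label owner: must survive ps_encrypted_object_read() leaving header.crypto.ref.uid/client_id untouched. */`. The same two-line pattern is repeated in seven places across these hunks; a one-line static helper, e.g. `static inline void ps_object_set_key_owner(psa_storage_uid_t uid, int32_t client_id)`, would keep the binding in one spot. Dropping the `goto clear_data_and_return` paths is correct since plain assignments cannot fail; the enclosing functions start and end outside the hunks.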
diff --git a/secure_fw/partitions/protected_storage/ps_utils.c b/secure_fw/partitions/protected_storage/ps_utils.c
index 5f40447fe3..91540e0288 100644
--- a/secure_fw/partitions/protected_storage/ps_utils.c
+++ b/secure_fw/partitions/protected_storage/ps_utils.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -27,26 +27,3 @@ psa_status_t ps_utils_check_contained_in(uint32_t superset_size,
     return PSA_SUCCESS;
 }
-
-#ifdef PS_ENCRYPTION
-psa_status_t ps_utils_fill_key_label(psa_storage_uid_t uid,
-                                     int32_t client_id,
-                                     uint8_t *buff,
-                                     size_t buff_len)
-{
-
-    if (buff_len < (sizeof(client_id) + sizeof(uid))) {
-        return PSA_ERROR_BUFFER_TOO_SMALL;
-    }
-
-    if (buff == NULL) {
-        return PSA_ERROR_INVALID_ARGUMENT;
-    }
-
-    tfm_memset(buff, 0x0, buff_len);
-    tfm_memcpy(buff, &client_id, sizeof(client_id));
-    tfm_memcpy(buff + sizeof(client_id), &uid, sizeof(uid));
-
-    return PSA_SUCCESS;
-}
-#endif
diff --git a/secure_fw/partitions/protected_storage/ps_utils.h b/secure_fw/partitions/protected_storage/ps_utils.h
index 3364478864..4722ed0b4b 100644
--- a/secure_fw/partitions/protected_storage/ps_utils.h
+++ b/secure_fw/partitions/protected_storage/ps_utils.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -62,27 +62,6 @@ psa_status_t ps_utils_check_contained_in(uint32_t superset_size,
                                         uint32_t subset_offset,
                                         uint32_t subset_size);
-
-#ifdef PS_ENCRYPTION
-/**
- * \brief Fills the uint8_t buffer with the client_id and the uid
- *
- * \param[in]  uid        The data identifier
- * \param[in]  client_id  Client id of the partition
- * \param[out] buff       The output buffer
- * \param[in]  buff_len   Length of the output buffer in bytes
- *
- * \retval PSA_SUCCESS                 Buffer filled successfully
- * \retval PSA_ERROR_INVALID_ARGUMENT  The buffer pointer is NULL
- * \retval PSA_ERROR_BUFFER_TOO_SMALL  The buffer cannot fit the client_id + uid
- *
- */
-psa_status_t ps_utils_fill_key_label(psa_storage_uid_t uid,
-                                     int32_t client_id,
-                                     uint8_t *buff,
-                                     size_t buff_len);
-#endif
-
 #ifdef __cplusplus
 }
 #endif
|