-rw-r--r--config/config_default.cmake2
-rw-r--r--interface/include/psa/crypto.h344
-rw-r--r--interface/include/psa/crypto_client_struct.h4
-rw-r--r--interface/include/psa/crypto_compat.h134
-rw-r--r--interface/include/psa/crypto_sizes.h92
-rw-r--r--interface/include/psa/crypto_struct.h20
-rw-r--r--interface/include/psa/crypto_types.h8
-rw-r--r--interface/include/psa/crypto_values.h170
-rw-r--r--interface/include/tfm_crypto_defs.h5
-rw-r--r--interface/src/tfm_crypto_func_api.c134
-rw-r--r--interface/src/tfm_crypto_ipc_api.c139
-rw-r--r--lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch (renamed from lib/ext/mbedcrypto/0004-BUILD-Update-IAR-support-in-CMakeLists.txt.patch)0
-rw-r--r--lib/ext/mbedcrypto/0001-Build-Add-MBEDTLS_TARGET_PREFIX.patch350
-rw-r--r--lib/ext/mbedcrypto/0002-Build-Use-new-style-syntax-in-link-libraries.patch57
-rw-r--r--lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch (renamed from lib/ext/mbedcrypto/0005-Enable-crypto-code-sharing-between-independent-binar.patch)0
-rw-r--r--lib/ext/mbedcrypto/0003-Remove-overriding-of-CMAKE_BUILD_TYPE.patch28
-rw-r--r--lib/ext/mbedcrypto/0006-Move-misplaced-else-within-ifdef-to-avoid-compilatio.patch34
-rw-r--r--lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h14
-rw-r--r--lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h14
-rw-r--r--lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h14
-rwxr-xr-xplatform/ext/target/nxp/common/mini_mbedcrypto_config.h14
-rwxr-xr-xplatform/ext/target/nxp/lpcxpresso55s69/lpcxpresso55s69_mbedcrypto_config.h14
-rw-r--r--secure_fw/partitions/crypto/crypto_aead.c44
-rw-r--r--secure_fw/partitions/crypto/crypto_asymmetric.c52
-rw-r--r--secure_fw/partitions/crypto/crypto_cipher.c26
-rw-r--r--secure_fw/partitions/crypto/crypto_key.c205
-rw-r--r--secure_fw/partitions/crypto/crypto_key_derivation.c56
-rw-r--r--secure_fw/partitions/crypto/crypto_mac.c26
-rw-r--r--secure_fw/partitions/crypto/crypto_spe.h4
-rw-r--r--secure_fw/partitions/crypto/tfm_crypto.yaml9
-rw-r--r--secure_fw/partitions/crypto/tfm_crypto_api.h29
-rw-r--r--secure_fw/partitions/crypto/tfm_crypto_secure_api.c148
-rw-r--r--secure_fw/partitions/crypto/tfm_mbedcrypto_include.h3
-rw-r--r--secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c18
34 files changed, 1103 insertions, 1108 deletions
diff --git a/config/config_default.cmake b/config/config_default.cmake
index a7a37b5e50..35f9375bf5 100644
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -151,7 +151,7 @@ set(TFM_CRYPTO_TEST_HKDF ON CACHE BOOL "Test SHA-51
################################## Dependencies ################################
set(MBEDCRYPTO_PATH "DOWNLOAD" CACHE PATH "Path to Mbed Crypto (or DOWNLOAD to fetch automatically")
-set(MBEDCRYPTO_VERSION "mbedtls-2.24.0" CACHE STRING "The version of Mbed Crypto to use")
+set(MBEDCRYPTO_VERSION "mbedtls-2.25.0" CACHE STRING "The version of Mbed Crypto to use")
set(MBEDCRYPTO_GIT_REMOTE "https://github.com/ARMmbed/mbedtls.git" CACHE STRING "The URL (or path) to retrieve MbedTLS from.")
set(MBEDCRYPTO_BUILD_TYPE "${CMAKE_BUILD_TYPE}" CACHE STRING "Build type of Mbed Crypto library")
set(TFM_MBEDCRYPTO_CONFIG_PATH "${CMAKE_SOURCE_DIR}/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h" CACHE PATH "Config to use for Mbed Crypto")
diff --git a/interface/include/psa/crypto.h b/interface/include/psa/crypto.h
index c58abda240..e9d3c66d46 100644
--- a/interface/include/psa/crypto.h
+++ b/interface/include/psa/crypto.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -24,16 +24,6 @@
* @{
*/
-/** \brief Key handle.
- *
- * This type represents open handles to keys. It must be an unsigned integral
- * type. The choice of type is implementation-dependent.
- *
- * 0 is not a valid key handle. How other handle values are assigned is
- * implementation-dependent.
- */
-typedef _unsigned_integral_type_ psa_key_handle_t;
-
/**@}*/
#endif /* __DOXYGEN_ONLY__ */
@@ -134,11 +124,11 @@ static psa_key_attributes_t psa_key_attributes_init(void);
* linkage). This function may be provided as a function-like macro,
* but in this case it must evaluate each of its arguments exactly once.
*
- * \param[out] attributes The attribute structure to write to.
- * \param id The persistent identifier for the key.
+ * \param[out] attributes The attribute structure to write to.
+ * \param key The persistent identifier for the key.
*/
static void psa_set_key_id(psa_key_attributes_t *attributes,
- psa_key_id_t id);
+ psa_key_id_t key);
/** Set the location of a persistent key.
*
@@ -335,7 +325,7 @@ static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
* Once you have called this function on an attribute structure,
* you must call psa_reset_key_attributes() to free these resources.
*
- * \param[in] handle Handle to the key to query.
+ * \param[in] key Identifier of the key to query.
* \param[in,out] attributes On success, the attributes of the key.
* On failure, equivalent to a
* freshly-initialized structure.
@@ -351,7 +341,7 @@ static size_t psa_get_key_bits(const psa_key_attributes_t *attributes);
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
+psa_status_t psa_get_key_attributes(psa_key_id_t key,
psa_key_attributes_t *attributes);
/** Reset a key attribute structure to a freshly initialized state.
@@ -374,93 +364,28 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes);
* @{
*/
-/** Open a handle to an existing persistent key.
+/** Remove non-essential copies of key material from memory.
*
- * Open a handle to a persistent key. A key is persistent if it was created
- * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
- * always has a nonzero key identifier, set with psa_set_key_id() when
- * creating the key. Implementations may provide additional pre-provisioned
- * keys that can be opened with psa_open_key(). Such keys have a key identifier
- * in the vendor range, as documented in the description of #psa_key_id_t.
+ * If the key identifier designates a volatile key, this functions does not do
+ * anything and returns successfully.
*
- * The application must eventually close the handle with psa_close_key() or
- * psa_destroy_key() to release associated resources. If the application dies
- * without calling one of these functions, the implementation should perform
- * the equivalent of a call to psa_close_key().
+ * If the key identifier designates a persistent key, then this function will
+ * free all resources associated with the key in volatile memory. The key
+ * data in persistent storage is not affected and the key can still be used.
*
- * Some implementations permit an application to open the same key multiple
- * times. If this is successful, each call to psa_open_key() will return a
- * different key handle.
- *
- * \note Applications that rely on opening a key multiple times will not be
- * portable to implementations that only permit a single key handle to be
- * opened. See also :ref:\`key-handles\`.
- *
- * \param id The persistent identifier of the key.
- * \param[out] handle On success, a handle to the key.
+ * \param key Identifier of the key to purge.
*
* \retval #PSA_SUCCESS
- * Success. The application can now use the value of `*handle`
- * to access the key.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * The implementation does not have sufficient resources to open the
- * key. This can be due to reaching an implementation limit on the
- * number of open keys, the number of open key handles, or available
- * memory.
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * There is no persistent key with key identifier \p id.
+ * The key material will have been removed from memory if it is not
+ * currently required.
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p id is not a valid persistent key identifier.
- * \retval #PSA_ERROR_NOT_PERMITTED
- * The specified key exists, but the application does not have the
- * permission to access it. Note that this specification does not
- * define any way to create such a key, but it may be possible
- * through implementation-specific means.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_BAD_STATE
- * The library has not been previously initialized by psa_crypto_init().
- * It is implementation-dependent whether a failure to initialize
- * results in this error code.
- */
-psa_status_t psa_open_key(psa_key_id_t id,
- psa_key_handle_t *handle);
-
-
-/** Close a key handle.
- *
- * If the handle designates a volatile key, this will destroy the key material
- * and free all associated resources, just like psa_destroy_key().
- *
- * If this is the last open handle to a persistent key, then closing the handle
- * will free all resources associated with the key in volatile memory. The key
- * data in persistent storage is not affected and can be opened again later
- * with a call to psa_open_key().
- *
- * Closing the key handle makes the handle invalid, and the key handle
- * must not be used again by the application.
- *
- * \note If the key handle was used to set up an active
- * :ref:\`multipart operation <multipart-operations>\`, then closing the
- * key handle can cause the multipart operation to fail. Applications should
- * maintain the key handle until after the multipart operation has finished.
- *
- * \param handle The key handle to close.
- * If this is \c 0, do nothing and return \c PSA_SUCCESS.
- *
- * \retval #PSA_SUCCESS
- * \p handle was a valid handle or \c 0. It is now closed.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \p handle is not a valid handle nor \c 0.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \p key is not a valid key identifier.
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_close_key(psa_key_handle_t handle);
+psa_status_t psa_purge_key(psa_key_id_t key);
/** Make a copy of a key.
*
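Review bot: The new psa_purge_key description has a grammatical slip on its second paragraph line: `* If the key identifier designates a volatile key, this functions does not do` should read `this function does not do`. Separately, an invalid identifier is documented here as `#PSA_ERROR_INVALID_ARGUMENT`, whereas psa_destroy_key and psa_copy_key in the same file report `#PSA_ERROR_INVALID_HANDLE` for the same condition; if the difference is intentional, a short note to that effect would stop callers from testing the wrong status, otherwise the retval should be aligned with the other key-management functions. Since purging leaves the persistent copy intact, it may also help to point readers who need the material erased to psa_destroy_key in the same paragraph.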
@@ -499,7 +424,10 @@ psa_status_t psa_close_key(psa_key_handle_t handle);
* The effect of this function on implementation-defined attributes is
* implementation-defined.
*
- * \param source_handle The key to copy. It must be a valid key handle.
+ * \param source_key The key to copy. It must allow the usage
+ * #PSA_KEY_USAGE_COPY. If a private or secret key is
+ * being copied outside of a secure element it must
+ * also allow #PSA_KEY_USAGE_EXPORT.
* \param[in] attributes The attributes for the new key.
* They are used as follows:
* - The key type and size may be 0. If either is
@@ -513,12 +441,14 @@ psa_status_t psa_close_key(psa_key_handle_t handle);
* the source key and \p attributes so that
* both sets of restrictions apply, as
* described in the documentation of this function.
- * \param[out] target_handle On success, a handle to the newly created key.
+ * \param[out] target_key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
* \c 0 on failure.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_INVALID_HANDLE
- * \p source_handle is invalid.
+ * \p source_key is invalid.
* \retval #PSA_ERROR_ALREADY_EXISTS
* This is an attempt to create a persistent key, and there is
* already a persistent key with the given identifier.
@@ -546,9 +476,9 @@ psa_status_t psa_close_key(psa_key_handle_t handle);
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_copy_key(psa_key_handle_t source_handle,
+psa_status_t psa_copy_key(psa_key_id_t source_key,
const psa_key_attributes_t *attributes,
- psa_key_handle_t *target_handle);
+ psa_key_id_t *target_key);
/**
@@ -559,28 +489,22 @@ psa_status_t psa_copy_key(psa_key_handle_t source_handle,
* make a best effort to ensure that that the key material cannot be recovered.
*
* This function also erases any metadata such as policies and frees
- * resources associated with the key. To free all resources associated with
- * the key, all handles to the key must be closed or destroyed.
- *
- * Destroying the key makes the handle invalid, and the key handle
- * must not be used again by the application. Using other open handles to the
- * destroyed key in a cryptographic operation will result in an error.
+ * resources associated with the key.
*
* If a key is currently in use in a multipart operation, then destroying the
* key will cause the multipart operation to fail.
*
- * \param handle Handle to the key to erase.
- * If this is \c 0, do nothing and return \c PSA_SUCCESS.
+ * \param key Identifier of the key to erase. If this is \c 0, do nothing and
+ * return #PSA_SUCCESS.
*
* \retval #PSA_SUCCESS
- * \p handle was a valid handle and the key material that it
- * referred to has been erased.
- * Alternatively, \p handle is \c 0.
+ * \p key was a valid identifier and the key material that it
+ * referred to has been erased. Alternatively, \p key is \c 0.
* \retval #PSA_ERROR_NOT_PERMITTED
* The key cannot be erased because it is
* read-only, either due to a policy or due to physical restrictions.
* \retval #PSA_ERROR_INVALID_HANDLE
- * \p handle is not a valid handle nor \c 0.
+ * \p key is not a valid identifier nor \c 0.
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* There was an failure in communication with the cryptoprocessor.
* The key material may still be present in the cryptoprocessor.
@@ -598,7 +522,7 @@ psa_status_t psa_copy_key(psa_key_handle_t source_handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_destroy_key(psa_key_handle_t handle);
+psa_status_t psa_destroy_key(psa_key_id_t key);
/**@}*/
@@ -633,7 +557,9 @@ psa_status_t psa_destroy_key(psa_key_handle_t handle);
* \p data buffer.
* If the key size in \p attributes is nonzero,
* it must be equal to the size from \p data.
- * \param[out] handle On success, a handle to the newly created key.
+ * \param[out] key On success, an identifier to the newly created key.
+ * For persistent keys, this is the key identifier
+ * defined in \p attributes.
* \c 0 on failure.
* \param[in] data Buffer containing the key data. The content of this
* buffer is interpreted according to the type declared
@@ -678,7 +604,7 @@ psa_status_t psa_destroy_key(psa_key_handle_t handle);
psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
- psa_key_handle_t *handle);
+ psa_key_id_t *key);
@@ -739,7 +665,9 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
*
* The policy on the key must have the usage flag #PSA_KEY_USAGE_EXPORT set.
*
- * \param handle Handle to the key to export.
+ * \param key Identifier of the key to export. It must allow the
+ * usage #PSA_KEY_USAGE_EXPORT, unless it is a public
+ * key.
* \param[out] data Buffer where the key data is to be written.
* \param data_size Size of the \p data buffer in bytes.
* \param[out] data_length On success, the number of bytes
@@ -766,7 +694,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_export_key(psa_key_handle_t handle,
+psa_status_t psa_export_key(psa_key_id_t key,
uint8_t *data,
size_t data_size,
size_t *data_length);
@@ -809,7 +737,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
* Exporting a public key object or the public part of a key pair is
* always permitted, regardless of the key's usage flags.
*
- * \param handle Handle to the key to export.
+ * \param key Identifier of the key to export.
* \param[out] data Buffer where the key data is to be written.
* \param data_size Size of the \p data buffer in bytes.
* \param[out] data_length On success, the number of bytes
@@ -836,7 +764,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_export_public_key(psa_key_handle_t handle,
+psa_status_t psa_export_public_key(psa_key_id_t key,
uint8_t *data,
size_t data_size,
size_t *data_length);
@@ -1213,7 +1141,8 @@ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
* about the MAC value which could allow an attacker to guess
* a valid MAC and thereby bypass security controls.
*
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation. It
+ * must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
* \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
* such that #PSA_ALG_IS_MAC(\p alg) is true).
* \param[in] input Buffer containing the input message.
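Review bot: The usage flag added on the `\param key` line, `PSA_KEY_USAGE_SIGN_MESSAGE`, lacks the `#` Doxygen link prefix that the rest of this change uses (for example `#PSA_KEY_USAGE_ENCRYPT` in the cipher hunks), so it will render as plain text rather than a link; the same applies to the psa_mac_verify, psa_mac_sign_setup and psa_mac_verify_setup hunks below. Suggest `must allow the usage #PSA_KEY_USAGE_SIGN_MESSAGE.` (and `#PSA_KEY_USAGE_VERIFY_MESSAGE` in the verify variants).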
@@ -1228,7 +1157,7 @@ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a MAC algorithm.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
@@ -1244,7 +1173,7 @@ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_mac_compute(psa_key_handle_t handle,
+psa_status_t psa_mac_compute(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1254,7 +1183,8 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
/** Calculate the MAC of a message and compare it with a reference value.
*
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation. It
+ * must allow the usage PSA_KEY_USAGE_VERIFY_MESSAGE.
* \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
* such that #PSA_ALG_IS_MAC(\p alg) is true).
* \param[in] input Buffer containing the input message.
@@ -1270,7 +1200,7 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a MAC algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1284,7 +1214,7 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_mac_verify(psa_key_handle_t handle,
+psa_status_t psa_mac_verify(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1369,9 +1299,9 @@ static psa_mac_operation_t psa_mac_operation_init(void);
* \param[in,out] operation The operation object to set up. It must have
* been initialized as per the documentation for
* #psa_mac_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
- * It must remain valid until the operation
- * terminates.
+ * \param key Identifier of the key to use for the operation. It
+ * must remain valid until the operation terminates.
+ * It must allow the usage PSA_KEY_USAGE_SIGN_MESSAGE.
* \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
* such that #PSA_ALG_IS_MAC(\p alg) is true).
*
@@ -1380,7 +1310,7 @@ static psa_mac_operation_t psa_mac_operation_init(void);
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a MAC algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1397,7 +1327,7 @@ static psa_mac_operation_t psa_mac_operation_init(void);
* results in this error code.
*/
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg);
/** Set up a multipart MAC verification operation.
@@ -1431,9 +1361,10 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
* \param[in,out] operation The operation object to set up. It must have
* been initialized as per the documentation for
* #psa_mac_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
- * It must remain valid until the operation
- * terminates.
+ * \param key Identifier of the key to use for the operation. It
+ * must remain valid until the operation terminates.
+ * It must allow the usage
+ * PSA_KEY_USAGE_VERIFY_MESSAGE.
* \param alg The MAC algorithm to compute (\c PSA_ALG_XXX value
* such that #PSA_ALG_IS_MAC(\p alg) is true).
*
@@ -1459,7 +1390,7 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
* results in this error code.
*/
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg);
/** Add a message fragment to a multipart MAC operation.
@@ -1626,9 +1557,8 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
* vector). Use the multipart operation interface with a
* #psa_cipher_operation_t object to provide other forms of IV.
*
- * \param handle Handle to the key to use for the operation.
- * It must remain valid until the operation
- * terminates.
+ * \param key Identifier of the key to use for the operation.
+ * It must allow the usage #PSA_KEY_USAGE_ENCRYPT.
* \param alg The cipher algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
@@ -1646,7 +1576,7 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
@@ -1660,7 +1590,7 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation);
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1672,9 +1602,10 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
*
* This function decrypts a message encrypted with a symmetric cipher.
*
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation.
* It must remain valid until the operation
- * terminates.
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
* \param alg The cipher algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
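Review bot: The one-shot psa_cipher_decrypt keeps the sentence `It must remain valid until the operation terminates.` on its `\param key` entry, while the psa_cipher_encrypt hunk just above drops it and the one-shot psa_aead_encrypt and psa_aead_decrypt hunks further down do not carry it either. For a single call the sentence adds nothing and reads like the multipart lifetime requirement of the *_setup functions. Suggest `* \param key Identifier of the key to use for the operation.` followed by `* It must allow the usage #PSA_KEY_USAGE_DECRYPT.` so the one-shot and setup descriptions stay consistent.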
@@ -1692,7 +1623,7 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
@@ -1706,7 +1637,7 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1792,9 +1723,10 @@ static psa_cipher_operation_t psa_cipher_operation_init(void);
* \param[in,out] operation The operation object to set up. It must have
* been initialized as per the documentation for
* #psa_cipher_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation.
* It must remain valid until the operation
- * terminates.
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
* \param alg The cipher algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
@@ -1804,7 +1736,7 @@ static psa_cipher_operation_t psa_cipher_operation_init(void);
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1820,7 +1752,7 @@ static psa_cipher_operation_t psa_cipher_operation_init(void);
* results in this error code.
*/
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg);
/** Set the key for a multipart symmetric decryption operation.
@@ -1855,9 +1787,10 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
* \param[in,out] operation The operation object to set up. It must have
* been initialized as per the documentation for
* #psa_cipher_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation.
* It must remain valid until the operation
- * terminates.
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
* \param alg The cipher algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
@@ -1867,7 +1800,7 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -1883,7 +1816,7 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
* results in this error code.
*/
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg);
/** Generate an IV for a symmetric encryption operation.
@@ -2097,7 +2030,9 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
/** Process an authenticated encryption operation.
*
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the
+ * operation. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
* \param alg The AEAD algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@@ -2128,7 +2063,7 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
* \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2143,7 +2078,7 @@ psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation);
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -2157,7 +2092,9 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
/** Process an authenticated decryption operation.
*
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the
+ * operation. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
* \param alg The AEAD algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@@ -2188,7 +2125,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
* The ciphertext is not authentic.
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2203,7 +2140,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -2299,9 +2236,10 @@ static psa_aead_operation_t psa_aead_operation_init(void);
* \param[in,out] operation The operation object to set up. It must have
* been initialized as per the documentation for
* #psa_aead_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation.
* It must remain valid until the operation
- * terminates.
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
* \param alg The AEAD algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@@ -2310,10 +2248,10 @@ static psa_aead_operation_t psa_aead_operation_init(void);
* Success.
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive).
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2327,7 +2265,7 @@ static psa_aead_operation_t psa_aead_operation_init(void);
* results in this error code.
*/
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg);
/** Set the key for a multipart authenticated decryption operation.
@@ -2365,9 +2303,10 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
* \param[in,out] operation The operation object to set up. It must have
* been initialized as per the documentation for
* #psa_aead_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
+ * \param key Identifier of the key to use for the operation.
* It must remain valid until the operation
- * terminates.
+ * terminates. It must allow the usage
+ * #PSA_KEY_USAGE_DECRYPT.
* \param alg The AEAD algorithm to compute
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_AEAD(\p alg) is true).
@@ -2376,10 +2315,10 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
* Success.
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive).
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_INVALID_HANDLE
* \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
- * \p handle is not compatible with \p alg.
+ * \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2393,7 +2332,7 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
* results in this error code.
*/
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg);
/** Generate a random nonce for an authenticated encryption operation.
@@ -2419,7 +2358,7 @@ psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
* Success.
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active aead encrypt
- operation, with no nonce set).
+ * operation, with no nonce set).
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p nonce buffer is too small.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2851,10 +2790,11 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
* parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
* to determine the hash algorithm to use.
*
- * \param handle Handle to the key to use for the operation.
- * It must be an asymmetric key pair.
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
* \param alg A signature algorithm that is compatible with
- * the type of \p handle.
+ * the type of \p key.
* \param[in] hash The hash or message to sign.
* \param hash_length Size of the \p hash buffer in bytes.
* \param[out] signature Buffer where the signature is to be written.
@@ -2870,7 +2810,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
* determine a sufficient buffer size by calling
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p handle.
+ * respectively of \p key.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2884,7 +2824,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation);
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_sign_hash(psa_key_handle_t handle,
+psa_status_t psa_sign_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -2901,10 +2841,12 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
* parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
* to determine the hash algorithm to use.
*
- * \param handle Handle to the key to use for the operation.
- * It must be a public key or an asymmetric key pair.
+ * \param key Identifier of the key to use for the operation. It
+ * must be a public key or an asymmetric key pair. The
+ * key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
* \param alg A signature algorithm that is compatible with
- * the type of \p handle.
+ * the type of \p key.
* \param[in] hash The hash or message whose signature is to be
* verified.
* \param hash_length Size of the \p hash buffer in bytes.
@@ -2930,7 +2872,7 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_verify_hash(psa_key_handle_t handle,
+psa_status_t psa_verify_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -2940,11 +2882,12 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
/**
* \brief Encrypt a short message with a public key.
*
- * \param handle Handle to the key to use for the operation.
- * It must be a public key or an asymmetric
- * key pair.
+ * \param key Identifer of the key to use for the operation.
+ * It must be a public key or an asymmetric key
+ * pair. It must allow the usage
+ * #PSA_KEY_USAGE_ENCRYPT.
* \param alg An asymmetric encryption algorithm that is
- * compatible with the type of \p handle.
+ * compatible with the type of \p key.
* \param[in] input The message to encrypt.
* \param input_length Size of the \p input buffer in bytes.
* \param[in] salt A salt or label, if supported by the
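Review bot: The new parameter description at the top of this hunk misspells the word: `* \param key Identifer of the key to use for the operation.` should read `* \param key Identifier of the key to use for the operation.`, matching the wording used for psa_asymmetric_decrypt and psa_sign_hash elsewhere in this file. The rest of the hunk is a straight handle-to-key rename and needs nothing further.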
@@ -2973,7 +2916,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
* determine a sufficient buffer size by calling
* #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p handle.
+ * respectively of \p key.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -2987,7 +2930,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -3000,10 +2943,11 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
/**
* \brief Decrypt a short message with a private key.
*
- * \param handle Handle to the key to use for the operation.
- * It must be an asymmetric key pair.
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. It must
+ * allow the usage #PSA_KEY_USAGE_DECRYPT.
* \param alg An asymmetric encryption algorithm that is
- * compatible with the type of \p handle.
+ * compatible with the type of \p key.
* \param[in] input The message to decrypt.
* \param input_length Size of the \p input buffer in bytes.
* \param[in] salt A salt or label, if supported by the
@@ -3032,7 +2976,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
* determine a sufficient buffer size by calling
* #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p handle.
+ * respectively of \p key.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@@ -3047,7 +2991,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
-psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -3305,9 +3249,9 @@ psa_status_t psa_key_derivation_input_bytes(
* psa_key_derivation_setup() and must not
* have produced any output yet.
* \param step Which step the input data is for.
- * \param handle Handle to the key. It must have an
- * appropriate type for \p step and must
- * allow the usage #PSA_KEY_USAGE_DERIVE.
+ * \param key Identifier of the key. It must have an
+ * appropriate type for step and must allow the
+ * usage #PSA_KEY_USAGE_DERIVE.
*
* \retval #PSA_SUCCESS
* Success.
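Review bot: The rewritten description of `key` dropped the Doxygen reference on the parameter it points at: `appropriate type for step and must allow the` should keep `\p step`, as the removed lines did, so the cross-reference still renders and links. Suggested text: `* \param key Identifier of the key. It must have an` / `* appropriate type for \p step and must allow the` / `* usage #PSA_KEY_USAGE_DERIVE.`.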
@@ -3333,7 +3277,7 @@ psa_status_t psa_key_derivation_input_bytes(
psa_status_t psa_key_derivation_input_key(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t handle);
+ psa_key_id_t key);
/** Perform a key agreement and use the shared secret as input to a key
* derivation.
@@ -3358,7 +3302,8 @@ psa_status_t psa_key_derivation_input_key(
* The operation must be ready for an
* input of the type given by \p step.
* \param step Which step the input data is for.
- * \param private_key Handle to the private key to use.
+ * \param private_key Identifier of the private key to use. It must
+ * allow the usage #PSA_KEY_USAGE_DERIVE.
* \param[in] peer_key Public key of the peer. The peer key must be in the
* same format that psa_import_key() accepts for the
* public key type corresponding to the type of
@@ -3402,7 +3347,7 @@ psa_status_t psa_key_derivation_input_key(
psa_status_t psa_key_derivation_key_agreement(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length);
@@ -3546,7 +3491,9 @@ psa_status_t psa_key_derivation_output_bytes(
*
* \param[in] attributes The attributes for the new key.
* \param[in,out] operation The key derivation operation object to read from.
- * \param[out] handle On success, a handle to the newly created key.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
* \c 0 on failure.
*
* \retval #PSA_SUCCESS
@@ -3586,7 +3533,7 @@ psa_status_t psa_key_derivation_output_bytes(
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- psa_key_handle_t *handle);
+ psa_key_id_t *key);
/** Abort a key derivation operation.
*
@@ -3627,7 +3574,8 @@ psa_status_t psa_key_derivation_abort(
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_RAW_KEY_AGREEMENT(\p alg)
* is true).
- * \param private_key Handle to the private key to use.
+ * \param private_key Identifier of the private key to use. It must
+ * allow the usage #PSA_KEY_USAGE_DERIVE.
* \param[in] peer_key Public key of the peer. It must be
* in the same format that psa_import_key()
* accepts. The standard formats for public
@@ -3665,7 +3613,7 @@ psa_status_t psa_key_derivation_abort(
* results in this error code.
*/
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length,
uint8_t *output,
@@ -3721,7 +3669,9 @@ psa_status_t psa_generate_random(uint8_t *output,
* attributes.
*
* \param[in] attributes The attributes for the new key.
- * \param[out] handle On success, a handle to the newly created key.
+ * \param[out] key On success, an identifier for the newly created
+ * key. For persistent keys, this is the key
+ * identifier defined in \p attributes.
* \c 0 on failure.
*
* \retval #PSA_SUCCESS
@@ -3746,7 +3696,7 @@ psa_status_t psa_generate_random(uint8_t *output,
* results in this error code.
*/
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
- psa_key_handle_t *handle);
+ psa_key_id_t *key);
/**@}*/
diff --git a/interface/include/psa/crypto_client_struct.h b/interface/include/psa/crypto_client_struct.h
index 959f573b7b..98f7bfe678 100644
--- a/interface/include/psa/crypto_client_struct.h
+++ b/interface/include/psa/crypto_client_struct.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -32,7 +32,7 @@ extern "C" {
struct psa_client_key_attributes_s
{
uint32_t lifetime;
- uint32_t id;
+ psa_key_id_t id;
uint32_t alg;
uint32_t usage;
size_t bits;
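Review bot: `struct psa_client_key_attributes_s` is the attribute layout shared with the client side, so changing `id` from `uint32_t` to `psa_key_id_t` is layout-neutral only if `psa_key_id_t` is a 32-bit type; the definition of `psa_key_id_t` is not in this diff, so that cannot be confirmed here. If the IPC path marshals this struct by value, a width mismatch would silently shift `alg`, `usage` and `bits`. A one-line comment on the field, `psa_key_id_t id; /* must stay 32-bit: layout is shared with the client ABI */`, or a static assertion where the project already uses one, would make the dependency explicit.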
diff --git a/interface/include/psa/crypto_compat.h b/interface/include/psa/crypto_compat.h
index 26c205ac9b..8ca1f6a687 100644
--- a/interface/include/psa/crypto_compat.h
+++ b/interface/include/psa/crypto_compat.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -24,6 +24,25 @@
extern "C" {
#endif
+/*
+ * To support both openless APIs and psa_open_key() temporarily, define
+ * psa_key_handle_t to be equal to psa_key_id_t. Do not mark the
+ * type and its utility macros and functions deprecated yet. This will be done
+ * in a subsequent phase.
+ */
+typedef psa_key_id_t psa_key_handle_t;
+
+/** Check whether an handle is null.
+ *
+ * \param handle Handle
+ *
+ * \return Non-zero if the handle is null, zero otherwise.
+ */
+static inline int psa_key_handle_is_null(psa_key_handle_t handle)
+{
+ return(handle == 0);
+}
+
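Review bot: The docstring of psa_key_handle_is_null() reads `Check whether an handle is null.` and should read `Check whether a handle is null.`. Since `psa_key_handle_t` is now defined as `psa_key_id_t` on the line above it, the comment could also state that this is equivalent to testing for a null key identifier, so readers do not look for a separate handle namespace.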
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/*
@@ -42,6 +61,7 @@ typedef MBEDTLS_PSA_DEPRECATED psa_ecc_family_t mbedtls_deprecated_psa_ecc_famil
typedef MBEDTLS_PSA_DEPRECATED psa_dh_family_t mbedtls_deprecated_psa_dh_family_t;
typedef MBEDTLS_PSA_DEPRECATED psa_ecc_family_t psa_ecc_curve_t;
typedef MBEDTLS_PSA_DEPRECATED psa_dh_family_t psa_dh_group_t;
+typedef MBEDTLS_PSA_DEPRECATED psa_algorithm_t mbedtls_deprecated_psa_algorithm_t;
#define PSA_KEY_TYPE_GET_CURVE PSA_KEY_TYPE_ECC_GET_FAMILY
#define PSA_KEY_TYPE_GET_GROUP PSA_KEY_TYPE_DH_GET_FAMILY
@@ -97,7 +117,6 @@ MBEDTLS_PSA_DEPRECATED psa_status_t psa_asymmetric_verify( psa_key_handle_t key,
const uint8_t *signature,
size_t signature_length );
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
/*
* Size-specific elliptic curve families.
@@ -205,6 +224,117 @@ MBEDTLS_PSA_DEPRECATED psa_status_t psa_asymmetric_verify( psa_key_handle_t key,
#define PSA_DH_GROUP_CUSTOM \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_CUSTOM )
+/*
+ * Deprecated PSA Crypto stream cipher algorithms (PSA Crypto API <= 1.0 beta3)
+ */
+#define PSA_ALG_ARC4 \
+ MBEDTLS_DEPRECATED_CONSTANT(psa_algorithm_t, PSA_ALG_STREAM_CIPHER)
+#define PSA_ALG_CHACHA20 \
+ MBEDTLS_DEPRECATED_CONSTANT(psa_algorithm_t, PSA_ALG_STREAM_CIPHER)
+
+#endif /* MBEDTLS_DEPRECATED_REMOVED */
+
+/** Open a handle to an existing persistent key.
+ *
+ * Open a handle to a persistent key. A key is persistent if it was created
+ * with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
+ * always has a nonzero key identifier, set with psa_set_key_id() when
+ * creating the key. Implementations may provide additional pre-provisioned
+ * keys that can be opened with psa_open_key(). Such keys have an application
+ * key identifier in the vendor range, as documented in the description of
+ * #psa_key_id_t.
+ *
+ * The application must eventually close the handle with psa_close_key() or
+ * psa_destroy_key() to release associated resources. If the application dies
+ * without calling one of these functions, the implementation should perform
+ * the equivalent of a call to psa_close_key().
+ *
+ * Some implementations permit an application to open the same key multiple
+ * times. If this is successful, each call to psa_open_key() will return a
+ * different key handle.
+ *
+ * \note This API is not part of the PSA Cryptography API Release 1.0.0
+ * specification. It was defined in the 1.0 Beta 3 version of the
+ * specification but was removed in the 1.0.0 released version. This API is
+ * kept for the time being to not break applications relying on it. It is not
+ * deprecated yet but will be in the near future.
+ *
+ * \note Applications that rely on opening a key multiple times will not be
+ * portable to implementations that only permit a single key handle to be
+ * opened. See also :ref:\`key-handles\`.
+ *
+ *
+ * \param id The persistent identifier of the key.
+ * \param[out] key On success, a handle to the key.
+ *
+ * \retval #PSA_SUCCESS
+ * Success. The application can now use the value of `*handle`
+ * to access the key.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * The implementation does not have sufficient resources to open the
+ * key. This can be due to reaching an implementation limit on the
+ * number of open keys, the number of open key handles, or available
+ * memory.
+ * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * There is no persistent key with key identifier \p id.
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \p id is not a valid persistent key identifier.
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The specified key exists, but the application does not have the
+ * permission to access it. Note that this specification does not
+ * define any way to create such a key, but it may be possible
+ * through implementation-specific means.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_open_key(psa_key_id_t id,
+ psa_key_id_t *key);
+
+/** Close a key handle.
+ *
+ * If the handle designates a volatile key, this will destroy the key material
+ * and free all associated resources, just like psa_destroy_key().
+ *
+ * If this is the last open handle to a persistent key, then closing the handle
+ * will free all resources associated with the key in volatile memory. The key
+ * data in persistent storage is not affected and can be opened again later
+ * with a call to psa_open_key().
+ *
+ * Closing the key handle makes the handle invalid, and the key handle
+ * must not be used again by the application.
+ *
+ * \note This API is not part of the PSA Cryptography API Release 1.0.0
+ * specification. It was defined in the 1.0 Beta 3 version of the
+ * specification but was removed in the 1.0.0 released version. This API is
+ * kept for the time being to not break applications relying on it. It is not
+ * deprecated yet but will be in the near future.
+ *
+ * \note If the key handle was used to set up an active
+ * :ref:\`multipart operation <multipart-operations>\`, then closing the
+ * key handle can cause the multipart operation to fail. Applications should
+ * maintain the key handle until after the multipart operation has finished.
+ *
+ * \param key The key to close.
+ * If this is \c 0, do nothing and return \c PSA_SUCCESS.
+ *
+ * \retval #PSA_SUCCESS
+ * \p handle was a valid handle or \c 0. It is now closed.
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \p handle is not a valid handle nor \c 0.
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_close_key(psa_key_id_t key);
+
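Review bot: The new psa_open_key() and psa_close_key() documentation is internally inconsistent after the output parameter was renamed: psa_open_key() documents `\param[out] key` but its success text says "the value of `*handle`", and psa_close_key() documents `\param key` while its return values refer to `\p handle` twice; these should read `*key` and `\p key`. The paragraph saying that repeated psa_open_key() calls "will return a different key handle" also no longer fits this header, where `psa_key_handle_t` is an alias of `psa_key_id_t` and the output is typed `psa_key_id_t *`; unless the implementation allocates distinct handle values (not visible here), it should say the same identifier is returned on every open.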
#ifdef __cplusplus
}
#endif
diff --git a/interface/include/psa/crypto_sizes.h b/interface/include/psa/crypto_sizes.h
index cbdf59716a..4d13e412af 100644
--- a/interface/include/psa/crypto_sizes.h
+++ b/interface/include/psa/crypto_sizes.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -605,4 +605,94 @@
PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
0)
+/** The default nonce size for an AEAD algorithm, in bytes.
+ *
+ * This macro can be used to allocate a buffer of sufficient size to
+ * store the nonce output from #psa_aead_generate_nonce().
+ *
+ * See also #PSA_AEAD_NONCE_MAX_SIZE.
+ *
+ * \note This is not the maximum size of nonce supported as input to #psa_aead_set_nonce(),
+ * #psa_aead_encrypt() or #psa_aead_decrypt(), just the default size that is generated by
+ * #psa_aead_generate_nonce().
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm \p alg.
+ *
+ * \param alg An AEAD algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_AEAD(\p alg) is true).
+ *
+ * \return The default nonce size for the specified key type and algorithm.
+ * If the key type or AEAD algorithm is not recognized,
+ * or the parameters are incompatible, return 0.
+ * An implementation can return either 0 or a correct size for a key type
+ * and AEAD algorithm that it recognizes, but does not support.
+ */
+#define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
+ (PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type) == 16 && \
+ (PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH(alg) == PSA_ALG_CCM || \
+ PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH(alg) == PSA_ALG_GCM) ? 12 : \
+ (key_type) == PSA_KEY_TYPE_CHACHA20 && \
+ PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH(alg) == PSA_ALG_CHACHA20_POLY1305 ? 12 : \
+ 0)
+
+/** The maximum default nonce size among all supported pairs of key types and
+ * AEAD algorithms, in bytes.
+ *
+ * This is equal to or greater than any value that #PSA_AEAD_NONCE_LENGTH() may return.
+ *
+ * \note This is not the maximum size of nonce supported as input to #psa_aead_set_nonce(),
+ * #psa_aead_encrypt() or #psa_aead_decrypt(), just the largest size that may be generated by
+ * #psa_aead_generate_nonce().
+ */
+#define PSA_AEAD_NONCE_MAX_SIZE 12
+
+/** The default IV size for a cipher algorithm, in bytes.
+ *
+ * The IV that is generated as part of a call to #psa_cipher_encrypt() is always
+ * the default IV length for the algorithm.
+ *
+ * This macro can be used to allocate a buffer of sufficient size to
+ * store the IV output from #psa_cipher_generate_iv() when using
+ * a multi-part cipher operation.
+ *
+ * See also #PSA_CIPHER_IV_MAX_SIZE.
+ *
+ * \warning This macro may evaluate its arguments multiple times or
+ * zero times, so you should not pass arguments that contain
+ * side effects.
+ *
+ * \param key_type A symmetric key type that is compatible with algorithm \p alg.
+ *
+ * \param alg A cipher algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \return The default IV size for the specified key type and algorithm.
+ * If the algorithm does not use an IV, return 0.
+ * If the key type or cipher algorithm is not recognized,
+ * or the parameters are incompatible, return 0.
+ * An implementation can return either 0 or a correct size for a key type
+ * and cipher algorithm that it recognizes, but does not support.
+ */
+#define PSA_CIPHER_IV_LENGTH(key_type, alg) \
+ (PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type) > 1 && \
+ ((alg) == PSA_ALG_CTR || \
+ (alg) == PSA_ALG_CFB || \
+ (alg) == PSA_ALG_OFB || \
+ (alg) == PSA_ALG_XTS || \
+ (alg) == PSA_ALG_CBC_NO_PADDING || \
+ (alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type) : \
+ (key_type) == PSA_KEY_TYPE_CHACHA20 && \
+ (alg) == PSA_ALG_STREAM_CIPHER ? 12 : \
+ 0)
+
+/** The maximum IV size for all supported cipher algorithms, in bytes.
+ *
+ * See also #PSA_CIPHER_IV_LENGTH().
+ */
+#define PSA_CIPHER_IV_MAX_SIZE 16
+
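Review bot: `PSA_CIPHER_IV_MAX_SIZE` is fixed at 16 while `PSA_CIPHER_IV_LENGTH()` returns `PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type)` for the block modes, so the two stay consistent only as long as no supported key type has a block larger than 16 bytes; a buffer sized from the MAX constant would otherwise be too small for the IV that `PSA_CIPHER_IV_LENGTH()` promises for psa_cipher_generate_iv(). The same coupling exists between `PSA_AEAD_NONCE_MAX_SIZE` and `PSA_AEAD_NONCE_LENGTH()`. A comment on each MAX constant naming the assumption, e.g. `/* Must be >= every value PSA_CIPHER_IV_LENGTH() can return; revisit if a key type with a block size above 16 bytes is added. */`, would make the invariant explicit for whoever adds a vendor key type.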
#endif /* PSA_CRYPTO_SIZES_H */
diff --git a/interface/include/psa/crypto_struct.h b/interface/include/psa/crypto_struct.h
index ac08987ca0..e0ceb2f924 100644
--- a/interface/include/psa/crypto_struct.h
+++ b/interface/include/psa/crypto_struct.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -126,11 +126,19 @@ static inline struct psa_client_key_attributes_s psa_key_attributes_init( void )
}
static inline void psa_set_key_id(psa_key_attributes_t *attributes,
- psa_key_id_t id)
+ psa_key_id_t key)
{
- attributes->id = id;
- if( attributes->lifetime == PSA_KEY_LIFETIME_VOLATILE )
- attributes->lifetime = PSA_KEY_LIFETIME_PERSISTENT;
+ psa_key_lifetime_t lifetime = attributes->lifetime;
+
+ attributes->id = key;
+
+ if( PSA_KEY_LIFETIME_IS_VOLATILE(lifetime))
+ {
+ attributes->lifetime =
+ PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(
+ PSA_KEY_LIFETIME_PERSISTENT,
+ PSA_KEY_LIFETIME_GET_LOCATION(lifetime));
+ }
}
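Review bot: psa_set_key_id() has no comment explaining the lifetime rewrite it performs, and the new version is subtler than the old one: it promotes a volatile lifetime to persistent while preserving the location bits via `PSA_KEY_LIFETIME_GET_LOCATION(lifetime)`, whereas the old code overwrote the whole lifetime with `PSA_KEY_LIFETIME_PERSISTENT`. A short header comment would help, e.g. `/* Setting an identifier makes the key persistent; keep the storage location the caller may already have chosen. */`. No range check is done on `key` here, so an out-of-range identifier is presumably rejected only at key creation; worth stating in the same comment if that is the intended contract.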
static inline psa_key_id_t psa_get_key_id(
@@ -143,7 +151,7 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes,
psa_key_lifetime_t lifetime)
{
attributes->lifetime = lifetime;
- if( lifetime == PSA_KEY_LIFETIME_VOLATILE )
+ if(PSA_KEY_LIFETIME_IS_VOLATILE(lifetime))
{
attributes->id = 0;
}
diff --git a/interface/include/psa/crypto_types.h b/interface/include/psa/crypto_types.h
index 540e49aead..bf51a2fa4e 100644
--- a/interface/include/psa/crypto_types.h
+++ b/interface/include/psa/crypto_types.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -49,10 +49,6 @@ typedef int32_t psa_status_t;
* @{
*/
-/* Integral type representing a key handle. */
-typedef uint16_t psa_key_handle_t;
-
-
/** \brief Encoding of a key type.
*/
typedef uint16_t psa_key_type_t;
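Review bot: Removing `typedef uint16_t psa_key_handle_t;` here and re-introducing the name in crypto_compat.h as an alias of `psa_key_id_t` changes the width of a handle from 16 bits to whatever `psa_key_id_t` is; its definition is not in this diff. Any code that still stores a handle in a 16-bit field or packs one into an IPC message sized for `uint16_t` would truncate silently; the IPC API sources are part of this change set, which suggests this was handled, but it cannot be verified from this hunk. A note at the removal site, `/* psa_key_handle_t is now an alias of psa_key_id_t, see crypto_compat.h */`, would point readers at the new definition.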
@@ -328,7 +324,7 @@ typedef uint32_t psa_key_usage_t;
* -# Call a key creation function: psa_import_key(), psa_generate_key(),
* psa_key_derivation_output_key() or psa_copy_key(). This function reads
* the attribute structure, creates a key with these attributes, and
- * outputs a handle to the newly created key.
+ * outputs a key identifier to the newly created key.
* -# The attribute structure is now no longer necessary.
* You may call psa_reset_key_attributes(), although this is optional
* with the workflow presented here because the attributes currently
diff --git a/interface/include/psa/crypto_values.h b/interface/include/psa/crypto_values.h
index 75e30505d4..9cca6b24cf 100644
--- a/interface/include/psa/crypto_values.h
+++ b/interface/include/psa/crypto_values.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -100,7 +100,7 @@
* as applicable.
*
* Implementations shall not return this error code to indicate that a
- * key handle is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
+ * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
* instead. */
#define PSA_ERROR_BAD_STATE ((psa_status_t)-137)
@@ -110,7 +110,7 @@
* combination of parameters are recognized as invalid.
*
* Implementations shall not return this error code to indicate that a
- * key handle is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
+ * key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
* instead.
*/
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
@@ -258,7 +258,7 @@
* to read from a resource. */
#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
-/** The key handle is not valid. See also :ref:\`key-handles\`.
+/** The key identifier is not valid. See also :ref:\`key-handles\`.
*/
#define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
@@ -601,14 +601,14 @@
#define PSA_ALG_VENDOR_FLAG ((psa_algorithm_t)0x80000000)
#define PSA_ALG_CATEGORY_MASK ((psa_algorithm_t)0x7f000000)
-#define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x01000000)
-#define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x02000000)
+#define PSA_ALG_CATEGORY_HASH ((psa_algorithm_t)0x02000000)
+#define PSA_ALG_CATEGORY_MAC ((psa_algorithm_t)0x03000000)
#define PSA_ALG_CATEGORY_CIPHER ((psa_algorithm_t)0x04000000)
-#define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x06000000)
-#define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x10000000)
-#define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x12000000)
-#define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x20000000)
-#define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x30000000)
+#define PSA_ALG_CATEGORY_AEAD ((psa_algorithm_t)0x05000000)
+#define PSA_ALG_CATEGORY_SIGN ((psa_algorithm_t)0x06000000)
+#define PSA_ALG_CATEGORY_ASYMMETRIC_ENCRYPTION ((psa_algorithm_t)0x07000000)
+#define PSA_ALG_CATEGORY_KEY_DERIVATION ((psa_algorithm_t)0x08000000)
+#define PSA_ALG_CATEGORY_KEY_AGREEMENT ((psa_algorithm_t)0x09000000)
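Review bot: Renumbering `PSA_ALG_CATEGORY_*` (and with it every `PSA_ALG_*` value below) changes the binary encoding of `psa_algorithm_t`, which is not only a compile-time constant: it is part of the key policy stored with persistent keys and of the values exchanged over the NS/S IPC interface. A persistent key written by a build using the old encoding would, after this change, carry a policy that decodes to a different or invalid algorithm, so the storage format should be versioned or old records rejected rather than reinterpreted; whether the key storage layer already does this is not visible in this diff. At minimum a comment at the top of this table, `/* Encoding per PSA Crypto API 1.0.0; changing these values breaks stored key policies and the IPC ABI. */`, would warn against further ad hoc renumbering.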
/** Whether an algorithm is vendor-defined.
*
@@ -710,35 +710,35 @@
#define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
/** MD2 */
-#define PSA_ALG_MD2 ((psa_algorithm_t)0x01000001)
+#define PSA_ALG_MD2 ((psa_algorithm_t)0x02000001)
/** MD4 */
-#define PSA_ALG_MD4 ((psa_algorithm_t)0x01000002)
+#define PSA_ALG_MD4 ((psa_algorithm_t)0x02000002)
/** MD5 */
-#define PSA_ALG_MD5 ((psa_algorithm_t)0x01000003)
+#define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)
/** PSA_ALG_RIPEMD160 */
-#define PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x01000004)
+#define PSA_ALG_RIPEMD160 ((psa_algorithm_t)0x02000004)
/** SHA1 */
-#define PSA_ALG_SHA_1 ((psa_algorithm_t)0x01000005)
+#define PSA_ALG_SHA_1 ((psa_algorithm_t)0x02000005)
/** SHA2-224 */
-#define PSA_ALG_SHA_224 ((psa_algorithm_t)0x01000008)
+#define PSA_ALG_SHA_224 ((psa_algorithm_t)0x02000008)
/** SHA2-256 */
-#define PSA_ALG_SHA_256 ((psa_algorithm_t)0x01000009)
+#define PSA_ALG_SHA_256 ((psa_algorithm_t)0x02000009)
/** SHA2-384 */
-#define PSA_ALG_SHA_384 ((psa_algorithm_t)0x0100000a)
+#define PSA_ALG_SHA_384 ((psa_algorithm_t)0x0200000a)
/** SHA2-512 */
-#define PSA_ALG_SHA_512 ((psa_algorithm_t)0x0100000b)
+#define PSA_ALG_SHA_512 ((psa_algorithm_t)0x0200000b)
/** SHA2-512/224 */
-#define PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0100000c)
+#define PSA_ALG_SHA_512_224 ((psa_algorithm_t)0x0200000c)
/** SHA2-512/256 */
-#define PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0100000d)
+#define PSA_ALG_SHA_512_256 ((psa_algorithm_t)0x0200000d)
/** SHA3-224 */
-#define PSA_ALG_SHA3_224 ((psa_algorithm_t)0x01000010)
+#define PSA_ALG_SHA3_224 ((psa_algorithm_t)0x02000010)
/** SHA3-256 */
-#define PSA_ALG_SHA3_256 ((psa_algorithm_t)0x01000011)
+#define PSA_ALG_SHA3_256 ((psa_algorithm_t)0x02000011)
/** SHA3-384 */
-#define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x01000012)
+#define PSA_ALG_SHA3_384 ((psa_algorithm_t)0x02000012)
/** SHA3-512 */
-#define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x01000013)
+#define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x02000013)
/** In a hash-and-sign algorithm policy, allow any hash algorithm.
*
@@ -761,9 +761,9 @@
* an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
* call to sign or verify a message may use a different hash.
* ```
- * psa_sign_hash(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
- * psa_sign_hash(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
- * psa_sign_hash(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
+ * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
+ * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
+ * psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
* ```
*
* This value may not be used to build other algorithms that are
@@ -773,10 +773,10 @@
* This value may not be used to build an algorithm specification to
* perform an operation. It is only valid to build policies.
*/
-#define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x010000ff)
+#define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x020000ff)
#define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t)0x00c00000)
-#define PSA_ALG_HMAC_BASE ((psa_algorithm_t)0x02800000)
+#define PSA_ALG_HMAC_BASE ((psa_algorithm_t)0x03800000)
/** Macro to build an HMAC algorithm.
*
* For example, #PSA_ALG_HMAC(#PSA_ALG_SHA_256) is HMAC-SHA-256.
@@ -815,8 +815,8 @@
* reach up to 63; the largest MAC is 64 bytes so its trivial truncation
* to full length is correctly encoded as 0 and any non-trivial truncation
* is correctly encoded as a value between 1 and 63. */
-#define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t)0x00003f00)
-#define PSA_MAC_TRUNCATION_OFFSET 8
+#define PSA_ALG_MAC_TRUNCATION_MASK ((psa_algorithm_t)0x003f0000)
+#define PSA_MAC_TRUNCATION_OFFSET 16
/** Macro to build a truncated MAC algorithm.
*
@@ -884,15 +884,15 @@
#define PSA_MAC_TRUNCATED_LENGTH(mac_alg) \
(((mac_alg) & PSA_ALG_MAC_TRUNCATION_MASK) >> PSA_MAC_TRUNCATION_OFFSET)
-#define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x02c00000)
+#define PSA_ALG_CIPHER_MAC_BASE ((psa_algorithm_t)0x03c00000)
/** The CBC-MAC construction over a block cipher
*
* \warning CBC-MAC is insecure in many cases.
* A more secure mode, such as #PSA_ALG_CMAC, is recommended.
*/
-#define PSA_ALG_CBC_MAC ((psa_algorithm_t)0x02c00001)
+#define PSA_ALG_CBC_MAC ((psa_algorithm_t)0x03c00100)
/** The CMAC construction over a block cipher */
-#define PSA_ALG_CMAC ((psa_algorithm_t)0x02c00002)
+#define PSA_ALG_CMAC ((psa_algorithm_t)0x03c00200)
/** Whether the specified algorithm is a MAC algorithm based on a block cipher.
*
@@ -925,21 +925,13 @@
(((alg) & (PSA_ALG_CATEGORY_MASK | PSA_ALG_CIPHER_STREAM_FLAG)) == \
(PSA_ALG_CATEGORY_CIPHER | PSA_ALG_CIPHER_STREAM_FLAG))
-/** The ARC4 stream cipher algorithm.
- */
-#define PSA_ALG_ARC4 ((psa_algorithm_t)0x04800001)
-
-/** The ChaCha20 stream cipher.
- *
- * ChaCha20 is defined in RFC 7539.
- *
- * The nonce size for psa_cipher_set_iv() or psa_cipher_generate_iv()
- * must be 12.
- *
- * The initial block counter is always 0.
+/** The stream cipher mode of a stream cipher algorithm.
*
+ * The underlying stream cipher is determined by the key type.
+ * - To use ChaCha20, use a key type of #PSA_KEY_TYPE_CHACHA20.
+ * - To use ARC4, use a key type of #PSA_KEY_TYPE_ARC4.
*/
-#define PSA_ALG_CHACHA20 ((psa_algorithm_t)0x04800005)
+#define PSA_ALG_STREAM_CIPHER ((psa_algorithm_t)0x04800100)
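Review bot: The new `PSA_ALG_STREAM_CIPHER` documentation lists ARC4 as an underlying cipher without any caveat, while the removed `PSA_ALG_CHACHA20` text carried two requirements that are now gone: the nonce passed to psa_cipher_set_iv() or produced by psa_cipher_generate_iv() must be 12 bytes, and the initial block counter is always 0. The 12-byte rule is still the contract this change ships, since `PSA_CIPHER_IV_LENGTH()` in crypto_sizes.h returns 12 for `PSA_KEY_TYPE_CHACHA20` with this algorithm, so both statements should be restated under the ChaCha20 bullet. ARC4 is a broken cipher (RFC 7465 prohibits it in TLS), so its bullet deserves a `\warning` that it is provided for legacy interoperability only and must not be used in new designs, in the same style as the ECB and CBC-MAC warnings in this file.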
/** The CTR stream cipher mode.
*
@@ -948,19 +940,19 @@
* For example, to use AES-128-CTR, use this algorithm with
* a key of type #PSA_KEY_TYPE_AES and a length of 128 bits (16 bytes).
*/
-#define PSA_ALG_CTR ((psa_algorithm_t)0x04c00001)
+#define PSA_ALG_CTR ((psa_algorithm_t)0x04c01000)
/** The CFB stream cipher mode.
*
* The underlying block cipher is determined by the key type.
*/
-#define PSA_ALG_CFB ((psa_algorithm_t)0x04c00002)
+#define PSA_ALG_CFB ((psa_algorithm_t)0x04c01100)
/** The OFB stream cipher mode.
*
* The underlying block cipher is determined by the key type.
*/
-#define PSA_ALG_OFB ((psa_algorithm_t)0x04c00003)
+#define PSA_ALG_OFB ((psa_algorithm_t)0x04c01200)
/** The XTS cipher mode.
*
@@ -968,7 +960,27 @@
* least one full block of input, but beyond this minimum the input
* does not need to be a whole number of blocks.
*/
-#define PSA_ALG_XTS ((psa_algorithm_t)0x044000ff)
+#define PSA_ALG_XTS ((psa_algorithm_t)0x0440ff00)
+
+/** The Electronic Code Book (ECB) mode of a block cipher, with no padding.
+ *
+ * \warning ECB mode does not protect the confidentiality of the encrypted data
+ * except in extremely narrow circumstances. It is recommended that applications
+ * only use ECB if they need to construct an operating mode that the
+ * implementation does not provide. Implementations are encouraged to provide
+ * the modes that applications need in preference to supporting direct access
+ * to ECB.
+ *
+ * The underlying block cipher is determined by the key type.
+ *
+ * This symmetric cipher mode can only be used with messages whose lengths are a
+ * multiple of the block size of the chosen block cipher.
+ *
+ * ECB mode does not accept an initialization vector (IV). When using a
+ * multi-part cipher operation with this algorithm, psa_cipher_generate_iv()
+ * and psa_cipher_set_iv() must not be called.
+ */
+#define PSA_ALG_ECB_NO_PADDING ((psa_algorithm_t)0x04404400)
/** The CBC block cipher chaining mode, with no padding.
*
@@ -977,7 +989,7 @@
* This symmetric cipher mode can only be used with messages whose lengths
* are whole number of blocks for the chosen block cipher.
*/
-#define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04600100)
+#define PSA_ALG_CBC_NO_PADDING ((psa_algorithm_t)0x04404000)
/** The CBC block cipher chaining mode with PKCS#7 padding.
*
@@ -985,7 +997,7 @@
*
* This is the padding method defined by PKCS#7 (RFC 2315) &sect;10.3.
*/
-#define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04600101)
+#define PSA_ALG_CBC_PKCS7 ((psa_algorithm_t)0x04404100)
#define PSA_ALG_AEAD_FROM_BLOCK_FLAG ((psa_algorithm_t)0x00400000)
@@ -1006,13 +1018,13 @@
*
* The underlying block cipher is determined by the key type.
*/
-#define PSA_ALG_CCM ((psa_algorithm_t)0x06401001)
+#define PSA_ALG_CCM ((psa_algorithm_t)0x05500100)
/** The GCM authenticated encryption algorithm.
*
* The underlying block cipher is determined by the key type.
*/
-#define PSA_ALG_GCM ((psa_algorithm_t)0x06401002)
+#define PSA_ALG_GCM ((psa_algorithm_t)0x05500200)
/** The Chacha20-Poly1305 AEAD algorithm.
*
@@ -1023,14 +1035,14 @@
*
* Implementations must support 16-byte tags and should reject other sizes.
*/
-#define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x06001005)
+#define PSA_ALG_CHACHA20_POLY1305 ((psa_algorithm_t)0x05100500)
/* In the encoding of a AEAD algorithm, the bits corresponding to
* PSA_ALG_AEAD_TAG_LENGTH_MASK encode the length of the AEAD tag.
* The constants for default lengths follow this encoding.
*/
-#define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t)0x00003f00)
-#define PSA_AEAD_TAG_LENGTH_OFFSET 8
+#define PSA_ALG_AEAD_TAG_LENGTH_MASK ((psa_algorithm_t)0x003f0000)
+#define PSA_AEAD_TAG_LENGTH_OFFSET 16
/** Macro to build a shortened AEAD algorithm.
*
@@ -1074,7 +1086,7 @@
PSA_ALG_AEAD_WITH_TAG_LENGTH(ref, 0) ? \
ref :
-#define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x10020000)
+#define PSA_ALG_RSA_PKCS1V15_SIGN_BASE ((psa_algorithm_t)0x06000200)
/** RSA PKCS#1 v1.5 signature with hashing.
*
* This is the signature scheme defined by RFC 8017
@@ -1102,7 +1114,7 @@
#define PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
-#define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x10030000)
+#define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300)
/** RSA PSS signature with hashing.
*
* This is the signature scheme defined by RFC 8017
@@ -1126,7 +1138,7 @@
#define PSA_ALG_IS_RSA_PSS(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
-#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x10060000)
+#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)
/** ECDSA signature with hashing.
*
* This is the ECDSA signature scheme defined by ANSI X9.62,
@@ -1159,7 +1171,7 @@
* the curve size.
*/
#define PSA_ALG_ECDSA_ANY PSA_ALG_ECDSA_BASE
-#define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t)0x10070000)
+#define PSA_ALG_DETERMINISTIC_ECDSA_BASE ((psa_algorithm_t)0x06000700)
/** Deterministic ECDSA signature with hashing.
*
* This is the deterministic ECDSA signature scheme defined by RFC 6979.
@@ -1184,7 +1196,7 @@
*/
#define PSA_ALG_DETERMINISTIC_ECDSA(hash_alg) \
(PSA_ALG_DETERMINISTIC_ECDSA_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t)0x00010000)
+#define PSA_ALG_ECDSA_DETERMINISTIC_FLAG ((psa_algorithm_t)0x00000100)
#define PSA_ALG_IS_ECDSA(alg) \
(((alg) & ~PSA_ALG_HASH_MASK & ~PSA_ALG_ECDSA_DETERMINISTIC_FLAG) == \
PSA_ALG_ECDSA_BASE)
@@ -1238,9 +1250,9 @@
/** RSA PKCS#1 v1.5 encryption.
*/
-#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x12020000)
+#define PSA_ALG_RSA_PKCS1V15_CRYPT ((psa_algorithm_t)0x07000200)
-#define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t)0x12030000)
+#define PSA_ALG_RSA_OAEP_BASE ((psa_algorithm_t)0x07000300)
/** RSA OAEP encryption.
*
* This is the encryption scheme defined by RFC 8017
@@ -1264,7 +1276,7 @@
((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
0)
-#define PSA_ALG_HKDF_BASE ((psa_algorithm_t)0x20000100)
+#define PSA_ALG_HKDF_BASE ((psa_algorithm_t)0x08000100)
/** Macro to build an HKDF algorithm.
*
* For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256.
@@ -1303,7 +1315,7 @@
#define PSA_ALG_HKDF_GET_HASH(hkdf_alg) \
(PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t)0x20000200)
+#define PSA_ALG_TLS12_PRF_BASE ((psa_algorithm_t)0x08000200)
/** Macro to build a TLS-1.2 PRF algorithm.
*
* TLS 1.2 uses a custom pseudorandom function (PRF) for key schedule,
@@ -1346,7 +1358,7 @@
#define PSA_ALG_TLS12_PRF_GET_HASH(hkdf_alg) \
(PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t)0x20000300)
+#define PSA_ALG_TLS12_PSK_TO_MS_BASE ((psa_algorithm_t)0x08000300)
/** Macro to build a TLS-1.2 PSK-to-MasterSecret algorithm.
*
* In a pure-PSK handshake in TLS 1.2, the master secret is derived
@@ -1392,8 +1404,8 @@
#define PSA_ALG_TLS12_PSK_TO_MS_GET_HASH(hkdf_alg) \
(PSA_ALG_CATEGORY_HASH | ((hkdf_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0x0803ffff)
-#define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0x10fc0000)
+#define PSA_ALG_KEY_DERIVATION_MASK ((psa_algorithm_t)0xfe00ffff)
+#define PSA_ALG_KEY_AGREEMENT_MASK ((psa_algorithm_t)0xffff0000)
/** Macro to build a combined algorithm that chains a key agreement with
* a key derivation.
@@ -1424,7 +1436,7 @@
* a key derivation function.
* Usually, raw key agreement algorithms are constructed directly with
* a \c PSA_ALG_xxx macro while non-raw key agreement algorithms are
- * constructed with PSA_ALG_KEY_AGREEMENT().
+ * constructed with #PSA_ALG_KEY_AGREEMENT().
*
* \param alg An algorithm identifier (value of type #psa_algorithm_t).
*
@@ -1446,7 +1458,7 @@
* It is `ceiling(m / 8)` bytes long where `m` is the size of the prime `p`
* in bits.
*/
-#define PSA_ALG_FFDH ((psa_algorithm_t)0x30100000)
+#define PSA_ALG_FFDH ((psa_algorithm_t)0x09010000)
/** Whether the specified algorithm is a finite field Diffie-Hellman algorithm.
*
@@ -1488,7 +1500,7 @@
* in big-endian byte order.
* The bit size is `m` for the field `F_{2^m}`.
*/
-#define PSA_ALG_ECDH ((psa_algorithm_t)0x30200000)
+#define PSA_ALG_ECDH ((psa_algorithm_t)0x09020000)
/** Whether the specified algorithm is an elliptic curve Diffie-Hellman
* algorithm.
@@ -1533,7 +1545,7 @@
/** The default lifetime for volatile keys.
*
- * A volatile key only exists as long as the handle to it is not closed.
+ * A volatile key only exists as long as the identifier to it is not destroyed.
* The key material is guaranteed to be erased on a power reset.
*
* A key with this lifetime is typically stored in the RAM area of the
@@ -1704,7 +1716,7 @@
*
* For a key pair, this concerns the private key.
*/
-#define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00000400)
+#define PSA_KEY_USAGE_SIGN_HASH ((psa_key_usage_t)0x00001000)
/** Whether the key may be used to verify a message signature.
*
@@ -1714,11 +1726,11 @@
*
* For a key pair, this concerns the public key.
*/
-#define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00000800)
+#define PSA_KEY_USAGE_VERIFY_HASH ((psa_key_usage_t)0x00002000)
/** Whether the key may be used to derive other keys.
*/
-#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00001000)
+#define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)
/**@}*/
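Review bot: Nothing visible in this file's hunks now defines the key-usage bits 0x00000400 and 0x00000800 vacated by PSA_KEY_USAGE_SIGN_HASH and PSA_KEY_USAGE_VERIFY_HASH (the previous hunk moves SIGN_HASH to 0x00001000, this one moves VERIFY_HASH and DERIVE up likewise). If those bits are taken by flags introduced elsewhere in the commit — the PSA Crypto API 1.0 message sign/verify usage flags would be the obvious candidates — a one-line comment at this point saying so would stop a later contributor from reusing them: `/* 0x00000400 and 0x00000800 are reserved for the message sign/verify usage flags. */`, adjusted to whatever the commit actually assigns.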
diff --git a/interface/include/tfm_crypto_defs.h b/interface/include/tfm_crypto_defs.h
index 53c03ce022..b4c771f2df 100644
--- a/interface/include/tfm_crypto_defs.h
+++ b/interface/include/tfm_crypto_defs.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -38,7 +38,7 @@ struct tfm_crypto_pack_iovec {
* request
*/
uint16_t step; /*!< Key derivation step */
- psa_key_handle_t key_handle; /*!< Key handle */
+ psa_key_id_t key_id; /*!< Key id */
psa_algorithm_t alg; /*!< Algorithm */
uint32_t op_handle; /*!< Frontend context handle associated to a
* multipart operation
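Review bot: `struct tfm_crypto_pack_iovec` is the request header marshalled from the client to the crypto service (callers in this diff pass it as an invec with `len = sizeof(struct tfm_crypto_pack_iovec)`), so replacing `psa_key_handle_t key_handle` with `psa_key_id_t key_id` changes the wire layout and both the non-secure interface and the secure partition must be rebuilt from the same header. The field comment could say so: `psa_key_id_t key_id; /*!< Key id (part of the client/service ABI) */`. If the secure side is built with a key-id encoding that carries an owner, the owner must be attributed by the service from the caller's identity rather than taken from this client-supplied value; that is not visible here and is worth checking on the service side. The struct's start and end lie outside the hunk.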
@@ -64,6 +64,7 @@ enum {
TFM_CRYPTO_DESTROY_KEY_SID,
TFM_CRYPTO_EXPORT_KEY_SID,
TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID,
+ TFM_CRYPTO_PURGE_KEY_SID,
TFM_CRYPTO_COPY_KEY_SID,
TFM_CRYPTO_HASH_COMPUTE_SID,
TFM_CRYPTO_HASH_COMPARE_SID,
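Review bot: TFM_CRYPTO_PURGE_KEY_SID is inserted in the middle of the SID enum, which renumbers TFM_CRYPTO_COPY_KEY_SID and every later entry; since the service dispatches on these values, a client and a service built from different revisions of this header would invoke the wrong operation. Appending the new SID at the end of the enum keeps the existing values stable; if the alphabetical-by-group order is intentional, a comment on the enum noting that both sides must be rebuilt together is the minimum. The enum's start and end lie outside the hunk.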
diff --git a/interface/src/tfm_crypto_func_api.c b/interface/src/tfm_crypto_func_api.c
index 6ddbb6bc96..dd6a90a9ff 100644
--- a/interface/src/tfm_crypto_func_api.c
+++ b/interface/src/tfm_crypto_func_api.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -31,7 +31,7 @@ psa_status_t psa_crypto_init(void)
}
psa_status_t psa_open_key(psa_key_id_t id,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
const struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_OPEN_KEY_SID,
@@ -41,18 +41,18 @@ psa_status_t psa_open_key(psa_key_id_t id,
{.base = &id, .len = sizeof(psa_key_id_t)},
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
+ {.base = key, .len = sizeof(psa_key_id_t)},
};
return API_DISPATCH(tfm_crypto_open_key,
TFM_CRYPTO_OPEN_KEY);
}
-psa_status_t psa_close_key(psa_key_handle_t handle)
+psa_status_t psa_close_key(psa_key_id_t key)
{
const struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CLOSE_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -65,7 +65,7 @@ psa_status_t psa_close_key(psa_key_handle_t handle)
psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
@@ -77,7 +77,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
{.base = data, .len = data_length}
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)}
+ {.base = key, .len = sizeof(psa_key_id_t)}
};
status = API_DISPATCH(tfm_crypto_import_key,
@@ -86,12 +86,12 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
return status;
}
-psa_status_t psa_destroy_key(psa_key_handle_t handle)
+psa_status_t psa_destroy_key(psa_key_id_t key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_DESTROY_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -103,13 +103,13 @@ psa_status_t psa_destroy_key(psa_key_handle_t handle)
return status;
}
-psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
+psa_status_t psa_get_key_attributes(psa_key_id_t key,
psa_key_attributes_t *attributes)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -140,7 +140,7 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes)
return;
}
-psa_status_t psa_export_key(psa_key_handle_t handle,
+psa_status_t psa_export_key(psa_key_id_t key,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -148,7 +148,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -165,7 +165,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_export_public_key(psa_key_handle_t handle,
+psa_status_t psa_export_public_key(psa_key_id_t key,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -173,7 +173,7 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
@@ -191,14 +191,30 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_copy_key(psa_key_handle_t source_handle,
+psa_status_t psa_purge_key(psa_key_id_t key)
+{
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_PURGE_KEY_SID,
+ .key_id = key,
+ };
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_purge_key,
+ TFM_CRYPTO_PURGE_KEY);
+ return status;
+}
+
+psa_status_t psa_copy_key(psa_key_id_t source_key,
const psa_key_attributes_t *attributes,
- psa_key_handle_t *target_handle)
+ psa_key_id_t *target_key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_COPY_KEY_SID,
- .key_handle = source_handle,
+ .key_id = source_key,
};
psa_invec in_vec[] = {
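Review bot: The new `psa_purge_key` has no documentation, and this file now exposes three key-release entry points (`psa_close_key` in an earlier hunk, `psa_destroy_key`, and `psa_purge_key`) whose names alone do not tell a caller which one erases key material and which only drops an in-memory copy. A header comment along the lines of `/* Release the in-memory copy of a persistent key; the material in storage is untouched. */`, adjusted to match the service-side tfm_crypto_purge_key (not visible here), would make the distinction explicit. The local `status` is assigned and immediately returned; `return API_DISPATCH_NO_OUTVEC(...)` matches how psa_open_key returns directly in this file, though the neighbouring functions use the `status` form, so either is defensible. The same function is added to tfm_crypto_ipc_api.c later in this diff with the same gap.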
@@ -207,7 +223,7 @@ psa_status_t psa_copy_key(psa_key_handle_t source_handle,
};
psa_outvec out_vec[] = {
- {.base = target_handle, .len = sizeof(psa_key_handle_t)},
+ {.base = target_key, .len = sizeof(psa_key_id_t)},
};
status = API_DISPATCH(tfm_crypto_copy_key,
@@ -268,13 +284,13 @@ psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
}
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -293,13 +309,13 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
}
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -595,13 +611,13 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
}
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -620,13 +636,13 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
}
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -740,7 +756,7 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
return status;
}
-psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -755,7 +771,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -793,7 +809,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -808,7 +824,7 @@ psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -846,7 +862,7 @@ psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_sign(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -854,11 +870,11 @@ psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
size_t signature_size,
size_t *signature_length)
{
- return psa_sign_hash(handle, alg, hash, hash_length, signature,
+ return psa_sign_hash(key, alg, hash, hash_length, signature,
signature_size, signature_length);
}
-psa_status_t psa_sign_hash(psa_key_handle_t handle,
+psa_status_t psa_sign_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -869,7 +885,7 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_SIGN_HASH_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
};
@@ -889,18 +905,18 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_verify(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_verify(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
const uint8_t *signature,
size_t signature_length)
{
- return psa_verify_hash(handle, alg, hash, hash_length,
+ return psa_verify_hash(key, alg, hash, hash_length,
signature, signature_length);
}
-psa_status_t psa_verify_hash(psa_key_handle_t handle,
+psa_status_t psa_verify_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -910,7 +926,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_VERIFY_HASH_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg
};
@@ -926,7 +942,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -939,7 +955,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg
};
@@ -966,7 +982,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -979,7 +995,7 @@ psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg
};
@@ -1058,12 +1074,12 @@ psa_status_t psa_key_derivation_output_bytes(
psa_status_t psa_key_derivation_input_key(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t handle)
+ psa_key_id_t key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
.step = step,
.op_handle = operation->handle,
};
@@ -1103,14 +1119,14 @@ psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
psa_status_t psa_key_derivation_key_agreement(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID,
- .key_handle = private_key,
+ .key_id = private_key,
.step = step,
.op_handle = operation->handle,
};
@@ -1153,7 +1169,7 @@ psa_status_t psa_generate_random(uint8_t *output,
}
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
@@ -1166,7 +1182,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
+ {.base = key, .len = sizeof(psa_key_id_t)},
};
status = API_DISPATCH(tfm_crypto_generate_key,
@@ -1249,7 +1265,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
return status;
}
-psa_status_t psa_mac_compute(psa_key_handle_t handle,
+psa_status_t psa_mac_compute(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1264,7 +1280,7 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_mac_verify(psa_key_handle_t handle,
+psa_status_t psa_mac_verify(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1278,7 +1294,7 @@ psa_status_t psa_mac_verify(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1293,7 +1309,7 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1309,7 +1325,7 @@ psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
}
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length,
uint8_t *output,
@@ -1320,7 +1336,7 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID,
.alg = alg,
- .key_handle = private_key
+ .key_id = private_key
};
psa_invec in_vec[] = {
@@ -1408,7 +1424,7 @@ psa_status_t psa_key_derivation_input_bytes(
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
@@ -1422,7 +1438,7 @@ psa_status_t psa_key_derivation_output_key(
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)}
+ {.base = key, .len = sizeof(psa_key_id_t)}
};
status = API_DISPATCH(tfm_crypto_key_derivation_output_key,
@@ -1431,7 +1447,7 @@ psa_status_t psa_key_derivation_output_key(
}
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
@@ -1442,7 +1458,7 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
}
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
diff --git a/interface/src/tfm_crypto_ipc_api.c b/interface/src/tfm_crypto_ipc_api.c
index 166e051e9a..a89dd2b9ca 100644
--- a/interface/src/tfm_crypto_ipc_api.c
+++ b/interface/src/tfm_crypto_ipc_api.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -41,7 +41,7 @@ psa_status_t psa_crypto_init(void)
}
psa_status_t psa_open_key(psa_key_id_t id,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
const struct tfm_crypto_pack_iovec iov = {
@@ -52,7 +52,7 @@ psa_status_t psa_open_key(psa_key_id_t id,
{.base = &id, .len = sizeof(psa_key_id_t)},
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
+ {.base = key, .len = sizeof(psa_key_id_t)},
};
PSA_CONNECT(TFM_CRYPTO);
@@ -65,12 +65,12 @@ psa_status_t psa_open_key(psa_key_id_t id,
return status;
}
-psa_status_t psa_close_key(psa_key_handle_t handle)
+psa_status_t psa_close_key(psa_key_id_t key)
{
psa_status_t status;
const struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CLOSE_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -89,7 +89,7 @@ psa_status_t psa_close_key(psa_key_handle_t handle)
psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
@@ -101,7 +101,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
{.base = data, .len = data_length}
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)}
+ {.base = key, .len = sizeof(psa_key_id_t)}
};
PSA_CONNECT(TFM_CRYPTO);
@@ -113,12 +113,12 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
return status;
}
-psa_status_t psa_destroy_key(psa_key_handle_t handle)
+psa_status_t psa_destroy_key(psa_key_id_t key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_DESTROY_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -133,13 +133,13 @@ psa_status_t psa_destroy_key(psa_key_handle_t handle)
return status;
}
-psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
+psa_status_t psa_get_key_attributes(psa_key_id_t key,
psa_key_attributes_t *attributes)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -182,7 +182,7 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes)
return;
}
-psa_status_t psa_export_key(psa_key_handle_t handle,
+psa_status_t psa_export_key(psa_key_id_t key,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -190,7 +190,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -211,7 +211,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_export_public_key(psa_key_handle_t handle,
+psa_status_t psa_export_public_key(psa_key_id_t key,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -219,7 +219,7 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
};
psa_invec in_vec[] = {
@@ -241,14 +241,35 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_copy_key(psa_key_handle_t source_handle,
+psa_status_t psa_purge_key(psa_key_id_t key)
+{
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_PURGE_KEY_SID,
+ .key_id = key,
+ };
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+
+ PSA_CONNECT(TFM_CRYPTO);
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_purge_key,
+ TFM_CRYPTO_PURGE_KEY);
+
+ PSA_CLOSE();
+
+ return status;
+}
+
+psa_status_t psa_copy_key(psa_key_id_t source_key,
const psa_key_attributes_t *attributes,
- psa_key_handle_t *target_handle)
+ psa_key_id_t *target_key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_COPY_KEY_SID,
- .key_handle = source_handle,
+ .key_id = source_key,
};
psa_invec in_vec[] = {
@@ -258,7 +279,7 @@ psa_status_t psa_copy_key(psa_key_handle_t source_handle,
};
psa_outvec out_vec[] = {
- {.base = target_handle, .len = sizeof(psa_key_handle_t)},
+ {.base = target_key, .len = sizeof(psa_key_id_t)},
};
PSA_CONNECT(TFM_CRYPTO);
@@ -331,13 +352,13 @@ psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
}
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -360,13 +381,13 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
}
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -710,13 +731,13 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
}
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -739,13 +760,13 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
}
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.op_handle = operation->handle,
};
@@ -879,7 +900,7 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
return status;
}
-psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -894,7 +915,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -940,7 +961,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -955,7 +976,7 @@ psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -1001,7 +1022,7 @@ psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_sign(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -1009,10 +1030,10 @@ psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
size_t signature_size,
size_t *signature_length)
{
- return psa_sign_hash(handle, alg, hash, hash_length, signature, signature_size, signature_length);
+ return psa_sign_hash(key, alg, hash, hash_length, signature, signature_size, signature_length);
}
-psa_status_t psa_sign_hash(psa_key_handle_t handle,
+psa_status_t psa_sign_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -1023,7 +1044,7 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_SIGN_HASH_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg,
};
@@ -1047,17 +1068,17 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_verify(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_verify(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
const uint8_t *signature,
size_t signature_length)
{
- return psa_verify_hash(handle, alg, hash, hash_length, signature, signature_length);
+ return psa_verify_hash(key, alg, hash, hash_length, signature, signature_length);
}
-psa_status_t psa_verify_hash(psa_key_handle_t handle,
+psa_status_t psa_verify_hash(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -1067,7 +1088,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_VERIFY_HASH_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg
};
@@ -1087,7 +1108,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1100,7 +1121,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg
};
@@ -1135,7 +1156,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1148,7 +1169,7 @@ psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID,
- .key_handle = handle,
+ .key_id = key,
.alg = alg
};
@@ -1243,12 +1264,12 @@ psa_status_t psa_key_derivation_output_bytes(
psa_status_t psa_key_derivation_input_key(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t handle)
+ psa_key_id_t key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID,
- .key_handle = handle,
+ .key_id = key,
.step = step,
.op_handle = operation->handle,
};
@@ -1297,14 +1318,14 @@ psa_status_t psa_key_derivation_abort(
psa_status_t psa_key_derivation_key_agreement(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID,
- .key_handle = private_key,
+ .key_id = private_key,
.step = step,
.op_handle = operation->handle,
};
@@ -1355,7 +1376,7 @@ psa_status_t psa_generate_random(uint8_t *output,
}
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
@@ -1368,7 +1389,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
+ {.base = key, .len = sizeof(psa_key_id_t)},
};
PSA_CONNECT(TFM_CRYPTO);
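Review bot: `{.base = key, .len = sizeof(psa_key_id_t)}` changes the number of bytes the client expects the service to write back, so the partition side must write exactly one `psa_key_id_t` into this outvec or the returned identifier is truncated or the call rejected on the length check; the matching service change is in crypto_key.c per the diffstat but is not visible here. The same outvec change appears in psa_key_derivation_output_key (L2652) and should be checked together with this one. The `key` output pointer is still passed through unchecked, so a client-side guard such as `if (key == NULL) return PSA_ERROR_INVALID_ARGUMENT;` before building out_vec would fail fast instead of handing a NULL outvec to the service. psa_generate_key's body continues outside the hunk.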
@@ -1454,7 +1475,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
return status;
}
-psa_status_t psa_mac_compute(psa_key_handle_t handle,
+psa_status_t psa_mac_compute(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1469,7 +1490,7 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_mac_verify(psa_key_handle_t handle,
+psa_status_t psa_mac_verify(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1483,7 +1504,7 @@ psa_status_t psa_mac_verify(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_encrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1498,7 +1519,7 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_decrypt(psa_key_id_t key,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1514,7 +1535,7 @@ psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
}
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length,
uint8_t *output,
@@ -1525,7 +1546,7 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID,
.alg = alg,
- .key_handle = private_key
+ .key_id = private_key
};
psa_invec in_vec[] = {
@@ -1629,7 +1650,7 @@ psa_status_t psa_key_derivation_input_bytes(
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- psa_key_handle_t *handle)
+ psa_key_id_t *key)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
@@ -1643,7 +1664,7 @@ psa_status_t psa_key_derivation_output_key(
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)}
+ {.base = key, .len = sizeof(psa_key_id_t)}
};
PSA_CONNECT(TFM_CRYPTO);
@@ -1656,7 +1677,7 @@ psa_status_t psa_key_derivation_output_key(
}
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
@@ -1667,7 +1688,7 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
}
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key,
psa_algorithm_t alg)
{
psa_status_t status;
diff --git a/lib/ext/mbedcrypto/0004-BUILD-Update-IAR-support-in-CMakeLists.txt.patch b/lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch
index 47c6448c9a..47c6448c9a 100644
--- a/lib/ext/mbedcrypto/0004-BUILD-Update-IAR-support-in-CMakeLists.txt.patch
+++ b/lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch
diff --git a/lib/ext/mbedcrypto/0001-Build-Add-MBEDTLS_TARGET_PREFIX.patch b/lib/ext/mbedcrypto/0001-Build-Add-MBEDTLS_TARGET_PREFIX.patch
deleted file mode 100644
index f19479c2a5..0000000000
--- a/lib/ext/mbedcrypto/0001-Build-Add-MBEDTLS_TARGET_PREFIX.patch
+++ /dev/null
@@ -1,350 +0,0 @@
-From 995c66f702db3a004be1e3d822ffad64b2ad125f Mon Sep 17 00:00:00 2001
-From: Raef Coles <raef.coles@arm.com>
-Date: Tue, 13 Oct 2020 16:30:41 +0100
-Subject: [PATCH 1/2] Build: Add MBEDTLS_TARGET_PREFIX
-
-Allows required targets to have prefixes added to them, so that external
-projects can avoid target names clashing.
-
-Signed-off-by: Raef Coles <raef.coles@arm.com>
----
- CMakeLists.txt | 6 +-
- .../add_MBEDTLS_TARGET_PREFIX_to_cmake.txt | 6 ++
- library/CMakeLists.txt | 55 ++++++++++++-------
- programs/aes/CMakeLists.txt | 2 +-
- programs/fuzz/CMakeLists.txt | 2 +-
- programs/hash/CMakeLists.txt | 2 +-
- programs/pkey/CMakeLists.txt | 4 +-
- programs/psa/CMakeLists.txt | 2 +-
- programs/random/CMakeLists.txt | 2 +-
- programs/ssl/CMakeLists.txt | 2 +-
- programs/test/CMakeLists.txt | 4 +-
- programs/test/cmake_subproject/CMakeLists.txt | 12 ++--
- programs/util/CMakeLists.txt | 2 +-
- programs/x509/CMakeLists.txt | 4 +-
- tests/CMakeLists.txt | 4 +-
- 15 files changed, 69 insertions(+), 40 deletions(-)
- create mode 100644 ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 5af4c8124..e4f318b3c 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -14,6 +14,10 @@
- # CMake files. It is related to ZLIB support which is planned to be removed.
- # When the support is removed, the associated include_directories command
- # will be removed as well as this note.
-+# - MBEDTLS_TARGET_PREFIX: CMake targets are designed to be alterable by calling
-+# CMake in order to avoid target name clashes, via the use of
-+# MBEDTLS_TARGET_PREFIX. The value of this variable is prefixed to the
-+# mbedtls, mbedx509, mbedcrypto and apidoc targets.
- #
-
- cmake_minimum_required(VERSION 2.6)
-@@ -273,7 +277,7 @@ if(ENABLE_PROGRAMS)
- add_subdirectory(programs)
- endif()
-
--ADD_CUSTOM_TARGET(apidoc
-+ADD_CUSTOM_TARGET(${MBEDTLS_TARGET_PREFIX}apidoc
- COMMAND doxygen mbedtls.doxyfile
- WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/doxygen)
-
-diff --git a/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt b/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt
-new file mode 100644
-index 000000000..533f309ab
---- /dev/null
-+++ b/ChangeLog.d/add_MBEDTLS_TARGET_PREFIX_to_cmake.txt
-@@ -0,0 +1,6 @@
-+Features
-+ * Add MBEDTLS_TARGET_PREFIX CMake variable, which is prefixed to the mbedtls,
-+ mbedcrypto, mbedx509 and apidoc CMake target names. This can be used by
-+ external CMake projects that include this one to avoid CMake target name
-+ clashes. The default value of this variable is "", so default target names
-+ are unchanged.
-diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
-index 4444b984e..f0315f721 100644
---- a/library/CMakeLists.txt
-+++ b/library/CMakeLists.txt
-@@ -150,18 +150,31 @@ if (NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
- message(FATAL_ERROR "Need to choose static or shared mbedtls build!")
- endif(NOT USE_STATIC_MBEDTLS_LIBRARY AND NOT USE_SHARED_MBEDTLS_LIBRARY)
-
--set(target_libraries "mbedcrypto" "mbedx509" "mbedtls")
-+set(mbedtls_target "${MBEDTLS_TARGET_PREFIX}mbedtls")
-+set(mbedx509_target "${MBEDTLS_TARGET_PREFIX}mbedx509")
-+set(mbedcrypto_target "${MBEDTLS_TARGET_PREFIX}mbedcrypto")
-+
-+set(mbedtls_target ${mbedtls_target} PARENT_SCOPE)
-+set(mbedx509_target ${mbedx509_target} PARENT_SCOPE)
-+set(mbedcrypto_target ${mbedcrypto_target} PARENT_SCOPE)
-+
-+if (USE_STATIC_MBEDTLS_LIBRARY)
-+ set(mbedtls_static_target ${mbedtls_target})
-+ set(mbedx509_static_target ${mbedx509_target})
-+ set(mbedcrypto_static_target ${mbedcrypto_target})
-+endif()
-+
-+set(target_libraries ${mbedcrypto_target} ${mbedx509_target} ${mbedtls_target})
-
- if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
-- set(mbedtls_static_target "mbedtls_static")
-- set(mbedx509_static_target "mbedx509_static")
-- set(mbedcrypto_static_target "mbedcrypto_static")
-+ string(APPEND mbedtls_static_target "_static")
-+ string(APPEND mbedx509_static_target "_static")
-+ string(APPEND mbedcrypto_static_target "_static")
-+
- list(APPEND target_libraries
-- "mbedcrypto_static" "mbedx509_static" "mbedtls_static")
--elseif(USE_STATIC_MBEDTLS_LIBRARY)
-- set(mbedtls_static_target "mbedtls")
-- set(mbedx509_static_target "mbedx509")
-- set(mbedcrypto_static_target "mbedcrypto")
-+ ${mbedcrypto_static_target}
-+ ${mbedx509_static_target}
-+ ${mbedtls_static_target})
- endif()
-
- if(USE_STATIC_MBEDTLS_LIBRARY)
-@@ -179,17 +192,17 @@ if(USE_STATIC_MBEDTLS_LIBRARY)
- endif(USE_STATIC_MBEDTLS_LIBRARY)
-
- if(USE_SHARED_MBEDTLS_LIBRARY)
-- add_library(mbedcrypto SHARED ${src_crypto})
-- set_target_properties(mbedcrypto PROPERTIES VERSION 2.24.0 SOVERSION 5)
-- target_link_libraries(mbedcrypto ${libs})
-+ add_library(${mbedcrypto_target} SHARED ${src_crypto})
-+ set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.24.0 SOVERSION 5)
-+ target_link_libraries(${mbedcrypto_target} ${libs})
-
-- add_library(mbedx509 SHARED ${src_x509})
-- set_target_properties(mbedx509 PROPERTIES VERSION 2.24.0 SOVERSION 1)
-- target_link_libraries(mbedx509 ${libs} mbedcrypto)
-+ add_library(${mbedx509_target} SHARED ${src_x509})
-+ set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.24.0 SOVERSION 1)
-+ target_link_libraries(${mbedx509_target} ${libs} ${mbedcrypto_target})
-
-- add_library(mbedtls SHARED ${src_tls})
-- set_target_properties(mbedtls PROPERTIES VERSION 2.24.0 SOVERSION 13)
-- target_link_libraries(mbedtls ${libs} mbedx509)
-+ add_library(${mbedtls_target} SHARED ${src_tls})
-+ set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.24.0 SOVERSION 13)
-+ target_link_libraries(${mbedtls_target} ${libs} ${mbedx509_target})
- endif(USE_SHARED_MBEDTLS_LIBRARY)
-
- foreach(target IN LISTS target_libraries)
-@@ -210,7 +223,9 @@ foreach(target IN LISTS target_libraries)
- PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ)
- endforeach(target)
-
--add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls)
-+set(lib_target "${MBEDTLS_TARGET_PREFIX}lib")
-+
-+add_custom_target(${lib_target} DEPENDS ${mbedcrypto_target} ${mbedx509_target} ${mbedtls_target})
- if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY)
-- add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static)
-+ add_dependencies(${lib_target} ${mbedcrypto_static_target} ${mbedx509_static_target} ${mbedtls_static_target})
- endif()
-diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt
-index 2309789a6..6b8ce2ab4 100644
---- a/programs/aes/CMakeLists.txt
-+++ b/programs/aes/CMakeLists.txt
-@@ -5,7 +5,7 @@ set(executables
-
- foreach(exe IN LISTS executables)
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-- target_link_libraries(${exe} mbedcrypto)
-+ target_link_libraries(${exe} ${mbedcrypto_target})
- endforeach()
-
- install(TARGETS ${executables}
-diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
-index e2b0eace2..35512c79a 100644
---- a/programs/fuzz/CMakeLists.txt
-+++ b/programs/fuzz/CMakeLists.txt
-@@ -1,5 +1,5 @@
- set(libs
-- mbedtls
-+ ${mbedtls_target}
- )
-
- if(USE_PKCS11_HELPER_LIBRARY)
-diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt
-index ae294798b..b2f2a1f5c 100644
---- a/programs/hash/CMakeLists.txt
-+++ b/programs/hash/CMakeLists.txt
-@@ -5,7 +5,7 @@ set(executables
-
- foreach(exe IN LISTS executables)
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-- target_link_libraries(${exe} mbedcrypto)
-+ target_link_libraries(${exe} ${mbedcrypto_target})
- endforeach()
-
- install(TARGETS ${executables}
-diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt
-index b4b3d3042..9c6fe7d49 100644
---- a/programs/pkey/CMakeLists.txt
-+++ b/programs/pkey/CMakeLists.txt
-@@ -5,7 +5,7 @@ set(executables_mbedtls
-
- foreach(exe IN LISTS executables_mbedtls)
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-- target_link_libraries(${exe} mbedtls)
-+ target_link_libraries(${exe} ${mbedtls_target})
- endforeach()
-
- set(executables_mbedcrypto
-@@ -31,7 +31,7 @@ set(executables_mbedcrypto
-
- foreach(exe IN LISTS executables_mbedcrypto)
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-- target_link_libraries(${exe} mbedcrypto)
-+ target_link_libraries(${exe} ${mbedcrypto_target})
- endforeach()
-
- install(TARGETS ${executables_mbedtls} ${executables_mbedcrypto}
-diff --git a/programs/psa/CMakeLists.txt b/programs/psa/CMakeLists.txt
-index 5cbcf7191..23e85fea7 100644
---- a/programs/psa/CMakeLists.txt
-+++ b/programs/psa/CMakeLists.txt
-@@ -6,7 +6,7 @@ set(executables
-
- foreach(exe IN LISTS executables)
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-- target_link_libraries(${exe} mbedcrypto)
-+ target_link_libraries(${exe} ${mbedcrypto_target})
- target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
- endforeach()
-
-diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt
-index 95acb7e10..8df836580 100644
---- a/programs/random/CMakeLists.txt
-+++ b/programs/random/CMakeLists.txt
-@@ -6,7 +6,7 @@ set(executables
-
- foreach(exe IN LISTS executables)
- add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>)
-- target_link_libraries(${exe} mbedcrypto)
-+ target_link_libraries(${exe} ${mbedcrypto_target})
- endforeach()
-
- install(TARGETS ${executables}
-diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt
-index 28fbfc5a7..ca0a6a429 100644
---- a/programs/ssl/CMakeLists.txt
-+++ b/programs/ssl/CMakeLists.txt
-@@ -2,7 +2,7 @@ set(THREADS_USE_PTHREADS_WIN32 true)
- find_package(Threads)
-
- set(libs
-- mbedtls
-+ ${mbedtls_target}
- )
-
- if(USE_PKCS11_HELPER_LIBRARY)
-diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
-index 0df0becd9..217741bf9 100644
---- a/programs/test/CMakeLists.txt
-+++ b/programs/test/CMakeLists.txt
-@@ -1,5 +1,5 @@
- set(libs
-- mbedtls
-+ ${mbedtls_target}
- )
-
- if(USE_PKCS11_HELPER_LIBRARY)
-@@ -33,7 +33,7 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto)
- if (${exe_index} GREATER -1)
- target_link_libraries(${exe} ${libs})
- else()
-- target_link_libraries(${exe} mbedcrypto)
-+ target_link_libraries(${exe} ${mbedcrypto_target})
- endif()
- endforeach()
-
-diff --git a/programs/test/cmake_subproject/CMakeLists.txt b/programs/test/cmake_subproject/CMakeLists.txt
-index 3e32c5fc3..a9fcfde29 100644
---- a/programs/test/cmake_subproject/CMakeLists.txt
-+++ b/programs/test/cmake_subproject/CMakeLists.txt
-@@ -1,5 +1,8 @@
- cmake_minimum_required(VERSION 2.6)
-
-+# Test the target renaming support by adding a prefix to the targets built
-+set(MBEDTLS_TARGET_PREFIX subproject_test_)
-+
- # We use the parent Mbed TLS directory as the MBEDTLS_DIR for this test. Other
- # projects that use Mbed TLS as a subproject are likely to add by their own
- # relative paths.
-@@ -8,11 +11,12 @@ set(MBEDTLS_DIR ../../../)
- # Add Mbed TLS as a subdirectory.
- add_subdirectory(${MBEDTLS_DIR} build)
-
--# Link against all the Mbed TLS libraries.
-+# Link against all the Mbed TLS libraries. Verifies that the targets have been
-+# created using the specified prefix
- set(libs
-- mbedcrypto
-- mbedx509
-- mbedtls
-+ subproject_test_mbedcrypto
-+ subproject_test_mbedx509
-+ subproject_test_mbedtls
- )
-
- add_executable(cmake_subproject cmake_subproject.c)
-diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt
-index cb14a3ee6..2a11212ec 100644
---- a/programs/util/CMakeLists.txt
-+++ b/programs/util/CMakeLists.txt
-@@ -1,5 +1,5 @@
- set(libs
-- mbedcrypto
-+ ${mbedcrypto_target}
- )
-
- set(executables
-diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt
-index f7b5fe1d9..29cbeb800 100644
---- a/programs/x509/CMakeLists.txt
-+++ b/programs/x509/CMakeLists.txt
-@@ -1,5 +1,5 @@
- set(libs
-- mbedx509
-+ ${mbedx509_target}
- )
-
- if(USE_PKCS11_HELPER_LIBRARY)
-@@ -23,7 +23,7 @@ foreach(exe IN LISTS executables)
- target_link_libraries(${exe} ${libs})
- endforeach()
-
--target_link_libraries(cert_app mbedtls)
-+target_link_libraries(cert_app ${mbedtls_target})
-
- install(TARGETS ${executables}
- DESTINATION "bin"
-diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
-index cc6866309..580d936c0 100644
---- a/tests/CMakeLists.txt
-+++ b/tests/CMakeLists.txt
-@@ -1,5 +1,5 @@
- set(libs
-- mbedtls
-+ ${mbedtls_target}
- )
-
- # Set the project root directory if it's not already defined, as may happen if
-@@ -43,7 +43,7 @@ function(add_test_suite suite_name)
- add_custom_command(
- OUTPUT test_suite_${data_name}.c
- COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py -f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function -d ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data -t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function -p ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function -s ${CMAKE_CURRENT_SOURCE_DIR}/suites --helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function -o .
-- DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py mbedtls ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data
-+ DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/scripts/generate_test_code.py ${mbedtls_target} ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data
- )
-
- add_executable(test_suite_${data_name} test_suite_${data_name}.c $<TARGET_OBJECTS:mbedtls_test>)
---
-2.20.1
-
diff --git a/lib/ext/mbedcrypto/0002-Build-Use-new-style-syntax-in-link-libraries.patch b/lib/ext/mbedcrypto/0002-Build-Use-new-style-syntax-in-link-libraries.patch
deleted file mode 100644
index c4d51500b3..0000000000
--- a/lib/ext/mbedcrypto/0002-Build-Use-new-style-syntax-in-link-libraries.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 4762eddfb3e17d50b471cf6dda491047cbd712d6 Mon Sep 17 00:00:00 2001
-From: Raef Coles <raef.coles@arm.com>
-Date: Tue, 13 Oct 2020 16:31:41 +0100
-Subject: [PATCH 2/2] Build: Use new-style syntax in link-libraries
-
-Migrate to new syntax where the PUBLIC attribute is explicitly defined.
-Avoids issues caused sometimes where cmake does not allow the mixing of
-old-style and new-style syntax
-
-Signed-off-by: Raef Coles <raef.coles@arm.com>
----
- library/CMakeLists.txt | 12 ++++++------
- 1 file changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
-index f0315f721..89625558a 100644
---- a/library/CMakeLists.txt
-+++ b/library/CMakeLists.txt
-@@ -180,29 +180,29 @@ endif()
- if(USE_STATIC_MBEDTLS_LIBRARY)
- add_library(${mbedcrypto_static_target} STATIC ${src_crypto})
- set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto)
-- target_link_libraries(${mbedcrypto_static_target} ${libs})
-+ target_link_libraries(${mbedcrypto_static_target} PUBLIC ${libs})
-
- add_library(${mbedx509_static_target} STATIC ${src_x509})
- set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509)
-- target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target})
-+ target_link_libraries(${mbedx509_static_target} PUBLIC ${libs} ${mbedcrypto_static_target})
-
- add_library(${mbedtls_static_target} STATIC ${src_tls})
- set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls)
-- target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target})
-+ target_link_libraries(${mbedtls_static_target} PUBLIC ${libs} ${mbedx509_static_target})
- endif(USE_STATIC_MBEDTLS_LIBRARY)
-
- if(USE_SHARED_MBEDTLS_LIBRARY)
- add_library(${mbedcrypto_target} SHARED ${src_crypto})
- set_target_properties(${mbedcrypto_target} PROPERTIES VERSION 2.24.0 SOVERSION 5)
-- target_link_libraries(${mbedcrypto_target} ${libs})
-+ target_link_libraries(${mbedcrypto_target} PUBLIC ${libs})
-
- add_library(${mbedx509_target} SHARED ${src_x509})
- set_target_properties(${mbedx509_target} PROPERTIES VERSION 2.24.0 SOVERSION 1)
-- target_link_libraries(${mbedx509_target} ${libs} ${mbedcrypto_target})
-+ target_link_libraries(${mbedx509_target} PUBLIC ${libs} ${mbedcrypto_target})
-
- add_library(${mbedtls_target} SHARED ${src_tls})
- set_target_properties(${mbedtls_target} PROPERTIES VERSION 2.24.0 SOVERSION 13)
-- target_link_libraries(${mbedtls_target} ${libs} ${mbedx509_target})
-+ target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target})
- endif(USE_SHARED_MBEDTLS_LIBRARY)
-
- foreach(target IN LISTS target_libraries)
---
-2.20.1
-
diff --git a/lib/ext/mbedcrypto/0005-Enable-crypto-code-sharing-between-independent-binar.patch b/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
index 3c220b4e6d..3c220b4e6d 100644
--- a/lib/ext/mbedcrypto/0005-Enable-crypto-code-sharing-between-independent-binar.patch
+++ b/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
diff --git a/lib/ext/mbedcrypto/0003-Remove-overriding-of-CMAKE_BUILD_TYPE.patch b/lib/ext/mbedcrypto/0003-Remove-overriding-of-CMAKE_BUILD_TYPE.patch
deleted file mode 100644
index f94de4e0a1..0000000000
--- a/lib/ext/mbedcrypto/0003-Remove-overriding-of-CMAKE_BUILD_TYPE.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From 1c4af63fc32e16022f884e29ad3ccbdb8c3ed2f2 Mon Sep 17 00:00:00 2001
-From: Raef Coles <raef.coles@arm.com>
-Date: Wed, 2 Sep 2020 10:15:02 +0100
-Subject: [PATCH 3/4] Remove overriding of CMAKE_BUILD_TYPE
-
-Signed-off-by: Raef Coles <raef.coles@arm.com>
----
- CMakeLists.txt | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/CMakeLists.txt b/CMakeLists.txt
-index ba9227ff3..a671575b7 100644
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -112,10 +112,6 @@ option: \n\
- endif()
- endif()
-
--set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
-- CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
-- FORCE)
--
- # Create a symbolic link from ${base_name} in the binary directory
- # to the corresponding path in the source directory.
- function(link_to_source base_name)
---
-2.20.1
-
diff --git a/lib/ext/mbedcrypto/0006-Move-misplaced-else-within-ifdef-to-avoid-compilatio.patch b/lib/ext/mbedcrypto/0006-Move-misplaced-else-within-ifdef-to-avoid-compilatio.patch
deleted file mode 100644
index 159e325041..0000000000
--- a/lib/ext/mbedcrypto/0006-Move-misplaced-else-within-ifdef-to-avoid-compilatio.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 8b2dc6377637c6c146ab5d23a4e119e3d508156c Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?H=C3=A5kon=20=C3=98ye=20Amundsen?=
- <haakon.amundsen@nordicsemi.no>
-Date: Tue, 19 Jan 2021 15:16:55 +0100
-Subject: [PATCH] Move misplaced 'else' within #ifdef to avoid compilation
- error
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-... when MBEDTLS_MD_C is not defined.
-
-Signed-off-by: Håkon Øye Amundsen <haakon.amundsen@nordicsemi.no>
----
- library/psa_crypto.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/library/psa_crypto.c b/library/psa_crypto.c
-index bffddc995..8b1201461 100644
---- a/library/psa_crypto.c
-+++ b/library/psa_crypto.c
-@@ -5220,8 +5220,8 @@ static psa_status_t psa_key_derivation_setup_kdf(
- operation->capacity = 255 * hash_size;
- return( PSA_SUCCESS );
- }
--#endif /* MBEDTLS_MD_C */
- else
-+#endif /* MBEDTLS_MD_C */
- return( PSA_ERROR_NOT_SUPPORTED );
- }
-
---
-2.30.0
-
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
index c9fc9f4f6c..60c42c2b79 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
@@ -8,7 +8,7 @@
* memory footprint.
*/
/*
- * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -855,20 +855,20 @@
*/
//#define MBEDTLS_ENTROPY_NV_SEED
-/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
- * In PSA key storage, encode the owner of the key.
+ * Enable key identifiers that encode a key owner identifier.
*
* This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide
- * an implementation of the type psa_key_owner_id_t and a translation
- * from psa_key_file_id_t to file name in all the storage backends that
+ * multi-client service. When you activate this option, you must provide an
+ * implementation of the type mbedtls_key_owner_id_t and a translation from
+ * mbedtls_svc_key_id_t to file name in all the storage backends that you
* you wish to support.
*
* Note that this option is meant for internal use only and may be removed
* without notice.
*/
-#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
/**
* \def MBEDTLS_MEMORY_DEBUG
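Review bot: Renaming the option to `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` makes the define inert if the mbedcrypto checkout in use still reads the old name, and in that case per-client key ownership is silently lost rather than failing the build; the version pin appears to be the config_default.cmake change in the diffstat, so a one-line comment in this config block recording the minimum mbedcrypto version the option name targets would make that coupling visible. The new comment text also has a duplicated word across lines: `* mbedtls_svc_key_id_t to file name in all the storage backends that you` followed by `* you wish to support.`. The same comment and rename are repeated in tfm_mbedcrypto_config_profile_medium.h, tfm_mbedcrypto_config_profile_small.h and the NXP mini_mbedcrypto_config.h below.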
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
index 1d61ac2350..c1663d0e5e 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
@@ -8,7 +8,7 @@
* memory footprint.
*/
/*
- * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -850,20 +850,20 @@
*/
//#define MBEDTLS_ENTROPY_NV_SEED
-/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
- * In PSA key storage, encode the owner of the key.
+ * Enable key identifiers that encode a key owner identifier.
*
* This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide
- * an implementation of the type psa_key_owner_id_t and a translation
- * from psa_key_file_id_t to file name in all the storage backends that
+ * multi-client service. When you activate this option, you must provide an
+ * implementation of the type mbedtls_key_owner_id_t and a translation from
+ * mbedtls_svc_key_id_t to file name in all the storage backends that you
* you wish to support.
*
* Note that this option is meant for internal use only and may be removed
* without notice.
*/
-#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
/**
* \def MBEDTLS_MEMORY_DEBUG
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
index ee578749d0..3c2c12295a 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
@@ -8,7 +8,7 @@
* memory footprint.
*/
/*
- * Copyright (C) 2006-2020, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -850,20 +850,20 @@
*/
//#define MBEDTLS_ENTROPY_NV_SEED
-/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
- * In PSA key storage, encode the owner of the key.
+ * Enable key identifiers that encode a key owner identifier.
*
* This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide
- * an implementation of the type psa_key_owner_id_t and a translation
- * from psa_key_file_id_t to file name in all the storage backends that
+ * multi-client service. When you activate this option, you must provide an
+ * implementation of the type mbedtls_key_owner_id_t and a translation from
+ * mbedtls_svc_key_id_t to file name in all the storage backends that you
* you wish to support.
*
* Note that this option is meant for internal use only and may be removed
* without notice.
*/
-#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
/**
* \def MBEDTLS_MEMORY_DEBUG
diff --git a/platform/ext/target/nxp/common/mini_mbedcrypto_config.h b/platform/ext/target/nxp/common/mini_mbedcrypto_config.h
index 6d8594e1df..36b2c2b052 100755
--- a/platform/ext/target/nxp/common/mini_mbedcrypto_config.h
+++ b/platform/ext/target/nxp/common/mini_mbedcrypto_config.h
@@ -8,7 +8,7 @@
* memory footprint.
*/
/*
- * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -850,20 +850,20 @@
*/
//#define MBEDTLS_ENTROPY_NV_SEED
-/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
- * In PSA key storage, encode the owner of the key.
+ * Enable key identifiers that encode a key owner identifier.
*
* This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide
- * an implementation of the type psa_key_owner_id_t and a translation
- * from psa_key_file_id_t to file name in all the storage backends that
+ * multi-client service. When you activate this option, you must provide an
+ * implementation of the type mbedtls_key_owner_id_t and a translation from
+ * mbedtls_svc_key_id_t to file name in all the storage backends that you
* you wish to support.
*
* Note that this option is meant for internal use only and may be removed
* without notice.
*/
-//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
/**
* \def MBEDTLS_MEMORY_DEBUG
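Review bot: This platform config leaves `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` commented out (the `//#define` on the new side, and the lpcxpresso55s69 config below does the same), while the crypto partition in this same change reads `encoded_key.key_id` and builds ids with `mbedtls_svc_key_id_make(partition_id, key_id)`, which presumably rely on the struct form of `mbedtls_svc_key_id_t` that this option selects; confirm the NXP builds still compile, or enable the option here as the profile configs do. Beyond compilation, with the option off the owner would not be part of the key identifier inside mbedcrypto, so separation of persistent keys between client partitions would rest solely on the service's handle_owner table rather than on the key namespace. If the difference is intentional, a one-line comment next to the `//#define` saying so (for example that this platform is a single-client deployment) would stop the next reader from treating it as an oversight.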
diff --git a/platform/ext/target/nxp/lpcxpresso55s69/lpcxpresso55s69_mbedcrypto_config.h b/platform/ext/target/nxp/lpcxpresso55s69/lpcxpresso55s69_mbedcrypto_config.h
index 6ad1f95a10..0c4390ea9d 100755
--- a/platform/ext/target/nxp/lpcxpresso55s69/lpcxpresso55s69_mbedcrypto_config.h
+++ b/platform/ext/target/nxp/lpcxpresso55s69/lpcxpresso55s69_mbedcrypto_config.h
@@ -8,7 +8,7 @@
* memory footprint.
*/
/*
- * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * Copyright (C) 2006-2021, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -850,20 +850,20 @@
*/
//#define MBEDTLS_ENTROPY_NV_SEED
-/* MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
*
- * In PSA key storage, encode the owner of the key.
+ * Enable key identifiers that encode a key owner identifier.
*
* This is only meaningful when building the library as part of a
- * multi-client service. When you activate this option, you must provide
- * an implementation of the type psa_key_owner_id_t and a translation
- * from psa_key_file_id_t to file name in all the storage backends that
+ * multi-client service. When you activate this option, you must provide an
+ * implementation of the type mbedtls_key_owner_id_t and a translation from
+ * mbedtls_svc_key_id_t to file name in all the storage backends that you
* you wish to support.
*
* Note that this option is meant for internal use only and may be removed
* without notice.
*/
-//#define MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER
+//#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
/**
* \def MBEDTLS_MEMORY_DEBUG
diff --git a/secure_fw/partitions/crypto/crypto_aead.c b/secure_fw/partitions/crypto/crypto_aead.c
index 53b08485a1..d4aee11e44 100644
--- a/secure_fw/partitions/crypto/crypto_aead.c
+++ b/secure_fw/partitions/crypto/crypto_aead.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -38,7 +38,7 @@ psa_status_t tfm_crypto_aead_encrypt(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
const struct tfm_crypto_aead_pack_input *aead_pack_input = &iov->aead_in;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
const uint8_t *nonce = aead_pack_input->nonce;
size_t nonce_length = aead_pack_input->nonce_length;
@@ -48,20 +48,25 @@ psa_status_t tfm_crypto_aead_encrypt(psa_invec in_vec[],
size_t ciphertext_size = out_vec[0].len;
const uint8_t *additional_data = in_vec[2].base;
size_t additional_data_length = in_vec[2].len;
+ mbedtls_svc_key_id_t encoded_key;
/* Initialise ciphertext_length to zero. */
out_vec[0].len = 0;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
- if (status == PSA_SUCCESS) {
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- status = psa_aead_encrypt(key_handle, alg, nonce, nonce_length,
- additional_data, additional_data_length,
- plaintext, plaintext_length,
- ciphertext, ciphertext_size, &out_vec[0].len);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
}
- return status;
+ return psa_aead_encrypt(encoded_key, alg, nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, &out_vec[0].len);
#endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */
}
@@ -83,7 +88,7 @@ psa_status_t tfm_crypto_aead_decrypt(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
const struct tfm_crypto_aead_pack_input *aead_pack_input = &iov->aead_in;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
const uint8_t *nonce = aead_pack_input->nonce;
size_t nonce_length = aead_pack_input->nonce_length;
@@ -93,20 +98,25 @@ psa_status_t tfm_crypto_aead_decrypt(psa_invec in_vec[],
size_t plaintext_size = out_vec[0].len;
const uint8_t *additional_data = in_vec[2].base;
size_t additional_data_length = in_vec[2].len;
+ mbedtls_svc_key_id_t encoded_key;
/* Initialise plaintext_length to zero. */
out_vec[0].len = 0;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
- if (status == PSA_SUCCESS) {
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- status = psa_aead_decrypt(key_handle, alg, nonce, nonce_length,
- additional_data, additional_data_length,
- ciphertext, ciphertext_length,
- plaintext, plaintext_size, &out_vec[0].len);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
}
- return status;
+ return psa_aead_decrypt(encoded_key, alg, nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, &out_vec[0].len);
#endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */
}
diff --git a/secure_fw/partitions/crypto/crypto_asymmetric.c b/secure_fw/partitions/crypto/crypto_asymmetric.c
index 9f43eb4ae3..c3a39094e4 100644
--- a/secure_fw/partitions/crypto/crypto_asymmetric.c
+++ b/secure_fw/partitions/crypto/crypto_asymmetric.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -35,19 +35,25 @@ psa_status_t tfm_crypto_sign_hash(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
const uint8_t *hash = in_vec[1].base;
size_t hash_length = in_vec[1].len;
uint8_t *signature = out_vec[0].base;
size_t signature_size = out_vec[0].len;
- psa_status_t status = tfm_crypto_check_handle_owner(handle, NULL);
+ mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
- return psa_sign_hash(handle, alg, hash, hash_length,
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_sign_hash(encoded_key, alg, hash, hash_length,
signature, signature_size, &(out_vec[0].len));
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
@@ -68,19 +74,25 @@ psa_status_t tfm_crypto_verify_hash(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
const uint8_t *hash = in_vec[1].base;
size_t hash_length = in_vec[1].len;
const uint8_t *signature = in_vec[2].base;
size_t signature_length = in_vec[2].len;
- psa_status_t status = tfm_crypto_check_handle_owner(handle, NULL);
+ mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status = tfm_crypto_check_handle_owner(key_id, NULL);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
if (status != PSA_SUCCESS) {
return status;
}
- return psa_verify_hash(handle, alg, hash, hash_length,
+ return psa_verify_hash(encoded_key, alg, hash, hash_length,
signature, signature_length);
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
@@ -102,7 +114,7 @@ psa_status_t tfm_crypto_asymmetric_encrypt(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
const uint8_t *input = in_vec[1].base;
size_t input_length = in_vec[1].len;
@@ -113,13 +125,19 @@ psa_status_t tfm_crypto_asymmetric_encrypt(psa_invec in_vec[],
psa_key_type_t type;
size_t key_bits;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(handle, NULL);
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_get_key_attributes(handle, &key_attributes);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_get_key_attributes(encoded_key, &key_attributes);
if (status != PSA_SUCCESS) {
return status;
}
@@ -134,7 +152,7 @@ psa_status_t tfm_crypto_asymmetric_encrypt(psa_invec in_vec[],
return PSA_ERROR_BUFFER_TOO_SMALL;
}
- return psa_asymmetric_encrypt(handle, alg, input, input_length,
+ return psa_asymmetric_encrypt(encoded_key, alg, input, input_length,
salt, salt_length,
output, output_size, &(out_vec[0].len));
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
@@ -156,7 +174,7 @@ psa_status_t tfm_crypto_asymmetric_decrypt(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
const uint8_t *input = in_vec[1].base;
size_t input_length = in_vec[1].len;
@@ -165,13 +183,19 @@ psa_status_t tfm_crypto_asymmetric_decrypt(psa_invec in_vec[],
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
psa_status_t status;
+ mbedtls_svc_key_id_t encoded_key;
+
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- status = tfm_crypto_check_handle_owner(handle, NULL);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
if (status != PSA_SUCCESS) {
return status;
}
- return psa_asymmetric_decrypt(handle, alg, input, input_length,
+ return psa_asymmetric_decrypt(encoded_key, alg, input, input_length,
salt, salt_length,
output, output_size, &(out_vec[0].len));
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
diff --git a/secure_fw/partitions/crypto/crypto_cipher.c b/secure_fw/partitions/crypto/crypto_cipher.c
index 6e47f61b16..03849dfd97 100644
--- a/secure_fw/partitions/crypto/crypto_cipher.c
+++ b/secure_fw/partitions/crypto/crypto_cipher.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -133,10 +133,11 @@ psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
+ mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
@@ -148,10 +149,14 @@ psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec in_vec[],
if (status != PSA_SUCCESS) {
return status;
}
-
*handle_out = handle;
- status = psa_cipher_encrypt_setup(operation, key_handle, alg);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_cipher_encrypt_setup(operation, encoded_key, alg);
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if the operation fails. */
(void)tfm_crypto_operation_release(handle_out);
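Review bot: The new early return when `tfm_crypto_encode_id_and_owner` fails leaks the operation context: it sits after `*handle_out = handle`, which follows what appears to be the operation allocation (the status check at the top of the hunk), yet unlike the `psa_cipher_encrypt_setup` failure path just below it never calls `tfm_crypto_operation_release`. Either add `(void)tfm_crypto_operation_release(handle_out);` before that `return status;`, or move the encode call up beside the owner check so it runs before any context is allocated. The decrypt setup below has the same pattern. tfm_crypto_cipher_encrypt_setup starts and ends outside this hunk.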
@@ -182,10 +187,11 @@ psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
+ mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
@@ -199,8 +205,12 @@ psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec in_vec[],
}
*handle_out = handle;
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- status = psa_cipher_decrypt_setup(operation, key_handle, alg);
+ status = psa_cipher_decrypt_setup(operation, encoded_key, alg);
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if the operation fails. */
(void)tfm_crypto_operation_release(handle_out);
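Review bot: Same leak as in the encrypt setup: `*handle_out = handle` has already been set when the new `tfm_crypto_encode_id_and_owner` check returns, so on that path the allocated operation context is never released, whereas the `psa_cipher_decrypt_setup` failure path does release it. Add `(void)tfm_crypto_operation_release(handle_out);` before the `return status;`, or perform the encode step before the context is allocated. tfm_crypto_cipher_decrypt_setup starts and ends outside this hunk.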
diff --git a/secure_fw/partitions/crypto/crypto_key.c b/secure_fw/partitions/crypto/crypto_key.c
index a2ca7d8d64..d07eef3c1d 100644
--- a/secure_fw/partitions/crypto/crypto_key.c
+++ b/secure_fw/partitions/crypto/crypto_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -16,11 +16,11 @@
#include <stdbool.h>
#ifndef TFM_CRYPTO_MAX_KEY_HANDLES
-#define TFM_CRYPTO_MAX_KEY_HANDLES (16)
+#define TFM_CRYPTO_MAX_KEY_HANDLES (32)
#endif
struct tfm_crypto_handle_owner_s {
int32_t owner; /*!< Owner of the allocated handle */
- psa_key_handle_t handle; /*!< Allocated handle */
+ psa_key_id_t key; /*!< Allocated key */
uint8_t in_use; /*!< Flag to indicate if this in use */
};
@@ -35,9 +35,9 @@ static struct tfm_crypto_handle_owner_s
*/
/*!@{*/
psa_status_t tfm_crypto_key_attributes_from_client(
- const struct psa_client_key_attributes_s *client_key_attr,
- int32_t client_id,
- psa_key_attributes_t *key_attributes)
+ const struct psa_client_key_attributes_s *client_key_attr,
+ int32_t client_id,
+ psa_key_attributes_t *key_attributes)
{
if (client_key_attr == NULL || key_attributes == NULL) {
return PSA_ERROR_PROGRAMMER_ERROR;
@@ -60,8 +60,8 @@ psa_status_t tfm_crypto_key_attributes_from_client(
}
psa_status_t tfm_crypto_key_attributes_to_client(
- const psa_key_attributes_t *key_attributes,
- struct psa_client_key_attributes_s *client_key_attr)
+ const psa_key_attributes_t *key_attributes,
+ struct psa_client_key_attributes_s *client_key_attr)
{
if (client_key_attr == NULL || key_attributes == NULL) {
return PSA_ERROR_PROGRAMMER_ERROR;
@@ -83,7 +83,7 @@ psa_status_t tfm_crypto_key_attributes_to_client(
return PSA_SUCCESS;
}
-psa_status_t tfm_crypto_check_handle_owner(psa_key_handle_t handle,
+psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key,
uint32_t *index)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
@@ -99,7 +99,7 @@ psa_status_t tfm_crypto_check_handle_owner(psa_key_handle_t handle,
}
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use && handle_owner[i].handle == handle) {
+ if (handle_owner[i].in_use && handle_owner[i].key == key) {
if (handle_owner[i].owner == partition_id) {
if (index != NULL) {
*index = i;
@@ -115,6 +115,27 @@ psa_status_t tfm_crypto_check_handle_owner(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
+psa_status_t tfm_crypto_encode_id_and_owner(psa_key_id_t key_id,
+ mbedtls_svc_key_id_t *enc_key_ptr)
+{
+ int32_t partition_id = 0;
+ psa_status_t status = tfm_crypto_get_caller_id(&partition_id);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* If Null Pointer, return PSA_ERROR_PROGRAMMER_ERROR */
+ if (enc_key_ptr == NULL) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+
+ /* Use the client key id as the key_id and its partition id as the owner */
+ *enc_key_ptr = mbedtls_svc_key_id_make(partition_id, key_id);
+
+ return PSA_SUCCESS;
+}
+
psa_status_t tfm_crypto_check_key_storage(uint32_t *index)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
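Review bot: tfm_crypto_encode_id_and_owner has no header comment, and its contract matters for every caller: the body never consults handle_owner, it only stamps the calling partition id onto whatever key id it is given, so the ownership check is entirely the caller's responsibility. I would add above the definition a short comment stating that it builds the mbedcrypto key id for the calling partition, performs no ownership check so callers must have passed `tfm_crypto_check_handle_owner()` first, and returns `PSA_ERROR_PROGRAMMER_ERROR` for a NULL `enc_key_ptr`. As a point of style the NULL check should precede the `tfm_crypto_get_caller_id` call rather than follow it. Unlike its neighbours the function has no `TFM_CRYPTO_KEY_MODULE_DISABLED` stub, which is fine only if every caller is itself compiled out in that configuration.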
@@ -134,7 +155,7 @@ psa_status_t tfm_crypto_check_key_storage(uint32_t *index)
}
psa_status_t tfm_crypto_set_key_storage(uint32_t index,
- psa_key_handle_t key_handle)
+ psa_key_id_t key_handle)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -148,7 +169,7 @@ psa_status_t tfm_crypto_set_key_storage(uint32_t index,
}
handle_owner[index].owner = partition_id;
- handle_owner[index].handle = key_handle;
+ handle_owner[index].key = key_handle;
handle_owner[index].in_use = TFM_CRYPTO_IN_USE;
return PSA_SUCCESS;
@@ -194,16 +215,18 @@ psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
const uint8_t *data = in_vec[2].base;
size_t data_length = in_vec[2].len;
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t *psa_key = out_vec[0].base;
+
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
+ mbedtls_svc_key_id_t encoded_key;
int32_t partition_id = 0;
bool empty_found = false;
@@ -230,11 +253,13 @@ psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
return status;
}
- status = psa_import_key(&key_attributes, data, data_length, key_handle);
+ status = psa_import_key(&key_attributes, data, data_length, &encoded_key);
+ /* Update the imported key id */
+ *psa_key = encoded_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
+ handle_owner[i].key = *psa_key;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
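Review bot: `*psa_key = encoded_key.key_id;` executes regardless of `status`, and `encoded_key` is declared without an initializer earlier in the function, so if `psa_import_key` does not write its output on a failure path the client is handed an uninitialized stack value as a key id. Prefer `*psa_key = (status == PSA_SUCCESS) ? encoded_key.key_id : 0;` (0 being the value the tracking table already uses for a freed slot), or initialize the local at its declaration. tfm_crypto_import_key starts and ends outside this hunk.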
@@ -254,15 +279,15 @@ psa_status_t tfm_crypto_open_key(psa_invec in_vec[],
CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 2, 2, out_len, 1, 1);
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_app_key_id_t)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (in_vec[1].len != sizeof(psa_key_id_t)) ||
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
- psa_app_key_id_t client_key_id = *((psa_app_key_id_t *)in_vec[1].base);
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t client_key_id = *((psa_key_id_t *)in_vec[1].base);
+ psa_key_id_t *key = out_vec[0].base;
psa_status_t status;
- psa_key_id_t id;
+ mbedtls_svc_key_id_t encoded_key;
int32_t partition_id;
uint32_t i;
@@ -282,13 +307,14 @@ psa_status_t tfm_crypto_open_key(psa_invec in_vec[],
}
/* Use the client key id as the key_id and its partition id as the owner */
- id = (psa_key_id_t){ .key_id = client_key_id, .owner = partition_id };
+ encoded_key = mbedtls_svc_key_id_make(partition_id, client_key_id);
- status = psa_open_key(id, key_handle);
+ status = psa_open_key(encoded_key, &encoded_key);
+ *key = encoded_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
+ handle_owner[i].key = *key;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
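Review bot: `psa_open_key(encoded_key, &encoded_key)` reuses one variable as both input and output, and the following `*key = encoded_key.key_id;` runs even when the open failed, so unless mbedcrypto clears its output on failure the client gets back the very id it requested next to an error status. Use a separate output variable and write `*key = (status == PSA_SUCCESS) ? opened_key.key_id : 0;` so the returned id is only meaningful on success. tfm_crypto_open_key starts and ends outside this hunk.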
@@ -313,19 +339,21 @@ psa_status_t tfm_crypto_close_key(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint32_t index;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_close_key(key);
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ status = psa_close_key(encoded_key);
if (status == PSA_SUCCESS) {
handle_owner[index].owner = 0;
- handle_owner[index].handle = 0;
+ handle_owner[index].key = 0;
handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
}
@@ -349,20 +377,21 @@ psa_status_t tfm_crypto_destroy_key(psa_invec in_vec[],
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint32_t index;
- psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+ mbedtls_svc_key_id_t encoded_key;
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_destroy_key(key);
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ status = psa_destroy_key(encoded_key);
if (status == PSA_SUCCESS) {
handle_owner[index].owner = 0;
- handle_owner[index].handle = 0;
+ handle_owner[index].key = 0;
handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
}
@@ -387,18 +416,23 @@ psa_status_t tfm_crypto_get_key_attributes(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
struct psa_client_key_attributes_s *client_key_attr = out_vec[0].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
+ mbedtls_svc_key_id_t encoded_key;
status = tfm_crypto_check_handle_owner(key, NULL);
if (status != PSA_SUCCESS) {
return status;
}
- status = psa_get_key_attributes(key, &key_attributes);
+ status = tfm_crypto_encode_id_and_owner(key, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_get_key_attributes(encoded_key, &key_attributes);
if (status == PSA_SUCCESS) {
status = tfm_crypto_key_attributes_to_client(&key_attributes,
client_key_attr);
@@ -464,11 +498,21 @@ psa_status_t tfm_crypto_export_key(psa_invec in_vec[],
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+ uint32_t index;
+
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- return psa_export_key(key, data, data_size, &(out_vec[0].len));
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+ return psa_export_key(encoded_key, data, data_size,
+ &(out_vec[0].len));
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
@@ -487,12 +531,61 @@ psa_status_t tfm_crypto_export_public_key(psa_invec in_vec[],
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_handle_t key = iov->key_handle;
+ psa_key_id_t key = iov->key_id;
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+ uint32_t index;
+
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
- return psa_export_public_key(key, data, data_size, &(out_vec[0].len));
+ return psa_export_public_key(encoded_key, data, data_size,
+ &(out_vec[0].len));
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_purge_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ (void)out_vec;
+
+ CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 1, out_len, 0, 0);
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_id_t key = iov->key_id;
+ uint32_t index;
+ mbedtls_svc_key_id_t encoded_key;
+
+ psa_status_t status = tfm_crypto_check_handle_owner(key, &index);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ encoded_key = mbedtls_svc_key_id_make(handle_owner[index].owner, key);
+
+ status = psa_purge_key(encoded_key);
+ if (status == PSA_SUCCESS) {
+ handle_owner[index].owner = 0;
+ handle_owner[index].key = 0;
+ handle_owner[index].in_use = TFM_CRYPTO_NOT_IN_USE;
+ }
+
+ return status;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
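Review bot: tfm_crypto_purge_key clears the handle_owner tracking entry whenever `psa_purge_key` succeeds, but the PSA API documents purge as only discarding cached copies of a persistent key while leaving its id valid, and as having no effect on volatile keys; if mbedcrypto follows that, a client that purges a volatile key loses its tracking entry while the key stays allocated in mbedcrypto, and later calls including `psa_destroy_key` will presumably fail the owner check, so that slot can never be reclaimed by the client. Consider leaving the tracking entry in place on success, or clearing it only for persistent keys, and in any case document the intended semantics above the function, e.g. `/* Purge invalidates the caller's id in this service; the key must be re-opened before further use. */` if that is the design. The owner check and the owner-based encoding above it look correct.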
@@ -508,20 +601,22 @@ psa_status_t tfm_crypto_copy_key(psa_invec in_vec[],
CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 2, 2, out_len, 1, 1);
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t)) ||
+ (out_vec[0].len != sizeof(psa_key_id_t)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t source_handle = iov->key_handle;
- psa_key_handle_t *target_handle = out_vec[0].base;
+ psa_key_id_t source_key_id = iov->key_id;
+ psa_key_id_t *target_key_id = out_vec[0].base;
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
int32_t partition_id = 0;
bool empty_found = false;
+ mbedtls_svc_key_id_t target_key;
+ mbedtls_svc_key_id_t encoded_key;
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
@@ -546,11 +641,21 @@ psa_status_t tfm_crypto_copy_key(psa_invec in_vec[],
return status;
}
- status = psa_copy_key(source_handle, &key_attributes, target_handle);
+ status = tfm_crypto_check_handle_owner(source_key_id, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = tfm_crypto_encode_id_and_owner(source_key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ status = psa_copy_key(encoded_key, &key_attributes, &target_key);
+ *target_key_id = target_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *target_handle;
+ handle_owner[i].key = *target_key_id;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
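Review bot: `*target_key_id = target_key.key_id;` is written unconditionally, and `target_key` is declared without an initializer earlier in the function, so on a `psa_copy_key` failure the client may receive an uninitialized value unless mbedcrypto always writes its output; use `*target_key_id = (status == PSA_SUCCESS) ? target_key.key_id : 0;` or initialize the local. The added `tfm_crypto_check_handle_owner(source_key_id, NULL)` is the right fix for the previously unchecked source key, though running it before the slot search and attribute conversion would avoid wasted work on a rejected request. tfm_crypto_copy_key starts and ends outside this hunk.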
@@ -571,16 +676,17 @@ psa_status_t tfm_crypto_generate_key(psa_invec in_vec[],
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t *key_handle = out_vec[0].base;
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_status_t status;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
uint32_t i = 0;
int32_t partition_id = 0;
bool empty_found = false;
+ mbedtls_svc_key_id_t encoded_key;
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
@@ -605,11 +711,12 @@ psa_status_t tfm_crypto_generate_key(psa_invec in_vec[],
return status;
}
- status = psa_generate_key(&key_attributes, key_handle);
+ status = psa_generate_key(&key_attributes, &encoded_key);
+ *key_handle = encoded_key.key_id;
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
+ handle_owner[i].key = *key_handle;
handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
}
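Review bot: As in import_key and copy_key, `*key_handle = encoded_key.key_id;` runs even when `psa_generate_key` failed, and `encoded_key` has no initializer earlier in the function, so the client may be handed an uninitialized id alongside the error; write `*key_handle = (status == PSA_SUCCESS) ? encoded_key.key_id : 0;` or initialize the local. tfm_crypto_generate_key starts and ends outside this hunk.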
diff --git a/secure_fw/partitions/crypto/crypto_key_derivation.c b/secure_fw/partitions/crypto/crypto_key_derivation.c
index b2e09beb0a..1d2cb7a6d4 100644
--- a/secure_fw/partitions/crypto/crypto_key_derivation.c
+++ b/secure_fw/partitions/crypto/crypto_key_derivation.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -83,7 +83,7 @@ static psa_status_t tfm_crypto_huk_derivation_input_bytes(
static psa_status_t tfm_crypto_huk_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- psa_key_handle_t *handle)
+ mbedtls_svc_key_id_t *key_id)
{
enum tfm_plat_err_t err;
size_t bytes = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
@@ -103,7 +103,7 @@ static psa_status_t tfm_crypto_huk_derivation_output_key(
}
return psa_import_key(attributes, operation->ctx.tls12_prf.output_block,
- bytes, handle);
+ bytes, key_id);
}
static psa_status_t tfm_crypto_huk_derivation_abort(
@@ -333,13 +333,13 @@ psa_status_t tfm_crypto_key_derivation_input_key(psa_invec in_vec[],
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
uint32_t handle = iov->op_handle;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_key_derivation_step_t step = iov->step;
psa_key_derivation_operation_t *operation = NULL;
+ mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
@@ -352,7 +352,12 @@ psa_status_t tfm_crypto_key_derivation_input_key(psa_invec in_vec[],
return status;
}
- return psa_key_derivation_input_key(operation, step, key_handle);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_key_derivation_input_key(operation, step, encoded_key);
#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
}
@@ -370,7 +375,7 @@ psa_status_t tfm_crypto_key_derivation_output_key(psa_invec in_vec[],
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
(in_vec[1].len != sizeof(struct psa_client_key_attributes_s)) ||
- (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ (out_vec[0].len != sizeof(psa_key_id_t))) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
@@ -378,10 +383,11 @@ psa_status_t tfm_crypto_key_derivation_output_key(psa_invec in_vec[],
uint32_t handle = iov->op_handle;
const struct psa_client_key_attributes_s *client_key_attr = in_vec[1].base;
psa_key_derivation_operation_t *operation = NULL;
- psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_key_id_t *key_handle = out_vec[0].base;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
int32_t partition_id;
uint32_t index;
+ mbedtls_svc_key_id_t encoded_key;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
@@ -410,11 +416,13 @@ psa_status_t tfm_crypto_key_derivation_output_key(psa_invec in_vec[],
if (operation->alg == TFM_CRYPTO_ALG_HUK_DERIVATION) {
status = tfm_crypto_huk_derivation_output_key(&key_attributes,
- operation, key_handle);
+ operation, &encoded_key);
} else {
status = psa_key_derivation_output_key(&key_attributes, operation,
- key_handle);
+ &encoded_key);
}
+ *key_handle = encoded_key.key_id;
+
if (status == PSA_SUCCESS) {
status = tfm_crypto_set_key_storage(index, *key_handle);
}
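Review bot: `*key_handle = encoded_key.key_id;` runs even when the preceding derivation call failed, and `encoded_key` is declared without an initializer in the hunk above, so on the error path indeterminate stack bytes are copied into the client's out_vec. Move the assignment into the success branch, `if (status == PSA_SUCCESS) { *key_handle = encoded_key.key_id; status = tfm_crypto_set_key_storage(index, *key_handle); }`, or zero-initialise `encoded_key` where it is declared. The body of tfm_crypto_key_derivation_output_key continues past the end of the hunk.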
@@ -494,11 +502,12 @@ psa_status_t tfm_crypto_key_derivation_key_agreement(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
uint32_t handle = iov->op_handle;
- psa_key_handle_t private_key = iov->key_handle;
+ psa_key_id_t private_key = iov->key_id;
const uint8_t *peer_key = in_vec[1].base;
size_t peer_key_length = in_vec[1].len;
psa_key_derivation_operation_t *operation = NULL;
psa_key_derivation_step_t step = iov->step;
+ mbedtls_svc_key_id_t encoded_key;
status = tfm_crypto_check_handle_owner(private_key, NULL);
if (status != PSA_SUCCESS) {
@@ -513,8 +522,13 @@ psa_status_t tfm_crypto_key_derivation_key_agreement(psa_invec in_vec[],
return status;
}
+ status = tfm_crypto_encode_id_and_owner(private_key, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
return psa_key_derivation_key_agreement(operation, step,
- private_key,
+ encoded_key,
peer_key,
peer_key_length);
#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
@@ -559,11 +573,23 @@ psa_status_t tfm_crypto_raw_key_agreement(psa_invec in_vec[],
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
psa_algorithm_t alg = iov->alg;
- psa_key_handle_t private_key = iov->key_handle;
+ psa_key_id_t private_key = iov->key_id;
const uint8_t *peer_key = in_vec[1].base;
size_t peer_key_length = in_vec[1].len;
+ mbedtls_svc_key_id_t encoded_key;
+
+ psa_status_t status = tfm_crypto_check_handle_owner(private_key, NULL);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = tfm_crypto_encode_id_and_owner(private_key, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- return psa_raw_key_agreement(alg, private_key, peer_key, peer_key_length,
+ return psa_raw_key_agreement(alg, encoded_key, peer_key, peer_key_length,
output, output_size, &out_vec[0].len);
#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
}
diff --git a/secure_fw/partitions/crypto/crypto_mac.c b/secure_fw/partitions/crypto/crypto_mac.c
index c983b6ac4f..e2f27c55b7 100644
--- a/secure_fw/partitions/crypto/crypto_mac.c
+++ b/secure_fw/partitions/crypto/crypto_mac.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -40,10 +40,11 @@ psa_status_t tfm_crypto_mac_sign_setup(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
+ mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
@@ -61,7 +62,12 @@ psa_status_t tfm_crypto_mac_sign_setup(psa_invec in_vec[],
*handle_out = handle;
- status = psa_mac_sign_setup(operation, key_handle, alg);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_mac_sign_setup(operation, encoded_key, alg);
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if the operation fails. */
(void)tfm_crypto_operation_release(handle_out);
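Review bot: The new early return after `tfm_crypto_encode_id_and_owner()` fails leaves the operation context allocated: `*handle_out = handle;` has already been written, and the psa_mac_sign_setup failure path directly below releases the context, so this path should do the same: `if (status != PSA_SUCCESS) { (void)tfm_crypto_operation_release(handle_out); return status; }`. The identical pattern appears in the tfm_crypto_mac_verify_setup hunk further down. The allocation itself is above the hunk, so I am inferring it from the release call that follows.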
@@ -92,10 +98,11 @@ psa_status_t tfm_crypto_mac_verify_setup(psa_invec in_vec[],
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_id_t key_id = iov->key_id;
psa_algorithm_t alg = iov->alg;
+ mbedtls_svc_key_id_t encoded_key;
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
+ status = tfm_crypto_check_handle_owner(key_id, NULL);
if (status != PSA_SUCCESS) {
return status;
}
@@ -113,7 +120,12 @@ psa_status_t tfm_crypto_mac_verify_setup(psa_invec in_vec[],
*handle_out = handle;
- status = psa_mac_verify_setup(operation, key_handle, alg);
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = psa_mac_verify_setup(operation, encoded_key, alg);
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if the operation fails. */
(void)tfm_crypto_operation_release(handle_out);
diff --git a/secure_fw/partitions/crypto/crypto_spe.h b/secure_fw/partitions/crypto/crypto_spe.h
index 2ceaefdc66..507eda277c 100644
--- a/secure_fw/partitions/crypto/crypto_spe.h
+++ b/secure_fw/partitions/crypto/crypto_spe.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -66,6 +66,8 @@
PSA_FUNCTION_NAME(psa_export_key)
#define psa_export_public_key \
PSA_FUNCTION_NAME(psa_export_public_key)
+#define psa_purge_key \
+ PSA_FUNCTION_NAME(psa_purge_key)
#define psa_copy_key \
PSA_FUNCTION_NAME(psa_copy_key)
#define psa_cipher_operation_init \
diff --git a/secure_fw/partitions/crypto/tfm_crypto.yaml b/secure_fw/partitions/crypto/tfm_crypto.yaml
index cc836c5cce..c97bf94543 100644
--- a/secure_fw/partitions/crypto/tfm_crypto.yaml
+++ b/secure_fw/partitions/crypto/tfm_crypto.yaml
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2021, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -70,6 +70,13 @@
"version_policy": "STRICT"
},
{
+ "name": "TFM_CRYPTO_PURGE_KEY",
+ "signal": "TFM_CRYPTO_PURGE_KEY",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
"name": "TFM_CRYPTO_COPY_KEY",
"signal": "TFM_CRYPTO_COPY_KEY",
"non_secure_clients": true,
diff --git a/secure_fw/partitions/crypto/tfm_crypto_api.h b/secure_fw/partitions/crypto/tfm_crypto_api.h
index fa6f136be0..3f3d9bf097 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_api.h
+++ b/secure_fw/partitions/crypto/tfm_crypto_api.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -79,9 +79,9 @@ psa_status_t tfm_crypto_get_caller_id(int32_t *id);
* \return Return values as described in \ref psa_status_t
*/
psa_status_t tfm_crypto_key_attributes_from_client(
- const struct psa_client_key_attributes_s *client_key_attr,
- int32_t client_id,
- psa_key_attributes_t *key_attributes);
+ const struct psa_client_key_attributes_s *client_key_attr,
+ int32_t client_id,
+ psa_key_attributes_t *key_attributes);
/**
* \brief Converts key attributes to client key attributes.
@@ -92,14 +92,14 @@ psa_status_t tfm_crypto_key_attributes_from_client(
* \return Return values as described in \ref psa_status_t
*/
psa_status_t tfm_crypto_key_attributes_to_client(
- const psa_key_attributes_t *key_attributes,
- struct psa_client_key_attributes_s *client_key_attr);
+ const psa_key_attributes_t *key_attributes,
+ struct psa_client_key_attributes_s *client_key_attr);
/**
* \brief Checks that the requested handle belongs to the requesting
* partition
*
- * \param[in] handle Handle given as input
+ * \param[in] key key given as input
* \param[out] index Optionally, pointer to hold the internal index
* corresponding to the input handle. Valid only
* on PSA_SUCCESS, it's returned only if the input
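Review bot: The updated `\param[in] key key given as input` says nothing beyond the parameter name, and the `\brief` two lines up still speaks of a "requested handle". Suggest `\param[in] key Key id given as input` and `\brief Checks that the requested key belongs to the requesting partition`. The tfm_crypto_set_key_storage prototype in the hunk below keeps the old parameter name `key_handle` for a value that is now a psa_key_id_t; renaming it to `key_id` would match the rest of the change.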
@@ -107,7 +107,7 @@ psa_status_t tfm_crypto_key_attributes_to_client(
*
* \return Return values as described in \ref psa_status_t
*/
-psa_status_t tfm_crypto_check_handle_owner(psa_key_handle_t handle,
+psa_status_t tfm_crypto_check_handle_owner(psa_key_id_t key,
uint32_t *index);
/**
@@ -130,7 +130,7 @@ psa_status_t tfm_crypto_check_key_storage(uint32_t *index);
* \return Return values as described in \ref psa_status_t
*/
psa_status_t tfm_crypto_set_key_storage(uint32_t index,
- psa_key_handle_t key_handle);
+ psa_key_id_t key_handle);
/**
* \brief Allocate an operation context in the backend
*
@@ -164,6 +164,16 @@ psa_status_t tfm_crypto_operation_release(uint32_t *handle);
psa_status_t tfm_crypto_operation_lookup(enum tfm_crypto_operation_type type,
uint32_t handle,
void **ctx);
+/**
+ * \brief Encodes the input key id and owner to output key
+ *
+ * \param[in] key_id Id of the key to encode
+ * \param[out] enc_key_ptr Pointer to encoded key with id and owner
+ *
+ * \return Return values as described in \ref psa_status_t
+ */
+psa_status_t tfm_crypto_encode_id_and_owner(psa_key_id_t key_id,
+ mbedtls_svc_key_id_t *enc_key_ptr);
#define LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API \
X(tfm_crypto_get_key_attributes) \
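Review bot: The new tfm_crypto_encode_id_and_owner declaration does not say whose owner is encoded or whether `*enc_key_ptr` is meaningful on failure; every caller in this change only uses it after checking the status, so that contract should be stated. Suggest `\param[out] enc_key_ptr Encoded key combining key_id with the calling partition's owner id; valid only on PSA_SUCCESS`. I am assuming the owner is the caller id obtained through tfm_crypto_get_caller_id, which this header declares; confirm against the definition in crypto_key.c.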
@@ -174,6 +184,7 @@ psa_status_t tfm_crypto_operation_lookup(enum tfm_crypto_operation_type type,
X(tfm_crypto_destroy_key) \
X(tfm_crypto_export_key) \
X(tfm_crypto_export_public_key) \
+ X(tfm_crypto_purge_key) \
X(tfm_crypto_copy_key) \
X(tfm_crypto_hash_compute) \
X(tfm_crypto_hash_compare) \
diff --git a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
index 1db9be2c86..d7ae1374f8 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
+++ b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -56,7 +56,7 @@ psa_status_t psa_crypto_init(void)
}
psa_status_t psa_open_key(psa_key_id_t id,
- psa_key_handle_t *handle)
+ psa_key_id_t *key_id)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -70,7 +70,7 @@ psa_status_t psa_open_key(psa_key_id_t id,
{.base = &id, .len = sizeof(psa_key_id_t)},
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
+ {.base = key_id, .len = sizeof(psa_key_id_t)},
};
#ifdef TFM_PSA_API
@@ -88,7 +88,7 @@ psa_status_t psa_open_key(psa_key_id_t id,
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t psa_close_key(psa_key_handle_t handle)
+psa_status_t psa_close_key(psa_key_id_t key_id)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -96,7 +96,7 @@ psa_status_t psa_close_key(psa_key_handle_t handle)
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CLOSE_KEY_SID,
- .key_handle = handle,
+ .key_id = key_id,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -120,7 +120,7 @@ psa_status_t psa_close_key(psa_key_handle_t handle)
psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
size_t data_length,
- psa_key_handle_t *handle)
+ psa_key_id_t *key_id)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -135,7 +135,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
{.base = data, .len = data_length}
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)}
+ {.base = key_id, .len = sizeof(psa_key_id_t)}
};
#ifdef TFM_PSA_API
@@ -152,7 +152,7 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t psa_destroy_key(psa_key_handle_t handle)
+psa_status_t psa_destroy_key(psa_key_id_t key_id)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -160,7 +160,7 @@ psa_status_t psa_destroy_key(psa_key_handle_t handle)
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_DESTROY_KEY_SID,
- .key_handle = handle,
+ .key_id = key_id,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -180,7 +180,7 @@ psa_status_t psa_destroy_key(psa_key_handle_t handle)
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
+psa_status_t psa_get_key_attributes(psa_key_id_t key_id,
psa_key_attributes_t *attributes)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
@@ -189,7 +189,7 @@ psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID,
- .key_handle = handle,
+ .key_id = key_id,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -245,7 +245,7 @@ void psa_reset_key_attributes(psa_key_attributes_t *attributes)
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t psa_export_key(psa_key_handle_t handle,
+psa_status_t psa_export_key(psa_key_id_t key_id,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -256,7 +256,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_KEY_SID,
- .key_handle = handle,
+ .key_id = key_id,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -282,7 +282,7 @@ psa_status_t psa_export_key(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t psa_export_public_key(psa_key_handle_t handle,
+psa_status_t psa_export_public_key(psa_key_id_t key_id,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -293,7 +293,7 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID,
- .key_handle = handle,
+ .key_id = key_id,
};
psa_invec in_vec[] = {
@@ -320,9 +320,37 @@ psa_status_t psa_export_public_key(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t psa_copy_key(psa_key_handle_t source_handle,
+psa_status_t psa_purge_key(psa_key_id_t key_id)
+{
+#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_PURGE_KEY_SID,
+ .key_id = key_id,
+ };
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_purge_key,
+ TFM_CRYPTO_PURGE_KEY);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return status;
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
+psa_status_t psa_copy_key(psa_key_id_t source_key_id,
const psa_key_attributes_t *attributes,
- psa_key_handle_t *target_handle)
+ psa_key_id_t *target_key_id)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -330,7 +358,7 @@ psa_status_t psa_copy_key(psa_key_handle_t source_handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_COPY_KEY_SID,
- .key_handle = source_handle,
+ .key_id = source_key_id,
};
psa_invec in_vec[] = {
@@ -339,7 +367,7 @@ psa_status_t psa_copy_key(psa_key_handle_t source_handle,
};
psa_outvec out_vec[] = {
- {.base = target_handle, .len = sizeof(psa_key_handle_t)},
+ {.base = target_key_id, .len = sizeof(psa_key_id_t)},
};
#ifdef TFM_PSA_API
@@ -431,7 +459,7 @@ psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
}
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key_id,
psa_algorithm_t alg)
{
#ifdef TFM_CRYPTO_CIPHER_MODULE_DISABLED
@@ -440,7 +468,7 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
.op_handle = operation->handle,
};
@@ -467,7 +495,7 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
}
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key_id,
psa_algorithm_t alg)
{
#ifdef TFM_CRYPTO_CIPHER_MODULE_DISABLED
@@ -476,7 +504,7 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
.op_handle = operation->handle,
};
@@ -908,7 +936,7 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
}
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key_id,
psa_algorithm_t alg)
{
#ifdef TFM_CRYPTO_MAC_MODULE_DISABLED
@@ -917,7 +945,7 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
.op_handle = operation->handle,
};
@@ -944,7 +972,7 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
}
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key_id,
psa_algorithm_t alg)
{
#ifdef TFM_CRYPTO_MAC_MODULE_DISABLED
@@ -953,7 +981,7 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
.op_handle = operation->handle,
};
@@ -1121,7 +1149,7 @@ psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
#endif /* TFM_CRYPTO_MAC_MODULE_DISABLED */
}
-psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_encrypt(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -1139,7 +1167,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -1195,7 +1223,7 @@ psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */
}
-psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
+psa_status_t psa_aead_decrypt(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -1213,7 +1241,7 @@ psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -1269,7 +1297,7 @@ psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */
}
-psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_sign(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -1277,10 +1305,11 @@ psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
size_t signature_size,
size_t *signature_length)
{
- return psa_sign_hash(handle, alg, hash, hash_length, signature, signature_size, signature_length);
+ return psa_sign_hash(key_id, alg, hash, hash_length, signature,
+ signature_size, signature_length);
}
-psa_status_t psa_sign_hash(psa_key_handle_t handle,
+psa_status_t psa_sign_hash(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -1294,7 +1323,7 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_SIGN_HASH_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg,
};
@@ -1322,17 +1351,18 @@ psa_status_t psa_sign_hash(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
-psa_status_t psa_asymmetric_verify(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_verify(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
const uint8_t *signature,
size_t signature_length)
{
- return psa_verify_hash(handle, alg, hash, hash_length, signature, signature_length);
+ return psa_verify_hash(key_id, alg, hash, hash_length,
+ signature, signature_length);
}
-psa_status_t psa_verify_hash(psa_key_handle_t handle,
+psa_status_t psa_verify_hash(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
@@ -1345,7 +1375,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_VERIFY_HASH_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg
};
@@ -1369,7 +1399,7 @@ psa_status_t psa_verify_hash(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
-psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_encrypt(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1385,7 +1415,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg
};
@@ -1430,7 +1460,7 @@ psa_status_t psa_asymmetric_encrypt(psa_key_handle_t handle,
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
-psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
+psa_status_t psa_asymmetric_decrypt(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1446,7 +1476,7 @@ psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID,
- .key_handle = handle,
+ .key_id = key_id,
.alg = alg
};
@@ -1565,7 +1595,7 @@ psa_status_t psa_key_derivation_output_bytes(
psa_status_t psa_key_derivation_input_key(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t handle)
+ psa_key_id_t key_id)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -1573,7 +1603,7 @@ psa_status_t psa_key_derivation_input_key(
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID,
- .key_handle = handle,
+ .key_id = key_id,
.step = step,
.op_handle = operation->handle,
};
@@ -1632,7 +1662,7 @@ psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
psa_status_t psa_key_derivation_key_agreement(
psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length)
{
@@ -1642,7 +1672,7 @@ psa_status_t psa_key_derivation_key_agreement(
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID,
- .key_handle = private_key,
+ .key_id = private_key,
.step = step,
.op_handle = operation->handle,
};
@@ -1710,7 +1740,7 @@ psa_status_t psa_generate_random(uint8_t *output,
}
psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
- psa_key_handle_t *handle)
+ psa_key_id_t *key_id)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -1726,7 +1756,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
+ {.base = key_id, .len = sizeof(psa_key_id_t)},
};
#ifdef TFM_PSA_API
@@ -1817,7 +1847,7 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
return status;
}
-psa_status_t psa_mac_compute(psa_key_handle_t handle,
+psa_status_t psa_mac_compute(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1832,7 +1862,7 @@ psa_status_t psa_mac_compute(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_mac_verify(psa_key_handle_t handle,
+psa_status_t psa_mac_verify(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1846,7 +1876,7 @@ psa_status_t psa_mac_verify(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_encrypt(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1861,7 +1891,7 @@ psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
return status;
}
-psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
+psa_status_t psa_cipher_decrypt(psa_key_id_t key_id,
psa_algorithm_t alg,
const uint8_t *input,
size_t input_length,
@@ -1877,7 +1907,7 @@ psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
}
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
- psa_key_handle_t private_key,
+ psa_key_id_t private_key,
const uint8_t *peer_key,
size_t peer_key_length,
uint8_t *output,
@@ -1891,7 +1921,7 @@ psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID,
.alg = alg,
- .key_handle = private_key
+ .key_id = private_key
};
psa_invec in_vec[] = {
@@ -2023,7 +2053,7 @@ psa_status_t psa_key_derivation_input_bytes(
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
- psa_key_handle_t *handle)
+ psa_key_id_t *key_id)
{
#if (TFM_CRYPTO_GENERATOR_MODULE_DISABLED != 0)
return PSA_ERROR_NOT_SUPPORTED;
@@ -2040,7 +2070,7 @@ psa_status_t psa_key_derivation_output_key(
};
psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)}
+ {.base = key_id, .len = sizeof(psa_key_id_t)}
};
#ifdef TFM_PSA_API
@@ -2058,7 +2088,7 @@ psa_status_t psa_key_derivation_output_key(
}
psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key_id,
psa_algorithm_t alg)
{
psa_status_t status;
@@ -2069,7 +2099,7 @@ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
}
psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
- psa_key_handle_t handle,
+ psa_key_id_t key_id,
psa_algorithm_t alg)
{
psa_status_t status;
diff --git a/secure_fw/partitions/crypto/tfm_mbedcrypto_include.h b/secure_fw/partitions/crypto/tfm_mbedcrypto_include.h
index 7bb7f467e4..e2b14238e4 100644
--- a/secure_fw/partitions/crypto/tfm_mbedcrypto_include.h
+++ b/secure_fw/partitions/crypto/tfm_mbedcrypto_include.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -10,6 +10,7 @@
/* Define PSA_CRYPTO_SECURE to signal that we are compiling for the SPE */
#define PSA_CRYPTO_SECURE 1
+
/* Include the crypto_spe.h header before including the PSA Crypto header from
* Mbed Crypto
*/
diff --git a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c
index ecfa566fd7..e4b66ff632 100644
--- a/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c
+++ b/secure_fw/partitions/protected_storage/crypto/ps_crypto_interface.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2017-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2017-2021, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -36,7 +36,7 @@
typedef char PS_ERROR_NOT_AEAD_ALG[(PSA_ALG_IS_AEAD(PS_CRYPTO_ALG)) ? 1 : -1];
static const uint8_t ps_key_label[] = "storage_key";
-static psa_key_handle_t ps_key_handle;
+static psa_key_id_t ps_key;
static uint8_t ps_crypto_iv_buf[PS_IV_LEN_BYTES];
psa_status_t ps_crypto_init(void)
@@ -74,7 +74,7 @@ psa_status_t ps_crypto_setkey(void)
}
/* Create the storage key from the key derivation operation */
- status = psa_key_derivation_output_key(&attributes, &op, &ps_key_handle);
+ status = psa_key_derivation_output_key(&attributes, &op, &ps_key);
if (status != PSA_SUCCESS) {
goto err_release_op;
}
@@ -88,7 +88,7 @@ psa_status_t ps_crypto_setkey(void)
return PSA_SUCCESS;
err_release_key:
- (void)psa_destroy_key(ps_key_handle);
+ (void)psa_destroy_key(ps_key);
err_release_op:
(void)psa_key_derivation_abort(&op);
@@ -101,7 +101,7 @@ psa_status_t ps_crypto_destroykey(void)
psa_status_t status;
/* Destroy the transient key */
- status = psa_destroy_key(ps_key_handle);
+ status = psa_destroy_key(ps_key);
if (status != PSA_SUCCESS) {
return PSA_ERROR_GENERIC_ERROR;
}
@@ -167,7 +167,7 @@ psa_status_t ps_crypto_encrypt_and_tag(union ps_crypto_t *crypto,
{
psa_status_t status;
- status = psa_aead_encrypt(ps_key_handle, PS_CRYPTO_ALG,
+ status = psa_aead_encrypt(ps_key, PS_CRYPTO_ALG,
crypto->ref.iv, PS_IV_LEN_BYTES,
add, add_len,
in, in_len,
@@ -198,7 +198,7 @@ psa_status_t ps_crypto_auth_and_decrypt(const union ps_crypto_t *crypto,
(void)tfm_memcpy((in + in_len), crypto->ref.tag, PS_TAG_LEN_BYTES);
in_len += PS_TAG_LEN_BYTES;
- status = psa_aead_decrypt(ps_key_handle, PS_CRYPTO_ALG,
+ status = psa_aead_decrypt(ps_key, PS_CRYPTO_ALG,
crypto->ref.iv, PS_IV_LEN_BYTES,
add, add_len,
in, in_len,
@@ -217,7 +217,7 @@ psa_status_t ps_crypto_generate_auth_tag(union ps_crypto_t *crypto,
psa_status_t status;
size_t out_len;
- status = psa_aead_encrypt(ps_key_handle, PS_CRYPTO_ALG,
+ status = psa_aead_encrypt(ps_key, PS_CRYPTO_ALG,
crypto->ref.iv, PS_IV_LEN_BYTES,
add, add_len,
0, 0,
@@ -236,7 +236,7 @@ psa_status_t ps_crypto_authenticate(const union ps_crypto_t *crypto,
psa_status_t status;
size_t out_len;
- status = psa_aead_decrypt(ps_key_handle, PS_CRYPTO_ALG,
+ status = psa_aead_decrypt(ps_key, PS_CRYPTO_ALG,
crypto->ref.iv, PS_IV_LEN_BYTES,
add, add_len,
crypto->ref.tag, PS_TAG_LEN_BYTES,