Crypto: Align to Mbed Crypto 3.0.1
This patch upgrades the Crypto service to be able
to use Mbed Crypto 3.0.1:
- Updates the PSA crypto headers to latest available in mbed-crypto
- Updates the service implementation
- Updates the test suites where needed
- Updates the SST and Attestation interfaces
towards cryptographic functionalities
- Updates documentation to reflect updated
requirements, and changes in the integration guide
This patch migrates the use of psa_asymmetric_sign() and
psa_asymmetric_verify() to the non-deprecated versions of
the API psa_sign_hash() and psa_verify_hash().
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I7d8275def2336c1b5cfb8847b2842c305cfab116
diff --git a/secure_fw/ns_callable/tfm_veneers.c b/secure_fw/ns_callable/tfm_veneers.c
index 8170e9c..697860a 100644
--- a/secure_fw/ns_callable/tfm_veneers.c
+++ b/secure_fw/ns_callable/tfm_veneers.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -38,49 +38,66 @@
#ifdef TFM_PARTITION_CRYPTO
/******** TFM_SP_CRYPTO ********/
-psa_status_t tfm_crypto_allocate_key(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_get_key_attributes(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_open_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_close_key(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_reset_key_attributes(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_import_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_destroy_key(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_get_key_information(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_export_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_export_public_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_copy_key(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_set_key_policy(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_get_key_policy(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_get_key_lifetime(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_generate_iv(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_set_iv(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_update(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_abort(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_finish(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_hash_compute(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_hash_compare(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_setup(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_update(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_finish(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_verify(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_abort(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_clone(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_mac_compute(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_mac_verify(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_sign_setup(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_verify_setup(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_update(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_sign_finish(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_verify_finish(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_abort(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_encrypt(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_decrypt(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_generate_iv(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_set_iv(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_update(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_finish(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_abort(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_aead_encrypt(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_aead_decrypt(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_asymmetric_sign(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_asymmetric_verify(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_encrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_decrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_generate_nonce(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_set_nonce(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_set_lengths(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_update_ad(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_update(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_finish(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_verify(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_abort(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_sign_hash(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_verify_hash(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_asymmetric_encrypt(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_asymmetric_decrypt(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_get_generator_capacity(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_generator_read(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_generator_import_key(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_generator_abort(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_key_derivation(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_key_agreement(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_setup(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_get_capacity(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_set_capacity(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_input_bytes(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_input_key(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_key_agreement(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_output_bytes(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_output_key(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_key_derivation_abort(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_raw_key_agreement(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_generate_random(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_generate_key(psa_invec *, size_t, psa_outvec *, size_t);
#endif /* TFM_PARTITION_CRYPTO */
@@ -189,49 +206,66 @@
#ifdef TFM_PARTITION_CRYPTO
/******** TFM_SP_CRYPTO ********/
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_allocate_key)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_attributes)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_open_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_close_key)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_reset_key_attributes)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_import_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_destroy_key)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_information)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_export_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_export_public_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_copy_key)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_set_key_policy)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_policy)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_lifetime)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_generate_iv)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_set_iv)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_encrypt_setup)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_decrypt_setup)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_update)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_abort)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_finish)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_compute)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_compare)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_setup)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_update)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_finish)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_verify)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_abort)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_clone)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_compute)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_verify)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_sign_setup)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_verify_setup)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_update)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_sign_finish)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_verify_finish)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_abort)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_encrypt)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_decrypt)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_encrypt_setup)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_decrypt_setup)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_generate_iv)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_set_iv)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_update)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_finish)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_abort)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_encrypt)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_decrypt)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_asymmetric_sign)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_asymmetric_verify)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_encrypt_setup)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_decrypt_setup)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_generate_nonce)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_set_nonce)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_set_lengths)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_update_ad)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_update)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_finish)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_verify)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_abort)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_sign_hash)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_verify_hash)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_asymmetric_encrypt)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_asymmetric_decrypt)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_generator_capacity)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_generator_read)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_generator_import_key)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_generator_abort)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_agreement)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_setup)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_get_capacity)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_set_capacity)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_input_bytes)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_input_key)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_key_agreement)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_output_bytes)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_output_key)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_derivation_abort)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_raw_key_agreement)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_generate_random)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_generate_key)
#endif /* TFM_PARTITION_CRYPTO */
diff --git a/secure_fw/ns_callable/tfm_veneers.c.template b/secure_fw/ns_callable/tfm_veneers.c.template
index 9bfec9c..a5035aa 100644
--- a/secure_fw/ns_callable/tfm_veneers.c.template
+++ b/secure_fw/ns_callable/tfm_veneers.c.template
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
diff --git a/secure_fw/services/crypto/CMakeLists.inc b/secure_fw/services/crypto/CMakeLists.inc
index 2389a5b..7fb6a85 100644
--- a/secure_fw/services/crypto/CMakeLists.inc
+++ b/secure_fw/services/crypto/CMakeLists.inc
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -49,7 +49,7 @@
"${CRYPTO_DIR}/crypto_key.c"
"${CRYPTO_DIR}/crypto_aead.c"
"${CRYPTO_DIR}/crypto_asymmetric.c"
- "${CRYPTO_DIR}/crypto_generator.c"
+ "${CRYPTO_DIR}/crypto_key_derivation.c"
"${CRYPTO_DIR}/tfm_crypto_secure_api.c"
)
@@ -107,11 +107,11 @@
else()
message("- CRYPTO_CIPHER_MODULE_DISABLED: " ${CRYPTO_CIPHER_MODULE_DISABLED})
endif()
- if (NOT DEFINED CRYPTO_GENERATOR_MODULE_DISABLED)
- message("- GENERATOR module enabled")
- set(CRYPTO_GENERATOR_MODULE_DISABLED 0)
+ if (NOT DEFINED CRYPTO_KEY_DERIVATION_MODULE_DISABLED)
+ message("- KEY_DERIVATION module enabled")
+ set(CRYPTO_KEY_DERIVATION_MODULE_DISABLED 0)
else()
- message("- CRYPTO_GENERATOR_MODULE_DISABLED: " ${CRYPTO_GENERATOR_MODULE_DISABLED})
+ message("- CRYPTO_KEY_DERIVATION_MODULE_DISABLED: " ${CRYPTO_KEY_DERIVATION_MODULE_DISABLED})
endif()
if (NOT DEFINED CRYPTO_ASYMMETRIC_MODULE_DISABLED)
message("- ASYMMETRIC module enabled")
diff --git a/secure_fw/services/crypto/CMakeLists.txt b/secure_fw/services/crypto/CMakeLists.txt
index 1d2d884..9d4f6cb 100644
--- a/secure_fw/services/crypto/CMakeLists.txt
+++ b/secure_fw/services/crypto/CMakeLists.txt
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+# Copyright (c) 2018-2020, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -69,8 +69,8 @@
if (CRYPTO_HASH_MODULE_DISABLED)
list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_HASH_MODULE_DISABLED)
endif()
-if (CRYPTO_GENERATOR_MODULE_DISABLED)
- list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_GENERATOR_MODULE_DISABLED)
+if (CRYPTO_KEY_DERIVATION_MODULE_DISABLED)
+ list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED)
endif()
if (CRYPTO_ASYMMETRIC_MODULE_DISABLED)
list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED)
diff --git a/secure_fw/services/crypto/crypto_aead.c b/secure_fw/services/crypto/crypto_aead.c
index be85c92..f663ae6 100644
--- a/secure_fw/services/crypto/crypto_aead.c
+++ b/secure_fw/services/crypto/crypto_aead.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -127,4 +127,94 @@
return status;
#endif /* TFM_CRYPTO_AEAD_MODULE_DISABLED */
}
+
+psa_status_t tfm_crypto_aead_encrypt_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_decrypt_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_abort(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_finish(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_generate_nonce(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_set_nonce(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_set_lengths(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_update(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_update_ad(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_aead_verify(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_alloc.c b/secure_fw/services/crypto/crypto_alloc.c
index df322ab..be68be0 100644
--- a/secure_fw/services/crypto/crypto_alloc.c
+++ b/secure_fw/services/crypto/crypto_alloc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -35,7 +35,7 @@
psa_cipher_operation_t cipher; /*!< Cipher operation context */
psa_mac_operation_t mac; /*!< MAC operation context */
psa_hash_operation_t hash; /*!< Hash operation context */
- psa_crypto_generator_t generator; /*!< Generator operation context */
+ psa_key_derivation_operation_t key_deriv; /*!< Key derivation operation context */
} operation;
};
@@ -65,8 +65,8 @@
case TFM_CRYPTO_HASH_OPERATION:
mem_size = sizeof(psa_hash_operation_t);
break;
- case TFM_CRYPTO_GENERATOR_OPERATION:
- mem_size = sizeof(psa_crypto_generator_t);
+ case TFM_CRYPTO_KEY_DERIVATION_OPERATION:
+ mem_size = sizeof(psa_key_derivation_operation_t);
break;
case TFM_CRYPTO_OPERATION_NONE:
default:
diff --git a/secure_fw/services/crypto/crypto_asymmetric.c b/secure_fw/services/crypto/crypto_asymmetric.c
index bfca546..24bdce0 100644
--- a/secure_fw/services/crypto/crypto_asymmetric.c
+++ b/secure_fw/services/crypto/crypto_asymmetric.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -24,10 +24,10 @@
*/
/*!@{*/
-psa_status_t tfm_crypto_asymmetric_sign(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
+psa_status_t tfm_crypto_sign_hash(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
#ifdef TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -53,15 +53,15 @@
return status;
}
- return psa_asymmetric_sign(handle, alg, hash, hash_length,
- signature, signature_size, &(out_vec[0].len));
+ return psa_sign_hash(handle, alg, hash, hash_length,
+ signature, signature_size, &(out_vec[0].len));
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
-psa_status_t tfm_crypto_asymmetric_verify(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
+psa_status_t tfm_crypto_verify_hash(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
#ifdef TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -87,8 +87,8 @@
return status;
}
- return psa_asymmetric_verify(handle, alg, hash, hash_length,
- signature, signature_length);
+ return psa_verify_hash(handle, alg, hash, hash_length,
+ signature, signature_length);
#endif /* TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED */
}
@@ -121,6 +121,7 @@
size_t output_size = out_vec[0].len;
psa_key_type_t type;
size_t key_bits;
+ psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
if (in_len == 3) {
salt = in_vec[2].base;
@@ -132,11 +133,16 @@
return status;
}
- status = psa_get_key_information(handle, &type, &key_bits);
+ status = psa_get_key_attributes(handle, &key_attributes);
if (status != PSA_SUCCESS) {
return status;
}
+ key_bits = psa_get_key_bits(&key_attributes);
+ type = psa_get_key_type(&key_attributes);
+
+ psa_reset_key_attributes(&key_attributes);
+
/* Check that the output buffer is large enough */
if (output_size < PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(type, key_bits, alg)) {
return PSA_ERROR_BUFFER_TOO_SMALL;
diff --git a/secure_fw/services/crypto/crypto_cipher.c b/secure_fw/services/crypto/crypto_cipher.c
index 160069e..85297a8 100644
--- a/secure_fw/services/crypto/crypto_cipher.c
+++ b/secure_fw/services/crypto/crypto_cipher.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -376,4 +376,22 @@
return status;
#endif /* TFM_CRYPTO_CIPHER_MODULE_DISABLED */
}
+
+psa_status_t tfm_crypto_cipher_encrypt(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_cipher_decrypt(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_generator.c b/secure_fw/services/crypto/crypto_generator.c
deleted file mode 100644
index 3284d7d..0000000
--- a/secure_fw/services/crypto/crypto_generator.c
+++ /dev/null
@@ -1,490 +0,0 @@
-/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#include <stddef.h>
-#include <stdint.h>
-
-/* FixMe: Use PSA_ERROR_CONNECTION_REFUSED when performing parameter
- * integrity checks but this will have to be revised
- * when the full set of error codes mandated by PSA FF
- * is available.
- */
-#include "tfm_mbedcrypto_include.h"
-
-/* Required for mbedtls_calloc in tfm_crypto_huk_derivation */
-#include "mbedtls/platform.h"
-
-#include "tfm_crypto_api.h"
-#include "tfm_crypto_defs.h"
-#include "tfm_memory_utils.h"
-
-#include "platform/include/tfm_plat_crypto_keys.h"
-
-#ifdef TFM_PARTITION_TEST_SST
-#include "psa_manifest/pid.h"
-#endif /* TFM_PARTITION_TEST_SST */
-
-/**
- * \brief Perform a key derivation operation from the hardware unique key (HUK).
- *
- * \note This function allows key derivation from the HUK to be implemented in
- * a platform-defined way by calling the TF-M platform function
- * tfm_plat_get_huk_derived_key.
- *
- * \param[in,out] generator Generator object to set up
- * \param[in] key_handle Handle to the secret key
- * \param[in] salt Salt to use
- * \param[in] salt_length Size of the salt buffer in bytes
- * \param[in] label Label to use
- * \param[in] label_length Size of the label buffer in bytes
- * \param[in] capacity Maximum number of bytes that the generator will
- * be able to provide
- *
- * \return Return values as described in \ref psa_status_t
- */
-#ifndef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
-static psa_status_t tfm_crypto_huk_derivation(psa_crypto_generator_t *generator,
- psa_key_handle_t key_handle,
- const uint8_t *salt,
- size_t salt_length,
- const uint8_t *label,
- size_t label_length,
- size_t capacity)
-{
- psa_status_t status;
- enum tfm_plat_err_t plat_err;
- int32_t partition_id;
- uint8_t *partition_label;
- psa_key_policy_t key_policy;
-
- status = psa_get_key_policy(key_handle, &key_policy);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Check that the input key has the correct policy */
- if (key_policy.usage != PSA_KEY_USAGE_DERIVE ||
- key_policy.alg != TFM_CRYPTO_ALG_HUK_DERIVATION) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Concatenate the caller's partition ID with the supplied label to prevent
- * two different partitions from deriving the same key.
- */
- status = tfm_crypto_get_caller_id(&partition_id);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
-#ifdef TFM_PARTITION_TEST_SST
- /* The SST tests run some operations under the wrong partition ID - this
- * causes the key derivation to change.
- */
- if (partition_id == TFM_SP_SST_TEST) {
- partition_id = TFM_SP_STORAGE;
- }
-#endif /* TFM_PARTITION_TEST_SST */
-
- partition_label = mbedtls_calloc(1, sizeof(partition_id) + label_length);
- if (partition_label == NULL) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- (void)tfm_memcpy(partition_label, &partition_id, sizeof(partition_id));
- (void)tfm_memcpy(partition_label + sizeof(partition_id), label,
- label_length);
-
- /* Set up the generator object to contain the raw derived key material, so
- * that it can be directly extracted in psa_generator_import_key or
- * psa_generator_read.
- */
- generator->alg = PSA_ALG_SELECT_RAW;
- generator->ctx.buffer.data = mbedtls_calloc(1, capacity);
- if (generator->ctx.buffer.data == NULL) {
- mbedtls_free(partition_label);
- (void)psa_generator_abort(generator);
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
- generator->ctx.buffer.size = capacity;
- generator->capacity = capacity;
-
- /* Derive key material from the HUK and output it to the generator buffer */
- plat_err = tfm_plat_get_huk_derived_key(partition_label,
- sizeof(partition_id) + label_length,
- salt, salt_length,
- generator->ctx.buffer.data,
- generator->ctx.buffer.size);
- mbedtls_free(partition_label);
- if (plat_err != TFM_PLAT_ERR_SUCCESS) {
- (void)psa_generator_abort(generator);
- return PSA_ERROR_HARDWARE_FAILURE;
- }
-
- return PSA_SUCCESS;
-}
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-
-/*!
- * \defgroup public_psa Public functions, PSA
- *
- */
-
-/*!@{*/
-psa_status_t tfm_crypto_get_generator_capacity(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(size_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- uint32_t handle = iov->op_handle;
- size_t *capacity = out_vec[0].base;
- psa_crypto_generator_t *generator = NULL;
-
- /* Look up the corresponding operation context */
- status = tfm_crypto_operation_lookup(TFM_CRYPTO_GENERATOR_OPERATION,
- handle,
- (void **)&generator);
- if (status != PSA_SUCCESS) {
- *capacity = 0;
- return status;
- }
-
- return psa_get_generator_capacity(generator, capacity);
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_generator_read(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- uint32_t handle = iov->op_handle;
- uint8_t *output = out_vec[0].base;
- size_t output_length = out_vec[0].len;
- psa_crypto_generator_t *generator = NULL;
-
- /* Look up the corresponding operation context */
- status = tfm_crypto_operation_lookup(TFM_CRYPTO_GENERATOR_OPERATION,
- handle,
- (void **)&generator);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- return psa_generator_read(generator, output, output_length);
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_generator_import_key(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- if ((in_len != 2) || (out_len != 0)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(size_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- uint32_t handle = iov->op_handle;
- psa_key_handle_t key_handle = iov->key_handle;
- psa_key_type_t type = iov->type;
- size_t bits = *(size_t *)(in_vec[1].base);
- psa_crypto_generator_t *generator = NULL;
-
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Look up the corresponding operation context */
- status = tfm_crypto_operation_lookup(TFM_CRYPTO_GENERATOR_OPERATION,
- handle,
- (void **)&generator);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- return psa_generator_import_key(key_handle, type, bits, generator);
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_generator_abort(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(uint32_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- uint32_t handle = iov->op_handle;
- uint32_t *handle_out = out_vec[0].base;
- psa_crypto_generator_t *generator = NULL;
-
- /* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->op_handle;
-
- /* Look up the corresponding operation context */
- status = tfm_crypto_operation_lookup(TFM_CRYPTO_GENERATOR_OPERATION,
- handle,
- (void **)&generator);
- if (status != PSA_SUCCESS) {
- /* Operation does not exist, so abort has no effect */
- return PSA_SUCCESS;
- }
-
- *handle_out = handle;
-
- status = psa_generator_abort(generator);
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if the operation fails. */
- (void)tfm_crypto_operation_release(handle_out);
- return status;
- }
-
- status = tfm_crypto_operation_release(handle_out);
-
- return status;
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_key_derivation(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- if (!((in_len == 1) || (in_len == 2) || (in_len == 3)) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(uint32_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- uint32_t handle = iov->op_handle;
- uint32_t *handle_out = out_vec[0].base;
- psa_key_handle_t key_handle = iov->key_handle;
- psa_algorithm_t alg = iov->alg;
- const uint8_t *salt = NULL;
- size_t salt_length = 0;
- const uint8_t *label = NULL;
- size_t label_length = 0;
- size_t capacity = iov->capacity;
- psa_crypto_generator_t *generator = NULL;
-
- if (in_len > 1) {
- salt = in_vec[1].base;
- salt_length = in_vec[1].len;
- }
-
- if (in_len > 2) {
- label = in_vec[2].base;
- label_length = in_vec[2].len;
- }
-
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Allocate the generator context in the secure world */
- status = tfm_crypto_operation_alloc(TFM_CRYPTO_GENERATOR_OPERATION,
- &handle,
- (void **)&generator);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- *handle_out = handle;
-
- /* If the caller requests that the TFM_CRYPTO_ALG_HUK_DERIVATION algorithm
- * is used for key derivation, then redirect the request to the TF-M HUK
- * derivation function, so that key derivation from the HUK can be
- * implemented in a platform-defined way.
- * FIXME: In the future, this should be replaced by the Mbed Crypto driver
- * model.
- */
- if (alg == TFM_CRYPTO_ALG_HUK_DERIVATION) {
- status = tfm_crypto_huk_derivation(generator, key_handle, salt,
- salt_length, label, label_length,
- capacity);
- } else {
- status = psa_key_derivation(generator, key_handle, alg, salt,
- salt_length, label, label_length, capacity);
- }
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if the operation fails. */
- (void)tfm_crypto_operation_release(handle_out);
- }
-
- return status;
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_key_agreement(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- if ((in_len != 2) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(uint32_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- uint32_t handle = iov->op_handle;
- uint32_t *handle_out = out_vec[0].base;
- psa_key_handle_t private_key = iov->key_handle;
- psa_algorithm_t alg = iov->alg;
- const uint8_t *peer_key = in_vec[1].base;
- size_t peer_key_length = in_vec[1].len;
- psa_crypto_generator_t *generator = NULL;
-
- status = tfm_crypto_check_handle_owner(private_key, NULL);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Allocate the generator context in the secure world */
- status = tfm_crypto_operation_alloc(TFM_CRYPTO_GENERATOR_OPERATION,
- &handle,
- (void **)&generator);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- *handle_out = handle;
-
- status = psa_key_agreement(generator, private_key,
- peer_key, peer_key_length, alg);
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if the operation fails. */
- (void)tfm_crypto_operation_release(handle_out);
- }
-
- return status;
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_generate_random(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- uint8_t *output = out_vec[0].base;
- size_t output_size = out_vec[0].len;
-
- return psa_generate_random(output, output_size);
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_generate_key(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- if (!((in_len == 2) || (in_len == 3)) || (out_len != 0)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(size_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key_handle = iov->key_handle;
- psa_key_type_t type = iov->type;
- size_t bits = *((size_t *)(in_vec[1].base));
- const void *extra = NULL;
- size_t extra_size = 0;
- psa_status_t status;
-
- status = tfm_crypto_check_handle_owner(key_handle, NULL);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (in_len == 3) {
- extra = in_vec[2].base;
- extra_size = in_vec[2].len;
- }
-
- return psa_generate_key(key_handle, type, bits, extra, extra_size);
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_hash.c b/secure_fw/services/crypto/crypto_hash.c
index 97d7ad2..dcd71dc 100644
--- a/secure_fw/services/crypto/crypto_hash.c
+++ b/secure_fw/services/crypto/crypto_hash.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -318,4 +318,22 @@
return status;
#endif /* TFM_CRYPTO_HASH_MODULE_DISABLED */
}
+
+psa_status_t tfm_crypto_hash_compare(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_hash_compute(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_key.c b/secure_fw/services/crypto/crypto_key.c
index 00cf946..f3fd277 100644
--- a/secure_fw/services/crypto/crypto_key.c
+++ b/secure_fw/services/crypto/crypto_key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -33,73 +33,6 @@
handle_owner[TFM_CRYPTO_MAX_KEY_HANDLES] = {0};
#endif
-/**
- * \brief Open a handle to the hardware unique key (HUK).
- *
- * \note As persistent keys are not yet supported by TF-M Crypto, this function
- * allocates an empty volatile key to get a valid key handle.
- *
- * \param[in] lifetime The lifetime of the key
- * \param[out] handle On success, a handle to the HUK
- *
- * \return Return values as described in \ref psa_status_t
- */
-#ifndef TFM_CRYPTO_KEY_MODULE_DISABLED
-static psa_status_t tfm_crypto_open_huk(psa_key_lifetime_t lifetime,
- psa_key_handle_t *key_handle)
-{
- psa_status_t status;
- int32_t partition_id;
- uint32_t i;
- psa_key_policy_t huk_policy = PSA_KEY_POLICY_INIT;
-
- /* The HUK has a persistent lifetime */
- if (lifetime != PSA_KEY_LIFETIME_PERSISTENT) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
- if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
- break;
- }
- }
-
- if (i == TFM_CRYPTO_MAX_KEY_HANDLES) {
- return PSA_ERROR_INSUFFICIENT_MEMORY;
- }
-
- status = tfm_crypto_get_caller_id(&partition_id);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Allocate a transient key to get a valid key handle */
- status = psa_allocate_key(key_handle);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* The HUK can only be used to derive other keys */
- huk_policy.usage = PSA_KEY_USAGE_DERIVE;
- huk_policy.alg = TFM_CRYPTO_ALG_HUK_DERIVATION;
- status = psa_set_key_policy(*key_handle, &huk_policy);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Import zero data to the HUK handle to prevent further modification */
- status = psa_import_key(*key_handle, PSA_KEY_TYPE_RAW_DATA, NULL, 0);
-
- if (status == PSA_SUCCESS) {
- handle_owner[i].owner = partition_id;
- handle_owner[i].handle = *key_handle;
- handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
- }
-
- return status;
-}
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-
/*!
* \defgroup public Public functions
*
@@ -138,28 +71,58 @@
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t tfm_crypto_allocate_key(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
+psa_status_t tfm_crypto_set_key_domain_parameters(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
- if ((in_len != 1) || (out_len != 1)) {
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_get_key_domain_parameters(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+
+ if ((in_len != 3) || (out_len != 1)) {
return PSA_ERROR_CONNECTION_REFUSED;
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
+ (in_vec[1].len != sizeof(psa_key_attributes_t)) ||
(out_vec[0].len != sizeof(psa_key_handle_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
-
+ const psa_key_attributes_t *key_attributes = in_vec[1].base;
+ const uint8_t *data = in_vec[2].base;
+ size_t data_length = in_vec[2].len;
psa_key_handle_t *key_handle = out_vec[0].base;
+ psa_status_t status;
uint32_t i = 0;
int32_t partition_id = 0;
bool empty_found = false;
- psa_status_t status;
for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
@@ -177,7 +140,7 @@
return status;
}
- status = psa_allocate_key(key_handle);
+ status = psa_import_key(key_attributes, data, data_length, key_handle);
if (status == PSA_SUCCESS) {
handle_owner[i].owner = partition_id;
@@ -207,19 +170,7 @@
return PSA_ERROR_CONNECTION_REFUSED;
}
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_lifetime_t lifetime = iov->lifetime;
- psa_key_id_t id = *((psa_key_id_t *)in_vec[1].base);
- psa_key_handle_t *key_handle = out_vec[0].base;
-
- /* FIXME: Persistent key APIs are not supported in general, so use a
- * specific implementation to open a handle to the HUK.
- */
- if (id == TFM_CRYPTO_KEY_ID_HUK) {
- return tfm_crypto_open_huk(lifetime, key_handle);
- } else {
- return PSA_ERROR_NOT_SUPPORTED;
- }
+ return PSA_ERROR_NOT_SUPPORTED;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
@@ -262,39 +213,6 @@
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- (void)out_vec;
-
- if ((in_len != 2) || (out_len != 0)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
-
- if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
- return PSA_ERROR_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_handle_t key = iov->key_handle;
- psa_key_type_t type = iov->type;
- const uint8_t *data = in_vec[1].base;
- size_t data_length = in_vec[1].len;
- psa_status_t status = tfm_crypto_check_handle_owner(key, NULL);
-
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- return psa_import_key(key, type, data, data_length);
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
psa_status_t tfm_crypto_destroy_key(psa_invec in_vec[],
size_t in_len,
psa_outvec out_vec[],
@@ -334,30 +252,54 @@
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
-psa_status_t tfm_crypto_get_key_information(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
+psa_status_t tfm_crypto_get_key_attributes(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
- if ((in_len != 1) || (out_len != 2)) {
+ if ((in_len != 1) || (out_len != 1)) {
return PSA_ERROR_CONNECTION_REFUSED;
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_key_type_t)) ||
- (out_vec[1].len != sizeof(size_t))) {
+ (out_vec[0].len != sizeof(psa_key_attributes_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_handle_t key = iov->key_handle;
- psa_key_type_t *type = out_vec[0].base;
- size_t *bits = out_vec[1].base;
+ psa_key_attributes_t *key_attributes = out_vec[0].base;
- return psa_get_key_information(key, type, bits);
+ return psa_get_key_attributes(key, key_attributes);
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_reset_key_attributes(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#if (TFM_CRYPTO_KEY_MODULE_DISABLED != 0)
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
+ (out_vec[0].len != sizeof(psa_key_attributes_t))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ psa_key_attributes_t *key_attributes = out_vec[0].base;
+
+ psa_reset_key_attributes(key_attributes);
+
+ /* psa_reset_key_attributes() doesn't report any error */
+ return PSA_SUCCESS;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
@@ -419,106 +361,104 @@
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
- (void)out_vec;
- if ((in_len != 3) || (out_len != 0)) {
+ if ((in_len != 2) || (out_len != 1)) {
return PSA_ERROR_CONNECTION_REFUSED;
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_key_handle_t)) ||
- (in_vec[2].len != sizeof(psa_key_policy_t))) {
+ (out_vec[0].len != sizeof(psa_key_handle_t)) ||
+ (in_vec[1].len != sizeof(psa_key_attributes_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_key_handle_t source_handle = iov->key_handle;
- psa_key_handle_t target_handle = *((psa_key_handle_t *)in_vec[1].base);
- const psa_key_policy_t *policy = in_vec[2].base;
+ psa_key_handle_t *target_handle = out_vec[0].base;
+ const psa_key_attributes_t *key_attributes = in_vec[1].base;
+ psa_status_t status;
+ uint32_t i = 0;
+ int32_t partition_id = 0;
+ bool empty_found = false;
- return psa_copy_key(source_handle, target_handle, policy);
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_set_key_policy(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- (void)out_vec;
-
- if ((in_len != 2) || (out_len != 0)) {
- return PSA_ERROR_CONNECTION_REFUSED;
+ for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
+ if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
+ empty_found = true;
+ break;
+ }
}
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_key_policy_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
+ if (!empty_found) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
}
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
- const psa_key_policy_t *policy = in_vec[1].base;
- psa_status_t status = tfm_crypto_check_handle_owner(key, NULL);
-
- if (status == PSA_SUCCESS) {
- return psa_set_key_policy(key, policy);
- } else {
+ status = tfm_crypto_get_caller_id(&partition_id);
+ if (status != PSA_SUCCESS) {
return status;
}
+
+ status = psa_copy_key(source_handle, key_attributes, target_handle);
+
+ if (status == PSA_SUCCESS) {
+ handle_owner[i].owner = partition_id;
+ handle_owner[i].handle = *target_handle;
+ handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
+ }
+
+ return status;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+ return PSA_ERROR_NOT_SUPPORTED;
}
-psa_status_t tfm_crypto_get_key_policy(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
+psa_status_t tfm_crypto_generate_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
- if ((in_len != 1) || (out_len != 1)) {
+ if ((in_len != 2) || (out_len != 1)) {
return PSA_ERROR_CONNECTION_REFUSED;
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_key_policy_t))) {
+ (in_vec[1].len != sizeof(psa_key_attributes_t)) ||
+ (out_vec[0].len != sizeof(psa_key_handle_t))) {
return PSA_ERROR_CONNECTION_REFUSED;
}
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_handle_t *key_handle = out_vec[0].base;
+ const psa_key_attributes_t *key_attributes = in_vec[1].base;
+ psa_status_t status;
+ uint32_t i = 0;
+ int32_t partition_id = 0;
+ bool empty_found = false;
- psa_key_handle_t key = iov->key_handle;
- psa_key_policy_t *policy = out_vec[0].base;
-
- return psa_get_key_policy(key, policy);
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-psa_status_t tfm_crypto_get_key_lifetime(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_ERROR_CONNECTION_REFUSED;
+ for (i = 0; i < TFM_CRYPTO_MAX_KEY_HANDLES; i++) {
+ if (handle_owner[i].in_use == TFM_CRYPTO_NOT_IN_USE) {
+ empty_found = true;
+ break;
+ }
}
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(psa_key_lifetime_t))) {
- return PSA_ERROR_CONNECTION_REFUSED;
+ if (!empty_found) {
+ return PSA_ERROR_INSUFFICIENT_MEMORY;
}
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_handle_t key = iov->key_handle;
- psa_key_lifetime_t *lifetime = out_vec[0].base;
+ status = tfm_crypto_get_caller_id(&partition_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
- return psa_get_key_lifetime(key, lifetime);
+ status = psa_generate_key(key_attributes, key_handle);
+
+ if (status == PSA_SUCCESS) {
+ handle_owner[i].owner = partition_id;
+ handle_owner[i].handle = *key_handle;
+ handle_owner[i].in_use = TFM_CRYPTO_IN_USE;
+ }
+
+ return status;
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_key_derivation.c b/secure_fw/services/crypto/crypto_key_derivation.c
new file mode 100644
index 0000000..80958f5
--- /dev/null
+++ b/secure_fw/services/crypto/crypto_key_derivation.c
@@ -0,0 +1,447 @@
+/*
+ * Copyright (c) 2019, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+
+/* FixMe: Use PSA_ERROR_CONNECTION_REFUSED when performing parameter
+ * integrity checks but this will have to be revised
+ * when the full set of error codes mandated by PSA FF
+ * is available.
+ */
+#include "tfm_mbedcrypto_include.h"
+
+#include "tfm_crypto_api.h"
+#include "tfm_crypto_defs.h"
+
+/*!
+ * \defgroup public_psa Public functions, PSA
+ *
+ */
+
+/*!@{*/
+psa_status_t tfm_crypto_key_derivation_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status = PSA_SUCCESS;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(uint32_t)) ||
+ (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ uint32_t handle = iov->op_handle;
+ uint32_t *handle_out = out_vec[0].base;
+ psa_algorithm_t alg = iov->alg;
+
+ /* Allocate the operation context in the secure world */
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ &handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ *handle_out = handle;
+
+ status = psa_key_derivation_setup(operation, alg);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
+ }
+
+ return status;
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_get_capacity(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
+ (out_vec[0].len != sizeof(size_t))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ size_t *capacity = out_vec[0].base;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ *capacity = 0;
+ return status;
+ }
+
+ return psa_key_derivation_get_capacity(operation, capacity);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_set_capacity(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 1) || (out_len != 0)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ size_t capacity = iov->capacity;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_key_derivation_set_capacity(operation, capacity);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_input_bytes(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 2) || (out_len != 0)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ psa_key_derivation_step_t step = iov->step;
+ const uint8_t *data = in_vec[1].base;
+ size_t data_length = in_vec[1].len;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_key_derivation_input_bytes(operation, step, data, data_length);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_output_bytes(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ uint8_t *output = out_vec[0].base;
+ size_t output_length = out_vec[0].len;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_key_derivation_output_bytes(operation, output, output_length);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_input_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 1) || (out_len != 0)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ psa_key_handle_t key_handle = iov->key_handle;
+ psa_key_derivation_step_t step = iov->step;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ status = tfm_crypto_check_handle_owner(key_handle, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_key_derivation_input_key(operation, step, key_handle);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_output_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
+ (in_vec[1].len != sizeof(psa_key_attributes_t)) ||
+ (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ const psa_key_attributes_t *key_attributes = in_vec[1].base;
+ psa_key_derivation_operation_t *operation = NULL;
+ psa_key_handle_t *key_handle = out_vec[0].base;
+ //int32_t partition_id = 0;
+ //uint32_t index = 0;
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ /*
+ status = tfm_crypto_check_key_storage(&partition_id, &index);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+ */
+ status = psa_key_derivation_output_key(key_attributes, operation, key_handle);
+ /*
+ if (status == PSA_SUCCESS) {
+ status = tfm_crypto_set_key_storage(partition_id, index, *key_handle);
+ }
+ */
+ return status;
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_abort(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
+ (out_vec[0].len != sizeof(uint32_t))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ uint32_t *handle_out = out_vec[0].base;
+ psa_key_derivation_operation_t *operation = NULL;
+
+ /* Init the handle in the operation with the one passed from the iov */
+ *handle_out = iov->op_handle;
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ /* Operation does not exist, so abort has no effect */
+ return PSA_SUCCESS;
+ }
+
+ *handle_out = handle;
+
+ status = psa_key_derivation_abort(operation);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
+ }
+
+ status = tfm_crypto_operation_release(handle_out);
+
+ return status;
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_key_derivation_key_agreement(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ if ((in_len != 2) || (out_len != 0)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+
+ uint32_t handle = iov->op_handle;
+ psa_key_handle_t private_key = iov->key_handle;
+ const uint8_t *peer_key = in_vec[1].base;
+ size_t peer_key_length = in_vec[1].len;
+ psa_key_derivation_operation_t *operation = NULL;
+ psa_key_derivation_step_t step = iov->step;
+
+ status = tfm_crypto_check_handle_owner(private_key, NULL);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_KEY_DERIVATION_OPERATION,
+ handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_key_derivation_key_agreement(operation, step,
+ private_key,
+ peer_key,
+ peer_key_length);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_generate_random(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ uint8_t *output = out_vec[0].base;
+ size_t output_size = out_vec[0].len;
+
+ return psa_generate_random(output, output_size);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+
+psa_status_t tfm_crypto_raw_key_agreement(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+#ifdef TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_CONNECTION_REFUSED;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ uint8_t *output = out_vec[0].base;
+ size_t output_size = out_vec[0].len;
+ psa_algorithm_t alg = iov->alg;
+ psa_key_handle_t private_key = iov->key_handle;
+ const uint8_t *peer_key = in_vec[1].base;
+ size_t peer_key_length = in_vec[1].len;
+
+ return psa_raw_key_agreement(alg, private_key, peer_key, peer_key_length,
+ output, output_size, &out_vec[0].len);
+#endif /* TFM_CRYPTO_KEY_DERIVATION_MODULE_DISABLED */
+}
+/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_mac.c b/secure_fw/services/crypto/crypto_mac.c
index 6f85285..df42ac4 100644
--- a/secure_fw/services/crypto/crypto_mac.c
+++ b/secure_fw/services/crypto/crypto_mac.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -328,4 +328,22 @@
return status;
#endif /* TFM_CRYPTO_MAC_MODULE_DISABLED */
}
+
+psa_status_t tfm_crypto_mac_compute(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+psa_status_t tfm_crypto_mac_verify(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ /* FixMe: To be implemented */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_spe.h b/secure_fw/services/crypto/crypto_spe.h
index 400fe7d..a383d0b 100644
--- a/secure_fw/services/crypto/crypto_spe.h
+++ b/secure_fw/services/crypto/crypto_spe.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -24,40 +24,66 @@
#define psa_crypto_init \
PSA_FUNCTION_NAME(psa_crypto_init)
-#define psa_key_policy_init \
- PSA_FUNCTION_NAME(psa_key_policy_init)
-#define psa_key_policy_set_usage \
- PSA_FUNCTION_NAME(psa_key_policy_set_usage)
-#define psa_key_policy_get_usage \
- PSA_FUNCTION_NAME(psa_key_policy_get_usage)
-#define psa_key_policy_get_algorithm \
- PSA_FUNCTION_NAME(psa_key_policy_get_algorithm)
-#define psa_set_key_policy \
- PSA_FUNCTION_NAME(psa_set_key_policy)
-#define psa_get_key_policy \
- PSA_FUNCTION_NAME(psa_get_key_policy)
-#define psa_get_key_lifetime \
- PSA_FUNCTION_NAME(psa_get_key_lifetime)
-#define psa_allocate_key \
- PSA_FUNCTION_NAME(psa_allocate_key)
+#define psa_key_derivation_get_capacity \
+ PSA_FUNCTION_NAME(psa_key_derivation_get_capacity)
+#define psa_key_derivation_set_capacity \
+ PSA_FUNCTION_NAME(psa_key_derivation_set_capacity)
+#define psa_key_derivation_input_bytes \
+ PSA_FUNCTION_NAME(psa_key_derivation_input_bytes)
+#define psa_key_derivation_output_bytes \
+ PSA_FUNCTION_NAME(psa_key_derivation_output_bytes)
+#define psa_key_derivation_input_key \
+ PSA_FUNCTION_NAME(psa_key_derivation_input_key)
+#define psa_key_derivation_output_key \
+ PSA_FUNCTION_NAME(psa_key_derivation_output_key)
+#define psa_key_derivation_setup \
+ PSA_FUNCTION_NAME(psa_key_derivation_setup)
+#define psa_key_derivation_abort \
+ PSA_FUNCTION_NAME(psa_key_derivation_abort)
+#define psa_key_derivation_key_agreement \
+ PSA_FUNCTION_NAME(psa_key_derivation_key_agreement)
+#define psa_raw_key_agreement \
+ PSA_FUNCTION_NAME(psa_raw_key_agreement)
+#define psa_generate_random \
+ PSA_FUNCTION_NAME(psa_generate_random)
+#define psa_aead_encrypt \
+ PSA_FUNCTION_NAME(psa_aead_encrypt)
+#define psa_aead_decrypt \
+ PSA_FUNCTION_NAME(psa_aead_decrypt)
#define psa_open_key \
PSA_FUNCTION_NAME(psa_open_key)
-#define psa_create_key \
- PSA_FUNCTION_NAME(psa_create_key)
#define psa_close_key \
PSA_FUNCTION_NAME(psa_close_key)
#define psa_import_key \
PSA_FUNCTION_NAME(psa_import_key)
#define psa_destroy_key \
PSA_FUNCTION_NAME(psa_destroy_key)
-#define psa_get_key_information \
- PSA_FUNCTION_NAME(psa_get_key_information)
+#define psa_get_key_attributes \
+ PSA_FUNCTION_NAME(psa_get_key_attributes)
+#define psa_reset_key_attributes \
+ PSA_FUNCTION_NAME(psa_reset_key_attributes)
#define psa_export_key \
PSA_FUNCTION_NAME(psa_export_key)
#define psa_export_public_key \
PSA_FUNCTION_NAME(psa_export_public_key)
#define psa_copy_key \
PSA_FUNCTION_NAME(psa_copy_key)
+#define psa_cipher_operation_init \
+ PSA_FUNCTION_NAME(psa_cipher_operation_init)
+#define psa_cipher_generate_iv \
+ PSA_FUNCTION_NAME(psa_cipher_generate_iv)
+#define psa_cipher_set_iv \
+ PSA_FUNCTION_NAME(psa_cipher_set_iv)
+#define psa_cipher_encrypt_setup \
+ PSA_FUNCTION_NAME(psa_cipher_encrypt_setup)
+#define psa_cipher_decrypt_setup \
+ PSA_FUNCTION_NAME(psa_cipher_decrypt_setup)
+#define psa_cipher_update \
+ PSA_FUNCTION_NAME(psa_cipher_update)
+#define psa_cipher_finish \
+ PSA_FUNCTION_NAME(psa_cipher_finish)
+#define psa_cipher_abort \
+ PSA_FUNCTION_NAME(psa_cipher_abort)
#define psa_hash_operation_init \
PSA_FUNCTION_NAME(psa_hash_operation_init)
#define psa_hash_setup \
@@ -86,51 +112,19 @@
PSA_FUNCTION_NAME(psa_mac_verify_finish)
#define psa_mac_abort \
PSA_FUNCTION_NAME(psa_mac_abort)
-#define psa_cipher_operation_init \
- PSA_FUNCTION_NAME(psa_cipher_operation_init)
-#define psa_cipher_encrypt_setup \
- PSA_FUNCTION_NAME(psa_cipher_encrypt_setup)
-#define psa_cipher_decrypt_setup \
- PSA_FUNCTION_NAME(psa_cipher_decrypt_setup)
-#define psa_cipher_generate_iv \
- PSA_FUNCTION_NAME(psa_cipher_generate_iv)
-#define psa_cipher_set_iv \
- PSA_FUNCTION_NAME(psa_cipher_set_iv)
-#define psa_cipher_update \
- PSA_FUNCTION_NAME(psa_cipher_update)
-#define psa_cipher_finish \
- PSA_FUNCTION_NAME(psa_cipher_finish)
-#define psa_cipher_abort \
- PSA_FUNCTION_NAME(psa_cipher_abort)
-#define psa_aead_encrypt \
- PSA_FUNCTION_NAME(psa_aead_encrypt)
-#define psa_aead_decrypt \
- PSA_FUNCTION_NAME(psa_aead_decrypt)
-#define psa_asymmetric_sign \
- PSA_FUNCTION_NAME(psa_asymmetric_sign)
-#define psa_asymmetric_verify \
- PSA_FUNCTION_NAME(psa_asymmetric_verify)
+#define psa_sign_hash \
+ PSA_FUNCTION_NAME(psa_sign_hash)
+#define psa_verify_hash \
+ PSA_FUNCTION_NAME(psa_verify_hash)
#define psa_asymmetric_encrypt \
PSA_FUNCTION_NAME(psa_asymmetric_encrypt)
#define psa_asymmetric_decrypt \
PSA_FUNCTION_NAME(psa_asymmetric_decrypt)
-#define psa_crypto_generator_init \
- PSA_FUNCTION_NAME(psa_crypto_generator_init)
-#define psa_get_generator_capacity \
- PSA_FUNCTION_NAME(psa_get_generator_capacity)
-#define psa_generator_read \
- PSA_FUNCTION_NAME(psa_generator_read)
-#define psa_generator_import_key \
- PSA_FUNCTION_NAME(psa_generator_import_key)
-#define psa_generator_abort \
- PSA_FUNCTION_NAME(psa_generator_abort)
-#define psa_key_derivation \
- PSA_FUNCTION_NAME(psa_key_derivation)
-#define psa_key_agreement \
- PSA_FUNCTION_NAME(psa_key_agreement)
-#define psa_generate_random \
- PSA_FUNCTION_NAME(psa_generate_random)
#define psa_generate_key \
PSA_FUNCTION_NAME(psa_generate_key)
+#define psa_set_key_domain_parameters \
+ PSA_FUNCTION_NAME(psa_set_key_domain_parameters)
+#define psa_get_key_domain_parameters \
+ PSA_FUNCTION_NAME(psa_get_key_domain_parameters)
#endif /* CRYPTO_SPE_H */
diff --git a/secure_fw/services/crypto/tfm_crypto.yaml b/secure_fw/services/crypto/tfm_crypto.yaml
index 0580d7e..6008cde 100644
--- a/secure_fw/services/crypto/tfm_crypto.yaml
+++ b/secure_fw/services/crypto/tfm_crypto.yaml
@@ -14,8 +14,8 @@
"stack_size": "0x2000",
"secure_functions": [
{
- "name": "TFM_CRYPTO_ALLOCATE_KEY",
- "signal": "TFM_CRYPTO_ALLOCATE_KEY",
+ "name": "TFM_CRYPTO_GET_KEY_ATTRIBUTES",
+ "signal": "TFM_CRYPTO_GET_KEY_ATTRIBUTES",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
@@ -35,13 +35,20 @@
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_IMPORT_KEY",
- "signal": "TFM_CRYPTO_IMPORT_KEY",
+ "name": "TFM_CRYPTO_RESET_KEY_ATTRIBUTES",
+ "signal": "TFM_CRYPTO_RESET_KEY_ATTRIBUTES",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
+ "name": "TFM_CRYPTO_IMPORT_KEY",
+ "signal": "TFM_CRYPTO_IMPORT_KEY",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
"name": "TFM_CRYPTO_DESTROY_KEY",
"signal": "TFM_CRYPTO_DESTROY_KEY",
"non_secure_clients": true,
@@ -49,13 +56,6 @@
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_GET_KEY_INFORMATION",
- "signal": "TFM_CRYPTO_GET_KEY_INFORMATION",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
"name": "TFM_CRYPTO_EXPORT_KEY",
"signal": "TFM_CRYPTO_EXPORT_KEY",
"non_secure_clients": true,
@@ -77,71 +77,15 @@
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_SET_KEY_POLICY",
- "signal": "TFM_CRYPTO_SET_KEY_POLICY",
+ "name": "TFM_CRYPTO_HASH_COMPUTE",
+ "signal": "TFM_CRYPTO_HASH_COMPUTE",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_GET_KEY_POLICY",
- "signal": "TFM_CRYPTO_GET_KEY_POLICY",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_GET_KEY_LIFETIME",
- "signal": "TFM_CRYPTO_GET_KEY_LIFETIME",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_GENERATE_IV",
- "signal": "TFM_CRYPTO_CIPHER_GENERATE_IV",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_SET_IV",
- "signal": "TFM_CRYPTO_CIPHER_SET_IV",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_ENCRYPT_SETUP",
- "signal": "TFM_CRYPTO_CIPHER_ENCRYPT_SETUP",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_DECRYPT_SETUP",
- "signal": "TFM_CRYPTO_CIPHER_DECRYPT_SETUP",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_UPDATE",
- "signal": "TFM_CRYPTO_CIPHER_UPDATE",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_ABORT",
- "signal": "TFM_CRYPTO_CIPHER_ABORT",
- "non_secure_clients": true,
- "version": 1,
- "version_policy": "STRICT"
- },
- {
- "name": "TFM_CRYPTO_CIPHER_FINISH",
- "signal": "TFM_CRYPTO_CIPHER_FINISH",
+ "name": "TFM_CRYPTO_HASH_COMPARE",
+ "signal": "TFM_CRYPTO_HASH_COMPARE",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
@@ -189,6 +133,20 @@
"version_policy": "STRICT"
},
{
+ "name": "TFM_CRYPTO_MAC_COMPUTE",
+ "signal": "TFM_CRYPTO_MAC_COMPUTE",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_MAC_VERIFY",
+ "signal": "TFM_CRYPTO_MAC_VERIFY",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
"name": "TFM_CRYPTO_MAC_SIGN_SETUP",
"signal": "TFM_CRYPTO_MAC_SIGN_SETUP",
"non_secure_clients": true,
@@ -231,6 +189,69 @@
"version_policy": "STRICT"
},
{
+ "name": "TFM_CRYPTO_CIPHER_ENCRYPT",
+ "signal": "TFM_CRYPTO_CIPHER_ENCRYPT",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_DECRYPT",
+ "signal": "TFM_CRYPTO_CIPHER_DECRYPT",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_ENCRYPT_SETUP",
+ "signal": "TFM_CRYPTO_CIPHER_ENCRYPT_SETUP",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_DECRYPT_SETUP",
+ "signal": "TFM_CRYPTO_CIPHER_DECRYPT_SETUP",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_GENERATE_IV",
+ "signal": "TFM_CRYPTO_CIPHER_GENERATE_IV",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_SET_IV",
+ "signal": "TFM_CRYPTO_CIPHER_SET_IV",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_UPDATE",
+ "signal": "TFM_CRYPTO_CIPHER_UPDATE",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_FINISH",
+ "signal": "TFM_CRYPTO_CIPHER_FINISH",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_CIPHER_ABORT",
+ "signal": "TFM_CRYPTO_CIPHER_ABORT",
+ "non_secure_clients": true,
+ "version": 1,
+ "version_policy": "STRICT"
+ },
+ {
"name": "TFM_CRYPTO_AEAD_ENCRYPT",
"signal": "TFM_CRYPTO_AEAD_ENCRYPT",
"non_secure_clients": true,
@@ -245,15 +266,85 @@
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_ASYMMETRIC_SIGN",
- "signal": "TFM_CRYPTO_ASYMMETRIC_SIGN",
+ "name": "TFM_CRYPTO_AEAD_ENCRYPT_SETUP",
+ "signal": "TFM_CRYPTO_AEAD_ENCRYPT_SETUP",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_DECRYPT_SETUP",
+ "signal": "TFM_CRYPTO_AEAD_DECRYPT_SETUP",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_GENERATE_NONCE",
+ "signal": "TFM_CRYPTO_AEAD_GENERATE_NONCE",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_SET_NONCE",
+ "signal": "TFM_CRYPTO_AEAD_SET_NONCE",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_SET_LENGTHS",
+ "signal": "TFM_CRYPTO_AEAD_SET_LENGTHS",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_UPDATE_AD",
+ "signal": "TFM_CRYPTO_AEAD_UPDATE_AD",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_UPDATE",
+ "signal": "TFM_CRYPTO_AEAD_UPDATE",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_FINISH",
+ "signal": "TFM_CRYPTO_AEAD_FINISH",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_VERIFY",
+ "signal": "TFM_CRYPTO_AEAD_VERIFY",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_AEAD_ABORT",
+ "signal": "TFM_CRYPTO_AEAD_ABORT",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_SIGN_HASH",
+ "signal": "TFM_CRYPTO_SIGN_HASH",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_ASYMMETRIC_VERIFY",
- "signal": "TFM_CRYPTO_ASYMMETRIC_VERIFY",
+ "name": "TFM_CRYPTO_VERIFY_HASH",
+ "signal": "TFM_CRYPTO_VERIFY_HASH",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
@@ -273,43 +364,71 @@
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_GET_GENERATOR_CAPACITY",
- "signal": "TFM_CRYPTO_GET_GENERATOR_CAPACITY",
+ "name": "TFM_CRYPTO_KEY_DERIVATION_SETUP",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_SETUP",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "STRICT"
+ },
+ {
+ "name": "TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_GENERATOR_READ",
- "signal": "TFM_CRYPTO_GENERATOR_READ",
+ "name": "TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_GENERATOR_IMPORT_KEY",
- "signal": "TFM_CRYPTO_GENERATOR_IMPORT_KEY",
+ "name": "TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_GENERATOR_ABORT",
- "signal": "TFM_CRYPTO_GENERATOR_ABORT",
+ "name": "TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_KEY_DERIVATION",
- "signal": "TFM_CRYPTO_KEY_DERIVATION",
+ "name": "TFM_CRYPTO_KEY_DERIVATION_ABORT",
+ "signal": "TFM_CRYPTO_KEY_DERIVATION_ABORT",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
},
{
- "name": "TFM_CRYPTO_KEY_AGREEMENT",
- "signal": "TFM_CRYPTO_KEY_AGREEMENT",
+ "name": "TFM_CRYPTO_RAW_KEY_AGREEMENT",
+ "signal": "TFM_CRYPTO_RAW_KEY_AGREEMENT",
"non_secure_clients": true,
"version": 1,
"version_policy": "STRICT"
diff --git a/secure_fw/services/crypto/tfm_crypto_api.h b/secure_fw/services/crypto/tfm_crypto_api.h
index 34400ad..811e04a 100644
--- a/secure_fw/services/crypto/tfm_crypto_api.h
+++ b/secure_fw/services/crypto/tfm_crypto_api.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -13,9 +13,7 @@
#endif
#include <stdint.h>
-#include "tfm_api.h"
#include "tfm_crypto_defs.h"
-#include "psa/crypto.h"
#ifdef TFM_PSA_API
#include "psa/service.h"
@@ -40,7 +38,7 @@
TFM_CRYPTO_CIPHER_OPERATION = 1,
TFM_CRYPTO_MAC_OPERATION = 2,
TFM_CRYPTO_HASH_OPERATION = 3,
- TFM_CRYPTO_GENERATOR_OPERATION = 4,
+ TFM_CRYPTO_KEY_DERIVATION_OPERATION = 4,
/* Used to force the enum size */
TFM_CRYPTO_OPERATION_TYPE_MAX = INT_MAX
@@ -83,6 +81,34 @@
*/
psa_status_t tfm_crypto_check_handle_owner(psa_key_handle_t handle,
uint32_t *index);
+
+/**
+ * \brief Checks that there is enough local storage in RAM to keep
+ * another key, and returns the index of the storage to use
+ * and the ID of the partition to associated to the key
+ *
+ * \param[out] partition_id ID of the requesting partition
+ * \param[out] index Index of the local storage to use
+ *
+ * \return Return values as described in \ref psa_status_t
+ */
+psa_status_t tfm_crypto_check_key_storage(int32_t *partition_id,
+ uint32_t *index);
+
+/**
+ * \brief Sets the index of the local storage in use with a key
+ * requested by a partition specified by the input parameter
+ * partition_id, and stores the corresponding key_handle
+ *
+ * \param[in] partition_id ID of the requesting partition
+ * \param[in] index Index of the local storage to use
+ * \param[in] key_handle Corresponding key handle to associate
+ *
+ * \return Return values as described in \ref psa_status_t
+ */
+psa_status_t tfm_crypto_set_key_storage(int32_t partition_id,
+ uint32_t index,
+ psa_key_handle_t key_handle);
/**
* \brief Allocate an operation context in the backend
*
@@ -118,51 +144,70 @@
void **ctx);
#define LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API \
- X(tfm_crypto_allocate_key) \
+ X(tfm_crypto_get_key_attributes) \
+ X(tfm_crypto_reset_key_attributes) \
X(tfm_crypto_open_key) \
X(tfm_crypto_close_key) \
X(tfm_crypto_import_key) \
X(tfm_crypto_destroy_key) \
- X(tfm_crypto_get_key_information) \
X(tfm_crypto_export_key) \
X(tfm_crypto_export_public_key) \
X(tfm_crypto_copy_key) \
- X(tfm_crypto_set_key_policy) \
- X(tfm_crypto_get_key_policy) \
- X(tfm_crypto_get_key_lifetime) \
- X(tfm_crypto_cipher_generate_iv) \
- X(tfm_crypto_cipher_set_iv) \
- X(tfm_crypto_cipher_encrypt_setup) \
- X(tfm_crypto_cipher_decrypt_setup) \
- X(tfm_crypto_cipher_update) \
- X(tfm_crypto_cipher_abort) \
- X(tfm_crypto_cipher_finish) \
+ X(tfm_crypto_hash_compute) \
+ X(tfm_crypto_hash_compare) \
X(tfm_crypto_hash_setup) \
X(tfm_crypto_hash_update) \
X(tfm_crypto_hash_finish) \
X(tfm_crypto_hash_verify) \
X(tfm_crypto_hash_abort) \
X(tfm_crypto_hash_clone) \
+ X(tfm_crypto_mac_compute) \
+ X(tfm_crypto_mac_verify) \
X(tfm_crypto_mac_sign_setup) \
X(tfm_crypto_mac_verify_setup) \
X(tfm_crypto_mac_update) \
X(tfm_crypto_mac_sign_finish) \
X(tfm_crypto_mac_verify_finish) \
X(tfm_crypto_mac_abort) \
+ X(tfm_crypto_cipher_encrypt) \
+ X(tfm_crypto_cipher_decrypt) \
+ X(tfm_crypto_cipher_encrypt_setup) \
+ X(tfm_crypto_cipher_decrypt_setup) \
+ X(tfm_crypto_cipher_generate_iv) \
+ X(tfm_crypto_cipher_set_iv) \
+ X(tfm_crypto_cipher_update) \
+ X(tfm_crypto_cipher_finish) \
+ X(tfm_crypto_cipher_abort) \
X(tfm_crypto_aead_encrypt) \
X(tfm_crypto_aead_decrypt) \
- X(tfm_crypto_asymmetric_sign) \
- X(tfm_crypto_asymmetric_verify) \
+ X(tfm_crypto_aead_encrypt_setup) \
+ X(tfm_crypto_aead_decrypt_setup) \
+ X(tfm_crypto_aead_generate_nonce) \
+ X(tfm_crypto_aead_set_nonce) \
+ X(tfm_crypto_aead_set_lengths) \
+ X(tfm_crypto_aead_update_ad) \
+ X(tfm_crypto_aead_update) \
+ X(tfm_crypto_aead_finish) \
+ X(tfm_crypto_aead_verify) \
+ X(tfm_crypto_aead_abort) \
+ X(tfm_crypto_sign_hash) \
+ X(tfm_crypto_verify_hash) \
X(tfm_crypto_asymmetric_encrypt) \
X(tfm_crypto_asymmetric_decrypt) \
- X(tfm_crypto_get_generator_capacity) \
- X(tfm_crypto_generator_read) \
- X(tfm_crypto_generator_import_key) \
- X(tfm_crypto_generator_abort) \
- X(tfm_crypto_key_derivation) \
- X(tfm_crypto_key_agreement) \
+ X(tfm_crypto_key_derivation_setup) \
+ X(tfm_crypto_key_derivation_get_capacity) \
+ X(tfm_crypto_key_derivation_set_capacity) \
+ X(tfm_crypto_key_derivation_input_bytes) \
+ X(tfm_crypto_key_derivation_input_key) \
+ X(tfm_crypto_key_derivation_key_agreement)\
+ X(tfm_crypto_key_derivation_output_bytes) \
+ X(tfm_crypto_key_derivation_output_key) \
+ X(tfm_crypto_key_derivation_abort) \
+ X(tfm_crypto_raw_key_agreement) \
X(tfm_crypto_generate_random) \
X(tfm_crypto_generate_key) \
+ X(tfm_crypto_set_key_domain_parameters) \
+ X(tfm_crypto_get_key_domain_parameters) \
#define X(api_name) UNIFORM_SIGNATURE_API(api_name);
LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API
diff --git a/secure_fw/services/crypto/tfm_crypto_secure_api.c b/secure_fw/services/crypto/tfm_crypto_secure_api.c
index bb5732c..c750701 100644
--- a/secure_fw/services/crypto/tfm_crypto_secure_api.c
+++ b/secure_fw/services/crypto/tfm_crypto_secure_api.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
+ * Copyright (c) 2019-2020, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -57,39 +57,8 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_allocate_key(psa_key_handle_t *handle)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- const struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_ALLOCATE_KEY_SID,
- };
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(psa_key_handle_t)},
- };
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- status = API_DISPATCH(tfm_crypto_allocate_key,
- TFM_CRYPTO_ALLOCATE_KEY);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return status;
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-__attribute__((section("SFN")))
-psa_status_t psa_open_key(psa_key_lifetime_t lifetime,
- psa_key_id_t id,
+psa_status_t psa_open_key(psa_key_id_t id,
psa_key_handle_t *handle)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
@@ -98,7 +67,6 @@
psa_status_t status;
const struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_OPEN_KEY_SID,
- .lifetime = lifetime,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -171,10 +139,10 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_import_key(psa_key_handle_t handle,
- psa_key_type_t type,
+psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
const uint8_t *data,
- size_t data_length)
+ size_t data_length,
+ psa_key_handle_t *handle)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -182,20 +150,22 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_IMPORT_KEY_SID,
- .key_handle = handle,
- .type = type,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = attributes, .len = sizeof(psa_key_attributes_t)},
{.base = data, .len = data_length}
};
+ psa_outvec out_vec[] = {
+ {.base = handle, .len = sizeof(psa_key_handle_t)}
+ };
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_import_key,
- TFM_CRYPTO_IMPORT_KEY);
+ status = API_DISPATCH(tfm_crypto_import_key,
+ TFM_CRYPTO_IMPORT_KEY);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -234,32 +204,30 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_get_key_information(psa_key_handle_t handle,
- psa_key_type_t *type,
- size_t *bits)
+psa_status_t psa_get_key_attributes(psa_key_handle_t handle,
+ psa_key_attributes_t *attributes)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_KEY_INFORMATION_SID,
+ .sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID,
.key_handle = handle,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
};
psa_outvec out_vec[] = {
- {.base = type, .len = sizeof(psa_key_type_t)},
- {.base = bits, .len = sizeof(size_t)}
+ {.base = attributes, .len = sizeof(psa_key_attributes_t)},
};
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH(tfm_crypto_get_key_information,
- TFM_CRYPTO_GET_KEY_INFORMATION);
+ status = API_DISPATCH(tfm_crypto_get_key_attributes,
+ TFM_CRYPTO_GET_KEY_ATTRIBUTES);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -268,6 +236,39 @@
#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
}
+void psa_reset_key_attributes(psa_key_attributes_t *attributes)
+{
+#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID,
+ };
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = attributes, .len = sizeof(psa_key_attributes_t)},
+ };
+
+#ifdef TFM_PSA_API
+ psa_handle_t ipc_handle;
+ ipc_handle = psa_connect(TFM_CRYPTO_SID, TFM_CRYPTO_VERSION);
+ if (!PSA_HANDLE_IS_VALID(ipc_handle)) {
+ return;
+ }
+#endif
+
+ (void)API_DISPATCH(tfm_crypto_reset_key_attributes,
+ TFM_CRYPTO_RESET_KEY_ATTRIBUTES);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return;
+#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
+}
+
__attribute__((section("SFN")))
psa_status_t psa_export_key(psa_key_handle_t handle,
uint8_t *data,
@@ -347,8 +348,8 @@
__attribute__((section("SFN")))
psa_status_t psa_copy_key(psa_key_handle_t source_handle,
- psa_key_handle_t target_handle,
- const psa_key_policy_t *constraint)
+ const psa_key_attributes_t *attributes,
+ psa_key_handle_t *target_handle)
{
#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -361,137 +362,19 @@
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = &target_handle, .len = sizeof(psa_key_handle_t)},
- {.base = constraint, .len = sizeof(psa_key_policy_t)},
+ {.base = attributes, .len = sizeof(psa_key_attributes_t)},
};
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_copy_key,
- TFM_CRYPTO_COPY_KEY);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return status;
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-__attribute__((section("SFN")))
-void psa_key_policy_set_usage(psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg)
-{
- policy->usage = usage;
- policy->alg = alg;
-}
-
-__attribute__((section("SFN")))
-psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy)
-{
- return policy->usage;
-}
-
-__attribute__((section("SFN")))
-psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy)
-{
- return policy->alg;
-}
-
-__attribute__((section("SFN")))
-psa_status_t psa_set_key_policy(psa_key_handle_t handle,
- const psa_key_policy_t *policy)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_SET_KEY_POLICY_SID,
- .key_handle = handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = policy, .len = sizeof(psa_key_policy_t)},
- };
-
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_set_key_policy,
- TFM_CRYPTO_SET_KEY_POLICY);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return status;
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-__attribute__((section("SFN")))
-psa_status_t psa_get_key_policy(psa_key_handle_t handle,
- psa_key_policy_t *policy)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_KEY_POLICY_SID,
- .key_handle = handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
psa_outvec out_vec[] = {
- {.base = policy, .len = sizeof(psa_key_policy_t)},
+ {.base = target_handle, .len = sizeof(psa_key_handle_t)},
};
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH(tfm_crypto_get_key_policy,
- TFM_CRYPTO_GET_KEY_POLICY);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return status;
-#endif /* TFM_CRYPTO_KEY_MODULE_DISABLED */
-}
-
-__attribute__((section("SFN")))
-psa_status_t psa_get_key_lifetime(psa_key_handle_t handle,
- psa_key_lifetime_t *lifetime)
-{
-#ifdef TFM_CRYPTO_KEY_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_KEY_LIFETIME_SID,
- .key_handle = handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = lifetime, .len = sizeof(psa_key_lifetime_t)},
- };
-
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- status = API_DISPATCH(tfm_crypto_get_key_lifetime,
- TFM_CRYPTO_GET_KEY_LIFETIME);
+ status = API_DISPATCH(tfm_crypto_copy_key,
+ TFM_CRYPTO_COPY_KEY);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -968,6 +851,10 @@
{.base = target_operation, .len = sizeof(psa_hash_operation_t)},
};
+ if (target_operation && (target_operation->handle != 0)) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
@@ -1361,12 +1248,24 @@
size_t signature_size,
size_t *signature_length)
{
+ return psa_sign_hash(handle, alg, hash, hash_length, signature, signature_size, signature_length);
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_sign_hash(psa_key_handle_t handle,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ uint8_t *signature,
+ size_t signature_size,
+ size_t *signature_length)
+{
#ifdef TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_ASYMMETRIC_SIGN_SID,
+ .sfn_id = TFM_CRYPTO_SIGN_HASH_SID,
.key_handle = handle,
.alg = alg,
};
@@ -1382,9 +1281,8 @@
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
-
- status = API_DISPATCH(tfm_crypto_asymmetric_sign,
- TFM_CRYPTO_ASYMMETRIC_SIGN);
+ status = API_DISPATCH(tfm_crypto_sign_hash,
+ TFM_CRYPTO_SIGN_HASH);
*signature_length = out_vec[0].len;
@@ -1404,12 +1302,23 @@
const uint8_t *signature,
size_t signature_length)
{
+ return psa_verify_hash(handle, alg, hash, hash_length, signature, signature_length);
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_verify_hash(psa_key_handle_t handle,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+ size_t signature_length)
+{
#ifdef TFM_CRYPTO_ASYMMETRIC_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_ASYMMETRIC_VERIFY_SID,
+ .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID,
.key_handle = handle,
.alg = alg
};
@@ -1424,8 +1333,8 @@
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_asymmetric_verify,
- TFM_CRYPTO_ASYMMETRIC_VERIFY);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_verify_hash,
+ TFM_CRYPTO_VERIFY_HASH);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -1559,16 +1468,17 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_get_generator_capacity(const psa_crypto_generator_t *generator,
- size_t *capacity)
+psa_status_t psa_key_derivation_get_capacity(
+ const psa_key_derivation_operation_t *operation,
+ size_t *capacity)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_GENERATOR_CAPACITY_SID,
- .op_handle = generator->handle,
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -1583,8 +1493,8 @@
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH(tfm_crypto_get_generator_capacity,
- TFM_CRYPTO_GET_GENERATOR_CAPACITY);
+ status = API_DISPATCH(tfm_crypto_key_derivation_get_capacity,
+ TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -1594,17 +1504,18 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_generator_read(psa_crypto_generator_t *generator,
- uint8_t *output,
- size_t output_length)
+psa_status_t psa_key_derivation_output_bytes(
+ psa_key_derivation_operation_t *operation,
+ uint8_t *output,
+ size_t output_length)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GENERATOR_READ_SID,
- .op_handle = generator->handle,
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -1619,8 +1530,8 @@
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH(tfm_crypto_generator_read,
- TFM_CRYPTO_GENERATOR_READ);
+ status = API_DISPATCH(tfm_crypto_key_derivation_output_bytes,
+ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -1630,33 +1541,32 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_generator_import_key(psa_key_handle_t handle,
- psa_key_type_t type,
- size_t bits,
- psa_crypto_generator_t *generator)
+psa_status_t psa_key_derivation_input_key(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_handle_t handle)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GENERATOR_IMPORT_KEY_SID,
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID,
.key_handle = handle,
- .type = type,
- .op_handle = generator->handle,
+ .step = step,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = &bits, .len = sizeof(size_t)},
};
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_generator_import_key,
- TFM_CRYPTO_GENERATOR_IMPORT_KEY);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_key_derivation_input_key,
+ TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -1666,15 +1576,15 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_generator_abort(psa_crypto_generator_t *generator)
+psa_status_t psa_key_derivation_abort(psa_key_derivation_operation_t *operation)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GENERATOR_ABORT_SID,
- .op_handle = generator->handle,
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -1682,15 +1592,15 @@
};
psa_outvec out_vec[] = {
- {.base = &(generator->handle), .len = sizeof(uint32_t)},
+ {.base = &(operation->handle), .len = sizeof(uint32_t)},
};
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH(tfm_crypto_generator_abort,
- TFM_CRYPTO_GENERATOR_ABORT);
+ status = API_DISPATCH(tfm_crypto_key_derivation_abort,
+ TFM_CRYPTO_KEY_DERIVATION_ABORT);
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -1700,89 +1610,22 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_key_derivation(psa_crypto_generator_t *generator,
- psa_key_handle_t handle,
- psa_algorithm_t alg,
- const uint8_t *salt,
- size_t salt_length,
- const uint8_t *label,
- size_t label_length,
- size_t capacity)
+psa_status_t psa_key_derivation_key_agreement(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ psa_key_handle_t private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
#else
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SID,
- .key_handle = handle,
- .alg = alg,
- .op_handle = generator->handle,
- .capacity = capacity,
- };
-
- /* Sanitize the optional input */
- if ((salt == NULL) && (salt_length != 0)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if ((label == NULL) && (label_length != 0)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = salt, .len = salt_length},
- {.base = label, .len = label_length},
- };
-
- psa_outvec out_vec[] = {
- {.base = &(generator->handle), .len = sizeof(uint32_t)},
- };
-
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
-#ifdef TFM_PSA_API
- size_t in_len = ARRAY_SIZE(in_vec);
- if (label == NULL) {
- in_len--;
- if (salt == NULL) {
- in_len--;
- }
- }
- status = psa_call(ipc_handle, PSA_IPC_CALL, in_vec, in_len,
- out_vec, ARRAY_SIZE(out_vec));
-#else
- status = API_DISPATCH(tfm_crypto_key_derivation,
- TFM_CRYPTO_KEY_DERIVATION);
-#endif
-
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return status;
-#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
-}
-
-__attribute__((section("SFN")))
-psa_status_t psa_key_agreement(psa_crypto_generator_t *generator,
- psa_key_handle_t private_key,
- const uint8_t *peer_key,
- size_t peer_key_length,
- psa_algorithm_t alg)
-{
-#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
- return PSA_ERROR_NOT_SUPPORTED;
-#else
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_KEY_AGREEMENT_SID,
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID,
.key_handle = private_key,
- .alg = alg,
- .op_handle = generator->handle,
+ .step = step,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -1791,15 +1634,15 @@
};
psa_outvec out_vec[] = {
- {.base = &(generator->handle), .len = sizeof(uint32_t)},
+ {.base = &(operation->handle), .len = sizeof(uint32_t)},
};
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
- status = API_DISPATCH(tfm_crypto_key_agreement,
- TFM_CRYPTO_KEY_AGREEMENT);
+ status = API_DISPATCH(tfm_crypto_key_derivation_key_agreement,
+ TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT);
#ifdef TFM_PSA_API
PSA_CLOSE();
@@ -1849,11 +1692,8 @@
}
__attribute__((section("SFN")))
-psa_status_t psa_generate_key(psa_key_handle_t handle,
- psa_key_type_t type,
- size_t bits,
- const void *extra,
- size_t extra_size)
+psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
+ psa_key_handle_t *handle)
{
#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -1861,37 +1701,224 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GENERATE_KEY_SID,
- .key_handle = handle,
- .type = type,
};
- /* Sanitize the optional input */
- if ((extra == NULL) && (extra_size != 0)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = &bits, .len = sizeof(size_t)},
- {.base = extra, .len = extra_size},
+ {.base = attributes, .len = sizeof(psa_key_attributes_t)},
+ };
+
+ psa_outvec out_vec[] = {
+ {.base = handle, .len = sizeof(psa_key_handle_t)},
};
#ifdef TFM_PSA_API
PSA_CONNECT(TFM_CRYPTO);
#endif
+ status = API_DISPATCH(tfm_crypto_generate_key,
+ TFM_CRYPTO_GENERATE_KEY);
#ifdef TFM_PSA_API
- size_t in_len = ARRAY_SIZE(in_vec);
- if (extra == NULL) {
- in_len--;
- }
-
- status = psa_call(ipc_handle, PSA_IPC_CALL, in_vec, in_len, NULL, 0);
-#else
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_generate_key,
- TFM_CRYPTO_GENERATE_KEY);
+ PSA_CLOSE();
#endif
+ return status;
+#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
+ psa_key_type_t type,
+ const uint8_t *data,
+ size_t data_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_get_key_domain_parameters(
+ const psa_key_attributes_t *attributes,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_hash_compare(psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *hash,
+ const size_t hash_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_update_ad(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
+ uint8_t *ciphertext,
+ size_t ciphertext_size,
+ size_t *ciphertext_length,
+ uint8_t *tag,
+ size_t tag_size,
+ size_t *tag_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_verify(psa_aead_operation_t *operation,
+ uint8_t *plaintext,
+ size_t plaintext_size,
+ size_t *plaintext_length,
+ const uint8_t *tag,
+ size_t tag_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_mac_compute(psa_key_handle_t handle,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_mac_verify(psa_key_handle_t handle,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t *mac,
+ const size_t mac_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_cipher_encrypt(psa_key_handle_t handle,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_cipher_decrypt(psa_key_handle_t handle,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
+ psa_key_handle_t private_key,
+ const uint8_t *peer_key,
+ size_t peer_key_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID,
+ .alg = alg,
+ .key_handle = private_key
+ };
+
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = peer_key, .len = peer_key_length},
+ };
+
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size},
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+ status = API_DISPATCH(tfm_crypto_raw_key_agreement,
+ TFM_CRYPTO_RAW_KEY_AGREEMENT);
+
+ *output_length = out_vec[0].len;
+
#ifdef TFM_PSA_API
PSA_CLOSE();
#endif
@@ -1899,3 +1926,236 @@
return status;
#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
}
+
+__attribute__((section("SFN")))
+psa_status_t psa_key_derivation_setup(psa_key_derivation_operation_t *operation,
+ psa_algorithm_t alg)
+{
+#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID,
+ .alg = alg,
+ .op_handle = operation->handle,
+ };
+
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = &(operation->handle), .len = sizeof(uint32_t)},
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+
+ status = API_DISPATCH(tfm_crypto_key_derivation_setup,
+ TFM_CRYPTO_KEY_DERIVATION_SETUP);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return status;
+#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_key_derivation_set_capacity(
+ psa_key_derivation_operation_t *operation,
+ size_t capacity)
+{
+#ifdef TFM_CRYPTO_GENERATOR_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID,
+ .capacity = capacity,
+ .op_handle = operation->handle,
+ };
+
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_key_derivation_set_capacity,
+ TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return status;
+#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_key_derivation_input_bytes(
+ psa_key_derivation_operation_t *operation,
+ psa_key_derivation_step_t step,
+ const uint8_t *data,
+ size_t data_length)
+{
+#if (TFM_CRYPTO_GENERATOR_MODULE_DISABLED != 0)
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID,
+ .step = step,
+ .op_handle = operation->handle,
+ };
+
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = data, .len = data_length},
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_key_derivation_input_bytes,
+ TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return status;
+#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_key_derivation_output_key(
+ const psa_key_attributes_t *attributes,
+ psa_key_derivation_operation_t *operation,
+ psa_key_handle_t *handle)
+{
+#if (TFM_CRYPTO_GENERATOR_MODULE_DISABLED != 0)
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID,
+ .op_handle = operation->handle,
+ };
+
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = attributes, .len = sizeof(psa_key_attributes_t)},
+ };
+
+ psa_outvec out_vec[] = {
+ {.base = handle, .len = sizeof(psa_key_handle_t)}
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+
+ status = API_DISPATCH(tfm_crypto_key_derivation_output_key,
+ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return status;
+#endif /* TFM_CRYPTO_GENERATOR_MODULE_DISABLED */
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_hash_compute(psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
+ psa_key_handle_t handle,
+ psa_algorithm_t alg)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_decrypt_setup(psa_aead_operation_t *operation,
+ psa_key_handle_t handle,
+ psa_algorithm_t alg)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_generate_nonce(psa_aead_operation_t *operation,
+ uint8_t *nonce,
+ size_t nonce_size,
+ size_t *nonce_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_set_nonce(psa_aead_operation_t *operation,
+ const uint8_t *nonce,
+ size_t nonce_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_set_lengths(psa_aead_operation_t *operation,
+ size_t ad_length,
+ size_t plaintext_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_aead_update(psa_aead_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length,
+ uint8_t *output,
+ size_t output_size,
+ size_t *output_length)
+{
+ psa_status_t status;
+
+ status = PSA_ERROR_NOT_SUPPORTED;
+
+ return status;
+}
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index 75e5d92..7e6f1c4 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -58,21 +58,14 @@
psa_ecc_curve_t psa_curve;
struct ecc_key_t attest_key = {0};
uint8_t key_buf[3 * ECC_P256_COORD_SIZE]; /* priv + x_coord + y_coord */
- psa_key_type_t attest_key_type;
- psa_key_handle_t key_handle;
+ psa_key_handle_t key_handle = ATTEST_KEY_HANDLE_NOT_LOADED;
psa_status_t crypto_res;
- psa_key_policy_t policy = psa_key_policy_init();
+ psa_key_attributes_t key_attributes = psa_key_attributes_init();
if (attestation_key_handle != ATTEST_KEY_HANDLE_NOT_LOADED) {
return PSA_ATTEST_ERR_GENERAL;
}
- /* Allocate a transient key for the private key in the Crypto service */
- crypto_res = psa_allocate_key(&key_handle);
- if (crypto_res != PSA_SUCCESS) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
/* Get the initial attestation key */
plat_res = tfm_plat_get_initial_attest_key(key_buf, sizeof(key_buf),
&attest_key, &psa_curve);
@@ -83,22 +76,16 @@
}
/* Setup the key policy for private key */
- psa_key_policy_set_usage(&policy,
- PSA_KEY_USAGE_SIGN,
- PSA_ALG_ECDSA(PSA_ALG_SHA_256));
- crypto_res = psa_set_key_policy(key_handle, &policy);
- if (crypto_res != PSA_SUCCESS) {
- return PSA_ATTEST_ERR_GENERAL;
- }
-
- /* Set key type for private key */
- attest_key_type = PSA_KEY_TYPE_ECC_KEYPAIR((psa_key_type_t)psa_curve);
+ psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_SIGN);
+ psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
+ psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(psa_curve));
/* Register private key to Crypto service */
- crypto_res = psa_import_key(key_handle,
- attest_key_type,
+ crypto_res = psa_import_key(&key_attributes,
attest_key.priv_key,
- attest_key.priv_key_size);
+ attest_key.priv_key_size,
+ &key_handle);
+
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;