Crypto: Migrate the service to use Mbed crypto library
This patch migrates the TF-M Crypto service to use the
Mbed crypto library version 1.0.0. The regression tests
for Crypto are temporarily disabled to avoid build
failures due to changes in the PSA Crypto API. Some
regression tests for Attestation are disabled as well
as they rely on service-to-service calls to Crypto and
need to use the newer API.
Change-Id: Ic49fd162e89881d7a9e94fa4cddd76fe9a53fa03
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
Co-authored-By: Antonio de Angelis <antonio.deangelis@arm.com>
diff --git a/secure_fw/ns_callable/tfm_crypto_veneers.c b/secure_fw/ns_callable/tfm_crypto_veneers.c
deleted file mode 100644
index 314603a..0000000
--- a/secure_fw/ns_callable/tfm_crypto_veneers.c
+++ /dev/null
@@ -1,308 +0,0 @@
-/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#include "tfm_crypto_veneers.h"
-#include "secure_fw/services/crypto/tfm_crypto_api.h"
-#include "tfm_secure_api.h"
-#include "tfm_api.h"
-#include "spm_api.h"
-
-#include "psa_crypto.h"
-
-#include "crypto_psa_wrappers.h"
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_import_key(psa_key_slot_t key,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_import_key,
- key, type, data, data_length);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_destroy_key(psa_key_slot_t key)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_destroy_key,
- key, 0, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_get_key_information(
- psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_get_key_information,
- key, type, bits, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_export_key(psa_key_slot_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_export_key,
- key, data, data_size, data_length);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_init(
- psa_key_policy_t *policy)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_key_policy_init,
- policy, 0, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_set_usage(
- psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_key_policy_set_usage,
- policy, usage, alg, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_get_usage(
- const psa_key_policy_t *policy,
- psa_key_usage_t *usage)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_key_policy_get_usage,
- policy, usage, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_get_algorithm(
- const psa_key_policy_t *policy,
- psa_algorithm_t *alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_key_policy_get_algorithm,
- policy, alg, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_set_key_policy(
- psa_key_slot_t key,
- const psa_key_policy_t *policy)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_set_key_policy,
- key, policy, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_get_key_policy(psa_key_slot_t key,
- psa_key_policy_t *policy)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_get_key_policy,
- key, policy, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_set_key_lifetime(
- psa_key_slot_t key,
- psa_key_lifetime_t lifetime)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_set_key_lifetime,
- key, lifetime, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_get_key_lifetime(
- psa_key_slot_t key,
- psa_key_lifetime_t *lifetime)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_get_key_lifetime,
- key, lifetime, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_set_iv(
- psa_cipher_operation_t *operation,
- const unsigned char *iv,
- size_t iv_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_cipher_set_iv,
- operation, iv, iv_length, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_encrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_cipher_encrypt_setup,
- operation, key, alg, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_decrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_cipher_decrypt_setup,
- operation, key, alg, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_update(
- psa_cipher_operation_t *operation,
- struct psa_cipher_update_input *input_s,
- struct psa_cipher_update_output *output_s)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_cipher_update_wrapper,
- operation, input_s, output_s, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_abort(
- psa_cipher_operation_t *operation)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_cipher_abort,
- operation, 0, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_finish(
- psa_cipher_operation_t *operation,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_cipher_finish,
- operation, output, output_size, output_length);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_setup(
- psa_hash_operation_t *operation,
- psa_algorithm_t alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_hash_setup,
- operation, alg, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_update(
- psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_hash_update,
- operation, input, input_length, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_finish(
- psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_hash_finish,
- operation, hash, hash_size, hash_length);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_verify(
- psa_hash_operation_t *operation,
- const uint8_t *hash,
- size_t hash_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_hash_verify,
- operation, hash, hash_length, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_abort(
- psa_hash_operation_t *operation)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_hash_abort,
- operation, 0, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_sign_setup(
- psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_mac_sign_setup,
- operation, key, alg, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_verify_setup(
- psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_mac_verify_setup,
- operation, key, alg, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_update(
- psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_mac_update,
- operation, input, input_length, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_sign_finish(
- psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_mac_sign_finish,
- operation, mac, mac_size, mac_length);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_verify_finish(
- psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_mac_verify_finish,
- operation, mac, mac_length, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_abort(
- psa_mac_operation_t *operation)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_mac_abort,
- operation, 0, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_aead_encrypt(
- struct psa_aead_encrypt_input *input_s,
- struct psa_aead_encrypt_output *output_s)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_aead_encrypt_wrapper,
- input_s, output_s, 0, 0);
-}
-
-__tfm_secure_gateway_attributes__
-enum tfm_crypto_err_t tfm_crypto_veneer_aead_decrypt(
- struct psa_aead_decrypt_input *input_s,
- struct psa_aead_decrypt_output *output_s)
-{
- TFM_CORE_SFN_REQUEST(TFM_SP_CRYPTO_ID, tfm_crypto_aead_decrypt_wrapper,
- input_s, output_s, 0, 0);
-}
diff --git a/secure_fw/ns_callable/tfm_veneers.c b/secure_fw/ns_callable/tfm_veneers.c
index 3024c6e..4621280 100644
--- a/secure_fw/ns_callable/tfm_veneers.c
+++ b/secure_fw/ns_callable/tfm_veneers.c
@@ -25,18 +25,14 @@
psa_status_t audit_core_delete_record(psa_invec *, size_t, psa_outvec *, size_t);
/******** TFM_SP_CRYPTO ********/
+psa_status_t tfm_crypto_allocate_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_import_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_destroy_key(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_get_key_information(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_export_key(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_key_policy_init(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_key_policy_set_usage(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_key_policy_get_usage(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_key_policy_get_algorithm(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_set_key_policy(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_get_key_policy(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_get_key_lifetime(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_set_key_lifetime(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_set_iv(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
@@ -121,18 +117,14 @@
TFM_VENEER_FUNCTION(TFM_SP_AUDIT_LOG, audit_core_delete_record)
/******** TFM_SP_CRYPTO ********/
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_allocate_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_import_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_destroy_key)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_information)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_export_key)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_policy_init)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_policy_set_usage)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_policy_get_usage)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_key_policy_get_algorithm)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_set_key_policy)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_policy)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_get_key_lifetime)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_set_key_lifetime)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_set_iv)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_encrypt_setup)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_decrypt_setup)
diff --git a/secure_fw/services/crypto/CMakeLists.inc b/secure_fw/services/crypto/CMakeLists.inc
index 6a65652..f5910a8 100644
--- a/secure_fw/services/crypto/CMakeLists.inc
+++ b/secure_fw/services/crypto/CMakeLists.inc
@@ -9,7 +9,7 @@
#This file assumes it will be included from a project specific cmakefile, and
#will not create a library or executable.
#Inputs:
-# MBEDTLS_INSTALL_DIR - directory where mbed TLS headers and libraries can be found. Needed only when using CRYPTO_ENGINE_MBEDTLS ON.
+# MBEDTLS_INSTALL_DIR - directory where Mbed Crypto headers and libraries can be found. Needed only when using CRYPTO_ENGINE_MBEDTLS ON.
# TFM_ROOT_DIR - root directory of the TF-M repository.
#Outputs:
# Will modify include directories to make the source compile.
@@ -47,7 +47,6 @@
"${CRYPTO_DIR}/crypto_hash.c"
"${CRYPTO_DIR}/crypto_mac.c"
"${CRYPTO_DIR}/crypto_key.c"
- "${CRYPTO_DIR}/crypto_engine.c"
"${CRYPTO_DIR}/crypto_aead.c"
"${CRYPTO_DIR}/tfm_crypto_secure_api.c"
)
@@ -65,22 +64,16 @@
#Inform the user about Crypto service features selected based on the Crypto service cmake flags
message("The Crypto service compile configuration is as follows:")
- message("- CRYPTO_ENGINE_MBEDTLS: " ${CRYPTO_ENGINE_MBEDTLS})
- if (NOT DEFINED CRYPTO_KEY_STORAGE_NUM)
- message("- CRYPTO_KEY_STORAGE_NUM using default value")
- else()
- message("- CRYPTO_KEY_STORAGE_NUM: " ${CRYPTO_KEY_STORAGE_NUM})
- endif()
- if (NOT DEFINED CRYPTO_KEY_MAX_KEY_LENGTH)
- message("- CRYPTO_KEY_MAX_KEY_LENGTH using default value")
- else()
- message("- CRYPTO_KEY_MAX_KEY_LENGTH: " ${CRYPTO_KEY_MAX_KEY_LENGTH})
- endif()
if (NOT DEFINED CRYPTO_ENGINE_BUF_SIZE)
message("- CRYPTO_ENGINE_BUF_SIZE using default value")
else()
message("- CRYPTO_ENGINE_BUF_SIZE: " ${CRYPTO_ENGINE_BUF_SIZE})
endif()
+ if (NOT DEFINED CRYPTO_CONC_OPER_NUM)
+ message("- CRYPTO_CONC_OPER_NUM using default value")
+ else()
+ message("- CRYPTO_CONC_OPER_NUM: " ${CRYPTO_CONC_OPER_NUM})
+ endif()
if (TFM_PSA_API)
if (NOT DEFINED CRYPTO_IOVEC_BUFFER_SIZE)
message("- CRYPTO_IOVEC_BUFFER_SIZE using default value")
diff --git a/secure_fw/services/crypto/CMakeLists.txt b/secure_fw/services/crypto/CMakeLists.txt
index 0cce934..e288461 100644
--- a/secure_fw/services/crypto/CMakeLists.txt
+++ b/secure_fw/services/crypto/CMakeLists.txt
@@ -24,16 +24,15 @@
#Get the definition of what files we need to build
set (ENABLE_CRYPTO ON)
-if (NOT DEFINED CRYPTO_ENGINE_MBEDTLS)
- set (CRYPTO_ENGINE_MBEDTLS ON)
-endif()
+#The backend of the service is based on Mbed Crypto
+set (CRYPTO_ENGINE_MBEDTLS ON)
if (CRYPTO_ENGINE_MBEDTLS)
- #Define location of mbed TLS source, build, and installation directory.
- get_filename_component(MBEDTLS_SOURCE_DIR "${TFM_ROOT_DIR}/../mbedtls" ABSOLUTE)
- set (MBEDTLS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/mbedtls")
- set (MBEDTLS_INSTALL_DIR ${MBEDTLS_BINARY_DIR}/mbedtls_install)
- set (MBEDTLS_TARGET_NAME "mbedtls_crypto_lib")
+ #Define location of Mbed Crypto source, build, and installation directory.
+ get_filename_component(MBEDTLS_SOURCE_DIR "${TFM_ROOT_DIR}/../mbed-crypto" ABSOLUTE)
+ set (MBEDTLS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/mbedcrypto")
+ set (MBEDTLS_INSTALL_DIR ${MBEDTLS_BINARY_DIR}/mbedcrypto_install)
+ set (MBEDTLS_TARGET_NAME "mbedcrypto_lib")
endif()
include(CMakeLists.inc)
@@ -49,44 +48,39 @@
list(APPEND TFM_CRYPTO_C_DEFINES_LIST __ARM_FEATURE_CMSE=3 __thumb2__ TFM_LVL=${TFM_LVL})
if (CRYPTO_ENGINE_MBEDTLS)
- list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_ENGINE_MBEDTLS MBEDTLS_CONFIG_FILE="platform/ext/common/tfm_mbedtls_config.h")
+ list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_ENGINE_MBEDTLS MBEDTLS_CONFIG_FILE="platform/ext/common/tfm_mbedcrypto_config.h")
endif()
-#Add module configuration parameters in case they are provided during cmake configuration step
-if (DEFINED CRYPTO_KEY_STORAGE_NUM)
- list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_KEY_STORAGE_NUM=${CRYPTO_KEY_STORAGE_NUM})
-endif()
-if (DEFINED CRYPTO_KEY_MAX_KEY_LENGTH)
- list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_KEY_MAX_KEY_LENGTH=${CRYPTO_KEY_MAX_KEY_LENGTH})
-endif()
+#Add module configuration parameters in case they are provided during CMake configuration step
if (DEFINED CRYPTO_ENGINE_BUF_SIZE)
list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_ENGINE_BUF_SIZE=${CRYPTO_ENGINE_BUF_SIZE})
endif()
+if (DEFINED CRYPTO_CONC_OPER_NUM)
+ list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_CONC_OPER_NUM=${CRYPTO_CONC_OPER_NUM})
+endif()
if (TFM_PSA_API AND DEFINED CRYPTO_IOVEC_BUFFER_SIZE)
list(APPEND TFM_CRYPTO_C_DEFINES_LIST TFM_CRYPTO_IOVEC_BUFFER_SIZE=${CRYPTO_IOVEC_BUFFER_SIZE})
endif()
if (CRYPTO_ENGINE_MBEDTLS)
- #Set mbed TLS compiler flags
+ #Set Mbed Crypto compiler flags
set(MBEDTLS_C_FLAGS ${MBEDTLS_C_FLAGS_SERVICES})
+ string(APPEND MBEDTLS_C_FLAGS " -DMBEDTLS_CONFIG_FILE=\\\\\\\"tfm_mbedcrypto_config.h\\\\\\\""
+ " -I${CMAKE_CURRENT_LIST_DIR}")
- #Set preinclude header options for mbed TLS
- set(MBEDTLS_PREINCLUDE_PREFIX __tfm_crypto__)
- set(MBEDTLS_PREINCLUDE_HEADER ${CRYPTO_DIR}/mbedtls_global_symbols.h)
-
- #Build mbed TLS as external project.
- #This ensures mbed TLS is built with exactly defined settings.
- #mbed TLS will be used from its install location
- include(${TFM_ROOT_DIR}/BuildMbedtls.cmake)
+ #Build Mbed Crypto as external project.
+ #This ensures Mbed Crypto is built with exactly defined settings.
+ #Mbed Crypto will be used from its install location
+ include(${TFM_ROOT_DIR}/BuildMbedCrypto.cmake)
endif()
#Specify what we build (for the crypto service, build as a static library)
add_library(tfm_crypto STATIC ${ALL_SRC_ASM} ${ALL_SRC_C})
embedded_set_target_compile_defines(TARGET tfm_crypto LANGUAGE C DEFINES ${TFM_CRYPTO_C_DEFINES_LIST})
if (CRYPTO_ENGINE_MBEDTLS)
- #Add a dependency on the mbed_tls_lib_install target.
+ #Add a dependency on the Mbed Crypto install target.
add_dependencies(tfm_crypto ${MBEDTLS_TARGET_NAME}_install)
- #Ask the compiler to merge the mbed TLS and the crypto libraries.
+ #Ask the compiler to merge the Mbed Crypto and crypto service libraries.
compiler_merge_library(DEST tfm_crypto LIBS "${MBEDTLS_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX_C}mbedcrypto${CMAKE_STATIC_LIBRARY_SUFFIX_C}")
endif()
diff --git a/secure_fw/services/crypto/crypto_aead.c b/secure_fw/services/crypto/crypto_aead.c
index 4926b28..50220fe 100644
--- a/secure_fw/services/crypto/crypto_aead.c
+++ b/secure_fw/services/crypto/crypto_aead.c
@@ -5,51 +5,18 @@
*
*/
-#include <limits.h>
-
-#include "tfm_crypto_api.h"
-#include "crypto_engine.h"
-#include "tfm_crypto_struct.h"
+#include <stddef.h>
+#include <stdint.h>
/* FixMe: Use PSA_CONNECTION_REFUSED when performing parameter
* integrity checks but this will have to be revised
* when the full set of error codes mandated by PSA FF
* is available.
*/
+#include "tfm_mbedcrypto_include.h"
-/**
- * \def CRYPTO_AEAD_MAX_KEY_LENGTH
- *
- * \brief Specifies the maximum key length supported by the
- * AEAD operations in this implementation
- */
-#ifndef CRYPTO_AEAD_MAX_KEY_LENGTH
-#define CRYPTO_AEAD_MAX_KEY_LENGTH (32)
-#endif
-
-static psa_status_t _psa_get_key_information(psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_KEY_INFORMATION_SFID,
- .key = key,
- };
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = type, .len = sizeof(psa_key_type_t)},
- {.base = bits, .len = sizeof(size_t)}
- };
-
- status = tfm_crypto_get_key_information(
- in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
-
- return status;
-}
+#include "tfm_crypto_api.h"
+#include "tfm_crypto_defs.h"
/*!
* \defgroup public_psa Public functions, PSA
@@ -63,9 +30,6 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- uint8_t key_data[CRYPTO_AEAD_MAX_KEY_LENGTH];
- uint32_t key_size;
- psa_key_type_t key_type;
if ( !((in_len == 2) || (in_len == 3)) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -76,7 +40,7 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
const struct tfm_crypto_aead_pack_input *aead_pack_input = &iov->aead_in;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key_handle = iov->key_handle;
psa_algorithm_t alg = iov->alg;
const uint8_t *nonce = aead_pack_input->nonce;
size_t nonce_length = aead_pack_input->nonce_length;
@@ -96,67 +60,10 @@
/* Initialise ciphertext_length to zero */
out_vec[0].len = 0;
- if (PSA_ALG_IS_AEAD(alg) == 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if (PSA_AEAD_TAG_SIZE(alg) == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (PSA_AEAD_ENCRYPT_OUTPUT_SIZE(alg, plaintext_length) > ciphertext_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- if ((nonce_length == 0) ||
- ((additional_data_length == 0) && (additional_data != NULL))) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Access the key data */
- status = _psa_get_key_information(key, &key_type, (size_t *)&key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Support only AES based AEAD */
- if (key_type != PSA_KEY_TYPE_AES) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Access the crypto service key module to retrieve key data */
- status = tfm_crypto_get_key(key,
- PSA_KEY_USAGE_ENCRYPT,
- alg,
- key_data,
- CRYPTO_AEAD_MAX_KEY_LENGTH,
- (size_t *)&key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Request AEAD encryption on the crypto engine */
- status = tfm_crypto_engine_aead_encrypt(key_type,
- alg,
- key_data,
- key_size,
- nonce,
- nonce_length,
- additional_data,
- additional_data_length,
- plaintext,
- plaintext_length,
- ciphertext,
- ciphertext_size,
- (uint32_t *)&(out_vec[0].len));
- if (status == PSA_SUCCESS) {
- /* The ciphertext_length needs to take into account the tag length */
- out_vec[0].len += PSA_AEAD_TAG_SIZE(alg);
- } else {
- /* In case of failure set the ciphertext_length to zero */
- out_vec[0].len = 0;
- }
-
+ status = psa_aead_encrypt(key_handle, alg, nonce, nonce_length,
+ additional_data, additional_data_length,
+ plaintext, plaintext_length,
+ ciphertext, ciphertext_size, &out_vec[0].len);
return status;
}
@@ -166,9 +73,6 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- uint8_t key_data[CRYPTO_AEAD_MAX_KEY_LENGTH];
- uint32_t key_size;
- psa_key_type_t key_type;
if ( !((in_len == 2) || (in_len == 3)) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -179,7 +83,7 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
const struct tfm_crypto_aead_pack_input *aead_pack_input = &iov->aead_in;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key_handle = iov->key_handle;
psa_algorithm_t alg = iov->alg;
const uint8_t *nonce = aead_pack_input->nonce;
size_t nonce_length = aead_pack_input->nonce_length;
@@ -199,64 +103,10 @@
/* Initialise plaintext_length to zero */
out_vec[0].len = 0;
- if (PSA_ALG_IS_AEAD(alg) == 0) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- if ((PSA_AEAD_TAG_SIZE(alg) == 0) ||
- (ciphertext_length < PSA_AEAD_TAG_SIZE(alg))) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (PSA_AEAD_DECRYPT_OUTPUT_SIZE(alg,ciphertext_length) > plaintext_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- if ((nonce_length == 0) ||
- ((additional_data_length == 0) && (additional_data != NULL))) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Access the key data */
- status = _psa_get_key_information(key, &key_type, (size_t *)&key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Support only AES based AEAD */
- if (key_type != PSA_KEY_TYPE_AES) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Access the crypto service key module to retrieve key data */
- status = tfm_crypto_get_key(key,
- PSA_KEY_USAGE_DECRYPT,
- alg,
- key_data,
- CRYPTO_AEAD_MAX_KEY_LENGTH,
- (size_t *)&key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Request AEAD decryption on the crypto engine */
- status = tfm_crypto_engine_aead_decrypt(key_type,
- alg,
- key_data,
- key_size,
- nonce,
- nonce_length,
- additional_data,
- additional_data_length,
- ciphertext,
- ciphertext_length,
- plaintext,
- plaintext_size,
- (uint32_t *)&(out_vec[0].len));
- if (status != PSA_SUCCESS) {
- out_vec[0].len = 0;
- }
-
+ status = psa_aead_decrypt(key_handle, alg, nonce, nonce_length,
+ additional_data, additional_data_length,
+ ciphertext, ciphertext_length,
+ plaintext, plaintext_size, &out_vec[0].len);
return status;
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_alloc.c b/secure_fw/services/crypto/crypto_alloc.c
index 9726fa0..ef0da17 100644
--- a/secure_fw/services/crypto/crypto_alloc.c
+++ b/secure_fw/services/crypto/crypto_alloc.c
@@ -5,31 +5,33 @@
*
*/
-#include <limits.h>
+#include <stddef.h>
+#include <stdint.h>
-#include "tfm_crypto_defs.h"
+#include "tfm_mbedcrypto_include.h"
-#include "psa_crypto.h"
#include "tfm_crypto_api.h"
-
-#include "tfm_crypto_struct.h"
+#include "tfm_crypto_defs.h"
#include "secure_fw/core/tfm_memory_utils.h"
/**
* \def TFM_CRYPTO_CONC_OPER_NUM
*
- * \brief This value defines the maximum number of simultaneous operations
- * supported by this implementation.
+ * \brief This is the default value for the maximum number of concurrent
+ * operations that can be active (allocated) at any time, supported
+ * by the implementation
*/
+#ifndef TFM_CRYPTO_CONC_OPER_NUM
#define TFM_CRYPTO_CONC_OPER_NUM (8)
+#endif
struct tfm_crypto_operation_s {
uint32_t in_use; /*!< Indicates if the operation is in use */
enum tfm_crypto_operation_type type; /*!< Type of the operation */
union {
- struct tfm_cipher_operation_s cipher; /*!< Cipher operation context */
- struct tfm_mac_operation_s mac; /*!< MAC operation context */
- struct tfm_hash_operation_s hash; /*!< Hash operation context */
+ psa_cipher_operation_t cipher; /*!< Cipher operation context */
+ psa_mac_operation_t mac; /*!< MAC operation context */
+ psa_hash_operation_t hash; /*!< Hash operation context */
} operation;
};
@@ -51,13 +53,13 @@
switch(operation[index].type) {
case TFM_CRYPTO_CIPHER_OPERATION:
- mem_size = sizeof(struct tfm_cipher_operation_s);
+ mem_size = sizeof(psa_cipher_operation_t);
break;
case TFM_CRYPTO_MAC_OPERATION:
- mem_size = sizeof(struct tfm_mac_operation_s);
+ mem_size = sizeof(psa_mac_operation_t);
break;
case TFM_CRYPTO_HASH_OPERATION:
- mem_size = sizeof(struct tfm_hash_operation_s);
+ mem_size = sizeof(psa_hash_operation_t);
break;
case TFM_CRYPTO_OPERATION_NONE:
default:
diff --git a/secure_fw/services/crypto/crypto_cipher.c b/secure_fw/services/crypto/crypto_cipher.c
index 757ccc0..e49b145 100644
--- a/secure_fw/services/crypto/crypto_cipher.c
+++ b/secure_fw/services/crypto/crypto_cipher.c
@@ -5,189 +5,18 @@
*
*/
-#include "tfm_crypto_api.h"
-#include "crypto_engine.h"
-#include "tfm_crypto_struct.h"
+#include <stddef.h>
+#include <stdint.h>
/* FixMe: Use PSA_CONNECTION_REFUSED when performing parameter
* integrity checks but this will have to be revised
* when the full set of error codes mandated by PSA FF
* is available.
*/
+#include "tfm_mbedcrypto_include.h"
-/**
- * \def CRYPTO_CIPHER_MAX_KEY_LENGTH
- *
- * \brief Specifies the maximum key length supported by the
- * Cipher operations in this implementation
- */
-#ifndef CRYPTO_CIPHER_MAX_KEY_LENGTH
-#define CRYPTO_CIPHER_MAX_KEY_LENGTH (32)
-#endif
-
-static psa_status_t _psa_get_key_information(psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_KEY_INFORMATION_SFID,
- .key = key,
- };
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = type, .len = sizeof(psa_key_type_t)},
- {.base = bits, .len = sizeof(size_t)}
- };
-
- status = tfm_crypto_get_key_information(
- in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
-
- return status;
-}
-
-/**
- * \brief Release all resources associated with a cipher operation.
- *
- * \param[in] operation Frontend cipher operation context
- * \param[in] ctx Backend cipher operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-static psa_status_t tfm_crypto_cipher_release(
- uint32_t *handle,
- struct tfm_cipher_operation_s *ctx)
-{
- psa_status_t status = PSA_SUCCESS;
-
- /* Release resources in the engine */
- status = tfm_crypto_engine_cipher_release(&(ctx->engine_ctx));
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Release the operation context */
- return tfm_crypto_operation_release(handle);
-}
-
-static psa_status_t tfm_crypto_cipher_setup(uint32_t *handle,
- psa_key_slot_t key,
- psa_algorithm_t alg,
- enum engine_cipher_mode_t c_mode)
-{
- uint8_t key_data[CRYPTO_CIPHER_MAX_KEY_LENGTH];
- size_t key_size;
- psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
- psa_status_t status = PSA_SUCCESS;
- struct tfm_cipher_operation_s *ctx = NULL;
- struct cipher_engine_info engine_info;
- psa_key_usage_t usage;
-
- if (!PSA_ALG_IS_CIPHER(alg)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Access the key module to retrieve key related information */
- status = _psa_get_key_information(key, &key_type, &key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Check if it's a raw data key type */
- if (key_type == PSA_KEY_TYPE_RAW_DATA) {
- return PSA_ERROR_NOT_PERMITTED;
- }
-
- /* Check compatibility between key and algorithm */
- if ((key_type == PSA_KEY_TYPE_ARC4) && (alg != PSA_ALG_ARC4)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Setup the algorithm on the crypto engine */
- status = tfm_crypto_engine_cipher_setup(alg,
- (const psa_key_type_t)key_type,
- (const uint32_t)key_size,
- c_mode,
- &engine_info);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Allocate the operation context in the secure world */
- status = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
- handle,
- (void **)&ctx);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Set the proper cipher mode (encrypt/decrypt) in the operation context */
- ctx->cipher_mode = (uint8_t) c_mode;
-
- /* Bind the algorithm to the cipher operation */
- ctx->alg = alg;
-
- /* Start the crypto engine */
- status = tfm_crypto_engine_cipher_start(&(ctx->engine_ctx), &engine_info);
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if this operation fails. */
- (void)tfm_crypto_cipher_release(handle, ctx);
- return status;
- }
-
- /* Set the key usage based on the cipher mode */
- usage = (c_mode == ENGINE_CIPHER_MODE_DECRYPT) ? PSA_KEY_USAGE_DECRYPT
- : PSA_KEY_USAGE_ENCRYPT;
-
- /* Access the crypto service key module to retrieve key data */
- status = tfm_crypto_get_key(key,
- usage,
- alg,
- key_data,
- CRYPTO_CIPHER_MAX_KEY_LENGTH,
- &key_size);
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if this operation fails. */
- (void)tfm_crypto_cipher_release(handle, ctx);
- return status;
- }
-
- /* Set the key on the engine */
- status = tfm_crypto_engine_cipher_set_key(&(ctx->engine_ctx),
- key_data,
- key_size,
- &engine_info);
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if this operation fails. */
- (void)tfm_crypto_cipher_release(handle, ctx);
- return status;
- }
-
- /* Bind the key to the cipher operation */
- ctx->key = key;
- ctx->key_set = 1;
-
- /* Set padding mode on engine in case of CBC */
- if ((alg & ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK) == PSA_ALG_CBC_BASE) {
-
- status = tfm_crypto_engine_cipher_set_padding_mode(&(ctx->engine_ctx),
- &engine_info);
- if (status != PSA_SUCCESS) {
- /* Release the operation context, ignore if this operation fails. */
- (void)tfm_crypto_cipher_release(handle, ctx);
- return status;
- }
- }
-
- /* FIXME: Check based on the algorithm, if we need to have an IV */
- ctx->iv_required = 1;
- ctx->block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type);
-
- return PSA_SUCCESS;
-}
+#include "tfm_crypto_api.h"
+#include "tfm_crypto_defs.h"
/*!
* \defgroup public_psa Public functions, PSA
@@ -201,93 +30,56 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_cipher_operation_s *ctx = NULL;
+ psa_cipher_operation_t *operation = NULL;
if ((in_len != 2) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (out_vec[0].len != sizeof(uint32_t))) {
+ (out_vec[0].len != sizeof(uint32_t))) {
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
const unsigned char *iv = in_vec[1].base;
size_t iv_length = in_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- if ((iv_length != ctx->block_size) || (iv_length > TFM_CIPHER_IV_MAX_SIZE)){
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if ((ctx->iv_set == 1) || (ctx->iv_required == 0)) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BAD_STATE;
- }
-
- /* Set the IV on the crypto engine */
- status = tfm_crypto_engine_cipher_set_iv(&(ctx->engine_ctx),
- iv,
- iv_length);
+ status = psa_cipher_set_iv(operation, iv, iv_length);
if (status != PSA_SUCCESS) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
return status;
}
- ctx->iv_set = 1;
- ctx->iv_size = iv_length;
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t _psa_cipher_set_iv(uint32_t *handle,
- const unsigned char *iv,
- size_t iv_length)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SFID,
- .handle = *handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = iv, .len = iv_length},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(uint32_t)},
- };
-
- status = tfm_crypto_cipher_set_iv(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
return status;
}
+/**
+ * TODO: psa_cipher_generate_iv(...)
+ *
+ */
+
psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec in_vec[],
size_t in_len,
psa_outvec out_vec[],
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
+ psa_cipher_operation_t *operation = NULL;
+
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
@@ -297,20 +89,28 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key_handle = iov->key_handle;
psa_algorithm_t alg = iov->alg;
- status = tfm_crypto_cipher_setup(&handle,
- key,
- alg,
- ENGINE_CIPHER_MODE_ENCRYPT);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
- } else {
- *handle_out = iov->handle;
+ /* Allocate the operation context in the secure world */
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
+ &handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
}
+
+ *handle_out = handle;
+
+ status = psa_cipher_encrypt_setup(operation, key_handle, alg);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
+ }
+
return status;
}
@@ -320,6 +120,8 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
+ psa_cipher_operation_t *operation = NULL;
+
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
@@ -329,18 +131,28 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key_handle = iov->key_handle;
psa_algorithm_t alg = iov->alg;
- status = tfm_crypto_cipher_setup(&handle,
- key,
- alg,
- ENGINE_CIPHER_MODE_DECRYPT);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
+ /* Allocate the operation context in the secure world */
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
+ &handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
}
+
+ *handle_out = handle;
+
+ status = psa_cipher_decrypt_setup(operation, key_handle, alg);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
+ }
+
return status;
}
@@ -350,7 +162,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_cipher_operation_s *ctx = NULL;
+ psa_cipher_operation_t *operation = NULL;
if ((in_len != 2) || (out_len != 2)) {
return PSA_CONNECTION_REFUSED;
@@ -361,7 +173,7 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
const uint8_t *input = in_vec[1].base;
size_t input_length = in_vec[1].len;
@@ -369,7 +181,7 @@
size_t output_size = out_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Initialise the output_length to zero */
out_vec[1].len = 0;
@@ -377,57 +189,20 @@
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- /* If the IV is required and it's not been set yet */
- if ((ctx->iv_required == 1) && (ctx->iv_set == 0)) {
-
- if (ctx->cipher_mode != ENGINE_CIPHER_MODE_DECRYPT) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BAD_STATE;
- }
-
- /* This call is used to set the IV on the object */
- return _psa_cipher_set_iv(handle_out, input, input_length);
- }
-
- /* If the key is not set, setup phase has not been completed */
- if (ctx->key_set == 0) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BAD_STATE;
- }
-
- /* FIXME: The implementation currently expects to work only on blocks
- * of input data whose length is equal to the block size
- */
- if (input_length > output_size) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* Update the cipher output with the input chunk on the engine */
- status = tfm_crypto_engine_cipher_update(&(ctx->engine_ctx),
- input,
- input_length,
- output,
- (uint32_t *)&(out_vec[1].len));
+ status = psa_cipher_update(operation, input, input_length,
+ output, output_size, &out_vec[1].len);
if (status != PSA_SUCCESS) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
return status;
}
- return PSA_SUCCESS;
+ return status;
}
psa_status_t tfm_crypto_cipher_finish(psa_invec in_vec[],
@@ -436,7 +211,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_cipher_operation_s *ctx = NULL;
+ psa_cipher_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 2)) {
return PSA_CONNECTION_REFUSED;
@@ -447,13 +222,13 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
unsigned char *output = out_vec[1].base;
size_t output_size = out_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Initialise the output_length to zero */
out_vec[1].len = 0;
@@ -461,37 +236,20 @@
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- /* Check that the output buffer is large enough for up to one block size of
- * output data.
- */
- if (output_size < ctx->block_size) {
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* Finalise the operation on the crypto engine */
- status = tfm_crypto_engine_cipher_finish(&(ctx->engine_ctx),
- output,
- (uint32_t *)&(out_vec[1].len));
+ status = psa_cipher_finish(operation, output, output_size, &out_vec[1].len);
if (status != PSA_SUCCESS) {
- out_vec[1].len = 0;
- if (tfm_crypto_cipher_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
return status;
}
- status = tfm_crypto_cipher_release(&handle, ctx);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ status = tfm_crypto_operation_release(handle_out);
+
return status;
}
@@ -501,7 +259,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_cipher_operation_s *ctx = NULL;
+ psa_cipher_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -512,24 +270,30 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- status = tfm_crypto_cipher_release(&handle, ctx);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
+ status = psa_cipher_abort(operation);
+
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
+
+ status = tfm_crypto_operation_release(handle_out);
+
return status;
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_engine.c b/secure_fw/services/crypto/crypto_engine.c
deleted file mode 100644
index dd09481..0000000
--- a/secure_fw/services/crypto/crypto_engine.c
+++ /dev/null
@@ -1,699 +0,0 @@
-/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-/**
- * \brief Include the Crypto engine header. This source module implements the
- * interface which is being used by the other components of the service
- * to interact with the cryptography primitives available, in SW or HW.
- * The current implementation provides only a SW implementation based on
- * Mbed TLS functions.
- */
-#include "crypto_engine.h"
-
-/**
- * \brief Default value for the size of the static buffer used by the Engine
- * module as a scratch buffer for its own internal allocations
- */
-#ifndef TFM_CRYPTO_ENGINE_BUF_SIZE
-#define TFM_CRYPTO_ENGINE_BUF_SIZE (1024)
-#endif
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
-/**
- * \brief Buffer size used by Mbed TLS for its allocations
- */
-#define TFM_CRYPTO_MBEDTLS_MEM_BUF_LEN (TFM_CRYPTO_ENGINE_BUF_SIZE)
-
-/**
- * \brief Static buffer to be used by Mbed TLS for memory allocations
- *
- */
-static uint8_t mbedtls_mem_buf[TFM_CRYPTO_MBEDTLS_MEM_BUF_LEN] = {0};
-
-/**
- * \brief Converts a PSA key type and key size to an Mbed TLS cipher ID.
- *
- * \param[in] key_type PSA key type
- * \param[in] key_size Key size in bits
- *
- * \return An mbedtls_cipher_id_t value corresponding to key_type and key_size,
- * or MBEDTLS_CIPHER_ID_NONE if no such cipher ID is supported by
- * Mbed TLS.
- */
-static mbedtls_cipher_id_t psa_to_mbedtls_cipher_id(psa_key_type_t key_type,
- size_t key_size)
-{
- switch (key_type) {
- case PSA_KEY_TYPE_AES:
- return MBEDTLS_CIPHER_ID_AES;
- case PSA_KEY_TYPE_DES:
- return (key_size == 192) ? MBEDTLS_CIPHER_ID_3DES
- : MBEDTLS_CIPHER_ID_DES;
- case PSA_KEY_TYPE_CAMELLIA:
- return MBEDTLS_CIPHER_ID_CAMELLIA;
- case PSA_KEY_TYPE_ARC4:
- return MBEDTLS_CIPHER_ID_ARC4;
- default:
- return MBEDTLS_CIPHER_ID_NONE;
- }
-}
-
-/**
- * \brief Converts a PSA algorithm to an Mbed TLS cipher mode.
- *
- * \param[in] alg PSA algorithm
- *
- * \return An mbedtls_cipher_mode_t value corresponding to alg, or
- * MBEDTLS_MODE_NONE if no such cipher mode is supported by Mbed TLS.
- */
-static mbedtls_cipher_mode_t psa_to_mbedtls_cipher_mode(psa_algorithm_t alg)
-{
- if (PSA_ALG_IS_BLOCK_CIPHER(alg)) {
- /* Clear the padding mask */
- alg &= ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
- }
-
- switch (alg) {
- case PSA_ALG_CBC_BASE:
- return MBEDTLS_MODE_CBC;
- case PSA_ALG_CFB_BASE:
- return MBEDTLS_MODE_CFB;
- case PSA_ALG_OFB_BASE:
- return MBEDTLS_MODE_OFB;
- case PSA_ALG_XTS_BASE:
- return MBEDTLS_MODE_NONE; /* FIXME: requires Mbed TLS 2.11 */
- case PSA_ALG_CTR:
- return MBEDTLS_MODE_CTR;
- case PSA_ALG_ARC4:
- return MBEDTLS_MODE_STREAM; /* ARC4 is a stream cipher */
- case PSA_ALG_CCM:
- return MBEDTLS_MODE_CCM;
- case PSA_ALG_GCM:
- return MBEDTLS_MODE_GCM;
- default:
- return MBEDTLS_MODE_NONE;
- }
-}
-
-/**
- * \brief Given a PSA key type, algorithm and key size, finds the corresponding
- * Mbed TLS cipher info struct.
- *
- * \param[in] key_type PSA key type
- * \param[in] alg PSA algorithm
- * \param[in] key_size Key size in bits
- *
- * \return A pointer to the mbedtls_cipher_info_t struct corresponding to
- * key_type, alg and key_size, or NULL if Mbed TLS does not support this
- * combination.
- */
-static const mbedtls_cipher_info_t *get_mbedtls_cipher_info(
- psa_key_type_t key_type,
- psa_algorithm_t alg,
- size_t key_size)
-{
- mbedtls_cipher_id_t cipher_id;
- mbedtls_cipher_mode_t cipher_mode;
-
- /* Get the Mbed TLS cipher ID */
- cipher_id = psa_to_mbedtls_cipher_id(key_type, key_size);
- if (cipher_id == MBEDTLS_CIPHER_ID_NONE) {
- /* The requested key type is not supported by Mbed TLS */
- return NULL;
- }
-
- /* Get the Mbed TLS cipher mode */
- cipher_mode = psa_to_mbedtls_cipher_mode(alg);
- if (cipher_mode == MBEDTLS_MODE_NONE) {
- /* The requested algorithm is not supported by Mbed TLS */
- return NULL;
- }
-
- /* Get the Mbed TLS cipher info pointer */
- return mbedtls_cipher_info_from_values(cipher_id, key_size, cipher_mode);
-}
-
-/**
- * \brief Converts a PSA algorithm to an Mbed TLS message digest type.
- *
- * \param[in] alg PSA algorithm
- *
- * \return An mbedtls_md_type_t value corresponding to alg, or
- * MBEDTLS_MD_NONE if no such message digest is available.
- */
-static mbedtls_md_type_t psa_to_mbedtls_md_type(psa_algorithm_t alg)
-{
- mbedtls_md_type_t type = MBEDTLS_MD_NONE;
-
- /* Mbed TLS message digest setup */
- switch(alg) {
- case PSA_ALG_MD2:
-#if defined(MBEDTLS_MD2_C)
- type = MBEDTLS_MD_MD2;
-#endif
- break;
- case PSA_ALG_MD4:
-#if defined(MBEDTLS_MD4_C)
- type = MBEDTLS_MD_MD4;
-#endif
- break;
- case PSA_ALG_MD5:
-#if defined(MBEDTLS_MD5_C)
- type = MBEDTLS_MD_MD5;
-#endif
- break;
- case PSA_ALG_RIPEMD160:
-#if defined(MBEDTLS_RIPEMD160_C)
- type = MBEDTLS_MD_RIPEMD160;
-#endif
- break;
- case PSA_ALG_SHA_1:
-#if defined(MBEDTLS_SHA1_C)
- type = MBEDTLS_MD_SHA1;
-#endif
- break;
- case PSA_ALG_SHA_224:
-#if defined(MBEDTLS_SHA256_C)
- type = MBEDTLS_MD_SHA224;
-#endif
- break;
- case PSA_ALG_SHA_256:
-#if defined(MBEDTLS_SHA256_C)
- type = MBEDTLS_MD_SHA256;
-#endif
- break;
- case PSA_ALG_SHA_384:
-#if defined(MBEDTLS_SHA512_C)
- type = MBEDTLS_MD_SHA384;
-#endif
- break;
- case PSA_ALG_SHA_512:
-#if defined(MBEDTLS_SHA512_C)
- type = MBEDTLS_MD_SHA512;
-#endif
- break;
- case PSA_ALG_SHA3_224:
- case PSA_ALG_SHA3_256:
- case PSA_ALG_SHA3_384:
- case PSA_ALG_SHA3_512:
- /* SHA3 not yet supported */
- type = MBEDTLS_MD_NONE;
- break;
- case PSA_ALG_SHA_512_224:
- case PSA_ALG_SHA_512_256:
- /* SHA-512 Truncated modes not yet supported */
- type = MBEDTLS_MD_NONE;
- break;
- default:
- break;
- }
-
- return type;
-}
-
-/**
- * \brief This function maps Mbed TLS return codes to PSA return codes.
- *
- * \param[in] ret Mbed TLS return value
- *
- * \return Return values as specified by \ref psa_status_t
- */
-static psa_status_t mbedtls_to_psa_return(int ret)
-{
- /* zero return value means success */
- if (ret == 0) {
- return PSA_SUCCESS;
- }
-
- /* FIXME: Investigate all possible Mbed TLS errors and map them
- * to the the correct corresponding PSA status
- */
- switch (ret) {
- case MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED:
- return PSA_ERROR_INVALID_ARGUMENT;
- case MBEDTLS_ERR_CIPHER_AUTH_FAILED:
- return PSA_ERROR_INVALID_SIGNATURE;
- default:
- return PSA_ERROR_UNKNOWN_ERROR;
- }
-}
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
-psa_status_t tfm_crypto_engine_init(void)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- /* Initialise the Mbed TLS static memory allocator so that Mbed TLS
- * allocates memory from the provided static buffer instead of from
- * the heap.
- */
- mbedtls_memory_buffer_alloc_init(mbedtls_mem_buf,
- TFM_CRYPTO_MBEDTLS_MEM_BUF_LEN);
- /* The previous function doesn't return any error code */
- return_value = PSA_SUCCESS;
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_hash_setup(const psa_algorithm_t alg,
- struct hash_engine_info *engine_info)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- mbedtls_md_type_t type = MBEDTLS_MD_NONE;
-
- type = psa_to_mbedtls_md_type(alg);
-
- engine_info->type = (uint32_t) type;
-
- if (type == MBEDTLS_MD_NONE) {
- return_value = PSA_ERROR_NOT_SUPPORTED;
- } else {
- return_value = PSA_SUCCESS;
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_hash_start(
- union engine_hash_context *hp,
- const struct hash_engine_info *engine_info)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- const mbedtls_md_info_t *info = NULL;
- int ret;
-
- /* Mbed TLS message digest init */
- mbedtls_md_init(&(hp->ctx));
- info = mbedtls_md_info_from_type((mbedtls_md_type_t)engine_info->type);
- ret = mbedtls_md_setup(&(hp->ctx), info, 0); /* 0: not HMAC */
- if (ret != 0) {
- return_value = mbedtls_to_psa_return(ret);
- } else {
- /* Start the message digest context */
- ret = mbedtls_md_starts(&(hp->ctx));
- return_value = mbedtls_to_psa_return(ret);
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_hash_update(union engine_hash_context *hp,
- const uint8_t *input,
- const uint32_t input_length)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- /* Update the message digest with a new chunk of information */
- ret = mbedtls_md_update(&(hp->ctx), input, input_length);
- return_value = mbedtls_to_psa_return(ret);
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_hash_finish(union engine_hash_context *hp,
- uint8_t *hash)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- /* Finalise the hash value, producing the output */
- ret = mbedtls_md_finish(&(hp->ctx), hash);
- return_value = mbedtls_to_psa_return(ret);
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_hash_release(union engine_hash_context *hp)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- /* Clear the Mbed TLS message digest context */
- mbedtls_md_free(&(hp->ctx));
- /* The previous function doesn't return any error code */
- return_value = PSA_SUCCESS;
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_setup(const psa_algorithm_t alg,
- const psa_key_type_t key_type,
- const uint32_t key_size,
- const enum engine_cipher_mode_t engine_cipher_mode,
- struct cipher_engine_info *engine_info)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- const mbedtls_cipher_info_t *info;
- mbedtls_cipher_padding_t padding_mode = MBEDTLS_PADDING_NONE;
- psa_algorithm_t padding_mode_field = PSA_ALG_BLOCK_CIPHER_PAD_NONE;
-
- if ((engine_cipher_mode != ENGINE_CIPHER_MODE_ENCRYPT) &&
- (engine_cipher_mode != ENGINE_CIPHER_MODE_DECRYPT)) {
- return_value = PSA_ERROR_NOT_SUPPORTED;
- } else {
- /* Get the Mbed TLS cipher info from PSA key_type/alg/key_size. */
- info = get_mbedtls_cipher_info(key_type, alg, key_size);
- if (info == NULL) {
- /* The combination of key_type, alg and key_size is not a valid
- * Mbed TLS cipher configuration.
- */
- return_value = PSA_ERROR_NOT_SUPPORTED;
- } else {
- /* If CBC, need to check the padding mode */
- if ((alg & ~PSA_ALG_BLOCK_CIPHER_PADDING_MASK) == PSA_ALG_CBC_BASE){
-
- /* Check the value of padding field */
- padding_mode_field = alg & PSA_ALG_BLOCK_CIPHER_PADDING_MASK;
-
- switch (padding_mode_field) {
- case PSA_ALG_BLOCK_CIPHER_PAD_PKCS7:
- padding_mode = MBEDTLS_PADDING_PKCS7;
- return_value = PSA_SUCCESS;
- break;
- case PSA_ALG_BLOCK_CIPHER_PAD_NONE:
- padding_mode = MBEDTLS_PADDING_NONE;
- return_value = PSA_SUCCESS;
- break;
- default:
- return_value = PSA_ERROR_NOT_SUPPORTED;
- }
- } else {
- /* The engine is correctly configured */
- return_value = PSA_SUCCESS;
- }
- }
- }
-
- if (return_value == PSA_SUCCESS) {
- engine_info->type = (uint32_t) (info->type);
- engine_info->cipher_mode = engine_cipher_mode;
- engine_info->padding_mode = (uint32_t) padding_mode;
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_set_padding_mode(
- union engine_cipher_context *cp,
- const struct cipher_engine_info *engine_info)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- ret = mbedtls_cipher_set_padding_mode(&(cp->ctx),
- (mbedtls_cipher_padding_t)engine_info->padding_mode);
- return_value = mbedtls_to_psa_return(ret);
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_start(
- union engine_cipher_context *cp,
- const struct cipher_engine_info *engine_info)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- const mbedtls_cipher_info_t *info = NULL;
-
- /* Mbed TLS cipher init */
- mbedtls_cipher_init(&(cp->ctx));
- info = mbedtls_cipher_info_from_type(engine_info->type);
-
- ret = mbedtls_cipher_setup(&(cp->ctx), info);
- return_value = mbedtls_to_psa_return(ret);
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_set_key(
- union engine_cipher_context *cp,
- const uint8_t *key_data,
- const uint32_t key_size,
- const struct cipher_engine_info *engine_info)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- /* Mbed TLS cipher set key */
- if ((engine_info->cipher_mode != ENGINE_CIPHER_MODE_ENCRYPT) &&
- (engine_info->cipher_mode != ENGINE_CIPHER_MODE_DECRYPT)) {
- return_value = PSA_ERROR_NOT_SUPPORTED;
- } else {
- /* Set the key on the context */
- ret = mbedtls_cipher_setkey(
- &(cp->ctx),
- key_data,
- PSA_BYTES_TO_BITS(key_size),
- (engine_info->cipher_mode == ENGINE_CIPHER_MODE_ENCRYPT) ?
- MBEDTLS_ENCRYPT : MBEDTLS_DECRYPT);
- return_value = mbedtls_to_psa_return(ret);
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_set_iv(union engine_cipher_context *cp,
- const uint8_t *iv,
- const uint32_t iv_length)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
-
- /* Bind the IV to the cipher operation */
- ret = mbedtls_cipher_set_iv(&(cp->ctx), iv, iv_length);
- if (ret != 0) {
- return_value = mbedtls_to_psa_return(ret);
- } else {
- /* Reset the context after IV is set */
- ret = mbedtls_cipher_reset(&(cp->ctx));
- return_value = mbedtls_to_psa_return(ret);
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_update(union engine_cipher_context *cp,
- const uint8_t *input,
- const uint32_t input_length,
- uint8_t *output,
- uint32_t *output_length)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- /* Update with the chunk of input data, eventually producing output */
- ret = mbedtls_cipher_update(&(cp->ctx), input, input_length,
- output, (size_t *)output_length);
- return_value = mbedtls_to_psa_return(ret);
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_finish(union engine_cipher_context *cp,
- uint8_t *output,
- uint32_t *output_length)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- /* Finalise the cipher operation */
- ret = mbedtls_cipher_finish(&(cp->ctx), output, (size_t *)output_length);
- return_value = mbedtls_to_psa_return(ret);
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_cipher_release(union engine_cipher_context *cp)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- /* Clear the Mbed TLS context */
- mbedtls_cipher_free(&(cp->ctx));
- /* The previous function doesn't return any error code */
- return_value = PSA_SUCCESS;
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_aead_encrypt(psa_key_type_t key_type,
- psa_algorithm_t alg,
- const uint8_t *key_data,
- uint32_t key_size,
- const uint8_t *nonce,
- uint32_t nonce_length,
- const uint8_t *additional_data,
- uint32_t additional_data_length,
- const uint8_t *plaintext,
- uint32_t plaintext_length,
- uint8_t *ciphertext,
- uint32_t ciphertext_size,
- uint32_t *ciphertext_length)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- mbedtls_cipher_context_t aead_ctx;
- const uint32_t key_size_bits = PSA_BYTES_TO_BITS(key_size);
-
- const mbedtls_cipher_info_t *info = get_mbedtls_cipher_info(key_type,
- alg,
- key_size_bits);
- const uint32_t encrypted_message_length =
- PSA_AEAD_ENCRYPT_OUTPUT_SIZE(alg, plaintext_length) -
- PSA_AEAD_TAG_SIZE(alg);
- if (info == NULL) {
- /* The combination of key_type, alg and key_size is not a valid Mbed TLS
- * cipher configuration.
- */
- return_value = PSA_ERROR_NOT_SUPPORTED;
- } else {
- /* Init the mbedTLS context */
- mbedtls_cipher_init(&aead_ctx);
-
- /* Setup the mbedTLS context */
- ret = mbedtls_cipher_setup(&aead_ctx, info);
- if (ret != 0) {
- return_value = mbedtls_to_psa_return(ret);
- } else {
- /* Set the key on the Mbed TLS context */
- ret = mbedtls_cipher_setkey(&aead_ctx,
- key_data,
- key_size_bits,
- MBEDTLS_ENCRYPT);
- if (ret != 0) {
- return_value = mbedtls_to_psa_return(ret);
- } else {
- /* Perform the AEAD operation on the Mbed TLS context */
- ret = mbedtls_cipher_auth_encrypt(&aead_ctx,
- nonce, nonce_length,
- additional_data,
- additional_data_length,
- plaintext,
- plaintext_length,
- ciphertext,
- (size_t *)ciphertext_length,
- ciphertext +
- encrypted_message_length,
- PSA_AEAD_TAG_SIZE(alg));
-
- /* Clear the Mbed TLS context */
- mbedtls_cipher_free(&aead_ctx);
- return_value = mbedtls_to_psa_return(ret);
- }
- }
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
-
-psa_status_t tfm_crypto_engine_aead_decrypt(psa_key_type_t key_type,
- psa_algorithm_t alg,
- const uint8_t *key_data,
- uint32_t key_size,
- const uint8_t *nonce,
- uint32_t nonce_length,
- const uint8_t *additional_data,
- uint32_t additional_data_length,
- const uint8_t *ciphertext,
- uint32_t ciphertext_length,
- uint8_t *plaintext,
- uint32_t plaintext_size,
- uint32_t *plaintext_length)
-{
- psa_status_t return_value = PSA_ERROR_NOT_SUPPORTED;
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- int ret;
- mbedtls_cipher_context_t aead_ctx;
- const uint32_t key_size_bits = PSA_BYTES_TO_BITS(key_size);
-
- const mbedtls_cipher_info_t *info = get_mbedtls_cipher_info(key_type,
- alg,
- key_size_bits);
-
- const uint32_t encrypted_message_length =
- PSA_AEAD_DECRYPT_OUTPUT_SIZE(alg, ciphertext_length);
- if (info == NULL) {
- /* The combination of key_type, alg and key_size is not a valid Mbed TLS
- * cipher configuration.
- */
- return_value = PSA_ERROR_NOT_SUPPORTED;
- } else {
- /* Init the mbedTLS context */
- mbedtls_cipher_init(&aead_ctx);
-
- /* Setup the mbedTLS context */
- ret = mbedtls_cipher_setup(&aead_ctx, info);
- if (ret != 0) {
- return_value = mbedtls_to_psa_return(ret);
- } else {
- /* Set the key on the Mbed TLS context */
- ret = mbedtls_cipher_setkey(&aead_ctx,
- key_data,
- key_size_bits,
- MBEDTLS_DECRYPT);
- if (ret != 0) {
- return_value = mbedtls_to_psa_return(ret);
- } else {
- /* Perform the AEAD operation on the Mbed TLS context */
- ret = mbedtls_cipher_auth_decrypt(&aead_ctx,
- nonce, nonce_length,
- additional_data,
- additional_data_length,
- ciphertext,
- encrypted_message_length,
- plaintext,
- (size_t *)plaintext_length,
- ciphertext +
- encrypted_message_length,
- PSA_AEAD_TAG_SIZE(alg));
-
- /* Clear the Mbed TLS context */
- mbedtls_cipher_free(&aead_ctx);
- return_value = mbedtls_to_psa_return(ret);
- }
- }
- }
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
- return return_value;
-}
diff --git a/secure_fw/services/crypto/crypto_engine.h b/secure_fw/services/crypto/crypto_engine.h
deleted file mode 100644
index 3130396..0000000
--- a/secure_fw/services/crypto/crypto_engine.h
+++ /dev/null
@@ -1,386 +0,0 @@
-/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __CRYPTO_ENGINE_H__
-#define __CRYPTO_ENGINE_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <limits.h>
-#include "psa_crypto.h"
-
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
-/* Pre include Mbed TLS headers */
-#define LIB_PREFIX_NAME __tfm_crypto__
-#include "mbedtls_global_symbols.h"
-
-/* Include the Mbed TLS configuration file, the way Mbed TLS does it
- * in each of its header files. */
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "platform/ext/common/tfm_mbedtls_config.h"
-#else
-// cppcheck-suppress preprocessorErrorDirective
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-/**
- * \brief List of engine specific includes for Mbed TLS
- *
- */
-#include "mbedtls/memory_buffer_alloc.h"
-#include "mbedtls/md.h"
-#include "mbedtls/cipher.h"
-#include "mbedtls/cmac.h"
-
-#endif /* TFM_CRYPTO_ENGINE_MBEDTLS */
-
-/**
- * \brief Generic engine cipher context type
- *
- */
-union engine_cipher_context {
- uint32_t dummy; /* Needed to keep the union always not empty */
-#if defined(TFM_CRYPTO_ENGINE_MBEDTLS)
- mbedtls_cipher_context_t ctx;
-#endif
-};
-
-/**
- * \brief Generic engine hash context type
- *
- */
-union engine_hash_context {
- uint32_t dummy; /* Needed to keep the union always not empty */
-#if defined (TFM_CRYPTO_ENGINE_MBEDTLS)
- mbedtls_md_context_t ctx;
-#endif
-};
-
-/**
- * \brief Generic engine cmac context type
- *
- */
-union engine_cmac_context {
- uint32_t dummy; /* Needed to keep the union always not empty */
-#if defined (TFM_CRYPTO_ENGINE_MBEDTLS)
- mbedtls_cmac_context_t ctx;
-#endif
-};
-
-
-
-/**
- * \brief For a cipher operation, define the possible modes of configuration.
- */
-enum engine_cipher_mode_t {
- ENGINE_CIPHER_MODE_NONE = 0, /*!< Cipher mode not selected */
- ENGINE_CIPHER_MODE_DECRYPT, /*!< Cipher mode set to decryption */
- ENGINE_CIPHER_MODE_ENCRYPT, /*!< Cipher mode set to encryption */
- /* Used to force enum size */
- ENGINE_CIPHER_MODE_FORCE_INT_SIZE = INT_MAX
-};
-
-/**
- * \brief Structure used to keep engine information during the engine setup
- * step for a hash operation.
- */
-struct hash_engine_info {
- uint32_t type; /*!< Engine specific identifier which describes
- * the operation which has to be configured on
- * the crypto engine
- */
-};
-
-/**
- * \brief Structure used to keep engine information during the engine setup
- * step for a cipher operation
- */
-struct cipher_engine_info {
- uint32_t type; /*!< Engine specific identifier which describes
- * the operation which has to be configured on
- * the crypto engine
- */
- enum engine_cipher_mode_t cipher_mode; /*!< Describes if the cipher on
- * the engine is configured for
- * encryption or decryption
- */
- uint32_t padding_mode; /*!< Engine specific identifier which describes
- * the padding mode which has been configured
- * on the cipher, if any
- */
-};
-
-/**
- * \brief This function performs all the generic operations required to
- * initialise the crypto engine
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_init(void);
-
-/**
- * \brief This function performs the setup of a multipart hash operation on the
- * crypto engine
- *
- * \param[in] alg Algorithm to be setup
- * \param[out] engine_info Pointer to the engine_info structure containing
- * engine parameters determined during the setup
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_hash_setup(const psa_algorithm_t alg,
- struct hash_engine_info *engine_info);
-/**
- * \brief This function starts a multipart hash operation on the crypto engine
- *
- * \param[in,out] hp Pointer to the hash engine context to be used
- * \param[in] engine_info Pointer to the engine_info structure as determined
- * during the setup step
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_hash_start(union engine_hash_context *hp,
- const struct hash_engine_info *engine_info);
-/**
- * \brief This function updates a multipart hash operation with one chunk of
- * input data
- *
- * \param[in,out] hp Pointer to the hash engine context to be used
- * \param[in] input Pointer to the buffer containing the input data
- * \param[in] input_length Size in bytes of the input data
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_hash_update(union engine_hash_context *hp,
- const uint8_t *input,
- const uint32_t input_length);
-/**
- * \brief This function finalises a multipart hash operation producing one hash
- * value in output as described by the operation context
- *
- * \param[in,out] hp Pointer to the hash engine context to be used
- * \param[out] hash Pointer to the buffer containing the output hash value
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_hash_finish(union engine_hash_context *hp,
- uint8_t *hash);
-/**
- * \brief This function releases the crypto engine resources associated to a
- * multipart hash operation context
- *
- * \param[in,out] hp Pointer to the hash engine context to be used
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_hash_release(union engine_hash_context *hp);
-
-/**
- * \brief This function performs the setup of a multipart cipher operation on
- * the crypto engine
- *
- * \param[in] alg Algorithm to be configured
- * \param[in] key_type Key type of the key that will be used
- * \param[in] key_size Size in bits of the key that will be used
- * \param[in] engine_cipher_mode Parameter specifying if the cipher must be set
- * in encrypt or decrypt mode
- * \param[out] engine_info Pointer to the engine configuration structure
- * containing engine parameters determined during
- * setup
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_setup(const psa_algorithm_t alg,
- const psa_key_type_t key_type,
- const uint32_t key_size,
- const enum engine_cipher_mode_t engine_cipher_mode,
- struct cipher_engine_info *engine_info);
-/**
- * \brief This function sets the padding mode on the crypto engine based on the
- * information gathered during the setup phase
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- * \param[in] engine_info Pointer to the engine configuration structure
- * containing engine parameters determined during
- * setup
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_set_padding_mode(
- union engine_cipher_context *cp,
- const struct cipher_engine_info *engine_info);
-/**
- * \brief This function starts a multipart cipher operation
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- * \param[in] engine_info Pointer to the engine configuration structure
- * containing engine parameters determined during
- * setup
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_start(
- union engine_cipher_context *cp,
- const struct cipher_engine_info *engine_info);
-/**
- * \brief This function sets the key data on the crypto engine for a multipart
- * cipher operation. It reads also from the engine_info configuration
- * item to determine if the key needs to be set in encryption or
- * decryption mode on the engine.
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- * \param[in] key_data Pointer to the buffer containing key material
- * \param[in] key_size Size in bytes of the key pointed by key_data
- * \param[in] engine_info Pointer to the engine configuration structure
- * containing engine parameters determined during
- * setup
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_set_key(
- union engine_cipher_context *cp,
- const uint8_t *key_data,
- const uint32_t key_size,
- const struct cipher_engine_info *engine_info);
-/**
- * \brief This function sets the initialisation vector on the crypto engine for
- * a multipart cipher operation
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- * \param[in] iv Pointer to the buffer containing the IV
- * \param[in] iv_length Size in bytes of the initialisation vector
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_set_iv(union engine_cipher_context *cp,
- const uint8_t *iv,
- const uint32_t iv_length);
-/**
- * \brief This function updates a multipart cipher operation on the crypto
- * engine with a new chunk of input data. It may produce output data.
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- * \param[in] input Pointer to the buffer containing the input data
- * chunk
- * \param[in] input_length Size in bytes of the input data chunk
- * \param[out] output Pointer to the buffer containing the output data
- * \param[out] output_length Pointer to the size in bytes of the data produced
- * as output
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_update(union engine_cipher_context *cp,
- const uint8_t *input,
- const uint32_t input_length,
- uint8_t *output,
- uint32_t *output_length);
-/**
- * \brief This function finalises a multipart cipher operation on the crypto
- * engine. It may produce output data.
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- * \param[out] output Pointer to the buffer containing the output data
- * \param[out] output_length Pointer to the size in bytes of the data produced
- * as output
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_finish(union engine_cipher_context *cp,
- uint8_t *output,
- uint32_t *output_length);
-/**
- * \brief This function releases the crypto engine resources associated to a
- * multipart cipher operation context
- *
- * \param[in,out] cp Pointer to the cipher engine context to be used
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_cipher_release(union engine_cipher_context *cp);
-
-/**
- * \brief This function performs an AEAD encryption on the provided data
- *
- * \param[in] key_type Key type of the key that will be used
- * \param[in] alg Algorithm to be used
- * \param[in] key_data Pointer to the buffer containing key
- * material
- * \param[in] key_size Size in bytes of the key pointed to by
- * key_data
- * \param[in] nonce Pointer to a buffer holding a nonce or IV
- * to use
- * \param[in] nonce_length Size in bytes of the nonce or IV data
- * \param[in] additional_data Additional information to be authenticated
- * \param[in] additional_data_length Size in bytes of the additional data
- * \param[in] plaintext Buffer pointing to data to be encrypted
- * \param[in] plaintext_length Size in bytes of the plain text buffer
- * \param[out] ciphertext Output encrypted data, with the
- * authentication tag appended
- * \param[in] ciphertext_size Size in bytes of the buffer to hold the
- * cipher text plus authentication tag
- * \param[out] ciphertext_length Size of the ciphertext plus tag produced
- * as output
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_aead_encrypt(psa_key_type_t key_type,
- psa_algorithm_t alg,
- const uint8_t *key_data,
- uint32_t key_size,
- const uint8_t *nonce,
- uint32_t nonce_length,
- const uint8_t *additional_data,
- uint32_t additional_data_length,
- const uint8_t *plaintext,
- uint32_t plaintext_length,
- uint8_t *ciphertext,
- uint32_t ciphertext_size,
- uint32_t *ciphertext_length);
-/**
- * \brief This function performs an AEAD decryption on the provided data
- *
- * \param[in] key_type Key type of the key that will be used
- * \param[in] alg Algorithm to be used
- * \param[in] key_data Pointer to the buffer containing key
- * material
- * \param[in] key_size Size in bytes of the key pointed to by
- * key_data
- * \param[in] nonce Pointer to a buffer holding a nonce or IV
- * to use
- * \param[in] nonce_length Size in bytes of the nonce or IV data
- * \param[in] additional_data Additional information which was
- * authenticated but not encrypted
- * \param[in] additional_data_length Size in bytes of the additional data
- * \param[in] ciphertext Buffer pointing to data be decrypted
- * \param[in] ciphertext_length Size in bytes of the cipher text buffer
- * \param[out] plaintext Buffer for decrypted output data
- * \param[in] plaintext_size Size in bytes of the buffer to hold the
- * plain text
- * \param[out] plaintext_length Size of the plain text actually produced
- *
- * \return Return values as specified by \ref psa_status_t
- */
-psa_status_t tfm_crypto_engine_aead_decrypt(psa_key_type_t key_type,
- psa_algorithm_t alg,
- const uint8_t *key_data,
- uint32_t key_size,
- const uint8_t *nonce,
- uint32_t nonce_length,
- const uint8_t *additional_data,
- uint32_t additional_data_length,
- const uint8_t *ciphertext,
- uint32_t ciphertext_length,
- uint8_t *plaintext,
- uint32_t plaintext_size,
- uint32_t *plaintext_length);
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __CRYPTO_ENGINE_H__ */
diff --git a/secure_fw/services/crypto/crypto_hash.c b/secure_fw/services/crypto/crypto_hash.c
index 36e5759..6468f0f 100644
--- a/secure_fw/services/crypto/crypto_hash.c
+++ b/secure_fw/services/crypto/crypto_hash.c
@@ -5,38 +5,18 @@
*
*/
-#include "tfm_crypto_api.h"
-#include "crypto_engine.h"
-#include "tfm_crypto_struct.h"
+#include <stddef.h>
+#include <stdint.h>
/* FixMe: Use PSA_CONNECTION_REFUSED when performing parameter
* integrity checks but this will have to be revised
* when the full set of error codes mandated by PSA FF
* is available.
*/
+#include "tfm_mbedcrypto_include.h"
-/**
- * \brief Release all resources associated with a hash operation.
- *
- * \param[in] operation Frontend hash operation context
- * \param[in] ctx Backend hash operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-static psa_status_t tfm_crypto_hash_release(uint32_t *handle,
- struct tfm_hash_operation_s *ctx)
-{
- psa_status_t status = PSA_SUCCESS;
-
- /* Release resources in the engine */
- status = tfm_crypto_engine_hash_release(&(ctx->engine_ctx));
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Release the operation context */
- return tfm_crypto_operation_release(handle);
-}
+#include "tfm_crypto_api.h"
+#include "tfm_crypto_defs.h"
/*!
* \defgroup public_psa Public functions, PSA
@@ -50,8 +30,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_hash_operation_s *ctx = NULL;
- struct hash_engine_info engine_info;
+ psa_hash_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -62,41 +41,27 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
psa_algorithm_t alg = iov->alg;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
-
- if (PSA_ALG_IS_HASH(alg) == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Setup the engine for the requested algorithm */
- status = tfm_crypto_engine_hash_setup(alg, &engine_info);
- if (status != PSA_SUCCESS) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
+ *handle_out = iov->op_handle;
/* Allocate the operation context in the secure world */
status = tfm_crypto_operation_alloc(TFM_CRYPTO_HASH_OPERATION,
&handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
*handle_out = handle;
- /* Bind the algorithm to the hash context */
- ctx->alg = alg;
-
- /* Start the engine */
- status = tfm_crypto_engine_hash_start(&(ctx->engine_ctx), &engine_info);
+ status = psa_hash_setup(operation, alg);
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if the operation fails. */
- (void)tfm_crypto_hash_release(&handle, ctx);
+ (void)tfm_crypto_operation_release(handle_out);
return status;
}
@@ -109,7 +74,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_hash_operation_s *ctx = NULL;
+ psa_hash_operation_t *operation = NULL;
if ((in_len != 2) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -120,30 +85,26 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
const uint8_t *input = in_vec[1].base;
size_t input_length = in_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- /* Process the input chunk with the engine */
- status = tfm_crypto_engine_hash_update(&(ctx->engine_ctx),
- input,
- input_length);
+ status = psa_hash_update(operation, input, input_length);
if (status != PSA_SUCCESS) {
- if (tfm_crypto_hash_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
return status;
}
@@ -156,7 +117,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_hash_operation_s *ctx = NULL;
+ psa_hash_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 2)) {
return PSA_CONNECTION_REFUSED;
@@ -167,13 +128,13 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
uint8_t *hash = out_vec[1].base;
size_t hash_size = out_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Initialise hash_length to zero */
out_vec[1].len = 0;
@@ -181,59 +142,19 @@
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- if (hash_size < PSA_HASH_SIZE(ctx->alg)) {
- if (tfm_crypto_hash_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- /* Finalise the hash value using the engine */
- status = tfm_crypto_engine_hash_finish(&(ctx->engine_ctx), hash);
+ status = psa_hash_finish(operation, hash, hash_size, &out_vec[1].len);
if (status != PSA_SUCCESS) {
- if (tfm_crypto_hash_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
return status;
}
- /* Set the length of the hash that has been produced */
- out_vec[1].len = PSA_HASH_SIZE(ctx->alg);
-
- status = tfm_crypto_hash_release(&handle, ctx);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return status;
-}
-
-static psa_status_t _psa_hash_finish(uint32_t *handle,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_HASH_FINISH_SFID,
- .handle = *handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(uint32_t)},
- {.base = hash, .len = hash_size},
- };
-
- status = tfm_crypto_hash_finish(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
- *hash_length = out_vec[1].len;
+ status = tfm_crypto_operation_release(handle_out);
return status;
}
@@ -244,9 +165,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- uint8_t digest[PSA_HASH_MAX_SIZE] = {0};
- size_t digest_length;
- uint32_t idx, comp_mismatch = 0;
+ psa_hash_operation_t *operation = NULL;
if ((in_len != 2) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -256,38 +175,33 @@
(out_vec[0].len != sizeof(uint32_t))) {
return PSA_CONNECTION_REFUSED;
}
-
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
const uint8_t *hash = in_vec[1].base;
size_t hash_length = in_vec[1].len;
- /* Finalise the hash operation */
- status = _psa_hash_finish(handle_out,
- digest,
- PSA_HASH_MAX_SIZE,
- &digest_length);
+ /* Init the handle in the operation with the one passed from the iov */
+ *handle_out = iov->op_handle;
+ /* Look up the corresponding operation context */
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
+ handle,
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- /* Check that the computed hash has the same legnth as the provided one */
- if (hash_length != digest_length) {
- return PSA_ERROR_INVALID_SIGNATURE;
+ status = psa_hash_verify(operation, hash, hash_length);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
- /* Verify that the computed hash matches the provided one */
- for (idx=0; idx<(uint32_t)digest_length; idx++) {
- if (digest[idx] != hash[idx]) {
- comp_mismatch = 1;
- }
- }
+ status = tfm_crypto_operation_release(handle_out);
- if (comp_mismatch == 1) {
- return PSA_ERROR_INVALID_SIGNATURE;
- }
-
- return PSA_SUCCESS;
+ return status;
}
psa_status_t tfm_crypto_hash_abort(psa_invec in_vec[],
@@ -296,7 +210,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_hash_operation_s *ctx = NULL;
+ psa_hash_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -307,24 +221,34 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- status = tfm_crypto_hash_release(&handle, ctx);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
+ status = psa_hash_abort(operation);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
+
+ status = tfm_crypto_operation_release(handle_out);
+
return status;
}
+
+/**
+ * TODO: psa_hash_clone(...)
+ *
+ */
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_init.c b/secure_fw/services/crypto/crypto_init.c
index aaabea8..0144f02 100644
--- a/secure_fw/services/crypto/crypto_init.c
+++ b/secure_fw/services/crypto/crypto_init.c
@@ -5,8 +5,16 @@
*
*/
+#include "tfm_mbedcrypto_include.h"
+
#include "tfm_crypto_api.h"
-#include "crypto_engine.h"
+#include "tfm_crypto_defs.h"
+
+/*
+ * \brief This Mbed TLS include is needed to initialise the memory allocator
+ * inside the Mbed TLS layer of Mbed Crypto
+ */
+#include "mbedtls/memory_buffer_alloc.h"
#ifdef TFM_PSA_API
#include "psa_service.h"
@@ -18,17 +26,13 @@
* by the TF-M Crypto partition
*/
static const tfm_crypto_us_t sfid_func_table[TFM_CRYPTO_SFID_MAX] = {
+ tfm_crypto_allocate_key,
tfm_crypto_import_key,
tfm_crypto_destroy_key,
tfm_crypto_get_key_information,
tfm_crypto_export_key,
- tfm_crypto_key_policy_init,
- tfm_crypto_key_policy_set_usage,
- tfm_crypto_key_policy_get_usage,
- tfm_crypto_key_policy_get_algorithm,
tfm_crypto_set_key_policy,
tfm_crypto_get_key_policy,
- tfm_crypto_set_key_lifetime,
tfm_crypto_get_key_lifetime,
tfm_crypto_cipher_set_iv,
tfm_crypto_cipher_encrypt_setup,
@@ -123,7 +127,7 @@
/* There will always be a tfm_crypto_pack_iovec in the first iovec */
if (in_len < 1) {
- return PSA_ERROR_UNKNOWN_ERROR;
+ return PSA_ERROR_GENERIC_ERROR;
}
/* Initialise the first iovec with the IOV read when parsing */
in_vec[0].base = iov;
@@ -169,7 +173,7 @@
/* Clear the allocated internal scratch before returning */
if (tfm_crypto_clear_scratch() != PSA_SUCCESS) {
- return PSA_ERROR_UNKNOWN_ERROR;
+ return PSA_ERROR_GENERIC_ERROR;
}
return status;
@@ -188,12 +192,12 @@
sizeof(struct tfm_crypto_pack_iovec));
if (read_size != sizeof(struct tfm_crypto_pack_iovec)) {
- return PSA_ERROR_UNKNOWN_ERROR;
+ return PSA_ERROR_GENERIC_ERROR;
}
if (iov->sfn_id >= TFM_CRYPTO_SFID_MAX) {
*sfn_id_p = TFM_CRYPTO_SFID_INVALID;
- return PSA_ERROR_UNKNOWN_ERROR;
+ return PSA_ERROR_GENERIC_ERROR;
}
*sfn_id_p = iov->sfn_id;
@@ -233,7 +237,7 @@
if (sfn_id != TFM_CRYPTO_SFID_INVALID) {
status = tfm_crypto_call_sfn(&msg, &iov, sfn_id);
} else {
- status = PSA_ERROR_UNKNOWN_ERROR;
+ status = PSA_ERROR_GENERIC_ERROR;
}
psa_reply(msg.handle, status);
break;
@@ -256,16 +260,37 @@
}
#endif /* TFM_PSA_API */
+/**
+ * \brief Default value for the size of the static buffer used by Mbed
+ * Crypto for its dynamic allocations
+ */
+#ifndef TFM_CRYPTO_ENGINE_BUF_SIZE
+#define TFM_CRYPTO_ENGINE_BUF_SIZE (1024)
+#endif
+
+/**
+ * \brief Static buffer to be used by Mbed Crypto for memory allocations
+ *
+ */
+static uint8_t mbedtls_mem_buf[TFM_CRYPTO_ENGINE_BUF_SIZE] = {0};
+
+static psa_status_t tfm_crypto_engine_init(void)
+{
+ /* Initialise the Mbed Crypto memory allocator to use static
+ * memory allocation from the provided buffer instead of using
+ * the heap
+ */
+ mbedtls_memory_buffer_alloc_init(mbedtls_mem_buf,
+ TFM_CRYPTO_ENGINE_BUF_SIZE);
+
+ /* Previous function does not return any value, so just call the
+ * initialisation function of the Mbed Crypto layer
+ */
+ return psa_crypto_init();
+}
+
static psa_status_t tfm_crypto_module_init(void)
{
- psa_status_t status = PSA_SUCCESS;
-
- /* Init the Key module */
- status = tfm_crypto_init_key();
- if (status != PSA_SUCCESS) {
- return status;
- }
-
/* Init the Alloc module */
return tfm_crypto_init_alloc();
}
@@ -280,7 +305,7 @@
return status;
}
- /* Initialise the engine interface module */
+ /* Initialise the engine layer */
status = tfm_crypto_engine_init();
if (status != PSA_SUCCESS) {
return status;
diff --git a/secure_fw/services/crypto/crypto_key.c b/secure_fw/services/crypto/crypto_key.c
index dc55de6..073203c 100644
--- a/secure_fw/services/crypto/crypto_key.c
+++ b/secure_fw/services/crypto/crypto_key.c
@@ -5,96 +5,18 @@
*
*/
-#include <stdbool.h>
#include <stddef.h>
-
-#include "tfm_crypto_api.h"
-#include "psa_crypto.h"
-#include "tfm_crypto_defs.h"
-#include "secure_fw/core/tfm_memory_utils.h"
+#include <stdint.h>
/* FixMe: Use PSA_CONNECTION_REFUSED when performing parameter
* integrity checks but this will have to be revised
* when the full set of error codes mandated by PSA FF
* is available.
*/
+#include "tfm_mbedcrypto_include.h"
-/**
- * \brief This is the default value of maximum number of simultaneous
- * key stores supported.
- */
-#ifndef TFM_CRYPTO_KEY_STORAGE_NUM
-#define TFM_CRYPTO_KEY_STORAGE_NUM (4)
-#endif
-
-/**
- * \brief This is the default value of the maximum supported key length
- * in bytes.
- */
-#ifndef TFM_CRYPTO_MAX_KEY_LENGTH
-#define TFM_CRYPTO_MAX_KEY_LENGTH (64)
-#endif
-
-struct tfm_crypto_key_storage_s {
- uint8_t in_use; /*!< Indicates if the key store is in use */
- psa_key_type_t type; /*!< Type of the key stored */
- psa_key_policy_t policy; /*!< Policy of the key stored */
- psa_key_lifetime_t lifetime; /*!< Lifetime of the key stored */
- size_t data_length; /*!< Length of the key stored */
- uint8_t data[TFM_CRYPTO_MAX_KEY_LENGTH]; /*!< Buffer containining the key */
-};
-
-static struct tfm_crypto_key_storage_s
- key_storage[TFM_CRYPTO_KEY_STORAGE_NUM] = {{0}};
-
-/**
- * \brief Get a pointer to the key store for the provided key slot.
- *
- * \param[in] key Key slot
- *
- * \return Pointer to key store or NULL if key is not a valid key slot
- */
-static struct tfm_crypto_key_storage_s *get_key_store(psa_key_slot_t key)
-{
- if (key == 0 || key > TFM_CRYPTO_KEY_STORAGE_NUM) {
- return NULL;
- }
-
- return &key_storage[key - 1];
-}
-
-/**
- * \brief Check that the key type is supported and that key_length is a
- * supported key length for that key type.
- *
- * \param[in] type Key type
- * \param[in] key_length Key data length in bytes
- *
- * \return True if the key type is supported and key_length is a supported
- * key length for that key type, false otherwise
- */
-static bool key_type_is_supported(psa_key_type_t type, size_t key_length)
-{
- if (key_length > TFM_CRYPTO_MAX_KEY_LENGTH) {
- return false;
- }
-
- switch (type) {
- case PSA_KEY_TYPE_RAW_DATA:
- case PSA_KEY_TYPE_HMAC:
- case PSA_KEY_TYPE_DERIVE:
- return true; /* No further restictions on these key types */
- case PSA_KEY_TYPE_AES:
- case PSA_KEY_TYPE_CAMELLIA:
- return (key_length == 16 || key_length == 24 || key_length == 32);
- case PSA_KEY_TYPE_DES:
- return (key_length == 8 || key_length == 16 || key_length == 24);
- case PSA_KEY_TYPE_ARC4:
- return key_length >= 1;
- default:
- return false; /* Other key types are not supported */
- }
-}
+#include "tfm_crypto_api.h"
+#include "tfm_crypto_defs.h"
/*!
* \defgroup public Public functions
@@ -102,53 +24,23 @@
*/
/*!@{*/
-psa_status_t tfm_crypto_init_key(void)
+psa_status_t tfm_crypto_allocate_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- /* Clear the contents of the local key_storage */
- (void)tfm_memset(key_storage, 0, sizeof(key_storage));
- return PSA_SUCCESS;
-}
-
-psa_status_t tfm_crypto_get_key(psa_key_slot_t key,
- psa_key_usage_t usage,
- psa_algorithm_t alg,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
-{
- struct tfm_crypto_key_storage_s *key_store;
- size_t i;
-
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
- if (key_store->in_use == TFM_CRYPTO_NOT_IN_USE) {
- return PSA_ERROR_EMPTY_SLOT;
+ if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
+ (out_vec[0].len != sizeof(psa_key_handle_t))) {
+ return PSA_CONNECTION_REFUSED;
}
- /* Check that usage is permitted for this key */
- if ((usage & key_store->policy.usage) != usage) {
- return PSA_ERROR_NOT_PERMITTED;
- }
+ psa_key_handle_t *key_handle = out_vec[0].base;
- /* Check that alg is compatible with this key */
- if (alg != 0 && alg != key_store->policy.alg) {
- return PSA_ERROR_NOT_PERMITTED;
- }
-
- if (key_store->data_length > data_size) {
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- for (i = 0; i < key_store->data_length; i++) {
- data[i] = key_store->data[i];
- }
-
- *data_length = key_store->data_length;
-
- return PSA_SUCCESS;
+ return psa_allocate_key(key_handle);
}
psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
@@ -156,8 +48,7 @@
psa_outvec out_vec[],
size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store = NULL;
- size_t i;
+ (void)out_vec;
if ((in_len != 2) || (out_len != 0)) {
return PSA_CONNECTION_REFUSED;
@@ -168,34 +59,12 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
psa_key_type_t type = iov->type;
const uint8_t *data = in_vec[1].base;
size_t data_length = in_vec[1].len;
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (key_store->in_use != TFM_CRYPTO_NOT_IN_USE) {
- return PSA_ERROR_OCCUPIED_SLOT;
- }
-
- if (!key_type_is_supported(type, data_length)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- key_store->in_use = TFM_CRYPTO_IN_USE;
- key_store->type = type;
-
- for (i=0; i<data_length; i++) {
- key_store->data[i] = data[i];
- }
-
- key_store->data_length = data_length;
-
- return PSA_SUCCESS;
+ return psa_import_key(key, type, data, data_length);
}
psa_status_t tfm_crypto_destroy_key(psa_invec in_vec[],
@@ -203,8 +72,7 @@
psa_outvec out_vec[],
size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store = NULL;
- uint32_t i;
+ (void)out_vec;
if ((in_len != 1) || (out_len != 0)) {
return PSA_CONNECTION_REFUSED;
@@ -215,25 +83,9 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- volatile uint8_t *p_mem = (uint8_t *)key_store;
- uint32_t size_mem = sizeof(struct tfm_crypto_key_storage_s);
-
- /* memset the key_storage */
- for (i=0; i<size_mem; i++) {
- p_mem[i] = 0;
- }
-
- /* Set default values */
- key_store->in_use = TFM_CRYPTO_NOT_IN_USE;
-
- return PSA_SUCCESS;
+ return psa_destroy_key(key);
}
psa_status_t tfm_crypto_get_key_information(psa_invec in_vec[],
@@ -241,8 +93,6 @@
psa_outvec out_vec[],
size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store = NULL;
-
if ((in_len != 1) || (out_len != 2)) {
return PSA_CONNECTION_REFUSED;
}
@@ -254,28 +104,11 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
psa_key_type_t *type = out_vec[0].base;
size_t *bits = out_vec[1].base;
- /* Initialise output parameters contents to zero */
- *type = (psa_key_type_t) 0;
- *bits = (size_t) 0;
-
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if (key_store->in_use == TFM_CRYPTO_NOT_IN_USE) {
- return PSA_ERROR_EMPTY_SLOT;
- }
-
- /* Get basic metadata */
- *type = key_store->type;
- *bits = PSA_BYTES_TO_BITS(key_store->data_length);
-
- return PSA_SUCCESS;
+ return psa_get_key_information(key, type, bits);
}
psa_status_t tfm_crypto_export_key(psa_invec in_vec[],
@@ -292,12 +125,12 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
+ size_t *data_length = &(out_vec[0].len);
- return tfm_crypto_get_key(key, PSA_KEY_USAGE_EXPORT, 0, data, data_size,
- &(out_vec[0].len));
+ return psa_export_key(key, data, data_size, data_length);
}
psa_status_t tfm_crypto_export_public_key(psa_invec in_vec[],
@@ -314,105 +147,12 @@
return PSA_ERROR_NOT_SUPPORTED;
}
-psa_status_t tfm_crypto_key_policy_init(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_CONNECTION_REFUSED;
- }
-
- if ((out_vec[0].len != sizeof(psa_key_policy_t)) ||
- (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
- return PSA_CONNECTION_REFUSED;
- }
-
- psa_key_policy_t *policy = out_vec[0].base;
-
- policy->usage = 0;
- policy->alg = 0;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t tfm_crypto_key_policy_set_usage(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
- if ((in_len != 1) || (out_len != 1)) {
- return PSA_CONNECTION_REFUSED;
- }
-
- if ((out_vec[0].len != sizeof(psa_key_policy_t)) ||
- (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec))) {
- return PSA_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_policy_t *policy = out_vec[0].base;
- psa_key_usage_t usage = iov->usage;
- psa_algorithm_t alg = iov->alg;
-
- policy->usage = usage;
- policy->alg = alg;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t tfm_crypto_key_policy_get_usage(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
- if ((in_len != 2) || (out_len != 1)) {
- return PSA_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_key_policy_t)) ||
- (out_vec[0].len != sizeof(psa_key_usage_t))) {
- return PSA_CONNECTION_REFUSED;
- }
-
- const psa_key_policy_t *policy = in_vec[1].base;
- psa_key_usage_t *usage = out_vec[0].base;
-
- *usage = policy->usage;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t tfm_crypto_key_policy_get_algorithm(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
- if ((in_len != 2) || (out_len != 1)) {
- return PSA_CONNECTION_REFUSED;
- }
-
- if ((in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) ||
- (in_vec[1].len != sizeof(psa_key_policy_t)) ||
- (out_vec[0].len != sizeof(psa_algorithm_t))) {
- return PSA_CONNECTION_REFUSED;
- }
-
- const psa_key_policy_t *policy = in_vec[1].base;
- psa_algorithm_t *alg = out_vec[0].base;
-
- *alg = policy->alg;
-
- return PSA_SUCCESS;
-}
-
psa_status_t tfm_crypto_set_key_policy(psa_invec in_vec[],
size_t in_len,
psa_outvec out_vec[],
size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store = NULL;
+ (void)out_vec;
if ((in_len != 2) || (out_len != 0)) {
return PSA_CONNECTION_REFUSED;
@@ -424,34 +164,10 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
const psa_key_policy_t *policy = in_vec[1].base;
- /* Check that the policy is valid */
- if (policy->usage & ~(PSA_KEY_USAGE_EXPORT
- | PSA_KEY_USAGE_ENCRYPT
- | PSA_KEY_USAGE_DECRYPT
- | PSA_KEY_USAGE_SIGN
- | PSA_KEY_USAGE_VERIFY
- | PSA_KEY_USAGE_DERIVE)) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Changing the policy of an occupied slot is not permitted as
- * this is a requirement of the PSA Crypto API
- */
- if (key_store->in_use != TFM_CRYPTO_NOT_IN_USE) {
- return PSA_ERROR_OCCUPIED_SLOT;
- }
-
- key_store->policy = *policy;
-
- return PSA_SUCCESS;
+ return psa_set_key_policy(key, policy);
}
psa_status_t tfm_crypto_get_key_policy(psa_invec in_vec[],
@@ -459,8 +175,6 @@
psa_outvec out_vec[],
size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store = NULL;
-
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
@@ -471,65 +185,10 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
psa_key_policy_t *policy = out_vec[0].base;
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- *policy = key_store->policy;
-
- return PSA_SUCCESS;
-}
-
-psa_status_t tfm_crypto_set_key_lifetime(psa_invec in_vec[],
- size_t in_len,
- psa_outvec out_vec[],
- size_t out_len)
-{
- struct tfm_crypto_key_storage_s *key_store = NULL;
-
- if ((in_len != 1) || (out_len != 0)) {
- return PSA_CONNECTION_REFUSED;
- }
-
- if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
- return PSA_CONNECTION_REFUSED;
- }
- const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
-
- psa_key_slot_t key = iov->key;
- psa_key_lifetime_t lifetime = iov->lifetime;
-
- /* Check that the lifetime is valid */
- if (lifetime != PSA_KEY_LIFETIME_VOLATILE
- && lifetime != PSA_KEY_LIFETIME_PERSISTENT
- && lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* TF-M Crypto service does not support changing the lifetime of an occupied
- * slot.
- */
- if (key_store->in_use != TFM_CRYPTO_NOT_IN_USE) {
- return PSA_ERROR_OCCUPIED_SLOT;
- }
-
- /* Only volatile keys are currently supported */
- if (lifetime != PSA_KEY_LIFETIME_VOLATILE) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- key_store->lifetime = lifetime;
-
- return PSA_SUCCESS;
+ return psa_get_key_policy(key, policy);
}
psa_status_t tfm_crypto_get_key_lifetime(psa_invec in_vec[],
@@ -537,8 +196,6 @@
psa_outvec out_vec[],
size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store = NULL;
-
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
@@ -549,16 +206,9 @@
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key = iov->key_handle;
psa_key_lifetime_t *lifetime = out_vec[0].base;
- key_store = get_key_store(key);
- if (key_store == NULL) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- *lifetime = key_store->lifetime;
-
- return PSA_SUCCESS;
+ return psa_get_key_lifetime(key, lifetime);
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_mac.c b/secure_fw/services/crypto/crypto_mac.c
index ae6a00b..c9218fe 100644
--- a/secure_fw/services/crypto/crypto_mac.c
+++ b/secure_fw/services/crypto/crypto_mac.c
@@ -5,439 +5,18 @@
*
*/
-#include "secure_fw/core/tfm_memory_utils.h"
-#include "tfm_crypto_api.h"
-#include "crypto_engine.h"
-#include "tfm_crypto_struct.h"
+#include <stddef.h>
+#include <stdint.h>
/* FixMe: Use PSA_CONNECTION_REFUSED when performing parameter
* integrity checks but this will have to be revised
* when the full set of error codes mandated by PSA FF
* is available.
*/
+#include "tfm_mbedcrypto_include.h"
-static psa_status_t _psa_get_key_information(psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_GET_KEY_INFORMATION_SFID,
- .key = key,
- };
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = type, .len = sizeof(psa_key_type_t)},
- {.base = bits, .len = sizeof(size_t)}
- };
-
- status = tfm_crypto_get_key_information(
- in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
-
- return status;
-}
-
-static psa_status_t _psa_hash_setup(uint32_t *handle,
- psa_algorithm_t alg)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_HASH_SETUP_SFID,
- .alg = alg,
- .handle = *handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(uint32_t)},
- };
-
- status = tfm_crypto_hash_setup(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
-
- return status;
-}
-
-static psa_status_t _psa_hash_update(uint32_t *handle,
- const uint8_t *input,
- size_t input_length)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_HASH_UPDATE_SFID,
- .handle = *handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = input, .len = input_length},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(uint32_t)},
- };
-
- status = tfm_crypto_hash_update(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
-
- return status;
-}
-
-static psa_status_t _psa_hash_finish(uint32_t *handle,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_HASH_FINISH_SFID,
- .handle = *handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(uint32_t)},
- {.base = hash, .len = hash_size},
- };
-
- status = tfm_crypto_hash_finish(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
- *hash_length = out_vec[1].len;
-
- return status;
-}
-
-static psa_status_t _psa_hash_abort(uint32_t *handle)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_HASH_ABORT_SFID,
- .handle = *handle,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = handle, .len = sizeof(uint32_t)},
- };
-
- status = tfm_crypto_hash_abort(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
-
- return status;
-}
-
-/**
- * \def UNUSED_VAR
- *
- * \brief an UNUSED_VAR() macro for better code readability
- */
-#define UNUSED_VAR(x) (void)x
-
-/**
- * \def CRYPTO_HMAC_MAX_KEY_LENGTH
- *
- * \brief Specifies the maximum key length supported by the
- * HMAC operations in this implementation
- */
-#ifndef CRYPTO_HMAC_MAX_KEY_LENGTH
-#define CRYPTO_HMAC_MAX_KEY_LENGTH (32)
-#endif
-
-static void mac_zeroize(void *data, size_t size)
-{
- (void)tfm_memset(data, 0, size);
-}
-
-static size_t get_hash_block_size(psa_algorithm_t alg)
-{
- switch (alg) {
- case PSA_ALG_MD2:
- return 16;
- case PSA_ALG_MD4:
- return 64;
- case PSA_ALG_MD5:
- return 64;
- case PSA_ALG_RIPEMD160:
- return 64;
- case PSA_ALG_SHA_1:
- return 64;
- case PSA_ALG_SHA_224:
- return 64;
- case PSA_ALG_SHA_256:
- return 64;
- case PSA_ALG_SHA_384:
- return 128;
- case PSA_ALG_SHA_512:
- return 128;
- default:
- return 0;
- }
-}
-
-static psa_status_t tfm_crypto_mac_release(uint32_t *handle,
- struct tfm_mac_operation_s *ctx)
-{
- /* No release necessary on the ctx related items for the time being */
- UNUSED_VAR(ctx);
-
- /* Release the operation context */
- return tfm_crypto_operation_release(handle);
-}
-
-static psa_status_t tfm_crypto_hmac_setup(struct tfm_mac_operation_s *ctx,
- psa_key_slot_t key,
- psa_algorithm_t alg)
-{
- psa_status_t status = PSA_SUCCESS;
- psa_key_type_t key_type;
- size_t key_size;
- uint8_t key_data[CRYPTO_HMAC_MAX_KEY_LENGTH];
- uint8_t hashed_key[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
- size_t block_size;
- uint8_t ipad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
- uint8_t *opad = ctx->ctx.hmac.opad;
- size_t i;
- psa_key_usage_t usage;
-
- /* Check provided key */
- status = _psa_get_key_information(key, &key_type, &key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- if (key_type != PSA_KEY_TYPE_HMAC){
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Set the key usage based on whether this is a sign or verify operation */
- if ((ctx->key_usage_sign == 1) && (ctx->key_usage_verify == 0)) {
- usage = PSA_KEY_USAGE_SIGN;
- } else if ((ctx->key_usage_sign == 0) && (ctx->key_usage_verify == 1)) {
- usage = PSA_KEY_USAGE_VERIFY;
- } else {
- return PSA_ERROR_BAD_STATE;
- }
-
- /* Get the key data to start the HMAC */
- status = tfm_crypto_get_key(key,
- usage,
- alg,
- key_data,
- CRYPTO_HMAC_MAX_KEY_LENGTH,
- &key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Bind the digest size to the MAC operation */
- ctx->mac_size = PSA_HASH_SIZE(PSA_ALG_HMAC_HASH(alg));
-
- block_size = get_hash_block_size(PSA_ALG_HMAC_HASH(alg));
-
- /* The HMAC algorithm is the standard procedure as described in
- * RFC-2104 (https://tools.ietf.org/html/rfc2104)
- */
- if (key_size > block_size) {
- /* Hash the key to reduce it to block size */
- status = _psa_hash_setup(&(ctx->ctx.hmac.hash_operation.handle),
- PSA_ALG_HMAC_HASH(alg));
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation.handle),
- &key_data[0],
- key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Replace the key with the hashed key */
- status = _psa_hash_finish(&(ctx->ctx.hmac.hash_operation.handle),
- hashed_key,
- sizeof(hashed_key),
- &key_size);
- if (status != PSA_SUCCESS) {
- return status;
- }
- } else {
- /* Copy the key inside the hashed_key buffer */
- for (i=0; i<key_size; i++) {
- hashed_key[i] = key_data[i];
- }
- }
-
- /* Create ipad = hashed_key XOR 0x36 and opad = hashed_key XOR 0x5C */
- for (i=0; i<key_size; i++) {
- ipad[i] = hashed_key[i] ^ 0x36;
- opad[i] = hashed_key[i] ^ 0x5C;
- }
- /* Fill ipad and opad to match block size */
- for (i=key_size; i<block_size; i++) {
- ipad[i] = 0x36;
- opad[i] = 0x5C;
- }
-
- /* Start hash1 = H(i_key_pad || message) */
- status = _psa_hash_setup(&(ctx->ctx.hmac.hash_operation.handle),
- PSA_ALG_HMAC_HASH(alg));
- if (status != PSA_SUCCESS) {
- /* Clear key information on stack */
- for (i=0; i<key_size; i++) {
- hashed_key[i] = 0;
- ipad[i] = 0;
- }
- return status;
- }
-
- status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation.handle),
- ipad,
- block_size);
- return status;
-}
-
-static psa_status_t tfm_crypto_mac_setup(uint32_t *handle,
- psa_key_slot_t key,
- psa_algorithm_t alg,
- uint8_t sign_operation)
-{
- psa_status_t status = PSA_SUCCESS;
- struct tfm_mac_operation_s *ctx = NULL;
-
- if (!PSA_ALG_IS_MAC(alg)) {
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Allocate the operation context in the secure world */
- status = tfm_crypto_operation_alloc(TFM_CRYPTO_MAC_OPERATION,
- handle,
- (void **)&ctx);
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Bind the algorithm to the mac operation */
- ctx->alg = alg;
-
- /* Specify if this will be used for a sign or verify operation */
- if (sign_operation) {
- ctx->key_usage_verify = 0;
- ctx->key_usage_sign = 1;
- } else {
- ctx->key_usage_verify = 1;
- ctx->key_usage_sign = 0;
- }
-
- if (PSA_ALG_IS_HMAC(alg)) {
- status = tfm_crypto_hmac_setup(ctx, key, alg);
- if (status != PSA_SUCCESS) {
- /* Release the operation context */
- (void)tfm_crypto_mac_release(handle, ctx);
- return status;
- }
-
- ctx->key_set = 1;
- } else {
- /* Other MAC types constructions are not supported */
- /* Release the operation context */
- (void)tfm_crypto_mac_release(handle, ctx);
- return PSA_ERROR_NOT_SUPPORTED;
- }
-
- return PSA_SUCCESS;
-}
-
-static psa_status_t tfm_crypto_mac_finish(uint32_t *handle,
- struct tfm_mac_operation_s *ctx,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
-{
- psa_status_t status = PSA_SUCCESS;
- uint8_t hash1[PSA_HASH_MAX_SIZE];
- size_t hash_size;
- uint8_t *opad;
- size_t block_size;
-
- /* Sanity checks */
- if (mac_size < ctx->mac_size) {
- (void)tfm_crypto_mac_release(handle, ctx);
- return PSA_ERROR_BUFFER_TOO_SMALL;
- }
-
- if (!(ctx->has_input)) {
- (void)tfm_crypto_mac_release(handle, ctx);
- return PSA_ERROR_BAD_STATE;
- }
-
- if (PSA_ALG_IS_HMAC(ctx->alg)) {
- opad = ctx->ctx.hmac.opad;
- block_size = get_hash_block_size(PSA_ALG_HMAC_HASH(ctx->alg));
-
- /* finish the hash1 = H(ipad || message) */
- status = _psa_hash_finish(&(ctx->ctx.hmac.hash_operation.handle),
- hash1,
- sizeof(hash1),
- &hash_size);
- if (status != PSA_SUCCESS) {
- (void)tfm_crypto_mac_release(handle, ctx);
- return status;
- }
-
- /* compute the final mac value = H(opad || hash1) */
- status = _psa_hash_setup(&(ctx->ctx.hmac.hash_operation.handle),
- PSA_ALG_HMAC_HASH(ctx->alg));
- if (status != PSA_SUCCESS) {
- mac_zeroize(hash1, sizeof(hash1));
- (void)tfm_crypto_mac_release(handle, ctx);
- return status;
- }
-
- status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation.handle),
- opad,
- block_size);
- if (status != PSA_SUCCESS) {
- mac_zeroize(hash1, sizeof(hash1));
- (void)tfm_crypto_mac_release(handle, ctx);
- return status;
- }
-
- status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation.handle),
- hash1,
- hash_size);
- if (status != PSA_SUCCESS) {
- mac_zeroize(hash1, sizeof(hash1));
- (void)tfm_crypto_mac_release(handle, ctx);
- return status;
- }
-
- status = _psa_hash_finish(&(ctx->ctx.hmac.hash_operation.handle),
- mac,
- mac_size,
- mac_length);
- if (status != PSA_SUCCESS) {
- mac_zeroize(hash1, sizeof(hash1));
- (void)tfm_crypto_mac_release(handle, ctx);
- return status;
- }
-
- /* Clear intermediate hash value */
- mac_zeroize(hash1, sizeof(hash1));
-
- } else {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- return tfm_crypto_mac_release(handle, ctx);
-}
+#include "tfm_crypto_api.h"
+#include "tfm_crypto_defs.h"
/*!
* \defgroup public_psa Public functions, PSA
@@ -451,6 +30,8 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
+ psa_mac_operation_t *operation = NULL;
+
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
@@ -460,18 +41,32 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key_handle = iov->key_handle;
psa_algorithm_t alg = iov->alg;
- status = tfm_crypto_mac_setup(&handle, key, alg, 1);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
- } else {
- *handle_out = iov->handle;
+ /* Init the handle in the operation with the one passed from the iov */
+ *handle_out = iov->op_handle;
+
+ /* Allocate the operation context in the secure world */
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_MAC_OPERATION,
+ &handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
}
- return status;
+
+ *handle_out = handle;
+
+ status = psa_mac_sign_setup(operation, key_handle, alg);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
+ }
+
+ return PSA_SUCCESS;
}
psa_status_t tfm_crypto_mac_verify_setup(psa_invec in_vec[],
@@ -480,6 +75,8 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
+ psa_mac_operation_t *operation = NULL;
+
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
}
@@ -489,18 +86,32 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
- psa_key_slot_t key = iov->key;
+ psa_key_handle_t key_handle = iov->key_handle;
psa_algorithm_t alg = iov->alg;
- status = tfm_crypto_mac_setup(&handle, key, alg, 0);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
- } else {
- *handle_out = iov->handle;
+ /* Init the handle in the operation with the one passed from the iov */
+ *handle_out = iov->op_handle;
+
+ /* Allocate the operation context in the secure world */
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_MAC_OPERATION,
+ &handle,
+ (void **)&operation);
+ if (status != PSA_SUCCESS) {
+ return status;
}
- return status;
+
+ *handle_out = handle;
+
+ status = psa_mac_verify_setup(operation, key_handle, alg);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
+ }
+
+ return PSA_SUCCESS;
}
psa_status_t tfm_crypto_mac_update(psa_invec in_vec[],
@@ -509,7 +120,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_mac_operation_s *ctx = NULL;
+ psa_mac_operation_t *operation = NULL;
if ((in_len != 2) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -520,55 +131,27 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
const uint8_t *input = in_vec[1].base;
size_t input_length = in_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- /* Sanity check */
- if (!(ctx->key_set)) {
- if (tfm_crypto_mac_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BAD_STATE;
- }
- if (input_length == 0) {
- if (tfm_crypto_mac_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Process the input chunk */
- if (PSA_ALG_IS_HMAC(ctx->alg)) {
- status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation.handle),
- input,
- input_length);
- if (status != PSA_SUCCESS) {
- if (tfm_crypto_mac_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return status;
- }
-
- /* Set this flag to avoid HMAC without data */
- ctx->has_input = 1;
- } else {
- if (tfm_crypto_mac_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_INVALID_ARGUMENT;
+ status = psa_mac_update(operation, input, input_length);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
return PSA_SUCCESS;
@@ -580,7 +163,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_mac_operation_s *ctx = NULL;
+ psa_mac_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 2)) {
return PSA_CONNECTION_REFUSED;
@@ -591,41 +174,34 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
uint8_t *mac = out_vec[1].base;
size_t mac_size = out_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Initialise mac_length to zero */
out_vec[1].len = 0;
- if (mac_size == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
-
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- if ((ctx->key_usage_sign == 1) && (ctx->key_usage_verify == 0)) {
- /* Finalise the mac operation */
- status = tfm_crypto_mac_finish(&handle,
- ctx, mac, mac_size, &(out_vec[1].len));
- } else {
- if (tfm_crypto_mac_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BAD_STATE;
+ status = psa_mac_sign_finish(operation, mac, mac_size, &out_vec[1].len);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
- *handle_out = handle;
+ status = tfm_crypto_operation_release(handle_out);
+
return status;
}
@@ -635,11 +211,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_mac_operation_s *ctx = NULL;
- uint8_t computed_mac[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
- size_t computed_mac_length;
- size_t i;
- uint32_t comp_mismatch = 0;
+ psa_mac_operation_t *operation = NULL;
if ((in_len != 2) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -650,60 +222,32 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
const uint8_t *mac = in_vec[1].base;
size_t mac_length = in_vec[1].len;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
-
- if (mac_length == 0) {
- return PSA_ERROR_INVALID_ARGUMENT;
- }
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- if ((ctx->key_usage_sign == 0) && (ctx->key_usage_verify == 1)) {
- /* Finalise the mac operation */
- status = tfm_crypto_mac_finish(&handle,
- ctx,
- computed_mac,
- sizeof(computed_mac),
- &computed_mac_length);
- *handle_out = handle;
- if (status != PSA_SUCCESS) {
- return status;
- }
-
- /* Check that the computed mac match the expected one */
- if (computed_mac_length != mac_length) {
- return PSA_ERROR_INVALID_SIGNATURE;
- }
-
- for (i=0; i<computed_mac_length ; i++) {
- if (computed_mac[i] != mac[i]) {
- comp_mismatch = 1;
- }
- }
-
- if (comp_mismatch == 1) {
- return PSA_ERROR_INVALID_SIGNATURE;
- }
- } else {
- if (tfm_crypto_mac_release(&handle, ctx) == PSA_SUCCESS) {
- *handle_out = handle;
- }
- return PSA_ERROR_BAD_STATE;
+ status = psa_mac_verify_finish(operation, mac, mac_length);
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
- return PSA_SUCCESS;
+ status = tfm_crypto_operation_release(handle_out);
+
+ return status;
}
psa_status_t tfm_crypto_mac_abort(psa_invec in_vec[],
@@ -712,7 +256,7 @@
size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- struct tfm_mac_operation_s *ctx = NULL;
+ psa_mac_operation_t *operation = NULL;
if ((in_len != 1) || (out_len != 1)) {
return PSA_CONNECTION_REFUSED;
@@ -723,38 +267,30 @@
return PSA_CONNECTION_REFUSED;
}
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
- uint32_t handle = iov->handle;
+ uint32_t handle = iov->op_handle;
uint32_t *handle_out = out_vec[0].base;
/* Init the handle in the operation with the one passed from the iov */
- *handle_out = iov->handle;
+ *handle_out = iov->op_handle;
/* Look up the corresponding operation context */
status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
handle,
- (void **)&ctx);
+ (void **)&operation);
if (status != PSA_SUCCESS) {
return status;
}
- if (PSA_ALG_IS_HMAC(ctx->alg)){
- /* Check if the HMAC internal context needs to be deallocated */
- if (ctx->ctx.hmac.hash_operation.handle != TFM_CRYPTO_INVALID_HANDLE) {
- /* Clear hash context */
- status = _psa_hash_abort(&(ctx->ctx.hmac.hash_operation.handle));
- if (status != PSA_SUCCESS) {
- return status;
- }
- }
- } else {
- /* MACs other than HMACs not currently supported */
- return PSA_ERROR_NOT_SUPPORTED;
+ status = psa_mac_abort(operation);
+
+ if (status != PSA_SUCCESS) {
+ /* Release the operation context, ignore if the operation fails. */
+ (void)tfm_crypto_operation_release(handle_out);
+ return status;
}
- status = tfm_crypto_mac_release(&handle, ctx);
- if (status == PSA_SUCCESS) {
- *handle_out = handle;
- }
+ status = tfm_crypto_operation_release(handle_out);
+
return status;
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_spe.h b/secure_fw/services/crypto/crypto_spe.h
new file mode 100644
index 0000000..400fe7d
--- /dev/null
+++ b/secure_fw/services/crypto/crypto_spe.h
@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2019, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * \file crypto_spe.h
+ *
+ * \brief When Mbed Crypto is built with the MBEDTLS_PSA_CRYPTO_SPM option
+ * enabled, this header is included by all .c files in Mbed Crypto that
+ * use PSA Crypto function names. This avoids duplication of symbols
+ * between TF-M and Mbed Crypto.
+ *
+ * \note This file should be included before including any PSA Crypto headers
+ * from Mbed Crypto.
+ */
+
+#ifndef CRYPTO_SPE_H
+#define CRYPTO_SPE_H
+
+#define PSA_FUNCTION_NAME(x) mbedcrypto__ ## x
+
+#define psa_crypto_init \
+ PSA_FUNCTION_NAME(psa_crypto_init)
+#define psa_key_policy_init \
+ PSA_FUNCTION_NAME(psa_key_policy_init)
+#define psa_key_policy_set_usage \
+ PSA_FUNCTION_NAME(psa_key_policy_set_usage)
+#define psa_key_policy_get_usage \
+ PSA_FUNCTION_NAME(psa_key_policy_get_usage)
+#define psa_key_policy_get_algorithm \
+ PSA_FUNCTION_NAME(psa_key_policy_get_algorithm)
+#define psa_set_key_policy \
+ PSA_FUNCTION_NAME(psa_set_key_policy)
+#define psa_get_key_policy \
+ PSA_FUNCTION_NAME(psa_get_key_policy)
+#define psa_get_key_lifetime \
+ PSA_FUNCTION_NAME(psa_get_key_lifetime)
+#define psa_allocate_key \
+ PSA_FUNCTION_NAME(psa_allocate_key)
+#define psa_open_key \
+ PSA_FUNCTION_NAME(psa_open_key)
+#define psa_create_key \
+ PSA_FUNCTION_NAME(psa_create_key)
+#define psa_close_key \
+ PSA_FUNCTION_NAME(psa_close_key)
+#define psa_import_key \
+ PSA_FUNCTION_NAME(psa_import_key)
+#define psa_destroy_key \
+ PSA_FUNCTION_NAME(psa_destroy_key)
+#define psa_get_key_information \
+ PSA_FUNCTION_NAME(psa_get_key_information)
+#define psa_export_key \
+ PSA_FUNCTION_NAME(psa_export_key)
+#define psa_export_public_key \
+ PSA_FUNCTION_NAME(psa_export_public_key)
+#define psa_copy_key \
+ PSA_FUNCTION_NAME(psa_copy_key)
+#define psa_hash_operation_init \
+ PSA_FUNCTION_NAME(psa_hash_operation_init)
+#define psa_hash_setup \
+ PSA_FUNCTION_NAME(psa_hash_setup)
+#define psa_hash_update \
+ PSA_FUNCTION_NAME(psa_hash_update)
+#define psa_hash_finish \
+ PSA_FUNCTION_NAME(psa_hash_finish)
+#define psa_hash_verify \
+ PSA_FUNCTION_NAME(psa_hash_verify)
+#define psa_hash_abort \
+ PSA_FUNCTION_NAME(psa_hash_abort)
+#define psa_hash_clone \
+ PSA_FUNCTION_NAME(psa_hash_clone)
+#define psa_mac_operation_init \
+ PSA_FUNCTION_NAME(psa_mac_operation_init)
+#define psa_mac_sign_setup \
+ PSA_FUNCTION_NAME(psa_mac_sign_setup)
+#define psa_mac_verify_setup \
+ PSA_FUNCTION_NAME(psa_mac_verify_setup)
+#define psa_mac_update \
+ PSA_FUNCTION_NAME(psa_mac_update)
+#define psa_mac_sign_finish \
+ PSA_FUNCTION_NAME(psa_mac_sign_finish)
+#define psa_mac_verify_finish \
+ PSA_FUNCTION_NAME(psa_mac_verify_finish)
+#define psa_mac_abort \
+ PSA_FUNCTION_NAME(psa_mac_abort)
+#define psa_cipher_operation_init \
+ PSA_FUNCTION_NAME(psa_cipher_operation_init)
+#define psa_cipher_encrypt_setup \
+ PSA_FUNCTION_NAME(psa_cipher_encrypt_setup)
+#define psa_cipher_decrypt_setup \
+ PSA_FUNCTION_NAME(psa_cipher_decrypt_setup)
+#define psa_cipher_generate_iv \
+ PSA_FUNCTION_NAME(psa_cipher_generate_iv)
+#define psa_cipher_set_iv \
+ PSA_FUNCTION_NAME(psa_cipher_set_iv)
+#define psa_cipher_update \
+ PSA_FUNCTION_NAME(psa_cipher_update)
+#define psa_cipher_finish \
+ PSA_FUNCTION_NAME(psa_cipher_finish)
+#define psa_cipher_abort \
+ PSA_FUNCTION_NAME(psa_cipher_abort)
+#define psa_aead_encrypt \
+ PSA_FUNCTION_NAME(psa_aead_encrypt)
+#define psa_aead_decrypt \
+ PSA_FUNCTION_NAME(psa_aead_decrypt)
+#define psa_asymmetric_sign \
+ PSA_FUNCTION_NAME(psa_asymmetric_sign)
+#define psa_asymmetric_verify \
+ PSA_FUNCTION_NAME(psa_asymmetric_verify)
+#define psa_asymmetric_encrypt \
+ PSA_FUNCTION_NAME(psa_asymmetric_encrypt)
+#define psa_asymmetric_decrypt \
+ PSA_FUNCTION_NAME(psa_asymmetric_decrypt)
+#define psa_crypto_generator_init \
+ PSA_FUNCTION_NAME(psa_crypto_generator_init)
+#define psa_get_generator_capacity \
+ PSA_FUNCTION_NAME(psa_get_generator_capacity)
+#define psa_generator_read \
+ PSA_FUNCTION_NAME(psa_generator_read)
+#define psa_generator_import_key \
+ PSA_FUNCTION_NAME(psa_generator_import_key)
+#define psa_generator_abort \
+ PSA_FUNCTION_NAME(psa_generator_abort)
+#define psa_key_derivation \
+ PSA_FUNCTION_NAME(psa_key_derivation)
+#define psa_key_agreement \
+ PSA_FUNCTION_NAME(psa_key_agreement)
+#define psa_generate_random \
+ PSA_FUNCTION_NAME(psa_generate_random)
+#define psa_generate_key \
+ PSA_FUNCTION_NAME(psa_generate_key)
+
+#endif /* CRYPTO_SPE_H */
diff --git a/secure_fw/services/crypto/manifest.yaml b/secure_fw/services/crypto/manifest.yaml
index 7964ba4..688a919 100644
--- a/secure_fw/services/crypto/manifest.yaml
+++ b/secure_fw/services/crypto/manifest.yaml
@@ -16,6 +16,14 @@
"tfm_partition_ipc": true,
"secure_functions": [
{
+ "sfid": "TFM_CRYPTO_ALLOCATE_KEY_SFID",
+ "signal": "TFM_CRYPTO_ALLOCATE_KEY",
+ "tfm_symbol": "tfm_crypto_allocate_key",
+ "non_secure_clients": true,
+ "minor_version": 1,
+ "minor_policy": "strict"
+ },
+ {
"sfid": "TFM_CRYPTO_IMPORT_KEY_SFID",
"signal": "TFM_CRYPTO_IMPORT_KEY",
"tfm_symbol": "tfm_crypto_import_key",
@@ -48,38 +56,6 @@
"minor_policy": "strict"
},
{
- "sfid": "TFM_CRYPTO_KEY_POLICY_INIT_SFID",
- "signal": "TFM_CRYPTO_KEY_POLICY_INIT",
- "tfm_symbol": "tfm_crypto_key_policy_init",
- "non_secure_clients": true,
- "minor_version": 1,
- "minor_policy": "strict"
- },
- {
- "sfid": "TFM_CRYPTO_KEY_POLICY_SET_USAGE_SFID",
- "signal": "TFM_CRYPTO_KEY_POLICY_SET_USAGE",
- "tfm_symbol": "tfm_crypto_key_policy_set_usage",
- "non_secure_clients": true,
- "minor_version": 1,
- "minor_policy": "strict"
- },
- {
- "sfid": "TFM_CRYPTO_KEY_POLICY_GET_USAGE_SFID",
- "signal": "TFM_CRYPTO_KEY_POLICY_GET_USAGE",
- "tfm_symbol": "tfm_crypto_key_policy_get_usage",
- "non_secure_clients": true,
- "minor_version": 1,
- "minor_policy": "strict"
- },
- {
- "sfid": "TFM_CRYPTO_KEY_POLICY_GET_ALGORITHM_SFID",
- "signal": "TFM_CRYPTO_KEY_POLICY_GET_ALGORITHM",
- "tfm_symbol": "tfm_crypto_key_policy_get_algorithm",
- "non_secure_clients": true,
- "minor_version": 1,
- "minor_policy": "strict"
- },
- {
"sfid": "TFM_CRYPTO_SET_KEY_POLICY_SFID",
"signal": "TFM_CRYPTO_SET_KEY_POLICY",
"tfm_symbol": "tfm_crypto_set_key_policy",
@@ -104,14 +80,6 @@
"minor_policy": "strict"
},
{
- "sfid": "TFM_CRYPTO_SET_KEY_LIFETIME_SFID",
- "signal": "TFM_CRYPTO_SET_KEY_LIFETIME",
- "tfm_symbol": "tfm_crypto_set_key_lifetime",
- "non_secure_clients": true,
- "minor_version": 1,
- "minor_policy": "strict"
- },
- {
"sfid": "TFM_CRYPTO_CIPHER_SET_IV_SFID",
"signal": "TFM_CRYPTO_CIPHER_SET_IV",
"tfm_symbol": "tfm_crypto_cipher_set_iv",
diff --git a/secure_fw/services/crypto/mbedtls_global_symbols.h b/secure_fw/services/crypto/mbedtls_global_symbols.h
deleted file mode 100644
index 59778ad..0000000
--- a/secure_fw/services/crypto/mbedtls_global_symbols.h
+++ /dev/null
@@ -1,878 +0,0 @@
-/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __MBEDTLS_GLOBAL_SYMBOLS_H__
-#define __MBEDTLS_GLOBAL_SYMBOLS_H__
-
-#ifndef LIB_PREFIX_NAME
-#warning "LIB_PREFIX_NAME is undefined!!!"
-#define LIB_PREFIX_NAME
-#endif
-
-#define _CONCAT(A,B) A##B
-#define CONCAT(A,B) _CONCAT(A,B)
-
-#define mbedtls_aes_crypt_cbc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_crypt_cbc)
-#define mbedtls_aes_crypt_cfb128 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_crypt_cfb128)
-#define mbedtls_aes_crypt_cfb8 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_crypt_cfb8)
-#define mbedtls_aes_crypt_ctr \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_crypt_ctr)
-#define mbedtls_aes_crypt_ecb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_crypt_ecb)
-#define mbedtls_aes_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_decrypt)
-#define mbedtls_aes_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_encrypt)
-#define mbedtls_aes_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_free)
-#define mbedtls_aes_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_init)
-#define mbedtls_aes_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_self_test)
-#define mbedtls_aes_setkey_dec \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_setkey_dec)
-#define mbedtls_aes_setkey_enc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_aes_setkey_enc)
-#define mbedtls_arc4_crypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_arc4_crypt)
-#define mbedtls_arc4_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_arc4_free)
-#define mbedtls_arc4_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_arc4_init)
-#define mbedtls_arc4_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_arc4_self_test)
-#define mbedtls_arc4_setup \
- CONCAT(LIB_PREFIX_NAME, mbedtls_arc4_setup)
-#define mbedtls_asn1_find_named_data \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_find_named_data)
-#define mbedtls_asn1_free_named_data \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_free_named_data)
-#define mbedtls_asn1_free_named_data_list \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_free_named_data_list)
-#define mbedtls_asn1_get_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_alg)
-#define mbedtls_asn1_get_alg_null \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_alg_null)
-#define mbedtls_asn1_get_bitstring \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_bitstring)
-#define mbedtls_asn1_get_bitstring_null \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_bitstring_null)
-#define mbedtls_asn1_get_bool \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_bool)
-#define mbedtls_asn1_get_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_int)
-#define mbedtls_asn1_get_len \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_len)
-#define mbedtls_asn1_get_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_mpi)
-#define mbedtls_asn1_get_sequence_of \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_sequence_of)
-#define mbedtls_asn1_get_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_get_tag)
-#define mbedtls_asn1_store_named_data \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_store_named_data)
-#define mbedtls_asn1_write_algorithm_identifier \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_algorithm_identifier)
-#define mbedtls_asn1_write_bitstring \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_bitstring)
-#define mbedtls_asn1_write_bool \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_bool)
-#define mbedtls_asn1_write_ia5_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_ia5_string)
-#define mbedtls_asn1_write_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_int)
-#define mbedtls_asn1_write_len \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_len)
-#define mbedtls_asn1_write_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_mpi)
-#define mbedtls_asn1_write_null \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_null)
-#define mbedtls_asn1_write_octet_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_octet_string)
-#define mbedtls_asn1_write_oid \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_oid)
-#define mbedtls_asn1_write_printable_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_printable_string)
-#define mbedtls_asn1_write_raw_buffer \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_raw_buffer)
-#define mbedtls_asn1_write_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_asn1_write_tag)
-#define mbedtls_base64_decode \
- CONCAT(LIB_PREFIX_NAME, mbedtls_base64_decode)
-#define mbedtls_base64_encode \
- CONCAT(LIB_PREFIX_NAME, mbedtls_base64_encode)
-#define mbedtls_base64_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_base64_self_test)
-#define mbedtls_blowfish_crypt_cbc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_crypt_cbc)
-#define mbedtls_blowfish_crypt_cfb64 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_crypt_cfb64)
-#define mbedtls_blowfish_crypt_ctr \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_crypt_ctr)
-#define mbedtls_blowfish_crypt_ecb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_crypt_ecb)
-#define mbedtls_blowfish_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_free)
-#define mbedtls_blowfish_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_init)
-#define mbedtls_blowfish_setkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_blowfish_setkey)
-#define mbedtls_calloc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_calloc)
-#define mbedtls_camellia_crypt_cbc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_crypt_cbc)
-#define mbedtls_camellia_crypt_cfb128 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_crypt_cfb128)
-#define mbedtls_camellia_crypt_ctr \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_crypt_ctr)
-#define mbedtls_camellia_crypt_ecb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_crypt_ecb)
-#define mbedtls_camellia_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_free)
-#define mbedtls_camellia_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_init)
-#define mbedtls_camellia_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_self_test)
-#define mbedtls_camellia_setkey_dec \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_setkey_dec)
-#define mbedtls_camellia_setkey_enc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_camellia_setkey_enc)
-#define mbedtls_ccm_auth_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_auth_decrypt)
-#define mbedtls_ccm_encrypt_and_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_encrypt_and_tag)
-#define mbedtls_ccm_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_free)
-#define mbedtls_ccm_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_init)
-#define mbedtls_ccm_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_self_test)
-#define mbedtls_ccm_setkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_setkey)
-#define mbedtls_ccm_star_auth_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_star_auth_decrypt)
-#define mbedtls_ccm_star_encrypt_and_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ccm_star_encrypt_and_tag)
-#define mbedtls_cipher_auth_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_auth_decrypt)
-#define mbedtls_cipher_auth_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_auth_encrypt)
-#define mbedtls_cipher_check_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_check_tag)
-#define mbedtls_cipher_crypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_crypt)
-#define mbedtls_cipher_definitions \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_definitions)
-#define mbedtls_cipher_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_finish)
-#define mbedtls_cipher_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_free)
-#define mbedtls_cipher_info_from_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_info_from_string)
-#define mbedtls_cipher_info_from_type \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_info_from_type)
-#define mbedtls_cipher_info_from_values \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_info_from_values)
-#define mbedtls_cipher_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_init)
-#define mbedtls_cipher_list \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_list)
-#define mbedtls_cipher_reset \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_reset)
-#define mbedtls_cipher_set_iv \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_set_iv)
-#define mbedtls_cipher_setkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_setkey)
-#define mbedtls_cipher_set_padding_mode \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_set_padding_mode)
-#define mbedtls_cipher_setup \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_setup)
-#define mbedtls_cipher_supported \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_supported)
-#define mbedtls_cipher_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_update)
-#define mbedtls_cipher_update_ad \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_update_ad)
-#define mbedtls_cipher_write_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_cipher_write_tag)
-#define mbedtls_ctr_drbg_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_free)
-#define mbedtls_ctr_drbg_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_init)
-#define mbedtls_ctr_drbg_random \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_random)
-#define mbedtls_ctr_drbg_random_with_add \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_random_with_add)
-#define mbedtls_ctr_drbg_reseed \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_reseed)
-#define mbedtls_ctr_drbg_seed \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_seed)
-#define mbedtls_ctr_drbg_seed_entropy_len \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_seed_entropy_len)
-#define mbedtls_ctr_drbg_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_self_test)
-#define mbedtls_ctr_drbg_set_entropy_len \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_set_entropy_len)
-#define mbedtls_ctr_drbg_set_prediction_resistance \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_set_prediction_resistance)
-#define mbedtls_ctr_drbg_set_reseed_interval \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_set_reseed_interval)
-#define mbedtls_ctr_drbg_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ctr_drbg_update)
-#define mbedtls_des3_crypt_cbc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_crypt_cbc)
-#define mbedtls_des3_crypt_ecb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_crypt_ecb)
-#define mbedtls_des3_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_free)
-#define mbedtls_des3_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_init)
-#define mbedtls_des3_set2key_dec \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_set2key_dec)
-#define mbedtls_des3_set2key_enc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_set2key_enc)
-#define mbedtls_des3_set3key_dec \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_set3key_dec)
-#define mbedtls_des3_set3key_enc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des3_set3key_enc)
-#define mbedtls_des_crypt_cbc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_crypt_cbc)
-#define mbedtls_des_crypt_ecb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_crypt_ecb)
-#define mbedtls_des_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_free)
-#define mbedtls_des_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_init)
-#define mbedtls_des_key_check_key_parity \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_key_check_key_parity)
-#define mbedtls_des_key_check_weak \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_key_check_weak)
-#define mbedtls_des_key_set_parity \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_key_set_parity)
-#define mbedtls_des_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_self_test)
-#define mbedtls_des_setkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_setkey)
-#define mbedtls_des_setkey_dec \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_setkey_dec)
-#define mbedtls_des_setkey_enc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_des_setkey_enc)
-#define mbedtls_dhm_calc_secret \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_calc_secret)
-#define mbedtls_dhm_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_free)
-#define mbedtls_dhm_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_init)
-#define mbedtls_dhm_make_params \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_make_params)
-#define mbedtls_dhm_make_public \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_make_public)
-#define mbedtls_dhm_parse_dhm \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_parse_dhm)
-#define mbedtls_dhm_read_params \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_read_params)
-#define mbedtls_dhm_read_public \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_read_public)
-#define mbedtls_dhm_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_dhm_self_test)
-#define mbedtls_ecdh_calc_secret \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_calc_secret)
-#define mbedtls_ecdh_compute_shared \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_compute_shared)
-#define mbedtls_ecdh_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_free)
-#define mbedtls_ecdh_gen_public \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_gen_public)
-#define mbedtls_ecdh_get_params \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_get_params)
-#define mbedtls_ecdh_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_init)
-#define mbedtls_ecdh_make_params \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_make_params)
-#define mbedtls_ecdh_make_public \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_make_public)
-#define mbedtls_ecdh_read_params \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_read_params)
-#define mbedtls_ecdh_read_public \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdh_read_public)
-#define mbedtls_ecdsa_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_free)
-#define mbedtls_ecdsa_from_keypair \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_from_keypair)
-#define mbedtls_ecdsa_genkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_genkey)
-#define mbedtls_ecdsa_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_info)
-#define mbedtls_ecdsa_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_init)
-#define mbedtls_ecdsa_read_signature \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_read_signature)
-#define mbedtls_ecdsa_sign \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_sign)
-#define mbedtls_ecdsa_sign_det \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_sign_det)
-#define mbedtls_ecdsa_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_verify)
-#define mbedtls_ecdsa_write_signature \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_write_signature)
-#define mbedtls_ecdsa_write_signature_det \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecdsa_write_signature_det)
-#define mbedtls_eckeydh_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_eckeydh_info)
-#define mbedtls_eckey_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_eckey_info)
-#define mbedtls_ecp_check_privkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_check_privkey)
-#define mbedtls_ecp_check_pubkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_check_pubkey)
-#define mbedtls_ecp_check_pub_priv \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_check_pub_priv)
-#define mbedtls_ecp_copy \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_copy)
-#define mbedtls_ecp_curve_info_from_grp_id \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_curve_info_from_grp_id)
-#define mbedtls_ecp_curve_info_from_name \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_curve_info_from_name)
-#define mbedtls_ecp_curve_info_from_tls_id \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_curve_info_from_tls_id)
-#define mbedtls_ecp_curve_list \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_curve_list)
-#define mbedtls_ecp_gen_key \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_gen_key)
-#define mbedtls_ecp_gen_keypair \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_gen_keypair)
-#define mbedtls_ecp_gen_keypair_base \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_gen_keypair_base)
-#define mbedtls_ecp_group_copy \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_group_copy)
-#define mbedtls_ecp_group_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_group_free)
-#define mbedtls_ecp_group_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_group_init)
-#define mbedtls_ecp_group_load \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_group_load)
-#define mbedtls_ecp_grp_id_list \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_grp_id_list)
-#define mbedtls_ecp_is_zero \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_is_zero)
-#define mbedtls_ecp_keypair_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_keypair_free)
-#define mbedtls_ecp_keypair_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_keypair_init)
-#define mbedtls_ecp_mul \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_mul)
-#define mbedtls_ecp_muladd \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_muladd)
-#define mbedtls_ecp_point_cmp \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_point_cmp)
-#define mbedtls_ecp_point_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_point_free)
-#define mbedtls_ecp_point_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_point_init)
-#define mbedtls_ecp_point_read_binary \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_point_read_binary)
-#define mbedtls_ecp_point_read_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_point_read_string)
-#define mbedtls_ecp_point_write_binary \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_point_write_binary)
-#define mbedtls_ecp_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_self_test)
-#define mbedtls_ecp_set_zero \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_set_zero)
-#define mbedtls_ecp_tls_read_group \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_tls_read_group)
-#define mbedtls_ecp_tls_read_point \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_tls_read_point)
-#define mbedtls_ecp_tls_write_group \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_tls_write_group)
-#define mbedtls_ecp_tls_write_point \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ecp_tls_write_point)
-#define mbedtls_entropy_add_source \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_add_source)
-#define mbedtls_entropy_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_free)
-#define mbedtls_entropy_func \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_func)
-#define mbedtls_entropy_gather \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_gather)
-#define mbedtls_entropy_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_init)
-#define mbedtls_entropy_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_self_test)
-#define mbedtls_entropy_update_manual \
- CONCAT(LIB_PREFIX_NAME, mbedtls_entropy_update_manual)
-#define mbedtls_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_free)
-#define mbedtls_gcm_auth_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_auth_decrypt)
-#define mbedtls_gcm_crypt_and_tag \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_crypt_and_tag)
-#define mbedtls_gcm_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_finish)
-#define mbedtls_gcm_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_free)
-#define mbedtls_gcm_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_init)
-#define mbedtls_gcm_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_self_test)
-#define mbedtls_gcm_setkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_setkey)
-#define mbedtls_gcm_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_starts)
-#define mbedtls_gcm_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_gcm_update)
-#define mbedtls_hmac_drbg_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_free)
-#define mbedtls_hmac_drbg_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_init)
-#define mbedtls_hmac_drbg_random \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_random)
-#define mbedtls_hmac_drbg_random_with_add \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_random_with_add)
-#define mbedtls_hmac_drbg_reseed \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_reseed)
-#define mbedtls_hmac_drbg_seed \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_seed)
-#define mbedtls_hmac_drbg_seed_buf \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_seed_buf)
-#define mbedtls_hmac_drbg_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_self_test)
-#define mbedtls_hmac_drbg_set_entropy_len \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_set_entropy_len)
-#define mbedtls_hmac_drbg_set_prediction_resistance \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_set_prediction_resistance)
-#define mbedtls_hmac_drbg_set_reseed_interval \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_set_reseed_interval)
-#define mbedtls_hmac_drbg_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_hmac_drbg_update)
-#define mbedtls_internal_aes_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_internal_aes_decrypt)
-#define mbedtls_internal_aes_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_internal_aes_encrypt)
-#define mbedtls_md \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md)
-#define mbedtls_md5 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5)
-#define mbedtls_md5_clone \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_clone)
-#define mbedtls_md5_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_finish)
-#define mbedtls_md5_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_free)
-#define mbedtls_md5_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_info)
-#define mbedtls_md5_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_init)
-#define mbedtls_md5_process \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_process)
-#define mbedtls_md5_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_self_test)
-#define mbedtls_md5_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_starts)
-#define mbedtls_md5_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md5_update)
-#define mbedtls_md_clone \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_clone)
-#define mbedtls_md_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_finish)
-#define mbedtls_md_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_free)
-#define mbedtls_md_get_name \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_get_name)
-#define mbedtls_md_get_size \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_get_size)
-#define mbedtls_md_get_type \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_get_type)
-#define mbedtls_md_hmac \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_hmac)
-#define mbedtls_md_hmac_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_hmac_finish)
-#define mbedtls_md_hmac_reset \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_hmac_reset)
-#define mbedtls_md_hmac_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_hmac_starts)
-#define mbedtls_md_hmac_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_hmac_update)
-#define mbedtls_md_info_from_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_info_from_string)
-#define mbedtls_md_info_from_type \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_info_from_type)
-#define mbedtls_md_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_init)
-#define mbedtls_md_init_ctx \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_init_ctx)
-#define mbedtls_md_list \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_list)
-#define mbedtls_md_process \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_process)
-#define mbedtls_md_setup \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_setup)
-#define mbedtls_md_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_starts)
-#define mbedtls_md_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_md_update)
-#define mbedtls_memory_buffer_alloc_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_memory_buffer_alloc_free)
-#define mbedtls_memory_buffer_alloc_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_memory_buffer_alloc_init)
-#define mbedtls_memory_buffer_alloc_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_memory_buffer_alloc_self_test)
-#define mbedtls_memory_buffer_alloc_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_memory_buffer_alloc_verify)
-#define mbedtls_memory_buffer_set_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_memory_buffer_set_verify)
-#define mbedtls_mpi_add_abs \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_add_abs)
-#define mbedtls_mpi_add_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_add_int)
-#define mbedtls_mpi_add_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_add_mpi)
-#define mbedtls_mpi_bitlen \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_bitlen)
-#define mbedtls_mpi_cmp_abs \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_cmp_abs)
-#define mbedtls_mpi_cmp_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_cmp_int)
-#define mbedtls_mpi_cmp_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_cmp_mpi)
-#define mbedtls_mpi_copy \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_copy)
-#define mbedtls_mpi_div_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_div_int)
-#define mbedtls_mpi_div_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_div_mpi)
-#define mbedtls_mpi_exp_mod \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_exp_mod)
-#define mbedtls_mpi_fill_random \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_fill_random)
-#define mbedtls_mpi_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_free)
-#define mbedtls_mpi_gcd \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_gcd)
-#define mbedtls_mpi_gen_prime \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_gen_prime)
-#define mbedtls_mpi_get_bit \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_get_bit)
-#define mbedtls_mpi_grow \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_grow)
-#define mbedtls_mpi_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_init)
-#define mbedtls_mpi_inv_mod \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_inv_mod)
-#define mbedtls_mpi_is_prime \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_is_prime)
-#define mbedtls_mpi_lsb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_lsb)
-#define mbedtls_mpi_lset \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_lset)
-#define mbedtls_mpi_mod_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_mod_int)
-#define mbedtls_mpi_mod_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_mod_mpi)
-#define mbedtls_mpi_mul_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_mul_int)
-#define mbedtls_mpi_mul_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_mul_mpi)
-#define mbedtls_mpi_read_binary \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_read_binary)
-#define mbedtls_mpi_read_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_read_string)
-#define mbedtls_mpi_safe_cond_assign \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_safe_cond_assign)
-#define mbedtls_mpi_safe_cond_swap \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_safe_cond_swap)
-#define mbedtls_mpi_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_self_test)
-#define mbedtls_mpi_set_bit \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_set_bit)
-#define mbedtls_mpi_shift_l \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_shift_l)
-#define mbedtls_mpi_shift_r \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_shift_r)
-#define mbedtls_mpi_shrink \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_shrink)
-#define mbedtls_mpi_size \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_size)
-#define mbedtls_mpi_sub_abs \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_sub_abs)
-#define mbedtls_mpi_sub_int \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_sub_int)
-#define mbedtls_mpi_sub_mpi \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_sub_mpi)
-#define mbedtls_mpi_swap \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_swap)
-#define mbedtls_mpi_write_binary \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_write_binary)
-#define mbedtls_mpi_write_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_mpi_write_string)
-#define mbedtls_oid_get_attr_short_name \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_attr_short_name)
-#define mbedtls_oid_get_cipher_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_cipher_alg)
-#define mbedtls_oid_get_ec_grp \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_ec_grp)
-#define mbedtls_oid_get_extended_key_usage \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_extended_key_usage)
-#define mbedtls_oid_get_md_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_md_alg)
-#define mbedtls_oid_get_numeric_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_numeric_string)
-#define mbedtls_oid_get_oid_by_ec_grp \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_oid_by_ec_grp)
-#define mbedtls_oid_get_oid_by_md \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_oid_by_md)
-#define mbedtls_oid_get_oid_by_pk_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_oid_by_pk_alg)
-#define mbedtls_oid_get_oid_by_sig_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_oid_by_sig_alg)
-#define mbedtls_oid_get_pk_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_pk_alg)
-#define mbedtls_oid_get_pkcs12_pbe_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_pkcs12_pbe_alg)
-#define mbedtls_oid_get_sig_alg \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_sig_alg)
-#define mbedtls_oid_get_sig_alg_desc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_sig_alg_desc)
-#define mbedtls_oid_get_x509_ext_type \
- CONCAT(LIB_PREFIX_NAME, mbedtls_oid_get_x509_ext_type)
-#define mbedtls_pem_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pem_free)
-#define mbedtls_pem_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pem_init)
-#define mbedtls_pem_read_buffer \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pem_read_buffer)
-#define mbedtls_pem_write_buffer \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pem_write_buffer)
-#define mbedtls_pk_can_do \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_can_do)
-#define mbedtls_pk_check_pair \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_check_pair)
-#define mbedtls_pkcs12_derivation \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pkcs12_derivation)
-#define mbedtls_pkcs12_pbe \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pkcs12_pbe)
-#define mbedtls_pkcs12_pbe_sha1_rc4_128 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pkcs12_pbe_sha1_rc4_128)
-#define mbedtls_pkcs5_pbes2 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pkcs5_pbes2)
-#define mbedtls_pkcs5_pbkdf2_hmac \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pkcs5_pbkdf2_hmac)
-#define mbedtls_pkcs5_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pkcs5_self_test)
-#define mbedtls_pk_debug \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_debug)
-#define mbedtls_pk_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_decrypt)
-#define mbedtls_pk_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_encrypt)
-#define mbedtls_pk_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_free)
-#define mbedtls_pk_get_bitlen \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_get_bitlen)
-#define mbedtls_pk_get_name \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_get_name)
-#define mbedtls_pk_get_type \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_get_type)
-#define mbedtls_pk_info_from_type \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_info_from_type)
-#define mbedtls_pk_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_init)
-#define mbedtls_pk_parse_key \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_parse_key)
-#define mbedtls_pk_parse_public_key \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_parse_public_key)
-#define mbedtls_pk_parse_subpubkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_parse_subpubkey)
-#define mbedtls_pk_setup \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_setup)
-#define mbedtls_pk_setup_rsa_alt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_setup_rsa_alt)
-#define mbedtls_pk_sign \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_sign)
-#define mbedtls_pk_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_verify)
-#define mbedtls_pk_verify_ext \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_verify_ext)
-#define mbedtls_pk_write_key_der \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_write_key_der)
-#define mbedtls_pk_write_key_pem \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_write_key_pem)
-#define mbedtls_pk_write_pubkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_write_pubkey)
-#define mbedtls_pk_write_pubkey_der \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_write_pubkey_der)
-#define mbedtls_pk_write_pubkey_pem \
- CONCAT(LIB_PREFIX_NAME, mbedtls_pk_write_pubkey_pem)
-#define mbedtls_platform_set_calloc_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_platform_set_calloc_free)
-#define mbedtls_platform_setup \
- CONCAT(LIB_PREFIX_NAME, mbedtls_platform_setup)
-#define mbedtls_platform_teardown \
- CONCAT(LIB_PREFIX_NAME, mbedtls_platform_teardown)
-#define mbedtls_ripemd160 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160)
-#define mbedtls_ripemd160_clone \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_clone)
-#define mbedtls_ripemd160_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_finish)
-#define mbedtls_ripemd160_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_free)
-#define mbedtls_ripemd160_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_info)
-#define mbedtls_ripemd160_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_init)
-#define mbedtls_ripemd160_process \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_process)
-#define mbedtls_ripemd160_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_self_test)
-#define mbedtls_ripemd160_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_starts)
-#define mbedtls_ripemd160_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_ripemd160_update)
-#define mbedtls_rsa_alt_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_alt_info)
-#define mbedtls_rsa_check_privkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_check_privkey)
-#define mbedtls_rsa_check_pubkey \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_check_pubkey)
-#define mbedtls_rsa_check_pub_priv \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_check_pub_priv)
-#define mbedtls_rsa_copy \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_copy)
-#define mbedtls_rsa_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_free)
-#define mbedtls_rsa_gen_key \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_gen_key)
-#define mbedtls_rsa_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_info)
-#define mbedtls_rsa_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_init)
-#define mbedtls_rsa_pkcs1_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_pkcs1_decrypt)
-#define mbedtls_rsa_pkcs1_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_pkcs1_encrypt)
-#define mbedtls_rsa_pkcs1_sign \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_pkcs1_sign)
-#define mbedtls_rsa_pkcs1_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_pkcs1_verify)
-#define mbedtls_rsa_private \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_private)
-#define mbedtls_rsa_public \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_public)
-#define mbedtls_rsa_rsaes_oaep_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsaes_oaep_decrypt)
-#define mbedtls_rsa_rsaes_oaep_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsaes_oaep_encrypt)
-#define mbedtls_rsa_rsaes_pkcs1_v15_decrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsaes_pkcs1_v15_decrypt)
-#define mbedtls_rsa_rsaes_pkcs1_v15_encrypt \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsaes_pkcs1_v15_encrypt)
-#define mbedtls_rsa_rsassa_pkcs1_v15_sign \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsassa_pkcs1_v15_sign)
-#define mbedtls_rsa_rsassa_pkcs1_v15_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsassa_pkcs1_v15_verify)
-#define mbedtls_rsa_rsassa_pss_sign \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsassa_pss_sign)
-#define mbedtls_rsa_rsassa_pss_verify \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsassa_pss_verify)
-#define mbedtls_rsa_rsassa_pss_verify_ext \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_rsassa_pss_verify_ext)
-#define mbedtls_rsa_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_self_test)
-#define mbedtls_rsa_set_padding \
- CONCAT(LIB_PREFIX_NAME, mbedtls_rsa_set_padding)
-#define mbedtls_sha1 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1)
-#define mbedtls_sha1_clone \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_clone)
-#define mbedtls_sha1_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_finish)
-#define mbedtls_sha1_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_free)
-#define mbedtls_sha1_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_info)
-#define mbedtls_sha1_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_init)
-#define mbedtls_sha1_process \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_process)
-#define mbedtls_sha1_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_self_test)
-#define mbedtls_sha1_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_starts)
-#define mbedtls_sha1_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha1_update)
-#define mbedtls_sha224_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha224_info)
-#define mbedtls_sha256 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256)
-#define mbedtls_sha256_clone \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_clone)
-#define mbedtls_sha256_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_finish)
-#define mbedtls_sha256_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_free)
-#define mbedtls_sha256_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_info)
-#define mbedtls_sha256_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_init)
-#define mbedtls_sha256_process \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_process)
-#define mbedtls_sha256_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_self_test)
-#define mbedtls_sha256_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_starts)
-#define mbedtls_sha256_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha256_update)
-#define mbedtls_sha384_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha384_info)
-#define mbedtls_sha512 \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512)
-#define mbedtls_sha512_clone \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_clone)
-#define mbedtls_sha512_finish \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_finish)
-#define mbedtls_sha512_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_free)
-#define mbedtls_sha512_info \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_info)
-#define mbedtls_sha512_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_init)
-#define mbedtls_sha512_process \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_process)
-#define mbedtls_sha512_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_self_test)
-#define mbedtls_sha512_starts \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_starts)
-#define mbedtls_sha512_update \
- CONCAT(LIB_PREFIX_NAME, mbedtls_sha512_update)
-#define mbedtls_strerror \
- CONCAT(LIB_PREFIX_NAME, mbedtls_strerror)
-#define mbedtls_version_check_feature \
- CONCAT(LIB_PREFIX_NAME, mbedtls_version_check_feature)
-#define mbedtls_version_get_number \
- CONCAT(LIB_PREFIX_NAME, mbedtls_version_get_number)
-#define mbedtls_version_get_string \
- CONCAT(LIB_PREFIX_NAME, mbedtls_version_get_string)
-#define mbedtls_version_get_string_full \
- CONCAT(LIB_PREFIX_NAME, mbedtls_version_get_string_full)
-#define mbedtls_xtea_crypt_cbc \
- CONCAT(LIB_PREFIX_NAME, mbedtls_xtea_crypt_cbc)
-#define mbedtls_xtea_crypt_ecb \
- CONCAT(LIB_PREFIX_NAME, mbedtls_xtea_crypt_ecb)
-#define mbedtls_xtea_free \
- CONCAT(LIB_PREFIX_NAME, mbedtls_xtea_free)
-#define mbedtls_xtea_init \
- CONCAT(LIB_PREFIX_NAME, mbedtls_xtea_init)
-#define mbedtls_xtea_self_test \
- CONCAT(LIB_PREFIX_NAME, mbedtls_xtea_self_test)
-#define mbedtls_xtea_setup \
- CONCAT(LIB_PREFIX_NAME, mbedtls_xtea_setup)
-
-#endif /* __MBEDTLS_GLOBAL_SYMBOLS_H__ */
diff --git a/secure_fw/services/crypto/tfm_crypto_api.h b/secure_fw/services/crypto/tfm_crypto_api.h
index 36a0915..723e84a 100644
--- a/secure_fw/services/crypto/tfm_crypto_api.h
+++ b/secure_fw/services/crypto/tfm_crypto_api.h
@@ -53,13 +53,6 @@
psa_status_t tfm_crypto_init(void);
/**
- * \brief Initialise the Key module
- *
- * \return Return values as described in \ref psa_status_t
- */
-psa_status_t tfm_crypto_init_key(void);
-
-/**
* \brief Initialise the Alloc module
*
* \return Return values as described in \ref psa_status_t
@@ -99,41 +92,17 @@
psa_status_t tfm_crypto_operation_lookup(enum tfm_crypto_operation_type type,
uint32_t handle,
void **ctx);
-/**
- * \brief Retrieve a key from the provided key slot according to the key
- * policy and algorithm provided. This function is expected to be
- * called intra-service
- *
- * \param[in] key Key slot
- * \param[in] usage Usage policy to be used on the retrieved key
- * \param[in] alg Algorithm to be used for the retrieved key
- * \param[out] data Buffer to hold the exported key
- * \param[in] data_size Length of the buffer pointed to by data
- * \param[out] data_length Length of the exported key
- *
- * \return Return values as described in \ref psa_status_t
- */
-psa_status_t tfm_crypto_get_key(psa_key_slot_t key,
- psa_key_usage_t usage,
- psa_algorithm_t alg,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
#define LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API \
+ X(tfm_crypto_allocate_key); \
X(tfm_crypto_import_key); \
X(tfm_crypto_destroy_key); \
X(tfm_crypto_get_key_information); \
X(tfm_crypto_export_key); \
- X(tfm_crypto_key_policy_init); \
- X(tfm_crypto_key_policy_set_usage); \
- X(tfm_crypto_key_policy_get_usage); \
- X(tfm_crypto_key_policy_get_algorithm); \
+ X(tfm_crypto_export_public_key); \
X(tfm_crypto_set_key_policy); \
X(tfm_crypto_get_key_policy); \
- X(tfm_crypto_set_key_lifetime); \
X(tfm_crypto_get_key_lifetime); \
- X(tfm_crypto_export_public_key); \
X(tfm_crypto_cipher_set_iv); \
X(tfm_crypto_cipher_encrypt_setup); \
X(tfm_crypto_cipher_decrypt_setup); \
diff --git a/secure_fw/services/crypto/tfm_crypto_secure_api.c b/secure_fw/services/crypto/tfm_crypto_secure_api.c
index 4d6f726..857a473 100644
--- a/secure_fw/services/crypto/tfm_crypto_secure_api.c
+++ b/secure_fw/services/crypto/tfm_crypto_secure_api.c
@@ -18,37 +18,37 @@
/* FixMe: Here temporarily until it's added to the framework headers */
#define PSA_IS_HANDLE_VALID(handle) ((handle) > (psa_handle_t)0)
-#define PSA_CONNECT(service) \
- psa_handle_t handle; \
- handle = psa_connect(service##_SID, service##_MIN_VER); \
- if (!PSA_IS_HANDLE_VALID(handle)) { \
- return PSA_ERROR_UNKNOWN_ERROR; \
- } \
+#define PSA_CONNECT(service) \
+ psa_handle_t ipc_handle; \
+ ipc_handle = psa_connect(service##_SID, service##_MIN_VER); \
+ if (!PSA_IS_HANDLE_VALID(ipc_handle)) { \
+ return PSA_ERROR_GENERIC_ERROR; \
+ } \
-#define PSA_CLOSE() psa_close(handle)
+#define PSA_CLOSE() psa_close(ipc_handle)
-#define API_DISPATCH(sfn_name, sfn_id) \
- psa_call(handle, /*PSA_IPC_CALL,*/ \
- in_vec, ARRAY_SIZE(in_vec), \
+#define API_DISPATCH(sfn_name, sfn_id) \
+ psa_call(ipc_handle, /*PSA_IPC_CALL,*/ \
+ in_vec, ARRAY_SIZE(in_vec), \
out_vec, ARRAY_SIZE(out_vec))
-#define API_DISPATCH_NO_OUTVEC(sfn_name, sfn_id) \
- psa_call(handle, /*PSA_IPC_CALL,*/ \
- in_vec, ARRAY_SIZE(in_vec), \
+#define API_DISPATCH_NO_OUTVEC(sfn_name, sfn_id) \
+ psa_call(ipc_handle, /*PSA_IPC_CALL,*/ \
+ in_vec, ARRAY_SIZE(in_vec), \
(psa_outvec *)NULL, 0)
#else
-#define API_DISPATCH(sfn_name, sfn_id) \
- tfm_##sfn_name##_veneer( \
- in_vec, ARRAY_SIZE(in_vec), \
+#define API_DISPATCH(sfn_name, sfn_id) \
+ tfm_##sfn_name##_veneer( \
+ in_vec, ARRAY_SIZE(in_vec), \
out_vec, ARRAY_SIZE(out_vec))
-#define API_DISPATCH_NO_OUTVEC(sfn_name, sfn_id) \
- tfm_##sfn_name##_veneer( \
- in_vec, ARRAY_SIZE(in_vec), \
+#define API_DISPATCH_NO_OUTVEC(sfn_name, sfn_id) \
+ tfm_##sfn_name##_veneer( \
+ in_vec, ARRAY_SIZE(in_vec), \
NULL, 0)
#endif /* TFM_PSA_API */
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_crypto_init(void)
{
/* Service init is performed during TFM boot up,
@@ -57,8 +57,70 @@
return PSA_SUCCESS;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_import_key(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_allocate_key(psa_key_handle_t *handle)
+{
+ psa_status_t status;
+ const struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_ALLOCATE_KEY_SFID,
+ };
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = handle, .len = sizeof(psa_key_handle_t)},
+ };
+
+#ifdef TFM_PSA_API
+ PSA_CONNECT(TFM_CRYPTO);
+#endif
+
+ status = API_DISPATCH(tfm_crypto_allocate_key,
+ TFM_CRYPTO_ALLOCATE_KEY);
+#ifdef TFM_PSA_API
+ PSA_CLOSE();
+#endif
+
+ return status;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_open_key(psa_key_lifetime_t lifetime,
+ psa_key_id_t id,
+ psa_key_handle_t *handle)
+{
+ (void)lifetime;
+ (void)id;
+ (void)handle;
+
+ /* TODO: This API is not supported yet */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_create_key(psa_key_lifetime_t lifetime,
+ psa_key_id_t id,
+ psa_key_handle_t *handle)
+{
+ (void)lifetime;
+ (void)id;
+ (void)handle;
+
+ /* TODO: This API is not supported yet */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_close_key(psa_key_handle_t handle)
+{
+ (void)handle;
+
+ /* TODO: This API is not supported yet */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+__attribute__((section("SFN")))
+psa_status_t psa_import_key(psa_key_handle_t handle,
psa_key_type_t type,
const uint8_t *data,
size_t data_length)
@@ -66,7 +128,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_IMPORT_KEY_SFID,
- .key = key,
+ .key_handle = handle,
.type = type,
};
psa_invec in_vec[] = {
@@ -87,13 +149,13 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_destroy_key(psa_key_slot_t key)
+__attribute__((section("SFN")))
+psa_status_t psa_destroy_key(psa_key_handle_t handle)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_DESTROY_KEY_SFID,
- .key = key,
+ .key_handle = handle,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -112,15 +174,15 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_get_key_information(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_get_key_information(psa_key_handle_t handle,
psa_key_type_t *type,
size_t *bits)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GET_KEY_INFORMATION_SFID,
- .key = key,
+ .key_handle = handle,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -143,8 +205,8 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_export_key(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_export_key(psa_key_handle_t handle,
uint8_t *data,
size_t data_size,
size_t *data_length)
@@ -152,7 +214,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_EXPORT_KEY_SFID,
- .key = key,
+ .key_handle = handle,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
@@ -177,13 +239,13 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_export_public_key(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_export_public_key(psa_key_handle_t handle,
uint8_t *data,
size_t data_size,
size_t *data_length)
{
- (void)key;
+ (void)handle;
(void)data;
(void)data_size;
(void)data_length;
@@ -192,154 +254,48 @@
return PSA_ERROR_NOT_SUPPORTED;
}
-__attribute__(( section("SFN")))
-void psa_key_policy_init(psa_key_policy_t *policy)
+__attribute__((section("SFN")))
+psa_status_t psa_copy_key(psa_key_handle_t source_handle,
+ psa_key_handle_t target_handle,
+ const psa_key_policy_t *constraint)
{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_KEY_POLICY_INIT_SFID,
- };
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = policy, .len = sizeof(psa_key_policy_t)},
- };
+ (void)source_handle;
+ (void)target_handle;
+ (void)constraint;
-#ifdef TFM_PSA_API
- psa_handle_t handle;
- handle = psa_connect(TFM_CRYPTO_SID,
- TFM_CRYPTO_MIN_VER);
- if (!PSA_IS_HANDLE_VALID(handle)) {
- return;
- }
-#endif
-
- /* PSA API returns void so just ignore error value returned */
- status = API_DISPATCH(tfm_crypto_key_policy_init,
- TFM_CRYPTO_KEY_POLICY_INIT);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
+ /* TODO: This API is not supported yet */
+ return PSA_ERROR_NOT_SUPPORTED;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
void psa_key_policy_set_usage(psa_key_policy_t *policy,
psa_key_usage_t usage,
psa_algorithm_t alg)
{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_KEY_POLICY_SET_USAGE_SFID,
- .usage = usage,
- .alg = alg,
- };
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
- psa_outvec out_vec[] = {
- {.base = policy, .len = sizeof(psa_key_policy_t)},
- };
-
-#ifdef TFM_PSA_API
- psa_handle_t handle;
- handle = psa_connect(TFM_CRYPTO_SID,
- TFM_CRYPTO_MIN_VER);
- if (!PSA_IS_HANDLE_VALID(handle)) {
- return;
- }
-#endif
-
- /* PSA API returns void so just ignore error value returned */
- status = API_DISPATCH(tfm_crypto_key_policy_set_usage,
- TFM_CRYPTO_KEY_POLICY_SET_USAGE);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
+ policy->usage = usage;
+ policy->alg = alg;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy)
{
- psa_status_t status;
- psa_key_usage_t usage;
-
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_KEY_POLICY_GET_USAGE_SFID,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = policy, .len = sizeof(psa_key_policy_t)},
- };
- psa_outvec out_vec[] = {
- {.base = &usage, .len = sizeof(psa_key_usage_t)},
- };
-
- /* Initialise to a sensible default to avoid returning an uninitialised
- * value in case the secure function fails.
- */
- usage = 0;
-
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- /* The PSA API does not return an error, so ignore any error from TF-M */
- status = API_DISPATCH(tfm_crypto_key_policy_get_usage,
- TFM_CRYPTO_KEY_POLICY_GET_USAGE);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return usage;
+ return policy->usage;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy)
{
- psa_status_t status;
- psa_algorithm_t alg;
-
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_KEY_POLICY_GET_ALGORITHM_SFID,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- {.base = policy, .len = sizeof(psa_key_policy_t)},
- };
- psa_outvec out_vec[] = {
- {.base = &alg, .len = sizeof(psa_algorithm_t)},
- };
-
- /* Initialise to a sensible default to avoid returning an uninitialised
- * value in case the secure function fails.
- */
- alg = 0;
-
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- /* The PSA API does not return an error, so ignore any error from TF-M */
- status = API_DISPATCH(tfm_crypto_key_policy_get_algorithm,
- TFM_CRYPTO_KEY_POLICY_GET_ALGORITHM);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return alg;
+ return policy->alg;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_set_key_policy(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_set_key_policy(psa_key_handle_t handle,
const psa_key_policy_t *policy)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_SET_KEY_POLICY_SFID,
- .key = key,
+ .key_handle = handle,
};
psa_invec in_vec[] = {
@@ -360,14 +316,14 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_get_key_policy(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_get_key_policy(psa_key_handle_t handle,
psa_key_policy_t *policy)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GET_KEY_POLICY_SFID,
- .key = key,
+ .key_handle = handle,
};
psa_invec in_vec[] = {
@@ -390,42 +346,14 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_set_key_lifetime(psa_key_slot_t key,
- psa_key_lifetime_t lifetime)
-{
- psa_status_t status;
- struct tfm_crypto_pack_iovec iov = {
- .sfn_id = TFM_CRYPTO_SET_KEY_LIFETIME_SFID,
- .key = key,
- .lifetime = lifetime,
- };
-
- psa_invec in_vec[] = {
- {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
- };
-
-#ifdef TFM_PSA_API
- PSA_CONNECT(TFM_CRYPTO);
-#endif
-
- status = API_DISPATCH_NO_OUTVEC(tfm_crypto_set_key_lifetime,
- TFM_CRYPTO_SET_KEY_LIFETIME);
-#ifdef TFM_PSA_API
- PSA_CLOSE();
-#endif
-
- return status;
-}
-
-__attribute__(( section("SFN")))
-psa_status_t psa_get_key_lifetime(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_get_key_lifetime(psa_key_handle_t handle,
psa_key_lifetime_t *lifetime)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_GET_KEY_LIFETIME_SFID,
- .key = key,
+ .key_handle = handle,
};
psa_invec in_vec[] = {
@@ -448,7 +376,22 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
+psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
+ unsigned char *iv,
+ size_t iv_size,
+ size_t *iv_length)
+{
+ (void) operation;
+ (void) iv;
+ (void) iv_size;
+ (void) iv_length;
+
+ /* TODO: This API is not supported yet */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+__attribute__((section("SFN")))
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
const unsigned char *iv,
size_t iv_length)
@@ -456,7 +399,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -480,17 +423,17 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
- psa_key_slot_t key,
+ psa_key_handle_t handle,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SFID,
- .key = key,
+ .key_handle = handle,
.alg = alg,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -513,17 +456,17 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
- psa_key_slot_t key,
+ psa_key_handle_t handle,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SFID,
- .key = key,
+ .key_handle = handle,
.alg = alg,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -546,7 +489,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
const uint8_t *input,
size_t input_length,
@@ -557,7 +500,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_UPDATE_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -585,13 +528,13 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_ABORT_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -614,7 +557,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
uint8_t *output,
size_t output_size,
@@ -623,7 +566,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_CIPHER_FINISH_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -650,7 +593,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
psa_algorithm_t alg)
{
@@ -658,7 +601,7 @@
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_HASH_SETUP_SFID,
.alg = alg,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -682,7 +625,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_hash_update(psa_hash_operation_t *operation,
const uint8_t *input,
size_t input_length)
@@ -690,7 +633,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_HASH_UPDATE_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -715,7 +658,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
uint8_t *hash,
size_t hash_size,
@@ -724,7 +667,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_HASH_FINISH_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -751,7 +694,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
const uint8_t *hash,
size_t hash_length)
@@ -759,7 +702,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_HASH_VERIFY_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -783,13 +726,13 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_HASH_ABORT_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -812,17 +755,28 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
+psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation)
+{
+ (void)source_operation;
+ (void)target_operation;
+
+ /* TODO: This API is not supported yet */
+ return PSA_ERROR_NOT_SUPPORTED;
+}
+
+__attribute__((section("SFN")))
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_slot_t key,
+ psa_key_handle_t handle,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SFID,
- .key = key,
+ .key_handle = handle,
.alg = alg,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -845,17 +799,17 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
- psa_key_slot_t key,
+ psa_key_handle_t handle,
psa_algorithm_t alg)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SFID,
- .key = key,
+ .key_handle = handle,
.alg = alg,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -878,7 +832,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_mac_update(psa_mac_operation_t *operation,
const uint8_t *input,
size_t input_length)
@@ -886,7 +840,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_UPDATE_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -910,7 +864,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
uint8_t *mac,
size_t mac_size,
@@ -919,7 +873,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_SIGN_FINISH_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -946,7 +900,7 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
const uint8_t *mac,
size_t mac_length)
@@ -954,7 +908,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -979,13 +933,13 @@
return status;
}
-__attribute__(( section("SFN")))
+__attribute__((section("SFN")))
psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
{
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_MAC_ABORT_SFID,
- .handle = operation->handle,
+ .op_handle = operation->handle,
};
psa_invec in_vec[] = {
@@ -1008,8 +962,8 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_aead_encrypt(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_aead_encrypt(psa_key_handle_t handle,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -1024,7 +978,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SFID,
- .key = key,
+ .key_handle = handle,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -1054,12 +1008,12 @@
#endif
#ifdef TFM_PSA_API
- size_t in_len = sizeof(in_vec)/sizeof(in_vec[0]);
+ size_t in_len = ARRAY_SIZE(in_vec);
if (additional_data == NULL) {
- in_len--;
+ in_len--;
}
- status = psa_call(handle, in_vec, in_len,
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+ status = psa_call(ipc_handle, in_vec, in_len,
+ out_vec, ARRAY_SIZE(out_vec));
#else
status = API_DISPATCH(tfm_crypto_aead_encrypt,
TFM_CRYPTO_AEAD_ENCRYPT);
@@ -1074,8 +1028,8 @@
return status;
}
-__attribute__(( section("SFN")))
-psa_status_t psa_aead_decrypt(psa_key_slot_t key,
+__attribute__((section("SFN")))
+psa_status_t psa_aead_decrypt(psa_key_handle_t handle,
psa_algorithm_t alg,
const uint8_t *nonce,
size_t nonce_length,
@@ -1090,7 +1044,7 @@
psa_status_t status;
struct tfm_crypto_pack_iovec iov = {
.sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SFID,
- .key = key,
+ .key_handle = handle,
.alg = alg,
.aead_in = {.nonce = {0}, .nonce_length = nonce_length}
};
@@ -1120,12 +1074,12 @@
#endif
#ifdef TFM_PSA_API
- size_t in_len = sizeof(in_vec)/sizeof(in_vec[0]);
+ size_t in_len = ARRAY_SIZE(in_vec);
if (additional_data == NULL) {
- in_len--;
+ in_len--;
}
- status = psa_call(handle, in_vec, in_len,
- out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+ status = psa_call(ipc_handle, in_vec, in_len,
+ out_vec, ARRAY_SIZE(out_vec));
#else
status = API_DISPATCH(tfm_crypto_aead_decrypt,
TFM_CRYPTO_AEAD_DECRYPT);
diff --git a/secure_fw/services/crypto/tfm_crypto_struct.h b/secure_fw/services/crypto/tfm_crypto_struct.h
deleted file mode 100644
index 9909cf9..0000000
--- a/secure_fw/services/crypto/tfm_crypto_struct.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-/**
- * \file tfm_crypto_struct.h
- *
- * \brief Similarly to what psa_crypto_struct.h defines for
- * the frontend, this header provides Crypto service
- * specific definitions for operation contexts.
- */
-
-#include "psa_crypto.h"
-#include "crypto_engine.h"
-
-#ifndef __TFM_CRYPTO_STRUCT_H__
-#define __TFM_CRYPTO_STRUCT_H__
-
-struct tfm_hash_operation_s {
-
- psa_algorithm_t alg;
- union engine_hash_context engine_ctx;
-};
-
-struct tfm_hmac_internal_data_s {
-
- /* The hash operation. */
- psa_hash_operation_t hash_operation;
- /* The HMAC part of the context. */
- uint8_t opad[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
-};
-
-struct tfm_mac_operation_s {
-
- psa_algorithm_t alg;
- uint8_t key_set;
- uint8_t iv_required;
- uint8_t iv_set;
- uint8_t has_input;
- uint8_t key_usage_sign;
- uint8_t key_usage_verify;
- uint8_t mac_size;
- union {
- struct tfm_hmac_internal_data_s hmac;
- union engine_cmac_context cmac;
- } ctx;
-};
-
-#define TFM_CIPHER_IV_MAX_SIZE 16
-
-struct tfm_cipher_operation_s {
-
- psa_algorithm_t alg;
- uint8_t key_set;
- uint8_t iv_required;
- uint8_t iv_set;
- uint8_t iv_size;
- uint8_t block_size;
- psa_key_slot_t key;
- uint8_t cipher_mode;
- union engine_cipher_context engine_ctx;
-};
-#endif /* __TFM_CRYPTO_STRUCT_H__ */
diff --git a/secure_fw/services/crypto/tfm_mbedcrypto_include.h b/secure_fw/services/crypto/tfm_mbedcrypto_include.h
new file mode 100644
index 0000000..b04b180
--- /dev/null
+++ b/secure_fw/services/crypto/tfm_mbedcrypto_include.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2019, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef __TFM_MBEDCRYPTO_INCLUDE_H__
+#define __TFM_MBEDCRYPTO_INCLUDE_H__
+
+/* FIXME: The PSA Crypto headers in Mbed Crypto define PSA_SUCCESS and typedef
+ * psa_status_t. To prevent redefinition errors in psa_client.h, use the
+ * preprocessor to prefix psa_status_t in the Mbed Crypto headers, and then
+ * undef psa_status_t and PSA_SUCCESS after the include.
+ */
+#define psa_status_t mbedcrypto__psa_status_t
+/* Include the crypto_spe.h header before including the PSA Crypto header from
+ * Mbed Crypto
+ */
+#include "crypto_spe.h"
+#include "mbedcrypto/psa/crypto.h"
+#undef psa_status_t
+#undef PSA_SUCCESS
+
+#endif /* __TFM_MBEDCRYPTO_INCLUDE_H__ */
diff --git a/secure_fw/services/initial_attestation/attestation_crypto_stub.c b/secure_fw/services/initial_attestation/attestation_crypto_stub.c
index 5b1df81..6848ff8 100644
--- a/secure_fw/services/initial_attestation/attestation_crypto_stub.c
+++ b/secure_fw/services/initial_attestation/attestation_crypto_stub.c
@@ -15,7 +15,7 @@
* simulates a real ECDSA P-256 over SHA256 signature generation. The size of
* the signature will be equal with a real one.
*/
-psa_status_t psa_asymmetric_sign(psa_key_slot_t key,
+psa_status_t psa_asymmetric_sign(psa_key_handle_t handle,
psa_algorithm_t alg,
const uint8_t *hash,
size_t hash_length,
diff --git a/secure_fw/services/initial_attestation/attestation_key.c b/secure_fw/services/initial_attestation/attestation_key.c
index c075668..386ac20 100644
--- a/secure_fw/services/initial_attestation/attestation_key.c
+++ b/secure_fw/services/initial_attestation/attestation_key.c
@@ -79,7 +79,7 @@
psa_key_type_t attest_key_type;
size_t public_key_size;
psa_status_t crypto_res;
- psa_key_policy_t policy;
+ psa_key_policy_t policy = psa_key_policy_init();
/* Key(s) should be unregistered at this point */
if (private_key_registered != 0 || public_key_registered != 0) {
@@ -102,9 +102,8 @@
}
/* Setup the key policy for private key */
- psa_key_policy_init(&policy);
psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_SIGN, 0); /* FixMe: alg */
- crypto_res = psa_set_key_policy((psa_key_slot_t)ATTEST_PRIVATE_KEY_SLOT,
+ crypto_res = psa_set_key_policy((psa_key_handle_t)ATTEST_PRIVATE_KEY_SLOT,
&policy);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
@@ -117,7 +116,7 @@
attest_key_type = PSA_KEY_TYPE_RAW_DATA;
/* Register private key to crypto service */
- crypto_res = psa_import_key((psa_key_slot_t)ATTEST_PRIVATE_KEY_SLOT,
+ crypto_res = psa_import_key((psa_key_handle_t)ATTEST_PRIVATE_KEY_SLOT,
attest_key_type,
attest_key.priv_key,
attest_key.priv_key_size);
@@ -133,9 +132,9 @@
}
/* Setup the key policy for public key */
- psa_key_policy_init(&policy);
+ policy = psa_key_policy_init();
psa_key_policy_set_usage(&policy, PSA_KEY_USAGE_VERIFY, 0); /* FixMe: alg */
- crypto_res = psa_set_key_policy((psa_key_slot_t)ATTEST_PUBLIC_KEY_SLOT,
+ crypto_res = psa_set_key_policy((psa_key_handle_t)ATTEST_PUBLIC_KEY_SLOT,
&policy);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
@@ -150,7 +149,7 @@
/* Register public key to crypto service */
public_key_size = attest_key.pubx_key_size + attest_key.puby_key_size;
- crypto_res = psa_import_key((psa_key_slot_t)ATTEST_PUBLIC_KEY_SLOT,
+ crypto_res = psa_import_key((psa_key_handle_t)ATTEST_PUBLIC_KEY_SLOT,
attest_key_type,
attest_key.pubx_key,
public_key_size);
@@ -173,14 +172,14 @@
return PSA_ATTEST_ERR_GENERAL;
}
- crypto_res = psa_destroy_key((psa_key_slot_t)ATTEST_PRIVATE_KEY_SLOT);
+ crypto_res = psa_destroy_key((psa_key_handle_t)ATTEST_PRIVATE_KEY_SLOT);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
private_key_registered = 0;
if (public_key_registered) {
- crypto_res = psa_destroy_key((psa_key_slot_t)ATTEST_PUBLIC_KEY_SLOT);
+ crypto_res = psa_destroy_key((psa_key_handle_t)ATTEST_PUBLIC_KEY_SLOT);
if (crypto_res != PSA_SUCCESS) {
return PSA_ATTEST_ERR_GENERAL;
}
diff --git a/secure_fw/services/secure_storage/CMakeLists.txt b/secure_fw/services/secure_storage/CMakeLists.txt
index ff07904..acba11b 100644
--- a/secure_fw/services/secure_storage/CMakeLists.txt
+++ b/secure_fw/services/secure_storage/CMakeLists.txt
@@ -29,6 +29,7 @@
#Set mbedTLS compiler flags
set(MBEDTLS_C_FLAGS ${MBEDTLS_C_FLAGS_SERVICES})
+string(APPEND MBEDTLS_C_FLAGS " -DMBEDTLS_CONFIG_FILE=\\\\\\\"tfm_mbedtls_config.h\\\\\\\"")
###Get the definition of what files we need to build
include(CMakeLists.inc)