Platform: Add API to get key derived from HUK
Adds the tfm_plat_get_huk_derived_key() function to get key material
that is derived from the HUK through a platform-defined implementation.
Change-Id: I307597b7c9e280cc984ccac9dcf28b627367e5b5
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
diff --git a/platform/ext/target/mps2/an519/dummy_crypto_keys.c b/platform/ext/target/mps2/an519/dummy_crypto_keys.c
index 9cb21e0..a7936ab 100644
--- a/platform/ext/target/mps2/an519/dummy_crypto_keys.c
+++ b/platform/ext/target/mps2/an519/dummy_crypto_keys.c
@@ -69,6 +69,28 @@
return TFM_PLAT_ERR_SUCCESS;
}
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size)
+{
+ (void)label;
+ (void)label_size;
+ (void)context;
+ (void)context_size;
+
+ if (key_size > TFM_KEY_LEN_BYTES) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
+
+ /* FIXME: Do key derivation */
+ copy_key(key, sample_tfm_key, key_size);
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
+
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
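Review bot: The stub's `copy_key(key, sample_tfm_key, key_size);` hands back the leading `key_size` bytes of the sample key itself while `label` and `context` are discarded, so every caller receives the same material and a shorter request is a prefix of a longer one; the one-line FIXME does not convey that. Until a KDF is wired in, I would spell it out, e.g. `/* FIXME: no KDF yet: returns raw sample key bytes, identical for every label/context. Not for production use. */`. The guard also does not reject a NULL `key`, and whether `copy_key` tolerates one is not visible in this hunk, so consider `if (key == NULL || key_size > TFM_KEY_LEN_BYTES) {`. The same points apply to the identical hunks for an521, an539, an524, musca_a and musca_b1.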
diff --git a/platform/ext/target/mps2/an521/dummy_crypto_keys.c b/platform/ext/target/mps2/an521/dummy_crypto_keys.c
index 66d2c36..39d1bdd 100644
--- a/platform/ext/target/mps2/an521/dummy_crypto_keys.c
+++ b/platform/ext/target/mps2/an521/dummy_crypto_keys.c
@@ -69,6 +69,28 @@
return TFM_PLAT_ERR_SUCCESS;
}
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size)
+{
+ (void)label;
+ (void)label_size;
+ (void)context;
+ (void)context_size;
+
+ if (key_size > TFM_KEY_LEN_BYTES) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
+
+ /* FIXME: Do key derivation */
+ copy_key(key, sample_tfm_key, key_size);
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
+
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
diff --git a/platform/ext/target/mps2/an539/dummy_crypto_keys.c b/platform/ext/target/mps2/an539/dummy_crypto_keys.c
index ba7c860..e354ddc 100644
--- a/platform/ext/target/mps2/an539/dummy_crypto_keys.c
+++ b/platform/ext/target/mps2/an539/dummy_crypto_keys.c
@@ -66,6 +66,28 @@
return TFM_PLAT_ERR_SUCCESS;
}
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size)
+{
+ (void)label;
+ (void)label_size;
+ (void)context;
+ (void)context_size;
+
+ if (key_size > TFM_KEY_LEN_BYTES) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
+
+ /* FIXME: Do key derivation */
+ copy_key(key, sample_tfm_key, key_size);
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
+
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
diff --git a/platform/ext/target/mps3/an524/dummy_crypto_keys.c b/platform/ext/target/mps3/an524/dummy_crypto_keys.c
index 83cbd1c..633c97a 100644
--- a/platform/ext/target/mps3/an524/dummy_crypto_keys.c
+++ b/platform/ext/target/mps3/an524/dummy_crypto_keys.c
@@ -66,6 +66,28 @@
return TFM_PLAT_ERR_SUCCESS;
}
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size)
+{
+ (void)label;
+ (void)label_size;
+ (void)context;
+ (void)context_size;
+
+ if (key_size > TFM_KEY_LEN_BYTES) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
+
+ /* FIXME: Do key derivation */
+ copy_key(key, sample_tfm_key, key_size);
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
+
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
diff --git a/platform/ext/target/musca_a/dummy_crypto_keys.c b/platform/ext/target/musca_a/dummy_crypto_keys.c
index 3bf1f99..34c47c6 100644
--- a/platform/ext/target/musca_a/dummy_crypto_keys.c
+++ b/platform/ext/target/musca_a/dummy_crypto_keys.c
@@ -69,6 +69,28 @@
return TFM_PLAT_ERR_SUCCESS;
}
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size)
+{
+ (void)label;
+ (void)label_size;
+ (void)context;
+ (void)context_size;
+
+ if (key_size > TFM_KEY_LEN_BYTES) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
+
+ /* FIXME: Do key derivation */
+ copy_key(key, sample_tfm_key, key_size);
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
+
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
diff --git a/platform/ext/target/musca_b1/dummy_crypto_keys.c b/platform/ext/target/musca_b1/dummy_crypto_keys.c
index 83cbd1c..633c97a 100644
--- a/platform/ext/target/musca_b1/dummy_crypto_keys.c
+++ b/platform/ext/target/musca_b1/dummy_crypto_keys.c
@@ -66,6 +66,28 @@
return TFM_PLAT_ERR_SUCCESS;
}
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size)
+{
+ (void)label;
+ (void)label_size;
+ (void)context;
+ (void)context_size;
+
+ if (key_size > TFM_KEY_LEN_BYTES) {
+ return TFM_PLAT_ERR_SYSTEM_ERR;
+ }
+
+ /* FIXME: Do key derivation */
+ copy_key(key, sample_tfm_key, key_size);
+
+ return TFM_PLAT_ERR_SUCCESS;
+}
+
enum tfm_plat_err_t
tfm_plat_get_initial_attest_key(uint8_t *key_buf,
uint32_t size,
diff --git a/platform/include/tfm_plat_crypto_keys.h b/platform/include/tfm_plat_crypto_keys.h
index 81c54a7..a281b7f 100644
--- a/platform/include/tfm_plat_crypto_keys.h
+++ b/platform/include/tfm_plat_crypto_keys.h
@@ -12,6 +12,7 @@
* SoC.
*/
+#include <stddef.h>
#include <stdint.h>
#include "tfm_plat_defs.h"
#include "psa/crypto.h"
@@ -88,6 +89,26 @@
enum tfm_plat_err_t tfm_plat_get_crypto_huk(uint8_t *key, uint32_t size);
/**
+ * \brief Gets key material derived from the hardware unique key.
+ *
+ * \param[in] label Label for KDF
+ * \param[in] label_size Size of the label
+ * \param[in] context Context for KDF
+ * \param[in] context_size Size of the context
+ * \param[out] key Buffer to output the derived key material
+ * \param[in] key_size Requested size of the derived key material and
+ * minimum size of the key buffer
+ *
+ * \return Returns error code specified in \ref tfm_plat_err_t
+ */
+enum tfm_plat_err_t tfm_plat_get_huk_derived_key(const uint8_t *label,
+ size_t label_size,
+ const uint8_t *context,
+ size_t context_size,
+ uint8_t *key,
+ size_t key_size);
+
+/**
* \brief Get the initial attestation key
*
* The device MUST contain an initial attestation key, which is used to sign the
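Review bot: The doc comment on `tfm_plat_get_huk_derived_key()` leaves unstated the contract a platform port has to meet. It does not say that distinct label/context inputs must yield independent keys, whether `label` or `context` may be NULL when its size is 0, or what happens when `key_size` exceeds what the platform can derive. I would add a short paragraph after the `\brief` stating the domain-separation requirement and that the output must be derived material rather than the HUK itself. I would also extend the return line, e.g. `\return TFM_PLAT_ERR_SUCCESS on success, otherwise an error code from \ref tfm_plat_err_t`. The dummy targets in this commit return TFM_PLAT_ERR_SYSTEM_ERR for an oversize request, so naming that value here would keep ports consistent.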