Crypto: Upgrade mbedtls to v3.0.0
- Remove deprecated macros and functions
- Enable SHA-224 cryptographic hash algorithm by 'define
MBEDTLS_SHA224_C'
- Enable SHA-384 cryptographic hash algorithm by 'define
MBEDTLS_SHA384_C'
- 'psa_cipher_encrypt' and 'psa_cipher_decrypt' is supported by
mbedtls-3.0.0
- 'psa_mac_compute' and 'psa_mac_verify' is supported by mbedtls-3.0.0
- mbedtls-3.0.0 changes some internal mbedtls apis' name, mcuboot needs
to align.
Change-Id: Ia868c93deceee6c8042607acf35ce2f4c9c15e35
Signed-off-by: Summer Qin <summer.qin@arm.com>
diff --git a/secure_fw/partitions/crypto/crypto_key.c b/secure_fw/partitions/crypto/crypto_key.c
index 6f0aea2..ec9bf0f 100644
--- a/secure_fw/partitions/crypto/crypto_key.c
+++ b/secure_fw/partitions/crypto/crypto_key.c
@@ -147,25 +147,30 @@
int32_t client_id,
psa_key_attributes_t *key_attributes)
{
+ psa_core_key_attributes_t *core;
+
if (client_key_attr == NULL || key_attributes == NULL) {
return PSA_ERROR_PROGRAMMER_ERROR;
}
*key_attributes = psa_key_attributes_init();
+ core = &(key_attributes->MBEDTLS_PRIVATE(core));
/* Copy core key attributes from the client core key attributes */
- key_attributes->core.type = client_key_attr->type;
- key_attributes->core.lifetime = client_key_attr->lifetime;
- key_attributes->core.policy.usage = client_key_attr->usage;
- key_attributes->core.policy.alg = client_key_attr->alg;
- key_attributes->core.bits = client_key_attr->bits;
+ core->MBEDTLS_PRIVATE(type) = client_key_attr->type;
+ core->MBEDTLS_PRIVATE(lifetime) = client_key_attr->lifetime;
+ core->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) =
+ client_key_attr->usage;
+ core->MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) =
+ client_key_attr->alg;
+ core->MBEDTLS_PRIVATE(bits) = client_key_attr->bits;
/* Use the client key id as the key_id and its partition id as the owner */
#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
- key_attributes->core.id.key_id = client_key_attr->id;
- key_attributes->core.id.owner = client_id;
+ core->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = client_key_attr->id;
+ core->MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = client_id;
#else
- key_attributes->core.id = client_key_attr->id;
+ core->MBEDTLS_PRIVATE(id) = client_key_attr->id;
#endif
return PSA_SUCCESS;
@@ -181,19 +186,20 @@
struct psa_client_key_attributes_s v = PSA_CLIENT_KEY_ATTRIBUTES_INIT;
*client_key_attr = v;
+ psa_core_key_attributes_t core = key_attributes->MBEDTLS_PRIVATE(core);
/* Copy core key attributes from the client core key attributes */
- client_key_attr->type = key_attributes->core.type;
- client_key_attr->lifetime = key_attributes->core.lifetime;
- client_key_attr->usage = key_attributes->core.policy.usage;
- client_key_attr->alg = key_attributes->core.policy.alg;
- client_key_attr->bits = key_attributes->core.bits;
+ client_key_attr->type = core.MBEDTLS_PRIVATE(type);
+ client_key_attr->lifetime = core.MBEDTLS_PRIVATE(lifetime);
+ client_key_attr->usage = core.MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage);
+ client_key_attr->alg = core.MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg);
+ client_key_attr->bits = core.MBEDTLS_PRIVATE(bits);
/* Return the key_id as the client key id, do not return the owner */
#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
- client_key_attr->id = key_attributes->core.id.key_id;
+ client_key_attr->id = core.MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id);
#else
- client_key_attr->id = key_attributes->core.id;
+ client_key_attr->id = core.MBEDTLS_PRIVATE(id);
#endif
return PSA_SUCCESS;
@@ -331,7 +337,7 @@
status = psa_import_key(&key_attributes, data, data_length, &encoded_key);
/* Update the imported key id */
#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
- *psa_key = encoded_key.key_id;
+ *psa_key = encoded_key.MBEDTLS_PRIVATE(key_id);
#else
*psa_key = (psa_key_id_t)encoded_key;
#endif
@@ -383,7 +389,7 @@
status = psa_open_key(encoded_key, &encoded_key);
#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
- *key = encoded_key.key_id;
+ *key = encoded_key.MBEDTLS_PRIVATE(key_id);
#else
*key = (psa_key_id_t)encoded_key;
#endif
@@ -712,7 +718,7 @@
status = psa_copy_key(encoded_key, &key_attributes, &target_key);
#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
- *target_key_id = target_key.key_id;
+ *target_key_id = target_key.MBEDTLS_PRIVATE(key_id);
#else
*target_key_id = (psa_key_id_t)target_key;
#endif
@@ -767,7 +773,7 @@
status = psa_generate_key(&key_attributes, &encoded_key);
#ifdef CRYPTO_KEY_ID_ENCODES_OWNER
- *key_handle = encoded_key.key_id;
+ *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);
#else
*key_handle = (psa_key_id_t)encoded_key;
#endif
diff --git a/secure_fw/partitions/crypto/crypto_key_derivation.c b/secure_fw/partitions/crypto/crypto_key_derivation.c
index 38fda1b..3399683 100644
--- a/secure_fw/partitions/crypto/crypto_key_derivation.c
+++ b/secure_fw/partitions/crypto/crypto_key_derivation.c
@@ -29,7 +29,7 @@
psa_key_derivation_operation_t *operation,
psa_algorithm_t alg)
{
- operation->alg = TFM_CRYPTO_ALG_HUK_DERIVATION;
+ operation->MBEDTLS_PRIVATE(alg) = TFM_CRYPTO_ALG_HUK_DERIVATION;
return PSA_SUCCESS;
}
@@ -41,6 +41,7 @@
{
psa_status_t status;
int32_t partition_id;
+ psa_tls12_prf_key_derivation_t *tls12_prf;
if (step != PSA_KEY_DERIVATION_INPUT_LABEL) {
return PSA_ERROR_INVALID_ARGUMENT;
@@ -66,16 +67,18 @@
/* Put the label in the tls12_prf ctx to make it available in the output key
* step.
*/
- operation->ctx.tls12_prf.label = mbedtls_calloc(1, sizeof(partition_id)
- + data_length);
- if (operation->ctx.tls12_prf.label == NULL) {
+ tls12_prf = &(operation->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(tls12_prf));
+ tls12_prf->MBEDTLS_PRIVATE(label) =
+ mbedtls_calloc(1, sizeof(partition_id) + data_length);
+ if (tls12_prf->MBEDTLS_PRIVATE(label) == NULL) {
return PSA_ERROR_INSUFFICIENT_MEMORY;
}
- (void)tfm_memcpy(operation->ctx.tls12_prf.label, &partition_id,
+ (void)tfm_memcpy(tls12_prf->MBEDTLS_PRIVATE(label), &partition_id,
sizeof(partition_id));
- (void)tfm_memcpy(operation->ctx.tls12_prf.label + sizeof(partition_id),
+ (void)tfm_memcpy(tls12_prf->MBEDTLS_PRIVATE(label) + sizeof(partition_id),
data, data_length);
- operation->ctx.tls12_prf.label_length = sizeof(partition_id) + data_length;
+ tls12_prf->MBEDTLS_PRIVATE(label_length) = sizeof(partition_id) +
+ data_length;
return PSA_SUCCESS;
}
@@ -87,32 +90,37 @@
{
enum tfm_plat_err_t err;
size_t bytes = PSA_BITS_TO_BYTES(psa_get_key_bits(attributes));
+ psa_tls12_prf_key_derivation_t *tls12_prf =
+ &(operation->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(tls12_prf));
- if (sizeof(operation->ctx.tls12_prf.output_block) < bytes) {
+ if (sizeof(tls12_prf->MBEDTLS_PRIVATE(output_block)) < bytes) {
return PSA_ERROR_INSUFFICIENT_MEMORY;
}
/* Derive key material from the HUK and output it to the operation buffer */
- err = tfm_plat_get_huk_derived_key(operation->ctx.tls12_prf.label,
- operation->ctx.tls12_prf.label_length,
+ err = tfm_plat_get_huk_derived_key(tls12_prf->MBEDTLS_PRIVATE(label),
+ tls12_prf->MBEDTLS_PRIVATE(label_length),
NULL, 0,
- operation->ctx.tls12_prf.output_block,
+ tls12_prf->MBEDTLS_PRIVATE(output_block),
bytes);
if (err != TFM_PLAT_ERR_SUCCESS) {
return PSA_ERROR_HARDWARE_FAILURE;
}
- return psa_import_key(attributes, operation->ctx.tls12_prf.output_block,
+ return psa_import_key(attributes, tls12_prf->MBEDTLS_PRIVATE(output_block),
bytes, key_id);
}
static psa_status_t tfm_crypto_huk_derivation_abort(
psa_key_derivation_operation_t *operation)
{
- if (operation->ctx.tls12_prf.label != NULL) {
- (void)tfm_memset(operation->ctx.tls12_prf.label, 0,
- operation->ctx.tls12_prf.label_length);
- mbedtls_free(operation->ctx.tls12_prf.label);
+ psa_tls12_prf_key_derivation_t *tls12_prf =
+ &(operation->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(tls12_prf));
+
+ if (tls12_prf->MBEDTLS_PRIVATE(label) != NULL) {
+ (void)tfm_memset(tls12_prf->MBEDTLS_PRIVATE(label), 0,
+ tls12_prf->MBEDTLS_PRIVATE(label_length));
+ mbedtls_free(tls12_prf->MBEDTLS_PRIVATE(label));
}
(void)tfm_memset(operation, 0, sizeof(*operation));
@@ -273,7 +281,7 @@
return status;
}
- if (operation->alg == TFM_CRYPTO_ALG_HUK_DERIVATION) {
+ if (operation->MBEDTLS_PRIVATE(alg) == TFM_CRYPTO_ALG_HUK_DERIVATION) {
return tfm_crypto_huk_derivation_input_bytes(operation, step, data,
data_length);
} else {
@@ -414,7 +422,7 @@
return status;
}
- if (operation->alg == TFM_CRYPTO_ALG_HUK_DERIVATION) {
+ if (operation->MBEDTLS_PRIVATE(alg) == TFM_CRYPTO_ALG_HUK_DERIVATION) {
status = tfm_crypto_huk_derivation_output_key(&key_attributes,
operation, &encoded_key);
} else {
@@ -422,7 +430,7 @@
&encoded_key);
}
#ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
- *key_handle = encoded_key.key_id;
+ *key_handle = encoded_key.MBEDTLS_PRIVATE(key_id);
#else
*key_handle = (psa_key_id_t)encoded_key;
#endif
@@ -471,7 +479,7 @@
*handle_out = handle;
- if (operation->alg == TFM_CRYPTO_ALG_HUK_DERIVATION) {
+ if (operation->MBEDTLS_PRIVATE(alg) == TFM_CRYPTO_ALG_HUK_DERIVATION) {
status = tfm_crypto_huk_derivation_abort(operation);
} else {
status = psa_key_derivation_abort(operation);
diff --git a/secure_fw/partitions/crypto/crypto_spe.h b/secure_fw/partitions/crypto/crypto_spe.h
index f80fd86..58f761f 100644
--- a/secure_fw/partitions/crypto/crypto_spe.h
+++ b/secure_fw/partitions/crypto/crypto_spe.h
@@ -82,6 +82,10 @@
PSA_FUNCTION_NAME(psa_cipher_decrypt_setup)
#define psa_cipher_update \
PSA_FUNCTION_NAME(psa_cipher_update)
+#define psa_cipher_encrypt \
+ PSA_FUNCTION_NAME(psa_cipher_encrypt)
+#define psa_cipher_decrypt \
+ PSA_FUNCTION_NAME(psa_cipher_decrypt)
#define psa_cipher_finish \
PSA_FUNCTION_NAME(psa_cipher_finish)
#define psa_cipher_abort \
@@ -116,6 +120,10 @@
PSA_FUNCTION_NAME(psa_mac_sign_finish)
#define psa_mac_verify_finish \
PSA_FUNCTION_NAME(psa_mac_verify_finish)
+#define psa_mac_compute \
+ PSA_FUNCTION_NAME(psa_mac_compute)
+#define psa_mac_verify \
+ PSA_FUNCTION_NAME(psa_mac_verify)
#define psa_mac_abort \
PSA_FUNCTION_NAME(psa_mac_abort)
#define psa_sign_hash \
diff --git a/secure_fw/partitions/crypto/tfm_mbedcrypto_alt.c b/secure_fw/partitions/crypto/tfm_mbedcrypto_alt.c
index 9cf9277..3275766 100644
--- a/secure_fw/partitions/crypto/tfm_mbedcrypto_alt.c
+++ b/secure_fw/partitions/crypto/tfm_mbedcrypto_alt.c
@@ -18,6 +18,7 @@
#include "tfm_mbedcrypto_include.h"
#if defined(MBEDTLS_AES_DECRYPT_ALT) || defined(MBEDTLS_AES_SETKEY_DEC_ALT)
#include "mbedtls/aes.h"
+#include "mbedtls/error.h"
#endif
#if defined(MBEDTLS_AES_DECRYPT_ALT) && defined(MBEDTLS_CCM_C)
@@ -35,7 +36,7 @@
(void)input;
(void)output;
- return MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE;
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
}
#endif
@@ -53,6 +54,6 @@
(void)key;
(void)keybits;
- return MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE;
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
}
#endif