Crypto: Decouple TF-M Crypto service from mbed TLS types and macros
Provide an abstraction layer towards the underlying crypto library
that implements the PSA Crypto core functionalities. Remove the
assumption that this library is mbed TLS: the abstraction layer is
provided here specifically for mbed TLS, but it is kept as generic as
possible so that it can be implemented for other crypto libraries if needed.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I9f2690a749a01209c39acfce161d4953765e22ed
diff --git a/secure_fw/partitions/crypto/CMakeLists.txt b/secure_fw/partitions/crypto/CMakeLists.txt
index 9bd8b7a..f71df7c 100644
--- a/secure_fw/partitions/crypto/CMakeLists.txt
+++ b/secure_fw/partitions/crypto/CMakeLists.txt
@@ -27,6 +27,7 @@
crypto_key_derivation.c
crypto_key_management.c
crypto_rng.c
+ crypto_library.c
tfm_mbedcrypto_builtin_keys.c
$<$<BOOL:CRYPTO_TFM_BUILTIN_KEYS_DRIVER>:psa_driver_api/tfm_builtin_key_loader.c>
)
diff --git a/secure_fw/partitions/crypto/crypto_aead.c b/secure_fw/partitions/crypto/crypto_aead.c
index bf094ee..a49611b 100644
--- a/secure_fw/partitions/crypto/crypto_aead.c
+++ b/secure_fw/partitions/crypto/crypto_aead.c
@@ -12,8 +12,11 @@
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
+#include "crypto_library.h"
+
/*!
* \defgroup tfm_crypto_api_shim_layer Set of functions implementing a thin shim
* layer between the TF-M Crypto service
@@ -26,7 +29,7 @@
#if CRYPTO_AEAD_MODULE_ENABLED
psa_status_t tfm_crypto_aead_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
@@ -34,6 +37,8 @@
uint32_t *p_handle = NULL;
uint16_t sid = iov->function_id;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
if (sid == TFM_CRYPTO_AEAD_ENCRYPT_SID) {
#if CRYPTO_SINGLE_PART_FUNCS_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -49,7 +54,7 @@
const uint8_t *additional_data = in_vec[2].base;
size_t additional_data_length = in_vec[2].len;
- status = psa_aead_encrypt(*encoded_key, iov->alg, nonce, nonce_length,
+ status = psa_aead_encrypt(library_key, iov->alg, nonce, nonce_length,
additional_data, additional_data_length,
plaintext, plaintext_length,
ciphertext, ciphertext_size, &out_vec[0].len);
@@ -75,7 +80,7 @@
const uint8_t *additional_data = in_vec[2].base;
size_t additional_data_length = in_vec[2].len;
- status = psa_aead_decrypt(*encoded_key, iov->alg, nonce, nonce_length,
+ status = psa_aead_decrypt(library_key, iov->alg, nonce, nonce_length,
additional_data, additional_data_length,
ciphertext, ciphertext_length,
plaintext, plaintext_size, &out_vec[0].len);
@@ -130,7 +135,7 @@
switch (sid) {
case TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID:
{
- status = psa_aead_encrypt_setup(operation, *encoded_key, iov->alg);
+ status = psa_aead_encrypt_setup(operation, library_key, iov->alg);
if (status != PSA_SUCCESS) {
goto release_operation_and_return;
}
@@ -138,7 +143,7 @@
break;
case TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID:
{
- status = psa_aead_decrypt_setup(operation, *encoded_key, iov->alg);
+ status = psa_aead_decrypt_setup(operation, library_key, iov->alg);
if (status != PSA_SUCCESS) {
goto release_operation_and_return;
}
@@ -245,7 +250,7 @@
#else /* CRYPTO_AEAD_MODULE_ENABLED */
psa_status_t tfm_crypto_aead_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
diff --git a/secure_fw/partitions/crypto/crypto_alloc.c b/secure_fw/partitions/crypto/crypto_alloc.c
index f442be4..5c78005 100644
--- a/secure_fw/partitions/crypto/crypto_alloc.c
+++ b/secure_fw/partitions/crypto/crypto_alloc.c
@@ -15,7 +15,6 @@
#include "tfm_crypto_api.h"
#include "tfm_crypto_defs.h"
-
struct tfm_crypto_operation_s {
uint32_t in_use; /*!< Indicates if the operation is in use */
int32_t owner; /*!< Indicates an ID of the owner of
diff --git a/secure_fw/partitions/crypto/crypto_asymmetric.c b/secure_fw/partitions/crypto/crypto_asymmetric.c
index 6ffe91f..cd4289a 100644
--- a/secure_fw/partitions/crypto/crypto_asymmetric.c
+++ b/secure_fw/partitions/crypto/crypto_asymmetric.c
@@ -12,8 +12,11 @@
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
+#include "crypto_library.h"
+
/*!
* \addtogroup tfm_crypto_api_shim_layer
*
@@ -23,11 +26,13 @@
#if CRYPTO_ASYM_SIGN_MODULE_ENABLED
psa_status_t tfm_crypto_asymmetric_sign_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
switch (iov->function_id) {
case TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID:
{
@@ -36,7 +41,7 @@
uint8_t *signature = out_vec[0].base;
size_t signature_size = out_vec[0].len;
- status = psa_sign_message(*encoded_key, iov->alg, input, input_length,
+ status = psa_sign_message(library_key, iov->alg, input, input_length,
signature, signature_size, &(out_vec[0].len));
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -50,7 +55,7 @@
const uint8_t *signature = in_vec[2].base;
size_t signature_length = in_vec[2].len;
- return psa_verify_message(*encoded_key, iov->alg, input, input_length,
+ return psa_verify_message(library_key, iov->alg, input, input_length,
signature, signature_length);
}
case TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID:
@@ -60,7 +65,7 @@
uint8_t *signature = out_vec[0].base;
size_t signature_size = out_vec[0].len;
- status = psa_sign_hash(*encoded_key, iov->alg, hash, hash_length,
+ status = psa_sign_hash(library_key, iov->alg, hash, hash_length,
signature, signature_size, &(out_vec[0].len));
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -74,7 +79,7 @@
const uint8_t *signature = in_vec[2].base;
size_t signature_length = in_vec[2].len;
- return psa_verify_hash(*encoded_key, iov->alg, hash, hash_length,
+ return psa_verify_hash(library_key, iov->alg, hash, hash_length,
signature, signature_length);
}
default:
@@ -86,7 +91,7 @@
#else /* CRYPTO_ASYM_SIGN_MODULE_ENABLED */
psa_status_t tfm_crypto_asymmetric_sign_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
@@ -99,11 +104,13 @@
#if CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED
psa_status_t tfm_crypto_asymmetric_encrypt_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
switch (iov->function_id) {
case TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID:
{
@@ -114,7 +121,7 @@
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
- status = psa_asymmetric_encrypt(*encoded_key, iov->alg,
+ status = psa_asymmetric_encrypt(library_key, iov->alg,
input, input_length,
salt, salt_length,
output, output_size,
@@ -133,7 +140,7 @@
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
- status = psa_asymmetric_decrypt(*encoded_key, iov->alg,
+ status = psa_asymmetric_decrypt(library_key, iov->alg,
input, input_length,
salt, salt_length,
output, output_size,
@@ -152,7 +159,7 @@
#else /* CRYPTO_ASYM_ENCRYPT_MODULE_ENABLED */
psa_status_t tfm_crypto_asymmetric_encrypt_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
diff --git a/secure_fw/partitions/crypto/crypto_cipher.c b/secure_fw/partitions/crypto/crypto_cipher.c
index b9835a4..d30604c 100644
--- a/secure_fw/partitions/crypto/crypto_cipher.c
+++ b/secure_fw/partitions/crypto/crypto_cipher.c
@@ -12,8 +12,11 @@
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
+#include "crypto_library.h"
+
/*!
* \addtogroup tfm_crypto_api_shim_layer
*
@@ -23,7 +26,7 @@
#if CRYPTO_CIPHER_MODULE_ENABLED
psa_status_t tfm_crypto_cipher_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
@@ -31,6 +34,8 @@
uint32_t *p_handle = NULL;
uint16_t sid = iov->function_id;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
if (sid == TFM_CRYPTO_CIPHER_ENCRYPT_SID) {
#if CRYPTO_SINGLE_PART_FUNCS_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -40,7 +45,7 @@
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
- status = psa_cipher_encrypt(*encoded_key, iov->alg, input, input_length,
+ status = psa_cipher_encrypt(library_key, iov->alg, input, input_length,
output, output_size, &out_vec[0].len);
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -58,7 +63,7 @@
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
- status = psa_cipher_decrypt(*encoded_key, iov->alg, input, input_length,
+ status = psa_cipher_decrypt(library_key, iov->alg, input, input_length,
output, output_size, &out_vec[0].len);
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -127,7 +132,7 @@
}
case TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID:
{
- status = psa_cipher_encrypt_setup(operation, *encoded_key, iov->alg);
+ status = psa_cipher_encrypt_setup(operation, library_key, iov->alg);
if (status != PSA_SUCCESS) {
goto release_operation_and_return;
}
@@ -135,7 +140,7 @@
break;
case TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID:
{
- status = psa_cipher_decrypt_setup(operation, *encoded_key, iov->alg);
+ status = psa_cipher_decrypt_setup(operation, library_key, iov->alg);
if (status != PSA_SUCCESS) {
goto release_operation_and_return;
}
@@ -189,7 +194,7 @@
#else /* CRYPTO_CIPHER_MODULE_ENABLED */
psa_status_t tfm_crypto_cipher_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
diff --git a/secure_fw/partitions/crypto/crypto_init.c b/secure_fw/partitions/crypto/crypto_init.c
index 71f5216..c21bc85 100644
--- a/secure_fw/partitions/crypto/crypto_init.c
+++ b/secure_fw/partitions/crypto/crypto_init.c
@@ -10,6 +10,7 @@
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
#include "tfm_sp_log.h"
#include "crypto_check_config.h"
@@ -31,10 +32,6 @@
#include "crypto_hw.h"
#endif /* CRYPTO_HW_ACCELERATOR */
-#ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
-#endif
-
#include <string.h>
#include "psa/framework_feature.h"
#include "psa/service.h"
@@ -355,7 +352,7 @@
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
int32_t caller_id = 0;
- mbedtls_svc_key_id_t encoded_key = MBEDTLS_SVC_KEY_ID_INIT;
+ struct tfm_crypto_key_id_s encoded_key = TFM_CRYPTO_KEY_ID_S_INIT;
bool is_key_required = false;
enum tfm_crypto_group_id group_id;
@@ -376,7 +373,8 @@
/* The caller_id being set in the owner field is the partition ID
* of the calling partition
*/
- encoded_key = mbedtls_svc_key_id_make(caller_id, iov->key_id);
+ encoded_key.key_id = iov->key_id;
+ encoded_key.owner = caller_id;
}
/* Dispatch to each sub-module based on the Group ID */
diff --git a/secure_fw/partitions/crypto/crypto_key_derivation.c b/secure_fw/partitions/crypto/crypto_key_derivation.c
index 86969d1..7726559 100644
--- a/secure_fw/partitions/crypto/crypto_key_derivation.c
+++ b/secure_fw/partitions/crypto/crypto_key_derivation.c
@@ -14,11 +14,10 @@
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
-#ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
-#endif
+#include "crypto_library.h"
/*!
* \addtogroup tfm_crypto_api_shim_layer
@@ -28,8 +27,8 @@
/*!@{*/
#if CRYPTO_KEY_DERIVATION_MODULE_ENABLED
psa_status_t tfm_crypto_key_derivation_interface(psa_invec in_vec[],
- psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ psa_outvec out_vec[],
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
@@ -37,13 +36,15 @@
uint32_t *p_handle = NULL;
uint16_t sid = iov->function_id;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
if (sid == TFM_CRYPTO_RAW_KEY_AGREEMENT_SID) {
uint8_t *output = out_vec[0].base;
size_t output_size = out_vec[0].len;
const uint8_t *peer_key = in_vec[1].base;
size_t peer_key_length = in_vec[1].len;
- return psa_raw_key_agreement(iov->alg, *encoded_key,
+ return psa_raw_key_agreement(iov->alg, library_key,
peer_key, peer_key_length,
output, output_size, &out_vec[0].len);
}
@@ -104,7 +105,7 @@
case TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID:
{
return psa_key_derivation_input_key(operation,
- iov->step, *encoded_key);
+ iov->step, library_key);
}
case TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID:
{
@@ -112,7 +113,7 @@
in_vec[1].base;
psa_key_id_t *key_handle = out_vec[0].base;
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
- int32_t partition_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(*encoded_key);
+ int32_t partition_id = encoded_key->owner;
status = tfm_crypto_key_attributes_from_client(client_key_attr,
partition_id,
@@ -122,9 +123,9 @@
}
status = psa_key_derivation_output_key(&key_attributes, operation,
- encoded_key);
+ &library_key);
- *key_handle = encoded_key->MBEDTLS_PRIVATE(key_id);
+ *key_handle = CRYPTO_LIBRARY_GET_KEY_ID(library_key);
}
break;
case TFM_CRYPTO_KEY_DERIVATION_ABORT_SID:
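Review bot: `*key_handle = CRYPTO_LIBRARY_GET_KEY_ID(library_key);` runs whether or not `psa_key_derivation_output_key()` succeeded, so on failure the client's output buffer receives whatever the backend left in `library_key`, which was seeded from the caller's own `key_id`. Now that the backend is meant to be replaceable, the shim should not depend on the library resetting the identifier on error; make the store conditional, `if (status == PSA_SUCCESS) { *key_handle = CRYPTO_LIBRARY_GET_KEY_ID(library_key); }`. The IMPORT_KEY and OPEN_KEY cases in crypto_key_management.c have the same unguarded store into `*key_id`, while COPY_KEY and GENERATE_KEY there already check `status` first. The enclosing function starts and ends outside this hunk.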
@@ -151,7 +152,7 @@
size_t peer_key_length = in_vec[1].len;
return psa_key_derivation_key_agreement(operation, iov->step,
- *encoded_key,
+ library_key,
peer_key,
peer_key_length);
}
@@ -169,8 +170,8 @@
}
#else /* CRYPTO_KEY_DERIVATION_MODULE_ENABLED */
psa_status_t tfm_crypto_key_derivation_interface(psa_invec in_vec[],
- psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ psa_outvec out_vec[],
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
diff --git a/secure_fw/partitions/crypto/crypto_key_management.c b/secure_fw/partitions/crypto/crypto_key_management.c
index d1cccff..6792919 100644
--- a/secure_fw/partitions/crypto/crypto_key_management.c
+++ b/secure_fw/partitions/crypto/crypto_key_management.c
@@ -11,11 +11,10 @@
#include "config_crypto.h"
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
-#ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
-#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
-#endif
+#include "crypto_library.h"
/*!
* \addtogroup tfm_crypto_api_shim_layer
@@ -25,13 +24,15 @@
/*!@{*/
#if CRYPTO_KEY_MODULE_ENABLED
psa_status_t tfm_crypto_key_management_interface(psa_invec in_vec[],
- psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ psa_outvec out_vec[],
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- int32_t partition_id = MBEDTLS_SVC_KEY_ID_GET_OWNER_ID(*encoded_key);
+ int32_t partition_id = encoded_key->owner;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
switch (iov->function_id) {
case TFM_CRYPTO_IMPORT_KEY_SID:
{
@@ -50,27 +51,27 @@
}
status = psa_import_key(&key_attributes,
- data, data_length, encoded_key);
+ data, data_length, &library_key);
/* Update the imported key id */
- *key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(*encoded_key);
+ *key_id = CRYPTO_LIBRARY_GET_KEY_ID(library_key);
}
break;
case TFM_CRYPTO_OPEN_KEY_SID:
{
psa_key_id_t *key_id = out_vec[0].base;
- status = psa_open_key(*encoded_key, encoded_key);
- *key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(*encoded_key);
+ status = psa_open_key(library_key, &library_key);
+ *key_id = CRYPTO_LIBRARY_GET_KEY_ID(library_key);
}
break;
case TFM_CRYPTO_CLOSE_KEY_SID:
{
- status = psa_close_key(*encoded_key);
+ status = psa_close_key(library_key);
}
break;
case TFM_CRYPTO_DESTROY_KEY_SID:
{
- status = psa_destroy_key(*encoded_key);
+ status = psa_destroy_key(library_key);
}
break;
case TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID:
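Review bot: `psa_import_key()` and `psa_open_key()` now write the resulting identifier into the local `library_key` instead of through `encoded_key`, so the dispatcher's `encoded_key` no longer reflects the new key once these cases return. Whether anything in crypto_init.c reads it after dispatch is not visible in this hunk and should be confirmed. Since every interface now only reads the parameter, declaring it `const struct tfm_crypto_key_id_s *encoded_key` in tfm_crypto_api.h and in the definitions would make the input-only contract explicit and let the compiler reject any write to the owner field downstream of the dispatcher. The function body starts and ends outside this hunk.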
@@ -78,7 +79,7 @@
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
struct psa_client_key_attributes_s *client_key_attr = out_vec[0].base;
- status = psa_get_key_attributes(*encoded_key, &key_attributes);
+ status = psa_get_key_attributes(library_key, &key_attributes);
if (status == PSA_SUCCESS) {
status = tfm_crypto_key_attributes_to_client(&key_attributes,
client_key_attr);
@@ -108,7 +109,7 @@
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
- status = psa_export_key(*encoded_key, data, data_size,
+ status = psa_export_key(library_key, data, data_size,
&(out_vec[0].len));
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -120,7 +121,7 @@
uint8_t *data = out_vec[0].base;
size_t data_size = out_vec[0].len;
- status = psa_export_public_key(*encoded_key, data, data_size,
+ status = psa_export_public_key(library_key, data, data_size,
&(out_vec[0].len));
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -129,7 +130,7 @@
break;
case TFM_CRYPTO_PURGE_KEY_SID:
{
- status = psa_purge_key(*encoded_key);
+ status = psa_purge_key(library_key);
}
break;
case TFM_CRYPTO_COPY_KEY_SID:
@@ -138,7 +139,7 @@
const struct psa_client_key_attributes_s *client_key_attr =
in_vec[1].base;
psa_key_id_t *target_key_id = out_vec[0].base;
- mbedtls_svc_key_id_t target_key = MBEDTLS_SVC_KEY_ID_INIT;
+ tfm_crypto_library_key_id_t target_key = tfm_crypto_library_key_id_init_default();
status = tfm_crypto_key_attributes_from_client(client_key_attr,
partition_id,
@@ -147,12 +148,14 @@
return status;
}
- status = psa_copy_key(*encoded_key, &key_attributes, &target_key);
+ status = psa_copy_key(library_key,
+ &key_attributes,
+ &target_key);
if (status != PSA_SUCCESS) {
return status;
}
- *target_key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(target_key);
+ *target_key_id = CRYPTO_LIBRARY_GET_KEY_ID(target_key);
}
break;
case TFM_CRYPTO_GENERATE_KEY_SID:
@@ -169,12 +172,12 @@
return status;
}
- status = psa_generate_key(&key_attributes, encoded_key);
+ status = psa_generate_key(&key_attributes, &library_key);
if (status != PSA_SUCCESS) {
return status;
}
- *key_handle = MBEDTLS_SVC_KEY_ID_GET_KEY_ID(*encoded_key);
+ *key_handle = CRYPTO_LIBRARY_GET_KEY_ID(library_key);
}
break;
default:
@@ -185,8 +188,8 @@
}
#else /* CRYPTO_KEY_MODULE_ENABLED */
psa_status_t tfm_crypto_key_management_interface(psa_invec in_vec[],
- psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ psa_outvec out_vec[],
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
diff --git a/secure_fw/partitions/crypto/crypto_library.c b/secure_fw/partitions/crypto/crypto_library.c
new file mode 100644
index 0000000..ae1823b
--- /dev/null
+++ b/secure_fw/partitions/crypto/crypto_library.c
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "config_crypto.h"
+
+#include "crypto_library.h"
+
+#include "mbedtls/build_info.h"
+
+#ifndef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
+#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER must be selected in Mbed TLS config file"
+#endif
+
+/* Mbed TLS is guaranteed not to have a version string longer than 18 bytes */
+static char mbedtls_version_full[18];
+
+/*!
+ * \defgroup tfm_crypto_library Set of functions implementing the abstractions of the underlying cryptographic
+ * library that implements the PSA Crypto APIs to provide the PSA Crypto core
+ * functionality to the TF-M Crypto service. Currently it supports only an
+ * mbed TLS based abstraction.
+ */
+/*!@{*/
+tfm_crypto_library_key_id_t tfm_crypto_library_key_id_init(int32_t owner, psa_key_id_t key_id)
+{
+ return mbedtls_svc_key_id_make(owner, key_id);
+}
+
+char *tfm_crypto_library_get_info(void)
+{
+ memcpy(mbedtls_version_full, MBEDTLS_VERSION_STRING_FULL, sizeof(MBEDTLS_VERSION_STRING_FULL));
+ return mbedtls_version_full;
+}
+/*!@}*/
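Review bot: The `memcpy` in `tfm_crypto_library_get_info()` copies `sizeof(MBEDTLS_VERSION_STRING_FULL)` bytes into the fixed 18-byte `mbedtls_version_full`, and only the comment above the array ties the two sizes together, so a longer version string in a later Mbed TLS release would overrun a static buffer inside the Crypto partition. A compile-time check such as `_Static_assert(sizeof(MBEDTLS_VERSION_STRING_FULL) <= sizeof(mbedtls_version_full), "version string too long");` (or the project's equivalent if C11 is not available) would turn that into a build failure. The comment should also say whether the 18 bytes include the terminating NUL.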
diff --git a/secure_fw/partitions/crypto/crypto_library.h b/secure_fw/partitions/crypto/crypto_library.h
new file mode 100644
index 0000000..17e04df
--- /dev/null
+++ b/secure_fw/partitions/crypto/crypto_library.h
@@ -0,0 +1,63 @@
+/*
+ * Copyright (c) 2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+/**
+ * \file crypto_library.h
+ *
+ * \brief This file contains some abstractions required to interface the
+ * TF-M Crypto service to an underlying cryptographic library that
+ * implements the PSA Crypto API. The TF-M Crypto service uses this
+ * library to provide a PSA Crypto core layer implementation and
+ * a software or hardware based implementation of crypto algorithms.
+ */
+
+#ifndef CRYPTO_LIBRARY_H
+#define CRYPTO_LIBRARY_H
+
+#include "psa/crypto.h"
+#include "tfm_crypto_api.h"
+
+/**
+ * \brief This macro extracts the key ID from the library encoded key passed as parameter
+ *
+ */
+#define CRYPTO_LIBRARY_GET_KEY_ID(encoded_key_library) MBEDTLS_SVC_KEY_ID_GET_KEY_ID(encoded_key_library)
+
+/**
+ * \brief The following typedef must be defined to the type associated to the key_id in the underlying library
+ *
+ */
+typedef mbedtls_svc_key_id_t tfm_crypto_library_key_id_t;
+
+/**
+ * \brief Function used to initialise an object of \ref tfm_crypto_library_key_id_t to a (owner, key_id) pair
+ *
+ * \param[in] owner Owner of the key
+ * \param[in] key_id key ID associated to the key of type \ref psa_key_id_t
+ *
+ * \return An object of type \ref tfm_crypto_library_key_id_t
+ *
+ */
+tfm_crypto_library_key_id_t tfm_crypto_library_key_id_init(int32_t owner, psa_key_id_t key_id);
+
+/**
+ * \brief This function is used to retrieve a string describing the library used in the backend
+ * to provide information to the crypto service and the user
+ *
+ * \return A NULL terminated string describing the backend library
+ */
+char *tfm_crypto_library_get_info(void);
+
+/**
+ * \brief This function initialises a \ref tfm_crypto_library_key_id_t with default values
+ *
+ */
+static inline tfm_crypto_library_key_id_t tfm_crypto_library_key_id_init_default(void)
+{
+ return tfm_crypto_library_key_id_init(0, 0);
+}
+#endif /* CRYPTO_LIBRARY_H */
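Review bot: `tfm_crypto_library_get_info()` returns a plain `char *`, which lets any caller modify the version string it points to. The declaration would be safer as `const char *tfm_crypto_library_get_info(void);`, with the definition in crypto_library.c changed to match, and its doc comment could state that the pointer refers to static storage that must not be written or freed. Separately, `tfm_crypto_library_key_id_init_default()` is documented as using "default values" without saying these are owner 0 and key ID 0; spelling that out helps a reader judge its use for the COPY_KEY target.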
diff --git a/secure_fw/partitions/crypto/crypto_mac.c b/secure_fw/partitions/crypto/crypto_mac.c
index 8531de5..0fcda86 100644
--- a/secure_fw/partitions/crypto/crypto_mac.c
+++ b/secure_fw/partitions/crypto/crypto_mac.c
@@ -12,8 +12,11 @@
#include "tfm_mbedcrypto_include.h"
#include "tfm_crypto_api.h"
+#include "tfm_crypto_key.h"
#include "tfm_crypto_defs.h"
+#include "crypto_library.h"
+
/*!
* \addtogroup tfm_crypto_api_shim_layer
*
@@ -23,7 +26,7 @@
#if CRYPTO_MAC_MODULE_ENABLED
psa_status_t tfm_crypto_mac_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
psa_status_t status = PSA_ERROR_NOT_SUPPORTED;
@@ -31,6 +34,8 @@
uint32_t *p_handle = NULL;
uint16_t sid = iov->function_id;
+ tfm_crypto_library_key_id_t library_key = tfm_crypto_library_key_id_init(
+ encoded_key->owner, encoded_key->key_id);
if (sid == TFM_CRYPTO_MAC_COMPUTE_SID) {
#if CRYPTO_SINGLE_PART_FUNCS_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
@@ -40,7 +45,7 @@
uint8_t *mac = out_vec[0].base;
size_t mac_size = out_vec[0].len;
- status = psa_mac_compute(*encoded_key, iov->alg, input, input_length,
+ status = psa_mac_compute(library_key, iov->alg, input, input_length,
mac, mac_size, &out_vec[0].len);
if (status != PSA_SUCCESS) {
out_vec[0].len = 0;
@@ -58,7 +63,7 @@
const uint8_t *mac = in_vec[2].base;
size_t mac_length = in_vec[2].len;
- return psa_mac_verify(*encoded_key, iov->alg, input, input_length,
+ return psa_mac_verify(library_key, iov->alg, input, input_length,
mac, mac_length);
#endif
}
@@ -106,7 +111,7 @@
switch (sid) {
case TFM_CRYPTO_MAC_SIGN_SETUP_SID:
{
- status = psa_mac_sign_setup(operation, *encoded_key, iov->alg);
+ status = psa_mac_sign_setup(operation, library_key, iov->alg);
if (status != PSA_SUCCESS) {
goto release_operation_and_return;
}
@@ -114,7 +119,7 @@
break;
case TFM_CRYPTO_MAC_VERIFY_SETUP_SID:
{
- status = psa_mac_verify_setup(operation, *encoded_key, iov->alg);
+ status = psa_mac_verify_setup(operation, library_key, iov->alg);
if (status != PSA_SUCCESS) {
goto release_operation_and_return;
}
@@ -171,7 +176,7 @@
#else /* CRYPTO_MAC_MODULE_ENABLED */
psa_status_t tfm_crypto_mac_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key)
+ struct tfm_crypto_key_id_s *encoded_key)
{
(void)in_vec;
(void)out_vec;
diff --git a/secure_fw/partitions/crypto/tfm_crypto_api.h b/secure_fw/partitions/crypto/tfm_crypto_api.h
index 9adfeea..d2c82bc 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_api.h
+++ b/secure_fw/partitions/crypto/tfm_crypto_api.h
@@ -14,6 +14,7 @@
#include <stdint.h>
#include "tfm_crypto_defs.h"
+#include "tfm_crypto_key.h"
#include "psa/crypto_client_struct.h"
/**
@@ -151,7 +152,7 @@
*/
psa_status_t tfm_crypto_key_management_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the MAC module
*
@@ -163,7 +164,7 @@
*/
psa_status_t tfm_crypto_mac_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the Cipher module
*
@@ -175,7 +176,7 @@
*/
psa_status_t tfm_crypto_cipher_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the AEAD module
*
@@ -187,7 +188,7 @@
*/
psa_status_t tfm_crypto_aead_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the Asymmetric signing module
@@ -200,7 +201,7 @@
*/
psa_status_t tfm_crypto_asymmetric_sign_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the Asymmetric encryption module
@@ -213,7 +214,7 @@
*/
psa_status_t tfm_crypto_asymmetric_encrypt_interface(psa_invec in_vec[],
psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the Key derivation module
@@ -225,8 +226,8 @@
* \return Return values as described in \ref psa_status_t
*/
psa_status_t tfm_crypto_key_derivation_interface(psa_invec in_vec[],
- psa_outvec out_vec[],
- mbedtls_svc_key_id_t *encoded_key);
+ psa_outvec out_vec[],
+ struct tfm_crypto_key_id_s *encoded_key);
/**
* \brief This function acts as interface for the Random module
*
diff --git a/secure_fw/partitions/crypto/tfm_crypto_key.h b/secure_fw/partitions/crypto/tfm_crypto_key.h
new file mode 100644
index 0000000..538cdfe
--- /dev/null
+++ b/secure_fw/partitions/crypto/tfm_crypto_key.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ */
+
+#ifndef __TFM_CRYPTO_KEY_H__
+#define __TFM_CRYPTO_KEY_H__
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <stdint.h>
+#include "psa/crypto.h"
+
+/**
+ * \brief The type which describes a key identifier to the Crypto
+ * service. The key identifiers must clearly provide a
+ * dedicated indication of the entity owner which owns the key
+ */
+struct tfm_crypto_key_id_s {
+ psa_key_id_t key_id; /*!< Key ID for the key itself */
+ int32_t owner; /*!< ID of the entity owning the key */
+};
+
+/**
+ * \brief A macro to perform static initialisation of a \struct tfm_crypto_key_id_s
+ * structure
+ */
+#define TFM_CRYPTO_KEY_ID_S_INIT {0, 0}
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __TFM_CRYPTO_KEY_H__ */
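Review bot: The doc comment on `struct tfm_crypto_key_id_s` does not say who may set `owner`, which is the field that key isolation between partitions rests on. The comment in crypto_init.c in this commit says the owner is the partition ID of the calling partition, so the field comment could read `/*!< Partition ID of the caller, set by the Crypto service; never taken from client-supplied data */`. The macro's comment uses `\struct`, which Doxygen treats as a structural command; `\ref tfm_crypto_key_id_s` is probably what was meant. The include guard `__TFM_CRYPTO_KEY_H__` is a reserved identifier, whereas crypto_library.h in the same commit uses `CRYPTO_LIBRARY_H`.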