Crypto: Add support for some cipher and mac functions
Add support for 'psa_cipher_encrypt', 'psa_cipher_decrypt',
'psa_mac_compute' and 'psa_mac_verify' since mbedtls-3.0.0 has
implemented them.
Change-Id: Iec2c5799cd7e44a9f478bd1f36234bdc548a559e
Signed-off-by: Summer Qin <summer.qin@arm.com>
diff --git a/interface/src/tfm_crypto_func_api.c b/interface/src/tfm_crypto_func_api.c
index 62bf485..5d42405 100644
--- a/interface/src/tfm_crypto_func_api.c
+++ b/interface/src/tfm_crypto_func_api.c
@@ -1225,8 +1225,26 @@
size_t *mac_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_MAC_COMPUTE_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = mac, .len = mac_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_mac_compute,
+ TFM_CRYPTO_MAC_COMPUTE);
+
+ if (status == PSA_SUCCESS) {
+ *mac_length = out_vec[0].len;
+ }
return status;
}
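Review bot: On any failing status `*mac_length` is never written, because the assignment after `API_DISPATCH` is guarded by `status == PSA_SUCCESS`; a caller that sizes a later copy or comparison from that length without first checking the status would be working with an indeterminate value. Writing a defined value on every path closes that off, for example `*mac_length = (status == PSA_SUCCESS) ? out_vec[0].len : 0;`. The same pattern appears in the `psa_cipher_encrypt` and `psa_cipher_decrypt` hunks of this file (for `*output_length`) and in the matching hunks of `tfm_crypto_ipc_api.c` and `tfm_crypto_secure_api.c`. The function's signature begins outside this hunk, so only the tail of the parameter list is visible.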
@@ -1239,8 +1257,20 @@
const size_t mac_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ {.base = mac, .len = mac_length},
+ };
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_mac_verify,
+ TFM_CRYPTO_MAC_VERIFY);
return status;
}
@@ -1254,8 +1284,26 @@
size_t *output_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_cipher_encrypt,
+ TFM_CRYPTO_CIPHER_ENCRYPT);
+
+ if (status == PSA_SUCCESS) {
+ *output_length = out_vec[0].len;
+ }
return status;
}
@@ -1269,8 +1317,26 @@
size_t *output_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_cipher_decrypt,
+ TFM_CRYPTO_CIPHER_DECRYPT);
+
+ if (status == PSA_SUCCESS) {
+ *output_length = out_vec[0].len;
+ }
return status;
}
diff --git a/interface/src/tfm_crypto_ipc_api.c b/interface/src/tfm_crypto_ipc_api.c
index af604ec..8dc2584 100644
--- a/interface/src/tfm_crypto_ipc_api.c
+++ b/interface/src/tfm_crypto_ipc_api.c
@@ -1252,8 +1252,26 @@
size_t *mac_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_MAC_COMPUTE_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = mac, .len = mac_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_mac_compute,
+ TFM_CRYPTO_MAC_COMPUTE);
+
+ if (status == PSA_SUCCESS) {
+ *mac_length = out_vec[0].len;
+ }
return status;
}
@@ -1266,8 +1284,20 @@
const size_t mac_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ {.base = mac, .len = mac_length},
+ };
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_mac_verify,
+ TFM_CRYPTO_MAC_VERIFY);
return status;
}
@@ -1281,8 +1311,26 @@
size_t *output_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size}
+ };
+
+ status = API_DISPATCH(tfm_crypto_cipher_encrypt,
+ TFM_CRYPTO_CIPHER_ENCRYPT);
+
+ if (status == PSA_SUCCESS) {
+ *output_length = out_vec[0].len;
+ }
return status;
}
@@ -1296,8 +1344,26 @@
size_t *output_length)
{
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SID,
+ .key_id = key,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size}
+ };
+
+ status = API_DISPATCH(tfm_crypto_cipher_decrypt,
+ TFM_CRYPTO_CIPHER_DECRYPT);
+
+ if (status == PSA_SUCCESS) {
+ *output_length = out_vec[0].len;
+ }
return status;
}
diff --git a/secure_fw/partitions/crypto/crypto_cipher.c b/secure_fw/partitions/crypto/crypto_cipher.c
index 6318d0f..670aa48 100644
--- a/secure_fw/partitions/crypto/crypto_cipher.c
+++ b/secure_fw/partitions/crypto/crypto_cipher.c
@@ -355,8 +355,39 @@
psa_outvec out_vec[],
size_t out_len)
{
- /* FixMe: To be implemented */
+#ifdef TFM_CRYPTO_CIPHER_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status = PSA_SUCCESS;
+
+ CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 2, out_len, 1, 1);
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_id_t key_id = iov->key_id;
+ psa_algorithm_t alg = iov->alg;
+ const uint8_t *input = in_vec[1].base;
+ size_t input_length = in_vec[1].len;
+ uint8_t *output = out_vec[0].base;
+ size_t output_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+
+ status = tfm_crypto_check_handle_owner(key_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_cipher_encrypt(encoded_key, alg, input, input_length, output,
+ output_size, &out_vec[0].len);
+#endif /* TFM_CRYPTO_CIPHER_MODULE_DISABLED */
}
psa_status_t tfm_crypto_cipher_decrypt(psa_invec in_vec[],
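Review bot: `CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 2, out_len, 1, 1)` accepts a call with a single input vector, yet `in_vec[1].base` and `in_vec[1].len` are read unconditionally a few lines later. Whether that read stays inside initialised storage depends on the dispatcher always handing the handler a full-sized, zero-filled vector array, which this diff does not show. If a one-element call is meant to stand for empty input, a comment such as `/* in_len may be 1 for empty input; in_vec[1] is then expected to be zeroed by the dispatcher (confirm) */` would record the assumption; otherwise the lower bound should be 2. The same applies to `tfm_crypto_cipher_decrypt` in the next hunk and to `tfm_crypto_mac_compute` and `tfm_crypto_mac_verify` in `crypto_mac.c`, where the verify handler accepts 1 to 3 input vectors and reads both `in_vec[1]` and `in_vec[2]`. The handler's signature starts outside this hunk.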
@@ -364,7 +395,37 @@
psa_outvec out_vec[],
size_t out_len)
{
- /* FixMe: To be implemented */
+#ifdef TFM_CRYPTO_CIPHER_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status = PSA_SUCCESS;
+
+ CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 2, out_len, 1, 1);
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_id_t key_id = iov->key_id;
+ psa_algorithm_t alg = iov->alg;
+ const uint8_t *input = in_vec[1].base;
+ size_t input_length = in_vec[1].len;
+ uint8_t *output = out_vec[0].base;
+ size_t output_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+
+ status = tfm_crypto_check_handle_owner(key_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_cipher_decrypt(encoded_key, alg, input, input_length, output,
+ output_size, &out_vec[0].len);
+#endif /* TFM_CRYPTO_CIPHER_MODULE_DISABLED */
}
/*!@}*/
diff --git a/secure_fw/partitions/crypto/crypto_mac.c b/secure_fw/partitions/crypto/crypto_mac.c
index 1c4beae..011a3ce 100644
--- a/secure_fw/partitions/crypto/crypto_mac.c
+++ b/secure_fw/partitions/crypto/crypto_mac.c
@@ -321,8 +321,38 @@
psa_outvec out_vec[],
size_t out_len)
{
- /* FixMe: To be implemented */
+#ifdef TFM_CRYPTO_MAC_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status = PSA_SUCCESS;
+
+ CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 2, out_len, 1, 1);
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_id_t key_id = iov->key_id;
+ psa_algorithm_t alg = iov->alg;
+ const uint8_t *input = in_vec[1].base;
+ size_t input_length = in_vec[1].len;
+ uint8_t *mac = out_vec[0].base;
+ size_t mac_size = out_vec[0].len;
+ mbedtls_svc_key_id_t encoded_key;
+
+ status = tfm_crypto_check_handle_owner(key_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_mac_compute(encoded_key, alg, input, input_length, mac, mac_size,
+ &out_vec[0].len);
+#endif /* TFM_CRYPTO_MAC_MODULE_DISABLED */
}
psa_status_t tfm_crypto_mac_verify(psa_invec in_vec[],
@@ -330,7 +360,37 @@
psa_outvec out_vec[],
size_t out_len)
{
- /* FixMe: To be implemented */
+#ifdef TFM_CRYPTO_MAC_MODULE_DISABLED
return PSA_ERROR_NOT_SUPPORTED;
+#else
+ psa_status_t status = PSA_SUCCESS;
+
+ CRYPTO_IN_OUT_LEN_VALIDATE(in_len, 1, 3, out_len, 0, 0);
+
+ if (in_vec[0].len != sizeof(struct tfm_crypto_pack_iovec)) {
+ return PSA_ERROR_PROGRAMMER_ERROR;
+ }
+ const struct tfm_crypto_pack_iovec *iov = in_vec[0].base;
+ psa_key_id_t key_id = iov->key_id;
+ psa_algorithm_t alg = iov->alg;
+ const uint8_t *input = in_vec[1].base;
+ size_t input_length = in_vec[1].len;
+ const uint8_t *mac = in_vec[2].base;
+ size_t mac_length = in_vec[2].len;
+ mbedtls_svc_key_id_t encoded_key;
+
+ status = tfm_crypto_check_handle_owner(key_id);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = tfm_crypto_encode_id_and_owner(key_id, &encoded_key);
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ return psa_mac_verify(encoded_key, alg, input, input_length, mac,
+ mac_length);
+#endif /* TFM_CRYPTO_MAC_MODULE_DISABLED */
}
/*!@}*/
diff --git a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
index 0494d96..3dd2366 100644
--- a/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
+++ b/secure_fw/partitions/crypto/tfm_crypto_secure_api.c
@@ -1467,11 +1467,33 @@
size_t mac_size,
size_t *mac_length)
{
+#ifdef TFM_CRYPTO_MAC_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_MAC_COMPUTE_SID,
+ .key_id = key_id,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = mac, .len = mac_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_mac_compute,
+ TFM_CRYPTO_MAC_COMPUTE);
+
+ if (status == PSA_SUCCESS) {
+ *mac_length = out_vec[0].len;
+ }
return status;
+#endif /* TFM_CRYPTO_MAC_MODULE_DISABLED */
}
psa_status_t psa_mac_verify(psa_key_id_t key_id,
@@ -1481,11 +1503,27 @@
const uint8_t *mac,
const size_t mac_length)
{
+#ifdef TFM_CRYPTO_MAC_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_MAC_VERIFY_SID,
+ .key_id = key_id,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ {.base = mac, .len = mac_length},
+ };
+
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_mac_verify,
+ TFM_CRYPTO_MAC_VERIFY);
return status;
+#endif /* TFM_CRYPTO_MAC_MODULE_DISABLED */
}
psa_status_t psa_cipher_encrypt(psa_key_id_t key_id,
@@ -1496,11 +1534,33 @@
size_t output_size,
size_t *output_length)
{
+#ifdef TFM_CRYPTO_CIPHER_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SID,
+ .key_id = key_id,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_cipher_encrypt,
+ TFM_CRYPTO_CIPHER_ENCRYPT);
+
+ if (status == PSA_SUCCESS) {
+ *output_length = out_vec[0].len;
+ }
return status;
+#endif /* TFM_CRYPTO_CIPHER_MODULE_DISABLED */
}
psa_status_t psa_cipher_decrypt(psa_key_id_t key_id,
@@ -1511,11 +1571,33 @@
size_t output_size,
size_t *output_length)
{
+#ifdef TFM_CRYPTO_CIPHER_MODULE_DISABLED
+ return PSA_ERROR_NOT_SUPPORTED;
+#else
psa_status_t status;
+ struct tfm_crypto_pack_iovec iov = {
+ .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SID,
+ .key_id = key_id,
+ .alg = alg,
+ };
- status = PSA_ERROR_NOT_SUPPORTED;
+ psa_invec in_vec[] = {
+ {.base = &iov, .len = sizeof(struct tfm_crypto_pack_iovec)},
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = output, .len = output_size},
+ };
+
+ status = API_DISPATCH(tfm_crypto_cipher_decrypt,
+ TFM_CRYPTO_CIPHER_DECRYPT);
+
+ if (status == PSA_SUCCESS) {
+ *output_length = out_vec[0].len;
+ }
return status;
+#endif /* TFM_CRYPTO_CIPHER_MODULE_DISABLED */
}
psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,