Crypto: Use uniform signatures
This patch amends the Crypto service to use the
Uniform Signatures interfaces supported by TF-M.
Change-Id: Ia1e269075bf94e1d60281da789dd43bb2be3f265
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
diff --git a/docs/user_guides/services/tfm_crypto_integration_guide.md b/docs/user_guides/services/tfm_crypto_integration_guide.md
index fe5077c..d60cd6f 100644
--- a/docs/user_guides/services/tfm_crypto_integration_guide.md
+++ b/docs/user_guides/services/tfm_crypto_integration_guide.md
@@ -46,10 +46,6 @@
implementation). For multipart cipher/hash/MAC operations, a context is
associated to the handle provided during the setup phase, and is explicitly
cleared only following a successful termination or an abort;
- - `crypto_wrappers.c` : This file implements TF-M compatible wrappers in
- case they are needed by the functions exported by other modules;
- - `crypto_utils.c` : This file implements utility functions that can be
- used by other modules of the TF-M Crypto service;
- `crypto_engine.c` : This file implements the layer which the other modules
use to interact with the cryptography primitives available (in SW or HW). The
`TFM_CRYPTO_ENGINE_BUF_SIZE` determines the size in bytes of the static scratch
diff --git a/interface/include/crypto_psa_wrappers.h b/interface/include/crypto_psa_wrappers.h
deleted file mode 100644
index 61c4772..0000000
--- a/interface/include/crypto_psa_wrappers.h
+++ /dev/null
@@ -1,142 +0,0 @@
-/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __CRYPTO_PSA_WRAPPERS_H__
-#define __CRYPTO_PSA_WRAPPERS_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-/*!
- * \struct psa_cipher_update_input
- *
- * \brief Input structure for the tfm_crypto_cipher_update_wrapper function
- *
- */
-struct psa_cipher_update_input {
- const uint8_t *input; /*!< Input data to the cipher */
- size_t input_length; /*!< Size of the input data */
-};
-
-/*!
- * \struct psa_cipher_update_output
- *
- * \brief Output structure for the tfm_crypto_cipher_update_wrapper function
- *
- */
-struct psa_cipher_update_output {
- unsigned char *output; /*!< Buffer to hold the output data from the cipher*/
- size_t output_size; /*!< Size of the output buffer */
- size_t *output_length; /*!< Size of the output data from the cipher */
-};
-
-/*!
- * \brief This function is a TF-M compatible wrapper for the
- * \ref tfm_crypto_cipher_update implemented in the Crypto service
- *
- * \param[out] operation Pointer to a cipher operation context in the backend
- * \param[in] input_s Pointer to the structure containing input parameters
- * associated with \ref psa_cipher_update_input
- * \param[out] output_s Pointer to the structure containing output parameters
- * associated with \ref psa_cipher_update_output
- *
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_update_wrapper(
- psa_cipher_operation_t *operation,
- const struct psa_cipher_update_input *input_s,
- const struct psa_cipher_update_output *output_s);
-
-/*!
- * \struct psa_aead_encrypt_input
- *
- * \brief Input structure for the tfm_crypto_aead_encrypt_wrapper function
- *
- */
-struct psa_aead_encrypt_input {
- psa_key_slot_t key; /*!< Key slot */
- psa_algorithm_t alg; /*!< Algorithm type */
- const uint8_t *nonce; /*!< Nonce or IV to be used */
- size_t nonce_length; /*!< Size in bytes of the nonce buffer */
- const uint8_t *additional_data; /*!< Additional data to be authenticated */
- size_t additional_data_length; /*!< Size in bytes of additional_data */
- const uint8_t *plaintext; /*!< Buffer holding data for encryption */
- size_t plaintext_length; /*!< Size in bytes of plaintext */
-};
-
-/*!
- * \struct psa_aead_encrypt_output
- *
- * \brief Output structure for the tfm_crypto_aead_encrypt_wrapper function
- *
- */
-struct psa_aead_encrypt_output {
- uint8_t *ciphertext; /*!< Pointer for the buffer to hold ciphertext */
- size_t ciphertext_size; /*!< Size in bytes of the ciphertext buffer */
- size_t *ciphertext_length; /*!< Actual size in bytes of ciphertext */
-};
-
-/*!
- * \struct psa_aead_decrypt_input
- *
- * \brief Input structure for the tfm_crypto_aead_decrypt_wrapper function
- *
- */
-struct psa_aead_decrypt_input {
- psa_key_slot_t key; /*!< Key slot */
- psa_algorithm_t alg; /*!< Algorithm type */
- const uint8_t *nonce; /*!< Nonce or IV to be used */
- size_t nonce_length; /*!< Size in bytes of the nonce buffer */
- const uint8_t *additional_data; /*!< Original data that was authenticated */
- size_t additional_data_length; /*!< Size in bytes of additional_data */
- const uint8_t *ciphertext; /*!< Buffer holding data for decryption */
- size_t ciphertext_length; /*!< Size in bytes of ciphertext */
-};
-
-/*!
- * \struct psa_aead_decrypt_output
- *
- * \brief Output structure for the tfm_crypto_aead_decrypt_wrapper function
- *
- */
-struct psa_aead_decrypt_output {
- uint8_t *plaintext; /*!< Pointer for the buffer to hold plaintext */
- size_t plaintext_size; /*!< Size in bytes of the plaintext buffer */
- size_t *plaintext_length; /*!< Actual size in bytes of plaintext */
-};
-
-/*!
- * \brief This function is a TF-M compatible wrapper for the
- * \ref tfm_crypto_aead_encrypt implemented in the Crypto service
- *
- * \param[in] input_s Pointer to the structure containing input parameters
- * associated with \ref psa_aead_encrypt_input
- * \param[out] output_s Pointer to the structure containing output parameters
- * associated with \ref psa_aead_encrypt_output
- *
- */
-enum tfm_crypto_err_t tfm_crypto_aead_encrypt_wrapper(
- const struct psa_aead_encrypt_input *input_s,
- const struct psa_aead_encrypt_output *output_s);
-/*!
- * \brief This function is a TF-M compatible wrapper for the
- * \ref tfm_crypto_aead_decrypt implemented in the Crypto service
- *
- * \param[in] input_s Pointer to the structure containing input parameters
- * associated with \ref psa_aead_decrypt_input
- * \param[out] output_s Pointer to the structure containing output parameters
- * associated with \ref psa_aead_decrypt_output
- *
- */
-enum tfm_crypto_err_t tfm_crypto_aead_decrypt_wrapper(
- const struct psa_aead_decrypt_input *input_s,
- const struct psa_aead_decrypt_output *output_s);
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __CRYPTO_PSA_WRAPPERS_H__ */
diff --git a/interface/include/tfm_crypto_defs.h b/interface/include/tfm_crypto_defs.h
index 4573811..02e9770 100644
--- a/interface/include/tfm_crypto_defs.h
+++ b/interface/include/tfm_crypto_defs.h
@@ -15,11 +15,7 @@
#include <stdint.h>
#include <limits.h>
#include "tfm_api.h"
-
-/* The return value is shared with the TFM service status value. The Crypto
- * return codes shouldn't overlap with predefined TFM status values.
- */
-#define TFM_CRYPTO_ERR_PSA_ERROR_OFFSET (TFM_PARTITION_SPECIFIC_ERROR_MIN)
+#include "psa_crypto.h"
/**
* \brief This value is used to mark an handle as invalid.
@@ -28,7 +24,7 @@
#define TFM_CRYPTO_INVALID_HANDLE (0xFFFFFFFF)
/**
- * \brief Define miscellaneous literal constants that are used in the module
+ * \brief Define miscellaneous literal constants that are used in the service
*
*/
enum {
@@ -37,57 +33,18 @@
};
/**
- * \brief Possible return values from the TFM Crypto service. They must
- * provide corresponding return values for psa_status_t possible
- * values as specified in psa_crypto.h
+ * \brief This type is used to overcome a limitation in the number of maximum
+ * IOVECs that can be used especially in psa_aead_encrypt and
+ * psa_aead_decrypt. To be removed in case the AEAD APIs number of
+ * parameters passed gets restructured
*/
-enum tfm_crypto_err_t {
- TFM_CRYPTO_ERR_PSA_SUCCESS = 0,
- TFM_CRYPTO_ERR_PSA_ERROR_UNKNOWN_ERROR = TFM_CRYPTO_ERR_PSA_ERROR_OFFSET,
- TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED,
- TFM_CRYPTO_ERR_PSA_ERROR_NOT_PERMITTED,
- TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL,
- TFM_CRYPTO_ERR_PSA_ERROR_OCCUPIED_SLOT,
- TFM_CRYPTO_ERR_PSA_ERROR_EMPTY_SLOT,
- TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE,
- TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT,
- TFM_CRYPTO_ERR_PSA_ERROR_INSUFFICIENT_MEMORY,
- TFM_CRYPTO_ERR_PSA_ERROR_INSUFFICIENT_STORAGE,
- TFM_CRYPTO_ERR_PSA_ERROR_COMMUNICATION_FAILURE,
- TFM_CRYPTO_ERR_PSA_ERROR_STORAGE_FAILURE,
- TFM_CRYPTO_ERR_PSA_ERROR_HARDWARE_FAILURE,
- TFM_CRYPTO_ERR_PSA_ERROR_TAMPERING_DETECTED,
- TFM_CRYPTO_ERR_PSA_ERROR_INSUFFICIENT_ENTROPY,
- TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE,
- TFM_CRYPTO_ERR_PSA_ERROR_INVALID_PADDING,
-
- /* Add an invalid return code which forces the size of the type as well */
- TFM_CRYPTO_ERR_INVALID = INT_MAX
+#define TFM_CRYPTO_MAX_NONCE_LENGTH (16u)
+struct tfm_crypto_aead_pack_input {
+ psa_key_slot_t key;
+ psa_algorithm_t alg;
+ uint8_t nonce[TFM_CRYPTO_MAX_NONCE_LENGTH];
};
-/**
- * \brief A macro to translate TFM Crypto service return values to the
- * corresponding psa_status_t value. The user of this macro needs
- * to cast the produced value to psa_status_t explicitly if needed
- *
- * \return Values specified by \ref psa_status_t
- */
-#define TFM_CRYPTO_ERR_TO_PSA_STATUS(val) \
- ( (val == TFM_CRYPTO_ERR_PSA_SUCCESS) ? val : \
- ((val >= (enum tfm_crypto_err_t)TFM_CRYPTO_ERR_PSA_ERROR_OFFSET) ? \
- (val - ((enum tfm_crypto_err_t)TFM_CRYPTO_ERR_PSA_ERROR_OFFSET-1)) : \
- TFM_CRYPTO_ERR_INVALID) )
-/**
- * \brief A macro to translate psa_status_t values to the corresponding return
- * values for the TFM Crypto service
- *
- * \return Values specified by \ref tfm_crypto_err_t
- *
- */
-#define PSA_STATUS_TO_TFM_CRYPTO_ERR(val) \
- ( (val == PSA_SUCCESS) ? (enum tfm_crypto_err_t)val : \
- (enum tfm_crypto_err_t)(val + TFM_CRYPTO_ERR_PSA_ERROR_OFFSET-1) )
-
#ifdef __cplusplus
}
#endif
diff --git a/interface/include/tfm_crypto_veneers.h b/interface/include/tfm_crypto_veneers.h
deleted file mode 100644
index 82654ef..0000000
--- a/interface/include/tfm_crypto_veneers.h
+++ /dev/null
@@ -1,476 +0,0 @@
-/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __TFM_CRYPTO_VENEERS_H__
-#define __TFM_CRYPTO_VENEERS_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "tfm_crypto_defs.h"
-
-#include "psa_crypto.h"
-
-#include "crypto_psa_wrappers.h"
-
-/**
- * \brief Import the key data in the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[in] type Key type
- * \param[in] data Key data to import
- * \param[in] data_length Length in bytes of the data field
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_import_key(psa_key_slot_t key,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length);
-/**
- * \brief Destroy the key in the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_destroy_key(psa_key_slot_t key);
-
-/**
- * \brief Retrieve key information for the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[out] type Key type associated to the key slot requested
- * \param[out] bits Length in bits of the key in the requested slot
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_get_key_information(
- psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits);
-/**
- * \brief Export the key contained in the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[out] data Buffer to hold the exported key
- * \param[in] data_size Length of the buffer pointed to by data
- * \param[out] data_length Length of the exported key
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_export_key(psa_key_slot_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-
-/**
- * \brief Initialise the key policy to a default that forbids any use of the
- * key (veneer function)
- *
- * \param[out] policy Key policy to initialise
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_init(
- psa_key_policy_t *policy);
-
-/**
- * \brief Set the permitted usage and algorithm for the provided key policy
- * (veneer function)
- *
- * \param[out] policy Key policy to modify
- * \param[in] usage Permitted usage
- * \param[in] alg Permitted algorithm
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_set_usage(
- psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg);
-
-/**
- * \brief Get the permitted usage for the provided key policy (veneer function)
- *
- * \param[in] policy Key policy
- * \param[out] usage Permitted usage for this key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_get_usage(
- const psa_key_policy_t *policy,
- psa_key_usage_t *usage);
-
-/**
- * \brief Get the permitted algorithm for the provided key policy
- * (veneer function)
- *
- * \param[in] policy Key policy
- * \param[out] alg Permitted algorithm for this key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_get_algorithm(
- const psa_key_policy_t *policy,
- psa_algorithm_t *alg);
-
-/**
- * \brief Set the key policy for the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[in] policy Key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_set_key_policy(
- psa_key_slot_t key,
- const psa_key_policy_t *policy);
-
-/**
- * \brief Get the key policy for the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[out] policy Key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_get_key_policy(
- psa_key_slot_t key,
- psa_key_policy_t *policy);
-
-/**
- * \brief Set the lifetime for the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[in] lifetime Lifetime value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_set_key_lifetime(
- psa_key_slot_t key,
- psa_key_lifetime_t lifetime);
-
-/**
- * \brief Get the lifetime for the provided key slot (veneer function)
- *
- * \param[in] key Key slot
- * \param[out] lifetime Lifetime value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_get_key_lifetime(
- psa_key_slot_t key,
- psa_key_lifetime_t *lifetime);
-
-/**
- * \brief Set the initialisation vector on the provided cipher operation (veneer
- * function)
- *
- * \param[in] operation Cipher operation context
- * \param[in] iv Buffer that contains the IV
- * \param[in] iv_length Length of the provided IV
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_set_iv(
- psa_cipher_operation_t *operation,
- const unsigned char *iv,
- size_t iv_length);
-/**
- * \brief Set the cipher operation using the provided algorithm and key slot,
- * for encryption context (veneer function)
- *
- * \note A successful call to this function initialises a cipher operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation Cipher operation context
- * \param[in] key Key slot to bind to the cipher context
- * \param[in] alg Algorithm to use for the cipher operation
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_encrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Set the cipher operation using the provided algorithm and key slot,
- * for decryption context (veneer function)
- *
- * \note A successful call to this function initialises a cipher operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation Cipher operation context
- * \param[in] key Key slot to bind to the cipher context
- * \param[in] alg Algorithm to use for the cipher operation
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_decrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Update the cipher context with a chunk of input data to create a
- * chunk of encrypted output data (for encryption contexts), or to
- * decrypt a chunk of encrypted input data to obtain decrypted data
- * (for decryption contexts) (veneer function)
- *
- * \param[in] operation Cipher operation context
- * \param[in] input_s Pointer to the struct containing input parameters
- * \param[out] output_s Pointer to the struct containing output parameters
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_update(
- psa_cipher_operation_t *operation,
- struct psa_cipher_update_input *input_s,
- struct psa_cipher_update_output *output_s);
-/**
- * \brief Finalise a cipher context flushing out any remaining block of
- * output data (veneer function)
- *
- * \note A successful call to this function releases the cipher operation
- * context provided as parameter
- *
- * \param[in,out] operation Cipher operation context
- * \param[out] output Buffer containing output data
- * \param[in] output_size Size of the output buffer
- * \param[out] output_length Size of the produced output
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_finish(
- psa_cipher_operation_t *operation,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-/**
- * \brief Abort a cipher operation, clear the operation context provided
- * (veneer function)
- *
- * \note A successful call to this function releases the cipher operation
- * context provided as parameter
- *
- * \param[in,out] operation Cipher operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_cipher_abort(
- psa_cipher_operation_t *operation);
-/**
- * \brief Setup a hash operation with the provided algorithm (veneer function)
- *
- * \note A successful call to this function initialises a hash operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation Hash operation context
- * \param[in] alg Algorithm chosen as hash
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_setup(
- psa_hash_operation_t *operation,
- psa_algorithm_t alg);
-/**
- * \brief Add a new input chunk to the data for which the final hash value
- * will be computed (veneer function)
- *
- * \param[in,out] operation Hash operation context
- * \param[in] input Buffer containing the input data
- * \param[in] input_length Size of the provided input data
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_update(
- psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-/**
- * \brief Finalise a hash context operation producing the final hash value
- * (veneer function)
- *
- * \note A successful call to this function releases the hash operation
- * context provided as parameter
- *
- * \param[in,out] operation Hash operation context
- * \param[out] hash Buffer containing hash data
- * \param[in] hash_size Size of the hash buffer
- * \param[out] hash_length Size of the produced hash
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_finish(
- psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length);
-/**
- * \brief Finalise a hash context operation, verifying that the final hash
- * value matches the one provided as input (veneer function)
- *
- * \note A successful call to this function releases the hash operation
- * context provided as parameter. The hash operation is released
- * also in case TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE is returned
- *
- * \param[in,out] operation Hash operation context
- * \param[in] hash Buffer containing the provided hash value
- * \param[in] hash_length Size of the provided hash value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_verify(
- psa_hash_operation_t *operation,
- const uint8_t *hash,
- size_t hash_length);
-/**
- * \brief Abort a hash operation, clears the operation context provided
- * (veneer function)
- *
- * \note A successful call to this function releases the hash operation
- * context provided as parameter
- *
- * \param[in,out] operation Hash operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_hash_abort(
- psa_hash_operation_t *operation);
-/**
- * \brief Start a MAC operation with the provided algorithm (for signing)
- * (veneer function)
- *
- * \note A successful call to this function initialises a MAC operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation MAC operation context
- * \param[in] key Key slot to bind to the MAC context
- * \param[in] alg Algorithm chosen as MAC
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_sign_setup(
- psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Start a MAC operation with the provided algorithm (for verifying)
- * (veneer function)
- *
- * \note A successful call to this function initialises a MAC operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation MAC operation context
- * \param[in] key Key slot to bind to the MAC context
- * \param[in] alg Algorithm chosen as MAC
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_verify_setup(
- psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Adds a new input chunk to the data for which the final MAC value
- * will be computed (veneer function)
- *
- * \param[in,out] operation MAC operation context
- * \param[in] input Buffer containing the input data
- * \param[in] input_length Size of the provided input data
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_update(
- psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-
-/**
- * \brief Finalises a MAC context operation producing the final MAC value
- * (veneer function)
- *
- * \note A successful call to this function releases the MAC operation
- * context provided as parameter
- *
- * \param[in,out] operation MAC operation context
- * \param[out] mac Buffer containing MAC data
- * \param[in] mac_size Size of the MAC buffer
- * \param[out] mac_length Size of the produced MAC
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_sign_finish(
- psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length);
-/**
- * \brief Finalise a MAC context operation, verifying that the final MAC value
- * matches the one provided as input (veneer function)
- *
- * \note A successful call to this function releases the MAC operation
- * context provided as parameter. The MAC operation is released
- * also in case TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE is returned
- *
- * \param[in,out] operation MAC operation context
- * \param[in] mac Buffer containing the provided MAC value
- * \param[in] mac_length Size of the provided MAC value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_verify_finish(
- psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length);
-/**
- * \brief Abort a MAC operation, clear the operation context provided
- * (veneer function)
- *
- * \note A successful call to this function releases the MAC operation
- * context provided as parameter
- *
- * \param[in,out] operation MAC operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_mac_abort(
- psa_mac_operation_t *operation);
-/**
- * \brief Perform an AEAD encryption operation on input data with additional
- * data to be authenticated, producing ciphertext in output with an
- * appended authentication tag (veneer function)
- *
- * \param[in] input_s Pointer to the struct containing input parameters
- * \param[out] output_s Pointer to the struct containing output parameters
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_aead_encrypt(
- struct psa_aead_encrypt_input *input_s,
- struct psa_aead_encrypt_output *output_s);
-/**
- * \brief Perform an AEAD decryption operation on input data with additional
- * data to be verified, producing back the original plain text in case
- * the verification of the authentication tag is successful (veneer
- * function)
- *
- * \param[in] input_s Pointer to the struct containing input parameters
- * \param[out] output_s Pointer to the struct containing output parameters
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_veneer_aead_decrypt(
- struct psa_aead_decrypt_input *input_s,
- struct psa_aead_decrypt_output *output_s);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __TFM_CRYPTO_VENEERS_H__ */
diff --git a/interface/include/tfm_veneers.h b/interface/include/tfm_veneers.h
index 69b0a76..b042fcf 100644
--- a/interface/include/tfm_veneers.h
+++ b/interface/include/tfm_veneers.h
@@ -46,7 +46,7 @@
psa_status_t tfm_tfm_crypto_cipher_set_iv_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_cipher_encrypt_setup_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_cipher_decrypt_setup_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
-psa_status_t tfm_tfm_crypto_cipher_update_wrapper_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
+psa_status_t tfm_tfm_crypto_cipher_update_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_cipher_abort_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_cipher_finish_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_hash_setup_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
@@ -60,8 +60,8 @@
psa_status_t tfm_tfm_crypto_mac_sign_finish_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_mac_verify_finish_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
psa_status_t tfm_tfm_crypto_mac_abort_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
-psa_status_t tfm_tfm_crypto_aead_decrypt_wrapper_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
-psa_status_t tfm_tfm_crypto_aead_encrypt_wrapper_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
+psa_status_t tfm_tfm_crypto_aead_decrypt_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
+psa_status_t tfm_tfm_crypto_aead_encrypt_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
/******** TFM_SP_PLATFORM ********/
psa_status_t tfm_platform_sp_system_reset_veneer(psa_invec *in_vec, size_t in_len, psa_outvec *out_vec, size_t out_len);
diff --git a/interface/src/tfm_crypto_api.c b/interface/src/tfm_crypto_api.c
index 1ee71d8..3b70d49 100644
--- a/interface/src/tfm_crypto_api.c
+++ b/interface/src/tfm_crypto_api.c
@@ -5,10 +5,29 @@
*
*/
-#include "tfm_crypto_veneers.h"
+#include "tfm_veneers.h"
+#include "tfm_crypto_defs.h"
#include "psa_crypto.h"
#include "tfm_ns_lock.h"
-#include "crypto_psa_wrappers.h"
+
+#define NS_LOCK_DISPATCH(sfn_name) \
+ tfm_ns_lock_dispatch((veneer_fn)tfm_##sfn_name##_veneer, \
+ (uint32_t)in_vec, sizeof(in_vec)/sizeof(in_vec[0]), \
+ (uint32_t)out_vec, sizeof(out_vec)/sizeof(out_vec[0]))
+
+#define NS_LOCK_DISPATCH_NO_INVEC(sfn_name) \
+ tfm_ns_lock_dispatch((veneer_fn)tfm_##sfn_name##_veneer, \
+ (uint32_t)NULL, 0, \
+ (uint32_t)out_vec, sizeof(out_vec)/sizeof(out_vec[0]))
+
+#define NS_LOCK_DISPATCH_NO_OUTVEC(sfn_name) \
+ tfm_ns_lock_dispatch((veneer_fn)tfm_##sfn_name##_veneer, \
+ (uint32_t)in_vec, sizeof(in_vec)/sizeof(in_vec[0]), \
+ (uint32_t)NULL, 0)
+
+#define API_DISPATCH(sfn_name) NS_LOCK_DISPATCH(sfn_name)
+#define API_DISPATCH_NO_INVEC(sfn_name) NS_LOCK_DISPATCH_NO_INVEC(sfn_name)
+#define API_DISPATCH_NO_OUTVEC(sfn_name) NS_LOCK_DISPATCH_NO_OUTVEC(sfn_name)
psa_status_t psa_crypto_init(void)
{
@@ -23,43 +42,46 @@
const uint8_t *data,
size_t data_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &type, .len = sizeof(psa_key_type_t)},
+ {.base = data, .len = data_length}
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_import_key,
- (uint32_t)key,
- (uint32_t)type,
- (uint32_t)data,
- (uint32_t)data_length);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_import_key);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_destroy_key(psa_key_slot_t key)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_destroy_key,
- (uint32_t)key,
- 0,
- 0,
- 0);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_destroy_key);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_get_key_information(psa_key_slot_t key,
psa_key_type_t *type,
size_t *bits)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = type, .len = sizeof(psa_key_type_t)},
+ {.base = bits, .len = sizeof(size_t)}
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_get_key_information,
- (uint32_t)key,
- (uint32_t)type,
- (uint32_t)bits,
- 0);
+ status = API_DISPATCH(tfm_crypto_get_key_information);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_export_key(psa_key_slot_t key,
@@ -67,15 +89,19 @@
size_t data_size,
size_t *data_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = data, .len = data_size}
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_export_key,
- (uint32_t)key,
- (uint32_t)data,
- (uint32_t)data_size,
- (uint32_t)data_length);
+ status = API_DISPATCH(tfm_crypto_export_key);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *data_length = out_vec[0].len;
+
+ return status;
}
psa_status_t psa_export_public_key(psa_key_slot_t key,
@@ -94,29 +120,35 @@
void psa_key_policy_init(psa_key_policy_t *policy)
{
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+
/* PSA API returns void so just ignore error value returned */
- (void)tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_key_policy_init,
- (uint32_t)policy,
- 0,
- 0,
- 0);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_key_policy_init);
}
void psa_key_policy_set_usage(psa_key_policy_t *policy,
psa_key_usage_t usage,
psa_algorithm_t alg)
{
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &usage, .len = sizeof(psa_key_usage_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)}
+ };
+ psa_outvec out_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+
/* PSA API returns void so just ignore error value returned */
- (void)tfm_ns_lock_dispatch(
- (veneer_fn)tfm_crypto_veneer_key_policy_set_usage,
- (uint32_t)policy,
- (uint32_t)usage,
- (uint32_t)alg,
- 0);
+ status = API_DISPATCH(tfm_crypto_key_policy_set_usage);
}
psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy)
{
+ psa_status_t status;
psa_key_usage_t usage;
/* Initialise to a sensible default to avoid returning an uninitialised
@@ -124,19 +156,22 @@
*/
usage = 0;
+ psa_invec in_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = &usage, .len = sizeof(psa_key_usage_t)},
+ };
+
/* The PSA API does not return an error, so ignore any error from TF-M */
- (void)tfm_ns_lock_dispatch(
- (veneer_fn)tfm_crypto_veneer_key_policy_get_usage,
- (uint32_t)policy,
- (uint32_t)&usage,
- 0,
- 0);
+ status = API_DISPATCH(tfm_crypto_key_policy_get_usage);
return usage;
}
psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy)
{
+ psa_status_t status;
psa_algorithm_t alg;
/* Initialise to a sensible default to avoid returning an uninitialised
@@ -144,13 +179,15 @@
*/
alg = 0;
+ psa_invec in_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+
/* The PSA API does not return an error, so ignore any error from TF-M */
- (void)tfm_ns_lock_dispatch(
- (veneer_fn)tfm_crypto_veneer_key_policy_get_algorithm,
- (uint32_t)policy,
- (uint32_t)&alg,
- 0,
- 0);
+ status = API_DISPATCH(tfm_crypto_key_policy_get_algorithm);
return alg;
}
@@ -158,104 +195,114 @@
psa_status_t psa_set_key_policy(psa_key_slot_t key,
const psa_key_policy_t *policy)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_set_key_policy,
- (uint32_t)key,
- (uint32_t)policy,
- 0,
- 0);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_set_key_policy);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_get_key_policy(psa_key_slot_t key,
psa_key_policy_t *policy)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_get_key_policy,
- (uint32_t)key,
- (uint32_t)policy,
- 0,
- 0);
+ status = API_DISPATCH(tfm_crypto_get_key_policy);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_set_key_lifetime(psa_key_slot_t key,
psa_key_lifetime_t lifetime)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &lifetime, .len = sizeof(psa_key_lifetime_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_set_key_lifetime,
- (uint32_t)key,
- (uint32_t)lifetime,
- 0,
- 0);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_set_key_lifetime);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_get_key_lifetime(psa_key_slot_t key,
psa_key_lifetime_t *lifetime)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = lifetime, .len = sizeof(psa_key_lifetime_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_get_key_lifetime,
- (uint32_t)key,
- (uint32_t)lifetime,
- 0,
- 0);
+ status = API_DISPATCH(tfm_crypto_get_key_lifetime);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
const unsigned char *iv,
size_t iv_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = iv, .len = iv_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_cipher_set_iv,
- (uint32_t)operation,
- (uint32_t)iv,
- (uint32_t)iv_length,
- 0);
+ status = API_DISPATCH(tfm_crypto_cipher_set_iv);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_ns_lock_dispatch(
- (veneer_fn)tfm_crypto_veneer_cipher_encrypt_setup,
- (uint32_t)operation,
- (uint32_t)key,
- (uint32_t)alg,
- 0);
+ status = API_DISPATCH(tfm_crypto_cipher_encrypt_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_ns_lock_dispatch(
- (veneer_fn)tfm_crypto_veneer_cipher_decrypt_setup,
- (uint32_t)operation,
- (uint32_t)key,
- (uint32_t)alg,
- 0);
+ status = API_DISPATCH(tfm_crypto_cipher_decrypt_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
@@ -265,38 +312,32 @@
size_t output_size,
size_t *output_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ {.base = output, .len = output_size}
+ };
- /* Packing in structures is needed to overcome the 4 parameters
- * per call limit
- */
- struct psa_cipher_update_input input_s = {.input = input,
- .input_length = input_length};
- struct psa_cipher_update_output output_s = {.output = output,
- .output_size = output_size,
- .output_length =
- output_length};
+ status = API_DISPATCH(tfm_crypto_cipher_update);
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_cipher_update,
- (uint32_t)operation,
- (uint32_t)&input_s,
- (uint32_t)&output_s,
- 0);
+ *output_length = out_vec[1].len;
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_cipher_abort,
- (uint32_t)operation,
- 0,
- 0,
- 0);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_cipher_abort);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
@@ -304,44 +345,50 @@
size_t output_size,
size_t *output_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ {.base = output, .len = output_size},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_cipher_finish,
- (uint32_t)operation,
- (uint32_t)output,
- (uint32_t)output_size,
- (uint32_t)output_length);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_cipher_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *output_length = out_vec[1].len;
+
+ return status;
}
psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_hash_setup,
- (uint32_t)operation,
- (uint32_t)alg,
- 0,
- 0);
+ status = API_DISPATCH(tfm_crypto_hash_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_hash_update(psa_hash_operation_t *operation,
const uint8_t *input,
size_t input_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_hash_update,
- (uint32_t)operation,
- (uint32_t)input,
- (uint32_t)input_length,
- 0);
+ status = API_DISPATCH(tfm_crypto_hash_update);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_hash_finish(psa_hash_operation_t *operation,
@@ -349,88 +396,99 @@
size_t hash_size,
size_t *hash_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ {.base = hash, .len = hash_size},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_hash_finish,
- (uint32_t)operation,
- (uint32_t)hash,
- (uint32_t)hash_size,
- (uint32_t)hash_length);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_hash_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *hash_length = out_vec[1].len;
+
+ return status;
}
psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
const uint8_t *hash,
size_t hash_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = hash, .len = hash_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_hash_verify,
- (uint32_t)operation,
- (uint32_t)hash,
- (uint32_t)hash_length,
- 0);
+ status = API_DISPATCH(tfm_crypto_hash_verify);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_hash_abort,
- (uint32_t)operation,
- 0,
- 0,
- 0);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_hash_abort);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)}
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_mac_sign_setup,
- (uint32_t)operation,
- (uint32_t)key,
- (uint32_t)alg,
- 0);
+ status = API_DISPATCH(tfm_crypto_mac_sign_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)}
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_mac_verify_setup,
- (uint32_t)operation,
- (uint32_t)key,
- (uint32_t)alg,
- 0);
+ status = API_DISPATCH(tfm_crypto_mac_verify_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_mac_update(psa_mac_operation_t *operation,
const uint8_t *input,
size_t input_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_mac_update,
- (uint32_t)operation,
- (uint32_t)input,
- (uint32_t)input_length,
- 0);
+ status = API_DISPATCH(tfm_crypto_mac_update);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_mac_sign_finish(psa_mac_operation_t *operation,
@@ -438,43 +496,46 @@
size_t mac_size,
size_t *mac_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ {.base = mac, .len = mac_size},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_mac_sign_finish,
- (uint32_t)operation,
- (uint32_t)mac,
- (uint32_t)mac_size,
- (uint32_t)mac_length);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_mac_sign_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *mac_length = out_vec[1].len;
+
+ return status;
}
psa_status_t psa_mac_verify_finish(psa_mac_operation_t *operation,
const uint8_t *mac,
size_t mac_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = mac, .len = mac_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_mac_verify_finish,
- (uint32_t)operation,
- (uint32_t)mac,
- (uint32_t)mac_length,
- 0);
+ status = API_DISPATCH(tfm_crypto_mac_verify_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_mac_abort,
- (uint32_t)operation,
- 0,
- 0,
- 0);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_mac_abort);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
psa_status_t psa_aead_encrypt(psa_key_slot_t key,
@@ -489,34 +550,38 @@
size_t ciphertext_size,
size_t *ciphertext_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ struct tfm_crypto_aead_pack_input input_s = {
+ .key = key,
+ .alg = alg,
+ .nonce = {0},
+ };
+ size_t idx = 0;
+ psa_invec in_vec[] = {
+ {.base = &input_s, .len = nonce_length + sizeof(psa_key_slot_t)
+ + sizeof(psa_algorithm_t)},
+ {.base = additional_data, .len = additional_data_length},
+ {.base = plaintext, .len = plaintext_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = ciphertext, .len = ciphertext_size},
+ };
- /* Packing in structures is needed to overcome the 4 parameters
- * per call limit
- */
- struct psa_aead_encrypt_input input_s = {.key = key,
- .alg = alg,
- .nonce = nonce,
- .nonce_length = nonce_length,
- .additional_data = additional_data,
- .additional_data_length =
- additional_data_length,
- .plaintext = plaintext,
- .plaintext_length =
- plaintext_length};
- struct psa_aead_encrypt_output output_s = {.ciphertext = ciphertext,
- .ciphertext_size =
- ciphertext_size,
- .ciphertext_length =
- ciphertext_length};
+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_aead_encrypt,
- (uint32_t)&input_s,
- (uint32_t)&output_s,
- 0,
- 0);
+ if (nonce != NULL) {
+ for (idx = 0; idx < nonce_length; idx++) {
+ input_s.nonce[idx] = nonce[idx];
+ }
+ }
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ status = API_DISPATCH(tfm_crypto_aead_encrypt);
+
+ *ciphertext_length = out_vec[0].len;
+
+ return status;
}
psa_status_t psa_aead_decrypt(psa_key_slot_t key,
@@ -531,31 +596,36 @@
size_t plaintext_size,
size_t *plaintext_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ struct tfm_crypto_aead_pack_input input_s = {
+ .key = key,
+ .alg = alg,
+ .nonce = {0},
+ };
+ size_t idx = 0;
+ psa_invec in_vec[] = {
+ {.base = &input_s, .len = nonce_length + sizeof(psa_key_slot_t)
+ + sizeof(psa_algorithm_t)},
+ {.base = additional_data, .len = additional_data_length},
+ {.base = ciphertext, .len = ciphertext_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = plaintext, .len = plaintext_size},
+ };
- /* Packing in structures is needed to overcome the 4 parameters
- * per call limit
- */
- struct psa_aead_decrypt_input input_s = {.key = key,
- .alg = alg,
- .nonce = nonce,
- .nonce_length = nonce_length,
- .additional_data = additional_data,
- .additional_data_length =
- additional_data_length,
- .ciphertext = ciphertext,
- .ciphertext_length =
- ciphertext_length};
- struct psa_aead_decrypt_output output_s = {.plaintext = plaintext,
- .plaintext_size = plaintext_size,
- .plaintext_length =
- plaintext_length};
+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
- err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_aead_decrypt,
- (uint32_t)&input_s,
- (uint32_t)&output_s,
- 0,
- 0);
+ if (nonce != NULL) {
+ for (idx = 0; idx < nonce_length; idx++) {
+ input_s.nonce[idx] = nonce[idx];
+ }
+ }
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ status = API_DISPATCH(tfm_crypto_aead_decrypt);
+
+ *plaintext_length = out_vec[0].len;
+
+ return status;
}
diff --git a/secure_fw/ns_callable/CMakeLists.inc b/secure_fw/ns_callable/CMakeLists.inc
index e9e2c18..5bf98da 100644
--- a/secure_fw/ns_callable/CMakeLists.inc
+++ b/secure_fw/ns_callable/CMakeLists.inc
@@ -25,7 +25,6 @@
set (SS_NS_CALLABLE_C_SRC "${CMAKE_CURRENT_LIST_DIR}/tfm_veneers.c"
"${CMAKE_CURRENT_LIST_DIR}/tfm_audit_veneers.c"
- "${CMAKE_CURRENT_LIST_DIR}/tfm_crypto_veneers.c"
"${CMAKE_CURRENT_LIST_DIR}/tfm_platform_veneers.c")
#Append all our source files to global lists.
diff --git a/secure_fw/ns_callable/tfm_veneers.c b/secure_fw/ns_callable/tfm_veneers.c
index ba432c8..3024c6e 100644
--- a/secure_fw/ns_callable/tfm_veneers.c
+++ b/secure_fw/ns_callable/tfm_veneers.c
@@ -40,7 +40,7 @@
psa_status_t tfm_crypto_cipher_set_iv(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_cipher_update_wrapper(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_cipher_update(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_abort(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_cipher_finish(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_hash_setup(psa_invec *, size_t, psa_outvec *, size_t);
@@ -54,8 +54,8 @@
psa_status_t tfm_crypto_mac_sign_finish(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_verify_finish(psa_invec *, size_t, psa_outvec *, size_t);
psa_status_t tfm_crypto_mac_abort(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_aead_decrypt_wrapper(psa_invec *, size_t, psa_outvec *, size_t);
-psa_status_t tfm_crypto_aead_encrypt_wrapper(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_decrypt(psa_invec *, size_t, psa_outvec *, size_t);
+psa_status_t tfm_crypto_aead_encrypt(psa_invec *, size_t, psa_outvec *, size_t);
/******** TFM_SP_PLATFORM ********/
psa_status_t platform_sp_system_reset(psa_invec *, size_t, psa_outvec *, size_t);
@@ -136,7 +136,7 @@
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_set_iv)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_encrypt_setup)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_decrypt_setup)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_update_wrapper)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_update)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_abort)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_cipher_finish)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_hash_setup)
@@ -150,8 +150,8 @@
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_sign_finish)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_verify_finish)
TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_mac_abort)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_decrypt_wrapper)
-TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_encrypt_wrapper)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_decrypt)
+TFM_VENEER_FUNCTION(TFM_SP_CRYPTO, tfm_crypto_aead_encrypt)
/******** TFM_SP_PLATFORM ********/
TFM_VENEER_FUNCTION(TFM_SP_PLATFORM, platform_sp_system_reset)
diff --git a/secure_fw/services/crypto/CMakeLists.inc b/secure_fw/services/crypto/CMakeLists.inc
index c4b02cc..dc70627 100644
--- a/secure_fw/services/crypto/CMakeLists.inc
+++ b/secure_fw/services/crypto/CMakeLists.inc
@@ -47,8 +47,6 @@
"${CRYPTO_DIR}/crypto_hash.c"
"${CRYPTO_DIR}/crypto_mac.c"
"${CRYPTO_DIR}/crypto_key.c"
- "${CRYPTO_DIR}/crypto_wrappers.c"
- "${CRYPTO_DIR}/crypto_utils.c"
"${CRYPTO_DIR}/crypto_engine.c"
"${CRYPTO_DIR}/crypto_aead.c"
"${CRYPTO_DIR}/tfm_crypto_secure_api.c"
diff --git a/secure_fw/services/crypto/crypto_aead.c b/secure_fw/services/crypto/crypto_aead.c
index 1698fd0..7978d7f 100644
--- a/secure_fw/services/crypto/crypto_aead.c
+++ b/secure_fw/services/crypto/crypto_aead.c
@@ -14,7 +14,6 @@
#include "psa_crypto.h"
#include "tfm_crypto_api.h"
-#include "crypto_utils.h"
/**
* \def CRYPTO_AEAD_MAX_KEY_LENGTH
@@ -26,108 +25,102 @@
#define CRYPTO_AEAD_MAX_KEY_LENGTH (32)
#endif
+static psa_status_t _psa_get_key_information(psa_key_slot_t key,
+ psa_key_type_t *type,
+ size_t *bits)
+{
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = type, .len = sizeof(psa_key_type_t)},
+ {.base = bits, .len = sizeof(size_t)}
+ };
+
+ return tfm_crypto_get_key_information(
+ in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+}
+
/*!
* \defgroup public_psa Public functions, PSA
*
*/
/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_aead_encrypt(psa_key_slot_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *plaintext,
- size_t plaintext_length,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length)
+psa_status_t tfm_crypto_aead_encrypt(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
uint8_t key_data[CRYPTO_AEAD_MAX_KEY_LENGTH];
uint32_t key_size;
psa_key_type_t key_type;
+ if ((in_len != 3) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len < (sizeof(psa_key_slot_t) + sizeof(psa_algorithm_t))) ||
+ (in_vec[0].len > (TFM_CRYPTO_MAX_NONCE_LENGTH
+ + (sizeof(psa_key_slot_t) + sizeof(psa_algorithm_t))))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ const struct tfm_crypto_aead_pack_input *input_s = in_vec[0].base;
+ psa_key_slot_t key = input_s->key;
+ psa_algorithm_t alg = input_s->alg;
+ const uint8_t *nonce = input_s->nonce;
+ size_t nonce_length = in_vec[0].len - sizeof(psa_key_slot_t)
+ - sizeof(psa_algorithm_t);
+ const uint8_t *additional_data = in_vec[1].base;
+ size_t additional_data_length = in_vec[1].len;
+ const uint8_t *plaintext = in_vec[2].base;
+ size_t plaintext_length = in_vec[2].len;
+ uint8_t *ciphertext = out_vec[0].base;
+ size_t ciphertext_size = out_vec[0].len;
+
/* Initialise ciphertext_length to zero */
- *ciphertext_length = 0;
+ out_vec[0].len = 0;
if (PSA_ALG_IS_AEAD(alg) == 0) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
if (PSA_AEAD_TAG_SIZE(alg) == 0) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
if (PSA_AEAD_ENCRYPT_OUTPUT_SIZE(alg, plaintext_length) > ciphertext_size) {
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
if ((nonce_length == 0) ||
((additional_data_length == 0) && (additional_data != NULL))) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Validate pointers */
- err = tfm_crypto_memory_check((void *)nonce,
- nonce_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if ((additional_data != NULL) || (additional_data_length != 0)) {
- err = tfm_crypto_memory_check((void *)additional_data,
- additional_data_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- err = tfm_crypto_memory_check((void *)plaintext,
- plaintext_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check((void *)ciphertext,
- ciphertext_size,
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check((void *)ciphertext_length,
- sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Access the key data */
- err = tfm_crypto_get_key_information(key, &key_type, (size_t *)&key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_get_key_information(key, &key_type, (size_t *)&key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Support only AES based AEAD */
if (key_type != PSA_KEY_TYPE_AES) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
/* Access the crypto service key module to retrieve key data */
- err = tfm_crypto_get_key(key,
- PSA_KEY_USAGE_ENCRYPT,
- alg,
- key_data,
- CRYPTO_AEAD_MAX_KEY_LENGTH,
- (size_t *)&key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_get_key(key,
+ PSA_KEY_USAGE_ENCRYPT,
+ alg,
+ key_data,
+ CRYPTO_AEAD_MAX_KEY_LENGTH,
+ (size_t *)&key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Request AEAD encryption on the crypto engine */
@@ -143,115 +136,88 @@
plaintext_length,
ciphertext,
ciphertext_size,
- (uint32_t *)ciphertext_length);
+ (uint32_t *)&(out_vec[0].len));
if (status == PSA_SUCCESS) {
/* The ciphertext_length needs to take into account the tag length */
- *ciphertext_length += PSA_AEAD_TAG_SIZE(alg);
+ out_vec[0].len += PSA_AEAD_TAG_SIZE(alg);
} else {
/* In case of failure set the ciphertext_length to zero */
- *ciphertext_length = 0;
+ out_vec[0].len = 0;
}
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
-enum tfm_crypto_err_t tfm_crypto_aead_decrypt(psa_key_slot_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *ciphertext,
- size_t ciphertext_length,
- uint8_t *plaintext,
- size_t plaintext_size,
- size_t *plaintext_length)
+psa_status_t tfm_crypto_aead_decrypt(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
uint8_t key_data[CRYPTO_AEAD_MAX_KEY_LENGTH];
uint32_t key_size;
psa_key_type_t key_type;
+ if ((in_vec[0].len < (sizeof(psa_key_slot_t) + sizeof(psa_algorithm_t))) ||
+ (in_vec[0].len > (TFM_CRYPTO_MAX_NONCE_LENGTH
+ + (sizeof(psa_key_slot_t) + sizeof(psa_algorithm_t))))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ const struct tfm_crypto_aead_pack_input *input_s = in_vec[0].base;
+ psa_key_slot_t key = input_s->key;
+ psa_algorithm_t alg = input_s->alg;
+ const uint8_t *nonce = input_s->nonce;
+ size_t nonce_length = in_vec[0].len - sizeof(psa_key_slot_t)
+ - sizeof(psa_algorithm_t);
+ const uint8_t *additional_data = in_vec[1].base;
+ size_t additional_data_length = in_vec[1].len;
+ const uint8_t *ciphertext = in_vec[2].base;
+ size_t ciphertext_length = in_vec[2].len;
+ uint8_t *plaintext = out_vec[0].base;
+ size_t plaintext_size = out_vec[0].len;
+
/* Initialise plaintext_length to zero */
- *plaintext_length = 0;
+ out_vec[0].len = 0;
if (PSA_ALG_IS_AEAD(alg) == 0) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
if ((PSA_AEAD_TAG_SIZE(alg) == 0) ||
(ciphertext_length < PSA_AEAD_TAG_SIZE(alg))) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
if (PSA_AEAD_DECRYPT_OUTPUT_SIZE(alg,ciphertext_length) > plaintext_size) {
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
if ((nonce_length == 0) ||
((additional_data_length == 0) && (additional_data != NULL))) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Validate pointers */
- err = tfm_crypto_memory_check((void *)nonce,
- nonce_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- if ((additional_data != NULL) || (additional_data_length != 0)) {
- err = tfm_crypto_memory_check((void *)additional_data,
- additional_data_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- }
-
- err = tfm_crypto_memory_check((void *)ciphertext,
- ciphertext_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check((void *)plaintext,
- plaintext_size,
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check((void *)plaintext_length,
- sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Access the key data */
- err = tfm_crypto_get_key_information(key, &key_type, (size_t *)&key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_get_key_information(key, &key_type, (size_t *)&key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Support only AES based AEAD */
if (key_type != PSA_KEY_TYPE_AES) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
/* Access the crypto service key module to retrieve key data */
- err = tfm_crypto_get_key(key,
- PSA_KEY_USAGE_DECRYPT,
- alg,
- key_data,
- CRYPTO_AEAD_MAX_KEY_LENGTH,
- (size_t *)&key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_get_key(key,
+ PSA_KEY_USAGE_DECRYPT,
+ alg,
+ key_data,
+ CRYPTO_AEAD_MAX_KEY_LENGTH,
+ (size_t *)&key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Request AEAD decryption on the crypto engine */
@@ -267,11 +233,11 @@
ciphertext_length,
plaintext,
plaintext_size,
- (uint32_t *)plaintext_length);
+ (uint32_t *)&(out_vec[0].len));
if (status != PSA_SUCCESS) {
- *plaintext_length = 0;
+ out_vec[0].len = 0;
}
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_alloc.c b/secure_fw/services/crypto/crypto_alloc.c
index 3812f5f..8705029 100644
--- a/secure_fw/services/crypto/crypto_alloc.c
+++ b/secure_fw/services/crypto/crypto_alloc.c
@@ -121,7 +121,8 @@
* TFM_CRYPTO_INVALID_HANDLE in case of problems
*
*/
-static uint32_t get_handle(enum tfm_crypto_operation_type type, void *oper)
+static uint32_t get_handle(enum tfm_crypto_operation_type type,
+ const void *oper)
{
uint32_t handle = TFM_CRYPTO_INVALID_HANDLE;
@@ -189,21 +190,23 @@
*/
/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_init_alloc(void)
+psa_status_t tfm_crypto_init_alloc(void)
{
/* Clear the contents of the local contexts */
(void)tfm_memset(operation, 0, sizeof(operation));
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_operation_alloc(
- enum tfm_crypto_operation_type type,
+psa_status_t tfm_crypto_operation_alloc(enum tfm_crypto_operation_type type,
void *oper,
void **ctx)
{
uint32_t i = 0, handle;
/* Init to invalid values */
+ if (ctx == NULL) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
*ctx = NULL;
for (i=0; i<TFM_CRYPTO_CONC_OPER_NUM; i++) {
@@ -212,19 +215,18 @@
operation[i].type = type;
handle = set_handle(type, oper, i);
if (handle == TFM_CRYPTO_INVALID_HANDLE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_PERMITTED;
+ return PSA_ERROR_NOT_PERMITTED;
}
*ctx = (void *) &(operation[i].operation);
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
}
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_PERMITTED;
+ return PSA_ERROR_NOT_PERMITTED;
}
-enum tfm_crypto_err_t tfm_crypto_operation_release(
- enum tfm_crypto_operation_type type,
- void *oper)
+psa_status_t tfm_crypto_operation_release(enum tfm_crypto_operation_type type,
+ void *oper)
{
uint32_t handle = get_handle(type, oper);
@@ -235,16 +237,15 @@
operation[handle].in_use = TFM_CRYPTO_NOT_IN_USE;
operation[handle].type = TFM_CRYPTO_OPERATION_NONE;
(void)set_handle(type, oper, TFM_CRYPTO_INVALID_HANDLE);
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
-enum tfm_crypto_err_t tfm_crypto_operation_lookup(
- enum tfm_crypto_operation_type type,
- void *oper,
- void **ctx)
+psa_status_t tfm_crypto_operation_lookup(enum tfm_crypto_operation_type type,
+ const void *oper,
+ void **ctx)
{
uint32_t handle = get_handle(type, oper);
@@ -253,9 +254,9 @@
(operation[handle].in_use == TFM_CRYPTO_IN_USE) &&
(operation[handle].type == type) ) {
*ctx = (void *) &(operation[handle].operation);
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_cipher.c b/secure_fw/services/crypto/crypto_cipher.c
index 9f6ae9d..05d8285 100644
--- a/secure_fw/services/crypto/crypto_cipher.c
+++ b/secure_fw/services/crypto/crypto_cipher.c
@@ -5,18 +5,9 @@
*
*/
-#include <limits.h>
-
-#include "tfm_crypto_defs.h"
-
-#include "crypto_engine.h"
-
-#include "psa_crypto.h"
-
-#include "tfm_crypto_struct.h"
-
#include "tfm_crypto_api.h"
-#include "crypto_utils.h"
+#include "crypto_engine.h"
+#include "tfm_crypto_struct.h"
/**
* \def CRYPTO_CIPHER_MAX_KEY_LENGTH
@@ -28,6 +19,23 @@
#define CRYPTO_CIPHER_MAX_KEY_LENGTH (32)
#endif
+static psa_status_t _psa_get_key_information(psa_key_slot_t key,
+ psa_key_type_t *type,
+ size_t *bits)
+{
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = type, .len = sizeof(psa_key_type_t)},
+ {.base = bits, .len = sizeof(size_t)}
+ };
+
+ return tfm_crypto_get_key_information(
+ in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+}
+
/**
* \brief Release all resources associated with a cipher operation.
*
@@ -36,69 +44,53 @@
*
* \return Return values as described in \ref tfm_crypto_err_t
*/
-static enum tfm_crypto_err_t tfm_crypto_cipher_release(
+static psa_status_t tfm_crypto_cipher_release(
psa_cipher_operation_t *operation,
struct tfm_cipher_operation_s *ctx)
{
- psa_status_t status;
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
/* Release resources in the engine */
status = tfm_crypto_engine_cipher_release(&(ctx->engine_ctx));
if (status != PSA_SUCCESS) {
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/* Release the operation context */
- err = tfm_crypto_operation_release(TFM_CRYPTO_CIPHER_OPERATION, operation);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
- }
-
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return tfm_crypto_operation_release(TFM_CRYPTO_CIPHER_OPERATION, operation);
}
-static enum tfm_crypto_err_t tfm_crypto_cipher_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg,
- enum engine_cipher_mode_t c_mode)
+static psa_status_t tfm_crypto_cipher_setup(psa_cipher_operation_t *operation,
+ psa_key_slot_t key,
+ psa_algorithm_t alg,
+ enum engine_cipher_mode_t c_mode)
{
uint8_t key_data[CRYPTO_CIPHER_MAX_KEY_LENGTH];
size_t key_size;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_cipher_operation_s *ctx = NULL;
struct cipher_engine_info engine_info;
psa_key_usage_t usage;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_cipher_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
if (!PSA_ALG_IS_CIPHER(alg)) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Access the key module to retrieve key related information */
- err = tfm_crypto_get_key_information(key, &key_type, &key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_get_key_information(key, &key_type, &key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Check if it's a raw data key type */
if (key_type == PSA_KEY_TYPE_RAW_DATA) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_PERMITTED;
+ return PSA_ERROR_NOT_PERMITTED;
}
/* Check compatibility between key and algorithm */
if ((key_type == PSA_KEY_TYPE_ARC4) && (alg != PSA_ALG_ARC4)) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Setup the algorithm on the crypto engine */
@@ -108,15 +100,15 @@
c_mode,
&engine_info);
if (status != PSA_SUCCESS) {
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/* Allocate the operation context in the secure world */
- err = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_CIPHER_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Set the proper cipher mode (encrypt/decrypt) in the operation context */
@@ -130,7 +122,7 @@
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if this operation fails. */
(void)tfm_crypto_cipher_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/* Set the key usage based on the cipher mode */
@@ -138,16 +130,16 @@
: PSA_KEY_USAGE_ENCRYPT;
/* Access the crypto service key module to retrieve key data */
- err = tfm_crypto_get_key(key,
- usage,
- alg,
- key_data,
- CRYPTO_CIPHER_MAX_KEY_LENGTH,
- &key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = tfm_crypto_get_key(key,
+ usage,
+ alg,
+ key_data,
+ CRYPTO_CIPHER_MAX_KEY_LENGTH,
+ &key_size);
+ if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if this operation fails. */
(void)tfm_crypto_cipher_release(operation, ctx);
- return err;
+ return status;
}
/* Set the key on the engine */
@@ -158,7 +150,7 @@
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if this operation fails. */
(void)tfm_crypto_cipher_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/* Bind the key to the cipher operation */
@@ -173,7 +165,7 @@
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if this operation fails. */
(void)tfm_crypto_cipher_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
}
@@ -181,7 +173,7 @@
ctx->iv_required = 1;
ctx->block_size = PSA_BLOCK_CIPHER_BLOCK_SIZE(key_type);
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
/*!
@@ -190,43 +182,42 @@
*/
/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_cipher_set_iv(
- psa_cipher_operation_t *operation,
- const unsigned char *iv,
- size_t iv_length)
+psa_status_t tfm_crypto_cipher_set_iv(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_cipher_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_cipher_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check((void *)iv, iv_length, TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if (out_vec[0].len != sizeof(psa_cipher_operation_t)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_cipher_operation_t *operation = out_vec[0].base;
+ const unsigned char *iv = in_vec[0].base;
+ size_t iv_length = in_vec[0].len;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
if ((iv_length != ctx->block_size) || (iv_length > TFM_CIPHER_IV_MAX_SIZE)){
(void)tfm_crypto_cipher_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
if ((ctx->iv_set == 1) || (ctx->iv_required == 0)) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
/* Set the IV on the crypto engine */
@@ -235,84 +226,112 @@
iv_length);
if (status != PSA_SUCCESS) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
ctx->iv_set = 1;
ctx->iv_size = iv_length;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_cipher_encrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
+static psa_status_t _psa_cipher_set_iv(psa_cipher_operation_t *operation,
+ const unsigned char *iv,
+ size_t iv_length)
{
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = iv, .len = iv_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
+
+ status = tfm_crypto_cipher_set_iv(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+ return status;
+}
+psa_status_t tfm_crypto_cipher_encrypt_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(psa_cipher_operation_t)) ||
+ (in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_cipher_operation_t *operation = out_vec[0].base;
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_algorithm_t alg = *((psa_algorithm_t *)in_vec[1].base);
+
return tfm_crypto_cipher_setup(operation,
key,
alg,
ENGINE_CIPHER_MODE_ENCRYPT);
}
-enum tfm_crypto_err_t tfm_crypto_cipher_decrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
+psa_status_t tfm_crypto_cipher_decrypt_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(psa_cipher_operation_t)) ||
+ (in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_cipher_operation_t *operation = out_vec[0].base;
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_algorithm_t alg = *((psa_algorithm_t *)in_vec[1].base);
+
return tfm_crypto_cipher_setup(operation,
key,
alg,
ENGINE_CIPHER_MODE_DECRYPT);
}
-enum tfm_crypto_err_t tfm_crypto_cipher_update(
- psa_cipher_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- unsigned char *output,
- size_t output_size,
- size_t *output_length)
+psa_status_t tfm_crypto_cipher_update(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_cipher_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_cipher_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check((void *)input,
- input_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check(output,
- output_size,
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check(output_length,
- sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 2)) {
+ return PSA_CONNECTION_REFUSED;
}
- /* Initialise the output length to zero */
- *output_length = 0;
+ if ((out_vec[0].len != sizeof(psa_cipher_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_cipher_operation_t *operation = out_vec[0].base;
+ const uint8_t *input = in_vec[0].base;
+ size_t input_length = in_vec[0].len;
+ unsigned char *output = out_vec[1].base;
+ size_t output_size = out_vec[1].len;
+
+ /* Initialise the output_length to zero */
+ out_vec[1].len = 0;
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* If the IV is required and it's not been set yet */
@@ -320,17 +339,17 @@
if (ctx->cipher_mode != ENGINE_CIPHER_MODE_DECRYPT) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
/* This call is used to set the IV on the object */
- return tfm_crypto_cipher_set_iv(operation, input, input_length);
+ return _psa_cipher_set_iv(operation, input, input_length);
}
/* If the key is not set, setup phase has not been completed */
if (ctx->key_set == 0) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
/* FIXME: The implementation currently expects to work only on blocks
@@ -338,7 +357,7 @@
*/
if (input_length > output_size) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
/* Update the cipher output with the input chunk on the engine */
@@ -346,51 +365,44 @@
input,
input_length,
output,
- (uint32_t *)output_length);
+ (uint32_t *)&(out_vec[1].len));
if (status != PSA_SUCCESS) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_cipher_finish(
- psa_cipher_operation_t *operation,
- uint8_t *output,
- size_t output_size,
- size_t *output_length)
+psa_status_t tfm_crypto_cipher_finish(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_cipher_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_cipher_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check(output,
- output_size,
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check(output_length,
- sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 0) || (out_len != 2)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_cipher_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_cipher_operation_t *operation = out_vec[0].base;
+ unsigned char *output = out_vec[1].base;
+ size_t output_size = out_vec[1].len;
+
+ /* Initialise the output_length to zero */
+ out_vec[1].len = 0;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Check that the output buffer is large enough for up to one block size of
@@ -398,41 +410,46 @@
*/
if (output_size < ctx->block_size) {
(void)tfm_crypto_cipher_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
/* Finalise the operation on the crypto engine */
status = tfm_crypto_engine_cipher_finish(&(ctx->engine_ctx),
output,
- (uint32_t *)output_length);
+ (uint32_t *)&(out_vec[1].len));
if (status != PSA_SUCCESS) {
- *output_length = 0;
+ out_vec[1].len = 0;
(void)tfm_crypto_cipher_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
return tfm_crypto_cipher_release(operation, ctx);
}
-enum tfm_crypto_err_t tfm_crypto_cipher_abort(psa_cipher_operation_t *operation)
+psa_status_t tfm_crypto_cipher_abort(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
struct tfm_cipher_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_cipher_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 0) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_cipher_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_cipher_operation_t *operation = out_vec[0].base;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_CIPHER_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
return tfm_crypto_cipher_release(operation, ctx);
diff --git a/secure_fw/services/crypto/crypto_hash.c b/secure_fw/services/crypto/crypto_hash.c
index 7dc6582..cd546b9 100644
--- a/secure_fw/services/crypto/crypto_hash.c
+++ b/secure_fw/services/crypto/crypto_hash.c
@@ -5,16 +5,9 @@
*
*/
-#include <limits.h>
-
-#include "tfm_crypto_defs.h"
-#include "crypto_engine.h"
-#include "psa_crypto.h"
-
-#include "tfm_crypto_struct.h"
-
#include "tfm_crypto_api.h"
-#include "crypto_utils.h"
+#include "crypto_engine.h"
+#include "tfm_crypto_struct.h"
/**
* \brief Release all resources associated with a hash operation.
@@ -24,26 +17,19 @@
*
* \return Return values as described in \ref tfm_crypto_err_t
*/
-static enum tfm_crypto_err_t tfm_crypto_hash_release(
- psa_hash_operation_t *operation,
- struct tfm_hash_operation_s *ctx)
+static psa_status_t tfm_crypto_hash_release(psa_hash_operation_t *operation,
+ struct tfm_hash_operation_s *ctx)
{
- psa_status_t status;
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
/* Release resources in the engine */
status = tfm_crypto_engine_hash_release(&(ctx->engine_ctx));
if (status != PSA_SUCCESS) {
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/* Release the operation context */
- err = tfm_crypto_operation_release(TFM_CRYPTO_HASH_OPERATION, operation);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
- }
-
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return tfm_crypto_operation_release(TFM_CRYPTO_HASH_OPERATION, operation);
}
/*!
@@ -52,38 +38,43 @@
*/
/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_hash_setup(psa_hash_operation_t *operation,
- psa_algorithm_t alg)
+psa_status_t tfm_crypto_hash_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_hash_operation_s *ctx = NULL;
struct hash_engine_info engine_info;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_hash_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_hash_operation_t)) ||
+ (in_vec[0].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_hash_operation_t *operation = out_vec[0].base;
+ psa_algorithm_t alg = *((psa_algorithm_t *)in_vec[0].base);
+
if (PSA_ALG_IS_HASH(alg) == 0) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Setup the engine for the requested algorithm */
status = tfm_crypto_engine_hash_setup(alg, &engine_info);
if (status != PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
/* Allocate the operation context in the secure world */
- err = tfm_crypto_operation_alloc(TFM_CRYPTO_HASH_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_HASH_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Bind the algorithm to the hash context */
@@ -94,40 +85,38 @@
if (status != PSA_SUCCESS) {
/* Release the operation context, ignore if the operation fails. */
(void)tfm_crypto_hash_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_hash_update(psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
+psa_status_t tfm_crypto_hash_update(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_hash_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_hash_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check((void *)input,
- input_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_hash_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_hash_operation_t *operation = out_vec[0].base;
+ const uint8_t *input = in_vec[0].base;
+ size_t input_length = in_vec[0].len;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Process the input chunk with the engine */
@@ -136,92 +125,114 @@
input_length);
if (status != PSA_SUCCESS) {
(void)tfm_crypto_hash_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_hash_finish(psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length)
+psa_status_t tfm_crypto_hash_finish(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
psa_status_t status = PSA_SUCCESS;
- enum tfm_crypto_err_t err;
struct tfm_hash_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_hash_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check(hash,
- hash_size,
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
- err = tfm_crypto_memory_check(hash_length,
- sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 0) || (out_len != 2)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_hash_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_hash_operation_t *operation = out_vec[0].base;
+ uint8_t *hash = out_vec[1].base;
+ size_t hash_size = out_vec[1].len;
+
+ /* Initialise hash_length to zero */
+ out_vec[1].len = 0;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
if (hash_size < PSA_HASH_SIZE(ctx->alg)) {
(void)tfm_crypto_hash_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
/* Finalise the hash value using the engine */
status = tfm_crypto_engine_hash_finish(&(ctx->engine_ctx), hash);
if (status != PSA_SUCCESS) {
(void)tfm_crypto_hash_release(operation, ctx);
- return PSA_STATUS_TO_TFM_CRYPTO_ERR(status);
+ return status;
}
/* Set the length of the hash that has been produced */
- *hash_length = PSA_HASH_SIZE(ctx->alg);
+ out_vec[1].len = PSA_HASH_SIZE(ctx->alg);
return tfm_crypto_hash_release(operation, ctx);
}
-enum tfm_crypto_err_t tfm_crypto_hash_verify(psa_hash_operation_t *operation,
- const uint8_t *hash,
- size_t hash_length)
+static psa_status_t _psa_hash_finish(psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ {.base = hash, .len = hash_size},
+ };
+
+ status = tfm_crypto_hash_finish(NULL, 0,
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+ *hash_length = out_vec[1].len;
+
+ return status;
+}
+
+psa_status_t tfm_crypto_hash_verify(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
+{
+ psa_status_t status = PSA_SUCCESS;
uint8_t digest[PSA_HASH_MAX_SIZE] = {0};
size_t digest_length;
uint32_t idx, comp_mismatch = 0;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_hash_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
- /* Finalise the hash operation */
- err = tfm_crypto_hash_finish(operation,
- digest,
- PSA_HASH_MAX_SIZE,
- &digest_length);
+ if ((out_vec[0].len != sizeof(psa_hash_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ psa_hash_operation_t *operation = out_vec[0].base;
+ const uint8_t *hash = in_vec[0].base;
+ size_t hash_length = in_vec[0].len;
+
+ /* Finalise the hash operation */
+ status = _psa_hash_finish(operation,
+ digest,
+ PSA_HASH_MAX_SIZE,
+ &digest_length);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* Check that the computed hash has the same legnth as the provided one */
+ if (hash_length != digest_length) {
+ return PSA_ERROR_INVALID_SIGNATURE;
}
/* Verify that the computed hash matches the provided one */
@@ -232,31 +243,36 @@
}
if (comp_mismatch == 1) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE;
+ return PSA_ERROR_INVALID_SIGNATURE;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_hash_abort(psa_hash_operation_t *operation)
+psa_status_t tfm_crypto_hash_abort(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
struct tfm_hash_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_hash_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 0) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_hash_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_hash_operation_t *operation = out_vec[0].base;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_HASH_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
return tfm_crypto_hash_release(operation, ctx);
diff --git a/secure_fw/services/crypto/crypto_init.c b/secure_fw/services/crypto/crypto_init.c
index 083ce84..1ec7dee 100644
--- a/secure_fw/services/crypto/crypto_init.c
+++ b/secure_fw/services/crypto/crypto_init.c
@@ -5,35 +5,31 @@
*
*/
-#include "tfm_crypto_defs.h"
-#include "crypto_engine.h"
#include "tfm_crypto_api.h"
+#include "crypto_engine.h"
-static enum tfm_crypto_err_t tfm_crypto_module_init(void)
+static psa_status_t tfm_crypto_module_init(void)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
/* Init the Key module */
- err = tfm_crypto_init_key();
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_init_key();
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Init the Alloc module */
- err = tfm_crypto_init_alloc();
-
- return err;
+ return tfm_crypto_init_alloc();
}
-enum tfm_crypto_err_t tfm_crypto_init(void)
+psa_status_t tfm_crypto_init(void)
{
psa_status_t status;
- enum tfm_crypto_err_t err;
/* Initialise other modules of the service */
- err = tfm_crypto_module_init();
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_module_init();
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Initialise the engine interface module */
@@ -44,8 +40,8 @@
* without triggering any TF-M recovery mechanism during boot-up if it
* recognises that a service has not completed booting correctly.
*/
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
diff --git a/secure_fw/services/crypto/crypto_key.c b/secure_fw/services/crypto/crypto_key.c
index 499ffa7..2bef9ca 100644
--- a/secure_fw/services/crypto/crypto_key.c
+++ b/secure_fw/services/crypto/crypto_key.c
@@ -9,10 +9,9 @@
#include <stddef.h>
#include "tfm_crypto_api.h"
-#include "crypto_utils.h"
-#include "secure_fw/core/tfm_memory_utils.h"
#include "psa_crypto.h"
#include "tfm_crypto_defs.h"
+#include "secure_fw/core/tfm_memory_utils.h"
/**
* \brief This is the default value of maximum number of simultaneous
@@ -97,44 +96,44 @@
*/
/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_init_key(void)
+psa_status_t tfm_crypto_init_key(void)
{
/* Clear the contents of the local key_storage */
(void)tfm_memset(key_storage, 0, sizeof(key_storage));
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_get_key(psa_key_slot_t key,
- psa_key_usage_t usage,
- psa_algorithm_t alg,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
+psa_status_t tfm_crypto_get_key(psa_key_slot_t key,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length)
{
struct tfm_crypto_key_storage_s *key_store;
size_t i;
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
if (key_store->in_use == TFM_CRYPTO_NOT_IN_USE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_EMPTY_SLOT;
+ return PSA_ERROR_EMPTY_SLOT;
}
/* Check that usage is permitted for this key */
if ((usage & key_store->policy.usage) != usage) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_PERMITTED;
+ return PSA_ERROR_NOT_PERMITTED;
}
/* Check that alg is compatible with this key */
if (alg != 0 && alg != key_store->policy.alg) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_PERMITTED;
+ return PSA_ERROR_NOT_PERMITTED;
}
if (key_store->data_length > data_size) {
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
for (i = 0; i < key_store->data_length; i++) {
@@ -143,35 +142,42 @@
*data_length = key_store->data_length;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_import_key(psa_key_slot_t key,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length)
+psa_status_t tfm_crypto_import_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
size_t i;
- err = tfm_crypto_memory_check((uint8_t *)data, data_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 3) || (out_len != 0)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_key_type_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_key_type_t type = *((psa_key_type_t *)in_vec[1].base);
+ const uint8_t *data = in_vec[2].base;
+ size_t data_length = in_vec[2].len;
+
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
if (key_store->in_use != TFM_CRYPTO_NOT_IN_USE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_OCCUPIED_SLOT;
+ return PSA_ERROR_OCCUPIED_SLOT;
}
if (!key_type_is_supported(type, data_length)) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
key_store->in_use = TFM_CRYPTO_IN_USE;
@@ -183,17 +189,30 @@
key_store->data_length = data_length;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_destroy_key(psa_key_slot_t key)
+psa_status_t tfm_crypto_destroy_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
uint32_t i;
+ if ((in_len != 1) || (out_len != 0)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if (in_vec[0].len != sizeof(psa_key_slot_t)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
volatile uint8_t *p_mem = (uint8_t *)key_store;
@@ -207,180 +226,194 @@
/* Set default values */
key_store->in_use = TFM_CRYPTO_NOT_IN_USE;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_get_key_information(psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits)
+psa_status_t tfm_crypto_get_key_information(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
- err = tfm_crypto_memory_check(type, sizeof(psa_key_type_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 2)) {
+ return PSA_CONNECTION_REFUSED;
}
- err = tfm_crypto_memory_check(bits, sizeof(size_t), TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (out_vec[0].len != sizeof(psa_key_type_t)) ||
+ (out_vec[1].len != sizeof(size_t))) {
+ return PSA_CONNECTION_REFUSED;
}
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_key_type_t *type = out_vec[0].base;
+ size_t *bits = out_vec[1].base;
+
/* Initialise output parameters contents to zero */
*type = (psa_key_type_t) 0;
- *bits = (size_t)0;
+ *bits = (size_t) 0;
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
if (key_store->in_use == TFM_CRYPTO_NOT_IN_USE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_EMPTY_SLOT;
+ return PSA_ERROR_EMPTY_SLOT;
}
/* Get basic metadata */
*type = key_store->type;
*bits = PSA_BYTES_TO_BITS(key_store->data_length);
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_export_key(psa_key_slot_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
+psa_status_t tfm_crypto_export_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
-
- err = tfm_crypto_memory_check(data, data_size, TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
- err = tfm_crypto_memory_check(data_length, sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if (in_vec[0].len != sizeof(psa_key_slot_t)) {
+ return PSA_CONNECTION_REFUSED;
}
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ uint8_t *data = out_vec[0].base;
+ size_t data_size = out_vec[0].len;
+
return tfm_crypto_get_key(key, PSA_KEY_USAGE_EXPORT, 0, data, data_size,
- data_length);
+ &(out_vec[0].len));
}
-enum tfm_crypto_err_t tfm_crypto_export_public_key(psa_key_slot_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length)
+psa_status_t tfm_crypto_export_public_key(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- (void)key;
- (void)data;
- (void)data_size;
- (void)data_length;
+ (void)in_vec;
+ (void)in_len;
+ (void)out_vec;
+ (void)out_len;
/* FIXME: This API is not supported yet */
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
-enum tfm_crypto_err_t tfm_crypto_key_policy_init(psa_key_policy_t *policy)
+psa_status_t tfm_crypto_key_policy_init(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
-
- err = tfm_crypto_memory_check(policy, sizeof(psa_key_policy_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 0) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if (out_vec[0].len != sizeof(psa_key_policy_t)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_policy_t *policy = out_vec[0].base;
+
policy->usage = 0;
policy->alg = 0;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_key_policy_set_usage(psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg)
+psa_status_t tfm_crypto_key_policy_set_usage(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
-
- err = tfm_crypto_memory_check(policy, sizeof(psa_key_policy_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_key_policy_t)) ||
+ (in_vec[0].len != sizeof(psa_key_usage_t)) ||
+ (in_vec[1].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_policy_t *policy = out_vec[0].base;
+ psa_key_usage_t usage = *((psa_key_usage_t *)in_vec[0].base);
+ psa_algorithm_t alg = *((psa_algorithm_t *)in_vec[1].base);
+
policy->usage = usage;
policy->alg = alg;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_key_policy_get_usage(
- const psa_key_policy_t *policy,
- psa_key_usage_t *usage)
+psa_status_t tfm_crypto_key_policy_get_usage(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
-
- err = tfm_crypto_memory_check((psa_key_policy_t *)policy,
- sizeof(psa_key_policy_t),
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
- err = tfm_crypto_memory_check((psa_key_policy_t *)usage,
- sizeof(psa_key_usage_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_vec[0].len != sizeof(psa_key_policy_t)) ||
+ (out_vec[0].len != sizeof(psa_key_usage_t))) {
+ return PSA_CONNECTION_REFUSED;
}
+ const psa_key_policy_t *policy = in_vec[0].base;
+ psa_key_usage_t *usage = out_vec[0].base;
+
*usage = policy->usage;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_key_policy_get_algorithm(
- const psa_key_policy_t *policy,
- psa_algorithm_t *alg)
+psa_status_t tfm_crypto_key_policy_get_algorithm(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
-
- err = tfm_crypto_memory_check((psa_key_policy_t *)policy,
- sizeof(psa_key_policy_t),
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
- err = tfm_crypto_memory_check((psa_key_policy_t *)alg,
- sizeof(psa_algorithm_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_vec[0].len != sizeof(psa_key_policy_t)) ||
+ (out_vec[0].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
}
+ const psa_key_policy_t *policy = in_vec[0].base;
+ psa_algorithm_t *alg = out_vec[0].base;
+
*alg = policy->alg;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_set_key_policy(psa_key_slot_t key,
- const psa_key_policy_t *policy)
+psa_status_t tfm_crypto_set_key_policy(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
- err = tfm_crypto_memory_check((psa_key_policy_t *)policy,
- sizeof(psa_key_policy_t),
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 2) || (out_len != 0)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_key_policy_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ const psa_key_policy_t *policy = in_vec[1].base;
+
/* Check that the policy is valid */
if (policy->usage & ~(PSA_KEY_USAGE_EXPORT
| PSA_KEY_USAGE_ENCRYPT
@@ -388,102 +421,129 @@
| PSA_KEY_USAGE_SIGN
| PSA_KEY_USAGE_VERIFY
| PSA_KEY_USAGE_DERIVE)) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Changing the policy of an occupied slot is not permitted as
* this is a requirement of the PSA Crypto API
*/
if (key_store->in_use != TFM_CRYPTO_NOT_IN_USE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_OCCUPIED_SLOT;
+ return PSA_ERROR_OCCUPIED_SLOT;
}
key_store->policy = *policy;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_get_key_policy(psa_key_slot_t key,
- psa_key_policy_t *policy)
+psa_status_t tfm_crypto_get_key_policy(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
- err = tfm_crypto_memory_check(policy, sizeof(psa_key_policy_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (out_vec[0].len != sizeof(psa_key_policy_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_key_policy_t *policy = out_vec[0].base;
+
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
*policy = key_store->policy;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_set_key_lifetime(psa_key_slot_t key,
- psa_key_lifetime_t lifetime)
+psa_status_t tfm_crypto_set_key_lifetime(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
+
+ if ((in_len != 2) || (out_len != 0)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_key_lifetime_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_key_lifetime_t lifetime = *((psa_key_lifetime_t *)in_vec[1].base);
/* Check that the lifetime is valid */
if (lifetime != PSA_KEY_LIFETIME_VOLATILE
&& lifetime != PSA_KEY_LIFETIME_PERSISTENT
&& lifetime != PSA_KEY_LIFETIME_WRITE_ONCE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* TF-M Crypto service does not support changing the lifetime of an occupied
* slot.
*/
if (key_store->in_use != TFM_CRYPTO_NOT_IN_USE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_OCCUPIED_SLOT;
+ return PSA_ERROR_OCCUPIED_SLOT;
}
/* Only volatile keys are currently supported */
if (lifetime != PSA_KEY_LIFETIME_VOLATILE) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
key_store->lifetime = lifetime;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_get_key_lifetime(psa_key_slot_t key,
- psa_key_lifetime_t *lifetime)
+psa_status_t tfm_crypto_get_key_lifetime(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
- struct tfm_crypto_key_storage_s *key_store;
+ struct tfm_crypto_key_storage_s *key_store = NULL;
- err = tfm_crypto_memory_check(lifetime, sizeof(psa_key_lifetime_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (out_vec[0].len != sizeof(psa_key_lifetime_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_key_lifetime_t *lifetime = out_vec[0].base;
+
key_store = get_key_store(key);
if (key_store == NULL) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
*lifetime = key_store->lifetime;
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-
/*!@}*/
diff --git a/secure_fw/services/crypto/crypto_mac.c b/secure_fw/services/crypto/crypto_mac.c
index 2aeb99e..7000b18 100644
--- a/secure_fw/services/crypto/crypto_mac.c
+++ b/secure_fw/services/crypto/crypto_mac.c
@@ -5,15 +5,84 @@
*
*/
-#include "crypto_utils.h"
#include "secure_fw/core/tfm_memory_utils.h"
-#include "tfm_crypto_defs.h"
-
-#include "psa_crypto.h"
-
+#include "tfm_crypto_api.h"
+#include "crypto_engine.h"
#include "tfm_crypto_struct.h"
-#include "tfm_crypto_api.h"
+static psa_status_t _psa_get_key_information(psa_key_slot_t key,
+ psa_key_type_t *type,
+ size_t *bits)
+{
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = type, .len = sizeof(psa_key_type_t)},
+ {.base = bits, .len = sizeof(size_t)}
+ };
+
+ return tfm_crypto_get_key_information(
+ in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+}
+
+static psa_status_t _psa_hash_setup(psa_hash_operation_t *operation,
+ psa_algorithm_t alg)
+{
+ psa_invec in_vec[] = {
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
+
+ return tfm_crypto_hash_setup(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+}
+
+static psa_status_t _psa_hash_update(psa_hash_operation_t *operation,
+ const uint8_t *input,
+ size_t input_length)
+{
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
+
+ return tfm_crypto_hash_update(in_vec, sizeof(in_vec)/sizeof(in_vec[0]),
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+}
+
+static psa_status_t _psa_hash_finish(psa_hash_operation_t *operation,
+ uint8_t *hash,
+ size_t hash_size,
+ size_t *hash_length)
+{
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ {.base = hash, .len = hash_size},
+ };
+
+ status = tfm_crypto_hash_finish(NULL, 0,
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+ *hash_length = out_vec[1].len;
+
+ return status;
+}
+
+static psa_status_t _psa_hash_abort(psa_hash_operation_t *operation)
+{
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
+
+ return tfm_crypto_hash_abort(NULL, 0,
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]));
+}
/**
* \def UNUSED_VAR
@@ -63,23 +132,21 @@
}
}
-static enum tfm_crypto_err_t tfm_crypto_mac_release(
- psa_mac_operation_t *operation,
- struct tfm_mac_operation_s *ctx)
+static psa_status_t tfm_crypto_mac_release(psa_mac_operation_t *operation,
+ struct tfm_mac_operation_s *ctx)
{
- /* No release necessary on the ctx related quantites for the time being */
+ /* No release necessary on the ctx related items for the time being */
UNUSED_VAR(ctx);
/* Release the operation context */
return tfm_crypto_operation_release(TFM_CRYPTO_MAC_OPERATION, operation);
}
-static enum tfm_crypto_err_t tfm_crypto_hmac_setup(
- struct tfm_mac_operation_s *ctx,
+static psa_status_t tfm_crypto_hmac_setup(struct tfm_mac_operation_s *ctx,
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
psa_key_type_t key_type;
size_t key_size;
uint8_t key_data[CRYPTO_HMAC_MAX_KEY_LENGTH];
@@ -91,13 +158,13 @@
psa_key_usage_t usage;
/* Check provided key */
- err = tfm_crypto_get_key_information(key, &key_type, &key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_get_key_information(key, &key_type, &key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
if (key_type != PSA_KEY_TYPE_HMAC){
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Set the key usage based on whether this is a sign or verify operation */
@@ -106,18 +173,18 @@
} else if ((ctx->key_usage_sign == 0) && (ctx->key_usage_verify == 1)) {
usage = PSA_KEY_USAGE_VERIFY;
} else {
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
/* Get the key data to start the HMAC */
- err = tfm_crypto_get_key(key,
- usage,
- alg,
- key_data,
- CRYPTO_HMAC_MAX_KEY_LENGTH,
- &key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_get_key(key,
+ usage,
+ alg,
+ key_data,
+ CRYPTO_HMAC_MAX_KEY_LENGTH,
+ &key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Bind the digest size to the MAC operation */
@@ -130,25 +197,26 @@
*/
if (key_size > block_size) {
/* Hash the key to reduce it to block size */
- err = tfm_crypto_hash_setup(&(ctx->ctx.hmac.hash_operation),
- PSA_ALG_HMAC_HASH(alg));
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_hash_setup(&(ctx->ctx.hmac.hash_operation),
+ PSA_ALG_HMAC_HASH(alg));
+ if (status != PSA_SUCCESS) {
+ return status;
}
- err = tfm_crypto_hash_update(&(ctx->ctx.hmac.hash_operation),
- &key_data[0],
- key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation),
+ &key_data[0],
+ key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Replace the key with the hashed key */
- err = tfm_crypto_hash_finish(&(ctx->ctx.hmac.hash_operation),
- hashed_key, sizeof(hashed_key),
- &key_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_hash_finish(&(ctx->ctx.hmac.hash_operation),
+ hashed_key,
+ sizeof(hashed_key),
+ &key_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
} else {
/* Copy the key inside the hashed_key buffer */
@@ -169,54 +237,45 @@
}
/* Start hash1 = H(i_key_pad || message) */
- err = tfm_crypto_hash_setup(&(ctx->ctx.hmac.hash_operation),
- PSA_ALG_HMAC_HASH(alg));
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_setup(&(ctx->ctx.hmac.hash_operation),
+ PSA_ALG_HMAC_HASH(alg));
+ if (status != PSA_SUCCESS) {
/* Clear key information on stack */
for (i=0; i<key_size; i++) {
hashed_key[i] = 0;
ipad[i] = 0;
}
- return err;
+ return status;
}
- err = tfm_crypto_hash_update(&(ctx->ctx.hmac.hash_operation),
- ipad,
- block_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation),
+ ipad,
+ block_size);
+ if (status != PSA_SUCCESS) {
+ return status;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-static enum tfm_crypto_err_t tfm_crypto_mac_setup(psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg,
- uint8_t sign_operation)
+static psa_status_t tfm_crypto_mac_setup(psa_mac_operation_t *operation,
+ psa_key_slot_t key,
+ psa_algorithm_t alg,
+ uint8_t sign_operation)
{
- enum tfm_crypto_err_t err;
-
+ psa_status_t status = PSA_SUCCESS;
struct tfm_mac_operation_s *ctx = NULL;
if (!PSA_ALG_IS_MAC(alg)) {
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
- }
-
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_mac_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_NOT_SUPPORTED;
}
/* Allocate the operation context in the secure world */
- err = tfm_crypto_operation_alloc(TFM_CRYPTO_MAC_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_alloc(TFM_CRYPTO_MAC_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Bind the algorithm to the mac operation */
@@ -232,11 +291,11 @@
}
if (PSA_ALG_IS_HMAC(alg)) {
- err = tfm_crypto_hmac_setup(ctx, key, alg);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = tfm_crypto_hmac_setup(ctx, key, alg);
+ if (status != PSA_SUCCESS) {
/* Release the operation context */
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
ctx->key_set = 1;
@@ -244,20 +303,19 @@
/* Other MAC types constructions are not supported */
/* Release the operation context */
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-static enum tfm_crypto_err_t tfm_crypto_mac_finish(
- psa_mac_operation_t *operation,
- struct tfm_mac_operation_s *ctx,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
+static psa_status_t tfm_crypto_mac_finish(psa_mac_operation_t *operation,
+ struct tfm_mac_operation_s *ctx,
+ uint8_t *mac,
+ size_t mac_size,
+ size_t *mac_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
uint8_t hash1[PSA_HASH_MAX_SIZE];
size_t hash_size;
uint8_t *opad;
@@ -266,12 +324,12 @@
/* Sanity checks */
if (mac_size < ctx->mac_size) {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BUFFER_TOO_SMALL;
+ return PSA_ERROR_BUFFER_TOO_SMALL;
}
if (!(ctx->has_input)) {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
if (PSA_ALG_IS_HMAC(ctx->alg)) {
@@ -279,57 +337,57 @@
block_size = get_hash_block_size(PSA_ALG_HMAC_HASH(ctx->alg));
/* finish the hash1 = H(ipad || message) */
- err = tfm_crypto_hash_finish(&(ctx->ctx.hmac.hash_operation),
- hash1,
- sizeof(hash1),
- &hash_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_finish(&(ctx->ctx.hmac.hash_operation),
+ hash1,
+ sizeof(hash1),
+ &hash_size);
+ if (status != PSA_SUCCESS) {
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
/* compute the final mac value = H(opad || hash1) */
- err = tfm_crypto_hash_setup(&(ctx->ctx.hmac.hash_operation),
- PSA_ALG_HMAC_HASH(ctx->alg));
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_setup(&(ctx->ctx.hmac.hash_operation),
+ PSA_ALG_HMAC_HASH(ctx->alg));
+ if (status != PSA_SUCCESS) {
mac_zeroize(hash1, sizeof(hash1));
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
- err = tfm_crypto_hash_update(&(ctx->ctx.hmac.hash_operation),
- opad,
- block_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation),
+ opad,
+ block_size);
+ if (status != PSA_SUCCESS) {
mac_zeroize(hash1, sizeof(hash1));
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
- err = tfm_crypto_hash_update(&(ctx->ctx.hmac.hash_operation),
- hash1,
- hash_size);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation),
+ hash1,
+ hash_size);
+ if (status != PSA_SUCCESS) {
mac_zeroize(hash1, sizeof(hash1));
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
- err = tfm_crypto_hash_finish(&(ctx->ctx.hmac.hash_operation),
- mac,
- mac_size,
- mac_length);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_finish(&(ctx->ctx.hmac.hash_operation),
+ mac,
+ mac_size,
+ mac_length);
+ if (status != PSA_SUCCESS) {
mac_zeroize(hash1, sizeof(hash1));
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
/* Clear intermediate hash value */
mac_zeroize(hash1, sizeof(hash1));
} else {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
return tfm_crypto_mac_release(operation, ctx);
@@ -341,194 +399,211 @@
*/
/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
+psa_status_t tfm_crypto_mac_sign_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(psa_mac_operation_t)) ||
+ (in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_mac_operation_t *operation = out_vec[0].base;
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_algorithm_t alg = *((psa_algorithm_t *)in_vec[1].base);
+
return tfm_crypto_mac_setup(operation, key, alg, 1);
}
-enum tfm_crypto_err_t tfm_crypto_mac_verify_setup(
- psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg)
+psa_status_t tfm_crypto_mac_verify_setup(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
+ if ((in_len != 2) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(psa_mac_operation_t)) ||
+ (in_vec[0].len != sizeof(psa_key_slot_t)) ||
+ (in_vec[1].len != sizeof(psa_algorithm_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_mac_operation_t *operation = out_vec[0].base;
+ psa_key_slot_t key = *((psa_key_slot_t *)in_vec[0].base);
+ psa_algorithm_t alg = *((psa_algorithm_t *)in_vec[1].base);
+
return tfm_crypto_mac_setup(operation, key, alg, 0);
}
-enum tfm_crypto_err_t tfm_crypto_mac_update(psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length)
+psa_status_t tfm_crypto_mac_update(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
-
+ psa_status_t status = PSA_SUCCESS;
struct tfm_mac_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_mac_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
- err = tfm_crypto_memory_check((void *)input,
- input_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((out_vec[0].len != sizeof(psa_mac_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
}
+ psa_mac_operation_t *operation = out_vec[0].base;
+ const uint8_t *input = in_vec[0].base;
+ size_t input_length = in_vec[0].len;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* Sanity check */
if (!(ctx->key_set)) {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
if (input_length == 0) {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Process the input chunk */
if (PSA_ALG_IS_HMAC(ctx->alg)) {
- err = tfm_crypto_hash_update(&(ctx->ctx.hmac.hash_operation),
- input,
- input_length);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
+ status = _psa_hash_update(&(ctx->ctx.hmac.hash_operation),
+ input,
+ input_length);
+ if (status != PSA_SUCCESS) {
(void)tfm_crypto_mac_release(operation, ctx);
- return err;
+ return status;
}
/* Set this flag to avoid HMAC without data */
ctx->has_input = 1;
} else {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_mac_sign_finish(psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length)
+psa_status_t tfm_crypto_mac_sign_finish(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
struct tfm_mac_operation_s *ctx = NULL;
+ if ((in_len != 0) || (out_len != 2)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(psa_mac_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_mac_operation_t *operation = out_vec[0].base;
+ uint8_t *mac = out_vec[1].base;
+ size_t mac_size = out_vec[1].len;
+
+ /* Initialise mac_length to zero */
+ out_vec[1].len = 0;
+
if (mac_size == 0) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_mac_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check((void *)mac,
- mac_size,
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check(mac_length,
- sizeof(size_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
if ((ctx->key_usage_sign == 1) && (ctx->key_usage_verify == 0)) {
/* Finalise the mac operation */
- err = tfm_crypto_mac_finish(operation, ctx, mac, mac_size, mac_length);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_mac_finish(operation,
+ ctx, mac, mac_size, &(out_vec[1].len));
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* A call to tfm_crypto_mac_finish() always releases the operation */
} else {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_mac_verify_finish(
- psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length)
+psa_status_t tfm_crypto_mac_verify_finish(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
struct tfm_mac_operation_s *ctx = NULL;
uint8_t computed_mac[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
size_t computed_mac_length;
size_t i;
uint32_t comp_mismatch = 0;
+ if ((in_len != 1) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ if ((out_vec[0].len != sizeof(psa_mac_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_mac_operation_t *operation = out_vec[0].base;
+ const uint8_t *mac = in_vec[0].base;
+ size_t mac_length = in_vec[0].len;
+
if (mac_length == 0) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_mac_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
- }
-
- err = tfm_crypto_memory_check((void *)mac,
- mac_length,
- TFM_MEMORY_ACCESS_RO);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ return PSA_ERROR_INVALID_ARGUMENT;
}
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
if ((ctx->key_usage_sign == 0) && (ctx->key_usage_verify == 1)) {
/* Finalise the mac operation */
- err = tfm_crypto_mac_finish(operation,
- ctx,
- computed_mac,
- sizeof(computed_mac),
- &computed_mac_length);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_mac_finish(operation,
+ ctx,
+ computed_mac,
+ sizeof(computed_mac),
+ &computed_mac_length);
+ if (status != PSA_SUCCESS) {
+ return status;
}
/* A call to tfm_crypto_mac_finish() always releases the operation */
/* Check that the computed mac match the expected one */
if (computed_mac_length != mac_length) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE;
+ return PSA_ERROR_INVALID_SIGNATURE;
}
for (i=0; i<computed_mac_length ; i++) {
@@ -538,49 +613,54 @@
}
if (comp_mismatch == 1) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE;
+ return PSA_ERROR_INVALID_SIGNATURE;
}
} else {
(void)tfm_crypto_mac_release(operation, ctx);
- return TFM_CRYPTO_ERR_PSA_ERROR_BAD_STATE;
+ return PSA_ERROR_BAD_STATE;
}
- return TFM_CRYPTO_ERR_PSA_SUCCESS;
+ return PSA_SUCCESS;
}
-enum tfm_crypto_err_t tfm_crypto_mac_abort(psa_mac_operation_t *operation)
+psa_status_t tfm_crypto_mac_abort(psa_invec in_vec[],
+ size_t in_len,
+ psa_outvec out_vec[],
+ size_t out_len)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status = PSA_SUCCESS;
struct tfm_mac_operation_s *ctx = NULL;
- /* Validate pointers */
- err = tfm_crypto_memory_check(operation,
- sizeof(psa_mac_operation_t),
- TFM_MEMORY_ACCESS_RW);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return TFM_CRYPTO_ERR_PSA_ERROR_INVALID_ARGUMENT;
+ if ((in_len != 0) || (out_len != 1)) {
+ return PSA_CONNECTION_REFUSED;
}
+ if ((out_vec[0].len != sizeof(psa_mac_operation_t))) {
+ return PSA_CONNECTION_REFUSED;
+ }
+
+ psa_mac_operation_t *operation = out_vec[0].base;
+
/* Look up the corresponding operation context */
- err = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
- operation,
- (void **)&ctx);
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = tfm_crypto_operation_lookup(TFM_CRYPTO_MAC_OPERATION,
+ operation,
+ (void **)&ctx);
+ if (status != PSA_SUCCESS) {
+ return status;
}
if (PSA_ALG_IS_HMAC(ctx->alg)){
/* Check if the HMAC internal context needs to be deallocated */
if (ctx->ctx.hmac.hash_operation.handle != TFM_CRYPTO_INVALID_HANDLE) {
/* Clear hash context */
- err = tfm_crypto_hash_abort(&(ctx->ctx.hmac.hash_operation));
- if (err != TFM_CRYPTO_ERR_PSA_SUCCESS) {
- return err;
+ status = _psa_hash_abort(&(ctx->ctx.hmac.hash_operation));
+ if (status != PSA_SUCCESS) {
+ return status;
}
}
} else {
/* MACs other than HMACs not currently supported */
- return TFM_CRYPTO_ERR_PSA_ERROR_NOT_SUPPORTED;
+ return PSA_ERROR_NOT_SUPPORTED;
}
return tfm_crypto_mac_release(operation, ctx);
diff --git a/secure_fw/services/crypto/crypto_utils.c b/secure_fw/services/crypto/crypto_utils.c
deleted file mode 100644
index e318f17..0000000
--- a/secure_fw/services/crypto/crypto_utils.c
+++ /dev/null
@@ -1,17 +0,0 @@
-/*
- * Copyright (c) 2018, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#include <stdint.h>
-#include "tfm_crypto_defs.h"
-#include "tfm_secure_api.h"
-
-enum tfm_crypto_err_t tfm_crypto_memory_check(void *addr,
- uint32_t size,
- uint32_t access)
-{
- return tfm_core_memory_permission_check(addr, size, access);
-}
diff --git a/secure_fw/services/crypto/crypto_utils.h b/secure_fw/services/crypto/crypto_utils.h
deleted file mode 100644
index afab51e..0000000
--- a/secure_fw/services/crypto/crypto_utils.h
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (c) 2018, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-
-#ifndef __TFM_CRYPTO_UTILS_H__
-#define __TFM_CRYPTO_UTILS_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include "tfm_secure_api.h"
-
-/**
- * \brief Checks that a given type of access on a memory address with a
- * a given size is allowed
- *
- * \param[in] addr Base address to be checked
- * \param[in] size Size of the buffer to checked
- * \param[in] access Type of access (1: READ ONLY, 2: READ/WRITE)
- *
- * \return Returns values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_memory_check(void *addr,
- uint32_t size,
- uint32_t access);
-#ifdef __cplusplus
-}
-#endif
-
-#endif /* __TFM_CRYPTO_UTILS_H__ */
diff --git a/secure_fw/services/crypto/crypto_wrappers.c b/secure_fw/services/crypto/crypto_wrappers.c
deleted file mode 100644
index 6bd40d9..0000000
--- a/secure_fw/services/crypto/crypto_wrappers.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * Copyright (c) 2018-2019, Arm Limited. All rights reserved.
- *
- * SPDX-License-Identifier: BSD-3-Clause
- *
- */
-#include "tfm_crypto_defs.h"
-
-#include "psa_crypto.h"
-
-#include "crypto_psa_wrappers.h"
-
-#include "tfm_crypto_api.h"
-
-/*!
- * \defgroup public Public functions, TF-M compatible wrappers
- *
- */
-
-/*!@{*/
-enum tfm_crypto_err_t tfm_crypto_cipher_update_wrapper(
- psa_cipher_operation_t *operation,
- const struct psa_cipher_update_input *input_s,
- const struct psa_cipher_update_output *output_s)
-{
- /* Extract the following fields from the input and output structures */
- const uint8_t *input = input_s->input;
- size_t input_length = input_s->input_length;
-
- unsigned char *output = output_s->output;
- size_t output_size = output_s->output_size;
- size_t *output_length = output_s->output_length;
-
- return tfm_crypto_cipher_update(operation, input, input_length,
- output, output_size, output_length);
-}
-
-enum tfm_crypto_err_t tfm_crypto_aead_encrypt_wrapper(
- const struct psa_aead_encrypt_input *input_s,
- const struct psa_aead_encrypt_output *output_s)
-{
- /* Extract the following fields from the input and output structures */
- psa_key_slot_t key = input_s->key;
- psa_algorithm_t alg = input_s->alg;
- const uint8_t *nonce = input_s->nonce;
- size_t nonce_length = input_s->nonce_length;
- const uint8_t *additional_data = input_s->additional_data;
- size_t additional_data_length = input_s->additional_data_length;
- const uint8_t *plaintext = input_s->plaintext;
- size_t plaintext_length = input_s->plaintext_length;
-
- uint8_t *ciphertext = output_s->ciphertext;
- size_t ciphertext_size = output_s->ciphertext_size;
- size_t *ciphertext_length = output_s->ciphertext_length;
-
- return tfm_crypto_aead_encrypt(key, alg, nonce, nonce_length,
- additional_data, additional_data_length,
- plaintext, plaintext_length, ciphertext,
- ciphertext_size, ciphertext_length);
-}
-
-enum tfm_crypto_err_t tfm_crypto_aead_decrypt_wrapper(
- const struct psa_aead_decrypt_input *input_s,
- const struct psa_aead_decrypt_output *output_s)
-{
- /* Extract the following fields from the input and output structures */
- psa_key_slot_t key = input_s->key;
- psa_algorithm_t alg = input_s->alg;
- const uint8_t *nonce = input_s->nonce;
- size_t nonce_length = input_s->nonce_length;
- const uint8_t *additional_data = input_s->additional_data;
- size_t additional_data_length = input_s->additional_data_length;
- const uint8_t *ciphertext = input_s->ciphertext;
- size_t ciphertext_length = input_s->ciphertext_length;
-
- uint8_t *plaintext = output_s->plaintext;
- size_t plaintext_size = output_s->plaintext_size;
- size_t *plaintext_length = output_s->plaintext_length;
-
- return tfm_crypto_aead_decrypt(key, alg, nonce, nonce_length,
- additional_data, additional_data_length,
- ciphertext, ciphertext_length, plaintext,
- plaintext_size, plaintext_length);
-}
-/*!@}*/
diff --git a/secure_fw/services/crypto/manifest.yaml b/secure_fw/services/crypto/manifest.yaml
index c7ae862..a3cba08 100644
--- a/secure_fw/services/crypto/manifest.yaml
+++ b/secure_fw/services/crypto/manifest.yaml
@@ -137,7 +137,7 @@
{
"sfid": "TFM_CRYPTO_CIPHER_UPDATE_SFID",
"signal": "TFM_CRYPTO_CIPHER_UPDATE",
- "tfm_symbol": "tfm_crypto_cipher_update_wrapper",
+ "tfm_symbol": "tfm_crypto_cipher_update",
"non_secure_clients": true,
"minor_version": 1,
"minor_policy": "strict"
@@ -249,7 +249,7 @@
{
"sfid": "TFM_CRYPTO_AEAD_DECRYPT_SFID",
"signal": "TFM_CRYPTO_AEAD_DECRYPT",
- "tfm_symbol": "tfm_crypto_aead_decrypt_wrapper",
+ "tfm_symbol": "tfm_crypto_aead_decrypt",
"non_secure_clients": true,
"minor_version": 1,
"minor_policy": "strict"
@@ -257,7 +257,7 @@
{
"sfid": "TFM_CRYPTO_AEAD_ENCRYPT_SFID",
"signal": "TFM_CRYPTO_AEAD_ENCRYPT",
- "tfm_symbol": "tfm_crypto_aead_encrypt_wrapper",
+ "tfm_symbol": "tfm_crypto_aead_encrypt",
"non_secure_clients": true,
"minor_version": 1,
"minor_policy": "strict"
@@ -268,8 +268,6 @@
"crypto_cipher.c",
"crypto_key.c",
"crypto_init.c",
- "crypto_wrappers.c",
- "crypto_utils.c",
"crypto_hash.c",
"crypto_engine.c",
"crypto_mac.c",
diff --git a/secure_fw/services/crypto/tfm_crypto_api.h b/secure_fw/services/crypto/tfm_crypto_api.h
index 23bcda1..5e6ffbd 100644
--- a/secure_fw/services/crypto/tfm_crypto_api.h
+++ b/secure_fw/services/crypto/tfm_crypto_api.h
@@ -13,9 +13,13 @@
#endif
#include <stdint.h>
+#include "tfm_api.h"
#include "tfm_crypto_defs.h"
#include "psa_crypto.h"
+#define UNIFORM_SIGNATURE_API(api_name) \
+ psa_status_t api_name(psa_invec[], size_t, psa_outvec[], size_t)
+
/**
* \brief List of possible operation types supported by the TFM based
* implementation. This type is needed by the operation allocation,
@@ -35,23 +39,23 @@
/**
* \brief Initialise the service
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_init(void);
+psa_status_t tfm_crypto_init(void);
/**
* \brief Initialise the Key module
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_init_key(void);
+psa_status_t tfm_crypto_init_key(void);
/**
* \brief Initialise the Alloc module
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_init_alloc(void);
+psa_status_t tfm_crypto_init_alloc(void);
/**
* \brief Allocate an operation context in the backend
@@ -60,10 +64,9 @@
* \param[out] oper Pointer to the frontend operation
* \param[out ctx Double pointer to the corresponding context
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_operation_alloc(
- enum tfm_crypto_operation_type type,
+psa_status_t tfm_crypto_operation_alloc(enum tfm_crypto_operation_type type,
void *oper,
void **ctx);
/**
@@ -73,11 +76,10 @@
* \param[in/out] oper Pointer to the frontend operation for the release
* of the corresponding backend context
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_operation_release(
- enum tfm_crypto_operation_type type,
- void *oper);
+psa_status_t tfm_crypto_operation_release(enum tfm_crypto_operation_type type,
+ void *oper);
/**
* \brief Look up an operation context in the backend for the corresponding
* frontend operation
@@ -86,12 +88,11 @@
* \param[in] oper Pointer to the frontend operation
* \param[out] ctx Double pointer to the corresponding context
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_operation_lookup(
- enum tfm_crypto_operation_type type,
- void *oper,
- void **ctx);
+psa_status_t tfm_crypto_operation_lookup(enum tfm_crypto_operation_type type,
+ const void *oper,
+ void **ctx);
/**
* \brief Retrieve a key from the provided key slot according to the key
* policy and algorithm provided. This function is expected to be
@@ -104,490 +105,53 @@
* \param[in] data_size Length of the buffer pointed to by data
* \param[out] data_length Length of the exported key
*
- * \return Return values as described in \ref tfm_crypto_err_t
+ * \return Return values as described in \ref psa_status_t
*/
-enum tfm_crypto_err_t tfm_crypto_get_key(psa_key_slot_t key,
- psa_key_usage_t usage,
- psa_algorithm_t alg,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-/**
- * \brief Import the key data in the provided key slot
- *
- * \param[in] key Key slot
- * \param[in] type Key type
- * \param[in] data Key data to import
- * \param[in] data_length Length in bytes of the data field
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_import_key(psa_key_slot_t key,
- psa_key_type_t type,
- const uint8_t *data,
- size_t data_length);
-/**
- * \brief Destroy the key in the provided key slot
- *
- * \param[in] key Key slot
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_destroy_key(psa_key_slot_t key);
+psa_status_t tfm_crypto_get_key(psa_key_slot_t key,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg,
+ uint8_t *data,
+ size_t data_size,
+ size_t *data_length);
-/**
- * \brief Retrieve key information for the provided key slot
- *
- * \param[in] key Key slot
- * \param[out] type Key type associated to the key slot requested
- * \param[out] bits Length in bits of the key in the requested slot
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_get_key_information(psa_key_slot_t key,
- psa_key_type_t *type,
- size_t *bits);
-/**
- * \brief Export the key contained in the provided key slot
- *
- * \param[in] key Key slot
- * \param[out] data Buffer to hold the exported key
- * \param[in] data_size Length of the buffer pointed to by data
- * \param[out] data_length Length of the exported key
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_export_key(psa_key_slot_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
+#define LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API \
+ X(tfm_crypto_import_key); \
+ X(tfm_crypto_destroy_key); \
+ X(tfm_crypto_get_key_information); \
+ X(tfm_crypto_export_key); \
+ X(tfm_crypto_key_policy_init); \
+ X(tfm_crypto_key_policy_set_usage); \
+ X(tfm_crypto_key_policy_get_usage); \
+ X(tfm_crypto_key_policy_get_algorithm); \
+ X(tfm_crypto_set_key_policy); \
+ X(tfm_crypto_get_key_policy); \
+ X(tfm_crypto_set_key_lifetime); \
+ X(tfm_crypto_get_key_lifetime); \
+ X(tfm_crypto_export_public_key); \
+ X(tfm_crypto_cipher_set_iv); \
+ X(tfm_crypto_cipher_encrypt_setup); \
+ X(tfm_crypto_cipher_decrypt_setup); \
+ X(tfm_crypto_cipher_update); \
+ X(tfm_crypto_cipher_finish); \
+ X(tfm_crypto_cipher_abort); \
+ X(tfm_crypto_hash_setup); \
+ X(tfm_crypto_hash_update); \
+ X(tfm_crypto_hash_finish); \
+ X(tfm_crypto_hash_verify); \
+ X(tfm_crypto_hash_abort); \
+ X(tfm_crypto_mac_sign_setup); \
+ X(tfm_crypto_mac_verify_setup); \
+ X(tfm_crypto_mac_update); \
+ X(tfm_crypto_mac_sign_finish); \
+ X(tfm_crypto_mac_verify_finish); \
+ X(tfm_crypto_mac_abort); \
+ X(tfm_crypto_aead_encrypt); \
+ X(tfm_crypto_aead_decrypt); \
-/**
- * \brief Initialise the key policy to a default that forbids any use of the
- * key
- *
- * \param[out] policy Key policy to initialise
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_key_policy_init(psa_key_policy_t *policy);
+#define X(api_name) UNIFORM_SIGNATURE_API(api_name)
+LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API
+#undef X
-/**
- * \brief Set the permitted usage and algorithm for the provided key policy
- *
- * \param[out] policy Key policy to modify
- * \param[in] usage Permitted usage
- * \param[in] alg Permitted algorithm
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_key_policy_set_usage(psa_key_policy_t *policy,
- psa_key_usage_t usage,
- psa_algorithm_t alg);
-
-/**
- * \brief Get the permitted usage for the provided key policy
- *
- * \param[in] policy Key policy
- * \param[out] usage Permitted usage for this key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_key_policy_get_usage(
- const psa_key_policy_t *policy,
- psa_key_usage_t *usage);
-
-/**
- * \brief Get the permitted algorithm for the provided key policy
- *
- * \param[in] policy Key policy
- * \param[out] alg Permitted algorithm for this key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_key_policy_get_algorithm(
- const psa_key_policy_t *policy,
- psa_algorithm_t *alg);
-
-/**
- * \brief Set the key policy for the provided key slot
- *
- * \param[in] key Key slot
- * \param[in] policy Key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_set_key_policy(psa_key_slot_t key,
- const psa_key_policy_t *policy);
-
-/**
- * \brief Get the key policy for the provided key slot
- *
- * \param[in] key Key slot
- * \param[out] policy Key policy
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_get_key_policy(psa_key_slot_t key,
- psa_key_policy_t *policy);
-
-/**
- * \brief Set the lifetime for the provided key slot
- *
- * \param[in] key Key slot
- * \param[in] lifetime Lifetime value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_set_key_lifetime(psa_key_slot_t key,
- psa_key_lifetime_t lifetime);
-
-/**
- * \brief Get the lifetime for the provided key slot
- *
- * \param[in] key Key slot
- * \param[out] lifetime Lifetime value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_get_key_lifetime(psa_key_slot_t key,
- psa_key_lifetime_t *lifetime);
-
-/**
- * \brief Export the public key contained in the provided key slot
- * for an asymmetric key pair
- *
- * \param[in] key Key slot
- * \param[out] data Buffer to hold the exported key
- * \param[in] data_size Length of the buffer pointed to by data
- * \param[out] data_length Length of the exported key
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_export_public_key(psa_key_slot_t key,
- uint8_t *data,
- size_t data_size,
- size_t *data_length);
-/**
- * \brief Set the initialisation vector on the provided cipher operation
- *
- * \param[in] operation Cipher operation context
- * \param[in] iv Buffer that contains the IV
- * \param[in] iv_length Length of the provided IV
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_set_iv(
- psa_cipher_operation_t *operation,
- const unsigned char *iv,
- size_t iv_length);
-/**
- * \brief Set the cipher operation using the provided algorithm and key slot,
- * for encryption context
- *
- * \note A successful call to this function initialises a cipher operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation Cipher operation context
- * \param[in] key Key slot to bind to the cipher context
- * \param[in] alg Algorithm to use for the cipher operation
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_encrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Set the cipher operation using the provided algorithm and key slot,
- * for decryption context
- *
- * \note A successful call to this function initialises a cipher operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation Cipher operation context
- * \param[in] key Key slot to bind to the cipher context
- * \param[in] alg Algorithm to use for the cipher operation
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_decrypt_setup(
- psa_cipher_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Update the cipher context with a chunk of input data to create a
- * chunk of encrypted output data (for encryption contexts), or to
- * decrypt a chunk of encrypted input data to obtain decrypted data
- * (for decryption contexts)
- *
- * \param[in,out] operation Cipher operation context
- * \param[in] input Buffer containing input data
- * \param[in] input_length Input length
- * \param[out] output Buffer containing output data
- * \param[in] output_size Size of the output buffer
- * \param[out] output_length Size of the produced output
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_update(
- psa_cipher_operation_t *operation,
- const uint8_t *input,
- size_t input_length,
- unsigned char *output,
- size_t output_size,
- size_t *output_length);
-/**
- * \brief Finalise a cipher context flushing out any remaining block of
- * output data
- *
- * \note A successful call to this function de-initialises the cipher operation
- * context provided as parameter
- *
- * \param[in,out] operation Cipher operation context
- * \param[out] output Buffer containing output data
- * \param[in] output_size Size of the output buffer
- * \param[out] output_length Size of the produced output
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_finish(
- psa_cipher_operation_t *operation,
- uint8_t *output,
- size_t output_size,
- size_t *output_length);
-/**
- * \brief Abort a cipher operation, clears the operation context provided
- *
- * \note A successful call to this function de-initialises the cipher operation
- * context provided as parameter
- *
- * \param[in,out] operation Cipher operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_cipher_abort(
- psa_cipher_operation_t *operation);
-/**
- * \brief Start a hash operation with the provided algorithm
- *
- * \note A successful call to this function initialises a hash operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation Hash operation context
- * \param[in] alg Algorithm chosen as hash
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_hash_setup(psa_hash_operation_t *operation,
- psa_algorithm_t alg);
-/**
- * \brief Add a new input chunk to the data for which the final hash value
- * will be computed
- *
- * \param[in] operation Hash operation context
- * \param[in] input Buffer containing the input data
- * \param[in] input_length Size of the provided input data
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_hash_update(psa_hash_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-/**
- * \brief Finalise a hash context operation producing the final hash value
- *
- * \note A successful call to this function de-initialises the hash operation
- * context provided as parameter
- *
- * \param[in,out] operation Hash operation context
- * \param[out] hash Buffer containing hash data
- * \param[in] hash_size Size of the hash buffer
- * \param[out] hash_length Size of the produced hash
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_hash_finish(psa_hash_operation_t *operation,
- uint8_t *hash,
- size_t hash_size,
- size_t *hash_length);
-/**
- * \brief Finalise a hash context operation, verifying that the final hash
- * value matches the one provided as input
- *
- * \note A successful call to this function de-initialises the hash operation
- * context provided as parameter. The hash operation is de-initialised
- * also in case TFM_CRYPTO_ERR_PSA_ERROR_INVALID_SIGNATURE is returned
- *
- * \param[in,out] operation Hash operation context
- * \param[in] hash Buffer containing the provided hash value
- * \param[in] hash_length Size of the provided hash value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_hash_verify(psa_hash_operation_t *operation,
- const uint8_t *hash,
- size_t hash_length);
-/**
- * \brief Abort a hash operation, clears the operation context provided
- *
- * \note A successful call to this function de-initialises the hash operation
- * context provided as parameter
- *
- * \param[in,out] operation Hash operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_hash_abort(psa_hash_operation_t *operation);
-
-/**
- * \brief Start a MAC operation with the provided algorithm (for signing)
- *
- * \note A successful call to this function initialises a MAC operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation MAC operation context
- * \param[in] key Key slot to bind to the MAC context
- * \param[in] alg Algorithm chosen as MAC
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_mac_sign_setup(psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Start a MAC operation with the provided algorithm (for verifying)
- *
- * \note A successful call to this function initialises a MAC operation
- * context which will be referred using the operation parameter
- *
- * \param[out] operation MAC operation context
- * \param[in] key Key slot to bind to the MAC context
- * \param[in] alg Algorithm chosen as MAC
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_mac_verify_setup(
- psa_mac_operation_t *operation,
- psa_key_slot_t key,
- psa_algorithm_t alg);
-/**
- * \brief Adds a new input chunk to the data for which the final MAC value
- * will be computed
- *
- * \param[in] operation MAC operation context
- * \param[in] input Buffer containing the input data
- * \param[in] input_length Size of the provided input data
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_mac_update(psa_mac_operation_t *operation,
- const uint8_t *input,
- size_t input_length);
-/**
- * \brief Finalise a MAC context operation producing the final MAC value
- *
- * \param[in,out] operation Mac operation context
- * \param[out] mac Buffer containing MAC data
- * \param[in] mac_size Size of the mac buffer
- * \param[out] mac_length Size of the produced mac
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_mac_sign_finish(psa_mac_operation_t *operation,
- uint8_t *mac,
- size_t mac_size,
- size_t *mac_length);
-/**
- * \brief Finalise a MAC context operation, verifying that the final MAC value
- * matches the one provided as input
- *
- * \param[in,out] operation MAC operation context
- * \param[in] mac Buffer containing the provided MAC value
- * \param[in] mac_length Size of the provided MAC value
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_mac_verify_finish(
- psa_mac_operation_t *operation,
- const uint8_t *mac,
- size_t mac_length);
-/**
- * \brief Abort a MAC operation, clear the operation context provided
- *
- * \param[in,out] operation MAC operation context
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_mac_abort(psa_mac_operation_t *operation);
-
-/**
- * \brief Perform an AEAD encryption operation on input data with additional
- * data to be authenticated, producing ciphertext in output with an
- * appended authentication tag
- *
- * \param[in] key Key slot for the key
- * \param[in] alg Algorithm to be used
- * \param[in] nonce Pointer to a buffer holding a nonce or IV
- * to use
- * \param[in] nonce_length Size in bytes of the nonce or IV data
- * \param[in] additional_data Additional information to be authenticated
- * \param[in] additional_data_length Size in bytes of the additional data
- * \param[in] plaintext Buffer pointing to data to be encrypted
- * \param[in] plaintext_length Size in bytes of the plain text buffer
- * \param[out] ciphertext Output encrypted data, with the
- * authentication tag appended
- * \param[in] ciphertext_size Size in bytes of the buffer to hold the
- * cipher text plus authentication tag
- * \param[out] ciphertext_length Size of the ciphertext plus tag produced
- * as output
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_aead_encrypt(psa_key_slot_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *plaintext,
- size_t plaintext_length,
- uint8_t *ciphertext,
- size_t ciphertext_size,
- size_t *ciphertext_length);
-/**
- * \brief Perform an AEAD decryption operation on input data with additional
- * data to be verified, producing back the original plain text in case
- * the verification of the authentication tag is successful
- *
- * \param[in] key Key slot for the key
- * \param[in] alg Algorithm to be used
- * \param[in] nonce Pointer to a buffer holding a nonce or IV
- * to use
- * \param[in] nonce_length Size in bytes of the nonce or IV data
- * \param[in] additional_data Additional information which was
- * authenticated but not encrypted
- * \param[in] additional_data_length Size in bytes of the additional data
- * \param[in] ciphertext Buffer pointing to data be decrypted
- * \param[in] ciphertext_length Size in bytes of the cipher text buffer
- * \param[out] plaintext Buffer for decrypted output data
- * \param[in] plaintext_size Size in bytes of the buffer to hold the
- * plain text
- * \param[out] plaintext_length Size of the plain text actually produced
- *
- * \return Return values as described in \ref tfm_crypto_err_t
- */
-enum tfm_crypto_err_t tfm_crypto_aead_decrypt(psa_key_slot_t key,
- psa_algorithm_t alg,
- const uint8_t *nonce,
- size_t nonce_length,
- const uint8_t *additional_data,
- size_t additional_data_length,
- const uint8_t *ciphertext,
- size_t ciphertext_length,
- uint8_t *plaintext,
- size_t plaintext_size,
- size_t *plaintext_length);
#ifdef __cplusplus
}
#endif
diff --git a/secure_fw/services/crypto/tfm_crypto_secure_api.c b/secure_fw/services/crypto/tfm_crypto_secure_api.c
index b1645c2..f04f470 100644
--- a/secure_fw/services/crypto/tfm_crypto_secure_api.c
+++ b/secure_fw/services/crypto/tfm_crypto_secure_api.c
@@ -5,9 +5,28 @@
*
*/
-#include "tfm_crypto_veneers.h"
+#include "tfm_veneers.h"
+#include "tfm_crypto_defs.h"
#include "psa_crypto.h"
-#include "crypto_psa_wrappers.h"
+
+#define SFN_DISPATCH(sfn_name) \
+ tfm_##sfn_name##_veneer( \
+ in_vec, sizeof(in_vec)/sizeof(in_vec[0]), \
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]))
+
+#define SFN_DISPATCH_NO_INVEC(sfn_name) \
+ tfm_##sfn_name##_veneer( \
+ NULL, 0, \
+ out_vec, sizeof(out_vec)/sizeof(out_vec[0]))
+
+#define SFN_DISPATCH_NO_OUTVEC(sfn_name) \
+ tfm_##sfn_name##_veneer( \
+ in_vec, sizeof(in_vec)/sizeof(in_vec[0]), \
+ NULL, 0)
+
+#define API_DISPATCH(sfn_name) SFN_DISPATCH(sfn_name)
+#define API_DISPATCH_NO_INVEC(sfn_name) SFN_DISPATCH_NO_INVEC(sfn_name)
+#define API_DISPATCH_NO_OUTVEC(sfn_name) SFN_DISPATCH_NO_OUTVEC(sfn_name)
__attribute__(( section("SFN")))
psa_status_t psa_crypto_init(void)
@@ -24,21 +43,29 @@
const uint8_t *data,
size_t data_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &type, .len = sizeof(psa_key_type_t)},
+ {.base = data, .len = data_length}
+ };
- err = tfm_crypto_veneer_import_key(key, type, data, data_length);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_import_key);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_destroy_key(psa_key_slot_t key)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
- err = tfm_crypto_veneer_destroy_key(key);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_destroy_key);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -46,11 +73,18 @@
psa_key_type_t *type,
size_t *bits)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = type, .len = sizeof(psa_key_type_t)},
+ {.base = bits, .len = sizeof(size_t)}
+ };
- err = tfm_crypto_veneer_get_key_information(key, type, bits);
+ status = API_DISPATCH(tfm_crypto_get_key_information);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -59,11 +93,19 @@
size_t data_size,
size_t *data_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = data, .len = data_size}
+ };
- err = tfm_crypto_veneer_export_key(key, data, data_size, data_length);
+ status = API_DISPATCH(tfm_crypto_export_key);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *data_length = out_vec[0].len;
+
+ return status;
}
__attribute__(( section("SFN")))
@@ -79,8 +121,13 @@
__attribute__(( section("SFN")))
void psa_key_policy_init(psa_key_policy_t *policy)
{
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+
/* PSA API returns void so just ignore error value returned */
- (void)tfm_crypto_veneer_key_policy_init(policy);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_key_policy_init);
}
__attribute__(( section("SFN")))
@@ -88,13 +135,23 @@
psa_key_usage_t usage,
psa_algorithm_t alg)
{
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &usage, .len = sizeof(psa_key_usage_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)}
+ };
+ psa_outvec out_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+
/* PSA API returns void so just ignore error value returned */
- (void)tfm_crypto_veneer_key_policy_set_usage(policy, usage, alg);
+ status = API_DISPATCH(tfm_crypto_key_policy_set_usage);
}
__attribute__(( section("SFN")))
psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy)
{
+ psa_status_t status;
psa_key_usage_t usage;
/* Initialise to a sensible default to avoid returning an uninitialised
@@ -102,8 +159,15 @@
*/
usage = 0;
+ psa_invec in_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = &usage, .len = sizeof(psa_key_usage_t)},
+ };
+
/* The PSA API does not return an error, so ignore any error from TF-M */
- (void)tfm_crypto_veneer_key_policy_get_usage(policy, &usage);
+ status = API_DISPATCH(tfm_crypto_key_policy_get_usage);
return usage;
}
@@ -111,6 +175,7 @@
__attribute__(( section("SFN")))
psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy)
{
+ psa_status_t status;
psa_algorithm_t alg;
/* Initialise to a sensible default to avoid returning an uninitialised
@@ -118,8 +183,15 @@
*/
alg = 0;
+ psa_invec in_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+
/* The PSA API does not return an error, so ignore any error from TF-M */
- (void)tfm_crypto_veneer_key_policy_get_algorithm(policy, &alg);
+ status = API_DISPATCH(tfm_crypto_key_policy_get_algorithm);
return alg;
}
@@ -128,44 +200,64 @@
psa_status_t psa_set_key_policy(psa_key_slot_t key,
const psa_key_policy_t *policy)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
- err = tfm_crypto_veneer_set_key_policy(key, policy);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_set_key_policy);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_get_key_policy(psa_key_slot_t key,
psa_key_policy_t *policy)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = policy, .len = sizeof(psa_key_policy_t)},
+ };
- err = tfm_crypto_veneer_get_key_policy(key, policy);
+ status = API_DISPATCH(tfm_crypto_get_key_policy);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_set_key_lifetime(psa_key_slot_t key,
psa_key_lifetime_t lifetime)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &lifetime, .len = sizeof(psa_key_lifetime_t)},
+ };
- err = tfm_crypto_veneer_set_key_lifetime(key, lifetime);
+ status = API_DISPATCH_NO_OUTVEC(tfm_crypto_set_key_lifetime);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_get_key_lifetime(psa_key_slot_t key,
psa_key_lifetime_t *lifetime)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = lifetime, .len = sizeof(psa_key_lifetime_t)},
+ };
- err = tfm_crypto_veneer_get_key_lifetime(key, lifetime);
+ status = API_DISPATCH(tfm_crypto_get_key_lifetime);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -173,11 +265,17 @@
const unsigned char *iv,
size_t iv_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = iv, .len = iv_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_crypto_veneer_cipher_set_iv(operation, iv, iv_length);
+ status = API_DISPATCH(tfm_crypto_cipher_set_iv);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -185,11 +283,18 @@
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_crypto_veneer_cipher_encrypt_setup(operation, key, alg);
+ status = API_DISPATCH(tfm_crypto_cipher_encrypt_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -197,11 +302,18 @@
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_crypto_veneer_cipher_decrypt_setup(operation, key, alg);
+ status = API_DISPATCH(tfm_crypto_cipher_decrypt_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -212,31 +324,33 @@
size_t output_size,
size_t *output_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ {.base = output, .len = output_size}
+ };
- /* Packing in structures is needed to overcome the 4 parameters
- * per call limit
- */
- struct psa_cipher_update_input input_s = {.input = input,
- .input_length = input_length};
- struct psa_cipher_update_output output_s = {.output = output,
- .output_size = output_size,
- .output_length =
- output_length};
+ status = API_DISPATCH(tfm_crypto_cipher_update);
- err = tfm_crypto_veneer_cipher_update(operation, &input_s, &output_s);
+ *output_length = out_vec[1].len;
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ };
- err = tfm_crypto_veneer_cipher_abort(operation);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_cipher_abort);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -245,23 +359,34 @@
size_t output_size,
size_t *output_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_cipher_operation_t)},
+ {.base = output, .len = output_size},
+ };
- err = tfm_crypto_veneer_cipher_finish(operation, output, output_size,
- output_length);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_cipher_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *output_length = out_vec[1].len;
+
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &alg, .len = sizeof(psa_algorithm_t)},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_crypto_veneer_hash_setup(operation, alg);
+ status = API_DISPATCH(tfm_crypto_hash_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -269,11 +394,17 @@
const uint8_t *input,
size_t input_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_crypto_veneer_hash_update(operation, input, input_length);
+ status = API_DISPATCH(tfm_crypto_hash_update);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -282,12 +413,17 @@
size_t hash_size,
size_t *hash_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ {.base = hash, .len = hash_size},
+ };
- err = tfm_crypto_veneer_hash_finish(operation, hash, hash_size,
- hash_length);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_hash_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *hash_length = out_vec[1].len;
+
+ return status;
}
__attribute__(( section("SFN")))
@@ -295,21 +431,30 @@
const uint8_t *hash,
size_t hash_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = hash, .len = hash_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_crypto_veneer_hash_verify(operation, hash, hash_length);
+ status = API_DISPATCH(tfm_crypto_hash_verify);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_hash_abort(psa_hash_operation_t *operation)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_hash_operation_t)},
+ };
- err = tfm_crypto_veneer_hash_abort(operation);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_hash_abort);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -317,11 +462,18 @@
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)}
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_crypto_veneer_mac_sign_setup(operation, key, alg);
+ status = API_DISPATCH(tfm_crypto_mac_sign_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -329,11 +481,18 @@
psa_key_slot_t key,
psa_algorithm_t alg)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = &key, .len = sizeof(psa_key_slot_t)},
+ {.base = &alg, .len = sizeof(psa_algorithm_t)}
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_crypto_veneer_mac_verify_setup(operation, key, alg);
+ status = API_DISPATCH(tfm_crypto_mac_verify_setup);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -341,11 +500,17 @@
const uint8_t *input,
size_t input_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = input, .len = input_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_crypto_veneer_mac_update(operation, input, input_length);
+ status = API_DISPATCH(tfm_crypto_mac_update);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -354,12 +519,17 @@
size_t mac_size,
size_t *mac_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ {.base = mac, .len = mac_size},
+ };
- err = tfm_crypto_veneer_mac_sign_finish(operation, mac, mac_size,
- mac_length);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_mac_sign_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ *mac_length = out_vec[1].len;
+
+ return status;
}
__attribute__(( section("SFN")))
@@ -367,21 +537,30 @@
const uint8_t *mac,
size_t mac_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_invec in_vec[] = {
+ {.base = mac, .len = mac_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_crypto_veneer_mac_verify_finish(operation, mac, mac_length);
+ status = API_DISPATCH(tfm_crypto_mac_verify_finish);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
psa_status_t psa_mac_abort(psa_mac_operation_t *operation)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ psa_outvec out_vec[] = {
+ {.base = operation, .len = sizeof(psa_mac_operation_t)},
+ };
- err = tfm_crypto_veneer_mac_abort(operation);
+ status = API_DISPATCH_NO_INVEC(tfm_crypto_mac_abort);
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ return status;
}
__attribute__(( section("SFN")))
@@ -397,30 +576,38 @@
size_t ciphertext_size,
size_t *ciphertext_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ struct tfm_crypto_aead_pack_input input_s = {
+ .key = key,
+ .alg = alg,
+ .nonce = {0},
+ };
+ size_t idx = 0;
+ psa_invec in_vec[] = {
+ {.base = &input_s, .len = nonce_length + sizeof(psa_key_slot_t)
+ + sizeof(psa_algorithm_t)},
+ {.base = additional_data, .len = additional_data_length},
+ {.base = plaintext, .len = plaintext_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = ciphertext, .len = ciphertext_size},
+ };
- /* Packing in structures is needed to overcome the 4 parameters
- * per call limit
- */
- struct psa_aead_encrypt_input input_s = {.key = key,
- .alg = alg,
- .nonce = nonce,
- .nonce_length = nonce_length,
- .additional_data = additional_data,
- .additional_data_length =
- additional_data_length,
- .plaintext = plaintext,
- .plaintext_length =
- plaintext_length};
- struct psa_aead_encrypt_output output_s = {.ciphertext = ciphertext,
- .ciphertext_size =
- ciphertext_size,
- .ciphertext_length =
- ciphertext_length};
+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
- err = tfm_crypto_veneer_aead_encrypt(&input_s, &output_s);
+ if (nonce != NULL) {
+ for (idx = 0; idx < nonce_length; idx++) {
+ input_s.nonce[idx] = nonce[idx];
+ }
+ }
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ status = API_DISPATCH(tfm_crypto_aead_encrypt);
+
+ *ciphertext_length = out_vec[0].len;
+
+ return status;
}
__attribute__(( section("SFN")))
@@ -436,27 +623,36 @@
size_t plaintext_size,
size_t *plaintext_length)
{
- enum tfm_crypto_err_t err;
+ psa_status_t status;
+ struct tfm_crypto_aead_pack_input input_s = {
+ .key = key,
+ .alg = alg,
+ .nonce = {0},
+ };
+ size_t idx = 0;
+ psa_invec in_vec[] = {
+ {.base = &input_s, .len = nonce_length + sizeof(psa_key_slot_t)
+ + sizeof(psa_algorithm_t)},
+ {.base = additional_data, .len = additional_data_length},
+ {.base = ciphertext, .len = ciphertext_length},
+ };
+ psa_outvec out_vec[] = {
+ {.base = plaintext, .len = plaintext_size},
+ };
- /* Packing in structures is needed to overcome the 4 parameters
- * per call limit
- */
- struct psa_aead_decrypt_input input_s = {.key = key,
- .alg = alg,
- .nonce = nonce,
- .nonce_length = nonce_length,
- .additional_data = additional_data,
- .additional_data_length =
- additional_data_length,
- .ciphertext = ciphertext,
- .ciphertext_length =
- ciphertext_length};
- struct psa_aead_decrypt_output output_s = {.plaintext = plaintext,
- .plaintext_size = plaintext_size,
- .plaintext_length =
- plaintext_length};
+ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) {
+ return PSA_ERROR_INVALID_ARGUMENT;
+ }
- err = tfm_crypto_veneer_aead_decrypt(&input_s, &output_s);
+ if (nonce != NULL) {
+ for (idx = 0; idx < nonce_length; idx++) {
+ input_s.nonce[idx] = nonce[idx];
+ }
+ }
- return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+ status = API_DISPATCH(tfm_crypto_aead_decrypt);
+
+ *plaintext_length = out_vec[0].len;
+
+ return status;
}