Crypto: Implement PSA key policy APIs
Extends the Crypto service key module to add support for
the PSA Crypto key policy and lifetime APIs. Adds new test
cases for the key policy interface and modifies existing
tests to use key policies.
Change-Id: Ic820fcc395d591dbb5f8fe09446049ff460dfe02
Signed-off-by: Jamie Fox <jamie.fox@arm.com>
diff --git a/interface/include/tfm_crypto_veneers.h b/interface/include/tfm_crypto_veneers.h
index 83ab510..9e95475 100644
--- a/interface/include/tfm_crypto_veneers.h
+++ b/interface/include/tfm_crypto_veneers.h
@@ -68,6 +68,106 @@
uint8_t *data,
size_t data_size,
size_t *data_length);
+
+/**
+ * \brief Initialise the key policy to a default that forbids any use of the
+ * key (veneer function)
+ *
+ * \param[out] policy Key policy to initialise
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_init(
+ psa_key_policy_t *policy);
+
+/**
+ * \brief Set the permitted usage and algorithm for the provided key policy
+ * (veneer function)
+ *
+ * \param[out] policy Key policy to modify
+ * \param[in] usage Permitted usage
+ * \param[in] alg Permitted algorithm
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_set_usage(
+ psa_key_policy_t *policy,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg);
+
+/**
+ * \brief Get the permitted usage for the provided key policy (veneer function)
+ *
+ * \param[in] policy Key policy
+ * \param[out] usage Permitted usage for this key policy
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_get_usage(
+ const psa_key_policy_t *policy,
+ psa_key_usage_t *usage);
+
+/**
+ * \brief Get the permitted algorithm for the provided key policy
+ * (veneer function)
+ *
+ * \param[in] policy Key policy
+ * \param[out] alg Permitted algorithm for this key policy
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_key_policy_get_algorithm(
+ const psa_key_policy_t *policy,
+ psa_algorithm_t *alg);
+
+/**
+ * \brief Set the key policy for the provided key slot (veneer function)
+ *
+ * \param[in] key Key slot
+ * \param[in] policy Key policy
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_set_key_policy(
+ psa_key_slot_t key,
+ const psa_key_policy_t *policy);
+
+/**
+ * \brief Get the key policy for the provided key slot (veneer function)
+ *
+ * \param[in] key Key slot
+ * \param[out] policy Key policy
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_get_key_policy(
+ psa_key_slot_t key,
+ psa_key_policy_t *policy);
+
+/**
+ * \brief Set the lifetime for the provided key slot (veneer function)
+ *
+ * \param[in] key Key slot
+ * \param[in] lifetime Lifetime value
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_set_key_lifetime(
+ psa_key_slot_t key,
+ psa_key_lifetime_t lifetime);
+
+/**
+ * \brief Get the lifetime for the provided key slot (veneer function)
+ *
+ * \param[in] key Key slot
+ * \param[out] lifetime Lifetime value
+ *
+ * \return Return values as described in \ref tfm_crypto_err_t
+ */
+enum tfm_crypto_err_t tfm_crypto_veneer_get_key_lifetime(
+ psa_key_slot_t key,
+ psa_key_lifetime_t *lifetime);
+
/**
* \brief Set the initialisation vector on the provided cipher operation (veneer
* function)
diff --git a/interface/src/tfm_crypto_api.c b/interface/src/tfm_crypto_api.c
index 8069934..9d28d5b 100644
--- a/interface/src/tfm_crypto_api.c
+++ b/interface/src/tfm_crypto_api.c
@@ -87,6 +87,125 @@
return PSA_ERROR_NOT_SUPPORTED;
}
+void psa_key_policy_init(psa_key_policy_t *policy)
+{
+ /* PSA API returns void so just ignore error value returned */
+ (void)tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_key_policy_init,
+ (uint32_t)policy,
+ 0,
+ 0,
+ 0);
+}
+
+void psa_key_policy_set_usage(psa_key_policy_t *policy,
+ psa_key_usage_t usage,
+ psa_algorithm_t alg)
+{
+ /* PSA API returns void so just ignore error value returned */
+ (void)tfm_ns_lock_dispatch(
+ (veneer_fn)tfm_crypto_veneer_key_policy_set_usage,
+ (uint32_t)policy,
+ (uint32_t)usage,
+ (uint32_t)alg,
+ 0);
+}
+
+psa_key_usage_t psa_key_policy_get_usage(const psa_key_policy_t *policy)
+{
+ psa_key_usage_t usage;
+
+ /* Initialise to a sensible default to avoid returning an uninitialised
+ * value in case the secure function fails.
+ */
+ usage = 0;
+
+ /* The PSA API does not return an error, so ignore any error from TF-M */
+ (void)tfm_ns_lock_dispatch(
+ (veneer_fn)tfm_crypto_veneer_key_policy_get_usage,
+ (uint32_t)policy,
+ (uint32_t)&usage,
+ 0,
+ 0);
+
+ return usage;
+}
+
+psa_algorithm_t psa_key_policy_get_algorithm(const psa_key_policy_t *policy)
+{
+ psa_algorithm_t alg;
+
+ /* Initialise to a sensible default to avoid returning an uninitialised
+ * value in case the secure function fails.
+ */
+ alg = 0;
+
+ /* The PSA API does not return an error, so ignore any error from TF-M */
+ (void)tfm_ns_lock_dispatch(
+ (veneer_fn)tfm_crypto_veneer_key_policy_get_algorithm,
+ (uint32_t)policy,
+ (uint32_t)&alg,
+ 0,
+ 0);
+
+ return alg;
+}
+
+psa_status_t psa_set_key_policy(psa_key_slot_t key,
+ const psa_key_policy_t *policy)
+{
+ enum tfm_crypto_err_t err;
+
+ err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_set_key_policy,
+ (uint32_t)key,
+ (uint32_t)policy,
+ 0,
+ 0);
+
+ return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+}
+
+psa_status_t psa_get_key_policy(psa_key_slot_t key,
+ psa_key_policy_t *policy)
+{
+ enum tfm_crypto_err_t err;
+
+ err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_get_key_policy,
+ (uint32_t)key,
+ (uint32_t)policy,
+ 0,
+ 0);
+
+ return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+}
+
+psa_status_t psa_set_key_lifetime(psa_key_slot_t key,
+ psa_key_lifetime_t lifetime)
+{
+ enum tfm_crypto_err_t err;
+
+ err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_set_key_lifetime,
+ (uint32_t)key,
+ (uint32_t)lifetime,
+ 0,
+ 0);
+
+ return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+}
+
+psa_status_t psa_get_key_lifetime(psa_key_slot_t key,
+ psa_key_lifetime_t *lifetime)
+{
+ enum tfm_crypto_err_t err;
+
+ err = tfm_ns_lock_dispatch((veneer_fn)tfm_crypto_veneer_get_key_lifetime,
+ (uint32_t)key,
+ (uint32_t)lifetime,
+ 0,
+ 0);
+
+ return TFM_CRYPTO_ERR_TO_PSA_STATUS(err);
+}
+
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
const unsigned char *iv,
size_t iv_length)