From 6f49a579de65abbae877ba067ee1a76671ae8e83 Mon Sep 17 00:00:00 2001
From: Raef Coles <raef.coles@arm.com>
Date: Tue, 19 Jul 2022 11:12:30 +0100
Subject: [PATCH 4/7] Add TF-M builtin key driver
Signed-off-by: Raef Coles <raef.coles@arm.com>
Co-authored-by: Antonio de Angelis <antonio.deangelis@arm.com>
---
library/psa_crypto.c | 11 +++-
library/psa_crypto_driver_wrappers.c | 97 +++++++++++++++++++++++++++-
2 files changed, 106 insertions(+), 2 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index cb5791fc7..43c8b9e6a 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -82,6 +82,11 @@
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+#include "tfm_crypto_defs.h"
+#include "tfm_builtin_key_loader.h"
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
+
#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \
@@ -947,7 +952,11 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
if( status != PSA_SUCCESS )
return( status );
- if( psa_key_lifetime_is_external( (*p_slot)->attr.lifetime ) )
+ if( psa_key_lifetime_is_external( (*p_slot)->attr.lifetime )
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ && PSA_KEY_LIFETIME_GET_LOCATION((*p_slot)->attr.lifetime) != TFM_BUILTIN_KEY_LOADER_KEY_LOCATION
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
+ )
{
psa_unlock_key_slot( *p_slot );
*p_slot = NULL;
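Review bot: The new exemption in the `psa_key_lifetime_is_external()` check lets a key with a non-local location through a function whose name promises a transparent slot, and nothing at the condition says why that is acceptable. A comment above the `if` would record it, for example `/* TF-M builtin keys are copied into the slot in export representation, so they are handled as transparent keys. */`, assuming that is the loader's contract as the wrapper hunks in this patch suggest. Moving the `#if` out of the middle of the condition into a small predicate would also make the check easier to audit. The function body starts and ends outside this hunk.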
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
index e822eef01..1fa26d562 100644
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
@@ -58,6 +58,18 @@
#include "cc3xx.h"
#endif /* PSA_CRYPTO_DRIVER_CC3XX */
+/* Include TF-M builtin key driver */
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+#ifndef PSA_CRYPTO_DRIVER_PRESENT
+#define PSA_CRYPTO_DRIVER_PRESENT
+#endif
+#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT
+#endif
+#include "tfm_crypto_defs.h"
+#include "tfm_builtin_key_loader.h"
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
+
#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */
/* END-driver headers */
@@ -71,6 +83,9 @@
#if defined(PSA_CRYPTO_DRIVER_CC3XX)
#define PSA_CRYPTO_CC3XX_DRIVER_ID (4)
#endif /* PSA_CRYPTO_DRIVER_CC3XX */
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+#define PSA_CRYPTO_TFM_BUILTIN_KEY_LOADER_DRIVER_ID (5)
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
/* END-driver id */
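Review bot: `PSA_CRYPTO_TFM_BUILTIN_KEY_LOADER_DRIVER_ID` is defined here but no hunk in this patch refers to it; every wrapper change dispatches on the key location instead. Unless another patch in the series uses the id, it could be dropped, or kept with a comment saying what it is reserved for, e.g. `/* Reserved for the key loader; not used for operation dispatch. */` if that is the intent.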
@@ -92,6 +107,12 @@ psa_status_t psa_driver_wrapper_init( void )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ status = tfm_builtin_key_loader_init();
+ if (status != PSA_SUCCESS)
+ return ( status );
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
+
#if defined(PSA_CRYPTO_DRIVER_CC3XX)
status = cc3xx_init();
if (status != PSA_SUCCESS)
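Review bot: `tfm_builtin_key_loader_init()` is placed ahead of `cc3xx_init()` with no comment on whether the order matters. If the loader relies on the accelerator being initialised first (not visible in this hunk), the call belongs after the CC3XX block. If it does not, a short comment such as `/* No dependency on the accelerator drivers below. */` would settle the question for later readers. The body of `psa_driver_wrapper_init` continues outside the hunk.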
@@ -155,6 +176,9 @@ psa_status_t psa_driver_wrapper_sign_message(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
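Review bot: The added `case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:` falls through to the local-storage path, but the comment under it still only describes keys "stored in the slot in export representation" without saying that builtin keys are now included. The same three guarded lines are repeated in every location switch this patch touches, from `verify_message` through `key_agreement`, so a wrapper added later without the label would send builtin keys to its `default:` branch. Extending the comment at the label, e.g. `/* Local and TF-M builtin keys are both held in the slot in export representation */`, would state the assumption each of these hunks relies on. The function body starts and ends outside the hunk.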
@@ -243,6 +267,9 @@ psa_status_t psa_driver_wrapper_verify_message(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -342,6 +369,9 @@ psa_status_t psa_driver_wrapper_sign_hash(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -438,6 +468,9 @@ psa_status_t psa_driver_wrapper_verify_hash(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -582,7 +615,11 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
return( ( *key_buffer_size != 0 ) ?
PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_DRIVER_TEST */
-
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+ return tfm_builtin_key_loader_get_key_buffer_size(psa_get_key_id(attributes),
+ key_buffer_size);
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
default:
(void)key_type;
(void)key_bits;
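Review bot: The new `return tfm_builtin_key_loader_get_key_buffer_size(...)` drops the `return( ... )` form used by the test-driver return just above it and by the `get_builtin_key` hunk, and the hunk also removes the blank line that separated the test-driver block. Writing it as `return( tfm_builtin_key_loader_get_key_buffer_size( psa_get_key_id( attributes ), key_buffer_size ) );` keeps the file's style. The size returned here presumably drives the caller's buffer allocation, so a comment stating that the loader returns an error rather than a zero size for an unknown key id would help; that contract is not visible in this hunk.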
@@ -622,6 +659,9 @@ psa_status_t psa_driver_wrapper_generate_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
/* Transparent drivers are limited to generating asymmetric keys */
if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) )
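Review bot: Accepting `TFM_BUILTIN_KEY_LOADER_KEY_LOCATION` in the `generate_key` switch, and again in the `import_key` hunk, means these wrappers no longer reject a request to create a key in the builtin location. Whether a client can reach that depends on lifetime validation outside these hunks, but for a location that appears intended for platform-provided keys the choice should be explicit. If creation is not intended, leave the label out of these two switches so the request falls to `default:`, or say where it is rejected with a comment such as `/* Creation in the builtin location is rejected earlier, in <validation function>. */`.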
@@ -714,6 +754,9 @@ psa_status_t psa_driver_wrapper_import_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -800,6 +843,9 @@ psa_status_t psa_driver_wrapper_export_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
return( psa_export_key_internal( attributes,
key_buffer,
key_buffer_size,
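Review bot: With this label, builtin keys are exported by `psa_export_key_internal()` exactly like local keys, so the only thing keeping platform key material inside the crypto service is the usage policy attached to the slot. The policy check itself is outside this hunk, so the attributes filled in by `tfm_builtin_key_loader_get_builtin_key()` should never carry `PSA_KEY_USAGE_EXPORT` for keys that must stay internal. A comment at the label, e.g. `/* Export of builtin keys is governed solely by the usage flags the loader sets. */`, would make that dependency visible to whoever maintains the loader's key table.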
@@ -865,6 +911,9 @@ psa_status_t psa_driver_wrapper_export_public_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -950,6 +999,13 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+ return( tfm_builtin_key_loader_get_builtin_key(
+ slot_number,
+ attributes,
+ key_buffer, key_buffer_size, key_buffer_length ) );
+#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
default:
(void) slot_number;
(void) key_buffer;
@@ -1035,6 +1091,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -1139,6 +1198,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -1228,6 +1290,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -1311,6 +1376,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -1794,6 +1862,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
@@ -1857,6 +1928,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
@@ -1917,6 +1991,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
@@ -1974,6 +2051,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
@@ -2371,6 +2451,9 @@ psa_status_t psa_driver_wrapper_mac_compute(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -2441,6 +2524,9 @@ psa_status_t psa_driver_wrapper_mac_sign_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -2522,6 +2608,9 @@ psa_status_t psa_driver_wrapper_mac_verify_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
@@ -2822,6 +2911,9 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
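Review bot: `psa_driver_wrapper_asymmetric_decrypt` gains the builtin location, but no hunk in this patch touches `psa_driver_wrapper_asymmetric_encrypt`. If that wrapper has the same `switch( location )` in this tree, encryption with a builtin key would take its `default:` branch while decryption succeeds. Adding the same guarded `case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:` there would keep the pair consistent. The decrypt function's body starts and ends outside the hunk.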
@@ -2900,6 +2992,9 @@ psa_status_t psa_driver_wrapper_key_agreement(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
+#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
--
2.25.1