Extend crypto SP to support signature verification
The UEFI service of SMM gateway needs pkcs7 signature verification
to authorize variable accesses. Instead of duplicating the mbedtls
entities, crypto SP will provide an interface to do the signature
verification.
Signed-off-by: Gabor Toth <gabor.toth2@arm.com>
Change-Id: I7b0472435ac1620c4fe42d0592e1c64faaf10df7
diff --git a/components/service/crypto/backend/mbedcrypto/component.cmake b/components/service/crypto/backend/mbedcrypto/component.cmake
index bd7f4ae..36fd3df 100644
--- a/components/service/crypto/backend/mbedcrypto/component.cmake
+++ b/components/service/crypto/backend/mbedcrypto/component.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+# Copyright (c) 2021-2023, Arm Limited and Contributors. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -8,6 +8,9 @@
message(FATAL_ERROR "mandatory parameter TGT is not defined.")
endif()
+target_include_directories(${TGT} PRIVATE
+ "${MBEDTLS_INSTALL_DIR}/include"
+)
target_sources(${TGT} PRIVATE
"${CMAKE_CURRENT_LIST_DIR}/mbedcrypto_backend.c"
)
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/component.cmake b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/component.cmake
new file mode 100644
index 0000000..878af28
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/component.cmake
@@ -0,0 +1,16 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_include_directories(${TGT} PRIVATE
+ "${MBEDTLS_INSTALL_DIR}/include"
+)
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/mbedtls_fake_x509.c"
+ )
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.c b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.c
new file mode 100644
index 0000000..a579252
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.c
@@ -0,0 +1,76 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <mbedtls/build_info.h>
+#include <mbedtls/error.h>
+#include <mbedtls/pkcs7.h>
+#include <mbedtls/x509_crt.h>
+#include <compiler.h>
+#include <stdlib.h>
+
+#include "mbedtls_fake_x509.h"
+
+/*
+ * This file contains X509 and PKCS#7 related fake functions. When crypto SP is compiled
+ * with a minimalistic mbedtls config which does not support the aformentioned features
+ * these functions need to be included to avoid linkage errors.
+ */
+#if !defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
+{
+ (void)crt;
+}
+
+int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain,
+ const unsigned char *buf,
+ size_t buflen)
+{
+ (void)chain;
+ (void)buf;
+ (void)buflen;
+
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+}
+
+void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
+{
+ (void)crt;
+}
+#endif
+
+#if !defined(MBEDTLS_PKCS7_C)
+void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7)
+{
+ (void)pkcs7;
+}
+
+int mbedtls_pkcs7_parse_der(mbedtls_pkcs7 *pkcs7, const unsigned char *buf,
+ const size_t buflen)
+{
+ (void)pkcs7;
+ (void)buf;
+ (void)buflen;
+
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+}
+
+void mbedtls_pkcs7_free(mbedtls_pkcs7 *pkcs7)
+{
+ (void)pkcs7;
+}
+
+int mbedtls_pkcs7_signed_hash_verify(mbedtls_pkcs7 *pkcs7,
+ const mbedtls_x509_crt *cert,
+ const unsigned char *hash, size_t hashlen)
+{
+ (void)pkcs7;
+ (void)cert;
+ (void)hash;
+ (void)hashlen;
+
+ return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED;
+}
+#endif
diff --git a/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.h b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.h
new file mode 100644
index 0000000..f282aa7
--- /dev/null
+++ b/components/service/crypto/backend/mbedcrypto/mbedtls_fake_x509/mbedtls_fake_x509.h
@@ -0,0 +1,11 @@
+/*
+ * Copyright (c) 2023, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef MBEDTLS_FAKE_X509_H
+#define MBEDTLS_FAKE_X509_H
+
+
+#endif /* MBEDTLS_FAKE_X509_H */