Add crypto support for symmetric cipher operations
Adds a sub-provider for symmetric cipher operations.
Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: Ic36195ae6eeb2fb81d06f83755fa400d219febc0
diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c
index 955e747..6ebf1b5 100644
--- a/components/service/crypto/client/psa/psa_cipher.c
+++ b/components/service/crypto/client/psa/psa_cipher.c
@@ -10,20 +10,75 @@
#include "psa_crypto_client.h"
#include <protocols/rpc/common/packed-c/status.h>
#include <protocols/service/crypto/packed-c/opcodes.h>
+#include <protocols/service/crypto/packed-c/cipher.h>
#include <common/tlv/tlv.h>
+static psa_status_t common_cipher_setup(psa_cipher_operation_t *operation,
+ psa_key_id_t key,
+ psa_algorithm_t alg,
+ uint32_t opcode)
+{
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_cipher_setup_in req_msg;
+ size_t req_len = sizeof(struct ts_crypto_cipher_setup_in);
+
+ req_msg.key_id = key;
+ req_msg.alg = alg;
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_begin(psa_crypto_client_instance.caller, &req_buf, req_len);
+
+ if (call_handle) {
+
+ uint8_t *resp_buf;
+ size_t resp_len;
+ int opstatus;
+
+ memcpy(req_buf, &req_msg, req_len);
+
+ psa_crypto_client_instance.rpc_status =
+ rpc_caller_invoke(psa_crypto_client_instance.caller, call_handle,
+ opcode, &opstatus, &resp_buf, &resp_len);
+
+ if (psa_crypto_client_instance.rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status = opstatus;
+
+ if (psa_status == PSA_SUCCESS) {
+
+ if (resp_len >= sizeof(struct ts_crypto_cipher_setup_out)) {
+
+ struct ts_crypto_cipher_setup_out resp_msg;
+ memcpy(&resp_msg, resp_buf, sizeof(struct ts_crypto_cipher_setup_out));
+ operation->handle = resp_msg.op_handle;
+ }
+ else {
+ /* Failed to decode response message */
+ psa_status = PSA_ERROR_GENERIC_ERROR;
+ }
+ }
+ }
+
+ rpc_caller_end(psa_crypto_client_instance.caller, call_handle);
+ }
+
+ return psa_status;
+}
+
psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
psa_key_id_t key,
psa_algorithm_t alg)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ return common_cipher_setup(operation, key, alg, TS_CRYPTO_OPCODE_CIPHER_ENCRYPT_SETUP);
}
psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
psa_key_id_t key,
psa_algorithm_t alg)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ return common_cipher_setup(operation, key, alg, TS_CRYPTO_OPCODE_CIPHER_DECRYPT_SETUP);
}
psa_status_t psa_cipher_generate_iv(psa_cipher_operation_t *operation,
@@ -31,14 +86,112 @@
size_t iv_size,
size_t *iv_length)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_cipher_generate_iv_in req_msg;
+ size_t req_fixed_len = sizeof(struct ts_crypto_cipher_generate_iv_in);
+ size_t req_len = req_fixed_len;
+
+ *iv_length = 0;
+ req_msg.op_handle = operation->handle;
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_begin(psa_crypto_client_instance.caller, &req_buf, req_len);
+
+ if (call_handle) {
+
+ uint8_t *resp_buf;
+ size_t resp_len;
+ int opstatus;
+
+ memcpy(req_buf, &req_msg, req_fixed_len);
+
+ psa_crypto_client_instance.rpc_status =
+ rpc_caller_invoke(psa_crypto_client_instance.caller, call_handle,
+ TS_CRYPTO_OPCODE_CIPHER_GENERATE_IV, &opstatus, &resp_buf, &resp_len);
+
+ if (psa_crypto_client_instance.rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status = opstatus;
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct tlv_const_iterator resp_iter;
+ struct tlv_record decoded_record;
+ tlv_const_iterator_begin(&resp_iter, resp_buf, resp_len);
+
+ if (tlv_find_decode(&resp_iter,
+ TS_CRYPTO_CIPHER_GENERATE_IV_OUT_TAG_IV, &decoded_record)) {
+
+ if (decoded_record.length <= iv_size) {
+
+ memcpy(iv, decoded_record.value, decoded_record.length);
+ *iv_length = decoded_record.length;
+ }
+ else {
+ /* Provided buffer is too small */
+ psa_status = PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ }
+ else {
+ /* Mandatory response parameter missing */
+ psa_status = PSA_ERROR_GENERIC_ERROR;
+ }
+ }
+ }
+
+ rpc_caller_end(psa_crypto_client_instance.caller, call_handle);
+ }
+
+ return psa_status;
}
psa_status_t psa_cipher_set_iv(psa_cipher_operation_t *operation,
const uint8_t *iv,
size_t iv_length)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_cipher_set_iv_in req_msg;
+ size_t req_fixed_len = sizeof(struct ts_crypto_cipher_set_iv_in);
+ size_t req_len = req_fixed_len;
+
+ req_msg.op_handle = operation->handle;
+
+ /* Mandatory input data parameter */
+ struct tlv_record data_record;
+ data_record.tag = TS_CRYPTO_CIPHER_SET_IV_IN_TAG_IV;
+ data_record.length = iv_length;
+ data_record.value = iv;
+ req_len += tlv_required_space(data_record.length);
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_begin(psa_crypto_client_instance.caller, &req_buf, req_len);
+
+ if (call_handle) {
+
+ uint8_t *resp_buf;
+ size_t resp_len;
+ int opstatus;
+ struct tlv_iterator req_iter;
+
+ memcpy(req_buf, &req_msg, req_fixed_len);
+
+ tlv_iterator_begin(&req_iter, &req_buf[req_fixed_len], req_len - req_fixed_len);
+ tlv_encode(&req_iter, &data_record);
+
+ psa_crypto_client_instance.rpc_status =
+ rpc_caller_invoke(psa_crypto_client_instance.caller, call_handle,
+ TS_CRYPTO_OPCODE_CIPHER_SET_IV, &opstatus, &resp_buf, &resp_len);
+
+ if (psa_crypto_client_instance.rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
+
+ rpc_caller_end(psa_crypto_client_instance.caller, call_handle);
+ }
+
+ return psa_status;
}
psa_status_t psa_cipher_update(psa_cipher_operation_t *operation,
@@ -48,7 +201,76 @@
size_t output_size,
size_t *output_length)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_cipher_update_in req_msg;
+ size_t req_fixed_len = sizeof(struct ts_crypto_cipher_update_in);
+ size_t req_len = req_fixed_len;
+
+ *output_length = 0;
+ req_msg.op_handle = operation->handle;
+
+ /* Mandatory input data parameter */
+ struct tlv_record data_record;
+ data_record.tag = TS_CRYPTO_CIPHER_UPDATE_IN_TAG_DATA;
+ data_record.length = input_length;
+ data_record.value = input;
+ req_len += tlv_required_space(data_record.length);
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_begin(psa_crypto_client_instance.caller, &req_buf, req_len);
+
+ if (call_handle) {
+
+ uint8_t *resp_buf;
+ size_t resp_len;
+ int opstatus;
+ struct tlv_iterator req_iter;
+
+ memcpy(req_buf, &req_msg, req_fixed_len);
+
+ tlv_iterator_begin(&req_iter, &req_buf[req_fixed_len], req_len - req_fixed_len);
+ tlv_encode(&req_iter, &data_record);
+
+ psa_crypto_client_instance.rpc_status =
+ rpc_caller_invoke(psa_crypto_client_instance.caller, call_handle,
+ TS_CRYPTO_OPCODE_CIPHER_UPDATE, &opstatus, &resp_buf, &resp_len);
+
+ if (psa_crypto_client_instance.rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status = opstatus;
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct tlv_const_iterator resp_iter;
+ struct tlv_record decoded_record;
+ tlv_const_iterator_begin(&resp_iter, resp_buf, resp_len);
+
+ if (tlv_find_decode(&resp_iter,
+ TS_CRYPTO_CIPHER_UPDATE_OUT_TAG_DATA, &decoded_record)) {
+
+ if (decoded_record.length <= output_size) {
+
+ memcpy(output, decoded_record.value, decoded_record.length);
+ *output_length = decoded_record.length;
+ }
+ else {
+ /* Provided buffer is too small */
+ psa_status = PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ }
+ else {
+ /* Mandatory response parameter missing */
+ psa_status = PSA_ERROR_GENERIC_ERROR;
+ }
+ }
+ }
+
+ rpc_caller_end(psa_crypto_client_instance.caller, call_handle);
+ }
+
+ return psa_status;
}
psa_status_t psa_cipher_finish(psa_cipher_operation_t *operation,
@@ -56,10 +278,97 @@
size_t output_size,
size_t *output_length)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_cipher_finish_in req_msg;
+ size_t req_fixed_len = sizeof(struct ts_crypto_cipher_finish_in);
+ size_t req_len = req_fixed_len;
+
+ *output_length = 0;
+ req_msg.op_handle = operation->handle;
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_begin(psa_crypto_client_instance.caller, &req_buf, req_len);
+
+ if (call_handle) {
+
+ uint8_t *resp_buf;
+ size_t resp_len;
+ int opstatus;
+
+ memcpy(req_buf, &req_msg, req_fixed_len);
+
+ psa_crypto_client_instance.rpc_status =
+ rpc_caller_invoke(psa_crypto_client_instance.caller, call_handle,
+ TS_CRYPTO_OPCODE_CIPHER_FINISH, &opstatus, &resp_buf, &resp_len);
+
+ if (psa_crypto_client_instance.rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status = opstatus;
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct tlv_const_iterator resp_iter;
+ struct tlv_record decoded_record;
+ tlv_const_iterator_begin(&resp_iter, resp_buf, resp_len);
+
+ if (tlv_find_decode(&resp_iter,
+ TS_CRYPTO_CIPHER_FINISH_OUT_TAG_DATA, &decoded_record)) {
+
+ if (decoded_record.length <= output_size) {
+
+ memcpy(output, decoded_record.value, decoded_record.length);
+ *output_length = decoded_record.length;
+ }
+ else {
+ /* Provided buffer is too small */
+ psa_status = PSA_ERROR_BUFFER_TOO_SMALL;
+ }
+ }
+ else {
+ /* Mandatory response parameter missing */
+ psa_status = PSA_ERROR_GENERIC_ERROR;
+ }
+ }
+ }
+
+ rpc_caller_end(psa_crypto_client_instance.caller, call_handle);
+ }
+
+ return psa_status;
}
psa_status_t psa_cipher_abort(psa_cipher_operation_t *operation)
{
- return PSA_ERROR_NOT_SUPPORTED;
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_cipher_abort_in req_msg;
+ size_t req_fixed_len = sizeof(struct ts_crypto_cipher_abort_in);
+ size_t req_len = req_fixed_len;
+
+ req_msg.op_handle = operation->handle;
+
+ rpc_call_handle call_handle;
+ uint8_t *req_buf;
+
+ call_handle = rpc_caller_begin(psa_crypto_client_instance.caller, &req_buf, req_len);
+
+ if (call_handle) {
+
+ uint8_t *resp_buf;
+ size_t resp_len;
+ int opstatus;
+
+ memcpy(req_buf, &req_msg, req_fixed_len);
+
+ psa_crypto_client_instance.rpc_status =
+ rpc_caller_invoke(psa_crypto_client_instance.caller, call_handle,
+ TS_CRYPTO_OPCODE_CIPHER_ABORT, &opstatus, &resp_buf, &resp_len);
+
+ if (psa_crypto_client_instance.rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
+
+ rpc_caller_end(psa_crypto_client_instance.caller, call_handle);
+ }
+
+ return psa_status;
}
diff --git a/components/service/crypto/factory/full/crypto_provider_factory.c b/components/service/crypto/factory/full/crypto_provider_factory.c
index 482c0be..1e1d902 100644
--- a/components/service/crypto/factory/full/crypto_provider_factory.c
+++ b/components/service/crypto/factory/full/crypto_provider_factory.c
@@ -11,6 +11,8 @@
#include <service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.h>
#include <service/crypto/provider/extension/hash/hash_provider.h>
#include <service/crypto/provider/extension/hash/serializer/packed-c/packedc_hash_provider_serializer.h>
+#include <service/crypto/provider/extension/cipher/cipher_provider.h>
+#include <service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.h>
/**
* A crypto provider factory that constucts a full-featured
@@ -23,6 +25,7 @@
{
struct crypto_provider crypto_provider;
struct hash_provider hash_provider;
+ struct cipher_provider cipher_provider;
} instance;
@@ -45,6 +48,14 @@
crypto_provider_extend(&instance.crypto_provider, &instance.hash_provider.base_provider);
+ /* Extend with symmetric cipher operations */
+ cipher_provider_init(&instance.cipher_provider);
+
+ cipher_provider_register_serializer(&instance.cipher_provider,
+ TS_RPC_ENCODING_PACKED_C, packedc_cipher_provider_serializer_instance());
+
+ crypto_provider_extend(&instance.crypto_provider, &instance.cipher_provider.base_provider);
+
return &instance.crypto_provider;
}
@@ -58,4 +69,5 @@
(void)provider;
crypto_provider_deinit(&instance.crypto_provider);
hash_provider_deinit(&instance.hash_provider);
+ cipher_provider_deinit(&instance.cipher_provider);
}
diff --git a/components/service/crypto/provider/extension/cipher/cipher_provider.c b/components/service/crypto/provider/extension/cipher/cipher_provider.c
new file mode 100644
index 0000000..7ed32f5
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/cipher_provider.c
@@ -0,0 +1,331 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+#include <stdint.h>
+#include <stdlib.h>
+#include <protocols/service/crypto/packed-c/opcodes.h>
+#include <service/crypto/provider/extension/cipher/cipher_provider.h>
+#include <protocols/rpc/common/packed-c/status.h>
+#include <psa/crypto.h>
+
+/* Service request handlers */
+static rpc_status_t cipher_setup_handler(void *context, struct call_req* req);
+static rpc_status_t cipher_generate_iv_handler(void *context, struct call_req* req);
+static rpc_status_t cipher_set_iv_handler(void *context, struct call_req* req);
+static rpc_status_t cipher_update_handler(void *context, struct call_req* req);
+static rpc_status_t cipher_finish_handler(void *context, struct call_req* req);
+static rpc_status_t cipher_abort_handler(void *context, struct call_req* req);
+
+/* Handler mapping table for service */
+static const struct service_handler handler_table[] = {
+ {TS_CRYPTO_OPCODE_CIPHER_ENCRYPT_SETUP, cipher_setup_handler},
+ {TS_CRYPTO_OPCODE_CIPHER_DECRYPT_SETUP, cipher_setup_handler},
+ {TS_CRYPTO_OPCODE_CIPHER_GENERATE_IV, cipher_generate_iv_handler},
+ {TS_CRYPTO_OPCODE_CIPHER_SET_IV, cipher_set_iv_handler},
+ {TS_CRYPTO_OPCODE_CIPHER_UPDATE, cipher_update_handler},
+ {TS_CRYPTO_OPCODE_CIPHER_FINISH, cipher_finish_handler},
+ {TS_CRYPTO_OPCODE_CIPHER_ABORT, cipher_abort_handler}
+};
+
+void cipher_provider_init(struct cipher_provider *context)
+{
+ crypto_context_pool_init(&context->context_pool);
+
+ for (size_t encoding = 0; encoding < TS_RPC_ENCODING_LIMIT; ++encoding)
+ context->serializers[encoding] = NULL;
+
+ service_provider_init(&context->base_provider, context,
+ handler_table, sizeof(handler_table)/sizeof(struct service_handler));
+}
+
+void cipher_provider_deinit(struct cipher_provider *context)
+{
+ crypto_context_pool_deinit(&context->context_pool);
+}
+
+void cipher_provider_register_serializer(struct cipher_provider *context,
+ unsigned int encoding, const struct cipher_provider_serializer *serializer)
+{
+ if (encoding < TS_RPC_ENCODING_LIMIT)
+ context->serializers[encoding] = serializer;
+}
+
+static const struct cipher_provider_serializer* get_serializer(void *context,
+ const struct call_req *req)
+{
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+ const struct cipher_provider_serializer* serializer = NULL;
+ unsigned int encoding = call_req_get_encoding(req);
+
+ if (encoding < TS_RPC_ENCODING_LIMIT) serializer = this_instance->serializers[encoding];
+
+ return serializer;
+}
+
+static rpc_status_t cipher_setup_handler(void *context, struct call_req* req)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+ const struct cipher_provider_serializer *serializer = get_serializer(context, req);
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+
+ psa_key_id_t key_id;
+ psa_algorithm_t alg;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_cipher_setup_req(req_buf, &key_id, &alg);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ uint32_t op_handle;
+
+ struct crypto_context *crypto_context =
+ crypto_context_pool_alloc(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_CIPHER, call_req_get_caller_id(req),
+ &op_handle);
+
+ if (crypto_context) {
+
+ psa_status_t psa_status;
+
+ crypto_context->op.cipher = psa_cipher_operation_init();
+
+ psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_CIPHER_ENCRYPT_SETUP) ?
+ psa_cipher_encrypt_setup(&crypto_context->op.cipher, key_id, alg) :
+ psa_cipher_decrypt_setup(&crypto_context->op.cipher, key_id, alg);
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_cipher_setup_resp(resp_buf, op_handle);
+ }
+
+ if ((psa_status != PSA_SUCCESS) || (rpc_status != TS_RPC_CALL_ACCEPTED)) {
+
+ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
+ }
+
+ call_req_set_opstatus(req, psa_status);
+ }
+ else {
+ /* Failed to allocate crypto context for transaction */
+ rpc_status = TS_RPC_ERROR_RESOURCE_FAILURE;
+ }
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t cipher_generate_iv_handler(void *context, struct call_req* req)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+ const struct cipher_provider_serializer *serializer = get_serializer(context, req);
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+
+ uint32_t op_handle;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_cipher_generate_iv_req(req_buf, &op_handle);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status_t psa_status = PSA_ERROR_BAD_STATE;
+
+ struct crypto_context *crypto_context =
+ crypto_context_pool_find(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_CIPHER, call_req_get_caller_id(req),
+ op_handle);
+
+ if (crypto_context) {
+
+ size_t iv_len;
+ uint8_t iv[PSA_CIPHER_IV_MAX_SIZE];
+
+ psa_status = psa_cipher_generate_iv(&crypto_context->op.cipher, iv, sizeof(iv), &iv_len);
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_cipher_generate_iv_resp(resp_buf, iv, iv_len);
+ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t cipher_set_iv_handler(void *context, struct call_req* req)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+ const struct cipher_provider_serializer *serializer = get_serializer(context, req);
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+
+ uint32_t op_handle;
+ const uint8_t *iv;
+ size_t iv_len;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_cipher_set_iv_req(req_buf, &op_handle,
+ &iv, &iv_len);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status_t psa_status = PSA_ERROR_BAD_STATE;
+
+ struct crypto_context *crypto_context =
+ crypto_context_pool_find(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_CIPHER, call_req_get_caller_id(req),
+ op_handle);
+
+ if (crypto_context) {
+
+ psa_status = psa_cipher_set_iv(&crypto_context->op.cipher, iv, iv_len);
+ }
+
+ call_req_set_opstatus(req, psa_status);
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t cipher_update_handler(void *context, struct call_req* req)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+ const struct cipher_provider_serializer *serializer = get_serializer(context, req);
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+
+ uint32_t op_handle;
+ const uint8_t *input;
+ size_t input_len;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_cipher_update_req(req_buf, &op_handle,
+ &input, &input_len);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status_t psa_status = PSA_ERROR_BAD_STATE;
+
+ struct crypto_context *crypto_context =
+ crypto_context_pool_find(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_CIPHER, call_req_get_caller_id(req),
+ op_handle);
+
+ if (crypto_context) {
+
+ size_t output_len = 0;
+ size_t output_size = PSA_CIPHER_ENCRYPT_OUTPUT_MAX_SIZE(input_len);
+ uint8_t *output = malloc(output_size);
+
+ if (output) {
+
+ psa_status = psa_cipher_update(&crypto_context->op.cipher,
+ input, input_len,
+ output, output_size, &output_len);
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_cipher_update_resp(resp_buf,
+ output, output_len);
+ }
+
+ free(output);
+ }
+ else {
+
+ psa_status = PSA_ERROR_INSUFFICIENT_MEMORY;
+ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t cipher_finish_handler(void *context, struct call_req* req)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+ const struct cipher_provider_serializer *serializer = get_serializer(context, req);
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+
+ uint32_t op_handle;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_cipher_finish_req(req_buf, &op_handle);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ psa_status_t psa_status = PSA_ERROR_BAD_STATE;
+
+ struct crypto_context *crypto_context =
+ crypto_context_pool_find(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_CIPHER, call_req_get_caller_id(req),
+ op_handle);
+
+ if (crypto_context) {
+
+ size_t output_len;
+ uint8_t output[PSA_CIPHER_FINISH_OUTPUT_MAX_SIZE];
+
+ psa_status = psa_cipher_finish(&crypto_context->op.cipher, output, sizeof(output), &output_len);
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_cipher_finish_resp(resp_buf, output, output_len);
+ }
+
+ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
+ }
+
+ call_req_set_opstatus(req, psa_status);
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t cipher_abort_handler(void *context, struct call_req* req)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+ const struct cipher_provider_serializer *serializer = get_serializer(context, req);
+ struct cipher_provider *this_instance = (struct cipher_provider*)context;
+
+ uint32_t op_handle;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_cipher_abort_req(req_buf, &op_handle);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+ /* Return success if operation is no longer active and
+ * doesn't need aborting.
+ */
+ psa_status_t psa_status = PSA_SUCCESS;
+
+ struct crypto_context *crypto_context =
+ crypto_context_pool_find(&this_instance->context_pool,
+ CRYPTO_CONTEXT_OP_ID_CIPHER, call_req_get_caller_id(req),
+ op_handle);
+
+ if (crypto_context) {
+
+ psa_status = psa_cipher_abort(&crypto_context->op.cipher);
+ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
+ }
+
+ call_req_set_opstatus(req, psa_status);
+ }
+
+ return rpc_status;
+}
diff --git a/components/service/crypto/provider/extension/cipher/cipher_provider.h b/components/service/crypto/provider/extension/cipher/cipher_provider.h
new file mode 100644
index 0000000..939c333
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/cipher_provider.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CIPHER_PROVIDER_H
+#define CIPHER_PROVIDER_H
+
+#include <rpc/common/endpoint/rpc_interface.h>
+#include <service/common/provider/service_provider.h>
+#include <service/crypto/provider/extension/cipher/serializer/cipher_provider_serializer.h>
+#include <service/crypto/provider/crypto_context_pool.h>
+#include <protocols/rpc/common/packed-c/encoding.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * A service provider that can be used to add symmetric cipher operations to the base
+ * crypto provider.
+ */
+struct cipher_provider
+{
+ struct service_provider base_provider;
+ struct crypto_context_pool context_pool;
+ const struct cipher_provider_serializer *serializers[TS_RPC_ENCODING_LIMIT];
+};
+
+/*
+ * Initializes an instance of the cipher service provider.
+ */
+void cipher_provider_init(struct cipher_provider *context);
+
+/*
+ * When operation of the provider is no longer required, this function
+ * frees any resource used by the previously initialized provider instance.
+ */
+void cipher_provider_deinit(struct cipher_provider *context);
+
+/*
+ * Register a serializer for supportng a particular parameter encoding.
+ */
+void cipher_provider_register_serializer(struct cipher_provider *context,
+ unsigned int encoding, const struct cipher_provider_serializer *serializer);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* CIPHER_PROVIDER_H */
diff --git a/components/service/crypto/provider/extension/cipher/component.cmake b/components/service/crypto/provider/extension/cipher/component.cmake
new file mode 100644
index 0000000..b412184
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/cipher_provider.c"
+ )
diff --git a/components/service/crypto/provider/extension/cipher/serializer/cipher_provider_serializer.h b/components/service/crypto/provider/extension/cipher/serializer/cipher_provider_serializer.h
new file mode 100644
index 0000000..ccc9b96
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/serializer/cipher_provider_serializer.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef CIPHER_PROVIDER_SERIALIZER_H
+#define CIPHER_PROVIDER_SERIALIZER_H
+
+#include <stddef.h>
+#include <stdint.h>
+#include <psa/crypto.h>
+#include <rpc/common/endpoint/rpc_interface.h>
+
+/* Provides a common interface for parameter serialization operations
+ * for the cipher service provider.
+ */
+struct cipher_provider_serializer {
+
+ /* Operation: cipher_setup */
+ rpc_status_t (*deserialize_cipher_setup_req)(const struct call_param_buf *req_buf,
+ psa_key_id_t *id,
+ psa_algorithm_t *alg);
+
+ rpc_status_t (*serialize_cipher_setup_resp)(struct call_param_buf *resp_buf,
+ uint32_t op_handle);
+
+ /* Operation: cipher_generate_iv */
+ rpc_status_t (*deserialize_cipher_generate_iv_req)(const struct call_param_buf *req_buf,
+ uint32_t *op_handle);
+
+ rpc_status_t (*serialize_cipher_generate_iv_resp)(struct call_param_buf *resp_buf,
+ const uint8_t *iv, size_t iv_len);
+
+ /* Operation: cipher_set_iv */
+ rpc_status_t (*deserialize_cipher_set_iv_req)(const struct call_param_buf *req_buf,
+ uint32_t *op_handle,
+ const uint8_t **iv, size_t *iv_len);
+
+ /* Operation: cipher_update */
+ rpc_status_t (*deserialize_cipher_update_req)(const struct call_param_buf *req_buf,
+ uint32_t *op_handle,
+ const uint8_t **data, size_t *data_len);
+
+ rpc_status_t (*serialize_cipher_update_resp)(struct call_param_buf *resp_buf,
+ const uint8_t *data, size_t data_len);
+
+ /* Operation: cipher_finish */
+ rpc_status_t (*deserialize_cipher_finish_req)(const struct call_param_buf *req_buf,
+ uint32_t *op_handle);
+
+ rpc_status_t (*serialize_cipher_finish_resp)(struct call_param_buf *resp_buf,
+ const uint8_t *data, size_t data_len);
+
+ /* Operation: cipher_abort */
+ rpc_status_t (*deserialize_cipher_abort_req)(const struct call_param_buf *req_buf,
+ uint32_t *op_handle);
+};
+
+#endif /* CIPHER_PROVIDER_SERIALIZER_H */
diff --git a/components/service/crypto/provider/extension/cipher/serializer/packed-c/component.cmake b/components/service/crypto/provider/extension/cipher/serializer/packed-c/component.cmake
new file mode 100644
index 0000000..1ccd990
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/serializer/packed-c/component.cmake
@@ -0,0 +1,13 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+#
+# SPDX-License-Identifier: BSD-3-Clause
+#
+#-------------------------------------------------------------------------------
+if (NOT DEFINED TGT)
+ message(FATAL_ERROR "mandatory parameter TGT is not defined.")
+endif()
+
+target_sources(${TGT} PRIVATE
+ "${CMAKE_CURRENT_LIST_DIR}/packedc_cipher_provider_serializer.c"
+ )
diff --git a/components/service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.c b/components/service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.c
new file mode 100644
index 0000000..1acb165
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.c
@@ -0,0 +1,265 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+#include <string.h>
+#include <stdlib.h>
+#include <common/tlv/tlv.h>
+#include <psa/crypto.h>
+#include <protocols/service/crypto/packed-c/cipher.h>
+#include "packedc_cipher_provider_serializer.h"
+
+/* Operation: cipher_setup */
+static rpc_status_t deserialize_cipher_setup_req(const struct call_param_buf *req_buf,
+ psa_key_id_t *id,
+ psa_algorithm_t *alg)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ struct ts_crypto_cipher_setup_in recv_msg;
+ size_t expected_fixed_len = sizeof(struct ts_crypto_cipher_setup_in);
+
+ if (expected_fixed_len <= req_buf->data_len) {
+
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+ *id = recv_msg.key_id;
+ *alg = recv_msg.alg;
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t serialize_cipher_setup_resp(struct call_param_buf *resp_buf,
+ uint32_t op_handle)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
+ struct ts_crypto_cipher_setup_out resp_msg;
+ size_t fixed_len = sizeof(struct ts_crypto_cipher_setup_out);
+
+ resp_msg.op_handle = op_handle;
+
+ if (fixed_len <= resp_buf->size) {
+
+ memcpy(resp_buf->data, &resp_msg, fixed_len);
+ resp_buf->data_len = fixed_len;
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+/* Operation: cipher_generate_iv */
+static rpc_status_t deserialize_cipher_generate_iv_req(const struct call_param_buf *req_buf,
+ uint32_t *op_handle)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ struct ts_crypto_cipher_generate_iv_in recv_msg;
+ size_t expected_fixed_len = sizeof(struct ts_crypto_cipher_generate_iv_in);
+
+ if (expected_fixed_len <= req_buf->data_len) {
+
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+ *op_handle = recv_msg.op_handle;
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t serialize_cipher_generate_iv_resp(struct call_param_buf *resp_buf,
+ const uint8_t *iv, size_t iv_len)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
+ struct tlv_iterator resp_iter;
+
+ struct tlv_record out_record;
+ out_record.tag = TS_CRYPTO_CIPHER_GENERATE_IV_OUT_TAG_IV;
+ out_record.length = iv_len;
+ out_record.value = iv;
+
+ tlv_iterator_begin(&resp_iter, resp_buf->data, resp_buf->size);
+
+ if (tlv_encode(&resp_iter, &out_record)) {
+
+ resp_buf->data_len = tlv_required_space(iv_len);
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+/* Operation: cipher_set_iv */
+static rpc_status_t deserialize_cipher_set_iv_req(const struct call_param_buf *req_buf,
+ uint32_t *op_handle,
+ const uint8_t **iv, size_t *iv_len)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ struct ts_crypto_cipher_set_iv_in recv_msg;
+ size_t expected_fixed_len = sizeof(struct ts_crypto_cipher_set_iv_in);
+
+ if (expected_fixed_len <= req_buf->data_len) {
+
+ struct tlv_const_iterator req_iter;
+ struct tlv_record decoded_record;
+
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+
+ *op_handle = recv_msg.op_handle;
+
+ tlv_const_iterator_begin(&req_iter,
+ (uint8_t*)req_buf->data + expected_fixed_len,
+ req_buf->data_len - expected_fixed_len);
+
+ if (tlv_find_decode(&req_iter, TS_CRYPTO_CIPHER_SET_IV_IN_TAG_IV, &decoded_record)) {
+
+ *iv = decoded_record.value;
+ *iv_len = decoded_record.length;
+ }
+ else {
+ /* Default to a zero length data */
+ *iv_len = 0;
+ }
+ }
+
+ return rpc_status;
+}
+
+/* Operation: cipher_update */
+static rpc_status_t deserialize_cipher_update_req(const struct call_param_buf *req_buf,
+ uint32_t *op_handle,
+ const uint8_t **data, size_t *data_len)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ struct ts_crypto_cipher_update_in recv_msg;
+ size_t expected_fixed_len = sizeof(struct ts_crypto_cipher_update_in);
+
+ if (expected_fixed_len <= req_buf->data_len) {
+
+ struct tlv_const_iterator req_iter;
+ struct tlv_record decoded_record;
+
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+
+ *op_handle = recv_msg.op_handle;
+
+ tlv_const_iterator_begin(&req_iter,
+ (uint8_t*)req_buf->data + expected_fixed_len,
+ req_buf->data_len - expected_fixed_len);
+
+ if (tlv_find_decode(&req_iter, TS_CRYPTO_CIPHER_UPDATE_IN_TAG_DATA, &decoded_record)) {
+
+ *data = decoded_record.value;
+ *data_len = decoded_record.length;
+ }
+ else {
+ /* Default to a zero length data */
+ *data_len = 0;
+ }
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t serialize_cipher_update_resp(struct call_param_buf *resp_buf,
+ const uint8_t *data, size_t data_len)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
+ struct tlv_iterator resp_iter;
+
+ struct tlv_record out_record;
+ out_record.tag = TS_CRYPTO_CIPHER_UPDATE_OUT_TAG_DATA;
+ out_record.length = data_len;
+ out_record.value = data;
+
+ tlv_iterator_begin(&resp_iter, resp_buf->data, resp_buf->size);
+
+ if (tlv_encode(&resp_iter, &out_record)) {
+
+ resp_buf->data_len = tlv_required_space(data_len);
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+/* Operation: cipher_finish */
+static rpc_status_t deserialize_cipher_finish_req(const struct call_param_buf *req_buf,
+ uint32_t *op_handle)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ struct ts_crypto_cipher_finish_in recv_msg;
+ size_t expected_fixed_len = sizeof(struct ts_crypto_cipher_finish_in);
+
+ if (expected_fixed_len <= req_buf->data_len) {
+
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+ *op_handle = recv_msg.op_handle;
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+static rpc_status_t serialize_cipher_finish_resp(struct call_param_buf *resp_buf,
+ const uint8_t *data, size_t data_len)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
+ struct tlv_iterator resp_iter;
+
+ struct tlv_record out_record;
+ out_record.tag = TS_CRYPTO_CIPHER_FINISH_OUT_TAG_DATA;
+ out_record.length = data_len;
+ out_record.value = data;
+
+ tlv_iterator_begin(&resp_iter, resp_buf->data, resp_buf->size);
+
+ if (tlv_encode(&resp_iter, &out_record)) {
+
+ resp_buf->data_len = tlv_required_space(data_len);
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+/* Operation: cipher_abort */
+static rpc_status_t deserialize_cipher_abort_req(const struct call_param_buf *req_buf,
+ uint32_t *op_handle)
+{
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ struct ts_crypto_cipher_abort_in recv_msg;
+ size_t expected_fixed_len = sizeof(struct ts_crypto_cipher_abort_in);
+
+ if (expected_fixed_len <= req_buf->data_len) {
+
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+ *op_handle = recv_msg.op_handle;
+ rpc_status = TS_RPC_CALL_ACCEPTED;
+ }
+
+ return rpc_status;
+}
+
+/* Singleton method to provide access to the serializer instance */
+const struct cipher_provider_serializer *packedc_cipher_provider_serializer_instance(void)
+{
+ static const struct cipher_provider_serializer instance = {
+ deserialize_cipher_setup_req,
+ serialize_cipher_setup_resp,
+ deserialize_cipher_generate_iv_req,
+ serialize_cipher_generate_iv_resp,
+ deserialize_cipher_set_iv_req,
+ deserialize_cipher_update_req,
+ serialize_cipher_update_resp,
+ deserialize_cipher_finish_req,
+ serialize_cipher_finish_resp,
+ deserialize_cipher_abort_req
+ };
+
+ return &instance;
+}
diff --git a/components/service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.h b/components/service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.h
new file mode 100644
index 0000000..98b8f17
--- /dev/null
+++ b/components/service/crypto/provider/extension/cipher/serializer/packed-c/packedc_cipher_provider_serializer.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef PACKEDC_CIPHER_PROVIDER_SERIALIZER_H
+#define PACKEDC_CIPHER_PROVIDER_SERIALIZER_H
+
+#include <service/crypto/provider/extension/cipher/serializer/cipher_provider_serializer.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Singleton method to provide access to the packed-c serializer
+ * for the cipher service provider.
+ */
+const struct cipher_provider_serializer *packedc_cipher_provider_serializer_instance(void);
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* PACKEDC_CIPHER_PROVIDER_SERIALIZER_H */
diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
index e1855a3..7d12298 100644
--- a/deployments/component-test/component-test.cmake
+++ b/deployments/component-test/component-test.cmake
@@ -71,6 +71,8 @@
"components/service/crypto/provider/serializer/packed-c"
"components/service/crypto/provider/extension/hash"
"components/service/crypto/provider/extension/hash/serializer/packed-c"
+ "components/service/crypto/provider/extension/cipher"
+ "components/service/crypto/provider/extension/cipher/serializer/packed-c"
"components/service/crypto/provider/test"
"components/service/crypto/backend/mbedcrypto"
"components/service/crypto/factory/full"
diff --git a/deployments/crypto/opteesp/CMakeLists.txt b/deployments/crypto/opteesp/CMakeLists.txt
index cbc1d73..23e2159 100644
--- a/deployments/crypto/opteesp/CMakeLists.txt
+++ b/deployments/crypto/opteesp/CMakeLists.txt
@@ -50,6 +50,8 @@
"components/service/crypto/provider/serializer/packed-c"
"components/service/crypto/provider/extension/hash"
"components/service/crypto/provider/extension/hash/serializer/packed-c"
+ "components/service/crypto/provider/extension/cipher"
+ "components/service/crypto/provider/extension/cipher/serializer/packed-c"
"components/service/crypto/factory/full"
"components/service/crypto/backend/mbedcrypto"
"components/service/crypto/backend/mbedcrypto/trng_adapter/platform"
diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
index b4d39a1..f8e259c 100644
--- a/deployments/libts/linux-pc/CMakeLists.txt
+++ b/deployments/libts/linux-pc/CMakeLists.txt
@@ -59,6 +59,8 @@
"components/service/crypto/provider/serializer/packed-c"
"components/service/crypto/provider/extension/hash"
"components/service/crypto/provider/extension/hash/serializer/packed-c"
+ "components/service/crypto/provider/extension/cipher"
+ "components/service/crypto/provider/extension/cipher/serializer/packed-c"
"components/service/crypto/factory/full"
"components/service/crypto/backend/mbedcrypto"
"components/service/crypto/backend/mbedcrypto/trng_adapter/linux"
diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
index af25f39..988b1fc 100644
--- a/deployments/se-proxy/opteesp/CMakeLists.txt
+++ b/deployments/se-proxy/opteesp/CMakeLists.txt
@@ -62,6 +62,8 @@
"components/service/crypto/provider/serializer/packed-c"
"components/service/crypto/provider/extension/hash"
"components/service/crypto/provider/extension/hash/serializer/packed-c"
+ "components/service/crypto/provider/extension/cipher"
+ "components/service/crypto/provider/extension/cipher/serializer/packed-c"
"components/service/crypto/factory/full"
"components/service/secure_storage/include"
"components/service/secure_storage/frontend/secure_storage_provider"
diff --git a/protocols/service/crypto/packed-c/cipher.h b/protocols/service/crypto/packed-c/cipher.h
new file mode 100644
index 0000000..72cd427
--- /dev/null
+++ b/protocols/service/crypto/packed-c/cipher.h
@@ -0,0 +1,116 @@
+/*
+ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef TS_CRYPTO_CIPHER_H
+#define TS_CRYPTO_CIPHER_H
+
+#include <stdint.h>
+
+/**
+ * Cipher operations on arbitrary sized data involve three operations,
+ * a setup, called once, an update called 1..* times and a finish
+ * to finalise theh hash operation. Operations may be aborted
+ * using the abort operation.
+ */
+
+
+/****************************************
+ * cipher_setup operation definition (encrypt or decrypt)
+ */
+
+/* Mandatory fixed sized input parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_setup_in
+{
+ uint32_t key_id;
+ uint32_t alg;
+};
+
+/* Mandatory fixed sized output parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_setup_out
+{
+ uint32_t op_handle;
+};
+
+/****************************************
+ * cipher_generate_iv operation definition
+ */
+
+/* Mandatory fixed sized input parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_generate_iv_in
+{
+ uint32_t op_handle;
+};
+
+/* Variable length output parameter tags */
+enum
+{
+ TS_CRYPTO_CIPHER_GENERATE_IV_OUT_TAG_IV = 1
+};
+
+/****************************************
+ * cipher_set_iv operation definition
+ */
+
+/* Mandatory fixed sized input parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_set_iv_in
+{
+ uint32_t op_handle;
+};
+
+/* Variable length input parameter tags */
+enum
+{
+ TS_CRYPTO_CIPHER_SET_IV_IN_TAG_IV = 1
+};
+
+/****************************************
+ * cipher_update operation definition
+ */
+
+/* Mandatory fixed sized input parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_update_in
+{
+ uint32_t op_handle;
+};
+
+/* Variable length input parameter tags */
+enum
+{
+ TS_CRYPTO_CIPHER_UPDATE_IN_TAG_DATA = 1
+};
+
+/* Variable length output parameter tags */
+enum
+{
+ TS_CRYPTO_CIPHER_UPDATE_OUT_TAG_DATA = 1
+};
+
+/****************************************
+ * cipher_finish operation definition
+ */
+
+/* Mandatory fixed sized input parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_finish_in
+{
+ uint32_t op_handle;
+};
+
+/* Variable length output parameter tags */
+enum
+{
+ TS_CRYPTO_CIPHER_FINISH_OUT_TAG_DATA = 1
+};
+
+/****************************************
+ * cipher_abort operation definition
+ */
+
+/* Mandatory fixed sized input parameters */
+struct __attribute__ ((__packed__)) ts_crypto_cipher_abort_in
+{
+ uint32_t op_handle;
+};
+
+#endif /* TS_CRYPTO_CIPHER_H */
diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h
index b0ccff3..e06ab68 100644
--- a/protocols/service/crypto/packed-c/opcodes.h
+++ b/protocols/service/crypto/packed-c/opcodes.h
@@ -36,4 +36,14 @@
#define TS_CRYPTO_OPCODE_HASH_VERIFY (TS_CRYPTO_OPCODE_HASH_BASE + 5)
#define TS_CRYPTO_OPCODE_HASH_CLONE (TS_CRYPTO_OPCODE_HASH_BASE + 6)
+/* Cipher operations */
+#define TS_CRYPTO_OPCODE_CIPHER_BASE (0x0300)
+#define TS_CRYPTO_OPCODE_CIPHER_ENCRYPT_SETUP (TS_CRYPTO_OPCODE_CIPHER_BASE + 1)
+#define TS_CRYPTO_OPCODE_CIPHER_DECRYPT_SETUP (TS_CRYPTO_OPCODE_CIPHER_BASE + 2)
+#define TS_CRYPTO_OPCODE_CIPHER_GENERATE_IV (TS_CRYPTO_OPCODE_CIPHER_BASE + 3)
+#define TS_CRYPTO_OPCODE_CIPHER_SET_IV (TS_CRYPTO_OPCODE_CIPHER_BASE + 4)
+#define TS_CRYPTO_OPCODE_CIPHER_UPDATE (TS_CRYPTO_OPCODE_CIPHER_BASE + 5)
+#define TS_CRYPTO_OPCODE_CIPHER_FINISH (TS_CRYPTO_OPCODE_CIPHER_BASE + 6)
+#define TS_CRYPTO_OPCODE_CIPHER_ABORT (TS_CRYPTO_OPCODE_CIPHER_BASE + 7)
+
#endif /* TS_CRYPTO_OPCODES_H */