Crypto: Refactor the tfm_builtin_key_loader and HAL interaction
This patch refactors the entry points of the tfm_builtin_key_loader
driver to simplify its interaction with crypto keys HAL layer and
the rest of the TF-M Crypto service and PSA Crypto core layer.
* Decouple each module as much as possible from mbed TLS specific
types, and make sure all library interactions are abstracted in
the crypto_library module of the crypto service
* Simplify the HAL requirements to provide platform builtin keys
as described in tfm_plat_crypto_keys.h
* Update the documentation to reflect the design change
* Fix minor issues and typos, include paths, etc
* Regenerate mbed TLS patches on top of 3.3.0 tag to be applied
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: Id26ff0b88da87075490d17a4c8af8f209bb34a08
diff --git a/lib/ext/mbedcrypto/0004-Add-TF-M-builtin-key-driver.patch b/lib/ext/mbedcrypto/0004-Add-TF-M-builtin-key-driver.patch
index 8aa37fb..bee322f 100644
--- a/lib/ext/mbedcrypto/0004-Add-TF-M-builtin-key-driver.patch
+++ b/lib/ext/mbedcrypto/0004-Add-TF-M-builtin-key-driver.patch
@@ -1,16 +1,17 @@
-From 2982172aba752f612b4e473626f787155087ddb5 Mon Sep 17 00:00:00 2001
+From 6f49a579de65abbae877ba067ee1a76671ae8e83 Mon Sep 17 00:00:00 2001
From: Raef Coles <raef.coles@arm.com>
Date: Tue, 19 Jul 2022 11:12:30 +0100
Subject: [PATCH 4/6] Add TF-M builtin key driver
Signed-off-by: Raef Coles <raef.coles@arm.com>
+Co-authored-by: Antonio de Angelis <antonio.deangelis@arm.com>
---
library/psa_crypto.c | 11 +++-
- library/psa_crypto_driver_wrappers.c | 91 +++++++++++++++++++++++++++-
- 2 files changed, 100 insertions(+), 2 deletions(-)
+ library/psa_crypto_driver_wrappers.c | 97 +++++++++++++++++++++++++++-
+ 2 files changed, 106 insertions(+), 2 deletions(-)
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
-index cb5791fc..43c8b9e6 100644
+index cb5791fc7..43c8b9e6a 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -82,6 +82,11 @@
@@ -39,7 +40,7 @@
psa_unlock_key_slot( *p_slot );
*p_slot = NULL;
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
-index e822eef0..08427604 100644
+index e822eef01..1fa26d562 100644
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
@@ -58,6 +58,18 @@
@@ -71,7 +72,20 @@
/* END-driver id */
-@@ -155,6 +170,9 @@ psa_status_t psa_driver_wrapper_sign_message(
+@@ -92,6 +107,12 @@ psa_status_t psa_driver_wrapper_init( void )
+ {
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
++#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
++ status = tfm_builtin_key_loader_init();
++ if (status != PSA_SUCCESS)
++ return ( status );
++#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */
++
+ #if defined(PSA_CRYPTO_DRIVER_CC3XX)
+ status = cc3xx_init();
+ if (status != PSA_SUCCESS)
+@@ -155,6 +176,9 @@ psa_status_t psa_driver_wrapper_sign_message(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
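Review bot: The `tfm_builtin_key_loader_init()` call added at the top of `psa_driver_wrapper_init` runs before `cc3xx_init()`, and nothing in the hunk says whether that ordering is deliberate. If the loader's init, or the platform HAL code it presumably calls to fetch builtin keys, ever relies on the accelerator, it would run against a driver that is not yet initialised; if it only copies key material, the order is safe but should be pinned. I would add a comment above the block such as `/* Builtin keys are loaded first; this step must not depend on any accelerator driver initialised below */`, or move the block after the accelerator init if that assumption does not hold. The early `return ( status );` also makes any key-loading failure abort driver initialisation as a whole, which looks like the right fail-closed choice but deserves a line in the same comment. The body of `psa_driver_wrapper_init` continues outside the hunk.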
@@ -81,7 +95,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -243,6 +261,9 @@ psa_status_t psa_driver_wrapper_verify_message(
+@@ -243,6 +267,9 @@ psa_status_t psa_driver_wrapper_verify_message(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -91,7 +105,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -342,6 +363,9 @@ psa_status_t psa_driver_wrapper_sign_hash(
+@@ -342,6 +369,9 @@ psa_status_t psa_driver_wrapper_sign_hash(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -101,7 +115,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -438,6 +462,9 @@ psa_status_t psa_driver_wrapper_verify_hash(
+@@ -438,6 +468,9 @@ psa_status_t psa_driver_wrapper_verify_hash(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -111,7 +125,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -582,7 +609,11 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
+@@ -582,7 +615,11 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
return( ( *key_buffer_size != 0 ) ?
PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED );
#endif /* PSA_CRYPTO_DRIVER_TEST */
@@ -124,7 +138,7 @@
default:
(void)key_type;
(void)key_bits;
-@@ -622,6 +653,9 @@ psa_status_t psa_driver_wrapper_generate_key(
+@@ -622,6 +659,9 @@ psa_status_t psa_driver_wrapper_generate_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -134,7 +148,7 @@
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
/* Transparent drivers are limited to generating asymmetric keys */
if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) )
-@@ -714,6 +748,9 @@ psa_status_t psa_driver_wrapper_import_key(
+@@ -714,6 +754,9 @@ psa_status_t psa_driver_wrapper_import_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -144,7 +158,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -800,6 +837,9 @@ psa_status_t psa_driver_wrapper_export_key(
+@@ -800,6 +843,9 @@ psa_status_t psa_driver_wrapper_export_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -154,7 +168,7 @@
return( psa_export_key_internal( attributes,
key_buffer,
key_buffer_size,
-@@ -865,6 +905,9 @@ psa_status_t psa_driver_wrapper_export_public_key(
+@@ -865,6 +911,9 @@ psa_status_t psa_driver_wrapper_export_public_key(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -164,13 +178,13 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -950,6 +993,13 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
+@@ -950,6 +999,13 @@ psa_status_t psa_driver_wrapper_get_builtin_key(
#endif /* PSA_CRYPTO_DRIVER_TEST */
+#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER)
+ case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:
-+ return( tfm_builtin_key_loader_get_key_buffer(
++ return( tfm_builtin_key_loader_get_builtin_key(
+ slot_number,
+ attributes,
+ key_buffer, key_buffer_size, key_buffer_length ) );
@@ -178,7 +192,7 @@
default:
(void) slot_number;
(void) key_buffer;
-@@ -1035,6 +1085,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
+@@ -1035,6 +1091,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -188,7 +202,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1139,6 +1192,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt(
+@@ -1139,6 +1198,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -198,7 +212,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1228,6 +1284,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
+@@ -1228,6 +1290,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -208,7 +222,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1311,6 +1370,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
+@@ -1311,6 +1376,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -218,7 +232,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -1794,6 +1856,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt(
+@@ -1794,6 +1862,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -228,7 +242,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -1857,6 +1922,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt(
+@@ -1857,6 +1928,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -238,7 +252,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -1917,6 +1985,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt_setup(
+@@ -1917,6 +1991,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -248,7 +262,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -1974,6 +2045,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt_setup(
+@@ -1974,6 +2051,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -258,7 +272,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
-@@ -2371,6 +2445,9 @@ psa_status_t psa_driver_wrapper_mac_compute(
+@@ -2371,6 +2451,9 @@ psa_status_t psa_driver_wrapper_mac_compute(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -268,7 +282,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2441,6 +2518,9 @@ psa_status_t psa_driver_wrapper_mac_sign_setup(
+@@ -2441,6 +2524,9 @@ psa_status_t psa_driver_wrapper_mac_sign_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -278,7 +292,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2522,6 +2602,9 @@ psa_status_t psa_driver_wrapper_mac_verify_setup(
+@@ -2522,6 +2608,9 @@ psa_status_t psa_driver_wrapper_mac_verify_setup(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -288,7 +302,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2822,6 +2905,9 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt(
+@@ -2822,6 +2911,9 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE:
@@ -298,7 +312,7 @@
/* Key is stored in the slot in export representation, so
* cycle through all known transparent accelerators */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
-@@ -2900,6 +2986,9 @@ psa_status_t psa_driver_wrapper_key_agreement(
+@@ -2900,6 +2992,9 @@ psa_status_t psa_driver_wrapper_key_agreement(
switch( location )
{
case PSA_KEY_LOCATION_LOCAL_STORAGE: