Crypto: Refactor the API dispatcher interface to reduce code size
This patch restructures the way the underlying APIs that
implement the PSA Crypto APIs are interfaced to the TF-M
Crypto service through a thin shim layer. The size of this
layer is reduced by nearly 45% on the default configuration.
It also removes the check on the number and size of parameters
on each function call, as that check is redundant under the
overall threat model of the interaction between the crypto
service and the partition manager.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Change-Id: I07165bad00346cd12cf63620532f55da0c5d1262
diff --git a/interface/include/tfm_crypto_defs.h b/interface/include/tfm_crypto_defs.h
index c2f4d7c..1d26c06 100644
--- a/interface/include/tfm_crypto_defs.h
+++ b/interface/include/tfm_crypto_defs.h
@@ -20,8 +20,7 @@
/**
* \brief This type is used to overcome a limitation in the number of maximum
* IOVECs that can be used especially in psa_aead_encrypt and
- * psa_aead_decrypt. To be removed in case the AEAD APIs number of
- * parameters passed gets restructured
+ * psa_aead_decrypt.
*/
#define TFM_CRYPTO_MAX_NONCE_LENGTH (16u)
struct tfm_crypto_aead_pack_input {
@@ -34,99 +33,236 @@
*
*/
struct tfm_crypto_pack_iovec {
- uint32_t srv_id; /*!< Crypto service ID used to dispatch the
- * request
- */
- uint16_t step; /*!< Key derivation step */
- psa_key_id_t key_id; /*!< Key id */
- psa_algorithm_t alg; /*!< Algorithm */
- uint32_t op_handle; /*!< Frontend context handle associated to a
- * multipart operation
- */
- size_t capacity; /*!< Key derivation capacity */
- size_t ad_length; /*!< Additional Data length for multipart AEAD */
- size_t plaintext_length; /*!< Plaintext length for multipart AEAD */
+ uint32_t function_id; /*!< Used to identify the function in the
+ * API dispatcher to the service backend
+ */
+ uint16_t step; /*!< Key derivation step */
+ psa_key_id_t key_id; /*!< Key id */
+ psa_algorithm_t alg; /*!< Algorithm */
+ uint32_t op_handle; /*!< Frontend context handle associated to a
+ * multipart operation
+ */
+ size_t capacity; /*!< Key derivation capacity */
+ size_t ad_length; /*!< Additional Data length for multipart AEAD */
+ size_t plaintext_length; /*!< Plaintext length for multipart AEAD */
- struct tfm_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for
- * AEAD until the API is
- * restructured
- */
+ struct tfm_crypto_aead_pack_input aead_in; /*!< Packs AEAD-related inputs */
};
/**
- * \brief Define a progressive numerical value for each SID which can be used
- * when dispatching the requests to the service. Note: This has to
- * match exactly with the list of APIs defined in tfm_crypto_api.h by
- * the LIST_TFM_CRYPTO_UNIFORM_SIGNATURE_API X macro.
+ * \brief X macro describing each of the available PSA Crypto APIs in terms of
+ * group ID (\ref tfm_crypto_group_id) and multipart function type
+ * (\ref tfm_crypto_function_type)
*/
-enum {
- TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID = (0u),
- TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID,
- TFM_CRYPTO_OPEN_KEY_SID,
- TFM_CRYPTO_CLOSE_KEY_SID,
- TFM_CRYPTO_IMPORT_KEY_SID,
- TFM_CRYPTO_DESTROY_KEY_SID,
- TFM_CRYPTO_EXPORT_KEY_SID,
- TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID,
- TFM_CRYPTO_PURGE_KEY_SID,
- TFM_CRYPTO_COPY_KEY_SID,
- TFM_CRYPTO_HASH_COMPUTE_SID,
- TFM_CRYPTO_HASH_COMPARE_SID,
- TFM_CRYPTO_HASH_SETUP_SID,
- TFM_CRYPTO_HASH_UPDATE_SID,
- TFM_CRYPTO_HASH_FINISH_SID,
- TFM_CRYPTO_HASH_VERIFY_SID,
- TFM_CRYPTO_HASH_ABORT_SID,
- TFM_CRYPTO_HASH_CLONE_SID,
- TFM_CRYPTO_MAC_COMPUTE_SID,
- TFM_CRYPTO_MAC_VERIFY_SID,
- TFM_CRYPTO_MAC_SIGN_SETUP_SID,
- TFM_CRYPTO_MAC_VERIFY_SETUP_SID,
- TFM_CRYPTO_MAC_UPDATE_SID,
- TFM_CRYPTO_MAC_SIGN_FINISH_SID,
- TFM_CRYPTO_MAC_VERIFY_FINISH_SID,
- TFM_CRYPTO_MAC_ABORT_SID,
- TFM_CRYPTO_CIPHER_ENCRYPT_SID,
- TFM_CRYPTO_CIPHER_DECRYPT_SID,
- TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID,
- TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID,
- TFM_CRYPTO_CIPHER_GENERATE_IV_SID,
- TFM_CRYPTO_CIPHER_SET_IV_SID,
- TFM_CRYPTO_CIPHER_UPDATE_SID,
- TFM_CRYPTO_CIPHER_FINISH_SID,
- TFM_CRYPTO_CIPHER_ABORT_SID,
- TFM_CRYPTO_AEAD_ENCRYPT_SID,
- TFM_CRYPTO_AEAD_DECRYPT_SID,
- TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID,
- TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID,
- TFM_CRYPTO_AEAD_GENERATE_NONCE_SID,
- TFM_CRYPTO_AEAD_SET_NONCE_SID,
- TFM_CRYPTO_AEAD_SET_LENGTHS_SID,
- TFM_CRYPTO_AEAD_UPDATE_AD_SID,
- TFM_CRYPTO_AEAD_UPDATE_SID,
- TFM_CRYPTO_AEAD_FINISH_SID,
- TFM_CRYPTO_AEAD_VERIFY_SID,
- TFM_CRYPTO_AEAD_ABORT_SID,
- TFM_CRYPTO_SIGN_MESSAGE_SID,
- TFM_CRYPTO_VERIFY_MESSAGE_SID,
- TFM_CRYPTO_SIGN_HASH_SID,
- TFM_CRYPTO_VERIFY_HASH_SID,
- TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID,
- TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID,
- TFM_CRYPTO_KEY_DERIVATION_SETUP_SID,
- TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID,
- TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID,
- TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID,
- TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID,
- TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID,
- TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID,
- TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID,
- TFM_CRYPTO_KEY_DERIVATION_ABORT_SID,
- TFM_CRYPTO_RAW_KEY_AGREEMENT_SID,
- TFM_CRYPTO_GENERATE_RANDOM_SID,
- TFM_CRYPTO_GENERATE_KEY_SID,
- TFM_CRYPTO_SID_MAX,
+#define TFM_CRYPTO_SERVICE_API_DESCRIPTION \
+ X(TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_OPEN_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_CLOSE_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_IMPORT_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_DESTROY_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_EXPORT_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_PURGE_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_COPY_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_GENERATE_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_MANAGEMENT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_HASH_COMPUTE_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_HASH_COMPARE_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_HASH_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_HASH_UPDATE_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_HASH_CLONE_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_HASH_FINISH_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_HASH_VERIFY_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_HASH_ABORT_SID, \
+ TFM_CRYPTO_GROUP_ID_HASH, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_MAC_COMPUTE_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_MAC_VERIFY_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_MAC_SIGN_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_MAC_VERIFY_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_MAC_UPDATE_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_MAC_SIGN_FINISH_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_MAC_VERIFY_FINISH_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_MAC_ABORT_SID, \
+ TFM_CRYPTO_GROUP_ID_MAC, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_CIPHER_ENCRYPT_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_CIPHER_DECRYPT_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_CIPHER_GENERATE_IV_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_CIPHER_SET_IV_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_CIPHER_UPDATE_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_CIPHER_FINISH_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_CIPHER_ABORT_SID, \
+ TFM_CRYPTO_GROUP_ID_CIPHER, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_ENCRYPT_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_AEAD_DECRYPT_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_SET_NONCE_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_SET_LENGTHS_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_UPDATE_AD_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_UPDATE_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_FINISH_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_VERIFY_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_AEAD_ABORT_SID, \
+ TFM_CRYPTO_GROUP_ID_AEAD, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_ASYMMETRIC_SIGN_MESSAGE_SID, \
+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_ASYMMETRIC_VERIFY_MESSAGE_SID, \
+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_ASYMMETRIC_SIGN_HASH_SID, \
+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_ASYMMETRIC_VERIFY_HASH_SID, \
+ TFM_CRYPTO_GROUP_ID_ASYM_SIGN, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, \
+ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, \
+ TFM_CRYPTO_GROUP_ID_ASYM_ENCRYPT, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_SETUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, \
+ TFM_CRYPTO_GROUP_ID_KEY_DERIVATION, \
+ TFM_CRYPTO_FUNCTION_TYPE_LOOKUP) \
+ X(TFM_CRYPTO_GENERATE_RANDOM_SID, \
+ TFM_CRYPTO_GROUP_ID_RANDOM, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+ X(TFM_CRYPTO_API_DISPATCHER_SID, \
+ TFM_CRYPTO_GROUP_ID_RANDOM, \
+ TFM_CRYPTO_FUNCTION_TYPE_NON_MULTIPART) \
+/**
+ * \brief Numerical progressive value identifying a function API exposed through
+ * the interfaces (S or NS). It's used to dispatch the requests from S/NS
+ * to the corresponding API implementation in the Crypto service backend.
+ */
+#define X(function_id, group_id, function_type) function_id,
+enum tfm_crypto_function_id {
+ TFM_CRYPTO_SERVICE_API_DESCRIPTION
};
+#undef X
/**
* \brief Define an invalid value for an SID
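Review bot: The enum `tfm_crypto_function_id` generated from `TFM_CRYPTO_SERVICE_API_DESCRIPTION` no longer ends with a sentinel such as the removed `TFM_CRYPTO_SID_MAX`, so this header gives the dispatcher no upper bound to test the caller-supplied `function_id` field of `struct tfm_crypto_pack_iovec` against. The dispatcher is outside this hunk and may bound the value another way, but the commit message says the per-call parameter count and size checks are removed, which makes the range check on `function_id` the main validation left at this boundary. If nothing else provides it, keep a terminator by adding `TFM_CRYPTO_SID_MAX,` on the line after `TFM_CRYPTO_SERVICE_API_DESCRIPTION` inside the enum. Separately, the last `X(TFM_CRYPTO_API_DISPATCHER_SID, ...)` entry still ends in a continuation backslash, so the `#define` is spliced into whatever line follows it. That appears harmless only because the next line is a comment or blank, and dropping the trailing `\` on that entry removes the hazard.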