TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / shared / psa-adac / 6cff9c209694d13dacb0d3af9326711261d8f1d1^! / .
commit6cff9c209694d13dacb0d3af9326711261d8f1d1[log] [tgz]
authorMathias Brossard <mathias.brossard@arm.com>Wed Feb 19 22:25:51 2025 -0600
committerMathias Brossard <mathias.brossard@arm.com>Wed Feb 19 22:25:51 2025 -0600
tree28a2992652ce632db771cc444f2a4c14d134c55c
parent0e405f34418227020a19c6efb4c4f9af52ceefdd [diff]
ADAC: Add support for ECDSA P-384

Change-Id: I1d62b36ff5cff4e07fce94a54b45f8ff5babd727
Signed-off-by: Mathias Brossard <mathias.brossard@arm.com>

diff --git a/cmake/psa_adac.cmake b/cmake/psa_adac.cmake
index 54c5c5d..6f4d639 100644
--- a/cmake/psa_adac.cmake
+++ b/cmake/psa_adac.cmake

@@ -1,5 +1,5 @@
 #-------------------------------------------------------------------------------
-# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2025, Arm Limited. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@@ -11,6 +11,7 @@
 set(PSA_ADAC_TOOLCHAIN    TRUE    CACHE BOOL "Whether to use psa-adac toolchain.")
 
 set(PSA_ADAC_EC_P256 On CACHE BOOL "Enable support for ECDSA P-256")
+set(PSA_ADAC_EC_P384 On CACHE BOOL "Enable support for ECDSA P-384")
 set(PSA_ADAC_EC_P521 On CACHE BOOL "Enable support for ECDSA P-521")
 set(PSA_ADAC_RSA3072 On CACHE BOOL "Enable support for RSA 3072")
 set(PSA_ADAC_RSA4096 On CACHE BOOL "Enable support for RSA 4096")
@@ -39,6 +40,7 @@
 
 if (PSA_ADAC_MINIMUM_SIZE_CONFIG AND NOT (PLATFORM_NAME STREQUAL "native"))
     # set(PSA_ADAC_EC_P256 On)
+    set(PSA_ADAC_EC_P384 Off)
     set(PSA_ADAC_EC_P521 Off)
     set(PSA_ADAC_RSA3072 Off)
     set(PSA_ADAC_RSA4096 Off)

diff --git a/psa-adac/core/include/psa_adac.h b/psa-adac/core/include/psa_adac.h
index b190992..ddc8118 100644
--- a/psa-adac/core/include/psa_adac.h
+++ b/psa-adac/core/include/psa_adac.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -47,7 +47,8 @@
     ED_448_SHAKE256 = 0x06,   /**< EC key using Curve448, EdDSA signature with SHAKE-256 */
     SM_SM2_SM3 = 0x07,        /**< EC key using SM2, ECDSA/SM signature with SM3 */
     CMAC_AES = 0x08,          /**< AES-128 key, CMAC MAC */
-    HMAC_SHA256 = 0x09        /**< 256-bit key, HMAC-SHA-256 MAC */
+    HMAC_SHA256 = 0x09,       /**< 256-bit key, HMAC-SHA-256 MAC */
+    ECDSA_P384_SHA384 = 0x0A  /**< EC key using P-384 curve, ECDSA signature with SHA-384 */
 } key_options_t;
 
 /**

diff --git a/psa-adac/core/include/psa_adac_config.h.in b/psa-adac/core/include/psa_adac_config.h.in
index 57510a3..efcfd68 100644
--- a/psa-adac/core/include/psa_adac_config.h.in
+++ b/psa-adac/core/include/psa_adac_config.h.in

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025 Arm Limited. All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
@@ -12,6 +12,7 @@
 #cmakedefine PSA_ADAC_MINIMUM_SIZE_CONFIG
 
 #cmakedefine PSA_ADAC_EC_P256
+#cmakedefine PSA_ADAC_EC_P384
 #cmakedefine PSA_ADAC_EC_P521
 #cmakedefine PSA_ADAC_RSA3072
 #cmakedefine PSA_ADAC_RSA4096

diff --git a/psa-adac/core/include/psa_adac_cryptosystems.h b/psa-adac/core/include/psa_adac_cryptosystems.h
index f694469..753435e 100644
--- a/psa-adac/core/include/psa_adac_cryptosystems.h
+++ b/psa-adac/core/include/psa_adac_cryptosystems.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020 Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025 Arm Limited. All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
@@ -49,6 +49,41 @@
 
 #endif // PSA_ADAC_EC_P256
 
+#ifdef PSA_ADAC_EC_P384
+
+/** \addtogroup ecdsap384
+ * @{
+ */
+
+#define ECDSA_P384_PUBLIC_KEY_SIZE 96
+#define ECDSA_P384_SIGNATURE_SIZE  96
+#define ECDSA_P384_HASH_SIZE       48
+#define ECDSA_P384_HASH_ALGORITHM  PSA_ALG_SHA_384
+#define ECDSA_P384_SIGN_ALGORITHM  PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384)
+
+/** \brief ADAC certificate structure for ECDSA with P-384 curve cryptosystem
+ */
+typedef struct {
+    certificate_header_t header;
+    uint8_t pubkey[ECDSA_P384_PUBLIC_KEY_SIZE]; // P-384 public key
+    uint8_t extensions_hash[ECDSA_P384_HASH_SIZE]; // SHA-384 hash
+    uint8_t signature[ECDSA_P384_SIGNATURE_SIZE]; // P-384 with SHA-384 signature
+    uint32_t extensions[];
+} certificate_p384_p384_t;
+
+/** \brief ADAC token structure for ECDSA with P-384 curve cryptosystem
+ */
+typedef struct {
+    token_header_t header;
+    uint8_t extensions_hash[ECDSA_P384_HASH_SIZE]; // SHA-384 hash
+    uint8_t signature[ECDSA_P384_SIGNATURE_SIZE]; // P-384 with SHA-384 signature
+    uint32_t extensions[];
+} token_p384_t;
+
+/**@}*/
+
+#endif // PSA_ADAC_EC_P384
+
 #ifdef PSA_ADAC_EC_P521
 
 /** \addtogroup ecdsap521

diff --git a/psa-adac/core/src/adac_certificate.c b/psa-adac/core/src/adac_certificate.c
index f077d0f..36a7850 100644
--- a/psa-adac/core/src/adac_certificate.c
+++ b/psa-adac/core/src/adac_certificate.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025 Arm Limited. All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
@@ -23,6 +23,10 @@
 #ifdef PSA_ADAC_EC_P256
             body_size = sizeof(certificate_p256_p256_t);
 #endif
+        } else if ((h_crt->key_type == ECDSA_P384_SHA384) && (h_crt->signature_type == ECDSA_P384_SHA384)) {
+#ifdef PSA_ADAC_EC_P384
+            body_size = sizeof(certificate_p384_p384_t);
+#endif
         } else if ((h_crt->key_type == ECDSA_P521_SHA512) && (h_crt->signature_type == ECDSA_P521_SHA512)) {
 #ifdef PSA_ADAC_EC_P521
             body_size = sizeof(certificate_p521_p521_t);
@@ -129,6 +133,21 @@
 #else
         r = PSA_ERROR_NOT_SUPPORTED;
 #endif
+    } else if ((h_crt->key_type == ECDSA_P384_SHA384) && (h_crt->signature_type == ECDSA_P384_SHA384)) {
+#ifdef PSA_ADAC_EC_P384
+        certificate_p384_p384_t *s_crt = (certificate_p384_p384_t *) crt;
+        sig = s_crt->signature;
+        sig_algo = ECDSA_P384_SIGN_ALGORITHM;
+        sig_size = sizeof(s_crt->signature);
+        tbs_size = offsetof(certificate_p384_p384_t, signature);
+        body_size = sizeof(certificate_p384_p384_t);
+        ext = (uint8_t *) s_crt->extensions;
+        ext_hash = s_crt->extensions_hash;
+        hash_size = sizeof(s_crt->extensions_hash);
+        hash_algo = ECDSA_P384_HASH_ALGORITHM;
+#else
+        r = PSA_ERROR_NOT_SUPPORTED;
+#endif
     } else if ((h_crt->key_type == ECDSA_P521_SHA512) && (h_crt->signature_type == ECDSA_P521_SHA512)) {
 #ifdef PSA_ADAC_EC_P521
         certificate_p521_p521_t *s_crt = (certificate_p521_p521_t *) crt;

diff --git a/psa-adac/core/src/adac_crypto.c b/psa-adac/core/src/adac_crypto.c
index 26c3175..d4ecd5e 100644
--- a/psa-adac/core/src/adac_crypto.c
+++ b/psa-adac/core/src/adac_crypto.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025 Arm Limited. All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
@@ -52,6 +52,17 @@
 #else
         ret = PSA_ERROR_NOT_SUPPORTED;
 #endif
+    } else if ((header->key_type == ECDSA_P384_SHA384) &&
+               (header->signature_type == ECDSA_P384_SHA384)) {
+#ifdef PSA_ADAC_EC_P384
+        certificate_p384_p384_t *certificate = (certificate_p384_p384_t *) crt;
+        body_size = sizeof(certificate_p384_p384_t);
+        ext_bytes = certificate->header.extensions_bytes;
+        *pubkey = certificate->pubkey;
+        *pubkey_size = sizeof(certificate->pubkey);
+#else
+        ret = PSA_ERROR_NOT_SUPPORTED;
+#endif
     } else if ((header->key_type == ECDSA_P521_SHA512) &&
                (header->signature_type == ECDSA_P521_SHA512)) {
 #ifdef PSA_ADAC_EC_P521

diff --git a/psa-adac/core/src/adac_token.c b/psa-adac/core/src/adac_token.c
index a2205a9..f24c4a3 100755
--- a/psa-adac/core/src/adac_token.c
+++ b/psa-adac/core/src/adac_token.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2023 Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025 Arm Limited. All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
@@ -42,6 +42,21 @@
 #else
         ret = PSA_ERROR_NOT_SUPPORTED;
 #endif
+    } else if (header->signature_type == ECDSA_P384_SHA384) {
+#ifdef PSA_ADAC_EC_P384
+        token_p384_t *_token = (token_p384_t *) token;
+        _body_size = sizeof(token_p384_t);
+        _tbs_size = offsetof(token_p384_t, signature);
+        _sig_size = sizeof(_token->signature);
+        _sig = _token->signature;
+        _hash_algo = ECDSA_P384_HASH_ALGORITHM;
+        _sig_algo = ECDSA_P384_SIGN_ALGORITHM;
+        ext_hash_size = sizeof(_token->extensions_hash);
+        ext_hash = _token->extensions_hash;
+        exts = (uint8_t *) _token->extensions;
+#else
+        ret = PSA_ERROR_NOT_SUPPORTED;
+#endif
     } else if (header->signature_type == ECDSA_P521_SHA512) {
 #ifdef PSA_ADAC_EC_P521
         token_p521_t *_token = (token_p521_t *) token;

diff --git a/psa-adac/sdm/src/psa_adac_sdm.c b/psa-adac/sdm/src/psa_adac_sdm.c
index c993ee5..45d2572 100644
--- a/psa-adac/sdm/src/psa_adac_sdm.c
+++ b/psa-adac/sdm/src/psa_adac_sdm.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2025, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -194,6 +194,13 @@
             p_size = 32;
             offset = 7;
             *type = ECDSA_P256_SHA256;
+        } else if (bit_len == 384) {
+            PSA_ADAC_LOG_DEBUG("sdm", "Importing EC P-384 key\n");
+            psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
+            psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384));
+            p_size = 48;
+            offset = 8;
+            *type = ECDSA_P384_SHA384;
         } else if (bit_len == 521) {
             PSA_ADAC_LOG_DEBUG("sdm", "Importing EC P-521 key\n");
             psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));

diff --git a/psa-adac/sdm/src/sdm_token.c b/psa-adac/sdm/src/sdm_token.c
index 589c78a..90ff81d 100644
--- a/psa-adac/sdm/src/sdm_token.c
+++ b/psa-adac/sdm/src/sdm_token.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Arm Limited. All rights reserved.
+ * Copyright (c) 2022-2025, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -112,6 +112,22 @@
 #else
         return PSA_ERROR_NOT_SUPPORTED;
 #endif /* PSA_ADAC_EC_P256 */
+    } else if (signature_type == ECDSA_P384_SHA384) {
+#ifdef PSA_ADAC_EC_P384
+        token_size = sizeof(token_p384_t) + exts_size;
+        _fragment = (uint8_t *) calloc(1, token_size + sizeof(psa_tlv_t));
+        token_p384_t *token = (token_p384_t *) (_fragment + sizeof(psa_tlv_t));
+        tbs_size = token->signature - (uint8_t *) token;
+        body_size = sizeof(*token);
+        sig = token->signature;
+        sig_size = sizeof(token->signature);
+        hash_algo = ECDSA_P384_HASH_ALGORITHM;
+        sig_algo = ECDSA_P384_SIGN_ALGORITHM;
+        ext_hash = token->extensions_hash;
+        ext_hash_size = sizeof(token->extensions_hash);
+#else
+        return PSA_ERROR_NOT_SUPPORTED;
+#endif /* PSA_ADAC_EC_P384 */
     } else if (signature_type == ECDSA_P521_SHA512) {
 #ifdef PSA_ADAC_EC_P521
         token_size = sizeof(token_p521_t) + exts_size;

diff --git a/psa_crypto/adac_crypto_psa_pk.c b/psa_crypto/adac_crypto_psa_pk.c
index b5dab4b..05b1c2a 100644
--- a/psa_crypto/adac_crypto_psa_pk.c
+++ b/psa_crypto/adac_crypto_psa_pk.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2024, Arm Limited. All rights reserved.
+ * Copyright (c) 2020-2025, Arm Limited. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  *
@@ -201,6 +201,36 @@
 
 #endif /* PSA_ADAC_EC_P256 */
 
+#ifdef PSA_ADAC_EC_P384
+
+static psa_status_t load_ecdsa_p384_public_key(uint8_t *key,
+                                               size_t key_size,
+                                               psa_key_handle_t *handle)
+{
+    psa_status_t ret;
+    ADAC_STATIC uint8_t pub_key[ECDSA_P384_PUBLIC_KEY_SIZE + 1] = {0x04};
+
+    if (ECDSA_P384_PUBLIC_KEY_SIZE == key_size) {
+
+        (void) memcpy(&(pub_key[1]), key, ECDSA_P384_PUBLIC_KEY_SIZE);
+        psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+        psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+        psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));
+        psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384));
+        psa_set_key_lifetime(&attributes, PSA_KEY_LIFETIME_VOLATILE);
+        psa_set_key_bits(&attributes, 384);
+
+        ret = psa_import_key(&attributes, pub_key, sizeof(pub_key), handle);
+    } else {
+
+        ret = PSA_ERROR_INVALID_ARGUMENT;
+    }
+
+    return ret;
+}
+
+#endif /* PSA_ADAC_EC_P384 */
+
 #ifdef PSA_ADAC_EC_P521
 
 static psa_status_t load_ecdsa_p521_public_key(uint8_t *key,
@@ -242,6 +272,11 @@
         PSA_ADAC_LOG_TRACE("psa-crypto", "Load EcdsaP256 Public-key\n");
         ret = load_ecdsa_p256_public_key(key, key_size, handle);
 #endif /* PSA_ADAC_EC_P256 */
+    } else if (key_type == ECDSA_P384_SHA384) {
+#ifdef PSA_ADAC_EC_P384
+        PSA_ADAC_LOG_TRACE("psa-crypto", "Load EcdsaP384 Public-key\n");
+        ret = load_ecdsa_p384_public_key(key, key_size, handle);
+#endif /* PSA_ADAC_EC_P384 */
     } else if (key_type == ECDSA_P521_SHA512) {
 #ifdef PSA_ADAC_EC_P521
         PSA_ADAC_LOG_TRACE("psa-crypto", "Load EcdsaP521 Public-key\n");

diff --git a/target/trusted-firmware-m/authenticator-crypto-config.h b/target/trusted-firmware-m/authenticator-crypto-config.h
index ab2f1c6..a55e6ac 100644
--- a/target/trusted-firmware-m/authenticator-crypto-config.h
+++ b/target/trusted-firmware-m/authenticator-crypto-config.h

@@ -37,7 +37,8 @@
 #endif
 
 /* PSA ADAC */
-#if defined(PSA_ADAC_EC_P256) || defined(PSA_ADAC_EC_P521)
+#if defined(PSA_ADAC_EC_P256) || defined(PSA_ADAC_EC_P384) \
+    || defined(PSA_ADAC_EC_P521)
 #define MBEDTLS_ECDSA_C
 #define MBEDTLS_ECP_C
 #define MBEDTLS_ASN1_PARSE_C
@@ -51,6 +52,9 @@
 #if defined(PSA_ADAC_EC_P256)
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
 #endif
+#if defined(PSA_ADAC_EC_P384)
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
 #if defined(PSA_ADAC_EC_P521)
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #endif
@@ -67,6 +71,10 @@
 #define MBEDTLS_SHA224_C
 #define MBEDTLS_SHA256_C
 #define MBEDTLS_SHA256_SMALLER
+#if defined(PSA_ADAC_EC_P384)
+#define MBEDTLS_SHA384_C
+#define MBEDTLS_SHA384_SMALLER
+#endif
 #if defined(PSA_ADAC_EC_P521) || defined(PSA_ADAC_ED25519)
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_SHA512_SMALLER