From c21add49b5bb920220ab5ef67a394e1ca3d86d6d Mon Sep 17 00:00:00 2001 From: Raef Coles Date: Tue, 19 Jul 2022 11:12:30 +0100 Subject: [PATCH 4/8] Add TF-M builtin key driver Signed-off-by: Raef Coles Co-authored-by: Antonio de Angelis --- library/psa_crypto.c | 11 +++- library/psa_crypto_driver_wrappers.c | 97 +++++++++++++++++++++++++++- 2 files changed, 106 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index bc19ed07..df7776f3 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -82,6 +82,11 @@ #include "mbedtls/sha512.h" #include "hash_info.h" +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) +#include "tfm_crypto_defs.h" +#include "tfm_builtin_key_loader.h" +#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */ + #define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array))) #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ @@ -1011,7 +1016,11 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy( return status; } - if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime)) { + if (psa_key_lifetime_is_external((*p_slot)->attr.lifetime) +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + && PSA_KEY_LIFETIME_GET_LOCATION((*p_slot)->attr.lifetime) != TFM_BUILTIN_KEY_LOADER_KEY_LOCATION +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ + ) { psa_unlock_key_slot(*p_slot); *p_slot = NULL; return PSA_ERROR_NOT_SUPPORTED; diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index ce26b346..38251f11 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c 
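Review bot: In psa_get_and_lock_transparent_key_slot_with_policy() the added `&& PSA_KEY_LIFETIME_GET_LOCATION((*p_slot)->attr.lifetime) != TFM_BUILTIN_KEY_LOADER_KEY_LOCATION` clause exempts one non-local location from the external-key rejection, with no comment saying why that is safe. A reader of this guard cannot tell that such keys are expected to sit in the slot in export representation, as the comments in psa_crypto_driver_wrappers.c imply. I would add a comment such as `/* TF-M builtin keys use a non-local location but are loaded into the slot in export representation, so they are handled as transparent keys */`. The new condition line is also much longer than the surrounding code and could be wrapped. The function starts and ends outside the hunk.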
@@ -59,6 +59,18 @@ #include "cc3xx.h" #endif /* PSA_CRYPTO_DRIVER_CC3XX */ +/* Include TF-M builtin key driver */ +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) +#ifndef PSA_CRYPTO_DRIVER_PRESENT +#define PSA_CRYPTO_DRIVER_PRESENT +#endif +#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT +#define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT +#endif +#include "tfm_crypto_defs.h" +#include "tfm_builtin_key_loader.h" +#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */ + #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ /* END-driver headers */ @@ -72,6 +84,9 @@ #if defined(PSA_CRYPTO_DRIVER_CC3XX) #define PSA_CRYPTO_CC3XX_DRIVER_ID (4) #endif /* PSA_CRYPTO_DRIVER_CC3XX */ +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) +#define PSA_CRYPTO_TFM_BUILTIN_KEY_LOADER_DRIVER_ID (5) +#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */ /* END-driver id */ @@ -93,6 +108,12 @@ psa_status_t psa_driver_wrapper_init( void ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + status = tfm_builtin_key_loader_init(); + if (status != PSA_SUCCESS) + return ( status ); +#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */ + #if defined(PSA_CRYPTO_DRIVER_CC3XX) status = cc3xx_init(); if (status != PSA_SUCCESS) @@ -156,6 +177,9 @@ psa_status_t psa_driver_wrapper_sign_message( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) 
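Review bot: The driver-headers block defines `PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT` for the key loader, yet no hunk in this patch calls a loader entry point from the transparent-accelerator sections; the only loader calls added are init, get_key_buffer_size and get_builtin_key. The comment `/* Include TF-M builtin key driver */` should say why the macro is needed, for example `/* The key loader is not an accelerator; the macro is defined so the transparent dispatch code is compiled in for keys at its location */`, if that is the intent. If the define is not required, dropping it avoids compiling empty accelerator sections when no other driver is enabled.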
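Review bot: In psa_driver_wrapper_sign_message() the new `case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION:` label falls under the existing comment "Key is stored in the slot in export representation", which now also has to hold for builtin keys but is not restated for them. I would extend that comment, e.g. `/* Local keys, and TF-M builtin keys once loaded, are held in the slot in export representation */`. The same three-line `#if` block is repeated in every later switch, from verify_message through asymmetric_decrypt. A wrapper that misses it would send builtin keys to its `default:` branch, so a short note next to the driver-id definitions stating this requirement would help future maintainers. The switch starts and ends outside the hunk.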
@@ -244,6 +268,9 @@ psa_status_t psa_driver_wrapper_verify_message( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -343,6 +370,9 @@ psa_status_t psa_driver_wrapper_sign_hash( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -439,6 +469,9 @@ psa_status_t psa_driver_wrapper_verify_hash( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -828,7 +861,11 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size( return( ( *key_buffer_size != 0 ) ? PSA_SUCCESS : PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_DRIVER_TEST */ - +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: + return tfm_builtin_key_loader_get_key_buffer_size(psa_get_key_id(attributes), + key_buffer_size); +#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */ default: (void)key_type; (void)key_bits; 
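Review bot: In psa_driver_wrapper_get_key_buffer_size() the new case returns the loader's status as-is, while the test-driver branch just above maps a zero `*key_buffer_size` to `PSA_ERROR_NOT_SUPPORTED`. Whether the loader can report success with a zero size is not visible here, but adding `if( *key_buffer_size == 0 ) return( PSA_ERROR_NOT_SUPPORTED );` after a successful call would keep the two branches consistent. The `return` also omits the `return( ... )` form used elsewhere in the file, and the hunk removes the blank line that separated the two `#if` blocks. The function body starts and ends outside the hunk.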
@@ -868,6 +905,9 @@ psa_status_t psa_driver_wrapper_generate_key( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) /* Transparent drivers are limited to generating asymmetric keys */ if( PSA_KEY_TYPE_IS_ASYMMETRIC( attributes->core.type ) ) @@ -960,6 +1000,9 @@ psa_status_t psa_driver_wrapper_import_key( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -1046,6 +1089,9 @@ psa_status_t psa_driver_wrapper_export_key( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ return( psa_export_key_internal( attributes, key_buffer, key_buffer_size, @@ -1111,6 +1157,9 @@ psa_status_t psa_driver_wrapper_export_public_key( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) 
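Review bot: psa_driver_wrapper_generate_key() and, in the next hunk, psa_driver_wrapper_import_key() now accept `TFM_BUILTIN_KEY_LOADER_KEY_LOCATION` on the same path as local storage, which reads as if callers may create new keys at the location reserved for platform builtin keys. Nothing in these hunks shows an earlier check that rejects key creation at that location. Either leave the label out of these two switches so the request reaches their `default:` branch, or add a comment stating where creation is refused, e.g. `/* Key creation at the builtin location is rejected before this point by <check to be named> */`. Both switches start and end outside the hunks.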
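Review bot: In psa_driver_wrapper_export_key() the new label routes builtin keys to `psa_export_key_internal()`, so their material can be copied out of the slot in cleartext whenever the caller passes the usage-policy check, which is presumably made before this wrapper and is not visible in the hunk. For platform keys that means confidentiality rests entirely on the attributes the loader assigns. A comment here should say so, e.g. `/* Builtin keys are exportable only if the attributes set by the loader grant PSA_KEY_USAGE_EXPORT */`. The switch starts and ends outside the hunk.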
@@ -1196,6 +1245,13 @@ psa_status_t psa_driver_wrapper_get_builtin_key( #endif /* PSA_CRYPTO_DRIVER_TEST */ +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: + return( tfm_builtin_key_loader_get_builtin_key( + slot_number, + attributes, + key_buffer, key_buffer_size, key_buffer_length ) ); +#endif /* PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER */ default: (void) slot_number; (void) key_buffer; @@ -1281,6 +1337,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -1385,6 +1444,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -1474,6 +1536,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) 
@@ -1557,6 +1622,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -2041,6 +2109,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ @@ -2104,6 +2175,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ @@ -2164,6 +2238,9 @@ psa_status_t psa_driver_wrapper_aead_encrypt_setup( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ 
@@ -2221,6 +2298,9 @@ psa_status_t psa_driver_wrapper_aead_decrypt_setup( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ @@ -2618,6 +2698,9 @@ psa_status_t psa_driver_wrapper_mac_compute( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -2688,6 +2771,9 @@ psa_status_t psa_driver_wrapper_mac_sign_setup( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -2769,6 +2855,9 @@ psa_status_t psa_driver_wrapper_mac_verify_setup( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) 
@@ -2997,6 +3086,9 @@ psa_status_t psa_driver_wrapper_asymmetric_encrypt( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -3069,6 +3161,9 @@ psa_status_t psa_driver_wrapper_asymmetric_decrypt( switch( location ) { case PSA_KEY_LOCATION_LOCAL_STORAGE: +#if defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) + case TFM_BUILTIN_KEY_LOADER_KEY_LOCATION: +#endif /* defined(PSA_CRYPTO_DRIVER_TFM_BUILTIN_KEY_LOADER) */ /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) -- 2.25.1