1 /*
2  * Copyright (c) 2022-2023, Arm Limited. All rights reserved.
3  *
4  * SPDX-License-Identifier: BSD-3-Clause
5  *
6  */
7 
8 #include "pq_crypto.h"
9 #include "crypto.h"
10 #include "mbedtls/lms.h"
11 #include "otp.h"
12 #include "psa/crypto.h"
13 
psa_hash_setup(psa_hash_operation_t * operation,psa_algorithm_t alg)14 psa_status_t psa_hash_setup(
15     psa_hash_operation_t *operation,
16     psa_algorithm_t alg)
17 {
18     (void)operation;
19     (void)alg;
20 
21     return fih_int_decode(bl1_sha256_init());
22 }
23 
psa_hash_update(psa_hash_operation_t * operation,const uint8_t * input,size_t input_length)24 psa_status_t psa_hash_update(
25     psa_hash_operation_t *operation,
26     const uint8_t *input,
27     size_t input_length)
28 {
29     (void)operation;
30 
31     return fih_int_decode(bl1_sha256_update((unsigned char *)input, input_length));
32 }
33 
psa_hash_finish(psa_hash_operation_t * operation,uint8_t * hash,size_t hash_size,size_t * hash_length)34 psa_status_t psa_hash_finish(
35     psa_hash_operation_t *operation,
36     uint8_t *hash,
37     size_t hash_size,
38     size_t *hash_length)
39 {
40     (void)operation;
41     (void)hash_size;
42 
43     *hash_length = 32;
44     return fih_int_decode(bl1_sha256_finish(hash));
45 }
46 
psa_hash_abort(psa_hash_operation_t * operation)47 psa_status_t psa_hash_abort(
48     psa_hash_operation_t *operation)
49 {
50     (void)operation;
51 
52     return PSA_SUCCESS;
53 }
54 
pq_crypto_verify(enum tfm_bl1_key_id_t key,const uint8_t * data,size_t data_length,const uint8_t * signature,size_t signature_length)55 fih_int pq_crypto_verify(enum tfm_bl1_key_id_t key,
56                          const uint8_t *data,
57                          size_t data_length,
58                          const uint8_t *signature,
59                          size_t signature_length)
60 {
61     int rc;
62     fih_int fih_rc;
63     mbedtls_lms_public_t ctx;
64     uint8_t key_buf[MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10)];
65 
66     FIH_CALL(bl1_otp_read_key, fih_rc, key, key_buf);
67     if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
68         FIH_RET(FIH_FAILURE);
69     }
70 
71     mbedtls_lms_public_init(&ctx);
72 
73     rc = mbedtls_lms_import_public_key(&ctx, key_buf, MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10));
74     fih_rc = fih_int_encode_zero_equality(rc);
75     if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
76         fih_rc = FIH_FAILURE;
77         goto out;
78     }
79 
80     rc = mbedtls_lms_verify(&ctx, data, data_length, signature, signature_length);
81     fih_rc = fih_int_encode_zero_equality(rc);
82 
83 out:
84     mbedtls_lms_public_free(&ctx);
85     FIH_RET(fih_rc);
86 }
87 
pq_crypto_get_pub_key_hash(enum tfm_bl1_key_id_t key,uint8_t * hash,size_t hash_size,size_t * hash_length)88 int pq_crypto_get_pub_key_hash(enum tfm_bl1_key_id_t key,
89                                uint8_t *hash,
90                                size_t hash_size,
91                                size_t *hash_length)
92 {
93     fih_int fih_rc;
94     uint8_t key_buf[MBEDTLS_LMS_PUBLIC_KEY_LEN(MBEDTLS_LMS_SHA256_M32_H10)];
95 
96     if (hash_size < 32) {
97         return -1;
98     }
99 
100     fih_rc = bl1_otp_read_key(key, key_buf);
101     if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
102         return -1;
103     }
104 
105     fih_rc = bl1_sha256_compute(key_buf, sizeof(key_buf), hash);
106     if (fih_not_eq(fih_rc, FIH_SUCCESS)) {
107         return -1;
108     }
109 
110     *hash_length = 32;
111     return 0;
112 }
113