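/*
 * Copyright (c) 2023, Arm Limited. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 *
 */

#ifndef __RSE_KEY_DERIVATION_H__
#define __RSE_KEY_DERIVATION_H__

#include <stdint.h>
#include <stddef.h>
#include "rse_kmu_slot_ids.h"

#ifdef __cplusplus
extern "C" {
#endif

/*
 * RSE key-derivation interface.
 *
 * Every function declared here returns 0 on success and non-zero on error.
 * Apart from rse_derive_vhuk_seed(), which writes into a caller-supplied
 * buffer, each function derives its output into a KMU slot and locks it.
 * Callers should check every return value before relying on the output
 * buffer or the target slot.
 *
 * NOTE(review): what "lock" implies for a KMU slot (for example whether the
 * slot can still be read or overwritten by software) is defined by the KMU
 * driver, not by this header - confirm there.
 */

/**
 * \brief                        Derive a VHUK seed.
 *
 * \note                         Unlike the other derivations in this header,
 *                               the result is written to caller memory rather
 *                               than to a KMU slot. The seed is key-derivation
 *                               input, so callers presumably should erase the
 *                               buffer once it has been consumed - confirm
 *                               against the callers.
 *
 * \note                         NOTE(review): the unit of
 *                               \p vhuk_seed_buf_len and \p vhuk_seed_size
 *                               (bytes or 32-bit words) is not stated here,
 *                               and the state of the buffer after a failure is
 *                               not specified; treat it as invalid on a
 *                               non-zero return.
 *
 * \param[out] vhuk_seed         The buffer to derive the seed into.
 * \param[in]  vhuk_seed_buf_len The size of the seed buffer.
 * \param[out] vhuk_seed_size    The size of the seed.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_vhuk_seed(uint32_t *vhuk_seed, size_t vhuk_seed_buf_len,
                         size_t *vhuk_seed_size);

/**
 * \brief                        Derive the CPAK seed, and lock in a KMU slot.
 *
 * \param[in]  slot              The KMU slot to derive and lock the seed into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_cpak_seed(enum rse_kmu_slot_id_t slot);

/**
 * \brief                        Derive the DAK seed, and lock in a KMU slot.
 *
 * \param[in]  slot              The KMU slot to derive and lock the seed into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_dak_seed(enum rse_kmu_slot_id_t slot);

/**
 * \brief                        Derive the RoT CDI, and lock in a KMU slot.
 *
 * \param[in]  slot              The KMU slot to derive and lock the CDI into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_rot_cdi(enum rse_kmu_slot_id_t slot);

/**
 * \brief                        Derive the VHUK, and lock in a KMU slot.
 *
 * \param[in]  vhuk_seeds        A buffer containing the seed values.
 * \param[in]  vhuk_seeds_len    The size of the vhuk_seeds buffer. This must be
 *                               RSE_AMOUNT * 32 in size.
 * \param[in]  slot              The KMU slot to derive and lock the VHUK into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_vhuk(const uint8_t *vhuk_seeds, size_t vhuk_seeds_len,
                    enum rse_kmu_slot_id_t slot);

/**
 * \brief                        Derive the session key, and lock into two KMU
 *                               slots.
 *
 * \note                         Due to a limitation in KMU key export, keys
 *                               used for AEAD (such as this one) require two
 *                               slots. The slots used will be `slot` and
 *                               `slot + 1`. It is invalid for `slot` to be
 *                               `KMU_USER_SLOT_MAX` (presumably because
 *                               `slot + 1` would then not be a usable slot).
 *
 * \param[in]  ivs               A buffer containing the iv values.
 * \param[in]  ivs_len           The size of the ivs buffer. This must be
 *                               RSE_AMOUNT * 32 in size.
 * \param[in]  slot              The first of the two KMU slots to derive and
 *                               lock the key into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_session_key(const uint8_t *ivs, size_t ivs_len,
                           enum rse_kmu_slot_id_t slot);

/**
 * \brief                        Derive the CM provisioning key, and lock into
 *                               two KMU slots.
 *
 * \note                         Due to a limitation in KMU key export, keys
 *                               used for AEAD (such as this one) require two
 *                               slots. The slots used will be `slot` and
 *                               `slot + 1`. It is invalid for `slot` to be
 *                               `KMU_USER_SLOT_MAX` (presumably because
 *                               `slot + 1` would then not be a usable slot).
 *
 * \param[in]  slot              The first of the two KMU slots to derive and
 *                               lock the key into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_cm_provisioning_key(enum rse_kmu_slot_id_t slot);

/**
 * \brief                        Derive the DM provisioning key, and lock into
 *                               two KMU slots.
 *
 * \note                         Due to a limitation in KMU key export, keys
 *                               used for AEAD (such as this one) require two
 *                               slots. The slots used will be `slot` and
 *                               `slot + 1`. It is invalid for `slot` to be
 *                               `KMU_USER_SLOT_MAX` (presumably because
 *                               `slot + 1` would then not be a usable slot).
 *
 * \param[in]  slot              The first of the two KMU slots to derive and
 *                               lock the key into.
 *
 * \return                       0 on success, non-zero on error.
 */
int rse_derive_dm_provisioning_key(enum rse_kmu_slot_id_t slot);

#ifdef __cplusplus
}
#endif

#endif /* __RSE_KEY_DERIVATION_H__ */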