1 /*
2 * Copyright (c) 2022-2023, STMicroelectronics - All Rights Reserved
3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7 #include <assert.h>
8 #include <endian.h>
9 #include <errno.h>
10
11 #include <common/debug.h>
12 #include <drivers/auth/crypto_mod.h>
13 #include <drivers/io/io_storage.h>
14 #include <drivers/st/bsec.h>
15 #include <drivers/st/stm32_hash.h>
16 #include <drivers/st/stm32_pka.h>
17 #include <drivers/st/stm32_rng.h>
18 #include <drivers/st/stm32_saes.h>
19 #include <lib/utils.h>
20 #include <lib/xlat_tables/xlat_tables_v2.h>
21 #include <mbedtls/asn1.h>
22 #include <mbedtls/md.h>
23 #include <mbedtls/oid.h>
24 #include <mbedtls/platform.h>
25 #include <mbedtls/x509.h>
26 #include <plat/common/platform.h>
27 #include <tools_share/firmware_encrypted.h>
28
29 #include <platform_def.h>
30
31 #define CRYPTO_HASH_MAX_SIZE 32U
32 #define CRYPTO_SIGN_MAX_SIZE 64U
33 #define CRYPTO_PUBKEY_MAX_SIZE 64U
34 #define CRYPTO_MAX_TAG_SIZE 16U
35
36 /* brainpoolP256t1 OID is not defined in mbedTLS */
37 #define OID_EC_GRP_BP256T1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x08"
38
39 #if STM32MP_CRYPTO_ROM_LIB
40 struct stm32mp_auth_ops {
41 uint32_t (*verify_signature)(uint8_t *hash_in, uint8_t *pubkey_in,
42 uint8_t *signature, uint32_t ecc_algo);
43 };
44
45 static struct stm32mp_auth_ops auth_ops;
46 #endif
47
crypto_lib_init(void)48 static void crypto_lib_init(void)
49 {
50 boot_api_context_t *boot_context __maybe_unused;
51 int ret;
52
53 NOTICE("TRUSTED_BOARD_BOOT support enabled\n");
54
55 ret = stm32_hash_register();
56 if (ret != 0) {
57 ERROR("HASH init (%d)\n", ret);
58 panic();
59 }
60
61 if (stm32mp_is_closed_device() || stm32mp_is_auth_supported()) {
62 #if STM32MP_CRYPTO_ROM_LIB
63 boot_context = (boot_api_context_t *)stm32mp_get_boot_ctx_address();
64 auth_ops.verify_signature = boot_context->bootrom_ecdsa_verify_signature;
65 #else
66 /* Use hardware peripherals */
67 if (stm32_rng_init() != 0) {
68 panic();
69 }
70
71 if (stm32_saes_driver_init() != 0) {
72 panic();
73 }
74
75 if (stm32_pka_init() != 0) {
76 panic();
77 }
78 #endif
79 }
80 }
81
get_plain_pk_from_asn1(void * pk_ptr,unsigned int pk_len,void ** plain_pk,size_t * len,int * pk_alg)82 static int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk,
83 size_t *len, int *pk_alg)
84 {
85 int ret;
86 mbedtls_pk_context mbedtls_pk = {0};
87 unsigned char *p, *end;
88 mbedtls_asn1_buf alg_params = {0};
89 mbedtls_asn1_buf alg_oid = {0};
90
91 *plain_pk = NULL;
92 *len = 0U;
93
94 /* Parse the public key */
95 mbedtls_pk_init(&mbedtls_pk);
96 p = (unsigned char *)pk_ptr;
97 end = (unsigned char *)(p + pk_len);
98
99 ret = mbedtls_asn1_get_tag(&p, end, len,
100 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
101 if (ret != 0) {
102 return -EINVAL;
103 }
104
105 end = p + *len;
106 ret = mbedtls_asn1_get_alg(&p, end, &alg_oid, &alg_params);
107 if (ret != 0) {
108 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret);
109 return -EINVAL;
110 }
111
112 if (pk_alg != NULL) {
113 if ((strlen(MBEDTLS_OID_EC_GRP_SECP256R1) == alg_params.len) &&
114 (memcmp(MBEDTLS_OID_EC_GRP_SECP256R1, alg_params.p, alg_params.len) == 0)) {
115 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_P256NIST;
116 } else if ((strlen(OID_EC_GRP_BP256T1) == alg_params.len) &&
117 (memcmp(OID_EC_GRP_BP256T1, alg_params.p, alg_params.len) == 0)) {
118 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256;
119 } else {
120 ERROR("%s: Algorithm is not supported\n", __func__);
121 return -EINVAL;
122 }
123 }
124
125 ret = mbedtls_asn1_get_bitstring_null(&p, end, len);
126 if (ret != 0) {
127 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret);
128 return -EINVAL;
129 }
130
131 /* We remove the ident (0x04) first byte. */
132 if ((*len < 1U) || (p[0] != MBEDTLS_ASN1_OCTET_STRING)) {
133 VERBOSE("%s: not expected len or tag\n", __func__);
134 return -EINVAL;
135 }
136
137 *len = *len - 1U;
138 *plain_pk = p + 1U;
139
140 return 0;
141 }
142
143 #if STM32MP_CRYPTO_ROM_LIB
verify_signature(uint8_t * hash_in,uint8_t * pubkey_in,uint8_t * signature,uint32_t ecc_algo)144 uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in,
145 uint8_t *signature, uint32_t ecc_algo)
146 {
147 int ret;
148
149 ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE,
150 STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE);
151 if (ret != 0) {
152 VERBOSE("%s: mmap_add_dynamic_region (%d)\n", __func__, ret);
153 return CRYPTO_ERR_SIGNATURE;
154 }
155
156 ret = auth_ops.verify_signature(hash_in, pubkey_in, signature, ecc_algo);
157
158 if (ret != BOOT_API_RETURN_OK) {
159 VERBOSE("%s: auth_ops.verify_sign (%d)\n", __func__, ret);
160 ret = CRYPTO_ERR_SIGNATURE;
161 } else {
162 ret = 0;
163 }
164
165 mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED);
166
167 return ret;
168 }
169
crypto_convert_pk(void * full_pk_ptr,unsigned int full_pk_len,void ** hashed_pk_ptr,unsigned int * hashed_pk_len)170 static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
171 void **hashed_pk_ptr, unsigned int *hashed_pk_len)
172 {
173 size_t len;
174 int ret;
175
176 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, hashed_pk_ptr, &len, NULL);
177 if (ret == 0) {
178 *hashed_pk_len = (unsigned int)len;
179 }
180
181 return ret;
182 }
183 #else /* STM32MP_CRYPTO_ROM_LIB*/
verify_signature(uint8_t * hash_in,uint8_t * pubkey_in,uint8_t * signature,uint32_t ecc_algo)184 static uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in,
185 uint8_t *signature, uint32_t ecc_algo)
186 {
187 int ret = -1;
188 enum stm32_pka_ecdsa_curve_id cid;
189
190 switch (ecc_algo) {
191 case BOOT_API_ECDSA_ALGO_TYPE_P256NIST:
192 #if PKA_USE_NIST_P256
193 cid = PKA_NIST_P256;
194 ret = 0;
195 #else
196 WARN("%s nist_p256 requested but not included\n", __func__);
197 #endif
198 break;
199 case BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256:
200 #if PKA_USE_BRAINPOOL_P256T1
201 cid = PKA_BRAINPOOL_P256T1;
202 ret = 0;
203 #else
204 WARN("%s brainpool_p256t1 requested but not included\n", __func__);
205 #endif
206 break;
207 default:
208 WARN("%s unexpected ecc_algo(%u)\n", __func__, ecc_algo);
209 break;
210 }
211
212 if (ret < 0) {
213 return CRYPTO_ERR_SIGNATURE;
214 }
215
216 ret = stm32_pka_ecdsa_verif(hash_in,
217 BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES,
218 signature, BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
219 signature + BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
220 BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
221 pubkey_in, BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U,
222 pubkey_in + BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U,
223 BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, cid);
224 if (ret < 0) {
225 return CRYPTO_ERR_SIGNATURE;
226 }
227
228 return 0;
229 }
230
crypto_convert_pk(void * full_pk_ptr,unsigned int full_pk_len,void ** hashed_pk_ptr,unsigned int * hashed_pk_len)231 static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
232 void **hashed_pk_ptr, unsigned int *hashed_pk_len)
233 {
234 static uint8_t st_pk[CRYPTO_PUBKEY_MAX_SIZE + sizeof(uint32_t)];
235 int ret;
236 void *plain_pk;
237 size_t len;
238 int curve_id;
239 uint32_t cid;
240
241 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, &plain_pk, &len, &curve_id);
242 if ((ret != 0) || (len > CRYPTO_PUBKEY_MAX_SIZE)) {
243 return -EINVAL;
244 }
245
246 cid = curve_id; /* we want value of curve_id (1 or 2) in a uint32_t */
247
248 memcpy(st_pk, &cid, sizeof(cid));
249 memcpy(st_pk + sizeof(cid), plain_pk, len);
250
251 *hashed_pk_ptr = st_pk;
252 *hashed_pk_len = (unsigned int)(len + sizeof(cid));
253
254 return 0;
255 }
256 #endif /* STM32MP_CRYPTO_ROM_LIB */
257
get_plain_digest_from_asn1(void * digest_ptr,unsigned int digest_len,uint8_t ** out,size_t * out_len,mbedtls_md_type_t * md_alg)258 static int get_plain_digest_from_asn1(void *digest_ptr, unsigned int digest_len,
259 uint8_t **out, size_t *out_len, mbedtls_md_type_t *md_alg)
260 {
261 int ret;
262 mbedtls_asn1_buf hash_oid, params;
263 size_t len;
264 unsigned char *p, *end;
265
266 *out = NULL;
267 *out_len = 0U;
268
269 /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
270 p = (unsigned char *)digest_ptr;
271 end = p + digest_len;
272 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
273 MBEDTLS_ASN1_SEQUENCE);
274 if (ret != 0) {
275 return ret;
276 }
277
278 /* Get the hash algorithm */
279 ret = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms);
280 if (ret != 0) {
281 return ret;
282 }
283
284 ret = mbedtls_oid_get_md_alg(&hash_oid, md_alg);
285 if (ret != 0) {
286 return ret;
287 }
288
289 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
290 if (ret != 0) {
291 return ret;
292 }
293
294 /* Length of hash must match the algorithm's size */
295 if (len != BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES) {
296 return -1;
297 }
298
299 *out = p;
300 *out_len = len;
301
302 return 0;
303 }
304
crypto_verify_signature(void * data_ptr,unsigned int data_len,void * sig_ptr,unsigned int sig_len,void * sig_alg,unsigned int sig_alg_len,void * pk_ptr,unsigned int pk_len)305 static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
306 void *sig_ptr, unsigned int sig_len,
307 void *sig_alg, unsigned int sig_alg_len,
308 void *pk_ptr, unsigned int pk_len)
309 {
310 uint8_t image_hash[CRYPTO_HASH_MAX_SIZE] = {0};
311 uint8_t sig[CRYPTO_SIGN_MAX_SIZE];
312 uint8_t my_pk[CRYPTO_PUBKEY_MAX_SIZE];
313 int ret;
314 size_t len;
315 mbedtls_asn1_sequence seq;
316 mbedtls_asn1_sequence *cur;
317 unsigned char *p, *end;
318 int curve_id;
319 mbedtls_asn1_buf sig_oid, sig_params;
320 mbedtls_md_type_t md_alg;
321 mbedtls_pk_type_t pk_alg;
322 size_t bignum_len = sizeof(sig) / 2U;
323 unsigned int seq_num = 0U;
324
325 if (!stm32mp_is_closed_device() && !stm32mp_is_auth_supported()) {
326 return CRYPTO_SUCCESS;
327 }
328
329 /* Get pointers to signature OID and parameters */
330 p = (unsigned char *)sig_alg;
331 end = (unsigned char *)(p + sig_alg_len);
332 ret = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
333 if (ret != 0) {
334 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret);
335 return CRYPTO_ERR_SIGNATURE;
336 }
337
338 /* Get the actual signature algorithm (MD + PK) */
339 ret = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
340 if (ret != 0) {
341 VERBOSE("%s: mbedtls_oid_get_sig_alg (%d)\n", __func__, ret);
342 return CRYPTO_ERR_SIGNATURE;
343 }
344
345 if ((md_alg != MBEDTLS_MD_SHA256) || (pk_alg != MBEDTLS_PK_ECDSA)) {
346 VERBOSE("%s: md_alg=%u pk_alg=%u\n", __func__, md_alg, pk_alg);
347 return CRYPTO_ERR_SIGNATURE;
348 }
349
350 ret = get_plain_pk_from_asn1(pk_ptr, pk_len, &pk_ptr, &len, &curve_id);
351 if (ret != 0) {
352 VERBOSE("%s: get_plain_pk_from_asn1 (%d)\n", __func__, ret);
353 return CRYPTO_ERR_SIGNATURE;
354 }
355
356 /* We expect a known pk_len */
357 if (len != sizeof(my_pk)) {
358 VERBOSE("%s: pk_len=%zu sizeof(my_pk)=%zu)\n", __func__, len, sizeof(my_pk));
359 return CRYPTO_ERR_SIGNATURE;
360 }
361
362 /* Need to copy as auth_ops.verify_signature
363 * expects aligned public key.
364 */
365 memcpy(my_pk, pk_ptr, sizeof(my_pk));
366
367 /* Get the signature (bitstring) */
368 p = (unsigned char *)sig_ptr;
369 end = (unsigned char *)(p + sig_len);
370 ret = mbedtls_asn1_get_bitstring_null(&p, end, &len);
371 if (ret != 0) {
372 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret);
373 return CRYPTO_ERR_SIGNATURE;
374 }
375
376 /* Get r and s from sequence */
377 ret = mbedtls_asn1_get_sequence_of(&p, end, &seq, MBEDTLS_ASN1_INTEGER);
378 if (ret != 0) {
379 VERBOSE("%s: mbedtls_asn1_get_sequence_of (%d)\n", __func__, ret);
380 return CRYPTO_ERR_SIGNATURE;
381 }
382
383 /* We expect only 2 integers (r and s) from the sequence */
384 if (seq.next->next != NULL) {
385 cur = seq.next;
386 mbedtls_asn1_sequence *next;
387
388 VERBOSE("%s: nb seq != 2\n", __func__);
389 /* Free all the sequences */
390 while (cur != NULL) {
391 next = cur->next;
392 mbedtls_free(cur);
393 cur = next;
394 }
395
396 return CRYPTO_ERR_SIGNATURE;
397 }
398
399 /*
400 * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n.
401 * This means that the R and S can have a maximum of 32 each, but can also be smaller.
402 * Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only
403 * manage exactly 2*32 bytes, we remove this higher byte if there are not 00,
404 * we will fail either.
405 */
406 cur = &seq;
407 memset(sig, 0U, sizeof(sig));
408
409 while (cur != NULL) {
410 size_t skip = 0U;
411 size_t seek = seq_num * bignum_len;
412
413 if (cur->buf.len > bignum_len) {
414 /* Remove extra 0x00 bytes */
415 skip = cur->buf.len - bignum_len;
416 } else if (cur->buf.len < bignum_len) {
417 /* Add padding to match HW required size */
418 seek += (bignum_len % cur->buf.len);
419 }
420
421 if (seek + cur->buf.len > sizeof(sig) + skip) {
422 panic();
423 }
424
425 memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip);
426 cur = cur->next;
427 seq_num++;
428 }
429
430 /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */
431 mbedtls_free(seq.next);
432
433 /* Compute hash for the data covered by the signature */
434 stm32_hash_init(HASH_SHA256);
435
436 ret = stm32_hash_final_update((uint8_t *)data_ptr, data_len, image_hash);
437 if (ret != 0) {
438 VERBOSE("%s: stm32_hash_final_update (%d)\n", __func__, ret);
439 return CRYPTO_ERR_SIGNATURE;
440 }
441
442 return verify_signature(image_hash, my_pk, sig, curve_id);
443 }
444
crypto_verify_hash(void * data_ptr,unsigned int data_len,void * digest_info_ptr,unsigned int digest_info_len)445 static int crypto_verify_hash(void *data_ptr, unsigned int data_len,
446 void *digest_info_ptr,
447 unsigned int digest_info_len)
448 {
449 int ret;
450 uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES];
451 unsigned char *p;
452 mbedtls_md_type_t md_alg;
453 size_t len;
454
455 /* we receive an asn1 encapsulated digest, we flatten it */
456 ret = get_plain_digest_from_asn1(digest_info_ptr,
457 digest_info_len, &p, &len,
458 &md_alg);
459 if ((ret != 0) || (md_alg != MBEDTLS_MD_SHA256) || (len != sizeof(calc_hash))) {
460 return CRYPTO_ERR_HASH;
461 }
462
463 digest_info_ptr = p;
464 digest_info_len = len;
465
466 stm32_hash_init(HASH_SHA256);
467
468 ret = stm32_hash_final_update(data_ptr, data_len, calc_hash);
469 if (ret != 0) {
470 VERBOSE("%s: hash failed\n", __func__);
471 return CRYPTO_ERR_HASH;
472 }
473
474 ret = memcmp(calc_hash, digest_info_ptr, digest_info_len);
475 if (ret != 0) {
476 VERBOSE("%s: not expected digest\n", __func__);
477 ret = CRYPTO_ERR_HASH;
478 }
479
480 return ret;
481 }
482
483 #if !defined(DECRYPTION_SUPPORT_none)
derive_key(uint8_t * key,size_t * key_len,size_t len,unsigned int * flags,const uint8_t * img_id,size_t img_id_len)484 static int derive_key(uint8_t *key, size_t *key_len, size_t len,
485 unsigned int *flags, const uint8_t *img_id, size_t img_id_len)
486 {
487 size_t i, j;
488
489 assert(*key_len >= 32U);
490
491 /*
492 * Not a real derivation yet
493 *
494 * We expect a 32 bytes key, if OTP is only 16 bytes
495 * => duplicate.
496 */
497 for (i = 0U, j = len; j < 32U;
498 i += sizeof(uint32_t), j += sizeof(uint32_t)) {
499 memcpy(key + j, key + i, sizeof(uint32_t));
500 }
501
502 *key_len = 32U;
503 /* Variable 'key' store a real key */
504 *flags = 0U;
505
506 return 0;
507 }
508
plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status,uint8_t * key,size_t * key_len,unsigned int * flags,const uint8_t * img_id,size_t img_id_len)509 int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key,
510 size_t *key_len, unsigned int *flags,
511 const uint8_t *img_id, size_t img_id_len)
512 {
513 uint32_t otp_idx;
514 uint32_t otp_len;
515 size_t read_len;
516 size_t i;
517
518 if (fw_enc_status == FW_ENC_WITH_BSSK) {
519 return -EINVAL;
520 }
521
522 if (stm32_get_otp_index(ENCKEY_OTP, &otp_idx, &otp_len) != 0) {
523 VERBOSE("%s: get %s index error\n", __func__, ENCKEY_OTP);
524 return -EINVAL;
525 }
526
527 if (otp_len > (*key_len * CHAR_BIT)) {
528 VERBOSE("%s: length Error otp_len=%u key_len=%zu\n", __func__,
529 otp_len, *key_len * CHAR_BIT);
530 return -EINVAL;
531 }
532
533 read_len = otp_len / CHAR_BIT;
534 assert(read_len % sizeof(uint32_t) == 0);
535
536 for (i = 0U; i < read_len / sizeof(uint32_t); i++) {
537 uint32_t tmp;
538 uint32_t otp_val;
539
540 if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) {
541 zeromem(key, *key_len);
542 VERBOSE("%s: unable to read from otp\n", __func__);
543 return -EINVAL;
544 }
545
546 tmp = bswap32(otp_val);
547 memcpy(key + i * sizeof(uint32_t), &tmp, sizeof(tmp));
548 }
549
550 /* Now we have the OTP values in key till read_len */
551
552 if (derive_key(key, key_len, read_len, flags, img_id,
553 img_id_len) != 0) {
554 zeromem(key, *key_len);
555 return -EINVAL;
556 }
557
558 return 0;
559 }
560
select_key(unsigned int key_flags)561 static enum stm32_saes_key_selection select_key(unsigned int key_flags)
562 {
563 if ((key_flags & ENC_KEY_IS_IDENTIFIER) != 0U) {
564 panic();
565 }
566
567 /* Use the provided key buffer */
568 return STM32_SAES_KEY_SOFT;
569 }
570
stm32_decrypt_aes_gcm(void * data,size_t data_len,const void * key,unsigned int key_len,unsigned int key_flags,const void * iv,unsigned int iv_len,const void * tag,unsigned int tag_len)571 static int stm32_decrypt_aes_gcm(void *data, size_t data_len,
572 const void *key, unsigned int key_len,
573 unsigned int key_flags,
574 const void *iv, unsigned int iv_len,
575 const void *tag, unsigned int tag_len)
576 {
577 int ret;
578 struct stm32_saes_context ctx;
579 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE];
580 enum stm32_saes_key_selection key_mode;
581 unsigned int diff = 0U;
582 unsigned int i;
583
584 key_mode = select_key(key_flags);
585
586 ret = stm32_saes_init(&ctx, true, STM32_SAES_MODE_GCM, key_mode, key,
587 key_len, iv, iv_len);
588 if (ret != 0) {
589 return CRYPTO_ERR_INIT;
590 }
591
592 ret = stm32_saes_update_assodata(&ctx, true, NULL, 0U);
593 if (ret != 0) {
594 return CRYPTO_ERR_DECRYPTION;
595 }
596
597 ret = stm32_saes_update_load(&ctx, true, data, data, data_len);
598 if (ret != 0) {
599 return CRYPTO_ERR_DECRYPTION;
600 }
601
602 ret = stm32_saes_final(&ctx, tag_buf, sizeof(tag_buf));
603 if (ret != 0) {
604 return CRYPTO_ERR_DECRYPTION;
605 }
606
607 /* Check tag in "constant-time" */
608 for (i = 0U; i < tag_len; i++) {
609 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i];
610 }
611
612 if (diff != 0U) {
613 return CRYPTO_ERR_DECRYPTION;
614 }
615
616 return CRYPTO_SUCCESS;
617 }
618
619 /*
620 * Authenticated decryption of an image
621 *
622 */
crypto_auth_decrypt(enum crypto_dec_algo dec_algo,void * data_ptr,size_t len,const void * key,unsigned int key_len,unsigned int key_flags,const void * iv,unsigned int iv_len,const void * tag,unsigned int tag_len)623 static int crypto_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len,
624 const void *key, unsigned int key_len, unsigned int key_flags,
625 const void *iv, unsigned int iv_len, const void *tag,
626 unsigned int tag_len)
627 {
628 int rc = -1;
629 uint32_t real_iv[4];
630
631 switch (dec_algo) {
632 case CRYPTO_GCM_DECRYPT:
633 /*
634 * GCM expect a Nonce
635 * The AES IV is the nonce (a uint32_t[3])
636 * then a counter (a uint32_t big endian)
637 * The counter starts at 2.
638 */
639 memcpy(real_iv, iv, iv_len);
640 real_iv[3] = htobe32(0x2U);
641
642 rc = stm32_decrypt_aes_gcm(data_ptr, len, key, key_len, key_flags,
643 real_iv, sizeof(real_iv), tag, tag_len);
644 break;
645 default:
646 rc = CRYPTO_ERR_DECRYPTION;
647 break;
648 }
649
650 if (rc != 0) {
651 return rc;
652 }
653
654 return CRYPTO_SUCCESS;
655 }
656
657 REGISTER_CRYPTO_LIB("stm32_crypto_lib",
658 crypto_lib_init,
659 crypto_verify_signature,
660 crypto_verify_hash,
661 NULL,
662 crypto_auth_decrypt,
663 crypto_convert_pk);
664
665 #else /* No decryption support */
666 REGISTER_CRYPTO_LIB("stm32_crypto_lib",
667 crypto_lib_init,
668 crypto_verify_signature,
669 crypto_verify_hash,
670 NULL,
671 NULL,
672 crypto_convert_pk);
673 #endif
674
