From patchwork Thu Feb 17 15:57:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Emekcan Aras X-Patchwork-Id: 3695 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5D569C433FE for ; Thu, 17 Feb 2022 15:57:42 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web12.1546.1645113461307329825 for ; Thu, 17 Feb 2022 07:57:41 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: emekcan.aras@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id ED57A1396; Thu, 17 Feb 2022 07:57:40 -0800 (PST) Received: from e126835.arm.com (unknown [10.57.40.90]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 50FE43F718; Thu, 17 Feb 2022 07:57:39 -0800 (PST) From: emekcan.aras@arm.com To: meta-arm@lists.yoctoproject.org, jon.mason@arm.com Cc: nd@arm.com, Vishnu Banavath Subject: [PATCH 2/3] arm-bsp/security: trusted-services to fix psa-arch-tests Date: Thu, 17 Feb 2022 15:57:26 +0000 Message-Id: <20220217155727.2568107-3-emekcan.aras@arm.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220217155727.2568107-1-emekcan.aras@arm.com> References: <20220217155727.2568107-1-emekcan.aras@arm.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 17 Feb 2022 15:57:42 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/3009 From: Vishnu Banavath These changes are to fix failures in psa-arch-tests Signed-off-by: Vishnu Banavath --- ...0003-corstone1000-port-crypto-config.patch | 237 ++++ .../0033-Enhance-mbedtls-fetch-process.patch | 258 ++++ ...x-format-specifier-in-logging_caller.patch | 41 + ...for-mbedtls-and-psa-arch-tests-for-v.patch | 65 + ...n-verify-message-and-hash-operations.patch | 1080 +++++++++++++++++ ...nst-uninitialised-multi-part-transac.patch | 124 ++ ...038-Integrate-AEAD-operation-support.patch | 521 ++++++++ ...eration-to-one-shot-cipher-operation.patch | 96 ++ ...-Fix-multi-part-termination-on-error.patch | 241 ++++ ...tion-if-client-provided-buffer-is-to.patch | 50 + ...g-to-updated-t_cose-version-fc3a4b2c.patch | 95 ++ .../0043-pass-sysroot_yocto.patch | 111 ++ ...face-structure-aligned-with-tf-m-cha.patch | 30 + ...egrate-remaining-psa-ipc-client-APIs.patch | 494 ++++++++ ...et_key_usage_flags-definition-to-the.patch | 40 + ...-in-AEAD-for-psa-arch-test-54-and-58.patch | 120 ++ .../trusted-services/ts-corstone1000.inc | 22 +- 17 files changed, 3624 insertions(+), 1 deletion(-) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0003-corstone1000-port-crypto-config.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0033-Enhance-mbedtls-fetch-process.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0034-Fix-format-specifier-in-logging_caller.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0035-Update-refspecs-for-mbedtls-and-psa-arch-tests-for-v.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0036-Separate-sign-verify-message-and-hash-operations.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0037-Add-defence-against-uninitialised-multi-part-transac.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0038-Integrate-AEAD-operation-support.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0039-Add-IV-generation-to-one-shot-cipher-operation.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0040-Fix-multi-part-termination-on-error.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0041-Abort-AEAD-operation-if-client-provided-buffer-is-to.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0042-Peg-to-updated-t_cose-version-fc3a4b2c.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0043-pass-sysroot_yocto.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0044-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0045-Integrate-remaining-psa-ipc-client-APIs.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0046-Fix-update-psa_set_key_usage_flags-definition-to-the.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0047-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0003-corstone1000-port-crypto-config.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0003-corstone1000-port-crypto-config.patch new file mode 100644 index 00000000..1d7b8ae9 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0003-corstone1000-port-crypto-config.patch @@ -0,0 +1,237 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From f86f5b42d853d2a65f6753362361bbb95aac1800 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Sat, 11 Dec 2021 11:06:57 +0000 +Subject: [PATCH] corstone1000: port crypto config + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +Signed-off-by: Satish Kumar + +%% original patch: 0003-corstone1000-port-crypto-config.patch +--- + .../nspe/pal_crypto_config.h | 83 +++++++++++++++---- + 1 file changed, 66 insertions(+), 17 deletions(-) + +diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h +index 844cd2e..c936bdd 100755 +--- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h ++++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h +@@ -1,5 +1,5 @@ + /** @file +- * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. ++ * Copyright (c) 2019-2020, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); +@@ -34,10 +34,14 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_RSA + #define ARCH_TEST_RSA_1024 + #define ARCH_TEST_RSA_2048 + #define ARCH_TEST_RSA_3072 ++#endif ++#endif + + /** + * \def ARCH_TEST_ECC +@@ -50,11 +54,17 @@ + * Requires: ARCH_TEST_ECC + * Comment macros to disable the curve + */ ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_ECC + #define ARCH_TEST_ECC_CURVE_SECP192R1 ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_ECC_CURVE_SECP224R1 ++#endif + #define ARCH_TEST_ECC_CURVE_SECP256R1 ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_ECC_CURVE_SECP384R1 ++#endif ++#endif + + /** + * \def ARCH_TEST_AES +@@ -78,10 +88,10 @@ + * + * Comment macros to disable the types + */ +-#define ARCH_TEST_DES +-#define ARCH_TEST_DES_1KEY +-#define ARCH_TEST_DES_2KEY +-#define ARCH_TEST_DES_3KEY ++//#define ARCH_TEST_DES ++//#define ARCH_TEST_DES_1KEY ++//#define ARCH_TEST_DES_2KEY ++//#define ARCH_TEST_DES_3KEY + + /** + * \def ARCH_TEST_RAW +@@ -104,7 +114,7 @@ + * + * Enable the ARC4 key type. + */ +-#define ARCH_TEST_ARC4 ++//#define ARCH_TEST_ARC4 + + /** + * \def ARCH_TEST_CIPHER_MODE_CTR +@@ -113,7 +123,11 @@ + * + * Requires: ARCH_TEST_CIPHER + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CIPHER_MODE_CTR ++#endif ++#endif + + /** + * \def ARCH_TEST_CIPHER_MODE_CFB +@@ -138,7 +152,11 @@ + * + * Requires: ARCH_TEST_CIPHER, ARCH_TEST_AES, ARCH_TEST_CIPHER_MODE_CTR + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CTR_AES ++#endif ++#endif + + /** + * \def ARCH_TEST_CBC_AES +@@ -157,7 +175,11 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CBC_NO_PADDING ++#endif ++#endif + + /** + * \def ARCH_TEST_CFB_AES +@@ -177,11 +199,15 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_PKCS1V15 + #define ARCH_TEST_RSA_PKCS1V15_SIGN + #define ARCH_TEST_RSA_PKCS1V15_SIGN_RAW + #define ARCH_TEST_RSA_PKCS1V15_CRYPT + #define ARCH_TEST_RSA_OAEP ++#endif ++#endif + + /** + * \def ARCH_TEST_CBC_PKCS7 +@@ -190,7 +216,11 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CBC_PKCS7 ++#endif ++#endif + + /** + * \def ARCH_TEST_ASYMMETRIC_ENCRYPTION +@@ -227,21 +257,27 @@ + * + * Comment macros to disable the types + */ +-// #define ARCH_TEST_MD2 +-// #define ARCH_TEST_MD4 +-#define ARCH_TEST_MD5 +-#define ARCH_TEST_RIPEMD160 +-#define ARCH_TEST_SHA1 ++//#define ARCH_TEST_MD2 ++//#define ARCH_TEST_MD4 ++//#define ARCH_TEST_MD5 ++//#define ARCH_TEST_RIPEMD160 ++//#define ARCH_TEST_SHA1 ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_SHA224 ++#endif + #define ARCH_TEST_SHA256 ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_SHA384 + #define ARCH_TEST_SHA512 +-// #define ARCH_TEST_SHA512_224 +-// #define ARCH_TEST_SHA512_256 +-// #define ARCH_TEST_SHA3_224 +-// #define ARCH_TEST_SHA3_256 +-// #define ARCH_TEST_SHA3_384 +-// #define ARCH_TEST_SHA3_512 ++#endif ++#endif ++//#define ARCH_TEST_SHA512_224 ++//#define ARCH_TEST_SHA512_256 ++//#define ARCH_TEST_SHA3_224 ++//#define ARCH_TEST_SHA3_256 ++//#define ARCH_TEST_SHA3_384 ++//#define ARCH_TEST_SHA3_512 + + /** + * \def ARCH_TEST_HKDF +@@ -261,7 +297,12 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CMAC ++#endif ++#endif ++//#define ARCH_TEST_GMAC + #define ARCH_TEST_HMAC + + /** +@@ -281,7 +322,11 @@ + * Requires: ARCH_TEST_AES + * + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_GCM ++#endif ++#endif + + /** + * \def ARCH_TEST_TRUNCATED_MAC +@@ -300,7 +345,9 @@ + * + * Requires: ARCH_TEST_ECC + */ ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_ECDH ++#endif + + /** + * \def ARCH_TEST_ECDSA +@@ -308,7 +355,9 @@ + * Enable the elliptic curve DSA library. + * Requires: ARCH_TEST_ECC + */ ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_ECDSA ++#endif + + /** + * \def ARCH_TEST_DETERMINISTIC_ECDSA +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0033-Enhance-mbedtls-fetch-process.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0033-Enhance-mbedtls-fetch-process.patch new file mode 100644 index 00000000..60f48262 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0033-Enhance-mbedtls-fetch-process.patch @@ -0,0 +1,258 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From ddff15a07e2fb7eddfa1d988fce25d82cb22f7ee Mon Sep 17 00:00:00 2001 +From: Gyorgy Szing +Date: Wed, 8 Dec 2021 04:20:34 +0100 +Subject: [PATCH 01/15] Enhance mbedtls fetch process + +Update management of MbedTLS external component to be optimized +for download speed insted of availability. +The updated process is: + - check if binary is available. If yes configure build to use it + and stop. + - if not, check is source is available. If yes, build it and use + the resulting binary. + - if not, then download the source using git, compile it and use + the resulting binary + +The following variables can be set on the command line to alter the +behavior of the module: + - MBEDTLS_URL git repo URL to fetch from. + - MBEDTLS_REFSPEC revision to fetch + - MBEDTLS_SOURCE_DIR to specify location of source code in + local file syetem. + - MBEDTLS_INSTALL_DIR to specify location of binary. + +I.e. cmake -S <...> -B <...> -DMBEDTLS_INSTALL_DIR=~/mbedtls +will make the resulting binary installed to ~/mbedtls. This can be +used later to speed up a clean build an use the prebuilt binary. + +Change-Id: I8a9ad8b3303e6dfa0a7c9c3d7e4b4787b94d925a +Signed-off-by: Gyorgy Szing +--- + external/MbedTLS/MbedTLS.cmake | 192 ++++++++++++++++++++------------- + 1 file changed, 119 insertions(+), 73 deletions(-) + +diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake +index 3cbaed15..935be765 100644 +--- a/external/MbedTLS/MbedTLS.cmake ++++ b/external/MbedTLS/MbedTLS.cmake +@@ -1,96 +1,142 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # + #------------------------------------------------------------------------------- + +-# Determine the number of processes to run while running parallel builds. +-# Pass -DPROCESSOR_COUNT= to cmake to override. +-if(NOT DEFINED PROCESSOR_COUNT) +- include(ProcessorCount) +- ProcessorCount(PROCESSOR_COUNT) +- set(PROCESSOR_COUNT ${PROCESSOR_COUNT} CACHE STRING "Number of cores to use for parallel builds.") +-endif() ++set(MBEDTLS_URL "https://github.com/ARMmbed/mbedtls.git" ++ CACHE STRING "Mbed TLS repository URL") ++set(MBEDTLS_REFSPEC "mbedtls-3.0.0" ++ CACHE STRING "Mbed TLS git refspec") ++set(MBEDTLS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-src" ++ CACHE PATH "MbedTLS source directory") ++set(MBEDTLS_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/mbedtls_install" ++ CACHE PATH "Mbed TLS installation directory") + +-set(MBEDTLS_URL "https://github.com/ARMmbed/mbedtls.git" CACHE STRING "Mbed TLS repository URL") +-set(MBEDTLS_REFSPEC "mbedtls-3.0.0" CACHE STRING "Mbed TLS git refspec") +-set(MBEDTLS_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/mbedtls_install" CACHE PATH "Mbed TLS installation directory") +-set(MBEDTLS_PACKAGE_PATH "${MBEDTLS_INSTALL_PATH}/lib/mbedtls/cmake" CACHE PATH "Mbed TLS CMake package directory") ++find_library(MBEDCRYPTO_LIB_FILE ++ NAMES libmbedcrypto.a mbedcrypto.a libmbedcrypto.lib mbedcrypto.lib ++ PATHS ${MBEDTLS_INSTALL_DIR} ++ PATH_SUFFIXES "lib" ++ DOC "Location of mberdrypto library." ++ NO_DEFAULT_PATH ++) + +-include(FetchContent) ++set(MBEDCRYPTO_LIB_FILE ${MBEDCRYPTO_LIB_FILE}) ++unset(MBEDCRYPTO_LIB_FILE CACHE) + +-# Checking git +-find_program(GIT_COMMAND "git") +-if (NOT GIT_COMMAND) +- message(FATAL_ERROR "Please install git") +-endif() ++set(MBEDTLS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-build") + +-# Fetching Mbed TLS +-FetchContent_Declare( +- mbedtls +- GIT_REPOSITORY ${MBEDTLS_URL} +- GIT_TAG ${MBEDTLS_REFSPEC} +- GIT_SHALLOW TRUE +-) ++# Binary not found and it needs to be built. ++if (NOT MBEDCRYPTO_LIB_FILE) ++ # Determine the number of processes to run while running parallel builds. ++ # Pass -DPROCESSOR_COUNT= to cmake to override. ++ if(NOT DEFINED PROCESSOR_COUNT) ++ include(ProcessorCount) ++ ProcessorCount(PROCESSOR_COUNT) ++ set(PROCESSOR_COUNT ${PROCESSOR_COUNT} ++ CACHE STRING "Number of cores to use for parallel builds.") ++ endif() + +-# FetchContent_GetProperties exports mbedtls_SOURCE_DIR and mbedtls_BINARY_DIR variables +-FetchContent_GetProperties(mbedtls) +-if(NOT mbedtls_POPULATED) +- message(STATUS "Fetching Mbed TLS") +- FetchContent_Populate(mbedtls) +-endif() ++ # See if the source is available locally ++ find_file(MBEDCRYPTO_HEADER_FILE ++ NAMES crypto.h ++ PATHS ${MBEDTLS_SOURCE_DIR} ++ PATH_SUFFIXES "include/psa" ++ NO_DEFAULT_PATH ++ ) ++ set(MBEDCRYPTO_HEADER_FILE ${MBEDCRYPTO_HEADER_FILE}) ++ unset(MBEDCRYPTO_HEADER_FILE CACHE) + +-# Convert the include path list to a string. Needed to make parameter passing to +-# Mbed TLS build work fine. +-string(REPLACE ";" "\\;" MBEDTLS_EXTRA_INCLUDES "${MBEDTLS_EXTRA_INCLUDES}") ++ # Source not found, fetch it. ++ if (NOT MBEDCRYPTO_HEADER_FILE) ++ include(FetchContent) + +-find_package(Python3 COMPONENTS Interpreter) +-if (NOT Python3_Interpreter_FOUND) +- message(FATAL_ERROR "Python 3 interpreter not found.") +-endif() ++ # Checking git ++ find_program(GIT_COMMAND "git") ++ if (NOT GIT_COMMAND) ++ message(FATAL_ERROR "Please install git") ++ endif() + +-#Configure Mbed TLS to build only mbedcrypto lib +-execute_process(COMMAND ${Python3_EXECUTABLE} scripts/config.py crypto WORKING_DIRECTORY ${mbedtls_SOURCE_DIR}) +- +-# Advertise Mbed TLS as the provider of the psa crypto API +-set(PSA_CRYPTO_API_INCLUDE "${MBEDTLS_INSTALL_PATH}/include" CACHE STRING "PSA Crypto API include path") +- +-#Configure the library +-execute_process(COMMAND +- ${CMAKE_COMMAND} +- -DENABLE_PROGRAMS=OFF +- -DENABLE_TESTING=OFF +- -DUNSAFE_BUILD=ON +- -DCMAKE_INSTALL_PREFIX=${MBEDTLS_INSTALL_PATH} +- -DCMAKE_TOOLCHAIN_FILE=${TS_EXTERNAL_LIB_TOOLCHAIN_FILE} +- -DCMAKE_TRY_COMPILE_TARGET_TYPE=STATIC_LIBRARY +- -DEXTERNAL_DEFINITIONS=-DMBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}" +- -DEXTERNAL_INCLUDE_PATHS=${MBEDTLS_EXTRA_INCLUDES} +- -GUnix\ Makefiles +- ${mbedtls_SOURCE_DIR} +- WORKING_DIRECTORY +- ${mbedtls_BINARY_DIR} +- RESULT_VARIABLE _exec_error +-) ++ # Fetching Mbed TLS ++ FetchContent_Declare( ++ mbedtls ++ SOURCE_DIR ${MBEDTLS_SOURCE_DIR} ++ BINARY_DIR ${MBEDTLS_BINARY_DIR} ++ GIT_REPOSITORY ${MBEDTLS_URL} ++ GIT_TAG ${MBEDTLS_REFSPEC} ++ GIT_SHALLOW TRUE ++ ) + +-if (_exec_error) +- message(FATAL_ERROR "Configuration step of Mbed TLS failed with ${_exec_error}.") +-endif() ++ # FetchContent_GetProperties exports mbedtls_SOURCE_DIR and mbedtls_BINARY_DIR variables ++ FetchContent_GetProperties(mbedtls) ++ # FetchContent_Populate will fail if the source directory is removed since it will try to ++ # do an "update" and not a "populate" action. As a workaround, remove the subbuild directory. ++ # Note: this fix assumes, the default subbuild location is used. ++ file(REMOVE_RECURSE "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-subbuild") ++ ++ # If the source directory has been moved, the binary dir must be regenerated from scratch. ++ file(REMOVE_RECURSE "${MBEDTLS_BINARY_DIR}") + +-#TODO: add dependency to generated project on this file! +-#TODO: add custom target to rebuild Mbed TLS ++ if (NOT mbedtls_POPULATED) ++ message(STATUS "Fetching Mbed TLS") ++ FetchContent_Populate(mbedtls) ++ endif() ++ set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS ${MBEDTLS_SOURCE_DIR}) ++ endif() + +-#Build the library +-execute_process(COMMAND +- ${CMAKE_COMMAND} --build ${mbedtls_BINARY_DIR} --parallel ${PROCESSOR_COUNT} --target install ++ # Build mbedcrypto library ++ ++ # Convert the include path list to a string. Needed to make parameter passing to ++ # Mbed TLS build work fine. ++ string(REPLACE ";" "\\;" MBEDTLS_EXTRA_INCLUDES "${MBEDTLS_EXTRA_INCLUDES}") ++ ++ find_package(Python3 REQUIRED COMPONENTS Interpreter) ++ ++ #Configure Mbed TLS to build only mbedcrypto lib ++ execute_process(COMMAND ${Python3_EXECUTABLE} scripts/config.py crypto WORKING_DIRECTORY ${MBEDTLS_SOURCE_DIR}) ++ ++ # Advertise Mbed TLS as the provider of the psa crypto API ++ set(PSA_CRYPTO_API_INCLUDE "${MBEDTLS_INSTALL_DIR}/include" CACHE STRING "PSA Crypto API include path") ++ ++ #Configure the library ++ execute_process(COMMAND ++ ${CMAKE_COMMAND} -E env CROSS_COMPILE=${CROSS_COMPILE} ++ ${CMAKE_COMMAND} ++ -DENABLE_PROGRAMS=OFF ++ -DENABLE_TESTING=OFF ++ -DUNSAFE_BUILD=ON ++ -DCMAKE_INSTALL_PREFIX=${MBEDTLS_INSTALL_DIR} ++ -DCMAKE_TOOLCHAIN_FILE=${TS_EXTERNAL_LIB_TOOLCHAIN_FILE} ++ -DCMAKE_TRY_COMPILE_TARGET_TYPE=STATIC_LIBRARY ++ -DEXTERNAL_DEFINITIONS=-DMBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}" ++ -DEXTERNAL_INCLUDE_PATHS=${MBEDTLS_EXTRA_INCLUDES} ++ -GUnix\ Makefiles ++ ${MBEDTLS_SOURCE_DIR} ++ WORKING_DIRECTORY ++ ${MBEDTLS_BINARY_DIR} + RESULT_VARIABLE _exec_error + ) +-if (_exec_error) +- message(FATAL_ERROR "Build step of Mbed TLS failed with ${_exec_error}.") ++ ++ if (_exec_error) ++ message(FATAL_ERROR "Configuration step of Mbed TLS failed with ${_exec_error}.") ++ endif() ++ ++ #Build the library ++ execute_process(COMMAND ++ ${CMAKE_COMMAND} --build ${MBEDTLS_BINARY_DIR} --parallel ${PROCESSOR_COUNT} --target install ++ RESULT_VARIABLE _exec_error ++ ) ++ ++ if (_exec_error) ++ message(FATAL_ERROR "Build step of Mbed TLS failed with ${_exec_error}.") ++ endif() ++ ++ set(MBEDCRYPTO_LIB_FILE "${MBEDTLS_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}mbedcrypto${CMAKE_STATIC_LIBRARY_SUFFIX}") + endif() + + #Create an imported target to have clean abstraction in the build-system. + add_library(mbedcrypto STATIC IMPORTED) +-set_property(TARGET mbedcrypto PROPERTY IMPORTED_LOCATION "${MBEDTLS_INSTALL_PATH}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}mbedcrypto${CMAKE_STATIC_LIBRARY_SUFFIX}") +-set_property(TARGET mbedcrypto PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INSTALL_PATH}/include") ++set_property(DIRECTORY ${CMAKE_SOURCE_DIR} APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS ${MBEDCRYPTO_LIB_FILE}) ++set_property(TARGET mbedcrypto PROPERTY IMPORTED_LOCATION ${MBEDCRYPTO_LIB_FILE}) ++set_property(TARGET mbedcrypto PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INSTALL_DIR}/include") +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0034-Fix-format-specifier-in-logging_caller.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0034-Fix-format-specifier-in-logging_caller.patch new file mode 100644 index 00000000..019d3c24 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0034-Fix-format-specifier-in-logging_caller.patch @@ -0,0 +1,41 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From ba99622ba2f0048159bea2d0086173b8d5365473 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Fri, 11 Feb 2022 12:30:45 +0000 +Subject: [PATCH 02/15] Fix format specifier in logging_caller + +A previous change increased the width of the opstatus value +returned by an rpc endpoint from 32 to 64 bits. This change +corrects the printf format specifier in the rpc logging_caller +that corresponds to logging the opstatus value. + +Signed-off-by: Julian Hall +Change-Id: Ie695a6bf8cf8014317b85196d7b933d344782b2c +--- + components/rpc/common/logging/logging_caller.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/components/rpc/common/logging/logging_caller.c b/components/rpc/common/logging/logging_caller.c +index 07c33de5..cac03f2f 100644 +--- a/components/rpc/common/logging/logging_caller.c ++++ b/components/rpc/common/logging/logging_caller.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -87,7 +87,7 @@ static rpc_status_t call_invoke(void *context, rpc_call_handle handle, uint32_t + + if (status == TS_RPC_CALL_ACCEPTED) { + +- fprintf(this_instance->log_file, "op_status: %d\n", *opstatus); ++ fprintf(this_instance->log_file, "op_status: %ld\n", *opstatus); + fprintf(this_instance->log_file, "resp_len: %ld\n", *resp_len); + } + +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0035-Update-refspecs-for-mbedtls-and-psa-arch-tests-for-v.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0035-Update-refspecs-for-mbedtls-and-psa-arch-tests-for-v.patch new file mode 100644 index 00000000..bf788764 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0035-Update-refspecs-for-mbedtls-and-psa-arch-tests-for-v.patch @@ -0,0 +1,65 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From ba6af6e6500a2ba25ab6c01d641383c24f9fab07 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Fri, 11 Feb 2022 13:42:59 +0000 +Subject: [PATCH 03/15] Update refspecs for mbedtls and psa-arch-tests for + v3.1.0 + +Updates external component refspecs to use mbedtls 3.1.0 and +compatible API tests from psa-arch-test. + +Signed-off-by: Julian Hall +Change-Id: I1b5cebd7de3c1885f5f8a8ea21ba5e4c52aefaf4 +--- + external/MbedTLS/MbedTLS.cmake | 2 +- + external/psa_arch_tests/psa_arch_tests.cmake | 17 ++++++----------- + 2 files changed, 7 insertions(+), 12 deletions(-) + +diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake +index 935be765..3350d8a0 100644 +--- a/external/MbedTLS/MbedTLS.cmake ++++ b/external/MbedTLS/MbedTLS.cmake +@@ -7,7 +7,7 @@ + + set(MBEDTLS_URL "https://github.com/ARMmbed/mbedtls.git" + CACHE STRING "Mbed TLS repository URL") +-set(MBEDTLS_REFSPEC "mbedtls-3.0.0" ++set(MBEDTLS_REFSPEC "mbedtls-3.1.0" + CACHE STRING "Mbed TLS git refspec") + set(MBEDTLS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-src" + CACHE PATH "MbedTLS source directory") +diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake +index e6ab73f7..f6d2fb9f 100644 +--- a/external/psa_arch_tests/psa_arch_tests.cmake ++++ b/external/psa_arch_tests/psa_arch_tests.cmake +@@ -5,20 +5,15 @@ + # + #------------------------------------------------------------------------------- + +-# Determine the number of processes to run while running parallel builds. +-# Pass -DPROCESSOR_COUNT= to cmake to override. +-if(NOT DEFINED PROCESSOR_COUNT) +- include(ProcessorCount) +- ProcessorCount(PROCESSOR_COUNT) +- set(PROCESSOR_COUNT ${PROCESSOR_COUNT} CACHE STRING "Number of cores to use for parallel builds.") +-endif() ++# Temporarily using modified tests used for tf-m verification ++set(PSA_ARCH_TESTS_URL "https://github.com/bensze01/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL") ++set(PSA_ARCH_TESTS_REFSPEC "fix-multipart-aead" CACHE STRING "psa-arch-tests git refspec") + +-set(PSA_ARCH_TESTS_URL "https://github.com/ARM-software/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL") +-set(PSA_ARCH_TESTS_REFSPEC "master" CACHE STRING "psa-arch-tests git refspec") ++#set(PSA_ARCH_TESTS_URL "https://github.com/ARM-software/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL") ++#set(PSA_ARCH_TESTS_REFSPEC "2a1852252a9b9af655cbe02d5d3c930952d0d798" CACHE STRING "psa-arch-tests v22.01_API1.4_ADAC_BETA") + set(PSA_ARCH_TESTS_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/psa-arch-tests_install" CACHE PATH "psa-arch-tests installation directory") + set(PSA_ARCH_TESTS_PACKAGE_PATH "${PSA_ARCH_TESTS_INSTALL_PATH}/libpsa-arch-tests/cmake" CACHE PATH "psa-arch-tests CMake package directory") +- +-include(FetchContent) ++set(PSA_ARCH_TESTS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/psa_arch_tests-src" CACHE PATH "psa-arch-tests source.") + + # Checking git + find_program(GIT_COMMAND "git") +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0036-Separate-sign-verify-message-and-hash-operations.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0036-Separate-sign-verify-message-and-hash-operations.patch new file mode 100644 index 00000000..87e023a1 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0036-Separate-sign-verify-message-and-hash-operations.patch @@ -0,0 +1,1080 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 5afda176526010872b5849622a69c1a4cafb76fd Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Fri, 11 Feb 2022 14:08:13 +0000 +Subject: [PATCH 04/15] Separate sign/verify message and hash operations + +Previous versions of mbedtls didn't distinguish between +asymmetric sign and verify operations on a hash or message. +They are now treated as separate operations from a usage +control perspective. This change makes the corresponding +hash/message sepration in client and service provider +components. + +Signed-off-by: Julian Hall +Change-Id: Ic0041c694c026522c9b00c974d22261e9e2feadd +--- + .../caller/packed-c/crypto_caller_sign_hash.h | 29 +++++++- + .../packed-c/crypto_caller_verify_hash.h | 33 ++++++++- + .../caller/stub/crypto_caller_sign_hash.h | 11 ++- + .../caller/stub/crypto_caller_verify_hash.h | 11 ++- + .../service/crypto/client/cpp/crypto_client.h | 17 ++++- + .../packed-c/packedc_crypto_client.cpp | 22 +++++- + .../protocol/packed-c/packedc_crypto_client.h | 17 ++++- + .../protobuf/protobuf_crypto_client.cpp | 43 ++++++++++- + .../protobuf/protobuf_crypto_client.h | 27 ++++++- + .../crypto/client/psa/psa_sign_message.c | 24 +++--- + .../crypto/client/psa/psa_verify_message.c | 24 +++--- + .../service/crypto/provider/crypto_provider.c | 40 ++++++---- + .../serializer/crypto_provider_serializer.h | 6 +- + .../packedc_crypto_provider_serializer.c | 12 +-- + .../protobuf/pb_crypto_provider_serializer.c | 74 +++++++++---------- + .../check_crypto_opcode_alignment.cpp | 25 ++++--- + .../test/service/crypto_service_scenarios.cpp | 56 +++++++++++++- + .../test/service/crypto_service_scenarios.h | 3 +- + .../packed-c/crypto_service_packedc_tests.cpp | 7 +- + .../crypto_service_protobuf_tests.cpp | 7 +- + protocols/service/crypto/packed-c/opcodes.h | 4 +- + .../service/crypto/protobuf/opcodes.proto | 4 +- + 22 files changed, 366 insertions(+), 130 deletions(-) + +diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h +index e807773e..4a9ed20d 100644 +--- a/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h ++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -20,7 +20,8 @@ + extern "C" { + #endif + +-static inline psa_status_t crypto_caller_sign_hash(struct service_client *context, ++static inline psa_status_t crypto_caller_asym_sign_commom(struct service_client *context, ++ uint32_t opcode, + psa_key_id_t id, + psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, +@@ -60,7 +61,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex + + context->rpc_status = + rpc_caller_invoke(context->caller, call_handle, +- TS_CRYPTO_OPCODE_SIGN_HASH, &opstatus, &resp_buf, &resp_len); ++ opcode, &opstatus, &resp_buf, &resp_len); + + if (context->rpc_status == TS_RPC_CALL_ACCEPTED) { + +@@ -98,6 +99,28 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex + return psa_status; + } + ++static inline psa_status_t crypto_caller_sign_hash(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) ++{ ++ return crypto_caller_asym_sign_commom(context, TS_CRYPTO_OPCODE_SIGN_HASH, ++ id, alg, hash, hash_length, ++ signature, signature_size, signature_length); ++} ++ ++static inline psa_status_t crypto_caller_sign_message(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) ++{ ++ return crypto_caller_asym_sign_commom(context, TS_CRYPTO_OPCODE_SIGN_MESSAGE, ++ id, alg, hash, hash_length, ++ signature, signature_size, signature_length); ++} ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h +index 47152946..daa11330 100644 +--- a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h ++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -20,7 +20,8 @@ + extern "C" { + #endif + +-static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, ++static inline psa_status_t crypto_caller_asym_verify_common(struct service_client *context, ++ uint32_t opcode, + psa_key_id_t id, + psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, +@@ -65,7 +66,7 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont + + context->rpc_status = + rpc_caller_invoke(context->caller, call_handle, +- TS_CRYPTO_OPCODE_VERIFY_HASH, &opstatus, &resp_buf, &resp_len); ++ opcode, &opstatus, &resp_buf, &resp_len); + + if (context->rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus; + +@@ -75,6 +76,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont + return psa_status; + } + ++static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ const uint8_t *signature, size_t signature_length) ++{ ++ return crypto_caller_asym_verify_common(context, ++ TS_CRYPTO_OPCODE_VERIFY_HASH, ++ id, alg, ++ hash, hash_length, ++ signature, signature_length); ++} ++ ++static inline psa_status_t crypto_caller_verify_message(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *input, size_t input_length, ++ const uint8_t *signature, size_t signature_length) ++{ ++ return crypto_caller_asym_verify_common(context, ++ TS_CRYPTO_OPCODE_VERIFY_MESSAGE, ++ id, alg, ++ input, input_length, ++ signature, signature_length); ++} ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h +index d09369a2..09049f5c 100644 +--- a/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h ++++ b/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -23,6 +23,15 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex + return PSA_ERROR_NOT_SUPPORTED; + } + ++static inline psa_status_t crypto_caller_sign_message(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h +index 20d11dcf..3f3eb878 100644 +--- a/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h ++++ b/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -23,6 +23,15 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont + return PSA_ERROR_NOT_SUPPORTED; + } + ++static inline psa_status_t crypto_caller_verify_message(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *input, size_t input_length, ++ const uint8_t *signature, size_t signature_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h +index 2a5e5b99..ccb0714a 100644 +--- a/components/service/crypto/client/cpp/crypto_client.h ++++ b/components/service/crypto/client/cpp/crypto_client.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -57,7 +57,7 @@ public: + psa_key_id_t id, + uint8_t *data, size_t data_size, size_t *data_length) = 0; + +- /* Sign/verify methods */ ++ /* Sign/verify hash methods */ + virtual psa_status_t sign_hash( + psa_key_id_t id, + psa_algorithm_t alg, +@@ -70,6 +70,19 @@ public: + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length) = 0; + ++ /* Sign/verify message methods */ ++ virtual psa_status_t sign_message( ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) = 0; ++ ++ virtual psa_status_t verify_message( ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ const uint8_t *signature, size_t signature_length) = 0; ++ + /* Asymmetric encrypt/decrypt */ + virtual psa_status_t asymmetric_encrypt( + psa_key_id_t id, +diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp +index 4d9d8f41..4e10f9be 100644 +--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp ++++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -107,6 +107,26 @@ psa_status_t packedc_crypto_client::verify_hash( + signature, signature_length); + } + ++psa_status_t packedc_crypto_client::sign_message( ++ psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) ++{ ++ return crypto_caller_sign_message(&m_client, id, alg, ++ message, message_length, ++ signature, signature_size, signature_length); ++} ++ ++psa_status_t packedc_crypto_client::verify_message( ++ psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ const uint8_t *signature, size_t signature_length) ++{ ++ return crypto_caller_verify_message(&m_client, id, alg, ++ message, message_length, ++ signature, signature_length); ++} ++ + psa_status_t packedc_crypto_client::asymmetric_encrypt( + psa_key_id_t id, psa_algorithm_t alg, + const uint8_t *input, size_t input_length, +diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h +index 377b51d1..d74ba609 100644 +--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h ++++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -54,7 +54,7 @@ public: + psa_key_id_t id, + uint8_t *data, size_t data_size, size_t *data_length); + +- /* Sign/verify methods */ ++ /* Sign/verify hash methods */ + psa_status_t sign_hash( + psa_key_id_t id, + psa_algorithm_t alg, +@@ -67,6 +67,19 @@ public: + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length); + ++ /* Sign/verify message methods */ ++ psa_status_t sign_message( ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length); ++ ++ psa_status_t verify_message( ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ const uint8_t *signature, size_t signature_length); ++ + /* Asymmetric encrypt/decrypt */ + psa_status_t asymmetric_encrypt( + psa_key_id_t id, +diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp +index 17780351..28c8f6fb 100644 +--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp ++++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp +@@ -386,6 +386,25 @@ psa_status_t protobuf_crypto_client::export_public_key(psa_key_id_t id, + psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + uint8_t *signature, size_t signature_size, size_t *signature_length) ++{ ++ return asym_sign(ts_crypto_Opcode_SIGN_HASH, id, alg, ++ hash, hash_length, ++ signature, signature_size, signature_length); ++} ++ ++psa_status_t protobuf_crypto_client::sign_message(psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) ++{ ++ return asym_sign(ts_crypto_Opcode_SIGN_MESSAGE, id, alg, ++ message, message_length, ++ signature, signature_size, signature_length); ++} ++ ++psa_status_t protobuf_crypto_client::asym_sign(uint32_t opcode, ++ psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length) + { + size_t req_len; + pb_bytes_array_t *hash_byte_array = +@@ -416,7 +435,7 @@ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t + pb_encode(&ostream, ts_crypto_SignHashIn_fields, &req_msg); + + m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle, +- ts_crypto_Opcode_SIGN_HASH, &opstatus, &resp_buf, &resp_len); ++ opcode, &opstatus, &resp_buf, &resp_len); + + if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) { + +@@ -462,10 +481,28 @@ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t + return psa_status; + } + +- + psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_t alg, + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length) ++{ ++ return asym_verify(ts_crypto_Opcode_VERIFY_HASH, id, alg, ++ hash, hash_length, ++ signature, signature_length); ++} ++ ++psa_status_t protobuf_crypto_client::verify_message(psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ const uint8_t *signature, size_t signature_length) ++{ ++ return asym_verify(ts_crypto_Opcode_VERIFY_MESSAGE, id, alg, ++ message, message_length, ++ signature, signature_length); ++} ++ ++psa_status_t protobuf_crypto_client::asym_verify(uint32_t opcode, ++ psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ const uint8_t *signature, size_t signature_length) + { + size_t req_len; + pb_bytes_array_t *hash_byte_array = +@@ -497,7 +534,7 @@ psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_ + pb_encode(&ostream, ts_crypto_VerifyHashIn_fields, &req_msg); + + m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle, +- ts_crypto_Opcode_VERIFY_HASH, &opstatus, &resp_buf, &resp_len); ++ opcode, &opstatus, &resp_buf, &resp_len); + + if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus; + +diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h +index 085d9cfa..abe4439e 100644 +--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h ++++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -54,7 +54,7 @@ public: + psa_key_id_t id, + uint8_t *data, size_t data_size, size_t *data_length); + +- /* Sign/verify methods */ ++ /* Sign/verify hash methods */ + psa_status_t sign_hash( + psa_key_id_t id, + psa_algorithm_t alg, +@@ -67,6 +67,19 @@ public: + const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length); + ++ /* Sign/verify message methods */ ++ psa_status_t sign_message( ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length); ++ ++ psa_status_t verify_message( ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *message, size_t message_length, ++ const uint8_t *signature, size_t signature_length); ++ + /* Asymmetric encrypt/decrypt */ + psa_status_t asymmetric_encrypt( + psa_key_id_t id, +@@ -221,6 +234,16 @@ public: + + private: + ++ psa_status_t asym_sign(uint32_t opcode, ++ psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ uint8_t *signature, size_t signature_size, size_t *signature_length); ++ ++ psa_status_t asym_verify(uint32_t opcode, ++ psa_key_id_t id, psa_algorithm_t alg, ++ const uint8_t *hash, size_t hash_length, ++ const uint8_t *signature, size_t signature_length); ++ + void translate_key_attributes( + ts_crypto_KeyAttributes &proto_attributes, + const psa_key_attributes_t &psa_attributes); +diff --git a/components/service/crypto/client/psa/psa_sign_message.c b/components/service/crypto/client/psa/psa_sign_message.c +index dc2f7e80..b6446253 100644 +--- a/components/service/crypto/client/psa/psa_sign_message.c ++++ b/components/service/crypto/client/psa/psa_sign_message.c +@@ -1,13 +1,15 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + + #include ++#include "psa_crypto_client.h" ++#include "crypto_caller_selector.h" + + psa_status_t psa_sign_message( +- psa_key_id_t key, ++ psa_key_id_t id, + psa_algorithm_t alg, + const uint8_t *input, + size_t input_length, +@@ -15,19 +17,11 @@ psa_status_t psa_sign_message( + size_t signature_size, + size_t *signature_length) + { +- size_t hash_len; +- uint8_t hash[PSA_HASH_MAX_SIZE]; ++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS) ++ return psa_crypto_client_instance.init_status; + +- psa_status_t psa_status = psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), ++ return crypto_caller_sign_message(&psa_crypto_client_instance.base, ++ id, alg, + input, input_length, +- hash, sizeof(hash), &hash_len); +- +- if (psa_status == PSA_SUCCESS) { +- +- psa_status = psa_sign_hash(key, alg, +- hash, hash_len, +- signature, signature_size, signature_length); +- } +- +- return psa_status; ++ signature, signature_size, signature_length); + } +diff --git a/components/service/crypto/client/psa/psa_verify_message.c b/components/service/crypto/client/psa/psa_verify_message.c +index d0fbc7c8..57c2c5e8 100644 +--- a/components/service/crypto/client/psa/psa_verify_message.c ++++ b/components/service/crypto/client/psa/psa_verify_message.c +@@ -1,32 +1,26 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + + #include ++#include "psa_crypto_client.h" ++#include "crypto_caller_selector.h" + + psa_status_t psa_verify_message( +- psa_key_id_t key, ++ psa_key_id_t id, + psa_algorithm_t alg, + const uint8_t *input, + size_t input_length, + const uint8_t * signature, + size_t signature_length) + { +- size_t hash_len; +- uint8_t hash[PSA_HASH_MAX_SIZE]; ++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS) ++ return psa_crypto_client_instance.init_status; + +- psa_status_t psa_status = psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), ++ return crypto_caller_verify_message(&psa_crypto_client_instance.base, ++ id, alg, + input, input_length, +- hash, sizeof(hash), &hash_len); +- +- if (psa_status == PSA_SUCCESS) { +- +- psa_status = psa_verify_hash(key, alg, +- hash, hash_len, +- signature, signature_length); +- } +- +- return psa_status; ++ signature, signature_length); + } +diff --git a/components/service/crypto/provider/crypto_provider.c b/components/service/crypto/provider/crypto_provider.c +index d0fc7cac..67a5b340 100644 +--- a/components/service/crypto/provider/crypto_provider.c ++++ b/components/service/crypto/provider/crypto_provider.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -16,8 +16,8 @@ static rpc_status_t destroy_key_handler(void *context, struct call_req* req); + static rpc_status_t export_key_handler(void *context, struct call_req* req); + static rpc_status_t export_public_key_handler(void *context, struct call_req* req); + static rpc_status_t import_key_handler(void *context, struct call_req* req); +-static rpc_status_t sign_hash_handler(void *context, struct call_req* req); +-static rpc_status_t verify_hash_handler(void *context, struct call_req* req); ++static rpc_status_t asymmetric_sign_handler(void *context, struct call_req* req); ++static rpc_status_t asymmetric_verify_handler(void *context, struct call_req* req); + static rpc_status_t asymmetric_decrypt_handler(void *context, struct call_req* req); + static rpc_status_t asymmetric_encrypt_handler(void *context, struct call_req* req); + static rpc_status_t generate_random_handler(void *context, struct call_req* req); +@@ -32,14 +32,16 @@ static const struct service_handler handler_table[] = { + {TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler}, + {TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler}, + {TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler}, +- {TS_CRYPTO_OPCODE_SIGN_HASH, sign_hash_handler}, +- {TS_CRYPTO_OPCODE_VERIFY_HASH, verify_hash_handler}, ++ {TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler}, ++ {TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler}, + {TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler}, + {TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler}, + {TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler}, + {TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler}, + {TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler}, + {TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler}, ++ {TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler}, ++ {TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler}, + }; + + struct rpc_interface *crypto_provider_init(struct crypto_provider *context) +@@ -272,7 +274,7 @@ static rpc_status_t import_key_handler(void *context, struct call_req* req) + return rpc_status; + } + +-static rpc_status_t sign_hash_handler(void *context, struct call_req* req) ++static rpc_status_t asymmetric_sign_handler(void *context, struct call_req* req) + { + rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED; + struct call_param_buf *req_buf = call_req_get_req_buf(req); +@@ -284,7 +286,7 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req) + uint8_t hash_buffer[PSA_HASH_MAX_SIZE]; + + if (serializer) +- rpc_status = serializer->deserialize_sign_hash_req(req_buf, &id, &alg, hash_buffer, &hash_len); ++ rpc_status = serializer->deserialize_asymmetric_sign_req(req_buf, &id, &alg, hash_buffer, &hash_len); + + if (rpc_status == TS_RPC_CALL_ACCEPTED) { + +@@ -292,14 +294,16 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req) + size_t sig_len; + uint8_t sig_buffer[PSA_SIGNATURE_MAX_SIZE]; + +- psa_status = psa_sign_hash(id, alg, +- hash_buffer, hash_len, +- sig_buffer, sizeof(sig_buffer), &sig_len); ++ psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_SIGN_HASH) ? ++ psa_sign_hash(id, alg, hash_buffer, hash_len, ++ sig_buffer, sizeof(sig_buffer), &sig_len) : ++ psa_sign_message(id, alg, hash_buffer, hash_len, ++ sig_buffer, sizeof(sig_buffer), &sig_len); + + if (psa_status == PSA_SUCCESS) { + + struct call_param_buf *resp_buf = call_req_get_resp_buf(req); +- rpc_status = serializer->serialize_sign_hash_resp(resp_buf, sig_buffer, sig_len); ++ rpc_status = serializer->serialize_asymmetric_sign_resp(resp_buf, sig_buffer, sig_len); + } + + call_req_set_opstatus(req, psa_status); +@@ -308,7 +312,7 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req) + return rpc_status; + } + +-static rpc_status_t verify_hash_handler(void *context, struct call_req* req) ++static rpc_status_t asymmetric_verify_handler(void *context, struct call_req* req) + { + rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED; + struct call_param_buf *req_buf = call_req_get_req_buf(req); +@@ -322,7 +326,7 @@ static rpc_status_t verify_hash_handler(void *context, struct call_req* req) + uint8_t sig_buffer[PSA_SIGNATURE_MAX_SIZE]; + + if (serializer) +- rpc_status = serializer->deserialize_verify_hash_req(req_buf, &id, &alg, ++ rpc_status = serializer->deserialize_asymmetric_verify_req(req_buf, &id, &alg, + hash_buffer, &hash_len, + sig_buffer, &sig_len); + +@@ -330,9 +334,13 @@ static rpc_status_t verify_hash_handler(void *context, struct call_req* req) + + psa_status_t psa_status; + +- psa_status = psa_verify_hash(id, alg, +- hash_buffer, hash_len, +- sig_buffer, sig_len); ++ psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_VERIFY_HASH) ? ++ psa_verify_hash(id, alg, ++ hash_buffer, hash_len, ++ sig_buffer, sig_len) : ++ psa_verify_message(id, alg, ++ hash_buffer, hash_len, ++ sig_buffer, sig_len); + + call_req_set_opstatus(req, psa_status); + } +diff --git a/components/service/crypto/provider/serializer/crypto_provider_serializer.h b/components/service/crypto/provider/serializer/crypto_provider_serializer.h +index 68940cae..57364f24 100644 +--- a/components/service/crypto/provider/serializer/crypto_provider_serializer.h ++++ b/components/service/crypto/provider/serializer/crypto_provider_serializer.h +@@ -79,15 +79,15 @@ struct crypto_provider_serializer { + const psa_key_attributes_t *attributes); + + /* Operation: sign_hash */ +- rpc_status_t (*deserialize_sign_hash_req)(const struct call_param_buf *req_buf, ++ rpc_status_t (*deserialize_asymmetric_sign_req)(const struct call_param_buf *req_buf, + psa_key_id_t *id, psa_algorithm_t *alg, + uint8_t *hash, size_t *hash_len); + +- rpc_status_t (*serialize_sign_hash_resp)(struct call_param_buf *resp_buf, ++ rpc_status_t (*serialize_asymmetric_sign_resp)(struct call_param_buf *resp_buf, + const uint8_t *sig, size_t sig_len); + + /* Operation: verify_hash */ +- rpc_status_t (*deserialize_verify_hash_req)(const struct call_param_buf *req_buf, ++ rpc_status_t (*deserialize_asymmetric_verify_req)(const struct call_param_buf *req_buf, + psa_key_id_t *id, psa_algorithm_t *alg, + uint8_t *hash, size_t *hash_len, + uint8_t *sig, size_t *sig_len); +diff --git a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c +index c70db865..4a7e59f0 100644 +--- a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c ++++ b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c +@@ -333,7 +333,7 @@ static rpc_status_t serialize_get_key_attributes_resp(struct call_param_buf *res + } + + /* Operation: sign_hash */ +-static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_buf, ++static rpc_status_t deserialize_asymmetric_sign_req(const struct call_param_buf *req_buf, + psa_key_id_t *id, psa_algorithm_t *alg, + uint8_t *hash, size_t *hash_len) + { +@@ -378,7 +378,7 @@ static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_b + return rpc_status; + } + +-static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf, ++static rpc_status_t serialize_asymmetric_sign_resp(struct call_param_buf *resp_buf, + const uint8_t *sig, size_t sig_len) + { + rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL; +@@ -401,7 +401,7 @@ static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf, + } + + /* Operation: verify_hash */ +-static rpc_status_t deserialize_verify_hash_req(const struct call_param_buf *req_buf, ++static rpc_status_t deserialize_asymmetric_verify_req(const struct call_param_buf *req_buf, + psa_key_id_t *id, psa_algorithm_t *alg, + uint8_t *hash, size_t *hash_len, + uint8_t *sig, size_t *sig_len) +@@ -695,9 +695,9 @@ const struct crypto_provider_serializer *packedc_crypto_provider_serializer_inst + deserialize_purge_key_req, + deserialize_get_key_attributes_req, + serialize_get_key_attributes_resp, +- deserialize_sign_hash_req, +- serialize_sign_hash_resp, +- deserialize_verify_hash_req, ++ deserialize_asymmetric_sign_req, ++ serialize_asymmetric_sign_resp, ++ deserialize_asymmetric_verify_req, + deserialize_asymmetric_decrypt_req, + serialize_asymmetric_decrypt_resp, + deserialize_asymmetric_encrypt_req, +diff --git a/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c +index 7767d20a..083a581a 100644 +--- a/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c ++++ b/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c +@@ -267,9 +267,9 @@ static rpc_status_t serialize_get_key_attributes_resp(struct call_param_buf *res + } + + /* Operation: sign_hash */ +-static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_buf, +- psa_key_id_t *id, psa_algorithm_t *alg, +- uint8_t *hash, size_t *hash_len) ++static rpc_status_t deserialize_asymmetric_sign_req(const struct call_param_buf *req_buf, ++ psa_key_id_t *id, psa_algorithm_t *alg, ++ uint8_t *hash, size_t *hash_len) + { + rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY; + ts_crypto_SignHashIn recv_msg = ts_crypto_SignHashIn_init_default; +@@ -295,8 +295,8 @@ static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_b + return rpc_status; + } + +-static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf, +- const uint8_t *sig, size_t sig_len) ++static rpc_status_t serialize_asymmetric_sign_resp(struct call_param_buf *resp_buf, ++ const uint8_t *sig, size_t sig_len) + { + size_t packed_resp_size; + rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL; +@@ -323,10 +323,10 @@ static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf, + } + + /* Operation: verify_hash */ +-static rpc_status_t deserialize_verify_hash_req(const struct call_param_buf *req_buf, +- psa_key_id_t *id, psa_algorithm_t *alg, +- uint8_t *hash, size_t *hash_len, +- uint8_t *sig, size_t *sig_len) ++static rpc_status_t deserialize_asymmetric_verify_req(const struct call_param_buf *req_buf, ++ psa_key_id_t *id, psa_algorithm_t *alg, ++ uint8_t *hash, size_t *hash_len, ++ uint8_t *sig, size_t *sig_len) + { + rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY; + ts_crypto_VerifyHashIn recv_msg = ts_crypto_VerifyHashIn_init_default; +@@ -538,32 +538,32 @@ static rpc_status_t serialize_generate_random_resp(struct call_param_buf *resp_b + /* Singleton method to provide access to the serializer instance */ + const struct crypto_provider_serializer *pb_crypto_provider_serializer_instance(void) + { +- static const struct crypto_provider_serializer instance = { +- max_deserialised_parameter_size, +- deserialize_generate_key_req, +- serialize_generate_key_resp, +- deserialize_destroy_key_req, +- deserialize_export_key_req, +- serialize_export_key_resp, +- deserialize_export_public_key_req, +- serialize_export_public_key_resp, +- deserialize_import_key_req, +- serialize_import_key_resp, +- deserialize_copy_key_req, +- serialize_copy_key_resp, +- deserialize_purge_key_req, +- deserialize_get_key_attributes_req, +- serialize_get_key_attributes_resp, +- deserialize_sign_hash_req, +- serialize_sign_hash_resp, +- deserialize_verify_hash_req, +- deserialize_asymmetric_decrypt_req, +- serialize_asymmetric_decrypt_resp, +- deserialize_asymmetric_encrypt_req, +- serialize_asymmetric_encrypt_resp, +- deserialize_generate_random_req, +- serialize_generate_random_resp +- }; +- +- return &instance; ++ static const struct crypto_provider_serializer instance = { ++ max_deserialised_parameter_size, ++ deserialize_generate_key_req, ++ serialize_generate_key_resp, ++ deserialize_destroy_key_req, ++ deserialize_export_key_req, ++ serialize_export_key_resp, ++ deserialize_export_public_key_req, ++ serialize_export_public_key_resp, ++ deserialize_import_key_req, ++ serialize_import_key_resp, ++ deserialize_copy_key_req, ++ serialize_copy_key_resp, ++ deserialize_purge_key_req, ++ deserialize_get_key_attributes_req, ++ serialize_get_key_attributes_resp, ++ deserialize_asymmetric_sign_req, ++ serialize_asymmetric_sign_resp, ++ deserialize_asymmetric_verify_req, ++ deserialize_asymmetric_decrypt_req, ++ serialize_asymmetric_decrypt_resp, ++ deserialize_asymmetric_encrypt_req, ++ serialize_asymmetric_encrypt_resp, ++ deserialize_generate_random_req, ++ serialize_generate_random_resp ++ }; ++ ++ return &instance; + } +diff --git a/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp b/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp +index bd6c66ee..da01abf4 100644 +--- a/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp ++++ b/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -18,15 +18,16 @@ TEST_GROUP(CryptoProtocolOpcodeChecks) + + TEST(CryptoProtocolOpcodeChecks, checkPackedcToProtobuf) + { +- CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_KEY, ts_crypto_Opcode_GENERATE_KEY); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_DESTROY_KEY, ts_crypto_Opcode_DESTROY_KEY); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_KEY, ts_crypto_Opcode_EXPORT_KEY); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, ts_crypto_Opcode_EXPORT_PUBLIC_KEY); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_IMPORT_KEY, ts_crypto_Opcode_IMPORT_KEY); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_HASH, ts_crypto_Opcode_SIGN_HASH); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_HASH, ts_crypto_Opcode_VERIFY_HASH); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, ts_crypto_Opcode_ASYMMETRIC_DECRYPT); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, ts_crypto_Opcode_ASYMMETRIC_ENCRYPT); +- CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_RANDOM, ts_crypto_Opcode_GENERATE_RANDOM); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_KEY, ts_crypto_Opcode_GENERATE_KEY); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_DESTROY_KEY, ts_crypto_Opcode_DESTROY_KEY); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_KEY, ts_crypto_Opcode_EXPORT_KEY); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, ts_crypto_Opcode_EXPORT_PUBLIC_KEY); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_IMPORT_KEY, ts_crypto_Opcode_IMPORT_KEY); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_HASH, ts_crypto_Opcode_SIGN_HASH); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_HASH, ts_crypto_Opcode_VERIFY_HASH); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, ts_crypto_Opcode_ASYMMETRIC_DECRYPT); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, ts_crypto_Opcode_ASYMMETRIC_ENCRYPT); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_RANDOM, ts_crypto_Opcode_GENERATE_RANDOM); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_MESSAGE, ts_crypto_Opcode_SIGN_MESSAGE); ++ CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_MESSAGE, ts_crypto_Opcode_VERIFY_MESSAGE); + } +- +diff --git a/components/service/crypto/test/service/crypto_service_scenarios.cpp b/components/service/crypto/test/service/crypto_service_scenarios.cpp +index ec2c6736..b3345551 100644 +--- a/components/service/crypto/test/service/crypto_service_scenarios.cpp ++++ b/components/service/crypto/test/service/crypto_service_scenarios.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -290,6 +290,56 @@ void crypto_service_scenarios::signAndVerifyHash() + CHECK_EQUAL(PSA_SUCCESS, status); + } + ++void crypto_service_scenarios::signAndVerifyMessage() ++{ ++ psa_status_t status; ++ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; ++ psa_key_id_t key_id; ++ ++ psa_set_key_id(&attributes, 14); ++ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE); ++ psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256)); ++ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); ++ psa_set_key_bits(&attributes, 256); ++ ++ /* Generate a key */ ++ status = m_crypto_client->generate_key(&attributes, &key_id); ++ CHECK_EQUAL(PSA_SUCCESS, status); ++ ++ psa_reset_key_attributes(&attributes); ++ ++ /* Sign a message */ ++ uint8_t message[21]; ++ uint8_t signature[PSA_SIGNATURE_MAX_SIZE]; ++ size_t signature_length; ++ ++ memset(message, 0x99, sizeof(message)); ++ ++ status = m_crypto_client->sign_message(key_id, ++ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message), ++ signature, sizeof(signature), &signature_length); ++ ++ CHECK_EQUAL(PSA_SUCCESS, status); ++ CHECK(signature_length > 0); ++ ++ /* Verify the signature */ ++ status = m_crypto_client->verify_message(key_id, ++ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message), ++ signature, signature_length); ++ CHECK_EQUAL(PSA_SUCCESS, status); ++ ++ /* Change the message and expect verify to fail */ ++ message[0] = 0x72; ++ status = m_crypto_client->verify_message(key_id, ++ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message), ++ signature, signature_length); ++ CHECK_EQUAL(PSA_ERROR_INVALID_SIGNATURE, status); ++ ++ /* Remove the key */ ++ status = m_crypto_client->destroy_key(key_id); ++ CHECK_EQUAL(PSA_SUCCESS, status); ++} ++ + void crypto_service_scenarios::signAndVerifyEat() + { + /* Sign and verify a hash using EAT key type and algorithm */ +@@ -348,7 +398,7 @@ void crypto_service_scenarios::asymEncryptDecrypt() + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id; + +- psa_set_key_id(&attributes, 14); ++ psa_set_key_id(&attributes, 15); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); + psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT); + psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); +@@ -394,7 +444,7 @@ void crypto_service_scenarios::asymEncryptDecryptWithSalt() + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id; + +- psa_set_key_id(&attributes, 15); ++ psa_set_key_id(&attributes, 16); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); + psa_set_key_algorithm(&attributes, PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256)); + psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR); +diff --git a/components/service/crypto/test/service/crypto_service_scenarios.h b/components/service/crypto/test/service/crypto_service_scenarios.h +index c65eba26..23671644 100644 +--- a/components/service/crypto/test/service/crypto_service_scenarios.h ++++ b/components/service/crypto/test/service/crypto_service_scenarios.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -24,6 +24,7 @@ public: + void asymEncryptDecrypt(); + void asymEncryptDecryptWithSalt(); + void signAndVerifyHash(); ++ void signAndVerifyMessage(); + void signAndVerifyEat(); + void exportAndImportKeyPair(); + void exportPublicKey(); +diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp +index 79eddfbb..ea238432 100644 +--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp ++++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -87,6 +87,11 @@ TEST(CryptoServicePackedcTests, signAndVerifyHash) + m_scenarios->signAndVerifyHash(); + } + ++TEST(CryptoServicePackedcTests, signAndVerifyMessage) ++{ ++ m_scenarios->signAndVerifyMessage(); ++} ++ + TEST(CryptoServicePackedcTests, signAndVerifyEat) + { + m_scenarios->signAndVerifyEat(); +diff --git a/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp b/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp +index 1230752c..c172ad4a 100644 +--- a/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp ++++ b/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -77,6 +77,11 @@ TEST(CryptoServiceProtobufTests, signAndVerifyHash) + m_scenarios->signAndVerifyHash(); + } + ++TEST(CryptoServiceProtobufTests, signAndVerifyMessage) ++{ ++ m_scenarios->signAndVerifyMessage(); ++} ++ + TEST(CryptoServiceProtobufTests, asymEncryptDecrypt) + { + m_scenarios->asymEncryptDecrypt(); +diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h +index a07bd57e..5aebf2fa 100644 +--- a/protocols/service/crypto/packed-c/opcodes.h ++++ b/protocols/service/crypto/packed-c/opcodes.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -25,6 +25,8 @@ + #define TS_CRYPTO_OPCODE_COPY_KEY (TS_CRYPTO_OPCODE_BASE + 13) + #define TS_CRYPTO_OPCODE_PURGE_KEY (TS_CRYPTO_OPCODE_BASE + 14) + #define TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES (TS_CRYPTO_OPCODE_BASE + 15) ++#define TS_CRYPTO_OPCODE_SIGN_MESSAGE (TS_CRYPTO_OPCODE_BASE + 16) ++#define TS_CRYPTO_OPCODE_VERIFY_MESSAGE (TS_CRYPTO_OPCODE_BASE + 17) + + /* Hash operations */ + #define TS_CRYPTO_OPCODE_HASH_BASE (0x0200) +diff --git a/protocols/service/crypto/protobuf/opcodes.proto b/protocols/service/crypto/protobuf/opcodes.proto +index 094d3a02..ef64d044 100644 +--- a/protocols/service/crypto/protobuf/opcodes.proto ++++ b/protocols/service/crypto/protobuf/opcodes.proto +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + * SPDX-License-Identifier: BSD-3-Clause + */ + syntax = "proto3"; +@@ -18,4 +18,6 @@ enum Opcode { + ASYMMETRIC_DECRYPT = 0x010a; + ASYMMETRIC_ENCRYPT = 0x010b; + GENERATE_RANDOM = 0x010c; ++ SIGN_MESSAGE = 0x0110; ++ VERIFY_MESSAGE = 0x0111; + } +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0037-Add-defence-against-uninitialised-multi-part-transac.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0037-Add-defence-against-uninitialised-multi-part-transac.patch new file mode 100644 index 00000000..af156b0a --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0037-Add-defence-against-uninitialised-multi-part-transac.patch @@ -0,0 +1,124 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 68e189877ea1aa893facafb8b336e92112555e07 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Fri, 11 Feb 2022 14:19:26 +0000 +Subject: [PATCH 05/15] Add defence against uninitialised multi-part + transaction + +Adds checks for the condition where there is an attempt to +setup a multi-part transaction without first initialising +transaction state. + +Signed-off-by: Julian Hall +Change-Id: I754479260fed0490d8f32b41a077d26028dc9903 +--- + components/service/crypto/client/psa/psa_cipher.c | 14 +++++++++++++- + components/service/crypto/client/psa/psa_hash.c | 8 +++++++- + components/service/crypto/client/psa/psa_mac.c | 10 ++++++++-- + 3 files changed, 28 insertions(+), 4 deletions(-) + +diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c +index 70836ea6..3ab8ea21 100644 +--- a/components/service/crypto/client/psa/psa_cipher.c ++++ b/components/service/crypto/client/psa/psa_cipher.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -13,6 +13,12 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, + psa_key_id_t key, + psa_algorithm_t alg) + { ++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS) ++ return psa_crypto_client_instance.init_status; ++ ++ if (operation->handle) ++ return PSA_ERROR_BAD_STATE; ++ + return crypto_caller_cipher_encrypt_setup(&psa_crypto_client_instance.base, + &operation->handle, + key, alg); +@@ -22,6 +28,12 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation, + psa_key_id_t key, + psa_algorithm_t alg) + { ++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS) ++ return psa_crypto_client_instance.init_status; ++ ++ if (operation->handle) ++ return PSA_ERROR_BAD_STATE; ++ + return crypto_caller_cipher_decrypt_setup(&psa_crypto_client_instance.base, + &operation->handle, + key, alg); +diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c +index 7005c390..83278de6 100644 +--- a/components/service/crypto/client/psa/psa_hash.c ++++ b/components/service/crypto/client/psa/psa_hash.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -14,6 +14,9 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation, + if (psa_crypto_client_instance.init_status != PSA_SUCCESS) + return psa_crypto_client_instance.init_status; + ++ if (operation->handle) ++ return PSA_ERROR_BAD_STATE; ++ + return crypto_caller_hash_setup(&psa_crypto_client_instance.base, + &operation->handle, alg); + } +@@ -55,6 +58,9 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation, + psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation, + psa_hash_operation_t *target_operation) + { ++ if (target_operation->handle) ++ return PSA_ERROR_BAD_STATE; ++ + return crypto_caller_hash_clone(&psa_crypto_client_instance.base, + source_operation->handle, + &target_operation->handle); +diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c +index 5efa1c4d..5c5eb32a 100644 +--- a/components/service/crypto/client/psa/psa_mac.c ++++ b/components/service/crypto/client/psa/psa_mac.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -16,6 +16,9 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation, + if (psa_crypto_client_instance.init_status != PSA_SUCCESS) + return psa_crypto_client_instance.init_status; + ++ if (operation->handle) ++ return PSA_ERROR_BAD_STATE; ++ + return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base, + &operation->handle, + key, alg); +@@ -28,7 +31,10 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation, + if (psa_crypto_client_instance.init_status != PSA_SUCCESS) + return psa_crypto_client_instance.init_status; + +- return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base, ++ if (operation->handle) ++ return PSA_ERROR_BAD_STATE; ++ ++ return crypto_caller_mac_verify_setup(&psa_crypto_client_instance.base, + &operation->handle, + key, alg); + } +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0038-Integrate-AEAD-operation-support.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0038-Integrate-AEAD-operation-support.patch new file mode 100644 index 00000000..9c2ac43a --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0038-Integrate-AEAD-operation-support.patch @@ -0,0 +1,521 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From d800f7eaa25efca41535a223ef5d524651dee103 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Fri, 11 Feb 2022 14:24:53 +0000 +Subject: [PATCH 06/15] Integrate AEAD operation support + +Resolves issues and integrates AEAD support into the crypto service +provider and clients. + +Signed-off-by: Julian Hall +Change-Id: I5fbe78a2dd825f592e26fd665f60c18b576f9de9 +--- + .../caller/packed-c/crypto_caller_aead.h | 70 +++--- + .../client/caller/stub/crypto_caller_aead.h | 12 +- + .../service/crypto/client/psa/psa_aead.c | 221 +++++++++++++++--- + .../factory/full/crypto_provider_factory.c | 16 +- + .../component-test/component-test.cmake | 4 +- + deployments/crypto/opteesp/CMakeLists.txt | 4 +- + deployments/libts/linux-pc/CMakeLists.txt | 4 +- + deployments/se-proxy/opteesp/CMakeLists.txt | 4 +- + 8 files changed, 263 insertions(+), 72 deletions(-) + +diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +index 3d9947d5..c4ffb20c 100644 +--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h ++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -20,38 +20,6 @@ + extern "C" { + #endif + +-static inline psa_status_t crypto_caller_aead_encrypt(struct service_client *context, +- psa_key_id_t key, +- psa_algorithm_t alg, +- const uint8_t *nonce, +- size_t nonce_length, +- const uint8_t *additional_data, +- size_t additional_data_length, +- const uint8_t *plaintext, +- size_t plaintext_length, +- uint8_t *aeadtext, +- size_t aeadtext_size, +- size_t *aeadtext_length) +-{ +- return PSA_ERROR_NOT_SUPPORTED; +-} +- +-static inline psa_status_t crypto_caller_aead_decrypt(struct service_client *context, +- psa_key_id_t key, +- psa_algorithm_t alg, +- const uint8_t *nonce, +- size_t nonce_length, +- const uint8_t *additional_data, +- size_t additional_data_length, +- const uint8_t *aeadtext, +- size_t aeadtext_length, +- uint8_t *plaintext, +- size_t plaintext_size, +- size_t *plaintext_length) +-{ +- return PSA_ERROR_NOT_SUPPORTED; +-} +- + static inline psa_status_t common_aead_setup(struct service_client *context, + uint32_t *op_handle, + psa_key_id_t key, +@@ -247,7 +215,7 @@ static inline psa_status_t crypto_caller_aead_set_lengths(struct service_client + { + psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR; + struct ts_crypto_aead_set_lengths_in req_msg; +- size_t req_fixed_len = sizeof(struct ts_crypto_aead_abort_in); ++ size_t req_fixed_len = sizeof(struct ts_crypto_aead_set_lengths_in); + size_t req_len = req_fixed_len; + + req_msg.op_handle = op_handle; +@@ -611,6 +579,40 @@ static inline psa_status_t crypto_caller_aead_abort(struct service_client *conte + return psa_status; + } + ++/** ++ * The maximum data length that may be carried in an update operation will be ++ * constrained by the maximum call payload capacity imposed by the end-to-end ++ * RPC call path. These functions return the maximum update size when serialization ++ * overheads are considered. This allows large paylaods to be processed in ++ * maximum size chunks. ++ */ ++static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes of additional data that may be ++ * carried as a parameter of the aead_update_ad operation ++ * using the packed-c encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = sizeof(struct ts_crypto_aead_update_ad_in) + TLV_HDR_LEN; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; ++} ++ ++static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes that may be ++ * carried as a parameter of the aead_update operation ++ * using the packed-c encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = sizeof(struct ts_crypto_aead_update_in) + TLV_HDR_LEN; ++ ++ /* Allow for output to be a whole number of blocks */ ++ overhead += PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; ++} ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/caller/stub/crypto_caller_aead.h b/components/service/crypto/client/caller/stub/crypto_caller_aead.h +index 18aa8cec..455e7ac1 100644 +--- a/components/service/crypto/client/caller/stub/crypto_caller_aead.h ++++ b/components/service/crypto/client/caller/stub/crypto_caller_aead.h +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -135,6 +135,16 @@ static inline psa_status_t crypto_caller_aead_abort(struct service_client *conte + return PSA_ERROR_NOT_SUPPORTED; + } + ++static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context) ++{ ++ return 0; ++} ++ ++static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context) ++{ ++ return 0; ++} ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c +index 22fd3da1..e4579e63 100644 +--- a/components/service/crypto/client/psa/psa_aead.c ++++ b/components/service/crypto/client/psa/psa_aead.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -8,37 +8,6 @@ + #include "psa_crypto_client.h" + #include "crypto_caller_selector.h" + +- +-psa_status_t psa_aead_encrypt(psa_key_id_t key, +- psa_algorithm_t alg, +- const uint8_t *nonce, +- size_t nonce_length, +- const uint8_t *additional_data, +- size_t additional_data_length, +- const uint8_t *plaintext, +- size_t plaintext_length, +- uint8_t *aeadtext, +- size_t aeadtext_size, +- size_t *aeadtext_length) +-{ +- return PSA_ERROR_NOT_SUPPORTED; +-} +- +-psa_status_t psa_aead_decrypt(psa_key_id_t key, +- psa_algorithm_t alg, +- const uint8_t *nonce, +- size_t nonce_length, +- const uint8_t *additional_data, +- size_t additional_data_length, +- const uint8_t *aeadtext, +- size_t aeadtext_length, +- uint8_t *plaintext, +- size_t plaintext_size, +- size_t *plaintext_length) +-{ +- return PSA_ERROR_NOT_SUPPORTED; +-} +- + psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation, + psa_key_id_t key, + psa_algorithm_t alg) +@@ -143,3 +112,191 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation) + return crypto_caller_aead_abort(&psa_crypto_client_instance.base, + operation->handle); + } ++ ++static psa_status_t multi_aead_update_ad(psa_aead_operation_t *operation, ++ const uint8_t *input, ++ size_t input_length) ++{ ++ psa_status_t psa_status = PSA_SUCCESS; ++ size_t max_update_size = ++ crypto_caller_aead_max_update_ad_size(&psa_crypto_client_instance.base); ++ size_t bytes_input = 0; ++ ++ if (!max_update_size) { ++ ++ /* Don't know the max update size so assume that the entire ++ * input and output can be handled in a single update. If ++ * this isn't true, the first aead update operation will fail ++ * safely. ++ */ ++ max_update_size = input_length; ++ } ++ ++ while (bytes_input < input_length) { ++ ++ size_t bytes_remaining = input_length - bytes_input; ++ size_t update_len = (bytes_remaining < max_update_size) ? ++ bytes_remaining : ++ max_update_size; ++ ++ psa_status = psa_aead_update_ad(operation, ++ &input[bytes_input], update_len); ++ ++ if (psa_status != PSA_SUCCESS) break; ++ ++ bytes_input += update_len; ++ } ++ ++ return psa_status; ++} ++ ++static psa_status_t multi_aead_update(psa_aead_operation_t *operation, ++ const uint8_t *input, ++ size_t input_length, ++ uint8_t *output, ++ size_t output_size, ++ size_t *output_length) ++{ ++ psa_status_t psa_status = PSA_SUCCESS; ++ size_t max_update_size = ++ crypto_caller_aead_max_update_size(&psa_crypto_client_instance.base); ++ size_t bytes_input = 0; ++ size_t bytes_output = 0; ++ ++ *output_length = 0; ++ ++ if (!max_update_size) { ++ ++ /* Don't know the max update size so assume that the entire ++ * input and output can be handled in a single update. If ++ * this isn't true, the first aead update operation will fail ++ * safely. ++ */ ++ max_update_size = input_length; ++ } ++ ++ while ((bytes_input < input_length) && (bytes_output < output_size)) { ++ ++ size_t update_output_len = 0; ++ size_t bytes_remaining = input_length - bytes_input; ++ size_t update_len = (bytes_remaining < max_update_size) ? ++ bytes_remaining : ++ max_update_size; ++ ++ psa_status = psa_aead_update(operation, ++ &input[bytes_input], update_len, ++ &output[bytes_output], output_size - bytes_output, &update_output_len); ++ ++ if (psa_status != PSA_SUCCESS) break; ++ ++ bytes_input += update_len; ++ bytes_output += update_output_len; ++ } ++ ++ if (psa_status == PSA_SUCCESS) { ++ ++ *output_length = bytes_output; ++ } ++ ++ return psa_status; ++} ++ ++psa_status_t psa_aead_encrypt(psa_key_id_t key, ++ psa_algorithm_t alg, ++ const uint8_t *nonce, ++ size_t nonce_length, ++ const uint8_t *additional_data, ++ size_t additional_data_length, ++ const uint8_t *plaintext, ++ size_t plaintext_length, ++ uint8_t *aeadtext, ++ size_t aeadtext_size, ++ size_t *aeadtext_length) ++{ ++ psa_aead_operation_t operation = psa_aead_operation_init(); ++ size_t bytes_output = 0; ++ *aeadtext_length = 0; ++ ++ psa_status_t psa_status = psa_aead_encrypt_setup(&operation, key, alg); ++ if (psa_status != PSA_SUCCESS) return psa_status; ++ ++ if ((psa_status = psa_aead_set_lengths(&operation, additional_data_length, plaintext_length), ++ psa_status == PSA_SUCCESS) && ++ (psa_status = psa_aead_set_nonce(&operation, nonce, nonce_length), ++ psa_status == PSA_SUCCESS) && ++ (psa_status = multi_aead_update_ad(&operation, additional_data, additional_data_length), ++ psa_status == PSA_SUCCESS) && ++ (psa_status = multi_aead_update(&operation, plaintext, plaintext_length, ++ aeadtext, aeadtext_size, &bytes_output), ++ psa_status == PSA_SUCCESS)) ++ { ++ size_t remaining_aead_len = 0; ++ size_t tag_len = 0; ++ ++ psa_status = psa_aead_finish(&operation, ++ NULL, 0, &remaining_aead_len, ++ &aeadtext[bytes_output], aeadtext_size - bytes_output, &tag_len); ++ ++ if (psa_status == PSA_SUCCESS) { ++ ++ *aeadtext_length = bytes_output + remaining_aead_len + tag_len; ++ } ++ } ++ else { ++ ++ psa_aead_abort(&operation); ++ } ++ ++ return psa_status; ++} ++ ++psa_status_t psa_aead_decrypt(psa_key_id_t key, ++ psa_algorithm_t alg, ++ const uint8_t *nonce, ++ size_t nonce_length, ++ const uint8_t *additional_data, ++ size_t additional_data_length, ++ const uint8_t *aeadtext, ++ size_t aeadtext_length, ++ uint8_t *plaintext, ++ size_t plaintext_size, ++ size_t *plaintext_length) ++{ ++ psa_aead_operation_t operation = psa_aead_operation_init(); ++ size_t bytes_output = 0; ++ *plaintext_length = 0; ++ ++ psa_status_t psa_status = psa_aead_decrypt_setup(&operation, key, alg); ++ if (psa_status != PSA_SUCCESS) return psa_status; ++ ++ size_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg); ++ size_t ciphertext_len = (aeadtext_length > tag_len) ? aeadtext_length - tag_len : 0; ++ ++ if ((psa_status = psa_aead_set_lengths(&operation, additional_data_length, ciphertext_len), ++ psa_status == PSA_SUCCESS) && ++ (psa_status = psa_aead_set_nonce(&operation, nonce, nonce_length), ++ psa_status == PSA_SUCCESS) && ++ (psa_status = multi_aead_update_ad(&operation, additional_data, additional_data_length), ++ psa_status == PSA_SUCCESS) && ++ (psa_status = multi_aead_update(&operation, aeadtext, ciphertext_len, ++ plaintext, plaintext_size, &bytes_output), ++ psa_status == PSA_SUCCESS)) ++ { ++ size_t remaining_plaintext_len = 0; ++ ++ psa_status = psa_aead_verify(&operation, ++ NULL, 0, &remaining_plaintext_len, ++ &aeadtext[bytes_output], aeadtext_length - bytes_output); ++ ++ if (psa_status == PSA_SUCCESS) { ++ ++ *plaintext_length = bytes_output + remaining_plaintext_len; ++ } ++ } ++ else { ++ ++ psa_aead_abort(&operation); ++ } ++ ++ return psa_status; ++} +diff --git a/components/service/crypto/factory/full/crypto_provider_factory.c b/components/service/crypto/factory/full/crypto_provider_factory.c +index 2d926eb6..ee2b4473 100644 +--- a/components/service/crypto/factory/full/crypto_provider_factory.c ++++ b/components/service/crypto/factory/full/crypto_provider_factory.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + * +@@ -17,6 +17,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + +@@ -34,6 +36,7 @@ static struct full_crypto_provider + struct cipher_provider cipher_provider; + struct key_derivation_provider key_derivation_provider; + struct mac_provider mac_provider; ++ struct aead_provider aead_provider; + + } instance; + +@@ -98,6 +101,17 @@ struct crypto_provider *crypto_provider_factory_create(void) + crypto_provider_extend(&instance.crypto_provider, + &instance.mac_provider.base_provider); + ++ /** ++ * Extend with aead operations ++ */ ++ aead_provider_init(&instance.aead_provider); ++ ++ aead_provider_register_serializer(&instance.aead_provider, ++ TS_RPC_ENCODING_PACKED_C, packedc_aead_provider_serializer_instance()); ++ ++ crypto_provider_extend(&instance.crypto_provider, ++ &instance.aead_provider.base_provider); ++ + return &instance.crypto_provider; + } + +diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake +index a0233c34..c3b015ab 100644 +--- a/deployments/component-test/component-test.cmake ++++ b/deployments/component-test/component-test.cmake +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -85,6 +85,8 @@ add_components( + "components/service/crypto/provider/extension/key_derivation/serializer/packed-c" + "components/service/crypto/provider/extension/mac" + "components/service/crypto/provider/extension/mac/serializer/packed-c" ++ "components/service/crypto/provider/extension/aead" ++ "components/service/crypto/provider/extension/aead/serializer/packed-c" + "components/service/crypto/provider/test" + "components/service/crypto/backend/mbedcrypto" + "components/service/crypto/factory/full" +diff --git a/deployments/crypto/opteesp/CMakeLists.txt b/deployments/crypto/opteesp/CMakeLists.txt +index 8ada74e9..eb5d0847 100644 +--- a/deployments/crypto/opteesp/CMakeLists.txt ++++ b/deployments/crypto/opteesp/CMakeLists.txt +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -62,6 +62,8 @@ add_components(TARGET "crypto-sp" + "components/service/crypto/provider/extension/key_derivation/serializer/packed-c" + "components/service/crypto/provider/extension/mac" + "components/service/crypto/provider/extension/mac/serializer/packed-c" ++ "components/service/crypto/provider/extension/aead" ++ "components/service/crypto/provider/extension/aead/serializer/packed-c" + "components/service/crypto/factory/full" + "components/service/crypto/backend/mbedcrypto" + "components/service/crypto/backend/mbedcrypto/trng_adapter/platform" +diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt +index fc98407c..97eaaa73 100644 +--- a/deployments/libts/linux-pc/CMakeLists.txt ++++ b/deployments/libts/linux-pc/CMakeLists.txt +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -71,6 +71,8 @@ add_components( + "components/service/crypto/provider/extension/key_derivation/serializer/packed-c" + "components/service/crypto/provider/extension/mac" + "components/service/crypto/provider/extension/mac/serializer/packed-c" ++ "components/service/crypto/provider/extension/aead" ++ "components/service/crypto/provider/extension/aead/serializer/packed-c" + "components/service/crypto/factory/full" + "components/service/crypto/backend/mbedcrypto" + "components/service/crypto/backend/mbedcrypto/trng_adapter/linux" +diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt +index 953bb716..24a8ca65 100644 +--- a/deployments/se-proxy/opteesp/CMakeLists.txt ++++ b/deployments/se-proxy/opteesp/CMakeLists.txt +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -70,6 +70,8 @@ add_components(TARGET "se-proxy" + "components/service/crypto/provider/extension/key_derivation/serializer/packed-c" + "components/service/crypto/provider/extension/mac" + "components/service/crypto/provider/extension/mac/serializer/packed-c" ++ "components/service/crypto/provider/extension/aead" ++ "components/service/crypto/provider/extension/aead/serializer/packed-c" + "components/service/crypto/factory/full" + "components/service/secure_storage/include" + "components/service/secure_storage/frontend/secure_storage_provider" +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0039-Add-IV-generation-to-one-shot-cipher-operation.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0039-Add-IV-generation-to-one-shot-cipher-operation.patch new file mode 100644 index 00000000..c4c83c91 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0039-Add-IV-generation-to-one-shot-cipher-operation.patch @@ -0,0 +1,96 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 0e743c9e00249b0fe50b1b2d28d06a8568569736 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Tue, 15 Feb 2022 15:46:58 +0000 +Subject: [PATCH 07/15] Add IV generation to one-shot cipher operation + +The functions psa_cipher_encrypt and psa_cipher_decrypt are +one-shot operations that can take an arbitrary sized input. +These operations are implemented as client-side functions +that use multi-part cipher operations to allow large inputs +to be handled. The existing implementations were missing the +generation and setting of the IV at the start of the data. +This was leading to PSA Arch test failures (248 & 249). This +commit adds the missing IV handling and resolves the test +failures. + +Signed-off-by: Julian Hall +Change-Id: I4afb555ee7062ebb387e5bb27fb1e082288ad8c7 +--- + .../service/crypto/client/psa/psa_cipher.c | 40 +++++++++++++++---- + 1 file changed, 33 insertions(+), 7 deletions(-) + +diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c +index 3ab8ea21..111af829 100644 +--- a/components/service/crypto/client/psa/psa_cipher.c ++++ b/components/service/crypto/client/psa/psa_cipher.c +@@ -8,7 +8,6 @@ + #include "psa_crypto_client.h" + #include "crypto_caller_selector.h" + +- + psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation, + psa_key_id_t key, + psa_algorithm_t alg) +@@ -171,9 +170,16 @@ psa_status_t psa_cipher_encrypt(psa_key_id_t key, + + if (psa_status == PSA_SUCCESS) { + ++ size_t ciphertext_len = 0; ++ size_t iv_len = 0; ++ ++ psa_cipher_generate_iv(&operation, output, output_size, &iv_len); ++ + psa_status = multi_cipher_update(&operation, + input, input_length, +- output, output_size, output_length); ++ &output[iv_len], output_size - iv_len, &ciphertext_len); ++ ++ *output_length = iv_len + ciphertext_len; + } + + return psa_status; +@@ -187,14 +193,34 @@ psa_status_t psa_cipher_decrypt(psa_key_id_t key, + size_t output_size, + size_t *output_length) + { +- psa_cipher_operation_t operation = psa_cipher_operation_init(); +- psa_status_t psa_status = psa_cipher_decrypt_setup(&operation, key, alg); ++ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; ++ psa_status_t psa_status = psa_get_key_attributes(key, &attributes); + + if (psa_status == PSA_SUCCESS) { + +- psa_status = multi_cipher_update(&operation, +- input, input_length, +- output, output_size, output_length); ++ psa_cipher_operation_t operation = psa_cipher_operation_init(); ++ psa_status = psa_cipher_decrypt_setup(&operation, key, alg); ++ ++ if (psa_status == PSA_SUCCESS) { ++ ++ size_t iv_len = PSA_CIPHER_IV_LENGTH(psa_get_key_type(&attributes), alg); ++ ++ if (input_length >= iv_len) { ++ ++ psa_cipher_set_iv(&operation, input, iv_len); ++ ++ psa_status = multi_cipher_update(&operation, ++ &input[iv_len], input_length - iv_len, ++ output, output_size, output_length); ++ } ++ else { ++ ++ psa_cipher_abort(&operation); ++ psa_status = PSA_ERROR_INVALID_ARGUMENT; ++ } ++ } ++ ++ psa_reset_key_attributes(&attributes); + } + + return psa_status; +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0040-Fix-multi-part-termination-on-error.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0040-Fix-multi-part-termination-on-error.patch new file mode 100644 index 00000000..05e3b975 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0040-Fix-multi-part-termination-on-error.patch @@ -0,0 +1,241 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 51563497958036271a23de8ae28f174db1296689 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Wed, 16 Feb 2022 10:37:04 +0000 +Subject: [PATCH 08/15] Fix multi-part termination on error + +For multi-part operations, the PSA Crypto API specifies that if +the final operation does not return PSA_SUCCESS, the abort +operaion must be called by a client to clean-up the operation. +This change modifies behaviour in-line with the API definition. + +Signed-off-by: Julian Hall +Change-Id: Ia3d3ec004164647a7ab5988cac45c39c22e76e9a +--- + components/service/crypto/client/psa/psa_aead.c | 8 ++++++++ + components/service/crypto/client/psa/psa_cipher.c | 4 ++++ + components/service/crypto/client/psa/psa_hash.c | 10 ++++++++++ + components/service/crypto/client/psa/psa_mac.c | 10 ++++++++++ + .../crypto/provider/extension/aead/aead_provider.c | 10 +++++----- + .../provider/extension/cipher/cipher_provider.c | 6 +++--- + .../crypto/provider/extension/hash/hash_provider.c | 6 +++--- + .../crypto/provider/extension/mac/mac_provider.c | 11 +++++++---- + 8 files changed, 50 insertions(+), 15 deletions(-) + +diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c +index e4579e63..559eb6a3 100644 +--- a/components/service/crypto/client/psa/psa_aead.c ++++ b/components/service/crypto/client/psa/psa_aead.c +@@ -241,6 +241,10 @@ psa_status_t psa_aead_encrypt(psa_key_id_t key, + + *aeadtext_length = bytes_output + remaining_aead_len + tag_len; + } ++ else { ++ ++ psa_aead_abort(&operation); ++ } + } + else { + +@@ -292,6 +296,10 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key, + + *plaintext_length = bytes_output + remaining_plaintext_len; + } ++ else { ++ ++ psa_aead_abort(&operation); ++ } + } + else { + +diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c +index 111af829..4e4264b6 100644 +--- a/components/service/crypto/client/psa/psa_cipher.c ++++ b/components/service/crypto/client/psa/psa_cipher.c +@@ -146,6 +146,10 @@ static psa_status_t multi_cipher_update(psa_cipher_operation_t *operation, + + *output_length = bytes_output + finish_output_len; + } ++ else { ++ ++ psa_cipher_abort(operation); ++ } + } + else { + +diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c +index 83278de6..e5dd0030 100644 +--- a/components/service/crypto/client/psa/psa_hash.c ++++ b/components/service/crypto/client/psa/psa_hash.c +@@ -137,6 +137,11 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg, + if (psa_status == PSA_SUCCESS) { + + psa_status = psa_hash_verify(&operation, hash, hash_length); ++ ++ if (psa_status != PSA_SUCCESS) { ++ ++ psa_hash_abort(&operation); ++ } + } + + return psa_status; +@@ -155,6 +160,11 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg, + if (psa_status == PSA_SUCCESS) { + + psa_status = psa_hash_finish(&operation, hash, hash_size, hash_length); ++ ++ if (psa_status != PSA_SUCCESS) { ++ ++ psa_hash_abort(&operation); ++ } + } + + return psa_status; +diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c +index 5c5eb32a..a3db8644 100644 +--- a/components/service/crypto/client/psa/psa_mac.c ++++ b/components/service/crypto/client/psa/psa_mac.c +@@ -129,6 +129,11 @@ psa_status_t psa_mac_verify(psa_key_id_t key, + if (psa_status == PSA_SUCCESS) { + + psa_status = psa_mac_verify_finish(&operation, mac, mac_length); ++ ++ if (psa_status != PSA_SUCCESS) { ++ ++ psa_mac_abort(&operation); ++ } + } + + return psa_status; +@@ -153,6 +158,11 @@ psa_status_t psa_mac_compute(psa_key_id_t key, + if (psa_status == PSA_SUCCESS) { + + psa_status = psa_mac_sign_finish(&operation, mac, mac_size, mac_length); ++ ++ if (psa_status != PSA_SUCCESS) { ++ ++ psa_mac_abort(&operation); ++ } + } + + return psa_status; +diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c +index f4e81a03..14a25436 100644 +--- a/components/service/crypto/provider/extension/aead/aead_provider.c ++++ b/components/service/crypto/provider/extension/aead/aead_provider.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -369,9 +369,9 @@ static rpc_status_t aead_finish_handler(void *context, struct call_req *req) + rpc_status = serializer->serialize_aead_finish_resp(resp_buf, + ciphertext, ciphertext_len, + tag, tag_len); +- } + +- crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ } + } + + call_req_set_opstatus(req, psa_status); +@@ -418,9 +418,9 @@ static rpc_status_t aead_verify_handler(void *context, struct call_req *req) + struct call_param_buf *resp_buf = call_req_get_resp_buf(req); + rpc_status = serializer->serialize_aead_verify_resp(resp_buf, + plaintext, plaintext_len); +- } + +- crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ } + } + + call_req_set_opstatus(req, psa_status); +diff --git a/components/service/crypto/provider/extension/cipher/cipher_provider.c b/components/service/crypto/provider/extension/cipher/cipher_provider.c +index 8e7a86de..a5dd0371 100644 +--- a/components/service/crypto/provider/extension/cipher/cipher_provider.c ++++ b/components/service/crypto/provider/extension/cipher/cipher_provider.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -283,9 +283,9 @@ static rpc_status_t cipher_finish_handler(void *context, struct call_req* req) + + struct call_param_buf *resp_buf = call_req_get_resp_buf(req); + rpc_status = serializer->serialize_cipher_finish_resp(resp_buf, output, output_len); +- } + +- crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ } + } + + call_req_set_opstatus(req, psa_status); +diff --git a/components/service/crypto/provider/extension/hash/hash_provider.c b/components/service/crypto/provider/extension/hash/hash_provider.c +index 2c560513..fd39d440 100644 +--- a/components/service/crypto/provider/extension/hash/hash_provider.c ++++ b/components/service/crypto/provider/extension/hash/hash_provider.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -179,9 +179,9 @@ static rpc_status_t hash_finish_handler(void *context, struct call_req* req) + + struct call_param_buf *resp_buf = call_req_get_resp_buf(req); + rpc_status = serializer->serialize_hash_finish_resp(resp_buf, hash, hash_len); +- } + +- crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ } + } + + call_req_set_opstatus(req, psa_status); +diff --git a/components/service/crypto/provider/extension/mac/mac_provider.c b/components/service/crypto/provider/extension/mac/mac_provider.c +index 96fe4cf3..eef55586 100644 +--- a/components/service/crypto/provider/extension/mac/mac_provider.c ++++ b/components/service/crypto/provider/extension/mac/mac_provider.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ +@@ -181,9 +181,9 @@ static rpc_status_t mac_sign_finish_handler(void *context, struct call_req* req) + + struct call_param_buf *resp_buf = call_req_get_resp_buf(req); + rpc_status = serializer->serialize_mac_sign_finish_resp(resp_buf, mac, mac_len); +- } + +- crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ } + } + + call_req_set_opstatus(req, psa_status); +@@ -220,7 +220,10 @@ static rpc_status_t mac_verify_finish_handler(void *context, struct call_req* re + + psa_status = psa_mac_verify_finish(&crypto_context->op.mac, mac, mac_len); + +- crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ if (psa_status == PSA_SUCCESS) { ++ ++ crypto_context_pool_free(&this_instance->context_pool, crypto_context); ++ } + } + + call_req_set_opstatus(req, psa_status); +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0041-Abort-AEAD-operation-if-client-provided-buffer-is-to.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0041-Abort-AEAD-operation-if-client-provided-buffer-is-to.patch new file mode 100644 index 00000000..84f71e51 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0041-Abort-AEAD-operation-if-client-provided-buffer-is-to.patch @@ -0,0 +1,50 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From c0549d9949d9c19a120b7bde3409201a5db8f2b2 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Wed, 16 Feb 2022 11:36:09 +0000 +Subject: [PATCH 09/15] Abort AEAD operation if client provided buffer is too + small + +To enable PSA Arch test c258 to pass, handling is added in the +PSA API client adaptor for AEAD (psa_aead.c) to abort an AEAD +operation if an update operation is performed but the client +provided buffer for the output is too small. + +Signed-off-by: Julian Hall +Change-Id: Ib4b26ebc0a83a8928e1b643fba4becd935f6deb0 +--- + components/service/crypto/client/psa/psa_aead.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c +index 559eb6a3..c820d222 100644 +--- a/components/service/crypto/client/psa/psa_aead.c ++++ b/components/service/crypto/client/psa/psa_aead.c +@@ -74,10 +74,22 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation, + size_t output_size, + size_t *output_length) + { +- return crypto_caller_aead_update(&psa_crypto_client_instance.base, ++ psa_status_t status = crypto_caller_aead_update(&psa_crypto_client_instance.base, + operation->handle, + input, input_length, + output, output_size, output_length); ++ ++ /* ++ * If too small a buffer has been provided for the output, the operation ++ * state will have been updated but the result can't be put anywhere. This ++ * is an unrecoveral condition so abort the operation. ++ */ ++ if (status == PSA_ERROR_BUFFER_TOO_SMALL) { ++ ++ psa_aead_abort(operation); ++ } ++ ++ return status; + } + + psa_status_t psa_aead_finish(psa_aead_operation_t *operation, +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0042-Peg-to-updated-t_cose-version-fc3a4b2c.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0042-Peg-to-updated-t_cose-version-fc3a4b2c.patch new file mode 100644 index 00000000..8ba59e0a --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0042-Peg-to-updated-t_cose-version-fc3a4b2c.patch @@ -0,0 +1,95 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 9fb18f0cfba8f97fa71a5e7e7e3e31a43692a8e0 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Tue, 11 Jan 2022 09:43:52 +0000 +Subject: [PATCH 10/15] Peg to updated t_cose version fc3a4b2c + +The current version of TS fails to build due to a regression introduced +by a new t_cose version in the upstream project. +The issue is caused by the t_cose external component incorrectly using +tip of master as the upstream version id, which makes strict dependency +control impossible. Change the upstream version id to an SHA, to enable +controlling compatibility issues introduced by future upstream updates. + +At the same time update the dependency to the current latest version. +The upstream project is now compatile with mbedtls 3.0.0 API changes +so the previously required compatibility patch has been removed. + +Signed-off-by: Julian Hall +Change-Id: I9491a5210904cc369846da2af45b0f7e5913bed8 +--- + .../0002-add-tls3_0_0-compatibility.patch | 31 ------------------- + external/t_cose/t_cose.cmake | 5 ++- + 2 files changed, 2 insertions(+), 34 deletions(-) + delete mode 100644 external/t_cose/0002-add-tls3_0_0-compatibility.patch + +diff --git a/external/t_cose/0002-add-tls3_0_0-compatibility.patch b/external/t_cose/0002-add-tls3_0_0-compatibility.patch +deleted file mode 100644 +index 20a7d131..00000000 +--- a/external/t_cose/0002-add-tls3_0_0-compatibility.patch ++++ /dev/null +@@ -1,31 +0,0 @@ +-diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c +-index 49c5b60..3aa7b58 100644 +---- a/crypto_adapters/t_cose_psa_crypto.c +-+++ b/crypto_adapters/t_cose_psa_crypto.c +-@@ -99,7 +99,7 @@ static enum t_cose_err_t psa_status_to_t_cose_error_signing(psa_status_t err) +- err == PSA_ERROR_INVALID_SIGNATURE ? T_COSE_ERR_SIG_VERIFY : +- err == PSA_ERROR_NOT_SUPPORTED ? T_COSE_ERR_UNSUPPORTED_SIGNING_ALG: +- err == PSA_ERROR_INSUFFICIENT_MEMORY ? T_COSE_ERR_INSUFFICIENT_MEMORY : +-- err == PSA_ERROR_TAMPERING_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED : +-+ err == PSA_ERROR_CORRUPTION_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED : +- T_COSE_ERR_SIG_FAIL; +- } +- +-@@ -152,7 +152,7 @@ t_cose_crypto_pub_key_verify(int32_t cose_algorithm_id, +- * Crypto ceases providing backwards compatibility then this code +- * has to be changed to use psa_verify_hash(). +- */ +-- psa_result = psa_asymmetric_verify(verification_key_psa, +-+ psa_result = psa_verify_hash(verification_key_psa, +- psa_alg_id, +- hash_to_verify.ptr, +- hash_to_verify.len, +-@@ -212,7 +212,7 @@ t_cose_crypto_pub_key_sign(int32_t cose_algorithm_id, +- * providing backwards compatibility then this code has to be +- * changed to use psa_sign_hash(). +- */ +-- psa_result = psa_asymmetric_sign(signing_key_psa, +-+ psa_result = psa_sign_hash(signing_key_psa, +- psa_alg_id, +- hash_to_sign.ptr, +- hash_to_sign.len, +diff --git a/external/t_cose/t_cose.cmake b/external/t_cose/t_cose.cmake +index 660824bd..9321466f 100644 +--- a/external/t_cose/t_cose.cmake ++++ b/external/t_cose/t_cose.cmake +@@ -1,5 +1,5 @@ + #------------------------------------------------------------------------------- +-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved. + # + # SPDX-License-Identifier: BSD-3-Clause + # +@@ -16,7 +16,7 @@ endif() + + # External component details + set(T_COSE_URL "https://github.com/laurencelundblade/t_cose.git" CACHE STRING "t_cose repository URL") +-set(T_COSE_REFSPEC "master" CACHE STRING "t_cose git refspec") ++set(T_COSE_REFSPEC "fc3a4b2c7196ff582e8242de8bd4a1bc4eec577f" CACHE STRING "t_cose git refspec") + set(T_COSE_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/t_cose_install" CACHE PATH "t_cose installation directory") + set(T_COSE_PACKAGE_PATH "${T_COSE_INSTALL_PATH}/libt_cose/cmake" CACHE PATH "t_cose CMake package directory") + +@@ -37,7 +37,6 @@ FetchContent_Declare( + + PATCH_COMMAND git stash + COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-add-install-definition.patch +- COMMAND git apply ${CMAKE_CURRENT_LIST_DIR}/0002-add-tls3_0_0-compatibility.patch + COMMAND git reset HEAD~1 + + ) +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0043-pass-sysroot_yocto.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0043-pass-sysroot_yocto.patch new file mode 100644 index 00000000..5b2b7ce7 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0043-pass-sysroot_yocto.patch @@ -0,0 +1,111 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 386a086debf70f739a7dfc0bdce9c4f1053ba8d5 Mon Sep 17 00:00:00 2001 +From: Vishnu Banavath +Date: Wed, 16 Feb 2022 15:55:55 +0000 +Subject: [PATCH 11/15] pass sysroot_yocto + +--- + deployments/libts/libts-import.cmake | 3 +++ + external/MbedTLS/MbedTLS.cmake | 1 + + external/psa_arch_tests/psa_arch_tests.cmake | 25 +++++++++++++------- + 3 files changed, 20 insertions(+), 9 deletions(-) + +diff --git a/deployments/libts/libts-import.cmake b/deployments/libts/libts-import.cmake +index 792ba86c..b900ce3f 100644 +--- a/deployments/libts/libts-import.cmake ++++ b/deployments/libts/libts-import.cmake +@@ -27,9 +27,12 @@ set(LIBTS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libts-build" CACHE PATH + + file(MAKE_DIRECTORY ${LIBTS_BINARY_DIR}) + ++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${SYSROOT_YOCTO}") ++ + #Configure the library + execute_process(COMMAND + ${CMAKE_COMMAND} ++ -DCMAKE_SYSROOT=${SYSROOT_YOCTO} + -DCMAKE_INSTALL_PREFIX=${LIBTS_INSTALL_PATH} + -GUnix\ Makefiles + ${LIBTS_SOURCE_DIR} +diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake +index 3350d8a0..33467cf0 100644 +--- a/external/MbedTLS/MbedTLS.cmake ++++ b/external/MbedTLS/MbedTLS.cmake +@@ -103,6 +103,7 @@ if (NOT MBEDCRYPTO_LIB_FILE) + execute_process(COMMAND + ${CMAKE_COMMAND} -E env CROSS_COMPILE=${CROSS_COMPILE} + ${CMAKE_COMMAND} ++ -DCMAKE_SYSROOT=${SYSROOT_YOCTO} + -DENABLE_PROGRAMS=OFF + -DENABLE_TESTING=OFF + -DUNSAFE_BUILD=ON +diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake +index f6d2fb9f..42f73a37 100644 +--- a/external/psa_arch_tests/psa_arch_tests.cmake ++++ b/external/psa_arch_tests/psa_arch_tests.cmake +@@ -5,30 +5,33 @@ + # + #------------------------------------------------------------------------------- + +-# Temporarily using modified tests used for tf-m verification ++# Determine the number of processes to run while running parallel builds. ++# Pass -DPROCESSOR_COUNT= to cmake to override. ++if(NOT DEFINED PROCESSOR_COUNT) ++ include(ProcessorCount) ++ ProcessorCount(PROCESSOR_COUNT) ++ set(PROCESSOR_COUNT ${PROCESSOR_COUNT} CACHE STRING "Number of cores to use for parallel builds.") ++endif() ++ + set(PSA_ARCH_TESTS_URL "https://github.com/bensze01/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL") + set(PSA_ARCH_TESTS_REFSPEC "fix-multipart-aead" CACHE STRING "psa-arch-tests git refspec") +- +-#set(PSA_ARCH_TESTS_URL "https://github.com/ARM-software/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL") +-#set(PSA_ARCH_TESTS_REFSPEC "2a1852252a9b9af655cbe02d5d3c930952d0d798" CACHE STRING "psa-arch-tests v22.01_API1.4_ADAC_BETA") + set(PSA_ARCH_TESTS_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/psa-arch-tests_install" CACHE PATH "psa-arch-tests installation directory") + set(PSA_ARCH_TESTS_PACKAGE_PATH "${PSA_ARCH_TESTS_INSTALL_PATH}/libpsa-arch-tests/cmake" CACHE PATH "psa-arch-tests CMake package directory") +-set(PSA_ARCH_TESTS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/psa_arch_tests-src" CACHE PATH "psa-arch-tests source.") ++ ++include(FetchContent) + + # Checking git + find_program(GIT_COMMAND "git") + if (NOT GIT_COMMAND) + message(FATAL_ERROR "Please install git") + endif() +- ++if ("${PSA_ARCH_TESTS_PATH}" STREQUAL "DOWNLOAD") + # Fetching psa-arch-tests + FetchContent_Declare( + psa-arch-tests + GIT_REPOSITORY ${PSA_ARCH_TESTS_URL} + GIT_TAG ${PSA_ARCH_TESTS_REFSPEC} + GIT_SHALLOW TRUE +- PATCH_COMMAND git stash +- COMMAND git apply ${CMAKE_CURRENT_LIST_DIR}/modify_attest_config.patch + ) + + # FetchContent_GetProperties exports psa-arch-tests_SOURCE_DIR and psa-arch-tests_BINARY_DIR variables +@@ -37,7 +40,10 @@ if(NOT psa-arch-tests_POPULATED) + message(STATUS "Fetching psa-arch-tests") + FetchContent_Populate(psa-arch-tests) + endif() +- ++else() ++ set(psa-arch-tests_SOURCE_DIR "${TS_ROOT}/../psa-arch-tests") ++ set(psa-arch-tests_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}") ++endif() + # Ensure list of include paths is separated correctly + string(REPLACE ";" "\\;" PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS "${PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS}") + +@@ -47,6 +53,7 @@ string(REPLACE ";" " " PSA_ARCH_TEST_EXTERNAL_DEFS "${PSA_ARCH_TEST_EXTERNAL_DEF + # Configure the psa-arch-test library + execute_process(COMMAND + ${CMAKE_COMMAND} ++ -DCMAKE_SYSROOT=${SYSROOT_YOCTO} + -DTOOLCHAIN=INHERIT + -DCMAKE_TOOLCHAIN_FILE=${TS_EXTERNAL_LIB_TOOLCHAIN_FILE} + -DPSA_INCLUDE_PATHS=${PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS} +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0044-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0044-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch new file mode 100644 index 00000000..94a184e2 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0044-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch @@ -0,0 +1,30 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 8bb6a36a36defc9e6cc234404276bf5fea8e8ad4 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Sun, 13 Feb 2022 09:01:10 +0000 +Subject: [PATCH 12/15] Fix: Crypto interface structure aligned with tf-m + change. + +NO NEED TO RAISE PR: The PR for this FIX is raied by Emek. +--- + components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h +index c13c20e8..ec25eaf8 100644 +--- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h ++++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h +@@ -38,7 +38,8 @@ struct psa_ipc_crypto_pack_iovec { + * multipart operation + */ + uint32_t capacity; /*!< Key derivation capacity */ +- ++ uint32_t ad_length; /*!< Additional Data length for multipart AEAD */ ++ uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */ + struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for + * AEAD until the API is + * restructured +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0045-Integrate-remaining-psa-ipc-client-APIs.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0045-Integrate-remaining-psa-ipc-client-APIs.patch new file mode 100644 index 00000000..0213b86a --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0045-Integrate-remaining-psa-ipc-client-APIs.patch @@ -0,0 +1,494 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 0469b4650bb011ec157286dbae0f1cef5cbfbe41 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Sun, 13 Feb 2022 09:49:51 +0000 +Subject: [PATCH 13/15] Integrate remaining psa-ipc client APIs. + +Signed-off-by: Satish Kumar +--- + .../caller/psa_ipc/crypto_caller_aead.h | 297 +++++++++++++++++- + .../caller/psa_ipc/crypto_caller_sign_hash.h | 35 +++ + .../psa_ipc/crypto_caller_verify_hash.h | 33 +- + 3 files changed, 352 insertions(+), 13 deletions(-) + +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h +index 78517fe3..9c64fe62 100644 +--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h +@@ -152,7 +152,27 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup( + psa_key_id_t key, + psa_algorithm_t alg) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, ++ .key_id = key, ++ .alg = alg, ++ .op_handle = (*op_handle), ++ }; ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)} ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)} ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; + } + + static inline psa_status_t crypto_caller_aead_decrypt_setup( +@@ -161,7 +181,26 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup( + psa_key_id_t key, + psa_algorithm_t alg) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, ++ .key_id = key, ++ .alg = alg, ++ .op_handle = (*op_handle), ++ }; ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)} ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)} ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ return status; + } + + static inline psa_status_t crypto_caller_aead_generate_nonce( +@@ -171,7 +210,27 @@ static inline psa_status_t crypto_caller_aead_generate_nonce( + size_t nonce_size, + size_t *nonce_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, ++ .op_handle = op_handle, ++ }; ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, ++ {.base = psa_ptr_to_u32(nonce), .len = nonce_size} ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *nonce_length = out_vec[1].len; ++ return status; + } + + static inline psa_status_t crypto_caller_aead_set_nonce( +@@ -180,7 +239,25 @@ static inline psa_status_t crypto_caller_aead_set_nonce( + const uint8_t *nonce, + size_t nonce_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID, ++ .op_handle = op_handle, ++ }; ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ {.base = psa_ptr_to_u32(nonce), .len = nonce_length} ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ return status; + } + + static inline psa_status_t crypto_caller_aead_set_lengths( +@@ -189,7 +266,27 @@ static inline psa_status_t crypto_caller_aead_set_lengths( + size_t ad_length, + size_t plaintext_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID, ++ .ad_length = ad_length, ++ .plaintext_length = plaintext_length, ++ .op_handle = op_handle, ++ }; ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; + } + + static inline psa_status_t crypto_caller_aead_update_ad( +@@ -198,7 +295,35 @@ static inline psa_status_t crypto_caller_aead_update_ad( + const uint8_t *input, + size_t input_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID, ++ .op_handle = op_handle, ++ }; ++ ++ /* Sanitize the optional input */ ++ if ((input == NULL) && (input_length != 0)) { ++ return PSA_ERROR_INVALID_ARGUMENT; ++ } ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ {.base = psa_ptr_const_to_u32(input), .len = input_length} ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)} ++ }; ++ ++ size_t in_len = IOVEC_LEN(in_vec); ++ ++ if (input == NULL) { ++ in_len--; ++ } ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ in_len, out_vec, IOVEC_LEN(out_vec)); ++ return status; + } + + static inline psa_status_t crypto_caller_aead_update( +@@ -210,7 +335,38 @@ static inline psa_status_t crypto_caller_aead_update( + size_t output_size, + size_t *output_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID, ++ .op_handle = op_handle, ++ }; ++ ++ /* Sanitize the optional input */ ++ if ((input == NULL) && (input_length != 0)) { ++ return PSA_ERROR_INVALID_ARGUMENT; ++ } ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ {.base = psa_ptr_const_to_u32(input), .len = input_length} ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, ++ {.base = psa_ptr_const_to_u32(output), .len = output_size}, ++ }; ++ ++ size_t in_len = IOVEC_LEN(in_vec); ++ ++ if (input == NULL) { ++ in_len--; ++ } ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ in_len, out_vec, IOVEC_LEN(out_vec)); ++ ++ *output_length = out_vec[1].len; ++ return status; + } + + static inline psa_status_t crypto_caller_aead_finish( +@@ -223,7 +379,48 @@ static inline psa_status_t crypto_caller_aead_finish( + size_t tag_size, + size_t *tag_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID, ++ .op_handle = op_handle, ++ }; ++ ++ /* Sanitize the optional output */ ++ if ((aeadtext == NULL) && (aeadtext_size != 0)) { ++ return PSA_ERROR_INVALID_ARGUMENT; ++ } ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, ++ {.base = psa_ptr_const_to_u32(tag), .len = tag_size}, ++ {.base = psa_ptr_const_to_u32(aeadtext), .len = aeadtext_size} ++ }; ++ ++ size_t out_len = IOVEC_LEN(out_vec); ++ ++ if (aeadtext == NULL || aeadtext_size == 0) { ++ out_len--; ++ } ++ if ((out_len == 3) && (aeadtext_length == NULL)) { ++ return PSA_ERROR_INVALID_ARGUMENT; ++ } ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, out_len); ++ ++ *tag_length = out_vec[1].len; ++ ++ if (out_len == 3) { ++ *aeadtext_length = out_vec[2].len; ++ } else { ++ *aeadtext_length = 0; ++ } ++ return status; + } + + static inline psa_status_t crypto_caller_aead_verify( +@@ -235,14 +432,94 @@ static inline psa_status_t crypto_caller_aead_verify( + const uint8_t *tag, + size_t tag_length) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID, ++ .op_handle = op_handle, ++ }; ++ ++ /* Sanitize the optional output */ ++ if ((plaintext == NULL) && (plaintext_size != 0)) { ++ return PSA_ERROR_INVALID_ARGUMENT; ++ } ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ {.base = psa_ptr_const_to_u32(tag), .len = tag_length} ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, ++ {.base = psa_ptr_const_to_u32(plaintext), .len = plaintext_size}, ++ }; ++ ++ size_t out_len = IOVEC_LEN(out_vec); ++ ++ if (plaintext == NULL || plaintext_size == 0) { ++ out_len--; ++ } ++ if ((out_len == 2) && (plaintext_length == NULL)) { ++ return PSA_ERROR_INVALID_ARGUMENT; ++ } ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, out_len); ++ ++ if (out_len == 2) { ++ *plaintext_length = out_vec[1].len; ++ } else { ++ *plaintext_length = 0; ++ } ++ return status; + } + + static inline psa_status_t crypto_caller_aead_abort( + struct service_client *context, + uint32_t op_handle) + { +- return PSA_ERROR_NOT_SUPPORTED; ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID, ++ .op_handle = op_handle, ++ }; ++ ++ struct psa_invec in_vec[] = { ++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}, ++ }; ++ struct psa_outvec out_vec[] = { ++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ return status; ++} ++ ++static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes that may be ++ * carried as a parameter of the mac_update operation ++ * using the packed-c encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = iov_size; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; ++} ++ ++static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes that may be ++ * carried as a parameter of the mac_update operation ++ * using the packed-c encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = iov_size; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; + } + + #ifdef __cplusplus +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h +index 71d88ced..e4a2b167 100644 +--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h +@@ -57,6 +57,41 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex + return status; + } + ++static inline psa_status_t crypto_caller_sign_message(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, ++ size_t hash_length, ++ uint8_t *signature, ++ size_t signature_size, ++ size_t *signature_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID, ++ .key_id = id, ++ .alg = alg, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(signature), .len = signature_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *signature_length = out_vec[0].len; ++ ++ return status; ++} ++ ++ ++ + #ifdef __cplusplus + } + #endif +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h +index e16f6e54..cc9279ee 100644 +--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h +@@ -24,19 +24,20 @@ + extern "C" { + #endif + +-static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, ++static inline psa_status_t crypto_caller_common(struct service_client *context, + psa_key_id_t id, + psa_algorithm_t alg, + const uint8_t *hash, + size_t hash_length, + const uint8_t *signature, +- size_t signature_length) ++ size_t signature_length, ++ uint32_t sfn_id) + { + struct service_client *ipc = context; + struct rpc_caller *caller = ipc->caller; + psa_status_t status; + struct psa_ipc_crypto_pack_iovec iov = { +- .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID, ++ .sfn_id = sfn_id, + .key_id = id, + .alg = alg, + }; +@@ -52,6 +53,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont + return status; + } + ++static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, ++ size_t hash_length, ++ const uint8_t *signature, ++ size_t signature_length) ++{ ++ ++ return crypto_caller_common(context,id,alg,hash,hash_length, ++ signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID); ++} ++ ++static inline psa_status_t crypto_caller_verify_message(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, ++ size_t hash_length, ++ const uint8_t *signature, ++ size_t signature_length) ++{ ++ ++ return crypto_caller_common(context,id,alg,hash,hash_length, ++ signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID); ++} ++ + #ifdef __cplusplus + } + #endif +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0046-Fix-update-psa_set_key_usage_flags-definition-to-the.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0046-Fix-update-psa_set_key_usage_flags-definition-to-the.patch new file mode 100644 index 00000000..96965fef --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0046-Fix-update-psa_set_key_usage_flags-definition-to-the.patch @@ -0,0 +1,40 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From b3529f7a5bc1cff193fd0887c0f78348ef6043a4 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Mon, 14 Feb 2022 17:52:00 +0000 +Subject: [PATCH 14/15] Fix : update psa_set_key_usage_flags definition to the + latest from the tf-m + +Signed-off-by: Satish Kumar +--- + components/service/crypto/include/psa/crypto_struct.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/components/service/crypto/include/psa/crypto_struct.h b/components/service/crypto/include/psa/crypto_struct.h +index 1bc55e37..b4a7ed4b 100644 +--- a/components/service/crypto/include/psa/crypto_struct.h ++++ b/components/service/crypto/include/psa/crypto_struct.h +@@ -155,9 +155,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime( + return( attributes->lifetime ); + } + ++static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags ) ++{ ++ if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH ) ++ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE; ++ ++ if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH ) ++ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE; ++} ++ + static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, + psa_key_usage_t usage_flags) + { ++ psa_extend_key_usage_flags( &usage_flags ); + attributes->usage = usage_flags; + } + +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0047-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0047-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch new file mode 100644 index 00000000..6e309bfb --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0047-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch @@ -0,0 +1,120 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 500a359b65398d0a272a474566659fd5a21f44ff Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Mon, 14 Feb 2022 08:22:25 +0000 +Subject: [PATCH 15/15] Fixes in AEAD for psa-arch test 54 and 58. + +Signed-off-by: Satish Kumar +--- + .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 + + components/service/crypto/include/psa/crypto_sizes.h | 2 +- + .../crypto/provider/extension/aead/aead_provider.c | 8 ++++++-- + .../extension/aead/serializer/aead_provider_serializer.h | 1 + + .../packed-c/packedc_aead_provider_serializer.c | 2 ++ + protocols/service/crypto/packed-c/aead.h | 1 + + 6 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +index c4ffb20c..a91f66c1 100644 +--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h ++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h +@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont + size_t req_len = req_fixed_len; + + *output_length = 0; ++ req_msg.output_size = output_size; + req_msg.op_handle = op_handle; + + /* Mandatory input data parameter */ +diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h +index 4d7bf6e9..e3c4df29 100644 +--- a/components/service/crypto/include/psa/crypto_sizes.h ++++ b/components/service/crypto/include/psa/crypto_sizes.h +@@ -351,7 +351,7 @@ + * just the largest size that may be generated by + * #psa_aead_generate_nonce(). + */ +-#define PSA_AEAD_NONCE_MAX_SIZE 12 ++#define PSA_AEAD_NONCE_MAX_SIZE 16 + + /** A sufficient output buffer size for psa_aead_update(). + * +diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c +index 14a25436..6b144db8 100644 +--- a/components/service/crypto/provider/extension/aead/aead_provider.c ++++ b/components/service/crypto/provider/extension/aead/aead_provider.c +@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) + uint32_t op_handle; + const uint8_t *input; + size_t input_len; ++ uint32_t recv_output_size; + + if (serializer) + rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle, +- &input, &input_len); ++ &recv_output_size, &input, &input_len); + + if (rpc_status == TS_RPC_CALL_ACCEPTED) { + +@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req) + if (crypto_context) { + + size_t output_len = 0; +- size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len); ++ size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24); + uint8_t *output = malloc(output_size); + ++ if (recv_output_size < output_size) { ++ output_size = recv_output_size; ++ } + if (output) { + + psa_status = psa_aead_update(&crypto_context->op.aead, +diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h +index bb1a2a97..0156aaba 100644 +--- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h ++++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h +@@ -51,6 +51,7 @@ struct aead_provider_serializer { + /* Operation: aead_update */ + rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf, + uint32_t *op_handle, ++ uint32_t *output_size, + const uint8_t **input, size_t *input_len); + + rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf, +diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c +index 6f00b3e3..45c739ab 100644 +--- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c ++++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c +@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf * + /* Operation: aead_update */ + static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf, + uint32_t *op_handle, ++ uint32_t *output_size, + const uint8_t **input, size_t *input_len) + { + rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY; +@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req + memcpy(&recv_msg, req_buf->data, expected_fixed_len); + + *op_handle = recv_msg.op_handle; ++ *output_size = recv_msg.output_size; + + tlv_const_iterator_begin(&req_iter, + (uint8_t*)req_buf->data + expected_fixed_len, +diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h +index 0be266b5..435fd3b5 100644 +--- a/protocols/service/crypto/packed-c/aead.h ++++ b/protocols/service/crypto/packed-c/aead.h +@@ -98,6 +98,7 @@ enum + struct __attribute__ ((__packed__)) ts_crypto_aead_update_in + { + uint32_t op_handle; ++ uint32_t output_size; + }; + + /* Variable length input parameter tags */ +-- +2.25.1 diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 0c8a8f6c..58bd6dcb 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -6,10 +6,11 @@ LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6b file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f \ file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e1413585ecbf \ file://../libmetal/LICENSE.md;md5=fe0b8a4beea8f0813b606d15a3df3d3c \ + file://../psa-arch-tests/LICENSE.md;md5=2a944942e1496af1886903d274dedb13 \ " SRC_URI:append = " \ - ${SRC_URI_MBEDTLS} ${SRC_URI_NANOPB} ${SRC_URI_OPENAMP} ${SRC_URI_LIBMETAL} \ + ${SRC_URI_MBEDTLS} ${SRC_URI_NANOPB} ${SRC_URI_OPENAMP} ${SRC_URI_LIBMETAL} ${SRC_URI_ARCH-TESTS}\ file://0001-tools-cmake-common-applying-lowercase-project-convention.patch \ file://0002-fix-EARLY_TA_PATHS-env-variable.patch \ file://0003-se-proxy-dts-add-se-proxy-as-child-node.patch \ @@ -42,6 +43,22 @@ SRC_URI:append = " \ file://0030-Add-missing-features-to-setVariable.patch \ file://0031-Add-invalid-parameter-check-in-getNextVariableName.patch \ file://0032-smm_gateway-add-checks-for-null-attributes.patch \ + file://0033-Enhance-mbedtls-fetch-process.patch \ + file://0034-Fix-format-specifier-in-logging_caller.patch \ + file://0035-Update-refspecs-for-mbedtls-and-psa-arch-tests-for-v.patch \ + file://0036-Separate-sign-verify-message-and-hash-operations.patch \ + file://0037-Add-defence-against-uninitialised-multi-part-transac.patch \ + file://0038-Integrate-AEAD-operation-support.patch \ + file://0039-Add-IV-generation-to-one-shot-cipher-operation.patch \ + file://0040-Fix-multi-part-termination-on-error.patch \ + file://0041-Abort-AEAD-operation-if-client-provided-buffer-is-to.patch \ + file://0042-Peg-to-updated-t_cose-version-fc3a4b2c.patch \ + file://0043-pass-sysroot_yocto.patch \ + file://0044-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch \ + file://0045-Integrate-remaining-psa-ipc-client-APIs.patch \ + file://0046-Fix-update-psa_set_key_usage_flags-definition-to-the.patch \ + file://0047-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch \ + file://0003-corstone1000-port-crypto-config.patch;patchdir=../psa-arch-tests \ " SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=development;name=mbedtls;destsuffix=git/mbedtls" @@ -56,6 +73,9 @@ SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d" SRC_URI_LIBMETAL = "git://github.com/OpenAMP/libmetal.git;name=libmetal;protocol=https;branch=main;destsuffix=git/libmetal" SRCREV_libmetal = "f252f0e007fbfb8b3a52b1d5901250ddac96baad" +SRC_URI_ARCH-TESTS = "git://github.com/bensze01/psa-arch-tests.git;name=psa-arch-tests;protocol=https;nobranch=1;destsuffix=git/psa-arch-tests" +SRCREV_psa-arch-tests = "fix-multipart-aead" + TS_ENVIRONMENT_LINUX = "arm-linux" TS_PLATFORM = "arm/corstone1000" TS_ENVIRONMENT = "opteesp"