From patchwork Tue Dec 14 11:07:23 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1474 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 95FA2C433EF for ; Tue, 14 Dec 2021 11:07:42 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.24307.1639480061755950526 for ; Tue, 14 Dec 2021 03:07:42 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 64D50106F; Tue, 14 Dec 2021 03:07:41 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 5B9C43F5A1; Tue, 14 Dec 2021 03:07:40 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Satish Kumar Subject: [PATCH 1/9] arm-bsp/secure-partitions: fixes required to run psa-arch-test Date: Tue, 14 Dec 2021 11:07:23 +0000 Message-Id: <20211214110731.9081-2-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:42 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2679 From: Satish Kumar Fixes needed to run psa-arch-test Change-Id: Iba090e151298a216f8f1bf81a72bba4587bec389 Signed-off-by: Satish Kumar --- .../0019-Run-psa-arch-test.patch | 87 +++++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 88 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0019-Run-psa-arch-test.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0019-Run-psa-arch-test.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0019-Run-psa-arch-test.patch new file mode 100644 index 0000000..f471d33 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0019-Run-psa-arch-test.patch @@ -0,0 +1,87 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Satish Kumar + +From 0059e7e18bff28a29c4f8a043d7f3d6d2b98ba7f Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Sun, 12 Dec 2021 10:43:48 +0000 +Subject: [PATCH 1/5] Run psa-arch-test + +Fixes needed to run psa-arch-test + +Signed-off-by: Satish Kumar +--- + components/service/common/psa_ipc/service_psa_ipc.c | 1 + + .../backend/secure_storage_ipc/secure_storage_ipc.c | 8 -------- + .../service/secure_storage/include/psa/storage_common.h | 4 ++-- + external/openamp/openamp.cmake | 2 +- + 4 files changed, 4 insertions(+), 11 deletions(-) + +diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c +index 95a07c1..5e5815d 100644 +--- a/components/service/common/psa_ipc/service_psa_ipc.c ++++ b/components/service/common/psa_ipc/service_psa_ipc.c +@@ -185,6 +185,7 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, + resp_msg->params.out_vec); + + for (i = 0; i < resp_msg->params.out_len; i++) { ++ out_vec[i].len = out_vec_param[i].len; + memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), + out_vec[i].len); + } +diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c +index 9b55f77..a1f369d 100644 +--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c ++++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c +@@ -31,10 +31,6 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, + + ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; + +- /* Validating input parameters */ +- if (p_data == NULL) +- return PSA_ERROR_INVALID_ARGUMENT; +- + psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, + TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); + if (psa_status < 0) +@@ -96,10 +92,6 @@ static psa_status_t secure_storage_ipc_get_info(void *context, + + (void)client_id; + +- /* Validating input parameters */ +- if (!p_info) +- return PSA_ERROR_INVALID_ARGUMENT; +- + psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, + TFM_PS_GET_INFO, in_vec, + IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); +diff --git a/components/service/secure_storage/include/psa/storage_common.h b/components/service/secure_storage/include/psa/storage_common.h +index 4f6ba2a..1fd6b40 100644 +--- a/components/service/secure_storage/include/psa/storage_common.h ++++ b/components/service/secure_storage/include/psa/storage_common.h +@@ -20,8 +20,8 @@ typedef uint64_t psa_storage_uid_t; + typedef uint32_t psa_storage_create_flags_t; + + struct psa_storage_info_t { +- size_t capacity; +- size_t size; ++ uint32_t capacity; ++ uint32_t size; + psa_storage_create_flags_t flags; + }; + +diff --git a/external/openamp/openamp.cmake b/external/openamp/openamp.cmake +index aae13ba..75ab229 100644 +--- a/external/openamp/openamp.cmake ++++ b/external/openamp/openamp.cmake +@@ -61,7 +61,7 @@ execute_process(COMMAND + -DCMAKE_SYSTEM_PROCESSOR=arm + -DEXTERNAL_INCLUDE_PATHS=${OPENAMP_EXTERNAL_INCLUDE_PATHS} + -DMACHINE=template +- -DRPMSG_BUFFER_SIZE=512 ++ -DRPMSG_BUFFER_SIZE=8192 + ${openamp_SOURCE_DIR} + WORKING_DIRECTORY + ${openamp_BINARY_DIR} +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index e7165d5..80cc8dc 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -29,6 +29,7 @@ SRC_URI:append = " \ file://0016-Add-uefi-test-deployment.patch \ file://0017-Fix-interface-ID-parameter-setting-in-sp-ffarpc_call.patch \ file://0018-Support-FFARPC-call-requests-with-no-shared-buffer.patch \ + file://0019-Run-psa-arch-test.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto" From patchwork Tue Dec 14 11:07:24 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1475 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 785ECC4332F for ; Tue, 14 Dec 2021 11:07:44 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.24308.1639480063616663350 for ; Tue, 14 Dec 2021 03:07:44 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3E30D6D; Tue, 14 Dec 2021 03:07:43 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C4B553F5A1; Tue, 14 Dec 2021 03:07:41 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Satish Kumar , Rui Miguel Silva Subject: [PATCH 2/9] arm-bsp/secure-partitions: corstone1000: Use address instead of pointers Date: Tue, 14 Dec 2021 11:07:24 +0000 Message-Id: <20211214110731.9081-3-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:44 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2680 From: Satish Kumar Since secure enclave is 32bit and we 64bit there is an issue in the protocol communication design that force us to handle on our side the manipulation of address and pointers to make this work. Change-Id: Icb29fdec6928dba6da7e845b3a13d8a3560c5fe1 Signed-off-by: Rui Miguel Silva Signed-off-by: Satish Kumar --- ...0020-Use-address-instead-of-pointers.patch | 170 ++++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 171 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0020-Use-address-instead-of-pointers.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0020-Use-address-instead-of-pointers.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0020-Use-address-instead-of-pointers.patch new file mode 100644 index 0000000..92d39c5 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0020-Use-address-instead-of-pointers.patch @@ -0,0 +1,170 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Satish Kumar + +From 1974cdc2a0a4f3395131570d4080ffc1ddde4990 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Sun, 12 Dec 2021 10:57:17 +0000 +Subject: [PATCH 2/5] Use address instead of pointers + +Since secure enclave is 32bit and we 64bit there is an issue +in the protocol communication design that force us to handle +on our side the manipulation of address and pointers to make +this work. + +Signed-off-by: Rui Miguel Silva +Signed-off-by: Satish Kumar +--- + .../service/common/include/psa/client.h | 15 ++++++++++++++ + .../service/common/psa_ipc/service_psa_ipc.c | 20 ++++++++++++------- + .../secure_storage_ipc/secure_storage_ipc.c | 20 +++++++++---------- + 3 files changed, 38 insertions(+), 17 deletions(-) + +diff --git a/components/service/common/include/psa/client.h b/components/service/common/include/psa/client.h +index 69ccf14..12dcd68 100644 +--- a/components/service/common/include/psa/client.h ++++ b/components/service/common/include/psa/client.h +@@ -81,6 +81,21 @@ struct __attribute__ ((__packed__)) psa_outvec { + uint32_t len; /*!< the size in bytes */ + }; + ++static void *psa_u32_to_ptr(uint32_t addr) ++{ ++ return (void *)(uintptr_t)addr; ++} ++ ++static uint32_t psa_ptr_to_u32(void *ptr) ++{ ++ return (uintptr_t)ptr; ++} ++ ++static uint32_t psa_ptr_const_to_u32(const void *ptr) ++{ ++ return (uintptr_t)ptr; ++} ++ + /*************************** PSA Client API **********************************/ + + /** +diff --git a/components/service/common/psa_ipc/service_psa_ipc.c b/components/service/common/psa_ipc/service_psa_ipc.c +index 5e5815d..435c6c0 100644 +--- a/components/service/common/psa_ipc/service_psa_ipc.c ++++ b/components/service/common/psa_ipc/service_psa_ipc.c +@@ -62,6 +62,11 @@ static size_t psa_call_out_vec_len(const struct psa_outvec *out_vec, size_t out_ + return resp_len; + } + ++static uint32_t psa_virt_to_phys_u32(struct rpc_caller *caller, void *va) ++{ ++ return (uintptr_t)rpc_caller_virt_to_phys(caller, va); ++} ++ + psa_handle_t psa_connect(struct rpc_caller *caller, uint32_t sid, + uint32_t version) + { +@@ -147,20 +152,20 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, + req_msg->params.psa_call_params.handle = psa_handle; + req_msg->params.psa_call_params.type = type; + req_msg->params.psa_call_params.in_len = in_len; +- req_msg->params.psa_call_params.in_vec = rpc_caller_virt_to_phys(caller, in_vec_param); ++ req_msg->params.psa_call_params.in_vec = psa_virt_to_phys_u32(caller, in_vec_param); + req_msg->params.psa_call_params.out_len = out_len; +- req_msg->params.psa_call_params.out_vec = rpc_caller_virt_to_phys(caller, out_vec_param); ++ req_msg->params.psa_call_params.out_vec = psa_virt_to_phys_u32(caller, out_vec_param); + + for (i = 0; i < in_len; i++) { +- in_vec_param[i].base = rpc_caller_virt_to_phys(caller, payload); ++ in_vec_param[i].base = psa_virt_to_phys_u32(caller, payload); + in_vec_param[i].len = in_vec[i].len; + +- memcpy(payload, in_vec[i].base, in_vec[i].len); ++ memcpy(payload, psa_u32_to_ptr(in_vec[i].base), in_vec[i].len); + payload += in_vec[i].len; + } + + for (i = 0; i < out_len; i++) { +- out_vec_param[i].base = NULL; ++ out_vec_param[i].base = 0; + out_vec_param[i].len = out_vec[i].len; + } + +@@ -182,11 +187,12 @@ psa_status_t psa_call(struct rpc_caller *caller, psa_handle_t psa_handle, + goto caller_end; + + out_vec_param = (struct psa_outvec *)rpc_caller_phys_to_virt(caller, +- resp_msg->params.out_vec); ++ psa_u32_to_ptr(resp_msg->params.out_vec)); + + for (i = 0; i < resp_msg->params.out_len; i++) { + out_vec[i].len = out_vec_param[i].len; +- memcpy(out_vec[i].base, rpc_caller_phys_to_virt(caller, out_vec_param[i].base), ++ memcpy(psa_u32_to_ptr(out_vec[i].base), ++ rpc_caller_phys_to_virt(caller, psa_u32_to_ptr(out_vec_param[i].base)), + out_vec[i].len); + } + +diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c +index a1f369d..bda442a 100644 +--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c ++++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c +@@ -22,9 +22,9 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, + psa_handle_t psa_handle; + psa_status_t psa_status; + struct psa_invec in_vec[] = { +- { .base = &uid, .len = sizeof(uid) }, +- { .base = p_data, .len = data_length }, +- { .base = &create_flags, .len = sizeof(create_flags) }, ++ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, ++ { .base = psa_ptr_const_to_u32(p_data), .len = data_length }, ++ { .base = psa_ptr_to_u32(&create_flags), .len = sizeof(create_flags) }, + }; + + (void)client_id; +@@ -53,11 +53,11 @@ static psa_status_t secure_storage_ipc_get(void *context, + psa_status_t psa_status; + uint32_t offset = (uint32_t)data_offset; + struct psa_invec in_vec[] = { +- { .base = &uid, .len = sizeof(uid) }, +- { .base = &offset, .len = sizeof(offset) }, ++ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, ++ { .base = psa_ptr_to_u32(&offset), .len = sizeof(offset) }, + }; + struct psa_outvec out_vec[] = { +- { .base = p_data, .len = data_size }, ++ { .base = psa_ptr_to_u32(p_data), .len = data_size }, + }; + + if (!p_data_length) { +@@ -84,10 +84,10 @@ static psa_status_t secure_storage_ipc_get_info(void *context, + psa_handle_t psa_handle; + psa_status_t psa_status; + struct psa_invec in_vec[] = { +- { .base = &uid, .len = sizeof(uid) }, ++ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, + }; + struct psa_outvec out_vec[] = { +- { .base = p_info, .len = sizeof(*p_info) }, ++ { .base = psa_ptr_to_u32(p_info), .len = sizeof(*p_info) }, + }; + + (void)client_id; +@@ -110,7 +110,7 @@ static psa_status_t secure_storage_ipc_remove(void *context, + psa_handle_t psa_handle; + psa_status_t psa_status; + struct psa_invec in_vec[] = { +- { .base = &uid, .len = sizeof(uid) }, ++ { .base = psa_ptr_to_u32(&uid), .len = sizeof(uid) }, + }; + + (void)client_id; +@@ -164,7 +164,7 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id) + psa_status_t psa_status; + uint32_t support_flags; + struct psa_outvec out_vec[] = { +- { .base = &support_flags, .len = sizeof(support_flags) }, ++ { .base = psa_ptr_to_u32(&support_flags), .len = sizeof(support_flags) }, + }; + + (void)client_id; +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 80cc8dc..6858986 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -30,6 +30,7 @@ SRC_URI:append = " \ file://0017-Fix-interface-ID-parameter-setting-in-sp-ffarpc_call.patch \ file://0018-Support-FFARPC-call-requests-with-no-shared-buffer.patch \ file://0019-Run-psa-arch-test.patch \ + file://0020-Use-address-instead-of-pointers.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto" From patchwork Tue Dec 14 11:07:25 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1476 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8B5F3C433EF for ; Tue, 14 Dec 2021 11:07:46 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.24309.1639480065077048001 for ; Tue, 14 Dec 2021 03:07:45 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id A82C56D; Tue, 14 Dec 2021 03:07:44 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 893E23F5A1; Tue, 14 Dec 2021 03:07:43 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Satish Kumar Subject: [PATCH 3/9] arm-bsp/secure-partitions: corstone1000: Add psa ipc attestation to se proxy Date: Tue, 14 Dec 2021 11:07:25 +0000 Message-Id: <20211214110731.9081-4-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:46 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2681 From: Satish Kumar Implement attestation client API as psa ipc and include it to se proxy deployment. Change-Id: I0a1130d2013717c6499da5bb2cd6cd11a752bcce Signed-off-by: Satish Kumar --- ...-Add-psa-ipc-attestation-to-se-proxy.patch | 268 ++++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 269 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch new file mode 100644 index 0000000..23b38da --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0021-Add-psa-ipc-attestation-to-se-proxy.patch @@ -0,0 +1,268 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Rui Miguel Silva + +From 20bab8442387480d77cf5d7c8271758acf9ed181 Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Tue, 7 Dec 2021 11:50:00 +0000 +Subject: [PATCH 3/5] Add psa ipc attestation to se proxy + +Implement attestation client API as psa ipc and include it to +se proxy deployment. + +Signed-off-by: Rui Miguel Silva +Signed-off-by: Satish Kumar +--- + .../client/psa_ipc/component.cmake | 13 +++ + .../client/psa_ipc/iat_ipc_client.c | 86 +++++++++++++++++++ + .../reporter/psa_ipc/component.cmake | 13 +++ + .../reporter/psa_ipc/psa_ipc_attest_report.c | 45 ++++++++++ + components/service/common/include/psa/sid.h | 4 + + deployments/se-proxy/opteesp/CMakeLists.txt | 3 +- + .../se-proxy/opteesp/service_proxy_factory.c | 6 ++ + 7 files changed, 169 insertions(+), 1 deletion(-) + create mode 100644 components/service/attestation/client/psa_ipc/component.cmake + create mode 100644 components/service/attestation/client/psa_ipc/iat_ipc_client.c + create mode 100644 components/service/attestation/reporter/psa_ipc/component.cmake + create mode 100644 components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c + +diff --git a/components/service/attestation/client/psa_ipc/component.cmake b/components/service/attestation/client/psa_ipc/component.cmake +new file mode 100644 +index 0000000..a5bc6b4 +--- /dev/null ++++ b/components/service/attestation/client/psa_ipc/component.cmake +@@ -0,0 +1,13 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/iat_ipc_client.c" ++ ) +diff --git a/components/service/attestation/client/psa_ipc/iat_ipc_client.c b/components/service/attestation/client/psa_ipc/iat_ipc_client.c +new file mode 100644 +index 0000000..30bd0a1 +--- /dev/null ++++ b/components/service/attestation/client/psa_ipc/iat_ipc_client.c +@@ -0,0 +1,86 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include ++#include ++ ++#include "../psa/iat_client.h" ++#include ++#include ++#include ++#include ++#include ++ ++/** ++ * @brief The singleton psa_iat_client instance ++ * ++ * The psa attestation C API assumes a single backend service provider. ++ */ ++static struct service_client instance; ++ ++ ++psa_status_t psa_iat_client_init(struct rpc_caller *caller) ++{ ++ return service_client_init(&instance, caller); ++} ++ ++void psa_iat_client_deinit(void) ++{ ++ service_client_deinit(&instance); ++} ++ ++int psa_iat_client_rpc_status(void) ++{ ++ return instance.rpc_status; ++} ++ ++psa_status_t psa_initial_attest_get_token(const uint8_t *auth_challenge, ++ size_t challenge_size, ++ uint8_t *token_buf, ++ size_t token_buf_size, ++ size_t *token_size) ++{ ++ psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; ++ struct rpc_caller *caller = instance.caller; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_const_to_u32(auth_challenge), .len = challenge_size}, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(token_buf), .len = token_buf_size}, ++ }; ++ ++ if (!token_buf || !token_buf_size) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, ++ TFM_ATTEST_GET_TOKEN, in_vec, IOVEC_LEN(in_vec), ++ out_vec, IOVEC_LEN(out_vec)); ++ if (status == PSA_SUCCESS) { ++ *token_size = out_vec[0].len; ++ } ++ ++ return status; ++} ++ ++psa_status_t psa_initial_attest_get_token_size(size_t challenge_size, ++ size_t *token_size) ++{ ++ struct rpc_caller *caller = instance.caller; ++ psa_status_t status; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&challenge_size), .len = sizeof(uint32_t)} ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(token_size), .len = sizeof(uint32_t)} ++ }; ++ ++ status = psa_call(caller, TFM_ATTESTATION_SERVICE_HANDLE, ++ TFM_ATTEST_GET_TOKEN_SIZE, ++ in_vec, IOVEC_LEN(in_vec), ++ out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} +diff --git a/components/service/attestation/reporter/psa_ipc/component.cmake b/components/service/attestation/reporter/psa_ipc/component.cmake +new file mode 100644 +index 0000000..b37830c +--- /dev/null ++++ b/components/service/attestation/reporter/psa_ipc/component.cmake +@@ -0,0 +1,13 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/psa_ipc_attest_report.c" ++ ) +diff --git a/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c +new file mode 100644 +index 0000000..15805e8 +--- /dev/null ++++ b/components/service/attestation/reporter/psa_ipc/psa_ipc_attest_report.c +@@ -0,0 +1,45 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++/** ++ * A attestation reporter for psa ipc ++ */ ++ ++#include ++#include ++#include ++#include ++ ++#define TOKEN_BUF_SIZE 1024 ++ ++static uint8_t token_buf[TOKEN_BUF_SIZE]; ++ ++int attest_report_create(int32_t client_id, const uint8_t *auth_challenge_data, ++ size_t auth_challenge_len, const uint8_t **report, ++ size_t *report_len) ++{ ++ *report = token_buf; ++ psa_status_t ret; ++ size_t token_size = 0; ++ ++ ret = psa_initial_attest_get_token(auth_challenge_data, ++ auth_challenge_len, token_buf, ++ TOKEN_BUF_SIZE, &token_size); ++ if (ret != PSA_SUCCESS) { ++ *report = NULL; ++ *report_len = 0; ++ return ret; ++ } ++ ++ *report_len = token_size; ++ ++ return PSA_SUCCESS; ++} ++ ++void attest_report_destroy(const uint8_t *report) ++{ ++ (void)report; ++} +diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h +index aaa973c..833f503 100644 +--- a/components/service/common/include/psa/sid.h ++++ b/components/service/common/include/psa/sid.h +@@ -50,6 +50,10 @@ extern "C" { + #define TFM_ATTESTATION_SERVICE_VERSION (1U) + #define TFM_ATTESTATION_SERVICE_HANDLE (0x40000103U) + ++/* Initial Attestation message types that distinguish Attest services. */ ++#define TFM_ATTEST_GET_TOKEN 1001 ++#define TFM_ATTEST_GET_TOKEN_SIZE 1002 ++ + /******** TFM_SP_FWU ********/ + #define TFM_FWU_WRITE_SID (0x000000A0U) + #define TFM_FWU_WRITE_VERSION (1U) +diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt +index 663177b..af2225e 100644 +--- a/deployments/se-proxy/opteesp/CMakeLists.txt ++++ b/deployments/se-proxy/opteesp/CMakeLists.txt +@@ -77,12 +77,13 @@ add_components(TARGET "se-proxy" + "components/service/attestation/include" + "components/service/attestation/provider" + "components/service/attestation/provider/serializer/packed-c" ++ "components/service/attestation/reporter/psa_ipc" ++ "components/service/attestation/client/psa_ipc" + "components/rpc/openamp/caller/sp" + + # Stub service provider backends + "components/rpc/dummy" + "components/rpc/common/caller" +- "components/service/attestation/reporter/stub" + "components/service/attestation/key_mngr/stub" + "components/service/crypto/backend/stub" + "components/service/crypto/client/psa" +diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c +index 5729005..4b8ccec 100644 +--- a/deployments/se-proxy/opteesp/service_proxy_factory.c ++++ b/deployments/se-proxy/opteesp/service_proxy_factory.c +@@ -23,12 +23,18 @@ struct openamp_caller openamp; + struct rpc_interface *attest_proxy_create(void) + { + struct rpc_interface *attest_iface; ++ struct rpc_caller *attest_caller; + + /* Static objects for proxy instance */ + static struct attest_provider attest_provider; + ++ attest_caller = openamp_caller_init(&openamp); ++ if (!attest_caller) ++ return NULL; ++ + /* Initialize the service provider */ + attest_iface = attest_provider_init(&attest_provider); ++ psa_iat_client_init(&openamp.rpc_caller); + + attest_provider_register_serializer(&attest_provider, + TS_RPC_ENCODING_PACKED_C, packedc_attest_provider_serializer_instance()); +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 6858986..4bfb6b7 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -31,6 +31,7 @@ SRC_URI:append = " \ file://0018-Support-FFARPC-call-requests-with-no-shared-buffer.patch \ file://0019-Run-psa-arch-test.patch \ file://0020-Use-address-instead-of-pointers.patch \ + file://0021-Add-psa-ipc-attestation-to-se-proxy.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto" From patchwork Tue Dec 14 11:07:26 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1477 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79831C433F5 for ; Tue, 14 Dec 2021 11:07:47 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web12.24663.1639480066497356469 for ; Tue, 14 Dec 2021 03:07:46 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 3756A6D; Tue, 14 Dec 2021 03:07:46 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 033B23F5A1; Tue, 14 Dec 2021 03:07:44 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Satish Kumar Subject: [PATCH 4/9] arm-bsp/secure-partitions: corstone1000: Setup its backend Date: Tue, 14 Dec 2021 11:07:26 +0000 Message-Id: <20211214110731.9081-5-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:47 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2682 From: Satish Kumar Setup its backend as openamp rpc using secure storage ipc implementation. Change-Id: I0329c87d11de7a721b3eaf004935befa6e7389c8 Signed-off-by: Satish Kumar --- ...d-as-openamp-rpc-using-secure-storag.patch | 165 ++++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 166 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch new file mode 100644 index 0000000..b715169 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch @@ -0,0 +1,165 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Satish Kumar + +From 53d5b73b84deb7feb4f87f2792f50fc8018ac0d5 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Thu, 9 Dec 2021 14:11:06 +0000 +Subject: [PATCH 4/5] Setup its backend as openamp rpc using secure storage ipc + implementation. + +Signed-off-by: Rui Miguel Silva +Signed-off-by: Satish Kumar +--- + components/service/common/include/psa/sid.h | 12 +++++----- + .../secure_storage_ipc/secure_storage_ipc.c | 20 ++++++++--------- + .../secure_storage_ipc/secure_storage_ipc.h | 1 + + .../se-proxy/opteesp/service_proxy_factory.c | 22 +++++++++++++------ + 4 files changed, 32 insertions(+), 23 deletions(-) + +diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h +index 833f503..4a951d4 100644 +--- a/components/service/common/include/psa/sid.h ++++ b/components/service/common/include/psa/sid.h +@@ -20,12 +20,12 @@ extern "C" { + /* Invalid UID */ + #define TFM_PS_INVALID_UID 0 + +-/* PS message types that distinguish PS services. */ +-#define TFM_PS_SET 1001 +-#define TFM_PS_GET 1002 +-#define TFM_PS_GET_INFO 1003 +-#define TFM_PS_REMOVE 1004 +-#define TFM_PS_GET_SUPPORT 1005 ++/* PS / ITS message types that distinguish PS services. */ ++#define TFM_PS_ITS_SET 1001 ++#define TFM_PS_ITS_GET 1002 ++#define TFM_PS_ITS_GET_INFO 1003 ++#define TFM_PS_ITS_REMOVE 1004 ++#define TFM_PS_ITS_GET_SUPPORT 1005 + + /******** TFM_SP_ITS ********/ + #define TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_SID (0x00000070U) +diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c +index bda442a..0e1b48c 100644 +--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c ++++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.c +@@ -31,8 +31,8 @@ static psa_status_t secure_storage_ipc_set(void *context, uint32_t client_id, + + ipc->client.rpc_status = TS_RPC_CALL_ACCEPTED; + +- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, +- TFM_PS_SET, in_vec, IOVEC_LEN(in_vec), NULL, 0); ++ psa_status = psa_call(caller, ipc->service_handle, TFM_PS_ITS_SET, ++ in_vec, IOVEC_LEN(in_vec), NULL, 0); + if (psa_status < 0) + EMSG("ipc_set: psa_call failed: %d", psa_status); + +@@ -65,8 +65,8 @@ static psa_status_t secure_storage_ipc_get(void *context, + return PSA_ERROR_INVALID_ARGUMENT; + } + +- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, +- TFM_PS_GET, in_vec, IOVEC_LEN(in_vec), ++ psa_status = psa_call(caller, ipc->service_handle, ++ TFM_PS_ITS_GET, in_vec, IOVEC_LEN(in_vec), + out_vec, IOVEC_LEN(out_vec)); + if (psa_status == PSA_SUCCESS) + *p_data_length = out_vec[0].len; +@@ -92,8 +92,8 @@ static psa_status_t secure_storage_ipc_get_info(void *context, + + (void)client_id; + +- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, +- TFM_PS_GET_INFO, in_vec, ++ psa_status = psa_call(caller, ipc->service_handle, ++ TFM_PS_ITS_GET_INFO, in_vec, + IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); + if (psa_status != PSA_SUCCESS) + EMSG("ipc_get_info: failed to psa_call: %d", psa_status); +@@ -115,8 +115,8 @@ static psa_status_t secure_storage_ipc_remove(void *context, + + (void)client_id; + +- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, +- TFM_PS_REMOVE, in_vec, ++ psa_status = psa_call(caller, ipc->service_handle, ++ TFM_PS_ITS_REMOVE, in_vec, + IOVEC_LEN(in_vec), NULL, 0); + if (psa_status != PSA_SUCCESS) + EMSG("ipc_remove: failed to psa_call: %d", psa_status); +@@ -169,8 +169,8 @@ static uint32_t secure_storage_get_support(void *context, uint32_t client_id) + + (void)client_id; + +- psa_status = psa_call(caller, TFM_PROTECTED_STORAGE_SERVICE_HANDLE, +- TFM_PS_GET_SUPPORT, NULL, 0, ++ psa_status = psa_call(caller, ipc->service_handle, ++ TFM_PS_ITS_GET_SUPPORT, NULL, 0, + out_vec, IOVEC_LEN(out_vec)); + if (psa_status != PSA_SUCCESS) + EMSG("ipc_get_support: failed to psa_call: %d", psa_status); +diff --git a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h +index e8c1e8f..d9949f6 100644 +--- a/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h ++++ b/components/service/secure_storage/backend/secure_storage_ipc/secure_storage_ipc.h +@@ -21,6 +21,7 @@ struct secure_storage_ipc + { + struct storage_backend backend; + struct service_client client; ++ int32_t service_handle; + }; + + /** +diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c +index 4b8ccec..1110ac4 100644 +--- a/deployments/se-proxy/opteesp/service_proxy_factory.c ++++ b/deployments/se-proxy/opteesp/service_proxy_factory.c +@@ -5,6 +5,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -60,23 +61,30 @@ struct rpc_interface *ps_proxy_create(void) + { + static struct secure_storage_provider ps_provider; + static struct secure_storage_ipc ps_backend; +- static struct rpc_caller *storage_caller; ++ struct rpc_caller *storage_caller; + struct storage_backend *backend; + + storage_caller = openamp_caller_init(&openamp); + if (!storage_caller) + return NULL; + backend = secure_storage_ipc_init(&ps_backend, &openamp.rpc_caller); ++ ps_backend.service_handle = TFM_PROTECTED_STORAGE_SERVICE_HANDLE; + + return secure_storage_provider_init(&ps_provider, backend); + } + + struct rpc_interface *its_proxy_create(void) + { +- static struct mock_store its_backend; +- static struct secure_storage_provider its_provider; +- +- struct storage_backend *backend = mock_store_init(&its_backend); +- +- return secure_storage_provider_init(&its_provider, backend); ++ static struct secure_storage_provider its_provider; ++ static struct secure_storage_ipc its_backend; ++ struct rpc_caller *storage_caller; ++ struct storage_backend *backend; ++ ++ storage_caller = openamp_caller_init(&openamp); ++ if (!storage_caller) ++ return NULL; ++ backend = secure_storage_ipc_init(&its_backend, &openamp.rpc_caller); ++ its_backend.service_handle = TFM_INTERNAL_TRUSTED_STORAGE_SERVICE_HANDLE; ++ ++ return secure_storage_provider_init(&its_provider, backend); + } +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 4bfb6b7..7134143 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -32,6 +32,7 @@ SRC_URI:append = " \ file://0019-Run-psa-arch-test.patch \ file://0020-Use-address-instead-of-pointers.patch \ file://0021-Add-psa-ipc-attestation-to-se-proxy.patch \ + file://0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto" From patchwork Tue Dec 14 11:07:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1480 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D3F5C433FE for ; Tue, 14 Dec 2021 11:07:50 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.24310.1639480068916054924 for ; Tue, 14 Dec 2021 03:07:49 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id EFB556D; Tue, 14 Dec 2021 03:07:47 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 879193F5A1; Tue, 14 Dec 2021 03:07:46 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Satish Kumar Subject: [PATCH 5/9] arm-bsp/secure-partitions: corstone1000: add psa ipc crypto backend Date: Tue, 14 Dec 2021 11:07:27 +0000 Message-Id: <20211214110731.9081-6-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:50 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2683 From: Satish Kumar Add psa ipc crypto backend and attach it to se proxy deployment. Change-Id: I072cd3f0661be33773a2132c2222dc4c7b8c6cb4 Signed-off-by: Satish Kumar --- .../0023-add-psa-ipc-crypto-backend.patch | 2587 +++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 2588 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0023-add-psa-ipc-crypto-backend.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0023-add-psa-ipc-crypto-backend.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0023-add-psa-ipc-crypto-backend.patch new file mode 100644 index 0000000..56d125c --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0023-add-psa-ipc-crypto-backend.patch @@ -0,0 +1,2587 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Rui Miguel Silva + +From deb8fb7a7b214edc095c971f7a439e75b8e428d1 Mon Sep 17 00:00:00 2001 +From: Rui Miguel Silva +Date: Thu, 9 Dec 2021 14:17:39 +0000 +Subject: [PATCH 5/5] add psa ipc crypto backend + +Add psa ipc crypto backend and attach it to se proxy +deployment. + +Signed-off-by: Rui Miguel Silva +Signed-off-by: Satish Kumar +--- + components/service/common/include/psa/sid.h | 73 +++++ + .../crypto/backend/psa_ipc/component.cmake | 21 ++ + .../backend/psa_ipc/crypto_ipc_backend.c | 26 ++ + .../backend/psa_ipc/crypto_ipc_backend.h | 70 ++++ + .../client/caller/psa_ipc/crypto_caller.h | 34 ++ + .../caller/psa_ipc/crypto_caller_aead.h | 252 +++++++++++++++ + .../crypto_caller_asymmetric_decrypt.h | 76 +++++ + .../crypto_caller_asymmetric_encrypt.h | 76 +++++ + .../caller/psa_ipc/crypto_caller_cipher.h | 246 +++++++++++++++ + .../caller/psa_ipc/crypto_caller_copy_key.h | 57 ++++ + .../psa_ipc/crypto_caller_destroy_key.h | 51 +++ + .../caller/psa_ipc/crypto_caller_export_key.h | 59 ++++ + .../psa_ipc/crypto_caller_export_public_key.h | 59 ++++ + .../psa_ipc/crypto_caller_generate_key.h | 55 ++++ + .../psa_ipc/crypto_caller_generate_random.h | 57 ++++ + .../crypto_caller_get_key_attributes.h | 56 ++++ + .../caller/psa_ipc/crypto_caller_hash.h | 220 +++++++++++++ + .../caller/psa_ipc/crypto_caller_import_key.h | 57 ++++ + .../psa_ipc/crypto_caller_key_attributes.h | 51 +++ + .../psa_ipc/crypto_caller_key_derivation.h | 298 ++++++++++++++++++ + .../client/caller/psa_ipc/crypto_caller_mac.h | 207 ++++++++++++ + .../caller/psa_ipc/crypto_caller_purge_key.h | 51 +++ + .../caller/psa_ipc/crypto_caller_sign_hash.h | 64 ++++ + .../psa_ipc/crypto_caller_verify_hash.h | 59 ++++ + .../crypto/include/psa/crypto_client_struct.h | 8 +- + .../service/crypto/include/psa/crypto_sizes.h | 2 +- + deployments/se-proxy/opteesp/CMakeLists.txt | 2 +- + .../se-proxy/opteesp/service_proxy_factory.c | 15 +- + .../providers/arm/corstone1000/platform.cmake | 2 + + 29 files changed, 2293 insertions(+), 11 deletions(-) + create mode 100644 components/service/crypto/backend/psa_ipc/component.cmake + create mode 100644 components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c + create mode 100644 components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h + create mode 100644 components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h + +diff --git a/components/service/common/include/psa/sid.h b/components/service/common/include/psa/sid.h +index 4a951d4..7a29cc2 100644 +--- a/components/service/common/include/psa/sid.h ++++ b/components/service/common/include/psa/sid.h +@@ -37,6 +37,79 @@ extern "C" { + #define TFM_CRYPTO_VERSION (1U) + #define TFM_CRYPTO_HANDLE (0x40000100U) + ++/** ++ * \brief Define a progressive numerical value for each SID which can be used ++ * when dispatching the requests to the service ++ */ ++enum { ++ TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID = (0u), ++ TFM_CRYPTO_RESET_KEY_ATTRIBUTES_SID, ++ TFM_CRYPTO_OPEN_KEY_SID, ++ TFM_CRYPTO_CLOSE_KEY_SID, ++ TFM_CRYPTO_IMPORT_KEY_SID, ++ TFM_CRYPTO_DESTROY_KEY_SID, ++ TFM_CRYPTO_EXPORT_KEY_SID, ++ TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, ++ TFM_CRYPTO_PURGE_KEY_SID, ++ TFM_CRYPTO_COPY_KEY_SID, ++ TFM_CRYPTO_HASH_COMPUTE_SID, ++ TFM_CRYPTO_HASH_COMPARE_SID, ++ TFM_CRYPTO_HASH_SETUP_SID, ++ TFM_CRYPTO_HASH_UPDATE_SID, ++ TFM_CRYPTO_HASH_FINISH_SID, ++ TFM_CRYPTO_HASH_VERIFY_SID, ++ TFM_CRYPTO_HASH_ABORT_SID, ++ TFM_CRYPTO_HASH_CLONE_SID, ++ TFM_CRYPTO_MAC_COMPUTE_SID, ++ TFM_CRYPTO_MAC_VERIFY_SID, ++ TFM_CRYPTO_MAC_SIGN_SETUP_SID, ++ TFM_CRYPTO_MAC_VERIFY_SETUP_SID, ++ TFM_CRYPTO_MAC_UPDATE_SID, ++ TFM_CRYPTO_MAC_SIGN_FINISH_SID, ++ TFM_CRYPTO_MAC_VERIFY_FINISH_SID, ++ TFM_CRYPTO_MAC_ABORT_SID, ++ TFM_CRYPTO_CIPHER_ENCRYPT_SID, ++ TFM_CRYPTO_CIPHER_DECRYPT_SID, ++ TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, ++ TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, ++ TFM_CRYPTO_CIPHER_GENERATE_IV_SID, ++ TFM_CRYPTO_CIPHER_SET_IV_SID, ++ TFM_CRYPTO_CIPHER_UPDATE_SID, ++ TFM_CRYPTO_CIPHER_FINISH_SID, ++ TFM_CRYPTO_CIPHER_ABORT_SID, ++ TFM_CRYPTO_AEAD_ENCRYPT_SID, ++ TFM_CRYPTO_AEAD_DECRYPT_SID, ++ TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID, ++ TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID, ++ TFM_CRYPTO_AEAD_GENERATE_NONCE_SID, ++ TFM_CRYPTO_AEAD_SET_NONCE_SID, ++ TFM_CRYPTO_AEAD_SET_LENGTHS_SID, ++ TFM_CRYPTO_AEAD_UPDATE_AD_SID, ++ TFM_CRYPTO_AEAD_UPDATE_SID, ++ TFM_CRYPTO_AEAD_FINISH_SID, ++ TFM_CRYPTO_AEAD_VERIFY_SID, ++ TFM_CRYPTO_AEAD_ABORT_SID, ++ TFM_CRYPTO_SIGN_MESSAGE_SID, ++ TFM_CRYPTO_VERIFY_MESSAGE_SID, ++ TFM_CRYPTO_SIGN_HASH_SID, ++ TFM_CRYPTO_VERIFY_HASH_SID, ++ TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, ++ TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, ++ TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, ++ TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, ++ TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, ++ TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, ++ TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, ++ TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, ++ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, ++ TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, ++ TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, ++ TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, ++ TFM_CRYPTO_GENERATE_RANDOM_SID, ++ TFM_CRYPTO_GENERATE_KEY_SID, ++ TFM_CRYPTO_SID_MAX, ++}; ++ + /******** TFM_SP_PLATFORM ********/ + #define TFM_SP_PLATFORM_SYSTEM_RESET_SID (0x00000040U) + #define TFM_SP_PLATFORM_SYSTEM_RESET_VERSION (1U) +diff --git a/components/service/crypto/backend/psa_ipc/component.cmake b/components/service/crypto/backend/psa_ipc/component.cmake +new file mode 100644 +index 0000000..93c297a +--- /dev/null ++++ b/components/service/crypto/backend/psa_ipc/component.cmake +@@ -0,0 +1,21 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/crypto_ipc_backend.c" ++ ) ++ ++# The ipc crypto backend uses the psa crypto client to realize the ++# psa crypto API that the crypto provider depends on. This define ++# configures the psa crypto client to be built with the ipc crypto ++# caller. ++target_compile_definitions(${TGT} PRIVATE ++ PSA_CRYPTO_CLIENT_CALLER_SELECTION_H="service/crypto/client/caller/psa_ipc/crypto_caller.h" ++) +diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c +new file mode 100644 +index 0000000..e47cd4f +--- /dev/null ++++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.c +@@ -0,0 +1,26 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include ++#include ++#include ++#include ++#include "crypto_ipc_backend.h" ++ ++psa_status_t crypto_ipc_backend_init(struct rpc_caller *caller) ++{ ++ psa_status_t status = psa_crypto_client_init(caller); ++ ++ if (status == PSA_SUCCESS) ++ status = psa_crypto_init(); ++ ++ return status; ++} ++ ++void crypto_ipc_backend_deinit(void) ++{ ++ psa_crypto_client_deinit(); ++} +diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h +new file mode 100644 +index 0000000..c13c20e +--- /dev/null ++++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h +@@ -0,0 +1,70 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CRYPTO_IPC_BACKEND_H ++#define CRYPTO_IPC_BACKEND_H ++ ++#include ++#include ++#include ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/** ++ * \brief This type is used to overcome a limitation in the number of maximum ++ * IOVECs that can be used especially in psa_aead_encrypt and ++ * psa_aead_decrypt. To be removed in case the AEAD APIs number of ++ * parameters passed gets restructured ++ */ ++#define TFM_CRYPTO_MAX_NONCE_LENGTH (16u) ++struct psa_ipc_crypto_aead_pack_input { ++ uint8_t nonce[TFM_CRYPTO_MAX_NONCE_LENGTH]; ++ uint32_t nonce_length; ++}; ++ ++struct psa_ipc_crypto_pack_iovec { ++ uint32_t sfn_id; /*!< Secure function ID used to dispatch the ++ * request ++ */ ++ uint16_t step; /*!< Key derivation step */ ++ psa_key_id_t key_id; /*!< Key id */ ++ psa_algorithm_t alg; /*!< Algorithm */ ++ uint32_t op_handle; /*!< Frontend context handle associated to a ++ * multipart operation ++ */ ++ uint32_t capacity; /*!< Key derivation capacity */ ++ ++ struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for ++ * AEAD until the API is ++ * restructured ++ */ ++}; ++ ++#define iov_size sizeof(struct psa_ipc_crypto_pack_iovec) ++ ++/** ++ * \brief Initialize the psa ipc crypto backend ++ * ++ * Initializes a crypto backend that uses the psa API client with a ++ * psa_ipc_backend caller to realize the PSA crypto API used by the crypto ++ * service proviser. ++ * ++ * \return PSA_SUCCESS if backend initialized successfully ++ */ ++psa_status_t crypto_ipc_backend_init(struct rpc_caller *caller); ++ ++/** ++ * \brief Clean-up to free any resource used by the crypto backend ++ */ ++void crypto_ipc_backend_deinit(void); ++ ++#ifdef __cplusplus ++} /* extern "C" */ ++#endif ++ ++#endif /* CRYPTO_IPC_BACKEND_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h +new file mode 100644 +index 0000000..0a97218 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller.h +@@ -0,0 +1,34 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_H ++#define PSA_IPC_CRYPTO_CALLER_H ++ ++/** ++ * Includes all header files that form the psa ipc crypto caller ++ * interface. May be used by a client that needs to call operations ++ * provided by a crypto service instance using the psa ipc interface. ++ */ ++#include "crypto_caller_aead.h" ++#include "crypto_caller_asymmetric_decrypt.h" ++#include "crypto_caller_asymmetric_encrypt.h" ++#include "crypto_caller_cipher.h" ++#include "crypto_caller_copy_key.h" ++#include "crypto_caller_destroy_key.h" ++#include "crypto_caller_export_key.h" ++#include "crypto_caller_export_public_key.h" ++#include "crypto_caller_generate_key.h" ++#include "crypto_caller_generate_random.h" ++#include "crypto_caller_get_key_attributes.h" ++#include "crypto_caller_hash.h" ++#include "crypto_caller_import_key.h" ++#include "crypto_caller_key_derivation.h" ++#include "crypto_caller_mac.h" ++#include "crypto_caller_purge_key.h" ++#include "crypto_caller_sign_hash.h" ++#include "crypto_caller_verify_hash.h" ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h +new file mode 100644 +index 0000000..78517fe +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h +@@ -0,0 +1,252 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_AEAD_H ++#define PSA_IPC_CRYPTO_CALLER_AEAD_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_aead_encrypt( ++ struct service_client *context, ++ psa_key_id_t key, ++ psa_algorithm_t alg, ++ const uint8_t *nonce, ++ size_t nonce_length, ++ const uint8_t *additional_data, ++ size_t additional_data_length, ++ const uint8_t *plaintext, ++ size_t plaintext_length, ++ uint8_t *aeadtext, ++ size_t aeadtext_size, ++ size_t *aeadtext_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ size_t in_len; ++ int i; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SID, ++ .key_id = key, ++ .alg = alg, ++ .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, ++ }; ++ ++ if (!additional_data && additional_data_length) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(plaintext), ++ .len = plaintext_length }, ++ { .base = psa_ptr_const_to_u32(additional_data), ++ .len = additional_data_length}, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(aeadtext), .len = aeadtext_size }, ++ }; ++ ++ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ if (nonce) { ++ for (i = 0; i < nonce_length; i++) ++ iov.aead_in.nonce[i] = nonce[i]; ++ } ++ ++ in_len = IOVEC_LEN(in_vec); ++ ++ if (!additional_data) ++ in_len--; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ in_len, out_vec, IOVEC_LEN(out_vec)); ++ ++ *aeadtext_length = out_vec[0].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_aead_decrypt( ++ struct service_client *context, ++ psa_key_id_t key, ++ psa_algorithm_t alg, ++ const uint8_t *nonce, ++ size_t nonce_length, ++ const uint8_t *additional_data, ++ size_t additional_data_length, ++ const uint8_t *aeadtext, ++ size_t aeadtext_length, ++ uint8_t *plaintext, ++ size_t plaintext_size, ++ size_t *plaintext_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ size_t in_len; ++ int i; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SID, ++ .key_id = key, ++ .alg = alg, ++ .aead_in = { .nonce = {0}, .nonce_length = nonce_length }, ++ }; ++ ++ if (!additional_data && additional_data_length) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(aeadtext), ++ .len = aeadtext_length }, ++ { .base = psa_ptr_const_to_u32(additional_data), ++ .len = additional_data_length}, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(plaintext), .len = plaintext_size }, ++ }; ++ ++ if (nonce_length > TFM_CRYPTO_MAX_NONCE_LENGTH) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ if (nonce) { ++ for (i = 0; i < nonce_length; i++) ++ iov.aead_in.nonce[i] = nonce[i]; ++ } ++ ++ in_len = IOVEC_LEN(in_vec); ++ ++ if (!additional_data) ++ in_len--; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ in_len, out_vec, IOVEC_LEN(out_vec)); ++ ++ *plaintext_length = out_vec[0].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_aead_encrypt_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_key_id_t key, ++ psa_algorithm_t alg) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_decrypt_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_key_id_t key, ++ psa_algorithm_t alg) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_generate_nonce( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *nonce, ++ size_t nonce_size, ++ size_t *nonce_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_set_nonce( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *nonce, ++ size_t nonce_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_set_lengths( ++ struct service_client *context, ++ uint32_t op_handle, ++ size_t ad_length, ++ size_t plaintext_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_update_ad( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *input, ++ size_t input_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_update( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *input, ++ size_t input_length, ++ uint8_t *output, ++ size_t output_size, ++ size_t *output_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_finish( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *aeadtext, ++ size_t aeadtext_size, ++ size_t *aeadtext_length, ++ uint8_t *tag, ++ size_t tag_size, ++ size_t *tag_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_verify( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *plaintext, ++ size_t plaintext_size, ++ size_t *plaintext_length, ++ const uint8_t *tag, ++ size_t tag_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_aead_abort( ++ struct service_client *context, ++ uint32_t op_handle) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_AEAD_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h +new file mode 100644 +index 0000000..ff01815 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_decrypt.h +@@ -0,0 +1,76 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H ++#define PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_asymmetric_decrypt( ++ struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *input, size_t input_length, ++ const uint8_t *salt, size_t salt_length, ++ uint8_t *output, size_t output_size, ++ size_t *output_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ size_t in_len; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_ASYMMETRIC_DECRYPT_SID, ++ .key_id = id, ++ .alg = alg, ++ }; ++ ++ /* Sanitize optional input */ ++ if (!salt && salt_length) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(input), .len = input_length }, ++ { .base = psa_ptr_const_to_u32(salt), .len = salt_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(output), .len = output_size }, ++ }; ++ ++ ++ in_len = IOVEC_LEN(in_vec); ++ if (!salt) ++ in_len--; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ in_len, out_vec, IOVEC_LEN(out_vec)); ++ ++ *output_length = out_vec[0].len; ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_DECRYPT_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h +new file mode 100644 +index 0000000..1daf168 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_asymmetric_encrypt.h +@@ -0,0 +1,76 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H ++#define PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_asymmetric_encrypt( ++ struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *input, size_t input_length, ++ const uint8_t *salt, size_t salt_length, ++ uint8_t *output, size_t output_size, ++ size_t *output_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ size_t in_len; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_ASYMMETRIC_ENCRYPT_SID, ++ .key_id = id, ++ .alg = alg, ++ }; ++ ++ /* Sanitize optional input */ ++ if (!salt && salt_length) ++ return PSA_ERROR_INVALID_ARGUMENT; ++ ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(input), .len = input_length }, ++ { .base = psa_ptr_const_to_u32(salt), .len = salt_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(output), .len = output_size }, ++ }; ++ ++ ++ in_len = IOVEC_LEN(in_vec); ++ if (!salt) ++ in_len--; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ in_len, out_vec, IOVEC_LEN(out_vec)); ++ ++ *output_length = out_vec[0].len; ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_ASYMMETRIC_ENCRYPT_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h +new file mode 100644 +index 0000000..fbefb28 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_cipher.h +@@ -0,0 +1,246 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_CIPHER_H ++#define PSA_IPC_CRYPTO_CALLER_CIPHER_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_cipher_encrypt_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_key_id_t key, ++ psa_algorithm_t alg) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_ENCRYPT_SETUP_SID, ++ .key_id = key, ++ .alg = alg, ++ .op_handle = *op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_cipher_decrypt_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_key_id_t key, ++ psa_algorithm_t alg) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_DECRYPT_SETUP_SID, ++ .key_id = key, ++ .alg = alg, ++ .op_handle = *op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_cipher_generate_iv( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *iv, ++ size_t iv_size, ++ size_t *iv_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_GENERATE_IV_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ { .base = psa_ptr_to_u32(iv), .len = iv_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *iv_length = out_vec[1].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_cipher_set_iv( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *iv, ++ size_t iv_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_SET_IV_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(iv), .len = iv_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_cipher_update( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *input, ++ size_t input_length, ++ uint8_t *output, ++ size_t output_size, ++ size_t *output_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_UPDATE_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(input), .len = input_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ { .base = psa_ptr_to_u32(output), .len = output_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *output_length = out_vec[1].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_cipher_finish( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *output, ++ size_t output_size, ++ size_t *output_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_FINISH_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ { .base = psa_ptr_to_u32(output), .len = output_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *output_length = out_vec[1].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_cipher_abort( ++ struct service_client *context, ++ uint32_t op_handle) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_CIPHER_ABORT_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline size_t crypto_caller_cipher_max_update_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes that may be ++ * carried as a parameter of the cipher_update operation ++ * using the ipc encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = iov_size; ++ ++ /* Allow for output to be a whole number of blocks */ ++ overhead += PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_CIPHER_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h +new file mode 100644 +index 0000000..9a98817 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_copy_key.h +@@ -0,0 +1,57 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_COPY_KEY_H ++#define PSA_IPC_CRYPTO_CALLER_COPY_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_copy_key(struct service_client *context, ++ psa_key_id_t source_key, ++ const psa_key_attributes_t *attributes, ++ psa_key_id_t *target_key) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_COPY_KEY_SID, ++ .key_id = source_key, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(target_key), .len = sizeof(psa_key_id_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_COPY_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h +new file mode 100644 +index 0000000..d00f4fa +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_destroy_key.h +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H ++#define PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_destroy_key(struct service_client *context, ++ psa_key_id_t id) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_DESTROY_KEY_SID, ++ .key_id = id, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_DESTROY_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h +new file mode 100644 +index 0000000..8ac5477 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_key.h +@@ -0,0 +1,59 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H ++#define PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_export_key(struct service_client *context, ++ psa_key_id_t id, ++ uint8_t *data, ++ size_t data_size, ++ size_t *data_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_EXPORT_KEY_SID, ++ .key_id = id, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(data), .len = data_size } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *data_length = out_vec[0].len; ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_EXPORT_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h +new file mode 100644 +index 0000000..b24c47f +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_export_public_key.h +@@ -0,0 +1,59 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H ++#define PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_export_public_key(struct service_client *context, ++ psa_key_id_t id, ++ uint8_t *data, ++ size_t data_size, ++ size_t *data_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_EXPORT_PUBLIC_KEY_SID, ++ .key_id = id, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(data), .len = data_size } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *data_length = out_vec[0].len; ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_EXPORT_PUBLIC_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h +new file mode 100644 +index 0000000..1b66ed4 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_key.h +@@ -0,0 +1,55 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H ++#define PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_generate_key(struct service_client *context, ++ const psa_key_attributes_t *attributes, ++ psa_key_id_t *id) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_GENERATE_KEY_SID, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(id), .len = sizeof(psa_key_id_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_GENERATE_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h +new file mode 100644 +index 0000000..7c53823 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_generate_random.h +@@ -0,0 +1,57 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H ++#define PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_generate_random(struct service_client *context, ++ uint8_t *output, ++ size_t output_size) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_GENERATE_RANDOM_SID, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(output), .len = output_size } ++ }; ++ ++ if (!output_size) ++ return PSA_SUCCESS; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_GENERATE_RANDOM_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h +new file mode 100644 +index 0000000..22f1d18 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_get_key_attributes.h +@@ -0,0 +1,56 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H ++#define PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_get_key_attributes( ++ struct service_client *context, ++ psa_key_id_t key, ++ psa_key_attributes_t *attributes) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_GET_KEY_ATTRIBUTES_SID, ++ .key_id = key, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(attributes), .len = sizeof(psa_key_attributes_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_GET_KEY_ATTRIBUTES_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h +new file mode 100644 +index 0000000..9f37908 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_hash.h +@@ -0,0 +1,220 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_HASH_H ++#define PSA_IPC_CRYPTO_CALLER_HASH_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_hash_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_algorithm_t alg) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_HASH_SETUP_SID, ++ .alg = alg, ++ .op_handle = *op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_hash_update( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *input, ++ size_t input_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_HASH_UPDATE_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(input), .len = input_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_hash_finish( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *hash, ++ size_t hash_size, ++ size_t *hash_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_HASH_FINISH_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ { .base = psa_ptr_to_u32(hash), .len = hash_size}, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *hash_length = out_vec[1].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_hash_abort( ++ struct service_client *context, ++ uint32_t op_handle) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_HASH_ABORT_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_hash_verify( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *hash, ++ size_t hash_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_HASH_VERIFY_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(hash), .len = hash_length}, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_hash_clone( ++ struct service_client *context, ++ uint32_t source_op_handle, ++ uint32_t *target_op_handle) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_HASH_CLONE_SID, ++ .op_handle = source_op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(target_op_handle), ++ .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_hash_suspend(struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *hash_state, ++ size_t hash_state_size, ++ size_t *hash_state_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline psa_status_t crypto_caller_hash_resume(struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *hash_state, ++ size_t hash_state_length) ++{ ++ return PSA_ERROR_NOT_SUPPORTED; ++} ++ ++static inline size_t crypto_caller_hash_max_update_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes that may be ++ * carried as a parameter of the hash_update operation ++ * using the packed-c encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = iov_size; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_HASH_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h +new file mode 100644 +index 0000000..d470336 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_import_key.h +@@ -0,0 +1,57 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H ++#define PSA_IPC_CRYPTO_CALLER_IMPORT_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_import_key(struct service_client *context, ++ const psa_key_attributes_t *attributes, ++ const uint8_t *data, size_t data_length, ++ psa_key_id_t *id) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_IMPORT_KEY_SID, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ { .base = psa_ptr_const_to_u32(attributes), .len = sizeof(psa_key_attributes_t) }, ++ { .base = psa_ptr_const_to_u32(data), .len = data_length } ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(id), .len = sizeof(psa_key_id_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PACKEDC_CRYPTO_CALLER_IMPORT_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h +new file mode 100644 +index 0000000..2fad2f0 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_attributes.h +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H ++#define PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H ++ ++#include ++#include ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline void packedc_crypto_caller_translate_key_attributes_to_proto( ++ struct ts_crypto_key_attributes *proto_attributes, ++ const psa_key_attributes_t *psa_attributes) ++{ ++ proto_attributes->type = psa_get_key_type(psa_attributes); ++ proto_attributes->key_bits = psa_get_key_bits(psa_attributes); ++ proto_attributes->lifetime = psa_get_key_lifetime(psa_attributes); ++ proto_attributes->id = psa_get_key_id(psa_attributes); ++ ++ proto_attributes->policy.usage = psa_get_key_usage_flags(psa_attributes); ++ proto_attributes->policy.alg = psa_get_key_algorithm(psa_attributes); ++ } ++ ++static inline void packedc_crypto_caller_translate_key_attributes_from_proto( ++ psa_key_attributes_t *psa_attributes, ++ const struct ts_crypto_key_attributes *proto_attributes) ++{ ++ psa_set_key_type(psa_attributes, proto_attributes->type); ++ psa_set_key_bits(psa_attributes, proto_attributes->key_bits); ++ psa_set_key_lifetime(psa_attributes, proto_attributes->lifetime); ++ ++ if (proto_attributes->lifetime == PSA_KEY_LIFETIME_PERSISTENT) { ++ ++ psa_set_key_id(psa_attributes, proto_attributes->id); ++ } ++ ++ psa_set_key_usage_flags(psa_attributes, proto_attributes->policy.usage); ++ psa_set_key_algorithm(psa_attributes, proto_attributes->policy.alg); ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PACKEDC_CRYPTO_CALLER_KEY_ATTRIBUTES_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h +new file mode 100644 +index 0000000..5ce4fb6 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_key_derivation.h +@@ -0,0 +1,298 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H ++#define PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_key_derivation_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_algorithm_t alg) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SETUP_SID, ++ .alg = alg, ++ .op_handle = *op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_get_capacity( ++ struct service_client *context, ++ const uint32_t op_handle, ++ size_t *capacity) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_GET_CAPACITY_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(capacity), .len = sizeof(uint32_t) } ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_set_capacity( ++ struct service_client *context, ++ uint32_t op_handle, ++ size_t capacity) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_SET_CAPACITY_SID, ++ .capacity = capacity, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_input_bytes( ++ struct service_client *context, ++ uint32_t op_handle, ++ psa_key_derivation_step_t step, ++ const uint8_t *data, ++ size_t data_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_BYTES_SID, ++ .step = step, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(data), .len = data_length }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_input_key( ++ struct service_client *context, ++ uint32_t op_handle, ++ psa_key_derivation_step_t step, ++ psa_key_id_t key) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_INPUT_KEY_SID, ++ .key_id = key, ++ .step = step, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_output_bytes( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *output, ++ size_t output_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_BYTES_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(output), .len = output_length }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_output_key( ++ struct service_client *context, ++ const psa_key_attributes_t *attributes, ++ uint32_t op_handle, ++ psa_key_id_t *key) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_OUTPUT_KEY_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(attributes), ++ .len = sizeof(psa_key_attributes_t) }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(key), .len = sizeof(psa_key_id_t)}, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_abort( ++ struct service_client *context, ++ uint32_t op_handle) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_ABORT_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_key_derivation_key_agreement( ++ struct service_client *context, ++ uint32_t op_handle, ++ psa_key_derivation_step_t step, ++ psa_key_id_t private_key, ++ const uint8_t *peer_key, ++ size_t peer_key_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_KEY_DERIVATION_KEY_AGREEMENT_SID, ++ .key_id = private_key, ++ .step = step, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(peer_key), ++ .len = peer_key_length}, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_raw_key_agreement( ++ struct service_client *context, ++ psa_algorithm_t alg, ++ psa_key_id_t private_key, ++ const uint8_t *peer_key, ++ size_t peer_key_length, ++ uint8_t *output, ++ size_t output_size, ++ size_t *output_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_RAW_KEY_AGREEMENT_SID, ++ .alg = alg, ++ .key_id = private_key, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(peer_key), ++ .len = peer_key_length}, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(output), .len = output_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *output_length = out_vec[0].len; ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_KEY_DERIVATION_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h +new file mode 100644 +index 0000000..3a82019 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_mac.h +@@ -0,0 +1,207 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_MAC_H ++#define PSA_IPC_CRYPTO_CALLER_MAC_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_mac_sign_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_key_id_t key, ++ psa_algorithm_t alg) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_MAC_SIGN_SETUP_SID, ++ .key_id = key, ++ .alg = alg, ++ .op_handle = *op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_mac_verify_setup( ++ struct service_client *context, ++ uint32_t *op_handle, ++ psa_key_id_t key, ++ psa_algorithm_t alg) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_MAC_VERIFY_SETUP_SID, ++ .key_id = key, ++ .alg = alg, ++ .op_handle = *op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_mac_update( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *input, ++ size_t input_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_MAC_UPDATE_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(input), .len = input_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_mac_sign_finish( ++ struct service_client *context, ++ uint32_t op_handle, ++ uint8_t *mac, ++ size_t mac_size, ++ size_t *mac_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_MAC_SIGN_FINISH_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ { .base = psa_ptr_to_u32(mac), .len = mac_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *mac_length = out_vec[1].len; ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_mac_verify_finish( ++ struct service_client *context, ++ uint32_t op_handle, ++ const uint8_t *mac, ++ size_t mac_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_MAC_VERIFY_FINISH_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(mac), .len = mac_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline psa_status_t crypto_caller_mac_abort( ++ struct service_client *context, ++ uint32_t op_handle) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_MAC_ABORT_SID, ++ .op_handle = op_handle, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ return status; ++} ++ ++static inline size_t crypto_caller_mac_max_update_size(const struct service_client *context) ++{ ++ /* Returns the maximum number of bytes that may be ++ * carried as a parameter of the mac_update operation ++ * using the packed-c encoding. ++ */ ++ size_t payload_space = context->service_info.max_payload; ++ size_t overhead = iov_size; ++ ++ return (payload_space > overhead) ? payload_space - overhead : 0; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_MAC_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h +new file mode 100644 +index 0000000..a3a796e +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_purge_key.h +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PACKEDC_CRYPTO_CALLER_PURGE_KEY_H ++#define PACKEDC_CRYPTO_CALLER_PURGE_KEY_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_purge_key(struct service_client *context, ++ psa_key_id_t id) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_PURGE_KEY_SID, ++ .key_id = id, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PACKEDC_CRYPTO_CALLER_PURGE_KEY_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h +new file mode 100644 +index 0000000..71d88ce +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h +@@ -0,0 +1,64 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H ++#define PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_sign_hash(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, ++ size_t hash_length, ++ uint8_t *signature, ++ size_t signature_size, ++ size_t *signature_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_SIGN_HASH_SID, ++ .key_id = id, ++ .alg = alg, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = iov_size }, ++ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, ++ }; ++ struct psa_outvec out_vec[] = { ++ { .base = psa_ptr_to_u32(signature), .len = signature_size }, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec)); ++ ++ *signature_length = out_vec[0].len; ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_SIGN_HASH_H */ +diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h +new file mode 100644 +index 0000000..e16f6e5 +--- /dev/null ++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h +@@ -0,0 +1,59 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H ++#define PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "crypto_caller_key_attributes.h" ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++static inline psa_status_t crypto_caller_verify_hash(struct service_client *context, ++ psa_key_id_t id, ++ psa_algorithm_t alg, ++ const uint8_t *hash, ++ size_t hash_length, ++ const uint8_t *signature, ++ size_t signature_length) ++{ ++ struct service_client *ipc = context; ++ struct rpc_caller *caller = ipc->caller; ++ psa_status_t status; ++ struct psa_ipc_crypto_pack_iovec iov = { ++ .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID, ++ .key_id = id, ++ .alg = alg, ++ }; ++ struct psa_invec in_vec[] = { ++ { .base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec) }, ++ { .base = psa_ptr_const_to_u32(hash), .len = hash_length }, ++ { .base = psa_ptr_const_to_u32(signature), .len = signature_length}, ++ }; ++ ++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec, ++ IOVEC_LEN(in_vec), NULL, 0); ++ ++ return status; ++} ++ ++#ifdef __cplusplus ++} ++#endif ++ ++#endif /* PSA_IPC_CRYPTO_CALLER_VERIFY_HASH_H */ +diff --git a/components/service/crypto/include/psa/crypto_client_struct.h b/components/service/crypto/include/psa/crypto_client_struct.h +index abd420c..bf95c98 100644 +--- a/components/service/crypto/include/psa/crypto_client_struct.h ++++ b/components/service/crypto/include/psa/crypto_client_struct.h +@@ -31,12 +31,12 @@ extern "C" { + * data structure internally. */ + struct psa_client_key_attributes_s + { ++ uint16_t type; ++ uint16_t bits; + uint32_t lifetime; +- uint32_t id; +- uint32_t alg; ++ psa_key_id_t id; + uint32_t usage; +- size_t bits; +- uint16_t type; ++ uint32_t alg; + }; + + #define PSA_CLIENT_KEY_ATTRIBUTES_INIT {0, 0, 0, 0, 0, 0} +diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h +index 7a0149b..4d7bf6e 100644 +--- a/components/service/crypto/include/psa/crypto_sizes.h ++++ b/components/service/crypto/include/psa/crypto_sizes.h +@@ -81,7 +81,7 @@ + #define PSA_HASH_MAX_SIZE 64 + #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128 + #else +-#define PSA_HASH_MAX_SIZE 32 ++#define PSA_HASH_MAX_SIZE 64 + #define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64 + #endif + +diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt +index af2225e..2190428 100644 +--- a/deployments/se-proxy/opteesp/CMakeLists.txt ++++ b/deployments/se-proxy/opteesp/CMakeLists.txt +@@ -85,7 +85,7 @@ add_components(TARGET "se-proxy" + "components/rpc/dummy" + "components/rpc/common/caller" + "components/service/attestation/key_mngr/stub" +- "components/service/crypto/backend/stub" ++ "components/service/crypto/backend/psa_ipc" + "components/service/crypto/client/psa" + "components/service/secure_storage/backend/mock_store" + ) +diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c +index 1110ac4..7edeef8 100644 +--- a/deployments/se-proxy/opteesp/service_proxy_factory.c ++++ b/deployments/se-proxy/opteesp/service_proxy_factory.c +@@ -15,7 +15,7 @@ + #include + + /* Stub backends */ +-#include ++#include + #include + #include + +@@ -47,12 +47,17 @@ struct rpc_interface *crypto_proxy_create(void) + { + struct rpc_interface *crypto_iface = NULL; + struct crypto_provider *crypto_provider; ++ struct rpc_caller *crypto_caller; + +- if (stub_crypto_backend_init() == PSA_SUCCESS) { ++ crypto_caller = openamp_caller_init(&openamp); ++ if (!crypto_caller) ++ return NULL; ++ ++ if (crypto_ipc_backend_init(&openamp.rpc_caller) != PSA_SUCCESS) ++ return NULL; + +- crypto_provider = crypto_provider_factory_create(); +- crypto_iface = service_provider_get_rpc_interface(&crypto_provider->base_provider); +- } ++ crypto_provider = crypto_provider_factory_create(); ++ crypto_iface = service_provider_get_rpc_interface(&crypto_provider->base_provider); + + return crypto_iface; + } +diff --git a/platform/providers/arm/corstone1000/platform.cmake b/platform/providers/arm/corstone1000/platform.cmake +index bb778bb..51e5faa 100644 +--- a/platform/providers/arm/corstone1000/platform.cmake ++++ b/platform/providers/arm/corstone1000/platform.cmake +@@ -8,3 +8,5 @@ + + # include MHU driver + include(${TS_ROOT}/platform/drivers/arm/mhu_driver/component.cmake) ++ ++add_compile_definitions(MBEDTLS_ECP_DP_SECP521R1_ENABLED) +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 7134143..5be9be7 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -33,6 +33,7 @@ SRC_URI:append = " \ file://0020-Use-address-instead-of-pointers.patch \ file://0021-Add-psa-ipc-attestation-to-se-proxy.patch \ file://0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch \ + file://0023-add-psa-ipc-crypto-backend.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto" From patchwork Tue Dec 14 11:07:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1478 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74715C433EF for ; Tue, 14 Dec 2021 11:07:50 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web11.24270.1639480069880306278 for ; Tue, 14 Dec 2021 03:07:50 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 838F66D; Tue, 14 Dec 2021 03:07:49 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 58E493F5A1; Tue, 14 Dec 2021 03:07:48 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Emekcan Aras Subject: [PATCH 6/9] arm-bsp/trusted-firmware-m: corstone1000: Aligning with TF-M master Date: Tue, 14 Dec 2021 11:07:28 +0000 Message-Id: <20211214110731.9081-7-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:50 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2684 From: Emekcan Aras Setting the last master branch SHA for openamp changes. Change-Id: I58bc0a1adb7754af901fc1734ffeb92aad191fe5 Signed-off-by: Emekcan Aras --- .../trusted-firmware-m/trusted-firmware-m-corstone1000.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc index c418877..3799907 100644 --- a/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc +++ b/meta-arm-bsp/recipes-bsp/trusted-firmware-m/trusted-firmware-m-corstone1000.inc @@ -9,7 +9,7 @@ TFM_PLATFORM_IS_FVP ?= "FALSE" EXTRA_OECMAKE += "-DPLATFORM_IS_FVP=${TFM_PLATFORM_IS_FVP}" SRCBRANCH_tfm = "master" -SRCREV_tfm = "dc605e057470bb0eb0e92c2aafb443300a90c43f" +SRCREV_tfm = "dc2ab10fa12b5ac01d4ff1aa9ebc3779507c7cf0" SRCREV_mcuboot = "29099e1d17f93ae1d09fe945ad191b703aacd3d8" PV = "1.5+git${SRCREV_tfm}" From patchwork Tue Dec 14 11:07:29 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1479 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79AF8C433EF for ; Tue, 14 Dec 2021 11:07:52 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web12.24665.1639480071249156512 for ; Tue, 14 Dec 2021 03:07:51 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id E4AA26D; Tue, 14 Dec 2021 03:07:50 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id CAE363F5A1; Tue, 14 Dec 2021 03:07:49 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Emekcan Aras , Emekcan Aras Subject: [PATCH 7/9] arm-bsp/psa-arch-tests: corstone1000: configuring crypto and attestation test Date: Tue, 14 Dec 2021 11:07:29 +0000 Message-Id: <20211214110731.9081-8-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:52 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2685 From: Emekcan Aras This commit configures crypto and attestation tests for Corstone1000 platform. It also fixes CMake issues on the current trusted-service CMake source files to enable this configuration. Change-Id: I334d661c1bc349e03f92611d6010360c08e6cc89 Signed-off-by: Emekcan Aras --- .../psa-arch-tests-corstone1000.inc | 4 +- ...rch-test-Fixing-psa-arch-tests-cmake.patch | 49 ++++ ...0003-corstone1000-port-crypto-config.patch | 237 ++++++++++++++++++ 3 files changed, 289 insertions(+), 1 deletion(-) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0002-arm-bsp-psa-arch-test-Fixing-psa-arch-tests-cmake.patch create mode 100644 meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0003-corstone1000-port-crypto-config.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests-corstone1000.inc index f1aea12..da619d4 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests-corstone1000.inc @@ -9,6 +9,8 @@ COMPATIBLE_MACHINE = "corstone1000" SRC_URI:append = "\ file://0001-psa-arch-test-sysroot_compiler_flags_fix.patch \ + file://0002-arm-bsp-psa-arch-test-Fixing-psa-arch-tests-cmake.patch \ + file://0003-corstone1000-port-crypto-config.patch;patchdir=../psa-arch-tests \ " FILES:${PN} += "${libdir}/libts.so* ${libdir}/deployments ${bindir}/psa-*" @@ -40,4 +42,4 @@ do_install() { psafile_filename="`basename -s .bin ${psafile_fullpath}`" install -D -p -m 0755 ${psafile_fullpath} ${D}/${bindir}/${psafile_filename} done -} \ No newline at end of file +} diff --git a/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0002-arm-bsp-psa-arch-test-Fixing-psa-arch-tests-cmake.patch b/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0002-arm-bsp-psa-arch-test-Fixing-psa-arch-tests-cmake.patch new file mode 100644 index 0000000..24b48e4 --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0002-arm-bsp-psa-arch-test-Fixing-psa-arch-tests-cmake.patch @@ -0,0 +1,49 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From 4a1f2fd2c3c3f8e00364d3b1a8c76a61e41a483f Mon Sep 17 00:00:00 2001 +From: Emekcan Aras +Date: Sat, 11 Dec 2021 09:32:44 +0000 +Subject: [PATCH] arm-bsp/psa-arch-test: Fixing psa-arch-tests cmake + +Signed-off-by: Emekcan Aras +--- + external/psa_arch_tests/psa_arch_tests.cmake | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake +index af00cfc..e4b4f6b 100644 +--- a/external/psa_arch_tests/psa_arch_tests.cmake ++++ b/external/psa_arch_tests/psa_arch_tests.cmake +@@ -25,15 +25,13 @@ find_program(GIT_COMMAND "git") + if (NOT GIT_COMMAND) + message(FATAL_ERROR "Please install git") + endif() +- ++if ("${PSA_ARCH_TESTS_PATH}" STREQUAL "DOWNLOAD") + # Fetching psa-arch-tests + FetchContent_Declare( + psa-arch-tests + GIT_REPOSITORY ${PSA_ARCH_TESTS_URL} + GIT_TAG ${PSA_ARCH_TESTS_REFSPEC} + GIT_SHALLOW TRUE +- PATCH_COMMAND git stash +- COMMAND git apply ${CMAKE_CURRENT_LIST_DIR}/modify_attest_config.patch + ) + + # FetchContent_GetProperties exports psa-arch-tests_SOURCE_DIR and psa-arch-tests_BINARY_DIR variables +@@ -42,7 +40,10 @@ if(NOT psa-arch-tests_POPULATED) + message(STATUS "Fetching psa-arch-tests") + FetchContent_Populate(psa-arch-tests) + endif() +- ++else() ++ set(psa-arch-tests_SOURCE_DIR "${TS_ROOT}/../psa-arch-tests") ++ set(psa-arch-tests_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}") ++endif() + # Ensure list of include paths is separated correctly + string(REPLACE ";" "\\;" PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS "${PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS}") + +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0003-corstone1000-port-crypto-config.patch b/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0003-corstone1000-port-crypto-config.patch new file mode 100644 index 0000000..1d7b8ae --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/psa-arch-tests/corstone1000/0003-corstone1000-port-crypto-config.patch @@ -0,0 +1,237 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +From f86f5b42d853d2a65f6753362361bbb95aac1800 Mon Sep 17 00:00:00 2001 +From: Satish Kumar +Date: Sat, 11 Dec 2021 11:06:57 +0000 +Subject: [PATCH] corstone1000: port crypto config + +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Emekcan Aras + +Signed-off-by: Satish Kumar + +%% original patch: 0003-corstone1000-port-crypto-config.patch +--- + .../nspe/pal_crypto_config.h | 83 +++++++++++++++---- + 1 file changed, 66 insertions(+), 17 deletions(-) + +diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h +index 844cd2e..c936bdd 100755 +--- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h ++++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h +@@ -1,5 +1,5 @@ + /** @file +- * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved. ++ * Copyright (c) 2019-2020, Arm Limited or its affiliates. All rights reserved. + * SPDX-License-Identifier : Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); +@@ -34,10 +34,14 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_RSA + #define ARCH_TEST_RSA_1024 + #define ARCH_TEST_RSA_2048 + #define ARCH_TEST_RSA_3072 ++#endif ++#endif + + /** + * \def ARCH_TEST_ECC +@@ -50,11 +54,17 @@ + * Requires: ARCH_TEST_ECC + * Comment macros to disable the curve + */ ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_ECC + #define ARCH_TEST_ECC_CURVE_SECP192R1 ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_ECC_CURVE_SECP224R1 ++#endif + #define ARCH_TEST_ECC_CURVE_SECP256R1 ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_ECC_CURVE_SECP384R1 ++#endif ++#endif + + /** + * \def ARCH_TEST_AES +@@ -78,10 +88,10 @@ + * + * Comment macros to disable the types + */ +-#define ARCH_TEST_DES +-#define ARCH_TEST_DES_1KEY +-#define ARCH_TEST_DES_2KEY +-#define ARCH_TEST_DES_3KEY ++//#define ARCH_TEST_DES ++//#define ARCH_TEST_DES_1KEY ++//#define ARCH_TEST_DES_2KEY ++//#define ARCH_TEST_DES_3KEY + + /** + * \def ARCH_TEST_RAW +@@ -104,7 +114,7 @@ + * + * Enable the ARC4 key type. + */ +-#define ARCH_TEST_ARC4 ++//#define ARCH_TEST_ARC4 + + /** + * \def ARCH_TEST_CIPHER_MODE_CTR +@@ -113,7 +123,11 @@ + * + * Requires: ARCH_TEST_CIPHER + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CIPHER_MODE_CTR ++#endif ++#endif + + /** + * \def ARCH_TEST_CIPHER_MODE_CFB +@@ -138,7 +152,11 @@ + * + * Requires: ARCH_TEST_CIPHER, ARCH_TEST_AES, ARCH_TEST_CIPHER_MODE_CTR + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CTR_AES ++#endif ++#endif + + /** + * \def ARCH_TEST_CBC_AES +@@ -157,7 +175,11 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CBC_NO_PADDING ++#endif ++#endif + + /** + * \def ARCH_TEST_CFB_AES +@@ -177,11 +199,15 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_PKCS1V15 + #define ARCH_TEST_RSA_PKCS1V15_SIGN + #define ARCH_TEST_RSA_PKCS1V15_SIGN_RAW + #define ARCH_TEST_RSA_PKCS1V15_CRYPT + #define ARCH_TEST_RSA_OAEP ++#endif ++#endif + + /** + * \def ARCH_TEST_CBC_PKCS7 +@@ -190,7 +216,11 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CBC_PKCS7 ++#endif ++#endif + + /** + * \def ARCH_TEST_ASYMMETRIC_ENCRYPTION +@@ -227,21 +257,27 @@ + * + * Comment macros to disable the types + */ +-// #define ARCH_TEST_MD2 +-// #define ARCH_TEST_MD4 +-#define ARCH_TEST_MD5 +-#define ARCH_TEST_RIPEMD160 +-#define ARCH_TEST_SHA1 ++//#define ARCH_TEST_MD2 ++//#define ARCH_TEST_MD4 ++//#define ARCH_TEST_MD5 ++//#define ARCH_TEST_RIPEMD160 ++//#define ARCH_TEST_SHA1 ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_SHA224 ++#endif + #define ARCH_TEST_SHA256 ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_SHA384 + #define ARCH_TEST_SHA512 +-// #define ARCH_TEST_SHA512_224 +-// #define ARCH_TEST_SHA512_256 +-// #define ARCH_TEST_SHA3_224 +-// #define ARCH_TEST_SHA3_256 +-// #define ARCH_TEST_SHA3_384 +-// #define ARCH_TEST_SHA3_512 ++#endif ++#endif ++//#define ARCH_TEST_SHA512_224 ++//#define ARCH_TEST_SHA512_256 ++//#define ARCH_TEST_SHA3_224 ++//#define ARCH_TEST_SHA3_256 ++//#define ARCH_TEST_SHA3_384 ++//#define ARCH_TEST_SHA3_512 + + /** + * \def ARCH_TEST_HKDF +@@ -261,7 +297,12 @@ + * + * Comment macros to disable the types + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_CMAC ++#endif ++#endif ++//#define ARCH_TEST_GMAC + #define ARCH_TEST_HMAC + + /** +@@ -281,7 +322,11 @@ + * Requires: ARCH_TEST_AES + * + */ ++#ifndef TF_M_PROFILE_SMALL ++#ifndef TF_M_PROFILE_MEDIUM + #define ARCH_TEST_GCM ++#endif ++#endif + + /** + * \def ARCH_TEST_TRUNCATED_MAC +@@ -300,7 +345,9 @@ + * + * Requires: ARCH_TEST_ECC + */ ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_ECDH ++#endif + + /** + * \def ARCH_TEST_ECDSA +@@ -308,7 +355,9 @@ + * Enable the elliptic curve DSA library. + * Requires: ARCH_TEST_ECC + */ ++#ifndef TF_M_PROFILE_SMALL + #define ARCH_TEST_ECDSA ++#endif + + /** + * \def ARCH_TEST_DETERMINISTIC_ECDSA +-- +2.25.1 + From patchwork Tue Dec 14 11:07:30 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1481 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 730B0C433F5 for ; Tue, 14 Dec 2021 11:07:53 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web10.24311.1639480072642925690 for ; Tue, 14 Dec 2021 03:07:52 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 4138E106F; Tue, 14 Dec 2021 03:07:52 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 379A13F5A1; Tue, 14 Dec 2021 03:07:51 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Gowtham Suresh Kumar Subject: [PATCH 8/9] arm-bsp/secure-partitions: corstone1000: Increase SMM Gateway variable handling capacity Date: Tue, 14 Dec 2021 11:07:30 +0000 Message-Id: <20211214110731.9081-9-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:53 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2686 From: Gowtham Suresh Kumar The maximum number of UEFI variables that can be supported by SMM gateway is currently 40. When more than 40 variables are written, or read SMM gateway returns error code. Currently this value is increased to 100 to support more UEFI variables. Change-Id: I3ebef8052fd01c5b1c19cdfe71ab3c02447a005b Signed-off-by: Gowtham Suresh Kumar --- ...MM-gateway-UEFI-variable-macro-value.patch | 35 +++++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0024-Increase-SMM-gateway-UEFI-variable-macro-value.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0024-Increase-SMM-gateway-UEFI-variable-macro-value.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0024-Increase-SMM-gateway-UEFI-variable-macro-value.patch new file mode 100644 index 0000000..00f80ef --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0024-Increase-SMM-gateway-UEFI-variable-macro-value.patch @@ -0,0 +1,35 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Gowtham Suresh Kumar + +From 9b9261f73f93a5ac7ad823da376858b56560a08b Mon Sep 17 00:00:00 2001 +From: Gowtham Suresh Kumar +Date: Sun, 12 Dec 2021 17:07:03 +0000 +Subject: [PATCH] Increase SMM gateway UEFI variable macro value + +The maximum number of UEFI variables that be supported by SMM +gateway is currently 40. When more than 40 variables are written, +or read SMM gateway returns error code. Currently this value is +increased to 100 to support more UEFI variables. + +Signed-off-by: Gowtham Suresh Kumar +--- + deployments/smm-gateway/smm_gateway.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/deployments/smm-gateway/smm_gateway.c b/deployments/smm-gateway/smm_gateway.c +index 7828b3a..7e6729e 100644 +--- a/deployments/smm-gateway/smm_gateway.c ++++ b/deployments/smm-gateway/smm_gateway.c +@@ -20,6 +20,9 @@ + #define SMM_GATEWAY_NV_STORE_SN "sn:ffa:751bf801-3dde-4768-a514-0f10aeed1790:0" + #endif + ++/* Maximum number of UEFI variables set to 100 */ ++#define SMM_GATEWAY_MAX_UEFI_VARIABLES (100) ++ + /* Default maximum number of UEFI variables */ + #ifndef SMM_GATEWAY_MAX_UEFI_VARIABLES + #define SMM_GATEWAY_MAX_UEFI_VARIABLES (40) +-- +2.17.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 5be9be7..5afb131 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -34,6 +34,7 @@ SRC_URI:append = " \ file://0021-Add-psa-ipc-attestation-to-se-proxy.patch \ file://0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch \ file://0023-add-psa-ipc-crypto-backend.patch \ + file://0024-Increase-SMM-gateway-UEFI-variable-macro-value.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto" From patchwork Tue Dec 14 11:07:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Abdellatif El Khlifi X-Patchwork-Id: 1482 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8C469C433EF for ; Tue, 14 Dec 2021 11:07:55 +0000 (UTC) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by mx.groups.io with SMTP id smtpd.web12.24666.1639480074372211103 for ; Tue, 14 Dec 2021 03:07:54 -0800 Authentication-Results: mx.groups.io; dkim=missing; spf=pass (domain: arm.com, ip: 217.140.110.172, mailfrom: abdellatif.elkhlifi@arm.com) Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id B30B06D; Tue, 14 Dec 2021 03:07:53 -0800 (PST) Received: from e121910.arm.com (unknown [10.57.34.32]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 9128C3F5A1; Tue, 14 Dec 2021 03:07:52 -0800 (PST) From: abdellatif.elkhlifi@arm.com To: meta-arm@lists.yoctoproject.org, Ross.Burton@arm.com Cc: nd@arm.com, Vishnu Banavath Subject: [PATCH 9/9] arm-bsp/secure-partitions: add capsule update interface to SE proxy SP Date: Tue, 14 Dec 2021 11:07:31 +0000 Message-Id: <20211214110731.9081-10-abdellatif.elkhlifi@arm.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> References: <20211214110731.9081-1-abdellatif.elkhlifi@arm.com> List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Dec 2021 11:07:55 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/meta-arm/message/2687 From: Vishnu Banavath This change is to add capsule update interface to SE proxy SP. This interface sends following events to secure enclave * firmware update request - SE will read the capsule and will flash the image to flash to previous active bank * kernel boot event - SE will delete timer on reciption of this event and marks all the images as accepted if in trial state Change-Id: I7cf9b729128d1e07e891253661fcd891191e8024 Signed-off-by: Vishnu Banavath --- ...ub-capsule-update-service-components.patch | 416 ++++++++++++++++++ .../trusted-services/ts-corstone1000.inc | 1 + 2 files changed, 417 insertions(+) create mode 100644 meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0025-Add-stub-capsule-update-service-components.patch diff --git a/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0025-Add-stub-capsule-update-service-components.patch b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0025-Add-stub-capsule-update-service-components.patch new file mode 100644 index 0000000..949729c --- /dev/null +++ b/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/0025-Add-stub-capsule-update-service-components.patch @@ -0,0 +1,416 @@ +Upstream-Status: Pending [Not submitted to upstream yet] +Signed-off-by: Vishnu Banavath + +From 57d310a83190705d63bf77f29dd0d15956ec28b1 Mon Sep 17 00:00:00 2001 +From: Julian Hall +Date: Tue, 12 Oct 2021 15:45:41 +0100 +Subject: [PATCH] Add stub capsule update service components + +To facilitate development of a capsule update service provider, +stub components are added to provide a starting point for an +implementation. The capsule update service provider is integrated +into the se-proxy/opteesp deployment. + +Signed-off-by: Vishnu Banavath +Signed-off-by: Julian Hall +Change-Id: I0d4049bb4de5af7ca80806403301692507085d28 + +diff --git a/components/service/capsule_update/backend/capsule_update_backend.h b/components/service/capsule_update/backend/capsule_update_backend.h +new file mode 100644 +index 0000000..f3144ff +--- /dev/null ++++ b/components/service/capsule_update/backend/capsule_update_backend.h +@@ -0,0 +1,24 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_BACKEND_H ++#define CAPSULE_UPDATE_BACKEND_H ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/** ++ * Defines the common capsule update backend interface. Concrete backends ++ * implement this interface for different types of platform. ++ */ ++ ++ ++#ifdef __cplusplus ++} /* extern "C" */ ++#endif ++ ++#endif /* CAPSULE_UPDATE_BACKEND_H */ +diff --git a/components/service/capsule_update/provider/capsule_update_provider.c b/components/service/capsule_update/provider/capsule_update_provider.c +new file mode 100644 +index 0000000..9bbd7ab +--- /dev/null ++++ b/components/service/capsule_update/provider/capsule_update_provider.c +@@ -0,0 +1,133 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include "capsule_update_provider.h" ++ ++ ++#define CAPSULE_UPDATE_REQUEST (0x1) ++#define KERNEL_STARTED_EVENT (0x2) ++ ++enum corstone1000_ioctl_id_t { ++ IOCTL_CORSTONE1000_FWU_FLASH_IMAGES = 0, ++ IOCTL_CORSTONE1000_FWU_HOST_ACK, ++}; ++ ++/* Service request handlers */ ++static rpc_status_t update_capsule_handler(void *context, struct call_req *req); ++static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req); ++ ++/* Handler mapping table for service */ ++static const struct service_handler handler_table[] = { ++ {CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE, update_capsule_handler}, ++ {CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED, boot_confirmed_handler} ++}; ++ ++struct rpc_interface *capsule_update_provider_init( ++ struct capsule_update_provider *context) ++{ ++ struct rpc_interface *rpc_interface = NULL; ++ ++ if (context) { ++ ++ service_provider_init( ++ &context->base_provider, ++ context, ++ handler_table, ++ sizeof(handler_table)/sizeof(struct service_handler)); ++ ++ rpc_interface = service_provider_get_rpc_interface(&context->base_provider); ++ } ++ ++ return rpc_interface; ++} ++ ++void capsule_update_provider_deinit(struct capsule_update_provider *context) ++{ ++ (void)context; ++} ++ ++static rpc_status_t event_handler(uint32_t opcode, struct rpc_caller *caller) ++{ ++ uint32_t ioctl_id; ++ psa_handle_t handle; ++ rpc_status_t rpc_status = TS_RPC_CALL_ACCEPTED; ++ ++ struct psa_invec in_vec[] = { ++ { .base = &ioctl_id, .len = sizeof(ioctl_id) } ++ }; ++ ++ if(!caller) { ++ EMSG("event_handler rpc_caller is NULL"); ++ rpc_status = TS_RPC_ERROR_RESOURCE_FAILURE; ++ return rpc_status; ++ } ++ ++ MSG("event handler opcode %x", opcode); ++ switch(opcode) { ++ case CAPSULE_UPDATE_REQUEST: ++ /* Openamp call with IOCTL for firmware update*/ ++ ioctl_id = IOCTL_CORSTONE1000_FWU_FLASH_IMAGES; ++ handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, ++ TFM_SP_PLATFORM_IOCTL_VERSION); ++ if (handle <= 0) { ++ EMSG("%s Invalid handle", __func__); ++ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ return rpc_status; ++ } ++ psa_call(caller,handle, PSA_IPC_CALL, ++ in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ break; ++ ++ case KERNEL_STARTED_EVENT: ++ ioctl_id = IOCTL_CORSTONE1000_FWU_HOST_ACK; ++ /*openamp call with IOCTL for kernel start*/ ++ handle = psa_connect(caller, TFM_SP_PLATFORM_IOCTL_SID, ++ TFM_SP_PLATFORM_IOCTL_VERSION); ++ if (handle <= 0) { ++ EMSG("%s Invalid handle", __func__); ++ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ return rpc_status; ++ } ++ psa_call(caller,handle, PSA_IPC_CALL, ++ in_vec,IOVEC_LEN(in_vec), NULL, 0); ++ break; ++ default: ++ EMSG("%s unsupported opcode", __func__); ++ rpc_status = TS_RPC_ERROR_INVALID_PARAMETER; ++ return rpc_status; ++ } ++ return rpc_status; ++ ++} ++ ++static rpc_status_t update_capsule_handler(void *context, struct call_req *req) ++{ ++ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; ++ struct rpc_caller *caller = this_instance->client.caller; ++ uint32_t opcode = req->opcode; ++ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; ++ ++ rpc_status = event_handler(opcode, caller); ++ return rpc_status; ++} ++ ++static rpc_status_t boot_confirmed_handler(void *context, struct call_req *req) ++{ ++ struct capsule_update_provider *this_instance = (struct capsule_update_provider*)context; ++ struct rpc_caller *caller = this_instance->client.caller; ++ uint32_t opcode = req->opcode; ++ rpc_status_t rpc_status = TS_RPC_ERROR_NOT_READY; ++ ++ rpc_status = event_handler(opcode, caller); ++ ++ return rpc_status; ++} +diff --git a/components/service/capsule_update/provider/capsule_update_provider.h b/components/service/capsule_update/provider/capsule_update_provider.h +new file mode 100644 +index 0000000..3de4985 +--- /dev/null ++++ b/components/service/capsule_update/provider/capsule_update_provider.h +@@ -0,0 +1,51 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_PROVIDER_H ++#define CAPSULE_UPDATE_PROVIDER_H ++ ++#include ++#include ++#include ++#include ++ ++#ifdef __cplusplus ++extern "C" { ++#endif ++ ++/** ++ * The capsule_update_provider is a service provider that accepts update capsule ++ * requests and delegates them to a suitable backend that applies the update. ++ */ ++struct capsule_update_provider ++{ ++ struct service_provider base_provider; ++ struct service_client client; ++}; ++ ++/** ++ * \brief Initialize an instance of the capsule update service provider ++ * ++ * @param[in] context The instance to initialize ++ * ++ * \return An rpc_interface or NULL on failure ++ */ ++struct rpc_interface *capsule_update_provider_init( ++ struct capsule_update_provider *context); ++ ++/** ++ * \brief Cleans up when the instance is no longer needed ++ * ++ * \param[in] context The instance to de-initialize ++ */ ++void capsule_update_provider_deinit( ++ struct capsule_update_provider *context); ++ ++#ifdef __cplusplus ++} /* extern "C" */ ++#endif ++ ++#endif /* CAPSULE_UPDATE_PROVIDER_H */ +diff --git a/components/service/capsule_update/provider/component.cmake b/components/service/capsule_update/provider/component.cmake +new file mode 100644 +index 0000000..1d412eb +--- /dev/null ++++ b/components/service/capsule_update/provider/component.cmake +@@ -0,0 +1,13 @@ ++#------------------------------------------------------------------------------- ++# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++# ++# SPDX-License-Identifier: BSD-3-Clause ++# ++#------------------------------------------------------------------------------- ++if (NOT DEFINED TGT) ++ message(FATAL_ERROR "mandatory parameter TGT is not defined.") ++endif() ++ ++target_sources(${TGT} PRIVATE ++ "${CMAKE_CURRENT_LIST_DIR}/capsule_update_provider.c" ++ ) +diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt +index 2190428..953bb71 100644 +--- a/deployments/se-proxy/opteesp/CMakeLists.txt ++++ b/deployments/se-proxy/opteesp/CMakeLists.txt +@@ -80,6 +80,7 @@ add_components(TARGET "se-proxy" + "components/service/attestation/reporter/psa_ipc" + "components/service/attestation/client/psa_ipc" + "components/rpc/openamp/caller/sp" ++ "components/service/capsule_update/provider" + + # Stub service provider backends + "components/rpc/dummy" +diff --git a/deployments/se-proxy/opteesp/se_proxy_sp.c b/deployments/se-proxy/opteesp/se_proxy_sp.c +index ef90d9e..11b014b 100644 +--- a/deployments/se-proxy/opteesp/se_proxy_sp.c ++++ b/deployments/se-proxy/opteesp/se_proxy_sp.c +@@ -48,6 +48,9 @@ void __noreturn sp_main(struct ffa_init_info *init_info) + rpc_iface = attest_proxy_create(); + rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_ATTEST, rpc_iface); + ++ rpc_iface = capsule_update_proxy_create(); ++ rpc_demux_attach(&rpc_demux, SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE, rpc_iface); ++ + /* End of boot phase */ + sp_msg_wait(&req_msg); + +diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.c b/deployments/se-proxy/opteesp/service_proxy_factory.c +index 7edeef8..591cc9e 100644 +--- a/deployments/se-proxy/opteesp/service_proxy_factory.c ++++ b/deployments/se-proxy/opteesp/service_proxy_factory.c +@@ -13,6 +13,7 @@ + #include + #include + #include ++#include + + /* Stub backends */ + #include +@@ -93,3 +94,18 @@ struct rpc_interface *its_proxy_create(void) + + return secure_storage_provider_init(&its_provider, backend); + } ++ ++struct rpc_interface *capsule_update_proxy_create(void) ++{ ++ static struct capsule_update_provider capsule_update_provider; ++ static struct rpc_caller *capsule_update_caller; ++ ++ capsule_update_caller = openamp_caller_init(&openamp); ++ ++ if (!capsule_update_caller) ++ return NULL; ++ ++ capsule_update_provider.client.caller = capsule_update_caller; ++ ++ return capsule_update_provider_init(&capsule_update_provider); ++} +diff --git a/deployments/se-proxy/opteesp/service_proxy_factory.h b/deployments/se-proxy/opteesp/service_proxy_factory.h +index 298d407..02aa7fe 100644 +--- a/deployments/se-proxy/opteesp/service_proxy_factory.h ++++ b/deployments/se-proxy/opteesp/service_proxy_factory.h +@@ -17,6 +17,7 @@ struct rpc_interface *attest_proxy_create(void); + struct rpc_interface *crypto_proxy_create(void); + struct rpc_interface *ps_proxy_create(void); + struct rpc_interface *its_proxy_create(void); ++struct rpc_interface *capsule_update_proxy_create(void); + + #ifdef __cplusplus + } +diff --git a/deployments/se-proxy/se_proxy_interfaces.h b/deployments/se-proxy/se_proxy_interfaces.h +index 48908f8..3d4a7c2 100644 +--- a/deployments/se-proxy/se_proxy_interfaces.h ++++ b/deployments/se-proxy/se_proxy_interfaces.h +@@ -8,9 +8,10 @@ + #define SE_PROXY_INTERFACES_H + + /* Interface IDs from service endpoints available from an se-proxy deployment */ +-#define SE_PROXY_INTERFACE_ID_ITS (0) +-#define SE_PROXY_INTERFACE_ID_PS (1) +-#define SE_PROXY_INTERFACE_ID_CRYPTO (2) +-#define SE_PROXY_INTERFACE_ID_ATTEST (3) ++#define SE_PROXY_INTERFACE_ID_ITS (0) ++#define SE_PROXY_INTERFACE_ID_PS (1) ++#define SE_PROXY_INTERFACE_ID_CRYPTO (2) ++#define SE_PROXY_INTERFACE_ID_ATTEST (3) ++#define SE_PROXY_INTERFACE_ID_CAPSULE_UPDATE (4) + + #endif /* SE_PROXY_INTERFACES_H */ +diff --git a/protocols/service/capsule_update/capsule_update_proto.h b/protocols/service/capsule_update/capsule_update_proto.h +new file mode 100644 +index 0000000..8f326cd +--- /dev/null ++++ b/protocols/service/capsule_update/capsule_update_proto.h +@@ -0,0 +1,13 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_PROTO_H ++#define CAPSULE_UPDATE_PROTO_H ++ ++#include ++#include ++ ++#endif /* CAPSULE_UPDATE_PROTO_H */ +diff --git a/protocols/service/capsule_update/opcodes.h b/protocols/service/capsule_update/opcodes.h +new file mode 100644 +index 0000000..8185a09 +--- /dev/null ++++ b/protocols/service/capsule_update/opcodes.h +@@ -0,0 +1,17 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_OPCODES_H ++#define CAPSULE_UPDATE_OPCODES_H ++ ++/** ++ * Opcode definitions for the capsule update service ++ */ ++ ++#define CAPSULE_UPDATE_OPCODE_UPDATE_CAPSULE 1 ++#define CAPSULE_UPDATE_OPCODE_BOOT_CONFIRMED 2 ++ ++#endif /* CAPSULE_UPDATE_OPCODES_H */ +diff --git a/protocols/service/capsule_update/parameters.h b/protocols/service/capsule_update/parameters.h +new file mode 100644 +index 0000000..285d924 +--- /dev/null ++++ b/protocols/service/capsule_update/parameters.h +@@ -0,0 +1,15 @@ ++/* ++ * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved. ++ * ++ * SPDX-License-Identifier: BSD-3-Clause ++ */ ++ ++#ifndef CAPSULE_UPDATE_PARAMETERS_H ++#define CAPSULE_UPDATE_PARAMETERS_H ++ ++/** ++ * Operation parameter definitions for the capsule update service access protocol. ++ */ ++ ++ ++#endif /* CAPSULE_UPDATE_PARAMETERS_H */ +-- +2.25.1 + diff --git a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc index 5afb131..bb34f54 100644 --- a/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc +++ b/meta-arm-bsp/recipes-security/trusted-services/ts-corstone1000.inc @@ -35,6 +35,7 @@ SRC_URI:append = " \ file://0022-Setup-its-backend-as-openamp-rpc-using-secure-storag.patch \ file://0023-add-psa-ipc-crypto-backend.patch \ file://0024-Increase-SMM-gateway-UEFI-variable-macro-value.patch \ + file://0025-Add-stub-capsule-update-service-components.patch \ " SRC_URI_MBED = "git://github.com/ARMmbed/mbed-crypto.git;protocol=https;branch=development;name=mbed;destsuffix=git/mbedcrypto"