author | Sandrine Bailleux <sandrine.bailleux@arm.com> | 2023-04-24 15:46:26 +0200 |
---|---|---|
committer | TrustedFirmware Code Review <review@review.trustedfirmware.org> | 2023-04-24 15:46:26 +0200 |
commit | 7c7e7b621add44fff5dbff9641eb25ecc50b24f9 (patch) | |
tree | ae3dee316427ce2a314ebd7c636976eb4332faee /include | |
parent | ac57cf2fb62ea066bfac3594eeaa19dde8598c09 (diff) | |
parent | dee99f10b1dcea09091f4a1d53185153802dfb64 (diff) | |
download | arm-trusted-firmware-7c7e7b621add44fff5dbff9641eb25ecc50b24f9.tar.gz |
Merge changes from topic "mb/trusted-boot-update" into integration
* changes:
refactor(auth)!: unify REGISTER_CRYPTO_LIB
refactor(auth): replace plat_convert_pk
docs(auth): add auth_decrypt in CM chapter
feat(auth): compare platform and certificate ROTPK for authentication
docs(auth): add 'calc_hash' function's details in CM
Diffstat (limited to 'include')
-rw-r--r-- | include/drivers/auth/crypto_mod.h | 57 | ||||
-rw-r--r-- | include/plat/common/platform.h | 9 |
2 files changed, 26 insertions, 40 deletions
diff --git a/include/drivers/auth/crypto_mod.h b/include/drivers/auth/crypto_mod.h index 3a23df4b7..00ea8c620 100644 --- a/include/drivers/auth/crypto_mod.h +++ b/include/drivers/auth/crypto_mod.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015-2022, Arm Limited and Contributors. All rights reserved. + * Copyright (c) 2015-2023, Arm Limited and Contributors. All rights reserved. * * SPDX-License-Identifier: BSD-3-Clause */ @@ -52,8 +52,6 @@ typedef struct crypto_lib_desc_s { /* Verify a digital signature. Return one of the * 'enum crypto_ret_value' options */ -#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ -CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC int (*verify_signature)(void *data_ptr, unsigned int data_len, void *sig_ptr, unsigned int sig_len, void *sig_alg, unsigned int sig_alg_len, @@ -62,17 +60,15 @@ CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC /* Verify a hash. Return one of the 'enum crypto_ret_value' options */ int (*verify_hash)(void *data_ptr, unsigned int data_len, void *digest_info_ptr, unsigned int digest_info_len); -#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ - CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ -#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ -CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC /* Calculate a hash. Return hash value */ int (*calc_hash)(enum crypto_md_algo md_alg, void *data_ptr, unsigned int data_len, unsigned char output[CRYPTO_MD_MAX_SIZE]); -#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ - CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ + + /* Convert Public key (optional) */ + int (*convert_pk)(void *full_pk_ptr, unsigned int full_pk_len, + void **hashed_pk_ptr, unsigned int *hashed_pk_len); /* * Authenticated decryption. Return one of the 
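Review bot: The new `convert_pk` member in `crypto_lib_desc_s` is documented only as `/* Convert Public key (optional) */`, which leaves its contract unstated on a path that feeds ROTPK comparison. The comment should say that the pointer may be NULL, what the return value means, and whether `*hashed_pk_ptr` points into the caller's key buffer or into storage owned by the library. A possible wording, to be confirmed against the implementation: `/* Convert a public key into the form compared with the platform ROTPK. Optional: may be NULL. Sets *hashed_pk_ptr and *hashed_pk_len on success. */`. The same applies to the `crypto_mod_convert_pk()` prototype added in the last hunk of this file, which has no comment at all. The struct definition starts and ends outside this hunk.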
@@ -94,16 +90,16 @@ static inline void crypto_mod_init(void) } #endif /* CRYPTO_SUPPORT */ -#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ -CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC +#if (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY) || \ + (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC) int crypto_mod_verify_signature(void *data_ptr, unsigned int data_len, void *sig_ptr, unsigned int sig_len, void *sig_alg_ptr, unsigned int sig_alg_len, void *pk_ptr, unsigned int pk_len); int crypto_mod_verify_hash(void *data_ptr, unsigned int data_len, void *digest_info_ptr, unsigned int digest_info_len); -#endif /* CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY || \ - CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ +#endif /* (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY) || \ + (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC) */ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len, const void *key, unsigned int key_len, 
@@ -111,44 +107,29 @@ int crypto_mod_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, unsigned int iv_len, const void *tag, unsigned int tag_len); -#if CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ -CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC +#if (CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY) || \ + (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC) int crypto_mod_calc_hash(enum crypto_md_algo alg, void *data_ptr, unsigned int data_len, unsigned char output[CRYPTO_MD_MAX_SIZE]); -#endif /* CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY || \ - CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ +#endif /* (CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY) || \ + (CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC) */ + +int crypto_mod_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, + void **hashed_pk_ptr, unsigned int *hashed_pk_len); -#if CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_AND_HASH_CALC /* Macro to register a cryptographic library */ #define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \ - _calc_hash, _auth_decrypt) \ - const crypto_lib_desc_t crypto_lib_desc = { \ - .name = _name, \ - .init = _init, \ - .verify_signature = _verify_signature, \ - .verify_hash = _verify_hash, \ - .calc_hash = _calc_hash, \ - .auth_decrypt = _auth_decrypt \ - } -#elif CRYPTO_SUPPORT == CRYPTO_AUTH_VERIFY_ONLY -#define REGISTER_CRYPTO_LIB(_name, _init, _verify_signature, _verify_hash, \ - _auth_decrypt) \ + _calc_hash, _auth_decrypt, _convert_pk) \ const crypto_lib_desc_t crypto_lib_desc = { \ .name = _name, \ .init = _init, \ .verify_signature = _verify_signature, \ .verify_hash = _verify_hash, \ - .auth_decrypt = _auth_decrypt \ - } -#elif CRYPTO_SUPPORT == CRYPTO_HASH_CALC_ONLY -#define REGISTER_CRYPTO_LIB(_name, _init, _calc_hash) \ - const crypto_lib_desc_t crypto_lib_desc = { \ - .name = _name, \ - .init = _init, \ .calc_hash = _calc_hash, \ + .auth_decrypt = _auth_decrypt, \ + .convert_pk = _convert_pk \ } -#endif /* CRYPTO_SUPPORT == 
CRYPTO_AUTH_VERIFY_AND_HASH_CALC */ extern const crypto_lib_desc_t crypto_lib_desc; diff --git a/include/plat/common/platform.h b/include/plat/common/platform.h index a14d77504..d146a2945 100644 --- a/include/plat/common/platform.h +++ b/include/plat/common/platform.h @@ -44,10 +44,17 @@ enum fw_enc_status_t; * plat_get_rotpk_info() flags ******************************************************************************/ #define ROTPK_IS_HASH (1 << 0) + /* Flag used to skip verification of the certificate ROTPK while the platform ROTPK is not deployed */ #define ROTPK_NOT_DEPLOYED (1 << 1) +static inline bool is_rotpk_flags_valid(unsigned int flags) +{ + unsigned int valid_flags = ROTPK_IS_HASH; + return (flags == ROTPK_NOT_DEPLOYED) || ((flags & ~valid_flags) == 0); +} + /******************************************************************************* * plat_get_enc_key_info() flags ******************************************************************************/ @@ -345,8 +352,6 @@ int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr); int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr); int plat_set_nv_ctr2(void *cookie, const struct auth_img_desc_s *img_desc, unsigned int nv_ctr); -int plat_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, - void **hashed_pk_ptr, unsigned int *hash_pk_len); int get_mbedtls_heap_helper(void **heap_addr, size_t *heap_size); int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key, size_t *key_len, unsigned int *flags, |
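Review bot: `REGISTER_CRYPTO_LIB` now has a single seven-argument form for every `CRYPTO_SUPPORT` value, but its comment still reads only `/* Macro to register a cryptographic library */`. A backend that previously registered three or five callbacks must now pass placeholders for the operations it does not implement, and nothing here says which arguments may be NULL. If that is the intent, I would extend the comment to `/* Macro to register a cryptographic library. Callbacks not used under the selected CRYPTO_SUPPORT, and _convert_pk, may be NULL. */`. Whether the callers of these pointers check for NULL before the indirect call is outside this hunk and worth confirming.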
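Review bot: `is_rotpk_flags_valid()` has no comment, and the rule it encodes is easy to misread. It accepts 0, `ROTPK_IS_HASH`, or `ROTPK_NOT_DEPLOYED` on its own, and rejects every other combination. Since `ROTPK_NOT_DEPLOYED` is described just above as skipping verification of the certificate ROTPK, the accepted set is security-relevant and should be stated, for example `/* Valid: 0, ROTPK_IS_HASH, or ROTPK_NOT_DEPLOYED alone. ROTPK_NOT_DEPLOYED disables the ROTPK check and must not be combined with other flags. */`. The helper also uses `bool` in a header; the include of `<stdbool.h>` is not visible in this hunk, so it is worth checking that `platform.h` pulls it in itself.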