Djam/arm-trusted-firmware
1
0
Fork 0
mirror of https://github.com/ARM-software/arm-trusted-firmware.git synced 2025-04-16 09:34:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(psa): interface with RSS for retrieving ROTPK

Browse source 
Adding the AP/RSS interface for reading the ROTPK.

The read interface implements the psa_call:
psa_call(RSS_CRYPTO_HANDLE, PSA_IPC_CALL,
         in_vec, IOVEC_LEN(in_vec),
         out_vec,  IOVEC_LEN(out_vec));

where the in_vec indicates which of the 3 ROTPKs we want,
and the out_vec stores the ROTPK value we get back from RSS.

Through this service, we will be able to read any of the 3
ROTPKs used on a CCA platform:
- ROTPK for CCA firmware (BL2, BL31, RMM).
- ROTPK for secure firmware.
- ROTPK for non-secure firmware.

Change-Id: I44c615588235cc797fdf38870b74b4c422be0a72
Signed-off-by: Lauren Wehrmeister <lauren.wehrmeister@arm.com>
This commit is contained in:
laurenw-arm 2023-06-13 16:40:51 -05:00
parent 2503c8f320
commit 50316e226f
4 changed files with 105 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
include/lib/psa/psa_manifest/sid.h
View file

@ -8,6 +8,9 @@
#ifndef PSA_MANIFEST_SID_H #ifndef PSA_MANIFEST_SID_H
#define PSA_MANIFEST_SID_H #define PSA_MANIFEST_SID_H
/******** RSS_SP_CRYPTO ********/
#define RSS_CRYPTO_HANDLE (0x40000100U)
/******** RSS_SP_PLATFORM ********/ /******** RSS_SP_PLATFORM ********/
#define RSS_PLATFORM_SERVICE_HANDLE (0x40000105U) #define RSS_PLATFORM_SERVICE_HANDLE (0x40000105U)

58
include/lib/psa/rss_crypto_defs.h Normal file
View file

@ -0,0 +1,58 @@
/*
* Copyright (c) 2023, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
*/
#ifndef RSS_CRYPTO_DEFS_H
#define RSS_CRYPTO_DEFS_H
/* Declares types that encode errors, algorithms, key types, policies, etc. */
#include "psa/crypto_types.h"
/*
* Value identifying export public key function API, used to dispatch the request
* to the corresponding API implementation in the Crypto service backend.
*
*/
#define RSS_CRYPTO_EXPORT_PUBLIC_KEY_SID (uint16_t)(0x701)
/*
* The persistent key identifiers for RSS builtin keys.
*/
enum rss_key_id_builtin_t {
RSS_BUILTIN_KEY_ID_HOST_S_ROTPK = 0x7FFF816Cu,
RSS_BUILTIN_KEY_ID_HOST_NS_ROTPK,
RSS_BUILTIN_KEY_ID_HOST_CCA_ROTPK,
};
/*
* This type is used to overcome a limitation within RSS firmware in the number of maximum
* IOVECs it can use especially in psa_aead_encrypt and psa_aead_decrypt.
*/
#define RSS_CRYPTO_MAX_NONCE_LENGTH (16u)
struct rss_crypto_aead_pack_input {
uint8_t nonce[RSS_CRYPTO_MAX_NONCE_LENGTH];
uint32_t nonce_length;
};
/*
* Structure used to pack non-pointer types in a call
*/
struct rss_crypto_pack_iovec {
psa_key_id_t key_id; /* Key id */
psa_algorithm_t alg; /* Algorithm */
uint32_t op_handle; /* Frontend context handle associated
to a multipart operation */
uint32_t capacity; /* Key derivation capacity */
uint32_t ad_length; /* Additional Data length for multipart AEAD */
uint32_t plaintext_length; /* Plaintext length for multipart AEAD */
struct rss_crypto_aead_pack_input aead_in; /* Packs AEAD-related inputs */
uint16_t function_id; /* Used to identify the function in the API dispatcher
to the service backend. See rss_crypto_func_sid for
detail */
uint16_t step; /* Key derivation step */
};
#endif /* RSS_CRYPTO_DEFS_H */

16
include/lib/psa/rss_platform_api.h
View file

@ -11,6 +11,7 @@
#include <stdint.h> #include <stdint.h>
#include "psa/error.h" #include "psa/error.h"
#include <rss_crypto_defs.h>
#define RSS_PLATFORM_API_ID_NV_READ (1010) #define RSS_PLATFORM_API_ID_NV_READ (1010)
#define RSS_PLATFORM_API_ID_NV_INCREMENT (1011) #define RSS_PLATFORM_API_ID_NV_INCREMENT (1011)
@ -41,4 +42,19 @@ psa_status_t
rss_platform_nv_counter_read(uint32_t counter_id, rss_platform_nv_counter_read(uint32_t counter_id,
uint32_t size, uint8_t *val); uint32_t size, uint8_t *val);
/*
* Reads the public key or the public part of a key pair in binary format.
*
* key Identifier of the key to export.
* data Buffer where the key data is to be written.
* data_size Size of the data buffer in bytes.
* data_length On success, the number of bytes that make up the key data.
*
* PSA_SUCCESS if the value is read correctly. Otherwise,
* it returns a PSA_ERROR.
*/
psa_status_t
rss_platform_key_read(enum rss_key_id_builtin_t key, uint8_t *data,
size_t data_size, size_t *data_length);
#endif /* RSS_PLATFORM_API_H */ #endif /* RSS_PLATFORM_API_H */

30
lib/psa/rss_platform.c
View file

@ -5,10 +5,9 @@
* *
*/ */
#include <stdint.h>
#include <psa/client.h> #include <psa/client.h>
#include <psa_manifest/sid.h> #include <psa_manifest/sid.h>
#include <rss_crypto_defs.h>
#include <rss_platform_api.h> #include <rss_platform_api.h>
psa_status_t psa_status_t
@ -41,3 +40,30 @@ rss_platform_nv_counter_read(uint32_t counter_id,
RSS_PLATFORM_API_ID_NV_READ, RSS_PLATFORM_API_ID_NV_READ,
in_vec, 1, out_vec, 1); in_vec, 1, out_vec, 1);
} }
psa_status_t
rss_platform_key_read(enum rss_key_id_builtin_t key, uint8_t *data,
size_t data_size, size_t *data_length)
{
psa_status_t status;
struct rss_crypto_pack_iovec iov = {
.function_id = RSS_CRYPTO_EXPORT_PUBLIC_KEY_SID,
.key_id = key,
};
psa_invec in_vec[] = {
{.base = &iov, .len = sizeof(struct rss_crypto_pack_iovec)},
};
psa_outvec out_vec[] = {
{.base = data, .len = data_size}
};
status = psa_call(RSS_CRYPTO_HANDLE, PSA_IPC_CALL,
in_vec, IOVEC_LEN(in_vec),
out_vec, IOVEC_LEN(out_vec));
*data_length = out_vec[0].len;
return status;
}