cryptocell: add cryptocell 712 RSA 3K support

Add the support needed to enable using CryptoCell integration with with RSA 3K support. Signed-off-by: Gilad Ben-Yossef <gilad.benyossef@arm.com> Change-Id: I95527cb0c41ae012109e8968dd20a4ae9fe67f17
2025-04-16 09:34:18 +00:00 · 2019-09-15 13:29:29 +03:00 · 2019-09-15 13:29:29 +03:00 · b8622922c8
commit b8622922c8
parent 87b582ef5b
5 changed files with 41 additions and 12 deletions
--- a/docs/getting_started/build-options.rst
+++ b/docs/getting_started/build-options.rst
@ -350,6 +350,21 @@ Common build options
   compliant and is retained only for compatibility. The default value of this
   flag is ``rsa`` which is the TBBR compliant PKCS#1 RSA 2.1 scheme.

+-  ``KEY_SIZE``: This build flag enables the user to select the key size for
+   the algorithm specified by ``KEY_ALG``. The valid values for ``KEY_SIZE``
+   depend on the chosen algorithm and the cryptographic module.
+
+   +-----------+------------------------------------+
+   |  KEY_ALG  |        Possible key sizes          |
+   +===========+====================================+
+   |    rsa    | 1024 , 2048 (default), 3072, 4096* |
+   +-----------+------------------------------------+
+   |   ecdsa   |            unavailable             |
+   +-----------+------------------------------------+
+
+   * Only 2048 bits size is available with CryptoCell 712 SBROM release 1.
+     Only 3072 bits size is available with CryptoCell 712 SBROM release 2.
+
 -  ``HASH_ALG``: This build flag enables the user to select the secure hash
   algorithm. It accepts 3 values: ``sha256``, ``sha384`` and ``sha512``.
   The default value of this flag is ``sha256``.
--- a/drivers/auth/cryptocell/712/cryptocell_crypto.c
+++ b/drivers/auth/cryptocell/712/cryptocell_crypto.c
@ -225,7 +225,7 @@ static int verify_signature(void *data_ptr, unsigned int data_len,
 	/* Verify the signature */
 	error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE,
 			(uint32_t *)data_ptr, &pk, &signature,
-			data_len, RSA_PSS_2048);
+			data_len, RSA_PSS);
 	if (error != CC_OK)
 		return CRYPTO_ERR_SIGNATURE;

--- a/drivers/auth/cryptocell/cryptocell_crypto.mk
+++ b/drivers/auth/cryptocell/cryptocell_crypto.mk
@ -1,5 +1,5 @@
 #
-# Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+# Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
 #
 # SPDX-License-Identifier: BSD-3-Clause
 #
@ -12,6 +12,8 @@ TF_MBEDTLS_KEY_ALG_ID		:=	TF_MBEDTLS_RSA
 # Needs to be set to drive mbed TLS configuration correctly
 $(eval $(call add_define,TF_MBEDTLS_KEY_ALG_ID))

+$(eval $(call add_define,KEY_SIZE))
+
 # CCSBROM_LIB_PATH must be set to the Cryptocell SBROM library path
 ifeq (${CCSBROM_LIB_PATH},)
  $(error Error: CCSBROM_LIB_PATH not set)
--- a/include/drivers/arm/cryptocell/712/rsa.h
+++ b/include/drivers/arm/cryptocell/712/rsa.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -21,19 +21,21 @@ extern "C"

 /************************ Defines ******************************/

-/* the modulus size ion bits */
+/* the modulus size in bits */
+#if (KEY_SIZE == 2048)
 #define RSA_MOD_SIZE_IN_BITS				2048UL
+#elif (KEY_SIZE == 3072)
+#define RSA_MOD_SIZE_IN_BITS				3072UL
+#else
+#error Unsupported CryptoCell key size requested
+#endif
+
 #define RSA_MOD_SIZE_IN_BYTES				(CALC_FULL_BYTES(RSA_MOD_SIZE_IN_BITS))
 #define RSA_MOD_SIZE_IN_WORDS				(CALC_FULL_32BIT_WORDS(RSA_MOD_SIZE_IN_BITS))
 #define RSA_MOD_SIZE_IN_256BITS				(RSA_MOD_SIZE_IN_WORDS/8)
 #define RSA_EXP_SIZE_IN_BITS				17UL
 #define RSA_EXP_SIZE_IN_BYTES				(CALC_FULL_BYTES(RSA_EXP_SIZE_IN_BITS))

-/* size of buffer for Barrett modulus tag NP, used in PKA algorithms */
-#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS	132
-#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BYTES	(CALC_FULL_BYTES(RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS))
-#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS	(CALC_FULL_32BIT_WORDS(RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS))
-
 /*
 * @brief The RSA_CalcNp calculates Np value and saves it into Np_ptr:
 *
--- a/include/drivers/arm/cryptocell/712/secureboot_gen_defs.h
+++ b/include/drivers/arm/cryptocell/712/secureboot_gen_defs.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved.
+ * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved.
 *
 * SPDX-License-Identifier: BSD-3-Clause
 */
@ -24,7 +24,14 @@ extern "C"
 /***********************/

 /*RSA definitions*/
+#if (KEY_SIZE == 2048)
 #define SB_RSA_MOD_SIZE_IN_WORDS		 64
+#elif (KEY_SIZE == 3072)
+#define SB_RSA_MOD_SIZE_IN_WORDS		96
+#else
+#error Unsupported CryptoCell key size requested
+#endif
+
 #define SB_RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS 5


@ -43,9 +50,12 @@ typedef struct {
 /********* Supported algorithms definitions ***********/

 /*! RSA supported algorithms */
+/* Note: this applies to either 2k or 3k based on CryptoCell SBROM library
+ * version - it means 2k in version 1 and 3k in version 2 (yes, really).
+ */
 typedef enum {
-	RSA_PSS_2048           = 0x01,			/*!< RSA PSS 2048 after hash SHA 256 */
-	RSA_PKCS15_2048	       = 0x02,			/*!< RSA PKX15 */
+	RSA_PSS                = 0x01,			/*!< RSA PSS after hash SHA 256 */
+	RSA_PKCS15	       = 0x02,			/*!< RSA PKX15 */
 	RSA_Last               = 0x7FFFFFFF
 } CCSbRsaAlg_t;