stm32mp_crypto_lib.c 17 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674
  1. /*
  2. * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved
  3. *
  4. * SPDX-License-Identifier: BSD-3-Clause
  5. */
  6. #include <assert.h>
  7. #include <endian.h>
  8. #include <errno.h>
  9. #include <common/debug.h>
  10. #include <drivers/auth/crypto_mod.h>
  11. #include <drivers/io/io_storage.h>
  12. #include <drivers/st/stm32_hash.h>
  13. #include <drivers/st/stm32_pka.h>
  14. #include <drivers/st/stm32_rng.h>
  15. #include <drivers/st/stm32_saes.h>
  16. #include <lib/utils.h>
  17. #include <lib/xlat_tables/xlat_tables_v2.h>
  18. #include <mbedtls/asn1.h>
  19. #include <mbedtls/md.h>
  20. #include <mbedtls/oid.h>
  21. #include <mbedtls/platform.h>
  22. #include <mbedtls/x509.h>
  23. #include <plat/common/platform.h>
  24. #include <tools_share/firmware_encrypted.h>
  25. #include <platform_def.h>
  26. #define CRYPTO_HASH_MAX_SIZE 32U
  27. #define CRYPTO_SIGN_MAX_SIZE 64U
  28. #define CRYPTO_PUBKEY_MAX_SIZE 64U
  29. #define CRYPTO_MAX_TAG_SIZE 16U
  30. /* brainpoolP256t1 OID is not defined in mbedTLS */
  31. #define OID_EC_GRP_BP256T1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x08"
  32. #if STM32MP_CRYPTO_ROM_LIB
  33. struct stm32mp_auth_ops {
  34. uint32_t (*verify_signature)(uint8_t *hash_in, uint8_t *pubkey_in,
  35. uint8_t *signature, uint32_t ecc_algo);
  36. };
  37. static struct stm32mp_auth_ops auth_ops;
  38. #endif
  39. static void crypto_lib_init(void)
  40. {
  41. boot_api_context_t *boot_context __maybe_unused;
  42. int ret;
  43. NOTICE("TRUSTED_BOARD_BOOT support enabled\n");
  44. ret = stm32_hash_register();
  45. if (ret != 0) {
  46. ERROR("HASH init (%d)\n", ret);
  47. panic();
  48. }
  49. if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_CLOSED) ||
  50. stm32mp_is_auth_supported()) {
  51. #if STM32MP_CRYPTO_ROM_LIB
  52. boot_context = (boot_api_context_t *)stm32mp_get_boot_ctx_address();
  53. auth_ops.verify_signature = boot_context->bootrom_ecdsa_verify_signature;
  54. #else
  55. /* Use hardware peripherals */
  56. if (stm32_rng_init() != 0) {
  57. panic();
  58. }
  59. if (stm32_saes_driver_init() != 0) {
  60. panic();
  61. }
  62. if (stm32_pka_init() != 0) {
  63. panic();
  64. }
  65. #endif
  66. }
  67. }
  68. static int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk,
  69. size_t *len, int *pk_alg)
  70. {
  71. int ret;
  72. mbedtls_pk_context mbedtls_pk = {0};
  73. unsigned char *p, *end;
  74. mbedtls_asn1_buf alg_params = {0};
  75. mbedtls_asn1_buf alg_oid = {0};
  76. *plain_pk = NULL;
  77. *len = 0U;
  78. /* Parse the public key */
  79. mbedtls_pk_init(&mbedtls_pk);
  80. p = (unsigned char *)pk_ptr;
  81. end = (unsigned char *)(p + pk_len);
  82. ret = mbedtls_asn1_get_tag(&p, end, len,
  83. MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
  84. if (ret != 0) {
  85. return -EINVAL;
  86. }
  87. end = p + *len;
  88. ret = mbedtls_asn1_get_alg(&p, end, &alg_oid, &alg_params);
  89. if (ret != 0) {
  90. VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret);
  91. return -EINVAL;
  92. }
  93. if (pk_alg != NULL) {
  94. if ((strlen(MBEDTLS_OID_EC_GRP_SECP256R1) == alg_params.len) &&
  95. (memcmp(MBEDTLS_OID_EC_GRP_SECP256R1, alg_params.p, alg_params.len) == 0)) {
  96. *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_P256NIST;
  97. } else if ((strlen(OID_EC_GRP_BP256T1) == alg_params.len) &&
  98. (memcmp(OID_EC_GRP_BP256T1, alg_params.p, alg_params.len) == 0)) {
  99. *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256;
  100. } else {
  101. ERROR("%s: Algorithm is not supported\n", __func__);
  102. return -EINVAL;
  103. }
  104. }
  105. ret = mbedtls_asn1_get_bitstring_null(&p, end, len);
  106. if (ret != 0) {
  107. VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret);
  108. return -EINVAL;
  109. }
  110. /* We remove the ident (0x04) first byte. */
  111. if ((*len < 1U) || (p[0] != MBEDTLS_ASN1_OCTET_STRING)) {
  112. VERBOSE("%s: not expected len or tag\n", __func__);
  113. return -EINVAL;
  114. }
  115. *len = *len - 1U;
  116. *plain_pk = p + 1U;
  117. return 0;
  118. }
  119. #if STM32MP_CRYPTO_ROM_LIB
  120. uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in,
  121. uint8_t *signature, uint32_t ecc_algo)
  122. {
  123. int ret;
  124. ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE,
  125. STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE);
  126. if (ret != 0) {
  127. VERBOSE("%s: mmap_add_dynamic_region (%d)\n", __func__, ret);
  128. return CRYPTO_ERR_SIGNATURE;
  129. }
  130. ret = auth_ops.verify_signature(hash_in, pubkey_in, signature, ecc_algo);
  131. if (ret != BOOT_API_RETURN_OK) {
  132. VERBOSE("%s: auth_ops.verify_sign (%d)\n", __func__, ret);
  133. ret = CRYPTO_ERR_SIGNATURE;
  134. } else {
  135. ret = 0;
  136. }
  137. mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED);
  138. return ret;
  139. }
  140. static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
  141. void **hashed_pk_ptr, unsigned int *hashed_pk_len)
  142. {
  143. size_t len;
  144. int ret;
  145. ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, hashed_pk_ptr, &len, NULL);
  146. if (ret == 0) {
  147. *hashed_pk_len = (unsigned int)len;
  148. }
  149. return ret;
  150. }
  151. #else /* STM32MP_CRYPTO_ROM_LIB*/
  152. static uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in,
  153. uint8_t *signature, uint32_t ecc_algo)
  154. {
  155. int ret = -1;
  156. enum stm32_pka_ecdsa_curve_id cid;
  157. switch (ecc_algo) {
  158. case BOOT_API_ECDSA_ALGO_TYPE_P256NIST:
  159. #if PKA_USE_NIST_P256
  160. cid = PKA_NIST_P256;
  161. ret = 0;
  162. #else
  163. WARN("%s nist_p256 requested but not included\n", __func__);
  164. #endif
  165. break;
  166. case BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256:
  167. #if PKA_USE_BRAINPOOL_P256T1
  168. cid = PKA_BRAINPOOL_P256T1;
  169. ret = 0;
  170. #else
  171. WARN("%s brainpool_p256t1 requested but not included\n", __func__);
  172. #endif
  173. break;
  174. default:
  175. WARN("%s unexpected ecc_algo(%u)\n", __func__, ecc_algo);
  176. break;
  177. }
  178. if (ret < 0) {
  179. return CRYPTO_ERR_SIGNATURE;
  180. }
  181. ret = stm32_pka_ecdsa_verif(hash_in,
  182. BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES,
  183. signature, BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
  184. signature + BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
  185. BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
  186. pubkey_in, BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U,
  187. pubkey_in + BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U,
  188. BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, cid);
  189. if (ret < 0) {
  190. return CRYPTO_ERR_SIGNATURE;
  191. }
  192. return 0;
  193. }
  194. static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
  195. void **hashed_pk_ptr, unsigned int *hashed_pk_len)
  196. {
  197. static uint8_t st_pk[CRYPTO_PUBKEY_MAX_SIZE + sizeof(uint32_t)];
  198. int ret;
  199. void *plain_pk;
  200. size_t len;
  201. int curve_id;
  202. uint32_t cid;
  203. ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, &plain_pk, &len, &curve_id);
  204. if ((ret != 0) || (len > CRYPTO_PUBKEY_MAX_SIZE)) {
  205. return -EINVAL;
  206. }
  207. cid = curve_id; /* we want value of curve_id (1 or 2) in a uint32_t */
  208. memcpy(st_pk, &cid, sizeof(cid));
  209. memcpy(st_pk + sizeof(cid), plain_pk, len);
  210. *hashed_pk_ptr = st_pk;
  211. *hashed_pk_len = (unsigned int)(len + sizeof(cid));
  212. return 0;
  213. }
  214. #endif /* STM32MP_CRYPTO_ROM_LIB */
  215. static int get_plain_digest_from_asn1(void *digest_ptr, unsigned int digest_len,
  216. uint8_t **out, size_t *out_len, mbedtls_md_type_t *md_alg)
  217. {
  218. int ret;
  219. mbedtls_asn1_buf hash_oid, params;
  220. size_t len;
  221. unsigned char *p, *end;
  222. *out = NULL;
  223. *out_len = 0U;
  224. /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
  225. p = (unsigned char *)digest_ptr;
  226. end = p + digest_len;
  227. ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
  228. MBEDTLS_ASN1_SEQUENCE);
  229. if (ret != 0) {
  230. return ret;
  231. }
  232. /* Get the hash algorithm */
  233. ret = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
  234. if (ret != 0) {
  235. return ret;
  236. }
  237. ret = mbedtls_oid_get_md_alg(&hash_oid, md_alg);
  238. if (ret != 0) {
  239. return ret;
  240. }
  241. ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
  242. if (ret != 0) {
  243. return ret;
  244. }
  245. /* Length of hash must match the algorithm's size */
  246. if (len != BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES) {
  247. return -1;
  248. }
  249. *out = p;
  250. *out_len = len;
  251. return 0;
  252. }
  253. static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
  254. void *sig_ptr, unsigned int sig_len,
  255. void *sig_alg, unsigned int sig_alg_len,
  256. void *pk_ptr, unsigned int pk_len)
  257. {
  258. uint8_t image_hash[CRYPTO_HASH_MAX_SIZE] = {0};
  259. uint8_t sig[CRYPTO_SIGN_MAX_SIZE];
  260. uint8_t my_pk[CRYPTO_PUBKEY_MAX_SIZE];
  261. int ret;
  262. size_t len;
  263. mbedtls_asn1_sequence seq;
  264. mbedtls_asn1_sequence *cur;
  265. unsigned char *p, *end;
  266. int curve_id;
  267. mbedtls_asn1_buf sig_oid, sig_params;
  268. mbedtls_md_type_t md_alg;
  269. mbedtls_pk_type_t pk_alg;
  270. size_t bignum_len = sizeof(sig) / 2U;
  271. unsigned int seq_num = 0U;
  272. if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_OPEN) &&
  273. !stm32mp_is_auth_supported()) {
  274. return CRYPTO_SUCCESS;
  275. }
  276. /* Get pointers to signature OID and parameters */
  277. p = (unsigned char *)sig_alg;
  278. end = (unsigned char *)(p + sig_alg_len);
  279. ret = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
  280. if (ret != 0) {
  281. VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret);
  282. return CRYPTO_ERR_SIGNATURE;
  283. }
  284. /* Get the actual signature algorithm (MD + PK) */
  285. ret = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
  286. if (ret != 0) {
  287. VERBOSE("%s: mbedtls_oid_get_sig_alg (%d)\n", __func__, ret);
  288. return CRYPTO_ERR_SIGNATURE;
  289. }
  290. if ((md_alg != MBEDTLS_MD_SHA256) || (pk_alg != MBEDTLS_PK_ECDSA)) {
  291. VERBOSE("%s: md_alg=%u pk_alg=%u\n", __func__, md_alg, pk_alg);
  292. return CRYPTO_ERR_SIGNATURE;
  293. }
  294. ret = get_plain_pk_from_asn1(pk_ptr, pk_len, &pk_ptr, &len, &curve_id);
  295. if (ret != 0) {
  296. VERBOSE("%s: get_plain_pk_from_asn1 (%d)\n", __func__, ret);
  297. return CRYPTO_ERR_SIGNATURE;
  298. }
  299. /* We expect a known pk_len */
  300. if (len != sizeof(my_pk)) {
  301. VERBOSE("%s: pk_len=%zu sizeof(my_pk)=%zu)\n", __func__, len, sizeof(my_pk));
  302. return CRYPTO_ERR_SIGNATURE;
  303. }
  304. /* Need to copy as auth_ops.verify_signature
  305. * expects aligned public key.
  306. */
  307. memcpy(my_pk, pk_ptr, sizeof(my_pk));
  308. /* Get the signature (bitstring) */
  309. p = (unsigned char *)sig_ptr;
  310. end = (unsigned char *)(p + sig_len);
  311. ret = mbedtls_asn1_get_bitstring_null(&p, end, &len);
  312. if (ret != 0) {
  313. VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret);
  314. return CRYPTO_ERR_SIGNATURE;
  315. }
  316. /* Get r and s from sequence */
  317. ret = mbedtls_asn1_get_sequence_of(&p, end, &seq, MBEDTLS_ASN1_INTEGER);
  318. if (ret != 0) {
  319. VERBOSE("%s: mbedtls_asn1_get_sequence_of (%d)\n", __func__, ret);
  320. return CRYPTO_ERR_SIGNATURE;
  321. }
  322. /* We expect only 2 integers (r and s) from the sequence */
  323. if (seq.next->next != NULL) {
  324. cur = seq.next;
  325. mbedtls_asn1_sequence *next;
  326. VERBOSE("%s: nb seq != 2\n", __func__);
  327. /* Free all the sequences */
  328. while (cur != NULL) {
  329. next = cur->next;
  330. mbedtls_free(cur);
  331. cur = next;
  332. }
  333. return CRYPTO_ERR_SIGNATURE;
  334. }
  335. /*
  336. * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n.
  337. * This means that the R and S can have a maximum of 32 each, but can also be smaller.
  338. * Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only
  339. * manage exactly 2*32 bytes, we remove this higher byte if there are not 00,
  340. * we will fail either.
  341. */
  342. cur = &seq;
  343. memset(sig, 0U, sizeof(sig));
  344. while (cur != NULL) {
  345. size_t skip = 0U;
  346. size_t seek = seq_num * bignum_len;
  347. if (cur->buf.len > bignum_len) {
  348. /* Remove extra 0x00 bytes */
  349. skip = cur->buf.len - bignum_len;
  350. } else if (cur->buf.len < bignum_len) {
  351. /* Add padding to match HW required size */
  352. seek += (bignum_len % cur->buf.len);
  353. }
  354. if (seek + cur->buf.len > sizeof(sig) + skip) {
  355. panic();
  356. }
  357. memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip);
  358. cur = cur->next;
  359. seq_num++;
  360. }
  361. /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */
  362. mbedtls_free(seq.next);
  363. /* Compute hash for the data covered by the signature */
  364. stm32_hash_init(HASH_SHA256);
  365. ret = stm32_hash_final_update((uint8_t *)data_ptr, data_len, image_hash);
  366. if (ret != 0) {
  367. VERBOSE("%s: stm32_hash_final_update (%d)\n", __func__, ret);
  368. return CRYPTO_ERR_SIGNATURE;
  369. }
  370. return verify_signature(image_hash, my_pk, sig, curve_id);
  371. }
  372. static int crypto_verify_hash(void *data_ptr, unsigned int data_len,
  373. void *digest_info_ptr,
  374. unsigned int digest_info_len)
  375. {
  376. int ret;
  377. uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES];
  378. unsigned char *p;
  379. mbedtls_md_type_t md_alg;
  380. size_t len;
  381. /* we receive an asn1 encapsulated digest, we flatten it */
  382. ret = get_plain_digest_from_asn1(digest_info_ptr,
  383. digest_info_len, &p, &len,
  384. &md_alg);
  385. if ((ret != 0) || (md_alg != MBEDTLS_MD_SHA256) || (len != sizeof(calc_hash))) {
  386. return CRYPTO_ERR_HASH;
  387. }
  388. digest_info_ptr = p;
  389. digest_info_len = len;
  390. stm32_hash_init(HASH_SHA256);
  391. ret = stm32_hash_final_update(data_ptr, data_len, calc_hash);
  392. if (ret != 0) {
  393. VERBOSE("%s: hash failed\n", __func__);
  394. return CRYPTO_ERR_HASH;
  395. }
  396. ret = memcmp(calc_hash, digest_info_ptr, digest_info_len);
  397. if (ret != 0) {
  398. VERBOSE("%s: not expected digest\n", __func__);
  399. ret = CRYPTO_ERR_HASH;
  400. }
  401. return ret;
  402. }
  403. #if !defined(DECRYPTION_SUPPORT_none)
  404. static int derive_key(uint8_t *key, size_t *key_len, size_t len,
  405. unsigned int *flags, const uint8_t *img_id, size_t img_id_len)
  406. {
  407. size_t i, j;
  408. assert(*key_len >= 32U);
  409. /*
  410. * Not a real derivation yet
  411. *
  412. * We expect a 32 bytes key, if OTP is only 16 bytes
  413. * => duplicate.
  414. */
  415. for (i = 0U, j = len; j < 32U;
  416. i += sizeof(uint32_t), j += sizeof(uint32_t)) {
  417. memcpy(key + j, key + i, sizeof(uint32_t));
  418. }
  419. *key_len = 32U;
  420. /* Variable 'key' store a real key */
  421. *flags = 0U;
  422. return 0;
  423. }
  424. int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key,
  425. size_t *key_len, unsigned int *flags,
  426. const uint8_t *img_id, size_t img_id_len)
  427. {
  428. uint32_t otp_idx;
  429. uint32_t otp_len;
  430. size_t read_len;
  431. size_t i;
  432. if (fw_enc_status == FW_ENC_WITH_BSSK) {
  433. return -EINVAL;
  434. }
  435. if (stm32_get_otp_index(ENCKEY_OTP, &otp_idx, &otp_len) != 0) {
  436. VERBOSE("%s: get %s index error\n", __func__, ENCKEY_OTP);
  437. return -EINVAL;
  438. }
  439. if (otp_len > (*key_len * CHAR_BIT)) {
  440. VERBOSE("%s: length Error otp_len=%u key_len=%zu\n", __func__,
  441. otp_len, *key_len * CHAR_BIT);
  442. return -EINVAL;
  443. }
  444. read_len = otp_len / CHAR_BIT;
  445. assert(read_len % sizeof(uint32_t) == 0);
  446. for (i = 0U; i < read_len / sizeof(uint32_t); i++) {
  447. uint32_t tmp;
  448. uint32_t otp_val;
  449. if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) {
  450. zeromem(key, *key_len);
  451. VERBOSE("%s: unable to read from otp\n", __func__);
  452. return -EINVAL;
  453. }
  454. tmp = bswap32(otp_val);
  455. memcpy(key + i * sizeof(uint32_t), &tmp, sizeof(tmp));
  456. }
  457. /* Now we have the OTP values in key till read_len */
  458. if (derive_key(key, key_len, read_len, flags, img_id,
  459. img_id_len) != 0) {
  460. zeromem(key, *key_len);
  461. return -EINVAL;
  462. }
  463. return 0;
  464. }
  465. static enum stm32_saes_key_selection select_key(unsigned int key_flags)
  466. {
  467. if ((key_flags & ENC_KEY_IS_IDENTIFIER) != 0U) {
  468. panic();
  469. }
  470. /* Use the provided key buffer */
  471. return STM32_SAES_KEY_SOFT;
  472. }
  473. static int stm32_decrypt_aes_gcm(void *data, size_t data_len,
  474. const void *key, unsigned int key_len,
  475. unsigned int key_flags,
  476. const void *iv, unsigned int iv_len,
  477. const void *tag, unsigned int tag_len)
  478. {
  479. int ret;
  480. struct stm32_saes_context ctx;
  481. unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE];
  482. enum stm32_saes_key_selection key_mode;
  483. unsigned int diff = 0U;
  484. unsigned int i;
  485. key_mode = select_key(key_flags);
  486. ret = stm32_saes_init(&ctx, true, STM32_SAES_MODE_GCM, key_mode, key,
  487. key_len, iv, iv_len);
  488. if (ret != 0) {
  489. return CRYPTO_ERR_INIT;
  490. }
  491. ret = stm32_saes_update_assodata(&ctx, true, NULL, 0U);
  492. if (ret != 0) {
  493. return CRYPTO_ERR_DECRYPTION;
  494. }
  495. ret = stm32_saes_update_load(&ctx, true, data, data, data_len);
  496. if (ret != 0) {
  497. return CRYPTO_ERR_DECRYPTION;
  498. }
  499. ret = stm32_saes_final(&ctx, tag_buf, sizeof(tag_buf));
  500. if (ret != 0) {
  501. return CRYPTO_ERR_DECRYPTION;
  502. }
  503. /* Check tag in "constant-time" */
  504. for (i = 0U; i < tag_len; i++) {
  505. diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i];
  506. }
  507. if (diff != 0U) {
  508. return CRYPTO_ERR_DECRYPTION;
  509. }
  510. return CRYPTO_SUCCESS;
  511. }
  512. /*
  513. * Authenticated decryption of an image
  514. *
  515. */
  516. static int crypto_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len,
  517. const void *key, unsigned int key_len, unsigned int key_flags,
  518. const void *iv, unsigned int iv_len, const void *tag,
  519. unsigned int tag_len)
  520. {
  521. int rc = -1;
  522. uint32_t real_iv[4];
  523. switch (dec_algo) {
  524. case CRYPTO_GCM_DECRYPT:
  525. /*
  526. * GCM expect a Nonce
  527. * The AES IV is the nonce (a uint32_t[3])
  528. * then a counter (a uint32_t big endian)
  529. * The counter starts at 2.
  530. */
  531. memcpy(real_iv, iv, iv_len);
  532. real_iv[3] = htobe32(0x2U);
  533. rc = stm32_decrypt_aes_gcm(data_ptr, len, key, key_len, key_flags,
  534. real_iv, sizeof(real_iv), tag, tag_len);
  535. break;
  536. default:
  537. rc = CRYPTO_ERR_DECRYPTION;
  538. break;
  539. }
  540. if (rc != 0) {
  541. return rc;
  542. }
  543. return CRYPTO_SUCCESS;
  544. }
  545. REGISTER_CRYPTO_LIB("stm32_crypto_lib",
  546. crypto_lib_init,
  547. crypto_verify_signature,
  548. crypto_verify_hash,
  549. NULL,
  550. crypto_auth_decrypt,
  551. crypto_convert_pk);
  552. #else /* No decryption support */
  553. REGISTER_CRYPTO_LIB("stm32_crypto_lib",
  554. crypto_lib_init,
  555. crypto_verify_signature,
  556. crypto_verify_hash,
  557. NULL,
  558. NULL,
  559. crypto_convert_pk);
  560. #endif