diff --git a/drivers/auth/cryptocell/712/cryptocell_crypto.c b/drivers/auth/cryptocell/712/cryptocell_crypto.c new file mode 100644 index 0000000..395c550 --- /dev/null +++ b/drivers/auth/cryptocell/712/cryptocell_crypto.c @@ -0,0 +1,305 @@ +/* + * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#define LIB_NAME "CryptoCell 712 SBROM" +#define RSA_SALT_LEN 32 +#define RSA_EXPONENT 65537 + +/* + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL + * } + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING + * } + * + * DigestInfo ::= SEQUENCE { + * digestAlgorithm AlgorithmIdentifier, + * digest OCTET STRING + * } + * + * RSASSA-PSS-params ::= SEQUENCE { + * hashAlgorithm [0] HashAlgorithm, + * maskGenAlgorithm [1] MaskGenAlgorithm, + * saltLength [2] INTEGER, + * trailerField [3] TrailerField DEFAULT trailerFieldBC + * } + */ + +/* + * Initialize the library and export the descriptor + */ +static void init(void) +{ + CCError_t ret; + uint32_t lcs; + + /* Initialize CC SBROM */ + ret = CC_BsvSbromInit((uintptr_t)PLAT_CRYPTOCELL_BASE); + if (ret != CC_OK) { + ERROR("CryptoCell CC_BsvSbromInit() error %x\n", ret); + panic(); + } + + /* Initialize lifecycle state */ + ret = CC_BsvLcsGetAndInit((uintptr_t)PLAT_CRYPTOCELL_BASE, &lcs); + if (ret != CC_OK) { + ERROR("CryptoCell CC_BsvLcsGetAndInit() error %x\n", ret); + panic(); + } + + /* If the lifecyclestate is `SD`, then stop further execution */ + if (lcs == CC_BSV_SECURITY_DISABLED_LCS) { + ERROR("CryptoCell LCS is security-disabled\n"); + panic(); + } +} + +/* + * Verify a signature. + * + * Parameters are passed using the DER encoding format following the ASN.1 + * structures detailed above. + */ +static int verify_signature(void *data_ptr, unsigned int data_len, + void *sig_ptr, unsigned int sig_len, + void *sig_alg, unsigned int sig_alg_len, + void *pk_ptr, unsigned int pk_len) +{ + CCError_t error; + CCSbNParams_t pk; + CCSbSignature_t signature; + int rc, exp; + mbedtls_asn1_buf sig_oid, alg_oid, params; + mbedtls_md_type_t md_alg; + mbedtls_pk_type_t pk_alg; + mbedtls_pk_rsassa_pss_options pss_opts; + size_t len; + uint8_t *p, *end; + /* Temp buf to store the public key modulo (N) in LE format */ + uint32_t RevN[SB_RSA_MOD_SIZE_IN_WORDS]; + + /* Verify the signature algorithm */ + /* Get pointers to signature OID and parameters */ + p = sig_alg; + end = p + sig_alg_len; + rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, ¶ms); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + /* Get the actual signature algorithm (MD + PK) */ + rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + /* The CryptoCell only supports RSASSA-PSS signature */ + if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE) + return CRYPTO_ERR_SIGNATURE; + + /* Verify the RSASSA-PSS params */ + /* The trailer field is verified to be 0xBC internally by this API */ + rc = mbedtls_x509_get_rsassa_pss_params(¶ms, &md_alg, + &pss_opts.mgf1_hash_id, + &pss_opts.expected_salt_len); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + /* The CryptoCell only supports SHA256 as hash algorithm */ + if (md_alg != MBEDTLS_MD_SHA256 || pss_opts.mgf1_hash_id != MBEDTLS_MD_SHA256) + return CRYPTO_ERR_SIGNATURE; + + if (pss_opts.expected_salt_len != RSA_SALT_LEN) + return CRYPTO_ERR_SIGNATURE; + + /* Parse the public key */ + p = pk_ptr; + end = p + pk_len; + rc = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + end = p + len; + rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) + return CRYPTO_ERR_SIGNATURE; + + if (pk_alg != MBEDTLS_PK_RSA) + return CRYPTO_ERR_SIGNATURE; + + rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + rc = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (*p == 0) { + p++; len--; + } + if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) + return CRYPTO_ERR_SIGNATURE; + + /* + * The CCSbVerifySignature() API expects N and Np in BE format and + * the signature in LE format. Copy N from certificate. + */ + memcpy(pk.N, p, RSA_MOD_SIZE_IN_BYTES); + + /* Verify the RSA exponent */ + p += len; + rc = mbedtls_asn1_get_int(&p, end, &exp); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (exp != RSA_EXPONENT) + return CRYPTO_ERR_SIGNATURE; + + /* + * Calculate the Np (Barrett n' value). The RSA_CalcNp() API expects + * N in LE format. Hence reverse N into a temporary buffer `RevN`. + */ + UTIL_ReverseMemCopy((uint8_t *)RevN, (uint8_t *)pk.N, sizeof(RevN)); + + RSA_CalcNp((uintptr_t)PLAT_CRYPTOCELL_BASE, RevN, pk.Np); + + /* Np is in LE format. Reverse it to BE */ + UTIL_ReverseBuff((uint8_t *)pk.Np, sizeof(pk.Np)); + + /* Get the signature (bitstring) */ + p = sig_ptr; + end = p + sig_len; + rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) + return CRYPTO_ERR_SIGNATURE; + + /* + * The signature is BE format. Convert it to LE before calling + * CCSbVerifySignature(). + */ + UTIL_ReverseMemCopy((uint8_t *)signature.sig, p, RSA_MOD_SIZE_IN_BYTES); + + /* + * CryptoCell utilises DMA internally to transfer data. Flush the data + * from caches. + */ + flush_dcache_range((uintptr_t)data_ptr, data_len); + + /* Verify the signature */ + error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE, + (uint32_t *)data_ptr, &pk, &signature, + data_len, RSA_PSS_2048); + if (error != CC_OK) + return CRYPTO_ERR_SIGNATURE; + + /* Signature verification success */ + return CRYPTO_SUCCESS; +} + +/* + * Match a hash + * + * Digest info is passed in DER format following the ASN.1 structure detailed + * above. + */ +static int verify_hash(void *data_ptr, unsigned int data_len, + void *digest_info_ptr, unsigned int digest_info_len) +{ + mbedtls_asn1_buf hash_oid, params; + mbedtls_md_type_t md_alg; + uint8_t *p, *end, *hash; + CCHashResult_t pubKeyHash; + size_t len; + int rc; + CCError_t error; + + /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ + p = digest_info_ptr; + end = p + digest_info_len; + rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) + return CRYPTO_ERR_HASH; + + /* Get the hash algorithm */ + rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); + if (rc != 0) + return CRYPTO_ERR_HASH; + + rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg); + if (rc != 0) + return CRYPTO_ERR_HASH; + /* Verify that hash algorithm is SHA256 */ + if (md_alg != MBEDTLS_MD_SHA256) + return CRYPTO_ERR_HASH; + + /* Hash should be octet string type */ + rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if (rc != 0) + return CRYPTO_ERR_HASH; + + /* Length of hash must match the algorithm's size */ + if (len != HASH_RESULT_SIZE_IN_BYTES) + return CRYPTO_ERR_HASH; + + /* + * CryptoCell utilises DMA internally to transfer data. Flush the data + * from caches. + */ + flush_dcache_range((uintptr_t)data_ptr, data_len); + + hash = p; + error = SBROM_CryptoHash((uintptr_t)PLAT_CRYPTOCELL_BASE, + (uintptr_t)data_ptr, data_len, pubKeyHash); + if (error != CC_OK) + return CRYPTO_ERR_HASH; + + rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES); + if (rc != 0) + return CRYPTO_ERR_HASH; + + return CRYPTO_SUCCESS; +} + +/* + * Register crypto library descriptor + */ +REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash); + diff --git a/drivers/auth/cryptocell/712/cryptocell_plat_helpers.c b/drivers/auth/cryptocell/712/cryptocell_plat_helpers.c new file mode 100644 index 0000000..53d77db --- /dev/null +++ b/drivers/auth/cryptocell/712/cryptocell_plat_helpers.c @@ -0,0 +1,113 @@ +/* + * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include +#include + +#include + +#include +#include + +#include +#include +#include +#include + +/* + * Return the ROTPK hash + * + * dst: buffer into which the ROTPK hash will be copied into + * len: length of the provided buffer, which must be at least enough for a + * SHA256 hash + * flags: a pointer to integer that will be set to indicate the ROTPK status + * + * Return: 0 = success, Otherwise = error + */ +int cc_get_rotpk_hash(unsigned char *dst, unsigned int len, unsigned int *flags) +{ + CCError_t error; + uint32_t lcs; + + assert(dst != NULL); + assert(len >= HASH_RESULT_SIZE_IN_WORDS); + assert(flags != NULL); + + error = NVM_GetLCS(PLAT_CRYPTOCELL_BASE, &lcs); + if (error != CC_OK) + return 1; + + /* If the lifecycle state is `SD`, return failure */ + if (lcs == CC_BSV_SECURITY_DISABLED_LCS) + return 1; + + /* + * If the lifecycle state is `CM` or `DM`, ROTPK shouldn't be verified. + * Return success after setting ROTPK_NOT_DEPLOYED flag + */ + if ((lcs == CC_BSV_CHIP_MANUFACTURE_LCS) || + (lcs == CC_BSV_DEVICE_MANUFACTURE_LCS)) { + *flags = ROTPK_NOT_DEPLOYED; + return 0; + } + + /* Copy the DER header */ + error = NVM_ReadHASHPubKey(PLAT_CRYPTOCELL_BASE, + CC_SB_HASH_BOOT_KEY_256B, + (uint32_t *)dst, HASH_RESULT_SIZE_IN_WORDS); + if (error != CC_OK) + return 1; + + *flags = ROTPK_IS_HASH; + return 0; +} + +/* + * Return the non-volatile counter value stored in the platform. The cookie + * specifies the OID of the counter in the certificate. + * + * Return: 0 = success, Otherwise = error + */ +int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) +{ + CCError_t error = CC_FAIL; + + if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_COUNTER1, nv_ctr); + } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_COUNTER2, nv_ctr); + } + + return (error != CC_OK); +} + +/* + * Store a new non-volatile counter value in the counter specified by the OID + * in the cookie. This function is not expected to be called if the Lifecycle + * state is RMA as the values in the certificate are expected to always match + * the nvcounter values. But if called when the LCS is RMA, the underlying + * helper functions will return success but without updating the counter. + * + * Return: 0 = success, Otherwise = error + */ +int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) +{ + CCError_t error = CC_FAIL; + + if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_COUNTER1, nv_ctr); + } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_COUNTER2, nv_ctr); + } + + return (error != CC_OK); +} + diff --git a/drivers/auth/cryptocell/cryptocell_crypto.c b/drivers/auth/cryptocell/cryptocell_crypto.c deleted file mode 100644 index 6bf27a9..0000000 --- a/drivers/auth/cryptocell/cryptocell_crypto.c +++ /dev/null @@ -1,305 +0,0 @@ -/* - * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#include -#include - -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include - -#define LIB_NAME "CryptoCell SBROM" -#define RSA_SALT_LEN 32 -#define RSA_EXPONENT 65537 - -/* - * AlgorithmIdentifier ::= SEQUENCE { - * algorithm OBJECT IDENTIFIER, - * parameters ANY DEFINED BY algorithm OPTIONAL - * } - * - * SubjectPublicKeyInfo ::= SEQUENCE { - * algorithm AlgorithmIdentifier, - * subjectPublicKey BIT STRING - * } - * - * DigestInfo ::= SEQUENCE { - * digestAlgorithm AlgorithmIdentifier, - * digest OCTET STRING - * } - * - * RSASSA-PSS-params ::= SEQUENCE { - * hashAlgorithm [0] HashAlgorithm, - * maskGenAlgorithm [1] MaskGenAlgorithm, - * saltLength [2] INTEGER, - * trailerField [3] TrailerField DEFAULT trailerFieldBC - * } - */ - -/* - * Initialize the library and export the descriptor - */ -static void init(void) -{ - CCError_t ret; - uint32_t lcs; - - /* Initialize CC SBROM */ - ret = CC_BsvSbromInit((uintptr_t)PLAT_CRYPTOCELL_BASE); - if (ret != CC_OK) { - ERROR("CryptoCell CC_BsvSbromInit() error %x\n", ret); - panic(); - } - - /* Initialize lifecycle state */ - ret = CC_BsvLcsGetAndInit((uintptr_t)PLAT_CRYPTOCELL_BASE, &lcs); - if (ret != CC_OK) { - ERROR("CryptoCell CC_BsvLcsGetAndInit() error %x\n", ret); - panic(); - } - - /* If the lifecyclestate is `SD`, then stop further execution */ - if (lcs == CC_BSV_SECURITY_DISABLED_LCS) { - ERROR("CryptoCell LCS is security-disabled\n"); - panic(); - } -} - -/* - * Verify a signature. - * - * Parameters are passed using the DER encoding format following the ASN.1 - * structures detailed above. - */ -static int verify_signature(void *data_ptr, unsigned int data_len, - void *sig_ptr, unsigned int sig_len, - void *sig_alg, unsigned int sig_alg_len, - void *pk_ptr, unsigned int pk_len) -{ - CCError_t error; - CCSbNParams_t pk; - CCSbSignature_t signature; - int rc, exp; - mbedtls_asn1_buf sig_oid, alg_oid, params; - mbedtls_md_type_t md_alg; - mbedtls_pk_type_t pk_alg; - mbedtls_pk_rsassa_pss_options pss_opts; - size_t len; - uint8_t *p, *end; - /* Temp buf to store the public key modulo (N) in LE format */ - uint32_t RevN[SB_RSA_MOD_SIZE_IN_WORDS]; - - /* Verify the signature algorithm */ - /* Get pointers to signature OID and parameters */ - p = sig_alg; - end = p + sig_alg_len; - rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, ¶ms); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - /* Get the actual signature algorithm (MD + PK) */ - rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - /* The CryptoCell only supports RSASSA-PSS signature */ - if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE) - return CRYPTO_ERR_SIGNATURE; - - /* Verify the RSASSA-PSS params */ - /* The trailer field is verified to be 0xBC internally by this API */ - rc = mbedtls_x509_get_rsassa_pss_params(¶ms, &md_alg, - &pss_opts.mgf1_hash_id, - &pss_opts.expected_salt_len); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - /* The CryptoCell only supports SHA256 as hash algorithm */ - if (md_alg != MBEDTLS_MD_SHA256 || pss_opts.mgf1_hash_id != MBEDTLS_MD_SHA256) - return CRYPTO_ERR_SIGNATURE; - - if (pss_opts.expected_salt_len != RSA_SALT_LEN) - return CRYPTO_ERR_SIGNATURE; - - /* Parse the public key */ - p = pk_ptr; - end = p + pk_len; - rc = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - end = p + len; - rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) - return CRYPTO_ERR_SIGNATURE; - - if (pk_alg != MBEDTLS_PK_RSA) - return CRYPTO_ERR_SIGNATURE; - - rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - rc = mbedtls_asn1_get_tag(&p, end, &len, - MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - if (*p == 0) { - p++; len--; - } - if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) - return CRYPTO_ERR_SIGNATURE; - - /* - * The CCSbVerifySignature() API expects N and Np in BE format and - * the signature in LE format. Copy N from certificate. - */ - memcpy(pk.N, p, RSA_MOD_SIZE_IN_BYTES); - - /* Verify the RSA exponent */ - p += len; - rc = mbedtls_asn1_get_int(&p, end, &exp); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - if (exp != RSA_EXPONENT) - return CRYPTO_ERR_SIGNATURE; - - /* - * Calculate the Np (Barrett n' value). The RSA_CalcNp() API expects - * N in LE format. Hence reverse N into a temporary buffer `RevN`. - */ - UTIL_ReverseMemCopy((uint8_t *)RevN, (uint8_t *)pk.N, sizeof(RevN)); - - RSA_CalcNp((uintptr_t)PLAT_CRYPTOCELL_BASE, RevN, pk.Np); - - /* Np is in LE format. Reverse it to BE */ - UTIL_ReverseBuff((uint8_t *)pk.Np, sizeof(pk.Np)); - - /* Get the signature (bitstring) */ - p = sig_ptr; - end = p + sig_len; - rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); - if (rc != 0) - return CRYPTO_ERR_SIGNATURE; - - if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) - return CRYPTO_ERR_SIGNATURE; - - /* - * The signature is BE format. Convert it to LE before calling - * CCSbVerifySignature(). - */ - UTIL_ReverseMemCopy((uint8_t *)signature.sig, p, RSA_MOD_SIZE_IN_BYTES); - - /* - * CryptoCell utilises DMA internally to transfer data. Flush the data - * from caches. - */ - flush_dcache_range((uintptr_t)data_ptr, data_len); - - /* Verify the signature */ - error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE, - (uint32_t *)data_ptr, &pk, &signature, - data_len, RSA_PSS_2048); - if (error != CC_OK) - return CRYPTO_ERR_SIGNATURE; - - /* Signature verification success */ - return CRYPTO_SUCCESS; -} - -/* - * Match a hash - * - * Digest info is passed in DER format following the ASN.1 structure detailed - * above. - */ -static int verify_hash(void *data_ptr, unsigned int data_len, - void *digest_info_ptr, unsigned int digest_info_len) -{ - mbedtls_asn1_buf hash_oid, params; - mbedtls_md_type_t md_alg; - uint8_t *p, *end, *hash; - CCHashResult_t pubKeyHash; - size_t len; - int rc; - CCError_t error; - - /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ - p = digest_info_ptr; - end = p + digest_info_len; - rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE); - if (rc != 0) - return CRYPTO_ERR_HASH; - - /* Get the hash algorithm */ - rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); - if (rc != 0) - return CRYPTO_ERR_HASH; - - rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg); - if (rc != 0) - return CRYPTO_ERR_HASH; - /* Verify that hash algorithm is SHA256 */ - if (md_alg != MBEDTLS_MD_SHA256) - return CRYPTO_ERR_HASH; - - /* Hash should be octet string type */ - rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); - if (rc != 0) - return CRYPTO_ERR_HASH; - - /* Length of hash must match the algorithm's size */ - if (len != HASH_RESULT_SIZE_IN_BYTES) - return CRYPTO_ERR_HASH; - - /* - * CryptoCell utilises DMA internally to transfer data. Flush the data - * from caches. - */ - flush_dcache_range((uintptr_t)data_ptr, data_len); - - hash = p; - error = SBROM_CryptoHash((uintptr_t)PLAT_CRYPTOCELL_BASE, - (uintptr_t)data_ptr, data_len, pubKeyHash); - if (error != CC_OK) - return CRYPTO_ERR_HASH; - - rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES); - if (rc != 0) - return CRYPTO_ERR_HASH; - - return CRYPTO_SUCCESS; -} - -/* - * Register crypto library descriptor - */ -REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash); - diff --git a/drivers/auth/cryptocell/cryptocell_crypto.mk b/drivers/auth/cryptocell/cryptocell_crypto.mk index 27c1e85..d42a2e7 100644 --- a/drivers/auth/cryptocell/cryptocell_crypto.mk +++ b/drivers/auth/cryptocell/cryptocell_crypto.mk @@ -17,11 +17,20 @@ $(error Error: CCSBROM_LIB_PATH not set) endif -TF_LDFLAGS += -L$(CCSBROM_LIB_PATH) -LDLIBS += -lcc_712sbromx509 +CRYPTOCELL_VERSION ?= 712 +ifeq (${CRYPTOCELL_VERSION},712) + CCSBROM_LIB_FILENAME := cc_712sbromx509 +else + $(error Error: CRYPTOCELL_VERSION set to invalid version) +endif -CRYPTOCELL_SOURCES := drivers/auth/cryptocell/cryptocell_crypto.c \ - drivers/auth/cryptocell/cryptocell_plat_helpers.c +CRYPTOCELL_SRC_DIR := drivers/auth/cryptocell/${CRYPTOCELL_VERSION}/ + +CRYPTOCELL_SOURCES := ${CRYPTOCELL_SRC_DIR}/cryptocell_crypto.c \ + ${CRYPTOCELL_SRC_DIR}/cryptocell_plat_helpers.c + +TF_LDFLAGS += -L$(CCSBROM_LIB_PATH) +LDLIBS += -l$(CCSBROM_LIB_FILENAME) BL1_SOURCES += ${CRYPTOCELL_SOURCES} BL2_SOURCES += ${CRYPTOCELL_SOURCES} diff --git a/drivers/auth/cryptocell/cryptocell_plat_helpers.c b/drivers/auth/cryptocell/cryptocell_plat_helpers.c deleted file mode 100644 index 1bd9c6b..0000000 --- a/drivers/auth/cryptocell/cryptocell_plat_helpers.c +++ /dev/null @@ -1,113 +0,0 @@ -/* - * Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#include -#include -#include - -#include - -#include -#include - -#include -#include -#include -#include - -/* - * Return the ROTPK hash - * - * dst: buffer into which the ROTPK hash will be copied into - * len: length of the provided buffer, which must be at least enough for a - * SHA256 hash - * flags: a pointer to integer that will be set to indicate the ROTPK status - * - * Return: 0 = success, Otherwise = error - */ -int cc_get_rotpk_hash(unsigned char *dst, unsigned int len, unsigned int *flags) -{ - CCError_t error; - uint32_t lcs; - - assert(dst != NULL); - assert(len >= HASH_RESULT_SIZE_IN_WORDS); - assert(flags != NULL); - - error = NVM_GetLCS(PLAT_CRYPTOCELL_BASE, &lcs); - if (error != CC_OK) - return 1; - - /* If the lifecycle state is `SD`, return failure */ - if (lcs == CC_BSV_SECURITY_DISABLED_LCS) - return 1; - - /* - * If the lifecycle state is `CM` or `DM`, ROTPK shouldn't be verified. - * Return success after setting ROTPK_NOT_DEPLOYED flag - */ - if ((lcs == CC_BSV_CHIP_MANUFACTURE_LCS) || - (lcs == CC_BSV_DEVICE_MANUFACTURE_LCS)) { - *flags = ROTPK_NOT_DEPLOYED; - return 0; - } - - /* Copy the DER header */ - error = NVM_ReadHASHPubKey(PLAT_CRYPTOCELL_BASE, - CC_SB_HASH_BOOT_KEY_256B, - (uint32_t *)dst, HASH_RESULT_SIZE_IN_WORDS); - if (error != CC_OK) - return 1; - - *flags = ROTPK_IS_HASH; - return 0; -} - -/* - * Return the non-volatile counter value stored in the platform. The cookie - * specifies the OID of the counter in the certificate. - * - * Return: 0 = success, Otherwise = error - */ -int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) -{ - CCError_t error = CC_FAIL; - - if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) { - error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE, - CC_SW_VERSION_COUNTER1, nv_ctr); - } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { - error = NVM_GetSwVersion(PLAT_CRYPTOCELL_BASE, - CC_SW_VERSION_COUNTER2, nv_ctr); - } - - return (error != CC_OK); -} - -/* - * Store a new non-volatile counter value in the counter specified by the OID - * in the cookie. This function is not expected to be called if the Lifecycle - * state is RMA as the values in the certificate are expected to always match - * the nvcounter values. But if called when the LCS is RMA, the underlying - * helper functions will return success but without updating the counter. - * - * Return: 0 = success, Otherwise = error - */ -int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) -{ - CCError_t error = CC_FAIL; - - if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) { - error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE, - CC_SW_VERSION_COUNTER1, nv_ctr); - } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { - error = NVM_SetSwVersion(PLAT_CRYPTOCELL_BASE, - CC_SW_VERSION_COUNTER2, nv_ctr); - } - - return (error != CC_OK); -} - diff --git a/include/drivers/arm/cryptocell/712/cc_crypto_boot_defs.h b/include/drivers/arm/cryptocell/712/cc_crypto_boot_defs.h new file mode 100644 index 0000000..2cb8938 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/cc_crypto_boot_defs.h @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CC_CRYPTO_BOOT_DEFS_H +#define _CC_CRYPTO_BOOT_DEFS_H + +/*! @file +@brief This file contains SBROM definitions +*/ + +/*! Version counters value. */ +typedef enum { + + CC_SW_VERSION_COUNTER1 = 1, /*!< Counter 1 - trusted version. */ + CC_SW_VERSION_COUNTER2, /*!< Counter 2 - non trusted version. */ + + CC_SW_VERSION_MAX = 0x7FFFFFFF + +} CCSbSwVersionId_t; + +/* HASH boot key definition */ +typedef enum { + CC_SB_HASH_BOOT_KEY_0_128B = 0, /*!< 128-bit truncated SHA256 digest of public key 0. */ + CC_SB_HASH_BOOT_KEY_1_128B = 1, /*!< 128-bit truncated SHA256 digest of public key 1. */ + CC_SB_HASH_BOOT_KEY_256B = 2, /*!< 256-bit SHA256 digest of public key. */ + CC_SB_HASH_BOOT_NOT_USED = 0xFF, + CC_SB_HASH_MAX_NUM = 0x7FFFFFFF, /*!\internal use external 128-bit truncated SHA256 digest */ +} CCSbPubKeyIndexType_t; + + +#endif diff --git a/include/drivers/arm/cryptocell/712/cc_pal_sb_plat.h b/include/drivers/arm/cryptocell/712/cc_pal_sb_plat.h new file mode 100644 index 0000000..212a710 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/cc_pal_sb_plat.h @@ -0,0 +1,33 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +/*! +@file +@brief This file contains the platform-dependent definitions that are used in the SBROM code. +*/ + +#ifndef _CC_PAL_SB_PLAT_H +#define _CC_PAL_SB_PLAT_H + +#include "cc_pal_types.h" + + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! Definition of DMA address type, can be 32 bits or 64 bits according to CryptoCell's HW. */ +typedef uint64_t CCDmaAddr_t; +/*! Definition of CryptoCell address type, can be 32 bits or 64 bits according to platform. */ +typedef uintptr_t CCAddr_t; + + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/cc_pal_types.h b/include/drivers/arm/cryptocell/712/cc_pal_types.h new file mode 100644 index 0000000..8c09b23 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/cc_pal_types.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef CC_PAL_TYPES_H +#define CC_PAL_TYPES_H + +/*! +@file +@brief This file contains platform-dependent definitions and types. +*/ + +#include "cc_pal_types_plat.h" + +typedef enum { + CC_FALSE = 0, + CC_TRUE = 1 +} CCBool; + +#define CC_SUCCESS 0UL +#define CC_FAIL 1UL + +#define CC_1K_SIZE_IN_BYTES 1024 +#define CC_BITS_IN_BYTE 8 +#define CC_BITS_IN_32BIT_WORD 32 +#define CC_32BIT_WORD_SIZE (sizeof(uint32_t)) + +#define CC_OK CC_SUCCESS + +#define CC_UNUSED_PARAM(prm) ((void)prm) + +#define CC_MAX_UINT32_VAL (0xFFFFFFFF) + +#define CALC_FULL_BYTES(numBits) (((numBits) + (CC_BITS_IN_BYTE - 1))/CC_BITS_IN_BYTE) +#define CALC_FULL_32BIT_WORDS(numBits) (((numBits) + (CC_BITS_IN_32BIT_WORD - 1))/CC_BITS_IN_32BIT_WRD) +#define CALC_32BIT_WORDS_FROM_BYTES(sizeBytes) (((sizeBytes) + CC_32BIT_WORD_SIZE - 1)/CC_32BIT_WORD_SIZE) + +#endif diff --git a/include/drivers/arm/cryptocell/712/cc_pal_types_plat.h b/include/drivers/arm/cryptocell/712/cc_pal_types_plat.h new file mode 100644 index 0000000..8410024 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/cc_pal_types_plat.h @@ -0,0 +1,25 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +/*! @file +@brief This file contains basic type definitions that are platform-dependent. +*/ +#ifndef _CC_PAL_TYPES_PLAT_H +#define _CC_PAL_TYPES_PLAT_H +/* Host specific types for standard (ISO-C99) compilant platforms */ + +#include +#include + +typedef uint32_t CCStatus; + +#define CCError_t CCStatus +#define CC_INFINITE 0xFFFFFFFF + +#define CEXPORT_C +#define CIMPORT_C + +#endif /*_CC_PAL_TYPES_PLAT_H*/ diff --git a/include/drivers/arm/cryptocell/712/cc_sec_defs.h b/include/drivers/arm/cryptocell/712/cc_sec_defs.h new file mode 100644 index 0000000..d419218 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/cc_sec_defs.h @@ -0,0 +1,34 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CC_SEC_DEFS_H +#define _CC_SEC_DEFS_H + +/*! +@file +@brief This file contains general hash definitions and types. +*/ + + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! The hashblock size in words. */ +#define HASH_BLOCK_SIZE_IN_WORDS 16 +/*! The hash - SHA2 results in words. */ +#define HASH_RESULT_SIZE_IN_WORDS 8 +#define HASH_RESULT_SIZE_IN_BYTES 32 + +/*! Definition for hash result array. */ +typedef uint32_t CCHashResult_t[HASH_RESULT_SIZE_IN_WORDS]; + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/crypto_driver.h b/include/drivers/arm/cryptocell/712/crypto_driver.h new file mode 100644 index 0000000..18104dd --- /dev/null +++ b/include/drivers/arm/cryptocell/712/crypto_driver.h @@ -0,0 +1,35 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CRYPTO_DRIVER_H +#define _CRYPTO_DRIVER_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_pal_sb_plat.h" +#include "cc_sec_defs.h" + +/*---------------------------- + PUBLIC FUNCTIONS +-----------------------------------*/ +/*! + * @brief This function gives the functionality of integrated hash + * + * @param[in] hwBaseAddress - CryptoCell base address + * @param[out] hashResult - the HASH result. + * + */ +CCError_t SBROM_CryptoHash(unsigned long hwBaseAddress, CCDmaAddr_t inputDataAddr, uint32_t BlockSize, + CCHashResult_t hashResult); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/nvm.h b/include/drivers/arm/cryptocell/712/nvm.h new file mode 100644 index 0000000..a70289f --- /dev/null +++ b/include/drivers/arm/cryptocell/712/nvm.h @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _NVM__H +#define _NVM__H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_crypto_boot_defs.h" +#include "cc_pal_types.h" +#include "cc_sec_defs.h" + +/*------------------------------------ + DEFINES +-------------------------------------*/ + +/** + * @brief This function reads the LCS from the SRAM/NVM + * + * @param[in] hwBaseAddress - CryptoCell base address + * + * @param[in/out] lcs_ptr - pointer to memory to store the LCS + * + * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h + */ +CCError_t NVM_GetLCS(unsigned long hwBaseAddress, uint32_t *lcs_ptr); + +/** + * @brief The NVM_ReadHASHPubKey function is a NVM interface function - + * The function retrieves the HASH of the device Public key from the SRAM/NVM + * + * @param[in] hwBaseAddress - CryptoCell base address + * + * @param[in] pubKeyIndex - Index of HASH in the OTP + * + * @param[out] PubKeyHASH - the public key HASH. + * + * @param[in] hashSizeInWords - hash size (valid values: 4W, 8W) + * + * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h + */ + +CCError_t NVM_ReadHASHPubKey(unsigned long hwBaseAddress, CCSbPubKeyIndexType_t pubKeyIndex, CCHashResult_t PubKeyHASH, uint32_t hashSizeInWords); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/nvm_otp.h b/include/drivers/arm/cryptocell/712/nvm_otp.h new file mode 100644 index 0000000..390d62b --- /dev/null +++ b/include/drivers/arm/cryptocell/712/nvm_otp.h @@ -0,0 +1,59 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _NVM_OTP_H +#define _NVM_OTP_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_crypto_boot_defs.h" +#include "cc_pal_types.h" + +/*------------------------------------ + DEFINES +-------------------------------------*/ + + + +/** + * @brief The NVM_GetSwVersion function is a NVM interface function - + * The function retrieves the SW version from the SRAM/NVM. + * In case of OTP, we support up to 16 anti-rollback counters (taken from the certificate) + * + * @param[in] hwBaseAddress - CryptoCell base address + * + * @param[in] counterId - relevant only for OTP (valid values: 1,2) + * + * @param[out] swVersion - the minimum SW version + * + * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h + */ +CCError_t NVM_GetSwVersion(unsigned long hwBaseAddress, CCSbSwVersionId_t counterId, uint32_t *swVersion); + + +/** + * @brief The NVM_SetSwVersion function is a NVM interface function - + * The function writes the SW version into the SRAM/NVM. + * In case of OTP, we support up to 16 anti-rollback counters (taken from the certificate) + * + * @param[in] hwBaseAddress - CryptoCell base address + * + * @param[in] counterId - relevant only for OTP (valid values: 1,2) + * + * @param[in] swVersion - the minimum SW version + * + * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h + */ +CCError_t NVM_SetSwVersion(unsigned long hwBaseAddress, CCSbSwVersionId_t counterId, uint32_t swVersion); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/rsa.h b/include/drivers/arm/cryptocell/712/rsa.h new file mode 100644 index 0000000..cd9925b --- /dev/null +++ b/include/drivers/arm/cryptocell/712/rsa.h @@ -0,0 +1,55 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef RSA_H +#define RSA_H + +/* + * All the includes that are needed for code using this module to + * compile correctly should be #included here. + */ + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_pal_types.h" + +/************************ Defines ******************************/ + +/* the modulus size ion bits */ +#define RSA_MOD_SIZE_IN_BITS 2048UL +#define RSA_MOD_SIZE_IN_BYTES (CALC_FULL_BYTES(RSA_MOD_SIZE_IN_BITS)) +#define RSA_MOD_SIZE_IN_WORDS (CALC_FULL_32BIT_WORDS(RSA_MOD_SIZE_IN_BITS)) +#define RSA_MOD_SIZE_IN_256BITS (RSA_MOD_SIZE_IN_WORDS/8) +#define RSA_EXP_SIZE_IN_BITS 17UL +#define RSA_EXP_SIZE_IN_BYTES (CALC_FULL_BYTES(RSA_EXP_SIZE_IN_BITS)) + +/* size of buffer for Barrett modulus tag NP, used in PKA algorithms */ +#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS 132 +#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BYTES (CALC_FULL_BYTES(RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS)) +#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS (CALC_FULL_32BIT_WORDS(RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS)) + +/* + * @brief The RSA_CalcNp calculates Np value and saves it into Np_ptr: + * + * + + * @param[in] hwBaseAddress - HW base address. Relevant for HW + * implementation, for SW it is ignored. + * @N_ptr[in] - The pointer to the modulus buffer. + * @Np_ptr[out] - pointer to Np vector buffer. Its size must be >= 160. + */ +void RSA_CalcNp(unsigned long hwBaseAddress, + uint32_t *N_ptr, + uint32_t *Np_ptr); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/sbrom_bsv_api.h b/include/drivers/arm/cryptocell/712/sbrom_bsv_api.h new file mode 100644 index 0000000..de83546 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/sbrom_bsv_api.h @@ -0,0 +1,72 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _SBROM_BSV_API_H +#define _SBROM_BSV_API_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! @file +@brief This file contains all SBROM library APIs and definitions. +*/ +#include "cc_pal_types.h" + +/* Life cycle state definitions */ +#define CC_BSV_CHIP_MANUFACTURE_LCS 0x0 /*!< CM lifecycle value. */ +#define CC_BSV_DEVICE_MANUFACTURE_LCS 0x1 /*!< DM lifecycle value. */ +#define CC_BSV_SECURITY_DISABLED_LCS 0x3 /*!< SD lifecycle value. */ +#define CC_BSV_SECURE_LCS 0x5 /*!< Secure lifecycle value. */ +#define CC_BSV_RMA_LCS 0x7 /*!< RMA lifecycle value. */ + +/*---------------------------- + PUBLIC FUNCTIONS +-----------------------------------*/ + +/*! +@brief This function should be the first ARM TrustZone CryptoCell TEE SBROM library API called. +It verifies the HW product and version numbers. + +@return CC_OK On success. +@return A non-zero value from sbrom_bsv_error.h on failure. +*/ +CCError_t CC_BsvSbromInit( + unsigned long hwBaseAddress /*!< [in] HW registers base address. */ + ); + + +/*! +@brief This function can be used for checking the LCS value, after CC_BsvLcsGetAndInit was called by the Boot ROM. + +@return CC_OK On success. +@return A non-zero value from sbrom_bsv_error.h on failure. +*/ +CCError_t CC_BsvLcsGet( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + uint32_t *pLcs /*!< [out] Returned lifecycle state. */ + ); + +/*! +@brief This function retrieves the HW security lifecycle state, performs validity checks, +and additional initializations in case the LCS is RMA (sets the Kce to fixed value). +\note Invalid LCS results in an error returned. +In this case, the customer's code must completely disable the device. + +@return CC_OK On success. +@return A non-zero value from sbrom_bsv_error.h on failure. +*/ +CCError_t CC_BsvLcsGetAndInit( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + uint32_t *pLcs /*!< [out] Returned lifecycle state. */ + ); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/secureboot_base_func.h b/include/drivers/arm/cryptocell/712/secureboot_base_func.h new file mode 100644 index 0000000..6db596e --- /dev/null +++ b/include/drivers/arm/cryptocell/712/secureboot_base_func.h @@ -0,0 +1,49 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _SECURE_BOOT_BASE_FUNC_H +#define _SECURE_BOOT_BASE_FUNC_H + + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_pal_types.h" +#include "secureboot_gen_defs.h" + + +/*---------------------------- + PUBLIC FUNCTIONS +-----------------------------------*/ + +/** + * @brief This function calculates the HASH over the given data and than verify + * RSA signature on that hashed data + * + * @param[in] hwBaseAddr - CryptoCell base address + * @param[in] pData - pointer to the data to be verified + * @param[in] pNParams - a pointer to the public key parameters + * @param[in] pSignature - a pointer to the signature structure + * @param[in] sizeOfData - size of the data to calculate the HASH on (in bytes) + * @param[in] RSAAlg - RSA algorithm to use + * + * @return CCError_t - On success the value CC_OK is returned, + * on failure - a value from BootImagesVerifier_error.h + */ +CCError_t CCSbVerifySignature(unsigned long hwBaseAddress, + uint32_t *pData, + CCSbNParams_t *pNParams, + CCSbSignature_t *pSignature, + uint32_t sizeOfData, + CCSbRsaAlg_t RSAAlg); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/secureboot_gen_defs.h b/include/drivers/arm/cryptocell/712/secureboot_gen_defs.h new file mode 100644 index 0000000..68b9ef8 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/secureboot_gen_defs.h @@ -0,0 +1,56 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _SECURE_BOOT_GEN_DEFS_H +#define _SECURE_BOOT_GEN_DEFS_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! @file +@brief This file contains all of the definitions and structures that are used for the secure boot. +*/ + +#include "cc_pal_sb_plat.h" +#include "cc_sec_defs.h" + + +/* General definitions */ +/***********************/ + +/*RSA definitions*/ +#define SB_RSA_MOD_SIZE_IN_WORDS 64 +#define SB_RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS 5 + + +/*! Public key data structure. */ +typedef struct { + uint32_t N[SB_RSA_MOD_SIZE_IN_WORDS]; /*!< N public key, big endian representation. */ + uint32_t Np[SB_RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS]; /*!< Np (Barrett n' value). */ +} CCSbNParams_t; + +/*! Signature structure. */ +typedef struct { + uint32_t sig[SB_RSA_MOD_SIZE_IN_WORDS]; /*!< RSA PSS signature. */ +} CCSbSignature_t; + + +/********* Supported algorithms definitions ***********/ + +/*! RSA supported algorithms */ +typedef enum { + RSA_PSS_2048 = 0x01, /*!< RSA PSS 2048 after hash SHA 256 */ + RSA_PKCS15_2048 = 0x02, /*!< RSA PKX15 */ + RSA_Last = 0x7FFFFFFF +} CCSbRsaAlg_t; + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/712/util.h b/include/drivers/arm/cryptocell/712/util.h new file mode 100644 index 0000000..18fb599 --- /dev/null +++ b/include/drivers/arm/cryptocell/712/util.h @@ -0,0 +1,72 @@ +/* + * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef UTIL_H +#define UTIL_H + +/* + * All the includes that are needed for code using this module to + * compile correctly should be #included here. + */ + +#ifdef __cplusplus +extern "C" +{ +#endif + +/************************ Defines ******************************/ + +/* invers the bytes on a word- used for output from HASH */ +#ifdef BIG__ENDIAN +#define UTIL_INVERSE_UINT32_BYTES(val) (val) +#else +#define UTIL_INVERSE_UINT32_BYTES(val) \ + (((val) >> 24) | (((val) & 0x00FF0000) >> 8) | (((val) & 0x0000FF00) << 8) | (((val) & 0x000000FF) << 24)) +#endif + +/* invers the bytes on a word - used for input data for HASH */ +#ifdef BIG__ENDIAN +#define UTIL_REVERT_UINT32_BYTES(val) \ + (((val) >> 24) | (((val) & 0x00FF0000) >> 8) | (((val) & 0x0000FF00) << 8) | (((val) & 0x000000FF) << 24)) +#else +#define UTIL_REVERT_UINT32_BYTES(val) (val) +#endif + + /* ------------------------------------------------------------ + ** + * @brief This function executes a reverse bytes copying from one buffer to another buffer. + * + * @param[in] dst_ptr - The pointer to destination buffer. + * @param[in] src_ptr - The pointer to source buffer. + * @param[in] size - The size in bytes. + * + */ + +void UTIL_ReverseMemCopy(uint8_t *dst_ptr, uint8_t *src_ptr, uint32_t size); + + + /* ------------------------------------------------------------ + ** + * @brief This function executes a reversed byte copy on a specified buffer. + * + * on a 6 byte byffer: + * + * buff[5] <---> buff[0] + * buff[4] <---> buff[1] + * buff[3] <---> buff[2] + * + * @param[in] dst_ptr - The counter buffer. + * @param[in] src_ptr - The counter size in bytes. + * + */ +void UTIL_ReverseBuff(uint8_t *buff_ptr, uint32_t size); + + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/include/drivers/arm/cryptocell/cc_crypto_boot_defs.h b/include/drivers/arm/cryptocell/cc_crypto_boot_defs.h deleted file mode 100644 index 2cb8938..0000000 --- a/include/drivers/arm/cryptocell/cc_crypto_boot_defs.h +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _CC_CRYPTO_BOOT_DEFS_H -#define _CC_CRYPTO_BOOT_DEFS_H - -/*! @file -@brief This file contains SBROM definitions -*/ - -/*! Version counters value. */ -typedef enum { - - CC_SW_VERSION_COUNTER1 = 1, /*!< Counter 1 - trusted version. */ - CC_SW_VERSION_COUNTER2, /*!< Counter 2 - non trusted version. */ - - CC_SW_VERSION_MAX = 0x7FFFFFFF - -} CCSbSwVersionId_t; - -/* HASH boot key definition */ -typedef enum { - CC_SB_HASH_BOOT_KEY_0_128B = 0, /*!< 128-bit truncated SHA256 digest of public key 0. */ - CC_SB_HASH_BOOT_KEY_1_128B = 1, /*!< 128-bit truncated SHA256 digest of public key 1. */ - CC_SB_HASH_BOOT_KEY_256B = 2, /*!< 256-bit SHA256 digest of public key. */ - CC_SB_HASH_BOOT_NOT_USED = 0xFF, - CC_SB_HASH_MAX_NUM = 0x7FFFFFFF, /*!\internal use external 128-bit truncated SHA256 digest */ -} CCSbPubKeyIndexType_t; - - -#endif diff --git a/include/drivers/arm/cryptocell/cc_pal_sb_plat.h b/include/drivers/arm/cryptocell/cc_pal_sb_plat.h deleted file mode 100644 index 212a710..0000000 --- a/include/drivers/arm/cryptocell/cc_pal_sb_plat.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -/*! -@file -@brief This file contains the platform-dependent definitions that are used in the SBROM code. -*/ - -#ifndef _CC_PAL_SB_PLAT_H -#define _CC_PAL_SB_PLAT_H - -#include "cc_pal_types.h" - - -#ifdef __cplusplus -extern "C" -{ -#endif - -/*! Definition of DMA address type, can be 32 bits or 64 bits according to CryptoCell's HW. */ -typedef uint64_t CCDmaAddr_t; -/*! Definition of CryptoCell address type, can be 32 bits or 64 bits according to platform. */ -typedef uintptr_t CCAddr_t; - - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/cc_pal_types.h b/include/drivers/arm/cryptocell/cc_pal_types.h deleted file mode 100644 index 8c09b23..0000000 --- a/include/drivers/arm/cryptocell/cc_pal_types.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef CC_PAL_TYPES_H -#define CC_PAL_TYPES_H - -/*! -@file -@brief This file contains platform-dependent definitions and types. -*/ - -#include "cc_pal_types_plat.h" - -typedef enum { - CC_FALSE = 0, - CC_TRUE = 1 -} CCBool; - -#define CC_SUCCESS 0UL -#define CC_FAIL 1UL - -#define CC_1K_SIZE_IN_BYTES 1024 -#define CC_BITS_IN_BYTE 8 -#define CC_BITS_IN_32BIT_WORD 32 -#define CC_32BIT_WORD_SIZE (sizeof(uint32_t)) - -#define CC_OK CC_SUCCESS - -#define CC_UNUSED_PARAM(prm) ((void)prm) - -#define CC_MAX_UINT32_VAL (0xFFFFFFFF) - -#define CALC_FULL_BYTES(numBits) (((numBits) + (CC_BITS_IN_BYTE - 1))/CC_BITS_IN_BYTE) -#define CALC_FULL_32BIT_WORDS(numBits) (((numBits) + (CC_BITS_IN_32BIT_WORD - 1))/CC_BITS_IN_32BIT_WRD) -#define CALC_32BIT_WORDS_FROM_BYTES(sizeBytes) (((sizeBytes) + CC_32BIT_WORD_SIZE - 1)/CC_32BIT_WORD_SIZE) - -#endif diff --git a/include/drivers/arm/cryptocell/cc_pal_types_plat.h b/include/drivers/arm/cryptocell/cc_pal_types_plat.h deleted file mode 100644 index 8410024..0000000 --- a/include/drivers/arm/cryptocell/cc_pal_types_plat.h +++ /dev/null @@ -1,25 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -/*! @file -@brief This file contains basic type definitions that are platform-dependent. -*/ -#ifndef _CC_PAL_TYPES_PLAT_H -#define _CC_PAL_TYPES_PLAT_H -/* Host specific types for standard (ISO-C99) compilant platforms */ - -#include -#include - -typedef uint32_t CCStatus; - -#define CCError_t CCStatus -#define CC_INFINITE 0xFFFFFFFF - -#define CEXPORT_C -#define CIMPORT_C - -#endif /*_CC_PAL_TYPES_PLAT_H*/ diff --git a/include/drivers/arm/cryptocell/cc_sec_defs.h b/include/drivers/arm/cryptocell/cc_sec_defs.h deleted file mode 100644 index d419218..0000000 --- a/include/drivers/arm/cryptocell/cc_sec_defs.h +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _CC_SEC_DEFS_H -#define _CC_SEC_DEFS_H - -/*! -@file -@brief This file contains general hash definitions and types. -*/ - - -#ifdef __cplusplus -extern "C" -{ -#endif - -/*! The hashblock size in words. */ -#define HASH_BLOCK_SIZE_IN_WORDS 16 -/*! The hash - SHA2 results in words. */ -#define HASH_RESULT_SIZE_IN_WORDS 8 -#define HASH_RESULT_SIZE_IN_BYTES 32 - -/*! Definition for hash result array. */ -typedef uint32_t CCHashResult_t[HASH_RESULT_SIZE_IN_WORDS]; - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/crypto_driver.h b/include/drivers/arm/cryptocell/crypto_driver.h deleted file mode 100644 index 18104dd..0000000 --- a/include/drivers/arm/cryptocell/crypto_driver.h +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _CRYPTO_DRIVER_H -#define _CRYPTO_DRIVER_H - -#ifdef __cplusplus -extern "C" -{ -#endif - -#include "cc_pal_sb_plat.h" -#include "cc_sec_defs.h" - -/*---------------------------- - PUBLIC FUNCTIONS ------------------------------------*/ -/*! - * @brief This function gives the functionality of integrated hash - * - * @param[in] hwBaseAddress - CryptoCell base address - * @param[out] hashResult - the HASH result. - * - */ -CCError_t SBROM_CryptoHash(unsigned long hwBaseAddress, CCDmaAddr_t inputDataAddr, uint32_t BlockSize, - CCHashResult_t hashResult); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/nvm.h b/include/drivers/arm/cryptocell/nvm.h deleted file mode 100644 index a70289f..0000000 --- a/include/drivers/arm/cryptocell/nvm.h +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _NVM__H -#define _NVM__H - -#ifdef __cplusplus -extern "C" -{ -#endif - -#include "cc_crypto_boot_defs.h" -#include "cc_pal_types.h" -#include "cc_sec_defs.h" - -/*------------------------------------ - DEFINES --------------------------------------*/ - -/** - * @brief This function reads the LCS from the SRAM/NVM - * - * @param[in] hwBaseAddress - CryptoCell base address - * - * @param[in/out] lcs_ptr - pointer to memory to store the LCS - * - * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h - */ -CCError_t NVM_GetLCS(unsigned long hwBaseAddress, uint32_t *lcs_ptr); - -/** - * @brief The NVM_ReadHASHPubKey function is a NVM interface function - - * The function retrieves the HASH of the device Public key from the SRAM/NVM - * - * @param[in] hwBaseAddress - CryptoCell base address - * - * @param[in] pubKeyIndex - Index of HASH in the OTP - * - * @param[out] PubKeyHASH - the public key HASH. - * - * @param[in] hashSizeInWords - hash size (valid values: 4W, 8W) - * - * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h - */ - -CCError_t NVM_ReadHASHPubKey(unsigned long hwBaseAddress, CCSbPubKeyIndexType_t pubKeyIndex, CCHashResult_t PubKeyHASH, uint32_t hashSizeInWords); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/nvm_otp.h b/include/drivers/arm/cryptocell/nvm_otp.h deleted file mode 100644 index 390d62b..0000000 --- a/include/drivers/arm/cryptocell/nvm_otp.h +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _NVM_OTP_H -#define _NVM_OTP_H - -#ifdef __cplusplus -extern "C" -{ -#endif - -#include "cc_crypto_boot_defs.h" -#include "cc_pal_types.h" - -/*------------------------------------ - DEFINES --------------------------------------*/ - - - -/** - * @brief The NVM_GetSwVersion function is a NVM interface function - - * The function retrieves the SW version from the SRAM/NVM. - * In case of OTP, we support up to 16 anti-rollback counters (taken from the certificate) - * - * @param[in] hwBaseAddress - CryptoCell base address - * - * @param[in] counterId - relevant only for OTP (valid values: 1,2) - * - * @param[out] swVersion - the minimum SW version - * - * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h - */ -CCError_t NVM_GetSwVersion(unsigned long hwBaseAddress, CCSbSwVersionId_t counterId, uint32_t *swVersion); - - -/** - * @brief The NVM_SetSwVersion function is a NVM interface function - - * The function writes the SW version into the SRAM/NVM. - * In case of OTP, we support up to 16 anti-rollback counters (taken from the certificate) - * - * @param[in] hwBaseAddress - CryptoCell base address - * - * @param[in] counterId - relevant only for OTP (valid values: 1,2) - * - * @param[in] swVersion - the minimum SW version - * - * @return CCError_t - On success the value CC_OK is returned, and on failure -a value from NVM_error.h - */ -CCError_t NVM_SetSwVersion(unsigned long hwBaseAddress, CCSbSwVersionId_t counterId, uint32_t swVersion); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/rsa.h b/include/drivers/arm/cryptocell/rsa.h deleted file mode 100644 index cd9925b..0000000 --- a/include/drivers/arm/cryptocell/rsa.h +++ /dev/null @@ -1,55 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef RSA_H -#define RSA_H - -/* - * All the includes that are needed for code using this module to - * compile correctly should be #included here. - */ - -#ifdef __cplusplus -extern "C" -{ -#endif - -#include "cc_pal_types.h" - -/************************ Defines ******************************/ - -/* the modulus size ion bits */ -#define RSA_MOD_SIZE_IN_BITS 2048UL -#define RSA_MOD_SIZE_IN_BYTES (CALC_FULL_BYTES(RSA_MOD_SIZE_IN_BITS)) -#define RSA_MOD_SIZE_IN_WORDS (CALC_FULL_32BIT_WORDS(RSA_MOD_SIZE_IN_BITS)) -#define RSA_MOD_SIZE_IN_256BITS (RSA_MOD_SIZE_IN_WORDS/8) -#define RSA_EXP_SIZE_IN_BITS 17UL -#define RSA_EXP_SIZE_IN_BYTES (CALC_FULL_BYTES(RSA_EXP_SIZE_IN_BITS)) - -/* size of buffer for Barrett modulus tag NP, used in PKA algorithms */ -#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS 132 -#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BYTES (CALC_FULL_BYTES(RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS)) -#define RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS (CALC_FULL_32BIT_WORDS(RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_BITS)) - -/* - * @brief The RSA_CalcNp calculates Np value and saves it into Np_ptr: - * - * - - * @param[in] hwBaseAddress - HW base address. Relevant for HW - * implementation, for SW it is ignored. - * @N_ptr[in] - The pointer to the modulus buffer. - * @Np_ptr[out] - pointer to Np vector buffer. Its size must be >= 160. - */ -void RSA_CalcNp(unsigned long hwBaseAddress, - uint32_t *N_ptr, - uint32_t *Np_ptr); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/sbrom_bsv_api.h b/include/drivers/arm/cryptocell/sbrom_bsv_api.h deleted file mode 100644 index de83546..0000000 --- a/include/drivers/arm/cryptocell/sbrom_bsv_api.h +++ /dev/null @@ -1,72 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _SBROM_BSV_API_H -#define _SBROM_BSV_API_H - -#ifdef __cplusplus -extern "C" -{ -#endif - -/*! @file -@brief This file contains all SBROM library APIs and definitions. -*/ -#include "cc_pal_types.h" - -/* Life cycle state definitions */ -#define CC_BSV_CHIP_MANUFACTURE_LCS 0x0 /*!< CM lifecycle value. */ -#define CC_BSV_DEVICE_MANUFACTURE_LCS 0x1 /*!< DM lifecycle value. */ -#define CC_BSV_SECURITY_DISABLED_LCS 0x3 /*!< SD lifecycle value. */ -#define CC_BSV_SECURE_LCS 0x5 /*!< Secure lifecycle value. */ -#define CC_BSV_RMA_LCS 0x7 /*!< RMA lifecycle value. */ - -/*---------------------------- - PUBLIC FUNCTIONS ------------------------------------*/ - -/*! -@brief This function should be the first ARM TrustZone CryptoCell TEE SBROM library API called. -It verifies the HW product and version numbers. - -@return CC_OK On success. -@return A non-zero value from sbrom_bsv_error.h on failure. -*/ -CCError_t CC_BsvSbromInit( - unsigned long hwBaseAddress /*!< [in] HW registers base address. */ - ); - - -/*! -@brief This function can be used for checking the LCS value, after CC_BsvLcsGetAndInit was called by the Boot ROM. - -@return CC_OK On success. -@return A non-zero value from sbrom_bsv_error.h on failure. -*/ -CCError_t CC_BsvLcsGet( - unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ - uint32_t *pLcs /*!< [out] Returned lifecycle state. */ - ); - -/*! -@brief This function retrieves the HW security lifecycle state, performs validity checks, -and additional initializations in case the LCS is RMA (sets the Kce to fixed value). -\note Invalid LCS results in an error returned. -In this case, the customer's code must completely disable the device. - -@return CC_OK On success. -@return A non-zero value from sbrom_bsv_error.h on failure. -*/ -CCError_t CC_BsvLcsGetAndInit( - unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ - uint32_t *pLcs /*!< [out] Returned lifecycle state. */ - ); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/secureboot_base_func.h b/include/drivers/arm/cryptocell/secureboot_base_func.h deleted file mode 100644 index 6db596e..0000000 --- a/include/drivers/arm/cryptocell/secureboot_base_func.h +++ /dev/null @@ -1,49 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _SECURE_BOOT_BASE_FUNC_H -#define _SECURE_BOOT_BASE_FUNC_H - - -#ifdef __cplusplus -extern "C" -{ -#endif - -#include "cc_pal_types.h" -#include "secureboot_gen_defs.h" - - -/*---------------------------- - PUBLIC FUNCTIONS ------------------------------------*/ - -/** - * @brief This function calculates the HASH over the given data and than verify - * RSA signature on that hashed data - * - * @param[in] hwBaseAddr - CryptoCell base address - * @param[in] pData - pointer to the data to be verified - * @param[in] pNParams - a pointer to the public key parameters - * @param[in] pSignature - a pointer to the signature structure - * @param[in] sizeOfData - size of the data to calculate the HASH on (in bytes) - * @param[in] RSAAlg - RSA algorithm to use - * - * @return CCError_t - On success the value CC_OK is returned, - * on failure - a value from BootImagesVerifier_error.h - */ -CCError_t CCSbVerifySignature(unsigned long hwBaseAddress, - uint32_t *pData, - CCSbNParams_t *pNParams, - CCSbSignature_t *pSignature, - uint32_t sizeOfData, - CCSbRsaAlg_t RSAAlg); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/secureboot_gen_defs.h b/include/drivers/arm/cryptocell/secureboot_gen_defs.h deleted file mode 100644 index 68b9ef8..0000000 --- a/include/drivers/arm/cryptocell/secureboot_gen_defs.h +++ /dev/null @@ -1,56 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef _SECURE_BOOT_GEN_DEFS_H -#define _SECURE_BOOT_GEN_DEFS_H - -#ifdef __cplusplus -extern "C" -{ -#endif - -/*! @file -@brief This file contains all of the definitions and structures that are used for the secure boot. -*/ - -#include "cc_pal_sb_plat.h" -#include "cc_sec_defs.h" - - -/* General definitions */ -/***********************/ - -/*RSA definitions*/ -#define SB_RSA_MOD_SIZE_IN_WORDS 64 -#define SB_RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS 5 - - -/*! Public key data structure. */ -typedef struct { - uint32_t N[SB_RSA_MOD_SIZE_IN_WORDS]; /*!< N public key, big endian representation. */ - uint32_t Np[SB_RSA_HW_PKI_PKA_BARRETT_MOD_TAG_SIZE_IN_WORDS]; /*!< Np (Barrett n' value). */ -} CCSbNParams_t; - -/*! Signature structure. */ -typedef struct { - uint32_t sig[SB_RSA_MOD_SIZE_IN_WORDS]; /*!< RSA PSS signature. */ -} CCSbSignature_t; - - -/********* Supported algorithms definitions ***********/ - -/*! RSA supported algorithms */ -typedef enum { - RSA_PSS_2048 = 0x01, /*!< RSA PSS 2048 after hash SHA 256 */ - RSA_PKCS15_2048 = 0x02, /*!< RSA PKX15 */ - RSA_Last = 0x7FFFFFFF -} CCSbRsaAlg_t; - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/include/drivers/arm/cryptocell/util.h b/include/drivers/arm/cryptocell/util.h deleted file mode 100644 index 18fb599..0000000 --- a/include/drivers/arm/cryptocell/util.h +++ /dev/null @@ -1,72 +0,0 @@ -/* - * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. - * - * SPDX-License-Identifier: BSD-3-Clause - */ - -#ifndef UTIL_H -#define UTIL_H - -/* - * All the includes that are needed for code using this module to - * compile correctly should be #included here. - */ - -#ifdef __cplusplus -extern "C" -{ -#endif - -/************************ Defines ******************************/ - -/* invers the bytes on a word- used for output from HASH */ -#ifdef BIG__ENDIAN -#define UTIL_INVERSE_UINT32_BYTES(val) (val) -#else -#define UTIL_INVERSE_UINT32_BYTES(val) \ - (((val) >> 24) | (((val) & 0x00FF0000) >> 8) | (((val) & 0x0000FF00) << 8) | (((val) & 0x000000FF) << 24)) -#endif - -/* invers the bytes on a word - used for input data for HASH */ -#ifdef BIG__ENDIAN -#define UTIL_REVERT_UINT32_BYTES(val) \ - (((val) >> 24) | (((val) & 0x00FF0000) >> 8) | (((val) & 0x0000FF00) << 8) | (((val) & 0x000000FF) << 24)) -#else -#define UTIL_REVERT_UINT32_BYTES(val) (val) -#endif - - /* ------------------------------------------------------------ - ** - * @brief This function executes a reverse bytes copying from one buffer to another buffer. - * - * @param[in] dst_ptr - The pointer to destination buffer. - * @param[in] src_ptr - The pointer to source buffer. - * @param[in] size - The size in bytes. - * - */ - -void UTIL_ReverseMemCopy(uint8_t *dst_ptr, uint8_t *src_ptr, uint32_t size); - - - /* ------------------------------------------------------------ - ** - * @brief This function executes a reversed byte copy on a specified buffer. - * - * on a 6 byte byffer: - * - * buff[5] <---> buff[0] - * buff[4] <---> buff[1] - * buff[3] <---> buff[2] - * - * @param[in] dst_ptr - The counter buffer. - * @param[in] src_ptr - The counter size in bytes. - * - */ -void UTIL_ReverseBuff(uint8_t *buff_ptr, uint32_t size); - - -#ifdef __cplusplus -} -#endif - -#endif