libmbedtls: support mbedTLS in kernel mode

Initial step of mbedtls cryptos integration. Directory created and interface file is drafted. All function interfaces are set to "not supported". The mbedtls can be selected by specifying build flags "CFG_CRYPTOLIB_NAME=mbedtls" and "CFG_CRYPTOLIB_DIR=lib/libmbedtls" Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Edison Ai <edison.ai@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
author: Edison Ai <edison.ai@arm.com> 2017-12-15 16:38:30 +0800
committer: Jérôme Forissier <jerome.forissier@linaro.org> 2019-04-01 09:34:25 +0200
commit: 77327d7a47019cf9f66972403d0de1c32fe4cdee (patch)
tree: 0e13ba3fceeeb60bb53997c66863590c98b57f8a
parent: 8452b18172c76723ca6bd0606c8696d8c588673b (diff)
6 files changed, 400 insertions, 0 deletions
diff --git a/core/core.mk b/core/core.mk
index 3efa5d1f..ff5443a6 100644
--- a/core/core.mk
+++ b/core/core.mk
@@ -100,6 +100,10 @@ include mk/lib.mk
 endif
 endif #tomcrypt
 
+ifeq ($(CFG_CRYPTOLIB_NAME),mbedtls)
+$(call force,CFG_CRYPTO_RSASSA_NA1,n,not supported by mbedtls)
+endif
+
 ifeq ($(firstword $(subst /, ,$(CFG_CRYPTOLIB_DIR))),core)
 # If a library can be compiled for both core and user space a base-prefix
 # is needed in order to avoid conflicts in the output. However, if the
diff --git a/lib/libmbedtls/core/stubbed.c b/lib/libmbedtls/core/stubbed.c
new file mode 100644
index 00000000..9e803199
--- /dev/null
+++ b/lib/libmbedtls/core/stubbed.c
@@ -0,0 +1,380 @@
+// SPDX-License-Identifier: BSD-2-Clause
+/*
+ * Copyright (C) 2018, ARM Limited
+ * Copyright (C) 2019, Linaro Limited
+ */
+
+#include <assert.h>
+#include <compiler.h>
+#include <crypto/crypto.h>
+#include <crypto/crypto_impl.h>
+#include <kernel/panic.h>
+#include <stdlib.h>
+
+/******************************************************************************
+ * Asymmetric algorithms
+ ******************************************************************************/
+
+#if defined(CFG_CRYPTO_RSA) || defined(CFG_CRYPTO_DSA) || \
+    defined(CFG_CRYPTO_DH) || defined(CFG_CRYPTO_ECC)
+struct bignum *crypto_bignum_allocate(size_t size_bits __unused)
+{
+	return NULL;
+}
+
+TEE_Result crypto_bignum_bin2bn(const uint8_t *from __unused,
+				size_t fromsize __unused,
+				struct bignum *to __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+size_t crypto_bignum_num_bytes(struct bignum *a __unused)
+{
+	return 0;
+}
+
+size_t crypto_bignum_num_bits(struct bignum *a __unused)
+{
+	return 0;
+}
+
+void crypto_bignum_bn2bin(const struct bignum *from __unused,
+			  uint8_t *to __unused)
+{
+}
+
+void crypto_bignum_copy(struct bignum *to __unused,
+			const struct bignum *from __unused)
+{
+}
+
+void crypto_bignum_free(struct bignum *a)
+{
+	if (a)
+		panic();
+}
+
+void crypto_bignum_clear(struct bignum *a __unused)
+{
+}
+
+/* return -1 if a<b, 0 if a==b, +1 if a>b */
+int32_t crypto_bignum_compare(struct bignum *a __unused,
+			      struct bignum *b __unused)
+{
+	return -1;
+}
+#endif
+
+
+#if defined(CFG_CRYPTO_RSA)
+TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s __unused,
+					    size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result
+crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s __unused,
+				    size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s __unused)
+{
+}
+
+TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key __unused,
+				      size_t key_size __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key __unused,
+					   const uint8_t *src __unused,
+					   size_t src_len __unused,
+					   uint8_t *dst __unused,
+					   size_t *dst_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key __unused,
+					   const uint8_t *src __unused,
+					   size_t src_len __unused,
+					   uint8_t *dst __unused,
+					   size_t *dst_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo __unused,
+					struct rsa_keypair *key __unused,
+					const uint8_t *label __unused,
+					size_t label_len __unused,
+					const uint8_t *src __unused,
+					size_t src_len __unused,
+					uint8_t *dst __unused,
+					size_t *dst_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo __unused,
+					struct rsa_public_key *key __unused,
+					const uint8_t *label __unused,
+					size_t label_len __unused,
+					const uint8_t *src __unused,
+					size_t src_len __unused,
+					uint8_t *dst __unused,
+					size_t *dst_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_rsassa_sign(uint32_t algo __unused,
+				      struct rsa_keypair *key __unused,
+				      int salt_len __unused,
+				      const uint8_t *msg __unused,
+				      size_t msg_len __unused,
+				      uint8_t *sig __unused,
+				      size_t *sig_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_rsassa_verify(uint32_t algo __unused,
+					struct rsa_public_key *key __unused,
+					int salt_len __unused,
+					const uint8_t *msg __unused,
+					size_t msg_len __unused,
+					const uint8_t *sig __unused,
+					size_t sig_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+#endif /* CFG_CRYPTO_RSA */
+
+#if defined(CFG_CRYPTO_DSA)
+TEE_Result crypto_acipher_alloc_dsa_keypair(struct dsa_keypair *s __unused,
+					    size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result
+crypto_acipher_alloc_dsa_public_key(struct dsa_public_key *s __unused,
+				    size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_gen_dsa_key(struct dsa_keypair *key __unused,
+				      size_t key_size __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_dsa_sign(uint32_t algo __unused,
+				   struct dsa_keypair *key __unused,
+				   const uint8_t *msg __unused,
+				   size_t msg_len __unused,
+				   uint8_t *sig __unused,
+				   size_t *sig_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_dsa_verify(uint32_t algo __unused,
+				     struct dsa_public_key *key __unused,
+				     const uint8_t *msg __unused,
+				     size_t msg_len __unused,
+				     const uint8_t *sig __unused,
+				     size_t sig_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+#endif /* CFG_CRYPTO_DSA */
+
+#if defined(CFG_CRYPTO_DH)
+TEE_Result crypto_acipher_alloc_dh_keypair(struct dh_keypair *s __unused,
+					   size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_gen_dh_key(struct dh_keypair *key __unused,
+				     struct bignum *q __unused,
+				     size_t xbits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result
+crypto_acipher_dh_shared_secret(struct dh_keypair *private_key __unused,
+				struct bignum *public_key __unused,
+				struct bignum *secret __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+#endif /* CFG_CRYPTO_DH */
+
+#if defined(CFG_CRYPTO_ECC)
+TEE_Result
+crypto_acipher_alloc_ecc_public_key(struct ecc_public_key *s __unused,
+				    size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_alloc_ecc_keypair(struct ecc_keypair *s __unused,
+					    size_t key_size_bits __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+void crypto_acipher_free_ecc_public_key(struct ecc_public_key *s __unused)
+{
+}
+
+TEE_Result crypto_acipher_gen_ecc_key(struct ecc_keypair *key __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_ecc_sign(uint32_t algo __unused,
+				   struct ecc_keypair *key __unused,
+				   const uint8_t *msg __unused,
+				   size_t msg_len __unused,
+				   uint8_t *sig __unused,
+				   size_t *sig_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result crypto_acipher_ecc_verify(uint32_t algo __unused,
+				     struct ecc_public_key *key __unused,
+				     const uint8_t *msg __unused,
+				     size_t msg_len __unused,
+				     const uint8_t *sig __unused,
+				     size_t sig_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+TEE_Result
+crypto_acipher_ecc_shared_secret(struct ecc_keypair *private_key __unused,
+				 struct ecc_public_key *public_key __unused,
+				 void *secret __unused,
+				 unsigned long *secret_len __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+#endif /* CFG_CRYPTO_ECC */
+
+TEE_Result crypto_init(void)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+#if defined(CFG_CRYPTO_SHA256)
+TEE_Result hash_sha256_check(const uint8_t *hash  __unused,
+		const uint8_t *data __unused,
+		size_t data_size __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+#endif
+
+TEE_Result crypto_aes_expand_enc_key(const void *key __unused,
+				     size_t key_len __unused,
+				     void *enc_key __unused,
+				     size_t enc_keylen __unused,
+				     unsigned int *rounds __unused)
+{
+	return TEE_ERROR_NOT_IMPLEMENTED;
+}
+
+void crypto_aes_enc_block(const void *enc_key __unused,
+			  size_t enc_keylen __unused,
+			  unsigned int rounds __unused,
+			  const void *src __unused, void *dst __unused)
+{
+}
+
+/* Stubs for the crypto alloc ctx functions matching crypto_impl.h */
+#undef CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED
+
+#define CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(name, type) \
+	TEE_Result \
+	crypto_##name##_alloc_ctx(struct crypto_##type##_ctx **ctx __unused) \
+	{ return TEE_ERROR_NOT_IMPLEMENTED; }
+
+#if defined(CFG_CRYPTO_MD5)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(md5, hash)
+#endif
+
+#if defined(CFG_CRYPTO_SHA1)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(sha1, hash)
+#endif
+
+#if defined(CFG_CRYPTO_SHA224)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(sha224, hash)
+#endif
+
+#if defined(CFG_CRYPTO_SHA256)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(sha256, hash)
+#endif
+
+#if defined(CFG_CRYPTO_SHA384)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(sha384, hash)
+#endif
+
+#if defined(CFG_CRYPTO_SHA512)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(sha512, hash)
+#endif
+
+#if defined(CFG_CRYPTO_HMAC)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(hmac_md5, mac)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(hmac_sha1, mac)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(hmac_sha224, mac)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(hmac_sha256, mac)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(hmac_sha384, mac)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(hmac_sha512, mac)
+#endif
+
+#if defined(CFG_CRYPTO_CMAC)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(aes_cmac, mac)
+#endif
+
+#if defined(CFG_CRYPTO_AES) && defined(CFG_CRYPTO_ECB)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(aes_ecb, cipher)
+#endif
+
+#if defined(CFG_CRYPTO_AES) && defined(CFG_CRYPTO_CBC)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(aes_cbc, cipher)
+#endif
+
+#if defined(CFG_CRYPTO_AES) && defined(CFG_CRYPTO_CTR)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(aes_ctr, cipher)
+#endif
+
+#if defined(CFG_CRYPTO_AES) && defined(CFG_CRYPTO_XTS)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(aes_xts, cipher)
+#endif
+
+#if defined(CFG_CRYPTO_DES) && defined(CFG_CRYPTO_ECB)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(des_ecb, cipher)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(des3_ecb, cipher)
+#endif
+
+#if defined(CFG_CRYPTO_DES) && defined(CFG_CRYPTO_CBC)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(des_cbc, cipher)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(des3_cbc, cipher)
+#endif
+
+#if defined(CFG_CRYPTO_CCM)
+CRYPTO_ALLOC_CTX_NOT_IMPLEMENTED(aes_ccm, authenc)
+#endif
diff --git a/lib/libmbedtls/core/sub.mk b/lib/libmbedtls/core/sub.mk
new file mode 100644
index 00000000..d1c5df14
--- /dev/null
+++ b/lib/libmbedtls/core/sub.mk
@@ -0,0 +1,3 @@
+cflags-lib-$(CFG_CRYPTO_SIZE_OPTIMIZATION) += -Os
+
+srcs-y += stubbed.c
diff --git a/lib/libmbedtls/include/mbedtls_config_kernel.h b/lib/libmbedtls/include/mbedtls_config_kernel.h
index 55330496..dd37f824 100644
--- a/lib/libmbedtls/include/mbedtls_config_kernel.h
+++ b/lib/libmbedtls/include/mbedtls_config_kernel.h
@@ -14,6 +14,11 @@
 #define MBEDTLS_GENPRIME
 #endif
 
+/* Test if Mbedtls is the primary crypto lib */
+#ifdef CFG_CRYPTOLIB_NAME_mbedtls
+
+#endif /*CFG_CRYPTOLIB_NAME_mbedtls*/
+
 #include <mbedtls/check_config.h>
 
 #endif /* __MBEDTLS_CONFIG_KERNEL_H */
diff --git a/lib/libmbedtls/sub.mk b/lib/libmbedtls/sub.mk
index da16e569..66d61b74 100644
--- a/lib/libmbedtls/sub.mk
+++ b/lib/libmbedtls/sub.mk
@@ -94,3 +94,7 @@ srcs-$(sm-$(ta-target)) += $(addprefix mbedtls/library/, $(SRCS_TLS))
 
 cflags-lib-y += -Wno-redundant-decls
 cflags-lib-y += -Wno-switch-default
+
+ifeq ($(CFG_CRYPTOLIB_NAME_mbedtls),y)
+subdirs-$(sm-core) += core
+endif
diff --git a/mk/config.mk b/mk/config.mk
index 69df72db..6196b39f 100644
--- a/mk/config.mk
+++ b/mk/config.mk
@@ -437,6 +437,10 @@ CFG_TA_MBEDTLS_SELF_TEST ?= y
 # for the API in <crypto/crypto.h>
 # CFG_CRYPTOLIB_NAME is used as libname and
 # CFG_CRYPTOLIB_DIR is used as libdir when compiling the library
+#
+# It's also possible to configure to use mbedtls instead of tomcrypt.
+# Then the variables should be assigned as "CFG_CRYPTOLIB_NAME=mbedtls" and
+# "CFG_CRYPTOLIB_DIR=lib/libmbedtls" respectively.
 CFG_CRYPTOLIB_NAME ?= tomcrypt
 CFG_CRYPTOLIB_DIR ?= core/lib/libtomcrypt
author	Edison Ai <edison.ai@arm.com>	2017-12-15 16:38:30 +0800
committer	Jérôme Forissier <jerome.forissier@linaro.org>	2019-04-01 09:34:25 +0200
commit	77327d7a47019cf9f66972403d0de1c32fe4cdee (patch)
tree	0e13ba3fceeeb60bb53997c66863590c98b57f8a
parent	8452b18172c76723ca6bd0606c8696d8c588673b (diff)