path: root/core/lib
Age | Commit message | Author
2019-04-18 | core: ltc: fix preallocation of MPI bignums | Jens Wiklander
Fixes the preallocation to make room for the actual content also in crypto_bignum_allocate() by calling mbedtls_mpi_grow(). Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: add tomcrypt_init() when not crypto lib | Jens Wiklander
Adds tomcrypt_init() which is only available when LTC isn't configured as the crypto lib. tomcrypt_init() performs the same initialization as crypto_init() does when LTC is configured as the crypto lib. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: tomcrypt.c: conditionally init for aciphers | Jens Wiklander
Adds #if defined(_CFG_CORE_LTC_ACIPHER) around code only needed if LTC is configured for asymmetric ciphers (RSA, DSA, DH or ECC). Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: LTC use only _CFG_CORE_LTC_ variables | Jens Wiklander
LTC is only taking _CFG_CORE_LTC_ prefixed variables into account for configuration. _CFG_CORE_LTC_ prefixed variables are assigned based on CFG_CRYPTO_ and other variables for unchanged LTC configuration. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: tomcrypt.c: remove unused includes | Jens Wiklander
Removes #include of files not needed any longer. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: rename prng_mpa to prng_crypto | Jens Wiklander
Changes the name of the registered prng descriptor from "prng_mpa" to "prng_crypto" to better reflect the source of the prng. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move remaining external files from src | Jens Wiklander
Moves the remaining external source files from tomcrypt src directory. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move remaining exported aes functions | Jens Wiklander
Moves remaining exported aes functions to aes.c Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move remaining exported hash functions | Jens Wiklander
Moves remaining exported hash functions to hash.c Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move dh wrappers to separate file | Jens Wiklander
Moves the DH wrappers in tee_ltc_provider.c to its own file, dh.c. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move rsa wrappers to separate file | Jens Wiklander
Moves the RSA wrappers in tee_ltc_provider.c to its own file, rsa.c. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move ecc wrappers to separate file | Jens Wiklander
Moves the ECC wrappers in tee_ltc_provider.c to its own file, ecc.c. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: move dsa wrappers to separate file | Jens Wiklander
Moves the DSA wrappers in tee_ltc_provider.c to its own file, dsa.c. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-28 | core: ltc: dsa_import() use inlen instead of MAX_RSA_SIZE | Jens Wiklander
Upstream has changed dsa_import() to use inlen instead of MAX_RSA_SIZE. This is needed when compiling LTC with DSA but without RSA support. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-22 | core: add encrypt key length in AES encrypt API | Summer Qin
Adds size of expanded AES encryption key to crypto_aes_expand_enc_key() and crypto_aes_enc_block() to make the functions more safe to call. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Summer Qin <summer.qin@arm.com> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-22 | core: crypto: move AES-CTS wrappers from libtomcrypt/ to crypto/ | Jens Wiklander
Moves the AES-CTS implementation from LTC wrapper to core/crypto. The AES-CTS implementation can be overridden in a crypto library by setting CFG_CRYPTO_CTS_FROM_CRYPTOLIB:=y Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-11 | core: crypto: introduce struct crypto_authenc_ops | Jens Wiklander
Uses struct crypto_authenc_ops pointer in crypto context for authenc ciphers (AES-GCM and AES-CCM) as a glue layer instead of a switch(algo) in each crypto_authenc_*() function. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-11 | core: crypto: introduce struct crypto_cipher_ops | Jens Wiklander
Uses struct crypto_cipher_ops pointer in crypto context for ciphers as a glue layer instead of a switch(algo) in each crypto_cipher_*() function. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-11 | core: crypto: introduce struct crypto_mac_ops | Jens Wiklander
Uses struct crypto_mac_ops pointer in crypto context for MACs as a glue layer instead of a switch(algo) in each crypto_mac_*() function. Moves CBC-MAC implementation from LTC wrapper to core/crypto. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-11 | core: crypto: introduce struct crypto_hash_ops | Jens Wiklander
Uses struct crypto_hash_ops pointer in crypto context for hashes as a glue layer instead of a switch(algo) in each crypto_hash_*() function. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-03-01 | core: cleanup generic traces | Etienne Carriere
Remove useless newline character in few generic debug traces. Remove argument __func__ from a FMSG trace since already output by macro FMSG(). Remove error trace from syscall_storage_obj_read() that, prior this change, output failing error code from storage read() handler. This is useless and not done for other storage handlers return code. Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
2019-02-25 | libutils: remove buf_compare_ct() | Jerome Forissier
Now that we have consttime_memcmp(), buf_compare_ct() is redundant. Every time buf_compare_ct() is used, consttime_memcmp() may be used instead. This commit removes buf_compare_ct(). A compatibility wrapper is kept in <string_ext.h> to avoid knowingly breaking the build of any TA that may use it. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-02-05 | Fix alignment of data for mempool_alloc_pool() | Jens Wiklander
Prior to this patch, _TEE_MathAPI_Init() in lib/libutee/tee_api_arith_mpi.c was supplying a data buffer which was only 4 byte aligned while mempool_alloc_pool() requires the alignment of long. This will work in 32-bit mode, but could lead to an alignment problem in 64-bit mode. The same problem can happen with lib/libutee/tee_api_arith_mpa.c, but so far it has remained hidden. Incorrect alignment can result in errors like:
E/TA: assertion '!((vaddr_t)data & (POOL_ALIGN - 1))' failed at lib/libutils/ext/mempool.c:134 in mempool_alloc_pool()
This fix introduces MEMPOOL_ALIGN which specifies required alignment of data supplied to mempool_alloc_pool(). Fixes: 062e3d01c039 ("ta: switch to to mbedtls for bignum") Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v8) Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2019-01-31 | ltc: fix the CBC_MAC error | Oliver Chiang
When there is some data already pending in the cbc->block and the input data size is not large enough to do cbc_encrypt(), the pending data is going to be overwritten. For example, a serial input with size like 3,3... uncovers this bug. Signed-off-by: Oliver Chiang <rockerfeynman@gmail.com> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU)
2018-12-18 | libtomcrypt: Import SHA512/256 approved hash algorithm | Sumit Garg
SHA-512/256 is an approved hash algorithm and a vetted conditioner as per NIST.SP.800-90B spec. We have used it to condition raw thermal sensor noise on Developerbox to condense entropy. It is imported from libtomcrypt: Git url: https://github.com/libtom/libtomcrypt.git, release tag: v1.18.0. Signed-off-by: Sumit Garg <sumit.garg@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Joakim Bech <joakim.bech@linaro.org>
2018-11-15 | zlib: fix compiler warning | Jerome Forissier
GCC 8.x warns when building core/lib/zlib/inflate.c:
$ make PLATFORM=hikey-hikey960 out/arm-plat-hikey/core/lib/zlib/inflate.o
[...]
core/lib/zlib/inflate.c: In function ‘inflate’:
core/lib/zlib/inflate.c:842:25: warning: this statement may fall through [-Wimplicit-fallthrough=]
state->mode = DICT;
~~~~~~~~~~~~^~~~~~
core/lib/zlib/inflate.c:843:9: note: here
case DICT:
^~~~
[...]
Fix that by adding some /* Fall through */ comments. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-11-15 | core: crypto: add TEE_ALG_RSASSA_PKCS1_V1_5 | Gabor Szekely
This change integrates the LTC_PKCS_1_V1_5_NA1 into OPTEE as an extension as TEE_ALG_RSASSA_PKCS1_V1_5. This scheme allows to do PKCS#1 v1.5 EMSA without ASN.1 around the hash. It is used for implementing the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS. Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
2018-11-15 | libtomcrypt: port LTC_PKCS_1_V1_5_NA1 from ltc v1.18.2 | Gabor Szekely
This change ports LTC_PKCS_1_V1_5_NA1 from libtomcrypt v1.18.2. This scheme allows to do PKCS#1 v1.5 EMSA without ASN.1 around the hash. It is used for implementing the pkcs#11 CKM_RSA_PKCS mechanism for signing and verifying in SKS. This commit is a cherry pick of aa4bae5ae9a2 from the libtomcrypt repository. Link: <https://github.com/libtom/libtomcrypt/commit/aa4bae5ae9a2> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Gabor Szekely <szvgabor@gmail.com>
2018-11-14 | LTC: drop LTC_NO_ASM and configure | Jens Wiklander
Drops LTC_NO_ASM and configures endian and word size accordingly, that is, little endian and 32-bit or 64-bit depending on arm architecture. Defines ulong32 and ulong64 based on uint32_t and uint64_t to make sure that the types are always defined correctly. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-11-14 | core: switch to mbedtls for bignum | Jens Wiklander
Adds a mpi_desc.c wrapper to LTC in order to enable usage of bignum (mpi) routines from mbedtls. CFG_MBEDTLS_MPI=y (default y) builds the bignum routines for mbedtls and also enables their usage in LTC and by that replaces libmpa for privileged mode usage. User mode TAs still use libmpa. Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-11-13 | libfdt: Move to version v1.4.6-9 | Bryan O'Donoghue
This import adds FDT overlay plus brings in the latest bugfixes upstream. As noted in the below url, there is a performance problem with 1.4.7 so we target version 1.4.6-9 instead. https://github.com/ARM-software/arm-trusted-firmware/pull/1657 Upstream commit aadd0b65c987 ("checks: centralize printing of property names in failure messages") Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Suggested-by: Jens Wiklander <jens.wiklander@linaro.org> Suggested-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
2018-11-09 | ltc: move all bignum functions to mpa_desc.c | Jens Wiklander
Moves all crypto_bignum*() functions from tee_ltc_provider.c to mpa_desc.c in order to contain libmpa dependencies. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-11-09 | ltc: rename tomcrypt_mpa.h to tomcrypt_mp.h | Jens Wiklander
Renames tomcrypt_mpa.h to tomcrypt_mp.h in order to make it implementation neutral. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-11-09 | ltc: move external_mem_pool to mpa_desc.c | Jens Wiklander
Moves all initialization of external_mem_pool to mpa_desc.c and also makes external_mem_pool static as there's no external references. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-09-27 | Allow mixed declaration and code | Jens Wiklander
Removes the -Wdeclaration-after-statement compiler flag to allow mixed declaration and code Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-06-18 | libmpa: remove mpa_set_random_generator() | Jens Wiklander
MPA is used in two configurations, either in kernel mode or in user mode. In kernel mode random is always drawn with crypto_rng_read() and in user mode utee_cryp_random_number_generate() is used instead. This patch makes the code easier to follow by replacing the call via a function pointer to a normal function call instead. Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-06-18 | core: add new RNG implementation | Jens Wiklander
Adds a new cryptographically secure pseudo random number generator known as Fortuna. The implementation is based on the description in [0]. This implementation replaces the implementation in LTC which was used until now. Gathering of entropy has been refined with crypto_rng_add_event() to better match how entropy is added to Fortuna. An enum crypto_rng_src identifies the source of the event. The source also controls how the event is added. There are two options available, queue it in a circular buffer for later processing or adding it directly to a pool. The former option is suitable when being called from an interrupt handler or some other place where RPC to normal world is forbidden. plat_prng_add_jitter_entropy_norpc() is removed and plat_prng_add_jitter_entropy() is updated to use this new entropy source scheme. The configuration of LTC is simplified by this, now PRNG is always drawn via prng_mpa_desc. plat_rng_init() takes care of initializing the PRNG in order to allow platforms to override or enhance the Fortuna integration. [0] Link: https://www.schneier.com/academic/paperfiles/fortuna.pdf Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-06-13 | core: crypto: arm64 ce: update AES CBC routines | Jerome Forissier
Update the Aarch64 Crypto Extension accelerated CBC encryption/decryption routines to the latest upstream implementation in the Linux kernel (v4.17-rc7). Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960) CC: Ard Biesheuvel <ard.biesheuvel@linaro.org> Fixes: https://github.com/OP-TEE/optee_os/issues/2355 Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-06-07 | core: crypto: cleanup and fix CE accelerated AES CTR | Jerome Forissier
There is a problem with how the counter is incremented in our Aarch32 implementation of ce_aes_ctr_encrypt(). When 3 or more 16-byte blocks of data are processed, the counter is incremented one time too many and invalid data is produced as a result [1]. More generally, the way the counter is handled is quite convoluted. It is incremented:
- In the generic LibTomCrypt code in ctr_encrypt_sub(),
- In the Crypto Extension glue layer in aes_ctr_encrypt_nblocks(),
- In the CE accelerated assembly code in ce_aes_ctr_encrypt().
We can easily get rid of the second one. We can also avoid always calling the non-accelerated function on the first block of data. This commit simplifies the C code to reflect the following rules:
- The core encryption functions (accelerated or not) should use the counter value as is to process the first block of data,
- They should increment it for each block that is processed and return it as an output parameter
The AArch32 and AArch64 CE assembler implementations are updated to the latest available in the upstream Linux kernel (v4.17-rc7), thus incorporating further improvements/simplifications by Ard Biesheuvel. These functions handle the counter as described above so they fit our use case perfectly. Fixes: [1] https://github.com/OP-TEE/optee_os/issues/2305 CC: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960, 32/64, CE/no CE) Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-05-22 | mpa_desc.c: rename rand() to mpa_rand() | Jens Wiklander
In mpa_desc.c rename rand() to mpa_rand() to avoid conflict with the C99 function rand(). Reviewed-by: Joakim Bech <joakim.bech@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-05-16 | Remove license notice from STMicroelectronics files | Etienne Carriere
For a while now, the source files' license info has been defined by SPDX identifiers. We can safely remove the verbose license text from the files that are owned by either only STMicroelectronics or only both Linaro and STMicroelectronics. Signed-off-by: Etienne Carriere <etienne.carriere@st.com> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-23 | core: ltc: DSA signature verification: fix return code | Jerome Forissier
The GP TEE Internal Core specification mandates that TEE_AsymmetricVerifyDigest() must return TEE_SUCCESS if the signature is valid, TEE_ERROR_SIGNATURE_INVALID if it is invalid, or panic if any other error occurs. In the current implementation, TEE_ERROR_SIGNATURE_INVALID will never happen with the DSA algorithms. Fix that by properly checking the return code and signature status of the LibTomCrypt function. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-23 | core: ltc: ECC signature verification: fix return code | Jerome Forissier
The GP TEE Internal Core specification mandates that TEE_AsymmetricVerifyDigest() must return TEE_SUCCESS if the signature is valid, TEE_ERROR_SIGNATURE_INVALID if it is invalid, or panic if any other error occurs. In the current implementation, TEE_ERROR_SIGNATURE_INVALID will never happen with the ECC algorithms. Fix that by properly checking the return code and signature status of the LibTomCrypt function. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-23 | core: ltc: RSA signature verification: fix return code | Jerome Forissier
The GP TEE Internal Core specification mandates that TEE_AsymmetricVerifyDigest() must return TEE_SUCCESS if the signature is valid, TEE_ERROR_SIGNATURE_INVALID if it is invalid, or panic if any other error occurs. In the current implementation, all errors returned by the LibTomCrypt RSA signature verification function are translated to TEE_ERROR_SIGNATURE_INVALID. It is incorrect. Fix that by introducing a helper function to properly handle both the return code and the signature verification status. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-18 | Use mempool API from libutils for bignum allocations | Jens Wiklander
Uses the mempool API from libutils for bignum allocations. Reviewed-by: Volodymyr Babchuk <vlad.babchuk@gmail.com> Acked-by: Jerome Forissier <jerome.forissier@linaro.org> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-17 | ltc: detect GCM counter re-use | Jerome Forissier
Upstream commit 7d418b34b3fe ("Fix GCM counter reuse"): GCM should error out after processing (2^32)-1 blocks / (2^39)-256 bits [Note: LibTomCrypt GCM is used when CFG_CRYPTO_AES_GCM_FROM_CRYPTOLIB=y which is not the default] Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU) Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960) Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-12 | ltc: mpa: fix potential memory leak in exptmod() | Jerome Forissier
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Oliver Chiang <oliver.chiang@mstarsemi.com> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-11 | core: crypto: arm32: add counter increment in ce_aes_ctr_encrypt() | Jerome Forissier
Commit 628a9a10ca36 ("ltc: ctr: improve performance") reveals a bug in the Aarch32 accelerated crypto code (AES CTR mode), which causes xtest 9159 to fail with some invalid buffer content: encrypting 96 bytes of data in one pass does not yield the same result as encrypting 3 * 32 bytes. The problem is fixed by adding a missing counter increment in ce_aes_ctr_encrypt(). Fixes: 9ff4f2ccc026 ("arm32: AES using ARMv8-A cryptographic extensions") Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (HiKey960) Acked-by: Joakim Bech <joakim.bech@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-04-03 | core: crypto: ltc: introduce CFG_CORE_BIGNUM_MAX_BITS | Jerome Forissier
Make the size of big numbers in the TEE core configurable. The default (4096 bits) may be reduced if such a large key size is not needed, to save core memory. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
2018-03-17 | ltc: ctr: improve performance | Tetsuya Yoshizaki
When accel_ctr_encrypt() is not used, accel_ecb_encrypt() is used via ecb_encrypt() instead. The accel_ecb_encrypt() is frequently called at every single block process. VFP assembly code called from the accel_ecb_encrypt() is protected by tomcrypt_arm_neon_enable()/disable(). FIQ enable/disable and VFP register save/restore (64bitx32 registers!) to/from memory are done in the tomcrypt_arm_neon_enable()/disable(). These overhead exist in each single block process cause the degradation of system performance eventually. Cases where h/w accelerated AES-CTR did not show any effects or showed less performance than pure software processing have been observed. This patch resolves the issue by increasing utilization rate of accel_ctr_encrypt(). Signed-off-by: Tetsuya Yoshizaki <yoshizaki.tetsuya@socionext.com> Signed-off-by: Victor Chong <victor.chong@linaro.org> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>