Gitiles
Code Review Sign In
git01.mediatek.com / filogic / atf / c68b8af4ae17eb6736fe931628c6e4d76cbd0db8 / . / plat / st / common / stm32mp_crypto_lib.c
blob: 373a0081500884732d25e501fe51c5503287179c [file] [log] [blame]
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]1/*
Yann Gautierc68b8af2023-01-24 09:39:47 +0100[diff] [blame^]2 * Copyright (c) 2022-2023, STMicroelectronics - All Rights Reserved
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]3 *
4 * SPDX-License-Identifier: BSD-3-Clause
5 */
6
7#include <assert.h>
8#include <endian.h>
9#include <errno.h>
10
11#include <common/debug.h>
12#include <drivers/auth/crypto_mod.h>
13#include <drivers/io/io_storage.h>
14#include <drivers/st/bsec.h>
15#include <drivers/st/stm32_hash.h>
16#include <drivers/st/stm32_pka.h>
17#include <drivers/st/stm32_rng.h>
18#include <drivers/st/stm32_saes.h>
Yann Gautier93d30f52022-12-12 14:53:45 +0100[diff] [blame]19#include <lib/utils.h>
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]20#include <lib/xlat_tables/xlat_tables_v2.h>
21#include <mbedtls/asn1.h>
22#include <mbedtls/md.h>
23#include <mbedtls/oid.h>
24#include <mbedtls/platform.h>
25#include <mbedtls/x509.h>
26#include <plat/common/platform.h>
27#include <tools_share/firmware_encrypted.h>
28
29#include <platform_def.h>
30
31#define CRYPTO_HASH_MAX_SIZE 32U
32#define CRYPTO_SIGN_MAX_SIZE 64U
33#define CRYPTO_PUBKEY_MAX_SIZE 64U
34#define CRYPTO_MAX_TAG_SIZE 16U
35
36/* brainpoolP256t1 OID is not defined in mbedTLS */
37#define OID_EC_GRP_BP256T1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x08"
38
39#if STM32MP_CRYPTO_ROM_LIB
40struct stm32mp_auth_ops {
41 uint32_t (*verify_signature)(uint8_t *hash_in, uint8_t *pubkey_in,
42 uint8_t *signature, uint32_t ecc_algo);
43};
44
45static struct stm32mp_auth_ops auth_ops;
46#endif
47
48static void crypto_lib_init(void)
49{
50 boot_api_context_t *boot_context __maybe_unused;
51 int ret;
52
53 NOTICE("TRUSTED_BOARD_BOOT support enabled\n");
54
55 ret = stm32_hash_register();
56 if (ret != 0) {
57 ERROR("HASH init (%d)\n", ret);
58 panic();
59 }
60
61 if (stm32mp_is_closed_device() || stm32mp_is_auth_supported()) {
62#if STM32MP_CRYPTO_ROM_LIB
63 boot_context = (boot_api_context_t *)stm32mp_get_boot_ctx_address();
64 auth_ops.verify_signature = boot_context->bootrom_ecdsa_verify_signature;
65#else
66 /* Use hardware peripherals */
67 if (stm32_rng_init() != 0) {
68 panic();
69 }
70
71 if (stm32_saes_driver_init() != 0) {
72 panic();
73 }
74
75 if (stm32_pka_init() != 0) {
76 panic();
77 }
78#endif
79 }
80}
81
Yann Gautier34b49882022-12-12 14:56:39 +0100[diff] [blame]82static int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk,
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]83 unsigned int *len, int *pk_alg)
84{
85 int ret;
86 mbedtls_pk_context mbedtls_pk = {0};
87 unsigned char *p, *end;
88 mbedtls_asn1_buf alg_params = {0};
89 mbedtls_asn1_buf alg_oid = {0};
90
91 *plain_pk = NULL;
92 *len = 0U;
93
94 /* Parse the public key */
95 mbedtls_pk_init(&mbedtls_pk);
96 p = (unsigned char *)pk_ptr;
97 end = (unsigned char *)(p + pk_len);
98
99 ret = mbedtls_asn1_get_tag(&p, end, len,
100 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE);
101 if (ret != 0) {
102 return -EINVAL;
103 }
104
105 end = p + *len;
106 ret = mbedtls_asn1_get_alg(&p, end, &alg_oid, &alg_params);
107 if (ret != 0) {
108 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret);
109 return -EINVAL;
110 }
111
112 if (pk_alg != NULL) {
113 if ((strlen(MBEDTLS_OID_EC_GRP_SECP256R1) == alg_params.len) &&
114 (memcmp(MBEDTLS_OID_EC_GRP_SECP256R1, alg_params.p, alg_params.len) == 0)) {
115 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_P256NIST;
116 } else if ((strlen(OID_EC_GRP_BP256T1) == alg_params.len) &&
117 (memcmp(OID_EC_GRP_BP256T1, alg_params.p, alg_params.len) == 0)) {
118 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256;
119 } else {
120 ERROR("%s: Algorithm is not supported\n", __func__);
121 return -EINVAL;
122 }
123 }
124
125 ret = mbedtls_asn1_get_bitstring_null(&p, end, len);
126 if (ret != 0) {
127 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret);
128 return -EINVAL;
129 }
130
131 /* We remove the ident (0x04) first byte. */
132 if ((*len < 1U) || (p[0] != MBEDTLS_ASN1_OCTET_STRING)) {
133 VERBOSE("%s: not expected len or tag\n", __func__);
134 return -EINVAL;
135 }
136
137 *len = *len - 1U;
138 *plain_pk = p + 1U;
139
140 return 0;
141}
142
143#if STM32MP_CRYPTO_ROM_LIB
144uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in,
145 uint8_t *signature, uint32_t ecc_algo)
146{
147 int ret;
148
149 ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE,
150 STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE);
151 if (ret != 0) {
152 VERBOSE("%s: mmap_add_dynamic_region (%d)\n", __func__, ret);
153 return CRYPTO_ERR_SIGNATURE;
154 }
155
156 ret = auth_ops.verify_signature(hash_in, pubkey_in, signature, ecc_algo);
157
158 if (ret != BOOT_API_RETURN_OK) {
159 VERBOSE("%s: auth_ops.verify_sign (%d)\n", __func__, ret);
160 ret = CRYPTO_ERR_SIGNATURE;
161 } else {
162 ret = 0;
163 }
164
165 mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED);
166
167 return ret;
168}
169
Yann Gautierc68b8af2023-01-24 09:39:47 +0100[diff] [blame^]170static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
171 void **hashed_pk_ptr, unsigned int *hashed_pk_len)
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]172{
173 return get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, hashed_pk_ptr, hashed_pk_len, NULL);
174}
175#else /* STM32MP_CRYPTO_ROM_LIB*/
176static uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in,
177 uint8_t *signature, uint32_t ecc_algo)
178{
179 int ret = -1;
180 enum stm32_pka_ecdsa_curve_id cid;
181
182 switch (ecc_algo) {
183 case BOOT_API_ECDSA_ALGO_TYPE_P256NIST:
184#if PKA_USE_NIST_P256
185 cid = PKA_NIST_P256;
186 ret = 0;
187#else
188 WARN("%s nist_p256 requested but not included\n", __func__);
189#endif
190 break;
191 case BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256:
192#if PKA_USE_BRAINPOOL_P256T1
193 cid = PKA_BRAINPOOL_P256T1;
194 ret = 0;
195#else
196 WARN("%s brainpool_p256t1 requested but not included\n", __func__);
197#endif
198 break;
199 default:
200 WARN("%s unexpected ecc_algo(%u)\n", __func__, ecc_algo);
201 break;
202 }
203
204 if (ret < 0) {
205 return CRYPTO_ERR_SIGNATURE;
206 }
207
208 ret = stm32_pka_ecdsa_verif(hash_in,
209 BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES,
210 signature, BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
211 signature + BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
212 BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U,
213 pubkey_in, BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U,
214 pubkey_in + BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U,
215 BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, cid);
216 if (ret < 0) {
217 return CRYPTO_ERR_SIGNATURE;
218 }
219
220 return 0;
221}
222
Yann Gautierc68b8af2023-01-24 09:39:47 +0100[diff] [blame^]223static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len,
224 void **hashed_pk_ptr, unsigned int *hashed_pk_len)
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]225{
226 static uint8_t st_pk[CRYPTO_PUBKEY_MAX_SIZE + sizeof(uint32_t)];
227 int ret;
228 void *plain_pk;
229 unsigned int len;
230 int curve_id;
231 uint32_t cid;
232
233 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, &plain_pk, &len, &curve_id);
234 if ((ret != 0) || (len > CRYPTO_PUBKEY_MAX_SIZE)) {
235 return -EINVAL;
236 }
237
238 cid = curve_id; /* we want value of curve_id (1 or 2) in a uint32_t */
239
240 memcpy(st_pk, &cid, sizeof(cid));
241 memcpy(st_pk + sizeof(cid), plain_pk, len);
242
243 *hashed_pk_ptr = st_pk;
244 *hashed_pk_len = len + sizeof(cid);
245
246 return 0;
247}
248#endif /* STM32MP_CRYPTO_ROM_LIB */
249
250static int get_plain_digest_from_asn1(void *digest_ptr, unsigned int digest_len,
251 uint8_t **out, size_t *out_len, mbedtls_md_type_t *md_alg)
252{
253 int ret;
254 mbedtls_asn1_buf hash_oid, params;
255 size_t len;
256 unsigned char *p, *end;
257
258 *out = NULL;
259 *out_len = 0U;
260
261 /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
262 p = (unsigned char *)digest_ptr;
263 end = p + digest_len;
264 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
265 MBEDTLS_ASN1_SEQUENCE);
266 if (ret != 0) {
267 return ret;
268 }
269
270 /* Get the hash algorithm */
271 ret = mbedtls_asn1_get_alg(&p, end, &hash_oid, &params);
272 if (ret != 0) {
273 return ret;
274 }
275
276 ret = mbedtls_oid_get_md_alg(&hash_oid, md_alg);
277 if (ret != 0) {
278 return ret;
279 }
280
281 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
282 if (ret != 0) {
283 return ret;
284 }
285
286 /* Length of hash must match the algorithm's size */
287 if (len != BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES) {
288 return -1;
289 }
290
291 *out = p;
292 *out_len = len;
293
294 return 0;
295}
296
297static int crypto_verify_signature(void *data_ptr, unsigned int data_len,
298 void *sig_ptr, unsigned int sig_len,
299 void *sig_alg, unsigned int sig_alg_len,
300 void *pk_ptr, unsigned int pk_len)
301{
302 uint8_t image_hash[CRYPTO_HASH_MAX_SIZE] = {0};
303 uint8_t sig[CRYPTO_SIGN_MAX_SIZE];
304 uint8_t my_pk[CRYPTO_PUBKEY_MAX_SIZE];
305 int ret;
306 size_t len;
307 mbedtls_asn1_sequence seq;
308 mbedtls_asn1_sequence *cur;
309 unsigned char *p, *end;
310 int curve_id;
311 mbedtls_asn1_buf sig_oid, sig_params;
312 mbedtls_md_type_t md_alg;
313 mbedtls_pk_type_t pk_alg;
314 size_t bignum_len = sizeof(sig) / 2U;
315 unsigned int seq_num = 0U;
316
317 if (!stm32mp_is_closed_device() && !stm32mp_is_auth_supported()) {
318 return CRYPTO_SUCCESS;
319 }
320
321 /* Get pointers to signature OID and parameters */
322 p = (unsigned char *)sig_alg;
323 end = (unsigned char *)(p + sig_alg_len);
324 ret = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
325 if (ret != 0) {
326 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret);
327 return CRYPTO_ERR_SIGNATURE;
328 }
329
330 /* Get the actual signature algorithm (MD + PK) */
331 ret = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
332 if (ret != 0) {
333 VERBOSE("%s: mbedtls_oid_get_sig_alg (%d)\n", __func__, ret);
334 return CRYPTO_ERR_SIGNATURE;
335 }
336
337 if ((md_alg != MBEDTLS_MD_SHA256) || (pk_alg != MBEDTLS_PK_ECDSA)) {
338 VERBOSE("%s: md_alg=%u pk_alg=%u\n", __func__, md_alg, pk_alg);
339 return CRYPTO_ERR_SIGNATURE;
340 }
341
342 ret = get_plain_pk_from_asn1(pk_ptr, pk_len, &pk_ptr, &pk_len, &curve_id);
343 if (ret != 0) {
344 VERBOSE("%s: get_plain_pk_from_asn1 (%d)\n", __func__, ret);
345 return CRYPTO_ERR_SIGNATURE;
346 }
347
348 /* We expect a known pk_len */
349 if (pk_len != sizeof(my_pk)) {
350 VERBOSE("%s: pk_len=%u sizeof(my_pk)=%zu)\n", __func__, pk_len, sizeof(my_pk));
351 return CRYPTO_ERR_SIGNATURE;
352 }
353
354 /* Need to copy as auth_ops.verify_signature
355 * expects aligned public key.
356 */
357 memcpy(my_pk, pk_ptr, sizeof(my_pk));
358
359 /* Get the signature (bitstring) */
360 p = (unsigned char *)sig_ptr;
361 end = (unsigned char *)(p + sig_len);
362 ret = mbedtls_asn1_get_bitstring_null(&p, end, &len);
363 if (ret != 0) {
364 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret);
365 return CRYPTO_ERR_SIGNATURE;
366 }
367
368 /* Get r and s from sequence */
369 ret = mbedtls_asn1_get_sequence_of(&p, end, &seq, MBEDTLS_ASN1_INTEGER);
370 if (ret != 0) {
371 VERBOSE("%s: mbedtls_asn1_get_sequence_of (%d)\n", __func__, ret);
372 return CRYPTO_ERR_SIGNATURE;
373 }
374
375 /* We expect only 2 integers (r and s) from the sequence */
376 if (seq.next->next != NULL) {
377 cur = seq.next;
378 mbedtls_asn1_sequence *next;
379
380 VERBOSE("%s: nb seq != 2\n", __func__);
381 /* Free all the sequences */
382 while (cur != NULL) {
383 next = cur->next;
384 mbedtls_free(cur);
385 cur = next;
386 }
387
388 return CRYPTO_ERR_SIGNATURE;
389 }
390
391 /*
392 * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n.
393 * This means that the R and S can have a maximum of 32 each, but can also be smaller.
394 * Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only
395 * manage exactly 2*32 bytes, we remove this higher byte if there are not 00,
396 * we will fail either.
397 */
398 cur = &seq;
399 memset(sig, 0U, sizeof(sig));
400
401 while (cur != NULL) {
402 size_t skip = 0U;
403 size_t seek = seq_num * bignum_len;
404
405 if (cur->buf.len > bignum_len) {
406 /* Remove extra 0x00 bytes */
407 skip = cur->buf.len - bignum_len;
408 } else if (cur->buf.len < bignum_len) {
409 /* Add padding to match HW required size */
410 seek += (bignum_len % cur->buf.len);
411 }
412
413 if (seek + cur->buf.len > sizeof(sig) + skip) {
414 panic();
415 }
416
417 memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip);
418 cur = cur->next;
419 seq_num++;
420 }
421
422 /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */
423 mbedtls_free(seq.next);
424
425 /* Compute hash for the data covered by the signature */
426 stm32_hash_init(HASH_SHA256);
427
428 ret = stm32_hash_final_update((uint8_t *)data_ptr, data_len, image_hash);
429 if (ret != 0) {
430 VERBOSE("%s: stm32_hash_final_update (%d)\n", __func__, ret);
431 return CRYPTO_ERR_SIGNATURE;
432 }
433
434 return verify_signature(image_hash, my_pk, sig, curve_id);
435}
436
437static int crypto_verify_hash(void *data_ptr, unsigned int data_len,
438 void *digest_info_ptr,
439 unsigned int digest_info_len)
440{
441 int ret;
442 uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES];
443 unsigned char *p;
444 mbedtls_md_type_t md_alg;
445 size_t len;
446
447 /* we receive an asn1 encapsulated digest, we flatten it */
448 ret = get_plain_digest_from_asn1(digest_info_ptr,
449 digest_info_len, &p, &len,
450 &md_alg);
451 if ((ret != 0) || (md_alg != MBEDTLS_MD_SHA256) || (len != sizeof(calc_hash))) {
452 return CRYPTO_ERR_HASH;
453 }
454
455 digest_info_ptr = p;
456 digest_info_len = len;
457
458 stm32_hash_init(HASH_SHA256);
459
460 ret = stm32_hash_final_update(data_ptr, data_len, calc_hash);
461 if (ret != 0) {
462 VERBOSE("%s: hash failed\n", __func__);
463 return CRYPTO_ERR_HASH;
464 }
465
466 ret = memcmp(calc_hash, digest_info_ptr, digest_info_len);
467 if (ret != 0) {
468 VERBOSE("%s: not expected digest\n", __func__);
469 ret = CRYPTO_ERR_HASH;
470 }
471
472 return ret;
473}
474
475#if !defined(DECRYPTION_SUPPORT_none)
476static int derive_key(uint8_t *key, size_t *key_len, size_t len,
477 unsigned int *flags, const uint8_t *img_id, size_t img_id_len)
478{
479 size_t i, j;
480
481 assert(*key_len >= 32U);
482
483 /*
484 * Not a real derivation yet
485 *
486 * But we expect a 32 bytes key, and OTP is only 16 bytes
487 * => duplicate.
488 */
489 for (i = 0U, j = len; j < 32U;
490 i += sizeof(uint32_t), j += sizeof(uint32_t)) {
491 memcpy(key + j, key + i, sizeof(uint32_t));
492 }
493
494 *key_len = 32U;
495 /* Variable 'key' store a real key */
496 *flags = 0U;
497
498 return 0;
499}
500
501int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key,
502 size_t *key_len, unsigned int *flags,
503 const uint8_t *img_id, size_t img_id_len)
504{
505 uint32_t otp_idx;
506 uint32_t otp_len;
507 size_t read_len;
508 size_t i;
509
510 if (fw_enc_status == FW_ENC_WITH_BSSK) {
511 return -EINVAL;
512 }
513
514 if (stm32_get_otp_index(ENCKEY_OTP, &otp_idx, &otp_len) != 0) {
515 VERBOSE("%s: get %s index error\n", __func__, ENCKEY_OTP);
516 return -EINVAL;
517 }
518
519 if (otp_len > (*key_len * CHAR_BIT)) {
520 VERBOSE("%s: length Error otp_len=%u key_len=%u\n", __func__,
521 otp_len, *key_len * CHAR_BIT);
522 return -EINVAL;
523 }
524
525 read_len = otp_len / CHAR_BIT;
526 assert(read_len % sizeof(uint32_t) == 0);
527
528 for (i = 0U; i < read_len / sizeof(uint32_t); i++) {
529 uint32_t tmp;
530 uint32_t otp_val;
531
532 if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) {
533 zeromem(key, *key_len);
534 VERBOSE("%s: unable to read from otp\n", __func__);
535 return -EINVAL;
536 }
537
538 tmp = bswap32(otp_val);
539 memcpy(key + i * sizeof(uint32_t), &tmp, sizeof(tmp));
540 }
541
542 /* Now we have the OTP values in key till read_len */
543
544 if (derive_key(key, key_len, read_len, flags, img_id,
545 img_id_len) != 0) {
546 zeromem(key, *key_len);
547 return -EINVAL;
548 }
549
550 return 0;
551}
552
553static enum stm32_saes_key_selection select_key(unsigned int key_flags)
554{
555 if ((key_flags & ENC_KEY_IS_IDENTIFIER) != 0U) {
556 panic();
557 }
558
559 /* Use the provided key buffer */
560 return STM32_SAES_KEY_SOFT;
561}
562
563static int stm32_decrypt_aes_gcm(void *data, size_t data_len,
564 const void *key, unsigned int key_len,
565 unsigned int key_flags,
566 const void *iv, unsigned int iv_len,
567 const void *tag, unsigned int tag_len)
568{
569 int ret;
570 struct stm32_saes_context ctx;
571 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE];
572 enum stm32_saes_key_selection key_mode;
573 unsigned int diff = 0U;
574 unsigned int i;
575
576 key_mode = select_key(key_flags);
577
578 ret = stm32_saes_init(&ctx, true, STM32_SAES_MODE_GCM, key_mode, key,
579 key_len, iv, iv_len);
580 if (ret != 0) {
581 return CRYPTO_ERR_INIT;
582 }
583
584 ret = stm32_saes_update_assodata(&ctx, true, NULL, 0U);
585 if (ret != 0) {
586 return CRYPTO_ERR_DECRYPTION;
587 }
588
589 ret = stm32_saes_update_load(&ctx, true, data, data, data_len);
590 if (ret != 0) {
591 return CRYPTO_ERR_DECRYPTION;
592 }
593
594 ret = stm32_saes_final(&ctx, tag_buf, sizeof(tag_buf));
595 if (ret != 0) {
596 return CRYPTO_ERR_DECRYPTION;
597 }
598
599 /* Check tag in "constant-time" */
600 for (i = 0U; i < tag_len; i++) {
601 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i];
602 }
603
604 if (diff != 0U) {
605 return CRYPTO_ERR_DECRYPTION;
606 }
607
608 return CRYPTO_SUCCESS;
609}
610
611/*
612 * Authenticated decryption of an image
613 *
614 */
615static int crypto_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len,
616 const void *key, unsigned int key_len, unsigned int key_flags,
617 const void *iv, unsigned int iv_len, const void *tag,
618 unsigned int tag_len)
619{
620 int rc = -1;
621 uint32_t real_iv[4];
622
623 switch (dec_algo) {
624 case CRYPTO_GCM_DECRYPT:
625 /*
626 * GCM expect a Nonce
627 * The AES IV is the nonce (a uint32_t[3])
628 * then a counter (a uint32_t big endian)
629 * The counter starts at 2.
630 */
631 memcpy(real_iv, iv, iv_len);
632 real_iv[3] = htobe32(0x2U);
633
634 rc = stm32_decrypt_aes_gcm(data_ptr, len, key, key_len, key_flags,
635 real_iv, sizeof(real_iv), tag, tag_len);
636 break;
637 default:
638 rc = CRYPTO_ERR_DECRYPTION;
639 break;
640 }
641
642 if (rc != 0) {
643 return rc;
644 }
645
646 return CRYPTO_SUCCESS;
647}
648
649REGISTER_CRYPTO_LIB("stm32_crypto_lib",
650 crypto_lib_init,
651 crypto_verify_signature,
652 crypto_verify_hash,
Yann Gautierc68b8af2023-01-24 09:39:47 +0100[diff] [blame^]653 crypto_auth_decrypt,
654 crypto_convert_pk);
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]655
656#else /* No decryption support */
657REGISTER_CRYPTO_LIB("stm32_crypto_lib",
658 crypto_lib_init,
659 crypto_verify_signature,
660 crypto_verify_hash,
Yann Gautierc68b8af2023-01-24 09:39:47 +0100[diff] [blame^]661 NULL,
662 crypto_convert_pk);
Lionel Debievefd02b802022-10-05 16:16:50 +0200[diff] [blame]663#endif