Yen Lin | c3813db | 2012-04-02 13:18:48 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (c) 2011 The Chromium OS Authors. |
| 3 | * (C) Copyright 2010 - 2011 NVIDIA Corporation <www.nvidia.com> |
| 4 | * |
| 5 | * See file CREDITS for list of people who contributed to this |
| 6 | * project. |
| 7 | * |
| 8 | * This program is free software; you can redistribute it and/or |
| 9 | * modify it under the terms of the GNU General Public License as |
| 10 | * published by the Free Software Foundation; either version 2 of |
| 11 | * the License, or (at your option) any later version. |
| 12 | * |
| 13 | * This program is distributed in the hope that it will be useful, |
| 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 16 | * GNU General Public License for more details. |
| 17 | * |
| 18 | * You should have received a copy of the GNU General Public License |
| 19 | * along with this program; if not, write to the Free Software |
| 20 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, |
| 21 | * MA 02111-1307 USA |
| 22 | */ |
| 23 | |
| 24 | #include <common.h> |
| 25 | #include <asm/errno.h> |
| 26 | #include "crypto.h" |
| 27 | #include "aes.h" |
| 28 | |
| 29 | static u8 zero_key[16]; |
| 30 | |
| 31 | #define AES_CMAC_CONST_RB 0x87 /* from RFC 4493, Figure 2.2 */ |
| 32 | |
| 33 | enum security_op { |
| 34 | SECURITY_SIGN = 1 << 0, /* Sign the data */ |
| 35 | SECURITY_ENCRYPT = 1 << 1, /* Encrypt the data */ |
| 36 | }; |
| 37 | |
| 38 | static void debug_print_vector(char *name, u32 num_bytes, u8 *data) |
| 39 | { |
| 40 | u32 i; |
| 41 | |
| 42 | debug("%s [%d] @0x%08x", name, num_bytes, (u32)data); |
| 43 | for (i = 0; i < num_bytes; i++) { |
| 44 | if (i % 16 == 0) |
| 45 | debug(" = "); |
| 46 | debug("%02x", data[i]); |
| 47 | if ((i+1) % 16 != 0) |
| 48 | debug(" "); |
| 49 | } |
| 50 | debug("\n"); |
| 51 | } |
| 52 | |
| 53 | /** |
| 54 | * Apply chain data to the destination using EOR |
| 55 | * |
| 56 | * Each array is of length AES_AES_KEY_LENGTH. |
| 57 | * |
| 58 | * \param cbc_chain_data Chain data |
| 59 | * \param src Source data |
| 60 | * \param dst Destination data, which is modified here |
| 61 | */ |
| 62 | static void apply_cbc_chain_data(u8 *cbc_chain_data, u8 *src, u8 *dst) |
| 63 | { |
| 64 | int i; |
| 65 | |
| 66 | for (i = 0; i < 16; i++) |
| 67 | *dst++ = *src++ ^ *cbc_chain_data++; |
| 68 | } |
| 69 | |
| 70 | /** |
| 71 | * Encrypt some data with AES. |
| 72 | * |
| 73 | * \param key_schedule Expanded key to use |
| 74 | * \param src Source data to encrypt |
| 75 | * \param dst Destination buffer |
| 76 | * \param num_aes_blocks Number of AES blocks to encrypt |
| 77 | */ |
| 78 | static void encrypt_object(u8 *key_schedule, u8 *src, u8 *dst, |
| 79 | u32 num_aes_blocks) |
| 80 | { |
| 81 | u8 tmp_data[AES_KEY_LENGTH]; |
| 82 | u8 *cbc_chain_data; |
| 83 | u32 i; |
| 84 | |
| 85 | cbc_chain_data = zero_key; /* Convenient array of 0's for IV */ |
| 86 | |
| 87 | for (i = 0; i < num_aes_blocks; i++) { |
| 88 | debug("encrypt_object: block %d of %d\n", i, num_aes_blocks); |
| 89 | debug_print_vector("AES Src", AES_KEY_LENGTH, src); |
| 90 | |
| 91 | /* Apply the chain data */ |
| 92 | apply_cbc_chain_data(cbc_chain_data, src, tmp_data); |
| 93 | debug_print_vector("AES Xor", AES_KEY_LENGTH, tmp_data); |
| 94 | |
| 95 | /* encrypt the AES block */ |
| 96 | aes_encrypt(tmp_data, key_schedule, dst); |
| 97 | debug_print_vector("AES Dst", AES_KEY_LENGTH, dst); |
| 98 | |
| 99 | /* Update pointers for next loop. */ |
| 100 | cbc_chain_data = dst; |
| 101 | src += AES_KEY_LENGTH; |
| 102 | dst += AES_KEY_LENGTH; |
| 103 | } |
| 104 | } |
| 105 | |
| 106 | /** |
| 107 | * Shift a vector left by one bit |
| 108 | * |
| 109 | * \param in Input vector |
| 110 | * \param out Output vector |
| 111 | * \param size Length of vector in bytes |
| 112 | */ |
| 113 | static void left_shift_vector(u8 *in, u8 *out, int size) |
| 114 | { |
| 115 | int carry = 0; |
| 116 | int i; |
| 117 | |
| 118 | for (i = size - 1; i >= 0; i--) { |
| 119 | out[i] = (in[i] << 1) | carry; |
| 120 | carry = in[i] >> 7; /* get most significant bit */ |
| 121 | } |
| 122 | } |
| 123 | |
| 124 | /** |
| 125 | * Sign a block of data, putting the result into dst. |
| 126 | * |
| 127 | * \param key Input AES key, length AES_KEY_LENGTH |
| 128 | * \param key_schedule Expanded key to use |
| 129 | * \param src Source data of length 'num_aes_blocks' blocks |
| 130 | * \param dst Destination buffer, length AES_KEY_LENGTH |
| 131 | * \param num_aes_blocks Number of AES blocks to encrypt |
| 132 | */ |
| 133 | static void sign_object(u8 *key, u8 *key_schedule, u8 *src, u8 *dst, |
| 134 | u32 num_aes_blocks) |
| 135 | { |
| 136 | u8 tmp_data[AES_KEY_LENGTH]; |
| 137 | u8 left[AES_KEY_LENGTH]; |
| 138 | u8 k1[AES_KEY_LENGTH]; |
| 139 | u8 *cbc_chain_data; |
| 140 | unsigned i; |
| 141 | |
| 142 | cbc_chain_data = zero_key; /* Convenient array of 0's for IV */ |
| 143 | |
| 144 | /* compute K1 constant needed by AES-CMAC calculation */ |
| 145 | for (i = 0; i < AES_KEY_LENGTH; i++) |
| 146 | tmp_data[i] = 0; |
| 147 | |
| 148 | encrypt_object(key_schedule, tmp_data, left, 1); |
| 149 | debug_print_vector("AES(key, nonce)", AES_KEY_LENGTH, left); |
| 150 | |
| 151 | left_shift_vector(left, k1, sizeof(left)); |
| 152 | debug_print_vector("L", AES_KEY_LENGTH, left); |
| 153 | |
| 154 | if ((left[0] >> 7) != 0) /* get MSB of L */ |
| 155 | k1[AES_KEY_LENGTH-1] ^= AES_CMAC_CONST_RB; |
| 156 | debug_print_vector("K1", AES_KEY_LENGTH, k1); |
| 157 | |
| 158 | /* compute the AES-CMAC value */ |
| 159 | for (i = 0; i < num_aes_blocks; i++) { |
| 160 | /* Apply the chain data */ |
| 161 | apply_cbc_chain_data(cbc_chain_data, src, tmp_data); |
| 162 | |
| 163 | /* for the final block, XOR K1 into the IV */ |
| 164 | if (i == num_aes_blocks - 1) |
| 165 | apply_cbc_chain_data(tmp_data, k1, tmp_data); |
| 166 | |
| 167 | /* encrypt the AES block */ |
| 168 | aes_encrypt(tmp_data, key_schedule, dst); |
| 169 | |
| 170 | debug("sign_obj: block %d of %d\n", i, num_aes_blocks); |
| 171 | debug_print_vector("AES-CMAC Src", AES_KEY_LENGTH, src); |
| 172 | debug_print_vector("AES-CMAC Xor", AES_KEY_LENGTH, tmp_data); |
| 173 | debug_print_vector("AES-CMAC Dst", AES_KEY_LENGTH, dst); |
| 174 | |
| 175 | /* Update pointers for next loop. */ |
| 176 | cbc_chain_data = dst; |
| 177 | src += AES_KEY_LENGTH; |
| 178 | } |
| 179 | |
| 180 | debug_print_vector("AES-CMAC Hash", AES_KEY_LENGTH, dst); |
| 181 | } |
| 182 | |
| 183 | /** |
| 184 | * Encrypt and sign a block of data (depending on security mode). |
| 185 | * |
| 186 | * \param key Input AES key, length AES_KEY_LENGTH |
| 187 | * \param oper Security operations mask to perform (enum security_op) |
| 188 | * \param src Source data |
| 189 | * \param length Size of source data |
| 190 | * \param sig_dst Destination address for signature, AES_KEY_LENGTH bytes |
| 191 | */ |
| 192 | static int encrypt_and_sign(u8 *key, enum security_op oper, u8 *src, |
| 193 | u32 length, u8 *sig_dst) |
| 194 | { |
| 195 | u32 num_aes_blocks; |
| 196 | u8 key_schedule[AES_EXPAND_KEY_LENGTH]; |
| 197 | |
| 198 | debug("encrypt_and_sign: length = %d\n", length); |
| 199 | debug_print_vector("AES key", AES_KEY_LENGTH, key); |
| 200 | |
| 201 | /* |
| 202 | * The only need for a key is for signing/checksum purposes, so |
| 203 | * if not encrypting, expand a key of 0s. |
| 204 | */ |
| 205 | aes_expand_key(oper & SECURITY_ENCRYPT ? key : zero_key, key_schedule); |
| 206 | |
| 207 | num_aes_blocks = (length + AES_KEY_LENGTH - 1) / AES_KEY_LENGTH; |
| 208 | |
| 209 | if (oper & SECURITY_ENCRYPT) { |
| 210 | /* Perform this in place, resulting in src being encrypted. */ |
| 211 | debug("encrypt_and_sign: begin encryption\n"); |
| 212 | encrypt_object(key_schedule, src, src, num_aes_blocks); |
| 213 | debug("encrypt_and_sign: end encryption\n"); |
| 214 | } |
| 215 | |
| 216 | if (oper & SECURITY_SIGN) { |
| 217 | /* encrypt the data, overwriting the result in signature. */ |
| 218 | debug("encrypt_and_sign: begin signing\n"); |
| 219 | sign_object(key, key_schedule, src, sig_dst, num_aes_blocks); |
| 220 | debug("encrypt_and_sign: end signing\n"); |
| 221 | } |
| 222 | |
| 223 | return 0; |
| 224 | } |
| 225 | |
| 226 | int sign_data_block(u8 *source, unsigned length, u8 *signature) |
| 227 | { |
| 228 | return encrypt_and_sign(zero_key, SECURITY_SIGN, source, |
| 229 | length, signature); |
| 230 | } |