core: pass TEE_ATTR_RSA_OAEP_MGF_HASH to RSA-OAEP implementations

OP-TEE currently doesn't support using a different hash for MGF1
with RSA-OAEP. However, this is required for AOSP compatibility
(e.

core: pass TEE_ATTR_RSA_OAEP_MGF_HASH to RSA-OAEP implementations

OP-TEE currently doesn't support using a different hash for MGF1
with RSA-OAEP. However, this is required for AOSP compatibility
(e.g. in EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess [1]).

Pass the MGF1 attribute to crypto implementations. Note that
only libtomcrypt supports this feature at the moment, so other
implementations will either fail or fall back to libtomcrypt when
passed a different MGF1 hash.

Link: https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/security/keymint/aidl/vts/functional/KeyMintTest.cpp#5552 [1]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20240412

Squash merging branch import/libtomcrypt-1.18.2-develop-20240412

165e1fe7816a ("core: ltc: update for libtomcrypt changes")
ff29487

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20240412

Squash merging branch import/libtomcrypt-1.18.2-develop-20240412

165e1fe7816a ("core: ltc: update for libtomcrypt changes")
ff294871020d ("core: ltc: rsa_verify_hash: fix panic on hash mismatch")
43363afc3d5e ("core: ltc: add fault mitigation in crypto_acipher_rsassa_verify()")
d3040d8bc691 ("libtomcrypt: Remove prng_state* NULL pointer check from ed25519_make_key()")
a1e9686a20cf ("libtomcrypt: ctr_encrypt(): adjust for OP-TEE CE accelerated routines")
eba1524a3989 ("libtomcrypt: define LTC_MPI at the same time as LTC_DER")
e8f42d80d27f ("core: libtomcrypt: Remove prng_state* NULL pointer check from x25519_make_key()")
edb8618bfe6c ("core: ltc: add SM2 curve parameters")
1713825bebd1 ("core: ltc: make key in accel_ecb_encrypt() and accel_ecb_decrypt() const")
53d2509130ce ("core: ltc: fix 'switch case misses default'")
5c7e0de468d1 ("core: ltc: add custom DH key generation function dh_make_key()")
cba20f6a156e ("core: ltc: tomcrypt_custom.h: OP-TEE thread support")
7f247add8fd9 ("libtomcrypt: implement zeromem() with memzero_explicit()")
96ac368c5e68 ("LTC: add GHASH acceleration")
79bd5cb8391c ("ltc: make cipher_descriptor a pointer to descriptors")
a9f0d677e922 ("ltc: make hash_descriptor a pointer to descriptors")
82feb7ac9709 ("ltc: make prng_descriptor a pointer to descriptors")
ae75124e3113 ("libtomcrypt: tomcrypt_private.h: add HASH_PROCESS_NBLOCKS")
a4281f43ea65 ("ECC: optimize the pool of temporary variables")
b32f84118399 ("Import LibTomCrypt v1.18.2 branch "develop" (Apr 12, 2024)")
035c58eeb602 ("Remove LibTomCrypt")

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

Squashed commit upgrading to mbedtls-3.4.0

Squash merging branch import/mbedtls-3.4.0

8225713449d3 ("libmbedtls: fix unrecognized compiler option")
f03730842d7b ("core: ltc: configure internal MD5"

Squashed commit upgrading to mbedtls-3.4.0

Squash merging branch import/mbedtls-3.4.0

8225713449d3 ("libmbedtls: fix unrecognized compiler option")
f03730842d7b ("core: ltc: configure internal MD5")
2b0d0c50127c ("core: ltc: configure internal SHA-1 and SHA-224")
0e48a6e17630 ("libmedtls: core: update to mbedTLS 3.4.0 API")
049882b143af ("libutee: update to mbedTLS 3.4.0 API")
982307bf6169 ("core: LTC mpi_desc.c: update to mbedTLS 3.4.0 API")
33218e9eff7b ("ta: pkcs11: update to mbedTLS 3.4.0 API")
6956420cc064 ("libmbedtls: fix cipher_wrap.c for NIST AES Key Wrap mode")
ad67ef0b43fd ("libmbedtls: fix cipher_wrap.c for chacha20 and chachapoly")
7300f4d97bbf ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pkcs1_v15_verify()")
cec89b62a86d ("libmbedtls: add fault mitigation in mbedtls_rsa_rsassa_pss_verify_ext()")
e7e048796c44 ("libmbedtls: add SM2 curve")
096beff2cd31 ("libmbedtls: mbedtls_mpi_exp_mod(): optimize mempool usage")
7108668efd3f ("libmbedtls: mbedtls_mpi_exp_mod(): reduce stack usage")
0ba4eb8d0572 ("libmbedtls: mbedtls_mpi_exp_mod() initialize W")
3fd6ecf00382 ("libmbedtls: fix no CRT issue")
d5ea7e9e9aa7 ("libmbedtls: add interfaces in mbedtls for context memory operation")
2b0fb3f1fa3d ("libmedtls: mpi_miller_rabin: increase count limit")
2c3301ab99bb ("libmbedtls: add mbedtls_mpi_init_mempool()")
9a111f0da04b ("libmbedtls: make mbedtls_mpi_mont*() available")
804fe3a374f5 ("mbedtls: configure mbedtls to reach for config")
b28a41531427 ("mbedtls: remove default include/mbedtls/config.h")
dfafe507bbef ("Import mbedtls-3.4.0")

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (vexpress-qemu_armv8a)

show more ...

core: crypto_bignum_free(): add indirection and set pointer to NULL

To prevent human mistake, crypto_bignum_free() sets the location of the
bignum pointer to NULL after freeing it.

Signed-off-by: J

core: crypto_bignum_free(): add indirection and set pointer to NULL

To prevent human mistake, crypto_bignum_free() sets the location of the
bignum pointer to NULL after freeing it.

Signed-off-by: Jihwan Park <jihwp@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in VerificationOperationsTest.RsaSuccess VTS Test [1],
which checks usage of such digests: NONE, MD5, SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512.

This patch has been inspired by commit[2]:

Link: [1] https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
Link: [2] https://github.com/OP-TEE/optee_os/commit/199d0b7310d1705661a106358f1f0b46e4c5c587 ("core: crypto: add support MD5 hashes in RSA sign/verify")
Signed-off-by: Julien Masson <jmasson@baylibre.com>
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: LTC rsa.c: use mempool_alloc() instead of malloc()

Replace the calls to malloc() and free() with calls to mempool_alloc()
and mempool_free() in order to guarantee that we don't have to return

core: LTC rsa.c: use mempool_alloc() instead of malloc()

Replace the calls to malloc() and free() with calls to mempool_alloc()
and mempool_free() in order to guarantee that we don't have to return
TEE_ERROR_OUT_OF_MEMORY and cause a panic in the TA.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add fault mitigation in crypto_acipher_rsassa_verify()

Adds fault mitigations in crypto_acipher_rsassa_verify() and dependent
functions in libTomCrypt in order to include the critical fin

core: ltc: add fault mitigation in crypto_acipher_rsassa_verify()

Adds fault mitigations in crypto_acipher_rsassa_verify() and dependent
functions in libTomCrypt in order to include the critical final
memcompare.

This fault mitigation is only enabled with the calling function enabled
fault mitigations and CFG_CORE_FAULT_MITIGATION is 'y'.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: rsa: support the crypto driver

Allow the software implementations to coexist with the crypto driver
API.

This way drivers using the Crypto API can fallback to their software
based implem

core: ltc: rsa: support the crypto driver

Allow the software implementations to coexist with the crypto driver
API.

This way drivers using the Crypto API can fallback to their software
based implementations if they need to.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libtomcrypt: fix rsa key generation public exponent

Fix libtomcrypt crypto_acipher_gen_rsa_key() to call rsa_make_key_bn_e()
API to generate a RSA key with a public exponent up to 256 bits.

RSA sta

libtomcrypt: fix rsa key generation public exponent

Fix libtomcrypt crypto_acipher_gen_rsa_key() to call rsa_make_key_bn_e()
API to generate a RSA key with a public exponent up to 256 bits.

RSA standard specify that public exponent e can be between 65537 (included)
and 2^256 (excluded).

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

core: ltc: use crypto_acipher_free_rsa_keypair() instead of open-coding

There is a function to free an RSA keypair, use it instead of
duplicating the code.

Signed-off-by: Jerome Forissier <jerome@f

core: ltc: use crypto_acipher_free_rsa_keypair() instead of open-coding

There is a function to free an RSA keypair, use it instead of
duplicating the code.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: ltc: crypto_acipher_free_rsa_keypair(): add missing free for s->dq

The crypto_acipher_free_rsa_keypair() function lacks a call to
crypto_bignum_free() for the dq member of the key. Add it.

Fi

core: ltc: crypto_acipher_free_rsa_keypair(): add missing free for s->dq

The crypto_acipher_free_rsa_keypair() function lacks a call to
crypto_bignum_free() for the dq member of the key. Add it.

Fixes: a1d5c81f8834 ("crypto: add function to free rsa keypair")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias

crypto: add function to free rsa keypair

There was no function to proper free a rsa kepair from inside a PTA.
Now there is crypto_acipher_free_rsa_keypair().

Signed-off-by: Elias von Däniken <elias.vondaeniken@bluewin.ch>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: merge tee_*_get_digest_size() into a single function

Rename tee_hash_get_digest_size() to tee_alg_get_digest_size().

Change tee_alg_get_digest_size() to use new libutee macro
TEE_ALG_GET_DIGE

core: merge tee_*_get_digest_size() into a single function

Rename tee_hash_get_digest_size() to tee_alg_get_digest_size().

Change tee_alg_get_digest_size() to use new libutee macro
TEE_ALG_GET_DIGEST_SIZE.

Remove tee_mac_get_digest_size() as its functionality
is handled by tee_alg_get_digest_size() now.

Signed-off-by: Albert Schwarzkopf <a.schwarzkopf@phytec.de>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: export ECC key helper functions

The static functions ecc_populate_ltc_private_key() and
ecc_populate_ltc_public_key() will be useful for other ECC algorithms
than the ones currently handl

core: ltc: export ECC key helper functions

The static functions ecc_populate_ltc_private_key() and
ecc_populate_ltc_public_key() will be useful for other ECC algorithms
than the ones currently handled by core/lib/libtomcrypt/ecc.c, namely:
the SM2 family of algorithms. Therefore, export these functions in
"acipher_helpers.h".

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20180819

Squash merging branch import/libtomcrypt-1.18.2-develop-20180819

5ecac6e9227c ("core: ltc: adapt to new version of LibTomCrypt")
54d

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20180819

Squash merging branch import/libtomcrypt-1.18.2-develop-20180819

5ecac6e9227c ("core: ltc: adapt to new version of LibTomCrypt")
54d7f2f10c33 ("core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector")
68b1adf4c3db ("core: ltc: aes_modes_armv8a_ce_a64.S: fix incorrect assembly syntax")
b73cfbef058f ("core: ltc: make key in accel_ecb_encrypt() and accel_ecb_decrypt() const")
7160452f6698 ("core: ltc: fix 'switch case misses default'")
05313fd03df1 ("core: ltc: move AES CE files under aes/")
00ed54001f7d ("core: ltc: add custom DH key generation function dh_make_key()")
279e09ee4c7c ("core: ltc: tomcrypt_custom.h: OP-TEE thread support")
e61adb1a2203 ("core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug")
5c75c2d02f13 ("core: LTC use only _CFG_CORE_LTC_ variables")
5decfe20864a ("core: crypto: arm64 ce: update AES CBC routines")
c54b6344cc4e ("core: crypto: cleanup and fix CE accelerated AES CTR")
3f4d78d04eef ("core: crypto: arm32: add counter increment in ce_aes_ctr_encrypt()")
a85a4f88e39d ("Remove 'All rights reserved' from Linaro files")
14ec45d62762 ("Remove license notice from Linaro files")
084691667db2 ("Add SPDX license identifiers")
48de810896b8 ("LTC: add GHASH acceleration")
9f4ecf2ea898 ("arm32: AES using ARMv8-A cryptographic extensions")
a360627e4130 ("arm64: libtomcrypt: rename AES CE files")
48dab9f6464b ("arm64: libtomcrypt: move inline assembly to .S file")
7479ed2a4be9 ("ltc: bugfix find_prng()")
271db0fe9309 ("ltc: make cipher_descriptor a pointer to descriptors")
cbf6e51b6086 ("ltc: make hash_descriptor a pointer to descriptors")
6982b2b65910 ("ltc: make prng_descriptor a pointer to descriptors")
034ed64a6bb2 ("arm: Fix SHA-1 with cryptographic extensions")
468fcca20d8b ("arm64: SHA-224/SHA-256 using ARMv8-A cryptographic extensions")
a55567f8611c ("arm: update SHA-256 32-bit CE implementation to process multiple blocks")
ee62ece8ecf4 ("arm: update SHA-1 32-bit CE implementation to process multiple blocks")
4287faa43c7c ("arm64: SHA-1 using ARMv8-A cryptographic extensions")
0c6c51d33f05 ("ECC: optimize the pool of temporary variables")
f79f07210b95 ("arm64: AES XTS using ARMv8-A cryptographic extensions")
dc3e64eee4af ("arm64: AES using ARMv8-A cryptographic extensions")
fcad408195d8 ("SHA-1 ARMv8 crypto extension implementation")
e9fa8daa66ed ("SHA-256 ARMv8 crypto extension implementation")
36c11ddb0f2f ("Import LibTomCrypt v1.18.2 branch "develop" (Aug 19, 2019)")
01c7a0fe164c ("Remove LibTomCrypt")

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: LTC use only _CFG_CORE_LTC_ variables

LTC is only taking _CFG_CORE_LTC_ prefixed variables into account for
configuration.

_CFG_CORE_LTC_ prefixed variables are assigned based on CFG_CRYPTO_

core: LTC use only _CFG_CORE_LTC_ variables

LTC is only taking _CFG_CORE_LTC_ prefixed variables into account for
configuration.

_CFG_CORE_LTC_ prefixed variables are assigned based on CFG_CRYPTO_ and
other variables for unchanged LTC configuration.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: rename prng_mpa to prng_crypto

Changes the name of the registered prng descriptor from "prng_mpa" to
"prng_crypto" to better reflect the source of the prng.

Acked-by: Jerome Forissier <j

core: ltc: rename prng_mpa to prng_crypto

Changes the name of the registered prng descriptor from "prng_mpa" to
"prng_crypto" to better reflect the source of the prng.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: move rsa wrappers to separate file

Moves the RSA wrappers in tee_ltc_provider.c to its own file, rsa.c.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wikla

core: ltc: move rsa wrappers to separate file

Moves the RSA wrappers in tee_ltc_provider.c to its own file, rsa.c.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...