Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by

Remove libmpa in favor of libmbedtls

We currently have two "big numbers" library, Mbed TLS and MPA. Both can
be used by libutee to implement the TEE Internal Core API Arithmetical
functions, and by the TEE core or pseudo-TAs. This situation is
reflected by two configuration variables allowing to choose between
libmbedtls and libmpa:

- CFG_TA_MBEDTLS_MPI (default y) configures libutee,
- CFG_CORE_MBEDTLS_MPI (default y) configures the TEE core/PTAs.

In addition there is CFG_TA_MBEDTLS (default y, mandatory when
CFG_TA_MBEDTLS_MPI is y) to build libmbedtls and install it into the
SDK for direct use by TAs (libmbedtls also has function to deal with
certificates for instance).

MBed TLS has been supported and used by default for just over a year;
and we have recently found an issue with the MPA implementation of the
integer multiplication with modulus (mpa_mulmod()) [1] [2]. Therefore,
now is a good time to remove libmpa and use libmbedtls instead.

Link: [1] https://github.com/OP-TEE/optee_os/pull/3541#issuecomment-577592381
Link: [2] https://github.com/OP-TEE/optee_test/pull/389
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: sm2: add missing status check

crypto_acipher_sm2_pke_decrypt() fails to check a return status from
LibTomCrypt. Add the missing check.

Fixes: f9a78287dd12 ("core: ltc: add support for SM

core: ltc: sm2: add missing status check

crypto_acipher_sm2_pke_decrypt() fails to check a return status from
LibTomCrypt. Add the missing check.

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add support for SM2 KEP

Adds SM2 Key Exchange Protocol [1] using LibTomCrypt. The TA interface
complies with the GlobalPlatform TEE Internal Core API version 1.2.

SM2 KEP is enabled w

core: crypto: add support for SM2 KEP

Adds SM2 Key Exchange Protocol [1] using LibTomCrypt. The TA interface
complies with the GlobalPlatform TEE Internal Core API version 1.2.

SM2 KEP is enabled with CFG_CRYPTO_SM2_KEP=y (default y) wich currently
requires that CFG_CRYPTOLIB_NAME=tomcrypt. An Mbed TLS implementation
could be added later if needed.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add support for SM2 KEP

Adds support for the SM3 Key Exchange Protocol [1] for use by
OP-TEE core based on LibTomCrypt.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

core: ltc: add support for SM2 KEP

Adds support for the SM3 Key Exchange Protocol [1] for use by
OP-TEE core based on LibTomCrypt.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 PKE: export sm2_kdf()

The Key Derivation Function used by the SM2 Public Key Encryption
algorithm is also used by the Key Exchange Protocol. Move it to its
file in order to be able to

core: ltc: SM2 PKE: export sm2_kdf()

The Key Derivation Function used by the SM2 Public Key Encryption
algorithm is also used by the Key Exchange Protocol. Move it to its
file in order to be able to re-use it.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 DSA: fix configuration variable name

The name of the config variable indicating support for SM2 DSA is
_CFG_CORE_LTC_SM2_DSA, not _CFG_CORE_LTC_SM2_DSA_SM3.

Fixes: 76c7ba4b9ff7 ("cor

core: ltc: SM2 DSA: fix configuration variable name

The name of the config variable indicating support for SM2 DSA is
_CFG_CORE_LTC_SM2_DSA, not _CFG_CORE_LTC_SM2_DSA_SM3.

Fixes: 76c7ba4b9ff7 ("core: ltc: add support for SM2 DSA")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: ecc_populate_ltc_private_key(): copy public part

A private key alone is not always useful; the public part of the
key is often needed. Adjust ecc_populate_ltc_private_key() accordingly.

core: ltc: ecc_populate_ltc_private_key(): copy public part

A private key alone is not always useful; the public part of the
key is often needed. Adjust ecc_populate_ltc_private_key() accordingly.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 DSA: fix bignum conversions

All integers used in the SM2 algorithms are encoded as 32 byte buffers
in big endian format. The current code does not properly pad the buffer
with zeros w

core: ltc: SM2 DSA: fix bignum conversions

All integers used in the SM2 algorithms are encoded as 32 byte buffers
in big endian format. The current code does not properly pad the buffer
with zeros when a value does not need the whole 32 bytes. Fix that.

Fixes: 76c7ba4b9ff7 ("core: ltc: add support for SM2 DSA")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 PKE: fix bignum conversions

All integers used in the SM2 algorithms are encoded as 32 byte buffers
in big endian format. The current code does not properly pad the buffer
with zeros w

core: ltc: SM2 PKE: fix bignum conversions

All integers used in the SM2 algorithms are encoded as 32 byte buffers
in big endian format. The current code does not properly pad the buffer
with zeros when a value does not need the whole 32 bytes and has a few
other related issues. Fix that.

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: acipher_helpers.h: add macro mp_to_unsigned_bin2()

Writing a bignum to a fixed size integer buffer in big endian order is
slightly cumbersome, because one has to take into account the act

core: ltc: acipher_helpers.h: add macro mp_to_unsigned_bin2()

Writing a bignum to a fixed size integer buffer in big endian order is
slightly cumbersome, because one has to take into account the actual
size of the bignum in order to have the zero padding on the left.
Let's say I am working with 256-bit numbers:

unsigned char buf[32] = { };
void *n = compute_some_bignum(...);

mp_to_unsigned_bin(n, buf + sizeof(buf) - mp_unsigned_bin_size(n));

This commit introduces mp_to_unsigned_bin2() which can be used like so:

unsigned char buf[32] = { };
void *n = compute_some_bignum(...);

mp_to_unsigned_bin2(n, buf, sizeof(buf));

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 DSA: fix bignum memory leaks

crypto_acipher_sm2_dsa_sign() and crypto_acipher_sm2_dsa_verify() leak
some bignum memory due to missing calls to ecc_free().
This is all the more problem

core: ltc: SM2 DSA: fix bignum memory leaks

crypto_acipher_sm2_dsa_sign() and crypto_acipher_sm2_dsa_verify() leak
some bignum memory due to missing calls to ecc_free().
This is all the more problematic that bignum allocations use a special
memory pool [1] that can easily cause deadlocks when misused.

This commit adds the missing calls.

[1] Commit a2eb5b55d169 ("libutils: add mempool API")

Fixes: 76c7ba4b9ff7 ("core: ltc: add support for SM2 DSA")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 PKE: fix bignum memory leaks

crypto_acipher_sm2_pke_encrypt() and crypto_acipher_sm2_pke_decrypt()
leak some bignum memory due to missing calls to ecc_free() and also due
to the fact

core: ltc: SM2 PKE: fix bignum memory leaks

crypto_acipher_sm2_pke_encrypt() and crypto_acipher_sm2_pke_decrypt()
leak some bignum memory due to missing calls to ecc_free() and also due
to the fact that the x and y fields of an ecc_point are overwritten.
This is all the more problematic that bignum allocations use a special
memory pool [1] that can easily cause deadlocks when misused.

This commit fixes these problems.

[1] Commit a2eb5b55d169 ("libutils: add mempool API")

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: SM2 PKE: add missing return status check

The status of function ltc_ecc_is_point_at_infinity() is not checked in
crypto_acipher_sm2_pke_encrypt(). Fix that.

Fixes: f9a78287dd12 ("core: l

core: ltc: SM2 PKE: add missing return status check

The status of function ltc_ecc_is_point_at_infinity() is not checked in
crypto_acipher_sm2_pke_encrypt(). Fix that.

Fixes: f9a78287dd12 ("core: ltc: add support for SM2 PKE")
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto add support for SM2 DSA

Adds SM2 Digital Signature Algorithm [1] using LibTomCrypt. The TA
interface complies with the GlobalPlatform TEE Internal Core API
version 1.2.

SM2 DSA is enab

core: crypto add support for SM2 DSA

Adds SM2 Digital Signature Algorithm [1] using LibTomCrypt. The TA
interface complies with the GlobalPlatform TEE Internal Core API
version 1.2.

SM2 DSA is enabled with CFG_CRYPTO_SM2_DSA=y (default y) which currently
requires that CFG_CRYPTOLIB_NAME=tomcrypt. An Mbed TLS implementation
could be added later if needed.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add support for SM2 DSA

Adds support for the SM2 Digital Signature Algorithm [1] for use by
OP-TEE core based on LibTomCrypt.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724

core: ltc: add support for SM2 DSA

Adds support for the SM2 Digital Signature Algorithm [1] for use by
OP-TEE core based on LibTomCrypt.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add support for SM2 PKE

Adds SM2 Public Key Encryption [1] using LibTomCrypt. The TA interface
complies with the GlobalPlatform TEE Internal Core API version 1.2.

SM2 is enabled with

core: crypto: add support for SM2 PKE

Adds SM2 Public Key Encryption [1] using LibTomCrypt. The TA interface
complies with the GlobalPlatform TEE Internal Core API version 1.2.

SM2 is enabled with CFG_CRYPTO_SM2_PKE=y (default y) which currently
requires that CFG_CRYPTOLIB_NAME=tomcrypt. An Mbed TLS implementation
could be added later if needed.

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add support for SM2 PKE

SM2 is a set of public key cryptographic algorithms based on elliptic
curves published by the Chinese Commercial Cryptography Administration
Office [1]. The standa

core: ltc: add support for SM2 PKE

SM2 is a set of public key cryptographic algorithms based on elliptic
curves published by the Chinese Commercial Cryptography Administration
Office [1]. The standard has three main parts which define:

- A Digital Signature Algorithm (part 2)
- A Key Exchange Protocol (part 3)
- A Public Key Encryption method (part 4)

This commit implements the PKE LibTomcrypt for use by the OP-TEE core.
It uses the LibTomCrypt ECC and arithmetic helper functions as well as
the OP-TEE hash interface for the SM3 algorithm.

As far as the ECC point encoding goes, only the uncompressed form is
supported, as permitted by the standard. In practice, it means that the
cipher text always starts with the byte value 0x04. Other forms cannot
be decrypted by this implementation.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: export ECC key helper functions

The static functions ecc_populate_ltc_private_key() and
ecc_populate_ltc_public_key() will be useful for other ECC algorithms
than the ones currently handl

core: ltc: export ECC key helper functions

The static functions ecc_populate_ltc_private_key() and
ecc_populate_ltc_public_key() will be useful for other ECC algorithms
than the ones currently handled by core/lib/libtomcrypt/ecc.c, namely:
the SM2 family of algorithms. Therefore, export these functions in
"acipher_helpers.h".

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add implementations for .addmod and .submod

Adds the addmod() and submod() functions which are missing from the
ltc_mp descriptor. It is a bug, because crypto functions never check the
fu

core: ltc: add implementations for .addmod and .submod

Adds the addmod() and submod() functions which are missing from the
ltc_mp descriptor. It is a bug, because crypto functions never check the
functions pointers before using them.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: add SM2 curve parameters

Adds the recommended curve parameters for SM2 [1] [2].

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812
[2] https://tools.ietf.org/id/draft-ribo

core: ltc: add SM2 curve parameters

Adds the recommended curve parameters for SM2 [1] [2].

[1] http://www.gmbz.org.cn/main/postDetail.html?id=20180724110812
[2] https://tools.ietf.org/id/draft-ribose-openpgp-oscca-00.html

Signed-off-by: Jerome Forissier <jerome@forissier.org>

show more ...

ltc: check range in _rijndael_ecb_ functions

There is no check that the 'skey' structure has been properly
initialized. For example, the skey->rijndael.Nr is assumed to contain a
positive number cor

ltc: check range in _rijndael_ecb_ functions

There is no check that the 'skey' structure has been properly
initialized. For example, the skey->rijndael.Nr is assumed to contain a
positive number corresponding to the number of AES rounds to perform. In
_rijndael_ecb_encrypt the skey->rijndael.Nr is subtracted by two, which
can result in an integer underflow if the structure hasn't been
initialized correctly.

By clamping the value for skey->rijndael.Nr into the valid rounds for
AES we can return an error instead of ending up reading outside the
boundaries (of skey->rijndael.eK).

Patch manually picked from [1].

Link: [1] https://github.com/libtom/libtomcrypt/commit/7b4a5c1dcf2803e9c6cbcbc2458db9317e6fb8ca
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7)
Reported-by: Martijn Bogaard <bogaard@riscure.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

Fixes #507 in LTC - vulnerability in der_decode_utf8_string()

Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507

Patch manually picked

Fixes #507 in LTC - vulnerability in der_decode_utf8_string()

Fix a vulnerability in der_decode_utf8_string as specified here:
https://github.com/libtom/libtomcrypt/issues/507

Patch manually picked from:
https://github.com/libtom/libtomcrypt/commit/25c26a3b7a9ad8192ccc923e15cf62bf0108ef94

Signed-off-by: Luigi Coniglio <werew@ret2libc.com>
[Joakim Bech: Extended commit message]
Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (QEMU v7)
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

build: make cfg-one-enabled return 'n' instead of an empty string

Modify cfg-one-enabled in the same way the parent commit modified
cfg-all-enabled.

Signed-off-by: Jerome Forissier <jerome@forissie

build: make cfg-one-enabled return 'n' instead of an empty string

Modify cfg-one-enabled in the same way the parent commit modified
cfg-all-enabled.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20180819

Squash merging branch import/libtomcrypt-1.18.2-develop-20180819

5ecac6e9227c ("core: ltc: adapt to new version of LibTomCrypt")
54d

Squashed commit upgrading to libtomcrypt-1.18.2-develop-20180819

Squash merging branch import/libtomcrypt-1.18.2-develop-20180819

5ecac6e9227c ("core: ltc: adapt to new version of LibTomCrypt")
54d7f2f10c33 ("core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector")
68b1adf4c3db ("core: ltc: aes_modes_armv8a_ce_a64.S: fix incorrect assembly syntax")
b73cfbef058f ("core: ltc: make key in accel_ecb_encrypt() and accel_ecb_decrypt() const")
7160452f6698 ("core: ltc: fix 'switch case misses default'")
05313fd03df1 ("core: ltc: move AES CE files under aes/")
00ed54001f7d ("core: ltc: add custom DH key generation function dh_make_key()")
279e09ee4c7c ("core: ltc: tomcrypt_custom.h: OP-TEE thread support")
e61adb1a2203 ("core: crypto: libtomcrypt: fix LTC_CLEAN_STACK bug")
5c75c2d02f13 ("core: LTC use only _CFG_CORE_LTC_ variables")
5decfe20864a ("core: crypto: arm64 ce: update AES CBC routines")
c54b6344cc4e ("core: crypto: cleanup and fix CE accelerated AES CTR")
3f4d78d04eef ("core: crypto: arm32: add counter increment in ce_aes_ctr_encrypt()")
a85a4f88e39d ("Remove 'All rights reserved' from Linaro files")
14ec45d62762 ("Remove license notice from Linaro files")
084691667db2 ("Add SPDX license identifiers")
48de810896b8 ("LTC: add GHASH acceleration")
9f4ecf2ea898 ("arm32: AES using ARMv8-A cryptographic extensions")
a360627e4130 ("arm64: libtomcrypt: rename AES CE files")
48dab9f6464b ("arm64: libtomcrypt: move inline assembly to .S file")
7479ed2a4be9 ("ltc: bugfix find_prng()")
271db0fe9309 ("ltc: make cipher_descriptor a pointer to descriptors")
cbf6e51b6086 ("ltc: make hash_descriptor a pointer to descriptors")
6982b2b65910 ("ltc: make prng_descriptor a pointer to descriptors")
034ed64a6bb2 ("arm: Fix SHA-1 with cryptographic extensions")
468fcca20d8b ("arm64: SHA-224/SHA-256 using ARMv8-A cryptographic extensions")
a55567f8611c ("arm: update SHA-256 32-bit CE implementation to process multiple blocks")
ee62ece8ecf4 ("arm: update SHA-1 32-bit CE implementation to process multiple blocks")
4287faa43c7c ("arm64: SHA-1 using ARMv8-A cryptographic extensions")
0c6c51d33f05 ("ECC: optimize the pool of temporary variables")
f79f07210b95 ("arm64: AES XTS using ARMv8-A cryptographic extensions")
dc3e64eee4af ("arm64: AES using ARMv8-A cryptographic extensions")
fcad408195d8 ("SHA-1 ARMv8 crypto extension implementation")
e9fa8daa66ed ("SHA-256 ARMv8 crypto extension implementation")
36c11ddb0f2f ("Import LibTomCrypt v1.18.2 branch "develop" (Aug 19, 2019)")
01c7a0fe164c ("Remove LibTomCrypt")

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector

Cherry pick of Linux kernel commit ed6ed11830a9 ("crypto:
arm64/aes-modes - get rid of literal load of addend vector").

core: ltc: aes_modes_armv8a_ce_a64.S: get rid of literal load of addend vector

Cherry pick of Linux kernel commit ed6ed11830a9 ("crypto:
arm64/aes-modes - get rid of literal load of addend vector"). Original
commit message:

"
Replace the literal load of the addend vector with a sequence that
performs each add individually. This sequence is only 2 instructions
longer than the original, and 2% faster on Cortex-A53.

This is an improvement by itself, but also works around a Clang issue,
whose integrated assembler does not implement the GNU ARM asm syntax
completely, and does not support the =literal notation for FP registers
(more info at https://bugs.llvm.org/show_bug.cgi?id=38642)
"

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

show more ...