core: pass TEE_ATTR_RSA_OAEP_MGF_HASH to RSA-OAEP implementations

OP-TEE currently doesn't support using a different hash for MGF1
with RSA-OAEP. However, this is required for AOSP compatibility
(e.

core: pass TEE_ATTR_RSA_OAEP_MGF_HASH to RSA-OAEP implementations

OP-TEE currently doesn't support using a different hash for MGF1
with RSA-OAEP. However, this is required for AOSP compatibility
(e.g. in EncryptionOperationsTest.RsaOaepWithMGFDigestSuccess [1]).

Pass the MGF1 attribute to crypto implementations. Note that
only libtomcrypt supports this feature at the moment, so other
implementations will either fail or fall back to libtomcrypt when
passed a different MGF1 hash.

Link: https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/security/keymint/aidl/vts/functional/KeyMintTest.cpp#5552 [1]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add CFG_RSA_PUB_EXPONENT_3

When generating RSA key pairs, OP-TEE currently enforces a minimum public
exponent size of 65537 per NIST SP800-56B recommendations. However, AOSP
KeyMint VTS (Encry

core: add CFG_RSA_PUB_EXPONENT_3

When generating RSA key pairs, OP-TEE currently enforces a minimum public
exponent size of 65537 per NIST SP800-56B recommendations. However, AOSP
KeyMint VTS (EncryptionOperationsTest.RsaNoPaddingSuccess [1]) requires
implementations to support public exponent 3 for backwards compatibility.
Add CFG_RSA_PUB_EXPONENT_3 to allow public exponents >= 3.

Link: https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/security/keymint/aidl/vts/functional/KeyMintTest.cpp#5258 [1]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: check if binary to bignum conversion succeed

Check return value of crypto_bignum_bin2bn().

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier

core: check if binary to bignum conversion succeed

Check return value of crypto_bignum_bin2bn().

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: fix objectUsage handling for persistent objects

Before this patch was the object usage field stored in the
non-persistent part of an object handle, regardless of whether the
storage object was

core: fix objectUsage handling for persistent objects

Before this patch was the object usage field stored in the
non-persistent part of an object handle, regardless of whether the
storage object was persistent. This prevents updates to this field from
being restored the next time the persistent object is opened. Updates to
the field are also not replicated to eventual other open handles for the
object. Fix this by storing the "usage" bits in a new obj_info_usage
field in struct tee_pobj for persistent objects. Updates to the field
are also written into secure storage to preserve the content the next
time the object is opened.

Fixes: b01047730e77 ("Open-source the TEE Core")
Closes: https://github.com/OP-TEE/optee_os/issues/6495
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: tee_svc_cryp.c: replace get_used_bits()

Prior to this patch was get_used_bits() called in
tee_svc_cryp_obj_populate_type() to check that a bignum isn't too large.
While the code works it's mor

core: tee_svc_cryp.c: replace get_used_bits()

Prior to this patch was get_used_bits() called in
tee_svc_cryp_obj_populate_type() to check that a bignum isn't too large.
While the code works it's more complicated than necessary. The bignum
has just been imported so the normal bignum functions can be used
directly instead of copying the user space buffer again and feed it to
bit_ffs(). So replace the call to get_used_bits() with a call to
crypto_bignum_num_bits() on the newly imported bignum.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

crypto: add X448 support

Refer to the X25519 algorithm, add the X448 algorithm framework code.

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.o

crypto: add X448 support

Refer to the X25519 algorithm, add the X448 algorithm framework code.

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

crypto: rename struct x25519_keypair

Since X25519 and X448 have the same key pair structure,
so we rename struct x25519_keypair as struct montgomery_keypair.

Signed-off-by: loubaihui <loubaihui1@hu

crypto: rename struct x25519_keypair

Since X25519 and X448 have the same key pair structure,
so we rename struct x25519_keypair as struct montgomery_keypair.

Signed-off-by: loubaihui <loubaihui1@huawei.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time,
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions,

core: Apply finer-grained PAN

Prior to this commit, the PAN was disabled for most of the time,
within the thread scall handler. After resolving all outstanding
missing unprivileged access functions, we can now enable finer-
grained PAN, where the unprivileged access is only allowed inside
handful of special user-access functions.

There are some exceptions where we toggle PAN to allow the OP-TEE
core to access user memory, instead of using user-access functions
or bounce buffers. Those are crypto services and ldelf syscall
handlers. Those are chosen to avoid potential large bounce buffer
allocations.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: use user-access functions for crypto service

Use user-access functions for crypto service functions, excluding
encryption, decryption and hasn operations, which might require
large bounce buff

core: use user-access functions for crypto service

Use user-access functions for crypto service functions, excluding
encryption, decryption and hasn operations, which might require
large bounce buffer allocations. Besides these operations, user-
access functions are applied for those functions that takes
attributes, IVs, big numbers, and auxiliary data from the user-
space.

Signed-off-by: Seonghyun Park <seonghp@amazon.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: crypto_bignum_free(): add indirection and set pointer to NULL

To prevent human mistake, crypto_bignum_free() sets the location of the
bignum pointer to NULL after freeing it.

Signed-off-by: J

core: crypto_bignum_free(): add indirection and set pointer to NULL

To prevent human mistake, crypto_bignum_free() sets the location of the
bignum pointer to NULL after freeing it.

Signed-off-by: Jihwan Park <jihwp@amazon.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: tee_svc_cryp: report RSAES_PKCS1_OAEP_MGF1 bad hash ID

Fixes syscall_asymm_operate() to report inconsistent hash algorithm
specified as attribute for TEE_ALG_RSAES_PKCS1_OAEP_MGF1_* operations

core: tee_svc_cryp: report RSAES_PKCS1_OAEP_MGF1 bad hash ID

Fixes syscall_asymm_operate() to report inconsistent hash algorithm
specified as attribute for TEE_ALG_RSAES_PKCS1_OAEP_MGF1_* operations
as OP-TEE only supports the hash predefined for the request algorithm
TEE_ALG_RSAES_PKCS1_OAEP_MGF1_xxx.

Link: https://github.com/OP-TEE/optee_os/issues/6143
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

core: crypto: change TEE_AEDecryptFinal() tag param's attribute

Due to tag parameter was passed in from REE side share memory
same as cipher-text source and nonce buffer/parameters.
Then memory acce

core: crypto: change TEE_AEDecryptFinal() tag param's attribute

Due to tag parameter was passed in from REE side share memory
same as cipher-text source and nonce buffer/parameters.
Then memory access sanity-check marks CCM TAG buffer as
ACCESS_DENIED, which triggers user TA panic.

Change tag parameter's attribute from [in] to [inbuf]. This fix is
expected to be addressed in next GP TEE Internal Core API specification.

Link: https://github.com/OP-TEE/optee_os/issues/5946
Signed-off-by: lei zhou <lei.zhou@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in VerificationOperationsTest.RsaSuccess VTS Test [1],
which checks usage of such digests: NONE, MD5, SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512.

This patch has been inspired by commit[2]:

Link: [1] https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
Link: [2] https://github.com/OP-TEE/optee_os/commit/199d0b7310d1705661a106358f1f0b46e4c5c587 ("core: crypto: add support MD5 hashes in RSA sign/verify")
Signed-off-by: Julien Masson <jmasson@baylibre.com>
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: change supported HMAC key size ranges

Change supported HMAC key size range from 64 to 1024 when
CFG_HMAC_64_1024_RANGE config is enabled, This is required
to successfully pass AOSP Key

core: crypto: change supported HMAC key size ranges

Change supported HMAC key size range from 64 to 1024 when
CFG_HMAC_64_1024_RANGE config is enabled, This is required
to successfully pass AOSP Keymaster VTS tests.

From TEE Internal Core API specificaion:
"Table 5-9, support for other sizes or algorithms
is implementation-defined."

Signed-off-by: Igor Opaniuk <igor.opaniuk@linaro.org>
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: fix memory leak in Ed25519 support

The software implementation of ED25519 algorithm has a memory leak in the
key and key pair allocation. Upon every public key allocation, a key pair
i

core: crypto: fix memory leak in Ed25519 support

The software implementation of ED25519 algorithm has a memory leak in the
key and key pair allocation. Upon every public key allocation, a key pair
is allocated (public and private components). When freeing the public
key, only the public component is freed. To reproduce the issue:

$ while xtest 4016; do :; done

Until the following error:

* regression_4016 Test TEE Internal API ED25519 sign/verify
E/LD: copy_section_headers:1124 sys_copy_from_ta_bin
E/TC:? 0 ldelf_init_with_ldelf:131 ldelf failed with res: 0xffff000c /usr/src/debug/optee-test/master.imx-r0/host/xtest/regression_4000.c:6062: xtest_teec_open_session(&session, &crypt_user_ta_uuid, ((void *)0), &ret_orig) has an unexpected value: 0xffff000c = TEEC_ERROR_OUT_OF_MEMORY, expected 0x0 = TEEC_SUCCESS
regression_4016 FAILED

To fix the memory leak, a separate public key allocation function must
be defined along a ED25519 public key structure.

Fixes: 0aaad418ac8b ("core: crypto: add Ed25519 support")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: syscall_hash_final() support XOF

Adds support in syscall_hash_final() for Extendable Output Functions,
that is, TEE_ALG_SHAKE128 and TEE_ALG_SHAKE256 for now.

Acked-by: Etienne Carriere <etie

core: syscall_hash_final() support XOF

Adds support in syscall_hash_final() for Extendable Output Functions,
that is, TEE_ALG_SHAKE128 and TEE_ALG_SHAKE256 for now.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add API for SHA-3

Adds an API for the SHA-3 [1] algorithms SHA3-224, SHA3_256, SHA3_384,
SHA3_512, SHAKE128, and SHAKE256. SHAKE128 and SHAKE256 are
Extendable-Output Functions (XOF),

core: crypto: add API for SHA-3

Adds an API for the SHA-3 [1] algorithms SHA3-224, SHA3_256, SHA3_384,
SHA3_512, SHAKE128, and SHAKE256. SHAKE128 and SHAKE256 are
Extendable-Output Functions (XOF), but handled as hashes in the API.

Adds API for SHA-3 based HMAC functions.

For XOF algorithms crypto_hash_final() can be called multiple times and
generate an arbitrary amount of data. Note that this data will have a
common prefix if done over the same input (see A.2 in [1]).

[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt()

Updates TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt() according to
TEE Internal Core API version 1.3.1. The srcLen and dstLen

GP131: Update TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt()

Updates TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt() according to
TEE Internal Core API version 1.3.1. The srcLen and dstLen parameters
are changed to use size_t instead of uint32_t

Adds the optional attribute TEE_ATTR_RSA_OAEP_MGF_HASH which if provided
specifies the MGF1 hash function to use. Prior to GP v1.3.1 it was
implementation defined. OP-TEE only supports using the same MGF1 hash
function as the internal hash function of the algorithim, that is, for
the algorithm TEE_ALG_RSAES_PKCS1_OAEP_MGF1_x that hash function
TEE_ALG_x is used.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update HKDF defines

OP-TEE provides an HKDF implementation as an extension to the TEE
Internal Core API which predates version 1.3 of the specification where
HKDF was officially introduced.

GP131: Update HKDF defines

OP-TEE provides an HKDF implementation as an extension to the TEE
Internal Core API which predates version 1.3 of the specification where
HKDF was officially introduced.

Update with the official defines and resolve name clashes. With this
OP-TEE supports both the old extension and the new official API.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and TEE_ALG_ECDSA_SHA*

Adds the defines
- TEE_ALG_ECDH_DERIVE_SHARED_SECRET
- TEE_ALG_ECDSA_SHA1
- TEE_ALG_ECDSA_SHA224
- TEE_ALG_ECDSA_SHA256
- TEE_ALG_

GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and TEE_ALG_ECDSA_SHA*

Adds the defines
- TEE_ALG_ECDH_DERIVE_SHARED_SECRET
- TEE_ALG_ECDSA_SHA1
- TEE_ALG_ECDSA_SHA224
- TEE_ALG_ECDSA_SHA256
- TEE_ALG_ECDSA_SHA386
- TEE_ALG_ECDSA_SHA512
from TEE Internal Core API version 1.3.1 to replace the previous now
deprecated defines:
- TEE_ALG_ECDSA_P192
- TEE_ALG_ECDSA_P224
- TEE_ALG_ECDSA_P256
- TEE_ALG_ECDSA_P384
- TEE_ALG_ECDSA_P521
- TEE_ALG_ECDH_P192
- TEE_ALG_ECDH_P224
- TEE_ALG_ECDH_P256
- TEE_ALG_ECDH_P384
- TEE_ALG_ECDH_P521

The new defines have new values and the values from the old defines are
not reused.

The syscall ABI maintains compatibility by handling both the old and new
values in parallel from now on.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: fix TEE_ATTR_EDDSA_PREHASH interpretation

Commit 0aaad418ac8b ("core: crypto: add Ed25519 support") introduced
support for the ED25519 algorithm. This included parsing a
TEE_ATTR_EDDSA

core: crypto: fix TEE_ATTR_EDDSA_PREHASH interpretation

Commit 0aaad418ac8b ("core: crypto: add Ed25519 support") introduced
support for the ED25519 algorithm. This included parsing a
TEE_ATTR_EDDSA_PREHASH parameter that unfortunately was not fully
compliant with the standard. So fix this with a more strict
interpretation of TEE_ATTR_EDDSA_PREHASH as described in the
specification.

Fixes: 0aaad418ac8b ("core: crypto: add Ed25519 support")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Valerii Chubar <valerii_chubar@epam.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: Fix tee_obj_attr_copy_from for X25519

Make sure in tee_obj_attr_copy_from() if the source object type
is TEE_TYPE_X25519_KEYPAIR the destination object type should be
TEE_TYPE_X25519_P

core: crypto: Fix tee_obj_attr_copy_from for X25519

Make sure in tee_obj_attr_copy_from() if the source object type
is TEE_TYPE_X25519_KEYPAIR the destination object type should be
TEE_TYPE_X25519_PUBLIC_KEY. The function should extract public
key attributes if presented with a key pair object.

According to the TEE Internal Core API Specification v1.2 we should
check if the source is of type *_KEYPAIR then the destination is a
subset of type *_PUBLIC_KEY when populating the destination object as
listed in the Table 5-11.

Fixes: 90040fa4c81c ("core: crypto: add X25519 support")
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Sohaib ul Hassan <sohaib.ul.hassan@unikie.com>

show more ...

Fix TEE_ATTR_ECC_EPHEMERAL_PUBLIC_VALUE_*

Commit 5b385b3f835d ("core: crypto: add support for SM2 KEP")defined by
mistake the wrong values for these two. To fix this we're are renaming
these IDs alt

Fix TEE_ATTR_ECC_EPHEMERAL_PUBLIC_VALUE_*

Commit 5b385b3f835d ("core: crypto: add support for SM2 KEP")defined by
mistake the wrong values for these two. To fix this we're are renaming
these IDs alternative IDs which OP-TEE will recognize in addition to the
correct official values when deriving a key using the TEE_ALG_SM2_KEP
algorithm.

TEE_ATTR_ECC_EPHEMERAL_PUBLIC_VALUE_X and
TEE_ATTR_ECC_EPHEMERAL_PUBLIC_VALUE_Y are only used as input parameters
so there is no need to translate back to the old invalid values.

Fixes: 5b385b3f835d ("core: crypto: add support for SM2 KEP")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core, libutee: introduce TEE_ALG_SM4_XTS

In this patch, The sm4-xts algorithm is supported in the GP process.

Signed-off-by: Pingan Xie <xiepingan3@huawei.com>
Reviewed-by: Xiaoxu Zeng <zengxiaoxu@

core, libutee: introduce TEE_ALG_SM4_XTS

In this patch, The sm4-xts algorithm is supported in the GP process.

Signed-off-by: Pingan Xie <xiepingan3@huawei.com>
Reviewed-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an in

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an independent definition with struct utee_object_info in order to
preserve a stable ABI.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...