Add Concat KDF (Concatenation Key Derivation Function, NIST SP 800-56A R1)

Concat KDF is a key derivation algorithm defined in section 5.8.1 of
the NIST Special Publication 800-56A Revision 1, "Reco

Add Concat KDF (Concatenation Key Derivation Function, NIST SP 800-56A R1)

Concat KDF is a key derivation algorithm defined in section 5.8.1 of
the NIST Special Publication 800-56A Revision 1, "Recommendation for Pair-Wise
Key Establishment Schemes Using Discrete Logarithm Cryptography"
(http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf)

This is a TEE implementation of the function, which supports the following
hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512.
The actual key derivation is implemented in TEE_DeriveKey() thanks to
custom extensions to the GlobalPlatform API v1.0. Please refer to
documentation/extensions/crypto_concat_kdf.md for details.

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Xiaoqiang Du <xiaoqiang.du@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Fix #6686: Support passing Public Exponent when generating RSA key pair

Global Platform Internal API 1.0 is not accurate when describing
RSA key pair generation. It only indicates
No parameter i

Fix #6686: Support passing Public Exponent when generating RSA key pair

Global Platform Internal API 1.0 is not accurate when describing
RSA key pair generation. It only indicates
No parameter is required
This is why RSA key pair generation was always using 65537
as the public exponent.

Version 1.1 of the API is much more precise:
No parameter is required.
The TEE_ATTR_RSA_PUBLIC_EXPONENT attribute may be
specified; if omitted, the default value is 65537.

This patch implements this requirement.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
Reviewed-by: Laurent GERARD <laurent.gerard@st.com>
Reviewed-by: Jean-Michel DELORME <jean-michel.delorme@st.com>
Signed-off-by: Pascal Brand <pascal.brand@st.com>

show more ...

libtomcrypt: the len parameter of hash.final() is the max size

To be consistent with the behavior of crypto_ops.mac.final(), do not fail if
the length passed to crypto_ops.hash.final() is larger tha

libtomcrypt: the len parameter of hash.final() is the max size

To be consistent with the behavior of crypto_ops.mac.final(), do not fail if
the length passed to crypto_ops.hash.final() is larger than the hash size.

Also, use TEE_MAX_HASH_SIZE instead of defining another macro (MAX_DIGEST).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Fix memory leak in tee_svc_cryp_derive_key()

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU virt)
Reviewed-by: Jens Wik

Fix memory leak in tee_svc_cryp_derive_key()

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jerome Forissier <jerome.forissier@linaro.org> (QEMU virt)
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>

show more ...

Clean syscall handling

* Implements a svc handler suitable to supply as a handler for
thread_svc_handler.
* Removes hardcoded call to tee_svc_sycall in
thread_svc_handler.
* Removes duplicated c

Clean syscall handling

* Implements a svc handler suitable to supply as a handler for
thread_svc_handler.
* Removes hardcoded call to tee_svc_sycall in
thread_svc_handler.
* Removes duplicated code for unwinding of stack after
tee_svc_enter_user_mode() replacing it with a single
tee_svc_unwind_enter_user_mode()

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU virt and FVP)
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

MAC operations now supports NULL arguments

MAC algorithms support NULL arguments and zero length strings.

Note that the fix consists in a change of API in the internal crypto
interface. This change

MAC operations now supports NULL arguments

MAC algorithms support NULL arguments and zero length strings.

Note that the fix consists in a change of API in the internal crypto
interface. This change make hash_ops and mac_ops look the same in terms of
update and final step

Signed-off-by: Pascal Brand <pascal.brand@st.com>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

Make function tee_cryp_init() generic

Signed-off-by: Pascal Brand <pascal.brand@st.com>
Reviewed-by: Joakim Bech <joakim.bech@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

Fix memory leak in tee_svc_cryp_obj_copy()

The following Trusted App would lead to a memory leak in the TEE core:

TEE_ObjectHandle o1, o2;
TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, 256,

Fix memory leak in tee_svc_cryp_obj_copy()

The following Trusted App would lead to a memory leak in the TEE core:

TEE_ObjectHandle o1, o2;
TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, 256, &o1);
TEE_GenerateKey(o1, 256, NULL, 0);
TEE_AllocateTransientObject(TEE_TYPE_RSA_KEYPAIR, 256, &o2);
TEE_CopyObjectAttributes(o2, o1);
TEE_FreeTransientObject(o1);
TEE_FreeTransientObject(o2);

The leak was introduced by commit ffe040395b13 ("Add crypto provider internal
API").

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Merge tee_{core,uta}_trace.h into libutil

Merges tee_core_trace.h and tee_uta_trace.h into a common trace.h
in libutil. Since the trace functions now resides libutil they have
to rely on core and li

Merge tee_{core,uta}_trace.h into libutil

Merges tee_core_trace.h and tee_uta_trace.h into a common trace.h
in libutil. Since the trace functions now resides libutil they have
to rely on core and libutee to provide functions to print to the
log device.

* Keeps compatible interface from tee_kta_trace.h
* Adds TAMSG() and TAMSG_RAW() to log TA related events
* Removes the TRACE_ALWAYS level

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU virt platform)
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Move util.h from core into libutil

Moves util.h from core into libutil to make it available anywhere.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.bra

Move util.h from core into libutil

Moves util.h from core into libutil to make it available anywhere.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@st.com>

show more ...

core_tlb_maintenance(TLBINV_BY_ASID) is on

It also contains code style cleanup

Signed-off-by: Pascal Brand <pascal.brand@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by:

core_tlb_maintenance(TLBINV_BY_ASID) is on

It also contains code style cleanup

Signed-off-by: Pascal Brand <pascal.brand@st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Add crypto provider internal API

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.

Add crypto provider internal API

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Digest operations now supports NULL arguments

Hash algorithms should support NULL arguments and zero length strings.
Following changes will make is possible to call TEE_DigestUpdate and
TEE_DigestDo

Digest operations now supports NULL arguments

Hash algorithms should support NULL arguments and zero length strings.
Following changes will make is possible to call TEE_DigestUpdate and
TEE_DigestDoFinal interchangeably.

Following combinations are now working.
----------------------------------------
| TEE_DigestUpdate | TEE_DigestDoFinal |
----------------------------------------
| NULL | NULL |
| NULL | MESSAGE |
| MESSAGE | NULL |
| MESSAGE | MESSAGE |
| N/A | NULL |
| N/A | MESSAGE |
----------------------------------------

Signed-off-by: Joakim Bech <joakim.bech@linaro.org>
Tested-by: Joakim Bech <joakim.bech@linaro.org> (FVP)
Reviewed-by: Pascal Brand <pascal.brand@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Fix to finalize mac compute when there is not a last message chunk.

Code implemented in TAs may need to call TEE_MACComputeFinal,
without last message chunk.

Reviewed-by: Jens Wiklander <jens.wikla

Fix to finalize mac compute when there is not a last message chunk.

Code implemented in TAs may need to call TEE_MACComputeFinal,
without last message chunk.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
Tested-by: Thierry BINIGUER <thierry.biniguer@st.com>
Reviewed-by: Pascal BRAND <pascal.brand@st.com>
Tested-by: Etienne CARRIERE <etienne.carriere@st.com>
Reviewed-by: Etienne CARRIERE <etienne.carriere@st.com>
Signed-off-by: Pascal Brand <pascal.brand@st.com>

show more ...

core: generic buffer inside/outside/intersect routine

Remove multiple implementation of "is buffer inside a buffer" and
friends and rely on a generic core_is_buffer_inside/outside/intersect().

Revi

core: generic buffer inside/outside/intersect routine

Remove multiple implementation of "is buffer inside a buffer" and
friends and rely on a generic core_is_buffer_inside/outside/intersect().

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)
Signed-off-by: Pascal Brand <pascal.brand@st.com>

show more ...

Cleanup

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Pascal Brand <pascal.brand@st.com>

Fix wrong parameter in GCM authentication

Signed-off-by: Pascal Brand <pascal.brand@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.o

Fix wrong parameter in GCM authentication

Signed-off-by: Pascal Brand <pascal.brand@st.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org> (STM platform)

show more ...

Remove unused function tee_pobj_init

Reviewed-by: Pascal Brand <pascal.brand@linaro.org>

CCM Authentication optimization

CCM is now optimized. Instead of being computed twice,
libtomcrypt code has been optimized so that classical ccm_init, ccm_process,...
can be used incrementally (wh

CCM Authentication optimization

CCM is now optimized. Instead of being computed twice,
libtomcrypt code has been optimized so that classical ccm_init, ccm_process,...
can be used incrementally (when the whole stream is not available when
starting the authentication).
CCM way of proceeding is now very closed to GCM authentication.

Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>
Tested-by: Pascal Brand <pascal.brand@linaro.org>

show more ...

Reenable warnings for all non-3rd party code

* Reenables warnings for all non-3rd party code
* Renames dprintf macro to dprintf_level

Fix strict-aliasing for DEBUG=0

XTS implementation

Fix libtomcrypt XTS: when applying XTS
encryption / decryption, onto partial buffers,
the tweak is now updated.

Signed-off-by: Pascal Brand <pascal.brand@st.com>

plat-vexpress: fix non-debug build

Fixes a number of build errors when 'PLATFORM=vexpress' and 'DEBUG=':
- '<var> may be used uninitialized'
- 'dereferencing type-punned pointer will break strict-al

plat-vexpress: fix non-debug build

Fixes a number of build errors when 'PLATFORM=vexpress' and 'DEBUG=':
- '<var> may be used uninitialized'
- 'dereferencing type-punned pointer will break strict-aliasing rules'
This one is addressed by adding -fno-strict-aliasing to the cflags for the
problematic files, which is a temporary solution.
- 'inlining failed'

Also, make sure tee_svc_syscall_table is aligned on a 32-bit boundary.
Otherwise, an alignment fault might occur:
ERR [0x0] TEE-CORE:tee_pager_print_error_abort:101: data-abort at 0x602f16b
FSR 0x1 PC 0x6007bd4 TTBR0 0x603804A CONTEXIDR 0x1
CPUID 0x80000001 DBGPCSR 0x0 CPSR 0x80000013 (read from SPSR)
ERR [0x0] TEE-CORE:tee_pager_handle_abort:164: [TEE_PAGER] alignement fault! (trap CPU)

Note: on Foundation_v8, I measured a ~3x speedup between debug and non-debug
builds for asymmetric crypto tests.

show more ...

Fix GCM Authentication

Authentication tag length, given during the enc_final(),
was wrong. It was the max of the tag buffer, instead of the
value provided during the init.

Other cleanup also takes

Fix GCM Authentication

Authentication tag length, given during the enc_final(),
was wrong. It was the max of the tag buffer, instead of the
value provided during the init.

Other cleanup also takes place to simplify CCM authentication.

Change-Id: I14c02b2a39a51fb485b0ff04707895f91fcc73a3
Reviewed-on: https://gerrit.st.com/12369
Tested-by: Pascal BRAND <pascal.brand@st.com>
Tested-by: Jean-Michel DELORME <jean-michel.delorme@st.com>
Reviewed-by: Jean-Michel DELORME <jean-michel.delorme@st.com>
Signed-off-by: Pascal Brand <pascal.brand@st.com>

show more ...

Implemented wait in normal world

Instead of busy waiting in secure world, it is more efficient to wait
in normal world such that HLOS can schedule another task to execute
while waiting

- Added a ne

Implemented wait in normal world

Instead of busy waiting in secure world, it is more efficient to wait
in normal world such that HLOS can schedule another task to execute
while waiting

- Added a new RPC command to wait in linux driver
- Remove wait_specific() hook in time_source, it seems can be a generic
function.
- This patch depends on "Implemented wait in normal world" in
optee_linuxdrver

show more ...