tree-wide: use power-of-2 rounding macros where applicable

Use ROUNDUP2(), ROUNDUP2_OVERFLOW(), ROUNDUP2_DIV() and ROUNDDOWN2() at
places where the rounding argument is a variable value and we want

tree-wide: use power-of-2 rounding macros where applicable

Use ROUNDUP2(), ROUNDUP2_OVERFLOW(), ROUNDUP2_DIV() and ROUNDDOWN2() at
places where the rounding argument is a variable value and we want to
leverage the implementation of these routines optimized for a
power-of-2 rounding argument.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: handle buffer_two_blocks correctly

For operations with buffer_two_blocks true, calculate the required size
of the out buffer (req_dlen) correctly in TEE_CipherUpdate().
tee_buffer_update()

libutee: handle buffer_two_blocks correctly

For operations with buffer_two_blocks true, calculate the required size
of the out buffer (req_dlen) correctly in TEE_CipherUpdate().
tee_buffer_update() is fixed with a matching update.

buffer_two_blocks set to true mandates buffering at least one block + a
byte and at most two full blocks.

Fix needed by TEE_ALG_AES_CTS and TEE_ALG_AES_XTS.

Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@foss.st.com>

show more ...

libutee: process a full buffer immediately

In tee_buffer_update, libutee currently delays processing an input
block until more space is needed in the buffer, which is perfectly
valid behavior, but d

libutee: process a full buffer immediately

In tee_buffer_update, libutee currently delays processing an input
block until more space is needed in the buffer, which is perfectly
valid behavior, but doesn't match AOSP compatibility requirements.

Specifically, both CTS (testKatEncryptOneByteAtATime [1]) and VTS
(EncryptionOperationsTest.*OneByteAtATime [2]) expect block cipher
implementations to produce an output block as soon as a full block
of input has been received. Change libutee behavior to be AOSP
compatible.

Link: https://android.googlesource.com/platform/cts/+/refs/heads/main/tests/tests/keystore/src/android/keystore/cts/BlockCipherTestBase.java#779 [1]
Link: https://android.googlesource.com/platform/hardware/interfaces/+/refs/heads/main/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp#827 [2]
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_AllocateOperation(): maxKeySize of digests may take any value

Commit [1] introduced a check to enforce the "maxKeySize" parameter of
digest operations to always be zero. This is a viola

libutee: TEE_AllocateOperation(): maxKeySize of digests may take any value

Commit [1] introduced a check to enforce the "maxKeySize" parameter of
digest operations to always be zero. This is a violation of the Global
Platform specification [2].

Revert commit [1] to allow maxKeySize to take any value for digest
operations.

[1] commit cf5c060cec76 ("libutee: TEE_AllocateOperation(): digest
operations must have 0 max key size")
Link: https://github.com/OP-TEE/optee_os/commit/cf5c060cec76

[2] TEE Internal Core API Specification – Public Release v1.3.1,
§6.2.1 TEE_AllocateOperation:

The parameter maxKeySize SHALL be a valid value as defined in
Table 5-9 for the algorithm, for algorithms referenced in Table
5-9. For all other algorithms, the maxKeySize parameter may have
any value.

CC: Jens Wiklander <jens.wiklander@linaro.org>
Fixes: cf5c060cec76 ("libutee: TEE_AllocateOperation(): digest operations must have 0 max key size")
Signed-off-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in VerificationOperationsTest.RsaSuccess VTS Test [1],
which checks usage of such digests: NONE, MD5, SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512.

This patch has been inspired by commit[2]:

Link: [1] https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
Link: [2] https://github.com/OP-TEE/optee_os/commit/199d0b7310d1705661a106358f1f0b46e4c5c587 ("core: crypto: add support MD5 hashes in RSA sign/verify")
Signed-off-by: Julien Masson <jmasson@baylibre.com>
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: TEE_Asymmetric{En,De}crypt() add return codes

Adds TEE_ERROR_CIPHERTEXT_INVALID and TEE_ERROR_NOT_SUPPORTED to the
list of supported return code for TEE_AsymmetricEncrypt() and
TEE_Asymmetric

GP131: TEE_Asymmetric{En,De}crypt() add return codes

Adds TEE_ERROR_CIPHERTEXT_INVALID and TEE_ERROR_NOT_SUPPORTED to the
list of supported return code for TEE_AsymmetricEncrypt() and
TEE_AsymmetricDecrypt().

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_SetOperationKey*()

Update TEE_SetOperationKey() and TEE_SetOperationKey2() according to TEE
Internal Core API version 1.3.1.

Compatibility functions for v1.1 are added due an inco

GP131: Update TEE_SetOperationKey*()

Update TEE_SetOperationKey() and TEE_SetOperationKey2() according to TEE
Internal Core API version 1.3.1.

Compatibility functions for v1.1 are added due an incompatible change
highlighted by the GP compliance test suite. Prior to 1.3 the functions
where should panic if operation state isn't "initial", in 1.3 they are
instead required to always reset the operation state to "initial".

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: add TEE_DigestExtract()

Adds TEE_DigestExtract() to support Extendable Output Functions, that
is, for now TEE_ALG_SHAKE128 and TEE_ALG_SHAKE256.

Reviewed-by: Etienne Carriere <etienne.carrie

GP131: add TEE_DigestExtract()

Adds TEE_DigestExtract() to support Extendable Output Functions, that
is, for now TEE_ALG_SHAKE128 and TEE_ALG_SHAKE256.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: crypto: add API for SHA-3

Adds an API for the SHA-3 [1] algorithms SHA3-224, SHA3_256, SHA3_384,
SHA3_512, SHAKE128, and SHAKE256. SHAKE128 and SHAKE256 are
Extendable-Output Functions (XOF),

core: crypto: add API for SHA-3

Adds an API for the SHA-3 [1] algorithms SHA3-224, SHA3_256, SHA3_384,
SHA3_512, SHAKE128, and SHAKE256. SHAKE128 and SHAKE256 are
Extendable-Output Functions (XOF), but handled as hashes in the API.

Adds API for SHA-3 based HMAC functions.

For XOF algorithms crypto_hash_final() can be called multiple times and
generate an arbitrary amount of data. Note that this data will have a
common prefix if done over the same input (see A.2 in [1]).

[1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_FreeOperation()

Update TEE_FreeOperation() according to TEE Internal Core API version
1.3.1. TEE_FreeOperation() does nothing if operation is TEE_HANDLE_NULL.

Reviewed-by: Jerome

GP131: Update TEE_FreeOperation()

Update TEE_FreeOperation() according to TEE Internal Core API version
1.3.1. TEE_FreeOperation() does nothing if operation is TEE_HANDLE_NULL.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_GenerateRandom()

Update TEE_GenerateRandom() according to TEE Internal Core API version
1.3.1. The randomBufferLen parameter is changed to use size_t instead of
uint32_t.

Reviewed

GP131: Update TEE_GenerateRandom()

Update TEE_GenerateRandom() according to TEE Internal Core API version
1.3.1. The randomBufferLen parameter is changed to use size_t instead of
uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_AsymmetricSignDigest() and TEE_AsymmetricVerifyDigest()

Updates TEE_AsymmetricSignDigest() and TEE_AsymmetricVerifyDigest()
according to TEE Internal Core API version 1.3.1. The di

GP131: Update TEE_AsymmetricSignDigest() and TEE_AsymmetricVerifyDigest()

Updates TEE_AsymmetricSignDigest() and TEE_AsymmetricVerifyDigest()
according to TEE Internal Core API version 1.3.1. The digestLen and
signatureLen parameters are changed to use size_t instead of uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt()

Updates TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt() according to
TEE Internal Core API version 1.3.1. The srcLen and dstLen

GP131: Update TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt()

Updates TEE_AsymmetricEncrypt() and TEE_AsymmetricDecrypt() according to
TEE Internal Core API version 1.3.1. The srcLen and dstLen parameters
are changed to use size_t instead of uint32_t

Adds the optional attribute TEE_ATTR_RSA_OAEP_MGF_HASH which if provided
specifies the MGF1 hash function to use. Prior to GP v1.3.1 it was
implementation defined. OP-TEE only supports using the same MGF1 hash
function as the internal hash function of the algorithim, that is, for
the algorithm TEE_ALG_RSAES_PKCS1_OAEP_MGF1_x that hash function
TEE_ALG_x is used.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_AE* functions

Updates the following functions:
- TEE_AEInit()
- TEE_AEUpdateAAD()
- TEE_AEUpdate()
- TEE_AEEncryptFinal()
- TEE_AEDecryptFinal()
according to TEE Internal Core API

GP131: Update TEE_AE* functions

Updates the following functions:
- TEE_AEInit()
- TEE_AEUpdateAAD()
- TEE_AEUpdate()
- TEE_AEEncryptFinal()
- TEE_AEDecryptFinal()
according to TEE Internal Core API version 1.3.1. The nonceLen, AADLen,
payloadLen, AADdataLen, srcLen, destLen and tagLen parameters are
changed to use size_t instead of uint32_t.

Note that the tagLen parameter of TEE_AEInit() is still of the type
uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_{Digest,Cipher,MAC}* functions

Updates the following functions:
- TEE_CipherDoFinal()
- TEE_CipherInit()
- TEE_CipherUpdate()
- TEE_DigestDoFinal()
- TEE_DigestUpdate()
- TEE_MACCo

GP131: Update TEE_{Digest,Cipher,MAC}* functions

Updates the following functions:
- TEE_CipherDoFinal()
- TEE_CipherInit()
- TEE_CipherUpdate()
- TEE_DigestDoFinal()
- TEE_DigestUpdate()
- TEE_MACCompareFinal()
- TEE_MACComputeFinal()
- TEE_MACInit()
- TEE_MACUpdate()
according to TEE Internal Core API version 1.3.1. The chunkSize,
chunkLen, hashLen, srcLen, destLen, IVLen, messageLen and macLen
parameters are changed to use size_t instead of uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_GetOperationInfoMultiple()

Update TEE_GetOperationInfoMultiple() according to TEE Internal Core API
version 1.3.1. The size parameter is changed to use size_t instead of
uint32_t.

GP131: Update TEE_GetOperationInfoMultiple()

Update TEE_GetOperationInfoMultiple() according to TEE Internal Core API
version 1.3.1. The size parameter is changed to use size_t instead of
uint32_t.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_GetProperty*() functions

Update the TEE_GetProperty*() functions to according to TEE Internal
Core API version 1.3.1. A new function TEE_GetPropertyAsU64() is added
and size_t poin

GP131: Update TEE_GetProperty*() functions

Update the TEE_GetProperty*() functions to according to TEE Internal
Core API version 1.3.1. A new function TEE_GetPropertyAsU64() is added
and size_t pointer are used instead of uint32_t pointers for the length
of buffers.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_Attribute

Updates TEE_Attribute according to TEE Internal Core API version 1.3.1.

A compatibility type with a __GP11_ prefix is added for compatibility
with version 1.1. The follo

GP131: Update TEE_Attribute

Updates TEE_Attribute according to TEE Internal Core API version 1.3.1.

A compatibility type with a __GP11_ prefix is added for compatibility
with version 1.1. The following API functions:
- TEE_AsymmetricDecrypt()
- TEE_AsymmetricEncrypt()
- TEE_AsymmetricSignDigest()
- TEE_AsymmetricVerifyDigest()
- TEE_DeriveKey()
- TEE_GenerateKey()
- TEE_InitRefAttribute()
- TEE_InitValueAttribute()
- TEE_PopulateTransientObject()
are updated in a similar manner

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Update TEE_ObjectInfo

Updates TEE_ObjectInfo according to TEE Internal Core API version 1.3.1.

A compatibility type with a __GP11_ prefix is added for compatibility
with version 1.1. A few A

GP131: Update TEE_ObjectInfo

Updates TEE_ObjectInfo according to TEE Internal Core API version 1.3.1.

A compatibility type with a __GP11_ prefix is added for compatibility
with version 1.1. A few API functions (TEE_GetObjectInfo(),
TEE_GetObjectInfo1, and TEE_GetNextPersistentObject()) are updated in a
similar manner.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and TEE_ALG_ECDSA_SHA*

Adds the defines
- TEE_ALG_ECDH_DERIVE_SHARED_SECRET
- TEE_ALG_ECDSA_SHA1
- TEE_ALG_ECDSA_SHA224
- TEE_ALG_ECDSA_SHA256
- TEE_ALG_

GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and TEE_ALG_ECDSA_SHA*

Adds the defines
- TEE_ALG_ECDH_DERIVE_SHARED_SECRET
- TEE_ALG_ECDSA_SHA1
- TEE_ALG_ECDSA_SHA224
- TEE_ALG_ECDSA_SHA256
- TEE_ALG_ECDSA_SHA386
- TEE_ALG_ECDSA_SHA512
from TEE Internal Core API version 1.3.1 to replace the previous now
deprecated defines:
- TEE_ALG_ECDSA_P192
- TEE_ALG_ECDSA_P224
- TEE_ALG_ECDSA_P256
- TEE_ALG_ECDSA_P384
- TEE_ALG_ECDSA_P521
- TEE_ALG_ECDH_P192
- TEE_ALG_ECDH_P224
- TEE_ALG_ECDH_P256
- TEE_ALG_ECDH_P384
- TEE_ALG_ECDH_P521

The new defines have new values and the values from the old defines are
not reused.

The syscall ABI maintains compatibility by handling both the old and new
values in parallel from now on.

Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core, libutee: introduce TEE_ALG_SM4_XTS

In this patch, The sm4-xts algorithm is supported in the GP process.

Signed-off-by: Pingan Xie <xiepingan3@huawei.com>
Reviewed-by: Xiaoxu Zeng <zengxiaoxu@

core, libutee: introduce TEE_ALG_SM4_XTS

In this patch, The sm4-xts algorithm is supported in the GP process.

Signed-off-by: Pingan Xie <xiepingan3@huawei.com>
Reviewed-by: Xiaoxu Zeng <zengxiaoxu@huawei.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an in

Use struct utee_object_info in TA syscall abi

TEE_ObjectInfo was until now used in the syscall ABI provided to TAs.
TEE_ObjectInfo changes in later versions of the TEE Internal Core API so
add an independent definition with struct utee_object_info in order to
preserve a stable ABI.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add Ed25519 support

This commit adds Ed25519 support as defined in TEE Internal Core API v1.3.1

Signed-off-by: Sergiy Kibrik <Sergiy_Kibrik@epam.com>
Signed-off-by: Valerii Chubar <valerii

libutee: add Ed25519 support

This commit adds Ed25519 support as defined in TEE Internal Core API v1.3.1

Signed-off-by: Sergiy Kibrik <Sergiy_Kibrik@epam.com>
Signed-off-by: Valerii Chubar <valerii_chubar@epam.com>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add X25519 support

This commit adds X25519 support to libutee as defined in
TEE Internal Core API v1.2.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier

libutee: add X25519 support

This commit adds X25519 support to libutee as defined in
TEE Internal Core API v1.2.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Sohaib ul Hassan <sohaib.ul.hassan@unikie.com>
[jf: minor edit to commit description]
Signed-off-by: Jerome Forissier <jerone.forissier@linaro.org>

show more ...

libutee: Panic when IV is provided for ECB modes

Ideally, the ECB mode doesn't need an IV at all.
The GlobalPlatform spec says "IV required: No" for
the algorithms that use this mode (Table 6-6b).

libutee: Panic when IV is provided for ECB modes

Ideally, the ECB mode doesn't need an IV at all.
The GlobalPlatform spec says "IV required: No" for
the algorithms that use this mode (Table 6-6b).

So, in order to be inclined to the requirement of the
spec, the implementation can panic when IV is provided
for ECB modes.

Signed-off-by: Sadiq Hussain <sadiq.muchumarri@intel.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...