crypto: se050: adaptors: elliptic curve

APDU and utility functions required to support elliptic curve
cryptography.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander

crypto: se050: adaptors: elliptic curve

APDU and utility functions required to support elliptic curve
cryptography.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

ta: pkcs11: Add more checks before destroying object in a session

Few checks were missing in the implementaion of C_DestroyObject()
as per PKCS#11 Specification. These have been added now.
These che

ta: pkcs11: Add more checks before destroying object in a session

Few checks were missing in the implementaion of C_DestroyObject()
as per PKCS#11 Specification. These have been added now.
These checks are
- only session objects can be destroyed during a read only session
- only public objects can be destroyed unless the normal user is
logged in
- Certain objects may not be destroyed. Calling C_DestroyObject on
such objects will result in the CKR_ACTION_PROHIBITED error code.
An application can consult the object's CKA_DESTROYABLE
attribute to determine if an object may be destroyed or not.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

ta: pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must b

ta: pkcs11: Fix return value when trying to open parallel session

It is mandatory to have CKF_SERIAL_SESSION set when invoking
C_OpenSession(). When omitted CKR_SESSION_PARALLEL_NOT_SUPPORTED must be
returned.

Specified in:
PKCS #11 Cryptographic Token Interface Base Specification Version 2.40
Plus Errata 01
5.6 Session management functions
C_OpenSession

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

drivers: crypto: se050: limitations to RSA crypto

The supported algorithms for encryption/decryption are:
PKCS1_OAEP
PKCS1_V1_5

When using PKCS1_PSS_MGF1 the se050 also has some restrictions on

drivers: crypto: se050: limitations to RSA crypto

The supported algorithms for encryption/decryption are:
PKCS1_OAEP
PKCS1_V1_5

When using PKCS1_PSS_MGF1 the se050 also has some restrictions on the
hash algorithms that can be used depending on the RSA key size.

Source: Plug And Trust MW documentation, Release v02,14,00 (Apr 03,
2020)

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: Check for CKA_PRIVATE when creating objects

PKCS#11 Specification[1] states that Private session/token objects
cannot be created in Public sessions. So, add a check for access
type when

ta: pkcs11: Check for CKA_PRIVATE when creating objects

PKCS#11 Specification[1] states that Private session/token objects
cannot be created in Public sessions. So, add a check for access
type when creating objects.

[1] PKCS #11 Cryptographic Token Interface Usage Guide Version 2.40
(Table 3 - ACCESS TO DIFFERENT TYPES OBJECTS BY DIFFERENT TYPES
OF SESSIONS)

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix error returned

When trying to access an object of type CKA_PRIVATE without
logging in, the error returned should be
PKCS11_CKR_USER_NOT_LOGGED_IN.

Signed-off-by: Ruchika Gupta <ruch

ta: pkcs11: Fix error returned

When trying to access an object of type CKA_PRIVATE without
logging in, the error returned should be
PKCS11_CKR_USER_NOT_LOGGED_IN.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

mk/compile.mk: Fix handling of '+' in path for generated include guards

When building with bitbake with gitpkgv class git revision details have
'+' as delimeter.

Version details appears in path and

mk/compile.mk: Fix handling of '+' in path for generated include guards

When building with bitbake with gitpkgv class git revision details have
'+' as delimeter.

Version details appears in path and this causes following warnings during
the OP-TEE OS build:

In file included from core/arch/arm/kernel/entry_a64.S:11:
/build/.../optee-os/devel+gitrAUTOINC+e97c83bd6f-r0/build.zcu102/core/include/generated/asm-defines.h:1:123: warning: extra tokens at end of #ifndef directive
1 | #ifndef _build_..._optee_os_devel+gitrAUTOINC+e97c83bd6f_r0_build_zcu102_core_include_generated_asm_defines_h
| ^
/build/.../optee-os/devel+gitrAUTOINC+e97c83bd6f-r0/build.zcu102/core/include/generated/asm-defines.h:2:9: warning: missing whitespace after the macro name
2 | #define _build_..._optee_os_devel+gitrAUTOINC+e97c83bd6f_r0_build_zcu102_core_include_generated_asm_defines_h
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Use get_attribute_ptr() instead of get_attribute()

When just trying to determine if an attribute is present in the
list or not withour requiring the actual value of the attribute,
using

ta: pkcs11: Use get_attribute_ptr() instead of get_attribute()

When just trying to determine if an attribute is present in the
list or not withour requiring the actual value of the attribute,
using get_attribute_ptr() is better to use as it is more
light-weight than it's counterpart get_attribute().

Suggested-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add class_id in create_attributes_from_template()

Add a parameter to pass pkcs11_class_id. The parameter will be
used when attributes need to be created for a template
supporting public

ta: pkcs11: Add class_id in create_attributes_from_template()

Add a parameter to pass pkcs11_class_id. The parameter will be
used when attributes need to be created for a template
supporting public or private class key. It is unused for now.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add class and type hint in sanitize_client_object()

Specification allows one to pass templates while genrating
key/keypair where class and type may be omitted from the template.
In such

ta: pkcs11: Add class and type hint in sanitize_client_object()

Specification allows one to pass templates while genrating
key/keypair where class and type may be omitted from the template.
In such cases, pass class and type as hint in sanitize_client_object()
so that they can be added in the attribute list being prepared.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix for CKA_KEY_GEN_MECHANISM in create_attributes_from_template()

CKA_KEY_GEN_MECHANISM attribute is not added in the attribute list
(attrs) from the template (temp) when a key object i

ta: pkcs11: Fix for CKA_KEY_GEN_MECHANISM in create_attributes_from_template()

CKA_KEY_GEN_MECHANISM attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't fall in mandatory/optional attribute. So, error checking for
this attribute should be done on the original source template(temp)
and not the attribute list(attrs) in create_attributes_from_template().

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Fix for CKA_LOCAL in create_attributes_from_template()

CKA_LOCAL attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't

ta: pkcs11: Fix for CKA_LOCAL in create_attributes_from_template()

CKA_LOCAL attribute is not added in the attribute list
(attrs) from the template (temp) when a key object is created as
it doesn't fall in mandatory/optional attribute. So, error checking for
this attribute should be done on the original source template(temp)
and not the attribute list(attrs) in create_attributes_from_template().

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Add support for Key Generation

Adds support of mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN,
PKCS11_CKM_AES_KEY_GEN for key generation API.

Co-developed-by: Etienne Carriere <etienne.ca

ta: pkcs11: Add support for Key Generation

Adds support of mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN,
PKCS11_CKM_AES_KEY_GEN for key generation API.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Define TA mechanisms for Key Generation

Adds the mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN
in enum pkcs11_mechanism_id.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org

ta: pkcs11: Define TA mechanisms for Key Generation

Adds the mechanisms PKCS11_CKM_GENERIC_SECRET_KEY_GEN
in enum pkcs11_mechanism_id.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

ta: pkcs11: Define command for Key Generation

Add command PKCS11_CMD_GENERATE_KEY in enum pkcs11_ta_cmd.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carri

ta: pkcs11: Define command for Key Generation

Add command PKCS11_CMD_GENERATE_KEY in enum pkcs11_ta_cmd.

Co-developed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Reviewed-by: Vesa Jääskeläinen <vesa.jaaskelainen@vaisala.com>

show more ...

shippable: imx8mm/imx6ull: add plug and trust support

Validates the different SE050 configuration options with the Plug And
Trust library on arm64 and arm.

This will be useful to avoid regressions

shippable: imx8mm/imx6ull: add plug and trust support

Validates the different SE050 configuration options with the Plug And
Trust library on arm64 and arm.

This will be useful to avoid regressions when multiple crypto drivers
are enabled.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome@forissier.org>

show more ...

ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11

ta: pkcs11: Fix the error code returned

While generating a key of type PKCS11_CKO_SECRET_KEY, if
CKA_VALUE_LEN field is not specified in the attribute
template, the error returned needs to be
PKCS11_CKR_TEMPLATE_INCOMPLETE.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

ta: pkcs11: Temporary workaround in sanitize_indirect_attr()

Since the type of key to be generated is implicit in the key generation
mechanism, the template does not need to supply a key type or cla

ta: pkcs11: Temporary workaround in sanitize_indirect_attr()

Since the type of key to be generated is implicit in the key generation
mechanism, the template does not need to supply a key type or class.
(CKA_CLASS and CKA_KEY_TYPE attributes). sanitize_indirect_attr()
expects these attributes to be available else gives an error.

The right way of handling this would be perhaps passing a hint
of the class and key type to this function if key is being generated
using key generated mechanisms. However, we don't have support for
wrap/derive key which uses the indirect attributes at present in the
code. So, we would not be able to test it. For now, just move the class
checking afer the attribute checking which helps avoid this error.

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>

show more ...

Use barrier_read_cntpct() to read CNTPCT

Arm ARM quite clearly mentions [1] [2] that such reads must be preceded
by an ISB to forbid re-ordering.

[1] https://developer.arm.com/documentation/ddi0487

Use barrier_read_cntpct() to read CNTPCT

Arm ARM quite clearly mentions [1] [2] that such reads must be preceded
by an ISB to forbid re-ordering.

[1] https://developer.arm.com/documentation/ddi0487/fc/ page D13-2863
"Synchronization requirements for AArch64 System registers" and page
G8-6146 "Ordering of reads of System registers".
[2] https://developer.arm.com/documentation/ddi0406/cd/ page B3-1441
"Ordering of reads of system control registers"

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reported-by: Olivier Deprez <Olivier.Deprez@arm.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: add isb() and barrier_read_cntpct()

Adds isb() and barrier_read_cntpct() to arm_user_sysreg.h, the latter to be
used as a helper when reading CNTPCT.

Reviewed-by: Jerome Forissier <jerome@

libutee: add isb() and barrier_read_cntpct()

Adds isb() and barrier_read_cntpct() to arm_user_sysreg.h, the latter to be
used as a helper when reading CNTPCT.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: add barrier_read_cntpct()

Adds barrier_read_cntpct() to arm.h. To be used as a helper when reading
CNTPCT.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <eti

core: add barrier_read_cntpct()

Adds barrier_read_cntpct() to arm.h. To be used as a helper when reading
CNTPCT.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: fix TEE_BigIntInit() memset()

The TEE_BigIntInit() supplied length is the number of words allocated
for the bigint, including headers. Prior to this patch it seems it was
assumed that lengt

libutee: fix TEE_BigIntInit() memset()

The TEE_BigIntInit() supplied length is the number of words allocated
for the bigint, including headers. Prior to this patch it seems it was
assumed that length was number of bits given the call to
TEE_BigIntSizeInU32(). With this patch correct this by removing the
TEE_BigIntSizeInU32() call.

Fixes: 062e3d01c039 ("ta: switch to to mbedtls for bignum")
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_CopyOperation() copy info.digestLength

When copying an operation include info.digestLength in the copied fields
which is needed for the authenticated encryption algorithms AES-GCM and
A

libutee: TEE_CopyOperation() copy info.digestLength

When copying an operation include info.digestLength in the copied fields
which is needed for the authenticated encryption algorithms AES-GCM and
AES-CCM.

Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>
Suggested-by: Tony He <tony.he@armchina.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

libutee: TEE_CopyOperation() check operation mode

Adds a check in TEE_CopyOperation() to panic if operation mode doesn't
match in the source and destination operations.

Reviewed-by: Jerome Forissie

libutee: TEE_CopyOperation() check operation mode

Adds a check in TEE_CopyOperation() to panic if operation mode doesn't
match in the source and destination operations.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: copy ctx_finalize in syscall_cryp_state_copy()

Copies the ctx_finalize() when a state is copied using
syscall_cryp_state_copy() in order to support proper cleanup of the
state once it's remove

core: copy ctx_finalize in syscall_cryp_state_copy()

Copies the ctx_finalize() when a state is copied using
syscall_cryp_state_copy() in order to support proper cleanup of the
state once it's removed.

Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Suggested-by: Tony He <tony.he@armchina.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...