1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (c) 2021, STMicroelectronics - All Rights Reserved
4 */
5
6 #include <assert.h>
7 #include <crypto/crypto.h>
8 #include <crypto/crypto_impl.h>
9 #include <crypto/internal_aes-gcm.h>
10 #include <drvcrypt.h>
11 #include <drvcrypt_authenc.h>
12 #include <initcall.h>
13 #include <stdlib.h>
14 #include <string.h>
15 #include <string_ext.h>
16 #include <tee_api_types.h>
17 #include <utee_defines.h>
18 #include <util.h>
19
20 #include "common.h"
21 #include "stm32_cryp.h"
22
23 #define MAX_TAG_SIZE 16U
24
25 struct stm32_ae_ctx {
26 struct crypto_authenc_ctx a_ctx;
27 struct stm32_cryp_context cryp;
28 enum stm32_cryp_algo_mode algo;
29 uint8_t tag_mask[MAX_TAG_SIZE];
30 };
31
xor_vec(uint8_t * r,uint8_t * a,uint8_t * b,size_t len)32 static void xor_vec(uint8_t *r, uint8_t *a, uint8_t *b, size_t len)
33 {
34 size_t i = 0;
35
36 for (i = 0; i < len; i++)
37 r[i] = a[i] ^ b[i];
38 }
39
to_stm32_ae_ctx(struct crypto_authenc_ctx * ctx)40 static struct stm32_ae_ctx *to_stm32_ae_ctx(struct crypto_authenc_ctx *ctx)
41 {
42 assert(ctx);
43
44 return container_of(ctx, struct stm32_ae_ctx, a_ctx);
45 }
46
stm32_ae_gcm_generate_iv(struct stm32_ae_ctx * c,uint32_t * iv,struct drvcrypt_authenc_init * dinit)47 static TEE_Result stm32_ae_gcm_generate_iv(struct stm32_ae_ctx *c,
48 uint32_t *iv,
49 struct drvcrypt_authenc_init *dinit)
50 {
51 TEE_Result res = TEE_SUCCESS;
52 uint8_t tag1[MAX_TAG_SIZE] = { 0 };
53 uint8_t tag2[MAX_TAG_SIZE] = { 0 };
54 uint32_t j0[MAX_TAG_SIZE / sizeof(uint32_t)] = { 0 };
55 uint8_t dummy_iv[MAX_TAG_SIZE] = { 0 };
56 struct stm32_cryp_context ctx = { };
57 uint8_t *data_out = NULL;
58
59 if (dinit->nonce.length == 12) {
60 memcpy(iv, dinit->nonce.data, dinit->nonce.length);
61 iv[3] = TEE_U32_TO_BIG_ENDIAN(2);
62 return TEE_SUCCESS;
63 }
64
65 /* Calculate GHASH(dinit->nonce.data) */
66 dummy_iv[15] = 2;
67
68 res = stm32_cryp_init(&ctx, true, STM32_CRYP_MODE_AES_GCM,
69 dinit->key.data, dinit->key.length,
70 dummy_iv, sizeof(dummy_iv));
71 if (res)
72 return res;
73
74 res = stm32_cryp_final(&ctx, tag1, sizeof(tag1));
75 if (res)
76 return res;
77
78 memset(&ctx, 0, sizeof(ctx));
79 res = stm32_cryp_init(&ctx, true, STM32_CRYP_MODE_AES_GCM,
80 dinit->key.data, dinit->key.length,
81 dummy_iv, sizeof(dummy_iv));
82 if (res)
83 return res;
84
85 data_out = malloc(dinit->nonce.length);
86 if (!data_out)
87 return TEE_ERROR_OUT_OF_MEMORY;
88
89 res = stm32_cryp_update_load(&ctx, dinit->nonce.data, data_out,
90 dinit->nonce.length);
91 free(data_out);
92
93 if (res)
94 return res;
95
96 res = stm32_cryp_final(&ctx, tag2, sizeof(tag2));
97 if (res)
98 return res;
99
100 xor_vec((uint8_t *)j0, tag1, tag2, sizeof(tag1));
101
102 memcpy(iv, j0, sizeof(j0));
103 iv[3] = TEE_U32_TO_BIG_ENDIAN(TEE_U32_FROM_BIG_ENDIAN(iv[3]) + 1);
104
105 /* Compute first mask=AES_ECB(J0_real) into tag1 */
106 memset(&ctx, 0, sizeof(ctx));
107 res = stm32_cryp_init(&ctx, false, STM32_CRYP_MODE_AES_ECB,
108 dinit->key.data, dinit->key.length,
109 NULL, 0);
110 if (res)
111 return res;
112
113 res = stm32_cryp_update(&ctx, true, (uint8_t *)j0, tag1,
114 sizeof(tag1));
115 if (res)
116 return res;
117
118 /* Compute second mask=AES_ECB(J0_used_by_HW) into tag2 */
119 memset(&ctx, 0, sizeof(ctx));
120 j0[3] = TEE_U32_TO_BIG_ENDIAN(1);
121 res = stm32_cryp_init(&ctx, false, STM32_CRYP_MODE_AES_ECB,
122 dinit->key.data, dinit->key.length,
123 NULL, 0);
124 if (res)
125 return res;
126
127 res = stm32_cryp_update(&ctx, true, (uint8_t *)j0, tag2,
128 sizeof(tag2));
129 if (res)
130 return res;
131
132 /*
133 * Save the mask we will apply in {enc,dec}_final() to the
134 * (wrongly) computed tag to get the expected one.
135 */
136 xor_vec(c->tag_mask, tag1, tag2, sizeof(c->tag_mask));
137
138 return TEE_SUCCESS;
139 }
140
stm32_ae_ccm_generate_b0(uint8_t * b0,struct drvcrypt_authenc_init * dinit)141 static void stm32_ae_ccm_generate_b0(uint8_t *b0,
142 struct drvcrypt_authenc_init *dinit)
143 {
144 size_t m = dinit->tag_len;
145 size_t l = 15 - dinit->nonce.length;
146 size_t payload_len = dinit->payload_len;
147 size_t i = 15;
148
149 /* The tag_len should be 4, 6, 8, 10, 12, 14 or 16 */
150 assert(m >= 4 && m <= 16 && (m % 2) == 0);
151
152 memset(b0, 0, TEE_AES_BLOCK_SIZE);
153 /* Flags: (Adata << 6) | (M' << 3) | L' */
154 b0[0] = ((dinit->aad_len ? 1 : 0) << 6) |
155 (((m - 2) / 2) << 3) |
156 (l - 1);
157
158 /* Nonce */
159 memcpy(b0 + 1, dinit->nonce.data, dinit->nonce.length);
160
161 /* Payload length */
162 for (i = 15; i >= 15 - l + 1; i--, payload_len >>= 8)
163 b0[i] = payload_len & 0xFF;
164 }
165
stm32_ae_ccm_push_b1(struct stm32_ae_ctx * c,struct drvcrypt_authenc_init * dinit)166 static TEE_Result stm32_ae_ccm_push_b1(struct stm32_ae_ctx *c,
167 struct drvcrypt_authenc_init *dinit)
168 {
169 uint8_t b1[TEE_AES_BLOCK_SIZE] = { 0 };
170 size_t len = 0;
171
172 if (dinit->aad_len == 0)
173 return TEE_SUCCESS;
174
175 if (dinit->aad_len < 0x100) {
176 b1[1] = dinit->aad_len;
177 len = 2;
178 } else if (dinit->aad_len < 0xFF00) {
179 b1[0] = dinit->aad_len / 0x100;
180 b1[1] = dinit->aad_len % 0x100;
181 len = 2;
182 } else if (dinit->aad_len <= UINT32_MAX) {
183 b1[0] = 0xFF;
184 b1[1] = 0xFE;
185 b1[2] = dinit->aad_len & GENMASK_32(7, 0);
186 b1[3] = (dinit->aad_len & GENMASK_32(15, 8)) >> 8;
187 b1[4] = (dinit->aad_len & GENMASK_32(23, 16)) >> 16;
188 b1[5] = (dinit->aad_len & GENMASK_32(31, 24)) >> 24;
189 len = 6;
190 } else {
191 b1[0] = 0xFF;
192 b1[1] = 0xFF;
193 b1[2] = dinit->aad_len & GENMASK_64(7, 0);
194 b1[3] = (dinit->aad_len & GENMASK_64(15, 8)) >> 8;
195 b1[4] = (dinit->aad_len & GENMASK_64(23, 16)) >> 16;
196 b1[5] = (dinit->aad_len & GENMASK_64(31, 24)) >> 24;
197 b1[6] = (dinit->aad_len & GENMASK_64(39, 32)) >> 32;
198 b1[7] = (dinit->aad_len & GENMASK_64(47, 40)) >> 40;
199 b1[8] = (dinit->aad_len & GENMASK_64(55, 48)) >> 48;
200 b1[9] = (dinit->aad_len & GENMASK_64(63, 56)) >> 56;
201 len = 10;
202 }
203
204 return stm32_cryp_update_assodata(&c->cryp, b1, len);
205 }
206
stm32_ae_initialize(struct drvcrypt_authenc_init * dinit)207 static TEE_Result stm32_ae_initialize(struct drvcrypt_authenc_init *dinit)
208 {
209 TEE_Result res = TEE_SUCCESS;
210 uint32_t iv[4] = { 0 };
211 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dinit->ctx);
212
213 if (c->algo == STM32_CRYP_MODE_AES_GCM) {
214 res = stm32_ae_gcm_generate_iv(c, iv, dinit);
215 if (res)
216 return res;
217 } else if (c->algo == STM32_CRYP_MODE_AES_CCM) {
218 stm32_ae_ccm_generate_b0((uint8_t *)iv, dinit);
219 }
220
221 res = stm32_cryp_init(&c->cryp, !dinit->encrypt, c->algo,
222 dinit->key.data, dinit->key.length, iv,
223 sizeof(iv));
224 if (res)
225 return res;
226
227 if (c->algo == STM32_CRYP_MODE_AES_CCM)
228 return stm32_ae_ccm_push_b1(c, dinit);
229
230 return TEE_SUCCESS;
231 }
232
233 static TEE_Result
stm32_ae_update_aad(struct drvcrypt_authenc_update_aad * dupdate)234 stm32_ae_update_aad(struct drvcrypt_authenc_update_aad *dupdate)
235 {
236 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dupdate->ctx);
237
238 return stm32_cryp_update_assodata(&c->cryp, dupdate->aad.data,
239 dupdate->aad.length);
240 }
241
242 static TEE_Result
stm32_ae_update_payload(struct drvcrypt_authenc_update_payload * dupdate)243 stm32_ae_update_payload(struct drvcrypt_authenc_update_payload *dupdate)
244 {
245 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dupdate->ctx);
246 size_t len = MIN(dupdate->src.length, dupdate->dst.length);
247
248 return stm32_cryp_update_load(&c->cryp, dupdate->src.data,
249 dupdate->dst.data, len);
250 }
251
stm32_ae_encdec_final(struct stm32_ae_ctx * c,uint8_t * tag,size_t tag_size)252 static TEE_Result stm32_ae_encdec_final(struct stm32_ae_ctx *c, uint8_t *tag,
253 size_t tag_size)
254 {
255 TEE_Result res = TEE_SUCCESS;
256 uint8_t t[MAX_TAG_SIZE] = { 0 };
257
258 res = stm32_cryp_final(&c->cryp, t, sizeof(t));
259 if (res)
260 return res;
261
262 xor_vec(tag, t, c->tag_mask, tag_size);
263
264 return TEE_SUCCESS;
265 }
266
stm32_ae_enc_final(struct drvcrypt_authenc_final * dfinal)267 static TEE_Result stm32_ae_enc_final(struct drvcrypt_authenc_final *dfinal)
268 {
269 TEE_Result res = TEE_SUCCESS;
270 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dfinal->ctx);
271 size_t len = MIN(dfinal->src.length, dfinal->dst.length);
272
273 res = stm32_cryp_update_load(&c->cryp, dfinal->src.data,
274 dfinal->dst.data, len);
275 if (res)
276 return res;
277
278 return stm32_ae_encdec_final(c, dfinal->tag.data, dfinal->tag.length);
279 }
280
stm32_ae_dec_final(struct drvcrypt_authenc_final * dfinal)281 static TEE_Result stm32_ae_dec_final(struct drvcrypt_authenc_final *dfinal)
282 {
283 TEE_Result res = TEE_SUCCESS;
284 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dfinal->ctx);
285 size_t len = MIN(dfinal->src.length, dfinal->dst.length);
286 unsigned char tag_buf[MAX_TAG_SIZE] = { 0 };
287
288 res = stm32_cryp_update_load(&c->cryp, dfinal->src.data,
289 dfinal->dst.data, len);
290 if (res)
291 return res;
292
293 res = stm32_ae_encdec_final(c, tag_buf, sizeof(tag_buf));
294 if (res)
295 return res;
296
297 if (consttime_memcmp(tag_buf, dfinal->tag.data, dfinal->tag.length))
298 return TEE_ERROR_MAC_INVALID;
299
300 return TEE_SUCCESS;
301 }
302
stm32_ae_final(void * ctx __unused)303 static void stm32_ae_final(void *ctx __unused)
304 {
305 }
306
stm32_ae_free(void * ctx)307 static void stm32_ae_free(void *ctx)
308 {
309 struct stm32_ae_ctx *c = to_stm32_ae_ctx(ctx);
310
311 free(c);
312 }
313
stm32_ae_copy_state(void * dst_ctx,void * src_ctx)314 static void stm32_ae_copy_state(void *dst_ctx, void *src_ctx)
315 {
316 struct stm32_ae_ctx *src = to_stm32_ae_ctx(src_ctx);
317 struct stm32_ae_ctx *dst = to_stm32_ae_ctx(dst_ctx);
318
319 memcpy(dst, src, sizeof(*dst));
320 }
321
alloc_ctx(void ** ctx,enum stm32_cryp_algo_mode algo)322 static TEE_Result alloc_ctx(void **ctx, enum stm32_cryp_algo_mode algo)
323 {
324 struct stm32_ae_ctx *c = calloc(1, sizeof(*c));
325
326 if (!c)
327 return TEE_ERROR_OUT_OF_MEMORY;
328
329 c->algo = algo;
330 *ctx = &c->a_ctx;
331
332 return TEE_SUCCESS;
333 }
334
335 /*
336 * Allocate the SW authenc data context
337 *
338 * @ctx [out] Caller context variable
339 * @algo Algorithm ID of the context
340 */
stm32_ae_allocate(void ** ctx,uint32_t algo)341 static TEE_Result stm32_ae_allocate(void **ctx, uint32_t algo)
342 {
343 /* Convert TEE_ALGO id to CRYP id */
344 switch (algo) {
345 case TEE_ALG_AES_CCM:
346 return alloc_ctx(ctx, STM32_CRYP_MODE_AES_CCM);
347 case TEE_ALG_AES_GCM:
348 return alloc_ctx(ctx, STM32_CRYP_MODE_AES_GCM);
349 default:
350 return TEE_ERROR_NOT_IMPLEMENTED;
351 }
352 }
353
354 /*
355 * Registration of the Authenc Driver
356 */
357 static struct drvcrypt_authenc driver_authenc = {
358 .alloc_ctx = stm32_ae_allocate,
359 .free_ctx = stm32_ae_free,
360 .init = stm32_ae_initialize,
361 .update_aad = stm32_ae_update_aad,
362 .update_payload = stm32_ae_update_payload,
363 .enc_final = stm32_ae_enc_final,
364 .dec_final = stm32_ae_dec_final,
365 .final = stm32_ae_final,
366 .copy_state = stm32_ae_copy_state,
367 };
368
stm32_register_authenc(void)369 TEE_Result stm32_register_authenc(void)
370 {
371 return drvcrypt_register_authenc(&driver_authenc);
372 }
373