1 /* 2 * Copyright (c) 2026, Arm Limited. All rights reserved. 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 * 6 */ 7 8 #ifndef __SFCP_ENCRYPTION_H__ 9 #define __SFCP_ENCRYPTION_H__ 10 11 #include <stdint.h> 12 13 #include <drivers/arm/sfcp.h> 14 #include "sfcp_defs.h" 15 #include "sfcp_trusted_subnet.h" 16 17 #ifdef __cplusplus 18 extern "C" { 19 #endif 20 21 /* Assume the maximum trusted subnet ID is the number of nodes in the system */ 22 #define SFCP_MAX_TRUSTED_SUBNET_ID (SFCP_NUMBER_NODES) 23 24 enum sfcp_trusted_subnet_state_t { 25 SFCP_TRUSTED_SUBNET_STATE_NOT_REGISTERED = 0, 26 27 /* SFCP session key derivation state */ 28 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_REQUIRED, 29 30 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_INITIATOR_STARTED, 31 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_SENT_CLIENT_REQUEST, 32 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_RECIEVED_SERVER_GET_REQUEST, 33 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_RECIEVED_CLIENT_REQUEST, 34 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_RECEIVED_CLIENT_REQUEST_SERVER_REPLY, 35 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_SENT_GET_IV_MSG, 36 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_SENT_GET_IV_REPLY, 37 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_SENT_SEND_IVS_MSG, 38 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_SENT_SEND_IVS_REPLY, 39 40 /* SFCP re-keying state */ 41 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_REQUIRED, 42 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_INITIATOR_STARTED, 43 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_SENT_CLIENT_REQUEST, 44 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_RECEIVED_CLIENT_REQUEST_SERVER_REPLY, 45 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_RECEIVED_CLIENT_REQUEST, 46 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_SEND_SEND_IVS_MSG, 47 SFCP_TRUSTED_SUBNET_STATE_RE_KEYING_RECEIVED_SEND_IVS_MSG, 48 49 /* Mutual authentication */ 50 SFCP_TRUSTED_SUBNET_STATE_MUTUAL_AUTH_REQUIRED, 51 SFCP_TRUSTED_SUBNET_STATE_MUTUAL_AUTH_WAITING_FOR_AUTH_MSG, 52 SFCP_TRUSTED_SUBNET_STATE_MUTUAL_AUTH_SENT_AUTH_MSG, 53 SFCP_TRUSTED_SUBNET_STATE_MUTUAL_AUTH_COMPLETED, 54 55 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_VALID, 56 SFCP_TRUSTED_SUBNET_STATE_SESSION_KEY_SETUP_NOT_REQUIRED 57 }; 58 59 enum sfcp_error_t sfcp_get_trusted_subnet_by_id( 60 uint8_t trusted_subnet_id, 61 struct sfcp_trusted_subnet_config_t **trusted_subnet); 62 63 enum sfcp_error_t sfcp_get_number_trusted_subnets(size_t *num_trusted_subnets); 64 65 enum sfcp_error_t sfcp_trusted_subnet_get_server( 66 struct sfcp_trusted_subnet_config_t *trusted_subnet, 67 sfcp_node_id_t *server_node); 68 69 enum sfcp_error_t sfcp_trusted_subnet_state_init(void); 70 71 enum sfcp_error_t 72 sfcp_trusted_subnet_get_state(uint8_t trusted_subnet_id, 73 enum sfcp_trusted_subnet_state_t *state); 74 75 enum sfcp_error_t 76 sfcp_trusted_subnet_set_state(uint8_t trusted_subnet_id, 77 enum sfcp_trusted_subnet_state_t state); 78 79 enum sfcp_error_t sfcp_get_trusted_subnet_for_node( 80 sfcp_node_id_t node, 81 struct sfcp_trusted_subnet_config_t **trusted_subnet); 82 83 enum sfcp_error_t sfcp_trusted_subnet_get_send_seq_num( 84 struct sfcp_trusted_subnet_config_t *trusted_subnet, 85 sfcp_node_id_t remote_node, uint16_t *seq_num); 86 87 enum sfcp_error_t sfcp_trusted_subnet_check_recv_seq_num( 88 struct sfcp_trusted_subnet_config_t *trusted_subnet, 89 sfcp_node_id_t remote_node, uint16_t seq_num); 90 91 enum sfcp_error_t sfcp_trusted_subnet_state_requires_handshake_encryption( 92 uint8_t trusted_subnet_id, bool *requires_handshake, 93 bool *requires_encryption); 94 95 enum sfcp_error_t sfcp_encryption_handshake_initiator(uint8_t trusted_subnet_id, 96 bool block); 97 98 enum sfcp_error_t sfcp_encryption_handshake_responder( 99 struct sfcp_packet_t *packet, size_t packet_size, 100 sfcp_node_id_t remote_node, uint8_t message_id, bool packet_encrypted, 101 uint8_t *payload, size_t payload_size, bool *is_handshake_msg); 102 103 enum sfcp_error_t sfcp_encrypt_msg(struct sfcp_packet_t *msg, 104 size_t packet_size, 105 uint8_t trusted_subnet_id, 106 sfcp_node_id_t remote_node); 107 108 enum sfcp_error_t sfcp_decrypt_msg(struct sfcp_packet_t *msg, 109 size_t packet_size, 110 sfcp_node_id_t remote_node); 111 112 enum sfcp_error_t sfcp_encrypt_reply(struct sfcp_packet_t *reply, 113 size_t packet_size, 114 uint8_t trusted_subnet_id, 115 sfcp_node_id_t remote_node); 116 117 enum sfcp_error_t sfcp_decrypt_reply(struct sfcp_packet_t *reply, 118 size_t packet_size, 119 sfcp_node_id_t remote_node); 120 121 #ifdef __cplusplus 122 } 123 #endif 124 125 #endif /* __SFCP_ENCRYPTION_H__ */ 126