1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (c) 2021, STMicroelectronics - All Rights Reserved 4 */ 5 6 #include <assert.h> 7 #include <crypto/crypto.h> 8 #include <crypto/crypto_impl.h> 9 #include <crypto/internal_aes-gcm.h> 10 #include <drvcrypt.h> 11 #include <drvcrypt_authenc.h> 12 #include <initcall.h> 13 #include <stdlib.h> 14 #include <string.h> 15 #include <string_ext.h> 16 #include <tee_api_types.h> 17 #include <utee_defines.h> 18 #include <util.h> 19 20 #include "common.h" 21 #include "stm32_cryp.h" 22 23 #define MAX_TAG_SIZE 16U 24 25 struct stm32_ae_ctx { 26 struct crypto_authenc_ctx a_ctx; 27 struct stm32_cryp_context cryp; 28 enum stm32_cryp_algo_mode algo; 29 uint8_t tag_mask[MAX_TAG_SIZE]; 30 }; 31 32 static void xor_vec(uint8_t *r, uint8_t *a, uint8_t *b, size_t len) 33 { 34 size_t i = 0; 35 36 for (i = 0; i < len; i++) 37 r[i] = a[i] ^ b[i]; 38 } 39 40 static struct stm32_ae_ctx *to_stm32_ae_ctx(struct crypto_authenc_ctx *ctx) 41 { 42 assert(ctx); 43 44 return container_of(ctx, struct stm32_ae_ctx, a_ctx); 45 } 46 47 static TEE_Result stm32_ae_gcm_generate_iv(struct stm32_ae_ctx *c, 48 uint32_t *iv, 49 struct drvcrypt_authenc_init *dinit) 50 { 51 TEE_Result res = TEE_SUCCESS; 52 uint8_t tag1[MAX_TAG_SIZE] = { 0 }; 53 uint8_t tag2[MAX_TAG_SIZE] = { 0 }; 54 uint32_t j0[MAX_TAG_SIZE / sizeof(uint32_t)] = { 0 }; 55 uint8_t dummy_iv[MAX_TAG_SIZE] = { 0 }; 56 struct stm32_cryp_context ctx = { }; 57 uint8_t *data_out = NULL; 58 59 if (dinit->nonce.length == 12) { 60 memcpy(iv, dinit->nonce.data, dinit->nonce.length); 61 iv[3] = TEE_U32_TO_BIG_ENDIAN(2); 62 return TEE_SUCCESS; 63 } 64 65 /* Calculate GHASH(dinit->nonce.data) */ 66 dummy_iv[15] = 2; 67 68 res = stm32_cryp_init(&ctx, true, STM32_CRYP_MODE_AES_GCM, 69 dinit->key.data, dinit->key.length, 70 dummy_iv, sizeof(dummy_iv)); 71 if (res) 72 return res; 73 74 res = stm32_cryp_final(&ctx, tag1, sizeof(tag1)); 75 if (res) 76 return res; 77 78 memset(&ctx, 0, sizeof(ctx)); 79 res = stm32_cryp_init(&ctx, true, STM32_CRYP_MODE_AES_GCM, 80 dinit->key.data, dinit->key.length, 81 dummy_iv, sizeof(dummy_iv)); 82 if (res) 83 return res; 84 85 data_out = malloc(dinit->nonce.length); 86 if (!data_out) 87 return TEE_ERROR_OUT_OF_MEMORY; 88 89 res = stm32_cryp_update_load(&ctx, dinit->nonce.data, data_out, 90 dinit->nonce.length); 91 free(data_out); 92 93 if (res) 94 return res; 95 96 res = stm32_cryp_final(&ctx, tag2, sizeof(tag2)); 97 if (res) 98 return res; 99 100 xor_vec((uint8_t *)j0, tag1, tag2, sizeof(tag1)); 101 102 memcpy(iv, j0, sizeof(j0)); 103 iv[3] = TEE_U32_TO_BIG_ENDIAN(TEE_U32_FROM_BIG_ENDIAN(iv[3]) + 1); 104 105 /* Compute first mask=AES_ECB(J0_real) into tag1 */ 106 memset(&ctx, 0, sizeof(ctx)); 107 res = stm32_cryp_init(&ctx, false, STM32_CRYP_MODE_AES_ECB, 108 dinit->key.data, dinit->key.length, 109 NULL, 0); 110 if (res) 111 return res; 112 113 res = stm32_cryp_update(&ctx, true, (uint8_t *)j0, tag1, 114 sizeof(tag1)); 115 if (res) 116 return res; 117 118 /* Compute second mask=AES_ECB(J0_used_by_HW) into tag2 */ 119 memset(&ctx, 0, sizeof(ctx)); 120 j0[3] = TEE_U32_TO_BIG_ENDIAN(1); 121 res = stm32_cryp_init(&ctx, false, STM32_CRYP_MODE_AES_ECB, 122 dinit->key.data, dinit->key.length, 123 NULL, 0); 124 if (res) 125 return res; 126 127 res = stm32_cryp_update(&ctx, true, (uint8_t *)j0, tag2, 128 sizeof(tag2)); 129 if (res) 130 return res; 131 132 /* 133 * Save the mask we will apply in {enc,dec}_final() to the 134 * (wrongly) computed tag to get the expected one. 135 */ 136 xor_vec(c->tag_mask, tag1, tag2, sizeof(c->tag_mask)); 137 138 return TEE_SUCCESS; 139 } 140 141 static void stm32_ae_ccm_generate_b0(uint8_t *b0, 142 struct drvcrypt_authenc_init *dinit) 143 { 144 size_t m = dinit->tag_len; 145 size_t l = 15 - dinit->nonce.length; 146 size_t payload_len = dinit->payload_len; 147 size_t i = 15; 148 149 /* The tag_len should be 4, 6, 8, 10, 12, 14 or 16 */ 150 assert(m >= 4 && m <= 16 && (m % 2) == 0); 151 152 memset(b0, 0, TEE_AES_BLOCK_SIZE); 153 /* Flags: (Adata << 6) | (M' << 3) | L' */ 154 b0[0] = ((dinit->aad_len ? 1 : 0) << 6) | 155 (((m - 2) / 2) << 3) | 156 (l - 1); 157 158 /* Nonce */ 159 memcpy(b0 + 1, dinit->nonce.data, dinit->nonce.length); 160 161 /* Payload length */ 162 for (i = 15; i >= 15 - l + 1; i--, payload_len >>= 8) 163 b0[i] = payload_len & 0xFF; 164 } 165 166 static TEE_Result stm32_ae_ccm_push_b1(struct stm32_ae_ctx *c, 167 struct drvcrypt_authenc_init *dinit) 168 { 169 uint8_t b1[TEE_AES_BLOCK_SIZE] = { 0 }; 170 size_t len = 0; 171 172 if (dinit->aad_len == 0) 173 return TEE_SUCCESS; 174 175 if (dinit->aad_len < 0x100) { 176 b1[1] = dinit->aad_len; 177 len = 2; 178 } else if (dinit->aad_len < 0xFF00) { 179 b1[0] = dinit->aad_len / 0x100; 180 b1[1] = dinit->aad_len % 0x100; 181 len = 2; 182 } else if (dinit->aad_len <= UINT32_MAX) { 183 b1[0] = 0xFF; 184 b1[1] = 0xFE; 185 b1[2] = dinit->aad_len & GENMASK_32(7, 0); 186 b1[3] = (dinit->aad_len & GENMASK_32(15, 8)) >> 8; 187 b1[4] = (dinit->aad_len & GENMASK_32(23, 16)) >> 16; 188 b1[5] = (dinit->aad_len & GENMASK_32(31, 24)) >> 24; 189 len = 6; 190 } else { 191 b1[0] = 0xFF; 192 b1[1] = 0xFF; 193 b1[2] = dinit->aad_len & GENMASK_64(7, 0); 194 b1[3] = (dinit->aad_len & GENMASK_64(15, 8)) >> 8; 195 b1[4] = (dinit->aad_len & GENMASK_64(23, 16)) >> 16; 196 b1[5] = (dinit->aad_len & GENMASK_64(31, 24)) >> 24; 197 b1[6] = (dinit->aad_len & GENMASK_64(39, 32)) >> 32; 198 b1[7] = (dinit->aad_len & GENMASK_64(47, 40)) >> 40; 199 b1[8] = (dinit->aad_len & GENMASK_64(55, 48)) >> 48; 200 b1[9] = (dinit->aad_len & GENMASK_64(63, 56)) >> 56; 201 len = 10; 202 } 203 204 return stm32_cryp_update_assodata(&c->cryp, b1, len); 205 } 206 207 static TEE_Result stm32_ae_initialize(struct drvcrypt_authenc_init *dinit) 208 { 209 TEE_Result res = TEE_SUCCESS; 210 uint32_t iv[4] = { 0 }; 211 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dinit->ctx); 212 213 if (c->algo == STM32_CRYP_MODE_AES_GCM) { 214 res = stm32_ae_gcm_generate_iv(c, iv, dinit); 215 if (res) 216 return res; 217 } else if (c->algo == STM32_CRYP_MODE_AES_CCM) { 218 stm32_ae_ccm_generate_b0((uint8_t *)iv, dinit); 219 } 220 221 res = stm32_cryp_init(&c->cryp, !dinit->encrypt, c->algo, 222 dinit->key.data, dinit->key.length, iv, 223 sizeof(iv)); 224 if (res) 225 return res; 226 227 if (c->algo == STM32_CRYP_MODE_AES_CCM) 228 return stm32_ae_ccm_push_b1(c, dinit); 229 230 return TEE_SUCCESS; 231 } 232 233 static TEE_Result 234 stm32_ae_update_aad(struct drvcrypt_authenc_update_aad *dupdate) 235 { 236 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dupdate->ctx); 237 238 return stm32_cryp_update_assodata(&c->cryp, dupdate->aad.data, 239 dupdate->aad.length); 240 } 241 242 static TEE_Result 243 stm32_ae_update_payload(struct drvcrypt_authenc_update_payload *dupdate) 244 { 245 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dupdate->ctx); 246 size_t len = MIN(dupdate->src.length, dupdate->dst.length); 247 248 return stm32_cryp_update_load(&c->cryp, dupdate->src.data, 249 dupdate->dst.data, len); 250 } 251 252 static TEE_Result stm32_ae_encdec_final(struct stm32_ae_ctx *c, uint8_t *tag, 253 size_t tag_size) 254 { 255 TEE_Result res = TEE_SUCCESS; 256 uint8_t t[MAX_TAG_SIZE] = { 0 }; 257 258 res = stm32_cryp_final(&c->cryp, t, sizeof(t)); 259 if (res) 260 return res; 261 262 xor_vec(tag, t, c->tag_mask, tag_size); 263 264 return TEE_SUCCESS; 265 } 266 267 static TEE_Result stm32_ae_enc_final(struct drvcrypt_authenc_final *dfinal) 268 { 269 TEE_Result res = TEE_SUCCESS; 270 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dfinal->ctx); 271 size_t len = MIN(dfinal->src.length, dfinal->dst.length); 272 273 res = stm32_cryp_update_load(&c->cryp, dfinal->src.data, 274 dfinal->dst.data, len); 275 if (res) 276 return res; 277 278 return stm32_ae_encdec_final(c, dfinal->tag.data, dfinal->tag.length); 279 } 280 281 static TEE_Result stm32_ae_dec_final(struct drvcrypt_authenc_final *dfinal) 282 { 283 TEE_Result res = TEE_SUCCESS; 284 struct stm32_ae_ctx *c = to_stm32_ae_ctx(dfinal->ctx); 285 size_t len = MIN(dfinal->src.length, dfinal->dst.length); 286 unsigned char tag_buf[MAX_TAG_SIZE] = { 0 }; 287 288 res = stm32_cryp_update_load(&c->cryp, dfinal->src.data, 289 dfinal->dst.data, len); 290 if (res) 291 return res; 292 293 res = stm32_ae_encdec_final(c, tag_buf, sizeof(tag_buf)); 294 if (res) 295 return res; 296 297 if (consttime_memcmp(tag_buf, dfinal->tag.data, dfinal->tag.length)) 298 return TEE_ERROR_MAC_INVALID; 299 300 return TEE_SUCCESS; 301 } 302 303 static void stm32_ae_final(void *ctx __unused) 304 { 305 } 306 307 static void stm32_ae_free(void *ctx) 308 { 309 struct stm32_ae_ctx *c = to_stm32_ae_ctx(ctx); 310 311 free(c); 312 } 313 314 static void stm32_ae_copy_state(void *dst_ctx, void *src_ctx) 315 { 316 struct stm32_ae_ctx *src = to_stm32_ae_ctx(src_ctx); 317 struct stm32_ae_ctx *dst = to_stm32_ae_ctx(dst_ctx); 318 319 memcpy(dst, src, sizeof(*dst)); 320 } 321 322 static TEE_Result alloc_ctx(void **ctx, enum stm32_cryp_algo_mode algo) 323 { 324 struct stm32_ae_ctx *c = calloc(1, sizeof(*c)); 325 326 if (!c) 327 return TEE_ERROR_OUT_OF_MEMORY; 328 329 c->algo = algo; 330 *ctx = &c->a_ctx; 331 332 return TEE_SUCCESS; 333 } 334 335 /* 336 * Allocate the SW authenc data context 337 * 338 * @ctx [out] Caller context variable 339 * @algo Algorithm ID of the context 340 */ 341 static TEE_Result stm32_ae_allocate(void **ctx, uint32_t algo) 342 { 343 /* Convert TEE_ALGO id to CRYP id */ 344 switch (algo) { 345 case TEE_ALG_AES_CCM: 346 return alloc_ctx(ctx, STM32_CRYP_MODE_AES_CCM); 347 case TEE_ALG_AES_GCM: 348 return alloc_ctx(ctx, STM32_CRYP_MODE_AES_GCM); 349 default: 350 return TEE_ERROR_NOT_IMPLEMENTED; 351 } 352 } 353 354 /* 355 * Registration of the Authenc Driver 356 */ 357 static struct drvcrypt_authenc driver_authenc = { 358 .alloc_ctx = stm32_ae_allocate, 359 .free_ctx = stm32_ae_free, 360 .init = stm32_ae_initialize, 361 .update_aad = stm32_ae_update_aad, 362 .update_payload = stm32_ae_update_payload, 363 .enc_final = stm32_ae_enc_final, 364 .dec_final = stm32_ae_dec_final, 365 .final = stm32_ae_final, 366 .copy_state = stm32_ae_copy_state, 367 }; 368 369 TEE_Result stm32_register_authenc(void) 370 { 371 return drvcrypt_register_authenc(&driver_authenc); 372 } 373