1 /* SPDX-License-Identifier: BSD-2-Clause */ 2 /* 3 * Copyright (c) 2014-2017, Linaro Limited 4 */ 5 6 /* 7 * This is the Cryptographic Provider API (CP API). 8 * 9 * This defines how most crypto syscalls that implement the Cryptographic 10 * Operations API can invoke the actual providers of cryptographic algorithms 11 * (such as LibTomCrypt). 12 * 13 * To add a new provider, you need to provide an implementation of this 14 * interface. 15 * 16 * The following parameters are commonly used. 17 * 18 * @ctx: context allocated by the syscall, for later use by the algorithm 19 * @algo: algorithm identifier (TEE_ALG_*) 20 */ 21 22 #ifndef __CRYPTO_CRYPTO_H 23 #define __CRYPTO_CRYPTO_H 24 25 #include <tee/tee_obj.h> 26 #include <tee_api_types.h> 27 28 TEE_Result crypto_init(void); 29 30 /* Message digest functions */ 31 TEE_Result crypto_hash_alloc_ctx(void **ctx, uint32_t algo); 32 TEE_Result crypto_hash_init(void *ctx); 33 TEE_Result crypto_hash_update(void *ctx, const uint8_t *data, size_t len); 34 TEE_Result crypto_hash_final(void *ctx, uint8_t *digest, size_t len); 35 void crypto_hash_free_ctx(void *ctx); 36 void crypto_hash_copy_state(void *dst_ctx, void *src_ctx); 37 38 /* Symmetric ciphers */ 39 TEE_Result crypto_cipher_alloc_ctx(void **ctx, uint32_t algo); 40 TEE_Result crypto_cipher_init(void *ctx, TEE_OperationMode mode, 41 const uint8_t *key1, size_t key1_len, 42 const uint8_t *key2, size_t key2_len, 43 const uint8_t *iv, size_t iv_len); 44 TEE_Result crypto_cipher_update(void *ctx, TEE_OperationMode mode, 45 bool last_block, const uint8_t *data, 46 size_t len, uint8_t *dst); 47 void crypto_cipher_final(void *ctx); 48 TEE_Result crypto_cipher_get_block_size(uint32_t algo, size_t *size); 49 void crypto_cipher_free_ctx(void *ctx); 50 void crypto_cipher_copy_state(void *dst_ctx, void *src_ctx); 51 52 /* Message Authentication Code functions */ 53 TEE_Result crypto_mac_alloc_ctx(void **ctx, uint32_t algo); 54 TEE_Result crypto_mac_init(void *ctx, const uint8_t *key, size_t len); 55 TEE_Result crypto_mac_update(void *ctx, const uint8_t *data, size_t len); 56 TEE_Result crypto_mac_final(void *ctx, uint8_t *digest, size_t digest_len); 57 void crypto_mac_free_ctx(void *ctx); 58 void crypto_mac_copy_state(void *dst_ctx, void *src_ctx); 59 60 /* Authenticated encryption */ 61 TEE_Result crypto_authenc_alloc_ctx(void **ctx, uint32_t algo); 62 TEE_Result crypto_authenc_init(void *ctx, TEE_OperationMode mode, 63 const uint8_t *key, size_t key_len, 64 const uint8_t *nonce, size_t nonce_len, 65 size_t tag_len, size_t aad_len, 66 size_t payload_len); 67 TEE_Result crypto_authenc_update_aad(void *ctx, TEE_OperationMode mode, 68 const uint8_t *data, size_t len); 69 TEE_Result crypto_authenc_update_payload(void *ctx, TEE_OperationMode mode, 70 const uint8_t *src_data, 71 size_t src_len, uint8_t *dst_data, 72 size_t *dst_len); 73 TEE_Result crypto_authenc_enc_final(void *ctx, const uint8_t *src_data, 74 size_t src_len, uint8_t *dst_data, 75 size_t *dst_len, uint8_t *dst_tag, 76 size_t *dst_tag_len); 77 TEE_Result crypto_authenc_dec_final(void *ctx, const uint8_t *src_data, 78 size_t src_len, uint8_t *dst_data, 79 size_t *dst_len, const uint8_t *tag, 80 size_t tag_len); 81 void crypto_authenc_final(void *ctx); 82 void crypto_authenc_free_ctx(void *ctx); 83 void crypto_authenc_copy_state(void *dst_ctx, void *src_ctx); 84 85 /* Informs crypto that the data in the buffer will be removed from storage */ 86 TEE_Result crypto_storage_obj_del(struct tee_obj *obj); 87 88 /* Implementation-defined big numbers */ 89 90 /* 91 * Allocate a bignum capable of holding an unsigned integer value of 92 * up to bitsize bits 93 */ 94 struct bignum *crypto_bignum_allocate(size_t size_bits); 95 TEE_Result crypto_bignum_bin2bn(const uint8_t *from, size_t fromsize, 96 struct bignum *to); 97 size_t crypto_bignum_num_bytes(struct bignum *a); 98 size_t crypto_bignum_num_bits(struct bignum *a); 99 void crypto_bignum_bn2bin(const struct bignum *from, uint8_t *to); 100 void crypto_bignum_copy(struct bignum *to, const struct bignum *from); 101 void crypto_bignum_free(struct bignum **a); 102 void crypto_bignum_clear(struct bignum *a); 103 104 /* return -1 if a<b, 0 if a==b, +1 if a>b */ 105 int32_t crypto_bignum_compare(struct bignum *a, struct bignum *b); 106 107 /* Asymmetric algorithms */ 108 109 struct rsa_keypair { 110 struct bignum *e; /* Public exponent */ 111 struct bignum *d; /* Private exponent */ 112 struct bignum *n; /* Modulus */ 113 114 /* Optional CRT parameters (all NULL if unused) */ 115 struct bignum *p; /* N = pq */ 116 struct bignum *q; 117 struct bignum *qp; /* 1/q mod p */ 118 struct bignum *dp; /* d mod (p-1) */ 119 struct bignum *dq; /* d mod (q-1) */ 120 }; 121 122 struct rsa_public_key { 123 struct bignum *e; /* Public exponent */ 124 struct bignum *n; /* Modulus */ 125 }; 126 127 struct dsa_keypair { 128 struct bignum *g; /* Generator of subgroup (public) */ 129 struct bignum *p; /* Prime number (public) */ 130 struct bignum *q; /* Order of subgroup (public) */ 131 struct bignum *y; /* Public key */ 132 struct bignum *x; /* Private key */ 133 }; 134 135 struct dsa_public_key { 136 struct bignum *g; /* Generator of subgroup (public) */ 137 struct bignum *p; /* Prime number (public) */ 138 struct bignum *q; /* Order of subgroup (public) */ 139 struct bignum *y; /* Public key */ 140 }; 141 142 struct dh_keypair { 143 struct bignum *g; /* Generator of Z_p (shared) */ 144 struct bignum *p; /* Prime modulus (shared) */ 145 struct bignum *x; /* Private key */ 146 struct bignum *y; /* Public key y = g^x */ 147 148 /* 149 * Optional parameters used by key generation. 150 * When not used, q == NULL and xbits == 0 151 */ 152 struct bignum *q; /* x must be in the range [2, q-2] */ 153 uint32_t xbits; /* Number of bits in the private key */ 154 }; 155 156 struct ecc_public_key { 157 struct bignum *x; /* Public value x */ 158 struct bignum *y; /* Public value y */ 159 uint32_t curve; /* Curve type */ 160 const struct crypto_ecc_public_ops *ops; /* Key Operations */ 161 }; 162 163 struct ecc_keypair { 164 struct bignum *d; /* Private value */ 165 struct bignum *x; /* Public value x */ 166 struct bignum *y; /* Public value y */ 167 uint32_t curve; /* Curve type */ 168 const struct crypto_ecc_keypair_ops *ops; /* Key Operations */ 169 }; 170 171 struct montgomery_keypair { 172 uint8_t *priv; /* Private value */ 173 uint8_t *pub; /* Public value */ 174 }; 175 176 struct ed25519_keypair { 177 uint8_t *priv; 178 uint8_t *pub; 179 uint32_t curve; 180 }; 181 182 struct ed25519_public_key { 183 uint8_t *pub; 184 uint32_t curve; 185 }; 186 187 /* 188 * Key allocation functions 189 * Allocate the bignum's inside a key structure. 190 * TEE core will later use crypto_bignum_free(). 191 */ 192 TEE_Result crypto_acipher_alloc_rsa_keypair(struct rsa_keypair *s, 193 size_t key_size_bits); 194 TEE_Result crypto_acipher_alloc_rsa_public_key(struct rsa_public_key *s, 195 size_t key_size_bits); 196 void crypto_acipher_free_rsa_public_key(struct rsa_public_key *s); 197 void crypto_acipher_free_rsa_keypair(struct rsa_keypair *s); 198 TEE_Result crypto_acipher_alloc_dsa_keypair(struct dsa_keypair *s, 199 size_t key_size_bits); 200 TEE_Result crypto_acipher_alloc_dsa_public_key(struct dsa_public_key *s, 201 size_t key_size_bits); 202 TEE_Result crypto_acipher_alloc_dh_keypair(struct dh_keypair *s, 203 size_t key_size_bits); 204 TEE_Result crypto_acipher_alloc_ecc_public_key(struct ecc_public_key *s, 205 uint32_t key_type, 206 size_t key_size_bits); 207 TEE_Result crypto_acipher_alloc_ecc_keypair(struct ecc_keypair *s, 208 uint32_t key_type, 209 size_t key_size_bits); 210 void crypto_acipher_free_ecc_public_key(struct ecc_public_key *s); 211 TEE_Result crypto_acipher_alloc_x25519_keypair(struct montgomery_keypair *s, 212 size_t key_size_bits); 213 TEE_Result crypto_acipher_alloc_x448_keypair(struct montgomery_keypair *s, 214 size_t key_size_bits); 215 TEE_Result crypto_acipher_alloc_ed25519_keypair(struct ed25519_keypair *s, 216 size_t key_size_bits); 217 TEE_Result 218 crypto_acipher_alloc_ed25519_public_key(struct ed25519_public_key *key, 219 size_t key_size); 220 221 /* 222 * Key generation functions 223 */ 224 TEE_Result crypto_acipher_gen_rsa_key(struct rsa_keypair *key, size_t key_size); 225 TEE_Result crypto_acipher_gen_dsa_key(struct dsa_keypair *key, size_t key_size); 226 TEE_Result crypto_acipher_gen_dh_key(struct dh_keypair *key, struct bignum *q, 227 size_t xbits, size_t key_size); 228 TEE_Result crypto_acipher_gen_ecc_key(struct ecc_keypair *key, size_t key_size); 229 TEE_Result crypto_acipher_gen_x25519_key(struct montgomery_keypair *key, 230 size_t key_size); 231 TEE_Result crypto_acipher_gen_x448_key(struct montgomery_keypair *key, 232 size_t key_size); 233 TEE_Result crypto_acipher_gen_ed25519_key(struct ed25519_keypair *key, 234 size_t key_size); 235 TEE_Result crypto_acipher_ed25519_sign(struct ed25519_keypair *key, 236 const uint8_t *msg, size_t msg_len, 237 uint8_t *sig, size_t *sig_len); 238 TEE_Result crypto_acipher_ed25519ctx_sign(struct ed25519_keypair *key, 239 const uint8_t *msg, size_t msg_len, 240 uint8_t *sig, size_t *sig_len, 241 bool ph_flag, 242 const uint8_t *ctx, size_t ctxlen); 243 TEE_Result crypto_acipher_ed25519_verify(struct ed25519_public_key *key, 244 const uint8_t *msg, size_t msg_len, 245 const uint8_t *sig, size_t sig_len); 246 TEE_Result crypto_acipher_ed25519ctx_verify(struct ed25519_public_key *key, 247 const uint8_t *msg, size_t msg_len, 248 const uint8_t *sig, size_t sig_len, 249 bool ph_flag, 250 const uint8_t *ctx, size_t ctxlen); 251 252 TEE_Result crypto_acipher_dh_shared_secret(struct dh_keypair *private_key, 253 struct bignum *public_key, 254 struct bignum *secret); 255 256 TEE_Result crypto_acipher_rsanopad_decrypt(struct rsa_keypair *key, 257 const uint8_t *src, size_t src_len, 258 uint8_t *dst, size_t *dst_len); 259 TEE_Result crypto_acipher_rsanopad_encrypt(struct rsa_public_key *key, 260 const uint8_t *src, size_t src_len, 261 uint8_t *dst, size_t *dst_len); 262 TEE_Result crypto_acipher_rsaes_decrypt(uint32_t algo, struct rsa_keypair *key, 263 const uint8_t *label, size_t label_len, 264 uint32_t mgf_algo, 265 const uint8_t *src, size_t src_len, 266 uint8_t *dst, size_t *dst_len); 267 TEE_Result crypto_acipher_rsaes_encrypt(uint32_t algo, 268 struct rsa_public_key *key, 269 const uint8_t *label, size_t label_len, 270 uint32_t mgf_algo, 271 const uint8_t *src, size_t src_len, 272 uint8_t *dst, size_t *dst_len); 273 /* RSA SSA sign/verify: if salt_len == -1, use default value */ 274 TEE_Result crypto_acipher_rsassa_sign(uint32_t algo, struct rsa_keypair *key, 275 int salt_len, const uint8_t *msg, 276 size_t msg_len, uint8_t *sig, 277 size_t *sig_len); 278 TEE_Result crypto_acipher_rsassa_verify(uint32_t algo, 279 struct rsa_public_key *key, 280 int salt_len, const uint8_t *msg, 281 size_t msg_len, const uint8_t *sig, 282 size_t sig_len); 283 TEE_Result crypto_acipher_dsa_sign(uint32_t algo, struct dsa_keypair *key, 284 const uint8_t *msg, size_t msg_len, 285 uint8_t *sig, size_t *sig_len); 286 TEE_Result crypto_acipher_dsa_verify(uint32_t algo, struct dsa_public_key *key, 287 const uint8_t *msg, size_t msg_len, 288 const uint8_t *sig, size_t sig_len); 289 TEE_Result crypto_acipher_ecc_sign(uint32_t algo, struct ecc_keypair *key, 290 const uint8_t *msg, size_t msg_len, 291 uint8_t *sig, size_t *sig_len); 292 TEE_Result crypto_acipher_ecc_verify(uint32_t algo, struct ecc_public_key *key, 293 const uint8_t *msg, size_t msg_len, 294 const uint8_t *sig, size_t sig_len); 295 TEE_Result crypto_acipher_ecc_shared_secret(struct ecc_keypair *private_key, 296 struct ecc_public_key *public_key, 297 void *secret, 298 unsigned long *secret_len); 299 TEE_Result crypto_acipher_sm2_pke_decrypt(struct ecc_keypair *key, 300 const uint8_t *src, size_t src_len, 301 uint8_t *dst, size_t *dst_len); 302 TEE_Result crypto_acipher_sm2_pke_encrypt(struct ecc_public_key *key, 303 const uint8_t *src, size_t src_len, 304 uint8_t *dst, size_t *dst_len); 305 TEE_Result crypto_acipher_x25519_shared_secret(struct montgomery_keypair 306 *private_key, 307 void *public_key, void *secret, 308 unsigned long *secret_len); 309 TEE_Result crypto_acipher_x448_shared_secret(struct montgomery_keypair 310 *private_key, 311 void *public_key, void *secret, 312 unsigned long *secret_len); 313 314 struct sm2_kep_parms { 315 uint8_t *out; 316 size_t out_len; 317 bool is_initiator; 318 const uint8_t *initiator_id; 319 size_t initiator_id_len; 320 const uint8_t *responder_id; 321 size_t responder_id_len; 322 const uint8_t *conf_in; 323 size_t conf_in_len; 324 uint8_t *conf_out; 325 size_t conf_out_len; 326 }; 327 328 TEE_Result crypto_acipher_sm2_kep_derive(struct ecc_keypair *my_key, 329 struct ecc_keypair *my_eph_key, 330 struct ecc_public_key *peer_key, 331 struct ecc_public_key *peer_eph_key, 332 struct sm2_kep_parms *p); 333 334 /* 335 * Verifies a SHA-256 hash, doesn't require crypto_init() to be called in 336 * advance and has as few dependencies as possible. 337 * 338 * This function is primarily used by pager and early initialization code 339 * where the complete crypto library isn't available. 340 */ 341 TEE_Result hash_sha256_check(const uint8_t *hash, const uint8_t *data, 342 size_t data_size); 343 344 /* 345 * Computes a SHA-512/256 hash, vetted conditioner as per NIST.SP.800-90B. 346 * It doesn't require crypto_init() to be called in advance and has as few 347 * dependencies as possible. 348 * 349 * This function could be used inside interrupt context where the crypto 350 * library can't be used due to mutex handling. 351 */ 352 TEE_Result hash_sha512_256_compute(uint8_t *digest, const uint8_t *data, 353 size_t data_size); 354 355 #define CRYPTO_RNG_SRC_IS_QUICK(sid) (!!((sid) & 1)) 356 357 /* 358 * enum crypto_rng_src - RNG entropy source 359 * 360 * Identifiers for different RNG entropy sources. The lowest bit indicates 361 * if the source is to be merely queued (bit is 1) or if it's delivered 362 * directly to the pool. The difference is that in the latter case RPC to 363 * normal world can be performed and in the former it must not. 364 */ 365 enum crypto_rng_src { 366 CRYPTO_RNG_SRC_JITTER_SESSION = (0 << 1 | 0), 367 CRYPTO_RNG_SRC_JITTER_RPC = (1 << 1 | 1), 368 CRYPTO_RNG_SRC_NONSECURE = (1 << 1 | 0), 369 }; 370 371 /* 372 * crypto_rng_init() - initialize the RNG 373 * @data: buffer with initial seed 374 * @dlen: length of @data 375 */ 376 TEE_Result crypto_rng_init(const void *data, size_t dlen); 377 378 /* 379 * crypto_rng_add_event() - supply entropy to RNG from a source 380 * @sid: Source identifier, should be unique for a specific source 381 * @pnum: Pool number, acquired using crypto_rng_get_next_pool_num() 382 * @data: Data associated with the event 383 * @dlen: Length of @data 384 * 385 * @sid controls whether the event is merly queued in a ring buffer or if 386 * it's added to one of the pools directly. If CRYPTO_RNG_SRC_IS_QUICK() is 387 * true (lowest bit set) events are queue otherwise added to corresponding 388 * pool. If CRYPTO_RNG_SRC_IS_QUICK() is false, eventual queued events are 389 * added to their queues too. 390 */ 391 void crypto_rng_add_event(enum crypto_rng_src sid, unsigned int *pnum, 392 const void *data, size_t dlen); 393 394 /* 395 * crypto_rng_read() - read cryptograhically secure RNG 396 * @buf: Buffer to hold the data 397 * @len: Length of buffer. 398 * 399 * Eventual queued events are also added to their pools during this 400 * function call. 401 */ 402 TEE_Result crypto_rng_read(void *buf, size_t len); 403 404 /* 405 * crypto_aes_expand_enc_key() - Expand an AES key 406 * @key: AES key buffer 407 * @key_len: Size of the @key buffer in bytes 408 * @enc_key: Expanded AES encryption key buffer 409 * @enc_keylen: Size of the @enc_key buffer in bytes 410 * @rounds: Number of rounds to be used during encryption 411 */ 412 TEE_Result crypto_aes_expand_enc_key(const void *key, size_t key_len, 413 void *enc_key, size_t enc_keylen, 414 unsigned int *rounds); 415 416 /* 417 * crypto_aes_enc_block() - Encrypt an AES block 418 * @enc_key: Expanded AES encryption key 419 * @enc_keylen: Size of @enc_key in bytes 420 * @rounds: Number of rounds 421 * @src: Source buffer of one AES block (16 bytes) 422 * @dst: Destination buffer of one AES block (16 bytes) 423 */ 424 void crypto_aes_enc_block(const void *enc_key, size_t enc_keylen, 425 unsigned int rounds, const void *src, void *dst); 426 427 #endif /* __CRYPTO_CRYPTO_H */ 428