1 /* 2 * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <endian.h> 9 #include <errno.h> 10 11 #include <common/debug.h> 12 #include <drivers/auth/crypto_mod.h> 13 #include <drivers/io/io_storage.h> 14 #include <drivers/st/stm32_hash.h> 15 #include <drivers/st/stm32_pka.h> 16 #include <drivers/st/stm32_rng.h> 17 #include <drivers/st/stm32_saes.h> 18 #include <lib/utils.h> 19 #include <lib/xlat_tables/xlat_tables_v2.h> 20 #include <mbedtls/asn1.h> 21 #include <mbedtls/md.h> 22 #include <mbedtls/oid.h> 23 #include <mbedtls/platform.h> 24 #include <mbedtls/x509.h> 25 #include <plat/common/platform.h> 26 #include <tools_share/firmware_encrypted.h> 27 28 #include <platform_def.h> 29 30 #define CRYPTO_HASH_MAX_SIZE 32U 31 #define CRYPTO_SIGN_MAX_SIZE 64U 32 #define CRYPTO_PUBKEY_MAX_SIZE 64U 33 #define CRYPTO_MAX_TAG_SIZE 16U 34 35 /* brainpoolP256t1 OID is not defined in mbedTLS */ 36 #define OID_EC_GRP_BP256T1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x08" 37 38 #if STM32MP_CRYPTO_ROM_LIB 39 struct stm32mp_auth_ops { 40 uint32_t (*verify_signature)(uint8_t *hash_in, uint8_t *pubkey_in, 41 uint8_t *signature, uint32_t ecc_algo); 42 }; 43 44 static struct stm32mp_auth_ops auth_ops; 45 #endif 46 47 static void crypto_lib_init(void) 48 { 49 boot_api_context_t *boot_context __maybe_unused; 50 int ret; 51 52 NOTICE("TRUSTED_BOARD_BOOT support enabled\n"); 53 54 ret = stm32_hash_register(); 55 if (ret != 0) { 56 ERROR("HASH init (%d)\n", ret); 57 panic(); 58 } 59 60 if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_CLOSED) || 61 stm32mp_is_auth_supported()) { 62 #if STM32MP_CRYPTO_ROM_LIB 63 boot_context = (boot_api_context_t *)stm32mp_get_boot_ctx_address(); 64 auth_ops.verify_signature = boot_context->bootrom_ecdsa_verify_signature; 65 #else 66 /* Use hardware peripherals */ 67 if (stm32_rng_init() != 0) { 68 panic(); 69 } 70 71 if (stm32_saes_driver_init() != 0) { 72 panic(); 73 } 74 75 if (stm32_pka_init() != 0) { 76 panic(); 77 } 78 #endif 79 } 80 } 81 82 static int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk, 83 size_t *len, int *pk_alg) 84 { 85 int ret; 86 mbedtls_pk_context mbedtls_pk = {0}; 87 unsigned char *p, *end; 88 mbedtls_asn1_buf alg_params = {0}; 89 mbedtls_asn1_buf alg_oid = {0}; 90 91 *plain_pk = NULL; 92 *len = 0U; 93 94 /* Parse the public key */ 95 mbedtls_pk_init(&mbedtls_pk); 96 p = (unsigned char *)pk_ptr; 97 end = (unsigned char *)(p + pk_len); 98 99 ret = mbedtls_asn1_get_tag(&p, end, len, 100 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 101 if (ret != 0) { 102 return -EINVAL; 103 } 104 105 end = p + *len; 106 ret = mbedtls_asn1_get_alg(&p, end, &alg_oid, &alg_params); 107 if (ret != 0) { 108 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret); 109 return -EINVAL; 110 } 111 112 if (pk_alg != NULL) { 113 if ((strlen(MBEDTLS_OID_EC_GRP_SECP256R1) == alg_params.len) && 114 (memcmp(MBEDTLS_OID_EC_GRP_SECP256R1, alg_params.p, alg_params.len) == 0)) { 115 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_P256NIST; 116 } else if ((strlen(OID_EC_GRP_BP256T1) == alg_params.len) && 117 (memcmp(OID_EC_GRP_BP256T1, alg_params.p, alg_params.len) == 0)) { 118 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256; 119 } else { 120 ERROR("%s: Algorithm is not supported\n", __func__); 121 return -EINVAL; 122 } 123 } 124 125 ret = mbedtls_asn1_get_bitstring_null(&p, end, len); 126 if (ret != 0) { 127 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret); 128 return -EINVAL; 129 } 130 131 /* We remove the ident (0x04) first byte. */ 132 if ((*len < 1U) || (p[0] != MBEDTLS_ASN1_OCTET_STRING)) { 133 VERBOSE("%s: not expected len or tag\n", __func__); 134 return -EINVAL; 135 } 136 137 *len = *len - 1U; 138 *plain_pk = p + 1U; 139 140 return 0; 141 } 142 143 #if STM32MP_CRYPTO_ROM_LIB 144 uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in, 145 uint8_t *signature, uint32_t ecc_algo) 146 { 147 int ret; 148 149 ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE, 150 STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE); 151 if (ret != 0) { 152 VERBOSE("%s: mmap_add_dynamic_region (%d)\n", __func__, ret); 153 return CRYPTO_ERR_SIGNATURE; 154 } 155 156 ret = auth_ops.verify_signature(hash_in, pubkey_in, signature, ecc_algo); 157 158 if (ret != BOOT_API_RETURN_OK) { 159 VERBOSE("%s: auth_ops.verify_sign (%d)\n", __func__, ret); 160 ret = CRYPTO_ERR_SIGNATURE; 161 } else { 162 ret = 0; 163 } 164 165 mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED); 166 167 return ret; 168 } 169 170 static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, 171 void **hashed_pk_ptr, unsigned int *hashed_pk_len) 172 { 173 size_t len; 174 int ret; 175 176 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, hashed_pk_ptr, &len, NULL); 177 if (ret == 0) { 178 *hashed_pk_len = (unsigned int)len; 179 } 180 181 return ret; 182 } 183 #else /* STM32MP_CRYPTO_ROM_LIB*/ 184 static uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in, 185 uint8_t *signature, uint32_t ecc_algo) 186 { 187 int ret = -1; 188 enum stm32_pka_ecdsa_curve_id cid; 189 190 switch (ecc_algo) { 191 case BOOT_API_ECDSA_ALGO_TYPE_P256NIST: 192 #if PKA_USE_NIST_P256 193 cid = PKA_NIST_P256; 194 ret = 0; 195 #else 196 WARN("%s nist_p256 requested but not included\n", __func__); 197 #endif 198 break; 199 case BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256: 200 #if PKA_USE_BRAINPOOL_P256T1 201 cid = PKA_BRAINPOOL_P256T1; 202 ret = 0; 203 #else 204 WARN("%s brainpool_p256t1 requested but not included\n", __func__); 205 #endif 206 break; 207 default: 208 WARN("%s unexpected ecc_algo(%u)\n", __func__, ecc_algo); 209 break; 210 } 211 212 if (ret < 0) { 213 return CRYPTO_ERR_SIGNATURE; 214 } 215 216 ret = stm32_pka_ecdsa_verif(hash_in, 217 BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES, 218 signature, BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 219 signature + BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 220 BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 221 pubkey_in, BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, 222 pubkey_in + BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, 223 BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, cid); 224 if (ret < 0) { 225 return CRYPTO_ERR_SIGNATURE; 226 } 227 228 return 0; 229 } 230 231 static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, 232 void **hashed_pk_ptr, unsigned int *hashed_pk_len) 233 { 234 static uint8_t st_pk[CRYPTO_PUBKEY_MAX_SIZE + sizeof(uint32_t)]; 235 int ret; 236 void *plain_pk; 237 size_t len; 238 int curve_id; 239 uint32_t cid; 240 241 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, &plain_pk, &len, &curve_id); 242 if ((ret != 0) || (len > CRYPTO_PUBKEY_MAX_SIZE)) { 243 return -EINVAL; 244 } 245 246 cid = curve_id; /* we want value of curve_id (1 or 2) in a uint32_t */ 247 248 memcpy(st_pk, &cid, sizeof(cid)); 249 memcpy(st_pk + sizeof(cid), plain_pk, len); 250 251 *hashed_pk_ptr = st_pk; 252 *hashed_pk_len = (unsigned int)(len + sizeof(cid)); 253 254 return 0; 255 } 256 #endif /* STM32MP_CRYPTO_ROM_LIB */ 257 258 static int get_plain_digest_from_asn1(void *digest_ptr, unsigned int digest_len, 259 uint8_t **out, size_t *out_len, mbedtls_md_type_t *md_alg) 260 { 261 int ret; 262 mbedtls_asn1_buf hash_oid, params; 263 size_t len; 264 unsigned char *p, *end; 265 266 *out = NULL; 267 *out_len = 0U; 268 269 /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ 270 p = (unsigned char *)digest_ptr; 271 end = p + digest_len; 272 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 273 MBEDTLS_ASN1_SEQUENCE); 274 if (ret != 0) { 275 return ret; 276 } 277 278 /* Get the hash algorithm */ 279 ret = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); 280 if (ret != 0) { 281 return ret; 282 } 283 284 ret = mbedtls_oid_get_md_alg(&hash_oid, md_alg); 285 if (ret != 0) { 286 return ret; 287 } 288 289 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); 290 if (ret != 0) { 291 return ret; 292 } 293 294 /* Length of hash must match the algorithm's size */ 295 if (len != BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES) { 296 return -1; 297 } 298 299 *out = p; 300 *out_len = len; 301 302 return 0; 303 } 304 305 static int crypto_verify_signature(void *data_ptr, unsigned int data_len, 306 void *sig_ptr, unsigned int sig_len, 307 void *sig_alg, unsigned int sig_alg_len, 308 void *pk_ptr, unsigned int pk_len) 309 { 310 uint8_t image_hash[CRYPTO_HASH_MAX_SIZE] = {0}; 311 uint8_t sig[CRYPTO_SIGN_MAX_SIZE]; 312 uint8_t my_pk[CRYPTO_PUBKEY_MAX_SIZE]; 313 int ret; 314 size_t len; 315 mbedtls_asn1_sequence seq; 316 mbedtls_asn1_sequence *cur; 317 unsigned char *p, *end; 318 int curve_id; 319 mbedtls_asn1_buf sig_oid, sig_params; 320 mbedtls_md_type_t md_alg; 321 mbedtls_pk_type_t pk_alg; 322 size_t bignum_len = sizeof(sig) / 2U; 323 unsigned int seq_num = 0U; 324 325 if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_OPEN) && 326 !stm32mp_is_auth_supported()) { 327 return CRYPTO_SUCCESS; 328 } 329 330 /* Get pointers to signature OID and parameters */ 331 p = (unsigned char *)sig_alg; 332 end = (unsigned char *)(p + sig_alg_len); 333 ret = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params); 334 if (ret != 0) { 335 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret); 336 return CRYPTO_ERR_SIGNATURE; 337 } 338 339 /* Get the actual signature algorithm (MD + PK) */ 340 ret = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); 341 if (ret != 0) { 342 VERBOSE("%s: mbedtls_oid_get_sig_alg (%d)\n", __func__, ret); 343 return CRYPTO_ERR_SIGNATURE; 344 } 345 346 if ((md_alg != MBEDTLS_MD_SHA256) || (pk_alg != MBEDTLS_PK_ECDSA)) { 347 VERBOSE("%s: md_alg=%u pk_alg=%u\n", __func__, md_alg, pk_alg); 348 return CRYPTO_ERR_SIGNATURE; 349 } 350 351 ret = get_plain_pk_from_asn1(pk_ptr, pk_len, &pk_ptr, &len, &curve_id); 352 if (ret != 0) { 353 VERBOSE("%s: get_plain_pk_from_asn1 (%d)\n", __func__, ret); 354 return CRYPTO_ERR_SIGNATURE; 355 } 356 357 /* We expect a known pk_len */ 358 if (len != sizeof(my_pk)) { 359 VERBOSE("%s: pk_len=%zu sizeof(my_pk)=%zu)\n", __func__, len, sizeof(my_pk)); 360 return CRYPTO_ERR_SIGNATURE; 361 } 362 363 /* Need to copy as auth_ops.verify_signature 364 * expects aligned public key. 365 */ 366 memcpy(my_pk, pk_ptr, sizeof(my_pk)); 367 368 /* Get the signature (bitstring) */ 369 p = (unsigned char *)sig_ptr; 370 end = (unsigned char *)(p + sig_len); 371 ret = mbedtls_asn1_get_bitstring_null(&p, end, &len); 372 if (ret != 0) { 373 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret); 374 return CRYPTO_ERR_SIGNATURE; 375 } 376 377 /* Get r and s from sequence */ 378 ret = mbedtls_asn1_get_sequence_of(&p, end, &seq, MBEDTLS_ASN1_INTEGER); 379 if (ret != 0) { 380 VERBOSE("%s: mbedtls_asn1_get_sequence_of (%d)\n", __func__, ret); 381 return CRYPTO_ERR_SIGNATURE; 382 } 383 384 /* We expect only 2 integers (r and s) from the sequence */ 385 if (seq.next->next != NULL) { 386 cur = seq.next; 387 mbedtls_asn1_sequence *next; 388 389 VERBOSE("%s: nb seq != 2\n", __func__); 390 /* Free all the sequences */ 391 while (cur != NULL) { 392 next = cur->next; 393 mbedtls_free(cur); 394 cur = next; 395 } 396 397 return CRYPTO_ERR_SIGNATURE; 398 } 399 400 /* 401 * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n. 402 * This means that the R and S can have a maximum of 32 each, but can also be smaller. 403 * Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only 404 * manage exactly 2*32 bytes, we remove this higher byte if there are not 00, 405 * we will fail either. 406 */ 407 cur = &seq; 408 memset(sig, 0U, sizeof(sig)); 409 410 while (cur != NULL) { 411 size_t skip = 0U; 412 size_t seek = seq_num * bignum_len; 413 414 if (cur->buf.len > bignum_len) { 415 /* Remove extra 0x00 bytes */ 416 skip = cur->buf.len - bignum_len; 417 } else if (cur->buf.len < bignum_len) { 418 /* Add padding to match HW required size */ 419 seek += (bignum_len % cur->buf.len); 420 } 421 422 if (seek + cur->buf.len > sizeof(sig) + skip) { 423 panic(); 424 } 425 426 memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip); 427 cur = cur->next; 428 seq_num++; 429 } 430 431 /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */ 432 mbedtls_free(seq.next); 433 434 /* Compute hash for the data covered by the signature */ 435 stm32_hash_init(HASH_SHA256); 436 437 ret = stm32_hash_final_update((uint8_t *)data_ptr, data_len, image_hash); 438 if (ret != 0) { 439 VERBOSE("%s: stm32_hash_final_update (%d)\n", __func__, ret); 440 return CRYPTO_ERR_SIGNATURE; 441 } 442 443 return verify_signature(image_hash, my_pk, sig, curve_id); 444 } 445 446 static int crypto_verify_hash(void *data_ptr, unsigned int data_len, 447 void *digest_info_ptr, 448 unsigned int digest_info_len) 449 { 450 int ret; 451 uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES]; 452 unsigned char *p; 453 mbedtls_md_type_t md_alg; 454 size_t len; 455 456 /* we receive an asn1 encapsulated digest, we flatten it */ 457 ret = get_plain_digest_from_asn1(digest_info_ptr, 458 digest_info_len, &p, &len, 459 &md_alg); 460 if ((ret != 0) || (md_alg != MBEDTLS_MD_SHA256) || (len != sizeof(calc_hash))) { 461 return CRYPTO_ERR_HASH; 462 } 463 464 digest_info_ptr = p; 465 digest_info_len = len; 466 467 stm32_hash_init(HASH_SHA256); 468 469 ret = stm32_hash_final_update(data_ptr, data_len, calc_hash); 470 if (ret != 0) { 471 VERBOSE("%s: hash failed\n", __func__); 472 return CRYPTO_ERR_HASH; 473 } 474 475 ret = memcmp(calc_hash, digest_info_ptr, digest_info_len); 476 if (ret != 0) { 477 VERBOSE("%s: not expected digest\n", __func__); 478 ret = CRYPTO_ERR_HASH; 479 } 480 481 return ret; 482 } 483 484 #if !defined(DECRYPTION_SUPPORT_none) 485 static int derive_key(uint8_t *key, size_t *key_len, size_t len, 486 unsigned int *flags, const uint8_t *img_id, size_t img_id_len) 487 { 488 size_t i, j; 489 490 assert(*key_len >= 32U); 491 492 /* 493 * Not a real derivation yet 494 * 495 * We expect a 32 bytes key, if OTP is only 16 bytes 496 * => duplicate. 497 */ 498 for (i = 0U, j = len; j < 32U; 499 i += sizeof(uint32_t), j += sizeof(uint32_t)) { 500 memcpy(key + j, key + i, sizeof(uint32_t)); 501 } 502 503 *key_len = 32U; 504 /* Variable 'key' store a real key */ 505 *flags = 0U; 506 507 return 0; 508 } 509 510 int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key, 511 size_t *key_len, unsigned int *flags, 512 const uint8_t *img_id, size_t img_id_len) 513 { 514 uint32_t otp_idx; 515 uint32_t otp_len; 516 size_t read_len; 517 size_t i; 518 519 if (fw_enc_status == FW_ENC_WITH_BSSK) { 520 return -EINVAL; 521 } 522 523 if (stm32_get_otp_index(ENCKEY_OTP, &otp_idx, &otp_len) != 0) { 524 VERBOSE("%s: get %s index error\n", __func__, ENCKEY_OTP); 525 return -EINVAL; 526 } 527 528 if (otp_len > (*key_len * CHAR_BIT)) { 529 VERBOSE("%s: length Error otp_len=%u key_len=%zu\n", __func__, 530 otp_len, *key_len * CHAR_BIT); 531 return -EINVAL; 532 } 533 534 read_len = otp_len / CHAR_BIT; 535 assert(read_len % sizeof(uint32_t) == 0); 536 537 for (i = 0U; i < read_len / sizeof(uint32_t); i++) { 538 uint32_t tmp; 539 uint32_t otp_val; 540 541 if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) { 542 zeromem(key, *key_len); 543 VERBOSE("%s: unable to read from otp\n", __func__); 544 return -EINVAL; 545 } 546 547 tmp = bswap32(otp_val); 548 memcpy(key + i * sizeof(uint32_t), &tmp, sizeof(tmp)); 549 } 550 551 /* Now we have the OTP values in key till read_len */ 552 553 if (derive_key(key, key_len, read_len, flags, img_id, 554 img_id_len) != 0) { 555 zeromem(key, *key_len); 556 return -EINVAL; 557 } 558 559 return 0; 560 } 561 562 static enum stm32_saes_key_selection select_key(unsigned int key_flags) 563 { 564 if ((key_flags & ENC_KEY_IS_IDENTIFIER) != 0U) { 565 panic(); 566 } 567 568 /* Use the provided key buffer */ 569 return STM32_SAES_KEY_SOFT; 570 } 571 572 static int stm32_decrypt_aes_gcm(void *data, size_t data_len, 573 const void *key, unsigned int key_len, 574 unsigned int key_flags, 575 const void *iv, unsigned int iv_len, 576 const void *tag, unsigned int tag_len) 577 { 578 int ret; 579 struct stm32_saes_context ctx; 580 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE]; 581 enum stm32_saes_key_selection key_mode; 582 unsigned int diff = 0U; 583 unsigned int i; 584 585 key_mode = select_key(key_flags); 586 587 ret = stm32_saes_init(&ctx, true, STM32_SAES_MODE_GCM, key_mode, key, 588 key_len, iv, iv_len); 589 if (ret != 0) { 590 return CRYPTO_ERR_INIT; 591 } 592 593 ret = stm32_saes_update_assodata(&ctx, true, NULL, 0U); 594 if (ret != 0) { 595 return CRYPTO_ERR_DECRYPTION; 596 } 597 598 ret = stm32_saes_update_load(&ctx, true, data, data, data_len); 599 if (ret != 0) { 600 return CRYPTO_ERR_DECRYPTION; 601 } 602 603 ret = stm32_saes_final(&ctx, tag_buf, sizeof(tag_buf)); 604 if (ret != 0) { 605 return CRYPTO_ERR_DECRYPTION; 606 } 607 608 /* Check tag in "constant-time" */ 609 for (i = 0U; i < tag_len; i++) { 610 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i]; 611 } 612 613 if (diff != 0U) { 614 return CRYPTO_ERR_DECRYPTION; 615 } 616 617 return CRYPTO_SUCCESS; 618 } 619 620 /* 621 * Authenticated decryption of an image 622 * 623 */ 624 static int crypto_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len, 625 const void *key, unsigned int key_len, unsigned int key_flags, 626 const void *iv, unsigned int iv_len, const void *tag, 627 unsigned int tag_len) 628 { 629 int rc = -1; 630 uint32_t real_iv[4]; 631 632 switch (dec_algo) { 633 case CRYPTO_GCM_DECRYPT: 634 /* 635 * GCM expect a Nonce 636 * The AES IV is the nonce (a uint32_t[3]) 637 * then a counter (a uint32_t big endian) 638 * The counter starts at 2. 639 */ 640 memcpy(real_iv, iv, iv_len); 641 real_iv[3] = htobe32(0x2U); 642 643 rc = stm32_decrypt_aes_gcm(data_ptr, len, key, key_len, key_flags, 644 real_iv, sizeof(real_iv), tag, tag_len); 645 break; 646 default: 647 rc = CRYPTO_ERR_DECRYPTION; 648 break; 649 } 650 651 if (rc != 0) { 652 return rc; 653 } 654 655 return CRYPTO_SUCCESS; 656 } 657 658 REGISTER_CRYPTO_LIB("stm32_crypto_lib", 659 crypto_lib_init, 660 crypto_verify_signature, 661 crypto_verify_hash, 662 NULL, 663 crypto_auth_decrypt, 664 crypto_convert_pk); 665 666 #else /* No decryption support */ 667 REGISTER_CRYPTO_LIB("stm32_crypto_lib", 668 crypto_lib_init, 669 crypto_verify_signature, 670 crypto_verify_hash, 671 NULL, 672 NULL, 673 crypto_convert_pk); 674 #endif 675