1 /* 2 * Copyright (c) 2022, STMicroelectronics - All Rights Reserved 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <endian.h> 9 #include <errno.h> 10 11 #include <common/debug.h> 12 #include <drivers/auth/crypto_mod.h> 13 #include <drivers/io/io_storage.h> 14 #include <drivers/st/bsec.h> 15 #include <drivers/st/stm32_hash.h> 16 #include <drivers/st/stm32_pka.h> 17 #include <drivers/st/stm32_rng.h> 18 #include <drivers/st/stm32_saes.h> 19 #include <lib/xlat_tables/xlat_tables_v2.h> 20 #include <mbedtls/asn1.h> 21 #include <mbedtls/md.h> 22 #include <mbedtls/oid.h> 23 #include <mbedtls/platform.h> 24 #include <mbedtls/x509.h> 25 #include <plat/common/platform.h> 26 #include <tools_share/firmware_encrypted.h> 27 28 #include <platform_def.h> 29 30 #define CRYPTO_HASH_MAX_SIZE 32U 31 #define CRYPTO_SIGN_MAX_SIZE 64U 32 #define CRYPTO_PUBKEY_MAX_SIZE 64U 33 #define CRYPTO_MAX_TAG_SIZE 16U 34 35 /* brainpoolP256t1 OID is not defined in mbedTLS */ 36 #define OID_EC_GRP_BP256T1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x08" 37 38 #if STM32MP_CRYPTO_ROM_LIB 39 struct stm32mp_auth_ops { 40 uint32_t (*verify_signature)(uint8_t *hash_in, uint8_t *pubkey_in, 41 uint8_t *signature, uint32_t ecc_algo); 42 }; 43 44 static struct stm32mp_auth_ops auth_ops; 45 #endif 46 47 static void crypto_lib_init(void) 48 { 49 boot_api_context_t *boot_context __maybe_unused; 50 int ret; 51 52 NOTICE("TRUSTED_BOARD_BOOT support enabled\n"); 53 54 ret = stm32_hash_register(); 55 if (ret != 0) { 56 ERROR("HASH init (%d)\n", ret); 57 panic(); 58 } 59 60 if (stm32mp_is_closed_device() || stm32mp_is_auth_supported()) { 61 #if STM32MP_CRYPTO_ROM_LIB 62 boot_context = (boot_api_context_t *)stm32mp_get_boot_ctx_address(); 63 auth_ops.verify_signature = boot_context->bootrom_ecdsa_verify_signature; 64 #else 65 /* Use hardware peripherals */ 66 if (stm32_rng_init() != 0) { 67 panic(); 68 } 69 70 if (stm32_saes_driver_init() != 0) { 71 panic(); 72 } 73 74 if (stm32_pka_init() != 0) { 75 panic(); 76 } 77 #endif 78 } 79 } 80 81 int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk, 82 unsigned int *len, int *pk_alg) 83 { 84 int ret; 85 mbedtls_pk_context mbedtls_pk = {0}; 86 unsigned char *p, *end; 87 mbedtls_asn1_buf alg_params = {0}; 88 mbedtls_asn1_buf alg_oid = {0}; 89 90 *plain_pk = NULL; 91 *len = 0U; 92 93 /* Parse the public key */ 94 mbedtls_pk_init(&mbedtls_pk); 95 p = (unsigned char *)pk_ptr; 96 end = (unsigned char *)(p + pk_len); 97 98 ret = mbedtls_asn1_get_tag(&p, end, len, 99 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 100 if (ret != 0) { 101 return -EINVAL; 102 } 103 104 end = p + *len; 105 ret = mbedtls_asn1_get_alg(&p, end, &alg_oid, &alg_params); 106 if (ret != 0) { 107 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret); 108 return -EINVAL; 109 } 110 111 if (pk_alg != NULL) { 112 if ((strlen(MBEDTLS_OID_EC_GRP_SECP256R1) == alg_params.len) && 113 (memcmp(MBEDTLS_OID_EC_GRP_SECP256R1, alg_params.p, alg_params.len) == 0)) { 114 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_P256NIST; 115 } else if ((strlen(OID_EC_GRP_BP256T1) == alg_params.len) && 116 (memcmp(OID_EC_GRP_BP256T1, alg_params.p, alg_params.len) == 0)) { 117 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256; 118 } else { 119 ERROR("%s: Algorithm is not supported\n", __func__); 120 return -EINVAL; 121 } 122 } 123 124 ret = mbedtls_asn1_get_bitstring_null(&p, end, len); 125 if (ret != 0) { 126 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret); 127 return -EINVAL; 128 } 129 130 /* We remove the ident (0x04) first byte. */ 131 if ((*len < 1U) || (p[0] != MBEDTLS_ASN1_OCTET_STRING)) { 132 VERBOSE("%s: not expected len or tag\n", __func__); 133 return -EINVAL; 134 } 135 136 *len = *len - 1U; 137 *plain_pk = p + 1U; 138 139 return 0; 140 } 141 142 #if STM32MP_CRYPTO_ROM_LIB 143 uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in, 144 uint8_t *signature, uint32_t ecc_algo) 145 { 146 int ret; 147 148 ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE, 149 STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE); 150 if (ret != 0) { 151 VERBOSE("%s: mmap_add_dynamic_region (%d)\n", __func__, ret); 152 return CRYPTO_ERR_SIGNATURE; 153 } 154 155 ret = auth_ops.verify_signature(hash_in, pubkey_in, signature, ecc_algo); 156 157 if (ret != BOOT_API_RETURN_OK) { 158 VERBOSE("%s: auth_ops.verify_sign (%d)\n", __func__, ret); 159 ret = CRYPTO_ERR_SIGNATURE; 160 } else { 161 ret = 0; 162 } 163 164 mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED); 165 166 return ret; 167 } 168 169 int plat_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, 170 void **hashed_pk_ptr, unsigned int *hashed_pk_len) 171 { 172 return get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, hashed_pk_ptr, hashed_pk_len, NULL); 173 } 174 #else /* STM32MP_CRYPTO_ROM_LIB*/ 175 static uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in, 176 uint8_t *signature, uint32_t ecc_algo) 177 { 178 int ret = -1; 179 enum stm32_pka_ecdsa_curve_id cid; 180 181 switch (ecc_algo) { 182 case BOOT_API_ECDSA_ALGO_TYPE_P256NIST: 183 #if PKA_USE_NIST_P256 184 cid = PKA_NIST_P256; 185 ret = 0; 186 #else 187 WARN("%s nist_p256 requested but not included\n", __func__); 188 #endif 189 break; 190 case BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256: 191 #if PKA_USE_BRAINPOOL_P256T1 192 cid = PKA_BRAINPOOL_P256T1; 193 ret = 0; 194 #else 195 WARN("%s brainpool_p256t1 requested but not included\n", __func__); 196 #endif 197 break; 198 default: 199 WARN("%s unexpected ecc_algo(%u)\n", __func__, ecc_algo); 200 break; 201 } 202 203 if (ret < 0) { 204 return CRYPTO_ERR_SIGNATURE; 205 } 206 207 ret = stm32_pka_ecdsa_verif(hash_in, 208 BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES, 209 signature, BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 210 signature + BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 211 BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 212 pubkey_in, BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, 213 pubkey_in + BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, 214 BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, cid); 215 if (ret < 0) { 216 return CRYPTO_ERR_SIGNATURE; 217 } 218 219 return 0; 220 } 221 222 int plat_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, 223 void **hashed_pk_ptr, unsigned int *hashed_pk_len) 224 { 225 static uint8_t st_pk[CRYPTO_PUBKEY_MAX_SIZE + sizeof(uint32_t)]; 226 int ret; 227 void *plain_pk; 228 unsigned int len; 229 int curve_id; 230 uint32_t cid; 231 232 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, &plain_pk, &len, &curve_id); 233 if ((ret != 0) || (len > CRYPTO_PUBKEY_MAX_SIZE)) { 234 return -EINVAL; 235 } 236 237 cid = curve_id; /* we want value of curve_id (1 or 2) in a uint32_t */ 238 239 memcpy(st_pk, &cid, sizeof(cid)); 240 memcpy(st_pk + sizeof(cid), plain_pk, len); 241 242 *hashed_pk_ptr = st_pk; 243 *hashed_pk_len = len + sizeof(cid); 244 245 return 0; 246 } 247 #endif /* STM32MP_CRYPTO_ROM_LIB */ 248 249 static int get_plain_digest_from_asn1(void *digest_ptr, unsigned int digest_len, 250 uint8_t **out, size_t *out_len, mbedtls_md_type_t *md_alg) 251 { 252 int ret; 253 mbedtls_asn1_buf hash_oid, params; 254 size_t len; 255 unsigned char *p, *end; 256 257 *out = NULL; 258 *out_len = 0U; 259 260 /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ 261 p = (unsigned char *)digest_ptr; 262 end = p + digest_len; 263 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 264 MBEDTLS_ASN1_SEQUENCE); 265 if (ret != 0) { 266 return ret; 267 } 268 269 /* Get the hash algorithm */ 270 ret = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); 271 if (ret != 0) { 272 return ret; 273 } 274 275 ret = mbedtls_oid_get_md_alg(&hash_oid, md_alg); 276 if (ret != 0) { 277 return ret; 278 } 279 280 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); 281 if (ret != 0) { 282 return ret; 283 } 284 285 /* Length of hash must match the algorithm's size */ 286 if (len != BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES) { 287 return -1; 288 } 289 290 *out = p; 291 *out_len = len; 292 293 return 0; 294 } 295 296 static int crypto_verify_signature(void *data_ptr, unsigned int data_len, 297 void *sig_ptr, unsigned int sig_len, 298 void *sig_alg, unsigned int sig_alg_len, 299 void *pk_ptr, unsigned int pk_len) 300 { 301 uint8_t image_hash[CRYPTO_HASH_MAX_SIZE] = {0}; 302 uint8_t sig[CRYPTO_SIGN_MAX_SIZE]; 303 uint8_t my_pk[CRYPTO_PUBKEY_MAX_SIZE]; 304 int ret; 305 size_t len; 306 mbedtls_asn1_sequence seq; 307 mbedtls_asn1_sequence *cur; 308 unsigned char *p, *end; 309 int curve_id; 310 mbedtls_asn1_buf sig_oid, sig_params; 311 mbedtls_md_type_t md_alg; 312 mbedtls_pk_type_t pk_alg; 313 size_t bignum_len = sizeof(sig) / 2U; 314 unsigned int seq_num = 0U; 315 316 if (!stm32mp_is_closed_device() && !stm32mp_is_auth_supported()) { 317 return CRYPTO_SUCCESS; 318 } 319 320 /* Get pointers to signature OID and parameters */ 321 p = (unsigned char *)sig_alg; 322 end = (unsigned char *)(p + sig_alg_len); 323 ret = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params); 324 if (ret != 0) { 325 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret); 326 return CRYPTO_ERR_SIGNATURE; 327 } 328 329 /* Get the actual signature algorithm (MD + PK) */ 330 ret = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); 331 if (ret != 0) { 332 VERBOSE("%s: mbedtls_oid_get_sig_alg (%d)\n", __func__, ret); 333 return CRYPTO_ERR_SIGNATURE; 334 } 335 336 if ((md_alg != MBEDTLS_MD_SHA256) || (pk_alg != MBEDTLS_PK_ECDSA)) { 337 VERBOSE("%s: md_alg=%u pk_alg=%u\n", __func__, md_alg, pk_alg); 338 return CRYPTO_ERR_SIGNATURE; 339 } 340 341 ret = get_plain_pk_from_asn1(pk_ptr, pk_len, &pk_ptr, &pk_len, &curve_id); 342 if (ret != 0) { 343 VERBOSE("%s: get_plain_pk_from_asn1 (%d)\n", __func__, ret); 344 return CRYPTO_ERR_SIGNATURE; 345 } 346 347 /* We expect a known pk_len */ 348 if (pk_len != sizeof(my_pk)) { 349 VERBOSE("%s: pk_len=%u sizeof(my_pk)=%zu)\n", __func__, pk_len, sizeof(my_pk)); 350 return CRYPTO_ERR_SIGNATURE; 351 } 352 353 /* Need to copy as auth_ops.verify_signature 354 * expects aligned public key. 355 */ 356 memcpy(my_pk, pk_ptr, sizeof(my_pk)); 357 358 /* Get the signature (bitstring) */ 359 p = (unsigned char *)sig_ptr; 360 end = (unsigned char *)(p + sig_len); 361 ret = mbedtls_asn1_get_bitstring_null(&p, end, &len); 362 if (ret != 0) { 363 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret); 364 return CRYPTO_ERR_SIGNATURE; 365 } 366 367 /* Get r and s from sequence */ 368 ret = mbedtls_asn1_get_sequence_of(&p, end, &seq, MBEDTLS_ASN1_INTEGER); 369 if (ret != 0) { 370 VERBOSE("%s: mbedtls_asn1_get_sequence_of (%d)\n", __func__, ret); 371 return CRYPTO_ERR_SIGNATURE; 372 } 373 374 /* We expect only 2 integers (r and s) from the sequence */ 375 if (seq.next->next != NULL) { 376 cur = seq.next; 377 mbedtls_asn1_sequence *next; 378 379 VERBOSE("%s: nb seq != 2\n", __func__); 380 /* Free all the sequences */ 381 while (cur != NULL) { 382 next = cur->next; 383 mbedtls_free(cur); 384 cur = next; 385 } 386 387 return CRYPTO_ERR_SIGNATURE; 388 } 389 390 /* 391 * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n. 392 * This means that the R and S can have a maximum of 32 each, but can also be smaller. 393 * Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only 394 * manage exactly 2*32 bytes, we remove this higher byte if there are not 00, 395 * we will fail either. 396 */ 397 cur = &seq; 398 memset(sig, 0U, sizeof(sig)); 399 400 while (cur != NULL) { 401 size_t skip = 0U; 402 size_t seek = seq_num * bignum_len; 403 404 if (cur->buf.len > bignum_len) { 405 /* Remove extra 0x00 bytes */ 406 skip = cur->buf.len - bignum_len; 407 } else if (cur->buf.len < bignum_len) { 408 /* Add padding to match HW required size */ 409 seek += (bignum_len % cur->buf.len); 410 } 411 412 if (seek + cur->buf.len > sizeof(sig) + skip) { 413 panic(); 414 } 415 416 memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip); 417 cur = cur->next; 418 seq_num++; 419 } 420 421 /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */ 422 mbedtls_free(seq.next); 423 424 /* Compute hash for the data covered by the signature */ 425 stm32_hash_init(HASH_SHA256); 426 427 ret = stm32_hash_final_update((uint8_t *)data_ptr, data_len, image_hash); 428 if (ret != 0) { 429 VERBOSE("%s: stm32_hash_final_update (%d)\n", __func__, ret); 430 return CRYPTO_ERR_SIGNATURE; 431 } 432 433 return verify_signature(image_hash, my_pk, sig, curve_id); 434 } 435 436 static int crypto_verify_hash(void *data_ptr, unsigned int data_len, 437 void *digest_info_ptr, 438 unsigned int digest_info_len) 439 { 440 int ret; 441 uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES]; 442 unsigned char *p; 443 mbedtls_md_type_t md_alg; 444 size_t len; 445 446 /* we receive an asn1 encapsulated digest, we flatten it */ 447 ret = get_plain_digest_from_asn1(digest_info_ptr, 448 digest_info_len, &p, &len, 449 &md_alg); 450 if ((ret != 0) || (md_alg != MBEDTLS_MD_SHA256) || (len != sizeof(calc_hash))) { 451 return CRYPTO_ERR_HASH; 452 } 453 454 digest_info_ptr = p; 455 digest_info_len = len; 456 457 stm32_hash_init(HASH_SHA256); 458 459 ret = stm32_hash_final_update(data_ptr, data_len, calc_hash); 460 if (ret != 0) { 461 VERBOSE("%s: hash failed\n", __func__); 462 return CRYPTO_ERR_HASH; 463 } 464 465 ret = memcmp(calc_hash, digest_info_ptr, digest_info_len); 466 if (ret != 0) { 467 VERBOSE("%s: not expected digest\n", __func__); 468 ret = CRYPTO_ERR_HASH; 469 } 470 471 return ret; 472 } 473 474 #if !defined(DECRYPTION_SUPPORT_none) 475 static int derive_key(uint8_t *key, size_t *key_len, size_t len, 476 unsigned int *flags, const uint8_t *img_id, size_t img_id_len) 477 { 478 size_t i, j; 479 480 assert(*key_len >= 32U); 481 482 /* 483 * Not a real derivation yet 484 * 485 * But we expect a 32 bytes key, and OTP is only 16 bytes 486 * => duplicate. 487 */ 488 for (i = 0U, j = len; j < 32U; 489 i += sizeof(uint32_t), j += sizeof(uint32_t)) { 490 memcpy(key + j, key + i, sizeof(uint32_t)); 491 } 492 493 *key_len = 32U; 494 /* Variable 'key' store a real key */ 495 *flags = 0U; 496 497 return 0; 498 } 499 500 int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key, 501 size_t *key_len, unsigned int *flags, 502 const uint8_t *img_id, size_t img_id_len) 503 { 504 uint32_t otp_idx; 505 uint32_t otp_len; 506 size_t read_len; 507 size_t i; 508 509 if (fw_enc_status == FW_ENC_WITH_BSSK) { 510 return -EINVAL; 511 } 512 513 if (stm32_get_otp_index(ENCKEY_OTP, &otp_idx, &otp_len) != 0) { 514 VERBOSE("%s: get %s index error\n", __func__, ENCKEY_OTP); 515 return -EINVAL; 516 } 517 518 if (otp_len > (*key_len * CHAR_BIT)) { 519 VERBOSE("%s: length Error otp_len=%u key_len=%u\n", __func__, 520 otp_len, *key_len * CHAR_BIT); 521 return -EINVAL; 522 } 523 524 read_len = otp_len / CHAR_BIT; 525 assert(read_len % sizeof(uint32_t) == 0); 526 527 for (i = 0U; i < read_len / sizeof(uint32_t); i++) { 528 uint32_t tmp; 529 uint32_t otp_val; 530 531 if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) { 532 zeromem(key, *key_len); 533 VERBOSE("%s: unable to read from otp\n", __func__); 534 return -EINVAL; 535 } 536 537 tmp = bswap32(otp_val); 538 memcpy(key + i * sizeof(uint32_t), &tmp, sizeof(tmp)); 539 } 540 541 /* Now we have the OTP values in key till read_len */ 542 543 if (derive_key(key, key_len, read_len, flags, img_id, 544 img_id_len) != 0) { 545 zeromem(key, *key_len); 546 return -EINVAL; 547 } 548 549 return 0; 550 } 551 552 static enum stm32_saes_key_selection select_key(unsigned int key_flags) 553 { 554 if ((key_flags & ENC_KEY_IS_IDENTIFIER) != 0U) { 555 panic(); 556 } 557 558 /* Use the provided key buffer */ 559 return STM32_SAES_KEY_SOFT; 560 } 561 562 static int stm32_decrypt_aes_gcm(void *data, size_t data_len, 563 const void *key, unsigned int key_len, 564 unsigned int key_flags, 565 const void *iv, unsigned int iv_len, 566 const void *tag, unsigned int tag_len) 567 { 568 int ret; 569 struct stm32_saes_context ctx; 570 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE]; 571 enum stm32_saes_key_selection key_mode; 572 unsigned int diff = 0U; 573 unsigned int i; 574 575 key_mode = select_key(key_flags); 576 577 ret = stm32_saes_init(&ctx, true, STM32_SAES_MODE_GCM, key_mode, key, 578 key_len, iv, iv_len); 579 if (ret != 0) { 580 return CRYPTO_ERR_INIT; 581 } 582 583 ret = stm32_saes_update_assodata(&ctx, true, NULL, 0U); 584 if (ret != 0) { 585 return CRYPTO_ERR_DECRYPTION; 586 } 587 588 ret = stm32_saes_update_load(&ctx, true, data, data, data_len); 589 if (ret != 0) { 590 return CRYPTO_ERR_DECRYPTION; 591 } 592 593 ret = stm32_saes_final(&ctx, tag_buf, sizeof(tag_buf)); 594 if (ret != 0) { 595 return CRYPTO_ERR_DECRYPTION; 596 } 597 598 /* Check tag in "constant-time" */ 599 for (i = 0U; i < tag_len; i++) { 600 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i]; 601 } 602 603 if (diff != 0U) { 604 return CRYPTO_ERR_DECRYPTION; 605 } 606 607 return CRYPTO_SUCCESS; 608 } 609 610 /* 611 * Authenticated decryption of an image 612 * 613 */ 614 static int crypto_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len, 615 const void *key, unsigned int key_len, unsigned int key_flags, 616 const void *iv, unsigned int iv_len, const void *tag, 617 unsigned int tag_len) 618 { 619 int rc = -1; 620 uint32_t real_iv[4]; 621 622 switch (dec_algo) { 623 case CRYPTO_GCM_DECRYPT: 624 /* 625 * GCM expect a Nonce 626 * The AES IV is the nonce (a uint32_t[3]) 627 * then a counter (a uint32_t big endian) 628 * The counter starts at 2. 629 */ 630 memcpy(real_iv, iv, iv_len); 631 real_iv[3] = htobe32(0x2U); 632 633 rc = stm32_decrypt_aes_gcm(data_ptr, len, key, key_len, key_flags, 634 real_iv, sizeof(real_iv), tag, tag_len); 635 break; 636 default: 637 rc = CRYPTO_ERR_DECRYPTION; 638 break; 639 } 640 641 if (rc != 0) { 642 return rc; 643 } 644 645 return CRYPTO_SUCCESS; 646 } 647 648 REGISTER_CRYPTO_LIB("stm32_crypto_lib", 649 crypto_lib_init, 650 crypto_verify_signature, 651 crypto_verify_hash, 652 crypto_auth_decrypt); 653 654 #else /* No decryption support */ 655 REGISTER_CRYPTO_LIB("stm32_crypto_lib", 656 crypto_lib_init, 657 crypto_verify_signature, 658 crypto_verify_hash, 659 NULL); 660 661 #endif 662