1 /* 2 * Copyright (c) 2022-2024, STMicroelectronics - All Rights Reserved 3 * 4 * SPDX-License-Identifier: BSD-3-Clause 5 */ 6 7 #include <assert.h> 8 #include <endian.h> 9 #include <errno.h> 10 11 #include <common/debug.h> 12 #include <drivers/auth/crypto_mod.h> 13 #include <drivers/io/io_storage.h> 14 #include <drivers/st/bsec.h> 15 #include <drivers/st/stm32_hash.h> 16 #include <drivers/st/stm32_pka.h> 17 #include <drivers/st/stm32_rng.h> 18 #include <drivers/st/stm32_saes.h> 19 #include <lib/utils.h> 20 #include <lib/xlat_tables/xlat_tables_v2.h> 21 #include <mbedtls/asn1.h> 22 #include <mbedtls/md.h> 23 #include <mbedtls/oid.h> 24 #include <mbedtls/platform.h> 25 #include <mbedtls/x509.h> 26 #include <plat/common/platform.h> 27 #include <tools_share/firmware_encrypted.h> 28 29 #include <platform_def.h> 30 31 #define CRYPTO_HASH_MAX_SIZE 32U 32 #define CRYPTO_SIGN_MAX_SIZE 64U 33 #define CRYPTO_PUBKEY_MAX_SIZE 64U 34 #define CRYPTO_MAX_TAG_SIZE 16U 35 36 /* brainpoolP256t1 OID is not defined in mbedTLS */ 37 #define OID_EC_GRP_BP256T1 MBEDTLS_OID_EC_BRAINPOOL_V1 "\x08" 38 39 #if STM32MP_CRYPTO_ROM_LIB 40 struct stm32mp_auth_ops { 41 uint32_t (*verify_signature)(uint8_t *hash_in, uint8_t *pubkey_in, 42 uint8_t *signature, uint32_t ecc_algo); 43 }; 44 45 static struct stm32mp_auth_ops auth_ops; 46 #endif 47 48 static void crypto_lib_init(void) 49 { 50 boot_api_context_t *boot_context __maybe_unused; 51 int ret; 52 53 NOTICE("TRUSTED_BOARD_BOOT support enabled\n"); 54 55 ret = stm32_hash_register(); 56 if (ret != 0) { 57 ERROR("HASH init (%d)\n", ret); 58 panic(); 59 } 60 61 if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_CLOSED) || 62 stm32mp_is_auth_supported()) { 63 #if STM32MP_CRYPTO_ROM_LIB 64 boot_context = (boot_api_context_t *)stm32mp_get_boot_ctx_address(); 65 auth_ops.verify_signature = boot_context->bootrom_ecdsa_verify_signature; 66 #else 67 /* Use hardware peripherals */ 68 if (stm32_rng_init() != 0) { 69 panic(); 70 } 71 72 if (stm32_saes_driver_init() != 0) { 73 panic(); 74 } 75 76 if (stm32_pka_init() != 0) { 77 panic(); 78 } 79 #endif 80 } 81 } 82 83 static int get_plain_pk_from_asn1(void *pk_ptr, unsigned int pk_len, void **plain_pk, 84 size_t *len, int *pk_alg) 85 { 86 int ret; 87 mbedtls_pk_context mbedtls_pk = {0}; 88 unsigned char *p, *end; 89 mbedtls_asn1_buf alg_params = {0}; 90 mbedtls_asn1_buf alg_oid = {0}; 91 92 *plain_pk = NULL; 93 *len = 0U; 94 95 /* Parse the public key */ 96 mbedtls_pk_init(&mbedtls_pk); 97 p = (unsigned char *)pk_ptr; 98 end = (unsigned char *)(p + pk_len); 99 100 ret = mbedtls_asn1_get_tag(&p, end, len, 101 MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); 102 if (ret != 0) { 103 return -EINVAL; 104 } 105 106 end = p + *len; 107 ret = mbedtls_asn1_get_alg(&p, end, &alg_oid, &alg_params); 108 if (ret != 0) { 109 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret); 110 return -EINVAL; 111 } 112 113 if (pk_alg != NULL) { 114 if ((strlen(MBEDTLS_OID_EC_GRP_SECP256R1) == alg_params.len) && 115 (memcmp(MBEDTLS_OID_EC_GRP_SECP256R1, alg_params.p, alg_params.len) == 0)) { 116 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_P256NIST; 117 } else if ((strlen(OID_EC_GRP_BP256T1) == alg_params.len) && 118 (memcmp(OID_EC_GRP_BP256T1, alg_params.p, alg_params.len) == 0)) { 119 *pk_alg = BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256; 120 } else { 121 ERROR("%s: Algorithm is not supported\n", __func__); 122 return -EINVAL; 123 } 124 } 125 126 ret = mbedtls_asn1_get_bitstring_null(&p, end, len); 127 if (ret != 0) { 128 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret); 129 return -EINVAL; 130 } 131 132 /* We remove the ident (0x04) first byte. */ 133 if ((*len < 1U) || (p[0] != MBEDTLS_ASN1_OCTET_STRING)) { 134 VERBOSE("%s: not expected len or tag\n", __func__); 135 return -EINVAL; 136 } 137 138 *len = *len - 1U; 139 *plain_pk = p + 1U; 140 141 return 0; 142 } 143 144 #if STM32MP_CRYPTO_ROM_LIB 145 uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in, 146 uint8_t *signature, uint32_t ecc_algo) 147 { 148 int ret; 149 150 ret = mmap_add_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_BASE, 151 STM32MP_ROM_SIZE_2MB_ALIGNED, MT_CODE | MT_SECURE); 152 if (ret != 0) { 153 VERBOSE("%s: mmap_add_dynamic_region (%d)\n", __func__, ret); 154 return CRYPTO_ERR_SIGNATURE; 155 } 156 157 ret = auth_ops.verify_signature(hash_in, pubkey_in, signature, ecc_algo); 158 159 if (ret != BOOT_API_RETURN_OK) { 160 VERBOSE("%s: auth_ops.verify_sign (%d)\n", __func__, ret); 161 ret = CRYPTO_ERR_SIGNATURE; 162 } else { 163 ret = 0; 164 } 165 166 mmap_remove_dynamic_region(STM32MP_ROM_BASE, STM32MP_ROM_SIZE_2MB_ALIGNED); 167 168 return ret; 169 } 170 171 static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, 172 void **hashed_pk_ptr, unsigned int *hashed_pk_len) 173 { 174 size_t len; 175 int ret; 176 177 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, hashed_pk_ptr, &len, NULL); 178 if (ret == 0) { 179 *hashed_pk_len = (unsigned int)len; 180 } 181 182 return ret; 183 } 184 #else /* STM32MP_CRYPTO_ROM_LIB*/ 185 static uint32_t verify_signature(uint8_t *hash_in, uint8_t *pubkey_in, 186 uint8_t *signature, uint32_t ecc_algo) 187 { 188 int ret = -1; 189 enum stm32_pka_ecdsa_curve_id cid; 190 191 switch (ecc_algo) { 192 case BOOT_API_ECDSA_ALGO_TYPE_P256NIST: 193 #if PKA_USE_NIST_P256 194 cid = PKA_NIST_P256; 195 ret = 0; 196 #else 197 WARN("%s nist_p256 requested but not included\n", __func__); 198 #endif 199 break; 200 case BOOT_API_ECDSA_ALGO_TYPE_BRAINPOOL256: 201 #if PKA_USE_BRAINPOOL_P256T1 202 cid = PKA_BRAINPOOL_P256T1; 203 ret = 0; 204 #else 205 WARN("%s brainpool_p256t1 requested but not included\n", __func__); 206 #endif 207 break; 208 default: 209 WARN("%s unexpected ecc_algo(%u)\n", __func__, ecc_algo); 210 break; 211 } 212 213 if (ret < 0) { 214 return CRYPTO_ERR_SIGNATURE; 215 } 216 217 ret = stm32_pka_ecdsa_verif(hash_in, 218 BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES, 219 signature, BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 220 signature + BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 221 BOOT_API_ECDSA_SIGNATURE_LEN_IN_BYTES / 2U, 222 pubkey_in, BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, 223 pubkey_in + BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, 224 BOOT_API_ECDSA_PUB_KEY_LEN_IN_BYTES / 2U, cid); 225 if (ret < 0) { 226 return CRYPTO_ERR_SIGNATURE; 227 } 228 229 return 0; 230 } 231 232 static int crypto_convert_pk(void *full_pk_ptr, unsigned int full_pk_len, 233 void **hashed_pk_ptr, unsigned int *hashed_pk_len) 234 { 235 static uint8_t st_pk[CRYPTO_PUBKEY_MAX_SIZE + sizeof(uint32_t)]; 236 int ret; 237 void *plain_pk; 238 size_t len; 239 int curve_id; 240 uint32_t cid; 241 242 ret = get_plain_pk_from_asn1(full_pk_ptr, full_pk_len, &plain_pk, &len, &curve_id); 243 if ((ret != 0) || (len > CRYPTO_PUBKEY_MAX_SIZE)) { 244 return -EINVAL; 245 } 246 247 cid = curve_id; /* we want value of curve_id (1 or 2) in a uint32_t */ 248 249 memcpy(st_pk, &cid, sizeof(cid)); 250 memcpy(st_pk + sizeof(cid), plain_pk, len); 251 252 *hashed_pk_ptr = st_pk; 253 *hashed_pk_len = (unsigned int)(len + sizeof(cid)); 254 255 return 0; 256 } 257 #endif /* STM32MP_CRYPTO_ROM_LIB */ 258 259 static int get_plain_digest_from_asn1(void *digest_ptr, unsigned int digest_len, 260 uint8_t **out, size_t *out_len, mbedtls_md_type_t *md_alg) 261 { 262 int ret; 263 mbedtls_asn1_buf hash_oid, params; 264 size_t len; 265 unsigned char *p, *end; 266 267 *out = NULL; 268 *out_len = 0U; 269 270 /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ 271 p = (unsigned char *)digest_ptr; 272 end = p + digest_len; 273 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | 274 MBEDTLS_ASN1_SEQUENCE); 275 if (ret != 0) { 276 return ret; 277 } 278 279 /* Get the hash algorithm */ 280 ret = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); 281 if (ret != 0) { 282 return ret; 283 } 284 285 ret = mbedtls_oid_get_md_alg(&hash_oid, md_alg); 286 if (ret != 0) { 287 return ret; 288 } 289 290 ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); 291 if (ret != 0) { 292 return ret; 293 } 294 295 /* Length of hash must match the algorithm's size */ 296 if (len != BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES) { 297 return -1; 298 } 299 300 *out = p; 301 *out_len = len; 302 303 return 0; 304 } 305 306 static int crypto_verify_signature(void *data_ptr, unsigned int data_len, 307 void *sig_ptr, unsigned int sig_len, 308 void *sig_alg, unsigned int sig_alg_len, 309 void *pk_ptr, unsigned int pk_len) 310 { 311 uint8_t image_hash[CRYPTO_HASH_MAX_SIZE] = {0}; 312 uint8_t sig[CRYPTO_SIGN_MAX_SIZE]; 313 uint8_t my_pk[CRYPTO_PUBKEY_MAX_SIZE]; 314 int ret; 315 size_t len; 316 mbedtls_asn1_sequence seq; 317 mbedtls_asn1_sequence *cur; 318 unsigned char *p, *end; 319 int curve_id; 320 mbedtls_asn1_buf sig_oid, sig_params; 321 mbedtls_md_type_t md_alg; 322 mbedtls_pk_type_t pk_alg; 323 size_t bignum_len = sizeof(sig) / 2U; 324 unsigned int seq_num = 0U; 325 326 if ((stm32mp_check_closed_device() == STM32MP_CHIP_SEC_OPEN) && 327 !stm32mp_is_auth_supported()) { 328 return CRYPTO_SUCCESS; 329 } 330 331 /* Get pointers to signature OID and parameters */ 332 p = (unsigned char *)sig_alg; 333 end = (unsigned char *)(p + sig_alg_len); 334 ret = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params); 335 if (ret != 0) { 336 VERBOSE("%s: mbedtls_asn1_get_alg (%d)\n", __func__, ret); 337 return CRYPTO_ERR_SIGNATURE; 338 } 339 340 /* Get the actual signature algorithm (MD + PK) */ 341 ret = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); 342 if (ret != 0) { 343 VERBOSE("%s: mbedtls_oid_get_sig_alg (%d)\n", __func__, ret); 344 return CRYPTO_ERR_SIGNATURE; 345 } 346 347 if ((md_alg != MBEDTLS_MD_SHA256) || (pk_alg != MBEDTLS_PK_ECDSA)) { 348 VERBOSE("%s: md_alg=%u pk_alg=%u\n", __func__, md_alg, pk_alg); 349 return CRYPTO_ERR_SIGNATURE; 350 } 351 352 ret = get_plain_pk_from_asn1(pk_ptr, pk_len, &pk_ptr, &len, &curve_id); 353 if (ret != 0) { 354 VERBOSE("%s: get_plain_pk_from_asn1 (%d)\n", __func__, ret); 355 return CRYPTO_ERR_SIGNATURE; 356 } 357 358 /* We expect a known pk_len */ 359 if (len != sizeof(my_pk)) { 360 VERBOSE("%s: pk_len=%zu sizeof(my_pk)=%zu)\n", __func__, len, sizeof(my_pk)); 361 return CRYPTO_ERR_SIGNATURE; 362 } 363 364 /* Need to copy as auth_ops.verify_signature 365 * expects aligned public key. 366 */ 367 memcpy(my_pk, pk_ptr, sizeof(my_pk)); 368 369 /* Get the signature (bitstring) */ 370 p = (unsigned char *)sig_ptr; 371 end = (unsigned char *)(p + sig_len); 372 ret = mbedtls_asn1_get_bitstring_null(&p, end, &len); 373 if (ret != 0) { 374 VERBOSE("%s: mbedtls_asn1_get_bitstring_null (%d)\n", __func__, ret); 375 return CRYPTO_ERR_SIGNATURE; 376 } 377 378 /* Get r and s from sequence */ 379 ret = mbedtls_asn1_get_sequence_of(&p, end, &seq, MBEDTLS_ASN1_INTEGER); 380 if (ret != 0) { 381 VERBOSE("%s: mbedtls_asn1_get_sequence_of (%d)\n", __func__, ret); 382 return CRYPTO_ERR_SIGNATURE; 383 } 384 385 /* We expect only 2 integers (r and s) from the sequence */ 386 if (seq.next->next != NULL) { 387 cur = seq.next; 388 mbedtls_asn1_sequence *next; 389 390 VERBOSE("%s: nb seq != 2\n", __func__); 391 /* Free all the sequences */ 392 while (cur != NULL) { 393 next = cur->next; 394 mbedtls_free(cur); 395 cur = next; 396 } 397 398 return CRYPTO_ERR_SIGNATURE; 399 } 400 401 /* 402 * ECDSA signatures are composed of a tuple (R,S) where R and S are between 0 and n. 403 * This means that the R and S can have a maximum of 32 each, but can also be smaller. 404 * Also seen the integer sequence may (sometime) start with 0x00 as MSB, but we can only 405 * manage exactly 2*32 bytes, we remove this higher byte if there are not 00, 406 * we will fail either. 407 */ 408 cur = &seq; 409 memset(sig, 0U, sizeof(sig)); 410 411 while (cur != NULL) { 412 size_t skip = 0U; 413 size_t seek = seq_num * bignum_len; 414 415 if (cur->buf.len > bignum_len) { 416 /* Remove extra 0x00 bytes */ 417 skip = cur->buf.len - bignum_len; 418 } else if (cur->buf.len < bignum_len) { 419 /* Add padding to match HW required size */ 420 seek += (bignum_len % cur->buf.len); 421 } 422 423 if (seek + cur->buf.len > sizeof(sig) + skip) { 424 panic(); 425 } 426 427 memcpy(sig + seek, cur->buf.p + skip, cur->buf.len - skip); 428 cur = cur->next; 429 seq_num++; 430 } 431 432 /* Need to free allocated 'next' in mbedtls_asn1_get_sequence_of */ 433 mbedtls_free(seq.next); 434 435 /* Compute hash for the data covered by the signature */ 436 stm32_hash_init(HASH_SHA256); 437 438 ret = stm32_hash_final_update((uint8_t *)data_ptr, data_len, image_hash); 439 if (ret != 0) { 440 VERBOSE("%s: stm32_hash_final_update (%d)\n", __func__, ret); 441 return CRYPTO_ERR_SIGNATURE; 442 } 443 444 return verify_signature(image_hash, my_pk, sig, curve_id); 445 } 446 447 static int crypto_verify_hash(void *data_ptr, unsigned int data_len, 448 void *digest_info_ptr, 449 unsigned int digest_info_len) 450 { 451 int ret; 452 uint8_t calc_hash[BOOT_API_SHA256_DIGEST_SIZE_IN_BYTES]; 453 unsigned char *p; 454 mbedtls_md_type_t md_alg; 455 size_t len; 456 457 /* we receive an asn1 encapsulated digest, we flatten it */ 458 ret = get_plain_digest_from_asn1(digest_info_ptr, 459 digest_info_len, &p, &len, 460 &md_alg); 461 if ((ret != 0) || (md_alg != MBEDTLS_MD_SHA256) || (len != sizeof(calc_hash))) { 462 return CRYPTO_ERR_HASH; 463 } 464 465 digest_info_ptr = p; 466 digest_info_len = len; 467 468 stm32_hash_init(HASH_SHA256); 469 470 ret = stm32_hash_final_update(data_ptr, data_len, calc_hash); 471 if (ret != 0) { 472 VERBOSE("%s: hash failed\n", __func__); 473 return CRYPTO_ERR_HASH; 474 } 475 476 ret = memcmp(calc_hash, digest_info_ptr, digest_info_len); 477 if (ret != 0) { 478 VERBOSE("%s: not expected digest\n", __func__); 479 ret = CRYPTO_ERR_HASH; 480 } 481 482 return ret; 483 } 484 485 #if !defined(DECRYPTION_SUPPORT_none) 486 static int derive_key(uint8_t *key, size_t *key_len, size_t len, 487 unsigned int *flags, const uint8_t *img_id, size_t img_id_len) 488 { 489 size_t i, j; 490 491 assert(*key_len >= 32U); 492 493 /* 494 * Not a real derivation yet 495 * 496 * We expect a 32 bytes key, if OTP is only 16 bytes 497 * => duplicate. 498 */ 499 for (i = 0U, j = len; j < 32U; 500 i += sizeof(uint32_t), j += sizeof(uint32_t)) { 501 memcpy(key + j, key + i, sizeof(uint32_t)); 502 } 503 504 *key_len = 32U; 505 /* Variable 'key' store a real key */ 506 *flags = 0U; 507 508 return 0; 509 } 510 511 int plat_get_enc_key_info(enum fw_enc_status_t fw_enc_status, uint8_t *key, 512 size_t *key_len, unsigned int *flags, 513 const uint8_t *img_id, size_t img_id_len) 514 { 515 uint32_t otp_idx; 516 uint32_t otp_len; 517 size_t read_len; 518 size_t i; 519 520 if (fw_enc_status == FW_ENC_WITH_BSSK) { 521 return -EINVAL; 522 } 523 524 if (stm32_get_otp_index(ENCKEY_OTP, &otp_idx, &otp_len) != 0) { 525 VERBOSE("%s: get %s index error\n", __func__, ENCKEY_OTP); 526 return -EINVAL; 527 } 528 529 if (otp_len > (*key_len * CHAR_BIT)) { 530 VERBOSE("%s: length Error otp_len=%u key_len=%zu\n", __func__, 531 otp_len, *key_len * CHAR_BIT); 532 return -EINVAL; 533 } 534 535 read_len = otp_len / CHAR_BIT; 536 assert(read_len % sizeof(uint32_t) == 0); 537 538 for (i = 0U; i < read_len / sizeof(uint32_t); i++) { 539 uint32_t tmp; 540 uint32_t otp_val; 541 542 if (stm32_get_otp_value_from_idx(otp_idx + i, &otp_val) != 0) { 543 zeromem(key, *key_len); 544 VERBOSE("%s: unable to read from otp\n", __func__); 545 return -EINVAL; 546 } 547 548 tmp = bswap32(otp_val); 549 memcpy(key + i * sizeof(uint32_t), &tmp, sizeof(tmp)); 550 } 551 552 /* Now we have the OTP values in key till read_len */ 553 554 if (derive_key(key, key_len, read_len, flags, img_id, 555 img_id_len) != 0) { 556 zeromem(key, *key_len); 557 return -EINVAL; 558 } 559 560 return 0; 561 } 562 563 static enum stm32_saes_key_selection select_key(unsigned int key_flags) 564 { 565 if ((key_flags & ENC_KEY_IS_IDENTIFIER) != 0U) { 566 panic(); 567 } 568 569 /* Use the provided key buffer */ 570 return STM32_SAES_KEY_SOFT; 571 } 572 573 static int stm32_decrypt_aes_gcm(void *data, size_t data_len, 574 const void *key, unsigned int key_len, 575 unsigned int key_flags, 576 const void *iv, unsigned int iv_len, 577 const void *tag, unsigned int tag_len) 578 { 579 int ret; 580 struct stm32_saes_context ctx; 581 unsigned char tag_buf[CRYPTO_MAX_TAG_SIZE]; 582 enum stm32_saes_key_selection key_mode; 583 unsigned int diff = 0U; 584 unsigned int i; 585 586 key_mode = select_key(key_flags); 587 588 ret = stm32_saes_init(&ctx, true, STM32_SAES_MODE_GCM, key_mode, key, 589 key_len, iv, iv_len); 590 if (ret != 0) { 591 return CRYPTO_ERR_INIT; 592 } 593 594 ret = stm32_saes_update_assodata(&ctx, true, NULL, 0U); 595 if (ret != 0) { 596 return CRYPTO_ERR_DECRYPTION; 597 } 598 599 ret = stm32_saes_update_load(&ctx, true, data, data, data_len); 600 if (ret != 0) { 601 return CRYPTO_ERR_DECRYPTION; 602 } 603 604 ret = stm32_saes_final(&ctx, tag_buf, sizeof(tag_buf)); 605 if (ret != 0) { 606 return CRYPTO_ERR_DECRYPTION; 607 } 608 609 /* Check tag in "constant-time" */ 610 for (i = 0U; i < tag_len; i++) { 611 diff |= ((const unsigned char *)tag)[i] ^ tag_buf[i]; 612 } 613 614 if (diff != 0U) { 615 return CRYPTO_ERR_DECRYPTION; 616 } 617 618 return CRYPTO_SUCCESS; 619 } 620 621 /* 622 * Authenticated decryption of an image 623 * 624 */ 625 static int crypto_auth_decrypt(enum crypto_dec_algo dec_algo, void *data_ptr, size_t len, 626 const void *key, unsigned int key_len, unsigned int key_flags, 627 const void *iv, unsigned int iv_len, const void *tag, 628 unsigned int tag_len) 629 { 630 int rc = -1; 631 uint32_t real_iv[4]; 632 633 switch (dec_algo) { 634 case CRYPTO_GCM_DECRYPT: 635 /* 636 * GCM expect a Nonce 637 * The AES IV is the nonce (a uint32_t[3]) 638 * then a counter (a uint32_t big endian) 639 * The counter starts at 2. 640 */ 641 memcpy(real_iv, iv, iv_len); 642 real_iv[3] = htobe32(0x2U); 643 644 rc = stm32_decrypt_aes_gcm(data_ptr, len, key, key_len, key_flags, 645 real_iv, sizeof(real_iv), tag, tag_len); 646 break; 647 default: 648 rc = CRYPTO_ERR_DECRYPTION; 649 break; 650 } 651 652 if (rc != 0) { 653 return rc; 654 } 655 656 return CRYPTO_SUCCESS; 657 } 658 659 REGISTER_CRYPTO_LIB("stm32_crypto_lib", 660 crypto_lib_init, 661 crypto_verify_signature, 662 crypto_verify_hash, 663 NULL, 664 crypto_auth_decrypt, 665 crypto_convert_pk); 666 667 #else /* No decryption support */ 668 REGISTER_CRYPTO_LIB("stm32_crypto_lib", 669 crypto_lib_init, 670 crypto_verify_signature, 671 crypto_verify_hash, 672 NULL, 673 NULL, 674 crypto_convert_pk); 675 #endif 676