Support mbedtls crypto library #2705
Conversation
Initial step of mbedtls cryptos integration. Directory created and interface file is drafted. All function interfaces are set to "not supported". The mbedtls can be selected by specifying build flags "CFG_CRYPTOLIB_NAME=mbedtls" and "CFG_CRYPTOLIB_DIR=lib/libmbedtls" Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
1. Support mbedtls hash algorithm. 2. Add mbedtls source configure Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
edison-ai
force-pushed
the
merge_to_mbedtls-2.6.1
branch
from
1f52185 to
1ae0da7
Compare
|
There seems to be some confusion here. Only the commits: The purpose of the Since |
| @@ -1931,11 +1990,13 @@ static TEE_Result cipher_get_ctx_size(uint32_t algo, size_t *size) | |||
| #endif | |||
| #if defined(CFG_CRYPTO_XTS) | |||
| case TEE_ALG_AES_XTS: | |||
| return TEE_ERROR_NOT_SUPPORTED; | |||
| *size = sizeof(struct tee_symmetric_cts); | |||
| #endif | ||
| #if defined(CFG_CRYPTO_CTS) | ||
| case TEE_ALG_AES_CTS: | ||
| return TEE_ERROR_NOT_SUPPORTED; | ||
| *size = sizeof(struct tee_symmetric_xts); |
| @@ -2016,8 +2077,10 @@ TEE_Result crypto_cipher_alloc_ctx(void **ctx_ret, uint32_t algo) | |||
| return TEE_ERROR_NOT_SUPPORTED; | |||
| } | |||
|
|
|||
| if (!cipher_info) | |||
| if (algo != TEE_ALG_AES_XTS && algo != TEE_ALG_AES_CTS && | |||
| !cipher_info) { | |||
There was a problem hiding this comment.
Minor: the braces aren't needed.
| @@ -2049,13 +2116,26 @@ void crypto_cipher_free_ctx(void *ctx, uint32_t algo __maybe_unused) | |||
| * could never have succeded above. | |||
| */ | |||
| assert(!cipher_get_ctx_size(algo, &ctx_size)); | |||
| mbedtls_cipher_free(ctx); | |||
| #if defined(CFG_CRYPTO_XTS) || defined(CFG_CRYPTO_CTS) | |||
There was a problem hiding this comment.
Unless CFG_CRYPTO_XTS or CFG_CRYPTO_CTS is defined we'll potentially leak memory.
I see no harm in always having the if (...) below
There was a problem hiding this comment.
Yes, it is a mistake. Should not add them here.
| if (algo == TEE_ALG_AES_XTS || algo == TEE_ALG_AES_CTS) { | ||
| res = cipher_get_ctx_size(algo, &ctx_size); | ||
| assert(!res); | ||
| memcpy(dst_ctx, src_ctx, ctx_size); |
There was a problem hiding this comment.
I think a return; is needed after this line.
| @@ -2071,6 +2151,58 @@ TEE_Result crypto_cipher_init(void *ctx, uint32_t algo, | |||
| const mbedtls_cipher_info_t *cipher_info = NULL; | |||
| int lmd_res; | |||
| int lmd_mode; | |||
| #if defined(CFG_CRYPTO_CTS) | |||
| struct tee_symmetric_cts *cts; | |||
There was a problem hiding this comment.
These helper variables are only used in their if blocks below so please move the declarations.
|
|
||
| #if defined(CFG_CRYPTO_XTS) | ||
| if (algo == TEE_ALG_AES_XTS) { | ||
| res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex); |
There was a problem hiding this comment.
Could move these three lines into the other if (algo == TEE_ALG_AES_XTS) block below.
| @@ -2127,6 +2259,13 @@ TEE_Result crypto_cipher_update(void *ctx, uint32_t algo, | |||
| int lmd_res; | |||
| size_t olen; | |||
| size_t finish_olen; | |||
| #if defined(CFG_CRYPTO_CTS) | |||
| struct tee_symmetric_cts *cts; | |||
There was a problem hiding this comment.
I'd prefer if the #if was skipped and the __maybe_unused tag was used instead, here and the two other locals below.
There was a problem hiding this comment.
Sorry for just copy code to here directly. I will fix it.
|
|
||
| #if defined(CFG_CRYPTO_CBC_MAC) | ||
| /* | ||
| * CBC-MAC is not implemented in Libtomcrypt |
There was a problem hiding this comment.
s/Libtomcrypt/mbedtls/
| return TEE_ERROR_NOT_SUPPORTED; | ||
| cbc = (struct cbc_state *)ctx; | ||
|
|
||
| res = tee_algo_to_ltc_cipherindex(algo, <c_cipherindex); |
There was a problem hiding this comment.
How come the mbedtls implementation of AES/DES/DES3 isn't used instead?
There was a problem hiding this comment.
Sorry not notice it before. I will refine it by using mbedtls.
|
For "libmbedtls: Support DSA algorithm" please apply: |
|
I'm done with the review for the moment. |
|
For "libmbedtls: GCM and CCM enhance for integrate", "libmbedtls: fix no CRT issue" and "libmbedtls: add interfaces in mbedtls for context memory operation", I will drop them in this PR. Because they had been in #2439. |
|
We've advanced far enough in this PR that it would make sense to start merging that #2439. |
edison-ai
force-pushed
the
merge_to_mbedtls-2.6.1
branch
from
1ae0da7 to
fcc6a08
Compare
Adds support for symmetrical ciphers. The CTS and XTS modes are not supported in mbedTLS and will be dealt with later. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Adds size of expanded AES encryption key to crypto_aes_expand_enc_key() and crypto_aes_enc_block() to make the functions more safe to call. Signed-off-by: Summer Qin <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
These two implement interfaces will be used by AES-GCM algo. Signed-off-by: Summer Qin <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Implement HMAC function which based on mbedtls. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Implement CMAC function which based on mbedtls. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Implement bignum function which based on mbedtls. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Support RSA: RSASSA_PKCS1_V1_5 RSASSA_PKCS1_PSS_MGF1 RSAES_PKCS1_V1_5 RSAES_PKCS1_OAEP_MGF1 Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Implement DH function which based on mbedtls. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Support mbedtls ECC: ecdh and ecdsa. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Implement CCM function which based on mbedtls. Signed-off-by: Shawn Shan <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
DSA is not supported in MbedTLS, call libtomcrypt directly. Signed-off-by: Edison Ai <[email protected]> Reviewed-by: Jens Wiklander <[email protected]>
Cipher CTS and XTS are not supported in MbedTLS, call libtomcrypt directly. Signed-off-by: Edison Ai <[email protected]>
CBC MAC supported in MbedTLS, implement is by using cipher. Signed-off-by: Edison Ai <[email protected]>
edison-ai
force-pushed
the
merge_to_mbedtls-2.6.1
branch
from
fcc6a08 to
a1a3d47
Compare
|
There are a couple of compiler errors in lib/libmbedtls/core/tee_lmd_provider.c (see IBART). |
|
@jbech-linaro Yes. It is because I remove 3 patches form this PR for them are in another PR #2439. As discuss, I remove them here. |
Not at this point, that's a feature on the IBART to-do list and was actually one of the reasons I started writing IBART. So if it's a cross dependency, then we have to live with that (the error) for now. |
|
Replaced by the now merged #2904 |
Move #2345 here.