2 * Copyright (c) 2017 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
17 * @file tz-context.cpp
18 * @author Lukasz Kostyra (l.kostyra@samsung.com)
22 #include <tz-backend/tz-context.h>
23 #include <tz-backend/tz-memory.h>
24 #include <generic-backend/exception.h>
25 #include <generic-backend/crypto-params.h>
26 #include <generic-backend/encryption-params.h>
27 #include <dpl/log/log.h>
29 #include <km_serialization.h>
30 #include <km_ta_defines.h>
37 #include <unordered_map>
46 // A little bit of extra memory to add to output buffers.
48 // We need this extra memory to output for padding purposes - after encryption
49 // we can resize the result memory back to its proper size according to
50 // whatever TA will return us.
51 const uint32_t CIPHER_EXTRA_PADDING_SIZE = 16;
53 // Identifier of our TA
54 const TEEC_UUID KEY_MANAGER_TA_UUID = KM_TA_UUID;
56 //raw to hex string conversion to print persistent storage data ID
57 static std::string rawToHexString(const RawBuffer &raw)
63 snprintf(buf, sizeof(buf), "%02x", (e & 0xff));
64 dump.push_back(buf[0]);
65 dump.push_back(buf[1]);
72 * Maximum size for given key type in bytes according to key-manager-ta implementation.
73 * Note that they are greater than TEE Internal Core API v1.1.2.50 (Table 5-9) values.
75 const std::unordered_map<tz_algo_type, size_t> MAX_KEY_SIZE = {
76 { ALGO_RSA, 4096 / 8 },
77 { ALGO_RSA_SV, 4096 / 8 },
78 { ALGO_DSA_SV, 4096 / 8 }
81 void DeserializeKeyID(TrustZoneMemory &mem, RawBuffer &id)
83 LogDebug("Deserializing key ID");
85 KM_SymmetricInput* output = nullptr;
86 int ret = KM_ParamsDeserializationInit(mem.Get()->buffer, mem.Get()->size, &output);
88 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize key ID data deserialization: ", ret);
91 KM_OutData* outData = nullptr;
92 ret = KM_ParamsDeserializeOutData(output, &outData);
94 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize key ID data: ", ret);
97 if (outData == nullptr || outData->data_size != KM_KEY_ID_SIZE) {
98 ThrowErr(Exc::Crypto::InternalError, "Deserialized invalid key ID");
101 // data_size should contain how much memory we actually took for our cipher operation
102 id.resize(outData->data_size);
103 memcpy(id.data(), outData->data, outData->data_size);
106 } // anonymous namespace
108 TrustZoneContext::TrustZoneContext()
109 : m_ContextInitialized(false)
110 , m_SessionInitialized(false)
115 TrustZoneContext::~TrustZoneContext()
120 TrustZoneContext& TrustZoneContext::Instance()
122 static TrustZoneContext instance;
126 void TrustZoneContext::generateIV(RawBuffer& iv)
128 // command ID = CMD_GENERATE_IV
130 // TEEC_Operation layout:
132 // [1].memref.buffer - output
133 // [1].memref.size - output size
135 // [0].value.a - return code
137 // IV generation is a simple call - no need to serialize data
138 // just provide the output buffer with size equal to iv.
139 uint32_t ivSize = Params::DEFAULT_AES_IV_LEN;
140 TrustZoneMemory ivMemory(m_Context, ivSize, TEEC_MEM_OUTPUT);
143 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
144 TEEC_NONE, TEEC_NONE);
145 op.params[1].memref.parent = ivMemory.Get();
146 op.params[1].memref.offset = 0;
147 op.params[1].memref.size = ivMemory.Get()->size;
148 Execute(CMD_GENERATE_IV, &op);
151 memcpy(iv.data(), ivMemory.Get()->buffer, ivMemory.Get()->size);
154 void TrustZoneContext::generateSKey(tz_algo_type algo,
155 uint32_t keySizeBits,
158 // command ID = CMD_GENERATE_KEY
160 // TEEC_Operation layout:
162 // [0].value.a - key type
163 // [0].value.b - key bit size
165 // [0].value.a - return code
166 // [1].memref - serialized key reference
168 KM_BufferSizeDesc bufSize;
170 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
171 bufSize.out_size = KM_KEY_ID_SIZE;
172 uint32_t keyMemorySize = KM_CalcBufferSize(bufSize);
173 TrustZoneMemory keyMemory(m_Context, keyMemorySize, TEEC_MEM_OUTPUT);
176 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
177 TEEC_NONE, TEEC_NONE);
178 op.params[0].value.a = algo;
179 op.params[0].value.b = keySizeBits;
180 op.params[1].memref.parent = keyMemory.Get();
181 op.params[1].memref.offset = 0;
182 op.params[1].memref.size = keyMemorySize;
183 Execute(CMD_GENERATE_KEY, &op);
185 DeserializeKeyID(keyMemory, keyId);
188 void TrustZoneContext::generateSKeyPwd(tz_algo_type algo,
189 const RawBuffer &pwd,
191 const uint32_t keySizeBits,
195 // command ID = CMD_GENERATE_KEY_PWD
197 // TEEC_Operation layout:
199 // [0].value.a - key type
200 // [0].value.b - key size in bits
201 // [1].memref - input (seralized pwd/iv for pbkdf2)
203 // [0].value.a - return code
204 // [2].memref - serialized key reference ID
206 KM_BufferSizeDesc bufSize;
208 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
209 bufSize.with_pwd_data = true;
210 bufSize.pwd_size = static_cast<uint32_t>(pwd.size());
211 bufSize.pwd_iv_size = static_cast<uint32_t>(iv.size());
212 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
213 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
215 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
216 bufSize.out_size = KM_KEY_ID_SIZE;
217 bufSize.tag_size = Params::DEFAULT_AES_GCM_TAG_LEN_BYTES;
218 uint32_t keyMemorySize = KM_CalcBufferSize(bufSize);
219 TrustZoneMemory keyMemory(m_Context, keyMemorySize, TEEC_MEM_OUTPUT);
221 KM_SymmetricInput* input = nullptr;
222 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
224 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for TZ crypto operations");
227 ret = KM_ParamsSerializePwdData(input, pwd.data(), pwd.size(), iv.data(), iv.size(),
228 nullptr, 0, Params::DERIVED_KEY_LENGTH_BITS,
229 Params::DERIVED_KEY_ITERATIONS, bufSize.tag_size * 8);
231 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize password data for TZ crypto operation: ", ret);
235 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
236 TEEC_MEMREF_WHOLE, TEEC_NONE);
237 op.params[0].value.a = algo;
238 op.params[0].value.b = keySizeBits;
239 op.params[1].memref.parent = inMemory.Get();
240 op.params[1].memref.offset = 0;
241 op.params[1].memref.size = inMemory.Get()->size;
242 op.params[2].memref.parent = keyMemory.Get();
243 op.params[2].memref.offset = 0;
244 op.params[2].memref.size = keyMemory.Get()->size;
245 Execute(CMD_GENERATE_KEY_PWD, &op);
247 DeserializeKeyID(keyMemory, keyId);
249 KM_SymmetricInput* output = nullptr;
250 ret = KM_ParamsDeserializationInit(keyMemory.Get()->buffer, keyMemory.Get()->size, &output);
252 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize deserialization for generated key ID");
255 KM_OutData* outData = nullptr;
256 ret = KM_ParamsDeserializeOutData(output, &outData);
258 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize generated key ID");
261 KM_TagData* tagData = nullptr;
262 ret = KM_ParamsDeserializeTagData(output, &tagData);
264 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize key's tag");
267 if (outData == nullptr || outData->data_size != KM_KEY_ID_SIZE) {
268 ThrowErr(Exc::Crypto::InternalError, "Deserialized incorrect key ID");
271 if (tagData == nullptr || tagData->data_size != Params::DEFAULT_AES_GCM_TAG_LEN_BYTES) {
272 ThrowErr(Exc::Crypto::InternalError, "Deserialized incorrect key tag");
275 keyId.resize(KM_KEY_ID_SIZE);
276 memcpy(keyId.data(), outData->data, KM_KEY_ID_SIZE);
278 pwdTag.resize(Params::DEFAULT_AES_GCM_TAG_LEN_BYTES);
279 memcpy(pwdTag.data(), tagData->data, Params::DEFAULT_AES_GCM_TAG_LEN_BYTES);
282 void TrustZoneContext::GenerateAKey(tz_command commandId,
284 uint32_t keySizeBits,
285 const RawBuffer &pubPwd,
286 const RawBuffer &pubPwdIv,
287 const RawBuffer &privPwd,
288 const RawBuffer &privPwdIv,
290 RawBuffer &pubKeyTag,
291 RawBuffer &privKeyId,
292 RawBuffer &privKeyTag)
294 uint32_t pubTagSize = 0;
295 uint32_t privTagSize = 0;
297 uint32_t pubPwdExists = pubPwd.empty() ? 0 : 1;
298 sIn.Push(new TZSerializableFlag(pubPwdExists));
300 sIn.Push(new TZSerializablePwdData(pubPwd, pubPwdIv, Params::DEFAULT_AES_GCM_TAG_LEN_BITS));
301 pubTagSize = (Params::DEFAULT_AES_GCM_TAG_LEN_BITS + 7) >> 3;
303 uint32_t privPwdExists = privPwd.empty() ? 0 : 1;
304 sIn.Push(new TZSerializableFlag(privPwdExists));
306 sIn.Push(new TZSerializablePwdData(privPwd, privPwdIv, Params::DEFAULT_AES_GCM_TAG_LEN_BITS));
307 privTagSize = (Params::DEFAULT_AES_GCM_TAG_LEN_BITS + 7) >> 3;
310 TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
311 sIn.Serialize(inMemory);
314 sOut.Push(new TZSerializableBinary(KM_KEY_ID_SIZE));
315 sOut.Push(new TZSerializableBinary(pubTagSize));
316 sOut.Push(new TZSerializableBinary(KM_KEY_ID_SIZE));
317 sOut.Push(new TZSerializableBinary(privTagSize));
319 TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
322 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
323 TEEC_MEMREF_WHOLE, TEEC_NONE);
324 op.params[0].value.b = keySizeBits;
325 op.params[1].memref.parent = inMemory.Get();
326 op.params[1].memref.offset = 0;
327 op.params[1].memref.size = inMemory.Get()->size;
328 op.params[2].memref.parent = outMemory.Get();
329 op.params[2].memref.offset = 0;
330 op.params[2].memref.size = outMemory.Get()->size;
331 Execute(commandId, &op);
333 sOut.Deserialize(outMemory);
336 if (pubKeyId.size() != KM_KEY_ID_SIZE) {
337 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize public key ID");
341 sOut.Pull(pubKeyTag);
344 sOut.Pull(privKeyId);
345 if (privKeyId.size() != KM_KEY_ID_SIZE) {
346 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize private key ID");
350 sOut.Pull(privKeyTag);
354 void TrustZoneContext::generateRSAKey(uint32_t keySizeBits,
355 const RawBuffer &pubPwd,
356 const RawBuffer &pubPwdIv,
357 const RawBuffer &privPwd,
358 const RawBuffer &privPwdIv,
360 RawBuffer &pubKeyTag,
361 RawBuffer &privKeyId,
362 RawBuffer &privKeyTag)
364 // command ID = CMD_GENERATE_RSA_KEYPAIR
366 // TEEC_Operation layout:
368 // [0].value.b - key bit size
369 // [1].memref - reference to serialized buffer:
370 // flag marking the public key password presence,
371 // public key password data if the flag above is not 0,
372 // flag marking the private key password presence,
373 // public key private data if the flag above is not 0,
375 // [0].value.a - return code
378 // public key tag if password was present,
380 // private key tag if password was present,
384 GenerateAKey(CMD_GENERATE_RSA_KEYPAIR,
397 void TrustZoneContext::generateDSAKey(uint32_t keySizeBits,
398 const RawBuffer &prime,
399 const RawBuffer &subprime,
400 const RawBuffer &base,
401 const RawBuffer &pubPwd,
402 const RawBuffer &pubPwdIv,
403 const RawBuffer &privPwd,
404 const RawBuffer &privPwdIv,
406 RawBuffer &pubKeyTag,
407 RawBuffer &privKeyId,
408 RawBuffer &privKeyTag)
410 // command ID = CMD_GENERATE_DSA_KEYPAIR
412 // TEEC_Operation layout:
414 // [0].value.b - key bit size
415 // [1].memref - reference to serialized buffer:
416 // prime, subprime, base,
417 // flag marking the public key password presence,
418 // public key password data if the flag above is not 0,
419 // flag marking the private key password presence,
420 // public key private data if the flag above is not 0,
422 // [0].value.a - return code
425 // public key tag if password was present,
427 // private key tag if password was present,
430 sIn.Push(new TZSerializableBinary(prime));
431 sIn.Push(new TZSerializableBinary(subprime));
432 sIn.Push(new TZSerializableBinary(base));
434 GenerateAKey(CMD_GENERATE_DSA_KEYPAIR,
447 void TrustZoneContext::executeCrypt(tz_command cmd,
449 const RawBuffer &keyId,
452 const RawBuffer &data,
455 // command IDs = CMD_ENCRYPT, CMD_DECRYPT (from km_ta_defines.h)
457 // TEEC_Operation layout:
459 // [0].value.a - keyid
460 // [0].value.b - algo
461 // [1].memref - input data (serialized key/input)
463 // [0].value.a - return code
464 // [2].memref - serialized output buffer
466 if (keyId.size() != KM_KEY_ID_SIZE) {
467 ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer (size = "
468 + std::to_string(keyId.size()) + ")");
471 KM_BufferSizeDesc bufSize;
473 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
474 bufSize.input_size = static_cast<uint32_t>(data.size());
475 bufSize.with_pwd_data = true;
476 bufSize.pwd_size = static_cast<uint32_t>(pwd.getPassword().size());
477 bufSize.pwd_iv_size = static_cast<uint32_t>(pwd.getIV().size());
478 bufSize.pwd_tag_size = static_cast<uint32_t>(pwd.getTag().size());
479 bufSize.iv_size = static_cast<uint32_t>(iv.size());
480 bufSize.key_id_size = static_cast<uint32_t>(keyId.size());
481 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
482 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
484 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
486 // decrypt operation does not require padding
487 bufSize.out_size = static_cast<uint32_t>(data.size());
488 if (cmd == CMD_ENCRYPT) {
489 if (algo == ALGO_RSA) {
490 // We don't know the key length
491 bufSize.out_size = MAX_KEY_SIZE.at(ALGO_RSA);
493 bufSize.out_size = static_cast<uint32_t>(data.size() + CIPHER_EXTRA_PADDING_SIZE);
496 uint32_t outMemorySize = KM_CalcBufferSize(bufSize);
497 TrustZoneMemory outMemory(m_Context, outMemorySize, TEEC_MEM_OUTPUT);
499 KM_SymmetricInput* input = nullptr;
500 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
502 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for TZ crypto operations");
505 ret = KM_ParamsSerializeInputData(input, data.data(), data.size());
507 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize input data for TZ crypto operation: ", ret);
510 uint32_t pwdTagSizeBits = pwd.getTag().size() * 8;
511 ret = KM_ParamsSerializePwdData(input, pwd.getPassword().data(), pwd.getPassword().size(),
512 pwd.getIV().data(), pwd.getIV().size(),
513 pwd.getTag().data(), pwd.getTag().size(),
514 Params::DERIVED_KEY_LENGTH_BITS,
515 Params::DERIVED_KEY_ITERATIONS,
518 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize password data for TZ crypto operation: ", ret);
521 ret = KM_ParamsSerializeIVData(input, iv.data(), iv.size());
523 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize IV data for TZ crypto operation: ", ret);
526 ret = KM_ParamsSerializeKeyId(input, keyId.data(), keyId.size());
528 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key id data for TZ crypto operation: ", ret);
532 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
533 TEEC_MEMREF_WHOLE, TEEC_NONE);
534 op.params[0].value.a = algo;
535 op.params[1].memref.parent = inMemory.Get();
536 op.params[1].memref.offset = 0;
537 op.params[1].memref.size = inMemory.Get()->size;
538 op.params[2].memref.parent = outMemory.Get();
539 op.params[2].memref.offset = 0;
540 op.params[2].memref.size = outMemory.Get()->size;
543 KM_SymmetricInput* output = nullptr;
544 ret = KM_ParamsDeserializationInit(outMemory.Get()->buffer, outMemory.Get()->size, &output);
546 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize output data deserialization: ", ret);
549 KM_OutData* outData = nullptr;
550 ret = KM_ParamsDeserializeOutData(output, &outData);
552 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize output data: ", ret);
555 // data_size should contain how much memory we actually took for our cipher operation
556 out.resize(outData->data_size);
557 memcpy(out.data(), outData->data, outData->data_size);
560 void TrustZoneContext::executeEncryptAE(const RawBuffer &keyId,
564 const RawBuffer &aad,
565 const RawBuffer &data,
569 // command ID = CMD_ENCRYPT (from km_ta_defines.h)
571 // TEEC_Operation layout:
573 // [0].value.a - keyid
574 // [0].value.b - algo
575 // [1].memref - input data (serialized key/input/iv/aad)
577 // [0].value.a - return code
578 // [2].memref - output
580 if (keyId.size() != KM_KEY_ID_SIZE) {
581 ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer");
584 uint32_t tagSizeBytes = (tagSizeBits + 7) / 8;
585 KM_BufferSizeDesc bufSize;
587 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
588 bufSize.input_size = static_cast<uint32_t>(data.size());
589 bufSize.with_pwd_data = true;
590 bufSize.pwd_size = static_cast<uint32_t>(pwd.getPassword().size());
591 bufSize.pwd_iv_size = static_cast<uint32_t>(pwd.getIV().size());
592 bufSize.pwd_tag_size = static_cast<uint32_t>(pwd.getTag().size());
593 bufSize.iv_size = static_cast<uint32_t>(iv.size());
594 bufSize.key_id_size = static_cast<uint32_t>(keyId.size());
595 bufSize.with_ae_data = true;
596 bufSize.aad_size = static_cast<uint32_t>(aad.size());
597 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
598 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
600 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
601 bufSize.out_size = static_cast<uint32_t>(data.size() + CIPHER_EXTRA_PADDING_SIZE);
602 bufSize.tag_size = static_cast<uint32_t>(tagSizeBytes);
603 uint32_t outMemorySize = KM_CalcBufferSize(bufSize);
604 TrustZoneMemory outMemory(m_Context, outMemorySize, TEEC_MEM_OUTPUT);
606 KM_SymmetricInput* input = nullptr;
607 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
609 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for TZ crypto operations");
612 ret = KM_ParamsSerializeInputData(input, data.data(), data.size());
614 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize input data for TZ crypto operation: ", ret);
617 uint32_t pwdTagSizeBits = pwd.getTag().size() * 8;
618 ret = KM_ParamsSerializePwdData(input, pwd.getPassword().data(), pwd.getPassword().size(),
619 pwd.getIV().data(), pwd.getIV().size(),
620 pwd.getTag().data(), pwd.getTag().size(),
621 Params::DERIVED_KEY_LENGTH_BITS,
622 Params::DERIVED_KEY_ITERATIONS,
625 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize password data for TZ crypto operation: ", ret);
628 ret = KM_ParamsSerializeIVData(input, iv.data(), iv.size());
630 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize IV data for TZ crypto operation: ", ret);
633 ret = KM_ParamsSerializeKeyId(input, keyId.data(), keyId.size());
635 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key id data for TZ crypto operation: ", ret);
638 ret = KM_ParamsSerializeAEData(input, tagSizeBits, 0, aad.data(), aad.size());
640 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize auth data for TZ crypto operation: ", ret);
644 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
645 TEEC_MEMREF_WHOLE, TEEC_NONE);
646 op.params[0].value.a = ALGO_AES_GCM;
647 op.params[1].memref.parent = inMemory.Get();
648 op.params[1].memref.offset = 0;
649 op.params[1].memref.size = inMemory.Get()->size;
650 op.params[2].memref.parent = outMemory.Get();
651 op.params[2].memref.offset = 0;
652 op.params[2].memref.size = outMemory.Get()->size;
653 Execute(CMD_ENCRYPT, &op);
655 KM_SymmetricInput* output = nullptr;
656 ret = KM_ParamsDeserializationInit(outMemory.Get()->buffer, outMemory.Get()->size, &output);
658 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize output data deserialization: ", ret);
661 KM_OutData* outData = nullptr;
662 ret = KM_ParamsDeserializeOutData(output, &outData);
664 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize output data: ", ret);
667 KM_TagData* tagData = nullptr;
668 ret = KM_ParamsDeserializeTagData(output, &tagData);
670 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize tag data: ", ret);
673 out.resize(outData->data_size);
674 memcpy(out.data(), outData->data, outData->data_size);
676 if (tagData->data_size) {
677 tag.resize(tagData->data_size);
678 memcpy(tag.data(), tagData->data, tagData->data_size);
682 void TrustZoneContext::executeDecryptAE(const RawBuffer &keyId,
686 const RawBuffer &tag,
687 const RawBuffer &aad,
688 const RawBuffer &data,
691 // command ID = CMD_DECRYPT (from km_ta_defines.h)
693 // TEEC_Operation layout:
695 // [0].value.a - keyid
696 // [0].value.b - algo
697 // [1].memref - input data (serialized key/input/iv/tag/aad)
699 // [0].value.a - output size
700 // [2].memref - output (decrypted data)
702 if (keyId.size() != KM_KEY_ID_SIZE) {
703 ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer");
706 KM_BufferSizeDesc bufSize;
708 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
709 bufSize.input_size = static_cast<uint32_t>(data.size());
710 bufSize.with_pwd_data = true;
711 bufSize.pwd_size = static_cast<uint32_t>(pwd.getPassword().size());
712 bufSize.pwd_iv_size = static_cast<uint32_t>(pwd.getIV().size());
713 bufSize.pwd_tag_size = static_cast<uint32_t>(pwd.getTag().size());
714 bufSize.iv_size = static_cast<uint32_t>(iv.size());
715 bufSize.key_id_size = static_cast<uint32_t>(keyId.size());
716 bufSize.with_ae_data = true;
717 bufSize.aad_size = static_cast<uint32_t>(aad.size());
718 bufSize.tag_size = static_cast<uint32_t>(tag.size());
719 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
720 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
722 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
723 bufSize.out_size = static_cast<uint32_t>(data.size());
724 uint32_t outMemorySize = KM_CalcBufferSize(bufSize);
725 TrustZoneMemory outMemory(m_Context, outMemorySize, TEEC_MEM_OUTPUT);
727 KM_SymmetricInput* input = nullptr;
728 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
730 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for TZ crypto operations");
733 ret = KM_ParamsSerializeInputData(input, data.data(), data.size());
735 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize input data for TZ crypto operation: ", ret);
738 uint32_t pwdTagSizeBits = pwd.getTag().size() * 8;
739 ret = KM_ParamsSerializePwdData(input, pwd.getPassword().data(), pwd.getPassword().size(),
740 pwd.getIV().data(), pwd.getIV().size(),
741 pwd.getTag().data(), pwd.getTag().size(),
742 Params::DERIVED_KEY_LENGTH_BITS,
743 Params::DERIVED_KEY_ITERATIONS,
746 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize password data for TZ crypto operation: ", ret);
749 ret = KM_ParamsSerializeIVData(input, iv.data(), iv.size());
751 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize IV data for TZ crypto operation: ", ret);
754 ret = KM_ParamsSerializeKeyId(input, keyId.data(), keyId.size());
756 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key id data for TZ crypto operation: ", ret);
759 ret = KM_ParamsSerializeAEData(input, tagSizeBits, 0, aad.data(), aad.size());
761 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize auth data for TZ crypto operation: ", ret);
764 ret = KM_ParamsSerializeTagData(input, tag.data(), tag.size());
766 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize tag data for TZ crypto operation: ", ret);
770 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
771 TEEC_MEMREF_WHOLE, TEEC_NONE);
772 op.params[0].value.a = ALGO_AES_GCM;
773 op.params[1].memref.parent = inMemory.Get();
774 op.params[1].memref.offset = 0;
775 op.params[1].memref.size = inMemory.Get()->size;
776 op.params[2].memref.parent = outMemory.Get();
777 op.params[2].memref.offset = 0;
778 op.params[2].memref.size = outMemory.Get()->size;
779 Execute(CMD_DECRYPT, &op);
781 KM_SymmetricInput* output = nullptr;
782 ret = KM_ParamsDeserializationInit(outMemory.Get()->buffer, outMemory.Get()->size, &output);
784 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize output data deserialization: ", ret);
787 KM_OutData* outData = nullptr;
788 ret = KM_ParamsDeserializeOutData(output, &outData);
790 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize output data: ", ret);
793 out.resize(outData->data_size);
794 memcpy(out.data(), outData->data, outData->data_size);
797 void TrustZoneContext::executeSign(tz_algo_type algo,
799 const RawBuffer &keyId,
801 const RawBuffer &message,
802 RawBuffer &signature)
804 // command ID = CMD_SIGN (from km_ta_defines.h)
806 // TEEC_Operation layout:
808 // [0].value.a - algorithm type (tz_algo_type)
809 // [0].value.b - hash type (tz_hash_type)
810 // [1].memref - reference to serialized buffer:
811 // KM_ParamsSerializeInputData with data to sign
812 // KM_ParamsSerializeKeyId with key id
814 // [0].value.a - return code
815 // [2].memref - reference to serialized buffer:
816 // KM_ParamsSerializeOutData with signature data
818 if (keyId.size() != KM_KEY_ID_SIZE) {
819 ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer (size = "
820 + std::to_string(keyId.size()) + ")");
823 KM_BufferSizeDesc bufSize;
825 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
826 bufSize.input_size = static_cast<uint32_t>(message.size());
827 bufSize.with_pwd_data = true;
828 bufSize.pwd_size = static_cast<uint32_t>(pwd.getPassword().size());
829 bufSize.pwd_iv_size = static_cast<uint32_t>(pwd.getIV().size());
830 bufSize.pwd_tag_size = static_cast<uint32_t>(pwd.getTag().size());
831 bufSize.key_id_size = static_cast<uint32_t>(keyId.size());
832 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
833 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
835 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
836 bufSize.out_size = MAX_KEY_SIZE.at(algo);
837 uint32_t outMemorySize = KM_CalcBufferSize(bufSize);
838 TrustZoneMemory outMemory(m_Context, outMemorySize, TEEC_MEM_OUTPUT);
840 KM_SymmetricInput* input = nullptr;
841 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
843 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for TZ sign operations");
846 ret = KM_ParamsSerializeInputData(input, message.data(), message.size());
848 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize input data for TZ sign operation: ", ret);
851 uint32_t pwdTagSizeBits = pwd.getTag().size() * 8;
852 ret = KM_ParamsSerializePwdData(input, pwd.getPassword().data(), pwd.getPassword().size(),
853 pwd.getIV().data(), pwd.getIV().size(),
854 pwd.getTag().data(), pwd.getTag().size(),
855 Params::DERIVED_KEY_LENGTH_BITS,
856 Params::DERIVED_KEY_ITERATIONS,
859 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize password data for TZ sign operation: ", ret);
862 ret = KM_ParamsSerializeKeyId(input, keyId.data(), keyId.size());
864 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key id data for TZ sign operation: ", ret);
868 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
869 TEEC_MEMREF_WHOLE, TEEC_NONE);
870 op.params[0].value.a = algo;
871 op.params[0].value.b = hash;
872 op.params[1].memref.parent = inMemory.Get();
873 op.params[1].memref.offset = 0;
874 op.params[1].memref.size = inMemory.Get()->size;
875 op.params[2].memref.parent = outMemory.Get();
876 op.params[2].memref.offset = 0;
877 op.params[2].memref.size = outMemory.Get()->size;
878 Execute(CMD_SIGN, &op);
880 KM_SymmetricInput* output = nullptr;
881 ret = KM_ParamsDeserializationInit(outMemory.Get()->buffer, outMemory.Get()->size, &output);
883 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize output data deserialization: ", ret);
886 KM_OutData* outData = nullptr;
887 ret = KM_ParamsDeserializeOutData(output, &outData);
889 ThrowErr(Exc::Crypto::InternalError, "Failed to deserialize output data: ", ret);
892 signature.resize(outData->data_size);
893 memcpy(signature.data(), outData->data, outData->data_size);
896 int TrustZoneContext::executeVerify(tz_algo_type algo,
898 const RawBuffer &keyId,
900 const RawBuffer &message,
901 const RawBuffer &signature)
903 // command ID = CMD_VERIFY (from km_ta_defines.h)
905 // TEEC_Operation layout:
907 // [0].value.a - algorithm type (tz_algo_type)
908 // [0].value.b - hash type (tz_hash_type)
909 // [1].memref - reference to serialized buffer:
910 // KM_ParamsSerializeInputData with verify data (signature hidden in Tag data)
911 // KM_ParamsSerializeKeyId with key id
913 // [0].value.a - return code
915 if (keyId.size() != KM_KEY_ID_SIZE) {
916 ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer (size = "
917 + std::to_string(keyId.size()) + ")");
920 KM_BufferSizeDesc bufSize;
922 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
923 bufSize.input_size = static_cast<uint32_t>(message.size());
924 bufSize.with_pwd_data = true;
925 bufSize.pwd_size = static_cast<uint32_t>(pwd.getPassword().size());
926 bufSize.pwd_iv_size = static_cast<uint32_t>(pwd.getIV().size());
927 bufSize.pwd_tag_size = static_cast<uint32_t>(pwd.getTag().size());
928 bufSize.key_id_size = static_cast<uint32_t>(keyId.size());
929 bufSize.tag_size = static_cast<uint32_t>(signature.size());
930 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
931 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
933 KM_SymmetricInput* input = nullptr;
934 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
936 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization for TZ sign operations");
939 ret = KM_ParamsSerializeInputData(input, message.data(), message.size());
941 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize input data for TZ sign operation: ", ret);
944 uint32_t pwdTagSizeBits = pwd.getTag().size() * 8;
945 ret = KM_ParamsSerializePwdData(input, pwd.getPassword().data(), pwd.getPassword().size(),
946 pwd.getIV().data(), pwd.getIV().size(),
947 pwd.getTag().data(), pwd.getTag().size(),
948 Params::DERIVED_KEY_LENGTH_BITS,
949 Params::DERIVED_KEY_ITERATIONS,
952 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize password data for TZ sign operation: ", ret);
955 ret = KM_ParamsSerializeKeyId(input, keyId.data(), keyId.size());
957 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key id data for TZ sign operation: ", ret);
960 ret = KM_ParamsSerializeTagData(input, signature.data(), signature.size());
962 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize signature data for TZ sign operation: ", ret);
966 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
967 TEEC_NONE, TEEC_NONE);
968 op.params[0].value.a = algo;
969 op.params[0].value.b = hash;
970 op.params[1].memref.parent = inMemory.Get();
971 op.params[1].memref.offset = 0;
972 op.params[1].memref.size = inMemory.Get()->size;
973 Execute(CMD_VERIFY, &op);
975 int opRet = op.params[0].value.a;
978 return CKM_API_SUCCESS;
979 case KM_TA_ERROR_SIGNATURE:
980 LogWarning("Signature verification failed");
981 return CKM_API_ERROR_VERIFICATION_FAILED;
983 assert(false); // This condition should be checked inside Execute() function
984 ThrowErr(Exc::Crypto::InternalError, "Unknown TA error during operation: ", opRet);
988 void TrustZoneContext::executeDestroy(const RawBuffer &keyId)
990 // command ID = CMD_DESTROY_KEY (from km_ta_defines.h)
992 // TEEC_Operation layout:
994 // [1].memref - input data (serialized key ID)
996 // [0].value.a - return code
998 if (keyId.size() != KM_KEY_ID_SIZE) {
999 ThrowErr(Exc::Crypto::InternalError, "TZ Backend received incorrect key buffer");
1002 KM_BufferSizeDesc bufSize;
1004 memset(&bufSize, 0, sizeof(KM_BufferSizeDesc));
1005 bufSize.key_id_size = static_cast<uint32_t>(keyId.size());
1006 uint32_t inMemorySize = KM_CalcBufferSize(bufSize);
1007 TrustZoneMemory inMemory(m_Context, inMemorySize, TEEC_MEM_INPUT);
1009 KM_SymmetricInput* input = nullptr;
1010 int ret = KM_ParamsSerializationInit(inMemory.Get()->buffer, inMemory.Get()->size, &input);
1012 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize data serialization: ", ret);
1015 ret = KM_ParamsSerializeInputData(input, keyId.data(), keyId.size());
1017 ThrowErr(Exc::Crypto::InternalError, "Failed to serialize key ID to destroy: ", ret);
1021 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_OUTPUT, TEEC_MEMREF_WHOLE,
1022 TEEC_NONE, TEEC_NONE);
1023 op.params[1].memref.parent = inMemory.Get();
1024 op.params[1].memref.offset = 0;
1025 op.params[1].memref.size = inMemory.Get()->size;
1026 Execute(CMD_DESTROY_KEY, &op);
1029 void TrustZoneContext::importData(
1030 const uint32_t dataType,
1031 const RawBuffer &data,
1032 const Crypto::EncryptionParams &encData,
1033 const RawBuffer &pwd,
1034 const RawBuffer &iv,
1035 const uint32_t keySizeBits,
1036 const uint32_t pwdTagSizeBits,
1040 // command ID = CMD_IMPORT_DATA
1042 // [1].memref - reference to serialized buffer:
1043 // uint32_t dataType contains information about type stored as binary data
1044 // KM_BinaryData with binary data
1045 // uint32_t binary/key size in bits
1046 // KM_BinaryData IV for data decryption with built in key
1047 // KM_BinaryData TAG for data decryption with built in key
1048 // uint32_t boolean value - true if password is provided
1049 // KM_PwdData with password (optional)
1051 // [0].value.a - return code
1052 // [2].memref - reference to serialized buffer:
1053 // KM_BinaryData with data id
1054 // KM_BinaryData with tag id (optional, if password was provided)
1057 sIn.Push(new TZSerializableFlag(dataType));
1058 sIn.Push(new TZSerializableBinary(data));
1059 sIn.Push(new TZSerializableFlag(keySizeBits));
1060 sIn.Push(new TZSerializableBinary(encData.iv));
1061 sIn.Push(new TZSerializableBinary(encData.tag));
1063 uint32_t pwd_flag = pwd.empty() ? 0 : 1;
1064 sIn.Push(new TZSerializableFlag(pwd_flag));
1066 sIn.Push(new TZSerializablePwdData(pwd, iv, pwdTagSizeBits));
1068 TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
1069 sIn.Serialize(inMemory);
1073 sOut.Push(new TZSerializableBinary(KM_DATA_ID_SIZE));
1075 sOut.Push(new TZSerializableBinary(pwdTagSizeBits / 8));
1078 TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
1081 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
1082 TEEC_MEMREF_WHOLE, TEEC_NONE);
1083 op.params[1].memref.parent = inMemory.Get();
1084 op.params[1].memref.offset = 0;
1085 op.params[1].memref.size = inMemory.Get()->size;
1086 op.params[2].memref.parent = outMemory.Get();
1087 op.params[2].memref.offset = 0;
1088 op.params[2].memref.size = outMemory.Get()->size;
1090 Execute(CMD_IMPORT_DATA, &op);
1092 sOut.Deserialize(outMemory);
1098 LogDebug("Imported object ID is (hex): " << rawToHexString(dataId));
1101 void TrustZoneContext::GetDataSize(const RawBuffer &dataId, uint32_t &dataSize)
1103 // command ID = CMD_GET_DATA_SIZE
1104 // TA will decrypt data with password if provided
1106 // [1].memref - reference to serialized buffer:
1107 // KM_BinaryData with object ID
1109 // [0].value.a - return code
1110 // [0].value.b - size of buffer to be passed from CA
1111 LogDebug("Object ID (passed to CMD_GET_DATA_SIZE) is (hex): " << rawToHexString(dataId));
1114 sIn.Push(new TZSerializableBinary(dataId));
1116 TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
1117 sIn.Serialize(inMemory);
1120 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_OUTPUT, TEEC_MEMREF_WHOLE,
1121 TEEC_NONE, TEEC_NONE);
1123 op.params[1].memref.parent = inMemory.Get();
1124 op.params[1].memref.offset = 0;
1125 op.params[1].memref.size = inMemory.Get()->size;
1126 Execute(CMD_GET_DATA_SIZE, &op);
1127 dataSize = op.params[0].value.b;
1130 void TrustZoneContext::getData(const RawBuffer &dataId,
1134 // command ID = CMD_GET_DATA
1135 // TA will decrypt data with password if provided
1137 // [1].memref - reference to serialized buffer:
1138 // KM_BinaryData with object ID
1139 // uint32_t boolean value - true if password is provided
1140 // KM_PwdData with password (optional)
1142 // [0].value.a - return code
1143 // [2].memref - reference to serialized buffer:
1144 // KM_BinaryData with binary data
1145 LogDebug("Object ID (passed to CMD_GET_DATA) is (hex): " << rawToHexString(dataId));
1148 sIn.Push(new TZSerializableBinary(dataId));
1150 uint32_t pwd_flag = pwd.getPassword().empty() ? 0 : 1;
1151 sIn.Push(new TZSerializableFlag(pwd_flag));
1154 sIn.Push(new TZSerializablePwdData(pwd.getPassword(),
1156 Params::DEFAULT_AES_GCM_TAG_LEN_BITS,
1160 TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
1161 sIn.Serialize(inMemory);
1163 uint32_t data_size = 0;
1164 GetDataSize(dataId, data_size);
1167 sOut.Push(new TZSerializableBinary(data_size));
1168 TrustZoneMemory outMemory(m_Context, sOut.GetSize(), TEEC_MEM_OUTPUT);
1169 sOut.Serialize(outMemory);
1172 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT, TEEC_MEMREF_WHOLE,
1173 TEEC_MEMREF_WHOLE, TEEC_NONE);
1174 op.params[1].memref.parent = inMemory.Get();
1175 op.params[1].memref.offset = 0;
1176 op.params[1].memref.size = inMemory.Get()->size;
1177 op.params[2].memref.parent = outMemory.Get();
1178 op.params[2].memref.offset = 0;
1179 op.params[2].memref.size = outMemory.Get()->size;
1181 Execute(CMD_GET_DATA, &op);
1183 sOut.Deserialize(outMemory);
1188 void TrustZoneContext::destroyData(const RawBuffer &dataId)
1190 // command ID = CMD_DESTROY_DATA
1191 // TEEC_Operation parameters layout:
1193 // [1].memref - reference to serialized buffer:
1194 // KM_BinaryData with object ID
1196 // [0].value.a - return code
1197 LogDebug("Object ID (passed to CMD_GET_DATA) is (hex): " << rawToHexString(dataId));
1199 sIn.Push(new TZSerializableBinary(dataId));
1201 TrustZoneMemory inMemory(m_Context, sIn.GetSize(), TEEC_MEM_INPUT);
1202 sIn.Serialize(inMemory);
1205 op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_OUTPUT, TEEC_MEMREF_WHOLE,
1206 TEEC_NONE, TEEC_NONE);
1208 op.params[1].memref.parent = inMemory.Get();
1209 op.params[1].memref.offset = 0;
1210 op.params[1].memref.size = inMemory.Get()->size;
1211 Execute(CMD_DESTROY_DATA, &op);
1214 void TrustZoneContext::Initialize()
1220 op.paramTypes = TEEC_PARAM_TYPES(TEEC_NONE, TEEC_NONE, TEEC_NONE, TEEC_NONE);
1222 result = TEEC_InitializeContext(nullptr, &m_Context);
1223 if (result != TEEC_SUCCESS) {
1224 ThrowErr(Exc::Crypto::InternalError, "Failed to initialize TEE context: ", result);
1226 m_ContextInitialized = true;
1228 result = TEEC_OpenSession(&m_Context, &m_Session, &KEY_MANAGER_TA_UUID, 0, nullptr, &op, &retOrigin);
1229 if (result != TEEC_SUCCESS) {
1230 ThrowErr(Exc::Crypto::InternalError, "Failed to open session to Key Manager TA: ", result);
1232 m_SessionInitialized = true;
1235 void TrustZoneContext::Destroy()
1237 if (m_SessionInitialized) {
1238 TEEC_CloseSession(&m_Session);
1239 m_SessionInitialized = false;
1242 if (m_ContextInitialized) {
1243 TEEC_FinalizeContext(&m_Context);
1244 m_ContextInitialized = false;
1248 void TrustZoneContext::Reload()
1254 void TrustZoneContext::Execute(tz_command commandID, TEEC_Operation* op)
1256 uint32_t retOrigin = 0;
1257 LogDebug("Executing TZ operation " << commandID);
1259 TEEC_Result result = TEEC_InvokeCommand(&m_Session, static_cast<unsigned int>(commandID), op, &retOrigin);
1260 if (result != TEEC_SUCCESS) {
1262 case TEEC_ERROR_TARGET_DEAD:
1264 ThrowErr(Exc::Crypto::InternalError, "TA panicked while executing command ",
1265 static_cast<unsigned int>(commandID));
1266 case TEEC_ERROR_BAD_PARAMETERS:
1267 ThrowErr(Exc::Crypto::InputParam, "Incorrect parameters provided to TA");
1269 ThrowErr(Exc::Crypto::InternalError, "TA failed to invoke command ",
1270 static_cast<unsigned int>(commandID), " with error: ", std::hex,
1271 static_cast<unsigned int>(result), " with origin: ", std::hex,
1276 int ta_ret = op->params[0].value.a;
1279 case KM_TA_ERROR_SIGNATURE:
1281 case KM_TA_ERROR_AUTH_FAILED:
1282 // Authentication cipher failed - notify with proper exception
1283 ThrowErr(Exc::AuthenticationFailed, "Crypto operation authentication failed");
1285 ThrowErr(Exc::Crypto::InternalError, "Unknown TA error during operation: ", ta_ret);
1289 } // namespace Internals
1291 } // namespace Crypto