From: Jakub Wlostowski Date: Wed, 26 Mar 2025 10:33:06 +0000 (+0100) Subject: Fix key-manager-ta dependency X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=85335687d588ba8357a6e5dc0dec41bcdade2925;p=platform%2Fhal%2Fbackend%2Femulator%2Fsecurity-keys.git Fix key-manager-ta dependency Change-Id: I47af1c567f9acfc574efb87a1fe2e7af451b101f --- diff --git a/packaging/hal-backend-security-keys.spec b/packaging/hal-backend-security-keys.spec index fb0d8b5..47e3455 100644 --- a/packaging/hal-backend-security-keys.spec +++ b/packaging/hal-backend-security-keys.spec @@ -12,8 +12,6 @@ Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig # FIXME -BuildRequires: key-manager-ta-devel -BuildRequires: key-manager-ta-serialization-devel BuildRequires: pkgconfig(tef-libteec) # Disable hal-rootstrap-checker in order to use key-manager-ta %define disable_hal_rootstrap_checker 1 diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index a0181f5..a8906de 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -29,16 +29,16 @@ LINK_DIRECTORIES(${ROOTSTRAP_LIBRARY_DIRS}) PKG_CHECK_MODULES(SECURITY_KEYS_DEPS REQUIRED tef-libteec) INCLUDE_DIRECTORIES(SYSTEM ${SECURITY_KEYS_DEPS_INCLUDE_DIRS}) LINK_DIRECTORIES(${SECURITY_KEYS_DEPS_LIBRARY_DIRS}) -SET(KM_LINK_EXTRA_DEPS km_serialization) ADD_LIBRARY(${PROJECT_NAME} SHARED hal-backend-security-keys-api.cpp tz-memory.cpp tz-serializer.cpp - log.cpp) + log.cpp + km_serialization.cpp) TARGET_LINK_LIBRARIES(${PROJECT_NAME} ${ROOTSTRAP_LIBRARIES} -ldlog - ${SECURITY_KEYS_DEPS_LIBRARIES} ${KM_LINK_EXTRA_DEPS}) + ${SECURITY_KEYS_DEPS_LIBRARIES}) SET_TARGET_PROPERTIES(${PROJECT_NAME} PROPERTIES diff --git a/src/hal-backend-security-keys-api.cpp b/src/hal-backend-security-keys-api.cpp index 6de8b51..cba6638 100644 --- a/src/hal-backend-security-keys-api.cpp +++ b/src/hal-backend-security-keys-api.cpp @@ -24,12 +24,12 @@ #include #include #include -#include #include #include "crypto-params.h" #include "log.h" #include "tz-memory.h" +#include "km_ta_defines.h" #include "tz-serializer.h" #define EXPORT __attribute__ ((visibility("default"))) diff --git a/src/km_serialization.cpp b/src/km_serialization.cpp new file mode 100644 index 0000000..59589fb --- /dev/null +++ b/src/km_serialization.cpp @@ -0,0 +1,229 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#include +#include +#include +#include "log.h" +#include "km_serialization.h" + +int KM_Serialize(void **buffer, + uint32_t *size_guard, + const void *data_to_serialize, + uint32_t size_to_serialize) +{ + unsigned char **ptr = (unsigned char **)buffer; + if (!buffer || !(*ptr) || !size_guard) { + LOGE("Invalid usage of serialization."); + return -2; + } + + if (*size_guard < size_to_serialize + sizeof(size_to_serialize)) { + LOGE("Cannot serialize - buffer too small."); + return -1; + } + + memcpy(*ptr, &size_to_serialize, sizeof(size_to_serialize)); + *ptr += sizeof(size_to_serialize); + if (data_to_serialize != NULL) { + memcpy(*ptr, data_to_serialize, size_to_serialize); + } + /** + * else - its not an error; it will be used to prepare output buffer of given size, + * but (on CA side), there will be no content yet + */ + *ptr += size_to_serialize; + *size_guard -= size_to_serialize + sizeof(size_to_serialize); + + return 0; +} + +int KM_SerializeFlag(void **buffer, + uint32_t *size_guard, + uint32_t flag) +{ + unsigned char **ptr = (unsigned char **)buffer; + if (!buffer || !(*ptr) || !size_guard) { + LOGE("Invalid usage of serialization."); + return -2; + } + + if (*size_guard < sizeof(flag)) { + LOGE("Cannot serialize - buffer too small."); + return -1; + } + + memcpy(*ptr, &flag, sizeof(flag)); + *ptr += sizeof(flag); + *size_guard -= sizeof(flag); + + return 0; +} + +int KM_SerializeBinaryData(void **buffer, + uint32_t *size_guard, + const KM_BinaryData *data) +{ + if (!data) { + LOGE("Invalid usage of serialization."); + return -1; + } + + return KM_Serialize(buffer, size_guard, data->data, data->data_size); +} + +int KM_SerializePwdDataRaw(void **buffer, + uint32_t *size_guard, + const void *pwd, + uint32_t pwd_size, + const void *iv, + uint32_t iv_size, + const void *tag, + uint32_t tag_size, + uint32_t derive_len_bits, + uint32_t it_count, + uint32_t tag_len_bits) +{ + if (KM_Serialize(buffer, size_guard, pwd, pwd_size)) + return -2; + if (KM_Serialize(buffer, size_guard, iv, iv_size)) + return -3; + if (KM_Serialize(buffer, size_guard, tag, tag_size)) + return -4; + if (KM_SerializeFlag(buffer, size_guard, derive_len_bits)) + return -5; + if (KM_SerializeFlag(buffer, size_guard, it_count)) + return -6; + if (KM_SerializeFlag(buffer, size_guard, tag_len_bits)) + return -7; + + return 0; +} + +int KM_SerializePwdData(void **buffer, + uint32_t *size_guard, + const KM_PwdData *data) +{ + if (!data) { + LOGE("Invalid usage of serialization."); + return -1; + } + + return KM_SerializePwdDataRaw(buffer, size_guard, data->pwd, data->pwd_size, + data->iv, data->iv_size, data->tag, data->tag_size, + data->derive_len_bits, data->it_count, data->tag_len_bits); +} + +/** + * Doesn't copy memory, just sets destination structure/data pointer properly & + * moves 'buffer' accordingly for further deserialization + */ +int KM_Deserialize(void **buffer, + uint32_t *size_guard, + void **destination_location, + uint32_t *size_to_deserialize) +{ + unsigned char **ptr = (unsigned char **)buffer; + unsigned char **ptr_dest = (unsigned char **)destination_location; + if (!buffer || !(*ptr)|| !size_guard || !destination_location || !size_to_deserialize) { + LOGE("Invalid usage of deserialization."); + return -2; + } + + if (*size_guard < sizeof(*size_to_deserialize)) { + LOGE("Cannot deserialize data, not enough data in the buffer."); + return -3; + } + + memcpy(size_to_deserialize, *ptr, sizeof(*size_to_deserialize)); + *size_guard -= sizeof(*size_to_deserialize); + if (*size_guard < *size_to_deserialize) { + LOGE("Cannot deserialize data, not enough data in the buffer."); + return -4; + } + + *ptr += sizeof(*size_to_deserialize); + *ptr_dest = *ptr; + *ptr += *size_to_deserialize; + *size_guard -= *size_to_deserialize; + + return 0; +} + +int KM_DeserializeFlag(void **buffer, + uint32_t *size_guard, + uint32_t *flag) +{ + unsigned char **ptr = (unsigned char **)buffer; + if (!buffer || !(*ptr)|| !size_guard || !flag) { + LOGE("Invalid usage of deserialization."); + return -1; + } + + if (*size_guard < sizeof(*flag)) { + LOGE("Cannot deserialize data, not enough data in the buffer."); + return -2; + } + + memcpy(flag, *ptr, sizeof(*flag)); + *ptr += sizeof(*flag); + *size_guard -= sizeof(*flag); + + return 0; +} + +int KM_DeserializeBinaryData(void **buffer, + uint32_t *size_guard, + KM_BinaryData *data) +{ + if (!data) { + LOGE("Invalid usage of deserialization."); + return -1; + } + + data->data = NULL; + data->data_size = 0; + + return KM_Deserialize(buffer, size_guard, &(data->data), &(data->data_size)); +} + +uint32_t KM_SizeOfFlag(void) +{ + return sizeof(uint32_t); +} + +uint32_t KM_SizeOfBinaryData(KM_BinaryData* data) +{ + if (!data) { + LOGE("Invalid usage of serialization KM_SizeOf*."); + return 0; + } + + return data->data_size + sizeof(data->data_size); +} + +uint32_t KM_SizeOfPwdData(KM_PwdData* data) +{ + if (!data) { + LOGE("Invalid usage of serialization KM_SizeOf*."); + return 0; + } + + return data->pwd_size + sizeof(data->pwd_size) + + data->iv_size + sizeof(data->iv_size) + + data->tag_size + sizeof(data->tag_size) + + KM_SizeOfFlag() * 3; +} diff --git a/src/km_serialization.h b/src/km_serialization.h new file mode 100644 index 0000000..488d145 --- /dev/null +++ b/src/km_serialization.h @@ -0,0 +1,112 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#pragma once + +#include + +#ifdef __cplusplus +extern "C" +{ +#endif + +/** + * Structure for storing data necessary to protect data with password. + */ +typedef struct { + uint32_t pwd_size; + uint32_t iv_size; + uint32_t tag_size; + uint32_t derive_len_bits; + uint32_t it_count; + uint32_t tag_len_bits; + void *pwd; + void *iv; + void *tag; +} KM_PwdData; + +/** + * Structure for storing serialization data & functions for storing arbitrary data. + */ +typedef struct { + uint32_t data_size; + void *data; +} KM_BinaryData; + +/** + * Below functions assume 'buffer' is already of proper size & size_guard contains + * number of bytes left in the buffer till its end; all functions copy memory to the buffer, + * move the 'buffer' pointer forward for further serialization & decrease size_guard if it's possible; + * return 0 on success, non-zero on error + */ +int KM_Serialize(void **buffer, + uint32_t *size_guard, + const void *data_to_serialize, + uint32_t size_to_serialize); + +int KM_SerializeFlag(void **buffer, + uint32_t *size_guard, + uint32_t flag); + +int KM_SerializeBinaryData(void **buffer, + uint32_t *size_guard, + const KM_BinaryData *data); + +int KM_SerializePwdDataRaw(void **buffer, + uint32_t *size_guard, + const void *pwd, + uint32_t pwd_size, + const void *iv, + uint32_t iv_size, + const void *tag, + uint32_t tag_size, + uint32_t derive_len_bits, + uint32_t it_count, + uint32_t tag_len_bits); + +int KM_SerializePwdData(void **buffer, + uint32_t *size_guard, + const KM_PwdData *data); + +/** + * Functions don't copy memory, just set destination structure/data pointer properly, + * move 'buffer' accordingly for further deserialization & decrease size_guard; + * only deserialization of a flag actually copies some data; + * return 0 on success, non-zero on error + */ +int KM_Deserialize(void **buffer, + uint32_t *size_guard, + void **destination_location, + uint32_t *size_to_deserialize); + +int KM_DeserializeFlag(void **buffer, + uint32_t *size_guard, + uint32_t *flag); + +int KM_DeserializeBinaryData(void **buffer, + uint32_t *size_guard, + KM_BinaryData *data); + +/** + * Functions related to size calculations - needed to calculate size of shared memory to be used for communication + */ +uint32_t KM_SizeOfFlag(void); +uint32_t KM_SizeOfBinaryData(KM_BinaryData* data); +uint32_t KM_SizeOfPwdData(KM_PwdData* data); + +#ifdef __cplusplus +} +#endif diff --git a/src/km_ta_defines.h b/src/km_ta_defines.h new file mode 100644 index 0000000..7ee3cf5 --- /dev/null +++ b/src/km_ta_defines.h @@ -0,0 +1,180 @@ +/* + * Copyright (c) 2025 Samsung Electronics Co., Ltd All Rights Reserved + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License + */ + +#pragma once + +/** + * Important - below definitions are copied from key-manager-ta and must remain coherent + */ + +/** + * Enumeration for commands that can be called from key-manager-ta. + */ +typedef enum { + CMD_NOP = 0, + CMD_GENERATE_KEY, /** Generate random symmetric key */ + CMD_IMPORT_ENCRYPTED_KEY, /** Key Manager TA import encrypted key from normal world. + Not implemented */ + CMD_ENCRYPT, /** TA encrypt provided data with key. + Form of encryption depends on algorithm type */ + CMD_DECRYPT, /** TA decrypt provided data with key + Form of decryption depends on algorithm type */ + CMD_SIGN, /** TA sign data. Only for ALGO_RSA_SV|ALGO_DSA_SV */ + CMD_VERIFY, /** TA verify signature. Only for ALGO_RSA_SV|ALGO_DSA_SV */ + CMD_GENERATE_IV, /** TA generate random IV */ + CMD_GENERATE_KEY_PWD, /** TA generate random key and encrypt it with password */ + CMD_DESTROY_KEY, /** TA destroy key from storage */ + CMD_IMPORT_DATA, /** Key Manager binary data saving to persistent storage + TA will encrypt data with password if provided */ + CMD_GET_DATA, /** Key Manager binary data retrieving from persistent storage + TA will decrypt data with password if provided */ + CMD_GET_DATA_SIZE, /** Key Manager binary data size to be retrieved from persistent storage */ + CMD_DESTROY_DATA, /** Key Manager binary data removal from persistent storage */ + CMD_GENERATE_RSA_KEYPAIR, /** Generate random RSA key pair */ + CMD_GENERATE_DSA_KEYPAIR, /** Generate random DSA key pair */ + CMD_GENERATE_EC_KEYPAIR, /** Generate random EC key pair */ + CMD_GENERATE_KEM_KEYPAIR, /** Generate random KEM key pair */ + CMD_DERIVE, /** Derive secret or key */ + CMD_DERIVE_HYBRID, /** Hybrid derive secret or key */ + CMD_IMPORT_WRAPPED_KEY, /** Import a wrapped key */ + CMD_EXPORT_WRAPPED_KEY, /** Export a key in a wrapped form */ + CMD_CIPHER_INIT, /** Initialize encryption/decryption context */ + CMD_CIPHER_INIT_AAD, /** Supply another AAD chunk for the context */ + CMD_CIPHER_UPDATE, /** Add a chunk of data for encryption/decryption */ + CMD_CIPHER_FINALIZE, /** Finish the encryption/decryption */ + CMD_CIPHER_CLEANUP, /** Release resources related to the context in the TA */ + CMD_GET_MAX_CHUNK_SIZE, /** Get maximum chunk size that can be passed to TA */ + CMD_WRAP_CONCATENATED_DATA, /** Wrap concatenated key|data with wrapping key and export */ + CMD_UNWRAP_CONCATENATED_DATA, /** Unwrap concatenated key|data with wrapping key, + import key and export data */ + CMD_ENCAPSULATE_KEY, /** Generate shared secret, encapsulate it and produce a ciphertext */ + CMD_DECAPSULATE_KEY, /** Decapsulate shared secret from the ciphertext and key */ +} tz_command; + +/** + * Enumeration for algorithms definitions. + * Algorithms with suffix GEN should be used to key generations. + * Algorithms with suffix SV should be used to data signing/verification with key. + * Algorithms with suffix DRV should be used for key/secret derivation. + * Other algorithms should be used to encryption/decrytpion. + */ +typedef enum { + ALGO_NONE = 0, /** None */ + ALGO_AES_CTR, /** AES CTR */ + ALGO_AES_CBC, /** AES CBC */ + ALGO_AES_GCM, /** AES GCM */ + ALGO_AES_CFB, /** AES CFB */ + ALGO_RSA, /** RSA */ + ALGO_AES_GEN, /** AES GEN */ + ALGO_RSA_GEN, /** RSA GEN */ + ALGO_DSA_GEN, /** DSA GEN */ + ALGO_ECDSA_GEN, /** ECDSA GEN */ + ALGO_KEM_GEN, /** KEM GEN */ + ALGO_RSA_SV, /** RSA SV */ + ALGO_DSA_SV, /** DSA SV */ + ALGO_ECDSA_SV, /** ECDSA SV */ + ALGO_ECDH_DRV, /** ECDH DRV */ + ALGO_KBKDF_DRV, /** KBKDF DRV */ +} tz_algo_type; + +/** + * Enumeration for hash function type. + */ +typedef enum { + HASH_SHA1, /** SHA1 */ + HASH_SHA256, /** SHA256 */ + HASH_SHA384, /** SHA384 */ + HASH_SHA512, /** SHA512 */ +} tz_hash_type; + +/** + * Enumeration for data type, that can be stored on TA side. + */ +typedef enum { + TYPE_GENERIC_SECRET, /** Generic secret */ + TYPE_SKEY, /** Symmetric key */ + TYPE_AKEY_PRIVATE_DSA, /** Private DSA key */ + TYPE_AKEY_PRIVATE_RSA, /** Private RSA key */ + TYPE_AKEY_PUBLIC_DSA, /** Public DSA key */ + TYPE_AKEY_PUBLIC_RSA, /** Public RSA key */ + TYPE_AKEY_PRIVATE_EC, /** Private EC key */ + TYPE_AKEY_PUBLIC_EC, /** Public EC key */ + TYPE_AKEY_PRIVATE_KEM, /** Private KEM key */ + TYPE_AKEY_PUBLIC_KEM, /** Public KEM key */ +} tz_data_type; + +/** + * Enumeration for elliptic curve type supported by TA side. + */ +typedef enum { + EC_NIST_P192, /** P192 */ + EC_NIST_P256, /** P256 */ + EC_NIST_P384, /** P384 */ +} tz_ec; + +/** + * Enumeration for KEM type supported by TA side. + */ +typedef enum { + ML_KEM_768, /** ML KEM 768 */ + ML_KEM_1024, /** ML KEM 1024 */ +} tz_kem; + +/** + * Enumeration for keyed pseudo random function type supported by TA side. + */ +typedef enum { + PRF_HMAC_SHA256, /** SHA256 */ + PRF_HMAC_SHA384, /** SHA384 */ + PRF_HMAC_SHA512, /** SHA512 */ +} tz_prf; + +/** + * Enumeration for KBKDF pseudo random function type supported by TA side. + */ +typedef enum { + KBKDF_MODE_COUNTER, /** Counter mode */ +} tz_kbkdf_mode; + +/** + * Enumeration for counter location type supported by TA side. + */ +typedef enum { + KBKDF_LOC_BEFORE_FIXED, /** Before fixed */ + KBKDF_LOC_AFTER_FIXED, /** After fixed */ + KBKDF_LOC_MIDDLE_FIXED, /** Middle fixed */ +} tz_kbkdf_ctr_loc; + +// This must be somehow confronted with TEE_OBJECT_ID_MAX_LEN +#define KM_KEY_ID_SIZE 64 + +// Maximum additional size required for encrypted data +#define KM_ENCRYPTION_OVERHEAD 16 +// Maximum RSA Block Size for encrypted data, in bytes, assumes max RSA key size is 4096 bits +#define KM_RSA_BLOCK_SIZE 512 + +// Errors +#define KM_TA_SUCCESS 0 +#define KM_TA_ERROR_GENERIC 1 +#define KM_TA_ERROR_AUTH_FAILED 2 +#define KM_TA_ERROR_SIGNATURE 3 + +// UUID +#define KM_TA_UUID { 0x00000000, 0x0000, 0x0000, { 0x00, 0x00, 0x66, 0x66, 0x66, 0x55, 0x55, 0x55} } + +// Encryption/decryption flag +#define CIPHER_ENCRYPT 1 +#define CIPHER_DECRYPT 0 diff --git a/src/tz-serializer.h b/src/tz-serializer.h index bff9588..b2898af 100644 --- a/src/tz-serializer.h +++ b/src/tz-serializer.h @@ -22,8 +22,8 @@ #include #include -#include +#include "km_serialization.h" #include "tz-memory.h" class TZSerializable {