From 9979423e00aed884765682ef010785f798d97408 Mon Sep 17 00:00:00 2001 From: Jakub Wlostowski Date: Mon, 31 Mar 2025 16:24:09 +0200 Subject: [PATCH] Add SE backend functions Change-Id: Ic9310d381262417a2dd7f0cbf96fae58f7cfb7a6 --- src/crypto-params.h | 1 + src/hal-backend-security-keys-api.cpp | 77 +++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) diff --git a/src/crypto-params.h b/src/crypto-params.h index 4dcee71..7913958 100644 --- a/src/crypto-params.h +++ b/src/crypto-params.h @@ -29,4 +29,5 @@ public: static const int DERIVED_KEY_LENGTH_BITS = DERIVED_KEY_LENGTH * 8; // as above, in bits static const int DERIVED_KEY_ITERATIONS = 1024; // iteration count used to derive key static const uint32_t CIPHER_EXTRA_PADDING_SIZE = 16; //extra memory to add to output buffers for padding purposes + static const size_t DBP_KEY_SIZE = 32; // database protection key size in bytes }; \ No newline at end of file diff --git a/src/hal-backend-security-keys-api.cpp b/src/hal-backend-security-keys-api.cpp index cba6638..664f08d 100644 --- a/src/hal-backend-security-keys-api.cpp +++ b/src/hal-backend-security-keys-api.cpp @@ -24,6 +24,7 @@ #include #include #include +#include #include #include "crypto-params.h" @@ -39,6 +40,8 @@ namespace { // Identifier of our key-manager TA const TEEC_UUID KEY_MANAGER_TA_UUID = KM_TA_UUID; +static unsigned char* DBP_KEY = NULL; + tz_algo_type to_tz_algo_type(hal_security_keys_algo_type_e type) { switch (type) { @@ -1781,6 +1784,78 @@ int security_keys_get_max_chunk_size(const hal_security_keys_context_s context, EXCEPTION_GUARD_END } +int security_keys_create_key_dbp(const bool destroy_old) +{ + EXCEPTION_GUARD_START + + if (!destroy_old && DBP_KEY) + return HAL_SECURITY_KEYS_ERROR_NOT_PERMITTED; + + if (!DBP_KEY) { + DBP_KEY = (unsigned char*)calloc(Params::DBP_KEY_SIZE, sizeof(unsigned char)); + if (!DBP_KEY) + return HAL_SECURITY_KEYS_ERROR_OUT_OF_MEMORY; + } else { + memset(DBP_KEY, 0, Params::DBP_KEY_SIZE); + } + + memset(DBP_KEY, 1, Params::DBP_KEY_SIZE); + + return 0; + + EXCEPTION_GUARD_END +} + +int security_keys_encrypt_data_dbp(const hal_security_keys_dbp_scheme_version_e dbp_scheme_version, + const hal_security_keys_data_s data, + const hal_security_keys_data_s iv, + hal_security_keys_data_s* out) +{ + EXCEPTION_GUARD_START + + if (dbp_scheme_version != HAL_SECURITY_KEYS_DBP_SCHEME_VERSION_1) + return HAL_SECURITY_KEYS_ERROR_INVALID_PARAMETER; + + if (!DBP_KEY) + return HAL_SECURITY_KEYS_ERROR_NO_KEY; + + if (!data.buffer || data.length == 0 || data.length % AES_BLOCK_SIZE != 0 || + !iv.buffer || iv.length != AES_BLOCK_SIZE) + return HAL_SECURITY_KEYS_ERROR_INVALID_PARAMETER; + + AES_KEY aes_key; + int ret = AES_set_encrypt_key(DBP_KEY, Params::DBP_KEY_SIZE * 8, &aes_key); + if (ret != 0) { + LOGE("Failed setting AES encryption key: " << ret); + return HAL_SECURITY_KEYS_ERROR_INTERNAL_ERROR; + } + + unsigned char* iv_temp = (unsigned char*)malloc(iv.length); + if (!iv_temp) + return HAL_SECURITY_KEYS_ERROR_OUT_OF_MEMORY; + memcpy(iv_temp, iv.buffer, iv.length); + + out->buffer = (unsigned char*)malloc(data.length); + if (!(out->buffer)) { + free(iv_temp); + return HAL_SECURITY_KEYS_ERROR_OUT_OF_MEMORY; + } + out->length = data.length; + + AES_cbc_encrypt(data.buffer, + out->buffer, + data.length, + &aes_key, + iv_temp, + AES_ENCRYPT); + + free(iv_temp); + + return 0; + + EXCEPTION_GUARD_END +} + static int security_keys_backend_init(void **data) { hal_backend_security_keys_funcs *security_keys_funcs; @@ -1825,6 +1900,8 @@ static int security_keys_backend_init(void **data) security_keys_funcs->derive_kbkdf = security_keys_derive_kbkdf; security_keys_funcs->derive_hybrid_kbkdf = security_keys_derive_hybrid_kbkdf; security_keys_funcs->get_max_chunk_size = security_keys_get_max_chunk_size; + security_keys_funcs->create_key_dbp = security_keys_create_key_dbp; + security_keys_funcs->encrypt_data_dbp = security_keys_encrypt_data_dbp; return 0; } -- 2.34.1