diff options
-rw-r--r-- | core/crypto.mk | 6 | ||||
-rw-r--r-- | core/crypto/crypto.c | 22 | ||||
-rw-r--r-- | core/include/crypto/crypto.h | 7 | ||||
-rw-r--r-- | core/lib/libtomcrypt/ecc.c | 3 | ||||
-rw-r--r-- | core/tee/tee_svc_cryp.c | 28 | ||||
-rw-r--r-- | lib/libutee/include/tee_api_defines.h | 3 | ||||
-rw-r--r-- | lib/libutee/include/utee_defines.h | 30 | ||||
-rw-r--r-- | lib/libutee/tee_api_operations.c | 2 |
8 files changed, 97 insertions, 4 deletions
diff --git a/core/crypto.mk b/core/crypto.mk index d7b5a074..0fdbac63 100644 --- a/core/crypto.mk +++ b/core/crypto.mk @@ -41,10 +41,14 @@ CFG_CRYPTO_DH ?= y CFG_CRYPTO_ECC ?= y ifeq ($(CFG_CRYPTOLIB_NAME),tomcrypt) CFG_CRYPTO_SM2_PKE ?= y +CFG_CRYPTO_SM2_DSA ?= y endif ifeq ($(CFG_CRYPTOLIB_NAME)-$(CFG_CRYPTO_SM2_PKE),mbedtls-y) $(error Error: CFG_CRYPTO_SM2_PKE=y requires CFG_CRYPTOLIB_NAME=tomcrypt) endif +ifeq ($(CFG_CRYPTOLIB_NAME)-$(CFG_CRYPTO_SM2_DSA),mbedtls-y) +$(error Error: CFG_CRYPTO_SM2_DSA=y requires CFG_CRYPTOLIB_NAME=tomcrypt) +endif # Authenticated encryption CFG_CRYPTO_CCM ?= y @@ -137,6 +141,7 @@ $(eval $(call cryp-dep-one, AES, ECB CBC CTR CTS XTS)) $(eval $(call cryp-dep-one, DES, ECB CBC)) # SM2 is Elliptic Curve Cryptography, it uses some generic ECC functions $(eval $(call cryp-dep-one, SM2_PKE, ECC)) +$(eval $(call cryp-dep-one, SM2_DSA, ECC)) ############################################################### # libtomcrypt (LTC) specifics, phase #1 @@ -168,6 +173,7 @@ core-ltc-vars += SHA1_ARM32_CE SHA1_ARM64_CE core-ltc-vars += SHA256_ARM32_CE SHA256_ARM64_CE core-ltc-vars += SIZE_OPTIMIZATION core-ltc-vars += SM2_PKE +core-ltc-vars += SM2_DSA # Assigned selected CFG_CRYPTO_xxx as _CFG_CORE_LTC_xxx $(foreach v, $(core-ltc-vars), $(eval _CFG_CORE_LTC_$(v) := $(CFG_CRYPTO_$(v)))) _CFG_CORE_LTC_MPI := $(CFG_CORE_MBEDTLS_MPI) diff --git a/core/crypto/crypto.c b/core/crypto/crypto.c index eeaa269b..578514da 100644 --- a/core/crypto/crypto.c +++ b/core/crypto/crypto.c @@ -711,3 +711,25 @@ TEE_Result crypto_acipher_sm2_pke_encrypt(struct ecc_public_key *key __unused, return TEE_ERROR_NOT_IMPLEMENTED; } #endif /* !CFG_CRYPTO_SM2_PKE */ + +#if !defined(CFG_CRYPTO_SM2_DSA) +TEE_Result crypto_acipher_sm2_dsa_sign(uint32_t algo __unused, + struct ecc_keypair *key __unused, + const uint8_t *msg __unused, + size_t msg_len __unused, + uint8_t *sig __unused, + size_t *sig_len __unused) +{ + return TEE_ERROR_NOT_IMPLEMENTED; +} + +TEE_Result crypto_acipher_sm2_dsa_verify(uint32_t algo __unused, + struct ecc_public_key *key __unused, + const uint8_t *msg __unused, + size_t msg_len __unused, + const uint8_t *sig __unused, + size_t sig_len __unused) +{ + return TEE_ERROR_NOT_IMPLEMENTED; +} +#endif /* !CFG_CRYPTO_SM2_DSA */ diff --git a/core/include/crypto/crypto.h b/core/include/crypto/crypto.h index 7da74461..e9138758 100644 --- a/core/include/crypto/crypto.h +++ b/core/include/crypto/crypto.h @@ -244,6 +244,13 @@ TEE_Result crypto_acipher_sm2_pke_decrypt(struct ecc_keypair *key, TEE_Result crypto_acipher_sm2_pke_encrypt(struct ecc_public_key *key, const uint8_t *src, size_t src_len, uint8_t *dst, size_t *dst_len); +TEE_Result crypto_acipher_sm2_dsa_sign(uint32_t algo, struct ecc_keypair *key, + const uint8_t *msg, size_t msg_len, + uint8_t *sig, size_t *sig_len); +TEE_Result crypto_acipher_sm2_dsa_verify(uint32_t algo, + struct ecc_public_key *key, + const uint8_t *msg, size_t msg_len, + const uint8_t *sig, size_t sig_len); /* * Verifies a SHA-256 hash, doesn't require crypto_init() to be called in diff --git a/core/lib/libtomcrypt/ecc.c b/core/lib/libtomcrypt/ecc.c index 051da77e..92d773af 100644 --- a/core/lib/libtomcrypt/ecc.c +++ b/core/lib/libtomcrypt/ecc.c @@ -128,7 +128,8 @@ static TEE_Result ecc_get_curve_info(uint32_t curve, uint32_t algo, size_bits = 256; size_bytes = 32; name = "SM2"; - if ((algo != 0) && (algo != TEE_ALG_SM2_PKE)) + if ((algo != 0) && (algo != TEE_ALG_SM2_PKE) && + (algo != TEE_ALG_SM2_DSA_SM3)) return TEE_ERROR_BAD_PARAMETERS; break; default: diff --git a/core/tee/tee_svc_cryp.c b/core/tee/tee_svc_cryp.c index 622fd299..17d8decf 100644 --- a/core/tee/tee_svc_cryp.c +++ b/core/tee/tee_svc_cryp.c @@ -487,6 +487,14 @@ static const struct tee_cryp_obj_type_props tee_cryp_obj_props[] = { sizeof(struct ecc_keypair), tee_cryp_obj_ecc_keypair_attrs), + PROP(TEE_TYPE_SM2_DSA_PUBLIC_KEY, 1, 256, 256, + sizeof(struct ecc_public_key), + tee_cryp_obj_ecc_pub_key_attrs), + + PROP(TEE_TYPE_SM2_DSA_KEYPAIR, 1, 256, 256, + sizeof(struct ecc_keypair), + tee_cryp_obj_ecc_keypair_attrs), + PROP(TEE_TYPE_SM2_PKE_PUBLIC_KEY, 1, 256, 256, sizeof(struct ecc_public_key), tee_cryp_obj_ecc_pub_key_attrs), @@ -1145,6 +1153,9 @@ TEE_Result tee_obj_attr_copy_from(struct tee_obj *o, const struct tee_obj *src) } else if (o->info.objectType == TEE_TYPE_ECDH_PUBLIC_KEY) { if (src->info.objectType != TEE_TYPE_ECDH_KEYPAIR) return TEE_ERROR_BAD_PARAMETERS; + } else if (o->info.objectType == TEE_TYPE_SM2_DSA_PUBLIC_KEY) { + if (src->info.objectType != TEE_TYPE_SM2_DSA_KEYPAIR) + return TEE_ERROR_BAD_PARAMETERS; } else if (o->info.objectType == TEE_TYPE_SM2_PKE_PUBLIC_KEY) { if (src->info.objectType != TEE_TYPE_SM2_PKE_KEYPAIR) return TEE_ERROR_BAD_PARAMETERS; @@ -1236,12 +1247,14 @@ TEE_Result tee_obj_set_type(struct tee_obj *o, uint32_t obj_type, break; case TEE_TYPE_ECDSA_PUBLIC_KEY: case TEE_TYPE_ECDH_PUBLIC_KEY: + case TEE_TYPE_SM2_DSA_PUBLIC_KEY: case TEE_TYPE_SM2_PKE_PUBLIC_KEY: res = crypto_acipher_alloc_ecc_public_key(o->attr, max_key_size); break; case TEE_TYPE_ECDSA_KEYPAIR: case TEE_TYPE_ECDH_KEYPAIR: + case TEE_TYPE_SM2_DSA_KEYPAIR: case TEE_TYPE_SM2_PKE_KEYPAIR: res = crypto_acipher_alloc_ecc_keypair(o->attr, max_key_size); break; @@ -2033,6 +2046,12 @@ static TEE_Result tee_svc_cryp_check_key_type(const struct tee_obj *o, else req_key_type = TEE_TYPE_SM2_PKE_KEYPAIR; break; + case TEE_MAIN_ALGO_SM2_DSA_SM3: + if (mode == TEE_MODE_VERIFY) + req_key_type = TEE_TYPE_SM2_DSA_PUBLIC_KEY; + else + req_key_type = TEE_TYPE_SM2_DSA_KEYPAIR; + break; #if defined(CFG_CRYPTO_HKDF) case TEE_MAIN_ALGO_HKDF: req_key_type = TEE_TYPE_HKDF_IKM; @@ -3505,6 +3524,10 @@ TEE_Result syscall_asymm_operate(unsigned long state, res = crypto_acipher_ecc_sign(cs->algo, o->attr, src_data, src_len, dst_data, &dlen); break; + case TEE_ALG_SM2_DSA_SM3: + res = crypto_acipher_sm2_dsa_sign(cs->algo, o->attr, src_data, + src_len, dst_data, &dlen); + break; default: res = TEE_ERROR_BAD_PARAMETERS; @@ -3628,6 +3651,11 @@ TEE_Result syscall_asymm_verify(unsigned long state, data_len, sig, sig_len); break; + case TEE_MAIN_ALGO_SM2_DSA_SM3: + res = crypto_acipher_sm2_dsa_verify(cs->algo, o->attr, data, + data_len, sig, sig_len); + break; + default: res = TEE_ERROR_NOT_SUPPORTED; } diff --git a/lib/libutee/include/tee_api_defines.h b/lib/libutee/include/tee_api_defines.h index d60c03be..fa64d3ad 100644 --- a/lib/libutee/include/tee_api_defines.h +++ b/lib/libutee/include/tee_api_defines.h @@ -161,6 +161,7 @@ #define TEE_ALG_DSA_SHA1 0x70002131 #define TEE_ALG_DSA_SHA224 0x70003131 #define TEE_ALG_DSA_SHA256 0x70004131 +#define TEE_ALG_SM2_DSA_SM3 0x70006045 #define TEE_ALG_DH_DERIVE_SHARED_SECRET 0x80000032 #define TEE_ALG_MD5 0x50000001 #define TEE_ALG_SHA1 0x50000002 @@ -221,6 +222,8 @@ #define TEE_TYPE_ECDSA_KEYPAIR 0xA1000041 #define TEE_TYPE_ECDH_PUBLIC_KEY 0xA0000042 #define TEE_TYPE_ECDH_KEYPAIR 0xA1000042 +#define TEE_TYPE_SM2_DSA_PUBLIC_KEY 0xA0000045 +#define TEE_TYPE_SM2_DSA_KEYPAIR 0xA1000045 #define TEE_TYPE_SM2_PKE_PUBLIC_KEY 0xA0000047 #define TEE_TYPE_SM2_PKE_KEYPAIR 0xA1000047 #define TEE_TYPE_GENERIC_SECRET 0xA0000000 diff --git a/lib/libutee/include/utee_defines.h b/lib/libutee/include/utee_defines.h index 6255d1b2..e442cb39 100644 --- a/lib/libutee/include/utee_defines.h +++ b/lib/libutee/include/utee_defines.h @@ -30,6 +30,7 @@ #define TEE_MAIN_ALGO_DH 0x32 #define TEE_MAIN_ALGO_ECDSA 0x41 #define TEE_MAIN_ALGO_ECDH 0x42 +#define TEE_MAIN_ALGO_SM2_DSA_SM3 0x45 /* Not in v1.2 spec */ #define TEE_MAIN_ALGO_SM2_PKE 0x47 /* Not in v1.2 spec */ #define TEE_MAIN_ALGO_HKDF 0xC0 /* OP-TEE extension */ #define TEE_MAIN_ALGO_CONCAT_KDF 0xC1 /* OP-TEE extension */ @@ -75,8 +76,24 @@ static inline uint32_t __tee_alg_get_main_alg(uint32_t algo) /* Bits [11:8] */ #define TEE_ALG_GET_CHAIN_MODE(algo) (((algo) >> 8) & 0xF) +/* + * Value not defined in the GP spec, and not used as bits 15-12 of any TEE_ALG* + * value. TEE_ALG_SM2_DSA_SM3 has value 0x6 for bits 15-12 which would yield the + * SHA512 digest if we were to apply the bit masks that were valid up to the TEE + * Internal Core API v1.1. + */ +#define __TEE_MAIN_HASH_SM3 0x7 + +static inline uint32_t __tee_alg_get_digest_hash(uint32_t algo) +{ + if (algo == TEE_ALG_SM2_DSA_SM3) + return __TEE_MAIN_HASH_SM3; + /* Bits [15:12] */ -#define TEE_ALG_GET_DIGEST_HASH(algo) (((algo) >> 12) & 0xF) + return (algo >> 12) & 0xF; +} + +#define TEE_ALG_GET_DIGEST_HASH(algo) __tee_alg_get_digest_hash(algo) /* Bits [23:20] */ #define TEE_ALG_GET_INTERNAL_HASH(algo) (((algo) >> 20) & 0x7) @@ -94,9 +111,16 @@ static inline uint32_t __tee_alg_get_key_type(uint32_t algo, bool with_priv) #define TEE_ALG_GET_KEY_TYPE(algo, with_private_key) \ __tee_alg_get_key_type(algo, with_private_key) +static inline uint32_t __tee_alg_hash_algo(uint32_t main_hash) +{ + if (main_hash == __TEE_MAIN_HASH_SM3) + return TEE_ALG_SM3; + + return (TEE_OPERATION_DIGEST << 28) | main_hash; +} + /* Return hash algorithm based on main hash */ -#define TEE_ALG_HASH_ALGO(main_hash) \ - (TEE_OPERATION_DIGEST << 28 | (main_hash)) +#define TEE_ALG_HASH_ALGO(main_hash) __tee_alg_hash_algo(main_hash) /* Extract internal hash and return hash algorithm */ #define TEE_INTERNAL_HASH_TO_ALGO(algo) \ diff --git a/lib/libutee/tee_api_operations.c b/lib/libutee/tee_api_operations.c index e3368f90..e8a9efbe 100644 --- a/lib/libutee/tee_api_operations.c +++ b/lib/libutee/tee_api_operations.c @@ -85,6 +85,7 @@ TEE_Result TEE_AllocateOperation(TEE_OperationHandle *operation, case TEE_ALG_ECDSA_P256: case TEE_ALG_ECDH_P256: case TEE_ALG_SM2_PKE: + case TEE_ALG_SM2_DSA_SM3: if (maxKeySize != 256) return TEE_ERROR_NOT_SUPPORTED; break; @@ -160,6 +161,7 @@ TEE_Result TEE_AllocateOperation(TEE_OperationHandle *operation, case TEE_ALG_ECDSA_P256: case TEE_ALG_ECDSA_P384: case TEE_ALG_ECDSA_P521: + case TEE_ALG_SM2_DSA_SM3: if (mode == TEE_MODE_SIGN) { with_private_key = true; req_key_usage = TEE_USAGE_SIGN; |