Change Cryptocell target to a feature

Change the Cryptocell310 target to `FEATURE_CRYPTOCELL310`

features/cryptocell/FEATURE_CRYPTOCELL310/Readme.md

@@ -12,10 +12,9 @@ To port your CC 310 driver to Mbed OS on your specific target, do the following:
 
 1. In `targets.json` add the following  to your target:
  	* `MBEDTLS_CONFIG_HW_SUPPORT` to `macros_add` key. This instructs Mbed TLS to look for an alternative cryptographic implementation.
- 	* `CRYPTOCELL` to `device_has_add` key. Use this in your common code that you need to remove from compilation in case CC exists in your board. Use `#if !defined(DEVICE_CRYPTOCELL)` and  `#if defined(DEVICE_CRYPTOCELL)`.
- 	* `CRYPTOCELL310` to `extra_labels_add` key. The build system uses this to look for the CC 310 code and binaries.
-1. In `objects.h`, include `objects_cryptocell.h`. You can use the `DEVICE_CRYPTOCELL` precompilation check as defined above.
-1. In `features/mbedtls/targets/TARGET_CRYPTOCELL310/TARGET_<target name>`, add your platform-specific libraries for all toolchains in `TOOLCHAIN_ARM`, `TOOLCHAIN_GCC_ARM` and `TOOLCHAIN_IAR` respectively.
+ 	* `CRYPTOCELL310` to `feature`. Use this in your common code that you need to remove from compilation in case CC exists in your board. Use `#if !defined(FEATURE_CRYPTOCELL310)` and  `#if defined(FEATURE_CRYPTOCELL310)`.
+1. In `objects.h`, include `objects_cryptocell.h`. You can use the `FEATURE_CRYPTOCELL310` precompilation check as defined above.
+1. In `features/cryptocell/FEATURE_CRYPTOCELL310/TARGET_<target name>`, add your platform-specific libraries for all toolchains in `TOOLCHAIN_ARM`, `TOOLCHAIN_GCC_ARM` and `TOOLCHAIN_IAR` respectively.
 1. Add your CC setup code:
 	* Implement `cc_platform_setup()` and `cc_platform_terminate()` to enable CC on your platform, in case you have board-specific setup functionality, required for CC setup. These functions can be empty.
 	* Define `cc_platform_ctx` in `cc_platform.h` in a way that suits your implementation.

features/cryptocell/FEATURE_CRYPTOCELL310/cc_internal.h

@@ -106,7 +106,9 @@ typedef struct
  *             different standard tests to pass.
  *
  *
- * \param grp_id           The mbedtls mbedtls_ecp_group_id to convert
+ * \param mbedtls_rand      The mbedtls rnd context pointer
+ * \param outSizeBytes      The size of the output buffer
+ * \param out_ptr           Pointer to the output buffer
  *
  * \return     \c The corresponding CRYS_ECPKI_DomainID_t.
  *                CRYS_ECPKI_DomainID_OffMode if not recognized.

features/cryptocell/FEATURE_CRYPTOCELL310/ecdsa_alt.c.mod

@@ -0,0 +1,327 @@
+/*
+ *  ecdsa_alt.c
+ *
+ *  Copyright (C) 2018, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+#include "mbedtls/ecdsa.h"
+#include <string.h>
+#include "crys_ecpki_ecdsa.h"
+#include "crys_ecpki_build.h"
+#include "crys_common.h"
+#include "crys_ecpki_kg.h"
+#include "crys_ecpki_domain.h"
+#include "crys_ec_edw_api.h"
+#include "mbedtls/platform.h"
+#include "cc_internal.h"
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n ) {
+    volatile unsigned char *p = (unsigned char*)v;
+    while( n-- ) *p++ = 0;
+}
+
+
+static CRYS_ECPKI_HASH_OpMode_t message_size_to_hash_mode( size_t blen )
+{
+    CRYS_ECPKI_HASH_OpMode_t hash_mode;
+    switch( blen )
+    {
+    case CRYS_HASH_SHA1_DIGEST_SIZE_IN_WORDS*sizeof(uint32_t):
+            hash_mode = CRYS_ECPKI_AFTER_HASH_SHA1_mode;
+    break;
+    case CRYS_HASH_SHA224_DIGEST_SIZE_IN_WORDS*sizeof(uint32_t):
+            hash_mode = CRYS_ECPKI_AFTER_HASH_SHA224_mode;
+    break;
+    case CRYS_HASH_SHA256_DIGEST_SIZE_IN_WORDS*sizeof(uint32_t):
+            hash_mode = CRYS_ECPKI_AFTER_HASH_SHA256_mode;
+    break;
+    case CRYS_HASH_SHA384_DIGEST_SIZE_IN_WORDS*sizeof(uint32_t):
+            hash_mode = CRYS_ECPKI_AFTER_HASH_SHA384_mode;
+    break;
+    case CRYS_HASH_SHA512_DIGEST_SIZE_IN_WORDS*sizeof(uint32_t):
+            hash_mode = CRYS_ECPKI_AFTER_HASH_SHA512_mode;
+    break;
+    default:
+        hash_mode = CRYS_ECPKI_HASH_OpModeLast;
+    }
+
+    return hash_mode;
+}
+
+#if defined(MBEDTLS_ECDSA_SIGN_ALT)
+int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s,
+                const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+                int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret = 0;
+    CRYSError_t CrysRet = CRYS_OK;
+    void* pHeap = NULL;
+    size_t heapSize = 0;
+    uint8_t* pSignature = NULL;
+    CRYS_ECPKI_HASH_OpMode_t hash_mode = message_size_to_hash_mode( blen );
+    uint32_t signature_size =  ( ( grp->nbits + 7 ) / 8 ) *2;
+    const uint32_t signature_size_for_heap = signature_size;
+    mbedtls_rand_func_container cc_rand = { f_rng, p_rng };
+    const CRYS_ECPKI_Domain_t*  pDomain =  CRYS_ECPKI_GetEcDomain ( convert_mbedtls_grp_id_to_crys_domain_id( grp->id ) );
+
+    if( blen > 0xFFFFFFFF )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    if ( pDomain != NULL )
+    {
+        uint8_t temp_buf[ MAX_KEY_SIZE_IN_BYTES ] = {0};
+        cc_ecc_ws_sign_params_t* signParams = mbedtls_calloc( 1, sizeof(cc_ecc_ws_sign_params_t) );
+        if ( signParams == NULL)
+            return ( MBEDTLS_ERR_ECP_ALLOC_FAILED );
+        pHeap = signParams;
+        heapSize = sizeof(cc_ecc_ws_sign_params_t);
+
+        pSignature = mbedtls_calloc( 1, signature_size_for_heap );
+        if ( pSignature == NULL)
+        {
+            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( d, temp_buf, mbedtls_mpi_size( d ) ) );
+
+        CrysRet = CRYS_ECPKI_BuildPrivKey( pDomain,
+                                       temp_buf,
+                                       mbedtls_mpi_size( d ),
+                                       &signParams->privKey);
+        if( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            mbedtls_zeroize( temp_buf, sizeof(temp_buf) );
+            goto cleanup;
+        }
+
+        CrysRet =  CRYS_ECDSA_Sign( &cc_rand,
+                                convert_mbedtls_to_cc_rand,
+                                &signParams->signContext,
+                                &signParams->privKey,
+                                hash_mode,
+                                (uint8_t*)buf,
+                                blen,
+                                pSignature,
+                                &signature_size );
+        mbedtls_zeroize( temp_buf, sizeof(temp_buf) );
+        if( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            goto cleanup;
+        }
+
+    }
+    else
+    {
+        ret =  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+        goto cleanup;
+    }
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( r, pSignature, ( ( grp->nbits + 7 ) / 8 ) ) );
+
+    MBEDTLS_MPI_CHK( mbedtls_mpi_read_binary( s, pSignature + ( ( grp->nbits + 7 ) / 8 ), ( ( grp->nbits + 7 ) / 8 ) ) );
+
+
+cleanup:
+
+    if ( pHeap )
+    {
+        mbedtls_zeroize( pHeap, heapSize );
+        mbedtls_free( pHeap );
+    }
+
+    if( pSignature )
+    {
+        mbedtls_zeroize( pSignature, signature_size_for_heap );
+        mbedtls_free( pSignature );
+
+    }
+
+    return ( ret ) ;
+}
+#endif /* MBEDTLS_ECDSA_SIGN_ALT*/
+
+#if defined(MBEDTLS_ECDSA_VERIFY_ALT)
+//need to normalize the coordinates
+int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp,
+                  const unsigned char *buf, size_t blen,
+                  const mbedtls_ecp_point *Q, const mbedtls_mpi *r, const mbedtls_mpi *s)
+{
+    int ret = 0;
+    CRYSError_t CrysRet = CRYS_OK;
+    void* pHeap = NULL;
+    size_t heapSize = 0;
+    uint8_t * pSignature = NULL;
+    CRYS_ECPKI_HASH_OpMode_t hash_mode = message_size_to_hash_mode( blen );
+    size_t temp_size = 0;
+    uint32_t signature_size = ( ( grp->nbits + 7 ) / 8 ) * 2;
+    const CRYS_ECPKI_Domain_t*  pDomain =  CRYS_ECPKI_GetEcDomain ( convert_mbedtls_grp_id_to_crys_domain_id( grp->id ) );
+
+    if( blen > 0xFFFFFFFF )
+    {
+        ret = MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+        goto cleanup;
+    }
+
+    if ( pDomain )
+    {
+        uint8_t temp_buf[ 2*MAX_KEY_SIZE_IN_BYTES + 1 ] = {0};
+
+        cc_ecc_ws_verify_params_t* verifyParams = mbedtls_calloc( 1, sizeof(cc_ecc_ws_verify_params_t) );
+        if ( verifyParams == NULL)
+            return ( MBEDTLS_ERR_ECP_ALLOC_FAILED );
+        pHeap = verifyParams;
+        heapSize = sizeof(cc_ecc_ws_verify_params_t);
+
+        pSignature = mbedtls_calloc( 1, signature_size );
+        if ( pSignature == NULL)
+        {
+            ret = MBEDTLS_ERR_ECP_ALLOC_FAILED;
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_ecp_point_write_binary( grp, Q, MBEDTLS_ECP_PF_UNCOMPRESSED,
+                                        &temp_size, temp_buf, sizeof(temp_buf) ) );
+
+        CrysRet = CRYS_ECPKI_BuildPublKey(pDomain, temp_buf, temp_size, &verifyParams->pubKey);
+        if( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( r, pSignature, ( ( grp->nbits + 7 ) / 8 )  ) );
+        MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( s, pSignature + ( ( grp->nbits + 7 ) / 8 ), ( ( grp->nbits + 7 ) / 8 ) ) );
+        CrysRet =  CRYS_ECDSA_Verify ( &verifyParams->verifyContext,
+                                       &verifyParams->pubKey,
+                                       hash_mode,
+                                       pSignature,
+                                       signature_size,
+                                       (uint8_t*)buf,
+                                       blen );
+        if( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            goto cleanup;
+        }
+    }
+    else
+        ret =  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+cleanup:
+
+    if( pHeap )
+    {
+        mbedtls_zeroize( pHeap, heapSize );
+        mbedtls_free( pHeap );
+    }
+    if( pSignature )
+    {
+        mbedtls_zeroize( pSignature, signature_size );
+        mbedtls_free( pSignature );
+
+    }
+
+    return ret;
+}
+#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
+
+#if defined(MBEDTLS_ECDSA_GENKEY_ALT)
+int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid,
+                  int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
+{
+    int ret = 0;
+    CRYSError_t CrysRet = CRYS_OK;
+    void* pHeap = NULL;
+    size_t heapSize = 0;
+    uint32_t key_size = 2*MAX_KEY_SIZE_IN_BYTES + 1;
+    const CRYS_ECPKI_Domain_t*  pDomain =  CRYS_ECPKI_GetEcDomain ( convert_mbedtls_grp_id_to_crys_domain_id( gid ) );
+    mbedtls_rand_func_container cc_rand = { f_rng, p_rng };
+
+
+    if ( pDomain )
+    {
+        uint8_t temp_buf[ 2 * MAX_KEY_SIZE_IN_BYTES + 1 ] = {0};
+
+        cc_ecc_ws_keygen_params_t* kgParams =  mbedtls_calloc( 1, sizeof(cc_ecc_ws_keygen_params_t) );
+        if ( kgParams == NULL )
+            return ( MBEDTLS_ERR_ECP_ALLOC_FAILED );
+
+        pHeap = kgParams;
+        heapSize = sizeof(cc_ecc_ws_keygen_params_t);
+
+        CrysRet =  CRYS_ECPKI_GenKeyPair( &cc_rand, convert_mbedtls_to_cc_rand, pDomain,
+                                          &kgParams->privKey, &kgParams->pubKey,
+                                          &kgParams->kgTempData, NULL );
+        if ( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            goto cleanup;
+        }
+
+        MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &ctx->grp, gid ) );
+
+        CrysRet = CRYS_ECPKI_ExportPublKey( &kgParams->pubKey, CRYS_EC_PointUncompressed, temp_buf,  &key_size );
+        if ( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            goto cleanup;
+        }
+
+        ret = mbedtls_ecp_point_read_binary( &ctx->grp, &ctx->Q, temp_buf, key_size );
+        if ( ret != 0 )
+            goto cleanup;
+
+        memset ( temp_buf, 0 , sizeof(temp_buf) );
+
+        CrysRet = CRYS_COMMON_ConvertLswMswWordsToMsbLsbBytes( temp_buf, (ctx->grp.nbits+7)/8,
+                                                               kgParams->privKey.PrivKeyDbBuff,
+                                                               4*((((ctx->grp.nbits+7)/8)+3)/4) );
+        if ( CrysRet != CRYS_OK )
+        {
+            ret = convert_CrysError_to_mbedtls_err( CrysRet );
+            mbedtls_zeroize( temp_buf, sizeof(temp_buf) );
+            goto cleanup;
+        }
+
+        ret = mbedtls_mpi_read_binary( &ctx->d, temp_buf, (ctx->grp.nbits+7)/8 );
+        mbedtls_zeroize( temp_buf, sizeof(temp_buf) );
+        if ( ret != 0 )
+        {
+            goto cleanup;
+        }
+
+    }
+    else
+        ret =  MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
+
+
+cleanup:
+    if ( pHeap )
+    {
+        mbedtls_zeroize( pHeap, heapSize );
+        mbedtls_free ( pHeap );
+    }
+    return ( ret );
+}
+#endif /* MBEDTLS_ECDSA_GENKEY_ALT */

targets/TARGET_NORDIC/TARGET_NRF5x/TARGET_NRF52/objects.h

@@ -54,7 +54,7 @@ extern "C" {
 
 #include "nrf_uart.h"
 
-#if defined(DEVICE_CRYPTOCELL)
+#if defined(FEATURE_CRYPTOCELL310)
 #include "objects_cryptocell.h"
 #else
 struct trng_s {

targets/TARGET_NORDIC/TARGET_NRF5x/TARGET_NRF52/trng_api.c

@@ -37,7 +37,7 @@
  */
 
 #if defined(DEVICE_TRNG)
-#if !defined(DEVICE_CRYPTOCELL)
+#if !defined(FEATURE_CRYPTOCELL310)
 #include "hal/trng_api.h"
 #include "hal/critical_section_api.h"
 
@@ -119,5 +119,5 @@ int trng_get_bytes(trng_t *obj, uint8_t *output, size_t length, size_t *output_l
 
     return result;
 }
-#endif/* !DEVICE_CRYPTOCELL */
+#endif/* !FEATURE_CRYPTOCELL310 */
 #endif

targets/targets.json

@@ -3683,8 +3683,7 @@
         "supported_form_factors": ["ARDUINO"],
         "inherits": ["MCU_NRF52840"],
         "macros_add": ["MBEDTLS_CONFIG_HW_SUPPORT"],
-        "device_has_add": ["CRYPTOCELL"],
-        "extra_labels_add": ["CRYPTOCELL310"],
+        "features": ["CRYPTOCELL310"],
         "release_versions": ["5"],
         "device_name": "nRF52840_xxAA"
     },

tools/config/__init__.py

@@ -369,7 +369,7 @@ class Config(object):
 
     # Allowed features in configurations
     __allowed_features = [
-        "UVISOR", "BLE", "CLIENT", "IPV4", "LWIP", "COMMON_PAL", "STORAGE", "NANOSTACK",
+        "UVISOR", "BLE", "CLIENT", "IPV4", "LWIP", "COMMON_PAL", "STORAGE", "NANOSTACK","CRYPTOCELL310",
         # Nanostack configurations
         "LOWPAN_BORDER_ROUTER", "LOWPAN_HOST", "LOWPAN_ROUTER", "NANOSTACK_FULL", "THREAD_BORDER_ROUTER", "THREAD_END_DEVICE", "THREAD_ROUTER", "ETHERNET_HOST"
         ]