Add entropy inject to spm

2018-11-21 17:12:27 +02:00 · 2018-11-21 17:12:27 +02:00 · bd47a8c2b8
parent f4581faab0
commit bd47a8c2b8
8 changed files with 148 additions and 21 deletions
--- a/components/TARGET_PSA/services/crypto/COMPONENT_PSA_SRV_IPC/psa_crypto_spm.c
+++ b/components/TARGET_PSA/services/crypto/COMPONENT_PSA_SRV_IPC/psa_crypto_spm.c
@ -917,7 +917,30 @@ psa_status_t psa_generate_random( uint8_t *output,
    return( ( psa_status_t ) err_call );
 }

+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+/****************************************************************/
+/* PSA_ENTROPY_INJECT */
+/****************************************************************/

+psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed,
+                                         size_t seed_size )
+{
+    psa_error_t err_call;
+    psa_handle_t handle = PSA_NULL_HANDLE;
+    psa_invec_t in_vec = { seed, seed_size };
+
+    handle = psa_connect( PSA_ENTROPY_ID, MINOR_VER );
+    if( handle <= 0 )
+        return ( PSA_ERROR_COMMUNICATION_FAILURE );
+
+    err_call = psa_call( handle, &in_vec, 1, NULL, 0 );
+    psa_close( handle );
+    if( err_call < 0 )
+        err_call = ( psa_error_t ) PSA_ERROR_COMMUNICATION_FAILURE;
+
+    return( ( psa_status_t ) err_call );
+}
+#endif
 /****************************************************************/
 /* PSA Generator */
 /****************************************************************/
--- a/components/TARGET_PSA/services/crypto/COMPONENT_SPE/crypto_spe.h
+++ b/components/TARGET_PSA/services/crypto/COMPONENT_SPE/crypto_spe.h
@ -58,6 +58,7 @@ extern "C" {
 #define mbedtls_psa_crypto_free  mbedtls_psa_sec_crypto_free
 #define psa_key_derivation  psa_sec_key_derivation
 #define psa_generator_abort  psa_sec_generator_abort
+#define mbedtls_psa_inject_entropy  mbedtls_psa_sec_inject_entropy

 #include "crypto.h"

--- a/components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_crypto_partition.c
+++ b/components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_crypto_partition.c
@ -8,6 +8,7 @@
 #include "crypto_spe.h"
 #include "crypto_platform_spe.h"
 #include "psa_psa_f_partition.h"
+#include "mbedtls/entropy.h"

 #if defined(MBEDTLS_PLATFORM_C)
 #include "mbedtls/platform.h"
@ -1114,6 +1115,57 @@ static void psa_key_management_operation( void )
    psa_reply( msg.handle, status );
 }

+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+static void psa_entropy_operation( void )
+{
+    psa_msg_t msg = { 0 };
+    psa_status_t status = PSA_SUCCESS;
+    psa_get( PSA_ENTROPY_INJECT, &msg );
+
+    switch ( msg.type )
+    {
+        case PSA_IPC_CONNECT:
+        {
+            break; /* do nothing */
+        }
+        case PSA_IPC_CALL:
+        {
+            uint32_t bytes_read;
+            size_t seed_size = msg.in_size[0];
+            if( MBEDTLS_ENTROPY_MAX_SEED_SIZE < seed_size )
+            {
+                status = PSA_ERROR_INVALID_ARGUMENT;
+                break;
+            }
+            unsigned char *seed = mbedtls_calloc( 1, seed_size );
+            if( seed == NULL )
+            {
+                status = PSA_ERROR_INSUFFICIENT_MEMORY;
+                break;
+            }
+            bytes_read = psa_read( msg.handle, 0, seed, seed_size );
+            if( bytes_read != seed_size )
+            {
+                SPM_PANIC("SPM read length mismatch");
+            }
+            status = mbedtls_psa_inject_entropy( seed, seed_size );
+            mbedtls_free( seed );
+            break;
+        }
+        case PSA_IPC_DISCONNECT:
+        {
+            break; /* do nothing */
+        }
+        default:
+        {
+            status = PSA_ERROR_NOT_SUPPORTED;
+            break;
+        }
+    }
+    psa_reply( msg.handle, status );
+}
+#endif
+
 static void psa_rng_operation( void )
 {
    psa_msg_t msg = { 0 };
@ -1378,5 +1430,11 @@ void part_main(void *ptr)
        {
            psa_crypto_generator_operations( );
        }
+#if defined(MBEDTLS_ENTROPY_NV_SEED)
+        if( signals & PSA_ENTROPY_INJECT )
+        {
+            psa_entropy_operation( );
+        }
+#endif /* MBEDTLS_ENTROPY_NV_SEED */
    }
 }
--- a/components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_psa_f_partition.c
+++ b/components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_psa_f_partition.c
@ -1,4 +1,6 @@
-/* Copyright (c) 2017 ARM Limited
+/* Copyright (c) 2017-2018 ARM Limited
+ *
+ * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -26,6 +28,7 @@
 #include "spm_internal.h"
 #include "psa_psa_f_partition.h"
 #include "psa_psa_f_ifs.h"
+#include "psa_its_ifs.h"


 /* Threads stacks */
@ -168,8 +171,27 @@ spm_rot_service_t psa_f_rot_services[PSA_F_ROT_SRV_COUNT] = {
            .tail = NULL
        }
    },
+    {
+        .sid = PSA_ENTROPY_ID,
+        .mask = PSA_ENTROPY_INJECT,
+        .partition = NULL,
+        .min_version = 1,
+        .min_version_policy = PSA_MINOR_VERSION_POLICY_STRICT,
+        .allow_nspe = true,
+        .queue = {
+            .head = NULL,
+            .tail = NULL
+        }
+    },
 };

+/* External SIDs used by PSA_F */
+const uint32_t psa_f_external_sids[4] = {
+    PSA_ITS_GET,
+    PSA_ITS_SET,
+    PSA_ITS_INFO,
+    PSA_ITS_REMOVE,
+};

 static osRtxMutex_t psa_f_mutex = {0};
 static const osMutexAttr_t psa_f_mutex_attr = {
--- a/components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_psa_f_partition.h
+++ b/components/TARGET_PSA/services/crypto/COMPONENT_SPE/psa_psa_f_partition.h
@ -1,4 +1,6 @@
-/* Copyright (c) 2017 ARM Limited
+/* Copyright (c) 2017-2018 ARM Limited
+ *
+ * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -24,8 +26,8 @@

 #define PSA_F_ID 35

-#define PSA_F_ROT_SRV_COUNT (10UL)
-#define PSA_F_EXT_ROT_SRV_COUNT (0UL)
+#define PSA_F_ROT_SRV_COUNT (11UL)
+#define PSA_F_EXT_ROT_SRV_COUNT (4UL)

 /* PSA_F event flags */
 #define PSA_F_RESERVED1_POS (1UL)
@ -56,6 +58,8 @@
 #define PSA_CRYPTO_FREE (1UL << PSA_CRYPTO_FREE_POS)
 #define PSA_GENERATOR_POS (13UL)
 #define PSA_GENERATOR (1UL << PSA_GENERATOR_POS)
+#define PSA_ENTROPY_INJECT_POS (14UL)
+#define PSA_ENTROPY_INJECT (1UL << PSA_ENTROPY_INJECT_POS)

 #define PSA_F_WAIT_ANY_SID_MSK (\
    PSA_CRYPTO_INIT | \
@ -67,7 +71,8 @@
    PSA_KEY_MNG | \
    PSA_RNG | \
    PSA_CRYPTO_FREE | \
-    PSA_GENERATOR)
+    PSA_GENERATOR | \
+    PSA_ENTROPY_INJECT)

 /*
 #define PSA_F_WAIT_ANY_MSK (\
--- a/components/TARGET_PSA/services/crypto/crypto_partition_psa.json
+++ b/components/TARGET_PSA/services/crypto/crypto_partition_psa.json
@ -86,8 +86,22 @@
      "non_secure_clients": true,
      "minor_version": 1,
      "minor_policy": "STRICT"
+    },
+    {
+      "name": "PSA_ENTROPY_ID",
+      "identifier": "0x00000F0A",
+      "signal": "PSA_ENTROPY_INJECT",
+      "non_secure_clients": true,
+      "minor_version": 1,
+      "minor_policy": "STRICT"
    }
  ],
+  "extern_sids": [
+    "PSA_ITS_GET",
+    "PSA_ITS_SET",
+    "PSA_ITS_INFO",
+    "PSA_ITS_REMOVE"
+  ],
  "source_files": [
    "COMPONENT_SPE/psa_crypto_partition.c"
  ]
--- a/components/TARGET_PSA/services/crypto/psa_psa_f_ifs.h
+++ b/components/TARGET_PSA/services/crypto/psa_psa_f_ifs.h
@ -1,4 +1,6 @@
-/* Copyright (c) 2017 ARM Limited
+/* Copyright (c) 2017-2018 ARM Limited
+ *
+ * SPDX-License-Identifier: Apache-2.0
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -32,5 +34,6 @@
 #define PSA_RNG_ID 0x00000F07
 #define PSA_CRYPTO_FREE_ID 0x00000F08
 #define PSA_GENERATOR_ID 0x00000F09
+#define PSA_ENTROPY_ID 0x00000F0A

 #endif // PSA_PSA_F_PARTITION_ROT_SERVICES_H
--- a/components/TARGET_PSA/spm/COMPONENT_SPE/psa_setup.c
+++ b/components/TARGET_PSA/spm/COMPONENT_SPE/psa_setup.c
@ -27,23 +27,13 @@
 #include "spm_internal.h"
 #include "handles_manager.h"
 #include "cmsis.h"
-#include "psa_psa_f_partition.h"
 #include "psa_its_partition.h"
+#include "psa_psa_f_partition.h"

+extern const uint32_t psa_f_external_sids[4];

 __attribute__((weak))
 spm_partition_t g_partitions[2] = {
-    {
-        .partition_id = PSA_F_ID,
-        .thread_id = 0,
-        .flags_rot_srv = PSA_F_WAIT_ANY_SID_MSK,
-        .flags_interrupts = 0,
-        .rot_services = NULL,
-        .rot_services_count = PSA_F_ROT_SRV_COUNT,
-        .extern_sids = NULL,
-        .extern_sids_count = PSA_F_EXT_ROT_SRV_COUNT,
-        .irq_mapper = NULL,
-    },
    {
        .partition_id = ITS_ID,
        .thread_id = 0,
@ -55,6 +45,17 @@ spm_partition_t g_partitions[2] = {
        .extern_sids_count = ITS_EXT_ROT_SRV_COUNT,
        .irq_mapper = NULL,
    },
+    {
+        .partition_id = PSA_F_ID,
+        .thread_id = 0,
+        .flags_rot_srv = PSA_F_WAIT_ANY_SID_MSK,
+        .flags_interrupts = 0,
+        .rot_services = NULL,
+        .rot_services_count = PSA_F_ROT_SRV_COUNT,
+        .extern_sids = psa_f_external_sids,
+        .extern_sids_count = PSA_F_EXT_ROT_SRV_COUNT,
+        .irq_mapper = NULL,
+    },
 };

 /* Check all the defined memory regions for overlapping. */
@ -67,8 +68,8 @@ __attribute__((weak))
 const uint32_t mem_region_count = 0;

 // forward declaration of partition initializers
-void psa_f_init(spm_partition_t *partition);
 void its_init(spm_partition_t *partition);
+void psa_f_init(spm_partition_t *partition);

 __attribute__((weak))
 uint32_t init_partitions(spm_partition_t **partitions)
@ -77,8 +78,8 @@ uint32_t init_partitions(spm_partition_t **partitions)
        SPM_PANIC("partitions is NULL!\n");
    }

-    psa_f_init(&(g_partitions[0]));
-    its_init(&(g_partitions[1]));
+    its_init(&(g_partitions[0]));
+    psa_f_init(&(g_partitions[1]));

    *partitions = g_partitions;
    return 2;