feedc0de/esp-idf
1
0
Fork 0
forked from espressif/esp-idf
Code Pull Requests Activity

feat(nvs_flash): Add a minimal XTS-AES layer for the bootloader

Browse Source
This commit is contained in:
harshal.patil
2024-12-06 09:07:54 +05:30
parent 4c38499303
commit 7c3832ff2a
5 changed files with 368 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
components/nvs_flash/CMakeLists.txt
View File

@@ -1,6 +1,11 @@
if(BOOTLOADER_BUILD)
# bootloader build simplified version
set(srcs "src/nvs_bootloader.c")
if(CONFIG_NVS_ENCRYPTION)
list(APPEND srcs "src/nvs_bootloader_aes.c"
"src/nvs_bootloader_xts_aes.c")
endif()
set(requires "esp_partition")
idf_component_register(SRCS "${srcs}"
@@ -52,7 +57,9 @@ else()
target_compile_options(${COMPONENT_LIB} PUBLIC --coverage)
target_link_libraries(${COMPONENT_LIB} PUBLIC --coverage)
else()
target_sources(${COMPONENT_LIB} PRIVATE "src/nvs_encrypted_partition.cpp")
target_sources(${COMPONENT_LIB} PRIVATE "src/nvs_encrypted_partition.cpp"
"src/nvs_bootloader_aes.c"
"src/nvs_bootloader_xts_aes.c")
target_link_libraries(${COMPONENT_LIB} PRIVATE idf::mbedtls)
endif()

23
components/nvs_flash/private_include/nvs_bootloader_aes.h Normal file
View File

@@ -0,0 +1,23 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
#include <stdint.h>
#include "sdkconfig.h"
#include "rom/aes.h"
#if CONFIG_IDF_TARGET_ESP32
enum AES_TYPE {
AES_ENC,
AES_DEC,
};
#endif /* CONFIG_IDF_TARGET_ESP32 */
int nvs_bootloader_aes_crypt_ecb(enum AES_TYPE mode,
const unsigned char *key,
enum AES_BITS key_bits,
const unsigned char input[16],
unsigned char output[16]);

94
components/nvs_flash/private_include/nvs_bootloader_xts_aes.h Normal file
View File

@@ -0,0 +1,94 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
#include <stdint.h>
#include "esp_err.h"
#include "nvs_bootloader_aes.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief The XTS-AES context-type definition.
*/
typedef struct
{
uint8_t crypt_key[32]; /*!< The AES context to use for AES block
encryption or decryption. */
uint8_t tweak_key[32]; /*!< The AES context used for tweak
computation. */
} nvs_bootloader_xts_aes_context;
/** Invalid key length. */
#define NVS_BOOTLOADER_ERR_AES_INVALID_KEY_LENGTH -0x0020
/** Invalid data input length. */
#define NVS_BOOTLOADER_ERR_AES_INVALID_INPUT_LENGTH -0x0022
/**
* @brief Initializes the specified XTS-AES context.
*
* @param ctx The XTS-AES context to be initialized. This must not be \c NULL.
*/
void nvs_bootloader_xts_aes_init(nvs_bootloader_xts_aes_context *ctx);
/**
* @brief Clears the specified XTS-AES context.
*
* @param ctx The XTS-AES context to clear.
* If this is \c NULL, this function does nothing.
* Otherwise, the context must have been at least initialized.
*/
void nvs_bootloader_xts_aes_free(nvs_bootloader_xts_aes_context *ctx);
/**
* @brief Sets the XTS-AES encryption-decryption key
*
* @param ctx The XTS-AES context to which the key should be bound.
* It must be initialized.
* @param key The encryption key.
* This must be a readable buffer of size \p key_bytes bytes.
* @param key_bytes The size of data passed in bits. Valid options are:
* <ul><li>128 bits</li>
* <li>192 bits</li>
* <li>256 bits</li></ul>
* @return \c 0 indicating success.
*/
int nvs_bootloader_xts_aes_setkey(nvs_bootloader_xts_aes_context *ctx,
const unsigned char *key,
unsigned int key_bytes);
/**
* @brief Performs an XTS-AES encryption or decryption operation for an entire XTS data unit.
*
* @param ctx The XTS-AES context to use for XTS-AES operation
* It must be initialized and bound to a key.
* @param mode The AES operation: AES_ENC or AES_DEC.
* @param length The length of a data unit in bytes.
* @param data_unit The address of the data unit encoded as an array of 16
* bytes in little-endian format. For disk encryption, this
* is typically the index of the block device sector that
* contains the data.
* @param input The buffer holding the input data (which is an entire
* data unit). This function reads \p length Bytes from \p
* input.
* @param output The buffer holding the output data (which is an entire
* data unit). This function writes \p length Bytes to \p
* output.
* @return \c 0 on success.
* 1 on failure.
*/
int nvs_bootloader_aes_crypt_xts(nvs_bootloader_xts_aes_context *ctx,
enum AES_TYPE mode,
size_t length,
const unsigned char data_unit[16],
const unsigned char *input,
unsigned char *output);
#ifdef __cplusplus
}
#endif

43
components/nvs_flash/src/nvs_bootloader_aes.c Normal file
View File

@@ -0,0 +1,43 @@
/*
* SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <stdint.h>
#include <stdbool.h>
#include "nvs_bootloader_aes.h"
#include "sdkconfig.h"
int nvs_bootloader_aes_crypt_ecb(enum AES_TYPE mode,
const unsigned char *key,
enum AES_BITS key_bits,
const unsigned char input[16],
unsigned char output[16])
{
int ret = -1;
ets_aes_enable();
#if CONFIG_IDF_TARGET_ESP32
if (mode == AES_ENC) {
ret = ets_aes_setkey_enc(key, key_bits);
} else {
ret = ets_aes_setkey_dec(key, key_bits);
}
if (ret) {
ets_aes_crypt(input, output);
// In case of esp32, ets_aes_setkey_dec returns 1 on success,
// whereas for other targets ets_aes_setkey return 0 on success
ret = 0;
}
#else /* !CONFIG_IDF_TARGET_ESP32m*/
ret = ets_aes_setkey(mode, key, key_bits);
if (ret == 0) {
ets_aes_block(input, output);
}
#endif /* CONFIG_IDF_TARGET_ESP32 */
ets_aes_disable();
return ret;
}

200
components/nvs_flash/src/nvs_bootloader_xts_aes.c Normal file
View File

@@ -0,0 +1,200 @@
/*
* SPDX-FileCopyrightText: 2024-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <stdint.h>
#include <string.h>
#include <assert.h>
#include "esp_err.h"
#include "nvs_bootloader_aes.h"
#include "nvs_bootloader_xts_aes.h"
/*
* NOTE: The implementation of the below APIs have been copied
* from the mbedtls (v3.6.2) implementation of the XTS-AES APIs.
*/
void nvs_bootloader_xts_aes_init(nvs_bootloader_xts_aes_context *ctx)
{
bzero(&ctx->crypt_key, sizeof(ctx->crypt_key));
bzero(&ctx->tweak_key, sizeof(ctx->tweak_key));
}
void nvs_bootloader_xts_aes_free(nvs_bootloader_xts_aes_context *ctx)
{
if (ctx) {
bzero(&ctx->crypt_key, sizeof(ctx->crypt_key));
bzero(&ctx->tweak_key, sizeof(ctx->tweak_key));
}
}
int nvs_bootloader_xts_aes_setkey(nvs_bootloader_xts_aes_context *ctx,
const unsigned char *key,
unsigned int key_bytes)
{
size_t xts_key_bytes = key_bytes / 2;
memcpy(&ctx->crypt_key, key, xts_key_bytes);
memcpy(&ctx->tweak_key, &key[xts_key_bytes], xts_key_bytes);
return 0;
}
/* Endianness with 64 bits values */
#ifndef GET_UINT64_LE
#define GET_UINT64_LE(n,b,i) \
{ \
(n) = ((uint64_t) (b)[(i) + 7] << 56) \
| ((uint64_t) (b)[(i) + 6] << 48) \
| ((uint64_t) (b)[(i) + 5] << 40) \
| ((uint64_t) (b)[(i) + 4] << 32) \
| ((uint64_t) (b)[(i) + 3] << 24) \
| ((uint64_t) (b)[(i) + 2] << 16) \
| ((uint64_t) (b)[(i) + 1] << 8) \
| ((uint64_t) (b)[(i) ] ); \
}
#endif
#ifndef PUT_UINT64_LE
#define PUT_UINT64_LE(n,b,i) \
{ \
(b)[(i) + 7] = (unsigned char) ((n) >> 56); \
(b)[(i) + 6] = (unsigned char) ((n) >> 48); \
(b)[(i) + 5] = (unsigned char) ((n) >> 40); \
(b)[(i) + 4] = (unsigned char) ((n) >> 32); \
(b)[(i) + 3] = (unsigned char) ((n) >> 24); \
(b)[(i) + 2] = (unsigned char) ((n) >> 16); \
(b)[(i) + 1] = (unsigned char) ((n) >> 8); \
(b)[(i) ] = (unsigned char) ((n) ); \
}
#endif
/*
* GF(2^128) multiplication function
*
* This function multiplies a field element by x in the polynomial field
* representation. It uses 64-bit word operations to gain speed but compensates
* for machine endianness and hence works correctly on both big and little
* endian machines.
*/
static void bootloader_gf128mul_x_ble(unsigned char r[16],
const unsigned char x[16])
{
uint64_t a, b, ra, rb;
GET_UINT64_LE(a, x, 0);
GET_UINT64_LE(b, x, 8);
ra = (a << 1) ^ 0x0087 >> (8 - ((b >> 63) << 3));
rb = (a >> 63) | (b << 1);
PUT_UINT64_LE(ra, r, 0);
PUT_UINT64_LE(rb, r, 8);
}
/*
* XTS-AES buffer encryption/decryption
*/
int nvs_bootloader_aes_crypt_xts(nvs_bootloader_xts_aes_context *ctx,
enum AES_TYPE mode,
size_t length,
const unsigned char data_unit[16],
const unsigned char *input,
unsigned char *output)
{
int ret;
size_t blocks = length / 16;
size_t leftover = length % 16;
unsigned char tweak[16] = {};
unsigned char prev_tweak[16] = {};
unsigned char tmp[16] = {};
/* Sectors must be at least 16 bytes. */
if (length < 16) {
return NVS_BOOTLOADER_ERR_AES_INVALID_INPUT_LENGTH;
}
/* NIST SP 80-38E disallows data units larger than 2**20 blocks. */
if (length > ( 1 << 20 ) * 16) {
return NVS_BOOTLOADER_ERR_AES_INVALID_INPUT_LENGTH;
}
/* Compute the tweak. */
ret = nvs_bootloader_aes_crypt_ecb(AES_ENC, (const unsigned char *) &ctx->tweak_key,
AES256, data_unit, tweak);
if (ret != 0) {
return (ret);
}
while (blocks--) {
size_t i;
if (leftover && (mode == AES_DEC) && blocks == 0) {
/* We are on the last block in a decrypt operation that has
* leftover bytes, so we need to use the next tweak for this block,
* and this tweak for the lefover bytes. Save the current tweak for
* the leftovers and then update the current tweak for use on this,
* the last full block. */
memcpy(prev_tweak, tweak, sizeof(tweak));
bootloader_gf128mul_x_ble(tweak, tweak);
}
for (i = 0; i < 16; i++) {
tmp[i] = input[i] ^ tweak[i];
}
ret = nvs_bootloader_aes_crypt_ecb(mode, (const unsigned char *) &ctx->crypt_key, AES256, tmp, tmp);
if (ret != 0) {
return (ret);
}
for (i = 0; i < 16; i++) {
output[i] = tmp[i] ^ tweak[i];
}
/* Update the tweak for the next block. */
bootloader_gf128mul_x_ble(tweak, tweak);
output += 16;
input += 16;
}
if (leftover) {
/* If we are on the leftover bytes in a decrypt operation, we need to
* use the previous tweak for these bytes (as saved in prev_tweak). */
unsigned char *t = mode == AES_DEC ? prev_tweak : tweak;
/* We are now on the final part of the data unit, which doesn't divide
* evenly by 16. It's time for ciphertext stealing. */
size_t i;
unsigned char *prev_output = output - 16;
/* Copy ciphertext bytes from the previous block to our output for each
* byte of ciphertext we won't steal. At the same time, copy the
* remainder of the input for this final round (since the loop bounds
* are the same). */
for (i = 0; i < leftover; i++) {
output[i] = prev_output[i];
tmp[i] = input[i] ^ t[i];
}
/* Copy ciphertext bytes from the previous block for input in this
* round. */
for (; i < 16; i++) {
tmp[i] = prev_output[i] ^ t[i];
}
ret = nvs_bootloader_aes_crypt_ecb(mode, (const unsigned char *) &ctx->crypt_key, AES256, tmp, tmp);
if (ret != 0) {
return ret;
}
/* Write the result back to the previous block, overriding the previous
* output we copied. */
for (i = 0; i < 16; i++) {
prev_output[i] = tmp[i] ^ t[i];
}
}
return 0;
}