feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fixes and cleanups for NXP SE050 support.

Browse Source
This commit is contained in:
David Garske
2021-08-20 15:45:10 -07:00
parent 3f76a76c46
commit 29f051e585
12 changed files with 805 additions and 750 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
configure.ac
View File

@@ -1337,16 +1337,15 @@ AC_ARG_WITH([cryptoauthlib],
) )
# NXP SE050 # NXP SE050
#current configure options line: "./configure --with-se050=/home/pi/Downloads/new_simw_top" # current configure options line: "./configure --with-se050=/home/pi/Downloads/new_simw_top"
ENABLED_SE050="no" ENABLED_SE050="no"
trylibse050dir="" trylibse050dir=""
AC_ARG_WITH([se050], AC_ARG_WITH([se050],
[AS_HELP_STRING([--with-se050=PATH],[PATH to SE050 install (default /usr/local/lib/)])], [AS_HELP_STRING([--with-se050=PATH],[PATH to SE050 install (default /usr/local/lib/)])],
[ [
AC_MSG_CHECKING([for SE050]) AC_MSG_CHECKING([for SE050])
CPPFLAGS="$CPPFLAGS -DWOLFSSL_SE050"
LIBS="$LIBS -lSSS_APIs"
LIBS="$LIBS -lSSS_APIs"
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0);]])],[ libse050_linked=yes ],[ libse050_linked=no ]) AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0);]])],[ libse050_linked=yes ],[ libse050_linked=no ])
if test "x$libse050_linked" = "xno" ; then if test "x$libse050_linked" = "xno" ; then
@@ -1356,20 +1355,25 @@ AC_ARG_WITH([se050],
if test "x$withval" = "xyes" ; then if test "x$withval" = "xyes" ; then
trylibse050dir="/usr/local/lib/" trylibse050dir="/usr/local/lib/"
fi fi
LDFLAGS="$LDFLAGS -L$trylibse050dir/simw-top_build/raspbian_native_se050_t1oi2c/sss/" LDFLAGS="$LDFLAGS -L$trylibse050dir/build/sss"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/simw-top/sss/inc -I$trylibse050dir/simw-top/sss/port/default \ CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/inc"
-I$trylibse050dir/simw-top/hostlib/hostLib/inc/ -I$trylibse050dir/simw-top/hostlib/hostLib/libCommon/infra " CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/port/default"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/inc"
CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/infra"
AC_CHECK_FILES([$trylibse050dir/build/sss/libSSS_APIs.a], [SE050_STATIC=yes], [SE050_STATIC=no])
AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ]) if test "x$SE050_STATIC" = "xyes"; then
LIB_STATIC_ADD="$trylibse050dir/build/sss/libSSS_APIs.a $LIB_STATIC_ADD"
if test "x$libse050_linked" = "xno" ; then else
AC_MSG_ERROR([SE050 isn't found. AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <fsl_sss_api.h>]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ])
If it's already installed, specify its path using --with-SE050=/dir/]) if test "x$libse050_linked" = "xno" ; then
AC_MSG_ERROR([SE050 isn't found.
If it's already installed, specify its path using --with-se050=/dir/])
fi
fi fi
AM_LDFLAGS="$AM_LDFLAGS -L$trylibse050dir/simw-top_build/raspbian_native_se050_t1oi2c/sss/"
AM_CFLAGS="$AM_CFLAGS -I$trylibse050dir/simw-top/sss/inc/ \ # Requires AES direct
-DWOLFSSL_AES_DIRECT" AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_AES_DIRECT"
AC_MSG_RESULT([yes]) AC_MSG_RESULT([yes])
else else
@@ -7079,6 +7083,7 @@ AM_CONDITIONAL([BUILD_RC2],[test "x$ENABLED_RC2" = "xyes"])
AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM" = "xqnx"]) AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM" = "xqnx"])
AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"])
AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"])
AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"])
if test "$ax_enable_debug" = "yes" || if test "$ax_enable_debug" = "yes" ||
test "$ENABLED_STACKSIZE" != "no" || test "$ENABLED_STACKSIZE" != "no" ||
@@ -7453,6 +7458,7 @@ echo " * Crypto callbacks: $ENABLED_CRYPTOCB"
echo " * i.MX6 CAAM: $ENABLED_CAAM" echo " * i.MX6 CAAM: $ENABLED_CAAM"
echo " * IoT-Safe: $ENABLED_IOTSAFE" echo " * IoT-Safe: $ENABLED_IOTSAFE"
echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG" echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG"
echo " * NXP SE050: $ENABLED_SE050"
echo "" echo ""
echo "---" echo "---"

30
wolfcrypt/src/aes.c
View File

@@ -871,15 +871,16 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
#elif defined(WOLFSSL_SE050) #elif defined(WOLFSSL_SE050)
static int AES_ECB_encrypt(Aes* aes, const byte* inBlock, byte* outBlock, static int AES_ECB_encrypt(Aes* aes, const byte* inBlock, byte* outBlock,
int sz) int sz)
{ {
return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_ENCRYPTION, kAlgorithm_SSS_AES_ECB); return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_ENCRYPTION,
kAlgorithm_SSS_AES_ECB);
} }
static int AES_ECB_decrypt(Aes* aes, const byte* inBlock, byte* outBlock, static int AES_ECB_decrypt(Aes* aes, const byte* inBlock, byte* outBlock,
int sz) int sz)
{ {
return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_DECRYPTION, kAlgorithm_SSS_AES_ECB); return se050_aes_crypt(aes, inBlock, outBlock, sz, AES_DECRYPTION,
kAlgorithm_SSS_AES_ECB);
} }
static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock) static int wc_AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
{ {
@@ -2603,24 +2604,27 @@ static void wc_AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv, int wc_AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
int dir) int dir)
{ {
int ret = 0; int ret;
if (aes == NULL || !((keylen == 16) || (keylen == 24) || (keylen == 32))) { if (aes == NULL || (keylen != 16 && keylen != 24 && keylen != 32)) {
return BAD_FUNC_ARG; return BAD_FUNC_ARG;
} }
aes->ctxInitDone = 0; aes->ctxInitDone = 0;
#if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \ #if defined(WOLFSSL_AES_CFB) || defined(WOLFSSL_AES_COUNTER) || \
defined(WOLFSSL_AES_OFB) defined(WOLFSSL_AES_OFB)
aes->left = 0; aes->left = 0;
#endif #endif
ret = se050_aes_set_key(aes, userKey, keylen, iv, dir); ret = se050_aes_set_key(aes, userKey, keylen, iv, dir);
if (ret == 0) { if (ret == 0) {
ret = wc_AesSetIV(aes, iv); ret = wc_AesSetIV(aes, iv);
} }
return ret; return ret;
} }
int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
const byte* iv, int dir) int wc_AesSetKeyDirect(Aes* aes, const byte* userKey, word32 keylen,
const byte* iv, int dir)
{ {
return wc_AesSetKey(aes, userKey, keylen, iv, dir); return wc_AesSetKey(aes, userKey, keylen, iv, dir);
} }
@@ -3883,12 +3887,12 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz) int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{ {
return se050_aes_crypt(aes, in, out, sz, AES_ENCRYPTION, return se050_aes_crypt(aes, in, out, sz, AES_ENCRYPTION,
kAlgorithm_SSS_AES_CBC); kAlgorithm_SSS_AES_CBC);
} }
int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz) int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{ {
return se050_aes_crypt(aes, in, out, sz, AES_DECRYPTION, return se050_aes_crypt(aes, in, out, sz, AES_DECRYPTION,
kAlgorithm_SSS_AES_CBC); kAlgorithm_SSS_AES_CBC);
} }
#elif defined(WOLFSSL_SILABS_SE_ACCEL) #elif defined(WOLFSSL_SILABS_SE_ACCEL)

43
wolfcrypt/src/ecc.c
View File

@@ -4701,8 +4701,7 @@ int wc_ecc_make_key_ex2(WC_RNG* rng, int keysize, ecc_key* key, int curve_id,
err = NOT_COMPILED_IN; err = NOT_COMPILED_IN;
} }
#elif defined(WOLFSSL_SE050) #elif defined(WOLFSSL_SE050)
key->keyId = se050_allocate_key(); err = se050_ecc_create_key(key, curve_id, keysize);
err = se050_ecc_create_key(key, key->keyId, keysize);
key->type = ECC_PRIVATEKEY; key->type = ECC_PRIVATEKEY;
#elif defined(WOLFSSL_CRYPTOCELL) #elif defined(WOLFSSL_CRYPTOCELL)
@@ -5008,6 +5007,11 @@ int wc_ecc_init_ex(ecc_key* key, void* heap, int devId)
#if defined(WOLFSSL_DSP) #if defined(WOLFSSL_DSP)
key->handle = -1; key->handle = -1;
#endif #endif
#ifdef WOLFSSL_SE050
key->keyId = -1;
#endif
return ret; return ret;
} }
@@ -5190,7 +5194,7 @@ static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen,
#elif defined(WOLFSSL_KCAPI_ECC) #elif defined(WOLFSSL_KCAPI_ECC)
err = KcapiEcc_Sign(key, in, inlen, out, outlen); err = KcapiEcc_Sign(key, in, inlen, out, outlen);
(void)rng; (void)rng;
#elif defined (WOLFSSL_SE050) #elif defined(WOLFSSL_SE050)
err = se050_ecc_sign_hash_ex(in, inlen, out, outlen, key); err = se050_ecc_sign_hash_ex(in, inlen, out, outlen, key);
if (err == 0) if (err == 0)
err = DecodeECC_DSA_Sig(out, *outlen, r, s); err = DecodeECC_DSA_Sig(out, *outlen, r, s);
@@ -6295,7 +6299,7 @@ int wc_ecc_free(ecc_key* key)
#endif #endif
#ifdef WOLFSSL_SE050 #ifdef WOLFSSL_SE050
se050_ecc_free_key(key); se050_ecc_free_key(key);
#endif #endif
#if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A) #if defined(WOLFSSL_ATECC508A) || defined(WOLFSSL_ATECC608A)
@@ -7116,22 +7120,23 @@ int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
err = KcapiEcc_Verify(key, hash, hashlen, sigRS, key->dp->size * 2); err = KcapiEcc_Verify(key, hash, hashlen, sigRS, key->dp->size * 2);
#elif defined(WOLFSSL_SE050) #elif defined(WOLFSSL_SE050)
/* Used when following a hardware sign operation */ {
/* Used when following a hardware sign operation */
int rLeadingZero = mp_leading_bit(r);
int sLeadingZero = mp_leading_bit(s);
int rLen = mp_unsigned_bin_size(r);
int sLen = mp_unsigned_bin_size(s);
word32 signatureLen = rLeadingZero + sLeadingZero +
rLen + sLen + SIG_HEADER_SZ; /* see StoreECC_DSA_Sig */
int rLeadingZero = mp_leading_bit(r); err = StoreECC_DSA_Sig(sigRS, &signatureLen, r, s);
int sLeadingZero = mp_leading_bit(s); if (err == 0) {
int rLen = mp_unsigned_bin_size(r); err = se050_ecc_verify_hash_ex(hash, hashlen, sigRS,
int sLen = mp_unsigned_bin_size(s); signatureLen, key, res);
}
word32 signatureLen = rLeadingZero + sLeadingZero + rLen + sLen + SIG_HEADER_SZ; /* see StoreECC_DSA_Sig */ if (err != 0)
return err;
err = StoreECC_DSA_Sig(sigRS, &signatureLen, r, s); }
if (err != 0)
return err;
err = se050_ecc_verify_hash_ex(hash, hashlen, sigRS, signatureLen, key, res);
if (err != 0)
return err;
#else #else
/* checking if private key with no public part */ /* checking if private key with no public part */
if (key->type == ECC_PRIVATEKEY_ONLY) { if (key->type == ECC_PRIVATEKEY_ONLY) {

7
wolfcrypt/src/ed25519.c
View File

@@ -262,11 +262,12 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
word32 *outLen, ed25519_key* key, byte type, word32 *outLen, ed25519_key* key, byte type,
const byte* context, byte contextLen) const byte* context, byte contextLen)
{ {
int ret;
#ifdef WOLFSSL_SE050 #ifdef WOLFSSL_SE050
(void)context; (void)context;
(void)contextLen; (void)contextLen;
(void)type; (void)type;
int ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key); ret = se050_ed25519_sign_msg(in, inLen, out, outLen, key);
#else #else
#ifdef FREESCALE_LTC_ECC #ifdef FREESCALE_LTC_ECC
byte tempBuf[ED25519_PRV_KEY_SIZE]; byte tempBuf[ED25519_PRV_KEY_SIZE];
@@ -277,7 +278,6 @@ int wc_ed25519_sign_msg_ex(const byte* in, word32 inLen, byte* out,
byte nonce[WC_SHA512_DIGEST_SIZE]; byte nonce[WC_SHA512_DIGEST_SIZE];
byte hram[WC_SHA512_DIGEST_SIZE]; byte hram[WC_SHA512_DIGEST_SIZE];
byte az[ED25519_PRV_KEY_SIZE]; byte az[ED25519_PRV_KEY_SIZE];
int ret;
/* sanity check on arguments */ /* sanity check on arguments */
if (in == NULL || out == NULL || outLen == NULL || key == NULL || if (in == NULL || out == NULL || outLen == NULL || key == NULL ||
@@ -681,8 +681,7 @@ int wc_ed25519_verify_msg_ex(const byte* sig, word32 sigLen, const byte* msg,
(void)type; (void)type;
(void)context; (void)context;
(void)contextLen; (void)contextLen;
if (ed25519Ctx != NULL) (void)ed25519Ctx;
(void)ed25519Ctx;
ret = se050_ed25519_verify_msg(sig, sigLen, msg, msgLen, key, res); ret = se050_ed25519_verify_msg(sig, sigLen, msg, msgLen, key, res);
#else #else
#ifdef WOLFSSL_ED25519_PERSISTENT_SHA #ifdef WOLFSSL_ED25519_PERSISTENT_SHA

6
wolfcrypt/src/include.am
View File

@@ -68,6 +68,8 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
wolfcrypt/src/port/arm/armv8-32-sha512-asm.c \ wolfcrypt/src/port/arm/armv8-32-sha512-asm.c \
wolfcrypt/src/port/nxp/ksdk_port.c \ wolfcrypt/src/port/nxp/ksdk_port.c \
wolfcrypt/src/port/nxp/dcp_port.c \ wolfcrypt/src/port/nxp/dcp_port.c \
wolfcrypt/src/port/nxp/se050_port.c \
wolfcrypt/src/port/nxp/README.md \
wolfcrypt/src/port/atmel/README.md \ wolfcrypt/src/port/atmel/README.md \
wolfcrypt/src/port/xilinx/xil-sha3.c \ wolfcrypt/src/port/xilinx/xil-sha3.c \
wolfcrypt/src/port/xilinx/xil-aesgcm.c \ wolfcrypt/src/port/xilinx/xil-aesgcm.c \
@@ -174,3 +176,7 @@ src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_qnx.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_ecdsa.c src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_ecdsa.c
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_cmac.c src_libwolfssl_la_SOURCES += wolfcrypt/src/port/caam/wolfcaam_cmac.c
endif endif
if BUILD_SE050
src_libwolfssl_la_SOURCES += wolfcrypt/src/port/nxp/se050_port.c
endif

98
wolfcrypt/src/port/nxp/README.md Normal file
View File

@@ -0,0 +1,98 @@
# NXP Ports
Support for the NXP DCP, KSDK and SE050 hardware acceleration boards.
## NXP SE050
Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)**
## SE050 Acceleration
For details about SE050 HW acceleration, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
## Building simw-top
The code required to communicate with the SE050 is the `EdgeLock SE05x Plug & Trust Middleware (03.03.00)`, which can be found here [link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab) (An NXP account is required to download).
Follow the build instruction in AN12570 (EdgeLockTM SE05x Quick start guide with Raspberry Pi) [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf).
## Building wolfSSL
To enable support run:
``sh
./configure --with-se050=PATH
make
``
Where `PATH` is the directory location of `simw-top`.
Example: `./configure --with-se050=/Users/[user]/simw-top`
## Building Examples
Confirm that you are able to run the examples from the directory:
``sh
/simw-top_build/raspbian_native_se050_t1oi2c/bin/
``
Modify one of those examples in order to tie into wolfSSL. The `./se05x_Minimal` is the easiest one to modify.
Open the `simw-top/demos/se05x/se05x_Minimal` directory and edit `se05x_Minimal.c`. Add these headers to source file:
``c
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
``
If you would like to run our wolfcrypt test or benchmark tool, add: `#include "test.h"` or `#include benchmark.h`.
Below is the code that was replaced in `ex_sss_entry()` to run the wolfcrypt test:
``c
sss_status_t status = kStatus_SSS_Success;
int ret;
sss_session_t *pSession2 = (sss_session_t *)&pCtx->session;
sss_key_store_t *pHostSession = (sss_key_store_t *)&pCtx->host_ks;
LOG_I("running setconfig");
ret = wc_se050_SetConfig(pSession2, pHostSession);
if (ret != 0) {
return kStatus_SSS_Fail;
}
LOG_I("ran setconfig correctly");
wolfcrypt_test(NULL);
LOG_I("ran wolfcrypt test");
return status;
``
Note: `wolfcrypt_test(NULL);` can be replaced with `benchmark_test();`
The two variables used in `wc_se050_SetConfig` are session and key store variables that are required to reference parts of the hardware.
The Makefile needs to be edited. At the top of the Makefile, the base wolfssl directory needs to be added to `INCLUDE_FLAGS`.
Next, Inside `CFLAGS`, the `se05x_Minimal` directory needs to be added so that test.c and benchmark.c are included.
Finally, underneath 'all', test.c, test.h, benchmark.c and benchmark.h need to be added, along with `-L[wolfssl directory] -lwolfssl` at the end of the line.
### Wolfcrypt Test
To run the wolfcrypt test, two files, `test.h` and `test.c` need to be added to the `./se05x_Minimal` directory. These files can be found inside of `/wolfcrypt/test`.
Make sure `NO_MAIN_DRIVER` is defined to avoid `int main()` conflicts. Either in the Makefile or modify test.h to define it.
You should be able to run `wolfcrypt_test()` now.
### wolfCrypt Benchmark
To run the benchmark, both `benchmark.c` and `benchmark.h` need to be copied from wolfcrypt/benchmark to the `./se05x_Minimal` directory.
In addition, the entire `./certs` directory will need to copied into the directory.
Make sure `NO_MAIN_DRIVER` is defined to avoid `int main()` conflicts. Either in the Makefile or modify test.h to define it.
Now you can run `benchmark_test()`.
## Support
For questions please email support@wolfssl.com

1173
wolfcrypt/src/port/nxp/se050_port.c
View File

File diff suppressed because it is too large Load Diff

2
wolfcrypt/src/random.c
View File

@@ -2582,7 +2582,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
(void)os; (void)os;
if(output == NULL) { if (output == NULL) {
return BUFFER_E; return BUFFER_E;
} }
ret = wolfSSL_CryptHwMutexLock(); ret = wolfSSL_CryptHwMutexLock();

1
wolfcrypt/src/sha.c
View File

@@ -347,7 +347,6 @@
(void)devId; (void)devId;
return se050_hash_init(&sha->se050Ctx, heap); return se050_hash_init(&sha->se050Ctx, heap);
} }
int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len) int wc_ShaUpdate(wc_Sha* sha, const byte* data, word32 len)

27
wolfcrypt/src/sha512.c
View File

@@ -49,6 +49,10 @@
#include <wolfssl/wolfcrypt/cryptocb.h> #include <wolfssl/wolfcrypt/cryptocb.h>
#endif #endif
#ifdef WOLFSSL_SE050
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
#endif
/* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */ /* deprecated USE_SLOW_SHA2 (replaced with USE_SLOW_SHA512) */
#if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512) #if defined(USE_SLOW_SHA2) && !defined(USE_SLOW_SHA512)
#define USE_SLOW_SHA512 #define USE_SLOW_SHA512
@@ -200,7 +204,6 @@
/* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */ /* functions defined in wolfcrypt/src/port/kcapi/kcapi_hash.c */
#elif defined(WOLFSSL_SE050) #elif defined(WOLFSSL_SE050)
//#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
int wc_InitSha512(wc_Sha512* sha512) int wc_InitSha512(wc_Sha512* sha512)
{ {
if (sha512 == NULL) if (sha512 == NULL)
@@ -224,17 +227,31 @@
int wc_Sha512Final(wc_Sha512* sha512, byte* hash) int wc_Sha512Final(wc_Sha512* sha512, byte* hash)
{ {
int ret = 0; int ret = 0;
int devId = INVALID_DEVID;
if (sha512 == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_CB
devId = sha512->devId;
#endif
ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE, ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
kAlgorithm_SSS_SHA512); kAlgorithm_SSS_SHA512);
(void)wc_InitSha512_ex(sha512); (void)wc_InitSha512_ex(sha512, sha512->heap, devId);
return ret; return ret;
} }
int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash) int wc_Sha512FinalRaw(wc_Sha512* sha512, byte* hash)
{ {
int ret = 0; int ret = 0;
int devId = INVALID_DEVID;
if (sha512 == NULL) {
return BAD_FUNC_ARG;
}
#ifdef WOLF_CRYPTO_CB
devId = sha512->devId;
#endif
ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE, ret = se050_hash_final(&sha512->se050Ctx, hash, WC_SHA512_DIGEST_SIZE,
kAlgorithm_SSS_SHA512); kAlgorithm_SSS_SHA512);
(void)wc_InitSha512(sha512); (void)wc_InitSha512_ex(sha512, sha512->heap, devId);
return ret; return ret;
} }
void wc_Sha512Free(wc_Sha512* sha512) void wc_Sha512Free(wc_Sha512* sha512)
@@ -948,6 +965,7 @@ int wc_Sha512Update(wc_Sha512* sha512, const byte* data, word32 len)
#else #else
#ifndef WOLFSSL_SE050
static WC_INLINE int Sha512Final(wc_Sha512* sha512) static WC_INLINE int Sha512Final(wc_Sha512* sha512)
{ {
byte* local = (byte*)sha512->buffer; byte* local = (byte*)sha512->buffer;
@@ -1207,6 +1225,7 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
} }
#endif /* OPENSSL_EXTRA */ #endif /* OPENSSL_EXTRA */
#endif /* WOLFSSL_SHA512 */ #endif /* WOLFSSL_SHA512 */
#endif /* WOLFSSL_SE050 */
/* -------------------------------------------------------------------------- */ /* -------------------------------------------------------------------------- */
/* SHA384 */ /* SHA384 */
@@ -1217,8 +1236,6 @@ int wc_Sha512Transform(wc_Sha512* sha, const unsigned char* data)
!defined(WOLFSSL_QNX_CAAM) !defined(WOLFSSL_QNX_CAAM)
/* functions defined in wolfcrypt/src/port/caam/caam_sha.c */ /* functions defined in wolfcrypt/src/port/caam/caam_sha.c */
#elif defined(WOLFSSL_SE050) #elif defined(WOLFSSL_SE050)
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId) int wc_InitSha384_ex(wc_Sha384* sha384, void* heap, int devId)
{ {
if (sha384 == NULL) { if (sha384 == NULL) {

68
wolfssl/wolfcrypt/port/nxp/README.md
View File

@@ -1,68 +0,0 @@
# NXP Ports
Support for the NXP DCP, KSDK and SE050 hardware acceleration boards.
## NXP SE050
Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)**
## SE050 Acceleration
For details about SE050 HW acceleration, see [NXP's SE050 page](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050).
## Building
To enable support run:
```
./configure --with-se050=PATH
```
Followed by:
```
make && make install
```
With PATH being the directory location of simw-top.
The code required to communicate with the SE050 can be found at this NXP [link](https://www.nxp.com/products/security-and-authentication/authentication/edgelock-se050-plug-trust-secure-element-family-enhanced-iot-security-with-maximum-flexibility:SE050?tab=Design_Tools_Tab) (An NXP account is required to download). Follow the instructions [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf) to install and setup with a Raspberry Pi.
Confirm that you are able to run the examples from the
```
/simw-top_build/raspbian_native_se050_t1oi2c/bin/
```
directory. Once that's done, it's time to modify one of those examples in order to tie into wolfSSL.
The ``./se05x_Minimal `` is the easiest one to modify. Open the ``simw-top/demos/se05x/se05x_Minimal `` directory and edit ``se05x_Minimal.c``. Add these headers to source file:
```
#include <wolfssl/options.h>
#include <wolfssl/wolfcrypt/types.h>
#include <wolfssl/wolfcrypt/port/nxp/se050_port.h>
```
If you would like to run our wolfcrypt test or benchmark tool, add:
``#include "test.h"`` or ``#include benchmark.h``, respectively. Below is the code that was replaced in ``ex_sss_entry()`` that ran the wolfcrypt test:
```
sss_status_t status = kStatus_SSS_Success;
int ret;
sss_session_t *pSession2 = (sss_session_t *)&pCtx->session;
sss_key_store_t *pHostSession = (sss_key_store_t *)&pCtx->host_ks;
LOG_I("running setconfig");
ret = wolfcrypt_se050_SetConfig(pSession2, pHostSession);
if (ret != 0) {
return kStatus_SSS_Fail;
}
LOG_I("ran setconfig correctly");
wolfcrypt_test(NULL);
LOG_I("ran wolfcrypt test");
return status;
```
``wolfcrypt_test(NULL);`` can be replaced with ``benchmark_test();``
The two variables used in ``wolfcrypt_se050_SetConfig`` are session and key store variables that are required to reference parts of the hardware.
Next, the Makefile needs to be edited.
At the top of the Makefile, the base wolfssl directory needs to be added to ``INCLUDE_FLAGS``. Next, Inside ``CFLAGS``, the ``se05x_Minimal`` directory needs to be added so that test.c and benchmark.c are included. Finally, underneath 'all', test.c, test.h, benchmark.c and benchmark.h need to be added, along with ``-L (wolfssl directory) -lwolfssl`` at the end of the line.
## Wolfcrypt Test
To run the wolfcrypt test, two files, ``test.h`` and ``test.c`` need to be added to the ``./se05x_Minimal`` directory. These files can be found inside of ``/wolfcrypt/test``.
Next, ``#define NO_MAIN_DRIVER`` needs to be added to test.h.
You should be able to run `wolfcrypt_test()` now.
## Benchmark
To run the benchmark, both ``benchmark.c`` and ``benchmark.h`` need to be copied from wolfcrypt/benchmark to the `./se05x_Minimal` directory. In addition, the entire `./certs` directory will need to copied into the directory. ``#define NO_MAIN_DRIVER`` will need to be added to `benchmark.h`. You should be able to run `benchmark_test() ` now.

64
wolfssl/wolfcrypt/port/nxp/se050_port.h
View File

@@ -22,7 +22,6 @@
#ifndef _SE050_PORT_H_ #ifndef _SE050_PORT_H_
#define _SE050_PORT_H_ #define _SE050_PORT_H_
#include <wolfssl/wolfcrypt/settings.h> #include <wolfssl/wolfcrypt/settings.h>
#include "fsl_sss_api.h" #include "fsl_sss_api.h"
@@ -39,27 +38,25 @@ typedef struct {
} SE050_HASH_Context; } SE050_HASH_Context;
WOLFSSL_API int wolfcrypt_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore); WOLFSSL_API int wc_se050_SetConfig(sss_session_t *pSession,
sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore);
int se050_allocate_key(void);
int se050_get_random_number(uint32_t count, uint8_t* rand_out);
int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap);
int se050_hash_update(SE050_HASH_Context* se050Ctx, const byte* data, word32 len);
int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, word32 algo);
void se050_hash_free(SE050_HASH_Context* se050Ctx);
WOLFSSL_LOCAL int se050_allocate_key(void);
WOLFSSL_LOCAL int se050_get_random_number(uint32_t count, uint8_t* rand_out);
WOLFSSL_LOCAL int se050_hash_init(SE050_HASH_Context* se050Ctx, void* heap);
WOLFSSL_LOCAL int se050_hash_update(SE050_HASH_Context* se050Ctx,
const byte* data, word32 len);
WOLFSSL_LOCAL int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash,
size_t digestLen, word32 algo);
WOLFSSL_LOCAL void se050_hash_free(SE050_HASH_Context* se050Ctx);
struct Aes; struct Aes;
int se050_aes_set_key(struct Aes* aes, const byte* key, word32 len, const byte* iv, int dir); WOLFSSL_LOCAL int se050_aes_set_key(struct Aes* aes, const byte* key,
int se050_aes_crypt(struct Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss_algorithm_t algorithm); word32 len, const byte* iv, int dir);
void se050_aes_free(struct Aes* aes); WOLFSSL_LOCAL int se050_aes_crypt(struct Aes* aes, const byte* in, byte* out,
//int se050_aes_ctr_crypt(struct Aes* aes, const byte* in, byte* out, word32 sz); word32 sz, int dir, sss_algorithm_t algorithm);
WOLFSSL_LOCAL void se050_aes_free(struct Aes* aes);
struct ecc_key; struct ecc_key;
@@ -74,25 +71,26 @@ struct WC_RNG;
struct mp_int; struct mp_int;
#define MATH_INT_T struct mp_int #define MATH_INT_T struct mp_int
#endif #endif
int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out,
word32 *outLen, struct ecc_key* key);
int se050_ecc_verify_hash_ex(const byte* hash, word32 hashlen, byte* signature, WOLFSSL_LOCAL int se050_ecc_sign_hash_ex(const byte* in, word32 inLen,
word32 signatureLen, struct ecc_key* key, int* res); byte* out, word32 *outLen, struct ecc_key* key);
int se050_ecc_create_key(struct ecc_key* key, int keyId, int keySize); WOLFSSL_LOCAL int se050_ecc_verify_hash_ex(const byte* hash, word32 hashlen,
int se050_ecc_shared_secret(struct ecc_key* private_key, struct ecc_key* public_key, byte* out, byte* signature, word32 signatureLen, struct ecc_key* key, int* res);
word32* outlen);
int se050_ecc_free_key(struct ecc_key* key); WOLFSSL_LOCAL int se050_ecc_create_key(struct ecc_key* key, int curve_id, int keySize);
WOLFSSL_LOCAL int se050_ecc_shared_secret(struct ecc_key* private_key,
struct ecc_key* public_key, byte* out, word32* outlen);
WOLFSSL_LOCAL int se050_ecc_free_key(struct ecc_key* key);
struct ed25519_key; struct ed25519_key;
//#include <wolfssl/wolfcrypt/ed25519.h> WOLFSSL_LOCAL int se050_ed25519_create_key(struct ed25519_key* key);
int se050_ed25519_create_key(struct ed25519_key* key); WOLFSSL_LOCAL void se050_ed25519_free_key(struct ed25519_key* key);
void se050_ed25519_free_key(struct ed25519_key* key); WOLFSSL_LOCAL int se050_ed25519_sign_msg(const byte* in, word32 inLen,
int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out, byte* out, word32 *outLen, struct ed25519_key* key);
word32 *outLen, struct ed25519_key* key);
int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, const byte* msg, WOLFSSL_LOCAL int se050_ed25519_verify_msg(const byte* signature,
word32 msgLen, struct ed25519_key* key, int* res); word32 signatureLen, const byte* msg, word32 msgLen,
struct ed25519_key* key, int* res);
#endif /* _SE050_PORT_H_ */ #endif /* _SE050_PORT_H_ */