From 185d48938d937477d91e693a0d575a2646c2dabf Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 2 Sep 2021 14:17:27 -0700 Subject: [PATCH] Fixes for building NXP SE050. Add support for automatic initialization of the SE050 if `WOLFSSL_SE050_INIT` is defined. Optionally can override the `portName` using `SE050_DEFAULT_PORT`. --- configure.ac | 12 +- wolfcrypt/src/port/nxp/README.md | 22 +++- wolfcrypt/src/port/nxp/se050_port.c | 142 ++++++++++++++++++++---- wolfcrypt/src/wc_port.c | 8 ++ wolfssl/wolfcrypt/port/nxp/se050_port.h | 23 +++- 5 files changed, 176 insertions(+), 31 deletions(-) diff --git a/configure.ac b/configure.ac index 100b96470..cdc5fb41d 100644 --- a/configure.ac +++ b/configure.ac @@ -1337,7 +1337,7 @@ AC_ARG_WITH([cryptoauthlib], ) # NXP SE050 -# current configure options line: "./configure --with-se050=/home/pi/Downloads/new_simw_top" +# Example: "./configure --with-se050=/home/pi/simw_top" ENABLED_SE050="no" trylibse050dir="" AC_ARG_WITH([se050], @@ -1356,14 +1356,20 @@ AC_ARG_WITH([se050], trylibse050dir="/usr/local/lib/" fi LDFLAGS="$LDFLAGS -L$trylibse050dir/build/sss" + CPPFLAGS="$CPPFLAGS -I$trylibse050dir/build" CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/inc" + CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/ex/inc" CPPFLAGS="$CPPFLAGS -I$trylibse050dir/sss/port/default" CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/inc" CPPFLAGS="$CPPFLAGS -I$trylibse050dir/hostlib/hostLib/libCommon/infra" AC_CHECK_FILES([$trylibse050dir/build/sss/libSSS_APIs.a], [SE050_STATIC=yes], [SE050_STATIC=no]) if test "x$SE050_STATIC" = "xyes"; then - LIB_STATIC_ADD="$trylibse050dir/build/sss/libSSS_APIs.a $LIB_STATIC_ADD" + LIB_STATIC_ADD="$trylibse050dir/build/sss/ex/src/libex_common.a \ + $trylibse050dir/build/sss/libSSS_APIs.a \ + $trylibse050dir/build/hostlib/hostLib/se05x/libse05x.a \ + $trylibse050dir/build/hostlib/hostLib/liba7x_utils.a \ + $trylibse050dir/build/hostlib/hostLib/libCommon/libsmCom.a $LIB_STATIC_ADD" else AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ sss_mac_init(0); ]])],[ libse050_linked=yes ],[ libse050_linked=no ]) if test "x$libse050_linked" = "xno" ; then @@ -1381,7 +1387,7 @@ AC_ARG_WITH([se050], fi ENABLED_SE050="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SE050" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_SE050 -DSSS_USE_FTR_FILE" ] ) diff --git a/wolfcrypt/src/port/nxp/README.md b/wolfcrypt/src/port/nxp/README.md index ac74f069b..742b45b35 100644 --- a/wolfcrypt/src/port/nxp/README.md +++ b/wolfcrypt/src/port/nxp/README.md @@ -4,7 +4,7 @@ Support for the NXP DCP, KSDK and SE050 hardware acceleration boards. ## NXP SE050 -Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. **(discuss p-256 ECC)** +Support for the SE050 on-board crypto hardware acceleration for symmetric AES, SHA1/SHA256/SHA384/SHA512, ECC (including ed25519) and RNG. ## SE050 Acceleration @@ -16,6 +16,22 @@ The code required to communicate with the SE050 is the `EdgeLock SE05x Plug & Tr Follow the build instruction in AN12570 (EdgeLockTM SE05x Quick start guide with Raspberry Pi) [here](https://www.nxp.com/docs/en/application-note/AN12570.pdf). +In summary here are the steps for building: + +``` +# from simw-top directory +mkdir build +cd build +ccmake .. +# Change: +# `Host OS` to `Raspbian` +# `Host Crypto` to `None` +# `SMCOM` to `T1oI2C` +c # to configure +q +make +``` + ## Building wolfSSL To enable support run: @@ -26,7 +42,7 @@ make `` Where `PATH` is the directory location of `simw-top`. -Example: `./configure --with-se050=/Users/[user]/simw-top` +Example: `./configure --enable-debug --disable-shared --with-se050=/home/pi/simw-top CFLAGS="-DWOLFSSL_SE050_INIT"` ## Building Examples @@ -46,7 +62,7 @@ Open the `simw-top/demos/se05x/se05x_Minimal` directory and edit `se05x_Minimal. #include `` -If you would like to run our wolfcrypt test or benchmark tool, add: `#include "test.h"` or `#include benchmark.h`. +If you would like to run our wolfcrypt test or benchmark tool, add: `#include "test.h"` or `#include benchmark.h`. Below is the code that was replaced in `ex_sss_entry()` to run the wolfcrypt test: diff --git a/wolfcrypt/src/port/nxp/se050_port.c b/wolfcrypt/src/port/nxp/se050_port.c index c011f29ce..3444dcd81 100644 --- a/wolfcrypt/src/port/nxp/se050_port.c +++ b/wolfcrypt/src/port/nxp/se050_port.c @@ -26,18 +26,25 @@ #include #include + +#ifdef WOLFSSL_SE050 + #include #include #include #include #include - - -#ifdef WOLFSSL_SE050 +#include #include -#include "fsl_sss_api.h" -#include "fsl_sss_se05x_types.h" + +#ifdef WOLFSSL_SE050_INIT + #ifndef SE050_DEFAULT_PORT + #define SE050_DEFAULT_PORT "/dev/i2c-1" + #endif + + #include "ex_sss_boot.h" +#endif #ifdef WOLFSSL_SP_MATH struct sp_int; @@ -77,6 +84,34 @@ int wc_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, return 0; } +#ifdef WOLFSSL_SE050_INIT +int wc_se050_init(const char* portName) +{ + int ret; + sss_status_t status; + static ex_sss_boot_ctx_t pCtx; + + if (portName == NULL) { + portName = SE050_DEFAULT_PORT; + } + + status = ex_sss_boot_open(&pCtx, portName); + if (status == kStatus_SSS_Success) { + ret = wc_se050_SetConfig(&pCtx.session, + #if SSS_HAVE_HOSTCRYPTO_ANY + &pCtx.host_ks, + #else + NULL, + #endif + &pCtx.ks); + } + else { + ret = WC_HW_E; + } + return ret; +} +#endif + int se050_allocate_key(void) { static int keyId_allocater = 100; @@ -90,6 +125,10 @@ int se050_get_random_number(uint32_t count, uint8_t* rand_out) sss_rng_context_t rng; int ret = 0; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (wolfSSL_CryptHwMutexLock() != 0) { return BAD_MUTEX_E; } @@ -157,6 +196,10 @@ int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, int leftover = (se050Ctx->len) % SSS_BLOCK_SIZE; const byte* blocks = data; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (wolfSSL_CryptHwMutexLock() != 0) { return BAD_MUTEX_E; } @@ -167,18 +210,19 @@ int se050_hash_final(SE050_HASH_Context* se050Ctx, byte* hash, size_t digestLen, status = sss_digest_init(&digest_ctx); } if (status == kStatus_SSS_Success) { - /* used to send chunks of size 512 */ - while (status == kStatus_SSS_Success && size--) { - status = sss_digest_update(&digest_ctx, blocks, SSS_BLOCK_SIZE); - blocks += SSS_BLOCK_SIZE; + /* used to send chunks of size 512 */ + while (status == kStatus_SSS_Success && size--) { + status = sss_digest_update(&digest_ctx, blocks, SSS_BLOCK_SIZE); + blocks += SSS_BLOCK_SIZE; + } + if (status == kStatus_SSS_Success && leftover) { + status = sss_digest_update(&digest_ctx, blocks, leftover); + } + if (status == kStatus_SSS_Success) { + status = sss_digest_finish(&digest_ctx, hash, &digestLen); + } + sss_digest_context_free(&digest_ctx); } - if (status == kStatus_SSS_Success && leftover) { - status = sss_digest_update(&digest_ctx, blocks, leftover); - } - if (status == kStatus_SSS_Success) { - status = sss_digest_finish(&digest_ctx, hash, &digestLen); - } - sss_digest_context_free(&digest_ctx); wolfSSL_CryptHwMutexUnLock(); @@ -200,7 +244,9 @@ int se050_aes_set_key(Aes* aes, const byte* key, word32 len, int keyId = se050_allocate_key(); int ret = BAD_MUTEX_E; - WOLFSSL_MSG("se050_set_key"); + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } (void)dir; (void)iv; @@ -252,6 +298,10 @@ int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, sss_key_store_t host_keystore; int ret = BAD_MUTEX_E; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + XMEMSET(&mode, 0, sizeof(mode)); if (dir == AES_DECRYPTION) @@ -292,7 +342,8 @@ int se050_aes_crypt(Aes* aes, const byte* in, byte* out, word32 sz, int dir, } } if (status == kStatus_SSS_Success) { - status = sss_cipher_update(&aes->aes_ctx, in, sz, out, &sz); + size_t outSz = (size_t)sz; + status = sss_cipher_update(&aes->aes_ctx, in, sz, out, &outSz); } wolfSSL_CryptHwMutexUnLock(); @@ -308,11 +359,15 @@ void se050_aes_free(Aes* aes) sss_key_store_t host_keystore; sss_object_t keyObject; + if (cfg_se050_i2c_pi == NULL) { + return; + } + /* sets back to zero to indicate that a free has been called */ aes->ctxInitDone = 0; if (wolfSSL_CryptHwMutexLock() != 0) { - return BAD_MUTEX_E; + return; } status = sss_key_store_context_init(&host_keystore, cfg_se050_i2c_pi); @@ -350,6 +405,10 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out, int keysize = (word32)key->dp->size; int ret = BAD_MUTEX_E; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + /* truncate if digest is larger than 64 */ if (inLen > 64) inLen = 64; @@ -397,8 +456,10 @@ int se050_ecc_sign_hash_ex(const byte* in, word32 inLen, byte* out, } if (status == kStatus_SSS_Success) { + size_t outLenSz = (size_t)*outLen; status = sss_asymmetric_sign_digest(&ctx_asymm, (uint8_t *)in, inLen, - out, outLen); + out, &outLenSz); + *outLen = outLenSz; } sss_asymmetric_context_free(&ctx_asymm); @@ -427,10 +488,12 @@ int se050_ecc_verify_hash_ex(const byte* hash, word32 hashLen, byte* signature, int ret; int keySize = (word32)key->dp->size; - WOLFSSL_MSG("se050_ecc_verify_hash_ex"); - *res = 0; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (hashLen > 64) hashLen = 64; @@ -547,6 +610,10 @@ int se050_ecc_free_key(struct ecc_key* key) int ret = WC_HW_E; sss_key_store_t host_keystore; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (key->keyId <= 0) { return BAD_FUNC_ARG; } @@ -589,6 +656,11 @@ int se050_ecc_create_key(struct ecc_key* key, int curve_id, int keySize) size_t keyPairExportBitLen = sizeof(keyPairExport) * 8; int ret; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + + (void)curve_id; if (wolfSSL_CryptHwMutexLock() != 0) { @@ -647,7 +719,11 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, size_t ecdhKeyLen = keySize; size_t ecdhKeyBitLen = keySize; int ret = WC_HW_E; - + + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (private_key->keyId <= 0 || public_key->keyId <= 0) { return BAD_FUNC_ARG; } @@ -711,8 +787,10 @@ int se050_ecc_shared_secret(ecc_key* private_key, ecc_key* public_key, } if (status == kStatus_SSS_Success) { - status = sss_key_store_get_key(hostKeyStore, &deriveKey, out, outlen, + size_t outlenSz = (size_t)*outlen; + status = sss_key_store_get_key(hostKeyStore, &deriveKey, out, &outlenSz, &ecdhKeyBitLen); + *outlen = outlenSz; } if (ctx_derive_key.session != NULL) sss_derive_key_context_free(&ctx_derive_key); @@ -741,6 +819,10 @@ int se050_ed25519_create_key(ed25519_key* key) int keyId; int ret = 0; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (wolfSSL_CryptHwMutexLock() != 0) { return BAD_MUTEX_E; } @@ -786,6 +868,10 @@ void se050_ed25519_free_key(ed25519_key* key) sss_object_t newKey; sss_key_store_t host_keystore; + if (cfg_se050_i2c_pi == NULL) { + return; + } + if (wolfSSL_CryptHwMutexLock() != 0) { return BAD_MUTEX_E; } @@ -819,6 +905,10 @@ int se050_ed25519_sign_msg(const byte* in, word32 inLen, byte* out, inLen = 64; *outLen = 64; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + if (wolfSSL_CryptHwMutexLock() != 0) { return BAD_MUTEX_E; } @@ -869,6 +959,10 @@ int se050_ed25519_verify_msg(const byte* signature, word32 signatureLen, sss_key_store_t host_keystore; int ret = 0; + if (cfg_se050_i2c_pi == NULL) { + return WC_HW_E; + } + msgLen = 64; if (wolfSSL_CryptHwMutexLock() != 0) { diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 23fb898d8..01570b0ed 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -91,6 +91,10 @@ #include #endif +#if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_INIT) +#include +#endif + #ifdef WOLFSSL_SCE #include "hal_data.h" #endif @@ -230,6 +234,10 @@ int wolfCrypt_Init(void) ret = sl_se_init(); #endif + #if defined(WOLFSSL_SE050) && defined(WOLFSSL_SE050_INIT) + ret = wc_se050_init(NULL); + #endif + #ifdef WOLFSSL_ARMASM WOLFSSL_MSG("Using ARM hardware acceleration"); #endif diff --git a/wolfssl/wolfcrypt/port/nxp/se050_port.h b/wolfssl/wolfcrypt/port/nxp/se050_port.h index 9208b4443..d5a7447cd 100644 --- a/wolfssl/wolfcrypt/port/nxp/se050_port.h +++ b/wolfssl/wolfcrypt/port/nxp/se050_port.h @@ -23,8 +23,25 @@ #define _SE050_PORT_H_ #include +#include +#ifdef __GNUC__ +#pragma GCC diagnostic push +#pragma GCC diagnostic ignored "-Wundef" +#pragma GCC diagnostic ignored "-Wredundant-decls" +#endif + +#include "fsl_sss_se05x_types.h" +#include "fsl_sss_se05x_apis.h" + +#if (SSS_HAVE_SSS > 1) #include "fsl_sss_api.h" +#endif + +#ifdef __GNUC__ +#pragma GCC diagnostic pop +#endif + enum { SSS_BLOCK_SIZE = 512 @@ -37,10 +54,14 @@ typedef struct { word32 len; } SE050_HASH_Context; - +/* Public Functions */ WOLFSSL_API int wc_se050_SetConfig(sss_session_t *pSession, sss_key_store_t *pHostKeyStore, sss_key_store_t *pKeyStore); +#ifdef WOLFSSL_SE050_INIT +WOLFSSL_API int wc_se050_init(const char* portName); +#endif +/* Private Functions */ WOLFSSL_LOCAL int se050_allocate_key(void); WOLFSSL_LOCAL int se050_get_random_number(uint32_t count, uint8_t* rand_out);