Merge pull request #6794 from RonEld/cc310_porting

Cryptocell 310 support

Author: Cruz Monrreal

.astyleignore

@@ -1,5 +1,6 @@
 BUILD
 cmsis
+features/cryptocell
 features/mbedtls
 features/FEATURE_LWIP/lwip
 rtos/TARGET_CORTEX/rtx4

doxyfile_options

@@ -841,6 +841,7 @@ EXCLUDE_PATTERNS       = */tools/* \
                          */BUILD/* \
                          */rtos/TARGET_CORTEX/rtx* \
                          */cmsis/* \
+                         */features/cryptocell/* \
                          */features/mbedtls/* \
                          */features/storage/* \
                          */features/unsupported/* \

features/cryptocell/FEATURE_CRYPTOCELL310/Readme.md

@@ -0,0 +1,21 @@
+# Guidelines for porting Cryptocell to Mbed OS
+
+Cryptocell (CC) 310 is a hardware accelerator that can be ported to several boards, assuming these boards have CC 310 embedded in their hardware.
+
+The CC 310 driver consists of three libraries:
+
+* A common core library(`libcc_core.a`).
+* A platform-specific TRNG library, containing TRNG-related information, for sampling sufficient entropy on the specific platform(`libcc_trng.a`).
+* A platform-specific library containing extra information, such as the CC register's base addresses on the specific board. (`libcc_ext.a`)
+
+To port your CC 310 driver to Mbed OS on your specific target, do the following:
+
+1. In `targets.json` add the following  to your target:
+ 	* `MBEDTLS_CONFIG_HW_SUPPORT` to `macros_add` key. This instructs Mbed TLS to look for an alternative cryptographic implementation.
+ 	* `CRYPTOCELL310` to `feature`. Use this in your common code that you need to remove from compilation in case CC exists in your board. Use `#if !defined(FEATURE_CRYPTOCELL310)` and  `#if defined(FEATURE_CRYPTOCELL310)`.
+1. In `objects.h`, include `objects_cryptocell.h`. You can use the `FEATURE_CRYPTOCELL310` precompilation check as defined above.
+1. In `features/cryptocell/FEATURE_CRYPTOCELL310/TARGET_<target name>`, add your platform-specific libraries for all toolchains in `TOOLCHAIN_ARM`, `TOOLCHAIN_GCC_ARM` and `TOOLCHAIN_IAR` respectively.
+1. Add your CC setup code:
+	* Implement `cc_platform_setup()` and `cc_platform_terminate()` to enable CC on your platform, in case you have board-specific setup functionality, required for CC setup. These functions can be empty.
+	* Define `cc_platform_ctx` in `cc_platform.h` in a way that suits your implementation.
+ 

features/cryptocell/FEATURE_CRYPTOCELL310/TARGET_MCU_NRF52840/TOOLCHAIN_ARM/libcc_310_ext.ar

@@ -0,0 +1,33 @@
+/*
+  *  cc_platform.h
+  *
+  *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+  *  SPDX-License-Identifier: Apache-2.0
+  *
+  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  *  not use this file except in compliance with the License.
+  *  You may obtain a copy of the License at
+  *
+  *  http://www.apache.org/licenses/LICENSE-2.0
+  *
+  *  Unless required by applicable law or agreed to in writing, software
+  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  *  See the License for the specific language governing permissions and
+  *  limitations under the License.
+  *
+  */
+#ifndef __CC_PLATFORM_H_
+#define __CC_PLATFORM_H_
+/**
+ * \brief   The CC platform context structure.
+ *
+ * \note    This structure may be used to assist platform-specific
+ *          setup or teardown operations.
+ */
+typedef struct {
+    char dummy; /**< Placeholder member, as empty structs are not portable. */
+}
+cc_platform_ctx;
+
+#endif /* __CC_PLATFORM_H_ */

features/cryptocell/FEATURE_CRYPTOCELL310/TARGET_MCU_NRF52840/TOOLCHAIN_ARM/libcc_310_trng.ar

@@ -0,0 +1,33 @@
+ /*
+  *  cc_platform_nrf52840.c
+  *
+  *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+  *  SPDX-License-Identifier: Apache-2.0
+  *
+  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+  *  not use this file except in compliance with the License.
+  *  You may obtain a copy of the License at
+  *
+  *  http://www.apache.org/licenses/LICENSE-2.0
+  *
+  *  Unless required by applicable law or agreed to in writing, software
+  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  *  See the License for the specific language governing permissions and
+  *  limitations under the License.
+  *
+  */
+
+#include "platform_alt.h"
+#include "nrf52840.h"
+
+int cc_platform_setup( cc_platform_ctx *ctx )
+{
+    NRF_CRYPTOCELL->ENABLE = 1;
+    return ( 0 );
+}
+
+void cc_platform_terminate( cc_platform_ctx *ctx )
+{
+    NRF_CRYPTOCELL->ENABLE = 0;
+}

features/cryptocell/FEATURE_CRYPTOCELL310/TARGET_MCU_NRF52840/TOOLCHAIN_ARM/libnrf_cc310_ext_softfp_0.9.9.a

@@ -0,0 +1,153 @@
+/*
+ *  cc_internal.c
+ *
+ *  Internal utility functions and definitions,
+ *  used for converting mbedtls types to CC types, and vice versa
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+#include "cc_internal.h"
+#include "crys_ecpki_error.h"
+#include "crys_ec_mont_edw_error.h"
+
+CRYS_ECPKI_DomainID_t convert_mbedtls_grp_id_to_crys_domain_id( mbedtls_ecp_group_id grp_id )
+{
+    switch( grp_id )
+    {
+    case MBEDTLS_ECP_DP_SECP192K1:
+        return ( CRYS_ECPKI_DomainID_secp192k1 );
+    case MBEDTLS_ECP_DP_SECP192R1:
+        return ( CRYS_ECPKI_DomainID_secp192r1 );
+    case MBEDTLS_ECP_DP_SECP224K1:
+        return ( CRYS_ECPKI_DomainID_secp224k1 );
+    case MBEDTLS_ECP_DP_SECP224R1:
+        return ( CRYS_ECPKI_DomainID_secp224r1 );
+    case MBEDTLS_ECP_DP_SECP256K1:
+        return ( CRYS_ECPKI_DomainID_secp256k1 );
+    case MBEDTLS_ECP_DP_SECP256R1:
+        return ( CRYS_ECPKI_DomainID_secp256r1 );
+    case MBEDTLS_ECP_DP_SECP384R1:
+        return ( CRYS_ECPKI_DomainID_secp384r1 );
+    case MBEDTLS_ECP_DP_SECP521R1:
+        return ( CRYS_ECPKI_DomainID_secp521r1 );
+    default:
+        return ( CRYS_ECPKI_DomainID_OffMode );
+    }
+
+}
+
+uint32_t convert_mbedtls_to_cc_rand( void* mbedtls_rnd_ctx, uint16_t outSizeBytes, uint8_t* out_ptr )
+{
+    uint16_t i = 0;
+    uint8_t temp = 0;
+    mbedtls_rand_func_container* mbedtls_rand = (mbedtls_rand_func_container*)mbedtls_rnd_ctx;
+
+    if( mbedtls_rand->f_rng( mbedtls_rand->ctx, out_ptr, outSizeBytes ) != 0 )
+        return ( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+    /*
+     * CC requires the random data as LE, so reversing the data
+     * (although this is random, but test vectors are in specific Endianess)
+     */
+    while ( i < ( outSizeBytes / 2 ) )
+    {
+        temp = out_ptr[outSizeBytes - 1 - i];
+        out_ptr[outSizeBytes - 1 - i] = out_ptr[i];
+        out_ptr[i] = temp;
+        ++i;
+    }
+    /*
+     * CC increases the random data by one, to put the vector in the proper range (1 to  n),
+     * The RFC tests supply a data buffer within range, and in order to generate the proper ephemeral key,
+     * need to decrease one from this data, before CC increases the data, so the output will be as expected
+     */
+    i = 0;
+    while( out_ptr[i] == 0 )
+    {
+        ++i;
+    }
+    while( i > 0 )
+    {
+        --out_ptr[i];
+        --i;
+    }
+    --out_ptr[0];
+    return ( 0 );
+}
+
+int convert_CrysError_to_mbedtls_err( CRYSError_t Crys_err )
+{
+    switch( Crys_err )
+    {
+    case CRYS_OK:
+        return ( 0 );
+
+    case CRYS_ECDH_SVDP_DH_INVALID_USER_PRIV_KEY_PTR_ERROR:
+    case CRYS_ECDH_SVDP_DH_USER_PRIV_KEY_VALID_TAG_ERROR:
+    case CRYS_ECDH_SVDP_DH_INVALID_PARTNER_PUBL_KEY_PTR_ERROR:
+    case CRYS_ECDH_SVDP_DH_PARTNER_PUBL_KEY_VALID_TAG_ERROR:
+    case CRYS_ECDH_SVDP_DH_INVALID_SHARED_SECRET_VALUE_PTR_ERROR:
+    case CRYS_ECDH_SVDP_DH_INVALID_TEMP_DATA_PTR_ERROR:
+    case CRYS_ECDH_SVDP_DH_INVALID_SHARED_SECRET_VALUE_SIZE_PTR_ERROR:
+    case CRYS_ECDH_SVDP_DH_NOT_CONCENT_PUBL_AND_PRIV_DOMAIN_ID_ERROR:
+    case CRYS_ECDH_SVDP_DH_INVALID_SHARED_SECRET_VALUE_SIZE_ERROR:
+    case CRYS_ECMONT_INVALID_INPUT_POINTER_ERROR:
+    case CRYS_ECMONT_INVALID_INPUT_SIZE_ERROR:
+    case CRYS_ECMONT_INVALID_DOMAIN_ID_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_USER_CONTEXT_PTR_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_USER_PRIV_KEY_PTR_ERROR:
+    case CRYS_ECDSA_SIGN_ILLEGAL_HASH_OP_MODE_ERROR:
+    case CRYS_ECDSA_SIGN_USER_PRIV_KEY_VALIDATION_TAG_ERROR:
+    case CRYS_ECDSA_SIGN_USER_CONTEXT_VALIDATION_TAG_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_MESSAGE_DATA_IN_PTR_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_MESSAGE_DATA_IN_SIZE_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_SIGNATURE_OUT_PTR_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_SIGNATURE_OUT_SIZE_PTR_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_IS_EPHEMER_KEY_INTERNAL_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_EPHEMERAL_KEY_PTR_ERROR:
+    case CRYS_ECDSA_VERIFY_INVALID_SIGNER_PUBL_KEY_PTR_ERROR:
+    case CRYS_ECDSA_VERIFY_SIGNER_PUBL_KEY_VALIDATION_TAG_ERROR:
+    case CRYS_ECDSA_VERIFY_INVALID_USER_CONTEXT_PTR_ERROR:
+    case CRYS_ECDSA_VERIFY_INVALID_SIGNATURE_IN_PTR_ERROR:
+    case CRYS_ECDSA_VERIFY_INVALID_SIGNATURE_SIZE_ERROR:
+    case CRYS_ECPKI_INVALID_RND_CTX_PTR_ERROR:
+    case CRYS_ECPKI_INVALID_RND_FUNC_PTR_ERROR:
+    case CRYS_ECDSA_SIGN_INVALID_SIGNATURE_OUT_SIZE_ERROR:
+        return ( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
+
+    case CRYS_ECDSA_VERIFY_INCONSISTENT_VERIFY_ERROR:
+        return ( MBEDTLS_ERR_ECP_VERIFY_FAILED );
+
+    case CRYS_ECMONT_IS_NOT_SUPPORTED:
+    case CRYS_ECEDW_IS_NOT_SUPPORTED:
+        return ( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
+
+    case CRYS_ECEDW_RND_GEN_VECTOR_FUNC_ERROR:
+        return ( MBEDTLS_ERR_ECP_RANDOM_FAILED );
+
+    case CRYS_ECPKI_GEN_KEY_INVALID_PRIVATE_KEY_PTR_ERROR:
+    case CRYS_ECPKI_EXPORT_PUBL_KEY_INVALID_PUBL_KEY_DATA_ERROR:
+    case CRYS_ECPKI_BUILD_KEY_INVALID_PRIV_KEY_DATA_ERROR:
+        return ( MBEDTLS_ERR_ECP_INVALID_KEY );
+
+    default:
+        return ( MBEDTLS_ERR_ECP_HW_ACCEL_FAILED );
+    }
+
+
+}

features/cryptocell/FEATURE_CRYPTOCELL310/TARGET_MCU_NRF52840/TOOLCHAIN_ARM/libnrf_cc310_trng_softfp_0.9.9.a

@@ -0,0 +1,133 @@
+/*
+ *  cc_internal.h
+ *
+ *  Internal utility functions and definitions,
+ *  used for converting mbedtls types to CC types, and vice versa
+ *
+ *  Copyright (C) 2018, Arm Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+
+#ifndef __CC_INTERNAL_H__
+#define __CC_INTERNAL_H__
+#include "crys_ecpki_types.h"
+#include "crys_ec_mont_api.h"
+#include "mbedtls/ecp.h"
+#include <stddef.h>
+#include <stdint.h>
+
+#define CURVE_25519_KEY_SIZE    32
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MAX_KEY_SIZE_IN_BYTES ( ( CRYS_ECPKI_MODUL_MAX_LENGTH_IN_WORDS ) * SASI_32BIT_WORD_SIZE)
+
+/* ECC utility functions and structures*/
+typedef struct cc_ecc_ws_keygen_params{
+    CRYS_ECPKI_UserPublKey_t pubKey;
+    CRYS_ECPKI_UserPrivKey_t privKey;
+    CRYS_ECPKI_KG_TempData_t kgTempData;
+} cc_ecc_ws_keygen_params_t;
+
+typedef struct cc_ecc_ws_comp_shared_params{
+    CRYS_ECPKI_UserPublKey_t pubKey;
+    CRYS_ECPKI_UserPrivKey_t privKey;
+    CRYS_ECDH_TempData_t     ecdhTempData;
+} cc_ecc_ws_comp_shared_params_t;
+
+typedef struct cc_ecc_ws_verify_params{
+    CRYS_ECPKI_UserPublKey_t pubKey;
+    CRYS_ECDSA_VerifyUserContext_t verifyContext;
+} cc_ecc_ws_verify_params_t;
+
+typedef struct cc_ecc_ws_sign_params{
+    CRYS_ECPKI_UserPrivKey_t privKey;
+    CRYS_ECDSA_SignUserContext_t signContext;
+} cc_ecc_ws_sign_params_t;
+
+typedef struct cc_ecc_25519_keygen_params{
+    uint8_t pubKey[CURVE_25519_KEY_SIZE];
+    uint8_t privKey[CURVE_25519_KEY_SIZE];
+    CRYS_ECMONT_TempBuff_t kgTempData;
+} cc_ecc_25519_keygen_params_t;
+
+typedef cc_ecc_25519_keygen_params_t cc_ecc_25519_comp_shared_params_t;
+
+/**
+ * \brief      This function converts mbedtls type mbedtls_ecp_group_id
+ *             to Cryptocell type CRYS_ECPKI_DomainID_t
+ *
+ * \param grp_id           The mbedtls mbedtls_ecp_group_id to convert
+ *
+ * \return     \c The corresponding CRYS_ECPKI_DomainID_t.
+ *                CRYS_ECPKI_DomainID_OffMode if not recognized.
+ */
+CRYS_ECPKI_DomainID_t convert_mbedtls_grp_id_to_crys_domain_id( mbedtls_ecp_group_id grp_id );
+
+/* f_rng conversion from mbedtls type to cc type*/
+typedef struct
+{
+    int  (*f_rng)( void* ctx, unsigned char* output, size_t outSizeBytes );
+    void* ctx;
+
+}mbedtls_rand_func_container;
+
+/**
+ * \brief      This function converts mbedtls f_rng type to
+ *             Cryptocell f_rng type(SaSiRndGenerateVectWorkFunc_t)
+ *
+ *             Note: The Mbed TLS type f_rng signature is:
+ *             int  (*f_rng)( void* ctx, unsigned char* output, size_t outSizeBytes );
+ *             while CC f_rng signature is:
+ *             uint32_t (*SaSiRndGenerateVectWorkFunc_t)(
+ *                        void  *rndState_ptr,
+ *                        uint16_t outSizeBytes,
+ *                        uint8_t          *out_ptr)
+ *
+ *             so the Mbed TLS f_rng can't  be sent as is to the CC API.
+ *
+ *             In addition, this function manipulates the different random data,
+ *             to adjust between the way Cryptocell reads the random data. This is done for
+ *             different standard tests to pass.
+ *
+ *
+ * \param mbedtls_rand      The mbedtls rnd context pointer
+ * \param outSizeBytes      The size of the output buffer
+ * \param out_ptr           Pointer to the output buffer
+ *
+ * \return     \c The corresponding CRYS_ECPKI_DomainID_t.
+ *                CRYS_ECPKI_DomainID_OffMode if not recognized.
+ */
+
+uint32_t convert_mbedtls_to_cc_rand( void* mbedtls_rand, uint16_t outSizeBytes, uint8_t* out_ptr );
+
+/**
+ * \brief      This function convertsCryptocell error
+ *             Mbed TLS related error.
+ *
+ *
+ * \return     \c The corresponding Mbed TLS error,
+ *                MBEDTLS_ERR_ECP_HW_ACCEL_FAILED as default, if none found
+ */
+int convert_CrysError_to_mbedtls_err( CRYSError_t Crys_err );
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* __CC_INTERNAL_H__ */