diff --git a/.github/workflows/test-configs.yml b/.github/workflows/test-configs.yml index a915232bf3..2ed917edef 100644 --- a/.github/workflows/test-configs.yml +++ b/.github/workflows/test-configs.yml @@ -320,6 +320,12 @@ jobs: arch: arm config-file: ./config/examples/stm32h5-tz.config + stm32h5_tz_tpm_test: + uses: ./.github/workflows/test-build.yml + with: + arch: arm + config-file: ./config/examples/stm32h5-tz-tpm.config + stm32h5_tz_dualbank_test: uses: ./.github/workflows/test-build.yml with: diff --git a/Makefile b/Makefile index 5357a90f28..453501cc22 100644 --- a/Makefile +++ b/Makefile @@ -531,6 +531,7 @@ cppcheck: cppcheck -f --enable=warning --enable=portability \ --suppress="ctunullpointer" --suppress="nullPointer" \ --suppress="objectIndex" --suppress="comparePointers" \ + --check-level=exhaustive \ --error-exitcode=89 --std=c89 src/*.c hal/*.c hal/spi/*.c hal/uart/*.c otp: tools/keytools/otp/otp-keystore-primer.bin FORCE diff --git a/arch.mk b/arch.mk index 61d9313d9f..7c0335c546 100644 --- a/arch.mk +++ b/arch.mk @@ -101,7 +101,7 @@ ifeq ($(ARCH),AARCH64) MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_c32.o MATH_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/sp_arm64.o endif - ifeq ($(NO_ARM_ASM),0) + ifneq ($(NO_ARM_ASM),1) ARCH_FLAGS=-mstrict-align CFLAGS+=$(ARCH_FLAGS) -DWOLFSSL_ARMASM -DWOLFSSL_ARMASM_INLINE -DWC_HASH_DATA_ALIGNMENT=8 -DWOLFSSL_AARCH64_PRIVILEGE_MODE WOLFCRYPT_OBJS += $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/cpuid.o \ @@ -250,7 +250,6 @@ ifeq ($(ARCH),ARM) WOLFBOOT_ORIGIN=0x10000000 ifeq ($(TZEN),1) LSCRIPT_IN=hal/$(TARGET).ld - CFLAGS+=-DTZEN else LSCRIPT_IN=hal/$(TARGET)-ns.ld endif @@ -323,7 +322,6 @@ else $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-chacha-asm.o \ $(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/port/arm/thumb2-chacha-asm_c.o - CORTEXM_ARM_EXTRA_CFLAGS+=-DWOLFSSL_ARMASM -DWOLFSSL_ARMASM_NO_HW_CRYPTO \ -DWOLFSSL_ARMASM_NO_NEON -DWOLFSSL_ARMASM_THUMB2 endif @@ -420,10 +418,6 @@ endif endif endif -ifeq ($(TZEN),1) - CFLAGS+=-DTZEN -endif - ## Renesas RX ifeq ($(ARCH),RENESAS_RX) diff --git a/config/examples/stm32h5-tz-tpm.config b/config/examples/stm32h5-tz-tpm.config new file mode 100644 index 0000000000..fbf69e49cf --- /dev/null +++ b/config/examples/stm32h5-tz-tpm.config @@ -0,0 +1,32 @@ +ARCH?=ARM +TZEN?=1 +TARGET?=stm32h5 +SIGN?=ECC256 +HASH?=SHA256 +DEBUG?=0 +VTOR?=1 +CORTEX_M0?=0 +CORTEX_M33?=1 +NO_ASM?=0 +NO_MPU=1 +EXT_FLASH?=0 +SPI_FLASH?=0 +ALLOW_DOWNGRADE?=0 +NVM_FLASH_WRITEONCE?=1 +WOLFBOOT_VERSION?=1 +V?=0 +SPMATH?=1 +RAM_CODE?=1 +DUALBANK_SWAP?=0 +WOLFBOOT_PARTITION_SIZE?=0xA0000 +WOLFBOOT_SECTOR_SIZE?=0x2000 +WOLFBOOT_PARTITION_BOOT_ADDRESS?=0x08060000 +WOLFBOOT_PARTITION_UPDATE_ADDRESS?=0x0C100000 +WOLFBOOT_PARTITION_SWAP_ADDRESS?=0x0C1A0000 +FLAGS_HOME=0 +DISABLE_BACKUP=0 +WOLFCRYPT_TZ=1 +WOLFCRYPT_TZ_PKCS11=1 +IMAGE_HEADER_SIZE?=1024 +ARMORED=1 +WOLFTPM=1 \ No newline at end of file diff --git a/hal/spi/spi_drv_stm32.c b/hal/spi/spi_drv_stm32.c index c99d1f3183..c732352a29 100644 --- a/hal/spi/spi_drv_stm32.c +++ b/hal/spi/spi_drv_stm32.c @@ -83,6 +83,8 @@ void RAMFUNCTION stm_gpio_config(uint32_t base, uint32_t pin, uint32_t mode, /* Enable GPIO clock */ RCC_GPIO_CLOCK_ER |= (1 << base_num); + /* Delay after an RCC peripheral clock enabling */ + reg = RCC_GPIO_CLOCK_ER; /* Set Mode and Alternate Function */ reg = GPIO_MODE(base) & ~(0x03UL << (pin * 2)); @@ -112,6 +114,10 @@ void RAMFUNCTION stm_gpio_config(uint32_t base, uint32_t pin, uint32_t mode, /* configure output speed 0=low, 1=med, 2=high, 3=very high */ reg = GPIO_OSPD(base) & ~(0x03UL << (pin * 2)); GPIO_OSPD(base) |= (speed << (pin * 2)); + +#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) + /* TODO: Consider setting GPIO_SECCFGR(base) */ +#endif } #if defined(SPI_FLASH) || defined(WOLFBOOT_TPM) @@ -369,24 +375,14 @@ int qspi_transfer(uint8_t fmode, const uint8_t cmd, #if defined(SPI_FLASH) || defined(WOLFBOOT_TPM) uint8_t RAMFUNCTION spi_read(void) { - volatile uint32_t reg; - do { - reg = SPI1_SR; - } while(!(reg & SPI_SR_RX_NOTEMPTY)); - return (uint8_t)SPI1_DR; + while (!(SPI1_SR & SPI_SR_RX_NOTEMPTY)); + return SPI1_RXDR; } void RAMFUNCTION spi_write(const char byte) { - int i; - volatile uint32_t reg; - do { - reg = SPI1_SR; - } while ((reg & SPI_SR_TX_EMPTY) == 0); - SPI1_DR = byte; - do { - reg = SPI1_SR; - } while ((reg & SPI_SR_TX_EMPTY) == 0); + while (!(SPI1_SR & SPI_SR_TX_EMPTY)); + SPI1_TXDR = (uint8_t)byte; } #endif /* SPI_FLASH || WOLFBOOT_TPM */ @@ -398,7 +394,6 @@ void RAMFUNCTION spi_init(int polarity, int phase) /* Setup clocks */ #if defined(QSPI_FLASH) || defined(OCTOSPI_FLASH) - #ifdef TARGET_stm32u5 /* Clock configuration for QSPI defaults to SYSCLK * (RM0456 section 11.8.47) @@ -413,6 +408,10 @@ void RAMFUNCTION spi_init(int polarity, int phase) #if defined(SPI_FLASH) || defined(WOLFBOOT_TPM) APB2_CLOCK_ER |= SPI1_APB2_CLOCK_ER_VAL; + #ifdef TARGET_stm32h5 + RCC_CCIPR3 &= ~ (RCC_CCIPR3_SPI1SEL_MASK << RCC_CCIPR3_SPI1SEL_SHIFT); + RCC_CCIPR3 |= (0 << RCC_CCIPR3_SPI1SEL_SHIFT); /* PLL1_Q */ + #endif #endif /* reset peripheral before setting up GPIO pins */ @@ -486,14 +485,39 @@ void RAMFUNCTION spi_init(int polarity, int phase) #endif #if defined(SPI_FLASH) || defined(WOLFBOOT_TPM) /* Configure SPI1 for master mode */ -# ifdef TARGET_stm32l0 - SPI1_CR1 = SPI_CR1_MASTER | (polarity << 1) | (phase << 0); -# else - /* baud rate 5 (hclk/6) */ - SPI1_CR1 = SPI_CR1_MASTER | (5 << 3) | (polarity << 1) | (phase << 0); -# endif + SPI1_CR1 &= ~SPI_CR1_SPI_EN; + #if defined(TARGET_stm32h5) + /* Clear any faults in the status register */ + SPI1_IFCR = (SPI_IFCR_SUSPC | SPI_IFCR_MODFC | SPI_IFCR_TIFREC | + SPI_IFCR_OVRC | SPI_IFCR_UDRC); + + /* baud rate 2 (hclk/8), data size (8-bits), CRC Size (8-bits), + * FIFO threshold level (1-data) */ + SPI1_CFG1 = ( + ((2 & SPI_CFG1_BAUDRATE_MASK) << SPI_CFG1_BAUDRATE_SHIFT) | + ((7 & SPI_CFG1_CRCSIZE_MASK) << SPI_CFG1_CRCSIZE_SHIFT) | + ((0 & SPI_CFG1_FTHLV_MASK) << SPI_CFG1_FTHLV_SHIFT) | + ((7 & SPI_CFG1_DSIZE_MASK) << SPI_CFG1_DSIZE_SHIFT)); + SPI1_CFG2 = SPI_CFG2_MASTER | SPI_CFG2_SSOE | + (polarity << SPI_CFG2_CLOCK_POL_SHIFT) | + (phase << SPI_CFG2_CLOCK_PHASE_SHIFT); + #else + #ifndef TARGET_stm32l0 /* use existing/default baud for L0 */ + /* Baud rate 5 (hclk/6), data size 8 bits */ + SPI1_CR1 |= ((5 & SPI_CR1_BAUDRATE_MASK) << SPI_CR1_BAUDRATE_SHIFT); + #endif + SPI1_CR1 &= ~((1 << SPI_CR1_CLOCK_POL_SHIFT) | (1 << SPI_CR1_CLOCK_PHASE_SHIFT)); + SPI1_CR1 |= SPI_CR1_MASTER | + (polarity << SPI_CR1_CLOCK_POL_SHIFT) | + (phase << SPI_CR1_CLOCK_PHASE_SHIFT); SPI1_CR2 |= SPI_CR2_SSOE; - SPI1_CR1 |= SPI_CR1_SPI_EN; + #endif + + SPI1_CR1 |= SPI_CR1_SPI_EN; /* Enable SPI */ + + #ifdef SPI_CR1_CSTART + SPI1_CR1 |= SPI_CR1_CSTART; /* use continuous start mode */ + #endif #endif /* SPI_FLASH || WOLFBOOOT_TPM */ } } @@ -505,8 +529,12 @@ void RAMFUNCTION spi_release(void) } if (initialized == 0) { spi_reset(); - #if defined (SPI_FLASH) || defined(WOLFBOOT_TPM) + #if defined(SPI_FLASH) || defined(WOLFBOOT_TPM) + #if defined(TARGET_stm32h5) + SPI1_CFG2 &= ~SPI_CFG2_SSOE; + #else SPI1_CR2 &= ~SPI_CR2_SSOE; + #endif SPI1_CR1 = 0; #endif stm_pins_release(); diff --git a/hal/spi/spi_drv_stm32.h b/hal/spi/spi_drv_stm32.h index ab4e6759b0..8197e3a2c9 100644 --- a/hal/spi/spi_drv_stm32.h +++ b/hal/spi/spi_drv_stm32.h @@ -29,7 +29,6 @@ #define GPIOC_BASE (0x40020800) #define GPIOD_BASE (0x40020C00) #define GPIOE_BASE (0x40021000) -#define GPIO_BASE GPIOA_BASE #define SPI_GPIO GPIOB_BASE #define SPI_CS_GPIO GPIOE_BASE #define SPI_CS_FLASH 1 /* Flash CS connected to GPIOE1 */ @@ -40,6 +39,28 @@ #define SPI_MOSI_PIN 5 /* SPI_MOSI PB5 */ #endif /* TARGET_stm32f4 */ + +#ifdef TARGET_stm32h5 +#include "hal/stm32h5.h" + +#define APB2_CLOCK_RST RCC_APB2_CLOCK_RSTR +#define APB2_CLOCK_ER RCC_APB2_CLOCK_ER +#define RCC_GPIO_CLOCK_ER RCC_AHB2ENR_CLOCK_ER + +/* Nucleo STM32H573ZI SPI_A Port (SPI1) */ +#define SPI_CLOCK_PIO_BASE GPIOA_BASE +#define SPI_MISO_PIO_BASE GPIOG_BASE +#define SPI_MOSI_PIO_BASE GPIOB_BASE +#define SPI_CS_TPM_PIO_BASE GPIOD_BASE + +#define SPI_PIN_AF 5 /* Alternate function for SPI pins */ +#define SPI_CLOCK_PIN 5 /* SPI_SCK: PA5 */ +#define SPI_MISO_PIN 9 /* SPI_MISO PG9 */ +#define SPI_MOSI_PIN 5 /* SPI_MOSI PB5 */ +#define SPI_CS_TPM 14 /* TPM CS connected to PD14 */ +#endif /* TARGET_stm32h5 */ + + #ifdef TARGET_stm32u5 #ifdef TZEN @@ -405,15 +426,67 @@ #define SPI1_APB2_CLOCK_ER_VAL (1 << 12) +#if defined(TARGET_stm32h5) +/* newer SPI/I2S peripheral */ +#define SPI1_CR1 (*(volatile uint32_t *)(SPI1_BASE)) +#define SPI1_CR2 (*(volatile uint32_t *)(SPI1_BASE + 0x04)) +#define SPI1_CFG1 (*(volatile uint32_t *)(SPI1_BASE + 0x08)) +#define SPI1_CFG2 (*(volatile uint32_t *)(SPI1_BASE + 0x0C)) +#define SPI1_SR (*(volatile uint32_t *)(SPI1_BASE + 0x14)) +#define SPI1_IFCR (*(volatile uint32_t *)(SPI1_BASE + 0x18)) +#define SPI1_TXDR (*(volatile uint8_t *)(SPI1_BASE + 0x20)) +#define SPI1_RXDR (*(volatile uint8_t *)(SPI1_BASE + 0x30)) + +#define SPI_CR1_SPI_EN (1 << 0) +#define SPI_CR1_MASRX (1 << 8) /* master automatic suspension in Receive mode */ +#define SPI_CR1_CSTART (1 << 9) /* Continous start */ +#define SPI_CR1_SSI (1 << 12) /* Internal slave select signal input level */ +#define SPI_CFG1_DSIZE_MASK (0x1F) +#define SPI_CFG1_DSIZE_SHIFT (0) +#define SPI_CFG1_FTHLV_MASK (0x1F) +#define SPI_CFG1_FTHLV_SHIFT (5) +#define SPI_CFG1_CRCSIZE_MASK (0x1F) +#define SPI_CFG1_CRCSIZE_SHIFT (16) +#define SPI_CFG1_BAUDRATE_MASK (0x07) +#define SPI_CFG1_BAUDRATE_SHIFT (28) + +#define SPI_CFG2_MASTER (1 << 22) +#define SPI_CFG2_LSBFIRST (1 << 23) +#define SPI_CFG2_CLOCK_PHASE_SHIFT (24) +#define SPI_CFG2_CLOCK_POL_SHIFT (25) +#define SPI_CFG2_SSM (1 << 26) +#define SPI_CFG2_SSOE (1 << 29) +#define SPI_CFG2_SSOM (1 << 30) +#define SPI_CFG2_AFCNTR (1 << 31) /* alternate function GPIOs control */ +#define SPI_CFG2_COMM_MASK (0x3) /* 0=full duplex, 1=simplex tx, 2=simplex rx, 3=half duplex */ +#define SPI_CFG2_COMM_SHIFT (17) + +#define SPI_IFCR_SUSPC (1 << 11) +#define SPI_IFCR_MODFC (1 << 9) +#define SPI_IFCR_TIFREC (1 << 8) +#define SPI_IFCR_CRCEC (1 << 7) +#define SPI_IFCR_OVRC (1 << 6) +#define SPI_IFCR_UDRC (1 << 5) +#define SPI_IFCR_TXTFC (1 << 4) +#define SPI_IFCR_EOTC (1 << 3) + +#define SPI_SR_RX_NOTEMPTY (1 << 0) +#define SPI_SR_TX_EMPTY (1 << 1) + +#else + +/* older SPI peripheral */ #define SPI1_CR1 (*(volatile uint32_t *)(SPI1_BASE)) #define SPI1_CR2 (*(volatile uint32_t *)(SPI1_BASE + 0x04)) #define SPI1_SR (*(volatile uint32_t *)(SPI1_BASE + 0x08)) -#define SPI1_DR (*(volatile uint32_t *)(SPI1_BASE + 0x0c)) +#define SPI1_TXDR (*(volatile uint8_t *)(SPI1_BASE + 0x0c)) +#define SPI1_RXDR (*(volatile uint8_t *)(SPI1_BASE + 0x0c)) -#define SPI_CR1_CLOCK_PHASE (1 << 0) -#define SPI_CR1_CLOCK_POLARITY (1 << 1) +#define SPI_CR1_CLOCK_PHASE_SHIFT (0) +#define SPI_CR1_CLOCK_POL_SHIFT (1) #define SPI_CR1_MASTER (1 << 2) -#define SPI_CR1_BAUDRATE (0x07 << 3) +#define SPI_CR1_BAUDRATE_MASK (0x07) +#define SPI_CR1_BAUDRATE_SHIFT (3) #define SPI_CR1_SPI_EN (1 << 6) #define SPI_CR1_LSBFIRST (1 << 7) #define SPI_CR1_SSI (1 << 8) @@ -428,6 +501,7 @@ #define SPI_SR_TX_EMPTY (1 << 1) #define SPI_SR_BUSY (1 << 7) +#endif /* GPIO */ #define GPIO_MODE(base) (*(volatile uint32_t *)(base + 0x00)) /* GPIOx_MODER */ @@ -438,6 +512,9 @@ #define GPIO_BSRR(base) (*(volatile uint32_t *)(base + 0x18)) /* GPIOx_BSRR */ #define GPIO_AFL(base) (*(volatile uint32_t *)(base + 0x20)) /* GPIOx_AFRL */ #define GPIO_AFH(base) (*(volatile uint32_t *)(base + 0x24)) /* GPIOx_AFRH */ +#ifndef GPIO_SECCFGR +#define GPIO_SECCFGR(base) (*(volatile uint32_t *)(base + 0x30)) /* GPIOx_SECCFGR */ +#endif #define GPIO_MODE_INPUT (0) #define GPIO_MODE_OUTPUT (1) diff --git a/hal/stm32h5.c b/hal/stm32h5.c index 157d4bb6f7..2cd5435e85 100644 --- a/hal/stm32h5.c +++ b/hal/stm32h5.c @@ -272,25 +272,25 @@ static void clock_pll_off(void) } -/*This implementation will setup MSI 48 MHz as PLL Source Mux, PLLCLK as System Clock Source*/ +/* If PLL_SRC_HSE is set then HSE (8MHz) is used otherwise HSI 64 MHz is used + * and system clock is 250MHz */ static void clock_pll_on(void) { uint32_t reg32; uint32_t plln, pllm, pllq, pllp, pllr, hpre, apb1pre, apb2pre, apb3pre, flash_waitstates; - #if PLL_SRC_HSE - pllm = 4; - plln = 250; - pllp = 2; - pllq = 2; + pllm = 1; + plln = 62; + pllp = 2; /* 250Mhz */ + pllq = 5; /* 100Mhz */ pllr = 2; #else - pllm = 1; - plln = 129; + pllm = 4; + plln = 31; pllp = 2; - pllq = 2; + pllq = 5; pllr = 2; #endif flash_waitstates = 5; @@ -348,16 +348,16 @@ static void clock_pll_on(void) #endif DMB(); - RCC_PLL1DIVR = ((plln - 1) << RCC_PLLDIVR_DIVN_SHIFT) | ((pllp - 1) << RCC_PLLDIVR_DIVP_SHIFT) | - ((pllq - 1) << RCC_PLLDIVR_DIVQ_SHIFT) | ((pllr - 1) << RCC_PLLDIVR_DIVR_SHIFT); + RCC_PLL1DIVR = ((plln - 1) << RCC_PLLDIVR_DIVN_SHIFT) | + ((pllp - 1) << RCC_PLLDIVR_DIVP_SHIFT) | + ((pllq - 1) << RCC_PLLDIVR_DIVQ_SHIFT) | + ((pllr - 1) << RCC_PLLDIVR_DIVR_SHIFT); DMB(); - /* Disable Fractional PLL */ RCC_PLL1CFGR &= ~RCC_PLLCFGR_PLLFRACEN; DMB(); - /* Configure Fractional PLL factor */ RCC_PLL1FRACR = 0x00000000; DMB(); @@ -373,8 +373,8 @@ static void clock_pll_on(void) RCC_PLL1CFGR &= ~RCC_PLLCFGR_PLLVCOSEL; DMB(); - /* Enable PLL1 system clock out (DIV: P) */ - RCC_PLL1CFGR |= RCC_PLLCFGR_PLL1PEN; + /* Enable PLL1 system clock out (DIV: P and Q) */ + RCC_PLL1CFGR |= RCC_PLLCFGR_PLL1PEN | RCC_PLLCFGR_PLL1QEN; /* Enable PLL1 */ RCC_CR |= RCC_CR_PLL1ON; @@ -386,11 +386,13 @@ static void clock_pll_on(void) apb3pre = RCC_APB_PRESCALER_DIV_NONE; reg32 = RCC_CFGR2; reg32 &= ~( (0x0F << RCC_CFGR2_HPRE_SHIFT) | - (0x07 << RCC_CFGR2_PPRE1_SHIFT) | - (0x07 << RCC_CFGR2_PPRE2_SHIFT) | - (0x07 << RCC_CFGR2_PPRE3_SHIFT)); - reg32 |= ((hpre) << RCC_CFGR2_HPRE_SHIFT) | ((apb1pre) << RCC_CFGR2_PPRE1_SHIFT) | - ((apb2pre) << RCC_CFGR2_PPRE2_SHIFT) | ((apb3pre) << RCC_CFGR2_PPRE3_SHIFT); + (0x07 << RCC_CFGR2_PPRE1_SHIFT) | + (0x07 << RCC_CFGR2_PPRE2_SHIFT) | + (0x07 << RCC_CFGR2_PPRE3_SHIFT)); + reg32 |= ( (hpre) << RCC_CFGR2_HPRE_SHIFT) | + ((apb1pre) << RCC_CFGR2_PPRE1_SHIFT) | + ((apb2pre) << RCC_CFGR2_PPRE2_SHIFT) | + ((apb3pre) << RCC_CFGR2_PPRE3_SHIFT); RCC_CFGR2 = reg32; DMB(); @@ -431,8 +433,8 @@ static void periph_unsecure(void) volatile uint32_t *nvic_itns; uint32_t nvic_reg_pos, nvic_reg_off; - /*Enable clock for User LED GPIOs */ - RCC_AHB2_CLOCK_ER|= LED_AHB2_ENABLE; + /* Enable clock for User LED GPIOs */ + RCC_AHB2_CLOCK_ER |= LED_AHB2_ENABLE; /* Enable GPIO clock for accessing SECCFGR registers */ RCC_AHB2_CLOCK_ER |= GPIOA_AHB2_CLOCK_ER; @@ -448,10 +450,10 @@ static void periph_unsecure(void) PWR_CR2 |= PWR_CR2_IOSV; - /*Un-secure User LED GPIO pins */ - GPIO_SECCFGR(GPIOG_BASE) &= ~(1 << 4); - GPIO_SECCFGR(GPIOB_BASE) &= ~(1 << 0); - GPIO_SECCFGR(GPIOF_BASE) &= ~(1 << 4); + /* Un-secure User LED GPIO pins */ + GPIO_SECCFGR(GPIOG_BASE) &= ~(1 << LED_BOOT_PIN); /* PG4 - Nucleo board - Orange Led */ + GPIO_SECCFGR(GPIOB_BASE) &= ~(1 << LED_USR_PIN); /* PB0 - Nucleo board - Green Led */ + GPIO_SECCFGR(GPIOF_BASE) &= ~(1 << LED_EXTRA_PIN); /* PF4 - Nucleo board - Blue Led */ /* Unsecure LPUART1 */ GPIO_SECCFGR(GPIOB_BASE) &= ~(1<= FLASH_BANK2_BASE) hal_tz_claim_nonsecure_area(address, len); /* Convert into secure address space */ @@ -97,7 +97,7 @@ int RAMFUNCTION hal_flash_write(uint32_t address, const uint8_t *data, int len) *cr &= ~FLASH_CR_PG; i+=8; } -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() hal_tz_release_nonsecure_area(); #endif return 0; @@ -170,7 +170,7 @@ int RAMFUNCTION hal_flash_erase(uint32_t address, int len) } else if(p >= (FLASH_BANK2_BASE) && (p <= (FLASH_TOP) )) { -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() /* When in secure mode, skip erasing non-secure pages: will be erased upon claim */ return 0; #endif @@ -305,7 +305,7 @@ static void clock_pll_on(int powersave) DMB(); } -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() static void periph_unsecure() { uint32_t pin; @@ -399,7 +399,7 @@ void hal_init(void) fork_bootloader(); #endif -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() hal_tz_sau_init(); hal_gtzc_init(); #endif @@ -411,8 +411,8 @@ void hal_prepare_boot(void) { #ifdef WOLFBOOT_RESTORE_CLOCK clock_pll_off(); - #endif -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#endif +#if TZ_SECURE() periph_unsecure(); #endif } diff --git a/hal/stm32l5.h b/hal/stm32l5.h index 0981ef29ab..6872fde2b9 100644 --- a/hal/stm32l5.h +++ b/hal/stm32l5.h @@ -27,10 +27,16 @@ #define ISB() __asm__ volatile ("isb") #define DSB() __asm__ volatile ("dsb") +#if (defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) && !defined(NONSECURE_APP)) +# define TZ_SECURE() (1) +#else +# define TZ_SECURE() (0) +#endif + /* STM32 L5 register configuration */ /*** RCC ***/ /*!< Memory & Instance aliases and base addresses for Non-Secure/Secure peripherals */ -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() /*Secure */ #define RCC_BASE (0x50021000) //RM0438 - Table 4 #else @@ -126,7 +132,7 @@ /*** PWR ***/ /*!< Memory & Instance aliases and base addresses for Non-Secure/Secure peripherals */ -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() /*Secure */ #define PWR_BASE (0x50007000) //RM0438 - Table 4 #else @@ -157,7 +163,7 @@ /*** FLASH ***/ #define SYSCFG_APB2_CLOCK_ER_VAL (1 << 0) //RM0438 - RCC_APB2ENR - SYSCFGEN -#if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +#if TZ_SECURE() /*Secure*/ #define FLASH_BASE (0x50022000) //RM0438 - Table 4 #define FLASH_KEYR (*(volatile uint32_t *)(FLASH_BASE + 0x0C)) @@ -234,7 +240,7 @@ #define FLASH_OPTKEY1 (0x08192A3BU) #define FLASH_OPTKEY2 (0x4C5D6E7FU) -/* GPIO*/ +/* GPIO */ #define GPIOA_BASE 0x52020000 #define GPIOB_BASE 0x52020400 #define GPIOC_BASE 0x52020800 diff --git a/hal/uart/uart_drv_stm32h5.c b/hal/uart/uart_drv_stm32h5.c index 54757302f6..37e2bf24ba 100644 --- a/hal/uart/uart_drv_stm32h5.c +++ b/hal/uart/uart_drv_stm32h5.c @@ -34,7 +34,7 @@ static void uart_pins_setup(void) { uint32_t reg; - RCC_AHB2ENR1_CLOCK_ER|= GPIOB_AHB2ENR1_CLOCK_ER; + RCC_AHB2ENR_CLOCK_ER |= GPIOB_AHB2ENR1_CLOCK_ER; /* Set mode = AF */ reg = GPIOB_MODE & ~ (0x03 << (UART1_RX_PIN * 2)); GPIOB_MODE = reg | (2 << (UART1_RX_PIN * 2)); @@ -52,7 +52,7 @@ static void uart_pins_setup(void) static void uart_pins_setup(void) { uint32_t reg; - RCC_AHB2ENR1_CLOCK_ER|= GPIOD_AHB2ENR1_CLOCK_ER; + RCC_AHB2ENR_CLOCK_ER |= GPIOD_AHB2ENR1_CLOCK_ER; /* Set mode = AF */ reg = GPIOD_MODE & ~ (0x03 << (UART3_RX_PIN * 2)); GPIOD_MODE = reg | (2 << (UART3_RX_PIN * 2)); diff --git a/include/image.h b/include/image.h index 36433160b8..6aa56da3f0 100644 --- a/include/image.h +++ b/include/image.h @@ -42,65 +42,6 @@ extern "C" { #include "encrypt.h" #endif - -int wolfBot_get_dts_size(void *dts_addr); - - -#ifndef RAMFUNCTION -#if defined(__WOLFBOOT) && defined(RAM_CODE) -# if defined(ARCH_ARM) -# define RAMFUNCTION __attribute__((used,section(".ramcode"),long_call)) -# else -# define RAMFUNCTION __attribute__((used,section(".ramcode"))) -# endif -#else -# define RAMFUNCTION -#endif -#endif - -#ifndef WEAKFUNCTION -# if defined(__GNUC__) || defined(__CC_ARM) -# define WEAKFUNCTION __attribute__((weak)) -# else -# define WEAKFUNCTION -# endif -#endif - -#ifndef UNUSEDFUNCTION -# if defined(__GNUC__) || defined(__CC_ARM) -# define UNUSEDFUNCTION __attribute__((unused)) -# else -# define UNUSEDFUNCTION -# endif -#endif - - -/* Helpers for memory alignment */ -#ifndef XALIGNED - #if defined(__GNUC__) || defined(__llvm__) || \ - defined(__IAR_SYSTEMS_ICC__) - #define XALIGNED(x) __attribute__ ( (aligned (x))) - #elif defined(__KEIL__) - #define XALIGNED(x) __align(x) - #elif defined(_MSC_VER) - /* disable align warning, we want alignment ! */ - #pragma warning(disable: 4324) - #define XALIGNED(x) __declspec (align (x)) - #else - #define XALIGNED(x) /* null expansion */ - #endif -#endif - -#ifndef XALIGNED_STACK - /* Don't enforce stack alignment on IAR */ - #if defined (__IAR_SYSTEMS_ICC__) - #define XALIGNED_STACK(x) - #else - #define XALIGNED_STACK(x) XALIGNED(x) - #endif -#endif - - #ifndef WOLFBOOT_FLAGS_INVERT #define SECT_FLAG_NEW 0x0F #define SECT_FLAG_SWAPPING 0x07 diff --git a/include/spi_drv.h b/include/spi_drv.h index dbd281e90f..77f40e95b3 100644 --- a/include/spi_drv.h +++ b/include/spi_drv.h @@ -42,7 +42,8 @@ #if defined(TARGET_stm32f4) || defined(TARGET_stm32f7) || \ defined(TARGET_stm32wb) || defined(TARGET_stm32l0) || \ - defined(TARGET_stm32u5) || defined(TARGET_stm32h7) + defined(TARGET_stm32u5) || defined(TARGET_stm32h7) || \ + defined(TARGET_stm32h5) #define WOLFBOOT_STM32_SPIDRV #include "hal/spi/spi_drv_stm32.h" #endif diff --git a/include/tpm.h b/include/tpm.h index a6b8a5feab..fb788914c9 100644 --- a/include/tpm.h +++ b/include/tpm.h @@ -48,7 +48,27 @@ extern WOLFTPM2_KEY wolftpm_srk; #define WOLFBOOT_MAX_SEAL_SZ MAX_SYM_DATA +/* API's that are callable from non-secure code */ +int CSME_NSE_API wolfBoot_tpm2_caps(WOLFTPM2_CAPS* caps); +int CSME_NSE_API wolfBoot_tpm2_get_handles(TPM_HANDLE handle, TPML_HANDLE* handles); +const char* CSME_NSE_API wolfBoot_tpm2_get_alg_name(TPM_ALG_ID alg, + char* name, int name_sz); +const char* CSME_NSE_API wolfBoot_tpm2_get_rc_string(int rc, + char* error, int error_sz); +int CSME_NSE_API wolfBoot_tpm2_get_capability(GetCapability_In* in, GetCapability_Out* out); +int CSME_NSE_API wolfBoot_tpm2_read_pcr(uint8_t pcrIndex, uint8_t* digest, int* digestSz); +int CSME_NSE_API wolfBoot_tpm2_read_cert(uint32_t handle, uint8_t* cert, uint32_t* certSz); + +#ifdef WOLFTPM_MFG_IDENTITY +int CSME_NSE_API wolfBoot_tpm2_get_aik(WOLFTPM2_KEY* aik, + uint8_t* masterPassword, uint16_t masterPasswordSz); +int CSME_NSE_API wolfBoot_tpm2_get_timestamp(WOLFTPM2_KEY* aik, GetTime_Out* getTime); +int CSME_NSE_API wolfBoot_tpm2_quote(WOLFTPM2_KEY* aik, + byte* pcrArray, word32 pcrArraySz, Quote_Out* quoteResult); +int CSME_NSE_API wolfBoot_tpm2_parse_attest(const TPM2B_ATTEST* in, TPMS_ATTEST* out); +#endif +/* Internal wolfBoot TPM API's */ int wolfBoot_tpm2_init(void); void wolfBoot_tpm2_deinit(void); diff --git a/include/user_settings.h b/include/user_settings.h index 0c6d56ab1d..e86c935e51 100644 --- a/include/user_settings.h +++ b/include/user_settings.h @@ -410,6 +410,7 @@ extern int tolower(int c); #ifndef XTPM_WAIT #define XTPM_WAIT() /* no delay */ #endif + #define HASH_COUNT 3 /* enable more PCR hash types */ /* TPM remap printf */ #if defined(DEBUG_WOLFTPM) && !defined(ARCH_SIM) diff --git a/include/wolfboot/wc_secure.h b/include/wolfboot/wc_secure.h index b5b3ff5ded..a607b30944 100644 --- a/include/wolfboot/wc_secure.h +++ b/include/wolfboot/wc_secure.h @@ -28,6 +28,14 @@ /* Data types shared between wolfBoot and the non-secure application */ +#ifndef CSME_NSE_API +# if defined (__ARM_FEATURE_CMSE) && (__ARM_FEATURE_CMSE == 3U) +# define CSME_NSE_API __attribute__((cmse_nonsecure_entry)) +# else +# define CSME_NSE_API +# endif +#endif + #ifdef WOLFCRYPT_SECURE_MODE struct wcs_sign_call_params { @@ -52,36 +60,35 @@ struct wcs_verify_call_params #ifdef WOLFBOOT_SECURE_CALLS - /* Secure calls prototypes for the non-secure world */ /* RAW file read */ -int __attribute__((cmse_nonsecure_entry)) wcs_slot_read(int slot_id, +int CSME_NSE_API wcs_slot_read(int slot_id, uint8_t *buffer, uint32_t len); /* ECC */ -int __attribute__((cmse_nonsecure_entry)) wcs_ecc_import_public(int ecc_curve, +int CSME_NSE_API wcs_ecc_import_public(int ecc_curve, uint8_t *pubkey, uint32_t key_size); -int __attribute__((cmse_nonsecure_entry)) wcs_ecc_keygen(uint32_t key_size, +int CSME_NSE_API wcs_ecc_keygen(uint32_t key_size, int ecc_curve); -int __attribute__((cmse_nonsecure_entry)) wcs_ecc_getpublic(int slot_id, +int CSME_NSE_API wcs_ecc_getpublic(int slot_id, uint8_t *pubkey, uint32_t *pubkeySz); -int __attribute__((cmse_nonsecure_entry)) wcs_ecdh_shared(int privkey_slot_id, +int CSME_NSE_API wcs_ecdh_shared(int privkey_slot_id, int pubkey_slot_id, uint32_t outlen); /* ECC Calls with wrapper for arguments (ABI only allows 4 arguments) */ -int __attribute__((cmse_nonsecure_entry)) +int CSME_NSE_API wcs_ecc_sign_call(struct wcs_sign_call_params *p); -int __attribute__((cmse_nonsecure_entry)) +int CSME_NSE_API wcs_ecc_verify_call(struct wcs_verify_call_params *p); /* RNG */ -int __attribute__((cmse_nonsecure_entry)) wcs_get_random(uint8_t *rand, +int CSME_NSE_API wcs_get_random(uint8_t *rand, uint32_t size); /* exposed API for sign/verify with all needed arguments */ diff --git a/include/wolfboot/wcs_pkcs11.h b/include/wolfboot/wcs_pkcs11.h index b833c56f1a..614a65e243 100644 --- a/include/wolfboot/wcs_pkcs11.h +++ b/include/wolfboot/wcs_pkcs11.h @@ -191,157 +191,157 @@ struct C_DeriveKey_nsc_args { CK_OBJECT_HANDLE_PTR phKey; }; -CK_RV __attribute__((cmse_nonsecure_entry)) C_Initialize_nsc_call(CK_VOID_PTR pInitArgs); +CK_RV CSME_NSE_API C_Initialize_nsc_call(CK_VOID_PTR pInitArgs); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Finalize_nsc_call(CK_VOID_PTR pReserved); +CK_RV CSME_NSE_API C_Finalize_nsc_call(CK_VOID_PTR pReserved); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetInfo_nsc_call(CK_INFO_PTR pInfo); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionList_nsc_call(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); +CK_RV CSME_NSE_API C_GetInfo_nsc_call(CK_INFO_PTR pInfo); +CK_RV CSME_NSE_API C_GetFunctionList_nsc_call(CK_FUNCTION_LIST_PTR_PTR ppFunctionList); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotList_nsc_call(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount); +CK_RV CSME_NSE_API C_GetSlotList_nsc_call(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotInfo_nsc_call(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo); +CK_RV CSME_NSE_API C_GetSlotInfo_nsc_call(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetTokenInfo_nsc_call(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); +CK_RV CSME_NSE_API C_GetTokenInfo_nsc_call(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismList_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount); +CK_RV CSME_NSE_API C_GetMechanismList_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismInfo_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo); +CK_RV CSME_NSE_API C_GetMechanismInfo_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo); -CK_RV __attribute__((cmse_nonsecure_entry)) C_InitToken_nsc_call(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel); +CK_RV CSME_NSE_API C_InitToken_nsc_call(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel); -CK_RV __attribute__((cmse_nonsecure_entry)) C_InitPIN_nsc_call(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen); +CK_RV CSME_NSE_API C_InitPIN_nsc_call(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SetPIN_nsc_call(struct C_SetPIN_nsc_args *args); +CK_RV CSME_NSE_API C_SetPIN_nsc_call(struct C_SetPIN_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_OpenSession_nsc_call(struct C_OpenSession_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseSession_nsc_call(CK_SESSION_HANDLE hSession); +CK_RV CSME_NSE_API C_OpenSession_nsc_call(struct C_OpenSession_nsc_args *args); +CK_RV CSME_NSE_API C_CloseSession_nsc_call(CK_SESSION_HANDLE hSession); -CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseAllSessions_nsc_call(CK_SLOT_ID slotID); +CK_RV CSME_NSE_API C_CloseAllSessions_nsc_call(CK_SLOT_ID slotID); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSessionInfo_nsc_call(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetOperationState_nsc_call( +CK_RV CSME_NSE_API C_GetSessionInfo_nsc_call(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo); +CK_RV CSME_NSE_API C_GetOperationState_nsc_call( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SetOperationState_nsc_call(struct C_SetOperationState_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Login_nsc_call(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, +CK_RV CSME_NSE_API C_SetOperationState_nsc_call(struct C_SetOperationState_nsc_args *args); +CK_RV CSME_NSE_API C_Login_nsc_call(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Logout_nsc_call(CK_SESSION_HANDLE hSession); +CK_RV CSME_NSE_API C_Logout_nsc_call(CK_SESSION_HANDLE hSession); -CK_RV __attribute__((cmse_nonsecure_entry)) C_CreateObject_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_CreateObject_nsc_call(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DestroyObject_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_DestroyObject_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetObjectSize_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_GetObjectSize_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_GetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_SetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); -CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_FindObjectsInit_nsc_call(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount); -CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjects_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_FindObjects_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount); -CK_RV __attribute__((cmse_nonsecure_entry)) C_CopyObject_nsc_call(struct C_CopyObject_nsc_args *args); +CK_RV CSME_NSE_API C_CopyObject_nsc_call(struct C_CopyObject_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsFinal_nsc_call(CK_SESSION_HANDLE hSession); +CK_RV CSME_NSE_API C_FindObjectsFinal_nsc_call(CK_SESSION_HANDLE hSession); -CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_EncryptInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Encrypt_nsc_call(struct C_Encrypt_nsc_args *args); +CK_RV CSME_NSE_API C_Encrypt_nsc_call(struct C_Encrypt_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptUpdate_nsc_call(struct C_EncryptUpdate_nsc_args *args); +CK_RV CSME_NSE_API C_EncryptUpdate_nsc_call(struct C_EncryptUpdate_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptFinal_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_EncryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_DecryptInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Decrypt_nsc_call(struct C_Decrypt_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptUpdate_nsc_call(struct C_DecryptUpdate_nsc_args *args); +CK_RV CSME_NSE_API C_Decrypt_nsc_call(struct C_Decrypt_nsc_args *args); +CK_RV CSME_NSE_API C_DecryptUpdate_nsc_call(struct C_DecryptUpdate_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, +CK_RV CSME_NSE_API C_DecryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_DigestInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Digest_nsc_call(struct C_Digest_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestKey_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey); +CK_RV CSME_NSE_API C_Digest_nsc_call(struct C_Digest_nsc_args *args); +CK_RV CSME_NSE_API C_DigestUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); +CK_RV CSME_NSE_API C_DigestKey_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen); +CK_RV CSME_NSE_API C_DigestFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); +CK_RV CSME_NSE_API C_SignInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Sign_nsc_call(struct C_Sign_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); +CK_RV CSME_NSE_API C_Sign_nsc_call(struct C_Sign_nsc_args *args); +CK_RV CSME_NSE_API C_SignUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen); +CK_RV CSME_NSE_API C_SignFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); +CK_RV CSME_NSE_API C_SignRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecover_nsc_call(struct C_SignRecover_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_SignRecover_nsc_call(struct C_SignRecover_nsc_args *args); +CK_RV CSME_NSE_API C_VerifyInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_Verify_nsc_call(struct C_Verify_nsc_args *args); +CK_RV CSME_NSE_API C_Verify_nsc_call(struct C_Verify_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, +CK_RV CSME_NSE_API C_VerifyUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyFinal_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_VerifyFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_VerifyRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey); -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecover_nsc_call(struct C_VerifyRecover_nsc_args *args); +CK_RV CSME_NSE_API C_VerifyRecover_nsc_call(struct C_VerifyRecover_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestEncryptUpdate_nsc_call(struct C_DigestEncryptUpdate_nsc_args *args); +CK_RV CSME_NSE_API C_DigestEncryptUpdate_nsc_call(struct C_DigestEncryptUpdate_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptDigestUpdate_nsc_call(struct C_DecryptDigestUpdate_nsc_args *args); +CK_RV CSME_NSE_API C_DecryptDigestUpdate_nsc_call(struct C_DecryptDigestUpdate_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignEncryptUpdate_nsc_call(struct C_SignEncryptUpdate_nsc_args *args); +CK_RV CSME_NSE_API C_SignEncryptUpdate_nsc_call(struct C_SignEncryptUpdate_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptVerifyUpdate_nsc_call(struct C_DecryptVerifyUpdate_nsc_args *args); +CK_RV CSME_NSE_API C_DecryptVerifyUpdate_nsc_call(struct C_DecryptVerifyUpdate_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKey_nsc_call(struct C_GenerateKey_nsc_args *args); +CK_RV CSME_NSE_API C_GenerateKey_nsc_call(struct C_GenerateKey_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKeyPair_nsc_call(struct C_GenerateKeyPair_nsc_args *args); +CK_RV CSME_NSE_API C_GenerateKeyPair_nsc_call(struct C_GenerateKeyPair_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_WrapKey_nsc_call(struct C_WrapKey_nsc_args *args); +CK_RV CSME_NSE_API C_WrapKey_nsc_call(struct C_WrapKey_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_UnwrapKey_nsc_call(struct C_UnwrapKey_nsc_args *args); +CK_RV CSME_NSE_API C_UnwrapKey_nsc_call(struct C_UnwrapKey_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_DeriveKey_nsc_call(struct C_DeriveKey_nsc_args *args); -CK_RV __attribute__((cmse_nonsecure_entry)) C_SeedRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen); +CK_RV CSME_NSE_API C_DeriveKey_nsc_call(struct C_DeriveKey_nsc_args *args); +CK_RV CSME_NSE_API C_SeedRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen); -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionStatus_nsc_call(CK_SESSION_HANDLE hSession); +CK_RV CSME_NSE_API C_GenerateRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen); +CK_RV CSME_NSE_API C_GetFunctionStatus_nsc_call(CK_SESSION_HANDLE hSession); -CK_RV __attribute__((cmse_nonsecure_entry)) C_CancelFunction_nsc_call(CK_SESSION_HANDLE hSession); -CK_RV __attribute__((cmse_nonsecure_entry)) C_WaitForSlotEvent_nsc_call(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved); +CK_RV CSME_NSE_API C_CancelFunction_nsc_call(CK_SESSION_HANDLE hSession); +CK_RV CSME_NSE_API C_WaitForSlotEvent_nsc_call(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved); #endif /* SECURE_PKCS11 */ #endif /* !WOLFBOOT_PKCS11_H */ diff --git a/include/wolfboot/wolfboot.h b/include/wolfboot/wolfboot.h index 09a14fb273..09be8c75f0 100644 --- a/include/wolfboot/wolfboot.h +++ b/include/wolfboot/wolfboot.h @@ -34,9 +34,61 @@ extern "C" { #include "target.h" #endif #include "wolfboot/version.h" - -#ifdef WOLFCRYPT_SECURE_MODE #include "wolfboot/wc_secure.h" + + +#ifndef RAMFUNCTION +# if defined(__WOLFBOOT) && defined(RAM_CODE) +# if defined(ARCH_ARM) +# define RAMFUNCTION __attribute__((used,section(".ramcode"),long_call)) +# else +# define RAMFUNCTION __attribute__((used,section(".ramcode"))) +# endif +# else +# define RAMFUNCTION +#endif +#endif + +#ifndef WEAKFUNCTION +# if defined(__GNUC__) || defined(__CC_ARM) +# define WEAKFUNCTION __attribute__((weak)) +# else +# define WEAKFUNCTION +# endif +#endif + +#ifndef UNUSEDFUNCTION +# if defined(__GNUC__) || defined(__CC_ARM) +# define UNUSEDFUNCTION __attribute__((unused)) +# else +# define UNUSEDFUNCTION +# endif +#endif + + +/* Helpers for memory alignment */ +#ifndef XALIGNED + #if defined(__GNUC__) || defined(__llvm__) || \ + defined(__IAR_SYSTEMS_ICC__) + #define XALIGNED(x) __attribute__ ( (aligned (x))) + #elif defined(__KEIL__) + #define XALIGNED(x) __align(x) + #elif defined(_MSC_VER) + /* disable align warning, we want alignment ! */ + #pragma warning(disable: 4324) + #define XALIGNED(x) __declspec (align (x)) + #else + #define XALIGNED(x) /* null expansion */ + #endif +#endif + +#ifndef XALIGNED_STACK + /* Don't enforce stack alignment on IAR */ + #if defined(__IAR_SYSTEMS_ICC__) + #define XALIGNED_STACK(x) + #else + #define XALIGNED_STACK(x) XALIGNED(x) + #endif #endif @@ -420,28 +472,28 @@ int wolfBoot_erase_encrypt_key(void); */ /* Call wolfBoot_success from non-secure application */ -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API void wolfBoot_nsc_success(void); /* Call wolfBoot_update_trigger from non-secure application */ -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API void wolfBoot_nsc_update_trigger(void); /* Call wolfBoot_get_image_version from non-secure application */ -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API uint32_t wolfBoot_nsc_get_image_version(uint8_t part); #define wolfBoot_nsc_current_firmware_version() wolfBoot_nsc_get_image_version(PART_BOOT) #define wolfBoot_nsc_update_firmware_version() wolfBoot_nsc_get_image_version(PART_UPDATE) /* Call wolfBoot_get_partition_state from non-secure application */ -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API int wolfBoot_nsc_get_partition_state(uint8_t part, uint8_t *st); /* Erase one or more sectors in the update partition. * - address: offset within the update partition ('0' corresponds to PARTITION_UPDATE_ADDRESS) * - len: size, in bytes */ -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API int wolfBoot_nsc_erase_update(uint32_t address, uint32_t len); /* Write the content of buffer `buf` and size `len` to the update partition, @@ -449,7 +501,7 @@ int wolfBoot_nsc_erase_update(uint32_t address, uint32_t len); * - address: offset within the update partition ('0' corresponds to PARTITION_UPDATE_ADDRESS) * - len: size, in bytes */ -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API int wolfBoot_nsc_write_update(uint32_t address, const uint8_t *buf, uint32_t len); #endif /* !__WOLFBOOT && WOLFCRYPT_SECURE_MODE */ diff --git a/options.mk b/options.mk index 5614127b1c..5881575199 100644 --- a/options.mk +++ b/options.mk @@ -725,9 +725,13 @@ ifeq ($(WOLFTPM),1) endif endif endif - WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o - WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hmac.o - WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o + ifneq ($(WOLFCRYPT_TZ_PKCS11),1) + ifneq ($(ENCRYPT),1) + WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/aes.o + endif + WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hmac.o + WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o + endif ifeq ($(DEBUG),1) CFLAGS+=-DWOLFBOOT_DEBUG_TPM=1 endif @@ -1045,3 +1049,7 @@ endif ifneq ($(WOLFBOOT_RESTORE_CLOCK),0) CFLAGS += -DWOLFBOOT_RESTORE_CLOCK endif + +ifeq ($(TZEN),1) + CFLAGS+=-DTZEN +endif diff --git a/src/image.c b/src/image.c index 2f7652bf34..d8e0195bd4 100644 --- a/src/image.c +++ b/src/image.c @@ -41,6 +41,7 @@ #include "loader.h" #include "image.h" +#include "wolfboot/wolfboot.h" #include "hal.h" #include "spi_drv.h" #include "printf.h" diff --git a/src/libwolfboot.c b/src/libwolfboot.c index ddbe0282be..3cdf2d45de 100644 --- a/src/libwolfboot.c +++ b/src/libwolfboot.c @@ -2021,31 +2021,31 @@ int wolfBoot_ram_decrypt(uint8_t *src, uint8_t *dst) #endif /* EXT_ENCRYPTED */ #if defined(__WOLFBOOT) && defined(WOLFCRYPT_SECURE_MODE) -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API void wolfBoot_nsc_success(void) { wolfBoot_success(); } -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API void wolfBoot_nsc_update_trigger(void) { wolfBoot_update_trigger(); } -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API uint32_t wolfBoot_nsc_get_image_version(uint8_t part) { return wolfBoot_get_image_version(part); } -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API int wolfBoot_nsc_get_partition_state(uint8_t part, uint8_t *st) { return wolfBoot_get_partition_state(part, st); } -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API int wolfBoot_nsc_erase_update(uint32_t address, uint32_t len) { int ret; @@ -2061,7 +2061,7 @@ int wolfBoot_nsc_erase_update(uint32_t address, uint32_t len) return ret; } -__attribute__((cmse_nonsecure_entry)) +CSME_NSE_API int wolfBoot_nsc_write_update(uint32_t address, const uint8_t *buf, uint32_t len) { int ret; diff --git a/src/pkcs11_callable.c b/src/pkcs11_callable.c index 1677807d50..b9f0c7c350 100644 --- a/src/pkcs11_callable.c +++ b/src/pkcs11_callable.c @@ -19,149 +19,151 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ - +#include "wolfboot/wc_secure.h" #include "wolfboot/wcs_pkcs11.h" #ifdef SECURE_PKCS11 -CK_RV __attribute__((cmse_nonsecure_entry)) C_Initialize_nsc_call(CK_VOID_PTR pInitArgs) +#include "image.h" + +CK_RV CSME_NSE_API C_Initialize_nsc_call(CK_VOID_PTR pInitArgs) { return C_Initialize(pInitArgs); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Finalize_nsc_call(CK_VOID_PTR pReserved) +CK_RV CSME_NSE_API C_Finalize_nsc_call(CK_VOID_PTR pReserved) { return C_Finalize(pReserved); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetInfo_nsc_call(CK_INFO_PTR pInfo) +CK_RV CSME_NSE_API C_GetInfo_nsc_call(CK_INFO_PTR pInfo) { return C_GetInfo(pInfo); } -WP11_API CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionList_nsc_call(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) +WP11_API CK_RV CSME_NSE_API C_GetFunctionList_nsc_call(CK_FUNCTION_LIST_PTR_PTR ppFunctionList) { return C_GetFunctionList(ppFunctionList); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotList_nsc_call(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) +CK_RV CSME_NSE_API C_GetSlotList_nsc_call(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) { return C_GetSlotList(tokenPresent, pSlotList, pulCount); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotInfo_nsc_call(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) +CK_RV CSME_NSE_API C_GetSlotInfo_nsc_call(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo) { return C_GetSlotInfo(slotID, pInfo); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetTokenInfo_nsc_call(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) +CK_RV CSME_NSE_API C_GetTokenInfo_nsc_call(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo) { return C_GetTokenInfo(slotID, pInfo); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismList_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) +CK_RV CSME_NSE_API C_GetMechanismList_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount) { return C_GetMechanismList(slotID, pMechanismList, pulCount); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismInfo_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo) +CK_RV CSME_NSE_API C_GetMechanismInfo_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo) { return C_GetMechanismInfo(slotID, type, pInfo); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_InitToken_nsc_call(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel) +CK_RV CSME_NSE_API C_InitToken_nsc_call(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel) { return C_InitToken(slotID, pPin, ulPinLen, pLabel); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_InitPIN_nsc_call(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) +CK_RV CSME_NSE_API C_InitPIN_nsc_call(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) { return C_InitPIN(hSession, pPin, ulPinLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SetPIN_nsc_call(struct C_SetPIN_nsc_args *args) +CK_RV CSME_NSE_API C_SetPIN_nsc_call(struct C_SetPIN_nsc_args *args) { return C_SetPIN(args->hSession, args->pOldPin, args->ulOldLen, args->pNewPin, args->ulNewLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_OpenSession_nsc_call(struct C_OpenSession_nsc_args *args) { +CK_RV CSME_NSE_API C_OpenSession_nsc_call(struct C_OpenSession_nsc_args *args) { return C_OpenSession(args->slotID, args->flags, args->pApplication, args->Notify, args->phSession); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseSession_nsc_call(CK_SESSION_HANDLE hSession) +CK_RV CSME_NSE_API C_CloseSession_nsc_call(CK_SESSION_HANDLE hSession) { return C_CloseSession(hSession); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseAllSessions_nsc_call(CK_SLOT_ID slotID) +CK_RV CSME_NSE_API C_CloseAllSessions_nsc_call(CK_SLOT_ID slotID) { return C_CloseAllSessions(slotID); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSessionInfo_nsc_call(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) +CK_RV CSME_NSE_API C_GetSessionInfo_nsc_call(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo) { return C_GetSessionInfo(hSession, pInfo); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetOperationState_nsc_call( +CK_RV CSME_NSE_API C_GetOperationState_nsc_call( CK_SESSION_HANDLE hSession, CK_BYTE_PTR pOperationState, CK_ULONG_PTR pulOperationStateLen) { return C_GetOperationState(hSession, pOperationState, pulOperationStateLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SetOperationState_nsc_call(struct C_SetOperationState_nsc_args *args) { +CK_RV CSME_NSE_API C_SetOperationState_nsc_call(struct C_SetOperationState_nsc_args *args) { return C_SetOperationState(args->hSession, args->pOperationState, args->ulOperationStateLen, args->hEncryptionKey, args->hAuthenticationKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Login_nsc_call(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, +CK_RV CSME_NSE_API C_Login_nsc_call(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) { return C_Login(hSession, userType, pPin, ulPinLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Logout_nsc_call(CK_SESSION_HANDLE hSession) { +CK_RV CSME_NSE_API C_Logout_nsc_call(CK_SESSION_HANDLE hSession) { return C_Logout(hSession); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_CreateObject_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_CreateObject_nsc_call(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount, CK_OBJECT_HANDLE_PTR phObject) { return C_CreateObject(hSession, pTemplate, ulCount, phObject); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DestroyObject_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_DestroyObject_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject) { return C_DestroyObject(hSession, hObject); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetObjectSize_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_GetObjectSize_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) { return C_GetObjectSize(hSession, hObject, pulSize); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_GetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { return C_GetAttributeValue(hSession, hObject, pTemplate, ulCount); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_SetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { return C_SetAttributeValue(hSession, hObject, pTemplate, ulCount); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_FindObjectsInit_nsc_call(CK_SESSION_HANDLE hSession, CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) { return C_FindObjectsInit(hSession, pTemplate, ulCount); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjects_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_FindObjects_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE_PTR phObject, CK_ULONG ulMaxObjectCount, CK_ULONG_PTR pulObjectCount) { @@ -169,197 +171,197 @@ CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjects_nsc_call(CK_SESSION_HA } -CK_RV __attribute__((cmse_nonsecure_entry)) C_CopyObject_nsc_call(struct C_CopyObject_nsc_args *args) { +CK_RV CSME_NSE_API C_CopyObject_nsc_call(struct C_CopyObject_nsc_args *args) { return C_CopyObject(args->hSession, args->hObject, args->pTemplate, args->ulCount, args->phNewObject); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsFinal_nsc_call(CK_SESSION_HANDLE hSession) +CK_RV CSME_NSE_API C_FindObjectsFinal_nsc_call(CK_SESSION_HANDLE hSession) { return C_FindObjectsFinal(hSession); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_EncryptInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return C_EncryptInit(hSession, pMechanism, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Encrypt_nsc_call(struct C_Encrypt_nsc_args *args) { +CK_RV CSME_NSE_API C_Encrypt_nsc_call(struct C_Encrypt_nsc_args *args) { return C_Encrypt(args->hSession, args->pData, args->ulDataLen, args->pEncryptedData, args->pulEncryptedDataLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptUpdate_nsc_call(struct C_EncryptUpdate_nsc_args *args) { +CK_RV CSME_NSE_API C_EncryptUpdate_nsc_call(struct C_EncryptUpdate_nsc_args *args) { return C_EncryptUpdate(args->hSession, args->pPart, args->ulPartLen, args->pEncryptedPart, args->pulEncryptedPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptFinal_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_EncryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastEncryptedPart, CK_ULONG_PTR pulLastEncryptedPartLen) { return C_EncryptFinal(hSession, pLastEncryptedPart, pulLastEncryptedPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_DecryptInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return C_DecryptInit(hSession, pMechanism, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Decrypt_nsc_call(struct C_Decrypt_nsc_args *args) { +CK_RV CSME_NSE_API C_Decrypt_nsc_call(struct C_Decrypt_nsc_args *args) { return C_Decrypt(args->hSession, args->pEncryptedData, args->ulEncryptedDataLen, args->pData, args->pulDataLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptUpdate_nsc_call(struct C_DecryptUpdate_nsc_args *args) { +CK_RV CSME_NSE_API C_DecryptUpdate_nsc_call(struct C_DecryptUpdate_nsc_args *args) { return C_DecryptUpdate(args->hSession, args->pEncryptedPart, args->ulEncryptedPartLen, args->pPart, args->pulPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, +CK_RV CSME_NSE_API C_DecryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart, CK_ULONG_PTR pulLastPartLen) { return C_DecryptFinal(hSession, pLastPart, pulLastPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_DigestInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism) { return C_DigestInit(hSession, pMechanism); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Digest_nsc_call(struct C_Digest_nsc_args *args) { +CK_RV CSME_NSE_API C_Digest_nsc_call(struct C_Digest_nsc_args *args) { return C_Digest(args->hSession, args->pData, args->ulDataLen, args->pDigest, args->pulDigestLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) +CK_RV CSME_NSE_API C_DigestUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { return C_DigestUpdate(hSession, pPart, ulPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestKey_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) +CK_RV CSME_NSE_API C_DigestKey_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey) { return C_DigestKey(hSession, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) +CK_RV CSME_NSE_API C_DigestFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen) { return C_DigestFinal(hSession, pDigest, pulDigestLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +CK_RV CSME_NSE_API C_SignInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return C_SignInit(hSession, pMechanism, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Sign_nsc_call(struct C_Sign_nsc_args *args) { +CK_RV CSME_NSE_API C_Sign_nsc_call(struct C_Sign_nsc_args *args) { return C_Sign(args->hSession, args->pData, args->ulDataLen, args->pSignature, args->pulSignatureLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) +CK_RV CSME_NSE_API C_SignUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { return C_SignUpdate(hSession, pPart, ulPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) +CK_RV CSME_NSE_API C_SignFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen) { return C_SignFinal(hSession, pSignature, pulSignatureLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) +CK_RV CSME_NSE_API C_SignRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return C_SignRecoverInit(hSession, pMechanism, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecover_nsc_call(struct C_SignRecover_nsc_args *args) { +CK_RV CSME_NSE_API C_SignRecover_nsc_call(struct C_SignRecover_nsc_args *args) { return C_SignRecover(args->hSession, args->pData, args->ulDataLen, args->pSignature, args->pulSignatureLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_VerifyInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return C_VerifyInit(hSession, pMechanism, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_Verify_nsc_call(struct C_Verify_nsc_args *args) { +CK_RV CSME_NSE_API C_Verify_nsc_call(struct C_Verify_nsc_args *args) { return C_Verify(args->hSession, args->pData, args->ulDataLen, args->pSignature, args->ulSignatureLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, +CK_RV CSME_NSE_API C_VerifyUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen) { return C_VerifyUpdate(hSession, pPart, ulPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyFinal_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_VerifyFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen) { return C_VerifyFinal(hSession, pSignature, ulSignatureLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, +CK_RV CSME_NSE_API C_VerifyRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey) { return C_VerifyRecoverInit(hSession, pMechanism, hKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecover_nsc_call(struct C_VerifyRecover_nsc_args *args) { +CK_RV CSME_NSE_API C_VerifyRecover_nsc_call(struct C_VerifyRecover_nsc_args *args) { return C_VerifyRecover(args->hSession, args->pSignature, args->ulSignatureLen, args->pData, args->pulDataLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestEncryptUpdate_nsc_call(struct C_DigestEncryptUpdate_nsc_args *args) { +CK_RV CSME_NSE_API C_DigestEncryptUpdate_nsc_call(struct C_DigestEncryptUpdate_nsc_args *args) { return C_DigestEncryptUpdate(args->hSession, args->pPart, args->ulPartLen, args->pEncryptedPart, args->pulEncryptedPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptDigestUpdate_nsc_call(struct C_DecryptDigestUpdate_nsc_args *args) { +CK_RV CSME_NSE_API C_DecryptDigestUpdate_nsc_call(struct C_DecryptDigestUpdate_nsc_args *args) { return C_DecryptDigestUpdate(args->hSession, args->pEncryptedPart, args->ulEncryptedPartLen, args->pPart, args->pulPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SignEncryptUpdate_nsc_call(struct C_SignEncryptUpdate_nsc_args *args) { +CK_RV CSME_NSE_API C_SignEncryptUpdate_nsc_call(struct C_SignEncryptUpdate_nsc_args *args) { return C_SignEncryptUpdate(args->hSession, args->pPart, args->ulPartLen, args->pEncryptedPart, args->pulEncryptedPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptVerifyUpdate_nsc_call(struct C_DecryptVerifyUpdate_nsc_args *args) { +CK_RV CSME_NSE_API C_DecryptVerifyUpdate_nsc_call(struct C_DecryptVerifyUpdate_nsc_args *args) { return C_DecryptVerifyUpdate(args->hSession, args->pEncryptedPart, args->ulEncryptedPartLen, args->pPart, args->pulPartLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKey_nsc_call(struct C_GenerateKey_nsc_args *args) { +CK_RV CSME_NSE_API C_GenerateKey_nsc_call(struct C_GenerateKey_nsc_args *args) { return C_GenerateKey(args->hSession, args->pMechanism, args->pTemplate, args->ulCount, args->phKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKeyPair_nsc_call(struct C_GenerateKeyPair_nsc_args *args) { +CK_RV CSME_NSE_API C_GenerateKeyPair_nsc_call(struct C_GenerateKeyPair_nsc_args *args) { return C_GenerateKeyPair(args->hSession, args->pMechanism, args->pPublicKeyTemplate, args->ulPublicKeyAttributeCount, args->pPrivateKeyTemplate, args->ulPrivateKeyAttributeCount, args->phPublicKey, args->phPrivateKey); @@ -367,47 +369,47 @@ CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKeyPair_nsc_call(struct C_ -CK_RV __attribute__((cmse_nonsecure_entry)) C_WrapKey_nsc_call(struct C_WrapKey_nsc_args *args) { +CK_RV CSME_NSE_API C_WrapKey_nsc_call(struct C_WrapKey_nsc_args *args) { return C_WrapKey(args->hSession, args->pMechanism, args->hWrappingKey, args->hKey, args->pWrappedKey, args->pulWrappedKeyLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_UnwrapKey_nsc_call(struct C_UnwrapKey_nsc_args *args) { +CK_RV CSME_NSE_API C_UnwrapKey_nsc_call(struct C_UnwrapKey_nsc_args *args) { return C_UnwrapKey(args->hSession, args->pMechanism, args->hUnwrappingKey, args->pWrappedKey, args->ulWrappedKeyLen, args->pTemplate, args->ulAttributeCount, args->phKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_DeriveKey_nsc_call(struct C_DeriveKey_nsc_args *args) { +CK_RV CSME_NSE_API C_DeriveKey_nsc_call(struct C_DeriveKey_nsc_args *args) { return C_DeriveKey(args->hSession, args->pMechanism, args->hBaseKey, args->pTemplate, args->ulAttributeCount, args->phKey); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_SeedRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen) +CK_RV CSME_NSE_API C_SeedRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen) { return C_SeedRandom(hSession, pSeed, ulSeedLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) +CK_RV CSME_NSE_API C_GenerateRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen) { return C_GenerateRandom(hSession, pRandomData, ulRandomLen); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionStatus_nsc_call(CK_SESSION_HANDLE hSession) +CK_RV CSME_NSE_API C_GetFunctionStatus_nsc_call(CK_SESSION_HANDLE hSession) { return C_GetFunctionStatus(hSession); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_CancelFunction_nsc_call(CK_SESSION_HANDLE hSession) +CK_RV CSME_NSE_API C_CancelFunction_nsc_call(CK_SESSION_HANDLE hSession) { return C_CancelFunction(hSession); } -CK_RV __attribute__((cmse_nonsecure_entry)) C_WaitForSlotEvent_nsc_call(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) +CK_RV CSME_NSE_API C_WaitForSlotEvent_nsc_call(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved) { return C_WaitForSlotEvent(flags, pSlot, pReserved); } diff --git a/src/tpm.c b/src/tpm.c index 8d6a4c817f..a99bd92726 100644 --- a/src/tpm.c +++ b/src/tpm.c @@ -1133,6 +1133,175 @@ static int wolfRNG_GetSeedCB(OS_Seed* os, uint8_t* seed, uint32_t sz) } #endif + +/* API's that are callable from non-secure code */ +int CSME_NSE_API wolfBoot_tpm2_caps(WOLFTPM2_CAPS* caps) +{ + memset(caps, 0, sizeof(*caps)); + return wolfTPM2_GetCapabilities(&wolftpm_dev, caps); +} + +int CSME_NSE_API wolfBoot_tpm2_get_handles(TPM_HANDLE handle, TPML_HANDLE* handles) +{ + memset(handles, 0, sizeof(*handles)); + return wolfTPM2_GetHandles(handle, handles); +} + +const char* CSME_NSE_API wolfBoot_tpm2_get_alg_name(TPM_ALG_ID alg, + char* name, int name_sz) +{ + const char* s_name; + if (name == NULL || name_sz <= 0) { + return NULL; + } + s_name = TPM2_GetAlgName(alg); + if (s_name != NULL && name != NULL && name_sz > 0) { + strncpy(name, s_name, name_sz - 1); + name[name_sz - 1] = '\0'; + } + else { + strcpy(name, "Unknown"); + } + return (const char*)name; +} + +const char* CSME_NSE_API wolfBoot_tpm2_get_rc_string(int rc, char* error, int error_sz) +{ + const char* s_error; + if (error == NULL || error_sz <= 0) { + return NULL; + } + s_error = TPM2_GetRCString(rc); + if (s_error != NULL && error != NULL && error_sz > 0) { + strncpy(error, s_error, error_sz - 1); + error[error_sz - 1] = '\0'; + } + else { + strcpy(error, "Unknown"); + } + return (const char*)error; +} + +int CSME_NSE_API wolfBoot_tpm2_get_capability(GetCapability_In* in, GetCapability_Out* out) +{ + return (int)TPM2_GetCapability(in, out); +} + +int CSME_NSE_API wolfBoot_tpm2_read_pcr(uint8_t pcrIndex, uint8_t* digest, int* digestSz) +{ + return wolfTPM2_ReadPCR(&wolftpm_dev, pcrIndex, WOLFBOOT_TPM_PCR_ALG, + digest, digestSz); +} + +int CSME_NSE_API wolfBoot_tpm2_read_cert(uint32_t handle, uint8_t* cert, uint32_t* certSz) +{ + wolfTPM2_SetAuthPassword(&wolftpm_dev, 0, NULL); + return wolfTPM2_NVReadCert(&wolftpm_dev, handle, cert, certSz); +} + +#ifdef WOLFTPM_MFG_IDENTITY +int CSME_NSE_API wolfBoot_tpm2_get_aik(WOLFTPM2_KEY* aik, + uint8_t* masterPassword, uint16_t masterPasswordSz) +{ + int rc; + if (aik == NULL) { + return BAD_FUNC_ARG; + } + + /* Load existing AIK and set auth */ + rc = wolfTPM2_ReadPublicKey(&wolftpm_dev, aik, TPM2_IAK_KEY_HANDLE); + if (rc == 0) { + /* Custom should supply their own custom master password used during + * device provisioning. If using a sample TPM supply NULL to use the + * default password. */ + rc = wolfTPM2_SetIdentityAuth(&wolftpm_dev, &aik->handle, + masterPassword, masterPasswordSz); + } + return rc; +} + +int CSME_NSE_API wolfBoot_tpm2_get_timestamp(WOLFTPM2_KEY* aik, GetTime_Out* getTime) +{ + int rc; + WOLFTPM2_HANDLE eh_handle; + /* sample master password for EH */ + uint8_t Master_EH_AuthValue[] = { + 0xDE, 0xEF, 0x8C, 0xDF, 0x1B, 0x77, 0xBD, 0x00, + 0x30, 0x58, 0x5E, 0x47, 0xB8, 0x21, 0x46, 0x0B + }; + + if (aik == NULL || getTime == NULL) { + return BAD_FUNC_ARG; + } + + memset(getTime, 0, sizeof(*getTime)); + memset(&eh_handle, 0, sizeof(eh_handle)); + + eh_handle.hndl = TPM_RH_ENDORSEMENT; + + /* Calculate EH auth value */ + rc = wolfTPM2_SetIdentityAuth(&wolftpm_dev, &eh_handle, + Master_EH_AuthValue, (uint16_t)sizeof(Master_EH_AuthValue)); + if (rc == 0) { + /* Set EH auth */ + wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &eh_handle); + + /* set auth for using the AIK */ + wolfTPM2_SetAuthHandle(&wolftpm_dev, 1, &aik->handle); + } + if (rc == 0) { + rc = wolfTPM2_GetTime(aik, getTime); + } + + wolfTPM2_UnsetAuth(&wolftpm_dev, 1); + wolfTPM2_UnsetAuth(&wolftpm_dev, 0); + + return rc; +} + +int CSME_NSE_API wolfBoot_tpm2_parse_attest(const TPM2B_ATTEST* in, TPMS_ATTEST* out) +{ + return TPM2_ParseAttest(in, out); +} + +int CSME_NSE_API wolfBoot_tpm2_quote(WOLFTPM2_KEY* aik, + byte* pcrArray, word32 pcrArraySz, Quote_Out* quoteResult) +{ + int rc; + Quote_In quoteAsk; + TPMT_ASYM_SCHEME* scheme; + + if (aik == NULL || pcrArray == NULL || pcrArraySz == 0 || + quoteResult == NULL) { + return BAD_FUNC_ARG; + } + + /* set auth for using the AIK */ + wolfTPM2_SetAuthHandle(&wolftpm_dev, 0, &aik->handle); + + /* Prepare Quote request */ + XMEMSET("eAsk, 0, sizeof(quoteAsk)); + XMEMSET(quoteResult, 0, sizeof(*quoteResult)); + + scheme = &aik->pub.publicArea.parameters.asymDetail.scheme; + quoteAsk.signHandle = aik->handle.hndl; + quoteAsk.inScheme.scheme = scheme->scheme; + quoteAsk.inScheme.details.any.hashAlg = scheme->details.anySig.hashAlg; + quoteAsk.qualifyingData.size = 0; /* optional */ + /* Choose PCR(s) for signing */ + TPM2_SetupPCRSelArray("eAsk.PCRselect, scheme->details.anySig.hashAlg, + pcrArray, pcrArraySz); + + /* Get AIK signed attestation of PCR(s) */ + rc = TPM2_Quote("eAsk, quoteResult); + + wolfTPM2_UnsetAuth(&wolftpm_dev, 0); + + return rc; +} +#endif /* WOLFTPM_MFG_IDENTITY */ + + /** * @brief Initialize the TPM2 device and retrieve its capabilities. * diff --git a/src/update_flash.c b/src/update_flash.c index 1a396cdd0c..406734bb0e 100644 --- a/src/update_flash.c +++ b/src/update_flash.c @@ -27,7 +27,6 @@ #include "image.h" #include "hal.h" #include "spi_flash.h" -#include "wolfboot/wolfboot.h" #include "target.h" #include "delta.h" @@ -1265,7 +1264,8 @@ void RAMFUNCTION wolfBoot_start(void) #endif -#ifdef WOLFBOOT_TPM +#if defined(WOLFBOOT_TPM) && !defined(WOLFCRYPT_SECURE_MODE) + /* leave TPM2 available to be called from non-secure callable */ wolfBoot_tpm2_deinit(); #endif diff --git a/src/wc_callable.c b/src/wc_callable.c index 0545d8220f..8ccc646316 100644 --- a/src/wc_callable.c +++ b/src/wc_callable.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA */ #ifdef WOLFCRYPT_SECURE_MODE + #include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/ssl.h" #include "wolfssl/wolfcrypt/ecc.h" @@ -31,8 +32,7 @@ static WC_RNG wcs_rng; -int __attribute__((cmse_nonsecure_entry)) -wcs_get_random(uint8_t *rand, uint32_t size) +int CSME_NSE_API wcs_get_random(uint8_t *rand, uint32_t size) { return wc_RNG_GenerateBlock(&wcs_rng, rand, size); } @@ -43,4 +43,4 @@ void wcs_Init(void) wc_InitRng(&wcs_rng); } -#endif +#endif /* WOLFCRYPT_SECURE_MODE */ diff --git a/test-app/Makefile b/test-app/Makefile index 33c14c1150..4e167b4c41 100644 --- a/test-app/Makefile +++ b/test-app/Makefile @@ -90,6 +90,7 @@ ifeq ($(TZEN),1) ifeq ($(WOLFCRYPT_TZ),1) APP_OBJS+=../src/wc_secure_calls.o ifeq ($(WOLFCRYPT_TZ_PKCS11),1) + CFLAGS+=-DWOLFSSL_USER_SETTINGS -DWOLFTPM_USER_SETTINGS CFLAGS+=-DWOLFBOOT_PKCS11_APP -DSECURE_PKCS11 CFLAGS+=-I"$(WOLFBOOT_LIB_WOLFPKCS11)" APP_OBJS+=./wcs/pkcs11_test_ecc.o @@ -117,6 +118,15 @@ ifeq ($(TZEN),1) APP_OBJS+=./wcs/coding.o APP_OBJS+=./wcs/wc_encrypt.o APP_OBJS+=./wcs/wc_port.o + + ifeq ($(SPMATH),1) + CFLAGS+=-DWOLFSSL_HAVE_SP_RSA -DWOLFSSL_HAVE_SP_ECC + ifneq ($(NO_ASM),1) + CFLAGS+=-fomit-frame-pointer # required with debug builds only + CFLAGS+=-DWOLFSSL_SP_ARM_CORTEX_M_ASM + APP_OBJS+=./wcs/sp_cortexm.o + endif + endif endif CFLAGS+=-DWOLFBOOT_SECURE_CALLS -Wstack-usage=19184 LDFLAGS+=--specs=nosys.specs -u _printf_float diff --git a/test-app/app_stm32h5.c b/test-app/app_stm32h5.c index bd3fa5e5e2..ddf199c987 100644 --- a/test-app/app_stm32h5.c +++ b/test-app/app_stm32h5.c @@ -35,6 +35,10 @@ #include "target.h" #include "image.h" +#ifdef WOLFBOOT_TPM +#include "tpm.h" +#endif + #ifdef SECURE_PKCS11 #include "wcs/user_settings.h" #include "wolfssl/wolfcrypt/settings.h" @@ -55,44 +59,16 @@ static uint32_t uart_processed = 0; static int uart_rx_isr(unsigned char *c, int len); static int uart_poll(void); -#define LED_BOOT_PIN (4) /* PG4 - Nucleo - Red Led */ -#define LED_USR_PIN (0) /* PB0 - Nucleo - Green Led */ -#define LED_EXTRA_PIN (4) /* PF4 - Nucleo - Orange Led */ +#define LED_BOOT_PIN (4) /* PG4 - Nucleo - Red Led */ +#define LED_USR_PIN (0) /* PB0 - Nucleo - Green Led */ +#define LED_EXTRA_PIN (4) /* PF4 - Nucleo - Orange Led */ #define NVIC_USART3_IRQN (60) -/*Non-Secure */ -#define RCC_BASE (0x44020C00) /* RM0481 - Table 3 */ -#define GPIOG_BASE 0x42021800 -#define GPIOB_BASE 0x42020400 -#define GPIOF_BASE 0x42021400 - -#define GPIOG_MODER (*(volatile uint32_t *)(GPIOG_BASE + 0x00)) -#define GPIOG_PUPDR (*(volatile uint32_t *)(GPIOG_BASE + 0x0C)) -#define GPIOG_BSRR (*(volatile uint32_t *)(GPIOG_BASE + 0x18)) - -#define GPIOB_MODER (*(volatile uint32_t *)(GPIOB_BASE + 0x00)) -#define GPIOB_PUPDR (*(volatile uint32_t *)(GPIOB_BASE + 0x0C)) -#define GPIOB_BSRR (*(volatile uint32_t *)(GPIOB_BASE + 0x18)) - -#define GPIOF_MODER (*(volatile uint32_t *)(GPIOF_BASE + 0x00)) -#define GPIOF_PUPDR (*(volatile uint32_t *)(GPIOF_BASE + 0x0C)) -#define GPIOF_BSRR (*(volatile uint32_t *)(GPIOF_BASE + 0x18)) - -#define RCC_AHB2ENR1_CLOCK_ER (*(volatile uint32_t *)(RCC_BASE + 0x8C )) -#define GPIOG_AHB2ENR1_CLOCK_ER (1 << 6) -#define GPIOF_AHB2ENR1_CLOCK_ER (1 << 5) -#define GPIOB_AHB2ENR1_CLOCK_ER (1 << 1) -#define GPIOD_AHB2ENR1_CLOCK_ER (1 << 3) /* SysTick */ static uint32_t cpu_freq = 250000000; -#define SYSTICK_BASE (0xE000E010) -#define SYSTICK_CSR (*(volatile uint32_t *)(SYSTICK_BASE + 0x00)) -#define SYSTICK_RVR (*(volatile uint32_t *)(SYSTICK_BASE + 0x04)) -#define SYSTICK_CVR (*(volatile uint32_t *)(SYSTICK_BASE + 0x08)) -#define SYSTICK_CALIB (*(volatile uint32_t *)(SYSTICK_BASE + 0x0C)) int clock_gettime (clockid_t clock_id, struct timespec *tp) { @@ -119,9 +95,9 @@ static void boot_led_on(void) uint32_t reg; uint32_t pin = LED_BOOT_PIN; - RCC_AHB2ENR1_CLOCK_ER|= GPIOG_AHB2ENR1_CLOCK_ER; + RCC_AHB2ENR_CLOCK_ER |= GPIOG_AHB2ENR1_CLOCK_ER; /* Delay after an RCC peripheral clock enabling */ - reg = RCC_AHB2ENR1_CLOCK_ER; + reg = RCC_AHB2ENR_CLOCK_ER; reg = GPIOG_MODER & ~(0x03 << (pin * 2)); GPIOG_MODER = reg | (1 << (pin * 2)); @@ -139,9 +115,9 @@ void usr_led_on(void) uint32_t reg; uint32_t pin = LED_USR_PIN; - RCC_AHB2ENR1_CLOCK_ER|= GPIOB_AHB2ENR1_CLOCK_ER; + RCC_AHB2ENR_CLOCK_ER |= GPIOB_AHB2ENR1_CLOCK_ER; /* Delay after an RCC peripheral clock enabling */ - reg = RCC_AHB2ENR1_CLOCK_ER; + reg = RCC_AHB2ENR_CLOCK_ER; reg = GPIOB_MODER & ~(0x03 << (pin * 2)); GPIOB_MODER = reg | (1 << (pin * 2)); @@ -159,9 +135,9 @@ void extra_led_on(void) uint32_t reg; uint32_t pin = LED_EXTRA_PIN; - RCC_AHB2ENR1_CLOCK_ER|= GPIOF_AHB2ENR1_CLOCK_ER; + RCC_AHB2ENR_CLOCK_ER|= GPIOF_AHB2ENR1_CLOCK_ER; /* Delay after an RCC peripheral clock enabling */ - reg = RCC_AHB2ENR1_CLOCK_ER; + reg = RCC_AHB2ENR_CLOCK_ER; reg = GPIOF_MODER & ~(0x03 << (pin * 2)); GPIOF_MODER = reg | (1 << (pin * 2)); @@ -174,9 +150,6 @@ void extra_led_off(void) GPIOF_BSRR |= (1 << (LED_EXTRA_PIN + 16)); } -static char CaBuf[2048]; -static uint8_t my_pubkey[200]; - extern int ecdsa_sign_verify(int devId); /* Command line commands */ @@ -191,7 +164,15 @@ static int cmd_timestamp(const char *args); static int cmd_update(const char *args); static int cmd_update_xmodem(const char *args); static int cmd_reboot(const char *args); - +#ifdef WOLFBOOT_TPM +static int cmd_tpm_info(const char *args); +#ifdef WOLFTPM_MFG_IDENTITY +static int cmd_tpm_idevid(const char *args); +static int cmd_tpm_iak(const char *args); +static int cmd_tpm_signed_timestamp(const char *args); +static int cmd_tpm_quote(const char *args); +#endif +#endif #define CMD_BUFFER_SIZE 256 @@ -208,17 +189,26 @@ struct console_command { struct console_command COMMANDS[] = { - { cmd_help, "help", "shows this help message"}, - { cmd_info, "info", "display information about the system and partitions"}, - { cmd_success, "success", "confirm a successful update"}, - { cmd_login_pkcs11, "pkcs11", "enable and test crypto calls with PKCS11 in secure mode" }, - { cmd_random, "random", "generate a random number"}, - { cmd_timestamp, "timestamp", "print the current timestamp"}, - { cmd_benchmark, "benchmark", "run the wolfCrypt benchmark"}, - { cmd_test, "test", "run the wolfCrypt test"}, - { cmd_update_xmodem, "update", "update the firmware via XMODEM"}, - { cmd_reboot, "reboot", "reboot the system"}, - { NULL, "", ""} + {cmd_help, "help", "shows this help message"}, + {cmd_info, "info", "display information about the system and partitions"}, + {cmd_success, "success", "confirm a successful update"}, + {cmd_login_pkcs11, "pkcs11", "enable and test crypto calls with PKCS11 in secure mode" }, + {cmd_random, "random", "generate a random number"}, + {cmd_timestamp, "timestamp", "print the current systick/timestamp"}, + {cmd_benchmark, "benchmark", "run the wolfCrypt benchmark"}, + {cmd_test, "test", "run the wolfCrypt test"}, + {cmd_update_xmodem, "update", "update the firmware via XMODEM"}, + {cmd_reboot, "reboot", "reboot the system"}, +#ifdef WOLFBOOT_TPM + {cmd_tpm_info, "tpm", "get TPM capabilities"}, +#ifdef WOLFTPM_MFG_IDENTITY + {cmd_tpm_idevid, "idevid", "show Initial Device Identification (IDevID) certificate"}, + {cmd_tpm_iak, "iak", "show Initial Attestation Identification (IAK) certificate"}, + {cmd_tpm_signed_timestamp, "signed_time", "TPM IAK signed timestamp attestation report"}, + {cmd_tpm_quote, "quote", "TPM IAK signed PCR(s) attestation report"}, +#endif +#endif + {NULL, "", ""} }; #define AIRCR *(volatile uint32_t *)(0xE000ED0C) @@ -453,9 +443,47 @@ static const char *part_state_name(uint8_t state) } } +#define LINE_LEN 16 +void print_hex(const uint8_t* buffer, uint32_t length, int dumpChars) +{ + uint32_t i, sz; + + if (!buffer) { + printf("\tNULL\n"); + return; + } + + while (length > 0) { + sz = length; + if (sz > LINE_LEN) + sz = LINE_LEN; + + printf("\t"); + for (i = 0; i < LINE_LEN; i++) { + if (i < length) + printf("%02x ", buffer[i]); + else + printf(" "); + } + if (dumpChars) { + printf("| "); + for (i = 0; i < sz; i++) { + if (buffer[i] > 31 && buffer[i] < 127) + printf("%c", buffer[i]); + else + printf("."); + } + } + printf("\r\n"); + + buffer += sz; + length -= sz; + } +} + static int cmd_info(const char *args) { - int i, j; + int i; uint32_t cur_fw_version, update_fw_version; uint32_t n_keys; uint16_t hdrSz; @@ -511,13 +539,7 @@ static int cmd_info(const char *args) printf(" Public Key #%d: size %lu, type %lx, mask %08lx\r\n", i, size, type, mask); printf(" ====================================\r\n "); - for (j = 0; j < size; j++) { - printf("%02X ", keybuf[j]); - if (j % 16 == 15) { - printf("\r\n "); - } - } - printf("\r\n"); + print_hex(keybuf, size, 0); } return 0; } @@ -564,9 +586,10 @@ static int cmd_timestamp(const char *args) { struct timespec tp = {}; clock_gettime(0, &tp); - printf("Current timestamp: %llu.%03lu\r\n", tp.tv_sec, tp.tv_nsec/1000000); + printf("Current timestamp: %lu.%03lu\r\n", + (long unsigned int)tp.tv_sec, tp.tv_nsec/1000000); printf("Current systick: %u\r\n", jiffies); - printf("VTOR: %08lx\r\n", (*(volatile uint32_t *)(0xE000ED08))); + printf("VTOR: 0x%08lx\r\n", (*(volatile uint32_t *)(0xE000ED08))); return 0; } @@ -687,6 +710,276 @@ static int cmd_test(const char *args) return 0; } +#ifdef WOLFBOOT_TPM +#include +#include + +static int TPM2_PCRs_Print(void) +{ + int rc; + int pcrCount, pcrIndex; + GetCapability_In capIn; + GetCapability_Out capOut; + TPML_PCR_SELECTION* pcrSel; + char algName[24]; + + /* List available PCR's */ + XMEMSET(&capIn, 0, sizeof(capIn)); + capIn.capability = TPM_CAP_PCRS; + capIn.property = 0; + capIn.propertyCount = 1; + rc = wolfBoot_tpm2_get_capability(&capIn, &capOut); + if (rc == TPM_RC_SUCCESS) { + pcrSel = &capOut.capabilityData.data.assignedPCR; + printf("Assigned PCR's:\r\n"); + for (pcrCount=0; pcrCount < (int)pcrSel->count; pcrCount++) { + + printf("\t%s: ", wolfBoot_tpm2_get_alg_name( + pcrSel->pcrSelections[pcrCount].hash, algName, sizeof(algName))); + for (pcrIndex=0; + pcrIndexpcrSelections[pcrCount].sizeofSelect*8; + pcrIndex++) { + if ((pcrSel->pcrSelections[pcrCount].pcrSelect[pcrIndex/8] & + ((1 << (pcrIndex % 8)))) != 0) { + printf(" %d", pcrIndex); + } + } + printf("\r\n"); + } + } + return rc; +} + +static int cmd_tpm_info(const char *args) +{ + int rc; + WOLFTPM2_CAPS caps; + TPML_HANDLE handles; +#ifdef WOLFBOOT_MEASURED_PCR_A + byte hashBuf[TPM_MAX_DIGEST_SIZE]; + int hashSz; +#endif + + printf("Get TPM 2.0 module information\r\n"); + + rc = wolfBoot_tpm2_caps(&caps); + if (rc == 0) { + printf("Mfg %s (%d), Vendor %s, Fw %u.%u (0x%x), " + "FIPS 140-2 %d, CC-EAL4 %d\r\n", + caps.mfgStr, caps.mfg, caps.vendorStr, caps.fwVerMajor, + caps.fwVerMinor, caps.fwVerVendor, caps.fips140_2, caps.cc_eal4); + } + + /* List the active persistent handles */ + rc = wolfBoot_tpm2_get_handles(PERSISTENT_FIRST, &handles); + if (rc >= 0) { + int i; + printf("Found %d persistent handles\r\n", rc); + for (i=0; i<(int)handles.count; i++) { + printf("\tHandle 0x%x\r\n", (unsigned int)handles.handle[i]); + } + rc = 0; + } + + /* Print the available PCR's */ + if (rc == 0) { + rc = TPM2_PCRs_Print(); + } + +#ifdef WOLFBOOT_MEASURED_PCR_A + /* Read measured boot PCR */ + if (rc == 0) { + char algName[24]; + printf("Measured boot: PCR %d - %s\r\n", WOLFBOOT_MEASURED_PCR_A, + wolfBoot_tpm2_get_alg_name(WOLFBOOT_TPM_PCR_ALG, algName, sizeof(algName))); + hashSz = 0; + rc = wolfBoot_tpm2_read_pcr(WOLFBOOT_MEASURED_PCR_A, hashBuf, &hashSz); + if (rc == 0) { + int i; + printf("PCR (%d bytes): ", hashSz); + for (i = 0; i < hashSz; i++) { + printf("%02x", hashBuf[i]); + } + printf("\r\n"); + } + } +#endif + + if (rc != 0) { + char error[100]; + printf("TPM error 0x%x: %s\r\n", + rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error))); + } + + return rc; +} + +#ifdef WOLFTPM_MFG_IDENTITY + +/* Forward declarations */ +static void print_signature(const TPMT_SIGNATURE* sig); + +static int cmd_tpm_idevid(const char *args) +{ + int rc; + uint8_t cert[1024]; + uint32_t certSz = (uint32_t)sizeof(cert); + uint32_t handle = TPM2_IDEVID_CERT_HANDLE; + + rc = wolfBoot_tpm2_read_cert(handle, cert, &certSz); + if (rc == 0) { + printf("IDevID Handle 0x%x\r\n", (unsigned int)handle); + print_hex(cert, certSz, 1); + } + else { + char error[100]; + printf("TPM error 0x%x: %s\r\n", + rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error))); + } + return rc; +} + +static int cmd_tpm_iak(const char *args) +{ + int rc; + uint8_t cert[1024]; + uint32_t certSz = (uint32_t)sizeof(cert); + uint32_t handle = TPM2_IAK_CERT_HANDLE; + + rc = wolfBoot_tpm2_read_cert(handle, cert, &certSz); + if (rc == 0) { + printf("IAK Handle 0x%x\r\n", (unsigned int)handle); + print_hex(cert, certSz, 1); + } + else { + char error[100]; + printf("TPM error 0x%x: %s\r\n", + rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error))); + } + return rc; +} + +static int cmd_tpm_signed_timestamp(const char *args) +{ + int rc; + WOLFTPM2_KEY aik; + GetTime_Out getTime; + TPMS_ATTEST timeAttest; + + rc = wolfBoot_tpm2_get_aik(&aik, NULL, 0); + if (rc == 0) { + rc = wolfBoot_tpm2_get_timestamp(&aik, &getTime); + } + if (rc == 0) { + rc = wolfBoot_tpm2_parse_attest(&getTime.timeInfo, &timeAttest); + } + if (rc == 0) { + if (timeAttest.magic != TPM_GENERATED_VALUE) { + printf("\tError, attested data not generated by the TPM = 0x%X\n", + (unsigned int)timeAttest.magic); + } + + printf("TPM with signature attests (type 0x%x):\n", timeAttest.type); + /* time value in milliseconds that advances while the TPM is powered */ + printf("\tTPM uptime since last power-up (in ms): %lu\n", + (unsigned long)timeAttest.attested.time.time.time); + /* time value in milliseconds that advances while the TPM is powered */ + printf("\tTPM clock, total time the TPM has been on (in ms): %lu\n", + (unsigned long)timeAttest.attested.time.time.clockInfo.clock); + /* number of occurrences of TPM Reset since the last TPM2_Clear() */ + printf("\tReset Count: %u\n", + (unsigned int)timeAttest.attested.time.time.clockInfo.resetCount); + /* number of times that TPM2_Shutdown() or _TPM_Hash_Start have occurred since the last TPM Reset or TPM2_Clear(). */ + printf("\tRestart Count: %u\n", + (unsigned int)timeAttest.attested.time.time.clockInfo.restartCount); + /* This parameter is set to YES when the value reported in Clock is guaranteed to be unique for the current Owner */ + printf("\tClock Safe: %u\n", + timeAttest.attested.time.time.clockInfo.safe); + /* a TPM vendor-specific value indicating the version number of the firmware */ + printf("\tFirmware Version (vendor specific): 0x%lX\n", + (unsigned long)timeAttest.attested.time.firmwareVersion); + + print_signature(&getTime.signature); + } + + if (rc != 0) { + char error[100]; + printf("TPM get timestamp error 0x%x: %s\r\n", + rc, wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error))); + } + + return rc; +} + +static void print_signature(const TPMT_SIGNATURE* sig) +{ + char algName[24]; + printf("\tTPM generated %s signature:\n", + wolfBoot_tpm2_get_alg_name(sig->sigAlg, algName, sizeof(algName))); + printf("\tHash algorithm: %s\n", + wolfBoot_tpm2_get_alg_name(sig->signature.any.hashAlg, algName, sizeof(algName))); + switch (sig->sigAlg) { + case TPM_ALG_ECDSA: + case TPM_ALG_ECDAA: + printf("\tR size: %d\n", sig->signature.ecdsa.signatureR.size); + print_hex(sig->signature.ecdsa.signatureR.buffer, sig->signature.ecdsa.signatureR.size, 0); + printf("\tS size: %d\n", sig->signature.ecdsa.signatureS.size); + print_hex(sig->signature.ecdsa.signatureS.buffer, sig->signature.ecdsa.signatureS.size, 0); + break; + case TPM_ALG_RSASSA: + case TPM_ALG_RSAPSS: + printf("\tSignature size: %d\n", sig->signature.rsassa.sig.size); + print_hex(sig->signature.rsassa.sig.buffer, sig->signature.rsassa.sig.size, 0); + break; + }; +} + +static int cmd_tpm_quote(const char *args) +{ + int rc; + WOLFTPM2_KEY aik; + Quote_Out quoteResult; + TPMS_ATTEST quoteAttest; + uint8_t pcrArray[1]; + uint32_t pcrArraySz = 0; + +#ifdef WOLFBOOT_MEASURED_PCR_A + pcrArray[0] = WOLFBOOT_MEASURED_PCR_A; + pcrArraySz++; +#else + pcrArray[0] = 16; /* test PCR */ + pcrArraySz++; +#endif + + rc = wolfBoot_tpm2_get_aik(&aik, NULL, 0); + if (rc == 0) { + rc = wolfBoot_tpm2_quote(&aik, pcrArray, pcrArraySz, "eResult); + } + if (rc == 0) { + rc = wolfBoot_tpm2_parse_attest("eResult.quoted, "eAttest); + } + if (rc == 0) { + printf("TPM with signature attests (type 0x%x):\n", quoteAttest.type); + printf("\tTPM signed %lu PCRs\n", + (unsigned long)quoteAttest.attested.quote.pcrSelect.count); + + printf("\tPCR digest:\n"); + print_hex(quoteAttest.attested.quote.pcrDigest.buffer, + quoteAttest.attested.quote.pcrDigest.size, 0); + + print_signature("eResult.signature); + } + else { + char error[100]; + printf("TPM quote error 0x%x: %s\r\n", rc, + wolfBoot_tpm2_get_rc_string(rc, error, sizeof(error))); + } + return rc; +} +#endif /* WOLFTPM_MFG_IDENTITY */ +#endif /* WOLFBOOT_TPM */ + + static int parse_cmd(const char *cmd) { int retval = -2; @@ -813,6 +1106,11 @@ void main(void) printf("Version : 0x%lx\r\n", app_version); printf("========================\r\n"); + cmd_info(NULL); +#ifdef WOLFBOOT_TPM + cmd_tpm_info(NULL); +#endif + console_loop(); while(1) diff --git a/test-app/app_stm32l5.c b/test-app/app_stm32l5.c index 0896c6f2b3..a81652dd33 100644 --- a/test-app/app_stm32l5.c +++ b/test-app/app_stm32l5.c @@ -134,8 +134,6 @@ void extra_led_off(void) GPIOB_BSRR |= (1 << (LED_EXTRA_PIN + 16)); } -static char CaBuf[2048]; -static uint8_t my_pubkey[200]; extern int ecdsa_sign_verify(int devId); diff --git a/test-app/wcs/pkcs11_stub.c b/test-app/wcs/pkcs11_stub.c index e7ba9ed1cf..9833c7adac 100644 --- a/test-app/wcs/pkcs11_stub.c +++ b/test-app/wcs/pkcs11_stub.c @@ -1,3 +1,25 @@ +/* pkcs11_stub.c + * + * Copyright (C) 2025 wolfSSL Inc. + * + * This file is part of wolfBoot. + * + * wolfBoot is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * wolfBoot is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#include "wolfboot/wc_secure.h" #include "wolfpkcs11/pkcs11.h" #include "wolfboot/wcs_pkcs11.h" @@ -439,7 +461,7 @@ CK_RV C_SignRecover(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pData, .pulSignatureLen = pulSignatureLen }; return C_SignRecover_nsc_call(&args); -} +} CK_RV C_VerifyInit(CK_SESSION_HANDLE hSession, diff --git a/test-app/wcs/user_settings.h b/test-app/wcs/user_settings.h index 7fdb865258..4d6bbce320 100644 --- a/test-app/wcs/user_settings.h +++ b/test-app/wcs/user_settings.h @@ -54,15 +54,17 @@ extern int tolower(int c); /* ECC */ +#define ECC_USER_CURVES #define HAVE_ECC -#define HAVE_ECC256 +#undef NO_ECC256 #define HAVE_ECC384 - +#ifdef WOLFSSL_HAVE_SP_ECC + #define WOLFSSL_SP_384 +#endif #ifndef NO_RSA /* RSA */ #define HAVE_RSA - #define WOLFSSL_KEY_GEN #define RSA_LOW_MEM #define WOLFSSL_RSA_VERIFY_INLINE #define WC_ASN_HASH_SHA256 @@ -102,6 +104,9 @@ extern int tolower(int c); #define WOLFSSL_AES_DIRECT #endif +#define HAVE_AESGCM +#define GCM_TABLE_4BIT + /* Hardening */ #define TFM_TIMING_RESISTANT #define ECC_TIMING_RESISTANT @@ -134,6 +139,7 @@ extern int tolower(int c); #define NO_ERROR_STRINGS #define NO_KDF +#define WC_TEST_NO_CRYPTOCB_SW_TEST #define BENCH_EMBEDDED #ifdef SECURE_PKCS11