TZ: PKCS11 wrappers via wolfPKCS11 in S world

pull/275/head
Daniele Lacamera 2023-04-20 11:38:54 +02:00
parent c849ddfebb
commit f7d6c17685
12 changed files with 838 additions and 16 deletions

3
.gitmodules vendored

@ -4,3 +4,6 @@
[submodule "lib/wolfTPM"]
path = lib/wolfTPM
url = https://github.com/wolfssl/wolfTPM
[submodule "lib/wolfPKCS11"]
path = lib/wolfPKCS11
url = https://github.com/wolfSSL/wolfPKCS11.git


@ -166,7 +166,7 @@ static void sau_init_region(uint32_t region, uint32_t start_addr,
void hal_tz_sau_init(void)
{
/* Non-secure callable: NSC functions area */
sau_init_region(0, 0x0C020000, 0x0C040000, 1);
sau_init_region(0, 0x0C038000, 0x0C040000, 1);
/* Non-secure: application flash area */
sau_init_region(1, 0x08040000, 0x0804FFFF, 0);
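Review bot: The new NSC window start `0x0C038000` in the region-0 call is a second, hand-maintained copy of the `FLASH_NSC` origin (`@WOLFBOOT_ORIGIN@ + 0x38000`) set in the linker script of this commit, and nothing ties the two values together. If they drift apart, either the secure gateway veneers end up outside the NSC window or part of the flash key vault that now sits directly below it becomes non-secure callable. I would add a comment such as `/* Must match FLASH_NSC in the linker script; FLASH_KEYVAULT below this address stays secure-only */`, or derive both bounds from linker-exported symbols. The end argument here is `0x0C040000` while the region-1 call passes the inclusive-looking `0x0804FFFF`; sau_init_region is defined outside this hunk, so please confirm which convention it expects. hal_tz_sau_init continues past the end of the hunk.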


@ -3,7 +3,8 @@ MEMORY
FLASH (rx) : ORIGIN = @WOLFBOOT_ORIGIN@, LENGTH = @BOOTLOADER_PARTITION_SIZE@
RAM (rwx) : ORIGIN = 0x30000000, LENGTH = 0x00016000
RAM_KV (rw): ORIGIN = 0x30016000, LENGTH = 0x2000
FLASH_NSC(rx): ORIGIN = @WOLFBOOT_ORIGIN@ + 0x20000, LENGTH = 0x20000
FLASH_KEYVAULT(rw): ORIGIN = @WOLFBOOT_ORIGIN@ + 0x20000, LENGTH = 0x18000
FLASH_NSC(rx): ORIGIN = @WOLFBOOT_ORIGIN@ + 0x38000, LENGTH = 0x8000
}
SECTIONS
@ -62,3 +63,7 @@ END_STACK = ORIGIN(RAM) + LENGTH(RAM);
_keyvault_origin = ORIGIN(RAM_KV);
_keyvault_size = LENGTH(RAM_KV);
_flash_keyvault = ORIGIN(FLASH_KEYVAULT);
_flash_keyvault_size = LENGTH(FLASH_KEYVAULT);
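Review bot: The `FLASH_KEYVAULT` and `FLASH_NSC` entries in the MEMORY block are placed by fixed offsets from `@WOLFBOOT_ORIGIN@`, while `FLASH` still takes its length from `@BOOTLOADER_PARTITION_SIZE@`, so nothing visible here stops bootloader code from growing into the key vault range when that size exceeds 0x20000. GNU ld does not reject overlapping MEMORY regions on its own, so I would add a link-time check that the last bootloader output section ends at or below `ORIGIN(FLASH_KEYVAULT)`, and pin the layout with `ASSERT(ORIGIN(FLASH_KEYVAULT) + LENGTH(FLASH_KEYVAULT) == ORIGIN(FLASH_NSC), "key vault must end where NSC starts")`. A one-line comment saying that FLASH_KEYVAULT must remain secure-only flash and that the SAU setup depends on these offsets would help the next person who edits either file.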


@ -243,7 +243,7 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
# endif
#endif
#ifdef EXT_ENCRYPTED
#if defined(EXT_ENCRYPTED) || defined(SECURE_PKCS11)
# define HAVE_PWDBASED
#else
# define NO_PWDBASED
@ -308,6 +308,16 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
#define NO_ECC_KEY_EXPORT
#endif
/* Disables - For minimum wolfCrypt build */
#ifndef WOLFBOOT_TPM
# if !defined(ENCRYPT_WITH_AES128) && !defined(ENCRYPT_WITH_AES256) && !defined(WOLFCRYPT_SECURE_MODE)
# define NO_AES
# endif
# if !defined(SECURE_PKCS11)
# define NO_HMAC
# endif
#endif
#define NO_CMAC
#define NO_CODING
#define WOLFSSL_NO_PEM
@ -382,4 +392,10 @@ int hal_trng_get_entropy(unsigned char *out, unsigned len);
#define XPRINTF uart_printf
#endif
#ifdef SECURE_PKCS11
typedef unsigned long time_t;
#endif
#endif /* !H_USER_SETTINGS_ */
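Review bot: The `typedef unsigned long time_t;` added under `SECURE_PKCS11` at the end of the header defines a libc type name in a settings file that is presumably included by every wolfCrypt and wolfPKCS11 translation unit. Any source that also pulls in `<time.h>` or `<sys/types.h>` would then see a conflicting definition, and the toolchain's own `time_t` may differ in width or signedness from `unsigned long`. Since the Makefile part of this commit builds with `NO_PKCS11_TIME`, the typedef looks like it only exists to satisfy declarations; if so, please say that in a comment, e.g. `/* No libc time in the secure world: time_t is only needed for wolfPKCS11 prototypes */`, and consider including `<time.h>` instead wherever the toolchain provides it.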


@ -0,0 +1,322 @@
#include "wolfpkcs11/pkcs11.h"
#ifndef WOLFBOOT_PKCS11_H
#define WOLFBOOT_PKCS11_H
struct C_SetPIN_nsc_args {
CK_SESSION_HANDLE hSession;
CK_UTF8CHAR_PTR pOldPin;
CK_ULONG ulOldLen;
CK_UTF8CHAR_PTR pNewPin;
CK_ULONG ulNewLen;
};
struct C_OpenSession_nsc_args {
CK_SLOT_ID slotID;
CK_FLAGS flags;
CK_VOID_PTR pApplication;
CK_NOTIFY Notify;
CK_SESSION_HANDLE_PTR phSession;
};
struct C_SetOperationState_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pOperationState;
CK_ULONG ulOperationStateLen;
CK_OBJECT_HANDLE hEncryptionKey;
CK_OBJECT_HANDLE hAuthenticationKey;
};
struct C_CopyObject_nsc_args {
CK_SESSION_HANDLE hSession;
CK_OBJECT_HANDLE hObject;
CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG ulCount;
CK_OBJECT_HANDLE_PTR phNewObject;
};
struct C_Encrypt_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pData;
CK_ULONG ulDataLen;
CK_BYTE_PTR pEncryptedData;
CK_ULONG_PTR pulEncryptedDataLen;
};
struct C_EncryptUpdate_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pPart;
CK_ULONG ulPartLen;
CK_BYTE_PTR pEncryptedPart;
CK_ULONG_PTR pulEncryptedPartLen;
};
struct C_Decrypt_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pEncryptedData;
CK_ULONG ulEncryptedDataLen;
CK_BYTE_PTR pData;
CK_ULONG_PTR pulDataLen;
};
struct C_DecryptUpdate_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pEncryptedPart;
CK_ULONG ulEncryptedPartLen;
CK_BYTE_PTR pPart;
CK_ULONG_PTR pulPartLen;
};
struct C_Digest_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pData;
CK_ULONG ulDataLen;
CK_BYTE_PTR pDigest;
CK_ULONG_PTR pulDigestLen;
};
struct C_Sign_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pData;
CK_ULONG ulDataLen;
CK_BYTE_PTR pSignature;
CK_ULONG_PTR pulSignatureLen;
};
struct C_SignRecover_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pData;
CK_ULONG ulDataLen;
CK_BYTE_PTR pSignature;
CK_ULONG_PTR pulSignatureLen;
};
struct C_Verify_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pData;
CK_ULONG ulDataLen;
CK_BYTE_PTR pSignature;
CK_ULONG ulSignatureLen;
};
struct C_VerifyRecover_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pSignature;
CK_ULONG ulSignatureLen;
CK_BYTE_PTR pData;
CK_ULONG_PTR pulDataLen;
};
struct C_DigestEncryptUpdate_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pPart;
CK_ULONG ulPartLen;
CK_BYTE_PTR pEncryptedPart;
CK_ULONG_PTR pulEncryptedPartLen;
};
struct C_DecryptDigestUpdate_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pEncryptedPart;
CK_ULONG ulEncryptedPartLen;
CK_BYTE_PTR pPart;
CK_ULONG_PTR pulPartLen;
};
struct C_SignEncryptUpdate_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pPart;
CK_ULONG ulPartLen;
CK_BYTE_PTR pEncryptedPart;
CK_ULONG_PTR pulEncryptedPartLen;
};
struct C_DecryptVerifyUpdate_nsc_args {
CK_SESSION_HANDLE hSession;
CK_BYTE_PTR pEncryptedPart;
CK_ULONG ulEncryptedPartLen;
CK_BYTE_PTR pPart;
CK_ULONG_PTR pulPartLen;
};
struct C_GenerateKey_nsc_args {
CK_SESSION_HANDLE hSession;
CK_MECHANISM_PTR pMechanism;
CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG ulCount;
CK_OBJECT_HANDLE_PTR phKey;
};
struct C_GenerateKeyPair_nsc_args {
CK_SESSION_HANDLE hSession;
CK_MECHANISM_PTR pMechanism;
CK_ATTRIBUTE_PTR pPublicKeyTemplate;
CK_ULONG ulPublicKeyAttributeCount;
CK_ATTRIBUTE_PTR pPrivateKeyTemplate;
CK_ULONG ulPrivateKeyAttributeCount;
CK_OBJECT_HANDLE_PTR phPublicKey;
CK_OBJECT_HANDLE_PTR phPrivateKey;
};
struct C_WrapKey_nsc_args {
CK_SESSION_HANDLE hSession;
CK_MECHANISM_PTR pMechanism;
CK_OBJECT_HANDLE hWrappingKey;
CK_OBJECT_HANDLE hKey;
CK_BYTE_PTR pWrappedKey;
CK_ULONG_PTR pulWrappedKeyLen;
};
struct C_UnwrapKey_nsc_args {
CK_SESSION_HANDLE hSession;
CK_MECHANISM_PTR pMechanism;
CK_OBJECT_HANDLE hUnwrappingKey;
CK_BYTE_PTR pWrappedKey;
CK_ULONG ulWrappedKeyLen;
CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG ulAttributeCount;
CK_OBJECT_HANDLE_PTR phKey;
};
struct C_DeriveKey_nsc_args {
CK_SESSION_HANDLE hSession;
CK_MECHANISM_PTR pMechanism;
CK_OBJECT_HANDLE hBaseKey;
CK_ATTRIBUTE_PTR pTemplate;
CK_ULONG ulAttributeCount;
CK_OBJECT_HANDLE_PTR phKey;
};
CK_RV __attribute__((cmse_nonsecure_entry)) C_Initialize_nsc_call(CK_VOID_PTR pInitArgs);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Finalize_nsc_call(CK_VOID_PTR pReserved);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetInfo_nsc_call(CK_INFO_PTR pInfo);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionList_nsc_call(CK_FUNCTION_LIST_PTR_PTR ppFunctionList);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotList_nsc_call(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotInfo_nsc_call(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetTokenInfo_nsc_call(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismList_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismInfo_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo);
CK_RV __attribute__((cmse_nonsecure_entry)) C_InitToken_nsc_call(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel);
CK_RV __attribute__((cmse_nonsecure_entry)) C_InitPIN_nsc_call(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SetPIN_nsc_call(struct C_SetPIN_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_OpenSession_nsc_call(struct C_OpenSession_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseSession_nsc_call(CK_SESSION_HANDLE hSession);
CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseAllSessions_nsc_call(CK_SLOT_ID slotID);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSessionInfo_nsc_call(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetOperationState_nsc_call(
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pOperationState,
CK_ULONG_PTR pulOperationStateLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SetOperationState_nsc_call(struct C_SetOperationState_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Login_nsc_call(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Logout_nsc_call(CK_SESSION_HANDLE hSession);
CK_RV __attribute__((cmse_nonsecure_entry)) C_CreateObject_nsc_call(CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phObject);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DestroyObject_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetObjectSize_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount);
CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount);
CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjects_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE_PTR phObject,
CK_ULONG ulMaxObjectCount,
CK_ULONG_PTR pulObjectCount);
CK_RV __attribute__((cmse_nonsecure_entry)) C_CopyObject_nsc_call(struct C_CopyObject_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsFinal_nsc_call(CK_SESSION_HANDLE hSession);
CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Encrypt_nsc_call(struct C_Encrypt_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptUpdate_nsc_call(struct C_EncryptUpdate_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptFinal_nsc_call(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pLastEncryptedPart,
CK_ULONG_PTR pulLastEncryptedPartLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Decrypt_nsc_call(struct C_Decrypt_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptUpdate_nsc_call(struct C_DecryptUpdate_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
CK_ULONG_PTR pulLastPartLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Digest_nsc_call(struct C_Digest_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestKey_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Sign_nsc_call(struct C_Sign_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecover_nsc_call(struct C_SignRecover_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_Verify_nsc_call(struct C_Verify_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_ULONG ulPartLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyFinal_nsc_call(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecoverInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey);
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecover_nsc_call(struct C_VerifyRecover_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestEncryptUpdate_nsc_call(struct C_DigestEncryptUpdate_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptDigestUpdate_nsc_call(struct C_DecryptDigestUpdate_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignEncryptUpdate_nsc_call(struct C_SignEncryptUpdate_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptVerifyUpdate_nsc_call(struct C_DecryptVerifyUpdate_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKey_nsc_call(struct C_GenerateKey_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKeyPair_nsc_call(struct C_GenerateKeyPair_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_WrapKey_nsc_call(struct C_WrapKey_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_UnwrapKey_nsc_call(struct C_UnwrapKey_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_DeriveKey_nsc_call(struct C_DeriveKey_nsc_args *args);
CK_RV __attribute__((cmse_nonsecure_entry)) C_SeedRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen);
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionStatus_nsc_call(CK_SESSION_HANDLE hSession);
CK_RV __attribute__((cmse_nonsecure_entry)) C_CancelFunction_nsc_call(CK_SESSION_HANDLE hSession);
CK_RV __attribute__((cmse_nonsecure_entry)) C_WaitForSlotEvent_nsc_call(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved);
#endif
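Review bot: The header carries no comment explaining why some entry points take a `struct ..._nsc_args *` while others keep the plain PKCS#11 argument list, and nothing marks the struct members as controlled by the non-secure caller. My reading is that the structs exist for the calls with more than four arguments, because a `cmse_nonsecure_entry` function cannot receive stack-passed arguments; a file-level comment saying so, and stating that every pointer and length inside these structs originates in the non-secure world and has to be validated on the secure side, would make the contract explicit. The `#include "wolfpkcs11/pkcs11.h"` line also sits above the `#ifndef WOLFBOOT_PKCS11_H` guard; moving it inside the guard is the usual layout.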

1
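--- a/lib/wolfPKCS11
+++ b/lib/wolfPKCS11
@@ -0,0 +1 @@
+Subproject commit eca242ea16d77d698a61eb4a9b20dca0853da20e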


@ -536,6 +536,32 @@ ifeq ($(WOLFBOOT_HUGE_STACK),1)
CFLAGS+=-DWOLFBOOT_HUGE_STACK
endif
ifeq ($(SECURE_PKCS11),1)
CFLAGS+=-DSECURE_PKCS11
CFLAGS+=-DCK_CALLABLE="__attribute__((cmse_nonsecure_entry))"
CFLAGS+=-DHAVE_PBKDF2
CFLAGS+=-DWOLFPKCS11_CUSTOM_STORE
CFLAGS+=-DWOLFBOOT_SECURE_PKCS11 -Ilib/wolfPKCS11
CFLAGS+=-DWOLFPKCS11_USER_SETTINGS
CFLAGS+=-DWOLFSSL_AES_COUNTER -DWOLFSSL_AES_DIRECT -DWOLFSSL_AES_GCM
CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128
CFLAGS+=-DHAVE_SCRYPT
CFLAGS+=-DHAVE_AESGCM
CFLAGS+=-DNO_PKCS11_TIME
OBJS+=src/pkcs11_store.o
OBJS+=src/pkcs11_callable.o
WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/aes.o
WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/pwdbased.o
WOLFCRYPT_OBJS+=./lib/wolfssl/wolfcrypt/src/hmac.o
WOLFCRYPT_OBJS+=./lib/wolfPKCS11/src/crypto.o \
./lib/wolfPKCS11/src/internal.o \
./lib/wolfPKCS11/src/slot.o \
./lib/wolfPKCS11/src/wolfpkcs11.o
endif
OBJS+=$(PUBLIC_KEY_OBJS)
OBJS+=$(UPDATE_OBJS)
ifeq ($(WOLFTPM),1)
OBJS+=\
./src/tpm.o \
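Review bot: Inside the new `ifeq ($(SECURE_PKCS11),1)` block, `CFLAGS+=-DENCRYPT_WITH_AES128 -DWOLFSSL_AES_128` turns on a macro that the settings header in this same commit also tests to decide whether AES is compiled at all (`!defined(ENCRYPT_WITH_AES128) && !defined(ENCRYPT_WITH_AES256)`), so it reads as the partition-encryption selector being reused just to get AES linked. If a build also selects a different cipher for encrypted updates, both selectors would be defined at once; the rest of the Makefile is outside this hunk, so I cannot tell how that resolves. Likewise `aes.o`, `pwdbased.o` and `hmac.o` are appended unconditionally and may already be in `WOLFCRYPT_OBJS` through another option. A dedicated define for the PKCS11 AES requirement, plus a short comment on why each flag is needed, would keep the two features independent.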


@ -0,0 +1,393 @@
#include "wolfpkcs11/pkcs11.h"
#include "wolfboot/wcs_pkcs11.h"
CK_RV __attribute__((cmse_nonsecure_entry)) C_Initialize_nsc_call(CK_VOID_PTR pInitArgs)
{
return C_Initialize(pInitArgs);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Finalize_nsc_call(CK_VOID_PTR pReserved)
{
return C_Finalize(pReserved);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetInfo_nsc_call(CK_INFO_PTR pInfo)
{
return C_GetInfo(pInfo);
}
WP11_API CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionList_nsc_call(CK_FUNCTION_LIST_PTR_PTR ppFunctionList)
{
return C_GetFunctionList(ppFunctionList);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotList_nsc_call(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
{
return C_GetSlotList(tokenPresent, pSlotList, pulCount);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSlotInfo_nsc_call(CK_SLOT_ID slotID, CK_SLOT_INFO_PTR pInfo)
{
return C_GetSlotInfo(slotID, pInfo);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetTokenInfo_nsc_call(CK_SLOT_ID slotID, CK_TOKEN_INFO_PTR pInfo)
{
return C_GetTokenInfo(slotID, pInfo);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismList_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
{
return C_GetMechanismList(slotID, pMechanismList, pulCount);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetMechanismInfo_nsc_call(CK_SLOT_ID slotID, CK_MECHANISM_TYPE type, CK_MECHANISM_INFO_PTR pInfo)
{
return C_GetMechanismInfo(slotID, type, pInfo);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_InitToken_nsc_call(CK_SLOT_ID slotID, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen, CK_UTF8CHAR_PTR pLabel)
{
return C_InitToken(slotID, pPin, ulPinLen, pLabel);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_InitPIN_nsc_call(CK_SESSION_HANDLE hSession, CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen)
{
return C_InitPIN(hSession, pPin, ulPinLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SetPIN_nsc_call(struct C_SetPIN_nsc_args *args)
{
return C_SetPIN(args->hSession, args->pOldPin, args->ulOldLen, args->pNewPin,
args->ulNewLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_OpenSession_nsc_call(struct C_OpenSession_nsc_args *args) {
return C_OpenSession(args->slotID, args->flags, args->pApplication, args->Notify, args->phSession);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseSession_nsc_call(CK_SESSION_HANDLE hSession)
{
return C_CloseSession(hSession);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_CloseAllSessions_nsc_call(CK_SLOT_ID slotID)
{
return C_CloseAllSessions(slotID);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetSessionInfo_nsc_call(CK_SESSION_HANDLE hSession, CK_SESSION_INFO_PTR pInfo)
{
return C_GetSessionInfo(hSession, pInfo);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetOperationState_nsc_call(
CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pOperationState,
CK_ULONG_PTR pulOperationStateLen) {
return C_GetOperationState(hSession, pOperationState, pulOperationStateLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SetOperationState_nsc_call(struct C_SetOperationState_nsc_args *args) {
return C_SetOperationState(args->hSession, args->pOperationState, args->ulOperationStateLen, args->hEncryptionKey, args->hAuthenticationKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Login_nsc_call(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType,
CK_UTF8CHAR_PTR pPin, CK_ULONG ulPinLen) {
return C_Login(hSession, userType, pPin, ulPinLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Logout_nsc_call(CK_SESSION_HANDLE hSession) {
return C_Logout(hSession);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_CreateObject_nsc_call(CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount,
CK_OBJECT_HANDLE_PTR phObject) {
return C_CreateObject(hSession, pTemplate, ulCount, phObject);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DestroyObject_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject) {
return C_DestroyObject(hSession, hObject);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetObjectSize_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject, CK_ULONG_PTR pulSize) {
return C_GetObjectSize(hSession, hObject, pulSize);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
return C_GetAttributeValue(hSession, hObject, pTemplate, ulCount);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SetAttributeValue_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE hObject,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
return C_SetAttributeValue(hSession, hObject, pTemplate, ulCount);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_ATTRIBUTE_PTR pTemplate, CK_ULONG ulCount) {
return C_FindObjectsInit(hSession, pTemplate, ulCount);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjects_nsc_call(CK_SESSION_HANDLE hSession,
CK_OBJECT_HANDLE_PTR phObject,
CK_ULONG ulMaxObjectCount,
CK_ULONG_PTR pulObjectCount) {
return C_FindObjects(hSession, phObject, ulMaxObjectCount, pulObjectCount);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_CopyObject_nsc_call(struct C_CopyObject_nsc_args *args) {
return C_CopyObject(args->hSession, args->hObject, args->pTemplate, args->ulCount, args->phNewObject);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_FindObjectsFinal_nsc_call(CK_SESSION_HANDLE hSession)
{
return C_FindObjectsFinal(hSession);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
return C_EncryptInit(hSession, pMechanism, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Encrypt_nsc_call(struct C_Encrypt_nsc_args *args) {
return C_Encrypt(args->hSession, args->pData, args->ulDataLen, args->pEncryptedData, args->pulEncryptedDataLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptUpdate_nsc_call(struct C_EncryptUpdate_nsc_args *args) {
return C_EncryptUpdate(args->hSession, args->pPart, args->ulPartLen, args->pEncryptedPart, args->pulEncryptedPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_EncryptFinal_nsc_call(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pLastEncryptedPart,
CK_ULONG_PTR pulLastEncryptedPartLen)
{
return C_EncryptFinal(hSession, pLastEncryptedPart, pulLastEncryptedPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
return C_DecryptInit(hSession, pMechanism, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Decrypt_nsc_call(struct C_Decrypt_nsc_args *args) {
return C_Decrypt(args->hSession, args->pEncryptedData, args->ulEncryptedDataLen, args->pData, args->pulDataLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptUpdate_nsc_call(struct C_DecryptUpdate_nsc_args *args) {
return C_DecryptUpdate(args->hSession, args->pEncryptedPart, args->ulEncryptedPartLen, args->pPart, args->pulPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pLastPart,
CK_ULONG_PTR pulLastPartLen)
{
return C_DecryptFinal(hSession, pLastPart, pulLastPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism)
{
return C_DigestInit(hSession, pMechanism);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Digest_nsc_call(struct C_Digest_nsc_args *args) {
return C_Digest(args->hSession, args->pData, args->ulDataLen, args->pDigest, args->pulDigestLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen)
{
return C_DigestUpdate(hSession, pPart, ulPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestKey_nsc_call(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hKey)
{
return C_DigestKey(hSession, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pDigest, CK_ULONG_PTR pulDigestLen)
{
return C_DigestFinal(hSession, pDigest, pulDigestLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
return C_SignInit(hSession, pMechanism, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Sign_nsc_call(struct C_Sign_nsc_args *args) {
return C_Sign(args->hSession, args->pData, args->ulDataLen, args->pSignature, args->pulSignatureLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart, CK_ULONG ulPartLen)
{
return C_SignUpdate(hSession, pPart, ulPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignFinal_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSignature, CK_ULONG_PTR pulSignatureLen)
{
return C_SignFinal(hSession, pSignature, pulSignatureLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecoverInit_nsc_call(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
return C_SignRecoverInit(hSession, pMechanism, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignRecover_nsc_call(struct C_SignRecover_nsc_args *args) {
return C_SignRecover(args->hSession, args->pData, args->ulDataLen, args->pSignature, args->pulSignatureLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism, CK_OBJECT_HANDLE hKey)
{
return C_VerifyInit(hSession, pMechanism, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_Verify_nsc_call(struct C_Verify_nsc_args *args) {
return C_Verify(args->hSession, args->pData, args->ulDataLen, args->pSignature, args->ulSignatureLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyUpdate_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pPart,
CK_ULONG ulPartLen)
{
return C_VerifyUpdate(hSession, pPart, ulPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyFinal_nsc_call(CK_SESSION_HANDLE hSession,
CK_BYTE_PTR pSignature, CK_ULONG ulSignatureLen)
{
return C_VerifyFinal(hSession, pSignature, ulSignatureLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecoverInit_nsc_call(CK_SESSION_HANDLE hSession,
CK_MECHANISM_PTR pMechanism,
CK_OBJECT_HANDLE hKey)
{
return C_VerifyRecoverInit(hSession, pMechanism, hKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_VerifyRecover_nsc_call(struct C_VerifyRecover_nsc_args *args) {
return C_VerifyRecover(args->hSession, args->pSignature, args->ulSignatureLen, args->pData, args->pulDataLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DigestEncryptUpdate_nsc_call(struct C_DigestEncryptUpdate_nsc_args *args) {
return C_DigestEncryptUpdate(args->hSession, args->pPart, args->ulPartLen, args->pEncryptedPart, args->pulEncryptedPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptDigestUpdate_nsc_call(struct C_DecryptDigestUpdate_nsc_args *args) {
return C_DecryptDigestUpdate(args->hSession, args->pEncryptedPart, args->ulEncryptedPartLen, args->pPart, args->pulPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SignEncryptUpdate_nsc_call(struct C_SignEncryptUpdate_nsc_args *args) {
return C_SignEncryptUpdate(args->hSession, args->pPart, args->ulPartLen, args->pEncryptedPart, args->pulEncryptedPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DecryptVerifyUpdate_nsc_call(struct C_DecryptVerifyUpdate_nsc_args *args) {
return C_DecryptVerifyUpdate(args->hSession, args->pEncryptedPart, args->ulEncryptedPartLen, args->pPart, args->pulPartLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKey_nsc_call(struct C_GenerateKey_nsc_args *args) {
return C_GenerateKey(args->hSession, args->pMechanism, args->pTemplate, args->ulCount, args->phKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateKeyPair_nsc_call(struct C_GenerateKeyPair_nsc_args *args) {
return C_GenerateKeyPair(args->hSession, args->pMechanism, args->pPublicKeyTemplate, args->ulPublicKeyAttributeCount, args->pPrivateKeyTemplate, args->ulPrivateKeyAttributeCount, args->phPublicKey, args->phPrivateKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_WrapKey_nsc_call(struct C_WrapKey_nsc_args *args) {
return C_WrapKey(args->hSession, args->pMechanism, args->hWrappingKey, args->hKey, args->pWrappedKey, args->pulWrappedKeyLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_UnwrapKey_nsc_call(struct C_UnwrapKey_nsc_args *args) {
return C_UnwrapKey(args->hSession, args->pMechanism, args->hUnwrappingKey, args->pWrappedKey, args->ulWrappedKeyLen, args->pTemplate, args->ulAttributeCount, args->phKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_DeriveKey_nsc_call(struct C_DeriveKey_nsc_args *args) {
return C_DeriveKey(args->hSession, args->pMechanism, args->hBaseKey, args->pTemplate, args->ulAttributeCount, args->phKey);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_SeedRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pSeed, CK_ULONG ulSeedLen)
{
return C_SeedRandom(hSession, pSeed, ulSeedLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GenerateRandom_nsc_call(CK_SESSION_HANDLE hSession, CK_BYTE_PTR pRandomData, CK_ULONG ulRandomLen)
{
return C_GenerateRandom(hSession, pRandomData, ulRandomLen);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_GetFunctionStatus_nsc_call(CK_SESSION_HANDLE hSession)
{
return C_GetFunctionStatus(hSession);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_CancelFunction_nsc_call(CK_SESSION_HANDLE hSession)
{
return C_CancelFunction(hSession);
}
CK_RV __attribute__((cmse_nonsecure_entry)) C_WaitForSlotEvent_nsc_call(CK_FLAGS flags, CK_SLOT_ID_PTR pSlot, CK_VOID_PTR pReserved)
{
return C_WaitForSlotEvent(flags, pSlot, pReserved);
}
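Review bot: Every wrapper in this file hands pointers received from the non-secure caller straight to wolfPKCS11, and the struct-based ones dereference `args` itself, without checking that the referenced memory is actually non-secure. Running in secure state, the library will read from or write to whatever address it is given, so members such as `pSignature`, `pulSignatureLen` or `pData` can be pointed at secure RAM or flash by the non-secure application. Each entry should validate `args` and every buffer with `cmse_check_pointed_object` / `cmse_check_address_range` from `<arm_cmse.h>`, work on a secure-side copy of the struct so the values cannot change after the check, and return `CKR_ARGUMENTS_BAD` on failure; the sketch below shows the pattern for `C_Sign_nsc_call`. Caller-supplied callbacks (`Notify` in C_OpenSession, anything reachable through `pInitArgs`) and the function list handed back by C_GetFunctionList need the same scrutiny, and `wcs_get_random` in the secure-world source later in this commit writes through an unchecked `rand` pointer as well.

```c
CK_RV __attribute__((cmse_nonsecure_entry)) C_Sign_nsc_call(struct C_Sign_nsc_args *args) {
    struct C_Sign_nsc_args a;
    CK_ULONG sigLen;
    CK_RV rv;

    /* args lives in non-secure memory: check it, then work on a secure copy */
    if (cmse_check_pointed_object(args, CMSE_NONSECURE | CMSE_MPU_READ) == NULL)
        return CKR_ARGUMENTS_BAD;
    a = *args;

    /* The length word is read and written back, so it must be NS read/write */
    if (cmse_check_pointed_object(a.pulSignatureLen,
                                  CMSE_NONSECURE | CMSE_MPU_READWRITE) == NULL)
        return CKR_ARGUMENTS_BAD;
    sigLen = *a.pulSignatureLen;

    if (a.ulDataLen != 0 &&
        cmse_check_address_range(a.pData, a.ulDataLen,
                                 CMSE_NONSECURE | CMSE_MPU_READ) == NULL)
        return CKR_ARGUMENTS_BAD;

    /* pSignature may be NULL when the caller only queries the length */
    if (a.pSignature != NULL && sigLen != 0 &&
        cmse_check_address_range(a.pSignature, sigLen,
                                 CMSE_NONSECURE | CMSE_MPU_READWRITE) == NULL)
        return CKR_ARGUMENTS_BAD;

    rv = C_Sign(a.hSession, a.pData, a.ulDataLen, a.pSignature, &sigLen);
    *a.pulSignatureLen = sigLen;
    return rv;
}
```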

50
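--- a/src/pkcs11_store.c
+++ b/src/pkcs11_store.c
@@ -0,0 +1,50 @@
+/* pkcs11_store.c
+*
+* Copyright (C) 2023 wolfSSL Inc.
+*
+* This file is part of wolfBoot.
+*
+* wolfBoot is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 2 of the License, or
+* (at your option) any later version.
+*
+* wolfBoot is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+#include "wolfpkcs11/pkcs11.h"
+#include "wolfpkcs11/store.h"
+int wolfPKCS11_Store_Open(int type, CK_ULONG id1, CK_ULONG id2, int read,
+void** store)
+{
+/* Stub */
+return -1;
+}
+void wolfPKCS11_Store_Close(void* store)
+{
+/* Stub */
+}
+int wolfPKCS11_Store_Read(void* store, unsigned char* buffer, int len)
+{
+/* Stub */
+return -1;
+}
+int wolfPKCS11_Store_Write(void* store, unsigned char* buffer, int len)
+{
+/* Stub */
+return -1;
+}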
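Review bot: All four storage callbacks are bare `/* Stub */` bodies that return -1, and `wolfPKCS11_Store_Open` leaves `*store` untouched on that path. Since the build enables `WOLFPKCS11_CUSTOM_STORE`, these appear to be the only persistence backend, so token state such as PINs and keys will presumably not survive a reset and the new `FLASH_KEYVAULT` region is not used yet; that deserves a sentence in the file header rather than a bare stub marker. I would also set `*store = NULL;` before returning from Open so a caller that ignores the result cannot pick up an indeterminate handle, and add `(void)` casts for the unused parameters to keep warning-clean builds.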


@ -9,6 +9,9 @@
#include "hal.h"
#include <stdint.h>
#ifdef CRYPTO_CB_HSM
/* From linker script, dedicated RAM area in secure mode */
extern uint32_t _keyvault_origin, _keyvault_size;
@ -481,17 +484,6 @@ wcs_ecdh_shared(int privkey_slot_id, int pubkey_slot_id, word32 outlen)
return shared_slot_id;
}
int __attribute__((cmse_nonsecure_entry))
wcs_get_random(uint8_t *rand, uint32_t size)
{
int ret;
WC_RNG wcs_rng;
wc_InitRng(&wcs_rng);
ret = wc_RNG_GenerateBlock(&wcs_rng, rand, size);
wc_FreeRng(&wcs_rng);
return ret;
}
int __attribute__((cmse_nonsecure_entry))
wcs_slot_read(int slot_id, uint8_t *buffer, uint32_t len)
{
@ -524,11 +516,26 @@ wcs_slot_read(int slot_id, uint8_t *buffer, uint32_t len)
XMEMCPY(buffer, &item->key.raw, len);
return len;
}
#endif /* CRYPTO_CB_HSM */
int __attribute__((cmse_nonsecure_entry))
wcs_get_random(uint8_t *rand, uint32_t size)
{
int ret;
WC_RNG wcs_rng;
wc_InitRng(&wcs_rng);
ret = wc_RNG_GenerateBlock(&wcs_rng, rand, size);
wc_FreeRng(&wcs_rng);
return ret;
}
void wcs_Init(void)
{
hal_trng_init();
#ifdef CRYPTO_CB_HSM
keyvault_init();
#endif
}
#endif
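Review bot: In the relocated `wcs_get_random`, the result of `wc_InitRng(&wcs_rng)` is ignored, so a seeding failure is only noticed indirectly through whatever `wc_RNG_GenerateBlock` does with a `WC_RNG` that was never initialised. Now that this entry point is built regardless of `CRYPTO_CB_HSM`, it is the random source offered to any non-secure caller and should fail closed: `ret = wc_InitRng(&wcs_rng); if (ret != 0) return ret;` before generating. The function also creates and seeds a fresh RNG on every call; a comment stating whether that is intentional would help reviewers judge the cost.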


@ -112,8 +112,6 @@ void main(void)
for (i = 0; i < (rand / 100000000); i++)
;
wcs_slot_read(0, (unsigned char *)CaBuf, 2048);
#endif
hal_init();
uart_init(115200, 8, 'N', 1);


@ -69,6 +69,7 @@ ifeq ($(ARCH),)
DELTA_UPDATES?=0
DELTA_BLOCK_SIZE?=256
WOLFBOOT_HUGE_STACK?=0
SECURE_PKCS11?=0
ARMORED?=0
ELF?=0
FORCE_32BIT=0