From cbcd7bca2cbde1e43ede0c496ff4049061e0e004 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 19 May 2025 21:41:49 +0200 Subject: [PATCH 01/31] added support for Tropic01 crypto callbacks --- configure.ac | 47 +++ wolfcrypt/src/include.am | 5 + wolfcrypt/src/port/tropicsquare/tropic01.c | 355 ++++++++++++++++++ wolfcrypt/src/wc_port.c | 12 +- wolfssl/wolfcrypt/include.am | 5 + .../wolfcrypt/port/tropicsquare/tropic01.h | 82 ++++ 6 files changed, 505 insertions(+), 1 deletion(-) create mode 100644 wolfcrypt/src/port/tropicsquare/tropic01.c create mode 100644 wolfssl/wolfcrypt/port/tropicsquare/tropic01.h diff --git a/configure.ac b/configure.ac index 0a4010ad2..5220fbe74 100644 --- a/configure.ac +++ b/configure.ac @@ -2845,6 +2845,51 @@ AC_ARG_WITH([cryptoauthlib], ] ) + +# TropicSquare TROPIC01 +# Example: "./configure --with-tropic01=/home/pi/libtropic" +ENABLED_TROPIC01="no" +trylibtropicdir="" +AC_ARG_WITH([tropic01], + [AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])], + [ + AC_MSG_CHECKING([for tropic01]) + CPPFLAGS="$CPPFLAGS -DWOLFSSL_TROPIC01" + LIBS="$LIBS -llibtropic" + + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) + + if test "x$libtropic_linked" = "xno" ; then + if test "x$withval" != "xno" ; then + trylibtropicdir=$withval + fi + if test "x$withval" = "xyes" ; then + trylibtropicdir="/usr" + fi + + LDFLAGS="$LDFLAGS -L$trylibtropicdir/lib" + CPPFLAGS="$CPPFLAGS -I$trylibtropicdir/lib" + + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) + + if test "x$libtropic_linked" = "xno" ; then + AC_MSG_ERROR([libtropic isn't found. + If it's already installed, specify its path using --with-tropic01=/dir/]) + fi + + AM_LDFLAGS="$AM_LDFLAGS -L$trylibtropicdir/lib" + AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/lib" + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([yes]) + fi + + ENABLED_TROPIC01="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + ] +) + + # NXP SE050 # Example: "./configure --with-se050=/home/pi/simw_top" ENABLED_SE050="no" @@ -10649,6 +10694,7 @@ AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM_QNX" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"]) AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"]) +AM_CONDITIONAL([BUILD_TROPIC01],[test "x$ENABLED_TROPIC01" = "xyes"]) AM_CONDITIONAL([BUILD_KDF],[test "x$ENABLED_KDF" = "xyes"]) AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"]) AM_CONDITIONAL([BUILD_ERROR_STRINGS],[test "x$ENABLED_ERROR_STRINGS" = "xyes"]) @@ -11177,6 +11223,7 @@ echo " * i.MX CAAM: $ENABLED_CAAM" echo " * IoT-Safe: $ENABLED_IOTSAFE" echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG" echo " * NXP SE050: $ENABLED_SE050" +echo " * TROPIC01: $ENABLED_TROPIC01" echo " * Maxim Integrated MAXQ10XX: $ENABLED_MAXQ10XX" echo " * PSA: $ENABLED_PSA" echo " * System CA certs: $ENABLED_SYS_CA_CERTS" diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 872dffd0f..36fcb914f 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -105,6 +105,7 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/st/README.md \ wolfcrypt/src/port/st/STM32MP13.md \ wolfcrypt/src/port/st/STM32MP25.md \ + wolfcrypt/src/port/tropicsquare/tropic01.c \ wolfcrypt/src/port/af_alg/afalg_aes.c \ wolfcrypt/src/port/af_alg/afalg_hash.c \ wolfcrypt/src/port/kcapi/kcapi_aes.c \ @@ -220,6 +221,10 @@ if BUILD_SE050 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/nxp/se050_port.c endif +if BUILD_TROPIC01 +src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/tropicsquare/tropic01.c +endif + if BUILD_PSA src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/psa/psa.c src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/psa/psa_hash.c diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c new file mode 100644 index 000000000..0f0be4e62 --- /dev/null +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -0,0 +1,355 @@ +/* tropic01.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + * +*/ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include +#include +#include +#include +#include +#include + +#include + +/* + * TROPIC01 hardware RNG implementation + */ +static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx) +{ + int ret = 0; + // Default factory pairing keys + byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; + // Engineering samples 01 keys: + byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; + byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; + lt_handle_t h; + lt_ret_t rett; + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Requesting %u bytes", sz); + + if (out == NULL || ctx == NULL || !ctx->initialized || sz == 0) + return BAD_FUNC_ARG; + + /* Call TROPIC01 TRNG API to get random data */ + + + rett = lt_init(&h); + if(rett != LT_OK) { + //printf("Error lt_init(): %s", lt_ret_verbose(ret)); + return rett; + } + ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); + if(ret != LT_OK) { + //printf("Error sec channel: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return ret; + } + ret = lt_random_get(&h, out, sz); + if(ret != LT_OK) { + //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return ret; + } + ret = lt_deinit(&h); + if(ret != LT_OK) { + //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); + return ret; + } + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); + return ret; +} + +/* + * Retrive the AES key from the secure memory of TROPIC01 + */ + +static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx) +{ + int ret; + // Default factory pairing keys + byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; + // Engineering samples 01 keys: + byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; + byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; + lt_handle_t h; + lt_ret_t rett; + WOLFSSL_MSG_EX("TROPIC01: GetKey: Retrieving key from slot %d", keySlot); + + if (aes == NULL || ctx == NULL || !ctx->initialized || keySlot < 0 || keySlot >= 511) + return BAD_FUNC_ARG; + + /* Check key size */ + if (keySz != 16 && keySz != 24 && keySz != 32) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Unsupported key size %u", keySz); + return BAD_FUNC_ARG; + } + + /* Retrieve key from TROPIC01 */ + rett = lt_init(&h); + if(rett != LT_OK) { + //printf("Error lt_init(): %s", lt_ret_verbose(ret)); + return rett; + } + ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); + if(ret != LT_OK) { + //printf("Error sec channel: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return ret; + } + ret = lt_r_mem_data_read(&h, keySlot, (byte*)aes->key, keySz); + if(ret != LT_OK) { + //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return 1; + } + ret = lt_deinit(&h); + if(ret != LT_OK) { + //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); + return ret; + } + + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); + return ret; + } + + WOLFSSL_MSG_EX("TROPIC01: GetKey: Key retrieved successfully"); + return 0; +} + +/** + * Find an available key slot in the TROPIC01 + */ +static int Tropic01_FindFreeKeySlot(Tropic01CryptoDevCtx* ctx) +{ + int i; + + WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: Searching for available slot"); + + for (i = 0; i < 8; i++) { + if (ctx->keySlotUsage[i] == 0) { + ctx->keySlotUsage[i] = 1; + WOLFSSL_MSG_EX("TROPIC01: FindFreeKeySlot: Found slot %d", i); + return i; + } + } + + WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: No free slots available"); + return -1; +} + +/** + * Store AES key in TROPIC01 secure memory + */ +static int Tropic01_StoreKey(Aes* aes, const byte* key, word32 keySz, Tropic01CryptoDevCtx* ctx) +{ + int ret; + int keySlot; + Tropic01KeyRef* keyRef; + + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Storing key of size %u bytes", keySz); + + if (aes == NULL || key == NULL || ctx == NULL || !ctx->initialized) + return BAD_FUNC_ARG; + + /* Check key size */ + if (keySz != 16 && keySz != 24 && keySz != 32) { + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Unsupported key size %u", keySz); + return BAD_FUNC_ARG; + } + + /* Find available key slot */ + keySlot = Tropic01_FindFreeKeySlot(ctx); + if (keySlot < 0) { + WOLFSSL_MSG("TROPIC01: StoreKey: No free key slots available"); + return MEMORY_E; + } + + /* Allocate key reference */ + keyRef = (Tropic01KeyRef*)XMALLOC(sizeof(Tropic01KeyRef), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (keyRef == NULL) { + ctx->keySlotUsage[keySlot] = 0; + return MEMORY_E; + } + + /* Store key in TROPIC01 */ + /* Example TROPIC01_StoreKey call */ + ret = 0; /* Replace with actual implementation */ + + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Failed to store key in slot %d, ret=%d", keySlot, ret); + XFREE(keyRef, NULL, DYNAMIC_TYPE_TMP_BUFFER); + ctx->keySlotUsage[keySlot] = 0; + return ret; + } + + /* Initialize key reference */ + keyRef->keySlot = keySlot; + keyRef->keySize = keySz; + keyRef->keyType = 0; + keyRef->isValid = 1; + + /* Store reference in AES structure */ + //aes->devKey = keySlot; + //aes->devCtx = keyRef; + + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Key stored successfully in slot %d", keySlot); + return 0; +} + +/** + * Crypto Callback function for TROPIC01 + */ +int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) +{ + int ret = CRYPTOCB_UNAVAILABLE; + Tropic01CryptoDevCtx* tropicCtx = (Tropic01CryptoDevCtx*)ctx; + + + if (info == NULL || tropicCtx == NULL || !tropicCtx->initialized || devId == -2) + return BAD_FUNC_ARG; + + switch (info->algo_type) { + case WC_ALGO_TYPE_RNG: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: RNG generation request (%u bytes)", info->rng.sz); + ret = Tropic01_GetRandom(info->rng.out, info->rng.sz, tropicCtx); + break; + case WC_ALGO_TYPE_SEED: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); + ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz, tropicCtx); + break; + case WC_ALGO_TYPE_CIPHER: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: AES request (%u bytes)", info->aes_setkey.keySz); + ret = Tropic01_StoreKey(NULL, NULL, 32, tropicCtx); + //ret = Tropic01_GetKey(NULL, NULL, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); +#if !defined(NO_AES) || !defined(NO_DES3) + #ifdef HAVE_AESGCM + if (info->cipher.type == WC_CIPHER_AES_GCM) { + if (info->cipher.enc) { + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); + return ret; + } + ret = wc_AesGcmEncrypt( + info->cipher.aesgcm_enc.aes, + info->cipher.aesgcm_enc.out, + info->cipher.aesgcm_enc.in, + info->cipher.aesgcm_enc.sz, + info->cipher.aesgcm_enc.iv, + info->cipher.aesgcm_enc.ivSz, + info->cipher.aesgcm_enc.authTag, + info->cipher.aesgcm_enc.authTagSz, + info->cipher.aesgcm_enc.authIn, + info->cipher.aesgcm_enc.authInSz); + + /* reset devId */ + info->cipher.aesgcm_enc.aes->devId = devId; + } + else { + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); + return ret; + } + ret = wc_AesGcmDecrypt( + info->cipher.aesgcm_dec.aes, + info->cipher.aesgcm_dec.out, + info->cipher.aesgcm_dec.in, + info->cipher.aesgcm_dec.sz, + info->cipher.aesgcm_dec.iv, + info->cipher.aesgcm_dec.ivSz, + info->cipher.aesgcm_dec.authTag, + info->cipher.aesgcm_dec.authTagSz, + info->cipher.aesgcm_dec.authIn, + info->cipher.aesgcm_dec.authInSz); + + /* reset devId */ + info->cipher.aesgcm_dec.aes->devId = devId; + } + } +#endif /* HAVE_AESGCM */ + #ifdef HAVE_AES_CBC + if (info->cipher.type == WC_CIPHER_AES_CBC) { + if (info->cipher.enc) { + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); + return ret; + } + ret = wc_AesCbcEncrypt( + info->cipher.aescbc.aes, + info->cipher.aescbc.out, + info->cipher.aescbc.in, + info->cipher.aescbc.sz); + + /* reset devId */ + info->cipher.aescbc.aes->devId = devId; + } + else { + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); + return ret; + } + ret = wc_AesCbcDecrypt( + info->cipher.aescbc.aes, + info->cipher.aescbc.out, + info->cipher.aescbc.in, + info->cipher.aescbc.sz); + + /* reset devId */ + info->cipher.aescbc.aes->devId = devId; + } + } + #endif /* HAVE_AES_CBC */ +#endif /* !NO_AES || !NO_DES3 */ + break; + + default: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + break; + } + + return ret; +} + +int Tropic01_Init(Tropic01CryptoDevCtx* ctx) +{ + if (ctx == NULL) + return BAD_FUNC_ARG; + + ctx->initialized = 1; + XMEMSET(ctx->keySlotUsage, 0, sizeof(ctx->keySlotUsage)); + + return 0; +} diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index ee876752e..ee4562ebc 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -68,6 +68,10 @@ #include #endif +#if defined(WOLFSSL_TROPIC01) + #include +#endif + #if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)) \ && !defined(WOLFCRYPT_ONLY) #include @@ -285,7 +289,13 @@ int wolfCrypt_Init(void) #if defined(WOLFSSL_STSAFEA100) stsafe_interface_init(); #endif - + #if defined(WOLFSSL_TROPIC01) + ret = Tropic01_Init(NULL); + if (ret != 0) { + WOLFSSL_MSG("Tropic01 init failed"); + return ret; + } + #endif #if defined(WOLFSSL_PSOC6_CRYPTO) ret = psoc6_crypto_port_init(); if (ret != 0) { diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index f6fadde7f..bf798d366 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -109,6 +109,7 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/silabs/silabs_random.h \ wolfssl/wolfcrypt/port/st/stm32.h \ wolfssl/wolfcrypt/port/st/stsafe.h \ + wolfssl/wolfcrypt/port/tropicsquare/tropic01.h \ wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h \ wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h \ wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h \ @@ -229,6 +230,10 @@ if BUILD_SE050 nobase_include_HEADERS+= wolfssl/wolfcrypt/port/nxp/se050_port.h endif +if BUILD_TROPIC01 +nobase_include_HEADERS+= wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +endif + if BUILD_MAXQ10XX nobase_include_HEADERS+= wolfssl/wolfcrypt/port/maxim/maxq10xx.h endif diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h new file mode 100644 index 000000000..08110e03d --- /dev/null +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -0,0 +1,82 @@ +/* tropic01.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef _WOLFPORT_TROPIC01_H_ +#define _WOLFPORT_TROPIC01_H_ + +#include +#include +#include +#include + +#ifdef WOLF_CRYPTO_CB +#include +#endif + + +#ifdef WOLFSSL_TROPIC01 + +/* The TROPIC01 interface layer */ +/* Please contact wolfSSL for the TROPIC01 port files */ +#define LT_USE_TREZOR_CRYPTO 1 +#define LT_HELPERS + +#include "libtropic.h" +#include "libtropic_common.h" + + +#ifdef WOLF_CRYPTO_CB + +/* Device ID that's unique and valid (not INVALID_DEVID -2) */ +#define WOLF_TROPIC01_DEVID 0x75757; /* TROPIC01 ID*/ + + +#define TROPIC01_AES_MAX_KEY_SIZE 32 +#define TROPIC01_AES_KEY_SLOT_DEFAULT 8 +#define PAIRING_KEY_SLOT_INDEX_0 0 + + + +typedef struct { + int keySlot; /* Slot ID in TROPIC01 secure memory */ + word32 keySize; /* Size of the key in bytes (16, 24, or 32) */ + byte keyType; /* Type of key (e.g., AES_CBC, AES_GCM) */ + byte isValid; /* Flag indicating if this reference is valid */ +} Tropic01KeyRef; + +/* Context for TROPIC01 secure element */ +typedef struct { + int initialized; + byte keySlotUsage[8]; +} Tropic01CryptoDevCtx; + + +int Tropic01_Init(Tropic01CryptoDevCtx* ctx); +int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); + +//static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx); +//static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx); + +#endif /* WOLF_CRYPTO_CB */ + +#endif /* WOLFSSL_TROPIC01*/ + +#endif /* _WOLFPORT_TROPIC01_H_ */ From 95007de18a4b283593125d2a148ae184750a830b Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Thu, 22 May 2025 14:22:40 +0200 Subject: [PATCH 02/31] Support for static libraries --- configure.ac | 51 +++++++++++++++++++++------------------------------ 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/configure.ac b/configure.ac index 5220fbe74..71831cfd0 100644 --- a/configure.ac +++ b/configure.ac @@ -2854,38 +2854,29 @@ AC_ARG_WITH([tropic01], [AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])], [ AC_MSG_CHECKING([for tropic01]) - CPPFLAGS="$CPPFLAGS -DWOLFSSL_TROPIC01" - LIBS="$LIBS -llibtropic" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) - - if test "x$libtropic_linked" = "xno" ; then - if test "x$withval" != "xno" ; then - trylibtropicdir=$withval - fi - if test "x$withval" = "xyes" ; then - trylibtropicdir="/usr" - fi - - LDFLAGS="$LDFLAGS -L$trylibtropicdir/lib" - CPPFLAGS="$CPPFLAGS -I$trylibtropicdir/lib" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) - - if test "x$libtropic_linked" = "xno" ; then - AC_MSG_ERROR([libtropic isn't found. - If it's already installed, specify its path using --with-tropic01=/dir/]) - fi - - AM_LDFLAGS="$AM_LDFLAGS -L$trylibtropicdir/lib" - AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/lib" - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([yes]) + if test "x$withval" != "xno" ; then + trylibtropicdir=$withval + AC_MSG_NOTICE([Use provided PATH]) fi - + if test "x$withval" = "xyes" ; then + trylibtropicdir="libtropic" + AC_MSG_NOTICE([Use default PATH]) + fi + if test -e $trylibtropicdir/build/libtropic.a + then + LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a" + LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" + AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include" + AC_MSG_NOTICE([TropicSquare library is available]) + else + ENABLED_TROPIC01="no" + AC_MSG_ERROR([Could not find TropicSquare library]) + fi + enable_shared=no + enable_static=yes ENABLED_TROPIC01="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + AC_MSG_RESULT([yes]) ] ) From b366f814c7cf19f8bb39ddccd6ba290c3d6368fc Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Thu, 22 May 2025 14:40:11 +0200 Subject: [PATCH 03/31] Draft of readme.md --- wolfcrypt/src/port/tropicsquare/README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 wolfcrypt/src/port/tropicsquare/README.md diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md new file mode 100644 index 000000000..1b49864ac --- /dev/null +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -0,0 +1,20 @@ +# tropic01 callbacks + + + +## How to build: + +1. Build libtropic project with all dependencies for the targeted platfrom (for example, Raspberry Pi 3/4/5). Preferably all static targets must be built with -fPIC option +2. Goto wolfssl main folder +3. ./autogen.sh +4. ./configure --with-tropic01=/home/pi/git/libtropic --enable-cryptocb --enable-static --disable-crypttests --disable-examples --disable-shared +Note. Please replace '/home/pi/git/libtropic' with an absolute path to your libtropic folder if necessary +5. make +6. the built library should be in ./wolfssl/src/.libs/libwolfssl.a + +## How to use: + + + + + From 6f48851862722b3ea257769537c7fe532d563a2a Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Sun, 25 May 2025 20:43:56 +0200 Subject: [PATCH 04/31] some fixes and updates --- wolfcrypt/src/port/tropicsquare/tropic01.c | 246 +++++++----------- wolfcrypt/src/wc_port.c | 2 +- .../wolfcrypt/port/tropicsquare/tropic01.h | 11 +- 3 files changed, 95 insertions(+), 164 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 0f0be4e62..e97e201f8 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -33,71 +33,60 @@ #include +static Tropic01CryptoDevCtx g_ctx = {0}; +static lt_handle_t g_h; + +// Default factory pairing keys +byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; + // Engineering samples 01 keys: +byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; +byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; /* * TROPIC01 hardware RNG implementation */ -static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx) +static int Tropic01_GetRandom(byte* out, word32 sz) { int ret = 0; - // Default factory pairing keys - byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; - // Engineering samples 01 keys: - byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; - byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; - lt_handle_t h; - lt_ret_t rett; + + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Requesting %u bytes", sz); - if (out == NULL || ctx == NULL || !ctx->initialized || sz == 0) + if (out == NULL || sz == 0) return BAD_FUNC_ARG; + /* Call TROPIC01 TRNG API to get random data */ - rett = lt_init(&h); - if(rett != LT_OK) { - //printf("Error lt_init(): %s", lt_ret_verbose(ret)); - return rett; - } - ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); + ret = lt_random_get(&g_h, out, sz); if(ret != LT_OK) { - //printf("Error sec channel: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return ret; - } - ret = lt_random_get(&h, out, sz); - if(ret != LT_OK) { - //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return ret; - } - ret = lt_deinit(&h); - if(ret != LT_OK) { - //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); - return ret; + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; } + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); - return ret; + /* + for (word32 i = 0; i < sz; i++) { + WOLFSSL_MSG_EX("TROPIC01: GetRandom: out[%d] = 0x%02x", i, out[i]); + } + */ + return 0; } /* * Retrive the AES key from the secure memory of TROPIC01 */ -static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx) +static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) { - int ret; - // Default factory pairing keys - byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; - // Engineering samples 01 keys: - byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; - byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; - lt_handle_t h; + lt_ret_t rett; WOLFSSL_MSG_EX("TROPIC01: GetKey: Retrieving key from slot %d", keySlot); - if (aes == NULL || ctx == NULL || !ctx->initialized || keySlot < 0 || keySlot >= 511) + if (aes == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; + /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { @@ -106,117 +95,19 @@ static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDe } /* Retrieve key from TROPIC01 */ - rett = lt_init(&h); + + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); if(rett != LT_OK) { - //printf("Error lt_init(): %s", lt_ret_verbose(ret)); - return rett; - } - ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); - if(ret != LT_OK) { - //printf("Error sec channel: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return ret; - } - ret = lt_r_mem_data_read(&h, keySlot, (byte*)aes->key, keySz); - if(ret != LT_OK) { - //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return 1; - } - ret = lt_deinit(&h); - if(ret != LT_OK) { - //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); - return ret; + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", rett); + Tropic01_Deinit(); + return WC_HW_E; } - if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); - return ret; - } WOLFSSL_MSG_EX("TROPIC01: GetKey: Key retrieved successfully"); return 0; } -/** - * Find an available key slot in the TROPIC01 - */ -static int Tropic01_FindFreeKeySlot(Tropic01CryptoDevCtx* ctx) -{ - int i; - - WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: Searching for available slot"); - - for (i = 0; i < 8; i++) { - if (ctx->keySlotUsage[i] == 0) { - ctx->keySlotUsage[i] = 1; - WOLFSSL_MSG_EX("TROPIC01: FindFreeKeySlot: Found slot %d", i); - return i; - } - } - - WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: No free slots available"); - return -1; -} - -/** - * Store AES key in TROPIC01 secure memory - */ -static int Tropic01_StoreKey(Aes* aes, const byte* key, word32 keySz, Tropic01CryptoDevCtx* ctx) -{ - int ret; - int keySlot; - Tropic01KeyRef* keyRef; - - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Storing key of size %u bytes", keySz); - - if (aes == NULL || key == NULL || ctx == NULL || !ctx->initialized) - return BAD_FUNC_ARG; - - /* Check key size */ - if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Unsupported key size %u", keySz); - return BAD_FUNC_ARG; - } - - /* Find available key slot */ - keySlot = Tropic01_FindFreeKeySlot(ctx); - if (keySlot < 0) { - WOLFSSL_MSG("TROPIC01: StoreKey: No free key slots available"); - return MEMORY_E; - } - - /* Allocate key reference */ - keyRef = (Tropic01KeyRef*)XMALLOC(sizeof(Tropic01KeyRef), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (keyRef == NULL) { - ctx->keySlotUsage[keySlot] = 0; - return MEMORY_E; - } - - /* Store key in TROPIC01 */ - /* Example TROPIC01_StoreKey call */ - ret = 0; /* Replace with actual implementation */ - - if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Failed to store key in slot %d, ret=%d", keySlot, ret); - XFREE(keyRef, NULL, DYNAMIC_TYPE_TMP_BUFFER); - ctx->keySlotUsage[keySlot] = 0; - return ret; - } - - /* Initialize key reference */ - keyRef->keySlot = keySlot; - keyRef->keySize = keySz; - keyRef->keyType = 0; - keyRef->isValid = 1; - - /* Store reference in AES structure */ - //aes->devKey = keySlot; - //aes->devCtx = keyRef; - - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Key stored successfully in slot %d", keySlot); - return 0; -} /** * Crypto Callback function for TROPIC01 @@ -224,24 +115,29 @@ static int Tropic01_StoreKey(Aes* aes, const byte* key, word32 keySz, Tropic01Cr int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) { int ret = CRYPTOCB_UNAVAILABLE; - Tropic01CryptoDevCtx* tropicCtx = (Tropic01CryptoDevCtx*)ctx; - if (info == NULL || tropicCtx == NULL || !tropicCtx->initialized || devId == -2) + if (info == NULL) return BAD_FUNC_ARG; + (void)ctx; + (void)devId; + if (g_ctx.initialized == 0) { + WOLFSSL_MSG("TROPIC01: CryptoCB: Device not initialized"); + return CRYPTOCB_UNAVAILABLE; + } switch (info->algo_type) { case WC_ALGO_TYPE_RNG: WOLFSSL_MSG_EX("TROPIC01: CryptoCB: RNG generation request (%u bytes)", info->rng.sz); - ret = Tropic01_GetRandom(info->rng.out, info->rng.sz, tropicCtx); + ret = Tropic01_GetRandom(info->rng.out, info->rng.sz); break; case WC_ALGO_TYPE_SEED: WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); - ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz, tropicCtx); + ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); break; case WC_ALGO_TYPE_CIPHER: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: AES request (%u bytes)", info->aes_setkey.keySz); - ret = Tropic01_StoreKey(NULL, NULL, 32, tropicCtx); + WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); + //ret = Tropic01_StoreKey(NULL, NULL, 32); //ret = Tropic01_GetKey(NULL, NULL, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); #if !defined(NO_AES) || !defined(NO_DES3) #ifdef HAVE_AESGCM @@ -249,7 +145,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); return ret; @@ -272,7 +168,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); return ret; @@ -299,7 +195,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); return ret; @@ -316,7 +212,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); return ret; @@ -330,26 +226,60 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->cipher.aescbc.aes->devId = devId; } + for (int i = 0; i < info->cipher.aescbc.aes->keylen; i++) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: aes->key[%d] = 0x%02x", i, info->cipher.aescbc.aes->key[i]); + } + for (word32 i = 0; i < info->cipher.aescbc.sz; i++) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: out[%d] = 0x%02x", i, info->cipher.aescbc.out[i]); + } } #endif /* HAVE_AES_CBC */ #endif /* !NO_AES || !NO_DES3 */ break; default: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + //WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); break; } return ret; } -int Tropic01_Init(Tropic01CryptoDevCtx* ctx) +int Tropic01_Init() { - if (ctx == NULL) - return BAD_FUNC_ARG; + lt_ret_t ret; - ctx->initialized = 1; - XMEMSET(ctx->keySlotUsage, 0, sizeof(ctx->keySlotUsage)); + g_ctx.initialized = 0; + ret = lt_init(&g_h); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: lt_init failed with a code %d", ret); + return WC_HW_E; + } + ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pkey_index_0); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: secure session failed with a code %d", ret); + lt_deinit(&g_h); + return WC_HW_E; + } + g_ctx.initialized = 1; + WOLFSSL_MSG("TROPIC01: Crypto device initialized successfully"); return 0; } + +int Tropic01_Deinit() +{ + lt_ret_t ret; + + if (g_ctx.initialized) { + ret = lt_deinit(&g_h); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: lt_deinit failed with a code %d", ret); + return WC_HW_E; + } + g_ctx.initialized = 0; + WOLFSSL_MSG("TROPIC01: Crypto device deinitialized successfully"); + } + + return 0; +} diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index ee4562ebc..5e25e4b91 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -290,7 +290,7 @@ int wolfCrypt_Init(void) stsafe_interface_init(); #endif #if defined(WOLFSSL_TROPIC01) - ret = Tropic01_Init(NULL); + ret = Tropic01_Init(); if (ret != 0) { WOLFSSL_MSG("Tropic01 init failed"); return ret; diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 08110e03d..61eeedfd0 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -39,18 +39,18 @@ #define LT_USE_TREZOR_CRYPTO 1 #define LT_HELPERS -#include "libtropic.h" -#include "libtropic_common.h" +#include +#include #ifdef WOLF_CRYPTO_CB /* Device ID that's unique and valid (not INVALID_DEVID -2) */ -#define WOLF_TROPIC01_DEVID 0x75757; /* TROPIC01 ID*/ +#define WOLF_TROPIC01_DEVID 0x75757 /* TROPIC01 ID*/ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_AES_KEY_SLOT_DEFAULT 8 +#define TROPIC01_AES_KEY_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 @@ -69,7 +69,8 @@ typedef struct { } Tropic01CryptoDevCtx; -int Tropic01_Init(Tropic01CryptoDevCtx* ctx); +int Tropic01_Init(void); +int Tropic01_Deinit(void); int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); //static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx); From 7696e33d7d2f03c4fdba4eb6a60f8a09d0770ed5 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 26 May 2025 21:58:06 +0200 Subject: [PATCH 05/31] added support of ED25519 --- wolfcrypt/src/port/tropicsquare/tropic01.c | 96 ++++++++++++++++++- .../wolfcrypt/port/tropicsquare/tropic01.h | 6 +- 2 files changed, 96 insertions(+), 6 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index e97e201f8..0be403168 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -74,6 +74,45 @@ static int Tropic01_GetRandom(byte* out, word32 sz) return 0; } +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) + +static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) +{ + lt_ret_t ret = 0; + + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Requesting %u bytes", sz); + + if (pubkey == NULL || sz != 32) + return BAD_FUNC_ARG; + + ret = lt_ecc_key_erase(&g_h, keySlot); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to erase key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; + } + + ret = lt_ecc_key_generate(&g_h, keySlot, CURVE_ED25519); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to generate key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; + } + lt_ecc_curve_type_t curve = 2; + ecc_key_origin_t origin = 2; + ret = lt_ecc_key_read(&g_h, keySlot, pubkey, sz, &curve, &origin); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to read pub key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; + } + + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Completed with ret=%d", ret); + + return 0; +} +#endif + /* * Retrive the AES key from the secure memory of TROPIC01 */ @@ -120,7 +159,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info == NULL) return BAD_FUNC_ARG; (void)ctx; - (void)devId; + // (void)devId; if (g_ctx.initialized == 0) { WOLFSSL_MSG("TROPIC01: CryptoCB: Device not initialized"); @@ -135,6 +174,53 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); break; + case WC_ALGO_TYPE_PK: +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) + if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { + WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); + ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key, TROPIC01_ED25519_KEY_SLOT_DEFAULT, info->pk.ed25519kg.size); + + } + #ifdef HAVE_ED25519_SIGN + else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { + + WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); + ret = Tropic01_GetKey(info->pk.ed25519sign.key, TROPIC01_ED25519_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); + return ret; + } + /* set devId to invalid, so software is used */ + info->pk.ed25519sign.key->devId = INVALID_DEVID; + + ret = wc_ed25519_sign_msg_ex( + info->pk.ed25519sign.in, info->pk.ed25519sign.inLen, + info->pk.ed25519sign.out, info->pk.ed25519sign.outLen, + info->pk.ed25519sign.key, info->pk.ed25519sign.type, + info->pk.ed25519sign.context, info->pk.ed25519sign.contextLen); + + /* reset devId */ + info->pk.ed25519sign.key->devId = devId; + } + #endif + #ifdef HAVE_ED25519_VERIFY + else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { + /* set devId to invalid, so software is used */ + info->pk.ed25519verify.key->devId = INVALID_DEVID; + + ret = wc_ed25519_verify_msg_ex( + info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen, + info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen, + info->pk.ed25519verify.res, info->pk.ed25519verify.key, + info->pk.ed25519verify.type, info->pk.ed25519verify.context, + info->pk.ed25519verify.contextLen); + + /* reset devId */ + info->pk.ed25519verify.key->devId = devIdArg; + } + #endif // HAVE_ ED25519_VERIFY +#endif /* HAVE_ED25519 */ + break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); //ret = Tropic01_StoreKey(NULL, NULL, 32); @@ -145,7 +231,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); return ret; @@ -168,7 +254,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); return ret; @@ -195,7 +281,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); return ret; @@ -212,7 +298,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); return ret; diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 61eeedfd0..83d8ade03 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,7 +50,11 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_AES_KEY_SLOT_DEFAULT 1 +#define TROPIC01_ED25519_MAX_KEY_SIZE 32 +#define TROPIC01_AES_RMEM_SLOT_DEFAULT 1 +#define TROPIC01_ED25519_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_KEY_SLOT_DEFAULT 1 + #define PAIRING_KEY_SLOT_INDEX_0 0 From 0f2d965d81a28583eeaf06c6a2acfe4c505a9c10 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Tue, 27 May 2025 21:28:59 +0200 Subject: [PATCH 06/31] ed25519 fixes --- wolfcrypt/src/port/tropicsquare/tropic01.c | 104 ++++++++++++------ .../wolfcrypt/port/tropicsquare/tropic01.h | 10 +- 2 files changed, 80 insertions(+), 34 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 0be403168..0a733fa57 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -98,8 +98,8 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) Tropic01_Deinit(); return WC_HW_E; } - lt_ecc_curve_type_t curve = 2; - ecc_key_origin_t origin = 2; + lt_ecc_curve_type_t curve = CURVE_ED25519; + ecc_key_origin_t origin = CURVE_GENERATED; ret = lt_ecc_key_read(&g_h, keySlot, pubkey, sz, &curve, &origin); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to read pub key, ret=%d", ret); @@ -114,14 +114,14 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) #endif /* - * Retrive the AES key from the secure memory of TROPIC01 + * Retrive the AES key from the secure R memory of TROPIC01 */ -static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) +static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) { lt_ret_t rett; - WOLFSSL_MSG_EX("TROPIC01: GetKey: Retrieving key from slot %d", keySlot); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Retrieving key from slot %d", keySlot); if (aes == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; @@ -129,7 +129,7 @@ static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: GetKey: Unsupported key size %u", keySz); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Unsupported key size %u", keySz); return BAD_FUNC_ARG; } @@ -137,16 +137,45 @@ static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); if(rett != LT_OK) { - WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", rett); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", rett); Tropic01_Deinit(); return WC_HW_E; } - WOLFSSL_MSG_EX("TROPIC01: GetKey: Key retrieved successfully"); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Key retrieved successfully"); return 0; } +static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) +{ + + lt_ret_t rett; + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Retrieving key from slot %d", keySlot); + + if (ecckey == NULL || keySlot < 0 || keySlot >= 511) + return BAD_FUNC_ARG; + + + /* Check key size */ + if (keySz != 16 && keySz != 24 && keySz != 32) { + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Unsupported key size %u", keySz); + return BAD_FUNC_ARG; + } + + /* Retrieve key from TROPIC01 */ + + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)ecckey, keySz); + if(rett != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", rett); + Tropic01_Deinit(); + return WC_HW_E; + } + + + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Key retrieved successfully"); + return 0; +} /** * Crypto Callback function for TROPIC01 @@ -178,20 +207,22 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); - ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key, TROPIC01_ED25519_KEY_SLOT_DEFAULT, info->pk.ed25519kg.size); + ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key->p, TROPIC01_ED25519_ECC_SLOT_DEFAULT, info->pk.ed25519kg.size); } #ifdef HAVE_ED25519_SIGN else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); - ret = Tropic01_GetKey(info->pk.ed25519sign.key, TROPIC01_ED25519_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_MAX_KEY_SIZE); - if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); - return ret; - } + // retrieve private key from TROPIC01 secure R memory + ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->k, TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PRIV_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 sign, ret=%d", ret); + return ret; + } /* set devId to invalid, so software is used */ info->pk.ed25519sign.key->devId = INVALID_DEVID; + info->pk.ed25519sign.key->pubKeySet = 1; ret = wc_ed25519_sign_msg_ex( info->pk.ed25519sign.in, info->pk.ed25519sign.inLen, @@ -205,6 +236,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #endif #ifdef HAVE_ED25519_VERIFY else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { + WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); + // retrieve public key from TROPIC01 secure R memory + ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 verification, ret=%d", ret); + return ret; + } + /* set devId to invalid, so software is used */ info->pk.ed25519verify.key->devId = INVALID_DEVID; @@ -212,11 +251,10 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen, info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen, info->pk.ed25519verify.res, info->pk.ed25519verify.key, - info->pk.ed25519verify.type, info->pk.ed25519verify.context, - info->pk.ed25519verify.contextLen); + info->pk.ed25519verify.type, NULL, 0); /* reset devId */ - info->pk.ed25519verify.key->devId = devIdArg; + info->pk.ed25519verify.key->devId = devId; } #endif // HAVE_ ED25519_VERIFY #endif /* HAVE_ED25519 */ @@ -229,13 +267,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { if (info->cipher.enc) { - /* set devId to invalid, so software is used */ - info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); return ret; } + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; ret = wc_AesGcmEncrypt( info->cipher.aesgcm_enc.aes, info->cipher.aesgcm_enc.out, @@ -252,13 +291,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aesgcm_enc.aes->devId = devId; } else { - /* set devId to invalid, so software is used */ - info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); return ret; } + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; ret = wc_AesGcmDecrypt( info->cipher.aesgcm_dec.aes, info->cipher.aesgcm_dec.out, @@ -279,13 +319,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { if (info->cipher.enc) { - /* set devId to invalid, so software is used */ - info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); return ret; } + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; ret = wc_AesCbcEncrypt( info->cipher.aescbc.aes, info->cipher.aescbc.out, @@ -296,13 +337,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aescbc.aes->devId = devId; } else { - /* set devId to invalid, so software is used */ - info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); return ret; - } + } + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; ret = wc_AesCbcDecrypt( info->cipher.aescbc.aes, info->cipher.aescbc.out, @@ -324,7 +366,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) break; default: - //WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); break; } diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 83d8ade03..4f21e7515 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,10 +50,14 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_ED25519_MAX_KEY_SIZE 32 #define TROPIC01_AES_RMEM_SLOT_DEFAULT 1 -#define TROPIC01_ED25519_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_KEY_SLOT_DEFAULT 1 + +#define TROPIC01_ED25519_PRIV_KEY_SIZE 32 +#define TROPIC01_ED25519_PUB_KEY_SIZE 32 + +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 +#define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 From 1c45d155d1d7877203e270ee6cc0d82a46d43877 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Wed, 28 May 2025 19:01:12 +0200 Subject: [PATCH 07/31] README.md added --- wolfcrypt/src/port/tropicsquare/README.md | 225 +++++++++++++++++++++- 1 file changed, 215 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index 1b49864ac..6e9a72f30 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -1,20 +1,225 @@ -# tropic01 callbacks +# wolfSSL TROPIC01 Secure Element Integration Guide + +![wolfSSL+TROPIC01](https://img.shields.io/badge/wolfSSL-TROPIC01-blue) +Integration guide for using Tropic Square's TROPIC01 secure element with wolfSSL/wolfCrypt cryptography library. -## How to build: +## Table of Contents +- [wolfSSL TROPIC01 Secure Element Integration Guide](#wolfssl-tropic01-secure-element-integration-guide) + - [Table of Contents](#table-of-contents) + - [TROPIC01 Secure Element with an open architecture](#tropic01-secure-element-with-an-open-architecture) + - [Hardware Overview](#hardware-overview) + - [TROPIC01 Specifications](#tropic01-specifications) + - [Available Evaluation and Development Kits](#available-evaluation-and-development-kits) + - [Get samples](#get-samples) + - [Build Configuration](#build-configuration) + - [Pre-requirements](#pre-requirements) + - [Keys installation](#keys-installation) + - [Build TROPIC01 SDK (libtropic)](#build-tropic01-sdk-libtropic) + - [Build wolfSSL](#build-wolfssl) + - [Build test application](#build-test-application) -1. Build libtropic project with all dependencies for the targeted platfrom (for example, Raspberry Pi 3/4/5). Preferably all static targets must be built with -fPIC option -2. Goto wolfssl main folder -3. ./autogen.sh -4. ./configure --with-tropic01=/home/pi/git/libtropic --enable-cryptocb --enable-static --disable-crypttests --disable-examples --disable-shared -Note. Please replace '/home/pi/git/libtropic' with an absolute path to your libtropic folder if necessary -5. make -6. the built library should be in ./wolfssl/src/.libs/libwolfssl.a +## TROPIC01 Secure Element with an open architecture -## How to use: +The TROPIC01 secure element is built with tamper-proof technology and advanced attack countermeasures to ensure robust asset protection, securing electronic devices against a wide range of potential attacks. It securely supplies and stores the cryptographic keys of embedded solutions. +The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/application-note/AN12570.pdf) + +## Hardware Overview + +### TROPIC01 Specifications +- **Crypto Accelerators**: + - Elliptic curve cryptography + - Ed25519 EdDSA signing + - P-256 ECDSA signing + - Diffie-Hellman X25519 key exchange + - Keccak based PIN authentication engine +- **Tamper Resistance**: + - Voltage glitch detector + - Temperature detector + - Electromagnetic pulse detector + - Laser detector + - Active shield +- **Interface to Host MCU/MPU**: + - SPI + - Encrypted channel with forward secrecy +- **Entropy Source**: + - Physically Unclonable Function (PUF) + - True Random Number Generator (TRNG) + +### Available Evaluation and Development Kits +- USB Stick with TROPIC01 ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#usb-stick-with-tropic01)) +- Raspberry PI shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#rpi-shield-ts1501)) +- Arduino shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#arduino-shield-ts14)) + +### Get samples +To get samples and DevKits, please fill in [this form](https://tropicsquare.com/tropic01-samples#form) + +## Build Configuration + +### Pre-requirements +1. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross compiling toolchain (armv8-rpi3-linux-gnueabihf) +2. Install CMake and Autotools +3. Install Git client + + Some guideline for RPi is [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) + +Also, for Raspberry PI there are a few more steps: + +1. In raspi-config go to "Interface Options" and enable SPI +2. Install wiringPI: + +```sh +$ sudo apt update +$ sudo apt install wiringpi +``` + +### Keys installation + +For the integration with wolfSSL there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): +```sh +TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key +TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key +TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private key +TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys +PAIRING_KEY_SLOT_INDEX_0 0 //pairing keys slot +``` +All R-memory based keys must be pre-provisioned in the TROPIC01 Secure Element separately. For example, it might be done with libtropic-util tool available [here] (https://github.com/tropicsquare/libtropic-util) + +### Build TROPIC01 SDK (libtropic) + +wolfSSL uses the "TROPIC01 SDK" (aka libtropic) to interface with TROPIC01. This SDK can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/libtropic + +Once the repo was downloade, please follow [this guidline](https://github.com/tropicsquare/libtropic/blob/master/docs/index.md#integration-examples) on how to configure and build TROPIC01 SDK + +or simply run the following commands: +```sh + $ git clone https://github.com/tropicsquare/libtropic.git + $ cd libtropic + $ mkdir build && cd build + $ cmake -DLT_USE_TREZOR_CRYPTO=1 .. + $ make +``` + +### Build wolfSSL +To compile wolfSSL with TROPIC01 support using Autoconf/configure: +```sh +$ cd wolfssl +$ ./autogen.sh +$ ./configure --with-tropic01=PATH --enable-cryptocb --enable-static --disable-crypttests --disable-examples --disable-shared --enable-ed25519 +$ make +$ sudo make install +``` +where PATH is an absolute path to the libtropic folder, for example + + --with-tropic01=/home/pi/git/libtropic + +for the debugging output, add + + --enable-debug + +### Build test application + +The test application for Raspberry Shield and USB stick can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/tropic01-wolfssl-test + +To build and run the test application, please run the next commands + +```sh +$ git clone git@github.com:tropicsquare/tropic01-wolfssl-test.git +$ cd tropic01-wolfssl-test +``` +if necesary open and edit Makefile in this folder + +set correct values for CC and LIBTROPIC_DIR variables, for example: + + CC = gcc + + LIBTROPIC_DIR = /home/pi/git/libtropic + +then run the following commands to build and run test application for USB stick: + +```sh +$ make +$ ./lt-wolfssl-test +``` +or for Raspberry PI shield (make sure you fulfield all prerequirements first): +```sh +$ make RPI_SPI =1 +$ ./lt-wolfssl-test +``` + +In case of success the output of the test application should look like this: + +```sh +wolfSSL Crypto Callback Test Application +======================================== +wolfSSL Entering wolfCrypt_Init +TROPIC01: Crypto device initialized successfully +wolfCrypt initialized successfully +Registering crypto callback with device ID 481111... +Crypto callback registered successfully +RNG_HEALTH_TEST_CHECK_SIZE = 128 +sizeof(seedB_data) = 128 +TROPIC01: CryptoCB: SEED generation request (52 bytes) +TROPIC01: GetRandom: Requesting 52 bytes +TROPIC01: GetRandom: Completed with ret=0 +TROPIC01: CryptoCB: RNG generation request (32 bytes) +TROPIC01: GetRandom: Requesting 32 bytes +TROPIC01: GetRandom: Completed with ret=0 +Generated 32 random bytes: +94F589E8 9C59B5A2 C8426FB6 9C548623 +358551CE 07238D37 EBF7FEE5 42BEB299 + +RNG test completed successfully + +AES test starting: +TROPIC01: CryptoCB: AES request +TROPIC01: Get AES Key: Retrieving key from slot 1 +TROPIC01: Get AES Key: Key retrieved successfully +Plain message: +01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 +Encrypted message: +89 44 11 3E 2E 07 52 9C CB 5F B1 70 7E 9C 42 D6 +AES test completed successfully + +ED25519 COMPREHENSIVE TESTING SUITE + +=== Ed25519 Key Generation Test === +✓ Ed25519 key structure initialized successfully +TROPIC01: CryptoCB: RNG generation request (32 bytes) +TROPIC01: GetRandom: Requesting 32 bytes +TROPIC01: GetRandom: Completed with ret=0 +✓ Ed25519 key pair generated successfully +Generated Public Key (32 bytes): +5D28BB98 AF86844E 5C2D48B6 473EA116 +0A98B568 3313915D 1565C540 AA3EB250 +✓ Ed25519 key generation test completed successfully + +=== Ed25519 Message Signing Test === +DEV_ID: 481111 +TROPIC01: CryptoCB: RNG generation request (64 bytes) +TROPIC01: GetRandom: Requesting 64 bytes +TROPIC01: GetRandom: Completed with ret=0 +Test Message (64 bytes): +000CD9C2 0FA2E218 67737744 4550F217 +5082408B 9F21F92B 06A570C4 C18AA073 +1B23836F 1CDC760B 7242F8A7 83B8EC9A +BF9E6D84 2E605AA1 0A168E88 FDEF38DA +TROPIC01: CryptoCB: ED25519 signing request +TROPIC01: Get ECC Key: Retrieving key from slot 3 +TROPIC01: Get ECC Key: Key retrieved successfully +✓ Message signed successfully +Signature length: 64 bytes +Generated Signature (64 bytes): +AE4B42CF 46F8F369 4F559390 0EDDA701 +A73A562B 3D03F429 8706309D 63E2120B +82B2A91F 6D7A7519 0CD62215 CABE3183 +433F4125 2CC017EB BD1E59A1 4A22CC09 +✓ Ed25519 message signing test completed successfully +wolfSSL Entering wolfCrypt_Cleanup +``` From 7e25669e6fe38663330312347665a46f190913af Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Thu, 29 May 2025 12:25:12 +0200 Subject: [PATCH 08/31] Refactor TROPIC01 integration: update README, enhance pairing key handling, and improve error messages --- configure.ac | 10 ++-- wolfcrypt/src/port/tropicsquare/README.md | 42 +++++++++------- wolfcrypt/src/port/tropicsquare/tropic01.c | 50 +++++++++++++------ .../wolfcrypt/port/tropicsquare/tropic01.h | 3 +- 4 files changed, 66 insertions(+), 39 deletions(-) diff --git a/configure.ac b/configure.ac index 71831cfd0..1b89a8196 100644 --- a/configure.ac +++ b/configure.ac @@ -2853,24 +2853,24 @@ trylibtropicdir="" AC_ARG_WITH([tropic01], [AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])], [ - AC_MSG_CHECKING([for tropic01]) + AC_MSG_CHECKING([for libtropic]) if test "x$withval" != "xno" ; then trylibtropicdir=$withval - AC_MSG_NOTICE([Use provided PATH]) + # AC_MSG_NOTICE([Use provided PATH]) fi if test "x$withval" = "xyes" ; then trylibtropicdir="libtropic" - AC_MSG_NOTICE([Use default PATH]) + # AC_MSG_NOTICE([Use default PATH]) fi if test -e $trylibtropicdir/build/libtropic.a then LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a" LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include" - AC_MSG_NOTICE([TropicSquare library is available]) + # AC_MSG_NOTICE([TropicSquare library is available]) else ENABLED_TROPIC01="no" - AC_MSG_ERROR([Could not find TropicSquare library]) + AC_MSG_ERROR([Could not find libtropic - TropicSquare library]) fi enable_shared=no enable_static=yes diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index 6e9a72f30..c97288217 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -33,7 +33,7 @@ The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/ - Ed25519 EdDSA signing - P-256 ECDSA signing - Diffie-Hellman X25519 key exchange - - Keccak based PIN authentication engine + - Keccak-based PIN authentication engine - **Tamper Resistance**: - Voltage glitch detector - Temperature detector @@ -58,13 +58,14 @@ To get samples and DevKits, please fill in [this form](https://tropicsquare.com/ ## Build Configuration ### Pre-requirements -1. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross compiling toolchain (armv8-rpi3-linux-gnueabihf) -2. Install CMake and Autotools -3. Install Git client +1. Get one of the targeted hardware platforms. For example, Linux PC + TROPIC01 USB stick or Raspberry PI 3/4/5 + TROPIC01 RPI shield +2. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross-compiling toolchain (armv8-rpi3-linux-gnueabihf) +3. Install CMake and Autotools +4. Install Git - Some guideline for RPi is [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) + Some guidelines for RPi are available [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) -Also, for Raspberry PI there are a few more steps: +Also, for Raspberry PI, there are a few more steps: 1. In raspi-config go to "Interface Options" and enable SPI 2. Install wiringPI: @@ -76,7 +77,7 @@ $ sudo apt install wiringpi ### Keys installation -For the integration with wolfSSL there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): +For the integration with wolfSSL, there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): ```sh TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key @@ -84,15 +85,15 @@ TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys PAIRING_KEY_SLOT_INDEX_0 0 //pairing keys slot ``` -All R-memory based keys must be pre-provisioned in the TROPIC01 Secure Element separately. For example, it might be done with libtropic-util tool available [here] (https://github.com/tropicsquare/libtropic-util) +All R-memory based keys must be pre-provisioned in the TROPIC01 Secure Element separately. For example, it might be done with the libtropic-util tool available [here] (https://github.com/tropicsquare/libtropic-util) ### Build TROPIC01 SDK (libtropic) wolfSSL uses the "TROPIC01 SDK" (aka libtropic) to interface with TROPIC01. This SDK can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/libtropic -Once the repo was downloade, please follow [this guidline](https://github.com/tropicsquare/libtropic/blob/master/docs/index.md#integration-examples) on how to configure and build TROPIC01 SDK +Once the repo was downloaded, please follow [this guideline](https://github.com/tropicsquare/libtropic/blob/master/docs/index.md#integration-examples) on how to configure and build TROPIC01 SDK -or simply run the following commands: +Or run the following commands: ```sh $ git clone https://github.com/tropicsquare/libtropic.git $ cd libtropic @@ -102,7 +103,12 @@ or simply run the following commands: ``` ### Build wolfSSL -To compile wolfSSL with TROPIC01 support using Autoconf/configure: +1. Clone wolfSSL from the wolfSSL GitHub (https://github.com/wolfSSL/wolfssl) + +2. Make sure that the version of wolfSSL supports TROPIC01 - check if the folder wolfssl/wolfcrypt/src/port/tropicsquare exists + +3. To compile wolfSSL with TROPIC01 support using Autoconf/configure: + ```sh $ cd wolfssl $ ./autogen.sh @@ -114,7 +120,7 @@ where PATH is an absolute path to the libtropic folder, for example --with-tropic01=/home/pi/git/libtropic -for the debugging output, add +For the debugging output, add --enable-debug @@ -122,27 +128,27 @@ for the debugging output, add The test application for Raspberry Shield and USB stick can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/tropic01-wolfssl-test -To build and run the test application, please run the next commands +To build and run the test application, please run the following commands ```sh $ git clone git@github.com:tropicsquare/tropic01-wolfssl-test.git $ cd tropic01-wolfssl-test ``` -if necesary open and edit Makefile in this folder +If necessary, open and edit the Makefile in this folder -set correct values for CC and LIBTROPIC_DIR variables, for example: +Set correct values for CC and LIBTROPIC_DIR variables, for example: CC = gcc LIBTROPIC_DIR = /home/pi/git/libtropic -then run the following commands to build and run test application for USB stick: +Then run the following commands to build and run the test application for the USB stick: ```sh $ make $ ./lt-wolfssl-test ``` -or for Raspberry PI shield (make sure you fulfield all prerequirements first): +or for Raspberry PI shield (make sure you fulfill all prerequisites first): ```sh @@ -150,7 +156,7 @@ $ make RPI_SPI =1 $ ./lt-wolfssl-test ``` -In case of success the output of the test application should look like this: +In case of success, the output of the test application should look like this: ```sh wolfSSL Crypto Callback Test Application diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 0a733fa57..dcae3caf5 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -36,11 +36,11 @@ static Tropic01CryptoDevCtx g_ctx = {0}; static lt_handle_t g_h; -// Default factory pairing keys +// Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them) byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; - // Engineering samples 01 keys: -byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; -byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; +byte sh0priv[32] = {0}; +byte sh0pub[32] = {0}; + /* * TROPIC01 hardware RNG implementation */ @@ -57,7 +57,6 @@ static int Tropic01_GetRandom(byte* out, word32 sz) /* Call TROPIC01 TRNG API to get random data */ - ret = lt_random_get(&g_h, out, sz); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); @@ -66,16 +65,13 @@ static int Tropic01_GetRandom(byte* out, word32 sz) } WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); - /* - for (word32 i = 0; i < sz; i++) { - WOLFSSL_MSG_EX("TROPIC01: GetRandom: out[%d] = 0x%02x", i, out[i]); - } - */ return 0; } #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) - +/* + * TROPIC01 ECC keys generation implementation + */ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) { lt_ret_t ret = 0; @@ -147,6 +143,9 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) return 0; } +/* + * Retrive the ECC key from the secure R memory of TROPIC01 + */ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) { @@ -261,8 +260,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); - //ret = Tropic01_StoreKey(NULL, NULL, 32); - //ret = Tropic01_GetKey(NULL, NULL, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + #if !defined(NO_AES) || !defined(NO_DES3) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { @@ -354,24 +352,48 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->cipher.aescbc.aes->devId = devId; } + /* for (int i = 0; i < info->cipher.aescbc.aes->keylen; i++) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: aes->key[%d] = 0x%02x", i, info->cipher.aescbc.aes->key[i]); } for (word32 i = 0; i < info->cipher.aescbc.sz; i++) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: out[%d] = 0x%02x", i, info->cipher.aescbc.out[i]); } + */ } #endif /* HAVE_AES_CBC */ #endif /* !NO_AES || !NO_DES3 */ break; default: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + // WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); break; } return ret; } +/* Set TROPIC01 pairing keys */ +int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv) +{ + + if (keyPub == NULL || keyPriv == NULL || keyIndex < 0 || keyIndex > 3) { + WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Invalid arguments"); + return BAD_FUNC_ARG; + } + + WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Setting pairing key in slot %d", keyIndex); + + for (int i = 0; i < 32; i++) { + + sh0priv[i] = keyPriv[i]; + sh0pub[i] = keyPub[i]; + } + + WOLFSSL_MSG("TROPIC01: SetPairingKeys: Pairing key set successfully"); + WOLFSSL_MSG_EX("TROPIC01: sh0priv: %02X %02X %02X %02X ...", keyPriv[0], keyPriv[1], keyPriv[2], keyPriv[3]); + WOLFSSL_MSG_EX("TROPIC01: sh0pub: %02X %02X %02X %02X ...", keyPub[0], keyPub[1], keyPub[2], keyPub[3]); + return 0; +} int Tropic01_Init() { diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 4f21e7515..58db30817 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -79,10 +79,9 @@ typedef struct { int Tropic01_Init(void); int Tropic01_Deinit(void); +int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv); int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); -//static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx); -//static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx); #endif /* WOLF_CRYPTO_CB */ From daf5d4b015231861d72be88c56e235a0615435cd Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Thu, 29 May 2025 12:43:52 +0200 Subject: [PATCH 09/31] Update README.md --- wolfcrypt/src/port/tropicsquare/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index c97288217..35f944065 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -152,7 +152,7 @@ or for Raspberry PI shield (make sure you fulfill all prerequisites first): ```sh -$ make RPI_SPI =1 +$ make RPI_SPI=1 $ ./lt-wolfssl-test ``` From 698ca293260c04cf92496b5a8e1e970829d114c2 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Fri, 30 May 2025 11:21:28 +0200 Subject: [PATCH 10/31] Changes for the PR https://github.com/wolfSSL/wolfssl/pull/8812 --- wolfcrypt/src/include.am | 1 + wolfcrypt/src/port/tropicsquare/tropic01.c | 22 ++++++++++--------- .../wolfcrypt/port/tropicsquare/tropic01.h | 1 + 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 36fcb914f..04058c3e8 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -106,6 +106,7 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/st/STM32MP13.md \ wolfcrypt/src/port/st/STM32MP25.md \ wolfcrypt/src/port/tropicsquare/tropic01.c \ + wolfcrypt/src/port/tropicsquare/README.md \ wolfcrypt/src/port/af_alg/afalg_aes.c \ wolfcrypt/src/port/af_alg/afalg_hash.c \ wolfcrypt/src/port/kcapi/kcapi_aes.c \ diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index dcae3caf5..88ff521a5 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA * */ +#ifdef WOLFSSL_TROPIC01 #ifdef HAVE_CONFIG_H #include @@ -36,10 +37,10 @@ static Tropic01CryptoDevCtx g_ctx = {0}; static lt_handle_t g_h; -// Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them) -byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; -byte sh0priv[32] = {0}; -byte sh0pub[32] = {0}; +/* Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them)*/ +static byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; +static byte sh0priv[32] = {0}; +static byte sh0pub[32] = {0}; /* * TROPIC01 hardware RNG implementation @@ -187,7 +188,6 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info == NULL) return BAD_FUNC_ARG; (void)ctx; - // (void)devId; if (g_ctx.initialized == 0) { WOLFSSL_MSG("TROPIC01: CryptoCB: Device not initialized"); @@ -213,7 +213,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); - // retrieve private key from TROPIC01 secure R memory + /* retrieve private key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->k, TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PRIV_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 sign, ret=%d", ret); @@ -236,7 +236,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_ED25519_VERIFY else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); - // retrieve public key from TROPIC01 secure R memory + /* retrieve public key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 verification, ret=%d", ret); @@ -255,7 +255,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519verify.key->devId = devId; } - #endif // HAVE_ ED25519_VERIFY + #endif /* HAVE_ ED25519_VERIFY */ #endif /* HAVE_ED25519 */ break; case WC_ALGO_TYPE_CIPHER: @@ -366,7 +366,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) break; default: - // WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + break; } @@ -383,7 +383,7 @@ int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPri WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Setting pairing key in slot %d", keyIndex); - for (int i = 0; i < 32; i++) { + for (int i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { sh0priv[i] = keyPriv[i]; sh0pub[i] = keyPub[i]; @@ -433,3 +433,5 @@ int Tropic01_Deinit() return 0; } + +#endif /* WOLFSSL_TROPIC01 */ diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 58db30817..7f0cf1afd 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -60,6 +60,7 @@ #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 +#define TROPIC01_PAIRING_KEY_SIZE 32 From e635afd26a4f352438380cb81401d0abe06616a2 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 2 Jun 2025 20:12:41 +0200 Subject: [PATCH 11/31] Refactor Tropic01 interface: clean up code formatting and improve function declarations --- configure.ac | 15 +- wolfcrypt/src/port/tropicsquare/tropic01.c | 228 +++++++++++------- .../wolfcrypt/port/tropicsquare/tropic01.h | 13 +- 3 files changed, 154 insertions(+), 102 deletions(-) diff --git a/configure.ac b/configure.ac index a35400056..c3c6902a6 100644 --- a/configure.ac +++ b/configure.ac @@ -2860,27 +2860,24 @@ AC_ARG_WITH([tropic01], AC_MSG_CHECKING([for libtropic]) if test "x$withval" != "xno" ; then trylibtropicdir=$withval - # AC_MSG_NOTICE([Use provided PATH]) fi if test "x$withval" = "xyes" ; then - trylibtropicdir="libtropic" - # AC_MSG_NOTICE([Use default PATH]) + trylibtropicdir="libtropic" fi if test -e $trylibtropicdir/build/libtropic.a then LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a" - LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" + LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include" - # AC_MSG_NOTICE([TropicSquare library is available]) else ENABLED_TROPIC01="no" - AC_MSG_ERROR([Could not find libtropic - TropicSquare library]) + AC_MSG_ERROR([Could not find libtropic - TropicSquare library]) fi - enable_shared=no + enable_shared=no enable_static=yes ENABLED_TROPIC01="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" - AC_MSG_RESULT([yes]) + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + AC_MSG_RESULT([yes]) ] ) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 88ff521a5..460d78ecf 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -19,12 +19,13 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA * */ -#ifdef WOLFSSL_TROPIC01 #ifdef HAVE_CONFIG_H #include #endif +#ifdef WOLFSSL_TROPIC01 + #include #include #include @@ -38,7 +39,7 @@ static Tropic01CryptoDevCtx g_ctx = {0}; static lt_handle_t g_h; /* Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them)*/ -static byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; +static byte pk_index = PAIRING_KEY_SLOT_INDEX_0; static byte sh0priv[32] = {0}; static byte sh0pub[32] = {0}; @@ -48,23 +49,21 @@ static byte sh0pub[32] = {0}; static int Tropic01_GetRandom(byte* out, word32 sz) { int ret = 0; - - WOLFSSL_MSG_EX("TROPIC01: GetRandom: Requesting %u bytes", sz); - + if (out == NULL || sz == 0) return BAD_FUNC_ARG; - - + + /* Call TROPIC01 TRNG API to get random data */ - + ret = lt_random_get(&g_h, out, sz); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); Tropic01_Deinit(); return WC_HW_E; } - + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); return 0; } @@ -76,19 +75,19 @@ static int Tropic01_GetRandom(byte* out, word32 sz) static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) { lt_ret_t ret = 0; - + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Requesting %u bytes", sz); - + if (pubkey == NULL || sz != 32) return BAD_FUNC_ARG; - + ret = lt_ecc_key_erase(&g_h, keySlot); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to erase key, ret=%d", ret); Tropic01_Deinit(); return WC_HW_E; } - + ret = lt_ecc_key_generate(&g_h, keySlot, CURVE_ED25519); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to generate key, ret=%d", ret); @@ -103,76 +102,94 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) Tropic01_Deinit(); return WC_HW_E; } - + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Completed with ret=%d", ret); - + return 0; } #endif /* - * Retrive the AES key from the secure R memory of TROPIC01 + * Retrive the AES key from the secure R memory of TROPIC01 */ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) { lt_ret_t rett; - WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Retrieving key from slot %d", keySlot); - + WOLFSSL_MSG_EX( + "TROPIC01: Get AES Key: Retrieving key from slot %d", + keySlot + ); + if (aes == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; - - + + /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Unsupported key size %u", keySz); + WOLFSSL_MSG_EX( + "TROPIC01: Get AES Key: Unsupported key size %u", + keySz + ); return BAD_FUNC_ARG; } - + /* Retrieve key from TROPIC01 */ - + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); if(rett != LT_OK) { - WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", rett); + WOLFSSL_MSG_EX( + "TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", + rett + ); Tropic01_Deinit(); return WC_HW_E; } - - + + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Key retrieved successfully"); return 0; } /* - * Retrive the ECC key from the secure R memory of TROPIC01 + * Retrive the ECC key from the secure R memory of TROPIC01 */ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) { lt_ret_t rett; - WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Retrieving key from slot %d", keySlot); - + WOLFSSL_MSG_EX( + "TROPIC01: Get ECC Key: Retrieving key from slot %d", + keySlot + ); + if (ecckey == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; - - + + /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Unsupported key size %u", keySz); + WOLFSSL_MSG_EX( + "TROPIC01: Get ECC Key: Unsupported key size %u", + keySz + ); return BAD_FUNC_ARG; } - + /* Retrieve key from TROPIC01 */ - + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)ecckey, keySz); if(rett != LT_OK) { - WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", rett); + WOLFSSL_MSG_EX( + "TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", + rett + ); Tropic01_Deinit(); return WC_HW_E; } - - + + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Key retrieved successfully"); return 0; } @@ -184,7 +201,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) { int ret = CRYPTOCB_UNAVAILABLE; - + if (info == NULL) return BAD_FUNC_ARG; (void)ctx; @@ -195,28 +212,42 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } switch (info->algo_type) { case WC_ALGO_TYPE_RNG: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: RNG generation request (%u bytes)", info->rng.sz); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: RNG generation request (%u bytes)", + info->rng.sz + ); ret = Tropic01_GetRandom(info->rng.out, info->rng.sz); break; case WC_ALGO_TYPE_SEED: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: SEED generation request (%u bytes)", + info->seed.sz + ); ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); - break; + break; case WC_ALGO_TYPE_PK: #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); - ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key->p, TROPIC01_ED25519_ECC_SLOT_DEFAULT, info->pk.ed25519kg.size); - + ret = Tropic01_GenerateKeyED25519( + info->pk.ed25519kg.key->p, + TROPIC01_ED25519_ECC_SLOT_DEFAULT, + info->pk.ed25519kg.size); + } #ifdef HAVE_ED25519_SIGN else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); /* retrieve private key from TROPIC01 secure R memory */ - ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->k, TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PRIV_KEY_SIZE); + ret = Tropic01_GetKeyECC( + info->pk.ed25519sign.key->k, + TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, + TROPIC01_ED25519_PRIV_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 sign, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get ED25519 key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -237,9 +268,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); /* retrieve public key from TROPIC01 secure R memory */ - ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); + ret = Tropic01_GetKeyECC( + info->pk.ed25519sign.key->p, + TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, + TROPIC01_ED25519_PUB_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 verification, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get ED25519 key, ret=%d", + ret); return ret; } @@ -255,20 +291,25 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519verify.key->devId = devId; } - #endif /* HAVE_ ED25519_VERIFY */ + #endif /* HAVE_ED25519_VERIFY */ #endif /* HAVE_ED25519 */ break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); - + #if !defined(NO_AES) || !defined(NO_DES3) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aesgcm_enc.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -289,10 +330,15 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aesgcm_enc.aes->devId = devId; } else { - - ret = Tropic01_GetKeyAES(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aesgcm_dec.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -317,10 +363,15 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aescbc.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -335,14 +386,19 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aescbc.aes->devId = devId; } else { - - ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aescbc.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ - info->cipher.aescbc.aes->devId = INVALID_DEVID; + info->cipher.aescbc.aes->devId = INVALID_DEVID; ret = wc_AesCbcDecrypt( info->cipher.aescbc.aes, info->cipher.aescbc.out, @@ -352,50 +408,48 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->cipher.aescbc.aes->devId = devId; } - /* - for (int i = 0; i < info->cipher.aescbc.aes->keylen; i++) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: aes->key[%d] = 0x%02x", i, info->cipher.aescbc.aes->key[i]); - } - for (word32 i = 0; i < info->cipher.aescbc.sz; i++) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: out[%d] = 0x%02x", i, info->cipher.aescbc.out[i]); - } - */ } #endif /* HAVE_AES_CBC */ -#endif /* !NO_AES || !NO_DES3 */ +#endif /* !NO_AES || !NO_DES3 */ break; - + default: - + break; } return ret; } /* Set TROPIC01 pairing keys */ -int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv) +int Tropic01_SetPairingKeys(int kIndex, const byte* kPub, const byte* kPriv) { - - if (keyPub == NULL || keyPriv == NULL || keyIndex < 0 || keyIndex > 3) { + + if (kPub == NULL || kPriv == NULL || kIndex < 0 || kIndex > 3) { WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Invalid arguments"); return BAD_FUNC_ARG; } - WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Setting pairing key in slot %d", keyIndex); + WOLFSSL_MSG_EX( + "TROPIC01: SetPairingKeys: Setting pairing key in slot %d", + kIndex); for (int i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { - - sh0priv[i] = keyPriv[i]; - sh0pub[i] = keyPub[i]; + + sh0priv[i] = kPriv[i]; + sh0pub[i] = kPub[i]; } WOLFSSL_MSG("TROPIC01: SetPairingKeys: Pairing key set successfully"); - WOLFSSL_MSG_EX("TROPIC01: sh0priv: %02X %02X %02X %02X ...", keyPriv[0], keyPriv[1], keyPriv[2], keyPriv[3]); - WOLFSSL_MSG_EX("TROPIC01: sh0pub: %02X %02X %02X %02X ...", keyPub[0], keyPub[1], keyPub[2], keyPub[3]); + WOLFSSL_MSG_EX( + "TROPIC01: sh0priv: %02X %02X %02X %02X ...", + kPriv[0], kPriv[1], kPriv[2], kPriv[3]); + WOLFSSL_MSG_EX( + "TROPIC01: sh0pub: %02X %02X %02X %02X ...", + kPub[0], kPub[1], kPub[2], kPub[3]); return 0; } -int Tropic01_Init() +int Tropic01_Init(void) { lt_ret_t ret; @@ -405,7 +459,7 @@ int Tropic01_Init() WOLFSSL_MSG_EX("TROPIC01: lt_init failed with a code %d", ret); return WC_HW_E; } - ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pkey_index_0); + ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pk_index); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: secure session failed with a code %d", ret); lt_deinit(&g_h); @@ -413,11 +467,11 @@ int Tropic01_Init() } g_ctx.initialized = 1; WOLFSSL_MSG("TROPIC01: Crypto device initialized successfully"); - + return 0; } -int Tropic01_Deinit() +int Tropic01_Deinit(void) { lt_ret_t ret; diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 7f0cf1afd..b8410d99e 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -55,8 +55,8 @@ #define TROPIC01_ED25519_PRIV_KEY_SIZE 32 #define TROPIC01_ED25519_PUB_KEY_SIZE 32 -#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 @@ -78,10 +78,11 @@ typedef struct { } Tropic01CryptoDevCtx; -int Tropic01_Init(void); -int Tropic01_Deinit(void); -int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv); -int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); +WOLFSSL_API int Tropic01_Init(void); +WOLFSSL_API int Tropic01_Deinit(void); +WOLFSSL_API int Tropic01_SetPairingKeys( + int kIndex, const byte* kPub, const byte* kPriv); +WOLFSSL_API int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); #endif /* WOLF_CRYPTO_CB */ From 0fe8fa764589ac951191b1247b8a22b4bb266dc8 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Fri, 6 Jun 2025 19:46:27 +0200 Subject: [PATCH 12/31] Add Tropic01_Deinit call in wolfCrypt_Cleanup for proper resource management --- wolfcrypt/src/port/tropicsquare/tropic01.c | 49 ++++++++++------------ wolfcrypt/src/wc_port.c | 3 ++ 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 460d78ecf..bb854f667 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -24,10 +24,11 @@ #include #endif +#include + #ifdef WOLFSSL_TROPIC01 #include -#include #include #include #include @@ -60,7 +61,6 @@ static int Tropic01_GetRandom(byte* out, word32 sz) ret = lt_random_get(&g_h, out, sz); if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } @@ -82,24 +82,21 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) return BAD_FUNC_ARG; ret = lt_ecc_key_erase(&g_h, keySlot); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to erase key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } ret = lt_ecc_key_generate(&g_h, keySlot, CURVE_ED25519); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to generate key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } lt_ecc_curve_type_t curve = CURVE_ED25519; ecc_key_origin_t origin = CURVE_GENERATED; ret = lt_ecc_key_read(&g_h, keySlot, pubkey, sz, &curve, &origin); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to read pub key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } @@ -138,12 +135,11 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) /* Retrieve key from TROPIC01 */ rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); - if(rett != LT_OK) { + if (rett != LT_OK) { WOLFSSL_MSG_EX( "TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", rett ); - Tropic01_Deinit(); return WC_HW_E; } @@ -180,12 +176,11 @@ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) /* Retrieve key from TROPIC01 */ rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)ecckey, keySz); - if(rett != LT_OK) { + if (rett != LT_OK) { WOLFSSL_MSG_EX( "TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", rett ); - Tropic01_Deinit(); return WC_HW_E; } @@ -226,17 +221,18 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); break; case WC_ALGO_TYPE_PK: -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) +#ifdef HAVE_ED25519 + #ifdef HAVE_ED25519_MAKE_KEY if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); ret = Tropic01_GenerateKeyED25519( info->pk.ed25519kg.key->p, TROPIC01_ED25519_ECC_SLOT_DEFAULT, info->pk.ed25519kg.size); - } - #ifdef HAVE_ED25519_SIGN - else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { + #endif /* HAVE_ED25519_MAKE_KEY */ + #ifdef HAVE_ED25519_SIGN + if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); /* retrieve private key from TROPIC01 secure R memory */ @@ -263,9 +259,9 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519sign.key->devId = devId; } - #endif - #ifdef HAVE_ED25519_VERIFY - else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { + #endif /* HAVE_ED25519_SIGN */ + #ifdef HAVE_ED25519_VERIFY + if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); /* retrieve public key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC( @@ -291,13 +287,13 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519verify.key->devId = devId; } - #endif /* HAVE_ED25519_VERIFY */ + #endif /* HAVE_ED25519_VERIFY */ #endif /* HAVE_ED25519 */ break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); -#if !defined(NO_AES) || !defined(NO_DES3) +#if !defined(NO_AES) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { if (info->cipher.enc) { @@ -410,7 +406,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } } #endif /* HAVE_AES_CBC */ -#endif /* !NO_AES || !NO_DES3 */ +#endif /* !NO_AES */ break; default: @@ -423,6 +419,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* Set TROPIC01 pairing keys */ int Tropic01_SetPairingKeys(int kIndex, const byte* kPub, const byte* kPriv) { + int i; if (kPub == NULL || kPriv == NULL || kIndex < 0 || kIndex > 3) { WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Invalid arguments"); @@ -433,7 +430,7 @@ int Tropic01_SetPairingKeys(int kIndex, const byte* kPub, const byte* kPriv) "TROPIC01: SetPairingKeys: Setting pairing key in slot %d", kIndex); - for (int i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { + for (i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { sh0priv[i] = kPriv[i]; sh0pub[i] = kPub[i]; @@ -455,12 +452,12 @@ int Tropic01_Init(void) g_ctx.initialized = 0; ret = lt_init(&g_h); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: lt_init failed with a code %d", ret); return WC_HW_E; } ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pk_index); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: secure session failed with a code %d", ret); lt_deinit(&g_h); return WC_HW_E; @@ -477,7 +474,7 @@ int Tropic01_Deinit(void) if (g_ctx.initialized) { ret = lt_deinit(&g_h); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: lt_deinit failed with a code %d", ret); return WC_HW_E; } diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 5e25e4b91..6dcabbb0e 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -515,6 +515,9 @@ int wolfCrypt_Cleanup(void) #ifdef WOLFSSL_SILABS_SE_ACCEL ret = sl_se_deinit(); #endif + #if defined(WOLFSSL_TROPIC01) + Tropic01_Deinit(); + #endif #if defined(WOLFSSL_RENESAS_TSIP) tsip_Close(); #endif From 7b0b2e9f0c602afe25b6042a92390d779afea394 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 9 Jun 2025 16:06:56 +0200 Subject: [PATCH 13/31] Added AES IV retrieval from TROPIC01 and use of new R-Memory slot definitions --- wolfcrypt/src/port/tropicsquare/tropic01.c | 91 ++++++++++++------- .../wolfcrypt/port/tropicsquare/tropic01.h | 10 +- 2 files changed, 67 insertions(+), 34 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index bb854f667..added7090 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -107,10 +107,10 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) #endif /* - * Retrive the AES key from the secure R memory of TROPIC01 + * Retrieve the AES key from the secure R memory of TROPIC01 */ -static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) +static int Tropic01_GetKeyAES(byte* aesKey, int keySlot, word32 keySz) { lt_ret_t rett; @@ -119,7 +119,7 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) keySlot ); - if (aes == NULL || keySlot < 0 || keySlot >= 511) + if (aesKey == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; @@ -134,7 +134,7 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) /* Retrieve key from TROPIC01 */ - rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); + rett = lt_r_mem_data_read(&g_h, keySlot, aesKey, keySz); if (rett != LT_OK) { WOLFSSL_MSG_EX( "TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", @@ -149,7 +149,7 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) } /* - * Retrive the ECC key from the secure R memory of TROPIC01 + * Retrieve the ECC key from the secure R memory of TROPIC01 */ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) { @@ -195,7 +195,8 @@ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) { int ret = CRYPTOCB_UNAVAILABLE; - + byte lt_key[TROPIC01_AES_MAX_KEY_SIZE] = {0}; + byte lt_iv[TROPIC01_AES_MAX_KEY_SIZE] = {0}; if (info == NULL) return BAD_FUNC_ARG; @@ -296,16 +297,33 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #if !defined(NO_AES) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { - if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES( - info->cipher.aesgcm_enc.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, + ret = Tropic01_GetKeyAES( + lt_key, + TROPIC01_AES_KEY_RMEM_SLOT, TROPIC01_AES_MAX_KEY_SIZE); - if (ret != 0) { - WOLFSSL_MSG_EX( + if (ret != 0) { + WOLFSSL_MSG_EX( "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret); + return ret; + } + ret = Tropic01_GetKeyAES( + lt_iv, + TROPIC01_AES_IV_RMEM_SLOT, + TROPIC01_AES_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES IV, ret=%d", + ret); + return ret; + } + if (info->cipher.enc) { + ret = wc_AesSetKey(info->cipher.aesgcm_enc.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -327,14 +345,12 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } else { - ret = Tropic01_GetKeyAES( - info->cipher.aesgcm_dec.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, - TROPIC01_AES_MAX_KEY_SIZE); + ret = wc_AesSetKey(info->cipher.aesgcm_dec.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", - ret); + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -358,15 +374,30 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #endif /* HAVE_AESGCM */ #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { + ret = Tropic01_GetKeyAES( + lt_key, + TROPIC01_AES_KEY_RMEM_SLOT, + TROPIC01_AES_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret); + return ret; + } + ret = Tropic01_GetKeyAES( + lt_iv, + TROPIC01_AES_IV_RMEM_SLOT, + TROPIC01_AES_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES IV, ret=%d", ret); + return ret; + } if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES( - info->cipher.aescbc.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, - TROPIC01_AES_MAX_KEY_SIZE); + ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", ret); return ret; } @@ -383,14 +414,12 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } else { - ret = Tropic01_GetKeyAES( - info->cipher.aescbc.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, - TROPIC01_AES_MAX_KEY_SIZE); + ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", - ret); + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index b8410d99e..e5660cee3 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,13 +50,17 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_AES_RMEM_SLOT_DEFAULT 1 + +/* R-Memory slots allocation */ +#define TROPIC01_AES_KEY_RMEM_SLOT 0 +#define TROPIC01_AES_IV_RMEM_SLOT 1 +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 + #define TROPIC01_ED25519_PRIV_KEY_SIZE 32 #define TROPIC01_ED25519_PUB_KEY_SIZE 32 -#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 From 519b314cf28e4c2fce5eec2289a341d71aaefcae Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 9 Jun 2025 17:12:46 +0200 Subject: [PATCH 14/31] Fix formatting inconsistencies in README.md --- wolfcrypt/src/port/tropicsquare/README.md | 42 +++++++++++------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index 35f944065..cd118f63b 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -1,6 +1,6 @@ # wolfSSL TROPIC01 Secure Element Integration Guide -![wolfSSL+TROPIC01](https://img.shields.io/badge/wolfSSL-TROPIC01-blue) +![wolfSSL+TROPIC01](https://img.shields.io/badge/wolfSSL-TROPIC01-blue) Integration guide for using Tropic Square's TROPIC01 secure element with wolfSSL/wolfCrypt cryptography library. @@ -40,16 +40,16 @@ The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/ - Electromagnetic pulse detector - Laser detector - Active shield -- **Interface to Host MCU/MPU**: +- **Interface to Host MCU/MPU**: - SPI - - Encrypted channel with forward secrecy + - Encrypted channel with forward secrecy - **Entropy Source**: - Physically Unclonable Function (PUF) - True Random Number Generator (TRNG) -### Available Evaluation and Development Kits +### Available Evaluation and Development Kits - USB Stick with TROPIC01 ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#usb-stick-with-tropic01)) -- Raspberry PI shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#rpi-shield-ts1501)) +- Raspberry PI shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#rpi-shield-ts1501)) - Arduino shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#arduino-shield-ts14)) ### Get samples @@ -59,9 +59,9 @@ To get samples and DevKits, please fill in [this form](https://tropicsquare.com/ ### Pre-requirements 1. Get one of the targeted hardware platforms. For example, Linux PC + TROPIC01 USB stick or Raspberry PI 3/4/5 + TROPIC01 RPI shield -2. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross-compiling toolchain (armv8-rpi3-linux-gnueabihf) -3. Install CMake and Autotools -4. Install Git +2. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross-compiling toolchain (armv8-rpi3-linux-gnueabihf) +3. Install CMake and Autotools +4. Install Git Some guidelines for RPi are available [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) @@ -79,8 +79,8 @@ $ sudo apt install wiringpi For the integration with wolfSSL, there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): ```sh -TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key -TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key +TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key +TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private key TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys PAIRING_KEY_SLOT_INDEX_0 0 //pairing keys slot @@ -105,10 +105,10 @@ Or run the following commands: ### Build wolfSSL 1. Clone wolfSSL from the wolfSSL GitHub (https://github.com/wolfSSL/wolfssl) -2. Make sure that the version of wolfSSL supports TROPIC01 - check if the folder wolfssl/wolfcrypt/src/port/tropicsquare exists +2. Make sure that the version of wolfSSL supports TROPIC01 - check if the folder wolfssl/wolfcrypt/src/port/tropicsquare exists 3. To compile wolfSSL with TROPIC01 support using Autoconf/configure: - + ```sh $ cd wolfssl $ ./autogen.sh @@ -116,11 +116,11 @@ $ ./configure --with-tropic01=PATH --enable-cryptocb --enable-static --disable-c $ make $ sudo make install ``` -where PATH is an absolute path to the libtropic folder, for example +where PATH is an absolute path to the libtropic folder, for example --with-tropic01=/home/pi/git/libtropic - -For the debugging output, add + +For the debugging output, add --enable-debug @@ -138,7 +138,7 @@ If necessary, open and edit the Makefile in this folder Set correct values for CC and LIBTROPIC_DIR variables, for example: - CC = gcc + CC = gcc LIBTROPIC_DIR = /home/pi/git/libtropic @@ -181,13 +181,13 @@ Generated 32 random bytes: RNG test completed successfully AES test starting: -TROPIC01: CryptoCB: AES request +TROPIC01: CryptoCB: AES request TROPIC01: Get AES Key: Retrieving key from slot 1 TROPIC01: Get AES Key: Key retrieved successfully Plain message: -01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 +01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 Encrypted message: -89 44 11 3E 2E 07 52 9C CB 5F B1 70 7E 9C 42 D6 +89 44 11 3E 2E 07 52 9C CB 5F B1 70 7E 9C 42 D6 AES test completed successfully ED25519 COMPREHENSIVE TESTING SUITE @@ -227,5 +227,5 @@ A73A562B 3D03F429 8706309D 63E2120B wolfSSL Entering wolfCrypt_Cleanup ``` - - + + From abdcf4dbc58865f1d12cbe689bbe411f7997070e Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Wed, 11 Jun 2025 21:09:22 +0200 Subject: [PATCH 15/31] improve ED25519 key handling in CryptoCb function --- wolfcrypt/src/port/tropicsquare/tropic01.c | 28 ++++++++++++++-------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index added7090..cd58db1e6 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -243,19 +243,28 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) TROPIC01_ED25519_PRIV_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get ED25519 key, ret=%d", + "TROPIC01: CryptoCB: Failed to get ED25519 PRIVkey,ret=%d", + ret); + return ret; + } + ret = Tropic01_GetKeyECC( + info->pk.ed25519sign.key->p, + TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, + TROPIC01_ED25519_PUB_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get ED25519 PUBkey,ret=%d", ret); return ret; } /* set devId to invalid, so software is used */ info->pk.ed25519sign.key->devId = INVALID_DEVID; + info->pk.ed25519sign.key->privKeySet = 1; info->pk.ed25519sign.key->pubKeySet = 1; - - ret = wc_ed25519_sign_msg_ex( + ret = wc_ed25519_sign_msg( info->pk.ed25519sign.in, info->pk.ed25519sign.inLen, info->pk.ed25519sign.out, info->pk.ed25519sign.outLen, - info->pk.ed25519sign.key, info->pk.ed25519sign.type, - info->pk.ed25519sign.context, info->pk.ed25519sign.contextLen); + info->pk.ed25519sign.key); /* reset devId */ info->pk.ed25519sign.key->devId = devId; @@ -266,7 +275,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); /* retrieve public key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC( - info->pk.ed25519sign.key->p, + info->pk.ed25519verify.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); if (ret != 0) { @@ -278,12 +287,11 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* set devId to invalid, so software is used */ info->pk.ed25519verify.key->devId = INVALID_DEVID; - - ret = wc_ed25519_verify_msg_ex( + info->pk.ed25519verify.key->pubKeySet = 1; + ret = wc_ed25519_verify_msg( info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen, info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen, - info->pk.ed25519verify.res, info->pk.ed25519verify.key, - info->pk.ed25519verify.type, NULL, 0); + info->pk.ed25519verify.res, info->pk.ed25519verify.key); /* reset devId */ info->pk.ed25519verify.key->devId = devId; From 385be1c08a08e91fcc86688839c7834d7e479044 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 19 May 2025 21:41:49 +0200 Subject: [PATCH 16/31] added support for Tropic01 crypto callbacks --- configure.ac | 47 +++ wolfcrypt/src/include.am | 5 + wolfcrypt/src/port/tropicsquare/tropic01.c | 355 ++++++++++++++++++ wolfcrypt/src/wc_port.c | 12 +- wolfssl/wolfcrypt/include.am | 5 + .../wolfcrypt/port/tropicsquare/tropic01.h | 82 ++++ 6 files changed, 505 insertions(+), 1 deletion(-) create mode 100644 wolfcrypt/src/port/tropicsquare/tropic01.c create mode 100644 wolfssl/wolfcrypt/port/tropicsquare/tropic01.h diff --git a/configure.ac b/configure.ac index a6765405c..ab54cd664 100644 --- a/configure.ac +++ b/configure.ac @@ -2849,6 +2849,51 @@ AC_ARG_WITH([cryptoauthlib], ] ) + +# TropicSquare TROPIC01 +# Example: "./configure --with-tropic01=/home/pi/libtropic" +ENABLED_TROPIC01="no" +trylibtropicdir="" +AC_ARG_WITH([tropic01], + [AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])], + [ + AC_MSG_CHECKING([for tropic01]) + CPPFLAGS="$CPPFLAGS -DWOLFSSL_TROPIC01" + LIBS="$LIBS -llibtropic" + + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) + + if test "x$libtropic_linked" = "xno" ; then + if test "x$withval" != "xno" ; then + trylibtropicdir=$withval + fi + if test "x$withval" = "xyes" ; then + trylibtropicdir="/usr" + fi + + LDFLAGS="$LDFLAGS -L$trylibtropicdir/lib" + CPPFLAGS="$CPPFLAGS -I$trylibtropicdir/lib" + + AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) + + if test "x$libtropic_linked" = "xno" ; then + AC_MSG_ERROR([libtropic isn't found. + If it's already installed, specify its path using --with-tropic01=/dir/]) + fi + + AM_LDFLAGS="$AM_LDFLAGS -L$trylibtropicdir/lib" + AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/lib" + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([yes]) + fi + + ENABLED_TROPIC01="yes" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + ] +) + + # NXP SE050 # Example: "./configure --with-se050=/home/pi/simw_top" ENABLED_SE050="no" @@ -10702,6 +10747,7 @@ AM_CONDITIONAL([BUILD_QNXCAAM],[test "x$ENABLED_CAAM_QNX" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE],[test "x$ENABLED_IOTSAFE" = "xyes"]) AM_CONDITIONAL([BUILD_IOTSAFE_HWRNG],[test "x$ENABLED_IOTSAFE_HWRNG" = "xyes"]) AM_CONDITIONAL([BUILD_SE050],[test "x$ENABLED_SE050" = "xyes"]) +AM_CONDITIONAL([BUILD_TROPIC01],[test "x$ENABLED_TROPIC01" = "xyes"]) AM_CONDITIONAL([BUILD_KDF],[test "x$ENABLED_KDF" = "xyes"]) AM_CONDITIONAL([BUILD_HMAC],[test "x$ENABLED_HMAC" = "xyes"]) AM_CONDITIONAL([BUILD_ERROR_STRINGS],[test "x$ENABLED_ERROR_STRINGS" = "xyes"]) @@ -11230,6 +11276,7 @@ echo " * i.MX CAAM: $ENABLED_CAAM" echo " * IoT-Safe: $ENABLED_IOTSAFE" echo " * IoT-Safe HWRNG: $ENABLED_IOTSAFE_HWRNG" echo " * NXP SE050: $ENABLED_SE050" +echo " * TROPIC01: $ENABLED_TROPIC01" echo " * Maxim Integrated MAXQ10XX: $ENABLED_MAXQ10XX" echo " * PSA: $ENABLED_PSA" echo " * System CA certs: $ENABLED_SYS_CA_CERTS" diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index 151245120..f1bfd526a 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -105,6 +105,7 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/st/README.md \ wolfcrypt/src/port/st/STM32MP13.md \ wolfcrypt/src/port/st/STM32MP25.md \ + wolfcrypt/src/port/tropicsquare/tropic01.c \ wolfcrypt/src/port/af_alg/afalg_aes.c \ wolfcrypt/src/port/af_alg/afalg_hash.c \ wolfcrypt/src/port/kcapi/kcapi_aes.c \ @@ -221,6 +222,10 @@ if BUILD_SE050 src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/nxp/se050_port.c endif +if BUILD_TROPIC01 +src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/tropicsquare/tropic01.c +endif + if BUILD_PSA src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/psa/psa.c src_libwolfssl@LIBSUFFIX@_la_SOURCES += wolfcrypt/src/port/psa/psa_hash.c diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c new file mode 100644 index 000000000..0f0be4e62 --- /dev/null +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -0,0 +1,355 @@ +/* tropic01.c + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + * +*/ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include +#include +#include +#include +#include +#include + +#include + +/* + * TROPIC01 hardware RNG implementation + */ +static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx) +{ + int ret = 0; + // Default factory pairing keys + byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; + // Engineering samples 01 keys: + byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; + byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; + lt_handle_t h; + lt_ret_t rett; + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Requesting %u bytes", sz); + + if (out == NULL || ctx == NULL || !ctx->initialized || sz == 0) + return BAD_FUNC_ARG; + + /* Call TROPIC01 TRNG API to get random data */ + + + rett = lt_init(&h); + if(rett != LT_OK) { + //printf("Error lt_init(): %s", lt_ret_verbose(ret)); + return rett; + } + ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); + if(ret != LT_OK) { + //printf("Error sec channel: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return ret; + } + ret = lt_random_get(&h, out, sz); + if(ret != LT_OK) { + //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return ret; + } + ret = lt_deinit(&h); + if(ret != LT_OK) { + //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); + return ret; + } + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); + return ret; +} + +/* + * Retrive the AES key from the secure memory of TROPIC01 + */ + +static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx) +{ + int ret; + // Default factory pairing keys + byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; + // Engineering samples 01 keys: + byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; + byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; + lt_handle_t h; + lt_ret_t rett; + WOLFSSL_MSG_EX("TROPIC01: GetKey: Retrieving key from slot %d", keySlot); + + if (aes == NULL || ctx == NULL || !ctx->initialized || keySlot < 0 || keySlot >= 511) + return BAD_FUNC_ARG; + + /* Check key size */ + if (keySz != 16 && keySz != 24 && keySz != 32) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Unsupported key size %u", keySz); + return BAD_FUNC_ARG; + } + + /* Retrieve key from TROPIC01 */ + rett = lt_init(&h); + if(rett != LT_OK) { + //printf("Error lt_init(): %s", lt_ret_verbose(ret)); + return rett; + } + ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); + if(ret != LT_OK) { + //printf("Error sec channel: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return ret; + } + ret = lt_r_mem_data_read(&h, keySlot, (byte*)aes->key, keySz); + if(ret != LT_OK) { + //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); + lt_deinit(&h); + return 1; + } + ret = lt_deinit(&h); + if(ret != LT_OK) { + //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); + return ret; + } + + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); + return ret; + } + + WOLFSSL_MSG_EX("TROPIC01: GetKey: Key retrieved successfully"); + return 0; +} + +/** + * Find an available key slot in the TROPIC01 + */ +static int Tropic01_FindFreeKeySlot(Tropic01CryptoDevCtx* ctx) +{ + int i; + + WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: Searching for available slot"); + + for (i = 0; i < 8; i++) { + if (ctx->keySlotUsage[i] == 0) { + ctx->keySlotUsage[i] = 1; + WOLFSSL_MSG_EX("TROPIC01: FindFreeKeySlot: Found slot %d", i); + return i; + } + } + + WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: No free slots available"); + return -1; +} + +/** + * Store AES key in TROPIC01 secure memory + */ +static int Tropic01_StoreKey(Aes* aes, const byte* key, word32 keySz, Tropic01CryptoDevCtx* ctx) +{ + int ret; + int keySlot; + Tropic01KeyRef* keyRef; + + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Storing key of size %u bytes", keySz); + + if (aes == NULL || key == NULL || ctx == NULL || !ctx->initialized) + return BAD_FUNC_ARG; + + /* Check key size */ + if (keySz != 16 && keySz != 24 && keySz != 32) { + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Unsupported key size %u", keySz); + return BAD_FUNC_ARG; + } + + /* Find available key slot */ + keySlot = Tropic01_FindFreeKeySlot(ctx); + if (keySlot < 0) { + WOLFSSL_MSG("TROPIC01: StoreKey: No free key slots available"); + return MEMORY_E; + } + + /* Allocate key reference */ + keyRef = (Tropic01KeyRef*)XMALLOC(sizeof(Tropic01KeyRef), NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (keyRef == NULL) { + ctx->keySlotUsage[keySlot] = 0; + return MEMORY_E; + } + + /* Store key in TROPIC01 */ + /* Example TROPIC01_StoreKey call */ + ret = 0; /* Replace with actual implementation */ + + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Failed to store key in slot %d, ret=%d", keySlot, ret); + XFREE(keyRef, NULL, DYNAMIC_TYPE_TMP_BUFFER); + ctx->keySlotUsage[keySlot] = 0; + return ret; + } + + /* Initialize key reference */ + keyRef->keySlot = keySlot; + keyRef->keySize = keySz; + keyRef->keyType = 0; + keyRef->isValid = 1; + + /* Store reference in AES structure */ + //aes->devKey = keySlot; + //aes->devCtx = keyRef; + + WOLFSSL_MSG_EX("TROPIC01: StoreKey: Key stored successfully in slot %d", keySlot); + return 0; +} + +/** + * Crypto Callback function for TROPIC01 + */ +int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) +{ + int ret = CRYPTOCB_UNAVAILABLE; + Tropic01CryptoDevCtx* tropicCtx = (Tropic01CryptoDevCtx*)ctx; + + + if (info == NULL || tropicCtx == NULL || !tropicCtx->initialized || devId == -2) + return BAD_FUNC_ARG; + + switch (info->algo_type) { + case WC_ALGO_TYPE_RNG: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: RNG generation request (%u bytes)", info->rng.sz); + ret = Tropic01_GetRandom(info->rng.out, info->rng.sz, tropicCtx); + break; + case WC_ALGO_TYPE_SEED: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); + ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz, tropicCtx); + break; + case WC_ALGO_TYPE_CIPHER: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: AES request (%u bytes)", info->aes_setkey.keySz); + ret = Tropic01_StoreKey(NULL, NULL, 32, tropicCtx); + //ret = Tropic01_GetKey(NULL, NULL, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); +#if !defined(NO_AES) || !defined(NO_DES3) + #ifdef HAVE_AESGCM + if (info->cipher.type == WC_CIPHER_AES_GCM) { + if (info->cipher.enc) { + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); + return ret; + } + ret = wc_AesGcmEncrypt( + info->cipher.aesgcm_enc.aes, + info->cipher.aesgcm_enc.out, + info->cipher.aesgcm_enc.in, + info->cipher.aesgcm_enc.sz, + info->cipher.aesgcm_enc.iv, + info->cipher.aesgcm_enc.ivSz, + info->cipher.aesgcm_enc.authTag, + info->cipher.aesgcm_enc.authTagSz, + info->cipher.aesgcm_enc.authIn, + info->cipher.aesgcm_enc.authInSz); + + /* reset devId */ + info->cipher.aesgcm_enc.aes->devId = devId; + } + else { + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); + return ret; + } + ret = wc_AesGcmDecrypt( + info->cipher.aesgcm_dec.aes, + info->cipher.aesgcm_dec.out, + info->cipher.aesgcm_dec.in, + info->cipher.aesgcm_dec.sz, + info->cipher.aesgcm_dec.iv, + info->cipher.aesgcm_dec.ivSz, + info->cipher.aesgcm_dec.authTag, + info->cipher.aesgcm_dec.authTagSz, + info->cipher.aesgcm_dec.authIn, + info->cipher.aesgcm_dec.authInSz); + + /* reset devId */ + info->cipher.aesgcm_dec.aes->devId = devId; + } + } +#endif /* HAVE_AESGCM */ + #ifdef HAVE_AES_CBC + if (info->cipher.type == WC_CIPHER_AES_CBC) { + if (info->cipher.enc) { + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); + return ret; + } + ret = wc_AesCbcEncrypt( + info->cipher.aescbc.aes, + info->cipher.aescbc.out, + info->cipher.aescbc.in, + info->cipher.aescbc.sz); + + /* reset devId */ + info->cipher.aescbc.aes->devId = devId; + } + else { + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); + return ret; + } + ret = wc_AesCbcDecrypt( + info->cipher.aescbc.aes, + info->cipher.aescbc.out, + info->cipher.aescbc.in, + info->cipher.aescbc.sz); + + /* reset devId */ + info->cipher.aescbc.aes->devId = devId; + } + } + #endif /* HAVE_AES_CBC */ +#endif /* !NO_AES || !NO_DES3 */ + break; + + default: + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + break; + } + + return ret; +} + +int Tropic01_Init(Tropic01CryptoDevCtx* ctx) +{ + if (ctx == NULL) + return BAD_FUNC_ARG; + + ctx->initialized = 1; + XMEMSET(ctx->keySlotUsage, 0, sizeof(ctx->keySlotUsage)); + + return 0; +} diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 6abc118b5..f31093ec1 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -69,6 +69,10 @@ #include #endif +#if defined(WOLFSSL_TROPIC01) + #include +#endif + #if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)) \ && !defined(WOLFCRYPT_ONLY) #include @@ -294,7 +298,13 @@ int wolfCrypt_Init(void) #if defined(WOLFSSL_STSAFEA100) stsafe_interface_init(); #endif - + #if defined(WOLFSSL_TROPIC01) + ret = Tropic01_Init(NULL); + if (ret != 0) { + WOLFSSL_MSG("Tropic01 init failed"); + return ret; + } + #endif #if defined(WOLFSSL_PSOC6_CRYPTO) ret = psoc6_crypto_port_init(); if (ret != 0) { diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index f6fadde7f..bf798d366 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -109,6 +109,7 @@ noinst_HEADERS+= \ wolfssl/wolfcrypt/port/silabs/silabs_random.h \ wolfssl/wolfcrypt/port/st/stm32.h \ wolfssl/wolfcrypt/port/st/stsafe.h \ + wolfssl/wolfcrypt/port/tropicsquare/tropic01.h \ wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h \ wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h \ wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h \ @@ -229,6 +230,10 @@ if BUILD_SE050 nobase_include_HEADERS+= wolfssl/wolfcrypt/port/nxp/se050_port.h endif +if BUILD_TROPIC01 +nobase_include_HEADERS+= wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +endif + if BUILD_MAXQ10XX nobase_include_HEADERS+= wolfssl/wolfcrypt/port/maxim/maxq10xx.h endif diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h new file mode 100644 index 000000000..08110e03d --- /dev/null +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -0,0 +1,82 @@ +/* tropic01.h + * + * Copyright (C) 2006-2025 wolfSSL Inc. + * + * This file is part of wolfSSL. + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA + */ + +#ifndef _WOLFPORT_TROPIC01_H_ +#define _WOLFPORT_TROPIC01_H_ + +#include +#include +#include +#include + +#ifdef WOLF_CRYPTO_CB +#include +#endif + + +#ifdef WOLFSSL_TROPIC01 + +/* The TROPIC01 interface layer */ +/* Please contact wolfSSL for the TROPIC01 port files */ +#define LT_USE_TREZOR_CRYPTO 1 +#define LT_HELPERS + +#include "libtropic.h" +#include "libtropic_common.h" + + +#ifdef WOLF_CRYPTO_CB + +/* Device ID that's unique and valid (not INVALID_DEVID -2) */ +#define WOLF_TROPIC01_DEVID 0x75757; /* TROPIC01 ID*/ + + +#define TROPIC01_AES_MAX_KEY_SIZE 32 +#define TROPIC01_AES_KEY_SLOT_DEFAULT 8 +#define PAIRING_KEY_SLOT_INDEX_0 0 + + + +typedef struct { + int keySlot; /* Slot ID in TROPIC01 secure memory */ + word32 keySize; /* Size of the key in bytes (16, 24, or 32) */ + byte keyType; /* Type of key (e.g., AES_CBC, AES_GCM) */ + byte isValid; /* Flag indicating if this reference is valid */ +} Tropic01KeyRef; + +/* Context for TROPIC01 secure element */ +typedef struct { + int initialized; + byte keySlotUsage[8]; +} Tropic01CryptoDevCtx; + + +int Tropic01_Init(Tropic01CryptoDevCtx* ctx); +int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); + +//static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx); +//static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx); + +#endif /* WOLF_CRYPTO_CB */ + +#endif /* WOLFSSL_TROPIC01*/ + +#endif /* _WOLFPORT_TROPIC01_H_ */ From 5664507e65d65077b9c760e74d97581c0fb0949d Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Thu, 22 May 2025 14:22:40 +0200 Subject: [PATCH 17/31] Support for static libraries --- configure.ac | 51 +++++++++++++++++++++------------------------------ 1 file changed, 21 insertions(+), 30 deletions(-) diff --git a/configure.ac b/configure.ac index ab54cd664..17a038c15 100644 --- a/configure.ac +++ b/configure.ac @@ -2858,38 +2858,29 @@ AC_ARG_WITH([tropic01], [AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])], [ AC_MSG_CHECKING([for tropic01]) - CPPFLAGS="$CPPFLAGS -DWOLFSSL_TROPIC01" - LIBS="$LIBS -llibtropic" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) - - if test "x$libtropic_linked" = "xno" ; then - if test "x$withval" != "xno" ; then - trylibtropicdir=$withval - fi - if test "x$withval" = "xyes" ; then - trylibtropicdir="/usr" - fi - - LDFLAGS="$LDFLAGS -L$trylibtropicdir/lib" - CPPFLAGS="$CPPFLAGS -I$trylibtropicdir/lib" - - AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ lt_init(0); ]])],[ libtropic_linked=yes ],[ libtropic_linked=no ]) - - if test "x$libtropic_linked" = "xno" ; then - AC_MSG_ERROR([libtropic isn't found. - If it's already installed, specify its path using --with-tropic01=/dir/]) - fi - - AM_LDFLAGS="$AM_LDFLAGS -L$trylibtropicdir/lib" - AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/lib" - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([yes]) + if test "x$withval" != "xno" ; then + trylibtropicdir=$withval + AC_MSG_NOTICE([Use provided PATH]) fi - + if test "x$withval" = "xyes" ; then + trylibtropicdir="libtropic" + AC_MSG_NOTICE([Use default PATH]) + fi + if test -e $trylibtropicdir/build/libtropic.a + then + LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a" + LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" + AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include" + AC_MSG_NOTICE([TropicSquare library is available]) + else + ENABLED_TROPIC01="no" + AC_MSG_ERROR([Could not find TropicSquare library]) + fi + enable_shared=no + enable_static=yes ENABLED_TROPIC01="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + AC_MSG_RESULT([yes]) ] ) From b13fdaa05e1bedb4d3dd6bbaa9031270ec4e9d80 Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Thu, 22 May 2025 14:40:11 +0200 Subject: [PATCH 18/31] Draft of readme.md --- wolfcrypt/src/port/tropicsquare/README.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 wolfcrypt/src/port/tropicsquare/README.md diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md new file mode 100644 index 000000000..1b49864ac --- /dev/null +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -0,0 +1,20 @@ +# tropic01 callbacks + + + +## How to build: + +1. Build libtropic project with all dependencies for the targeted platfrom (for example, Raspberry Pi 3/4/5). Preferably all static targets must be built with -fPIC option +2. Goto wolfssl main folder +3. ./autogen.sh +4. ./configure --with-tropic01=/home/pi/git/libtropic --enable-cryptocb --enable-static --disable-crypttests --disable-examples --disable-shared +Note. Please replace '/home/pi/git/libtropic' with an absolute path to your libtropic folder if necessary +5. make +6. the built library should be in ./wolfssl/src/.libs/libwolfssl.a + +## How to use: + + + + + From 7c1980fe012d664feca8cbe6c66c97bf3ab96dcc Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Sun, 25 May 2025 20:43:56 +0200 Subject: [PATCH 19/31] some fixes and updates --- wolfcrypt/src/port/tropicsquare/tropic01.c | 246 +++++++----------- wolfcrypt/src/wc_port.c | 2 +- .../wolfcrypt/port/tropicsquare/tropic01.h | 11 +- 3 files changed, 95 insertions(+), 164 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 0f0be4e62..e97e201f8 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -33,71 +33,60 @@ #include +static Tropic01CryptoDevCtx g_ctx = {0}; +static lt_handle_t g_h; + +// Default factory pairing keys +byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; + // Engineering samples 01 keys: +byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; +byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; /* * TROPIC01 hardware RNG implementation */ -static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx) +static int Tropic01_GetRandom(byte* out, word32 sz) { int ret = 0; - // Default factory pairing keys - byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; - // Engineering samples 01 keys: - byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; - byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; - lt_handle_t h; - lt_ret_t rett; + + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Requesting %u bytes", sz); - if (out == NULL || ctx == NULL || !ctx->initialized || sz == 0) + if (out == NULL || sz == 0) return BAD_FUNC_ARG; + /* Call TROPIC01 TRNG API to get random data */ - rett = lt_init(&h); - if(rett != LT_OK) { - //printf("Error lt_init(): %s", lt_ret_verbose(ret)); - return rett; - } - ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); + ret = lt_random_get(&g_h, out, sz); if(ret != LT_OK) { - //printf("Error sec channel: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return ret; - } - ret = lt_random_get(&h, out, sz); - if(ret != LT_OK) { - //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return ret; - } - ret = lt_deinit(&h); - if(ret != LT_OK) { - //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); - return ret; + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; } + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); - return ret; + /* + for (word32 i = 0; i < sz; i++) { + WOLFSSL_MSG_EX("TROPIC01: GetRandom: out[%d] = 0x%02x", i, out[i]); + } + */ + return 0; } /* * Retrive the AES key from the secure memory of TROPIC01 */ -static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx) +static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) { - int ret; - // Default factory pairing keys - byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; - // Engineering samples 01 keys: - byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; - byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; - lt_handle_t h; + lt_ret_t rett; WOLFSSL_MSG_EX("TROPIC01: GetKey: Retrieving key from slot %d", keySlot); - if (aes == NULL || ctx == NULL || !ctx->initialized || keySlot < 0 || keySlot >= 511) + if (aes == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; + /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { @@ -106,117 +95,19 @@ static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDe } /* Retrieve key from TROPIC01 */ - rett = lt_init(&h); + + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); if(rett != LT_OK) { - //printf("Error lt_init(): %s", lt_ret_verbose(ret)); - return rett; - } - ret = verify_chip_and_start_secure_session(&h, sh0priv, sh0pub, pkey_index_0); - if(ret != LT_OK) { - //printf("Error sec channel: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return ret; - } - ret = lt_r_mem_data_read(&h, keySlot, (byte*)aes->key, keySz); - if(ret != LT_OK) { - //printf("Error l3 cmd: %s", lt_ret_verbose(ret)); - lt_deinit(&h); - return 1; - } - ret = lt_deinit(&h); - if(ret != LT_OK) { - //printf("Error lt_deinit(): %s", lt_ret_verbose(ret)); - return ret; + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", rett); + Tropic01_Deinit(); + return WC_HW_E; } - if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); - return ret; - } WOLFSSL_MSG_EX("TROPIC01: GetKey: Key retrieved successfully"); return 0; } -/** - * Find an available key slot in the TROPIC01 - */ -static int Tropic01_FindFreeKeySlot(Tropic01CryptoDevCtx* ctx) -{ - int i; - - WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: Searching for available slot"); - - for (i = 0; i < 8; i++) { - if (ctx->keySlotUsage[i] == 0) { - ctx->keySlotUsage[i] = 1; - WOLFSSL_MSG_EX("TROPIC01: FindFreeKeySlot: Found slot %d", i); - return i; - } - } - - WOLFSSL_MSG("TROPIC01: FindFreeKeySlot: No free slots available"); - return -1; -} - -/** - * Store AES key in TROPIC01 secure memory - */ -static int Tropic01_StoreKey(Aes* aes, const byte* key, word32 keySz, Tropic01CryptoDevCtx* ctx) -{ - int ret; - int keySlot; - Tropic01KeyRef* keyRef; - - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Storing key of size %u bytes", keySz); - - if (aes == NULL || key == NULL || ctx == NULL || !ctx->initialized) - return BAD_FUNC_ARG; - - /* Check key size */ - if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Unsupported key size %u", keySz); - return BAD_FUNC_ARG; - } - - /* Find available key slot */ - keySlot = Tropic01_FindFreeKeySlot(ctx); - if (keySlot < 0) { - WOLFSSL_MSG("TROPIC01: StoreKey: No free key slots available"); - return MEMORY_E; - } - - /* Allocate key reference */ - keyRef = (Tropic01KeyRef*)XMALLOC(sizeof(Tropic01KeyRef), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (keyRef == NULL) { - ctx->keySlotUsage[keySlot] = 0; - return MEMORY_E; - } - - /* Store key in TROPIC01 */ - /* Example TROPIC01_StoreKey call */ - ret = 0; /* Replace with actual implementation */ - - if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Failed to store key in slot %d, ret=%d", keySlot, ret); - XFREE(keyRef, NULL, DYNAMIC_TYPE_TMP_BUFFER); - ctx->keySlotUsage[keySlot] = 0; - return ret; - } - - /* Initialize key reference */ - keyRef->keySlot = keySlot; - keyRef->keySize = keySz; - keyRef->keyType = 0; - keyRef->isValid = 1; - - /* Store reference in AES structure */ - //aes->devKey = keySlot; - //aes->devCtx = keyRef; - - WOLFSSL_MSG_EX("TROPIC01: StoreKey: Key stored successfully in slot %d", keySlot); - return 0; -} /** * Crypto Callback function for TROPIC01 @@ -224,24 +115,29 @@ static int Tropic01_StoreKey(Aes* aes, const byte* key, word32 keySz, Tropic01Cr int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) { int ret = CRYPTOCB_UNAVAILABLE; - Tropic01CryptoDevCtx* tropicCtx = (Tropic01CryptoDevCtx*)ctx; - if (info == NULL || tropicCtx == NULL || !tropicCtx->initialized || devId == -2) + if (info == NULL) return BAD_FUNC_ARG; + (void)ctx; + (void)devId; + if (g_ctx.initialized == 0) { + WOLFSSL_MSG("TROPIC01: CryptoCB: Device not initialized"); + return CRYPTOCB_UNAVAILABLE; + } switch (info->algo_type) { case WC_ALGO_TYPE_RNG: WOLFSSL_MSG_EX("TROPIC01: CryptoCB: RNG generation request (%u bytes)", info->rng.sz); - ret = Tropic01_GetRandom(info->rng.out, info->rng.sz, tropicCtx); + ret = Tropic01_GetRandom(info->rng.out, info->rng.sz); break; case WC_ALGO_TYPE_SEED: WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); - ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz, tropicCtx); + ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); break; case WC_ALGO_TYPE_CIPHER: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: AES request (%u bytes)", info->aes_setkey.keySz); - ret = Tropic01_StoreKey(NULL, NULL, 32, tropicCtx); + WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); + //ret = Tropic01_StoreKey(NULL, NULL, 32); //ret = Tropic01_GetKey(NULL, NULL, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); #if !defined(NO_AES) || !defined(NO_DES3) #ifdef HAVE_AESGCM @@ -249,7 +145,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); return ret; @@ -272,7 +168,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); return ret; @@ -299,7 +195,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); return ret; @@ -316,7 +212,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); return ret; @@ -330,26 +226,60 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->cipher.aescbc.aes->devId = devId; } + for (int i = 0; i < info->cipher.aescbc.aes->keylen; i++) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: aes->key[%d] = 0x%02x", i, info->cipher.aescbc.aes->key[i]); + } + for (word32 i = 0; i < info->cipher.aescbc.sz; i++) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: out[%d] = 0x%02x", i, info->cipher.aescbc.out[i]); + } } #endif /* HAVE_AES_CBC */ #endif /* !NO_AES || !NO_DES3 */ break; default: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + //WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); break; } return ret; } -int Tropic01_Init(Tropic01CryptoDevCtx* ctx) +int Tropic01_Init() { - if (ctx == NULL) - return BAD_FUNC_ARG; + lt_ret_t ret; - ctx->initialized = 1; - XMEMSET(ctx->keySlotUsage, 0, sizeof(ctx->keySlotUsage)); + g_ctx.initialized = 0; + ret = lt_init(&g_h); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: lt_init failed with a code %d", ret); + return WC_HW_E; + } + ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pkey_index_0); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: secure session failed with a code %d", ret); + lt_deinit(&g_h); + return WC_HW_E; + } + g_ctx.initialized = 1; + WOLFSSL_MSG("TROPIC01: Crypto device initialized successfully"); return 0; } + +int Tropic01_Deinit() +{ + lt_ret_t ret; + + if (g_ctx.initialized) { + ret = lt_deinit(&g_h); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: lt_deinit failed with a code %d", ret); + return WC_HW_E; + } + g_ctx.initialized = 0; + WOLFSSL_MSG("TROPIC01: Crypto device deinitialized successfully"); + } + + return 0; +} diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index f31093ec1..72214d588 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -299,7 +299,7 @@ int wolfCrypt_Init(void) stsafe_interface_init(); #endif #if defined(WOLFSSL_TROPIC01) - ret = Tropic01_Init(NULL); + ret = Tropic01_Init(); if (ret != 0) { WOLFSSL_MSG("Tropic01 init failed"); return ret; diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 08110e03d..61eeedfd0 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -39,18 +39,18 @@ #define LT_USE_TREZOR_CRYPTO 1 #define LT_HELPERS -#include "libtropic.h" -#include "libtropic_common.h" +#include +#include #ifdef WOLF_CRYPTO_CB /* Device ID that's unique and valid (not INVALID_DEVID -2) */ -#define WOLF_TROPIC01_DEVID 0x75757; /* TROPIC01 ID*/ +#define WOLF_TROPIC01_DEVID 0x75757 /* TROPIC01 ID*/ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_AES_KEY_SLOT_DEFAULT 8 +#define TROPIC01_AES_KEY_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 @@ -69,7 +69,8 @@ typedef struct { } Tropic01CryptoDevCtx; -int Tropic01_Init(Tropic01CryptoDevCtx* ctx); +int Tropic01_Init(void); +int Tropic01_Deinit(void); int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); //static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx); From cd76615e494e4de41ecb87a0e63bb291f0cecaf3 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 26 May 2025 21:58:06 +0200 Subject: [PATCH 20/31] added support of ED25519 --- wolfcrypt/src/port/tropicsquare/tropic01.c | 96 ++++++++++++++++++- .../wolfcrypt/port/tropicsquare/tropic01.h | 6 +- 2 files changed, 96 insertions(+), 6 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index e97e201f8..0be403168 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -74,6 +74,45 @@ static int Tropic01_GetRandom(byte* out, word32 sz) return 0; } +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) + +static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) +{ + lt_ret_t ret = 0; + + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Requesting %u bytes", sz); + + if (pubkey == NULL || sz != 32) + return BAD_FUNC_ARG; + + ret = lt_ecc_key_erase(&g_h, keySlot); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to erase key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; + } + + ret = lt_ecc_key_generate(&g_h, keySlot, CURVE_ED25519); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to generate key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; + } + lt_ecc_curve_type_t curve = 2; + ecc_key_origin_t origin = 2; + ret = lt_ecc_key_read(&g_h, keySlot, pubkey, sz, &curve, &origin); + if(ret != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to read pub key, ret=%d", ret); + Tropic01_Deinit(); + return WC_HW_E; + } + + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Completed with ret=%d", ret); + + return 0; +} +#endif + /* * Retrive the AES key from the secure memory of TROPIC01 */ @@ -120,7 +159,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info == NULL) return BAD_FUNC_ARG; (void)ctx; - (void)devId; + // (void)devId; if (g_ctx.initialized == 0) { WOLFSSL_MSG("TROPIC01: CryptoCB: Device not initialized"); @@ -135,6 +174,53 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); break; + case WC_ALGO_TYPE_PK: +#if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) + if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { + WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); + ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key, TROPIC01_ED25519_KEY_SLOT_DEFAULT, info->pk.ed25519kg.size); + + } + #ifdef HAVE_ED25519_SIGN + else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { + + WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); + ret = Tropic01_GetKey(info->pk.ed25519sign.key, TROPIC01_ED25519_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); + return ret; + } + /* set devId to invalid, so software is used */ + info->pk.ed25519sign.key->devId = INVALID_DEVID; + + ret = wc_ed25519_sign_msg_ex( + info->pk.ed25519sign.in, info->pk.ed25519sign.inLen, + info->pk.ed25519sign.out, info->pk.ed25519sign.outLen, + info->pk.ed25519sign.key, info->pk.ed25519sign.type, + info->pk.ed25519sign.context, info->pk.ed25519sign.contextLen); + + /* reset devId */ + info->pk.ed25519sign.key->devId = devId; + } + #endif + #ifdef HAVE_ED25519_VERIFY + else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { + /* set devId to invalid, so software is used */ + info->pk.ed25519verify.key->devId = INVALID_DEVID; + + ret = wc_ed25519_verify_msg_ex( + info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen, + info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen, + info->pk.ed25519verify.res, info->pk.ed25519verify.key, + info->pk.ed25519verify.type, info->pk.ed25519verify.context, + info->pk.ed25519verify.contextLen); + + /* reset devId */ + info->pk.ed25519verify.key->devId = devIdArg; + } + #endif // HAVE_ ED25519_VERIFY +#endif /* HAVE_ED25519 */ + break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); //ret = Tropic01_StoreKey(NULL, NULL, 32); @@ -145,7 +231,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); return ret; @@ -168,7 +254,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); return ret; @@ -195,7 +281,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info->cipher.enc) { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); return ret; @@ -212,7 +298,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else { /* set devId to invalid, so software is used */ info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_KEY_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); return ret; diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 61eeedfd0..83d8ade03 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,7 +50,11 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_AES_KEY_SLOT_DEFAULT 1 +#define TROPIC01_ED25519_MAX_KEY_SIZE 32 +#define TROPIC01_AES_RMEM_SLOT_DEFAULT 1 +#define TROPIC01_ED25519_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_KEY_SLOT_DEFAULT 1 + #define PAIRING_KEY_SLOT_INDEX_0 0 From 0eecfbfb3550dfcc8f281673056d84e67383f7f8 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Tue, 27 May 2025 21:28:59 +0200 Subject: [PATCH 21/31] ed25519 fixes --- wolfcrypt/src/port/tropicsquare/tropic01.c | 104 ++++++++++++------ .../wolfcrypt/port/tropicsquare/tropic01.h | 10 +- 2 files changed, 80 insertions(+), 34 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 0be403168..0a733fa57 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -98,8 +98,8 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) Tropic01_Deinit(); return WC_HW_E; } - lt_ecc_curve_type_t curve = 2; - ecc_key_origin_t origin = 2; + lt_ecc_curve_type_t curve = CURVE_ED25519; + ecc_key_origin_t origin = CURVE_GENERATED; ret = lt_ecc_key_read(&g_h, keySlot, pubkey, sz, &curve, &origin); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to read pub key, ret=%d", ret); @@ -114,14 +114,14 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) #endif /* - * Retrive the AES key from the secure memory of TROPIC01 + * Retrive the AES key from the secure R memory of TROPIC01 */ -static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) +static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) { lt_ret_t rett; - WOLFSSL_MSG_EX("TROPIC01: GetKey: Retrieving key from slot %d", keySlot); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Retrieving key from slot %d", keySlot); if (aes == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; @@ -129,7 +129,7 @@ static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: GetKey: Unsupported key size %u", keySz); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Unsupported key size %u", keySz); return BAD_FUNC_ARG; } @@ -137,16 +137,45 @@ static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz) rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); if(rett != LT_OK) { - WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", rett); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", rett); Tropic01_Deinit(); return WC_HW_E; } - WOLFSSL_MSG_EX("TROPIC01: GetKey: Key retrieved successfully"); + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Key retrieved successfully"); return 0; } +static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) +{ + + lt_ret_t rett; + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Retrieving key from slot %d", keySlot); + + if (ecckey == NULL || keySlot < 0 || keySlot >= 511) + return BAD_FUNC_ARG; + + + /* Check key size */ + if (keySz != 16 && keySz != 24 && keySz != 32) { + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Unsupported key size %u", keySz); + return BAD_FUNC_ARG; + } + + /* Retrieve key from TROPIC01 */ + + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)ecckey, keySz); + if(rett != LT_OK) { + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", rett); + Tropic01_Deinit(); + return WC_HW_E; + } + + + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Key retrieved successfully"); + return 0; +} /** * Crypto Callback function for TROPIC01 @@ -178,20 +207,22 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); - ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key, TROPIC01_ED25519_KEY_SLOT_DEFAULT, info->pk.ed25519kg.size); + ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key->p, TROPIC01_ED25519_ECC_SLOT_DEFAULT, info->pk.ed25519kg.size); } #ifdef HAVE_ED25519_SIGN else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); - ret = Tropic01_GetKey(info->pk.ed25519sign.key, TROPIC01_ED25519_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_MAX_KEY_SIZE); - if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); - return ret; - } + // retrieve private key from TROPIC01 secure R memory + ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->k, TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PRIV_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 sign, ret=%d", ret); + return ret; + } /* set devId to invalid, so software is used */ info->pk.ed25519sign.key->devId = INVALID_DEVID; + info->pk.ed25519sign.key->pubKeySet = 1; ret = wc_ed25519_sign_msg_ex( info->pk.ed25519sign.in, info->pk.ed25519sign.inLen, @@ -205,6 +236,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #endif #ifdef HAVE_ED25519_VERIFY else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { + WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); + // retrieve public key from TROPIC01 secure R memory + ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 verification, ret=%d", ret); + return ret; + } + /* set devId to invalid, so software is used */ info->pk.ed25519verify.key->devId = INVALID_DEVID; @@ -212,11 +251,10 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen, info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen, info->pk.ed25519verify.res, info->pk.ed25519verify.key, - info->pk.ed25519verify.type, info->pk.ed25519verify.context, - info->pk.ed25519verify.contextLen); + info->pk.ed25519verify.type, NULL, 0); /* reset devId */ - info->pk.ed25519verify.key->devId = devIdArg; + info->pk.ed25519verify.key->devId = devId; } #endif // HAVE_ ED25519_VERIFY #endif /* HAVE_ED25519 */ @@ -229,13 +267,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { if (info->cipher.enc) { - /* set devId to invalid, so software is used */ - info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); return ret; } + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_enc.aes->devId = INVALID_DEVID; ret = wc_AesGcmEncrypt( info->cipher.aesgcm_enc.aes, info->cipher.aesgcm_enc.out, @@ -252,13 +291,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aesgcm_enc.aes->devId = devId; } else { - /* set devId to invalid, so software is used */ - info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); return ret; } + /* set devId to invalid, so software is used */ + info->cipher.aesgcm_dec.aes->devId = INVALID_DEVID; ret = wc_AesGcmDecrypt( info->cipher.aesgcm_dec.aes, info->cipher.aesgcm_dec.out, @@ -279,13 +319,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { if (info->cipher.enc) { - /* set devId to invalid, so software is used */ - info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); return ret; } + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; ret = wc_AesCbcEncrypt( info->cipher.aescbc.aes, info->cipher.aescbc.out, @@ -296,13 +337,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aescbc.aes->devId = devId; } else { - /* set devId to invalid, so software is used */ - info->cipher.aescbc.aes->devId = INVALID_DEVID; - ret = Tropic01_GetKey(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); return ret; - } + } + /* set devId to invalid, so software is used */ + info->cipher.aescbc.aes->devId = INVALID_DEVID; ret = wc_AesCbcDecrypt( info->cipher.aescbc.aes, info->cipher.aescbc.out, @@ -324,7 +366,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) break; default: - //WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); break; } diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 83d8ade03..4f21e7515 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,10 +50,14 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_ED25519_MAX_KEY_SIZE 32 #define TROPIC01_AES_RMEM_SLOT_DEFAULT 1 -#define TROPIC01_ED25519_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_KEY_SLOT_DEFAULT 1 + +#define TROPIC01_ED25519_PRIV_KEY_SIZE 32 +#define TROPIC01_ED25519_PUB_KEY_SIZE 32 + +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 +#define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 From 296bfd258c7dc12c2c66810d4a50793c62430682 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Wed, 28 May 2025 19:01:12 +0200 Subject: [PATCH 22/31] README.md added --- wolfcrypt/src/port/tropicsquare/README.md | 225 +++++++++++++++++++++- 1 file changed, 215 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index 1b49864ac..6e9a72f30 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -1,20 +1,225 @@ -# tropic01 callbacks +# wolfSSL TROPIC01 Secure Element Integration Guide + +![wolfSSL+TROPIC01](https://img.shields.io/badge/wolfSSL-TROPIC01-blue) +Integration guide for using Tropic Square's TROPIC01 secure element with wolfSSL/wolfCrypt cryptography library. -## How to build: +## Table of Contents +- [wolfSSL TROPIC01 Secure Element Integration Guide](#wolfssl-tropic01-secure-element-integration-guide) + - [Table of Contents](#table-of-contents) + - [TROPIC01 Secure Element with an open architecture](#tropic01-secure-element-with-an-open-architecture) + - [Hardware Overview](#hardware-overview) + - [TROPIC01 Specifications](#tropic01-specifications) + - [Available Evaluation and Development Kits](#available-evaluation-and-development-kits) + - [Get samples](#get-samples) + - [Build Configuration](#build-configuration) + - [Pre-requirements](#pre-requirements) + - [Keys installation](#keys-installation) + - [Build TROPIC01 SDK (libtropic)](#build-tropic01-sdk-libtropic) + - [Build wolfSSL](#build-wolfssl) + - [Build test application](#build-test-application) -1. Build libtropic project with all dependencies for the targeted platfrom (for example, Raspberry Pi 3/4/5). Preferably all static targets must be built with -fPIC option -2. Goto wolfssl main folder -3. ./autogen.sh -4. ./configure --with-tropic01=/home/pi/git/libtropic --enable-cryptocb --enable-static --disable-crypttests --disable-examples --disable-shared -Note. Please replace '/home/pi/git/libtropic' with an absolute path to your libtropic folder if necessary -5. make -6. the built library should be in ./wolfssl/src/.libs/libwolfssl.a +## TROPIC01 Secure Element with an open architecture -## How to use: +The TROPIC01 secure element is built with tamper-proof technology and advanced attack countermeasures to ensure robust asset protection, securing electronic devices against a wide range of potential attacks. It securely supplies and stores the cryptographic keys of embedded solutions. +The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/application-note/AN12570.pdf) + +## Hardware Overview + +### TROPIC01 Specifications +- **Crypto Accelerators**: + - Elliptic curve cryptography + - Ed25519 EdDSA signing + - P-256 ECDSA signing + - Diffie-Hellman X25519 key exchange + - Keccak based PIN authentication engine +- **Tamper Resistance**: + - Voltage glitch detector + - Temperature detector + - Electromagnetic pulse detector + - Laser detector + - Active shield +- **Interface to Host MCU/MPU**: + - SPI + - Encrypted channel with forward secrecy +- **Entropy Source**: + - Physically Unclonable Function (PUF) + - True Random Number Generator (TRNG) + +### Available Evaluation and Development Kits +- USB Stick with TROPIC01 ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#usb-stick-with-tropic01)) +- Raspberry PI shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#rpi-shield-ts1501)) +- Arduino shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#arduino-shield-ts14)) + +### Get samples +To get samples and DevKits, please fill in [this form](https://tropicsquare.com/tropic01-samples#form) + +## Build Configuration + +### Pre-requirements +1. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross compiling toolchain (armv8-rpi3-linux-gnueabihf) +2. Install CMake and Autotools +3. Install Git client + + Some guideline for RPi is [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) + +Also, for Raspberry PI there are a few more steps: + +1. In raspi-config go to "Interface Options" and enable SPI +2. Install wiringPI: + +```sh +$ sudo apt update +$ sudo apt install wiringpi +``` + +### Keys installation + +For the integration with wolfSSL there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): +```sh +TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key +TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key +TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private key +TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys +PAIRING_KEY_SLOT_INDEX_0 0 //pairing keys slot +``` +All R-memory based keys must be pre-provisioned in the TROPIC01 Secure Element separately. For example, it might be done with libtropic-util tool available [here] (https://github.com/tropicsquare/libtropic-util) + +### Build TROPIC01 SDK (libtropic) + +wolfSSL uses the "TROPIC01 SDK" (aka libtropic) to interface with TROPIC01. This SDK can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/libtropic + +Once the repo was downloade, please follow [this guidline](https://github.com/tropicsquare/libtropic/blob/master/docs/index.md#integration-examples) on how to configure and build TROPIC01 SDK + +or simply run the following commands: +```sh + $ git clone https://github.com/tropicsquare/libtropic.git + $ cd libtropic + $ mkdir build && cd build + $ cmake -DLT_USE_TREZOR_CRYPTO=1 .. + $ make +``` + +### Build wolfSSL +To compile wolfSSL with TROPIC01 support using Autoconf/configure: +```sh +$ cd wolfssl +$ ./autogen.sh +$ ./configure --with-tropic01=PATH --enable-cryptocb --enable-static --disable-crypttests --disable-examples --disable-shared --enable-ed25519 +$ make +$ sudo make install +``` +where PATH is an absolute path to the libtropic folder, for example + + --with-tropic01=/home/pi/git/libtropic + +for the debugging output, add + + --enable-debug + +### Build test application + +The test application for Raspberry Shield and USB stick can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/tropic01-wolfssl-test + +To build and run the test application, please run the next commands + +```sh +$ git clone git@github.com:tropicsquare/tropic01-wolfssl-test.git +$ cd tropic01-wolfssl-test +``` +if necesary open and edit Makefile in this folder + +set correct values for CC and LIBTROPIC_DIR variables, for example: + + CC = gcc + + LIBTROPIC_DIR = /home/pi/git/libtropic + +then run the following commands to build and run test application for USB stick: + +```sh +$ make +$ ./lt-wolfssl-test +``` +or for Raspberry PI shield (make sure you fulfield all prerequirements first): +```sh +$ make RPI_SPI =1 +$ ./lt-wolfssl-test +``` + +In case of success the output of the test application should look like this: + +```sh +wolfSSL Crypto Callback Test Application +======================================== +wolfSSL Entering wolfCrypt_Init +TROPIC01: Crypto device initialized successfully +wolfCrypt initialized successfully +Registering crypto callback with device ID 481111... +Crypto callback registered successfully +RNG_HEALTH_TEST_CHECK_SIZE = 128 +sizeof(seedB_data) = 128 +TROPIC01: CryptoCB: SEED generation request (52 bytes) +TROPIC01: GetRandom: Requesting 52 bytes +TROPIC01: GetRandom: Completed with ret=0 +TROPIC01: CryptoCB: RNG generation request (32 bytes) +TROPIC01: GetRandom: Requesting 32 bytes +TROPIC01: GetRandom: Completed with ret=0 +Generated 32 random bytes: +94F589E8 9C59B5A2 C8426FB6 9C548623 +358551CE 07238D37 EBF7FEE5 42BEB299 + +RNG test completed successfully + +AES test starting: +TROPIC01: CryptoCB: AES request +TROPIC01: Get AES Key: Retrieving key from slot 1 +TROPIC01: Get AES Key: Key retrieved successfully +Plain message: +01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 +Encrypted message: +89 44 11 3E 2E 07 52 9C CB 5F B1 70 7E 9C 42 D6 +AES test completed successfully + +ED25519 COMPREHENSIVE TESTING SUITE + +=== Ed25519 Key Generation Test === +✓ Ed25519 key structure initialized successfully +TROPIC01: CryptoCB: RNG generation request (32 bytes) +TROPIC01: GetRandom: Requesting 32 bytes +TROPIC01: GetRandom: Completed with ret=0 +✓ Ed25519 key pair generated successfully +Generated Public Key (32 bytes): +5D28BB98 AF86844E 5C2D48B6 473EA116 +0A98B568 3313915D 1565C540 AA3EB250 +✓ Ed25519 key generation test completed successfully + +=== Ed25519 Message Signing Test === +DEV_ID: 481111 +TROPIC01: CryptoCB: RNG generation request (64 bytes) +TROPIC01: GetRandom: Requesting 64 bytes +TROPIC01: GetRandom: Completed with ret=0 +Test Message (64 bytes): +000CD9C2 0FA2E218 67737744 4550F217 +5082408B 9F21F92B 06A570C4 C18AA073 +1B23836F 1CDC760B 7242F8A7 83B8EC9A +BF9E6D84 2E605AA1 0A168E88 FDEF38DA +TROPIC01: CryptoCB: ED25519 signing request +TROPIC01: Get ECC Key: Retrieving key from slot 3 +TROPIC01: Get ECC Key: Key retrieved successfully +✓ Message signed successfully +Signature length: 64 bytes +Generated Signature (64 bytes): +AE4B42CF 46F8F369 4F559390 0EDDA701 +A73A562B 3D03F429 8706309D 63E2120B +82B2A91F 6D7A7519 0CD62215 CABE3183 +433F4125 2CC017EB BD1E59A1 4A22CC09 +✓ Ed25519 message signing test completed successfully +wolfSSL Entering wolfCrypt_Cleanup +``` From 2f210b3907ab377521f25b951c7e721ff50ab1aa Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Thu, 29 May 2025 12:25:12 +0200 Subject: [PATCH 23/31] Refactor TROPIC01 integration: update README, enhance pairing key handling, and improve error messages --- configure.ac | 10 ++-- wolfcrypt/src/port/tropicsquare/README.md | 42 +++++++++------- wolfcrypt/src/port/tropicsquare/tropic01.c | 50 +++++++++++++------ .../wolfcrypt/port/tropicsquare/tropic01.h | 3 +- 4 files changed, 66 insertions(+), 39 deletions(-) diff --git a/configure.ac b/configure.ac index 17a038c15..1181ccb2b 100644 --- a/configure.ac +++ b/configure.ac @@ -2857,24 +2857,24 @@ trylibtropicdir="" AC_ARG_WITH([tropic01], [AS_HELP_STRING([--with-tropic01=PATH],[PATH to install (default /usr/)])], [ - AC_MSG_CHECKING([for tropic01]) + AC_MSG_CHECKING([for libtropic]) if test "x$withval" != "xno" ; then trylibtropicdir=$withval - AC_MSG_NOTICE([Use provided PATH]) + # AC_MSG_NOTICE([Use provided PATH]) fi if test "x$withval" = "xyes" ; then trylibtropicdir="libtropic" - AC_MSG_NOTICE([Use default PATH]) + # AC_MSG_NOTICE([Use default PATH]) fi if test -e $trylibtropicdir/build/libtropic.a then LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a" LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include" - AC_MSG_NOTICE([TropicSquare library is available]) + # AC_MSG_NOTICE([TropicSquare library is available]) else ENABLED_TROPIC01="no" - AC_MSG_ERROR([Could not find TropicSquare library]) + AC_MSG_ERROR([Could not find libtropic - TropicSquare library]) fi enable_shared=no enable_static=yes diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index 6e9a72f30..c97288217 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -33,7 +33,7 @@ The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/ - Ed25519 EdDSA signing - P-256 ECDSA signing - Diffie-Hellman X25519 key exchange - - Keccak based PIN authentication engine + - Keccak-based PIN authentication engine - **Tamper Resistance**: - Voltage glitch detector - Temperature detector @@ -58,13 +58,14 @@ To get samples and DevKits, please fill in [this form](https://tropicsquare.com/ ## Build Configuration ### Pre-requirements -1. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross compiling toolchain (armv8-rpi3-linux-gnueabihf) -2. Install CMake and Autotools -3. Install Git client +1. Get one of the targeted hardware platforms. For example, Linux PC + TROPIC01 USB stick or Raspberry PI 3/4/5 + TROPIC01 RPI shield +2. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross-compiling toolchain (armv8-rpi3-linux-gnueabihf) +3. Install CMake and Autotools +4. Install Git - Some guideline for RPi is [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) + Some guidelines for RPi are available [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) -Also, for Raspberry PI there are a few more steps: +Also, for Raspberry PI, there are a few more steps: 1. In raspi-config go to "Interface Options" and enable SPI 2. Install wiringPI: @@ -76,7 +77,7 @@ $ sudo apt install wiringpi ### Keys installation -For the integration with wolfSSL there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): +For the integration with wolfSSL, there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): ```sh TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key @@ -84,15 +85,15 @@ TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys PAIRING_KEY_SLOT_INDEX_0 0 //pairing keys slot ``` -All R-memory based keys must be pre-provisioned in the TROPIC01 Secure Element separately. For example, it might be done with libtropic-util tool available [here] (https://github.com/tropicsquare/libtropic-util) +All R-memory based keys must be pre-provisioned in the TROPIC01 Secure Element separately. For example, it might be done with the libtropic-util tool available [here] (https://github.com/tropicsquare/libtropic-util) ### Build TROPIC01 SDK (libtropic) wolfSSL uses the "TROPIC01 SDK" (aka libtropic) to interface with TROPIC01. This SDK can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/libtropic -Once the repo was downloade, please follow [this guidline](https://github.com/tropicsquare/libtropic/blob/master/docs/index.md#integration-examples) on how to configure and build TROPIC01 SDK +Once the repo was downloaded, please follow [this guideline](https://github.com/tropicsquare/libtropic/blob/master/docs/index.md#integration-examples) on how to configure and build TROPIC01 SDK -or simply run the following commands: +Or run the following commands: ```sh $ git clone https://github.com/tropicsquare/libtropic.git $ cd libtropic @@ -102,7 +103,12 @@ or simply run the following commands: ``` ### Build wolfSSL -To compile wolfSSL with TROPIC01 support using Autoconf/configure: +1. Clone wolfSSL from the wolfSSL GitHub (https://github.com/wolfSSL/wolfssl) + +2. Make sure that the version of wolfSSL supports TROPIC01 - check if the folder wolfssl/wolfcrypt/src/port/tropicsquare exists + +3. To compile wolfSSL with TROPIC01 support using Autoconf/configure: + ```sh $ cd wolfssl $ ./autogen.sh @@ -114,7 +120,7 @@ where PATH is an absolute path to the libtropic folder, for example --with-tropic01=/home/pi/git/libtropic -for the debugging output, add +For the debugging output, add --enable-debug @@ -122,27 +128,27 @@ for the debugging output, add The test application for Raspberry Shield and USB stick can be cloned from the TropicSquare GitHub https://github.com/tropicsquare/tropic01-wolfssl-test -To build and run the test application, please run the next commands +To build and run the test application, please run the following commands ```sh $ git clone git@github.com:tropicsquare/tropic01-wolfssl-test.git $ cd tropic01-wolfssl-test ``` -if necesary open and edit Makefile in this folder +If necessary, open and edit the Makefile in this folder -set correct values for CC and LIBTROPIC_DIR variables, for example: +Set correct values for CC and LIBTROPIC_DIR variables, for example: CC = gcc LIBTROPIC_DIR = /home/pi/git/libtropic -then run the following commands to build and run test application for USB stick: +Then run the following commands to build and run the test application for the USB stick: ```sh $ make $ ./lt-wolfssl-test ``` -or for Raspberry PI shield (make sure you fulfield all prerequirements first): +or for Raspberry PI shield (make sure you fulfill all prerequisites first): ```sh @@ -150,7 +156,7 @@ $ make RPI_SPI =1 $ ./lt-wolfssl-test ``` -In case of success the output of the test application should look like this: +In case of success, the output of the test application should look like this: ```sh wolfSSL Crypto Callback Test Application diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 0a733fa57..dcae3caf5 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -36,11 +36,11 @@ static Tropic01CryptoDevCtx g_ctx = {0}; static lt_handle_t g_h; -// Default factory pairing keys +// Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them) byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; - // Engineering samples 01 keys: -byte sh0priv[] = {0xd0,0x99,0x92,0xb1,0xf1,0x7a,0xbc,0x4d,0xb9,0x37,0x17,0x68,0xa2,0x7d,0xa0,0x5b,0x18,0xfa,0xb8,0x56,0x13,0xa7,0x84,0x2c,0xa6,0x4c,0x79,0x10,0xf2,0x2e,0x71,0x6b}; -byte sh0pub[] = {0xe7,0xf7,0x35,0xba,0x19,0xa3,0x3f,0xd6,0x73,0x23,0xab,0x37,0x26,0x2d,0xe5,0x36,0x08,0xca,0x57,0x85,0x76,0x53,0x43,0x52,0xe1,0x8f,0x64,0xe6,0x13,0xd3,0x8d,0x54}; +byte sh0priv[32] = {0}; +byte sh0pub[32] = {0}; + /* * TROPIC01 hardware RNG implementation */ @@ -57,7 +57,6 @@ static int Tropic01_GetRandom(byte* out, word32 sz) /* Call TROPIC01 TRNG API to get random data */ - ret = lt_random_get(&g_h, out, sz); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); @@ -66,16 +65,13 @@ static int Tropic01_GetRandom(byte* out, word32 sz) } WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); - /* - for (word32 i = 0; i < sz; i++) { - WOLFSSL_MSG_EX("TROPIC01: GetRandom: out[%d] = 0x%02x", i, out[i]); - } - */ return 0; } #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) - +/* + * TROPIC01 ECC keys generation implementation + */ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) { lt_ret_t ret = 0; @@ -147,6 +143,9 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) return 0; } +/* + * Retrive the ECC key from the secure R memory of TROPIC01 + */ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) { @@ -261,8 +260,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); - //ret = Tropic01_StoreKey(NULL, NULL, 32); - //ret = Tropic01_GetKey(NULL, NULL, TROPIC01_AES_MAX_KEY_SIZE, tropicCtx); + #if !defined(NO_AES) || !defined(NO_DES3) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { @@ -354,24 +352,48 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->cipher.aescbc.aes->devId = devId; } + /* for (int i = 0; i < info->cipher.aescbc.aes->keylen; i++) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: aes->key[%d] = 0x%02x", i, info->cipher.aescbc.aes->key[i]); } for (word32 i = 0; i < info->cipher.aescbc.sz; i++) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: out[%d] = 0x%02x", i, info->cipher.aescbc.out[i]); } + */ } #endif /* HAVE_AES_CBC */ #endif /* !NO_AES || !NO_DES3 */ break; default: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + // WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); break; } return ret; } +/* Set TROPIC01 pairing keys */ +int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv) +{ + + if (keyPub == NULL || keyPriv == NULL || keyIndex < 0 || keyIndex > 3) { + WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Invalid arguments"); + return BAD_FUNC_ARG; + } + + WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Setting pairing key in slot %d", keyIndex); + + for (int i = 0; i < 32; i++) { + + sh0priv[i] = keyPriv[i]; + sh0pub[i] = keyPub[i]; + } + + WOLFSSL_MSG("TROPIC01: SetPairingKeys: Pairing key set successfully"); + WOLFSSL_MSG_EX("TROPIC01: sh0priv: %02X %02X %02X %02X ...", keyPriv[0], keyPriv[1], keyPriv[2], keyPriv[3]); + WOLFSSL_MSG_EX("TROPIC01: sh0pub: %02X %02X %02X %02X ...", keyPub[0], keyPub[1], keyPub[2], keyPub[3]); + return 0; +} int Tropic01_Init() { diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 4f21e7515..58db30817 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -79,10 +79,9 @@ typedef struct { int Tropic01_Init(void); int Tropic01_Deinit(void); +int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv); int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); -//static int Tropic01_GetRandom(byte* out, word32 sz, Tropic01CryptoDevCtx* ctx); -//static int Tropic01_GetKey(Aes* aes, int keySlot, word32 keySz, Tropic01CryptoDevCtx* ctx); #endif /* WOLF_CRYPTO_CB */ From 375af753aac654fdcb0f87592943196a450a5e05 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Fri, 30 May 2025 11:21:28 +0200 Subject: [PATCH 24/31] Changes for the PR https://github.com/wolfSSL/wolfssl/pull/8812 --- wolfcrypt/src/include.am | 1 + wolfcrypt/src/port/tropicsquare/tropic01.c | 22 ++++++++++--------- .../wolfcrypt/port/tropicsquare/tropic01.h | 1 + 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/include.am b/wolfcrypt/src/include.am index f1bfd526a..7d44a3663 100644 --- a/wolfcrypt/src/include.am +++ b/wolfcrypt/src/include.am @@ -106,6 +106,7 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \ wolfcrypt/src/port/st/STM32MP13.md \ wolfcrypt/src/port/st/STM32MP25.md \ wolfcrypt/src/port/tropicsquare/tropic01.c \ + wolfcrypt/src/port/tropicsquare/README.md \ wolfcrypt/src/port/af_alg/afalg_aes.c \ wolfcrypt/src/port/af_alg/afalg_hash.c \ wolfcrypt/src/port/kcapi/kcapi_aes.c \ diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index dcae3caf5..88ff521a5 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -19,6 +19,7 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA * */ +#ifdef WOLFSSL_TROPIC01 #ifdef HAVE_CONFIG_H #include @@ -36,10 +37,10 @@ static Tropic01CryptoDevCtx g_ctx = {0}; static lt_handle_t g_h; -// Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them) -byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; -byte sh0priv[32] = {0}; -byte sh0pub[32] = {0}; +/* Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them)*/ +static byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; +static byte sh0priv[32] = {0}; +static byte sh0pub[32] = {0}; /* * TROPIC01 hardware RNG implementation @@ -187,7 +188,6 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) if (info == NULL) return BAD_FUNC_ARG; (void)ctx; - // (void)devId; if (g_ctx.initialized == 0) { WOLFSSL_MSG("TROPIC01: CryptoCB: Device not initialized"); @@ -213,7 +213,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); - // retrieve private key from TROPIC01 secure R memory + /* retrieve private key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->k, TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PRIV_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 sign, ret=%d", ret); @@ -236,7 +236,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_ED25519_VERIFY else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); - // retrieve public key from TROPIC01 secure R memory + /* retrieve public key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 verification, ret=%d", ret); @@ -255,7 +255,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519verify.key->devId = devId; } - #endif // HAVE_ ED25519_VERIFY + #endif /* HAVE_ ED25519_VERIFY */ #endif /* HAVE_ED25519 */ break; case WC_ALGO_TYPE_CIPHER: @@ -366,7 +366,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) break; default: - // WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Unsupported algorithm type %d", info->algo_type); + break; } @@ -383,7 +383,7 @@ int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPri WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Setting pairing key in slot %d", keyIndex); - for (int i = 0; i < 32; i++) { + for (int i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { sh0priv[i] = keyPriv[i]; sh0pub[i] = keyPub[i]; @@ -433,3 +433,5 @@ int Tropic01_Deinit() return 0; } + +#endif /* WOLFSSL_TROPIC01 */ diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 58db30817..7f0cf1afd 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -60,6 +60,7 @@ #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 +#define TROPIC01_PAIRING_KEY_SIZE 32 From 5696582adde13e986df5d2a059f35489171ebe0a Mon Sep 17 00:00:00 2001 From: kosmax871 Date: Thu, 29 May 2025 12:43:52 +0200 Subject: [PATCH 25/31] Update README.md --- wolfcrypt/src/port/tropicsquare/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index c97288217..35f944065 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -152,7 +152,7 @@ or for Raspberry PI shield (make sure you fulfill all prerequisites first): ```sh -$ make RPI_SPI =1 +$ make RPI_SPI=1 $ ./lt-wolfssl-test ``` From 172728bf7f5e520c726f9203ceb14c694b4476a2 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 2 Jun 2025 20:12:41 +0200 Subject: [PATCH 26/31] Refactor Tropic01 interface: clean up code formatting and improve function declarations --- configure.ac | 15 +- wolfcrypt/src/port/tropicsquare/tropic01.c | 228 +++++++++++------- .../wolfcrypt/port/tropicsquare/tropic01.h | 13 +- 3 files changed, 154 insertions(+), 102 deletions(-) diff --git a/configure.ac b/configure.ac index 1181ccb2b..96c9ac49c 100644 --- a/configure.ac +++ b/configure.ac @@ -2860,27 +2860,24 @@ AC_ARG_WITH([tropic01], AC_MSG_CHECKING([for libtropic]) if test "x$withval" != "xno" ; then trylibtropicdir=$withval - # AC_MSG_NOTICE([Use provided PATH]) fi if test "x$withval" = "xyes" ; then - trylibtropicdir="libtropic" - # AC_MSG_NOTICE([Use default PATH]) + trylibtropicdir="libtropic" fi if test -e $trylibtropicdir/build/libtropic.a then LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/libtropic.a" - LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" + LIB_STATIC_ADD="$LIB_STATIC_ADD $trylibtropicdir/build/trezor_crypto/libtrezor_crypto.a" AM_CFLAGS="$AM_CFLAGS -I$trylibtropicdir/include" - # AC_MSG_NOTICE([TropicSquare library is available]) else ENABLED_TROPIC01="no" - AC_MSG_ERROR([Could not find libtropic - TropicSquare library]) + AC_MSG_ERROR([Could not find libtropic - TropicSquare library]) fi - enable_shared=no + enable_shared=no enable_static=yes ENABLED_TROPIC01="yes" - AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" - AC_MSG_RESULT([yes]) + AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_TROPIC01" + AC_MSG_RESULT([yes]) ] ) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 88ff521a5..460d78ecf 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -19,12 +19,13 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA * */ -#ifdef WOLFSSL_TROPIC01 #ifdef HAVE_CONFIG_H #include #endif +#ifdef WOLFSSL_TROPIC01 + #include #include #include @@ -38,7 +39,7 @@ static Tropic01CryptoDevCtx g_ctx = {0}; static lt_handle_t g_h; /* Pairing keys for TROPIC01 (use Tropic01_SetPairingKeys() to set them)*/ -static byte pkey_index_0 = PAIRING_KEY_SLOT_INDEX_0; +static byte pk_index = PAIRING_KEY_SLOT_INDEX_0; static byte sh0priv[32] = {0}; static byte sh0pub[32] = {0}; @@ -48,23 +49,21 @@ static byte sh0pub[32] = {0}; static int Tropic01_GetRandom(byte* out, word32 sz) { int ret = 0; - - WOLFSSL_MSG_EX("TROPIC01: GetRandom: Requesting %u bytes", sz); - + if (out == NULL || sz == 0) return BAD_FUNC_ARG; - - + + /* Call TROPIC01 TRNG API to get random data */ - + ret = lt_random_get(&g_h, out, sz); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); Tropic01_Deinit(); return WC_HW_E; } - + WOLFSSL_MSG_EX("TROPIC01: GetRandom: Completed with ret=%d", ret); return 0; } @@ -76,19 +75,19 @@ static int Tropic01_GetRandom(byte* out, word32 sz) static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) { lt_ret_t ret = 0; - + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Requesting %u bytes", sz); - + if (pubkey == NULL || sz != 32) return BAD_FUNC_ARG; - + ret = lt_ecc_key_erase(&g_h, keySlot); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to erase key, ret=%d", ret); Tropic01_Deinit(); return WC_HW_E; } - + ret = lt_ecc_key_generate(&g_h, keySlot, CURVE_ED25519); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to generate key, ret=%d", ret); @@ -103,76 +102,94 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) Tropic01_Deinit(); return WC_HW_E; } - + WOLFSSL_MSG_EX("TROPIC01: GenerateKeyED25519: Completed with ret=%d", ret); - + return 0; } #endif /* - * Retrive the AES key from the secure R memory of TROPIC01 + * Retrive the AES key from the secure R memory of TROPIC01 */ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) { lt_ret_t rett; - WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Retrieving key from slot %d", keySlot); - + WOLFSSL_MSG_EX( + "TROPIC01: Get AES Key: Retrieving key from slot %d", + keySlot + ); + if (aes == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; - - + + /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Unsupported key size %u", keySz); + WOLFSSL_MSG_EX( + "TROPIC01: Get AES Key: Unsupported key size %u", + keySz + ); return BAD_FUNC_ARG; } - + /* Retrieve key from TROPIC01 */ - + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); if(rett != LT_OK) { - WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", rett); + WOLFSSL_MSG_EX( + "TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", + rett + ); Tropic01_Deinit(); return WC_HW_E; } - - + + WOLFSSL_MSG_EX("TROPIC01: Get AES Key: Key retrieved successfully"); return 0; } /* - * Retrive the ECC key from the secure R memory of TROPIC01 + * Retrive the ECC key from the secure R memory of TROPIC01 */ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) { lt_ret_t rett; - WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Retrieving key from slot %d", keySlot); - + WOLFSSL_MSG_EX( + "TROPIC01: Get ECC Key: Retrieving key from slot %d", + keySlot + ); + if (ecckey == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; - - + + /* Check key size */ if (keySz != 16 && keySz != 24 && keySz != 32) { - WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Unsupported key size %u", keySz); + WOLFSSL_MSG_EX( + "TROPIC01: Get ECC Key: Unsupported key size %u", + keySz + ); return BAD_FUNC_ARG; } - + /* Retrieve key from TROPIC01 */ - + rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)ecckey, keySz); if(rett != LT_OK) { - WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", rett); + WOLFSSL_MSG_EX( + "TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", + rett + ); Tropic01_Deinit(); return WC_HW_E; } - - + + WOLFSSL_MSG_EX("TROPIC01: Get ECC Key: Key retrieved successfully"); return 0; } @@ -184,7 +201,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) { int ret = CRYPTOCB_UNAVAILABLE; - + if (info == NULL) return BAD_FUNC_ARG; (void)ctx; @@ -195,28 +212,42 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } switch (info->algo_type) { case WC_ALGO_TYPE_RNG: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: RNG generation request (%u bytes)", info->rng.sz); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: RNG generation request (%u bytes)", + info->rng.sz + ); ret = Tropic01_GetRandom(info->rng.out, info->rng.sz); break; case WC_ALGO_TYPE_SEED: - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: SEED generation request (%u bytes)", info->seed.sz); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: SEED generation request (%u bytes)", + info->seed.sz + ); ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); - break; + break; case WC_ALGO_TYPE_PK: #if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); - ret = Tropic01_GenerateKeyED25519(info->pk.ed25519kg.key->p, TROPIC01_ED25519_ECC_SLOT_DEFAULT, info->pk.ed25519kg.size); - + ret = Tropic01_GenerateKeyED25519( + info->pk.ed25519kg.key->p, + TROPIC01_ED25519_ECC_SLOT_DEFAULT, + info->pk.ed25519kg.size); + } #ifdef HAVE_ED25519_SIGN else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); /* retrieve private key from TROPIC01 secure R memory */ - ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->k, TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PRIV_KEY_SIZE); + ret = Tropic01_GetKeyECC( + info->pk.ed25519sign.key->k, + TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT, + TROPIC01_ED25519_PRIV_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 sign, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get ED25519 key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -237,9 +268,14 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); /* retrieve public key from TROPIC01 secure R memory */ - ret = Tropic01_GetKeyECC(info->pk.ed25519sign.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); + ret = Tropic01_GetKeyECC( + info->pk.ed25519sign.key->p, + TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, + TROPIC01_ED25519_PUB_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get ECC key for ED25519 verification, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get ED25519 key, ret=%d", + ret); return ret; } @@ -255,20 +291,25 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519verify.key->devId = devId; } - #endif /* HAVE_ ED25519_VERIFY */ + #endif /* HAVE_ED25519_VERIFY */ #endif /* HAVE_ED25519 */ break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); - + #if !defined(NO_AES) || !defined(NO_DES3) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES(info->cipher.aesgcm_enc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aesgcm_enc.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM encryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -289,10 +330,15 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aesgcm_enc.aes->devId = devId; } else { - - ret = Tropic01_GetKeyAES(info->cipher.aesgcm_dec.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aesgcm_dec.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-GCM decryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -317,10 +363,15 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aescbc.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC encryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -335,14 +386,19 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) info->cipher.aescbc.aes->devId = devId; } else { - - ret = Tropic01_GetKeyAES(info->cipher.aescbc.aes, TROPIC01_AES_RMEM_SLOT_DEFAULT, TROPIC01_AES_MAX_KEY_SIZE); + + ret = Tropic01_GetKeyAES( + info->cipher.aescbc.aes, + TROPIC01_AES_RMEM_SLOT_DEFAULT, + TROPIC01_AES_MAX_KEY_SIZE); if (ret != 0) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: Failed to get key for AES-CBC decryption, ret=%d", ret); + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ - info->cipher.aescbc.aes->devId = INVALID_DEVID; + info->cipher.aescbc.aes->devId = INVALID_DEVID; ret = wc_AesCbcDecrypt( info->cipher.aescbc.aes, info->cipher.aescbc.out, @@ -352,50 +408,48 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->cipher.aescbc.aes->devId = devId; } - /* - for (int i = 0; i < info->cipher.aescbc.aes->keylen; i++) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: aes->key[%d] = 0x%02x", i, info->cipher.aescbc.aes->key[i]); - } - for (word32 i = 0; i < info->cipher.aescbc.sz; i++) { - WOLFSSL_MSG_EX("TROPIC01: CryptoCB: out[%d] = 0x%02x", i, info->cipher.aescbc.out[i]); - } - */ } #endif /* HAVE_AES_CBC */ -#endif /* !NO_AES || !NO_DES3 */ +#endif /* !NO_AES || !NO_DES3 */ break; - + default: - + break; } return ret; } /* Set TROPIC01 pairing keys */ -int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv) +int Tropic01_SetPairingKeys(int kIndex, const byte* kPub, const byte* kPriv) { - - if (keyPub == NULL || keyPriv == NULL || keyIndex < 0 || keyIndex > 3) { + + if (kPub == NULL || kPriv == NULL || kIndex < 0 || kIndex > 3) { WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Invalid arguments"); return BAD_FUNC_ARG; } - WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Setting pairing key in slot %d", keyIndex); + WOLFSSL_MSG_EX( + "TROPIC01: SetPairingKeys: Setting pairing key in slot %d", + kIndex); for (int i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { - - sh0priv[i] = keyPriv[i]; - sh0pub[i] = keyPub[i]; + + sh0priv[i] = kPriv[i]; + sh0pub[i] = kPub[i]; } WOLFSSL_MSG("TROPIC01: SetPairingKeys: Pairing key set successfully"); - WOLFSSL_MSG_EX("TROPIC01: sh0priv: %02X %02X %02X %02X ...", keyPriv[0], keyPriv[1], keyPriv[2], keyPriv[3]); - WOLFSSL_MSG_EX("TROPIC01: sh0pub: %02X %02X %02X %02X ...", keyPub[0], keyPub[1], keyPub[2], keyPub[3]); + WOLFSSL_MSG_EX( + "TROPIC01: sh0priv: %02X %02X %02X %02X ...", + kPriv[0], kPriv[1], kPriv[2], kPriv[3]); + WOLFSSL_MSG_EX( + "TROPIC01: sh0pub: %02X %02X %02X %02X ...", + kPub[0], kPub[1], kPub[2], kPub[3]); return 0; } -int Tropic01_Init() +int Tropic01_Init(void) { lt_ret_t ret; @@ -405,7 +459,7 @@ int Tropic01_Init() WOLFSSL_MSG_EX("TROPIC01: lt_init failed with a code %d", ret); return WC_HW_E; } - ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pkey_index_0); + ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pk_index); if(ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: secure session failed with a code %d", ret); lt_deinit(&g_h); @@ -413,11 +467,11 @@ int Tropic01_Init() } g_ctx.initialized = 1; WOLFSSL_MSG("TROPIC01: Crypto device initialized successfully"); - + return 0; } -int Tropic01_Deinit() +int Tropic01_Deinit(void) { lt_ret_t ret; diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index 7f0cf1afd..b8410d99e 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -55,8 +55,8 @@ #define TROPIC01_ED25519_PRIV_KEY_SIZE 32 #define TROPIC01_ED25519_PUB_KEY_SIZE 32 -#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 @@ -78,10 +78,11 @@ typedef struct { } Tropic01CryptoDevCtx; -int Tropic01_Init(void); -int Tropic01_Deinit(void); -int Tropic01_SetPairingKeys(int keyIndex, const byte* keyPub, const byte* keyPriv); -int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); +WOLFSSL_API int Tropic01_Init(void); +WOLFSSL_API int Tropic01_Deinit(void); +WOLFSSL_API int Tropic01_SetPairingKeys( + int kIndex, const byte* kPub, const byte* kPriv); +WOLFSSL_API int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx); #endif /* WOLF_CRYPTO_CB */ From 3b198babe38771cb3bcb3b0c3760e2b4d80c06c0 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Fri, 6 Jun 2025 19:46:27 +0200 Subject: [PATCH 27/31] Add Tropic01_Deinit call in wolfCrypt_Cleanup for proper resource management --- wolfcrypt/src/port/tropicsquare/tropic01.c | 49 ++++++++++------------ wolfcrypt/src/wc_port.c | 3 ++ 2 files changed, 26 insertions(+), 26 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index 460d78ecf..bb854f667 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -24,10 +24,11 @@ #include #endif +#include + #ifdef WOLFSSL_TROPIC01 #include -#include #include #include #include @@ -60,7 +61,6 @@ static int Tropic01_GetRandom(byte* out, word32 sz) ret = lt_random_get(&g_h, out, sz); if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to retrieve key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } @@ -82,24 +82,21 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) return BAD_FUNC_ARG; ret = lt_ecc_key_erase(&g_h, keySlot); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to erase key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } ret = lt_ecc_key_generate(&g_h, keySlot, CURVE_ED25519); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to generate key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } lt_ecc_curve_type_t curve = CURVE_ED25519; ecc_key_origin_t origin = CURVE_GENERATED; ret = lt_ecc_key_read(&g_h, keySlot, pubkey, sz, &curve, &origin); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: GetKey: Failed to read pub key, ret=%d", ret); - Tropic01_Deinit(); return WC_HW_E; } @@ -138,12 +135,11 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) /* Retrieve key from TROPIC01 */ rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); - if(rett != LT_OK) { + if (rett != LT_OK) { WOLFSSL_MSG_EX( "TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", rett ); - Tropic01_Deinit(); return WC_HW_E; } @@ -180,12 +176,11 @@ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) /* Retrieve key from TROPIC01 */ rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)ecckey, keySz); - if(rett != LT_OK) { + if (rett != LT_OK) { WOLFSSL_MSG_EX( "TROPIC01: Get ECC Key: Failed to retrieve key, ret=%d", rett ); - Tropic01_Deinit(); return WC_HW_E; } @@ -226,17 +221,18 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) ret = Tropic01_GetRandom(info->seed.seed, info->seed.sz); break; case WC_ALGO_TYPE_PK: -#if defined(HAVE_ED25519) && defined(HAVE_ED25519_MAKE_KEY) +#ifdef HAVE_ED25519 + #ifdef HAVE_ED25519_MAKE_KEY if (info->pk.type == WC_PK_TYPE_ED25519_KEYGEN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 key generation request"); ret = Tropic01_GenerateKeyED25519( info->pk.ed25519kg.key->p, TROPIC01_ED25519_ECC_SLOT_DEFAULT, info->pk.ed25519kg.size); - } - #ifdef HAVE_ED25519_SIGN - else if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { + #endif /* HAVE_ED25519_MAKE_KEY */ + #ifdef HAVE_ED25519_SIGN + if (info->pk.type == WC_PK_TYPE_ED25519_SIGN) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 signing request"); /* retrieve private key from TROPIC01 secure R memory */ @@ -263,9 +259,9 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519sign.key->devId = devId; } - #endif - #ifdef HAVE_ED25519_VERIFY - else if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { + #endif /* HAVE_ED25519_SIGN */ + #ifdef HAVE_ED25519_VERIFY + if (info->pk.type == WC_PK_TYPE_ED25519_VERIFY) { WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); /* retrieve public key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC( @@ -291,13 +287,13 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* reset devId */ info->pk.ed25519verify.key->devId = devId; } - #endif /* HAVE_ED25519_VERIFY */ + #endif /* HAVE_ED25519_VERIFY */ #endif /* HAVE_ED25519 */ break; case WC_ALGO_TYPE_CIPHER: WOLFSSL_MSG("TROPIC01: CryptoCB: AES request "); -#if !defined(NO_AES) || !defined(NO_DES3) +#if !defined(NO_AES) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { if (info->cipher.enc) { @@ -410,7 +406,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } } #endif /* HAVE_AES_CBC */ -#endif /* !NO_AES || !NO_DES3 */ +#endif /* !NO_AES */ break; default: @@ -423,6 +419,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* Set TROPIC01 pairing keys */ int Tropic01_SetPairingKeys(int kIndex, const byte* kPub, const byte* kPriv) { + int i; if (kPub == NULL || kPriv == NULL || kIndex < 0 || kIndex > 3) { WOLFSSL_MSG_EX("TROPIC01: SetPairingKeys: Invalid arguments"); @@ -433,7 +430,7 @@ int Tropic01_SetPairingKeys(int kIndex, const byte* kPub, const byte* kPriv) "TROPIC01: SetPairingKeys: Setting pairing key in slot %d", kIndex); - for (int i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { + for (i = 0; i < TROPIC01_PAIRING_KEY_SIZE; i++) { sh0priv[i] = kPriv[i]; sh0pub[i] = kPub[i]; @@ -455,12 +452,12 @@ int Tropic01_Init(void) g_ctx.initialized = 0; ret = lt_init(&g_h); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: lt_init failed with a code %d", ret); return WC_HW_E; } ret = verify_chip_and_start_secure_session(&g_h, sh0priv, sh0pub, pk_index); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: secure session failed with a code %d", ret); lt_deinit(&g_h); return WC_HW_E; @@ -477,7 +474,7 @@ int Tropic01_Deinit(void) if (g_ctx.initialized) { ret = lt_deinit(&g_h); - if(ret != LT_OK) { + if (ret != LT_OK) { WOLFSSL_MSG_EX("TROPIC01: lt_deinit failed with a code %d", ret); return WC_HW_E; } diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 72214d588..1d4ba2158 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -524,6 +524,9 @@ int wolfCrypt_Cleanup(void) #ifdef WOLFSSL_SILABS_SE_ACCEL ret = sl_se_deinit(); #endif + #if defined(WOLFSSL_TROPIC01) + Tropic01_Deinit(); + #endif #if defined(WOLFSSL_RENESAS_TSIP) tsip_Close(); #endif From bab7677273d4b7d6485c2f55f8e9096d4d919112 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 9 Jun 2025 16:06:56 +0200 Subject: [PATCH 28/31] Added AES IV retrieval from TROPIC01 and use of new R-Memory slot definitions --- wolfcrypt/src/port/tropicsquare/tropic01.c | 91 ++++++++++++------- .../wolfcrypt/port/tropicsquare/tropic01.h | 10 +- 2 files changed, 67 insertions(+), 34 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index bb854f667..added7090 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -107,10 +107,10 @@ static int Tropic01_GenerateKeyED25519(byte* pubkey, int keySlot, word32 sz) #endif /* - * Retrive the AES key from the secure R memory of TROPIC01 + * Retrieve the AES key from the secure R memory of TROPIC01 */ -static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) +static int Tropic01_GetKeyAES(byte* aesKey, int keySlot, word32 keySz) { lt_ret_t rett; @@ -119,7 +119,7 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) keySlot ); - if (aes == NULL || keySlot < 0 || keySlot >= 511) + if (aesKey == NULL || keySlot < 0 || keySlot >= 511) return BAD_FUNC_ARG; @@ -134,7 +134,7 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) /* Retrieve key from TROPIC01 */ - rett = lt_r_mem_data_read(&g_h, keySlot, (byte*)aes->key, keySz); + rett = lt_r_mem_data_read(&g_h, keySlot, aesKey, keySz); if (rett != LT_OK) { WOLFSSL_MSG_EX( "TROPIC01: Get AES Key: Failed to retrieve key, ret=%d", @@ -149,7 +149,7 @@ static int Tropic01_GetKeyAES(Aes* aes, int keySlot, word32 keySz) } /* - * Retrive the ECC key from the secure R memory of TROPIC01 + * Retrieve the ECC key from the secure R memory of TROPIC01 */ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) { @@ -195,7 +195,8 @@ static int Tropic01_GetKeyECC(byte* ecckey, int keySlot, word32 keySz) int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) { int ret = CRYPTOCB_UNAVAILABLE; - + byte lt_key[TROPIC01_AES_MAX_KEY_SIZE] = {0}; + byte lt_iv[TROPIC01_AES_MAX_KEY_SIZE] = {0}; if (info == NULL) return BAD_FUNC_ARG; @@ -296,16 +297,33 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #if !defined(NO_AES) #ifdef HAVE_AESGCM if (info->cipher.type == WC_CIPHER_AES_GCM) { - if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES( - info->cipher.aesgcm_enc.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, + ret = Tropic01_GetKeyAES( + lt_key, + TROPIC01_AES_KEY_RMEM_SLOT, TROPIC01_AES_MAX_KEY_SIZE); - if (ret != 0) { - WOLFSSL_MSG_EX( + if (ret != 0) { + WOLFSSL_MSG_EX( "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret); + return ret; + } + ret = Tropic01_GetKeyAES( + lt_iv, + TROPIC01_AES_IV_RMEM_SLOT, + TROPIC01_AES_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES IV, ret=%d", + ret); + return ret; + } + if (info->cipher.enc) { + ret = wc_AesSetKey(info->cipher.aesgcm_enc.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -327,14 +345,12 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } else { - ret = Tropic01_GetKeyAES( - info->cipher.aesgcm_dec.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, - TROPIC01_AES_MAX_KEY_SIZE); + ret = wc_AesSetKey(info->cipher.aesgcm_dec.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", - ret); + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ @@ -358,15 +374,30 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) #endif /* HAVE_AESGCM */ #ifdef HAVE_AES_CBC if (info->cipher.type == WC_CIPHER_AES_CBC) { + ret = Tropic01_GetKeyAES( + lt_key, + TROPIC01_AES_KEY_RMEM_SLOT, + TROPIC01_AES_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES key,ret=%d", ret); + return ret; + } + ret = Tropic01_GetKeyAES( + lt_iv, + TROPIC01_AES_IV_RMEM_SLOT, + TROPIC01_AES_MAX_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get AES IV, ret=%d", ret); + return ret; + } if (info->cipher.enc) { - - ret = Tropic01_GetKeyAES( - info->cipher.aescbc.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, - TROPIC01_AES_MAX_KEY_SIZE); + ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_ENCRYPTION); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", ret); return ret; } @@ -383,14 +414,12 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) } else { - ret = Tropic01_GetKeyAES( - info->cipher.aescbc.aes, - TROPIC01_AES_RMEM_SLOT_DEFAULT, - TROPIC01_AES_MAX_KEY_SIZE); + ret = wc_AesSetKey(info->cipher.aescbc.aes, lt_key, + WC_AES_BLOCK_SIZE, lt_iv, AES_DECRYPTION); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get AES key, ret=%d", - ret); + "TROPIC01: CryptoCB: Failed to set AES key, ret=%d", + ret); return ret; } /* set devId to invalid, so software is used */ diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index b8410d99e..e5660cee3 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,13 +50,17 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 -#define TROPIC01_AES_RMEM_SLOT_DEFAULT 1 + +/* R-Memory slots allocation */ +#define TROPIC01_AES_KEY_RMEM_SLOT 0 +#define TROPIC01_AES_IV_RMEM_SLOT 1 +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 + #define TROPIC01_ED25519_PRIV_KEY_SIZE 32 #define TROPIC01_ED25519_PUB_KEY_SIZE 32 -#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 #define PAIRING_KEY_SLOT_INDEX_0 0 From 60f442b04ec37ed1b88676b5d352c58bb0adf1c4 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 9 Jun 2025 17:12:46 +0200 Subject: [PATCH 29/31] Fix formatting inconsistencies in README.md --- wolfcrypt/src/port/tropicsquare/README.md | 42 +++++++++++------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index 35f944065..cd118f63b 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -1,6 +1,6 @@ # wolfSSL TROPIC01 Secure Element Integration Guide -![wolfSSL+TROPIC01](https://img.shields.io/badge/wolfSSL-TROPIC01-blue) +![wolfSSL+TROPIC01](https://img.shields.io/badge/wolfSSL-TROPIC01-blue) Integration guide for using Tropic Square's TROPIC01 secure element with wolfSSL/wolfCrypt cryptography library. @@ -40,16 +40,16 @@ The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/ - Electromagnetic pulse detector - Laser detector - Active shield -- **Interface to Host MCU/MPU**: +- **Interface to Host MCU/MPU**: - SPI - - Encrypted channel with forward secrecy + - Encrypted channel with forward secrecy - **Entropy Source**: - Physically Unclonable Function (PUF) - True Random Number Generator (TRNG) -### Available Evaluation and Development Kits +### Available Evaluation and Development Kits - USB Stick with TROPIC01 ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#usb-stick-with-tropic01)) -- Raspberry PI shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#rpi-shield-ts1501)) +- Raspberry PI shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#rpi-shield-ts1501)) - Arduino shield ([here](https://github.com/tropicsquare/tropic01?tab=readme-ov-file#arduino-shield-ts14)) ### Get samples @@ -59,9 +59,9 @@ To get samples and DevKits, please fill in [this form](https://tropicsquare.com/ ### Pre-requirements 1. Get one of the targeted hardware platforms. For example, Linux PC + TROPIC01 USB stick or Raspberry PI 3/4/5 + TROPIC01 RPI shield -2. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross-compiling toolchain (armv8-rpi3-linux-gnueabihf) -3. Install CMake and Autotools -4. Install Git +2. Install toolchain (incl. compiler or cross-compiler). For example, GNU Toolchain (gcc) or ARM cross-compiling toolchain (armv8-rpi3-linux-gnueabihf) +3. Install CMake and Autotools +4. Install Git Some guidelines for RPi are available [here](https://earthly.dev/blog/cross-compiling-raspberry-pi/) @@ -79,8 +79,8 @@ $ sudo apt install wiringpi For the integration with wolfSSL, there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): ```sh -TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key -TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key +TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key +TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private key TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys PAIRING_KEY_SLOT_INDEX_0 0 //pairing keys slot @@ -105,10 +105,10 @@ Or run the following commands: ### Build wolfSSL 1. Clone wolfSSL from the wolfSSL GitHub (https://github.com/wolfSSL/wolfssl) -2. Make sure that the version of wolfSSL supports TROPIC01 - check if the folder wolfssl/wolfcrypt/src/port/tropicsquare exists +2. Make sure that the version of wolfSSL supports TROPIC01 - check if the folder wolfssl/wolfcrypt/src/port/tropicsquare exists 3. To compile wolfSSL with TROPIC01 support using Autoconf/configure: - + ```sh $ cd wolfssl $ ./autogen.sh @@ -116,11 +116,11 @@ $ ./configure --with-tropic01=PATH --enable-cryptocb --enable-static --disable-c $ make $ sudo make install ``` -where PATH is an absolute path to the libtropic folder, for example +where PATH is an absolute path to the libtropic folder, for example --with-tropic01=/home/pi/git/libtropic - -For the debugging output, add + +For the debugging output, add --enable-debug @@ -138,7 +138,7 @@ If necessary, open and edit the Makefile in this folder Set correct values for CC and LIBTROPIC_DIR variables, for example: - CC = gcc + CC = gcc LIBTROPIC_DIR = /home/pi/git/libtropic @@ -181,13 +181,13 @@ Generated 32 random bytes: RNG test completed successfully AES test starting: -TROPIC01: CryptoCB: AES request +TROPIC01: CryptoCB: AES request TROPIC01: Get AES Key: Retrieving key from slot 1 TROPIC01: Get AES Key: Key retrieved successfully Plain message: -01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 +01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 Encrypted message: -89 44 11 3E 2E 07 52 9C CB 5F B1 70 7E 9C 42 D6 +89 44 11 3E 2E 07 52 9C CB 5F B1 70 7E 9C 42 D6 AES test completed successfully ED25519 COMPREHENSIVE TESTING SUITE @@ -227,5 +227,5 @@ A73A562B 3D03F429 8706309D 63E2120B wolfSSL Entering wolfCrypt_Cleanup ``` - - + + From f865e0de97fe86a6fb104903e47ef0e6d93c2373 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Wed, 11 Jun 2025 21:09:22 +0200 Subject: [PATCH 30/31] improve ED25519 key handling in CryptoCb function --- wolfcrypt/src/port/tropicsquare/tropic01.c | 28 ++++++++++++++-------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/tropic01.c b/wolfcrypt/src/port/tropicsquare/tropic01.c index added7090..cd58db1e6 100644 --- a/wolfcrypt/src/port/tropicsquare/tropic01.c +++ b/wolfcrypt/src/port/tropicsquare/tropic01.c @@ -243,19 +243,28 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) TROPIC01_ED25519_PRIV_KEY_SIZE); if (ret != 0) { WOLFSSL_MSG_EX( - "TROPIC01: CryptoCB: Failed to get ED25519 key, ret=%d", + "TROPIC01: CryptoCB: Failed to get ED25519 PRIVkey,ret=%d", + ret); + return ret; + } + ret = Tropic01_GetKeyECC( + info->pk.ed25519sign.key->p, + TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, + TROPIC01_ED25519_PUB_KEY_SIZE); + if (ret != 0) { + WOLFSSL_MSG_EX( + "TROPIC01: CryptoCB: Failed to get ED25519 PUBkey,ret=%d", ret); return ret; } /* set devId to invalid, so software is used */ info->pk.ed25519sign.key->devId = INVALID_DEVID; + info->pk.ed25519sign.key->privKeySet = 1; info->pk.ed25519sign.key->pubKeySet = 1; - - ret = wc_ed25519_sign_msg_ex( + ret = wc_ed25519_sign_msg( info->pk.ed25519sign.in, info->pk.ed25519sign.inLen, info->pk.ed25519sign.out, info->pk.ed25519sign.outLen, - info->pk.ed25519sign.key, info->pk.ed25519sign.type, - info->pk.ed25519sign.context, info->pk.ed25519sign.contextLen); + info->pk.ed25519sign.key); /* reset devId */ info->pk.ed25519sign.key->devId = devId; @@ -266,7 +275,7 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) WOLFSSL_MSG("TROPIC01: CryptoCB: ED25519 verification request"); /* retrieve public key from TROPIC01 secure R memory */ ret = Tropic01_GetKeyECC( - info->pk.ed25519sign.key->p, + info->pk.ed25519verify.key->p, TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT, TROPIC01_ED25519_PUB_KEY_SIZE); if (ret != 0) { @@ -278,12 +287,11 @@ int Tropic01_CryptoCb(int devId, wc_CryptoInfo* info, void* ctx) /* set devId to invalid, so software is used */ info->pk.ed25519verify.key->devId = INVALID_DEVID; - - ret = wc_ed25519_verify_msg_ex( + info->pk.ed25519verify.key->pubKeySet = 1; + ret = wc_ed25519_verify_msg( info->pk.ed25519verify.sig, info->pk.ed25519verify.sigLen, info->pk.ed25519verify.msg, info->pk.ed25519verify.msgLen, - info->pk.ed25519verify.res, info->pk.ed25519verify.key, - info->pk.ed25519verify.type, NULL, 0); + info->pk.ed25519verify.res, info->pk.ed25519verify.key); /* reset devId */ info->pk.ed25519verify.key->devId = devId; From 037ccbaa057ac82592bec3e14aef12a30f9e3ad9 Mon Sep 17 00:00:00 2001 From: Maxim Kostin Date: Mon, 16 Jun 2025 21:12:19 +0200 Subject: [PATCH 31/31] Update TROPIC01 integration guide and header file for key slot definitions and datasheet link --- wolfcrypt/src/port/tropicsquare/README.md | 9 ++--- .../wolfcrypt/port/tropicsquare/tropic01.h | 34 ++++++++++++------- 2 files changed, 27 insertions(+), 16 deletions(-) diff --git a/wolfcrypt/src/port/tropicsquare/README.md b/wolfcrypt/src/port/tropicsquare/README.md index cd118f63b..4b1df37ad 100644 --- a/wolfcrypt/src/port/tropicsquare/README.md +++ b/wolfcrypt/src/port/tropicsquare/README.md @@ -23,7 +23,7 @@ Integration guide for using Tropic Square's TROPIC01 secure element with wolfSSL ## TROPIC01 Secure Element with an open architecture The TROPIC01 secure element is built with tamper-proof technology and advanced attack countermeasures to ensure robust asset protection, securing electronic devices against a wide range of potential attacks. It securely supplies and stores the cryptographic keys of embedded solutions. -The TROPIC01 datasheet is available via [this link](https://www.nxp.com/docs/en/application-note/AN12570.pdf) +The TROPIC01 datasheet is available via [this link](https://github.com/tropicsquare/tropic01/blob/main/doc/datasheet/ODD_tropic01_datasheet_revA6.pdf) ## Hardware Overview @@ -71,15 +71,16 @@ Also, for Raspberry PI, there are a few more steps: 2. Install wiringPI: ```sh -$ sudo apt update -$ sudo apt install wiringpi +$ wget https://github.com/WiringPi/WiringPi/releases/download/3.14/wiringpi_3.14_arm64.deb +$ sudo apt install ./wiringpi_3.14_arm64.deb ``` ### Keys installation For the integration with wolfSSL, there are a few pre-defined slots for the secure keys storage (the slots mapping might be changed in tropic01.h): ```sh -TROPIC01_AES_RMEM_SLOT_DEFAULT 1 // slot in R-memory for AES key +TROPIC01_AES_KEY_RMEM_SLOT 0 // slot in R-memory for AES key +TROPIC01_AES_IV_RMEM_SLOT 1 // slot in R-memory for AES IV TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 // slot in R-memory for ED25519 Public key TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 //slot in R-memory for ED25519 Private key TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 // slot in ECC keys storage for both public and private keys diff --git a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h index e5660cee3..8bdb740c6 100644 --- a/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h +++ b/wolfssl/wolfcrypt/port/tropicsquare/tropic01.h @@ -50,23 +50,34 @@ #define TROPIC01_AES_MAX_KEY_SIZE 32 - -/* R-Memory slots allocation */ -#define TROPIC01_AES_KEY_RMEM_SLOT 0 -#define TROPIC01_AES_IV_RMEM_SLOT 1 -#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 -#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 - - +#define TROPIC01_PAIRING_KEY_SIZE 32 #define TROPIC01_ED25519_PRIV_KEY_SIZE 32 #define TROPIC01_ED25519_PUB_KEY_SIZE 32 +/* R-Memory slots allocation */ +#ifndef TROPIC01_AES_KEY_RMEM_SLOT +#define TROPIC01_AES_KEY_RMEM_SLOT 0 +#endif /* TROPIC01_AES_KEY_RMEM_SLOT */ + +#ifndef TROPIC01_AES_IV_RMEM_SLOT +#define TROPIC01_AES_IV_RMEM_SLOT 1 +#endif /* TROPIC01_AES_IV_RMEM_SLOT */ + +#ifndef TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT +#define TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT 2 +#endif /* TROPIC01_ED25519_PUB_RMEM_SLOT_DEFAULT */ + +#ifndef TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT +#define TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT 3 +#endif /* TROPIC01_ED25519_PRIV_RMEM_SLOT_DEFAULT */ + +#ifndef TROPIC01_ED25519_ECC_SLOT_DEFAULT #define TROPIC01_ED25519_ECC_SLOT_DEFAULT 1 +#endif /* TROPIC01_ED25519_ECC_SLOT_DEFAULT */ +#ifndef PAIRING_KEY_SLOT_INDEX_0 #define PAIRING_KEY_SLOT_INDEX_0 0 -#define TROPIC01_PAIRING_KEY_SIZE 32 - - +#endif /* PAIRING_KEY_SLOT_INDEX_0 */ typedef struct { int keySlot; /* Slot ID in TROPIC01 secure memory */ @@ -78,7 +89,6 @@ typedef struct { /* Context for TROPIC01 secure element */ typedef struct { int initialized; - byte keySlotUsage[8]; } Tropic01CryptoDevCtx;