acipher: add dynamic algorithm selection and decryption support

amey-raghatate · Akshay-Belsare · commit b44f47068cac · 2025-09-04T12:30:57.000+05:30
- Extend acipher example to support for RSA algorithms: - TEE_ALG_RSAES_PKCS1_V1_5 - TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1/224/256/384/512 - Users can select algorithm and key size at runtime via: `optee_example_acipher <key_size> <string> <algo>` - Supported key sizes: 2048, 3072, 4096 bits - Defaults to TA_ALG_PKCS1_V1_5 if no algorithm is specified - Enhances the acipher example for flexible testing of multiple RSA modes Signed-off-by: Amey Avinash Raghatate <ameyavinash.raghatate@amd.com> State: waiting Link: linaro-swg#133
diff --git a/acipher/host/main.c b/acipher/host/main.c
@@ -16,24 +16,29 @@
 /* For the UUID (found in the TA's h-file(s)) */
 #include <acipher_ta.h>
 
+#define ENCRYPT		1
+#define DECRYPT		0
+
 static void usage(int argc, char *argv[])
 {
 	const char *pname = "acipher";
 
 	if (argc)
 		pname = argv[0];
 
-	fprintf(stderr, "usage: %s <key_size> <string to encrypt>\n", pname);
+	fprintf(stderr, "%s: %s <key_size> <string to encrypt> <algo name>\n",
+		__func__, pname);
 	exit(1);
 }
 
 static void get_args(int argc, char *argv[], size_t *key_size, void **inbuf,
-		     size_t *inbuf_len)
+		     size_t *inbuf_len, uint32_t *algo_num)
 {
 	char *ep;
 	long ks;
+	char *algo;
 
-	if (argc != 3) {
+	if ((argc > 4) || (argc < 3)) {
 		warnx("Unexpected number of arguments %d (expected 2)",
 		      argc - 1);
 		usage(argc, argv);
@@ -52,6 +57,32 @@ static void get_args(int argc, char *argv[], size_t *key_size, void **inbuf,
 
 	*inbuf = argv[2];
 	*inbuf_len = strlen(argv[2]);
+
+	if (argc > 3) {
+		algo = argv[3];
+		printf("%s algo selected\n", algo);
+		if (strcmp(algo, "TA_ALG_OAEP_MGF1_SHA1") == 0) {
+			*algo_num = TA_ALG_OAEP_MGF1_SHA1;
+		} else if (strcmp(algo, "TA_ALG_OAEP_MGF1_SHA224") == 0) {
+			*algo_num = TA_ALG_OAEP_MGF1_SHA224;
+		} else if (strcmp(algo, "TA_ALG_OAEP_MGF1_SHA256") == 0) {
+			*algo_num = TA_ALG_OAEP_MGF1_SHA256;
+		} else if (strcmp(algo, "TA_ALG_OAEP_MGF1_SHA384") == 0) {
+			*algo_num = TA_ALG_OAEP_MGF1_SHA384;
+		} else if (strcmp(algo, "TA_ALG_OAEP_MGF1_SHA512") == 0) {
+			*algo_num = TA_ALG_OAEP_MGF1_SHA512;
+		} else if (strcmp(algo, "TA_ALG_PKCS1_V1_5") == 0) {
+			*algo_num = TA_ALG_PKCS1_V1_5;
+		} else {
+			printf("%s algo is invalid\n", algo);
+			usage(argc, argv);
+		}
+	} else {
+		printf("TA_ALG_PKCS1_V1_5 algo selected\n");
+		*algo_num = TA_ALG_PKCS1_V1_5;
+	}
+
+
 }
 
 static void teec_err(TEEC_Result res, uint32_t eo, const char *str)
@@ -69,10 +100,13 @@ int main(int argc, char *argv[])
 	size_t key_size;
 	void *inbuf;
 	size_t inbuf_len;
+	void *outbuf = NULL;
+	size_t outbuf_len = 0;
 	size_t n;
+	uint32_t algo_num;
 	const TEEC_UUID uuid = TA_ACIPHER_UUID;
 
-	get_args(argc, argv, &key_size, &inbuf, &inbuf_len);
+	get_args(argc, argv, &key_size, &inbuf, &inbuf_len, &algo_num);
 
 	res = TEEC_InitializeContext(NULL, &ctx);
 	if (res)
@@ -95,26 +129,62 @@ int main(int argc, char *argv[])
 	memset(&op, 0, sizeof(op));
 	op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
 					 TEEC_MEMREF_TEMP_OUTPUT,
-					 TEEC_NONE, TEEC_NONE);
+					 TEEC_VALUE_INPUT, TEEC_VALUE_INPUT);
 	op.params[0].tmpref.buffer = inbuf;
 	op.params[0].tmpref.size = inbuf_len;
+	op.params[2].value.a = ENCRYPT; /* encrypt */
+	op.params[3].value.a = algo_num;
 
 	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
 	if (eo != TEEC_ORIGIN_TRUSTED_APP || res != TEEC_ERROR_SHORT_BUFFER)
 		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");
 
+	outbuf_len = op.params[1].tmpref.size;
 	op.params[1].tmpref.buffer = malloc(op.params[1].tmpref.size);
 	if (!op.params[1].tmpref.buffer)
 		err(1, "Cannot allocate out buffer of size %zu",
-		    op.params[1].tmpref.size);
+		    outbuf_len);
 
 	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
 	if (res)
 		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");
 
+	outbuf = malloc(outbuf_len);
+	if (!outbuf)
+		err(1, "Cannot allocate out buffer of size %zu", outbuf_len);
+
+	memmove(outbuf, op.params[1].tmpref.buffer, outbuf_len);
 	printf("Encrypted buffer: ");
-	for (n = 0; n < op.params[1].tmpref.size; n++)
-		printf("%02x ", ((uint8_t *)op.params[1].tmpref.buffer)[n]);
+	for (n = 0; n < outbuf_len; n++)
+		printf("%02x ", ((uint8_t *)outbuf)[n]);
 	printf("\n");
+
+	memset(&op, 0, sizeof(op));
+	op.paramTypes = TEEC_PARAM_TYPES(TEEC_MEMREF_TEMP_INPUT,
+					 TEEC_MEMREF_TEMP_OUTPUT,
+					 TEEC_VALUE_INPUT, TEEC_VALUE_INPUT);
+	op.params[0].tmpref.buffer = outbuf;
+	op.params[0].tmpref.size = outbuf_len;
+	op.params[2].value.a = DECRYPT; /* decrypt */
+	op.params[3].value.a = algo_num;
+
+	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
+	if (eo != TEEC_ORIGIN_TRUSTED_APP || res != TEEC_ERROR_SHORT_BUFFER)
+		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_DYCRYPT)");
+
+	op.params[1].tmpref.buffer = malloc(op.params[1].tmpref.size);
+	if (!op.params[1].tmpref.buffer)
+		err(1, "Cannot allocate out buffer of size %zu",
+		    outbuf_len);
+
+	res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
+	if (res)
+		teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_DYCRYPT)");
+
+	if (memcmp(inbuf, op.params[1].tmpref.buffer, op.params[1].tmpref.size))
+		printf("message is not matching\n");
+	else
+		printf("message is matching successfully\n");
+
 	return 0;
 }
diff --git a/acipher/ta/acipher_ta.c b/acipher/ta/acipher_ta.c
@@ -32,7 +32,8 @@ static TEE_Result cmd_gen_key(struct acipher *state, uint32_t pt,
 
 	res = TEE_AllocateTransientObject(key_type, key_size, &key);
 	if (res) {
-		EMSG("TEE_AllocateTransientObject(%#" PRIx32 ", %" PRId32 "): %#" PRIx32, key_type, key_size, res);
+		EMSG("TEE_AllocateTransientObject(%#" PRIx32 ", %" PRId32 "): %#"
+		     PRIx32, key_type, key_size, res);
 		return res;
 	}
 
@@ -49,6 +50,33 @@ static TEE_Result cmd_gen_key(struct acipher *state, uint32_t pt,
 	return TEE_SUCCESS;
 }
 
+static TEE_Result select_algo(uint32_t param, uint32_t *algo)
+{
+	switch (param) {
+	case TA_ALG_PKCS1_V1_5:
+		*algo = TEE_ALG_RSAES_PKCS1_V1_5;
+		return TEE_SUCCESS;
+	case TA_ALG_OAEP_MGF1_SHA1:
+		*algo = TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1;
+		return TEE_SUCCESS;
+	case TA_ALG_OAEP_MGF1_SHA224:
+		*algo = TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA224;
+		return TEE_SUCCESS;
+	case TA_ALG_OAEP_MGF1_SHA256:
+		*algo = TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA256;
+		return TEE_SUCCESS;
+	case TA_ALG_OAEP_MGF1_SHA384:
+		*algo = TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA384;
+		return TEE_SUCCESS;
+	case TA_ALG_OAEP_MGF1_SHA512:
+		*algo = TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512;
+		return TEE_SUCCESS;
+	default:
+		EMSG("Invalid algo %u", param);
+		return TEE_ERROR_BAD_PARAMETERS;
+	}
+}
+
 static TEE_Result cmd_enc(struct acipher *state, uint32_t pt,
 			  TEE_Param params[TEE_NUM_PARAMS])
 {
@@ -57,13 +85,14 @@ static TEE_Result cmd_enc(struct acipher *state, uint32_t pt,
 	uint32_t inbuf_len;
 	void *outbuf;
 	uint32_t outbuf_len;
+	uint32_t alg_num;
 	TEE_OperationHandle op;
 	TEE_ObjectInfo key_info;
-	const uint32_t alg = TEE_ALG_RSAES_PKCS1_V1_5;
+	uint32_t encrypt;
 	const uint32_t exp_pt = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
 						TEE_PARAM_TYPE_MEMREF_OUTPUT,
-						TEE_PARAM_TYPE_NONE,
-						TEE_PARAM_TYPE_NONE);
+						TEE_PARAM_TYPE_VALUE_INPUT,
+						TEE_PARAM_TYPE_VALUE_INPUT);
 
 	if (pt != exp_pt)
 		return TEE_ERROR_BAD_PARAMETERS;
@@ -81,10 +110,21 @@ static TEE_Result cmd_enc(struct acipher *state, uint32_t pt,
 	outbuf = params[1].memref.buffer;
 	outbuf_len = params[1].memref.size;
 
-	res = TEE_AllocateOperation(&op, alg, TEE_MODE_ENCRYPT,
+	res = select_algo(params[3].value.a, &alg_num);
+	if (res != TEE_SUCCESS)
+		return res;
+
+	if (params[2].value.a)
+		encrypt = TEE_MODE_ENCRYPT;
+	else
+		encrypt = TEE_MODE_DECRYPT;
+
+	res = TEE_AllocateOperation(&op, alg_num, encrypt,
 				    key_info.keySize);
 	if (res) {
-		EMSG("TEE_AllocateOperation(TEE_MODE_ENCRYPT, %#" PRIx32 ", %" PRId32 "): %#" PRIx32, alg, key_info.keySize, res);
+		EMSG("TEE_AllocateOperation(TEE_MODE_ENCRYPT, %#"
+		     PRIx32 ", %" PRId32 "): %#" PRIx32,
+		     alg_num, key_info.keySize, res);
 		return res;
 	}
 
@@ -94,10 +134,22 @@ static TEE_Result cmd_enc(struct acipher *state, uint32_t pt,
 		goto out;
 	}
 
-	res = TEE_AsymmetricEncrypt(op, NULL, 0, inbuf, inbuf_len, outbuf,
-				    &outbuf_len);
-	if (res) {
-		EMSG("TEE_AsymmetricEncrypt(%" PRId32 ", %" PRId32 "): %#" PRIx32, inbuf_len, params[1].memref.size, res);
+	if (encrypt == TEE_MODE_ENCRYPT) {
+		res = TEE_AsymmetricEncrypt(op, NULL, 0, inbuf,
+					    inbuf_len, outbuf, &outbuf_len);
+		if (res) {
+			EMSG("TEE_AsymmetricEncrypt(%" PRId32 ", %"
+			     PRId32 "): %#" PRIx32, inbuf_len,
+			     params[1].memref.size, res);
+		}
+	} else {
+		res = TEE_AsymmetricDecrypt(op, NULL, 0, inbuf, inbuf_len,
+					    outbuf, &outbuf_len);
+		if (res) {
+			EMSG("TEE_AsymmetricDecrypt(%" PRId32 ", %"
+			     PRId32 "): %#" PRIx32, inbuf_len,
+			     params[1].memref.size, res);
+		}
 	}
 	params[1].memref.size = outbuf_len;
 
diff --git a/acipher/ta/include/acipher_ta.h b/acipher/ta/include/acipher_ta.h
@@ -22,4 +22,12 @@
  */
 #define TA_ACIPHER_CMD_ENCRYPT		1
 
+#define TA_ALG_PKCS1_V1_5		0
+#define TA_ALG_OAEP_MGF1_SHA1		1
+#define TA_ALG_OAEP_MGF1_SHA224		2
+#define TA_ALG_OAEP_MGF1_SHA256		3
+#define TA_ALG_OAEP_MGF1_SHA384		4
+#define TA_ALG_OAEP_MGF1_SHA512		5
+
+
 #endif /* __ACIPHER_TA_H */
