acipher: add dynamic algorithm selection and decryption support #133
Conversation
- Extend acipher example to support for RSA algorithms: - TEE_ALG_RSAES_PKCS1_V1_5 - TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1/224/256/384/512 - Users can select algorithm and key size at runtime via: `optee_example_acipher <key_size> <string> <algo>` - Supported key sizes: 2048, 3072, 4096 bits - Defaults to TA_ALG_PKCS1_V1_5 if no algorithm is specified - Enhances the acipher example for flexible testing of multiple RSA modes Signed-off-by: Amey Avinash Raghatate <ameyavinash.raghatate@amd.com>
Signed-off-by: Amey Avinash Raghatate <ameyavinash.raghatate@amd.com>
- Extend acipher example to support for RSA algorithms: - TEE_ALG_RSAES_PKCS1_V1_5 - TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA1/224/256/384/512 - Users can select algorithm and key size at runtime via: `optee_example_acipher <key_size> <string> <algo>` - Supported key sizes: 2048, 3072, 4096 bits - Defaults to TA_ALG_PKCS1_V1_5 if no algorithm is specified - Enhances the acipher example for flexible testing of multiple RSA modes Signed-off-by: Amey Avinash Raghatate <ameyavinash.raghatate@amd.com> State: waiting Link: linaro-swg#133
|
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
|
@jforissier @etienne-lms Could you please take a moment to review this change? |
| TEEC_VALUE_INPUT, TEEC_VALUE_INPUT); | ||
| op.params[0].tmpref.buffer = outbuf; | ||
| op.params[0].tmpref.size = outbuf_len; | ||
| op.params[2].value.a = DECRYPT; /* decrypt */ |
There was a problem hiding this comment.
Having a command called TA_ACIPHER_CMD_ENCRYPT to do decryption is inconsistent. Please introduce TA_ACIPHER_CMD_DECRYPT instead.
acipher/host/main.c
Outdated
|
|
||
| res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo); | ||
| if (eo != TEEC_ORIGIN_TRUSTED_APP || res != TEEC_ERROR_SHORT_BUFFER) | ||
| teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_DYCRYPT)"); |
There was a problem hiding this comment.
Actually the command is still TA_ACIPHER_CMD_ENCRYPT.
Maybe update the message here and below (line 191):
teec_err(res, eo, "Command TA_ACIPHER_CMD_ENCRYPT failed for decryption");and at line 159 above:
res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
if (res)
- teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");
+ teec_err(res, eo, "Command TA_ACIPHER_CMD_ENCRYPT failed for encryption");Alternatively, introduce a dedicated command for decryption: TA_ACIPHER_CMD_DECRYPT.
acipher/host/main.c
Outdated
|
|
||
| res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo); | ||
| if (res) | ||
| teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_DYCRYPT)"); |
| /* | ||
| * in params[1].memref input | ||
| * out params[2].memref output | ||
| */ |
There was a problem hiding this comment.
Need to add the algo: in params[3].value algorithm (TA_ALG_*)
There was a problem hiding this comment.
Actually:
/*
* in params[0].memref Input data to cipher
* out params[1].memref Ciphered output data
* in params[2].value.a Mode: 0 for decryption, any other value for encryption
* in params[3].value.a Algorithm (TA_ALG_*)
*/
acipher/host/main.c
Outdated
| printf("TA_ALG_OAEP_MGF1_SHA224\n"); | ||
| printf("TA_ALG_OAEP_MGF1_SHA256\n"); | ||
| printf("TA_ALG_OAEP_MGF1_SHA384\n"); | ||
| printf("TA_ALG_OAEP_MGF1_SHA512\n"); |
There was a problem hiding this comment.
Some indentation would make this more readable.
For consistency: fprintf(stderr, ...) for each trace message?
fprintf(stderr, "Usage: %s <key_size> <string to encrypt> [<algo name>]\n\n",
pname);
fprintf(stderr, "<key_size>: key size in bits. Supported values are:\n");
fprintf(stderr, " 2048, 3072, 4096\n");
fprintf(stderr, "<algo_name>: algorithm name. Supported values are:\n");
fprintf(stderr, " TA_ALG_PKCS1_V1_5 (default)\n");
fprintf(stderr, " TA_ALG_OAEP_MGF1_SHA1\n");
fprintf(stderr, " TA_ALG_OAEP_MGF1_SHA224\n");
fprintf(stderr, " TA_ALG_OAEP_MGF1_SHA256\n");
fprintf(stderr, " TA_ALG_OAEP_MGF1_SHA384\n");
fprintf(stderr, " TA_ALG_OAEP_MGF1_SHA512\n");
acipher/host/main.c
Outdated
| if ((argc > 4) || (argc < 3)) { | ||
| warnx("Unexpected number of arguments %d (expected 2)", | ||
| argc - 1); |
There was a problem hiding this comment.
| if ((argc > 4) || (argc < 3)) { | |
| warnx("Unexpected number of arguments %d (expected 2)", | |
| argc - 1); | |
| if ((argc > 4) || (argc < 3)) { | |
| warnx("Unexpected number of arguments %d", argc - 1); |
acipher/host/main.c
Outdated
| } else if (strcmp(algo, "TA_ALG_PKCS1_V1_5") == 0) { | ||
| *algo_num = TA_ALG_PKCS1_V1_5; | ||
| } else { | ||
| printf("%s algo is invalid\n", algo); |
There was a problem hiding this comment.
For consistency:
| printf("%s algo is invalid\n", algo); | |
| fprintf(stderr, "%s algo is invalid\n", algo); |
acipher/host/main.c
Outdated
|
|
||
| res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo); | ||
| if (eo != TEEC_ORIGIN_TRUSTED_APP || res != TEEC_ERROR_SHORT_BUFFER) | ||
| teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_DYCRYPT)"); |
There was a problem hiding this comment.
Actually the command is still TA_ACIPHER_CMD_ENCRYPT.
Maybe update the message here and below (line 191):
teec_err(res, eo, "Command TA_ACIPHER_CMD_ENCRYPT failed for decryption");and at line 159 above:
res = TEEC_InvokeCommand(&sess, TA_ACIPHER_CMD_ENCRYPT, &op, &eo);
if (res)
- teec_err(res, eo, "TEEC_InvokeCommand(TA_ACIPHER_CMD_ENCRYPT)");
+ teec_err(res, eo, "Command TA_ACIPHER_CMD_ENCRYPT failed for encryption");Alternatively, introduce a dedicated command for decryption: TA_ACIPHER_CMD_DECRYPT.
acipher/ta/acipher_ta.c
Outdated
| *algo = TEE_ALG_RSAES_PKCS1_OAEP_MGF1_SHA512; | ||
| return TEE_SUCCESS; | ||
| default: | ||
| EMSG("Invalid algo %u", param); |
There was a problem hiding this comment.
| EMSG("Invalid algo %u", param); | |
| EMSG("Invalid algo %"PRIu32, param); |
acipher/ta/acipher_ta.c
Outdated
| key_info.keySize); | ||
| if (res) { | ||
| EMSG("TEE_AllocateOperation(TEE_MODE_ENCRYPT, %#" PRIx32 ", %" PRId32 "): %#" PRIx32, alg, key_info.keySize, res); | ||
| EMSG("TEE_AllocateOperation(TEE_MODE_ENCRYPT, %#" |
There was a problem hiding this comment.
TEE_MODE_ENCRYPT or TEE_MODE_DECRYPT depending on encrypt.
acipher/ta/acipher_ta.c
Outdated
| if (res) { | ||
| EMSG("TEE_AllocateOperation(TEE_MODE_ENCRYPT, %#" PRIx32 ", %" PRId32 "): %#" PRIx32, alg, key_info.keySize, res); | ||
| EMSG("TEE_AllocateOperation(TEE_MODE_ENCRYPT, %#" | ||
| PRIx32 ", %" PRId32 "): %#" PRIx32, |
There was a problem hiding this comment.
The show argument do not match the order used in TEE_AllocateOperation(). Not a big issue but one may found that confusing.
| /* | ||
| * in params[1].memref input | ||
| * out params[2].memref output | ||
| */ |
There was a problem hiding this comment.
Actually:
/*
* in params[0].memref Input data to cipher
* out params[1].memref Ciphered output data
* in params[2].value.a Mode: 0 for decryption, any other value for encryption
* in params[3].value.a Algorithm (TA_ALG_*)
*/| #define TA_ALG_OAEP_MGF1_SHA256 3 | ||
| #define TA_ALG_OAEP_MGF1_SHA384 4 | ||
| #define TA_ALG_OAEP_MGF1_SHA512 5 | ||
|
|
There was a problem hiding this comment.
Maybe use GP TEE Internal Core API algorithm IDs? as suggestion by @jenswi-linaro in another P-R?
Nitpicking: could you remove the extra empty line.
Update acipher TA and host as per review comments. Signed-off-by: Amey Avinash Raghatate <ameyavinash.raghatate@amd.com>
4 participants
optee_example_acipher <key_size> <string> <algo>