From 476b8382f07dc61578646a45971a6fc0b2eb63cd Mon Sep 17 00:00:00 2001 From: Shachar Levy Date: Thu, 28 Mar 2024 00:00:31 +0000 Subject: [PATCH] Merged PR 10172292: Add symcrypt build for optee env ## Description: ## Admin Checklist: - [ ] You have updated documentation in symcrypt.h to reflect any changes in behavior - [ ] You have updated CHANGELOG.md to reflect any changes in behavior - [ ] You have updated symcryptunittest to exercise any new functionality - [ ] If you have introduced any symbols in symcrypt.h you have updated production and test dynamic export symbols (exports.ver / exports.def / symcrypt.src) and tested the updated dynamic modules with symcryptunittest - [ ] If you have introduced functionality that varies based on CPU features, you have manually tested with and without relevant features - [ ] If you have made significant changes to a particular algorithm, you have checked that performance numbers reported by symcryptunittest are in line with expectations - [ ] If you have added new algorithms/modes, you have updated the status indicator text for the associated modules if necessary Add symcrypt build for optee env Signed-off-by: v-shlevy Related work items: #49419416 --- cmake-configs/SymCrypt-Platforms.cmake | 21 ++++- inc/symcrypt.h | 2 + inc/symcrypt_internal.h | 5 ++ lib/CMakeLists.txt | 21 ++++- lib/env_opteeTa.c | 80 +++++++++++++++++++ modules/linux/CMakeLists.txt | 13 ++- modules/linux/common/callbacks_pthread.c | 73 +++++++++++++++++ .../linux/common/callbacks_singlethreaded.c | 52 ++++++++++++ modules/linux/common/module.c | 72 ----------------- .../common/optional/module_linuxUserMode.c | 10 +++ modules/linux/common/precomp.h | 1 - modules/linux/common/rng.c | 19 +++-- modules/linux/generic/CMakeLists.txt | 4 +- modules/linux/oe_full/CMakeLists.txt | 4 +- modules/linux/optee/CMakeLists.txt | 10 +++ modules/linux/optee/module_opteeTa.c | 10 +++ modules/linux/optee/rng.c | 61 ++++++++++++++ scripts/build.py | 14 ++++ 18 files changed, 382 insertions(+), 90 deletions(-) create mode 100644 lib/env_opteeTa.c create mode 100644 modules/linux/common/callbacks_pthread.c create mode 100644 modules/linux/common/callbacks_singlethreaded.c create mode 100644 modules/linux/common/optional/module_linuxUserMode.c create mode 100644 modules/linux/optee/CMakeLists.txt create mode 100644 modules/linux/optee/module_opteeTa.c create mode 100644 modules/linux/optee/rng.c diff --git a/cmake-configs/SymCrypt-Platforms.cmake b/cmake-configs/SymCrypt-Platforms.cmake index 3602aad..53b59d2 100644 --- a/cmake-configs/SymCrypt-Platforms.cmake +++ b/cmake-configs/SymCrypt-Platforms.cmake @@ -3,7 +3,11 @@ # Choose which environment to use based on the host platform # We don't support cross-compiling from one platform to another (e.g. compiling Windows binaries on Linux) if(CMAKE_SYSTEM_NAME MATCHES "Linux") - set(SYMCRYPT_TARGET_ENV "LinuxUserMode") + if(SYMCRYPT_OPTEE MATCHES "ON") + set(SYMCRYPT_TARGET_ENV "OPTEE") + else() + set(SYMCRYPT_TARGET_ENV "LinuxUserMode") + endif() elseif(CMAKE_SYSTEM_NAME MATCHES "Windows") set(SYMCRYPT_TARGET_ENV "WindowsUserMode") else() @@ -51,6 +55,21 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux") # Enable a baseline of features for the compiler to support everywhere # Assumes that the compiler will not emit crypto instructions as a result of normal C code set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -march=armv8-a+simd+crypto") + + if(SYMCRYPT_TARGET_ENV MATCHES "OPTEE") + # TA DEV KIT is require for OPTEE TA compilation + if(DEFINED TA_DEV_KIT_INC) + # Get the compiler toolchain include + execute_process(COMMAND ${CMAKE_C_COMPILER} -print-file-name=include OUTPUT_VARIABLE TOOLCHAIN_INCLUDE) + string(STRIP "${TOOLCHAIN_INCLUDE}" TOOLCHAIN_INCLUDE) + # OPTEE env has a different stdlib and doesn't support atomic operations or multithreading. + add_compile_options(-mno-outline-atomics -nostdinc -isystem ${TOOLCHAIN_INCLUDE}) + include_directories(${TA_DEV_KIT_INC}) + else() + message(FATAL_ERROR "TA_DEV_KIT_INC must be defined for OPTEE build") + endif() + endif() + # GCC complains about implicit casting between ASIMD registers (i.e. uint8x16_t -> uint64x2_t) by default, # whereas clang and MSVC do not. Setting -flax-vector-conversions to build Arm64 intrinsics code with GCC. set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -flax-vector-conversions") diff --git a/inc/symcrypt.h b/inc/symcrypt.h index b5aab51..a0b0a7f 100644 --- a/inc/symcrypt.h +++ b/inc/symcrypt.h @@ -493,6 +493,8 @@ SymCryptUint64Bytesize( UINT64 value ); // // SYMCRYPT_ENVIRONMENT_LINUX_USERMODE // use for Linux // +// SYMCRYPT_ENVIRONMENT_OPTEE_TA // use for OPTEE +// // SYMCRYPT_ENVIRONMENT_GENERIC // use for all other situations // diff --git a/inc/symcrypt_internal.h b/inc/symcrypt_internal.h index 9c90aa3..49511b7 100644 --- a/inc/symcrypt_internal.h +++ b/inc/symcrypt_internal.h @@ -2884,6 +2884,7 @@ SYMCRYPT_EXTERN_C_END #define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_LEGACY SYMCRYPT_ENVIRONMENT_GENERIC +#ifdef NTDDI_VERSION #if (NTDDI_VERSION >= NTDDI_WIN7) #define SYMCRYPT_ENVIRONMENT_WINDOWS_KERNELMODE_WIN7_N_LATER SYMCRYPT_ENVIRONMENT_DEFS( WindowsKernelmodeWin7nLater ) #endif @@ -2909,12 +2910,16 @@ SYMCRYPT_EXTERN_C_END #if (NTDDI_VERSION >= NTDDI_WIN10) #define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN10_SGX SYMCRYPT_ENVIRONMENT_DEFS( Win10Sgx ) #endif +#endif // NTDDI_VERSION #define SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_LATEST SYMCRYPT_ENVIRONMENT_WINDOWS_USERMODE_WIN8_1_N_LATER #define SYMCRYPT_ENVIRONMENT_LINUX_USERMODE SYMCRYPT_ENVIRONMENT_DEFS( LinuxUsermode ) + +#define SYMCRYPT_ENVIRONMENT_OPTEE_TA SYMCRYPT_ENVIRONMENT_DEFS( OpteeTa ) + ////////////////////////////////////////////////////////// // // SymCryptWipe & SymCryptWipeKnownSize diff --git a/lib/CMakeLists.txt b/lib/CMakeLists.txt index 89ca13a..1cdd5d4 100644 --- a/lib/CMakeLists.txt +++ b/lib/CMakeLists.txt @@ -393,9 +393,24 @@ if(NOT WIN32) endif() endif() - add_library(symcrypt_linuxusermode STATIC env_linuxUserMode.c) - set_target_properties(symcrypt_linuxusermode PROPERTIES PREFIX "") - target_link_libraries(symcrypt_linuxusermode symcrypt_common) + if(SYMCRYPT_TARGET_ENV MATCHES "LinuxUserMode") + add_library(symcrypt_linuxusermode STATIC env_linuxUserMode.c) + set_target_properties(symcrypt_linuxusermode PROPERTIES PREFIX "") + target_link_libraries(symcrypt_linuxusermode symcrypt_common) + elseif(SYMCRYPT_TARGET_ENV MATCHES "OPTEE") + # Remove files from symcrypt_common that are not supported in optee env. + # aes-asm.c - use SymCryptAesDecryptAsm which is not defined for ARM64 + # cpuid_um.c - include auxv.h and use getauxval + # session.c - use atomic operations (__atomic_compare_exchange) + list(REMOVE_ITEM SOURCES_COMMON + aes-asm.c + cpuid_um.c + session.c) + + add_library(symcrypt_envOpteeTa STATIC env_opteeTa.c) + set_target_properties(symcrypt_envOpteeTa PROPERTIES PREFIX "") + target_link_libraries(symcrypt_envOpteeTa symcrypt_common) + endif() endif() include_directories(${CMAKE_SOURCE_DIR}/inc) diff --git a/lib/env_opteeTa.c b/lib/env_opteeTa.c new file mode 100644 index 0000000..9162e36 --- /dev/null +++ b/lib/env_opteeTa.c @@ -0,0 +1,80 @@ +// +// env_opteeTa.c +// Platform-specific code for OPTEE TA. +// +// Copyright (c) Microsoft Corporation. Licensed under the MIT license. +// + +#include "precomp.h" + +// OPTEE TA specific data +#define TEE_ERROR_BAD_STATE 0xFFFF0007 + +typedef uint32_t TEE_Result; + +void TEE_Panic(TEE_Result panicCode); + + +SYMCRYPT_CPU_FEATURES SYMCRYPT_CALL SymCryptCpuFeaturesNeverPresentEnvOpteeTa(void) +{ + return 0; +} + +VOID +SYMCRYPT_CALL +SymCryptInitEnvOpteeTa( UINT32 version ) +{ + if( g_SymCryptFlags & SYMCRYPT_FLAG_LIB_INITIALIZED ) + { + return; + } + + // Optee module relies on the unconditional availability of certain CPU features (ASIMD, AES, PMULL, SHA256) + g_SymCryptCpuFeaturesNotPresent = (SYMCRYPT_CPU_FEATURES) ~(SYMCRYPT_CPU_FEATURE_NEON|SYMCRYPT_CPU_FEATURE_NEON_AES|SYMCRYPT_CPU_FEATURE_NEON_PMULL|SYMCRYPT_CPU_FEATURE_NEON_SHA256); + + SymCryptInitEnvCommon( version ); +} + +_Analysis_noreturn_ +VOID +SYMCRYPT_CALL +SymCryptFatalEnvOpteeTa( ULONG fatalCode ) +{ + UINT32 fatalCodeVar; + + SymCryptFatalIntercept( fatalCode ); + + // + // Put the fatal code in a location where it shows up in the dump + // + SYMCRYPT_FORCE_WRITE32( &fatalCodeVar, fatalCode ); + + // + // Our first preference is to fastfail, + // the second to create an AV, which can trigger a core dump so that we get to + // see what is going wrong. + // + __fastfail( FAST_FAIL_CRYPTO_LIBRARY ); + + TEE_Panic(TEE_ERROR_BAD_STATE); + + // + // Next we write to the NULL pointer, this causes an AV + // + SYMCRYPT_FORCE_WRITE32( (volatile UINT32 *)NULL, fatalCode ); + + SymCryptFatalHang( fatalCode ); +} + +VOID +SYMCRYPT_CALL +SymCryptTestInjectErrorEnvOpteeTa( PBYTE pbBuf, SIZE_T cbBuf ) +{ + // + // This feature is only used during testing. In production it is always + // an empty function that the compiler can optimize away. + // + UNREFERENCED_PARAMETER( pbBuf ); + UNREFERENCED_PARAMETER( cbBuf ); +} + diff --git a/modules/linux/CMakeLists.txt b/modules/linux/CMakeLists.txt index 272b115..ed64d57 100644 --- a/modules/linux/CMakeLists.txt +++ b/modules/linux/CMakeLists.txt @@ -1,5 +1,12 @@ add_subdirectory(common) # Common functionality for Linux modules -add_subdirectory(generic) # Generic Linux module -if(SYMCRYPT_USE_ASM AND SYMCRYPT_TARGET_ARCH MATCHES "AMD64") - add_subdirectory(oe_full) # OpenEnclave with all functionality + +if(SYMCRYPT_TARGET_ENV MATCHES "LinuxUserMode") + + add_subdirectory(generic) # Generic Linux module + + if(SYMCRYPT_USE_ASM AND SYMCRYPT_TARGET_ARCH MATCHES "AMD64") + add_subdirectory(oe_full) # OpenEnclave with all functionality + endif() +elseif(SYMCRYPT_TARGET_ENV MATCHES "OPTEE") + add_subdirectory(optee) # OPTEE module endif() \ No newline at end of file diff --git a/modules/linux/common/callbacks_pthread.c b/modules/linux/common/callbacks_pthread.c new file mode 100644 index 0000000..7ce2fc3 --- /dev/null +++ b/modules/linux/common/callbacks_pthread.c @@ -0,0 +1,73 @@ +// +// callbacks_pthread.c +// Contains symcrypt call back functions for pthreads +// +// Copyright (c) Microsoft Corporation. Licensed under the MIT license. +// + +#include +#include "precomp.h" + +PVOID +SYMCRYPT_CALL +SymCryptCallbackAlloc( SIZE_T nBytes ) +{ + return aligned_alloc(SYMCRYPT_ASYM_ALIGN_VALUE, nBytes); +} + +VOID +SYMCRYPT_CALL +SymCryptCallbackFree( VOID * pMem ) +{ + free( pMem ); +} + +SYMCRYPT_ERROR +SYMCRYPT_CALL +SymCryptCallbackRandom( PBYTE pbBuffer, SIZE_T cbBuffer ) +{ + SymCryptRandom( pbBuffer, cbBuffer ); + return SYMCRYPT_NO_ERROR; +} + + +PVOID +SYMCRYPT_CALL +SymCryptCallbackAllocateMutexFastInproc(void) +{ + PVOID ptr = malloc(sizeof(pthread_mutex_t)); + + if( ptr ) + { + if( pthread_mutex_init( (pthread_mutex_t *)ptr, NULL ) != 0 ) + { + free(ptr); + ptr = NULL; + } + } + + return ptr; +} + +VOID +SYMCRYPT_CALL +SymCryptCallbackFreeMutexFastInproc( PVOID pMutex ) +{ + pthread_mutex_destroy( (pthread_mutex_t *)pMutex ); + + free(pMutex); +} + +VOID +SYMCRYPT_CALL +SymCryptCallbackAcquireMutexFastInproc( PVOID pMutex ) +{ + pthread_mutex_lock( (pthread_mutex_t *)pMutex ); +} + +VOID +SYMCRYPT_CALL +SymCryptCallbackReleaseMutexFastInproc( PVOID pMutex ) +{ + pthread_mutex_unlock( (pthread_mutex_t *)pMutex ); +} \ No newline at end of file diff --git a/modules/linux/common/callbacks_singlethreaded.c b/modules/linux/common/callbacks_singlethreaded.c new file mode 100644 index 0000000..158bb8a --- /dev/null +++ b/modules/linux/common/callbacks_singlethreaded.c @@ -0,0 +1,52 @@ +// +// callbacks_singlethreaded.c +// Contains symcrypt call back functions for single threaded applications. +// +// Copyright (c) Microsoft Corporation. Licensed under the MIT license. +// + +#include "precomp.h" + +PVOID +SYMCRYPT_CALL +SymCryptCallbackAlloc( SIZE_T nBytes ) +{ + return aligned_alloc(SYMCRYPT_ASYM_ALIGN_VALUE, nBytes);; +} + +VOID +SYMCRYPT_CALL +SymCryptCallbackFree( VOID * pMem ) +{ + free( pMem ); +} + +SYMCRYPT_ERROR +SYMCRYPT_CALL +SymCryptCallbackRandom( PBYTE pbBuffer, SIZE_T cbBuffer ) +{ + SymCryptRandom( pbBuffer, cbBuffer ); + return SYMCRYPT_NO_ERROR; +} + +PVOID +SYMCRYPT_CALL +SymCryptCallbackAllocateMutexFastInproc(void) +{ + static const BYTE byte = 0; + + // we want to return a valid non-NULL address so caller can check for NULL + return (PVOID)&byte; +} + +VOID +SYMCRYPT_CALL +SymCryptCallbackFreeMutexFastInproc( PVOID pMutex ) {} + +VOID +SYMCRYPT_CALL +SymCryptCallbackAcquireMutexFastInproc( PVOID pMutex ) {} + +VOID +SYMCRYPT_CALL +SymCryptCallbackReleaseMutexFastInproc( PVOID pMutex ) {} \ No newline at end of file diff --git a/modules/linux/common/module.c b/modules/linux/common/module.c index c3c75ad..ee4b63d 100644 --- a/modules/linux/common/module.c +++ b/modules/linux/common/module.c @@ -7,7 +7,6 @@ #include "precomp.h" -SYMCRYPT_ENVIRONMENT_LINUX_USERMODE // Module main function executed by the runtime upon load VOID __attribute__((constructor)) SymCryptModuleMain(void) @@ -75,77 +74,6 @@ VOID __attribute__((destructor)) SymCryptModuleDestructor(void) SymCryptRngUninit(); } -PVOID -SYMCRYPT_CALL -SymCryptCallbackAlloc( SIZE_T nBytes ) -{ - PVOID ptr = NULL; - if(posix_memalign( &ptr, SYMCRYPT_ASYM_ALIGN_VALUE, nBytes ) != 0) - { - return NULL; - } - - return ptr; -} - -VOID -SYMCRYPT_CALL -SymCryptCallbackFree( VOID * pMem ) -{ - free( pMem ); -} - -SYMCRYPT_ERROR -SYMCRYPT_CALL -SymCryptCallbackRandom( PBYTE pbBuffer, SIZE_T cbBuffer ) -{ - SymCryptRandom( pbBuffer, cbBuffer ); - return SYMCRYPT_NO_ERROR; -} - - -PVOID -SYMCRYPT_CALL -SymCryptCallbackAllocateMutexFastInproc(void) -{ - PVOID ptr = malloc(sizeof(pthread_mutex_t)); - - if( ptr ) - { - if( pthread_mutex_init( (pthread_mutex_t *)ptr, NULL ) != 0 ) - { - free(ptr); - ptr = NULL; - } - } - - return ptr; -} - -VOID -SYMCRYPT_CALL -SymCryptCallbackFreeMutexFastInproc( PVOID pMutex ) -{ - pthread_mutex_destroy( (pthread_mutex_t *)pMutex ); - - free(pMutex); -} - -VOID -SYMCRYPT_CALL -SymCryptCallbackAcquireMutexFastInproc( PVOID pMutex ) -{ - pthread_mutex_lock( (pthread_mutex_t *)pMutex ); -} - -VOID -SYMCRYPT_CALL -SymCryptCallbackReleaseMutexFastInproc( PVOID pMutex ) -{ - pthread_mutex_unlock( (pthread_mutex_t *)pMutex ); -} - - VOID SYMCRYPT_CALL SymCryptModuleInit( UINT32 api, UINT32 minor ) { if( api != SYMCRYPT_CODE_VERSION_API || diff --git a/modules/linux/common/optional/module_linuxUserMode.c b/modules/linux/common/optional/module_linuxUserMode.c new file mode 100644 index 0000000..74438a5 --- /dev/null +++ b/modules/linux/common/optional/module_linuxUserMode.c @@ -0,0 +1,10 @@ +// +// module_linuxUserMode.c +// SymCrypt env defined for linux user mode +// +// Copyright (c) Microsoft Corporation. Licensed under the MIT license. +// + +#include "precomp.h" + +SYMCRYPT_ENVIRONMENT_LINUX_USERMODE diff --git a/modules/linux/common/precomp.h b/modules/linux/common/precomp.h index 24c9435..cac989a 100644 --- a/modules/linux/common/precomp.h +++ b/modules/linux/common/precomp.h @@ -4,7 +4,6 @@ // Copyright (c) Microsoft Corporation. Licensed under the MIT license. // -#include #include #include #include diff --git a/modules/linux/common/rng.c b/modules/linux/common/rng.c index f9db50b..7afbaf2 100644 --- a/modules/linux/common/rng.c +++ b/modules/linux/common/rng.c @@ -13,7 +13,8 @@ #define RANDOM_NUM_CACHE_SIZE 128 #define MAX_GENERATE_BEFORE_RESEED 8192 -pthread_mutex_t g_rngLock; // lock around access to following global variable +PVOID g_rngLock; // lock around access to following global variable + BOOLEAN g_RngStateInstantiated = FALSE; SYMCRYPT_RNG_AES_STATE g_AesRngState; @@ -53,7 +54,9 @@ VOID SYMCRYPT_CALL SymCryptRngInit(void) { - if( pthread_mutex_init( &g_rngLock, NULL ) != 0) + g_rngLock = SymCryptCallbackAllocateMutexFastInproc(); + + if (g_rngLock == NULL) { SymCryptFatal( 'rngi' ); } @@ -112,7 +115,7 @@ SymCryptRngUninit(void) SymCryptEntropyFipsUninit(); SymCryptEntropySecureUninit(); SymCryptRngAesUninstantiate( &g_AesRngState ); - pthread_mutex_destroy( &g_rngLock ); + SymCryptCallbackFreeMutexFastInproc( g_rngLock ); } // This function fills pbRandom with cbRandom bytes. For small requests, @@ -130,8 +133,8 @@ SymCryptRandom( PBYTE pbRandom, SIZE_T cbRandom ) { return; } - - pthread_mutex_lock( &g_rngLock ); + + SymCryptCallbackAcquireMutexFastInproc( g_rngLock ); if( !g_RngStateInstantiated ) { @@ -223,7 +226,7 @@ SymCryptRandom( PBYTE pbRandom, SIZE_T cbRandom ) ); } - pthread_mutex_unlock( &g_rngLock ); + SymCryptCallbackReleaseMutexFastInproc( g_rngLock ); } // This function mixes the provided entropy into the RNG state using a call to SymCryptRngAesGenerateSmall @@ -247,7 +250,7 @@ SymCryptProvideEntropy( PCBYTE pbEntropy, SIZE_T cbEntropy ) // Get hash result in additionalInput buffer. SymCryptSha256Result( &hashState, additionalInput ); - pthread_mutex_lock( &g_rngLock ); + SymCryptCallbackAcquireMutexFastInproc( g_rngLock ); scError = SymCryptRngAesGenerateSmall( &g_AesRngState, @@ -260,7 +263,7 @@ SymCryptProvideEntropy( PCBYTE pbEntropy, SIZE_T cbEntropy ) SymCryptFatal( 'acdx' ); } - pthread_mutex_unlock( &g_rngLock ); + SymCryptCallbackReleaseMutexFastInproc( g_rngLock ); SymCryptWipeKnownSize( additionalInput, sizeof(additionalInput) ); } diff --git a/modules/linux/generic/CMakeLists.txt b/modules/linux/generic/CMakeLists.txt index 32f0a68..2ca6979 100644 --- a/modules/linux/generic/CMakeLists.txt +++ b/modules/linux/generic/CMakeLists.txt @@ -2,7 +2,9 @@ set(SOURCES statusindicator.c ../common/optional/rngfipsjitter.c ../common/optional/rngforkdetection.c - ../common/optional/rngsecureurandom.c) + ../common/optional/rngsecureurandom.c + ../common/optional/module_linuxUserMode.c + ../common/callbacks_pthread.c) # Enable integrity verification if compiling for AMD64 or ARM64 or ARM if(SYMCRYPT_TARGET_ARCH MATCHES "AMD64|ARM") diff --git a/modules/linux/oe_full/CMakeLists.txt b/modules/linux/oe_full/CMakeLists.txt index fec04e1..65b8c22 100644 --- a/modules/linux/oe_full/CMakeLists.txt +++ b/modules/linux/oe_full/CMakeLists.txt @@ -1,7 +1,9 @@ set(SOURCES ../common/integrity.c statusindicator.c - rng.c) + rng.c + ../common/optional/module_linuxUserMode.c + ../common/callbacks_pthread.c) include_directories(${CMAKE_SOURCE_DIR}/inc ../common) diff --git a/modules/linux/optee/CMakeLists.txt b/modules/linux/optee/CMakeLists.txt new file mode 100644 index 0000000..4e1f1f0 --- /dev/null +++ b/modules/linux/optee/CMakeLists.txt @@ -0,0 +1,10 @@ +set(SOURCES + rng.c + module_opteeTa.c + ../common/nointegrity.c + ../common/callbacks_singlethreaded.c) + +include_directories(../common) + +# Build SymCrypt lib for OPTEE +add_library(symcrypt_optee STATIC ${SOURCES} $ $ $) \ No newline at end of file diff --git a/modules/linux/optee/module_opteeTa.c b/modules/linux/optee/module_opteeTa.c new file mode 100644 index 0000000..3a78ea4 --- /dev/null +++ b/modules/linux/optee/module_opteeTa.c @@ -0,0 +1,10 @@ +// +// module_opteeTa.c +// SymCrypt env defined for optee TA +// +// Copyright (c) Microsoft Corporation. Licensed under the MIT license. +// + +#include "precomp.h" + +SYMCRYPT_ENVIRONMENT_OPTEE_TA diff --git a/modules/linux/optee/rng.c b/modules/linux/optee/rng.c new file mode 100644 index 0000000..b931fe2 --- /dev/null +++ b/modules/linux/optee/rng.c @@ -0,0 +1,61 @@ +// +// rng.c +// Defines secure entropy functions using TEE_GenerateRandom() as the source +// +// Copyright (c) Microsoft Corporation. Licensed under the MIT license. +// + +#include "precomp.h" +#include "rng.h" + +// TEE_GenerateRandom gets FIPS/secure RNG from OPTEE (will be Unresolved symbol and will be resolved in linker phase with OPTEE Application) +void TEE_GenerateRandom(void *randomBuffer, size_t randomBufferLen); + +VOID +SYMCRYPT_CALL +SymCryptEntropyFipsInit() +{} + +VOID +SYMCRYPT_CALL +SymCryptEntropyFipsUninit() +{} + +VOID +SYMCRYPT_CALL +SymCryptEntropyFipsGet( _Out_writes_( cbResult ) PBYTE pbResult, SIZE_T cbResult ) +{ + // TEE_GenerateRandom gets FIPS/secure RNG from OPTEE (implementation is platform specific) + TEE_GenerateRandom((void *)pbResult, cbResult); +} + +VOID +SYMCRYPT_CALL +SymCryptEntropySecureInit() +{} + +VOID +SYMCRYPT_CALL +SymCryptEntropySecureUninit() +{} + +VOID +SYMCRYPT_CALL +SymCryptEntropySecureGet( _Out_writes_( cbResult ) PBYTE pbResult, SIZE_T cbResult ) +{ + // TEE_GenerateRandom gets FIPS/secure RNG from OPTEE (implementation is platform specific) + TEE_GenerateRandom((void *)pbResult, cbResult); +} + +// Fork is not supported in Optee so no need to detect it +VOID +SYMCRYPT_CALL +SymCryptRngForkDetectionInit() +{} + +BOOLEAN +SYMCRYPT_CALL +SymCryptRngForkDetect() +{ + return FALSE; +} diff --git a/scripts/build.py b/scripts/build.py index 423ac36..bbf0c89 100755 --- a/scripts/build.py +++ b/scripts/build.py @@ -120,6 +120,12 @@ def configure_cmake(args : argparse.Namespace) -> None: if args.openssl_branch: cmake_args.append("-DOPENSSL_BUILD_BRANCH=" + args.openssl_branch) + # OPTEE + if args.optee: + cmake_args.append("-DSYMCRYPT_OPTEE=ON") + + if args.ta_dev_kit_inc: + cmake_args.append("-DTA_DEV_KIT_INC=" + args.ta_dev_kit_inc) if args.clean and args.build_dir.exists(): shutil.rmtree(args.build_dir) @@ -146,6 +152,9 @@ def build_cmake(args : argparse.Namespace) -> None: if args.parallel_build: cmake_args.append("-j") + if args.target: + cmake_args.append("--target " + args.target) + invoke_build_tool("cmake", cmake_args) def build_msbuild(args : argparse.Namespace) -> None: @@ -217,6 +226,11 @@ def main() -> None: parser_cmake.add_argument("--openssl", action = "store_true", help = "Enable OpenSSL performance comparison.", default = False) parser_cmake.add_argument("--openssl-branch", type = str, help = "Checkout and build specified branch of OpenSSL.", default = None) parser_cmake.add_argument("--openssl-build-from-source", action = "store_true", help = "Build OpenSSL from source.", default = False) + parser_cmake.add_argument("--target", type = str, help = "Build a specific target.") + + # OPTEE + parser_cmake.add_argument("--optee", action = "store_true", help = "Build SymCrypt for OPTEE env.", default = False) + parser_cmake.add_argument("--ta_dev_kit_inc", type = str, help = "TA DEV KIT include folder, needed for OPTEE TA compilation.") # MSBuild build options parser_msbuild = subparsers.add_parser("msbuild", help = "Build using MSBuild.")