libptateec: manufacturing protection PTA

This abstraction provides TEEC access to stable PTAs present in the
OP-TEE upstream tree.

The first of these miscellaenous PTAs to be integrated in the library
is the iMX Manufacturing Protection [1] for which two functions are
provided:
  - Retrieval of the EC Public Key.
  - Signature generation.

[1] AN13676, i.MX RT1170 Manufacturing Protection

Signed-off-by: Jorge Ramirez-Ortiz <[email protected]>

CMakeLists.txt

@@ -48,3 +48,4 @@ if(WITH_TEEACL)
     add_subdirectory (libteeacl)
 endif(WITH_TEEACL)
 add_subdirectory (libseteec)
+add_subdirectory (libptateec)

Makefile

@@ -22,7 +22,7 @@ includedir ?= $(INCLUDEDIR)
 WITH_TEEACL ?= 1
 
 .PHONY: all build build-libteec build-libckteec build-libseteec \
-	build-libteeacl install copy_export clean cscope \
+	build-libteeacl built-libptateec install copy_export clean cscope \
 	clean-cscope \
 	checkpatch-pre-req checkpatch-modified-patch checkpatch-modified-file \
 	checkpatch-last-commit-patch checkpatch-last-commit-file \
@@ -40,7 +40,7 @@ build-tee-supplicant: build-libteec
 	@echo "Building tee-supplicant"
 	$(MAKE) --directory=tee-supplicant  --no-print-directory --no-builtin-variables CFG_TEE_SUPP_LOG_LEVEL=$(CFG_TEE_SUPP_LOG_LEVEL)
 
-build: build-libteec build-tee-supplicant build-libckteec build-libseteec
+build: build-libteec build-tee-supplicant build-libckteec build-libseteec build-libptateec
 ifeq ($(WITH_TEEACL),1)
 build: build-libteeacl
 endif
@@ -57,10 +57,14 @@ build-libteeacl:
 	@echo "Building libteeacl.so"
 	@$(MAKE) --directory=libteeacl --no-print-directory --no-builtin-variables
 
+build-libptateec: build-libteec
+	@echo "Building libptateec.so"
+	@$(MAKE) --directory=libptateec --no-print-directory --no-builtin-variables
+
 install: copy_export
 
 clean: clean-libteec clean-tee-supplicant clean-cscope clean-libckteec \
-	clean-libseteec
+	clean-libseteec clean-libptateec
 ifeq ($(WITH_TEEACL),1)
 clean: clean-libteeacl
 endif
@@ -80,6 +84,9 @@ clean-libseteec:
 clean-libteeacl:
 	@$(MAKE) --directory=libteeacl --no-print-directory clean
 
+clean-libptateec:
+	@$(MAKE) --directory=libptateec --no-print-directory clean
+
 cscope:
 	@echo "  CSCOPE"
 	${VPREFIX}find ${CURDIR} -name "*.[chsS]" > cscope.files
@@ -172,3 +179,6 @@ endif
 	cp libseteec/include/*.h $(DESTDIR)$(includedir)
 	cp -d ${O}/libseteec/libseteec.so* $(DESTDIR)$(libdir)
 	cp -d ${O}/libseteec/libseteec.a $(DESTDIR)$(libdir)
+	cp libptateec/include/*.h $(DESTDIR)$(INCLUDEDIR)
+	cp -d ${O}/libptateec/libptateec.so* $(DESTDIR)$(LIBDIR)
+	cp -d ${O}/libptateec/libptateec.a $(DESTDIR)$(LIBDIR)

libptateec/CMakeLists.txt

@@ -0,0 +1,66 @@
+project(ptateec
+	VERSION 0.1.0
+	LANGUAGES C)
+
+################################################################################
+# Packages
+################################################################################
+find_package(Threads REQUIRED)
+if(NOT THREADS_FOUND)
+	message(FATAL_ERROR "Threads not found")
+endif()
+
+include(GNUInstallDirs)
+
+################################################################################
+# Source files
+################################################################################
+set (SRC
+	src/pta.c
+	src/pta_imx_manufacturing_protection.c
+)
+
+################################################################################
+# Built library
+################################################################################
+add_library (ptateec ${SRC})
+
+set_target_properties (ptateec PROPERTIES
+	VERSION ${PROJECT_VERSION}
+	SOVERSION ${PROJECT_VERSION_MAJOR}
+)
+
+################################################################################
+# Flags always set
+################################################################################
+target_compile_definitions (ptateec
+	PRIVATE -D_GNU_SOURCE
+	PRIVATE -DBINARY_PREFIX="LT"
+)
+
+################################################################################
+# Optional flags
+################################################################################
+
+################################################################################
+# Public and private header and library dependencies
+################################################################################
+target_include_directories(ptateec
+	PUBLIC $<BUILD_INTERFACE:${CMAKE_CURRENT_SOURCE_DIR}/include>
+	$<INSTALL_INTERFACE:include>
+	PRIVATE src
+)
+
+target_link_libraries (ptateec
+	PRIVATE pthread
+	PRIVATE teec
+)
+
+################################################################################
+# Install targets
+################################################################################
+install (TARGETS ptateec
+	DESTINATION ${CMAKE_INSTALL_LIBDIR}
+)
+
+add_subdirectory(include)

libptateec/Makefile

@@ -0,0 +1,71 @@
+include ../flags.mk
+include ../config.mk
+
+OUT_DIR := $(OO)/libptateec
+
+.PHONY: all libptateec clean
+
+all: libptateec
+install: libptateec
+
+LIB_NAME	:= libptateec
+MAJOR_VERSION	:= 0
+MINOR_VERSION	:= 1
+PATCH_VERSION	:= 0
+
+LIB_MAJOR		:= $(LIB_NAME).so.$(MAJOR_VERSION)
+LIB_MAJ_MIN		:= $(LIB_NAME).so.$(MAJOR_VERSION).$(MINOR_VERSION)
+LIB_MAJ_MIN_PAT		:= $(LIB_NAME).so.$(MAJOR_VERSION).$(MINOR_VERSION).$(PATCH_VERSION)
+LIBPTATEEC_SO_LIBRARY	:= $(LIB_MAJ_MIN_PAT)
+LIBPTATEEC_AR_LIBRARY	:= $(LIB_NAME).a
+
+LIBPTATEEC_SRC_DIR	:= src
+
+LIBPTATEEC_SRCS	= pta.c \
+		  pta_imx_manufacturing_protection.c
+
+LIBPTATEEC_INCLUDES	= ${CURDIR}/include
+LIBPTATEEC_INCLUDES 	+= ${CURDIR}/../public
+
+LIBPTATEEC_CFLAGS	:= $(addprefix -I, $(LIBPTATEEC_INCLUDES)) \
+			$(CFLAGS) -D_GNU_SOURCE -fPIC
+
+LIBPTATEEC_LFLAGS	:= $(LDFLAGS) -L$(OUT_DIR)/../libteec -lteec -lpthread
+
+LIBPTATEEC_OBJ_DIR	:= $(OUT_DIR)
+LIBPTATEEC_OBJS		:= $(patsubst %.c,$(LIBPTATEEC_OBJ_DIR)/%.o, $(LIBPTATEEC_SRCS))
+
+$(LIBPTATEEC_OBJ_DIR)/%.o: ${LIBPTATEEC_SRC_DIR}/%.c
+	$(VPREFIX)mkdir -p $(LIBPTATEEC_OBJ_DIR)
+	@echo "  CC      $<"
+	$(VPREFIX)$(CC) $(LIBPTATEEC_CFLAGS) -c $< -o $@
+
+libptateec: $(OUT_DIR)/$(LIBPTATEEC_SO_LIBRARY)
+
+$(OUT_DIR)/$(LIBPTATEEC_SO_LIBRARY): $(LIBPTATEEC_OBJS)
+	@echo "  LINK    $@"
+	$(VPREFIX)$(CC) -shared -Wl,-soname,$(LIB_MAJOR) -o $@ $+ $(LIBPTATEEC_LFLAGS)
+	@echo ""
+
+libptateec: $(OUT_DIR)/$(LIBPTATEEC_AR_LIBRARY)
+
+$(OUT_DIR)/$(LIBPTATEEC_AR_LIBRARY): $(LIBPTATEEC_OBJS)
+	@echo "  AR      $@"
+	$(VPREFIX)$(AR) rcs $@ $+
+
+libptateec:
+	$(VPREFIX)ln -sf $(LIB_MAJ_MIN_PAT) $(OUT_DIR)/$(LIB_MAJ_MIN)
+	$(VPREFIX)ln -sf $(LIB_MAJ_MIN) $(OUT_DIR)/$(LIB_MAJOR)
+	$(VPREFIX)ln -sf $(LIB_MAJOR) $(OUT_DIR)/$(LIB_NAME).so
+
+################################################################################
+# Cleaning up configuration
+################################################################################
+clean:
+	$(RM) $(LIBPTATEEC_OBJS)
+	$(RM) $(OUT_DIR)/$(LIB_MAJ_MIN_PAT)
+	$(RM) $(OUT_DIR)/$(LIB_MAJ_MIN)
+	$(RM) $(OUT_DIR)/$(LIB_MAJOR)
+	$(RM) $(OUT_DIR)/$(LIBPTATEEC_SO_LIBRARY)
+	$(RM) $(OUT_DIR)/$(LIBPTATEEC_AR_LIBRARY)
+	$(call rmdir,$(OUT_DIR))

libptateec/include/CMakeLists.txt

@@ -0,0 +1,7 @@
+project (libptateec-headers C)
+
+FILE(GLOB INSTALL_HEADERS "*.h")
+
+add_library(${PROJECT_NAME} INTERFACE)
+
+install (FILES ${INSTALL_HEADERS} DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})

libptateec/include/pta_tee.h

@@ -0,0 +1,54 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*
+ * Copyright (c) 2023, Foundries.io
+ */
+
+#ifndef PTA_TEE_H
+#define PTA_TEE_H
+
+#include <unistd.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * pta_imx_mprotect_get_key() - Retrieves the iMX CAAM Manufacturing Protection
+ * EC public key. The components x,y are retrieved in RAW format and should
+ * be converted to DER or PEM as required.
+ *
+ * For the 256 bit curve, this will generate two 32 byte components therefore
+ * requiring at least a 64 byte buffer.
+ *
+ * @return TEEC_ERROR_BAD_PARAMETERS	Invalid parameters provided on input.
+ * @return TEEC_ERROR_ACCESS_DENIED	Error opening the TEE session.
+ * @return TEEC_ERROR_GENERIC		Error unspecified.
+ * @return TEEC_ERROR_SHORT_BUFFER	Error small buffer provided.
+ * @return TEEC_SUCCESS			On success.
+ *
+ */
+TEEC_Result pta_imx_mprotect_get_key(char *key, size_t *len);
+
+/**
+ * pta_imx_mprotect_sign() - Signs a message using the Manufacturing Protection
+ * EC private key.
+ *
+ * This function takes message data as input and outputs a signature over a
+ * message composed of the content of the MPMR, followed by the input-data
+ * message.
+ *
+ * @return TEEC_ERROR_BAD_PARAMETERS	Invalid parameters provided on input.
+ * @return TEEC_ERROR_ACCESS_DENIED	Error opening the TEE session.
+ * @return TEEC_ERROR_GENERIC		Error unspecified.
+ * @return TEEC_ERROR_SHORT_BUFFER	Error small buffer provided.
+ * @return TEEC_SUCCESS			On success.
+ *
+ */
+TEEC_Result pta_imx_mprotect_sign(char *message, size_t mlen, char *signature,
+				  size_t *slen, char *mpmr, size_t *len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /*PTA_TEE_H*/

libptateec/src/pta.c

@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: BSD-2-Clause
+/*
+ * Copyright (c) 2023, Foundries.io Ltd
+ */
+
+#ifndef BINARY_PREFIX
+#define BINARY_PREFIX "ptateec"
+#endif
+
+#include "pta.h"
+
+bool pta_open_session(struct ta_context *ctx)
+{
+	TEEC_Result res = TEEC_SUCCESS;
+
+	if (pthread_mutex_lock(&ctx->lock))
+		return false;
+
+	if (!ctx->open) {
+		res = TEEC_InitializeContext(NULL, &ctx->context);
+		if (!res) {
+			res = TEEC_OpenSession(&ctx->context, &ctx->session,
+					       &ctx->uuid, TEEC_LOGIN_PUBLIC,
+					       NULL, NULL, NULL);
+			if (!res)
+				ctx->open = true;
+		}
+	}
+
+	return !pthread_mutex_unlock(&ctx->lock) && !res;
+}

libptateec/src/pta.h

@@ -0,0 +1,29 @@
+/* SPDX-License-Identifier: BSD-2-Clause */
+/*
+ * Copyright (c) 2023, Foundries.io Ltd
+ */
+#ifndef PTA_H
+#define PTA_H
+
+#include <errno.h>
+#include <inttypes.h>
+#include <pthread.h>
+#include <pta_tee.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <tee_client_api.h>
+#include <teec_trace.h>
+
+struct ta_context {
+	pthread_mutex_t lock;
+	TEEC_Context context;
+	TEEC_Session session;
+	TEEC_UUID uuid;
+	bool open;
+};
+
+bool pta_open_session(struct ta_context *ctx);
+
+#endif