drivers/crypto: Add mbedTLS shim crypto driver

This exposes the CCM operations through generic Crypto API.

Change-Id: I09346e77bf8821c208305a7aa2805cf49cb42d71
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>

drivers/crypto/Kconfig

@@ -61,6 +61,29 @@ config CRYPTO_TINYCRYPT_SHIM_DRV_NAME
 	help
 	Device name for TinyCrypt Pseudo device.
 
+config CRYPTO_MBEDTLS_SHIM
+	bool "Enable mbedTLS shim driver [EXPERIMENTAL] "
+	default n
+	select MBEDTLS
+	select MBEDTLS_ENABLE_HEAP
+	help
+	Enable mbedTLS shim layer compliant with crypto APIs. You will need
+	to fill in a relevant value to CONFIG_MBEDTLS_HEAP_SIZE.
+
+config CRYPTO_MBEDTLS_SHIM_DRV_NAME
+	string "Device name for mbedTLS Pseudo device"
+	default "CRYPTO_MTLS"
+	depends on CRYPTO_MBEDTLS_SHIM
+	help
+	Device name for mbedTLS Pseudo device.
+
+config CRYPTO_MBEDTLS_SHIM_MAX_SESSION
+	int "Maximum of sessions mbedTLS shim driver can handle"
+	default 2
+	help
+	This can be used to tweak the amount of sessions the driver
+	can handle in parallel.
+
 source "drivers/crypto/Kconfig.ataes132a"
 
 endif # CRYPTO

drivers/crypto/Makefile

@@ -2,3 +2,4 @@ ccflags-$(CONFIG_CRYPTO_TINYCRYPT_SHIM) += -I${srctree}/ext/lib/crypto/tinycrypt
 
 obj-$(CONFIG_CRYPTO_TINYCRYPT_SHIM) += crypto_tc_shim.o
 obj-$(CONFIG_CRYPTO_ATAES132A) += crypto_ataes132a.o
+obj-$(CONFIG_CRYPTO_MBEDTLS_SHIM) += crypto_mtls_shim.o

drivers/crypto/crypto_mtls_shim.c

@@ -0,0 +1,196 @@
+/*
+ * Copyright (c) 2017 Intel Corporation.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * @file Shim layer for mbedTLS, crypto API compliant.
+ */
+
+#define SYS_LOG_LEVEL CONFIG_SYS_LOG_CRYPTO_LEVEL
+#include <logging/sys_log.h>
+
+#include <kernel.h>
+#include <init.h>
+#include <errno.h>
+#include <crypto/cipher.h>
+
+#if !defined(CONFIG_MBEDTLS_CFG_FILE)
+#include "mbedtls/config.h"
+#else
+#include CONFIG_MBEDTLS_CFG_FILE
+#endif /* CONFIG_MBEDTLS_CFG_FILE */
+
+#include <mbedtls/ccm.h>
+#include <mbedtls/aes.h>
+
+#define MTLS_SUPPORT (CAP_RAW_KEY | CAP_SEPARATE_IO_BUFS | CAP_SYNC_OPS)
+
+struct mtls_shim_session {
+	mbedtls_ccm_context mtls;
+	bool in_use;
+};
+
+#define CRYPTO_MAX_SESSION CONFIG_CRYPTO_MBEDTLS_SHIM_MAX_SESSION
+
+struct mtls_shim_session mtls_sessions[CRYPTO_MAX_SESSION];
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+#else
+#error "You need to define MBEDTLS_MEMORY_BUFFER_ALLOC_C"
+#endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
+
+static int mtls_ccm_encrypt_auth(struct cipher_ctx *ctx,
+				 struct cipher_aead_pkt *apkt,
+				 u8_t *nonce)
+{
+	mbedtls_ccm_context *mtls_ctx =
+		&((struct mtls_shim_session *)ctx->drv_sessn_state)->mtls;
+	int ret;
+
+	ret = mbedtls_ccm_encrypt_and_tag(mtls_ctx, apkt->pkt->in_len, nonce,
+					  ctx->mode_params.ccm_info.nonce_len,
+					  apkt->ad, apkt->ad_len,
+					  apkt->pkt->in_buf,
+					  apkt->pkt->out_buf, apkt->tag,
+					  ctx->mode_params.ccm_info.tag_len);
+	if (ret) {
+		SYS_LOG_ERR("Could non encrypt/auth (%d)", ret);
+
+		/*ToDo: try to return relevant code depending on ret? */
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
+static int mtls_ccm_decrypt_auth(struct cipher_ctx *ctx,
+				 struct cipher_aead_pkt *apkt,
+				 u8_t *nonce)
+{
+	mbedtls_ccm_context *mtls_ctx =
+		&((struct mtls_shim_session *)ctx->drv_sessn_state)->mtls;
+	int ret;
+
+	ret = mbedtls_ccm_auth_decrypt(mtls_ctx, apkt->pkt->in_len, nonce,
+				       ctx->mode_params.ccm_info.nonce_len,
+				       apkt->ad, apkt->ad_len,
+				       apkt->pkt->in_buf,
+				       apkt->pkt->out_buf, apkt->tag,
+				       ctx->mode_params.ccm_info.tag_len);
+	if (ret) {
+		SYS_LOG_ERR("Could non decrypt/auth (%d)", ret);
+
+		/*ToDo: try to return relevant code depending on ret? */
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
+static int mtls_get_unused_session_index(void)
+{
+	int i;
+
+	for (i = 0; i < CRYPTO_MAX_SESSION; i++) {
+		if (!mtls_sessions[i].in_use) {
+			mtls_sessions[i].in_use = true;
+			return i;
+		}
+	}
+
+	return -1;
+}
+
+int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
+		       enum cipher_algo algo, enum cipher_mode mode,
+		       enum cipher_op op_type)
+{
+	mbedtls_ccm_context *mtls_ctx;
+	int ctx_idx;
+	int ret;
+
+	if (ctx->flags & ~(MTLS_SUPPORT)) {
+		SYS_LOG_ERR("Unsupported flag");
+		return -EINVAL;
+	}
+
+	if (algo != CRYPTO_CIPHER_ALGO_AES) {
+		SYS_LOG_ERR("Unsupported algo");
+		return -EINVAL;
+	}
+
+	if (mode != CRYPTO_CIPHER_MODE_CCM) {
+		SYS_LOG_ERR("Unsupported mode");
+		return -EINVAL;
+	}
+
+	if (ctx->keylen != 16) {
+		SYS_LOG_ERR("%u key size is not supported", ctx->keylen);
+		return -EINVAL;
+	}
+
+	ctx_idx = mtls_get_unused_session_index();
+	if (ctx_idx < 0) {
+		SYS_LOG_ERR("No free session for now");
+		return -ENOSPC;
+	}
+
+	mtls_ctx = &mtls_sessions[ctx_idx].mtls;
+
+	mbedtls_ccm_init(mtls_ctx);
+
+	ret = mbedtls_ccm_setkey(mtls_ctx, MBEDTLS_CIPHER_ID_AES,
+				 ctx->key.bit_stream, ctx->keylen * 8);
+	if (ret) {
+		SYS_LOG_ERR("Could not setup the key (%d)", ret);
+		mtls_sessions[ctx_idx].in_use = false;
+
+		return -EINVAL;
+	}
+
+	ctx->drv_sessn_state = &mtls_sessions[ctx_idx];
+
+	if (op_type == CRYPTO_CIPHER_OP_ENCRYPT) {
+		ctx->ops.ccm_crypt_hndlr = mtls_ccm_encrypt_auth;
+	} else {
+		ctx->ops.ccm_crypt_hndlr = mtls_ccm_decrypt_auth;
+	}
+
+	return ret;
+}
+
+int mtls_session_free(struct device *dev, struct cipher_ctx *ctx)
+{
+	struct mtls_shim_session *mtls_session =
+		(struct mtls_shim_session *)ctx->drv_sessn_state;
+
+	mbedtls_ccm_free(&mtls_session->mtls);
+	mtls_session->in_use = false;
+
+	return 0;
+}
+
+int mtls_query_caps(struct device *dev)
+{
+	return MTLS_SUPPORT;
+}
+
+static int mtls_shim_init(struct device *dev)
+{
+	return 0;
+}
+
+static struct crypto_driver_api mtls_crypto_funcs = {
+	.begin_session = mtls_session_setup,
+	.free_session = mtls_session_free,
+	.crypto_async_callback_set = NULL,
+	.query_hw_caps = mtls_query_caps,
+};
+
+DEVICE_AND_API_INIT(crypto_mtls, CONFIG_CRYPTO_MBEDTLS_SHIM_DRV_NAME,
+		    &mtls_shim_init, NULL, NULL,
+		    POST_KERNEL, CONFIG_CRYPTO_INIT_PRIORITY,
+		    (void *)&mtls_crypto_funcs);