arno
/
trezor-firmware
mirror of https://github.com/trezor/trezor-firmware.git
1
0
Fork 0
Code Issues Releases Wiki Activity

feat(core): use U5 HW keys to additionally encrypt storage items

Browse Source 
[no changelog]
pull/3694/head
tychovrahe 2 months ago committed by TychoVrahe
parent f347a08fd1
commit e060ac68c5
3 changed files with 135 additions and 21 deletions
Show Stats Download Patch File Download Diff File

24
core/embed/trezorhal/secure_aes.h
Unescape View File

@ -24,17 +24,25 @@
#include <stddef.h>
#include <stdint.h>
typedef enum {
SECURE_AES_KEY_DHUK,
SECURE_AES_KEY_BHK,
SECURE_AES_KEY_XORK,
} secure_aes_keysel_t;
// Initializes secure AES module
secbool secure_aes_init(void);
// Encrypts a block of data using AES-256 EBB and (DHUK xor BHK) key
// Input and output must be aligned to 32 bits, size is in bytes
secbool secure_aes_encrypt(uint32_t* input, size_t size, uint32_t* output);
// Decrypts a block of data using AES-256 ECB and (DHUK xor BHK) key
// Input and output must be aligned to 32 bits, size is in bytes
secbool secure_aes_decrypt(uint32_t* input, size_t size, uint32_t* output);
// Encrypts a block of data using AES-256 ECB and HW key (DHUK, BHK or XORK)
// For optimal speed input and output should be aligned to 32 bits, size is in
// bytes
secbool secure_aes_ecb_encrypt_hw(const uint8_t* input, size_t size,
uint8_t* output, secure_aes_keysel_t key);
void secure_aes_test();
// Decrypts a block of data using AES-256 ECB and HW key (DHUK, BHK or XORK)
// For optimal speed input and output should be aligned to 32 bits, size is in
// bytes
secbool secure_aes_ecb_decrypt_hw(const uint8_t* input, size_t size,
uint8_t* output, secure_aes_keysel_t key);
#endif // TREZOR_HAL_SECURE_AES_H

108
core/embed/trezorhal/stm32u5/secure_aes.c
Unescape View File

@ -22,6 +22,10 @@
#include <stdio.h>
#include <stm32u5xx_hal_cryp.h>
#include <string.h>
#include "memzero.h"
#define AES_BLOCK_SIZE 16
secbool secure_aes_init(void) {
RCC_OscInitTypeDef osc_init_def = {0};
@ -50,20 +54,40 @@ static void secure_aes_load_bhk(void) {
TAMP->BKP7R;
}
secbool secure_aes_encrypt(uint32_t* input, size_t size, uint32_t* output) {
static uint32_t get_keysel(secure_aes_keysel_t key) {
switch (key) {
case SECURE_AES_KEY_DHUK:
return CRYP_KEYSEL_HW;
case SECURE_AES_KEY_BHK:
return CRYP_KEYSEL_SW;
case SECURE_AES_KEY_XORK:
return CRYP_KEYSEL_HSW;
default:
return 0;
}
}
secbool secure_aes_ecb_encrypt_hw(const uint8_t* input, size_t size,
uint8_t* output, secure_aes_keysel_t key) {
CRYP_HandleTypeDef hcryp = {0};
uint32_t iv[] = {0, 0, 0, 0};
if (size % AES_BLOCK_SIZE != 0) {
return secfalse;
}
uint32_t keysel = get_keysel(key);
hcryp.Instance = SAES;
hcryp.Init.DataType = CRYP_NO_SWAP;
hcryp.Init.KeySelect = CRYP_KEYSEL_HSW;
hcryp.Init.KeySelect = keysel;
hcryp.Init.KeySize = CRYP_KEYSIZE_256B;
hcryp.Init.pKey = NULL;
hcryp.Init.pInitVect = iv;
hcryp.Init.Algorithm = CRYP_AES_ECB;
hcryp.Init.Header = NULL;
hcryp.Init.HeaderSize = 0;
hcryp.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_WORD;
hcryp.Init.DataWidthUnit = CRYP_DATAWIDTHUNIT_BYTE;
hcryp.Init.HeaderWidthUnit = CRYP_HEADERWIDTHUNIT_BYTE;
hcryp.Init.KeyIVConfigSkip = CRYP_KEYIVCONFIG_ALWAYS;
hcryp.Init.KeyMode = CRYP_KEYMODE_NORMAL;
@ -72,10 +96,37 @@ secbool secure_aes_encrypt(uint32_t* input, size_t size, uint32_t* output) {
return secfalse;
}
secure_aes_load_bhk();
if (keysel == CRYP_KEYSEL_HSW || keysel == CRYP_KEYSEL_SW) {
secure_aes_load_bhk();
}
if (HAL_CRYP_Encrypt(&hcryp, input, size, output, HAL_MAX_DELAY) != HAL_OK) {
return secfalse;
if ((size_t)input % sizeof(uint32_t) != 0 ||
(size_t)output % sizeof(uint32_t) != 0) {
size_t tmp_size = size;
while (tmp_size >= AES_BLOCK_SIZE) {
uint32_t input_buffer[AES_BLOCK_SIZE / sizeof(uint32_t)];
uint32_t output_buffer[AES_BLOCK_SIZE / sizeof(uint32_t)];
memcpy(input_buffer, input, AES_BLOCK_SIZE);
if (HAL_CRYP_Encrypt(&hcryp, input_buffer, AES_BLOCK_SIZE, output_buffer,
HAL_MAX_DELAY) != HAL_OK) {
memzero(input_buffer, sizeof(input_buffer));
memzero(output_buffer, sizeof(output_buffer));
return secfalse;
}
memcpy(output, output_buffer, AES_BLOCK_SIZE);
input += AES_BLOCK_SIZE;
output += AES_BLOCK_SIZE;
tmp_size -= AES_BLOCK_SIZE;
memzero(input_buffer, sizeof(input_buffer));
memzero(output_buffer, sizeof(output_buffer));
}
} else {
if (HAL_CRYP_Encrypt(&hcryp, (uint32_t*)input, size, (uint32_t*)output,
HAL_MAX_DELAY) != HAL_OK) {
return secfalse;
}
}
HAL_CRYP_DeInit(&hcryp);
@ -83,13 +134,20 @@ secbool secure_aes_encrypt(uint32_t* input, size_t size, uint32_t* output) {
return sectrue;
}
secbool secure_aes_decrypt(uint32_t* input, size_t size, uint32_t* output) {
secbool secure_aes_ecb_decrypt_hw(const uint8_t* input, size_t size,
uint8_t* output, secure_aes_keysel_t key) {
CRYP_HandleTypeDef hcryp = {0};
uint32_t iv[] = {0, 0, 0, 0};
if (size % AES_BLOCK_SIZE != 0) {
return secfalse;
}
uint32_t keysel = get_keysel(key);
hcryp.Instance = SAES;
hcryp.Init.DataType = CRYP_NO_SWAP;
hcryp.Init.KeySelect = CRYP_KEYSEL_HSW;
hcryp.Init.KeySelect = keysel;
hcryp.Init.KeySize = CRYP_KEYSIZE_256B;
hcryp.Init.pKey = NULL;
hcryp.Init.pInitVect = iv;
@ -104,11 +162,37 @@ secbool secure_aes_decrypt(uint32_t* input, size_t size, uint32_t* output) {
if (HAL_CRYP_Init(&hcryp) != HAL_OK) {
return secfalse;
}
if (keysel == CRYP_KEYSEL_HSW || keysel == CRYP_KEYSEL_SW) {
secure_aes_load_bhk();
}
secure_aes_load_bhk();
if (HAL_CRYP_Decrypt(&hcryp, input, size, output, HAL_MAX_DELAY) != HAL_OK) {
return secfalse;
if ((size_t)input % sizeof(uint32_t) != 0 ||
(size_t)output % sizeof(uint32_t) != 0) {
size_t tmp_size = size;
while (tmp_size >= AES_BLOCK_SIZE) {
uint32_t input_buffer[AES_BLOCK_SIZE / sizeof(uint32_t)];
uint32_t output_buffer[AES_BLOCK_SIZE / sizeof(uint32_t)];
memcpy(input_buffer, input, AES_BLOCK_SIZE);
if (HAL_CRYP_Decrypt(&hcryp, input_buffer, AES_BLOCK_SIZE, output_buffer,
HAL_MAX_DELAY) != HAL_OK) {
memzero(input_buffer, sizeof(input_buffer));
memzero(output_buffer, sizeof(output_buffer));
return secfalse;
}
memcpy(output, output_buffer, AES_BLOCK_SIZE);
input += AES_BLOCK_SIZE;
output += AES_BLOCK_SIZE;
tmp_size -= AES_BLOCK_SIZE;
memzero(input_buffer, sizeof(input_buffer));
memzero(output_buffer, sizeof(output_buffer));
}
} else {
if (HAL_CRYP_Decrypt(&hcryp, (uint32_t*)input, size, (uint32_t*)output,
HAL_MAX_DELAY) != HAL_OK) {
return secfalse;
}
}
HAL_CRYP_DeInit(&hcryp);

24
storage/storage.c
Unescape View File

@ -36,6 +36,10 @@
#include "optiga.h"
#endif
#ifdef STM32U5
#include "secure_aes.h"
#endif
// The APP namespace which is reserved for storage related values.
#define APP_STORAGE 0x00
@ -491,7 +495,17 @@ static void derive_kek(const uint8_t *pin, size_t pin_len,
pbkdf2_hmac_sha256_Update(&ctx, PIN_ITER_COUNT / 10);
ui_progress(PIN_PBKDF2_MS / 10);
}
#ifdef STM32U5
uint8_t pre_kek[SHA256_DIGEST_LENGTH] = {0};
pbkdf2_hmac_sha256_Final(&ctx, pre_kek);
ensure(secure_aes_ecb_encrypt_hw(pre_kek, SHA256_DIGEST_LENGTH, kek,
SECURE_AES_KEY_XORK),
"secure_aes derive kek failed");
memzero(pre_kek, sizeof(pre_kek));
#else
pbkdf2_hmac_sha256_Final(&ctx, kek);
#endif
pbkdf2_hmac_sha256_Init(&ctx, pin, pin_len, salt, salt_len, 2);
for (int i = 6; i <= 10; i++) {
@ -541,8 +555,16 @@ static void stretch_pin_optiga(const uint8_t *pin, size_t pin_len,
pbkdf2_hmac_sha256_Update(&ctx, PIN_ITER_COUNT / 10);
ui_progress(PIN_PBKDF2_MS / 10);
}
#ifdef STM32U5
uint8_t stretched_pin_tmp[OPTIGA_PIN_SECRET_SIZE] = {0};
pbkdf2_hmac_sha256_Final(&ctx, stretched_pin_tmp);
ensure(secure_aes_ecb_encrypt_hw(stretched_pin_tmp, OPTIGA_PIN_SECRET_SIZE,
stretched_pin, SECURE_AES_KEY_XORK),
"secure_aes pin stretch failed");
memzero(stretched_pin_tmp, sizeof(stretched_pin_tmp));
#else
pbkdf2_hmac_sha256_Final(&ctx, stretched_pin);
#endif
memzero(&ctx, sizeof(ctx));
}
#endif

Write Preview
Loading…
Cancel
Save