NVIDIA DRIVE OS Linux SDK API Reference

5.2.6 Release
For Test and Development only

Detailed Description

Typedefs

typedef uint32_t KeySlotHandle
 This type is used to define key slot handle to hold the key slot. More...
 

Enumerations

enum  NV_TE_CryptoServiceOperation {
  CRYPTO_SERVICE_PING = 0x00000000,
  CRYPTO_SERVICE_ENCRYPT = 0x00000001,
  CRYPTO_SERVICE_DECRYPT = 0x00000002,
  CRYPTO_SERVICE_DERIVE_KEK = 0x00000003,
  CRYPTO_SERVICE_DIGEST_INIT = 0x00000004,
  CRYPTO_SERVICE_DIGEST_UPDATE = 0x00000005,
  CRYPTO_SERVICE_DIGEST_DO_FINAL = 0x00000006,
  CRYPTO_SERVICE_DIGEST_FREE = 0x00000007,
  CRYPTO_SERVICE_AES_INIT = 0x00000008,
  CRYPTO_SERVICE_AES_UPDATE = 0x00000009,
  CRYPTO_SERVICE_AES_DO_FINAL = 0x0000000A,
  CRYPTO_SERVICE_AES_FREE = 0x0000000B,
  CRYPTO_SERVICE_MAC_INIT = 0x0000000C,
  CRYPTO_SERVICE_MAC_UPDATE = 0x0000000D,
  CRYPTO_SERVICE_MAC_DO_FINAL = 0x0000000E,
  CRYPTO_SERVICE_MAC_FREE = 0x0000000F,
  CRYPTO_SERVICE_RSA_HANDLE_REQUEST = 0x00000011,
  CRYPTO_SERVICE_DRBG_GENERATE = 0x00000013,
  CRYPTO_SERVICE_REQUEST_SE_KEYSLOT = 0x00000014,
  CRYPTO_SERVICE_UPDATE_SE_KEYSLOT = 0x00000015,
  CRYPTO_SERVICE_RELEASE_SE_KEYSLOT = 0x00000016,
  CRYPTO_SERVICE_UNWRAP_KEY = 0x00000017,
  CRYPTO_SERVICE_AES_CCM_INIT = 0x00000019,
  CRYPTO_SERVICE_CCM_HANDLE_REQUEST = 0x0000001A,
  CRYPTO_SERVICE_CCM_FREE = 0x0000001B,
  CRYPTO_SERVICE_ECDSA_INIT = 0x0000001C,
  CRYPTO_SERVICE_ECDSA_SET_KEY = 0x0000001D,
  CRYPTO_SERVICE_ECDSA_DO_FINAL = 0x0000001E,
  CRYPTO_SERVICE_ECDSA_FREE = 0x0000001F,
  CRYPTO_SERVICE_ED25519_INIT = 0x00000020,
  CRYPTO_SERVICE_ED25519_SET_KEY = 0x00000021,
  CRYPTO_SERVICE_ED25519_DO_FINAL = 0x00000022,
  CRYPTO_SERVICE_ED25519_FREE = 0x00000023,
  CRYPTO_SERVICE_DERIVE_KEY = 0x00000024,
  CRYPTO_SERVICE_SET_KEYSLOT_OIV = 0x00000025,
  CRYPTO_SERVICE_DERIVE_KEK2 = 0x00000027,
  CRYPTO_SERVICE_GENERATE_AES_KEY = 0x00000028,
  CRYPTO_SERVICE_DERIVE_KEY_NIST_SP800_108 = 0x00000029,
  CRYPTO_SERVICE_WRAP_KEK0_DERIVATION = 0x00000030,
  CRYPTO_SERVICE_WRAP_KEK2_DERIVATION = 0x00000031,
  CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK0 = 0x00000032,
  CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK2 = 0x00000033,
  CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_INIT_CCM = 0x00000034,
  CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_INIT_CBC = 0x00000035,
  CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_HANDLE_OPERATION = 0x00000036,
  CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_FREE = 0x00000037,
  CRYPTO_SERVICE_REWRAP_DERIVED_KEY_INIT = 0x00000038,
  CRYPTO_SERVICE_REWRAP_DERIVE_KEY_HANDLE_OPERATION = 0x00000039,
  CRYPTO_SERVICE_REWRAP_DERIVE_KEY_FREE = 0x00000040,
  CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_INIT = 0X00000041,
  CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_HANDLE_OPERATION = 0x00000042,
  CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_FREE = 0X00000043,
  CRYPTO_SERVICE_ECC_SET_KEYSLOT = 0x00000044,
  CRYPTO_SERVICE_KEY_VALIDATE_KCV = 0x00000045
}
 This type is used to contain Crypto-Service commands. More...
 
enum  NV_TE_OperationAlgorithm {
  NV_TE_ALG_AES_ECB = 0x10000510,
  NV_TE_ALG_AES_CBC = 0x10000610,
  NV_TE_ALG_AES_CBC_256 = 0x10000710,
  NV_TE_ALG_AES_CBC_256_NOPAD = 0x10000810,
  NV_TE_ALG_AES_CMAC_128 = 0x20000110,
  NV_TE_ALG_AES_CMAC_256 = 0x20000130,
  NV_TE_ALG_ED25519PH = 0x70006050,
  NV_TE_ALG_AES_CMAC_192 = 0x20000120
}
 This type is used to contain operation algorithms. More...
 
enum  KeySlotUsageInfo {
  KEYSLOT_USAGE_SIGN = 1U,
  KEYSLOT_USAGE_VERIFY,
  KEYSLOT_USAGE_ENCRYPT,
  KEYSLOT_USAGE_DECRYPT,
  KEYSLOT_USAGE_MAC,
  KEYSLOT_USAGE_DERIVE,
  KEYSLOT_USAGE_DUAL_CRYPTO,
  KEYSLOT_USAGE_WRAPPING
}
 This type enumerates key usage metadata types. More...
 
enum  KeySlotType {
  KEYSLOT_TYPE_AES = 1U,
  KEYSLOT_TYPE_RSA,
  KEYSLOT_TYPE_PKA1
}
 This type is used to define key slot type. More...
 
enum  CmacIntent {
  CMAC_VERIFY = 0x0000FFFFU,
  CMAC_GENERATE = 0xFFFF0000U
}
 This type is used to define the intent of invoking the AES-CMAC operation. More...
 
enum  FuseKeySlot {
  CRYPTO_KEK0_KEYSLOT = 0U,
  CRYPTO_KEK2_KEYSLOT = 2U
}
 This type is used to define the fuse key slots which Crypto Service uses. More...
 

Typedef Documentation

◆ KeySlotHandle

typedef uint32_t KeySlotHandle

This type is used to define key slot handle to hold the key slot.

Definition at line 3096 of file nv_te_cryptographic_constants.h.

Enumeration Type Documentation

◆ CmacIntent

enum CmacIntent

This type is used to define the intent of invoking the AES-CMAC operation.

Enumerator
CMAC_VERIFY 
CMAC_GENERATE 

Definition at line 3108 of file nv_te_cryptographic_constants.h.

◆ FuseKeySlot

This type is used to define the fuse key slots which Crypto Service uses.

Enumerator
CRYPTO_KEK0_KEYSLOT 
CRYPTO_KEK2_KEYSLOT 

Definition at line 3115 of file nv_te_cryptographic_constants.h.

◆ KeySlotType

This type is used to define key slot type.

It is used as an input in keyslot management commands

Enumerator
KEYSLOT_TYPE_AES 
KEYSLOT_TYPE_RSA 
KEYSLOT_TYPE_PKA1 

Definition at line 3100 of file nv_te_cryptographic_constants.h.

◆ KeySlotUsageInfo

This type enumerates key usage metadata types.

Enumerator
KEYSLOT_USAGE_SIGN 
KEYSLOT_USAGE_VERIFY 
KEYSLOT_USAGE_ENCRYPT 
KEYSLOT_USAGE_DECRYPT 
KEYSLOT_USAGE_MAC 
KEYSLOT_USAGE_DERIVE 
KEYSLOT_USAGE_DUAL_CRYPTO 
KEYSLOT_USAGE_WRAPPING 

KEYSLOT_USAGE_ENCRYPT, KEYSLOT_USAGE_DECRYPT and KEYSLOT_USAGE_DERIVE are allowed in compound operation usage using this type.

Definition at line 3081 of file nv_te_cryptographic_constants.h.

◆ NV_TE_CryptoServiceOperation

This type is used to contain Crypto-Service commands.

Below is the description of each command's TEE_Param NV_TE_CryptoServiceOperation Implementation defined as an enum in nv_te_internal/nv_te_cryptographic_constants.h

Enumerator
CRYPTO_SERVICE_PING 

Ping to test communication with TOS Cryptography Service.

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_ERROR_BAD_PARAMETERS if parameter types are invalid
TEE_SUCCESS if success
CRYPTO_SERVICE_ENCRYPT 

Perform Encryption operation This API is not implemented.

CRYPTO_SERVICE_DECRYPT 

Perform Decryption operation This API is not implemented.

CRYPTO_SERVICE_DERIVE_KEK 

Description

Derive keys from KEK0 with AES-CMAC directly into a key slot.

Perform AES-CMAC base key derivation operation using KEK0 (fuse) key

This API is identical to CRYPTO_SERVICE_DERIVE_KEK2 except that CRYPTO_SERVICE_DERIVE_KEK utilizes KEK0 and CRYPTO_SERVICE_DERIVE_KEK2 utilizes KEK2.

Refer to CRYPTO_SERVICE_DERIVE_KEK2 for information about the parameters, return values, and API behavior of CRYPTO_SERVICE_DERIVE_KEK.

CRYPTO_SERVICE_DIGEST_INIT 

Description

This command provides functionality to initialize parameters for hash cryptographic operations. The INIT command is typically followed by corresponding UPDATE and DOFINAL commands to successfully complete the Digest(hash) cryptographic operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory to instance an object of the Digest Class, within the context of the currently open session
  3. Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params

Parameters:

Parameters
[in]params[0].value.aDigest algorithm identifier (uint32_t);
Valid values:
TEE_ALG_SHA256
TEE_ALG_SHA384
TEE_ALG_SHA512
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success.
TEE_ERROR_BUSY if Digest context already exists.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types.
TEE_ERROR_BAD_PARAMETERS if unsupported digest algorithm.
CRYPTO_SERVICE_DIGEST_UPDATE 

Description

This command provides functionality to update the stage of hash cryptographic operations. The UPDATE command always follows an INIT command and is followed by the DOFINAL command to succesfully complete the Digest(hash) cryptographic operation. This delivers a block of data. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
  3. Updating the data memebers of the object

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource plaintext buffer for Digest operation
[in]params[1].memref.sizeSize of source buffer (uint32_t)
Max range:
1024 bytes
[out]params[2].memref.bufferDestination ciphertext buffer for Digest operation
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t) this value is updated by TOS Cryptography Service
Max range:
1024 bytes
[in]params[3]NONE
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if source length is greater than max support size. Or if source buffer is null.
TEE_ERROR_BAD_PARAMETERS if destination buffer is NULL
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed
TEE_ERROR_GENERIC in case of error.
CRYPTO_SERVICE_DIGEST_DO_FINAL 

Description

This command provides functionality to update the stage of hash cryptographic operations. The DO_FINAL command typically follows an INIT command or/and UPDATE command to succesfully complete the Digest(hash) cryptographic operation. This delivers a block of data and finishes the operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
  3. Updating the data memebers of the object

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource plaintext buffer for Digest operation
[in]params[1].memref.sizeSize of source buffer (uint32_t);
Max range:
1024 bytes
[out]params[2].memref.bufferDestination ciphertext buffer for Digest operation
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Max range:
1024 bytes
[in]params[3]NONE
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if source length is greater than max support size.
TEE_ERROR_BAD_PARAMETERS if destination buffer is NULL
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed
TEE_ERROR_GENERIC in case of error.
CRYPTO_SERVICE_DIGEST_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
CRYPTO_SERVICE_AES_INIT 

Description

This command provides functionality to initialize parameters for AES symmetric-key cryptography operations. The INIT command is typically followed by corresponding UPDATE and DOFINAL commands to successfully complete an AES cryptography operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory to instance an object of the AES Class, within the context of the currently open session
  3. Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params

Parameters:

Parameters
[in]params[0].value.aAES algorithm identifier (uint32_t)
Valid values:
TEE_ALG_AES_ECB_NOPAD
TEE_ALG_AES_CBC_NOPAD
TEE_ALG_AES_CTR
NV_TE_ALG_AES_ECB
NV_TE_ALG_AES_CBC
NV_TE_ALG_AES_CBC_256
NV_TE_ALG_AES_CBC_256_NOPAD
NV_TE_ALG_AES_CMAC_128
NV_TE_ALG_AES_CMAC_256
[in]params[0].value.bAES operation mode identifier (uint32_t);
Valid values:
TEE_MODE_ENCRYPT
TEE_MODE_DECRYPT

In case of TEE_ALG_AES_CTR algorithm

Parameters
[in,out]params[1].memref.bufferInitialization vector (const uint8_t*)
[in,out]params[1].memref.sizeSize of initialization vector (uint32_t)
Valid values:
16 bytes

In case of other supported algorithms

Parameters
[in]params[1].memref.bufferInitialization vector (const uint8_t*)
[in]params[1].memref.sizeSize of initialization vector (uint32_t)
Valid values:
16 bytes
Note: For all modes that don't require IV value and this paramType must be set to TYPE_NONE

If not using a keyslot to supply key

Parameters
[in]params[2].memref.bufferOptional key material in plaintext (const uint8_t*)
[in]params[2].memref.sizeSize of buffer containing key material (uint32_t)
Valid values:
16 bytes
32 bytes
[in]params[3].value.aSet to zero
[in]params[3].value.bMaximum number of data blocks will be sent in update and do_final

OR, if using a keyslot to supply key

Parameters
[in]params[2].value.aKey Size in bytes (uint32_t)
[in]params[3].value.aOpaque handle to keyslot returned with the appropriate AES key installed (uint32_t)
[in]params[3].value.bMaximum number of data blocks will be sent in update and do_final

Return Values

Returns
TEE_ERROR_BUSY if AES context already exists
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_GENERIC if key size is other than 16 or 32.
TEE_ERROR_BAD_PARAMETERS if key size is greater than 32.
TEE_ERROR_GENERIC Unable in instantiate object of class
TEE_SUCCESS Command successful, no errors
CRYPTO_SERVICE_AES_UPDATE 

Description

This command provides functionality to update the stage of AES symmetric-key cryptography operations. The UPDATE command typically follows an INIT command and is followed by the DOFINAL command to succesfully complete an AES cryptography operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
  3. Updating the data memebers of the object

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource buffer for AES operation (ciphertext/plaintext depending on operation mode)
[in]params[1].memref.sizeSize of source buffer (uint32_t);
Valid range:
256 bytes
[out]params[2].memref.bufferDestination buffer for AES operation (ciphertext/plaintext depending on operation mode)
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Valid range:
256 bytes
[in]params[3]NONE

Return Values

Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_GENERIC if source or destination length is more than supported size.
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_AES_DO_FINAL 

Description

This command provides functionality to update the stage of AES symmetric-key cryptography operations. The DO_FINAL command typically follows an INIT command or and UPDATE command to succesfully complete an AES cryptography operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
  3. Updating the data memebers of the object

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource buffer for AES operation (ciphertext/plaintext depending on operation mode)
[in]params[1].memref.sizeSize of source buffer (uint32_t);
Valid range:
256 bytes
[out]params[2].memref.bufferDestination buffer for AES operation (ciphertext/plaintext depending on operation mode)
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Valid range:
256 bytes
[in]params[3]NONE

Return Values

Returns
TEE_SUCCESS Command successful, no errors
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_GENERIC if source or destination length is greater than supported size.
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_AES_FREE 

Description

To release under layer context, and reset operation.

Parameters: params[0]: none params[1]: none params[2]: none params[3]: none

Returns
TEE_ERROR_BAD_PARAMETERS Failed input parameter validation
TEE_ERROR_GENERIC No exist AES operation to free
TEE_SUCCESS Command successful, no errors
CRYPTO_SERVICE_MAC_INIT 

Description

This command provides functionality to initialize parameters for Message Authentication Code(MAC) cryptographic operations. The INIT command is typically followed by corresponding UPDATE and DOFINAL commands to successfully complete the MAC cryptographic operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory to instance an object of MAC Class, within the context of the currently open session
  3. Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params

Parameters:

Parameters
[in]params[0].value.aMAC algorithm identifier (uint32_t);
Valid values:
NV_TE_ALG_AES_CMAC_128
NV_TE_ALG_AES_CMAC_256
TEE_ALG_HMAC_SHA256
TEE_ALG_HMAC_SHA384
TEE_ALG_HMAC_SHA512
[in]params[1]NONE

If not using a keyslot to supply key

Parameters
[in]params[2].memref.bufferBuffer containing public key
[in]params[2].memref.sizeSize of public key (uint32_t);
Valid values:
16 bytes
32 bytes
[in]params[3].value.aSet this to zero

OR, if using a keyslot to supply key
Note: SE HW supports using HW keyslots for AES based MAC algos only

Parameters
[in]params[2].value.akey_size of the key in key slot
[in]params[3].value.akey slot handle of the keyslot holding the key.
[in]params[3].value.bSpecifies whether the MAC operation incase of CMAC is for generation or verification purpose.
Valid values:
CMAC_VERIFY
CMAC_GENERATE
Returns
TEE_ERROR_BUSY MAC context already exists
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_GENERIC if key size is other than 16 or 32.
TEE_ERROR_BAD_PARAMETERS if key size is greater than 32.
TEE_ERROR_GENERIC Unable in instantiate object of class or any other error.
TEE_SUCCESS if command is successful, no errors
CRYPTO_SERVICE_MAC_UPDATE 

Description

This command provides functionality to update the stage of MAC cryptographic operation. The UPDATE command always follows an INIT command and is followed by the DOFINAL command to succesfully complete the MAC cryptographic operation. This delivers a block of data. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
  3. Updating the data memebers of the object

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource plaintext buffer for MAC operation
[in]params[1].memref.sizeSize of source buffer (uint32_t)
Valid range:
1024 bytes
[out]params[2].memref.bufferDestination buffer for MAC operation
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t) this value is updated by TOS Cryptography Service
[in]params[3]NONE
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_MAC_DO_FINAL 

Description

This command provides functionality to update the stage of MAC cryptographic operations. The DO_FINAL command typically follows an INIT command or/and UPDATE command to succesfully complete the MAC cryptographic operation. This delivers a block of data and finishes the operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
  3. Updating the data memebers of the object

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource buffer for MAC operation
[in]params[1].memref.sizeSize of source buffer (uint32_t);
Valid range:
1024 bytes
[in,out]params[2].memref.bufferDestination buffer for MAC operation
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Valid range:
1024 bytes
[in]params[3]NONE
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_MAC_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_ERROR_BAD_PARAMETERS Failed input parameter validation
TEE_ERROR_GENERIC No exist MAC operation to free
TEE_SUCCESS Command successful, no errors
CRYPTO_SERVICE_RSA_HANDLE_REQUEST 

Description

This command provides functionality for RSA sign or verify operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory to instance an object of the Digest Class, within the context of the currently open session
  3. Initializing the data members of the newly instanced object with client provided values, sent as part of operation params
  4. Perform sign or verify operation.

Parameters:

Parameters
[in]params[0].value.aRSA algorithm identifier (uint32_t);
Valid values:
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512
TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
TEE_ALG_RSASSA_PKCS1_V1_5_SHA384
TEE_ALG_RSASSA_PKCS1_V1_5_SHA512
[in]params[0].value.bRSA operation mode (uint32_t);
Valid values:
TEE_MODE_VERIFY
TEE_MODE_SIGN
[in]params[1].memref.bufferDigest or plaintext source data buffer for RSA operation
[in]params[1].memref.sizeSize of source buffer (uint32_t);

In case of RSA verify operation

Parameters
[in]params[2].memref.bufferSource buffer with signature data
[in]params[2].memref.sizeSize of source buffer (uint32_t);
Valid range:
1024 bytes

In case of RSA sign operation

Parameters
[out]params[2].memref.bufferDestination signed data buffer
[in,out]params[2].memref.sizeSize of destination buffer (uint32_t);
Valid range:
1024 bytes
[in]params[3].value.aPKA1 key slot handle
[out]params[3].value.aResult of RSA operation. Meaningful only if operation succeeds
[in]params[3].value.bRSA operation flag, 1: source is digest; 0: source is raw data
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if digest size or signature size is more than max supported size.
TEE_ERROR_BAD_PARAMETERS if digest or signature buffer is null.
TEE_ERROR_BAD_PARAMETERS if invalid keyslot type or keyslot handle is 0.
TEE_ERROR_NOT_SUPPORTED if unsupported algorithm is given as input.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC if: Failed to get key slot index. OR Failed to setup crypto context. OR RSA operation failed.
CRYPTO_SERVICE_DRBG_GENERATE 

Description

This command provides functionality to generate DRBG random number This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory for HW context and command arguments.
  3. Initializing the data memebers to command argument with client provided values, sent as part of operation params
  4. Perform Crypto operation to generate random number.

Parameters:

Parameters
[out]params[0].memref.bufferDestination buffer to store random number
[in]params[0].memref.sizeSize of destination buffer (uint32_t)
Valid range:
1024 bytes
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if input buffer is more than max supported size.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC if crypto operation failed
CRYPTO_SERVICE_REQUEST_SE_KEYSLOT 

Description

This command provides functionality to request a key slot with specific type. It is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Set requested parameters to keyslot.

Parameters:

Parameters
[in]params[0].value.aValid Keyslot type.
Valid values:
KEYSLOT_TYPE_AES
KEYSLOT_TYPE_PKA1
[in]params[0].value.bValid Keyslot usage info.
Valid values:
For KEYSLOT_TYPE_AES: KEYSLOT_USAGE_ENCRYPT, KEYSLOT_USAGE_DECRYPT, KEYSLOT_USAGE_MAC and KEYSLOT_USAGE_DERIVE
For KEYSLOT_TYPE_PKA1: KEYSLOT_USAGE_SIGN KEYSLOT_USAGE_VERIFY
[out]params[1].value.aPointer to returned keyslot handle (KeySlotHandle*).
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types
TEE_ERROR_BAD_PARAMETERS if unknown keyslot usage.
TEE_ERROR_BAD_STATE if KeySlotMgr is not initialized
TEE_ERROR_ACCESS_DENIED if caller is not a valid keyslot owner
TEE_ERROR_BUSY if keyslot is in use
CRYPTO_SERVICE_UPDATE_SE_KEYSLOT 

Description

This command provides functionality to set a key slot with key material. It is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Set requested parameters to keyslot.

PKA1 Keyslot Parameters

Parameters
[in]params[0].value.aValid Keyslot type.
Valid values: KEYSLOT_TYPE_PKA1
[in]params[0].value.bPKA1 key flag
Valid range:
0: RSA Key in little endianness
1: RSA Key in big endianness
2: ECDSA Nist curve point X and Y
3: EDDSA Nist curve compressed point
[in]params[1].value.aKeySlotHandle handle (handle of key slot to write.)
[in]params[1].value.bRSA key Montgomery flag, not meningful for EC key
0: RSA key without Montgomery values.
1: RSA key with Montgomery values.
[in]params[2].memref.bufferRSA key exponent, or EC pointX
[in]params[2].memref.sizeRSA key exponent size, EC pointX size
Valid range:
RSA key exponent, 4 bytes to 512 bytes
EC key pointX, 32 bytes
[in]params[3].memref.bufferRSA key modulus, or ECDSA pointY
[in]params[3].memref.sizeRSA modulus size, or ECDSA pointY size
[in]params[3],None,incase of ED25519 key
Valid range:
RSA modulus, 256 bytes to 512 bytes
ECDSA PointY, 32 bytes

AES Keyslot Parameters

Parameters
[in]params[0].value.aValid Keyslot type.
Valid values: KEYSLOT_TYPE_AES
[in]params[0].value.b0: KCV check disabled; 1: KCV check enabled
[in]params[1].value.aKeySlotHandle handle (handle of key slot to write.)
[in]params[2].memref.bufferAES key material
[in]params[2].memref.sizeAES key size
Valid range:
16 bytes or 32 bytes
[in]params[3].value.bValid KCV value if KCV check is enabled
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BAD_PARAMETERS if keyslot owner VMID check failed. Or if failed to get keyslot
TEE_ERROR_BAD_PARAMETERS if modulusOrIvSize or exponentOrKeySize is out of range(UINT32_MAX bits)
TEE_ERROR_GENERIC if failed to set key and/or iv in case of AES keyslot type
TEE_ERROR_GENERIC if failed to generate random number in case of AES keyslot type
TEE_ERROR_OUT_OF_MEMORY if dynamic memory allocation failed in case of AES keyslot
TEE_ERROR_GENERIC if key size is invalid.
TEE_ERROR_GENERIC if failed to write keyslot in case of PKA1 keyslot type
CRYPTO_SERVICE_RELEASE_SE_KEYSLOT 

Description

This command provides functionality to release a key slot. It is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Release the given keyslot.

Parameters:

Parameters
[in]params[0].value.aValid Keyslot type of the key slot to release.
Valid values:
KEYSLOT_TYPE_AES
 KEYSLOT_TYPE_PKA1
[in]params[1].value.aKeySlotHandle handle (of key slot to release.)
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BAD_PARAMETERS if keyslot owner VMID check failed. Or if failed to get keyslot.
TEE_ERROR_GENERIC if failed to release keyslot
CRYPTO_SERVICE_UNWRAP_KEY 

Description

This command provides functionality to unwrap key to AES keyslot It is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Unwrap the key.

Parameters:

Parameters
[in]params[0].value.aSupported algorithm.
Valid values:
TEE_ALG_AES_ECB_NOPAD
TEE_ALG_AES_CBC_NOPAD
TEE_ALG_AES_CTR
NV_TE_ALG_AES_ECB
NV_TE_ALG_AES_CBC
NV_TE_ALG_AES_CBC_256
NV_TE_ALG_AES_CBC_256_NOPAD
[in]params[0].value.btarget keyslot handle
[in]params[1].memref.bufferInitialization vector (IV)
[in]params[1].memref.sizeSize of initialization vector (uint32_t) Valid values: 0 byte for AES_ECB and AES_ECB_NOPAD algorithm, 16 bytes otherwise

If using plain key text for unwrapping key

Parameters
[in]params[2].memref.bufferUnwrapping key.
[in]params[2].memref.sizeKey Size in bytes (uint32_t). Valid range: 16 bytes 32 bytes

OR, if using keyslot for unwrapping key

Parameters
[in]params[2].value.akeyslot handle for unwrapping key.
[in]params[2].value.bKey Size in bytes (uint32_t) Valid range: 16 bytes 32 bytes
[in]params[3].memref.bufferwrapped Key
[in]params[3].memref.sizewrapped key size
Valid range:
16-bytes for _CBC and
32-bytes for _CBC_256
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BAD_PARAMETERS if unwrapping key, wrapped key is NULL.
TEE_ERROR_BAD_PARAMETERS if IV is NULL in case of non ECB & ECB_NOPAD algorithm
TEE_ERROR_BAD_PARAMETERS if keyslot is invalid. Or if unsupported AES algorithm
TEE_ERROR_OUT_OF_MEMORY if memory allocation for the key failed
TEE_ERROR_GENERIC if keysize is invalid
TEE_ERROR_GENERIC if SE operation failed
CRYPTO_SERVICE_AES_CCM_INIT 

Description

This command provides functionality to initialize parameters for AES-CCM cryptographic operations. The INIT command is always followed by corresponding HANDLE_REQUEST and FREE commands to successfully complete the AES-CCM cryptographic operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory to instance an object of CCM Class, within the context of the currently open session
  3. Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params

Parameters:

Parameters
[in]params[0].value.aTag length
[in]params[0].value.bValid operation mode
Valid values:
TEE_MODE_ENCRYPT
TEE_MODE_DECRYPT
[in]params[1].memref.buffernonce
[in]params[1].memref.sizenonce size

If not using a keyslot to supply key

Parameters
[in]params[2].memref.bufferBuffer containing public key
[in]params[2].memref.sizeSize of public key (uint32_t);
Valid values:
16 or 32 bytes
[in]params[3].value.aSet this to zero

If using keyslot to supply key

Parameters
[in]params[2].value.acontains key size of the key in keyslot
[in]params[3].value.akey slot handle of the keyslot holding the key.
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BUSY CCM context already exists.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_BAD_PARAMETERS if invalid keyslot. Or if unsupported CCM operation mode.
TEE_ERROR_BAD_PARAMETERS if key size is more than 32 bytes.
TEE_ERROR_GENERIC is key size is other than supported size of 16 or 32 bytes
CRYPTO_SERVICE_CCM_HANDLE_REQUEST 

Description

This command provides functionality to perfor CCM DoFinal operation. This command is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Allocating memory for source and destination buffer.
  3. Perform CCM operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1].memref.bufferSource data buffer
[in]params[1].memref.sizeSize of source buffer (uint32_t);
Valid range:
1024 bytes
[out]params[2].memref.bufferDestination data buffer
[out]params[2].memref.sizeSize of destination data buffer (uint32_t);
Valid range:
1024 bytes
[in]params[3].memref.bufferAAD buffer
[in]params[3].memref.sizeSize of AAD buffer (uint32_t);
Valid range:
1024 bytes
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is more than max supported size.
TEE_ERROR_GENERIC if source, destination or AAD buffer is null.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory for src and dest buffer
TEE_ERROR_GENERIC if SE crypto operation failed
CRYPTO_SERVICE_CCM_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if parameters are invalid
TEE_ERROR_GENERIC if error occured while freeing CCM context
CRYPTO_SERVICE_ECDSA_INIT 

Description

ECDSA initialize parameters, supports verification only.
Requirments for ECDSA:
1. ASN.1 DER format signature in big endian, which is Openssl compatible.
2. Big endian point coordinates.
3. Digested source data. Parameters:

Parameters
[in]params[0].value.aSupported algorithm identifier
Valid values:
TEE_ALG_ECDSA_SHA256
[in]params[0].value.bsupported Curve ID
Valid values:
TEE_ECC_CURVE_NIST_P256
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types.
TEE_ERROR_BUSY if EC object already exist.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_GENERIC if SE INIT operation failed
CRYPTO_SERVICE_ECDSA_SET_KEY 

Description

ECDSA set_key parameters.

Parameters:

Parameters
[in]params[0].memref.bufferBuffer containing raw source data.
[in]params[0].memref.sizeSize of buffer containing point X (uint32_t);
[in]params[1].memref.bufferBuffer containing point Y.
[in]params[1].memref.sizeSize of buffer containing point Y (uint32_t);
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
TEE_ERROR_BAD_PARAMETERS if x_size or y_size is > TE_MAX_ECC_BYTES
TEE_ERROR_GENERIC if SE SET_KEY operation failed
CRYPTO_SERVICE_ECDSA_DO_FINAL 

Description

Deliver a block of data and finishes the operation.

Parameters:

Parameters
[in]params[0].memref.bufferSource buffer containing digest
[in]params[0].memref.sizeSize of buffer containing digest (uint32_t);
Valid range:
1024 bytes
[in]params[1].memref.bufferBuffer containing signature
[in]params[1].memref.sizeSize of signature (uint32_t);
Valid range:
maximum 1792 bytes
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer.
TEE_ERROR_BAD_PARAMETERS if digest or signature buffer length is more than max supported size.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
CRYPTO_SERVICE_ECDSA_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported parameter types.
CRYPTO_SERVICE_ED25519_INIT 

Description

ED25519 initialize parameters, supports verification only.
Requirments for ED25519:
1. Little endian signature, 64 bytes in all.
2. Little endian commpressed point.
3. Raw message source data in little endian or pre-hash data. Parameters:

Parameters
[in]params[0].value.aSupported algorithm identifier
Valid values:
TEE_ALG_ED25519
NV_TE_ALG_ED25519PH
[in]params[0].value.bsupported Curve ID
Valid values:
TEE_ECC_CURVE_25519
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported parameter types.
TEE_ERROR_BUSY if EC object already exist.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
TEE_ERROR_GENERIC if SE INIT operation failed
CRYPTO_SERVICE_ED25519_SET_KEY 

Description

ED25519 set_key parameters.

Parameters:

Parameters
[in]params[0].memref.bufferBuffer containing compressed_point
[in]params[0].memref.sizeSize of buffer containing compressed_point(uint32_t);
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
TEE_ERROR_BAD_PARAMETERS if compressed_point > CCC_ED25519_COMPRESSED_POINT_SIZE
TEE_ERROR_GENERIC if SE SET_KEY operation failed
CRYPTO_SERVICE_ED25519_DO_FINAL 

Description

Deliver a block of data and finishes the operation.

Parameters:

Parameters
[in]params[0].memref.bufferSource buffer containing raw message or digest
[in]params[0].memref.sizeSize of buffer containing raw message or digest (uint32_t);
Valid range:
maximum 1792 bytes
[in]params[1].memref.bufferBuffer containing signature
[in]params[1].memref.sizeSize of signature (uint32_t);
Valid range:
1024 bytes
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
TEE_ERROR_BAD_PARAMETERS if digest or signature buffer length is more than max supported size
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
CRYPTO_SERVICE_ED25519_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
TEE_ERROR_GENERIC if failed to free ED25519 context
CRYPTO_SERVICE_DERIVE_KEY 

Description

Derive key using AES-CMAC into a key slot.

Parameters:

Parameters
[in]params[0].value.aContains target keyslot handle
[in]params[1].memref.bufferContaining source buffer
[in]params[1].memref.sizeSize of source data (uint32_t);
Valid range:
1024 bytes

if using key

Parameters
[in]params[2].memref.bufferContaining key
[in]params[2].memref.sizeSize of key (uint32_t);
Valid values:
16 or 32 bytes

OR, if using a keyslot to supply key

Note
The KeySlot should be requested for KEYSLOT_USAGE_DERIVE usage.
Parameters
[in]params[2].value.akey_size, in case of using key slot
[in]params[3].value.aSource keySlot handle
Note
if input key materials are in key slot already, set this, and also key size in params[2].value.a. otherwise, set this to zero!
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
TEE_ERROR_BAD_PARAMETERS if fialed to check keyslot owner
TEE_ERROR_BAD_PARAMETERS if fialed to get keyslot index
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
TEE_ERROR_GENERIC if key size is invalid
TEE_ERROR_GENERIC if failed to generate random number
TEE_ERROR_GENERIC if failed to set IV
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
CRYPTO_SERVICE_SET_KEYSLOT_OIV 

Description

To set random generated IV to an AES key slot

Parameters:

Parameters
[in]params[0].value.akeyslot type
Valid values: KEYSLOT_TYPE_AES
[in]params[1].value.akeyslot handle
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner VMID
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot
TEE_ERROR_GENERIC if failed to write keyslot
CRYPTO_SERVICE_DERIVE_KEK2 

Description

Derive keys from KEK2 with AES-CMAC directly into a key slot.

Perform AES-CMAC base key derivation operation using KEK2 (fuse) key Parameters:

Parameters
[in]params[0].value.atarget key slot handle
[in]params[0].value.b1: if KCV check is enabled; 0: otherwise
[in]params[1].memref.bufferContaining source buffer
[in]params[1].memref.sizeSize of source data (16 or 32 bytes)
[in]params[2].value.aKEK key size, 16 or 32 bytes, respectively.
[in]params[3].value.aValid KCV value if KCV check is enabled
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot index
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
TEE_ERROR_GENERIC if failed to generate random number
TEE_ERROR_GENERIC if failed to set IV
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
CRYPTO_SERVICE_GENERATE_AES_KEY 

Description

This command provides functionality to generate a AES key Supported Key Size: 128 bits Pre-allocated AES key in a keyslot is required for this operation API returns a wrapped key It is responsible for the following operations:

  1. Input validation of incoming parameters based on the various permutations of valid input values
  2. Generate a key using DRBG
  3. Encrypt with AES-CBC and return the wrapped key

Parameters:

Parameters
[in]params[0].value.akeysize of key in keyslot
[in]params[0].value.bkeyslot handle
[in,out]params[1].memref.bufferAs input param, it stores the caller supplied initialization vector. As output param, it stores the calulated KCV of the randomly generated key.
[in,out]params[1].memref.sizeAs input parameter it stores initialization vector size. As output parameter it stores the size of KCV buffer.
[out]params[2].memref.bufferDestination buffer for encrypted key
[out]params[2].memref.sizeDestination buffer size
[in]params[3].value.aKey size to generate
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_DERIVE_KEY_NIST_SP800_108 

Description

Derive key using NIST SP800-108 compliant KDF (AES-CMAC based) into a key slot.

Parameters:

Parameters
[in]params[0].value.aContains target keyslot handle.
[in]params[0].value.bContains derived key size.
[in]params[1].memref.bufferContaining label buffer.
[in]params[1].memref.sizeSize of label data (uint32_t).
[in]params[2].memref.bufferContaining context buffer.
[in]params[2].memref.sizeSize of context data (uint32_t).

if using key

Parameters
[in]params[3].memref.bufferContaining key.
[in]params[3].memref.sizeSize of key (uint32_t).
Valid values:
16 or 32 bytes

OR, if using a keyslot to supply key

Note
The KeySlot should be requested for KEYSLOT_USAGE_DERIVE usage.
Parameters
[in]params[3].value.aSource KeySlot handle.
[in]params[3].value.bsize of key.
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameter types.
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner.
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot index.
TEE_ERROR_BAD_PARAMETERS if invalid keyslot usage info.
TEE_ERROR_BAD_PARAMETERS if invalid target keyslot.
TEE_ERROR_BAD_PARAMETERS if unsupported key length.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_GENERIC if failed to clean keyslot.
TEE_ERROR_GENERIC if failed to generate random number.
TEE_ERROR_GENERIC if operation context setup failed.
TEE_ERROR_GENERIC if SE DO_FINAL operation failed.
TEE_ERROR_BAD_STATE if failed to derive key in target keyslot.
CRYPTO_SERVICE_WRAP_KEK0_DERIVATION 

Description

Derive keys from 128 bits KEK0 with AES-CMAC, and then encrypt/wrap the derived key with AES-CBC and return a memory buffer constained the wrapped key.

Parameters:

Parameters
[out]params[0].memref.bufferContains the wrapped result
[out]params[0].memref.sizeSize of the wrapped reslut
[in]params[1].memref.bufferContains source buffer
[in]params[1].memref.sizeSize of source data (<=1024 bytes)
[in]params[2].memref.bufferContains IV.
[in]params[2].memref.sizeSize of IV
[in]params[3].value.aContains size of the wrapping root key.
[in]params[3].vaule.bContains keyslot handle of the wrapping root key.

returns:

Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameters
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
TEE_ERROR_GENERIC if any other errors.
CRYPTO_SERVICE_WRAP_KEK2_DERIVATION 

Description

Same as CRYPTO_SERVICE_WRAP_KEK0_DERIVATION except using KEK2 to derive.

CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK0 

Description

Derive key materials with 128 bits KEK0 using NIST SP800-108 complaint KDF(AES-CMAC based) into a key slot.

Parameters:

Parameters
[in]params[0].value.aContains target keyslot handle.
[in]params[0].value.bContains derived key size in bit.
Valid values:
128 or 256 bits
[in]params[1].memref.bufferContaining label buffer.
[in]params[1].memref.sizeSize of label data (uint32_t).
[in]params[2].memref.bufferContaining context buffer.
[in]params[2].memref.sizeSize of context data (uint32_t).
[in]params[3]NONE.
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if wrong parameter types.
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner.
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot index.
TEE_ERROR_BAD_PARAMETERS if invalid keyslot usage info.
TEE_ERROR_BAD_PARAMETERS if invalid target keyslot.
TEE_ERROR_BAD_PARAMETERS if unsupported key length.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_GENERIC if failed to clean keyslot.
TEE_ERROR_GENERIC if failed to generate random number.
TEE_ERROR_GENERIC if operation context setup failed.
TEE_ERROR_GENERIC if SE DO_FINAL operation failed.
TEE_ERROR_BAD_STATE if failed to derive key in target keyslot.
CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK2 

Description

Same as CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK0 except using KEK2 to derive.

CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_INIT_CCM 

Description

This command provides functionality to initialize parameters for AES CCM symmetric-key decryption operation in the compound operation of rewrapping the result of a CCM decryption operation.

Parameters:

Parameters
[in]params[0].value.aTag Length
[in]params[1].memref.buffernonce
[in]params[1].memref.sizenonce size
[in]params[2].value.acontains key size of the key in keyslot. Valid value: 16 bytes
[in]params[3].value.akey slot handle of the keyslot holding the key.
Returns
TEE_SUCCESS if success.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
TEE_ERROR_BUSY CCM context already exists.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_BAD_PARAMETERS if invalid keyslot Or, if unsupported CCM operation mode.
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_INIT_CBC 

Description

This command provides functionality to initialize parameters for AES CBC symmetric-key encryption operation in the compound operation of rewrapping the result of a CCM decryption operation.

Parameters:

Parameters
[in]params[2].memref.bufferInitialization vector (IV).
[in]params[2].memref.sizeSize of initialization vector (uint32_t). Valid values: 16 bytes
[in]params[3].value.aKeyslot handle to the key used for re-wrapping.
[in]params[3].value.bSize of key used for re-wrapping. Valid Values: 16 bytes

Return Values

Returns
TEE_ERROR_BUSY if AES context already exists.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
TEE_ERROR_GENERIC Unable in instantiate object of class
TEE_SUCCESS Command successful, no errors.
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_HANDLE_OPERATION 

Description

This command provides functionality to perform a. CCM DoFinal operation to decrypt a buffer by using a client supplied key. b. Store the unwrapped key in device mapped TZSYSRAM. c. AES DoFinal to rewrap the unwrapped key with AES-128-CBC-NOPAD using a key that is already loaded in a keyslot. d. The wrapped output is returned to the caller.

Parameters:

Parameters
[in]params[1].memref.bufferSource data buffer.
[in]params[1].memref.sizeSize of source buffer (uint32_t);
Valid range:
1024 bytes.
[in]params[2].memref.bufferAAD buffer.
[in]params[2].memref.sizeSize of AAD buffer (uint32_t);
Valid range:
1024 bytes
[out]params[3].memref.bufferDestination data buffer.
[out]params[3].memref.sizeSize of destination data buffer (uint32_t);
Valid range:
1024 bytes
Returns
TEE_SUCCESS Command successful, no errors
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_GENERIC if source or destination length is greater than supported size.
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if parameters are invalid.
TEE_ERROR_GENERIC if error occured while freeing CBC & CCM context.
CRYPTO_SERVICE_REWRAP_DERIVED_KEY_INIT 

Description

This command provides functionality to initialize parameters for AES-CBC symmetric-key encryption operation in the compound operation of wrapping user key derivation.

Parameters:

Parameters
[in]params[2].memref.bufferInitialization vector (IV).
[in]params[2].memref.sizeSize of initialization vector (uint32_t).
Valid values: 16 bytes
[in]params[3].value.aKeyslot handle to the key used for re-wrapping of derived key.
[in]params[3].value.bSize of key used for re-wrapping.
Valid Values: 16 bytes

Return Values

Returns
TEE_ERROR_BUSY if AES context already exists.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
TEE_ERROR_GENERIC Unable in instantiate object of class
TEE_SUCCESS Command successful, no errors.
CRYPTO_SERVICE_REWRAP_DERIVE_KEY_HANDLE_OPERATION 

Description

This command provides the functionality to: a. Perform key derivation using NIST-SP800-108 compliant (AES-CMAC) based KDF from a caller supplied root key, label and context. b. The derived key is stored in buffer allocated from TZSysram. c. Wrapping of derived key is performed using caller supplied key using AES-CBC algorithm. d. The wrapped Key along with the KCV is returned back to the caller.

Parameters:

Parameters
[in,out]params[0].memref.bufferAs input param it stores the caller supplied context. As output param it stores the wrapped Key.
[in,out]params[0].memref.sizeAs input param, it stores the size of buffer which should be sufficient to hold the wrapped key as well as the context string. As output param, it stores the actual size of wrapped key.
Valid Range:
16 Bytes to 502 bytes
[in,out]params[1].memref.bufferAs input param it stores the caller supplied label string. As output param it stores the calulated KCV of the derived key.
[in]params[1].memref.sizeAs input param it stores the size of buffer which should be sufficient to hold the derived key KCV and the label string.
Valid Range:
16 Bytes to 502 bytes
[in]params[2].value.aIt stores the keyslot handle of the caller supplied root Key.
[in]params[2].value.bIt stores the derived key length in bits.
Valid Values:
128 bits and 256 bits
[in]params[3].value.aIt stores the length of caller supplied label string.
[in]params[3].value.bIt stores the length of caller supplied context string.
Returns
TEE_SUCCESS Command successful, no errors
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_GENERIC if source or destination length is greater than supported size.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_REWRAP_DERIVE_KEY_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if parameters are invalid.
TEE_ERROR_GENERIC if error occured while freeing CBC context.
CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_INIT 

Description

This command provides functionality to initialize parameters for AES-CBC symmetric-key encryption operation in the compound operation of wrapping the KEK Derivation.

Parameters:

Parameters
[in]params[2].memref.bufferInitialization vector (IV).
[in]params[2].memref.sizeSize of initialization vector (uint32_t). valid values: 16 bytes
[in]params[3].value.aKeyslot handle to the key used for wrapping the derived key.
[in]params[3].value.bSize of key used for re-wrapping. valid values: 16 bytes

Return Values

Returns
TEE_ERROR_BUSY if AES context already exists.
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
TEE_ERROR_GENERIC Unable in instantiate object of class
TEE_SUCCESS Command successful, no errors.
CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_HANDLE_OPERATION 

Description This command provides functionality to perform: a.

Derive key from KEK0/KEK2 keyslot as specified by the caller using NIST SP800-108 compliant (AES-CMAC based) KDF. b. Calculate KCV for the derived key. c. Perform AES DoFinal to wrap the derived key with AES-128-CBC-NOPAD using a key that is already loaded in a keyslot. d. Return the wrapped output to the caller along with the KCV.

Parameters
[in]params[0].memref.bufferContaining label buffer.
[in]params[0].memref.sizeSize of label data (uint32_t).
[in,out]params[1].memref.bufferAs input param it stores the context string. As output param it stores the KCV of the derived key. [in, out] params[1].memref.size As input param it stores the size of buffer supplied. As output param it stores the size of KCV buffer returned. valid values: 3 bytes to 502 bytes
Note: Since this is an inout param, the size of buffer should be at least 3 bytes to store the KCV value since context string can be 1 byte as well.
[out]params[2].memref.bufferIt stores the wrapped key
[out]params[2].memref.sizewrapped key length. valid values: 16 Bytes and 32 Bytes
[in]params[3].value.aIt stores the context length.
[in]params[3].value.bIt stores the value to determine whether KEK0/KEK2 is to be used for key derivation. valid values: CRYPTO_KEK0_KEYSLOT for KEK0 CRYPTO_KEK2_KEYSLOT for KEK2

Return Values

Returns
TEE_SUCCESS Command successful, no errors
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.
CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_FREE 

Description

To release under layer context, and reset operation.

Parameters:

Parameters
[in]params[0]NONE
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if parameters are invalid.
TEE_ERROR_GENERIC if error occured while freeing CBC context.
CRYPTO_SERVICE_ECC_SET_KEYSLOT 

Set key slot handle for ED25519 or ECDSA operation.

This is exclusive with CRYPTO_SERVICE_ED25519_SET_KEY and CRYPTO_SERVICE_ECDSA_SET_KEY.

Parameters:

Parameters
[in]params[0].value.aPKA1 Keyslot handle in which ED25519 or ECDSA key is installed.
[in]params[1]NONE
[in]params[2]NONE
[in]params[3]NONE
Returns
TEE_SUCCESS if success
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
TEE_ERROR_GENERIC if SE SET_KEY operation failed
CRYPTO_SERVICE_KEY_VALIDATE_KCV 

Description This command provides functionality to perform KCV verification for the key which is provided in keyslot handle.

Fcuntionality as below: a. Validate param types b. Calculate KCV for the key in keyslot c. Compare the calculated KCV with the KCV recevieved in input and return the result

Parameters
[in]params[0].value.akey slot handle containing the key
[in]params[0].value.bkey_size of the key in key slot
[in]params[1].memref.bufferValid KCV for the key in kesylot
[in]params[1].memref.sizeKCV size

Return Values

Returns
TEE_SUCCESS Command successful, no errors
TEE_ERROR_BAD_STATE on KCV mis-match
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
TEE_ERROR_GENERIC in case of other error.

Definition at line 48 of file nv_te_cryptographic_constants.h.

◆ NV_TE_OperationAlgorithm

This type is used to contain operation algorithms.

Enumerator
NV_TE_ALG_AES_ECB 

AES-ECB w/ 128 bit key.

NV_TE_ALG_AES_CBC 

AES-CBC w/ 128 bit key.

NV_TE_ALG_AES_CBC_256 

AES-CBC w/ 256 bit key.

NV_TE_ALG_AES_CBC_256_NOPAD 

AES-CBC w/ 256 bit key without padding.

NV_TE_ALG_AES_CMAC_128 

AES-CMAC w/ 128 bit key.

NV_TE_ALG_AES_CMAC_256 

AES-CMAC w/ 256 bit key.

NV_TE_ALG_ED25519PH 

ED25519 pre-hash.

NV_TE_ALG_AES_CMAC_192 

AES-CMAC w/ 192 bit key.

Definition at line 1505 of file nv_te_cryptographic_constants.h.