This type is used to contain Crypto-Service commands.
Enumerator |
---|
CRYPTO_SERVICE_PING | Ping to test communication with TOS Cryptography Service.
- Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_ERROR_BAD_PARAMETERS if parameter types are invalid
-
TEE_SUCCESS if success
|
CRYPTO_SERVICE_ENCRYPT | Perform Encryption operation This API is not implemented.
|
CRYPTO_SERVICE_DECRYPT | Perform Decryption operation This API is not implemented.
|
CRYPTO_SERVICE_DERIVE_KEK | Description
Derive keys from KEK0 with AES-CMAC directly into a key slot.
Perform AES-CMAC base key derivation operation using KEK0 (fuse) key
This API is identical to CRYPTO_SERVICE_DERIVE_KEK2 except that CRYPTO_SERVICE_DERIVE_KEK utilizes KEK0 and CRYPTO_SERVICE_DERIVE_KEK2 utilizes KEK2.
Refer to CRYPTO_SERVICE_DERIVE_KEK2 for information about the parameters, return values, and API behavior of CRYPTO_SERVICE_DERIVE_KEK.
|
CRYPTO_SERVICE_DIGEST_INIT | Description
This command provides functionality to initialize parameters for hash cryptographic operations. The INIT command is typically followed by corresponding UPDATE and DOFINAL commands to successfully complete the Digest(hash) cryptographic operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory to instance an object of the Digest Class, within the context of the currently open session
- Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params
Parameters: - Parameters
-
[in] | params[0].value.a | Digest algorithm identifier (uint32_t);
Valid values:
TEE_ALG_SHA256
TEE_ALG_SHA384
TEE_ALG_SHA512 |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BUSY if Digest context already exists.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types.
-
TEE_ERROR_BAD_PARAMETERS if unsupported digest algorithm.
|
CRYPTO_SERVICE_DIGEST_UPDATE | Description
This command provides functionality to update the stage of hash cryptographic operations. The UPDATE command always follows an INIT command and is followed by the DOFINAL command to succesfully complete the Digest(hash) cryptographic operation. This delivers a block of data. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
- Updating the data memebers of the object
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source plaintext buffer for Digest operation |
[in] | params[1].memref.size | Size of source buffer (uint32_t)
Max range:
1024 bytes |
[out] | params[2].memref.buffer | Destination ciphertext buffer for Digest operation |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t) this value is updated by TOS Cryptography Service
Max range:
1024 bytes |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if source length is greater than max support size. Or if source buffer is null.
-
TEE_ERROR_BAD_PARAMETERS if destination buffer is NULL
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed
-
TEE_ERROR_GENERIC in case of error.
|
CRYPTO_SERVICE_DIGEST_DO_FINAL | Description
This command provides functionality to update the stage of hash cryptographic operations. The DO_FINAL command typically follows an INIT command or/and UPDATE command to succesfully complete the Digest(hash) cryptographic operation. This delivers a block of data and finishes the operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
- Updating the data memebers of the object
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source plaintext buffer for Digest operation |
[in] | params[1].memref.size | Size of source buffer (uint32_t);
Max range:
1024 bytes |
[out] | params[2].memref.buffer | Destination ciphertext buffer for Digest operation |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Max range:
1024 bytes |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if source length is greater than max support size.
-
TEE_ERROR_BAD_PARAMETERS if destination buffer is NULL
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed
-
TEE_ERROR_GENERIC in case of error.
|
CRYPTO_SERVICE_DIGEST_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
|
CRYPTO_SERVICE_AES_INIT | Description
This command provides functionality to initialize parameters for AES symmetric-key cryptography operations. The INIT command is typically followed by corresponding UPDATE and DOFINAL commands to successfully complete an AES cryptography operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory to instance an object of the AES Class, within the context of the currently open session
- Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params
Parameters: - Parameters
-
[in] | params[0].value.a | AES algorithm identifier (uint32_t)
Valid values:
TEE_ALG_AES_ECB_NOPAD
TEE_ALG_AES_CBC_NOPAD
TEE_ALG_AES_CTR
NV_TE_ALG_AES_ECB
NV_TE_ALG_AES_CBC
NV_TE_ALG_AES_CBC_256
NV_TE_ALG_AES_CBC_256_NOPAD
NV_TE_ALG_AES_CMAC_128
NV_TE_ALG_AES_CMAC_256 |
[in] | params[0].value.b | AES operation mode identifier (uint32_t);
Valid values:
TEE_MODE_ENCRYPT
TEE_MODE_DECRYPT |
In case of TEE_ALG_AES_CTR algorithm - Parameters
-
[in,out] | params[1].memref.buffer | Initialization vector (const uint8_t*) |
[in,out] | params[1].memref.size | Size of initialization vector (uint32_t)
Valid values:
16 bytes |
In case of other supported algorithms - Parameters
-
[in] | params[1].memref.buffer | Initialization vector (const uint8_t*) |
[in] | params[1].memref.size | Size of initialization vector (uint32_t)
Valid values:
16 bytes
Note: For all modes that don't require IV value and this paramType must be set to TYPE_NONE |
If not using a keyslot to supply key
- Parameters
-
[in] | params[2].memref.buffer | Optional key material in plaintext (const uint8_t*) |
[in] | params[2].memref.size | Size of buffer containing key material (uint32_t)
Valid values:
16 bytes
32 bytes |
[in] | params[3].value.a | Set to zero |
[in] | params[3].value.b | Maximum number of data blocks will be sent in update and do_final |
OR, if using a keyslot to supply key
- Parameters
-
[in] | params[2].value.a | Key Size in bytes (uint32_t) |
[in] | params[3].value.a | Opaque handle to keyslot returned with the appropriate AES key installed (uint32_t) |
[in] | params[3].value.b | Maximum number of data blocks will be sent in update and do_final |
Return Values - Returns
- TEE_ERROR_BUSY if AES context already exists
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_GENERIC if key size is other than 16 or 32.
-
TEE_ERROR_BAD_PARAMETERS if key size is greater than 32.
-
TEE_ERROR_GENERIC Unable in instantiate object of class
-
TEE_SUCCESS Command successful, no errors
|
CRYPTO_SERVICE_AES_UPDATE | Description
This command provides functionality to update the stage of AES symmetric-key cryptography operations. The UPDATE command typically follows an INIT command and is followed by the DOFINAL command to succesfully complete an AES cryptography operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
- Updating the data memebers of the object
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source buffer for AES operation (ciphertext/plaintext depending on operation mode) |
[in] | params[1].memref.size | Size of source buffer (uint32_t);
Valid range:
256 bytes |
[out] | params[2].memref.buffer | Destination buffer for AES operation (ciphertext/plaintext depending on operation mode) |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Valid range:
256 bytes |
[in] | params[3] | NONE |
Return Values - Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_GENERIC if source or destination length is more than supported size.
-
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_AES_DO_FINAL | Description
This command provides functionality to update the stage of AES symmetric-key cryptography operations. The DO_FINAL command typically follows an INIT command or and UPDATE command to succesfully complete an AES cryptography operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
- Updating the data memebers of the object
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source buffer for AES operation (ciphertext/plaintext depending on operation mode) |
[in] | params[1].memref.size | Size of source buffer (uint32_t);
Valid range:
256 bytes |
[out] | params[2].memref.buffer | Destination buffer for AES operation (ciphertext/plaintext depending on operation mode) |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Valid range:
256 bytes |
[in] | params[3] | NONE |
Return Values - Returns
- TEE_SUCCESS Command successful, no errors
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_GENERIC if source or destination length is greater than supported size.
-
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_AES_FREE | Description
To release under layer context, and reset operation.
Parameters: params[0]: none params[1]: none params[2]: none params[3]: none - Returns
- TEE_ERROR_BAD_PARAMETERS Failed input parameter validation
-
TEE_ERROR_GENERIC No exist AES operation to free
-
TEE_SUCCESS Command successful, no errors
|
CRYPTO_SERVICE_MAC_INIT | Description
This command provides functionality to initialize parameters for Message Authentication Code(MAC) cryptographic operations. The INIT command is typically followed by corresponding UPDATE and DOFINAL commands to successfully complete the MAC cryptographic operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory to instance an object of MAC Class, within the context of the currently open session
- Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params
Parameters: - Parameters
-
[in] | params[0].value.a | MAC algorithm identifier (uint32_t);
Valid values:
NV_TE_ALG_AES_CMAC_128
NV_TE_ALG_AES_CMAC_256
TEE_ALG_HMAC_SHA256
TEE_ALG_HMAC_SHA384
TEE_ALG_HMAC_SHA512 |
[in] | params[1] | NONE |
If not using a keyslot to supply key
- Parameters
-
[in] | params[2].memref.buffer | Buffer containing public key |
[in] | params[2].memref.size | Size of public key (uint32_t);
Valid values:
16 bytes
32 bytes |
[in] | params[3].value.a | Set this to zero |
OR, if using a keyslot to supply key
Note: SE HW supports using HW keyslots for AES based MAC algos only
- Parameters
-
[in] | params[2].value.a | key_size of the key in key slot |
[in] | params[3].value.a | key slot handle of the keyslot holding the key. |
[in] | params[3].value.b | Specifies whether the MAC operation incase of CMAC is for generation or verification purpose.
Valid values:
CMAC_VERIFY
CMAC_GENERATE |
- Returns
- TEE_ERROR_BUSY MAC context already exists
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_GENERIC if key size is other than 16 or 32.
-
TEE_ERROR_BAD_PARAMETERS if key size is greater than 32.
-
TEE_ERROR_GENERIC Unable in instantiate object of class or any other error.
-
TEE_SUCCESS if command is successful, no errors
|
CRYPTO_SERVICE_MAC_UPDATE | Description
This command provides functionality to update the stage of MAC cryptographic operation. The UPDATE command always follows an INIT command and is followed by the DOFINAL command to succesfully complete the MAC cryptographic operation. This delivers a block of data. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
- Updating the data memebers of the object
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source plaintext buffer for MAC operation |
[in] | params[1].memref.size | Size of source buffer (uint32_t)
Valid range:
1024 bytes |
[out] | params[2].memref.buffer | Destination buffer for MAC operation |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t) this value is updated by TOS Cryptography Service |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_MAC_DO_FINAL | Description
This command provides functionality to update the stage of MAC cryptographic operations. The DO_FINAL command typically follows an INIT command or/and UPDATE command to succesfully complete the MAC cryptographic operation. This delivers a block of data and finishes the operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating DMA memory to store the source and destination buffers, within the context of the currently open session
- Updating the data memebers of the object
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source buffer for MAC operation |
[in] | params[1].memref.size | Size of source buffer (uint32_t);
Valid range:
1024 bytes |
[in,out] | params[2].memref.buffer | Destination buffer for MAC operation |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t); this value is updated by TOS Cryptography Service
Valid range:
1024 bytes |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_MAC_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_ERROR_BAD_PARAMETERS Failed input parameter validation
-
TEE_ERROR_GENERIC No exist MAC operation to free
-
TEE_SUCCESS Command successful, no errors
|
CRYPTO_SERVICE_RSA_HANDLE_REQUEST | Description
This command provides functionality for RSA sign or verify operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory to instance an object of the Digest Class, within the context of the currently open session
- Initializing the data members of the newly instanced object with client provided values, sent as part of operation params
- Perform sign or verify operation.
Parameters: - Parameters
-
[in] | params[0].value.a | RSA algorithm identifier (uint32_t);
Valid values:
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384
TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512
TEE_ALG_RSASSA_PKCS1_V1_5_SHA256
TEE_ALG_RSASSA_PKCS1_V1_5_SHA384
TEE_ALG_RSASSA_PKCS1_V1_5_SHA512 |
[in] | params[0].value.b | RSA operation mode (uint32_t);
Valid values:
TEE_MODE_VERIFY
TEE_MODE_SIGN |
[in] | params[1].memref.buffer | Digest or plaintext source data buffer for RSA operation |
[in] | params[1].memref.size | Size of source buffer (uint32_t); |
In case of RSA verify operation
- Parameters
-
[in] | params[2].memref.buffer | Source buffer with signature data |
[in] | params[2].memref.size | Size of source buffer (uint32_t);
Valid range:
1024 bytes |
In case of RSA sign operation
- Parameters
-
[out] | params[2].memref.buffer | Destination signed data buffer |
[in,out] | params[2].memref.size | Size of destination buffer (uint32_t);
Valid range:
1024 bytes |
[in] | params[3].value.a | PKA1 key slot handle |
[out] | params[3].value.a | Result of RSA operation. Meaningful only if operation succeeds |
[in] | params[3].value.b | RSA operation flag, 1: source is digest; 0: source is raw data |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if digest size or signature size is more than max supported size.
-
TEE_ERROR_BAD_PARAMETERS if digest or signature buffer is null.
-
TEE_ERROR_BAD_PARAMETERS if invalid keyslot type or keyslot handle is 0.
-
TEE_ERROR_NOT_SUPPORTED if unsupported algorithm is given as input.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC if: Failed to get key slot index. OR Failed to setup crypto context. OR RSA operation failed.
|
CRYPTO_SERVICE_DRBG_GENERATE | Description
This command provides functionality to generate DRBG random number This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory for HW context and command arguments.
- Initializing the data memebers to command argument with client provided values, sent as part of operation params
- Perform Crypto operation to generate random number.
Parameters: - Parameters
-
[out] | params[0].memref.buffer | Destination buffer to store random number |
[in] | params[0].memref.size | Size of destination buffer (uint32_t)
Valid range:
1024 bytes |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if input buffer is more than max supported size.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC if crypto operation failed
|
CRYPTO_SERVICE_REQUEST_SE_KEYSLOT | Description
This command provides functionality to request a key slot with specific type. It is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Set requested parameters to keyslot.
Parameters: - Parameters
-
[in] | params[0].value.a | Valid Keyslot type.
Valid values:
KEYSLOT_TYPE_AES
KEYSLOT_TYPE_PKA1 |
[in] | params[0].value.b | Valid Keyslot usage info.
Valid values:
For KEYSLOT_TYPE_AES: KEYSLOT_USAGE_ENCRYPT, KEYSLOT_USAGE_DECRYPT, KEYSLOT_USAGE_MAC and KEYSLOT_USAGE_DERIVE
For KEYSLOT_TYPE_PKA1: KEYSLOT_USAGE_SIGN KEYSLOT_USAGE_VERIFY |
[out] | params[1].value.a | Pointer to returned keyslot handle (KeySlotHandle*). |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types
-
TEE_ERROR_BAD_PARAMETERS if unknown keyslot usage.
-
TEE_ERROR_BAD_STATE if KeySlotMgr is not initialized
-
TEE_ERROR_ACCESS_DENIED if caller is not a valid keyslot owner
-
TEE_ERROR_BUSY if keyslot is in use
|
CRYPTO_SERVICE_UPDATE_SE_KEYSLOT | Description
This command provides functionality to set a key slot with key material. It is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Set requested parameters to keyslot.
PKA1 Keyslot Parameters
- Parameters
-
[in] | params[0].value.a | Valid Keyslot type.
Valid values: KEYSLOT_TYPE_PKA1 |
[in] | params[0].value.b | PKA1 key flag
Valid range:
0: RSA Key in little endianness
1: RSA Key in big endianness
2: ECDSA Nist curve point X and Y
3: EDDSA Nist curve compressed point |
[in] | params[1].value.a | KeySlotHandle handle (handle of key slot to write.) |
[in] | params[1].value.b | RSA key Montgomery flag, not meningful for EC key
0: RSA key without Montgomery values.
1: RSA key with Montgomery values. |
[in] | params[2].memref.buffer | RSA key exponent, or EC pointX |
[in] | params[2].memref.size | RSA key exponent size, EC pointX size
Valid range:
RSA key exponent, 4 bytes to 512 bytes
EC key pointX, 32 bytes |
[in] | params[3].memref.buffer | RSA key modulus, or ECDSA pointY |
[in] | params[3].memref.size | RSA modulus size, or ECDSA pointY size |
[in] | params[3],None,in | case of ED25519 key
Valid range:
RSA modulus, 256 bytes to 512 bytes
ECDSA PointY, 32 bytes |
AES Keyslot Parameters
- Parameters
-
[in] | params[0].value.a | Valid Keyslot type.
Valid values: KEYSLOT_TYPE_AES |
[in] | params[0].value.b | 0: KCV check disabled; 1: KCV check enabled |
[in] | params[1].value.a | KeySlotHandle handle (handle of key slot to write.) |
[in] | params[2].memref.buffer | AES key material |
[in] | params[2].memref.size | AES key size
Valid range:
16 bytes or 32 bytes |
[in] | params[3].value.b | Valid KCV value if KCV check is enabled |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BAD_PARAMETERS if keyslot owner VMID check failed. Or if failed to get keyslot
-
TEE_ERROR_BAD_PARAMETERS if modulusOrIvSize or exponentOrKeySize is out of range(UINT32_MAX bits)
-
TEE_ERROR_GENERIC if failed to set key and/or iv in case of AES keyslot type
-
TEE_ERROR_GENERIC if failed to generate random number in case of AES keyslot type
-
TEE_ERROR_OUT_OF_MEMORY if dynamic memory allocation failed in case of AES keyslot
-
TEE_ERROR_GENERIC if key size is invalid.
-
TEE_ERROR_GENERIC if failed to write keyslot in case of PKA1 keyslot type
|
CRYPTO_SERVICE_RELEASE_SE_KEYSLOT | Description
This command provides functionality to release a key slot. It is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Release the given keyslot.
Parameters: - Parameters
-
[in] | params[0].value.a | Valid Keyslot type of the key slot to release.
Valid values:
KEYSLOT_TYPE_AES
KEYSLOT_TYPE_PKA1 |
[in] | params[1].value.a | KeySlotHandle handle (of key slot to release.) |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BAD_PARAMETERS if keyslot owner VMID check failed. Or if failed to get keyslot.
-
TEE_ERROR_GENERIC if failed to release keyslot
|
CRYPTO_SERVICE_UNWRAP_KEY | Description
This command provides functionality to unwrap key to AES keyslot It is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Unwrap the key.
Parameters: - Parameters
-
[in] | params[0].value.a | Supported algorithm.
Valid values:
TEE_ALG_AES_ECB_NOPAD
TEE_ALG_AES_CBC_NOPAD
TEE_ALG_AES_CTR
NV_TE_ALG_AES_ECB
NV_TE_ALG_AES_CBC
NV_TE_ALG_AES_CBC_256
NV_TE_ALG_AES_CBC_256_NOPAD |
[in] | params[0].value.b | target keyslot handle |
[in] | params[1].memref.buffer | Initialization vector (IV) |
[in] | params[1].memref.size | Size of initialization vector (uint32_t) Valid values: 0 byte for AES_ECB and AES_ECB_NOPAD algorithm, 16 bytes otherwise |
If using plain key text for unwrapping key
- Parameters
-
[in] | params[2].memref.buffer | Unwrapping key. |
[in] | params[2].memref.size | Key Size in bytes (uint32_t). Valid range: 16 bytes 32 bytes |
OR, if using keyslot for unwrapping key
- Parameters
-
[in] | params[2].value.a | keyslot handle for unwrapping key. |
[in] | params[2].value.b | Key Size in bytes (uint32_t) Valid range: 16 bytes 32 bytes |
[in] | params[3].memref.buffer | wrapped Key |
[in] | params[3].memref.size | wrapped key size
Valid range:
16-bytes for _CBC and
32-bytes for _CBC_256 |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BAD_PARAMETERS if unwrapping key, wrapped key is NULL.
-
TEE_ERROR_BAD_PARAMETERS if IV is NULL in case of non ECB & ECB_NOPAD algorithm
-
TEE_ERROR_BAD_PARAMETERS if keyslot is invalid. Or if unsupported AES algorithm
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation for the key failed
-
TEE_ERROR_GENERIC if keysize is invalid
-
TEE_ERROR_GENERIC if SE operation failed
|
CRYPTO_SERVICE_AES_CCM_INIT | Description
This command provides functionality to initialize parameters for AES-CCM cryptographic operations. The INIT command is always followed by corresponding HANDLE_REQUEST and FREE commands to successfully complete the AES-CCM cryptographic operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory to instance an object of CCM Class, within the context of the currently open session
- Initializing the data memebers of the newly instanced object with client provided values, sent as part of operation params
Parameters: - Parameters
-
[in] | params[0].value.a | Tag length |
[in] | params[0].value.b | Valid operation mode
Valid values:
TEE_MODE_ENCRYPT
TEE_MODE_DECRYPT |
[in] | params[1].memref.buffer | nonce |
[in] | params[1].memref.size | nonce size |
If not using a keyslot to supply key
- Parameters
-
[in] | params[2].memref.buffer | Buffer containing public key |
[in] | params[2].memref.size | Size of public key (uint32_t);
Valid values:
16 or 32 bytes |
[in] | params[3].value.a | Set this to zero |
If using keyslot to supply key
- Parameters
-
[in] | params[2].value.a | contains key size of the key in keyslot |
[in] | params[3].value.a | key slot handle of the keyslot holding the key. |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BUSY CCM context already exists.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_BAD_PARAMETERS if invalid keyslot. Or if unsupported CCM operation mode.
-
TEE_ERROR_BAD_PARAMETERS if key size is more than 32 bytes.
-
TEE_ERROR_GENERIC is key size is other than supported size of 16 or 32 bytes
|
CRYPTO_SERVICE_CCM_HANDLE_REQUEST | Description
This command provides functionality to perfor CCM DoFinal operation. This command is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Allocating memory for source and destination buffer.
- Perform CCM operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1].memref.buffer | Source data buffer |
[in] | params[1].memref.size | Size of source buffer (uint32_t);
Valid range:
1024 bytes |
[out] | params[2].memref.buffer | Destination data buffer |
[out] | params[2].memref.size | Size of destination data buffer (uint32_t);
Valid range:
1024 bytes |
[in] | params[3].memref.buffer | AAD buffer |
[in] | params[3].memref.size | Size of AAD buffer (uint32_t);
Valid range:
1024 bytes |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is more than max supported size.
-
TEE_ERROR_GENERIC if source, destination or AAD buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory for src and dest buffer
-
TEE_ERROR_GENERIC if SE crypto operation failed
|
CRYPTO_SERVICE_CCM_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if parameters are invalid
-
TEE_ERROR_GENERIC if error occured while freeing CCM context
|
CRYPTO_SERVICE_ECDSA_INIT | Description
ECDSA initialize parameters, supports verification only.
Requirments for ECDSA:
1. ASN.1 DER format signature in big endian, which is Openssl compatible.
2. Big endian point coordinates.
3. Digested source data. Parameters: - Parameters
-
[in] | params[0].value.a | Supported algorithm identifier
Valid values:
TEE_ALG_ECDSA_SHA256 |
[in] | params[0].value.b | supported Curve ID
Valid values:
TEE_ECC_CURVE_NIST_P256 |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types.
-
TEE_ERROR_BUSY if EC object already exist.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_GENERIC if SE INIT operation failed
|
CRYPTO_SERVICE_ECDSA_SET_KEY | Description
ECDSA set_key parameters.
Parameters: - Parameters
-
[in] | params[0].memref.buffer | Buffer containing raw source data. |
[in] | params[0].memref.size | Size of buffer containing point X (uint32_t); |
[in] | params[1].memref.buffer | Buffer containing point Y. |
[in] | params[1].memref.size | Size of buffer containing point Y (uint32_t); |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
-
TEE_ERROR_BAD_PARAMETERS if x_size or y_size is > TE_MAX_ECC_BYTES
-
TEE_ERROR_GENERIC if SE SET_KEY operation failed
|
CRYPTO_SERVICE_ECDSA_DO_FINAL | Description
Deliver a block of data and finishes the operation.
Parameters: - Parameters
-
[in] | params[0].memref.buffer | Source buffer containing digest |
[in] | params[0].memref.size | Size of buffer containing digest (uint32_t);
Valid range:
1024 bytes |
[in] | params[1].memref.buffer | Buffer containing signature |
[in] | params[1].memref.size | Size of signature (uint32_t);
Valid range:
maximum 1792 bytes |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer.
-
TEE_ERROR_BAD_PARAMETERS if digest or signature buffer length is more than max supported size.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
-
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
|
CRYPTO_SERVICE_ECDSA_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported parameter types.
|
CRYPTO_SERVICE_ED25519_INIT | Description
ED25519 initialize parameters, supports verification only.
Requirments for ED25519:
1. Little endian signature, 64 bytes in all.
2. Little endian commpressed point.
3. Raw message source data in little endian or pre-hash data. Parameters: - Parameters
-
[in] | params[0].value.a | Supported algorithm identifier
Valid values:
TEE_ALG_ED25519
NV_TE_ALG_ED25519PH |
[in] | params[0].value.b | supported Curve ID
Valid values:
TEE_ECC_CURVE_25519 |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported parameter types.
-
TEE_ERROR_BUSY if EC object already exist.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
-
TEE_ERROR_GENERIC if SE INIT operation failed
|
CRYPTO_SERVICE_ED25519_SET_KEY | Description
ED25519 set_key parameters.
Parameters: - Parameters
-
[in] | params[0].memref.buffer | Buffer containing compressed_point |
[in] | params[0].memref.size | Size of buffer containing compressed_point(uint32_t); |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
-
TEE_ERROR_BAD_PARAMETERS if compressed_point > CCC_ED25519_COMPRESSED_POINT_SIZE
-
TEE_ERROR_GENERIC if SE SET_KEY operation failed
|
CRYPTO_SERVICE_ED25519_DO_FINAL | Description
Deliver a block of data and finishes the operation.
Parameters: - Parameters
-
[in] | params[0].memref.buffer | Source buffer containing raw message or digest |
[in] | params[0].memref.size | Size of buffer containing raw message or digest (uint32_t);
Valid range:
maximum 1792 bytes |
[in] | params[1].memref.buffer | Buffer containing signature |
[in] | params[1].memref.size | Size of signature (uint32_t);
Valid range:
1024 bytes |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
-
TEE_ERROR_BAD_PARAMETERS if digest or signature buffer length is more than max supported size
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
-
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
|
CRYPTO_SERVICE_ED25519_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
-
TEE_ERROR_GENERIC if failed to free ED25519 context
|
CRYPTO_SERVICE_DERIVE_KEY | Description
Derive key using AES-CMAC into a key slot.
Parameters: - Parameters
-
[in] | params[0].value.a | Contains target keyslot handle |
[in] | params[1].memref.buffer | Containing source buffer |
[in] | params[1].memref.size | Size of source data (uint32_t);
Valid range:
1024 bytes |
if using key - Parameters
-
[in] | params[2].memref.buffer | Containing key |
[in] | params[2].memref.size | Size of key (uint32_t);
Valid values:
16 or 32 bytes |
OR, if using a keyslot to supply key - Note
- The KeySlot should be requested for KEYSLOT_USAGE_DERIVE usage.
- Parameters
-
[in] | params[2].value.a | key_size, in case of using key slot |
[in] | params[3].value.a | Source keySlot handle |
- Note
- if input key materials are in key slot already, set this, and also key size in params[2].value.a. otherwise, set this to zero!
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
-
TEE_ERROR_BAD_PARAMETERS if fialed to check keyslot owner
-
TEE_ERROR_BAD_PARAMETERS if fialed to get keyslot index
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
-
TEE_ERROR_GENERIC if key size is invalid
-
TEE_ERROR_GENERIC if failed to generate random number
-
TEE_ERROR_GENERIC if failed to set IV
-
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
|
CRYPTO_SERVICE_SET_KEYSLOT_OIV | Description
To set random generated IV to an AES key slot
Parameters: - Parameters
-
[in] | params[0].value.a | keyslot type
Valid values: KEYSLOT_TYPE_AES |
[in] | params[1].value.a | keyslot handle |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
-
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner VMID
-
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner
-
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot
-
TEE_ERROR_GENERIC if failed to write keyslot
|
CRYPTO_SERVICE_DERIVE_KEK2 | Description
Derive keys from KEK2 with AES-CMAC directly into a key slot.
Perform AES-CMAC base key derivation operation using KEK2 (fuse) key Parameters: - Parameters
-
[in] | params[0].value.a | target key slot handle |
[in] | params[0].value.b | 1: if KCV check is enabled; 0: otherwise |
[in] | params[1].memref.buffer | Containing source buffer |
[in] | params[1].memref.size | Size of source data (16 or 32 bytes) |
[in] | params[2].value.a | KEK key size, 16 or 32 bytes, respectively. |
[in] | params[3].value.a | Valid KCV value if KCV check is enabled |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameter types
-
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner
-
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot index
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
-
TEE_ERROR_GENERIC if failed to generate random number
-
TEE_ERROR_GENERIC if failed to set IV
-
TEE_ERROR_GENERIC if SE DO_FINAL operation failed
|
CRYPTO_SERVICE_GENERATE_AES_KEY | Description
This command provides functionality to generate a AES key Supported Key Size: 128 bits Pre-allocated AES key in a keyslot is required for this operation API returns a wrapped key It is responsible for the following operations:
- Input validation of incoming parameters based on the various permutations of valid input values
- Generate a key using DRBG
- Encrypt with AES-CBC and return the wrapped key
Parameters: - Parameters
-
[in] | params[0].value.a | keysize of key in keyslot |
[in] | params[0].value.b | keyslot handle |
[in,out] | params[1].memref.buffer | As input param, it stores the caller supplied initialization vector. As output param, it stores the calulated KCV of the randomly generated key. |
[in,out] | params[1].memref.size | As input parameter it stores initialization vector size. As output parameter it stores the size of KCV buffer. |
[out] | params[2].memref.buffer | Destination buffer for encrypted key |
[out] | params[2].memref.size | Destination buffer size |
[in] | params[3].value.a | Key size to generate |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_DERIVE_KEY_NIST_SP800_108 | Description
Derive key using NIST SP800-108 compliant KDF (AES-CMAC based) into a key slot.
Parameters: - Parameters
-
[in] | params[0].value.a | Contains target keyslot handle. |
[in] | params[0].value.b | Contains derived key size. |
[in] | params[1].memref.buffer | Containing label buffer. |
[in] | params[1].memref.size | Size of label data (uint32_t). |
[in] | params[2].memref.buffer | Containing context buffer. |
[in] | params[2].memref.size | Size of context data (uint32_t). |
if using key - Parameters
-
[in] | params[3].memref.buffer | Containing key. |
[in] | params[3].memref.size | Size of key (uint32_t).
Valid values:
16 or 32 bytes |
OR, if using a keyslot to supply key - Note
- The KeySlot should be requested for KEYSLOT_USAGE_DERIVE usage.
- Parameters
-
[in] | params[3].value.a | Source KeySlot handle. |
[in] | params[3].value.b | size of key. |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameter types.
-
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner.
-
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot index.
-
TEE_ERROR_BAD_PARAMETERS if invalid keyslot usage info.
-
TEE_ERROR_BAD_PARAMETERS if invalid target keyslot.
-
TEE_ERROR_BAD_PARAMETERS if unsupported key length.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_GENERIC if failed to clean keyslot.
-
TEE_ERROR_GENERIC if failed to generate random number.
-
TEE_ERROR_GENERIC if operation context setup failed.
-
TEE_ERROR_GENERIC if SE DO_FINAL operation failed.
-
TEE_ERROR_BAD_STATE if failed to derive key in target keyslot.
|
CRYPTO_SERVICE_WRAP_KEK0_DERIVATION | Description
Derive keys from 128 bits KEK0 with AES-CMAC, and then encrypt/wrap the derived key with AES-CBC and return a memory buffer constained the wrapped key.
Parameters: - Parameters
-
[out] | params[0].memref.buffer | Contains the wrapped result |
[out] | params[0].memref.size | Size of the wrapped reslut |
[in] | params[1].memref.buffer | Contains source buffer |
[in] | params[1].memref.size | Size of source data (<=1024 bytes) |
[in] | params[2].memref.buffer | Contains IV. |
[in] | params[2].memref.size | Size of IV |
[in] | params[3].value.a | Contains size of the wrapping root key. |
[in] | params[3].vaule.b | Contains keyslot handle of the wrapping root key. |
returns: - Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameters
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory
-
TEE_ERROR_GENERIC if any other errors.
|
CRYPTO_SERVICE_WRAP_KEK2_DERIVATION | Description
Same as CRYPTO_SERVICE_WRAP_KEK0_DERIVATION except using KEK2 to derive.
|
CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK0 | Description
Derive key materials with 128 bits KEK0 using NIST SP800-108 complaint KDF(AES-CMAC based) into a key slot.
Parameters: - Parameters
-
[in] | params[0].value.a | Contains target keyslot handle. |
[in] | params[0].value.b | Contains derived key size in bit.
Valid values:
128 or 256 bits |
[in] | params[1].memref.buffer | Containing label buffer. |
[in] | params[1].memref.size | Size of label data (uint32_t). |
[in] | params[2].memref.buffer | Containing context buffer. |
[in] | params[2].memref.size | Size of context data (uint32_t). |
[in] | params[3] | NONE. |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if wrong parameter types.
-
TEE_ERROR_BAD_PARAMETERS if failed to check keyslot owner.
-
TEE_ERROR_BAD_PARAMETERS if failed to get keyslot index.
-
TEE_ERROR_BAD_PARAMETERS if invalid keyslot usage info.
-
TEE_ERROR_BAD_PARAMETERS if invalid target keyslot.
-
TEE_ERROR_BAD_PARAMETERS if unsupported key length.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_GENERIC if failed to clean keyslot.
-
TEE_ERROR_GENERIC if failed to generate random number.
-
TEE_ERROR_GENERIC if operation context setup failed.
-
TEE_ERROR_GENERIC if SE DO_FINAL operation failed.
-
TEE_ERROR_BAD_STATE if failed to derive key in target keyslot.
|
CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK2 | Description
Same as CRYPTO_SERVICE_NIST_SP800_108_DERIVE_FROM_KEK0 except using KEK2 to derive.
|
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_INIT_CCM | Description
This command provides functionality to initialize parameters for AES CCM symmetric-key decryption operation in the compound operation of rewrapping the result of a CCM decryption operation.
Parameters: - Parameters
-
[in] | params[0].value.a | Tag Length |
[in] | params[1].memref.buffer | nonce |
[in] | params[1].memref.size | nonce size |
[in] | params[2].value.a | contains key size of the key in keyslot. Valid value: 16 bytes |
[in] | params[3].value.a | key slot handle of the keyslot holding the key. |
- Returns
- TEE_SUCCESS if success.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null buffer.
-
TEE_ERROR_BUSY CCM context already exists.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_BAD_PARAMETERS if invalid keyslot Or, if unsupported CCM operation mode.
-
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
|
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_INIT_CBC | Description
This command provides functionality to initialize parameters for AES CBC symmetric-key encryption operation in the compound operation of rewrapping the result of a CCM decryption operation.
Parameters: - Parameters
-
[in] | params[2].memref.buffer | Initialization vector (IV). |
[in] | params[2].memref.size | Size of initialization vector (uint32_t). Valid values: 16 bytes |
[in] | params[3].value.a | Keyslot handle to the key used for re-wrapping. |
[in] | params[3].value.b | Size of key used for re-wrapping. Valid Values: 16 bytes |
Return Values - Returns
- TEE_ERROR_BUSY if AES context already exists.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
-
TEE_ERROR_GENERIC Unable in instantiate object of class
-
TEE_SUCCESS Command successful, no errors.
|
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_HANDLE_OPERATION | Description
This command provides functionality to perform a. CCM DoFinal operation to decrypt a buffer by using a client supplied key. b. Store the unwrapped key in device mapped TZSYSRAM. c. AES DoFinal to rewrap the unwrapped key with AES-128-CBC-NOPAD using a key that is already loaded in a keyslot. d. The wrapped output is returned to the caller.
Parameters: - Parameters
-
[in] | params[1].memref.buffer | Source data buffer. |
[in] | params[1].memref.size | Size of source buffer (uint32_t);
Valid range:
1024 bytes. |
[in] | params[2].memref.buffer | AAD buffer. |
[in] | params[2].memref.size | Size of AAD buffer (uint32_t);
Valid range:
1024 bytes |
[out] | params[3].memref.buffer | Destination data buffer. |
[out] | params[3].memref.size | Size of destination data buffer (uint32_t);
Valid range:
1024 bytes |
- Returns
- TEE_SUCCESS Command successful, no errors
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_GENERIC if source or destination length is greater than supported size.
-
TEE_ERROR_BAD_PARAMETERS if source or destination length is greater than 1024 bytes.
-
TEE_ERROR_BAD_PARAMETERS if source or destination buffer is null.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_CCM_UNWRAP_CBC_WRAP_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if parameters are invalid.
-
TEE_ERROR_GENERIC if error occured while freeing CBC & CCM context.
|
CRYPTO_SERVICE_REWRAP_DERIVED_KEY_INIT | Description
This command provides functionality to initialize parameters for AES-CBC symmetric-key encryption operation in the compound operation of wrapping user key derivation.
Parameters: - Parameters
-
[in] | params[2].memref.buffer | Initialization vector (IV). |
[in] | params[2].memref.size | Size of initialization vector (uint32_t).
Valid values: 16 bytes |
[in] | params[3].value.a | Keyslot handle to the key used for re-wrapping of derived key. |
[in] | params[3].value.b | Size of key used for re-wrapping.
Valid Values: 16 bytes |
Return Values - Returns
- TEE_ERROR_BUSY if AES context already exists.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
-
TEE_ERROR_GENERIC Unable in instantiate object of class
-
TEE_SUCCESS Command successful, no errors.
|
CRYPTO_SERVICE_REWRAP_DERIVE_KEY_HANDLE_OPERATION | Description
This command provides the functionality to: a. Perform key derivation using NIST-SP800-108 compliant (AES-CMAC) based KDF from a caller supplied root key, label and context. b. The derived key is stored in buffer allocated from TZSysram. c. Wrapping of derived key is performed using caller supplied key using AES-CBC algorithm. d. The wrapped Key along with the KCV is returned back to the caller.
Parameters: - Parameters
-
[in,out] | params[0].memref.buffer | As input param it stores the caller supplied context. As output param it stores the wrapped Key. |
[in,out] | params[0].memref.size | As input param, it stores the size of buffer which should be sufficient to hold the wrapped key as well as the context string. As output param, it stores the actual size of wrapped key.
Valid Range:
16 Bytes to 502 bytes |
[in,out] | params[1].memref.buffer | As input param it stores the caller supplied label string. As output param it stores the calulated KCV of the derived key. |
[in] | params[1].memref.size | As input param it stores the size of buffer which should be sufficient to hold the derived key KCV and the label string.
Valid Range:
16 Bytes to 502 bytes |
[in] | params[2].value.a | It stores the keyslot handle of the caller supplied root Key. |
[in] | params[2].value.b | It stores the derived key length in bits.
Valid Values:
128 bits and 256 bits |
[in] | params[3].value.a | It stores the length of caller supplied label string. |
[in] | params[3].value.b | It stores the length of caller supplied context string. |
- Returns
- TEE_SUCCESS Command successful, no errors
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_GENERIC if source or destination length is greater than supported size.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_REWRAP_DERIVE_KEY_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if parameters are invalid.
-
TEE_ERROR_GENERIC if error occured while freeing CBC context.
|
CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_INIT | Description
This command provides functionality to initialize parameters for AES-CBC symmetric-key encryption operation in the compound operation of wrapping the KEK Derivation.
Parameters: - Parameters
-
[in] | params[2].memref.buffer | Initialization vector (IV). |
[in] | params[2].memref.size | Size of initialization vector (uint32_t). valid values: 16 bytes |
[in] | params[3].value.a | Keyslot handle to the key used for wrapping the derived key. |
[in] | params[3].value.b | Size of key used for re-wrapping. valid values: 16 bytes |
Return Values - Returns
- TEE_ERROR_BUSY if AES context already exists.
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_BAD_PARAMETERS if invalid IV size, algorithm, mode, keyslot and keyslot usage.
-
TEE_ERROR_OUT_OF_MEMORY if failed to allocate memory.
-
TEE_ERROR_BAD_PARAMETERS if key size is different from 16 bytes.
-
TEE_ERROR_GENERIC Unable in instantiate object of class
-
TEE_SUCCESS Command successful, no errors.
|
CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_HANDLE_OPERATION | Description This command provides functionality to perform: a.
Derive key from KEK0/KEK2 keyslot as specified by the caller using NIST SP800-108 compliant (AES-CMAC based) KDF. b. Calculate KCV for the derived key. c. Perform AES DoFinal to wrap the derived key with AES-128-CBC-NOPAD using a key that is already loaded in a keyslot. d. Return the wrapped output to the caller along with the KCV.
- Parameters
-
[in] | params[0].memref.buffer | Containing label buffer. |
[in] | params[0].memref.size | Size of label data (uint32_t). |
[in,out] | params[1].memref.buffer | As input param it stores the context string. As output param it stores the KCV of the derived key. [in, out] params[1].memref.size As input param it stores the size of buffer supplied. As output param it stores the size of KCV buffer returned. valid values: 3 bytes to 502 bytes
Note: Since this is an inout param, the size of buffer should be at least 3 bytes to store the KCV value since context string can be 1 byte as well. |
[out] | params[2].memref.buffer | It stores the wrapped key |
[out] | params[2].memref.size | wrapped key length. valid values: 16 Bytes and 32 Bytes |
[in] | params[3].value.a | It stores the context length. |
[in] | params[3].value.b | It stores the value to determine whether KEK0/KEK2 is to be used for key derivation. valid values: CRYPTO_KEK0_KEYSLOT for KEK0 CRYPTO_KEK2_KEYSLOT for KEK2 |
Return Values - Returns
- TEE_SUCCESS Command successful, no errors
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|
CRYPTO_SERVICE_WRAP_KEK_NISTKDF_DERIVATION_FREE | Description
To release under layer context, and reset operation.
Parameters: - Parameters
-
[in] | params[0] | NONE |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if parameters are invalid.
-
TEE_ERROR_GENERIC if error occured while freeing CBC context.
|
CRYPTO_SERVICE_ECC_SET_KEYSLOT | Set key slot handle for ED25519 or ECDSA operation.
This is exclusive with CRYPTO_SERVICE_ED25519_SET_KEY and CRYPTO_SERVICE_ECDSA_SET_KEY.
Parameters: - Parameters
-
[in] | params[0].value.a | PKA1 Keyslot handle in which ED25519 or ECDSA key is installed. |
[in] | params[1] | NONE |
[in] | params[2] | NONE |
[in] | params[3] | NONE |
- Returns
- TEE_SUCCESS if success
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have wrong parameter types or null buffer
-
TEE_ERROR_GENERIC if SE SET_KEY operation failed
|
CRYPTO_SERVICE_KEY_VALIDATE_KCV | Description This command provides functionality to perform KCV verification for the key which is provided in keyslot handle.
Fcuntionality as below: a. Validate param types b. Calculate KCV for the key in keyslot c. Compare the calculated KCV with the KCV recevieved in input and return the result
- Parameters
-
[in] | params[0].value.a | key slot handle containing the key |
[in] | params[0].value.b | key_size of the key in key slot |
[in] | params[1].memref.buffer | Valid KCV for the key in kesylot |
[in] | params[1].memref.size | KCV size |
Return Values - Returns
- TEE_SUCCESS Command successful, no errors
-
TEE_ERROR_BAD_STATE on KCV mis-match
-
TEE_ERROR_BAD_PARAMETERS if TEE_Param have unsupported param types or null pointer.
-
TEE_ERROR_OUT_OF_MEMORY if memory allocation failed.
-
TEE_ERROR_GENERIC in case of other error.
|