This is an automated email from the ASF dual-hosted git repository. yuanz pushed a commit to branch no-std in repository https://gitbox.apache.org/repos/asf/incubator-teaclave-trustzone-sdk.git
commit d4e7da9780b905dbb77971c43e5c406cb0a4b35d Author: Sumit Garg <[email protected]> AuthorDate: Wed Dec 6 20:34:08 2023 +0530 examples: signature_verification-rs: Rewrite to use GP TEE APIs As of now rust ring crate don't support no_std, so drop that support from TA. mbedtls can be a good alternative supporting no_std if we really need to use a separate user-space library. But here since GP TEE APIs already provides signature/verification APIs so that instead. Signed-off-by: Sumit Garg <[email protected]> --- .../signature_verification-rs/host/src/main.rs | 4 +- .../signature_verification-rs/proto/Cargo.toml | 2 +- .../signature_verification-rs/proto/src/lib.rs | 2 + examples/signature_verification-rs/ta/Cargo.lock | 142 -------------------- examples/signature_verification-rs/ta/Cargo.toml | 14 +- examples/signature_verification-rs/ta/build.rs | 2 +- examples/signature_verification-rs/ta/src/main.rs | 143 ++++++++++++++------- examples/signature_verification-rs/ta/ta_static.rs | 14 +- 8 files changed, 117 insertions(+), 206 deletions(-) diff --git a/examples/signature_verification-rs/host/src/main.rs b/examples/signature_verification-rs/host/src/main.rs index 71e6d66..c3c67ba 100644 --- a/examples/signature_verification-rs/host/src/main.rs +++ b/examples/signature_verification-rs/host/src/main.rs @@ -18,8 +18,8 @@ use optee_teec::{Context, Operation, ParamNone, ParamTmpRef, ParamType, Session, Uuid}; use proto::{Command, UUID}; -const PUBLIC_KEY_SIZE: usize = 32; -const SIGNATURE_SIZE: usize = 64; +const PUBLIC_KEY_SIZE: usize = 259; +const SIGNATURE_SIZE: usize = 256; fn sign( session: &mut Session, diff --git a/examples/signature_verification-rs/proto/Cargo.toml b/examples/signature_verification-rs/proto/Cargo.toml index a12d1c0..284c8d4 100644 --- a/examples/signature_verification-rs/proto/Cargo.toml +++ b/examples/signature_verification-rs/proto/Cargo.toml @@ -27,4 +27,4 @@ edition = "2018" [dependencies] [build_dependencies] -uuid = { version = "0.8" } +uuid = { version = "1.6.1", default-features = false } diff --git a/examples/signature_verification-rs/proto/src/lib.rs b/examples/signature_verification-rs/proto/src/lib.rs index b25e485..ae239a5 100644 --- a/examples/signature_verification-rs/proto/src/lib.rs +++ b/examples/signature_verification-rs/proto/src/lib.rs @@ -15,6 +15,8 @@ // specific language governing permissions and limitations // under the License. +#![no_std] + pub enum Command { Sign, Verify, diff --git a/examples/signature_verification-rs/ta/Cargo.lock b/examples/signature_verification-rs/ta/Cargo.lock deleted file mode 100644 index 13442b2..0000000 --- a/examples/signature_verification-rs/ta/Cargo.lock +++ /dev/null @@ -1,142 +0,0 @@ -# This file is automatically @generated by Cargo. -# It is not intended for manual editing. -version = 3 - -[[package]] -name = "bitflags" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "228047a76f468627ca71776ecdebd732a3423081fcf5125585bcd7c49886ce12" - -[[package]] -name = "cc" -version = "1.0.73" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "2fff2a6927b3bb87f9595d67196a70493f627687a71d87a0d692242c33f58c11" - -[[package]] -name = "hex" -version = "0.3.2" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "805026a5d0141ffc30abb3be3173848ad46a1b1664fe632428479619a3644d77" - -[[package]] -name = "lazy_static" -version = "1.4.0" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" - -[[package]] -name = "libc" -version = "0.2.99" - -[[package]] -name = "optee-utee" -version = "0.2.0" -dependencies = [ - "bitflags", - "hex", - "libc", - "optee-utee-macros", - "optee-utee-sys", - "uuid", -] - -[[package]] -name = "optee-utee-macros" -version = "0.2.0" -dependencies = [ - "quote", - "syn", -] - -[[package]] -name = "optee-utee-sys" -version = "0.2.0" -dependencies = [ - "libc", -] - -[[package]] -name = "proc-macro2" -version = "0.4.30" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759" -dependencies = [ - "unicode-xid", -] - -[[package]] -name = "proto" -version = "0.2.0" -dependencies = [ - "uuid", -] - -[[package]] -name = "quote" -version = "0.6.13" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1" -dependencies = [ - "proc-macro2", -] - -[[package]] -name = "ring" -version = "0.16.11" -source = "git+https://github.com/veracruz-project/ring.git?branch=veracruz#47996e06f9a2cc392091392f010d62e83e9ed0f4"; -dependencies = [ - "cc", - "lazy_static", - "optee-utee", - "spin", - "untrusted", -] - -[[package]] -name = "spin" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" - -[[package]] -name = "syn" -version = "0.15.44" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5" -dependencies = [ - "proc-macro2", - "quote", - "unicode-xid", -] - -[[package]] -name = "ta" -version = "0.2.0" -dependencies = [ - "libc", - "optee-utee", - "optee-utee-sys", - "proto", - "ring", - "uuid", -] - -[[package]] -name = "unicode-xid" -version = "0.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc" - -[[package]] -name = "untrusted" -version = "0.7.1" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a" - -[[package]] -name = "uuid" -version = "0.8.2" -source = "registry+https://github.com/rust-lang/crates.io-index"; -checksum = "bc5cf98d8186244414c848017f0e2676b3fcb46807f6668a97dfe67359a3c4b7" diff --git a/examples/signature_verification-rs/ta/Cargo.toml b/examples/signature_verification-rs/ta/Cargo.toml index 0a5a58a..a1f89c2 100644 --- a/examples/signature_verification-rs/ta/Cargo.toml +++ b/examples/signature_verification-rs/ta/Cargo.toml @@ -25,22 +25,14 @@ description = "An example of Rust OP-TEE TrustZone SDK." edition = "2018" [dependencies] -libc = { path = "../../../rust/libc" } proto = { path = "../proto" } -optee-utee-sys = { path = "../../../optee-utee/optee-utee-sys" } -optee-utee = { path = "../../../optee-utee" } -ring = { git = "https://github.com/veracruz-project/ring.git";, branch = "veracruz", version = "=0.16.11", features = ["std"] } +optee-utee-sys = { path = "../../../optee-utee/optee-utee-sys", default-features = false } +optee-utee = { path = "../../../optee-utee", default-features = false } [build_dependencies] -uuid = { version = "0.8" } +uuid = { version = "1.6.1", default-features = false } proto = { path = "../proto" } [profile.release] lto = true opt-level = 1 - -[patch."https://github.com/veracruz-project/rust-optee-trustzone-sdk.git";] -optee-utee = { path = "../../../optee-utee" } -libc = { path = "../../../rust/libc" } -[patch."https://github.com/veracruz-project/ring.git";] -optee-utee = { path = "../../../optee-utee" } diff --git a/examples/signature_verification-rs/ta/build.rs b/examples/signature_verification-rs/ta/build.rs index 4b4d42d..33f6cc0 100644 --- a/examples/signature_verification-rs/ta/build.rs +++ b/examples/signature_verification-rs/ta/build.rs @@ -47,7 +47,7 @@ fn main() -> std::io::Result<()> { Ok(ref v) if v == "arm" => { File::create(out.join("ta.lds"))?.write_all(include_bytes!("ta_arm.lds"))?; Path::new(&optee_os_dir).join("out/arm/export-ta_arm32/lib") - } + }, _ => { File::create(out.join("ta.lds"))?.write_all(include_bytes!("ta_aarch64.lds"))?; Path::new(&optee_os_dir).join("out/arm/export-ta_arm64/lib") diff --git a/examples/signature_verification-rs/ta/src/main.rs b/examples/signature_verification-rs/ta/src/main.rs index aa89ab3..0f34cc3 100644 --- a/examples/signature_verification-rs/ta/src/main.rs +++ b/examples/signature_verification-rs/ta/src/main.rs @@ -15,17 +15,33 @@ // specific language governing permissions and limitations // under the License. +#![no_std] #![no_main] +#![feature(c_size_t)] -use ring::signature::KeyPair; -use ring::{rand, signature}; +extern crate alloc; +use alloc::vec; use optee_utee::{ ta_close_session, ta_create, ta_destroy, ta_invoke_command, ta_open_session, trace_println, }; +use optee_utee::{AlgorithmId, AttributeId, AttributeMemref, Digest, Asymmetric, OperationMode}; use optee_utee::{Error, ErrorKind, Parameters, Result}; +use optee_utee::{TransientObject, TransientObjectType}; use proto::Command; +pub struct RsaSign { + pub key: TransientObject, +} + +impl Default for RsaSign { + fn default() -> Self { + Self { + key: TransientObject::null_object(), + } + } +} + #[ta_create] fn create() -> Result<()> { trace_println!("[+] TA create"); @@ -48,53 +64,54 @@ fn destroy() { trace_println!("[+] TA destroy"); } -#[ta_invoke_command] -fn invoke_command(cmd_id: u32, params: &mut Parameters) -> Result<()> { - trace_println!("[+] TA invoke command"); - match Command::from(cmd_id) { - Command::Sign => { - return sign(params); - } - Command::Verify => { - return verify(params); - } - _ => Err(Error::new(ErrorKind::BadParameters)), - } -} - fn sign(params: &mut Parameters) -> Result<()> { let mut p0 = unsafe { params.0.as_memref().unwrap() }; let mut p1 = unsafe { params.1.as_memref().unwrap() }; let mut p2 = unsafe { params.2.as_memref().unwrap() }; let message = p0.buffer(); + let mut pub_key_size: usize = 0; trace_println!("[+] message: {:?}", &message); - // Generate a key pair in PKCS#8 (v2) format. - let rng = rand::SystemRandom::new(); - let pkcs8_bytes = match signature::Ed25519KeyPair::generate_pkcs8(&rng) { - Ok(bytes) => bytes, - Err(e) => { - trace_println!("[+] error: {:?}", e); - return Err(Error::new(ErrorKind::Generic)); - } - }; - trace_println!("[+] pkcs8_bytes: {:?}", pkcs8_bytes.as_ref()); + let rsa_key = + TransientObject::allocate(TransientObjectType::RsaKeypair, 2048 as usize).unwrap(); + + rsa_key.generate_key(2048 as usize, &[])?; + + match rsa_key.ref_attribute(AttributeId::RsaModulus, &mut p1.buffer()) { + Ok(len) => Ok(pub_key_size += len), + Err(e) => Err(e), + }?; + + match rsa_key.ref_attribute(AttributeId::RsaPublicExponent, &mut p1.buffer()[pub_key_size..]) { + Ok(len) => Ok(pub_key_size += len), + Err(e) => Err(e), + }?; + + p1.set_updated_size(pub_key_size); + + let mut hash = [0u8; 32]; + let dig = Digest::allocate(AlgorithmId::Sha256).unwrap(); + + dig.do_final(&message, &mut hash)?; - let key_pair = match signature::Ed25519KeyPair::from_pkcs8(pkcs8_bytes.as_ref()) { - Ok(key_pair) => key_pair, + let key_info = rsa_key.info().unwrap(); + let mut signature = p2.buffer(); + + let rsa = Asymmetric::allocate(AlgorithmId::RsassaPkcs1V15Sha256, + OperationMode::Sign, + key_info.object_size()).unwrap(); + + rsa.set_key(&rsa_key)?; + match rsa.sign_digest(&[], &hash, &mut signature) { + Ok(len) => { + trace_println!("[+] signature: {:?}", p2.buffer()); + return Ok(p2.set_updated_size(len as usize)); + } Err(e) => { trace_println!("[+] error: {:?}", e); - return Err(Error::new(ErrorKind::Generic)); + return Err(Error::new(ErrorKind::SignatureInvalid)); } }; - let sig = key_pair.sign(message); - trace_println!("[+] public key: {:?}", key_pair.public_key().as_ref()); - trace_println!("[+] signature: {:?}", sig.as_ref()); - - p1.buffer().clone_from_slice(key_pair.public_key().as_ref()); - p2.buffer().clone_from_slice(sig.as_ref()); - - Ok(()) } fn verify(params: &mut Parameters) -> Result<()> { @@ -103,15 +120,39 @@ fn verify(params: &mut Parameters) -> Result<()> { let mut p2 = unsafe { params.2.as_memref().unwrap() }; let message = p0.buffer(); - let public_key_bytes = p1.buffer(); - let sig = p2.buffer(); + let mut pub_key_mod = vec![0u8; 256]; + let mut pub_key_exp = vec![0u8; p1.buffer().len() - 256]; + let signature = p2.buffer(); + + pub_key_mod.copy_from_slice(&p1.buffer()[..256]); + pub_key_exp.copy_from_slice(&p1.buffer()[256..]); + trace_println!("[+] message: {:?}", &message); - trace_println!("[+] public_key: {:?}", &public_key_bytes); - trace_println!("[+] signature: {:?}", &sig); + trace_println!("[+] public_key_mod: {:?}", &pub_key_mod); + trace_println!("[+] public_key_exp: {:?}", &pub_key_exp); + trace_println!("[+] signature: {:?}", &signature); + + let mut rsa_pub_key = + TransientObject::allocate(TransientObjectType::RsaPublicKey, 2048 as usize).unwrap(); + + let mod_attr = AttributeMemref::from_ref(AttributeId::RsaModulus, &pub_key_mod); + let exp_attr = AttributeMemref::from_ref(AttributeId::RsaPublicExponent, &pub_key_exp); + + rsa_pub_key.populate(&[mod_attr.into(), exp_attr.into()])?; + + let mut hash = [0u8; 32]; + let dig = Digest::allocate(AlgorithmId::Sha256).unwrap(); + + dig.do_final(&message, &mut hash)?; + + let key_info = rsa_pub_key.info().unwrap(); - // Verify the signature of the message using the public key. - let public_key = signature::UnparsedPublicKey::new(&signature::ED25519, public_key_bytes); - match public_key.verify(message, sig) { + let rsa = Asymmetric::allocate(AlgorithmId::RsassaPkcs1V15Sha256, + OperationMode::Verify, + key_info.object_size()).unwrap(); + + rsa.set_key(&rsa_pub_key)?; + match rsa.verify_digest(&[], &hash, &signature) { Ok(_) => { trace_println!("[+] verify ok"); return Ok(()); @@ -123,6 +164,20 @@ fn verify(params: &mut Parameters) -> Result<()> { }; } +#[ta_invoke_command] +fn invoke_command(cmd_id: u32, params: &mut Parameters) -> Result<()> { + trace_println!("[+] TA invoke command"); + match Command::from(cmd_id) { + Command::Sign => { + return sign(params); + } + Command::Verify => { + return verify(params); + } + _ => Err(Error::new(ErrorKind::BadParameters)), + } +} + // TA configurations const TA_FLAGS: u32 = 0; const TA_DATA_SIZE: u32 = 4 * 1024 * 1024; diff --git a/examples/signature_verification-rs/ta/ta_static.rs b/examples/signature_verification-rs/ta/ta_static.rs index b31f8c3..53ca210 100644 --- a/examples/signature_verification-rs/ta/ta_static.rs +++ b/examples/signature_verification-rs/ta/ta_static.rs @@ -15,8 +15,12 @@ // specific language governing permissions and limitations // under the License. +use core::ffi::*; +use core::mem; +use core::primitive::u64; + #[no_mangle] -pub static mut trace_level: libc::c_int = TRACE_LEVEL; +pub static mut trace_level: c_int = TRACE_LEVEL; #[no_mangle] pub static trace_ext_prefix: &[u8] = TRACE_EXT_PREFIX; @@ -27,7 +31,7 @@ pub static ta_head: optee_utee_sys::ta_head = optee_utee_sys::ta_head { uuid: TA_UUID, stack_size: TA_STACK_SIZE + TA_FRAMEWORK_STACK_SIZE, flags: TA_FLAGS, - depr_entry: std::u64::MAX, + depr_entry: u64::MAX, }; #[no_mangle] @@ -35,13 +39,13 @@ pub static ta_head: optee_utee_sys::ta_head = optee_utee_sys::ta_head { pub static ta_heap: [u8; TA_DATA_SIZE as usize] = [0; TA_DATA_SIZE as usize]; #[no_mangle] -pub static ta_heap_size: libc::size_t = std::mem::size_of::<u8>() * TA_DATA_SIZE as usize; +pub static ta_heap_size: c_size_t = mem::size_of::<u8>() * TA_DATA_SIZE as usize; static FLAG_BOOL: bool = (TA_FLAGS & optee_utee_sys::TA_FLAG_SINGLE_INSTANCE) != 0; static FLAG_MULTI: bool = (TA_FLAGS & optee_utee_sys::TA_FLAG_MULTI_SESSION) != 0; static FLAG_INSTANCE: bool = (TA_FLAGS & optee_utee_sys::TA_FLAG_INSTANCE_KEEP_ALIVE) != 0; #[no_mangle] -pub static ta_num_props: libc::size_t = 9; +pub static ta_num_props: c_size_t = 9; #[no_mangle] pub static ta_props: [optee_utee_sys::user_ta_property; 9] = [ @@ -93,6 +97,6 @@ pub static ta_props: [optee_utee_sys::user_ta_property; 9] = [ ]; #[no_mangle] -pub unsafe extern "C" fn tahead_get_trace_level() -> libc::c_int { +pub unsafe extern "C" fn tahead_get_trace_level() -> c_int { return trace_level; } --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
