1 /*
2 * Copyright (c) 2020 HiSilicon (Shanghai) Technologies CO., LIMITED.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #ifdef CONFIG_TEE_HUKS_DEMO_SUPPORT
17
18 #include "stdio.h"
19 #include "stdlib.h"
20 #include <hi_at.h>
21 #include "hks_client.h"
22 #include "hks_types.h"
23 #include "hks_errno.h"
24 #include <hi_mem.h>
25 #include <hi_stdlib.h>
26 #include "hi_flash.h"
27 #include "hi3861_platform_base.h"
28 #include "hi_partition_table.h"
29 #include "hi_nv.h"
30 #include "hi_efuse.h"
31 #include "hi_time.h"
32 #include "hi_wifi_api.h"
33
34 #define FLASH_BASE_ADDR 0x400000
35
36 #define CERT_STORE_START_ADDR 0
37 #define CERT_TOTAL_LEN (1024*12)
38 #define MAX_CERT_KEY_CNT 100
39 #define CERT_KEY_START_FLAG 0xDEADBEEF
40
41 #define KEY_STORE_START_ADDR (1024 * 12)
42 #define KEY_LEN 512
43 #define MAX_KEY_CNT 8
44 #define KEY_DATA_MAX_LEN 380
45 #define KYY_PARAM_MAX_LEN 128
46 #define LEN_BYTE 4
47 #define CIPHER_PLAIN_LEN_MIN_DIFF 16
48
49 #define USR_DATA_START_ADDR (1024 * 16)
50 #define USR_DATA_LEN (1024 * 4)
51
app_hks_get_cert_bin_start_store_addr(hi_u32 * addr,hi_u32 * size)52 hi_void app_hks_get_cert_bin_start_store_addr(hi_u32 *addr, hi_u32 *size)
53 {
54 hi_u32 usr_partion_addr;
55 hi_u32 usr_partion_size;
56 hi_get_usr_partition_table(&usr_partion_addr, &usr_partion_size);
57
58 *addr = usr_partion_addr + CERT_STORE_START_ADDR;
59 *size = CERT_TOTAL_LEN;
60 }
61
get_cert_text_addr(hi_u32 start_addr,hi_u32 * len_array,hi_u32 cert_index)62 hi_u32 get_cert_text_addr(hi_u32 start_addr, hi_u32 *len_array, hi_u32 cert_index)
63 {
64 int before_total_len = 0;
65 for (hi_u32 i = 0; i < cert_index; i++) {
66 before_total_len += len_array[i];
67 }
68
69 return (start_addr + before_total_len);
70 }
71
app_hks_get_cert_store_addr(hi_u32 * addr,hi_u32 * size,hi_u32 cert_index)72 hi_u32 app_hks_get_cert_store_addr(hi_u32 *addr, hi_u32 *size, hi_u32 cert_index)
73 {
74 if (addr == HI_NULL || size == HI_NULL) {
75 return HI_ERR_FAILURE;
76 }
77 hi_u32 usr_partion_addr;
78 hi_u32 usr_partion_size;
79 hi_get_usr_partition_table(&usr_partion_addr, &usr_partion_size);
80
81 hi_u32 cert_key_start_addr = 0;
82 hi_u32 cert_bin_max_len = 0;
83 app_hks_get_cert_bin_start_store_addr(&cert_key_start_addr, &cert_bin_max_len);
84
85 hi_u32 start_flag = *((hi_u32 *)(HI_FLASH_BASE + cert_key_start_addr));
86 if (start_flag != CERT_KEY_START_FLAG) {
87 hi_at_printf("invalid cert:0x%x\r\n", start_flag);
88 return HI_ERR_FAILURE;
89 }
90
91 hi_u32 cert_key_cnt = *((hi_u32 *)(HI_FLASH_BASE + cert_key_start_addr + 0x4));
92 if (cert_index >= cert_key_cnt || cert_key_cnt > MAX_CERT_KEY_CNT) {
93 hi_at_printf("invalid cert index or cert_key_cnt\r\n");
94 return HI_ERR_FAILURE;
95 }
96
97 hi_u32 *cert_len_array = (hi_u32 *)malloc(cert_key_cnt * sizeof(hi_u32));
98 if (cert_len_array == HI_NULL) {
99 return HI_ERR_FAILURE;
100 }
101 for (hi_u32 i = 0; i < cert_key_cnt; i++) {
102 cert_len_array[i] = *((hi_u32 *)(HI_FLASH_BASE + cert_key_start_addr + 0x8 + i * 0x4));
103 }
104
105 hi_u32 cert_key_plain_size = cert_len_array[cert_index];
106 hi_u32 cert_key_plain_addr = get_cert_text_addr(cert_key_start_addr + 0x8 + cert_key_cnt * 0x4,
107 &cert_len_array[0], cert_index);
108 if (cert_key_plain_addr + cert_key_plain_size > cert_key_start_addr + cert_bin_max_len) {
109 hi_at_printf("cert size invalid:%d\r\n", cert_index);
110 free(cert_len_array);
111 return HI_ERR_FAILURE;
112 }
113
114 *addr = cert_key_plain_addr;
115 *size = cert_key_plain_size;
116
117 free(cert_len_array);
118 return HI_ERR_SUCCESS;
119 }
120
app_hks_get_key_store_addr(hi_u32 * addr,hi_u32 * size,hi_u32 key_index)121 hi_u32 app_hks_get_key_store_addr(hi_u32 *addr, hi_u32 *size, hi_u32 key_index)
122 {
123 if (addr == HI_NULL || size == HI_NULL) {
124 return HI_ERR_FAILURE;
125 }
126 hi_u32 usr_partion_addr;
127 hi_u32 usr_partion_size;
128 hi_get_usr_partition_table(&usr_partion_addr, &usr_partion_size);
129 if (key_index >= MAX_KEY_CNT) {
130 return HI_ERR_FAILURE;
131 }
132
133 *addr = usr_partion_addr + KEY_STORE_START_ADDR + key_index * KEY_LEN;
134 *size = KEY_LEN;
135
136 return HI_ERR_SUCCESS;
137 }
138
app_hks_get_usr_data_store_addr(hi_u32 * addr,hi_u32 * size)139 hi_u32 app_hks_get_usr_data_store_addr(hi_u32 *addr, hi_u32 *size)
140 {
141 if (addr == HI_NULL || size == HI_NULL) {
142 return HI_ERR_FAILURE;
143 }
144
145 hi_u32 usr_partion_addr;
146 hi_u32 usr_partion_size;
147 hi_get_usr_partition_table(&usr_partion_addr, &usr_partion_size);
148
149 *addr = usr_partion_addr + USR_DATA_START_ADDR;
150 *size = USR_DATA_LEN;
151
152 return HI_ERR_SUCCESS;
153 }
154
155 #define ENC_PARAM_NONCE_LEN 16
156 #define ENC_PARAM_AAD_LEN 12
157
158 typedef struct encrypt_param_ {
159 hi_u16 nonce_size;
160 hi_u16 aad_size;
161 hi_u8 nonce[ENC_PARAM_NONCE_LEN];
162 hi_u8 aad[ENC_PARAM_AAD_LEN];
163 } encrypt_param;
164
hks_set_blob(hi_u8 type,hi_u32 size,hi_char * data,struct hks_blob * hks_blob_param)165 hi_u32 hks_set_blob(hi_u8 type, hi_u32 size, hi_char *data, struct hks_blob *hks_blob_param)
166 {
167 hi_u32 ret = HI_ERR_SUCCESS;
168
169 hks_blob_param->type = type;
170 hks_blob_param->size = size;
171
172 if (hks_blob_param->data != HI_NULL) {
173 /* free mem before malloc again */
174 free(hks_blob_param->data);
175 hks_blob_param->data = HI_NULL;
176 }
177
178 hks_blob_param->data = malloc(hks_blob_param->size + 1);
179 if (hks_blob_param->data == HI_NULL) {
180 printf("blob malloc fail\r\n");
181 return HI_ERR_FAILURE;
182 }
183
184 if (data != HI_NULL && hks_blob_param->size != 0) {
185 ret = memcpy_s(hks_blob_param->data, hks_blob_param->size, data, size);
186 if (ret != HI_ERR_SUCCESS) {
187 free(hks_blob_param->data);
188 hks_blob_param->data = HI_NULL;
189 }
190 }
191
192 return ret;
193 }
194
hks_get_key_data(hi_u32 flash_addr,struct hks_blob * blob_key_data)195 hi_void hks_get_key_data(hi_u32 flash_addr, struct hks_blob *blob_key_data)
196 {
197 blob_key_data->type = HKS_BLOB_TYPE_ENCRYPTED_KEY;
198 blob_key_data->data = (hi_u8*)(FLASH_BASE_ADDR + flash_addr + KYY_PARAM_MAX_LEN + LEN_BYTE);
199 blob_key_data->size = *((hi_u32 *)(FLASH_BASE_ADDR + flash_addr + KYY_PARAM_MAX_LEN));
200 }
201
hks_get_enc_param(hi_u32 flash_addr,encrypt_param * enc_param,struct hks_crypt_param * hks_encry_param)202 hi_u32 hks_get_enc_param(hi_u32 flash_addr, encrypt_param *enc_param, struct hks_crypt_param *hks_encry_param)
203 {
204 hi_u32 ret;
205
206 ret = hi_flash_read(flash_addr, sizeof(encrypt_param), (hi_u8 *)enc_param);
207 if (ret != HI_ERR_SUCCESS) {
208 return ret;
209 }
210
211 hks_encry_param->nonce.data = enc_param->nonce;
212 hks_encry_param->nonce.size = enc_param->nonce_size;
213 hks_encry_param->aad.data = enc_param->aad;
214 hks_encry_param->aad.size = enc_param->aad_size;
215
216 return ret;
217 }
218
219 #define CONN_DATA_KEY_LEN 64
220 #define CONN_DATA_CIPHER_DATA_MAX_LEN 220
221 #define CONN_DATA_ENC_PARAM_NONCE_SIZE 13
222
223 typedef struct encrypt_data_ {
224 hi_u32 cipher_data_size;
225 hi_u8 cipher_data[CONN_DATA_CIPHER_DATA_MAX_LEN];
226 } encrypt_cipher_data;
227
hks_set_conn_key_param(hi_u32 key_usage,struct hks_key_param * key_param)228 hi_u32 hks_set_conn_key_param(hi_u32 key_usage, struct hks_key_param *key_param)
229 {
230 key_param->key_type = HKS_KEY_TYPE_AES;
231 key_param->key_len = HKS_MAX_KEY_LEN_128;
232 key_param->key_usage = key_usage;
233 key_param->key_pad = 1;
234 key_param->key_mode = HKS_ALG_GCM;
235 key_param->key_domain = 0;
236 key_param->key_role = 0;
237
238 key_param->key_auth_id.type = 0;
239 key_param->key_auth_id.size = 0;
240
241 if (key_param->key_auth_id.data != HI_NULL) {
242 /* free mem before malloc again */
243 free(key_param->key_auth_id.data);
244 key_param->key_auth_id.data = HI_NULL;
245 }
246
247 return HI_ERR_SUCCESS;
248 }
249
hks_encrypt_conn_para(struct hks_crypt_param * crypt_param_conn,struct hks_blob * plain_text,struct hks_blob * cipher_text)250 hi_u32 hks_encrypt_conn_para(struct hks_crypt_param *crypt_param_conn, struct hks_blob *plain_text,
251 struct hks_blob *cipher_text)
252 {
253 hi_u32 ret;
254
255 hi_u32 key_save_partition_addr = 0;
256 hi_u32 key_save_partition_size = 0;
257 ret = app_hks_get_key_store_addr(&key_save_partition_addr, &key_save_partition_size, 0);
258 if (ret != HI_ERR_SUCCESS) {
259 return ret;
260 }
261
262 /* get key param */
263 struct hks_key_param key_param = {0};
264 ret = hi_flash_read(key_save_partition_addr, sizeof(key_param), (hi_u8 *)&key_param);
265 if (ret != HI_ERR_SUCCESS) {
266 return ret;
267 }
268 key_param.key_usage = HKS_KEY_USAGE_ENCRYPT;
269
270 /* get key data */
271 struct hks_blob key_data_blob = {0};
272 hi_u32 key_size = 0;
273 ret = hi_flash_read(key_save_partition_addr + KYY_PARAM_MAX_LEN, LEN_BYTE, (hi_u8 *)&key_size);
274 if (ret != HI_ERR_SUCCESS) {
275 return ret;
276 }
277 hi_u8 key_data[KEY_DATA_MAX_LEN] = {0}; /* The data on the flash memory cannot be directly used here. */
278 ret = hi_flash_read(key_save_partition_addr + KYY_PARAM_MAX_LEN + LEN_BYTE, key_size, &key_data[0]);
279 if (ret != HI_ERR_SUCCESS) {
280 return ret;
281 }
282 key_data_blob.type = HKS_BLOB_TYPE_ENCRYPTED_KEY;
283 key_data_blob.data = &key_data[0];
284 key_data_blob.size = key_size;
285
286 /* encrypt */
287 ret = hks_symmetric_encrypt(&key_data_blob, &key_param, crypt_param_conn, plain_text, cipher_text);
288 if (ret != HI_ERR_SUCCESS) {
289 printf("hks_symmetric_encrypt ret = %d\n", ret);
290 return ret;
291 }
292
293 return ret;
294 }
295
hks_create_conn_enc_param(encrypt_param * enc_param,struct hks_crypt_param * blob_enc_param)296 hi_void hks_create_conn_enc_param(encrypt_param *enc_param, struct hks_crypt_param *blob_enc_param)
297 {
298 hi_char nonce_data[CONN_DATA_ENC_PARAM_NONCE_SIZE] = "1234";
299 hi_char* aad_data = "a";
300 memcpy_s(enc_param->nonce, sizeof(enc_param->nonce), nonce_data, sizeof(nonce_data));
301 enc_param->nonce_size = sizeof(nonce_data);
302 memcpy_s(enc_param->aad, sizeof(enc_param->aad), aad_data, strlen(aad_data));
303 enc_param->aad_size = strlen(aad_data);
304 blob_enc_param->nonce.data = enc_param->nonce;
305 blob_enc_param->nonce.size = enc_param->nonce_size;
306 blob_enc_param->aad.data = enc_param->aad;
307 blob_enc_param->aad.size = enc_param->aad_size;
308 }
309
310
hks_get_conn_cipher_data(hi_u32 flash_addr,struct hks_blob * blob_cipher_data)311 hi_void hks_get_conn_cipher_data(hi_u32 flash_addr, struct hks_blob *blob_cipher_data)
312 {
313 hi_u32 cipher_data_size = *((hi_u32*)(FLASH_BASE_ADDR + flash_addr + sizeof(encrypt_param)));
314 hi_u8 *cipher_data = (hi_u8*)(FLASH_BASE_ADDR + flash_addr + sizeof(encrypt_param) + LEN_BYTE);
315 blob_cipher_data->data = cipher_data;
316 blob_cipher_data->size = cipher_data_size;
317 }
318
app_hks_generate_conn_key(void)319 hi_u32 app_hks_generate_conn_key(void)
320 {
321 hi_u32 ret;
322 hi_u8 *flash_write_buffer = HI_NULL;
323
324 hi_u32 key_save_partition_addr = 0;
325 hi_u32 key_save_partition_size = 0;
326 struct hks_key_param conn_key_param = {0};
327 struct hks_blob blob_key = {0};
328
329 ret = app_hks_get_key_store_addr(&key_save_partition_addr, &key_save_partition_size, 0);
330 if (ret != HI_ERR_SUCCESS) {
331 return ret;
332 }
333
334 /* set key param */
335 ret = hks_set_conn_key_param(HKS_KEY_USAGE_ENCRYPT, &conn_key_param);
336 if (ret != HI_ERR_SUCCESS) {
337 printf("hks_set_key_param fail!\r\n");
338 return ret;
339 }
340
341 /* set key blob */
342 ret = hks_set_blob(HKS_BLOB_TYPE_BUFFER, CONN_DATA_KEY_LEN, "123", &blob_key);
343 if (ret != HI_ERR_SUCCESS) {
344 printf("hks_set_blob fail!\r\n");
345 return ret;
346 }
347
348 /* generate key */
349 ret = hks_generate_symmetric_key(&blob_key, &conn_key_param);
350 if (ret != HI_ERR_SUCCESS) {
351 free(blob_key.data);
352 printf("hks_generate_symmetric_key ret = %d\n", ret);
353 return ret;
354 }
355
356 /* save key param */
357 ret = hi_flash_write(key_save_partition_addr, sizeof(conn_key_param), (const hi_u8*)&conn_key_param, HI_TRUE);
358 if (ret != HI_ERR_SUCCESS) {
359 free(blob_key.data);
360 printf("save key param fail, ret:0x%x\r\n", ret);
361 return ret;
362 }
363
364 /* save key data */
365 flash_write_buffer = malloc(blob_key.size + sizeof(uint32_t));
366 if (flash_write_buffer == HI_NULL) {
367 free(blob_key.data);
368 return HI_ERR_FAILURE;
369 }
370
371 ret = memcpy_s(flash_write_buffer, sizeof(uint32_t), &(blob_key.size), sizeof(uint32_t));
372 ret |= memcpy_s(flash_write_buffer + sizeof(uint32_t), key_save_partition_size, blob_key.data, blob_key.size);
373 ret |= hi_flash_write(key_save_partition_addr + KYY_PARAM_MAX_LEN, blob_key.size + sizeof(uint32_t),
374 flash_write_buffer, HI_TRUE);
375 free(flash_write_buffer);
376 free(blob_key.data);
377
378 if (ret != HI_ERR_SUCCESS) {
379 printf("save key data fail, ret:0x%x\r\n", ret);
380 }
381
382 return ret;
383 }
384
app_hks_encrypt_conn_para(hi_wifi_assoc_request * req)385 hi_u32 app_hks_encrypt_conn_para(hi_wifi_assoc_request *req)
386 {
387 hi_u32 ret;
388 struct hks_crypt_param blob_crypt_param_conn = {0};
389 struct hks_blob blob_plain_text = {0};
390 struct hks_blob blob_cipher_text_with_tag = {0};
391
392 hi_u32 encrpt_param_data_save_partition_addr = 0;
393 hi_u32 encrpt_param_data_save_partition_size = 0;
394 ret = app_hks_get_usr_data_store_addr(&encrpt_param_data_save_partition_addr,
395 &encrpt_param_data_save_partition_size);
396 if (ret != HI_ERR_SUCCESS) {
397 return ret;
398 }
399
400 /* get plain connect data */
401 blob_plain_text.data = (hi_u8 *)req;
402 blob_plain_text.size = sizeof(hi_wifi_assoc_request);
403
404 /* create enc param */
405 encrypt_param enc_param = {0};
406 hks_create_conn_enc_param(&enc_param, &blob_crypt_param_conn);
407
408 /* create cipher blob */
409 ret = hks_set_blob(0, sizeof(hi_wifi_assoc_request) + CIPHER_PLAIN_LEN_MIN_DIFF, "1234",
410 &blob_cipher_text_with_tag);
411 if (ret != HI_ERR_SUCCESS) {
412 printf("set_value_of_hks_blob fail!\r\n");
413 return ret;
414 }
415
416 /* start encrypt */
417 ret = hks_encrypt_conn_para(&blob_crypt_param_conn, &blob_plain_text, &blob_cipher_text_with_tag);
418 if (ret != HI_ERR_SUCCESS) {
419 free(blob_cipher_text_with_tag.data);
420 printf("hks_encrypt conn para fail!\r\n");
421 return HI_ERR_FAILURE;
422 }
423
424 if (blob_cipher_text_with_tag.size > (sizeof(encrypt_cipher_data) - sizeof(hi_u32))) {
425 free(blob_cipher_text_with_tag.data);
426 printf("cipher text too long\r\n");
427 return HI_ERR_FAILURE;
428 }
429
430 /* save enc param and cipher conn data */
431 ret = hi_flash_write(encrpt_param_data_save_partition_addr, sizeof(enc_param), (const hi_u8*)&enc_param, HI_TRUE);
432
433 encrypt_cipher_data enc_data = {0};
434 enc_data.cipher_data_size = blob_cipher_text_with_tag.size;
435 ret |= memcpy_s(enc_data.cipher_data, sizeof(enc_data.cipher_data), blob_cipher_text_with_tag.data,
436 blob_cipher_text_with_tag.size);
437 ret |= hi_flash_write(encrpt_param_data_save_partition_addr + sizeof(encrypt_param),
438 sizeof(hi_u32) + blob_cipher_text_with_tag.size, (const hi_u8*)&enc_data, HI_TRUE);
439
440 free(blob_cipher_text_with_tag.data);
441
442 return ret;
443 }
444
app_hks_decrypt_conn_param(hi_wifi_assoc_request * req)445 hi_u32 app_hks_decrypt_conn_param(hi_wifi_assoc_request *req)
446 {
447 if (req == HI_NULL) {
448 return HI_ERR_FAILURE;
449 }
450
451 hi_u32 ret;
452 hi_u32 key_save_partition_addr = 0;
453 hi_u32 key_save_partition_size = 0;
454 ret = app_hks_get_key_store_addr(&key_save_partition_addr, &key_save_partition_size, 0);
455 if (ret != HI_ERR_SUCCESS) {
456 return ret;
457 }
458
459 /* get key param */
460 struct hks_key_param key_param = {0};
461 ret = hi_flash_read(key_save_partition_addr, sizeof(key_param), (hi_u8 *)&key_param);
462 if (ret != HI_ERR_SUCCESS) {
463 return ret;
464 }
465 key_param.key_usage = HKS_KEY_USAGE_DECRYPT;
466
467 /* get key data */
468 struct hks_blob key_data_blob = {0};
469 hks_get_key_data(key_save_partition_addr, &key_data_blob);
470
471 hi_u32 cipher_data_save_addr = 0;
472 hi_u32 cipher_data_partition_size = 0;
473 ret = app_hks_get_usr_data_store_addr(&cipher_data_save_addr, &cipher_data_partition_size);
474 if (ret != HI_ERR_SUCCESS) {
475 return ret;
476 }
477
478 /* get enc param */
479 encrypt_param enc_param = {0};
480 struct hks_crypt_param hks_encry_param = {0};
481 ret = hks_get_enc_param(cipher_data_save_addr, &enc_param, &hks_encry_param);
482 if (ret != HI_ERR_SUCCESS) {
483 return ret;
484 }
485
486 /* get cipher data */
487 struct hks_blob cipher_text_blob = {0};
488 hks_get_conn_cipher_data(cipher_data_save_addr, &cipher_text_blob);
489
490 /* start decrypt */
491 struct hks_blob plain_text_blob = {0};
492 plain_text_blob.size = cipher_text_blob.size - CIPHER_PLAIN_LEN_MIN_DIFF;
493 plain_text_blob.data = (hi_u8 *)req;
494
495 ret = hks_symmetric_decrypt(&key_data_blob, &key_param, &hks_encry_param, &plain_text_blob, &cipher_text_blob);
496 if (ret != HI_ERR_SUCCESS) {
497 printf("hks_symmetric_decrypt ret = %d\r\n", ret);
498 return ret;
499 }
500
501 return ret;
502 }
503
504 #define CERT_KEY_LEN 64
505 #define CERT_ENC_PARAM_NONCE_SIZE 13
506
hks_set_cert_key_param(hi_u32 key_usage,struct hks_key_param * key_param)507 hi_u32 hks_set_cert_key_param(hi_u32 key_usage, struct hks_key_param *key_param)
508 {
509 key_param->key_type = HKS_KEY_TYPE_AES;
510 key_param->key_len = HKS_MAX_KEY_LEN_128;
511 key_param->key_usage = key_usage;
512 key_param->key_pad = 1;
513 key_param->key_mode = HKS_ALG_GCM;
514 key_param->key_domain = 0;
515 key_param->key_role = 0;
516
517 key_param->key_auth_id.type = 0;
518 key_param->key_auth_id.size = 0;
519
520 if (key_param->key_auth_id.data != HI_NULL) {
521 free(key_param->key_auth_id.data);
522 key_param->key_auth_id.data = HI_NULL;
523 }
524
525 return HI_ERR_SUCCESS;
526 }
527
hks_encrypt_cert(struct hks_crypt_param * crypt_param_conn,struct hks_blob * plain_text,struct hks_blob * cipher_text)528 hi_u32 hks_encrypt_cert(struct hks_crypt_param *crypt_param_conn, struct hks_blob *plain_text,
529 struct hks_blob *cipher_text)
530 {
531 hi_u32 ret;
532
533 hi_u32 key_save_partition_addr = 0;
534 hi_u32 key_save_partition_size = 0;
535 ret = app_hks_get_key_store_addr(&key_save_partition_addr, &key_save_partition_size, 1);
536 if (ret != HI_ERR_SUCCESS) {
537 return ret;
538 }
539
540 /* get key param */
541 struct hks_key_param key_param = {0};
542 ret = hi_flash_read(key_save_partition_addr, sizeof(key_param), (hi_u8 *)&key_param);
543 if (ret != HI_ERR_SUCCESS) {
544 return ret;
545 }
546 key_param.key_usage = HKS_KEY_USAGE_ENCRYPT;
547
548 /* get key data */
549 struct hks_blob key_data_blob = {0};
550 hi_u32 key_size = 0;
551 hi_flash_read(key_save_partition_addr + KYY_PARAM_MAX_LEN, LEN_BYTE, (hi_u8 *)&key_size);
552 hi_u8 key_data[KEY_DATA_MAX_LEN] = {0}; /* 此处不能直接使用flash上数据 */
553 ret = hi_flash_read(key_save_partition_addr + KYY_PARAM_MAX_LEN + LEN_BYTE, key_size, &key_data[0]);
554 if (ret != HI_ERR_SUCCESS) {
555 return ret;
556 }
557 key_data_blob.type = HKS_BLOB_TYPE_ENCRYPTED_KEY;
558 key_data_blob.data = &key_data[0];
559 key_data_blob.size = key_size;
560
561 /* encrypt */
562 ret = hks_symmetric_encrypt(&key_data_blob, &key_param, crypt_param_conn, plain_text, cipher_text);
563 if (ret != HI_ERR_SUCCESS) {
564 hi_at_printf("hks_symmetric_encrypt ret = %d\n", ret);
565 return ret;
566 }
567
568 return ret;
569 }
570
hks_create_cert_enc_param(encrypt_param * enc_param,struct hks_crypt_param * blob_enc_param)571 hi_void hks_create_cert_enc_param(encrypt_param *enc_param, struct hks_crypt_param *blob_enc_param)
572 {
573 hi_char nonce_data[CONN_DATA_ENC_PARAM_NONCE_SIZE] = "1234";
574 hi_char* aad_data = "a";
575 memcpy_s(enc_param->nonce, sizeof(enc_param->nonce), nonce_data, sizeof(nonce_data));
576 enc_param->nonce_size = sizeof(nonce_data);
577 memcpy_s(enc_param->aad, sizeof(enc_param->aad), aad_data, strlen(aad_data));
578 enc_param->aad_size = strlen(aad_data);
579 blob_enc_param->nonce.data = enc_param->nonce;
580 blob_enc_param->nonce.size = enc_param->nonce_size;
581 blob_enc_param->aad.data = enc_param->aad;
582 blob_enc_param->aad.size = enc_param->aad_size;
583 }
584
hks_get_cert_cipher_data(hi_u32 flash_addr,struct hks_blob * blob_cipher_data,hi_u32 cipher_data_size)585 hi_void hks_get_cert_cipher_data(hi_u32 flash_addr, struct hks_blob *blob_cipher_data, hi_u32 cipher_data_size)
586 {
587 hi_u8 *cipher_data = (hi_u8*)(FLASH_BASE_ADDR + flash_addr + sizeof(encrypt_param));
588 blob_cipher_data->data = cipher_data;
589 blob_cipher_data->size = cipher_data_size - sizeof(encrypt_param);
590 }
591
hks_encrypt_cert_get_cipher(struct hks_crypt_param * param,struct hks_blob * plain_blob,struct hks_blob * cipher_blob,hi_u32 cert_index)592 hi_u32 hks_encrypt_cert_get_cipher(struct hks_crypt_param *param, struct hks_blob *plain_blob,
593 struct hks_blob *cipher_blob, hi_u32 cert_index)
594 {
595 hi_u32 ret;
596 /* create cipher blob */
597 ret = hks_set_blob(0, plain_blob->size + CIPHER_PLAIN_LEN_MIN_DIFF, "1234", cipher_blob);
598 if (ret != HI_ERR_SUCCESS) {
599 hi_at_printf("cipher set blob fail:%d\r\n", cert_index);
600 return ret;
601 }
602
603 /* start encrypt */
604 ret = hks_encrypt_cert(param, plain_blob, cipher_blob);
605 if (ret != HI_ERR_SUCCESS) {
606 free(cipher_blob->data);
607 cipher_blob->data = HI_NULL;
608 hi_at_printf("encrypt cert fail:%d\r\n", cert_index);
609 return ret;
610 }
611
612 return HI_ERR_SUCCESS;
613 }
614
free_ciphert_text_blob(struct hks_blob * blob_cipher_text_cert1,struct hks_blob * blob_cipher_text_cert2,struct hks_blob * blob_cipher_text_key3)615 hi_void free_ciphert_text_blob(struct hks_blob *blob_cipher_text_cert1, struct hks_blob *blob_cipher_text_cert2,
616 struct hks_blob *blob_cipher_text_key3)
617 {
618 if (blob_cipher_text_cert1->data != HI_NULL) {
619 free(blob_cipher_text_cert1->data);
620 blob_cipher_text_cert1->data = HI_NULL;
621 }
622 if (blob_cipher_text_cert2->data != HI_NULL) {
623 free(blob_cipher_text_cert2->data);
624 blob_cipher_text_cert2->data = HI_NULL;
625 }
626 if (blob_cipher_text_key3->data != HI_NULL) {
627 free(blob_cipher_text_key3->data);
628 blob_cipher_text_key3->data = HI_NULL;
629 }
630 }
631
write_cert_text_to_flash(hi_u32 base_addr,encrypt_param * param,struct hks_blob * cipher_blob,hi_u32 * size_array,hi_u32 cert_index)632 hi_u32 write_cert_text_to_flash(hi_u32 base_addr, encrypt_param *param, struct hks_blob *cipher_blob,
633 hi_u32 *size_array, hi_u32 cert_index)
634 {
635 hi_u32 ret = HI_ERR_SUCCESS;
636
637 hi_u32 cert_write_addr = base_addr;
638 if (cert_index != 0) {
639 int before_total_len = 0;
640 for (hi_u32 i = 0; i < cert_index; i++) {
641 before_total_len += size_array[i];
642 }
643 cert_write_addr += before_total_len;
644 }
645
646 ret |= hi_flash_write(cert_write_addr, sizeof(encrypt_param), (const hi_u8 *)param, HI_TRUE);
647 ret |= hi_flash_write(cert_write_addr + sizeof(encrypt_param), cipher_blob->size, cipher_blob->data, HI_TRUE);
648
649 return ret;
650 }
651
hks_encrypt_init_plain_blob(struct hks_blob * plain1,struct hks_blob * plain2,struct hks_blob * plain3)652 hi_u32 hks_encrypt_init_plain_blob(struct hks_blob *plain1, struct hks_blob *plain2, struct hks_blob *plain3)
653 {
654 hi_u32 ret;
655 /* get plain cert store addr */
656 hi_u32 cert1_partition_addr, cert1_partition_size, cert2_partition_addr, cert2_partition_size;
657 hi_u32 key3_partition_addr, key3_partition_size;
658 ret = app_hks_get_cert_store_addr(&cert1_partition_addr, &cert1_partition_size, 0x0);
659 ret |= app_hks_get_cert_store_addr(&cert2_partition_addr, &cert2_partition_size, 0x1);
660 ret |= app_hks_get_cert_store_addr(&key3_partition_addr, &key3_partition_size, 0x2);
661 if (ret != HI_ERR_SUCCESS) {
662 return ret;
663 }
664
665 /* get plain cert */
666 hi_u32 cert1_plain_addr = FLASH_BASE_ADDR + cert1_partition_addr;
667 hi_u32 cert2_plain_addr = FLASH_BASE_ADDR + cert2_partition_addr;
668 hi_u32 key3_plain_addr = FLASH_BASE_ADDR + key3_partition_addr;
669
670 plain1->data = (hi_u8 *)cert1_plain_addr;
671 plain1->size = cert1_partition_size;
672 plain2->data = (hi_u8 *)cert2_plain_addr;
673 plain2->size = cert2_partition_size;
674 plain3->data = (hi_u8 *)key3_plain_addr;
675 plain3->size = key3_partition_size;
676
677 return HI_ERR_SUCCESS;
678 }
679
app_hks_generate_cert_key(void)680 hi_u32 app_hks_generate_cert_key(void)
681 {
682 hi_u32 ret;
683 hi_u8 *flash_write_buffer = HI_NULL;
684
685 struct hks_key_param conn_key_param = {0};
686 struct hks_blob blob_key = {0};
687
688 hi_u32 key_save_partition_addr = 0;
689 hi_u32 key_save_partition_size = 0;
690 ret = app_hks_get_key_store_addr(&key_save_partition_addr, &key_save_partition_size, 1);
691 if (ret != HI_ERR_SUCCESS) {
692 return ret;
693 }
694
695 /* set key param */
696 ret = hks_set_cert_key_param(HKS_KEY_USAGE_ENCRYPT, &conn_key_param);
697 if (ret != HI_ERR_SUCCESS) {
698 printf("hks_set_key_param fail!\r\n");
699 return ret;
700 }
701
702 /* set key blob */
703 ret = hks_set_blob(HKS_BLOB_TYPE_BUFFER, CERT_KEY_LEN, "123", &blob_key);
704 if (ret != HI_ERR_SUCCESS) {
705 printf("hks_set_blob fail!\r\n");
706 return ret;
707 }
708
709 /* generate key */
710 ret = hks_generate_symmetric_key(&blob_key, &conn_key_param);
711 if (ret != HI_ERR_SUCCESS) {
712 free(blob_key.data);
713 printf("hks_generate_symmetric_key ret = %d\n", ret);
714 return ret;
715 }
716
717 /* save key param */
718 ret = hi_flash_write(key_save_partition_addr, sizeof(conn_key_param), (const hi_u8*)&conn_key_param, HI_TRUE);
719 if (ret != HI_ERR_SUCCESS) {
720 free(blob_key.data);
721 printf("save key param fail, ret:0x%x\r\n", ret);
722 return ret;
723 }
724
725 /* save key data */
726 flash_write_buffer = malloc(blob_key.size + sizeof(uint32_t));
727 if (flash_write_buffer == HI_NULL) {
728 free(blob_key.data);
729 return HI_ERR_FAILURE;
730 }
731 memcpy_s(flash_write_buffer, sizeof(uint32_t), &(blob_key.size), sizeof(uint32_t));
732 memcpy_s(flash_write_buffer + sizeof(uint32_t), key_save_partition_size, blob_key.data, blob_key.size);
733 ret = hi_flash_write(key_save_partition_addr + KYY_PARAM_MAX_LEN, blob_key.size + sizeof(uint32_t),
734 flash_write_buffer, HI_TRUE);
735 free(flash_write_buffer);
736 free(blob_key.data);
737 if (ret != HI_ERR_SUCCESS) {
738 printf("save key data fail, ret:0x%x\r\n", ret);
739 }
740
741 return ret;
742 }
743
app_hks_encrypt_cert(hi_void)744 hi_u32 app_hks_encrypt_cert(hi_void)
745 {
746 hi_u32 ret;
747
748 struct hks_blob blob_plain1 = {0};
749 struct hks_blob blob_plain2 = {0};
750 struct hks_blob blob_plain3 = {0};
751 ret = hks_encrypt_init_plain_blob(&blob_plain1, &blob_plain2, &blob_plain3);
752 if (ret != HI_ERR_SUCCESS) {
753 return ret;
754 }
755
756 struct hks_blob blob_cipher1 = {0};
757 struct hks_blob blob_cipher2 = {0};
758 struct hks_blob blob_cipher3 = {0};
759
760 /* create enc param */
761 encrypt_param enc_param = {0};
762 struct hks_crypt_param blob_crypt_param_cert = {0};
763 hks_create_cert_enc_param(&enc_param, &blob_crypt_param_cert);
764
765 /* start encrypt */
766 ret = hks_encrypt_cert_get_cipher(&blob_crypt_param_cert, &blob_plain1, &blob_cipher1, 0x0);
767 ret |= hks_encrypt_cert_get_cipher(&blob_crypt_param_cert, &blob_plain2, &blob_cipher2, 0x1);
768 ret |= hks_encrypt_cert_get_cipher(&blob_crypt_param_cert, &blob_plain3, &blob_cipher3, 0x2);
769 if (ret != HI_ERR_SUCCESS) {
770 free_ciphert_text_blob(&blob_cipher1, &blob_cipher2, &blob_cipher3);
771 return ret;
772 }
773
774 hi_u32 cipher_size_array[0x3] = {blob_cipher1.size, blob_cipher2.size, blob_cipher3.size};
775 hi_u32 cipher_text_total_len = cipher_size_array[0x0] + cipher_size_array[0x1] + cipher_size_array[0x2];
776
777 hi_u32 cipher_store_addr = 0;
778 hi_u32 cipher_store_size = 0;
779 app_hks_get_cert_bin_start_store_addr(&cipher_store_addr, &cipher_store_size);
780 if (cipher_text_total_len > (cipher_store_size - 0x5 * sizeof(hi_u32))) {
781 hi_at_printf("cipher total len bigger than:%d", cipher_store_size);
782 free_ciphert_text_blob(&blob_cipher1, &blob_cipher2, &blob_cipher3);
783 return HI_ERR_FAILURE;
784 }
785
786 /* overwrite cipher cert to plain cert */
787 /* Write Header Structure.CNcomment:写入头结构 */
788 hi_u32 cert_start_flag = CERT_KEY_START_FLAG;
789 hi_u32 cert_total_cnt = 0x3;
790 ret = hi_flash_write(cipher_store_addr, sizeof(hi_u32), (const hi_u8*)&cert_start_flag, HI_TRUE);
791 ret = hi_flash_write(cipher_store_addr + sizeof(hi_u32), sizeof(hi_u32), (const hi_u8*)&cert_total_cnt, HI_TRUE);
792 for (hi_u32 i = 0; i < cert_total_cnt; i++) {
793 cipher_size_array[i] += sizeof(encrypt_param);
794 }
795 ret = hi_flash_write(cipher_store_addr + 0x2 * sizeof(hi_u32), 0x3 * sizeof(hi_u32),
796 (const hi_u8*)&cipher_size_array, HI_TRUE);
797
798 /* Writing the Ciphertext Certificate/Key Content.CNcomment:写入密文证书/秘钥内容 */
799 hi_u32 cert_text_write_addr = cipher_store_addr + 0x5 * sizeof(hi_u32);
800 /* write cert1 */
801 ret = write_cert_text_to_flash(cert_text_write_addr, &enc_param, &blob_cipher1, &cipher_size_array[0], 0x0);
802 /* write cert2 */
803 ret |= write_cert_text_to_flash(cert_text_write_addr, &enc_param, &blob_cipher2, &cipher_size_array[0], 0x1);
804 /* write cert3 */
805 ret |= write_cert_text_to_flash(cert_text_write_addr, &enc_param, &blob_cipher3, &cipher_size_array[0], 0x2);
806
807 free_ciphert_text_blob(&blob_cipher1, &blob_cipher2, &blob_cipher3);
808
809 return ret;
810 }
811
app_hks_decrypt_cert(hi_u32 * plain_size,hi_u8 * plain_data)812 hi_u32 app_hks_decrypt_cert(hi_u32 *plain_size, hi_u8 *plain_data)
813 {
814 hi_u32 ret;
815
816 if (plain_data == HI_NULL) {
817 return HI_ERR_FAILURE;
818 }
819
820 hi_u32 key_save_partition_addr = 0;
821 hi_u32 key_save_partition_size = 0;
822 ret = app_hks_get_key_store_addr(&key_save_partition_addr, &key_save_partition_size, 1);
823 if (ret != HI_ERR_SUCCESS) {
824 return ret;
825 }
826
827 /* get key param */
828 struct hks_key_param key_param = {0};
829 ret = hi_flash_read(key_save_partition_addr, sizeof(key_param), (hi_u8 *)&key_param);
830 if (ret != HI_ERR_SUCCESS) {
831 return ret;
832 }
833 key_param.key_usage = HKS_KEY_USAGE_DECRYPT;
834
835 /* get key data */
836 struct hks_blob key_data_blob = {0};
837 hks_get_key_data(key_save_partition_addr, &key_data_blob);
838
839 /* get cipher text addr and size */
840 /* The demo decrypts only the first certificate file.CNcomment:demo仅解密第1个证书文件 */
841 hi_u32 cipher_data_save_addr = 0;
842 hi_u32 cipher_data_size = 0;
843 ret = app_hks_get_cert_store_addr(&cipher_data_save_addr, &cipher_data_size, 0);
844 if (ret != HI_ERR_SUCCESS) {
845 return ret;
846 }
847
848 /* get enc param */
849 encrypt_param enc_param = {0};
850 struct hks_crypt_param hks_encry_param = {0};
851 ret = hks_get_enc_param(cipher_data_save_addr, &enc_param, &hks_encry_param);
852 if (ret != HI_ERR_SUCCESS) {
853 return ret;
854 }
855
856 /* get cipher data */
857 struct hks_blob cipher_text_blob = {0};
858 hks_get_cert_cipher_data(cipher_data_save_addr, &cipher_text_blob, cipher_data_size);
859
860 /* start decrypt */
861 struct hks_blob plain_text_blob = {0};
862 plain_text_blob.size = cipher_text_blob.size - CIPHER_PLAIN_LEN_MIN_DIFF;
863 if ((*plain_size) < plain_text_blob.size) {
864 hi_at_printf("plain_size too small\r\n");
865 return HI_ERR_FAILURE;
866 }
867 plain_text_blob.data = plain_data;
868
869 ret = hks_symmetric_decrypt(&key_data_blob, &key_param, &hks_encry_param, &plain_text_blob, &cipher_text_blob);
870 if (ret != HI_ERR_SUCCESS) {
871 hi_at_printf("hks_symmetric_decrypt ret = %d\r\n", ret);
872 return ret;
873 }
874 *plain_size = plain_text_blob.size;
875
876 return HI_ERR_SUCCESS;
877 }
878
879 #endif
880