Secure Element Symmetric Ciphers

Encryption and Decryption using secure element keys in block modes other than ECB must be done in multiple parts, using the following flow:

  • psa_drv_se_cipher_setup_t

  • psa_drv_se_cipher_set_iv_t (optional depending upon block mode)

  • psa_drv_se_cipher_update_t

  • psa_drv_se_cipher_update_t

  • ...

  • psa_drv_se_cipher_finish_t

If a previously started secure element cipher operation needs to be terminated, this should be done by calling psa_drv_se_cipher_abort_t. Failure to do so may result in allocated resources not being freed or in other undefined behavior.

In situations where a PSA Cryptographic API implementation is using a block mode not supported by the underlying hardware or driver, it can construct the block mode itself, while calling the psa_drv_se_cipher_ecb_t function for the cipher operations.
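As an added illustration of constructing a block mode on top of the ECB entry point (not code from this page or from Mbed TLS), the sketch below builds CBC around a callback with the psa_drv_se_cipher_ecb_t signature. The PSA types are local stand-ins, toy_ecb and cbc_over_ecb are hypothetical names, the toy callback is not a real cipher, and padding is left out, so the input must be a whole number of 16-byte blocks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Stand-ins for the PSA types, so this compiles without the headers (assumption). */
typedef int32_t psa_status_t;
typedef struct { int unused; } psa_drv_se_context_t;
typedef uint64_t psa_key_slot_number_t; typedef uint32_t psa_algorithm_t;
typedef enum { PSA_CRYPTO_DRIVER_DECRYPT, PSA_CRYPTO_DRIVER_ENCRYPT } psa_encrypt_or_decrypt_t;
typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context,
    psa_key_slot_number_t key_slot, psa_algorithm_t algorithm,
    psa_encrypt_or_decrypt_t direction, const uint8_t *p_input, size_t input_size,
    uint8_t *p_output, size_t output_size);
#define PSA_SUCCESS ((psa_status_t)0)
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
#define BLK 16u

/* Constructed toy ECB callback, NOT a real cipher: adds a slot-derived byte. */
psa_status_t toy_ecb(psa_drv_se_context_t *c, psa_key_slot_number_t slot,
    psa_algorithm_t alg, psa_encrypt_or_decrypt_t dir, const uint8_t *in,
    size_t n, uint8_t *out, size_t out_size)
{
    (void)c; (void)alg;
    int sign = (dir == PSA_CRYPTO_DRIVER_ENCRYPT) ? 1 : -1;
    if (n % BLK != 0 || out_size < n) return PSA_ERROR_INVALID_ARGUMENT;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(in[i] + sign * (int)((slot + 7u * (i % BLK)) & 0xFF));
    return PSA_SUCCESS;
}

/* CBC chaining done by the caller; the driver only sees single ECB blocks. */
psa_status_t cbc_over_ecb(psa_drv_se_cipher_ecb_t ecb, psa_drv_se_context_t *ctx,
    psa_key_slot_number_t slot, psa_algorithm_t alg, psa_encrypt_or_decrypt_t dir,
    const uint8_t iv[BLK], const uint8_t *in, size_t n, uint8_t *out)
{
    uint8_t chain[BLK], blk[BLK], cur[BLK];
    if (n % BLK != 0) return PSA_ERROR_INVALID_ARGUMENT;
    memcpy(chain, iv, BLK);
    for (size_t off = 0; off < n; off += BLK) {
        int enc = (dir == PSA_CRYPTO_DRIVER_ENCRYPT);
        memcpy(cur, in + off, BLK);            /* copy first: in and out may alias */
        for (size_t i = 0; enc && i < BLK; i++) cur[i] ^= chain[i];  /* P ^ C[i-1] */
        psa_status_t st = ecb(ctx, slot, alg, dir, cur, BLK, blk, BLK);
        if (st != PSA_SUCCESS) return st;
        for (size_t i = 0; !enc && i < BLK; i++) blk[i] ^= chain[i]; /* D(C) ^ C[i-1] */
        memcpy(chain, enc ? blk : cur, BLK);   /* next chain value is the ciphertext */
        memcpy(out + off, blk, BLK);
    }
    return PSA_SUCCESS;
}
```

Calling the ECB callback directly on two identical plaintext blocks yields two identical ciphertext blocks; the chaining above is what removes that pattern.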

Modules

psa_drv_se_cipher_t

Typedefs

typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_context, void *op_context, psa_key_slot_number_t key_slot, psa_algorithm_t algorithm, psa_encrypt_or_decrypt_t direction)

A function that provides the cipher setup function for a secure element driver.

typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context, const uint8_t *p_iv, size_t iv_length)

A function that sets the initialization vector (if necessary) for a secure element cipher operation.

typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context, const uint8_t *p_input, size_t input_size, uint8_t *p_output, size_t output_size, size_t *p_output_length)

A function that continues a previously started secure element cipher operation.

typedef psa_status_t (*psa_drv_se_cipher_finish_t)(void *op_context, uint8_t *p_output, size_t output_size, size_t *p_output_length)

A function that completes a previously started secure element cipher operation.

typedef psa_status_t (*psa_drv_se_cipher_abort_t)(void *op_context)

A function that aborts a previously started secure element cipher operation.

typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key_slot, psa_algorithm_t algorithm, psa_encrypt_or_decrypt_t direction, const uint8_t *p_input, size_t input_size, uint8_t *p_output, size_t output_size)

A function that performs the ECB block mode for secure element cipher operations.

Typedef Documentation

psa_drv_se_cipher_setup_t

typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_context, void *op_context, psa_key_slot_number_t key_slot, psa_algorithm_t algorithm, psa_encrypt_or_decrypt_t direction)

A function that provides the cipher setup function for a secure element driver.

Parameters

  • [inout] drv_context: The driver context structure.
  • [inout] op_context: A structure that will contain the hardware-specific cipher context.
  • [in] key_slot: The slot of the key to be used for the operation
  • [in] algorithm: The algorithm to be used in the cipher operation
  • [in] direction: Indicates whether the operation is an encrypt or decrypt


Definition at line 391 of file util/third_party/mbedtls/include/psa/crypto_se_driver.h

psa_drv_se_cipher_set_iv_t

typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context, const uint8_t *p_iv, size_t iv_length)

A function that sets the initialization vector (if necessary) for a secure element cipher operation.

Parameters

  • [inout] op_context: A structure that contains the previously set up hardware-specific cipher context
  • [in] p_iv: A buffer containing the initialization vector
  • [in] iv_length: The size (in bytes) of the p_iv buffer

Rationale: The psa_se_cipher_* operation in the PSA Cryptographic API has two IV functions: one to set the IV, and one to generate it internally. The generate function is not necessary for the drivers to implement as the PSA Crypto implementation can do the generation using its RNG features.


Definition at line 412 of file util/third_party/mbedtls/include/psa/crypto_se_driver.h

psa_drv_se_cipher_update_t

typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context, const uint8_t *p_input, size_t input_size, uint8_t *p_output, size_t output_size, size_t *p_output_length)

A function that continues a previously started secure element cipher operation.

Parameters

  • [inout] op_context: A hardware-specific structure for the previously started cipher operation
  • [in] p_input: A buffer containing the data to be encrypted/decrypted
  • [in] input_size: The size in bytes of the buffer pointed to by p_input
  • [out] p_output: The caller-allocated buffer where the output will be placed
  • [in] output_size: The allocated size in bytes of the p_output buffer
  • [out] p_output_length: After completion, will contain the number of bytes placed in the p_output buffer


Definition at line 434 of file util/third_party/mbedtls/include/psa/crypto_se_driver.h

psa_drv_se_cipher_finish_t

typedef psa_status_t (*psa_drv_se_cipher_finish_t)(void *op_context, uint8_t *p_output, size_t output_size, size_t *p_output_length)

A function that completes a previously started secure element cipher operation.

Parameters

  • [inout] op_context: A hardware-specific structure for the previously started cipher operation
  • [out] p_output: The caller-allocated buffer where the output will be placed
  • [in] output_size: The allocated size in bytes of the p_output buffer
  • [out] p_output_length: After completion, will contain the number of bytes placed in the p_output buffer


Definition at line 455 of file util/third_party/mbedtls/include/psa/crypto_se_driver.h

psa_drv_se_cipher_abort_t

typedef psa_status_t (*psa_drv_se_cipher_abort_t)(void *op_context)

A function that aborts a previously started secure element cipher operation.

Parameters

  • [inout] op_context: A hardware-specific structure for the previously started cipher operation


Definition at line 466 of file util/third_party/mbedtls/include/psa/crypto_se_driver.h

psa_drv_se_cipher_ecb_t

typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context, psa_key_slot_number_t key_slot, psa_algorithm_t algorithm, psa_encrypt_or_decrypt_t direction, const uint8_t *p_input, size_t input_size, uint8_t *p_output, size_t output_size)

A function that performs the ECB block mode for secure element cipher operations.

Parameters

  • [inout] drv_context: The driver context structure.
  • [in] key_slot: The slot of the key to be used for the operation
  • [in] algorithm: The algorithm to be used in the cipher operation
  • [in] direction: Indicates whether the operation is an encrypt or decrypt
  • [in] p_input: A buffer containing the data to be encrypted/decrypted
  • [in] input_size: The size in bytes of the buffer pointed to by p_input
  • [out] p_output: The caller-allocated buffer where the output will be placed
  • [in] output_size: The allocated size in bytes of the p_output buffer

Note: this function should only be used with implementations that do not provide a needed higher-level operation.


Definition at line 491 of file util/third_party/mbedtls/include/psa/crypto_se_driver.h