support Ed25519 sign/verify scheme

[sa-kib]

This PR adds Ed25519 support as defined in GlobalPlatform TEE Internal Core API v1.3, using libtomcrypt as the backend crypto implementation.
Companion PR for optee_test: #610

[jenswi-linaro]

Comment for the commit "libutee: add Ed25519 support"

In the description of the commit. Which version 1.3 or 1.3.1? I guess we would prefer version 1.3.1 as that's the latest.

[jenswi-linaro]

Please add a comment at the end of the define that this is from the v1.3 or v1.3.1 spec.

[jenswi-linaro]

Same for the other new defines in this commit.

[sa-kib]

done

[jenswi-linaro]

Comments for the commit "core: crypto: add Ed25519 support"

[jenswi-linaro]

Cast is not needed.

[sa-kib]

done

[jenswi-linaro]

We just key is enough for a local variable.

[sa-kib]

indeed, fixed

[jenswi-linaro]

The u is not needed here, 0 is enough.

[sa-kib]

fixed

[jenswi-linaro]

It looks like this should rather be a bool, same for cx_flag.

[sa-kib]

fixed

[jenswi-linaro]

s/uint8_t flag/bool with_ph/ or something like that. Same for crypto_acipher_ed25519ctx_verify().

[sa-kib]

I've put ph_flag -- just to be consistent with the rest of the code

[jenswi-linaro]

This might be a bit much to keep on the stack. This could be allocated using mempool_alloc(mempool_default, ...) instead, pretty much guaranteed to succeed. If the allocation fails there's an error in the mempool configuration.

[sa-kib]

sure, then I shall use mempool_calloc(..)

[jenswi-linaro]

Regarding the commit "core: libtomcrypt: add ed25519ctx and ed25519ph support"

Do you have any plans to upstream this?

[sjaeckel]

c.f. libtom/libtomcrypt#597

[larperaxis]

There is already plumbing in crypto.mk to include parts of tomcrypt to get full cipher support when using mbedtls. I would prefer that 25519 is available regardless of the chosen crypto library.

[jforissier]

@larperaxis that would be nice indeed but since CFG_CRYPTO_X25519 already excludes mbedtls, that should be handled in a separate PR.

[sa-kib]

@larperaxis @jforissier then I shall make a separate PR for this, thank you for taking a look

[sa-kib]

Comment for the commit "libutee: add Ed25519 support"

In the description of the commit. Which version 1.3 or 1.3.1? I guess we would prefer version 1.3.1 as that's the latest.

hi @jenswi-linaro , thanks for a review.
Indeed it's a v1.3.1, I've put corresponding references in new declarations and also changed commit messsage.

[jenswi-linaro]

This must be freed when we're done with it.

[sa-kib]

fixed by c54d157, along with other fixes that I've missed before.

[sjaeckel]

This misses a ctx_len

[sa-kib]

fixed in 3eba17f, thank you

[jforissier]

Ed25519

[sa-kib]

fixed

[jforissier]

Comments not needed, the names are obvious

[sa-kib]

fixed

[jforissier]

@larperaxis that would be nice indeed but since CFG_CRYPTO_X25519 already excludes mbedtls, that should be handled in a separate PR.

[jforissier]

Hi,

• Two very minor comments below. Please also check the CI checkpatch errors, the alignment issue should be fixed.
• I'd like the fixup commits to be squashed if @jenswi-linaro is OK with that. I did a git rebase -i --autosquash and there is an issue with the number of arguments to ed25519ph_sign() it seems.
• For commit "libutee: add Ed25519 support":
  Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

[jenswi-linaro]

Yes, please squash the fixup commits.

[sa-kib]

Hi,

hi @jforissier, thanks for review!

• Two very minor comments below. Please also check the CI checkpatch errors, the alignment issue should be fixed.

fixed

• I'd like the fixup commits to be squashed if @jenswi-linaro is OK with that. I did a git rebase -i --autosquash and there is an issue with the number of arguments to ed25519ph_sign() it seems.

done squashing & rebasing, but what's the issue with ed25519ph_sign() ?

[jforissier]

what's the issue with ed25519ph_sign() ?

It is introduced with 7 arguments in patch number 2, then called with only 6 in patch number 3, then the final patch adds the missing argument (cxtlen).

Please change the subject of patch 2 from "core: libtomcrypt: add ed25519ctx and ed25519ph support" to "libtomcrypt: add ed25519ctx and ed25519ph support".

[sa-kib]

what's the issue with ed25519ph_sign() ?

It is introduced with 7 arguments in patch number 2, then called with only 6 in patch number 3, then the final patch adds the missing argument (cxtlen).

oh, I see, it's fixed already then

Please change the subject of patch 2 from "core: libtomcrypt: add ed25519ctx and ed25519ph support" to "libtomcrypt: add ed25519ctx and ed25519ph support".

yes, done

[jforissier]

oh, I see, it's fixed already then

No. The functions are introduced in patch 2 with a wrong signature, then modified in patch 3. I don't want that, please do the right thing the first time. Unless I'm missing something...

[sa-kib]

oh, I see, it's fixed already then

No. The functions are introduced in patch 2 with a wrong signature, then modified in patch 3. I don't want that, please do the right thing the first time. Unless I'm missing something...

my bad, I've messed with one of fixups.
Now I've done a proper fixup, squashed, rebased & verified.

[etienne-lms]

indentation issue?
not a strong opinion seen the already existing fuzzy indentation in this header file.

[jforissier]

That's a LibTomCrypt file so coding style is different.

[sa-kib]

yep, I've just tried to retain LTC coding style there.
But I can do it differently ofc, this header seems to have slightly different identation styles mixed.

[etienne-lms]

BSD-2-Clause?

[jenswi-linaro]

It seems that LTC is using this license consistently.

[sa-kib]

@sjaeckel created that file & code, so I didn't dare to change it.

[etienne-lms]

Yes indeed, keep as is.

[etienne-lms]

#ifdef LTC_CLEAN_STACK
  zeromem(buf, len);
#endif

?

[sa-kib]

agree, done in 4d7340e

[etienne-lms]

Why 512?

Prevent headvy stack consumption. I think you could get your way using hash_memory_multi().

[sa-kib]

in tweetnacl they do all allocations on stack, so we followed their a style (though other allocations in this library are considerably smaller).

As for 512 size considerations are:
255 (context size) + 32 context prefix + 1 flag + 1 ctx len
PREFIX=b"SigEd25519 no Ed25519 collisions" so minimal allocation of 289 seems to be required.
But there are another algorithms that might require context prefix. So it was rounded up to 512.

[sjaeckel]

@etienne-lms I also thought it could be worth it, but apparently tweetnacl itself is already very stack-heavy.

Each invocation of tweetnacl_crypto_hash[_ctx]() inside tweetnacl originates from a function that also calls other functions. Those other functions require way more stack than 512 bytes, ergo that stack size is already required.

If I counted correctly the call-stack of the two public API functions tweetnacl_crypto_sign[_open](): scalarbase() -> scalarmult() -> add() -> M() -> car25519() requires those stack variables:

typedef i64 gf[16];
  int i; //4 or 8
  i64 c; //8
  i64 i,j,t[31]; //264
  gf a,b,c,d,t,e,f,g,h; //1152
  u8 b; //1
  int i; //4 or 8
  gf q[4]; //512
// max. sum of the above: 1953 bytes

[sjaeckel]

I still liked the idea so there's the last commit of libtom/libtomcrypt#598

[Edit] I've pulled that commit out into a separate PR libtom/libtomcrypt#599 together with some others.

[sa-kib]

Patch backported as a fixup: ff58986

[etienne-lms]

test not strictly needed.

[sa-kib]

indeed, fixed in 4d7340e

[etienne-lms]

is it a programming error if ther are several TEE_ATTR_EDDSA_CTX attributes defined? Should the code warm or panic in such case?

[sa-kib]

Specification does not explicitly forbid passing several context strings, the decision what to do in this case seems to be left up to implementation. Yet the case with several context strings does look like a clear programming error, so it probably should panic indeed, I'll do a change.

[sa-kib]

done in 9f65a72 -- only one context is permitted, also disposed of boilerplate code.

[etienne-lms]

This is a somewhat magic number. I believe the context size must be <256 as per the algo spec. If so, a macro with a explicit name would be better.

[sa-kib]

done in 785b4be

[etienne-lms]

not needed since mempool_calloc() zeroes the allocated buffer.

[sa-kib]

fixed in 785b4be

[etienne-lms]

ditto

[sa-kib]

fixed in 785b4be

[etienne-lms]

check ctx != NULL

[sa-kib]

fixed in 785b4be

[jforissier]

Please do not use the "core:" prefix for pure LibTomCrypt changes. I know LTC is used only in the TEE core not as a user space library, but I prefer to reserve "core: libtomcrypt: ..." for the OP-TEE specific adaptation layer and "libtomcrypt: ..." for the the rest. Makes it a bit easier to see which commit touches what.

Overall this looks good to me, I will review again once fixups are squashed, @etienne-lms let us now when you want them squashed. EDIT: oops, a compile issue has to be fixed (see CI).

[etienne-lms]

few minor comments.
@sa-kib, you can squash the fixup commits.

[etienne-lms]

	uint8_t *priv;	/* Private value */
	uint8_t *pub;	/* Public value */

for consistency?

[sa-kib]

it was agreed with @jforissier to be unnecessary.

[etienne-lms]

ok

[etienne-lms]

a well named macro would be nice but I guess it rather depends on libtomcrypt maintainers.

[etienne-lms]

Yes indeed, keep as is.

[etienne-lms]

Public key content is not that sensible. I think it's not worth wiping its content.

[jforissier]

With the below minor comments addressed (and please also fix the long line in the commit description spotted by checkpatch):

"libtomcrypt: fix excessive memory clean"
"libtomcrypt: add ed25519ctx and ed25519ph support"
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

"core: libtomcrypt: add Ed25519 support"
"core: crypto: add Ed25519 support "
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>

[jforissier]

Use n = 0 here (although it is already initialized)

[sa-kib]

done

[jforissier]

if (!*ctx)

[sa-kib]

done

[jforissier]

if (!*ctx_len)

[sa-kib]

done

[sa-kib]

squashed & rebased. Also get rid of mempool_alloc(), as we don't modify context and to make things a bit simpler.

[etienne-lms]

Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> for commit
"libtomcrypt: fix excessive memory clean"

Acked-by: Etienne Carriere <etienne.carriere@linaro.org> for commits:
"libutee: add Ed25519 support"
"libtomcrypt: add ed25519ctx and ed25519ph support"
"core: libtomcrypt: add Ed25519 support"
"core: crypto: add Ed25519 support"

[sjaeckel]

Maybe you want to update your libtomcrypt? c.f. libtom/libtomcrypt#599

[jforissier]

Maybe you want to update your libtomcrypt? c.f. libtom/libtomcrypt#599

That would be a good thing to do indeed. The last full sync dates back to 4 years ago, although we have picked a few fixes from upstream since then. It doesn't necessarily have to be done before this PR is merged however.

@sjaeckel can we consider that the current "develop" branch is stable?

[sjaeckel]

@sjaeckel can we consider that the current "develop" branch is stable?

yes, I'd say current develop is pretty stable.

The only things happening sometime would be:

1. what will happen with the ECC API after An attempt to fix #449 (ECDSA forcing DER/ASN.1) libtom/libtomcrypt#450 and Feature/rfc6979 libtom/libtomcrypt#477 are tackled... but I don't expect this to be really big changes, for 477 I've even a compatible way in mind.
2. whether we will follow up on [WIP/RFC] Remove prng registry libtom/libtomcrypt#515 and the other registries
3. Add PEM support libtom/libtomcrypt#587 will change the *_import_pkcs8() APIs, but I doubt you'll use them

The last full sync dates back to 4 years ago

Also I didn't mean a full sync, only the relevant changes of the mentioned PR

[sa-kib]

hi @jenswi-linaro, can this PR be considered in fit for inclusion?

[jenswi-linaro]

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

[jforissier]

@sa-kib sorry for the delay on this PR. On second thought, I'd like to have it merged after LibTomCrypt is updated in the master branch (that is #5539 which will be squash-merged into master). In the meantime, I have tried re-basing your patches onto the new LTC (without the two libtomcrypt: patches of course, which are already included upstream) and I there were only minor conflicts/issues. You will need to apply the below diff to "core: libtomcrypt: add Ed25519 support" and all should be well.

diff --git a/core/lib/libtomcrypt/ed25519.c b/core/lib/libtomcrypt/ed25519.c
index 33c1d852..b85629b8 100644
--- a/core/lib/libtomcrypt/ed25519.c
+++ b/core/lib/libtomcrypt/ed25519.c
@@ -7,6 +7,7 @@
 #include <crypto/crypto.h>
 #include <stdlib.h>
 #include <string.h>
+#include <string_ext.h>
 #include <tee_api_types.h>
 #include <trace.h>
 #include <utee_defines.h>
@@ -65,7 +66,7 @@ TEE_Result crypto_acipher_ed25519_sign(struct ed25519_keypair *key,
 	unsigned long siglen;
 	curve25519_key private_key = {
 		.type = PK_PRIVATE,
-		.algo = PKA_ED25519,
+		.algo = LTC_OID_ED25519,
 	};
 
 	if (!key)
@@ -94,7 +95,7 @@ TEE_Result crypto_acipher_ed25519ctx_sign(struct ed25519_keypair *key,
 	unsigned long siglen;
 	curve25519_key private_key = {
 		.type = PK_PRIVATE,
-		.algo = PKA_ED25519,
+		.algo = LTC_OID_ED25519,
 	};
 
 	if (!key)
@@ -126,7 +127,7 @@ TEE_Result crypto_acipher_ed25519_verify(struct ed25519_keypair *key,
 	int stat = 0;
 	curve25519_key public_key = {
 		.type = PK_PUBLIC,
-		.algo = PKA_ED25519,
+		.algo = LTC_OID_ED25519,
 	};
 
 	if (!key)
@@ -153,7 +154,7 @@ TEE_Result crypto_acipher_ed25519ctx_verify(struct ed25519_keypair *key,
 	int stat = 0;
 	curve25519_key public_key = {
 		.type = PK_PUBLIC,
-		.algo = PKA_ED25519,
+		.algo = LTC_OID_ED25519,
 	};
 
 	if (!key)
diff --git a/core/lib/libtomcrypt/src/pk/ec25519/sub.mk b/core/lib/libtomcrypt/src/pk/ec25519/sub.mk
index e3d07c0e..5040c391 100644
--- a/core/lib/libtomcrypt/src/pk/ec25519/sub.mk
+++ b/core/lib/libtomcrypt/src/pk/ec25519/sub.mk
@@ -1,2 +1,3 @@
+srcs-y += ec25519_crypto_ctx.c
 srcs-y += ec25519_export.c
 srcs-y += tweetnacl.c
diff --git a/core/lib/libtomcrypt/src/pk/ed25519/sub.mk b/core/lib/libtomcrypt/src/pk/ed25519/sub.mk
index bdd41059..cb2206da 100644
--- a/core/lib/libtomcrypt/src/pk/ed25519/sub.mk
+++ b/core/lib/libtomcrypt/src/pk/ed25519/sub.mk
@@ -3,6 +3,5 @@ srcs-y += ed25519_import.c
 srcs-y += ed25519_import_pkcs8.c
 srcs-y += ed25519_import_x509.c
 srcs-y += ed25519_make_key.c
-srcs-y += ed25519_set_key.c
 srcs-y += ed25519_sign.c
 srcs-y += ed25519_verify.c

[jforissier]

@sa-kib @varder I have now merged the LibTomCrypt update, so could you please rebase this PR on top of master and apply the Ack/Review tags given above? Thanks!

[jforissier]

@sa-kib @varder thanks for this contribution and for working with upstream LibTomCrypt too. I am merging this despite the IBART failure because I know it is caused by the missing commit b7563ba in your branch.