crypto: support software key management based on MTD

This patch adds support for managing cryptographic keys using MTD storage.

It enables the persistence of keys across reboots using a software-based key management system.

Includes fixes for compilation warnings and validation logic.

Signed-off-by: makejian <makejian@xiaomi.com>

boards/sim/sim/sim/configs/crypto/defconfig

@@ -20,7 +20,7 @@ CONFIG_BOOT_RUNFROMEXTSRAM=y
 CONFIG_BUILTIN=y
 CONFIG_CRYPTO=y
 CONFIG_CRYPTO_CRYPTODEV=y
-CONFIG_CRYPTO_CRYPTODEV_SOFTWARE=y
+CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO=y
 CONFIG_CRYPTO_MBEDTLS=y
 CONFIG_CRYPTO_RANDOM_POOL=y
 CONFIG_CRYPTO_SW_AES=y

crypto/CMakeLists.txt

@@ -28,7 +28,8 @@ if(CONFIG_CRYPTO)
 
   if(CONFIG_CRYPTO_CRYPTODEV)
     list(APPEND SRCS cryptodev.c)
-    if(CONFIG_CRYPTO_CRYPTODEV_SOFTWARE)
+    if(CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO
+       OR CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT)
       list(APPEND SRCS cryptosoft.c)
       list(APPEND SRCS xform.c)
     endif()

crypto/Kconfig

@@ -40,11 +40,36 @@ config CRYPTO_CRYPTODEV
 	depends on ALLOW_BSD_COMPONENTS
 	default n
 
-config CRYPTO_CRYPTODEV_SOFTWARE
-	bool "cryptodev software support"
+config CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO
+	bool "cryptodev software cipher support"
 	depends on CRYPTO_CRYPTODEV && CRYPTO_SW_AES
 	default n
 
+config CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT
+	bool "cryptodev software key management support"
+	depends on CRYPTO_CRYPTODEV && !MTD_CONFIG_NONE
+	default n
+
+if CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT
+
+config CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT_DEVICE
+	string "device of trusted storage"
+	default "/dev/nvs"
+
+config CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT_NSLOTS
+	int "Maximum number of key in cache"
+	default 4
+
+config CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT_BUFSIZE
+	int "Maximum size of key buffer in cache (bytes)"
+	default 64
+
+config CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT_NKEYS
+	int "Maximum number of key in flash"
+	default 32
+
+endif # CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT
+
 config CRYPTO_CRYPTODEV_HARDWARE
 	bool "cryptodev hardware support"
 	depends on CRYPTO_CRYPTODEV

crypto/Makefile

@@ -32,7 +32,7 @@ CRYPTO_CSRCS += crypto.c testmngr.c
 
 ifeq ($(CONFIG_CRYPTO_CRYPTODEV),y)
   CRYPTO_CSRCS += cryptodev.c
-ifeq ($(CONFIG_CRYPTO_CRYPTODEV_SOFTWARE),y)
+ifneq ($(CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO)$(CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT),)
   CRYPTO_CSRCS += cryptosoft.c
   CRYPTO_CSRCS += xform.c
 endif

crypto/crypto.c

@@ -344,6 +344,21 @@ int crypto_get_driverid(uint8_t flags)
   return -1;
 }
 
+int crypto_find_driverid(uint8_t flags)
+{
+  int i;
+
+  for (i = 0; i < crypto_drivers_num; i++)
+    {
+      if (crypto_drivers[i].cc_flags & flags)
+        {
+          return i;
+        }
+    }
+
+  return -EINVAL;
+}
+
 /* Register a crypto driver. It should be called once for each algorithm
  * supported by the driver.
  */

crypto/cryptodev.c

@@ -60,7 +60,7 @@ extern FAR struct cryptocap *crypto_drivers;
 extern int crypto_drivers_num;
 int usercrypto = 1;         /* userland may do crypto requests */
 int userasymcrypto = 1;     /* userland may do asymmetric crypto reqs */
-#ifdef CONFIG_CRYPTO_CRYPTODEV_SOFTWARE
+#ifdef CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO
 int cryptodevallowsoft = 1; /* 0 is only use hardware crypto
                              * 1 is use hardware & software crypto
                              */
@@ -1155,10 +1155,14 @@ void devcrypto_register(void)
 {
   register_driver("/dev/crypto", &g_cryptoops, 0666, NULL);
 
-#ifdef CONFIG_CRYPTO_CRYPTODEV_SOFTWARE
+#ifdef CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_CRYPTO
   swcr_init();
 #endif
 
+#ifdef CONFIG_CRYPTO_CRYPTODEV_SOFTWARE_KEYMGMT
+  swkey_init();
+#endif
+
 #ifdef CONFIG_CRYPTO_CRYPTODEV_HARDWARE
   hwcr_init();
 #endif

include/crypto/cryptodev.h

@@ -361,6 +361,7 @@ struct cryptocap
 #define CRYPTOCAP_F_ENCRYPT_MAC 0x04 /* Can do encrypt-then-MAC (IPsec) */
 #define CRYPTOCAP_F_MAC_ENCRYPT 0x08 /* Can do MAC-then-encrypt (TLS) */
 #define CRYPTOCAP_F_REMOTE      0x10 /* Remote core driver  */
+#define CRYPTOCAP_F_KEY_MGMT    0x20 /* Key management */
 
   CODE int (*cc_newsession)(FAR uint32_t *, FAR struct cryptoini *);
   CODE int (*cc_process)(FAR struct cryptop *);
@@ -449,6 +450,7 @@ int crypto_kregister(uint32_t, FAR int *,
                      CODE int (*)(FAR struct cryptkop *));
 int crypto_unregister(uint32_t, int);
 int crypto_get_driverid(uint8_t);
+int crypto_find_driverid(uint8_t);
 int crypto_invoke(FAR struct cryptop *);
 int crypto_kinvoke(FAR struct cryptkop *);
 int crypto_getfeat(FAR int *);

include/crypto/cryptosoft.h

@@ -37,6 +37,10 @@
 #include <crypto/cryptodev.h>
 #include <crypto/xform.h>
 
+/****************************************************************************
+ * Public Type Definitions
+ ****************************************************************************/
+
 /* Software session entry */
 
 struct swcr_data
@@ -93,4 +97,8 @@ int swcr_newsession(FAR uint32_t *, FAR struct cryptoini *);
 int swcr_freesession(uint64_t);
 void swcr_init(void);
 
+/* Software key management */
+
+void swkey_init(void);
+
 #endif /* __INCLUDE_CRYPTO_CRYPTOSOFT_H */