[RFC] Hardware crypto APIs


Joseph, Jithu
 

The purpose of these APIs, is to provide applications, a hardware independent way to perform encryption/decryption (ZEP-328 - https://jira.zephyrproject.org/browse/ZEP-328 ).
In other words Crypto hardware drivers implement functions as mandated by the header file, and apps can use the standard driver model way to open the crypto device and invoke functions (defined in the header), to realize cipher operations (encryption/decryption), using standard cipher modes like ECB, CBC, CTR etc.

Here are the list of patches and what they do :

1. cipher.h header (https://gerrit.zephyrproject.org/r/#/c/3311/ ) - defines the cipher interface for encryption/decryption.

2. Sample driver - https://gerrit.zephyrproject.org/r/#/c/3312 -A sample driver using the above interface (and using tinycrypt s/w library for actual encryption)

3. Sample app - https://gerrit.zephyrproject.org/r/#/c/3313/ - Sample app using the crypto interface

Cipher.h primer - Apps are meant to first open a context, by specifying one time parameters like key, algorithm and modes (via cipher_ctx struct). These one-time parameters are used to program the hardware crypto block . The driver returns the corresponding encryption, decryption functions pointers relevant to the chosen mode. Subsequently, apps can invoke them (multiple times) using standard "mode" functions defined in the header. The below sequence diagram tries to portray this pictorially. (You will need to enable fixed font size in mail client to see it as intended . e.g on outlook File > Options > Mail > Stationery and Fonts > Set the font for plain text e-mails to a monospaced font (say) Courier New. )

+-------------------------------------------------------------------------------------------------+
| +-------+ +---------+ +-------------+ |
| | App | |Crypto | | Crypto | |
| +---+---+ |Driver | | H/W block | |
| | +----+----+ +-------+-----+ |
| | | | |
| +-------------------------------------------------------------------------------------+ |
| | | Session Context setup phase | | | |
| +-------------------------------------------------------------------------------------+ |
| | +--------------------------------+ | | |
| | |cipher_begin_session(*dev, *ctx)| | | |
| +---------->where: +------> program h/w | |
| | |ctx -> Key, Algo type, mode etc | +----+with one time->| |
| | +--------------------------------+ | parameters | |
| | | | |
| | returns function pointers corresponding | | |
| <-------to the selected mode in ctx->ops <-----+ | |
| | | | |
| +-------------------------------------------------------------------------------------+ |
| | |Operation Phase (possibly repeated multiple times)| | | |
| +-------------------------------------------------------------------------------------+ |
| | +------------------------------+ | | |
| | | cipher_xx_yy(*ctx, *pkt, ..) | | | |
| +---> | where: | | | |
| | +---------> Pkt -> Input/Output buffers +---------> | |
| | | | xx -> mode (ecb,cbc, ctr etc)| +--------------------> |
| |nex| | yy -> encrypt / decrypt | <--------------------+ |
| |op | | .. -> IVs, CTRs (mode spec) | | | |
| | | +------------------------------+ | | |
| ^ | | | |
| | Provide the result | | |
| | | <------------------------------------------------+ | |
| +---+ | | |
| +------------------------------------------------------------------------------------+ |
| | | Session Freeing phase | | | |
| +------------------------------------------------------------------------------------+ |
| | | | |
| | cipher_free_session(*dev, *ctx) | | |
| +------------------------------------------------> | Clear session info |
| | +---from h/w---------> |
| | | | |
| <--------------------------------------------------+ | |
| | | | |
| | | | |
| -------------------------------------------------------------------------------------------+ |
| +---v---+ +---------+ +-------v-----+ |
| | App | |Crypto | | Crypto | |
| +-------+ |Driver | | H/W block | |
| +---------+ +-------------+ |
| |
| |
+-------------------------------------------------------------------------------------------------+

This interface is expected to evolve as SOCs with hardware crypto support start coming in (with possibly newer requirements) , the current API is intended as a starting point. Comments are welcome.


Thanks
Jithu


[Acknowledgments : Geoffrey Thorpe <geoff.thorpe(a)nxp.com> and Tomasz Bursztyka <tomasz.bursztyka(a)linux.intel.com>, for their initial review comments on gerrit ]

Join devel@lists.zephyrproject.org to automatically receive all group messages.