Cryptocell Key Sizes
Open, Needs TriagePublic

Description

We are just reviewing our cryptocell support in TF-A and noticed this:

include/drivers/arm/cryptocell/secureboot_gen_defs.h:

RSA_PSS_2048           = 0x01,			/*!< RSA PSS 2048 after hash SHA 256 */

drivers/auth/cryptocell/cryptocell_crypto.c:

	/* Verify the signature */
     	error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE,
     			(uint32_t *)data_ptr, &pk, &signature,
     			data_len, RSA_PSS_2048);
     	if (error != CC_OK)
     		return CRYPTO_ERR_SIGNATURE;
CryptoCell API Code removed at ARM support's request 

(but basically the cryptocell version 2 release only supports 3072 keys and encodes parameter 6 of CCSbVerifySignature as 1 for 3072 keys)

So from this, we are calling into code which is dealing with 3072 bit keys according to the comments and constant names, but TF-A Uses 2048 bit keys ??

Cheers,

Neil

neil-jones-work updated the task description. (Show Details)

Hi Neil
The Cryptocell variant supported by TF-A is CC-712 which only has support for RSA 2048.

CryptoCell API Code removed at ARM support's request
(but basically the cryptocell version 2 release only supports 3072 keys and encodes parameter 6 of CCSbVerifySignature as 1 for 3072 keys)

I am not sure where this comments are in the source code. Could you let me know where did you get the above comments ?
There is a new variant, CC-713, which has RSA 3K support but it is not yet integrated with TF-A.

Best Regards
Soby Mathew

ARM Support have asked me not to post any Cryptocell code publicly.

If you send me your email I will send you the details.

Please email me at soby.mathew@arm.com