We are just reviewing our CryptoCell support in TF-A and noticed this:
include/drivers/arm/cryptocell/secureboot_gen_defs.h:
```
RSA_PSS_2048 = 0x01, /*!< RSA PSS 2048 after hash SHA 256 */
```
drivers/auth/cryptocell/cryptocell_crypto.c:
```
	/* Verify the signature */
	error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE,
			(uint32_t *)data_ptr, &pk, &signature,
			data_len, RSA_PSS_2048);
	if (error != CC_OK)
		return CRYPTO_ERR_SIGNATURE;
```
sw-cc712tee-sbrom-2.0.0.3c72/codesafe/src/secure_boot/secure_boot_gen/secureboot_gen_defs.h:
```
RSA_PSS_3072 = 0x01, /*!< RSA PSS 3072 after hash SHA 256 */
```
sw-cc712tee-sbrom-2.0.0.3c72/codesafe/src/secure_boot/secure_boot_gen/secureboot_base_func.c:
```
CCError_t CCSbVerifySignature(unsigned long hwBaseAddress,
			      uint32_t *pData,
			      CCSbNParams_t *pNParams,
			      CCSbSignature_t *pSignature,
			      uint32_t sizeOfData,
			      CCSbRsaAlg_t RSAAlg)
{
[...]
	/* Currently only RSA_PSS_3072 is supported */
	if (RSAAlg != RSA_PSS_3072){
		CC_PAL_LOG_DEBUG("UNSUPPORTED RSA ALGORITHM\n");
		return CC_BOOT_IMG_VERIFIER_UNSUPPORTED_RSA_ALGORITHM;
	}
```
So from this, we are calling into code which is dealing with 3072-bit keys according to the comments and constant names, but TF-A uses 2048-bit keys?
Cheers,
Neil
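
A minimal model of the mismatch described in the message above, as an added example that is not TF-A or CryptoCell code: both enumerators are 0x01, so a gate that compares only the integer accepts the caller's `RSA_PSS_2048`. The names `lib_alg_gate`, `checked_gate` and the `LIB_*` codes are hypothetical, and the modulus-size guard is an assumption about what a caller could add, not a description of what the library does.

```c
#include <stddef.h>
#include <stdint.h>

/* Caller-side header: enumerator value as quoted from the TF-A header. */
enum caller_rsa_alg { CALLER_RSA_PSS_2048 = 0x01 };

/* Library-side header: enumerator value as quoted from the SBROM header. */
enum lib_rsa_alg { LIB_RSA_PSS_3072 = 0x01 };

/* Hypothetical result codes for this model only. */
enum { LIB_OK = 0, LIB_ERR_UNSUPPORTED_ALG = 1, LIB_ERR_KEY_SIZE = 2 };

/* Key size this modelled library build was compiled for (assumption). */
#define LIB_MODULUS_BITS 3072u

/*
 * Hypothetical stand-in for the library's algorithm gate. It receives an
 * integer, so the enumerator *name* used by the caller is invisible here.
 */
static int lib_alg_gate(uint32_t alg)
{
    return (alg != LIB_RSA_PSS_3072) ? LIB_ERR_UNSUPPORTED_ALG : LIB_OK;
}

/*
 * Hypothetical caller-side guard: in addition to the algorithm id, check
 * that the modulus actually handed over has the size the library expects.
 */
static int checked_gate(uint32_t alg, size_t modulus_bytes)
{
    int rc = lib_alg_gate(alg);

    if (rc != LIB_OK)
        return rc;
    if (modulus_bytes * 8u != LIB_MODULUS_BITS)
        return LIB_ERR_KEY_SIZE;
    return LIB_OK;
}
```

With a 256-byte (2048-bit) modulus the algorithm gate alone returns `LIB_OK`, while `checked_gate` reports `LIB_ERR_KEY_SIZE`.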