mcxa/html/a01150.html

/*--------------------------------------------------------------------------*/

/* Copyright 2024-2025 NXP                                                  */

/*                                                                          */

/* NXP Confidential and Proprietary. This software is owned or controlled   */

/* by NXP and may only be used strictly in accordance with the applicable   */

/* license terms.  By expressly accepting such terms or by downloading,     */

/* installing, activating and/or otherwise using the software, you are      */

/* agreeing that you have read, and that you agree to comply with and are   */

/* bound by, such license terms.  If you do not agree to be bound by the    */

/* applicable license terms, then you may not retain, install, activate or  */

/* otherwise use the software.                                              */

/*--------------------------------------------------------------------------*/


#include <mcuxClSession.h>

#include <mcuxClKey.h>

#include <mcuxClAes.h> // Interface to AES-related definitions and types

#include <mcuxCsslFlowProtection.h>

#include <mcuxClCore_FunctionIdentifiers.h> // Code flow protection

#include <mcuxClBuffer.h>

#include <mcuxClCore_Examples.h>

#include <mcuxClExample_Session_Helper.h>

#include <mcuxClExample_RNG_Helper.h>


// Test vector is taken from https://datatracker.ietf.org/doc/html/rfc3394

static const uint32_t keyData[MCUXCLAES_AES128_KEY_SIZE / 4U] = {

  0x33221100U, 0x77665544U, 0xBBAA9988U, 0xFFEEDDCCU

};


static const uint32_t kwk256Data[MCUXCLAES_AES256_KEY_SIZE / 4U] = {

  0x03020100U, 0x07060504U, 0x0B0A0908U, 0x0F0E0D0CU,

  0x13121110U, 0x17161514U, 0x1B1A1918U, 0x1F1E1D1CU

};


static const uint32_t expectedwrappedKeyData[MCUXCLAES_ENCODING_RFC3394_AES128_KEY_SIZE / 4U] = {

  0xF9C3E864U, 0xA25B0FCEU, 0x7977E963U, 0x2A8A8105U,

  0x1E19C893U, 0xE78A6E7DU

};


MCUXCLEXAMPLE_FUNCTION(mcuxClKey_Wrap_Rfc3394_Sgi_kwkAlreadyLoaded_example)

{

  /**************************************************************************/

  /* Preparation                                                            */

  /**************************************************************************/


  mcuxClSession_Descriptor_t sessionDesc;

  mcuxClSession_Handle_t session = &sessionDesc;


  /* Allocate and initialize session */

  MCUXCLEXAMPLE_ALLOCATE_AND_INITIALIZE_SESSION(session, MCUXCLEXAMPLE_MAX_WA(MCUXCLKEY_ENCODE_CPU_WA_SIZE, MCUXCLRANDOM_NCINIT_WACPU_SIZE), 0U);


  /* Initialize the PRNG */

  MCUXCLEXAMPLE_INITIALIZE_PRNG(session);


  /**************************************************************************/

  /* Load the Key data of the KWK to mimic that it is already loaded.       */

  /*                                                                        */

  /* !! ATTENTION !!                                                        */

  /*                                                                        */

  /* This step is only done to have some form of verification in this       */

  /* example for the end-result. It is never needed to call the             */

  /* mcuxClKey_loadCopro two times in a row (without a key flush in between) */

  /* in a real scenario.                                                    */

  /* The dummy key handle used here will be discarded after the load to SGI.*/

  /**************************************************************************/


  uint32_t dummyKwkDesc[MCUXCLKEY_DESCRIPTOR_SIZE_IN_WORDS];

  MCUX_CSSL_ANALYSIS_START_PATTERN_REINTERPRET_MEMORY_OF_OPAQUE_TYPES()

  mcuxClKey_Handle_t dummyKwk = (mcuxClKey_Handle_t) &dummyKwkDesc;

  MCUX_CSSL_ANALYSIS_STOP_PATTERN_REINTERPRET_MEMORY_OF_OPAQUE_TYPES()


  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(kid_status, kid_token, mcuxClKey_init(

    /* mcuxClSession_Handle_t session:        */ session,

    /* mcuxClKey_Handle_t key:                */ dummyKwk,

    /* mcuxClKey_Type_t type:                 */ mcuxClKey_Type_Aes256,

    /* uint8_t * pKeyData:                   */ (const uint8_t*)kwk256Data,

    /* uint32_t keyDataLength:               */ sizeof(kwk256Data))

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_init) != kid_token) || (MCUXCLKEY_STATUS_OK != kid_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  /* Load the key data into SGI */

  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(kld_status, kld_token, mcuxClKey_loadCopro(

    /* mcuxClSession_Handle_t session:      */ session,

    /* mcuxClKey_Handle_t key:              */ dummyKwk,

    /* uint32_t loadOptions:               */ MCUXCLKEY_LOADOPTION_SLOT_SGI_KEY_6)

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_loadCopro) != kld_token) || (MCUXCLKEY_STATUS_OK != kld_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  /**************************************************************************/

  /* Key Init and "load" the key-wrapping key                               */

  /**************************************************************************/


  uint32_t keyWrappingKeyDesc[MCUXCLKEY_DESCRIPTOR_SIZE_IN_WORDS];

  MCUX_CSSL_ANALYSIS_START_PATTERN_REINTERPRET_MEMORY_OF_OPAQUE_TYPES()

  mcuxClKey_Handle_t keyWrappingKey = (mcuxClKey_Handle_t) &keyWrappingKeyDesc;

  MCUX_CSSL_ANALYSIS_STOP_PATTERN_REINTERPRET_MEMORY_OF_OPAQUE_TYPES()


  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(kiKwk_status, kiKwk_token, mcuxClKey_init(

    /* mcuxClSession_Handle_t session:        */ session,

    /* mcuxClKey_Handle_t key:                */ keyWrappingKey,

    /* mcuxClKey_Type_t type:                 */ mcuxClKey_Type_Aes256,

    /* uint8_t * pKeyData:                   */ (uint8_t *) NULL, /* not needed, key is already loaded */

    /* uint32_t keyDataLength:               */ 0u /* not needed, key is already loaded */)

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_init) != kiKwk_token) || (MCUXCLKEY_STATUS_OK != kiKwk_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(klKwk_status, klKwk_token, mcuxClKey_loadCopro(

    /* mcuxClSession_Handle_t session:      */ session,

    /* mcuxClKey_Handle_t key:              */ keyWrappingKey,

    /* uint32_t loadOptions:               */ MCUXCLKEY_LOADOPTION_SLOT_SGI_KEY_6

                                              | MCUXCLKEY_LOADOPTION_ALREADYLOADED)

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_loadCopro) != klKwk_token) || (MCUXCLKEY_STATUS_OK != klKwk_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  /**************************************************************************/

  /* Key Init+Wrap using the Key_encode API                                 */

  /**************************************************************************/


  uint32_t keyDesc[MCUXCLKEY_DESCRIPTOR_SIZE_IN_WORDS];

  MCUX_CSSL_ANALYSIS_START_PATTERN_REINTERPRET_MEMORY_OF_OPAQUE_TYPES()

  mcuxClKey_Handle_t key = (mcuxClKey_Handle_t) &keyDesc;

  MCUX_CSSL_ANALYSIS_STOP_PATTERN_REINTERPRET_MEMORY_OF_OPAQUE_TYPES()

  uint8_t wrappedKeyData[MCUXCLAES_ENCODING_RFC3394_AES128_KEY_SIZE];

  uint32_t wrappedKeyLen = 0u;


  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(ke_status, ke_token, mcuxClKey_encode(

    /* mcuxClSession_Handle_t session:        */ session,

    /* mcuxClKey_Encoding_t encoding:         */ mcuxClAes_Encoding_Rfc3394,

    /* mcuxClKey_Handle_t encodedKey:         */ key,

    /* mcuxClKey_Type_t type:                 */ mcuxClKey_Type_Aes128,

    /* const uint8_t * pPlainKeyData:        */ (const uint8_t*)keyData,

    /* uint32_t plainKeyDataLength:          */ sizeof(keyData),

    /* const uint8_t * pAuxData:             */ (uint8_t*) keyWrappingKeyDesc,

    /* uint32_t auxDataLength:               */ sizeof(keyWrappingKeyDesc),

    /* uint8_t * pEncodedKeyData:            */ wrappedKeyData,

    /* uint32_t* const pEncodedKeyDataLength:*/ &wrappedKeyLen)

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_encode) != ke_token) || (MCUXCLKEY_STATUS_OK != ke_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  /**************************************************************************/

  /* Verification                                                           */

  /**************************************************************************/


  MCUX_CSSL_ANALYSIS_START_SUPPRESS_ALREADY_INITIALIZED("Initialized by mcuxClKey_encode")

  if(!mcuxClCore_assertEqual(wrappedKeyData, (const uint8_t*)expectedwrappedKeyData, sizeof(expectedwrappedKeyData)))

  MCUX_CSSL_ANALYSIS_STOP_SUPPRESS_ALREADY_INITIALIZED()

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }


  if (MCUXCLAES_ENCODING_RFC3394_AES128_KEY_SIZE != wrappedKeyLen)

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }


  /**************************************************************************/

  /* Crypto Operation                                                       */

  /**************************************************************************/


  /**************************************************************************/

  /* Flush the loaded keys                                                  */

  /**************************************************************************/


  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(kf1_status, kf1_token, mcuxClKey_flush(

    /* mcuxClSession_Handle_t session:      */ session,

    /* mcuxClKey_Handle_t key:              */ dummyKwk)

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_flush) != kf1_token) || (MCUXCLKEY_STATUS_OK != kf1_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(kf2_status, kf2_token, mcuxClKey_flush(

    /* mcuxClSession_Handle_t session:      */ session,

    /* mcuxClKey_Handle_t key:              */ keyWrappingKey)

  );


  if((MCUX_CSSL_FP_FUNCTION_CALLED(mcuxClKey_flush) != kf2_token) || (MCUXCLKEY_STATUS_OK != kf2_status))

  {

    return MCUXCLEXAMPLE_STATUS_ERROR;

  }

  MCUX_CSSL_FP_FUNCTION_CALL_END();


  /**************************************************************************/

  /* Destroy the current session                                            */

  /**************************************************************************/


  if(!mcuxClExample_Session_Clean(session))

  {

      return MCUXCLEXAMPLE_STATUS_ERROR;

  }


  return MCUXCLEXAMPLE_STATUS_OK;

}

mcuxClAes.h
Top-level include file for the mcuxClAes component.

mcuxClBuffer.h
Top-level include file for the mcuxClBuffer component.

mcuxClCore_FunctionIdentifiers.h
Definition of function identifiers for the flow protection mechanism.

mcuxClKey.h
Top-level include file for the mcuxClKey component.

mcuxClSession.h
Top-level include file for the mcuxClSession component.

mcuxCsslFlowProtection.h
Provides the API for the CSSL flow protection mechanism.

MCUXCLAES_ENCODING_RFC3394_AES128_KEY_SIZE
#define MCUXCLAES_ENCODING_RFC3394_AES128_KEY_SIZE
RFC3394 encoding of AES-128 key material, encoded key size in bytes.
Definition mcuxClAes_Constants.h:49

MCUXCLAES_AES128_KEY_SIZE
#define MCUXCLAES_AES128_KEY_SIZE
AES-128 key size in bytes.
Definition mcuxClAes_Constants.h:40

MCUXCLAES_AES256_KEY_SIZE
#define MCUXCLAES_AES256_KEY_SIZE
AES-256 key size in bytes.
Definition mcuxClAes_Constants.h:44

mcuxClAes_Encoding_Rfc3394
static const mcuxClKey_Encoding_t mcuxClAes_Encoding_Rfc3394
Key encoding for RFC3394 key wrap/unwrap.
Definition mcuxClAes_KeyEncodingMechanisms.h:47

mcuxClKey_Type_Aes256
static const mcuxClKey_Type_t mcuxClKey_Type_Aes256
Key type pointer for AES-256 based keys.
Definition mcuxClAes_KeyTypes.h:63

mcuxClKey_Type_Aes128
static const mcuxClKey_Type_t mcuxClKey_Type_Aes128
Key type pointer for AES-128 based keys.
Definition mcuxClAes_KeyTypes.h:51

MCUXCLKEY_STATUS_OK
#define MCUXCLKEY_STATUS_OK
Key operation successful.
Definition mcuxClKey_Constants.h:40

MCUXCLKEY_LOADOPTION_SLOT_SGI_KEY_6
#define MCUXCLKEY_LOADOPTION_SLOT_SGI_KEY_6
SGI key slot 6.
Definition mcuxClKey_Constants.h:178

MCUXCLKEY_LOADOPTION_ALREADYLOADED
#define MCUXCLKEY_LOADOPTION_ALREADYLOADED
Option: the key is already loaded; only set the fields in the key object.
Definition mcuxClKey_Constants.h:187

mcuxClKey_init
mcuxClKey_Status_t mcuxClKey_init(mcuxClSession_Handle_t session, mcuxClKey_Handle_t key, mcuxClKey_Type_t type, const uint8_t *pKeyData, uint32_t keyDataLength)
Initializes a key handle.

mcuxClKey_flush
mcuxClKey_Status_t mcuxClKey_flush(mcuxClSession_Handle_t session, mcuxClKey_Handle_t key)
Flush key from destination which can be a key slot of coprocessor or memory buffer.

mcuxClKey_loadCopro
mcuxClKey_Status_t mcuxClKey_loadCopro(mcuxClSession_Handle_t session, mcuxClKey_Handle_t key, uint32_t loadOptions)
Load key into destination key slot of a coprocessor.

mcuxClKey_encode
mcuxClKey_Status_t mcuxClKey_encode(mcuxClSession_Handle_t session, mcuxClKey_Encoding_t encoding, mcuxClKey_Handle_t encodedKey, mcuxClKey_Type_t type, const uint8_t *pPlainKeyData, uint32_t plainKeyDataLength, const uint8_t *pAuxData, uint32_t auxDataLength, uint8_t *pEncodedKeyData, uint32_t *const pEncodedKeyDataLength)
Key descriptor initialization function including applying a encoding mechanism.

mcuxClKey_Handle_t
mcuxClKey_Descriptor_t *const mcuxClKey_Handle_t
Key handle type.
Definition mcuxClKey_Types.h:91

mcuxClSession_Handle_t
mcuxClSession_Descriptor_t *const mcuxClSession_Handle_t
Type for mcuxClSession Handle.
Definition mcuxClSession_Types.h:98

MCUX_CSSL_FP_FUNCTION_CALL_BEGIN
#define MCUX_CSSL_FP_FUNCTION_CALL_BEGIN(...)
Call a flow protected function and check the protection token.
Definition mcuxCsslFlowProtection.h:623

MCUX_CSSL_FP_FUNCTION_CALLED
#define MCUX_CSSL_FP_FUNCTION_CALLED(...)
Expectation of a called function.
Definition mcuxCsslFlowProtection.h:777

MCUX_CSSL_FP_FUNCTION_CALL_END
#define MCUX_CSSL_FP_FUNCTION_CALL_END(...)
End a function call section started by MCUX_CSSL_FP_FUNCTION_CALL_BEGIN.
Definition mcuxCsslFlowProtection.h:658