rpifwcrypto: Initial revision #139
Open
+833
−3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@roliver-rpi Adding early draft PR here so that we can start integrating this in parallel with firmware dependencies. |
|
Firmware changes are now merged (but not released) |
Client side library and application for the Raspberry Pi firmware cryptography service. The firmware mailbox based crypto service provides limited support for cryptographic operations using a ECDSA P-256 stored in OTP (using rpi-otp-private-key). The current operations are * Get number of OTP keys * Get status for key * Set status for a key (runtime lock) * ECDSA SHA256 signature * HMAC SHA256 (max message size 2KB) e.g. LUKS passphrase = HMAC(device-unique-ley, serial64 + EMMC CID) rpifwcrypto is a command line application designed to allow the crypto operations to be easily used in shell scripts. rpifwcrypto.h provides a library interface so that this can be embedded in other applications. Direct usage of mailbox API (vcmailbox) is not recommended because this is a new feature and the mailbox API is not frozen.
pelwell
approved these changes
Aug 15, 2025
| # Find GnuTLS package | ||
| find_package(GnuTLS REQUIRED) | ||
|
|
||
| add_compile_definitions(LIBRARY_BUILD=1) |
There was a problem hiding this comment.
This line is a hangover from the original - pinctrl or piolib, I imagine - and appears not to be used here.
| install(TARGETS rpi-fw-crypto RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}) | ||
| install(TARGETS rpifwcrypto | ||
| ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} | ||
| PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}) |
| mbox_close(mb); | ||
|
|
||
| return (rc < 0) ? rc : RPI_FW_CRYPTO_SUCCESS; | ||
| } |
| } | ||
| #endif | ||
|
|
||
| #endif /* RPI_FW_CRYPTO_H */ |
| @@ -74,7 +74,6 @@ static void mbox_close(int file_desc) { | |||
| close(file_desc); | |||
| } | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Is this intentional? If so, there's another double-blank on lines 57-58.
| return rc; | ||
|
|
||
| if (msg.resp.length > sig_max_len) | ||
| { |
There was a problem hiding this comment.
This brace usage doesn't match the rest of this code, but there are other examples.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Client side library and application for the Raspberry Pi firmware cryptography service. The firmware mailbox based crypto service provides limited support for cryptographic operations using a ECDSA p256 private core stored in OTP (using rpi-otp-private-key).
The current operations are
rpifwcrypto is a command line application designed to allow the
crypto operations to be easily used in shell scripts.
rpifwcrypto.h provides a library interface so that this can be
embedded in other applications.
Direct usage of mailbox API (vcmailbox) is not recommended
because this is a new feature and the mailbox API is not frozen.