Adds new STM32 Bare support for Hash, SAES/AES and PKA

Author: dgarske

.wolfssl_known_macro_extras

@@ -1,4 +1,8 @@
+AES_CR_CCFC
 AES_GCM_GMULT_NCT
+AES_ICR_CCF
+AES_ISR_CCF
+AES_SR_CCF
 AFX_RESOURCE_DLL
 AFX_TARG_ENU
 ALLOW_BINARY_MISMATCH_INTROSPECTION
@@ -266,7 +270,11 @@ HARDWARE_CACHE_COHERENCY
 HASH_AlgoMode_HASH
 HASH_AlgoMode_HMAC
 HASH_BYTE_SWAP
+HASH_CR_ALGO_1
+HASH_CR_DATATYPE_0
+HASH_CR_DATATYPE_1
 HASH_CR_LKEY
+HASH_CR_MODE
 HASH_DIGEST
 HASH_DataType_8b
 HASH_IMR_DCIE
@@ -496,6 +504,14 @@ PTHREAD_STACK_MIN
 QAT_ENABLE_HASH
 QAT_ENABLE_RNG
 QAT_USE_POLLING_CHECK
+RCC_AHB1ENR_PKAEN
+RCC_AHB2ENR1_AESEN
+RCC_AHB2ENR1_HASHEN
+RCC_AHB2ENR1_PKAEN
+RCC_AHB2ENR_HASHEN
+RCC_AHB2ENR_PKAEN
+RCC_AHB2ENR_SAESEN
+RCC_AHB3ENR_AESEN
 RC_NO_RNG
 REDIRECTION_IN3_KEYELMID
 REDIRECTION_IN3_KEYID
@@ -678,6 +694,11 @@ WC_SLHDSA_KERNEL_ASM
 WC_SLHDSA_NO_ASM
 WC_SLHDSA_VERBOSE_DEBUG
 WC_SSIZE_TYPE
+WC_STM32_AES_CLK_ENABLE_INST
+WC_STM32_AES_INST
+WC_STM32_HAS_DHUK
+WC_STM32_SAES_CLK_DISABLE
+WC_STM32_SAES_CLK_ENABLE
 WC_STRICT_SIG
 WC_USE_PIE_FENCEPOSTS_FOR_FIPS
 WC_WANT_FLAG_DONT_USE_VECTOR_OPS
@@ -739,6 +760,9 @@ WOLFSSL_CLANG_TIDY
 WOLFSSL_CLIENT_EXAMPLE
 WOLFSSL_CONTIKI
 WOLFSSL_CRL_ALLOW_MISSING_CDP
+WOLFSSL_DHUK
+WOLFSSL_DHUK_DEVID
+WOLFSSL_DHUK_WRAPPED_DEVID
 WOLFSSL_DILITHIUM_ASSIGN_KEY
 WOLFSSL_DILITHIUM_NO_ASN1
 WOLFSSL_DILITHIUM_NO_CHECK_KEY
@@ -895,6 +919,7 @@ WOLFSSL_RNG_USE_FULL_SEED
 WOLFSSL_RSA_CHECK_D_ON_DECRYPT
 WOLFSSL_RSA_DECRYPT_TO_0_LEN
 WOLFSSL_RW_THREADED
+WOLFSSL_SAES_DEVID
 WOLFSSL_SAKKE_SMALL
 WOLFSSL_SAKKE_SMALL_MODEXP
 WOLFSSL_SE050_AUTO_ERASE
@@ -920,8 +945,11 @@ WOLFSSL_SP_ARM32_UDIV
 WOLFSSL_SP_FAST_NCT_EXPTMOD
 WOLFSSL_SP_INT_SQR_VOLATILE
 WOLFSSL_STACK_CHECK
+WOLFSSL_STM32C5
 WOLFSSL_STM32F427_RNG
 WOLFSSL_STM32U5_DHUK
+WOLFSSL_STM32_BARE
+WOLFSSL_STM32_USE_SAES
 WOLFSSL_STRONGEST_HASH_SIG
 WOLFSSL_STSAFE_TAKES_SLOT
 WOLFSSL_TELIT_M2MB

wolfcrypt/src/aes.c

@@ -227,6 +227,16 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
     static WARN_UNUSED_RESULT int wc_AesEncrypt(
         Aes* aes, const byte* inBlock, byte* outBlock)
     {
+    #ifdef WOLFSSL_STM32_BARE
+        /* Bare-metal driver handles mutex, clock and key/IV internally. */
+    #ifdef WOLFSSL_DHUK
+        if (aes->devId == WOLFSSL_DHUK_WRAPPED_DEVID) {
+            return wc_Stm32_Aes_DhukOp(aes, outBlock, inBlock,
+                                       WC_AES_BLOCK_SIZE, 1 /* encrypt */);
+        }
+    #endif
+        return wc_Stm32_Aes_Ecb(aes, outBlock, inBlock, WC_AES_BLOCK_SIZE, 1);
+    #else
         int ret = 0;
     #ifdef WOLFSSL_STM32_CUBEMX
         CRYP_HandleTypeDef hcryp;
@@ -241,13 +251,13 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
             return ret;
 #endif
 
-    #ifdef WOLFSSL_STM32U5_DHUK
+    #ifdef WOLFSSL_DHUK
         ret = wolfSSL_CryptHwMutexLock();
         if (ret != 0)
             return ret;
 
         /* Handle making use of wrapped key */
-        if (aes->devId == WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID) {
+        if (aes->devId == WOLFSSL_DHUK_WRAPPED_DEVID) {
             CRYP_ConfigTypeDef Config = {0};
 
             ret = wc_Stm32_Aes_UnWrap(aes, &hcryp, (const byte*)aes->key,
@@ -367,6 +377,7 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
         wc_Stm32_Aes_Cleanup();
 
         return ret;
+    #endif /* !WOLFSSL_STM32_BARE */
     }
 #endif /* WOLFSSL_AES_DIRECT || HAVE_AESGCM || HAVE_AESCCM */
 
@@ -375,6 +386,15 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
     static WARN_UNUSED_RESULT int wc_AesDecrypt(
         Aes* aes, const byte* inBlock, byte* outBlock)
     {
+    #ifdef WOLFSSL_STM32_BARE
+    #ifdef WOLFSSL_DHUK
+        if (aes->devId == WOLFSSL_DHUK_WRAPPED_DEVID) {
+            return wc_Stm32_Aes_DhukOp(aes, outBlock, inBlock,
+                                       WC_AES_BLOCK_SIZE, 0 /* decrypt */);
+        }
+    #endif
+        return wc_Stm32_Aes_Ecb(aes, outBlock, inBlock, WC_AES_BLOCK_SIZE, 0);
+    #else
         int ret = 0;
     #ifdef WOLFSSL_STM32_CUBEMX
         CRYP_HandleTypeDef hcryp;
@@ -389,13 +409,13 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
             return ret;
 #endif
 
-    #ifdef WOLFSSL_STM32U5_DHUK
+    #ifdef WOLFSSL_DHUK
         ret = wolfSSL_CryptHwMutexLock();
         if (ret != 0)
             return ret;
 
         /* Handle making use of wrapped key */
-        if (aes->devId == WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID) {
+        if (aes->devId == WOLFSSL_DHUK_WRAPPED_DEVID) {
             CRYP_ConfigTypeDef Config;
 
             XMEMSET(&Config, 0, sizeof(Config));
@@ -521,6 +541,7 @@ block cipher mechanism that uses n-bit binary string parameter key with 128-bits
         wc_Stm32_Aes_Cleanup();
 
         return ret;
+    #endif /* !WOLFSSL_STM32_BARE */
     }
     #endif /* WOLFSSL_AES_DIRECT */
 #endif /* HAVE_AES_DECRYPT */
@@ -5576,7 +5597,34 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
 #ifdef HAVE_AES_CBC
 #if defined(STM32_CRYPTO)
 
-#ifdef WOLFSSL_STM32U5_DHUK
+#ifdef WOLFSSL_STM32_BARE
+    int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+    #ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
+        if (sz % WC_AES_BLOCK_SIZE) {
+            return BAD_LENGTH_E;
+        }
+    #endif
+        if (sz == 0) {
+            return 0;
+        }
+        return wc_Stm32_Aes_Cbc(aes, out, in, sz, 1);
+    }
+    #ifdef HAVE_AES_DECRYPT
+    int wc_AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
+    {
+    #ifdef WOLFSSL_AES_CBC_LENGTH_CHECKS
+        if (sz % WC_AES_BLOCK_SIZE) {
+            return BAD_LENGTH_E;
+        }
+    #endif
+        if (sz == 0) {
+            return 0;
+        }
+        return wc_Stm32_Aes_Cbc(aes, out, in, sz, 0);
+    }
+    #endif /* HAVE_AES_DECRYPT */
+#elif defined(WOLFSSL_DHUK)
     int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
     {
         int ret = 0;
@@ -5596,7 +5644,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
             return ret;
         }
 
-        if (aes->devId == WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID) {
+        if (aes->devId == WOLFSSL_DHUK_WRAPPED_DEVID) {
             CRYP_ConfigTypeDef Config;
 
             XMEMSET(&Config, 0, sizeof(Config));
@@ -5662,7 +5710,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
             return ret;
         }
 
-        if (aes->devId == WOLFSSL_STM32U5_DHUK_WRAPPED_DEVID) {
+        if (aes->devId == WOLFSSL_DHUK_WRAPPED_DEVID) {
             CRYP_ConfigTypeDef Config;
 
             XMEMSET(&Config, 0, sizeof(Config));
@@ -6956,6 +7004,11 @@ int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
 
         int wc_AesCtrEncryptBlock(Aes* aes, byte* out, const byte* in)
         {
+        #ifdef WOLFSSL_STM32_BARE
+            /* CTR per-block transform: ECB-encrypt the counter (passed in
+             * 'in'); aes.c handles counter increment and XOR with plaintext. */
+            return wc_Stm32_Aes_Ecb(aes, out, in, WC_AES_BLOCK_SIZE, 1);
+        #else
             int ret = 0;
         #ifdef WOLFSSL_STM32_CUBEMX
             CRYP_HandleTypeDef hcryp;
@@ -7066,6 +7119,7 @@ int wc_AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
             wolfSSL_CryptHwMutexUnLock();
             wc_Stm32_Aes_Cleanup();
             return ret;
+        #endif /* !WOLFSSL_STM32_BARE */
         }
 
 
@@ -10142,6 +10196,15 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
         authIn, authInSz);
 #endif
 
+#if defined(WOLFSSL_STM32_BARE) && defined(STM32_CRYPTO)
+    ret = wc_Stm32_Aes_Gcm(aes, out, in, sz, iv, ivSz,
+                           authTag, authTagSz,
+                           authIn, authInSz, 1 /* enc */);
+    if (ret != WC_NO_ERR_TRACE(CRYPTOCB_UNAVAILABLE))
+        return ret;
+    /* fall through to SW GCM (still uses HW AES via wc_AesEncrypt) */
+#endif /* WOLFSSL_STM32_BARE && STM32_CRYPTO */
+
 #ifdef STM32_CRYPTO_AES_GCM
     return wc_AesGcmEncrypt_STM32(
         aes, out, in, sz, iv, ivSz,
@@ -10871,6 +10934,10 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
 
 #endif
 
+    /* BARE: GCM decrypt always uses SW path (with HW AES blocks via
+     * wc_AesEncrypt). Encrypt is HW-accelerated above; decrypt + tag
+     * verification stays in well-tested SW for now. */
+
 #ifdef STM32_CRYPTO_AES_GCM
     /* The STM standard peripheral library API's doesn't support partial blocks */
     return wc_AesGcmDecrypt_STM32(
@@ -13695,7 +13762,7 @@ int wc_AesInit(Aes* aes, void* heap, int devId)
 
     aes->heap = heap;
 
-#if defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_STM32U5_DHUK)
+#if defined(WOLF_CRYPTO_CB) || defined(WOLFSSL_DHUK)
     aes->devId = devId;
     aes->devCtx = NULL;
 #else

wolfcrypt/src/ecc.c

@@ -286,8 +286,12 @@ ECC Curve Sizes:
 #if !defined(WOLFSSL_ATECC508A) && !defined(WOLFSSL_ATECC608A) && \
     !defined(WOLFSSL_CRYPTOCELL) && !defined(WOLFSSL_SILABS_SE_ACCEL) && \
     !defined(WOLFSSL_KCAPI_ECC) && !defined(WOLFSSL_SE050) && \
-    !defined(WOLFSSL_XILINX_CRYPT_VERSAL) && !defined(WOLFSSL_STM32_PKA) && \
+    !defined(WOLFSSL_XILINX_CRYPT_VERSAL) && \
+    !(defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_STM32_BARE)) && \
     !defined(WOLFSSL_PSOC6_CRYPTO)
+    /* WOLFSSL_STM32_BARE+PKA still uses the SW ECDSA helper paths
+     * (sign/verify) since the bare-metal driver only implements ECCMul
+     * HW; the SP-less SW ECDSA fallback then drives that HW. */
     #undef  HAVE_ECC_VERIFY_HELPER
     #define HAVE_ECC_VERIFY_HELPER
 #endif
@@ -6947,7 +6951,12 @@ static int deterministic_sign_helper(const byte* in, word32 inlen, ecc_key* key)
 #endif /* WOLFSSL_ECDSA_DETERMINISTIC_K ||
           WOLFSSL_ECDSA_DETERMINISTIC_K_VARIANT */
 
-#if defined(WOLFSSL_STM32_PKA)
+/* Under WOLFSSL_STM32_BARE the bare-metal PKA driver implements only
+ * ECCMul HW (the building block used by ECDH and the SP-less SW ECDSA
+ * path). HW ECDSA sign/verify is intentionally not wired up in v1 of
+ * the bare driver -- fall back to the standard SW ECDSA which itself
+ * calls wc_ecc_mulmod_ex2() (HW-accelerated). */
+#if defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_STM32_BARE)
 int wc_ecc_sign_hash_ex(const byte* in, word32 inlen, WC_RNG* rng,
                      ecc_key* key, mp_int *r, mp_int *s)
 {
@@ -8763,7 +8772,8 @@ int wc_ecc_verify_hash(const byte* sig, word32 siglen, const byte* hash,
 
 #ifndef WOLF_CRYPTO_CB_ONLY_ECC
 
-#if !defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_PSOC6_CRYPTO) && \
+#if !(defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_STM32_BARE)) && \
+    !defined(WOLFSSL_PSOC6_CRYPTO) && \
     !defined(WOLF_CRYPTO_CB_ONLY_ECC)
 static int wc_ecc_check_r_s_range(ecc_key* key, mp_int* r, mp_int* s)
 {
@@ -9279,7 +9289,10 @@ static int ecc_verify_hash(mp_int *r, mp_int *s, const byte* hash,
 int wc_ecc_verify_hash_ex(mp_int *r, mp_int *s, const byte* hash,
                     word32 hashlen, int* res, ecc_key* key)
 {
-#if defined(WOLFSSL_STM32_PKA)
+#if defined(WOLFSSL_STM32_PKA) && !defined(WOLFSSL_STM32_BARE)
+    /* See comment above wc_ecc_sign_hash_ex(): BARE uses SW ECDSA
+     * verify which internally accelerates the scalar muls via the
+     * bare-metal HW wc_ecc_mulmod_ex2(). */
     return stm32_ecc_verify_hash_ex(r, s, hash, hashlen, res, key);
 #elif defined(WOLFSSL_PSOC6_CRYPTO)
     return psoc6_ecc_verify_hash_ex(r, s, hash, hashlen, res, key);