diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 34cde62..c9f34cd 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -21,7 +21,7 @@ jobs: run: | git clone https://github.com/rdkcentral/tasecureapi.git tasecureapi cd tasecureapi - cmake -S reference -B reference/cmake-build + cmake -S reference -B reference/cmake-build -DENABLE_SVP=ON cmake --build reference/cmake-build sudo cmake --install reference/cmake-build - name: Config diff --git a/CMakeLists.txt b/CMakeLists.txt index 837648c..661d2d4 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -17,6 +17,7 @@ cmake_minimum_required(VERSION 3.16) project(sec_api_2_adapter C CXX) +option(ENABLE_SVP "Enable SVP (Secure Video Path) support" ON) option(ENABLE_SOC_PROVISION_WIDEVINE "Enable Widevine Provisioning" OFF) option(ENABLE_SOC_PROVISION_PLAYREADY_2K "Enable PlayReady Model 2K Provisioning" OFF) option(ENABLE_SOC_PROVISION_PLAYREADY_3K "Enable PlayReady Model 3K Provisioning" OFF) @@ -48,6 +49,13 @@ else() message("clang-tidy disabled") endif () +if (ENABLE_SVP) + set(CMAKE_CXX_FLAGS "-DENABLE_SVP ${CMAKE_CXX_FLAGS}") + set(CMAKE_C_FLAGS "-DENABLE_SVP ${CMAKE_C_FLAGS}") +else() + message(STATUS "ENABLE_SVP is OFF: Building without SVP support") +endif() + if (DEFINED ENABLE_SOC_KEY_TESTS) set(CMAKE_CXX_FLAGS "-DENABLE_SOC_KEY_TESTS ${CMAKE_CXX_FLAGS}") set(CMAKE_C_FLAGS "-DENABLE_SOC_KEY_TESTS ${CMAKE_C_FLAGS}") diff --git a/include/sec_security_svp.h b/include/sec_security_svp.h index b1af5c9..532ff97 100644 --- a/include/sec_security_svp.h +++ b/include/sec_security_svp.h @@ -28,6 +28,7 @@ extern "C" { #endif +#ifdef ENABLE_SVP typedef struct svp_processor_buffer_struct { Sec_ProcessorHandle* processorHandle; sa_svp_buffer svp_buffer; @@ -52,6 +53,7 @@ Sec_Result SecOpaqueBuffer_CopyByIndex(Sec_OpaqueBufferHandle* outOpaqueBufferHa Sec_Result SecOpaqueBuffer_Create(Sec_OpaqueBufferHandle** opaqueBufferHandle, void* svp_memory, SEC_SIZE bufLength); sa_svp_buffer get_svp_buffer(Sec_ProcessorHandle* processorHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle); void release_svp_buffer(Sec_ProcessorHandle* processorHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle); +#endif // ENABLE_SVP #ifdef __cplusplus } diff --git a/src/sec_adapter_cipher.c b/src/sec_adapter_cipher.c index 1704e09..9216748 100644 --- a/src/sec_adapter_cipher.c +++ b/src/sec_adapter_cipher.c @@ -411,6 +411,10 @@ Sec_Result SecCipher_ProcessFragmented(Sec_CipherHandle* cipherHandle, SEC_BYTE* */ Sec_Result SecCipher_ProcessOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBufferHandle* inOpaqueBufferHandle, Sec_OpaqueBufferHandle* outOpaqueBufferHandle, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_SIZE* bytesWritten) { +#ifndef ENABLE_SVP + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +#else CHECK_HANDLE(cipherHandle) if (inOpaqueBufferHandle == NULL) { SEC_LOG_ERROR("Invalid inputHandle"); @@ -476,6 +480,7 @@ Sec_Result SecCipher_ProcessOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBuf } return SEC_RESULT_SUCCESS; +#endif // ENABLE_SVP } Sec_Result SecCipher_ProcessCtrWithOpaqueDataShift(Sec_CipherHandle* cipherHandle, @@ -495,7 +500,10 @@ Sec_Result SecCipher_ProcessCtrWithOpaqueDataShift(Sec_CipherHandle* cipherHandl */ Sec_Result SecCipher_KeyCheckOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle, SEC_SIZE checkLength, SEC_BYTE* expected) { - +#ifndef ENABLE_SVP + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +#else #if MIN_SA_VERSION(3, 1, 2) return SEC_RESULT_UNIMPLEMENTED_FEATURE; #else @@ -532,6 +540,7 @@ Sec_Result SecCipher_KeyCheckOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBu CHECK_STATUS(status) return SEC_RESULT_SUCCESS; #endif +#endif // ENABLE_SVP } /** @@ -910,7 +919,10 @@ SEC_BOOL SecCipher_IsDecrypt(Sec_CipherMode mode) { Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, SEC_BYTE* input, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, Sec_OpaqueBufferHandle** opaqueBufferHandle, SEC_SIZE* bytesWritten) { - +#ifndef ENABLE_SVP + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +#else if (cipherHandle == NULL) { SEC_LOG_ERROR("NULL cipherHandle"); return SEC_RESULT_FAILURE; @@ -1000,12 +1012,16 @@ Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BY *bytesWritten = out_buffer.context.svp.offset; return SEC_RESULT_SUCCESS; +#endif // ENABLE_SVP } Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, SEC_BYTE* input, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE numEncryptedBlocks, SEC_SIZE numClearBlocks, Sec_OpaqueBufferHandle** opaqueBufferHandle, SEC_SIZE* bytesWritten) { - +#ifndef ENABLE_SVP + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +#else if (cipherHandle == NULL) { SEC_LOG_ERROR("NULL cipherHandle"); return SEC_RESULT_FAILURE; @@ -1094,11 +1110,15 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand *bytesWritten = out_buffer.context.svp.offset; return SEC_RESULT_SUCCESS; +#endif // ENABLE_SVP } Sec_Result SecCipher_ProcessOpaqueWithMapAndHandle(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, uint32_t secureBufferHandle, SEC_BYTE* input, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE* bytesWritten) { - +#ifndef ENABLE_SVP + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +#else if (cipherHandle == NULL) { SEC_LOG_ERROR("NULL cipherHandle"); return SEC_RESULT_FAILURE; @@ -1199,6 +1219,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndHandle(Sec_CipherHandle* cipherHandl *bytesWritten = out_buffer.context.svp.offset; return SEC_RESULT_SUCCESS; +#endif // ENABLE_SVP } Sec_Result get_cipher_algorithm(const Sec_CipherAlgorithm algorithm, SEC_BOOL is_unwrap, diff --git a/src/sec_adapter_processor.c b/src/sec_adapter_processor.c index 08cde8e..f7db790 100644 --- a/src/sec_adapter_processor.c +++ b/src/sec_adapter_processor.c @@ -377,8 +377,10 @@ Sec_Result SecProcessor_Release(Sec_ProcessorHandle* processorHandle) { pthread_mutex_unlock(&mutex); +#ifdef ENABLE_SVP while (processorHandle->opaque_buffer_handle != NULL) release_svp_buffer(processorHandle, processorHandle->opaque_buffer_handle->opaqueBufferHandle); +#endif // ENABLE_SVP /* release ram keys */ while (processorHandle->ram_keys != NULL) @@ -579,6 +581,7 @@ void sa_process_command(sa_command* command) { va_arg(*command->arguments, void*)); break; +#ifdef ENABLE_SVP case SA_SVP_BUFFER_CREATE: command->result = sa_svp_buffer_create(va_arg(*command->arguments, sa_svp_buffer*), va_arg(*command->arguments, void*), va_arg(*command->arguments, size_t)); @@ -617,6 +620,7 @@ void sa_process_command(sa_command* command) { va_arg(*command->arguments, sa_digest_algorithm), va_arg(*command->arguments, void*), va_arg(*command->arguments, size_t)); break; +#endif // ENABLE_SVP case SA_PROCESS_COMMON_ENCRYPTION: command->result = sa_process_common_encryption(va_arg(*command->arguments, size_t), diff --git a/src/sec_adapter_svp.c b/src/sec_adapter_svp.c index a06beb4..a7a189c 100644 --- a/src/sec_adapter_svp.c +++ b/src/sec_adapter_svp.c @@ -16,9 +16,11 @@ * SPDX-License-Identifier: Apache-2.0 */ -#include "sa_svp.h" #include "sec_security_svp.h" // NOLINT +#ifdef ENABLE_SVP +#include "sa_svp.h" + sa_svp_buffer get_svp_buffer(Sec_ProcessorHandle* processorHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle) { if (processorHandle == NULL || opaqueBufferHandle == NULL) return INVALID_HANDLE; @@ -376,3 +378,61 @@ Sec_Result SecOpaqueBuffer_CopyByIndex(Sec_OpaqueBufferHandle* outOpaqueBufferHa CHECK_STATUS(status) return SEC_RESULT_SUCCESS; } + +#else // ENABLE_SVP + +// Stub implementations when SVP is disabled + +// Deprecated +Sec_Result Sec_OpaqueBufferMalloc(SEC_SIZE bufLength, void** handle, void* params) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecOpaqueBuffer_Malloc(SEC_SIZE bufLength, Sec_OpaqueBufferHandle** opaqueBufferHandle) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result Sec_OpaqueBufferWrite(Sec_OpaqueBufferHandle* opaqueBufferHandle, SEC_SIZE offset, void* data, + SEC_SIZE length) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecOpaqueBuffer_Write(Sec_OpaqueBufferHandle* opaqueBufferHandle, SEC_SIZE offset, SEC_BYTE* data, + SEC_SIZE length) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result Sec_OpaqueBufferFree(Sec_OpaqueBufferHandle* opaqueBufferHandle, void* params) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecOpaqueBuffer_Free(Sec_OpaqueBufferHandle* opaqueBufferHandle) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecOpaqueBuffer_Copy(Sec_OpaqueBufferHandle* outOpaqueBufferHandle, SEC_SIZE out_offset, + Sec_OpaqueBufferHandle* inOpaqueBufferHandle, SEC_SIZE in_offset, SEC_SIZE num_to_copy) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecOpaqueBuffer_Release(Sec_OpaqueBufferHandle* opaqueBufferHandle, Sec_ProtectedMemHandle** svpHandle) { + SEC_LOG_ERROR("SVP not supported"); + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecCodeIntegrity_SecureBootEnabled(void) { + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +Sec_Result SecSVP_SetTime(time_t time) { + return SEC_RESULT_UNIMPLEMENTED_FEATURE; +} + +#endif // ENABLE_SVP diff --git a/test/main/cpp/sec_api_utest_main.cpp b/test/main/cpp/sec_api_utest_main.cpp index bdc7f59..1e58f68 100644 --- a/test/main/cpp/sec_api_utest_main.cpp +++ b/test/main/cpp/sec_api_utest_main.cpp @@ -1440,7 +1440,9 @@ int testIt(int argc, char* argv[]) { // NOLINT EC_SIGNATURE_TESTS(&suite, TESTKEY_EC_PUB, TESTKEY_EC_PRIV, TESTKC_GENERATED, 128); EC_SIGNATURE_TESTS(&suite, TESTKEY_EC_PUB, TESTKEY_EC_PRIV, TESTKC_EXPORTED, 128); - OPAQUE_WITH_MAP_TESTS(&suite, TESTKEY_AES128, TESTKC_RAW, SEC_STORAGELOC_RAM); + if (TestCreds::supports(CAPABILITY_SVP)) { + OPAQUE_WITH_MAP_TESTS(&suite, TESTKEY_AES128, TESTKC_RAW, SEC_STORAGELOC_RAM); + } runWrappedTests(&suite); diff --git a/test/openssl/src/test_creds_soc.cpp b/test/openssl/src/test_creds_soc.cpp index b5e1e42..a104a61 100644 --- a/test/openssl/src/test_creds_soc.cpp +++ b/test/openssl/src/test_creds_soc.cpp @@ -211,6 +211,10 @@ Sec_Result TestCreds::preprovisionSoc(TestCtx* ctx) { bool TestCreds::supports(Capability cap) { //return whether a specific capability is supported in the target soc +#ifndef ENABLE_SVP + if (cap == CAPABILITY_SVP) + return false; +#endif #ifdef ENABLE_SOC_KEY_TESTS return cap != CAPABILITY_HKDF_CMAC; #else