Issue #70: Disable SVP with build flag

.github/workflows/ci.yaml

@@ -21,7 +21,7 @@ jobs:
       run: |
         git clone https://github.com/rdkcentral/tasecureapi.git tasecureapi
         cd tasecureapi
-        cmake -S reference -B reference/cmake-build
+        cmake -S reference -B reference/cmake-build -DENABLE_SVP=ON
         cmake --build reference/cmake-build
         sudo cmake --install reference/cmake-build
     - name: Config

CMakeLists.txt

@@ -17,6 +17,7 @@
 cmake_minimum_required(VERSION 3.16)
 project(sec_api_2_adapter C CXX)
 
+option(ENABLE_SVP                          "Enable SVP (Secure Video Path) support" ON)
 option(ENABLE_SOC_PROVISION_WIDEVINE       "Enable Widevine Provisioning" OFF)
 option(ENABLE_SOC_PROVISION_PLAYREADY_2K   "Enable PlayReady Model 2K Provisioning" OFF)
 option(ENABLE_SOC_PROVISION_PLAYREADY_3K   "Enable PlayReady Model 3K Provisioning" OFF)
@@ -48,6 +49,13 @@ else()
     message("clang-tidy disabled")
 endif ()
 
+if (ENABLE_SVP)
+    set(CMAKE_CXX_FLAGS "-DENABLE_SVP ${CMAKE_CXX_FLAGS}")
+    set(CMAKE_C_FLAGS "-DENABLE_SVP ${CMAKE_C_FLAGS}")
+else()
+    message(STATUS "ENABLE_SVP is OFF: Building without SVP support")
+endif()
+
 if (DEFINED ENABLE_SOC_KEY_TESTS)
     set(CMAKE_CXX_FLAGS "-DENABLE_SOC_KEY_TESTS ${CMAKE_CXX_FLAGS}")
     set(CMAKE_C_FLAGS "-DENABLE_SOC_KEY_TESTS ${CMAKE_C_FLAGS}")

include/sec_security_svp.h

@@ -28,6 +28,7 @@
 extern "C" {
 #endif
 
+#ifdef ENABLE_SVP
 typedef struct svp_processor_buffer_struct {
     Sec_ProcessorHandle* processorHandle;
     sa_svp_buffer svp_buffer;
@@ -52,6 +53,7 @@ Sec_Result SecOpaqueBuffer_CopyByIndex(Sec_OpaqueBufferHandle* outOpaqueBufferHa
 Sec_Result SecOpaqueBuffer_Create(Sec_OpaqueBufferHandle** opaqueBufferHandle, void* svp_memory, SEC_SIZE bufLength);
 sa_svp_buffer get_svp_buffer(Sec_ProcessorHandle* processorHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle);
 void release_svp_buffer(Sec_ProcessorHandle* processorHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle);
+#endif // ENABLE_SVP
 
 #ifdef __cplusplus
 }

src/sec_adapter_cipher.c

@@ -411,6 +411,10 @@ Sec_Result SecCipher_ProcessFragmented(Sec_CipherHandle* cipherHandle, SEC_BYTE*
  */
 Sec_Result SecCipher_ProcessOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBufferHandle* inOpaqueBufferHandle,
         Sec_OpaqueBufferHandle* outOpaqueBufferHandle, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_SIZE* bytesWritten) {
+#ifndef ENABLE_SVP
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+#else
     CHECK_HANDLE(cipherHandle)
     if (inOpaqueBufferHandle == NULL) {
         SEC_LOG_ERROR("Invalid inputHandle");
@@ -476,6 +480,7 @@ Sec_Result SecCipher_ProcessOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBuf
     }
 
     return SEC_RESULT_SUCCESS;
+#endif // ENABLE_SVP
 }
 
 Sec_Result SecCipher_ProcessCtrWithOpaqueDataShift(Sec_CipherHandle* cipherHandle,
@@ -495,7 +500,10 @@ Sec_Result SecCipher_ProcessCtrWithOpaqueDataShift(Sec_CipherHandle* cipherHandl
  */
 Sec_Result SecCipher_KeyCheckOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle,
         SEC_SIZE checkLength, SEC_BYTE* expected) {
-
+#ifndef ENABLE_SVP
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+#else
 #if MIN_SA_VERSION(3, 1, 2)
     return SEC_RESULT_UNIMPLEMENTED_FEATURE;
 #else
@@ -532,6 +540,7 @@ Sec_Result SecCipher_KeyCheckOpaque(Sec_CipherHandle* cipherHandle, Sec_OpaqueBu
     CHECK_STATUS(status)
     return SEC_RESULT_SUCCESS;
 #endif
+#endif // ENABLE_SVP
 }
 
 /**
@@ -910,7 +919,10 @@ SEC_BOOL SecCipher_IsDecrypt(Sec_CipherMode mode) {
 Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, SEC_BYTE* input,
         SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength,
         Sec_OpaqueBufferHandle** opaqueBufferHandle, SEC_SIZE* bytesWritten) {
-
+#ifndef ENABLE_SVP
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+#else
     if (cipherHandle == NULL) {
         SEC_LOG_ERROR("NULL cipherHandle");
         return SEC_RESULT_FAILURE;
@@ -1000,12 +1012,16 @@ Sec_Result SecCipher_ProcessOpaqueWithMap(Sec_CipherHandle* cipherHandle, SEC_BY
 
     *bytesWritten = out_buffer.context.svp.offset;
     return SEC_RESULT_SUCCESS;
+#endif // ENABLE_SVP
 }
 
 Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, SEC_BYTE* input,
         SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE numEncryptedBlocks,
         SEC_SIZE numClearBlocks, Sec_OpaqueBufferHandle** opaqueBufferHandle, SEC_SIZE* bytesWritten) {
-
+#ifndef ENABLE_SVP
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+#else
     if (cipherHandle == NULL) {
         SEC_LOG_ERROR("NULL cipherHandle");
         return SEC_RESULT_FAILURE;
@@ -1094,11 +1110,15 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndPattern(Sec_CipherHandle* cipherHand
 
     *bytesWritten = out_buffer.context.svp.offset;
     return SEC_RESULT_SUCCESS;
+#endif // ENABLE_SVP
 }
 
 Sec_Result SecCipher_ProcessOpaqueWithMapAndHandle(Sec_CipherHandle* cipherHandle, SEC_BYTE* iv, uint32_t secureBufferHandle,
         SEC_BYTE* input, SEC_SIZE inputSize, SEC_BOOL lastInput, SEC_MAP* map, SEC_SIZE mapLength, SEC_SIZE* bytesWritten) {
-
+#ifndef ENABLE_SVP
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+#else
     if (cipherHandle == NULL) {
         SEC_LOG_ERROR("NULL cipherHandle");
         return SEC_RESULT_FAILURE;
@@ -1199,6 +1219,7 @@ Sec_Result SecCipher_ProcessOpaqueWithMapAndHandle(Sec_CipherHandle* cipherHandl
 
     *bytesWritten = out_buffer.context.svp.offset;
     return SEC_RESULT_SUCCESS;
+#endif // ENABLE_SVP
 }
 
 Sec_Result get_cipher_algorithm(const Sec_CipherAlgorithm algorithm, SEC_BOOL is_unwrap,

src/sec_adapter_processor.c

@@ -377,8 +377,10 @@ Sec_Result SecProcessor_Release(Sec_ProcessorHandle* processorHandle) {
 
     pthread_mutex_unlock(&mutex);
 
+#ifdef ENABLE_SVP
     while (processorHandle->opaque_buffer_handle != NULL)
         release_svp_buffer(processorHandle, processorHandle->opaque_buffer_handle->opaqueBufferHandle);
+#endif // ENABLE_SVP
 
     /* release ram keys */
     while (processorHandle->ram_keys != NULL)
@@ -579,6 +581,7 @@ void sa_process_command(sa_command* command) {
                     va_arg(*command->arguments, void*));
             break;
 
+#ifdef ENABLE_SVP
         case SA_SVP_BUFFER_CREATE:
             command->result = sa_svp_buffer_create(va_arg(*command->arguments, sa_svp_buffer*),
                     va_arg(*command->arguments, void*), va_arg(*command->arguments, size_t));
@@ -617,6 +620,7 @@ void sa_process_command(sa_command* command) {
                     va_arg(*command->arguments, sa_digest_algorithm), va_arg(*command->arguments, void*),
                     va_arg(*command->arguments, size_t));
             break;
+#endif // ENABLE_SVP
 
         case SA_PROCESS_COMMON_ENCRYPTION:
             command->result = sa_process_common_encryption(va_arg(*command->arguments, size_t),

src/sec_adapter_svp.c

@@ -16,9 +16,11 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-#include "sa_svp.h"
 #include "sec_security_svp.h" // NOLINT
 
+#ifdef ENABLE_SVP
+#include "sa_svp.h"
+
 sa_svp_buffer get_svp_buffer(Sec_ProcessorHandle* processorHandle, Sec_OpaqueBufferHandle* opaqueBufferHandle) {
     if (processorHandle == NULL || opaqueBufferHandle == NULL)
         return INVALID_HANDLE;
@@ -376,3 +378,61 @@ Sec_Result SecOpaqueBuffer_CopyByIndex(Sec_OpaqueBufferHandle* outOpaqueBufferHa
     CHECK_STATUS(status)
     return SEC_RESULT_SUCCESS;
 }
+
+#else // ENABLE_SVP
+
+// Stub implementations when SVP is disabled
+
+// Deprecated
+Sec_Result Sec_OpaqueBufferMalloc(SEC_SIZE bufLength, void** handle, void* params) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecOpaqueBuffer_Malloc(SEC_SIZE bufLength, Sec_OpaqueBufferHandle** opaqueBufferHandle) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result Sec_OpaqueBufferWrite(Sec_OpaqueBufferHandle* opaqueBufferHandle, SEC_SIZE offset, void* data,
+        SEC_SIZE length) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecOpaqueBuffer_Write(Sec_OpaqueBufferHandle* opaqueBufferHandle, SEC_SIZE offset, SEC_BYTE* data,
+        SEC_SIZE length) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result Sec_OpaqueBufferFree(Sec_OpaqueBufferHandle* opaqueBufferHandle, void* params) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecOpaqueBuffer_Free(Sec_OpaqueBufferHandle* opaqueBufferHandle) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecOpaqueBuffer_Copy(Sec_OpaqueBufferHandle* outOpaqueBufferHandle, SEC_SIZE out_offset,
+        Sec_OpaqueBufferHandle* inOpaqueBufferHandle, SEC_SIZE in_offset, SEC_SIZE num_to_copy) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecOpaqueBuffer_Release(Sec_OpaqueBufferHandle* opaqueBufferHandle, Sec_ProtectedMemHandle** svpHandle) {
+    SEC_LOG_ERROR("SVP not supported");
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecCodeIntegrity_SecureBootEnabled(void) {
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+Sec_Result SecSVP_SetTime(time_t time) {
+    return SEC_RESULT_UNIMPLEMENTED_FEATURE;
+}
+
+#endif // ENABLE_SVP

test/main/cpp/sec_api_utest_main.cpp

@@ -1440,7 +1440,9 @@ int testIt(int argc, char* argv[]) { // NOLINT
     EC_SIGNATURE_TESTS(&suite, TESTKEY_EC_PUB, TESTKEY_EC_PRIV, TESTKC_GENERATED, 128);
     EC_SIGNATURE_TESTS(&suite, TESTKEY_EC_PUB, TESTKEY_EC_PRIV, TESTKC_EXPORTED, 128);
 
-    OPAQUE_WITH_MAP_TESTS(&suite, TESTKEY_AES128, TESTKC_RAW, SEC_STORAGELOC_RAM);
+    if (TestCreds::supports(CAPABILITY_SVP)) {
+        OPAQUE_WITH_MAP_TESTS(&suite, TESTKEY_AES128, TESTKC_RAW, SEC_STORAGELOC_RAM);
+    }
 
     runWrappedTests(&suite);
 

test/openssl/src/test_creds_soc.cpp

@@ -211,6 +211,10 @@ Sec_Result TestCreds::preprovisionSoc(TestCtx* ctx) {
 
 bool TestCreds::supports(Capability cap) {
     //return whether a specific capability is supported in the target soc
+#ifndef ENABLE_SVP
+    if (cap == CAPABILITY_SVP)
+        return false;
+#endif
 #ifdef ENABLE_SOC_KEY_TESTS
     return cap != CAPABILITY_HKDF_CMAC;
 #else