drivers: crypto: stm32: h7: add AES CCM and GCM support

[GeorgeCGV]

Adds support for AES-CCM and AES-GCM cipher modes.

The support is limited to the following STM32 H7 SoCs:
STM32H723XX, STM32H725XX, STM32H730XX, STM32H730XXQ, and STM32H735XX, as they share the same reference manual.

Note: testing was performed on the STM32H730XX.

Crypto sample output:

Cipher Sample
ECB Mode
Output length (encryption): 16
ECB mode ENCRYPT - Match
Output length (decryption): 16
ECB mode DECRYPT - Match
CBC Mode
Output length (encryption): 80
CBC mode ENCRYPT - Match
Output length (decryption): 64
CBC mode DECRYPT - Match
CTR Mode
Output length (encryption): 64
CTR mode ENCRYPT - Match
Output length (decryption): 64
CTR mode DECRYPT - Match
CCM Mode
Output length (encryption): 23
CCM mode ENCRYPT - Match
Output length (decryption): 23
CCM mode DECRYPT - Match
GCM Mode
Output length (encryption): 42
GCM mode ENCRYPT - Match
Output length (decryption): 42
GCM mode DECRYPT - Match

The pull request is open for review but not yet ready to be merged (therefore, labeled DNM) due to an issue in the STM32 H7 HAL related to GCM tag generation during decryption: STMicroelectronics/stm32h7xx-hal-driver#88.

[mathieuchopstm]

I'm wondering if, instead of hardcoded SoCs in Kconfig, we shouldn't create a new compatible for the IP embedded in H7, as it is also used on other series so the code can probably shared (e.g., STM32F72xx/F73xx).

This can always be integrated later, so OK for me in current state..

[GeorgeCGV]

I'm wondering if, instead of hardcoded SoCs in Kconfig, we shouldn't create a new compatible for the IP embedded in H7, as it is also used on other series so the code can probably shared (e.g., STM32F72xx/F73xx).

Ideally, as more boards are tested and the necessary adjustments are made, this condition will no longer be needed. It is mainly here because testing is performed on the STM32H730XX, which shares the same RM with STM32H723XX, STM32H725XX, STM32H730XXQ, and STM32H735XX.

[erwango]

I'm wondering if, instead of hardcoded SoCs in Kconfig, we shouldn't create a new compatible for the IP embedded in H7, as it is also used on other series so the code can probably shared (e.g., STM32F72xx/F73xx).

It will be harder to impose to the next ones if this is done this way today. Let's do it now.

[GeorgeCGV]

@erwango @mathieuchopstm reworked the memory comparison approach.
The Kconfig no longer has dependencies on any particular SoC.

I guess depending on mbedtls is ok for ct memcmp.

[erwango]

The Kconfig no longer has dependencies on any particular SoC.

It still does actually. Did you push the right branch ?

[GeorgeCGV]

The Kconfig no longer has dependencies on any particular SoC.

It still does actually. Did you push the right branch ?

Do you mean? (.c, not Kconfig)

#if defined(CONFIG_SOC_STM32H723XX) || defined(CONFIG_SOC_STM32H725XX) ||	\
	defined(CONFIG_SOC_STM32H730XX) || defined(CONFIG_SOC_STM32H730XXQ) ||	\
	defined(CONFIG_SOC_STM32H735XX)
#define STM32_CRYPTO_GCM_CCM_SUPPORT 1
#endif

The most recent push to Kconfig includes a new option that relies on the mbedtls.

[etienne-lms]

Sorry for the late feedback. Looks all good to me.

[erwango]

@GeorgeCGV Can you confirm this is still blocked at HAL level ? (Hence the DNM)

[GeorgeCGV]

@erwango yes, unfortunately. No updates from ST regarding the HAL issue - STMicroelectronics/stm32h7xx-hal-driver#88.
Perhaps the DNM can be removed to facilitate the identification of issues in other families. On H7, the GCM won't work entirely, but CCM does.

[GeorgeCGV]

Rebased

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.6% Duplication on New Code

See analysis details on SonarQube Cloud

[etienne-lms]

For info, the issue in the HAL has been addressed internally. Hopefully to be available in the next HAL release.

In the meantime, @GeorgeCGV, do you want to have at least CCM functional and introduce a st,ccm-supported DT property enable the feature on H7?

For info, I've been through the STM32 SoCs series and those that have a CRYP instance actually support GCM and CCM. The issue for extending your changes to all SoCs is that some SOCs have specific HAL APIs that do not match the H7 ones you used in your implementation here. Once crypto_stm32.c driver adapted done, we would be able to fully remove the gcm-ccm-supported DT property.

Saying that, I realize that maybe your patch could enable STM32_CRYPTO_GCM_CCM_SUPPORT (in crypto_stm32.c) only for known supported SoCs (that is currently when CONFIG_SOC_SERIES_STM32H7X=y) and removing DT property gcm-ccm-supported.

[GeorgeCGV]

@etienne-lms, there is no rush to upstream this.

Saying that, I realize that maybe your patch could enable STM32_CRYPTO_GCM_CCM_SUPPORT (in crypto_stm32.c) only for known supported SoCs (that is currently when CONFIG_SOC_SERIES_STM32H7X=y) and removing DT property gcm-ccm-supported.

This is how it used to be at the beginning of the PR. The discussions then led to the creation of the DT property.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
1.6% Duplication on New Code

See analysis details on SonarQube Cloud

[GeorgeCGV]

Rebased, and a minor ccm fix: gcm_params were used at one place instead of ccm_params.

[GeorgeCGV]

A new issue STMicroelectronics/stm32h7xx-hal-driver#104 has been discovered in the CubeH7 HAL related to the AES CCM.

Fixing this inside the driver is not practical, because it would require allocating an aligned copy of the payload, which adds unnecessary overhead.