[api/service/doc] Add derive key service and api functions

Author: nils-cercariolo-st

api/stse_derive_keys.c

@@ -0,0 +1,218 @@
+/*!
+ ******************************************************************************
+ * \file    stse_derive_keys.h
+ * \brief   STSE Derive Keys API Layer (header)
+ * \author  STMicroelectronics - CS application team
+ *
+ ******************************************************************************
+ * \attention
+ *
+ * <h2><center>&copy; COPYRIGHT 2025 STMicroelectronics</center></h2>
+ *
+ * This software is licensed under terms that can be found in the LICENSE file in
+ * the root directory of this software component.
+ * If no LICENSE file comes with this software, it is provided AS-IS.
+ *
+ *****************************************************************************/
+
+#ifndef STSE_DERIVE_KEYS_H
+#define STSE_DERIVE_KEYS_H
+
+#include "services/stsafea/stsafea_derive_keys.h"
+
+/*! \defgroup stse_derive_keys STSE Derive Keys
+ * \ingroup stse_api
+ * \brief      STSE derive keys API set
+ * \details    The derive keys API set provides high level functions to derive keys in STSE devices.
+ * @{
+ */
+
+/**
+ * @brief Derive a single key from a master key stored in a slot.
+ * \details A wrapper for Extract+Expand. Derives a key using optional salt and context,
+ * returning the result to the host buffer.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   master_slot  Slot containing the master key (IKM).
+ * \param[in]   pSalt        Salt data (Optional, can be NULL).
+ * \param[in]   salt_length  Length of salt.
+ * \param[in]   pContext     Context/Info string (Optional, can be NULL).
+ * \param[in]   context_len  Length of context.
+ * \param[out]  pOutput_key  Buffer for the derived key (Pre-allocated).
+ * \param[in]   key_length   Desired derived key length.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise
+ * \details 	\include{doc} stse_derive_key.dox
+ */
+stse_ReturnCode_t stse_derive_key(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 master_slot,
+    PLAT_UI8 *pSalt,
+    PLAT_UI16 salt_length,
+    PLAT_UI8 *pContext,
+    PLAT_UI16 context_len,
+    PLAT_UI8 *pOutput_key,
+    PLAT_UI16 key_length);
+
+/**
+ * @brief Simplest HKDF derivation using a context with explicit length.
+ * \details Derives a key from a master slot using the provided context.
+ * Uses a default empty salt.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   master_slot  Slot containing the master key.
+ * \param[in]   pContext     Context/Info data.
+ * \param[in]   context_len  Length of the context data.
+ * \param[out]  pOutput_key  Buffer for the derived key.
+ * \param[in]   key_length   Desired derived key length.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise
+ * \details 	\include{doc} stse_derive_key_simple.dox
+ */
+stse_ReturnCode_t stse_derive_key_simple(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 master_slot,
+    PLAT_UI8 *pContext,
+    PLAT_UI16 context_len,
+    PLAT_UI8 *pOutput_key,
+    PLAT_UI16 key_length);
+
+/**
+ * @brief Perform HKDF-Extract only and store PRK in a slot.
+ * \details Creates a session/context-specific PRK inside the secure element.
+ * This PRK can be used for subsequent Expand operations.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   master_slot  Slot containing the master key.
+ * \param[in]   pSalt        Salt data.
+ * \param[in]   salt_length  Length of salt.
+ * \param[out]  pPrk_slot    Output: Slot number where PRK was stored.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise.
+ * \details 	\include{doc} stse_derive_key_extract.dox
+ */
+stse_ReturnCode_t stse_derive_key_extract(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 master_slot,
+    PLAT_UI8 *pSalt,
+    PLAT_UI16 salt_length,
+    PLAT_UI8 *pPrk_slot);
+
+/**
+ * @brief Perform HKDF-Expand only from an existing PRK slot.
+ * \details Derives a key from a previously extracted PRK using the provided Context/Info.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   prk_slot     Slot containing the PRK (must be 32 bytes).
+ * \param[in]   pContext     Context/Info data.
+ * \param[in]   context_len  Length of context.
+ * \param[out]  pOutput_key  Buffer for the derived key.
+ * \param[in]   key_length   Desired derived key length.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise.
+ * \details 	\include{doc} stse_derive_key_expand.dox
+ */
+stse_ReturnCode_t stse_derive_key_expand(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 prk_slot,
+    PLAT_UI8 *pContext,
+    PLAT_UI16 context_len,
+    PLAT_UI8 *pOutput_key,
+    PLAT_UI16 key_length);
+
+/**
+ * @brief Derive encryption and MAC keys for a session.
+ * \details Convenience function:
+ * 1. Extract PRK from master using session_id.
+ * 2. Expand "ENC" -> Encryption Key.
+ * 3. Expand "MAC" -> Authentication Key.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   master_slot  Slot containing master key.
+ * \param[in]   session_id   Session identifier (salt).
+ * \param[out]  pEnc_key     Buffer for encryption key.
+ * \param[in]   enc_key_len  Length of encryption key.
+ * \param[out]  pMac_key     Buffer for MAC key.
+ * \param[in]   mac_key_len  Length of MAC key.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise.
+ * \details 	\include{doc} stse_derive_session_keys.dox
+ */
+stse_ReturnCode_t stse_derive_session_keys(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 master_slot,
+    PLAT_UI32 session_id,
+    PLAT_UI8 *pEnc_key,
+    PLAT_UI16 enc_key_len,
+    PLAT_UI8 *pMac_key,
+    PLAT_UI16 mac_key_len);
+
+/**
+ * @brief Derive a key and store it securely in a slot.
+ * \details Performs Extract+Expand but routes result to an internal slot.
+ * The key is therefore never exposed.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   master_slot  Slot containing master key.
+ * \param[in]   pSalt        Salt data.
+ * \param[in]   salt_length  Length of salt.
+ * \param[in]   pContext     Context/Info data.
+ * \param[in]   context_len  Length of context.
+ * \param[in]   pKey_info    Configuration for the destination slot.
+ * \param[out]  pOutput_slot Output: Slot number where key was created.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise.
+ * \details 	\include{doc} stse_derive_key_to_slot.dox
+ */
+stse_ReturnCode_t stse_derive_key_to_slot(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 master_slot,
+    PLAT_UI8 *pSalt,
+    PLAT_UI16 salt_length,
+    PLAT_UI8 *pContext,
+    PLAT_UI16 context_len,
+    stsafe_output_key_description_information_t *pKey_info,
+    PLAT_UI8 *pOutput_slot);
+
+/**
+ * @brief Efficiently derive multiple keys from a PRK in one command.
+ * \details Uses HKDF-Expand to generate up to 32 keys at once.
+ * Note: Uses the first context string for the entire batch.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   prk_slot     Slot containing PRK.
+ * \param[in]   pContexts    Array of context strings.
+ * \param[in]   pContext_lens Array of context lengths.
+ * \param[out]  pOutput_keys  Array of output buffers.
+ * \param[in]   pKey_lengths  Array of requested key lengths.
+ * \param[in]   num_keys     Number of keys to derive.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise.
+ * \details 	\include{doc} stse_derive_key_expand_multiple.dox
+ */
+stse_ReturnCode_t stse_derive_key_expand_multiple(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 prk_slot,
+    PLAT_UI8 **pContexts,
+    PLAT_UI16 *pContext_lens,
+    PLAT_UI8 **pOutput_keys,
+    PLAT_UI16 *pKey_lengths,
+    PLAT_UI8 num_keys);
+
+/**
+ * @brief Derive a key using raw Input Key Material (IKM).
+ * \details Use when the source key is not stored in the secure element.
+ * The IKM is passed in the command payload and is not stored.
+ * \param[in]   pSTSE        Pointer to STSE Handler.
+ * \param[in]   pIkm         Pointer to Input Key Material.
+ * \param[in]   ikm_length   Length of IKM.
+ * \param[in]   pSalt        Salt data.
+ * \param[in]   salt_length  Length of salt.
+ * \param[in]   pContext     Context/Info data.
+ * \param[in]   context_len  Length of context.
+ * \param[out]  pOutput_key  Buffer for derived key.
+ * \param[in]   key_length   Length of derived key.
+ * \return \ref STSE_OK on success ; \ref stse_ReturnCode_t error code otherwise.
+ * \details 	\include{doc} stse_derive_key_from_ikm.dox
+ */
+stse_ReturnCode_t stse_derive_key_from_ikm(
+    stse_Handler_t *pSTSE,
+    PLAT_UI8 *pIkm,
+    PLAT_UI16 ikm_length,
+    PLAT_UI8 *pSalt,
+    PLAT_UI16 salt_length,
+    PLAT_UI8 *pContext,
+    PLAT_UI16 context_len,
+    PLAT_UI8 *pOutput_key,
+    PLAT_UI16 key_length);
+
+    
+#endif /* STSE_DERIVE_KEYS_H */
+
+/*! @}*/

api/stse_derive_keys.h

@@ -0,0 +1,44 @@
+\b Description
+The following diagram illustrates the interactions performed between the Host and the target STSE device to derive a key and return it to the host.
+\n\n
+
+@startuml
+    participant "HOST" as HOST
+    participant "STSE" as STSE
+
+    activate HOST $STSE_ACTIVITY
+    group stse_derive_key
+        HOST -> STSE : Derive Key Command (HKDF Extract + Expand)\n[Input: Slot + Salt + Info]
+        activate STSE $STSE_ACTIVITY
+        return Response (Derived Key Data)
+    end
+    deactivate HOST
+@enduml
+
+\n\n \b Use-case \b example
+\n The following applicative code snippet illustrates how to derive a key using a salt and context.
+\n\n
+
+\code{.c}
+    /* ## Derive Key to Host Buffer */
+    PLAT_UI8 derived_key[32];
+    PLAT_UI8 salt[] = {0x01, 0x02, 0x03, 0x04};
+    PLAT_UI8 context[] = "app-context";
+    
+    stse_ret = stse_derive_key(
+        &stse_handler,
+        STSE_MASTER_KEY_SLOT, 
+        salt, sizeof(salt),
+        context, sizeof(context)-1,
+        derived_key, 32
+    );
+    
+    if (stse_ret != STSE_OK)
+    {
+        /* Handle Error */
+    }
+\endcode
+
+\sa stse_init
+
+<div style="page-break-after: always;"></div>

doc/resources/dox_files/APIs/derive_keys/stse_derive_key.dox

@@ -0,0 +1,37 @@
+\b Description
+This command performs the HKDF-Expand step only. It takes a previously extracted PRK (stored in a slot) and expands it into a new key using the provided context information.
+\n\n
+
+@startuml
+    participant "HOST" as HOST
+    participant "STSE" as STSE
+
+    activate HOST $STSE_ACTIVITY
+    group stse_derive_key_expand
+        HOST -> STSE : Derive Key Command (HKDF Expand Only)\n[Input: PRK Slot + Info]
+        activate STSE $STSE_ACTIVITY
+        return Response (Derived Key Data)
+    end
+    deactivate HOST
+@enduml
+
+\n\n \b Use-case \b example
+\n\n
+
+\code{.c}
+    /* ## HKDF Expand from PRK */
+    PLAT_UI8 output_key[16];
+    PLAT_UI8 context[] = "expansion-context";
+    
+    /* Assumes prk_slot was populated by a previous extract call */
+    stse_ret = stse_derive_key_expand(
+        &stse_handler,
+        prk_slot,
+        context, sizeof(context)-1,
+        output_key, 16
+    );
+\endcode
+
+\sa stse_init
+
+<div style="page-break-after: always;"></div>

doc/resources/dox_files/APIs/derive_keys/stse_derive_key_expand.dox

@@ -0,0 +1,43 @@
+\b Description
+This function uses the HKDF-Expand command to derive multiple keys (up to 32) in a single transaction. This is more efficient than calling stse_derive_key_expand() multiple times.
+\n\n
+
+@startuml
+    participant "HOST" as HOST
+    participant "STSE" as STSE
+
+    activate HOST $STSE_ACTIVITY
+    group stse_derive_key_expand_multiple
+        HOST -> STSE : Derive Key Command (NumKeys=N)\n[Input: PRK Slot + Context]
+        activate STSE $STSE_ACTIVITY
+        STSE -> STSE : Generate Key 1, Key 2... Key N
+        return Response (Key 1 Data, Key 2 Data... Key N Data)
+    end
+    deactivate HOST
+@enduml
+
+\n\n \b Use-case \b example
+\n\n
+
+\code{.c}
+    /* ## Derive Multiple Keys */
+    PLAT_UI8 *outputs[2];
+    PLAT_UI16 lengths[2] = {16, 16};
+    PLAT_UI8 key1[16], key2[16];
+    
+    outputs[0] = key1;
+    outputs[1] = key2;
+
+    stse_ret = stse_derive_key_expand_multiple(
+        &stse_handler,
+        prk_slot,
+        NULL, NULL, /* Use default/no context */
+        outputs,
+        lengths,
+        2
+    );
+\endcode
+
+\sa stse_init
+
+<div style="page-break-after: always;"></div>

doc/resources/dox_files/APIs/derive_keys/stse_derive_key_expand_multiple.dox

@@ -0,0 +1,37 @@
+\b Description
+This command performs the HKDF-Extract step only. It generates a Pseudo-Random Key (PRK) from the input key material and salt, storing the result in an internal secure slot.
+\n\n
+
+@startuml
+    participant "HOST" as HOST
+    participant "STSE" as STSE
+
+    activate HOST $STSE_ACTIVITY
+    group stse_derive_key_extract
+        HOST -> STSE : Derive Key Command (HKDF Extract Only)\n[Input: Master Slot + Salt]
+        activate STSE $STSE_ACTIVITY
+        STSE -> STSE : Generate PRK -> Store in internal slot
+        return Response (PRK Slot Number)
+    end
+    deactivate HOST
+@enduml
+
+\n\n \b Use-case \b example
+\n\n
+
+\code{.c}
+    /* ## HKDF Extract PRK */
+    PLAT_UI8 salt[] = {0xAA, 0xBB, 0xCC, 0xDD};
+    PLAT_UI8 prk_slot;
+    
+    stse_ret = stse_derive_key_extract(
+        &stse_handler,
+        STSE_MASTER_KEY_SLOT,
+        salt, sizeof(salt),
+        &prk_slot
+    );
+\endcode
+
+\sa stse_init
+
+<div style="page-break-after: always;"></div>