rpifwcrypto: Initial revision

Client side library and application for the Raspberry Pi firmware
cryptography service. The firmware mailbox based crypto service
provides limited support for cryptographic operations using
a ECDSA p256 private core stored in OTP (using rpi-otp-private-key).

The current operations are
* Get number of OTP keys
* Get status for key
* Set status for a key (runtime lock)
* ECDSA SHA256 signature
* HMAC SHA256 (max message size 2KB)

 rpifwcrypto is a command line application designed to allow the
 crypto operations to be easily used in shell scripts.

 rpifwcrypto.h provides a library interface so that this can be
 embedded in other applications.

 Direct usage of mailbox API (vcmailbox) is not recommended
 because this is a new feature and the mailbox API is not frozen.

Author: timg236

CMakeLists.txt

@@ -15,3 +15,4 @@ add_subdirectory(raspinfo)
 add_subdirectory(vcgencmd)
 add_subdirectory(vclog)
 add_subdirectory(vcmailbox)
+add_subdirectory(rpifwcrypto)

README.md

@@ -18,15 +18,18 @@ A collection of scripts and simple applications
 * [piolib](piolib/) - A library for accessing the Pi 5's PIO hardware.
 * [raspinfo](raspinfo/) - A short script to dump information about the Pi. Intended for
     the submission of bug reports.
+* [rpifwcrypto](rpifwcrypto/) - A command line application and library for the
+    firmware cryptography services. Intended for use with Raspberry Pi Connect and
+    secure-boot provisioner.
 * [vclog](vclog/) - A tool to get VideoCore 'assert' or 'msg' logs
     with optional -f to wait for new logs to arrive.
 
 
 **Build Instructions**
 
-Install the prerequisites with "sudo apt install cmake device-tree-compiler libfdt-dev" - you need at least version 3.10 of cmake. Run the following commands to build and install everything, or see the README files in the subdirectories to just build utilities individually:
+Install the prerequisites with "sudo apt install cmake device-tree-compiler libfdt-dev libgnutls28-dev" - you need at least version 3.10 of cmake. Run the following commands to build and install everything, or see the README files in the subdirectories to just build utilities individually:
 
  - *cmake .*
-    N.B. Use *cmake -DBUILD_SHARED_LIBS=1 .* to build the libraries in the subprojects (libdtovl, gpiolib and piolib) as shared (as opposed to static) libraries.
+    N.B. Use *cmake -DBUILD_SHARED_LIBS=1 .* to build the libraries in the subprojects (libdtovl, gpiolib, librpifwcrypto and piolib) as shared (as opposed to static) libraries.
  - *make*
  - *sudo make install*

rpifwcrypto/.gitignore

@@ -0,0 +1 @@
+build/

rpifwcrypto/CMakeLists.txt

@@ -0,0 +1,29 @@
+cmake_minimum_required(VERSION 3.10...3.27)
+include(GNUInstallDirs)
+
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Werror")
+
+# Set project name
+project(rpifwcrypto)
+
+# Find GnuTLS package
+find_package(GnuTLS REQUIRED)
+
+add_compile_definitions(LIBRARY_BUILD=1)
+
+# Create the shared library
+add_library(rpifwcrypto rpifwcrypto.c)
+target_sources(rpifwcrypto PUBLIC rpifwcrypto.h)
+set_target_properties(rpifwcrypto PROPERTIES PUBLIC_HEADER rpifwcrypto.h)
+set_target_properties(rpifwcrypto PROPERTIES SOVERSION 0)
+
+# Create the executable
+add_executable(rpi-fw-crypto main.c)
+target_link_libraries(rpi-fw-crypto rpifwcrypto ${GNUTLS_LIBRARIES})
+target_include_directories(rpi-fw-crypto PRIVATE ${GNUTLS_INCLUDE_DIRS})
+
+# Install rules
+install(TARGETS rpi-fw-crypto RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR})
+install(TARGETS rpifwcrypto
+        ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR}
+        PUBLIC_HEADER DESTINATION ${CMAKE_INSTALL_INCLUDEDIR})