HV: wrap and enable hkdf_sha256 key derivation based on mbedtls

Derive multiple seeds to support multiple guest VMs Signed-off-by: Chen, Gang G <gang.g.chen@intel.com>
2026-01-04 23:24:56 +00:00 · 2018-08-21 08:11:40 +08:00
parent 12aa2a40a2
commit 8d35f4e0e8
11 changed files with 50 additions and 34 deletions
--- a/hypervisor/lib/crypto/mbedtls/hkdf.c
+++ b/hypervisor/lib/crypto/mbedtls/hkdf.c
@@ -168,7 +168,7 @@ int mbedtls_hkdf_expand( const mbedtls_md_info_t *md, const unsigned char *prk,
        }

        num_to_copy = i != n ? hash_len : okm_len - where;
-        memcpy( okm + where, t, num_to_copy );
+        memcpy_s( okm + where, num_to_copy, t, num_to_copy );
        where += hash_len;
        t_len = hash_len;
    }
--- a/hypervisor/lib/crypto/mbedtls/md.c
+++ b/hypervisor/lib/crypto/mbedtls/md.c
@@ -24,6 +24,7 @@
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

+#include <hypervisor.h>
 #include "md.h"
 #include "md_internal.h"

--- a/hypervisor/lib/crypto/mbedtls/md.h
+++ b/hypervisor/lib/crypto/mbedtls/md.h
@@ -28,12 +28,14 @@
 #ifndef MBEDTLS_MD_H
 #define MBEDTLS_MD_H

+#include <rtl.h>
 #define MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE                -0x5080  /**< The selected feature is not available. */
 #define MBEDTLS_ERR_MD_BAD_INPUT_DATA                     -0x5100  /**< Bad input parameters to function. */
 #define MBEDTLS_ERR_MD_ALLOC_FAILED                       -0x5180  /**< Failed to allocate memory. */
 #define MBEDTLS_ERR_MD_FILE_IO_ERROR                      -0x5200  /**< Opening or reading of file failed. */
 #define MBEDTLS_ERR_MD_HW_ACCEL_FAILED                    -0x5280  /**< MD hardware accelerator failed. */

+#define mbedtls_platform_zeroize(buf, len) memset(buf, 0, len)
 #define mbedtls_calloc    calloc
 #define mbedtls_free      free

--- a/hypervisor/lib/crypto/mbedtls/md_wrap.c
+++ b/hypervisor/lib/crypto/mbedtls/md_wrap.c
@@ -24,6 +24,7 @@
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */

+#include <hypervisor.h>
 #include "md_internal.h"
 #include "sha256.h"

--- a/hypervisor/lib/crypto/mbedtls/sha256.c
+++ b/hypervisor/lib/crypto/mbedtls/sha256.c
@@ -221,7 +221,7 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,

    if( left && ilen >= fill )
    {
-        memcpy( (void *) (ctx->buffer + left), input, fill );
+        memcpy_s( (void *) (ctx->buffer + left), fill, input, fill );

        if( ( ret = mbedtls_internal_sha256_process( ctx, ctx->buffer ) ) != 0 )
            return( ret );
@@ -241,7 +241,7 @@ int mbedtls_sha256_update_ret( mbedtls_sha256_context *ctx,
    }

    if( ilen > 0 )
-        memcpy( (void *) (ctx->buffer + left), input, ilen );
+        memcpy_s( (void *) (ctx->buffer + left), ilen, input, ilen );

    return( 0 );
 }
--- a/hypervisor/lib/crypto/mbedtls/sha256.h
+++ b/hypervisor/lib/crypto/mbedtls/sha256.h
@@ -28,6 +28,7 @@
 #ifndef MBEDTLS_SHA256_H
 #define MBEDTLS_SHA256_H

+#include <types.h>
 #define MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED                -0x0037  /**< SHA-256 hardware accelerator failed */

 /**