new file mode 100644
@@ -0,0 +1,237 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From f86f5b42d853d2a65f6753362361bbb95aac1800 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sat, 11 Dec 2021 11:06:57 +0000
+Subject: [PATCH] corstone1000: port crypto config
+
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+
+%% original patch: 0003-corstone1000-port-crypto-config.patch
+---
+ .../nspe/pal_crypto_config.h | 83 +++++++++++++++----
+ 1 file changed, 66 insertions(+), 17 deletions(-)
+
+diff --git a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h
+index 844cd2e..c936bdd 100755
+--- a/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h
++++ b/api-tests/platform/targets/tgt_dev_apis_linux/nspe/pal_crypto_config.h
+@@ -1,5 +1,5 @@
+ /** @file
+- * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved.
++ * Copyright (c) 2019-2020, Arm Limited or its affiliates. All rights reserved.
+ * SPDX-License-Identifier : Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
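Review bot: The copyright line moves backwards, from `2021` to `2019-2020`, which suggests this header was replaced by an older copy of the file rather than edited in place. Keep the existing ` * Copyright (c) 2021, Arm Limited or its affiliates. All rights reserved.` line. It is also worth confirming that no upstream changes made to this config after the older revision were dropped by the port; that cannot be checked from the hunks shown here.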
+@@ -34,10 +34,14 @@
+ *
+ * Comment macros to disable the types
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_RSA
+ #define ARCH_TEST_RSA_1024
+ #define ARCH_TEST_RSA_2048
+ #define ARCH_TEST_RSA_3072
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_ECC
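Review bot: The two nested guards around the RSA macros read more clearly as a single condition, `#if !defined(TF_M_PROFILE_SMALL) && !defined(TF_M_PROFILE_MEDIUM)`, closed by `#endif /* !TF_M_PROFILE_SMALL && !TF_M_PROFILE_MEDIUM */`. The same nested pair is repeated in the CTR, CTR_AES, CBC_NO_PADDING, PKCS1V15, CBC_PKCS7, SHA384/SHA512, CMAC and GCM hunks, where the bare `#endif` lines are easy to mismatch. The doc comment above still says only "Comment macros to disable the types"; add a line such as `* Not tested when TF_M_PROFILE_SMALL or TF_M_PROFILE_MEDIUM is defined.` so the profile dependency is visible in the header documentation.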
+@@ -50,11 +54,17 @@
+ * Requires: ARCH_TEST_ECC
+ * Comment macros to disable the curve
+ */
++#ifndef TF_M_PROFILE_SMALL
+ #define ARCH_TEST_ECC
+ #define ARCH_TEST_ECC_CURVE_SECP192R1
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_ECC_CURVE_SECP224R1
++#endif
+ #define ARCH_TEST_ECC_CURVE_SECP256R1
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_ECC_CURVE_SECP384R1
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_AES
+@@ -78,10 +88,10 @@
+ *
+ * Comment macros to disable the types
+ */
+-#define ARCH_TEST_DES
+-#define ARCH_TEST_DES_1KEY
+-#define ARCH_TEST_DES_2KEY
+-#define ARCH_TEST_DES_3KEY
++//#define ARCH_TEST_DES
++//#define ARCH_TEST_DES_1KEY
++//#define ARCH_TEST_DES_2KEY
++//#define ARCH_TEST_DES_3KEY
+
+ /**
+ * \def ARCH_TEST_RAW
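Review bot: The DES test macros are switched off unconditionally by commenting them out, with no comment saying why; the ARC4 hunk and the MD5/RIPEMD160/SHA1 lines in the hash hunk do the same. If the reason is that the platform's crypto configuration does not build these legacy algorithms, say so next to the macros, e.g. `/* DES not enabled in the corstone1000 crypto configuration; tests disabled to match */`. Without that, a reader cannot tell a deliberate match from lost coverage of algorithms the secure side may still expose. The hash hunk also rewrites the existing `// #define` lines to `//#define`, which adds diff noise without changing behaviour.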
+@@ -104,7 +114,7 @@
+ *
+ * Enable the ARC4 key type.
+ */
+-#define ARCH_TEST_ARC4
++//#define ARCH_TEST_ARC4
+
+ /**
+ * \def ARCH_TEST_CIPHER_MODE_CTR
+@@ -113,7 +123,11 @@
+ *
+ * Requires: ARCH_TEST_CIPHER
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_CIPHER_MODE_CTR
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_CIPHER_MODE_CFB
+@@ -138,7 +152,11 @@
+ *
+ * Requires: ARCH_TEST_CIPHER, ARCH_TEST_AES, ARCH_TEST_CIPHER_MODE_CTR
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_CTR_AES
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_CBC_AES
+@@ -157,7 +175,11 @@
+ *
+ * Comment macros to disable the types
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_CBC_NO_PADDING
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_CFB_AES
+@@ -177,11 +199,15 @@
+ *
+ * Comment macros to disable the types
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_PKCS1V15
+ #define ARCH_TEST_RSA_PKCS1V15_SIGN
+ #define ARCH_TEST_RSA_PKCS1V15_SIGN_RAW
+ #define ARCH_TEST_RSA_PKCS1V15_CRYPT
+ #define ARCH_TEST_RSA_OAEP
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_CBC_PKCS7
+@@ -190,7 +216,11 @@
+ *
+ * Comment macros to disable the types
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_CBC_PKCS7
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_ASYMMETRIC_ENCRYPTION
+@@ -227,21 +257,27 @@
+ *
+ * Comment macros to disable the types
+ */
+-// #define ARCH_TEST_MD2
+-// #define ARCH_TEST_MD4
+-#define ARCH_TEST_MD5
+-#define ARCH_TEST_RIPEMD160
+-#define ARCH_TEST_SHA1
++//#define ARCH_TEST_MD2
++//#define ARCH_TEST_MD4
++//#define ARCH_TEST_MD5
++//#define ARCH_TEST_RIPEMD160
++//#define ARCH_TEST_SHA1
++#ifndef TF_M_PROFILE_SMALL
+ #define ARCH_TEST_SHA224
++#endif
+ #define ARCH_TEST_SHA256
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_SHA384
+ #define ARCH_TEST_SHA512
+-// #define ARCH_TEST_SHA512_224
+-// #define ARCH_TEST_SHA512_256
+-// #define ARCH_TEST_SHA3_224
+-// #define ARCH_TEST_SHA3_256
+-// #define ARCH_TEST_SHA3_384
+-// #define ARCH_TEST_SHA3_512
++#endif
++#endif
++//#define ARCH_TEST_SHA512_224
++//#define ARCH_TEST_SHA512_256
++//#define ARCH_TEST_SHA3_224
++//#define ARCH_TEST_SHA3_256
++//#define ARCH_TEST_SHA3_384
++//#define ARCH_TEST_SHA3_512
+
+ /**
+ * \def ARCH_TEST_HKDF
+@@ -261,7 +297,12 @@
+ *
+ * Comment macros to disable the types
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_CMAC
++#endif
++#endif
++//#define ARCH_TEST_GMAC
+ #define ARCH_TEST_HMAC
+
+ /**
+@@ -281,7 +322,11 @@
+ * Requires: ARCH_TEST_AES
+ *
+ */
++#ifndef TF_M_PROFILE_SMALL
++#ifndef TF_M_PROFILE_MEDIUM
+ #define ARCH_TEST_GCM
++#endif
++#endif
+
+ /**
+ * \def ARCH_TEST_TRUNCATED_MAC
+@@ -300,7 +345,9 @@
+ *
+ * Requires: ARCH_TEST_ECC
+ */
++#ifndef TF_M_PROFILE_SMALL
+ #define ARCH_TEST_ECDH
++#endif
+
+ /**
+ * \def ARCH_TEST_ECDSA
+@@ -308,7 +355,9 @@
+ * Enable the elliptic curve DSA library.
+ * Requires: ARCH_TEST_ECC
+ */
++#ifndef TF_M_PROFILE_SMALL
+ #define ARCH_TEST_ECDSA
++#endif
+
+ /**
+ * \def ARCH_TEST_DETERMINISTIC_ECDSA
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,258 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From ddff15a07e2fb7eddfa1d988fce25d82cb22f7ee Mon Sep 17 00:00:00 2001
+From: Gyorgy Szing <Gyorgy.Szing@arm.com>
+Date: Wed, 8 Dec 2021 04:20:34 +0100
+Subject: [PATCH 01/15] Enhance mbedtls fetch process
+
+Update management of MbedTLS external component to be optimized
+for download speed insted of availability.
+The updated process is:
+ - check if binary is available. If yes configure build to use it
+ and stop.
+ - if not, check is source is available. If yes, build it and use
+ the resulting binary.
+ - if not, then download the source using git, compile it and use
+ the resulting binary
+
+The following variables can be set on the command line to alter the
+behavior of the module:
+ - MBEDTLS_URL git repo URL to fetch from.
+ - MBEDTLS_REFSPEC revision to fetch
+ - MBEDTLS_SOURCE_DIR to specify location of source code in
+ local file syetem.
+ - MBEDTLS_INSTALL_DIR to specify location of binary.
+
+I.e. cmake -S <...> -B <...> -DMBEDTLS_INSTALL_DIR=~/mbedtls
+will make the resulting binary installed to ~/mbedtls. This can be
+used later to speed up a clean build an use the prebuilt binary.
+
+Change-Id: I8a9ad8b3303e6dfa0a7c9c3d7e4b4787b94d925a
+Signed-off-by: Gyorgy Szing <Gyorgy.Szing@arm.com>
+---
+ external/MbedTLS/MbedTLS.cmake | 192 ++++++++++++++++++++-------------
+ 1 file changed, 119 insertions(+), 73 deletions(-)
+
+diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake
+index 3cbaed15..935be765 100644
+--- a/external/MbedTLS/MbedTLS.cmake
++++ b/external/MbedTLS/MbedTLS.cmake
+@@ -1,96 +1,142 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+ #-------------------------------------------------------------------------------
+
+-# Determine the number of processes to run while running parallel builds.
+-# Pass -DPROCESSOR_COUNT=<n> to cmake to override.
+-if(NOT DEFINED PROCESSOR_COUNT)
+- include(ProcessorCount)
+- ProcessorCount(PROCESSOR_COUNT)
+- set(PROCESSOR_COUNT ${PROCESSOR_COUNT} CACHE STRING "Number of cores to use for parallel builds.")
+-endif()
++set(MBEDTLS_URL "https://github.com/ARMmbed/mbedtls.git"
++ CACHE STRING "Mbed TLS repository URL")
++set(MBEDTLS_REFSPEC "mbedtls-3.0.0"
++ CACHE STRING "Mbed TLS git refspec")
++set(MBEDTLS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-src"
++ CACHE PATH "MbedTLS source directory")
++set(MBEDTLS_INSTALL_DIR "${CMAKE_CURRENT_BINARY_DIR}/mbedtls_install"
++ CACHE PATH "Mbed TLS installation directory")
+
+-set(MBEDTLS_URL "https://github.com/ARMmbed/mbedtls.git" CACHE STRING "Mbed TLS repository URL")
+-set(MBEDTLS_REFSPEC "mbedtls-3.0.0" CACHE STRING "Mbed TLS git refspec")
+-set(MBEDTLS_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/mbedtls_install" CACHE PATH "Mbed TLS installation directory")
+-set(MBEDTLS_PACKAGE_PATH "${MBEDTLS_INSTALL_PATH}/lib/mbedtls/cmake" CACHE PATH "Mbed TLS CMake package directory")
++find_library(MBEDCRYPTO_LIB_FILE
++ NAMES libmbedcrypto.a mbedcrypto.a libmbedcrypto.lib mbedcrypto.lib
++ PATHS ${MBEDTLS_INSTALL_DIR}
++ PATH_SUFFIXES "lib"
++ DOC "Location of mberdrypto library."
++ NO_DEFAULT_PATH
++)
+
+-include(FetchContent)
++set(MBEDCRYPTO_LIB_FILE ${MBEDCRYPTO_LIB_FILE})
++unset(MBEDCRYPTO_LIB_FILE CACHE)
+
+-# Checking git
+-find_program(GIT_COMMAND "git")
+-if (NOT GIT_COMMAND)
+- message(FATAL_ERROR "Please install git")
+-endif()
++set(MBEDTLS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-build")
+
+-# Fetching Mbed TLS
+-FetchContent_Declare(
+- mbedtls
+- GIT_REPOSITORY ${MBEDTLS_URL}
+- GIT_TAG ${MBEDTLS_REFSPEC}
+- GIT_SHALLOW TRUE
+-)
++# Binary not found and it needs to be built.
++if (NOT MBEDCRYPTO_LIB_FILE)
++ # Determine the number of processes to run while running parallel builds.
++ # Pass -DPROCESSOR_COUNT=<n> to cmake to override.
++ if(NOT DEFINED PROCESSOR_COUNT)
++ include(ProcessorCount)
++ ProcessorCount(PROCESSOR_COUNT)
++ set(PROCESSOR_COUNT ${PROCESSOR_COUNT}
++ CACHE STRING "Number of cores to use for parallel builds.")
++ endif()
+
+-# FetchContent_GetProperties exports mbedtls_SOURCE_DIR and mbedtls_BINARY_DIR variables
+-FetchContent_GetProperties(mbedtls)
+-if(NOT mbedtls_POPULATED)
+- message(STATUS "Fetching Mbed TLS")
+- FetchContent_Populate(mbedtls)
+-endif()
++ # See if the source is available locally
++ find_file(MBEDCRYPTO_HEADER_FILE
++ NAMES crypto.h
++ PATHS ${MBEDTLS_SOURCE_DIR}
++ PATH_SUFFIXES "include/psa"
++ NO_DEFAULT_PATH
++ )
++ set(MBEDCRYPTO_HEADER_FILE ${MBEDCRYPTO_HEADER_FILE})
++ unset(MBEDCRYPTO_HEADER_FILE CACHE)
+
+-# Convert the include path list to a string. Needed to make parameter passing to
+-# Mbed TLS build work fine.
+-string(REPLACE ";" "\\;" MBEDTLS_EXTRA_INCLUDES "${MBEDTLS_EXTRA_INCLUDES}")
++ # Source not found, fetch it.
++ if (NOT MBEDCRYPTO_HEADER_FILE)
++ include(FetchContent)
+
+-find_package(Python3 COMPONENTS Interpreter)
+-if (NOT Python3_Interpreter_FOUND)
+- message(FATAL_ERROR "Python 3 interpreter not found.")
+-endif()
++ # Checking git
++ find_program(GIT_COMMAND "git")
++ if (NOT GIT_COMMAND)
++ message(FATAL_ERROR "Please install git")
++ endif()
+
+-#Configure Mbed TLS to build only mbedcrypto lib
+-execute_process(COMMAND ${Python3_EXECUTABLE} scripts/config.py crypto WORKING_DIRECTORY ${mbedtls_SOURCE_DIR})
+-
+-# Advertise Mbed TLS as the provider of the psa crypto API
+-set(PSA_CRYPTO_API_INCLUDE "${MBEDTLS_INSTALL_PATH}/include" CACHE STRING "PSA Crypto API include path")
+-
+-#Configure the library
+-execute_process(COMMAND
+- ${CMAKE_COMMAND}
+- -DENABLE_PROGRAMS=OFF
+- -DENABLE_TESTING=OFF
+- -DUNSAFE_BUILD=ON
+- -DCMAKE_INSTALL_PREFIX=${MBEDTLS_INSTALL_PATH}
+- -DCMAKE_TOOLCHAIN_FILE=${TS_EXTERNAL_LIB_TOOLCHAIN_FILE}
+- -DCMAKE_TRY_COMPILE_TARGET_TYPE=STATIC_LIBRARY
+- -DEXTERNAL_DEFINITIONS=-DMBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
+- -DEXTERNAL_INCLUDE_PATHS=${MBEDTLS_EXTRA_INCLUDES}
+- -GUnix\ Makefiles
+- ${mbedtls_SOURCE_DIR}
+- WORKING_DIRECTORY
+- ${mbedtls_BINARY_DIR}
+- RESULT_VARIABLE _exec_error
+-)
++ # Fetching Mbed TLS
++ FetchContent_Declare(
++ mbedtls
++ SOURCE_DIR ${MBEDTLS_SOURCE_DIR}
++ BINARY_DIR ${MBEDTLS_BINARY_DIR}
++ GIT_REPOSITORY ${MBEDTLS_URL}
++ GIT_TAG ${MBEDTLS_REFSPEC}
++ GIT_SHALLOW TRUE
++ )
+
+-if (_exec_error)
+- message(FATAL_ERROR "Configuration step of Mbed TLS failed with ${_exec_error}.")
+-endif()
++ # FetchContent_GetProperties exports mbedtls_SOURCE_DIR and mbedtls_BINARY_DIR variables
++ FetchContent_GetProperties(mbedtls)
++ # FetchContent_Populate will fail if the source directory is removed since it will try to
++ # do an "update" and not a "populate" action. As a workaround, remove the subbuild directory.
++ # Note: this fix assumes, the default subbuild location is used.
++ file(REMOVE_RECURSE "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-subbuild")
++
++ # If the source directory has been moved, the binary dir must be regenerated from scratch.
++ file(REMOVE_RECURSE "${MBEDTLS_BINARY_DIR}")
+
+-#TODO: add dependency to generated project on this file!
+-#TODO: add custom target to rebuild Mbed TLS
++ if (NOT mbedtls_POPULATED)
++ message(STATUS "Fetching Mbed TLS")
++ FetchContent_Populate(mbedtls)
++ endif()
++ set_property(DIRECTORY APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS ${MBEDTLS_SOURCE_DIR})
++ endif()
+
+-#Build the library
+-execute_process(COMMAND
+- ${CMAKE_COMMAND} --build ${mbedtls_BINARY_DIR} --parallel ${PROCESSOR_COUNT} --target install
++ # Build mbedcrypto library
++
++ # Convert the include path list to a string. Needed to make parameter passing to
++ # Mbed TLS build work fine.
++ string(REPLACE ";" "\\;" MBEDTLS_EXTRA_INCLUDES "${MBEDTLS_EXTRA_INCLUDES}")
++
++ find_package(Python3 REQUIRED COMPONENTS Interpreter)
++
++ #Configure Mbed TLS to build only mbedcrypto lib
++ execute_process(COMMAND ${Python3_EXECUTABLE} scripts/config.py crypto WORKING_DIRECTORY ${MBEDTLS_SOURCE_DIR})
++
++ # Advertise Mbed TLS as the provider of the psa crypto API
++ set(PSA_CRYPTO_API_INCLUDE "${MBEDTLS_INSTALL_DIR}/include" CACHE STRING "PSA Crypto API include path")
++
++ #Configure the library
++ execute_process(COMMAND
++ ${CMAKE_COMMAND} -E env CROSS_COMPILE=${CROSS_COMPILE}
++ ${CMAKE_COMMAND}
++ -DENABLE_PROGRAMS=OFF
++ -DENABLE_TESTING=OFF
++ -DUNSAFE_BUILD=ON
++ -DCMAKE_INSTALL_PREFIX=${MBEDTLS_INSTALL_DIR}
++ -DCMAKE_TOOLCHAIN_FILE=${TS_EXTERNAL_LIB_TOOLCHAIN_FILE}
++ -DCMAKE_TRY_COMPILE_TARGET_TYPE=STATIC_LIBRARY
++ -DEXTERNAL_DEFINITIONS=-DMBEDTLS_USER_CONFIG_FILE="${MBEDTLS_USER_CONFIG_FILE}"
++ -DEXTERNAL_INCLUDE_PATHS=${MBEDTLS_EXTRA_INCLUDES}
++ -GUnix\ Makefiles
++ ${MBEDTLS_SOURCE_DIR}
++ WORKING_DIRECTORY
++ ${MBEDTLS_BINARY_DIR}
+ RESULT_VARIABLE _exec_error
+ )
+-if (_exec_error)
+- message(FATAL_ERROR "Build step of Mbed TLS failed with ${_exec_error}.")
++
++ if (_exec_error)
++ message(FATAL_ERROR "Configuration step of Mbed TLS failed with ${_exec_error}.")
++ endif()
++
++ #Build the library
++ execute_process(COMMAND
++ ${CMAKE_COMMAND} --build ${MBEDTLS_BINARY_DIR} --parallel ${PROCESSOR_COUNT} --target install
++ RESULT_VARIABLE _exec_error
++ )
++
++ if (_exec_error)
++ message(FATAL_ERROR "Build step of Mbed TLS failed with ${_exec_error}.")
++ endif()
++
++ set(MBEDCRYPTO_LIB_FILE "${MBEDTLS_INSTALL_DIR}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}mbedcrypto${CMAKE_STATIC_LIBRARY_SUFFIX}")
+ endif()
+
+ #Create an imported target to have clean abstraction in the build-system.
+ add_library(mbedcrypto STATIC IMPORTED)
+-set_property(TARGET mbedcrypto PROPERTY IMPORTED_LOCATION "${MBEDTLS_INSTALL_PATH}/lib/${CMAKE_STATIC_LIBRARY_PREFIX}mbedcrypto${CMAKE_STATIC_LIBRARY_SUFFIX}")
+-set_property(TARGET mbedcrypto PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INSTALL_PATH}/include")
++set_property(DIRECTORY ${CMAKE_SOURCE_DIR} APPEND PROPERTY CMAKE_CONFIGURE_DEPENDS ${MBEDCRYPTO_LIB_FILE})
++set_property(TARGET mbedcrypto PROPERTY IMPORTED_LOCATION ${MBEDCRYPTO_LIB_FILE})
++set_property(TARGET mbedcrypto PROPERTY INTERFACE_INCLUDE_DIRECTORIES "${MBEDTLS_INSTALL_DIR}/include")
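Review bot: The new fast path at `find_library(MBEDCRYPTO_LIB_FILE ...)` links whatever `libmbedcrypto.a` already sits under `MBEDTLS_INSTALL_DIR`, with no check that it was built from `MBEDTLS_REFSPEC` or with the current `MBEDTLS_USER_CONFIG_FILE`, so a stale or differently configured crypto library is used silently. Consider writing a stamp file holding the refspec and config path at install time and rebuilding when it does not match, and at least report the choice with `message(STATUS "Using prebuilt mbedcrypto: ${MBEDCRYPTO_LIB_FILE}")`. `PSA_CRYPTO_API_INCLUDE` is now set only inside `if (NOT MBEDCRYPTO_LIB_FILE)`, so a clean configure that finds a prebuilt library appears to leave it undefined; move that `set(...)` below the final `endif()`. The `scripts/config.py crypto` call still has no result check, so a failed reconfiguration would go unnoticed and the full library configuration would be built instead; add `RESULT_VARIABLE _exec_error` and the same `FATAL_ERROR` test used for the configure step.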
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,41 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From ba99622ba2f0048159bea2d0086173b8d5365473 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Fri, 11 Feb 2022 12:30:45 +0000
+Subject: [PATCH 02/15] Fix format specifier in logging_caller
+
+A previous change increased the width of the opstatus value
+returned by an rpc endpoint from 32 to 64 bits. This change
+corrects the printf format specifier in the rpc logging_caller
+that corresponds to logging the opstatus value.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: Ie695a6bf8cf8014317b85196d7b933d344782b2c
+---
+ components/rpc/common/logging/logging_caller.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/components/rpc/common/logging/logging_caller.c b/components/rpc/common/logging/logging_caller.c
+index 07c33de5..cac03f2f 100644
+--- a/components/rpc/common/logging/logging_caller.c
++++ b/components/rpc/common/logging/logging_caller.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -87,7 +87,7 @@ static rpc_status_t call_invoke(void *context, rpc_call_handle handle, uint32_t
+
+ if (status == TS_RPC_CALL_ACCEPTED) {
+
+- fprintf(this_instance->log_file, "op_status: %d\n", *opstatus);
++ fprintf(this_instance->log_file, "op_status: %ld\n", *opstatus);
+ fprintf(this_instance->log_file, "resp_len: %ld\n", *resp_len);
+ }
+
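Review bot: `%ld` matches a 64-bit value only on targets where `long` is 64 bits wide; where `long` is 32 bits, the new `op_status` format string mismatches its argument, which is undefined behaviour in `fprintf`. The commit message says the value is now 64 bits wide (its declaration is outside this hunk), so use the fixed-width macro: `fprintf(this_instance->log_file, "op_status: %" PRId64 "\n", (int64_t)*opstatus);` with `#include <inttypes.h>`. The neighbouring `resp_len` line has the same portability problem if `*resp_len` is a `size_t`; `"resp_len: %zu\n"` would be the matching specifier. The body of `call_invoke` starts and ends outside the hunk.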
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,65 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From ba6af6e6500a2ba25ab6c01d641383c24f9fab07 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Fri, 11 Feb 2022 13:42:59 +0000
+Subject: [PATCH 03/15] Update refspecs for mbedtls and psa-arch-tests for
+ v3.1.0
+
+Updates external component refspecs to use mbedtls 3.1.0 and
+compatible API tests from psa-arch-test.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: I1b5cebd7de3c1885f5f8a8ea21ba5e4c52aefaf4
+---
+ external/MbedTLS/MbedTLS.cmake | 2 +-
+ external/psa_arch_tests/psa_arch_tests.cmake | 17 ++++++-----------
+ 2 files changed, 7 insertions(+), 12 deletions(-)
+
+diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake
+index 935be765..3350d8a0 100644
+--- a/external/MbedTLS/MbedTLS.cmake
++++ b/external/MbedTLS/MbedTLS.cmake
+@@ -7,7 +7,7 @@
+
+ set(MBEDTLS_URL "https://github.com/ARMmbed/mbedtls.git"
+ CACHE STRING "Mbed TLS repository URL")
+-set(MBEDTLS_REFSPEC "mbedtls-3.0.0"
++set(MBEDTLS_REFSPEC "mbedtls-3.1.0"
+ CACHE STRING "Mbed TLS git refspec")
+ set(MBEDTLS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/mbedtls-src"
+ CACHE PATH "MbedTLS source directory")
+diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake
+index e6ab73f7..f6d2fb9f 100644
+--- a/external/psa_arch_tests/psa_arch_tests.cmake
++++ b/external/psa_arch_tests/psa_arch_tests.cmake
+@@ -5,20 +5,15 @@
+ #
+ #-------------------------------------------------------------------------------
+
+-# Determine the number of processes to run while running parallel builds.
+-# Pass -DPROCESSOR_COUNT=<n> to cmake to override.
+-if(NOT DEFINED PROCESSOR_COUNT)
+- include(ProcessorCount)
+- ProcessorCount(PROCESSOR_COUNT)
+- set(PROCESSOR_COUNT ${PROCESSOR_COUNT} CACHE STRING "Number of cores to use for parallel builds.")
+-endif()
++# Temporarily using modified tests used for tf-m verification
++set(PSA_ARCH_TESTS_URL "https://github.com/bensze01/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL")
++set(PSA_ARCH_TESTS_REFSPEC "fix-multipart-aead" CACHE STRING "psa-arch-tests git refspec")
+
+-set(PSA_ARCH_TESTS_URL "https://github.com/ARM-software/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL")
+-set(PSA_ARCH_TESTS_REFSPEC "master" CACHE STRING "psa-arch-tests git refspec")
++#set(PSA_ARCH_TESTS_URL "https://github.com/ARM-software/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL")
++#set(PSA_ARCH_TESTS_REFSPEC "2a1852252a9b9af655cbe02d5d3c930952d0d798" CACHE STRING "psa-arch-tests v22.01_API1.4_ADAC_BETA")
+ set(PSA_ARCH_TESTS_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/psa-arch-tests_install" CACHE PATH "psa-arch-tests installation directory")
+ set(PSA_ARCH_TESTS_PACKAGE_PATH "${PSA_ARCH_TESTS_INSTALL_PATH}/libpsa-arch-tests/cmake" CACHE PATH "psa-arch-tests CMake package directory")
+-
+-include(FetchContent)
++set(PSA_ARCH_TESTS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/psa_arch_tests-src" CACHE PATH "psa-arch-tests source.")
+
+ # Checking git
+ find_program(GIT_COMMAND "git")
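Review bot: `PSA_ARCH_TESTS_URL` now points at a personal fork and `PSA_ARCH_TESTS_REFSPEC` at the branch name `fix-multipart-aead`, so the sources that get fetched and built can change under identical build inputs whenever that branch moves. Pin the refspec to a full commit id, as the commented-out upstream line already does, e.g. `set(PSA_ARCH_TESTS_REFSPEC "<commit-id-on-fix-multipart-aead>" CACHE STRING "psa-arch-tests git refspec")` (placeholder value). The `# Temporarily using ...` comment should also state what condition ends the temporary switch. The hunk also drops `include(FetchContent)` and the `PROCESSOR_COUNT` block; if the rest of this file (outside the hunk) still uses them, it now relies on MbedTLS.cmake having run its build branch first, and that branch is skipped when a prebuilt mbedcrypto is found.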
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,1080 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 5afda176526010872b5849622a69c1a4cafb76fd Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Fri, 11 Feb 2022 14:08:13 +0000
+Subject: [PATCH 04/15] Separate sign/verify message and hash operations
+
+Previous versions of mbedtls didn't distinguish between
+asymmetric sign and verify operations on a hash or message.
+They are now treated as separate operations from a usage
+control perspective. This change makes the corresponding
+hash/message sepration in client and service provider
+components.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: Ic0041c694c026522c9b00c974d22261e9e2feadd
+---
+ .../caller/packed-c/crypto_caller_sign_hash.h | 29 +++++++-
+ .../packed-c/crypto_caller_verify_hash.h | 33 ++++++++-
+ .../caller/stub/crypto_caller_sign_hash.h | 11 ++-
+ .../caller/stub/crypto_caller_verify_hash.h | 11 ++-
+ .../service/crypto/client/cpp/crypto_client.h | 17 ++++-
+ .../packed-c/packedc_crypto_client.cpp | 22 +++++-
+ .../protocol/packed-c/packedc_crypto_client.h | 17 ++++-
+ .../protobuf/protobuf_crypto_client.cpp | 43 ++++++++++-
+ .../protobuf/protobuf_crypto_client.h | 27 ++++++-
+ .../crypto/client/psa/psa_sign_message.c | 24 +++---
+ .../crypto/client/psa/psa_verify_message.c | 24 +++---
+ .../service/crypto/provider/crypto_provider.c | 40 ++++++----
+ .../serializer/crypto_provider_serializer.h | 6 +-
+ .../packedc_crypto_provider_serializer.c | 12 +--
+ .../protobuf/pb_crypto_provider_serializer.c | 74 +++++++++----------
+ .../check_crypto_opcode_alignment.cpp | 25 ++++---
+ .../test/service/crypto_service_scenarios.cpp | 56 +++++++++++++-
+ .../test/service/crypto_service_scenarios.h | 3 +-
+ .../packed-c/crypto_service_packedc_tests.cpp | 7 +-
+ .../crypto_service_protobuf_tests.cpp | 7 +-
+ protocols/service/crypto/packed-c/opcodes.h | 4 +-
+ .../service/crypto/protobuf/opcodes.proto | 4 +-
+ 22 files changed, 366 insertions(+), 130 deletions(-)
+
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h
+index e807773e..4a9ed20d 100644
+--- a/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h
++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -20,7 +20,8 @@
+ extern "C" {
+ #endif
+
+-static inline psa_status_t crypto_caller_sign_hash(struct service_client *context,
++static inline psa_status_t crypto_caller_asym_sign_commom(struct service_client *context,
++ uint32_t opcode,
+ psa_key_id_t id,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
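Review bot: The shared helper is named `crypto_caller_asym_sign_commom`, a misspelling of the `_common` suffix that the verify counterpart `crypto_caller_asym_verify_common` uses. Rename it to `crypto_caller_asym_sign_common` here and at both call sites in the later hunk of this file. In that later hunk the new `crypto_caller_sign_message` wrapper, and its stub in caller/stub/crypto_caller_sign_hash.h, name the input `hash, hash_length` although it carries a message. `const uint8_t *message, size_t message_length` would agree with the C++ client's `sign_message` and avoid implying that the caller must pre-hash. The helper's body continues outside this hunk.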
+@@ -60,7 +61,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
+
+ context->rpc_status =
+ rpc_caller_invoke(context->caller, call_handle,
+- TS_CRYPTO_OPCODE_SIGN_HASH, &opstatus, &resp_buf, &resp_len);
++ opcode, &opstatus, &resp_buf, &resp_len);
+
+ if (context->rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+@@ -98,6 +99,28 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
+ return psa_status;
+ }
+
++static inline psa_status_t crypto_caller_sign_hash(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length)
++{
++ return crypto_caller_asym_sign_commom(context, TS_CRYPTO_OPCODE_SIGN_HASH,
++ id, alg, hash, hash_length,
++ signature, signature_size, signature_length);
++}
++
++static inline psa_status_t crypto_caller_sign_message(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length)
++{
++ return crypto_caller_asym_sign_commom(context, TS_CRYPTO_OPCODE_SIGN_MESSAGE,
++ id, alg, hash, hash_length,
++ signature, signature_size, signature_length);
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h
+index 47152946..daa11330 100644
+--- a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h
++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -20,7 +20,8 @@
+ extern "C" {
+ #endif
+
+-static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
++static inline psa_status_t crypto_caller_asym_verify_common(struct service_client *context,
++ uint32_t opcode,
+ psa_key_id_t id,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+@@ -65,7 +66,7 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
+
+ context->rpc_status =
+ rpc_caller_invoke(context->caller, call_handle,
+- TS_CRYPTO_OPCODE_VERIFY_HASH, &opstatus, &resp_buf, &resp_len);
++ opcode, &opstatus, &resp_buf, &resp_len);
+
+ if (context->rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
+
+@@ -75,6 +76,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
+ return psa_status;
+ }
+
++static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ const uint8_t *signature, size_t signature_length)
++{
++ return crypto_caller_asym_verify_common(context,
++ TS_CRYPTO_OPCODE_VERIFY_HASH,
++ id, alg,
++ hash, hash_length,
++ signature, signature_length);
++}
++
++static inline psa_status_t crypto_caller_verify_message(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *input, size_t input_length,
++ const uint8_t *signature, size_t signature_length)
++{
++ return crypto_caller_asym_verify_common(context,
++ TS_CRYPTO_OPCODE_VERIFY_MESSAGE,
++ id, alg,
++ input, input_length,
++ signature, signature_length);
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h
+index d09369a2..09049f5c 100644
+--- a/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h
++++ b/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -23,6 +23,15 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
++static inline psa_status_t crypto_caller_sign_message(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length)
++{
++ return PSA_ERROR_NOT_SUPPORTED;
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h
+index 20d11dcf..3f3eb878 100644
+--- a/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h
++++ b/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -23,6 +23,15 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
++static inline psa_status_t crypto_caller_verify_message(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *input, size_t input_length,
++ const uint8_t *signature, size_t signature_length)
++{
++ return PSA_ERROR_NOT_SUPPORTED;
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
+index 2a5e5b99..ccb0714a 100644
+--- a/components/service/crypto/client/cpp/crypto_client.h
++++ b/components/service/crypto/client/cpp/crypto_client.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -57,7 +57,7 @@ public:
+ psa_key_id_t id,
+ uint8_t *data, size_t data_size, size_t *data_length) = 0;
+
+- /* Sign/verify methods */
++ /* Sign/verify hash methods */
+ virtual psa_status_t sign_hash(
+ psa_key_id_t id,
+ psa_algorithm_t alg,
+@@ -70,6 +70,19 @@ public:
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length) = 0;
+
++ /* Sign/verify message methods */
++ virtual psa_status_t sign_message(
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length) = 0;
++
++ virtual psa_status_t verify_message(
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ const uint8_t *signature, size_t signature_length) = 0;
++
+ /* Asymmetric encrypt/decrypt */
+ virtual psa_status_t asymmetric_encrypt(
+ psa_key_id_t id,
+diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+index 4d9d8f41..4e10f9be 100644
+--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
++++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -107,6 +107,26 @@ psa_status_t packedc_crypto_client::verify_hash(
+ signature, signature_length);
+ }
+
++psa_status_t packedc_crypto_client::sign_message(
++ psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length)
++{
++ return crypto_caller_sign_message(&m_client, id, alg,
++ message, message_length,
++ signature, signature_size, signature_length);
++}
++
++psa_status_t packedc_crypto_client::verify_message(
++ psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ const uint8_t *signature, size_t signature_length)
++{
++ return crypto_caller_verify_message(&m_client, id, alg,
++ message, message_length,
++ signature, signature_length);
++}
++
+ psa_status_t packedc_crypto_client::asymmetric_encrypt(
+ psa_key_id_t id, psa_algorithm_t alg,
+ const uint8_t *input, size_t input_length,
+diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+index 377b51d1..d74ba609 100644
+--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
++++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -54,7 +54,7 @@ public:
+ psa_key_id_t id,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+- /* Sign/verify methods */
++ /* Sign/verify hash methods */
+ psa_status_t sign_hash(
+ psa_key_id_t id,
+ psa_algorithm_t alg,
+@@ -67,6 +67,19 @@ public:
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
++ /* Sign/verify message methods */
++ psa_status_t sign_message(
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length);
++
++ psa_status_t verify_message(
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ const uint8_t *signature, size_t signature_length);
++
+ /* Asymmetric encrypt/decrypt */
+ psa_status_t asymmetric_encrypt(
+ psa_key_id_t id,
+diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+index 17780351..28c8f6fb 100644
+--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
++++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+@@ -386,6 +386,25 @@ psa_status_t protobuf_crypto_client::export_public_key(psa_key_id_t id,
+ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ uint8_t *signature, size_t signature_size, size_t *signature_length)
++{
++ return asym_sign(ts_crypto_Opcode_SIGN_HASH, id, alg,
++ hash, hash_length,
++ signature, signature_size, signature_length);
++}
++
++psa_status_t protobuf_crypto_client::sign_message(psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length)
++{
++ return asym_sign(ts_crypto_Opcode_SIGN_MESSAGE, id, alg,
++ message, message_length,
++ signature, signature_size, signature_length);
++}
++
++psa_status_t protobuf_crypto_client::asym_sign(uint32_t opcode,
++ psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length)
+ {
+ size_t req_len;
+ pb_bytes_array_t *hash_byte_array =
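Review bot: The parameters of `asym_sign` are still named `hash`/`hash_length`, although the helper now carries a whole message when called with `ts_crypto_Opcode_SIGN_MESSAGE`. Renaming them to `input`/`input_length`, or adding `/* 'hash' holds the digest for SIGN_HASH and the raw message for SIGN_MESSAGE */` above the definition, would keep the two cases apart for the next reader. The same naming survives in `asym_verify` and in the renamed serializer callbacks such as `deserialize_asymmetric_sign_req`, which still sit under `/* Operation: sign_hash */`. The body of `asym_sign` continues outside this hunk.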
+@@ -416,7 +435,7 @@ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t
+ pb_encode(&ostream, ts_crypto_SignHashIn_fields, &req_msg);
+
+ m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle,
+- ts_crypto_Opcode_SIGN_HASH, &opstatus, &resp_buf, &resp_len);
++ opcode, &opstatus, &resp_buf, &resp_len);
+
+ if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+@@ -462,10 +481,28 @@ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t
+ return psa_status;
+ }
+
+-
+ psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
++{
++ return asym_verify(ts_crypto_Opcode_VERIFY_HASH, id, alg,
++ hash, hash_length,
++ signature, signature_length);
++}
++
++psa_status_t protobuf_crypto_client::verify_message(psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ const uint8_t *signature, size_t signature_length)
++{
++ return asym_verify(ts_crypto_Opcode_VERIFY_MESSAGE, id, alg,
++ message, message_length,
++ signature, signature_length);
++}
++
++psa_status_t protobuf_crypto_client::asym_verify(uint32_t opcode,
++ psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ const uint8_t *signature, size_t signature_length)
+ {
+ size_t req_len;
+ pb_bytes_array_t *hash_byte_array =
+@@ -497,7 +534,7 @@ psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_
+ pb_encode(&ostream, ts_crypto_VerifyHashIn_fields, &req_msg);
+
+ m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle,
+- ts_crypto_Opcode_VERIFY_HASH, &opstatus, &resp_buf, &resp_len);
++ opcode, &opstatus, &resp_buf, &resp_len);
+
+ if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
+
+diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+index 085d9cfa..abe4439e 100644
+--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
++++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -54,7 +54,7 @@ public:
+ psa_key_id_t id,
+ uint8_t *data, size_t data_size, size_t *data_length);
+
+- /* Sign/verify methods */
++ /* Sign/verify hash methods */
+ psa_status_t sign_hash(
+ psa_key_id_t id,
+ psa_algorithm_t alg,
+@@ -67,6 +67,19 @@ public:
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
++ /* Sign/verify message methods */
++ psa_status_t sign_message(
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length);
++
++ psa_status_t verify_message(
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *message, size_t message_length,
++ const uint8_t *signature, size_t signature_length);
++
+ /* Asymmetric encrypt/decrypt */
+ psa_status_t asymmetric_encrypt(
+ psa_key_id_t id,
+@@ -221,6 +234,16 @@ public:
+
+ private:
+
++ psa_status_t asym_sign(uint32_t opcode,
++ psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ uint8_t *signature, size_t signature_size, size_t *signature_length);
++
++ psa_status_t asym_verify(uint32_t opcode,
++ psa_key_id_t id, psa_algorithm_t alg,
++ const uint8_t *hash, size_t hash_length,
++ const uint8_t *signature, size_t signature_length);
++
+ void translate_key_attributes(
+ ts_crypto_KeyAttributes &proto_attributes,
+ const psa_key_attributes_t &psa_attributes);
+diff --git a/components/service/crypto/client/psa/psa_sign_message.c b/components/service/crypto/client/psa/psa_sign_message.c
+index dc2f7e80..b6446253 100644
+--- a/components/service/crypto/client/psa/psa_sign_message.c
++++ b/components/service/crypto/client/psa/psa_sign_message.c
+@@ -1,13 +1,15 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+ #include <psa/crypto.h>
++#include "psa_crypto_client.h"
++#include "crypto_caller_selector.h"
+
+ psa_status_t psa_sign_message(
+- psa_key_id_t key,
++ psa_key_id_t id,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+@@ -15,19 +17,11 @@ psa_status_t psa_sign_message(
+ size_t signature_size,
+ size_t *signature_length)
+ {
+- size_t hash_len;
+- uint8_t hash[PSA_HASH_MAX_SIZE];
++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
++ return psa_crypto_client_instance.init_status;
+
+- psa_status_t psa_status = psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg),
++ return crypto_caller_sign_message(&psa_crypto_client_instance.base,
++ id, alg,
+ input, input_length,
+- hash, sizeof(hash), &hash_len);
+-
+- if (psa_status == PSA_SUCCESS) {
+-
+- psa_status = psa_sign_hash(key, alg,
+- hash, hash_len,
+- signature, signature_size, signature_length);
+- }
+-
+- return psa_status;
++ signature, signature_size, signature_length);
+ }
+diff --git a/components/service/crypto/client/psa/psa_verify_message.c b/components/service/crypto/client/psa/psa_verify_message.c
+index d0fbc7c8..57c2c5e8 100644
+--- a/components/service/crypto/client/psa/psa_verify_message.c
++++ b/components/service/crypto/client/psa/psa_verify_message.c
+@@ -1,32 +1,26 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+ #include <psa/crypto.h>
++#include "psa_crypto_client.h"
++#include "crypto_caller_selector.h"
+
+ psa_status_t psa_verify_message(
+- psa_key_id_t key,
++ psa_key_id_t id,
+ psa_algorithm_t alg,
+ const uint8_t *input,
+ size_t input_length,
+ const uint8_t * signature,
+ size_t signature_length)
+ {
+- size_t hash_len;
+- uint8_t hash[PSA_HASH_MAX_SIZE];
++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
++ return psa_crypto_client_instance.init_status;
+
+- psa_status_t psa_status = psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg),
++ return crypto_caller_verify_message(&psa_crypto_client_instance.base,
++ id, alg,
+ input, input_length,
+- hash, sizeof(hash), &hash_len);
+-
+- if (psa_status == PSA_SUCCESS) {
+-
+- psa_status = psa_verify_hash(key, alg,
+- hash, hash_len,
+- signature, signature_length);
+- }
+-
+- return psa_status;
++ signature, signature_length);
+ }
+diff --git a/components/service/crypto/provider/crypto_provider.c b/components/service/crypto/provider/crypto_provider.c
+index d0fc7cac..67a5b340 100644
+--- a/components/service/crypto/provider/crypto_provider.c
++++ b/components/service/crypto/provider/crypto_provider.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -16,8 +16,8 @@ static rpc_status_t destroy_key_handler(void *context, struct call_req* req);
+ static rpc_status_t export_key_handler(void *context, struct call_req* req);
+ static rpc_status_t export_public_key_handler(void *context, struct call_req* req);
+ static rpc_status_t import_key_handler(void *context, struct call_req* req);
+-static rpc_status_t sign_hash_handler(void *context, struct call_req* req);
+-static rpc_status_t verify_hash_handler(void *context, struct call_req* req);
++static rpc_status_t asymmetric_sign_handler(void *context, struct call_req* req);
++static rpc_status_t asymmetric_verify_handler(void *context, struct call_req* req);
+ static rpc_status_t asymmetric_decrypt_handler(void *context, struct call_req* req);
+ static rpc_status_t asymmetric_encrypt_handler(void *context, struct call_req* req);
+ static rpc_status_t generate_random_handler(void *context, struct call_req* req);
+@@ -32,14 +32,16 @@ static const struct service_handler handler_table[] = {
+ {TS_CRYPTO_OPCODE_EXPORT_KEY, export_key_handler},
+ {TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, export_public_key_handler},
+ {TS_CRYPTO_OPCODE_IMPORT_KEY, import_key_handler},
+- {TS_CRYPTO_OPCODE_SIGN_HASH, sign_hash_handler},
+- {TS_CRYPTO_OPCODE_VERIFY_HASH, verify_hash_handler},
++ {TS_CRYPTO_OPCODE_SIGN_HASH, asymmetric_sign_handler},
++ {TS_CRYPTO_OPCODE_VERIFY_HASH, asymmetric_verify_handler},
+ {TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, asymmetric_decrypt_handler},
+ {TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, asymmetric_encrypt_handler},
+ {TS_CRYPTO_OPCODE_GENERATE_RANDOM, generate_random_handler},
+ {TS_CRYPTO_OPCODE_COPY_KEY, copy_key_handler},
+ {TS_CRYPTO_OPCODE_PURGE_KEY, purge_key_handler},
+ {TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, get_key_attributes_handler},
++ {TS_CRYPTO_OPCODE_SIGN_MESSAGE, asymmetric_sign_handler},
++ {TS_CRYPTO_OPCODE_VERIFY_MESSAGE, asymmetric_verify_handler},
+ };
+
+ struct rpc_interface *crypto_provider_init(struct crypto_provider *context)
+@@ -272,7 +274,7 @@ static rpc_status_t import_key_handler(void *context, struct call_req* req)
+ return rpc_status;
+ }
+
+-static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
++static rpc_status_t asymmetric_sign_handler(void *context, struct call_req* req)
+ {
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+@@ -284,7 +286,7 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
+ uint8_t hash_buffer[PSA_HASH_MAX_SIZE];
+
+ if (serializer)
+- rpc_status = serializer->deserialize_sign_hash_req(req_buf, &id, &alg, hash_buffer, &hash_len);
++ rpc_status = serializer->deserialize_asymmetric_sign_req(req_buf, &id, &alg, hash_buffer, &hash_len);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+@@ -292,14 +294,16 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
+ size_t sig_len;
+ uint8_t sig_buffer[PSA_SIGNATURE_MAX_SIZE];
+
+- psa_status = psa_sign_hash(id, alg,
+- hash_buffer, hash_len,
+- sig_buffer, sizeof(sig_buffer), &sig_len);
++ psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_SIGN_HASH) ?
++ psa_sign_hash(id, alg, hash_buffer, hash_len,
++ sig_buffer, sizeof(sig_buffer), &sig_len) :
++ psa_sign_message(id, alg, hash_buffer, hash_len,
++ sig_buffer, sizeof(sig_buffer), &sig_len);
+
+ if (psa_status == PSA_SUCCESS) {
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+- rpc_status = serializer->serialize_sign_hash_resp(resp_buf, sig_buffer, sig_len);
++ rpc_status = serializer->serialize_asymmetric_sign_resp(resp_buf, sig_buffer, sig_len);
+ }
+
+ call_req_set_opstatus(req, psa_status);
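Review bot: The `psa_sign_message` branch is fed from `hash_buffer`, which the preceding hunk shows declared as `uint8_t hash_buffer[PSA_HASH_MAX_SIZE]`, so the message path can only accept input that fits a hash-sized stack buffer. This patch also changes the client-side `psa_sign_message`/`psa_verify_message` to forward the whole message instead of hashing it locally, so callers with longer messages would presumably start failing. Whether `deserialize_asymmetric_sign_req` bounds its copy by the buffer size is not visible here and should be confirmed, since an unbounded copy would overrun the buffer. Consider a buffer sized for messages on the message opcodes, and at least document the limit with `/* Holds the digest for SIGN_HASH or the whole message for SIGN_MESSAGE; input is limited to PSA_HASH_MAX_SIZE bytes */`. The same applies to `asymmetric_verify_handler` in the later hunk; both function bodies start outside these hunks.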
+@@ -308,7 +312,7 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
+ return rpc_status;
+ }
+
+-static rpc_status_t verify_hash_handler(void *context, struct call_req* req)
++static rpc_status_t asymmetric_verify_handler(void *context, struct call_req* req)
+ {
+ rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
+ struct call_param_buf *req_buf = call_req_get_req_buf(req);
+@@ -322,7 +326,7 @@ static rpc_status_t verify_hash_handler(void *context, struct call_req* req)
+ uint8_t sig_buffer[PSA_SIGNATURE_MAX_SIZE];
+
+ if (serializer)
+- rpc_status = serializer->deserialize_verify_hash_req(req_buf, &id, &alg,
++ rpc_status = serializer->deserialize_asymmetric_verify_req(req_buf, &id, &alg,
+ hash_buffer, &hash_len,
+ sig_buffer, &sig_len);
+
+@@ -330,9 +334,13 @@ static rpc_status_t verify_hash_handler(void *context, struct call_req* req)
+
+ psa_status_t psa_status;
+
+- psa_status = psa_verify_hash(id, alg,
+- hash_buffer, hash_len,
+- sig_buffer, sig_len);
++ psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_VERIFY_HASH) ?
++ psa_verify_hash(id, alg,
++ hash_buffer, hash_len,
++ sig_buffer, sig_len) :
++ psa_verify_message(id, alg,
++ hash_buffer, hash_len,
++ sig_buffer, sig_len);
+
+ call_req_set_opstatus(req, psa_status);
+ }
+diff --git a/components/service/crypto/provider/serializer/crypto_provider_serializer.h b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+index 68940cae..57364f24 100644
+--- a/components/service/crypto/provider/serializer/crypto_provider_serializer.h
++++ b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+@@ -79,15 +79,15 @@ struct crypto_provider_serializer {
+ const psa_key_attributes_t *attributes);
+
+ /* Operation: sign_hash */
+- rpc_status_t (*deserialize_sign_hash_req)(const struct call_param_buf *req_buf,
++ rpc_status_t (*deserialize_asymmetric_sign_req)(const struct call_param_buf *req_buf,
+ psa_key_id_t *id, psa_algorithm_t *alg,
+ uint8_t *hash, size_t *hash_len);
+
+- rpc_status_t (*serialize_sign_hash_resp)(struct call_param_buf *resp_buf,
++ rpc_status_t (*serialize_asymmetric_sign_resp)(struct call_param_buf *resp_buf,
+ const uint8_t *sig, size_t sig_len);
+
+ /* Operation: verify_hash */
+- rpc_status_t (*deserialize_verify_hash_req)(const struct call_param_buf *req_buf,
++ rpc_status_t (*deserialize_asymmetric_verify_req)(const struct call_param_buf *req_buf,
+ psa_key_id_t *id, psa_algorithm_t *alg,
+ uint8_t *hash, size_t *hash_len,
+ uint8_t *sig, size_t *sig_len);
+diff --git a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+index c70db865..4a7e59f0 100644
+--- a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
++++ b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+@@ -333,7 +333,7 @@ static rpc_status_t serialize_get_key_attributes_resp(struct call_param_buf *res
+ }
+
+ /* Operation: sign_hash */
+-static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_buf,
++static rpc_status_t deserialize_asymmetric_sign_req(const struct call_param_buf *req_buf,
+ psa_key_id_t *id, psa_algorithm_t *alg,
+ uint8_t *hash, size_t *hash_len)
+ {
+@@ -378,7 +378,7 @@ static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_b
+ return rpc_status;
+ }
+
+-static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
++static rpc_status_t serialize_asymmetric_sign_resp(struct call_param_buf *resp_buf,
+ const uint8_t *sig, size_t sig_len)
+ {
+ rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
+@@ -401,7 +401,7 @@ static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
+ }
+
+ /* Operation: verify_hash */
+-static rpc_status_t deserialize_verify_hash_req(const struct call_param_buf *req_buf,
++static rpc_status_t deserialize_asymmetric_verify_req(const struct call_param_buf *req_buf,
+ psa_key_id_t *id, psa_algorithm_t *alg,
+ uint8_t *hash, size_t *hash_len,
+ uint8_t *sig, size_t *sig_len)
+@@ -695,9 +695,9 @@ const struct crypto_provider_serializer *packedc_crypto_provider_serializer_inst
+ deserialize_purge_key_req,
+ deserialize_get_key_attributes_req,
+ serialize_get_key_attributes_resp,
+- deserialize_sign_hash_req,
+- serialize_sign_hash_resp,
+- deserialize_verify_hash_req,
++ deserialize_asymmetric_sign_req,
++ serialize_asymmetric_sign_resp,
++ deserialize_asymmetric_verify_req,
+ deserialize_asymmetric_decrypt_req,
+ serialize_asymmetric_decrypt_resp,
+ deserialize_asymmetric_encrypt_req,
+diff --git a/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c
+index 7767d20a..083a581a 100644
+--- a/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c
++++ b/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c
+@@ -267,9 +267,9 @@ static rpc_status_t serialize_get_key_attributes_resp(struct call_param_buf *res
+ }
+
+ /* Operation: sign_hash */
+-static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_buf,
+- psa_key_id_t *id, psa_algorithm_t *alg,
+- uint8_t *hash, size_t *hash_len)
++static rpc_status_t deserialize_asymmetric_sign_req(const struct call_param_buf *req_buf,
++ psa_key_id_t *id, psa_algorithm_t *alg,
++ uint8_t *hash, size_t *hash_len)
+ {
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ ts_crypto_SignHashIn recv_msg = ts_crypto_SignHashIn_init_default;
+@@ -295,8 +295,8 @@ static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_b
+ return rpc_status;
+ }
+
+-static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
+- const uint8_t *sig, size_t sig_len)
++static rpc_status_t serialize_asymmetric_sign_resp(struct call_param_buf *resp_buf,
++ const uint8_t *sig, size_t sig_len)
+ {
+ size_t packed_resp_size;
+ rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
+@@ -323,10 +323,10 @@ static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
+ }
+
+ /* Operation: verify_hash */
+-static rpc_status_t deserialize_verify_hash_req(const struct call_param_buf *req_buf,
+- psa_key_id_t *id, psa_algorithm_t *alg,
+- uint8_t *hash, size_t *hash_len,
+- uint8_t *sig, size_t *sig_len)
++static rpc_status_t deserialize_asymmetric_verify_req(const struct call_param_buf *req_buf,
++ psa_key_id_t *id, psa_algorithm_t *alg,
++ uint8_t *hash, size_t *hash_len,
++ uint8_t *sig, size_t *sig_len)
+ {
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+ ts_crypto_VerifyHashIn recv_msg = ts_crypto_VerifyHashIn_init_default;
+@@ -538,32 +538,32 @@ static rpc_status_t serialize_generate_random_resp(struct call_param_buf *resp_b
+ /* Singleton method to provide access to the serializer instance */
+ const struct crypto_provider_serializer *pb_crypto_provider_serializer_instance(void)
+ {
+- static const struct crypto_provider_serializer instance = {
+- max_deserialised_parameter_size,
+- deserialize_generate_key_req,
+- serialize_generate_key_resp,
+- deserialize_destroy_key_req,
+- deserialize_export_key_req,
+- serialize_export_key_resp,
+- deserialize_export_public_key_req,
+- serialize_export_public_key_resp,
+- deserialize_import_key_req,
+- serialize_import_key_resp,
+- deserialize_copy_key_req,
+- serialize_copy_key_resp,
+- deserialize_purge_key_req,
+- deserialize_get_key_attributes_req,
+- serialize_get_key_attributes_resp,
+- deserialize_sign_hash_req,
+- serialize_sign_hash_resp,
+- deserialize_verify_hash_req,
+- deserialize_asymmetric_decrypt_req,
+- serialize_asymmetric_decrypt_resp,
+- deserialize_asymmetric_encrypt_req,
+- serialize_asymmetric_encrypt_resp,
+- deserialize_generate_random_req,
+- serialize_generate_random_resp
+- };
+-
+- return &instance;
++ static const struct crypto_provider_serializer instance = {
++ max_deserialised_parameter_size,
++ deserialize_generate_key_req,
++ serialize_generate_key_resp,
++ deserialize_destroy_key_req,
++ deserialize_export_key_req,
++ serialize_export_key_resp,
++ deserialize_export_public_key_req,
++ serialize_export_public_key_resp,
++ deserialize_import_key_req,
++ serialize_import_key_resp,
++ deserialize_copy_key_req,
++ serialize_copy_key_resp,
++ deserialize_purge_key_req,
++ deserialize_get_key_attributes_req,
++ serialize_get_key_attributes_resp,
++ deserialize_asymmetric_sign_req,
++ serialize_asymmetric_sign_resp,
++ deserialize_asymmetric_verify_req,
++ deserialize_asymmetric_decrypt_req,
++ serialize_asymmetric_decrypt_resp,
++ deserialize_asymmetric_encrypt_req,
++ serialize_asymmetric_encrypt_resp,
++ deserialize_generate_random_req,
++ serialize_generate_random_resp
++ };
++
++ return &instance;
+ }
+diff --git a/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp b/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp
+index bd6c66ee..da01abf4 100644
+--- a/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp
++++ b/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -18,15 +18,16 @@ TEST_GROUP(CryptoProtocolOpcodeChecks)
+
+ TEST(CryptoProtocolOpcodeChecks, checkPackedcToProtobuf)
+ {
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_KEY, ts_crypto_Opcode_GENERATE_KEY);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_DESTROY_KEY, ts_crypto_Opcode_DESTROY_KEY);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_KEY, ts_crypto_Opcode_EXPORT_KEY);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, ts_crypto_Opcode_EXPORT_PUBLIC_KEY);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_IMPORT_KEY, ts_crypto_Opcode_IMPORT_KEY);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_HASH, ts_crypto_Opcode_SIGN_HASH);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_HASH, ts_crypto_Opcode_VERIFY_HASH);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, ts_crypto_Opcode_ASYMMETRIC_DECRYPT);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, ts_crypto_Opcode_ASYMMETRIC_ENCRYPT);
+- CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_RANDOM, ts_crypto_Opcode_GENERATE_RANDOM);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_KEY, ts_crypto_Opcode_GENERATE_KEY);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_DESTROY_KEY, ts_crypto_Opcode_DESTROY_KEY);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_KEY, ts_crypto_Opcode_EXPORT_KEY);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, ts_crypto_Opcode_EXPORT_PUBLIC_KEY);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_IMPORT_KEY, ts_crypto_Opcode_IMPORT_KEY);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_HASH, ts_crypto_Opcode_SIGN_HASH);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_HASH, ts_crypto_Opcode_VERIFY_HASH);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, ts_crypto_Opcode_ASYMMETRIC_DECRYPT);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, ts_crypto_Opcode_ASYMMETRIC_ENCRYPT);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_RANDOM, ts_crypto_Opcode_GENERATE_RANDOM);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_MESSAGE, ts_crypto_Opcode_SIGN_MESSAGE);
++ CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_MESSAGE, ts_crypto_Opcode_VERIFY_MESSAGE);
+ }
+-
+diff --git a/components/service/crypto/test/service/crypto_service_scenarios.cpp b/components/service/crypto/test/service/crypto_service_scenarios.cpp
+index ec2c6736..b3345551 100644
+--- a/components/service/crypto/test/service/crypto_service_scenarios.cpp
++++ b/components/service/crypto/test/service/crypto_service_scenarios.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -290,6 +290,56 @@ void crypto_service_scenarios::signAndVerifyHash()
+ CHECK_EQUAL(PSA_SUCCESS, status);
+ }
+
++void crypto_service_scenarios::signAndVerifyMessage()
++{
++ psa_status_t status;
++ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
++ psa_key_id_t key_id;
++
++ psa_set_key_id(&attributes, 14);
++ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE);
++ psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
++ psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
++ psa_set_key_bits(&attributes, 256);
++
++ /* Generate a key */
++ status = m_crypto_client->generate_key(&attributes, &key_id);
++ CHECK_EQUAL(PSA_SUCCESS, status);
++
++ psa_reset_key_attributes(&attributes);
++
++ /* Sign a message */
++ uint8_t message[21];
++ uint8_t signature[PSA_SIGNATURE_MAX_SIZE];
++ size_t signature_length;
++
++ memset(message, 0x99, sizeof(message));
++
++ status = m_crypto_client->sign_message(key_id,
++ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message),
++ signature, sizeof(signature), &signature_length);
++
++ CHECK_EQUAL(PSA_SUCCESS, status);
++ CHECK(signature_length > 0);
++
++ /* Verify the signature */
++ status = m_crypto_client->verify_message(key_id,
++ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message),
++ signature, signature_length);
++ CHECK_EQUAL(PSA_SUCCESS, status);
++
++ /* Change the message and expect verify to fail */
++ message[0] = 0x72;
++ status = m_crypto_client->verify_message(key_id,
++ PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message),
++ signature, signature_length);
++ CHECK_EQUAL(PSA_ERROR_INVALID_SIGNATURE, status);
++
++ /* Remove the key */
++ status = m_crypto_client->destroy_key(key_id);
++ CHECK_EQUAL(PSA_SUCCESS, status);
++}
++
+ void crypto_service_scenarios::signAndVerifyEat()
+ {
+ /* Sign and verify a hash using EAT key type and algorithm */
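Review bot: The new scenario `signAndVerifyMessage` signs only a 21-byte message (`uint8_t message[21]`), which is smaller than any hash-sized buffer on the service side, so it cannot show how the message opcodes behave for longer input. A second case with a message larger than `PSA_HASH_MAX_SIZE` would pin the intended behaviour, whether that is success or a defined error status. The expectation should be stated in a comment next to the case, for example `/* Message longer than a digest: must still sign, or fail with a defined status */`.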
+@@ -348,7 +398,7 @@ void crypto_service_scenarios::asymEncryptDecrypt()
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id;
+
+- psa_set_key_id(&attributes, 14);
++ psa_set_key_id(&attributes, 15);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+@@ -394,7 +444,7 @@ void crypto_service_scenarios::asymEncryptDecryptWithSalt()
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_key_id_t key_id;
+
+- psa_set_key_id(&attributes, 15);
++ psa_set_key_id(&attributes, 16);
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
+ psa_set_key_algorithm(&attributes, PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256));
+ psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
+diff --git a/components/service/crypto/test/service/crypto_service_scenarios.h b/components/service/crypto/test/service/crypto_service_scenarios.h
+index c65eba26..23671644 100644
+--- a/components/service/crypto/test/service/crypto_service_scenarios.h
++++ b/components/service/crypto/test/service/crypto_service_scenarios.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -24,6 +24,7 @@ public:
+ void asymEncryptDecrypt();
+ void asymEncryptDecryptWithSalt();
+ void signAndVerifyHash();
++ void signAndVerifyMessage();
+ void signAndVerifyEat();
+ void exportAndImportKeyPair();
+ void exportPublicKey();
+diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+index 79eddfbb..ea238432 100644
+--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
++++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -87,6 +87,11 @@ TEST(CryptoServicePackedcTests, signAndVerifyHash)
+ m_scenarios->signAndVerifyHash();
+ }
+
++TEST(CryptoServicePackedcTests, signAndVerifyMessage)
++{
++ m_scenarios->signAndVerifyMessage();
++}
++
+ TEST(CryptoServicePackedcTests, signAndVerifyEat)
+ {
+ m_scenarios->signAndVerifyEat();
+diff --git a/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp b/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp
+index 1230752c..c172ad4a 100644
+--- a/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp
++++ b/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -77,6 +77,11 @@ TEST(CryptoServiceProtobufTests, signAndVerifyHash)
+ m_scenarios->signAndVerifyHash();
+ }
+
++TEST(CryptoServiceProtobufTests, signAndVerifyMessage)
++{
++ m_scenarios->signAndVerifyMessage();
++}
++
+ TEST(CryptoServiceProtobufTests, asymEncryptDecrypt)
+ {
+ m_scenarios->asymEncryptDecrypt();
+diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h
+index a07bd57e..5aebf2fa 100644
+--- a/protocols/service/crypto/packed-c/opcodes.h
++++ b/protocols/service/crypto/packed-c/opcodes.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -25,6 +25,8 @@
+ #define TS_CRYPTO_OPCODE_COPY_KEY (TS_CRYPTO_OPCODE_BASE + 13)
+ #define TS_CRYPTO_OPCODE_PURGE_KEY (TS_CRYPTO_OPCODE_BASE + 14)
+ #define TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES (TS_CRYPTO_OPCODE_BASE + 15)
++#define TS_CRYPTO_OPCODE_SIGN_MESSAGE (TS_CRYPTO_OPCODE_BASE + 16)
++#define TS_CRYPTO_OPCODE_VERIFY_MESSAGE (TS_CRYPTO_OPCODE_BASE + 17)
+
+ /* Hash operations */
+ #define TS_CRYPTO_OPCODE_HASH_BASE (0x0200)
+diff --git a/protocols/service/crypto/protobuf/opcodes.proto b/protocols/service/crypto/protobuf/opcodes.proto
+index 094d3a02..ef64d044 100644
+--- a/protocols/service/crypto/protobuf/opcodes.proto
++++ b/protocols/service/crypto/protobuf/opcodes.proto
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+ syntax = "proto3";
+@@ -18,4 +18,6 @@ enum Opcode {
+ ASYMMETRIC_DECRYPT = 0x010a;
+ ASYMMETRIC_ENCRYPT = 0x010b;
+ GENERATE_RANDOM = 0x010c;
++ SIGN_MESSAGE = 0x0110;
++ VERIFY_MESSAGE = 0x0111;
+ }
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,124 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 68e189877ea1aa893facafb8b336e92112555e07 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Fri, 11 Feb 2022 14:19:26 +0000
+Subject: [PATCH 05/15] Add defence against uninitialised multi-part
+ transaction
+
+Adds checks for the condition where there is an attempt to
+setup a multi-part transaction without first initialising
+transaction state.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: I754479260fed0490d8f32b41a077d26028dc9903
+---
+ components/service/crypto/client/psa/psa_cipher.c | 14 +++++++++++++-
+ components/service/crypto/client/psa/psa_hash.c | 8 +++++++-
+ components/service/crypto/client/psa/psa_mac.c | 10 ++++++++--
+ 3 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c
+index 70836ea6..3ab8ea21 100644
+--- a/components/service/crypto/client/psa/psa_cipher.c
++++ b/components/service/crypto/client/psa/psa_cipher.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -13,6 +13,12 @@ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+ psa_key_id_t key,
+ psa_algorithm_t alg)
+ {
++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
++ return psa_crypto_client_instance.init_status;
++
++ if (operation->handle)
++ return PSA_ERROR_BAD_STATE;
++
+ return crypto_caller_cipher_encrypt_setup(&psa_crypto_client_instance.base,
+ &operation->handle,
+ key, alg);
+@@ -22,6 +28,12 @@ psa_status_t psa_cipher_decrypt_setup(psa_cipher_operation_t *operation,
+ psa_key_id_t key,
+ psa_algorithm_t alg)
+ {
++ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
++ return psa_crypto_client_instance.init_status;
++
++ if (operation->handle)
++ return PSA_ERROR_BAD_STATE;
++
+ return crypto_caller_cipher_decrypt_setup(&psa_crypto_client_instance.base,
+ &operation->handle,
+ key, alg);
+diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c
+index 7005c390..83278de6 100644
+--- a/components/service/crypto/client/psa/psa_hash.c
++++ b/components/service/crypto/client/psa/psa_hash.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -14,6 +14,9 @@ psa_status_t psa_hash_setup(psa_hash_operation_t *operation,
+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+ return psa_crypto_client_instance.init_status;
+
++ if (operation->handle)
++ return PSA_ERROR_BAD_STATE;
++
+ return crypto_caller_hash_setup(&psa_crypto_client_instance.base,
+ &operation->handle, alg);
+ }
+@@ -55,6 +58,9 @@ psa_status_t psa_hash_verify(psa_hash_operation_t *operation,
+ psa_status_t psa_hash_clone(const psa_hash_operation_t *source_operation,
+ psa_hash_operation_t *target_operation)
+ {
++ if (target_operation->handle)
++ return PSA_ERROR_BAD_STATE;
++
+ return crypto_caller_hash_clone(&psa_crypto_client_instance.base,
+ source_operation->handle,
+ &target_operation->handle);
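Review bot: psa_hash_clone gains the handle check but, unlike psa_hash_setup above and the two cipher setup functions in this same patch, it never tests `psa_crypto_client_instance.init_status`, so a clone attempted before the client is initialised still reaches crypto_caller_hash_clone. For consistency, the first statements of the body should be `if (psa_crypto_client_instance.init_status != PSA_SUCCESS)` and `return psa_crypto_client_instance.init_status;`, ahead of the `target_operation->handle` test. The closing brace of the function lies outside the hunk.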
+diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c
+index 5efa1c4d..5c5eb32a 100644
+--- a/components/service/crypto/client/psa/psa_mac.c
++++ b/components/service/crypto/client/psa/psa_mac.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -16,6 +16,9 @@ psa_status_t psa_mac_sign_setup(psa_mac_operation_t *operation,
+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+ return psa_crypto_client_instance.init_status;
+
++ if (operation->handle)
++ return PSA_ERROR_BAD_STATE;
++
+ return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base,
+ &operation->handle,
+ key, alg);
+@@ -28,7 +31,10 @@ psa_status_t psa_mac_verify_setup(psa_mac_operation_t *operation,
+ if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+ return psa_crypto_client_instance.init_status;
+
+- return crypto_caller_mac_sign_setup(&psa_crypto_client_instance.base,
++ if (operation->handle)
++ return PSA_ERROR_BAD_STATE;
++
++ return crypto_caller_mac_verify_setup(&psa_crypto_client_instance.base,
+ &operation->handle,
+ key, alg);
+ }
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,521 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From d800f7eaa25efca41535a223ef5d524651dee103 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Fri, 11 Feb 2022 14:24:53 +0000
+Subject: [PATCH 06/15] Integrate AEAD operation support
+
+Resolves issues and integrates AEAD support into the crypto service
+provider and clients.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: I5fbe78a2dd825f592e26fd665f60c18b576f9de9
+---
+ .../caller/packed-c/crypto_caller_aead.h | 70 +++---
+ .../client/caller/stub/crypto_caller_aead.h | 12 +-
+ .../service/crypto/client/psa/psa_aead.c | 221 +++++++++++++++---
+ .../factory/full/crypto_provider_factory.c | 16 +-
+ .../component-test/component-test.cmake | 4 +-
+ deployments/crypto/opteesp/CMakeLists.txt | 4 +-
+ deployments/libts/linux-pc/CMakeLists.txt | 4 +-
+ deployments/se-proxy/opteesp/CMakeLists.txt | 4 +-
+ 8 files changed, 263 insertions(+), 72 deletions(-)
+
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+index 3d9947d5..c4ffb20c 100644
+--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -20,38 +20,6 @@
+ extern "C" {
+ #endif
+
+-static inline psa_status_t crypto_caller_aead_encrypt(struct service_client *context,
+- psa_key_id_t key,
+- psa_algorithm_t alg,
+- const uint8_t *nonce,
+- size_t nonce_length,
+- const uint8_t *additional_data,
+- size_t additional_data_length,
+- const uint8_t *plaintext,
+- size_t plaintext_length,
+- uint8_t *aeadtext,
+- size_t aeadtext_size,
+- size_t *aeadtext_length)
+-{
+- return PSA_ERROR_NOT_SUPPORTED;
+-}
+-
+-static inline psa_status_t crypto_caller_aead_decrypt(struct service_client *context,
+- psa_key_id_t key,
+- psa_algorithm_t alg,
+- const uint8_t *nonce,
+- size_t nonce_length,
+- const uint8_t *additional_data,
+- size_t additional_data_length,
+- const uint8_t *aeadtext,
+- size_t aeadtext_length,
+- uint8_t *plaintext,
+- size_t plaintext_size,
+- size_t *plaintext_length)
+-{
+- return PSA_ERROR_NOT_SUPPORTED;
+-}
+-
+ static inline psa_status_t common_aead_setup(struct service_client *context,
+ uint32_t *op_handle,
+ psa_key_id_t key,
+@@ -247,7 +215,7 @@ static inline psa_status_t crypto_caller_aead_set_lengths(struct service_client
+ {
+ psa_status_t psa_status = PSA_ERROR_GENERIC_ERROR;
+ struct ts_crypto_aead_set_lengths_in req_msg;
+- size_t req_fixed_len = sizeof(struct ts_crypto_aead_abort_in);
++ size_t req_fixed_len = sizeof(struct ts_crypto_aead_set_lengths_in);
+ size_t req_len = req_fixed_len;
+
+ req_msg.op_handle = op_handle;
+@@ -611,6 +579,40 @@ static inline psa_status_t crypto_caller_aead_abort(struct service_client *conte
+ return psa_status;
+ }
+
++/**
++ * The maximum data length that may be carried in an update operation will be
++ * constrained by the maximum call payload capacity imposed by the end-to-end
++ * RPC call path. These functions return the maximum update size when serialization
++ * overheads are considered. This allows large paylaods to be processed in
++ * maximum size chunks.
++ */
++static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context)
++{
++ /* Returns the maximum number of bytes of additional data that may be
++ * carried as a parameter of the aead_update_ad operation
++ * using the packed-c encoding.
++ */
++ size_t payload_space = context->service_info.max_payload;
++ size_t overhead = sizeof(struct ts_crypto_aead_update_ad_in) + TLV_HDR_LEN;
++
++ return (payload_space > overhead) ? payload_space - overhead : 0;
++}
++
++static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context)
++{
++ /* Returns the maximum number of bytes that may be
++ * carried as a parameter of the aead_update operation
++ * using the packed-c encoding.
++ */
++ size_t payload_space = context->service_info.max_payload;
++ size_t overhead = sizeof(struct ts_crypto_aead_update_in) + TLV_HDR_LEN;
++
++ /* Allow for output to be a whole number of blocks */
++ overhead += PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE;
++
++ return (payload_space > overhead) ? payload_space - overhead : 0;
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/caller/stub/crypto_caller_aead.h b/components/service/crypto/client/caller/stub/crypto_caller_aead.h
+index 18aa8cec..455e7ac1 100644
+--- a/components/service/crypto/client/caller/stub/crypto_caller_aead.h
++++ b/components/service/crypto/client/caller/stub/crypto_caller_aead.h
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -135,6 +135,16 @@ static inline psa_status_t crypto_caller_aead_abort(struct service_client *conte
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
++static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context)
++{
++ return 0;
++}
++
++static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context)
++{
++ return 0;
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c
+index 22fd3da1..e4579e63 100644
+--- a/components/service/crypto/client/psa/psa_aead.c
++++ b/components/service/crypto/client/psa/psa_aead.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -8,37 +8,6 @@
+ #include "psa_crypto_client.h"
+ #include "crypto_caller_selector.h"
+
+-
+-psa_status_t psa_aead_encrypt(psa_key_id_t key,
+- psa_algorithm_t alg,
+- const uint8_t *nonce,
+- size_t nonce_length,
+- const uint8_t *additional_data,
+- size_t additional_data_length,
+- const uint8_t *plaintext,
+- size_t plaintext_length,
+- uint8_t *aeadtext,
+- size_t aeadtext_size,
+- size_t *aeadtext_length)
+-{
+- return PSA_ERROR_NOT_SUPPORTED;
+-}
+-
+-psa_status_t psa_aead_decrypt(psa_key_id_t key,
+- psa_algorithm_t alg,
+- const uint8_t *nonce,
+- size_t nonce_length,
+- const uint8_t *additional_data,
+- size_t additional_data_length,
+- const uint8_t *aeadtext,
+- size_t aeadtext_length,
+- uint8_t *plaintext,
+- size_t plaintext_size,
+- size_t *plaintext_length)
+-{
+- return PSA_ERROR_NOT_SUPPORTED;
+-}
+-
+ psa_status_t psa_aead_encrypt_setup(psa_aead_operation_t *operation,
+ psa_key_id_t key,
+ psa_algorithm_t alg)
+@@ -143,3 +112,191 @@ psa_status_t psa_aead_abort(psa_aead_operation_t *operation)
+ return crypto_caller_aead_abort(&psa_crypto_client_instance.base,
+ operation->handle);
+ }
++
++static psa_status_t multi_aead_update_ad(psa_aead_operation_t *operation,
++ const uint8_t *input,
++ size_t input_length)
++{
++ psa_status_t psa_status = PSA_SUCCESS;
++ size_t max_update_size =
++ crypto_caller_aead_max_update_ad_size(&psa_crypto_client_instance.base);
++ size_t bytes_input = 0;
++
++ if (!max_update_size) {
++
++ /* Don't know the max update size so assume that the entire
++ * input and output can be handled in a single update. If
++ * this isn't true, the first aead update operation will fail
++ * safely.
++ */
++ max_update_size = input_length;
++ }
++
++ while (bytes_input < input_length) {
++
++ size_t bytes_remaining = input_length - bytes_input;
++ size_t update_len = (bytes_remaining < max_update_size) ?
++ bytes_remaining :
++ max_update_size;
++
++ psa_status = psa_aead_update_ad(operation,
++ &input[bytes_input], update_len);
++
++ if (psa_status != PSA_SUCCESS) break;
++
++ bytes_input += update_len;
++ }
++
++ return psa_status;
++}
++
++static psa_status_t multi_aead_update(psa_aead_operation_t *operation,
++ const uint8_t *input,
++ size_t input_length,
++ uint8_t *output,
++ size_t output_size,
++ size_t *output_length)
++{
++ psa_status_t psa_status = PSA_SUCCESS;
++ size_t max_update_size =
++ crypto_caller_aead_max_update_size(&psa_crypto_client_instance.base);
++ size_t bytes_input = 0;
++ size_t bytes_output = 0;
++
++ *output_length = 0;
++
++ if (!max_update_size) {
++
++ /* Don't know the max update size so assume that the entire
++ * input and output can be handled in a single update. If
++ * this isn't true, the first aead update operation will fail
++ * safely.
++ */
++ max_update_size = input_length;
++ }
++
++ while ((bytes_input < input_length) && (bytes_output < output_size)) {
++
++ size_t update_output_len = 0;
++ size_t bytes_remaining = input_length - bytes_input;
++ size_t update_len = (bytes_remaining < max_update_size) ?
++ bytes_remaining :
++ max_update_size;
++
++ psa_status = psa_aead_update(operation,
++ &input[bytes_input], update_len,
++ &output[bytes_output], output_size - bytes_output, &update_output_len);
++
++ if (psa_status != PSA_SUCCESS) break;
++
++ bytes_input += update_len;
++ bytes_output += update_output_len;
++ }
++
++ if (psa_status == PSA_SUCCESS) {
++
++ *output_length = bytes_output;
++ }
++
++ return psa_status;
++}
++
++psa_status_t psa_aead_encrypt(psa_key_id_t key,
++ psa_algorithm_t alg,
++ const uint8_t *nonce,
++ size_t nonce_length,
++ const uint8_t *additional_data,
++ size_t additional_data_length,
++ const uint8_t *plaintext,
++ size_t plaintext_length,
++ uint8_t *aeadtext,
++ size_t aeadtext_size,
++ size_t *aeadtext_length)
++{
++ psa_aead_operation_t operation = psa_aead_operation_init();
++ size_t bytes_output = 0;
++ *aeadtext_length = 0;
++
++ psa_status_t psa_status = psa_aead_encrypt_setup(&operation, key, alg);
++ if (psa_status != PSA_SUCCESS) return psa_status;
++
++ if ((psa_status = psa_aead_set_lengths(&operation, additional_data_length, plaintext_length),
++ psa_status == PSA_SUCCESS) &&
++ (psa_status = psa_aead_set_nonce(&operation, nonce, nonce_length),
++ psa_status == PSA_SUCCESS) &&
++ (psa_status = multi_aead_update_ad(&operation, additional_data, additional_data_length),
++ psa_status == PSA_SUCCESS) &&
++ (psa_status = multi_aead_update(&operation, plaintext, plaintext_length,
++ aeadtext, aeadtext_size, &bytes_output),
++ psa_status == PSA_SUCCESS))
++ {
++ size_t remaining_aead_len = 0;
++ size_t tag_len = 0;
++
++ psa_status = psa_aead_finish(&operation,
++ NULL, 0, &remaining_aead_len,
++ &aeadtext[bytes_output], aeadtext_size - bytes_output, &tag_len);
++
++ if (psa_status == PSA_SUCCESS) {
++
++ *aeadtext_length = bytes_output + remaining_aead_len + tag_len;
++ }
++ }
++ else {
++
++ psa_aead_abort(&operation);
++ }
++
++ return psa_status;
++}
++
++psa_status_t psa_aead_decrypt(psa_key_id_t key,
++ psa_algorithm_t alg,
++ const uint8_t *nonce,
++ size_t nonce_length,
++ const uint8_t *additional_data,
++ size_t additional_data_length,
++ const uint8_t *aeadtext,
++ size_t aeadtext_length,
++ uint8_t *plaintext,
++ size_t plaintext_size,
++ size_t *plaintext_length)
++{
++ psa_aead_operation_t operation = psa_aead_operation_init();
++ size_t bytes_output = 0;
++ *plaintext_length = 0;
++
++ psa_status_t psa_status = psa_aead_decrypt_setup(&operation, key, alg);
++ if (psa_status != PSA_SUCCESS) return psa_status;
++
++ size_t tag_len = PSA_ALG_AEAD_GET_TAG_LENGTH(alg);
++ size_t ciphertext_len = (aeadtext_length > tag_len) ? aeadtext_length - tag_len : 0;
++
++ if ((psa_status = psa_aead_set_lengths(&operation, additional_data_length, ciphertext_len),
++ psa_status == PSA_SUCCESS) &&
++ (psa_status = psa_aead_set_nonce(&operation, nonce, nonce_length),
++ psa_status == PSA_SUCCESS) &&
++ (psa_status = multi_aead_update_ad(&operation, additional_data, additional_data_length),
++ psa_status == PSA_SUCCESS) &&
++ (psa_status = multi_aead_update(&operation, aeadtext, ciphertext_len,
++ plaintext, plaintext_size, &bytes_output),
++ psa_status == PSA_SUCCESS))
++ {
++ size_t remaining_plaintext_len = 0;
++
++ psa_status = psa_aead_verify(&operation,
++ NULL, 0, &remaining_plaintext_len,
++ &aeadtext[bytes_output], aeadtext_length - bytes_output);
++
++ if (psa_status == PSA_SUCCESS) {
++
++ *plaintext_length = bytes_output + remaining_plaintext_len;
++ }
++ }
++ else {
++
++ psa_aead_abort(&operation);
++ }
++
++ return psa_status;
++}
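Review bot: In psa_aead_decrypt the tag handed to psa_aead_verify is located with `bytes_output`, the count of plaintext bytes written so far, so the offset is only correct when the update step emitted exactly as many bytes as it consumed. Indexing by the input is safer: `&aeadtext[ciphertext_len], aeadtext_length - ciphertext_len`. multi_aead_update also leaves its loop with PSA_SUCCESS when `bytes_output` reaches `output_size` before all input is consumed; returning `PSA_ERROR_BUFFER_TOO_SMALL` in that case would make the truncation explicit instead of relying on the later finish/verify to fail. When verify fails, the plaintext already written to the caller's buffer is unauthenticated, so consider clearing the first `bytes_output` bytes of `plaintext` before returning the error.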
+diff --git a/components/service/crypto/factory/full/crypto_provider_factory.c b/components/service/crypto/factory/full/crypto_provider_factory.c
+index 2d926eb6..ee2b4473 100644
+--- a/components/service/crypto/factory/full/crypto_provider_factory.c
++++ b/components/service/crypto/factory/full/crypto_provider_factory.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+@@ -17,6 +17,8 @@
+ #include <service/crypto/provider/extension/key_derivation/serializer/packed-c/packedc_key_derivation_provider_serializer.h>
+ #include <service/crypto/provider/extension/mac/mac_provider.h>
+ #include <service/crypto/provider/extension/mac/serializer/packed-c/packedc_mac_provider_serializer.h>
++#include <service/crypto/provider/extension/aead/aead_provider.h>
++#include <service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.h>
+ #include <service/discovery/provider/discovery_provider.h>
+ #include <service/discovery/provider/serializer/packed-c/packedc_discovery_provider_serializer.h>
+
+@@ -34,6 +36,7 @@ static struct full_crypto_provider
+ struct cipher_provider cipher_provider;
+ struct key_derivation_provider key_derivation_provider;
+ struct mac_provider mac_provider;
++ struct aead_provider aead_provider;
+
+ } instance;
+
+@@ -98,6 +101,17 @@ struct crypto_provider *crypto_provider_factory_create(void)
+ crypto_provider_extend(&instance.crypto_provider,
+ &instance.mac_provider.base_provider);
+
++ /**
++ * Extend with aead operations
++ */
++ aead_provider_init(&instance.aead_provider);
++
++ aead_provider_register_serializer(&instance.aead_provider,
++ TS_RPC_ENCODING_PACKED_C, packedc_aead_provider_serializer_instance());
++
++ crypto_provider_extend(&instance.crypto_provider,
++ &instance.aead_provider.base_provider);
++
+ return &instance.crypto_provider;
+ }
+
+diff --git a/deployments/component-test/component-test.cmake b/deployments/component-test/component-test.cmake
+index a0233c34..c3b015ab 100644
+--- a/deployments/component-test/component-test.cmake
++++ b/deployments/component-test/component-test.cmake
+@@ -1,5 +1,5 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -85,6 +85,8 @@ add_components(
+ "components/service/crypto/provider/extension/key_derivation/serializer/packed-c"
+ "components/service/crypto/provider/extension/mac"
+ "components/service/crypto/provider/extension/mac/serializer/packed-c"
++ "components/service/crypto/provider/extension/aead"
++ "components/service/crypto/provider/extension/aead/serializer/packed-c"
+ "components/service/crypto/provider/test"
+ "components/service/crypto/backend/mbedcrypto"
+ "components/service/crypto/factory/full"
+diff --git a/deployments/crypto/opteesp/CMakeLists.txt b/deployments/crypto/opteesp/CMakeLists.txt
+index 8ada74e9..eb5d0847 100644
+--- a/deployments/crypto/opteesp/CMakeLists.txt
++++ b/deployments/crypto/opteesp/CMakeLists.txt
+@@ -1,5 +1,5 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -62,6 +62,8 @@ add_components(TARGET "crypto-sp"
+ "components/service/crypto/provider/extension/key_derivation/serializer/packed-c"
+ "components/service/crypto/provider/extension/mac"
+ "components/service/crypto/provider/extension/mac/serializer/packed-c"
++ "components/service/crypto/provider/extension/aead"
++ "components/service/crypto/provider/extension/aead/serializer/packed-c"
+ "components/service/crypto/factory/full"
+ "components/service/crypto/backend/mbedcrypto"
+ "components/service/crypto/backend/mbedcrypto/trng_adapter/platform"
+diff --git a/deployments/libts/linux-pc/CMakeLists.txt b/deployments/libts/linux-pc/CMakeLists.txt
+index fc98407c..97eaaa73 100644
+--- a/deployments/libts/linux-pc/CMakeLists.txt
++++ b/deployments/libts/linux-pc/CMakeLists.txt
+@@ -1,5 +1,5 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
++# Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -71,6 +71,8 @@ add_components(
+ "components/service/crypto/provider/extension/key_derivation/serializer/packed-c"
+ "components/service/crypto/provider/extension/mac"
+ "components/service/crypto/provider/extension/mac/serializer/packed-c"
++ "components/service/crypto/provider/extension/aead"
++ "components/service/crypto/provider/extension/aead/serializer/packed-c"
+ "components/service/crypto/factory/full"
+ "components/service/crypto/backend/mbedcrypto"
+ "components/service/crypto/backend/mbedcrypto/trng_adapter/linux"
+diff --git a/deployments/se-proxy/opteesp/CMakeLists.txt b/deployments/se-proxy/opteesp/CMakeLists.txt
+index 953bb716..24a8ca65 100644
+--- a/deployments/se-proxy/opteesp/CMakeLists.txt
++++ b/deployments/se-proxy/opteesp/CMakeLists.txt
+@@ -1,5 +1,5 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -70,6 +70,8 @@ add_components(TARGET "se-proxy"
+ "components/service/crypto/provider/extension/key_derivation/serializer/packed-c"
+ "components/service/crypto/provider/extension/mac"
+ "components/service/crypto/provider/extension/mac/serializer/packed-c"
++ "components/service/crypto/provider/extension/aead"
++ "components/service/crypto/provider/extension/aead/serializer/packed-c"
+ "components/service/crypto/factory/full"
+ "components/service/secure_storage/include"
+ "components/service/secure_storage/frontend/secure_storage_provider"
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,96 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 0e743c9e00249b0fe50b1b2d28d06a8568569736 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Tue, 15 Feb 2022 15:46:58 +0000
+Subject: [PATCH 07/15] Add IV generation to one-shot cipher operation
+
+The functions psa_cipher_encrypt and psa_cipher_decrypt are
+one-shot operations that can take an arbitrary sized input.
+These operations are implemented as client-side functions
+that use multi-part cipher operations to allow large inputs
+to be handled. The existing implementations were missing the
+generation and setting of the IV at the start of the data.
+This was leading to PSA Arch test failures (248 & 249). This
+commit adds the missing IV handling and resolves the test
+failures.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: I4afb555ee7062ebb387e5bb27fb1e082288ad8c7
+---
+ .../service/crypto/client/psa/psa_cipher.c | 40 +++++++++++++++----
+ 1 file changed, 33 insertions(+), 7 deletions(-)
+
+diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c
+index 3ab8ea21..111af829 100644
+--- a/components/service/crypto/client/psa/psa_cipher.c
++++ b/components/service/crypto/client/psa/psa_cipher.c
+@@ -8,7 +8,6 @@
+ #include "psa_crypto_client.h"
+ #include "crypto_caller_selector.h"
+
+-
+ psa_status_t psa_cipher_encrypt_setup(psa_cipher_operation_t *operation,
+ psa_key_id_t key,
+ psa_algorithm_t alg)
+@@ -171,9 +170,16 @@ psa_status_t psa_cipher_encrypt(psa_key_id_t key,
+
+ if (psa_status == PSA_SUCCESS) {
+
++ size_t ciphertext_len = 0;
++ size_t iv_len = 0;
++
++ psa_cipher_generate_iv(&operation, output, output_size, &iv_len);
++
+ psa_status = multi_cipher_update(&operation,
+ input, input_length,
+- output, output_size, output_length);
++ &output[iv_len], output_size - iv_len, &ciphertext_len);
++
++ *output_length = iv_len + ciphertext_len;
+ }
+
+ return psa_status;
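Review bot: The return value of `psa_cipher_generate_iv` is discarded in psa_cipher_encrypt, so a failure (for example an output buffer too small for the IV) leaves `iv_len` at 0 and the code carries on to multi_cipher_update without a generated IV. `*output_length` is also written whatever the final status is. The psa_cipher_decrypt hunk that follows has the same gap with `psa_cipher_set_iv`; assign its result to `psa_status` and abort the operation on failure before calling multi_cipher_update. The function body starts outside this hunk; the encrypt side could look like the excerpt below.

```c
	if (psa_status == PSA_SUCCESS) {

		size_t ciphertext_len = 0;
		size_t iv_len = 0;

		psa_status = psa_cipher_generate_iv(&operation, output, output_size, &iv_len);

		if (psa_status != PSA_SUCCESS) {

			psa_cipher_abort(&operation);
			return psa_status;
		}

		/* … unchanged: multi_cipher_update call writing at &output[iv_len] … */

		if (psa_status == PSA_SUCCESS)
			*output_length = iv_len + ciphertext_len;
```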
+@@ -187,14 +193,34 @@ psa_status_t psa_cipher_decrypt(psa_key_id_t key,
+ size_t output_size,
+ size_t *output_length)
+ {
+- psa_cipher_operation_t operation = psa_cipher_operation_init();
+- psa_status_t psa_status = psa_cipher_decrypt_setup(&operation, key, alg);
++ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
++ psa_status_t psa_status = psa_get_key_attributes(key, &attributes);
+
+ if (psa_status == PSA_SUCCESS) {
+
+- psa_status = multi_cipher_update(&operation,
+- input, input_length,
+- output, output_size, output_length);
++ psa_cipher_operation_t operation = psa_cipher_operation_init();
++ psa_status = psa_cipher_decrypt_setup(&operation, key, alg);
++
++ if (psa_status == PSA_SUCCESS) {
++
++ size_t iv_len = PSA_CIPHER_IV_LENGTH(psa_get_key_type(&attributes), alg);
++
++ if (input_length >= iv_len) {
++
++ psa_cipher_set_iv(&operation, input, iv_len);
++
++ psa_status = multi_cipher_update(&operation,
++ &input[iv_len], input_length - iv_len,
++ output, output_size, output_length);
++ }
++ else {
++
++ psa_cipher_abort(&operation);
++ psa_status = PSA_ERROR_INVALID_ARGUMENT;
++ }
++ }
++
++ psa_reset_key_attributes(&attributes);
+ }
+
+ return psa_status;
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,241 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 51563497958036271a23de8ae28f174db1296689 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Wed, 16 Feb 2022 10:37:04 +0000
+Subject: [PATCH 08/15] Fix multi-part termination on error
+
+For multi-part operations, the PSA Crypto API specifies that if
+the final operation does not return PSA_SUCCESS, the abort
+operation must be called by a client to clean-up the operation.
+This change modifies behaviour in-line with the API definition.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: Ia3d3ec004164647a7ab5988cac45c39c22e76e9a
+---
+ components/service/crypto/client/psa/psa_aead.c | 8 ++++++++
+ components/service/crypto/client/psa/psa_cipher.c | 4 ++++
+ components/service/crypto/client/psa/psa_hash.c | 10 ++++++++++
+ components/service/crypto/client/psa/psa_mac.c | 10 ++++++++++
+ .../crypto/provider/extension/aead/aead_provider.c | 10 +++++-----
+ .../provider/extension/cipher/cipher_provider.c | 6 +++---
+ .../crypto/provider/extension/hash/hash_provider.c | 6 +++---
+ .../crypto/provider/extension/mac/mac_provider.c | 11 +++++++----
+ 8 files changed, 50 insertions(+), 15 deletions(-)
+
+diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c
+index e4579e63..559eb6a3 100644
+--- a/components/service/crypto/client/psa/psa_aead.c
++++ b/components/service/crypto/client/psa/psa_aead.c
+@@ -241,6 +241,10 @@ psa_status_t psa_aead_encrypt(psa_key_id_t key,
+
+ *aeadtext_length = bytes_output + remaining_aead_len + tag_len;
+ }
++ else {
++
++ psa_aead_abort(&operation);
++ }
+ }
+ else {
+
+@@ -292,6 +296,10 @@ psa_status_t psa_aead_decrypt(psa_key_id_t key,
+
+ *plaintext_length = bytes_output + remaining_plaintext_len;
+ }
++ else {
++
++ psa_aead_abort(&operation);
++ }
+ }
+ else {
+
+diff --git a/components/service/crypto/client/psa/psa_cipher.c b/components/service/crypto/client/psa/psa_cipher.c
+index 111af829..4e4264b6 100644
+--- a/components/service/crypto/client/psa/psa_cipher.c
++++ b/components/service/crypto/client/psa/psa_cipher.c
+@@ -146,6 +146,10 @@ static psa_status_t multi_cipher_update(psa_cipher_operation_t *operation,
+
+ *output_length = bytes_output + finish_output_len;
+ }
++ else {
++
++ psa_cipher_abort(operation);
++ }
+ }
+ else {
+
+diff --git a/components/service/crypto/client/psa/psa_hash.c b/components/service/crypto/client/psa/psa_hash.c
+index 83278de6..e5dd0030 100644
+--- a/components/service/crypto/client/psa/psa_hash.c
++++ b/components/service/crypto/client/psa/psa_hash.c
+@@ -137,6 +137,11 @@ psa_status_t psa_hash_compare(psa_algorithm_t alg,
+ if (psa_status == PSA_SUCCESS) {
+
+ psa_status = psa_hash_verify(&operation, hash, hash_length);
++
++ if (psa_status != PSA_SUCCESS) {
++
++ psa_hash_abort(&operation);
++ }
+ }
+
+ return psa_status;
+@@ -155,6 +160,11 @@ psa_status_t psa_hash_compute(psa_algorithm_t alg,
+ if (psa_status == PSA_SUCCESS) {
+
+ psa_status = psa_hash_finish(&operation, hash, hash_size, hash_length);
++
++ if (psa_status != PSA_SUCCESS) {
++
++ psa_hash_abort(&operation);
++ }
+ }
+
+ return psa_status;
+diff --git a/components/service/crypto/client/psa/psa_mac.c b/components/service/crypto/client/psa/psa_mac.c
+index 5c5eb32a..a3db8644 100644
+--- a/components/service/crypto/client/psa/psa_mac.c
++++ b/components/service/crypto/client/psa/psa_mac.c
+@@ -129,6 +129,11 @@ psa_status_t psa_mac_verify(psa_key_id_t key,
+ if (psa_status == PSA_SUCCESS) {
+
+ psa_status = psa_mac_verify_finish(&operation, mac, mac_length);
++
++ if (psa_status != PSA_SUCCESS) {
++
++ psa_mac_abort(&operation);
++ }
+ }
+
+ return psa_status;
+@@ -153,6 +158,11 @@ psa_status_t psa_mac_compute(psa_key_id_t key,
+ if (psa_status == PSA_SUCCESS) {
+
+ psa_status = psa_mac_sign_finish(&operation, mac, mac_size, mac_length);
++
++ if (psa_status != PSA_SUCCESS) {
++
++ psa_mac_abort(&operation);
++ }
+ }
+
+ return psa_status;
+diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c
+index f4e81a03..14a25436 100644
+--- a/components/service/crypto/provider/extension/aead/aead_provider.c
++++ b/components/service/crypto/provider/extension/aead/aead_provider.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -369,9 +369,9 @@ static rpc_status_t aead_finish_handler(void *context, struct call_req *req)
+ rpc_status = serializer->serialize_aead_finish_resp(resp_buf,
+ ciphertext, ciphertext_len,
+ tag, tag_len);
+- }
+
+- crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
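Review bot: With `crypto_context_pool_free` moved inside the success branch, a failed finish leaves the crypto_context allocated in `this_instance->context_pool` until the client sends an abort, and nothing in the hunk records that contract. The same change is made in aead_verify_handler, cipher_finish_handler, hash_finish_handler, mac_sign_finish_handler and mac_verify_finish_handler, where an ordinary MAC mismatch now also keeps the context. A client that never aborts would keep pool slots occupied; whether the pool reclaims them (per-client cleanup, eviction) is not visible here and should be confirmed before merging. I would add a comment above the free, for example `/* On error the context is kept so the client can abort it; released by the abort handler */`. aead_finish_handler starts outside the hunk.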
+@@ -418,9 +418,9 @@ static rpc_status_t aead_verify_handler(void *context, struct call_req *req)
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_aead_verify_resp(resp_buf,
+ plaintext, plaintext_len);
+- }
+
+- crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+diff --git a/components/service/crypto/provider/extension/cipher/cipher_provider.c b/components/service/crypto/provider/extension/cipher/cipher_provider.c
+index 8e7a86de..a5dd0371 100644
+--- a/components/service/crypto/provider/extension/cipher/cipher_provider.c
++++ b/components/service/crypto/provider/extension/cipher/cipher_provider.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -283,9 +283,9 @@ static rpc_status_t cipher_finish_handler(void *context, struct call_req* req)
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_cipher_finish_resp(resp_buf, output, output_len);
+- }
+
+- crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+diff --git a/components/service/crypto/provider/extension/hash/hash_provider.c b/components/service/crypto/provider/extension/hash/hash_provider.c
+index 2c560513..fd39d440 100644
+--- a/components/service/crypto/provider/extension/hash/hash_provider.c
++++ b/components/service/crypto/provider/extension/hash/hash_provider.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -179,9 +179,9 @@ static rpc_status_t hash_finish_handler(void *context, struct call_req* req)
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_hash_finish_resp(resp_buf, hash, hash_len);
+- }
+
+- crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+diff --git a/components/service/crypto/provider/extension/mac/mac_provider.c b/components/service/crypto/provider/extension/mac/mac_provider.c
+index 96fe4cf3..eef55586 100644
+--- a/components/service/crypto/provider/extension/mac/mac_provider.c
++++ b/components/service/crypto/provider/extension/mac/mac_provider.c
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+@@ -181,9 +181,9 @@ static rpc_status_t mac_sign_finish_handler(void *context, struct call_req* req)
+
+ struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
+ rpc_status = serializer->serialize_mac_sign_finish_resp(resp_buf, mac, mac_len);
+- }
+
+- crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+@@ -220,7 +220,10 @@ static rpc_status_t mac_verify_finish_handler(void *context, struct call_req* re
+
+ psa_status = psa_mac_verify_finish(&crypto_context->op.mac, mac, mac_len);
+
+- crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ if (psa_status == PSA_SUCCESS) {
++
++ crypto_context_pool_free(&this_instance->context_pool, crypto_context);
++ }
+ }
+
+ call_req_set_opstatus(req, psa_status);
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,50 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From c0549d9949d9c19a120b7bde3409201a5db8f2b2 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Wed, 16 Feb 2022 11:36:09 +0000
+Subject: [PATCH 09/15] Abort AEAD operation if client provided buffer is too
+ small
+
+To enable PSA Arch test c258 to pass, handling is added in the
+PSA API client adaptor for AEAD (psa_aead.c) to abort an AEAD
+operation if an update operation is performed but the client
+provided buffer for the output is too small.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: Ib4b26ebc0a83a8928e1b643fba4becd935f6deb0
+---
+ components/service/crypto/client/psa/psa_aead.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/components/service/crypto/client/psa/psa_aead.c b/components/service/crypto/client/psa/psa_aead.c
+index 559eb6a3..c820d222 100644
+--- a/components/service/crypto/client/psa/psa_aead.c
++++ b/components/service/crypto/client/psa/psa_aead.c
+@@ -74,10 +74,22 @@ psa_status_t psa_aead_update(psa_aead_operation_t *operation,
+ size_t output_size,
+ size_t *output_length)
+ {
+- return crypto_caller_aead_update(&psa_crypto_client_instance.base,
++ psa_status_t status = crypto_caller_aead_update(&psa_crypto_client_instance.base,
+ operation->handle,
+ input, input_length,
+ output, output_size, output_length);
++
++ /*
++ * If too small a buffer has been provided for the output, the operation
++ * state will have been updated but the result can't be put anywhere. This
++ * is an unrecoveral condition so abort the operation.
++ */
++ if (status == PSA_ERROR_BUFFER_TOO_SMALL) {
++
++ psa_aead_abort(operation);
++ }
++
++ return status;
+ }
+
+ psa_status_t psa_aead_finish(psa_aead_operation_t *operation,
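Review bot: The new comment in psa_aead_update reads "unrecoveral condition"; it should be `* is an unrecoverable condition so abort the operation.`. The status returned by `psa_aead_abort(operation)` is dropped so that the original `PSA_ERROR_BUFFER_TOO_SMALL` reaches the caller, which looks intended but is not stated. Writing the call as `(void)psa_aead_abort(operation);` would make that explicit.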
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,95 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 9fb18f0cfba8f97fa71a5e7e7e3e31a43692a8e0 Mon Sep 17 00:00:00 2001
+From: Julian Hall <julian.hall@arm.com>
+Date: Tue, 11 Jan 2022 09:43:52 +0000
+Subject: [PATCH 10/15] Peg to updated t_cose version fc3a4b2c
+
+The current version of TS fails to build due to a regression introduced
+by a new t_cose version in the upstream project.
+The issue is caused by the t_cose external component incorrectly using
+tip of master as the upstream version id, which makes strict dependency
+control impossible. Change the upstream version id to an SHA, to enable
+controlling compatibility issues introduced by future upstream updates.
+
+At the same time update the dependency to the current latest version.
+The upstream project is now compatile with mbedtls 3.0.0 API changes
+so the previously required compatibility patch has been removed.
+
+Signed-off-by: Julian Hall <julian.hall@arm.com>
+Change-Id: I9491a5210904cc369846da2af45b0f7e5913bed8
+---
+ .../0002-add-tls3_0_0-compatibility.patch | 31 -------------------
+ external/t_cose/t_cose.cmake | 5 ++-
+ 2 files changed, 2 insertions(+), 34 deletions(-)
+ delete mode 100644 external/t_cose/0002-add-tls3_0_0-compatibility.patch
+
+diff --git a/external/t_cose/0002-add-tls3_0_0-compatibility.patch b/external/t_cose/0002-add-tls3_0_0-compatibility.patch
+deleted file mode 100644
+index 20a7d131..00000000
+--- a/external/t_cose/0002-add-tls3_0_0-compatibility.patch
++++ /dev/null
+@@ -1,31 +0,0 @@
+-diff --git a/crypto_adapters/t_cose_psa_crypto.c b/crypto_adapters/t_cose_psa_crypto.c
+-index 49c5b60..3aa7b58 100644
+---- a/crypto_adapters/t_cose_psa_crypto.c
+-+++ b/crypto_adapters/t_cose_psa_crypto.c
+-@@ -99,7 +99,7 @@ static enum t_cose_err_t psa_status_to_t_cose_error_signing(psa_status_t err)
+- err == PSA_ERROR_INVALID_SIGNATURE ? T_COSE_ERR_SIG_VERIFY :
+- err == PSA_ERROR_NOT_SUPPORTED ? T_COSE_ERR_UNSUPPORTED_SIGNING_ALG:
+- err == PSA_ERROR_INSUFFICIENT_MEMORY ? T_COSE_ERR_INSUFFICIENT_MEMORY :
+-- err == PSA_ERROR_TAMPERING_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED :
+-+ err == PSA_ERROR_CORRUPTION_DETECTED ? T_COSE_ERR_TAMPERING_DETECTED :
+- T_COSE_ERR_SIG_FAIL;
+- }
+-
+-@@ -152,7 +152,7 @@ t_cose_crypto_pub_key_verify(int32_t cose_algorithm_id,
+- * Crypto ceases providing backwards compatibility then this code
+- * has to be changed to use psa_verify_hash().
+- */
+-- psa_result = psa_asymmetric_verify(verification_key_psa,
+-+ psa_result = psa_verify_hash(verification_key_psa,
+- psa_alg_id,
+- hash_to_verify.ptr,
+- hash_to_verify.len,
+-@@ -212,7 +212,7 @@ t_cose_crypto_pub_key_sign(int32_t cose_algorithm_id,
+- * providing backwards compatibility then this code has to be
+- * changed to use psa_sign_hash().
+- */
+-- psa_result = psa_asymmetric_sign(signing_key_psa,
+-+ psa_result = psa_sign_hash(signing_key_psa,
+- psa_alg_id,
+- hash_to_sign.ptr,
+- hash_to_sign.len,
+diff --git a/external/t_cose/t_cose.cmake b/external/t_cose/t_cose.cmake
+index 660824bd..9321466f 100644
+--- a/external/t_cose/t_cose.cmake
++++ b/external/t_cose/t_cose.cmake
+@@ -1,5 +1,5 @@
+ #-------------------------------------------------------------------------------
+-# Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
++# Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
+ #
+ # SPDX-License-Identifier: BSD-3-Clause
+ #
+@@ -16,7 +16,7 @@ endif()
+
+ # External component details
+ set(T_COSE_URL "https://github.com/laurencelundblade/t_cose.git" CACHE STRING "t_cose repository URL")
+-set(T_COSE_REFSPEC "master" CACHE STRING "t_cose git refspec")
++set(T_COSE_REFSPEC "fc3a4b2c7196ff582e8242de8bd4a1bc4eec577f" CACHE STRING "t_cose git refspec")
+ set(T_COSE_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/t_cose_install" CACHE PATH "t_cose installation directory")
+ set(T_COSE_PACKAGE_PATH "${T_COSE_INSTALL_PATH}/libt_cose/cmake" CACHE PATH "t_cose CMake package directory")
+
+@@ -37,7 +37,6 @@ FetchContent_Declare(
+
+ PATCH_COMMAND git stash
+ COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/0001-add-install-definition.patch
+- COMMAND git apply ${CMAKE_CURRENT_LIST_DIR}/0002-add-tls3_0_0-compatibility.patch
+ COMMAND git reset HEAD~1
+
+ )
+--
+2.25.1
+
new file mode 100644
@@ -0,0 +1,111 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 386a086debf70f739a7dfc0bdce9c4f1053ba8d5 Mon Sep 17 00:00:00 2001
+From: Vishnu Banavath <vishnu.banavath@arm.com>
+Date: Wed, 16 Feb 2022 15:55:55 +0000
+Subject: [PATCH 11/15] pass sysroot_yocto
+
+---
+ deployments/libts/libts-import.cmake | 3 +++
+ external/MbedTLS/MbedTLS.cmake | 1 +
+ external/psa_arch_tests/psa_arch_tests.cmake | 25 +++++++++++++-------
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/deployments/libts/libts-import.cmake b/deployments/libts/libts-import.cmake
+index 792ba86c..b900ce3f 100644
+--- a/deployments/libts/libts-import.cmake
++++ b/deployments/libts/libts-import.cmake
+@@ -27,9 +27,12 @@ set(LIBTS_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/libts-build" CACHE PATH
+
+ file(MAKE_DIRECTORY ${LIBTS_BINARY_DIR})
+
++set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${SYSROOT_YOCTO}")
++
+ #Configure the library
+ execute_process(COMMAND
+ ${CMAKE_COMMAND}
++ -DCMAKE_SYSROOT=${SYSROOT_YOCTO}
+ -DCMAKE_INSTALL_PREFIX=${LIBTS_INSTALL_PATH}
+ -GUnix\ Makefiles
+ ${LIBTS_SOURCE_DIR}
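Review bot: `--sysroot=${SYSROOT_YOCTO}` is appended to `CMAKE_C_FLAGS` unconditionally, so a build where SYSROOT_YOCTO is unset gets a bare `--sysroot=` on every compile line, and `-DCMAKE_SYSROOT=` is passed empty to the child configure. The same unguarded `-DCMAKE_SYSROOT=${SYSROOT_YOCTO}` is added in the MbedTLS.cmake and psa_arch_tests.cmake hunks. Guarding it keeps non-Yocto builds unchanged: `if(SYSROOT_YOCTO)` / `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --sysroot=${SYSROOT_YOCTO}")` / `endif()`. Note also that the `set()` changes the flags for the including project's own targets, not only for the libts sub-build, which may be wider than intended.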
+diff --git a/external/MbedTLS/MbedTLS.cmake b/external/MbedTLS/MbedTLS.cmake
+index 3350d8a0..33467cf0 100644
+--- a/external/MbedTLS/MbedTLS.cmake
++++ b/external/MbedTLS/MbedTLS.cmake
+@@ -103,6 +103,7 @@ if (NOT MBEDCRYPTO_LIB_FILE)
+ execute_process(COMMAND
+ ${CMAKE_COMMAND} -E env CROSS_COMPILE=${CROSS_COMPILE}
+ ${CMAKE_COMMAND}
++ -DCMAKE_SYSROOT=${SYSROOT_YOCTO}
+ -DENABLE_PROGRAMS=OFF
+ -DENABLE_TESTING=OFF
+ -DUNSAFE_BUILD=ON
+diff --git a/external/psa_arch_tests/psa_arch_tests.cmake b/external/psa_arch_tests/psa_arch_tests.cmake
+index f6d2fb9f..42f73a37 100644
+--- a/external/psa_arch_tests/psa_arch_tests.cmake
++++ b/external/psa_arch_tests/psa_arch_tests.cmake
+@@ -5,30 +5,33 @@
+ #
+ #-------------------------------------------------------------------------------
+
+-# Temporarily using modified tests used for tf-m verification
++# Determine the number of processes to run while running parallel builds.
++# Pass -DPROCESSOR_COUNT=<n> to cmake to override.
++if(NOT DEFINED PROCESSOR_COUNT)
++ include(ProcessorCount)
++ ProcessorCount(PROCESSOR_COUNT)
++ set(PROCESSOR_COUNT ${PROCESSOR_COUNT} CACHE STRING "Number of cores to use for parallel builds.")
++endif()
++
+ set(PSA_ARCH_TESTS_URL "https://github.com/bensze01/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL")
+ set(PSA_ARCH_TESTS_REFSPEC "fix-multipart-aead" CACHE STRING "psa-arch-tests git refspec")
+-
+-#set(PSA_ARCH_TESTS_URL "https://github.com/ARM-software/psa-arch-tests.git" CACHE STRING "psa-arch-tests repository URL")
+-#set(PSA_ARCH_TESTS_REFSPEC "2a1852252a9b9af655cbe02d5d3c930952d0d798" CACHE STRING "psa-arch-tests v22.01_API1.4_ADAC_BETA")
+ set(PSA_ARCH_TESTS_INSTALL_PATH "${CMAKE_CURRENT_BINARY_DIR}/psa-arch-tests_install" CACHE PATH "psa-arch-tests installation directory")
+ set(PSA_ARCH_TESTS_PACKAGE_PATH "${PSA_ARCH_TESTS_INSTALL_PATH}/libpsa-arch-tests/cmake" CACHE PATH "psa-arch-tests CMake package directory")
+-set(PSA_ARCH_TESTS_SOURCE_DIR "${CMAKE_CURRENT_BINARY_DIR}/_deps/psa_arch_tests-src" CACHE PATH "psa-arch-tests source.")
++
++include(FetchContent)
+
+ # Checking git
+ find_program(GIT_COMMAND "git")
+ if (NOT GIT_COMMAND)
+ message(FATAL_ERROR "Please install git")
+ endif()
+-
++if ("${PSA_ARCH_TESTS_PATH}" STREQUAL "DOWNLOAD")
+ # Fetching psa-arch-tests
+ FetchContent_Declare(
+ psa-arch-tests
+ GIT_REPOSITORY ${PSA_ARCH_TESTS_URL}
+ GIT_TAG ${PSA_ARCH_TESTS_REFSPEC}
+ GIT_SHALLOW TRUE
+- PATCH_COMMAND git stash
+- COMMAND git apply ${CMAKE_CURRENT_LIST_DIR}/modify_attest_config.patch
+ )
+
+ # FetchContent_GetProperties exports psa-arch-tests_SOURCE_DIR and psa-arch-tests_BINARY_DIR variables
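Review bot: `PSA_ARCH_TESTS_REFSPEC` stays on the branch name "fix-multipart-aead" of a fork, while this hunk deletes both the "Temporarily using modified tests" comment and the commented-out upstream URL with its pinned commit. A branch ref can move, so the fetched test sources are not reproducible. The t_cose patch earlier on this page pins its refspec to a full SHA for exactly that reason. I would pin here too, `set(PSA_ARCH_TESTS_REFSPEC "<full-commit-sha>" CACHE STRING "psa-arch-tests git refspec")`, and keep a comment saying why the fork is used. Depending on the CMake version, `GIT_SHALLOW TRUE` may have to be dropped when `GIT_TAG` is a commit hash.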
+@@ -37,7 +40,10 @@ if(NOT psa-arch-tests_POPULATED)
+ message(STATUS "Fetching psa-arch-tests")
+ FetchContent_Populate(psa-arch-tests)
+ endif()
+-
++else()
++ set(psa-arch-tests_SOURCE_DIR "${TS_ROOT}/../psa-arch-tests")
++ set(psa-arch-tests_BINARY_DIR "${CMAKE_CURRENT_BINARY_DIR}")
++endif()
+ # Ensure list of include paths is separated correctly
+ string(REPLACE ";" "\\;" PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS "${PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS}")
+
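Review bot: The `else()` branch is taken for every value of `PSA_ARCH_TESTS_PATH` other than "DOWNLOAD", including an unset variable. It then ignores that value and hard-codes `${TS_ROOT}/../psa-arch-tests` without checking that the directory exists. A mistyped or missing setting therefore builds whatever happens to sit next to the source tree, or fails later with a less obvious error. I would either use the variable as the path or fail early: `if(NOT EXISTS "${psa-arch-tests_SOURCE_DIR}")` / `message(FATAL_ERROR "psa-arch-tests sources not found")` / `endif()`.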
+@@ -47,6 +53,7 @@ string(REPLACE ";" " " PSA_ARCH_TEST_EXTERNAL_DEFS "${PSA_ARCH_TEST_EXTERNAL_DEF
+ # Configure the psa-arch-test library
+ execute_process(COMMAND
+ ${CMAKE_COMMAND}
++ -DCMAKE_SYSROOT=${SYSROOT_YOCTO}
+ -DTOOLCHAIN=INHERIT
+ -DCMAKE_TOOLCHAIN_FILE=${TS_EXTERNAL_LIB_TOOLCHAIN_FILE}
+ -DPSA_INCLUDE_PATHS=${PSA_ARCH_TESTS_EXTERNAL_INCLUDE_PATHS}
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,30 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 8bb6a36a36defc9e6cc234404276bf5fea8e8ad4 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sun, 13 Feb 2022 09:01:10 +0000
+Subject: [PATCH 12/15] Fix: Crypto interface structure aligned with tf-m
+ change.
+
+NO NEED TO RAISE PR: The PR for this FIX is raied by Emek.
+---
+ components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h
+index c13c20e8..ec25eaf8 100644
+--- a/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h
++++ b/components/service/crypto/backend/psa_ipc/crypto_ipc_backend.h
+@@ -38,7 +38,8 @@ struct psa_ipc_crypto_pack_iovec {
+ * multipart operation
+ */
+ uint32_t capacity; /*!< Key derivation capacity */
+-
++ uint32_t ad_length; /*!< Additional Data length for multipart AEAD */
++ uint32_t plaintext_length; /*!< Plaintext length for multipart AEAD */
+ struct psa_ipc_crypto_aead_pack_input aead_in; /*!< FixMe: Temporarily used for
+ * AEAD until the API is
+ * restructured
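Review bot: `ad_length` and `plaintext_length` are inserted in the middle of `struct psa_ipc_crypto_pack_iovec`, which the callers on this page pass across the IPC boundary by address with `sizeof(struct psa_ipc_crypto_pack_iovec)`. The layout therefore has to match the structure on the TF-M side field for field, and nothing here ties it to a TF-M version or checks it at build time. I would add a comment naming the TF-M release this layout mirrors, and a `_Static_assert` on `sizeof` or on the offset of `aead_in` once the expected value is known. The struct begins and ends outside the hunk.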
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,494 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 0469b4650bb011ec157286dbae0f1cef5cbfbe41 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Sun, 13 Feb 2022 09:49:51 +0000
+Subject: [PATCH 13/15] Integrate remaining psa-ipc client APIs.
+
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+---
+ .../caller/psa_ipc/crypto_caller_aead.h | 297 +++++++++++++++++-
+ .../caller/psa_ipc/crypto_caller_sign_hash.h | 35 +++
+ .../psa_ipc/crypto_caller_verify_hash.h | 33 +-
+ 3 files changed, 352 insertions(+), 13 deletions(-)
+
+diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h
+index 78517fe3..9c64fe62 100644
+--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h
++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_aead.h
+@@ -152,7 +152,27 @@ static inline psa_status_t crypto_caller_aead_encrypt_setup(
+ psa_key_id_t key,
+ psa_algorithm_t alg)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_ENCRYPT_SETUP_SID,
++ .key_id = key,
++ .alg = alg,
++ .op_handle = (*op_handle),
++ };
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)}
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_decrypt_setup(
+@@ -161,7 +181,26 @@ static inline psa_status_t crypto_caller_aead_decrypt_setup(
+ psa_key_id_t key,
+ psa_algorithm_t alg)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_DECRYPT_SETUP_SID,
++ .key_id = key,
++ .alg = alg,
++ .op_handle = (*op_handle),
++ };
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)}
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(op_handle), .len = sizeof(uint32_t)}
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_generate_nonce(
+@@ -171,7 +210,27 @@ static inline psa_status_t crypto_caller_aead_generate_nonce(
+ size_t nonce_size,
+ size_t *nonce_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_GENERATE_NONCE_SID,
++ .op_handle = op_handle,
++ };
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
++ {.base = psa_ptr_to_u32(nonce), .len = nonce_size}
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++
++ *nonce_length = out_vec[1].len;
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_set_nonce(
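Review bot: `*nonce_length = out_vec[1].len;` runs whatever `psa_call` returned, so on failure the caller may be told that `nonce_size` bytes were produced if the callee left the length untouched (its behaviour on error is not visible here). Reporting zero on error is safer: `*nonce_length = (status == PSA_SUCCESS) ? out_vec[1].len : 0;`. The same unconditional length write is in crypto_caller_aead_update (`*output_length`), crypto_caller_aead_finish (`*tag_length`) and crypto_caller_sign_message (`*signature_length`). None of these checks the length pointer for NULL before writing through it.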
+@@ -180,7 +239,25 @@ static inline psa_status_t crypto_caller_aead_set_nonce(
+ const uint8_t *nonce,
+ size_t nonce_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_SET_NONCE_SID,
++ .op_handle = op_handle,
++ };
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ {.base = psa_ptr_to_u32(nonce), .len = nonce_length}
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_set_lengths(
+@@ -189,7 +266,27 @@ static inline psa_status_t crypto_caller_aead_set_lengths(
+ size_t ad_length,
+ size_t plaintext_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_SET_LENGTHS_SID,
++ .ad_length = ad_length,
++ .plaintext_length = plaintext_length,
++ .op_handle = op_handle,
++ };
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_update_ad(
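Review bot: `ad_length` and `plaintext_length` arrive as `size_t` but are stored into the `uint32_t` fields of `struct psa_ipc_crypto_pack_iovec` (widths as declared in the crypto_ipc_backend.h hunk on this page), so on a 64-bit client a value above `UINT32_MAX` is silently truncated. The service would then account for a shorter message than the caller declared. Rejecting it up front keeps the two sides consistent: `if (ad_length > UINT32_MAX || plaintext_length > UINT32_MAX) return PSA_ERROR_INVALID_ARGUMENT;`.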
+@@ -198,7 +295,35 @@ static inline psa_status_t crypto_caller_aead_update_ad(
+ const uint8_t *input,
+ size_t input_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_AD_SID,
++ .op_handle = op_handle,
++ };
++
++ /* Sanitize the optional input */
++ if ((input == NULL) && (input_length != 0)) {
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ {.base = psa_ptr_const_to_u32(input), .len = input_length}
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)}
++ };
++
++ size_t in_len = IOVEC_LEN(in_vec);
++
++ if (input == NULL) {
++ in_len--;
++ }
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ in_len, out_vec, IOVEC_LEN(out_vec));
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_update(
+@@ -210,7 +335,38 @@ static inline psa_status_t crypto_caller_aead_update(
+ size_t output_size,
+ size_t *output_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_UPDATE_SID,
++ .op_handle = op_handle,
++ };
++
++ /* Sanitize the optional input */
++ if ((input == NULL) && (input_length != 0)) {
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ {.base = psa_ptr_const_to_u32(input), .len = input_length}
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
++ {.base = psa_ptr_const_to_u32(output), .len = output_size},
++ };
++
++ size_t in_len = IOVEC_LEN(in_vec);
++
++ if (input == NULL) {
++ in_len--;
++ }
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ in_len, out_vec, IOVEC_LEN(out_vec));
++
++ *output_length = out_vec[1].len;
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_finish(
+@@ -223,7 +379,48 @@ static inline psa_status_t crypto_caller_aead_finish(
+ size_t tag_size,
+ size_t *tag_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_FINISH_SID,
++ .op_handle = op_handle,
++ };
++
++ /* Sanitize the optional output */
++ if ((aeadtext == NULL) && (aeadtext_size != 0)) {
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
++ {.base = psa_ptr_const_to_u32(tag), .len = tag_size},
++ {.base = psa_ptr_const_to_u32(aeadtext), .len = aeadtext_size}
++ };
++
++ size_t out_len = IOVEC_LEN(out_vec);
++
++ if (aeadtext == NULL || aeadtext_size == 0) {
++ out_len--;
++ }
++ if ((out_len == 3) && (aeadtext_length == NULL)) {
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, out_len);
++
++ *tag_length = out_vec[1].len;
++
++ if (out_len == 3) {
++ *aeadtext_length = out_vec[2].len;
++ } else {
++ *aeadtext_length = 0;
++ }
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_verify(
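Review bot: `aeadtext_length` is checked for NULL only when `out_len == 3`, yet the `else` branch after `psa_call` still executes `*aeadtext_length = 0;`. A caller passing no ciphertext buffer and a NULL length pointer therefore hits a NULL dereference, and `*tag_length` is written with no check at all. crypto_caller_aead_verify in the next hunk has the same shape with `*plaintext_length = 0;`. Validate the pointers once, before the IPC call: `if (tag_length == NULL || aeadtext_length == NULL) return PSA_ERROR_INVALID_ARGUMENT;`. The function signature starts outside the hunk.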
+@@ -235,14 +432,94 @@ static inline psa_status_t crypto_caller_aead_verify(
+ const uint8_t *tag,
+ size_t tag_length)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_VERIFY_SID,
++ .op_handle = op_handle,
++ };
++
++ /* Sanitize the optional output */
++ if ((plaintext == NULL) && (plaintext_size != 0)) {
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ {.base = psa_ptr_const_to_u32(tag), .len = tag_length}
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
++ {.base = psa_ptr_const_to_u32(plaintext), .len = plaintext_size},
++ };
++
++ size_t out_len = IOVEC_LEN(out_vec);
++
++ if (plaintext == NULL || plaintext_size == 0) {
++ out_len--;
++ }
++ if ((out_len == 2) && (plaintext_length == NULL)) {
++ return PSA_ERROR_INVALID_ARGUMENT;
++ }
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, out_len);
++
++ if (out_len == 2) {
++ *plaintext_length = out_vec[1].len;
++ } else {
++ *plaintext_length = 0;
++ }
++ return status;
+ }
+
+ static inline psa_status_t crypto_caller_aead_abort(
+ struct service_client *context,
+ uint32_t op_handle)
+ {
+- return PSA_ERROR_NOT_SUPPORTED;
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_AEAD_ABORT_SID,
++ .op_handle = op_handle,
++ };
++
++ struct psa_invec in_vec[] = {
++ {.base = psa_ptr_to_u32(&iov), .len = sizeof(struct psa_ipc_crypto_pack_iovec)},
++ };
++ struct psa_outvec out_vec[] = {
++ {.base = psa_ptr_to_u32(&op_handle), .len = sizeof(uint32_t)},
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++ return status;
++}
++
++static inline size_t crypto_caller_aead_max_update_size(const struct service_client *context)
++{
++ /* Returns the maximum number of bytes that may be
++ * carried as a parameter of the mac_update operation
++ * using the packed-c encoding.
++ */
++ size_t payload_space = context->service_info.max_payload;
++ size_t overhead = iov_size;
++
++ return (payload_space > overhead) ? payload_space - overhead : 0;
++}
++
++static inline size_t crypto_caller_aead_max_update_ad_size(const struct service_client *context)
++{
++ /* Returns the maximum number of bytes that may be
++ * carried as a parameter of the mac_update operation
++ * using the packed-c encoding.
++ */
++ size_t payload_space = context->service_info.max_payload;
++ size_t overhead = iov_size;
++
++ return (payload_space > overhead) ? payload_space - overhead : 0;
+ }
+
+ #ifdef __cplusplus
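Review bot: The comments in `crypto_caller_aead_max_update_size` and `crypto_caller_aead_max_update_ad_size` describe "the mac_update operation using the packed-c encoding", but these are the AEAD helpers of the psa_ipc caller. They appear to have been copied from another caller header. I would reword them to say that they return the payload space left for an AEAD update (or update_ad) input after subtracting `iov_size` from `service_info.max_payload`. Since the two bodies are identical, one could simply return the other. `iov_size` is defined outside the hunk.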
+diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h
+index 71d88ced..e4a2b167 100644
+--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h
++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_sign_hash.h
+@@ -57,6 +57,41 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
+ return status;
+ }
+
++static inline psa_status_t crypto_caller_sign_message(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash,
++ size_t hash_length,
++ uint8_t *signature,
++ size_t signature_size,
++ size_t *signature_length)
++{
++ struct service_client *ipc = context;
++ struct rpc_caller *caller = ipc->caller;
++ psa_status_t status;
++ struct psa_ipc_crypto_pack_iovec iov = {
++ .sfn_id = TFM_CRYPTO_SIGN_MESSAGE_SID,
++ .key_id = id,
++ .alg = alg,
++ };
++ struct psa_invec in_vec[] = {
++ { .base = psa_ptr_to_u32(&iov), .len = iov_size },
++ { .base = psa_ptr_const_to_u32(hash), .len = hash_length },
++ };
++ struct psa_outvec out_vec[] = {
++ { .base = psa_ptr_to_u32(signature), .len = signature_size },
++ };
++
++ status = psa_call(caller, TFM_CRYPTO_HANDLE, PSA_IPC_CALL, in_vec,
++ IOVEC_LEN(in_vec), out_vec, IOVEC_LEN(out_vec));
++
++ *signature_length = out_vec[0].len;
++
++ return status;
++}
++
++
++
+ #ifdef __cplusplus
+ }
+ #endif
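Review bot: `crypto_caller_sign_message` names its input parameters `hash` and `hash_length`, although with `TFM_CRYPTO_SIGN_MESSAGE_SID` they carry the unhashed message. That invites a caller to pass a digest and have it hashed again. Renaming them to `input` and `input_length` and adding a short doc comment would remove the ambiguity. `crypto_caller_verify_message` in crypto_caller_verify_hash.h has the same naming.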
+diff --git a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h
+index e16f6e54..cc9279ee 100644
+--- a/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h
++++ b/components/service/crypto/client/caller/psa_ipc/crypto_caller_verify_hash.h
+@@ -24,19 +24,20 @@
+ extern "C" {
+ #endif
+
+-static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
++static inline psa_status_t crypto_caller_common(struct service_client *context,
+ psa_key_id_t id,
+ psa_algorithm_t alg,
+ const uint8_t *hash,
+ size_t hash_length,
+ const uint8_t *signature,
+- size_t signature_length)
++ size_t signature_length,
++ uint32_t sfn_id)
+ {
+ struct service_client *ipc = context;
+ struct rpc_caller *caller = ipc->caller;
+ psa_status_t status;
+ struct psa_ipc_crypto_pack_iovec iov = {
+- .sfn_id = TFM_CRYPTO_VERIFY_HASH_SID,
++ .sfn_id = sfn_id,
+ .key_id = id,
+ .alg = alg,
+ };
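Review bot: The shared helper is named `crypto_caller_common`, which is very generic for a `static inline` function in a header that is included next to the other crypto_caller_*.h files. A second header defining a helper with the same name would fail to compile, and the name says nothing about what is common. Something like `crypto_caller_verify_common` fits better, together with a one-line comment saying that `sfn_id` selects between `TFM_CRYPTO_VERIFY_HASH_SID` and `TFM_CRYPTO_VERIFY_MESSAGE_SID`. The function body continues outside this hunk.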
+@@ -52,6 +53,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
+ return status;
+ }
+
++static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash,
++ size_t hash_length,
++ const uint8_t *signature,
++ size_t signature_length)
++{
++
++ return crypto_caller_common(context,id,alg,hash,hash_length,
++ signature,signature_length, TFM_CRYPTO_VERIFY_HASH_SID);
++}
++
++static inline psa_status_t crypto_caller_verify_message(struct service_client *context,
++ psa_key_id_t id,
++ psa_algorithm_t alg,
++ const uint8_t *hash,
++ size_t hash_length,
++ const uint8_t *signature,
++ size_t signature_length)
++{
++
++ return crypto_caller_common(context,id,alg,hash,hash_length,
++ signature,signature_length, TFM_CRYPTO_VERIFY_MESSAGE_SID);
++}
++
+ #ifdef __cplusplus
+ }
+ #endif
+--
+2.25.1
new file mode 100644
@@ -0,0 +1,40 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From b3529f7a5bc1cff193fd0887c0f78348ef6043a4 Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Mon, 14 Feb 2022 17:52:00 +0000
+Subject: [PATCH 14/15] Fix : update psa_set_key_usage_flags definition to the
+ latest from the tf-m
+
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+---
+ components/service/crypto/include/psa/crypto_struct.h | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/components/service/crypto/include/psa/crypto_struct.h b/components/service/crypto/include/psa/crypto_struct.h
+index 1bc55e37..b4a7ed4b 100644
+--- a/components/service/crypto/include/psa/crypto_struct.h
++++ b/components/service/crypto/include/psa/crypto_struct.h
+@@ -155,9 +155,19 @@ static inline psa_key_lifetime_t psa_get_key_lifetime(
+ return( attributes->lifetime );
+ }
+
++static inline void psa_extend_key_usage_flags( psa_key_usage_t *usage_flags )
++{
++ if( *usage_flags & PSA_KEY_USAGE_SIGN_HASH )
++ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
++
++ if( *usage_flags & PSA_KEY_USAGE_VERIFY_HASH )
++ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
++}
++
+ static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
+ psa_key_usage_t usage_flags)
+ {
++ psa_extend_key_usage_flags( &usage_flags );
+ attributes->usage = usage_flags;
+ }
+
+--
+2.25.1
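Review bot: `psa_extend_key_usage_flags` in the crypto_struct.h hunk widens the caller's key policy without a comment saying so. A key requested with only `PSA_KEY_USAGE_SIGN_HASH` also receives `PSA_KEY_USAGE_SIGN_MESSAGE` (likewise for verify), so `attributes->usage` ends up holding more than the application passed in. This looks like the implication the PSA Crypto API attaches to the hash usage flags, but someone auditing key policies cannot tell that from the code. I would add a comment above the helper such as `/* SIGN_HASH / VERIFY_HASH imply the matching *_MESSAGE usage, as in tf-m. */` and brace the two `if` bodies. The extension is applied only in this setter, so attributes filled in by other paths are presumably not widened, which is worth confirming as intended.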
new file mode 100644
@@ -0,0 +1,120 @@
+Upstream-Status: Pending [Not submitted to upstream yet]
+Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>
+
+From 500a359b65398d0a272a474566659fd5a21f44ff Mon Sep 17 00:00:00 2001
+From: Satish Kumar <satish.kumar01@arm.com>
+Date: Mon, 14 Feb 2022 08:22:25 +0000
+Subject: [PATCH 15/15] Fixes in AEAD for psa-arch test 54 and 58.
+
+Signed-off-by: Satish Kumar <satish.kumar01@arm.com>
+---
+ .../crypto/client/caller/packed-c/crypto_caller_aead.h | 1 +
+ components/service/crypto/include/psa/crypto_sizes.h | 2 +-
+ .../crypto/provider/extension/aead/aead_provider.c | 8 ++++++--
+ .../extension/aead/serializer/aead_provider_serializer.h | 1 +
+ .../packed-c/packedc_aead_provider_serializer.c | 2 ++
+ protocols/service/crypto/packed-c/aead.h | 1 +
+ 6 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+index c4ffb20c..a91f66c1 100644
+--- a/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
++++ b/components/service/crypto/client/caller/packed-c/crypto_caller_aead.h
+@@ -309,6 +309,7 @@ static inline psa_status_t crypto_caller_aead_update(struct service_client *cont
+ size_t req_len = req_fixed_len;
+
+ *output_length = 0;
++ req_msg.output_size = output_size;
+ req_msg.op_handle = op_handle;
+
+ /* Mandatory input data parameter */
+diff --git a/components/service/crypto/include/psa/crypto_sizes.h b/components/service/crypto/include/psa/crypto_sizes.h
+index 4d7bf6e9..e3c4df29 100644
+--- a/components/service/crypto/include/psa/crypto_sizes.h
++++ b/components/service/crypto/include/psa/crypto_sizes.h
+@@ -351,7 +351,7 @@
+ * just the largest size that may be generated by
+ * #psa_aead_generate_nonce().
+ */
+-#define PSA_AEAD_NONCE_MAX_SIZE 12
++#define PSA_AEAD_NONCE_MAX_SIZE 16
+
+ /** A sufficient output buffer size for psa_aead_update().
+ *
+diff --git a/components/service/crypto/provider/extension/aead/aead_provider.c b/components/service/crypto/provider/extension/aead/aead_provider.c
+index 14a25436..6b144db8 100644
+--- a/components/service/crypto/provider/extension/aead/aead_provider.c
++++ b/components/service/crypto/provider/extension/aead/aead_provider.c
+@@ -283,10 +283,11 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req)
+ uint32_t op_handle;
+ const uint8_t *input;
+ size_t input_len;
++ uint32_t recv_output_size;
+
+ if (serializer)
+ rpc_status = serializer->deserialize_aead_update_req(req_buf, &op_handle,
+- &input, &input_len);
++ &recv_output_size, &input, &input_len);
+
+ if (rpc_status == TS_RPC_CALL_ACCEPTED) {
+
+@@ -300,9 +301,12 @@ static rpc_status_t aead_update_handler(void *context, struct call_req *req)
+ if (crypto_context) {
+
+ size_t output_len = 0;
+- size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len);
++ size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24);
+ uint8_t *output = malloc(output_size);
+
++ if (recv_output_size < output_size) {
++ output_size = recv_output_size;
++ }
+ if (output) {
+
+ psa_status = psa_aead_update(&crypto_context->op.aead,
+diff --git a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
+index bb1a2a97..0156aaba 100644
+--- a/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
++++ b/components/service/crypto/provider/extension/aead/serializer/aead_provider_serializer.h
+@@ -51,6 +51,7 @@ struct aead_provider_serializer {
+ /* Operation: aead_update */
+ rpc_status_t (*deserialize_aead_update_req)(const struct call_param_buf *req_buf,
+ uint32_t *op_handle,
++ uint32_t *output_size,
+ const uint8_t **input, size_t *input_len);
+
+ rpc_status_t (*serialize_aead_update_resp)(struct call_param_buf *resp_buf,
+diff --git a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
+index 6f00b3e3..45c739ab 100644
+--- a/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
++++ b/components/service/crypto/provider/extension/aead/serializer/packed-c/packedc_aead_provider_serializer.c
+@@ -192,6 +192,7 @@ static rpc_status_t deserialize_aead_update_ad_req(const struct call_param_buf *
+ /* Operation: aead_update */
+ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req_buf,
+ uint32_t *op_handle,
++ uint32_t *output_size,
+ const uint8_t **input, size_t *input_len)
+ {
+ rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
+@@ -208,6 +209,7 @@ static rpc_status_t deserialize_aead_update_req(const struct call_param_buf *req
+ memcpy(&recv_msg, req_buf->data, expected_fixed_len);
+
+ *op_handle = recv_msg.op_handle;
++ *output_size = recv_msg.output_size;
+
+ tlv_const_iterator_begin(&req_iter,
+ (uint8_t*)req_buf->data + expected_fixed_len,
+diff --git a/protocols/service/crypto/packed-c/aead.h b/protocols/service/crypto/packed-c/aead.h
+index 0be266b5..435fd3b5 100644
+--- a/protocols/service/crypto/packed-c/aead.h
++++ b/protocols/service/crypto/packed-c/aead.h
+@@ -98,6 +98,7 @@ enum
+ struct __attribute__ ((__packed__)) ts_crypto_aead_update_in
+ {
+ uint32_t op_handle;
++ uint32_t output_size;
+ };
+
+ /* Variable length input parameter tags */
+--
+2.25.1
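Review bot: In the second aead_provider.c hunk, `PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(24)` replaces the size derived from `input_len` with an unexplained constant, so the output buffer no longer scales with the request. An update carrying more than 24 bytes of input will presumably fail with a buffer-too-small status; the `psa_aead_update` call and the rest of `aead_update_handler` lie outside the hunk. I would keep `size_t output_size = PSA_AEAD_UPDATE_OUTPUT_MAX_SIZE(input_len);` and move the `recv_output_size` clamp above the `malloc`, so the allocation is bounded by what the client declared. Separately, `req_msg.output_size = output_size;` in crypto_caller_aead.h stores what is presumably a `size_t` into a `uint32_t` field without a range check. The new `output_size` member of the packed `ts_crypto_aead_update_in` also changes the wire layout, so client and provider must be updated together.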
@@ -6,10 +6,11 @@ LIC_FILES_CHKSUM += "file://../mbedtls/LICENSE;md5=3b83ef96387f14655fc854ddc3c6b
file://../nanopb/LICENSE.txt;md5=9db4b73a55a3994384112efcdb37c01f \
file://../openamp/LICENSE.md;md5=a8d8cf662ef6bf9936a1e1413585ecbf \
file://../libmetal/LICENSE.md;md5=fe0b8a4beea8f0813b606d15a3df3d3c \
+ file://../psa-arch-tests/LICENSE.md;md5=2a944942e1496af1886903d274dedb13 \
"
SRC_URI:append = " \
- ${SRC_URI_MBEDTLS} ${SRC_URI_NANOPB} ${SRC_URI_OPENAMP} ${SRC_URI_LIBMETAL} \
+ ${SRC_URI_MBEDTLS} ${SRC_URI_NANOPB} ${SRC_URI_OPENAMP} ${SRC_URI_LIBMETAL} ${SRC_URI_ARCH-TESTS}\
file://0001-tools-cmake-common-applying-lowercase-project-convention.patch \
file://0002-fix-EARLY_TA_PATHS-env-variable.patch \
file://0003-se-proxy-dts-add-se-proxy-as-child-node.patch \
@@ -42,6 +43,22 @@ SRC_URI:append = " \
file://0030-Add-missing-features-to-setVariable.patch \
file://0031-Add-invalid-parameter-check-in-getNextVariableName.patch \
file://0032-smm_gateway-add-checks-for-null-attributes.patch \
+ file://0033-Enhance-mbedtls-fetch-process.patch \
+ file://0034-Fix-format-specifier-in-logging_caller.patch \
+ file://0035-Update-refspecs-for-mbedtls-and-psa-arch-tests-for-v.patch \
+ file://0036-Separate-sign-verify-message-and-hash-operations.patch \
+ file://0037-Add-defence-against-uninitialised-multi-part-transac.patch \
+ file://0038-Integrate-AEAD-operation-support.patch \
+ file://0039-Add-IV-generation-to-one-shot-cipher-operation.patch \
+ file://0040-Fix-multi-part-termination-on-error.patch \
+ file://0041-Abort-AEAD-operation-if-client-provided-buffer-is-to.patch \
+ file://0042-Peg-to-updated-t_cose-version-fc3a4b2c.patch \
+ file://0043-pass-sysroot_yocto.patch \
+ file://0044-Fix-Crypto-interface-structure-aligned-with-tf-m-cha.patch \
+ file://0045-Integrate-remaining-psa-ipc-client-APIs.patch \
+ file://0046-Fix-update-psa_set_key_usage_flags-definition-to-the.patch \
+ file://0047-Fixes-in-AEAD-for-psa-arch-test-54-and-58.patch \
+ file://0003-corstone1000-port-crypto-config.patch;patchdir=../psa-arch-tests \
"
SRC_URI_MBEDTLS = "git://github.com/ARMmbed/mbedtls.git;protocol=https;branch=development;name=mbedtls;destsuffix=git/mbedtls"
@@ -56,6 +73,9 @@ SRCREV_openamp = "347397decaa43372fc4d00f965640ebde042966d"
SRC_URI_LIBMETAL = "git://github.com/OpenAMP/libmetal.git;name=libmetal;protocol=https;branch=main;destsuffix=git/libmetal"
SRCREV_libmetal = "f252f0e007fbfb8b3a52b1d5901250ddac96baad"
+SRC_URI_ARCH-TESTS = "git://github.com/bensze01/psa-arch-tests.git;name=psa-arch-tests;protocol=https;nobranch=1;destsuffix=git/psa-arch-tests"
+SRCREV_psa-arch-tests = "fix-multipart-aead"
+
TS_ENVIRONMENT_LINUX = "arm-linux"
TS_PLATFORM = "arm/corstone1000"
TS_ENVIRONMENT = "opteesp"
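Review bot: `SRCREV_psa-arch-tests = "fix-multipart-aead"` pins the new source to a ref name rather than a commit id, unlike `SRCREV_openamp` and `SRCREV_libmetal` in the same hunk. The repository is also a personal fork (`github.com/bensze01/psa-arch-tests`) fetched with `nobranch=1`. A named ref can be moved or deleted by the fork's owner, so the build is not reproducible and whatever the ref resolves to at fetch time is built without review. I would pin the full hash, `SRCREV_psa-arch-tests = "<40-hex commit id of the reviewed revision>"`, and add a comment saying why the fork is needed and when the recipe can return to the upstream repository.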