The cryptography core in CYW43907, also known as crypto, is a dedicated hardware core present in the applications processor. It is used for performing cryptographic operations such as encryption and hashing in dedicated engines. The following operations are supported:

 

Encryption:
AES module which supports CBC, ECB, CTR, CFB modes
DES module to support DES and 3DES encryption with ECB and CBC modes

 

Hashing:
MD5, SHA1, SHA224, and SHA256 to support HMAC

 

Using hardware crypto in WICED

 

The hwcrypto is used in mbedTLS cryptographic operations as well as secure boot. By default, hwcrypto is enabled for mbedTLS operations. The macro PLATFORM_HAS_HW_CRYPTO_SUPPORT is used for enabling hwcrypto for mbedTLS and it is defined in BCM4390x.mk as shown below:

GLOBAL_DEFINES +=  PLATFORM_HAS_HW_CRYPTO_SUPPORT
$(NAME)_SOURCES += platform_crypto.c

To disable hwcrypto, the above statements should be commented out. The PLATFORM_HAS_HW_CRYPTO_SUPPORT effectively enables the following macros in mbedtls/config.h:

MBEDTLS_AES_ALT
MBEDTLS_DES_ALT
MBEDTLS_MD5_ALT
MBEDTLS_SHA256_ALT
MBEDTLS_SHA1_ALT

The above macros are used for enabling hwcrypto APIs defined in files marked with _alt.c in mbedtls_open/library. For instance, when MBEDTLS_AES_ALT is enabled, the APIs present in aes_alt.c are enabled which would call the driver functions such as hw_aes_crypt() in platform_tiny_crypto.c.

An SPU message is processed by the crypto core. Its contains the following:

 

           INPUT HEADER                       OUTPUT HEADER

     +-------------------------+         +------------------------+

     | Message Header (MH )    |         | Message Header (MH)    |

     +-------------------------+         +------------------------+

     | Extended Header (EH)    |         | Extended Header (EH)   |

     +-------------------------+         +------------------------+

     | SCTX Header 0  (SCTX0)  |         | Output data : Payload  |

     +-------------------------+         +------------------------+

     | SCTX Header 1  (SCTX1)  |         | Status                 |

     +-------------------------+         +------------------------+

     | SCTX Header 2  (SCTX2)  |

     +-------------------------+

     | BufferDescriptor (BDESC)|

     +-------------------------+

     | Buffer Data (BD)        |

     +-------------------------+

     | Input data : Payload    |

     +-------------------------+

     | Status                  |

     +-------------------------+

 

Where SCTX is the security context.

 

The DMA descriptors to SPU-M have the following format:

     INPUT DMA Descriptors                           OUTPUT DMA Descriptors

    +--------------------------+                    +--------------------------+

    | Header                   |                    | Header                   |

    | (MH + EH + SCTX0 + SCTX1 |                    | (MH + EH + BDA )         |

    |  SCTX2 + SCTX3)          |                    +--------------------------+

    +--------------------------+                    | start_aligned_buffer@    |

    | Payload 1                |                    | (PLATFORM_L1_CACHE_BYTES |

    | (MAX_DMA_BUFFER_SIZE)    |                    +--------------------------+

    +--------------------------+                    | Payload 1                |

    | Payload 2*               |                    | (MAX_DMA_BUFFER_SIZE)    |

    | (MAX_DMA_BUFFER_SIZE)    |                    +--------------------------+

    +--------------------------+                    | Payload 2*               |

    | Payload 3*               |                    | (MAX_DMA_BUFFER_SIZE)    |

    | (MAX_DMA_BUFFER_SIZE)    |                    +--------------------------+

    +--------------------------+                    | Payload 3*               |

    | Payload 4*               |                    | (MAX_DMA_BUFFER_SIZE)    |

    | (MAX_DMA_BUFFER_SIZE)    |                    +--------------------------+

    +--------------------------+                    | Payload 4*               |

    | STATUS                   |                    | (BYTES_IN_WORD)          |

    | (BYTES_IN_WORD)          |                    +--------------------------+

    +--------------------------+                    | end_aligned_buffer@      |

                                                    | (MAX_DMA_BUFFER_SIZE)    |

                                                    +--------------------------+

                                                    | HASH_OUTPUT#             |

                                                    | (BYTES_IN_WORD)          |

                                                    +--------------------------+

                                                    | STATUS                   |

                                                    | (BYTES_IN_WORD)          |

                                                    +--------------------------+

    *
    * * : Payload2/3/4 only required if Payload1/2/3 > MAX_DMA_BUFFER_SIZE
    * # : Hash output present only if cmd.hash_output is Not NULL
    * @ : Start/end aligned buffer is needed to ensure that the Start address and size of DMA is
    *     PLATFORM_L1_CACHE_BYTES aligned
    */

The following macros are defined in platform_tiny_crypto.c:

 

MAX_DMA_BUFFER_SIZE: This is the maximum size of DMA descriptor buffer which is 16kB. If the DMA payload size exceeds MAX_DMA_BUFFER_SIZE, it is split into chunks of MAX_DMA_BUFFER_SIZE. This is implemented in hwcrypto_split_dma_data() called in populate_input_descriptors().

 

MAX_TX_DMADESCRIPTOS: This is the maximum size of input DMA descriptors as shown in the format above. Its value is 1 (header) +  4 (payload) + 1 (padded hash input) + 1 (status)

 

MAX_RX_DMADESCRIPTOS: This is the maximum size of output DMA descriptors as shown in the format above. Its value is 1 (header) +  4 (payload) + 2 (aligned payload buffers) + 1 (hashoutput) + 1 (status)

 

HWCRYPTO_MAX_PAYLOAD_SIZE: This is the maximum hwcrypto payload size that the SPU-M can handle at a time during cryptographic operation.

 

Other macros specific to encryption and hashing have been listed in crypto_api.h.

 

A sample WICED code for testing AES-CBC using hwcrypto has been attached.