Merge branch 'dev' of https://github.com/DarkFlippers/unleashed-firmware into xfw-dev --nobuild

firmware/targets/f18/api_symbols.csv

@@ -1,5 +1,5 @@
 entry,status,name,type,params
-Version,+,34.4,,
+Version,+,35.0,,
 Header,+,applications/services/bt/bt_service/bt.h,,
 Header,+,applications/services/cli/cli.h,,
 Header,+,applications/services/cli/cli_vcp.h,,
@@ -1035,14 +1035,20 @@ Function,+,furi_hal_cortex_instructions_per_microsecond,uint32_t,
 Function,+,furi_hal_cortex_timer_get,FuriHalCortexTimer,uint32_t
 Function,+,furi_hal_cortex_timer_is_expired,_Bool,FuriHalCortexTimer
 Function,+,furi_hal_cortex_timer_wait,void,FuriHalCortexTimer
+Function,+,furi_hal_crypto_ctr,_Bool,"const uint8_t*, const uint8_t*, const uint8_t*, uint8_t*, size_t"
 Function,+,furi_hal_crypto_decrypt,_Bool,"const uint8_t*, uint8_t*, size_t"
 Function,+,furi_hal_crypto_encrypt,_Bool,"const uint8_t*, uint8_t*, size_t"
+Function,+,furi_hal_crypto_gcm,_Bool,"const uint8_t*, const uint8_t*, const uint8_t*, size_t, const uint8_t*, uint8_t*, size_t, uint8_t*, _Bool"
+Function,+,furi_hal_crypto_gcm_decrypt_and_verify,FuriHalCryptoGCMState,"const uint8_t*, const uint8_t*, const uint8_t*, size_t, const uint8_t*, uint8_t*, size_t, const uint8_t*"
+Function,+,furi_hal_crypto_gcm_encrypt_and_tag,FuriHalCryptoGCMState,"const uint8_t*, const uint8_t*, const uint8_t*, size_t, const uint8_t*, uint8_t*, size_t, uint8_t*"
 Function,-,furi_hal_crypto_init,void,
-Function,+,furi_hal_crypto_store_add_key,_Bool,"FuriHalCryptoKey*, uint8_t*"
-Function,+,furi_hal_crypto_store_load_key,_Bool,"uint8_t, const uint8_t*"
-Function,+,furi_hal_crypto_store_unload_key,_Bool,uint8_t
-Function,+,furi_hal_crypto_verify_enclave,_Bool,"uint8_t*, uint8_t*"
-Function,+,furi_hal_crypto_verify_key,_Bool,uint8_t
+Function,+,furi_hal_crypto_load_key,_Bool,"const uint8_t*, const uint8_t*"
+Function,+,furi_hal_crypto_enclave_store_key,_Bool,"FuriHalCryptoKey*, uint8_t*"
+Function,+,furi_hal_crypto_enclave_load_key,_Bool,"uint8_t, const uint8_t*"
+Function,+,furi_hal_crypto_enclave_unload_key,_Bool,uint8_t
+Function,+,furi_hal_crypto_unload_key,_Bool,
+Function,+,furi_hal_crypto_enclave_verify,_Bool,"uint8_t*, uint8_t*"
+Function,+,furi_hal_crypto_enclave_ensure_key,_Bool,uint8_t
 Function,+,furi_hal_debug_disable,void,
 Function,+,furi_hal_debug_enable,void,
 Function,+,furi_hal_debug_is_gdb_session_active,_Bool,

firmware/targets/f7/api_symbols.csv

@@ -1169,14 +1169,20 @@ Function,+,furi_hal_cortex_instructions_per_microsecond,uint32_t,
 Function,+,furi_hal_cortex_timer_get,FuriHalCortexTimer,uint32_t
 Function,+,furi_hal_cortex_timer_is_expired,_Bool,FuriHalCortexTimer
 Function,+,furi_hal_cortex_timer_wait,void,FuriHalCortexTimer
+Function,+,furi_hal_crypto_ctr,_Bool,"const uint8_t*, const uint8_t*, const uint8_t*, uint8_t*, size_t"
 Function,+,furi_hal_crypto_decrypt,_Bool,"const uint8_t*, uint8_t*, size_t"
 Function,+,furi_hal_crypto_encrypt,_Bool,"const uint8_t*, uint8_t*, size_t"
+Function,+,furi_hal_crypto_gcm,_Bool,"const uint8_t*, const uint8_t*, const uint8_t*, size_t, const uint8_t*, uint8_t*, size_t, uint8_t*, _Bool"
+Function,+,furi_hal_crypto_gcm_decrypt_and_verify,FuriHalCryptoGCMState,"const uint8_t*, const uint8_t*, const uint8_t*, size_t, const uint8_t*, uint8_t*, size_t, const uint8_t*"
+Function,+,furi_hal_crypto_gcm_encrypt_and_tag,FuriHalCryptoGCMState,"const uint8_t*, const uint8_t*, const uint8_t*, size_t, const uint8_t*, uint8_t*, size_t, uint8_t*"
 Function,-,furi_hal_crypto_init,void,
-Function,+,furi_hal_crypto_store_add_key,_Bool,"FuriHalCryptoKey*, uint8_t*"
-Function,+,furi_hal_crypto_store_load_key,_Bool,"uint8_t, const uint8_t*"
-Function,+,furi_hal_crypto_store_unload_key,_Bool,uint8_t
-Function,+,furi_hal_crypto_verify_enclave,_Bool,"uint8_t*, uint8_t*"
-Function,+,furi_hal_crypto_verify_key,_Bool,uint8_t
+Function,+,furi_hal_crypto_load_key,_Bool,"const uint8_t*, const uint8_t*"
+Function,+,furi_hal_crypto_enclave_store_key,_Bool,"FuriHalCryptoKey*, uint8_t*"
+Function,+,furi_hal_crypto_enclave_load_key,_Bool,"uint8_t, const uint8_t*"
+Function,+,furi_hal_crypto_enclave_unload_key,_Bool,uint8_t
+Function,+,furi_hal_crypto_unload_key,_Bool,
+Function,+,furi_hal_crypto_enclave_verify,_Bool,"uint8_t*, uint8_t*"
+Function,+,furi_hal_crypto_enclave_ensure_key,_Bool,uint8_t
 Function,+,furi_hal_debug_disable,void,
 Function,+,furi_hal_debug_enable,void,
 Function,+,furi_hal_debug_is_gdb_session_active,_Bool,
@@ -1713,7 +1719,6 @@ Function,+,gui_add_framebuffer_callback,void,"Gui*, GuiCanvasCommitCallback, voi
 Function,+,gui_add_view_port,void,"Gui*, ViewPort*, GuiLayer"
 Function,+,gui_direct_draw_acquire,Canvas*,Gui*
 Function,+,gui_direct_draw_release,void,Gui*
-Function,-,gui_get_count_of_enabled_view_port_in_layer,uint8_t,"Gui*, GuiLayer"
 Function,+,gui_get_framebuffer_size,size_t,const Gui*
 Function,+,gui_remove_framebuffer_callback,void,"Gui*, GuiCanvasCommitCallback, void*"
 Function,+,gui_remove_view_port,void,"Gui*, ViewPort*"

firmware/targets/f7/furi_hal/furi_hal_crypto.c

@@ -1,4 +1,5 @@
 #include <furi_hal_crypto.h>
+#include <furi_hal_cortex.h>
 #include <furi_hal_bt.h>
 #include <furi_hal_random.h>
 #include <furi_hal_bus.h>
@@ -13,7 +14,7 @@
 #define ENCLAVE_SIGNATURE_SIZE 16
 
 #define CRYPTO_BLK_LEN (4 * sizeof(uint32_t))
-#define CRYPTO_TIMEOUT (1000)
+#define CRYPTO_TIMEOUT_US (1000000)
 
 #define CRYPTO_MODE_ENCRYPT 0U
 #define CRYPTO_MODE_INIT (AES_CR_MODE_0)
@@ -24,6 +25,19 @@
 #define CRYPTO_KEYSIZE_256B (AES_CR_KEYSIZE)
 #define CRYPTO_AES_CBC (AES_CR_CHMOD_0)
 
+#define CRYPTO_AES_CTR (AES_CR_CHMOD_1)
+#define CRYPTO_CTR_IV_LEN (12U)
+#define CRYPTO_CTR_CTR_LEN (4U)
+
+#define CRYPTO_AES_GCM (AES_CR_CHMOD_1 | AES_CR_CHMOD_0)
+#define CRYPTO_GCM_IV_LEN (12U)
+#define CRYPTO_GCM_CTR_LEN (4U)
+#define CRYPTO_GCM_TAG_LEN (16U)
+#define CRYPTO_GCM_PH_INIT (0x0U << AES_CR_GCMPH_Pos)
+#define CRYPTO_GCM_PH_HEADER (AES_CR_GCMPH_0)
+#define CRYPTO_GCM_PH_PAYLOAD (AES_CR_GCMPH_1)
+#define CRYPTO_GCM_PH_FINAL (AES_CR_GCMPH_1 | AES_CR_GCMPH_0)
+
 static FuriMutex* furi_hal_crypto_mutex = NULL;
 static bool furi_hal_crypto_mode_init_done = false;
 
@@ -80,7 +94,7 @@ static bool furi_hal_crypto_generate_unique_keys(uint8_t start_slot, uint8_t end
         key.size = FuriHalCryptoKeySize256;
         key.data = key_data;
         furi_hal_random_fill_buf(key_data, 32);
-        if(!furi_hal_crypto_store_add_key(&key, &slot)) {
+        if(!furi_hal_crypto_enclave_store_key(&key, &slot)) {
             explicit_bzero(key_data, sizeof(key_data));
             FURI_LOG_E(TAG, "Error writing key to slot %u", slot);
             return false;
@@ -90,21 +104,21 @@ static bool furi_hal_crypto_generate_unique_keys(uint8_t start_slot, uint8_t end
     return true;
 }
 
-bool furi_hal_crypto_verify_key(uint8_t key_slot) {
+bool furi_hal_crypto_enclave_ensure_key(uint8_t key_slot) {
     uint8_t keys_nb = 0;
     uint8_t valid_keys_nb = 0;
     uint8_t last_valid_slot = ENCLAVE_FACTORY_KEY_SLOTS;
     uint8_t empty_iv[16] = {0};
-    furi_hal_crypto_verify_enclave(&keys_nb, &valid_keys_nb);
+    furi_hal_crypto_enclave_verify(&keys_nb, &valid_keys_nb);
     if(key_slot <= ENCLAVE_FACTORY_KEY_SLOTS) { // It's a factory key
         if(key_slot > keys_nb) return false;
     } else { // Unique key
         if(keys_nb < ENCLAVE_FACTORY_KEY_SLOTS) // Some factory keys are missing
             return false;
         for(uint8_t i = key_slot; i > ENCLAVE_FACTORY_KEY_SLOTS; i--) {
-            if(furi_hal_crypto_store_load_key(i, empty_iv)) {
+            if(furi_hal_crypto_enclave_load_key(i, empty_iv)) {
                 last_valid_slot = i;
-                furi_hal_crypto_store_unload_key(i);
+                furi_hal_crypto_enclave_unload_key(i);
                 break;
             }
         }
@@ -116,14 +130,14 @@ bool furi_hal_crypto_verify_key(uint8_t key_slot) {
     return true;
 }
 
-bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
+bool furi_hal_crypto_enclave_verify(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
     furi_assert(keys_nb);
     furi_assert(valid_keys_nb);
     uint8_t keys = 0;
     uint8_t keys_valid = 0;
     uint8_t buffer[ENCLAVE_SIGNATURE_SIZE];
     for(size_t key_slot = 0; key_slot < ENCLAVE_FACTORY_KEY_SLOTS; key_slot++) {
-        if(furi_hal_crypto_store_load_key(key_slot + 1, enclave_signature_iv[key_slot])) {
+        if(furi_hal_crypto_enclave_load_key(key_slot + 1, enclave_signature_iv[key_slot])) {
             keys++;
             if(furi_hal_crypto_encrypt(
                    enclave_signature_input[key_slot], buffer, ENCLAVE_SIGNATURE_SIZE)) {
@@ -131,7 +145,7 @@ bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
                     memcmp(buffer, enclave_signature_expected[key_slot], ENCLAVE_SIGNATURE_SIZE) ==
                     0;
             }
-            furi_hal_crypto_store_unload_key(key_slot + 1);
+            furi_hal_crypto_enclave_unload_key(key_slot + 1);
         }
     }
     *keys_nb = keys;
@@ -142,7 +156,7 @@ bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb) {
         return false;
 }
 
-bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot) {
+bool furi_hal_crypto_enclave_store_key(FuriHalCryptoKey* key, uint8_t* slot) {
     furi_assert(key);
     furi_assert(slot);
 
@@ -208,6 +222,16 @@ static void crypto_key_init(uint32_t* key, uint32_t* iv) {
     AES1->IVR0 = iv[3];
 }
 
+static bool furi_hal_crypto_wait_flag(uint32_t flag) {
+    FuriHalCortexTimer timer = furi_hal_cortex_timer_get(CRYPTO_TIMEOUT_US);
+    while(!READ_BIT(AES1->SR, flag)) {
+        if(furi_hal_cortex_timer_is_expired(timer)) {
+            return false;
+        }
+    }
+    return true;
+}
+
 static bool crypto_process_block(uint32_t* in, uint32_t* out, uint8_t blk_len) {
     furi_check((blk_len <= 4) && (blk_len > 0));
 
@@ -219,14 +243,8 @@ static bool crypto_process_block(uint32_t* in, uint32_t* out, uint8_t blk_len) {
         }
     }
 
-    uint32_t countdown = CRYPTO_TIMEOUT;
-    while(!READ_BIT(AES1->SR, AES_SR_CCF)) {
-        if(LL_SYSTICK_IsActiveCounterFlag()) {
-            countdown--;
-        }
-        if(countdown == 0) {
-            return false;
-        }
+    if(!furi_hal_crypto_wait_flag(AES_SR_CCF)) {
+        return false;
     }
 
     SET_BIT(AES1->CR, AES_CR_CCFC);
@@ -240,7 +258,7 @@ static bool crypto_process_block(uint32_t* in, uint32_t* out, uint8_t blk_len) {
     return true;
 }
 
-bool furi_hal_crypto_store_load_key(uint8_t slot, const uint8_t* iv) {
+bool furi_hal_crypto_enclave_load_key(uint8_t slot, const uint8_t* iv) {
     furi_assert(slot > 0 && slot <= 100);
     furi_assert(furi_hal_crypto_mutex);
     furi_check(furi_mutex_acquire(furi_hal_crypto_mutex, FuriWaitForever) == FuriStatusOk);
@@ -263,7 +281,7 @@ bool furi_hal_crypto_store_load_key(uint8_t slot, const uint8_t* iv) {
     }
 }
 
-bool furi_hal_crypto_store_unload_key(uint8_t slot) {
+bool furi_hal_crypto_enclave_unload_key(uint8_t slot) {
     if(!furi_hal_bt_is_alive()) {
         return false;
     }
@@ -279,6 +297,27 @@ bool furi_hal_crypto_store_unload_key(uint8_t slot) {
     return (shci_state == SHCI_Success);
 }
 
+bool furi_hal_crypto_load_key(const uint8_t* key, const uint8_t* iv) {
+    furi_assert(furi_hal_crypto_mutex);
+    furi_check(furi_mutex_acquire(furi_hal_crypto_mutex, FuriWaitForever) == FuriStatusOk);
+
+    furi_hal_bus_enable(FuriHalBusAES1);
+
+    furi_hal_crypto_mode_init_done = false;
+    crypto_key_init((uint32_t*)key, (uint32_t*)iv);
+
+    return true;
+}
+
+bool furi_hal_crypto_unload_key(void) {
+    CLEAR_BIT(AES1->CR, AES_CR_EN);
+
+    furi_hal_bus_disable(FuriHalBusAES1);
+
+    furi_check(furi_mutex_release(furi_hal_crypto_mutex) == FuriStatusOk);
+    return true;
+}
+
 bool furi_hal_crypto_encrypt(const uint8_t* input, uint8_t* output, size_t size) {
     bool state = false;
 
@@ -310,14 +349,8 @@ bool furi_hal_crypto_decrypt(const uint8_t* input, uint8_t* output, size_t size)
 
         SET_BIT(AES1->CR, AES_CR_EN);
 
-        uint32_t countdown = CRYPTO_TIMEOUT;
-        while(!READ_BIT(AES1->SR, AES_SR_CCF)) {
-            if(LL_SYSTICK_IsActiveCounterFlag()) {
-                countdown--;
-            }
-            if(countdown == 0) {
-                return false;
-            }
+        if(!furi_hal_crypto_wait_flag(AES_SR_CCF)) {
+            return false;
         }
 
         SET_BIT(AES1->CR, AES_CR_CCFC);
@@ -343,3 +376,360 @@ bool furi_hal_crypto_decrypt(const uint8_t* input, uint8_t* output, size_t size)
 
     return state;
 }
+
+static void crypto_key_init_bswap(uint32_t* key, uint32_t* iv, uint32_t chaining_mode) {
+    CLEAR_BIT(AES1->CR, AES_CR_EN);
+    MODIFY_REG(
+        AES1->CR,
+        AES_CR_DATATYPE | AES_CR_KEYSIZE | AES_CR_CHMOD,
+        CRYPTO_DATATYPE_32B | CRYPTO_KEYSIZE_256B | chaining_mode);
+
+    if(key != NULL) {
+        AES1->KEYR7 = __builtin_bswap32(key[0]);
+        AES1->KEYR6 = __builtin_bswap32(key[1]);
+        AES1->KEYR5 = __builtin_bswap32(key[2]);
+        AES1->KEYR4 = __builtin_bswap32(key[3]);
+        AES1->KEYR3 = __builtin_bswap32(key[4]);
+        AES1->KEYR2 = __builtin_bswap32(key[5]);
+        AES1->KEYR1 = __builtin_bswap32(key[6]);
+        AES1->KEYR0 = __builtin_bswap32(key[7]);
+    }
+
+    AES1->IVR3 = __builtin_bswap32(iv[0]);
+    AES1->IVR2 = __builtin_bswap32(iv[1]);
+    AES1->IVR1 = __builtin_bswap32(iv[2]);
+    AES1->IVR0 = __builtin_bswap32(iv[3]);
+}
+
+static bool
+    furi_hal_crypto_load_key_bswap(const uint8_t* key, const uint8_t* iv, uint32_t chaining_mode) {
+    furi_assert(furi_hal_crypto_mutex);
+    furi_check(furi_mutex_acquire(furi_hal_crypto_mutex, FuriWaitForever) == FuriStatusOk);
+
+    furi_hal_bus_enable(FuriHalBusAES1);
+
+    crypto_key_init_bswap((uint32_t*)key, (uint32_t*)iv, chaining_mode);
+
+    return true;
+}
+
+static bool wait_for_crypto(void) {
+    if(!furi_hal_crypto_wait_flag(AES_SR_CCF)) {
+        return false;
+    }
+
+    SET_BIT(AES1->CR, AES_CR_CCFC);
+
+    return true;
+}
+
+static bool furi_hal_crypto_process_block_bswap(const uint8_t* in, uint8_t* out, size_t bytes) {
+    uint32_t block[CRYPTO_BLK_LEN / 4];
+    memset(block, 0, sizeof(block));
+
+    memcpy(block, in, bytes);
+
+    block[0] = __builtin_bswap32(block[0]);
+    block[1] = __builtin_bswap32(block[1]);
+    block[2] = __builtin_bswap32(block[2]);
+    block[3] = __builtin_bswap32(block[3]);
+
+    if(!crypto_process_block(block, block, CRYPTO_BLK_LEN / 4)) {
+        return false;
+    }
+
+    block[0] = __builtin_bswap32(block[0]);
+    block[1] = __builtin_bswap32(block[1]);
+    block[2] = __builtin_bswap32(block[2]);
+    block[3] = __builtin_bswap32(block[3]);
+
+    memcpy(out, block, bytes);
+
+    return true;
+}
+
+static bool furi_hal_crypto_process_block_no_read_bswap(const uint8_t* in, size_t bytes) {
+    uint32_t block[CRYPTO_BLK_LEN / 4];
+    memset(block, 0, sizeof(block));
+
+    memcpy(block, in, bytes);
+
+    AES1->DINR = __builtin_bswap32(block[0]);
+    AES1->DINR = __builtin_bswap32(block[1]);
+    AES1->DINR = __builtin_bswap32(block[2]);
+    AES1->DINR = __builtin_bswap32(block[3]);
+
+    return wait_for_crypto();
+}
+
+static void furi_hal_crypto_ctr_prep_iv(uint8_t* iv) {
+    /* append counter to IV */
+    iv[CRYPTO_CTR_IV_LEN] = 0;
+    iv[CRYPTO_CTR_IV_LEN + 1] = 0;
+    iv[CRYPTO_CTR_IV_LEN + 2] = 0;
+    iv[CRYPTO_CTR_IV_LEN + 3] = 1;
+}
+
+static bool furi_hal_crypto_ctr_payload(const uint8_t* input, uint8_t* output, size_t length) {
+    SET_BIT(AES1->CR, AES_CR_EN);
+    MODIFY_REG(AES1->CR, AES_CR_MODE, CRYPTO_MODE_ENCRYPT);
+
+    size_t last_block_bytes = length % CRYPTO_BLK_LEN;
+
+    size_t i;
+    for(i = 0; i < length - last_block_bytes; i += CRYPTO_BLK_LEN) {
+        if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], CRYPTO_BLK_LEN)) {
+            CLEAR_BIT(AES1->CR, AES_CR_EN);
+            return false;
+        }
+    }
+
+    if(last_block_bytes > 0) {
+        if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], last_block_bytes)) {
+            CLEAR_BIT(AES1->CR, AES_CR_EN);
+            return false;
+        }
+    }
+
+    CLEAR_BIT(AES1->CR, AES_CR_EN);
+    return true;
+}
+
+bool furi_hal_crypto_ctr(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length) {
+    /* prepare IV and counter */
+    uint8_t iv_and_counter[CRYPTO_CTR_IV_LEN + CRYPTO_CTR_CTR_LEN];
+    memcpy(iv_and_counter, iv, CRYPTO_CTR_IV_LEN); //-V1086
+    furi_hal_crypto_ctr_prep_iv(iv_and_counter);
+
+    /* load key and IV and set the mode to CTR */
+    if(!furi_hal_crypto_load_key_bswap(key, iv_and_counter, CRYPTO_AES_CTR)) {
+        furi_hal_crypto_unload_key();
+        return false;
+    }
+
+    /* process the input and write to output */
+    bool state = furi_hal_crypto_ctr_payload(input, output, length);
+
+    furi_hal_crypto_unload_key();
+
+    return state;
+}
+
+static void furi_hal_crypto_gcm_prep_iv(uint8_t* iv) {
+    /* append counter to IV */
+    iv[CRYPTO_GCM_IV_LEN] = 0;
+    iv[CRYPTO_GCM_IV_LEN + 1] = 0;
+    iv[CRYPTO_GCM_IV_LEN + 2] = 0;
+    iv[CRYPTO_GCM_IV_LEN + 3] = 2;
+}
+
+static bool furi_hal_crypto_gcm_init(bool decrypt) {
+    /* GCM init phase */
+
+    MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_INIT);
+    if(decrypt) {
+        MODIFY_REG(AES1->CR, AES_CR_MODE, CRYPTO_MODE_DECRYPT);
+    } else {
+        MODIFY_REG(AES1->CR, AES_CR_MODE, CRYPTO_MODE_ENCRYPT);
+    }
+
+    SET_BIT(AES1->CR, AES_CR_EN);
+
+    if(!wait_for_crypto()) {
+        CLEAR_BIT(AES1->CR, AES_CR_EN);
+        return false;
+    }
+
+    return true;
+}
+
+static bool furi_hal_crypto_gcm_header(const uint8_t* aad, size_t aad_length) {
+    /* GCM header phase */
+
+    MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_HEADER);
+    SET_BIT(AES1->CR, AES_CR_EN);
+
+    size_t last_block_bytes = aad_length % CRYPTO_BLK_LEN;
+
+    size_t i;
+    for(i = 0; i < aad_length - last_block_bytes; i += CRYPTO_BLK_LEN) {
+        if(!furi_hal_crypto_process_block_no_read_bswap(&aad[i], CRYPTO_BLK_LEN)) {
+            CLEAR_BIT(AES1->CR, AES_CR_EN);
+            return false;
+        }
+    }
+
+    if(last_block_bytes > 0) {
+        if(!furi_hal_crypto_process_block_no_read_bswap(&aad[i], last_block_bytes)) {
+            CLEAR_BIT(AES1->CR, AES_CR_EN);
+            return false;
+        }
+    }
+
+    return true;
+}
+
+static bool furi_hal_crypto_gcm_payload(
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    bool decrypt) {
+    /* GCM payload phase */
+
+    MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_PAYLOAD);
+    SET_BIT(AES1->CR, AES_CR_EN);
+
+    size_t last_block_bytes = length % CRYPTO_BLK_LEN;
+
+    size_t i;
+    for(i = 0; i < length - last_block_bytes; i += CRYPTO_BLK_LEN) {
+        if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], CRYPTO_BLK_LEN)) {
+            CLEAR_BIT(AES1->CR, AES_CR_EN);
+            return false;
+        }
+    }
+
+    if(last_block_bytes > 0) {
+        if(!decrypt) {
+            MODIFY_REG(
+                AES1->CR, AES_CR_NPBLB, (CRYPTO_BLK_LEN - last_block_bytes) << AES_CR_NPBLB_Pos);
+        }
+        if(!furi_hal_crypto_process_block_bswap(&input[i], &output[i], last_block_bytes)) {
+            CLEAR_BIT(AES1->CR, AES_CR_EN);
+            return false;
+        }
+    }
+
+    return true;
+}
+
+static bool furi_hal_crypto_gcm_finish(size_t aad_length, size_t payload_length, uint8_t* tag) {
+    /* GCM final phase */
+
+    MODIFY_REG(AES1->CR, AES_CR_GCMPH, CRYPTO_GCM_PH_FINAL);
+
+    uint32_t last_block[CRYPTO_BLK_LEN / 4];
+    memset(last_block, 0, sizeof(last_block));
+    last_block[1] = __builtin_bswap32((uint32_t)(aad_length * 8));
+    last_block[3] = __builtin_bswap32((uint32_t)(payload_length * 8));
+
+    if(!furi_hal_crypto_process_block_bswap((uint8_t*)&last_block[0], tag, CRYPTO_BLK_LEN)) {
+        CLEAR_BIT(AES1->CR, AES_CR_EN);
+        return false;
+    }
+
+    return true;
+}
+
+static bool furi_hal_crypto_gcm_compare_tag(const uint8_t* tag1, const uint8_t* tag2) {
+    uint8_t diff = 0;
+
+    size_t i;
+    for(i = 0; i < CRYPTO_GCM_TAG_LEN; i++) {
+        diff |= tag1[i] ^ tag2[i];
+    }
+
+    return (diff == 0);
+}
+
+bool furi_hal_crypto_gcm(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* aad,
+    size_t aad_length,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    uint8_t* tag,
+    bool decrypt) {
+    /* GCM init phase */
+
+    /* prepare IV and counter */
+    uint8_t iv_and_counter[CRYPTO_GCM_IV_LEN + CRYPTO_GCM_CTR_LEN];
+    memcpy(iv_and_counter, iv, CRYPTO_GCM_IV_LEN); //-V1086
+    furi_hal_crypto_gcm_prep_iv(iv_and_counter);
+
+    /* load key and IV and set the mode to CTR */
+    if(!furi_hal_crypto_load_key_bswap(key, iv_and_counter, CRYPTO_AES_GCM)) {
+        furi_hal_crypto_unload_key();
+        return false;
+    }
+
+    if(!furi_hal_crypto_gcm_init(decrypt)) {
+        furi_hal_crypto_unload_key();
+        return false;
+    }
+
+    /* GCM header phase */
+
+    if(aad_length > 0) {
+        if(!furi_hal_crypto_gcm_header(aad, aad_length)) {
+            furi_hal_crypto_unload_key();
+            return false;
+        }
+    }
+
+    /* GCM payload phase */
+
+    if(!furi_hal_crypto_gcm_payload(input, output, length, decrypt)) {
+        furi_hal_crypto_unload_key();
+        return false;
+    }
+
+    /* GCM final phase */
+
+    if(!furi_hal_crypto_gcm_finish(aad_length, length, tag)) {
+        furi_hal_crypto_unload_key();
+        return false;
+    }
+
+    furi_hal_crypto_unload_key();
+    return true;
+}
+
+FuriHalCryptoGCMState furi_hal_crypto_gcm_encrypt_and_tag(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* aad,
+    size_t aad_length,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    uint8_t* tag) {
+    if(!furi_hal_crypto_gcm(key, iv, aad, aad_length, input, output, length, tag, false)) {
+        memset(output, 0, length);
+        memset(tag, 0, CRYPTO_GCM_TAG_LEN);
+        return FuriHalCryptoGCMStateError;
+    }
+
+    return FuriHalCryptoGCMStateOk;
+}
+
+FuriHalCryptoGCMState furi_hal_crypto_gcm_decrypt_and_verify(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* aad,
+    size_t aad_length,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    const uint8_t* tag) {
+    uint8_t dtag[CRYPTO_GCM_TAG_LEN];
+
+    if(!furi_hal_crypto_gcm(key, iv, aad, aad_length, input, output, length, dtag, true)) {
+        memset(output, 0, length);
+        return FuriHalCryptoGCMStateError;
+    }
+
+    if(!furi_hal_crypto_gcm_compare_tag(dtag, tag)) {
+        memset(output, 0, length);
+        return FuriHalCryptoGCMStateAuthFailure;
+    }
+
+    return FuriHalCryptoGCMStateOk;
+}

firmware/targets/f7/furi_hal/furi_hal_info.c

@@ -283,7 +283,7 @@ void furi_hal_info_get(PropertyValueCallback out, char sep, void* context) {
         // Signature verification
         uint8_t enclave_keys = 0;
         uint8_t enclave_valid_keys = 0;
-        bool enclave_valid = furi_hal_crypto_verify_enclave(&enclave_keys, &enclave_valid_keys);
+        bool enclave_valid = furi_hal_crypto_enclave_verify(&enclave_keys, &enclave_valid_keys);
         if(sep == '.') {
             property_value_out(
                 &property_context, "%d", 3, "enclave", "keys", "valid", enclave_valid_keys);

firmware/targets/furi_hal_include/furi_hal_crypto.h

@@ -1,6 +1,40 @@
 /**
  * @file furi_hal_crypto.h
+ *
  * Cryptography HAL API
+ *
+ * !!! READ THIS FIRST !!!
+ *
+ * Flipper was never designed to be secure, nor it passed cryptography audit.
+ * Despite of the fact that keys are stored in secure enclave there are some
+ * types of attack that can be performed against AES engine to recover
+ * keys(theoretical). Also there is no way to securely deliver user keys to
+ * device and never will be. In addition device is fully open and there is no
+ * way to guarantee safety of your data, it can be easily dumped with debugger
+ * or modified code.
+ *
+ * Secure enclave on WB series is implemented on core2 FUS side and can be used
+ * only if core2 alive. Enclave is responsible for storing, loading and
+ * unloading keys to and from enclave/AES in secure manner(AES engine key
+ * registers will be locked when key from enclave loaded)
+ *
+ * There are 11 keys that we provision at factory:
+ * - 0 - Master key for secure key delivery. Impossible to use for anything but
+ *   key provisioning. We don't plan to use it too.
+ * - 1 - 10 - Keys used by firmware. All devices got the same set of keys. You
+ *   also can use them in your applications.
+ *
+ * Also there is a slot 11 that we use for device unique key. This slot is
+ * intentionally left blank till the moment of first use, so you can ensure that
+ * we don't know your unique key. Also you can provision this key by your self
+ * with crypto cli or API.
+ *
+ * Other slots can be used for your needs. But since enclave is sequential
+ * append only, we can not guarantee you that slots you want are free. NEVER USE
+ * THEM FOR PUBLIC APPLICATIONS.
+ *
+ * Also you can directly load raw keys into AES engine and use it for your
+ * needs.
  */
 #pragma once
 
@@ -12,10 +46,27 @@
 extern "C" {
 #endif
 
+/** Factory provisioned master key slot. Should never be used. */
+#define FURI_HAL_CRYPTO_ENCLAVE_MASTER_KEY_SLOT (0u)
+
+/** Factory provisioned keys slot range. All of them are exactly same on all flippers. */
+#define FURI_HAL_CRYPTO_ENCLAVE_FACTORY_KEY_SLOT_START (1u)
+#define FURI_HAL_CRYPTO_ENCLAVE_FACTORY_KEY_SLOT_END (10u)
+
+/** Device unique key slot. This key generated on first use or provisioned by user. Use furi_hal_crypto_enclave_ensure_key before using this slot. */
+#define FURI_HAL_CRYPTO_ENCLAVE_UNIQUE_KEY_SLOT (11u)
+
+/** User key slot range. This slots can be used for your needs, but never use them in public apps. */
+#define FURI_HAL_CRYPTO_ENCLAVE_USER_KEY_SLOT_START (12u)
+#define FURI_HAL_CRYPTO_ENCLAVE_USER_KEY_SLOT_END (100u)
+
+/** [Deprecated] Indicates availability of advanced crypto functions, will be dropped before v1.0 */
+#define FURI_HAL_CRYPTO_ADVANCED_AVAIL 1
+
 /** FuriHalCryptoKey Type */
 typedef enum {
     FuriHalCryptoKeyTypeMaster, /**< Master key */
-    FuriHalCryptoKeyTypeSimple, /**< Simple enencrypted key */
+    FuriHalCryptoKeyTypeSimple, /**< Simple unencrypted key */
     FuriHalCryptoKeyTypeEncrypted, /**< Encrypted with Master key */
 } FuriHalCryptoKeyType;
 
@@ -32,40 +83,89 @@ typedef struct {
     uint8_t* data;
 } FuriHalCryptoKey;
 
-/** Initialize cryptography layer This includes AES engines, PKA and RNG
- */
+/** FuriHalCryptoGCMState Result of a GCM operation */
+typedef enum {
+    FuriHalCryptoGCMStateOk, /**< operation successful */
+    FuriHalCryptoGCMStateError, /**< error during encryption/decryption */
+    FuriHalCryptoGCMStateAuthFailure, /**< tags do not match, auth failed */
+} FuriHalCryptoGCMState;
+
+/** Initialize cryptography layer(includes AES engines, PKA and RNG) */
 void furi_hal_crypto_init();
 
-bool furi_hal_crypto_verify_enclave(uint8_t* keys_nb, uint8_t* valid_keys_nb);
-
-bool furi_hal_crypto_verify_key(uint8_t key_slot);
-
-/** Store key in crypto storage
+/** Verify factory provisioned keys
  *
- * @param      key   FuriHalCryptoKey to store. Only Master, Simple or
- *                   Encrypted
- * @param      slot  pinter to int where store slot number will be saved
+ * @param      keys_nb        The keys number of
+ * @param      valid_keys_nb  The valid keys number of
+ *
+ * @return     true if all enclave keys are intact, false otherwise
+ */
+bool furi_hal_crypto_enclave_verify(uint8_t* keys_nb, uint8_t* valid_keys_nb);
+
+/** Ensure that requested slot and slots before this slot contains keys.
+ *
+ * This function is used to provision FURI_HAL_CRYPTO_ENCLAVE_UNIQUE_KEY_SLOT. Also you
+ * may want to use it to generate some unique keys in user key slot range.
+ *
+ * @warning    Because of the sequential nature of the secure enclave this
+ *             method will generate key for all slots from
+ *             FURI_HAL_CRYPTO_ENCLAVE_FACTORY_KEY_SLOT_END to the slot your requested.
+ *             Keys are generated using on-chip RNG.
+ *
+ * @param[in]  key_slot  The key slot to enclave
+ *
+ * @return     true if key exists or created, false if enclave corrupted
+ */
+bool furi_hal_crypto_enclave_ensure_key(uint8_t key_slot);
+
+/** Store key in crypto enclave
+ *
+ * @param      key   FuriHalCryptoKey to be stored
+ * @param      slot  pointer to int where enclave slot will be stored
  *
  * @return     true on success
  */
-bool furi_hal_crypto_store_add_key(FuriHalCryptoKey* key, uint8_t* slot);
+bool furi_hal_crypto_enclave_store_key(FuriHalCryptoKey* key, uint8_t* slot);
 
-/** Init AES engine and load key from crypto store
+/** Init AES engine and load key from crypto enclave
  *
- * @param      slot  store slot number
+ * @warning    Use only with furi_hal_crypto_enclave_unload_key()
+ *
+ * @param      slot  enclave slot
  * @param[in]  iv    pointer to 16 bytes Initialization Vector data
  *
  * @return     true on success
  */
-bool furi_hal_crypto_store_load_key(uint8_t slot, const uint8_t* iv);
+bool furi_hal_crypto_enclave_load_key(uint8_t slot, const uint8_t* iv);
 
-/** Unload key engine and deinit AES engine
+/** Unload key and deinit AES engine
  *
- * @param      slot  store slot number
+ * @warning    Use only with furi_hal_crypto_enclave_load_key()
+ *
+ * @param      slot  enclave slot
  *
  * @return     true on success
  */
-bool furi_hal_crypto_store_unload_key(uint8_t slot);
+bool furi_hal_crypto_enclave_unload_key(uint8_t slot);
+
+/** Init AES engine and load supplied key
+ *
+ * @warning    Use only with furi_hal_crypto_unload_key()
+ *
+ * @param[in]  key   pointer to 32 bytes key data
+ * @param[in]  iv    pointer to 16 bytes Initialization Vector data
+ *
+ * @return     true on success
+ */
+bool furi_hal_crypto_load_key(const uint8_t* key, const uint8_t* iv);
+
+/** Unload key and de-init AES engine
+ *
+ * @warning    Use this function only with furi_hal_crypto_load_key()
+ *
+ * @return     true on success
+ */
+bool furi_hal_crypto_unload_key(void);
 
 /** Encrypt data
  *
@@ -87,6 +187,109 @@ bool furi_hal_crypto_encrypt(const uint8_t* input, uint8_t* output, size_t size)
  */
 bool furi_hal_crypto_decrypt(const uint8_t* input, uint8_t* output, size_t size);
 
+/** Encrypt the input using AES-CTR
+ *
+ * Decryption can be performed by supplying the ciphertext as input. Inits and
+ * deinits the AES engine internally.
+ *
+ * @param[in]  key     pointer to 32 bytes key data
+ * @param[in]  iv      pointer to 12 bytes Initialization Vector data
+ * @param[in]  input   pointer to input data
+ * @param[out] output  pointer to output data
+ * @param      length  length of the input and output in bytes
+ *
+ * @return     true on success
+ */
+bool furi_hal_crypto_ctr(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length);
+
+/** Encrypt/decrypt the input using AES-GCM
+ *
+ * When decrypting the tag generated needs to be compared to the tag attached to
+ * the ciphertext in a constant-time fashion. If the tags are not equal, the
+ * decryption failed and the plaintext returned needs to be discarded. Inits and
+ * deinits the AES engine internally.
+ *
+ * @param[in]  key         pointer to 32 bytes key data
+ * @param[in]  iv          pointer to 12 bytes Initialization Vector data
+ * @param[in]  aad         pointer to additional authentication data
+ * @param      aad_length  length of the additional authentication data in bytes
+ * @param[in]  input       pointer to input data
+ * @param[out] output      pointer to output data
+ * @param      length      length of the input and output in bytes
+ * @param[out] tag         pointer to 16 bytes space for the tag
+ * @param      decrypt     true for decryption, false otherwise
+ *
+ * @return     true on success
+ */
+bool furi_hal_crypto_gcm(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* aad,
+    size_t aad_length,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    uint8_t* tag,
+    bool decrypt);
+
+/** Encrypt the input using AES-GCM and generate a tag
+ *
+ * Inits and deinits the AES engine internally.
+ *
+ * @param[in]  key         pointer to 32 bytes key data
+ * @param[in]  iv          pointer to 12 bytes Initialization Vector data
+ * @param[in]  aad         pointer to additional authentication data
+ * @param      aad_length  length of the additional authentication data in bytes
+ * @param[in]  input       pointer to input data
+ * @param[out] output      pointer to output data
+ * @param      length      length of the input and output in bytes
+ * @param[out] tag         pointer to 16 bytes space for the tag
+ *
+ * @return     FuriHalCryptoGCMStateOk on success, FuriHalCryptoGCMStateError on
+ *             failure
+ */
+FuriHalCryptoGCMState furi_hal_crypto_gcm_encrypt_and_tag(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* aad,
+    size_t aad_length,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    uint8_t* tag);
+
+/** Decrypt the input using AES-GCM and verify the provided tag
+ *
+ * Inits and deinits the AES engine internally.
+ *
+ * @param[in]  key         pointer to 32 bytes key data
+ * @param[in]  iv          pointer to 12 bytes Initialization Vector data
+ * @param[in]  aad         pointer to additional authentication data
+ * @param      aad_length  length of the additional authentication data in bytes
+ * @param[in]  input       pointer to input data
+ * @param[out] output      pointer to output data
+ * @param      length      length of the input and output in bytes
+ * @param[out] tag         pointer to 16 bytes tag
+ *
+ * @return     FuriHalCryptoGCMStateOk on success, FuriHalCryptoGCMStateError on
+ *             failure, FuriHalCryptoGCMStateAuthFailure if the tag does not
+ *             match
+ */
+FuriHalCryptoGCMState furi_hal_crypto_gcm_decrypt_and_verify(
+    const uint8_t* key,
+    const uint8_t* iv,
+    const uint8_t* aad,
+    size_t aad_length,
+    const uint8_t* input,
+    uint8_t* output,
+    size_t length,
+    const uint8_t* tag);
+
 #ifdef __cplusplus
 }
 #endif