ecdh: new example demonstrating ECDH shared secret derivation

ecdh/Android.mk

@@ -0,0 +1,17 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+LOCAL_CFLAGS += -DANDROID_BUILD
+LOCAL_CFLAGS += -Wall
+
+LOCAL_SRC_FILES += host/main.c
+
+LOCAL_C_INCLUDES := $(LOCAL_PATH)/ta/include
+
+LOCAL_SHARED_LIBRARIES := libteec
+LOCAL_MODULE := optee_example_ecdh
+LOCAL_VENDOR_MODULE := true
+LOCAL_MODULE_TAGS := optional
+include $(BUILD_EXECUTABLE)
+
+include $(LOCAL_PATH)/ta/Android.mk

ecdh/CMakeLists.txt

@@ -0,0 +1,13 @@
+project (optee_example_ecdh C)
+
+set (SRC host/main.c)
+
+add_executable (${PROJECT_NAME} ${SRC})
+
+target_include_directories(${PROJECT_NAME}
+			   PRIVATE ta/include
+			   PRIVATE include)
+
+target_link_libraries (${PROJECT_NAME} PRIVATE teec)
+
+install (TARGETS ${PROJECT_NAME} DESTINATION ${CMAKE_INSTALL_BINDIR})

ecdh/Makefile

@@ -0,0 +1,15 @@
+export V ?= 0
+
+# If _HOST or _TA specific compilers are not specified, then use CROSS_COMPILE
+HOST_CROSS_COMPILE ?= $(CROSS_COMPILE)
+TA_CROSS_COMPILE ?= $(CROSS_COMPILE)
+
+.PHONY: all
+all:
+	$(MAKE) -C host CROSS_COMPILE="$(HOST_CROSS_COMPILE)" --no-builtin-variables
+	$(MAKE) -C ta CROSS_COMPILE="$(TA_CROSS_COMPILE)" LDFLAGS=""
+
+.PHONY: clean
+clean:
+	$(MAKE) -C host clean
+	$(MAKE) -C ta clean

ecdh/host/Makefile

@@ -0,0 +1,28 @@
+CC      ?= $(CROSS_COMPILE)gcc
+LD      ?= $(CROSS_COMPILE)ld
+AR      ?= $(CROSS_COMPILE)ar
+NM      ?= $(CROSS_COMPILE)nm
+OBJCOPY ?= $(CROSS_COMPILE)objcopy
+OBJDUMP ?= $(CROSS_COMPILE)objdump
+READELF ?= $(CROSS_COMPILE)readelf
+
+OBJS = main.o
+
+CFLAGS += -Wall -I../ta/include -I./include
+CFLAGS += -I$(TEEC_EXPORT)/include
+LDADD += -lteec -L$(TEEC_EXPORT)/lib
+
+BINARY = optee_example_ecdh
+
+.PHONY: all
+all: $(BINARY)
+
+$(BINARY): $(OBJS)
+	$(CC) $(LDFLAGS) -o $@ $< $(LDADD)
+
+.PHONY: clean
+clean:
+	rm -f $(OBJS) $(BINARY)
+
+%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@

ecdh/host/main.c

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: BSD-2-Clause
+/*
+ * Copyright (c) 2025, Advanced Micro Devices, Inc. All rights reserved.
+ */
+
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <tee_client_api.h>
+
+#include <ecdh_ta.h>
+
+static void hexdump(const void *p, size_t len)
+{
+	const unsigned char *b = (const unsigned char *)p;
+
+	for (size_t i = 0; i < len; i++) {
+		printf("%02x", b[i]);
+		if ((i + 1) % 32 == 0)
+			printf("\n");
+	}
+	if (len % 32)
+		printf("\n");
+}
+
+int main(void)
+{
+	TEEC_Result res = TEEC_ERROR_GENERIC;
+	TEEC_Context ctx = {0};
+	TEEC_Session sess = {0};
+	TEEC_Operation op = {0};
+	TEEC_UUID uuid = TA_ECDH_UUID;
+	uint32_t err_origin = 0;
+	size_t secret_len = 0;
+	uint32_t curve = TA_ECDH_ECC_CURVE_NIST_P384;
+	uint8_t secret[ECDH_BUF_BYTES];
+
+	res = TEEC_InitializeContext(NULL, &ctx);
+	if (res != TEEC_SUCCESS)
+		errx(1, "TEEC_InitializeContext failed with code 0x%x", res);
+
+	res = TEEC_OpenSession(&ctx, &sess, &uuid, TEEC_LOGIN_PUBLIC, NULL,
+			       NULL, &err_origin);
+	if (res != TEEC_SUCCESS)
+		errx(1, "TEEC_OpenSession failed 0x%x origin 0x%x",
+		     res, err_origin);
+
+	memset(&op, 0, sizeof(op));
+	op.paramTypes = TEEC_PARAM_TYPES(TEEC_VALUE_INOUT,
+					 TEEC_NONE,
+					 TEEC_NONE,
+					 TEEC_MEMREF_TEMP_OUTPUT);
+
+	op.params[0].value.a = curve;        /* IN: curve id */
+	op.params[0].value.b = 0;            /* OUT: secret len */
+	op.params[3].tmpref.buffer = secret; /* OUT buffer for secret */
+	op.params[3].tmpref.size = sizeof(secret);
+
+	res = TEEC_InvokeCommand(&sess, TA_ECDH_CMD_DERIVE_SELFTEST,
+				 &op, &err_origin);
+	if (res != TEEC_SUCCESS)
+		errx(1, "Invoke TA_ECDH_CMD_DERIVE_SELFTEST failed 0x%x origin 0x%x",
+		     res, err_origin);
+
+	secret_len = op.params[0].value.b;
+
+	printf("ECDH shared secret (%zu bytes) on curve id %u:\n",
+	       secret_len, curve);
+	hexdump(secret, secret_len);
+
+	TEEC_CloseSession(&sess);
+	TEEC_FinalizeContext(&ctx);
+	return 0;
+}

ecdh/ta/Android.mk

@@ -0,0 +1,3 @@
+LOCAL_PATH := $(call my-dir)
+local_module := 50c82425-94da-4072-a3e0-58ef063767c0.ta
+include $(BUILD_OPTEE_MK)

ecdh/ta/Makefile

@@ -0,0 +1,13 @@
+CFG_TEE_TA_LOG_LEVEL ?= 4
+CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y
+
+# The UUID for the Trusted Application
+BINARY=50c82425-94da-4072-a3e0-58ef063767c0
+
+-include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk
+
+ifeq ($(wildcard $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk), )
+clean:
+	@echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA'
+	@echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)'
+endif