meta-arm/meta-arm-bsp/recipes-security/trusted-services/secure-partitions/corstone1000/0036-Separate-sign-verify-message-and-hash-operations.patch

From b160f734006f4959d92377dc3aa8eabc3ac7c1da Mon Sep 17 00:00:00 2001
From: Julian Hall <julian.hall@arm.com>
Date: Fri, 11 Feb 2022 14:08:13 +0000
Subject: [PATCH] Separate sign/verify message and hash operations

Previous versions of mbedtls didn't distinguish between
asymmetric sign and verify operations on a hash or message.
They are now treated as separate operations from a usage
control perspective. This change makes the corresponding
hash/message sepration in client and service provider
components.

Signed-off-by: Julian Hall <julian.hall@arm.com>
Change-Id: Ic0041c694c026522c9b00c974d22261e9e2feadd

Upstream-Status: Pending [Not submitted to upstream yet]
Signed-off-by: Emekcan Aras <Emekcan.Aras@arm.com>


---
 .../caller/packed-c/crypto_caller_sign_hash.h | 29 +++++++-
 .../packed-c/crypto_caller_verify_hash.h      | 33 ++++++++-
 .../caller/stub/crypto_caller_sign_hash.h     | 11 ++-
 .../caller/stub/crypto_caller_verify_hash.h   | 11 ++-
 .../service/crypto/client/cpp/crypto_client.h | 17 ++++-
 .../packed-c/packedc_crypto_client.cpp        | 22 +++++-
 .../protocol/packed-c/packedc_crypto_client.h | 17 ++++-
 .../protobuf/protobuf_crypto_client.cpp       | 43 ++++++++++-
 .../protobuf/protobuf_crypto_client.h         | 27 ++++++-
 .../crypto/client/psa/psa_sign_message.c      | 24 +++---
 .../crypto/client/psa/psa_verify_message.c    | 24 +++---
 .../service/crypto/provider/crypto_provider.c | 40 ++++++----
 .../serializer/crypto_provider_serializer.h   |  6 +-
 .../packedc_crypto_provider_serializer.c      | 12 +--
 .../protobuf/pb_crypto_provider_serializer.c  | 74 +++++++++----------
 .../check_crypto_opcode_alignment.cpp         | 25 ++++---
 .../test/service/crypto_service_scenarios.cpp | 56 +++++++++++++-
 .../test/service/crypto_service_scenarios.h   |  3 +-
 .../packed-c/crypto_service_packedc_tests.cpp |  7 +-
 .../crypto_service_protobuf_tests.cpp         |  7 +-
 protocols/service/crypto/packed-c/opcodes.h   |  4 +-
 .../service/crypto/protobuf/opcodes.proto     |  4 +-
 22 files changed, 366 insertions(+), 130 deletions(-)

diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h
index e807773e..4a9ed20d 100644
--- a/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_sign_hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -20,7 +20,8 @@
 extern "C" {
 #endif
 
-static inline psa_status_t crypto_caller_sign_hash(struct service_client *context,
+static inline psa_status_t crypto_caller_asym_sign_commom(struct service_client *context,
+	uint32_t opcode,
 	psa_key_id_t id,
 	psa_algorithm_t alg,
 	const uint8_t *hash, size_t hash_length,
@@ -60,7 +61,7 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
 
 		context->rpc_status =
 			rpc_caller_invoke(context->caller, call_handle,
-						TS_CRYPTO_OPCODE_SIGN_HASH, &opstatus, &resp_buf, &resp_len);
+						opcode, &opstatus, &resp_buf, &resp_len);
 
 		if (context->rpc_status == TS_RPC_CALL_ACCEPTED) {
 
@@ -98,6 +99,28 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
 	return psa_status;
 }
 
+static inline psa_status_t crypto_caller_sign_hash(struct service_client *context,
+	psa_key_id_t id,
+	psa_algorithm_t alg,
+	const uint8_t *hash, size_t hash_length,
+	uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return crypto_caller_asym_sign_commom(context, TS_CRYPTO_OPCODE_SIGN_HASH,
+		id, alg, hash, hash_length,
+		signature, signature_size, signature_length);
+}
+
+static inline psa_status_t crypto_caller_sign_message(struct service_client *context,
+	psa_key_id_t id,
+	psa_algorithm_t alg,
+	const uint8_t *hash, size_t hash_length,
+	uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return crypto_caller_asym_sign_commom(context, TS_CRYPTO_OPCODE_SIGN_MESSAGE,
+		id, alg, hash, hash_length,
+		signature, signature_size, signature_length);
+}
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h
index 47152946..daa11330 100644
--- a/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h
+++ b/components/service/crypto/client/caller/packed-c/crypto_caller_verify_hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -20,7 +20,8 @@
 extern "C" {
 #endif
 
-static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
+static inline psa_status_t crypto_caller_asym_verify_common(struct service_client *context,
+	uint32_t opcode,
 	psa_key_id_t id,
 	psa_algorithm_t alg,
 	const uint8_t *hash, size_t hash_length,
@@ -65,7 +66,7 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
 
 		context->rpc_status =
 			rpc_caller_invoke(context->caller, call_handle,
-					TS_CRYPTO_OPCODE_VERIFY_HASH, &opstatus, &resp_buf, &resp_len);
+					opcode, &opstatus, &resp_buf, &resp_len);
 
 		if (context->rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
 
@@ -75,6 +76,32 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
 	return psa_status;
 }
 
+static inline psa_status_t crypto_caller_verify_hash(struct service_client *context,
+	psa_key_id_t id,
+	psa_algorithm_t alg,
+	const uint8_t *hash, size_t hash_length,
+	const uint8_t *signature, size_t signature_length)
+{
+	return crypto_caller_asym_verify_common(context,
+		TS_CRYPTO_OPCODE_VERIFY_HASH,
+		id, alg,
+		hash, hash_length,
+		signature, signature_length);
+}
+
+static inline psa_status_t crypto_caller_verify_message(struct service_client *context,
+	psa_key_id_t id,
+	psa_algorithm_t alg,
+	const uint8_t *input, size_t input_length,
+	const uint8_t *signature, size_t signature_length)
+{
+	return crypto_caller_asym_verify_common(context,
+		TS_CRYPTO_OPCODE_VERIFY_MESSAGE,
+		id, alg,
+		input, input_length,
+		signature, signature_length);
+}
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h b/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h
index d09369a2..09049f5c 100644
--- a/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h
+++ b/components/service/crypto/client/caller/stub/crypto_caller_sign_hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -23,6 +23,15 @@ static inline psa_status_t crypto_caller_sign_hash(struct service_client *contex
 	return PSA_ERROR_NOT_SUPPORTED;
 }
 
+static inline psa_status_t crypto_caller_sign_message(struct service_client *context,
+	psa_key_id_t id,
+	psa_algorithm_t alg,
+	const uint8_t *hash, size_t hash_length,
+	uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return PSA_ERROR_NOT_SUPPORTED;
+}
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h b/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h
index 20d11dcf..3f3eb878 100644
--- a/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h
+++ b/components/service/crypto/client/caller/stub/crypto_caller_verify_hash.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -23,6 +23,15 @@ static inline psa_status_t crypto_caller_verify_hash(struct service_client *cont
 	return PSA_ERROR_NOT_SUPPORTED;
 }
 
+static inline psa_status_t crypto_caller_verify_message(struct service_client *context,
+	psa_key_id_t id,
+	psa_algorithm_t alg,
+	const uint8_t *input, size_t input_length,
+	const uint8_t *signature, size_t signature_length)
+{
+	return PSA_ERROR_NOT_SUPPORTED;
+}
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/service/crypto/client/cpp/crypto_client.h b/components/service/crypto/client/cpp/crypto_client.h
index 2a5e5b99..ccb0714a 100644
--- a/components/service/crypto/client/cpp/crypto_client.h
+++ b/components/service/crypto/client/cpp/crypto_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -57,7 +57,7 @@ public:
 		psa_key_id_t id,
 		uint8_t *data, size_t data_size, size_t *data_length) = 0;
 
-	/* Sign/verify methods */
+	/* Sign/verify hash methods */
 	virtual psa_status_t sign_hash(
 		psa_key_id_t id,
 		psa_algorithm_t alg,
@@ -70,6 +70,19 @@ public:
 		const uint8_t *hash, size_t hash_length,
 		const uint8_t *signature, size_t signature_length) = 0;
 
+	/* Sign/verify message methods */
+	virtual psa_status_t sign_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length) = 0;
+
+	virtual psa_status_t verify_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		const uint8_t *signature, size_t signature_length) = 0;
+
 	/* Asymmetric encrypt/decrypt */
 	virtual psa_status_t asymmetric_encrypt(
 		psa_key_id_t id,
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
index 4d9d8f41..4e10f9be 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -107,6 +107,26 @@ psa_status_t packedc_crypto_client::verify_hash(
 		signature, signature_length);
 }
 
+psa_status_t packedc_crypto_client::sign_message(
+	psa_key_id_t id, psa_algorithm_t alg,
+	const uint8_t *message, size_t message_length,
+	uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return crypto_caller_sign_message(&m_client, id, alg,
+		message, message_length,
+		signature, signature_size, signature_length);
+}
+
+psa_status_t packedc_crypto_client::verify_message(
+	psa_key_id_t id, psa_algorithm_t alg,
+	const uint8_t *message, size_t message_length,
+	const uint8_t *signature, size_t signature_length)
+{
+	return crypto_caller_verify_message(&m_client, id, alg,
+		message, message_length,
+		signature, signature_length);
+}
+
 psa_status_t packedc_crypto_client::asymmetric_encrypt(
 	psa_key_id_t id, psa_algorithm_t alg,
 	const uint8_t *input, size_t input_length,
diff --git a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
index 377b51d1..d74ba609 100644
--- a/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/packed-c/packedc_crypto_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -54,7 +54,7 @@ public:
 		psa_key_id_t id,
 		uint8_t *data, size_t data_size, size_t *data_length);
 
-	/* Sign/verify methods */
+	/* Sign/verify hash methods */
 	psa_status_t sign_hash(
 		psa_key_id_t id,
 		psa_algorithm_t alg,
@@ -67,6 +67,19 @@ public:
 		const uint8_t *hash, size_t hash_length,
 		const uint8_t *signature, size_t signature_length);
 
+	/* Sign/verify message methods */
+	psa_status_t sign_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+	psa_status_t verify_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		const uint8_t *signature, size_t signature_length);
+
 	/* Asymmetric encrypt/decrypt */
 	psa_status_t asymmetric_encrypt(
 		psa_key_id_t id,
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
index 17780351..28c8f6fb 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.cpp
@@ -386,6 +386,25 @@ psa_status_t protobuf_crypto_client::export_public_key(psa_key_id_t id,
 psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t alg,
 							const uint8_t *hash, size_t hash_length,
 							uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return asym_sign(ts_crypto_Opcode_SIGN_HASH, id, alg,
+				hash, hash_length,
+				signature, signature_size, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::sign_message(psa_key_id_t id, psa_algorithm_t alg,
+							const uint8_t *message, size_t message_length,
+							uint8_t *signature, size_t signature_size, size_t *signature_length)
+{
+	return asym_sign(ts_crypto_Opcode_SIGN_MESSAGE, id, alg,
+				message, message_length,
+				signature, signature_size, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::asym_sign(uint32_t opcode,
+							psa_key_id_t id, psa_algorithm_t alg,
+							const uint8_t *hash, size_t hash_length,
+							uint8_t *signature, size_t signature_size, size_t *signature_length)
 {
 	size_t req_len;
 	pb_bytes_array_t *hash_byte_array =
@@ -416,7 +435,7 @@ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t
 			pb_encode(&ostream, ts_crypto_SignHashIn_fields, &req_msg);
 
 			m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle,
-						ts_crypto_Opcode_SIGN_HASH, &opstatus, &resp_buf, &resp_len);
+						opcode, &opstatus, &resp_buf, &resp_len);
 
 			if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) {
 
@@ -462,10 +481,28 @@ psa_status_t protobuf_crypto_client::sign_hash(psa_key_id_t id, psa_algorithm_t
 	return psa_status;
 }
 
-
 psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_t alg,
 						const uint8_t *hash, size_t hash_length,
 						const uint8_t *signature, size_t signature_length)
+{
+	return asym_verify(ts_crypto_Opcode_VERIFY_HASH, id, alg,
+				hash, hash_length,
+				signature, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::verify_message(psa_key_id_t id, psa_algorithm_t alg,
+						const uint8_t *message, size_t message_length,
+						const uint8_t *signature, size_t signature_length)
+{
+	return asym_verify(ts_crypto_Opcode_VERIFY_MESSAGE, id, alg,
+				message, message_length,
+				signature, signature_length);
+}
+
+psa_status_t protobuf_crypto_client::asym_verify(uint32_t opcode,
+						psa_key_id_t id, psa_algorithm_t alg,
+						const uint8_t *hash, size_t hash_length,
+						const uint8_t *signature, size_t signature_length)
 {
 	size_t req_len;
 	pb_bytes_array_t *hash_byte_array =
@@ -497,7 +534,7 @@ psa_status_t protobuf_crypto_client::verify_hash(psa_key_id_t id, psa_algorithm_
 			pb_encode(&ostream, ts_crypto_VerifyHashIn_fields, &req_msg);
 
 			m_client.rpc_status = rpc_caller_invoke(m_client.caller, call_handle,
-						ts_crypto_Opcode_VERIFY_HASH, &opstatus, &resp_buf, &resp_len);
+						opcode, &opstatus, &resp_buf, &resp_len);
 
 			if (m_client.rpc_status == TS_RPC_CALL_ACCEPTED) psa_status = opstatus;
 
diff --git a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
index 085d9cfa..abe4439e 100644
--- a/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
+++ b/components/service/crypto/client/cpp/protocol/protobuf/protobuf_crypto_client.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -54,7 +54,7 @@ public:
 		psa_key_id_t id,
 		uint8_t *data, size_t data_size, size_t *data_length);
 
-	/* Sign/verify methods */
+	/* Sign/verify hash methods */
 	psa_status_t sign_hash(
 		psa_key_id_t id,
 		psa_algorithm_t alg,
@@ -67,6 +67,19 @@ public:
 		const uint8_t *hash, size_t hash_length,
 		const uint8_t *signature, size_t signature_length);
 
+	/* Sign/verify message methods */
+	psa_status_t sign_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+	psa_status_t verify_message(
+		psa_key_id_t id,
+		psa_algorithm_t alg,
+		const uint8_t *message, size_t message_length,
+		const uint8_t *signature, size_t signature_length);
+
 	/* Asymmetric encrypt/decrypt */
 	psa_status_t asymmetric_encrypt(
 		psa_key_id_t id,
@@ -221,6 +234,16 @@ public:
 
 private:
 
+	psa_status_t asym_sign(uint32_t opcode,
+		psa_key_id_t id, psa_algorithm_t alg,
+		const uint8_t *hash, size_t hash_length,
+		uint8_t *signature, size_t signature_size, size_t *signature_length);
+
+	psa_status_t asym_verify(uint32_t opcode,
+		psa_key_id_t id, psa_algorithm_t alg,
+		const uint8_t *hash, size_t hash_length,
+		const uint8_t *signature, size_t signature_length);
+
 	void translate_key_attributes(
 		ts_crypto_KeyAttributes &proto_attributes,
 		const psa_key_attributes_t &psa_attributes);
diff --git a/components/service/crypto/client/psa/psa_sign_message.c b/components/service/crypto/client/psa/psa_sign_message.c
index dc2f7e80..b6446253 100644
--- a/components/service/crypto/client/psa/psa_sign_message.c
+++ b/components/service/crypto/client/psa/psa_sign_message.c
@@ -1,13 +1,15 @@
 /*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
 #include <psa/crypto.h>
+#include "psa_crypto_client.h"
+#include "crypto_caller_selector.h"
 
 psa_status_t psa_sign_message(
-	psa_key_id_t key,
+	psa_key_id_t id,
 	psa_algorithm_t alg,
 	const uint8_t *input,
 	size_t input_length,
@@ -15,19 +17,11 @@ psa_status_t psa_sign_message(
 	size_t signature_size,
 	size_t *signature_length)
 {
-	size_t hash_len;
-	uint8_t hash[PSA_HASH_MAX_SIZE];
+	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+		return psa_crypto_client_instance.init_status;
 
-	psa_status_t psa_status = psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg),
+	return crypto_caller_sign_message(&psa_crypto_client_instance.base,
+		id, alg,
 		input, input_length,
-		hash, sizeof(hash), &hash_len);
-
-	if (psa_status == PSA_SUCCESS) {
-
-		psa_status = psa_sign_hash(key, alg,
-			hash, hash_len,
-			signature, signature_size, signature_length);
-	}
-
-	return psa_status;
+		signature, signature_size, signature_length);
 }
diff --git a/components/service/crypto/client/psa/psa_verify_message.c b/components/service/crypto/client/psa/psa_verify_message.c
index d0fbc7c8..57c2c5e8 100644
--- a/components/service/crypto/client/psa/psa_verify_message.c
+++ b/components/service/crypto/client/psa/psa_verify_message.c
@@ -1,32 +1,26 @@
 /*
- * Copyright (c) 2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2021-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
 #include <psa/crypto.h>
+#include "psa_crypto_client.h"
+#include "crypto_caller_selector.h"
 
 psa_status_t psa_verify_message(
-	psa_key_id_t key,
+	psa_key_id_t id,
 	psa_algorithm_t alg,
 	const uint8_t *input,
 	size_t input_length,
 	const uint8_t * signature,
 	size_t signature_length)
 {
-	size_t hash_len;
-	uint8_t hash[PSA_HASH_MAX_SIZE];
+	if (psa_crypto_client_instance.init_status != PSA_SUCCESS)
+		return psa_crypto_client_instance.init_status;
 
-	psa_status_t psa_status = psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg),
+	return crypto_caller_verify_message(&psa_crypto_client_instance.base,
+		id, alg,
 		input, input_length,
-		hash, sizeof(hash), &hash_len);
-
-	if (psa_status == PSA_SUCCESS) {
-
-		psa_status = psa_verify_hash(key, alg,
-			hash, hash_len,
-			signature, signature_length);
-	}
-
-	return psa_status;
+		signature, signature_length);
 }
diff --git a/components/service/crypto/provider/crypto_provider.c b/components/service/crypto/provider/crypto_provider.c
index d0fc7cac..67a5b340 100644
--- a/components/service/crypto/provider/crypto_provider.c
+++ b/components/service/crypto/provider/crypto_provider.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -16,8 +16,8 @@ static rpc_status_t destroy_key_handler(void *context, struct call_req* req);
 static rpc_status_t export_key_handler(void *context, struct call_req* req);
 static rpc_status_t export_public_key_handler(void *context, struct call_req* req);
 static rpc_status_t import_key_handler(void *context, struct call_req* req);
-static rpc_status_t sign_hash_handler(void *context, struct call_req* req);
-static rpc_status_t verify_hash_handler(void *context, struct call_req* req);
+static rpc_status_t asymmetric_sign_handler(void *context, struct call_req* req);
+static rpc_status_t asymmetric_verify_handler(void *context, struct call_req* req);
 static rpc_status_t asymmetric_decrypt_handler(void *context, struct call_req* req);
 static rpc_status_t asymmetric_encrypt_handler(void *context, struct call_req* req);
 static rpc_status_t generate_random_handler(void *context, struct call_req* req);
@@ -32,14 +32,16 @@ static const struct service_handler handler_table[] = {
 	{TS_CRYPTO_OPCODE_EXPORT_KEY,           export_key_handler},
 	{TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY,    export_public_key_handler},
 	{TS_CRYPTO_OPCODE_IMPORT_KEY,           import_key_handler},
-	{TS_CRYPTO_OPCODE_SIGN_HASH,            sign_hash_handler},
-	{TS_CRYPTO_OPCODE_VERIFY_HASH,          verify_hash_handler},
+	{TS_CRYPTO_OPCODE_SIGN_HASH,            asymmetric_sign_handler},
+	{TS_CRYPTO_OPCODE_VERIFY_HASH,          asymmetric_verify_handler},
 	{TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT,   asymmetric_decrypt_handler},
 	{TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT,   asymmetric_encrypt_handler},
 	{TS_CRYPTO_OPCODE_GENERATE_RANDOM,      generate_random_handler},
 	{TS_CRYPTO_OPCODE_COPY_KEY,          	copy_key_handler},
 	{TS_CRYPTO_OPCODE_PURGE_KEY,          	purge_key_handler},
 	{TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES, 	get_key_attributes_handler},
+	{TS_CRYPTO_OPCODE_SIGN_MESSAGE,         asymmetric_sign_handler},
+	{TS_CRYPTO_OPCODE_VERIFY_MESSAGE,       asymmetric_verify_handler},
 };
 
 struct rpc_interface *crypto_provider_init(struct crypto_provider *context)
@@ -272,7 +274,7 @@ static rpc_status_t import_key_handler(void *context, struct call_req* req)
 	return rpc_status;
 }
 
-static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
+static rpc_status_t asymmetric_sign_handler(void *context, struct call_req* req)
 {
 	rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
 	struct call_param_buf *req_buf = call_req_get_req_buf(req);
@@ -284,7 +286,7 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
 	uint8_t hash_buffer[PSA_HASH_MAX_SIZE];
 
 	if (serializer)
-		rpc_status = serializer->deserialize_sign_hash_req(req_buf, &id, &alg, hash_buffer, &hash_len);
+		rpc_status = serializer->deserialize_asymmetric_sign_req(req_buf, &id, &alg, hash_buffer, &hash_len);
 
 	if (rpc_status == TS_RPC_CALL_ACCEPTED) {
 
@@ -292,14 +294,16 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
 		size_t sig_len;
 		uint8_t sig_buffer[PSA_SIGNATURE_MAX_SIZE];
 
-		psa_status = psa_sign_hash(id, alg,
-					hash_buffer, hash_len,
-					sig_buffer, sizeof(sig_buffer), &sig_len);
+		psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_SIGN_HASH) ?
+			psa_sign_hash(id, alg, hash_buffer, hash_len,
+				sig_buffer, sizeof(sig_buffer), &sig_len) :
+			psa_sign_message(id, alg, hash_buffer, hash_len,
+				sig_buffer, sizeof(sig_buffer), &sig_len);
 
 		if (psa_status == PSA_SUCCESS) {
 
 			struct call_param_buf *resp_buf = call_req_get_resp_buf(req);
-			rpc_status = serializer->serialize_sign_hash_resp(resp_buf, sig_buffer, sig_len);
+			rpc_status = serializer->serialize_asymmetric_sign_resp(resp_buf, sig_buffer, sig_len);
 		}
 
 		call_req_set_opstatus(req, psa_status);
@@ -308,7 +312,7 @@ static rpc_status_t sign_hash_handler(void *context, struct call_req* req)
 	return rpc_status;
 }
 
-static rpc_status_t verify_hash_handler(void *context, struct call_req* req)
+static rpc_status_t asymmetric_verify_handler(void *context, struct call_req* req)
 {
 	rpc_status_t rpc_status = TS_RPC_ERROR_SERIALIZATION_NOT_SUPPORTED;
 	struct call_param_buf *req_buf = call_req_get_req_buf(req);
@@ -322,7 +326,7 @@ static rpc_status_t verify_hash_handler(void *context, struct call_req* req)
 	uint8_t sig_buffer[PSA_SIGNATURE_MAX_SIZE];
 
 	if (serializer)
-		rpc_status = serializer->deserialize_verify_hash_req(req_buf, &id, &alg,
+		rpc_status = serializer->deserialize_asymmetric_verify_req(req_buf, &id, &alg,
 											hash_buffer, &hash_len,
 											sig_buffer, &sig_len);
 
@@ -330,9 +334,13 @@ static rpc_status_t verify_hash_handler(void *context, struct call_req* req)
 
 		psa_status_t psa_status;
 
-		psa_status = psa_verify_hash(id, alg,
-					hash_buffer, hash_len,
-					sig_buffer, sig_len);
+		psa_status = (call_req_get_opcode(req) == TS_CRYPTO_OPCODE_VERIFY_HASH) ?
+			psa_verify_hash(id, alg,
+				hash_buffer, hash_len,
+				sig_buffer, sig_len) :
+			psa_verify_message(id, alg,
+				hash_buffer, hash_len,
+				sig_buffer, sig_len);
 
 		call_req_set_opstatus(req, psa_status);
 	}
diff --git a/components/service/crypto/provider/serializer/crypto_provider_serializer.h b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
index 68940cae..57364f24 100644
--- a/components/service/crypto/provider/serializer/crypto_provider_serializer.h
+++ b/components/service/crypto/provider/serializer/crypto_provider_serializer.h
@@ -79,15 +79,15 @@ struct crypto_provider_serializer {
                                         const psa_key_attributes_t *attributes);
 
     /* Operation: sign_hash */
-    rpc_status_t (*deserialize_sign_hash_req)(const struct call_param_buf *req_buf,
+    rpc_status_t (*deserialize_asymmetric_sign_req)(const struct call_param_buf *req_buf,
                                         psa_key_id_t *id, psa_algorithm_t *alg,
                                         uint8_t *hash, size_t *hash_len);
 
-    rpc_status_t (*serialize_sign_hash_resp)(struct call_param_buf *resp_buf,
+    rpc_status_t (*serialize_asymmetric_sign_resp)(struct call_param_buf *resp_buf,
                                         const uint8_t *sig, size_t sig_len);
 
     /* Operation: verify_hash */
-    rpc_status_t (*deserialize_verify_hash_req)(const struct call_param_buf *req_buf,
+    rpc_status_t (*deserialize_asymmetric_verify_req)(const struct call_param_buf *req_buf,
                                         psa_key_id_t *id, psa_algorithm_t *alg,
                                         uint8_t *hash, size_t *hash_len,
                                         uint8_t *sig, size_t *sig_len);
diff --git a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
index c70db865..4a7e59f0 100644
--- a/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
+++ b/components/service/crypto/provider/serializer/packed-c/packedc_crypto_provider_serializer.c
@@ -333,7 +333,7 @@ static rpc_status_t serialize_get_key_attributes_resp(struct call_param_buf *res
 }
 
 /* Operation: sign_hash */
-static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_buf,
+static rpc_status_t deserialize_asymmetric_sign_req(const struct call_param_buf *req_buf,
                             psa_key_id_t *id, psa_algorithm_t *alg,
                             uint8_t *hash, size_t *hash_len)
 {
@@ -378,7 +378,7 @@ static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_b
     return rpc_status;
 }
 
-static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
+static rpc_status_t serialize_asymmetric_sign_resp(struct call_param_buf *resp_buf,
                             const uint8_t *sig, size_t sig_len)
 {
     rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
@@ -401,7 +401,7 @@ static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
 }
 
 /* Operation: verify_hash */
-static rpc_status_t deserialize_verify_hash_req(const struct call_param_buf *req_buf,
+static rpc_status_t deserialize_asymmetric_verify_req(const struct call_param_buf *req_buf,
                                 psa_key_id_t *id, psa_algorithm_t *alg,
                                 uint8_t *hash, size_t *hash_len,
                                 uint8_t *sig, size_t *sig_len)
@@ -695,9 +695,9 @@ const struct crypto_provider_serializer *packedc_crypto_provider_serializer_inst
         deserialize_purge_key_req,
         deserialize_get_key_attributes_req,
         serialize_get_key_attributes_resp,
-        deserialize_sign_hash_req,
-        serialize_sign_hash_resp,
-        deserialize_verify_hash_req,
+        deserialize_asymmetric_sign_req,
+        serialize_asymmetric_sign_resp,
+        deserialize_asymmetric_verify_req,
         deserialize_asymmetric_decrypt_req,
         serialize_asymmetric_decrypt_resp,
         deserialize_asymmetric_encrypt_req,
diff --git a/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c b/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c
index 7767d20a..083a581a 100644
--- a/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c
+++ b/components/service/crypto/provider/serializer/protobuf/pb_crypto_provider_serializer.c
@@ -267,9 +267,9 @@ static rpc_status_t serialize_get_key_attributes_resp(struct call_param_buf *res
 }
 
 /* Operation: sign_hash */
-static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_buf,
-                            psa_key_id_t *id, psa_algorithm_t *alg,
-                            uint8_t *hash, size_t *hash_len)
+static rpc_status_t deserialize_asymmetric_sign_req(const struct call_param_buf *req_buf,
+							psa_key_id_t *id, psa_algorithm_t *alg,
+							uint8_t *hash, size_t *hash_len)
 {
     rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
     ts_crypto_SignHashIn recv_msg = ts_crypto_SignHashIn_init_default;
@@ -295,8 +295,8 @@ static rpc_status_t deserialize_sign_hash_req(const struct call_param_buf *req_b
     return rpc_status;
 }
 
-static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
-                            const uint8_t *sig, size_t sig_len)
+static rpc_status_t serialize_asymmetric_sign_resp(struct call_param_buf *resp_buf,
+							const uint8_t *sig, size_t sig_len)
 {
     size_t packed_resp_size;
     rpc_status_t rpc_status = TS_RPC_ERROR_INTERNAL;
@@ -323,10 +323,10 @@ static rpc_status_t serialize_sign_hash_resp(struct call_param_buf *resp_buf,
 }
 
 /* Operation: verify_hash */
-static rpc_status_t deserialize_verify_hash_req(const struct call_param_buf *req_buf,
-                                psa_key_id_t *id, psa_algorithm_t *alg,
-                                uint8_t *hash, size_t *hash_len,
-                                uint8_t *sig, size_t *sig_len)
+static rpc_status_t deserialize_asymmetric_verify_req(const struct call_param_buf *req_buf,
+								psa_key_id_t *id, psa_algorithm_t *alg,
+								uint8_t *hash, size_t *hash_len,
+								uint8_t *sig, size_t *sig_len)
 {
     rpc_status_t rpc_status = TS_RPC_ERROR_INVALID_REQ_BODY;
     ts_crypto_VerifyHashIn recv_msg = ts_crypto_VerifyHashIn_init_default;
@@ -538,32 +538,32 @@ static rpc_status_t serialize_generate_random_resp(struct call_param_buf *resp_b
 /* Singleton method to provide access to the serializer instance */
 const struct crypto_provider_serializer *pb_crypto_provider_serializer_instance(void)
 {
-    static const struct crypto_provider_serializer instance = {
-        max_deserialised_parameter_size,
-        deserialize_generate_key_req,
-        serialize_generate_key_resp,
-        deserialize_destroy_key_req,
-        deserialize_export_key_req,
-        serialize_export_key_resp,
-        deserialize_export_public_key_req,
-        serialize_export_public_key_resp,
-        deserialize_import_key_req,
-        serialize_import_key_resp,
-        deserialize_copy_key_req,
-        serialize_copy_key_resp,
-        deserialize_purge_key_req,
-        deserialize_get_key_attributes_req,
-        serialize_get_key_attributes_resp,
-        deserialize_sign_hash_req,
-        serialize_sign_hash_resp,
-        deserialize_verify_hash_req,
-        deserialize_asymmetric_decrypt_req,
-        serialize_asymmetric_decrypt_resp,
-        deserialize_asymmetric_encrypt_req,
-        serialize_asymmetric_encrypt_resp,
-        deserialize_generate_random_req,
-        serialize_generate_random_resp
-    };
-
-    return &instance;
+	static const struct crypto_provider_serializer instance = {
+		max_deserialised_parameter_size,
+		deserialize_generate_key_req,
+		serialize_generate_key_resp,
+		deserialize_destroy_key_req,
+		deserialize_export_key_req,
+		serialize_export_key_resp,
+		deserialize_export_public_key_req,
+		serialize_export_public_key_resp,
+		deserialize_import_key_req,
+		serialize_import_key_resp,
+		deserialize_copy_key_req,
+		serialize_copy_key_resp,
+		deserialize_purge_key_req,
+		deserialize_get_key_attributes_req,
+		serialize_get_key_attributes_resp,
+		deserialize_asymmetric_sign_req,
+		serialize_asymmetric_sign_resp,
+		deserialize_asymmetric_verify_req,
+		deserialize_asymmetric_decrypt_req,
+		serialize_asymmetric_decrypt_resp,
+		deserialize_asymmetric_encrypt_req,
+		serialize_asymmetric_encrypt_resp,
+		deserialize_generate_random_req,
+		serialize_generate_random_resp
+	};
+
+	return &instance;
 }
diff --git a/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp b/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp
index bd6c66ee..da01abf4 100644
--- a/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp
+++ b/components/service/crypto/test/protocol/check_crypto_opcode_alignment.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -18,15 +18,16 @@ TEST_GROUP(CryptoProtocolOpcodeChecks)
 
 TEST(CryptoProtocolOpcodeChecks, checkPackedcToProtobuf)
 {
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_KEY, ts_crypto_Opcode_GENERATE_KEY);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_DESTROY_KEY, ts_crypto_Opcode_DESTROY_KEY);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_KEY, ts_crypto_Opcode_EXPORT_KEY);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, ts_crypto_Opcode_EXPORT_PUBLIC_KEY);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_IMPORT_KEY, ts_crypto_Opcode_IMPORT_KEY);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_HASH, ts_crypto_Opcode_SIGN_HASH);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_HASH, ts_crypto_Opcode_VERIFY_HASH);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, ts_crypto_Opcode_ASYMMETRIC_DECRYPT);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, ts_crypto_Opcode_ASYMMETRIC_ENCRYPT);
-    CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_RANDOM, ts_crypto_Opcode_GENERATE_RANDOM);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_KEY, ts_crypto_Opcode_GENERATE_KEY);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_DESTROY_KEY, ts_crypto_Opcode_DESTROY_KEY);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_KEY, ts_crypto_Opcode_EXPORT_KEY);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_EXPORT_PUBLIC_KEY, ts_crypto_Opcode_EXPORT_PUBLIC_KEY);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_IMPORT_KEY, ts_crypto_Opcode_IMPORT_KEY);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_HASH, ts_crypto_Opcode_SIGN_HASH);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_HASH, ts_crypto_Opcode_VERIFY_HASH);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_DECRYPT, ts_crypto_Opcode_ASYMMETRIC_DECRYPT);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_ASYMMETRIC_ENCRYPT, ts_crypto_Opcode_ASYMMETRIC_ENCRYPT);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_GENERATE_RANDOM, ts_crypto_Opcode_GENERATE_RANDOM);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_SIGN_MESSAGE, ts_crypto_Opcode_SIGN_MESSAGE);
+	CHECK_EQUAL(TS_CRYPTO_OPCODE_VERIFY_MESSAGE, ts_crypto_Opcode_VERIFY_MESSAGE);
 }
-
diff --git a/components/service/crypto/test/service/crypto_service_scenarios.cpp b/components/service/crypto/test/service/crypto_service_scenarios.cpp
index ec2c6736..b3345551 100644
--- a/components/service/crypto/test/service/crypto_service_scenarios.cpp
+++ b/components/service/crypto/test/service/crypto_service_scenarios.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -290,6 +290,56 @@ void crypto_service_scenarios::signAndVerifyHash()
 	CHECK_EQUAL(PSA_SUCCESS, status);
 }
 
+void crypto_service_scenarios::signAndVerifyMessage()
+{
+	psa_status_t status;
+	psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+	psa_key_id_t key_id;
+
+	psa_set_key_id(&attributes, 14);
+	psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE | PSA_KEY_USAGE_VERIFY_MESSAGE);
+	psa_set_key_algorithm(&attributes, PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256));
+	psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
+	psa_set_key_bits(&attributes, 256);
+
+	/* Generate a key */
+	status = m_crypto_client->generate_key(&attributes, &key_id);
+	CHECK_EQUAL(PSA_SUCCESS, status);
+
+	psa_reset_key_attributes(&attributes);
+
+	/* Sign a message */
+	uint8_t message[21];
+	uint8_t signature[PSA_SIGNATURE_MAX_SIZE];
+	size_t signature_length;
+
+	memset(message, 0x99, sizeof(message));
+
+	status = m_crypto_client->sign_message(key_id,
+		PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message),
+		signature, sizeof(signature), &signature_length);
+
+	CHECK_EQUAL(PSA_SUCCESS, status);
+	CHECK(signature_length > 0);
+
+	/* Verify the signature */
+	status = m_crypto_client->verify_message(key_id,
+		PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message),
+		signature, signature_length);
+	CHECK_EQUAL(PSA_SUCCESS, status);
+
+	/* Change the message and expect verify to fail */
+	message[0] = 0x72;
+	status = m_crypto_client->verify_message(key_id,
+		PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256), message, sizeof(message),
+		signature, signature_length);
+	CHECK_EQUAL(PSA_ERROR_INVALID_SIGNATURE, status);
+
+	/* Remove the key */
+	status = m_crypto_client->destroy_key(key_id);
+	CHECK_EQUAL(PSA_SUCCESS, status);
+}
+
 void crypto_service_scenarios::signAndVerifyEat()
 {
 	/* Sign and verify a hash using EAT key type and algorithm */
@@ -348,7 +398,7 @@ void crypto_service_scenarios::asymEncryptDecrypt()
 	psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 	psa_key_id_t key_id;
 
-	psa_set_key_id(&attributes, 14);
+	psa_set_key_id(&attributes, 15);
 	psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
 	psa_set_key_algorithm(&attributes, PSA_ALG_RSA_PKCS1V15_CRYPT);
 	psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
@@ -394,7 +444,7 @@ void crypto_service_scenarios::asymEncryptDecryptWithSalt()
 	psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 	psa_key_id_t key_id;
 
-	psa_set_key_id(&attributes, 15);
+	psa_set_key_id(&attributes, 16);
 	psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
 	psa_set_key_algorithm(&attributes,  PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256));
 	psa_set_key_type(&attributes, PSA_KEY_TYPE_RSA_KEY_PAIR);
diff --git a/components/service/crypto/test/service/crypto_service_scenarios.h b/components/service/crypto/test/service/crypto_service_scenarios.h
index c65eba26..23671644 100644
--- a/components/service/crypto/test/service/crypto_service_scenarios.h
+++ b/components/service/crypto/test/service/crypto_service_scenarios.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -24,6 +24,7 @@ public:
 	void asymEncryptDecrypt();
 	void asymEncryptDecryptWithSalt();
 	void signAndVerifyHash();
+	void signAndVerifyMessage();
 	void signAndVerifyEat();
 	void exportAndImportKeyPair();
 	void exportPublicKey();
diff --git a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
index 79eddfbb..ea238432 100644
--- a/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
+++ b/components/service/crypto/test/service/packed-c/crypto_service_packedc_tests.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -87,6 +87,11 @@ TEST(CryptoServicePackedcTests, signAndVerifyHash)
 	m_scenarios->signAndVerifyHash();
 }
 
+TEST(CryptoServicePackedcTests, signAndVerifyMessage)
+{
+	m_scenarios->signAndVerifyMessage();
+}
+
 TEST(CryptoServicePackedcTests, signAndVerifyEat)
 {
 	m_scenarios->signAndVerifyEat();
diff --git a/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp b/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp
index 1230752c..c172ad4a 100644
--- a/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp
+++ b/components/service/crypto/test/service/protobuf/crypto_service_protobuf_tests.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -77,6 +77,11 @@ TEST(CryptoServiceProtobufTests, signAndVerifyHash)
     m_scenarios->signAndVerifyHash();
 }
 
+TEST(CryptoServiceProtobufTests, signAndVerifyMessage)
+{
+    m_scenarios->signAndVerifyMessage();
+}
+
 TEST(CryptoServiceProtobufTests, asymEncryptDecrypt)
 {
     m_scenarios->asymEncryptDecrypt();
diff --git a/protocols/service/crypto/packed-c/opcodes.h b/protocols/service/crypto/packed-c/opcodes.h
index a07bd57e..5aebf2fa 100644
--- a/protocols/service/crypto/packed-c/opcodes.h
+++ b/protocols/service/crypto/packed-c/opcodes.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -25,6 +25,8 @@
 #define TS_CRYPTO_OPCODE_COPY_KEY               (TS_CRYPTO_OPCODE_BASE + 13)
 #define TS_CRYPTO_OPCODE_PURGE_KEY              (TS_CRYPTO_OPCODE_BASE + 14)
 #define TS_CRYPTO_OPCODE_GET_KEY_ATTRIBUTES     (TS_CRYPTO_OPCODE_BASE + 15)
+#define TS_CRYPTO_OPCODE_SIGN_MESSAGE           (TS_CRYPTO_OPCODE_BASE + 16)
+#define TS_CRYPTO_OPCODE_VERIFY_MESSAGE         (TS_CRYPTO_OPCODE_BASE + 17)
 
 /* Hash operations */
 #define TS_CRYPTO_OPCODE_HASH_BASE              (0x0200)
diff --git a/protocols/service/crypto/protobuf/opcodes.proto b/protocols/service/crypto/protobuf/opcodes.proto
index 094d3a02..ef64d044 100644
--- a/protocols/service/crypto/protobuf/opcodes.proto
+++ b/protocols/service/crypto/protobuf/opcodes.proto
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020-2021, Arm Limited and Contributors. All rights reserved.
+ * Copyright (c) 2020-2022, Arm Limited and Contributors. All rights reserved.
  * SPDX-License-Identifier: BSD-3-Clause
  */
 syntax = "proto3";
@@ -18,4 +18,6 @@ enum Opcode {
   ASYMMETRIC_DECRYPT  = 0x010a;
   ASYMMETRIC_ENCRYPT  = 0x010b;
   GENERATE_RANDOM     = 0x010c;
+  SIGN_MESSAGE        = 0x0110;
+  VERIFY_MESSAGE      = 0x0111;
 }