Gitiles
Code Review Sign In
git01.mediatek.com / filogic / uboot / 06e298d8c40165c6a999ca6346191bb7c5769921 / . / arch / arm / mach-imx / cmd_dek.c
blob: 0be9df521a5c4e83d140ae5389b7a462754d20e2 [file] [log] [blame]
Tom Rini10e47792018-05-06 17:58:06 -0400[diff] [blame]1// SPDX-License-Identifier: GPL-2.0+
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]2/*
3 * Copyright 2008-2015 Freescale Semiconductor, Inc.
4 *
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]5 * Command for encapsulating DEK blob
6 */
7
8#include <common.h>
9#include <command.h>
Simon Glass0f2af882020-05-10 11:40:05 -0600[diff] [blame]10#include <log.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]11#include <malloc.h>
Gaurav Jaindb4dd6a2022-03-24 11:50:33 +0530[diff] [blame]12#include <memalign.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]13#include <asm/byteorder.h>
14#include <linux/compiler.h>
15#include <fsl_sec.h>
16#include <asm/arch/clock.h>
Ulises Cardenas817ffc02015-05-04 09:53:28 -0500[diff] [blame]17#include <mapmem.h>
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]18#include <tee.h>
Clement Faure9cb2f972021-03-25 17:30:34 +0800[diff] [blame]19#ifdef CONFIG_IMX_SECO_DEK_ENCAP
Peng Fan2e0644a2023-04-28 12:08:09 +0800[diff] [blame]20#include <firmware/imx/sci/sci.h>
Ye Lieb101272021-08-07 16:00:37 +0800[diff] [blame]21#include <asm/mach-imx/image.h>
Clement Faure9cb2f972021-03-25 17:30:34 +0800[diff] [blame]22#endif
23#include <cpu_func.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]24
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]25/**
26* blob_dek() - Encapsulate the DEK as a blob using CAM's Key
27* @src: - Address of data to be encapsulated
28* @dst: - Desination address of encapsulated data
29* @len: - Size of data to be encapsulated
30*
31* Returns zero on success,and negative on error.
32*/
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]33#ifdef CONFIG_IMX_CAAM_DEK_ENCAP
34static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]35{
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]36 u8 *src_ptr, *dst_ptr;
37
38 src_ptr = map_sysmem(src_addr, len / 8);
39 dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len / 8));
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]40
Breno Limac5714232021-03-25 17:30:04 +0800[diff] [blame]41 hab_caam_clock_enable(1);
42
Tom Rini376b88a2022-10-28 20:27:13 -0400[diff] [blame]43 u32 out_jr_size = sec_in32(CFG_SYS_FSL_JR0_ADDR +
Breno Lima1c111162021-03-25 17:30:03 +0800[diff] [blame]44 FSL_CAAM_ORSR_JRa_OFFSET);
Breno Limad9a122d2021-03-25 17:30:05 +0800[diff] [blame]45 if (out_jr_size != FSL_CAAM_MAX_JR_SIZE)
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]46 sec_init();
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]47
48 if (!((len == 128) | (len == 192) | (len == 256))) {
49 debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
50 return -1;
51 }
52
53 len /= 8;
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]54 return blob_dek(src_ptr, dst_ptr, len);
55}
56#endif /* CONFIG_IMX_CAAM_DEK_ENCAP */
57
58#ifdef CONFIG_IMX_OPTEE_DEK_ENCAP
59
60#define PTA_DEK_BLOB_PTA_UUID {0xef477737, 0x0db1, 0x4a9d, \
61 {0x84, 0x37, 0xf2, 0xf5, 0x35, 0xc0, 0xbd, 0x92} }
62
63#define OPTEE_BLOB_HDR_SIZE 8
64
65static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
66{
67 struct udevice *dev = NULL;
68 struct tee_shm *shm_input, *shm_output;
69 struct tee_open_session_arg arg = {0};
70 struct tee_invoke_arg arg_func = {0};
71 const struct tee_optee_ta_uuid uuid = PTA_DEK_BLOB_PTA_UUID;
72 struct tee_param param[4] = {0};
73 int ret;
74
75 /* Get tee device */
76 dev = tee_find_device(NULL, NULL, NULL, NULL);
77 if (!dev) {
78 printf("Cannot get OP-TEE device\n");
79 return -1;
80 }
81
82 /* Set TA UUID */
83 tee_optee_ta_uuid_to_octets(arg.uuid, &uuid);
84
85 /* Open TA session */
86 ret = tee_open_session(dev, &arg, 0, NULL);
87 if (ret < 0) {
88 printf("Cannot open session with PTA Blob 0x%X\n", ret);
89 return -1;
90 }
91
92 /* Allocate shared input and output buffers for TA */
93 ret = tee_shm_register(dev, (void *)(ulong)src_addr, len / 8, 0x0, &shm_input);
94 if (ret < 0) {
95 printf("Cannot register input shared memory 0x%X\n", ret);
96 goto error;
97 }
98
99 ret = tee_shm_register(dev, (void *)(ulong)dst_addr,
100 BLOB_SIZE(len / 8) + OPTEE_BLOB_HDR_SIZE,
101 0x0, &shm_output);
102 if (ret < 0) {
103 printf("Cannot register output shared memory 0x%X\n", ret);
Ye Li06e298d2023-06-15 18:09:10 +0800[diff] [blame^]104 tee_shm_free(shm_input);
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]105 goto error;
106 }
107
108 param[0].u.memref.shm = shm_input;
109 param[0].u.memref.size = shm_input->size;
110 param[0].attr = TEE_PARAM_ATTR_TYPE_MEMREF_INPUT;
111 param[1].u.memref.shm = shm_output;
112 param[1].u.memref.size = shm_output->size;
113 param[1].attr = TEE_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
114 param[2].attr = TEE_PARAM_ATTR_TYPE_NONE;
115 param[3].attr = TEE_PARAM_ATTR_TYPE_NONE;
116
117 arg_func.func = 0;
118 arg_func.session = arg.session;
119
120 /* Generate DEK blob */
121 arg_func.session = arg.session;
122 ret = tee_invoke_func(dev, &arg_func, 4, param);
123 if (ret < 0)
124 printf("Cannot generate Blob with PTA DEK Blob 0x%X\n", ret);
125
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]126 /* Free shared memory */
127 tee_shm_free(shm_input);
128 tee_shm_free(shm_output);
129
Ye Li06e298d2023-06-15 18:09:10 +0800[diff] [blame^]130error:
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]131 /* Close session */
132 ret = tee_close_session(dev, arg.session);
133 if (ret < 0)
134 printf("Cannot close session with PTA DEK Blob 0x%X\n", ret);
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]135
136 return ret;
137}
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]138#endif /* CONFIG_IMX_OPTEE_DEK_ENCAP */
Clement Faure9cb2f972021-03-25 17:30:34 +0800[diff] [blame]139#ifdef CONFIG_IMX_SECO_DEK_ENCAP
140
141#define DEK_BLOB_KEY_ID 0x0
142
143#define AHAB_PRIVATE_KEY 0x81
144#define AHAB_VERSION 0x00
145#define AHAB_MODE_CBC 0x67
146#define AHAB_ALG_AES 0x55
147#define AHAB_128_AES_KEY 0x10
148#define AHAB_192_AES_KEY 0x18
149#define AHAB_256_AES_KEY 0x20
150#define AHAB_FLAG_KEK 0x80
151#define AHAB_DEK_BLOB 0x01
152
153#define DEK_BLOB_HDR_SIZE 8
154#define SECO_PT 2U
155
156static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
157{
Peng Fan25b7eb42023-06-15 18:08:58 +0800[diff] [blame]158 int err;
Clement Faure9cb2f972021-03-25 17:30:34 +0800[diff] [blame]159 sc_rm_mr_t mr_input, mr_output;
160 struct generate_key_blob_hdr hdr;
161 u8 in_size, out_size;
162 u8 *src_ptr, *dst_ptr;
163 int ret = 0;
164 int i;
165
166 /* Set sizes */
167 in_size = sizeof(struct generate_key_blob_hdr) + len / 8;
168 out_size = BLOB_SIZE(len / 8) + DEK_BLOB_HDR_SIZE;
169
170 /* Get src and dst virtual addresses */
171 src_ptr = map_sysmem(src_addr, in_size);
172 dst_ptr = map_sysmem(dst_addr, out_size);
173
174 /* Check addr input */
175 if (!(src_ptr && dst_ptr)) {
176 debug("src_addr or dst_addr invalid\n");
177 return -1;
178 }
179
180 /* Build key header */
181 hdr.version = AHAB_VERSION;
182 hdr.length_lsb = sizeof(struct generate_key_blob_hdr) + len / 8;
183 hdr.length_msb = 0x00;
184 hdr.tag = AHAB_PRIVATE_KEY;
185 hdr.flags = AHAB_DEK_BLOB;
186 hdr.algorithm = AHAB_ALG_AES;
187 hdr.mode = AHAB_MODE_CBC;
188
189 switch (len) {
190 case 128:
191 hdr.size = AHAB_128_AES_KEY;
192 break;
193 case 192:
194 hdr.size = AHAB_192_AES_KEY;
195 break;
196 case 256:
197 hdr.size = AHAB_256_AES_KEY;
198 break;
199 default:
200 /* Not supported */
201 debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
202 return -1;
203 }
204
205 /* Build input message */
206 memmove((void *)(src_ptr + sizeof(struct generate_key_blob_hdr)),
207 (void *)src_ptr, len / 8);
208 memcpy((void *)src_ptr, (void *)&hdr,
209 sizeof(struct generate_key_blob_hdr));
210
211 /* Flush the cache before triggering the CAAM DMA */
212 flush_dcache_range(src_addr, src_addr + in_size);
213
214 /* Find input memory region */
215 err = sc_rm_find_memreg((-1), &mr_input, src_addr & ~(CONFIG_SYS_CACHELINE_SIZE - 1),
216 ALIGN(src_addr + in_size, CONFIG_SYS_CACHELINE_SIZE));
217 if (err) {
218 printf("Error: find memory region 0x%X\n", src_addr);
219 return -ENOMEM;
220 }
221
222 /* Find output memory region */
223 err = sc_rm_find_memreg((-1), &mr_output, dst_addr & ~(CONFIG_SYS_CACHELINE_SIZE - 1),
224 ALIGN(dst_addr + out_size, CONFIG_SYS_CACHELINE_SIZE));
225 if (err) {
226 printf("Error: find memory region 0x%X\n", dst_addr);
227 return -ENOMEM;
228 }
229
230 /* Set memory region permissions for SECO */
231 err = sc_rm_set_memreg_permissions(-1, mr_input, SECO_PT,
232 SC_RM_PERM_FULL);
233 if (err) {
234 printf("Set permission failed for input memory region\n");
235 ret = -EPERM;
236 goto error;
237 }
238
239 err = sc_rm_set_memreg_permissions(-1, mr_output, SECO_PT,
240 SC_RM_PERM_FULL);
241 if (err) {
242 printf("Set permission failed for output memory region\n");
243 ret = -EPERM;
244 goto error;
245 }
246
247 /* Flush output data before SECO operation */
248 flush_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
249 roundup(out_size, ARCH_DMA_MINALIGN)));
250
251 /* Generate DEK blob */
252 err = sc_seco_gen_key_blob((-1), 0x0, src_addr, dst_addr, out_size);
253 if (err) {
254 ret = -EPERM;
255 goto error;
256 }
257
258 /* Invalidate output buffer */
259 invalidate_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
260 roundup(out_size, ARCH_DMA_MINALIGN)));
261
262 printf("DEK Blob\n");
263 for (i = 0; i < DEK_BLOB_HDR_SIZE + BLOB_SIZE(len / 8); i++)
264 printf("%02X", dst_ptr[i]);
265 printf("\n");
266
267error:
268 /* Remove memory region permission to SECO */
269 err = sc_rm_set_memreg_permissions(-1, mr_input, SECO_PT,
270 SC_RM_PERM_NONE);
271 if (err) {
272 printf("Error: remove permission failed for input\n");
273 ret = -EPERM;
274 }
275
276 err = sc_rm_set_memreg_permissions(-1, mr_output, SECO_PT,
277 SC_RM_PERM_NONE);
278 if (err) {
279 printf("Error: remove permission failed for output\n");
280 ret = -EPERM;
281 }
282
283 return ret;
284}
285#endif /* CONFIG_IMX_SECO_DEK_ENCAP */
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]286
287/**
288 * do_dek_blob() - Handle the "dek_blob" command-line command
289 * @cmdtp: Command data struct pointer
290 * @flag: Command flag
291 * @argc: Command-line argument count
292 * @argv: Array of command-line arguments
293 *
294 * Returns zero on success, CMD_RET_USAGE in case of misuse and negative
295 * on error.
296 */
Simon Glassed38aef2020-05-10 11:40:03 -0600[diff] [blame]297static int do_dek_blob(struct cmd_tbl *cmdtp, int flag, int argc,
298 char *const argv[])
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]299{
300 uint32_t src_addr, dst_addr, len;
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]301
302 if (argc != 4)
303 return CMD_RET_USAGE;
304
Simon Glass3ff49ec2021-07-24 09:03:29 -0600[diff] [blame]305 src_addr = hextoul(argv[1], NULL);
306 dst_addr = hextoul(argv[2], NULL);
Simon Glassff9b9032021-07-24 09:03:30 -0600[diff] [blame]307 len = dectoul(argv[3], NULL);
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]308
Clement Faurea93b0d92021-03-25 17:30:33 +0800[diff] [blame]309 return blob_encap_dek(src_addr, dst_addr, len);
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600[diff] [blame]310}
311
312/***************************************************/
313static char dek_blob_help_text[] =
314 "src dst len - Encapsulate and create blob of data\n"
315 " $len bits long at address $src and\n"
316 " store the result at address $dst.\n";
317
318U_BOOT_CMD(
319 dek_blob, 4, 1, do_dek_blob,
320 "Data Encryption Key blob encapsulation",
321 dek_blob_help_text
322);