blob: c7962ead2d54c565854077ae8988e8ad9b300a7a [file] [log] [blame]
Tom Rini10e47792018-05-06 17:58:06 -04001// SPDX-License-Identifier: GPL-2.0+
Raul Cardenasb5a36d82015-02-27 11:22:06 -06002/*
3 * Copyright 2008-2015 Freescale Semiconductor, Inc.
Clement Faure34295a22023-06-15 18:09:11 +08004 * Copyright 2022 NXP
Raul Cardenasb5a36d82015-02-27 11:22:06 -06005 *
Raul Cardenasb5a36d82015-02-27 11:22:06 -06006 * Command for encapsulating DEK blob
7 */
8
Tom Rini5ab32a02024-04-30 07:35:49 -06009#include <config.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -060010#include <command.h>
Simon Glass0f2af882020-05-10 11:40:05 -060011#include <log.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -060012#include <malloc.h>
Gaurav Jaindb4dd6a2022-03-24 11:50:33 +053013#include <memalign.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -060014#include <asm/byteorder.h>
15#include <linux/compiler.h>
16#include <fsl_sec.h>
17#include <asm/arch/clock.h>
Ulises Cardenas817ffc02015-05-04 09:53:28 -050018#include <mapmem.h>
Clement Faurea93b0d92021-03-25 17:30:33 +080019#include <tee.h>
Tom Rini5ab32a02024-04-30 07:35:49 -060020#include <vsprintf.h>
Clement Faure9cb2f972021-03-25 17:30:34 +080021#ifdef CONFIG_IMX_SECO_DEK_ENCAP
Sean Anderson952ed672023-10-14 16:47:44 -040022#include <imx_container.h>
Peng Fan2e0644a2023-04-28 12:08:09 +080023#include <firmware/imx/sci/sci.h>
Clement Faure9cb2f972021-03-25 17:30:34 +080024#endif
Clement Faure34295a22023-06-15 18:09:11 +080025#ifdef CONFIG_IMX_ELE_DEK_ENCAP
Sean Anderson952ed672023-10-14 16:47:44 -040026#include <imx_container.h>
Clement Faure34295a22023-06-15 18:09:11 +080027#include <asm/mach-imx/ele_api.h>
Clement Faure34295a22023-06-15 18:09:11 +080028#endif
29
Clement Faure9cb2f972021-03-25 17:30:34 +080030#include <cpu_func.h>
Raul Cardenasb5a36d82015-02-27 11:22:06 -060031
Raul Cardenasb5a36d82015-02-27 11:22:06 -060032/**
33* blob_dek() - Encapsulate the DEK as a blob using CAM's Key
34* @src: - Address of data to be encapsulated
35* @dst: - Desination address of encapsulated data
36* @len: - Size of data to be encapsulated
37*
38* Returns zero on success,and negative on error.
39*/
Clement Faurea93b0d92021-03-25 17:30:33 +080040#ifdef CONFIG_IMX_CAAM_DEK_ENCAP
41static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
Raul Cardenasb5a36d82015-02-27 11:22:06 -060042{
Clement Faurea93b0d92021-03-25 17:30:33 +080043 u8 *src_ptr, *dst_ptr;
44
45 src_ptr = map_sysmem(src_addr, len / 8);
46 dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len / 8));
Raul Cardenasb5a36d82015-02-27 11:22:06 -060047
Breno Limac5714232021-03-25 17:30:04 +080048 hab_caam_clock_enable(1);
49
Tom Rini376b88a2022-10-28 20:27:13 -040050 u32 out_jr_size = sec_in32(CFG_SYS_FSL_JR0_ADDR +
Breno Lima1c111162021-03-25 17:30:03 +080051 FSL_CAAM_ORSR_JRa_OFFSET);
Breno Limad9a122d2021-03-25 17:30:05 +080052 if (out_jr_size != FSL_CAAM_MAX_JR_SIZE)
Raul Cardenasb5a36d82015-02-27 11:22:06 -060053 sec_init();
Raul Cardenasb5a36d82015-02-27 11:22:06 -060054
55 if (!((len == 128) | (len == 192) | (len == 256))) {
56 debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
57 return -1;
58 }
59
60 len /= 8;
Clement Faurea93b0d92021-03-25 17:30:33 +080061 return blob_dek(src_ptr, dst_ptr, len);
62}
63#endif /* CONFIG_IMX_CAAM_DEK_ENCAP */
64
65#ifdef CONFIG_IMX_OPTEE_DEK_ENCAP
66
67#define PTA_DEK_BLOB_PTA_UUID {0xef477737, 0x0db1, 0x4a9d, \
68 {0x84, 0x37, 0xf2, 0xf5, 0x35, 0xc0, 0xbd, 0x92} }
69
70#define OPTEE_BLOB_HDR_SIZE 8
71
72static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
73{
74 struct udevice *dev = NULL;
75 struct tee_shm *shm_input, *shm_output;
76 struct tee_open_session_arg arg = {0};
77 struct tee_invoke_arg arg_func = {0};
78 const struct tee_optee_ta_uuid uuid = PTA_DEK_BLOB_PTA_UUID;
79 struct tee_param param[4] = {0};
80 int ret;
81
82 /* Get tee device */
83 dev = tee_find_device(NULL, NULL, NULL, NULL);
84 if (!dev) {
85 printf("Cannot get OP-TEE device\n");
86 return -1;
87 }
88
89 /* Set TA UUID */
90 tee_optee_ta_uuid_to_octets(arg.uuid, &uuid);
91
92 /* Open TA session */
93 ret = tee_open_session(dev, &arg, 0, NULL);
94 if (ret < 0) {
95 printf("Cannot open session with PTA Blob 0x%X\n", ret);
96 return -1;
97 }
98
99 /* Allocate shared input and output buffers for TA */
100 ret = tee_shm_register(dev, (void *)(ulong)src_addr, len / 8, 0x0, &shm_input);
101 if (ret < 0) {
102 printf("Cannot register input shared memory 0x%X\n", ret);
103 goto error;
104 }
105
106 ret = tee_shm_register(dev, (void *)(ulong)dst_addr,
107 BLOB_SIZE(len / 8) + OPTEE_BLOB_HDR_SIZE,
108 0x0, &shm_output);
109 if (ret < 0) {
110 printf("Cannot register output shared memory 0x%X\n", ret);
Ye Li06e298d2023-06-15 18:09:10 +0800111 tee_shm_free(shm_input);
Clement Faurea93b0d92021-03-25 17:30:33 +0800112 goto error;
113 }
114
115 param[0].u.memref.shm = shm_input;
116 param[0].u.memref.size = shm_input->size;
117 param[0].attr = TEE_PARAM_ATTR_TYPE_MEMREF_INPUT;
118 param[1].u.memref.shm = shm_output;
119 param[1].u.memref.size = shm_output->size;
120 param[1].attr = TEE_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
121 param[2].attr = TEE_PARAM_ATTR_TYPE_NONE;
122 param[3].attr = TEE_PARAM_ATTR_TYPE_NONE;
123
124 arg_func.func = 0;
125 arg_func.session = arg.session;
126
127 /* Generate DEK blob */
128 arg_func.session = arg.session;
129 ret = tee_invoke_func(dev, &arg_func, 4, param);
130 if (ret < 0)
131 printf("Cannot generate Blob with PTA DEK Blob 0x%X\n", ret);
132
Clement Faurea93b0d92021-03-25 17:30:33 +0800133 /* Free shared memory */
134 tee_shm_free(shm_input);
135 tee_shm_free(shm_output);
136
Ye Li06e298d2023-06-15 18:09:10 +0800137error:
Clement Faurea93b0d92021-03-25 17:30:33 +0800138 /* Close session */
139 ret = tee_close_session(dev, arg.session);
140 if (ret < 0)
141 printf("Cannot close session with PTA DEK Blob 0x%X\n", ret);
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600142
143 return ret;
144}
Clement Faurea93b0d92021-03-25 17:30:33 +0800145#endif /* CONFIG_IMX_OPTEE_DEK_ENCAP */
Clement Faure9cb2f972021-03-25 17:30:34 +0800146#ifdef CONFIG_IMX_SECO_DEK_ENCAP
147
148#define DEK_BLOB_KEY_ID 0x0
149
150#define AHAB_PRIVATE_KEY 0x81
151#define AHAB_VERSION 0x00
152#define AHAB_MODE_CBC 0x67
153#define AHAB_ALG_AES 0x55
154#define AHAB_128_AES_KEY 0x10
155#define AHAB_192_AES_KEY 0x18
156#define AHAB_256_AES_KEY 0x20
157#define AHAB_FLAG_KEK 0x80
158#define AHAB_DEK_BLOB 0x01
159
160#define DEK_BLOB_HDR_SIZE 8
161#define SECO_PT 2U
162
163static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
164{
Peng Fan25b7eb42023-06-15 18:08:58 +0800165 int err;
Clement Faure9cb2f972021-03-25 17:30:34 +0800166 sc_rm_mr_t mr_input, mr_output;
167 struct generate_key_blob_hdr hdr;
168 u8 in_size, out_size;
169 u8 *src_ptr, *dst_ptr;
170 int ret = 0;
171 int i;
172
173 /* Set sizes */
174 in_size = sizeof(struct generate_key_blob_hdr) + len / 8;
175 out_size = BLOB_SIZE(len / 8) + DEK_BLOB_HDR_SIZE;
176
177 /* Get src and dst virtual addresses */
178 src_ptr = map_sysmem(src_addr, in_size);
179 dst_ptr = map_sysmem(dst_addr, out_size);
180
181 /* Check addr input */
182 if (!(src_ptr && dst_ptr)) {
183 debug("src_addr or dst_addr invalid\n");
184 return -1;
185 }
186
187 /* Build key header */
188 hdr.version = AHAB_VERSION;
189 hdr.length_lsb = sizeof(struct generate_key_blob_hdr) + len / 8;
190 hdr.length_msb = 0x00;
191 hdr.tag = AHAB_PRIVATE_KEY;
192 hdr.flags = AHAB_DEK_BLOB;
193 hdr.algorithm = AHAB_ALG_AES;
194 hdr.mode = AHAB_MODE_CBC;
195
196 switch (len) {
197 case 128:
198 hdr.size = AHAB_128_AES_KEY;
199 break;
200 case 192:
201 hdr.size = AHAB_192_AES_KEY;
202 break;
203 case 256:
204 hdr.size = AHAB_256_AES_KEY;
205 break;
206 default:
207 /* Not supported */
208 debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
209 return -1;
210 }
211
212 /* Build input message */
213 memmove((void *)(src_ptr + sizeof(struct generate_key_blob_hdr)),
214 (void *)src_ptr, len / 8);
215 memcpy((void *)src_ptr, (void *)&hdr,
216 sizeof(struct generate_key_blob_hdr));
217
218 /* Flush the cache before triggering the CAAM DMA */
219 flush_dcache_range(src_addr, src_addr + in_size);
220
221 /* Find input memory region */
222 err = sc_rm_find_memreg((-1), &mr_input, src_addr & ~(CONFIG_SYS_CACHELINE_SIZE - 1),
223 ALIGN(src_addr + in_size, CONFIG_SYS_CACHELINE_SIZE));
224 if (err) {
225 printf("Error: find memory region 0x%X\n", src_addr);
226 return -ENOMEM;
227 }
228
229 /* Find output memory region */
230 err = sc_rm_find_memreg((-1), &mr_output, dst_addr & ~(CONFIG_SYS_CACHELINE_SIZE - 1),
231 ALIGN(dst_addr + out_size, CONFIG_SYS_CACHELINE_SIZE));
232 if (err) {
233 printf("Error: find memory region 0x%X\n", dst_addr);
234 return -ENOMEM;
235 }
236
237 /* Set memory region permissions for SECO */
238 err = sc_rm_set_memreg_permissions(-1, mr_input, SECO_PT,
239 SC_RM_PERM_FULL);
240 if (err) {
241 printf("Set permission failed for input memory region\n");
242 ret = -EPERM;
243 goto error;
244 }
245
246 err = sc_rm_set_memreg_permissions(-1, mr_output, SECO_PT,
247 SC_RM_PERM_FULL);
248 if (err) {
249 printf("Set permission failed for output memory region\n");
250 ret = -EPERM;
251 goto error;
252 }
253
254 /* Flush output data before SECO operation */
255 flush_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
256 roundup(out_size, ARCH_DMA_MINALIGN)));
257
258 /* Generate DEK blob */
259 err = sc_seco_gen_key_blob((-1), 0x0, src_addr, dst_addr, out_size);
260 if (err) {
261 ret = -EPERM;
262 goto error;
263 }
264
265 /* Invalidate output buffer */
266 invalidate_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
267 roundup(out_size, ARCH_DMA_MINALIGN)));
268
269 printf("DEK Blob\n");
270 for (i = 0; i < DEK_BLOB_HDR_SIZE + BLOB_SIZE(len / 8); i++)
271 printf("%02X", dst_ptr[i]);
272 printf("\n");
273
274error:
275 /* Remove memory region permission to SECO */
276 err = sc_rm_set_memreg_permissions(-1, mr_input, SECO_PT,
277 SC_RM_PERM_NONE);
278 if (err) {
279 printf("Error: remove permission failed for input\n");
280 ret = -EPERM;
281 }
282
283 err = sc_rm_set_memreg_permissions(-1, mr_output, SECO_PT,
284 SC_RM_PERM_NONE);
285 if (err) {
286 printf("Error: remove permission failed for output\n");
287 ret = -EPERM;
288 }
289
290 return ret;
291}
292#endif /* CONFIG_IMX_SECO_DEK_ENCAP */
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600293
Clement Faure34295a22023-06-15 18:09:11 +0800294#ifdef CONFIG_IMX_ELE_DEK_ENCAP
295
296#define DEK_BLOB_HDR_SIZE 8
297#define AHAB_PRIVATE_KEY 0x81
298#define AHAB_DEK_BLOB 0x01
299#define AHAB_ALG_AES 0x03
300#define AHAB_128_AES_KEY 0x10
301#define AHAB_192_AES_KEY 0x18
302#define AHAB_256_AES_KEY 0x20
303
304static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
305{
306 u8 in_size, out_size;
307 u8 *src_ptr, *dst_ptr;
308 struct generate_key_blob_hdr hdr;
309
310 /* Set sizes */
311 in_size = sizeof(struct generate_key_blob_hdr) + len / 8;
312 out_size = BLOB_SIZE(len / 8) + DEK_BLOB_HDR_SIZE;
313
314 /* Get src and dst virtual addresses */
315 src_ptr = map_sysmem(src_addr, in_size);
316 dst_ptr = map_sysmem(dst_addr, out_size);
317
318 /* Check addr input */
319 if (!(src_ptr && dst_ptr)) {
320 debug("src_addr or dst_addr invalid\n");
321 return -1;
322 }
323
324 /* Build key header */
325 hdr.version = 0x0;
326 hdr.length_lsb = in_size;
327 hdr.length_msb = 0x00;
328 hdr.tag = AHAB_PRIVATE_KEY;
329 hdr.flags = AHAB_DEK_BLOB;
330 hdr.algorithm = AHAB_ALG_AES;
331 hdr.mode = 0x0; /* Not used by the ELE */
332
333 switch (len) {
334 case 128:
335 hdr.size = AHAB_128_AES_KEY;
336 break;
337 case 192:
338 hdr.size = AHAB_192_AES_KEY;
339 break;
340 case 256:
341 hdr.size = AHAB_256_AES_KEY;
342 break;
343 default:
344 /* Not supported */
345 debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
346 return -1;
347 }
348
349 /* Move input key and append blob header */
350 memmove((void *)(src_ptr + sizeof(struct generate_key_blob_hdr)),
351 (void *)src_ptr, len / 8);
352 memcpy((void *)src_ptr, (void *)&hdr,
353 sizeof(struct generate_key_blob_hdr));
354
355 /* Flush the cache */
356 flush_dcache_range(src_addr, src_addr + in_size);
357 flush_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
358 roundup(out_size, ARCH_DMA_MINALIGN)));
359
360 /* Call ELE */
361 if (ele_generate_dek_blob(0x00, src_addr, dst_addr, out_size))
362 return -1;
363
364 /* Invalidate output buffer */
365 invalidate_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
366 roundup(out_size, ARCH_DMA_MINALIGN)));
367
368 return 0;
369}
370#endif /* CONFIG_IMX_ELE_DEK_ENCAP */
371
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600372/**
373 * do_dek_blob() - Handle the "dek_blob" command-line command
374 * @cmdtp: Command data struct pointer
375 * @flag: Command flag
376 * @argc: Command-line argument count
377 * @argv: Array of command-line arguments
378 *
379 * Returns zero on success, CMD_RET_USAGE in case of misuse and negative
380 * on error.
381 */
Simon Glassed38aef2020-05-10 11:40:03 -0600382static int do_dek_blob(struct cmd_tbl *cmdtp, int flag, int argc,
383 char *const argv[])
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600384{
385 uint32_t src_addr, dst_addr, len;
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600386
387 if (argc != 4)
388 return CMD_RET_USAGE;
389
Simon Glass3ff49ec2021-07-24 09:03:29 -0600390 src_addr = hextoul(argv[1], NULL);
391 dst_addr = hextoul(argv[2], NULL);
Simon Glassff9b9032021-07-24 09:03:30 -0600392 len = dectoul(argv[3], NULL);
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600393
Clement Faurea93b0d92021-03-25 17:30:33 +0800394 return blob_encap_dek(src_addr, dst_addr, len);
Raul Cardenasb5a36d82015-02-27 11:22:06 -0600395}
396
397/***************************************************/
398static char dek_blob_help_text[] =
399 "src dst len - Encapsulate and create blob of data\n"
400 " $len bits long at address $src and\n"
401 " store the result at address $dst.\n";
402
403U_BOOT_CMD(
404 dek_blob, 4, 1, do_dek_blob,
405 "Data Encryption Key blob encapsulation",
406 dek_blob_help_text
407);