crypto/ccree/cc_fips.c

ab8ec965SGilad Ben-Yossef// SPDX-License-Identifier: GPL-2.0
03963caeSGilad Ben-Yossef/* Copyright (C) 2012-2019 ARM Limited (or its affiliates). */
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef#include <linux/kernel.h>
ab8ec965SGilad Ben-Yossef#include <linux/fips.h>
452c53d7SGilad Ben-Yossef#include <linux/notifier.h>
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef#include "cc_driver.h"
ab8ec965SGilad Ben-Yossef#include "cc_fips.h"
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossefstatic void fips_dsr(unsigned long devarg);
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossefstruct cc_fips_handle {
ab8ec965SGilad Ben-Yossef	struct tasklet_struct tasklet;
452c53d7SGilad Ben-Yossef	struct notifier_block nb;
452c53d7SGilad Ben-Yossef	struct cc_drvdata *drvdata;
ab8ec965SGilad Ben-Yossef};
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef/* The function called once at driver entry point to check
ab8ec965SGilad Ben-Yossef * whether TEE FIPS error occurred.
ab8ec965SGilad Ben-Yossef */
ab8ec965SGilad Ben-Yossefstatic bool cc_get_tee_fips_status(struct cc_drvdata *drvdata)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	u32 reg;
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	reg = cc_ioread(drvdata, CC_REG(GPR_HOST));
76a95bd8SGilad Ben-Yossef	/* Did the TEE report status? */
76a95bd8SGilad Ben-Yossef	if (reg & CC_FIPS_SYNC_TEE_STATUS)
76a95bd8SGilad Ben-Yossef		/* Yes. Is it OK? */
76a95bd8SGilad Ben-Yossef		return (reg & CC_FIPS_SYNC_MODULE_OK);
76a95bd8SGilad Ben-Yossef
76a95bd8SGilad Ben-Yossef	/* No. It's either not in use or will be reported later */
76a95bd8SGilad Ben-Yossef	return true;
ab8ec965SGilad Ben-Yossef}
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef/*
ab8ec965SGilad Ben-Yossef * This function should push the FIPS REE library status towards the TEE library
ab8ec965SGilad Ben-Yossef * by writing the error state to HOST_GPR0 register.
ab8ec965SGilad Ben-Yossef */
ab8ec965SGilad Ben-Yossefvoid cc_set_ree_fips_status(struct cc_drvdata *drvdata, bool status)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	int val = CC_FIPS_SYNC_REE_STATUS;
ab8ec965SGilad Ben-Yossef
27b3b22dSGilad Ben-Yossef	if (drvdata->hw_rev < CC_HW_REV_712)
27b3b22dSGilad Ben-Yossef		return;
27b3b22dSGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	val |= (status ? CC_FIPS_SYNC_MODULE_OK : CC_FIPS_SYNC_MODULE_ERROR);
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	cc_iowrite(drvdata, CC_REG(HOST_GPR0), val);
ab8ec965SGilad Ben-Yossef}
ab8ec965SGilad Ben-Yossef
452c53d7SGilad Ben-Yossef/* Push REE side FIPS test failure to TEE side */
452c53d7SGilad Ben-Yossefstatic int cc_ree_fips_failure(struct notifier_block *nb, unsigned long unused1,
452c53d7SGilad Ben-Yossef			       void *unused2)
452c53d7SGilad Ben-Yossef{
452c53d7SGilad Ben-Yossef	struct cc_fips_handle *fips_h =
452c53d7SGilad Ben-Yossef				container_of(nb, struct cc_fips_handle, nb);
452c53d7SGilad Ben-Yossef	struct cc_drvdata *drvdata = fips_h->drvdata;
452c53d7SGilad Ben-Yossef	struct device *dev = drvdata_to_dev(drvdata);
452c53d7SGilad Ben-Yossef
452c53d7SGilad Ben-Yossef	cc_set_ree_fips_status(drvdata, false);
452c53d7SGilad Ben-Yossef	dev_info(dev, "Notifying TEE of FIPS test failure...\n");
452c53d7SGilad Ben-Yossef
452c53d7SGilad Ben-Yossef	return NOTIFY_OK;
452c53d7SGilad Ben-Yossef}
452c53d7SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossefvoid cc_fips_fini(struct cc_drvdata *drvdata)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	struct cc_fips_handle *fips_h = drvdata->fips_handle;
ab8ec965SGilad Ben-Yossef
27b3b22dSGilad Ben-Yossef	if (drvdata->hw_rev < CC_HW_REV_712 || !fips_h)
27b3b22dSGilad Ben-Yossef		return;
ab8ec965SGilad Ben-Yossef
452c53d7SGilad Ben-Yossef	atomic_notifier_chain_unregister(&fips_fail_notif_chain, &fips_h->nb);
452c53d7SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	/* Kill tasklet */
ab8ec965SGilad Ben-Yossef	tasklet_kill(&fips_h->tasklet);
ab8ec965SGilad Ben-Yossef	drvdata->fips_handle = NULL;
ab8ec965SGilad Ben-Yossef}
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossefvoid fips_handler(struct cc_drvdata *drvdata)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	struct cc_fips_handle *fips_handle_ptr = drvdata->fips_handle;
ab8ec965SGilad Ben-Yossef
27b3b22dSGilad Ben-Yossef	if (drvdata->hw_rev < CC_HW_REV_712)
27b3b22dSGilad Ben-Yossef		return;
27b3b22dSGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	tasklet_schedule(&fips_handle_ptr->tasklet);
ab8ec965SGilad Ben-Yossef}
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossefstatic inline void tee_fips_error(struct device *dev)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	if (fips_enabled)
ab8ec965SGilad Ben-Yossef		panic("ccree: TEE reported cryptographic error in fips mode!\n");
ab8ec965SGilad Ben-Yossef	else
ab8ec965SGilad Ben-Yossef		dev_err(dev, "TEE reported error!\n");
ab8ec965SGilad Ben-Yossef}
ab8ec965SGilad Ben-Yossef
897ab231SOfir Drang/*
897ab231SOfir Drang * This function check if cryptocell tee fips error occurred
897ab231SOfir Drang * and in such case triggers system error
897ab231SOfir Drang */
897ab231SOfir Drangvoid cc_tee_handle_fips_error(struct cc_drvdata *p_drvdata)
897ab231SOfir Drang{
897ab231SOfir Drang	struct device *dev = drvdata_to_dev(p_drvdata);
897ab231SOfir Drang
897ab231SOfir Drang	if (!cc_get_tee_fips_status(p_drvdata))
897ab231SOfir Drang		tee_fips_error(dev);
897ab231SOfir Drang}
897ab231SOfir Drang
ab8ec965SGilad Ben-Yossef/* Deferred service handler, run as interrupt-fired tasklet */
ab8ec965SGilad Ben-Yossefstatic void fips_dsr(unsigned long devarg)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	struct cc_drvdata *drvdata = (struct cc_drvdata *)devarg;
897ab231SOfir Drang	u32 irq, val;
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	irq = (drvdata->irq & (CC_GPR0_IRQ_MASK));
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	if (irq) {
897ab231SOfir Drang		cc_tee_handle_fips_error(drvdata);
ab8ec965SGilad Ben-Yossef	}
ab8ec965SGilad Ben-Yossef
*e86eca41SHadar Gat	/* after verifying that there is nothing to do,
ab8ec965SGilad Ben-Yossef	 * unmask AXI completion interrupt.
ab8ec965SGilad Ben-Yossef	 */
ab8ec965SGilad Ben-Yossef	val = (CC_REG(HOST_IMR) & ~irq);
ab8ec965SGilad Ben-Yossef	cc_iowrite(drvdata, CC_REG(HOST_IMR), val);
ab8ec965SGilad Ben-Yossef}
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef/* The function called once at driver entry point .*/
ab8ec965SGilad Ben-Yossefint cc_fips_init(struct cc_drvdata *p_drvdata)
ab8ec965SGilad Ben-Yossef{
ab8ec965SGilad Ben-Yossef	struct cc_fips_handle *fips_h;
ab8ec965SGilad Ben-Yossef	struct device *dev = drvdata_to_dev(p_drvdata);
ab8ec965SGilad Ben-Yossef
27b3b22dSGilad Ben-Yossef	if (p_drvdata->hw_rev < CC_HW_REV_712)
27b3b22dSGilad Ben-Yossef		return 0;
27b3b22dSGilad Ben-Yossef
dcb2cf1dSGilad Ben-Yossef	fips_h = devm_kzalloc(dev, sizeof(*fips_h), GFP_KERNEL);
ab8ec965SGilad Ben-Yossef	if (!fips_h)
ab8ec965SGilad Ben-Yossef		return -ENOMEM;
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	p_drvdata->fips_handle = fips_h;
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	dev_dbg(dev, "Initializing fips tasklet\n");
ab8ec965SGilad Ben-Yossef	tasklet_init(&fips_h->tasklet, fips_dsr, (unsigned long)p_drvdata);
452c53d7SGilad Ben-Yossef	fips_h->drvdata = p_drvdata;
452c53d7SGilad Ben-Yossef	fips_h->nb.notifier_call = cc_ree_fips_failure;
452c53d7SGilad Ben-Yossef	atomic_notifier_chain_register(&fips_fail_notif_chain, &fips_h->nb);
ab8ec965SGilad Ben-Yossef
897ab231SOfir Drang	cc_tee_handle_fips_error(p_drvdata);
ab8ec965SGilad Ben-Yossef
ab8ec965SGilad Ben-Yossef	return 0;
ab8ec965SGilad Ben-Yossef}