1 /*
2  * Copyright (c) 2011 The Chromium OS Authors.
3  * (C) Copyright 2010 - 2011 NVIDIA Corporation <www.nvidia.com>
4  *
5  * SPDX-License-Identifier:	GPL-2.0+
6  */
7 
8 #include <common.h>
9 #include <linux/errno.h>
10 #include "crypto.h"
11 #include "aes.h"
12 
13 static u8 zero_key[16];
14 
15 #define AES_CMAC_CONST_RB 0x87  /* from RFC 4493, Figure 2.2 */
16 
17 enum security_op {
18 	SECURITY_SIGN		= 1 << 0,	/* Sign the data */
19 	SECURITY_ENCRYPT	= 1 << 1,	/* Encrypt the data */
20 };
21 
22 /**
23  * Shift a vector left by one bit
24  *
25  * \param in	Input vector
26  * \param out	Output vector
27  * \param size	Length of vector in bytes
28  */
29 static void left_shift_vector(u8 *in, u8 *out, int size)
30 {
31 	int carry = 0;
32 	int i;
33 
34 	for (i = size - 1; i >= 0; i--) {
35 		out[i] = (in[i] << 1) | carry;
36 		carry = in[i] >> 7;	/* get most significant bit */
37 	}
38 }
39 
40 /**
41  * Sign a block of data, putting the result into dst.
42  *
43  * \param key			Input AES key, length AES_KEY_LENGTH
44  * \param key_schedule		Expanded key to use
45  * \param src			Source data of length 'num_aes_blocks' blocks
46  * \param dst			Destination buffer, length AES_KEY_LENGTH
47  * \param num_aes_blocks	Number of AES blocks to encrypt
48  */
49 static void sign_object(u8 *key, u8 *key_schedule, u8 *src, u8 *dst,
50 			u32 num_aes_blocks)
51 {
52 	u8 tmp_data[AES_KEY_LENGTH];
53 	u8 left[AES_KEY_LENGTH];
54 	u8 k1[AES_KEY_LENGTH];
55 	u8 *cbc_chain_data;
56 	unsigned i;
57 
58 	cbc_chain_data = zero_key;	/* Convenient array of 0's for IV */
59 
60 	/* compute K1 constant needed by AES-CMAC calculation */
61 	for (i = 0; i < AES_KEY_LENGTH; i++)
62 		tmp_data[i] = 0;
63 
64 	aes_cbc_encrypt_blocks(key_schedule, tmp_data, left, 1);
65 
66 	left_shift_vector(left, k1, sizeof(left));
67 
68 	if ((left[0] >> 7) != 0) /* get MSB of L */
69 		k1[AES_KEY_LENGTH-1] ^= AES_CMAC_CONST_RB;
70 
71 	/* compute the AES-CMAC value */
72 	for (i = 0; i < num_aes_blocks; i++) {
73 		/* Apply the chain data */
74 		aes_apply_cbc_chain_data(cbc_chain_data, src, tmp_data);
75 
76 		/* for the final block, XOR K1 into the IV */
77 		if (i == num_aes_blocks - 1)
78 			aes_apply_cbc_chain_data(tmp_data, k1, tmp_data);
79 
80 		/* encrypt the AES block */
81 		aes_encrypt(tmp_data, key_schedule, dst);
82 
83 		debug("sign_obj: block %d of %d\n", i, num_aes_blocks);
84 
85 		/* Update pointers for next loop. */
86 		cbc_chain_data = dst;
87 		src += AES_KEY_LENGTH;
88 	}
89 }
90 
91 /**
92  * Encrypt and sign a block of data (depending on security mode).
93  *
94  * \param key		Input AES key, length AES_KEY_LENGTH
95  * \param oper		Security operations mask to perform (enum security_op)
96  * \param src		Source data
97  * \param length	Size of source data
98  * \param sig_dst	Destination address for signature, AES_KEY_LENGTH bytes
99  */
100 static int encrypt_and_sign(u8 *key, enum security_op oper, u8 *src,
101 			    u32 length, u8 *sig_dst)
102 {
103 	u32 num_aes_blocks;
104 	u8 key_schedule[AES_EXPAND_KEY_LENGTH];
105 
106 	debug("encrypt_and_sign: length = %d\n", length);
107 
108 	/*
109 	 * The only need for a key is for signing/checksum purposes, so
110 	 * if not encrypting, expand a key of 0s.
111 	 */
112 	aes_expand_key(oper & SECURITY_ENCRYPT ? key : zero_key, key_schedule);
113 
114 	num_aes_blocks = (length + AES_KEY_LENGTH - 1) / AES_KEY_LENGTH;
115 
116 	if (oper & SECURITY_ENCRYPT) {
117 		/* Perform this in place, resulting in src being encrypted. */
118 		debug("encrypt_and_sign: begin encryption\n");
119 		aes_cbc_encrypt_blocks(key_schedule, src, src, num_aes_blocks);
120 		debug("encrypt_and_sign: end encryption\n");
121 	}
122 
123 	if (oper & SECURITY_SIGN) {
124 		/* encrypt the data, overwriting the result in signature. */
125 		debug("encrypt_and_sign: begin signing\n");
126 		sign_object(key, key_schedule, src, sig_dst, num_aes_blocks);
127 		debug("encrypt_and_sign: end signing\n");
128 	}
129 
130 	return 0;
131 }
132 
133 int sign_data_block(u8 *source, unsigned length, u8 *signature)
134 {
135 	return encrypt_and_sign(zero_key, SECURITY_SIGN, source,
136 				length, signature);
137 }
138