1*83d290c5STom Rini // SPDX-License-Identifier: GPL-2.0+ 2b9eebfadSRuchika Gupta /* 3b9eebfadSRuchika Gupta * SEC Descriptor Construction Library 4b9eebfadSRuchika Gupta * Basic job descriptor construction 5b9eebfadSRuchika Gupta * 6b9eebfadSRuchika Gupta * Copyright 2014 Freescale Semiconductor, Inc. 7b9eebfadSRuchika Gupta * 8b9eebfadSRuchika Gupta */ 9b9eebfadSRuchika Gupta 10b9eebfadSRuchika Gupta #include <common.h> 110200020bSRaul Cardenas #include <fsl_sec.h> 12b9eebfadSRuchika Gupta #include "desc_constr.h" 13b9eebfadSRuchika Gupta #include "jobdesc.h" 1434276478SRuchika Gupta #include "rsa_caam.h" 15b9eebfadSRuchika Gupta 16f91e65a7SUlises Cardenas #if defined(CONFIG_MX6) || defined(CONFIG_MX7) 170200020bSRaul Cardenas /*! 180200020bSRaul Cardenas * Secure memory run command 190200020bSRaul Cardenas * 200200020bSRaul Cardenas * @param sec_mem_cmd Secure memory command register 210200020bSRaul Cardenas * @return cmd_status Secure memory command status register 220200020bSRaul Cardenas */ 230200020bSRaul Cardenas uint32_t secmem_set_cmd(uint32_t sec_mem_cmd) 240200020bSRaul Cardenas { 250200020bSRaul Cardenas uint32_t temp_reg; 260200020bSRaul Cardenas 27f91e65a7SUlises Cardenas ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR; 28f91e65a7SUlises Cardenas uint32_t sm_vid = SM_VERSION(sec_in32(&sec->smvid)); 29f91e65a7SUlises Cardenas uint32_t jr_id = 0; 30f91e65a7SUlises Cardenas 31f91e65a7SUlises Cardenas sec_out32(CAAM_SMCJR(sm_vid, jr_id), sec_mem_cmd); 320200020bSRaul Cardenas 330200020bSRaul Cardenas do { 34f91e65a7SUlises Cardenas temp_reg = sec_in32(CAAM_SMCSJR(sm_vid, jr_id)); 350200020bSRaul Cardenas } while (temp_reg & CMD_COMPLETE); 360200020bSRaul Cardenas 370200020bSRaul Cardenas return temp_reg; 380200020bSRaul Cardenas } 390200020bSRaul Cardenas 400200020bSRaul Cardenas /*! 410200020bSRaul Cardenas * CAAM page allocation: 420200020bSRaul Cardenas * Allocates a partition from secure memory, with the id 43fc0b5948SRobert P. J. Day * equal to partition_num. This will de-allocate the page 440200020bSRaul Cardenas * if it is already allocated. The partition will have 450200020bSRaul Cardenas * full access permissions. The permissions are set before, 460200020bSRaul Cardenas * running a job descriptor. A memory page of secure RAM 470200020bSRaul Cardenas * is allocated for the partition. 480200020bSRaul Cardenas * 490200020bSRaul Cardenas * @param page Number of the page to allocate. 500200020bSRaul Cardenas * @param partition Number of the partition to allocate. 510200020bSRaul Cardenas * @return 0 on success, ERROR_IN_PAGE_ALLOC otherwise 520200020bSRaul Cardenas */ 530200020bSRaul Cardenas int caam_page_alloc(uint8_t page_num, uint8_t partition_num) 540200020bSRaul Cardenas { 550200020bSRaul Cardenas uint32_t temp_reg; 560200020bSRaul Cardenas 57f91e65a7SUlises Cardenas ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR; 58f91e65a7SUlises Cardenas uint32_t sm_vid = SM_VERSION(sec_in32(&sec->smvid)); 59f91e65a7SUlises Cardenas uint32_t jr_id = 0; 60f91e65a7SUlises Cardenas 610200020bSRaul Cardenas /* 620200020bSRaul Cardenas * De-Allocate partition_num if already allocated to ARM core 630200020bSRaul Cardenas */ 640200020bSRaul Cardenas if (sec_in32(CAAM_SMPO_0) & PARTITION_OWNER(partition_num)) { 650200020bSRaul Cardenas temp_reg = secmem_set_cmd(PARTITION(partition_num) | 660200020bSRaul Cardenas CMD_PART_DEALLOC); 670200020bSRaul Cardenas if (temp_reg & SMCSJR_AERR) { 680200020bSRaul Cardenas printf("Error: De-allocation status 0x%X\n", temp_reg); 690200020bSRaul Cardenas return ERROR_IN_PAGE_ALLOC; 700200020bSRaul Cardenas } 710200020bSRaul Cardenas } 720200020bSRaul Cardenas 730200020bSRaul Cardenas /* set the access rights to allow full access */ 74f91e65a7SUlises Cardenas sec_out32(CAAM_SMAG1JR(sm_vid, jr_id, partition_num), 0xF); 75f91e65a7SUlises Cardenas sec_out32(CAAM_SMAG2JR(sm_vid, jr_id, partition_num), 0xF); 76f91e65a7SUlises Cardenas sec_out32(CAAM_SMAPJR(sm_vid, jr_id, partition_num), 0xFF); 770200020bSRaul Cardenas 780200020bSRaul Cardenas /* Now need to allocate partition_num of secure RAM. */ 790200020bSRaul Cardenas /* De-Allocate page_num by starting with a page inquiry command */ 800200020bSRaul Cardenas temp_reg = secmem_set_cmd(PAGE(page_num) | CMD_INQUIRY); 810200020bSRaul Cardenas 820200020bSRaul Cardenas /* if the page is owned, de-allocate it */ 830200020bSRaul Cardenas if ((temp_reg & SMCSJR_PO) == PAGE_OWNED) { 840200020bSRaul Cardenas temp_reg = secmem_set_cmd(PAGE(page_num) | CMD_PAGE_DEALLOC); 850200020bSRaul Cardenas if (temp_reg & SMCSJR_AERR) { 860200020bSRaul Cardenas printf("Error: Allocation status 0x%X\n", temp_reg); 870200020bSRaul Cardenas return ERROR_IN_PAGE_ALLOC; 880200020bSRaul Cardenas } 890200020bSRaul Cardenas } 900200020bSRaul Cardenas 910200020bSRaul Cardenas /* Allocate page_num to partition_num */ 920200020bSRaul Cardenas temp_reg = secmem_set_cmd(PAGE(page_num) | PARTITION(partition_num) 930200020bSRaul Cardenas | CMD_PAGE_ALLOC); 940200020bSRaul Cardenas if (temp_reg & SMCSJR_AERR) { 950200020bSRaul Cardenas printf("Error: Allocation status 0x%X\n", temp_reg); 960200020bSRaul Cardenas return ERROR_IN_PAGE_ALLOC; 970200020bSRaul Cardenas } 980200020bSRaul Cardenas /* page inquiry command to ensure that the page was allocated */ 990200020bSRaul Cardenas temp_reg = secmem_set_cmd(PAGE(page_num) | CMD_INQUIRY); 1000200020bSRaul Cardenas 1010200020bSRaul Cardenas /* if the page is not owned => problem */ 1020200020bSRaul Cardenas if ((temp_reg & SMCSJR_PO) != PAGE_OWNED) { 1030200020bSRaul Cardenas printf("Allocation of page %d in partition %d failed 0x%X\n", 1040200020bSRaul Cardenas temp_reg, page_num, partition_num); 1050200020bSRaul Cardenas 1060200020bSRaul Cardenas return ERROR_IN_PAGE_ALLOC; 1070200020bSRaul Cardenas } 1080200020bSRaul Cardenas 1090200020bSRaul Cardenas return 0; 1100200020bSRaul Cardenas } 1110200020bSRaul Cardenas 1120200020bSRaul Cardenas int inline_cnstr_jobdesc_blob_dek(uint32_t *desc, const uint8_t *plain_txt, 1130200020bSRaul Cardenas uint8_t *dek_blob, uint32_t in_sz) 1140200020bSRaul Cardenas { 115f91e65a7SUlises Cardenas ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR; 116f91e65a7SUlises Cardenas uint32_t sm_vid = SM_VERSION(sec_in32(&sec->smvid)); 117f91e65a7SUlises Cardenas uint32_t jr_id = 0; 118f91e65a7SUlises Cardenas 1190200020bSRaul Cardenas uint32_t ret = 0; 1200200020bSRaul Cardenas u32 aad_w1, aad_w2; 1210200020bSRaul Cardenas /* output blob will have 32 bytes key blob in beginning and 1220200020bSRaul Cardenas * 16 byte HMAC identifier at end of data blob */ 1230200020bSRaul Cardenas uint32_t out_sz = in_sz + KEY_BLOB_SIZE + MAC_SIZE; 1240200020bSRaul Cardenas /* Setting HDR for blob */ 1250200020bSRaul Cardenas uint8_t wrapped_key_hdr[8] = {HDR_TAG, 0x00, WRP_HDR_SIZE + out_sz, 1260200020bSRaul Cardenas HDR_PAR, HAB_MOD, HAB_ALG, in_sz, HAB_FLG}; 1270200020bSRaul Cardenas 1280200020bSRaul Cardenas /* initialize the blob array */ 1290200020bSRaul Cardenas memset(dek_blob, 0, out_sz + 8); 1300200020bSRaul Cardenas /* Copy the header into the DEK blob buffer */ 1310200020bSRaul Cardenas memcpy(dek_blob, wrapped_key_hdr, sizeof(wrapped_key_hdr)); 1320200020bSRaul Cardenas 1330200020bSRaul Cardenas /* allocating secure memory */ 1340200020bSRaul Cardenas ret = caam_page_alloc(PAGE_1, PARTITION_1); 1350200020bSRaul Cardenas if (ret) 1360200020bSRaul Cardenas return ret; 1370200020bSRaul Cardenas 1380200020bSRaul Cardenas /* Write DEK to secure memory */ 1390200020bSRaul Cardenas memcpy((uint32_t *)SEC_MEM_PAGE1, (uint32_t *)plain_txt, in_sz); 1400200020bSRaul Cardenas 1410200020bSRaul Cardenas unsigned long start = (unsigned long)SEC_MEM_PAGE1 & 1420200020bSRaul Cardenas ~(ARCH_DMA_MINALIGN - 1); 1430200020bSRaul Cardenas unsigned long end = ALIGN(start + 0x1000, ARCH_DMA_MINALIGN); 1440200020bSRaul Cardenas flush_dcache_range(start, end); 1450200020bSRaul Cardenas 1460200020bSRaul Cardenas /* Now configure the access rights of the partition */ 147f91e65a7SUlises Cardenas sec_out32(CAAM_SMAG1JR(sm_vid, jr_id, PARTITION_1), KS_G1); 148f91e65a7SUlises Cardenas sec_out32(CAAM_SMAG2JR(sm_vid, jr_id, PARTITION_1), 0); 149f91e65a7SUlises Cardenas sec_out32(CAAM_SMAPJR(sm_vid, jr_id, PARTITION_1), PERM); 1500200020bSRaul Cardenas 1510200020bSRaul Cardenas /* construct aad for AES */ 1520200020bSRaul Cardenas aad_w1 = (in_sz << OP_ALG_ALGSEL_SHIFT) | KEY_AES_SRC | LD_CCM_MODE; 1530200020bSRaul Cardenas aad_w2 = 0x0; 1540200020bSRaul Cardenas 1550200020bSRaul Cardenas init_job_desc(desc, 0); 1560200020bSRaul Cardenas 1570200020bSRaul Cardenas append_cmd(desc, CMD_LOAD | CLASS_2 | KEY_IMM | KEY_ENC | 1580200020bSRaul Cardenas (0x0c << LDST_OFFSET_SHIFT) | 0x08); 1590200020bSRaul Cardenas 1600200020bSRaul Cardenas append_u32(desc, aad_w1); 1610200020bSRaul Cardenas 1620200020bSRaul Cardenas append_u32(desc, aad_w2); 1630200020bSRaul Cardenas 1640200020bSRaul Cardenas append_cmd_ptr(desc, (dma_addr_t)SEC_MEM_PAGE1, in_sz, CMD_SEQ_IN_PTR); 1650200020bSRaul Cardenas 1660200020bSRaul Cardenas append_cmd_ptr(desc, (dma_addr_t)dek_blob + 8, out_sz, CMD_SEQ_OUT_PTR); 1670200020bSRaul Cardenas 1680200020bSRaul Cardenas append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB | 1690200020bSRaul Cardenas OP_PCLID_SECMEM); 1700200020bSRaul Cardenas 1710200020bSRaul Cardenas return ret; 1720200020bSRaul Cardenas } 1730200020bSRaul Cardenas #endif 174c5de15cbSRuchika Gupta 175b9eebfadSRuchika Gupta void inline_cnstr_jobdesc_hash(uint32_t *desc, 176b9eebfadSRuchika Gupta const uint8_t *msg, uint32_t msgsz, uint8_t *digest, 177b9eebfadSRuchika Gupta u32 alg_type, uint32_t alg_size, int sg_tbl) 178b9eebfadSRuchika Gupta { 179b9eebfadSRuchika Gupta /* SHA 256 , output is of length 32 words */ 180b9eebfadSRuchika Gupta uint32_t storelen = alg_size; 181b9eebfadSRuchika Gupta u32 options; 182b9eebfadSRuchika Gupta dma_addr_t dma_addr_in, dma_addr_out; 183b9eebfadSRuchika Gupta 184b9eebfadSRuchika Gupta dma_addr_in = virt_to_phys((void *)msg); 185b9eebfadSRuchika Gupta dma_addr_out = virt_to_phys((void *)digest); 186b9eebfadSRuchika Gupta 187b9eebfadSRuchika Gupta init_job_desc(desc, 0); 188b9eebfadSRuchika Gupta append_operation(desc, OP_TYPE_CLASS2_ALG | 189b9eebfadSRuchika Gupta OP_ALG_AAI_HASH | OP_ALG_AS_INITFINAL | 190b9eebfadSRuchika Gupta OP_ALG_ENCRYPT | OP_ALG_ICV_OFF | alg_type); 191b9eebfadSRuchika Gupta 192b9eebfadSRuchika Gupta options = LDST_CLASS_2_CCB | FIFOLD_TYPE_MSG | FIFOLD_TYPE_LAST2; 193b9eebfadSRuchika Gupta if (sg_tbl) 194b9eebfadSRuchika Gupta options |= FIFOLDST_SGF; 195b9eebfadSRuchika Gupta if (msgsz > 0xffff) { 196b9eebfadSRuchika Gupta options |= FIFOLDST_EXT; 197b9eebfadSRuchika Gupta append_fifo_load(desc, dma_addr_in, 0, options); 198b9eebfadSRuchika Gupta append_cmd(desc, msgsz); 199b9eebfadSRuchika Gupta } else { 200b9eebfadSRuchika Gupta append_fifo_load(desc, dma_addr_in, msgsz, options); 201b9eebfadSRuchika Gupta } 202b9eebfadSRuchika Gupta 203b9eebfadSRuchika Gupta append_store(desc, dma_addr_out, storelen, 204b9eebfadSRuchika Gupta LDST_CLASS_2_CCB | LDST_SRCDST_BYTE_CONTEXT); 205b9eebfadSRuchika Gupta } 206511fc86dSRuchika Gupta #ifndef CONFIG_SPL_BUILD 207c5de15cbSRuchika Gupta void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr, 208c5de15cbSRuchika Gupta uint8_t *plain_txt, uint8_t *enc_blob, 209c5de15cbSRuchika Gupta uint32_t in_sz) 210c5de15cbSRuchika Gupta { 211c5de15cbSRuchika Gupta dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out; 212c5de15cbSRuchika Gupta uint32_t key_sz = KEY_IDNFR_SZ_BYTES; 213c5de15cbSRuchika Gupta /* output blob will have 32 bytes key blob in beginning and 214c5de15cbSRuchika Gupta * 16 byte HMAC identifier at end of data blob */ 215c5de15cbSRuchika Gupta uint32_t out_sz = in_sz + KEY_BLOB_SIZE + MAC_SIZE; 216c5de15cbSRuchika Gupta 217c5de15cbSRuchika Gupta dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr); 218c5de15cbSRuchika Gupta dma_addr_in = virt_to_phys((void *)plain_txt); 219c5de15cbSRuchika Gupta dma_addr_out = virt_to_phys((void *)enc_blob); 220c5de15cbSRuchika Gupta 221c5de15cbSRuchika Gupta init_job_desc(desc, 0); 222c5de15cbSRuchika Gupta 223c5de15cbSRuchika Gupta append_key(desc, dma_addr_key_idnfr, key_sz, CLASS_2); 224c5de15cbSRuchika Gupta 225c5de15cbSRuchika Gupta append_seq_in_ptr(desc, dma_addr_in, in_sz, 0); 226c5de15cbSRuchika Gupta 227c5de15cbSRuchika Gupta append_seq_out_ptr(desc, dma_addr_out, out_sz, 0); 228c5de15cbSRuchika Gupta 229c5de15cbSRuchika Gupta append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB); 230c5de15cbSRuchika Gupta } 231c5de15cbSRuchika Gupta 232c5de15cbSRuchika Gupta void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr, 233c5de15cbSRuchika Gupta uint8_t *enc_blob, uint8_t *plain_txt, 234c5de15cbSRuchika Gupta uint32_t out_sz) 235c5de15cbSRuchika Gupta { 236c5de15cbSRuchika Gupta dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out; 237c5de15cbSRuchika Gupta uint32_t key_sz = KEY_IDNFR_SZ_BYTES; 238c5de15cbSRuchika Gupta uint32_t in_sz = out_sz + KEY_BLOB_SIZE + MAC_SIZE; 239c5de15cbSRuchika Gupta 240c5de15cbSRuchika Gupta dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr); 241c5de15cbSRuchika Gupta dma_addr_in = virt_to_phys((void *)enc_blob); 242c5de15cbSRuchika Gupta dma_addr_out = virt_to_phys((void *)plain_txt); 243c5de15cbSRuchika Gupta 244c5de15cbSRuchika Gupta init_job_desc(desc, 0); 245c5de15cbSRuchika Gupta 246c5de15cbSRuchika Gupta append_key(desc, dma_addr_key_idnfr, key_sz, CLASS_2); 247c5de15cbSRuchika Gupta 248c5de15cbSRuchika Gupta append_seq_in_ptr(desc, dma_addr_in, in_sz, 0); 249c5de15cbSRuchika Gupta 250c5de15cbSRuchika Gupta append_seq_out_ptr(desc, dma_addr_out, out_sz, 0); 251c5de15cbSRuchika Gupta 252c5de15cbSRuchika Gupta append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB); 253c5de15cbSRuchika Gupta } 254511fc86dSRuchika Gupta #endif 255c5de15cbSRuchika Gupta /* 256c5de15cbSRuchika Gupta * Descriptor to instantiate RNG State Handle 0 in normal mode and 257c5de15cbSRuchika Gupta * load the JDKEK, TDKEK and TDSK registers 258c5de15cbSRuchika Gupta */ 259dfaec760SLukas Auer void inline_cnstr_jobdesc_rng_instantiation(uint32_t *desc, int handle) 260c5de15cbSRuchika Gupta { 261c5de15cbSRuchika Gupta u32 *jump_cmd; 262c5de15cbSRuchika Gupta 263c5de15cbSRuchika Gupta init_job_desc(desc, 0); 264c5de15cbSRuchika Gupta 265c5de15cbSRuchika Gupta /* INIT RNG in non-test mode */ 266c5de15cbSRuchika Gupta append_operation(desc, OP_TYPE_CLASS1_ALG | OP_ALG_ALGSEL_RNG | 267dfaec760SLukas Auer (handle << OP_ALG_AAI_SHIFT) | OP_ALG_AS_INIT); 268c5de15cbSRuchika Gupta 269dfaec760SLukas Auer /* For SH0, Secure Keys must be generated as well */ 270dfaec760SLukas Auer if (handle == 0) { 271c5de15cbSRuchika Gupta /* wait for done */ 272c5de15cbSRuchika Gupta jump_cmd = append_jump(desc, JUMP_CLASS_CLASS1); 273c5de15cbSRuchika Gupta set_jump_tgt_here(desc, jump_cmd); 274c5de15cbSRuchika Gupta 275c5de15cbSRuchika Gupta /* 276c5de15cbSRuchika Gupta * load 1 to clear written reg: 277dfaec760SLukas Auer * resets the done interrupt and returns the RNG to idle. 278c5de15cbSRuchika Gupta */ 279c5de15cbSRuchika Gupta append_load_imm_u32(desc, 1, LDST_SRCDST_WORD_CLRW); 280c5de15cbSRuchika Gupta 281c5de15cbSRuchika Gupta /* generate secure keys (non-test) */ 282c5de15cbSRuchika Gupta append_operation(desc, OP_TYPE_CLASS1_ALG | OP_ALG_ALGSEL_RNG | 283c5de15cbSRuchika Gupta OP_ALG_RNG4_SK); 284c5de15cbSRuchika Gupta } 285dfaec760SLukas Auer } 28634276478SRuchika Gupta 28734276478SRuchika Gupta /* Change key size to bytes form bits in calling function*/ 28834276478SRuchika Gupta void inline_cnstr_jobdesc_pkha_rsaexp(uint32_t *desc, 28934276478SRuchika Gupta struct pk_in_params *pkin, uint8_t *out, 29034276478SRuchika Gupta uint32_t out_siz) 29134276478SRuchika Gupta { 29234276478SRuchika Gupta dma_addr_t dma_addr_e, dma_addr_a, dma_addr_n, dma_addr_out; 29334276478SRuchika Gupta 29434276478SRuchika Gupta dma_addr_e = virt_to_phys((void *)pkin->e); 29534276478SRuchika Gupta dma_addr_a = virt_to_phys((void *)pkin->a); 29634276478SRuchika Gupta dma_addr_n = virt_to_phys((void *)pkin->n); 29734276478SRuchika Gupta dma_addr_out = virt_to_phys((void *)out); 29834276478SRuchika Gupta 29934276478SRuchika Gupta init_job_desc(desc, 0); 30034276478SRuchika Gupta append_key(desc, dma_addr_e, pkin->e_siz, KEY_DEST_PKHA_E | CLASS_1); 30134276478SRuchika Gupta 30234276478SRuchika Gupta append_fifo_load(desc, dma_addr_a, 30334276478SRuchika Gupta pkin->a_siz, LDST_CLASS_1_CCB | FIFOLD_TYPE_PK_A); 30434276478SRuchika Gupta 30534276478SRuchika Gupta append_fifo_load(desc, dma_addr_n, 30634276478SRuchika Gupta pkin->n_siz, LDST_CLASS_1_CCB | FIFOLD_TYPE_PK_N); 30734276478SRuchika Gupta 30834276478SRuchika Gupta append_operation(desc, OP_TYPE_PK | OP_ALG_PK | OP_ALG_PKMODE_MOD_EXPO); 30934276478SRuchika Gupta 31034276478SRuchika Gupta append_fifo_store(desc, dma_addr_out, out_siz, 31134276478SRuchika Gupta LDST_CLASS_1_CCB | FIFOST_TYPE_PKHA_B); 31234276478SRuchika Gupta } 313