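/*
 * SEC Descriptor Construction Library
 * Basic job descriptor construction
 *
 * Copyright 2014 Freescale Semiconductor, Inc.
 *
 * SPDX-License-Identifier:	GPL-2.0+
 *
 */

#include <common.h>
#include <fsl_sec.h>
#include "desc_constr.h"
#include "jobdesc.h"
#include "rsa_caam.h"

#if defined(CONFIG_MX6) || defined(CONFIG_MX7)
/*!
 * Secure memory run command
 *
 * Writes the command word to the secure memory command register selected
 * by the secure memory version and jr_id 0, then polls the matching status
 * register until none of the CMD_COMPLETE bits is set.
 *
 * NOTE(review): the poll has no timeout or iteration bound, so a status
 * register that never clears those bits hangs the caller here. Consider a
 * bounded wait with an error return if the platform offers a timer.
 *
 * @param   sec_mem_cmd  Secure memory command register
 * @return  cmd_status   Secure memory command status register
 */
uint32_t secmem_set_cmd(uint32_t sec_mem_cmd)
{
	uint32_t temp_reg;

	ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
	uint32_t sm_vid = SM_VERSION(sec_in32(&sec->smvid));
	uint32_t jr_id = 0;

	sec_out32(CAAM_SMCJR(sm_vid, jr_id), sec_mem_cmd);

	do {
		temp_reg = sec_in32(CAAM_SMCSJR(sm_vid, jr_id));
	} while (temp_reg & CMD_COMPLETE);

	return temp_reg;
}

/*!
 * CAAM page allocation:
 * Allocates a partition from secure memory, with the id
 * equal to partition_num. This will de-allocate the page
 * if it is already allocated. The partition will have
 * full access permissions. The permissions are set before
 * running a job descriptor. A memory page of secure RAM
 * is allocated for the partition.
 *
 * The access registers are written with 0xF / 0xF / 0xFF, i.e. the
 * partition is left fully open when this function returns. A caller that
 * places key material in the page is expected to narrow those rights
 * itself afterwards.
 *
 * @param   page_num       Number of the page to allocate.
 * @param   partition_num  Number of the partition to allocate.
 * @return  0 on success, ERROR_IN_PAGE_ALLOC otherwise
 */
int caam_page_alloc(uint8_t page_num, uint8_t partition_num)
{
	uint32_t temp_reg;

	ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
	uint32_t sm_vid = SM_VERSION(sec_in32(&sec->smvid));
	uint32_t jr_id = 0;

	/*
	 * De-Allocate partition_num if already allocated to ARM core
	 */
	if (sec_in32(CAAM_SMPO_0) & PARTITION_OWNER(partition_num)) {
		temp_reg = secmem_set_cmd(PARTITION(partition_num) |
					  CMD_PART_DEALLOC);
		if (temp_reg & SMCSJR_AERR) {
			printf("Error: De-allocation status 0x%X\n", temp_reg);
			return ERROR_IN_PAGE_ALLOC;
		}
	}

	/* set the access rights to allow full access */
	sec_out32(CAAM_SMAG1JR(sm_vid, jr_id, partition_num), 0xF);
	sec_out32(CAAM_SMAG2JR(sm_vid, jr_id, partition_num), 0xF);
	sec_out32(CAAM_SMAPJR(sm_vid, jr_id, partition_num), 0xFF);

	/* Now need to allocate partition_num of secure RAM. */
	/* De-Allocate page_num by starting with a page inquiry command */
	temp_reg = secmem_set_cmd(PAGE(page_num) | CMD_INQUIRY);

	/* if the page is owned, de-allocate it */
	if ((temp_reg & SMCSJR_PO) == PAGE_OWNED) {
		temp_reg = secmem_set_cmd(PAGE(page_num) | CMD_PAGE_DEALLOC);
		if (temp_reg & SMCSJR_AERR) {
			/* same message text as the allocation failure below */
			printf("Error: Allocation status 0x%X\n", temp_reg);
			return ERROR_IN_PAGE_ALLOC;
		}
	}

	/* Allocate page_num to partition_num */
	temp_reg = secmem_set_cmd(PAGE(page_num) | PARTITION(partition_num)
				  | CMD_PAGE_ALLOC);
	if (temp_reg & SMCSJR_AERR) {
		printf("Error: Allocation status 0x%X\n", temp_reg);
		return ERROR_IN_PAGE_ALLOC;
	}
	/* page inquiry command to ensure that the page was allocated */
	temp_reg = secmem_set_cmd(PAGE(page_num) | CMD_INQUIRY);

	/* if the page is not owned => problem */
	if ((temp_reg & SMCSJR_PO) != PAGE_OWNED) {
		/* arguments follow the order of the conversions: page, partition, status */
		printf("Allocation of page %d in partition %d failed 0x%X\n",
		       page_num, partition_num, temp_reg);

		return ERROR_IN_PAGE_ALLOC;
	}

	return 0;
}

/*!
 * Build the job descriptor that wraps a DEK into a blob.
 *
 * Writes the 8-byte wrapped-key header to the start of dek_blob, allocates
 * PAGE_1 / PARTITION_1 of secure memory, copies the plaintext DEK into
 * SEC_MEM_PAGE1, narrows the partition access rights and then appends the
 * blob encapsulation commands to desc. The descriptor is only constructed
 * here; nothing in this function submits it.
 *
 * dek_blob must be able to hold in_sz + KEY_BLOB_SIZE + MAC_SIZE + 8 bytes,
 * which is the range cleared below. The function cannot check that.
 *
 * @param   desc       Descriptor buffer to fill.
 * @param   plain_txt  Plaintext DEK, in_sz bytes.
 * @param   dek_blob   Output buffer for header plus blob.
 * @param   in_sz      Size of the plaintext DEK in bytes.
 * @return  0 on success, ERROR_IN_PAGE_ALLOC if the secure memory page
 *          could not be allocated, -1 if in_sz does not fit the one-byte
 *          size fields of the header
 */
int inline_cnstr_jobdesc_blob_dek(uint32_t *desc, const uint8_t *plain_txt,
				  uint8_t *dek_blob, uint32_t in_sz)
{
	ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
	uint32_t sm_vid = SM_VERSION(sec_in32(&sec->smvid));
	uint32_t jr_id = 0;

	uint32_t ret = 0;
	u32 aad_w1, aad_w2;
	uint32_t out_sz;

	/*
	 * The header stores in_sz and WRP_HDR_SIZE + out_sz in one byte
	 * each. Reject sizes that would be truncated there; the first test
	 * also keeps the out_sz sum from wrapping and keeps the copy into
	 * the secure page far below the 0x1000 bytes flushed further down.
	 */
	if (in_sz > 0xFF)
		return -1;

	/* output blob will have 32 bytes key blob in beginning and
	 * 16 byte HMAC identifier at end of data blob */
	out_sz = in_sz + KEY_BLOB_SIZE + MAC_SIZE;
	if (WRP_HDR_SIZE + out_sz > 0xFF)
		return -1;

	/* Setting HDR for blob */
	uint8_t wrapped_key_hdr[8] = {HDR_TAG, 0x00, WRP_HDR_SIZE + out_sz,
			     HDR_PAR, HAB_MOD, HAB_ALG, in_sz, HAB_FLG};

	/* initialize the blob array */
	memset(dek_blob, 0, out_sz + 8);
	/* Copy the header into the DEK blob buffer */
	memcpy(dek_blob, wrapped_key_hdr, sizeof(wrapped_key_hdr));

	/* allocating secure memory */
	ret = caam_page_alloc(PAGE_1, PARTITION_1);
	if (ret)
		return ret;

	/*
	 * Write DEK to secure memory.
	 * NOTE(review): at this point the partition still carries the full
	 * access rights set by caam_page_alloc(); they are narrowed only
	 * after the copy and the cache flush. The plaintext also remains in
	 * the page when this function returns - clearing it once the job
	 * has run is presumably left to the caller, confirm.
	 */
	memcpy((uint32_t *)SEC_MEM_PAGE1, (uint32_t *)plain_txt, in_sz);

	/* flush the cache lines covering 0x1000 bytes from the page start */
	unsigned long start = (unsigned long)SEC_MEM_PAGE1 &
				~(ARCH_DMA_MINALIGN - 1);
	unsigned long end = ALIGN(start + 0x1000, ARCH_DMA_MINALIGN);
	flush_dcache_range(start, end);

	/* Now configure the access rights of the partition */
	sec_out32(CAAM_SMAG1JR(sm_vid, jr_id, PARTITION_1), KS_G1);
	sec_out32(CAAM_SMAG2JR(sm_vid, jr_id, PARTITION_1), 0);
	sec_out32(CAAM_SMAPJR(sm_vid, jr_id, PARTITION_1), PERM);

	/* construct aad for AES */
	aad_w1 = (in_sz << OP_ALG_ALGSEL_SHIFT) | KEY_AES_SRC | LD_CCM_MODE;
	aad_w2 = 0x0;

	init_job_desc(desc, 0);

	append_cmd(desc, CMD_LOAD | CLASS_2 | KEY_IMM | KEY_ENC |
				(0x0c << LDST_OFFSET_SHIFT) | 0x08);

	append_u32(desc, aad_w1);

	append_u32(desc, aad_w2);

	append_cmd_ptr(desc, (dma_addr_t)SEC_MEM_PAGE1, in_sz, CMD_SEQ_IN_PTR);

	/* the blob is written behind the 8-byte header */
	append_cmd_ptr(desc, (dma_addr_t)dek_blob + 8, out_sz, CMD_SEQ_OUT_PTR);

	append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB |
						OP_PCLID_SECMEM);

	return ret;
}
#endif

/*
 * Build a class 2 hash descriptor: one INITFINAL operation of alg_type
 * over msg, followed by a store of alg_size from the class 2 context to
 * digest.
 *
 * msg and digest are translated with virt_to_phys() and handed to the
 * hardware as DMA addresses. If sg_tbl is non-zero the input is flagged
 * as a scatter/gather table. digest must be large enough for the store
 * length; nothing here checks it.
 */
void inline_cnstr_jobdesc_hash(uint32_t *desc,
			  const uint8_t *msg, uint32_t msgsz, uint8_t *digest,
			  u32 alg_type, uint32_t alg_size, int sg_tbl)
{
	/*
	 * Store length is whatever the caller passes as alg_size
	 * (presumably the digest size in bytes, e.g. 32 for SHA-256 -
	 * confirm against the callers).
	 */
	uint32_t storelen = alg_size;
	u32 options;
	dma_addr_t dma_addr_in, dma_addr_out;

	dma_addr_in = virt_to_phys((void *)msg);
	dma_addr_out = virt_to_phys((void *)digest);

	init_job_desc(desc, 0);
	append_operation(desc, OP_TYPE_CLASS2_ALG |
			 OP_ALG_AAI_HASH | OP_ALG_AS_INITFINAL |
			 OP_ALG_ENCRYPT | OP_ALG_ICV_OFF | alg_type);

	options = LDST_CLASS_2_CCB | FIFOLD_TYPE_MSG | FIFOLD_TYPE_LAST2;
	if (sg_tbl)
		options |= FIFOLDST_SGF;
	if (msgsz > 0xffff) {
		/* length above 0xffff: extended form, length in its own word */
		options |= FIFOLDST_EXT;
		append_fifo_load(desc, dma_addr_in, 0, options);
		append_cmd(desc, msgsz);
	} else {
		append_fifo_load(desc, dma_addr_in, msgsz, options);
	}

	append_store(desc, dma_addr_out, storelen,
		     LDST_CLASS_2_CCB | LDST_SRCDST_BYTE_CONTEXT);
}
#ifndef CONFIG_SPL_BUILD
/*
 * Build the descriptor that encapsulates in_sz bytes of plain_txt into a
 * blob at enc_blob, keyed with the KEY_IDNFR_SZ_BYTES long key_idnfr.
 *
 * enc_blob must hold in_sz + KEY_BLOB_SIZE + MAC_SIZE bytes. The sum is
 * computed in 32 bits without an overflow check, and the function has no
 * way to report an error, so bounding in_sz is up to the caller.
 */
void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr,
				     uint8_t *plain_txt, uint8_t *enc_blob,
				     uint32_t in_sz)
{
	dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out;
	uint32_t key_sz = KEY_IDNFR_SZ_BYTES;
	/* output blob will have 32 bytes key blob in beginning and
	 * 16 byte HMAC identifier at end of data blob */
	uint32_t out_sz = in_sz + KEY_BLOB_SIZE + MAC_SIZE;

	dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr);
	dma_addr_in	= virt_to_phys((void *)plain_txt);
	dma_addr_out	= virt_to_phys((void *)enc_blob);

	init_job_desc(desc, 0);

	append_key(desc, dma_addr_key_idnfr, key_sz, CLASS_2);

	append_seq_in_ptr(desc, dma_addr_in, in_sz, 0);

	append_seq_out_ptr(desc, dma_addr_out, out_sz, 0);

	append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB);
}

/*
 * Build the descriptor that decapsulates the blob at enc_blob into
 * out_sz bytes of plain_txt, keyed with the KEY_IDNFR_SZ_BYTES long
 * key_idnfr.
 *
 * The input length is derived as out_sz + KEY_BLOB_SIZE + MAC_SIZE, so
 * enc_blob must really be that long and plain_txt must hold out_sz bytes.
 * As in the encapsulation counterpart the sum is not checked for wrap.
 */
void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr,
				     uint8_t *enc_blob, uint8_t *plain_txt,
				     uint32_t out_sz)
{
	dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out;
	uint32_t key_sz = KEY_IDNFR_SZ_BYTES;
	uint32_t in_sz = out_sz + KEY_BLOB_SIZE + MAC_SIZE;

	dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr);
	dma_addr_in	= virt_to_phys((void *)enc_blob);
	dma_addr_out	= virt_to_phys((void *)plain_txt);

	init_job_desc(desc, 0);

	append_key(desc, dma_addr_key_idnfr, key_sz, CLASS_2);

	append_seq_in_ptr(desc, dma_addr_in, in_sz, 0);

	append_seq_out_ptr(desc, dma_addr_out, out_sz, 0);

	append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
}
#endif
/*
 * Descriptor to instantiate an RNG state handle in normal (non-test) mode.
 * For state handle 0 the descriptor additionally generates the secure
 * keys (JDKEK, TDKEK and TDSK registers).
 *
 * handle is shifted into the operation word as given; it is not range
 * checked here, so the caller has to pass a valid, non-negative state
 * handle index.
 */
void inline_cnstr_jobdesc_rng_instantiation(uint32_t *desc, int handle)
{
	u32 *jump_cmd;

	init_job_desc(desc, 0);

	/* INIT RNG in non-test mode */
	append_operation(desc, OP_TYPE_CLASS1_ALG | OP_ALG_ALGSEL_RNG |
			 (handle << OP_ALG_AAI_SHIFT) | OP_ALG_AS_INIT);

	/* For SH0, Secure Keys must be generated as well */
	if (handle == 0) {
		/* wait for done */
		jump_cmd = append_jump(desc, JUMP_CLASS_CLASS1);
		set_jump_tgt_here(desc, jump_cmd);

		/*
		 * load 1 to clear written reg:
		 * resets the done interrupt and returns the RNG to idle.
		 */
		append_load_imm_u32(desc, 1, LDST_SRCDST_WORD_CLRW);

		/* generate secure keys (non-test) */
		append_operation(desc, OP_TYPE_CLASS1_ALG | OP_ALG_ALGSEL_RNG |
				 OP_ALG_RNG4_SK);
	}
}

/*
 * Build the PKHA modular exponentiation descriptor used for RSA:
 * loads pkin->e as the PKHA E key, pkin->a and pkin->n through the
 * input FIFO, runs MOD_EXPO and stores out_siz bytes of the result to out.
 *
 * Change key size to bytes from bits in calling function: the *_siz
 * members and out_siz are passed to the hardware unchanged.
 * NOTE(review): out_siz is not compared with pkin->n_siz here - confirm
 * the caller sizes out accordingly.
 */
void inline_cnstr_jobdesc_pkha_rsaexp(uint32_t *desc,
				      struct pk_in_params *pkin, uint8_t *out,
				      uint32_t out_siz)
{
	dma_addr_t dma_addr_e, dma_addr_a, dma_addr_n, dma_addr_out;

	dma_addr_e = virt_to_phys((void *)pkin->e);
	dma_addr_a = virt_to_phys((void *)pkin->a);
	dma_addr_n = virt_to_phys((void *)pkin->n);
	dma_addr_out = virt_to_phys((void *)out);

	init_job_desc(desc, 0);
	append_key(desc, dma_addr_e, pkin->e_siz, KEY_DEST_PKHA_E | CLASS_1);

	append_fifo_load(desc, dma_addr_a,
			 pkin->a_siz, LDST_CLASS_1_CCB | FIFOLD_TYPE_PK_A);

	append_fifo_load(desc, dma_addr_n,
			 pkin->n_siz, LDST_CLASS_1_CCB | FIFOLD_TYPE_PK_N);

	append_operation(desc, OP_TYPE_PK | OP_ALG_PK | OP_ALG_PKMODE_MOD_EXPO);

	append_fifo_store(desc, dma_addr_out, out_siz,
			  LDST_CLASS_1_CCB | FIFOST_TYPE_PKHA_B);
}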