imx: cmd_dek: add ELE DEK Blob generation support

Add ELE DEK Blob generation for the cmd_dek command. Signed-off-by: Clement Faure <clement.faure@nxp.com> Signed-off-by: Peng Fan <peng.fan@nxp.com>
2024-11-13 08:27:23 +00:00 · 2023-06-15 18:09:11 +08:00 · 2023-06-15 18:09:11 +08:00 · 859f4e02a8
commit 859f4e02a8
parent f0e974e1e4
2 changed files with 91 additions and 0 deletions
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@ -86,6 +86,7 @@ config CMD_DEKBLOB
 	select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP
 	select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M
 	select IMX_SECO_DEK_ENCAP if ARCH_IMX8
+	select IMX_ELE_DEK_ENCAP if ARCH_IMX8ULP || ARCH_IMX9
 	help
 	  This enables the 'dek_blob' command which is used with the
 	  Freescale secure boot mechanism. This command encapsulates and
@ -113,6 +114,12 @@ config IMX_SECO_DEK_ENCAP
 	  This enabled the DEK blob encapsulation with the SECO API. This option
 	  is only available on imx8.

+config IMX_ELE_DEK_ENCAP
+	bool "Support the DEK blob encapsulation with ELE"
+	help
+	  This enabled the DEK blob encapsulation with the ELE API. This option
+	  is only available on imx8ulp and imx9.
+
 config CMD_PRIBLOB
 	bool "Support the set_priblob_bitfield command"
 	depends on HAS_CAAM && IMX_HAB
--- a/arch/arm/mach-imx/cmd_dek.c
+++ b/arch/arm/mach-imx/cmd_dek.c
@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0+
 /*
 * Copyright 2008-2015 Freescale Semiconductor, Inc.
+ * Copyright 2022 NXP
 *
 * Command for encapsulating DEK blob
 */
@ -20,6 +21,11 @@
 #include <firmware/imx/sci/sci.h>
 #include <asm/mach-imx/image.h>
 #endif
+#ifdef CONFIG_IMX_ELE_DEK_ENCAP
+#include <asm/mach-imx/ele_api.h>
+#include <asm/mach-imx/image.h>
+#endif
+
 #include <cpu_func.h>

 /**
@ -284,6 +290,84 @@ error:
 }
 #endif /* CONFIG_IMX_SECO_DEK_ENCAP */

+#ifdef CONFIG_IMX_ELE_DEK_ENCAP
+
+#define DEK_BLOB_HDR_SIZE 8
+#define AHAB_PRIVATE_KEY 0x81
+#define AHAB_DEK_BLOB	 0x01
+#define AHAB_ALG_AES	 0x03
+#define AHAB_128_AES_KEY 0x10
+#define AHAB_192_AES_KEY 0x18
+#define AHAB_256_AES_KEY 0x20
+
+static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
+{
+	u8 in_size, out_size;
+	u8 *src_ptr, *dst_ptr;
+	struct generate_key_blob_hdr hdr;
+
+	/* Set sizes */
+	in_size = sizeof(struct generate_key_blob_hdr) + len / 8;
+	out_size = BLOB_SIZE(len / 8) + DEK_BLOB_HDR_SIZE;
+
+	/* Get src and dst virtual addresses */
+	src_ptr = map_sysmem(src_addr, in_size);
+	dst_ptr = map_sysmem(dst_addr, out_size);
+
+	/* Check addr input */
+	if (!(src_ptr && dst_ptr)) {
+		debug("src_addr or dst_addr invalid\n");
+		return -1;
+	}
+
+	/* Build key header */
+	hdr.version = 0x0;
+	hdr.length_lsb = in_size;
+	hdr.length_msb = 0x00;
+	hdr.tag = AHAB_PRIVATE_KEY;
+	hdr.flags = AHAB_DEK_BLOB;
+	hdr.algorithm = AHAB_ALG_AES;
+	hdr.mode = 0x0; /* Not used by the ELE */
+
+	switch (len) {
+	case 128:
+		hdr.size = AHAB_128_AES_KEY;
+		break;
+	case 192:
+		hdr.size = AHAB_192_AES_KEY;
+		break;
+	case 256:
+		hdr.size = AHAB_256_AES_KEY;
+		break;
+	default:
+		/* Not supported */
+		debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
+		return -1;
+	}
+
+	/* Move input key and append blob header */
+	memmove((void *)(src_ptr + sizeof(struct generate_key_blob_hdr)),
+		(void *)src_ptr, len / 8);
+	memcpy((void *)src_ptr, (void *)&hdr,
+	       sizeof(struct generate_key_blob_hdr));
+
+	/* Flush the cache */
+	flush_dcache_range(src_addr, src_addr + in_size);
+	flush_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
+			roundup(out_size, ARCH_DMA_MINALIGN)));
+
+	/* Call ELE */
+	if (ele_generate_dek_blob(0x00, src_addr, dst_addr, out_size))
+		return -1;
+
+	/* Invalidate output buffer */
+	invalidate_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
+			roundup(out_size, ARCH_DMA_MINALIGN)));
+
+	return 0;
+}
+#endif /* CONFIG_IMX_ELE_DEK_ENCAP */
+
 /**
 * do_dek_blob() - Handle the "dek_blob" command-line command
 * @cmdtp:  Command data struct pointer