From 859f4e02a8fa9be522a5aefcc56a5dd8f702e5be Mon Sep 17 00:00:00 2001 From: Clement Faure Date: Thu, 15 Jun 2023 18:09:11 +0800 Subject: [PATCH] imx: cmd_dek: add ELE DEK Blob generation support Add ELE DEK Blob generation for the cmd_dek command. Signed-off-by: Clement Faure Signed-off-by: Peng Fan --- arch/arm/mach-imx/Kconfig | 7 ++++ arch/arm/mach-imx/cmd_dek.c | 84 +++++++++++++++++++++++++++++++++++++ 2 files changed, 91 insertions(+) diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index 3266545c26..2cca89d4bb 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -86,6 +86,7 @@ config CMD_DEKBLOB select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M select IMX_SECO_DEK_ENCAP if ARCH_IMX8 + select IMX_ELE_DEK_ENCAP if ARCH_IMX8ULP || ARCH_IMX9 help This enables the 'dek_blob' command which is used with the Freescale secure boot mechanism. This command encapsulates and @@ -113,6 +114,12 @@ config IMX_SECO_DEK_ENCAP This enabled the DEK blob encapsulation with the SECO API. This option is only available on imx8. +config IMX_ELE_DEK_ENCAP + bool "Support the DEK blob encapsulation with ELE" + help + This enabled the DEK blob encapsulation with the ELE API. This option + is only available on imx8ulp and imx9. + config CMD_PRIBLOB bool "Support the set_priblob_bitfield command" depends on HAS_CAAM && IMX_HAB diff --git a/arch/arm/mach-imx/cmd_dek.c b/arch/arm/mach-imx/cmd_dek.c index 0be9df521a..6fa5b41fcd 100644 --- a/arch/arm/mach-imx/cmd_dek.c +++ b/arch/arm/mach-imx/cmd_dek.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0+ /* * Copyright 2008-2015 Freescale Semiconductor, Inc. + * Copyright 2022 NXP * * Command for encapsulating DEK blob */ @@ -20,6 +21,11 @@ #include #include #endif +#ifdef CONFIG_IMX_ELE_DEK_ENCAP +#include +#include +#endif + #include /** @@ -284,6 +290,84 @@ error: } #endif /* CONFIG_IMX_SECO_DEK_ENCAP */ +#ifdef CONFIG_IMX_ELE_DEK_ENCAP + +#define DEK_BLOB_HDR_SIZE 8 +#define AHAB_PRIVATE_KEY 0x81 +#define AHAB_DEK_BLOB 0x01 +#define AHAB_ALG_AES 0x03 +#define AHAB_128_AES_KEY 0x10 +#define AHAB_192_AES_KEY 0x18 +#define AHAB_256_AES_KEY 0x20 + +static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len) +{ + u8 in_size, out_size; + u8 *src_ptr, *dst_ptr; + struct generate_key_blob_hdr hdr; + + /* Set sizes */ + in_size = sizeof(struct generate_key_blob_hdr) + len / 8; + out_size = BLOB_SIZE(len / 8) + DEK_BLOB_HDR_SIZE; + + /* Get src and dst virtual addresses */ + src_ptr = map_sysmem(src_addr, in_size); + dst_ptr = map_sysmem(dst_addr, out_size); + + /* Check addr input */ + if (!(src_ptr && dst_ptr)) { + debug("src_addr or dst_addr invalid\n"); + return -1; + } + + /* Build key header */ + hdr.version = 0x0; + hdr.length_lsb = in_size; + hdr.length_msb = 0x00; + hdr.tag = AHAB_PRIVATE_KEY; + hdr.flags = AHAB_DEK_BLOB; + hdr.algorithm = AHAB_ALG_AES; + hdr.mode = 0x0; /* Not used by the ELE */ + + switch (len) { + case 128: + hdr.size = AHAB_128_AES_KEY; + break; + case 192: + hdr.size = AHAB_192_AES_KEY; + break; + case 256: + hdr.size = AHAB_256_AES_KEY; + break; + default: + /* Not supported */ + debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n"); + return -1; + } + + /* Move input key and append blob header */ + memmove((void *)(src_ptr + sizeof(struct generate_key_blob_hdr)), + (void *)src_ptr, len / 8); + memcpy((void *)src_ptr, (void *)&hdr, + sizeof(struct generate_key_blob_hdr)); + + /* Flush the cache */ + flush_dcache_range(src_addr, src_addr + in_size); + flush_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr + + roundup(out_size, ARCH_DMA_MINALIGN))); + + /* Call ELE */ + if (ele_generate_dek_blob(0x00, src_addr, dst_addr, out_size)) + return -1; + + /* Invalidate output buffer */ + invalidate_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr + + roundup(out_size, ARCH_DMA_MINALIGN))); + + return 0; +} +#endif /* CONFIG_IMX_ELE_DEK_ENCAP */ + /** * do_dek_blob() - Handle the "dek_blob" command-line command * @cmdtp: Command data struct pointer