Commit graph

12 commits

Author SHA1 Message Date
Kshitiz Varshney
0d795c356a Uboot RNG Driver using Data Co-processor
This commit introduces Random number generator to uboot. It uses DCP
driver for number generation.
RNG driver can be invoked by using below command on uboot prompt:-
           rng <number of bytes>

Signed-off-by: Kshitiz Varshney <kshitiz.varshney@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
2023-01-12 11:25:46 -05:00
Clement Faure
56d2050f40 imx8m: Add DEK blob encapsulation for imx8m
Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.

To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 20:29:52 +02:00
Breno Lima
30e39ac7c9 imx: imx7 Support for Manufacturing Protection
This code was originally developed by Raul Cardenas <raul.casas@nxp.com>
and modified to be applied in U-Boot imx_v2017.03.

More information about the initial submission can be seen
in the link below:
https://lists.denx.de/pipermail/u-boot/2016-February/245273.html

i.MX7D has an a protection feature for Manufacturing process.
This feature uses asymmetric encryption to sign and verify
authenticated software handled between parties. This command
enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

The manufacturing-protection authentication process can be used to
authenticate the chip to the OEM's server.

Command usage:

Print the public key for the device.
- mfgprot pubk

Generates Signature over given data.
- mfgprot sign <data_address> <data_size>

Signed-off-by: Raul Ulises Cardenas <raul.casas@nxp.com>
Signed-off-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2021-04-08 09:18:29 +02:00
Michael Walle
ea95f2142e crypto/fsl: add RNG support
Register the random number generator with the rng subsystem in u-boot.
This way it can be used by EFI as well as for the 'rng' command.

Signed-off-by: Michael Walle <michael@walle.cc>
Tested-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reviewed-by: Priyanka Jain <priyanka.jain@nxp.com>
2020-07-27 14:16:29 +05:30
Tom Rini
83d290c56f SPDX: Convert all of our single license tags to Linux Kernel style
When U-Boot started using SPDX tags we were among the early adopters and
there weren't a lot of other examples to borrow from.  So we picked the
area of the file that usually had a full license text and replaced it
with an appropriate SPDX-License-Identifier: entry.  Since then, the
Linux Kernel has adopted SPDX tags and they place it as the very first
line in a file (except where shebangs are used, then it's second line)
and with slightly different comment styles than us.

In part due to community overlap, in part due to better tag visibility
and in part for other minor reasons, switch over to that style.

This commit changes all instances where we have a single declared
license in the tag as both the before and after are identical in tag
contents.  There's also a few places where I found we did not have a tag
and have introduced one.

Signed-off-by: Tom Rini <trini@konsulko.com>
2018-05-07 09:34:12 -04:00
Clemens Gruber
4c2cf973aa crypto/fsl: fix obj-yy in Makefile
When enabling CONFIG_CMD_BLOB and/or CONFIG_CMD_DEKBLOB, the build fails
with a linker error:
  ...
  LD      u-boot
arch/arm/mach-imx/built-in.o: In function `blob_encap_dek':
/home/clemens/dev/u-boot/arch/arm/mach-imx/cmd_dek.c:46: undefined
reference to `blob_dek'

This is due to an error in the Makefile, resulting in obj-yy/obj-yn/..
and fsl_blob.o is therefore not linked.

Fix it by splitting it up into two obj-y lines.

Signed-off-by: Clemens Gruber <clemens.gruber@pqgruber.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
2017-09-04 09:02:07 -04:00
Ruchika Gupta
057c220055 Correct License and Copyright information on few files
gpio.h - Added missing copyright in few files.
rsa-mod-exp.h - Corrected copyright in the file.
fsl_sec.h - Added missing license in files
drivers/crypto/fsl/Makefile - Removed the incomplete GPLv2 license and replaced it with GPLv2+ license

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
2015-08-12 20:47:46 -04:00
Raul Cardenas
0200020bc2 imx6: Added DEK blob generator command
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.

During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process,  is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.

Commands added
--------------
  dek_blob - encapsulating DEK as a cryptgraphic blob

Commands Syntax
---------------
  dek_blob src dst len

    Encapsulate and create blob of a len-bits DEK at
    address src and store the result at address dst.

Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: Nitin Garg <nitin.garg@freescale.com>

Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com>

Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
2015-03-02 09:57:06 +01:00
Ruchika Gupta
34276478f7 DM: crypto/fsl - Add Freescale rsa DM driver
Driver added for RSA Modular Exponentiation using Freescale Hardware
Accelerator CAAM. The driver uses UCLASS_MOD_EXP

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
CC: Simon Glass <sjg@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
2015-01-29 17:09:58 -07:00
Ruchika Gupta
0181937fa3 crypto/fsl: Add fixup for crypto node
Era property is added in the crypto node in device tree.
Move the code to do so from arch/powerpc/mpc8xxx/fdt.c to
drivers/sec/sec.c so that it can be used across arm and
powerpc platforms having crypto node.

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
[York Sun: Fix commit message indentation]
Reviewed-by: York Sun <yorksun@freescale.com>
2015-01-23 22:29:14 -06:00
Ruchika Gupta
c5de15cbc8 crypto/fsl: Add command for encapsulating/decapsulating blobs
Freescale's SEC block has built-in Blob Protocol which provides
a method for protecting user-defined data across system power
cycles. SEC block protects data in a data structure called a Blob,
which provides both confidentiality and integrity protection.

Encapsulating data as a blob
Each time that the Blob Protocol is used to protect data, a
different randomly generated key is used to encrypt the data.
This random key is itself encrypted using a key which is derived
from SoC's non volatile secret key and a 16 bit Key identifier.
The resulting encrypted key along with encrypted data is called a blob.
The non volatile secure key is available for use only during secure boot.

During decapsulation, the reverse process is performed to get back
the original data.

Commands added
--------------
    blob enc - encapsulating data as a cryptgraphic blob
    blob dec - decapsulating cryptgraphic blob to get the data

Commands Syntax
---------------
	blob enc src dst len km

	Encapsulate and create blob of data $len bytes long
	at address $src and store the result at address $dst.
	$km is the 16 byte key modifier is also required for
	generation/use as key for cryptographic operation. Key
	modifier should be 16 byte long.

	blob dec src dst len km

	Decapsulate the  blob of data at address $src and
	store result of $len byte at addr $dst.
	$km is the 16 byte key modifier is also required for
	generation/use as key for cryptographic operation. Key
	modifier should be 16 byte long.

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
2014-10-16 14:20:40 -07:00
Ruchika Gupta
b9eebfade9 fsl_sec: Add hardware accelerated SHA256 and SHA1
SHA-256 and SHA-1 accelerated using SEC hardware in Freescale SoC's
The driver for SEC (CAAM) IP is based on linux drivers/crypto/caam.
The platforms needto add the MACRO CONFIG_FSL_CAAM inorder to
enable initialization of this hardware IP.

Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Reviewed-by: York Sun <yorksun@freescale.com>
2014-10-16 14:17:07 -07:00