[PATCH v2] crypto/fsl: Add support for black key blob
Gaurav Jain
gaurav.jain at nxp.com
Wed Sep 28 12:39:52 CEST 2022
modified caam descriptor to support black key blob.
Signed-off-by: Gaurav Jain <gaurav.jain at nxp.com>
---
changes in v2:
- rebase to latest
cmd/blob.c | 12 ++++++++----
drivers/crypto/fsl/desc.h | 1 +
drivers/crypto/fsl/fsl_blob.c | 21 +++++++++++++--------
drivers/crypto/fsl/jobdesc.c | 24 +++++++++++++++++++-----
drivers/crypto/fsl/jobdesc.h | 8 ++++++--
5 files changed, 47 insertions(+), 19 deletions(-)
diff --git a/cmd/blob.c b/cmd/blob.c
index e2efae7a11..5c459b6f19 100644
--- a/cmd/blob.c
+++ b/cmd/blob.c
@@ -21,10 +21,12 @@
* @src: - Address of data to be decapsulated
* @dst: - Address of data to be decapsulated
* @len: - Size of data to be decapsulated
+ * @keycolor - Determines if the source data is covered (black key) or
+ * plaintext.
*
* Returns zero on success,and negative on error.
*/
-__weak int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
+__weak int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len, u8 keycolor)
{
return 0;
}
@@ -35,10 +37,12 @@ __weak int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
* @src: - Address of data to be encapsulated
* @dst: - Address of data to be encapsulated
* @len: - Size of data to be encapsulated
+ * @keycolor - Determines if the source data is covered (black key) or
+ * plaintext.
*
* Returns zero on success,and negative on error.
*/
-__weak int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
+__weak int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len, u8 keycolor)
{
return 0;
}
@@ -91,9 +95,9 @@ static int do_blob(struct cmd_tbl *cmdtp, int flag, int argc,
#endif
if (enc)
- ret = blob_encap(km_ptr, src_ptr, dst_ptr, len);
+ ret = blob_encap(km_ptr, src_ptr, dst_ptr, len, 0);
else
- ret = blob_decap(km_ptr, src_ptr, dst_ptr, len);
+ ret = blob_decap(km_ptr, src_ptr, dst_ptr, len, 0);
return ret;
}
diff --git a/drivers/crypto/fsl/desc.h b/drivers/crypto/fsl/desc.h
index 5705c4f944..4c148a2fc4 100644
--- a/drivers/crypto/fsl/desc.h
+++ b/drivers/crypto/fsl/desc.h
@@ -435,6 +435,7 @@
/* Assuming OP_TYPE = OP_TYPE_UNI_PROTOCOL */
#define OP_PCLID_SECMEM 0x08
#define OP_PCLID_BLOB (0x0d << OP_PCLID_SHIFT)
+#define OP_PCL_BLOB_BLACK 0x0004
#define OP_PCLID_SECRETKEY (0x11 << OP_PCLID_SHIFT)
#define OP_PCLID_PUBLICKEYPAIR (0x14 << OP_PCLID_SHIFT)
#define OP_PCLID_DSA_SIGN (0x15 << OP_PCLID_SHIFT)
diff --git a/drivers/crypto/fsl/fsl_blob.c b/drivers/crypto/fsl/fsl_blob.c
index 9b6e4bca06..034e6ae5df 100644
--- a/drivers/crypto/fsl/fsl_blob.c
+++ b/drivers/crypto/fsl/fsl_blob.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright 2014 Freescale Semiconductor, Inc.
+ * Copyright 2022 NXP
*
*/
@@ -22,13 +23,15 @@
* @src: - Source address (blob)
* @dst: - Destination address (data)
* @len: - Size of decapsulated data
+ * @keycolor - Determines if the source data is covered (black key) or
+ * plaintext.
*
* Note: Start and end of the key_mod, src and dst buffers have to be aligned to
* the cache line size (ARCH_DMA_MINALIGN) for the CAAM operation to succeed.
*
* Returns zero on success, negative on error.
*/
-int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
+int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len, u8 keycolor)
{
int ret, size, i = 0;
u32 *desc;
@@ -55,7 +58,7 @@ int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
flush_dcache_range((unsigned long)src,
(unsigned long)src + size);
- inline_cnstr_jobdesc_blob_decap(desc, key_mod, src, dst, len);
+ inline_cnstr_jobdesc_blob_decap(desc, key_mod, src, dst, len, keycolor);
debug("Descriptor dump:\n");
for (i = 0; i < 14; i++)
@@ -65,8 +68,8 @@ int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
flush_dcache_range((unsigned long)desc,
(unsigned long)desc + size);
- flush_dcache_range((unsigned long)dst,
- (unsigned long)dst + size);
+ size = ALIGN(len, ARCH_DMA_MINALIGN);
+ invalidate_dcache_range((unsigned long)dst, (unsigned long)dst + size);
ret = run_descriptor_jr(desc);
@@ -94,13 +97,15 @@ int blob_decap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
* @src: - Source address (data)
* @dst: - Destination address (blob)
* @len: - Size of data to be encapsulated
+ * @keycolor - Determines if the source data is covered (black key) or
+ * plaintext.
*
* Note: Start and end of the key_mod, src and dst buffers have to be aligned to
* the cache line size (ARCH_DMA_MINALIGN) for the CAAM operation to succeed.
*
* Returns zero on success, negative on error.
*/
-int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
+int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len, u8 keycolor)
{
int ret, size, i = 0;
u32 *desc;
@@ -127,7 +132,7 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
flush_dcache_range((unsigned long)src,
(unsigned long)src + size);
- inline_cnstr_jobdesc_blob_encap(desc, key_mod, src, dst, len);
+ inline_cnstr_jobdesc_blob_encap(desc, key_mod, src, dst, len, keycolor);
debug("Descriptor dump:\n");
for (i = 0; i < 14; i++)
@@ -137,8 +142,8 @@ int blob_encap(u8 *key_mod, u8 *src, u8 *dst, u32 len)
flush_dcache_range((unsigned long)desc,
(unsigned long)desc + size);
- flush_dcache_range((unsigned long)dst,
- (unsigned long)dst + size);
+ size = ALIGN(BLOB_SIZE(len), ARCH_DMA_MINALIGN);
+ invalidate_dcache_range((unsigned long)dst, (unsigned long)dst + size);
ret = run_descriptor_jr(desc);
diff --git a/drivers/crypto/fsl/jobdesc.c b/drivers/crypto/fsl/jobdesc.c
index 542b1652d8..1280e6122e 100644
--- a/drivers/crypto/fsl/jobdesc.c
+++ b/drivers/crypto/fsl/jobdesc.c
@@ -4,7 +4,7 @@
* Basic job descriptor construction
*
* Copyright 2014 Freescale Semiconductor, Inc.
- * Copyright 2018 NXP
+ * Copyright 2018, 2022 NXP
*
*/
@@ -210,13 +210,14 @@ void inline_cnstr_jobdesc_hash(uint32_t *desc,
#ifndef CONFIG_SPL_BUILD
void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr,
uint8_t *plain_txt, uint8_t *enc_blob,
- uint32_t in_sz)
+ uint32_t in_sz, uint8_t keycolor)
{
caam_dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out;
uint32_t key_sz = KEY_IDNFR_SZ_BYTES;
/* output blob will have 32 bytes key blob in beginning and
* 16 byte HMAC identifier at end of data blob */
uint32_t out_sz = in_sz + KEY_BLOB_SIZE + MAC_SIZE;
+ uint32_t bk_store;
dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr);
dma_addr_in = virt_to_phys((void *)plain_txt);
@@ -230,16 +231,23 @@ void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr,
append_seq_out_ptr(desc, dma_addr_out, out_sz, 0);
- append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB);
+ bk_store = OP_PCLID_BLOB;
+
+ /* An input black key cannot be stored in a red blob */
+ if (keycolor == BLACK_KEY)
+ bk_store |= OP_PCL_BLOB_BLACK;
+
+ append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | bk_store);
}
void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr,
uint8_t *enc_blob, uint8_t *plain_txt,
- uint32_t out_sz)
+ uint32_t out_sz, uint8_t keycolor)
{
caam_dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out;
uint32_t key_sz = KEY_IDNFR_SZ_BYTES;
uint32_t in_sz = out_sz + KEY_BLOB_SIZE + MAC_SIZE;
+ uint32_t bk_store;
dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr);
dma_addr_in = virt_to_phys((void *)enc_blob);
@@ -253,7 +261,13 @@ void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr,
append_seq_out_ptr(desc, dma_addr_out, out_sz, 0);
- append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
+ bk_store = OP_PCLID_BLOB;
+
+ /* An input black key cannot be stored in a red blob */
+ if (keycolor == BLACK_KEY)
+ bk_store |= OP_PCL_BLOB_BLACK;
+
+ append_operation(desc, OP_TYPE_DECAP_PROTOCOL | bk_store);
}
#endif
/*
diff --git a/drivers/crypto/fsl/jobdesc.h b/drivers/crypto/fsl/jobdesc.h
index c4501abd26..99ac049c3e 100644
--- a/drivers/crypto/fsl/jobdesc.h
+++ b/drivers/crypto/fsl/jobdesc.h
@@ -1,6 +1,7 @@
/* SPDX-License-Identifier: GPL-2.0+ */
/*
* Copyright 2014 Freescale Semiconductor, Inc.
+ * Copyright 2022 NXP
*
*/
@@ -13,6 +14,9 @@
#define KEY_IDNFR_SZ_BYTES 16
+/* Encrypted key */
+#define BLACK_KEY 1
+
#ifdef CONFIG_CMD_DEKBLOB
/* inline_cnstr_jobdesc_blob_dek:
* Intializes and constructs the job descriptor for DEK encapsulation
@@ -33,11 +37,11 @@ void inline_cnstr_jobdesc_hash(uint32_t *desc,
void inline_cnstr_jobdesc_blob_encap(uint32_t *desc, uint8_t *key_idnfr,
uint8_t *plain_txt, uint8_t *enc_blob,
- uint32_t in_sz);
+ uint32_t in_sz, uint8_t keycolor);
void inline_cnstr_jobdesc_blob_decap(uint32_t *desc, uint8_t *key_idnfr,
uint8_t *enc_blob, uint8_t *plain_txt,
- uint32_t out_sz);
+ uint32_t out_sz, uint8_t keycolor);
void inline_cnstr_jobdesc_rng_instantiation(u32 *desc, int handle, int do_sk);
--
2.25.1
More information about the U-Boot
mailing list