[PATCH 14/30] imx: cmd_dek: add ELE DEK Blob generation support
Peng Fan (OSS)
peng.fan at oss.nxp.com
Fri Jun 2 08:45:51 CEST 2023
From: Clement Faure <clement.faure at nxp.com>
Add ELE DEK Blob generation for the cmd_dek command.
Signed-off-by: Clement Faure <clement.faure at nxp.com>
Signed-off-by: Peng Fan <peng.fan at nxp.com>
---
arch/arm/mach-imx/Kconfig | 7 ++++
arch/arm/mach-imx/cmd_dek.c | 84 +++++++++++++++++++++++++++++++++++++
2 files changed, 91 insertions(+)
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 3266545c266..2cca89d4bb1 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -86,6 +86,7 @@ config CMD_DEKBLOB
select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP
select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M
select IMX_SECO_DEK_ENCAP if ARCH_IMX8
+ select IMX_ELE_DEK_ENCAP if ARCH_IMX8ULP || ARCH_IMX9
help
This enables the 'dek_blob' command which is used with the
Freescale secure boot mechanism. This command encapsulates and
@@ -113,6 +114,12 @@ config IMX_SECO_DEK_ENCAP
This enabled the DEK blob encapsulation with the SECO API. This option
is only available on imx8.
+config IMX_ELE_DEK_ENCAP
+ bool "Support the DEK blob encapsulation with ELE"
+ help
+ This enabled the DEK blob encapsulation with the ELE API. This option
+ is only available on imx8ulp and imx9.
+
config CMD_PRIBLOB
bool "Support the set_priblob_bitfield command"
depends on HAS_CAAM && IMX_HAB
diff --git a/arch/arm/mach-imx/cmd_dek.c b/arch/arm/mach-imx/cmd_dek.c
index 0be9df521a5..6fa5b41fcd3 100644
--- a/arch/arm/mach-imx/cmd_dek.c
+++ b/arch/arm/mach-imx/cmd_dek.c
@@ -1,6 +1,7 @@
// SPDX-License-Identifier: GPL-2.0+
/*
* Copyright 2008-2015 Freescale Semiconductor, Inc.
+ * Copyright 2022 NXP
*
* Command for encapsulating DEK blob
*/
@@ -20,6 +21,11 @@
#include <firmware/imx/sci/sci.h>
#include <asm/mach-imx/image.h>
#endif
+#ifdef CONFIG_IMX_ELE_DEK_ENCAP
+#include <asm/mach-imx/ele_api.h>
+#include <asm/mach-imx/image.h>
+#endif
+
#include <cpu_func.h>
/**
@@ -284,6 +290,84 @@ error:
}
#endif /* CONFIG_IMX_SECO_DEK_ENCAP */
+#ifdef CONFIG_IMX_ELE_DEK_ENCAP
+
+#define DEK_BLOB_HDR_SIZE 8
+#define AHAB_PRIVATE_KEY 0x81
+#define AHAB_DEK_BLOB 0x01
+#define AHAB_ALG_AES 0x03
+#define AHAB_128_AES_KEY 0x10
+#define AHAB_192_AES_KEY 0x18
+#define AHAB_256_AES_KEY 0x20
+
+static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len)
+{
+ u8 in_size, out_size;
+ u8 *src_ptr, *dst_ptr;
+ struct generate_key_blob_hdr hdr;
+
+ /* Set sizes */
+ in_size = sizeof(struct generate_key_blob_hdr) + len / 8;
+ out_size = BLOB_SIZE(len / 8) + DEK_BLOB_HDR_SIZE;
+
+ /* Get src and dst virtual addresses */
+ src_ptr = map_sysmem(src_addr, in_size);
+ dst_ptr = map_sysmem(dst_addr, out_size);
+
+ /* Check addr input */
+ if (!(src_ptr && dst_ptr)) {
+ debug("src_addr or dst_addr invalid\n");
+ return -1;
+ }
+
+ /* Build key header */
+ hdr.version = 0x0;
+ hdr.length_lsb = in_size;
+ hdr.length_msb = 0x00;
+ hdr.tag = AHAB_PRIVATE_KEY;
+ hdr.flags = AHAB_DEK_BLOB;
+ hdr.algorithm = AHAB_ALG_AES;
+ hdr.mode = 0x0; /* Not used by the ELE */
+
+ switch (len) {
+ case 128:
+ hdr.size = AHAB_128_AES_KEY;
+ break;
+ case 192:
+ hdr.size = AHAB_192_AES_KEY;
+ break;
+ case 256:
+ hdr.size = AHAB_256_AES_KEY;
+ break;
+ default:
+ /* Not supported */
+ debug("Invalid DEK size. Valid sizes are 128, 192 and 256b\n");
+ return -1;
+ }
+
+ /* Move input key and append blob header */
+ memmove((void *)(src_ptr + sizeof(struct generate_key_blob_hdr)),
+ (void *)src_ptr, len / 8);
+ memcpy((void *)src_ptr, (void *)&hdr,
+ sizeof(struct generate_key_blob_hdr));
+
+ /* Flush the cache */
+ flush_dcache_range(src_addr, src_addr + in_size);
+ flush_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
+ roundup(out_size, ARCH_DMA_MINALIGN)));
+
+ /* Call ELE */
+ if (ele_generate_dek_blob(0x00, src_addr, dst_addr, out_size))
+ return -1;
+
+ /* Invalidate output buffer */
+ invalidate_dcache_range((ulong)dst_ptr, (ulong)(dst_ptr +
+ roundup(out_size, ARCH_DMA_MINALIGN)));
+
+ return 0;
+}
+#endif /* CONFIG_IMX_ELE_DEK_ENCAP */
+
/**
* do_dek_blob() - Handle the "dek_blob" command-line command
* @cmdtp: Command data struct pointer
--
2.40.0
More information about the U-Boot
mailing list