[PATCH v1 6/6] ARM: tegra: Use AES engine for crypto functions

Sun Jun 29 13:02:03 CEST 2025

From: Ion Agorria <ion at agorria.com>

Previously software based AES encryption was used with previously known
device specific keys (SBK), now that we have AES driver we can simply
delegate this to the engine without prior knowledge of the key (assuming
it is still loaded).

Signed-off-by: Ion Agorria <ion at agorria.com>
---
 arch/arm/include/asm/arch-tegra/crypto.h |  41 +++--
 arch/arm/mach-tegra/Kconfig              |   2 +
 arch/arm/mach-tegra/crypto.c             | 184 ++++++-----------------
 arch/arm/mach-tegra/tegra124/bct.c       |  20 +--
 arch/arm/mach-tegra/tegra20/bct.c        |  20 +--
 arch/arm/mach-tegra/tegra30/bct.c        |  20 +--
 6 files changed, 84 insertions(+), 203 deletions(-)

diff --git a/arch/arm/include/asm/arch-tegra/crypto.h b/arch/arm/include/asm/arch-tegra/crypto.h
index 73e8365a57d..930bc842039 100644
--- a/arch/arm/include/asm/arch-tegra/crypto.h
+++ b/arch/arm/include/asm/arch-tegra/crypto.h
@@ -10,40 +10,33 @@
 #define TEGRA_AES_SLOT_SBK		0
 
 /**
- * Sign a block of data
+ * sign_data_block - Sign a block of data
  *
- * \param source	Source data
- * \param length	Size of source data
- * \param signature	Destination address for signature, AES_KEY_LENGTH bytes
+ * @source		Source data
+ * @length		Size of source data in bytes
+ * @signature		Destination address for signature, AES_KEY_LENGTH bytes
+ * Return:		0 on success, negative value on failure
  */
 int sign_data_block(u8 *source, unsigned int length, u8 *signature);
 
 /**
- * Sign an encrypted block of data
+ * encrypt_data_block - Encrypt a block of data
  *
- * \param source	Source data
- * \param length	Size of source data
- * \param signature	Destination address for signature, AES_KEY_LENGTH bytes
- * \param key		AES128 encryption key
+ * @source		Source data
+ * @dest		Destination data
+ * @length		Size of source data in bytes
+ * Return:		0 on success, negative value on failure
  */
-int sign_enc_data_block(u8 *source, unsigned int length, u8 *signature, u8 *key);
+int encrypt_data_block(u8 *source, u8 *dest, unsigned int length);
 
 /**
- * Encrypt a block of data
+ * decrypt_data_block - Decrypt a block of data
  *
- * \param source	Source data
- * \param length	Size of source data
- * \param key		AES128 encryption key
+ * @source		Source data
+ * @dest		Destination data
+ * @length		Size of source data in bytes
+ * Return:		0 on success, negative value on failure
  */
-int encrypt_data_block(u8 *source, unsigned int length, u8 *key);
-
-/**
- * Decrypt a block of data
- *
- * \param source	Source data
- * \param length	Size of source data
- * \param key		AES128 encryption key
- */
-int decrypt_data_block(u8 *source, unsigned int length, u8 *key);
+int decrypt_data_block(u8 *source, u8 *dest, unsigned int length);
 
 #endif /* #ifndef _CRYPTO_H_ */
diff --git a/arch/arm/mach-tegra/Kconfig b/arch/arm/mach-tegra/Kconfig
index c3c352eceb1..32cdfebfc01 100644
--- a/arch/arm/mach-tegra/Kconfig
+++ b/arch/arm/mach-tegra/Kconfig
@@ -17,7 +17,9 @@ config TEGRA_CLKRST
 
 config TEGRA_CRYPTO
 	bool "Tegra AES128 crypto module"
+	select DM_AES
 	select AES
+	select TEGRA_AES
 
 config TEGRA_GP_PADCTRL
 	bool
diff --git a/arch/arm/mach-tegra/crypto.c b/arch/arm/mach-tegra/crypto.c
index 49e6a45243a..1005c815b36 100644
--- a/arch/arm/mach-tegra/crypto.c
+++ b/arch/arm/mach-tegra/crypto.c
@@ -4,164 +4,68 @@
  * (C) Copyright 2010 - 2011 NVIDIA Corporation <www.nvidia.com>
  */
 
+#include <dm.h>
 #include <log.h>
 #include <linux/errno.h>
 #include <asm/arch-tegra/crypto.h>
 #include "uboot_aes.h"
 
-static u8 zero_key[16];
-
-#define AES_CMAC_CONST_RB 0x87  /* from RFC 4493, Figure 2.2 */
-
-enum security_op {
-	SECURITY_SIGN		= 1 << 0,	/* Sign the data */
-	SECURITY_ENCRYPT	= 1 << 1,	/* Encrypt the data */
-	SECURITY_DECRYPT	= 1 << 2,	/* Dectypt the data */
-};
-
-/**
- * Shift a vector left by one bit
- *
- * \param in	Input vector
- * \param out	Output vector
- * \param size	Length of vector in bytes
- */
-static void left_shift_vector(u8 *in, u8 *out, int size)
+int sign_data_block(u8 *source, unsigned int length, u8 *signature)
 {
-	int carry = 0;
-	int i;
-
-	for (i = size - 1; i >= 0; i--) {
-		out[i] = (in[i] << 1) | carry;
-		carry = in[i] >> 7;	/* get most significant bit */
+	struct udevice *dev;
+	int ret;
+
+	/* Only one AES engine should be present */
+	ret = uclass_get_device(UCLASS_AES, 0, &dev);
+	if (ret) {
+		log_err("%s: failed to get tegra_aes: %d\n", __func__, ret);
+		return ret;
 	}
-}
-
-/**
- * Sign a block of data, putting the result into dst.
- *
- * \param key			Input AES key, length AES128_KEY_LENGTH
- * \param key_schedule		Expanded key to use
- * \param src			Source data of length 'num_aes_blocks' blocks
- * \param dst			Destination buffer, length AES128_KEY_LENGTH
- * \param num_aes_blocks	Number of AES blocks to encrypt
- */
-static void sign_object(u8 *key, u8 *key_schedule, u8 *src, u8 *dst,
-			u32 num_aes_blocks)
-{
-	u8 tmp_data[AES128_KEY_LENGTH];
-	u8 iv[AES128_KEY_LENGTH] = {0};
-	u8 left[AES128_KEY_LENGTH];
-	u8 k1[AES128_KEY_LENGTH];
-	u8 *cbc_chain_data;
-	unsigned int i;
 
-	cbc_chain_data = zero_key;	/* Convenient array of 0's for IV */
+	ret = dm_aes_select_key_slot(dev, 128, TEGRA_AES_SLOT_SBK);
+	if (ret)
+		return ret;
 
-	/* compute K1 constant needed by AES-CMAC calculation */
-	for (i = 0; i < AES128_KEY_LENGTH; i++)
-		tmp_data[i] = 0;
-
-	aes_cbc_encrypt_blocks(AES128_KEY_LENGTH, key_schedule, iv,
-			       tmp_data, left, 1);
-
-	left_shift_vector(left, k1, sizeof(left));
-
-	if ((left[0] >> 7) != 0) /* get MSB of L */
-		k1[AES128_KEY_LENGTH - 1] ^= AES_CMAC_CONST_RB;
-
-	/* compute the AES-CMAC value */
-	for (i = 0; i < num_aes_blocks; i++) {
-		/* Apply the chain data */
-		aes_apply_cbc_chain_data(cbc_chain_data, src, tmp_data);
-
-		/* for the final block, XOR K1 into the IV */
-		if (i == num_aes_blocks - 1)
-			aes_apply_cbc_chain_data(tmp_data, k1, tmp_data);
-
-		/* encrypt the AES block */
-		aes_encrypt(AES128_KEY_LENGTH, tmp_data,
-			    key_schedule, dst);
-
-		debug("sign_obj: block %d of %d\n", i, num_aes_blocks);
-
-		/* Update pointers for next loop. */
-		cbc_chain_data = dst;
-		src += AES128_KEY_LENGTH;
-	}
+	return dm_aes_cmac(dev, source, signature,
+			   DIV_ROUND_UP(length, AES_BLOCK_LENGTH));
 }
 
-/**
- * Decrypt, encrypt or sign a block of data (depending on security mode).
- *
- * \param key		Input AES key, length AES128_KEY_LENGTH
- * \param oper		Security operations mask to perform (enum security_op)
- * \param src		Source data
- * \param length	Size of source data
- * \param sig_dst	Destination address for signature, AES128_KEY_LENGTH bytes
- */
-static int tegra_crypto_core(u8 *key, enum security_op oper, u8 *src,
-			     u32 length, u8 *sig_dst)
+int encrypt_data_block(u8 *source, u8 *dest, unsigned int length)
 {
-	u32 num_aes_blocks;
-	u8 key_schedule[AES128_EXPAND_KEY_LENGTH];
-	u8 iv[AES128_KEY_LENGTH] = {0};
-
-	debug("%s: length = %d\n", __func__, length);
-
-	aes_expand_key(key, AES128_KEY_LENGTH, key_schedule);
-
-	num_aes_blocks = (length + AES128_KEY_LENGTH - 1) / AES128_KEY_LENGTH;
-
-	if (oper & SECURITY_DECRYPT) {
-		/* Perform this in place, resulting in src being decrypted. */
-		debug("%s: begin decryption\n", __func__);
-		aes_cbc_decrypt_blocks(AES128_KEY_LENGTH, key_schedule, iv, src,
-				       src, num_aes_blocks);
-		debug("%s: end decryption\n", __func__);
-	}
-
-	if (oper & SECURITY_ENCRYPT) {
-		/* Perform this in place, resulting in src being encrypted. */
-		debug("%s: begin encryption\n", __func__);
-		aes_cbc_encrypt_blocks(AES128_KEY_LENGTH, key_schedule, iv, src,
-				       src, num_aes_blocks);
-		debug("%s: end encryption\n", __func__);
-	}
-
-	if (oper & SECURITY_SIGN) {
-		/* encrypt the data, overwriting the result in signature. */
-		debug("%s: begin signing\n", __func__);
-		sign_object(key, key_schedule, src, sig_dst, num_aes_blocks);
-		debug("%s: end signing\n", __func__);
+	struct udevice *dev;
+	int ret;
+
+	/* Only one AES engine should be present */
+	ret = uclass_get_device(UCLASS_AES, 0, &dev);
+	if (ret) {
+		log_err("%s: failed to get tegra_aes: %d\n", __func__, ret);
+		return ret;
 	}
 
-	return 0;
-}
+	ret = dm_aes_select_key_slot(dev, 128, TEGRA_AES_SLOT_SBK);
+	if (ret)
+		return ret;
 
-/**
- * Tegra crypto group
- */
-int sign_data_block(u8 *source, unsigned int length, u8 *signature)
-{
-	return tegra_crypto_core(zero_key, SECURITY_SIGN, source,
-				 length, signature);
+	return dm_aes_cbc_encrypt(dev, (u8 *)AES_ZERO_BLOCK, source, dest,
+				  DIV_ROUND_UP(length, AES_BLOCK_LENGTH));
 }
 
-int sign_enc_data_block(u8 *source, unsigned int length, u8 *signature, u8 *key)
+int decrypt_data_block(u8 *source, u8 *dest, unsigned int length)
 {
-	return tegra_crypto_core(key, SECURITY_SIGN, source,
-				 length, signature);
-}
+	struct udevice *dev;
+	int ret;
+
+	/* Only one AES engine should be present */
+	ret = uclass_get_device(UCLASS_AES, 0, &dev);
+	if (ret) {
+		log_err("%s: failed to get tegra_aes: %d\n", __func__, ret);
+		return ret;
+	}
 
-int encrypt_data_block(u8 *source, unsigned int length, u8 *key)
-{
-	return tegra_crypto_core(key, SECURITY_ENCRYPT, source,
-				 length, NULL);
-}
+	ret = dm_aes_select_key_slot(dev, 128, TEGRA_AES_SLOT_SBK);
+	if (ret)
+		return ret;
 
-int decrypt_data_block(u8 *source, unsigned int length, u8 *key)
-{
-	return tegra_crypto_core(key, SECURITY_DECRYPT, source,
-				 length, NULL);
+	return dm_aes_cbc_decrypt(dev, (u8 *)AES_ZERO_BLOCK, source, dest,
+				  DIV_ROUND_UP(length, AES_BLOCK_LENGTH));
 }
diff --git a/arch/arm/mach-tegra/tegra124/bct.c b/arch/arm/mach-tegra/tegra124/bct.c
index a71aa87fce1..26004188444 100644
--- a/arch/arm/mach-tegra/tegra124/bct.c
+++ b/arch/arm/mach-tegra/tegra124/bct.c
@@ -8,12 +8,10 @@
 #include <log.h>
 #include <vsprintf.h>
 #include <asm/arch-tegra/crypto.h>
+#include <asm/arch-tegra/fuse.h>
 #include "bct.h"
 #include "uboot_aes.h"
 
-/* Device with "sbk burned: false" will expose zero key */
-const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
-
 /*
  * @param  bct		boot config table start in RAM
  * @param  ect		bootloader start in RAM
@@ -25,29 +23,25 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	struct nvboot_config_table *bct_tbl = NULL;
 	u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
 	u8 bct_hash[AES128_KEY_LENGTH] = { 0 };
-	u8 sbk[AES128_KEY_LENGTH] = { 0 };
 	u8 *sbct = bct + UBCT_LENGTH;
 	bool encrypted;
 	int ret;
 
 	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
 
-	memcpy(sbk, (u8 *)(bct + UBCT_LENGTH + SBCT_LENGTH),
-	       NVBOOT_CMAC_AES_HASH_LENGTH * 4);
-
-	encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
+	encrypted = tegra_fuse_get_operation_mode() == MODE_ODM_PRODUCTION_SECURE;
 
 	if (encrypted) {
-		ret = decrypt_data_block(sbct, SBCT_LENGTH, sbk);
+		ret = decrypt_data_block(sbct, sbct, SBCT_LENGTH);
 		if (ret)
 			return 1;
 
-		ret = encrypt_data_block(ebt, ebt_size, sbk);
+		ret = encrypt_data_block(ebt, ebt, ebt_size);
 		if (ret)
 			return 1;
 	}
 
-	ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
+	ret = sign_data_block(ebt, ebt_size, ebt_hash);
 	if (ret)
 		return 1;
 
@@ -60,12 +54,12 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	bct_tbl->bootloader[0].length = ebt_size;
 
 	if (encrypted) {
-		ret = encrypt_data_block(sbct, SBCT_LENGTH, sbk);
+		ret = encrypt_data_block(sbct, sbct, SBCT_LENGTH);
 		if (ret)
 			return 1;
 	}
 
-	ret = sign_enc_data_block(sbct, SBCT_LENGTH, bct_hash, sbk);
+	ret = sign_data_block(sbct, SBCT_LENGTH, bct_hash);
 	if (ret)
 		return 1;
 
diff --git a/arch/arm/mach-tegra/tegra20/bct.c b/arch/arm/mach-tegra/tegra20/bct.c
index b647b6b26d2..7a8c2990757 100644
--- a/arch/arm/mach-tegra/tegra20/bct.c
+++ b/arch/arm/mach-tegra/tegra20/bct.c
@@ -8,12 +8,10 @@
 #include <log.h>
 #include <vsprintf.h>
 #include <asm/arch-tegra/crypto.h>
+#include <asm/arch-tegra/fuse.h>
 #include "bct.h"
 #include "uboot_aes.h"
 
-/* Device with "sbk burned: false" will expose zero key */
-const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
-
 /*
  * @param  bct		boot config table start in RAM
  * @param  ect		bootloader start in RAM
@@ -24,7 +22,6 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 {
 	struct nvboot_config_table *bct_tbl = NULL;
 	u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
-	u8 sbk[AES128_KEY_LENGTH] = { 0 };
 	u8 *bct_hash = bct;
 	bool encrypted;
 	int ret;
@@ -33,22 +30,19 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 
 	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
 
-	memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
-	       NVBOOT_CMAC_AES_HASH_LENGTH * 4);
-
-	encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
+	encrypted = tegra_fuse_get_operation_mode() == MODE_ODM_PRODUCTION_SECURE;
 
 	if (encrypted) {
-		ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+		ret = decrypt_data_block(bct, bct, BCT_LENGTH);
 		if (ret)
 			return 1;
 
-		ret = encrypt_data_block(ebt, ebt_size, sbk);
+		ret = encrypt_data_block(ebt, ebt, ebt_size);
 		if (ret)
 			return 1;
 	}
 
-	ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
+	ret = sign_data_block(ebt, ebt_size, ebt_hash);
 	if (ret)
 		return 1;
 
@@ -61,12 +55,12 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	bct_tbl->bootloader[0].length = ebt_size;
 
 	if (encrypted) {
-		ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+		ret = encrypt_data_block(bct, bct, BCT_LENGTH);
 		if (ret)
 			return 1;
 	}
 
-	ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
+	ret = sign_data_block(bct, BCT_LENGTH, bct_hash);
 	if (ret)
 		return 1;
 
diff --git a/arch/arm/mach-tegra/tegra30/bct.c b/arch/arm/mach-tegra/tegra30/bct.c
index 250009ea8d8..92350969488 100644
--- a/arch/arm/mach-tegra/tegra30/bct.c
+++ b/arch/arm/mach-tegra/tegra30/bct.c
@@ -8,12 +8,10 @@
 #include <log.h>
 #include <vsprintf.h>
 #include <asm/arch-tegra/crypto.h>
+#include <asm/arch-tegra/fuse.h>
 #include "bct.h"
 #include "uboot_aes.h"
 
-/* Device with "sbk burned: false" will expose zero key */
-const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
-
 /*
  * @param  bct		boot config table start in RAM
  * @param  ect		bootloader start in RAM
@@ -24,7 +22,6 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 {
 	struct nvboot_config_table *bct_tbl = NULL;
 	u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
-	u8 sbk[AES128_KEY_LENGTH] = { 0 };
 	u8 *bct_hash = bct;
 	bool encrypted;
 	int ret;
@@ -33,22 +30,19 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 
 	ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
 
-	memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
-	       NVBOOT_CMAC_AES_HASH_LENGTH * 4);
-
-	encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
+	encrypted = tegra_fuse_get_operation_mode() == MODE_ODM_PRODUCTION_SECURE;
 
 	if (encrypted) {
-		ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+		ret = decrypt_data_block(bct, bct, BCT_LENGTH);
 		if (ret)
 			return 1;
 
-		ret = encrypt_data_block(ebt, ebt_size, sbk);
+		ret = encrypt_data_block(ebt, ebt, ebt_size);
 		if (ret)
 			return 1;
 	}
 
-	ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
+	ret = sign_data_block(ebt, ebt_size, ebt_hash);
 	if (ret)
 		return 1;
 
@@ -61,12 +55,12 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
 	bct_tbl->bootloader[0].length = ebt_size;
 
 	if (encrypted) {
-		ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+		ret = encrypt_data_block(bct, bct, BCT_LENGTH);
 		if (ret)
 			return 1;
 	}
 
-	ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
+	ret = sign_data_block(bct, BCT_LENGTH, bct_hash);
 	if (ret)
 		return 1;
 
-- 
2.48.1

