[PATCH v4 00/14] crypto: allwinner: enable sun8i-ce FIT crypto
James Hilliard
james.hilliard1 at gmail.com
Mon Jul 13 08:42:57 CEST 2026
This series enables Allwinner Crypto Engine backed FIT decryption and FIT
signature/hash validation for secure-boot flows on H6/H616-class boards,
covering both SPL and U-Boot proper.
The purpose is to use CE-backed AES, hash and ECDSA operations on H6/H616
instead of relying only on software crypto paths. CBC decrypts of at
least 256 KiB use both the AES and RAES engines in SPL and U-Boot proper.
Descriptor chains let software prepare and retire one chain while hardware
processes another.
On the H616 test board with the CE at 300 MHz, target-timed and fully
compared 64 MiB AES-256-CBC decrypts completed in 0.114 seconds both out of
place and in place, about 561 MiB/s. Five target-timed 64 MiB SHA-256 runs
completed in 0.333 seconds, about 192 MiB/s.
At a high level this adds:
- SPL driver-model crypto plumbing for AES and hash providers.
- FIT decrypt-to-buffer support and SPL FIT cipher support, so SPL can
decrypt an encrypted U-Boot proper FIT without allocating another full
payload buffer.
- A shared sun8i-ce parent driver with per-channel task sessions and AES
and hash children for H6/H616.
- Parallel AES/RAES CBC decrypt in SPL and U-Boot proper for operations
of at least 256 KiB, using two banks of ten task descriptors per engine
and requesting completion only from each chain tail.
- An H6/H616 ECDSA child for CE-backed FIT signature validation, plus common
ECDSA curve-size and key-encoding fixes for secp224r1, prime256v1,
secp384r1 and secp521r1.
- Driver-model AES and hash provider dispatch with software fallback for
unsupported operations and hard-error propagation.
The AES child supports software-provided AES-128/192/256 keys in ECB and
CBC modes, including exact in-place CBC decrypt. The hash child supports
the CE one-shot MD5/SHA1/SHA256/SHA384/SHA512 methods used by FIT
verification. The ECDSA child exposes the H6/H616 CE ECC verifier through
UCLASS_ECDSA.
Tested flows include:
- SPL loading an encrypted and signed U-Boot proper FIT with CE-backed
AES decryption, hash verification and ECDSA verification.
- U-Boot proper loading an encrypted and signed FIT with CE-backed AES
decryption, hash verification and ECDSA signature verification.
- U-Boot proper AES command paths using the DM AES provider.
- Target-timed 64 MiB AES-256-CBC decrypt both out of place and in place,
with repeated full-buffer comparisons.
- Target-timed 64 MiB SHA-256 hashing with repeated digest comparisons.
- Sandbox provider fallback, hard-error propagation, AES decrypt input
validation and all supported ECDSA curve sizes.
- U-Boot proper CE-backed FIT signature checks with secp224r1,
prime256v1, secp384r1 and secp521r1.
Signed-off-by: James Hilliard <james.hilliard1 at gmail.com>
---
Changes in v4:
- Enable CE ECDSA in SPL and U-Boot proper on both H6 and H616.
- Validate FIT cipher metadata before accessing key parameters.
- Rebase on U-Boot master.
- Try all registered AES and hash providers, preserving hard provider errors
and using software fallback only when no provider supports the operation.
- Treat -EINVAL as a hard provider error and reserve fallback for explicitly
unsupported operations.
- Require SPL_OF_CONTROL for SPL FIT decryption and fix disabled AES stubs.
- Correct AES-192/256 handling in the software DM provider and add provider,
decrypt-input and in-place-decrypt sandbox tests.
- Map SPL FIT destinations after post-processing determines the final size
and size decompression mappings for the maximum output.
- Exercise all supported ECDSA curve sizes in the host FIT signing test.
- Fold per-channel task sessions and engine ownership into the CE parent.
- Trim redundant CE scheduler state and checks, and derive each NIST curve's
a = p - 3 parameter instead of storing duplicate constants.
- Run CBC decrypts of at least 256 KiB across AES and RAES in SPL and
U-Boot proper with double-buffered ten-descriptor chains and tail-only
completion.
- Support exact in-place and aligned-offset dual-engine CBC decrypt.
- Submit ECDSA and hash work on their dedicated completion channels.
- Add target-timed 64 MiB AES-256-CBC and SHA-256 hardware results.
- Link to v3: https://patch.msgid.link/20260709-submit-ce-series-v2-v3-0-5017da8c9bef@gmail.com
Changes in v3:
- Rebase on U-Boot master.
- Add review tags from Svyatoslav Ryhel and Simon Glass.
- Simplify the AES decrypt helper guard and validation flow.
- Document the AES provider in-place CBC decrypt contract.
- Tighten SPL encrypted-FIT buffer handling and error reporting.
- Clean up the SPL DM hash fallback and Kconfig help text.
- Link to v2: https://patch.msgid.link/20260702-submit-ce-series-v2-v2-0-ffda5bed58af@gmail.com
---
James Hilliard (14):
cmd: aes: fix DM operation handling
crypto: hash: use DM providers from hash command
crypto: aes: allow DM AES in SPL
crypto: hash: allow DM hash in SPL
boot: image: try all DM hash providers
crypto: aes: fix software key-size handling
crypto: aes: add software-key provider dispatch
boot: image: add FIT decrypt-to-buffer helper
spl: fit: support encrypted payloads
clk: sunxi: add H6/H616 CE gates and reset
lib: ecdsa: support additional curve sizes
crypto: allwinner: add sun8i-ce AES driver
crypto: allwinner: add sun8i-ce ECDSA verifier
crypto: allwinner: add sun8i-ce hash driver
MAINTAINERS | 1 +
boot/Kconfig | 9 +
boot/image-cipher.c | 45 +-
boot/image-fit.c | 83 +-
cmd/aes.c | 8 +-
common/hash.c | 21 +
common/spl/spl_fit.c | 89 ++-
doc/mkimage.1 | 3 +
doc/usage/fit/signature.rst | 9 +-
drivers/clk/sunxi/clk_h6.c | 5 +
drivers/clk/sunxi/clk_h616.c | 5 +
drivers/crypto/Kconfig | 2 +
drivers/crypto/Makefile | 1 +
drivers/crypto/aes/Kconfig | 8 +
drivers/crypto/aes/aes-sw.c | 49 +-
drivers/crypto/aes/aes-uclass.c | 73 ++
drivers/crypto/allwinner/Kconfig | 3 +
drivers/crypto/allwinner/Makefile | 3 +
drivers/crypto/allwinner/sun8i-ce/Kconfig | 159 ++++
drivers/crypto/allwinner/sun8i-ce/Makefile | 6 +
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-aes.c | 864 +++++++++++++++++++++
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 736 ++++++++++++++++++
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-ecdsa.c | 362 +++++++++
drivers/crypto/allwinner/sun8i-ce/sun8i-ce-hash.c | 238 ++++++
drivers/crypto/allwinner/sun8i-ce/sun8i-ce.h | 98 +++
drivers/crypto/aspeed/aspeed_hace.c | 2 +-
drivers/crypto/aspeed/cptra_sha.c | 2 +-
drivers/crypto/hash/Kconfig | 13 +
drivers/crypto/hash/Makefile | 2 +-
drivers/crypto/hash/hash-uclass.c | 39 +-
drivers/crypto/tegra/tegra_aes.c | 7 +
include/image.h | 39 +-
include/u-boot/aes.h | 27 +-
include/u-boot/ecdsa.h | 22 +
include/u-boot/fdt-libcrypto.h | 6 +-
include/u-boot/hash.h | 24 +-
include/uboot_aes.h | 86 +-
lib/Makefile | 2 +-
lib/aes/aes-decrypt.c | 91 ++-
lib/ecdsa/Kconfig | 2 +-
lib/ecdsa/ecdsa-libcrypto.c | 141 ++--
lib/ecdsa/ecdsa-verify.c | 39 +-
lib/fdt-libcrypto.c | 60 +-
test/dm/Makefile | 1 +
test/dm/aes.c | 256 ++++++
test/dm/hash.c | 143 ++++
test/lib/Makefile | 3 +
test/lib/test_aes_decrypt.c | 89 +++
test/py/tests/test_fit_ecdsa.py | 18 +-
tools/image-sig-host.c | 7 +
50 files changed, 3756 insertions(+), 245 deletions(-)
---
base-commit: 6741b0dfb41dc82a284ab1cff4c58af6ef2f3f9c
change-id: 20260702-submit-ce-series-v2-4a77b170c68c
Best regards,
--
James Hilliard <james.hilliard1 at gmail.com>
More information about the U-Boot
mailing list