From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Cc: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Subject: [PATCH 7/7] crypto: caam: add blobgen driver
Date: Fri, 12 Apr 2019 12:15:02 +0200 [thread overview]
Message-ID: <20190412101502.11904-8-s.hauer@pengutronix.de> (raw)
In-Reply-To: <20190412101502.11904-1-s.hauer@pengutronix.de>
From: Steffen Trumtrar <s.trumtrar@pengutronix.de>
The blobgen driver allows generating and reading of red blobs on the
i.MX6 CAAM crypto core.
Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
drivers/crypto/caam/Makefile | 1 +
drivers/crypto/caam/caam-blobgen.c | 229 +++++++++++++++++++++++++++++
drivers/crypto/caam/ctrl.c | 9 ++
drivers/crypto/caam/intern.h | 1 +
4 files changed, 240 insertions(+)
create mode 100644 drivers/crypto/caam/caam-blobgen.c
diff --git a/drivers/crypto/caam/Makefile b/drivers/crypto/caam/Makefile
index 7bd6f3e23c..933b9c0592 100644
--- a/drivers/crypto/caam/Makefile
+++ b/drivers/crypto/caam/Makefile
@@ -4,3 +4,4 @@
obj-$(CONFIG_CRYPTO_DEV_FSL_CAAM) += ctrl.o error.o jr.o
obj-$(CONFIG_CRYPTO_DEV_FSL_CAAM_RNG) += caamrng.o
obj-$(CONFIG_CRYPTO_DEV_FSL_CAAM_RNG_SELF_TEST) += rng_self_test.o
+obj-$(CONFIG_BLOBGEN) += caam-blobgen.o
diff --git a/drivers/crypto/caam/caam-blobgen.c b/drivers/crypto/caam/caam-blobgen.c
new file mode 100644
index 0000000000..acbe5a110d
--- /dev/null
+++ b/drivers/crypto/caam/caam-blobgen.c
@@ -0,0 +1,229 @@
+/*
+ * Copyright (C) 2015 Pengutronix, Steffen Trumtrar <kernel@pengutronix.de>
+ *
+ * This program is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License version 2 as published by the
+ * Free Software Foundation.
+ */
+#include <common.h>
+#include <asm/io.h>
+#include <base64.h>
+#include <blobgen.h>
+#include <crypto.h>
+#include <dma.h>
+#include <driver.h>
+#include <init.h>
+#include <fs.h>
+#include <fcntl.h>
+#include "intern.h"
+#include "desc.h"
+#include "desc_constr.h"
+#include "error.h"
+#include "jr.h"
+
+/*
+ * Upon completion, desc points to a buffer containing a CAAM job
+ * descriptor which encapsulates data into an externally-storable
+ * blob.
+ */
+#define INITIAL_DESCSZ 16
+/* 32 bytes key blob + 16 bytes HMAC identifier */
+#define BLOB_OVERHEAD (32 + 16)
+#define KEYMOD_LENGTH 16
+#define RED_BLOB_LENGTH 64
+#define MAX_BLOB_LEN 4096
+#define DESC_LEN 64
+
+struct blob_job_result {
+ int err;
+};
+
+struct blob_priv {
+ struct blobgen bg;
+ u32 desc[DESC_LEN];
+ dma_addr_t dma_modifier;
+ dma_addr_t dma_plaintext;
+ dma_addr_t dma_ciphertext;
+};
+
+static struct blob_priv *to_blob_priv(struct blobgen *bg)
+{
+ return container_of(bg, struct blob_priv, bg);
+}
+
+static void jr_jobdesc_blob_decap(struct blob_priv *ctx, u8 modlen, u16 input_size)
+{
+ u32 *desc = ctx->desc;
+ u16 in_sz;
+ u16 out_sz;
+
+ in_sz = input_size;
+ out_sz = input_size - BLOB_OVERHEAD;
+
+ init_job_desc(desc, 0);
+ /*
+ * The key modifier can be used to differentiate specific data.
+ * Or to prevent replay attacks.
+ */
+ append_key(desc, ctx->dma_modifier, modlen, CLASS_2);
+ append_seq_in_ptr(desc, ctx->dma_ciphertext, in_sz, 0);
+ append_seq_out_ptr(desc, ctx->dma_plaintext, out_sz, 0);
+ append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
+}
+
+static void jr_jobdesc_blob_encap(struct blob_priv *ctx, u8 modlen, u16 input_size)
+{
+ u32 *desc = ctx->desc;
+ u16 in_sz;
+ u16 out_sz;
+
+ in_sz = input_size;
+ out_sz = input_size + BLOB_OVERHEAD;
+
+ init_job_desc(desc, 0);
+ /*
+ * The key modifier can be used to differentiate specific data.
+ * Or to prevent replay attacks.
+ */
+ append_key(desc, ctx->dma_modifier, modlen, CLASS_2);
+ append_seq_in_ptr(desc, ctx->dma_plaintext, in_sz, 0);
+ append_seq_out_ptr(desc, ctx->dma_ciphertext, out_sz, 0);
+ append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB);
+}
+
+static void blob_job_done(struct device_d *dev, u32 *desc, u32 err, void *arg)
+{
+ struct blob_job_result *res = arg;
+
+ if (!res)
+ return;
+
+ if (err)
+ caam_jr_strstatus(dev, err);
+
+ res->err = err;
+}
+
+static int caam_blob_decrypt(struct blobgen *bg, const char *modifier,
+ const void *blob, int blobsize, void **plain,
+ int *plainsize)
+{
+ struct blob_priv *ctx = to_blob_priv(bg);
+ struct device_d *jrdev = bg->dev.parent;
+ struct blob_job_result testres;
+ int modifier_len = strlen(modifier);
+ u32 *desc = ctx->desc;
+ int ret;
+
+ if (blobsize <= BLOB_OVERHEAD)
+ return -EINVAL;
+
+ *plainsize = blobsize - BLOB_OVERHEAD;
+
+ *plain = dma_alloc(*plainsize);
+ if (!*plain)
+ return -ENOMEM;
+
+ memset(desc, 0, DESC_LEN);
+
+ ctx->dma_modifier = (dma_addr_t)modifier;
+ ctx->dma_plaintext = (dma_addr_t)*plain;
+ ctx->dma_ciphertext = (dma_addr_t)blob;
+
+ jr_jobdesc_blob_decap(ctx, modifier_len, blobsize);
+
+ dma_sync_single_for_device((unsigned long)desc, desc_bytes(desc),
+ DMA_TO_DEVICE);
+
+ dma_sync_single_for_device((unsigned long)modifier, modifier_len,
+ DMA_TO_DEVICE);
+ dma_sync_single_for_device((unsigned long)*plain, *plainsize,
+ DMA_FROM_DEVICE);
+ dma_sync_single_for_device((unsigned long)blob, blobsize,
+ DMA_TO_DEVICE);
+
+ testres.err = 0;
+
+ ret = caam_jr_enqueue(jrdev, desc, blob_job_done, &testres);
+ if (ret)
+ dev_err(jrdev, "decryption error\n");
+
+ ret = testres.err;
+
+ dma_sync_single_for_cpu((unsigned long)modifier, modifier_len,
+ DMA_TO_DEVICE);
+ dma_sync_single_for_cpu((unsigned long)*plain, *plainsize,
+ DMA_FROM_DEVICE);
+ dma_sync_single_for_cpu((unsigned long)blob, blobsize,
+ DMA_TO_DEVICE);
+
+ return ret;
+}
+
+static int caam_blob_encrypt(struct blobgen *bg, const char *modifier,
+ const void *plain, int plainsize, void *blob,
+ int *blobsize)
+{
+ struct blob_priv *ctx = to_blob_priv(bg);
+ struct device_d *jrdev = bg->dev.parent;
+ struct blob_job_result testres;
+ int modifier_len = strlen(modifier);
+ u32 *desc = ctx->desc;
+ int ret;
+
+ *blobsize = plainsize + BLOB_OVERHEAD;
+
+ memset(desc, 0, DESC_LEN);
+
+ ctx->dma_modifier = (dma_addr_t)modifier;
+ ctx->dma_plaintext = (dma_addr_t)plain;
+ ctx->dma_ciphertext = (dma_addr_t)blob;
+
+ jr_jobdesc_blob_encap(ctx, modifier_len, plainsize);
+
+ dma_sync_single_for_device((unsigned long)desc, desc_bytes(desc),
+ DMA_TO_DEVICE);
+
+ dma_sync_single_for_device((unsigned long)modifier, modifier_len,
+ DMA_TO_DEVICE);
+ dma_sync_single_for_device((unsigned long)plain, plainsize,
+ DMA_TO_DEVICE);
+ dma_sync_single_for_device((unsigned long)blob, *blobsize,
+ DMA_FROM_DEVICE);
+
+ testres.err = 0;
+
+ ret = caam_jr_enqueue(jrdev, desc, blob_job_done, &testres);
+ if (ret)
+ dev_err(jrdev, "encryption error\n");
+
+ ret = testres.err;
+
+ dma_sync_single_for_cpu((unsigned long)modifier, modifier_len,
+ DMA_TO_DEVICE);
+ dma_sync_single_for_cpu((unsigned long)plain, plainsize,
+ DMA_TO_DEVICE);
+ dma_sync_single_for_cpu((unsigned long)blob, *blobsize,
+ DMA_FROM_DEVICE);
+
+ return ret;
+}
+
+int caam_blob_gen_probe(struct device_d *dev, struct device_d *jrdev)
+{
+ struct blob_priv *ctx;
+ struct blobgen *bg;
+ int ret;
+
+ ctx = xzalloc(sizeof(*ctx));
+ bg = &ctx->bg;
+ bg->max_payload_size = MAX_BLOB_LEN - BLOB_OVERHEAD;
+ bg->encrypt = caam_blob_encrypt;
+ bg->decrypt = caam_blob_decrypt;
+
+ ret = blob_gen_register(jrdev, bg);
+ if (ret)
+ free(ctx);
+
+ return ret;
+}
diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
index 4fe3eea3e6..06b075e74a 100644
--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -654,6 +654,15 @@ static int caam_probe(struct device_d *dev)
}
}
+ if (IS_ENABLED(CONFIG_BLOBGEN)) {
+ ret = caam_blob_gen_probe(dev, ctrlpriv->jrpdev[0]);
+ if (ret) {
+ dev_err(dev, "failed to instantiate blobgen device");
+ caam_remove(dev);
+ return ret;
+ }
+ }
+
/* NOTE: RTIC detection ought to go here, around Si time */
caam_id = (u64)rd_reg32(&ctrl->perfmon.caam_id_ms) << 32 |
(u64)rd_reg32(&ctrl->perfmon.caam_id_ls);
diff --git a/drivers/crypto/caam/intern.h b/drivers/crypto/caam/intern.h
index fe19a2c8d2..6dfcea26ac 100644
--- a/drivers/crypto/caam/intern.h
+++ b/drivers/crypto/caam/intern.h
@@ -93,5 +93,6 @@ void caam_jr_algapi_init(struct device *dev);
void caam_jr_algapi_remove(struct device *dev);
int caam_rng_probe(struct device_d *dev, struct device_d *jrdev);
+int caam_blob_gen_probe(struct device_d *dev, struct device_d *jrdev);
int caam_jr_probe(struct device_d *dev);
#endif /* INTERN_H */
--
2.20.1
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
prev parent reply other threads:[~2019-04-12 10:15 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-12 10:14 [PATCH 0/7] Add support for encrypted blobs Sascha Hauer
2019-04-12 10:14 ` [PATCH 1/7] crypto/caam: Add missing include Sascha Hauer
2019-04-12 10:14 ` [PATCH 2/7] lib: add base64 helpers Sascha Hauer
2019-04-12 10:14 ` [PATCH 3/7] include: crypto: import des.h from kernel Sascha Hauer
2019-04-12 10:14 ` [PATCH 4/7] include: crypto: import ablkcipher struct " Sascha Hauer
2019-04-12 10:15 ` [PATCH 5/7] lib: add blobgen framework Sascha Hauer
2019-04-12 10:15 ` [PATCH 6/7] crypto: add new imx-scc driver Sascha Hauer
2019-04-12 10:15 ` Sascha Hauer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190412101502.11904-8-s.hauer@pengutronix.de \
--to=s.hauer@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=s.trumtrar@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox