author | Franck LENORMAND <franck.lenormand@nxp.com> | 2020-08-10 10:12:42 +0200 |
---|---|---|
committer | Franck LENORMAND <franck.lenormand@nxp.com> | 2020-08-13 15:13:52 +0200 |
commit | fac431ed6755c1b66511838e350a987b2ddcb9fb (patch) | |
tree | 64ae1f3e99554546c6fa04b3835995134db5c83f | |
parent | e39a0c329049cc8e281adda98fa3071b4bdac87a (diff) |
MLK-24474: Add SECO API sc_seco_set_fips_mode
The SCFW API sc_seco_set_fips_mode allows configuring the
mode of the FIPS feature on the SoC. This configuration is
performed on fuses and cannot be reverted.
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Acked-by: Anson Huang <anson.huang@nxp.com>
Acked-by: Ye Li <ye.li@nxp.com>
-rw-r--r-- | plat/imx/common/include/sci/sci.h | 1 | ||||
-rw-r--r-- | plat/imx/common/include/sci/svc/seco/sci_seco_api.h | 31 | ||||
-rw-r--r-- | plat/imx/common/sci/svc/seco/sci_seco_rpc.h | 1 | ||||
-rw-r--r-- | plat/imx/common/sci/svc/seco/seco_rpc_clnt.c | 21 |
4 files changed, 54 insertions, 0 deletions
diff --git a/plat/imx/common/include/sci/sci.h b/plat/imx/common/include/sci/sci.h
index 2c45bb8b..71eb18e5 100644
--- a/plat/imx/common/include/sci/sci.h
+++ b/plat/imx/common/include/sci/sci.h
@@ -17,5 +17,6 @@
 #include <sci/svc/rm/sci_rm_api.h>
 #include <sci/svc/timer/sci_timer_api.h>
 #include <sci/svc/misc/sci_misc_api.h>
+#include <sci/svc/seco/sci_seco_api.h>
 #endif /* SCI_H */
diff --git a/plat/imx/common/include/sci/svc/seco/sci_seco_api.h b/plat/imx/common/include/sci/svc/seco/sci_seco_api.h
index b7a9342f..ea28c7be 100644
--- a/plat/imx/common/include/sci/svc/seco/sci_seco_api.h
+++ b/plat/imx/common/include/sci/svc/seco/sci_seco_api.h
@@ -771,6 +771,37 @@ sc_err_t sc_seco_secvio_config(sc_ipc_t ipc, uint8_t id, uint8_t access,
 sc_err_t sc_seco_secvio_dgo_config(sc_ipc_t ipc, uint8_t id, uint8_t access,
 uint32_t *data);
+/*!
+ * This function configures the SECO in FIPS mode
+ *
+ * Only the owner of the SC_R_SYSTEM resource or a partition with access
+ * permissions to SC_R_SYSTEM can do this.
+ *
+ * This function permanently configures the SECO in FIPS approved mode. When in
+ * FIPS approved mode the following services will be disabled and receive a
+ * failure response:
+ * - Encrypted boot is not supported
+ * - Attestation is not supported
+ * - Manufacturing protection is not supported
+ * - DTCP load
+ * - SHE services are not supported
+ * - Assign JR is not supported (all JRs owned by SECO)
+ *
+ * @param[in] ipc IPC handle
+ * @param[in] mode FIPS mode
+ * @param[out] reason pointer to return failure reason
+ *
+ * @return Returns and error code (SC_ERR_NONE = success).
+ *
+ * Return errors codes:
+ * - SC_ERR_UNAVAILABLE if SECO not available,
+ * - SC_ERR_NOACCESS if caller does not have SC_R_SYSTEM access,
+ * - SC_ERR_IPC if SECO response has bad header tag or size,
+ * - SC_ERR_VERSION if SECO response has bad version,
+ * - Others, see the [Security Service Detailed Description](\ref seco_err) section
+ */
+sc_err_t sc_seco_set_fips_mode(sc_ipc_t ipc, uint8_t mode, uint32_t *status);
+
 /* @} */
 #endif /* SC_SECO_API_H */
diff --git a/plat/imx/common/sci/svc/seco/sci_seco_rpc.h b/plat/imx/common/sci/svc/seco/sci_seco_rpc.h
index 3688b6d7..ed3fc061 100644
--- a/plat/imx/common/sci/svc/seco/sci_seco_rpc.h
+++ b/plat/imx/common/sci/svc/seco/sci_seco_rpc.h
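Review bot: The Doxygen block added in sci_seco_api.h documents `@param[out] reason`, but the prototype of `sc_seco_set_fips_mode` names the third parameter `status`, so the description does not attach to the real argument; it should read `@param[out] status pointer to return failure reason`. The comment says the call permanently configures the SECO, yet `@param[in] mode FIPS mode` does not say which values are accepted; a line listing the valid values, or pointing to where they are defined, would let callers check the argument before making an irreversible request. `@return Returns and error code` should read `Returns an error code`, and `Return errors codes:` should read `Return error codes:`.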
@@ -51,6 +51,7 @@
 #define SECO_FUNC_SECVIO_ENABLE 25U /* Index for sc_seco_secvio_enable() RPC call */
 #define SECO_FUNC_SECVIO_CONFIG 26U /* Index for sc_seco_secvio_config() RPC call */
 #define SECO_FUNC_SECVIO_DGO_CONFIG 27U /* Index for sc_seco_secvio_dgo_config() RPC call */
+#define SECO_FUNC_SET_FIPS_MODE 29U /* Index for sc_seco_set_fips_mode() RPC call */
 /*@}*/
 /* Types */
diff --git a/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c b/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c
index 5b98ebd2..03923a69 100644
--- a/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c
+++ b/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c
@@ -626,4 +626,25 @@ sc_err_t sc_seco_secvio_dgo_config(sc_ipc_t ipc, uint8_t id, uint8_t access,
 return err;
 }
+sc_err_t sc_seco_set_fips_mode(sc_ipc_t ipc, uint8_t mode, uint32_t *status)
+{
+ sc_rpc_msg_t msg;
+ sc_err_t err;
+
+ RPC_VER(&msg) = SC_RPC_VERSION;
+ RPC_SIZE(&msg) = 2U;
+ RPC_SVC(&msg) = U8(SC_RPC_SVC_SECO);
+ RPC_FUNC(&msg) = U8(SECO_FUNC_SET_FIPS_MODE);
+
+ RPC_U8(&msg, 0U) = mode;
+
+ sc_call_rpc(ipc, &msg, SC_FALSE);
+
+ if (status)
+ *status = (uint32_t)RPC_U32(&msg, 0U);
+
+ err = RPC_R8(&msg);
+ return (sc_err_t)err;
+}
+
 /**@}*/ |
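Review bot: In seco_rpc_clnt.c, `sc_seco_set_fips_mode` copies `RPC_U32(&msg, 0U)` into `*status` before it reads `RPC_R8(&msg)`, so the caller receives a "failure reason" even when the exchange failed at the IPC level and the payload may not be meaningful (how `sc_call_rpc` leaves `msg` in that case is not visible in this hunk). Because the commit message says the setting is written to fuses and cannot be reverted, a comment above the function would help callers, for example `/* Irreversible: programs fuses. *status carries the SECO failure reason; treat it as valid only if the return code came from SECO. */`, with the exact condition confirmed against the SCFW behaviour. The function forwards `mode` unchecked and relies on the firmware-side SC_R_SYSTEM check described in the header, so any handler that later exposes this call should validate `mode` and the requester before reaching it. Minor: `err` is already `sc_err_t`, so `return err;` is enough.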