MLK-24474: Add SIP call to enable FIPS mode

The configuration of the FIPS alter the SoC which is configured
and cannot be reverted so the support SHALL NOT be in
customer binary as it could lead to DoS of the SECO.

We add a SIP service to configure the FIPS mode. It is added
to the ATF because it is the only component with the required
permissions to successfully perform the call.
This service currently only allow to set the FIPS mode with
a value but can be extended.
IT can be called from other components like uboot or the OS.

The support is added only if the bl31 is compiled with
FIPS_CONFIG defined which happens when FIPS_CONFIG=on is passed
as option to Makefile.

Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Acked-by: Anson Huang <anson.huang@nxp.com>
Acked-by: Ye Li <ye.li@nxp.com>

1 files changed, 23 insertions, 0 deletions

diff --git a/plat/imx/common/imx_sip_handler.c b/plat/imx/common/imx_sip_handler.c
index de968c37..903f6b8c 100644
--- a/plat/imx/common/imx_sip_handler.c
+++ b/plat/imx/common/imx_sip_handler.c
@@ -13,6 +13,7 @@
 #include <common/runtime_svc.h>
 #include <imx_sip_svc.h>
 #include <sci/sci.h>
+#include <errno.h>
 
 #if defined(PLAT_imx8qm) || defined(PLAT_imx8qx) || defined(PLAT_imx8dx) || defined(PLAT_imx8dxl)
 
@@ -249,3 +250,25 @@ int putchar(int c)
 	return c;
 }
 #endif
+
+int fips_config_handler(uint32_t smc_fid,
+			u_register_t x1,
+			u_register_t x2,
+			u_register_t x3,
+			u_register_t x4)
+{
+	sc_err_t sc_err = SC_ERR_NOTFOUND;
+	uint8_t cmd = x1;
+	uint8_t mode;
+
+	switch (cmd) {
+	case IMX_SIP_FIPS_CONFIG_SET:
+		mode = x2;
+		sc_err = sc_seco_set_fips_mode(ipc_handle, mode, NULL);
+		break;
+	default:
+		break;
+	}
+
+	return (sc_err == SC_ERR_NONE) ? 0 : -EINVAL;
+}