From 7ad9e7ab4cc7ede448bffd37ecd6ec69002e17e3 Mon Sep 17 00:00:00 2001 From: Franck LENORMAND Date: Mon, 10 Aug 2020 12:07:47 +0200 Subject: MLK-24474: Add SIP call to enable FIPS mode The configuration of the FIPS alter the SoC which is configured and cannot be reverted so the support SHALL NOT be in customer binary as it could lead to DoS of the SECO. We add a SIP service to configure the FIPS mode. It is added to the ATF because it is the only component with the required permissions to successfully perform the call. This service currently only allow to set the FIPS mode with a value but can be extended. IT can be called from other components like uboot or the OS. The support is added only if the bl31 is compiled with FIPS_CONFIG defined which happens when FIPS_CONFIG=on is passed as option to Makefile. Signed-off-by: Franck LENORMAND Acked-by: Anson Huang Acked-by: Ye Li --- plat/imx/common/imx_sip_handler.c | 23 +++++++++++++++++++++++ plat/imx/common/imx_sip_svc.c | 4 ++++ plat/imx/common/include/imx_sip_svc.h | 6 ++++++ plat/imx/imx8qx/platform.mk | 4 ++++ 4 files changed, 37 insertions(+) diff --git a/plat/imx/common/imx_sip_handler.c b/plat/imx/common/imx_sip_handler.c index de968c37..903f6b8c 100644 --- a/plat/imx/common/imx_sip_handler.c +++ b/plat/imx/common/imx_sip_handler.c @@ -13,6 +13,7 @@ #include #include #include +#include #if defined(PLAT_imx8qm) || defined(PLAT_imx8qx) || defined(PLAT_imx8dx) || defined(PLAT_imx8dxl) @@ -249,3 +250,25 @@ int putchar(int c) return c; } #endif + +int fips_config_handler(uint32_t smc_fid, + u_register_t x1, + u_register_t x2, + u_register_t x3, + u_register_t x4) +{ + sc_err_t sc_err = SC_ERR_NOTFOUND; + uint8_t cmd = x1; + uint8_t mode; + + switch (cmd) { + case IMX_SIP_FIPS_CONFIG_SET: + mode = x2; + sc_err = sc_seco_set_fips_mode(ipc_handle, mode, NULL); + break; + default: + break; + } + + return (sc_err == SC_ERR_NONE) ? 0 : -EINVAL; +} diff --git a/plat/imx/common/imx_sip_svc.c b/plat/imx/common/imx_sip_svc.c index 2fad4740..f0b9efd3 100644 --- a/plat/imx/common/imx_sip_svc.c +++ b/plat/imx/common/imx_sip_svc.c @@ -71,6 +71,10 @@ static uintptr_t imx_sip_handler(unsigned int smc_fid, return imx_otp_handler(smc_fid, handle, x1, x2); case IMX_SIP_MISC_SET_TEMP: SMC_RET1(handle, imx_misc_set_temp_handler(smc_fid, x1, x2, x3, x4)); +#ifdef FIPS_CONFIG + case IMX_SIP_FIPS_CONFIG: + SMC_RET1(handle, fips_config_handler(smc_fid, x1, x2, x3, x4)); +#endif #endif case IMX_SIP_BUILDINFO: SMC_RET1(handle, imx_buildinfo_handler(smc_fid, x1, x2, x3, x4)); diff --git a/plat/imx/common/include/imx_sip_svc.h b/plat/imx/common/include/imx_sip_svc.h index 92bde837..2852c2ad 100644 --- a/plat/imx/common/include/imx_sip_svc.h +++ b/plat/imx/common/include/imx_sip_svc.h @@ -61,6 +61,10 @@ #define IMX_SIP_MISC_SET_TEMP 0xC200000C #define IMX_SIP_DDR_DVFS 0xc2000004 + +#define IMX_SIP_FIPS_CONFIG 0xc200000D +#define IMX_SIP_FIPS_CONFIG_SET 0x1 + #if defined(PLAT_imx8mq) int imx_soc_info_handler(uint32_t smc_fid, u_register_t x1, u_register_t x2, u_register_t x3); @@ -101,6 +105,8 @@ int imx_misc_set_temp_handler(uint32_t smc_fid, u_register_t x1, u_register_t x2, u_register_t x3, u_register_t x4); int imx_get_cpu_rev(uint32_t *cpu_id, uint32_t *cpu_rev); +int fips_config_handler(uint32_t smc_fid, u_register_t x1, u_register_t x2, + u_register_t x3, u_register_t x4); #endif uint64_t imx_buildinfo_handler(uint32_t smc_fid, u_register_t x1, u_register_t x2, u_register_t x3, diff --git a/plat/imx/imx8qx/platform.mk b/plat/imx/imx8qx/platform.mk index 435240f8..bdfd821e 100644 --- a/plat/imx/imx8qx/platform.mk +++ b/plat/imx/imx8qx/platform.mk @@ -54,3 +54,7 @@ $(eval $(call add_define,BL32_SIZE)) ifeq (${SPD},trusty) BL31_CFLAGS += -DPLAT_XLAT_TABLES_DYNAMIC=1 endif + +ifeq (${FIPS_CONFIG},on) + BL31_CFLAGS += -DFIPS_CONFIG +endif -- cgit v1.2.3