From fac431ed6755c1b66511838e350a987b2ddcb9fb Mon Sep 17 00:00:00 2001 From: Franck LENORMAND Date: Mon, 10 Aug 2020 10:12:42 +0200 Subject: MLK-24474: Add SECO API sc_seco_set_fips_mode The SCFW API sc_seco_set_fips_mode allow to configure the mode of the FIPS feature on SoC. This configuration is performed on fuses and cannot be reverted. Signed-off-by: Franck LENORMAND Acked-by: Anson Huang Acked-by: Ye Li --- plat/imx/common/include/sci/sci.h | 1 + .../imx/common/include/sci/svc/seco/sci_seco_api.h | 31 ++++++++++++++++++++++ plat/imx/common/sci/svc/seco/sci_seco_rpc.h | 1 + plat/imx/common/sci/svc/seco/seco_rpc_clnt.c | 21 +++++++++++++++ 4 files changed, 54 insertions(+) diff --git a/plat/imx/common/include/sci/sci.h b/plat/imx/common/include/sci/sci.h index 2c45bb8b..71eb18e5 100644 --- a/plat/imx/common/include/sci/sci.h +++ b/plat/imx/common/include/sci/sci.h @@ -17,5 +17,6 @@ #include #include #include +#include #endif /* SCI_H */ diff --git a/plat/imx/common/include/sci/svc/seco/sci_seco_api.h b/plat/imx/common/include/sci/svc/seco/sci_seco_api.h index b7a9342f..ea28c7be 100644 --- a/plat/imx/common/include/sci/svc/seco/sci_seco_api.h +++ b/plat/imx/common/include/sci/svc/seco/sci_seco_api.h 
@@ -771,6 +771,37 @@ sc_err_t sc_seco_secvio_config(sc_ipc_t ipc, uint8_t id, uint8_t access, sc_err_t sc_seco_secvio_dgo_config(sc_ipc_t ipc, uint8_t id, uint8_t access, uint32_t *data); +/*! + * This function configures the SECO in FIPS mode + * + * Only the owner of the SC_R_SYSTEM resource or a partition with access + * permissions to SC_R_SYSTEM can do this. + * + * This function permanently configures the SECO in FIPS approved mode. When in + * FIPS approved mode the following services will be disabled and receive a + * failure response: + * - Encrypted boot is not supported + * - Attestation is not supported + * - Manufacturing protection is not supported + * - DTCP load + * - SHE services are not supported + * - Assign JR is not supported (all JRs owned by SECO) + * + * @param[in] ipc IPC handle + * @param[in] mode FIPS mode + * @param[out] reason pointer to return failure reason + * + * @return Returns and error code (SC_ERR_NONE = success). + * + * Return errors codes: + * - SC_ERR_UNAVAILABLE if SECO not available, + * - SC_ERR_NOACCESS if caller does not have SC_R_SYSTEM access, + * - SC_ERR_IPC if SECO response has bad header tag or size, + * - SC_ERR_VERSION if SECO response has bad version, + * - Others, see the [Security Service Detailed Description](\ref seco_err) section + */ +sc_err_t sc_seco_set_fips_mode(sc_ipc_t ipc, uint8_t mode, uint32_t *status); + /* @} */ #endif /* SC_SECO_API_H */ diff --git a/plat/imx/common/sci/svc/seco/sci_seco_rpc.h b/plat/imx/common/sci/svc/seco/sci_seco_rpc.h index 3688b6d7..ed3fc061 100644 --- a/plat/imx/common/sci/svc/seco/sci_seco_rpc.h +++ b/plat/imx/common/sci/svc/seco/sci_seco_rpc.h 
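Review bot: The doc comment in sci_seco_api.h documents `@param[out] reason`, but the prototype names the third parameter `status`, so the description attaches to no real argument; make them agree, e.g. `@param[out] status pointer to return failure reason (may be NULL)`. The `mode` parameter is described only as "FIPS mode" with no accepted values, which matters for a call the comment itself describes as permanent; name the valid values here or reference where they are defined. The comment should also say outright that the setting is written to fuses and cannot be reverted, as the commit message does, and "Returns and error code" should read "Returns an error code".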
@@ -51,6 +51,7 @@ #define SECO_FUNC_SECVIO_ENABLE 25U /* Index for sc_seco_secvio_enable() RPC call */ #define SECO_FUNC_SECVIO_CONFIG 26U /* Index for sc_seco_secvio_config() RPC call */ #define SECO_FUNC_SECVIO_DGO_CONFIG 27U /* Index for sc_seco_secvio_dgo_config() RPC call */ +#define SECO_FUNC_SET_FIPS_MODE 29U /* Index for sc_seco_set_fips_mode() RPC call */ /*@}*/ /* Types */ diff --git a/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c b/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c index 5b98ebd2..03923a69 100644 --- a/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c +++ b/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c @@ -626,4 +626,25 @@ sc_err_t sc_seco_secvio_dgo_config(sc_ipc_t ipc, uint8_t id, uint8_t access, return err; } +sc_err_t sc_seco_set_fips_mode(sc_ipc_t ipc, uint8_t mode, uint32_t *status) +{ + sc_rpc_msg_t msg; + sc_err_t err; + + RPC_VER(&msg) = SC_RPC_VERSION; + RPC_SIZE(&msg) = 2U; + RPC_SVC(&msg) = U8(SC_RPC_SVC_SECO); + RPC_FUNC(&msg) = U8(SECO_FUNC_SET_FIPS_MODE); + + RPC_U8(&msg, 0U) = mode; + + sc_call_rpc(ipc, &msg, SC_FALSE); + + if (status) + *status = (uint32_t)RPC_U32(&msg, 0U); + + err = RPC_R8(&msg); + return (sc_err_t)err; +} + /**@}*/ -- cgit v1.2.3
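Review bot: The new sc_seco_set_fips_mode() in seco_rpc_clnt.c forwards `mode` to the SECO with no range check and no comment at the definition, although the commit message says the setting is programmed into fuses and cannot be reverted. I would add a comment above the function such as `/* One-way: programs FIPS-mode fuses; callers must gate this behind an explicit, authorised secure-world request. */` so that it is not later wired into a generic pass-through. `msg` is an uninitialised stack local and only payload byte 0 is set while `RPC_SIZE` is 2U, so the remaining payload bytes presumably go out as stale stack contents; `sc_rpc_msg_t msg = {0};` would avoid that. `*status` is also stored whatever `err` turns out to be, so please confirm the reply word is defined on every failure path.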