TEE-346 Add DEK blob encapsulation for imx8m

Add DEK blob encapsulation support for IMX8M through "dek_blob" command. On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob for encrypted boot. The DEK blob is encapsulated by OP-TEE through a trusted application call. U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE dynamic shared memory. To enable the DEK blob encapsulation, add to the defconfig: CONFIG_SECURE_BOOT=y CONFIG_FAT_WRITE=y CONFIG_CMD_DEKBLOB=y Signed-off-by: Clement Faure <clement.faure@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> (cherry picked from commit 7ffd25bddc89db30612f4e805d103c7d8dde5d95)
author: Clement Faure <clement.faure@nxp.com> 2019-05-23 16:00:11 +0200
committer: Ye Li <ye.li@nxp.com> 2020-04-26 23:34:08 -0700
commit: cbc0a6698241cf12e131d8722220657ae4d684ae (patch)
tree: 787529fb9fb9fb9ad28d8d277634bcd69b75d618
parent: bbd57835403ead1faf0432808fecfff0f10a5024 (diff)
7 files changed, 136 insertions, 15 deletions
diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
index 1bca079e83..3a0b408979 100644
--- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi
@@ -3,6 +3,15 @@
  * Copyright 2019 NXP
  */
 
+/ {
+	firmware {
+		optee {
+			compatible = "linaro,optee-tz";
+			method = "smc";
+		};
+	};
+};
+
 &{/soc@0} {
 	u-boot,dm-pre-reloc;
 	u-boot,dm-spl;
diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
index 7a3ac72591..66adbbc067 100644
--- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
@@ -3,6 +3,15 @@
  * Copyright 2019 NXP
  */
 
+/ {
+	firmware {
+		optee {
+			compatible = "linaro,optee-tz";
+			method = "smc";
+		};
+	};
+};
+
 &{/soc@0} {
 	u-boot,dm-pre-reloc;
 	u-boot,dm-spl;
diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
index 4675ada0a0..b67ff70ae7 100644
--- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi
+++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi
@@ -3,6 +3,15 @@
  * Copyright 2019 NXP
  */
 
+/ {
+	firmware {
+		optee {
+			compatible = "linaro,optee-tz";
+			method = "smc";
+		};
+	};
+};
+
 &{/soc@0} {
 	u-boot,dm-pre-reloc;
 	u-boot,dm-spl;
diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index fe7e98d3f8..8b2228dae6 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -102,12 +102,29 @@ config CMD_BMODE
 
 config CMD_DEKBLOB
 	bool "Support the 'dek_blob' command"
+	select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP
+	select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M
 	help
 	  This enables the 'dek_blob' command which is used with the
 	  Freescale secure boot mechanism. This command encapsulates and
 	  creates a blob of data. See also CMD_BLOB and doc/README.mxc_hab for
 	  more information.
 
+config IMX_CAAM_DEK_ENCAP
+	bool "Support the DEK blob encapsulation with CAAM U-Boot driver"
+	help
+	  This enables the DEK blob encapsulation with the U-Boot CAAM driver.
+	  This option is only available on imx6, imx7 and imx7ulp.
+
+config IMX_OPTEE_DEK_ENCAP
+	select TEE
+	select OPTEE
+	bool "Support the DEK blob encapsulation with OP-TEE"
+	help
+	  This enabled the DEK blob encapsulation with OP-TEE. The communication
+	  with OP-TEE is done through a SMC call and OP-TEE shared memory. This
+	  option is available on imx8mm.
+
 config CMD_PRIBLOB
 	bool "Support the set_priblob_bitfield command"
 	depends on HAS_CAAM && IMX_HAB
diff --git a/arch/arm/mach-imx/cmd_dek.c b/arch/arm/mach-imx/cmd_dek.c
index 6ea76fe244..a4f61ec1a0 100644
--- a/arch/arm/mach-imx/cmd_dek.c
+++ b/arch/arm/mach-imx/cmd_dek.c
@@ -13,6 +13,7 @@
 #include <fsl_sec.h>
 #include <asm/arch/clock.h>
 #include <mapmem.h>
+#include <tee.h>
 
 /**
 * blob_dek() - Encapsulate the DEK as a blob using CAM's Key
@@ -22,9 +23,13 @@
 *
 * Returns zero on success,and negative on error.
 */
-static int blob_encap_dek(const u8 *src, u8 *dst, u32 len)
+#ifdef CONFIG_IMX_CAAM_DEK_ENCAP
+static int blob_encap_dek(uint32_t src_addr, uint32_t dst_addr, uint32_t len)
 {
-	int ret = 0;
+	uint8_t *src_ptr, *dst_ptr;
+
+	src_ptr = map_sysmem(src_addr, len / 8);
+	dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len / 8));
 
 	hab_caam_clock_enable(1);
 
@@ -39,10 +44,90 @@ static int blob_encap_dek(const u8 *src, u8 *dst, u32 len)
 	}
 
 	len /= 8;
-	ret = blob_dek(src, dst, len);
+	return blob_dek(src_ptr, dst_ptr, len);
+}
+#endif /* CONFIG_IMX_CAAM_DEK_ENCAP */
+
+#ifdef CONFIG_IMX_OPTEE_DEK_ENCAP
+
+#define PTA_DEK_BLOB_PTA_UUID {0xef477737, 0x0db1, 0x4a9d, \
+	{0x84, 0x37, 0xf2, 0xf5, 0x35, 0xc0, 0xbd, 0x92} }
+
+#define OPTEE_BLOB_HDR_SIZE		8
+
+static int blob_encap_dek(uint32_t src_addr, uint32_t dst_addr, uint32_t len)
+{
+	struct udevice *dev = NULL;
+	struct tee_shm *shm_input, *shm_output;
+	struct tee_open_session_arg arg = {0};
+	struct tee_invoke_arg arg_func = {0};
+	const struct tee_optee_ta_uuid uuid = PTA_DEK_BLOB_PTA_UUID;
+	struct tee_param param[4] = {0};
+	int ret;
+
+	/* Get tee device */
+	dev = tee_find_device(NULL, NULL, NULL, NULL);
+	if (dev == NULL) {
+		printf("Cannot get OP-TEE device\n");
+		return -1;
+	}
+
+	/* Set TA UUID */
+	tee_optee_ta_uuid_to_octets(arg.uuid, &uuid);
+
+	/* Open TA session */
+	ret = tee_open_session(dev, &arg, 0, NULL);
+	if (ret < 0) {
+		printf("Cannot open session with PTA Blob 0x%X\n", ret);
+		return -1;
+	}
+
+	/* Allocate shared input and output buffers for TA */
+	ret = tee_shm_register(dev, (void *)(ulong)src_addr, len / 8, 0x0, &shm_input);
+	if (ret < 0) {
+		printf("Cannot register input shared memory 0x%X\n", ret);
+		goto error;
+	}
+
+	ret = tee_shm_register(dev, (void *)(ulong)dst_addr,
+			       BLOB_SIZE(len / 8) + OPTEE_BLOB_HDR_SIZE,
+			       0x0, &shm_output);
+	if (ret < 0) {
+		printf("Cannot register output shared memory 0x%X\n", ret);
+		goto error;
+	}
+
+	param[0].u.memref.shm	= shm_input;
+	param[0].u.memref.size	= shm_input->size;
+	param[0].attr		= TEE_PARAM_ATTR_TYPE_MEMREF_INPUT;
+	param[1].u.memref.shm	= shm_output;
+	param[1].u.memref.size	= shm_output->size;
+	param[1].attr		= TEE_PARAM_ATTR_TYPE_MEMREF_OUTPUT;
+	param[2].attr		= TEE_PARAM_ATTR_TYPE_NONE;
+	param[3].attr		= TEE_PARAM_ATTR_TYPE_NONE;
+
+	arg_func.func = 0;
+	arg_func.session = arg.session;
+
+	/* Generate DEK blob */
+	arg_func.session = arg.session;
+	ret = tee_invoke_func(dev, &arg_func, 4, param);
+	if (ret < 0)
+		printf("Cannot generate Blob with PTA DEK Blob 0x%X\n", ret);
+
+error:
+	/* Free shared memory */
+	tee_shm_free(shm_input);
+	tee_shm_free(shm_output);
+
+	/* Close session */
+	ret = tee_close_session(dev, arg.session);
+	if (ret < 0)
+		printf("Cannot close session with PTA DEK Blob 0x%X\n", ret);
 
 	return ret;
 }
+#endif /* CONFIG_IMX_OPTEE_DEK_ENCAP */
 
 /**
  * do_dek_blob() - Handle the "dek_blob" command-line command
@@ -57,8 +142,6 @@ static int blob_encap_dek(const u8 *src, u8 *dst, u32 len)
 static int do_dek_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
 {
 	uint32_t src_addr, dst_addr, len;
-	uint8_t *src_ptr, *dst_ptr;
-	int ret = 0;
 
 	if (argc != 4)
 		return CMD_RET_USAGE;
@@ -67,12 +150,7 @@ static int do_dek_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
 	dst_addr = simple_strtoul(argv[2], NULL, 16);
 	len = simple_strtoul(argv[3], NULL, 10);
 
-	src_ptr = map_sysmem(src_addr, len/8);
-	dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len/8));
-
-	ret = blob_encap_dek(src_ptr, dst_ptr, len);
-
-	return ret;
+	return blob_encap_dek(src_addr, dst_addr, len);
 }
 
 /***************************************************/
diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile
index 80893e833a..0b7a79547c 100644
--- a/drivers/crypto/fsl/Makefile
+++ b/drivers/crypto/fsl/Makefile
@@ -4,7 +4,6 @@
 
 obj-y += sec.o
 obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o
-obj-$(CONFIG_CMD_BLOB) += fsl_blob.o
-obj-$(CONFIG_CMD_DEKBLOB) += fsl_blob.o
+obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o
 obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o
 obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index 00b8c14fb1..5068388bf2 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -28,6 +28,8 @@
 #error Neither CONFIG_SYS_FSL_SEC_LE nor CONFIG_SYS_FSL_SEC_BE is defined
 #endif
 
+#define BLOB_SIZE(x)		((x) + 32 + 16) /* Blob buffer size */
+
 /* Security Engine Block (MS = Most Sig., LS = Least Sig.) */
 #if CONFIG_SYS_FSL_SEC_COMPAT >= 4
 /* RNG4 TRNG test registers */
@@ -228,8 +230,6 @@ struct sg_entry {
 #define SG_ENTRY_OFFSET_SHIFT	0
 };
 
-#define BLOB_SIZE(x)		((x) + 32 + 16) /* Blob buffer size */
-
 #if defined(CONFIG_MX6) || defined(CONFIG_MX7) || \
 	defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M)
 /* Job Ring Base Address */
author	Clement Faure <clement.faure@nxp.com>	2019-05-23 16:00:11 +0200
committer	Ye Li <ye.li@nxp.com>	2020-04-26 23:34:08 -0700
commit	cbc0a6698241cf12e131d8722220657ae4d684ae (patch)
tree	787529fb9fb9fb9ad28d8d277634bcd69b75d618
parent	bbd57835403ead1faf0432808fecfff0f10a5024 (diff)