diff options
author | Clement Faure <clement.faure@nxp.com> | 2019-05-23 16:00:11 +0200 |
---|---|---|
committer | Ye Li <ye.li@nxp.com> | 2020-04-26 23:34:08 -0700 |
commit | cbc0a6698241cf12e131d8722220657ae4d684ae (patch) | |
tree | 787529fb9fb9fb9ad28d8d277634bcd69b75d618 | |
parent | bbd57835403ead1faf0432808fecfff0f10a5024 (diff) |
TEE-346 Add DEK blob encapsulation for imx8m
Add DEK blob encapsulation support for IMX8M through "dek_blob" command.
On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob
for encrypted boot.
The DEK blob is encapsulated by OP-TEE through a trusted application call.
U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE
dynamic shared memory.
To enable the DEK blob encapsulation, add to the defconfig:
CONFIG_SECURE_BOOT=y
CONFIG_FAT_WRITE=y
CONFIG_CMD_DEKBLOB=y
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 7ffd25bddc89db30612f4e805d103c7d8dde5d95)
-rw-r--r-- | arch/arm/dts/imx8mm-evk-u-boot.dtsi | 9 | ||||
-rw-r--r-- | arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi | 9 | ||||
-rw-r--r-- | arch/arm/dts/imx8mp-evk-u-boot.dtsi | 9 | ||||
-rw-r--r-- | arch/arm/mach-imx/Kconfig | 17 | ||||
-rw-r--r-- | arch/arm/mach-imx/cmd_dek.c | 100 | ||||
-rw-r--r-- | drivers/crypto/fsl/Makefile | 3 | ||||
-rw-r--r-- | include/fsl_sec.h | 4 |
7 files changed, 136 insertions, 15 deletions
diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-boot.dtsi index 1bca079e83..3a0b408979 100644 --- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi @@ -3,6 +3,15 @@ * Copyright 2019 NXP */ +/ { + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; +}; + &{/soc@0} { u-boot,dm-pre-reloc; u-boot,dm-spl; diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi index 7a3ac72591..66adbbc067 100644 --- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi @@ -3,6 +3,15 @@ * Copyright 2019 NXP */ +/ { + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; +}; + &{/soc@0} { u-boot,dm-pre-reloc; u-boot,dm-spl; diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-boot.dtsi index 4675ada0a0..b67ff70ae7 100644 --- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi @@ -3,6 +3,15 @@ * Copyright 2019 NXP */ +/ { + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; +}; + &{/soc@0} { u-boot,dm-pre-reloc; u-boot,dm-spl; diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index fe7e98d3f8..8b2228dae6 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -102,12 +102,29 @@ config CMD_BMODE config CMD_DEKBLOB bool "Support the 'dek_blob' command" + select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP + select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M help This enables the 'dek_blob' command which is used with the Freescale secure boot mechanism. This command encapsulates and creates a blob of data. See also CMD_BLOB and doc/README.mxc_hab for more information. +config IMX_CAAM_DEK_ENCAP + bool "Support the DEK blob encapsulation with CAAM U-Boot driver" + help + This enables the DEK blob encapsulation with the U-Boot CAAM driver. + This option is only available on imx6, imx7 and imx7ulp. + +config IMX_OPTEE_DEK_ENCAP + select TEE + select OPTEE + bool "Support the DEK blob encapsulation with OP-TEE" + help + This enabled the DEK blob encapsulation with OP-TEE. The communication + with OP-TEE is done through a SMC call and OP-TEE shared memory. This + option is available on imx8mm. + config CMD_PRIBLOB bool "Support the set_priblob_bitfield command" depends on HAS_CAAM && IMX_HAB diff --git a/arch/arm/mach-imx/cmd_dek.c b/arch/arm/mach-imx/cmd_dek.c index 6ea76fe244..a4f61ec1a0 100644 --- a/arch/arm/mach-imx/cmd_dek.c +++ b/arch/arm/mach-imx/cmd_dek.c @@ -13,6 +13,7 @@ #include <fsl_sec.h> #include <asm/arch/clock.h> #include <mapmem.h> +#include <tee.h> /** * blob_dek() - Encapsulate the DEK as a blob using CAM's Key @@ -22,9 +23,13 @@ * * Returns zero on success,and negative on error. */ -static int blob_encap_dek(const u8 *src, u8 *dst, u32 len) +#ifdef CONFIG_IMX_CAAM_DEK_ENCAP +static int blob_encap_dek(uint32_t src_addr, uint32_t dst_addr, uint32_t len) { - int ret = 0; + uint8_t *src_ptr, *dst_ptr; + + src_ptr = map_sysmem(src_addr, len / 8); + dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len / 8)); hab_caam_clock_enable(1); @@ -39,10 +44,90 @@ static int blob_encap_dek(const u8 *src, u8 *dst, u32 len) } len /= 8; - ret = blob_dek(src, dst, len); + return blob_dek(src_ptr, dst_ptr, len); +} +#endif /* CONFIG_IMX_CAAM_DEK_ENCAP */ + +#ifdef CONFIG_IMX_OPTEE_DEK_ENCAP + +#define PTA_DEK_BLOB_PTA_UUID {0xef477737, 0x0db1, 0x4a9d, \ + {0x84, 0x37, 0xf2, 0xf5, 0x35, 0xc0, 0xbd, 0x92} } + +#define OPTEE_BLOB_HDR_SIZE 8 + +static int blob_encap_dek(uint32_t src_addr, uint32_t dst_addr, uint32_t len) +{ + struct udevice *dev = NULL; + struct tee_shm *shm_input, *shm_output; + struct tee_open_session_arg arg = {0}; + struct tee_invoke_arg arg_func = {0}; + const struct tee_optee_ta_uuid uuid = PTA_DEK_BLOB_PTA_UUID; + struct tee_param param[4] = {0}; + int ret; + + /* Get tee device */ + dev = tee_find_device(NULL, NULL, NULL, NULL); + if (dev == NULL) { + printf("Cannot get OP-TEE device\n"); + return -1; + } + + /* Set TA UUID */ + tee_optee_ta_uuid_to_octets(arg.uuid, &uuid); + + /* Open TA session */ + ret = tee_open_session(dev, &arg, 0, NULL); + if (ret < 0) { + printf("Cannot open session with PTA Blob 0x%X\n", ret); + return -1; + } + + /* Allocate shared input and output buffers for TA */ + ret = tee_shm_register(dev, (void *)(ulong)src_addr, len / 8, 0x0, &shm_input); + if (ret < 0) { + printf("Cannot register input shared memory 0x%X\n", ret); + goto error; + } + + ret = tee_shm_register(dev, (void *)(ulong)dst_addr, + BLOB_SIZE(len / 8) + OPTEE_BLOB_HDR_SIZE, + 0x0, &shm_output); + if (ret < 0) { + printf("Cannot register output shared memory 0x%X\n", ret); + goto error; + } + + param[0].u.memref.shm = shm_input; + param[0].u.memref.size = shm_input->size; + param[0].attr = TEE_PARAM_ATTR_TYPE_MEMREF_INPUT; + param[1].u.memref.shm = shm_output; + param[1].u.memref.size = shm_output->size; + param[1].attr = TEE_PARAM_ATTR_TYPE_MEMREF_OUTPUT; + param[2].attr = TEE_PARAM_ATTR_TYPE_NONE; + param[3].attr = TEE_PARAM_ATTR_TYPE_NONE; + + arg_func.func = 0; + arg_func.session = arg.session; + + /* Generate DEK blob */ + arg_func.session = arg.session; + ret = tee_invoke_func(dev, &arg_func, 4, param); + if (ret < 0) + printf("Cannot generate Blob with PTA DEK Blob 0x%X\n", ret); + +error: + /* Free shared memory */ + tee_shm_free(shm_input); + tee_shm_free(shm_output); + + /* Close session */ + ret = tee_close_session(dev, arg.session); + if (ret < 0) + printf("Cannot close session with PTA DEK Blob 0x%X\n", ret); return ret; } +#endif /* CONFIG_IMX_OPTEE_DEK_ENCAP */ /** * do_dek_blob() - Handle the "dek_blob" command-line command @@ -57,8 +142,6 @@ static int blob_encap_dek(const u8 *src, u8 *dst, u32 len) static int do_dek_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) { uint32_t src_addr, dst_addr, len; - uint8_t *src_ptr, *dst_ptr; - int ret = 0; if (argc != 4) return CMD_RET_USAGE; @@ -67,12 +150,7 @@ static int do_dek_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) dst_addr = simple_strtoul(argv[2], NULL, 16); len = simple_strtoul(argv[3], NULL, 10); - src_ptr = map_sysmem(src_addr, len/8); - dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len/8)); - - ret = blob_encap_dek(src_ptr, dst_ptr, len); - - return ret; + return blob_encap_dek(src_addr, dst_addr, len); } /***************************************************/ diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile index 80893e833a..0b7a79547c 100644 --- a/drivers/crypto/fsl/Makefile +++ b/drivers/crypto/fsl/Makefile @@ -4,7 +4,6 @@ obj-y += sec.o obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o -obj-$(CONFIG_CMD_BLOB) += fsl_blob.o -obj-$(CONFIG_CMD_DEKBLOB) += fsl_blob.o +obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o diff --git a/include/fsl_sec.h b/include/fsl_sec.h index 00b8c14fb1..5068388bf2 100644 --- a/include/fsl_sec.h +++ b/include/fsl_sec.h @@ -28,6 +28,8 @@ #error Neither CONFIG_SYS_FSL_SEC_LE nor CONFIG_SYS_FSL_SEC_BE is defined #endif +#define BLOB_SIZE(x) ((x) + 32 + 16) /* Blob buffer size */ + /* Security Engine Block (MS = Most Sig., LS = Least Sig.) */ #if CONFIG_SYS_FSL_SEC_COMPAT >= 4 /* RNG4 TRNG test registers */ @@ -228,8 +230,6 @@ struct sg_entry { #define SG_ENTRY_OFFSET_SHIFT 0 }; -#define BLOB_SIZE(x) ((x) + 32 + 16) /* Blob buffer size */ - #if defined(CONFIG_MX6) || defined(CONFIG_MX7) || \ defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) /* Job Ring Base Address */ |