From: Clement Faure Date: Thu, 25 Mar 2021 09:30:33 +0000 (+0800) Subject: imx8m: Add DEK blob encapsulation for imx8m X-Git-Url: http://git.dujemihanovic.xyz/?a=commitdiff_plain;h=56d2050f40287fe46757d4cbe69d62a1381c3c64;p=u-boot.git imx8m: Add DEK blob encapsulation for imx8m Add DEK blob encapsulation support for IMX8M through "dek_blob" command. On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob for encrypted boot. The DEK blob is encapsulated by OP-TEE through a trusted application call. U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE dynamic shared memory. To enable the DEK blob encapsulation, add to the defconfig: CONFIG_SECURE_BOOT=y CONFIG_FAT_WRITE=y CONFIG_CMD_DEKBLOB=y Signed-off-by: Clement Faure Reviewed-by: Ye Li Signed-off-by: Peng Fan --- diff --git a/arch/arm/dts/imx8mm-evk-u-boot.dtsi b/arch/arm/dts/imx8mm-evk-u-boot.dtsi index 7f48912b49..6d204526af 100644 --- a/arch/arm/dts/imx8mm-evk-u-boot.dtsi +++ b/arch/arm/dts/imx8mm-evk-u-boot.dtsi @@ -9,6 +9,13 @@ wdt = <&wdog1>; u-boot,dm-spl; }; + + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; }; &{/soc@0} { diff --git a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi index 8cd15be7a8..a0fd2a3098 100644 --- a/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi +++ b/arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi @@ -9,6 +9,12 @@ wdt = <&wdog1>; u-boot,dm-spl; }; + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; }; &{/soc@0} { diff --git a/arch/arm/dts/imx8mp-evk-u-boot.dtsi b/arch/arm/dts/imx8mp-evk-u-boot.dtsi index 6a91404d7b..27075c5217 100644 --- a/arch/arm/dts/imx8mp-evk-u-boot.dtsi +++ b/arch/arm/dts/imx8mp-evk-u-boot.dtsi @@ -9,6 +9,12 @@ wdt = <&wdog1>; u-boot,dm-spl; }; + firmware { + optee { + compatible = "linaro,optee-tz"; + method = "smc"; + }; + }; }; &{/soc@0} { diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index 27b0b081ad..3bcfced8f0 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -75,12 +75,29 @@ config CMD_BMODE config CMD_DEKBLOB bool "Support the 'dek_blob' command" + select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP + select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M help This enables the 'dek_blob' command which is used with the Freescale secure boot mechanism. This command encapsulates and creates a blob of data. See also CMD_BLOB and doc/imx/habv4/* for more information. +config IMX_CAAM_DEK_ENCAP + bool "Support the DEK blob encapsulation with CAAM U-Boot driver" + help + This enables the DEK blob encapsulation with the U-Boot CAAM driver. + This option is only available on imx6, imx7 and imx7ulp. + +config IMX_OPTEE_DEK_ENCAP + select TEE + select OPTEE + bool "Support the DEK blob encapsulation with OP-TEE" + help + This enabled the DEK blob encapsulation with OP-TEE. The communication + with OP-TEE is done through a SMC call and OP-TEE shared memory. This + option is available on imx8mm. + config CMD_PRIBLOB bool "Support the set_priblob_bitfield command" depends on HAS_CAAM && IMX_HAB diff --git a/arch/arm/mach-imx/cmd_dek.c b/arch/arm/mach-imx/cmd_dek.c index bd380429c0..75aec2cef0 100644 --- a/arch/arm/mach-imx/cmd_dek.c +++ b/arch/arm/mach-imx/cmd_dek.c @@ -14,6 +14,7 @@ #include #include #include +#include /** * blob_dek() - Encapsulate the DEK as a blob using CAM's Key @@ -23,9 +24,13 @@ * * Returns zero on success,and negative on error. */ -static int blob_encap_dek(const u8 *src, u8 *dst, u32 len) +#ifdef CONFIG_IMX_CAAM_DEK_ENCAP +static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len) { - int ret = 0; + u8 *src_ptr, *dst_ptr; + + src_ptr = map_sysmem(src_addr, len / 8); + dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len / 8)); hab_caam_clock_enable(1); @@ -40,10 +45,90 @@ static int blob_encap_dek(const u8 *src, u8 *dst, u32 len) } len /= 8; - ret = blob_dek(src, dst, len); + return blob_dek(src_ptr, dst_ptr, len); +} +#endif /* CONFIG_IMX_CAAM_DEK_ENCAP */ + +#ifdef CONFIG_IMX_OPTEE_DEK_ENCAP + +#define PTA_DEK_BLOB_PTA_UUID {0xef477737, 0x0db1, 0x4a9d, \ + {0x84, 0x37, 0xf2, 0xf5, 0x35, 0xc0, 0xbd, 0x92} } + +#define OPTEE_BLOB_HDR_SIZE 8 + +static int blob_encap_dek(u32 src_addr, u32 dst_addr, u32 len) +{ + struct udevice *dev = NULL; + struct tee_shm *shm_input, *shm_output; + struct tee_open_session_arg arg = {0}; + struct tee_invoke_arg arg_func = {0}; + const struct tee_optee_ta_uuid uuid = PTA_DEK_BLOB_PTA_UUID; + struct tee_param param[4] = {0}; + int ret; + + /* Get tee device */ + dev = tee_find_device(NULL, NULL, NULL, NULL); + if (!dev) { + printf("Cannot get OP-TEE device\n"); + return -1; + } + + /* Set TA UUID */ + tee_optee_ta_uuid_to_octets(arg.uuid, &uuid); + + /* Open TA session */ + ret = tee_open_session(dev, &arg, 0, NULL); + if (ret < 0) { + printf("Cannot open session with PTA Blob 0x%X\n", ret); + return -1; + } + + /* Allocate shared input and output buffers for TA */ + ret = tee_shm_register(dev, (void *)(ulong)src_addr, len / 8, 0x0, &shm_input); + if (ret < 0) { + printf("Cannot register input shared memory 0x%X\n", ret); + goto error; + } + + ret = tee_shm_register(dev, (void *)(ulong)dst_addr, + BLOB_SIZE(len / 8) + OPTEE_BLOB_HDR_SIZE, + 0x0, &shm_output); + if (ret < 0) { + printf("Cannot register output shared memory 0x%X\n", ret); + goto error; + } + + param[0].u.memref.shm = shm_input; + param[0].u.memref.size = shm_input->size; + param[0].attr = TEE_PARAM_ATTR_TYPE_MEMREF_INPUT; + param[1].u.memref.shm = shm_output; + param[1].u.memref.size = shm_output->size; + param[1].attr = TEE_PARAM_ATTR_TYPE_MEMREF_OUTPUT; + param[2].attr = TEE_PARAM_ATTR_TYPE_NONE; + param[3].attr = TEE_PARAM_ATTR_TYPE_NONE; + + arg_func.func = 0; + arg_func.session = arg.session; + + /* Generate DEK blob */ + arg_func.session = arg.session; + ret = tee_invoke_func(dev, &arg_func, 4, param); + if (ret < 0) + printf("Cannot generate Blob with PTA DEK Blob 0x%X\n", ret); + +error: + /* Free shared memory */ + tee_shm_free(shm_input); + tee_shm_free(shm_output); + + /* Close session */ + ret = tee_close_session(dev, arg.session); + if (ret < 0) + printf("Cannot close session with PTA DEK Blob 0x%X\n", ret); return ret; } +#endif /* CONFIG_IMX_OPTEE_DEK_ENCAP */ /** * do_dek_blob() - Handle the "dek_blob" command-line command @@ -59,8 +144,6 @@ static int do_dek_blob(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) { uint32_t src_addr, dst_addr, len; - uint8_t *src_ptr, *dst_ptr; - int ret = 0; if (argc != 4) return CMD_RET_USAGE; @@ -69,12 +152,7 @@ static int do_dek_blob(struct cmd_tbl *cmdtp, int flag, int argc, dst_addr = simple_strtoul(argv[2], NULL, 16); len = simple_strtoul(argv[3], NULL, 10); - src_ptr = map_sysmem(src_addr, len/8); - dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len/8)); - - ret = blob_encap_dek(src_ptr, dst_ptr, len); - - return ret; + return blob_encap_dek(src_addr, dst_addr, len); } /***************************************************/ diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile index eb689c1b9f..f9c3ccecfc 100644 --- a/drivers/crypto/fsl/Makefile +++ b/drivers/crypto/fsl/Makefile @@ -4,8 +4,7 @@ obj-y += sec.o obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o -obj-$(CONFIG_CMD_BLOB) += fsl_blob.o -obj-$(CONFIG_CMD_DEKBLOB) += fsl_blob.o +obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o obj-$(CONFIG_FSL_CAAM_RNG) += rng.o obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o diff --git a/include/fsl_sec.h b/include/fsl_sec.h index 09ce916297..c4121696f8 100644 --- a/include/fsl_sec.h +++ b/include/fsl_sec.h @@ -28,6 +28,8 @@ #error Neither CONFIG_SYS_FSL_SEC_LE nor CONFIG_SYS_FSL_SEC_BE is defined #endif +#define BLOB_SIZE(x) ((x) + 32 + 16) /* Blob buffer size */ + /* Security Engine Block (MS = Most Sig., LS = Least Sig.) */ #if CONFIG_SYS_FSL_SEC_COMPAT >= 4 /* RNG4 TRNG test registers */ @@ -265,8 +267,6 @@ struct sg_entry { #define SG_ENTRY_OFFSET_SHIFT 0 }; -#define BLOB_SIZE(x) ((x) + 32 + 16) /* Blob buffer size */ - #if defined(CONFIG_MX6) || defined(CONFIG_MX7) || \ defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) /* Job Ring Base Address */