Commit cbc0a6698241cf12e131d8722220657ae4d684ae
Committed by
Ye Li
Ye Li
1 parent
bbd5783540
Exists in
smarc_8mq-imx_v2020.04_5.4.24_2.1.0
and in
3 other branches
TEE-346 Add DEK blob encapsulation for imx8m
Add DEK blob encapsulation support for IMX8M through "dek_blob" command. On ARMv8, u-boot runs in non-secure, thus cannot encapsulate a DEK blob for encrypted boot. The DEK blob is encapsulated by OP-TEE through a trusted application call. U-boot sends and receives the DEK and the DEK blob binaries through OP-TEE dynamic shared memory. To enable the DEK blob encapsulation, add to the defconfig: CONFIG_SECURE_BOOT=y CONFIG_FAT_WRITE=y CONFIG_CMD_DEKBLOB=y Signed-off-by: Clement Faure <clement.faure@nxp.com> Reviewed-by: Ye Li <ye.li@nxp.com> (cherry picked from commit 7ffd25bddc89db30612f4e805d103c7d8dde5d95)
Showing 7 changed files with 136 additions and 15 deletions Side-by-side Diff
arch/arm/dts/imx8mm-evk-u-boot.dtsi
arch/arm/dts/imx8mn-ddr4-evk-u-boot.dtsi
arch/arm/dts/imx8mp-evk-u-boot.dtsi
arch/arm/mach-imx/Kconfig
| ... | ... | @@ -102,11 +102,28 @@ |
| 102 | 102 | |
| 103 | 103 | config CMD_DEKBLOB |
| 104 | 104 | bool "Support the 'dek_blob' command" |
| 105 | + select IMX_CAAM_DEK_ENCAP if ARCH_MX6 || ARCH_MX7 || ARCH_MX7ULP | |
| 106 | + select IMX_OPTEE_DEK_ENCAP if ARCH_IMX8M | |
| 105 | 107 | help |
| 106 | 108 | This enables the 'dek_blob' command which is used with the |
| 107 | 109 | Freescale secure boot mechanism. This command encapsulates and |
| 108 | 110 | creates a blob of data. See also CMD_BLOB and doc/README.mxc_hab for |
| 109 | 111 | more information. |
| 112 | + | |
| 113 | +config IMX_CAAM_DEK_ENCAP | |
| 114 | + bool "Support the DEK blob encapsulation with CAAM U-Boot driver" | |
| 115 | + help | |
| 116 | + This enables the DEK blob encapsulation with the U-Boot CAAM driver. | |
| 117 | + This option is only available on imx6, imx7 and imx7ulp. | |
| 118 | + | |
| 119 | +config IMX_OPTEE_DEK_ENCAP | |
| 120 | + select TEE | |
| 121 | + select OPTEE | |
| 122 | + bool "Support the DEK blob encapsulation with OP-TEE" | |
| 123 | + help | |
| 124 | + This enabled the DEK blob encapsulation with OP-TEE. The communication | |
| 125 | + with OP-TEE is done through a SMC call and OP-TEE shared memory. This | |
| 126 | + option is available on imx8mm. | |
| 110 | 127 | |
| 111 | 128 | config CMD_PRIBLOB |
| 112 | 129 | bool "Support the set_priblob_bitfield command" |
arch/arm/mach-imx/cmd_dek.c
| ... | ... | @@ -13,6 +13,7 @@ |
| 13 | 13 | #include <fsl_sec.h> |
| 14 | 14 | #include <asm/arch/clock.h> |
| 15 | 15 | #include <mapmem.h> |
| 16 | +#include <tee.h> | |
| 16 | 17 | |
| 17 | 18 | /** |
| 18 | 19 | * blob_dek() - Encapsulate the DEK as a blob using CAM's Key |
| 19 | 20 | |
| 20 | 21 | |
| ... | ... | @@ -22,10 +23,14 @@ |
| 22 | 23 | * |
| 23 | 24 | * Returns zero on success,and negative on error. |
| 24 | 25 | */ |
| 25 | -static int blob_encap_dek(const u8 *src, u8 *dst, u32 len) | |
| 26 | +#ifdef CONFIG_IMX_CAAM_DEK_ENCAP | |
| 27 | +static int blob_encap_dek(uint32_t src_addr, uint32_t dst_addr, uint32_t len) | |
| 26 | 28 | { |
| 27 | - int ret = 0; | |
| 29 | + uint8_t *src_ptr, *dst_ptr; | |
| 28 | 30 | |
| 31 | + src_ptr = map_sysmem(src_addr, len / 8); | |
| 32 | + dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len / 8)); | |
| 33 | + | |
| 29 | 34 | hab_caam_clock_enable(1); |
| 30 | 35 | |
| 31 | 36 | u32 out_jr_size = sec_in32(CONFIG_SYS_FSL_JR0_ADDR + |
| 32 | 37 | |
| 33 | 38 | |
| ... | ... | @@ -39,10 +44,90 @@ |
| 39 | 44 | } |
| 40 | 45 | |
| 41 | 46 | len /= 8; |
| 42 | - ret = blob_dek(src, dst, len); | |
| 47 | + return blob_dek(src_ptr, dst_ptr, len); | |
| 48 | +} | |
| 49 | +#endif /* CONFIG_IMX_CAAM_DEK_ENCAP */ | |
| 43 | 50 | |
| 51 | +#ifdef CONFIG_IMX_OPTEE_DEK_ENCAP | |
| 52 | + | |
| 53 | +#define PTA_DEK_BLOB_PTA_UUID {0xef477737, 0x0db1, 0x4a9d, \ | |
| 54 | + {0x84, 0x37, 0xf2, 0xf5, 0x35, 0xc0, 0xbd, 0x92} } | |
| 55 | + | |
| 56 | +#define OPTEE_BLOB_HDR_SIZE 8 | |
| 57 | + | |
| 58 | +static int blob_encap_dek(uint32_t src_addr, uint32_t dst_addr, uint32_t len) | |
| 59 | +{ | |
| 60 | + struct udevice *dev = NULL; | |
| 61 | + struct tee_shm *shm_input, *shm_output; | |
| 62 | + struct tee_open_session_arg arg = {0}; | |
| 63 | + struct tee_invoke_arg arg_func = {0}; | |
| 64 | + const struct tee_optee_ta_uuid uuid = PTA_DEK_BLOB_PTA_UUID; | |
| 65 | + struct tee_param param[4] = {0}; | |
| 66 | + int ret; | |
| 67 | + | |
| 68 | + /* Get tee device */ | |
| 69 | + dev = tee_find_device(NULL, NULL, NULL, NULL); | |
| 70 | + if (dev == NULL) { | |
| 71 | + printf("Cannot get OP-TEE device\n"); | |
| 72 | + return -1; | |
| 73 | + } | |
| 74 | + | |
| 75 | + /* Set TA UUID */ | |
| 76 | + tee_optee_ta_uuid_to_octets(arg.uuid, &uuid); | |
| 77 | + | |
| 78 | + /* Open TA session */ | |
| 79 | + ret = tee_open_session(dev, &arg, 0, NULL); | |
| 80 | + if (ret < 0) { | |
| 81 | + printf("Cannot open session with PTA Blob 0x%X\n", ret); | |
| 82 | + return -1; | |
| 83 | + } | |
| 84 | + | |
| 85 | + /* Allocate shared input and output buffers for TA */ | |
| 86 | + ret = tee_shm_register(dev, (void *)(ulong)src_addr, len / 8, 0x0, &shm_input); | |
| 87 | + if (ret < 0) { | |
| 88 | + printf("Cannot register input shared memory 0x%X\n", ret); | |
| 89 | + goto error; | |
| 90 | + } | |
| 91 | + | |
| 92 | + ret = tee_shm_register(dev, (void *)(ulong)dst_addr, | |
| 93 | + BLOB_SIZE(len / 8) + OPTEE_BLOB_HDR_SIZE, | |
| 94 | + 0x0, &shm_output); | |
| 95 | + if (ret < 0) { | |
| 96 | + printf("Cannot register output shared memory 0x%X\n", ret); | |
| 97 | + goto error; | |
| 98 | + } | |
| 99 | + | |
| 100 | + param[0].u.memref.shm = shm_input; | |
| 101 | + param[0].u.memref.size = shm_input->size; | |
| 102 | + param[0].attr = TEE_PARAM_ATTR_TYPE_MEMREF_INPUT; | |
| 103 | + param[1].u.memref.shm = shm_output; | |
| 104 | + param[1].u.memref.size = shm_output->size; | |
| 105 | + param[1].attr = TEE_PARAM_ATTR_TYPE_MEMREF_OUTPUT; | |
| 106 | + param[2].attr = TEE_PARAM_ATTR_TYPE_NONE; | |
| 107 | + param[3].attr = TEE_PARAM_ATTR_TYPE_NONE; | |
| 108 | + | |
| 109 | + arg_func.func = 0; | |
| 110 | + arg_func.session = arg.session; | |
| 111 | + | |
| 112 | + /* Generate DEK blob */ | |
| 113 | + arg_func.session = arg.session; | |
| 114 | + ret = tee_invoke_func(dev, &arg_func, 4, param); | |
| 115 | + if (ret < 0) | |
| 116 | + printf("Cannot generate Blob with PTA DEK Blob 0x%X\n", ret); | |
| 117 | + | |
| 118 | +error: | |
| 119 | + /* Free shared memory */ | |
| 120 | + tee_shm_free(shm_input); | |
| 121 | + tee_shm_free(shm_output); | |
| 122 | + | |
| 123 | + /* Close session */ | |
| 124 | + ret = tee_close_session(dev, arg.session); | |
| 125 | + if (ret < 0) | |
| 126 | + printf("Cannot close session with PTA DEK Blob 0x%X\n", ret); | |
| 127 | + | |
| 44 | 128 | return ret; |
| 45 | 129 | } |
| 130 | +#endif /* CONFIG_IMX_OPTEE_DEK_ENCAP */ | |
| 46 | 131 | |
| 47 | 132 | /** |
| 48 | 133 | * do_dek_blob() - Handle the "dek_blob" command-line command |
| ... | ... | @@ -57,8 +142,6 @@ |
| 57 | 142 | static int do_dek_blob(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) |
| 58 | 143 | { |
| 59 | 144 | uint32_t src_addr, dst_addr, len; |
| 60 | - uint8_t *src_ptr, *dst_ptr; | |
| 61 | - int ret = 0; | |
| 62 | 145 | |
| 63 | 146 | if (argc != 4) |
| 64 | 147 | return CMD_RET_USAGE; |
| ... | ... | @@ -67,12 +150,7 @@ |
| 67 | 150 | dst_addr = simple_strtoul(argv[2], NULL, 16); |
| 68 | 151 | len = simple_strtoul(argv[3], NULL, 10); |
| 69 | 152 | |
| 70 | - src_ptr = map_sysmem(src_addr, len/8); | |
| 71 | - dst_ptr = map_sysmem(dst_addr, BLOB_SIZE(len/8)); | |
| 72 | - | |
| 73 | - ret = blob_encap_dek(src_ptr, dst_ptr, len); | |
| 74 | - | |
| 75 | - return ret; | |
| 153 | + return blob_encap_dek(src_addr, dst_addr, len); | |
| 76 | 154 | } |
| 77 | 155 | |
| 78 | 156 | /***************************************************/ |
drivers/crypto/fsl/Makefile
| ... | ... | @@ -4,8 +4,7 @@ |
| 4 | 4 | |
| 5 | 5 | obj-y += sec.o |
| 6 | 6 | obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o |
| 7 | -obj-$(CONFIG_CMD_BLOB) += fsl_blob.o | |
| 8 | -obj-$(CONFIG_CMD_DEKBLOB) += fsl_blob.o | |
| 7 | +obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o | |
| 9 | 8 | obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o |
| 10 | 9 | obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o |
include/fsl_sec.h
| ... | ... | @@ -28,6 +28,8 @@ |
| 28 | 28 | #error Neither CONFIG_SYS_FSL_SEC_LE nor CONFIG_SYS_FSL_SEC_BE is defined |
| 29 | 29 | #endif |
| 30 | 30 | |
| 31 | +#define BLOB_SIZE(x) ((x) + 32 + 16) /* Blob buffer size */ | |
| 32 | + | |
| 31 | 33 | /* Security Engine Block (MS = Most Sig., LS = Least Sig.) */ |
| 32 | 34 | #if CONFIG_SYS_FSL_SEC_COMPAT >= 4 |
| 33 | 35 | /* RNG4 TRNG test registers */ |
| ... | ... | @@ -227,8 +229,6 @@ |
| 227 | 229 | #define SG_ENTRY_OFFSET_MASK 0x00001FFF |
| 228 | 230 | #define SG_ENTRY_OFFSET_SHIFT 0 |
| 229 | 231 | }; |
| 230 | - | |
| 231 | -#define BLOB_SIZE(x) ((x) + 32 + 16) /* Blob buffer size */ | |
| 232 | 232 | |
| 233 | 233 | #if defined(CONFIG_MX6) || defined(CONFIG_MX7) || \ |
| 234 | 234 | defined(CONFIG_MX7ULP) || defined(CONFIG_IMX8M) |