| b0946e1d | 09-Mar-2023 |
Thomas BOURGOIN <thomas.bourgoin@foss.st.com> |
drivers: stm32mp15_huk: use DT HUK NVMEM layout API
Adds the possibility to get the HUK from OTP definition in the device tree using the function stm32_bsec_find_otp_in_nvmem_layout().
Signed-off-by: Thomas BOURGOIN <thomas.bourgoin@foss.st.com>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| db8ca286 | 24-Mar-2023 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
se050: ecc: SE050-F shared secret
The SE050-F does not support shared secret generation. Allow this operation to also fallback to its software implementation.
Fixes: 6cc77cdd73aa ("crypto: drivers: se050-f: ecc: can fallback to softw-ops")
Test: xtest regression_4009
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| f60c6b9c | 26-Jan-2023 |
Clement Faure <clement.faure@nxp.com> |
drivers: imx_ele: add ELE driver
Add EdgeLock Enclave (or ELE) driver support. ELE is a built-in security subsystem available on imx8ulp and imx93 providing security features to the Cortex-A.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 088116c9 | 24-Feb-2023 |
Clement Faure <clement.faure@nxp.com> |
drivers: imx_mu: add support for imx93
Add MU support for imx93.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 1a3d47c5 | 08-Mar-2023 |
Etienne Carriere <etienne.carriere@linaro.org> |
clk: stm32mp15: embed clock names only in debug mode
Don't embed clock names when not in debug mode, even when log level is DEBUG_LEVEL. This saves a few bytes of SYSRAM for the pager.
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 9cf576a9 | 06-Mar-2023 |
Jerome Forissier <jerome.forissier@linaro.org> |
drivers: crypto: versal: do not use deprecated algorithm macros
The TEE_ALG_ECDSA_P384 and TEE_ALG_ECDSA_P521 constants are deprecated since commit fe2fd3ff46c0 ("GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and TEE_ALG_ECDSA_SHA*"). Therefore use TEE_ALG_ECDSA_SHA384 or TEE_ALG_ECDSA_SHA512 instead (no functional change since the aforementioned commit made them equal).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 53af8d70 | 06-Mar-2023 |
Jerome Forissier <jerome.forissier@linaro.org> |
drivers: crypto: se050: do not use deprecated algorithm macros
The TEE_ALG_ECD{H,SA}_P* constants are deprecated since commit fe2fd3ff46c0 ("GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and TEE_ALG_ECDSA_SHA*"). Therefore use TEE_ALG_ECDSA_SHA* or TEE_ALG_ECDH_DERIVE_SHARED_SECRET instead (no functional change since the aforementioned commit made them equal).
Additional checks tying the curve to the algorithm do not apply anymore since the key size (defined by the curve constant: TEE_ECC_CURVE_*) is not the same as the hash size anymore (defined by the algorithm: TEE_ALG_ECDSA_SHA* or TEE_ALG_ECDH_DERIVE_SHARED_SECRET).
Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 442c670a | 19-Dec-2022 |
Clément Léger <clement.leger@bootlin.com> |
drivers: atmel_tcb: Use matrix_dt_get_id() to correctly retrieve the id
Use matrix_dt_get_id() instead of manual address parsing to determine which matrix ID is to be used. Previously it was plain wrong since it compared a virtual address to a physical one and thus computed a wrong value.
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| d538d293 | 23-Jan-2023 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: add manufacturing protection feature
The CAAM features a "manufacturing protection" functionality. It is an authentication process used to authenticate the chip to the OEM's server. The authentication process can ensure the chip:
* is a genuine NXP part
* is a correct part type
* has been properly fused
* is running authenticated software
* runs in secure/trusted mode.
Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| f5c3d85a | 01-Dec-2020 |
Julien Masson <jmasson@baylibre.com> |
core: crypto: add support MD5 hashes in RSA sign/verify/cipher
Introduce support of using MD5 hashes in RSA sign/verify/cipher operations, which is required by AOSP Keymaster.
This is verified in VerificationOperationsTest.RsaSuccess VTS Test [1], which checks usage of such digests: NONE, MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512.
This patch has been inspired by commit [2]:
Link: [1] https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
Link: [2] https://github.com/OP-TEE/optee_os/commit/199d0b7310d1705661a106358f1f0b46e4c5c587 ("core: crypto: add support MD5 hashes in RSA sign/verify")
Signed-off-by: Julien Masson <jmasson@baylibre.com>
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 2c952266 | 09-Mar-2023 |
Neal Frager <neal.frager@amd.com> |
core: drivers: zynqmp_csu_puf.c: increase regen time to 6ms
With further evaluation of the ZU+ PUF, we have determined that it is possible for the PUF regeneration time to exceed 3ms. For this reason, the 2023.1 version of the Xilinx xilskey library will bump the wait time for PUF regeneration to 6ms. This patch brings optee in line with this change.
Signed-off-by: Neal Frager <neal.frager@amd.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
|
| f4f85ac7 | 27-Feb-2023 |
Zexi Yu <yuzexi@hisilicon.com> |
drivers: crypto: add SM2 ECC encrypt and decrypt
Adds operation handlers for decryption with ECC public keys and encryption with ECC private keys and implements SM2 curves asymmetric ciphering.
Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
| 769cbbd7 | 07-Feb-2023 |
Zexi Yu <yuzexi@hisilicon.com> |
drivers: crypto: add SM2 curve in crypto API
Add SM2 curve in function get_ecc_key_size_bytes().
Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
| a3cfa14a | 23-Apr-2021 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: enable the CAAM clock when submitting a new job
Make sure the CAAM clock is running before writing to CAAM registers when submitting a new CAAM job. Otherwise, it would generate an OPTEE data-abort.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 316fd6e9 | 23-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: add missing header file
Fix the following warning:
In file included from core/drivers/crypto/caam/hal/imx_8m/hal_cfg.c:8:
core/drivers/crypto/caam/hal/imx_8m/../../include/caam_hal_jr.h:22:16: warning: ‘enum caam_jr_owner’ declared inside parameter list will not be visible outside of this definition or declaration
   22 |         enum caam_jr_owner owner);
      |              ^~~~~~~~~~~~~
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 9740df77 | 04-Apr-2022 |
Clément Léger <clement.leger@bootlin.com> |
drivers: clk: sam: remove hard coded USB clock setup
Now that USB clock is exposed and usable from the device-tree, we can rely on the "assigned-clock" properties that have been added in the device-tree.
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 90dee57a | 04-Apr-2022 |
Clément Léger <clement.leger@bootlin.com> |
drivers: clk: sam: export audiopll_fracck and usbck
This allows to modify the clocks rate and parents from the device-tree using assigned-clock-parents/rate properties rather than hardcoding the clocks rate.
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| c0e9e857 | 04-Apr-2022 |
Clément Léger <clement.leger@bootlin.com> |
drivers: clk: sam: add a macro for count of main clocks
Add a macro instead of using clock index name to define the count of main clocks. This will ease the changes when exposing new clocks.
Signed-off-by: Clément Léger <clement.leger@bootlin.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 8ac3cb37 | 22-Feb-2023 |
Anton Antonov <Anton.Antonov@arm.com> |
core: drivers: crypto: caam: Check PKCS_V1_5 decryption buffer size
Check if original buffer is large enough for a result of RSA PKCS_V1_5 decryption operation. With this change PKCS11 variable length buffers are supported for all RSA operations:
- Crypto API checks it for PKCS_V1_5 and OAEP encryptions.
- OAEP decryption already supports it.
This fixes: https://github.com/OP-TEE/optee_os/issues/5841
Acked-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>
|
| cf8bb459 | 10-Jan-2023 |
Etienne Carriere <etienne.carriere@linaro.org> |
drivers: stm32_*: remove code for when DT is not supported
This change removes implementation managing cases when CFG_EMBED_DTB or CFG_DT are disabled. This change aims to simplify source files and is related to commit [1] from which stm32mp1 platform requires DTB for the drivers configuration.
Link: [1] 474ad1856b56 ("plat-stm32mp1: conf: mandate the use of device tree on STM32MP1x platforms")
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 2234f3c9 | 26-Jan-2023 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
versal: enable the crypto driver
The crypto driver API provides an extra indirection level to enable different ciphers.
Since Versal ACAP supports acipher and authenc, enable them.
Falling-back to software operations (RSA sign/verify) triggers a fault detection; we will disable this config while a solution is found.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 2b83a595 | 01-Feb-2023 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: versal: rsa: only support sign/verify operations
RSA encryption/decryption is not supported (the PLM does not return the size of the encrypted/decrypted buffers).
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| e8bbd0e0 | 30-Jan-2023 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: versal: ecc: sign/verify fix
Both the message (hash) and the generated signatures must be swapped.
The following custom tests were executed for P384 (prime384v1) and P521 (nistp521) curves.
Signing and verifying using pkcs#11 alone (ie like done in xtest) was not sufficient to capture this bug.
PTOOL='pkcs11-tool --module /usr/lib/libckteec.so.0.1.0'
SO_PIN=55555555
PIN=44444444
FILE=hello
printf "OP-TEE: create key pair"
$PTOOL --id 01 --label ldts --token-label fio --pin $PIN \
    --keypairgen \
    --key-type EC:prime384v1
printf "OP-TEE: read the public key"
$PTOOL -l --pin $PIN --id 01 \
    --read-object --type pubkey --output-file pubkey.spki
printf "Openssl: export key to PEM"
openssl ec -inform DER -outform PEM -in pubkey.spki -pubin > pubkey.pub
printf "Create file to sign"
echo "hello world" > $FILE
printf "OpenSSL: create the file sha384"
openssl dgst -binary -sha384 $FILE > $FILE.hash
printf "OP-TEE: generate signature "
$PTOOL --pin $PIN --id 01 --label ldts --token-label fio \
    --sign --input-file $FILE.hash --output-file $FILE.sig --mechanism ECDSA -f openssl
printf "OpenSSL: verify signature"
openssl dgst -sha384 -verify pubkey.pub -signature "$FILE".sig "$FILE"
printf "OP-TEE: verify signature"
$PTOOL --pin $PIN --id 01 --label ldts --token-label fio \
    --verify \
    --input-file $FILE.hash \
    --signature-format openssl \
    --signature-file $FILE.sig \
    --mechanism ECDSA
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| f1e5a92f | 20-Dec-2022 |
Andrew Mustea <andrew.mustea@microsoft.com> |
core: drivers: nxp: always disable povdd after trying to fuse the SFP
- The LX series manual specifies that the POVDD pin should always be reset to GND before powering off or resetting the SoC.
- The SFP driver will leave the POVDD pin raised if it encounters an error while fusing.
- Change SFP driver to always unset POVDD after any fuse attempt.
Signed-off-by: Andrew Mustea <andrew.mustea@microsoft.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
|
| 999da91a | 20-Dec-2022 |
Andrew Mustea <andrew.mustea@microsoft.com> |
core: drivers: nxp: bit shift the ITS and SB bits when reading the SFP
- The Intent to Secure (ITS) and Secure Boot (SB) flags are written to a given pointer in ls_sfp_get_its() and ls_sfp_get_sb() respectively.
- The written values are equivalent to the entire masked OSPR0 and OSPR1 registers.
- The two functions should instead update a pointer with a boolean integer containing the bit shifted value of the desired flag.
Signed-off-by: Andrew Mustea <andrew.mustea@microsoft.com>
Reviewed-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|