History log of /optee_os/core/drivers/crypto/caam/crypto.mk (Results 1 – 17 of 17)
Revision Date Author Comments
# 95eea104 04-Apr-2024 Olivier Masse <olivier.masse@nxp.com>

drivers: caam: introduce AE_CCM and AE_GCM compilation flags

imx6dl-sabresd, imx6q-sabresd, imx6sx-sdb do not support AES GCM

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# faaf0c59 01-Jan-2024 Olivier Masse <olivier.masse@nxp.com>

drivers: caam: Add AES GCM

Implement CAAM AES GCM

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# ba7db6e0 14-Nov-2024 Sahil Malhotra <sahil.malhotra@nxp.com>

drivers: caam: enable/disable prediction resistance based on CONFIG flag

With prediction resistance enabled, on every random number request
CAAM is forced to do reseeding of DRBG, which is a time-taking process
that leads to lower random number generation performance.
So, to give the user the flexibility to enable/disable this feature, a flag
CFG_CAAM_RNG_RUNTIME_PR is introduced.
By default it will be disabled, and the user can enable it as per their
requirement.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# cf865357 04-Nov-2024 Sahil Malhotra <sahil.malhotra@nxp.com>

drivers: caam: fix CFG_CORE_BIGNUM_MAX_BITS

CFG_CORE_BIGNUM_MAX_BITS should be 4576
4096 (RSA Max key size) +
8 * 60 (Header serialization and Black blob overhead in bytes)

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# 1495f6c4 20-Mar-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: add CAAM key driver

Add CAAM key driver and CAAM key object.
Add key blob encapsulation methods.
Add key serialize and deserialize functions for bignum encapsulation.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# 6f3fc053 18-Jan-2024 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: caam: sm2 operation fallback

Fall back to software operations for SM2.

Reverts the temporary solution implemented in commit '3489781e9072
("drivers: caam: disable CFG_CRYPTO_SM2_* when ECC CAAM driver is
enabled")'.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>


# 91e9a1b5 04-Jan-2024 Sahil Malhotra <sahil.malhotra@nxp.com>

drivers: caam: Fix for TLS1.3 handshake failure

There is a limitation on some i.MX8M series platforms.
When the input is marked as a hash value, it is moved first into
the Class 2 Context Register, which is only 40 bytes long.
From there, it is copied into the PKHA.
If the hash is more than 40 bytes, the extra bytes become zero, which is not
a proper message representative, so signature generation/verification
goes wrong.

This makes a limitation when the hash size is longer than 40 bytes
and the signature component/private key size is longer than 40 bytes.
As a workaround, when the input is marked as a message representative,
a different path is taken to bring the value into CAAM,
and the value stays intact.

CFG_NXP_CAAM_C2_CTX_REG_WA config flag is added to enable/disable
this workaround.
Currently it is enabled by default for i.MX8M platforms.

Fixes: 4b383f736e9e ("drivers: caam: implement NXP CAAM Driver - DSA")
Fixes: 503b5c013761 ("drivers: caam: implement NXP CAAM Driver - ECC")
Link: https://github.com/OP-TEE/optee_os/issues/6492
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# 7a5015dd 28-Jun-2023 Rouven Czerwinski <r.czerwinski@pengutronix.de>

drivers: caam: provide plat_rng_init if CFG_WITH_SOFTWARE_PRNG=y

With CFG_NXP_CAAM_RNG_DRV enabled, OP-TEE will use the CAAM
to generate random numbers. Normal world access to the RNG is still
possible as the CAAM is TrustZone aware and provides multiple separate
job rings.

For complete isolation, however, access to CAAM reset and clocks needs to
be managed as well. This could be done in theory by restricting access
to the reset and clock controller peripherals to the secure world and
exporting limited access to some resources via SCMI. There is no such
support yet for the i.MX and thus some setups may prefer to avoid using
the CAAM in OP-TEE to stay safe from normal world inducing glitches.

These setups may still need random numbers in OP-TEE. Therefore, have them
access the CAAM only once at startup to initialize OP-TEE's PRNG and
defer subsequent use of the CAAM to the normal world, whenever
CFG_WITH_SOFTWARE_PRNG=y.

Reviewed-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>


# 0b1eafde 07-Nov-2023 Clement Faure <clement.faure@nxp.com>

drivers: crypto: caam: fix job ring interruption number

The job ring interruption number is 356 for job ring 3.

Fixes: b21f12209671 ("drivers: crypto: caam: use job ring 3 on i.mx8dxlevk")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>


# b21f1220 02-Nov-2023 Clement Faure <clement.faure@nxp.com>

drivers: crypto: caam: use job ring 3 on i.mx8dxlevk

Use the job ring #3 on i.mx8dxl to avoid resource conflict with other
software stacks.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>


# 21f58962 05-Oct-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: add support for mx8dxl

Add support for mx8dxl platforms.
The HAL support is identical to mx8qm/qxp platforms.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>


# 280dd882 02-Jun-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: add DEK blob support

The CAAM can generate a specific key blob called DEK blob - Data
Encryption Key blob. It encapsulates and encrypts the plain text key used
to encrypt the boot image. This blob is decapsulated by the HAB - High
Assurance Boot - at boot to decrypt the boot image.

The DEK blob is a specific CAAM blob as it requires a header and the key
must be encapsulated from the CAAM secure memory.

Enable the CAAM DEK blob support on imx8m platforms.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# de7aa18d 28-Mar-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: rework the CAAM crypto makefile

Re-work the CAAM crypto makefile to make it more readable.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# b6bdf694 13-Apr-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: remove CFG_NXP_CAAM_ACIPHER compilation flag

Remove useless CFG_NXP_CAAM_ACIPHER compilation flag. This flag acts as
a duplicate of CFG_CRYPTO_DRV_ACIPHER compilation flag.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# 3489781e 05-Apr-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: disable CFG_CRYPTO_SM2_* when ECC CAAM driver is enabled

Disable CFG_CRYPTO_SM2_PKE and CFG_CRYPTO_SM2_KEP as ECC CAAM driver
does not support ECC encryption.
Disable CFG_CRYPTO_SM2_DSA as ECC CAAM driver does not support ECC SM2
signature.

This is a temporary fix until a proper software crypto fallback
is implemented.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>


# d538d293 23-Jan-2023 Clement Faure <clement.faure@nxp.com>

drivers: caam: add manufacturing protection feature

The CAAM features a "manufacturing protection" functionality.
It is an authentication process used to authenticate the chip to
the OEM's server. The authentication process can ensure the chip:
* is a genuine NXP part
* is a correct part type
* has been properly fused
* is running authenticated software
* runs in secure/trusted mode.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>


# 64d3c0c2 08-Sep-2022 Olivier Masse <olivier.masse@nxp.com>

plat-imx, plat-ls: replace crypto_conf.mk by common drivers/crypto/caam/crypto.mk

Move the platform-specific conf file to the crypto drivers one.
CFG_CRYPTO_DRIVER should be defined in the driver conf file
instead of the platform configuration file.

Signed-off-by: Olivier Masse <olivier.masse@nxp.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
