drivers: caam: rework the CAAM crypto makefile

Re-work the CAAM crypto makefile to make it more readable.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wikland

drivers: caam: rework the CAAM crypto makefile

Re-work the CAAM crypto makefile to make it more readable.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: remove CFG_NXP_CAAM_ACIPHER compilation flag

Remove useless CFG_NXP_CAAM_ACIPHER compilation flag. This flag acts as
a duplicate of CFG_CRYPTO_DRV_ACIPHER compilation flag.

Signed-of

drivers: caam: remove CFG_NXP_CAAM_ACIPHER compilation flag

Remove useless CFG_NXP_CAAM_ACIPHER compilation flag. This flag acts as
a duplicate of CFG_CRYPTO_DRV_ACIPHER compilation flag.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

core: dt_driver: move related content from dt.h to dt_driver.h

Moves so-called dt_driver related declarations and definitions from
dt.h to dt_drivers.h. Incidentally adds an inline description to
en

core: dt_driver: move related content from dt.h to dt_driver.h

Moves so-called dt_driver related declarations and definitions from
dt.h to dt_drivers.h. Incidentally adds an inline description to
enum dt_driver_type. This change clarifies when a source file shall
include dt.h and/or dt_driver.h.

This change updates driver source files to include none, one or both of
these header files where applicable.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: versal: ecc: allow software fallback on key allocation

The driver only supports ECDH/ECDSA key types. Other key types shall be
entirely handled by a software implementation enabled at compil

crypto: versal: ecc: allow software fallback on key allocation

The driver only supports ECDH/ECDSA key types. Other key types shall be
entirely handled by a software implementation enabled at compile time.

Fixes xtest regression 4006:
regression_4006.43 Asym Crypto case 426 algo 0x80000046 line 373

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: se050: ecc: allow software fallback on key allocation requests

The driver only supports ECDH/ECDSA key types. Other key types shall be
entirely handled by a software implementation enabled a

crypto: se050: ecc: allow software fallback on key allocation requests

The driver only supports ECDH/ECDSA key types. Other key types shall be
entirely handled by a software implementation enabled at compile time.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto_api: acipher: ecc key allocation API, pass the key type

For Elliptic Curve, the cryptographic API can fallback to its software
operation instead of failing due to the lack of hardware support

crypto_api: acipher: ecc key allocation API, pass the key type

For Elliptic Curve, the cryptographic API can fallback to its software
operation instead of failing due to the lack of hardware support.

The relevant code can be see seen in the function
crypto_acipher_alloc_ecc_keypair(..).

crypto_api/acipher/ecc.c however does not pass the key type to the
relevant driver and therefore the backend driver can not take the
correct action at allocation time.

This commit addresses that limitation.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

core: replace _fdt_ prefix with fdt_ for device tree API

As per upstream discussion, there is no reason to keep _fdt_ prefix.
Replaces it with fdt_ for all occurrences.

Signed-off-by: Gatien Cheval

core: replace _fdt_ prefix with fdt_ for device tree API

As per upstream discussion, there is no reason to keep _fdt_ prefix.
Replaces it with fdt_ for all occurrences.

Signed-off-by: Gatien Chevallier <gatien.chevallier@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: caam: disable CFG_CRYPTO_SM2_* when ECC CAAM driver is enabled

Disable CFG_CRYPTO_SM2_PKE and CFG_CRYPTO_SM2_KEP as ECC CAAM driver
does not support ECC encryption.
Disable CFG_CRYPTO_SM2_D

drivers: caam: disable CFG_CRYPTO_SM2_* when ECC CAAM driver is enabled

Disable CFG_CRYPTO_SM2_PKE and CFG_CRYPTO_SM2_KEP as ECC CAAM driver
does not support ECC encryption.
Disable CFG_CRYPTO_SM2_DSA as ECC CAAM driver does not support ECC SM2
signature.

This is a temporary fix until a proper software crypto fallback
is implemented.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: fix MP abstraction layer functions

Compile manufacturing HAL functions only if the platform supports it.

Fixes: d538d2936c22 ("drivers: caam: add manufacturing protection feature")
S

drivers: caam: fix MP abstraction layer functions

Compile manufacturing HAL functions only if the platform supports it.

Fixes: d538d2936c22 ("drivers: caam: add manufacturing protection feature")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: math: add CFG_NXP_CAAM_MATH_DRV compilation flag

Add CFG_NXP_CAAM_MATH_DRV compilation flag for caam_math.c
Remove CFG_NXP_CAAM_ACIPHER_DRV flag.
Bind the compilation of caam_rsa.c an

drivers: caam: math: add CFG_NXP_CAAM_MATH_DRV compilation flag

Add CFG_NXP_CAAM_MATH_DRV compilation flag for caam_math.c
Remove CFG_NXP_CAAM_ACIPHER_DRV flag.
Bind the compilation of caam_rsa.c and caam_prime_rsa.c to
CFG_NXP_CAAM_RSA_DRV.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: add support for SM2_DSA_SM3

Adds TEE_TYPE_SM2_DSA_SM3_PUBLIC_KEY to
drvcrypt_asym_alloc_ecc_public_key() and adds
TEE_TYPE_SM2_DSA_SM3_KEYPAIR to drvcrypt_asym_alloc_ecc_keypair().

drivers: crypto: add support for SM2_DSA_SM3

Adds TEE_TYPE_SM2_DSA_SM3_PUBLIC_KEY to
drvcrypt_asym_alloc_ecc_public_key() and adds
TEE_TYPE_SM2_DSA_SM3_KEYPAIR to drvcrypt_asym_alloc_ecc_keypair(). Adds
support for TEE_MAIN_ALGO_SM2_DSA_SM3 in ecc_sign and ecc_verify.

Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: se050: allow configuring the Secure Element applet

Add CFG_CORE_SE05X_VER to allow configuring the desirable applet
version.
This enables making the driver compatible with newer elements.

drivers: se050: allow configuring the Secure Element applet

Add CFG_CORE_SE05X_VER to allow configuring the desirable applet
version.
This enables making the driver compatible with newer elements.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

se050: ecc: SE050-F shared secret

The SE050-F does not support shared secret generation.
Allow this operation to also fallback to its software implementation.

Fixes: 6cc77cdd73aa ("crypto: drivers:

se050: ecc: SE050-F shared secret

The SE050-F does not support shared secret generation.
Allow this operation to also fallback to its software implementation.

Fixes: 6cc77cdd73aa ("crypto: drivers: se050-f: ecc: can fallback to softw-ops")
Test: xtest regression_4009
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>

show more ...

drivers: crypto: versal: do not use deprecated algorithm macros

The TEE_ALG_ECDSA_P384 and TEE_ALG_ECDSA_P521 constants are deprecated
since commit fe2fd3ff46c0 ("GP131: Add TEE_ALG_ECDH_DERIVE_SHAR

drivers: crypto: versal: do not use deprecated algorithm macros

The TEE_ALG_ECDSA_P384 and TEE_ALG_ECDSA_P521 constants are deprecated
since commit fe2fd3ff46c0 ("GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET
and TEE_ALG_ECDSA_SHA*"). Therefore use TEE_ALG_ECDSA_SHA384 or
TEE_ALG_ECDSA_SHA512 instead (no functional change since the
aforementioned commit made them equal).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: se050: do not use deprecated algorithm macros

The TEE_ALG_ECD{H,SA}_P* constants are deprecated since
commit fe2fd3ff46c0 ("GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and
TEE_ALG_

drivers: crypto: se050: do not use deprecated algorithm macros

The TEE_ALG_ECD{H,SA}_P* constants are deprecated since
commit fe2fd3ff46c0 ("GP131: Add TEE_ALG_ECDH_DERIVE_SHARED_SECRET and
TEE_ALG_ECDSA_SHA*"). Therefore use TEE_ALG_ECDSA_SHA* or
TEE_ALG_ECDH_DERIVE_SHARED_SECRET instead (no functional change since
the aforementioned commit made them equal)

Additional checks tying the curve to the algorithm do not apply anymore
since the key size (defined by the curve constant: TEE_ECC_CURVE_*) is
not the same as the hash size anymore (defined by the algorithm:
TEE_ALG_ECDSA_SHA* or TEE_ALG_ECDH_DERIVE_SHARED_SECRET).

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: caam: add manufacturing protection feature

The CAAM features a "manufacturing protection" functionality.
It is a authentication process used to authenticate the chip to
the OEM's server. Th

drivers: caam: add manufacturing protection feature

The CAAM features a "manufacturing protection" functionality.
It is a authentication process used to authenticate the chip to
the OEM's server. The authentication process can ensure the chip:
* is a genuine NXP part
* is a correct part type
* has been properly fused
* is running a authenticated software
* runs in secure/trusted mode.

Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com>
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in

core: crypto: add support MD5 hashes in RSA sign/verify/cipher

Introduce support of using MD5 hashes in RSA sign/verify/cipher
operations, which is required by AOSP Keymaster.

This is verified in VerificationOperationsTest.RsaSuccess VTS Test [1],
which checks usage of such digests: NONE, MD5, SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512.

This patch has been inspired by commit[2]:

Link: [1] https://android.googlesource.com/platform/hardware/interfaces/+/master/keymaster/3.0/vts/functional/keymaster_hidl_hal_test.cpp
Link: [2] https://github.com/OP-TEE/optee_os/commit/199d0b7310d1705661a106358f1f0b46e4c5c587 ("core: crypto: add support MD5 hashes in RSA sign/verify")
Signed-off-by: Julien Masson <jmasson@baylibre.com>
Signed-off-by: Safae Ouajih <souajih@baylibre.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

show more ...

drivers: crypto: add SM2 ECC encrypt and decrypt

Adds operation handlers for decryption with ECC public keys and
encryption with ECC private keys and implements SM2 curves asymmetric
ciphering.

Sig

drivers: crypto: add SM2 ECC encrypt and decrypt

Adds operation handlers for decryption with ECC public keys and
encryption with ECC private keys and implements SM2 curves asymmetric
ciphering.

Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

drivers: crypto: add SM2 curve in crypto API

Add SM2 curve in function get_ecc_key_size_bytes().

Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.or

drivers: crypto: add SM2 curve in crypto API

Add SM2 curve in function get_ecc_key_size_bytes().

Signed-off-by: Zexi Yu <yuzexi@hisilicon.com>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>

show more ...

drivers: caam: enable the CAAM clock when submitting a new job

Make sure the CAAM clock is running before writing to CAAM registers
when submitting a new CAAM job.
Otherwise, it would generate an OP

drivers: caam: enable the CAAM clock when submitting a new job

Make sure the CAAM clock is running before writing to CAAM registers
when submitting a new CAAM job.
Otherwise, it would generate an OPTEE data-abort.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

drivers: caam: add missing header file

Fix the following warning:

In file included from core/drivers/crypto/caam/hal/imx_8m/hal_cfg.c:8:
core/drivers/crypto/caam/hal/imx_8m/../../include/caam_hal_j

drivers: caam: add missing header file

Fix the following warning:

In file included from core/drivers/crypto/caam/hal/imx_8m/hal_cfg.c:8:
core/drivers/crypto/caam/hal/imx_8m/../../include/caam_hal_jr.h:22:16: warning: ‘enum caam_jr_owner’ declared inside parameter list will not be visible outside of this definition or declaration
22 | enum caam_jr_owner owner);
| ^~~~~~~~~~~~~

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

core: drivers: crypto: caam: Check PKCS_V1_5 decryption buffer size

Check if original buffer is large enough for a result of
RSA PKCS_V1_5 decryption operation.
With this change PKCS11 variable leng

core: drivers: crypto: caam: Check PKCS_V1_5 decryption buffer size

Check if original buffer is large enough for a result of
RSA PKCS_V1_5 decryption operation.
With this change PKCS11 variable length buffers are supported
for all RSA operations:
- Crypto API checks it for PKCS_V1_5 and OAEP encryptions.
- OAEP decryption already supports it.

This fixes: https://github.com/OP-TEE/optee_os/issues/5841

Acked-by: Clement Faure <clement.faure@nxp.com>
Signed-off-by: Anton Antonov <Anton.Antonov@arm.com>

show more ...

versal: enable the crypto driver

The crypto driver API provides an extra indirection level to enable
different ciphers.

Since Versal ACAP supports acipher and authenc, enable them.

Falling-back to

versal: enable the crypto driver

The crypto driver API provides an extra indirection level to enable
different ciphers.

Since Versal ACAP supports acipher and authenc, enable them.

Falling-back to software operations (RSA sign/verify) triggers a
fault detection; we will disable this config while a solution is
found.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: versal: rsa: only support sign/verify operations

RSA encryption/decryption is not supported (the PLM does not
return the size of the encrypted/decrypted buffers).

Signed-off-by: Jorge Ramir

crypto: versal: rsa: only support sign/verify operations

RSA encryption/decryption is not supported (the PLM does not
return the size of the encrypted/decrypted buffers).

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...

crypto: versal: ecc: sign/verify fix

Both the message (hash) and the generated signatures must be swapped.

The following custom tests were executed for P384 (prime384v1) and
P521 (nistp521) curves.

crypto: versal: ecc: sign/verify fix

Both the message (hash) and the generated signatures must be swapped.

The following custom tests were executed for P384 (prime384v1) and
P521 (nistp521) curves.

Signing and verifying using pkcs#11 alone (ie like done in xtest) was
not sufficient to capture this bug.

PTOOL='pkcs11-tool --module /usr/lib/libckteec.so.0.1.0'
SO_PIN=55555555
PIN=44444444
FILE=hello

printf "OP-TEE: create key pair"
$PTOOL --id 01 --label ldts --token-label fio --pin $PIN \
--keypairgen \
--key-type EC:prime384v1

printf "OP-TEE: read the public key"
$PTOOL -l --pin $PIN --id 01 \
--read-object --type pubkey --output-file pubkey.spki

printf "Openssl: export key to PEM"
openssl ec -inform DER -outform PEM -in pubkey.spki -pubin > pubkey.pub

printf "Create file to sign"
echo "hello world" > $FILE

printf "OpenSSL: create the file sha384"
openssl dgst -binary -sha384 $FILE > $FILE.hash

printf "OP-TEE: generate signature "
$PTOOL --pin $PIN --id 01 --label ldts --token-label fio \
--sign
--input-file $FILE.hash
--output-file $FILE.sig
--mechanism ECDSA
-f openssl

printf "OpenSSL: verify signature"
openssl dgst -sha384 -verify pubkey.pub -signature "$FILE".sig "$FILE"

printf "OP-TEE: verify signature"
$PTOOL --pin $PIN --id 01 --label ldts --token-label fio \
--verify \
--input-file $FILE.hash \
--signature-format openssl \
--signature-file $FILE.sig \
--mechanism ECDSA

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

show more ...