| 1fecc0af | 26-Oct-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: SCP03 enabled only session.
The SE050F FIPS 140-2 certified device makes SCP03 mandatory from boot.
To support this use case, we introduce CFG_CORE_SCP03_ONLY. Its functionality is described in crypto.mk.
Some information regarding the SE050F device below [1]
[1] https://www.nxp.com/docs/en/application-note/AN12436.pdf
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| f5dede41 | 27-Oct-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: add support for the SE050F
Add the SCP03 keys to support the NXP SE050F device
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| db7fcee3 | 27-Oct-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: fix SE050F2 identifier
Used the wrong identifier for the SE050F2 board. This would cause the SCP03 symmetric keys to be rejected by the Secure Element and so the secure session could not be started.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| f3eff2ed | 04-Jul-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
core: crypto-api: rsa: pass algorithm to implementation
This is required for drivers that might only support some of the algorithms and want to delegate the operation to their software implementations
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
| 6301ca1c | 24-Sep-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: se050: updates to the crypto object deletion interface
Keys created on the Secure Element NVM via the PKCS#11 TA are removed by scanning the data buffer holding the reference to the key during the release of the object.
The storage allocated to hold those keys (ECC/RSA) is always below the page size length which seems like a reasonable figure to use for future extensions.
- This commit avoids scanning objects larger than that length.
This commit also updates the interface to delegate the actual handling of the object to the crypto driver instead of passing just the raw data contained in the object.
The cryptographic layer is also being allowed to block the deletion of the object. This is to cover the scenario where the I2C device is not accessible while a reference to the key is being removed from the secure storage in the filesystem.
Incidentally also fixes regression 6018: this test releases an object of size 0xA0000 which can't be scanned due to this part of the code hitting an Out of Memory condition.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 14b14d5a | 18-Aug-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
se050: glue: i2c_stm32
To add support in the device tree - since the NXP SE05x device node has not been agreed yet - the user must provide an alias to the bus where the device is located.
Once the SE05X node has been agreed, support will be added to all OP-TEE supported platforms.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 39008932 | 04-Jul-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto_api: acipher: correct ECC NIST-P521 key size
NIST P521 uses 521-bit private keys.
This change might impact platforms that expect a certain alignment on the key size (i.e. CAAM)
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ac3facb9 | 29-Aug-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: caam: ecc: key size must be a multiple of 8
Enforce the alignment required by the CAAM hardware.
Notice that the NIST-P521 curve uses a 521 bit private key hence why this change is needed.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| e3c7f166 | 04-Jul-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto-api: rsassa: pass algorithm to implementation
This is required for drivers that might only support some of the algorithms.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
|
| 613c6309 | 13-Aug-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: se050: optional I2C access via trampoline
Platforms with secure I2C buses (i.e: STM32MP1) or those with only a secure element on the bus might prefer not to delegate the I2C traffic to the REE.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 6b8ebe45 | 29-Apr-2022 |
Andrew Davis <afd@ti.com> |
drivers: se050: rng: Switch to hw_get_random_bytes()
hw_get_random_byte() is no longer used. The default crypto_rng_read() calls hw_get_random_bytes() now so we do not need to override this and can simply implement just hw_get_random_bytes().
Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| e7d4dea3 | 29-Apr-2022 |
Andrew Davis <afd@ti.com> |
drivers: caam: rng: Switch to hw_get_random_bytes()
hw_get_random_byte() is no longer used. The default crypto_rng_read() calls hw_get_random_bytes() now so we do not need to override this and can simply implement just hw_get_random_bytes().
Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 837adc0a | 28-Jun-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: increase the minimum entropy delay the imx6sx
The i.MX6SX requires to start the RNG instantiation at a higher entropy delay to provide a stable RNG generation and avoid RNG hardware errors.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 868937ee | 30-May-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: map the CAAM registers with the CAAM_SIZE value
Add the CAAM register MMU mapping with the appropriate size CAAM_SIZE.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| b97479cb | 08-Jun-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: se050: scp: add support for more boards
Add the board specific persistent keys required to establish the SCP03 sessions with the secure element.
See https://www.nxp.com/docs/en/application-note/AN12436.pdf
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 8dafb568 | 15-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: set OTP as master key
Before the CAAM initialization, set the OTP as the SNVS master key if the device is in closed state.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 8f82771b | 28-Oct-2021 |
Franck LENORMAND <franck.lenormand@nxp.com> |
drivers: caam: fix cache operation on SGT table
The cache operation of the SGT table in caam_sgt_derive() was wrong and it did not take into account the CAAM "burst" defined by the value CFG_CAAM_SGT_ALIGN. The cache operation of the SGT table in caam_sgt_cache_op() is done correctly however.
This patch adds caam_sgt_entries_cache_clean() to do this operation and avoid implementation errors.
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 00df7d99 | 24-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: crypto: remove unnecessary header
Remove the following header:
* utee_defines.h
Fixes: f5a70e3e ("drivers: crypto: generic resources for crypto device driver - RSA")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 74bd878e | 24-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: crypto: remove unnecessary header
Remove the following header:
* utee_defines.h
Fixes: e43ab7a8 ("core: driver: generic resources for crypto cipher driver")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 27f7b883 | 24-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: remove unnecessary header
Remove the following header:
* caam_utils_mem.h
Fixes: 2d7a8964 ("driver: implement CAAM driver")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ca430e6e | 24-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: fix potential memory leak
Free CAAM buffer pabufs before exiting the function in case of an error.
Fixes: 38923d487 ("drivers: caam: implement CAAM DMA Object")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 1ae3ec2d | 24-Mar-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: avoid arithmetic operation for pointer assignment
To parse the pointer array priv->sgtdata[], use this syntax array[idx] instead of array + idx. The new syntax is easier to read and less prone to errors.
Fixes: 38923d48 ("drivers: caam: implement CAAM DMA Object")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| ca1d8e13 | 25-Apr-2022 |
Neal Liu <neal_liu@aspeedtech.com> |
drivers: crypto: aspeed: hace: fix digest incorrect problem
1. The processing status variable is not set to TEE_SUCCESS if everything works fine.
2. DMA memory needs physically contiguous memory. Allocate aligned DMA memory and copy data from/to DMA memory to make sure consistency of data.
Signed-off-by: Neal Liu <neal_liu@aspeedtech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 0c2a8f2f | 25-Apr-2022 |
Neal Liu <neal_liu@aspeedtech.com> |
drivers: crypto: aspeed: hace: resolve build issues
Resolve various build and typo issues.
Fixes: commit e752c173aa0f ("crypto/aspeed: ast2600: Add HACE HW hash support")
Signed-off-by: Neal Liu <neal_liu@aspeedtech.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 0e467cb0 | 13-Apr-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: add JR interrupt only if CFG_CAAM_ITR=y
Adding the JR interrupt in the OPTEE CAAM driver, even if not used in OPTEE, prevents the Linux CAAM driver from using the JR interrupt on platforms sharing the same line of interruption for all job rings.
To dequeue job from the job ring, the Linux CAAM driver would pull the number of jobs done from the output ring slot full register.
The fix is to add the JR interrupt only if CFG_CAAM_ITR=y. This allows the Linux CAAM driver to dequeue jobs faster than polling from a register.
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|