| 497dbec8 | 05-Apr-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: fix function definition when CFG_CAAM_NO_ITR=y
There is a bug in the CAAM JR interruption enablement logic. When CFG_CAAM_NO_ITR=y, the JR interruptions are used and when CFG_CAAM_NO_ITR=n, the JR interruptions are not used.
Even with this wrong logic, the CAAM is still able to enqueue jobs. When no JR interruptions are received, the CAAM will manually dequeue jobs from the jobring by checking the number of jobs done in the output ring slots full register.
CAAM JR interruptions are not mandatory for the CAAM to work properly but it makes the dequeuing faster than polling the output ring slot full register.
To avoid confusion, replace CFG_CAAM_NO_ITR with CFG_CAAM_ITR. The CFG_CAAM_ITR is enabled by default and platforms not using the JR interruptions would have this flag disabled instead.
Fixes: 3f45afc31 ("drivers: caam: disable the use of interrupts for some platforms") Signed-off-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
|
| 9c8e1436 | 23-Feb-2022 |
Etienne Carriere <etienne.carriere@linaro.org> |
drivers: crypto: stm32_cryp: fix coding style issues
Removes spurious space characters in stm32_cryp driver implementation to conform with optee_os coding style.
Reviewed-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 8b826c3b | 23-Feb-2022 |
Etienne Carriere <etienne.carriere@linaro.org> |
drivers: crypto: stm32_cryp: probe as a dt_driver
Changes stm32_cryp driver to register as a DT driver and support probe deferral on clock and reset controller resources.
Acked-by: Jerome Forissier <jerome@forissier.org> Reviewed-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 047c4fe1 | 23-Feb-2022 |
Etienne Carriere <etienne.carriere@linaro.org> |
drivers: crypto: stm32_cryp: use rstctrl resources
Changes stm32_cryp driver to use rstctrl resources. Driver panics upon rstctrl_dt_get_by_index() failure, even in case of driver probe deferral error as stm32_cryp is not yet defined as a DT_DRIVER. Such port is out of the scope of this change.
Acked-by: Jerome Forissier <jerome@forissier.org> Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 997ff827 | 08-Jun-2020 |
Cedric Neveux <cedric.neveux@nxp.com> |
drivers: crypto: add parameter checks for RSA signature
Add size check in the crypto driver for RSA sign and verify functions. For both functions, the encoded message length has some size constraints [1].
[1]: Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography https://datatracker.ietf.org/doc/html/rfc3447#section-9.1.1
Fixes: f5a70e3ef ("drivers: crypto: generic resources for crypto device driver - RSA") Signed-off-by: Cedric Neveux <cedric.neveux@nxp.com> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| d7bbf3bd | 18-Feb-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: crypto: se050: panic on initialization error
Failure to initialize the SE05x device is a critical operation as it will effectively disable ciphers configured at build time.
This also matches the behaviour implemented by the other crypto drivers.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| e752c173 | 11-Feb-2022 |
Chia-Wei Wang <chiawei_wang@aspeedtech.com> |
crypto/aspeed: ast2600: Add HACE HW hash support
Aspeed AST2600 Hash and Crypto Engine (HACE) is designated to accelerate the throughput of hash and symmetric encryption/decryption.
This patch adds the driver support for AST2600 HACE to provide HW-assisted hash for the SHA family. The initial driver structure for Aspeed crypto engines is also constructed.
Signed-off-by: Chia-Wei Wang <chiawei_wang@aspeedtech.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 4ff2ce81 | 04-Dec-2019 |
Franck LENORMAND <franck.lenormand@nxp.com> |
drivers: caam: instantiate RNG state handle with prediction resistance
Instantiate RNG state handles with Prediction Resistance (PR) support. This way SW further downstream (e.g. Rich OS, boot loader etc.) is able to use the "PR" bit in RNG generation descriptors (forcing TRNG re-seeding before PRNG / DRBG outputs random data).
Note: current patch does not deal with RNG state handles that have already been initialized, but without PR support (this could happen if U-boot would run before OP-TEE etc.). In this case, RNG state handle would have to be deinstantiated first, and then reinstantiated with PR support.
Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com> Signed-off-by: Horia Geantă <horia.geanta@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 44a3128b | 22-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: remove implicit dependency
The SE05X device is platform independent and therefore does not need the iMX I2C driver but the actual driver for the particular platform is connected into.
Implementing these changes required a fix in the Plug-and-Trust tree (the addition of a missing dependency), therefore we will also bump the Plug-and-Trust version used in the Azure pipeline.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| f7132b5d | 20-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: rsa: sign_ssa error handling
SE NVM keys shall only be deleted using either the pkcs#11 interface (if the key was created by pkcs#11) or the free_keypair crypto API interface and never as a result of some error handling operation.
Notice that calling free_keypair will invalidate any copy made of that keypair since the keypair for a SE only holds a handle to the key stored in the SE NVM.
Fixes: a3ca687d03b4 ("drivers: implement se050 driver") Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 0e83aead | 17-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: rsa: decrypt_es, validate the output buffer
The size of the decrypted output is not known until decryption has happened.
Use an intermediate buffer large enough to guarantee that the decrypted message will fit.
This allows the driver to validate the size of the output buffer passed in the interface.
Fixes: xtest pkcs11_1023
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 25c616ab | 10-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: rsa: fix OAEP and revert regression
Revert a regression introduced in the encrypt operation when swapping buffers (fixes part of 'commit e1c70d7c88ab ("crypto: drivers: se050: fix rsa encrypt/decrypt")').
Fix misuse of the hash_algo field during OAEP encrypt/decrypt.
All tests passing
* xtest -t regression 4006
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 46219273 | 12-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: rsa: add RSA_NOPAD enc/dec support
Commit 8563cdc537a9 ("drivers: crypto: se050: limitations to RSA crypto") removed RSA_NOPAD support based on the Plug And Trust MW documentation, Release v02,14,00 (Apr 03, 2020).
That documentation was incorrect as RSA_NOPAD is indeed supported by the secure element as described in the SE050 APDU specification [1], section 4.3.14, table 32.
This commit restores the functionality and fixes previous bugs.
Validated on xtest 4006 and 4011.
[1] https://www.nxp.com/docs/en/application-note/AN12413.pdf
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jens Wiklander <jens.wiklander@linaro.org> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| e62c30da | 31-May-2021 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: add imx8ulp CAAM HAL
Add imx8ulp CAAM HAL functions.
Signed-off-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org> |
| 3f45afc3 | 19-Jan-2022 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: disable the use of interrupts for some platforms
On some i.MX platforms, all CAAM JRs share the same line of interrupts. To avoid conflicts with the other job ring owners, skip the enable/disable of job ring interruptions in OP-TEE CAAM driver.
Signed-off-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| c212a6ee | 17-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: ecc sign/verify padding
Pad small messages with zeroes during sign/verify.
Fixes xtest pkcs11_1019.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
|
| 86010d2a | 18-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: crypto: se050: build Plug-and-Trust using the TEE makefiles
Building the Plug-and-Trust library required building OP-TEE first in order to get some architecture specific definitions. This makes the integration with yocto metas unnecessarily complex.
The following commit simplifies the build sequence: the user would need to clone the Plug-and-Trust tree [1] to an accessible location in the filesystem and then build OP-TEE as usual passing the path to the Plug-and-Trust tree in CFG_NXP_SE05X_PLUG_AND_TRUST.
[1] https://github.com/foundriesio/plug-and-trust.git
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| 833c7e36 | 13-Mar-2020 |
Remi Koman <remi.koman@nxp.com> |
drivers: caam: fix aligned buffer allocation for DMA
For aligned memory buffer and DMA CAAM access, the allocated buffer size must be rounded up to a certain value depending on the DMA behaviour on the platform. For the imx8qm/qxp, the allocated aligned buffer size must be rounded up to 4 bytes.
Signed-off-by: Remi Koman <remi.koman@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 869e41bf | 06-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: ecc shared secret
Allow clients to inject their own keypairs to derive the secret - the previous implementation only allowed for secure element NVM based keypairs to be used.
By default, the secure element does not store all the possible EC curves in its internal memory; however attempting to inject a keypair when the curve is not in the secure element would cause the injection to fail.
This commit addresses that situation by generating those curves in the SE whenever they are not available.
Tested with TEE_ALG_ECDH_P192, TEE_ALG_ECDH_P224, TEE_ALG_ECDH_P256 and TEE_ALG_ECDH_P384 and TEE_ALG_ECDH_P521 (xtest 4009 passing)
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| 45f25897 | 10-Jan-2022 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
drivers: crypto: rsa: handle not implemented sign/verify operations
Route the unimplemented RSA sign/verify optional cases to their software implementations.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org> Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
|
| f8d4043d | 25-Oct-2021 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: add CAAM registers for imx8q platforms
Add CAAM register definitions for the following platforms:
* imx8qm
* imx8qxp
Signed-off-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 2f65083f | 25-Oct-2021 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: hal: add the support for imx8q
Add the CAAM HAL for the following platforms:
- imx8qm
- imx8qxp
These platforms feature a separate security controller that handles the following resources/peripherals:
- RNG
- Peripheral ownership
- Clocks
To allocate and initialize the CAAM, the driver relies on the MU driver and a secure controller API to communicate with the security controller.
Signed-off-by: Clement Faure <clement.faure@nxp.com> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| 1c79614e | 07-Dec-2021 |
Clement Faure <clement.faure@nxp.com> |
drivers: caam: hal: make common initialization functions overideable
Define the following functions as weak:
* caam_hal_rng_instantiated()
* caam_hal_cfg_setup_nsjobring()
Add CAAM CAAM_NOT_INIT code for CAAM RNG initialization status.
Signed-off-by: Clement Faure <clement.faure@nxp.com> Reviewed-by: Jerome Forissier <jerome@forissier.org>
|
| e1c70d7c | 15-Dec-2021 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: fix rsa encrypt/decrypt
- Fix input/output buffers (they were swapped).
- Fix algorithm selection for RSAES
Test:
  openssl rsautl -encrypt -inkey rsa-pubkey.pub \
    -in data -pubin -out data.crypt
  pkcs11-tool --module /usr/lib/libckteec.so.0.1 \
    --pin 87654321 --decrypt --id 01 \
    --token-label fio --mechanism RSA-PKCS \
    --input-file data.crypt > data.decrypted
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jerome Forissier <jerome@forissier.org>
|
| fcff2a5f | 12-Dec-2021 |
Jorge Ramirez-Ortiz <jorge@foundries.io> |
crypto: drivers: se050: OEFID runtime detection
The CFG_CORE_SE05X_OEFID definition is not required as the SE05X OEFID can be read during early init - before the SCP03 session has been established.
The user can continue to define its value so that the OP-TEE driver only works when such OEFID is available.
Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io> Acked-by: Jerome Forissier <jerome@forissier.org>
|