History log of /optee_os/core/drivers/crypto/ (Results 226 – 250 of 355)
Revision Date Author Comments
2f65083f 25-Oct-2021 Clement Faure <clement.faure@nxp.com>

drivers: caam: hal: add the support for imx8q

Add the CAAM HAL for the following platforms:
- imx8qm
- imx8qxp

These platforms feature a separate security controller that handles
the following resources/peripherals:
- RNG
- Peripheral ownership
- Clocks

To allocate and initialize the CAAM, the driver relies on the
MU driver and a secure controller API to communicate with the
security controller.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

1c79614e 07-Dec-2021 Clement Faure <clement.faure@nxp.com>

drivers: caam: hal: make common initialization functions overridable

Define the following functions as weak:
* caam_hal_rng_instantiated()
* caam_hal_cfg_setup_nsjobring()

Add CAAM CAAM_NOT_INIT code for CAAM RNG initialization status.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>


/optee_os/.github/workflows/stales.yml
/optee_os/core/arch/arm/arm.mk
/optee_os/core/arch/arm/crypto/aes_modes_armv8a_ce_a64.S
/optee_os/core/arch/arm/crypto/ghash-ce-core_a64.S
/optee_os/core/arch/arm/crypto/sha1_armv8a_ce_a64.S
/optee_os/core/arch/arm/crypto/sha256_armv8a_ce_a64.S
/optee_os/core/arch/arm/include/arm.h
/optee_os/core/arch/arm/include/arm64.h
/optee_os/core/arch/arm/include/kernel/thread.h
/optee_os/core/arch/arm/include/kernel/thread_spmc.h
/optee_os/core/arch/arm/include/sm/optee_smc.h
/optee_os/core/arch/arm/kernel/boot.c
/optee_os/core/arch/arm/kernel/cache_helpers_a64.S
/optee_os/core/arch/arm/kernel/entry_a64.S
/optee_os/core/arch/arm/kernel/kern.ld.S
/optee_os/core/arch/arm/kernel/ldelf_loader.c
/optee_os/core/arch/arm/kernel/link.mk
/optee_os/core/arch/arm/kernel/misc_a64.S
/optee_os/core/arch/arm/kernel/spin_lock_a64.S
/optee_os/core/arch/arm/kernel/thread_a64.S
/optee_os/core/arch/arm/kernel/thread_optee_smc_a64.S
/optee_os/core/arch/arm/kernel/thread_spmc_a64.S
/optee_os/core/arch/arm/kernel/tlb_helpers_a64.S
/optee_os/core/arch/arm/kernel/vfp_a64.S
/optee_os/core/arch/arm/mm/core_mmu_lpae.c
/optee_os/core/arch/arm/mm/mobj_ffa.c
/optee_os/core/arch/arm/plat-imx/conf.mk
/optee_os/core/arch/arm/plat-vexpress/conf.mk
/optee_os/core/arch/arm/plat-vexpress/main.c
/optee_os/core/arch/arm/tee/arch_svc_a64.S
/optee_os/core/arch/arm/tee/entry_fast.c
caam/caam_rng.c
caam/hal/common/hal_cfg.c
caam/hal/common/hal_rng.c
caam/include/caam_hal_rng.h
caam/include/caam_status.h
/optee_os/core/include/drivers/gic.h
/optee_os/core/include/kernel/notif.h
/optee_os/core/include/mm/tee_mmu_types.h
/optee_os/core/include/optee_msg.h
/optee_os/core/include/optee_rpc_cmd.h
/optee_os/core/kernel/ldelf_syscalls.c
/optee_os/core/kernel/notif.c
/optee_os/core/kernel/sub.mk
/optee_os/core/kernel/wait_queue.c
/optee_os/core/mm/vm.c
/optee_os/core/tee/entry_std.c
/optee_os/core/tee/tee_svc.c
/optee_os/ldelf/include/ldelf.h
/optee_os/ldelf/ldelf.ld.S
/optee_os/ldelf/link.mk
/optee_os/ldelf/start_a64.S
/optee_os/ldelf/syscalls_a64.S
/optee_os/ldelf/ta_elf.c
/optee_os/ldelf/ta_elf.h
/optee_os/ldelf/tlsdesc_rel_a64.S
/optee_os/lib/libutee/arch/arm/utee_syscalls_a64.S
/optee_os/lib/libutee/include/elf_common.h
/optee_os/lib/libutils/ext/arch/arm/atomic_a64.S
/optee_os/lib/libutils/ext/arch/arm/mcount_a64.S
/optee_os/lib/libutils/ext/include/arm64_bti.S
/optee_os/lib/libutils/ext/include/asm.S
/optee_os/lib/libutils/ext/mempool.c
/optee_os/lib/libutils/isoc/arch/arm/setjmp_a64.S
/optee_os/lib/libutils/isoc/bget_malloc.c
/optee_os/lib/libutils/isoc/include/malloc.h
/optee_os/lib/libutils/isoc/include/stdio.h
/optee_os/lib/libutils/isoc/sprintf.c
/optee_os/mk/config.mk
/optee_os/mk/lib.mk
/optee_os/scripts/checkpatch_inc.sh
/optee_os/scripts/sign_encrypt.py
/optee_os/ta/arch/arm/link.mk
/optee_os/ta/arch/arm/link_shlib.mk
/optee_os/ta/arch/arm/ta.ld.S
/optee_os/ta/ta.mk
e1c70d7c 15-Dec-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: drivers: se050: fix rsa encrypt/decrypt

- Fix input/output buffers (they were swapped).
- Fix algorithm selection for RSAES

Test:
openssl rsautl -encrypt -inkey rsa-pubkey.pub \
-in data -pubin -out data.crypt

pkcs11-tool --module /usr/lib/libckteec.so.0.1 \
--pin 87654321 --decrypt --id 01 \
--token-label fio --mechanism RSA-PKCS \
--input-file data.crypt > data.decrypted

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>

fcff2a5f 12-Dec-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: drivers: se050: OEFID runtime detection

The CFG_CORE_SE05X_OEFID definition is not required as the SE05X OEFID
can be read during early init - before the SCP03 session has been
established.

The user can continue to define its value so that the OP-TEE driver
only works when such OEFID is available.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>

2d46762c 11-Dec-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: drivers: se050: ecc sign

The crypto API validates the size of the buffer that will hold the
resulting signature. This means that the SE05X driver can not use the
variable length buffer mechanism to request extra bytes to handle the
DER format.

To address this situation, this patch allocates a temporary buffer to
get the signature from the Plug-and-Trust subsystem; then, upon doing
the DER to binary conversion, copies the resulting data to the output
buffer.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

8b63b7dd 25-Oct-2021 Clement Faure <clement.faure@nxp.com>

drivers: caam: acipher: initialize driver with the JR base address

Instead of systematically using the job ring 0 registers to initialize
the CAAM acipher drivers, use the job ring allocated to OPTEE OS.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

efcdff18 25-Oct-2021 Clement Faure <clement.faure@nxp.com>

drivers: caam: hash: initialize driver with the JR base address

Instead of systematically using the job ring 0 registers to initialize
the CAAM hash driver, use the job ring allocated to OPTEE OS.

Signed-off-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Jerome Forissier <jerome@forissier.org>

d1a9c68b 03-Dec-2021 Etienne Carriere <etienne.carriere@linaro.org>

drivers: stm32_cryp: prevent error trace when disabled

Changes stm32_crypt initialization function to not report an error
when the device is not defined or disabled in the embedded DT.

Prevents error trace message seen at boot time:
E/TC:0 0 call_initcalls:43 Initcall __text_start + 0x0002b958 failed

Fixes: 5c3bcc386415 ("dts: stm32mp1: disable CRYP1 device")
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

4793519c 01-Dec-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: drivers: se050: object identifier range

With the introduction of the se050 APDU driver, external clients can
create persistent objects on the secure element non-volatile memory.

The unique identifiers for these objects do not necessarily need to
fall within the range defined for objects created using the
cryptographic operation interfaces (keypair_gen).

This commit fixes the use case where a key stored in the SE05x device
(for example via a cloud service communicating to the optee-client's
libseteec) is imported into the pkcs#11 database and then used for
authentication (ie, EC sign)

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>

bb04f4b9 02-Dec-2021 Sahil Malhotra <sahil.malhotra@nxp.com>

core: drivers: caam: disable jobring in DT only in case of external DTB

On LX2160 board, Embedded DTB is enabled.
While booting with CAAM enabled, a crash comes in OP-TEE because it
tries to disable the Job Ring in Embedded DTB, which is read only.
So disable Job ring only when using External DTB.

Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

5dac4bd1 30-Nov-2021 Etienne Carriere <etienne.carriere@linaro.org>

drivers: crypto: stm32_cryp: register secure peripheral

Adds registering of CRYP1 device as a secure peripheral when it is
registered as a crypto driver.

Fixes: 95134dac4b22 ("plat-stm32mp1: enable CRYPTO HW if available")
Reviewed-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>

289611b8 24-Nov-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: drivers: se050: object identifier persistence property

The persistence of the object identifiers can be obtained by
interrogating the device. Since objects can now be created by external
actors using the APDU PTA, we will drop the current implementation
which flags the object transient property using a bit on the object
identifier itself.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>

32ddbffb 13-Nov-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: se050: APDU driver

This driver allows trusted applications to send raw APDU frames to the
SE050 device. The Plug-and-Trust subsystem will route the frames back
to OP-TEE for SCP03 encryption and I2C transmission to the bus.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

ff0c5d42 13-Nov-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

core: crypto: Secure Element cryptographic interface

Extract cryptographic operations specific to Secure Elements from the
more generic cryptographic interface.

Also, the Secure Channel Protocol03 is a global protocol supported by
most SEs and not NXP SE05X specific. Use this commit to reflect this
fact.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

5411b322 11-Nov-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: se050: rename huk driver to die_id

The current HUK driver is not providing the platform Hardware Unique
Key but the DIE_ID.

This can logically be a source of confusion (and bugs) for many users
not enabling this option.

This commit renames the huk.c file to die_id.c and replaces the
previous configuration option with another one that is semantically
accurate.

CFG_NXP_SE05X_HUK_DRV --> CFG_NXP_SE05X_DIEID_DRV

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Jerome Forissier <jerome@forissier.org>

add5ac80 20-Oct-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

crypto: se050: Foundries Plug-and-Trust release 0.0.4

Notice that rebasing the Plug-and-Trust stack to pick up the NXP
Plug-and-Trust 3.03.00 release broke backwards compatibility with
previous OP-TEE versions. This is why this commit includes the
necessary update to adaptors/apdu.c

https://github.com/foundriesio/plug-and-trust/releases/tag/v0.0.3

Also the v.0.0.4 release includes support for APDU raw frame
transmission to the secure element (a new interface).
The OP-TEE PTA that makes use of that functionality shall be merged
after this commit.

https://github.com/foundriesio/plug-and-trust/releases/tag/v0.0.4

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>

fd140f7e 06-Oct-2021 Gerard Koskamp <gerard.koskamp@nedap.com>

drivers: crypto: se05x: SCP03 keys for SE051A2 and SE051C2

Add SCP03 keys for SE051A2 and SE051C2 to support OEFID 0xA565 and 0xA564

Signed-off-by: Robert Krikke <robert.krikke@gmail.com>
Signed-off-by: Gerard Koskamp <gerard.koskamp@nedap.com>
Acked-by: Jorge Ramirez-Ortiz <jorge@foundries.io>

502e23ad 02-Nov-2021 Etienne Carriere <etienne.carriere@linaro.org>

core: pm: add a name to registered pm_callback_handle

Adds an argument to register a name (string debug identifier) for
PM handlers registered to PM framework.

Caller can provide a NULL reference or a valid string pointer. When pager
is enabled, the registration ensures the name lies in an unpaged section,
possibly allocating heap for that purpose.

Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Gatien Chevallier <gatien.chevallier@st.com>

fa8cb7a8 03-Nov-2021 Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>

crypto: stm32: use CRYP IP for authenc algorithm

Add STM32 CRYP as an Authenticated Encryption provider for GCM and CCM.

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

e3e4ce47 26-Apr-2021 Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>

drivers: crypto: implement crypto driver - AUTHENC

Add a generic cryptographic Authenticated Encryption driver interface
connecting TEE Crypto generic APIs to HW driver interface.

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Acked-by: Cedric Neveux <cedric.neveux@nxp.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

5e64ae67 26-Jul-2021 Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>

crypto: stm32: use CRYP IP for CIPHER algorithms

Add CRYP IP drivers, and add STM32 CRYP as a drvcrypt cipher provider.

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

df7cecc0 03-Nov-2021 Lionel Debieve <lionel.debieve@foss.st.com>

core: kernel: use size_t instead of ssize_t for _fdt_reg_size()

Size is read from the reg device tree property as an unsigned value
coming from fdt32_to_cpu().
Use a size_t with associated error code DT_INFO_INVALID_REG_SIZE as
return in prototype. Update the current users according to this change.

Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>

8bddeb85 22-Oct-2021 Jorge Ramirez-Ortiz <jorge@foundries.io>

drivers: crypto: rsa/ecc/dsa: input parameter validation

To comply with the PKCS#11 convention for functions returning output
in a variable-length buffer, prefer to check the required size of the
output buffer before the existence of the output buffer itself.

This will save callers from having to allocate a buffer that might not
be used.

Signed-off-by: Jorge Ramirez-Ortiz <jorge@foundries.io>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Reviewed-by: Etienne Carriere <etienne.carriere@linaro.org>
Acked-by: Clement Faure <clement.faure@nxp.com>
Acked-by: Cedric Neveux <cedric.neveux@nxp.com>


/optee_os/CHANGELOG.md
/optee_os/MAINTAINERS
/optee_os/core/arch/arm/crypto/aes_armv8a_ce.c
/optee_os/core/arch/arm/dts/at91-sama5d27_som1.dtsi
/optee_os/core/arch/arm/dts/at91-sama5d27_som1_ek.dts
/optee_os/core/arch/arm/dts/at91-sama5d2_xplained.dts
/optee_os/core/arch/arm/dts/sama5d2-pinfunc.h
/optee_os/core/arch/arm/dts/sama5d2.dtsi
/optee_os/core/arch/arm/include/mm/core_mmu.h
/optee_os/core/arch/arm/kernel/boot.c
/optee_os/core/arch/arm/kernel/link_dummies_paged.c
/optee_os/core/arch/arm/kernel/thread.c
/optee_os/core/arch/arm/kernel/thread_optee_smc.c
/optee_os/core/arch/arm/kernel/thread_spmc.c
/optee_os/core/arch/arm/kernel/virtualization.c
/optee_os/core/arch/arm/mm/core_mmu.c
/optee_os/core/arch/arm/mm/mobj_dyn_shm.c
/optee_os/core/arch/arm/mm/mobj_ffa.c
/optee_os/core/arch/arm/plat-marvell/armada3700/hal_sec_perf.c
/optee_os/core/arch/arm/plat-marvell/armada7k8k/hal_sec_perf.c
/optee_os/core/arch/arm/plat-sam/conf.mk
/optee_os/core/arch/arm/plat-stm32mp1/drivers/stm32mp1_clk.c
/optee_os/core/arch/arm/plat-totalcompute/conf.mk
/optee_os/core/arch/arm/plat-totalcompute/fdts/optee_sp_manifest.dts
/optee_os/core/arch/arm/plat-totalcompute/main.c
/optee_os/core/arch/arm/plat-totalcompute/platform_config.h
/optee_os/core/arch/arm/tee/cache.c
/optee_os/core/arch/arm/tee/entry_fast.c
/optee_os/core/crypto/aes-gcm-sw.c
/optee_os/core/drivers/bnxt/bnxt_fw.c
/optee_os/core/drivers/clk/clk.c
/optee_os/core/drivers/clk/clk_dt.c
/optee_os/core/drivers/clk/fixed_clk.c
/optee_os/core/drivers/clk/sub.mk
crypto_api/acipher/dsa.c
crypto_api/acipher/ecc.c
crypto_api/acipher/rsa.c
/optee_os/core/drivers/gic.c
/optee_os/core/drivers/imx_lpuart.c
/optee_os/core/drivers/imx_ocotp.c
/optee_os/core/drivers/imx_uart.c
/optee_os/core/drivers/pl011.c
/optee_os/core/drivers/scmi-msg/clock.c
/optee_os/core/drivers/serial8250_uart.c
/optee_os/core/drivers/sub.mk
/optee_os/core/include/crypto/internal_aes-gcm.h
/optee_os/core/include/drivers/clk.h
/optee_os/core/include/drivers/clk_dt.h
/optee_os/core/include/dt-bindings/clock/at91.h
/optee_os/core/include/dt-bindings/dma/at91.h
/optee_os/core/include/dt-bindings/iio/adc/at91-sama5d2_adc.h
/optee_os/core/include/dt-bindings/mfd/atmel-flexcom.h
/optee_os/core/include/dt-bindings/regulator/active-semi,8945a-regulator.h
/optee_os/core/include/initcall.h
/optee_os/core/include/kernel/dt.h
/optee_os/core/include/kernel/interrupt.h
/optee_os/core/include/kernel/virtualization.h
/optee_os/core/kernel/console.c
/optee_os/core/kernel/dt.c
/optee_os/core/kernel/initcall.c
/optee_os/core/kernel/interrupt.c
/optee_os/core/mm/fobj.c
/optee_os/core/pta/bcm/elog.c
/optee_os/ldelf/ta_elf.c
/optee_os/lib/libutils/ext/include/util.h
/optee_os/mk/config.mk
/optee_os/ta/mk/ta_dev_kit.mk
/optee_os/ta/trusted_keys/entry.c
e08643a4 05-Oct-2021 Clement Faure <clement.faure@nxp.com>

drivers: crypto: fix RSAES-OAEP encryption length check

According to PKCS#1 v2.2: RSA Cryptography Standard, for RSAES-OAEP
Encryption operation function, the following length check must be done
prior to the encryption operation [1]:

Return error if mLen > k - 2*hlen - 2

Because (k - 2*hlen - 2) must be superior or equal to zero, return an
error also if 2*hlen >= k - 2

Links: [1] https://datatracker.ietf.org/doc/html/rfc8017
Fixes: f5a70e3efb ("drivers: crypto: generic resources for crypto device driver - RSA")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

5d49c2f4 01-Oct-2021 Clement Faure <clement.faure@nxp.com>

drivers: caam: check destination buffer size before copying message

At the end of the RSA-OAEP decryption operation, check if the
destination message buffer is big enough to hold the output of the
decryption operation.
If the buffer is too small, return TEE_ERROR_SHORT_BUFFER error code
along with the expected buffer size.

Fixes: 796ea6d867 ("drivers: caam: implement NXP CAAM Driver - RSA")
Signed-off-by: Clement Faure <clement.faure@nxp.com>
Reviewed-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>


/optee_os/.azure-pipelines.yml
/optee_os/core/arch/arm/arm.mk
/optee_os/core/arch/arm/dts/stm32mp157a-dk1.dts
/optee_os/core/arch/arm/dts/stm32mp157c-dk2.dts
/optee_os/core/arch/arm/dts/stm32mp157c-ed1.dts
/optee_os/core/arch/arm/include/kernel/tz_ssvce_def.h
/optee_os/core/arch/arm/kernel/thread_optee_smc.c
/optee_os/core/arch/arm/mm/mobj_dyn_shm.c
/optee_os/core/arch/arm/plat-imx/conf.mk
/optee_os/core/arch/arm/plat-imx/config/imx6sll.h
/optee_os/core/arch/arm/plat-imx/imx_pl310.c
/optee_os/core/arch/arm/plat-imx/mmdc.c
/optee_os/core/arch/arm/plat-imx/registers/imx7-crm.h
/optee_os/core/arch/arm/plat-imx/registers/imx7ulp.h
/optee_os/core/arch/arm/plat-imx/registers/imx8m-crm.h
/optee_os/core/arch/arm/plat-poplar/conf.mk
/optee_os/core/arch/arm/plat-stm32mp1/conf.mk
/optee_os/core/arch/arm/plat-stm32mp1/drivers/stm32mp1_clk.c
/optee_os/core/arch/arm/plat-stm32mp1/drivers/stm32mp1_pmic.c
/optee_os/core/arch/arm/plat-stm32mp1/drivers/stm32mp1_rcc.h
/optee_os/core/arch/arm/plat-stm32mp1/main.c
/optee_os/core/arch/arm/plat-stm32mp1/shared_resources.c
/optee_os/core/arch/arm/plat-vexpress/conf.mk
caam/acipher/caam_rsa.c
/optee_os/core/drivers/imx_ocotp.c
/optee_os/core/drivers/sub.mk
/optee_os/core/include/drivers/imx_ocotp.h
/optee_os/core/include/drivers/stm32_gpio.h
/optee_os/lib/libutils/isoc/bget_malloc.c
/optee_os/lib/libutils/isoc/include/malloc.h
/optee_os/mk/config.mk
/optee_os/ta/mk/ta_dev_kit.mk
/optee_os/ta/pkcs11/include/pkcs11_ta.h
/optee_os/ta/pkcs11/src/attributes.h
/optee_os/ta/pkcs11/src/object.c
/optee_os/ta/pkcs11/src/pkcs11_attributes.c
/optee_os/ta/pkcs11/src/pkcs11_helpers.c
/optee_os/ta/pkcs11/src/pkcs11_helpers.h
/optee_os/ta/pkcs11/src/processing_symm.c
/optee_os/ta/pkcs11/src/sanitize_object.c
/optee_os/ta/pkcs11/src/token_capabilities.c
