1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (C) Foundries Ltd. 2022.
4 * Author: Jorge Ramirez <jorge@foundries.io>
5 */
6
7 #include <assert.h>
8 #include <crypto/crypto_impl.h>
9 #include <drvcrypt.h>
10 #include <drvcrypt_acipher.h>
11 #include <initcall.h>
12 #include <ipi.h>
13 #include <mm/core_memprot.h>
14 #include <string.h>
15 #include <tee/cache.h>
16
17 #define RSA_MAX_PRIV_EXP_LEN 512
18 #define RSA_MAX_PUB_EXP_LEN 4
19 #define RSA_MAX_MOD_LEN 512
20
crypto_bignum_bn2bin_pad(size_t size,struct bignum * from,uint8_t * to)21 static void crypto_bignum_bn2bin_pad(size_t size,
22 struct bignum *from, uint8_t *to)
23 {
24 size_t len = crypto_bignum_num_bytes(from);
25
26 crypto_bignum_bn2bin(from, to + size - len);
27 }
28
do_encrypt(struct drvcrypt_rsa_ed * rsa_data)29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data)
30 {
31 struct rsa_public_key *p = rsa_data->key.key;
32 struct versal_rsa_input_param *cmd = NULL;
33 struct versal_mbox_mem cmd_buf = { };
34 struct versal_mbox_mem cipher = { };
35 struct versal_mbox_mem key = { };
36 struct versal_mbox_mem msg = { };
37 struct versal_cmd_args arg = { };
38 TEE_Result ret = TEE_SUCCESS;
39 uint32_t err = 0;
40
41 switch (rsa_data->rsa_id) {
42 case DRVCRYPT_RSA_PKCS_V1_5:
43 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo,
44 rsa_data->key.key,
45 rsa_data->label.data,
46 rsa_data->label.length,
47 rsa_data->mgf_algo,
48 rsa_data->message.data,
49 rsa_data->message.length,
50 rsa_data->cipher.data,
51 &rsa_data->cipher.length);
52 case DRVCRYPT_RSA_OAEP:
53 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo,
54 rsa_data->key.key,
55 rsa_data->label.data,
56 rsa_data->label.length,
57 rsa_data->mgf_algo,
58 rsa_data->message.data,
59 rsa_data->message.length,
60 rsa_data->cipher.data,
61 &rsa_data->cipher.length);
62 case DRVCRYPT_RSA_NOPAD:
63 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key,
64 rsa_data->message.data,
65 rsa_data->message.length,
66 rsa_data->cipher.data,
67 &rsa_data->cipher.length);
68 case DRVCRYPT_RSASSA_PKCS_V1_5:
69 assert(rsa_data->hash_algo != TEE_ALG_SHA1);
70 assert(rsa_data->key.n_size != 128);
71 break;
72 case DRVCRYPT_RSASSA_PSS:
73 default:
74 assert(0);
75 }
76
77 ret = versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL,
78 &key);
79 if (ret)
80 return ret;
81
82 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf);
83 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN, p->e,
84 (uint8_t *)key.buf + rsa_data->key.n_size);
85
86 ret = versal_mbox_alloc(rsa_data->message.length,
87 rsa_data->message.data, &msg);
88 if (ret)
89 goto out;
90 ret = versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher);
91 if (ret)
92 goto out;
93 ret = versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf);
94 if (ret)
95 goto out;
96
97 cmd = cmd_buf.buf;
98 cmd->key_len = rsa_data->key.n_size;
99 cmd->data_addr = virt_to_phys(msg.buf);
100 cmd->key_addr = virt_to_phys(key.buf);
101
102 arg.ibuf[0].mem = cmd_buf;
103 arg.ibuf[1].mem = cipher;
104 arg.ibuf[2].mem = msg;
105 arg.ibuf[3].mem = key;
106
107 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) {
108 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]",
109 err, rsa_data->rsa_id, rsa_data->key.n_size);
110
111 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5)
112 ret = TEE_ERROR_SIGNATURE_INVALID;
113 else
114 ret = TEE_ERROR_GENERIC;
115 }
116
117 if (!ret) {
118 rsa_data->cipher.length = rsa_data->key.n_size;
119 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size);
120 }
121
122 out:
123 versal_mbox_free(&cmd_buf);
124 versal_mbox_free(&cipher);
125 versal_mbox_free(&msg);
126 versal_mbox_free(&key);
127
128 return ret;
129 }
130
do_decrypt(struct drvcrypt_rsa_ed * rsa_data)131 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data)
132 {
133 struct versal_rsa_input_param *cmd = NULL;
134 struct rsa_keypair *p = rsa_data->key.key;
135 struct versal_mbox_mem cmd_buf = { };
136 struct versal_mbox_mem cipher = { };
137 struct versal_mbox_mem key = { };
138 struct versal_mbox_mem msg = { };
139 struct versal_cmd_args arg = { };
140 TEE_Result ret = TEE_SUCCESS;
141 uint32_t err = 0;
142 #if defined(PLATFORM_FLAVOR_net)
143 struct versal_rsa_key_param *keyp = NULL;
144 struct versal_mbox_mem keyp_buf = { };
145 #endif
146
147 switch (rsa_data->rsa_id) {
148 case DRVCRYPT_RSA_PKCS_V1_5:
149 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo,
150 rsa_data->key.key,
151 rsa_data->label.data,
152 rsa_data->label.length,
153 rsa_data->mgf_algo,
154 rsa_data->cipher.data,
155 rsa_data->cipher.length,
156 rsa_data->message.data,
157 &rsa_data->message.length);
158 case DRVCRYPT_RSA_OAEP:
159 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo,
160 rsa_data->key.key,
161 rsa_data->label.data,
162 rsa_data->label.length,
163 rsa_data->mgf_algo,
164 rsa_data->cipher.data,
165 rsa_data->cipher.length,
166 rsa_data->message.data,
167 &rsa_data->message.length);
168 case DRVCRYPT_RSA_NOPAD:
169 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key,
170 rsa_data->cipher.data,
171 rsa_data->cipher.length,
172 rsa_data->message.data,
173 &rsa_data->message.length);
174 case DRVCRYPT_RSASSA_PKCS_V1_5:
175 assert(rsa_data->hash_algo != TEE_ALG_SHA1);
176 assert(rsa_data->key.n_size != 128);
177 break;
178 case DRVCRYPT_RSASSA_PSS:
179 default:
180 assert(0);
181 }
182
183 ret = versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL,
184 &key);
185 if (ret)
186 return ret;
187
188 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf);
189 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d,
190 (uint8_t *)key.buf + rsa_data->key.n_size);
191
192 #if defined(PLATFORM_FLAVOR_net)
193 ret = versal_mbox_alloc(sizeof(*keyp), NULL, &keyp_buf);
194 if (ret)
195 goto out;
196 #endif
197
198 ret = versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data,
199 &cipher);
200 if (ret)
201 goto out;
202 ret = versal_mbox_alloc(rsa_data->message.length, NULL, &msg);
203 if (ret)
204 goto out;
205 ret = versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf);
206 if (ret)
207 goto out;
208
209 cmd = cmd_buf.buf;
210 cmd->key_len = rsa_data->key.n_size;
211 cmd->data_addr = virt_to_phys(cipher.buf);
212 #if !defined(PLATFORM_FLAVOR_net)
213 cmd->key_addr = virt_to_phys(key.buf);
214 #else
215 keyp = keyp_buf.buf;
216 memset(keyp, 0, sizeof(*keyp));
217 keyp->exp_addr = virt_to_phys((uint8_t *)key.buf +
218 rsa_data->key.n_size);
219 keyp->mod_addr = virt_to_phys(key.buf);
220 keyp->opmode = VERSAL_RSA_OPMODE_EXPQ;
221 cmd->key_addr = virt_to_phys(keyp_buf.buf);
222 #endif
223
224 arg.ibuf[0].mem = cmd_buf;
225 arg.ibuf[1].mem = msg;
226 arg.ibuf[2].mem = cipher;
227 arg.ibuf[3].mem = key;
228 #if defined(PLATFORM_FLAVOR_net)
229 arg.ibuf[4].mem = keyp_buf;
230 #endif
231
232 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) {
233 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]",
234 err, rsa_data->rsa_id, rsa_data->key.n_size);
235 ret = TEE_ERROR_GENERIC;
236 }
237
238 if (!ret) {
239 rsa_data->message.length = rsa_data->key.n_size;
240 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size);
241 }
242
243 out:
244 versal_mbox_free(&cmd_buf);
245 versal_mbox_free(&msg);
246 versal_mbox_free(&cipher);
247 #if defined(PLATFORM_FLAVOR_net)
248 versal_mbox_free(&keyp_buf);
249 #endif
250 versal_mbox_free(&key);
251
252 return ret;
253 }
254
do_ssa_sign(struct drvcrypt_rsa_ssa * p)255 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p)
256 {
257 switch (p->algo) {
258 case TEE_ALG_RSASSA_PKCS1_V1_5:
259 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
260 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
261 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
262 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
263 if (p->key.n_size != 128) {
264 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */
265 return TEE_ERROR_NOT_IMPLEMENTED;
266 }
267 return sw_crypto_acipher_rsassa_sign(p->algo,
268 p->key.key,
269 p->salt_len,
270 p->message.data,
271 p->message.length,
272 p->signature.data,
273 &p->signature.length);
274 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
275 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
276 return sw_crypto_acipher_rsassa_sign(p->algo,
277 p->key.key,
278 p->salt_len,
279 p->message.data,
280 p->message.length,
281 p->signature.data,
282 &p->signature.length);
283 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
284 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
285 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
286 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
287 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
288 return sw_crypto_acipher_rsassa_sign(p->algo,
289 p->key.key,
290 p->salt_len,
291 p->message.data,
292 p->message.length,
293 p->signature.data,
294 &p->signature.length);
295 default:
296 break;
297 }
298
299 return TEE_ERROR_BAD_PARAMETERS;
300 }
301
do_ssa_verify(struct drvcrypt_rsa_ssa * p)302 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p)
303 {
304 switch (p->algo) {
305 case TEE_ALG_RSASSA_PKCS1_V1_5:
306 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
307 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
308 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
309 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
310 if (p->key.n_size != 128) {
311 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */
312 return TEE_ERROR_NOT_IMPLEMENTED;
313 }
314 return sw_crypto_acipher_rsassa_verify(p->algo,
315 p->key.key,
316 p->salt_len,
317 p->message.data,
318 p->message.length,
319 p->signature.data,
320 p->signature.length);
321 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
322 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
323 return sw_crypto_acipher_rsassa_verify(p->algo,
324 p->key.key,
325 p->salt_len,
326 p->message.data,
327 p->message.length,
328 p->signature.data,
329 p->signature.length);
330 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
331 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
332 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
333 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
334 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
335 return sw_crypto_acipher_rsassa_verify(p->algo,
336 p->key.key,
337 p->salt_len,
338 p->message.data,
339 p->message.length,
340 p->signature.data,
341 p->signature.length);
342 default:
343 break;
344 }
345
346 return TEE_ERROR_BAD_PARAMETERS;
347 }
348
do_gen_keypair(struct rsa_keypair * s,size_t size_bits)349 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits)
350 {
351 return sw_crypto_acipher_gen_rsa_key(s, size_bits);
352 }
353
do_alloc_keypair(struct rsa_keypair * s,size_t size_bits)354 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits)
355 {
356 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits);
357 }
358
do_alloc_publickey(struct rsa_public_key * key,size_t bits)359 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits)
360 {
361 return sw_crypto_acipher_alloc_rsa_public_key(key, bits);
362 }
363
do_free_publickey(struct rsa_public_key * s)364 static void do_free_publickey(struct rsa_public_key *s)
365 {
366 sw_crypto_acipher_free_rsa_public_key(s);
367 }
368
do_free_keypair(struct rsa_keypair * s)369 static void do_free_keypair(struct rsa_keypair *s)
370 {
371 sw_crypto_acipher_free_rsa_keypair(s);
372 }
373
374 static struct drvcrypt_rsa driver_rsa = {
375 .alloc_publickey = do_alloc_publickey,
376 .free_publickey = do_free_publickey,
377 .alloc_keypair = do_alloc_keypair,
378 .optional.ssa_verify = do_ssa_verify,
379 .optional.ssa_sign = do_ssa_sign,
380 .free_keypair = do_free_keypair,
381 .gen_keypair = do_gen_keypair,
382 .encrypt = do_encrypt,
383 .decrypt = do_decrypt,
384 };
385
rsa_init(void)386 static TEE_Result rsa_init(void)
387 {
388 uint32_t err = 0;
389 struct versal_cmd_args arg = { };
390
391 arg.data[arg.dlen++] = VERSAL_RSA_PUB_ENC_KAT;
392
393 if (versal_crypto_request(VERSAL_KAT, &arg, &err))
394 return TEE_ERROR_GENERIC;
395
396 if (err) {
397 DMSG("RSA_PUB_ENC_KAT returned 0x%" PRIx32, err);
398 return TEE_ERROR_GENERIC;
399 }
400
401 /* Clear previous request */
402 arg.dlen = 0;
403
404 arg.data[arg.dlen++] = VERSAL_RSA_PRIVATE_DEC_KAT;
405
406 if (versal_crypto_request(VERSAL_KAT, &arg, &err))
407 return TEE_ERROR_GENERIC;
408
409 if (err) {
410 DMSG("RSA_PRIVATE_DEC_KAT returned 0x%" PRIx32, err);
411 return TEE_ERROR_GENERIC;
412 }
413
414 return drvcrypt_register_rsa(&driver_rsa);
415 }
416
417 driver_init(rsa_init);
418