1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (C) Foundries Ltd. 2022.
4 * Author: Jorge Ramirez <jorge@foundries.io>
5 */
6
7 #include <assert.h>
8 #include <crypto/crypto_impl.h>
9 #include <drvcrypt.h>
10 #include <drvcrypt_acipher.h>
11 #include <initcall.h>
12 #include <ipi.h>
13 #include <mm/core_memprot.h>
14 #include <string.h>
15 #include <tee/cache.h>
16
17 #define RSA_MAX_PRIV_EXP_LEN 512
18 #define RSA_MAX_PUB_EXP_LEN 4
19 #define RSA_MAX_MOD_LEN 512
20
crypto_bignum_bn2bin_pad(size_t size,struct bignum * from,uint8_t * to)21 static void crypto_bignum_bn2bin_pad(size_t size,
22 struct bignum *from, uint8_t *to)
23 {
24 size_t len = crypto_bignum_num_bytes(from);
25
26 crypto_bignum_bn2bin(from, to + size - len);
27 }
28
do_encrypt(struct drvcrypt_rsa_ed * rsa_data)29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data)
30 {
31 struct rsa_public_key *p = rsa_data->key.key;
32 struct versal_rsa_input_param *cmd = NULL;
33 struct versal_mbox_mem cmd_buf = { };
34 struct versal_mbox_mem cipher = { };
35 struct versal_mbox_mem key = { };
36 struct versal_mbox_mem msg = { };
37 struct versal_cmd_args arg = { };
38 TEE_Result ret = TEE_SUCCESS;
39 uint32_t err = 0;
40
41 switch (rsa_data->rsa_id) {
42 case DRVCRYPT_RSA_PKCS_V1_5:
43 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo,
44 rsa_data->key.key,
45 rsa_data->label.data,
46 rsa_data->label.length,
47 rsa_data->mgf_algo,
48 rsa_data->message.data,
49 rsa_data->message.length,
50 rsa_data->cipher.data,
51 &rsa_data->cipher.length);
52 case DRVCRYPT_RSA_OAEP:
53 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo,
54 rsa_data->key.key,
55 rsa_data->label.data,
56 rsa_data->label.length,
57 rsa_data->mgf_algo,
58 rsa_data->message.data,
59 rsa_data->message.length,
60 rsa_data->cipher.data,
61 &rsa_data->cipher.length);
62 case DRVCRYPT_RSA_NOPAD:
63 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key,
64 rsa_data->message.data,
65 rsa_data->message.length,
66 rsa_data->cipher.data,
67 &rsa_data->cipher.length);
68 case DRVCRYPT_RSASSA_PKCS_V1_5:
69 assert(rsa_data->hash_algo != TEE_ALG_SHA1);
70 assert(rsa_data->key.n_size != 128);
71 break;
72 case DRVCRYPT_RSASSA_PSS:
73 default:
74 assert(0);
75 }
76
77 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL, &key);
78 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf);
79 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN,
80 p->e, (uint8_t *)key.buf + RSA_MAX_MOD_LEN);
81
82 versal_mbox_alloc(rsa_data->message.length, rsa_data->message.data,
83 &msg);
84 versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher);
85 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf);
86
87 cmd = cmd_buf.buf;
88 cmd->key_len = rsa_data->key.n_size;
89 cmd->data_addr = virt_to_phys(msg.buf);
90 cmd->key_addr = virt_to_phys(key.buf);
91
92 arg.ibuf[0].mem = cmd_buf;
93 arg.ibuf[1].mem = cipher;
94 arg.ibuf[2].mem = msg;
95 arg.ibuf[3].mem = key;
96
97 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) {
98 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]",
99 err, rsa_data->rsa_id, rsa_data->key.n_size);
100
101 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5)
102 ret = TEE_ERROR_SIGNATURE_INVALID;
103 else
104 ret = TEE_ERROR_GENERIC;
105 }
106
107 if (!ret) {
108 rsa_data->cipher.length = rsa_data->key.n_size;
109 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size);
110 }
111
112 free(cipher.buf);
113 free(cmd);
114 free(msg.buf);
115 free(key.buf);
116
117 return ret;
118 }
119
do_decrypt(struct drvcrypt_rsa_ed * rsa_data)120 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data)
121 {
122 struct versal_rsa_input_param *cmd = NULL;
123 struct rsa_keypair *p = rsa_data->key.key;
124 struct versal_mbox_mem cmd_buf = { };
125 struct versal_mbox_mem cipher = { };
126 struct versal_mbox_mem key = { };
127 struct versal_mbox_mem msg = { };
128 struct versal_cmd_args arg = { };
129 TEE_Result ret = TEE_SUCCESS;
130 uint32_t err = 0;
131
132 switch (rsa_data->rsa_id) {
133 case DRVCRYPT_RSA_PKCS_V1_5:
134 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo,
135 rsa_data->key.key,
136 rsa_data->label.data,
137 rsa_data->label.length,
138 rsa_data->mgf_algo,
139 rsa_data->cipher.data,
140 rsa_data->cipher.length,
141 rsa_data->message.data,
142 &rsa_data->message.length);
143 case DRVCRYPT_RSA_OAEP:
144 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo,
145 rsa_data->key.key,
146 rsa_data->label.data,
147 rsa_data->label.length,
148 rsa_data->mgf_algo,
149 rsa_data->cipher.data,
150 rsa_data->cipher.length,
151 rsa_data->message.data,
152 &rsa_data->message.length);
153 case DRVCRYPT_RSA_NOPAD:
154 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key,
155 rsa_data->cipher.data,
156 rsa_data->cipher.length,
157 rsa_data->message.data,
158 &rsa_data->message.length);
159 case DRVCRYPT_RSASSA_PKCS_V1_5:
160 assert(rsa_data->hash_algo != TEE_ALG_SHA1);
161 assert(rsa_data->key.n_size != 128);
162 break;
163 case DRVCRYPT_RSASSA_PSS:
164 default:
165 assert(0);
166 }
167
168 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL, &key);
169 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf);
170 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d,
171 (uint8_t *)key.buf + RSA_MAX_MOD_LEN);
172
173 versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data,
174 &cipher);
175 versal_mbox_alloc(rsa_data->message.length, NULL, &msg);
176 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf);
177
178 cmd = cmd_buf.buf;
179 cmd->key_len = rsa_data->key.n_size;
180 cmd->data_addr = virt_to_phys(cipher.buf);
181 cmd->key_addr = virt_to_phys(key.buf);
182
183 arg.ibuf[0].mem = cmd_buf;
184 arg.ibuf[1].mem = msg;
185 arg.ibuf[2].mem = cipher;
186 arg.ibuf[3].mem = key;
187
188 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) {
189 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]",
190 err, rsa_data->rsa_id, rsa_data->key.n_size);
191 ret = TEE_ERROR_GENERIC;
192 }
193
194 if (!ret) {
195 rsa_data->message.length = rsa_data->key.n_size;
196 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size);
197 }
198
199 free(cipher.buf);
200 free(cmd);
201 free(key.buf);
202 free(msg.buf);
203
204 return ret;
205 }
206
do_ssa_sign(struct drvcrypt_rsa_ssa * p)207 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p)
208 {
209 switch (p->algo) {
210 case TEE_ALG_RSASSA_PKCS1_V1_5:
211 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
212 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
213 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
214 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
215 if (p->key.n_size != 128) {
216 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */
217 return TEE_ERROR_NOT_IMPLEMENTED;
218 }
219 return sw_crypto_acipher_rsassa_sign(p->algo,
220 p->key.key,
221 p->salt_len,
222 p->message.data,
223 p->message.length,
224 p->signature.data,
225 &p->signature.length);
226 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
227 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
228 return sw_crypto_acipher_rsassa_sign(p->algo,
229 p->key.key,
230 p->salt_len,
231 p->message.data,
232 p->message.length,
233 p->signature.data,
234 &p->signature.length);
235 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
236 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
237 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
238 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
239 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
240 return sw_crypto_acipher_rsassa_sign(p->algo,
241 p->key.key,
242 p->salt_len,
243 p->message.data,
244 p->message.length,
245 p->signature.data,
246 &p->signature.length);
247 default:
248 break;
249 }
250
251 return TEE_ERROR_BAD_PARAMETERS;
252 }
253
do_ssa_verify(struct drvcrypt_rsa_ssa * p)254 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p)
255 {
256 switch (p->algo) {
257 case TEE_ALG_RSASSA_PKCS1_V1_5:
258 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
259 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
260 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
261 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
262 if (p->key.n_size != 128) {
263 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */
264 return TEE_ERROR_NOT_IMPLEMENTED;
265 }
266 return sw_crypto_acipher_rsassa_verify(p->algo,
267 p->key.key,
268 p->salt_len,
269 p->message.data,
270 p->message.length,
271 p->signature.data,
272 p->signature.length);
273 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
274 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
275 return sw_crypto_acipher_rsassa_verify(p->algo,
276 p->key.key,
277 p->salt_len,
278 p->message.data,
279 p->message.length,
280 p->signature.data,
281 p->signature.length);
282 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
283 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
284 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
285 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
286 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
287 return sw_crypto_acipher_rsassa_verify(p->algo,
288 p->key.key,
289 p->salt_len,
290 p->message.data,
291 p->message.length,
292 p->signature.data,
293 p->signature.length);
294 default:
295 break;
296 }
297
298 return TEE_ERROR_BAD_PARAMETERS;
299 }
300
do_gen_keypair(struct rsa_keypair * s,size_t size_bits)301 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits)
302 {
303 return sw_crypto_acipher_gen_rsa_key(s, size_bits);
304 }
305
do_alloc_keypair(struct rsa_keypair * s,size_t size_bits)306 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits)
307 {
308 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits);
309 }
310
do_alloc_publickey(struct rsa_public_key * key,size_t bits)311 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits)
312 {
313 return sw_crypto_acipher_alloc_rsa_public_key(key, bits);
314 }
315
do_free_publickey(struct rsa_public_key * s)316 static void do_free_publickey(struct rsa_public_key *s)
317 {
318 sw_crypto_acipher_free_rsa_public_key(s);
319 }
320
do_free_keypair(struct rsa_keypair * s)321 static void do_free_keypair(struct rsa_keypair *s)
322 {
323 sw_crypto_acipher_free_rsa_keypair(s);
324 }
325
326 static struct drvcrypt_rsa driver_rsa = {
327 .alloc_publickey = do_alloc_publickey,
328 .free_publickey = do_free_publickey,
329 .alloc_keypair = do_alloc_keypair,
330 .optional.ssa_verify = do_ssa_verify,
331 .optional.ssa_sign = do_ssa_sign,
332 .free_keypair = do_free_keypair,
333 .gen_keypair = do_gen_keypair,
334 .encrypt = do_encrypt,
335 .decrypt = do_decrypt,
336 };
337
rsa_init(void)338 static TEE_Result rsa_init(void)
339 {
340 struct versal_cmd_args arg = { };
341
342 if (versal_crypto_request(VERSAL_RSA_KAT, &arg, NULL))
343 return TEE_ERROR_GENERIC;
344
345 return drvcrypt_register_rsa(&driver_rsa);
346 }
347
348 driver_init(rsa_init);
349