xref: /optee_os/core/drivers/crypto/caam/crypto.mk (revision 95eea104aeffdc502bd0f598a328f4ff4d18e138)

ifeq ($(CFG_NXP_CAAM),y)
# CAAM Debug: define 3x32 bits value (same bit used to debug a module)
# CFG_DBG_CAAM_TRACE  Module print trace
# CFG_DBG_CAAM_DESC   Module descriptor dump
# CFG_DBG_CAAM_BUF    Module buffer dump
#
# DBG_HAL    BIT32(0)  // HAL trace
# DBG_CTRL   BIT32(1)  // Controller trace
# DBG_MEM    BIT32(2)  // Memory utility trace
# DBG_SGT    BIT32(3)  // Scatter Gather trace
# DBG_PWR    BIT32(4)  // Power trace
# DBG_JR     BIT32(5)  // Job Ring trace
# DBG_RNG    BIT32(6)  // RNG trace
# DBG_HASH   BIT32(7)  // Hash trace
# DBG_RSA    BIT32(8)  // RSA trace
# DBG_CIPHER BIT32(9)  // Cipher trace
# DBG_BLOB   BIT32(10) // BLOB trace
# DBG_DMAOBJ BIT32(11) // DMA Object Trace
# DBG_ECC    BIT32(12) // ECC trace
# DBG_DH     BIT32(13) // DH Trace
# DBG_DSA    BIT32(14) // DSA trace
# DBG_MP     BIT32(15) // MP trace
# DBG_AE     BIT32(17) // AE trace
CFG_DBG_CAAM_TRACE ?= 0x2
CFG_DBG_CAAM_DESC ?= 0x0
CFG_DBG_CAAM_BUF ?= 0x0

# CAAM default drivers
caam-drivers = RNG BLOB

# CAAM default drivers connected to the HW crypto API
caam-crypto-drivers = CIPHER HASH HMAC CMAC AE_CCM

ifneq (,$(filter $(PLATFORM_FLAVOR),ls1012ardb ls1043ardb ls1046ardb))
$(call force, CFG_CAAM_BIG_ENDIAN,y)
$(call force, CFG_JR_BLOCK_SIZE,0x10000)
$(call force, CFG_JR_INDEX,2)
$(call force, CFG_JR_INT,105)
$(call force, CFG_CAAM_SGT_ALIGN,4)
$(call force, CFG_CAAM_64BIT,y)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
$(call force, CFG_CAAM_ITR,n)
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),ls1088ardb ls2088ardb ls1028ardb))
$(call force, CFG_CAAM_LITTLE_ENDIAN,y)
$(call force, CFG_JR_BLOCK_SIZE,0x10000)
$(call force, CFG_JR_INDEX,2)
$(call force, CFG_JR_INT,174)
$(call force, CFG_NXP_CAAM_SGT_V2,y)
$(call force, CFG_CAAM_SGT_ALIGN,4)
$(call force, CFG_CAAM_64BIT,y)
$(call force, CFG_CAAM_ITR,n)
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),lx2160aqds lx2160ardb))
$(call force, CFG_CAAM_LITTLE_ENDIAN,y)
$(call force, CFG_JR_BLOCK_SIZE,0x10000)
$(call force, CFG_JR_INDEX,2)
$(call force, CFG_JR_INT, 174)
$(call force, CFG_NB_JOBS_QUEUE, 80)
$(call force, CFG_NXP_CAAM_SGT_V2,y)
$(call force, CFG_CAAM_SGT_ALIGN,4)
$(call force, CFG_CAAM_64BIT,y)
$(call force, CFG_CAAM_ITR,n)
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx8qm-flavorlist) $(mx8qx-flavorlist)))
$(call force, CFG_CAAM_SIZE_ALIGN,4)
$(call force, CFG_JR_BLOCK_SIZE,0x10000)
$(call force, CFG_JR_INDEX,3)
$(call force, CFG_JR_INT,486)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx8dxl-flavorlist)))
$(call force, CFG_CAAM_SIZE_ALIGN,4)
$(call force, CFG_JR_BLOCK_SIZE,0x10000)
$(call force, CFG_JR_INDEX,3)
$(call force, CFG_JR_INT,356)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
$(call force, CFG_CAAM_JR_DISABLE_NODE,n)
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx8mm-flavorlist) $(mx8mn-flavorlist) \
	$(mx8mp-flavorlist) $(mx8mq-flavorlist)))
$(call force, CFG_JR_BLOCK_SIZE,0x1000)
$(call force, CFG_JR_INDEX,2)
$(call force, CFG_JR_INT,146)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
$(call force, CFG_JR_HAB_INDEX,0)
# There is a limitation on i.MX8M platforms regarding ECDSA Sign/Verify
# Size of Class 2 Context register is 40bytes, because of which sign/verify
# of a hash of more than 40bytes fails. So a workaround is implemented for
# this issue, controlled by CFG_NXP_CAAM_C2_CTX_REG_WA flag.
$(call force, CFG_NXP_CAAM_C2_CTX_REG_WA,y)
caam-drivers += MP DEK
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx8ulp-flavorlist)))
$(call force, CFG_JR_BLOCK_SIZE,0x1000)
$(call force, CFG_JR_INDEX,2)
$(call force, CFG_JR_INT,114)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
$(call force, CFG_CAAM_ITR,n)
caam-crypto-drivers += AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx7ulp-flavorlist)))
$(call force, CFG_JR_BLOCK_SIZE,0x1000)
$(call force, CFG_JR_INDEX,0)
$(call force, CFG_JR_INT,137)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
$(call force, CFG_CAAM_ITR,n)
caam-crypto-drivers += AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx6ul-flavorlist) $(mx7d-flavorlist) \
	$(mx7s-flavorlist)))
$(call force, CFG_JR_BLOCK_SIZE,0x1000)
$(call force, CFG_JR_INDEX,0)
$(call force, CFG_JR_INT,137)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
caam-drivers += MP
caam-crypto-drivers += RSA DSA ECC DH MATH AE_GCM
else ifneq (,$(filter $(PLATFORM_FLAVOR),$(mx6q-flavorlist) $(mx6qp-flavorlist) \
	$(mx6sx-flavorlist) $(mx6d-flavorlist) $(mx6dl-flavorlist) \
	$(mx6s-flavorlist) $(mx8ulp-flavorlist)))
$(call force, CFG_JR_BLOCK_SIZE,0x1000)
$(call force, CFG_JR_INDEX,0)
$(call force, CFG_JR_INT,137)
$(call force, CFG_NXP_CAAM_SGT_V1,y)
else
$(error Unsupported PLATFORM_FLAVOR "$(PLATFORM_FLAVOR)")
endif

# Disable the i.MX CAAM driver
$(call force,CFG_IMX_CAAM,n,Mandated by CFG_NXP_CAAM)

# CAAM buffer alignment size
CFG_CAAM_SIZE_ALIGN ?= 1

# Default padding number for SGT allocation
CFG_CAAM_SGT_ALIGN ?= 1

# Enable job ring interruption
CFG_CAAM_ITR ?= y

# Keep the CFG_JR_INDEX as secure at runtime
CFG_NXP_CAAM_RUNTIME_JR ?= y

# Define the RSA Private Key Format used by the CAAM
#   Format #1: (n, d)
#   Format #2: (p, q, d)
#   Format #3: (p, q, dp, dq, qp)
CFG_NXP_CAAM_RSA_KEY_FORMAT ?= 3

# Disable device tree status of the secure job ring
CFG_CAAM_JR_DISABLE_NODE ?= y

# Define the default CAAM private key encryption generation and the bignum
# maximum size needed.
# CAAM_KEY_PLAIN_TEXT    -> 4096 bits
# CAAM_KEY_BLACK_ECB|CCM -> 4576 bits
# 4096 (RSA Max key size) +  12 * 8 (Header serialization) +
# 48 * 8 (Black blob overhead in bytes) = 4576 bits
CFG_CORE_BIGNUM_MAX_BITS ?= 4576

# CAAM RNG Prediction Resistance
# When this flag is y, the CAAM RNG is reseeded on every random number request.
# In this case the performance is drastically reduced.
CFG_CAAM_RNG_RUNTIME_PR ?= n

# Enable CAAM non-crypto drivers
$(foreach drv, $(caam-drivers), $(eval CFG_NXP_CAAM_$(drv)_DRV ?= y))

# Prefer CAAM HWRNG over PRNG seeded by CAAM
ifeq ($(CFG_NXP_CAAM_RNG_DRV), y)
CFG_WITH_SOFTWARE_PRNG ?= n
endif

# DEK driver requires the SM driver to be enabled
ifeq ($(CFG_NXP_CAAM_DEK_DRV), y)
$(call force, CFG_NXP_CAAM_SM_DRV,y,Mandated by CFG_NXP_CAAM_DEK_DRV)
endif

ifeq ($(CFG_CRYPTO_DRIVER), y)
CFG_CRYPTO_DRIVER_DEBUG ?= 0

# Enable CAAM Crypto drivers
$(foreach drv, $(caam-crypto-drivers), $(eval CFG_NXP_CAAM_$(drv)_DRV ?= y))

# Enable MAC crypto driver
ifeq ($(call cfg-one-enabled,CFG_NXP_CAAM_HMAC_DRV CFG_NXP_CAAM_CMAC_DRV),y)
$(call force, CFG_CRYPTO_DRV_MAC,y,Mandated by CFG_NXP_CAAM_HMAC/CMAC_DRV)
endif

# Enable CIPHER crypto driver
ifeq ($(CFG_NXP_CAAM_CIPHER_DRV), y)
$(call force, CFG_CRYPTO_DRV_CIPHER,y,Mandated by CFG_NXP_CAAM_CIPHER_DRV)
endif

# Enable AE crypto driver
ifeq ($(call cfg-one-enabled,CFG_NXP_CAAM_AE_CCM_DRV CFG_NXP_CAAM_AE_GCM_DRV),y)
$(call force, CFG_CRYPTO_DRV_AUTHENC,y,Mandated by CFG_NXP_CAAM_AE_CCM/GCM_DRV)
endif

# Enable HASH crypto driver
ifeq ($(CFG_NXP_CAAM_HASH_DRV), y)
$(call force, CFG_CRYPTO_DRV_HASH,y,Mandated by CFG_NXP_CAAM_HASH_DRV)
endif

# Enable RSA crypto driver
ifeq ($(CFG_NXP_CAAM_RSA_DRV), y)
$(call force, CFG_CRYPTO_DRV_RSA,y,Mandated by CFG_NXP_CAAM_RSA_DRV)
endif

# Enable ECC crypto driver
ifeq ($(CFG_NXP_CAAM_ECC_DRV), y)
$(call force, CFG_CRYPTO_DRV_ECC,y,Mandated by CFG_NXP_CAAM_ECC_DRV)
endif

# Enable DSA crypto driver
ifeq ($(CFG_NXP_CAAM_DSA_DRV), y)
$(call force, CFG_CRYPTO_DRV_DSA,y,Mandated by CFG_NXP_CAAM_DSA_DRV)
endif

# Enable DH crypto driver
ifeq ($(CFG_NXP_CAAM_DH_DRV), y)
$(call force, CFG_CRYPTO_DRV_DH,y,Mandated by CFG_NXP_CAAM_DH_DRV)
endif

# Enable ACIPHER crypto driver
ifeq ($(call cfg-one-enabled,CFG_CRYPTO_DRV_RSA CFG_CRYPTO_DRV_ECC \
	CFG_CRYPTO_DRV_DSA CFG_CRYPTO_DRV_DH),y)
$(call force, CFG_CRYPTO_DRV_ACIPHER,y,Mandated by CFG_CRYPTO_DRV_{RSA|ECC|DSA|DH})
endif

endif # CFG_CRYPTO_DRIVER
endif # CFG_NXP_CAAM