1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) Foundries Ltd. 2022. 4 * Author: Jorge Ramirez <jorge@foundries.io> 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto_impl.h> 9 #include <drvcrypt.h> 10 #include <drvcrypt_acipher.h> 11 #include <initcall.h> 12 #include <ipi.h> 13 #include <mm/core_memprot.h> 14 #include <string.h> 15 #include <tee/cache.h> 16 17 #define RSA_MAX_PRIV_EXP_LEN 512 18 #define RSA_MAX_PUB_EXP_LEN 4 19 #define RSA_MAX_MOD_LEN 512 20 21 static void crypto_bignum_bn2bin_pad(size_t size, 22 struct bignum *from, uint8_t *to) 23 { 24 size_t len = crypto_bignum_num_bytes(from); 25 26 crypto_bignum_bn2bin(from, to + size - len); 27 } 28 29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data) 30 { 31 struct rsa_public_key *p = rsa_data->key.key; 32 struct versal_rsa_input_param *cmd = NULL; 33 struct versal_mbox_mem cmd_buf = { }; 34 struct versal_mbox_mem cipher = { }; 35 struct versal_mbox_mem key = { }; 36 struct versal_mbox_mem msg = { }; 37 struct versal_cmd_args arg = { }; 38 TEE_Result ret = TEE_SUCCESS; 39 uint32_t err = 0; 40 41 switch (rsa_data->rsa_id) { 42 case DRVCRYPT_RSA_PKCS_V1_5: 43 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 44 rsa_data->key.key, 45 rsa_data->label.data, 46 rsa_data->label.length, 47 rsa_data->mgf_algo, 48 rsa_data->message.data, 49 rsa_data->message.length, 50 rsa_data->cipher.data, 51 &rsa_data->cipher.length); 52 case DRVCRYPT_RSA_OAEP: 53 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 54 rsa_data->key.key, 55 rsa_data->label.data, 56 rsa_data->label.length, 57 rsa_data->mgf_algo, 58 rsa_data->message.data, 59 rsa_data->message.length, 60 rsa_data->cipher.data, 61 &rsa_data->cipher.length); 62 case DRVCRYPT_RSA_NOPAD: 63 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key, 64 rsa_data->message.data, 65 rsa_data->message.length, 66 rsa_data->cipher.data, 67 &rsa_data->cipher.length); 68 case DRVCRYPT_RSASSA_PKCS_V1_5: 69 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 70 assert(rsa_data->key.n_size != 128); 71 break; 72 case DRVCRYPT_RSASSA_PSS: 73 default: 74 assert(0); 75 } 76 77 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL, &key); 78 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 79 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN, 80 p->e, (uint8_t *)key.buf + RSA_MAX_MOD_LEN); 81 82 versal_mbox_alloc(rsa_data->message.length, rsa_data->message.data, 83 &msg); 84 versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher); 85 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 86 87 cmd = cmd_buf.buf; 88 cmd->key_len = rsa_data->key.n_size; 89 cmd->data_addr = virt_to_phys(msg.buf); 90 cmd->key_addr = virt_to_phys(key.buf); 91 92 arg.ibuf[0].mem = cmd_buf; 93 arg.ibuf[1].mem = cipher; 94 arg.ibuf[2].mem = msg; 95 arg.ibuf[3].mem = key; 96 97 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) { 98 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]", 99 err, rsa_data->rsa_id, rsa_data->key.n_size); 100 101 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5) 102 ret = TEE_ERROR_SIGNATURE_INVALID; 103 else 104 ret = TEE_ERROR_GENERIC; 105 } 106 107 if (!ret) { 108 rsa_data->cipher.length = rsa_data->key.n_size; 109 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size); 110 } 111 112 free(cipher.buf); 113 free(cmd); 114 free(msg.buf); 115 free(key.buf); 116 117 return ret; 118 } 119 120 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data) 121 { 122 struct versal_rsa_input_param *cmd = NULL; 123 struct rsa_keypair *p = rsa_data->key.key; 124 struct versal_mbox_mem cmd_buf = { }; 125 struct versal_mbox_mem cipher = { }; 126 struct versal_mbox_mem key = { }; 127 struct versal_mbox_mem msg = { }; 128 struct versal_cmd_args arg = { }; 129 TEE_Result ret = TEE_SUCCESS; 130 uint32_t err = 0; 131 132 switch (rsa_data->rsa_id) { 133 case DRVCRYPT_RSA_PKCS_V1_5: 134 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 135 rsa_data->key.key, 136 rsa_data->label.data, 137 rsa_data->label.length, 138 rsa_data->mgf_algo, 139 rsa_data->cipher.data, 140 rsa_data->cipher.length, 141 rsa_data->message.data, 142 &rsa_data->message.length); 143 case DRVCRYPT_RSA_OAEP: 144 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 145 rsa_data->key.key, 146 rsa_data->label.data, 147 rsa_data->label.length, 148 rsa_data->mgf_algo, 149 rsa_data->cipher.data, 150 rsa_data->cipher.length, 151 rsa_data->message.data, 152 &rsa_data->message.length); 153 case DRVCRYPT_RSA_NOPAD: 154 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key, 155 rsa_data->cipher.data, 156 rsa_data->cipher.length, 157 rsa_data->message.data, 158 &rsa_data->message.length); 159 case DRVCRYPT_RSASSA_PKCS_V1_5: 160 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 161 assert(rsa_data->key.n_size != 128); 162 break; 163 case DRVCRYPT_RSASSA_PSS: 164 default: 165 assert(0); 166 } 167 168 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL, &key); 169 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 170 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d, 171 (uint8_t *)key.buf + RSA_MAX_MOD_LEN); 172 173 versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data, 174 &cipher); 175 versal_mbox_alloc(rsa_data->message.length, NULL, &msg); 176 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 177 178 cmd = cmd_buf.buf; 179 cmd->key_len = rsa_data->key.n_size; 180 cmd->data_addr = virt_to_phys(cipher.buf); 181 cmd->key_addr = virt_to_phys(key.buf); 182 183 arg.ibuf[0].mem = cmd_buf; 184 arg.ibuf[1].mem = msg; 185 arg.ibuf[2].mem = cipher; 186 arg.ibuf[3].mem = key; 187 188 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) { 189 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]", 190 err, rsa_data->rsa_id, rsa_data->key.n_size); 191 ret = TEE_ERROR_GENERIC; 192 } 193 194 if (!ret) { 195 rsa_data->message.length = rsa_data->key.n_size; 196 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size); 197 } 198 199 free(cipher.buf); 200 free(cmd); 201 free(key.buf); 202 free(msg.buf); 203 204 return ret; 205 } 206 207 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p) 208 { 209 switch (p->algo) { 210 case TEE_ALG_RSASSA_PKCS1_V1_5: 211 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 212 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 213 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 214 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 215 if (p->key.n_size != 128) { 216 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */ 217 return TEE_ERROR_NOT_IMPLEMENTED; 218 } 219 return sw_crypto_acipher_rsassa_sign(p->algo, 220 p->key.key, 221 p->salt_len, 222 p->message.data, 223 p->message.length, 224 p->signature.data, 225 &p->signature.length); 226 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 227 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 228 return sw_crypto_acipher_rsassa_sign(p->algo, 229 p->key.key, 230 p->salt_len, 231 p->message.data, 232 p->message.length, 233 p->signature.data, 234 &p->signature.length); 235 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 236 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 237 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 238 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 239 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 240 return sw_crypto_acipher_rsassa_sign(p->algo, 241 p->key.key, 242 p->salt_len, 243 p->message.data, 244 p->message.length, 245 p->signature.data, 246 &p->signature.length); 247 default: 248 break; 249 } 250 251 return TEE_ERROR_BAD_PARAMETERS; 252 } 253 254 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p) 255 { 256 switch (p->algo) { 257 case TEE_ALG_RSASSA_PKCS1_V1_5: 258 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 259 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 260 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 261 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 262 if (p->key.n_size != 128) { 263 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */ 264 return TEE_ERROR_NOT_IMPLEMENTED; 265 } 266 return sw_crypto_acipher_rsassa_verify(p->algo, 267 p->key.key, 268 p->salt_len, 269 p->message.data, 270 p->message.length, 271 p->signature.data, 272 p->signature.length); 273 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 274 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 275 return sw_crypto_acipher_rsassa_verify(p->algo, 276 p->key.key, 277 p->salt_len, 278 p->message.data, 279 p->message.length, 280 p->signature.data, 281 p->signature.length); 282 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 283 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 284 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 285 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 286 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 287 return sw_crypto_acipher_rsassa_verify(p->algo, 288 p->key.key, 289 p->salt_len, 290 p->message.data, 291 p->message.length, 292 p->signature.data, 293 p->signature.length); 294 default: 295 break; 296 } 297 298 return TEE_ERROR_BAD_PARAMETERS; 299 } 300 301 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits) 302 { 303 return sw_crypto_acipher_gen_rsa_key(s, size_bits); 304 } 305 306 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits) 307 { 308 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits); 309 } 310 311 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits) 312 { 313 return sw_crypto_acipher_alloc_rsa_public_key(key, bits); 314 } 315 316 static void do_free_publickey(struct rsa_public_key *s) 317 { 318 sw_crypto_acipher_free_rsa_public_key(s); 319 } 320 321 static void do_free_keypair(struct rsa_keypair *s) 322 { 323 sw_crypto_acipher_free_rsa_keypair(s); 324 } 325 326 static struct drvcrypt_rsa driver_rsa = { 327 .alloc_publickey = do_alloc_publickey, 328 .free_publickey = do_free_publickey, 329 .alloc_keypair = do_alloc_keypair, 330 .optional.ssa_verify = do_ssa_verify, 331 .optional.ssa_sign = do_ssa_sign, 332 .free_keypair = do_free_keypair, 333 .gen_keypair = do_gen_keypair, 334 .encrypt = do_encrypt, 335 .decrypt = do_decrypt, 336 }; 337 338 static TEE_Result rsa_init(void) 339 { 340 struct versal_cmd_args arg = { }; 341 342 if (versal_crypto_request(VERSAL_RSA_KAT, &arg, NULL)) 343 return TEE_ERROR_GENERIC; 344 345 return drvcrypt_register_rsa(&driver_rsa); 346 } 347 348 driver_init(rsa_init); 349