1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) Foundries Ltd. 2022. 4 * Author: Jorge Ramirez <jorge@foundries.io> 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto_impl.h> 9 #include <drvcrypt.h> 10 #include <drvcrypt_acipher.h> 11 #include <initcall.h> 12 #include <ipi.h> 13 #include <mm/core_memprot.h> 14 #include <string.h> 15 #include <tee/cache.h> 16 17 #define RSA_MAX_PRIV_EXP_LEN 512 18 #define RSA_MAX_PUB_EXP_LEN 4 19 #define RSA_MAX_MOD_LEN 512 20 21 static void crypto_bignum_bn2bin_pad(size_t size, 22 struct bignum *from, uint8_t *to) 23 { 24 size_t len = crypto_bignum_num_bytes(from); 25 26 crypto_bignum_bn2bin(from, to + size - len); 27 } 28 29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data) 30 { 31 struct rsa_public_key *p = rsa_data->key.key; 32 struct versal_rsa_input_param *cmd = NULL; 33 struct versal_mbox_mem cmd_buf = { }; 34 struct versal_mbox_mem cipher = { }; 35 struct versal_mbox_mem key = { }; 36 struct versal_mbox_mem msg = { }; 37 struct versal_cmd_args arg = { }; 38 TEE_Result ret = TEE_SUCCESS; 39 uint32_t err = 0; 40 41 switch (rsa_data->rsa_id) { 42 case DRVCRYPT_RSA_PKCS_V1_5: 43 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 44 rsa_data->key.key, 45 rsa_data->label.data, 46 rsa_data->label.length, 47 rsa_data->mgf_algo, 48 rsa_data->message.data, 49 rsa_data->message.length, 50 rsa_data->cipher.data, 51 &rsa_data->cipher.length); 52 case DRVCRYPT_RSA_OAEP: 53 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 54 rsa_data->key.key, 55 rsa_data->label.data, 56 rsa_data->label.length, 57 rsa_data->mgf_algo, 58 rsa_data->message.data, 59 rsa_data->message.length, 60 rsa_data->cipher.data, 61 &rsa_data->cipher.length); 62 case DRVCRYPT_RSA_NOPAD: 63 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key, 64 rsa_data->message.data, 65 rsa_data->message.length, 66 rsa_data->cipher.data, 67 &rsa_data->cipher.length); 68 case DRVCRYPT_RSASSA_PKCS_V1_5: 69 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 70 assert(rsa_data->key.n_size != 128); 71 break; 72 case DRVCRYPT_RSASSA_PSS: 73 default: 74 assert(0); 75 } 76 77 ret = versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL, 78 &key); 79 if (ret) 80 return ret; 81 82 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 83 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN, p->e, 84 (uint8_t *)key.buf + rsa_data->key.n_size); 85 86 ret = versal_mbox_alloc(rsa_data->message.length, 87 rsa_data->message.data, &msg); 88 if (ret) 89 goto out; 90 ret = versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher); 91 if (ret) 92 goto out; 93 ret = versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 94 if (ret) 95 goto out; 96 97 cmd = cmd_buf.buf; 98 cmd->key_len = rsa_data->key.n_size; 99 cmd->data_addr = virt_to_phys(msg.buf); 100 cmd->key_addr = virt_to_phys(key.buf); 101 102 arg.ibuf[0].mem = cmd_buf; 103 arg.ibuf[1].mem = cipher; 104 arg.ibuf[2].mem = msg; 105 arg.ibuf[3].mem = key; 106 107 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) { 108 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]", 109 err, rsa_data->rsa_id, rsa_data->key.n_size); 110 111 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5) 112 ret = TEE_ERROR_SIGNATURE_INVALID; 113 else 114 ret = TEE_ERROR_GENERIC; 115 } 116 117 if (!ret) { 118 rsa_data->cipher.length = rsa_data->key.n_size; 119 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size); 120 } 121 122 out: 123 versal_mbox_free(&cmd_buf); 124 versal_mbox_free(&cipher); 125 versal_mbox_free(&msg); 126 versal_mbox_free(&key); 127 128 return ret; 129 } 130 131 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data) 132 { 133 struct versal_rsa_input_param *cmd = NULL; 134 struct rsa_keypair *p = rsa_data->key.key; 135 struct versal_mbox_mem cmd_buf = { }; 136 struct versal_mbox_mem cipher = { }; 137 struct versal_mbox_mem key = { }; 138 struct versal_mbox_mem msg = { }; 139 struct versal_cmd_args arg = { }; 140 TEE_Result ret = TEE_SUCCESS; 141 uint32_t err = 0; 142 #if defined(PLATFORM_FLAVOR_net) 143 struct versal_rsa_key_param *keyp = NULL; 144 struct versal_mbox_mem keyp_buf = { }; 145 #endif 146 147 switch (rsa_data->rsa_id) { 148 case DRVCRYPT_RSA_PKCS_V1_5: 149 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 150 rsa_data->key.key, 151 rsa_data->label.data, 152 rsa_data->label.length, 153 rsa_data->mgf_algo, 154 rsa_data->cipher.data, 155 rsa_data->cipher.length, 156 rsa_data->message.data, 157 &rsa_data->message.length); 158 case DRVCRYPT_RSA_OAEP: 159 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 160 rsa_data->key.key, 161 rsa_data->label.data, 162 rsa_data->label.length, 163 rsa_data->mgf_algo, 164 rsa_data->cipher.data, 165 rsa_data->cipher.length, 166 rsa_data->message.data, 167 &rsa_data->message.length); 168 case DRVCRYPT_RSA_NOPAD: 169 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key, 170 rsa_data->cipher.data, 171 rsa_data->cipher.length, 172 rsa_data->message.data, 173 &rsa_data->message.length); 174 case DRVCRYPT_RSASSA_PKCS_V1_5: 175 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 176 assert(rsa_data->key.n_size != 128); 177 break; 178 case DRVCRYPT_RSASSA_PSS: 179 default: 180 assert(0); 181 } 182 183 ret = versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL, 184 &key); 185 if (ret) 186 return ret; 187 188 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 189 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d, 190 (uint8_t *)key.buf + rsa_data->key.n_size); 191 192 #if defined(PLATFORM_FLAVOR_net) 193 ret = versal_mbox_alloc(sizeof(*keyp), NULL, &keyp_buf); 194 if (ret) 195 goto out; 196 #endif 197 198 ret = versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data, 199 &cipher); 200 if (ret) 201 goto out; 202 ret = versal_mbox_alloc(rsa_data->message.length, NULL, &msg); 203 if (ret) 204 goto out; 205 ret = versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 206 if (ret) 207 goto out; 208 209 cmd = cmd_buf.buf; 210 cmd->key_len = rsa_data->key.n_size; 211 cmd->data_addr = virt_to_phys(cipher.buf); 212 #if !defined(PLATFORM_FLAVOR_net) 213 cmd->key_addr = virt_to_phys(key.buf); 214 #else 215 keyp = keyp_buf.buf; 216 memset(keyp, 0, sizeof(*keyp)); 217 keyp->exp_addr = virt_to_phys((uint8_t *)key.buf + 218 rsa_data->key.n_size); 219 keyp->mod_addr = virt_to_phys(key.buf); 220 keyp->opmode = VERSAL_RSA_OPMODE_EXPQ; 221 cmd->key_addr = virt_to_phys(keyp_buf.buf); 222 #endif 223 224 arg.ibuf[0].mem = cmd_buf; 225 arg.ibuf[1].mem = msg; 226 arg.ibuf[2].mem = cipher; 227 arg.ibuf[3].mem = key; 228 #if defined(PLATFORM_FLAVOR_net) 229 arg.ibuf[4].mem = keyp_buf; 230 #endif 231 232 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) { 233 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]", 234 err, rsa_data->rsa_id, rsa_data->key.n_size); 235 ret = TEE_ERROR_GENERIC; 236 } 237 238 if (!ret) { 239 rsa_data->message.length = rsa_data->key.n_size; 240 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size); 241 } 242 243 out: 244 versal_mbox_free(&cmd_buf); 245 versal_mbox_free(&msg); 246 versal_mbox_free(&cipher); 247 #if defined(PLATFORM_FLAVOR_net) 248 versal_mbox_free(&keyp_buf); 249 #endif 250 versal_mbox_free(&key); 251 252 return ret; 253 } 254 255 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p) 256 { 257 switch (p->algo) { 258 case TEE_ALG_RSASSA_PKCS1_V1_5: 259 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 260 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 261 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 262 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 263 if (p->key.n_size != 128) { 264 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */ 265 return TEE_ERROR_NOT_IMPLEMENTED; 266 } 267 return sw_crypto_acipher_rsassa_sign(p->algo, 268 p->key.key, 269 p->salt_len, 270 p->message.data, 271 p->message.length, 272 p->signature.data, 273 &p->signature.length); 274 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 275 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 276 return sw_crypto_acipher_rsassa_sign(p->algo, 277 p->key.key, 278 p->salt_len, 279 p->message.data, 280 p->message.length, 281 p->signature.data, 282 &p->signature.length); 283 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 284 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 285 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 286 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 287 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 288 return sw_crypto_acipher_rsassa_sign(p->algo, 289 p->key.key, 290 p->salt_len, 291 p->message.data, 292 p->message.length, 293 p->signature.data, 294 &p->signature.length); 295 default: 296 break; 297 } 298 299 return TEE_ERROR_BAD_PARAMETERS; 300 } 301 302 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p) 303 { 304 switch (p->algo) { 305 case TEE_ALG_RSASSA_PKCS1_V1_5: 306 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 307 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 308 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 309 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 310 if (p->key.n_size != 128) { 311 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */ 312 return TEE_ERROR_NOT_IMPLEMENTED; 313 } 314 return sw_crypto_acipher_rsassa_verify(p->algo, 315 p->key.key, 316 p->salt_len, 317 p->message.data, 318 p->message.length, 319 p->signature.data, 320 p->signature.length); 321 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 322 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 323 return sw_crypto_acipher_rsassa_verify(p->algo, 324 p->key.key, 325 p->salt_len, 326 p->message.data, 327 p->message.length, 328 p->signature.data, 329 p->signature.length); 330 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 331 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 332 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 333 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 334 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 335 return sw_crypto_acipher_rsassa_verify(p->algo, 336 p->key.key, 337 p->salt_len, 338 p->message.data, 339 p->message.length, 340 p->signature.data, 341 p->signature.length); 342 default: 343 break; 344 } 345 346 return TEE_ERROR_BAD_PARAMETERS; 347 } 348 349 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits) 350 { 351 return sw_crypto_acipher_gen_rsa_key(s, size_bits); 352 } 353 354 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits) 355 { 356 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits); 357 } 358 359 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits) 360 { 361 return sw_crypto_acipher_alloc_rsa_public_key(key, bits); 362 } 363 364 static void do_free_publickey(struct rsa_public_key *s) 365 { 366 sw_crypto_acipher_free_rsa_public_key(s); 367 } 368 369 static void do_free_keypair(struct rsa_keypair *s) 370 { 371 sw_crypto_acipher_free_rsa_keypair(s); 372 } 373 374 static struct drvcrypt_rsa driver_rsa = { 375 .alloc_publickey = do_alloc_publickey, 376 .free_publickey = do_free_publickey, 377 .alloc_keypair = do_alloc_keypair, 378 .optional.ssa_verify = do_ssa_verify, 379 .optional.ssa_sign = do_ssa_sign, 380 .free_keypair = do_free_keypair, 381 .gen_keypair = do_gen_keypair, 382 .encrypt = do_encrypt, 383 .decrypt = do_decrypt, 384 }; 385 386 static TEE_Result rsa_init(void) 387 { 388 uint32_t err = 0; 389 struct versal_cmd_args arg = { }; 390 391 arg.data[arg.dlen++] = VERSAL_RSA_PUB_ENC_KAT; 392 393 if (versal_crypto_request(VERSAL_KAT, &arg, &err)) 394 return TEE_ERROR_GENERIC; 395 396 if (err) { 397 DMSG("RSA_PUB_ENC_KAT returned 0x%" PRIx32, err); 398 return TEE_ERROR_GENERIC; 399 } 400 401 /* Clear previous request */ 402 arg.dlen = 0; 403 404 arg.data[arg.dlen++] = VERSAL_RSA_PRIVATE_DEC_KAT; 405 406 if (versal_crypto_request(VERSAL_KAT, &arg, &err)) 407 return TEE_ERROR_GENERIC; 408 409 if (err) { 410 DMSG("RSA_PRIVATE_DEC_KAT returned 0x%" PRIx32, err); 411 return TEE_ERROR_GENERIC; 412 } 413 414 return drvcrypt_register_rsa(&driver_rsa); 415 } 416 417 driver_init(rsa_init); 418