1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) Foundries Ltd. 2022. 4 * Author: Jorge Ramirez <jorge@foundries.io> 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto_impl.h> 9 #include <drvcrypt.h> 10 #include <drvcrypt_acipher.h> 11 #include <initcall.h> 12 #include <ipi.h> 13 #include <mm/core_memprot.h> 14 #include <string.h> 15 #include <tee/cache.h> 16 17 #define RSA_MAX_PRIV_EXP_LEN 512 18 #define RSA_MAX_PUB_EXP_LEN 4 19 #define RSA_MAX_MOD_LEN 512 20 21 static void crypto_bignum_bn2bin_pad(size_t size, 22 struct bignum *from, uint8_t *to) 23 { 24 size_t len = crypto_bignum_num_bytes(from); 25 26 crypto_bignum_bn2bin(from, to + size - len); 27 } 28 29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data) 30 { 31 struct rsa_public_key *p = rsa_data->key.key; 32 struct versal_rsa_input_param *cmd = NULL; 33 struct versal_mbox_mem cmd_buf = { }; 34 struct versal_mbox_mem cipher = { }; 35 struct versal_mbox_mem key = { }; 36 struct versal_mbox_mem msg = { }; 37 struct versal_cmd_args arg = { }; 38 TEE_Result ret = TEE_SUCCESS; 39 uint32_t err = 0; 40 41 switch (rsa_data->rsa_id) { 42 case DRVCRYPT_RSA_PKCS_V1_5: 43 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 44 rsa_data->key.key, 45 rsa_data->label.data, 46 rsa_data->label.length, 47 rsa_data->message.data, 48 rsa_data->message.length, 49 rsa_data->cipher.data, 50 &rsa_data->cipher.length); 51 case DRVCRYPT_RSA_OAEP: 52 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 53 rsa_data->key.key, 54 rsa_data->label.data, 55 rsa_data->label.length, 56 rsa_data->message.data, 57 rsa_data->message.length, 58 rsa_data->cipher.data, 59 &rsa_data->cipher.length); 60 case DRVCRYPT_RSA_NOPAD: 61 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key, 62 rsa_data->message.data, 63 rsa_data->message.length, 64 rsa_data->cipher.data, 65 &rsa_data->cipher.length); 66 case DRVCRYPT_RSASSA_PKCS_V1_5: 67 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 68 assert(rsa_data->key.n_size != 128); 69 break; 70 case DRVCRYPT_RSASSA_PSS: 71 default: 72 assert(0); 73 } 74 75 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL, &key); 76 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 77 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN, 78 p->e, (uint8_t *)key.buf + RSA_MAX_MOD_LEN); 79 80 versal_mbox_alloc(rsa_data->message.length, rsa_data->message.data, 81 &msg); 82 versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher); 83 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 84 85 cmd = cmd_buf.buf; 86 cmd->key_len = rsa_data->key.n_size; 87 cmd->data_addr = virt_to_phys(msg.buf); 88 cmd->key_addr = virt_to_phys(key.buf); 89 90 arg.ibuf[0].mem = cmd_buf; 91 arg.ibuf[1].mem = cipher; 92 arg.ibuf[2].mem = msg; 93 arg.ibuf[3].mem = key; 94 95 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) { 96 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]", 97 err, rsa_data->rsa_id, rsa_data->key.n_size); 98 99 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5) 100 ret = TEE_ERROR_SIGNATURE_INVALID; 101 else 102 ret = TEE_ERROR_GENERIC; 103 } 104 105 if (!ret) { 106 rsa_data->cipher.length = rsa_data->key.n_size; 107 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size); 108 } 109 110 free(cipher.buf); 111 free(cmd); 112 free(msg.buf); 113 free(key.buf); 114 115 return ret; 116 } 117 118 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data) 119 { 120 struct versal_rsa_input_param *cmd = NULL; 121 struct rsa_keypair *p = rsa_data->key.key; 122 struct versal_mbox_mem cmd_buf = { }; 123 struct versal_mbox_mem cipher = { }; 124 struct versal_mbox_mem key = { }; 125 struct versal_mbox_mem msg = { }; 126 struct versal_cmd_args arg = { }; 127 TEE_Result ret = TEE_SUCCESS; 128 uint32_t err = 0; 129 130 switch (rsa_data->rsa_id) { 131 case DRVCRYPT_RSA_PKCS_V1_5: 132 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 133 rsa_data->key.key, 134 rsa_data->label.data, 135 rsa_data->label.length, 136 rsa_data->cipher.data, 137 rsa_data->cipher.length, 138 rsa_data->message.data, 139 &rsa_data->message.length); 140 case DRVCRYPT_RSA_OAEP: 141 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 142 rsa_data->key.key, 143 rsa_data->label.data, 144 rsa_data->label.length, 145 rsa_data->cipher.data, 146 rsa_data->cipher.length, 147 rsa_data->message.data, 148 &rsa_data->message.length); 149 case DRVCRYPT_RSA_NOPAD: 150 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key, 151 rsa_data->cipher.data, 152 rsa_data->cipher.length, 153 rsa_data->message.data, 154 &rsa_data->message.length); 155 case DRVCRYPT_RSASSA_PKCS_V1_5: 156 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 157 assert(rsa_data->key.n_size != 128); 158 break; 159 case DRVCRYPT_RSASSA_PSS: 160 default: 161 assert(0); 162 } 163 164 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL, &key); 165 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 166 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d, 167 (uint8_t *)key.buf + RSA_MAX_MOD_LEN); 168 169 versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data, 170 &cipher); 171 versal_mbox_alloc(rsa_data->message.length, NULL, &msg); 172 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 173 174 cmd = cmd_buf.buf; 175 cmd->key_len = rsa_data->key.n_size; 176 cmd->data_addr = virt_to_phys(cipher.buf); 177 cmd->key_addr = virt_to_phys(key.buf); 178 179 arg.ibuf[0].mem = cmd_buf; 180 arg.ibuf[1].mem = msg; 181 arg.ibuf[2].mem = cipher; 182 arg.ibuf[3].mem = key; 183 184 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) { 185 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]", 186 err, rsa_data->rsa_id, rsa_data->key.n_size); 187 ret = TEE_ERROR_GENERIC; 188 } 189 190 if (!ret) { 191 rsa_data->message.length = rsa_data->key.n_size; 192 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size); 193 } 194 195 free(cipher.buf); 196 free(cmd); 197 free(key.buf); 198 free(msg.buf); 199 200 return ret; 201 } 202 203 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p) 204 { 205 switch (p->algo) { 206 case TEE_ALG_RSASSA_PKCS1_V1_5: 207 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 208 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 209 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 210 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 211 if (p->key.n_size != 128) { 212 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */ 213 return TEE_ERROR_NOT_IMPLEMENTED; 214 } 215 return sw_crypto_acipher_rsassa_sign(p->algo, 216 p->key.key, 217 p->salt_len, 218 p->message.data, 219 p->message.length, 220 p->signature.data, 221 &p->signature.length); 222 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 223 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 224 return sw_crypto_acipher_rsassa_sign(p->algo, 225 p->key.key, 226 p->salt_len, 227 p->message.data, 228 p->message.length, 229 p->signature.data, 230 &p->signature.length); 231 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 232 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 233 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 234 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 235 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 236 return sw_crypto_acipher_rsassa_sign(p->algo, 237 p->key.key, 238 p->salt_len, 239 p->message.data, 240 p->message.length, 241 p->signature.data, 242 &p->signature.length); 243 default: 244 break; 245 } 246 247 return TEE_ERROR_BAD_PARAMETERS; 248 } 249 250 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p) 251 { 252 switch (p->algo) { 253 case TEE_ALG_RSASSA_PKCS1_V1_5: 254 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 255 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 256 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 257 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 258 if (p->key.n_size != 128) { 259 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */ 260 return TEE_ERROR_NOT_IMPLEMENTED; 261 } 262 return sw_crypto_acipher_rsassa_verify(p->algo, 263 p->key.key, 264 p->salt_len, 265 p->message.data, 266 p->message.length, 267 p->signature.data, 268 p->signature.length); 269 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 270 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 271 return sw_crypto_acipher_rsassa_verify(p->algo, 272 p->key.key, 273 p->salt_len, 274 p->message.data, 275 p->message.length, 276 p->signature.data, 277 p->signature.length); 278 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 279 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 280 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 281 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 282 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 283 return sw_crypto_acipher_rsassa_verify(p->algo, 284 p->key.key, 285 p->salt_len, 286 p->message.data, 287 p->message.length, 288 p->signature.data, 289 p->signature.length); 290 default: 291 break; 292 } 293 294 return TEE_ERROR_BAD_PARAMETERS; 295 } 296 297 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits) 298 { 299 return sw_crypto_acipher_gen_rsa_key(s, size_bits); 300 } 301 302 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits) 303 { 304 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits); 305 } 306 307 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits) 308 { 309 return sw_crypto_acipher_alloc_rsa_public_key(key, bits); 310 } 311 312 static void do_free_publickey(struct rsa_public_key *s) 313 { 314 sw_crypto_acipher_free_rsa_public_key(s); 315 } 316 317 static void do_free_keypair(struct rsa_keypair *s) 318 { 319 sw_crypto_acipher_free_rsa_keypair(s); 320 } 321 322 static struct drvcrypt_rsa driver_rsa = { 323 .alloc_publickey = do_alloc_publickey, 324 .free_publickey = do_free_publickey, 325 .alloc_keypair = do_alloc_keypair, 326 .optional.ssa_verify = do_ssa_verify, 327 .optional.ssa_sign = do_ssa_sign, 328 .free_keypair = do_free_keypair, 329 .gen_keypair = do_gen_keypair, 330 .encrypt = do_encrypt, 331 .decrypt = do_decrypt, 332 }; 333 334 static TEE_Result rsa_init(void) 335 { 336 struct versal_cmd_args arg = { }; 337 338 if (versal_crypto_request(VERSAL_RSA_KAT, &arg, NULL)) 339 return TEE_ERROR_GENERIC; 340 341 return drvcrypt_register_rsa(&driver_rsa); 342 } 343 344 driver_init(rsa_init); 345