1 // SPDX-License-Identifier: BSD-2-Clause 2 /* 3 * Copyright (C) Foundries Ltd. 2022. 4 * Author: Jorge Ramirez <jorge@foundries.io> 5 */ 6 7 #include <assert.h> 8 #include <crypto/crypto_impl.h> 9 #include <drvcrypt.h> 10 #include <drvcrypt_acipher.h> 11 #include <initcall.h> 12 #include <ipi.h> 13 #include <mm/core_memprot.h> 14 #include <string.h> 15 #include <tee/cache.h> 16 17 #define RSA_MAX_PRIV_EXP_LEN 512 18 #define RSA_MAX_PUB_EXP_LEN 4 19 #define RSA_MAX_MOD_LEN 512 20 21 static void crypto_bignum_bn2bin_pad(size_t size, 22 struct bignum *from, uint8_t *to) 23 { 24 size_t len = crypto_bignum_num_bytes(from); 25 26 crypto_bignum_bn2bin(from, to + size - len); 27 } 28 29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data) 30 { 31 struct rsa_public_key *p = rsa_data->key.key; 32 struct versal_rsa_input_param *cmd = NULL; 33 struct versal_mbox_mem cmd_buf = { }; 34 struct versal_mbox_mem cipher = { }; 35 struct versal_mbox_mem key = { }; 36 struct versal_mbox_mem msg = { }; 37 struct versal_cmd_args arg = { }; 38 TEE_Result ret = TEE_SUCCESS; 39 uint32_t err = 0; 40 41 switch (rsa_data->rsa_id) { 42 case DRVCRYPT_RSA_PKCS_V1_5: 43 if (rsa_data->key.n_size != 128) 44 break; 45 46 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 47 rsa_data->key.key, 48 rsa_data->label.data, 49 rsa_data->label.length, 50 rsa_data->message.data, 51 rsa_data->message.length, 52 rsa_data->cipher.data, 53 &rsa_data->cipher.length); 54 case DRVCRYPT_RSA_OAEP: 55 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo, 56 rsa_data->key.key, 57 rsa_data->label.data, 58 rsa_data->label.length, 59 rsa_data->message.data, 60 rsa_data->message.length, 61 rsa_data->cipher.data, 62 &rsa_data->cipher.length); 63 case DRVCRYPT_RSA_NOPAD: 64 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key, 65 rsa_data->message.data, 66 rsa_data->message.length, 67 rsa_data->cipher.data, 68 &rsa_data->cipher.length); 69 case DRVCRYPT_RSASSA_PKCS_V1_5: 70 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 71 assert(rsa_data->key.n_size != 128); 72 break; 73 case DRVCRYPT_RSASSA_PSS: 74 default: 75 assert(0); 76 } 77 78 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL, &key); 79 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 80 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN, 81 p->e, (uint8_t *)key.buf + RSA_MAX_MOD_LEN); 82 83 versal_mbox_alloc(rsa_data->message.length, rsa_data->message.data, 84 &msg); 85 versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher); 86 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 87 88 cmd = cmd_buf.buf; 89 cmd->key_len = rsa_data->key.n_size; 90 cmd->data_addr = virt_to_phys(msg.buf); 91 cmd->key_addr = virt_to_phys(key.buf); 92 93 arg.ibuf[0].mem = cmd_buf; 94 arg.ibuf[1].mem = cipher; 95 arg.ibuf[2].mem = msg; 96 arg.ibuf[3].mem = key; 97 98 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) { 99 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]", 100 err, rsa_data->rsa_id, rsa_data->key.n_size); 101 102 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5) 103 ret = TEE_ERROR_SIGNATURE_INVALID; 104 else 105 ret = TEE_ERROR_GENERIC; 106 } 107 108 if (!ret) { 109 rsa_data->cipher.length = rsa_data->key.n_size; 110 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size); 111 } 112 113 free(cipher.buf); 114 free(cmd); 115 free(msg.buf); 116 free(key.buf); 117 118 return ret; 119 } 120 121 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data) 122 { 123 struct versal_rsa_input_param *cmd = NULL; 124 struct rsa_keypair *p = rsa_data->key.key; 125 struct versal_mbox_mem cmd_buf = { }; 126 struct versal_mbox_mem cipher = { }; 127 struct versal_mbox_mem key = { }; 128 struct versal_mbox_mem msg = { }; 129 struct versal_cmd_args arg = { }; 130 TEE_Result ret = TEE_SUCCESS; 131 uint32_t err = 0; 132 133 switch (rsa_data->rsa_id) { 134 case DRVCRYPT_RSA_PKCS_V1_5: 135 if (rsa_data->key.n_size != 128) 136 break; 137 138 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 139 rsa_data->key.key, 140 rsa_data->label.data, 141 rsa_data->label.length, 142 rsa_data->cipher.data, 143 rsa_data->cipher.length, 144 rsa_data->message.data, 145 &rsa_data->message.length); 146 case DRVCRYPT_RSA_OAEP: 147 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo, 148 rsa_data->key.key, 149 rsa_data->label.data, 150 rsa_data->label.length, 151 rsa_data->cipher.data, 152 rsa_data->cipher.length, 153 rsa_data->message.data, 154 &rsa_data->message.length); 155 case DRVCRYPT_RSA_NOPAD: 156 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key, 157 rsa_data->cipher.data, 158 rsa_data->cipher.length, 159 rsa_data->message.data, 160 &rsa_data->message.length); 161 case DRVCRYPT_RSASSA_PKCS_V1_5: 162 assert(rsa_data->hash_algo != TEE_ALG_SHA1); 163 assert(rsa_data->key.n_size != 128); 164 break; 165 case DRVCRYPT_RSASSA_PSS: 166 default: 167 assert(0); 168 } 169 170 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL, &key); 171 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf); 172 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d, 173 (uint8_t *)key.buf + RSA_MAX_MOD_LEN); 174 175 versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data, 176 &cipher); 177 versal_mbox_alloc(rsa_data->message.length, NULL, &msg); 178 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf); 179 180 cmd = cmd_buf.buf; 181 cmd->key_len = rsa_data->key.n_size; 182 cmd->data_addr = virt_to_phys(cipher.buf); 183 cmd->key_addr = virt_to_phys(key.buf); 184 185 arg.ibuf[0].mem = cmd_buf; 186 arg.ibuf[1].mem = msg; 187 arg.ibuf[2].mem = cipher; 188 arg.ibuf[3].mem = key; 189 190 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) { 191 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]", 192 err, rsa_data->rsa_id, rsa_data->key.n_size); 193 ret = TEE_ERROR_GENERIC; 194 } 195 196 if (!ret) { 197 rsa_data->message.length = rsa_data->key.n_size; 198 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size); 199 } 200 201 free(cipher.buf); 202 free(cmd); 203 free(key.buf); 204 free(msg.buf); 205 206 return ret; 207 } 208 209 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p) 210 { 211 switch (p->algo) { 212 case TEE_ALG_RSASSA_PKCS1_V1_5: 213 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 214 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 215 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 216 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 217 if (p->key.n_size != 128) { 218 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */ 219 return TEE_ERROR_NOT_IMPLEMENTED; 220 } 221 return sw_crypto_acipher_rsassa_sign(p->algo, 222 p->key.key, 223 p->salt_len, 224 p->message.data, 225 p->message.length, 226 p->signature.data, 227 &p->signature.length); 228 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 229 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 230 return sw_crypto_acipher_rsassa_sign(p->algo, 231 p->key.key, 232 p->salt_len, 233 p->message.data, 234 p->message.length, 235 p->signature.data, 236 &p->signature.length); 237 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 238 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 239 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 240 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 241 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 242 return sw_crypto_acipher_rsassa_sign(p->algo, 243 p->key.key, 244 p->salt_len, 245 p->message.data, 246 p->message.length, 247 p->signature.data, 248 &p->signature.length); 249 default: 250 break; 251 } 252 253 return TEE_ERROR_BAD_PARAMETERS; 254 } 255 256 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p) 257 { 258 switch (p->algo) { 259 case TEE_ALG_RSASSA_PKCS1_V1_5: 260 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224: 261 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256: 262 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384: 263 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512: 264 if (p->key.n_size != 128) { 265 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */ 266 return TEE_ERROR_NOT_IMPLEMENTED; 267 } 268 return sw_crypto_acipher_rsassa_verify(p->algo, 269 p->key.key, 270 p->salt_len, 271 p->message.data, 272 p->message.length, 273 p->signature.data, 274 p->signature.length); 275 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5: 276 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1: 277 return sw_crypto_acipher_rsassa_verify(p->algo, 278 p->key.key, 279 p->salt_len, 280 p->message.data, 281 p->message.length, 282 p->signature.data, 283 p->signature.length); 284 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1: 285 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224: 286 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256: 287 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384: 288 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512: 289 return sw_crypto_acipher_rsassa_verify(p->algo, 290 p->key.key, 291 p->salt_len, 292 p->message.data, 293 p->message.length, 294 p->signature.data, 295 p->signature.length); 296 default: 297 break; 298 } 299 300 return TEE_ERROR_BAD_PARAMETERS; 301 } 302 303 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits) 304 { 305 return sw_crypto_acipher_gen_rsa_key(s, size_bits); 306 } 307 308 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits) 309 { 310 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits); 311 } 312 313 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits) 314 { 315 return sw_crypto_acipher_alloc_rsa_public_key(key, bits); 316 } 317 318 static void do_free_publickey(struct rsa_public_key *s) 319 { 320 sw_crypto_acipher_free_rsa_public_key(s); 321 } 322 323 static void do_free_keypair(struct rsa_keypair *s) 324 { 325 sw_crypto_acipher_free_rsa_keypair(s); 326 } 327 328 static struct drvcrypt_rsa driver_rsa = { 329 .alloc_publickey = do_alloc_publickey, 330 .free_publickey = do_free_publickey, 331 .alloc_keypair = do_alloc_keypair, 332 .optional.ssa_verify = do_ssa_verify, 333 .optional.ssa_sign = do_ssa_sign, 334 .free_keypair = do_free_keypair, 335 .gen_keypair = do_gen_keypair, 336 .encrypt = do_encrypt, 337 .decrypt = do_decrypt, 338 }; 339 340 static TEE_Result rsa_init(void) 341 { 342 struct versal_cmd_args arg = { }; 343 344 if (versal_crypto_request(VERSAL_RSA_KAT, &arg, NULL)) 345 return TEE_ERROR_GENERIC; 346 347 return drvcrypt_register_rsa(&driver_rsa); 348 } 349 350 driver_init(rsa_init); 351