1683b6d2cSMarouene Boubakri // SPDX-License-Identifier: BSD-2-Clause
2683b6d2cSMarouene Boubakri /*
3683b6d2cSMarouene Boubakri * Copyright (c) 2015, 2019, Linaro Limited
4683b6d2cSMarouene Boubakri */
5683b6d2cSMarouene Boubakri
6683b6d2cSMarouene Boubakri #include <assert.h>
7683b6d2cSMarouene Boubakri #include <inttypes.h>
8683b6d2cSMarouene Boubakri #include <kernel/tee_common_otp.h>
9683b6d2cSMarouene Boubakri #include <kernel/huk_subkey.h>
10683b6d2cSMarouene Boubakri #include <signed_hdr.h>
11683b6d2cSMarouene Boubakri #include <ta_pub_key.h>
12683b6d2cSMarouene Boubakri
13683b6d2cSMarouene Boubakri /*
14683b6d2cSMarouene Boubakri * Override these in your platform code to really fetch device-unique
15683b6d2cSMarouene Boubakri * bits from e-fuses or whatever.
16683b6d2cSMarouene Boubakri *
17*fe33e974SSascha Hauer * The default implementation just sets it to a constant and cannot be
18*fe33e974SSascha Hauer * used in a secure environment.
19683b6d2cSMarouene Boubakri */
20683b6d2cSMarouene Boubakri
21*fe33e974SSascha Hauer #ifdef CFG_INSECURE
tee_otp_get_hw_unique_key(struct tee_hw_unique_key * hwkey)22683b6d2cSMarouene Boubakri __weak TEE_Result tee_otp_get_hw_unique_key(struct tee_hw_unique_key *hwkey)
23683b6d2cSMarouene Boubakri {
24683b6d2cSMarouene Boubakri memset(&hwkey->data[0], 0, sizeof(hwkey->data));
25683b6d2cSMarouene Boubakri return TEE_SUCCESS;
26683b6d2cSMarouene Boubakri }
27*fe33e974SSascha Hauer #endif
28683b6d2cSMarouene Boubakri
tee_otp_get_die_id(uint8_t * buffer,size_t len)29683b6d2cSMarouene Boubakri __weak int tee_otp_get_die_id(uint8_t *buffer, size_t len)
30683b6d2cSMarouene Boubakri {
31683b6d2cSMarouene Boubakri if (huk_subkey_derive(HUK_SUBKEY_DIE_ID, NULL, 0, buffer, len))
32683b6d2cSMarouene Boubakri return -1;
33683b6d2cSMarouene Boubakri
34683b6d2cSMarouene Boubakri return 0;
35683b6d2cSMarouene Boubakri }
36683b6d2cSMarouene Boubakri
37683b6d2cSMarouene Boubakri #ifdef CFG_WITH_USER_TA
38683b6d2cSMarouene Boubakri /*
39683b6d2cSMarouene Boubakri * Override this API on your platform to provide TA encryption key as
40683b6d2cSMarouene Boubakri * per your security requirements. There can be two options for this key:
41683b6d2cSMarouene Boubakri *
42683b6d2cSMarouene Boubakri * 1) Unique per device encryption key.
43683b6d2cSMarouene Boubakri * 2) Class wide encryption key.
44683b6d2cSMarouene Boubakri *
45683b6d2cSMarouene Boubakri * The default implementation chooses option (1).
46683b6d2cSMarouene Boubakri */
tee_otp_get_ta_enc_key(uint32_t key_type __maybe_unused,uint8_t * buffer,size_t len)47683b6d2cSMarouene Boubakri __weak TEE_Result tee_otp_get_ta_enc_key(uint32_t key_type __maybe_unused,
48683b6d2cSMarouene Boubakri uint8_t *buffer, size_t len)
49683b6d2cSMarouene Boubakri {
50683b6d2cSMarouene Boubakri assert(key_type == SHDR_ENC_KEY_DEV_SPECIFIC);
51683b6d2cSMarouene Boubakri
52683b6d2cSMarouene Boubakri if (huk_subkey_derive(HUK_SUBKEY_TA_ENC, ta_pub_key_modulus,
53683b6d2cSMarouene Boubakri ta_pub_key_modulus_size, buffer, len))
54683b6d2cSMarouene Boubakri return TEE_ERROR_SECURITY;
55683b6d2cSMarouene Boubakri
56683b6d2cSMarouene Boubakri return TEE_SUCCESS;
57683b6d2cSMarouene Boubakri }
58683b6d2cSMarouene Boubakri #endif
59