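// SPDX-License-Identifier: BSD-2-Clause
/*
 * Copyright (c) 2015, 2019, Linaro Limited
 */

#include <assert.h>
#include <inttypes.h>
#include <kernel/tee_common_otp.h>
#include <kernel/huk_subkey.h>
#include <signed_hdr.h>
#include <string.h>
#include <ta_pub_key.h>

/*
 * Override these in your platform code to really fetch device-unique
 * bits from e-fuses or whatever.
 *
 * The default implementation just sets it to a constant.
 */

/*
 * Default (stub) hardware unique key provider.
 *
 * Fills hwkey->data with zero bytes and reports success. hwkey is
 * dereferenced without a NULL check, so the caller must pass a valid
 * pointer.
 *
 * NOTE(review): because the stub returns a fixed all-zero value, every
 * device built without a platform override gets the same "unique" key.
 * Anything derived from it is then predictable and identical across
 * devices. Production platforms are expected to override this weak
 * symbol; consider making the build warn or fail when the stub is still
 * linked into a non-debug image.
 */
__weak TEE_Result tee_otp_get_hw_unique_key(struct tee_hw_unique_key *hwkey)
{
	memset(&hwkey->data[0], 0, sizeof(hwkey->data));
	return TEE_SUCCESS;
}

/*
 * Default die ID provider.
 *
 * Asks huk_subkey_derive() for the HUK_SUBKEY_DIE_ID subkey, with no
 * extra constant data, and lets it write len bytes into buffer.
 *
 * Returns 0 on success and -1 if huk_subkey_derive() reports any error
 * (the specific error code is not passed on).
 *
 * NOTE(review): presumably the subkey is derived from the value returned
 * by tee_otp_get_hw_unique_key(); if so, the die ID is only as unique as
 * that key - confirm against huk_subkey_derive().
 */
__weak int tee_otp_get_die_id(uint8_t *buffer, size_t len)
{
	if (huk_subkey_derive(HUK_SUBKEY_DIE_ID, NULL, 0, buffer, len))
		return -1;

	return 0;
}

#ifdef CFG_WITH_USER_TA
/*
 * Override this API on your platform to provide TA encryption key as
 * per your security requirements. There can be two options for this key:
 *
 * 1) Unique per device encryption key.
 * 2) Class wide encryption key.
 *
 * The default implementation chooses option (1).
 *
 * key_type must be SHDR_ENC_KEY_DEV_SPECIFIC; any other value is refused.
 * The key is derived with huk_subkey_derive() using HUK_SUBKEY_TA_ENC and
 * the TA public key modulus as constant data, and written to buffer
 * (len bytes).
 *
 * Returns TEE_SUCCESS on success, TEE_ERROR_SECURITY if the key type is
 * not supported by this default or if the derivation fails.
 */
__weak TEE_Result tee_otp_get_ta_enc_key(uint32_t key_type __maybe_unused,
					 uint8_t *buffer, size_t len)
{
	assert(key_type == SHDR_ENC_KEY_DEV_SPECIFIC);

	/*
	 * The assert() above is presumably compiled out in non-debug builds
	 * (which is why key_type carries __maybe_unused). Check again at run
	 * time and fail closed, so that a request for a class wide key is
	 * never silently answered with the device specific one.
	 */
	if (key_type != SHDR_ENC_KEY_DEV_SPECIFIC)
		return TEE_ERROR_SECURITY;

	if (huk_subkey_derive(HUK_SUBKEY_TA_ENC, ta_pub_key_modulus,
			      ta_pub_key_modulus_size, buffer, len))
		return TEE_ERROR_SECURITY;

	return TEE_SUCCESS;
}
#endif /* CFG_WITH_USER_TA */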