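// SPDX-License-Identifier: BSD-2-Clause
/*
 * Copyright (c) 2015, 2019, Linaro Limited
 */

#include <assert.h>
#include <inttypes.h>
#include <kernel/tee_common_otp.h>
#include <kernel/huk_subkey.h>
#include <signed_hdr.h>
#include <string.h>
#include <ta_pub_key.h>

/*
 * Override these in your platform code to really fetch device-unique
 * bits from e-fuses or whatever.
 *
 * The default implementation just sets it to a constant and cannot be
 * used in a secure environment.
 */

#ifdef CFG_INSECURE
/*
 * Default hardware unique key (HUK) provider, built only when CFG_INSECURE
 * is defined.
 *
 * Fills hwkey->data with zero bytes and returns TEE_SUCCESS. The key is a
 * fixed, publicly known constant, so it provides no secrecy and is the same
 * on every device running this stub. Without CFG_INSECURE this weak default
 * is not compiled at all, so the platform has to supply its own
 * implementation.
 */
__weak TEE_Result tee_otp_get_hw_unique_key(struct tee_hw_unique_key *hwkey)
{
	memset(&hwkey->data[0], 0, sizeof(hwkey->data));
	return TEE_SUCCESS;
}
#endif

/*
 * Default die ID provider.
 *
 * Writes len bytes to buffer using huk_subkey_derive() with the
 * HUK_SUBKEY_DIE_ID usage and no additional constant data.
 *
 * Returns 0 on success and -1 if the derivation reports any error; the
 * underlying error code is not propagated to the caller.
 */
__weak int tee_otp_get_die_id(uint8_t *buffer, size_t len)
{
	if (huk_subkey_derive(HUK_SUBKEY_DIE_ID, NULL, 0, buffer, len))
		return -1;

	return 0;
}

#ifdef CFG_WITH_USER_TA
/*
 * Override this API on your platform to provide TA encryption key as
 * per your security requirements. There can be two options for this key:
 *
 * 1) Unique per device encryption key.
 * 2) Class wide encryption key.
 *
 * The default implementation chooses option (1).
 *
 * The key is written to buffer (len bytes) using huk_subkey_derive() with
 * the HUK_SUBKEY_TA_ENC usage and the TA public key modulus as constant
 * data.
 *
 * Returns TEE_SUCCESS on success. Returns TEE_ERROR_SECURITY if key_type is
 * not SHDR_ENC_KEY_DEV_SPECIFIC or if the derivation fails.
 */
__weak TEE_Result tee_otp_get_ta_enc_key(uint32_t key_type __maybe_unused,
					 uint8_t *buffer, size_t len)
{
	assert(key_type == SHDR_ENC_KEY_DEV_SPECIFIC);

	/*
	 * assert() is compiled out when NDEBUG is defined, so the key type
	 * must also be checked at run time. Otherwise a request for any other
	 * key type would be answered with the device-specific key and
	 * TEE_SUCCESS.
	 */
	if (key_type != SHDR_ENC_KEY_DEV_SPECIFIC)
		return TEE_ERROR_SECURITY;

	if (huk_subkey_derive(HUK_SUBKEY_TA_ENC, ta_pub_key_modulus,
			      ta_pub_key_modulus_size, buffer, len))
		return TEE_ERROR_SECURITY;

	return TEE_SUCCESS;
}
#endif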