1*a0edacb8SPankaj Gupta /*
2*a0edacb8SPankaj Gupta * Copyright 2021 NXP
3*a0edacb8SPankaj Gupta *
4*a0edacb8SPankaj Gupta * SPDX-License-Identifier: BSD-3-Clause
5*a0edacb8SPankaj Gupta *
6*a0edacb8SPankaj Gupta */
7*a0edacb8SPankaj Gupta
8*a0edacb8SPankaj Gupta #include <errno.h>
9*a0edacb8SPankaj Gupta #include <stdbool.h>
10*a0edacb8SPankaj Gupta #include <stdint.h>
11*a0edacb8SPankaj Gupta #include <stdio.h>
12*a0edacb8SPankaj Gupta #include <stdlib.h>
13*a0edacb8SPankaj Gupta #include <string.h>
14*a0edacb8SPankaj Gupta
15*a0edacb8SPankaj Gupta #include <arch_helpers.h>
16*a0edacb8SPankaj Gupta #include "caam.h"
17*a0edacb8SPankaj Gupta #include <common/debug.h>
18*a0edacb8SPankaj Gupta #include <drivers/auth/crypto_mod.h>
19*a0edacb8SPankaj Gupta
20*a0edacb8SPankaj Gupta #include "jobdesc.h"
21*a0edacb8SPankaj Gupta #include "rsa.h"
22*a0edacb8SPankaj Gupta #include "sec_hw_specific.h"
23*a0edacb8SPankaj Gupta
24*a0edacb8SPankaj Gupta /* This array contains DER value for SHA-256 */
25*a0edacb8SPankaj Gupta static const uint8_t hash_identifier[] = {
26*a0edacb8SPankaj Gupta 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
27*a0edacb8SPankaj Gupta 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
28*a0edacb8SPankaj Gupta 0x04, 0x20
29*a0edacb8SPankaj Gupta };
30*a0edacb8SPankaj Gupta
rsa_done(uint32_t * desc,uint32_t status,void * arg,void * job_ring)31*a0edacb8SPankaj Gupta static void rsa_done(uint32_t *desc, uint32_t status, void *arg,
32*a0edacb8SPankaj Gupta void *job_ring)
33*a0edacb8SPankaj Gupta {
34*a0edacb8SPankaj Gupta INFO("RSA Desc SUCCESS with status %x\n", status);
35*a0edacb8SPankaj Gupta }
36*a0edacb8SPankaj Gupta
rsa_public_verif_sec(uint8_t * sign,uint8_t * to,uint8_t * rsa_pub_key,uint32_t klen)37*a0edacb8SPankaj Gupta static int rsa_public_verif_sec(uint8_t *sign, uint8_t *to,
38*a0edacb8SPankaj Gupta uint8_t *rsa_pub_key, uint32_t klen)
39*a0edacb8SPankaj Gupta {
40*a0edacb8SPankaj Gupta int ret = 0;
41*a0edacb8SPankaj Gupta struct rsa_context ctx __aligned(CACHE_WRITEBACK_GRANULE);
42*a0edacb8SPankaj Gupta struct job_descriptor jobdesc __aligned(CACHE_WRITEBACK_GRANULE);
43*a0edacb8SPankaj Gupta
44*a0edacb8SPankaj Gupta jobdesc.arg = NULL;
45*a0edacb8SPankaj Gupta jobdesc.callback = rsa_done;
46*a0edacb8SPankaj Gupta
47*a0edacb8SPankaj Gupta memset(&ctx, 0, sizeof(struct rsa_context));
48*a0edacb8SPankaj Gupta
49*a0edacb8SPankaj Gupta ctx.pkin.a = sign;
50*a0edacb8SPankaj Gupta ctx.pkin.a_siz = klen;
51*a0edacb8SPankaj Gupta ctx.pkin.n = rsa_pub_key;
52*a0edacb8SPankaj Gupta ctx.pkin.n_siz = klen;
53*a0edacb8SPankaj Gupta ctx.pkin.e = rsa_pub_key + klen;
54*a0edacb8SPankaj Gupta ctx.pkin.e_siz = klen;
55*a0edacb8SPankaj Gupta
56*a0edacb8SPankaj Gupta cnstr_jobdesc_pkha_rsaexp(jobdesc.desc, &ctx.pkin, to, klen);
57*a0edacb8SPankaj Gupta
58*a0edacb8SPankaj Gupta #if defined(SEC_MEM_NON_COHERENT) && defined(IMAGE_BL2)
59*a0edacb8SPankaj Gupta flush_dcache_range((uintptr_t)sign, klen);
60*a0edacb8SPankaj Gupta flush_dcache_range((uintptr_t)rsa_pub_key, 2 * klen);
61*a0edacb8SPankaj Gupta flush_dcache_range((uintptr_t)&ctx.pkin, sizeof(ctx.pkin));
62*a0edacb8SPankaj Gupta inv_dcache_range((uintptr_t)to, klen);
63*a0edacb8SPankaj Gupta
64*a0edacb8SPankaj Gupta dmbsy();
65*a0edacb8SPankaj Gupta dsbsy();
66*a0edacb8SPankaj Gupta isb();
67*a0edacb8SPankaj Gupta #endif
68*a0edacb8SPankaj Gupta
69*a0edacb8SPankaj Gupta /* Finally, generate the requested random data bytes */
70*a0edacb8SPankaj Gupta ret = run_descriptor_jr(&jobdesc);
71*a0edacb8SPankaj Gupta if (ret != 0) {
72*a0edacb8SPankaj Gupta ERROR("Error in running descriptor\n");
73*a0edacb8SPankaj Gupta ret = -1;
74*a0edacb8SPankaj Gupta }
75*a0edacb8SPankaj Gupta #if defined(SEC_MEM_NON_COHERENT) && defined(IMAGE_BL2)
76*a0edacb8SPankaj Gupta inv_dcache_range((uintptr_t)to, klen);
77*a0edacb8SPankaj Gupta dmbsy();
78*a0edacb8SPankaj Gupta dsbsy();
79*a0edacb8SPankaj Gupta isb();
80*a0edacb8SPankaj Gupta #endif
81*a0edacb8SPankaj Gupta return ret;
82*a0edacb8SPankaj Gupta }
83*a0edacb8SPankaj Gupta
84*a0edacb8SPankaj Gupta /*
85*a0edacb8SPankaj Gupta * Construct encoded hash EM' wrt PKCSv1.5. This function calculates the
86*a0edacb8SPankaj Gupta * pointers for padding, DER value and hash. And finally, constructs EM'
87*a0edacb8SPankaj Gupta * which includes hash of complete CSF header and ESBC image. If SG flag
88*a0edacb8SPankaj Gupta * is on, hash of SG table and entries is also included.
89*a0edacb8SPankaj Gupta */
construct_img_encoded_hash_second(uint8_t * hash,uint8_t hash_len,uint8_t * encoded_hash_second,unsigned int key_len)90*a0edacb8SPankaj Gupta static int construct_img_encoded_hash_second(uint8_t *hash, uint8_t hash_len,
91*a0edacb8SPankaj Gupta uint8_t *encoded_hash_second,
92*a0edacb8SPankaj Gupta unsigned int key_len)
93*a0edacb8SPankaj Gupta {
94*a0edacb8SPankaj Gupta /*
95*a0edacb8SPankaj Gupta * RSA PKCSv1.5 encoding format for encoded message is below
96*a0edacb8SPankaj Gupta * EM = 0x0 || 0x1 || PS || 0x0 || DER || Hash
97*a0edacb8SPankaj Gupta * PS is Padding String
98*a0edacb8SPankaj Gupta * DER is DER value for SHA-256
99*a0edacb8SPankaj Gupta * Hash is SHA-256 hash
100*a0edacb8SPankaj Gupta * *********************************************************
101*a0edacb8SPankaj Gupta * representative points to first byte of EM initially and is
102*a0edacb8SPankaj Gupta * filled with 0x0
103*a0edacb8SPankaj Gupta * representative is incremented by 1 and second byte is filled
104*a0edacb8SPankaj Gupta * with 0x1
105*a0edacb8SPankaj Gupta * padding points to third byte of EM
106*a0edacb8SPankaj Gupta * digest points to full length of EM - 32 bytes
107*a0edacb8SPankaj Gupta * hash_id (DER value) points to 19 bytes before pDigest
108*a0edacb8SPankaj Gupta * separator is one byte which separates padding and DER
109*a0edacb8SPankaj Gupta */
110*a0edacb8SPankaj Gupta
111*a0edacb8SPankaj Gupta unsigned int len;
112*a0edacb8SPankaj Gupta uint8_t *representative;
113*a0edacb8SPankaj Gupta uint8_t *padding, *digest;
114*a0edacb8SPankaj Gupta uint8_t *hash_id, *separator;
115*a0edacb8SPankaj Gupta int i;
116*a0edacb8SPankaj Gupta int ret = 0;
117*a0edacb8SPankaj Gupta
118*a0edacb8SPankaj Gupta if (hash_len != SHA256_BYTES) {
119*a0edacb8SPankaj Gupta return -1;
120*a0edacb8SPankaj Gupta }
121*a0edacb8SPankaj Gupta
122*a0edacb8SPankaj Gupta /* Key length = Modulus length */
123*a0edacb8SPankaj Gupta len = (key_len / 2U) - 1U;
124*a0edacb8SPankaj Gupta representative = encoded_hash_second;
125*a0edacb8SPankaj Gupta representative[0] = 0U;
126*a0edacb8SPankaj Gupta representative[1] = 1U; /* block type 1 */
127*a0edacb8SPankaj Gupta
128*a0edacb8SPankaj Gupta padding = &representative[2];
129*a0edacb8SPankaj Gupta digest = &representative[1] + len - 32;
130*a0edacb8SPankaj Gupta hash_id = digest - sizeof(hash_identifier);
131*a0edacb8SPankaj Gupta separator = hash_id - 1;
132*a0edacb8SPankaj Gupta
133*a0edacb8SPankaj Gupta /* fill padding area pointed by padding with 0xff */
134*a0edacb8SPankaj Gupta memset(padding, 0xff, separator - padding);
135*a0edacb8SPankaj Gupta
136*a0edacb8SPankaj Gupta /* fill byte pointed by separator */
137*a0edacb8SPankaj Gupta *separator = 0U;
138*a0edacb8SPankaj Gupta
139*a0edacb8SPankaj Gupta /* fill SHA-256 DER value pointed by HashId */
140*a0edacb8SPankaj Gupta memcpy(hash_id, hash_identifier, sizeof(hash_identifier));
141*a0edacb8SPankaj Gupta
142*a0edacb8SPankaj Gupta /* fill hash pointed by Digest */
143*a0edacb8SPankaj Gupta for (i = 0; i < SHA256_BYTES; i++) {
144*a0edacb8SPankaj Gupta digest[i] = hash[i];
145*a0edacb8SPankaj Gupta }
146*a0edacb8SPankaj Gupta
147*a0edacb8SPankaj Gupta return ret;
148*a0edacb8SPankaj Gupta }
149*a0edacb8SPankaj Gupta
rsa_verify_signature(void * hash_ptr,unsigned int hash_len,void * sig_ptr,unsigned int sig_len,void * pk_ptr,unsigned int pk_len)150*a0edacb8SPankaj Gupta int rsa_verify_signature(void *hash_ptr, unsigned int hash_len,
151*a0edacb8SPankaj Gupta void *sig_ptr, unsigned int sig_len,
152*a0edacb8SPankaj Gupta void *pk_ptr, unsigned int pk_len)
153*a0edacb8SPankaj Gupta {
154*a0edacb8SPankaj Gupta uint8_t img_encoded_hash_second[RSA_4K_KEY_SZ_BYTES];
155*a0edacb8SPankaj Gupta uint8_t encoded_hash[RSA_4K_KEY_SZ_BYTES] __aligned(CACHE_WRITEBACK_GRANULE);
156*a0edacb8SPankaj Gupta int ret = 0;
157*a0edacb8SPankaj Gupta
158*a0edacb8SPankaj Gupta ret = construct_img_encoded_hash_second(hash_ptr, hash_len,
159*a0edacb8SPankaj Gupta img_encoded_hash_second,
160*a0edacb8SPankaj Gupta pk_len);
161*a0edacb8SPankaj Gupta if (ret != 0) {
162*a0edacb8SPankaj Gupta ERROR("Encoded Hash Failure\n");
163*a0edacb8SPankaj Gupta return CRYPTO_ERR_SIGNATURE;
164*a0edacb8SPankaj Gupta }
165*a0edacb8SPankaj Gupta
166*a0edacb8SPankaj Gupta ret = rsa_public_verif_sec(sig_ptr, encoded_hash, pk_ptr, pk_len / 2);
167*a0edacb8SPankaj Gupta if (ret != 0) {
168*a0edacb8SPankaj Gupta ERROR("RSA signature Failure\n");
169*a0edacb8SPankaj Gupta return CRYPTO_ERR_SIGNATURE;
170*a0edacb8SPankaj Gupta }
171*a0edacb8SPankaj Gupta
172*a0edacb8SPankaj Gupta ret = memcmp(img_encoded_hash_second, encoded_hash, sig_len);
173*a0edacb8SPankaj Gupta if (ret != 0) {
174*a0edacb8SPankaj Gupta ERROR("Comparison Failure\n");
175*a0edacb8SPankaj Gupta return CRYPTO_ERR_SIGNATURE;
176*a0edacb8SPankaj Gupta }
177*a0edacb8SPankaj Gupta
178*a0edacb8SPankaj Gupta return CRYPTO_SUCCESS;
179*a0edacb8SPankaj Gupta }
180