1 From d2e808b0dcca1b5e850274f770775c355ae36c48 Mon Sep 17 00:00:00 2001
2 From: Biwen Li <biwen.li@nxp.com>
3 Date: Tue, 30 Oct 2018 18:27:03 +0800
4 Subject: [PATCH 34/40] platfrom-security: support layerscape
5 This is an integrated patch of platform-security for
8 Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
9 Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
10 Signed-off-by: Biwen Li <biwen.li@nxp.com>
12 Documentation/security/keys/secure-key.rst | 67 ++
14 drivers/tee/optee/Kconfig | 8 +
15 drivers/tee/optee/core.c | 2 +-
16 include/keys/secure-type.h | 33 +
17 security/keys/Kconfig | 11 +
18 security/keys/Makefile | 5 +
19 security/keys/encrypted-keys/Makefile | 2 +
20 security/keys/encrypted-keys/encrypted.c | 13 +-
21 security/keys/encrypted-keys/encrypted.h | 13 +
22 .../keys/encrypted-keys/masterkey_secure.c | 37 ++
23 security/keys/secure_key.c | 339 ++++++++++
24 security/keys/securekey_desc.c | 608 ++++++++++++++++++
25 security/keys/securekey_desc.h | 141 ++++
26 14 files changed, 1288 insertions(+), 3 deletions(-)
27 create mode 100644 Documentation/security/keys/secure-key.rst
28 create mode 100644 include/keys/secure-type.h
29 create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
30 create mode 100644 security/keys/secure_key.c
31 create mode 100644 security/keys/securekey_desc.c
32 create mode 100644 security/keys/securekey_desc.h
35 +++ b/Documentation/security/keys/secure-key.rst
41 +Secure key is the new type added to kernel key ring service.
42 +Secure key is a symmetric type key of minimum length 32 bytes
43 +and with maximum possible length to be 128 bytes. It is produced
44 +in kernel using the CAAM crypto engine. Userspace can only see
45 +the blob for the corresponding key. All the blobs are displayed
46 +or loaded in hex ascii.
48 +Secure key can be created on platforms which supports CAAM
49 +hardware block. Secure key can also be used as a master key to
50 +create the encrypted keys along with the existing key types in
53 +Secure key uses CAAM hardware to generate the key and blobify its
54 +content for userspace. Generated blobs are tied up with the hardware
55 +secret key stored in CAAM, hence the same blob will not be able to
56 +de-blobify with the different secret key on another machine.
60 + keyctl add secure <name> "new <keylen>" <ring>
61 + keyctl load secure <name> "load <hex_blob>" <ring>
62 + keyctl print <key_id>
64 +"keyctl add secure" option will create the random data of the
65 +specified key len using CAAM and store it as a key in kernel.
66 +Key contents will be displayed as blobs to the user in hex ascii.
67 +User can input key len from 32 bytes to 128 bytes.
69 +"keyctl load secure" option will load the blob contents. In kernel,
70 +key will be deirved using input blob and CAAM, along with the secret
73 +"keyctl print" will return the hex string of the blob corresponding to
74 +key_id. Returned blob will be of key_len + 48 bytes. Extra 48 bytes are
75 +the header bytes added by the CAAM.
77 +Example of secure key usage::
79 +1. Create the secure key with name kmk-master of length 32 bytes::
81 + $ keyctl add secure kmk-master "new 32" @u
86 + 1030783626 --alswrv 0 65534 keyring: _uid_ses.0
87 + 695927745 --alswrv 0 65534 \_ keyring: _uid.0
88 + 46001928 --als-rv 0 0 \_ secure: kmk-master
90 +2. Print the blob contents for the kmk-master key::
92 + $ keyctl print 46001928
93 + d9743445b640f3d59c1670dddc0bc9c2
94 + 34fc9aab7dd05c965e6120025012f029b
95 + 07faa4776c4f6ed02899e35a135531e9a
96 + 6e5c2b51132f9d5aef28f68738e658296
97 + 3fe583177cfe50d2542b659a13039
99 + $ keyctl pipe 46001928 > secure_key.blob
101 +3. Load the blob in the user key ring::
103 + $ keyctl load secure kmk-master "load 'cat secure_key.blob'" @u
106 @@ -7646,6 +7646,18 @@ F: include/keys/trusted-type.h
107 F: security/keys/trusted.c
108 F: security/keys/trusted.h
111 +M: Udit Agarwal <udit.agarwal@nxp.com>
112 +R: Sahil Malhotra <sahil.malhotra@nxp.com>
113 +L: linux-security-module@vger.kernel.org
114 +L: keyrings@vger.kernel.org
116 +F: include/keys/secure-type.h
117 +F: security/keys/secure_key.c
118 +F: security/keys/securekey_desc.c
119 +F: security/keys/securekey_desc.h
120 +F: security/keys/encrypted-keys/masterkey_secure.c
123 M: David Howells <dhowells@redhat.com>
124 L: keyrings@vger.kernel.org
125 --- a/drivers/tee/optee/Kconfig
126 +++ b/drivers/tee/optee/Kconfig
127 @@ -6,3 +6,11 @@ config OPTEE
129 This implements the OP-TEE Trusted Execution Environment (TEE)
132 +config OPTEE_SHM_NUM_PRIV_PAGES
133 + int "Private Shared Memory Pages"
137 + This sets the number of private shared memory pages to be
138 + used by OP-TEE TEE driver.
139 --- a/drivers/tee/optee/core.c
140 +++ b/drivers/tee/optee/core.c
143 #define DRIVER_NAME "optee"
145 -#define OPTEE_SHM_NUM_PRIV_PAGES 1
146 +#define OPTEE_SHM_NUM_PRIV_PAGES CONFIG_OPTEE_SHM_NUM_PRIV_PAGES
149 * optee_from_msg_param() - convert from OPTEE_MSG parameters to
151 +++ b/include/keys/secure-type.h
153 +/* SPDX-License-Identifier: GPL-2.0 */
155 + * Copyright (C) 2018 NXP.
159 +#ifndef _KEYS_SECURE_TYPE_H
160 +#define _KEYS_SECURE_TYPE_H
162 +#include <linux/key.h>
163 +#include <linux/rcupdate.h>
165 +/* Minimum key size to be used is 32 bytes and maximum key size fixed
167 + * Blob size to be kept is Maximum key size + blob header added by CAAM.
170 +#define MIN_KEY_SIZE 32
171 +#define MAX_KEY_SIZE 128
172 +#define BLOB_HEADER_SIZE 48
174 +#define MAX_BLOB_SIZE (MAX_KEY_SIZE + BLOB_HEADER_SIZE)
176 +struct secure_key_payload {
177 + struct rcu_head rcu;
178 + unsigned int key_len;
179 + unsigned int blob_len;
180 + unsigned char key[MAX_KEY_SIZE + 1];
181 + unsigned char blob[MAX_BLOB_SIZE];
184 +extern struct key_type key_type_secure;
186 --- a/security/keys/Kconfig
187 +++ b/security/keys/Kconfig
188 @@ -71,6 +71,17 @@ config TRUSTED_KEYS
190 If you are unsure as to whether this is required, answer N.
193 + tristate "SECURE_KEYS"
194 + depends on KEYS && CRYPTO_DEV_FSL_CAAM && CRYPTO_DEV_FSL_CAAM_JR
196 + This option provide support for creating secure-type key and blobs
197 + in kernel. Secure keys are random number symmetric keys generated
198 + from CAAM. The CAAM creates the blobs for the random key.
199 + Userspace will only be able to see the blob.
201 + If you are unsure as to whether this is required, answer N.
203 config ENCRYPTED_KEYS
204 tristate "ENCRYPTED KEYS"
206 --- a/security/keys/Makefile
207 +++ b/security/keys/Makefile
208 @@ -28,4 +28,9 @@ obj-$(CONFIG_KEY_DH_OPERATIONS) += dh.o
210 obj-$(CONFIG_BIG_KEYS) += big_key.o
211 obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
212 +CFLAGS_secure_key.o += -I$(obj)/../../drivers/crypto/caam/
213 +CFLAGS_securekey_desc.o += -I$(obj)/../../drivers/crypto/caam/
214 +obj-$(CONFIG_SECURE_KEYS) += securekey.o
215 +securekey-y := securekey_desc.o \
217 obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
218 --- a/security/keys/encrypted-keys/Makefile
219 +++ b/security/keys/encrypted-keys/Makefile
220 @@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypte
222 encrypted-keys-y := encrypted.o ecryptfs_format.o
223 masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
224 +masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
225 masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
226 +masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
227 encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
228 --- a/security/keys/encrypted-keys/encrypted.c
229 +++ b/security/keys/encrypted-keys/encrypted.c
231 #include "ecryptfs_format.h"
233 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
234 +static const char KEY_SECURE_PREFIX[] = "secure:";
235 static const char KEY_USER_PREFIX[] = "user:";
236 static const char hash_alg[] = "sha256";
237 static const char hmac_alg[] = "hmac(sha256)";
238 @@ -49,6 +50,7 @@ static unsigned int ivsize;
241 #define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
242 +#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
243 #define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
244 #define KEY_ECRYPTFS_DESC_LEN 16
245 #define HASH_SIZE SHA256_DIGEST_SIZE
246 @@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const cha
248 * valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
250 - * key-type:= "trusted:" | "user:"
251 + * key-type:= "trusted:" | "user:" | "secure:"
252 * desc:= master-key description
254 * Verify that 'key-type' is valid and that 'desc' exists. On key update,
255 @@ -140,6 +142,8 @@ static int valid_master_desc(const char
257 if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
258 prefix_len = KEY_TRUSTED_PREFIX_LEN;
259 + else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
260 + prefix_len = KEY_SECURE_PREFIX_LEN;
261 else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
262 prefix_len = KEY_USER_PREFIX_LEN;
264 @@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u
266 enum derived_key_type { ENC_KEY, AUTH_KEY };
268 -/* Derive authentication/encryption key from trusted key */
269 +/* Derive authentication/encryption key from trusted/secure key */
270 static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
271 const u8 *master_key, size_t master_keylen)
273 @@ -429,6 +433,11 @@ static struct key *request_master_key(st
274 mkey = request_trusted_key(epayload->master_desc +
275 KEY_TRUSTED_PREFIX_LEN,
276 master_key, master_keylen);
277 + } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
278 + KEY_SECURE_PREFIX_LEN)) {
279 + mkey = request_secure_key(epayload->master_desc +
280 + KEY_SECURE_PREFIX_LEN,
281 + master_key, master_keylen);
282 } else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
283 KEY_USER_PREFIX_LEN)) {
284 mkey = request_user_key(epayload->master_desc +
285 --- a/security/keys/encrypted-keys/encrypted.h
286 +++ b/security/keys/encrypted-keys/encrypted.h
287 @@ -16,6 +16,19 @@ static inline struct key *request_truste
291 +#if defined(CONFIG_SECURE_KEYS)
292 +extern struct key *request_secure_key(const char *secure_desc,
293 + const u8 **master_key,
294 + size_t *master_keylen);
296 +static inline struct key *request_secure_key(const char *secure_desc,
297 + const u8 **master_key,
298 + size_t *master_keylen)
300 + return ERR_PTR(-EOPNOTSUPP);
305 static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
308 +++ b/security/keys/encrypted-keys/masterkey_secure.c
310 +// SPDX-License-Identifier: GPL-2.0
312 + * Copyright (C) 2018 NXP.
316 +#include <linux/uaccess.h>
317 +#include <linux/module.h>
318 +#include <linux/err.h>
319 +#include <keys/secure-type.h>
320 +#include <keys/encrypted-type.h>
321 +#include "encrypted.h"
324 + * request_secure_key - request the secure key
326 + * Secure keys and their blobs are derived from CAAM hardware.
327 + * Userspace manages secure key-type data, but key data is not
328 + * visible in plain form. It is presented as blobs.
330 +struct key *request_secure_key(const char *secure_desc,
331 + const u8 **master_key, size_t *master_keylen)
333 + struct secure_key_payload *spayload;
336 + skey = request_key(&key_type_secure, secure_desc, NULL);
340 + down_read(&skey->sem);
341 + spayload = skey->payload.data[0];
342 + *master_key = spayload->key;
343 + *master_keylen = spayload->key_len;
348 +++ b/security/keys/secure_key.c
350 +// SPDX-License-Identifier: GPL-2.0
351 +/* Copyright (C) 2018 NXP
352 + * Secure key is generated using NXP CAAM hardware block. CAAM generates the
353 + * random number (used as a key) and creates its blob for the user.
356 +#include <linux/slab.h>
357 +#include <linux/parser.h>
358 +#include <linux/string.h>
359 +#include <linux/key-type.h>
360 +#include <linux/rcupdate.h>
361 +#include <keys/secure-type.h>
362 +#include <linux/completion.h>
364 +#include "securekey_desc.h"
366 +static const char hmac_alg[] = "hmac(sha1)";
367 +static const char hash_alg[] = "sha1";
369 +static struct crypto_shash *hashalg;
370 +static struct crypto_shash *hmacalg;
378 +static const match_table_t key_tokens = {
380 + {load_blob, "load"},
384 +static struct secure_key_payload *secure_payload_alloc(struct key *key)
386 + struct secure_key_payload *sec_key = NULL;
389 + ret = key_payload_reserve(key, sizeof(*sec_key));
393 + sec_key = kzalloc(sizeof(*sec_key), GFP_KERNEL);
402 + * parse_inputdata - parse the keyctl input data and fill in the
403 + * payload structure for key or its blob.
404 + * param[in]: data pointer to the data to be parsed for creating key.
405 + * param[in]: p pointer to secure key payload structure to fill parsed data
406 + * On success returns 0, otherwise -EINVAL.
408 +static int parse_inputdata(char *data, struct secure_key_payload *p)
410 + substring_t args[MAX_OPT_ARGS];
413 + int key_cmd = -EINVAL;
416 + c = strsep(&data, " \t");
422 + /* Get the keyctl command i.e. new_key or load_blob etc */
423 + key_cmd = match_token(c, key_tokens, args);
427 + /* first argument is key size */
428 + c = strsep(&data, " \t");
434 + ret = kstrtol(c, 10, &keylen);
435 + if (ret < 0 || keylen < MIN_KEY_SIZE ||
436 + keylen > MAX_KEY_SIZE) {
441 + p->key_len = keylen;
446 + /* first argument is blob data for CAAM*/
447 + c = strsep(&data, " \t");
453 + /* Blob_len = No of characters in blob/2 */
454 + p->blob_len = strlen(c) / 2;
455 + if (p->blob_len > MAX_BLOB_SIZE) {
460 + ret = hex2bin(p->blob, c, p->blob_len);
478 + * secure_instantiate - create a new secure type key.
479 + * Supports the operation to generate a new key. A random number
480 + * is generated from CAAM as key data and the corresponding red blob
481 + * is formed and stored as key_blob.
482 + * Also supports the operation to load the blob and key is derived using
483 + * that blob from CAAM.
484 + * On success, return 0. Otherwise return errno.
486 +static int secure_instantiate(struct key *key,
487 + struct key_preparsed_payload *prep)
489 + struct secure_key_payload *payload = NULL;
490 + size_t datalen = prep->datalen;
494 + enum sk_req_type sk_op_type;
495 + struct device *dev = NULL;
497 + if (datalen <= 0 || datalen > 32767 || !prep->data) {
502 + data = kmalloc(datalen + 1, GFP_KERNEL);
508 + memcpy(data, prep->data, datalen);
509 + data[datalen] = '\0';
511 + payload = secure_payload_alloc(key);
517 + /* Allocate caam job ring for operation to be performed from CAAM */
518 + dev = caam_jr_alloc();
520 + pr_info("caam_jr_alloc failed\n");
525 + key_cmd = parse_inputdata(data, payload);
534 + * Red blob decryption to be done for load operation
535 + * to derive the key.
537 + sk_op_type = sk_red_blob_dec;
538 + ret = key_deblob(payload, sk_op_type, dev);
540 + pr_info("secure_key: key_blob decap fail (%d)\n", ret);
545 + /* Get Random number from caam of the specified length */
546 + sk_op_type = sk_get_random;
547 + ret = caam_get_random(payload, sk_op_type, dev);
549 + pr_info("secure_key: get_random fail (%d)\n", ret);
553 + /* Generate red blob of key random bytes with CAAM */
554 + sk_op_type = sk_red_blob_enc;
555 + ret = key_blob(payload, sk_op_type, dev);
557 + pr_info("secure_key: key_blob encap fail (%d)\n", ret);
572 + rcu_assign_keypointer(key, payload);
580 + * secure_read - copy the blob data to userspace in hex.
581 + * param[in]: key pointer to key struct
582 + * param[in]: buffer pointer to user data for creating key
583 + * param[in]: buflen is the length of the buffer
584 + * On success, return to userspace the secure key data size.
586 +static long secure_read(const struct key *key, char __user *buffer,
589 + const struct secure_key_payload *p = NULL;
594 + p = dereference_key_locked(key);
598 + if (buffer && buflen >= 2 * p->blob_len) {
599 + ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
604 + for (i = 0; i < p->blob_len; i++)
605 + bufp = hex_byte_pack(bufp, p->blob[i]);
606 + if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
612 + return 2 * p->blob_len;
616 + * secure_destroy - clear and free the key's payload
618 +static void secure_destroy(struct key *key)
620 + kzfree(key->payload.data[0]);
623 +struct key_type key_type_secure = {
625 + .instantiate = secure_instantiate,
626 + .destroy = secure_destroy,
627 + .read = secure_read,
629 +EXPORT_SYMBOL_GPL(key_type_secure);
631 +static void secure_shash_release(void)
634 + crypto_free_shash(hashalg);
636 + crypto_free_shash(hmacalg);
639 +static int __init secure_shash_alloc(void)
643 + hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
644 + if (IS_ERR(hmacalg)) {
645 + pr_info("secure_key: could not allocate crypto %s\n",
647 + return PTR_ERR(hmacalg);
650 + hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
651 + if (IS_ERR(hashalg)) {
652 + pr_info("secure_key: could not allocate crypto %s\n",
654 + ret = PTR_ERR(hashalg);
661 + crypto_free_shash(hmacalg);
665 +static int __init init_secure_key(void)
669 + ret = secure_shash_alloc();
673 + ret = register_key_type(&key_type_secure);
675 + secure_shash_release();
679 +static void __exit cleanup_secure_key(void)
681 + secure_shash_release();
682 + unregister_key_type(&key_type_secure);
685 +late_initcall(init_secure_key);
686 +module_exit(cleanup_secure_key);
688 +MODULE_LICENSE("GPL");
690 +++ b/security/keys/securekey_desc.c
692 +// SPDX-License-Identifier: GPL-2.0
694 + * Copyright (C) 2018 NXP
698 +#include <keys/secure-type.h>
699 +#include "securekey_desc.h"
701 +/* key modifier for blob encapsulation & decapsulation descriptor */
702 +u8 key_modifier[] = "SECURE_KEY";
703 +u32 key_modifier_len = 10;
705 +void caam_sk_rng_desc(struct sk_req *skreq, struct sk_desc *skdesc)
707 + struct sk_fetch_rnd_data *fetch_rnd_data = NULL;
708 + struct random_desc *rnd_desc = NULL;
710 + u32 *desc = skreq->hwdesc;
712 + init_job_desc(desc, 0);
714 + fetch_rnd_data = &skreq->req_u.sk_fetch_rnd_data;
715 + rnd_desc = &skdesc->dma_u.random_descp;
716 + len = fetch_rnd_data->key_len;
718 + /* command 0x82500000 */
719 + append_cmd(desc, CMD_OPERATION | OP_TYPE_CLASS1_ALG |
720 + OP_ALG_ALGSEL_RNG);
721 + /* command 0x60340000 | len */
722 + append_cmd(desc, CMD_FIFO_STORE | FIFOST_TYPE_RNGSTORE | len);
723 + append_ptr(desc, rnd_desc->rnd_data);
726 +void caam_sk_redblob_encap_desc(struct sk_req *skreq, struct sk_desc *skdesc)
728 + struct redblob_encap_desc *red_blob_desc =
729 + &skdesc->dma_u.redblob_encapdesc;
730 + struct sk_red_blob_encap *red_blob_req =
731 + &skreq->req_u.sk_red_blob_encap;
732 + u32 *desc = skreq->hwdesc;
734 + init_job_desc(desc, 0);
736 + /* Load class 2 key with key modifier. */
737 + append_key_as_imm(desc, key_modifier, key_modifier_len,
738 + key_modifier_len, CLASS_2 | KEY_DEST_CLASS_REG);
740 + /* SEQ IN PTR Command. */
741 + append_seq_in_ptr(desc, red_blob_desc->in_data, red_blob_req->data_sz,
744 + /* SEQ OUT PTR Command. */
745 + append_seq_out_ptr(desc, red_blob_desc->redblob,
746 + red_blob_req->redblob_sz, 0);
748 + /* RedBlob encapsulation PROTOCOL Command. */
749 + append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB);
752 +/* void caam_sk_redblob_decap_desc(struct sk_req *skreq, struct sk_desc *skdesc)
753 + * brief CAAM Descriptor creator from redblob to plaindata.
754 + * param[in] skreq Pointer to secure key request structure
755 + * param[in] skdesc Pointer to secure key descriptor structure
757 +void caam_sk_redblob_decap_desc(struct sk_req *skreq, struct sk_desc *skdesc)
759 + struct redblob_decap_desc *red_blob_desc =
760 + &skdesc->dma_u.redblob_decapdesc;
761 + struct sk_red_blob_decap *red_blob_req =
762 + &skreq->req_u.sk_red_blob_decap;
763 + u32 *desc = skreq->hwdesc;
765 + init_job_desc(desc, 0);
767 + /* Load class 2 key with key modifier. */
768 + append_key_as_imm(desc, key_modifier, key_modifier_len,
769 + key_modifier_len, CLASS_2 | KEY_DEST_CLASS_REG);
771 + /* SEQ IN PTR Command. */
772 + append_seq_in_ptr(desc, red_blob_desc->redblob,
773 + red_blob_req->redblob_sz, 0);
775 + /* SEQ OUT PTR Command. */
776 + append_seq_out_ptr(desc, red_blob_desc->out_data,
777 + red_blob_req->data_sz, 0);
779 + /* RedBlob decapsulation PROTOCOL Command. */
780 + append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
783 +/* int caam_sk_get_random_map(struct device *dev, struct sk_req *req,
784 + * struct sk_desc *skdesc)
785 + * brief DMA map the buffer virtual pointers to physical address.
786 + * param[in] dev Pointer to job ring device structure
787 + * param[in] req Pointer to secure key request structure
788 + * param[in] skdesc Pointer to secure key descriptor structure
789 + * return 0 on success, error value otherwise.
791 +int caam_sk_get_random_map(struct device *dev, struct sk_req *req,
792 + struct sk_desc *skdesc)
794 + struct sk_fetch_rnd_data *fetch_rnd_data;
795 + struct random_desc *rnd_desc;
797 + fetch_rnd_data = &req->req_u.sk_fetch_rnd_data;
798 + rnd_desc = &skdesc->dma_u.random_descp;
800 + rnd_desc->rnd_data = dma_map_single(dev, fetch_rnd_data->data,
801 + fetch_rnd_data->key_len, DMA_FROM_DEVICE);
803 + if (dma_mapping_error(dev, rnd_desc->rnd_data)) {
804 + dev_err(dev, "Unable to map memory\n");
805 + goto sk_random_map_fail;
813 +/* int caam_sk_redblob_encap_map(struct device *dev, struct sk_req *req,
814 + * struct sk_desc *skdesc)
815 + * brief DMA map the buffer virtual pointers to physical address.
816 + * param[in] dev Pointer to job ring device structure
817 + * param[in] req Pointer to secure key request structure
818 + * param[in] skdesc Pointer to secure key descriptor structure
819 + * return 0 on success, error value otherwise.
821 +int caam_sk_redblob_encap_map(struct device *dev, struct sk_req *req,
822 + struct sk_desc *skdesc)
824 + struct sk_red_blob_encap *red_blob_encap;
825 + struct redblob_encap_desc *red_blob_desc;
827 + red_blob_encap = &req->req_u.sk_red_blob_encap;
828 + red_blob_desc = &skdesc->dma_u.redblob_encapdesc;
830 + red_blob_desc->in_data = dma_map_single(dev, red_blob_encap->data,
831 + red_blob_encap->data_sz, DMA_TO_DEVICE);
832 + if (dma_mapping_error(dev, red_blob_desc->in_data)) {
833 + dev_err(dev, "Unable to map memory\n");
837 + red_blob_desc->redblob = dma_map_single(dev, red_blob_encap->redblob,
838 + red_blob_encap->redblob_sz, DMA_FROM_DEVICE);
839 + if (dma_mapping_error(dev, red_blob_desc->redblob)) {
840 + dev_err(dev, "Unable to map memory\n");
841 + goto sk_redblob_fail;
847 + dma_unmap_single(dev, red_blob_desc->in_data, red_blob_encap->data_sz,
853 +/* static int caam_sk_redblob_decap_map(struct device *dev,
854 + * struct sk_req *req,
855 + * struct sk_desc *skdesc)
856 + * brief DMA map the buffer virtual pointers to physical address.
857 + * param[in] dev Pointer to job ring device structure
858 + * param[in] req Pointer to secure key request structure
859 + * param[in] skdesc Pointer to secure key descriptor structure
860 + * return 0 on success, error value otherwise.
862 +int caam_sk_redblob_decap_map(struct device *dev, struct sk_req *req,
863 + struct sk_desc *skdesc)
865 + struct sk_red_blob_decap *red_blob_decap;
866 + struct redblob_decap_desc *red_blob_desc;
868 + red_blob_decap = &req->req_u.sk_red_blob_decap;
869 + red_blob_desc = &skdesc->dma_u.redblob_decapdesc;
871 + red_blob_desc->redblob = dma_map_single(dev, red_blob_decap->redblob,
872 + red_blob_decap->redblob_sz, DMA_TO_DEVICE);
873 + if (dma_mapping_error(dev, red_blob_desc->redblob)) {
874 + dev_err(dev, "Unable to map memory\n");
875 + goto sk_redblob_fail;
878 + red_blob_desc->out_data = dma_map_single(dev, red_blob_decap->data,
879 + red_blob_decap->data_sz, DMA_FROM_DEVICE);
880 + if (dma_mapping_error(dev, red_blob_desc->out_data)) {
881 + dev_err(dev, "Unable to map memory\n");
888 + dma_unmap_single(dev, red_blob_desc->redblob,
889 + red_blob_decap->redblob_sz, DMA_TO_DEVICE);
894 +/* @fn void securekey_unmap(struct device *dev,
895 + * struct sk_desc *skdesc, struct sk_req *req)
896 + * @brief DMA unmap the buffer pointers.
897 + * @param[in] dev Pointer to job ring device structure
898 + * @param[in] skdesc Pointer to secure key descriptor structure
899 + * @param[in] req Pointer to secure key request structure
901 +void securekey_unmap(struct device *dev,
902 + struct sk_desc *skdesc, struct sk_req *req)
905 + switch (req->type) {
906 + case sk_get_random:
908 + struct sk_fetch_rnd_data *fetch_rnd_data;
909 + struct random_desc *rnd_desc;
911 + fetch_rnd_data = &req->req_u.sk_fetch_rnd_data;
912 + rnd_desc = &skdesc->dma_u.random_descp;
914 + /* Unmap Descriptor buffer pointers. */
915 + dma_unmap_single(dev, rnd_desc->rnd_data,
916 + fetch_rnd_data->key_len,
920 + case sk_red_blob_enc:
922 + struct sk_red_blob_encap *red_blob_encap;
923 + struct redblob_encap_desc *red_blob_desc;
925 + red_blob_encap = &req->req_u.sk_red_blob_encap;
926 + red_blob_desc = &skdesc->dma_u.redblob_encapdesc;
928 + /* Unmap Descriptor buffer pointers. */
929 + dma_unmap_single(dev, red_blob_desc->in_data,
930 + red_blob_encap->data_sz,
933 + dma_unmap_single(dev, red_blob_desc->redblob,
934 + red_blob_encap->redblob_sz,
939 + case sk_red_blob_dec:
941 + struct sk_red_blob_decap *red_blob_decap;
942 + struct redblob_decap_desc *red_blob_desc;
944 + red_blob_decap = &req->req_u.sk_red_blob_decap;
945 + red_blob_desc = &skdesc->dma_u.redblob_decapdesc;
947 + /* Unmap Descriptor buffer pointers. */
948 + dma_unmap_single(dev, red_blob_desc->redblob,
949 + red_blob_decap->redblob_sz,
952 + dma_unmap_single(dev, red_blob_desc->out_data,
953 + red_blob_decap->data_sz,
959 + dev_err(dev, "Unable to find request type\n");
965 +/* int caam_securekey_desc_init(struct device *dev, struct sk_req *req)
966 + * brief CAAM Descriptor creator for secure key operations.
967 + * param[in] dev Pointer to job ring device structure
968 + * param[in] req Pointer to secure key request structure
969 + * return 0 on success, error value otherwise.
971 +int caam_securekey_desc_init(struct device *dev, struct sk_req *req)
973 + struct sk_desc *skdesc = NULL;
976 + switch (req->type) {
977 + case sk_get_random:
979 + skdesc = kmalloc(sizeof(*skdesc), GFP_DMA);
984 + skdesc->req_type = req->type;
986 + if (caam_sk_get_random_map(dev, req, skdesc)) {
987 + dev_err(dev, "caam get_random map fail\n");
991 + caam_sk_rng_desc(req, skdesc);
994 + case sk_red_blob_enc:
996 + skdesc = kmalloc(sizeof(*skdesc), GFP_DMA);
1002 + skdesc->req_type = req->type;
1004 + if (caam_sk_redblob_encap_map(dev, req, skdesc)) {
1005 + dev_err(dev, "caam redblob_encap map fail\n");
1010 + /* Descriptor function to create redblob from data. */
1011 + caam_sk_redblob_encap_desc(req, skdesc);
1015 + case sk_red_blob_dec:
1017 + skdesc = kmalloc(sizeof(*skdesc), GFP_DMA);
1023 + skdesc->req_type = req->type;
1025 + if (caam_sk_redblob_decap_map(dev, req, skdesc)) {
1026 + dev_err(dev, "caam redblob_decap map fail\n");
1031 + /* Descriptor function to decap data from redblob. */
1032 + caam_sk_redblob_decap_desc(req, skdesc);
1036 + pr_debug("Unknown request type\n");
1041 + req->desc_pointer = (void *)skdesc;
1047 +/* static void caam_op_done (struct device *dev, u32 *desc, u32 ret,
1049 + * brief callback function to be called when descriptor executed.
1050 + * param[in] dev Pointer to device structure
1051 + * param[in] desc descriptor pointer
1052 + * param[in] ret return status of Job submitted
1053 + * param[in] context void pointer
1055 +static void caam_op_done(struct device *dev, u32 *desc, u32 ret,
1058 + struct sk_req *req = context;
1061 + dev_err(dev, "caam op done err: %x\n", ret);
1062 + /* print the error source name. */
1063 + caam_jr_strstatus(dev, ret);
1065 + /* Call securekey_unmap function for unmapping the buffer pointers. */
1066 + securekey_unmap(dev, req->desc_pointer, req);
1069 + complete(&req->comp);
1073 +/* static int sk_job_submit(struct device *jrdev, struct sk_req *req)
1074 + * brief Enqueue a Job descriptor to Job ring and wait until SEC returns.
1075 + * param[in] jrdev Pointer to job ring device structure
1076 + * param[in] req Pointer to secure key request structure
1077 + * return 0 on success, error value otherwise.
1079 +static int sk_job_submit(struct device *jrdev, struct sk_req *req)
1083 + init_completion(&req->comp);
1085 + /* caam_jr_enqueue function for Enqueue a job descriptor */
1086 + ret = caam_jr_enqueue(jrdev, req->hwdesc, caam_op_done, req);
1088 + wait_for_completion_interruptible(&req->comp);
1094 +/* caam_get_random(struct secure_key_payload *p, enum sk_req_type fetch_rnd,
1095 + * struct device *dev)
1096 + * Create the random number of the specified length using CAAM block
1097 + * param[in]: out pointer to place the random bytes
1098 + * param[in]: length for the random data bytes.
1099 + * param[in]: dev Pointer to job ring device structure
1100 + * If operation is successful return 0, otherwise error.
1102 +int caam_get_random(struct secure_key_payload *p, enum sk_req_type fetch_rnd,
1103 + struct device *dev)
1105 + struct sk_fetch_rnd_data *fetch_rnd_data = NULL;
1106 + struct sk_req *req = NULL;
1108 + void *temp = NULL;
1110 + req = kmalloc(sizeof(struct sk_req), GFP_DMA);
1116 + req->type = fetch_rnd;
1117 + fetch_rnd_data = &(req->req_u.sk_fetch_rnd_data);
1119 + /* initialise with key length */
1120 + fetch_rnd_data->key_len = p->key_len;
1122 + temp = kmalloc(fetch_rnd_data->key_len, GFP_DMA);
1127 + fetch_rnd_data->data = temp;
1129 + ret = caam_securekey_desc_init(dev, req);
1132 + pr_info("caam_securekey_desc_init failed\n");
1136 + ret = sk_job_submit(dev, req);
1138 + /*Copy output to key buffer. */
1139 + memcpy(p->key, fetch_rnd_data->data, p->key_len);
1153 +EXPORT_SYMBOL(caam_get_random);
1155 +/* key_deblob(struct secure_key_payload *p, enum sk_req_type decap_type
1156 + * struct device *dev)
1157 + * Deblobify the blob to get the key data and fill in secure key payload struct
1158 + * param[in] p pointer to the secure key payload
1159 + * param[in] decap_type operation to be done.
1160 + * param[in] dev dev Pointer to job ring device structure
1161 + * If operation is successful return 0, otherwise error.
1163 +int key_deblob(struct secure_key_payload *p, enum sk_req_type decap_type,
1164 + struct device *dev)
1166 + unsigned int blob_len;
1167 + struct sk_red_blob_decap *d_blob;
1168 + struct sk_req *req = NULL;
1169 + int total_sz = 0, *temp = NULL, ret = 0;
1171 + req = kmalloc(sizeof(struct sk_req), GFP_DMA);
1177 + d_blob = &(req->req_u.sk_red_blob_decap);
1178 + blob_len = p->blob_len;
1179 + req->type = decap_type;
1182 + * Red blob size is the blob_len filled in payload struct
1183 + * Data_sz i.e. key is the blob_len - blob header size
1186 + d_blob->redblob_sz = blob_len;
1187 + d_blob->data_sz = blob_len - (SK_BLOB_KEY_SZ + SK_BLOB_MAC_SZ);
1188 + total_sz = d_blob->data_sz + d_blob->redblob_sz;
1190 + temp = kmalloc(total_sz, GFP_DMA);
1196 + req->mem_pointer = temp;
1197 + d_blob->redblob = temp;
1198 + d_blob->data = d_blob->redblob + d_blob->redblob_sz;
1199 + memcpy(d_blob->redblob, p->blob, blob_len);
1201 + ret = caam_securekey_desc_init(dev, req);
1204 + pr_info("caam_securekey_desc_init: Failed\n");
1208 + ret = sk_job_submit(dev, req);
1210 + /*Copy output to key buffer. */
1211 + p->key_len = d_blob->data_sz;
1212 + memcpy(p->key, d_blob->data, p->key_len);
1224 +EXPORT_SYMBOL(key_deblob);
1226 +/* key_blob(struct secure_key_payload *p, enum sk_req_type encap_type,
1227 + * struct device *dev)
1228 + * To blobify the key data to get the blob. This blob can only be seen by
1230 + * param[in] p pointer to the secure key payload
1231 + * param[in] decap_type operation to be done.
1232 + * param[in] dev dev Pointer to job ring device structure
1233 + * If operation is successful return 0, otherwise error.
1235 +int key_blob(struct secure_key_payload *p, enum sk_req_type encap_type,
1236 + struct device *dev)
1238 + unsigned int key_len;
1239 + struct sk_red_blob_encap *k_blob;
1240 + struct sk_req *req = NULL;
1241 + int total_sz = 0, *temp = NULL, ret = 0;
1243 + req = kmalloc(sizeof(struct sk_req), GFP_DMA);
1249 + key_len = p->key_len;
1251 + req->type = encap_type;
1252 + k_blob = &(req->req_u.sk_red_blob_encap);
1255 + * Data_sz i.e. key len and the corresponding blob_len is
1256 + * key_len + BLOB header size.
1259 + k_blob->data_sz = key_len;
1260 + k_blob->redblob_sz = key_len + SK_BLOB_KEY_SZ + SK_BLOB_MAC_SZ;
1261 + total_sz = k_blob->data_sz + k_blob->redblob_sz;
1263 + temp = kmalloc(total_sz, GFP_DMA);
1269 + req->mem_pointer = temp;
1270 + k_blob->data = temp;
1272 + k_blob->redblob = k_blob->data + k_blob->data_sz;
1273 + memcpy(k_blob->data, p->key, key_len);
1275 + ret = caam_securekey_desc_init(dev, req);
1278 + pr_info("caam_securekey_desc_init failed\n");
1282 + ret = sk_job_submit(dev, req);
1284 + /*Copy output to key buffer. */
1285 + p->blob_len = k_blob->redblob_sz;
1286 + memcpy(p->blob, k_blob->redblob, p->blob_len);
1293 + kfree(req->mem_pointer);
1299 +EXPORT_SYMBOL(key_blob);
1301 +++ b/security/keys/securekey_desc.h
1303 +/* SPDX-License-Identifier: GPL-2.0 */
1305 + * Copyright 2018 NXP
1308 +#ifndef _SECUREKEY_DESC_H_
1309 +#define _SECUREKEY_DESC_H_
1311 +#include "compat.h"
1313 +#include "intern.h"
1315 +#include "desc_constr.h"
1320 +#define SK_BLOB_KEY_SZ 32 /* Blob key size. */
1321 +#define SK_BLOB_MAC_SZ 16 /* Blob MAC size. */
1324 + * brief defines different kinds of operations supported by this module.
1334 + * struct random_des
1335 + * param[out] rnd_data output buffer for random data.
1337 +struct random_desc {
1338 + dma_addr_t rnd_data;
1341 +/* struct redblob_encap_desc
1342 + * details Structure containing dma address for redblob encapsulation.
1343 + * param[in] in_data input data to redblob encap descriptor.
1344 + * param[out] redblob output buffer for redblob.
1346 +struct redblob_encap_desc {
1347 + dma_addr_t in_data;
1348 + dma_addr_t redblob;
1351 +/* struct redblob_decap_desc
1352 + * details Structure containing dma address for redblob decapsulation.
1353 + * param[in] redblob input buffer to redblob decap descriptor.
1354 + * param[out] out_data output data from redblob decap descriptor.
1356 +struct redblob_decap_desc {
1357 + dma_addr_t redblob;
1358 + dma_addr_t out_data;
1362 + * details Structure for securekey descriptor creation.
1363 + * param[in] req_type operation supported.
1364 + * param[in] dma_u union of struct for supported operation.
1369 + struct redblob_encap_desc redblob_encapdesc;
1370 + struct redblob_decap_desc redblob_decapdesc;
1371 + struct random_desc random_descp;
1375 +/* struct sk_fetch_rnd_data
1376 + * decriptor structure containing key length.
1378 +struct sk_fetch_rnd_data {
1383 +/* struct sk_red_blob_encap
1384 + * details Structure containing buffer pointers for redblob encapsulation.
1385 + * param[in] data Input data.
1386 + * param[in] data_sz size of Input data.
1387 + * param[out] redblob output buffer for redblob.
1388 + * param[in] redblob_sz size of redblob.
1390 +struct sk_red_blob_encap {
1394 + uint32_t redblob_sz;
1397 +/* struct sk_red_blob_decap
1398 + * details Structure containing buffer pointers for redblob decapsulation.
1399 + * param[in] redblob Input redblob.
1400 + * param[in] redblob_sz size of redblob.
1401 + * param[out] data output buffer for data.
1402 + * param[in] data_sz size of output data.
1404 +struct sk_red_blob_decap {
1406 + uint32_t redblob_sz;
1412 + * details Structure for securekey request creation.
1413 + * param[in] type operation supported.
1414 + * param[in] req_u union of struct for supported operation.
1415 + * param[out] ret return status of CAAM operation.
1416 + * param[in] mem_pointer memory pointer for allocated kernel memory.
1417 + * param[in] desc_pointer Pointer to securekey descriptor creation structure.
1418 + * param[in] comp struct completion object.
1419 + * param[in] hwdesc contains descriptor instructions.
1422 + enum sk_req_type type;
1425 + struct sk_red_blob_encap sk_red_blob_encap;
1426 + struct sk_red_blob_decap sk_red_blob_decap;
1427 + struct sk_fetch_rnd_data sk_fetch_rnd_data;
1430 + void *mem_pointer;
1431 + void *desc_pointer;
1432 + struct completion comp;
1433 + u32 hwdesc[MAX_CAAM_DESCSIZE];
1436 +int caam_get_random(struct secure_key_payload *p, enum sk_req_type fetch_rnd,
1437 + struct device *dev);
1438 +int key_blob(struct secure_key_payload *p, enum sk_req_type encap_type,
1439 + struct device *dev);
1440 +int key_deblob(struct secure_key_payload *p, enum sk_req_type decap_type,
1441 + struct device *dev);
1443 +#endif /*_SECUREKEY_DESC_H_*/