007c3ff11f
The NXP Cryptographic Acceleration and Assurance Module (CAAM) can be used to protect user-defined data across system reboot: - When the system is fused and boots into secure state, the master key is a unique never-disclosed device-specific key - random key is encrypted by key derived from master key - data is encrypted using the random key - encrypted data and its encrypted random key are stored alongside - This blob can now be safely stored in non-volatile memory On next power-on: - blob is loaded into CAAM - CAAM writes decrypted data either into memory or key register Add functions to realize encrypting and decrypting into memory alongside the CAAM driver. They will be used in a later commit as a source for the trusted key seal/unseal mechanism. Reviewed-by: David Gstir <david@sigma-star.at> Reviewed-by: Pankaj Gupta <pankaj.gupta@nxp.com> Tested-by: Tim Harvey <tharvey@gateworks.com> Tested-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com> Tested-by: Pankaj Gupta <pankaj.gupta@nxp.com> Tested-by: Michael Walle <michael@walle.cc> # on ls1028a (non-E and E) Tested-by: John Ernberg <john.ernberg@actia.se> # iMX8QXP Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
104 lines
2.9 KiB
C
104 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* Copyright (C) 2020 Pengutronix, Ahmad Fatoum <kernel@pengutronix.de>
|
|
*/
|
|
|
|
#ifndef __CAAM_BLOB_GEN
|
|
#define __CAAM_BLOB_GEN
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/errno.h>
|
|
|
|
#define CAAM_BLOB_KEYMOD_LENGTH 16
|
|
#define CAAM_BLOB_OVERHEAD (32 + 16)
|
|
#define CAAM_BLOB_MAX_LEN 4096
|
|
|
|
struct caam_blob_priv;
|
|
|
|
/**
|
|
* struct caam_blob_info - information for CAAM blobbing
|
|
* @input: pointer to input buffer (must be DMAable)
|
|
* @input_len: length of @input buffer in bytes.
|
|
* @output: pointer to output buffer (must be DMAable)
|
|
* @output_len: length of @output buffer in bytes.
|
|
* @key_mod: key modifier
|
|
* @key_mod_len: length of @key_mod in bytes.
|
|
* May not exceed %CAAM_BLOB_KEYMOD_LENGTH
|
|
*/
|
|
struct caam_blob_info {
|
|
void *input;
|
|
size_t input_len;
|
|
|
|
void *output;
|
|
size_t output_len;
|
|
|
|
const void *key_mod;
|
|
size_t key_mod_len;
|
|
};
|
|
|
|
/**
|
|
* caam_blob_gen_init - initialize blob generation
|
|
* Return: pointer to new &struct caam_blob_priv instance on success
|
|
* and ``ERR_PTR(-ENODEV)`` if CAAM has no hardware blobbing support
|
|
* or no job ring could be allocated.
|
|
*/
|
|
struct caam_blob_priv *caam_blob_gen_init(void);
|
|
|
|
/**
|
|
* caam_blob_gen_exit - free blob generation resources
|
|
* @priv: instance returned by caam_blob_gen_init()
|
|
*/
|
|
void caam_blob_gen_exit(struct caam_blob_priv *priv);
|
|
|
|
/**
|
|
* caam_process_blob - encapsulate or decapsulate blob
|
|
* @priv: instance returned by caam_blob_gen_init()
|
|
* @info: pointer to blobbing info describing key, blob and
|
|
* key modifier buffers.
|
|
* @encap: true for encapsulation, false for decapsulation
|
|
*
|
|
* Return: %0 and sets ``info->output_len`` on success and a negative
|
|
* error code otherwise.
|
|
*/
|
|
int caam_process_blob(struct caam_blob_priv *priv,
|
|
struct caam_blob_info *info, bool encap);
|
|
|
|
/**
|
|
* caam_encap_blob - encapsulate blob
|
|
* @priv: instance returned by caam_blob_gen_init()
|
|
* @info: pointer to blobbing info describing input key,
|
|
* output blob and key modifier buffers.
|
|
*
|
|
* Return: %0 and sets ``info->output_len`` on success and
|
|
* a negative error code otherwise.
|
|
*/
|
|
static inline int caam_encap_blob(struct caam_blob_priv *priv,
|
|
struct caam_blob_info *info)
|
|
{
|
|
if (info->output_len < info->input_len + CAAM_BLOB_OVERHEAD)
|
|
return -EINVAL;
|
|
|
|
return caam_process_blob(priv, info, true);
|
|
}
|
|
|
|
/**
|
|
* caam_decap_blob - decapsulate blob
|
|
* @priv: instance returned by caam_blob_gen_init()
|
|
* @info: pointer to blobbing info describing output key,
|
|
* input blob and key modifier buffers.
|
|
*
|
|
* Return: %0 and sets ``info->output_len`` on success and
|
|
* a negative error code otherwise.
|
|
*/
|
|
static inline int caam_decap_blob(struct caam_blob_priv *priv,
|
|
struct caam_blob_info *info)
|
|
{
|
|
if (info->input_len < CAAM_BLOB_OVERHEAD ||
|
|
info->output_len < info->input_len - CAAM_BLOB_OVERHEAD)
|
|
return -EINVAL;
|
|
|
|
return caam_process_blob(priv, info, false);
|
|
}
|
|
|
|
#endif
|