[PATCH] imx: ele_ahab: Add HUK derivation support

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mathieu Othacehe <othacehe@gnu.org>
To: Stefano Babic <sbabic@denx.de>,
	Fabio Estevam <festevam@gmail.com>, Tom Rini <trini@konsulko.com>,
	Sean Anderson <seanga2@gmail.com>
Cc: "NXP i . MX U-Boot Team" <uboot-imx@nxp.com>,
	u-boot@lists.denx.de, Mathieu Othacehe <othacehe@gnu.org>
Subject: [PATCH] imx: ele_ahab: Add HUK derivation support
Date: Tue, 13 Aug 2024 08:32:43 +0200	[thread overview]
Message-ID: <20240813063243.24249-1-othacehe@gnu.org> (raw)

Add a new ahab_derive command that derives the hardware unique key (HUK)
into a 16 or 32 bytes key and stores it at the given address.

Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
---
 arch/arm/include/asm/mach-imx/ele_api.h |  2 +
 arch/arm/mach-imx/ele_ahab.c            | 31 +++++++++++
 drivers/misc/imx_ele/ele_api.c          | 73 +++++++++++++++++++++++++
 3 files changed, 106 insertions(+)

diff --git a/arch/arm/include/asm/mach-imx/ele_api.h b/arch/arm/include/asm/mach-imx/ele_api.h
index a29b849d903..490292ab023 100644
--- a/arch/arm/include/asm/mach-imx/ele_api.h
+++ b/arch/arm/include/asm/mach-imx/ele_api.h
@@ -26,6 +26,7 @@
 #define ELE_GET_EVENTS_REQ (0xA2)
 #define ELE_COMMIT_REQ (0xA8)
 #define ELE_START_RNG (0xA3)
+#define ELE_CMD_DERIVE_KEY (0xA9)
 #define ELE_GENERATE_DEK_BLOB (0xAF)
 #define ELE_ENABLE_PATCH_REQ (0xC3)
 #define ELE_RELEASE_RDC_REQ (0xC4)
@@ -143,6 +144,7 @@ int ele_read_common_fuse(u16 fuse_id, u32 *fuse_words, u32 fuse_num, u32 *respon
 int ele_release_caam(u32 core_did, u32 *response);
 int ele_get_fw_version(u32 *fw_version, u32 *sha1, u32 *response);
 int ele_get_events(u32 *events, u32 *events_cnt, u32 *response);
+int ele_derive_huk(u8 *key, size_t key_size, u8 *ctx);
 int ele_commit(u16 fuse_id, u32 *response, u32 *info_type);
 int ele_generate_dek_blob(u32 key_id, u32 src_paddr, u32 dst_paddr, u32 max_output_size);
 int ele_dump_buffer(u32 *buffer, u32 buffer_length);
diff --git a/arch/arm/mach-imx/ele_ahab.c b/arch/arm/mach-imx/ele_ahab.c
index d02316ed6cb..e1946467468 100644
--- a/arch/arm/mach-imx/ele_ahab.c
+++ b/arch/arm/mach-imx/ele_ahab.c
@@ -625,6 +625,31 @@ static int do_ahab_return_lifecycle(struct cmd_tbl *cmdtp, int flag, int argc, c
 	return CMD_RET_SUCCESS;
 }
 
+static int do_ahab_derive(struct cmd_tbl *cmdtp, int flag, int argc,
+			  char *const argv[])
+{
+	ulong key;
+	size_t key_size;
+	char *seed = "_ELE_AHAB_SEED_";
+
+	if (argc != 3)
+		return CMD_RET_USAGE;
+
+	key = hextoul(argv[1], NULL);
+	key_size = simple_strtoul(argv[2], NULL, 10);
+	if (key_size != 16 && key_size != 32) {
+		printf("key size can only be 16 or 32\n");
+		return CMD_RET_FAILURE;
+	}
+
+	if (ele_derive_huk((u8 *)key, key_size, seed)) {
+		printf("Error in AHAB derive\n");
+		return CMD_RET_FAILURE;
+	}
+
+	return CMD_RET_SUCCESS;
+}
+
 static int do_ahab_commit(struct cmd_tbl *cmdtp, int flag, int argc,
 			  char *const argv[])
 {
@@ -681,6 +706,12 @@ U_BOOT_CMD(ahab_return_lifecycle, CONFIG_SYS_MAXARGS, 1, do_ahab_return_lifecycl
 	   "addr - Return lifecycle message block signed by OEM SRK\n"
 );
 
+U_BOOT_CMD(ahab_derive, CONFIG_SYS_MAXARGS, 3, do_ahab_derive,
+	   "Derive the hardware unique key",
+	   "addr [16|32]\n"
+	   "Store at addr the derivation of the HUK on 16 or 32 bytes.\n"
+);
+
 U_BOOT_CMD(ahab_commit, CONFIG_SYS_MAXARGS, 1, do_ahab_commit,
 	   "commit into the fuses any new SRK revocation and FW version information\n"
 	   "that have been found into the NXP (ELE FW) and OEM containers",
diff --git a/drivers/misc/imx_ele/ele_api.c b/drivers/misc/imx_ele/ele_api.c
index e0ec22c7abf..0eaf51e31c8 100644
--- a/drivers/misc/imx_ele/ele_api.c
+++ b/drivers/misc/imx_ele/ele_api.c
@@ -1,12 +1,14 @@
 // SPDX-License-Identifier: GPL-2.0
 /*
  * Copyright 2020, 2023 NXP
+ * Copyright 2024 Mathieu Othacehe <othacehe@gnu.org>
  *
  */
 
 #include <common.h>
 #include <hang.h>
 #include <malloc.h>
+#include <memalign.h>
 #include <asm/io.h>
 #include <dm.h>
 #include <asm/mach-imx/ele_api.h>
@@ -528,6 +530,77 @@ int ele_start_rng(void)
 	return ret;
 }
 
+int ele_derive_huk(u8 *key, size_t key_size, u8 *seed)
+{
+	struct udevice *dev = gd->arch.ele_dev;
+	struct ele_msg msg;
+	int msg_size = sizeof(struct ele_msg);
+	const size_t seed_size = 16;
+	u8 *seed_aligned, *key_aligned;
+	int ret, size;
+
+	if (!dev) {
+		printf("ele dev is not initialized\n");
+		return -ENODEV;
+	}
+
+	if (key_size != 16 && key_size != 32) {
+		printf("key size can only be 16 or 32\n");
+		return -EINVAL;
+	}
+
+	seed_aligned = memalign(ARCH_DMA_MINALIGN, seed_size);
+	if (!seed_aligned) {
+		printf("failed to alloc memory\n");
+		return -EINVAL;
+	}
+	memcpy(seed_aligned, seed, seed_size);
+
+	key_aligned = memalign(ARCH_DMA_MINALIGN, key_size);
+	if (!key_aligned) {
+		printf("failed to alloc memory\n");
+		ret = -EINVAL;
+		goto ret_seed;
+	}
+
+	size = ALIGN(seed_size, ARCH_DMA_MINALIGN);
+	flush_dcache_range((ulong)seed_aligned,
+			   (ulong)seed_aligned + size);
+
+	size = ALIGN(key_size, ARCH_DMA_MINALIGN);
+	invalidate_dcache_range((ulong)key_aligned,
+				(ulong)key_aligned + size);
+
+	msg.version = ELE_VERSION;
+	msg.tag = ELE_CMD_TAG;
+	msg.size = 7;
+	msg.command = ELE_CMD_DERIVE_KEY;
+	msg.data[0] = upper_32_bits((ulong)key_aligned);
+	msg.data[1] = lower_32_bits((ulong)key_aligned);
+	msg.data[2] = upper_32_bits((ulong)seed_aligned);
+	msg.data[3] = lower_32_bits((ulong)seed_aligned);
+	msg.data[4] = seed_size << 16 | key_size;
+	msg.data[5] = compute_crc(&msg);
+
+	ret = misc_call(dev, false, &msg, msg_size, &msg, msg_size);
+	if (ret) {
+		printf("Error: %s: ret %d, response 0x%x\n",
+		       __func__, ret, msg.data[0]);
+		goto ret_key;
+	}
+
+	invalidate_dcache_range((ulong)key_aligned,
+				(ulong)key_aligned + size);
+	memcpy(key, key_aligned, key_size);
+
+ret_key:
+	free(key_aligned);
+ret_seed:
+	free(seed_aligned);
+
+	return ret;
+}
+
 int ele_commit(u16 fuse_id, u32 *response, u32 *info_type)
 {
 	struct udevice *dev = gd->arch.ele_dev;
-- 
2.45.2

next             reply	other threads:[~2024-08-13  6:32 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-08-13  6:32 Mathieu Othacehe [this message]
2024-08-16 10:49 ` [PATCH] imx: ele_ahab: Add HUK derivation support Fabio Estevam
2024-08-16 11:11 ` Ye Li
2024-08-20  7:35   ` Mathieu Othacehe

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:a29b849d90 dfblob:490292ab02 dfblob:d02316ed6c
dfblob:e194646746 dfblob:e0ec22c7ab dfblob:0eaf51e31c )
 OR (
bs:"[PATCH] imx: ele_ahab: Add HUK derivation support" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240813063243.24249-1-othacehe@gnu.org \
    --to=othacehe@gnu.org \
    --cc=festevam@gmail.com \
    --cc=sbabic@denx.de \
    --cc=seanga2@gmail.com \
    --cc=trini@konsulko.com \
    --cc=u-boot@lists.denx.de \
    --cc=uboot-imx@nxp.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.