* [U-Boot] [PATCH 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support
2013-03-28 10:46 [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Ruchika Gupta
@ 2013-03-28 10:46 ` Ruchika Gupta
2013-05-22 19:47 ` Andy Fleming
2013-08-19 23:07 ` [U-Boot] [U-Boot, " York Sun
2013-03-28 10:46 ` [U-Boot] [PATCH 2/5] powerpc/pamu : PAMU configuration for accessing SEC block Ruchika Gupta
` (4 subsequent siblings)
5 siblings, 2 replies; 13+ messages in thread
From: Ruchika Gupta @ 2013-03-28 10:46 UTC (permalink / raw)
To: u-boot
PAMU driver basic support for usage in Secure Boot.
In secure boot PAMU is not in bypass mode. Hence to use
any peripheral (SEC Job ring in our case), PAMU has to be
configured.
The Header file fsl_pamu.h and few functions in driver have been derived
from Freescale Libos.
Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
---
Based upon git://git.denx.de/u-boot.git branch master
arch/powerpc/cpu/mpc8xxx/Makefile | 3 +-
arch/powerpc/cpu/mpc8xxx/fsl_pamu.c | 488 +++++++++++++++++++++++++++++++++
arch/powerpc/include/asm/fsl_pamu.h | 193 +++++++++++++
arch/powerpc/include/asm/immap_85xx.h | 18 ++
4 files changed, 701 insertions(+), 1 deletions(-)
create mode 100644 arch/powerpc/cpu/mpc8xxx/fsl_pamu.c
create mode 100644 arch/powerpc/include/asm/fsl_pamu.h
diff --git a/arch/powerpc/cpu/mpc8xxx/Makefile b/arch/powerpc/cpu/mpc8xxx/Makefile
index 3dc8e05..097599e 100644
--- a/arch/powerpc/cpu/mpc8xxx/Makefile
+++ b/arch/powerpc/cpu/mpc8xxx/Makefile
@@ -1,5 +1,5 @@
#
-# Copyright 2009-2010 Freescale Semiconductor, Inc.
+# Copyright 2009-2010, 2012 Freescale Semiconductor, Inc.
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
@@ -33,6 +33,7 @@ COBJS-$(CONFIG_FSL_IFC) += fsl_ifc.o
COBJS-$(CONFIG_FSL_LBC) += fsl_lbc.o
COBJS-$(CONFIG_SYS_SRIO) += srio.o
COBJS-$(CONFIG_FSL_LAW) += law.o
+COBJS-$(CONFIG_FSL_CORENET) += fsl_pamu.o
endif
diff --git a/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c b/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c
new file mode 100644
index 0000000..bdbec07
--- /dev/null
+++ b/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c
@@ -0,0 +1,488 @@
+/*
+ * FSL PAMU driver
+ *
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Few functions in this file have been picked up from Freescale LibOS library
+ */
+
+#include <common.h>
+#include <malloc.h>
+#include <asm/fsl_pamu.h>
+
+paace_t *ppaact;
+paace_t *sec;
+
+static inline int __ilog2_roundup_64(uint64_t val)
+{
+
+ if ((val & (val - 1)) == 0)
+ return __ilog2_u64(val);
+ else
+ return __ilog2_u64(val) + 1;
+}
+
+
+static inline int count_lsb_zeroes(unsigned long val)
+{
+ return ffs(val) - 1;
+}
+
+static unsigned int map_addrspace_size_to_wse(uint64_t addrspace_size)
+{
+ /* window size is 2^(WSE+1) bytes */
+ return count_lsb_zeroes(addrspace_size >> PAMU_PAGE_SHIFT) +
+ PAMU_PAGE_SHIFT - 1;
+}
+
+static unsigned int map_subwindow_cnt_to_wce(uint32_t subwindow_cnt)
+{
+ /* window count is 2^(WCE+1) bytes */
+ return count_lsb_zeroes(subwindow_cnt) - 1;
+}
+
+static void pamu_setup_default_xfer_to_host_ppaace(paace_t *ppaace)
+{
+ set_bf(ppaace->addr_bitfields, PAACE_AF_PT, PAACE_PT_PRIMARY);
+ set_bf(ppaace->domain_attr.to_host.coherency_required, PAACE_DA_HOST_CR,
+ PAACE_M_COHERENCE_REQ);
+}
+
+static void pamu_setup_default_xfer_to_host_spaace(paace_t *spaace)
+{
+ set_bf(spaace->addr_bitfields, PAACE_AF_PT, PAACE_PT_SECONDARY);
+ set_bf(spaace->domain_attr.to_host.coherency_required, PAACE_DA_HOST_CR,
+ PAACE_M_COHERENCE_REQ);
+}
+
+static unsigned long get_fspi(void)
+{
+ static int i;
+ unsigned long fspi = i * DEFAULT_NUM_SUBWINDOWS;
+ i++;
+ return fspi;
+}
+
+
+/** Sets up PPAACE entry for specified liodn
+ *
+ * @param[in] liodn Logical IO device number
+ * @param[in] win_addr starting address of DSA window
+ * @param[in] win-size size of DSA window
+ * @param[in] omi Operation mapping index -- if ~omi == 0 then omi
+ not defined
+ * @param[in] stashid cache stash id for associated cpu -- if ~stashid == 0
+ then stashid not defined
+ * @param[in] snoopid snoop id for hardware coherency -- if ~snoopid == 0
+ then snoopid not defined
+ * @param[in] subwin_cnt number of sub-windows
+ *
+ * @return Returns 0 upon success else error code < 0 returned
+ */
+static int pamu_config_ppaace(uint32_t liodn, uint64_t win_addr,
+ uint64_t win_size, uint32_t omi,
+ uint32_t snoopid, uint32_t stashid,
+ uint32_t subwin_cnt)
+{
+ unsigned long fspi;
+ paace_t *ppaace;
+
+ if ((win_size & (win_size - 1)) || win_size < PAMU_PAGE_SIZE)
+ return -1;
+
+ if (win_addr & (win_size - 1))
+ return -2;
+
+ if (liodn > NUM_PPAACT_ENTRIES) {
+ printf("Entries in PPACT not sufficient\n");
+ return -3;
+ }
+
+ ppaace = &ppaact[liodn];
+
+ /* window size is 2^(WSE+1) bytes */
+ set_bf(ppaace->addr_bitfields, PPAACE_AF_WSE,
+ map_addrspace_size_to_wse(win_size));
+
+ pamu_setup_default_xfer_to_host_ppaace(ppaace);
+
+ if (sizeof(phys_addr_t) > 4)
+ ppaace->wbah = (u64)win_addr >> (PAMU_PAGE_SHIFT + 20);
+ else
+ ppaace->wbah = 0;
+
+ set_bf(ppaace->addr_bitfields, PPAACE_AF_WBAL,
+ (win_addr >> PAMU_PAGE_SHIFT));
+
+ /* set up operation mapping if it's configured */
+ if (omi < OME_NUMBER_ENTRIES) {
+ set_bf(ppaace->impl_attr, PAACE_IA_OTM, PAACE_OTM_INDEXED);
+ ppaace->op_encode.index_ot.omi = omi;
+ } else if (~omi != 0)
+ return -3;
+
+ /* configure stash id */
+ if (~stashid != 0)
+ set_bf(ppaace->impl_attr, PAACE_IA_CID, stashid);
+
+ /* configure snoop id */
+ if (~snoopid != 0)
+ ppaace->domain_attr.to_host.snpid = snoopid;
+
+ if (subwin_cnt) {
+ /* We have a single SPAACE for 1 LIODN. So index would
+ be always 0 */
+ fspi = get_fspi();
+
+ /* window count is 2^(WCE+1) bytes */
+ set_bf(ppaace->impl_attr, PAACE_IA_WCE,
+ map_subwindow_cnt_to_wce(subwin_cnt));
+ set_bf(ppaace->addr_bitfields, PPAACE_AF_MW, 0x1);
+ ppaace->fspi = fspi;
+ } else
+ set_bf(ppaace->addr_bitfields, PAACE_AF_AP, PAACE_AP_PERMS_ALL);
+
+ asm volatile("sync" : : : "memory");
+ /* Mark the ppace entry valid */
+ ppaace->addr_bitfields |= PAACE_V_VALID;
+ asm volatile("sync" : : : "memory");
+
+ return 0;
+}
+
+static int pamu_config_spaace(uint32_t liodn,
+ uint64_t subwin_size, uint64_t subwin_addr, uint64_t size,
+ uint32_t omi, uint32_t snoopid, uint32_t stashid)
+{
+ paace_t *paace;
+ unsigned long fspi;
+ /* Align start addr of subwin to subwindoe size */
+ uint64_t sec_addr = subwin_addr & ~(subwin_size - 1);
+ uint64_t end_addr = subwin_addr + size;
+ int size_shift = __ilog2_u64(subwin_size);
+ uint64_t win_size = 0;
+ uint32_t index, swse;
+
+ /* Recalculate the size */
+ size = end_addr - sec_addr;
+
+ if (!subwin_size)
+ return -1;
+
+ if (liodn > NUM_PPAACT_ENTRIES) {
+ printf("LIODN Number to be programmed %d"
+ "greater than number of PPAACT entries %d\n",
+ liodn, NUM_PPAACT_ENTRIES);
+ return -1;
+ }
+
+ while (sec_addr < end_addr) {
+#ifdef DEBUG
+ printf("sec_addr < end_addr is %llx < %llx\n", sec_addr,
+ end_addr);
+#endif
+ paace = &ppaact[liodn];
+ if (!paace)
+ return -1;
+
+ fspi = paace->fspi;
+
+ /* Calculating the win_size here as if we map in index 0,
+ paace entry woudl need to be programmed for SWSE */
+ win_size = end_addr - sec_addr;
+ win_size = 1 << __ilog2_roundup_64(win_size);
+
+ if (win_size > subwin_size)
+ win_size = subwin_size;
+ else if (win_size < PAMU_PAGE_SIZE)
+ win_size = PAMU_PAGE_SIZE;
+
+#ifdef DEBUG
+ printf("win_size is %x\n", win_size);
+#endif
+
+ swse = map_addrspace_size_to_wse(win_size);
+ index = fspi + (sec_addr >> size_shift);
+
+ if (index == 0 || (index % DEFAULT_NUM_SUBWINDOWS) == 0) {
+ set_bf(paace->win_bitfields, PAACE_WIN_SWSE, swse);
+ set_bf(paace->addr_bitfields, PAACE_AF_AP,
+ PAACE_AP_PERMS_ALL);
+ sec_addr += subwin_size;
+ continue;
+ }
+
+ paace = sec + index - 1;
+
+#ifdef DEBUG
+ printf("SPAACT:Writing at location %p, index %d\n", paace,
+ index);
+#endif
+
+ pamu_setup_default_xfer_to_host_spaace(paace);
+ set_bf(paace->addr_bitfields, SPAACE_AF_LIODN, liodn);
+ set_bf(paace->addr_bitfields, PAACE_AF_AP, PAACE_AP_PERMS_ALL);
+
+ /* configure snoop id */
+ if (~snoopid != 0)
+ paace->domain_attr.to_host.snpid = snoopid;
+
+ if (paace->addr_bitfields & PAACE_V_VALID) {
+#ifdef DEBUG
+ printf("Reached overlap condition\n");
+ printf("%d < %d\n", get_bf(paace->win_bitfields,
+ PAACE_WIN_SWSE), swse);
+#endif
+ if (get_bf(paace->win_bitfields, PAACE_WIN_SWSE) < swse)
+ set_bf(paace->win_bitfields, PAACE_WIN_SWSE,
+ swse);
+ } else
+ set_bf(paace->win_bitfields, PAACE_WIN_SWSE, swse);
+
+ paace->addr_bitfields |= PAACE_V_VALID;
+ sec_addr += subwin_size;
+ }
+
+ return 0;
+}
+
+int pamu_init(void)
+{
+ u32 base_addr = CONFIG_SYS_PAMU_ADDR;
+ ccsr_pamu_t *regs;
+ u32 i = 0;
+ u64 ppaact_phys, ppaact_lim, ppaact_size;
+ u64 spaact_phys, spaact_lim, spaact_size;
+
+ ppaact_size = sizeof(paace_t) * NUM_PPAACT_ENTRIES;
+ spaact_size = sizeof(paace_t) * NUM_SPAACT_ENTRIES;
+
+ /* Allocate space for Primary PAACT Table */
+ ppaact = memalign(PAMU_TABLE_ALIGNMENT, ppaact_size);
+ if (!ppaact)
+ return -1;
+ memset(ppaact, 0, ppaact_size);
+
+ /* Allocate space for Secondary PAACT Table */
+ sec = memalign(PAMU_TABLE_ALIGNMENT, spaact_size);
+ if (!sec)
+ return -1;
+ memset(sec, 0, spaact_size);
+
+ ppaact_phys = virt_to_phys((void *)ppaact);
+ ppaact_lim = ppaact_phys + ppaact_size;
+
+ spaact_phys = (uint64_t)virt_to_phys((void *)sec);
+ spaact_lim = spaact_phys + spaact_size;
+
+ /* Configure all PAMU's */
+ for (i = 0; i < CONFIG_NUM_PAMU; i++) {
+ regs = (ccsr_pamu_t *)base_addr;
+
+ out_be32(®s->ppbah, ppaact_phys >> 32);
+ out_be32(®s->ppbal, (uint32_t)ppaact_phys);
+
+ out_be32(®s->pplah, (ppaact_lim) >> 32);
+ out_be32(®s->pplal, (uint32_t)ppaact_lim);
+
+ if (sec != NULL) {
+ out_be32(®s->spbah, spaact_phys >> 32);
+ out_be32(®s->spbal, (uint32_t)spaact_phys);
+ out_be32(®s->splah, spaact_lim >> 32);
+ out_be32(®s->splal, (uint32_t)spaact_lim);
+ }
+ asm volatile("sync" : : : "memory");
+
+ base_addr += PAMU_OFFSET;
+ }
+
+ return 0;
+}
+
+void pamu_enable(void)
+{
+ u32 i = 0;
+ u32 base_addr = CONFIG_SYS_PAMU_ADDR;
+ for (i = 0; i < CONFIG_NUM_PAMU; i++) {
+ setbits_be32((void *)base_addr + PAMU_PCR_OFFSET,
+ PAMU_PCR_PE);
+ asm volatile("sync" : : : "memory");
+ base_addr += PAMU_OFFSET;
+ }
+}
+
+void pamu_reset(void)
+{
+ u32 i = 0;
+ u32 base_addr = CONFIG_SYS_PAMU_ADDR;
+ ccsr_pamu_t *regs;
+
+ for (i = 0; i < CONFIG_NUM_PAMU; i++) {
+ regs = (ccsr_pamu_t *)base_addr;
+ /* Clear PPAACT Base register */
+ out_be32(®s->ppbah, 0);
+ out_be32(®s->ppbal, 0);
+ out_be32(®s->pplah, 0);
+ out_be32(®s->pplal, 0);
+ out_be32(®s->spbah, 0);
+ out_be32(®s->spbal, 0);
+ out_be32(®s->splah, 0);
+ out_be32(®s->splal, 0);
+
+ clrbits_be32((void *)regs + PAMU_PCR_OFFSET, PAMU_PCR_PE);
+ asm volatile("sync" : : : "memory");
+ base_addr += PAMU_OFFSET;
+ }
+}
+
+void pamu_disable(void)
+{
+ u32 i = 0;
+ u32 base_addr = CONFIG_SYS_PAMU_ADDR;
+
+
+ for (i = 0; i < CONFIG_NUM_PAMU; i++) {
+ clrbits_be32((void *)base_addr + PAMU_PCR_OFFSET, PAMU_PCR_PE);
+ asm volatile("sync" : : : "memory");
+ base_addr += PAMU_OFFSET;
+ }
+}
+
+
+static uint64_t find_max(uint64_t arr[], int num)
+{
+ int i = 0;
+ int max = 0;
+ for (i = 1 ; i < num; i++)
+ if (arr[max] < arr[i])
+ max = i;
+
+ return arr[max];
+}
+
+static uint64_t find_min(uint64_t arr[], int num)
+{
+ int i = 0;
+ int min = 0;
+ for (i = 1 ; i < num; i++)
+ if (arr[min] > arr[i])
+ min = i;
+
+ return arr[min];
+}
+
+static uint32_t get_win_cnt(uint64_t size)
+{
+ uint32_t win_cnt = DEFAULT_NUM_SUBWINDOWS;
+
+ while (win_cnt && (size/win_cnt) < PAMU_PAGE_SIZE)
+ win_cnt >>= 1;
+
+ return win_cnt;
+}
+
+int config_pamu(struct pamu_addr_tbl *tbl, int num_entries, uint32_t liodn)
+{
+ int i = 0;
+ int ret = 0;
+ uint32_t num_sec_windows = 0;
+ uint32_t num_windows = 0;
+ uint64_t min_addr, max_addr;
+ uint64_t size;
+ uint64_t subwin_size;
+ int sizebit;
+
+ min_addr = find_min(tbl->start_addr, num_entries);
+ max_addr = find_max(tbl->end_addr, num_entries);
+ size = max_addr - min_addr + 1;
+
+ if (!size)
+ return -1;
+
+ sizebit = __ilog2_roundup_64(size);
+ size = 1 << sizebit;
+#ifdef DEBUG
+ printf("min start_addr is %llx\n", min_addr);
+ printf("max end_addr is %llx\n", max_addr);
+ printf("size found is %llx\n", size);
+#endif
+
+ if (size < PAMU_PAGE_SIZE)
+ size = PAMU_PAGE_SIZE;
+
+ while (1) {
+ min_addr = min_addr & ~(size - 1);
+ if (min_addr + size > max_addr)
+ break;
+ size <<= 1;
+ if (!size)
+ return -1;
+ }
+#ifdef DEBUG
+ printf("PAACT :Base addr is %llx\n", min_addr);
+ printf("PAACT : Size is %llx\n", size);
+#endif
+ num_windows = get_win_cnt(size);
+ /* For a single window, no spaact entries are required
+ * sec_sub_window count = 0 */
+ if (num_windows > 1)
+ num_sec_windows = num_windows;
+ else
+ num_sec_windows = 0;
+
+ ret = pamu_config_ppaace(liodn, min_addr,
+ size , -1, -1, -1, num_sec_windows);
+
+ if (ret < 0)
+ return ret;
+
+#ifdef DEBUG
+ printf("configured ppace\n");
+#endif
+
+ if (num_sec_windows) {
+ subwin_size = size >> count_lsb_zeroes(num_sec_windows);
+#ifdef DEBUG
+ printf("subwin_size is %llx\n", subwin_size);
+#endif
+
+ for (i = 0; i < num_entries; i++) {
+ ret = pamu_config_spaace(liodn,
+ subwin_size, tbl->start_addr[i] - min_addr,
+ tbl->size[i], -1, -1, -1);
+
+ if (ret < 0)
+ return ret;
+ }
+ }
+
+ return ret;
+}
diff --git a/arch/powerpc/include/asm/fsl_pamu.h b/arch/powerpc/include/asm/fsl_pamu.h
new file mode 100644
index 0000000..e2cfe97
--- /dev/null
+++ b/arch/powerpc/include/asm/fsl_pamu.h
@@ -0,0 +1,193 @@
+/* Copyright (c) 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __PAMU_H
+#define __PAMU_H
+
+#define CONFIG_NUM_PAMU 16
+#define NUM_PPAACT_ENTRIES 512
+#define NUM_SPAACT_ENTRIES 128
+
+/* PAMU_OFFSET to the next pamu space in ccsr */
+#define PAMU_OFFSET 0x1000
+
+#define PAMU_TABLE_ALIGNMENT 0x00001000
+
+#define PAMU_PAGE_SHIFT 12
+#define PAMU_PAGE_SIZE 4096U
+
+#define PAACE_M_COHERENCE_REQ 0x01
+
+#define PAACE_DA_HOST_CR 0x80
+#define PAACE_DA_HOST_CR_SHIFT 7
+
+#define PAACE_AF_PT 0x00000002
+#define PAACE_AF_PT_SHIFT 1
+
+#define PAACE_PT_PRIMARY 0x0
+#define PAACE_PT_SECONDARY 0x1
+
+#define PPAACE_AF_WBAL 0xfffff000
+#define PPAACE_AF_WBAL_SHIFT 12
+
+#define OME_NUMBER_ENTRIES 16 /* based on P4080 2.0 silicon plan */
+
+#define PAACE_IA_CID 0x00FF0000
+#define PAACE_IA_CID_SHIFT 16
+#define PAACE_IA_WCE 0x000000F0
+#define PAACE_IA_WCE_SHIFT 4
+#define PAACE_IA_ATM 0x0000000C
+#define PAACE_IA_ATM_SHIFT 2
+#define PAACE_IA_OTM 0x00000003
+#define PAACE_IA_OTM_SHIFT 0
+
+#define PAACE_OTM_NO_XLATE 0x00
+#define PAACE_OTM_IMMEDIATE 0x01
+#define PAACE_OTM_INDEXED 0x02
+#define PAACE_OTM_RESERVED 0x03
+#define PAACE_ATM_NO_XLATE 0x00
+#define PAACE_ATM_WINDOW_XLATE 0x01
+#define PAACE_ATM_PAGE_XLATE 0x02
+#define PAACE_ATM_WIN_PG_XLATE \
+ (PAACE_ATM_WINDOW_XLATE | PAACE_ATM_PAGE_XLATE)
+#define PAACE_WIN_TWBAL 0xfffff000
+#define PAACE_WIN_TWBAL_SHIFT 12
+#define PAACE_WIN_SWSE 0x00000fc0
+#define PAACE_WIN_SWSE_SHIFT 6
+
+#define PAACE_AF_AP 0x00000018
+#define PAACE_AF_AP_SHIFT 3
+#define PAACE_AF_DD 0x00000004
+#define PAACE_AF_DD_SHIFT 2
+#define PAACE_AF_PT 0x00000002
+#define PAACE_AF_PT_SHIFT 1
+#define PAACE_AF_V 0x00000001
+#define PAACE_AF_V_SHIFT 0
+#define PPAACE_AF_WSE 0x00000fc0
+#define PPAACE_AF_WSE_SHIFT 6
+#define PPAACE_AF_MW 0x00000020
+#define PPAACE_AF_MW_SHIFT 5
+
+#define PAACE_AP_PERMS_DENIED 0x0
+#define PAACE_AP_PERMS_QUERY 0x1
+#define PAACE_AP_PERMS_UPDATE 0x2
+#define PAACE_AP_PERMS_ALL 0x3
+
+#define SPAACE_AF_LIODN 0xffff0000
+#define SPAACE_AF_LIODN_SHIFT 16
+#define PAACE_V_VALID 0x1
+
+#define set_bf(v, m, x) (v = ((v) & ~(m)) | (((x) << \
+ (m##_SHIFT)) & (m)))
+#define get_bf(v, m) (((v) & (m)) >> (m##_SHIFT))
+
+#define DEFAULT_NUM_SUBWINDOWS 128
+#define PAMU_PCR_OFFSET 0xc10
+#define PAMU_PCR_PE 0x40000000
+
+struct pamu_addr_tbl {
+ phys_addr_t start_addr[10];
+ phys_addr_t end_addr[10];
+ phys_size_t size[10];
+};
+
+typedef struct paace_t {
+ /* PAACE Offset 0x00 */
+ uint32_t wbah; /* only valid for Primary PAACE */
+ uint32_t addr_bitfields; /* See P/S PAACE_AF_* */
+
+ /* PAACE Offset 0x08 */
+ /* Interpretation of first 32 bits dependent on DD above */
+ union {
+ struct {
+ /* Destination ID, see PAACE_DID_* defines */
+ uint8_t did;
+ /* Partition ID */
+ uint8_t pid;
+ /* Snoop ID */
+ uint8_t snpid;
+ /* coherency_required : 1 reserved : 7 */
+ uint8_t coherency_required; /* See PAACE_DA_* */
+ } to_host;
+ struct {
+ /* Destination ID, see PAACE_DID_* defines */
+ uint8_t did;
+ uint8_t reserved1;
+ uint16_t reserved2;
+ } to_io;
+ } domain_attr;
+
+ /* Implementation attributes + window count + address & operation
+ * translation modes
+ */
+ uint32_t impl_attr; /* See PAACE_IA_* */
+
+ /* PAACE Offset 0x10 */
+ /* Translated window base address */
+ uint32_t twbah;
+ uint32_t win_bitfields; /* See PAACE_WIN_* */
+
+ /* PAACE Offset 0x18 */
+ /* first secondary paace entry */
+ uint32_t fspi; /* only valid for Primary PAACE */
+ union {
+ struct {
+ uint8_t ioea;
+ uint8_t moea;
+ uint8_t ioeb;
+ uint8_t moeb;
+ } immed_ot;
+ struct {
+ uint16_t reserved;
+ uint16_t omi;
+ } index_ot;
+ } op_encode;
+
+ /* PAACE Offset 0x20 */
+ uint32_t reserved1[2]; /* not currently implemented */
+
+ /* PAACE Offset 0x28 */
+ uint32_t reserved2[2]; /* not currently implemented */
+
+ /* PAACE Offset 0x30 */
+ uint32_t reserved3[2]; /* not currently implemented */
+
+ /* PAACE Offset 0x38 */
+ uint32_t reserved4[2]; /* not currently implemented */
+
+} paace_t;
+
+int pamu_init(void);
+void pamu_enable(void);
+void pamu_disable(void);
+int config_pamu(struct pamu_addr_tbl *tbl, int num_entries, uint32_t liodn);
+
+#endif
diff --git a/arch/powerpc/include/asm/immap_85xx.h b/arch/powerpc/include/asm/immap_85xx.h
index 4eb3f79..17e0f39 100644
--- a/arch/powerpc/include/asm/immap_85xx.h
+++ b/arch/powerpc/include/asm/immap_85xx.h
@@ -2829,6 +2829,21 @@ typedef struct ccsr_pme {
u8 res4[0x400];
} ccsr_pme_t;
+typedef struct ccsr_pamu {
+ u32 ppbah;
+ u32 ppbal;
+ u32 pplah;
+ u32 pplal;
+ u32 spbah;
+ u32 spbal;
+ u32 splah;
+ u32 splal;
+ u32 obah;
+ u32 obal;
+ u32 olah;
+ u32 olal;
+} ccsr_pamu_t;
+
typedef struct ccsr_usb_phy {
u8 res0[0x18];
u32 usb_enable_override;
@@ -2905,6 +2920,7 @@ struct ccsr_pman {
#define CONFIG_SYS_FSL_CORENET_SERDES_OFFSET 0xEA000
#define CONFIG_SYS_FSL_CORENET_SERDES2_OFFSET 0xEB000
#define CONFIG_SYS_FSL_CPC_OFFSET 0x10000
+#define CONFIG_SYS_FSL_PAMU_OFFSET 0x20000
#define CONFIG_SYS_MPC85xx_DMA1_OFFSET 0x100000
#define CONFIG_SYS_MPC85xx_DMA2_OFFSET 0x101000
#define CONFIG_SYS_MPC85xx_DMA_OFFSET CONFIG_SYS_MPC85xx_DMA1_OFFSET
@@ -3085,6 +3101,8 @@ struct ccsr_pman {
(CONFIG_SYS_IMMR + CONFIG_SYS_FSL_FM2_OFFSET)
#define CONFIG_SYS_FSL_SRIO_ADDR \
(CONFIG_SYS_IMMR + CONFIG_SYS_FSL_SRIO_OFFSET)
+#define CONFIG_SYS_PAMU_ADDR \
+ (CONFIG_SYS_IMMR + CONFIG_SYS_FSL_PAMU_OFFSET)
#define CONFIG_SYS_PCI1_ADDR \
(CONFIG_SYS_IMMR + CONFIG_SYS_MPC85xx_PCI1_OFFSET)
--
1.7.7.6
^ permalink raw reply related [flat|nested] 13+ messages in thread* [U-Boot] [PATCH 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support
2013-03-28 10:46 ` [U-Boot] [PATCH 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support Ruchika Gupta
@ 2013-05-22 19:47 ` Andy Fleming
2013-08-19 23:07 ` [U-Boot] [U-Boot, " York Sun
1 sibling, 0 replies; 13+ messages in thread
From: Andy Fleming @ 2013-05-22 19:47 UTC (permalink / raw)
To: u-boot
On Thu, Mar 28, 2013 at 5:46 AM, Ruchika Gupta
<ruchika.gupta@freescale.com>wrote:
> PAMU driver basic support for usage in Secure Boot.
> In secure boot PAMU is not in bypass mode. Hence to use
> any peripheral (SEC Job ring in our case), PAMU has to be
> configured.
>
> The Header file fsl_pamu.h and few functions in driver have been derived
> from Freescale Libos.
>
> Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
> Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
> ---
> Based upon git://git.denx.de/u-boot.git branch master
>
You don't really have to say this as a) It's assumed, b) It becomes quickly
obsolete (as it is now). You probably only need to mention it if you're
based on an unusual git repo.
diff --git a/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c
b/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c
new file mode 100644
index 0000000..bdbec07
--- /dev/null
+++ b/arch/powerpc/cpu/mpc8xxx/fsl_pamu.c
[...]
+
+static inline int __ilog2_roundup_64(uint64_t val)
+{
+
+ if ((val & (val - 1)) == 0)
+ return __ilog2_u64(val);
+ else
+ return __ilog2_u64(val) + 1;
+}
These sorts of functions seem like they belong
in arch/powerpc/include/asm/bitops.h
> +
> +
> +static inline int count_lsb_zeroes(unsigned long val)
> +{
> + return ffs(val) - 1;
> +}
> +
>
[...]
> +static int pamu_config_ppaace(uint32_t liodn, uint64_t win_addr,
> + uint64_t win_size, uint32_t omi,
> + uint32_t snoopid, uint32_t stashid,
> + uint32_t subwin_cnt)
> +{
> + unsigned long fspi;
> + paace_t *ppaace;
> +
> + if ((win_size & (win_size - 1)) || win_size < PAMU_PAGE_SIZE)
> + return -1;
> +
> + if (win_addr & (win_size - 1))
> + return -2;
> +
> + if (liodn > NUM_PPAACT_ENTRIES) {
> + printf("Entries in PPACT not sufficient\n");
> + return -3;
> + }
>
These return values should really have names to define, up-front, what they
mean.
> +
> + ppaace = &ppaact[liodn];
> +
> + /* window size is 2^(WSE+1) bytes */
> + set_bf(ppaace->addr_bitfields, PPAACE_AF_WSE,
> + map_addrspace_size_to_wse(win_size));
> +
> + pamu_setup_default_xfer_to_host_ppaace(ppaace);
> +
> + if (sizeof(phys_addr_t) > 4)
> + ppaace->wbah = (u64)win_addr >> (PAMU_PAGE_SHIFT + 20);
> + else
> + ppaace->wbah = 0;
> +
> + set_bf(ppaace->addr_bitfields, PPAACE_AF_WBAL,
> + (win_addr >> PAMU_PAGE_SHIFT));
> +
> + /* set up operation mapping if it's configured */
> + if (omi < OME_NUMBER_ENTRIES) {
> + set_bf(ppaace->impl_attr, PAACE_IA_OTM, PAACE_OTM_INDEXED);
> + ppaace->op_encode.index_ot.omi = omi;
> + } else if (~omi != 0)
> + return -3;
>
ditto here
> +static int pamu_config_spaace(uint32_t liodn,
> + uint64_t subwin_size, uint64_t subwin_addr, uint64_t size,
> + uint32_t omi, uint32_t snoopid, uint32_t stashid)
> +{
> + paace_t *paace;
> + unsigned long fspi;
> + /* Align start addr of subwin to subwindoe size */
> + uint64_t sec_addr = subwin_addr & ~(subwin_size - 1);
> + uint64_t end_addr = subwin_addr + size;
> + int size_shift = __ilog2_u64(subwin_size);
> + uint64_t win_size = 0;
> + uint32_t index, swse;
> +
> + /* Recalculate the size */
> + size = end_addr - sec_addr;
> +
> + if (!subwin_size)
> + return -1;
>
Also need a named constant here
> +
> + if (liodn > NUM_PPAACT_ENTRIES) {
> + printf("LIODN Number to be programmed %d"
> + "greater than number of PPAACT entries %d\n",
> + liodn, NUM_PPAACT_ENTRIES);
> + return -1;
> + }
>
And here
> +
> + while (sec_addr < end_addr) {
> +#ifdef DEBUG
> + printf("sec_addr < end_addr is %llx < %llx\n", sec_addr,
> + end_addr);
> +#endif
> + paace = &ppaact[liodn];
> + if (!paace)
> + return -1;
>
And here
+
+int pamu_init(void)
+{
+ u32 base_addr = CONFIG_SYS_PAMU_ADDR;
void *base_addr = (void *)CONFIG_SYS_PAMU_ADDR;
+ ccsr_pamu_t *regs;
+ u32 i = 0;
+ u64 ppaact_phys, ppaact_lim, ppaact_size;
+ u64 spaact_phys, spaact_lim, spaact_size;
+
+ ppaact_size = sizeof(paace_t) * NUM_PPAACT_ENTRIES;
+ spaact_size = sizeof(paace_t) * NUM_SPAACT_ENTRIES;
+
+ /* Allocate space for Primary PAACT Table */
+ ppaact = memalign(PAMU_TABLE_ALIGNMENT, ppaact_size);
+ if (!ppaact)
+ return -1;
Named constant.
> + memset(ppaact, 0, ppaact_size);
> +
> + /* Allocate space for Secondary PAACT Table */
> + sec = memalign(PAMU_TABLE_ALIGNMENT, spaact_size);
> + if (!sec)
> + return -1;
>
And here
> + memset(sec, 0, spaact_size);
> +
> + ppaact_phys = virt_to_phys((void *)ppaact);
> + ppaact_lim = ppaact_phys + ppaact_size;
> +
> + spaact_phys = (uint64_t)virt_to_phys((void *)sec);
> + spaact_lim = spaact_phys + spaact_size;
> +
> + /* Configure all PAMU's */
> + for (i = 0; i < CONFIG_NUM_PAMU; i++) {
> + regs = (ccsr_pamu_t *)base_addr;
>
No need for cast once base_addr is more sane.
> +
> + out_be32(®s->ppbah, ppaact_phys >> 32);
> + out_be32(®s->ppbal, (uint32_t)ppaact_phys);
> +
> + out_be32(®s->pplah, (ppaact_lim) >> 32);
> + out_be32(®s->pplal, (uint32_t)ppaact_lim);
> +
> + if (sec != NULL) {
> + out_be32(®s->spbah, spaact_phys >> 32);
> + out_be32(®s->spbal, (uint32_t)spaact_phys);
> + out_be32(®s->splah, spaact_lim >> 32);
> + out_be32(®s->splal, (uint32_t)spaact_lim);
> + }
> + asm volatile("sync" : : : "memory");
> +
> + base_addr += PAMU_OFFSET;
> + }
> +
> + return 0;
> +}
> +
> +void pamu_enable(void)
> +{
> + u32 i = 0;
> + u32 base_addr = CONFIG_SYS_PAMU_ADDR;
>
void *base_addr = (void *)CONFIG_SYS_PAMU_ADDR;
> + for (i = 0; i < CONFIG_NUM_PAMU; i++) {
> + setbits_be32((void *)base_addr + PAMU_PCR_OFFSET,
> + PAMU_PCR_PE);
>
And then eliminate the "(void *)" here
> + asm volatile("sync" : : : "memory");
> + base_addr += PAMU_OFFSET;
> + }
> +}
> +
> +void pamu_reset(void)
> +{
> + u32 i = 0;
> + u32 base_addr = CONFIG_SYS_PAMU_ADDR;
>
void *base_addr = (void *)CONFIG_SYS_PAMU_ADDR;
In general, why would you declare an address as u32? We have 32 and 64-bit
processors that use PAMU. Does this work at all on e5500 or e6500?
+ ccsr_pamu_t *regs;
> +
> + for (i = 0; i < CONFIG_NUM_PAMU; i++) {
> + regs = (ccsr_pamu_t *)base_addr;
>
Get rid of cast by following above recommendation.
> + /* Clear PPAACT Base register */
> + out_be32(®s->ppbah, 0);
> + out_be32(®s->ppbal, 0);
> + out_be32(®s->pplah, 0);
> + out_be32(®s->pplal, 0);
> + out_be32(®s->spbah, 0);
> + out_be32(®s->spbal, 0);
> + out_be32(®s->splah, 0);
> + out_be32(®s->splal, 0);
> +
> + clrbits_be32((void *)regs + PAMU_PCR_OFFSET, PAMU_PCR_PE);
> + asm volatile("sync" : : : "memory");
> + base_addr += PAMU_OFFSET;
> + }
> +}
> +
> +void pamu_disable(void)
> +{
> + u32 i = 0;
> + u32 base_addr = CONFIG_SYS_PAMU_ADDR;
>
ditto here.
> +
> +
> + for (i = 0; i < CONFIG_NUM_PAMU; i++) {
> + clrbits_be32((void *)base_addr + PAMU_PCR_OFFSET,
> PAMU_PCR_PE);
>
And this cast
> + asm volatile("sync" : : : "memory");
> + base_addr += PAMU_OFFSET;
> + }
> +}
> +
> +
>
[...]
> +int config_pamu(struct pamu_addr_tbl *tbl, int num_entries, uint32_t
> liodn)
> +{
> + int i = 0;
> + int ret = 0;
> + uint32_t num_sec_windows = 0;
> + uint32_t num_windows = 0;
> + uint64_t min_addr, max_addr;
> + uint64_t size;
> + uint64_t subwin_size;
> + int sizebit;
> +
> + min_addr = find_min(tbl->start_addr, num_entries);
> + max_addr = find_max(tbl->end_addr, num_entries);
> + size = max_addr - min_addr + 1;
> +
> + if (!size)
> + return -1;
>
Named constant
> +
> + sizebit = __ilog2_roundup_64(size);
> + size = 1 << sizebit;
> +#ifdef DEBUG
> + printf("min start_addr is %llx\n", min_addr);
> + printf("max end_addr is %llx\n", max_addr);
> + printf("size found is %llx\n", size);
> +#endif
> +
> + if (size < PAMU_PAGE_SIZE)
> + size = PAMU_PAGE_SIZE;
> +
> + while (1) {
> + min_addr = min_addr & ~(size - 1);
> + if (min_addr + size > max_addr)
> + break;
> + size <<= 1;
> + if (!size)
> + return -1;
>
Named constant
diff --git a/arch/powerpc/include/asm/fsl_pamu.h
b/arch/powerpc/include/asm/fsl_pamu.h
new file mode 100644
index 0000000..e2cfe97
--- /dev/null
+++ b/arch/powerpc/include/asm/fsl_pamu.h
@@ -0,0 +1,193 @@
> +
> +#define CONFIG_NUM_PAMU 16
> +#define NUM_PPAACT_ENTRIES 512
> +#define NUM_SPAACT_ENTRIES 128
>
Aren't these values variable, depending on the platform?
> +
> +/* PAMU_OFFSET to the next pamu space in ccsr */
> +#define PAMU_OFFSET 0x1000
> +
> +#define PAMU_TABLE_ALIGNMENT 0x00001000
> +
> +#define PAMU_PAGE_SHIFT 12
> +#define PAMU_PAGE_SIZE 4096U
> +
> +#define PAACE_M_COHERENCE_REQ 0x01
> +
> +#define PAACE_DA_HOST_CR 0x80
> +#define PAACE_DA_HOST_CR_SHIFT 7
> +
> +#define PAACE_AF_PT 0x00000002
> +#define PAACE_AF_PT_SHIFT 1
> +
> +#define PAACE_PT_PRIMARY 0x0
> +#define PAACE_PT_SECONDARY 0x1
> +
> +#define PPAACE_AF_WBAL 0xfffff000
> +#define PPAACE_AF_WBAL_SHIFT 12
> +
> +#define OME_NUMBER_ENTRIES 16 /* based on P4080 2.0 silicon
> plan */
>
...Is this P4080-specific?
Andy
^ permalink raw reply related [flat|nested] 13+ messages in thread* [U-Boot] [U-Boot, 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support
2013-03-28 10:46 ` [U-Boot] [PATCH 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support Ruchika Gupta
2013-05-22 19:47 ` Andy Fleming
@ 2013-08-19 23:07 ` York Sun
1 sibling, 0 replies; 13+ messages in thread
From: York Sun @ 2013-08-19 23:07 UTC (permalink / raw)
To: u-boot
On 03/28/2013 03:46 AM, Ruchika Gupta wrote:
> PAMU driver basic support for usage in Secure Boot.
> In secure boot PAMU is not in bypass mode. Hence to use
> any peripheral (SEC Job ring in our case), PAMU has to be
> configured.
>
> The Header file fsl_pamu.h and few functions in driver have been derived
> from Freescale Libos.
>
> Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
> Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
>
>
Ruchika and Kuldip,
Please update your patches for this series. They were first sent on
March 28, 2013.
York
^ permalink raw reply [flat|nested] 13+ messages in thread
* [U-Boot] [PATCH 2/5] powerpc/pamu : PAMU configuration for accessing SEC block
2013-03-28 10:46 [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Ruchika Gupta
2013-03-28 10:46 ` [U-Boot] [PATCH 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support Ruchika Gupta
@ 2013-03-28 10:46 ` Ruchika Gupta
2013-03-28 10:46 ` [U-Boot] [PATCH 3/5] drivers/sec : Freescale SEC driver Ruchika Gupta
` (3 subsequent siblings)
5 siblings, 0 replies; 13+ messages in thread
From: Ruchika Gupta @ 2013-03-28 10:46 UTC (permalink / raw)
To: u-boot
Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
---
Based upon git://git.denx.de/u-boot.git branch master
arch/powerpc/cpu/mpc8xxx/Makefile | 2 +-
arch/powerpc/cpu/mpc8xxx/fsl_pamu_table.c | 68 +++++++++++++++++++++++++++++
arch/powerpc/include/asm/fsl_pamu.h | 1 +
3 files changed, 70 insertions(+), 1 deletions(-)
create mode 100644 arch/powerpc/cpu/mpc8xxx/fsl_pamu_table.c
diff --git a/arch/powerpc/cpu/mpc8xxx/Makefile b/arch/powerpc/cpu/mpc8xxx/Makefile
index 097599e..7099136 100644
--- a/arch/powerpc/cpu/mpc8xxx/Makefile
+++ b/arch/powerpc/cpu/mpc8xxx/Makefile
@@ -33,7 +33,7 @@ COBJS-$(CONFIG_FSL_IFC) += fsl_ifc.o
COBJS-$(CONFIG_FSL_LBC) += fsl_lbc.o
COBJS-$(CONFIG_SYS_SRIO) += srio.o
COBJS-$(CONFIG_FSL_LAW) += law.o
-COBJS-$(CONFIG_FSL_CORENET) += fsl_pamu.o
+COBJS-$(CONFIG_FSL_CORENET) += fsl_pamu.o fsl_pamu_table.o
endif
diff --git a/arch/powerpc/cpu/mpc8xxx/fsl_pamu_table.c b/arch/powerpc/cpu/mpc8xxx/fsl_pamu_table.c
new file mode 100644
index 0000000..44cceee
--- /dev/null
+++ b/arch/powerpc/cpu/mpc8xxx/fsl_pamu_table.c
@@ -0,0 +1,68 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <common.h>
+#include <asm/fsl_pamu.h>
+
+DECLARE_GLOBAL_DATA_PTR;
+
+void construct_pamu_addr_table(struct pamu_addr_tbl *tbl, int *num_entries)
+{
+ int i = 0;
+
+ tbl->start_addr[i] =
+ (uint64_t)virt_to_phys((void *)CONFIG_SYS_SDRAM_BASE);
+ tbl->size[i] = (phys_size_t)(min(gd->ram_size, CONFIG_MAX_MEM_MAPPED));
+ tbl->end_addr[i] = tbl->start_addr[i] + tbl->size[i] - 1;
+
+ i++;
+ tbl->start_addr[i] =
+ (uint64_t)virt_to_phys((void *)CONFIG_SYS_FLASH_BASE_PHYS);
+ tbl->size[i] = 256 * 1024 * 1024; /* 256MB flash */
+ tbl->end_addr[i] = tbl->start_addr[i] + tbl->size[i] - 1;
+
+ i++;
+#ifdef DEBUG
+ int j;
+ printf("address\t\t\tsize\n");
+ for (j = 0; j < i ; j++)
+ printf("%llx \t\t\t%llx\n", tbl->start_addr[j], tbl->size[j]);
+#endif
+
+ *num_entries = i;
+}
+
+int sec_config_pamu_table(uint32_t liodn_ns, uint32_t liodn_s)
+{
+ struct pamu_addr_tbl tbl;
+ int num_entries = 0;
+ int ret = 0;
+
+ construct_pamu_addr_table(&tbl, &num_entries);
+
+ ret = config_pamu(&tbl, num_entries, liodn_ns);
+ if (ret)
+ return ret;
+
+ ret = config_pamu(&tbl, num_entries, liodn_s);
+ if (ret)
+ return ret;
+
+ return ret;
+}
diff --git a/arch/powerpc/include/asm/fsl_pamu.h b/arch/powerpc/include/asm/fsl_pamu.h
index e2cfe97..85ef9bf 100644
--- a/arch/powerpc/include/asm/fsl_pamu.h
+++ b/arch/powerpc/include/asm/fsl_pamu.h
@@ -189,5 +189,6 @@ int pamu_init(void);
void pamu_enable(void);
void pamu_disable(void);
int config_pamu(struct pamu_addr_tbl *tbl, int num_entries, uint32_t liodn);
+int sec_config_pamu_table(uint32_t liodn_ns, uint32_t liodn_s);
#endif
--
1.7.7.6
^ permalink raw reply related [flat|nested] 13+ messages in thread* [U-Boot] [PATCH 3/5] drivers/sec : Freescale SEC driver
2013-03-28 10:46 [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Ruchika Gupta
2013-03-28 10:46 ` [U-Boot] [PATCH 1/5] arch/powerpc/cpu/mpc8xxx: PAMU driver support Ruchika Gupta
2013-03-28 10:46 ` [U-Boot] [PATCH 2/5] powerpc/pamu : PAMU configuration for accessing SEC block Ruchika Gupta
@ 2013-03-28 10:46 ` Ruchika Gupta
2013-03-28 10:46 ` [U-Boot] [PATCH 4/5] FSL SEC Driver : Add support for descriptor creation Ruchika Gupta
` (2 subsequent siblings)
5 siblings, 0 replies; 13+ messages in thread
From: Ruchika Gupta @ 2013-03-28 10:46 UTC (permalink / raw)
To: u-boot
SEC driver support is required in secure boot
Following files have been picked up from caam driver in Linux :
include/desc.h
The file drivers/sec/jr.c has some functions derived from caam driver in
Linux.
Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
---
Based upon git://git.denx.de/u-boot.git branch master
Makefile | 1 +
arch/powerpc/include/asm/immap_85xx.h | 50 +-
arch/powerpc/include/asm/types.h | 5 +-
drivers/sec/Makefile | 46 +
drivers/sec/jr.c | 319 +++++++
include/desc.h | 1605 +++++++++++++++++++++++++++++++++
include/jr.h | 129 +++
7 files changed, 2152 insertions(+), 3 deletions(-)
create mode 100644 drivers/sec/Makefile
create mode 100644 drivers/sec/jr.c
create mode 100644 include/desc.h
create mode 100644 include/jr.h
diff --git a/Makefile b/Makefile
index 12763ce..2b63585 100644
--- a/Makefile
+++ b/Makefile
@@ -329,6 +329,7 @@ LIBS-y += common/libcommon.o
LIBS-y += lib/libfdt/libfdt.o
LIBS-y += api/libapi.o
LIBS-y += post/libpost.o
+LIBS-y += drivers/sec/libsec.o
LIBS-y += test/libtest.o
ifneq ($(CONFIG_AM33XX)$(CONFIG_OMAP34XX)$(CONFIG_OMAP44XX)$(CONFIG_OMAP54XX),)
diff --git a/arch/powerpc/include/asm/immap_85xx.h b/arch/powerpc/include/asm/immap_85xx.h
index 17e0f39..ac8f608 100644
--- a/arch/powerpc/include/asm/immap_85xx.h
+++ b/arch/powerpc/include/asm/immap_85xx.h
@@ -2692,6 +2692,50 @@ enum {
/* Security Engine Block (MS = Most Sig., LS = Least Sig.) */
#if CONFIG_SYS_FSL_SEC_COMPAT >= 4
+/*
+ * caam_job_ring - direct job ring setup
+ * 1-4 possible per instantiation, base + 1000/2000/3000/4000
+ * Padded out to 0x1000
+ */
+typedef struct jr_regs {
+ /* Input Ring */
+ u32 irba_h; /*IRBAx - Input desc ring baseaddr */
+ u32 irba_l;
+ u8 res1[4];
+ u32 irs; /*IRSx - Input ring size */
+ u8 res2[4];
+ u32 irsa; /* IRSAx - Input ring room remaining */
+ u8 res3[4];
+ u32 irja; /* IRJAx - Input ring jobs added */
+
+ /* Output ring */
+ u32 orba_h; /* ORBAx - Output status ring base addr */
+ u32 orba_l;
+ u8 res4[4];
+ u32 ors; /* ORSx - Output ring size */
+ u8 res5[4];
+ u32 orjr; /* ORJRx - Output ring jobs removed */
+ u8 res6[4];
+ u32 orsf; /* ORSFx - Output ring slots full */
+
+ /* Status /Configuration */
+ u8 res7[4];
+ u32 jrsta; /* JRSTAx - JobR output status */
+ u8 res8[4]; /* JRINTx - JobR interrupt status */
+ u32 jrint; /* JRINTx - JobR interrupt status */
+ u32 jrcfg0; /* JRxCFG - Ring configuration */
+ u32 jrcfg1;
+
+ /*Index. CAAM maintains "head" of each queue */
+ u8 res9[4];
+ u32 irri; /* IRRIx - Input ring read index */
+ u8 res10[4];
+ u32 orwi; /* ORWIx - Output ring write index */
+ u8 res11[4];
+ u32 jrcr; /* JRCRx - JobR command */
+ u8 res12[0xf90];
+} jr_regs_t;
+
typedef struct ccsr_sec {
u32 res0;
u32 mcfgr; /* Master CFG Register */
@@ -2735,7 +2779,8 @@ typedef struct ccsr_sec {
u32 chanum_ls; /* CHA Number Register, LS */
u32 secvid_ms; /* SEC Version ID Register, MS */
u32 secvid_ls; /* SEC Version ID Register, LS */
- u8 res9[0x6020];
+ struct jr_regs jr[4]; /* SEC JOB RINGS */
+ u8 res9[0x2020];
u32 qilcr_ms; /* Queue Interface LIODN CFG Register, MS */
u32 qilcr_ls; /* Queue Interface LIODN CFG Register, LS */
u8 res10[0x8fd8];
@@ -2828,7 +2873,7 @@ typedef struct ccsr_pme {
u32 pm_ip_rev_2; /* PME IP Block Revision Reg 1*/
u8 res4[0x400];
} ccsr_pme_t;
-
+
typedef struct ccsr_pamu {
u32 ppbah;
u32 ppbal;
@@ -2949,6 +2994,7 @@ struct ccsr_pman {
#define CONFIG_SYS_MPC85xx_SATA1_OFFSET 0x220000
#define CONFIG_SYS_MPC85xx_SATA2_OFFSET 0x221000
#define CONFIG_SYS_FSL_SEC_OFFSET 0x300000
+#define CONFIG_SYS_SNVS_OFFSET 0x314000
#define CONFIG_SYS_FSL_CORENET_PME_OFFSET 0x316000
#define CONFIG_SYS_FSL_QMAN_OFFSET 0x318000
#define CONFIG_SYS_FSL_BMAN_OFFSET 0x31a000
diff --git a/arch/powerpc/include/asm/types.h b/arch/powerpc/include/asm/types.h
index b27a6b7..ec9a4c3 100644
--- a/arch/powerpc/include/asm/types.h
+++ b/arch/powerpc/include/asm/types.h
@@ -41,8 +41,11 @@ typedef unsigned long long u64;
#define BITS_PER_LONG 32
-/* DMA addresses are 32-bits wide */
+#ifdef CONFIG_PHYS_64BIT
+typedef unsigned long long dma_addr_t;
+#else
typedef u32 dma_addr_t;
+#endif
#ifdef CONFIG_PHYS_64BIT
typedef unsigned long long phys_addr_t;
diff --git a/drivers/sec/Makefile b/drivers/sec/Makefile
new file mode 100644
index 0000000..33c707e
--- /dev/null
+++ b/drivers/sec/Makefile
@@ -0,0 +1,46 @@
+#
+# (C) Copyright 2000-2007, 2012
+# Wolfgang Denk, DENX Software Engineering, wd at denx.de.
+#
+# See file CREDITS for list of people who contributed to this
+# project.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+# MA 02111-1307 USA
+#
+
+include $(TOPDIR)/config.mk
+
+LIB := $(obj)libsec.o
+
+COBJS-$(CONFIG_SECURE_BOOT) += jr.o
+
+COBJS := $(COBJS-y)
+SRCS := $(COBJS:.o=.c)
+OBJS := $(addprefix $(obj),$(COBJS))
+
+all: $(LIB)
+
+$(LIB): $(obj).depend $(OBJS)
+ $(call cmd_link_o_target, $(OBJS))
+
+#########################################################################
+
+# defines $(obj).depend target
+include $(SRCTREE)/rules.mk
+
+sinclude $(obj).depend
+
+#########################################################################
diff --git a/drivers/sec/jr.c b/drivers/sec/jr.c
new file mode 100644
index 0000000..1399be6
--- /dev/null
+++ b/drivers/sec/jr.c
@@ -0,0 +1,319 @@
+/*
+ * Copyright 2011, 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+#include <malloc.h>
+#include <asm/immap_85xx.h>
+#include <jr.h>
+#include <asm/fsl_pamu.h>
+
+#define CIRC_CNT(head, tail, size) (((head) - (tail)) & (size - 1))
+#define CIRC_SPACE(head, tail, size) CIRC_CNT((tail), (head) + 1, (size))
+
+struct jobring jr;
+
+static inline void jr_reset_liodn(void)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ out_be32(&sec->jrliodnr[0].ls, 0);
+ asm volatile("sync" : : : "memory");
+}
+
+static inline void jr_disable_irq(void)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ struct jr_regs *regs = &sec->jr[0];
+ uint32_t jrcfg = in_be32(®s->jrcfg1);
+
+ jrcfg = jrcfg | JR_INTMASK;
+
+ out_be32(®s->jrcfg1, jrcfg);
+ asm volatile("sync" : : : "memory");
+
+}
+
+static void jr_initregs(struct jobring *jr)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ struct jr_regs *regs = &sec->jr[0];
+ phys_addr_t ip_base = virt_to_phys((void *)jr->input_ring);
+ phys_addr_t op_base = virt_to_phys((void *)jr->output_ring);
+
+#ifdef CONFIG_PHYS_64BIT
+ out_be32(®s->irba_h, ip_base >> 32);
+#else
+ out_be32(®s->irba_h, 0x0);
+#endif
+ out_be32(®s->irba_l, (uint32_t)ip_base);
+#ifdef CONFIG_PHYS_64BIT
+ out_be32(®s->orba_h, op_base >> 32);
+#else
+ out_be32(®s->orba_h, 0x0);
+#endif
+ out_be32(®s->orba_l, (uint32_t)op_base);
+ out_be32(®s->ors, JR_SIZE);
+ out_be32(®s->irs, JR_SIZE);
+
+ asm volatile("sync" : : : "memory");
+ if (!jr->irq)
+ jr_disable_irq();
+}
+
+int jr_init(struct jobring *jr)
+{
+ memset(jr, 0, sizeof(struct jobring));
+
+ jr->jq_id = DEFAULT_JR_ID;
+ jr->irq = DEFAULT_IRQ;
+
+#ifdef CONFIG_FSL_CORENET
+ jr->liodn = DEFAULT_JR_LIODN;
+#endif
+ jr->size = JR_SIZE;
+ jr->input_ring = (dma_addr_t *) malloc(JR_SIZE * sizeof(dma_addr_t));
+ if (!jr->input_ring)
+ return -1;
+ jr->output_ring =
+ (struct op_ring *)malloc(JR_SIZE * sizeof(struct op_ring));
+ if (!jr->output_ring)
+ return -1;
+
+ memset(jr->input_ring, 0, JR_SIZE * sizeof(dma_addr_t));
+ memset(jr->output_ring, 0, JR_SIZE * sizeof(struct op_ring));
+
+ jr_initregs(jr);
+
+ return 0;
+}
+
+int jr_sw_cleanup(struct jobring *jr)
+{
+ jr->head = 0;
+ jr->tail = 0;
+ jr->read_idx = 0;
+ jr->write_idx = 0;
+ memset(jr->info, 0, sizeof(jr->info));
+ memset(jr->input_ring, 0, jr->size * sizeof(dma_addr_t));
+ memset(jr->output_ring, 0, jr->size * sizeof(struct op_ring));
+
+ return 0;
+}
+
+int sec_init(void)
+{
+ int ret = 0;
+
+#ifdef CONFIG_FSL_CORENET
+ uint32_t liodnr;
+ uint32_t liodn_ns;
+ uint32_t liodn_s;
+#endif
+
+#ifdef CONFIG_PHYS_64BIT
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ uint32_t mcr = in_be32(&sec->mcfgr);
+
+ out_be32(&sec->mcfgr, mcr | 1 << MCFGR_PS_SHIFT);
+#endif
+
+#ifdef CONFIG_FSL_CORENET
+ liodnr = in_be32(&sec->jrliodnr[0].ls);
+ liodn_ns = (liodnr & JRNSLIODN_MASK) >> JRNSLIODN_SHIFT;
+ liodn_s = (liodnr & JRSLIODN_MASK) >> JRSLIODN_SHIFT;
+#endif
+ ret = jr_init(&jr);
+ if (ret < 0)
+ return -1;
+
+#ifdef CONFIG_FSL_CORENET
+ ret = sec_config_pamu_table(liodn_ns, liodn_s);
+ if (ret < 0)
+ return -1;
+#endif
+
+ return ret;
+}
+
+int jr_hw_reset(void)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ struct jr_regs *regs = &sec->jr[0];
+ uint32_t timeout = 100000;
+ uint32_t jrint, jrcr;
+
+ out_be32(®s->jrcr, JRCR_RESET);
+ do {
+ jrint = in_be32(®s->jrint);
+ } while (((jrint & JRINT_ERR_HALT_MASK) ==
+ JRINT_ERR_HALT_INPROGRESS) && --timeout);
+
+ jrint = in_be32(®s->jrint);
+ if (((jrint & JRINT_ERR_HALT_MASK) !=
+ JRINT_ERR_HALT_INPROGRESS) && timeout == 0)
+ return -1;
+
+ timeout = 100000;
+ out_be32(®s->jrcr, JRCR_RESET);
+ do {
+ jrcr = in_be32(®s->jrcr);
+ } while ((jrcr & JRCR_RESET) && --timeout);
+
+ if (timeout == 0)
+ return -1;
+
+ return 0;
+}
+
+int jr_reset(void)
+{
+ if (jr_hw_reset() < 0)
+ return -1;
+
+ /* Clean up the jobring structure maintained by software */
+ jr_sw_cleanup(&jr);
+
+ return 0;
+}
+
+int sec_reset(void)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ uint32_t mcfgr = in_be32(&sec->mcfgr);
+ uint32_t timeout = 100000;
+
+ mcfgr |= MCFGR_SWRST;
+ out_be32(&sec->mcfgr, mcfgr);
+
+ mcfgr |= MCFGR_DMA_RST;
+ out_be32(&sec->mcfgr, mcfgr);
+ do {
+ mcfgr = in_be32(&sec->mcfgr);
+ } while ((mcfgr & MCFGR_DMA_RST) == MCFGR_DMA_RST && --timeout);
+
+ if (timeout == 0)
+ return -1;
+
+ timeout = 100000;
+ do {
+ mcfgr = in_be32(&sec->mcfgr);
+ } while ((mcfgr & MCFGR_SWRST) == MCFGR_SWRST && --timeout);
+
+ if (timeout == 0)
+ return -1;
+
+ return 0;
+}
+
+/* -1 --- error, can't enqueue -- no space available */
+int jr_enqueue(struct jobring *jr, uint32_t * desc_addr,
+ void (*callback) (uint32_t desc, uint32_t status, void *arg),
+ void *arg)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ struct jr_regs *regs = &sec->jr[0];
+ int head = jr->head;
+ dma_addr_t desc_phys_addr = virt_to_phys(desc_addr);
+
+ if (in_be32(®s->irsa) == 0
+ || CIRC_SPACE(jr->head, jr->tail, jr->size) <= 0)
+ return JQ_ENQ_ERR;
+
+ jr->input_ring[head] = desc_phys_addr;
+ jr->info[head].desc_phys_addr = desc_phys_addr;
+ jr->info[head].desc_addr = (uint32_t) desc_addr;
+ jr->info[head].callback = (void *) callback;
+ jr->info[head].arg = arg;
+ jr->info[head].op_done = 0;
+
+ jr->head = (head + 1) & (jr->size - 1);
+
+ out_be32(®s->irja, 1);
+ asm volatile("sync" : : : "memory");
+
+ return 0;
+}
+
+int jr_dequeue(struct jobring *jr)
+{
+ ccsr_sec_t *sec = (void *)CONFIG_SYS_FSL_SEC_ADDR;
+ struct jr_regs *regs = &sec->jr[0];
+ int head = jr->head;
+ int tail = jr->tail;
+ int idx, i, found;
+ void (*callback) (uint32_t desc, uint32_t status, void *arg);
+ void *arg = NULL;
+
+ while (in_be32(®s->orsf) && CIRC_CNT(jr->head, jr->tail, jr->size)) {
+ found = 0;
+
+ dma_addr_t op_desc = jr->output_ring[jr->tail].desc;
+ uint32_t status = jr->output_ring[jr->tail].status;
+ uint32_t desc_virt;
+
+ for (i = 0; CIRC_CNT(head, tail + i, jr->size) >= 1; i++) {
+ idx = (tail + i) & (jr->size - 1);
+ if (op_desc == jr->info[idx].desc_phys_addr) {
+ desc_virt = jr->info[idx].desc_addr;
+ found = 1;
+ break;
+ }
+ }
+
+ /* Error condition if match not found */
+ if (!found)
+ return JQ_DEQ_ERR;
+
+ jr->info[idx].op_done = 1;
+ callback = (void *) jr->info[idx].callback;
+ arg = jr->info[idx].arg;
+
+ /* When the job on tail idx gets done, increment
+ * tail till the point where job completed out of oredr has
+ * been taken into account
+ */
+ if (idx == tail)
+ do {
+ tail = (tail + 1) & (jr->size - 1);
+ } while (jr->info[tail].op_done);
+
+ jr->tail = tail;
+ jr->read_idx = (jr->read_idx + 1) & (jr->size - 1);
+
+ out_be32(®s->orjr, 1);
+ asm volatile("sync" : : : "memory");
+ jr->info[idx].op_done = 0;
+
+ callback(desc_virt, status, arg);
+ }
+
+ return 0;
+}
diff --git a/include/desc.h b/include/desc.h
new file mode 100644
index 0000000..1b0b080
--- /dev/null
+++ b/include/desc.h
@@ -0,0 +1,1605 @@
+/*
+ * CAAM descriptor composition header
+ * Definitions to support CAAM descriptor instruction generation
+ *
+ * Copyright 2008-2011, 2012 Freescale Semiconductor, Inc.
+ */
+
+#ifndef DESC_H
+#define DESC_H
+
+/* Max size of any CAAM descriptor in 32-bit words, inclusive of header */
+#define MAX_CAAM_DESCSIZE 64
+
+/* Block size of any entity covered/uncovered with a KEK/TKEK */
+#define KEK_BLOCKSIZE 16
+
+/*
+ * Supported descriptor command types as they show up
+ * inside a descriptor command word.
+ */
+#define CMD_SHIFT 27
+#define CMD_MASK 0xf8000000
+
+#define CMD_KEY (0x00 << CMD_SHIFT)
+#define CMD_SEQ_KEY (0x01 << CMD_SHIFT)
+#define CMD_LOAD (0x02 << CMD_SHIFT)
+#define CMD_SEQ_LOAD (0x03 << CMD_SHIFT)
+#define CMD_FIFO_LOAD (0x04 << CMD_SHIFT)
+#define CMD_SEQ_FIFO_LOAD (0x05 << CMD_SHIFT)
+#define CMD_STORE (0x0a << CMD_SHIFT)
+#define CMD_SEQ_STORE (0x0b << CMD_SHIFT)
+#define CMD_FIFO_STORE (0x0c << CMD_SHIFT)
+#define CMD_SEQ_FIFO_STORE (0x0d << CMD_SHIFT)
+#define CMD_MOVE_LEN (0x0e << CMD_SHIFT)
+#define CMD_MOVE (0x0f << CMD_SHIFT)
+#define CMD_OPERATION (0x10 << CMD_SHIFT)
+#define CMD_SIGNATURE (0x12 << CMD_SHIFT)
+#define CMD_JUMP (0x14 << CMD_SHIFT)
+#define CMD_MATH (0x15 << CMD_SHIFT)
+#define CMD_DESC_HDR (0x16 << CMD_SHIFT)
+#define CMD_SHARED_DESC_HDR (0x17 << CMD_SHIFT)
+#define CMD_SEQ_IN_PTR (0x1e << CMD_SHIFT)
+#define CMD_SEQ_OUT_PTR (0x1f << CMD_SHIFT)
+
+/* General-purpose class selector for all commands */
+#define CLASS_SHIFT 25
+#define CLASS_MASK (0x03 << CLASS_SHIFT)
+
+#define CLASS_NONE (0x00 << CLASS_SHIFT)
+#define CLASS_1 (0x01 << CLASS_SHIFT)
+#define CLASS_2 (0x02 << CLASS_SHIFT)
+#define CLASS_BOTH (0x03 << CLASS_SHIFT)
+
+/*
+ * Descriptor header command constructs
+ * Covers shared, job, and trusted descriptor headers
+ */
+
+/*
+ * Do Not Run - marks a descriptor inexecutable if there was
+ * a preceding error somewhere
+ */
+#define HDR_DNR 0x01000000
+
+/*
+ * ONE - should always be set. Combination of ONE (always
+ * set) and ZRO (always clear) forms an endianness sanity check
+ */
+#define HDR_ONE 0x00800000
+#define HDR_ZRO 0x00008000
+
+/* Start Index or SharedDesc Length */
+#define HDR_START_IDX_MASK 0x3f
+#define HDR_START_IDX_SHIFT 16
+
+/* If shared descriptor header, 6-bit length */
+#define HDR_DESCLEN_SHR_MASK 0x3f
+
+/* If non-shared header, 7-bit length */
+#define HDR_DESCLEN_MASK 0x7f
+
+/* This is a TrustedDesc (if not SharedDesc) */
+#define HDR_TRUSTED 0x00004000
+
+/* Make into TrustedDesc (if not SharedDesc) */
+#define HDR_MAKE_TRUSTED 0x00002000
+
+/* Save context if self-shared (if SharedDesc) */
+#define HDR_SAVECTX 0x00001000
+
+/* Next item points to SharedDesc */
+#define HDR_SHARED 0x00001000
+
+/*
+ * Reverse Execution Order - execute JobDesc first, then
+ * execute SharedDesc (normally SharedDesc goes first).
+ */
+#define HDR_REVERSE 0x00000800
+
+/* Propogate DNR property to SharedDesc */
+#define HDR_PROP_DNR 0x00000800
+
+/* JobDesc/SharedDesc share property */
+#define HDR_SD_SHARE_MASK 0x03
+#define HDR_SD_SHARE_SHIFT 8
+#define HDR_JD_SHARE_MASK 0x07
+#define HDR_JD_SHARE_SHIFT 8
+
+#define HDR_SHARE_NEVER (0x00 << HDR_SD_SHARE_SHIFT)
+#define HDR_SHARE_WAIT (0x01 << HDR_SD_SHARE_SHIFT)
+#define HDR_SHARE_SERIAL (0x02 << HDR_SD_SHARE_SHIFT)
+#define HDR_SHARE_ALWAYS (0x03 << HDR_SD_SHARE_SHIFT)
+#define HDR_SHARE_DEFER (0x04 << HDR_SD_SHARE_SHIFT)
+
+/* JobDesc/SharedDesc descriptor length */
+#define HDR_JD_LENGTH_MASK 0x7f
+#define HDR_SD_LENGTH_MASK 0x3f
+
+/*
+ * KEY/SEQ_KEY Command Constructs
+ */
+
+/* Key Destination Class: 01 = Class 1, 02 - Class 2 */
+#define KEY_DEST_CLASS_SHIFT 25 /* use CLASS_1 or CLASS_2 */
+#define KEY_DEST_CLASS_MASK (0x03 << KEY_DEST_CLASS_SHIFT)
+
+/* Scatter-Gather Table/Variable Length Field */
+#define KEY_SGF 0x01000000
+#define KEY_VLF 0x01000000
+
+/* Immediate - Key follows command in the descriptor */
+#define KEY_IMM 0x00800000
+
+/*
+ * Encrypted - Key is encrypted either with the KEK, or
+ * with the TDKEK if TK is set
+ */
+#define KEY_ENC 0x00400000
+
+/*
+ * No Write Back - Do not allow key to be FIFO STOREd
+ */
+#define KEY_NWB 0x00200000
+
+/*
+ * Enhanced Encryption of Key
+ */
+#define KEY_EKT 0x00100000
+
+/*
+ * Encrypted with Trusted Key
+ */
+#define KEY_TK 0x00008000
+
+/*
+ * KDEST - Key Destination: 0 - class key register,
+ * 1 - PKHA 'e', 2 - AFHA Sbox, 3 - MDHA split-key
+ */
+#define KEY_DEST_SHIFT 16
+#define KEY_DEST_MASK (0x03 << KEY_DEST_SHIFT)
+
+#define KEY_DEST_CLASS_REG (0x00 << KEY_DEST_SHIFT)
+#define KEY_DEST_PKHA_E (0x01 << KEY_DEST_SHIFT)
+#define KEY_DEST_AFHA_SBOX (0x02 << KEY_DEST_SHIFT)
+#define KEY_DEST_MDHA_SPLIT (0x03 << KEY_DEST_SHIFT)
+
+/* Length in bytes */
+#define KEY_LENGTH_MASK 0x000003ff
+
+/*
+ * LOAD/SEQ_LOAD/STORE/SEQ_STORE Command Constructs
+ */
+
+/*
+ * Load/Store Destination: 0 = class independent CCB,
+ * 1 = class 1 CCB, 2 = class 2 CCB, 3 = DECO
+ */
+#define LDST_CLASS_SHIFT 25
+#define LDST_CLASS_MASK (0x03 << LDST_CLASS_SHIFT)
+#define LDST_CLASS_IND_CCB (0x00 << LDST_CLASS_SHIFT)
+#define LDST_CLASS_1_CCB (0x01 << LDST_CLASS_SHIFT)
+#define LDST_CLASS_2_CCB (0x02 << LDST_CLASS_SHIFT)
+#define LDST_CLASS_DECO (0x03 << LDST_CLASS_SHIFT)
+
+/* Scatter-Gather Table/Variable Length Field */
+#define LDST_SGF 0x01000000
+#define LDST_VLF LDST_SGF
+
+/* Immediate - Key follows this command in descriptor */
+#define LDST_IMM_MASK 1
+#define LDST_IMM_SHIFT 23
+#define LDST_IMM (LDST_IMM_MASK << LDST_IMM_SHIFT)
+
+/* SRC/DST - Destination for LOAD, Source for STORE */
+#define LDST_SRCDST_SHIFT 16
+#define LDST_SRCDST_MASK (0x7f << LDST_SRCDST_SHIFT)
+
+#define LDST_SRCDST_BYTE_CONTEXT (0x20 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_BYTE_KEY (0x40 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_BYTE_INFIFO (0x7c << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_BYTE_OUTFIFO (0x7e << LDST_SRCDST_SHIFT)
+
+#define LDST_SRCDST_WORD_MODE_REG (0x00 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_KEYSZ_REG (0x01 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DATASZ_REG (0x02 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_ICVSZ_REG (0x03 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_CHACTRL (0x06 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECOCTRL (0x06 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_IRQCTRL (0x07 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECO_PCLOVRD (0x07 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_CLRW (0x08 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECO_MATH0 (0x08 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_STAT (0x09 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECO_MATH1 (0x09 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECO_MATH2 (0x0a << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECO_AAD_SZ (0x0b << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DECO_MATH3 (0x0b << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_CLASS1_ICV_SZ (0x0c << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_ALTDS_CLASS1 (0x0f << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_PKHA_A_SZ (0x10 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_PKHA_B_SZ (0x11 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_PKHA_N_SZ (0x12 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_PKHA_E_SZ (0x13 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_DESCBUF (0x40 << LDST_SRCDST_SHIFT)
+#define LDST_SRCDST_WORD_INFO_FIFO (0x7a << LDST_SRCDST_SHIFT)
+
+/* Offset in source/destination */
+#define LDST_OFFSET_SHIFT 8
+#define LDST_OFFSET_MASK (0xff << LDST_OFFSET_SHIFT)
+
+/* LDOFF definitions used when DST = LDST_SRCDST_WORD_DECOCTRL */
+/* These could also be shifted by LDST_OFFSET_SHIFT - this reads better */
+#define LDOFF_CHG_SHARE_SHIFT 0
+#define LDOFF_CHG_SHARE_MASK (0x3 << LDOFF_CHG_SHARE_SHIFT)
+#define LDOFF_CHG_SHARE_NEVER (0x1 << LDOFF_CHG_SHARE_SHIFT)
+#define LDOFF_CHG_SHARE_OK_NO_PROP (0x2 << LDOFF_CHG_SHARE_SHIFT)
+#define LDOFF_CHG_SHARE_OK_PROP (0x3 << LDOFF_CHG_SHARE_SHIFT)
+
+#define LDOFF_ENABLE_AUTO_NFIFO (1 << 2)
+#define LDOFF_DISABLE_AUTO_NFIFO (1 << 3)
+
+#define LDOFF_CHG_NONSEQLIODN_SHIFT 4
+#define LDOFF_CHG_NONSEQLIODN_MASK (0x3 << LDOFF_CHG_NONSEQLIODN_SHIFT)
+#define LDOFF_CHG_NONSEQLIODN_SEQ (0x1 << LDOFF_CHG_NONSEQLIODN_SHIFT)
+#define LDOFF_CHG_NONSEQLIODN_NON_SEQ (0x2 << LDOFF_CHG_NONSEQLIODN_SHIFT)
+#define LDOFF_CHG_NONSEQLIODN_TRUSTED (0x3 << LDOFF_CHG_NONSEQLIODN_SHIFT)
+
+#define LDOFF_CHG_SEQLIODN_SHIFT 6
+#define LDOFF_CHG_SEQLIODN_MASK (0x3 << LDOFF_CHG_SEQLIODN_SHIFT)
+#define LDOFF_CHG_SEQLIODN_SEQ (0x1 << LDOFF_CHG_SEQLIODN_SHIFT)
+#define LDOFF_CHG_SEQLIODN_NON_SEQ (0x2 << LDOFF_CHG_SEQLIODN_SHIFT)
+#define LDOFF_CHG_SEQLIODN_TRUSTED (0x3 << LDOFF_CHG_SEQLIODN_SHIFT)
+
+/* Data length in bytes */
+#define LDST_LEN_SHIFT 0
+#define LDST_LEN_MASK (0xff << LDST_LEN_SHIFT)
+
+/* Special Length definitions when dst=deco-ctrl */
+#define LDLEN_ENABLE_OSL_COUNT (1 << 7)
+#define LDLEN_RST_CHA_OFIFO_PTR (1 << 6)
+#define LDLEN_RST_OFIFO (1 << 5)
+#define LDLEN_SET_OFIFO_OFF_VALID (1 << 4)
+#define LDLEN_SET_OFIFO_OFF_RSVD (1 << 3)
+#define LDLEN_SET_OFIFO_OFFSET_SHIFT 0
+#define LDLEN_SET_OFIFO_OFFSET_MASK (3 << LDLEN_SET_OFIFO_OFFSET_SHIFT)
+
+/*
+ * FIFO_LOAD/FIFO_STORE/SEQ_FIFO_LOAD/SEQ_FIFO_STORE
+ * Command Constructs
+ */
+
+/*
+ * Load Destination: 0 = skip (SEQ_FIFO_LOAD only),
+ * 1 = Load for Class1, 2 = Load for Class2, 3 = Load both
+ * Store Source: 0 = normal, 1 = Class1key, 2 = Class2key
+ */
+#define FIFOLD_CLASS_SHIFT 25
+#define FIFOLD_CLASS_MASK (0x03 << FIFOLD_CLASS_SHIFT)
+#define FIFOLD_CLASS_SKIP (0x00 << FIFOLD_CLASS_SHIFT)
+#define FIFOLD_CLASS_CLASS1 (0x01 << FIFOLD_CLASS_SHIFT)
+#define FIFOLD_CLASS_CLASS2 (0x02 << FIFOLD_CLASS_SHIFT)
+#define FIFOLD_CLASS_BOTH (0x03 << FIFOLD_CLASS_SHIFT)
+
+#define FIFOST_CLASS_SHIFT 25
+#define FIFOST_CLASS_MASK (0x03 << FIFOST_CLASS_SHIFT)
+#define FIFOST_CLASS_NORMAL (0x00 << FIFOST_CLASS_SHIFT)
+#define FIFOST_CLASS_CLASS1KEY (0x01 << FIFOST_CLASS_SHIFT)
+#define FIFOST_CLASS_CLASS2KEY (0x02 << FIFOST_CLASS_SHIFT)
+
+/*
+ * Scatter-Gather Table/Variable Length Field
+ * If set for FIFO_LOAD, refers to a SG table. Within
+ * SEQ_FIFO_LOAD, is variable input sequence
+ */
+#define FIFOLDST_SGF_SHIFT 24
+#define FIFOLDST_SGF_MASK (1 << FIFOLDST_SGF_SHIFT)
+#define FIFOLDST_VLF_MASK (1 << FIFOLDST_SGF_SHIFT)
+#define FIFOLDST_SGF (1 << FIFOLDST_SGF_SHIFT)
+#define FIFOLDST_VLF (1 << FIFOLDST_SGF_SHIFT)
+
+/* Immediate - Data follows command in descriptor */
+#define FIFOLD_IMM_SHIFT 23
+#define FIFOLD_IMM_MASK (1 << FIFOLD_IMM_SHIFT)
+#define FIFOLD_IMM (1 << FIFOLD_IMM_SHIFT)
+
+/* Continue - Not the last FIFO store to come */
+#define FIFOST_CONT_SHIFT 23
+#define FIFOST_CONT_MASK (1 << FIFOST_CONT_SHIFT)
+#define FIFOST_CONT_MASK (1 << FIFOST_CONT_SHIFT)
+
+/*
+ * Extended Length - use 32-bit extended length that
+ * follows the pointer field. Illegal with IMM set
+ */
+#define FIFOLDST_EXT_SHIFT 22
+#define FIFOLDST_EXT_MASK (1 << FIFOLDST_EXT_SHIFT)
+#define FIFOLDST_EXT (1 << FIFOLDST_EXT_SHIFT)
+
+/* Input data type.*/
+#define FIFOLD_TYPE_SHIFT 16
+#define FIFOLD_CONT_TYPE_SHIFT 19 /* shift past last-flush bits */
+#define FIFOLD_TYPE_MASK (0x3f << FIFOLD_TYPE_SHIFT)
+
+/* PK types */
+#define FIFOLD_TYPE_PK (0x00 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_MASK (0x30 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_TYPEMASK (0x0f << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_A0 (0x00 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_A1 (0x01 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_A2 (0x02 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_A3 (0x03 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_B0 (0x04 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_B1 (0x05 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_B2 (0x06 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_B3 (0x07 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_N (0x08 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_A (0x0c << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_PK_B (0x0d << FIFOLD_TYPE_SHIFT)
+
+/* Other types. Need to OR in last/flush bits as desired */
+#define FIFOLD_TYPE_MSG_MASK (0x38 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_MSG (0x10 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_MSG1OUT2 (0x18 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_IV (0x20 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_BITDATA (0x28 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_AAD (0x30 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_ICV (0x38 << FIFOLD_TYPE_SHIFT)
+
+/* Last/Flush bits for use with "other" types above */
+#define FIFOLD_TYPE_ACT_MASK (0x07 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_NOACTION (0x00 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_FLUSH1 (0x01 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_LAST1 (0x02 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_LAST2FLUSH (0x03 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_LAST2 (0x04 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_LAST2FLUSH1 (0x05 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_LASTBOTH (0x06 << FIFOLD_TYPE_SHIFT)
+#define FIFOLD_TYPE_LASTBOTHFL (0x07 << FIFOLD_TYPE_SHIFT)
+
+#define FIFOLDST_LEN_MASK 0xffff
+#define FIFOLDST_EXT_LEN_MASK 0xffffffff
+
+/* Output data types */
+#define FIFOST_TYPE_SHIFT 16
+#define FIFOST_TYPE_MASK (0x3f << FIFOST_TYPE_SHIFT)
+
+#define FIFOST_TYPE_PKHA_A0 (0x00 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_A1 (0x01 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_A2 (0x02 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_A3 (0x03 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_B0 (0x04 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_B1 (0x05 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_B2 (0x06 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_B3 (0x07 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_N (0x08 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_A (0x0c << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_B (0x0d << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_AF_SBOX_JKEK (0x10 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_AF_SBOX_TKEK (0x21 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_E_JKEK (0x22 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_PKHA_E_TKEK (0x23 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_KEY_KEK (0x24 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_KEY_TKEK (0x25 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_SPLIT_KEK (0x26 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_SPLIT_TKEK (0x27 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_OUTFIFO_KEK (0x28 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_OUTFIFO_TKEK (0x29 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_MESSAGE_DATA (0x30 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_RNGSTORE (0x34 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_RNGFIFO (0x35 << FIFOST_TYPE_SHIFT)
+#define FIFOST_TYPE_SKIP (0x3f << FIFOST_TYPE_SHIFT)
+
+/*
+ * OPERATION Command Constructs
+ */
+
+/* Operation type selectors - OP TYPE */
+#define OP_TYPE_SHIFT 24
+#define OP_TYPE_MASK (0x07 << OP_TYPE_SHIFT)
+
+#define OP_TYPE_UNI_PROTOCOL (0x00 << OP_TYPE_SHIFT)
+#define OP_TYPE_PK (0x01 << OP_TYPE_SHIFT)
+#define OP_TYPE_CLASS1_ALG (0x02 << OP_TYPE_SHIFT)
+#define OP_TYPE_CLASS2_ALG (0x04 << OP_TYPE_SHIFT)
+#define OP_TYPE_DECAP_PROTOCOL (0x06 << OP_TYPE_SHIFT)
+#define OP_TYPE_ENCAP_PROTOCOL (0x07 << OP_TYPE_SHIFT)
+
+/* ProtocolID selectors - PROTID */
+#define OP_PCLID_SHIFT 16
+#define OP_PCLID_MASK (0xff << 16)
+
+/* Assuming OP_TYPE = OP_TYPE_UNI_PROTOCOL */
+#define OP_PCLID_IKEV1_PRF (0x01 << OP_PCLID_SHIFT)
+#define OP_PCLID_IKEV2_PRF (0x02 << OP_PCLID_SHIFT)
+#define OP_PCLID_SSL30_PRF (0x08 << OP_PCLID_SHIFT)
+#define OP_PCLID_TLS10_PRF (0x09 << OP_PCLID_SHIFT)
+#define OP_PCLID_TLS11_PRF (0x0a << OP_PCLID_SHIFT)
+#define OP_PCLID_DTLS10_PRF (0x0c << OP_PCLID_SHIFT)
+#define OP_PCLID_PRF (0x06 << OP_PCLID_SHIFT)
+#define OP_PCLID_BLOB (0x0d << OP_PCLID_SHIFT)
+#define OP_PCLID_SECRETKEY (0x11 << OP_PCLID_SHIFT)
+#define OP_PCLID_PUBLICKEYPAIR (0x14 << OP_PCLID_SHIFT)
+#define OP_PCLID_DSASIGN (0x15 << OP_PCLID_SHIFT)
+#define OP_PCLID_DSAVERIFY (0x16 << OP_PCLID_SHIFT)
+
+/* Assuming OP_TYPE = OP_TYPE_DECAP_PROTOCOL/ENCAP_PROTOCOL */
+#define OP_PCLID_IPSEC (0x01 << OP_PCLID_SHIFT)
+#define OP_PCLID_SRTP (0x02 << OP_PCLID_SHIFT)
+#define OP_PCLID_MACSEC (0x03 << OP_PCLID_SHIFT)
+#define OP_PCLID_WIFI (0x04 << OP_PCLID_SHIFT)
+#define OP_PCLID_WIMAX (0x05 << OP_PCLID_SHIFT)
+#define OP_PCLID_SSL30 (0x08 << OP_PCLID_SHIFT)
+#define OP_PCLID_TLS10 (0x09 << OP_PCLID_SHIFT)
+#define OP_PCLID_TLS11 (0x0a << OP_PCLID_SHIFT)
+#define OP_PCLID_TLS12 (0x0b << OP_PCLID_SHIFT)
+#define OP_PCLID_DTLS (0x0c << OP_PCLID_SHIFT)
+
+/*
+ * ProtocolInfo selectors
+ */
+#define OP_PCLINFO_MASK 0xffff
+
+/* for OP_PCLID_IPSEC */
+#define OP_PCL_IPSEC_CIPHER_MASK 0xff00
+#define OP_PCL_IPSEC_AUTH_MASK 0x00ff
+
+#define OP_PCL_IPSEC_DES_IV64 0x0100
+#define OP_PCL_IPSEC_DES 0x0200
+#define OP_PCL_IPSEC_3DES 0x0300
+#define OP_PCL_IPSEC_AES_CBC 0x0c00
+#define OP_PCL_IPSEC_AES_CTR 0x0d00
+#define OP_PCL_IPSEC_AES_XTS 0x1600
+#define OP_PCL_IPSEC_AES_CCM8 0x0e00
+#define OP_PCL_IPSEC_AES_CCM12 0x0f00
+#define OP_PCL_IPSEC_AES_CCM16 0x1000
+#define OP_PCL_IPSEC_AES_GCM8 0x1200
+#define OP_PCL_IPSEC_AES_GCM12 0x1300
+#define OP_PCL_IPSEC_AES_GCM16 0x1400
+
+#define OP_PCL_IPSEC_HMAC_NULL 0x0000
+#define OP_PCL_IPSEC_HMAC_MD5_96 0x0001
+#define OP_PCL_IPSEC_HMAC_SHA1_96 0x0002
+#define OP_PCL_IPSEC_AES_XCBC_MAC_96 0x0005
+#define OP_PCL_IPSEC_HMAC_MD5_128 0x0006
+#define OP_PCL_IPSEC_HMAC_SHA1_160 0x0007
+#define OP_PCL_IPSEC_HMAC_SHA2_256_128 0x000c
+#define OP_PCL_IPSEC_HMAC_SHA2_384_192 0x000d
+#define OP_PCL_IPSEC_HMAC_SHA2_512_256 0x000e
+
+/* For SRTP - OP_PCLID_SRTP */
+#define OP_PCL_SRTP_CIPHER_MASK 0xff00
+#define OP_PCL_SRTP_AUTH_MASK 0x00ff
+
+#define OP_PCL_SRTP_AES_CTR 0x0d00
+
+#define OP_PCL_SRTP_HMAC_SHA1_160 0x0007
+
+/* For SSL 3.0 - OP_PCLID_SSL30 */
+#define OP_PCL_SSL30_AES_128_CBC_SHA 0x002f
+#define OP_PCL_SSL30_AES_128_CBC_SHA_2 0x0030
+#define OP_PCL_SSL30_AES_128_CBC_SHA_3 0x0031
+#define OP_PCL_SSL30_AES_128_CBC_SHA_4 0x0032
+#define OP_PCL_SSL30_AES_128_CBC_SHA_5 0x0033
+#define OP_PCL_SSL30_AES_128_CBC_SHA_6 0x0034
+#define OP_PCL_SSL30_AES_128_CBC_SHA_7 0x008c
+#define OP_PCL_SSL30_AES_128_CBC_SHA_8 0x0090
+#define OP_PCL_SSL30_AES_128_CBC_SHA_9 0x0094
+#define OP_PCL_SSL30_AES_128_CBC_SHA_10 0xc004
+#define OP_PCL_SSL30_AES_128_CBC_SHA_11 0xc009
+#define OP_PCL_SSL30_AES_128_CBC_SHA_12 0xc00e
+#define OP_PCL_SSL30_AES_128_CBC_SHA_13 0xc013
+#define OP_PCL_SSL30_AES_128_CBC_SHA_14 0xc018
+#define OP_PCL_SSL30_AES_128_CBC_SHA_15 0xc01d
+#define OP_PCL_SSL30_AES_128_CBC_SHA_16 0xc01e
+#define OP_PCL_SSL30_AES_128_CBC_SHA_17 0xc01f
+
+#define OP_PCL_SSL30_AES_256_CBC_SHA 0x0035
+#define OP_PCL_SSL30_AES_256_CBC_SHA_2 0x0036
+#define OP_PCL_SSL30_AES_256_CBC_SHA_3 0x0037
+#define OP_PCL_SSL30_AES_256_CBC_SHA_4 0x0038
+#define OP_PCL_SSL30_AES_256_CBC_SHA_5 0x0039
+#define OP_PCL_SSL30_AES_256_CBC_SHA_6 0x003a
+#define OP_PCL_SSL30_AES_256_CBC_SHA_7 0x008d
+#define OP_PCL_SSL30_AES_256_CBC_SHA_8 0x0091
+#define OP_PCL_SSL30_AES_256_CBC_SHA_9 0x0095
+#define OP_PCL_SSL30_AES_256_CBC_SHA_10 0xc005
+#define OP_PCL_SSL30_AES_256_CBC_SHA_11 0xc00a
+#define OP_PCL_SSL30_AES_256_CBC_SHA_12 0xc00f
+#define OP_PCL_SSL30_AES_256_CBC_SHA_13 0xc014
+#define OP_PCL_SSL30_AES_256_CBC_SHA_14 0xc019
+#define OP_PCL_SSL30_AES_256_CBC_SHA_15 0xc020
+#define OP_PCL_SSL30_AES_256_CBC_SHA_16 0xc021
+#define OP_PCL_SSL30_AES_256_CBC_SHA_17 0xc022
+
+#define OP_PCL_SSL30_3DES_EDE_CBC_MD5 0x0023
+
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA 0x001f
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_2 0x008b
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_3 0x008f
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_4 0x0093
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_5 0x000a
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_6 0x000d
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_7 0x0010
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_8 0x0013
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_9 0x0016
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_10 0x001b
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_11 0xc003
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_12 0xc008
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_13 0xc00d
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_14 0xc012
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_15 0xc017
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_16 0xc01a
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_17 0xc01b
+#define OP_PCL_SSL30_3DES_EDE_CBC_SHA_18 0xc01c
+
+#define OP_PCL_SSL30_DES40_CBC_MD5 0x0029
+
+#define OP_PCL_SSL30_DES_CBC_MD5 0x0022
+
+#define OP_PCL_SSL30_DES40_CBC_SHA 0x0008
+#define OP_PCL_SSL30_DES40_CBC_SHA_2 0x000b
+#define OP_PCL_SSL30_DES40_CBC_SHA_3 0x000e
+#define OP_PCL_SSL30_DES40_CBC_SHA_4 0x0011
+#define OP_PCL_SSL30_DES40_CBC_SHA_5 0x0014
+#define OP_PCL_SSL30_DES40_CBC_SHA_6 0x0019
+#define OP_PCL_SSL30_DES40_CBC_SHA_7 0x0026
+
+#define OP_PCL_SSL30_DES_CBC_SHA 0x001e
+#define OP_PCL_SSL30_DES_CBC_SHA_2 0x0009
+#define OP_PCL_SSL30_DES_CBC_SHA_3 0x000c
+#define OP_PCL_SSL30_DES_CBC_SHA_4 0x000f
+#define OP_PCL_SSL30_DES_CBC_SHA_5 0x0012
+#define OP_PCL_SSL30_DES_CBC_SHA_6 0x0015
+#define OP_PCL_SSL30_DES_CBC_SHA_7 0x001a
+
+#define OP_PCL_SSL30_RC4_128_MD5 0x0024
+#define OP_PCL_SSL30_RC4_128_MD5_2 0x0004
+#define OP_PCL_SSL30_RC4_128_MD5_3 0x0018
+
+#define OP_PCL_SSL30_RC4_40_MD5 0x002b
+#define OP_PCL_SSL30_RC4_40_MD5_2 0x0003
+#define OP_PCL_SSL30_RC4_40_MD5_3 0x0017
+
+#define OP_PCL_SSL30_RC4_128_SHA 0x0020
+#define OP_PCL_SSL30_RC4_128_SHA_2 0x008a
+#define OP_PCL_SSL30_RC4_128_SHA_3 0x008e
+#define OP_PCL_SSL30_RC4_128_SHA_4 0x0092
+#define OP_PCL_SSL30_RC4_128_SHA_5 0x0005
+#define OP_PCL_SSL30_RC4_128_SHA_6 0xc002
+#define OP_PCL_SSL30_RC4_128_SHA_7 0xc007
+#define OP_PCL_SSL30_RC4_128_SHA_8 0xc00c
+#define OP_PCL_SSL30_RC4_128_SHA_9 0xc011
+#define OP_PCL_SSL30_RC4_128_SHA_10 0xc016
+
+#define OP_PCL_SSL30_RC4_40_SHA 0x0028
+
+
+/* For TLS 1.0 - OP_PCLID_TLS10 */
+#define OP_PCL_TLS10_AES_128_CBC_SHA 0x002f
+#define OP_PCL_TLS10_AES_128_CBC_SHA_2 0x0030
+#define OP_PCL_TLS10_AES_128_CBC_SHA_3 0x0031
+#define OP_PCL_TLS10_AES_128_CBC_SHA_4 0x0032
+#define OP_PCL_TLS10_AES_128_CBC_SHA_5 0x0033
+#define OP_PCL_TLS10_AES_128_CBC_SHA_6 0x0034
+#define OP_PCL_TLS10_AES_128_CBC_SHA_7 0x008c
+#define OP_PCL_TLS10_AES_128_CBC_SHA_8 0x0090
+#define OP_PCL_TLS10_AES_128_CBC_SHA_9 0x0094
+#define OP_PCL_TLS10_AES_128_CBC_SHA_10 0xc004
+#define OP_PCL_TLS10_AES_128_CBC_SHA_11 0xc009
+#define OP_PCL_TLS10_AES_128_CBC_SHA_12 0xc00e
+#define OP_PCL_TLS10_AES_128_CBC_SHA_13 0xc013
+#define OP_PCL_TLS10_AES_128_CBC_SHA_14 0xc018
+#define OP_PCL_TLS10_AES_128_CBC_SHA_15 0xc01d
+#define OP_PCL_TLS10_AES_128_CBC_SHA_16 0xc01e
+#define OP_PCL_TLS10_AES_128_CBC_SHA_17 0xc01f
+
+#define OP_PCL_TLS10_AES_256_CBC_SHA 0x0035
+#define OP_PCL_TLS10_AES_256_CBC_SHA_2 0x0036
+#define OP_PCL_TLS10_AES_256_CBC_SHA_3 0x0037
+#define OP_PCL_TLS10_AES_256_CBC_SHA_4 0x0038
+#define OP_PCL_TLS10_AES_256_CBC_SHA_5 0x0039
+#define OP_PCL_TLS10_AES_256_CBC_SHA_6 0x003a
+#define OP_PCL_TLS10_AES_256_CBC_SHA_7 0x008d
+#define OP_PCL_TLS10_AES_256_CBC_SHA_8 0x0091
+#define OP_PCL_TLS10_AES_256_CBC_SHA_9 0x0095
+#define OP_PCL_TLS10_AES_256_CBC_SHA_10 0xc005
+#define OP_PCL_TLS10_AES_256_CBC_SHA_11 0xc00a
+#define OP_PCL_TLS10_AES_256_CBC_SHA_12 0xc00f
+#define OP_PCL_TLS10_AES_256_CBC_SHA_13 0xc014
+#define OP_PCL_TLS10_AES_256_CBC_SHA_14 0xc019
+#define OP_PCL_TLS10_AES_256_CBC_SHA_15 0xc020
+#define OP_PCL_TLS10_AES_256_CBC_SHA_16 0xc021
+#define OP_PCL_TLS10_AES_256_CBC_SHA_17 0xc022
+
+/* #define OP_PCL_TLS10_3DES_EDE_CBC_MD5 0x0023 */
+
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA 0x001f
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_2 0x008b
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_3 0x008f
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_4 0x0093
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_5 0x000a
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_6 0x000d
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_7 0x0010
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_8 0x0013
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_9 0x0016
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_10 0x001b
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_11 0xc003
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_12 0xc008
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_13 0xc00d
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_14 0xc012
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_15 0xc017
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_16 0xc01a
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_17 0xc01b
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA_18 0xc01c
+
+#define OP_PCL_TLS10_DES40_CBC_MD5 0x0029
+
+#define OP_PCL_TLS10_DES_CBC_MD5 0x0022
+
+#define OP_PCL_TLS10_DES40_CBC_SHA 0x0008
+#define OP_PCL_TLS10_DES40_CBC_SHA_2 0x000b
+#define OP_PCL_TLS10_DES40_CBC_SHA_3 0x000e
+#define OP_PCL_TLS10_DES40_CBC_SHA_4 0x0011
+#define OP_PCL_TLS10_DES40_CBC_SHA_5 0x0014
+#define OP_PCL_TLS10_DES40_CBC_SHA_6 0x0019
+#define OP_PCL_TLS10_DES40_CBC_SHA_7 0x0026
+
+
+#define OP_PCL_TLS10_DES_CBC_SHA 0x001e
+#define OP_PCL_TLS10_DES_CBC_SHA_2 0x0009
+#define OP_PCL_TLS10_DES_CBC_SHA_3 0x000c
+#define OP_PCL_TLS10_DES_CBC_SHA_4 0x000f
+#define OP_PCL_TLS10_DES_CBC_SHA_5 0x0012
+#define OP_PCL_TLS10_DES_CBC_SHA_6 0x0015
+#define OP_PCL_TLS10_DES_CBC_SHA_7 0x001a
+
+#define OP_PCL_TLS10_RC4_128_MD5 0x0024
+#define OP_PCL_TLS10_RC4_128_MD5_2 0x0004
+#define OP_PCL_TLS10_RC4_128_MD5_3 0x0018
+
+#define OP_PCL_TLS10_RC4_40_MD5 0x002b
+#define OP_PCL_TLS10_RC4_40_MD5_2 0x0003
+#define OP_PCL_TLS10_RC4_40_MD5_3 0x0017
+
+#define OP_PCL_TLS10_RC4_128_SHA 0x0020
+#define OP_PCL_TLS10_RC4_128_SHA_2 0x008a
+#define OP_PCL_TLS10_RC4_128_SHA_3 0x008e
+#define OP_PCL_TLS10_RC4_128_SHA_4 0x0092
+#define OP_PCL_TLS10_RC4_128_SHA_5 0x0005
+#define OP_PCL_TLS10_RC4_128_SHA_6 0xc002
+#define OP_PCL_TLS10_RC4_128_SHA_7 0xc007
+#define OP_PCL_TLS10_RC4_128_SHA_8 0xc00c
+#define OP_PCL_TLS10_RC4_128_SHA_9 0xc011
+#define OP_PCL_TLS10_RC4_128_SHA_10 0xc016
+
+#define OP_PCL_TLS10_RC4_40_SHA 0x0028
+
+#define OP_PCL_TLS10_3DES_EDE_CBC_MD5 0xff23
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA160 0xff30
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA224 0xff34
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA256 0xff36
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA384 0xff33
+#define OP_PCL_TLS10_3DES_EDE_CBC_SHA512 0xff35
+#define OP_PCL_TLS10_AES_128_CBC_SHA160 0xff80
+#define OP_PCL_TLS10_AES_128_CBC_SHA224 0xff84
+#define OP_PCL_TLS10_AES_128_CBC_SHA256 0xff86
+#define OP_PCL_TLS10_AES_128_CBC_SHA384 0xff83
+#define OP_PCL_TLS10_AES_128_CBC_SHA512 0xff85
+#define OP_PCL_TLS10_AES_192_CBC_SHA160 0xff20
+#define OP_PCL_TLS10_AES_192_CBC_SHA224 0xff24
+#define OP_PCL_TLS10_AES_192_CBC_SHA256 0xff26
+#define OP_PCL_TLS10_AES_192_CBC_SHA384 0xff23
+#define OP_PCL_TLS10_AES_192_CBC_SHA512 0xff25
+#define OP_PCL_TLS10_AES_256_CBC_SHA160 0xff60
+#define OP_PCL_TLS10_AES_256_CBC_SHA224 0xff64
+#define OP_PCL_TLS10_AES_256_CBC_SHA256 0xff66
+#define OP_PCL_TLS10_AES_256_CBC_SHA384 0xff63
+#define OP_PCL_TLS10_AES_256_CBC_SHA512 0xff65
+
+
+
+/* For TLS 1.1 - OP_PCLID_TLS11 */
+#define OP_PCL_TLS11_AES_128_CBC_SHA 0x002f
+#define OP_PCL_TLS11_AES_128_CBC_SHA_2 0x0030
+#define OP_PCL_TLS11_AES_128_CBC_SHA_3 0x0031
+#define OP_PCL_TLS11_AES_128_CBC_SHA_4 0x0032
+#define OP_PCL_TLS11_AES_128_CBC_SHA_5 0x0033
+#define OP_PCL_TLS11_AES_128_CBC_SHA_6 0x0034
+#define OP_PCL_TLS11_AES_128_CBC_SHA_7 0x008c
+#define OP_PCL_TLS11_AES_128_CBC_SHA_8 0x0090
+#define OP_PCL_TLS11_AES_128_CBC_SHA_9 0x0094
+#define OP_PCL_TLS11_AES_128_CBC_SHA_10 0xc004
+#define OP_PCL_TLS11_AES_128_CBC_SHA_11 0xc009
+#define OP_PCL_TLS11_AES_128_CBC_SHA_12 0xc00e
+#define OP_PCL_TLS11_AES_128_CBC_SHA_13 0xc013
+#define OP_PCL_TLS11_AES_128_CBC_SHA_14 0xc018
+#define OP_PCL_TLS11_AES_128_CBC_SHA_15 0xc01d
+#define OP_PCL_TLS11_AES_128_CBC_SHA_16 0xc01e
+#define OP_PCL_TLS11_AES_128_CBC_SHA_17 0xc01f
+
+#define OP_PCL_TLS11_AES_256_CBC_SHA 0x0035
+#define OP_PCL_TLS11_AES_256_CBC_SHA_2 0x0036
+#define OP_PCL_TLS11_AES_256_CBC_SHA_3 0x0037
+#define OP_PCL_TLS11_AES_256_CBC_SHA_4 0x0038
+#define OP_PCL_TLS11_AES_256_CBC_SHA_5 0x0039
+#define OP_PCL_TLS11_AES_256_CBC_SHA_6 0x003a
+#define OP_PCL_TLS11_AES_256_CBC_SHA_7 0x008d
+#define OP_PCL_TLS11_AES_256_CBC_SHA_8 0x0091
+#define OP_PCL_TLS11_AES_256_CBC_SHA_9 0x0095
+#define OP_PCL_TLS11_AES_256_CBC_SHA_10 0xc005
+#define OP_PCL_TLS11_AES_256_CBC_SHA_11 0xc00a
+#define OP_PCL_TLS11_AES_256_CBC_SHA_12 0xc00f
+#define OP_PCL_TLS11_AES_256_CBC_SHA_13 0xc014
+#define OP_PCL_TLS11_AES_256_CBC_SHA_14 0xc019
+#define OP_PCL_TLS11_AES_256_CBC_SHA_15 0xc020
+#define OP_PCL_TLS11_AES_256_CBC_SHA_16 0xc021
+#define OP_PCL_TLS11_AES_256_CBC_SHA_17 0xc022
+
+/* #define OP_PCL_TLS11_3DES_EDE_CBC_MD5 0x0023 */
+
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA 0x001f
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_2 0x008b
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_3 0x008f
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_4 0x0093
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_5 0x000a
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_6 0x000d
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_7 0x0010
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_8 0x0013
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_9 0x0016
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_10 0x001b
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_11 0xc003
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_12 0xc008
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_13 0xc00d
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_14 0xc012
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_15 0xc017
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_16 0xc01a
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_17 0xc01b
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA_18 0xc01c
+
+#define OP_PCL_TLS11_DES40_CBC_MD5 0x0029
+
+#define OP_PCL_TLS11_DES_CBC_MD5 0x0022
+
+#define OP_PCL_TLS11_DES40_CBC_SHA 0x0008
+#define OP_PCL_TLS11_DES40_CBC_SHA_2 0x000b
+#define OP_PCL_TLS11_DES40_CBC_SHA_3 0x000e
+#define OP_PCL_TLS11_DES40_CBC_SHA_4 0x0011
+#define OP_PCL_TLS11_DES40_CBC_SHA_5 0x0014
+#define OP_PCL_TLS11_DES40_CBC_SHA_6 0x0019
+#define OP_PCL_TLS11_DES40_CBC_SHA_7 0x0026
+
+#define OP_PCL_TLS11_DES_CBC_SHA 0x001e
+#define OP_PCL_TLS11_DES_CBC_SHA_2 0x0009
+#define OP_PCL_TLS11_DES_CBC_SHA_3 0x000c
+#define OP_PCL_TLS11_DES_CBC_SHA_4 0x000f
+#define OP_PCL_TLS11_DES_CBC_SHA_5 0x0012
+#define OP_PCL_TLS11_DES_CBC_SHA_6 0x0015
+#define OP_PCL_TLS11_DES_CBC_SHA_7 0x001a
+
+#define OP_PCL_TLS11_RC4_128_MD5 0x0024
+#define OP_PCL_TLS11_RC4_128_MD5_2 0x0004
+#define OP_PCL_TLS11_RC4_128_MD5_3 0x0018
+
+#define OP_PCL_TLS11_RC4_40_MD5 0x002b
+#define OP_PCL_TLS11_RC4_40_MD5_2 0x0003
+#define OP_PCL_TLS11_RC4_40_MD5_3 0x0017
+
+#define OP_PCL_TLS11_RC4_128_SHA 0x0020
+#define OP_PCL_TLS11_RC4_128_SHA_2 0x008a
+#define OP_PCL_TLS11_RC4_128_SHA_3 0x008e
+#define OP_PCL_TLS11_RC4_128_SHA_4 0x0092
+#define OP_PCL_TLS11_RC4_128_SHA_5 0x0005
+#define OP_PCL_TLS11_RC4_128_SHA_6 0xc002
+#define OP_PCL_TLS11_RC4_128_SHA_7 0xc007
+#define OP_PCL_TLS11_RC4_128_SHA_8 0xc00c
+#define OP_PCL_TLS11_RC4_128_SHA_9 0xc011
+#define OP_PCL_TLS11_RC4_128_SHA_10 0xc016
+
+#define OP_PCL_TLS11_RC4_40_SHA 0x0028
+
+#define OP_PCL_TLS11_3DES_EDE_CBC_MD5 0xff23
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA160 0xff30
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA224 0xff34
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA256 0xff36
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA384 0xff33
+#define OP_PCL_TLS11_3DES_EDE_CBC_SHA512 0xff35
+#define OP_PCL_TLS11_AES_128_CBC_SHA160 0xff80
+#define OP_PCL_TLS11_AES_128_CBC_SHA224 0xff84
+#define OP_PCL_TLS11_AES_128_CBC_SHA256 0xff86
+#define OP_PCL_TLS11_AES_128_CBC_SHA384 0xff83
+#define OP_PCL_TLS11_AES_128_CBC_SHA512 0xff85
+#define OP_PCL_TLS11_AES_192_CBC_SHA160 0xff20
+#define OP_PCL_TLS11_AES_192_CBC_SHA224 0xff24
+#define OP_PCL_TLS11_AES_192_CBC_SHA256 0xff26
+#define OP_PCL_TLS11_AES_192_CBC_SHA384 0xff23
+#define OP_PCL_TLS11_AES_192_CBC_SHA512 0xff25
+#define OP_PCL_TLS11_AES_256_CBC_SHA160 0xff60
+#define OP_PCL_TLS11_AES_256_CBC_SHA224 0xff64
+#define OP_PCL_TLS11_AES_256_CBC_SHA256 0xff66
+#define OP_PCL_TLS11_AES_256_CBC_SHA384 0xff63
+#define OP_PCL_TLS11_AES_256_CBC_SHA512 0xff65
+
+
+/* For TLS 1.2 - OP_PCLID_TLS12 */
+#define OP_PCL_TLS12_AES_128_CBC_SHA 0x002f
+#define OP_PCL_TLS12_AES_128_CBC_SHA_2 0x0030
+#define OP_PCL_TLS12_AES_128_CBC_SHA_3 0x0031
+#define OP_PCL_TLS12_AES_128_CBC_SHA_4 0x0032
+#define OP_PCL_TLS12_AES_128_CBC_SHA_5 0x0033
+#define OP_PCL_TLS12_AES_128_CBC_SHA_6 0x0034
+#define OP_PCL_TLS12_AES_128_CBC_SHA_7 0x008c
+#define OP_PCL_TLS12_AES_128_CBC_SHA_8 0x0090
+#define OP_PCL_TLS12_AES_128_CBC_SHA_9 0x0094
+#define OP_PCL_TLS12_AES_128_CBC_SHA_10 0xc004
+#define OP_PCL_TLS12_AES_128_CBC_SHA_11 0xc009
+#define OP_PCL_TLS12_AES_128_CBC_SHA_12 0xc00e
+#define OP_PCL_TLS12_AES_128_CBC_SHA_13 0xc013
+#define OP_PCL_TLS12_AES_128_CBC_SHA_14 0xc018
+#define OP_PCL_TLS12_AES_128_CBC_SHA_15 0xc01d
+#define OP_PCL_TLS12_AES_128_CBC_SHA_16 0xc01e
+#define OP_PCL_TLS12_AES_128_CBC_SHA_17 0xc01f
+
+#define OP_PCL_TLS12_AES_256_CBC_SHA 0x0035
+#define OP_PCL_TLS12_AES_256_CBC_SHA_2 0x0036
+#define OP_PCL_TLS12_AES_256_CBC_SHA_3 0x0037
+#define OP_PCL_TLS12_AES_256_CBC_SHA_4 0x0038
+#define OP_PCL_TLS12_AES_256_CBC_SHA_5 0x0039
+#define OP_PCL_TLS12_AES_256_CBC_SHA_6 0x003a
+#define OP_PCL_TLS12_AES_256_CBC_SHA_7 0x008d
+#define OP_PCL_TLS12_AES_256_CBC_SHA_8 0x0091
+#define OP_PCL_TLS12_AES_256_CBC_SHA_9 0x0095
+#define OP_PCL_TLS12_AES_256_CBC_SHA_10 0xc005
+#define OP_PCL_TLS12_AES_256_CBC_SHA_11 0xc00a
+#define OP_PCL_TLS12_AES_256_CBC_SHA_12 0xc00f
+#define OP_PCL_TLS12_AES_256_CBC_SHA_13 0xc014
+#define OP_PCL_TLS12_AES_256_CBC_SHA_14 0xc019
+#define OP_PCL_TLS12_AES_256_CBC_SHA_15 0xc020
+#define OP_PCL_TLS12_AES_256_CBC_SHA_16 0xc021
+#define OP_PCL_TLS12_AES_256_CBC_SHA_17 0xc022
+
+/* #define OP_PCL_TLS12_3DES_EDE_CBC_MD5 0x0023 */
+
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA 0x001f
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_2 0x008b
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_3 0x008f
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_4 0x0093
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_5 0x000a
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_6 0x000d
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_7 0x0010
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_8 0x0013
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_9 0x0016
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_10 0x001b
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_11 0xc003
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_12 0xc008
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_13 0xc00d
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_14 0xc012
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_15 0xc017
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_16 0xc01a
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_17 0xc01b
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA_18 0xc01c
+
+#define OP_PCL_TLS12_DES40_CBC_MD5 0x0029
+
+#define OP_PCL_TLS12_DES_CBC_MD5 0x0022
+
+#define OP_PCL_TLS12_DES40_CBC_SHA 0x0008
+#define OP_PCL_TLS12_DES40_CBC_SHA_2 0x000b
+#define OP_PCL_TLS12_DES40_CBC_SHA_3 0x000e
+#define OP_PCL_TLS12_DES40_CBC_SHA_4 0x0011
+#define OP_PCL_TLS12_DES40_CBC_SHA_5 0x0014
+#define OP_PCL_TLS12_DES40_CBC_SHA_6 0x0019
+#define OP_PCL_TLS12_DES40_CBC_SHA_7 0x0026
+
+#define OP_PCL_TLS12_DES_CBC_SHA 0x001e
+#define OP_PCL_TLS12_DES_CBC_SHA_2 0x0009
+#define OP_PCL_TLS12_DES_CBC_SHA_3 0x000c
+#define OP_PCL_TLS12_DES_CBC_SHA_4 0x000f
+#define OP_PCL_TLS12_DES_CBC_SHA_5 0x0012
+#define OP_PCL_TLS12_DES_CBC_SHA_6 0x0015
+#define OP_PCL_TLS12_DES_CBC_SHA_7 0x001a
+
+#define OP_PCL_TLS12_RC4_128_MD5 0x0024
+#define OP_PCL_TLS12_RC4_128_MD5_2 0x0004
+#define OP_PCL_TLS12_RC4_128_MD5_3 0x0018
+
+#define OP_PCL_TLS12_RC4_40_MD5 0x002b
+#define OP_PCL_TLS12_RC4_40_MD5_2 0x0003
+#define OP_PCL_TLS12_RC4_40_MD5_3 0x0017
+
+#define OP_PCL_TLS12_RC4_128_SHA 0x0020
+#define OP_PCL_TLS12_RC4_128_SHA_2 0x008a
+#define OP_PCL_TLS12_RC4_128_SHA_3 0x008e
+#define OP_PCL_TLS12_RC4_128_SHA_4 0x0092
+#define OP_PCL_TLS12_RC4_128_SHA_5 0x0005
+#define OP_PCL_TLS12_RC4_128_SHA_6 0xc002
+#define OP_PCL_TLS12_RC4_128_SHA_7 0xc007
+#define OP_PCL_TLS12_RC4_128_SHA_8 0xc00c
+#define OP_PCL_TLS12_RC4_128_SHA_9 0xc011
+#define OP_PCL_TLS12_RC4_128_SHA_10 0xc016
+
+#define OP_PCL_TLS12_RC4_40_SHA 0x0028
+
+/* #define OP_PCL_TLS12_AES_128_CBC_SHA256 0x003c */
+#define OP_PCL_TLS12_AES_128_CBC_SHA256_2 0x003e
+#define OP_PCL_TLS12_AES_128_CBC_SHA256_3 0x003f
+#define OP_PCL_TLS12_AES_128_CBC_SHA256_4 0x0040
+#define OP_PCL_TLS12_AES_128_CBC_SHA256_5 0x0067
+#define OP_PCL_TLS12_AES_128_CBC_SHA256_6 0x006c
+
+/* #define OP_PCL_TLS12_AES_256_CBC_SHA256 0x003d */
+#define OP_PCL_TLS12_AES_256_CBC_SHA256_2 0x0068
+#define OP_PCL_TLS12_AES_256_CBC_SHA256_3 0x0069
+#define OP_PCL_TLS12_AES_256_CBC_SHA256_4 0x006a
+#define OP_PCL_TLS12_AES_256_CBC_SHA256_5 0x006b
+#define OP_PCL_TLS12_AES_256_CBC_SHA256_6 0x006d
+
+/* AEAD_AES_xxx_CCM/GCM remain to be defined... */
+
+#define OP_PCL_TLS12_3DES_EDE_CBC_MD5 0xff23
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA160 0xff30
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA224 0xff34
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA256 0xff36
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA384 0xff33
+#define OP_PCL_TLS12_3DES_EDE_CBC_SHA512 0xff35
+#define OP_PCL_TLS12_AES_128_CBC_SHA160 0xff80
+#define OP_PCL_TLS12_AES_128_CBC_SHA224 0xff84
+#define OP_PCL_TLS12_AES_128_CBC_SHA256 0xff86
+#define OP_PCL_TLS12_AES_128_CBC_SHA384 0xff83
+#define OP_PCL_TLS12_AES_128_CBC_SHA512 0xff85
+#define OP_PCL_TLS12_AES_192_CBC_SHA160 0xff20
+#define OP_PCL_TLS12_AES_192_CBC_SHA224 0xff24
+#define OP_PCL_TLS12_AES_192_CBC_SHA256 0xff26
+#define OP_PCL_TLS12_AES_192_CBC_SHA384 0xff23
+#define OP_PCL_TLS12_AES_192_CBC_SHA512 0xff25
+#define OP_PCL_TLS12_AES_256_CBC_SHA160 0xff60
+#define OP_PCL_TLS12_AES_256_CBC_SHA224 0xff64
+#define OP_PCL_TLS12_AES_256_CBC_SHA256 0xff66
+#define OP_PCL_TLS12_AES_256_CBC_SHA384 0xff63
+#define OP_PCL_TLS12_AES_256_CBC_SHA512 0xff65
+
+/* For DTLS - OP_PCLID_DTLS */
+
+#define OP_PCL_DTLS_AES_128_CBC_SHA 0x002f
+#define OP_PCL_DTLS_AES_128_CBC_SHA_2 0x0030
+#define OP_PCL_DTLS_AES_128_CBC_SHA_3 0x0031
+#define OP_PCL_DTLS_AES_128_CBC_SHA_4 0x0032
+#define OP_PCL_DTLS_AES_128_CBC_SHA_5 0x0033
+#define OP_PCL_DTLS_AES_128_CBC_SHA_6 0x0034
+#define OP_PCL_DTLS_AES_128_CBC_SHA_7 0x008c
+#define OP_PCL_DTLS_AES_128_CBC_SHA_8 0x0090
+#define OP_PCL_DTLS_AES_128_CBC_SHA_9 0x0094
+#define OP_PCL_DTLS_AES_128_CBC_SHA_10 0xc004
+#define OP_PCL_DTLS_AES_128_CBC_SHA_11 0xc009
+#define OP_PCL_DTLS_AES_128_CBC_SHA_12 0xc00e
+#define OP_PCL_DTLS_AES_128_CBC_SHA_13 0xc013
+#define OP_PCL_DTLS_AES_128_CBC_SHA_14 0xc018
+#define OP_PCL_DTLS_AES_128_CBC_SHA_15 0xc01d
+#define OP_PCL_DTLS_AES_128_CBC_SHA_16 0xc01e
+#define OP_PCL_DTLS_AES_128_CBC_SHA_17 0xc01f
+
+#define OP_PCL_DTLS_AES_256_CBC_SHA 0x0035
+#define OP_PCL_DTLS_AES_256_CBC_SHA_2 0x0036
+#define OP_PCL_DTLS_AES_256_CBC_SHA_3 0x0037
+#define OP_PCL_DTLS_AES_256_CBC_SHA_4 0x0038
+#define OP_PCL_DTLS_AES_256_CBC_SHA_5 0x0039
+#define OP_PCL_DTLS_AES_256_CBC_SHA_6 0x003a
+#define OP_PCL_DTLS_AES_256_CBC_SHA_7 0x008d
+#define OP_PCL_DTLS_AES_256_CBC_SHA_8 0x0091
+#define OP_PCL_DTLS_AES_256_CBC_SHA_9 0x0095
+#define OP_PCL_DTLS_AES_256_CBC_SHA_10 0xc005
+#define OP_PCL_DTLS_AES_256_CBC_SHA_11 0xc00a
+#define OP_PCL_DTLS_AES_256_CBC_SHA_12 0xc00f
+#define OP_PCL_DTLS_AES_256_CBC_SHA_13 0xc014
+#define OP_PCL_DTLS_AES_256_CBC_SHA_14 0xc019
+#define OP_PCL_DTLS_AES_256_CBC_SHA_15 0xc020
+#define OP_PCL_DTLS_AES_256_CBC_SHA_16 0xc021
+#define OP_PCL_DTLS_AES_256_CBC_SHA_17 0xc022
+
+/* #define OP_PCL_DTLS_3DES_EDE_CBC_MD5 0x0023 */
+
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA 0x001f
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_2 0x008b
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_3 0x008f
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_4 0x0093
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_5 0x000a
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_6 0x000d
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_7 0x0010
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_8 0x0013
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_9 0x0016
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_10 0x001b
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_11 0xc003
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_12 0xc008
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_13 0xc00d
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_14 0xc012
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_15 0xc017
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_16 0xc01a
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_17 0xc01b
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA_18 0xc01c
+
+#define OP_PCL_DTLS_DES40_CBC_MD5 0x0029
+
+#define OP_PCL_DTLS_DES_CBC_MD5 0x0022
+
+#define OP_PCL_DTLS_DES40_CBC_SHA 0x0008
+#define OP_PCL_DTLS_DES40_CBC_SHA_2 0x000b
+#define OP_PCL_DTLS_DES40_CBC_SHA_3 0x000e
+#define OP_PCL_DTLS_DES40_CBC_SHA_4 0x0011
+#define OP_PCL_DTLS_DES40_CBC_SHA_5 0x0014
+#define OP_PCL_DTLS_DES40_CBC_SHA_6 0x0019
+#define OP_PCL_DTLS_DES40_CBC_SHA_7 0x0026
+
+
+#define OP_PCL_DTLS_DES_CBC_SHA 0x001e
+#define OP_PCL_DTLS_DES_CBC_SHA_2 0x0009
+#define OP_PCL_DTLS_DES_CBC_SHA_3 0x000c
+#define OP_PCL_DTLS_DES_CBC_SHA_4 0x000f
+#define OP_PCL_DTLS_DES_CBC_SHA_5 0x0012
+#define OP_PCL_DTLS_DES_CBC_SHA_6 0x0015
+#define OP_PCL_DTLS_DES_CBC_SHA_7 0x001a
+
+
+#define OP_PCL_DTLS_3DES_EDE_CBC_MD5 0xff23
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA160 0xff30
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA224 0xff34
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA256 0xff36
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA384 0xff33
+#define OP_PCL_DTLS_3DES_EDE_CBC_SHA512 0xff35
+#define OP_PCL_DTLS_AES_128_CBC_SHA160 0xff80
+#define OP_PCL_DTLS_AES_128_CBC_SHA224 0xff84
+#define OP_PCL_DTLS_AES_128_CBC_SHA256 0xff86
+#define OP_PCL_DTLS_AES_128_CBC_SHA384 0xff83
+#define OP_PCL_DTLS_AES_128_CBC_SHA512 0xff85
+#define OP_PCL_DTLS_AES_192_CBC_SHA160 0xff20
+#define OP_PCL_DTLS_AES_192_CBC_SHA224 0xff24
+#define OP_PCL_DTLS_AES_192_CBC_SHA256 0xff26
+#define OP_PCL_DTLS_AES_192_CBC_SHA384 0xff23
+#define OP_PCL_DTLS_AES_192_CBC_SHA512 0xff25
+#define OP_PCL_DTLS_AES_256_CBC_SHA160 0xff60
+#define OP_PCL_DTLS_AES_256_CBC_SHA224 0xff64
+#define OP_PCL_DTLS_AES_256_CBC_SHA256 0xff66
+#define OP_PCL_DTLS_AES_256_CBC_SHA384 0xff63
+#define OP_PCL_DTLS_AES_256_CBC_SHA512 0xff65
+
+/* 802.16 WiMAX protinfos */
+#define OP_PCL_WIMAX_OFDM 0x0201
+#define OP_PCL_WIMAX_OFDMA 0x0231
+
+/* 802.11 WiFi protinfos */
+#define OP_PCL_WIFI 0xac04
+
+/* MacSec protinfos */
+#define OP_PCL_MACSEC 0x0001
+
+/* PKI unidirectional protocol protinfo bits */
+#define OP_PCL_PKPROT_TEST 0x0008
+#define OP_PCL_PKPROT_DECRYPT 0x0004
+#define OP_PCL_PKPROT_ECC 0x0002
+#define OP_PCL_PKPROT_F2M 0x0001
+
+/* For non-protocol/alg-only op commands */
+#define OP_ALG_TYPE_SHIFT 24
+#define OP_ALG_TYPE_MASK (0x7 << OP_ALG_TYPE_SHIFT)
+#define OP_ALG_TYPE_CLASS1 2
+#define OP_ALG_TYPE_CLASS2 4
+
+#define OP_ALG_ALGSEL_SHIFT 16
+#define OP_ALG_ALGSEL_MASK (0xff << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SUBMASK (0x0f << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_AES (0x10 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_DES (0x20 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_3DES (0x21 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_ARC4 (0x30 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_MD5 (0x40 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SHA1 (0x41 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SHA224 (0x42 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SHA256 (0x43 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SHA384 (0x44 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SHA512 (0x45 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_RNG (0x50 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SNOW (0x60 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SNOW_F8 (0x60 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_KASUMI (0x70 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_CRC (0x90 << OP_ALG_ALGSEL_SHIFT)
+#define OP_ALG_ALGSEL_SNOW_F9 (0xA0 << OP_ALG_ALGSEL_SHIFT)
+
+#define OP_ALG_AAI_SHIFT 4
+#define OP_ALG_AAI_MASK (0x1ff << OP_ALG_AAI_SHIFT)
+
+/* blockcipher AAI set */
+#define OP_ALG_AAI_CTR_MOD128 (0x00 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD8 (0x01 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD16 (0x02 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD24 (0x03 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD32 (0x04 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD40 (0x05 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD48 (0x06 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD56 (0x07 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD64 (0x08 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD72 (0x09 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD80 (0x0a << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD88 (0x0b << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD96 (0x0c << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD104 (0x0d << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD112 (0x0e << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_MOD120 (0x0f << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CBC (0x10 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_ECB (0x20 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CFB (0x30 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_OFB (0x40 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_XTS (0x50 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CMAC (0x60 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_XCBC_MAC (0x70 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CCM (0x80 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_GCM (0x90 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CBC_XCBCMAC (0xa0 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CTR_XCBCMAC (0xb0 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CHECKODD (0x80 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_DK (0x100 << OP_ALG_AAI_SHIFT)
+
+/* randomizer AAI set */
+#define OP_ALG_AAI_RNG (0x00 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_RNG_NOZERO (0x10 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_RNG_ODD (0x20 << OP_ALG_AAI_SHIFT)
+
+/* hmac/smac AAI set */
+#define OP_ALG_AAI_HASH (0x00 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_HMAC (0x01 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_SMAC (0x02 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_HMAC_PRECOMP (0x04 << OP_ALG_AAI_SHIFT)
+
+/* CRC AAI set*/
+#define OP_ALG_AAI_802 (0x01 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_3385 (0x02 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_CUST_POLY (0x04 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_DIS (0x10 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_DOS (0x20 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_DOC (0x40 << OP_ALG_AAI_SHIFT)
+
+/* Kasumi/SNOW AAI set */
+#define OP_ALG_AAI_F8 (0xc0 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_F9 (0xc8 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_GSM (0x10 << OP_ALG_AAI_SHIFT)
+#define OP_ALG_AAI_EDGE (0x20 << OP_ALG_AAI_SHIFT)
+
+
+#define OP_ALG_AS_SHIFT 2
+#define OP_ALG_AS_MASK (0x3 << OP_ALG_AS_SHIFT)
+#define OP_ALG_AS_UPDATE (0 << OP_ALG_AS_SHIFT)
+#define OP_ALG_AS_INIT (1 << OP_ALG_AS_SHIFT)
+#define OP_ALG_AS_FINALIZE (2 << OP_ALG_AS_SHIFT)
+#define OP_ALG_AS_INITFINAL (3 << OP_ALG_AS_SHIFT)
+
+#define OP_ALG_ICV_SHIFT 1
+#define OP_ALG_ICV_MASK (1 << OP_ALG_ICV_SHIFT)
+#define OP_ALG_ICV_OFF (0 << OP_ALG_ICV_SHIFT)
+#define OP_ALG_ICV_ON (1 << OP_ALG_ICV_SHIFT)
+
+#define OP_ALG_DIR_SHIFT 0
+#define OP_ALG_DIR_MASK 1
+#define OP_ALG_DECRYPT 0
+#define OP_ALG_ENCRYPT 1
+
+/* PKHA algorithm type set */
+#define OP_ALG_PK 0x00800000
+#define OP_ALG_PK_FUN_MASK 0x3f /* clrmem, modmath, or cpymem */
+
+/* PKHA mode clear memory functions */
+#define OP_ALG_PKMODE_A_RAM 0x80000
+#define OP_ALG_PKMODE_B_RAM 0x40000
+#define OP_ALG_PKMODE_E_RAM 0x20000
+#define OP_ALG_PKMODE_N_RAM 0x10000
+#define OP_ALG_PKMODE_CLEARMEM 0x00001
+
+/* PKHA mode modular-arithmetic functions */
+#define OP_ALG_PKMODE_MOD_IN_MONTY 0x80000
+#define OP_ALG_PKMODE_MOD_OUT_MONTY 0x40000
+#define OP_ALG_PKMODE_MOD_F2M 0x20000
+#define OP_ALG_PKMODE_MOD_R2_IN 0x10000
+#define OP_ALG_PKMODE_PRJECTV 0x00800
+#define OP_ALG_PKMODE_TIME_EQ 0x400
+#define OP_ALG_PKMODE_OUT_B 0x000
+#define OP_ALG_PKMODE_OUT_A 0x100
+#define OP_ALG_PKMODE_MOD_ADD 0x002
+#define OP_ALG_PKMODE_MOD_SUB_AB 0x003
+#define OP_ALG_PKMODE_MOD_SUB_BA 0x004
+#define OP_ALG_PKMODE_MOD_MULT 0x005
+#define OP_ALG_PKMODE_MOD_EXPO 0x006
+#define OP_ALG_PKMODE_MOD_REDUCT 0x007
+#define OP_ALG_PKMODE_MOD_INV 0x008
+#define OP_ALG_PKMODE_MOD_ECC_ADD 0x009
+#define OP_ALG_PKMODE_MOD_ECC_DBL 0x00a
+#define OP_ALG_PKMODE_MOD_ECC_MULT 0x00b
+#define OP_ALG_PKMODE_MOD_MONT_CNST 0x00c
+#define OP_ALG_PKMODE_MOD_CRT_CNST 0x00d
+#define OP_ALG_PKMODE_MOD_GCD 0x00e
+#define OP_ALG_PKMODE_MOD_PRIMALITY 0x00f
+
+/* PKHA mode copy-memory functions */
+#define OP_ALG_PKMODE_SRC_REG_SHIFT 13
+#define OP_ALG_PKMODE_SRC_REG_MASK (7 << OP_ALG_PKMODE_SRC_REG_SHIFT)
+#define OP_ALG_PKMODE_DST_REG_SHIFT 10
+#define OP_ALG_PKMODE_DST_REG_MASK (7 << OP_ALG_PKMODE_DST_REG_SHIFT)
+#define OP_ALG_PKMODE_SRC_SEG_SHIFT 8
+#define OP_ALG_PKMODE_SRC_SEG_MASK (3 << OP_ALG_PKMODE_SRC_SEG_SHIFT)
+#define OP_ALG_PKMODE_DST_SEG_SHIFT 6
+#define OP_ALG_PKMODE_DST_SEG_MASK (3 << OP_ALG_PKMODE_DST_SEG_SHIFT)
+
+#define OP_ALG_PKMODE_SRC_REG_A (0 << OP_ALG_PKMODE_SRC_REG_SHIFT)
+#define OP_ALG_PKMODE_SRC_REG_B (1 << OP_ALG_PKMODE_SRC_REG_SHIFT)
+#define OP_ALG_PKMODE_SRC_REG_N (3 << OP_ALG_PKMODE_SRC_REG_SHIFT)
+#define OP_ALG_PKMODE_DST_REG_A (0 << OP_ALG_PKMODE_DST_REG_SHIFT)
+#define OP_ALG_PKMODE_DST_REG_B (1 << OP_ALG_PKMODE_DST_REG_SHIFT)
+#define OP_ALG_PKMODE_DST_REG_E (2 << OP_ALG_PKMODE_DST_REG_SHIFT)
+#define OP_ALG_PKMODE_DST_REG_N (3 << OP_ALG_PKMODE_DST_REG_SHIFT)
+#define OP_ALG_PKMODE_SRC_SEG_0 (0 << OP_ALG_PKMODE_SRC_SEG_SHIFT)
+#define OP_ALG_PKMODE_SRC_SEG_1 (1 << OP_ALG_PKMODE_SRC_SEG_SHIFT)
+#define OP_ALG_PKMODE_SRC_SEG_2 (2 << OP_ALG_PKMODE_SRC_SEG_SHIFT)
+#define OP_ALG_PKMODE_SRC_SEG_3 (3 << OP_ALG_PKMODE_SRC_SEG_SHIFT)
+#define OP_ALG_PKMODE_DST_SEG_0 (0 << OP_ALG_PKMODE_DST_SEG_SHIFT)
+#define OP_ALG_PKMODE_DST_SEG_1 (1 << OP_ALG_PKMODE_DST_SEG_SHIFT)
+#define OP_ALG_PKMODE_DST_SEG_2 (2 << OP_ALG_PKMODE_DST_SEG_SHIFT)
+#define OP_ALG_PKMODE_DST_SEG_3 (3 << OP_ALG_PKMODE_DST_SEG_SHIFT)
+#define OP_ALG_PKMODE_CPYMEM_N_SZ 0x80
+#define OP_ALG_PKMODE_CPYMEM_SRC_SZ 0x81
+
+/*
+ * SEQ_IN_PTR Command Constructs
+ */
+
+/* Release Buffers */
+#define SQIN_RBS 0x04000000
+
+/* Sequence pointer is really a descriptor */
+#define SQIN_INL 0x02000000
+
+/* Sequence pointer is a scatter-gather table */
+#define SQIN_SGF 0x01000000
+
+/* Appends to a previous pointer */
+#define SQIN_PRE 0x00800000
+
+/* Use extended length following pointer */
+#define SQIN_EXT 0x00400000
+
+/* Restore sequence with pointer/length */
+#define SQIN_RTO 0x00200000
+
+/* Replace job descriptor */
+#define SQIN_RJD 0x00100000
+
+#define SQIN_LEN_SHIFT 0
+#define SQIN_LEN_MASK (0xffff << SQIN_LEN_SHIFT)
+
+/*
+ * SEQ_OUT_PTR Command Constructs
+ */
+
+/* Sequence pointer is a scatter-gather table */
+#define SQOUT_SGF 0x01000000
+
+/* Appends to a previous pointer */
+#define SQOUT_PRE 0x00800000
+
+/* Restore sequence with pointer/length */
+#define SQOUT_RTO 0x00200000
+
+/* Use extended length following pointer */
+#define SQOUT_EXT 0x00400000
+
+#define SQOUT_LEN_SHIFT 0
+#define SQOUT_LEN_MASK (0xffff << SQOUT_LEN_SHIFT)
+
+
+/*
+ * SIGNATURE Command Constructs
+ */
+
+/* TYPE field is all that's relevant */
+#define SIGN_TYPE_SHIFT 16
+#define SIGN_TYPE_MASK (0x0f << SIGN_TYPE_SHIFT)
+
+#define SIGN_TYPE_FINAL (0x00 << SIGN_TYPE_SHIFT)
+#define SIGN_TYPE_FINAL_RESTORE (0x01 << SIGN_TYPE_SHIFT)
+#define SIGN_TYPE_FINAL_NONZERO (0x02 << SIGN_TYPE_SHIFT)
+#define SIGN_TYPE_IMM_2 (0x0a << SIGN_TYPE_SHIFT)
+#define SIGN_TYPE_IMM_3 (0x0b << SIGN_TYPE_SHIFT)
+#define SIGN_TYPE_IMM_4 (0x0c << SIGN_TYPE_SHIFT)
+
+/*
+ * MOVE Command Constructs
+ */
+
+#define MOVE_AUX_SHIFT 25
+#define MOVE_AUX_MASK (3 << MOVE_AUX_SHIFT)
+#define MOVE_AUX_MS (2 << MOVE_AUX_SHIFT)
+#define MOVE_AUX_LS (1 << MOVE_AUX_SHIFT)
+
+#define MOVE_WAITCOMP_SHIFT 24
+#define MOVE_WAITCOMP_MASK (1 << MOVE_WAITCOMP_SHIFT)
+#define MOVE_WAITCOMP (1 << MOVE_WAITCOMP_SHIFT)
+
+#define MOVE_SRC_SHIFT 20
+#define MOVE_SRC_MASK (0x0f << MOVE_SRC_SHIFT)
+#define MOVE_SRC_CLASS1CTX (0x00 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_CLASS2CTX (0x01 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_OUTFIFO (0x02 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_DESCBUF (0x03 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_MATH0 (0x04 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_MATH1 (0x05 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_MATH2 (0x06 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_MATH3 (0x07 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_INFIFO (0x08 << MOVE_SRC_SHIFT)
+#define MOVE_SRC_INFIFO_CL (0x09 << MOVE_SRC_SHIFT)
+
+#define MOVE_DEST_SHIFT 16
+#define MOVE_DEST_MASK (0x0f << MOVE_DEST_SHIFT)
+#define MOVE_DEST_CLASS1CTX (0x00 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_CLASS2CTX (0x01 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_OUTFIFO (0x02 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_DESCBUF (0x03 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_MATH0 (0x04 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_MATH1 (0x05 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_MATH2 (0x06 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_MATH3 (0x07 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_CLASS1INFIFO (0x08 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_CLASS2INFIFO (0x09 << MOVE_DEST_SHIFT)
+#define MOVE_DEST_PK_A (0x0c << MOVE_DEST_SHIFT)
+#define MOVE_DEST_CLASS1KEY (0x0d << MOVE_DEST_SHIFT)
+#define MOVE_DEST_CLASS2KEY (0x0e << MOVE_DEST_SHIFT)
+
+#define MOVE_OFFSET_SHIFT 8
+#define MOVE_OFFSET_MASK (0xff << MOVE_OFFSET_SHIFT)
+
+#define MOVE_LEN_SHIFT 0
+#define MOVE_LEN_MASK (0xff << MOVE_LEN_SHIFT)
+
+#define MOVELEN_MRSEL_SHIFT 0
+#define MOVELEN_MRSEL_MASK (0x3 << MOVE_LEN_SHIFT)
+
+/*
+ * MATH Command Constructs
+ */
+
+#define MATH_IFB_SHIFT 26
+#define MATH_IFB_MASK (1 << MATH_IFB_SHIFT)
+#define MATH_IFB (1 << MATH_IFB_SHIFT)
+
+#define MATH_NFU_SHIFT 25
+#define MATH_NFU_MASK (1 << MATH_NFU_SHIFT)
+#define MATH_NFU (1 << MATH_NFU_SHIFT)
+
+#define MATH_STL_SHIFT 24
+#define MATH_STL_MASK (1 << MATH_STL_SHIFT)
+#define MATH_STL (1 << MATH_STL_SHIFT)
+
+/* Function selectors */
+#define MATH_FUN_SHIFT 20
+#define MATH_FUN_MASK (0x0f << MATH_FUN_SHIFT)
+#define MATH_FUN_ADD (0x00 << MATH_FUN_SHIFT)
+#define MATH_FUN_ADDC (0x01 << MATH_FUN_SHIFT)
+#define MATH_FUN_SUB (0x02 << MATH_FUN_SHIFT)
+#define MATH_FUN_SUBB (0x03 << MATH_FUN_SHIFT)
+#define MATH_FUN_OR (0x04 << MATH_FUN_SHIFT)
+#define MATH_FUN_AND (0x05 << MATH_FUN_SHIFT)
+#define MATH_FUN_XOR (0x06 << MATH_FUN_SHIFT)
+#define MATH_FUN_LSHIFT (0x07 << MATH_FUN_SHIFT)
+#define MATH_FUN_RSHIFT (0x08 << MATH_FUN_SHIFT)
+#define MATH_FUN_SHLD (0x09 << MATH_FUN_SHIFT)
+#define MATH_FUN_ZBYT (0x0a << MATH_FUN_SHIFT)
+
+/* Source 0 selectors */
+#define MATH_SRC0_SHIFT 16
+#define MATH_SRC0_MASK (0x0f << MATH_SRC0_SHIFT)
+#define MATH_SRC0_REG0 (0x00 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_REG1 (0x01 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_REG2 (0x02 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_REG3 (0x03 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_IMM (0x04 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_SEQINLEN (0x08 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_SEQOUTLEN (0x09 << MATH_SRC0_SHIFT)
+#define MATH_SRC0_VARSEQINLEN (0x0a << MATH_SRC0_SHIFT)
+#define MATH_SRC0_VARSEQOUTLEN (0x0b << MATH_SRC0_SHIFT)
+#define MATH_SRC0_ZERO (0x0c << MATH_SRC0_SHIFT)
+
+/* Source 1 selectors */
+#define MATH_SRC1_SHIFT 12
+#define MATH_SRC1_MASK (0x0f << MATH_SRC1_SHIFT)
+#define MATH_SRC1_REG0 (0x00 << MATH_SRC1_SHIFT)
+#define MATH_SRC1_REG1 (0x01 << MATH_SRC1_SHIFT)
+#define MATH_SRC1_REG2 (0x02 << MATH_SRC1_SHIFT)
+#define MATH_SRC1_REG3 (0x03 << MATH_SRC1_SHIFT)
+#define MATH_SRC1_IMM (0x04 << MATH_SRC1_SHIFT)
+#define MATH_SRC1_INFIFO (0x0a << MATH_SRC1_SHIFT)
+#define MATH_SRC1_OUTFIFO (0x0b << MATH_SRC1_SHIFT)
+#define MATH_SRC1_ONE (0x0c << MATH_SRC1_SHIFT)
+
+/* Destination selectors */
+#define MATH_DEST_SHIFT 8
+#define MATH_DEST_MASK (0x0f << MATH_DEST_SHIFT)
+#define MATH_DEST_REG0 (0x00 << MATH_DEST_SHIFT)
+#define MATH_DEST_REG1 (0x01 << MATH_DEST_SHIFT)
+#define MATH_DEST_REG2 (0x02 << MATH_DEST_SHIFT)
+#define MATH_DEST_REG3 (0x03 << MATH_DEST_SHIFT)
+#define MATH_DEST_SEQINLEN (0x08 << MATH_DEST_SHIFT)
+#define MATH_DEST_SEQOUTLEN (0x09 << MATH_DEST_SHIFT)
+#define MATH_DEST_VARSEQINLEN (0x0a << MATH_DEST_SHIFT)
+#define MATH_DEST_VARSEQOUTLEN (0x0b << MATH_DEST_SHIFT)
+#define MATH_DEST_NONE (0x0f << MATH_DEST_SHIFT)
+
+/* Length selectors */
+#define MATH_LEN_SHIFT 0
+#define MATH_LEN_MASK (0x0f << MATH_LEN_SHIFT)
+#define MATH_LEN_1BYTE 0x01
+#define MATH_LEN_2BYTE 0x02
+#define MATH_LEN_4BYTE 0x04
+#define MATH_LEN_8BYTE 0x08
+
+/*
+ * JUMP Command Constructs
+ */
+
+#define JUMP_CLASS_SHIFT 25
+#define JUMP_CLASS_MASK (3 << JUMP_CLASS_SHIFT)
+#define JUMP_CLASS_NONE 0
+#define JUMP_CLASS_CLASS1 (1 << JUMP_CLASS_SHIFT)
+#define JUMP_CLASS_CLASS2 (2 << JUMP_CLASS_SHIFT)
+#define JUMP_CLASS_BOTH (3 << JUMP_CLASS_SHIFT)
+
+#define JUMP_JSL_SHIFT 24
+#define JUMP_JSL_MASK (1 << JUMP_JSL_SHIFT)
+#define JUMP_JSL (1 << JUMP_JSL_SHIFT)
+
+#define JUMP_TYPE_SHIFT 22
+#define JUMP_TYPE_MASK (0x03 << JUMP_TYPE_SHIFT)
+#define JUMP_TYPE_LOCAL (0x00 << JUMP_TYPE_SHIFT)
+#define JUMP_TYPE_NONLOCAL (0x01 << JUMP_TYPE_SHIFT)
+#define JUMP_TYPE_HALT (0x02 << JUMP_TYPE_SHIFT)
+#define JUMP_TYPE_HALT_USER (0x03 << JUMP_TYPE_SHIFT)
+
+#define JUMP_TEST_SHIFT 16
+#define JUMP_TEST_MASK (0x03 << JUMP_TEST_SHIFT)
+#define JUMP_TEST_ALL (0x00 << JUMP_TEST_SHIFT)
+#define JUMP_TEST_INVALL (0x01 << JUMP_TEST_SHIFT)
+#define JUMP_TEST_ANY (0x02 << JUMP_TEST_SHIFT)
+#define JUMP_TEST_INVANY (0x03 << JUMP_TEST_SHIFT)
+
+/* Condition codes. JSL bit is factored in */
+#define JUMP_COND_SHIFT 8
+#define JUMP_COND_MASK (0x100ff << JUMP_COND_SHIFT)
+#define JUMP_COND_PK_0 (0x80 << JUMP_COND_SHIFT)
+#define JUMP_COND_PK_GCD_1 (0x40 << JUMP_COND_SHIFT)
+#define JUMP_COND_PK_PRIME (0x20 << JUMP_COND_SHIFT)
+#define JUMP_COND_MATH_N (0x08 << JUMP_COND_SHIFT)
+#define JUMP_COND_MATH_Z (0x04 << JUMP_COND_SHIFT)
+#define JUMP_COND_MATH_C (0x02 << JUMP_COND_SHIFT)
+#define JUMP_COND_MATH_NV (0x01 << JUMP_COND_SHIFT)
+
+#define JUMP_COND_JRP ((0x80 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_SHRD ((0x40 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_SELF ((0x20 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_CALM ((0x10 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_NIP ((0x08 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_NIFP ((0x04 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_NOP ((0x02 << JUMP_COND_SHIFT) | JUMP_JSL)
+#define JUMP_COND_NCP ((0x01 << JUMP_COND_SHIFT) | JUMP_JSL)
+
+#define JUMP_OFFSET_SHIFT 0
+#define JUMP_OFFSET_MASK (0xff << JUMP_OFFSET_SHIFT)
+
+/*
+ * NFIFO ENTRY
+ * Data Constructs
+ *
+ */
+#define NFIFOENTRY_DEST_SHIFT 30
+#define NFIFOENTRY_DEST_MASK (3 << NFIFOENTRY_DEST_SHIFT)
+#define NFIFOENTRY_DEST_DECO (0 << NFIFOENTRY_DEST_SHIFT)
+#define NFIFOENTRY_DEST_CLASS1 (1 << NFIFOENTRY_DEST_SHIFT)
+#define NFIFOENTRY_DEST_CLASS2 (2 << NFIFOENTRY_DEST_SHIFT)
+#define NFIFOENTRY_DEST_BOTH (3 << NFIFOENTRY_DEST_SHIFT)
+
+#define NFIFOENTRY_LC2_SHIFT 29
+#define NFIFOENTRY_LC2_MASK (1 << NFIFOENTRY_LC2_SHIFT)
+#define NFIFOENTRY_LC2 (1 << NFIFOENTRY_LC2_SHIFT)
+
+#define NFIFOENTRY_LC1_SHIFT 28
+#define NFIFOENTRY_LC1_MASK (1 << NFIFOENTRY_LC1_SHIFT)
+#define NFIFOENTRY_LC1 (1 << NFIFOENTRY_LC1_SHIFT)
+
+#define NFIFOENTRY_FC2_SHIFT 27
+#define NFIFOENTRY_FC2_MASK (1 << NFIFOENTRY_FC2_SHIFT)
+#define NFIFOENTRY_FC2 (1 << NFIFOENTRY_FC2_SHIFT)
+
+#define NFIFOENTRY_FC1_SHIFT 26
+#define NFIFOENTRY_FC1_MASK (1 << NFIFOENTRY_FC1_SHIFT)
+#define NFIFOENTRY_FC1 (1 << NFIFOENTRY_FC1_SHIFT)
+
+#define NFIFOENTRY_STYPE_SHIFT 24
+#define NFIFOENTRY_STYPE_MASK (3 << NFIFOENTRY_STYPE_SHIFT)
+#define NFIFOENTRY_STYPE_DFIFO (0 << NFIFOENTRY_STYPE_SHIFT)
+#define NFIFOENTRY_STYPE_OFIFO (1 << NFIFOENTRY_STYPE_SHIFT)
+#define NFIFOENTRY_STYPE_PAD (2 << NFIFOENTRY_STYPE_SHIFT)
+#define NFIFOENTRY_STYPE_SNOOP (3 << NFIFOENTRY_STYPE_SHIFT)
+
+#define NFIFOENTRY_DTYPE_SHIFT 20
+#define NFIFOENTRY_DTYPE_MASK (0xF << NFIFOENTRY_DTYPE_SHIFT)
+
+#define NFIFOENTRY_DTYPE_SBOX (0x0 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_AAD (0x1 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_IV (0x2 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_SAD (0x3 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_ICV (0xA << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_SKIP (0xE << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_MSG (0xF << NFIFOENTRY_DTYPE_SHIFT)
+
+#define NFIFOENTRY_DTYPE_PK_A0 (0x0 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_A1 (0x1 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_A2 (0x2 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_A3 (0x3 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_B0 (0x4 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_B1 (0x5 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_B2 (0x6 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_B3 (0x7 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_N (0x8 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_E (0x9 << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_A (0xC << NFIFOENTRY_DTYPE_SHIFT)
+#define NFIFOENTRY_DTYPE_PK_B (0xD << NFIFOENTRY_DTYPE_SHIFT)
+
+
+#define NFIFOENTRY_BND_SHIFT 19
+#define NFIFOENTRY_BND_MASK (1 << NFIFOENTRY_BND_SHIFT)
+#define NFIFOENTRY_BND (1 << NFIFOENTRY_BND_SHIFT)
+
+#define NFIFOENTRY_PTYPE_SHIFT 16
+#define NFIFOENTRY_PTYPE_MASK (0x7 << NFIFOENTRY_PTYPE_SHIFT)
+
+#define NFIFOENTRY_PTYPE_ZEROS (0x0 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_RND_NOZEROS (0x1 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_INCREMENT (0x2 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_RND (0x3 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_ZEROS_NZ (0x4 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_RND_NZ_LZ (0x5 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_N (0x6 << NFIFOENTRY_PTYPE_SHIFT)
+#define NFIFOENTRY_PTYPE_RND_NZ_N (0x7 << NFIFOENTRY_PTYPE_SHIFT)
+
+#define NFIFOENTRY_OC_SHIFT 15
+#define NFIFOENTRY_OC_MASK (1 << NFIFOENTRY_OC_SHIFT)
+#define NFIFOENTRY_OC (1 << NFIFOENTRY_OC_SHIFT)
+
+#define NFIFOENTRY_AST_SHIFT 14
+#define NFIFOENTRY_AST_MASK (1 << NFIFOENTRY_OC_SHIFT)
+#define NFIFOENTRY_AST (1 << NFIFOENTRY_OC_SHIFT)
+
+#define NFIFOENTRY_BM_SHIFT 11
+#define NFIFOENTRY_BM_MASK (1 << NFIFOENTRY_BM_SHIFT)
+#define NFIFOENTRY_BM (1 << NFIFOENTRY_BM_SHIFT)
+
+#define NFIFOENTRY_PS_SHIFT 10
+#define NFIFOENTRY_PS_MASK (1 << NFIFOENTRY_PS_SHIFT)
+#define NFIFOENTRY_PS (1 << NFIFOENTRY_PS_SHIFT)
+
+
+#define NFIFOENTRY_DLEN_SHIFT 0
+#define NFIFOENTRY_DLEN_MASK (0xFFF << NFIFOENTRY_DLEN_SHIFT)
+
+#define NFIFOENTRY_PLEN_SHIFT 0
+#define NFIFOENTRY_PLEN_MASK (0xFF << NFIFOENTRY_PLEN_SHIFT)
+
+/*
+ * PDB internal definitions
+ */
+
+/* IPSec ESP CBC Encap/Decap Options */
+#define PDBOPTS_ESPCBC_ARSNONE 0x00 /* no antireplay window */
+#define PDBOPTS_ESPCBC_ARS32 0x40 /* 32-entry antireplay window */
+#define PDBOPTS_ESPCBC_ARS64 0xc0 /* 64-entry antireplay window */
+#define PDBOPTS_ESPCBC_IVSRC 0x20 /* IV comes from internal random gen */
+#define PDBOPTS_ESPCBC_ESN 0x10 /* extended sequence included */
+#define PDBOPTS_ESPCBC_OUTFMT 0x08 /* output only decapsulation (decap) */
+#define PDBOPTS_ESPCBC_IPHDRSRC 0x08 /* IP header comes from PDB (encap) */
+#define PDBOPTS_ESPCBC_INCIPHDR 0x04 /* Prepend IP header to output frame */
+#define PDBOPTS_ESPCBC_IPVSN 0x02 /* process IPv6 header */
+#define PDBOPTS_ESPCBC_TUNNEL 0x01 /* tunnel mode next-header byte */
+
+#endif /* DESC_H */
diff --git a/include/jr.h b/include/jr.h
new file mode 100644
index 0000000..6edee47
--- /dev/null
+++ b/include/jr.h
@@ -0,0 +1,129 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __JR_H
+#define __JR_H
+
+#include <linux/compiler.h>
+
+#define JR_SIZE 4
+/* Timeout currently defined as 10 sec */
+#define CONFIG_SEC_DEQ_TIMEOUT 10000000U
+
+#define DEFAULT_JR_ID 0
+#define DEFAULT_JR_LIODN 0
+#define DEFAULT_IRQ 0 /* Interrupts not to be configured */
+
+#define MCFGR_SWRST ((uint32_t)(1)<<31) /* Software Reset */
+#define MCFGR_DMA_RST ((uint32_t)(1)<<28) /* DMA Reset */
+#define MCFGR_PS_SHIFT 16
+#define JR_INTMASK 0x00000001
+#define JRCR_RESET 0x01
+#define JRINT_ERR_HALT_INPROGRESS 0x4
+#define JRINT_ERR_HALT_MASK 0xc
+#define JRNSLIODN_SHIFT 16
+#define JRNSLIODN_MASK 0x0fff0000
+#define JRSLIODN_SHIFT 0
+#define JRSLIODN_MASK 0x00000fff
+
+#define JQ_DEQ_ERR -1
+#define JQ_DEQ_TO_ERR -2
+#define JQ_ENQ_ERR -3
+
+struct op_ring {
+ dma_addr_t desc;
+ uint32_t status;
+} __packed;
+
+typedef struct jr_info {
+ void (*callback)(dma_addr_t desc, uint32_t status, void *arg);
+ dma_addr_t desc_phys_addr;
+ uint32_t desc_addr;
+ uint32_t desc_len;
+ uint32_t op_done;
+ void *arg;
+} jr_info_t;
+
+typedef struct jobring {
+ int jq_id;
+ int irq;
+ int liodn;
+ /* Head is the index where software would enq the descriptor in
+ * the i/p ring
+ */
+ int head;
+ /* Tail index would be used by s/w ehile enqueuing to determine if
+ * there is any space left in the s/w maintained i/p rings
+ */
+ /* Also in case of deq tail will be incremented only in case of
+ * in-order job completion
+ */
+ int tail;
+ /* Read index of the output ring. It may not match with tail in case
+ * of out of order completetion
+ */
+ int read_idx;
+ /* Write index to input ring. Would be always equal to head */
+ int write_idx;
+ /* Size of the rings. */
+ int size;
+ /* The ip and output rings have to be accessed by SEC. So the
+ * pointers will ahve to point to the housekeeping region provided
+ * by SEC
+ */
+ /*Circular Ring of i/p descriptors */
+ dma_addr_t *input_ring;
+ /* Circular Ring of o/p descriptors */
+ /* Circula Ring containing info regarding descriptors in i/p
+ * and o/p ring
+ */
+ /* This ring can be on the stack */
+ jr_info_t info[JR_SIZE];
+ struct op_ring *output_ring;
+} jobring_t;
+
+struct result {
+ int done;
+ int err;
+ uint32_t status;
+ char outstr[256];
+};
+
+int sec_init(void);
+int jr_reset(void);
+int jr_enqueue(struct jobring *jr, uint32_t *desc_addr,
+ void (*callback)(uint32_t desc, uint32_t status, void *arg),
+ void *arg);
+int jr_dequeue(struct jobring *jr);
+int caam_jr_strstatus(char *outstr, u32 status);
+
+#endif
--
1.7.7.6
^ permalink raw reply related [flat|nested] 13+ messages in thread* [U-Boot] [PATCH 4/5] FSL SEC Driver : Add support for descriptor creation
2013-03-28 10:46 [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Ruchika Gupta
` (2 preceding siblings ...)
2013-03-28 10:46 ` [U-Boot] [PATCH 3/5] drivers/sec : Freescale SEC driver Ruchika Gupta
@ 2013-03-28 10:46 ` Ruchika Gupta
2013-03-28 10:46 ` [U-Boot] [PATCH 5/5] Added command for validation of images in case of secure boot Ruchika Gupta
2013-03-28 14:52 ` [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Otavio Salvador
5 siblings, 0 replies; 13+ messages in thread
From: Ruchika Gupta @ 2013-03-28 10:46 UTC (permalink / raw)
To: u-boot
The patch add supports for descriptor creation for doing
1.SHA256 and RSA Modular exponentiation.
2. Cryptographic blob encryption/decryption
Following files have been picked up from caam driver in Linux :
drivers/sec/error.c
include/desc_constr.h
Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
---
Based upon git://git.denx.de/u-boot.git branch master
drivers/sec/Makefile | 2 +-
drivers/sec/error.c | 259 +++++++++++++++++++++++++++++++++++++++++++++++++
drivers/sec/jobdesc.c | 157 ++++++++++++++++++++++++++++++
drivers/sec/rsa_sec.c | 95 ++++++++++++++++++
drivers/sec/sha.c | 111 +++++++++++++++++++++
include/desc_constr.h | 200 ++++++++++++++++++++++++++++++++++++++
include/jobdesc.h | 55 +++++++++++
include/rsa_sec.h | 59 +++++++++++
include/sha.h | 100 +++++++++++++++++++
9 files changed, 1037 insertions(+), 1 deletions(-)
create mode 100644 drivers/sec/error.c
create mode 100644 drivers/sec/jobdesc.c
create mode 100644 drivers/sec/rsa_sec.c
create mode 100644 drivers/sec/sha.c
create mode 100644 include/desc_constr.h
create mode 100644 include/jobdesc.h
create mode 100644 include/rsa_sec.h
create mode 100644 include/sha.h
diff --git a/drivers/sec/Makefile b/drivers/sec/Makefile
index 33c707e..01eafba 100644
--- a/drivers/sec/Makefile
+++ b/drivers/sec/Makefile
@@ -25,7 +25,7 @@ include $(TOPDIR)/config.mk
LIB := $(obj)libsec.o
-COBJS-$(CONFIG_SECURE_BOOT) += jr.o
+COBJS-$(CONFIG_SECURE_BOOT) += jr.o jobdesc.o sha.o rsa_sec.o error.o
COBJS := $(COBJS-y)
SRCS := $(COBJS:.o=.c)
diff --git a/drivers/sec/error.c b/drivers/sec/error.c
new file mode 100644
index 0000000..f8bd273
--- /dev/null
+++ b/drivers/sec/error.c
@@ -0,0 +1,259 @@
+/*
+ * CAAM Error Reporting
+ *
+ * Copyright 2009-2012 Freescale Semiconductor, Inc.
+ */
+
+#include <common.h>
+#include <jr.h>
+#include <malloc.h>
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+#define JRSTA_SSRC_SHIFT 28
+#define JRSTA_CCBERR_CHAID_MASK 0x00f0
+#define JRSTA_CCBERR_CHAID_SHIFT 4
+#define JRSTA_CCBERR_ERRID_MASK 0x000
+
+#define JRSTA_DECOERR_JUMP 0x08000000
+#define JRSTA_DECOERR_INDEX_SHIFT 8
+#define JRSTA_DECOERR_INDEX_MASK 0xff00
+#define JRSTA_DECOERR_ERROR_MASK 0x00ff
+
+#define SPRINTFCAT(str, format, param, max_alloc) \
+{ \
+ char *tmp; \
+ \
+ tmp = malloc(sizeof(format) + max_alloc); \
+ sprintf(tmp, format, param); \
+ strcat(str, tmp); \
+ free(tmp); \
+}
+
+static void report_jump_idx(u32 status, char *outstr)
+{
+ u8 idx = (status & JRSTA_DECOERR_INDEX_MASK) >>
+ JRSTA_DECOERR_INDEX_SHIFT;
+
+ if (status & JRSTA_DECOERR_JUMP)
+ strcat(outstr, "jump tgt desc idx ");
+ else
+ strcat(outstr, "desc idx ");
+
+ SPRINTFCAT(outstr, "%d: ", idx, sizeof("255"));
+}
+
+static void report_ccb_status(u32 status, char *outstr)
+{
+ char *cha_id_list[] = {
+ "",
+ "AES",
+ "DES, 3DES",
+ "ARC4",
+ "MD5, SHA-1, SH-224, SHA-256, SHA-384, SHA-512",
+ "RNG",
+ "SNOW f8",
+ "Kasumi f8, f9",
+ "All Public Key Algorithms",
+ "CRC",
+ "SNOW f9",
+ };
+ char *err_id_list[] = {
+ "None. No error.",
+ "Mode error.",
+ "Data size error.",
+ "Key size error.",
+ "PKHA A memory size error.",
+ "PKHA B memory size error.",
+ "Data arrived out of sequence error.",
+ "PKHA divide-by-zero error.",
+ "PKHA modulus even error.",
+ "DES key parity error.",
+ "ICV check failed.",
+ "Hardware error.",
+ "Unsupported CCM AAD size.",
+ "Class 1 CHA is not reset",
+ "Invalid CHA combination was selected",
+ "Invalid CHA selected.",
+ };
+ u8 cha_id = (status & JRSTA_CCBERR_CHAID_MASK) >>
+ JRSTA_CCBERR_CHAID_SHIFT;
+ u8 err_id = status & JRSTA_CCBERR_ERRID_MASK;
+
+ report_jump_idx(status, outstr);
+
+ if (cha_id < ARRAY_SIZE(cha_id_list)) {
+ SPRINTFCAT(outstr, "%s: ", cha_id_list[cha_id],
+ strlen(cha_id_list[cha_id]));
+ } else {
+ SPRINTFCAT(outstr, "unidentified cha_id value 0x%02x: ",
+ cha_id, sizeof("ff"));
+ }
+
+ if (err_id < ARRAY_SIZE(err_id_list)) {
+ SPRINTFCAT(outstr, "%s", err_id_list[err_id],
+ strlen(err_id_list[err_id]));
+ } else {
+ SPRINTFCAT(outstr, "unidentified err_id value 0x%02x",
+ err_id, sizeof("ff"));
+ }
+}
+
+static void report_jump_status(u32 status, char *outstr)
+{
+ SPRINTFCAT(outstr, "%s() not implemented", __func__, sizeof(__func__));
+}
+
+static void report_deco_status(u32 status, char *outstr)
+{
+ const struct {
+ u8 value;
+ char *error_text;
+ } desc_error_list[] = {
+ { 0x00, "None. No error." },
+ { 0x01, "SGT Length Error. The descriptor is trying to read "
+ "more data than is contained in the SGT table." },
+ { 0x02, "Reserved." },
+ { 0x03, "Job Ring Control Error. There is a bad value in the "
+ "Job Ring Control register." },
+ { 0x04, "Invalid Descriptor Command. The Descriptor Command "
+ "field is invalid." },
+ { 0x05, "Reserved." },
+ { 0x06, "Invalid KEY Command" },
+ { 0x07, "Invalid LOAD Command" },
+ { 0x08, "Invalid STORE Command" },
+ { 0x09, "Invalid OPERATION Command" },
+ { 0x0A, "Invalid FIFO LOAD Command" },
+ { 0x0B, "Invalid FIFO STORE Command" },
+ { 0x0C, "Invalid MOVE Command" },
+ { 0x0D, "Invalid JUMP Command. A nonlocal JUMP Command is "
+ "invalid because the target is not a Job Header "
+ "Command, or the jump is from a Trusted Descriptor to "
+ "a Job Descriptor, or because the target Descriptor "
+ "contains a Shared Descriptor." },
+ { 0x0E, "Invalid MATH Command" },
+ { 0x0F, "Invalid SIGNATURE Command" },
+ { 0x10, "Invalid Sequence Command. A SEQ IN PTR OR SEQ OUT PTR "
+ "Command is invalid or a SEQ KEY, SEQ LOAD, SEQ FIFO "
+ "LOAD, or SEQ FIFO STORE decremented the input or "
+ "output sequence length below 0. This error may result "
+ "if a built-in PROTOCOL Command has encountered a "
+ "malformed PDU." },
+ { 0x11, "Skip data type invalid. The type must be 0xE or 0xF."},
+ { 0x12, "Shared Descriptor Header Error" },
+ { 0x13, "Header Error. Invalid length or parity, or certain "
+ "other problems." },
+ { 0x14, "Burster Error. Burster has gotten to an illegal "
+ "state" },
+ { 0x15, "Context Register Length Error. The descriptor is "
+ "trying to read or write past the end of the Context "
+ "Register. A SEQ LOAD or SEQ STORE with the VLF bit "
+ "set was executed with too large a length in the "
+ "variable length register (VSOL for SEQ STORE or VSIL "
+ "for SEQ LOAD)." },
+ { 0x16, "DMA Error" },
+ { 0x17, "Reserved." },
+ { 0x1A, "Job failed due to JR reset" },
+ { 0x1B, "Job failed due to Fail Mode" },
+ { 0x1C, "DECO Watchdog timer timeout error" },
+ { 0x1D, "DECO tried to copy a key from another DECO but the "
+ "other DECO's Key Registers were locked" },
+ { 0x1E, "DECO attempted to copy data from a DECO that had an "
+ "unmasked Descriptor error" },
+ { 0x1F, "LIODN error. DECO was trying to share from itself or "
+ "from another DECO but the two Non-SEQ LIODN values "
+ "didn't match or the 'shared from' DECO's Descriptor "
+ "required that the SEQ LIODNs be the same and they "
+ "aren't." },
+ { 0x20, "DECO has completed a reset initiated via the DRR "
+ "register" },
+ { 0x21, "Nonce error. When using EKT (CCM) key encryption "
+ "option in the FIFO STORE Command, the Nonce counter "
+ "reached its maximum value and this encryption mode "
+ "can no longer be used." },
+ { 0x22, "Meta data is too large (> 511 bytes) for TLS decap "
+ "(input frame; block ciphers) and IPsec decap (output "
+ "frame, when doing the next header byte update) and "
+ "DCRC (output frame)." },
+ { 0x80, "DNR (do not run) error" },
+ { 0x81, "undefined protocol command" },
+ { 0x82, "invalid setting in PDB" },
+ { 0x83, "Anti-replay LATE error" },
+ { 0x84, "Anti-replay REPLAY error" },
+ { 0x85, "Sequence number overflow" },
+ { 0x86, "Sigver invalid signature" },
+ { 0x87, "DSA Sign Illegal test descriptor" },
+ { 0x88, "Protocol Format Error - A protocol has seen an error "
+ "in the format of data received. When running RSA, "
+ "this means that formatting with random padding was "
+ "used, and did not follow the form: 0x00, 0x02, 8-to-N "
+ "bytes of non-zero pad, 0x00, F data." },
+ { 0x89, "Protocol Size Error - A protocol has seen an error in "
+ "size. When running RSA, pdb size N < (size of F) when "
+ "no formatting is used; or pdb size N < (F + 11) when "
+ "formatting is used." },
+ { 0xC1, "Blob Command error: Undefined mode" },
+ { 0xC2, "Blob Command error: Secure Memory Blob mode error" },
+ { 0xC4, "Blob Command error: Black Blob key or input size "
+ "error" },
+ { 0xC5, "Blob Command error: Invalid key destination" },
+ { 0xC8, "Blob Command error: Trusted/Secure mode error" },
+ { 0xF0, "IPsec TTL or hop limit field either came in as 0, "
+ "or was decremented to 0" },
+ { 0xF1, "3GPP HFN matches or exceeds the Threshold" },
+ };
+ u8 desc_error = status & JRSTA_DECOERR_ERROR_MASK;
+ int i;
+
+ report_jump_idx(status, outstr);
+
+ for (i = 0; i < ARRAY_SIZE(desc_error_list); i++)
+ if (desc_error_list[i].value == desc_error)
+ break;
+
+ if (i != ARRAY_SIZE(desc_error_list) && desc_error_list[i].error_text) {
+ SPRINTFCAT(outstr, "%s", desc_error_list[i].error_text,
+ strlen(desc_error_list[i].error_text));
+ } else {
+ SPRINTFCAT(outstr, "unidentified error value 0x%02x",
+ desc_error, sizeof("ff"));
+ }
+}
+
+static void report_jr_status(u32 status, char *outstr)
+{
+}
+
+static void report_cond_code_status(u32 status, char *outstr)
+{
+ SPRINTFCAT(outstr, "%s() not implemented", __func__, sizeof(__func__));
+}
+
+int caam_jr_strstatus(char *outstr, u32 status)
+{
+ int ret = 0;
+ struct stat_src {
+ void (*report_ssed)(u32 status, char *outstr);
+ char *error;
+ } status_src[] = {
+ { NULL, "No error" },
+ { NULL, NULL },
+ { report_ccb_status, "CCB" },
+ { report_jump_status, "Jump" },
+ { report_deco_status, "DECO" },
+ { NULL, NULL },
+ { report_jr_status, "Job Ring" },
+ { report_cond_code_status, "Condition Code" },
+ };
+ u32 ssrc = status >> JRSTA_SSRC_SHIFT;
+
+ sprintf(outstr, "%s: ", status_src[ssrc].error);
+
+ if (status_src[ssrc].report_ssed) {
+ status_src[ssrc].report_ssed(status, outstr);
+ ret = -1;
+ } else
+ ret = 0;
+
+ return ret;
+}
diff --git a/drivers/sec/jobdesc.c b/drivers/sec/jobdesc.c
new file mode 100644
index 0000000..21b4017
--- /dev/null
+++ b/drivers/sec/jobdesc.c
@@ -0,0 +1,157 @@
+/*
+ * SEC Descriptor Construction Library
+ * Basic job descriptor construction
+ *
+ * Copyright (c) 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+#include <desc_constr.h>
+#include <jobdesc.h>
+
+void inline_cnstr_jobdesc_blob_encrypt(uint32_t *desc, uint8_t *key_idnfr,
+ uint32_t keysz, uint8_t *plain_txt, uint8_t *enc_blob,
+ uint32_t in_sz, uint32_t out_sz)
+{
+
+ dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out;
+ uint32_t key_sz = 16 ;
+
+ dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr);
+ dma_addr_in = virt_to_phys((void *)plain_txt);
+ dma_addr_out = virt_to_phys((void *)enc_blob);
+
+ init_job_desc(desc, 0);
+ append_key(desc, dma_addr_key_idnfr, key_sz, CLASS_2);
+
+ if (in_sz > 0xffff) {
+ append_seq_in_ptr(desc, dma_addr_in, 0, SQIN_EXT);
+ append_cmd(desc, in_sz);
+ } else {
+ append_seq_in_ptr(desc, dma_addr_in, in_sz, 0);
+ }
+
+ if (out_sz > 0xffff) {
+ append_seq_out_ptr(desc, dma_addr_out, 0, SQOUT_EXT);
+ append_cmd(desc, out_sz);
+ } else {
+ append_seq_out_ptr(desc, dma_addr_out, out_sz, 0);
+ }
+ append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB);
+}
+
+void inline_cnstr_jobdesc_blob_decrypt(uint32_t *desc, uint8_t *key_idnfr,
+ uint32_t keysz, uint8_t *enc_blob, uint8_t *plain_txt,
+ uint32_t in_sz, uint32_t out_sz)
+{
+ dma_addr_t dma_addr_key_idnfr, dma_addr_in, dma_addr_out;
+ uint32_t key_sz = 16 ;
+
+ dma_addr_key_idnfr = virt_to_phys((void *)key_idnfr);
+ dma_addr_in = virt_to_phys((void *)enc_blob);
+ dma_addr_out = virt_to_phys((void *)plain_txt);
+
+ init_job_desc(desc, 0);
+ append_key(desc, dma_addr_key_idnfr, key_sz, CLASS_2);
+ if (in_sz > 0xffff) {
+ append_seq_in_ptr(desc, dma_addr_in, 0, SQIN_EXT);
+ append_cmd(desc, in_sz);
+ } else {
+ append_seq_in_ptr(desc, dma_addr_in, in_sz, 0);
+ }
+
+ if (out_sz > 0xffff) {
+ append_seq_out_ptr(desc, dma_addr_out, 0, SQOUT_EXT);
+ append_cmd(desc, out_sz);
+ } else {
+ append_seq_out_ptr(desc, dma_addr_out, out_sz, 0);
+ }
+
+ append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
+}
+
+
+/* Change key size to bytes form bits in calling function*/
+void inline_cnstr_jobdesc_pkha_rsaexp(uint32_t *desc,
+ struct pk_in_params *pkin, uint8_t *out,
+ uint32_t out_siz)
+{
+ dma_addr_t dma_addr_e, dma_addr_a, dma_addr_n, dma_addr_out;
+
+ dma_addr_e = virt_to_phys((void *)pkin->e);
+ dma_addr_a = virt_to_phys((void *)pkin->a);
+ dma_addr_n = virt_to_phys((void *)pkin->n);
+ dma_addr_out = virt_to_phys((void *)out);
+
+ init_job_desc(desc, 0);
+ append_key(desc, dma_addr_e, pkin->e_siz, KEY_DEST_PKHA_E | CLASS_1);
+
+ append_fifo_load(desc, dma_addr_a,
+ pkin->a_siz, LDST_CLASS_1_CCB | FIFOLD_TYPE_PK_A);
+
+ append_fifo_load(desc, dma_addr_n,
+ pkin->n_siz, LDST_CLASS_1_CCB | FIFOLD_TYPE_PK_N);
+
+ append_operation(desc, OP_TYPE_PK | OP_ALG_PK | OP_ALG_PKMODE_MOD_EXPO);
+
+ append_fifo_store(desc, dma_addr_out, out_siz,
+ LDST_CLASS_1_CCB | FIFOST_TYPE_PKHA_B);
+}
+
+void inline_cnstr_jobdesc_sha256(uint32_t *desc,
+ uint8_t *msg, uint32_t msgsz,
+ uint8_t *digest)
+{
+ /* SHA 256 , output is of length 32 words */
+ uint32_t storelen = 32;
+ dma_addr_t dma_addr_in, dma_addr_out;
+
+ dma_addr_in = virt_to_phys((void *)msg);
+ dma_addr_out = virt_to_phys((void *)digest);
+
+ init_job_desc(desc, 0);
+ append_operation(desc,
+ OP_TYPE_CLASS2_ALG | OP_ALG_ALGSEL_SHA256 |
+ OP_ALG_AAI_HASH | OP_ALG_AS_INITFINAL | OP_ALG_ENCRYPT
+ | OP_ALG_ICV_OFF);
+ if (msgsz > 0xffff) {
+ append_fifo_load(desc, dma_addr_in, 0,
+ LDST_CLASS_2_CCB | FIFOLDST_SGF |
+ FIFOLD_TYPE_MSG | FIFOLD_TYPE_LAST2 |
+ FIFOLDST_EXT);
+ append_cmd(desc, msgsz);
+ } else
+ append_fifo_load(desc, dma_addr_in, msgsz,
+ LDST_CLASS_2_CCB | FIFOLDST_SGF |
+ FIFOLD_TYPE_MSG | FIFOLD_TYPE_LAST2);
+ append_store(desc, dma_addr_out, storelen,
+ LDST_CLASS_2_CCB | LDST_SRCDST_BYTE_CONTEXT);
+}
diff --git a/drivers/sec/rsa_sec.c b/drivers/sec/rsa_sec.c
new file mode 100644
index 0000000..6e114aa
--- /dev/null
+++ b/drivers/sec/rsa_sec.c
@@ -0,0 +1,95 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+#include <rsa_sec.h>
+#include <jobdesc.h>
+
+extern struct jobring jr;
+
+void rsa_done(uint32_t desc, uint32_t status, void *arg)
+{
+ struct result *x = arg;
+ x->status = status;
+#ifdef DEBUG
+ x->err = caam_jr_strstatus(x->outstr, status);
+#else
+ if (status)
+ x->err = -1;
+#endif
+
+ x->done = 1;
+}
+
+/* This functionw ould return teh status returned by SEC .
+ * If non zero , means there was some error reported by SEC */
+int rsa_public_verif_sec(unsigned char *sign, uint8_t *to, uint8_t *rsa_pub_key,
+ int klen, struct rsa_context *ctx)
+{
+ unsigned long long timeval;
+ unsigned long long timeout;
+ int ret = 0;
+ memset(ctx, 0, sizeof(struct rsa_context));
+
+ ctx->pkin.a = sign;
+ ctx->pkin.a_siz = klen;
+ ctx->pkin.n = rsa_pub_key;
+ ctx->pkin.n_siz = klen;
+ ctx->pkin.e = rsa_pub_key + klen;
+ ctx->pkin.e_siz = klen;
+
+ inline_cnstr_jobdesc_pkha_rsaexp(ctx->rsa_desc,
+ &ctx->pkin, to,
+ klen);
+
+ ret = jr_enqueue(&jr, ctx->rsa_desc, rsa_done, &ctx->op);
+ if (ret)
+ return ret;
+
+ timeval = get_ticks();
+ timeout = usec2ticks(CONFIG_SEC_DEQ_TIMEOUT);
+
+ while (ctx->op.done != 1) {
+ if (jr_dequeue(&jr))
+ return JQ_DEQ_ERR;
+
+ if ((get_ticks() - timeval) > timeout) {
+ printf("SEC Dequeue timed out\n");
+ return JQ_DEQ_TO_ERR;
+ }
+ }
+
+ if (ctx->op.err < 0)
+ return ctx->op.status;
+
+ return 0;
+}
diff --git a/drivers/sec/sha.c b/drivers/sec/sha.c
new file mode 100644
index 0000000..4bbae65
--- /dev/null
+++ b/drivers/sec/sha.c
@@ -0,0 +1,111 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <common.h>
+#include <jobdesc.h>
+#include <sha.h>
+
+extern struct jobring jr;
+
+void sha_done(uint32_t desc, uint32_t status, void *arg)
+{
+ struct result *x = arg;
+ x->status = status;
+ x->err = caam_jr_strstatus(x->outstr, status);
+ x->done = 1;
+}
+
+/* This function initializes the sha-256 context */
+void sha_init(struct sha_ctx *ctx)
+{
+ memset(ctx, 0, sizeof(struct sha_ctx));
+ ctx->jr = &jr;
+}
+
+void sha_update(struct sha_ctx *ctx, u8 *buffer, u32 length)
+{
+ dma_addr_t addr = virt_to_phys((void *)buffer);
+#ifdef CONFIG_PHYS_64BIT
+ ctx->sg_tbl[ctx->sg_num].addr_hi = addr >> 32;
+#else
+ ctx->sg_tbl[ctx->sg_num].addr_hi = 0x0;
+#endif
+ ctx->sg_tbl[ctx->sg_num].addr_lo = addr;
+ ctx->sg_tbl[ctx->sg_num].length = length;
+ ctx->sg_num++;
+}
+
+int sha_final(struct sha_ctx *ctx)
+{
+ int ret = 0, i = 0;
+ ctx->sg_tbl[ctx->sg_num - 1].final = 1;
+ uint32_t len = 0;
+
+ for (i = 0; i < ctx->sg_num; i++)
+ len += ctx->sg_tbl[i].length;
+
+ inline_cnstr_jobdesc_sha256(ctx->sha_desc,
+ (uint8_t *)ctx->sg_tbl, len, ctx->hash);
+
+ ret = jr_enqueue(ctx->jr, ctx->sha_desc, sha_done, &ctx->op);
+ if (ret)
+ return ret;
+
+ return ret;
+}
+
+
+/* This function completes the calulation of the sha-256 */
+int sha_digest(struct sha_ctx *ctx, uint8_t *digest)
+{
+ unsigned long long timeval = get_ticks();
+ unsigned long long timeout = usec2ticks(CONFIG_SEC_DEQ_TIMEOUT);
+ int ret = 0;
+
+ while (ctx->op.done != 1) {
+ ret = jr_dequeue(ctx->jr);
+ if (ret)
+ return ret;
+
+ if ((get_ticks() - timeval) > timeout) {
+ printf("SEC Dequeue timed out\n");
+ return JQ_DEQ_TO_ERR;
+ }
+ }
+
+ if (ctx->op.err < 0)
+ return ctx->op.status;
+
+ memcpy(digest, ctx->hash, sizeof(ctx->hash));
+
+ return 0;
+}
diff --git a/include/desc_constr.h b/include/desc_constr.h
new file mode 100644
index 0000000..e3e778f
--- /dev/null
+++ b/include/desc_constr.h
@@ -0,0 +1,200 @@
+/*
+ * caam descriptor construction helper functions
+ *
+ * Copyright 2008-2011, 2012 Freescale Semiconductor, Inc.
+ */
+
+#include "desc.h"
+
+#define IMMEDIATE (1 << 23)
+#define CAAM_CMD_SZ sizeof(u32)
+#define CAAM_PTR_SZ sizeof(dma_addr_t)
+#define CAAM_DESC_BYTES_MAX (CAAM_CMD_SZ * 64)
+
+#define PRINT_POS
+
+#define DISABLE_AUTO_INFO_FIFO (IMMEDIATE | LDST_CLASS_DECO | \
+ LDST_SRCDST_WORD_DECOCTRL | \
+ (LDOFF_DISABLE_AUTO_NFIFO << LDST_OFFSET_SHIFT))
+#define ENABLE_AUTO_INFO_FIFO (IMMEDIATE | LDST_CLASS_DECO | \
+ LDST_SRCDST_WORD_DECOCTRL | \
+ (LDOFF_ENABLE_AUTO_NFIFO << LDST_OFFSET_SHIFT))
+
+static inline int desc_len(u32 *desc)
+{
+ return *desc & HDR_DESCLEN_MASK;
+}
+
+static inline int desc_bytes(void *desc)
+{
+ return desc_len(desc) * CAAM_CMD_SZ;
+}
+
+static inline u32 *desc_end(u32 *desc)
+{
+ return desc + desc_len(desc);
+}
+
+static inline void *sh_desc_pdb(u32 *desc)
+{
+ return desc + 1;
+}
+
+static inline void init_desc(u32 *desc, u32 options)
+{
+ *desc = options | HDR_ONE | 1;
+}
+
+static inline void init_sh_desc(u32 *desc, u32 options)
+{
+ PRINT_POS;
+ init_desc(desc, CMD_SHARED_DESC_HDR | options);
+}
+
+static inline void init_sh_desc_pdb(u32 *desc, u32 options, size_t pdb_bytes)
+{
+ u32 pdb_len = pdb_bytes / CAAM_CMD_SZ + 1;
+
+ init_sh_desc(desc, ((pdb_len << HDR_START_IDX_SHIFT) + pdb_len) |
+ options);
+}
+
+static inline void init_job_desc(u32 *desc, u32 options)
+{
+ init_desc(desc, CMD_DESC_HDR | options);
+}
+
+static inline void append_ptr(u32 *desc, dma_addr_t ptr)
+{
+ dma_addr_t *offset = (dma_addr_t *)desc_end(desc);
+
+ *offset = ptr;
+
+ (*desc) += CAAM_PTR_SZ / CAAM_CMD_SZ;
+}
+
+static inline void init_job_desc_shared(u32 *desc, dma_addr_t ptr, int len,
+ u32 options)
+{
+ PRINT_POS;
+ init_job_desc(desc, HDR_SHARED | options |
+ (len << HDR_START_IDX_SHIFT));
+ append_ptr(desc, ptr);
+}
+
+static inline void append_data(u32 *desc, void *data, int len)
+{
+ u32 *offset = desc_end(desc);
+
+ if (len) /* avoid sparse warning: memcpy with byte count of 0 */
+ memcpy(offset, data, len);
+
+ (*desc) += (len + CAAM_CMD_SZ - 1) / CAAM_CMD_SZ;
+}
+
+static inline void append_cmd(u32 *desc, u32 command)
+{
+ u32 *cmd = desc_end(desc);
+
+ *cmd = command;
+
+ (*desc)++;
+}
+
+static inline void append_cmd_ptr(u32 *desc, dma_addr_t ptr, int len,
+ u32 command)
+{
+ append_cmd(desc, command | len);
+ append_ptr(desc, ptr);
+}
+
+static inline void append_cmd_data(u32 *desc, void *data, int len,
+ u32 command)
+{
+ append_cmd(desc, command | IMMEDIATE | len);
+ append_data(desc, data, len);
+}
+
+static inline u32 *append_jump(u32 *desc, u32 options)
+{
+ u32 *cmd = desc_end(desc);
+
+ PRINT_POS;
+ append_cmd(desc, CMD_JUMP | options);
+
+ return cmd;
+}
+
+static inline void set_jump_tgt_here(u32 *desc, u32 *jump_cmd)
+{
+ *jump_cmd = *jump_cmd | (desc_len(desc) - (jump_cmd - desc));
+}
+
+#define APPEND_CMD(cmd, op) \
+static inline void append_##cmd(u32 *desc, u32 options) \
+{ \
+ PRINT_POS; \
+ append_cmd(desc, CMD_##op | options); \
+}
+APPEND_CMD(operation, OPERATION)
+APPEND_CMD(move, MOVE)
+
+#define APPEND_CMD_LEN(cmd, op) \
+static inline void append_##cmd(u32 *desc, unsigned int len, u32 options) \
+{ \
+ PRINT_POS; \
+ append_cmd(desc, CMD_##op | len | options); \
+}
+APPEND_CMD_LEN(seq_store, SEQ_STORE)
+APPEND_CMD_LEN(seq_fifo_load, SEQ_FIFO_LOAD)
+APPEND_CMD_LEN(seq_fifo_store, SEQ_FIFO_STORE)
+
+#define APPEND_CMD_PTR(cmd, op) \
+static inline void append_##cmd(u32 *desc, dma_addr_t ptr, unsigned int len, \
+ u32 options) \
+{ \
+ PRINT_POS; \
+ append_cmd_ptr(desc, ptr, len, CMD_##op | options); \
+}
+APPEND_CMD_PTR(key, KEY)
+APPEND_CMD_PTR(seq_in_ptr, SEQ_IN_PTR)
+APPEND_CMD_PTR(seq_out_ptr, SEQ_OUT_PTR)
+APPEND_CMD_PTR(load, LOAD)
+APPEND_CMD_PTR(store, STORE)
+APPEND_CMD_PTR(fifo_load, FIFO_LOAD)
+APPEND_CMD_PTR(fifo_store, FIFO_STORE)
+
+#define APPEND_CMD_PTR_TO_IMM(cmd, op) \
+static inline void append_##cmd##_as_imm(u32 *desc, void *data, \
+ unsigned int len, u32 options) \
+{ \
+ PRINT_POS; \
+ append_cmd_data(desc, data, len, CMD_##op | options); \
+}
+APPEND_CMD_PTR_TO_IMM(load, LOAD);
+APPEND_CMD_PTR_TO_IMM(fifo_load, FIFO_LOAD);
+
+/*
+ * 2nd variant for commands whose specified immediate length differs
+ * from length of immediate data provided, e.g., split keys
+ */
+#define APPEND_CMD_PTR_TO_IMM2(cmd, op) \
+static inline void append_##cmd##_as_imm(u32 *desc, void *data, \
+ unsigned int data_len, \
+ unsigned int len, u32 options) \
+{ \
+ PRINT_POS; \
+ append_cmd(desc, CMD_##op | IMMEDIATE | len | options); \
+ append_data(desc, data, data_len); \
+}
+APPEND_CMD_PTR_TO_IMM2(key, KEY);
+
+#define APPEND_CMD_RAW_IMM(cmd, op, type) \
+static inline void append_##cmd##_imm_##type(u32 *desc, type immediate, \
+ u32 options) \
+{ \
+ PRINT_POS; \
+ append_cmd(desc, CMD_##op | IMMEDIATE | options | sizeof(type)); \
+ append_cmd(desc, immediate); \
+}
+APPEND_CMD_RAW_IMM(load, LOAD, u32);
diff --git a/include/jobdesc.h b/include/jobdesc.h
new file mode 100644
index 0000000..6eb2827
--- /dev/null
+++ b/include/jobdesc.h
@@ -0,0 +1,55 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __JOBDESC_H
+#define __JOBDESC_H
+
+#include <common.h>
+#include <sha.h>
+#include <rsa_sec.h>
+
+void inline_cnstr_jobdesc_pkha_rsaexp(uint32_t *desc,
+ struct pk_in_params *pkin, uint8_t *out,
+ uint32_t out_siz);
+
+void inline_cnstr_jobdesc_sha256(uint32_t *desc,
+ uint8_t *msg, uint32_t msgsz, uint8_t *digest);
+
+void inline_cnstr_jobdesc_blob_encrypt(uint32_t *desc, uint8_t *key_idnfr,
+ uint32_t keysz, uint8_t *plain_txt, uint8_t *enc_blob, uint32_t in_sz,
+ uint32_t out_sz);
+
+void inline_cnstr_jobdesc_blob_decrypt(uint32_t *desc, uint8_t *key_idnfr,
+ uint32_t keysz, uint8_t *plain_txt, uint8_t *enc_blob, uint32_t in_sz,
+ uint32_t out_sz);
+
+#endif
diff --git a/include/rsa_sec.h b/include/rsa_sec.h
new file mode 100644
index 0000000..1f6e218
--- /dev/null
+++ b/include/rsa_sec.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __RSA_SEC_H
+#define __RSA_SEC_H
+
+#include <common.h>
+#include <jr.h>
+
+struct pk_in_params {
+ uint8_t *e;
+ uint32_t e_siz;
+ uint8_t *n;
+ uint32_t n_siz;
+ uint8_t *a;
+ uint32_t a_siz;
+ uint8_t *b;
+ uint32_t b_siz;
+};
+
+struct rsa_context {
+ struct pk_in_params pkin;
+ uint32_t rsa_desc[64];
+ struct result op;
+};
+
+int rsa_public_verif_sec(unsigned char *sign, uint8_t *to, uint8_t *rsa_pub_key,
+ int klen, struct rsa_context *ctx);
+
+#endif
diff --git a/include/sha.h b/include/sha.h
new file mode 100644
index 0000000..ea4c4c8
--- /dev/null
+++ b/include/sha.h
@@ -0,0 +1,100 @@
+/*
+ * Copyright 2012 Freescale Semiconductor, Inc.
+ * All Rights Reserved
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * * Neither the name of Freescale Semiconductor nor the
+ * names of its contributors may be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * ALTERNATIVELY, this software may be distributed under the terms of the
+ * GNU General Public License ("GPL") as published by the Free Software
+ * Foundation, either version 2 of that License or (at your option) any
+ * later version.
+ *
+ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
+ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SHA_H
+#define _SHA_H
+
+#include <jr.h>
+
+/* number of bytes in the SHA256-256 digest */
+#define SHA256_DIGEST_SIZE 32
+
+/*
+ * number of words in the digest - Digest is kept internally
+ * as 8 32-bit words
+ */
+#define _SHA256_DIGEST_LENGTH 8
+
+/*
+ * block length - A block, treated as a sequence of
+ * 32-bit words
+ */
+#define SHA256_BLOCK_LENGTH 16
+
+/* number of bytes in the block */
+#define SHA256_DATA_SIZE 64
+
+#define MAX_SG 12
+
+/*
+ * Scatter Gather Entry - Speicifies the the Scatter Gather Format
+ * related information
+ */
+struct sg_entry {
+ uint16_t reserved_zero;
+ uint16_t addr_hi; /* Memory Address of the start of the
+ * buffer - hi
+ */
+ uint32_t addr_lo; /* Memory Address - lo */
+ unsigned int extension:1;
+ unsigned int final:1;
+ unsigned int length:30; /* Length of the data in the frame */
+ uint8_t reserved_zero2;
+ uint8_t bpid; /* Buffer Pool Id */
+ unsigned int reserved_offset:3;
+ unsigned int offset:13;
+};
+
+/*
+ * SHA256-256 context
+ * contain the following fields
+ * State
+ * count low
+ * count high
+ * block data buffer
+ * index to the buffer
+ */
+struct sha_ctx {
+ struct sg_entry sg_tbl[MAX_SG];
+ uint32_t sha_desc[64];
+ u8 hash[SHA256_DIGEST_SIZE];
+ struct result op;
+ uint32_t sg_num;
+ struct jobring *jr;
+};
+
+void sha_init(struct sha_ctx *ctx);
+void sha_update(struct sha_ctx *ctx, uint8_t *data, uint32_t length);
+int sha_final(struct sha_ctx *ctx);
+int sha_digest(struct sha_ctx *ctx, uint8_t *digest);
+
+#endif
--
1.7.7.6
^ permalink raw reply related [flat|nested] 13+ messages in thread* [U-Boot] [PATCH 5/5] Added command for validation of images in case of secure boot
2013-03-28 10:46 [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Ruchika Gupta
` (3 preceding siblings ...)
2013-03-28 10:46 ` [U-Boot] [PATCH 4/5] FSL SEC Driver : Add support for descriptor creation Ruchika Gupta
@ 2013-03-28 10:46 ` Ruchika Gupta
2013-03-28 14:52 ` [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Otavio Salvador
5 siblings, 0 replies; 13+ messages in thread
From: Ruchika Gupta @ 2013-03-28 10:46 UTC (permalink / raw)
To: u-boot
1. Default environment will be used for secure boot flow
which can't be edited or saved.
2. Command for secure boot is predefined in the default
environment which will run on autoboot (and autoboot is
the only option allowed in case of secure boot) and it
looks like this:
#define CONFIG_SECBOOT \
"setenv bs_hdraddr 0xe8e00000;" \
"esbc_validate $bs_hdraddr;" \
"source $img_addr;" \
"esbc_halt;"
#endif
3. esbc_validate command is meant for validating header and
signature of images (Boot Script and ESBC uboot client).
SHA-256 and RSA operations are performed using SEC block in HW.
This command works on both high-end (P4080) and
low-end (P1010) platforms.
Command usage:
esbc_validate img_hdr_addr [pub_key_hash]
4. Boot Script can contain esbc_validate commands and bootm command.
Uboot source command used in default secure boot command will
run the bootscript.
5. ESBC uboot client can be linux. Additionally, rootfs and device
tree blob can also be signed.
6. In the event of header or signature failure in validation,
ITS and ITF bits determine further course of action.
7. In case of soft failure, appropriate error is dumped on console
and next esbc_validate command is executed.
8. In case of hard failure, SoC is issued RESET REQUEST after
dumping error on the console.
9. Command esbc_halt added to ensure either bootm executes
after validation of images or core should just spin.
Signed-off-by: Kuldip Giroh <kuldip.giroh@freescale.com>
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
---
Based upon git://git.denx.de/u-boot.git branch master
arch/powerpc/cpu/mpc85xx/Makefile | 2 +
arch/powerpc/cpu/mpc85xx/cmd_esbc_validate.c | 54 +++
arch/powerpc/cpu/mpc85xx/cpu_init.c | 17 +
arch/powerpc/cpu/mpc85xx/fsl_sfp_snvs.c | 163 ++++++++
arch/powerpc/cpu/mpc85xx/fsl_validate.c | 543 ++++++++++++++++++++++++++
arch/powerpc/include/asm/fsl_secure_boot.h | 68 ++++-
arch/powerpc/include/asm/fsl_sfp_snvs.h | 42 ++
arch/powerpc/include/asm/immap_85xx.h | 55 +++
8 files changed, 943 insertions(+), 1 deletions(-)
create mode 100644 arch/powerpc/cpu/mpc85xx/cmd_esbc_validate.c
create mode 100644 arch/powerpc/cpu/mpc85xx/fsl_sfp_snvs.c
create mode 100644 arch/powerpc/cpu/mpc85xx/fsl_validate.c
create mode 100644 arch/powerpc/include/asm/fsl_sfp_snvs.h
diff --git a/arch/powerpc/cpu/mpc85xx/Makefile b/arch/powerpc/cpu/mpc85xx/Makefile
index 6776c85..66b7b67 100644
--- a/arch/powerpc/cpu/mpc85xx/Makefile
+++ b/arch/powerpc/cpu/mpc85xx/Makefile
@@ -109,6 +109,8 @@ COBJS-$(CONFIG_QE) += qe_io.o
COBJS-$(CONFIG_CPM2) += serial_scc.o
COBJS-$(CONFIG_SYS_FSL_QORIQ_CHASSIS1) += fsl_corenet_serdes.o
COBJS-$(CONFIG_SYS_FSL_QORIQ_CHASSIS2) += fsl_corenet2_serdes.o
+COBJS-$(CONFIG_SECURE_BOOT) += fsl_sfp_snvs.o
+COBJS-$(CONFIG_CMD_ESBC_VALIDATE) += cmd_esbc_validate.o fsl_validate.o
# SoC specific SERDES support
COBJS-$(CONFIG_MPC8536) += mpc8536_serdes.o
diff --git a/arch/powerpc/cpu/mpc85xx/cmd_esbc_validate.c b/arch/powerpc/cpu/mpc85xx/cmd_esbc_validate.c
new file mode 100644
index 0000000..a95f04e
--- /dev/null
+++ b/arch/powerpc/cpu/mpc85xx/cmd_esbc_validate.c
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2010-2012 Freescale Semiconductor, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <command.h>
+#include <common.h>
+#include <asm/fsl_validate.h>
+
+static int do_esbc_validate(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ if (argc < 2)
+ return cmd_usage(cmdtp);
+
+ return fsl_secboot_validate(cmdtp, flag, argc, argv);
+}
+
+U_BOOT_CMD(
+ esbc_validate, 3, 0, do_esbc_validate,
+ "Validates signature of a given image using RSA verification"
+ "algorithm as part of Freescale Secure Boot Process",
+ "<hdr_addr> <hash_val>"
+);
+
+static int do_esbc_halt(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ printf("Core is entering spin loop.\n");
+ while (1);
+
+ return 0;
+}
+
+U_BOOT_CMD(
+ esbc_halt, 1, 0, do_esbc_halt,
+ "Put the core in spin loop if control reaches to uboot"
+ "from bootscript",
+ ""
+);
diff --git a/arch/powerpc/cpu/mpc85xx/cpu_init.c b/arch/powerpc/cpu/mpc85xx/cpu_init.c
index de9d916..41d7bf8 100644
--- a/arch/powerpc/cpu/mpc85xx/cpu_init.c
+++ b/arch/powerpc/cpu/mpc85xx/cpu_init.c
@@ -46,6 +46,14 @@
#include <errno.h>
#endif
+#if defined(CONFIG_SECURE_BOOT) && defined(CONFIG_FSL_CORENET)
+#include <asm/fsl_pamu.h>
+#endif
+#ifdef CONFIG_SECURE_BOOT
+#include <jr.h>
+#include <asm/fsl_secboot_err.h>
+#endif
+
#include "../../../../drivers/block/fsl_sata.h"
DECLARE_GLOBAL_DATA_PTR;
@@ -650,6 +658,15 @@ skip_l2:
}
#endif
+#if defined(CONFIG_SECURE_BOOT) && defined(CONFIG_FSL_CORENET)
+ if (pamu_init() < 0)
+ fsl_secboot_handle_error(ERROR_ESBC_PAMU_INIT);
+#endif
+
+#ifdef CONFIG_SECURE_BOOT
+ if (sec_init() < 0)
+ fsl_secboot_handle_error(ERROR_ESBC_SEC_INIT);
+#endif
return 0;
}
diff --git a/arch/powerpc/cpu/mpc85xx/fsl_sfp_snvs.c b/arch/powerpc/cpu/mpc85xx/fsl_sfp_snvs.c
new file mode 100644
index 0000000..7382eea
--- /dev/null
+++ b/arch/powerpc/cpu/mpc85xx/fsl_sfp_snvs.c
@@ -0,0 +1,163 @@
+/*
+ * Copyright 2010-2012 Freescale Semiconductor, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <asm/fsl_sfp_snvs.h>
+#include <configs/corenet_ds.h>
+#include <common.h>
+
+int change_sec_mon_state(u32 initial_state, u32 final_state)
+{
+ ccsr_snvs_regs_t *snvs_regs = (void *)(CONFIG_SYS_SNVS_ADDR);
+ u32 sts = in_be32(&snvs_regs->hp_stat);
+ int timeout = 10;
+
+ if ((sts & HPSR_SSM_ST_MASK) != initial_state)
+ return -1;
+
+ if (initial_state == HPSR_SSM_ST_TRUST) {
+ switch (final_state) {
+ case HPSR_SSM_ST_NON_SECURE:
+ printf("SNVS state transitioning to Soft Fail.\n");
+ setbits_be32(&snvs_regs->hp_com, HPCOMR_SW_SV);
+
+ /*
+ * poll till SNVS is in
+ * Soft Fail state
+ */
+ while (((sts & HPSR_SSM_ST_MASK) !=
+ HPSR_SSM_ST_SOFT_FAIL)) {
+ while (timeout) {
+ sts = in_be32(&snvs_regs->hp_stat);
+
+ if ((sts & HPSR_SSM_ST_MASK) ==
+ HPSR_SSM_ST_SOFT_FAIL)
+ break;
+
+ udelay(10);
+ timeout--;
+ }
+ }
+
+ if (timeout == 0) {
+ printf("SNVS state transition timeout.\n");
+ branch_to_self();
+ }
+
+ timeout = 10;
+
+ printf("SNVS state transitioning to Non Secure.\n");
+ setbits_be32(&snvs_regs->hp_com, HPCOMR_SSM_ST);
+
+ /*
+ * poll till SNVS is in
+ * Non Secure state
+ */
+ while (((sts & HPSR_SSM_ST_MASK) !=
+ HPSR_SSM_ST_NON_SECURE)) {
+ while (timeout) {
+ sts = in_be32(&snvs_regs->hp_stat);
+
+ if ((sts & HPSR_SSM_ST_MASK) ==
+ HPSR_SSM_ST_NON_SECURE)
+ break;
+
+ udelay(10);
+ timeout--;
+ }
+ }
+
+ if (timeout == 0) {
+ printf("SNVS state transition timeout.\n");
+ branch_to_self();
+ }
+ break;
+ case HPSR_SSM_ST_SOFT_FAIL:
+ printf("SNVS state transitioning to Soft Fail.\n");
+ setbits_be32(&snvs_regs->hp_com, HPCOMR_SW_FSV);
+
+ /*
+ * polling loop till SNVS is in
+ * Soft Fail state
+ */
+ while (((sts & HPSR_SSM_ST_MASK) !=
+ HPSR_SSM_ST_SOFT_FAIL)) {
+ while (timeout) {
+ sts = in_be32(&snvs_regs->hp_stat);
+
+ if ((sts & HPSR_SSM_ST_MASK) ==
+ HPSR_SSM_ST_SOFT_FAIL)
+ break;
+
+ udelay(10);
+ timeout--;
+ }
+ }
+
+ if (timeout == 0) {
+ printf("SNVS state transition timeout.\n");
+ branch_to_self();
+ }
+ break;
+ default:
+ return -1;
+ }
+ } else if (initial_state == HPSR_SSM_ST_NON_SECURE) {
+ switch (final_state) {
+ case HPSR_SSM_ST_SOFT_FAIL:
+ printf("SNVS state transitioning to Soft Fail.\n");
+ setbits_be32(&snvs_regs->hp_com, HPCOMR_SW_FSV);
+
+ /*
+ * polling loop till SNVS is in
+ * Soft Fail state
+ */
+ while (((sts & HPSR_SSM_ST_MASK) !=
+ HPSR_SSM_ST_SOFT_FAIL)) {
+ while (timeout) {
+ sts = in_be32(&snvs_regs->hp_stat);
+
+ if ((sts & HPSR_SSM_ST_MASK) ==
+ HPSR_SSM_ST_SOFT_FAIL)
+ break;
+
+ udelay(10);
+ timeout--;
+ }
+ }
+
+ if (timeout == 0) {
+ printf("SNVS state transition timeout.\n");
+ branch_to_self();
+ }
+ break;
+ default:
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+void generate_reset_req(void)
+{
+ ccsr_gur_t *gur = (void *)(CONFIG_SYS_MPC85xx_GUTS_ADDR);
+ printf("Generating reset request");
+ out_be32(&gur->rstcr, 0x2); /* HRESET_REQ */
+ branch_to_self();
+}
diff --git a/arch/powerpc/cpu/mpc85xx/fsl_validate.c b/arch/powerpc/cpu/mpc85xx/fsl_validate.c
new file mode 100644
index 0000000..a184933
--- /dev/null
+++ b/arch/powerpc/cpu/mpc85xx/fsl_validate.c
@@ -0,0 +1,543 @@
+/*
+ * Copyright 2010-2012 Freescale Semiconductor, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#include <asm/fsl_validate.h>
+#include <asm/fsl_secboot_err.h>
+#include <asm/fsl_sfp_snvs.h>
+#include <command.h>
+#include <common.h>
+#include <malloc.h>
+#include <rsa_sec.h>
+#include <sha.h>
+#include <jr.h>
+#include <asm/fsl_pamu.h>
+
+#define SHA256_BITS 256
+#define SHA256_BYTES (256/8)
+#define SHA256_NIBBLES (256/4)
+#define NUM_HEX_CHARS (sizeof(ulong) * 2)
+
+
+/* This array contains DER value for SHA-256 */
+static const u8 hash_identifier[] = { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60,
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00,
+ 0x04, 0x20
+ };
+
+static u8 hash_val[SHA256_BYTES];
+static const u8 barker_code[ESBC_BARKER_LEN] = { 0x68, 0x39, 0x27, 0x81 };
+
+void branch_to_self(void) __attribute__ ((noreturn));
+
+/*
+ * This function will put core in infinite loop.
+ * This will be called when the ESBC can not proceed further due
+ * to some errors.
+ */
+void branch_to_self(void)
+{
+ printf("Core is in infinite loop due to errors.\n");
+ while (1);
+}
+
+/*
+ * Handles the ESBC uboot client header verification failure.
+ * This function handles all the errors which might occur in the
+ * parsing and checking of ESBC uboot client header. It will also
+ * set the error bits in the SNVS.
+ */
+static void fsl_secboot_header_verification_failure(void)
+{
+ ccsr_snvs_regs_t *snvs_regs = (void *)(CONFIG_SYS_SNVS_ADDR);
+ ccsr_sfp_regs_t *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+ u32 sts = in_be32(&snvs_regs->hp_stat);
+
+ /* 29th bit of OSPR is ITS */
+ u32 its = in_be32(&sfp_regs->ospr) >> 2;
+
+ /*
+ * Read the SNVS status register
+ * Read SSM_ST field
+ */
+ sts = in_be32(&snvs_regs->hp_stat);
+ if ((sts & HPSR_SSM_ST_MASK) == HPSR_SSM_ST_TRUST) {
+ if (its == 1)
+ change_sec_mon_state(HPSR_SSM_ST_TRUST,
+ HPSR_SSM_ST_SOFT_FAIL);
+ else
+ change_sec_mon_state(HPSR_SSM_ST_TRUST,
+ HPSR_SSM_ST_NON_SECURE);
+ }
+
+ generate_reset_req();
+}
+
+/*
+ * Handles the ESBC uboot client image verification failure.
+ * This function handles all the errors which might occur in the
+ * public key hash comparison and signature verification of
+ * ESBC uboot client image. It will also
+ * set the error bits in the SNVS.
+ */
+static void fsl_secboot_image_verification_failure(void)
+{
+ ccsr_snvs_regs_t *snvs_regs = (void *)(CONFIG_SYS_SNVS_ADDR);
+ ccsr_sfp_regs_t *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+ u32 sts = in_be32(&snvs_regs->hp_stat);
+
+ /* 31st bit of OVPR is ITF */
+ u32 itf = in_be32(&sfp_regs->ovpr) & ITS_MASK >> ITS_BIT;
+
+ /*
+ * Read the SNVS status register
+ * Read SSM_ST field
+ */
+ sts = in_be32(&snvs_regs->hp_stat);
+ if ((sts & HPSR_SSM_ST_MASK) == HPSR_SSM_ST_TRUST) {
+ if (itf == 1) {
+ change_sec_mon_state(HPSR_SSM_ST_TRUST,
+ HPSR_SSM_ST_SOFT_FAIL);
+
+ generate_reset_req();
+ } else {
+ change_sec_mon_state(HPSR_SSM_ST_TRUST,
+ HPSR_SSM_ST_NON_SECURE);
+ }
+ }
+}
+
+static void fsl_secboot_bootscript_parse_failure(void)
+{
+ fsl_secboot_header_verification_failure();
+}
+
+/*
+ * Handles the errors in esbc boot.
+ * This function handles all the errors which might occur in the
+ * esbc boot phase. It will call the appropriate api to log the
+ * errors and set the error bits in the SNVS.
+ */
+void fsl_secboot_handle_error(int error)
+{
+ const struct fsl_secboot_errcode *e;
+
+ for (e = fsl_secboot_errcodes; e->errcode != ERROR_ESBC_CLIENT_MAX;
+ e++) {
+ if (e->errcode == error)
+ printf("ERROR :: %x :: %s\n", error, e->name);
+ }
+
+ switch (error) {
+ case ERROR_ESBC_CLIENT_HEADER_BARKER:
+ case ERROR_ESBC_CLIENT_HEADER_IMG_SIZE:
+ case ERROR_ESBC_CLIENT_HEADER_KEY_LEN:
+ case ERROR_ESBC_CLIENT_HEADER_SIG_LEN:
+ case ERROR_ESBC_CLIENT_HEADER_KEY_LEN_NOT_TWICE_SIG_LEN:
+ case ERROR_ESBC_CLIENT_HEADER_KEY_MOD_1:
+ case ERROR_ESBC_CLIENT_HEADER_KEY_MOD_2:
+ case ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD:
+ case ERROR_ESBC_CLIENT_HEADER_SG_ESBC_EP:
+ case ERROR_ESBC_CLIENT_HEADER_SG_ENTIRES_BAD:
+ fsl_secboot_header_verification_failure();
+ break;
+ case ERROR_ESBC_SEC_RESET:
+ case ERROR_ESBC_SEC_DEQ:
+ case ERROR_ESBC_SEC_ENQ:
+ case ERROR_ESBC_SEC_DEQ_TO:
+ case ERROR_ESBC_SEC_JOBQ_STATUS:
+ case ERROR_ESBC_CLIENT_HASH_COMPARE_KEY:
+ case ERROR_ESBC_CLIENT_HASH_COMPARE_EM:
+ fsl_secboot_image_verification_failure();
+ break;
+ case ERROR_ESBC_MISSING_BOOTM:
+ fsl_secboot_bootscript_parse_failure();
+ break;
+ case ERROR_ESBC_WRONG_CMD:
+ default:
+ branch_to_self();
+ break;
+ }
+}
+
+static void fsl_secblk_handle_error(int error)
+{
+ switch (error) {
+ case JQ_ENQ_ERR:
+ fsl_secboot_handle_error(ERROR_ESBC_SEC_ENQ);
+ break;
+ case JQ_DEQ_ERR:
+ fsl_secboot_handle_error(ERROR_ESBC_SEC_DEQ);
+ break;
+ case JQ_DEQ_TO_ERR:
+ fsl_secboot_handle_error(ERROR_ESBC_SEC_DEQ_TO);
+ break;
+ default:
+ printf("Job Queue Output status %x\n", error);
+ fsl_secboot_handle_error(ERROR_ESBC_SEC_JOBQ_STATUS);
+ break;
+ }
+}
+
+/*
+ * Calculate hash of key obtained via offset present in ESBC uboot
+ * client hdr. This function calculates the hash of key which is obtained
+ * through offset present in ESBC uboot client header.
+ */
+static int calc_img_key_hash(struct sha_ctx *ctx,
+ struct fsl_secboot_img_priv *img)
+{
+ int i;
+ int ret = 0;
+
+ /* calc hash of the esbc key */
+ sha_init(ctx);
+ sha_update(ctx, img->img_key, img->hdr.key_len);
+ ret = sha_final(ctx);
+ if (ret)
+ return ret;
+
+ ret = sha_digest(ctx, hash_val);
+ if (ret)
+ return ret;
+
+ for (i = 0; i < SHA256_BYTES; i++)
+ img->img_key_hash[i] = hash_val[i];
+
+ return 0;
+}
+
+/*
+ * Calculate hash of ESBC hdr and ESBC. This function calculates the
+ * single hash of ESBC header and ESBC image. If SG flag is on, all
+ * SG entries are also hashed alongwith the complete SG table.
+ */
+static int calc_esbchdr_esbc_hash(struct sha_ctx *ctx,
+ struct fsl_secboot_img_priv *img)
+{
+ int i = 0;
+ int ret = 0;
+
+ /* calculate the hash of the CSF header */
+ sha_init(ctx);
+ sha_update(ctx, (u8 *) &img->hdr,
+ sizeof(struct fsl_secboot_img_hdr));
+ sha_update(ctx, img->img_key, img->hdr.key_len);
+
+ if (img->hdr.sg_flag) {
+ /* calculate hash of the SG table */
+ sha_update(ctx, (u8 *) &img->sgtbl,
+ img->hdr.sg_entries *
+ sizeof(struct fsl_secboot_sg_table));
+
+ /* calculate the hash of each entry in the table */
+ for (i = 0; i < img->hdr.sg_entries; i++)
+ sha_update(ctx, img->sgtbl[i].pdata,
+ img->sgtbl[i].len);
+ } else {
+ /* contiguous ESBC */
+ sha_update(ctx, (u8 *) img->hdr.pimg,
+ img->hdr.img_size);
+ }
+
+ ret = sha_final(ctx);
+ if (ret)
+ return ret;
+
+ ret = sha_digest(ctx, hash_val);
+ if (ret)
+ return ret;
+
+ return 0;
+}
+
+/*
+ * Construct encoded hash EM' wrt PKCSv1.5. This function calculates the
+ * pointers for padding, DER value and hash. And finally, constructs EM'
+ * which includes hash of complete CSF header and ESBC image. If SG flag
+ * is on, hash of SG table and entries is also included.
+ */
+static void construct_img_encoded_hash_second(struct fsl_secboot_img_priv *img)
+{
+ /*
+ * RSA PKCSv1.5 encoding format for encoded message is below
+ * EM = 0x0 || 0x1 || PS || 0x0 || DER || Hash
+ * PS is Padding String
+ * DER is DER value for SHA-256
+ * Hash is SHA-256 hash
+ * *********************************************************
+ * representative points to first byte of EM initially and is
+ * filled with 0x0
+ * representative is incremented by 1 and second byte is filled
+ * with 0x1
+ * padding points to third byte of EM
+ * digest points to full length of EM - 32 bytes
+ * hash_id (DER value) points to 19 bytes before pDigest
+ * separator is one byte which separates padding and DER
+ */
+
+ size_t len;
+ u8 *representative;
+ u8 *padding, *digest;
+ u8 *hash_id, *separator;
+ int i;
+
+ len = (img->hdr.key_len / 2) - 1;
+ representative = img->img_encoded_hash_second;
+ representative[0] = 0;
+ representative[1] = 1; /* block type 1 */
+
+ padding = &representative[2];
+ digest = &representative[1] + len - 32;
+ hash_id = digest - sizeof(hash_identifier);
+ separator = hash_id - 1;
+
+ /* fill padding area pointed by padding with 0xff */
+ memset(padding, 0xff, separator - padding);
+
+ /* fill byte pointed by separator */
+ *separator = 0;
+
+ /* fill SHA-256 DER value pointed by HashId */
+ memcpy(hash_id, hash_identifier, sizeof(hash_identifier));
+
+ /* fill hash pointed by Digest */
+ for (i = 0; i < SHA256_BYTES; i++)
+ digest[i] = hash_val[i];
+}
+
+/*
+ * Reads and validates the ESBC client header.
+ * This function reads key and signature from the ESBC client header.
+ * If Scatter/Gather flag is on, lengths and offsets of images
+ * present as SG entries are also read. This function also checks
+ * whether the header is valid or not.
+ */
+static int read_validate_esbc_client_header(struct fsl_secboot_img_priv *img)
+{
+ char buf[20];
+ struct fsl_secboot_img_hdr *hdr = &img->hdr;
+ void *esbc = (u8 *) img->ehdrloc;
+ u8 *k, *s;
+
+ /* check barker code */
+ if (memcmp(hdr->barker, barker_code, ESBC_BARKER_LEN))
+ return ERROR_ESBC_CLIENT_HEADER_BARKER;
+
+ sprintf(buf, "%p", hdr->pimg);
+ setenv("img_addr", buf);
+
+ if (!hdr->img_size)
+ return ERROR_ESBC_CLIENT_HEADER_IMG_SIZE;
+
+ /* key length should be twice of signature length */
+ if (hdr->key_len == 2 * hdr->sign_len) {
+ /* check key length */
+ if (!((hdr->key_len == 2 * KEY_SIZE_BYTES / 4) ||
+ (hdr->key_len == 2 * KEY_SIZE_BYTES / 2) ||
+ (hdr->key_len == 2 * KEY_SIZE_BYTES)))
+ return ERROR_ESBC_CLIENT_HEADER_KEY_LEN;
+
+ /* check signature length */
+ if (!((hdr->sign_len == KEY_SIZE_BYTES / 4) ||
+ (hdr->sign_len == KEY_SIZE_BYTES / 2) ||
+ (hdr->sign_len == KEY_SIZE_BYTES)))
+ return ERROR_ESBC_CLIENT_HEADER_SIG_LEN;
+ } else {
+ return ERROR_ESBC_CLIENT_HEADER_KEY_LEN_NOT_TWICE_SIG_LEN;
+ }
+
+ memcpy(&img->img_key, esbc + hdr->pkey, hdr->key_len);
+ memcpy(&img->img_sign, esbc + hdr->psign, hdr->sign_len);
+
+ /* No SG support */
+ if (hdr->sg_flag)
+ return ERROR_ESBC_CLIENT_HEADER_SG;
+
+ /* modulus most significant bit should be set */
+ k = (u8 *) &img->img_key;
+
+ if ((k[0] & 0x80) == 0)
+ return ERROR_ESBC_CLIENT_HEADER_KEY_MOD_1;
+
+ /* modulus value should be odd */
+ if ((k[hdr->key_len / 2 - 1] & 0x1) == 0)
+ return ERROR_ESBC_CLIENT_HEADER_KEY_MOD_2;
+
+ /* Check signature value < modulus value */
+ s = (u8 *) &img->img_sign;
+
+ if (!(memcmp(s, k, hdr->sign_len) < 0))
+ return ERROR_ESBC_CLIENT_HEADER_SIG_KEY_MOD;
+
+ return ESBC_VALID_HDR;
+}
+
+static inline int str2long(const char *p, ulong *num)
+{
+ char *endptr;
+
+ if (!p)
+ return 0;
+ else
+ *num = simple_strtoul(p, &endptr, 16);
+
+ return *p != '\0' && *endptr == '\0';
+}
+
+int fsl_secboot_validate(cmd_tbl_t *cmdtp, int flag, int argc,
+ char * const argv[])
+{
+ int hash_srk = 1;
+ ccsr_sfp_regs_t *sfp_regs = (void *)(CONFIG_SYS_SFP_ADDR);
+ ulong hash[SHA256_BYTES/sizeof(ulong)];
+ char hash_str[NUM_HEX_CHARS + 1];
+ struct sha_ctx ctx;
+ struct rsa_context rsa_ctx;
+ ulong addr = simple_strtoul(argv[1], NULL, 16);
+ struct fsl_secboot_img_priv *img;
+ struct fsl_secboot_img_hdr *hdr;
+ void *esbc;
+ int ret, i;
+ u32 srk_hash[8];
+
+ if (argc == 3) {
+ char *cp = argv[2];
+ int i = 0;
+
+ if (*cp == '0' && *(cp + 1) == 'x')
+ cp += 2;
+
+ /* The input string expected is in hex, where
+ * each 4 bits would be represented by a hex
+ * sha256 hash is 256 bits long, which would mean
+ * num of characters = 256 / 4
+ */
+ if (strlen(cp) != SHA256_NIBBLES) {
+ printf("%s is not a 256 bits hex string as expected\n",
+ argv[2]);
+ return -1;
+ }
+
+ for (i = 0; i < sizeof(hash)/sizeof(ulong); i++) {
+ strncpy(hash_str, cp + (i * NUM_HEX_CHARS),
+ NUM_HEX_CHARS);
+ hash_str[NUM_HEX_CHARS] = '\0';
+ if (!str2long(hash_str, &hash[i])) {
+ printf("%s is not a 256 bits hex string "
+ "as expected\n", argv[2]);
+ return -1;
+ }
+ }
+
+ hash_srk = 0;
+ }
+
+#ifdef CONFIG_FSL_CORENET
+ pamu_enable();
+#endif
+ img = malloc(sizeof(struct fsl_secboot_img_priv));
+
+ if (!img)
+ return -1;
+
+ memset(img, 0, sizeof(struct fsl_secboot_img_priv));
+
+ hdr = &img->hdr;
+ img->ehdrloc = addr;
+ esbc = (u8 *) img->ehdrloc;
+
+ memcpy(hdr, esbc, sizeof(struct fsl_secboot_img_hdr));
+
+ /* read and validate esbc header */
+ ret = read_validate_esbc_client_header(img);
+
+ if (ret != ESBC_VALID_HDR) {
+ fsl_secboot_handle_error(ret);
+ goto exit1;
+ return 0;
+ }
+
+ /* SRKH present in SFP */
+ for (i = 0; i < NUM_SRKH_REGS; i++)
+ srk_hash[i] = in_be32(&sfp_regs->srk_hash[i]);
+
+ /*
+ * Calculate hash of key obtained via offset present in
+ * ESBC uboot client hdr
+ */
+ ret = calc_img_key_hash(&ctx, img);
+ if (ret) {
+ fsl_secblk_handle_error(ret);
+ goto exit;
+ }
+
+ /* Compare hash obtained above with SRK hash present in SFP */
+ if (hash_srk)
+ ret = memcmp(srk_hash, img->img_key_hash, SHA256_BYTES);
+ else
+ ret = memcmp(&hash, &img->img_key_hash, SHA256_BYTES);
+
+ if (ret != 0) {
+ fsl_secboot_handle_error(ERROR_ESBC_CLIENT_HASH_COMPARE_KEY);
+ goto exit;
+ }
+
+ ret = calc_esbchdr_esbc_hash(&ctx, img);
+ if (ret) {
+ fsl_secblk_handle_error(ret);
+ goto exit;
+ }
+
+ /* Construct encoded hash EM' wrt PKCSv1.5 */
+ construct_img_encoded_hash_second(img);
+
+ ret = rsa_public_verif_sec(img->img_sign, img->img_encoded_hash,
+ img->img_key, img->hdr.key_len / 2, &rsa_ctx);
+ if (ret) {
+ fsl_secblk_handle_error(ret);
+ goto exit;
+ }
+
+ /*
+ * compare the encoded messages EM' and EM wrt RSA PKCSv1.5
+ * memcmp returns zero on success
+ * memcmp returns non-zero on failure
+ */
+ ret = memcmp(&img->img_encoded_hash_second, &img->img_encoded_hash,
+ img->hdr.sign_len);
+
+ if (ret) {
+ fsl_secboot_handle_error(ERROR_ESBC_CLIENT_HASH_COMPARE_EM);
+ goto exit;
+ }
+
+ printf("esbc_validate command successful\n");
+
+exit:
+ if (jr_reset() < 0) {
+ fsl_secboot_handle_error(ERROR_ESBC_SEC_RESET);
+ return 0;
+ }
+exit1:
+#ifdef CONFIG_FSL_CORENET
+ pamu_disable();
+#endif
+
+ return 0;
+}
diff --git a/arch/powerpc/include/asm/fsl_secure_boot.h b/arch/powerpc/include/asm/fsl_secure_boot.h
index d1c1967..6847362 100644
--- a/arch/powerpc/include/asm/fsl_secure_boot.h
+++ b/arch/powerpc/include/asm/fsl_secure_boot.h
@@ -1,5 +1,5 @@
/*
- * Copyright 2010-2011 Freescale Semiconductor, Inc.
+ * Copyright 2010-2012 Freescale Semiconductor, Inc.
*
* See file CREDITS for list of people who contributed to this
* project.
@@ -40,4 +40,70 @@
#endif
#define CONFIG_SYS_PBI_FLASH_WINDOW 0xcff80000
+/*
+ * Define the key hash for boot script here if public/private key pair used to
+ * sign bootscript are different from the SRK hash put in the fuse
+ * Example of defining KEY_HASH is
+ * #define CONFIG_BOOTSCRIPT_KEY_HASH \
+ * "41066b564c6ffcef40ccbc1e0a5d0d519604000c785d97bbefd25e4d288d1c8b"
+ */
+
+#define CONFIG_CMD_ESBC_VALIDATE
+
+#if defined(CONFIG_FSL_CORENET)
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xe8e00000
+#else
+#define CONFIG_BOOTSCRIPT_HDR_ADDR 0xee020000
+#endif
+
+/*
+ * Control should not reach back to uboot after validation of images
+ * for secure boot flow and therefore bootscript should have
+ * the bootm command. If control reaches back to uboot anyhow
+ * after validating images, core should just spin.
+ */
+#ifdef CONFIG_BOOTSCRIPT_KEY_HASH
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "esbc_validate $bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_KEY_HASH)";"\
+ "source $img_addr;" \
+ "esbc_halt;"
+#else
+#define CONFIG_SECBOOT \
+ "setenv bs_hdraddr " __stringify(CONFIG_BOOTSCRIPT_HDR_ADDR)";" \
+ "esbc_validate $bs_hdraddr;" \
+ "source $img_addr;" \
+ "esbc_halt;"
+#endif
+
+/* For secure boot flow, default environment used will be used */
+#if defined(CONFIG_SYS_RAMBOOT)
+#if defined(CONFIG_RAMBOOT_SPIFLASH)
+#undef CONFIG_ENV_IS_IN_SPI_FLASH
+#elif defined(CONFIG_NAND)
+#undef CONFIG_ENV_IS_IN_NAND
+#endif
+#else /*CONFIG_SYS_RAMBOOT*/
+#undef CONFIG_ENV_IS_IN_FLASH
+#endif
+
+#define CONFIG_ENV_IS_NOWHERE
+
+/*
+ * We don't want boot delay for secure boot flow
+ * before autoboot starts
+ */
+#undef CONFIG_BOOTDELAY
+#define CONFIG_BOOTDELAY 0
+#undef CONFIG_BOOTCOMMAND
+#define CONFIG_BOOTCOMMAND CONFIG_SECBOOT
+
+/*
+ * CONFIG_ZERO_BOOTDELAY_CHECK should not be defined for
+ * secure boot flow as defining this would enable a user to
+ * reach uboot prompt by pressing some key before start of
+ * autoboot
+ */
+#undef CONFIG_ZERO_BOOTDELAY_CHECK
+
#endif
diff --git a/arch/powerpc/include/asm/fsl_sfp_snvs.h b/arch/powerpc/include/asm/fsl_sfp_snvs.h
new file mode 100644
index 0000000..c215359
--- /dev/null
+++ b/arch/powerpc/include/asm/fsl_sfp_snvs.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright 2010-2012 Freescale Semiconductor, Inc.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston,
+ * MA 02111-1307 USA
+ */
+
+#ifndef _FSL_SFP_SNVS_
+#define _FSL_SFP_SNVS_
+
+#include <common.h>
+
+/* Number of SRKH registers */
+#define NUM_SRKH_REGS 8
+
+/*
+ * SNVS read. This specifies the possible reads
+ * from the SNVS
+ */
+enum {
+ SNVS_SSM_ST,
+ SNVS_SW_FSV,
+ SNVS_SW_SV,
+};
+
+void branch_to_self(void);
+int change_sec_mon_state(uint32_t initial_state, uint32_t final_state);
+void generate_reset_req(void);
+
+#endif
diff --git a/arch/powerpc/include/asm/immap_85xx.h b/arch/powerpc/include/asm/immap_85xx.h
index ac8f608..38f8b59 100644
--- a/arch/powerpc/include/asm/immap_85xx.h
+++ b/arch/powerpc/include/asm/immap_85xx.h
@@ -2949,6 +2949,48 @@ struct ccsr_pman {
u8 res_f4[0xf0c];
};
#endif
+#ifdef CONFIG_SFP_v3_0
+typedef struct ccsr_sfp_regs {
+ u32 ospr; /* 0x200 */
+ u32 reserved0[14];
+ u32 srk_hash[8]; /* 0x23c Super Root Key Hash */
+ u32 oem_uid; /* 0x9c OEM Unique ID */
+ u8 reserved2[0x04];
+ u32 ovpr; /* 0xA4 Intent To Secure */
+ u8 reserved4[0x08];
+ u32 fsl_uid; /* 0xB0 FSL Unique ID */
+} ccsr_sfp_regs_t;
+#else
+typedef struct ccsr_sfp_regs {
+ u8 reserved0[0x40];
+ u32 ospr; /* 0x40 OEM Security Policy Register */
+ u8 reserved2[0x38];
+ u32 srk_hash[8]; /* 0x7c Super Root Key Hash */
+ u32 oem_uid; /* 0x9c OEM Unique ID */
+ u8 reserved4[0x4];
+ u32 ovpr; /* 0xA4 OEM Validation Policy Register */
+ u8 reserved8[0x8];
+ u32 fsl_uid; /* 0xB0 FSL Unique ID */
+} ccsr_sfp_regs_t;
+#endif
+#define ITS_MASK 0x00000004
+#define ITS_BIT 2
+
+typedef struct ccsr_snvs_regs {
+ u8 reserved0[0x04];
+ u32 hp_com; /* 0x04 SNVS_HP Command Register */
+ u8 reserved2[0x0c];
+ u32 hp_stat; /* 0x08 SNVS_HP Status Register */
+} ccsr_snvs_regs_t;
+
+#define HPCOMR_SW_SV 0x100 /* Security Violation bit */
+#define HPCOMR_SW_FSV 0x200 /* Fatal Security Violation bit */
+#define HPCOMR_SSM_ST 0x1 /* SSM_ST field in SNVS command reg */
+#define HPSR_SSM_ST_CHECK 0x900 /* SNVS is in check state */
+#define HPSR_SSM_ST_NON_SECURE 0xb00 /* SNVS is in non secure state */
+#define HPSR_SSM_ST_TRUST 0xd00 /* SNVS is in trusted state */
+#define HPSR_SSM_ST_SOFT_FAIL 0x300 /* SNVS is in soft fail state */
+#define HPSR_SSM_ST_MASK 0xf00 /* Mask for SSM_ST field */
#ifdef CONFIG_FSL_CORENET
#define CONFIG_SYS_FSL_CORENET_CCM_OFFSET 0x0000
@@ -2962,6 +3004,14 @@ struct ccsr_pman {
#define CONFIG_SYS_MPC8xxx_DDR3_OFFSET 0xA000
#define CONFIG_SYS_FSL_CORENET_CLK_OFFSET 0xE1000
#define CONFIG_SYS_FSL_CORENET_RCPM_OFFSET 0xE2000
+#ifdef CONFIG_SFP_v3_0
+/* In SFPv3, OSPR register is now at offset 0x200.
+ * So directly mapping sfp register map to this address */
+#define CONFIG_SYS_OSPR_OFFSET 0x200
+#define CONFIG_SYS_SFP_OFFSET (0xE8000 + CONFIG_SYS_OSPR_OFFSET)
+#else
+#define CONFIG_SYS_SFP_OFFSET 0xE8000
+#endif
#define CONFIG_SYS_FSL_CORENET_SERDES_OFFSET 0xEA000
#define CONFIG_SYS_FSL_CORENET_SERDES2_OFFSET 0xEB000
#define CONFIG_SYS_FSL_CPC_OFFSET 0x10000
@@ -3163,6 +3213,11 @@ struct ccsr_pman {
#define CONFIG_SYS_PCIE4_ADDR \
(CONFIG_SYS_IMMR + CONFIG_SYS_MPC85xx_PCIE4_OFFSET)
+#define CONFIG_SYS_SFP_ADDR \
+ (CONFIG_SYS_IMMR + CONFIG_SYS_SFP_OFFSET)
+#define CONFIG_SYS_SNVS_ADDR \
+ (CONFIG_SYS_IMMR + CONFIG_SYS_SNVS_OFFSET)
+
#define TSEC_BASE_ADDR (CONFIG_SYS_IMMR + CONFIG_SYS_TSEC1_OFFSET)
#define MDIO_BASE_ADDR (CONFIG_SYS_IMMR + CONFIG_SYS_MDIO1_OFFSET)
--
1.7.7.6
^ permalink raw reply related [flat|nested] 13+ messages in thread* [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation
2013-03-28 10:46 [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Ruchika Gupta
` (4 preceding siblings ...)
2013-03-28 10:46 ` [U-Boot] [PATCH 5/5] Added command for validation of images in case of secure boot Ruchika Gupta
@ 2013-03-28 14:52 ` Otavio Salvador
2013-03-29 4:43 ` Gupta Ruchika-R66431
5 siblings, 1 reply; 13+ messages in thread
From: Otavio Salvador @ 2013-03-28 14:52 UTC (permalink / raw)
To: u-boot
On Thu, Mar 28, 2013 at 7:46 AM, Ruchika Gupta
<ruchika.gupta@freescale.com> wrote:
> The patch set adds support for next level image validation (linux,
> rootfs, dtb) in secure boot scenarios.
It seems to focus in PowerPC, do you know if same code could be ported to ARM?
--
Otavio Salvador O.S. Systems
E-mail: otavio at ossystems.com.br http://www.ossystems.com.br
Mobile: +55 53 9981-7854 http://projetos.ossystems.com.br
^ permalink raw reply [flat|nested] 13+ messages in thread* [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation
2013-03-28 14:52 ` [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation Otavio Salvador
@ 2013-03-29 4:43 ` Gupta Ruchika-R66431
2013-03-29 22:37 ` Kim Phillips
0 siblings, 1 reply; 13+ messages in thread
From: Gupta Ruchika-R66431 @ 2013-03-29 4:43 UTC (permalink / raw)
To: u-boot
> -----Original Message-----
> From: otavio.salvador at gmail.com [mailto:otavio.salvador at gmail.com] On Behalf
> Of Otavio Salvador
> Sent: Thursday, March 28, 2013 8:23 PM
> To: Gupta Ruchika-R66431
> Cc: U-Boot Mailing List; Fleming Andy-AFLEMING
> Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next
> level image validation
>
> On Thu, Mar 28, 2013 at 7:46 AM, Ruchika Gupta <ruchika.gupta@freescale.com>
> wrote:
> > The patch set adds support for next level image validation (linux,
> > rootfs, dtb) in secure boot scenarios.
>
> It seems to focus in PowerPC, do you know if same code could be ported to
> ARM?
For the code to be ported to ARM platform, corresponding hardware blocks like cryptographic accelerator/SW support for crypto operations, IOMMU and a security monitor block will be required.
Ruchika
>
> --
> Otavio Salvador O.S. Systems
> E-mail: otavio at ossystems.com.br http://www.ossystems.com.br
> Mobile: +55 53 9981-7854 http://projetos.ossystems.com.br
^ permalink raw reply [flat|nested] 13+ messages in thread
* [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation
2013-03-29 4:43 ` Gupta Ruchika-R66431
@ 2013-03-29 22:37 ` Kim Phillips
2013-03-30 5:01 ` Gupta Ruchika-R66431
2013-04-09 10:11 ` Gupta Ruchika-R66431
0 siblings, 2 replies; 13+ messages in thread
From: Kim Phillips @ 2013-03-29 22:37 UTC (permalink / raw)
To: u-boot
On Fri, 29 Mar 2013 04:43:23 +0000
Gupta Ruchika-R66431 <R66431@freescale.com> wrote:
> > From: otavio.salvador at gmail.com [mailto:otavio.salvador at gmail.com] On Behalf
> > Of Otavio Salvador
> > Sent: Thursday, March 28, 2013 8:23 PM
> > To: Gupta Ruchika-R66431
> > Cc: U-Boot Mailing List; Fleming Andy-AFLEMING
> > Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next
> > level image validation
> >
> > On Thu, Mar 28, 2013 at 7:46 AM, Ruchika Gupta <ruchika.gupta@freescale.com>
> > wrote:
> > > The patch set adds support for next level image validation (linux,
> > > rootfs, dtb) in secure boot scenarios.
> >
> > It seems to focus in PowerPC, do you know if same code could be ported to
> > ARM?
> For the code to be ported to ARM platform, corresponding hardware blocks like cryptographic accelerator/SW support for crypto operations, IOMMU and a security monitor block will be required.
i.mx6 has, and other future ARM-based devices will have, a CAAM, so
I see no reason why any of this code should be restricted to power
arch at all.
How does this patchseries integrate with this SHA offload
patchseries:
http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156321
and this "verified boot" implementation:
http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156422
?
Kim
^ permalink raw reply [flat|nested] 13+ messages in thread
* [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation
2013-03-29 22:37 ` Kim Phillips
@ 2013-03-30 5:01 ` Gupta Ruchika-R66431
2013-04-09 10:11 ` Gupta Ruchika-R66431
1 sibling, 0 replies; 13+ messages in thread
From: Gupta Ruchika-R66431 @ 2013-03-30 5:01 UTC (permalink / raw)
To: u-boot
> -----Original Message-----
> From: Phillips Kim-R1AAHA
> Sent: Saturday, March 30, 2013 4:08 AM
> To: Gupta Ruchika-R66431
> Cc: Otavio Salvador; U-Boot Mailing List; Fleming Andy-AFLEMING
> Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next
> level image validation
>
> On Fri, 29 Mar 2013 04:43:23 +0000
> Gupta Ruchika-R66431 <R66431@freescale.com> wrote:
>
> > > From: otavio.salvador at gmail.com [mailto:otavio.salvador at gmail.com]
> > > On Behalf Of Otavio Salvador
> > > Sent: Thursday, March 28, 2013 8:23 PM
> > > To: Gupta Ruchika-R66431
> > > Cc: U-Boot Mailing List; Fleming Andy-AFLEMING
> > > Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for
> > > next level image validation
> > >
> > > On Thu, Mar 28, 2013 at 7:46 AM, Ruchika Gupta
> > > <ruchika.gupta@freescale.com>
> > > wrote:
> > > > The patch set adds support for next level image validation (linux,
> > > > rootfs, dtb) in secure boot scenarios.
> > >
> > > It seems to focus in PowerPC, do you know if same code could be
> > > ported to ARM?
> > For the code to be ported to ARM platform, corresponding hardware blocks
> like cryptographic accelerator/SW support for crypto operations, IOMMU and a
> security monitor block will be required.
>
> i.mx6 has, and other future ARM-based devices will have, a CAAM, so I see no
> reason why any of this code should be restricted to power arch at all.
>
> How does this patchseries integrate with this SHA offload
> patchseries:
>
> http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156321
>
> and this "verified boot" implementation:
>
> http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156422
>
> ?
>
> Kim
Thanks for the suggestion Kim. I will have a look at the links you mentioned and see how my patches can fit in. Since I am on leave this week so my response on this will be a little delayed.
Ruchika
^ permalink raw reply [flat|nested] 13+ messages in thread
* [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next level image validation
2013-03-29 22:37 ` Kim Phillips
2013-03-30 5:01 ` Gupta Ruchika-R66431
@ 2013-04-09 10:11 ` Gupta Ruchika-R66431
1 sibling, 0 replies; 13+ messages in thread
From: Gupta Ruchika-R66431 @ 2013-04-09 10:11 UTC (permalink / raw)
To: u-boot
> -----Original Message-----
> From: Phillips Kim-R1AAHA
> Sent: Saturday, March 30, 2013 4:08 AM
> To: Gupta Ruchika-R66431
> Cc: Otavio Salvador; U-Boot Mailing List; Fleming Andy-AFLEMING
> Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for next
> level image validation
>
> On Fri, 29 Mar 2013 04:43:23 +0000
> Gupta Ruchika-R66431 <R66431@freescale.com> wrote:
>
> > > From: otavio.salvador at gmail.com [mailto:otavio.salvador at gmail.com]
> > > On Behalf Of Otavio Salvador
> > > Sent: Thursday, March 28, 2013 8:23 PM
> > > To: Gupta Ruchika-R66431
> > > Cc: U-Boot Mailing List; Fleming Andy-AFLEMING
> > > Subject: Re: [U-Boot] [PATCH 0/5] FSL SECURE BOOT: Add support for
> > > next level image validation
> > >
> > > On Thu, Mar 28, 2013 at 7:46 AM, Ruchika Gupta
> > > <ruchika.gupta@freescale.com>
> > > wrote:
> > > > The patch set adds support for next level image validation (linux,
> > > > rootfs, dtb) in secure boot scenarios.
> > >
> > > It seems to focus in PowerPC, do you know if same code could be
> > > ported to ARM?
> > For the code to be ported to ARM platform, corresponding hardware blocks
> like cryptographic accelerator/SW support for crypto operations, IOMMU and a
> security monitor block will be required.
>
> i.mx6 has, and other future ARM-based devices will have, a CAAM, so I see no
> reason why any of this code should be restricted to power arch at all.
>
> How does this patchseries integrate with this SHA offload
> patchseries:
>
> http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156321
Once this patch series is applied on the main branch I will rebase my patch, align to this and re-send.
>
> and this "verified boot" implementation:
>
> http://article.gmane.org/gmane.comp.boot-loaders.u-boot/156422
>
> ?
Thanks for pointing this link out. We have been using bootscript approach for validating next level images, which works on validation of each of the Linux, rootfs and dtb image separately. The location of this bootscript is hardcoded in the board bootcmd file. However the approach pointed by this link is more generic, since it validates a single FIT image. I will work towards integrating our SoC's approach into this framework.
Ruchika
^ permalink raw reply [flat|nested] 13+ messages in thread