1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3 * Copyright (C) Foundries Ltd. 2022.
4 * Author: Jorge Ramirez <jorge@foundries.io>
5 */
6
7 #include <assert.h>
8 #include <crypto/crypto_impl.h>
9 #include <drvcrypt.h>
10 #include <drvcrypt_acipher.h>
11 #include <initcall.h>
12 #include <ipi.h>
13 #include <mm/core_memprot.h>
14 #include <string.h>
15 #include <tee/cache.h>
16
17 #define RSA_MAX_PRIV_EXP_LEN 512
18 #define RSA_MAX_PUB_EXP_LEN 4
19 #define RSA_MAX_MOD_LEN 512
20
crypto_bignum_bn2bin_pad(size_t size,struct bignum * from,uint8_t * to)21 static void crypto_bignum_bn2bin_pad(size_t size,
22 struct bignum *from, uint8_t *to)
23 {
24 size_t len = crypto_bignum_num_bytes(from);
25
26 crypto_bignum_bn2bin(from, to + size - len);
27 }
28
do_encrypt(struct drvcrypt_rsa_ed * rsa_data)29 static TEE_Result do_encrypt(struct drvcrypt_rsa_ed *rsa_data)
30 {
31 struct rsa_public_key *p = rsa_data->key.key;
32 struct versal_rsa_input_param *cmd = NULL;
33 struct versal_mbox_mem cmd_buf = { };
34 struct versal_mbox_mem cipher = { };
35 struct versal_mbox_mem key = { };
36 struct versal_mbox_mem msg = { };
37 struct versal_cmd_args arg = { };
38 TEE_Result ret = TEE_SUCCESS;
39 uint32_t err = 0;
40
41 switch (rsa_data->rsa_id) {
42 case DRVCRYPT_RSA_PKCS_V1_5:
43 if (rsa_data->key.n_size != 128)
44 break;
45
46 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo,
47 rsa_data->key.key,
48 rsa_data->label.data,
49 rsa_data->label.length,
50 rsa_data->message.data,
51 rsa_data->message.length,
52 rsa_data->cipher.data,
53 &rsa_data->cipher.length);
54 case DRVCRYPT_RSA_OAEP:
55 return sw_crypto_acipher_rsaes_encrypt(rsa_data->algo,
56 rsa_data->key.key,
57 rsa_data->label.data,
58 rsa_data->label.length,
59 rsa_data->message.data,
60 rsa_data->message.length,
61 rsa_data->cipher.data,
62 &rsa_data->cipher.length);
63 case DRVCRYPT_RSA_NOPAD:
64 return sw_crypto_acipher_rsanopad_encrypt(rsa_data->key.key,
65 rsa_data->message.data,
66 rsa_data->message.length,
67 rsa_data->cipher.data,
68 &rsa_data->cipher.length);
69 case DRVCRYPT_RSASSA_PKCS_V1_5:
70 assert(rsa_data->hash_algo != TEE_ALG_SHA1);
71 assert(rsa_data->key.n_size != 128);
72 break;
73 case DRVCRYPT_RSASSA_PSS:
74 default:
75 assert(0);
76 }
77
78 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PUB_EXP_LEN, NULL, &key);
79 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf);
80 crypto_bignum_bn2bin_pad(RSA_MAX_PUB_EXP_LEN,
81 p->e, (uint8_t *)key.buf + RSA_MAX_MOD_LEN);
82
83 versal_mbox_alloc(rsa_data->message.length, rsa_data->message.data,
84 &msg);
85 versal_mbox_alloc(rsa_data->cipher.length, NULL, &cipher);
86 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf);
87
88 cmd = cmd_buf.buf;
89 cmd->key_len = rsa_data->key.n_size;
90 cmd->data_addr = virt_to_phys(msg.buf);
91 cmd->key_addr = virt_to_phys(key.buf);
92
93 arg.ibuf[0].mem = cmd_buf;
94 arg.ibuf[1].mem = cipher;
95 arg.ibuf[2].mem = msg;
96 arg.ibuf[3].mem = key;
97
98 if (versal_crypto_request(VERSAL_RSA_PUBLIC_ENCRYPT, &arg, &err)) {
99 EMSG("Versal RSA: encrypt: error 0x%x [id:0x%x, len:%zu]",
100 err, rsa_data->rsa_id, rsa_data->key.n_size);
101
102 if (rsa_data->rsa_id == DRVCRYPT_RSASSA_PKCS_V1_5)
103 ret = TEE_ERROR_SIGNATURE_INVALID;
104 else
105 ret = TEE_ERROR_GENERIC;
106 }
107
108 if (!ret) {
109 rsa_data->cipher.length = rsa_data->key.n_size;
110 memcpy(rsa_data->cipher.data, cipher.buf, rsa_data->key.n_size);
111 }
112
113 free(cipher.buf);
114 free(cmd);
115 free(msg.buf);
116 free(key.buf);
117
118 return ret;
119 }
120
do_decrypt(struct drvcrypt_rsa_ed * rsa_data)121 static TEE_Result do_decrypt(struct drvcrypt_rsa_ed *rsa_data)
122 {
123 struct versal_rsa_input_param *cmd = NULL;
124 struct rsa_keypair *p = rsa_data->key.key;
125 struct versal_mbox_mem cmd_buf = { };
126 struct versal_mbox_mem cipher = { };
127 struct versal_mbox_mem key = { };
128 struct versal_mbox_mem msg = { };
129 struct versal_cmd_args arg = { };
130 TEE_Result ret = TEE_SUCCESS;
131 uint32_t err = 0;
132
133 switch (rsa_data->rsa_id) {
134 case DRVCRYPT_RSA_PKCS_V1_5:
135 if (rsa_data->key.n_size != 128)
136 break;
137
138 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo,
139 rsa_data->key.key,
140 rsa_data->label.data,
141 rsa_data->label.length,
142 rsa_data->cipher.data,
143 rsa_data->cipher.length,
144 rsa_data->message.data,
145 &rsa_data->message.length);
146 case DRVCRYPT_RSA_OAEP:
147 return sw_crypto_acipher_rsaes_decrypt(rsa_data->algo,
148 rsa_data->key.key,
149 rsa_data->label.data,
150 rsa_data->label.length,
151 rsa_data->cipher.data,
152 rsa_data->cipher.length,
153 rsa_data->message.data,
154 &rsa_data->message.length);
155 case DRVCRYPT_RSA_NOPAD:
156 return sw_crypto_acipher_rsanopad_decrypt(rsa_data->key.key,
157 rsa_data->cipher.data,
158 rsa_data->cipher.length,
159 rsa_data->message.data,
160 &rsa_data->message.length);
161 case DRVCRYPT_RSASSA_PKCS_V1_5:
162 assert(rsa_data->hash_algo != TEE_ALG_SHA1);
163 assert(rsa_data->key.n_size != 128);
164 break;
165 case DRVCRYPT_RSASSA_PSS:
166 default:
167 assert(0);
168 }
169
170 versal_mbox_alloc(RSA_MAX_MOD_LEN + RSA_MAX_PRIV_EXP_LEN, NULL, &key);
171 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->n, key.buf);
172 crypto_bignum_bn2bin_pad(rsa_data->key.n_size, p->d,
173 (uint8_t *)key.buf + RSA_MAX_MOD_LEN);
174
175 versal_mbox_alloc(rsa_data->cipher.length, rsa_data->cipher.data,
176 &cipher);
177 versal_mbox_alloc(rsa_data->message.length, NULL, &msg);
178 versal_mbox_alloc(sizeof(*cmd), NULL, &cmd_buf);
179
180 cmd = cmd_buf.buf;
181 cmd->key_len = rsa_data->key.n_size;
182 cmd->data_addr = virt_to_phys(cipher.buf);
183 cmd->key_addr = virt_to_phys(key.buf);
184
185 arg.ibuf[0].mem = cmd_buf;
186 arg.ibuf[1].mem = msg;
187 arg.ibuf[2].mem = cipher;
188 arg.ibuf[3].mem = key;
189
190 if (versal_crypto_request(VERSAL_RSA_PRIVATE_DECRYPT, &arg, &err)) {
191 EMSG("Versal RSA: decrypt: error 0x%x [id:0x%x, len:%zu]",
192 err, rsa_data->rsa_id, rsa_data->key.n_size);
193 ret = TEE_ERROR_GENERIC;
194 }
195
196 if (!ret) {
197 rsa_data->message.length = rsa_data->key.n_size;
198 memcpy(rsa_data->message.data, msg.buf, rsa_data->key.n_size);
199 }
200
201 free(cipher.buf);
202 free(cmd);
203 free(key.buf);
204 free(msg.buf);
205
206 return ret;
207 }
208
do_ssa_sign(struct drvcrypt_rsa_ssa * p)209 static TEE_Result do_ssa_sign(struct drvcrypt_rsa_ssa *p)
210 {
211 switch (p->algo) {
212 case TEE_ALG_RSASSA_PKCS1_V1_5:
213 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
214 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
215 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
216 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
217 if (p->key.n_size != 128) {
218 /* use DRVCRYPT_RSASSA_PKCS_V1_5, decrypt */
219 return TEE_ERROR_NOT_IMPLEMENTED;
220 }
221 return sw_crypto_acipher_rsassa_sign(p->algo,
222 p->key.key,
223 p->salt_len,
224 p->message.data,
225 p->message.length,
226 p->signature.data,
227 &p->signature.length);
228 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
229 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
230 return sw_crypto_acipher_rsassa_sign(p->algo,
231 p->key.key,
232 p->salt_len,
233 p->message.data,
234 p->message.length,
235 p->signature.data,
236 &p->signature.length);
237 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
238 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
239 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
240 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
241 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
242 return sw_crypto_acipher_rsassa_sign(p->algo,
243 p->key.key,
244 p->salt_len,
245 p->message.data,
246 p->message.length,
247 p->signature.data,
248 &p->signature.length);
249 default:
250 break;
251 }
252
253 return TEE_ERROR_BAD_PARAMETERS;
254 }
255
do_ssa_verify(struct drvcrypt_rsa_ssa * p)256 static TEE_Result do_ssa_verify(struct drvcrypt_rsa_ssa *p)
257 {
258 switch (p->algo) {
259 case TEE_ALG_RSASSA_PKCS1_V1_5:
260 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA224:
261 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA256:
262 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA384:
263 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA512:
264 if (p->key.n_size != 128) {
265 /* use DRVCRYPT_RSASSA_PKCS_V1_5, encrypt */
266 return TEE_ERROR_NOT_IMPLEMENTED;
267 }
268 return sw_crypto_acipher_rsassa_verify(p->algo,
269 p->key.key,
270 p->salt_len,
271 p->message.data,
272 p->message.length,
273 p->signature.data,
274 p->signature.length);
275 case TEE_ALG_RSASSA_PKCS1_V1_5_MD5:
276 case TEE_ALG_RSASSA_PKCS1_V1_5_SHA1:
277 return sw_crypto_acipher_rsassa_verify(p->algo,
278 p->key.key,
279 p->salt_len,
280 p->message.data,
281 p->message.length,
282 p->signature.data,
283 p->signature.length);
284 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA1:
285 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA224:
286 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA256:
287 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA384:
288 case TEE_ALG_RSASSA_PKCS1_PSS_MGF1_SHA512:
289 return sw_crypto_acipher_rsassa_verify(p->algo,
290 p->key.key,
291 p->salt_len,
292 p->message.data,
293 p->message.length,
294 p->signature.data,
295 p->signature.length);
296 default:
297 break;
298 }
299
300 return TEE_ERROR_BAD_PARAMETERS;
301 }
302
do_gen_keypair(struct rsa_keypair * s,size_t size_bits)303 static TEE_Result do_gen_keypair(struct rsa_keypair *s, size_t size_bits)
304 {
305 return sw_crypto_acipher_gen_rsa_key(s, size_bits);
306 }
307
do_alloc_keypair(struct rsa_keypair * s,size_t size_bits)308 static TEE_Result do_alloc_keypair(struct rsa_keypair *s, size_t size_bits)
309 {
310 return sw_crypto_acipher_alloc_rsa_keypair(s, size_bits);
311 }
312
do_alloc_publickey(struct rsa_public_key * key,size_t bits)313 static TEE_Result do_alloc_publickey(struct rsa_public_key *key, size_t bits)
314 {
315 return sw_crypto_acipher_alloc_rsa_public_key(key, bits);
316 }
317
do_free_publickey(struct rsa_public_key * s)318 static void do_free_publickey(struct rsa_public_key *s)
319 {
320 sw_crypto_acipher_free_rsa_public_key(s);
321 }
322
do_free_keypair(struct rsa_keypair * s)323 static void do_free_keypair(struct rsa_keypair *s)
324 {
325 sw_crypto_acipher_free_rsa_keypair(s);
326 }
327
328 static struct drvcrypt_rsa driver_rsa = {
329 .alloc_publickey = do_alloc_publickey,
330 .free_publickey = do_free_publickey,
331 .alloc_keypair = do_alloc_keypair,
332 .optional.ssa_verify = do_ssa_verify,
333 .optional.ssa_sign = do_ssa_sign,
334 .free_keypair = do_free_keypair,
335 .gen_keypair = do_gen_keypair,
336 .encrypt = do_encrypt,
337 .decrypt = do_decrypt,
338 };
339
rsa_init(void)340 static TEE_Result rsa_init(void)
341 {
342 struct versal_cmd_args arg = { };
343
344 if (versal_crypto_request(VERSAL_RSA_KAT, &arg, NULL))
345 return TEE_ERROR_GENERIC;
346
347 return drvcrypt_register_rsa(&driver_rsa);
348 }
349
350 driver_init(rsa_init);
351