1 // SPDX-License-Identifier: BSD-2-Clause
2 /*
3  * Copyright (c) 2022, Linaro Limited
4  * Copyright (c) 2022, Foundries.io Limited
5  */
6 
7 #include <assert.h>
8 #include <config.h>
9 #include <crypto/crypto.h>
10 #include <drivers/stm32_bsec.h>
11 #include <kernel/tee_common_otp.h>
12 #include <mempool.h>
13 #include <platform_config.h>
14 #include <stm32_util.h>
15 #include <string.h>
16 #include <string_ext.h>
17 
18 static bool stm32mp15_huk_init;
19 
stm32mp15_read_uid(uint32_t * uid)20 static TEE_Result stm32mp15_read_uid(uint32_t *uid)
21 {
22 	TEE_Result ret = TEE_ERROR_GENERIC;
23 	uint32_t *q = uid;
24 	uint32_t otp_idx = 0;
25 	size_t __maybe_unused sz = 0;
26 
27 	ret = stm32_bsec_find_otp_in_nvmem_layout("uid_otp", &otp_idx, &sz);
28 	if (ret)
29 		return ret;
30 	assert(sz == 3 * 32);
31 
32 	/*
33 	 * Shadow memory for UID words might not be locked: to guarante that
34 	 * the final values are read we must lock them.
35 	 */
36 	if (stm32_bsec_set_sw_lock(otp_idx) ||
37 	    stm32_bsec_shadow_read_otp(q++, otp_idx))
38 		return TEE_ERROR_GENERIC;
39 
40 	if (stm32_bsec_set_sw_lock(otp_idx + 1) ||
41 	    stm32_bsec_shadow_read_otp(q++, otp_idx + 1))
42 		return TEE_ERROR_GENERIC;
43 
44 	if (stm32_bsec_set_sw_lock(otp_idx + 2) ||
45 	    stm32_bsec_shadow_read_otp(q++, otp_idx + 2))
46 		return TEE_ERROR_GENERIC;
47 
48 	return TEE_SUCCESS;
49 }
50 
stm32mp15_read_otp(uint32_t otp,uint32_t * key,bool * locked)51 static TEE_Result stm32mp15_read_otp(uint32_t otp, uint32_t *key, bool *locked)
52 {
53 	bool tmp = true;
54 	uint32_t state = 0;
55 
56 	if (stm32_bsec_get_state(&state))
57 		panic();
58 
59 	if (state != BSEC_STATE_SEC_CLOSED) {
60 		/*
61 		 * When the device is not closed, the shadow memory for these
62 		 * words might not be locked: check and report them
63 		 */
64 		if (stm32_bsec_read_permanent_lock(otp, &tmp))
65 			return TEE_ERROR_GENERIC;
66 
67 		if (tmp && stm32_bsec_read_sw_lock(otp, &tmp))
68 			return TEE_ERROR_GENERIC;
69 	}
70 
71 	if (stm32_bsec_shadow_read_otp(key, otp))
72 		return TEE_ERROR_GENERIC;
73 
74 	*locked = *locked && tmp;
75 
76 	return TEE_SUCCESS;
77 }
78 
79 /*
80  *  AES-GCM: nonce must be unique per message and key.
81  *
82  *  This function always uses the same key - once its locked - with the same
83  *  unique message hence the nonce can be any constant.
84  */
aes_gcm_encrypt_uid(uint8_t * key,size_t key_len,uint8_t * out,size_t * out_len)85 static TEE_Result aes_gcm_encrypt_uid(uint8_t *key, size_t key_len,
86 				      uint8_t *out, size_t *out_len)
87 {
88 	TEE_Result ret = TEE_ERROR_GENERIC;
89 	const uint8_t nonce[12] = { 0x55 };
90 	uint32_t uid[4] = { 0 };
91 	uint8_t tag[16] = { 0 };
92 	size_t nonce_len = sizeof(nonce);
93 	size_t tag_len = sizeof(tag);
94 	size_t uid_len = sizeof(uid);
95 	void *ctx = NULL;
96 
97 	ret = stm32mp15_read_uid(uid);
98 	if (ret)
99 		goto out;
100 
101 	ret = crypto_authenc_alloc_ctx(&ctx, TEE_ALG_AES_GCM);
102 	if (ret)
103 		goto out;
104 
105 	ret = crypto_authenc_init(ctx, TEE_MODE_ENCRYPT, key, key_len, nonce,
106 				  nonce_len, TEE_AES_BLOCK_SIZE, 0, uid_len);
107 	if (ret)
108 		goto out_free_ctx;
109 
110 	ret = crypto_authenc_enc_final(ctx, (uint8_t *)uid, sizeof(uid),
111 				       out, out_len, tag, &tag_len);
112 	if (ret)
113 		goto out_free_ctx;
114 
115 	crypto_authenc_final(ctx);
116 out_free_ctx:
117 	crypto_authenc_free_ctx(ctx);
118 out:
119 	if (ret)
120 		memzero_explicit(out, *out_len);
121 
122 	return ret;
123 }
124 
tee_otp_get_hw_unique_key(struct tee_hw_unique_key * hwkey)125 TEE_Result tee_otp_get_hw_unique_key(struct tee_hw_unique_key *hwkey)
126 {
127 	uint32_t otp_key[4] = { 0 };
128 	size_t len = sizeof(otp_key);
129 	TEE_Result ret = TEE_SUCCESS;
130 	uint32_t *key = otp_key;
131 	bool lock = true;
132 
133 	static_assert(CFG_STM32MP15_HUK_BSEC_KEY_0 < STM32MP1_OTP_MAX_ID);
134 	static_assert(CFG_STM32MP15_HUK_BSEC_KEY_1 < STM32MP1_OTP_MAX_ID);
135 	static_assert(CFG_STM32MP15_HUK_BSEC_KEY_2 < STM32MP1_OTP_MAX_ID);
136 	static_assert(CFG_STM32MP15_HUK_BSEC_KEY_3 < STM32MP1_OTP_MAX_ID);
137 
138 	ret = stm32mp15_read_otp(CFG_STM32MP15_HUK_BSEC_KEY_0, key++, &lock);
139 	if (ret)
140 		goto out;
141 
142 	ret = stm32mp15_read_otp(CFG_STM32MP15_HUK_BSEC_KEY_1, key++, &lock);
143 	if (ret)
144 		goto out;
145 
146 	ret = stm32mp15_read_otp(CFG_STM32MP15_HUK_BSEC_KEY_2, key++, &lock);
147 	if (ret)
148 		goto out;
149 
150 	ret = stm32mp15_read_otp(CFG_STM32MP15_HUK_BSEC_KEY_3, key++, &lock);
151 	if (ret)
152 		goto out;
153 
154 	if (IS_ENABLED(CFG_STM32MP15_HUK_BSEC_KEY)) {
155 		static_assert(sizeof(otp_key) == HW_UNIQUE_KEY_LENGTH);
156 		memcpy(hwkey->data, otp_key, HW_UNIQUE_KEY_LENGTH);
157 		ret = TEE_SUCCESS;
158 		goto out;
159 	}
160 
161 	if (IS_ENABLED(CFG_STM32MP15_HUK_BSEC_DERIVE_UID)) {
162 		ret = aes_gcm_encrypt_uid((uint8_t *)otp_key, len, hwkey->data,
163 					  &len);
164 		if (len != HW_UNIQUE_KEY_LENGTH)
165 			ret = TEE_ERROR_GENERIC;
166 		goto out;
167 	}
168 
169 	panic();
170 
171 out:
172 	memzero_explicit(otp_key, HW_UNIQUE_KEY_LENGTH);
173 
174 	if (!ret && !stm32mp15_huk_init) {
175 		stm32mp15_huk_init = true;
176 		IMSG("HUK %slocked", lock ? "" : "un");
177 		DHEXDUMP(hwkey->data, HW_UNIQUE_KEY_LENGTH);
178 	}
179 
180 	return ret;
181 }
182 
183