From: Om Prakash Singh <quic_omprsing@quicinc.com>
To: Gaurav Kashyap <quic_gaurkash@quicinc.com>,
<linux-scsi@vger.kernel.org>, <linux-arm-msm@vger.kernel.org>,
<ebiggers@google.com>, <neil.armstrong@linaro.org>,
<srinivas.kandagatla@linaro.org>
Cc: <linux-mmc@vger.kernel.org>, <linux-block@vger.kernel.org>,
<linux-fscrypt@vger.kernel.org>, <omprsing@qti.qualcomm.com>,
<quic_psodagud@quicinc.com>, <abel.vesa@linaro.org>,
<quic_spuppala@quicinc.com>, <kernel@quicinc.com>
Subject: Re: [PATCH v3 04/12] soc: qcom: ice: support for hardware wrapped keys
Date: Fri, 8 Dec 2023 13:15:52 +0530 [thread overview]
Message-ID: <0de13ec3-2b74-46bb-a32a-9066e637d5b1@quicinc.com> (raw)
In-Reply-To: <20231122053817.3401748-5-quic_gaurkash@quicinc.com>
On 11/22/2023 11:08 AM, Gaurav Kashyap wrote:
> Now that HWKM support is added to ICE, extend the ICE
> driver to support hardware wrapped keys programming coming
> in from the storage controllers (ufs and emmc). The patches that follow
> will add ufs and emmc support.
>
> Derive software secret support is also added by forwarding the
> call the corresponding scm api.
>
> Signed-off-by: Gaurav Kashyap <quic_gaurkash@quicinc.com>
> ---
> drivers/soc/qcom/ice.c | 114 +++++++++++++++++++++++++++++++++++++----
> include/soc/qcom/ice.h | 4 ++
> 2 files changed, 107 insertions(+), 11 deletions(-)
>
> diff --git a/drivers/soc/qcom/ice.c b/drivers/soc/qcom/ice.c
> index adf9cab848fa..ee7c0beef3d2 100644
> --- a/drivers/soc/qcom/ice.c
> +++ b/drivers/soc/qcom/ice.c
> @@ -27,6 +27,8 @@
> #define QCOM_ICE_REG_BIST_STATUS 0x0070
> #define QCOM_ICE_REG_ADVANCED_CONTROL 0x1000
> #define QCOM_ICE_REG_CONTROL 0x0
> +#define QCOM_ICE_LUT_KEYS_CRYPTOCFG_R16 0x4040
> +
> /* QCOM ICE HWKM registers */
> #define QCOM_ICE_REG_HWKM_TZ_KM_CTL 0x1000
> #define QCOM_ICE_REG_HWKM_TZ_KM_STATUS 0x1004
> @@ -37,6 +39,7 @@
> #define QCOM_ICE_REG_HWKM_BANK0_BBAC_3 0x500C
> #define QCOM_ICE_REG_HWKM_BANK0_BBAC_4 0x5010
>
> +/* QCOM ICE HWKM BIST vals */
> #define QCOM_ICE_HWKM_BIST_DONE_V1_VAL 0x11
> #define QCOM_ICE_HWKM_BIST_DONE_V2_VAL 0x287
>
> @@ -47,6 +50,8 @@
> #define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK 0x2
> #define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK 0x4
>
> +#define QCOM_ICE_LUT_KEYS_CRYPTOCFG_OFFSET 0x80
> +
> #define QCOM_ICE_HWKM_REG_OFFSET 0x8000
> #define HWKM_OFFSET(reg) ((reg) + QCOM_ICE_HWKM_REG_OFFSET)
>
> @@ -67,6 +72,16 @@ struct qcom_ice {
> bool hwkm_init_complete;
> };
>
> +union crypto_cfg {
> + __le32 regval;
> + struct {
> + u8 dusize;
> + u8 capidx;
> + u8 reserved;
> + u8 cfge;
> + };
> +};
> +
> static bool qcom_ice_check_supported(struct qcom_ice *ice)
> {
> u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
> @@ -237,6 +252,8 @@ static void qcom_ice_hwkm_init(struct qcom_ice *ice)
> /* Clear HWKM response FIFO before doing anything */
> qcom_ice_writel(ice, 0x8,
> HWKM_OFFSET(QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS));
> +
> + ice->hwkm_init_complete = true;
This this change should go with previous patch 3/12.
> }
>
> int qcom_ice_enable(struct qcom_ice *ice)
> @@ -284,6 +301,51 @@ int qcom_ice_suspend(struct qcom_ice *ice)
> }
> EXPORT_SYMBOL_GPL(qcom_ice_suspend);
>
> +/*
> + * HW dictates the internal mapping between the ICE and HWKM slots,
> + * which are different for different versions, make the translation
> + * here. For v1 however, the translation is done in trustzone.
> + */
> +static int translate_hwkm_slot(struct qcom_ice *ice, int slot)
> +{
> + return (ice->hwkm_version == 1) ? slot : (slot * 2);
> +}
> +
> +static int qcom_ice_program_wrapped_key(struct qcom_ice *ice,
> + const struct blk_crypto_key *key,
> + u8 data_unit_size, int slot)
> +{
> + int hwkm_slot;
> + int err;
> + union crypto_cfg cfg;
> +
> + hwkm_slot = translate_hwkm_slot(ice, slot);
> +
> + memset(&cfg, 0, sizeof(cfg));
> + cfg.dusize = data_unit_size;
> + cfg.capidx = QCOM_SCM_ICE_CIPHER_AES_256_XTS;
> + cfg.cfge = 0x80;
use macro for constant value "0x80"
> +
> + /* Clear CFGE */
> + qcom_ice_writel(ice, 0x0, QCOM_ICE_LUT_KEYS_CRYPTOCFG_R16 +
> + QCOM_ICE_LUT_KEYS_CRYPTOCFG_OFFSET * slot);
> +
> + /* Call trustzone to program the wrapped key using hwkm */
> + err = qcom_scm_ice_set_key(hwkm_slot, key->raw, key->size,
> + QCOM_SCM_ICE_CIPHER_AES_256_XTS, data_unit_size);
> + if (err) {
> + pr_err("%s:SCM call Error: 0x%x slot %d\n", __func__, err,
> + slot);
> + return err;
> + }
> +
> + /* Enable CFGE after programming key */
> + qcom_ice_writel(ice, cfg.regval, QCOM_ICE_LUT_KEYS_CRYPTOCFG_R16 +
> + QCOM_ICE_LUT_KEYS_CRYPTOCFG_OFFSET * slot);
> +
> + return err;
> +}
> +
> int qcom_ice_program_key(struct qcom_ice *ice,
> u8 algorithm_id, u8 key_size,
> const struct blk_crypto_key *bkey,
> @@ -299,24 +361,31 @@ int qcom_ice_program_key(struct qcom_ice *ice,
>
> /* Only AES-256-XTS has been tested so far. */
> if (algorithm_id != QCOM_ICE_CRYPTO_ALG_AES_XTS ||
> - key_size != QCOM_ICE_CRYPTO_KEY_SIZE_256) {
> + (key_size != QCOM_ICE_CRYPTO_KEY_SIZE_256 &&
> + key_size != QCOM_ICE_CRYPTO_KEY_SIZE_WRAPPED)) {
Can you please check the logic with && operation. the condition will
always be false.
> dev_err_ratelimited(dev,
> "Unhandled crypto capability; algorithm_id=%d, key_size=%d\n",
> algorithm_id, key_size);
> return -EINVAL;
> }
>
> - memcpy(key.bytes, bkey->raw, AES_256_XTS_KEY_SIZE);
> -
> - /* The SCM call requires that the key words are encoded in big endian */
> - for (i = 0; i < ARRAY_SIZE(key.words); i++)
> - __cpu_to_be32s(&key.words[i]);
> + if (bkey->crypto_cfg.key_type == BLK_CRYPTO_KEY_TYPE_HW_WRAPPED) {
> + if (!ice->use_hwkm)
> + return -EINVAL;
having error log in failure case would help in debugging.
> + err = qcom_ice_program_wrapped_key(ice, bkey, data_unit_size,
> + slot);
> + } else {
> + memcpy(key.bytes, bkey->raw, AES_256_XTS_KEY_SIZE);
>
> - err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
> - QCOM_SCM_ICE_CIPHER_AES_256_XTS,
> - data_unit_size);
> + /* The SCM call requires that the key words are encoded in big endian */
> + for (i = 0; i < ARRAY_SIZE(key.words); i++)
> + __cpu_to_be32s(&key.words[i]);
>
> - memzero_explicit(&key, sizeof(key));
> + err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
> + QCOM_SCM_ICE_CIPHER_AES_256_XTS,
> + data_unit_size);
> + memzero_explicit(&key, sizeof(key));
> + }
>
> return err;
> }
> @@ -324,7 +393,21 @@ EXPORT_SYMBOL_GPL(qcom_ice_program_key);
>
> int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
> {
> - return qcom_scm_ice_invalidate_key(slot);
> + int hwkm_slot = slot;
> +
> + if (ice->use_hwkm) {
> + hwkm_slot = translate_hwkm_slot(ice, slot);
> + /*
> + * Ignore calls to evict key when HWKM is supported and hwkm init
> + * is not yet done. This is to avoid the clearing all slots call
> + * during a storage reset when ICE is still in legacy mode. HWKM slave
> + * in ICE takes care of zeroing out the keytable on reset.
> + */
> + if (!ice->hwkm_init_complete)
> + return 0;
> + }
> +
> + return qcom_scm_ice_invalidate_key(hwkm_slot);
> }
> EXPORT_SYMBOL_GPL(qcom_ice_evict_key);
>
> @@ -334,6 +417,15 @@ bool qcom_ice_hwkm_supported(struct qcom_ice *ice)
> }
> EXPORT_SYMBOL_GPL(qcom_ice_hwkm_supported);
>
> +int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[],
> + unsigned int wkey_size,
> + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
> +{
> + return qcom_scm_derive_sw_secret(wkey, wkey_size,
> + sw_secret, BLK_CRYPTO_SW_SECRET_SIZE);
> +}
> +EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret);
> +
> static struct qcom_ice *qcom_ice_create(struct device *dev,
> void __iomem *base)
> {
> diff --git a/include/soc/qcom/ice.h b/include/soc/qcom/ice.h
> index 1f52e82e3e1c..dabe0d3a1fd0 100644
> --- a/include/soc/qcom/ice.h
> +++ b/include/soc/qcom/ice.h
> @@ -17,6 +17,7 @@ enum qcom_ice_crypto_key_size {
> QCOM_ICE_CRYPTO_KEY_SIZE_192 = 0x2,
> QCOM_ICE_CRYPTO_KEY_SIZE_256 = 0x3,
> QCOM_ICE_CRYPTO_KEY_SIZE_512 = 0x4,
> + QCOM_ICE_CRYPTO_KEY_SIZE_WRAPPED = 0x5,
> };
>
> enum qcom_ice_crypto_alg {
> @@ -35,5 +36,8 @@ int qcom_ice_program_key(struct qcom_ice *ice,
> u8 data_unit_size, int slot);
> int qcom_ice_evict_key(struct qcom_ice *ice, int slot);
> bool qcom_ice_hwkm_supported(struct qcom_ice *ice);
> +int qcom_ice_derive_sw_secret(struct qcom_ice *ice, const u8 wkey[],
> + unsigned int wkey_size,
> + u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE]);
> struct qcom_ice *of_qcom_ice_get(struct device *dev);
> #endif /* __QCOM_ICE_H__ */
next prev parent reply other threads:[~2023-12-08 7:48 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-22 5:38 [PATCH v3 00/12] Hardware wrapped key support for qcom ice and ufs Gaurav Kashyap
2023-11-22 5:38 ` [PATCH v3 01/12] ice, ufs, mmc: use blk_crypto_key for program_key Gaurav Kashyap
2023-12-08 6:22 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 02/12] qcom_scm: scm call for deriving a software secret Gaurav Kashyap
2023-11-22 17:43 ` Trilok Soni
2023-12-08 6:38 ` Om Prakash Singh
2023-12-12 4:09 ` Gaurav Kashyap
2023-11-22 5:38 ` [PATCH v3 03/12] soc: qcom: ice: add hwkm support in ice Gaurav Kashyap
2023-12-08 4:11 ` Bjorn Andersson
2023-12-12 3:53 ` Gaurav Kashyap
2023-12-08 6:04 ` Om Prakash Singh
2023-12-12 3:58 ` Gaurav Kashyap
2023-12-08 6:06 ` Om Prakash Singh
2023-12-08 6:11 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 04/12] soc: qcom: ice: support for hardware wrapped keys Gaurav Kashyap
2023-12-08 7:45 ` Om Prakash Singh [this message]
2023-12-12 4:04 ` Gaurav Kashyap
2023-11-22 5:38 ` [PATCH v3 05/12] ufs: core: support wrapped keys in ufs core Gaurav Kashyap
2023-12-08 3:42 ` Bjorn Andersson
2023-11-22 5:38 ` [PATCH v3 06/12] ufs: host: wrapped keys support in ufs qcom Gaurav Kashyap
2023-12-08 7:54 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 07/12] qcom_scm: scm call for create, prepare and import keys Gaurav Kashyap
2023-12-13 8:11 ` Mukesh Ojha
2023-11-22 5:38 ` [PATCH v3 08/12] ufs: core: add support for generate, import and prepare keys Gaurav Kashyap
2023-12-08 3:49 ` Bjorn Andersson
2023-12-08 8:17 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 09/12] soc: qcom: support for generate, import and prepare key Gaurav Kashyap
2023-12-08 8:26 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 10/12] ufs: host: " Gaurav Kashyap
2023-12-08 8:29 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 11/12] arm64: dts: qcom: sm8650: add hwkm support to ufs ice Gaurav Kashyap
2023-12-08 3:51 ` Bjorn Andersson
2023-12-08 8:45 ` Om Prakash Singh
2023-12-08 8:46 ` Om Prakash Singh
2023-11-22 5:38 ` [PATCH v3 12/12] dt-bindings: crypto: ice: document the hwkm property Gaurav Kashyap
2023-11-22 9:53 ` Krzysztof Kozlowski
2023-12-08 4:16 ` Bjorn Andersson
2023-11-22 9:55 ` [PATCH v3 00/12] Hardware wrapped key support for qcom ice and ufs Krzysztof Kozlowski
2023-12-05 17:33 ` neil.armstrong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0de13ec3-2b74-46bb-a32a-9066e637d5b1@quicinc.com \
--to=quic_omprsing@quicinc.com \
--cc=abel.vesa@linaro.org \
--cc=ebiggers@google.com \
--cc=kernel@quicinc.com \
--cc=linux-arm-msm@vger.kernel.org \
--cc=linux-block@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-mmc@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=neil.armstrong@linaro.org \
--cc=omprsing@qti.qualcomm.com \
--cc=quic_gaurkash@quicinc.com \
--cc=quic_psodagud@quicinc.com \
--cc=quic_spuppala@quicinc.com \
--cc=srinivas.kandagatla@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).