X-Patchwork-Submitter: Michal Simek
X-Patchwork-Id: 1384639
From: Michal Simek
To: u-boot@lists.denx.de, git@xilinx.com
Cc: Siva Durga Prasad Paladugu, Ibai Erkiaga, Luca Ceresoli, Michal Simek, T Karthik Reddy
Subject: [PATCH v2 1/4] arm64: zynqmp: Add support for encryption and decryption on data blob
Date: Tue, 20 Oct 2020 08:33:42 +0200
Message-Id: <959a34b984da32d806ef7a60b520dc8943288718.1603175622.git.michal.simek@xilinx.com>

From: Siva Durga Prasad Paladugu

This patch adds support for encryption and decryption on a given data blob using different key sources such as userkey(KUP), device key and PUF key. In order to support this, a new zynqmp command(zynqmp aes) has been introduced.

Command: zynqmp aes srcaddr ivaddr len aesop keysrc dstaddr [keyaddr]\n" Encrypts or decrypts blob of data at src address and puts it\n" back to dstaddr using key and iv at keyaddr and ivaddr\n" respectively. keysrc value specifies from which source key\n" has to be used, it can be User/Device/PUF key. A value of 0\n" for KUP(user key),1 for DeviceKey and 2 for PUF key. The\n" aesop value would specify the operation which can be 0 for\n" decrypt and 1 for encrypt(1) operation\n";

Signed-off-by: Siva Durga Prasad Paladugu
Signed-off-by: Michal Simek
--- Changes in v2: - Fix cmd_tbl parameters - Add - in help arch/arm/mach-zynqmp/include/mach/sys_proto.h | 1 + board/xilinx/zynqmp/cmds.c | 82 ++++++++++++++++++- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/arch/arm/mach-zynqmp/include/mach/sys_proto.h b/arch/arm/mach-zynqmp/include/mach/sys_proto.h index f2b3ceab1358..df944bde09eb 100644 --- a/arch/arm/mach-zynqmp/include/mach/sys_proto.h +++ b/arch/arm/mach-zynqmp/include/mach/sys_proto.h @@ -9,6 +9,7 @@ #define ZYNQMP_CSU_SILICON_VER_MASK 0xF #define KEY_PTR_LEN 32 +#define IV_SIZE 12 #define ZYNQMP_FPGA_BIT_AUTH_DDR 1 #define ZYNQMP_FPGA_BIT_AUTH_OCM 2 diff --git a/board/xilinx/zynqmp/cmds.c b/board/xilinx/zynqmp/cmds.c index c0d28a73e45d..b816af73792b 100644 --- a/board/xilinx/zynqmp/cmds.c +++ b/board/xilinx/zynqmp/cmds.c @@ -9,11 +9,22 @@ #include #include #include +#include #include #include #include #include +struct aes { + u64 srcaddr; + u64 ivaddr; + u64 keyaddr; + u64 dstaddr; + u64 len; + u64 op; + u64 keysrc; +}; + static int do_zynqmp_verify_secure(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) { 
@@ -107,6 +118,66 @@ static int do_zynqmp_mmio_write(struct cmd_tbl *cmdtp, int flag, int argc, return ret; } +static int do_zynqmp_aes(struct cmd_tbl *cmdtp, int flag, int argc, + char * const argv[]) +{ + ALLOC_CACHE_ALIGN_BUFFER(struct aes, aes, 1); + int ret; + u32 ret_payload[PAYLOAD_ARG_CNT]; + + if (zynqmp_firmware_version() <= PMUFW_V1_0) { + puts("ERR: PMUFW v1.0 or less is detected\n"); + puts("ERR: Encrypt/Decrypt feature is not supported\n"); + puts("ERR: Please upgrade PMUFW\n"); + return CMD_RET_FAILURE; + } + + if (argc < cmdtp->maxargs - 1) + return CMD_RET_USAGE; + + aes->srcaddr = simple_strtoul(argv[2], NULL, 16); + aes->ivaddr = simple_strtoul(argv[3], NULL, 16); + aes->len = simple_strtoul(argv[4], NULL, 16); + aes->op = simple_strtoul(argv[5], NULL, 16); + aes->keysrc = simple_strtoul(argv[6], NULL, 16); + aes->dstaddr = simple_strtoul(argv[7], NULL, 16); + + flush_dcache_range((ulong)aes, (ulong)(aes) + + roundup(sizeof(struct aes), ARCH_DMA_MINALIGN)); + + if (aes->srcaddr && aes->ivaddr && aes->dstaddr) { + flush_dcache_range(aes->srcaddr, + (aes->srcaddr + + roundup(aes->len, ARCH_DMA_MINALIGN))); + flush_dcache_range(aes->ivaddr, + (aes->ivaddr + + roundup(IV_SIZE, ARCH_DMA_MINALIGN))); + flush_dcache_range(aes->dstaddr, + (aes->dstaddr + + roundup(aes->len, ARCH_DMA_MINALIGN))); + } + + if (aes->keysrc == 0) { + if (argc < cmdtp->maxargs) + return CMD_RET_USAGE; + + aes->keyaddr = simple_strtoul(argv[8], NULL, 16); + if (aes->keyaddr) + flush_dcache_range(aes->keyaddr, + (aes->keyaddr + + roundup(KEY_PTR_LEN, + ARCH_DMA_MINALIGN))); + } + + ret = xilinx_pm_request(PM_SECURE_AES, upper_32_bits((ulong)aes), + lower_32_bits((ulong)aes), 0, 0, ret_payload); + if (ret || ret_payload[1]) + printf("Failed: AES op status:0x%x, errcode:0x%x\n", + ret, ret_payload[1]); + + return ret; +} + #ifdef CONFIG_DEFINE_TCM_OCM_MMAP static int do_zynqmp_tcm_init(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) 
@@ -153,6 +224,7 @@ static struct cmd_tbl cmd_zynqmp_sub[] = { U_BOOT_CMD_MKENT(pmufw, 4, 0, do_zynqmp_pmufw, "", ""), U_BOOT_CMD_MKENT(mmio_read, 3, 0, do_zynqmp_mmio_read, "", ""), U_BOOT_CMD_MKENT(mmio_write, 5, 0, do_zynqmp_mmio_write, "", ""), + U_BOOT_CMD_MKENT(aes, 9, 0, do_zynqmp_aes, "", ""), #ifdef CONFIG_DEFINE_TCM_OCM_MMAP U_BOOT_CMD_MKENT(tcminit, 3, 0, do_zynqmp_tcm_init, "", ""), #endif @@ -196,6 +268,14 @@ static char zynqmp_help_text[] = "zynqmp mmio_read address - read from address\n" "zynqmp mmio_write address mask value - write value after masking to\n" " address\n" + "zynqmp aes srcaddr ivaddr len aesop keysrc dstaddr [keyaddr] -\n" + " Encrypts or decrypts blob of data at src address and puts it\n" + " back to dstaddr using key and iv at keyaddr and ivaddr\n" + " respectively. keysrc value specifies from which source key\n" + " has to be used, it can be User/Device/PUF key. A value of 0\n" + " for KUP(user key),1 for DeviceKey and 2 for PUF key. The\n" + " aesop value specifies the operation which can be 0 for\n" + " decrypt and 1 for encrypt operation\n" #ifdef CONFIG_DEFINE_TCM_OCM_MMAP "zynqmp tcminit mode - Initialize the TCM with zeros. TCM needs to be\n" " initialized before accessing to avoid ECC\n" @@ -208,7 +288,7 @@ static char zynqmp_help_text[] = #endif U_BOOT_CMD( - zynqmp, 5, 1, do_zynqmp, + zynqmp, 9, 1, do_zynqmp, "ZynqMP sub-system", zynqmp_help_text )
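
Review bot: IV_SIZE in the sys_proto.h hunk carries no unit or context, and the name is very generic for a header shared across mach-zynqmp. A short comment saying it is the AES IV length in bytes (it is used as the byte count for the ivaddr cache flush in do_zynqmp_aes), or a more specific name such as ZYNQMP_AES_IV_SIZE, would make its purpose clear.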
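
Review bot: struct aes in the first cmds.c hunk is undocumented even though its address is what do_zynqmp_aes hands to xilinx_pm_request(PM_SECURE_AES, ...), so the field order and the u64 widths act as an interface to the firmware rather than as private command state. Please add a comment saying that the layout is consumed outside this file and must not be reordered, and consider a less generic name for the type.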
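
Review bot: In do_zynqmp_aes the flush_dcache_range() over the aes descriptor runs before aes->keyaddr is assigned in the keysrc == 0 branch, so the user key address may not have reached memory when the request is issued; for keysrc 1 and 2 keyaddr is never assigned at all, and nothing in the hunk zeroes the buffer declared with ALLOC_CACHE_ALIGN_BUFFER. Suggest zeroing the structure, filling in every field including keyaddr, and flushing the descriptor only after that. Further points in the same function: aesop and keysrc are passed through unchecked although the help text defines only 0/1 and 0/1/2; a zero srcaddr, ivaddr or dstaddr only skips the flushes while the request is still sent; and the function returns ret, so a non-zero ret_payload[1] with ret == 0 prints "Failed" and still reports success. Returning CMD_RET_FAILURE on either error condition would let scripts detect a failed operation.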
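
Review bot: The help text added to zynqmp_help_text shows [keyaddr] as optional but does not say that it is required when keysrc is 0, which is what the second CMD_RET_USAGE check in do_zynqmp_aes enforces. It also does not mention that every argument is parsed as hex (simple_strtoul with base 16) or how many bytes are expected at ivaddr and keyaddr (IV_SIZE and KEY_PTR_LEN are the lengths flushed). One line for each would save users from guessing.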