1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Qualcomm ICE (Inline Crypto Engine) support.
4 *
5 * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
6 * Copyright (c) 2019, Google LLC
7 * Copyright (c) 2023, Linaro Limited
8 */
9
10 #include <linux/bitfield.h>
11 #include <linux/cleanup.h>
12 #include <linux/clk.h>
13 #include <linux/delay.h>
14 #include <linux/device.h>
15 #include <linux/iopoll.h>
16 #include <linux/of.h>
17 #include <linux/of_platform.h>
18 #include <linux/platform_device.h>
19
20 #include <linux/firmware/qcom/qcom_scm.h>
21
22 #include <soc/qcom/ice.h>
23
24 #define AES_256_XTS_KEY_SIZE 64 /* for raw keys only */
25
26 #define QCOM_ICE_HWKM_V1 1 /* HWKM version 1 */
27 #define QCOM_ICE_HWKM_V2 2 /* HWKM version 2 */
28
29 #define QCOM_ICE_HWKM_MAX_WRAPPED_KEY_SIZE 100 /* Maximum HWKM wrapped key size */
30
31 /*
32 * Wrapped key size depends upon HWKM version:
33 * HWKM version 1 supports 68 bytes
34 * HWKM version 2 supports 100 bytes
35 */
36 #define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) ((v) == QCOM_ICE_HWKM_V1 ? 68 : 100)
37
38 /* QCOM ICE registers */
39
40 #define QCOM_ICE_REG_CONTROL 0x0000
41 #define QCOM_ICE_LEGACY_MODE_ENABLED BIT(0)
42
43 #define QCOM_ICE_REG_VERSION 0x0008
44
45 #define QCOM_ICE_REG_FUSE_SETTING 0x0010
46 #define QCOM_ICE_FUSE_SETTING_MASK BIT(0)
47 #define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK BIT(1)
48 #define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK BIT(2)
49
50 #define QCOM_ICE_REG_BIST_STATUS 0x0070
51 #define QCOM_ICE_BIST_STATUS_MASK GENMASK(31, 28)
52
53 #define QCOM_ICE_REG_ADVANCED_CONTROL 0x1000
54
55 #define QCOM_ICE_REG_CRYPTOCFG_BASE 0x4040
56 #define QCOM_ICE_REG_CRYPTOCFG_SIZE 0x80
57 #define QCOM_ICE_REG_CRYPTOCFG(slot) (QCOM_ICE_REG_CRYPTOCFG_BASE + \
58 QCOM_ICE_REG_CRYPTOCFG_SIZE * (slot))
59 union crypto_cfg {
60 __le32 regval;
61 struct {
62 u8 dusize;
63 u8 capidx;
64 u8 reserved;
65 #define QCOM_ICE_HWKM_CFG_ENABLE_VAL BIT(7)
66 u8 cfge;
67 };
68 };
69
70 /* QCOM ICE HWKM (Hardware Key Manager) registers */
71
72 #define HWKM_OFFSET 0x8000
73
74 #define QCOM_ICE_REG_HWKM_TZ_KM_CTL (HWKM_OFFSET + 0x1000)
75 #define QCOM_ICE_HWKM_DISABLE_CRC_CHECKS_VAL (BIT(1) | BIT(2))
76 /* In HWKM v1 the ICE legacy mode is controlled from HWKM register space */
77 #define QCOM_ICE_HWKM_ICE_LEGACY_MODE_ENABLED BIT(5)
78
79 #define QCOM_ICE_REG_HWKM_TZ_KM_STATUS (HWKM_OFFSET + 0x1004)
80 #define QCOM_ICE_HWKM_KT_CLEAR_DONE BIT(0)
81 #define QCOM_ICE_HWKM_BOOT_CMD_LIST0_DONE BIT(1)
82 #define QCOM_ICE_HWKM_BOOT_CMD_LIST1_DONE BIT(2)
83 #define QCOM_ICE_HWKM_CRYPTO_BIST_DONE(v) (((v) == QCOM_ICE_HWKM_V1) ? BIT(14) : BIT(7))
84 #define QCOM_ICE_HWKM_BIST_DONE(v) (((v) == QCOM_ICE_HWKM_V1) ? BIT(16) : BIT(9))
85
86 #define QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS (HWKM_OFFSET + 0x2008)
87 #define QCOM_ICE_HWKM_RSP_FIFO_CLEAR_VAL BIT(3)
88
89 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_0 (HWKM_OFFSET + 0x5000)
90 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_1 (HWKM_OFFSET + 0x5004)
91 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_2 (HWKM_OFFSET + 0x5008)
92 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_3 (HWKM_OFFSET + 0x500C)
93 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_4 (HWKM_OFFSET + 0x5010)
94
95 #define qcom_ice_writel(engine, val, reg) \
96 writel((val), (engine)->base + (reg))
97
98 #define qcom_ice_readl(engine, reg) \
99 readl((engine)->base + (reg))
100
101 static bool qcom_ice_use_wrapped_keys;
102 module_param_named(use_wrapped_keys, qcom_ice_use_wrapped_keys, bool, 0660);
103 MODULE_PARM_DESC(use_wrapped_keys,
104 "Support wrapped keys instead of raw keys, if available on the platform");
105
106 struct qcom_ice {
107 struct device *dev;
108 void __iomem *base;
109
110 struct clk *core_clk;
111 bool use_hwkm;
112 bool hwkm_init_complete;
113 u8 hwkm_version;
114 };
115
qcom_ice_check_supported(struct qcom_ice * ice)116 static bool qcom_ice_check_supported(struct qcom_ice *ice)
117 {
118 u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
119 struct device *dev = ice->dev;
120 int major = FIELD_GET(GENMASK(31, 24), regval);
121 int minor = FIELD_GET(GENMASK(23, 16), regval);
122 int step = FIELD_GET(GENMASK(15, 0), regval);
123
124 /* For now this driver only supports ICE version 3 and 4. */
125 if (major != 3 && major != 4) {
126 dev_warn(dev, "Unsupported ICE version: v%d.%d.%d\n",
127 major, minor, step);
128 return false;
129 }
130
131 /* HWKM version v2 is present from ICE 3.2.1 onwards while version v1
132 * is present only in ICE 3.2.0. Earlier ICE version don't have HWKM.
133 */
134 if (major > 3 ||
135 (major == 3 && (minor >= 3 || (minor == 2 && step >= 1))))
136 ice->hwkm_version = QCOM_ICE_HWKM_V2;
137 else if ((major == 3) && (minor == 2))
138 ice->hwkm_version = QCOM_ICE_HWKM_V1;
139 else
140 ice->hwkm_version = 0;
141
142 dev_info(dev, "Found QC Inline Crypto Engine (ICE) v%d.%d.%d\n",
143 major, minor, step);
144
145 if (ice->hwkm_version)
146 dev_info(dev, "QC Hardware Key Manager (HWKM) version v%d\n",
147 ice->hwkm_version);
148
149 /* If fuses are blown, ICE might not work in the standard way. */
150 regval = qcom_ice_readl(ice, QCOM_ICE_REG_FUSE_SETTING);
151 if (regval & (QCOM_ICE_FUSE_SETTING_MASK |
152 QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK |
153 QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK)) {
154 dev_warn(dev, "Fuses are blown; ICE is unusable!\n");
155 return false;
156 }
157
158 /*
159 * Check for HWKM support and decide whether to use it or not. ICE
160 * v3.2.1 and later have HWKM v2. ICE v3.2.0 has HWKM v1. Earlier ICE
161 * versions don't have HWKM at all. However, for HWKM to be fully
162 * usable by Linux, the TrustZone software also needs to support certain
163 * SCM calls including the ones to generate and prepare keys. Support
164 * for these SCM calls is present for SoCs with HWKM v2 and is being
165 * added for SoCs with HWKM v1 as well but not every SoC with HWKM v1
166 * currently supports this. So, this driver checks for the SCM call
167 * support before it decides to use HWKM.
168 *
169 * Also, since HWKM and legacy mode are mutually exclusive, and
170 * ICE-capable storage driver(s) need to know early on whether to
171 * advertise support for raw keys or wrapped keys, HWKM cannot be used
172 * unconditionally. A module parameter is used to opt into using it.
173 */
174 if (ice->hwkm_version && qcom_scm_has_wrapped_key_support()) {
175 if (qcom_ice_use_wrapped_keys) {
176 dev_info(dev, "Using HWKM. Supporting wrapped keys only.\n");
177 ice->use_hwkm = true;
178 } else {
179 dev_info(dev, "Not using HWKM. Supporting raw keys only.\n");
180 }
181 } else if (qcom_ice_use_wrapped_keys) {
182 dev_warn(dev, "A supported HWKM is not present. Ignoring qcom_ice.use_wrapped_keys=1.\n");
183 } else {
184 dev_info(dev, "A supported HWKM is not present. Supporting raw keys only.\n");
185 }
186 return true;
187 }
188
qcom_ice_low_power_mode_enable(struct qcom_ice * ice)189 static void qcom_ice_low_power_mode_enable(struct qcom_ice *ice)
190 {
191 u32 regval;
192
193 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
194
195 /* Enable low power mode sequence */
196 regval |= 0x7000;
197 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
198 }
199
qcom_ice_optimization_enable(struct qcom_ice * ice)200 static void qcom_ice_optimization_enable(struct qcom_ice *ice)
201 {
202 u32 regval;
203
204 /* ICE Optimizations Enable Sequence */
205 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
206 regval |= 0xd807100;
207 /* ICE HPG requires delay before writing */
208 udelay(5);
209 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
210 udelay(5);
211 }
212
213 /*
214 * Wait until the ICE BIST (built-in self-test) has completed.
215 *
216 * This may be necessary before ICE can be used.
217 * Note that we don't really care whether the BIST passed or failed;
218 * we really just want to make sure that it isn't still running. This is
219 * because (a) the BIST is a FIPS compliance thing that never fails in
220 * practice, (b) ICE is documented to reject crypto requests if the BIST
221 * fails, so we needn't do it in software too, and (c) properly testing
222 * storage encryption requires testing the full storage stack anyway,
223 * and not relying on hardware-level self-tests.
224 */
qcom_ice_wait_bist_status(struct qcom_ice * ice)225 static int qcom_ice_wait_bist_status(struct qcom_ice *ice)
226 {
227 u32 regval;
228 int err;
229
230 err = readl_poll_timeout(ice->base + QCOM_ICE_REG_BIST_STATUS,
231 regval, !(regval & QCOM_ICE_BIST_STATUS_MASK),
232 50, 5000);
233 if (err) {
234 dev_err(ice->dev, "Timed out waiting for ICE self-test to complete\n");
235 return err;
236 }
237
238 if (ice->use_hwkm &&
239 qcom_ice_readl(ice, QCOM_ICE_REG_HWKM_TZ_KM_STATUS) !=
240 (QCOM_ICE_HWKM_KT_CLEAR_DONE |
241 QCOM_ICE_HWKM_BOOT_CMD_LIST0_DONE |
242 QCOM_ICE_HWKM_BOOT_CMD_LIST1_DONE |
243 QCOM_ICE_HWKM_CRYPTO_BIST_DONE(ice->hwkm_version) |
244 QCOM_ICE_HWKM_BIST_DONE(ice->hwkm_version))) {
245 dev_err(ice->dev, "HWKM self-test error!\n");
246 /*
247 * Too late to revoke use_hwkm here, as it was already
248 * propagated up the stack into the crypto capabilities.
249 */
250 }
251 return 0;
252 }
253
qcom_ice_hwkm_init(struct qcom_ice * ice)254 static void qcom_ice_hwkm_init(struct qcom_ice *ice)
255 {
256 u32 regval;
257
258 if (!ice->use_hwkm)
259 return;
260
261 BUILD_BUG_ON(QCOM_ICE_HWKM_MAX_WRAPPED_KEY_SIZE >
262 BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE);
263 /*
264 * When ICE is in HWKM mode, it only supports wrapped keys.
265 * When ICE is in legacy mode, it only supports raw keys.
266 *
267 * Put ICE in HWKM mode. ICE defaults to legacy mode.
268 */
269 if (ice->hwkm_version == QCOM_ICE_HWKM_V2) {
270 regval = qcom_ice_readl(ice, QCOM_ICE_REG_CONTROL);
271 regval &= ~QCOM_ICE_LEGACY_MODE_ENABLED;
272 qcom_ice_writel(ice, regval, QCOM_ICE_REG_CONTROL);
273 } else if (ice->hwkm_version == QCOM_ICE_HWKM_V1) {
274 regval = qcom_ice_readl(ice, QCOM_ICE_REG_HWKM_TZ_KM_CTL);
275 regval &= ~QCOM_ICE_HWKM_ICE_LEGACY_MODE_ENABLED;
276 qcom_ice_writel(ice, regval, QCOM_ICE_REG_HWKM_TZ_KM_CTL);
277 }
278
279 /* Disable CRC checks. This HWKM feature is not used. */
280 qcom_ice_writel(ice, QCOM_ICE_HWKM_DISABLE_CRC_CHECKS_VAL,
281 QCOM_ICE_REG_HWKM_TZ_KM_CTL);
282
283 /*
284 * Allow the HWKM slave to read and write the keyslots in the ICE HWKM
285 * slave. Without this, TrustZone cannot program keys into ICE.
286 */
287 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_0);
288 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_1);
289 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_2);
290 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_3);
291 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_4);
292
293 /* Clear the HWKM response FIFO. */
294 qcom_ice_writel(ice, QCOM_ICE_HWKM_RSP_FIFO_CLEAR_VAL,
295 QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS);
296 ice->hwkm_init_complete = true;
297 }
298
qcom_ice_enable(struct qcom_ice * ice)299 int qcom_ice_enable(struct qcom_ice *ice)
300 {
301 qcom_ice_low_power_mode_enable(ice);
302 qcom_ice_optimization_enable(ice);
303 qcom_ice_hwkm_init(ice);
304 return qcom_ice_wait_bist_status(ice);
305 }
306 EXPORT_SYMBOL_GPL(qcom_ice_enable);
307
qcom_ice_resume(struct qcom_ice * ice)308 int qcom_ice_resume(struct qcom_ice *ice)
309 {
310 struct device *dev = ice->dev;
311 int err;
312
313 err = clk_prepare_enable(ice->core_clk);
314 if (err) {
315 dev_err(dev, "failed to enable core clock (%d)\n",
316 err);
317 return err;
318 }
319 qcom_ice_hwkm_init(ice);
320 return qcom_ice_wait_bist_status(ice);
321 }
322 EXPORT_SYMBOL_GPL(qcom_ice_resume);
323
qcom_ice_suspend(struct qcom_ice * ice)324 int qcom_ice_suspend(struct qcom_ice *ice)
325 {
326 clk_disable_unprepare(ice->core_clk);
327 ice->hwkm_init_complete = false;
328
329 return 0;
330 }
331 EXPORT_SYMBOL_GPL(qcom_ice_suspend);
332
translate_hwkm_slot(struct qcom_ice * ice,unsigned int slot)333 static unsigned int translate_hwkm_slot(struct qcom_ice *ice, unsigned int slot)
334 {
335 return ice->hwkm_version == QCOM_ICE_HWKM_V1 ? slot : slot * 2;
336 }
337
qcom_ice_program_wrapped_key(struct qcom_ice * ice,unsigned int slot,const struct blk_crypto_key * bkey)338 static int qcom_ice_program_wrapped_key(struct qcom_ice *ice, unsigned int slot,
339 const struct blk_crypto_key *bkey)
340 {
341 struct device *dev = ice->dev;
342 union crypto_cfg cfg = {
343 .dusize = bkey->crypto_cfg.data_unit_size / 512,
344 .capidx = QCOM_SCM_ICE_CIPHER_AES_256_XTS,
345 .cfge = QCOM_ICE_HWKM_CFG_ENABLE_VAL,
346 };
347 int err;
348
349 if (!ice->use_hwkm) {
350 dev_err_ratelimited(dev, "Got wrapped key when not using HWKM\n");
351 return -EINVAL;
352 }
353 if (!ice->hwkm_init_complete) {
354 dev_err_ratelimited(dev, "HWKM not yet initialized\n");
355 return -EINVAL;
356 }
357
358 /* Clear CFGE before programming the key. */
359 qcom_ice_writel(ice, 0x0, QCOM_ICE_REG_CRYPTOCFG(slot));
360
361 /* Call into TrustZone to program the wrapped key using HWKM. */
362 err = qcom_scm_ice_set_key(translate_hwkm_slot(ice, slot), bkey->bytes,
363 bkey->size, cfg.capidx, cfg.dusize);
364 if (err) {
365 dev_err_ratelimited(dev,
366 "qcom_scm_ice_set_key failed; err=%d, slot=%u\n",
367 err, slot);
368 return err;
369 }
370
371 /* Set CFGE after programming the key. */
372 qcom_ice_writel(ice, le32_to_cpu(cfg.regval),
373 QCOM_ICE_REG_CRYPTOCFG(slot));
374 return 0;
375 }
376
qcom_ice_program_key(struct qcom_ice * ice,unsigned int slot,const struct blk_crypto_key * blk_key)377 int qcom_ice_program_key(struct qcom_ice *ice, unsigned int slot,
378 const struct blk_crypto_key *blk_key)
379 {
380 struct device *dev = ice->dev;
381 union {
382 u8 bytes[AES_256_XTS_KEY_SIZE];
383 u32 words[AES_256_XTS_KEY_SIZE / sizeof(u32)];
384 } key;
385 int i;
386 int err;
387
388 /* Only AES-256-XTS has been tested so far. */
389 if (blk_key->crypto_cfg.crypto_mode !=
390 BLK_ENCRYPTION_MODE_AES_256_XTS) {
391 dev_err_ratelimited(dev, "Unsupported crypto mode: %d\n",
392 blk_key->crypto_cfg.crypto_mode);
393 return -EINVAL;
394 }
395
396 if (blk_key->crypto_cfg.key_type == BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)
397 return qcom_ice_program_wrapped_key(ice, slot, blk_key);
398
399 if (ice->use_hwkm) {
400 dev_err_ratelimited(dev, "Got raw key when using HWKM\n");
401 return -EINVAL;
402 }
403
404 if (blk_key->size != AES_256_XTS_KEY_SIZE) {
405 dev_err_ratelimited(dev, "Incorrect key size\n");
406 return -EINVAL;
407 }
408 memcpy(key.bytes, blk_key->bytes, AES_256_XTS_KEY_SIZE);
409
410 /* The SCM call requires that the key words are encoded in big endian */
411 for (i = 0; i < ARRAY_SIZE(key.words); i++)
412 __cpu_to_be32s(&key.words[i]);
413
414 err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
415 QCOM_SCM_ICE_CIPHER_AES_256_XTS,
416 blk_key->crypto_cfg.data_unit_size / 512);
417
418 memzero_explicit(&key, sizeof(key));
419
420 return err;
421 }
422 EXPORT_SYMBOL_GPL(qcom_ice_program_key);
423
qcom_ice_evict_key(struct qcom_ice * ice,int slot)424 int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
425 {
426 if (ice->hwkm_init_complete)
427 slot = translate_hwkm_slot(ice, slot);
428 return qcom_scm_ice_invalidate_key(slot);
429 }
430 EXPORT_SYMBOL_GPL(qcom_ice_evict_key);
431
432 /**
433 * qcom_ice_get_supported_key_type() - Get the supported key type
434 * @ice: ICE driver data
435 *
436 * Return: the blk-crypto key type that the ICE driver is configured to use.
437 * This is the key type that ICE-capable storage drivers should advertise as
438 * supported in the crypto capabilities of any disks they register.
439 */
qcom_ice_get_supported_key_type(struct qcom_ice * ice)440 enum blk_crypto_key_type qcom_ice_get_supported_key_type(struct qcom_ice *ice)
441 {
442 if (ice->use_hwkm)
443 return BLK_CRYPTO_KEY_TYPE_HW_WRAPPED;
444 return BLK_CRYPTO_KEY_TYPE_RAW;
445 }
446 EXPORT_SYMBOL_GPL(qcom_ice_get_supported_key_type);
447
448 /**
449 * qcom_ice_derive_sw_secret() - Derive software secret from wrapped key
450 * @ice: ICE driver data
451 * @eph_key: an ephemerally-wrapped key
452 * @eph_key_size: size of @eph_key in bytes
453 * @sw_secret: output buffer for the software secret
454 *
455 * Use HWKM to derive the "software secret" from a hardware-wrapped key that is
456 * given in ephemerally-wrapped form.
457 *
458 * Return: 0 on success; -EBADMSG if the given ephemerally-wrapped key is
459 * invalid; or another -errno value.
460 */
qcom_ice_derive_sw_secret(struct qcom_ice * ice,const u8 * eph_key,size_t eph_key_size,u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])461 int qcom_ice_derive_sw_secret(struct qcom_ice *ice,
462 const u8 *eph_key, size_t eph_key_size,
463 u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
464 {
465 int err = qcom_scm_derive_sw_secret(eph_key, eph_key_size,
466 sw_secret,
467 BLK_CRYPTO_SW_SECRET_SIZE);
468 if (err == -EIO || err == -EINVAL)
469 err = -EBADMSG; /* probably invalid key */
470 return err;
471 }
472 EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret);
473
474 /**
475 * qcom_ice_generate_key() - Generate a wrapped key for inline encryption
476 * @ice: ICE driver data
477 * @lt_key: output buffer for the long-term wrapped key
478 *
479 * Use HWKM to generate a new key and return it as a long-term wrapped key.
480 *
481 * Return: the size of the resulting wrapped key on success; -errno on failure.
482 */
qcom_ice_generate_key(struct qcom_ice * ice,u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])483 int qcom_ice_generate_key(struct qcom_ice *ice,
484 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
485 {
486 int err;
487
488 err = qcom_scm_generate_ice_key(lt_key,
489 QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
490 if (err)
491 return err;
492
493 return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
494 }
495 EXPORT_SYMBOL_GPL(qcom_ice_generate_key);
496
497 /**
498 * qcom_ice_prepare_key() - Prepare a wrapped key for inline encryption
499 * @ice: ICE driver data
500 * @lt_key: a long-term wrapped key
501 * @lt_key_size: size of @lt_key in bytes
502 * @eph_key: output buffer for the ephemerally-wrapped key
503 *
504 * Use HWKM to re-wrap a long-term wrapped key with the per-boot ephemeral key.
505 *
506 * Return: the size of the resulting wrapped key on success; -EBADMSG if the
507 * given long-term wrapped key is invalid; or another -errno value.
508 */
qcom_ice_prepare_key(struct qcom_ice * ice,const u8 * lt_key,size_t lt_key_size,u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])509 int qcom_ice_prepare_key(struct qcom_ice *ice,
510 const u8 *lt_key, size_t lt_key_size,
511 u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
512 {
513 int err;
514
515 err = qcom_scm_prepare_ice_key(lt_key, lt_key_size,
516 eph_key, QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
517 if (err == -EIO || err == -EINVAL)
518 err = -EBADMSG; /* probably invalid key */
519 if (err)
520 return err;
521
522 return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
523 }
524 EXPORT_SYMBOL_GPL(qcom_ice_prepare_key);
525
526 /**
527 * qcom_ice_import_key() - Import a raw key for inline encryption
528 * @ice: ICE driver data
529 * @raw_key: the raw key to import
530 * @raw_key_size: size of @raw_key in bytes
531 * @lt_key: output buffer for the long-term wrapped key
532 *
533 * Use HWKM to import a raw key and return it as a long-term wrapped key.
534 *
535 * Return: the size of the resulting wrapped key on success; -errno on failure.
536 */
qcom_ice_import_key(struct qcom_ice * ice,const u8 * raw_key,size_t raw_key_size,u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])537 int qcom_ice_import_key(struct qcom_ice *ice,
538 const u8 *raw_key, size_t raw_key_size,
539 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
540 {
541 int err;
542
543 err = qcom_scm_import_ice_key(raw_key, raw_key_size,
544 lt_key, QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
545 if (err)
546 return err;
547
548 return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
549 }
550 EXPORT_SYMBOL_GPL(qcom_ice_import_key);
551
qcom_ice_create(struct device * dev,void __iomem * base)552 static struct qcom_ice *qcom_ice_create(struct device *dev,
553 void __iomem *base)
554 {
555 struct qcom_ice *engine;
556
557 if (!qcom_scm_is_available())
558 return ERR_PTR(-EPROBE_DEFER);
559
560 if (!qcom_scm_ice_available()) {
561 dev_warn(dev, "ICE SCM interface not found\n");
562 return NULL;
563 }
564
565 engine = devm_kzalloc(dev, sizeof(*engine), GFP_KERNEL);
566 if (!engine)
567 return ERR_PTR(-ENOMEM);
568
569 engine->dev = dev;
570 engine->base = base;
571
572 /*
573 * Legacy DT binding uses different clk names for each consumer,
574 * so lets try those first. If none of those are a match, it means
575 * the we only have one clock and it is part of the dedicated DT node.
576 * Also, enable the clock before we check what HW version the driver
577 * supports.
578 */
579 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice_core_clk");
580 if (!engine->core_clk)
581 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice");
582 if (!engine->core_clk)
583 engine->core_clk = devm_clk_get_enabled(dev, NULL);
584 if (IS_ERR(engine->core_clk))
585 return ERR_CAST(engine->core_clk);
586
587 if (!qcom_ice_check_supported(engine))
588 return ERR_PTR(-EOPNOTSUPP);
589
590 dev_dbg(dev, "Registered Qualcomm Inline Crypto Engine\n");
591
592 return engine;
593 }
594
595 /**
596 * of_qcom_ice_get() - get an ICE instance from a DT node
597 * @dev: device pointer for the consumer device
598 *
599 * This function will provide an ICE instance either by creating one for the
600 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
601 * clock (for legacy DT style). On the other hand, if consumer provides a
602 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
603 * be created and so this function will return that instead.
604 *
605 * Return: ICE pointer on success, NULL if there is no ICE data provided by the
606 * consumer or ERR_PTR() on error.
607 */
of_qcom_ice_get(struct device * dev)608 static struct qcom_ice *of_qcom_ice_get(struct device *dev)
609 {
610 struct platform_device *pdev = to_platform_device(dev);
611 struct qcom_ice *ice;
612 struct resource *res;
613 void __iomem *base;
614 struct device_link *link;
615
616 if (!dev || !dev->of_node)
617 return ERR_PTR(-ENODEV);
618
619 /*
620 * In order to support legacy style devicetree bindings, we need
621 * to create the ICE instance using the consumer device and the reg
622 * range called 'ice' it provides.
623 */
624 res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice");
625 if (res) {
626 base = devm_ioremap_resource(&pdev->dev, res);
627 if (IS_ERR(base))
628 return ERR_CAST(base);
629
630 /* create ICE instance using consumer dev */
631 return qcom_ice_create(&pdev->dev, base);
632 }
633
634 /*
635 * If the consumer node does not provider an 'ice' reg range
636 * (legacy DT binding), then it must at least provide a phandle
637 * to the ICE devicetree node, otherwise ICE is not supported.
638 */
639 struct device_node *node __free(device_node) = of_parse_phandle(dev->of_node,
640 "qcom,ice", 0);
641 if (!node)
642 return NULL;
643
644 pdev = of_find_device_by_node(node);
645 if (!pdev) {
646 dev_err(dev, "Cannot find device node %s\n", node->name);
647 return ERR_PTR(-EPROBE_DEFER);
648 }
649
650 ice = platform_get_drvdata(pdev);
651 if (!ice) {
652 dev_err(dev, "Cannot get ice instance from %s\n",
653 dev_name(&pdev->dev));
654 platform_device_put(pdev);
655 return ERR_PTR(-EPROBE_DEFER);
656 }
657
658 link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
659 if (!link) {
660 dev_err(&pdev->dev,
661 "Failed to create device link to consumer %s\n",
662 dev_name(dev));
663 platform_device_put(pdev);
664 ice = ERR_PTR(-EINVAL);
665 }
666
667 return ice;
668 }
669
qcom_ice_put(const struct qcom_ice * ice)670 static void qcom_ice_put(const struct qcom_ice *ice)
671 {
672 struct platform_device *pdev = to_platform_device(ice->dev);
673
674 if (!platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice"))
675 platform_device_put(pdev);
676 }
677
devm_of_qcom_ice_put(struct device * dev,void * res)678 static void devm_of_qcom_ice_put(struct device *dev, void *res)
679 {
680 qcom_ice_put(*(struct qcom_ice **)res);
681 }
682
683 /**
684 * devm_of_qcom_ice_get() - Devres managed helper to get an ICE instance from
685 * a DT node.
686 * @dev: device pointer for the consumer device.
687 *
688 * This function will provide an ICE instance either by creating one for the
689 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
690 * clock (for legacy DT style). On the other hand, if consumer provides a
691 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
692 * be created and so this function will return that instead.
693 *
694 * Return: ICE pointer on success, NULL if there is no ICE data provided by the
695 * consumer or ERR_PTR() on error.
696 */
devm_of_qcom_ice_get(struct device * dev)697 struct qcom_ice *devm_of_qcom_ice_get(struct device *dev)
698 {
699 struct qcom_ice *ice, **dr;
700
701 dr = devres_alloc(devm_of_qcom_ice_put, sizeof(*dr), GFP_KERNEL);
702 if (!dr)
703 return ERR_PTR(-ENOMEM);
704
705 ice = of_qcom_ice_get(dev);
706 if (!IS_ERR_OR_NULL(ice)) {
707 *dr = ice;
708 devres_add(dev, dr);
709 } else {
710 devres_free(dr);
711 }
712
713 return ice;
714 }
715 EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
716
qcom_ice_probe(struct platform_device * pdev)717 static int qcom_ice_probe(struct platform_device *pdev)
718 {
719 struct qcom_ice *engine;
720 void __iomem *base;
721
722 base = devm_platform_ioremap_resource(pdev, 0);
723 if (IS_ERR(base)) {
724 dev_warn(&pdev->dev, "ICE registers not found\n");
725 return PTR_ERR(base);
726 }
727
728 engine = qcom_ice_create(&pdev->dev, base);
729 if (IS_ERR(engine))
730 return PTR_ERR(engine);
731
732 platform_set_drvdata(pdev, engine);
733
734 return 0;
735 }
736
737 static const struct of_device_id qcom_ice_of_match_table[] = {
738 { .compatible = "qcom,inline-crypto-engine" },
739 { },
740 };
741 MODULE_DEVICE_TABLE(of, qcom_ice_of_match_table);
742
743 static struct platform_driver qcom_ice_driver = {
744 .probe = qcom_ice_probe,
745 .driver = {
746 .name = "qcom-ice",
747 .of_match_table = qcom_ice_of_match_table,
748 },
749 };
750
751 module_platform_driver(qcom_ice_driver);
752
753 MODULE_DESCRIPTION("Qualcomm Inline Crypto Engine driver");
754 MODULE_LICENSE("GPL");
755