1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Qualcomm ICE (Inline Crypto Engine) support.
4 *
5 * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
6 * Copyright (c) 2019, Google LLC
7 * Copyright (c) 2023, Linaro Limited
8 */
9
10 #include <linux/bitfield.h>
11 #include <linux/cleanup.h>
12 #include <linux/clk.h>
13 #include <linux/delay.h>
14 #include <linux/device.h>
15 #include <linux/iopoll.h>
16 #include <linux/of.h>
17 #include <linux/of_platform.h>
18 #include <linux/platform_device.h>
19 #include <linux/xarray.h>
20
21 #include <linux/firmware/qcom/qcom_scm.h>
22
23 #include <soc/qcom/ice.h>
24
25 #define AES_256_XTS_KEY_SIZE 64 /* for raw keys only */
26
27 #define QCOM_ICE_HWKM_V1 1 /* HWKM version 1 */
28 #define QCOM_ICE_HWKM_V2 2 /* HWKM version 2 */
29
30 #define QCOM_ICE_HWKM_MAX_WRAPPED_KEY_SIZE 100 /* Maximum HWKM wrapped key size */
31
32 /*
33 * Wrapped key size depends upon HWKM version:
34 * HWKM version 1 supports 68 bytes
35 * HWKM version 2 supports 100 bytes
36 */
37 #define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) ((v) == QCOM_ICE_HWKM_V1 ? 68 : 100)
38
39 /* QCOM ICE registers */
40
41 #define QCOM_ICE_REG_CONTROL 0x0000
42 #define QCOM_ICE_LEGACY_MODE_ENABLED BIT(0)
43
44 #define QCOM_ICE_REG_VERSION 0x0008
45
46 #define QCOM_ICE_REG_FUSE_SETTING 0x0010
47 #define QCOM_ICE_FUSE_SETTING_MASK BIT(0)
48 #define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK BIT(1)
49 #define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK BIT(2)
50
51 #define QCOM_ICE_REG_BIST_STATUS 0x0070
52 #define QCOM_ICE_BIST_STATUS_MASK GENMASK(31, 28)
53
54 #define QCOM_ICE_REG_ADVANCED_CONTROL 0x1000
55
56 #define QCOM_ICE_REG_CRYPTOCFG_BASE 0x4040
57 #define QCOM_ICE_REG_CRYPTOCFG_SIZE 0x80
58 #define QCOM_ICE_REG_CRYPTOCFG(slot) (QCOM_ICE_REG_CRYPTOCFG_BASE + \
59 QCOM_ICE_REG_CRYPTOCFG_SIZE * (slot))
60 union crypto_cfg {
61 __le32 regval;
62 struct {
63 u8 dusize;
64 u8 capidx;
65 u8 reserved;
66 #define QCOM_ICE_HWKM_CFG_ENABLE_VAL BIT(7)
67 u8 cfge;
68 };
69 };
70
71 /* QCOM ICE HWKM (Hardware Key Manager) registers */
72
73 #define HWKM_OFFSET 0x8000
74
75 #define QCOM_ICE_REG_HWKM_TZ_KM_CTL (HWKM_OFFSET + 0x1000)
76 #define QCOM_ICE_HWKM_DISABLE_CRC_CHECKS_VAL (BIT(1) | BIT(2))
77 /* In HWKM v1 the ICE legacy mode is controlled from HWKM register space */
78 #define QCOM_ICE_HWKM_ICE_LEGACY_MODE_ENABLED BIT(5)
79
80 #define QCOM_ICE_REG_HWKM_TZ_KM_STATUS (HWKM_OFFSET + 0x1004)
81 #define QCOM_ICE_HWKM_KT_CLEAR_DONE BIT(0)
82 #define QCOM_ICE_HWKM_BOOT_CMD_LIST0_DONE BIT(1)
83 #define QCOM_ICE_HWKM_BOOT_CMD_LIST1_DONE BIT(2)
84 #define QCOM_ICE_HWKM_CRYPTO_BIST_DONE(v) (((v) == QCOM_ICE_HWKM_V1) ? BIT(14) : BIT(7))
85 #define QCOM_ICE_HWKM_BIST_DONE(v) (((v) == QCOM_ICE_HWKM_V1) ? BIT(16) : BIT(9))
86
87 #define QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS (HWKM_OFFSET + 0x2008)
88 #define QCOM_ICE_HWKM_RSP_FIFO_CLEAR_VAL BIT(3)
89
90 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_0 (HWKM_OFFSET + 0x5000)
91 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_1 (HWKM_OFFSET + 0x5004)
92 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_2 (HWKM_OFFSET + 0x5008)
93 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_3 (HWKM_OFFSET + 0x500C)
94 #define QCOM_ICE_REG_HWKM_BANK0_BBAC_4 (HWKM_OFFSET + 0x5010)
95
96 #define qcom_ice_writel(engine, val, reg) \
97 writel((val), (engine)->base + (reg))
98
99 #define qcom_ice_readl(engine, reg) \
100 readl((engine)->base + (reg))
101
102 static bool qcom_ice_use_wrapped_keys;
103 module_param_named(use_wrapped_keys, qcom_ice_use_wrapped_keys, bool, 0660);
104 MODULE_PARM_DESC(use_wrapped_keys,
105 "Support wrapped keys instead of raw keys, if available on the platform");
106
107 struct qcom_ice {
108 struct device *dev;
109 void __iomem *base;
110
111 struct clk *core_clk;
112 struct clk *iface_clk;
113 bool use_hwkm;
114 bool hwkm_init_complete;
115 u8 hwkm_version;
116 };
117
118 static DEFINE_XARRAY(ice_handles);
119 static DEFINE_MUTEX(ice_mutex);
120
qcom_ice_check_supported(struct qcom_ice * ice)121 static bool qcom_ice_check_supported(struct qcom_ice *ice)
122 {
123 u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
124 struct device *dev = ice->dev;
125 int major = FIELD_GET(GENMASK(31, 24), regval);
126 int minor = FIELD_GET(GENMASK(23, 16), regval);
127 int step = FIELD_GET(GENMASK(15, 0), regval);
128
129 /* For now this driver only supports ICE version 3 and 4. */
130 if (major != 3 && major != 4) {
131 dev_warn(dev, "Unsupported ICE version: v%d.%d.%d\n",
132 major, minor, step);
133 return false;
134 }
135
136 /* HWKM version v2 is present from ICE 3.2.1 onwards while version v1
137 * is present only in ICE 3.2.0. Earlier ICE version don't have HWKM.
138 */
139 if (major > 3 ||
140 (major == 3 && (minor >= 3 || (minor == 2 && step >= 1))))
141 ice->hwkm_version = QCOM_ICE_HWKM_V2;
142 else if ((major == 3) && (minor == 2))
143 ice->hwkm_version = QCOM_ICE_HWKM_V1;
144 else
145 ice->hwkm_version = 0;
146
147 dev_info(dev, "Found QC Inline Crypto Engine (ICE) v%d.%d.%d\n",
148 major, minor, step);
149
150 if (ice->hwkm_version)
151 dev_info(dev, "QC Hardware Key Manager (HWKM) version v%d\n",
152 ice->hwkm_version);
153
154 /* If fuses are blown, ICE might not work in the standard way. */
155 regval = qcom_ice_readl(ice, QCOM_ICE_REG_FUSE_SETTING);
156 if (regval & (QCOM_ICE_FUSE_SETTING_MASK |
157 QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK |
158 QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK)) {
159 dev_warn(dev, "Fuses are blown; ICE is unusable!\n");
160 return false;
161 }
162
163 /*
164 * Check for HWKM support and decide whether to use it or not. ICE
165 * v3.2.1 and later have HWKM v2. ICE v3.2.0 has HWKM v1. Earlier ICE
166 * versions don't have HWKM at all. However, for HWKM to be fully
167 * usable by Linux, the TrustZone software also needs to support certain
168 * SCM calls including the ones to generate and prepare keys. Support
169 * for these SCM calls is present for SoCs with HWKM v2 and is being
170 * added for SoCs with HWKM v1 as well but not every SoC with HWKM v1
171 * currently supports this. So, this driver checks for the SCM call
172 * support before it decides to use HWKM.
173 *
174 * Also, since HWKM and legacy mode are mutually exclusive, and
175 * ICE-capable storage driver(s) need to know early on whether to
176 * advertise support for raw keys or wrapped keys, HWKM cannot be used
177 * unconditionally. A module parameter is used to opt into using it.
178 */
179 if (ice->hwkm_version && qcom_scm_has_wrapped_key_support()) {
180 if (qcom_ice_use_wrapped_keys) {
181 dev_info(dev, "Using HWKM. Supporting wrapped keys only.\n");
182 ice->use_hwkm = true;
183 } else {
184 dev_info(dev, "Not using HWKM. Supporting raw keys only.\n");
185 }
186 } else if (qcom_ice_use_wrapped_keys) {
187 dev_warn(dev, "A supported HWKM is not present. Ignoring qcom_ice.use_wrapped_keys=1.\n");
188 } else {
189 dev_info(dev, "A supported HWKM is not present. Supporting raw keys only.\n");
190 }
191 return true;
192 }
193
qcom_ice_low_power_mode_enable(struct qcom_ice * ice)194 static void qcom_ice_low_power_mode_enable(struct qcom_ice *ice)
195 {
196 u32 regval;
197
198 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
199
200 /* Enable low power mode sequence */
201 regval |= 0x7000;
202 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
203 }
204
qcom_ice_optimization_enable(struct qcom_ice * ice)205 static void qcom_ice_optimization_enable(struct qcom_ice *ice)
206 {
207 u32 regval;
208
209 /* ICE Optimizations Enable Sequence */
210 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
211 regval |= 0xd807100;
212 /* ICE HPG requires delay before writing */
213 udelay(5);
214 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
215 udelay(5);
216 }
217
218 /*
219 * Wait until the ICE BIST (built-in self-test) has completed.
220 *
221 * This may be necessary before ICE can be used.
222 * Note that we don't really care whether the BIST passed or failed;
223 * we really just want to make sure that it isn't still running. This is
224 * because (a) the BIST is a FIPS compliance thing that never fails in
225 * practice, (b) ICE is documented to reject crypto requests if the BIST
226 * fails, so we needn't do it in software too, and (c) properly testing
227 * storage encryption requires testing the full storage stack anyway,
228 * and not relying on hardware-level self-tests.
229 */
qcom_ice_wait_bist_status(struct qcom_ice * ice)230 static int qcom_ice_wait_bist_status(struct qcom_ice *ice)
231 {
232 u32 regval;
233 int err;
234
235 err = readl_poll_timeout(ice->base + QCOM_ICE_REG_BIST_STATUS,
236 regval, !(regval & QCOM_ICE_BIST_STATUS_MASK),
237 50, 5000);
238 if (err) {
239 dev_err(ice->dev, "Timed out waiting for ICE self-test to complete\n");
240 return err;
241 }
242
243 if (ice->use_hwkm &&
244 qcom_ice_readl(ice, QCOM_ICE_REG_HWKM_TZ_KM_STATUS) !=
245 (QCOM_ICE_HWKM_KT_CLEAR_DONE |
246 QCOM_ICE_HWKM_BOOT_CMD_LIST0_DONE |
247 QCOM_ICE_HWKM_BOOT_CMD_LIST1_DONE |
248 QCOM_ICE_HWKM_CRYPTO_BIST_DONE(ice->hwkm_version) |
249 QCOM_ICE_HWKM_BIST_DONE(ice->hwkm_version))) {
250 dev_err(ice->dev, "HWKM self-test error!\n");
251 /*
252 * Too late to revoke use_hwkm here, as it was already
253 * propagated up the stack into the crypto capabilities.
254 */
255 }
256 return 0;
257 }
258
qcom_ice_hwkm_init(struct qcom_ice * ice)259 static void qcom_ice_hwkm_init(struct qcom_ice *ice)
260 {
261 u32 regval;
262
263 if (!ice->use_hwkm)
264 return;
265
266 BUILD_BUG_ON(QCOM_ICE_HWKM_MAX_WRAPPED_KEY_SIZE >
267 BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE);
268 /*
269 * When ICE is in HWKM mode, it only supports wrapped keys.
270 * When ICE is in legacy mode, it only supports raw keys.
271 *
272 * Put ICE in HWKM mode. ICE defaults to legacy mode.
273 */
274 if (ice->hwkm_version == QCOM_ICE_HWKM_V2) {
275 regval = qcom_ice_readl(ice, QCOM_ICE_REG_CONTROL);
276 regval &= ~QCOM_ICE_LEGACY_MODE_ENABLED;
277 qcom_ice_writel(ice, regval, QCOM_ICE_REG_CONTROL);
278 } else if (ice->hwkm_version == QCOM_ICE_HWKM_V1) {
279 regval = qcom_ice_readl(ice, QCOM_ICE_REG_HWKM_TZ_KM_CTL);
280 regval &= ~QCOM_ICE_HWKM_ICE_LEGACY_MODE_ENABLED;
281 qcom_ice_writel(ice, regval, QCOM_ICE_REG_HWKM_TZ_KM_CTL);
282 }
283
284 /* Disable CRC checks. This HWKM feature is not used. */
285 qcom_ice_writel(ice, QCOM_ICE_HWKM_DISABLE_CRC_CHECKS_VAL,
286 QCOM_ICE_REG_HWKM_TZ_KM_CTL);
287
288 /*
289 * Allow the HWKM slave to read and write the keyslots in the ICE HWKM
290 * slave. Without this, TrustZone cannot program keys into ICE.
291 */
292 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_0);
293 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_1);
294 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_2);
295 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_3);
296 qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_4);
297
298 /* Clear the HWKM response FIFO. */
299 qcom_ice_writel(ice, QCOM_ICE_HWKM_RSP_FIFO_CLEAR_VAL,
300 QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS);
301 ice->hwkm_init_complete = true;
302 }
303
qcom_ice_enable(struct qcom_ice * ice)304 int qcom_ice_enable(struct qcom_ice *ice)
305 {
306 qcom_ice_low_power_mode_enable(ice);
307 qcom_ice_optimization_enable(ice);
308 qcom_ice_hwkm_init(ice);
309 return qcom_ice_wait_bist_status(ice);
310 }
311 EXPORT_SYMBOL_GPL(qcom_ice_enable);
312
qcom_ice_resume(struct qcom_ice * ice)313 int qcom_ice_resume(struct qcom_ice *ice)
314 {
315 struct device *dev = ice->dev;
316 int err;
317
318 err = clk_prepare_enable(ice->core_clk);
319 if (err) {
320 dev_err(dev, "Failed to enable core clock: %d\n", err);
321 return err;
322 }
323
324 err = clk_prepare_enable(ice->iface_clk);
325 if (err) {
326 dev_err(dev, "Failed to enable iface clock: %d\n", err);
327 return err;
328 }
329 qcom_ice_hwkm_init(ice);
330 return qcom_ice_wait_bist_status(ice);
331 }
332 EXPORT_SYMBOL_GPL(qcom_ice_resume);
333
qcom_ice_suspend(struct qcom_ice * ice)334 int qcom_ice_suspend(struct qcom_ice *ice)
335 {
336 clk_disable_unprepare(ice->iface_clk);
337 clk_disable_unprepare(ice->core_clk);
338 ice->hwkm_init_complete = false;
339
340 return 0;
341 }
342 EXPORT_SYMBOL_GPL(qcom_ice_suspend);
343
translate_hwkm_slot(struct qcom_ice * ice,unsigned int slot)344 static unsigned int translate_hwkm_slot(struct qcom_ice *ice, unsigned int slot)
345 {
346 return ice->hwkm_version == QCOM_ICE_HWKM_V1 ? slot : slot * 2;
347 }
348
qcom_ice_program_wrapped_key(struct qcom_ice * ice,unsigned int slot,const struct blk_crypto_key * bkey)349 static int qcom_ice_program_wrapped_key(struct qcom_ice *ice, unsigned int slot,
350 const struct blk_crypto_key *bkey)
351 {
352 struct device *dev = ice->dev;
353 union crypto_cfg cfg = {
354 .dusize = bkey->crypto_cfg.data_unit_size / 512,
355 .capidx = QCOM_SCM_ICE_CIPHER_AES_256_XTS,
356 .cfge = QCOM_ICE_HWKM_CFG_ENABLE_VAL,
357 };
358 int err;
359
360 if (!ice->use_hwkm) {
361 dev_err_ratelimited(dev, "Got wrapped key when not using HWKM\n");
362 return -EINVAL;
363 }
364 if (!ice->hwkm_init_complete) {
365 dev_err_ratelimited(dev, "HWKM not yet initialized\n");
366 return -EINVAL;
367 }
368
369 /* Clear CFGE before programming the key. */
370 qcom_ice_writel(ice, 0x0, QCOM_ICE_REG_CRYPTOCFG(slot));
371
372 /* Call into TrustZone to program the wrapped key using HWKM. */
373 err = qcom_scm_ice_set_key(translate_hwkm_slot(ice, slot), bkey->bytes,
374 bkey->size, cfg.capidx, cfg.dusize);
375 if (err) {
376 dev_err_ratelimited(dev,
377 "qcom_scm_ice_set_key failed; err=%d, slot=%u\n",
378 err, slot);
379 return err;
380 }
381
382 /* Set CFGE after programming the key. */
383 qcom_ice_writel(ice, le32_to_cpu(cfg.regval),
384 QCOM_ICE_REG_CRYPTOCFG(slot));
385 return 0;
386 }
387
qcom_ice_program_key(struct qcom_ice * ice,unsigned int slot,const struct blk_crypto_key * blk_key)388 int qcom_ice_program_key(struct qcom_ice *ice, unsigned int slot,
389 const struct blk_crypto_key *blk_key)
390 {
391 struct device *dev = ice->dev;
392 union {
393 u8 bytes[AES_256_XTS_KEY_SIZE];
394 u32 words[AES_256_XTS_KEY_SIZE / sizeof(u32)];
395 } key;
396 int i;
397 int err;
398
399 /* Only AES-256-XTS has been tested so far. */
400 if (blk_key->crypto_cfg.crypto_mode !=
401 BLK_ENCRYPTION_MODE_AES_256_XTS) {
402 dev_err_ratelimited(dev, "Unsupported crypto mode: %d\n",
403 blk_key->crypto_cfg.crypto_mode);
404 return -EINVAL;
405 }
406
407 if (blk_key->crypto_cfg.key_type == BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)
408 return qcom_ice_program_wrapped_key(ice, slot, blk_key);
409
410 if (ice->use_hwkm) {
411 dev_err_ratelimited(dev, "Got raw key when using HWKM\n");
412 return -EINVAL;
413 }
414
415 if (blk_key->size != AES_256_XTS_KEY_SIZE) {
416 dev_err_ratelimited(dev, "Incorrect key size\n");
417 return -EINVAL;
418 }
419 memcpy(key.bytes, blk_key->bytes, AES_256_XTS_KEY_SIZE);
420
421 /* The SCM call requires that the key words are encoded in big endian */
422 for (i = 0; i < ARRAY_SIZE(key.words); i++)
423 __cpu_to_be32s(&key.words[i]);
424
425 err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
426 QCOM_SCM_ICE_CIPHER_AES_256_XTS,
427 blk_key->crypto_cfg.data_unit_size / 512);
428
429 memzero_explicit(&key, sizeof(key));
430
431 return err;
432 }
433 EXPORT_SYMBOL_GPL(qcom_ice_program_key);
434
qcom_ice_evict_key(struct qcom_ice * ice,int slot)435 int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
436 {
437 if (ice->hwkm_init_complete)
438 slot = translate_hwkm_slot(ice, slot);
439 return qcom_scm_ice_invalidate_key(slot);
440 }
441 EXPORT_SYMBOL_GPL(qcom_ice_evict_key);
442
443 /**
444 * qcom_ice_get_supported_key_type() - Get the supported key type
445 * @ice: ICE driver data
446 *
447 * Return: the blk-crypto key type that the ICE driver is configured to use.
448 * This is the key type that ICE-capable storage drivers should advertise as
449 * supported in the crypto capabilities of any disks they register.
450 */
qcom_ice_get_supported_key_type(struct qcom_ice * ice)451 enum blk_crypto_key_type qcom_ice_get_supported_key_type(struct qcom_ice *ice)
452 {
453 if (ice->use_hwkm)
454 return BLK_CRYPTO_KEY_TYPE_HW_WRAPPED;
455 return BLK_CRYPTO_KEY_TYPE_RAW;
456 }
457 EXPORT_SYMBOL_GPL(qcom_ice_get_supported_key_type);
458
459 /**
460 * qcom_ice_derive_sw_secret() - Derive software secret from wrapped key
461 * @ice: ICE driver data
462 * @eph_key: an ephemerally-wrapped key
463 * @eph_key_size: size of @eph_key in bytes
464 * @sw_secret: output buffer for the software secret
465 *
466 * Use HWKM to derive the "software secret" from a hardware-wrapped key that is
467 * given in ephemerally-wrapped form.
468 *
469 * Return: 0 on success; -EBADMSG if the given ephemerally-wrapped key is
470 * invalid; or another -errno value.
471 */
qcom_ice_derive_sw_secret(struct qcom_ice * ice,const u8 * eph_key,size_t eph_key_size,u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])472 int qcom_ice_derive_sw_secret(struct qcom_ice *ice,
473 const u8 *eph_key, size_t eph_key_size,
474 u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
475 {
476 int err = qcom_scm_derive_sw_secret(eph_key, eph_key_size,
477 sw_secret,
478 BLK_CRYPTO_SW_SECRET_SIZE);
479 if (err == -EIO || err == -EINVAL)
480 err = -EBADMSG; /* probably invalid key */
481 return err;
482 }
483 EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret);
484
485 /**
486 * qcom_ice_generate_key() - Generate a wrapped key for inline encryption
487 * @ice: ICE driver data
488 * @lt_key: output buffer for the long-term wrapped key
489 *
490 * Use HWKM to generate a new key and return it as a long-term wrapped key.
491 *
492 * Return: the size of the resulting wrapped key on success; -errno on failure.
493 */
qcom_ice_generate_key(struct qcom_ice * ice,u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])494 int qcom_ice_generate_key(struct qcom_ice *ice,
495 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
496 {
497 int err;
498
499 err = qcom_scm_generate_ice_key(lt_key,
500 QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
501 if (err)
502 return err;
503
504 return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
505 }
506 EXPORT_SYMBOL_GPL(qcom_ice_generate_key);
507
508 /**
509 * qcom_ice_prepare_key() - Prepare a wrapped key for inline encryption
510 * @ice: ICE driver data
511 * @lt_key: a long-term wrapped key
512 * @lt_key_size: size of @lt_key in bytes
513 * @eph_key: output buffer for the ephemerally-wrapped key
514 *
515 * Use HWKM to re-wrap a long-term wrapped key with the per-boot ephemeral key.
516 *
517 * Return: the size of the resulting wrapped key on success; -EBADMSG if the
518 * given long-term wrapped key is invalid; or another -errno value.
519 */
qcom_ice_prepare_key(struct qcom_ice * ice,const u8 * lt_key,size_t lt_key_size,u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])520 int qcom_ice_prepare_key(struct qcom_ice *ice,
521 const u8 *lt_key, size_t lt_key_size,
522 u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
523 {
524 int err;
525
526 err = qcom_scm_prepare_ice_key(lt_key, lt_key_size,
527 eph_key, QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
528 if (err == -EIO || err == -EINVAL)
529 err = -EBADMSG; /* probably invalid key */
530 if (err)
531 return err;
532
533 return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
534 }
535 EXPORT_SYMBOL_GPL(qcom_ice_prepare_key);
536
537 /**
538 * qcom_ice_import_key() - Import a raw key for inline encryption
539 * @ice: ICE driver data
540 * @raw_key: the raw key to import
541 * @raw_key_size: size of @raw_key in bytes
542 * @lt_key: output buffer for the long-term wrapped key
543 *
544 * Use HWKM to import a raw key and return it as a long-term wrapped key.
545 *
546 * Return: the size of the resulting wrapped key on success; -errno on failure.
547 */
qcom_ice_import_key(struct qcom_ice * ice,const u8 * raw_key,size_t raw_key_size,u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])548 int qcom_ice_import_key(struct qcom_ice *ice,
549 const u8 *raw_key, size_t raw_key_size,
550 u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
551 {
552 int err;
553
554 err = qcom_scm_import_ice_key(raw_key, raw_key_size,
555 lt_key, QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
556 if (err)
557 return err;
558
559 return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
560 }
561 EXPORT_SYMBOL_GPL(qcom_ice_import_key);
562
qcom_ice_create(struct device * dev,void __iomem * base)563 static struct qcom_ice *qcom_ice_create(struct device *dev,
564 void __iomem *base)
565 {
566 struct qcom_ice *engine;
567
568 if (!qcom_scm_is_available())
569 return ERR_PTR(-EPROBE_DEFER);
570
571 if (!qcom_scm_ice_available()) {
572 dev_warn(dev, "ICE SCM interface not found\n");
573 return ERR_PTR(-EOPNOTSUPP);
574 }
575
576 engine = devm_kzalloc(dev, sizeof(*engine), GFP_KERNEL);
577 if (!engine)
578 return ERR_PTR(-ENOMEM);
579
580 engine->dev = dev;
581 engine->base = base;
582
583 /*
584 * Legacy DT binding uses different clk names for each consumer,
585 * so lets try those first. If none of those are a match, it means
586 * the we only have one clock and it is part of the dedicated DT node.
587 * Also, enable the clock before we check what HW version the driver
588 * supports.
589 */
590 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice_core_clk");
591 if (!engine->core_clk)
592 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice");
593 if (!engine->core_clk)
594 engine->core_clk = devm_clk_get_optional_enabled(dev, "core");
595 if (!engine->core_clk)
596 engine->core_clk = devm_clk_get_enabled(dev, NULL);
597 if (IS_ERR(engine->core_clk))
598 return ERR_CAST(engine->core_clk);
599
600 engine->iface_clk = devm_clk_get_optional_enabled(dev, "iface");
601 if (IS_ERR(engine->iface_clk))
602 return ERR_CAST(engine->iface_clk);
603
604 if (!qcom_ice_check_supported(engine))
605 return ERR_PTR(-EOPNOTSUPP);
606
607 dev_dbg(dev, "Registered Qualcomm Inline Crypto Engine\n");
608
609 return engine;
610 }
611
612 /**
613 * of_qcom_ice_get() - get an ICE instance from a DT node
614 * @dev: device pointer for the consumer device
615 *
616 * This function will provide an ICE instance either by creating one for the
617 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
618 * clock (for legacy DT style). On the other hand, if consumer provides a
619 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
620 * be created and so this function will return that instead.
621 *
622 * Return: ICE pointer on success, NULL if there is no ICE data provided by the
623 * consumer or ERR_PTR() on error.
624 */
of_qcom_ice_get(struct device * dev)625 static struct qcom_ice *of_qcom_ice_get(struct device *dev)
626 {
627 struct platform_device *pdev = to_platform_device(dev);
628 struct qcom_ice *ice;
629 struct resource *res;
630 void __iomem *base;
631 struct device_link *link;
632
633 if (!dev || !dev->of_node)
634 return ERR_PTR(-ENODEV);
635
636 /*
637 * In order to support legacy style devicetree bindings, we need
638 * to create the ICE instance using the consumer device and the reg
639 * range called 'ice' it provides.
640 */
641 res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice");
642 if (res) {
643 base = devm_ioremap_resource(&pdev->dev, res);
644 if (IS_ERR(base))
645 return ERR_CAST(base);
646
647 /* create ICE instance using consumer dev */
648 return qcom_ice_create(&pdev->dev, base);
649 }
650
651 guard(mutex)(&ice_mutex);
652
653 /*
654 * If the consumer node does not provider an 'ice' reg range
655 * (legacy DT binding), then it must at least provide a phandle
656 * to the ICE devicetree node, otherwise ICE is not supported.
657 */
658 struct device_node *node __free(device_node) = of_parse_phandle(dev->of_node,
659 "qcom,ice", 0);
660 if (!node)
661 return ERR_PTR(-EOPNOTSUPP);
662
663 pdev = of_find_device_by_node(node);
664 if (!pdev) {
665 dev_err(dev, "Cannot find device node %s\n", node->name);
666 return ERR_PTR(-ENODEV);
667 }
668
669 ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
670 if (IS_ERR_OR_NULL(ice)) {
671 platform_device_put(pdev);
672 if (!ice)
673 return ERR_PTR(-EPROBE_DEFER);
674 else
675 return ice;
676 }
677
678 link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
679 if (!link) {
680 dev_err(&pdev->dev,
681 "Failed to create device link to consumer %s\n",
682 dev_name(dev));
683 platform_device_put(pdev);
684 ice = ERR_PTR(-EINVAL);
685 }
686
687 return ice;
688 }
689
qcom_ice_put(const struct qcom_ice * ice)690 static void qcom_ice_put(const struct qcom_ice *ice)
691 {
692 struct platform_device *pdev = to_platform_device(ice->dev);
693
694 if (!platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice"))
695 platform_device_put(pdev);
696 }
697
devm_of_qcom_ice_put(struct device * dev,void * res)698 static void devm_of_qcom_ice_put(struct device *dev, void *res)
699 {
700 qcom_ice_put(*(struct qcom_ice **)res);
701 }
702
703 /**
704 * devm_of_qcom_ice_get() - Devres managed helper to get an ICE instance from
705 * a DT node.
706 * @dev: device pointer for the consumer device.
707 *
708 * This function will provide an ICE instance either by creating one for the
709 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
710 * clock (for legacy DT style). On the other hand, if consumer provides a
711 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
712 * be created and so this function will return that instead.
713 *
714 * Return: ICE pointer on success, ERR_PTR() on error.
715 */
devm_of_qcom_ice_get(struct device * dev)716 struct qcom_ice *devm_of_qcom_ice_get(struct device *dev)
717 {
718 struct qcom_ice *ice, **dr;
719
720 dr = devres_alloc(devm_of_qcom_ice_put, sizeof(*dr), GFP_KERNEL);
721 if (!dr)
722 return ERR_PTR(-ENOMEM);
723
724 ice = of_qcom_ice_get(dev);
725 if (!IS_ERR(ice)) {
726 *dr = ice;
727 devres_add(dev, dr);
728 } else {
729 devres_free(dr);
730 }
731
732 return ice;
733 }
734 EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
735
qcom_ice_probe(struct platform_device * pdev)736 static int qcom_ice_probe(struct platform_device *pdev)
737 {
738 unsigned long phandle = pdev->dev.of_node->phandle;
739 struct qcom_ice *engine;
740 void __iomem *base;
741
742 guard(mutex)(&ice_mutex);
743
744 base = devm_platform_ioremap_resource(pdev, 0);
745 if (IS_ERR(base)) {
746 dev_warn(&pdev->dev, "ICE registers not found\n");
747 /* Store the error pointer for devm_of_qcom_ice_get() */
748 xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
749 return PTR_ERR(base);
750 }
751
752 engine = qcom_ice_create(&pdev->dev, base);
753 if (IS_ERR(engine)) {
754 /* Store the error pointer for devm_of_qcom_ice_get() */
755 xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
756 return PTR_ERR(engine);
757 }
758
759 xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
760
761 return 0;
762 }
763
qcom_ice_remove(struct platform_device * pdev)764 static void qcom_ice_remove(struct platform_device *pdev)
765 {
766 unsigned long phandle = pdev->dev.of_node->phandle;
767
768 guard(mutex)(&ice_mutex);
769 xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
770 }
771
772 static const struct of_device_id qcom_ice_of_match_table[] = {
773 { .compatible = "qcom,inline-crypto-engine" },
774 { },
775 };
776 MODULE_DEVICE_TABLE(of, qcom_ice_of_match_table);
777
778 static struct platform_driver qcom_ice_driver = {
779 .probe = qcom_ice_probe,
780 .remove = qcom_ice_remove,
781 .driver = {
782 .name = "qcom-ice",
783 .of_match_table = qcom_ice_of_match_table,
784 },
785 };
786
787 module_platform_driver(qcom_ice_driver);
788
789 MODULE_DESCRIPTION("Qualcomm Inline Crypto Engine driver");
790 MODULE_LICENSE("GPL");
791