1 // SPDX-License-Identifier: GPL-2.0 2 /* 3 * Qualcomm ICE (Inline Crypto Engine) support. 4 * 5 * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved. 6 * Copyright (c) 2019, Google LLC 7 * Copyright (c) 2023, Linaro Limited 8 */ 9 10 #include <linux/bitfield.h> 11 #include <linux/cleanup.h> 12 #include <linux/clk.h> 13 #include <linux/delay.h> 14 #include <linux/device.h> 15 #include <linux/iopoll.h> 16 #include <linux/of.h> 17 #include <linux/of_platform.h> 18 #include <linux/platform_device.h> 19 20 #include <linux/firmware/qcom/qcom_scm.h> 21 22 #include <soc/qcom/ice.h> 23 24 #define AES_256_XTS_KEY_SIZE 64 25 26 /* QCOM ICE registers */ 27 #define QCOM_ICE_REG_VERSION 0x0008 28 #define QCOM_ICE_REG_FUSE_SETTING 0x0010 29 #define QCOM_ICE_REG_BIST_STATUS 0x0070 30 #define QCOM_ICE_REG_ADVANCED_CONTROL 0x1000 31 32 /* BIST ("built-in self-test") status flags */ 33 #define QCOM_ICE_BIST_STATUS_MASK GENMASK(31, 28) 34 35 #define QCOM_ICE_FUSE_SETTING_MASK 0x1 36 #define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK 0x2 37 #define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK 0x4 38 39 #define qcom_ice_writel(engine, val, reg) \ 40 writel((val), (engine)->base + (reg)) 41 42 #define qcom_ice_readl(engine, reg) \ 43 readl((engine)->base + (reg)) 44 45 struct qcom_ice { 46 struct device *dev; 47 void __iomem *base; 48 49 struct clk *core_clk; 50 }; 51 52 static bool qcom_ice_check_supported(struct qcom_ice *ice) 53 { 54 u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION); 55 struct device *dev = ice->dev; 56 int major = FIELD_GET(GENMASK(31, 24), regval); 57 int minor = FIELD_GET(GENMASK(23, 16), regval); 58 int step = FIELD_GET(GENMASK(15, 0), regval); 59 60 /* For now this driver only supports ICE version 3 and 4. */ 61 if (major != 3 && major != 4) { 62 dev_warn(dev, "Unsupported ICE version: v%d.%d.%d\n", 63 major, minor, step); 64 return false; 65 } 66 67 dev_info(dev, "Found QC Inline Crypto Engine (ICE) v%d.%d.%d\n", 68 major, minor, step); 69 70 /* If fuses are blown, ICE might not work in the standard way. */ 71 regval = qcom_ice_readl(ice, QCOM_ICE_REG_FUSE_SETTING); 72 if (regval & (QCOM_ICE_FUSE_SETTING_MASK | 73 QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK | 74 QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK)) { 75 dev_warn(dev, "Fuses are blown; ICE is unusable!\n"); 76 return false; 77 } 78 79 return true; 80 } 81 82 static void qcom_ice_low_power_mode_enable(struct qcom_ice *ice) 83 { 84 u32 regval; 85 86 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL); 87 88 /* Enable low power mode sequence */ 89 regval |= 0x7000; 90 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL); 91 } 92 93 static void qcom_ice_optimization_enable(struct qcom_ice *ice) 94 { 95 u32 regval; 96 97 /* ICE Optimizations Enable Sequence */ 98 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL); 99 regval |= 0xd807100; 100 /* ICE HPG requires delay before writing */ 101 udelay(5); 102 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL); 103 udelay(5); 104 } 105 106 /* 107 * Wait until the ICE BIST (built-in self-test) has completed. 108 * 109 * This may be necessary before ICE can be used. 110 * Note that we don't really care whether the BIST passed or failed; 111 * we really just want to make sure that it isn't still running. This is 112 * because (a) the BIST is a FIPS compliance thing that never fails in 113 * practice, (b) ICE is documented to reject crypto requests if the BIST 114 * fails, so we needn't do it in software too, and (c) properly testing 115 * storage encryption requires testing the full storage stack anyway, 116 * and not relying on hardware-level self-tests. 117 */ 118 static int qcom_ice_wait_bist_status(struct qcom_ice *ice) 119 { 120 u32 regval; 121 int err; 122 123 err = readl_poll_timeout(ice->base + QCOM_ICE_REG_BIST_STATUS, 124 regval, !(regval & QCOM_ICE_BIST_STATUS_MASK), 125 50, 5000); 126 if (err) 127 dev_err(ice->dev, "Timed out waiting for ICE self-test to complete\n"); 128 129 return err; 130 } 131 132 int qcom_ice_enable(struct qcom_ice *ice) 133 { 134 qcom_ice_low_power_mode_enable(ice); 135 qcom_ice_optimization_enable(ice); 136 137 return qcom_ice_wait_bist_status(ice); 138 } 139 EXPORT_SYMBOL_GPL(qcom_ice_enable); 140 141 int qcom_ice_resume(struct qcom_ice *ice) 142 { 143 struct device *dev = ice->dev; 144 int err; 145 146 err = clk_prepare_enable(ice->core_clk); 147 if (err) { 148 dev_err(dev, "failed to enable core clock (%d)\n", 149 err); 150 return err; 151 } 152 153 return qcom_ice_wait_bist_status(ice); 154 } 155 EXPORT_SYMBOL_GPL(qcom_ice_resume); 156 157 int qcom_ice_suspend(struct qcom_ice *ice) 158 { 159 clk_disable_unprepare(ice->core_clk); 160 161 return 0; 162 } 163 EXPORT_SYMBOL_GPL(qcom_ice_suspend); 164 165 int qcom_ice_program_key(struct qcom_ice *ice, unsigned int slot, 166 const struct blk_crypto_key *blk_key) 167 { 168 struct device *dev = ice->dev; 169 union { 170 u8 bytes[AES_256_XTS_KEY_SIZE]; 171 u32 words[AES_256_XTS_KEY_SIZE / sizeof(u32)]; 172 } key; 173 int i; 174 int err; 175 176 /* Only AES-256-XTS has been tested so far. */ 177 if (blk_key->crypto_cfg.crypto_mode != 178 BLK_ENCRYPTION_MODE_AES_256_XTS) { 179 dev_err_ratelimited(dev, "Unsupported crypto mode: %d\n", 180 blk_key->crypto_cfg.crypto_mode); 181 return -EINVAL; 182 } 183 184 if (blk_key->size != AES_256_XTS_KEY_SIZE) { 185 dev_err_ratelimited(dev, "Incorrect key size\n"); 186 return -EINVAL; 187 } 188 memcpy(key.bytes, blk_key->bytes, AES_256_XTS_KEY_SIZE); 189 190 /* The SCM call requires that the key words are encoded in big endian */ 191 for (i = 0; i < ARRAY_SIZE(key.words); i++) 192 __cpu_to_be32s(&key.words[i]); 193 194 err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE, 195 QCOM_SCM_ICE_CIPHER_AES_256_XTS, 196 blk_key->crypto_cfg.data_unit_size / 512); 197 198 memzero_explicit(&key, sizeof(key)); 199 200 return err; 201 } 202 EXPORT_SYMBOL_GPL(qcom_ice_program_key); 203 204 int qcom_ice_evict_key(struct qcom_ice *ice, int slot) 205 { 206 return qcom_scm_ice_invalidate_key(slot); 207 } 208 EXPORT_SYMBOL_GPL(qcom_ice_evict_key); 209 210 static struct qcom_ice *qcom_ice_create(struct device *dev, 211 void __iomem *base) 212 { 213 struct qcom_ice *engine; 214 215 if (!qcom_scm_is_available()) 216 return ERR_PTR(-EPROBE_DEFER); 217 218 if (!qcom_scm_ice_available()) { 219 dev_warn(dev, "ICE SCM interface not found\n"); 220 return NULL; 221 } 222 223 engine = devm_kzalloc(dev, sizeof(*engine), GFP_KERNEL); 224 if (!engine) 225 return ERR_PTR(-ENOMEM); 226 227 engine->dev = dev; 228 engine->base = base; 229 230 /* 231 * Legacy DT binding uses different clk names for each consumer, 232 * so lets try those first. If none of those are a match, it means 233 * the we only have one clock and it is part of the dedicated DT node. 234 * Also, enable the clock before we check what HW version the driver 235 * supports. 236 */ 237 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice_core_clk"); 238 if (!engine->core_clk) 239 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice"); 240 if (!engine->core_clk) 241 engine->core_clk = devm_clk_get_enabled(dev, NULL); 242 if (IS_ERR(engine->core_clk)) 243 return ERR_CAST(engine->core_clk); 244 245 if (!qcom_ice_check_supported(engine)) 246 return ERR_PTR(-EOPNOTSUPP); 247 248 dev_dbg(dev, "Registered Qualcomm Inline Crypto Engine\n"); 249 250 return engine; 251 } 252 253 /** 254 * of_qcom_ice_get() - get an ICE instance from a DT node 255 * @dev: device pointer for the consumer device 256 * 257 * This function will provide an ICE instance either by creating one for the 258 * consumer device if its DT node provides the 'ice' reg range and the 'ice' 259 * clock (for legacy DT style). On the other hand, if consumer provides a 260 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already 261 * be created and so this function will return that instead. 262 * 263 * Return: ICE pointer on success, NULL if there is no ICE data provided by the 264 * consumer or ERR_PTR() on error. 265 */ 266 static struct qcom_ice *of_qcom_ice_get(struct device *dev) 267 { 268 struct platform_device *pdev = to_platform_device(dev); 269 struct qcom_ice *ice; 270 struct resource *res; 271 void __iomem *base; 272 struct device_link *link; 273 274 if (!dev || !dev->of_node) 275 return ERR_PTR(-ENODEV); 276 277 /* 278 * In order to support legacy style devicetree bindings, we need 279 * to create the ICE instance using the consumer device and the reg 280 * range called 'ice' it provides. 281 */ 282 res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice"); 283 if (res) { 284 base = devm_ioremap_resource(&pdev->dev, res); 285 if (IS_ERR(base)) 286 return ERR_CAST(base); 287 288 /* create ICE instance using consumer dev */ 289 return qcom_ice_create(&pdev->dev, base); 290 } 291 292 /* 293 * If the consumer node does not provider an 'ice' reg range 294 * (legacy DT binding), then it must at least provide a phandle 295 * to the ICE devicetree node, otherwise ICE is not supported. 296 */ 297 struct device_node *node __free(device_node) = of_parse_phandle(dev->of_node, 298 "qcom,ice", 0); 299 if (!node) 300 return NULL; 301 302 pdev = of_find_device_by_node(node); 303 if (!pdev) { 304 dev_err(dev, "Cannot find device node %s\n", node->name); 305 return ERR_PTR(-EPROBE_DEFER); 306 } 307 308 ice = platform_get_drvdata(pdev); 309 if (!ice) { 310 dev_err(dev, "Cannot get ice instance from %s\n", 311 dev_name(&pdev->dev)); 312 platform_device_put(pdev); 313 return ERR_PTR(-EPROBE_DEFER); 314 } 315 316 link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER); 317 if (!link) { 318 dev_err(&pdev->dev, 319 "Failed to create device link to consumer %s\n", 320 dev_name(dev)); 321 platform_device_put(pdev); 322 ice = ERR_PTR(-EINVAL); 323 } 324 325 return ice; 326 } 327 328 static void qcom_ice_put(const struct qcom_ice *ice) 329 { 330 struct platform_device *pdev = to_platform_device(ice->dev); 331 332 if (!platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice")) 333 platform_device_put(pdev); 334 } 335 336 static void devm_of_qcom_ice_put(struct device *dev, void *res) 337 { 338 qcom_ice_put(*(struct qcom_ice **)res); 339 } 340 341 /** 342 * devm_of_qcom_ice_get() - Devres managed helper to get an ICE instance from 343 * a DT node. 344 * @dev: device pointer for the consumer device. 345 * 346 * This function will provide an ICE instance either by creating one for the 347 * consumer device if its DT node provides the 'ice' reg range and the 'ice' 348 * clock (for legacy DT style). On the other hand, if consumer provides a 349 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already 350 * be created and so this function will return that instead. 351 * 352 * Return: ICE pointer on success, NULL if there is no ICE data provided by the 353 * consumer or ERR_PTR() on error. 354 */ 355 struct qcom_ice *devm_of_qcom_ice_get(struct device *dev) 356 { 357 struct qcom_ice *ice, **dr; 358 359 dr = devres_alloc(devm_of_qcom_ice_put, sizeof(*dr), GFP_KERNEL); 360 if (!dr) 361 return ERR_PTR(-ENOMEM); 362 363 ice = of_qcom_ice_get(dev); 364 if (!IS_ERR_OR_NULL(ice)) { 365 *dr = ice; 366 devres_add(dev, dr); 367 } else { 368 devres_free(dr); 369 } 370 371 return ice; 372 } 373 EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get); 374 375 static int qcom_ice_probe(struct platform_device *pdev) 376 { 377 struct qcom_ice *engine; 378 void __iomem *base; 379 380 base = devm_platform_ioremap_resource(pdev, 0); 381 if (IS_ERR(base)) { 382 dev_warn(&pdev->dev, "ICE registers not found\n"); 383 return PTR_ERR(base); 384 } 385 386 engine = qcom_ice_create(&pdev->dev, base); 387 if (IS_ERR(engine)) 388 return PTR_ERR(engine); 389 390 platform_set_drvdata(pdev, engine); 391 392 return 0; 393 } 394 395 static const struct of_device_id qcom_ice_of_match_table[] = { 396 { .compatible = "qcom,inline-crypto-engine" }, 397 { }, 398 }; 399 MODULE_DEVICE_TABLE(of, qcom_ice_of_match_table); 400 401 static struct platform_driver qcom_ice_driver = { 402 .probe = qcom_ice_probe, 403 .driver = { 404 .name = "qcom-ice", 405 .of_match_table = qcom_ice_of_match_table, 406 }, 407 }; 408 409 module_platform_driver(qcom_ice_driver); 410 411 MODULE_DESCRIPTION("Qualcomm Inline Crypto Engine driver"); 412 MODULE_LICENSE("GPL"); 413