// SPDX-License-Identifier: GPL-2.0
/*
 * Qualcomm ICE (Inline Crypto Engine) support.
 *
 * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
 * Copyright (c) 2019, Google LLC
 * Copyright (c) 2023, Linaro Limited
 */

#include <linux/bitfield.h>
#include <linux/cleanup.h>
#include <linux/clk.h>
#include <linux/delay.h>
#include <linux/device.h>
#include <linux/iopoll.h>
#include <linux/of.h>
#include <linux/of_platform.h>
#include <linux/platform_device.h>
#include <linux/xarray.h>

#include <linux/firmware/qcom/qcom_scm.h>

#include <soc/qcom/ice.h>

#define AES_256_XTS_KEY_SIZE	64   /* for raw keys only */

#define QCOM_ICE_HWKM_V1	1   /* HWKM version 1 */
#define QCOM_ICE_HWKM_V2	2   /* HWKM version 2 */

#define QCOM_ICE_HWKM_MAX_WRAPPED_KEY_SIZE 100 /* Maximum HWKM wrapped key size */

/*
 * Wrapped key size depends upon HWKM version:
 * HWKM version 1 supports 68 bytes
 * HWKM version 2 supports 100 bytes
 *
 * Note that every value other than QCOM_ICE_HWKM_V1, including 0 ("no HWKM"),
 * evaluates to 100.
 */
#define QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(v) ((v) == QCOM_ICE_HWKM_V1 ? 68 : 100)

/* QCOM ICE registers */

#define QCOM_ICE_REG_CONTROL			0x0000
#define QCOM_ICE_LEGACY_MODE_ENABLED		BIT(0)

#define QCOM_ICE_REG_VERSION			0x0008

#define QCOM_ICE_REG_FUSE_SETTING		0x0010
#define QCOM_ICE_FUSE_SETTING_MASK		BIT(0)
#define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK	BIT(1)
#define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK	BIT(2)

#define QCOM_ICE_REG_BIST_STATUS		0x0070
#define QCOM_ICE_BIST_STATUS_MASK		GENMASK(31, 28)

#define QCOM_ICE_REG_ADVANCED_CONTROL		0x1000

#define QCOM_ICE_REG_CRYPTOCFG_BASE		0x4040
#define QCOM_ICE_REG_CRYPTOCFG_SIZE		0x80
#define QCOM_ICE_REG_CRYPTOCFG(slot) (QCOM_ICE_REG_CRYPTOCFG_BASE + \
				      QCOM_ICE_REG_CRYPTOCFG_SIZE * (slot))
/*
 * Value written to QCOM_ICE_REG_CRYPTOCFG(slot) by
 * qcom_ice_program_wrapped_key(), viewed either as one little-endian word or
 * as its four bytes.
 */
union crypto_cfg {
	__le32 regval;
	struct {
		u8 dusize;	/* filled with data_unit_size / 512 */
		u8 capidx;	/* filled with QCOM_SCM_ICE_CIPHER_AES_256_XTS */
		u8 reserved;
#define QCOM_ICE_HWKM_CFG_ENABLE_VAL		BIT(7)
		u8 cfge;	/* filled with QCOM_ICE_HWKM_CFG_ENABLE_VAL */
	};
};

/* QCOM ICE HWKM (Hardware Key Manager) registers */

#define HWKM_OFFSET				0x8000

#define QCOM_ICE_REG_HWKM_TZ_KM_CTL		(HWKM_OFFSET + 0x1000)
#define QCOM_ICE_HWKM_DISABLE_CRC_CHECKS_VAL	(BIT(1) | BIT(2))
/* In HWKM v1 the ICE legacy mode is controlled from HWKM register space */
#define QCOM_ICE_HWKM_ICE_LEGACY_MODE_ENABLED	BIT(5)

#define QCOM_ICE_REG_HWKM_TZ_KM_STATUS		(HWKM_OFFSET + 0x1004)
#define QCOM_ICE_HWKM_KT_CLEAR_DONE		BIT(0)
#define QCOM_ICE_HWKM_BOOT_CMD_LIST0_DONE	BIT(1)
#define QCOM_ICE_HWKM_BOOT_CMD_LIST1_DONE	BIT(2)
#define QCOM_ICE_HWKM_CRYPTO_BIST_DONE(v)	(((v) == QCOM_ICE_HWKM_V1) ? BIT(14) : BIT(7))
#define QCOM_ICE_HWKM_BIST_DONE(v)		(((v) == QCOM_ICE_HWKM_V1) ? BIT(16) : BIT(9))

#define QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS (HWKM_OFFSET + 0x2008)
#define QCOM_ICE_HWKM_RSP_FIFO_CLEAR_VAL	BIT(3)

#define QCOM_ICE_REG_HWKM_BANK0_BBAC_0		(HWKM_OFFSET + 0x5000)
#define QCOM_ICE_REG_HWKM_BANK0_BBAC_1		(HWKM_OFFSET + 0x5004)
#define QCOM_ICE_REG_HWKM_BANK0_BBAC_2		(HWKM_OFFSET + 0x5008)
#define QCOM_ICE_REG_HWKM_BANK0_BBAC_3		(HWKM_OFFSET + 0x500C)
#define QCOM_ICE_REG_HWKM_BANK0_BBAC_4		(HWKM_OFFSET + 0x5010)

/* MMIO accessors: @reg is a byte offset from the engine's mapped base. */
#define qcom_ice_writel(engine, val, reg)	\
	writel((val), (engine)->base + (reg))

#define qcom_ice_readl(engine, reg)	\
	readl((engine)->base + (reg))

/*
 * Opt-in switch for wrapped-key (HWKM) mode, registered with mode 0660.
 * Within this file the flag is read only by qcom_ice_check_supported(), which
 * runs from qcom_ice_create(); changing it afterwards does not alter the
 * use_hwkm decision already stored in an existing engine.
 */
static bool qcom_ice_use_wrapped_keys;
module_param_named(use_wrapped_keys, qcom_ice_use_wrapped_keys, bool, 0660);
MODULE_PARM_DESC(use_wrapped_keys,
		 "Support wrapped keys instead of raw keys, if available on the platform");

/* Per-engine driver state. */
struct qcom_ice {
	struct device *dev;
	void __iomem *base;		/* register base used by qcom_ice_readl/writel */

	struct clk *core_clk;
	struct clk *iface_clk;		/* optional; see qcom_ice_create() */
	bool use_hwkm;			/* decided once in qcom_ice_check_supported() */
	bool hwkm_init_complete;	/* set by qcom_ice_hwkm_init(), cleared on suspend */
	u8 hwkm_version;		/* 0, QCOM_ICE_HWKM_V1 or QCOM_ICE_HWKM_V2 */
};

/*
 * Engines registered through the platform driver, indexed by the phandle of
 * their DT node. qcom_ice_probe() also stores error pointers here so that
 * of_qcom_ice_get() can report the probe failure. Accesses in this file are
 * made with ice_mutex held.
 */
static DEFINE_XARRAY(ice_handles);
static DEFINE_MUTEX(ice_mutex);

/*
 * Decide whether this ICE instance can be driven and in which key mode.
 *
 * Reads the version register, records the HWKM version implied by it, refuses
 * hardware whose fuse-setting bits are set, and finally sets ice->use_hwkm
 * when HWKM is present, the SCM layer reports wrapped-key support and the
 * use_wrapped_keys module parameter is set.
 *
 * Return: true if the engine is usable, false otherwise.
 */
static bool qcom_ice_check_supported(struct qcom_ice *ice)
{
	u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
	struct device *dev = ice->dev;
	/* Version register layout: major [31:24], minor [23:16], step [15:0]. */
	int major = FIELD_GET(GENMASK(31, 24), regval);
	int minor = FIELD_GET(GENMASK(23, 16), regval);
	int step = FIELD_GET(GENMASK(15, 0), regval);

	/* For now this driver only supports ICE version 3 and 4. */
	if (major != 3 && major != 4) {
		dev_warn(dev, "Unsupported ICE version: v%d.%d.%d\n",
			 major, minor, step);
		return false;
	}

	/* HWKM version v2 is present from ICE 3.2.1 onwards while version v1
	 * is present only in ICE 3.2.0. Earlier ICE version don't have HWKM.
	 */
	if (major > 3 ||
	   (major == 3 && (minor >= 3 || (minor == 2 && step >= 1))))
		ice->hwkm_version = QCOM_ICE_HWKM_V2;
	else if ((major == 3) && (minor == 2))
		ice->hwkm_version = QCOM_ICE_HWKM_V1;
	else
		ice->hwkm_version = 0;

	dev_info(dev, "Found QC Inline Crypto Engine (ICE) v%d.%d.%d\n",
		 major, minor, step);

	if (ice->hwkm_version)
		dev_info(dev, "QC Hardware Key Manager (HWKM) version v%d\n",
			 ice->hwkm_version);

	/* If fuses are blown, ICE might not work in the standard way. */
	regval = qcom_ice_readl(ice, QCOM_ICE_REG_FUSE_SETTING);
	if (regval & (QCOM_ICE_FUSE_SETTING_MASK |
		      QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK |
		      QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK)) {
		dev_warn(dev, "Fuses are blown; ICE is unusable!\n");
		return false;
	}

	/*
	 * Check for HWKM support and decide whether to use it or not. ICE
	 * v3.2.1 and later have HWKM v2. ICE v3.2.0 has HWKM v1. Earlier ICE
	 * versions don't have HWKM at all. However, for HWKM to be fully
	 * usable by Linux, the TrustZone software also needs to support certain
	 * SCM calls including the ones to generate and prepare keys. Support
	 * for these SCM calls is present for SoCs with HWKM v2 and is being
	 * added for SoCs with HWKM v1 as well but not every SoC with HWKM v1
	 * currently supports this. So, this driver checks for the SCM call
	 * support before it decides to use HWKM.
	 *
	 * Also, since HWKM and legacy mode are mutually exclusive, and
	 * ICE-capable storage driver(s) need to know early on whether to
	 * advertise support for raw keys or wrapped keys, HWKM cannot be used
	 * unconditionally. A module parameter is used to opt into using it.
	 */
	if (ice->hwkm_version && qcom_scm_has_wrapped_key_support()) {
		if (qcom_ice_use_wrapped_keys) {
			dev_info(dev, "Using HWKM. Supporting wrapped keys only.\n");
			ice->use_hwkm = true;
		} else {
			dev_info(dev, "Not using HWKM. Supporting raw keys only.\n");
		}
	} else if (qcom_ice_use_wrapped_keys) {
		/* The request is dropped, not treated as an error: raw keys stay in use. */
		dev_warn(dev, "A supported HWKM is not present. Ignoring qcom_ice.use_wrapped_keys=1.\n");
	} else {
		dev_info(dev, "A supported HWKM is not present. Supporting raw keys only.\n");
	}
	return true;
}

/* Set the low-power-mode bits (0x7000) in the ADVANCED_CONTROL register. */
static void qcom_ice_low_power_mode_enable(struct qcom_ice *ice)
{
	u32 regval;

	regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);

	/* Enable low power mode sequence */
	regval |= 0x7000;
	qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
}

/*
 * Set the optimization bits (0xd807100) in the ADVANCED_CONTROL register,
 * with a 5 us delay before and after the write.
 */
static void qcom_ice_optimization_enable(struct qcom_ice *ice)
{
	u32 regval;

	/* ICE Optimizations Enable Sequence */
	regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
	regval |= 0xd807100;
	/* ICE HPG requires delay before writing */
	udelay(5);
	qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
	udelay(5);
}

/*
 * Wait until the ICE BIST (built-in self-test) has completed.
 *
 * This may be necessary before ICE can be used.
 * Note that we don't really care whether the BIST passed or failed;
 * we really just want to make sure that it isn't still running. This is
 * because (a) the BIST is a FIPS compliance thing that never fails in
 * practice, (b) ICE is documented to reject crypto requests if the BIST
 * fails, so we needn't do it in software too, and (c) properly testing
 * storage encryption requires testing the full storage stack anyway,
 * and not relying on hardware-level self-tests.
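 */
static int qcom_ice_wait_bist_status(struct qcom_ice *ice)
{
	u32 regval;
	int err;

	/* Poll every 50 us, for at most 5000 us, until the BIST bits clear. */
	err = readl_poll_timeout(ice->base + QCOM_ICE_REG_BIST_STATUS,
				 regval, !(regval & QCOM_ICE_BIST_STATUS_MASK),
				 50, 5000);
	if (err) {
		dev_err(ice->dev, "Timed out waiting for ICE self-test to complete\n");
		return err;
	}

	/*
	 * In HWKM mode the status register must equal exactly the set of
	 * "done" bits for this HWKM version. A mismatch is only logged: the
	 * function still returns 0 and use_hwkm stays set.
	 */
	if (ice->use_hwkm &&
	    qcom_ice_readl(ice, QCOM_ICE_REG_HWKM_TZ_KM_STATUS) !=
	    (QCOM_ICE_HWKM_KT_CLEAR_DONE |
	     QCOM_ICE_HWKM_BOOT_CMD_LIST0_DONE |
	     QCOM_ICE_HWKM_BOOT_CMD_LIST1_DONE |
	     QCOM_ICE_HWKM_CRYPTO_BIST_DONE(ice->hwkm_version) |
	     QCOM_ICE_HWKM_BIST_DONE(ice->hwkm_version))) {
		dev_err(ice->dev, "HWKM self-test error!\n");
		/*
		 * Too late to revoke use_hwkm here, as it was already
		 * propagated up the stack into the crypto capabilities.
		 */
	}
	return 0;
}

/*
 * Switch ICE from legacy (raw key) mode into HWKM (wrapped key) mode and
 * prepare the HWKM for use. Does nothing unless ice->use_hwkm is set.
 * Sets ice->hwkm_init_complete when done.
 */
static void qcom_ice_hwkm_init(struct qcom_ice *ice)
{
	u32 regval;

	if (!ice->use_hwkm)
		return;

	BUILD_BUG_ON(QCOM_ICE_HWKM_MAX_WRAPPED_KEY_SIZE >
		     BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE);
	/*
	 * When ICE is in HWKM mode, it only supports wrapped keys.
	 * When ICE is in legacy mode, it only supports raw keys.
	 *
	 * Put ICE in HWKM mode. ICE defaults to legacy mode.
	 */
	if (ice->hwkm_version == QCOM_ICE_HWKM_V2) {
		regval = qcom_ice_readl(ice, QCOM_ICE_REG_CONTROL);
		regval &= ~QCOM_ICE_LEGACY_MODE_ENABLED;
		qcom_ice_writel(ice, regval, QCOM_ICE_REG_CONTROL);
	} else if (ice->hwkm_version == QCOM_ICE_HWKM_V1) {
		regval = qcom_ice_readl(ice, QCOM_ICE_REG_HWKM_TZ_KM_CTL);
		regval &= ~QCOM_ICE_HWKM_ICE_LEGACY_MODE_ENABLED;
		qcom_ice_writel(ice, regval, QCOM_ICE_REG_HWKM_TZ_KM_CTL);
	}

	/*
	 * Disable CRC checks. This HWKM feature is not used.
	 *
	 * This is a plain write of a constant, not a read-modify-write, so it
	 * replaces the whole TZ_KM_CTL value. The constant leaves the v1
	 * legacy-mode bit (BIT(5)) clear, which keeps the mode chosen above.
	 */
	qcom_ice_writel(ice, QCOM_ICE_HWKM_DISABLE_CRC_CHECKS_VAL,
			QCOM_ICE_REG_HWKM_TZ_KM_CTL);

	/*
	 * Allow the HWKM slave to read and write the keyslots in the ICE HWKM
	 * slave. Without this, TrustZone cannot program keys into ICE.
	 * All 32 bits are set in each of the five BBAC registers.
	 */
	qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_0);
	qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_1);
	qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_2);
	qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_3);
	qcom_ice_writel(ice, GENMASK(31, 0), QCOM_ICE_REG_HWKM_BANK0_BBAC_4);

	/* Clear the HWKM response FIFO. */
	qcom_ice_writel(ice, QCOM_ICE_HWKM_RSP_FIFO_CLEAR_VAL,
			QCOM_ICE_REG_HWKM_BANK0_BANKN_IRQ_STATUS);
	ice->hwkm_init_complete = true;
}

/*
 * Bring the engine into its operating state: power/optimization settings,
 * HWKM setup (when enabled), then wait for the self-test to finish.
 *
 * Return: 0 on success, or the error from waiting on the self-test.
 */
int qcom_ice_enable(struct qcom_ice *ice)
{
	qcom_ice_low_power_mode_enable(ice);
	qcom_ice_optimization_enable(ice);
	qcom_ice_hwkm_init(ice);
	return qcom_ice_wait_bist_status(ice);
}
EXPORT_SYMBOL_GPL(qcom_ice_enable);

/*
 * Re-enable the clocks, redo the HWKM setup and wait for the self-test.
 *
 * Return: 0 on success, -errno on failure. If the iface clock cannot be
 * enabled, the core clock enabled just before is released again so that the
 * failed call leaves both clocks off.
 */
int qcom_ice_resume(struct qcom_ice *ice)
{
	struct device *dev = ice->dev;
	int err;

	err = clk_prepare_enable(ice->core_clk);
	if (err) {
		dev_err(dev, "Failed to enable core clock: %d\n", err);
		return err;
	}

	err = clk_prepare_enable(ice->iface_clk);
	if (err) {
		dev_err(dev, "Failed to enable iface clock: %d\n", err);
		/* Undo the core clock enable; otherwise its count leaks. */
		clk_disable_unprepare(ice->core_clk);
		return err;
	}
	qcom_ice_hwkm_init(ice);
	/*
	 * NOTE(review): a self-test timeout is returned with both clocks
	 * still enabled and hwkm_init_complete possibly set - confirm that
	 * callers treat that error as "resumed but unusable".
	 */
	return qcom_ice_wait_bist_status(ice);
}
EXPORT_SYMBOL_GPL(qcom_ice_resume);

/*
 * Release both clocks and mark the HWKM setup as stale, so that
 * qcom_ice_program_wrapped_key() refuses to program keys until
 * qcom_ice_hwkm_init() has run again.
 *
 * Return: always 0.
 */
int qcom_ice_suspend(struct qcom_ice *ice)
{
	clk_disable_unprepare(ice->iface_clk);
	clk_disable_unprepare(ice->core_clk);
	ice->hwkm_init_complete = false;

	return 0;
}
EXPORT_SYMBOL_GPL(qcom_ice_suspend);

/*
 * Map a blk-crypto keyslot number to the slot number passed to the SCM
 * calls: unchanged for HWKM v1, doubled for every other HWKM version value.
 */
static unsigned int translate_hwkm_slot(struct qcom_ice *ice, unsigned int slot)
{
	return ice->hwkm_version == QCOM_ICE_HWKM_V1 ? slot : slot * 2;
}

/*
 * Program a hardware-wrapped key into @slot through TrustZone.
 *
 * The slot's CRYPTOCFG register is zeroed first and only re-enabled after
 * the SCM call succeeded, so a failed call leaves the slot disabled.
 *
 * Return: 0 on success; -EINVAL if HWKM is not in use or not initialized;
 * otherwise the error from qcom_scm_ice_set_key().
 */
static int qcom_ice_program_wrapped_key(struct qcom_ice *ice, unsigned int slot,
					const struct blk_crypto_key *bkey)
{
	struct device *dev = ice->dev;
	union crypto_cfg cfg = {
		.dusize = bkey->crypto_cfg.data_unit_size / 512,
		.capidx = QCOM_SCM_ICE_CIPHER_AES_256_XTS,
		.cfge = QCOM_ICE_HWKM_CFG_ENABLE_VAL,
	};
	int err;

	if (!ice->use_hwkm) {
		dev_err_ratelimited(dev, "Got wrapped key when not using HWKM\n");
		return -EINVAL;
	}
	if (!ice->hwkm_init_complete) {
		dev_err_ratelimited(dev, "HWKM not yet initialized\n");
		return -EINVAL;
	}

	/*
	 * NOTE(review): @slot selects a register offset and is not
	 * range-checked in this file; presumably the caller bounds it by the
	 * number of keyslots it advertised - confirm.
	 */

	/* Clear CFGE before programming the key. */
	qcom_ice_writel(ice, 0x0, QCOM_ICE_REG_CRYPTOCFG(slot));

	/*
	 * Call into TrustZone to program the wrapped key using HWKM.
	 *
	 * NOTE(review): bkey->size is forwarded as given; unlike the raw-key
	 * path there is no size check here - confirm the layers above or the
	 * SCM call validate it.
	 */
	err = qcom_scm_ice_set_key(translate_hwkm_slot(ice, slot), bkey->bytes,
				   bkey->size, cfg.capidx, cfg.dusize);
	if (err) {
		dev_err_ratelimited(dev,
				    "qcom_scm_ice_set_key failed; err=%d, slot=%u\n",
				    err, slot);
		return err;
	}

	/* Set CFGE after programming the key. */
	qcom_ice_writel(ice, le32_to_cpu(cfg.regval),
			QCOM_ICE_REG_CRYPTOCFG(slot));
	return 0;
}

/*
 * Program a blk-crypto key into keyslot @slot.
 *
 * Only AES-256-XTS is accepted. Hardware-wrapped keys are handed to
 * qcom_ice_program_wrapped_key(); raw keys are rejected while HWKM is in use
 * and must be exactly AES_256_XTS_KEY_SIZE bytes.
 *
 * Return: 0 on success, -EINVAL for an unsupported mode, key type or size,
 * or the error from the SCM call.
 */
int qcom_ice_program_key(struct qcom_ice *ice, unsigned int slot,
			 const struct blk_crypto_key *blk_key)
{
	struct device *dev = ice->dev;
	/* On-stack copy of the raw key, viewed as bytes or as 32-bit words. */
	union {
		u8 bytes[AES_256_XTS_KEY_SIZE];
		u32 words[AES_256_XTS_KEY_SIZE / sizeof(u32)];
	} key;
	int i;
	int err;

	/* Only AES-256-XTS has been tested so far. */
	if (blk_key->crypto_cfg.crypto_mode !=
	    BLK_ENCRYPTION_MODE_AES_256_XTS) {
		dev_err_ratelimited(dev, "Unsupported crypto mode: %d\n",
				    blk_key->crypto_cfg.crypto_mode);
		return -EINVAL;
	}

	if (blk_key->crypto_cfg.key_type == BLK_CRYPTO_KEY_TYPE_HW_WRAPPED)
		return qcom_ice_program_wrapped_key(ice, slot, blk_key);

	if (ice->use_hwkm) {
		dev_err_ratelimited(dev, "Got raw key when using HWKM\n");
		return -EINVAL;
	}

	/* The size check precedes the fixed-length copy into the stack buffer. */
	if (blk_key->size != AES_256_XTS_KEY_SIZE) {
		dev_err_ratelimited(dev, "Incorrect key size\n");
		return -EINVAL;
	}
	memcpy(key.bytes, blk_key->bytes, AES_256_XTS_KEY_SIZE);

	/* The SCM call requires that the key words are encoded in big endian */
	for (i = 0; i < ARRAY_SIZE(key.words); i++)
		__cpu_to_be32s(&key.words[i]);

	err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
				   QCOM_SCM_ICE_CIPHER_AES_256_XTS,
				   blk_key->crypto_cfg.data_unit_size / 512);

	/* Wipe the stack copy of the raw key on success and failure alike. */
	memzero_explicit(&key, sizeof(key));

	return err;
}
EXPORT_SYMBOL_GPL(qcom_ice_program_key);

/*
 * Invalidate the key in keyslot @slot through the SCM interface.
 *
 * NOTE(review): the slot is translated only while hwkm_init_complete is set,
 * and qcom_ice_suspend() clears that flag. An eviction issued between suspend
 * and resume would pass the untranslated slot - confirm callers never evict
 * in that window.
 *
 * Return: the result of qcom_scm_ice_invalidate_key().
 */
int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
{
	if (ice->hwkm_init_complete)
		slot = translate_hwkm_slot(ice, slot);
	return qcom_scm_ice_invalidate_key(slot);
}
EXPORT_SYMBOL_GPL(qcom_ice_evict_key);

/**
 * qcom_ice_get_supported_key_type() - Get the supported key type
 * @ice: ICE driver data
 *
 * Return: the blk-crypto key type that the ICE driver is configured to use.
 * This is the key type that ICE-capable storage drivers should advertise as
 * supported in the crypto capabilities of any disks they register.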
 */
enum blk_crypto_key_type qcom_ice_get_supported_key_type(struct qcom_ice *ice)
{
	/* The two modes are exclusive: HWKM means wrapped keys, else raw keys. */
	return ice->use_hwkm ? BLK_CRYPTO_KEY_TYPE_HW_WRAPPED :
			       BLK_CRYPTO_KEY_TYPE_RAW;
}
EXPORT_SYMBOL_GPL(qcom_ice_get_supported_key_type);

/**
 * qcom_ice_derive_sw_secret() - Derive software secret from wrapped key
 * @ice: ICE driver data (not read by this function)
 * @eph_key: an ephemerally-wrapped key
 * @eph_key_size: size of @eph_key in bytes
 * @sw_secret: output buffer for the software secret, BLK_CRYPTO_SW_SECRET_SIZE
 *	       bytes long
 *
 * Ask the SCM layer to derive the "software secret" that belongs to a
 * hardware-wrapped key supplied in ephemerally-wrapped form.
 *
 * Return: 0 on success; -EBADMSG if the SCM call failed with -EIO or -EINVAL,
 * which most likely means the wrapped key is invalid; or another -errno value.
 */
int qcom_ice_derive_sw_secret(struct qcom_ice *ice,
			      const u8 *eph_key, size_t eph_key_size,
			      u8 sw_secret[BLK_CRYPTO_SW_SECRET_SIZE])
{
	int ret;

	ret = qcom_scm_derive_sw_secret(eph_key, eph_key_size,
					sw_secret, BLK_CRYPTO_SW_SECRET_SIZE);
	switch (ret) {
	case -EIO:
	case -EINVAL:
		/* probably invalid key */
		return -EBADMSG;
	default:
		return ret;
	}
}
EXPORT_SYMBOL_GPL(qcom_ice_derive_sw_secret);

/**
 * qcom_ice_generate_key() - Generate a wrapped key for inline encryption
 * @ice: ICE driver data
 * @lt_key: output buffer for the long-term wrapped key
 *
 * Use HWKM to generate a new key and return it as a long-term wrapped key.
 *
 * Return: the size of the resulting wrapped key on success; -errno on failure.
 */
int qcom_ice_generate_key(struct qcom_ice *ice,
			  u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
{
	/*
	 * NOTE(review): ice->use_hwkm is not checked here. With hwkm_version
	 * 0 the size macro evaluates to 100 - confirm callers reach this only
	 * when wrapped keys are in use.
	 */
	const int wkey_size = QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
	int ret = qcom_scm_generate_ice_key(lt_key, wkey_size);

	return ret ? ret : wkey_size;
}
EXPORT_SYMBOL_GPL(qcom_ice_generate_key);

/**
 * qcom_ice_prepare_key() - Prepare a wrapped key for inline encryption
 * @ice: ICE driver data
 * @lt_key: a long-term wrapped key
 * @lt_key_size: size of @lt_key in bytes
 * @eph_key: output buffer for the ephemerally-wrapped key
 *
 * Have HWKM re-wrap a long-term wrapped key with the per-boot ephemeral key.
 * The output size requested from the SCM call is the wrapped key size of the
 * engine's HWKM version.
 *
 * Return: the size of the resulting wrapped key on success; -EBADMSG if the
 * SCM call failed with -EIO or -EINVAL, which most likely means the given
 * long-term wrapped key is invalid; or another -errno value.
 */
int qcom_ice_prepare_key(struct qcom_ice *ice,
			 const u8 *lt_key, size_t lt_key_size,
			 u8 eph_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
{
	const int wkey_size = QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
	int ret = qcom_scm_prepare_ice_key(lt_key, lt_key_size,
					   eph_key, wkey_size);

	if (!ret)
		return wkey_size;
	if (ret == -EIO || ret == -EINVAL)
		return -EBADMSG; /* probably invalid key */
	return ret;
}
EXPORT_SYMBOL_GPL(qcom_ice_prepare_key);

/**
 * qcom_ice_import_key() - Import a raw key for inline encryption
 * @ice: ICE driver data
 * @raw_key: the raw key to import
 * @raw_key_size: size of @raw_key in bytes
 * @lt_key: output buffer for the long-term wrapped key
 *
 * Use HWKM to import a raw key and return it as a long-term wrapped key.
 *
 * Return: the size of the resulting wrapped key on success; -errno on failure.
 */
int qcom_ice_import_key(struct qcom_ice *ice,
			const u8 *raw_key, size_t raw_key_size,
			u8 lt_key[BLK_CRYPTO_MAX_HW_WRAPPED_KEY_SIZE])
{
	int err;

	/*
	 * @raw_key is handed straight to the SCM call. This function keeps no
	 * copy of it and does not wipe the caller's buffer.
	 */
	err = qcom_scm_import_ice_key(raw_key, raw_key_size,
				      lt_key, QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version));
	if (err)
		return err;

	return QCOM_ICE_HWKM_WRAPPED_KEY_SIZE(ice->hwkm_version);
}
EXPORT_SYMBOL_GPL(qcom_ice_import_key);

/*
 * Allocate and set up the driver state for one ICE instance.
 *
 * @dev owns the devm allocations and clocks; @base is the already mapped
 * register range.
 *
 * Return: the new engine, or ERR_PTR(): -EPROBE_DEFER while the SCM driver is
 * not available, -EOPNOTSUPP if the ICE SCM interface is missing or the
 * hardware is rejected by qcom_ice_check_supported(), -ENOMEM, or a clock
 * lookup error.
 */
static struct qcom_ice *qcom_ice_create(struct device *dev,
					void __iomem *base)
{
	struct qcom_ice *engine;

	if (!qcom_scm_is_available())
		return ERR_PTR(-EPROBE_DEFER);

	if (!qcom_scm_ice_available()) {
		dev_warn(dev, "ICE SCM interface not found\n");
		return ERR_PTR(-EOPNOTSUPP);
	}

	engine = devm_kzalloc(dev, sizeof(*engine), GFP_KERNEL);
	if (!engine)
		return ERR_PTR(-ENOMEM);

	engine->dev = dev;
	engine->base = base;

	/*
	 * Legacy DT binding uses different clk names for each consumer,
	 * so let's try those first. If none of those are a match, it means
	 * that we only have one clock and it is part of the dedicated DT node.
	 * Also, enable the clock before we check what HW version the driver
	 * supports.
	 *
	 * Each lookup below runs only while core_clk is still NULL; an error
	 * pointer from any of them ends the chain and is caught by IS_ERR().
	 */
	engine->core_clk = devm_clk_get_optional_enabled(dev, "ice_core_clk");
	if (!engine->core_clk)
		engine->core_clk = devm_clk_get_optional_enabled(dev, "ice");
	if (!engine->core_clk)
		engine->core_clk = devm_clk_get_optional_enabled(dev, "core");
	if (!engine->core_clk)
		engine->core_clk = devm_clk_get_enabled(dev, NULL);
	if (IS_ERR(engine->core_clk))
		return ERR_CAST(engine->core_clk);

	engine->iface_clk = devm_clk_get_optional_enabled(dev, "iface");
	if (IS_ERR(engine->iface_clk))
		return ERR_CAST(engine->iface_clk);

	/* Reads the version and fuse registers, so the clocks must be on. */
	if (!qcom_ice_check_supported(engine))
		return ERR_PTR(-EOPNOTSUPP);

	dev_dbg(dev, "Registered Qualcomm Inline Crypto Engine\n");

	return engine;
}

/**
 * of_qcom_ice_get() - get an ICE instance from a DT node
 * @dev: device pointer for the consumer device
 *
 * This function will provide an ICE instance either by creating one for the
 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
 * clock (for legacy DT style). On the other hand, if consumer provides a
 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
 * be created and so this function will return that instead.
 *
 * On the phandle path a reference to the ICE platform device is kept on
 * success; qcom_ice_put() drops it.
 *
 * Return: ICE pointer on success, ERR_PTR() on error: -ENODEV without a
 * device or DT node, -EOPNOTSUPP if the consumer provides neither an 'ice'
 * reg range nor a 'qcom,ice' phandle, -EPROBE_DEFER if the referenced ICE
 * device has not stored a handle yet, or the error stored by
 * qcom_ice_probe().
 */
static struct qcom_ice *of_qcom_ice_get(struct device *dev)
{
	struct platform_device *pdev = to_platform_device(dev);
	struct qcom_ice *ice;
	struct resource *res;
	void __iomem *base;
	struct device_link *link;

	if (!dev || !dev->of_node)
		return ERR_PTR(-ENODEV);

	/*
	 * In order to support legacy style devicetree bindings, we need
	 * to create the ICE instance using the consumer device and the reg
	 * range called 'ice' it provides.
	 */
	res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice");
	if (res) {
		base = devm_ioremap_resource(&pdev->dev, res);
		if (IS_ERR(base))
			return ERR_CAST(base);

		/* create ICE instance using consumer dev */
		return qcom_ice_create(&pdev->dev, base);
	}

	/* Held until return; qcom_ice_probe() and qcom_ice_remove() take it too. */
	guard(mutex)(&ice_mutex);

	/*
	 * If the consumer node does not provide an 'ice' reg range
	 * (legacy DT binding), then it must at least provide a phandle
	 * to the ICE devicetree node, otherwise ICE is not supported.
	 */
	struct device_node *node __free(device_node) = of_parse_phandle(dev->of_node,
									"qcom,ice", 0);
	if (!node)
		return ERR_PTR(-EOPNOTSUPP);

	pdev = of_find_device_by_node(node);
	if (!pdev) {
		dev_err(dev, "Cannot find device node %s\n", node->name);
		return ERR_PTR(-ENODEV);
	}

	/*
	 * NULL means the ICE device has not stored anything yet; an error
	 * pointer is the failure recorded by its probe.
	 */
	ice = xa_load(&ice_handles, pdev->dev.of_node->phandle);
	if (IS_ERR_OR_NULL(ice)) {
		platform_device_put(pdev);
		if (!ice)
			return ERR_PTR(-EPROBE_DEFER);
		else
			return ice;
	}

	link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
	if (!link) {
		dev_err(&pdev->dev,
			"Failed to create device link to consumer %s\n",
			dev_name(dev));
		platform_device_put(pdev);
		ice = ERR_PTR(-EINVAL);
	}

	return ice;
}

/*
 * Drop the platform device reference taken by of_qcom_ice_get().
 *
 * A device that itself carries an 'ice' reg range is the legacy-binding
 * consumer, for which of_qcom_ice_get() took no reference, so nothing is
 * dropped in that case.
 */
static void qcom_ice_put(const struct qcom_ice *ice)
{
	struct platform_device *pdev = to_platform_device(ice->dev);

	if (!platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice"))
		platform_device_put(pdev);
}

/* devres release callback: @res points to the stored struct qcom_ice pointer. */
static void devm_of_qcom_ice_put(struct device *dev, void *res)
{
	qcom_ice_put(*(struct qcom_ice **)res);
}

/**
 * devm_of_qcom_ice_get() - Devres managed helper to get an ICE instance from
 * a DT node.
 * @dev: device pointer for the consumer device.
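 *
 * This function will provide an ICE instance either by creating one for the
 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
 * clock (for legacy DT style). On the other hand, if consumer provides a
 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
 * be created and so this function will return that instead.
 *
 * Return: ICE pointer on success, ERR_PTR() on error.
 */
struct qcom_ice *devm_of_qcom_ice_get(struct device *dev)
{
	struct qcom_ice *ice, **dr;

	/* Allocate the devres slot first so that no cleanup is needed on -ENOMEM. */
	dr = devres_alloc(devm_of_qcom_ice_put, sizeof(*dr), GFP_KERNEL);
	if (!dr)
		return ERR_PTR(-ENOMEM);

	ice = of_qcom_ice_get(dev);
	if (!IS_ERR(ice)) {
		*dr = ice;
		devres_add(dev, dr);
	} else {
		devres_free(dr);
	}

	return ice;
}
EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);

/*
 * Probe a dedicated ICE DT node: map its registers, create the engine and
 * publish the result in ice_handles under the node's phandle.
 *
 * On failure the error pointer is published instead, so that
 * of_qcom_ice_get() can hand the same error to consumers.
 *
 * Return: 0 on success, -errno on failure.
 */
static int qcom_ice_probe(struct platform_device *pdev)
{
	unsigned long phandle = pdev->dev.of_node->phandle;
	struct qcom_ice *engine;
	void __iomem *base;
	int err;

	guard(mutex)(&ice_mutex);

	/*
	 * NOTE(review): the two error paths below store ERR_PTR() values as
	 * xarray entries and ignore the xa_store() result. Confirm that every
	 * errno that can arrive here is a value the xarray accepts as an
	 * ordinary entry.
	 */
	base = devm_platform_ioremap_resource(pdev, 0);
	if (IS_ERR(base)) {
		dev_warn(&pdev->dev, "ICE registers not found\n");
		/* Store the error pointer for devm_of_qcom_ice_get() */
		xa_store(&ice_handles, phandle, (__force void *)base, GFP_KERNEL);
		return PTR_ERR(base);
	}

	engine = qcom_ice_create(&pdev->dev, base);
	if (IS_ERR(engine)) {
		/* Store the error pointer for devm_of_qcom_ice_get() */
		xa_store(&ice_handles, phandle, engine, GFP_KERNEL);
		return PTR_ERR(engine);
	}

	/*
	 * If the handle cannot be stored, fail the probe. Reporting success
	 * without a published handle would make of_qcom_ice_get() answer
	 * -EPROBE_DEFER for this engine on every call.
	 */
	err = xa_err(xa_store(&ice_handles, phandle, engine, GFP_KERNEL));
	if (err) {
		dev_err(&pdev->dev, "Failed to publish ICE handle: %d\n", err);
		return err;
	}

	return 0;
}

/* Unpublish the engine: storing NULL removes the entry for this phandle. */
static void qcom_ice_remove(struct platform_device *pdev)
{
	unsigned long phandle = pdev->dev.of_node->phandle;

	guard(mutex)(&ice_mutex);
	xa_store(&ice_handles, phandle, NULL, GFP_KERNEL);
}

static const struct of_device_id qcom_ice_of_match_table[] = {
	{ .compatible = "qcom,inline-crypto-engine" },
	{ },
};
MODULE_DEVICE_TABLE(of, qcom_ice_of_match_table);

static struct platform_driver qcom_ice_driver = {
	.probe	= qcom_ice_probe,
	.remove = qcom_ice_remove,
	.driver = {
		.name = "qcom-ice",
		.of_match_table = qcom_ice_of_match_table,
	},
};

module_platform_driver(qcom_ice_driver);

MODULE_DESCRIPTION("Qualcomm Inline Crypto Engine driver");
MODULE_LICENSE("GPL");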