diff --git a/Makefile b/Makefile index e455635..8d910a4 100644 --- a/Makefile +++ b/Makefile @@ -39,12 +39,20 @@ CHECKCODE_ARGS := --no-patch # Do not check the coding style on imported library files or documentation files +INC_ARM_DIRS_TO_CHECK := $(sort $(filter-out \ + include/drivers/arm/cryptocell, \ + $(wildcard include/drivers/arm/*))) +INC_ARM_DIRS_TO_CHECK += include/drivers/arm/cryptocell/*.h +INC_DRV_DIRS_TO_CHECK := $(sort $(filter-out \ + include/drivers/arm, \ + $(wildcard include/drivers/*))) INC_LIB_DIRS_TO_CHECK := $(sort $(filter-out \ include/lib/libfdt \ include/lib/libc, \ $(wildcard include/lib/*))) INC_DIRS_TO_CHECK := $(sort $(filter-out \ - include/lib, \ + include/lib \ + include/drivers, \ $(wildcard include/*))) LIB_DIRS_TO_CHECK := $(sort $(filter-out \ lib/compiler-rt \ @@ -60,7 +68,9 @@ CHECK_PATHS := ${ROOT_DIRS_TO_CHECK} \ ${INC_DIRS_TO_CHECK} \ ${INC_LIB_DIRS_TO_CHECK} \ - ${LIB_DIRS_TO_CHECK} + ${LIB_DIRS_TO_CHECK} \ + ${INC_DRV_DIRS_TO_CHECK} \ + ${INC_ARM_DIRS_TO_CHECK} ################################################################################ diff --git a/drivers/auth/cryptocell/713/cryptocell_crypto.c b/drivers/auth/cryptocell/713/cryptocell_crypto.c new file mode 100644 index 0000000..5f390a2 --- /dev/null +++ b/drivers/auth/cryptocell/713/cryptocell_crypto.c @@ -0,0 +1,273 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include +#include + +#include +#include +#include + +#include + +#define LIB_NAME "CryptoCell 713 SBROM" +#define RSA_SALT_LEN 32 +#define RSA_EXPONENT 65537 + +/* + * AlgorithmIdentifier ::= SEQUENCE { + * algorithm OBJECT IDENTIFIER, + * parameters ANY DEFINED BY algorithm OPTIONAL + * } + * + * SubjectPublicKeyInfo ::= SEQUENCE { + * algorithm AlgorithmIdentifier, + * subjectPublicKey BIT STRING + * } + * + * DigestInfo ::= SEQUENCE { + * digestAlgorithm AlgorithmIdentifier, + * digest OCTET STRING + * } + * + * RSASSA-PSS-params ::= SEQUENCE { + * hashAlgorithm [0] HashAlgorithm, + * maskGenAlgorithm [1] MaskGenAlgorithm, + * saltLength [2] INTEGER, + * trailerField [3] TrailerField DEFAULT trailerFieldBC + * } + */ + +/* + * Initialize the library and export the descriptor + */ +static void init(void) +{ + CCError_t ret; + uint32_t lcs; + + /* Initialize CC SBROM */ + ret = CC_BsvInit((uintptr_t)PLAT_CRYPTOCELL_BASE); + if (ret != CC_OK) { + ERROR("CryptoCell CC_BsvInit() error %x\n", ret); + panic(); + } + + /* Initialize lifecycle state */ + ret = CC_BsvGetAndInitLcs((uintptr_t)PLAT_CRYPTOCELL_BASE, &lcs); + if (ret != CC_OK) { + ERROR("CryptoCell CC_BsvGetAndInitLcs() error %x\n", ret); + panic(); + } +} + +/* + * Verify a signature. + * + * Parameters are passed using the DER encoding format following the ASN.1 + * structures detailed above. + */ +static int verify_signature(void *data_ptr, unsigned int data_len, + void *sig_ptr, unsigned int sig_len, + void *sig_alg, unsigned int sig_alg_len, + void *pk_ptr, unsigned int pk_len) +{ + CCError_t error; + CCBsvNBuff_t NBuff; + CCBsvSignature_t signature; + int rc, exp; + mbedtls_asn1_buf sig_oid, alg_oid, params; + mbedtls_md_type_t md_alg; + mbedtls_pk_type_t pk_alg; + mbedtls_pk_rsassa_pss_options pss_opts; + size_t len; + uint8_t *p, *end; + CCHashResult_t digest; + CCBool_t is_verified; + /* This is a rather large array, we don't want it on stack */ + static uint32_t workspace[BSV_RSA_WORKSPACE_MIN_SIZE]; + + /* Verify the signature algorithm */ + /* Get pointers to signature OID and parameters */ + p = sig_alg; + end = p + sig_alg_len; + rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, ¶ms); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + /* Get the actual signature algorithm (MD + PK) */ + rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + /* The CryptoCell only supports RSASSA-PSS signature */ + if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE) + return CRYPTO_ERR_SIGNATURE; + + /* Verify the RSASSA-PSS params */ + /* The trailer field is verified to be 0xBC internally by this API */ + rc = mbedtls_x509_get_rsassa_pss_params(¶ms, &md_alg, + &pss_opts.mgf1_hash_id, + &pss_opts.expected_salt_len); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + /* The CryptoCell only supports SHA256 as hash algorithm */ + if (md_alg != MBEDTLS_MD_SHA256 || + pss_opts.mgf1_hash_id != MBEDTLS_MD_SHA256) + return CRYPTO_ERR_SIGNATURE; + + if (pss_opts.expected_salt_len != RSA_SALT_LEN) + return CRYPTO_ERR_SIGNATURE; + + /* Parse the public key */ + p = pk_ptr; + end = p + pk_len; + rc = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + end = p + len; + rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) + return CRYPTO_ERR_SIGNATURE; + + if (pk_alg != MBEDTLS_PK_RSA) + return CRYPTO_ERR_SIGNATURE; + + rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + rc = mbedtls_asn1_get_tag(&p, end, &len, + MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (*p == 0) { + p++; len--; + } + if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end)) + return CRYPTO_ERR_SIGNATURE; + + /* + * Copy N from certificate. + */ + memcpy(NBuff, p, BSV_CERT_RSA_KEY_SIZE_IN_BYTES); + + /* Verify the RSA exponent */ + p += len; + rc = mbedtls_asn1_get_int(&p, end, &exp); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (exp != RSA_EXPONENT) + return CRYPTO_ERR_SIGNATURE; + + /* Get the signature (bitstring) */ + p = sig_ptr; + end = p + sig_len; + rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); + if (rc != 0) + return CRYPTO_ERR_SIGNATURE; + + if (len != BSV_CERT_RSA_KEY_SIZE_IN_BYTES || ((p + len) > end)) + return CRYPTO_ERR_SIGNATURE; + + /* + * Copy the signature (in BE format) + */ + memcpy((uint8_t *)signature, p, BSV_CERT_RSA_KEY_SIZE_IN_BYTES); + + error = CC_BsvSha256((uintptr_t)PLAT_CRYPTOCELL_BASE, + data_ptr, data_len, digest); + if (error != CC_OK) + return CRYPTO_ERR_SIGNATURE; + + /* Verify the signature */ + error = CC_BsvRsaPssVerify((uintptr_t)PLAT_CRYPTOCELL_BASE, NBuff, + NULL, signature, digest, workspace, + BSV_RSA_WORKSPACE_MIN_SIZE, &is_verified); + if ((error != CC_OK) || (is_verified != CC_TRUE)) + return CRYPTO_ERR_SIGNATURE; + + /* Signature verification success */ + return CRYPTO_SUCCESS; +} + +/* + * Match a hash + * + * Digest info is passed in DER format following the ASN.1 structure detailed + * above. + */ +static int verify_hash(void *data_ptr, unsigned int data_len, + void *digest_info_ptr, unsigned int digest_info_len) +{ + mbedtls_asn1_buf hash_oid, params; + mbedtls_md_type_t md_alg; + uint8_t *p, *end, *hash; + CCHashResult_t pubKeyHash; + size_t len; + int rc; + CCError_t error; + + /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ + p = digest_info_ptr; + end = p + digest_info_len; + rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | + MBEDTLS_ASN1_SEQUENCE); + if (rc != 0) + return CRYPTO_ERR_HASH; + + /* Get the hash algorithm */ + rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); + if (rc != 0) + return CRYPTO_ERR_HASH; + + rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg); + if (rc != 0) + return CRYPTO_ERR_HASH; + /* Verify that hash algorithm is SHA256 */ + if (md_alg != MBEDTLS_MD_SHA256) + return CRYPTO_ERR_HASH; + + /* Hash should be octet string type */ + rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); + if (rc != 0) + return CRYPTO_ERR_HASH; + + /* Length of hash must match the algorithm's size */ + if (len != HASH_RESULT_SIZE_IN_BYTES) + return CRYPTO_ERR_HASH; + + hash = p; + error = CC_BsvSha256((uintptr_t)PLAT_CRYPTOCELL_BASE, data_ptr, + data_len, pubKeyHash); + if (error != CC_OK) + return CRYPTO_ERR_HASH; + + rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES); + if (rc != 0) + return CRYPTO_ERR_HASH; + + return CRYPTO_SUCCESS; +} + +/* + * Register crypto library descriptor + */ +REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash, NULL); diff --git a/drivers/auth/cryptocell/713/cryptocell_plat_helpers.c b/drivers/auth/cryptocell/713/cryptocell_plat_helpers.c new file mode 100644 index 0000000..17e1280 --- /dev/null +++ b/drivers/auth/cryptocell/713/cryptocell_plat_helpers.c @@ -0,0 +1,109 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#include +#include +#include + +#include +#include + +#include +#include +#include + +/* + * Return the ROTPK hash + * + * Return: 0 = success, Otherwise = error + */ +int cc_get_rotpk_hash(unsigned char *dst, unsigned int len, unsigned int *flags) +{ + CCError_t error; + uint32_t lcs; + int i; + uint32_t *key = (uint32_t *)dst; + + assert(dst != NULL); + assert(len >= HASH_RESULT_SIZE_IN_WORDS); + assert(flags != NULL); + + error = CC_BsvLcsGet(PLAT_CRYPTOCELL_BASE, &lcs); + if (error != CC_OK) + return 1; + + if ((lcs == CC_BSV_CHIP_MANUFACTURE_LCS) || (lcs == CC_BSV_RMA_LCS)) { + *flags = ROTPK_NOT_DEPLOYED; + return 0; + } + + error = CC_BsvPubKeyHashGet(PLAT_CRYPTOCELL_BASE, + CC_SB_HASH_BOOT_KEY_256B, + key, HASH_RESULT_SIZE_IN_WORDS); + + if (error == CC_BSV_HASH_NOT_PROGRAMMED_ERR) { + *flags = ROTPK_NOT_DEPLOYED; + return 0; + } + + if (error == CC_OK) { + + /* Keys are stored in OTP in little-endian format */ + for (i = 0; i < HASH_RESULT_SIZE_IN_WORDS; i++) + key[i] = le32toh(key[i]); + + *flags = ROTPK_IS_HASH; + return 0; + } + + return 1; +} + +/* + * Return the non-volatile counter value stored in the platform. The cookie + * specifies the OID of the counter in the certificate. + * + * Return: 0 = success, Otherwise = error + */ +int plat_get_nv_ctr(void *cookie, unsigned int *nv_ctr) +{ + CCError_t error = CC_FAIL; + + if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = CC_BsvSwVersionGet(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_TRUSTED, nv_ctr); + } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = CC_BsvSwVersionGet(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_NON_TRUSTED, nv_ctr); + } + + return (error != CC_OK); +} + +/* + * Store a new non-volatile counter value in the counter specified by the OID + * in the cookie. This function is not expected to be called if the Lifecycle + * state is RMA as the values in the certificate are expected to always match + * the nvcounter values. But if called when the LCS is RMA, the underlying + * helper functions will return success but without updating the counter. + * + * Return: 0 = success, Otherwise = error + */ +int plat_set_nv_ctr(void *cookie, unsigned int nv_ctr) +{ + CCError_t error = CC_FAIL; + + if (strcmp(cookie, TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = CC_BsvSwVersionSet(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_TRUSTED, nv_ctr); + } else if (strcmp(cookie, NON_TRUSTED_FW_NVCOUNTER_OID) == 0) { + error = CC_BsvSwVersionSet(PLAT_CRYPTOCELL_BASE, + CC_SW_VERSION_NON_TRUSTED, nv_ctr); + } + + return (error != CC_OK); +} + diff --git a/drivers/auth/cryptocell/cryptocell_crypto.mk b/drivers/auth/cryptocell/cryptocell_crypto.mk index 2fc4ddb..db39047 100644 --- a/drivers/auth/cryptocell/cryptocell_crypto.mk +++ b/drivers/auth/cryptocell/cryptocell_crypto.mk @@ -1,5 +1,5 @@ # -# Copyright (c) 2017-2019, ARM Limited and Contributors. All rights reserved. +# Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved. # # SPDX-License-Identifier: BSD-3-Clause # @@ -22,6 +22,8 @@ CRYPTOCELL_VERSION ?= 712 ifeq (${CRYPTOCELL_VERSION},712) CCSBROM_LIB_FILENAME := cc_712sbromx509 +else ifeq (${CRYPTOCELL_VERSION},713) + CCSBROM_LIB_FILENAME := cc_713bsv else $(error Error: CRYPTOCELL_VERSION set to invalid version) endif diff --git a/include/drivers/arm/cryptocell/713/bsv_api.h b/include/drivers/arm/cryptocell/713/bsv_api.h new file mode 100644 index 0000000..dc49473 --- /dev/null +++ b/include/drivers/arm/cryptocell/713/bsv_api.h @@ -0,0 +1,221 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _BSV_API_H +#define _BSV_API_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! +@file +@brief This file contains the Boot Services APIs and definitions. + +@defgroup cc_bsv_api CryptoCell Boot Services APIs and definitions +@{ +@ingroup cc_bsv +*/ + +#include "cc_pal_types.h" +#include "cc_sec_defs.h" +#include "cc_boot_defs.h" + +/* Life cycle state definitions. */ +#define CC_BSV_CHIP_MANUFACTURE_LCS 0x0 /*!< The CM life-cycle state (LCS) value. */ +#define CC_BSV_DEVICE_MANUFACTURE_LCS 0x1 /*!< The DM life-cycle state (LCS) value. */ +#define CC_BSV_SECURE_LCS 0x5 /*!< The Secure life-cycle state (LCS) value. */ +#define CC_BSV_RMA_LCS 0x7 /*!< The RMA life-cycle state (LCS) value. */ +#define CC_BSV_INVALID_LCS 0xff /*!< The invalid life-cycle state (LCS) value. */ + +/*---------------------------- + TYPES +-----------------------------------*/ + +/*---------------------------- + PUBLIC FUNCTIONS +-----------------------------------*/ + + +/*! +@brief This function verifies the product and version numbers of the HW, and initializes it. + +\warning This function must be the first CryptoCell-7xx SBROM library API called. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvInit( + unsigned long hwBaseAddress /*!< [in] The base address of the CryptoCell HW registers. */ + ); + +/*! +@brief This function retrieves the HW LCS and performs validity checks. + +If the LCS is RMA, it also sets the OTP secret keys to a fixed value. + +@note An error is returned if there is an invalid LCS. If this happens, your code must +completely disable the device. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvGetAndInitLcs( + unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + uint32_t *pLcs /*!< [out] The value of the current LCS. */ + ); + +/*! +@brief This function retrieves the LCS from the NVM manager. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvLcsGet( + unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + uint32_t *pLcs /*!< [out] The value of the current LCS. */ + ); + +/*! +@brief This function reads software revocation counter from OTP memory, according to the provided sw version index. +SW version is stored in NVM counter and represented by ones. Meaning seVersion=5 would be stored as binary 0b11111; +hence: + the maximal of trusted is 32 + the maximal of non-trusted is 224 + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvSwVersionGet( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + CCSbSwVersionId_t id, /*!< [in] Enumeration defining the trusted/non-trusted counter to read. */ + uint32_t *swVersion /*!< [out] The value of the requested counter as read from OTP memory. */ + ); + +/*! +@brief This function sets the NVM counter according to swVersionID (trusted/non-trusted). + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvSwVersionSet( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + CCSbSwVersionId_t id, /*!< [in] Enumeration defining the trusted/non-trusted counter to read. */ + uint32_t swVersion /*!< [in] New value of the counter to be programmed in OTP memory. */ + ); + +/*! +@brief This function sets the "fatal error" flag in the NVM manager, to disable the use of +any HW keys or security services. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvFatalErrorSet( + unsigned long hwBaseAddress /*!< [in] The base address of the CryptoCell HW registers. */ + ); + +/*! +@brief This function retrieves the public key hash from OTP memory, according to the provided index. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvPubKeyHashGet( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + CCSbPubKeyIndexType_t keyIndex, /*!< [in] Enumeration defining the key hash to retrieve: 128-bit HBK0, 128-bit HBK1, or 256-bit HBK. */ + uint32_t *hashedPubKey, /*!< [out] A buffer to contain the public key HASH. */ + uint32_t hashResultSizeWords /*!< [in] The size of the hash in 32-bit words: + - Must be 4 for 128-bit hash. + - Must be 8 for 256bit hash. */ + ); + +/*! +@brief This function permanently sets the RMA LCS for the ICV and the OEM. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvRMAModeEnable( + unsigned long hwBaseAddress /*!< [in] The base address of the CryptoCell HW registers. */ + ); + +/*! +@brief This function is called by the ICV code, to disable the OEM code from changing the ICV RMA bit flag. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvICVRMAFlagBitLock( + unsigned long hwBaseAddress /*!< [in] The base address of the CryptoCell HW registers. */ + ); + +/*! +@brief This function locks the defined ICV class keys from further usage. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvICVKeyLock( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + CCBool_t isICVProvisioningKeyLock, /*!< [in] Should the provisioning key be locked. */ + CCBool_t isICVCodeEncKeyLock /*!< [in] Should the encryption key be locked. */ + ); + + +/*! +@brief This function retrieves the value of "secure disable" bit. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvSecureDisableGet( + unsigned long hwBaseAddress, /*!< [in] HW registers base address. */ + CCBool_t *isSDEnabled /*!< [out] The value of the SD Enable bit. */ + ); + + +/*! +@brief This function derives the platform key (Kplt) from the Kpicv, and then decrypts the customer key (Kcst) +from the EKcst (burned in the OTP). The decryption is done only in Secure and RMA LCS mode using AES-ECB. +The customer ROM should invoke this function during early boot, prior to running any non-ROM code, only if Kcst exists. +The resulting Kcst is saved in a HW register. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvCustomerKeyDecrypt( + unsigned long hwBaseAddress /*!< [in] The base address of the CryptoCell HW registers. */ + ); +#ifdef __cplusplus +} +#endif + +/*! +@brief This function derives the unique SoC_ID for the device, as hashed (Hbk || AES_CMAC (HUK)). + +@note SoC_ID is required to create debug certificates. + +The OEM or ICV must provide a method for a developer to discover the SoC_ID of a target +device without having to first enable debugging. +One suggested implementation is to have the device ROM code compute the SoC_ID and place +it in a specific location in the flash memory, from where it can be accessed by the developer. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvSocIDCompute( + unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + CCHashResult_t hashResult /*!< [out] The derived SoC_ID. */ + ); + +#endif /* _BSV_API_H */ + +/** +@} + */ + diff --git a/include/drivers/arm/cryptocell/713/bsv_crypto_api.h b/include/drivers/arm/cryptocell/713/bsv_crypto_api.h new file mode 100644 index 0000000..1e60579 --- /dev/null +++ b/include/drivers/arm/cryptocell/713/bsv_crypto_api.h @@ -0,0 +1,76 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _BSV_CRYPTO_API_H +#define _BSV_CRYPTO_API_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! +@file +@brief This file contains the cryptographic ROM APIs of the Boot Services. + +@defgroup cc_bsv_crypto_api CryptoCell Boot Services cryptographic ROM APIs +@{ +@ingroup cc_bsv +*/ + +#include "cc_pal_types.h" +#include "cc_sec_defs.h" +#include "cc_address_defs.h" +#include "bsv_crypto_defs.h" + +/*---------------------------- + PUBLIC FUNCTIONS +-----------------------------------*/ + +/*! +@brief This function calculates the SHA-256 digest over contiguous memory +in an integrated operation. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvSha256( + unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + uint8_t *pDataIn, /*!< [in] A pointer to the input buffer to be hashed. The buffer must be contiguous. */ + size_t dataSize, /*!< [in] The size of the data to be hashed, in bytes. */ + CCHashResult_t hashBuff /*!< [out] A pointer to a word-aligned 32-byte buffer. */ + ); + + +/*! +@brief This function allows you to calculate SHA256 digest of an image with decryption base on AES-CTR, +with HW or user key. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. (in this case, hashBuff will be returned clean, while the output data should be cleaned by the user). +*/ +CCError_t CC_BsvCryptoImageDecrypt( unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + CCBsvflowMode_t flow, /*!< [in] The supported operations are: HASH, AES to HASH, AES and HASH. */ + CCBsvKeyType_t keyType, /*!< [in] The key type to use: Kce, Kceicv, or user key. */ + uint8_t *pUserKey, /*!< [in] A pointer to the user key buffer in case keyType is CC_BSV_USER_KEY. */ + size_t userKeySize, /*!< [in] The user key size in bytes (128bits) in case keyType is CC_BSV_USER_KEY. */ + uint8_t *pIvBuf, /*!< [in] A pointer to the IV / counter buffer. */ + uint8_t *pInputData, /*!< [in] A pointer to the input data. */ + uint8_t *pOutputData, /*!< [out] A pointer to the output buffer. (optional – should be null in case of hash only). */ + size_t dataSize, /*!< [in] The size of the input data in bytes. MUST be multiple of AES block size. */ + CCHashResult_t hashBuff /*!< [out] A pointer to a word-aligned 32-byte digest output buffer. */ + ); + +#ifdef __cplusplus +} +#endif + +#endif + +/** +@} + */ + diff --git a/include/drivers/arm/cryptocell/713/bsv_crypto_asym_api.h b/include/drivers/arm/cryptocell/713/bsv_crypto_asym_api.h new file mode 100644 index 0000000..406e1ef --- /dev/null +++ b/include/drivers/arm/cryptocell/713/bsv_crypto_asym_api.h @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _BSV_CRYPTO_ASYM_API_H +#define _BSV_CRYPTO_ASYM_API_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! +@file +@brief This file contains the cryptographic Asymmetric ROM APIs of the Boot Services. + +@defgroup cc_bsv_crypto_asym_api CryptoCell Boot Services cryptographic Asymmetric ROM APIs +@{ +@ingroup cc_bsv +*/ + +#include "cc_pal_types.h" +#include "cc_pka_hw_plat_defs.h" +#include "cc_sec_defs.h" +#include "bsv_crypto_api.h" + +/*! Defines the workspace size in bytes needed for internal Asymmetric operations. */ +#define BSV_RSA_WORKSPACE_MIN_SIZE (4*BSV_CERT_RSA_KEY_SIZE_IN_BYTES +\ + 2*RSA_PKA_BARRETT_MOD_TAG_BUFF_SIZE_IN_BYTES) + +/*! Definition for the RSA public modulus array. */ +typedef uint32_t CCBsvNBuff_t[BSV_CERT_RSA_KEY_SIZE_IN_WORDS]; + +/*! Definition for the RSA Barrett mod tag array. */ +typedef uint32_t CCBsvNpBuff_t[RSA_PKA_BARRETT_MOD_TAG_BUFF_SIZE_IN_BYTES]; + +/*! Definition for the RSA signature array. */ +typedef uint32_t CCBsvSignature_t[BSV_CERT_RSA_KEY_SIZE_IN_WORDS]; + + +/*---------------------------- + PUBLIC FUNCTIONS +-----------------------------------*/ + +/*! +@brief This function performs the primitive operation of RSA, meaning exponent and modulus. + outBuff = (pInBuff ^ Exp) mod NBuff. ( Exp = 0x10001 ) + + The function supports 2k and 3K bit size of modulus, based on compile time define. + There are no restriction on pInBuff location, however its size must be equal to BSV_RSA_KEY_SIZE_IN_BYTES and its + value must be smaller than the modulus. + + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvRsaPrimVerify (unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + CCBsvNBuff_t NBuff, /*!< [in] The modulus buffer big endian format. */ + CCBsvNpBuff_t NpBuff, /*!< [in] The barret tag buffer big endian format - optional. */ + uint32_t *pInBuff, /*!< [in] The DataIn buffer to be encrypted. */ + size_t inBuffSize, /*!< [in] The DataIn buffer size in bytes, must be BSV_RSA_KEY_SIZE_IN_BYTES. */ + CCBsvSignature_t pOutBuff, /*!< [out] The encrypted buffer in big endian format. */ + uint32_t *pWorkSpace, /*!< [in] The pointer to user allocated buffer for internal use. */ + size_t workBufferSize /*!< [in] The size in bytes of pWorkSpace, must be at-least BSV_RSA_WORKSPACE_MIN_SIZE. */ +); + + +/*! +@brief This function performs RSA PSS verify. + + The function should support 2k and 3K bit size of modulus, based on compile time define. + +@return \c CC_OK on success. +@return A non-zero value from bsv_error.h on failure. +*/ +CCError_t CC_BsvRsaPssVerify (unsigned long hwBaseAddress, /*!< [in] The base address of the CryptoCell HW registers. */ + CCBsvNBuff_t NBuff, /*!< [in] The modulus buffer big endian format. */ + CCBsvNpBuff_t NpBuff, /*!< [in] The barret tag buffer big endian format - optional. */ + CCBsvSignature_t signature, /*!< [in] The signature buffer to verify - big endian format. */ + CCHashResult_t hashedData, /*!< [in] The data-in buffer to be verified as sha256 digest. */ + uint32_t *pWorkSpace, /*!< [in] The pointer to user allocated buffer for internal use. */ + size_t workBufferSize, /*!< [in] The size in bytes of pWorkSpace, must be at-least BSV_RSA_WORKSPACE_MIN_SIZE. */ + CCBool_t *pIsVerified /*!< [out] The flag indicates whether the signature is verified or not. + If verified value will be CC_TRUE, otherwise CC_FALSE */ +); + + + +#ifdef __cplusplus +} +#endif + +#endif + +/** +@} + */ + diff --git a/include/drivers/arm/cryptocell/713/bsv_crypto_defs.h b/include/drivers/arm/cryptocell/713/bsv_crypto_defs.h new file mode 100644 index 0000000..9ea354d --- /dev/null +++ b/include/drivers/arm/cryptocell/713/bsv_crypto_defs.h @@ -0,0 +1,94 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _BSV_CRYPTO_DEFS_H +#define _BSV_CRYPTO_DEFS_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! +@file +@brief This file contains the definitions of the cryptographic ROM APIs. + +@defgroup cc_bsv_crypto_defs CryptoCell Boot Services cryptographic ROM API definitions +@{ +@ingroup cc_bsv +*/ + +/*! AES supported HW key code table. */ +typedef enum { + + CC_BSV_USER_KEY = 0, /*!< Definition for a user key. */ + CC_BSV_HUK_KEY = 1, /*!< Definition for the HW unique key. */ + CC_BSV_RTL_KEY = 2, /*!< Definition for the RTL key. */ + CC_BSV_SESSION_KEY = 3, /*!< Definition for the Session key. */ + CC_BSV_CE_KEY = 4, /*!< Definition for the Kce. */ + CC_BSV_PLT_KEY = 5, /*!< Definition for the Platform key. */ + CC_BSV_KCST_KEY = 6, /*!< Definition for Kcst. */ + CC_BSV_ICV_PROV_KEY = 0xd, /*!< Definition for the Kpicv. */ + CC_BSV_ICV_CE_KEY = 0xe, /*!< Definition for the Kceicv. */ + CC_BSV_PROV_KEY = 0xf, /*!< Definition for the Kcp. */ + CC_BSV_END_OF_KEY_TYPE = INT32_MAX, /*!< Reserved. */ +}CCBsvKeyType_t; + +/*! AES directions. */ +typedef enum bsvAesDirection { + BSV_AES_DIRECTION_ENCRYPT = 0, /*!< Encrypt.*/ + BSV_AES_DIRECTION_DECRYPT = 1, /*!< Decrypt.*/ + BSV_AES_NUM_OF_ENCRYPT_MODES, /*!< The maximal number of operations. */ + BSV_AES_DIRECTION_RESERVE32B = INT32_MAX /*!< Reserved.*/ +}bsvAesDirection_t; + +/*! Definitions of the cryptographic flow supported as part of the Secure Boot. */ +typedef enum { + CC_BSV_CRYPTO_HASH_MODE = 0, /*!< Hash mode only. */ + CC_BSV_CRYPTO_AES_CTR_AND_HASH_MODE = 1, /*!< Data goes into the AES and Hash engines. */ + CC_BSV_CRYPTO_AES_CTR_TO_HASH_MODE = 2 /*!< Data goes into the AES and from the AES to the Hash engine. */ +}CCBsvflowMode_t; + +/*! CryptoImage HW completion sequence mode */ +typedef enum +{ + BSV_CRYPTO_COMPLETION_NO_WAIT = 0, /*!< The driver waits only before reading the output. */ + BSV_CRYPTO_COMPLETION_WAIT_UPON_END = 1 /*!< The driver waits after each chunk of data. */ +}bsvCryptoCompletionMode_t; + + +/*! AES-CMAC result size, in words. */ +#define CC_BSV_CMAC_RESULT_SIZE_IN_WORDS 4 /* 128b */ +/*! AES-CMAC result size, in bytes. */ +#define CC_BSV_CMAC_RESULT_SIZE_IN_BYTES 16 /* 128b */ +/*! AES-CCM 128bit key size, in bytes. */ +#define CC_BSV_CCM_KEY_SIZE_BYTES 16 +/*! AES-CCM 128bit key size, in words. */ +#define CC_BSV_CCM_KEY_SIZE_WORDS 4 +/*! AES-CCM NONCE size, in bytes. */ +#define CC_BSV_CCM_NONCE_SIZE_BYTES 12 + + +/*! AES-CMAC result buffer. */ +typedef uint32_t CCBsvCmacResult_t[CC_BSV_CMAC_RESULT_SIZE_IN_WORDS]; +/*! AES-CCM key buffer.*/ +typedef uint32_t CCBsvCcmKey_t[CC_BSV_CCM_KEY_SIZE_WORDS]; +/*! AES-CCM nonce buffer.*/ +typedef uint8_t CCBsvCcmNonce_t[CC_BSV_CCM_NONCE_SIZE_BYTES]; +/*! AES-CCM MAC buffer.*/ +typedef uint8_t CCBsvCcmMacRes_t[CC_BSV_CMAC_RESULT_SIZE_IN_BYTES]; + + +#ifdef __cplusplus +} +#endif + +#endif + +/** +@} + */ + diff --git a/include/drivers/arm/cryptocell/713/bsv_error.h b/include/drivers/arm/cryptocell/713/bsv_error.h new file mode 100644 index 0000000..4d72e60 --- /dev/null +++ b/include/drivers/arm/cryptocell/713/bsv_error.h @@ -0,0 +1,161 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _BSV_ERROR_H +#define _BSV_ERROR_H + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! +@file +@brief This file defines the error code types that are returned from the Boot Services APIs. + +@defgroup cc_bsv_error CryptoCell Boot Services error codes +@{ +@ingroup cc_bsv +*/ + +/*! Defines the base address for Boot Services errors. */ +#define CC_BSV_BASE_ERROR 0x0B000000 +/*! Defines the base address for Boot Services cryptographic errors. */ +#define CC_BSV_CRYPTO_ERROR 0x0C000000 + +/*! Illegal input parameter. */ +#define CC_BSV_ILLEGAL_INPUT_PARAM_ERR (CC_BSV_BASE_ERROR + 0x00000001) +/*! Illegal HUK value. */ +#define CC_BSV_ILLEGAL_HUK_VALUE_ERR (CC_BSV_BASE_ERROR + 0x00000002) +/*! Illegal Kcp value. */ +#define CC_BSV_ILLEGAL_KCP_VALUE_ERR (CC_BSV_BASE_ERROR + 0x00000003) +/*! Illegal Kce value. */ +#define CC_BSV_ILLEGAL_KCE_VALUE_ERR (CC_BSV_BASE_ERROR + 0x00000004) +/*! Illegal Kpicv value. */ +#define CC_BSV_ILLEGAL_KPICV_VALUE_ERR (CC_BSV_BASE_ERROR + 0x00000005) +/*! Illegal Kceicv value. */ +#define CC_BSV_ILLEGAL_KCEICV_VALUE_ERR (CC_BSV_BASE_ERROR + 0x00000006) +/*! Illegal EKcst value. */ +#define CC_BSV_ILLEGAL_EKCST_VALUE_ERR (CC_BSV_BASE_ERROR + 0x00000007) +/*! Hash boot key not programmed in the OTP. */ +#define CC_BSV_HASH_NOT_PROGRAMMED_ERR (CC_BSV_BASE_ERROR + 0x00000008) +/*! Illegal Hash boot key zero count in the OTP. */ +#define CC_BSV_HBK_ZERO_COUNT_ERR (CC_BSV_BASE_ERROR + 0x00000009) +/*! Illegal LCS. */ +#define CC_BSV_ILLEGAL_LCS_ERR (CC_BSV_BASE_ERROR + 0x0000000A) +/*! OTP write compare failure. */ +#define CC_BSV_OTP_WRITE_CMP_FAIL_ERR (CC_BSV_BASE_ERROR + 0x0000000B) +/*! OTP access error */ +#define CC_BSV_OTP_ACCESS_ERR (CC_BSV_BASE_ERROR + 0x0000000C) +/*! Erase key in OTP failed. */ +#define CC_BSV_ERASE_KEY_FAILED_ERR (CC_BSV_BASE_ERROR + 0x0000000D) +/*! Illegal PIDR. */ +#define CC_BSV_ILLEGAL_PIDR_ERR (CC_BSV_BASE_ERROR + 0x0000000E) +/*! Illegal CIDR. */ +#define CC_BSV_ILLEGAL_CIDR_ERR (CC_BSV_BASE_ERROR + 0x0000000F) +/*! Device failed to move to fatal error state. */ +#define CC_BSV_FAILED_TO_SET_FATAL_ERR (CC_BSV_BASE_ERROR + 0x00000010) +/*! Failed to set RMA LCS. */ +#define CC_BSV_FAILED_TO_SET_RMA_ERR (CC_BSV_BASE_ERROR + 0x00000011) +/*! Illegal RMA indication. */ +#define CC_BSV_ILLEGAL_RMA_INDICATION_ERR (CC_BSV_BASE_ERROR + 0x00000012) +/*! Boot Services version is not initialized. */ +#define CC_BSV_VER_IS_NOT_INITIALIZED_ERR (CC_BSV_BASE_ERROR + 0x00000013) +/*! APB secure mode is locked. */ +#define CC_BSV_APB_SECURE_IS_LOCKED_ERR (CC_BSV_BASE_ERROR + 0x00000014) +/*! APB privilege mode is locked. */ +#define CC_BSV_APB_PRIVILEG_IS_LOCKED_ERR (CC_BSV_BASE_ERROR + 0x00000015) +/*! Illegal operation. */ +#define CC_BSV_ILLEGAL_OPERATION_ERR (CC_BSV_BASE_ERROR + 0x00000016) +/*! Illegal asset size. */ +#define CC_BSV_ILLEGAL_ASSET_SIZE_ERR (CC_BSV_BASE_ERROR + 0x00000017) +/*! Illegal asset value. */ +#define CC_BSV_ILLEGAL_ASSET_VAL_ERR (CC_BSV_BASE_ERROR + 0x00000018) +/*! Kpicv is locked. */ +#define CC_BSV_KPICV_IS_LOCKED_ERR (CC_BSV_BASE_ERROR + 0x00000019) +/*! Illegal SW version. */ +#define CC_BSV_ILLEGAL_SW_VERSION_ERR (CC_BSV_BASE_ERROR + 0x0000001A) +/*! AO write operation. */ +#define CC_BSV_AO_WRITE_FAILED_ERR (CC_BSV_BASE_ERROR + 0x0000001B) +/*! Chip state is already initialized. */ +#define CC_BSV_CHIP_INITIALIZED_ERR (CC_BSV_BASE_ERROR + 0x0000001C) +/*! SP is not enabled. */ +#define CC_BSV_SP_NOT_ENABLED_ERR (CC_BSV_BASE_ERROR + 0x0000001D) +/*! Production secure provisioning - header fields. */ +#define CC_BSV_PROD_PKG_HEADER_ERR (CC_BSV_BASE_ERROR + 0x0000001E) +/*! Production secure provisioning - header MAC. */ +#define CC_BSV_PROD_PKG_HEADER_MAC_ERR (CC_BSV_BASE_ERROR + 0x0000001F) +/*! Overrun buffer or size. */ +#define CC_BSV_OVERRUN_ERR (CC_BSV_BASE_ERROR + 0x00000020) +/*! Kceicv is locked. */ +#define CC_BSV_KCEICV_IS_LOCKED_ERR (CC_BSV_BASE_ERROR + 0x00000021) +/*! Chip indication is CHIP_STATE_ERROR. */ +#define CC_BSV_CHIP_INDICATION_ERR (CC_BSV_BASE_ERROR + 0x00000022) +/*! Device is locked in fatal error state. */ +#define CC_BSV_FATAL_ERR_IS_LOCKED_ERR (CC_BSV_BASE_ERROR + 0x00000023) +/*! Device has security disable feature enabled. */ +#define CC_BSV_SECURE_DISABLE_ERROR (CC_BSV_BASE_ERROR + 0x00000024) +/*! Device has Kcst in disabled state */ +#define CC_BSV_KCST_DISABLE_ERROR (CC_BSV_BASE_ERROR + 0x00000025) + + +/*! Illegal data-in pointer. */ +#define CC_BSV_CRYPTO_INVALID_DATA_IN_POINTER_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000001) +/*! Illegal data-out pointer. */ +#define CC_BSV_CRYPTO_INVALID_DATA_OUT_POINTER_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000002) +/*! Illegal data size. */ +#define CC_BSV_CRYPTO_INVALID_DATA_SIZE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000003) +/*! Illegal key type. */ +#define CC_BSV_CRYPTO_INVALID_KEY_TYPE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000004) +/*! Illegal key size. */ +#define CC_BSV_CRYPTO_INVALID_KEY_SIZE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000005) +/*! Invalid key pointer. */ +#define CC_BSV_CRYPTO_INVALID_KEY_POINTER_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000006) +/*! Illegal key DMA type. */ +#define CC_BSV_CRYPTO_INVALID_KEY_DMA_TYPE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000007) +/*! Illegal IV pointer. */ +#define CC_BSV_CRYPTO_INVALID_IV_POINTER_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000008) +/*! Illegal cipher mode. */ +#define CC_BSV_CRYPTO_INVALID_CIPHER_MODE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000009) +/*! Illegal result buffer pointer. */ +#define CC_BSV_CRYPTO_INVALID_RESULT_BUFFER_POINTER_ERROR (CC_BSV_CRYPTO_ERROR + 0x0000000A) +/*! Invalid DMA type. */ +#define CC_BSV_CRYPTO_INVALID_DMA_TYPE_ERROR (CC_BSV_CRYPTO_ERROR + 0x0000000B) +/*! Invalid in/out buffers overlapping. */ +#define CC_BSV_CRYPTO_DATA_OUT_DATA_IN_OVERLAP_ERROR (CC_BSV_CRYPTO_ERROR + 0x0000000C) +/*! Invalid KDF label size. */ +#define CC_BSV_CRYPTO_ILLEGAL_KDF_LABEL_ERROR (CC_BSV_CRYPTO_ERROR + 0x0000000D) +/*! Invalid KDF Context size. */ +#define CC_BSV_CRYPTO_ILLEGAL_KDF_CONTEXT_ERROR (CC_BSV_CRYPTO_ERROR + 0x0000000E) +/*! Invalid CCM key. */ +#define CC_BSV_CCM_INVALID_KEY_ERROR (CC_BSV_CRYPTO_ERROR + 0x0000000f) +/*! Invalid CCM Nonce. */ +#define CC_BSV_CCM_INVALID_NONCE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000010) +/*! Invalid CCM associated data. */ +#define CC_BSV_CCM_INVALID_ASSOC_DATA_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000011) +/*! Invalid CCM text data. */ +#define CC_BSV_CCM_INVALID_TEXT_DATA_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000012) +/*! Invalid CCM-MAC buffer. */ +#define CC_BSV_CCM_INVALID_MAC_BUF_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000013) +/*! CCM-MAC comparison failed. */ +#define CC_BSV_CCM_TAG_LENGTH_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000014) +/*! CCM-MAC comparison failed. */ +#define CC_BSV_CCM_MAC_INVALID_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000015) +/*! Illegal flow mode. */ +#define CC_BSV_CRYPTO_INVALID_FLOW_MODE_ERROR (CC_BSV_CRYPTO_ERROR + 0x00000016) + +#ifdef __cplusplus +} +#endif + +#endif + +/** +@} + */ + + + diff --git a/include/drivers/arm/cryptocell/713/cc_address_defs.h b/include/drivers/arm/cryptocell/713/cc_address_defs.h new file mode 100644 index 0000000..0abc15c --- /dev/null +++ b/include/drivers/arm/cryptocell/713/cc_address_defs.h @@ -0,0 +1,50 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CC_ADDRESS_DEFS_H +#define _CC_ADDRESS_DEFS_H + +/*! +@file +@brief This file contains general definitions. +*/ + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_pal_types.h" + +/************************ Defines ******************************/ + +/** + * Address types within CC + */ +/*! Definition of DMA address type, can be 32 bits or 64 bits according to CryptoCell's HW. */ +typedef uint64_t CCDmaAddr_t; +/*! Definition of CryptoCell address type, can be 32 bits or 64 bits according to platform. */ +typedef uint64_t CCAddr_t; +/*! Definition of CC SRAM address type, can be 32 bits according to CryptoCell's HW. */ +typedef uint32_t CCSramAddr_t; + +/* + * CCSramAddr_t is being cast into pointer type which can be 64 bit. + */ +/*! Definition of MACRO that casts SRAM addresses to pointer types. */ +#define CCSramAddr2Ptr(sramAddr) ((uintptr_t)sramAddr) + +#ifdef __cplusplus +} +#endif + +#endif + +/** + @} + */ + + diff --git a/include/drivers/arm/cryptocell/713/cc_boot_defs.h b/include/drivers/arm/cryptocell/713/cc_boot_defs.h new file mode 100644 index 0000000..4d29a6d --- /dev/null +++ b/include/drivers/arm/cryptocell/713/cc_boot_defs.h @@ -0,0 +1,52 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CC_BOOT_DEFS_H +#define _CC_BOOT_DEFS_H + +/*! + @file + @brief This file contains general definitions of types and enums of Boot APIs. + */ + +#ifdef __cplusplus +extern "C" +{ +#endif + +/*! Version counters value. */ +typedef enum { + + CC_SW_VERSION_TRUSTED = 0, /*!< Trusted counter. */ + CC_SW_VERSION_NON_TRUSTED, /*!< Non trusted counter. */ + CC_SW_VERSION_MAX = 0x7FFFFFFF /*!< Reserved */ +} CCSbSwVersionId_t; + +/*! The hash boot key definition. */ +typedef enum { + CC_SB_HASH_BOOT_KEY_0_128B = 0, /*!< Hbk0: 128-bit truncated SHA-256 digest of PubKB0. Used by ICV */ + CC_SB_HASH_BOOT_KEY_1_128B = 1, /*!< Hbk1: 128-bit truncated SHA-256 digest of PubKB1. Used by OEM */ + CC_SB_HASH_BOOT_KEY_256B = 2, /*!< Hbk: 256-bit SHA-256 digest of public key. */ + CC_SB_HASH_BOOT_NOT_USED = 0xF, /*!< Hbk is not used. */ + CC_SB_HASH_MAX_NUM = 0x7FFFFFFF, /*!< Reserved. */ +} CCSbPubKeyIndexType_t; + +/*! Chip state. */ +typedef enum { + CHIP_STATE_NOT_INITIALIZED = 0, /*! Chip is not initialized. */ + CHIP_STATE_TEST = 1, /*! Chip is in Production state. */ + CHIP_STATE_PRODUCTION = 2, /*! Chip is in Production state. */ + CHIP_STATE_ERROR = 3, /*! Chip is in Error state. */ +} CCBsvChipState_t; +#ifdef __cplusplus +} +#endif + +#endif /*_CC_BOOT_DEFS_H */ + +/** +@} + */ diff --git a/include/drivers/arm/cryptocell/713/cc_pal_types.h b/include/drivers/arm/cryptocell/713/cc_pal_types.h new file mode 100644 index 0000000..4ab3960 --- /dev/null +++ b/include/drivers/arm/cryptocell/713/cc_pal_types.h @@ -0,0 +1,100 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef CC_PAL_TYPES_H +#define CC_PAL_TYPES_H + +/*! +@file +@brief This file contains platform-dependent definitions and types of the PAL layer. + +@defgroup cc_pal_types CryptoCell platform-dependent PAL layer definitions and types +@{ +@ingroup cc_pal + + @{ + @ingroup cc_pal + @} +*/ + +#include "cc_pal_types_plat.h" + +/*! Definition of Boolean type.*/ +typedef enum { + /*! Boolean false.*/ + CC_FALSE = 0, + /*! Boolean true.*/ + CC_TRUE = 1 +} CCBool_t; + +/*! Success. */ +#define CC_SUCCESS 0UL +/*! Failure. */ +#define CC_FAIL 1UL + +/*! Success (OK). */ +#define CC_OK 0 + +/*! This macro handles unused parameters in the code, to avoid compilation warnings. */ +#define CC_UNUSED_PARAM(prm) ((void)prm) + +/*! The maximal uint32 value.*/ +#define CC_MAX_UINT32_VAL (0xFFFFFFFF) + + +/* Minimal and Maximal macros */ +#ifdef min +/*! Definition for minimal calculation. */ +#define CC_MIN(a,b) min( a , b ) +#else +/*! Definition for minimal calculation. */ +#define CC_MIN( a , b ) ( ( (a) < (b) ) ? (a) : (b) ) +#endif + +#ifdef max +/*! Definition for maximal calculation. */ +#define CC_MAX(a,b) max( a , b ) +#else +/*! Definition for maximal calculation.. */ +#define CC_MAX( a , b ) ( ( (a) > (b) ) ? (a) : (b) ) +#endif + +/*! This macro calculates the number of full Bytes from bits, where seven bits are one Byte. */ +#define CALC_FULL_BYTES(numBits) ((numBits)/CC_BITS_IN_BYTE + (((numBits) & (CC_BITS_IN_BYTE-1)) > 0)) +/*! This macro calculates the number of full 32-bit words from bits where 31 bits are one word. */ +#define CALC_FULL_32BIT_WORDS(numBits) ((numBits)/CC_BITS_IN_32BIT_WORD + (((numBits) & (CC_BITS_IN_32BIT_WORD-1)) > 0)) +/*! This macro calculates the number of full 32-bit words from Bytes where three Bytes are one word. */ +#define CALC_32BIT_WORDS_FROM_BYTES(sizeBytes) ((sizeBytes)/CC_32BIT_WORD_SIZE + (((sizeBytes) & (CC_32BIT_WORD_SIZE-1)) > 0)) +/*! This macro calculates the number of full 32-bit words from 64-bits dwords. */ +#define CALC_32BIT_WORDS_FROM_64BIT_DWORD(sizeWords) (sizeWords * CC_32BIT_WORD_IN_64BIT_DWORD) +/*! This macro rounds up bits to 32-bit words. */ +#define ROUNDUP_BITS_TO_32BIT_WORD(numBits) (CALC_FULL_32BIT_WORDS(numBits) * CC_BITS_IN_32BIT_WORD) +/*! This macro rounds up bits to Bytes. */ +#define ROUNDUP_BITS_TO_BYTES(numBits) (CALC_FULL_BYTES(numBits) * CC_BITS_IN_BYTE) +/*! This macro rounds up bytes to 32-bit words. */ +#define ROUNDUP_BYTES_TO_32BIT_WORD(sizeBytes) (CALC_32BIT_WORDS_FROM_BYTES(sizeBytes) * CC_32BIT_WORD_SIZE) +/*! This macro calculates the number Bytes from words. */ +#define CALC_WORDS_TO_BYTES(numwords) ((numwords)*CC_32BIT_WORD_SIZE) +/*! Definition of 1 KB in Bytes. */ +#define CC_1K_SIZE_IN_BYTES 1024 +/*! Definition of number of bits in a Byte. */ +#define CC_BITS_IN_BYTE 8 +/*! Definition of number of bits in a 32-bits word. */ +#define CC_BITS_IN_32BIT_WORD 32 +/*! Definition of number of Bytes in a 32-bits word. */ +#define CC_32BIT_WORD_SIZE 4 +/*! Definition of number of 32-bits words in a 64-bits dword. */ +#define CC_32BIT_WORD_IN_64BIT_DWORD 2 + + +#endif + +/** +@} + */ + + + diff --git a/include/drivers/arm/cryptocell/713/cc_pal_types_plat.h b/include/drivers/arm/cryptocell/713/cc_pal_types_plat.h new file mode 100644 index 0000000..9848472 --- /dev/null +++ b/include/drivers/arm/cryptocell/713/cc_pal_types_plat.h @@ -0,0 +1,25 @@ +/* + * Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +/*! @file +@brief This file contains basic type definitions that are platform-dependent. +*/ +#ifndef _CC_PAL_TYPES_PLAT_H +#define _CC_PAL_TYPES_PLAT_H +/* Host specific types for standard (ISO-C99) compilant platforms */ + +#include +#include + +typedef uint32_t CCStatus; + +#define CCError_t CCStatus +#define CC_INFINITE 0xFFFFFFFF + +#define CEXPORT_C +#define CIMPORT_C + +#endif /*_CC_PAL_TYPES_PLAT_H*/ diff --git a/include/drivers/arm/cryptocell/713/cc_pka_hw_plat_defs.h b/include/drivers/arm/cryptocell/713/cc_pka_hw_plat_defs.h new file mode 100644 index 0000000..1a1bce0 --- /dev/null +++ b/include/drivers/arm/cryptocell/713/cc_pka_hw_plat_defs.h @@ -0,0 +1,62 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CC_PKA_HW_PLAT_DEFS_H +#define _CC_PKA_HW_PLAT_DEFS_H + +#ifdef __cplusplus +extern "C" +{ +#endif + + +#include "cc_pal_types.h" +/*! +@file +@brief Contains the enums and definitions that are used in the PKA code (definitions that are platform dependent). +*/ + +/*! The size of the PKA engine word. */ +#define CC_PKA_WORD_SIZE_IN_BITS 128 + +/*! The maximal supported size of modulus in RSA in bits. */ +#define CC_RSA_MAX_VALID_KEY_SIZE_VALUE_IN_BITS 4096 +/*! The maximal supported size of key-generation in RSA in bits. */ +#define CC_RSA_MAX_KEY_GENERATION_HW_SIZE_BITS 4096 + +/*! Secure boot/debug certificate RSA public modulus key size in bits. */ +#if (KEY_SIZE == 3072) + #define BSV_CERT_RSA_KEY_SIZE_IN_BITS 3072 +#else + #define BSV_CERT_RSA_KEY_SIZE_IN_BITS 2048 +#endif +/*! Secure boot/debug certificate RSA public modulus key size in bytes. */ +#define BSV_CERT_RSA_KEY_SIZE_IN_BYTES (BSV_CERT_RSA_KEY_SIZE_IN_BITS/CC_BITS_IN_BYTE) +/*! Secure boot/debug certificate RSA public modulus key size in words. */ +#define BSV_CERT_RSA_KEY_SIZE_IN_WORDS (BSV_CERT_RSA_KEY_SIZE_IN_BITS/CC_BITS_IN_32BIT_WORD) + +/*! The maximal count of extra bits in PKA operations. */ +#define PKA_EXTRA_BITS 8 +/*! The number of memory registers in PKA operations. */ +#define PKA_MAX_COUNT_OF_PHYS_MEM_REGS 32 + +/*! Size of buffer for Barrett modulus tag in words. */ +#define RSA_PKA_BARRETT_MOD_TAG_BUFF_SIZE_IN_WORDS 5 +/*! Size of buffer for Barrett modulus tag in bytes. */ +#define RSA_PKA_BARRETT_MOD_TAG_BUFF_SIZE_IN_BYTES (RSA_PKA_BARRETT_MOD_TAG_BUFF_SIZE_IN_WORDS*CC_32BIT_WORD_SIZE) + + + +#ifdef __cplusplus +} +#endif + +#endif //_CC_PKA_HW_PLAT_DEFS_H + +/** + @} + */ + diff --git a/include/drivers/arm/cryptocell/713/cc_sec_defs.h b/include/drivers/arm/cryptocell/713/cc_sec_defs.h new file mode 100644 index 0000000..8fb698f --- /dev/null +++ b/include/drivers/arm/cryptocell/713/cc_sec_defs.h @@ -0,0 +1,70 @@ +/* + * Copyright (c) 2017-2020 ARM Limited and Contributors. All rights reserved. + * + * SPDX-License-Identifier: BSD-3-Clause + */ + +#ifndef _CC_SEC_DEFS_H +#define _CC_SEC_DEFS_H + +/*! +@file +@brief This file contains general definitions and types. +*/ + + +#ifdef __cplusplus +extern "C" +{ +#endif + +#include "cc_pal_types.h" + +/*! Hashblock size in words. */ +#define HASH_BLOCK_SIZE_IN_WORDS 16 +/*! Hash - SHA2 results in words. */ +#define HASH_RESULT_SIZE_IN_WORDS 8 +/*! Hash - SHA2 results in bytes. */ +#define HASH_RESULT_SIZE_IN_BYTES 32 + +/*! Definition for hash result array. */ +typedef uint32_t CCHashResult_t[HASH_RESULT_SIZE_IN_WORDS]; + +/*! Definition for converting pointer to Host address. */ +#define CONVERT_TO_ADDR(ptr) (unsigned long)ptr + +/*! Definition for converting pointer to SRAM address. */ +#define CONVERT_TO_SRAM_ADDR(ptr) (0xFFFFFFFF & ptr) + +/*! The data size of the signed SW image, in bytes. */ +/*!\internal ContentCertImageRecord_t includes: HS(8W) + 64-b dstAddr(2W) + imgSize(1W) + isCodeEncUsed(1W) */ +#define SW_REC_SIGNED_DATA_SIZE_IN_BYTES 48 + +/*! The data size of the unsigned SW image, in bytes. */ +/*!\internal CCSbSwImgAddData_t includes: 64-b srcAddr(2W)*/ +#define SW_REC_NONE_SIGNED_DATA_SIZE_IN_BYTES 8 + +/*! The additional data size - storage address and length of the unsigned SW image, in words. */ +#define SW_REC_NONE_SIGNED_DATA_SIZE_IN_WORDS SW_REC_NONE_SIGNED_DATA_SIZE_IN_BYTES/CC_32BIT_WORD_SIZE + +/*! The additional data section size, in bytes. */ +#define CC_SB_MAX_SIZE_ADDITIONAL_DATA_BYTES 128 + +/*! Indication of whether or not to load the SW image to memory. */ +#define CC_SW_COMP_NO_MEM_LOAD_INDICATION 0xFFFFFFFFFFFFFFFFUL + +/*! Indication of product version, stored in certificate version field. */ +#define CC_SB_CERT_VERSION_PROJ_PRD 0x713 + +#ifdef __cplusplus +} +#endif + +#endif + +/** +@} + */ + + +