From patchwork Sun Jul 12 22:05:35 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Iuliana Prodan X-Patchwork-Id: 11658421 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E1D1D17CC for ; Sun, 12 Jul 2020 22:06:00 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id C939120672 for ; Sun, 12 Jul 2020 22:06:00 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729533AbgGLWF7 (ORCPT ); Sun, 12 Jul 2020 18:05:59 -0400 Received: from inva020.nxp.com ([92.121.34.13]:48372 "EHLO inva020.nxp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729020AbgGLWF7 (ORCPT ); Sun, 12 Jul 2020 18:05:59 -0400 Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id DB8B41A0B1D; Mon, 13 Jul 2020 00:05:54 +0200 (CEST) Received: from inva024.eu-rdc02.nxp.com (inva024.eu-rdc02.nxp.com [134.27.226.22]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id CD5B41A0D0D; Mon, 13 Jul 2020 00:05:54 +0200 (CEST) Received: from lorenz.ea.freescale.net (lorenz.ea.freescale.net [10.171.71.5]) by inva024.eu-rdc02.nxp.com (Postfix) with ESMTP id 6E95E204BE; Mon, 13 Jul 2020 00:05:54 +0200 (CEST) From: Iuliana Prodan To: Herbert Xu , Horia Geanta , Aymen Sghaier Cc: "David S. Miller" , Silvano Di Ninno , Franck Lenormand , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-imx , Iuliana Prodan Subject: [PATCH 1/2] crypto: caam - add tag object functionality Date: Mon, 13 Jul 2020 01:05:35 +0300 Message-Id: <1594591536-531-2-git-send-email-iuliana.prodan@nxp.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <1594591536-531-1-git-send-email-iuliana.prodan@nxp.com> References: <1594591536-531-1-git-send-email-iuliana.prodan@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org A tag object represents the metadata (or simply a header/configuration) and the actual data (e.g. black key) obtained from hardware. Add functionality to tag an object with metadata: - validate metadata: check tag object header; - retrieve metadata: get tag object header configuration, black key configuration or tag object data. This API expects that the object (the actual data) from a tag object to be a buffer (defined by address and size). Signed-off-by: Franck LENORMAND Signed-off-by: Iuliana Prodan Signed-off-by: Horia Geantă --- drivers/crypto/caam/Kconfig | 9 +++ drivers/crypto/caam/Makefile | 1 + drivers/crypto/caam/desc.h | 4 +- drivers/crypto/caam/tag_object.c | 129 +++++++++++++++++++++++++++++++++++++++ drivers/crypto/caam/tag_object.h | 99 ++++++++++++++++++++++++++++++ 5 files changed, 241 insertions(+), 1 deletion(-) create mode 100644 drivers/crypto/caam/tag_object.c create mode 100644 drivers/crypto/caam/tag_object.h diff --git a/drivers/crypto/caam/Kconfig b/drivers/crypto/caam/Kconfig index bc35aa0..73368d8 100644 --- a/drivers/crypto/caam/Kconfig +++ b/drivers/crypto/caam/Kconfig @@ -149,6 +149,15 @@ config CRYPTO_DEV_FSL_CAAM_RNG_API Selecting this will register the SEC4 hardware rng to the hw_random API for supplying the kernel entropy pool. +config CRYPTO_DEV_FSL_CAAM_TK_API + bool "Register tagged key cryptography implementations with Crypto API" + depends on CRYPTO_DEV_FSL_CAAM_CRYPTO_API + help + Selecting this will register algorithms supporting tagged key. + + Tagged keys are keys that contain metadata indicating what + they are and how to handle them. + endif # CRYPTO_DEV_FSL_CAAM_JR endif # CRYPTO_DEV_FSL_CAAM diff --git a/drivers/crypto/caam/Makefile b/drivers/crypto/caam/Makefile index 68d5cc0..192a88e 100644 --- a/drivers/crypto/caam/Makefile +++ b/drivers/crypto/caam/Makefile @@ -16,6 +16,7 @@ obj-$(CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API_DESC) += caamhash_desc.o caam-y := ctrl.o caam_jr-y := jr.o key_gen.o +caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API) += tag_object.o caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API) += caamalg.o caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_QI) += caamalg_qi.o caam_jr-$(CONFIG_CRYPTO_DEV_FSL_CAAM_AHASH_API) += caamhash.o diff --git a/drivers/crypto/caam/desc.h b/drivers/crypto/caam/desc.h index e134709..3001a8d 100644 --- a/drivers/crypto/caam/desc.h +++ b/drivers/crypto/caam/desc.h @@ -152,7 +152,7 @@ * with the TDKEK if TK is set */ #define KEY_ENC 0x00400000 - +#define KEY_ENC_OFFSET 22 /* * No Write Back - Do not allow key to be FIFO STOREd */ @@ -162,11 +162,13 @@ * Enhanced Encryption of Key */ #define KEY_EKT 0x00100000 +#define KEY_EKT_OFFSET 20 /* * Encrypted with Trusted Key */ #define KEY_TK 0x00008000 +#define KEY_TK_OFFSET 15 /* * KDEST - Key Destination: 0 - class key register, diff --git a/drivers/crypto/caam/tag_object.c b/drivers/crypto/caam/tag_object.c new file mode 100644 index 00000000..55f41e9 --- /dev/null +++ b/drivers/crypto/caam/tag_object.c @@ -0,0 +1,129 @@ +// SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause) +/* + * Copyright 2018-2020 NXP + */ + +#include +#include +#include + +#include "tag_object.h" +#include "desc.h" + +/** + * is_black_key - Check if the tag object header is a black key + * @header: The tag object header configuration + * + * Return: True if is a black key, false otherwise + */ +bool is_black_key(const struct header_conf *header) +{ + u32 type = header->type; + /* Check type and color bitfields from tag object type */ + return (type & (BIT(TAG_OBJ_COLOR_OFFSET) | + BIT(TAG_OBJ_TYPE_OFFSET))) == BIT(TAG_OBJ_COLOR_OFFSET); +} +EXPORT_SYMBOL(is_black_key); + +/** + * is_valid_header_conf - Check if the header configuration is valid + * @header: The header configuration + * + * Return: True if the header of the tag object configuration, + * has the TAG_OBJECT_MAGIC number and a valid type, + * false otherwise + */ +bool is_valid_header_conf(const struct header_conf *header) +{ + return (header->_magic_number == TAG_OBJECT_MAGIC); +} + +/** + * get_tag_object_header_conf - Retrieve the address of tag object + * header configuration + * @buffer: Buffer containing the tag object + * @size: The size of buffer + * @header: Returned tag object header configuration + * + * Return: '0' on success, error code otherwise + */ +int get_tag_object_header_conf(const void *buffer, size_t size, + struct header_conf **header) +{ + bool valid; + + /* Retrieve the tag object */ + struct tagged_object *tag_obj = (struct tagged_object *)buffer; + + /* Check if one can retrieve the tag object header configuration */ + if (size < TAG_OVERHEAD_SIZE) + return -EINVAL; + + /* Check tag object header configuration */ + valid = is_valid_header_conf(&tag_obj->header); + + /* Retrieve the tag object header configuration address */ + *header = &tag_obj->header; + + return valid ? 0 : -EINVAL; +} +EXPORT_SYMBOL(get_tag_object_header_conf); + +/** + * get_key_conf - Retrieve the key configuration, + * meaning the length of the black key and + * the KEY command parameters needed for CAAM + * @header: The tag object header configuration + * @real_len: Key length + * @load_param: Load parameters for KEY command: + * - indicator for encrypted keys: plaintext or black + * - indicator for encryption mode: AES-ECB or AES-CCM + * - indicator for encryption keys: JDKEK or TDKEK + */ +void get_key_conf(const struct header_conf *header, + u32 *real_len, u32 *load_param) +{ + *real_len = header->real_len; + /* Based on the color of the key, set key encryption bit (ENC) */ + *load_param = ((header->type >> TAG_OBJ_COLOR_OFFSET) & + TAG_OBJ_COLOR_MASK) << KEY_ENC_OFFSET; + /* + * For red keys, the TK and EKT bits are ignored. + * So we set them anyway, to be valid when the key is black. + */ + *load_param |= ((header->type >> TAG_OBJ_TK_OFFSET) & + TAG_OBJ_TK_MASK) << KEY_TK_OFFSET; + *load_param |= ((header->type >> TAG_OBJ_EKT_OFFSET) & + TAG_OBJ_EKT_MASK) << KEY_EKT_OFFSET; +} +EXPORT_SYMBOL(get_key_conf); + +/** + * get_tagged_data - Retrieve the address of the data and size + * of the tagged object + * @tagged_object: Pointer to tag object + * @tagged_object_size: The tagged object size + * @data: Returned the address of the data from + * the tagged object + * @data_size: Returned the size of the data from the + * tagged object + * + * Return: '0' on success, error code otherwise + */ +int get_tagged_data(const void *tagged_object, size_t tagged_object_size, + const void **data, u32 *data_size) +{ + /* Retrieve the tag object */ + struct tagged_object *tag_obj = (struct tagged_object *)tagged_object; + /* Check if one can retrieve the data from the tagged object */ + if (tagged_object_size < TAG_OVERHEAD_SIZE) + return -EINVAL; + + /* Retrieve the address of the data/object from the tagged object */ + *data = &tag_obj->object; + /* Retrieve the size of the data from the tagged object */ + *data_size = tagged_object_size - TAG_OVERHEAD_SIZE; + + return 0; +} +EXPORT_SYMBOL(get_tagged_data); diff --git a/drivers/crypto/caam/tag_object.h b/drivers/crypto/caam/tag_object.h new file mode 100644 index 00000000..9950c02 --- /dev/null +++ b/drivers/crypto/caam/tag_object.h @@ -0,0 +1,99 @@ +/* SPDX-License-Identifier: (GPL-2.0+ OR BSD-3-Clause) */ +/* + * Copyright 2018-2020 NXP + */ + +#ifndef _TAG_OBJECT_H_ +#define _TAG_OBJECT_H_ + +#include +#include + +/** + * Magic number to identify the tag object structure + * 0x54 = 'T' + * 0x61 = 'a' + * 0x67 = 'g' + * 0x4f = 'O' + */ +#define TAG_OBJECT_MAGIC 0x5461674f +#define TAG_MIN_SIZE (2 * sizeof(struct header_conf)) +#define TAG_OVERHEAD_SIZE sizeof(struct header_conf) + +/* + * Tag object type is a bitfield: + * + * EKT: Encrypted Key Type (AES-ECB or AES-CCM) + * TK: Trusted Key (use Job Descriptor Key Encryption Key (JDKEK) + * or Trusted Descriptor Key Encryption Key (TDKEK) to + * decrypt the key to be loaded into a Key Register). + * + *| Denomination | Security state | Memory | EKT | TK | Type | Color | + *| ------------ | -------------- | ------- | --- | ----- | ---- | ----- | + *| bit(s) | 5-6 | 4 | 3 | 2 | 1 | 0 | + *| option 0 | non-secure | general | ECB | JDKEK | key | red | + *| option 1 | secure | secure | CCM | TDKEK | blob | black | + *| option 2 | trusted | | | | | | + * + * CAAM supports two different Black Key encapsulation schemes, + * one intended for quick decryption (uses AES-ECB encryption), + * and another intended for high assurance (uses AES-CCM encryption). + * + * CAAM implements both Trusted and normal (non-Trusted) Black Keys, + * which are encrypted with different key-encryption keys. + * Both Trusted and normal Descriptors are allowed to encrypt or decrypt + * normal Black Keys, but only Trusted Descriptors are allowed to + * encrypt or decrypt Trusted Black Keys. + */ +#define TAG_OBJ_COLOR_OFFSET 0 +#define TAG_OBJ_COLOR_MASK 0x1 +#define TAG_OBJ_TYPE_OFFSET 1 +#define TAG_OBJ_TK_OFFSET 2 +#define TAG_OBJ_TK_MASK 0x1 +#define TAG_OBJ_EKT_OFFSET 3 +#define TAG_OBJ_EKT_MASK 0x1 +#define TAG_OBJ_MEM_OFFSET 4 +#define TAG_OBJ_SEC_STATE_OFFSET 5 + +/** + * struct header_conf - Header configuration structure, which represents + * the metadata (or simply a header) applied to the + * actual data (e.g. black key) + * @_magic_number : A magic number to identify the structure + * @version : The version of the data contained (e.g. tag object) + * @type : The type of data contained (e.g. black key, blob, etc.) + * @real_len : Length of the object to be loaded by CAAM + */ +struct header_conf { + u32 _magic_number; + u32 version; + u32 type; + u32 real_len; +}; + +/** + * struct tagged_object - Tag object structure, which represents the metadata + * (or simply a header) and the actual data + * (e.g. black key) obtained from hardware + * @tag : The configuration of the data (e.g. header) + * @object : The actual data (e.g. black key) + */ +struct tagged_object { + struct header_conf header; + char object; +}; + +bool is_black_key(const struct header_conf * const header); + +bool is_valid_header_conf(const struct header_conf *header); + +int get_tag_object_header_conf(const void *buffer, size_t buffer_size, + struct header_conf **header); + +void get_key_conf(const struct header_conf *header, + u32 *real_len, u32 *load_param); + +int get_tagged_data(const void *buffer, size_t buffer_size, + const void **data, u32 *data_size); + +#endif /* _TAG_OBJECT_H_ */ From patchwork Sun Jul 12 22:05:36 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Iuliana Prodan X-Patchwork-Id: 11658423 X-Patchwork-Delegate: herbert@gondor.apana.org.au Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B254A17C5 for ; Sun, 12 Jul 2020 22:06:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 9DD3A20720 for ; Sun, 12 Jul 2020 22:06:06 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729545AbgGLWGC (ORCPT ); Sun, 12 Jul 2020 18:06:02 -0400 Received: from inva020.nxp.com ([92.121.34.13]:48418 "EHLO inva020.nxp.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729249AbgGLWGA (ORCPT ); Sun, 12 Jul 2020 18:06:00 -0400 Received: from inva020.nxp.com (localhost [127.0.0.1]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id CFA831A0D09; Mon, 13 Jul 2020 00:05:58 +0200 (CEST) Received: from inva024.eu-rdc02.nxp.com (inva024.eu-rdc02.nxp.com [134.27.226.22]) by inva020.eu-rdc02.nxp.com (Postfix) with ESMTP id C25901A0CFD; Mon, 13 Jul 2020 00:05:58 +0200 (CEST) Received: from lorenz.ea.freescale.net (lorenz.ea.freescale.net [10.171.71.5]) by inva024.eu-rdc02.nxp.com (Postfix) with ESMTP id 4F9A7204BE; Mon, 13 Jul 2020 00:05:58 +0200 (CEST) From: Iuliana Prodan To: Herbert Xu , Horia Geanta , Aymen Sghaier Cc: "David S. Miller" , Silvano Di Ninno , Franck Lenormand , linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, linux-imx , Iuliana Prodan Subject: [PATCH 2/2] crypto: caam - support tagged keys for skcipher algorithms Date: Mon, 13 Jul 2020 01:05:36 +0300 Message-Id: <1594591536-531-3-git-send-email-iuliana.prodan@nxp.com> X-Mailer: git-send-email 2.1.0 In-Reply-To: <1594591536-531-1-git-send-email-iuliana.prodan@nxp.com> References: <1594591536-531-1-git-send-email-iuliana.prodan@nxp.com> X-Virus-Scanned: ClamAV using ClamSMTP Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Tagged keys are keys that contain metadata indicating what they are and how to handle them using tag_object API. Add support, for tagged keys, to skcipher algorithms by adding new transformations, with _tk_ prefix to distinguish between plaintext and tagged keys. For job descriptors a new option (key_cmd_opt) was added for KEY command. Tagged keys can be loaded using only a KEY command with ENC=1 and the proper setting of the EKT bit. The EKT bit in the KEY command indicates which encryption algorithm (AES-ECB or AES-CCM) should be used to decrypt the key. These options will be kept in key_cmd_opt. The tk_ transformations can be used directly by their name: struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "skcipher", /* this selects the symmetric cipher */ .salg_name = "tk(cbc(aes))" /* this is the cipher name */ }; or for dm-crypt, e.g. using dmsetup: dmsetup -v create encrypted --table "0 $(blockdev --getsz /dev/mmcblk2p10) crypt capi:tk(cbc(aes))-plain :32:logon:seckey 0 /dev/mmcblk2p10 0 1 sector_size:512". Signed-off-by: Franck LENORMAND Signed-off-by: Iuliana Prodan --- drivers/crypto/caam/caamalg.c | 107 +++++++++++++++++++++++++++++++++++-- drivers/crypto/caam/caamalg_desc.c | 28 ++++++++-- drivers/crypto/caam/desc_constr.h | 4 ++ 3 files changed, 131 insertions(+), 8 deletions(-) diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c index b2f9882..9e4206f 100644 --- a/drivers/crypto/caam/caamalg.c +++ b/drivers/crypto/caam/caamalg.c @@ -3,7 +3,7 @@ * caam - Freescale FSL CAAM support for crypto API * * Copyright 2008-2011 Freescale Semiconductor, Inc. - * Copyright 2016-2019 NXP + * Copyright 2016-2020 NXP * * Based on talitos crypto API driver. * @@ -58,6 +58,10 @@ #include "caamalg_desc.h" #include +#ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API +#include "tag_object.h" +#endif /* CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API */ + /* * crypto alg */ @@ -84,6 +88,7 @@ struct caam_alg_entry { bool rfc3686; bool geniv; bool nodkp; + bool support_tagged_key; }; struct caam_aead_alg { @@ -736,9 +741,16 @@ static int skcipher_setkey(struct crypto_skcipher *skcipher, const u8 *key, print_hex_dump_debug("key in @"__stringify(__LINE__)": ", DUMP_PREFIX_ADDRESS, 16, 4, key, keylen, 1); - ctx->cdata.keylen = keylen; - ctx->cdata.key_virt = key; - ctx->cdata.key_inline = true; + /* + * If the algorithm has support for tagged key, + * this is already set in tk_skcipher_setkey(). + * Otherwise, set here the algorithm details. + */ + if (!alg->caam.support_tagged_key) { + ctx->cdata.keylen = keylen; + ctx->cdata.key_virt = key; + ctx->cdata.key_inline = true; + } /* skcipher_encrypt shared descriptor */ desc = ctx->sh_desc_enc; @@ -816,6 +828,56 @@ static int arc4_skcipher_setkey(struct crypto_skcipher *skcipher, return skcipher_setkey(skcipher, key, keylen, 0); } +#ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API +static int tk_skcipher_setkey(struct crypto_skcipher *skcipher, + const u8 *key, unsigned int keylen) +{ + struct caam_ctx *ctx = crypto_skcipher_ctx(skcipher); + struct device *jrdev = ctx->jrdev; + struct header_conf *header; + int ret; + + ctx->cdata.keylen = keylen; + ctx->cdata.key_virt = key; + ctx->cdata.key_inline = true; + + /* Retrieve the address of the tag object configuration */ + ret = get_tag_object_header_conf(ctx->cdata.key_virt, + ctx->cdata.keylen, &header); + if (ret) { + dev_err(jrdev, + "unable to get tag object header configuration\n"); + return ret; + } + + /* Check if the tag object header is a black key */ + if (!is_black_key(header)) { + dev_err(jrdev, + "tagged key provided is not a black key\n"); + return -EINVAL; + } + + /* Retrieve the black key configuration */ + get_key_conf(header, + &ctx->cdata.key_real_len, + &ctx->cdata.key_cmd_opt); + + /* + * Retrieve the address of the data + * and size of the tagged object + */ + ret = get_tagged_data(ctx->cdata.key_virt, ctx->cdata.keylen, + &ctx->cdata.key_virt, &ctx->cdata.keylen); + if (ret) { + dev_err(jrdev, + "unable to get data from tagged object\n"); + return ret; + } + + return skcipher_setkey(skcipher, key, keylen, 0); +} +#endif /* CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API */ + static int des_skcipher_setkey(struct crypto_skcipher *skcipher, const u8 *key, unsigned int keylen) { @@ -1833,6 +1895,25 @@ static struct caam_skcipher_alg driver_algs[] = { }, .caam.class1_alg_type = OP_ALG_ALGSEL_AES | OP_ALG_AAI_CBC, }, +#ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API + { + .skcipher = { + .base = { + .cra_name = "tk(cbc(aes))", + .cra_driver_name = "tk-cbc-aes-caam", + .cra_blocksize = AES_BLOCK_SIZE, + }, + .setkey = tk_skcipher_setkey, + .encrypt = skcipher_encrypt, + .decrypt = skcipher_decrypt, + .min_keysize = TAG_MIN_SIZE, + .max_keysize = CAAM_MAX_KEY_SIZE, + .ivsize = AES_BLOCK_SIZE, + }, + .caam.class1_alg_type = OP_ALG_ALGSEL_AES | OP_ALG_AAI_CBC, + .caam.support_tagged_key = true, + }, +#endif /* CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API */ { .skcipher = { .base = { @@ -1952,6 +2033,24 @@ static struct caam_skcipher_alg driver_algs[] = { }, .caam.class1_alg_type = OP_ALG_ALGSEL_AES | OP_ALG_AAI_ECB, }, +#ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API + { + .skcipher = { + .base = { + .cra_name = "tk(ecb(aes))", + .cra_driver_name = "tk-ecb-aes-caam", + .cra_blocksize = AES_BLOCK_SIZE, + }, + .setkey = tk_skcipher_setkey, + .encrypt = skcipher_encrypt, + .decrypt = skcipher_decrypt, + .min_keysize = TAG_MIN_SIZE, + .max_keysize = CAAM_MAX_KEY_SIZE, + }, + .caam.class1_alg_type = OP_ALG_ALGSEL_AES | OP_ALG_AAI_ECB, + .caam.support_tagged_key = true, + }, +#endif /* CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API */ { .skcipher = { .base = { diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c index d6c5818..447f7a5 100644 --- a/drivers/crypto/caam/caamalg_desc.c +++ b/drivers/crypto/caam/caamalg_desc.c @@ -1389,8 +1389,18 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata, JUMP_COND_SHRD); /* Load class1 key only */ - append_key_as_imm(desc, cdata->key_virt, cdata->keylen, - cdata->keylen, CLASS_1 | KEY_DEST_CLASS_REG); + if (IS_ENABLED(CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API) && + cdata->key_cmd_opt) + /* + * Black keys can be loaded using only a KEY command + * with ENC=1 and the proper setting of the EKT bit. + */ + append_key_as_imm(desc, cdata->key_virt, cdata->keylen, + cdata->key_real_len, CLASS_1 | + KEY_DEST_CLASS_REG | cdata->key_cmd_opt); + else + append_key_as_imm(desc, cdata->key_virt, cdata->keylen, + cdata->keylen, CLASS_1 | KEY_DEST_CLASS_REG); /* Load nonce into CONTEXT1 reg */ if (is_rfc3686) { @@ -1464,8 +1474,18 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata, JUMP_COND_SHRD); /* Load class1 key only */ - append_key_as_imm(desc, cdata->key_virt, cdata->keylen, - cdata->keylen, CLASS_1 | KEY_DEST_CLASS_REG); + if (IS_ENABLED(CONFIG_CRYPTO_DEV_FSL_CAAM_TK_API) && + cdata->key_cmd_opt) + /* + * Black keys can be loaded using only a KEY command + * with ENC=1 and the proper setting of the EKT bit. + */ + append_key_as_imm(desc, cdata->key_virt, cdata->keylen, + cdata->key_real_len, CLASS_1 | + KEY_DEST_CLASS_REG | cdata->key_cmd_opt); + else + append_key_as_imm(desc, cdata->key_virt, cdata->keylen, + cdata->keylen, CLASS_1 | KEY_DEST_CLASS_REG); /* Load nonce into CONTEXT1 reg */ if (is_rfc3686) { diff --git a/drivers/crypto/caam/desc_constr.h b/drivers/crypto/caam/desc_constr.h index 62ce642..93b2ab0 100644 --- a/drivers/crypto/caam/desc_constr.h +++ b/drivers/crypto/caam/desc_constr.h @@ -500,6 +500,8 @@ do { \ * @key_virt: virtual address where algorithm key resides * @key_inline: true - key can be inlined in the descriptor; false - key is * referenced by the descriptor + * @key_real_len: size of the key to be loaded by the CAAM + * @key_cmd_opt: optional parameters for KEY command */ struct alginfo { u32 algtype; @@ -508,6 +510,8 @@ struct alginfo { dma_addr_t key_dma; const void *key_virt; bool key_inline; + u32 key_real_len; + u32 key_cmd_opt; }; /**