1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
|
From d2e808b0dcca1b5e850274f770775c355ae36c48 Mon Sep 17 00:00:00 2001
From: Biwen Li <biwen.li@nxp.com>
Date: Tue, 30 Oct 2018 18:27:03 +0800
Subject: [PATCH 34/40] platfrom-security: support layerscape
This is an integrated patch of platform-security for
layerscape
Signed-off-by: Sahil Malhotra <sahil.malhotra@nxp.com>
Signed-off-by: Udit Agarwal <udit.agarwal@nxp.com>
Signed-off-by: Biwen Li <biwen.li@nxp.com>
---
Documentation/security/keys/secure-key.rst | 67 ++
MAINTAINERS | 12 +
drivers/tee/optee/Kconfig | 8 +
drivers/tee/optee/core.c | 2 +-
include/keys/secure-type.h | 33 +
security/keys/Kconfig | 11 +
security/keys/Makefile | 5 +
security/keys/encrypted-keys/Makefile | 2 +
security/keys/encrypted-keys/encrypted.c | 13 +-
security/keys/encrypted-keys/encrypted.h | 13 +
.../keys/encrypted-keys/masterkey_secure.c | 37 ++
security/keys/secure_key.c | 339 ++++++++++
security/keys/securekey_desc.c | 608 ++++++++++++++++++
security/keys/securekey_desc.h | 141 ++++
14 files changed, 1288 insertions(+), 3 deletions(-)
create mode 100644 Documentation/security/keys/secure-key.rst
create mode 100644 include/keys/secure-type.h
create mode 100644 security/keys/encrypted-keys/masterkey_secure.c
create mode 100644 security/keys/secure_key.c
create mode 100644 security/keys/securekey_desc.c
create mode 100644 security/keys/securekey_desc.h
--- /dev/null
+++ b/Documentation/security/keys/secure-key.rst
@@ -0,0 +1,67 @@
+==========
+Secure Key
+==========
+
+Secure key is the new type added to kernel key ring service.
+Secure key is a symmetric type key of minimum length 32 bytes
+and with maximum possible length to be 128 bytes. It is produced
+in kernel using the CAAM crypto engine. Userspace can only see
+the blob for the corresponding key. All the blobs are displayed
+or loaded in hex ascii.
+
+Secure key can be created on platforms which supports CAAM
+hardware block. Secure key can also be used as a master key to
+create the encrypted keys along with the existing key types in
+kernel.
+
+Secure key uses CAAM hardware to generate the key and blobify its
+content for userspace. Generated blobs are tied up with the hardware
+secret key stored in CAAM, hence the same blob will not be able to
+de-blobify with the different secret key on another machine.
+
+Usage::
+
+ keyctl add secure <name> "new <keylen>" <ring>
+ keyctl load secure <name> "load <hex_blob>" <ring>
+ keyctl print <key_id>
+
+"keyctl add secure" option will create the random data of the
+specified key len using CAAM and store it as a key in kernel.
+Key contents will be displayed as blobs to the user in hex ascii.
+User can input key len from 32 bytes to 128 bytes.
+
+"keyctl load secure" option will load the blob contents. In kernel,
+key will be deirved using input blob and CAAM, along with the secret
+key stored in CAAM.
+
+"keyctl print" will return the hex string of the blob corresponding to
+key_id. Returned blob will be of key_len + 48 bytes. Extra 48 bytes are
+the header bytes added by the CAAM.
+
+Example of secure key usage::
+
+1. Create the secure key with name kmk-master of length 32 bytes::
+
+ $ keyctl add secure kmk-master "new 32" @u
+ 46001928
+
+ $keyctl show
+ Session Keyring
+ 1030783626 --alswrv 0 65534 keyring: _uid_ses.0
+ 695927745 --alswrv 0 65534 \_ keyring: _uid.0
+ 46001928 --als-rv 0 0 \_ secure: kmk-master
+
+2. Print the blob contents for the kmk-master key::
+
+ $ keyctl print 46001928
+ d9743445b640f3d59c1670dddc0bc9c2
+ 34fc9aab7dd05c965e6120025012f029b
+ 07faa4776c4f6ed02899e35a135531e9a
+ 6e5c2b51132f9d5aef28f68738e658296
+ 3fe583177cfe50d2542b659a13039
+
+ $ keyctl pipe 46001928 > secure_key.blob
+
+3. Load the blob in the user key ring::
+
+ $ keyctl load secure kmk-master "load 'cat secure_key.blob'" @u
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -7646,6 +7646,18 @@ F: include/keys/trusted-type.h
F: security/keys/trusted.c
F: security/keys/trusted.h
+KEYS-SECURE
+M: Udit Agarwal <udit.agarwal@nxp.com>
+R: Sahil Malhotra <sahil.malhotra@nxp.com>
+L: linux-security-module@vger.kernel.org
+L: keyrings@vger.kernel.org
+S: Supported
+F: include/keys/secure-type.h
+F: security/keys/secure_key.c
+F: security/keys/securekey_desc.c
+F: security/keys/securekey_desc.h
+F: security/keys/encrypted-keys/masterkey_secure.c
+
KEYS/KEYRINGS:
M: David Howells <dhowells@redhat.com>
L: keyrings@vger.kernel.org
--- a/drivers/tee/optee/Kconfig
+++ b/drivers/tee/optee/Kconfig
@@ -6,3 +6,11 @@ config OPTEE
help
This implements the OP-TEE Trusted Execution Environment (TEE)
driver.
+
+config OPTEE_SHM_NUM_PRIV_PAGES
+ int "Private Shared Memory Pages"
+ default 1
+ depends on OPTEE
+ help
+ This sets the number of private shared memory pages to be
+ used by OP-TEE TEE driver.
--- a/drivers/tee/optee/core.c
+++ b/drivers/tee/optee/core.c
@@ -31,7 +31,7 @@
#define DRIVER_NAME "optee"
-#define OPTEE_SHM_NUM_PRIV_PAGES 1
+#define OPTEE_SHM_NUM_PRIV_PAGES CONFIG_OPTEE_SHM_NUM_PRIV_PAGES
/**
* optee_from_msg_param() - convert from OPTEE_MSG parameters to
--- /dev/null
+++ b/include/keys/secure-type.h
@@ -0,0 +1,33 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (C) 2018 NXP.
+ *
+ */
+
+#ifndef _KEYS_SECURE_TYPE_H
+#define _KEYS_SECURE_TYPE_H
+
+#include <linux/key.h>
+#include <linux/rcupdate.h>
+
+/* Minimum key size to be used is 32 bytes and maximum key size fixed
+ * is 128 bytes.
+ * Blob size to be kept is Maximum key size + blob header added by CAAM.
+ */
+
+#define MIN_KEY_SIZE 32
+#define MAX_KEY_SIZE 128
+#define BLOB_HEADER_SIZE 48
+
+#define MAX_BLOB_SIZE (MAX_KEY_SIZE + BLOB_HEADER_SIZE)
+
+struct secure_key_payload {
+ struct rcu_head rcu;
+ unsigned int key_len;
+ unsigned int blob_len;
+ unsigned char key[MAX_KEY_SIZE + 1];
+ unsigned char blob[MAX_BLOB_SIZE];
+};
+
+extern struct key_type key_type_secure;
+#endif
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -71,6 +71,17 @@ config TRUSTED_KEYS
If you are unsure as to whether this is required, answer N.
+config SECURE_KEYS
+ tristate "SECURE_KEYS"
+ depends on KEYS && CRYPTO_DEV_FSL_CAAM && CRYPTO_DEV_FSL_CAAM_JR
+ help
+ This option provide support for creating secure-type key and blobs
+ in kernel. Secure keys are random number symmetric keys generated
+ from CAAM. The CAAM creates the blobs for the random key.
+ Userspace will only be able to see the blob.
+
+ If you are unsure as to whether this is required, answer N.
+
config ENCRYPTED_KEYS
tristate "ENCRYPTED KEYS"
depends on KEYS
--- a/security/keys/Makefile
+++ b/security/keys/Makefile
@@ -28,4 +28,9 @@ obj-$(CONFIG_KEY_DH_OPERATIONS) += dh.o
#
obj-$(CONFIG_BIG_KEYS) += big_key.o
obj-$(CONFIG_TRUSTED_KEYS) += trusted.o
+CFLAGS_secure_key.o += -I$(obj)/../../drivers/crypto/caam/
+CFLAGS_securekey_desc.o += -I$(obj)/../../drivers/crypto/caam/
+obj-$(CONFIG_SECURE_KEYS) += securekey.o
+securekey-y := securekey_desc.o \
+ secure_key.o
obj-$(CONFIG_ENCRYPTED_KEYS) += encrypted-keys/
--- a/security/keys/encrypted-keys/Makefile
+++ b/security/keys/encrypted-keys/Makefile
@@ -7,5 +7,7 @@ obj-$(CONFIG_ENCRYPTED_KEYS) += encrypte
encrypted-keys-y := encrypted.o ecryptfs_format.o
masterkey-$(CONFIG_TRUSTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS) := masterkey_secure.o
masterkey-$(CONFIG_TRUSTED_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_trusted.o
+masterkey-$(CONFIG_SECURE_KEYS)-$(CONFIG_ENCRYPTED_KEYS) := masterkey_secure.o
encrypted-keys-y += $(masterkey-y) $(masterkey-m-m)
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -39,6 +39,7 @@
#include "ecryptfs_format.h"
static const char KEY_TRUSTED_PREFIX[] = "trusted:";
+static const char KEY_SECURE_PREFIX[] = "secure:";
static const char KEY_USER_PREFIX[] = "user:";
static const char hash_alg[] = "sha256";
static const char hmac_alg[] = "hmac(sha256)";
@@ -49,6 +50,7 @@ static unsigned int ivsize;
static int blksize;
#define KEY_TRUSTED_PREFIX_LEN (sizeof (KEY_TRUSTED_PREFIX) - 1)
+#define KEY_SECURE_PREFIX_LEN (sizeof(KEY_SECURE_PREFIX) - 1)
#define KEY_USER_PREFIX_LEN (sizeof (KEY_USER_PREFIX) - 1)
#define KEY_ECRYPTFS_DESC_LEN 16
#define HASH_SIZE SHA256_DIGEST_SIZE
@@ -125,7 +127,7 @@ static int valid_ecryptfs_desc(const cha
/*
* valid_master_desc - verify the 'key-type:desc' of a new/updated master-key
*
- * key-type:= "trusted:" | "user:"
+ * key-type:= "trusted:" | "user:" | "secure:"
* desc:= master-key description
*
* Verify that 'key-type' is valid and that 'desc' exists. On key update,
@@ -140,6 +142,8 @@ static int valid_master_desc(const char
if (!strncmp(new_desc, KEY_TRUSTED_PREFIX, KEY_TRUSTED_PREFIX_LEN))
prefix_len = KEY_TRUSTED_PREFIX_LEN;
+ else if (!strncmp(new_desc, KEY_SECURE_PREFIX, KEY_SECURE_PREFIX_LEN))
+ prefix_len = KEY_SECURE_PREFIX_LEN;
else if (!strncmp(new_desc, KEY_USER_PREFIX, KEY_USER_PREFIX_LEN))
prefix_len = KEY_USER_PREFIX_LEN;
else
@@ -358,7 +362,7 @@ static int calc_hmac(u8 *digest, const u
enum derived_key_type { ENC_KEY, AUTH_KEY };
-/* Derive authentication/encryption key from trusted key */
+/* Derive authentication/encryption key from trusted/secure key */
static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
const u8 *master_key, size_t master_keylen)
{
@@ -429,6 +433,11 @@ static struct key *request_master_key(st
mkey = request_trusted_key(epayload->master_desc +
KEY_TRUSTED_PREFIX_LEN,
master_key, master_keylen);
+ } else if (!strncmp(epayload->master_desc, KEY_SECURE_PREFIX,
+ KEY_SECURE_PREFIX_LEN)) {
+ mkey = request_secure_key(epayload->master_desc +
+ KEY_SECURE_PREFIX_LEN,
+ master_key, master_keylen);
} else if (!strncmp(epayload->master_desc, KEY_USER_PREFIX,
KEY_USER_PREFIX_LEN)) {
mkey = request_user_key(epayload->master_desc +
--- a/security/keys/encrypted-keys/encrypted.h
+++ b/security/keys/encrypted-keys/encrypted.h
@@ -16,6 +16,19 @@ static inline struct key *request_truste
}
#endif
+#if defined(CONFIG_SECURE_KEYS)
+extern struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen);
+#else
+static inline struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key,
+ size_t *master_keylen)
+{
+ return ERR_PTR(-EOPNOTSUPP);
+}
+#endif
+
#if ENCRYPTED_DEBUG
static inline void dump_master_key(const u8 *master_key, size_t master_keylen)
{
--- /dev/null
+++ b/security/keys/encrypted-keys/masterkey_secure.c
@@ -0,0 +1,37 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2018 NXP.
+ *
+ */
+
+#include <linux/uaccess.h>
+#include <linux/module.h>
+#include <linux/err.h>
+#include <keys/secure-type.h>
+#include <keys/encrypted-type.h>
+#include "encrypted.h"
+
+/*
+ * request_secure_key - request the secure key
+ *
+ * Secure keys and their blobs are derived from CAAM hardware.
+ * Userspace manages secure key-type data, but key data is not
+ * visible in plain form. It is presented as blobs.
+ */
+struct key *request_secure_key(const char *secure_desc,
+ const u8 **master_key, size_t *master_keylen)
+{
+ struct secure_key_payload *spayload;
+ struct key *skey;
+
+ skey = request_key(&key_type_secure, secure_desc, NULL);
+ if (IS_ERR(skey))
+ goto error;
+
+ down_read(&skey->sem);
+ spayload = skey->payload.data[0];
+ *master_key = spayload->key;
+ *master_keylen = spayload->key_len;
+error:
+ return skey;
+}
--- /dev/null
+++ b/security/keys/secure_key.c
@@ -0,0 +1,339 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (C) 2018 NXP
+ * Secure key is generated using NXP CAAM hardware block. CAAM generates the
+ * random number (used as a key) and creates its blob for the user.
+ */
+
+#include <linux/slab.h>
+#include <linux/parser.h>
+#include <linux/string.h>
+#include <linux/key-type.h>
+#include <linux/rcupdate.h>
+#include <keys/secure-type.h>
+#include <linux/completion.h>
+
+#include "securekey_desc.h"
+
+static const char hmac_alg[] = "hmac(sha1)";
+static const char hash_alg[] = "sha1";
+
+static struct crypto_shash *hashalg;
+static struct crypto_shash *hmacalg;
+
+enum {
+ error = -1,
+ new_key,
+ load_blob,
+};
+
+static const match_table_t key_tokens = {
+ {new_key, "new"},
+ {load_blob, "load"},
+ {error, NULL}
+};
+
+static struct secure_key_payload *secure_payload_alloc(struct key *key)
+{
+ struct secure_key_payload *sec_key = NULL;
+ int ret = 0;
+
+ ret = key_payload_reserve(key, sizeof(*sec_key));
+ if (ret < 0)
+ goto out;
+
+ sec_key = kzalloc(sizeof(*sec_key), GFP_KERNEL);
+ if (!sec_key)
+ goto out;
+
+out:
+ return sec_key;
+}
+
+/*
+ * parse_inputdata - parse the keyctl input data and fill in the
+ * payload structure for key or its blob.
+ * param[in]: data pointer to the data to be parsed for creating key.
+ * param[in]: p pointer to secure key payload structure to fill parsed data
+ * On success returns 0, otherwise -EINVAL.
+ */
+static int parse_inputdata(char *data, struct secure_key_payload *p)
+{
+ substring_t args[MAX_OPT_ARGS];
+ long keylen = 0;
+ int ret = -EINVAL;
+ int key_cmd = -EINVAL;
+ char *c = NULL;
+
+ c = strsep(&data, " \t");
+ if (!c) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ /* Get the keyctl command i.e. new_key or load_blob etc */
+ key_cmd = match_token(c, key_tokens, args);
+
+ switch (key_cmd) {
+ case new_key:
+ /* first argument is key size */
+ c = strsep(&data, " \t");
+ if (!c) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ ret = kstrtol(c, 10, &keylen);
+ if (ret < 0 || keylen < MIN_KEY_SIZE ||
+ keylen > MAX_KEY_SIZE) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ p->key_len = keylen;
+ ret = new_key;
+
+ break;
+ case load_blob:
+ /* first argument is blob data for CAAM*/
+ c = strsep(&data, " \t");
+ if (!c) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ /* Blob_len = No of characters in blob/2 */
+ p->blob_len = strlen(c) / 2;
+ if (p->blob_len > MAX_BLOB_SIZE) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ ret = hex2bin(p->blob, c, p->blob_len);
+ if (ret < 0) {
+ ret = -EINVAL;
+ goto out;
+ }
+ ret = load_blob;
+
+ break;
+ case error:
+ ret = -EINVAL;
+ break;
+ }
+
+out:
+ return ret;
+}
+
+/*
+ * secure_instantiate - create a new secure type key.
+ * Supports the operation to generate a new key. A random number
+ * is generated from CAAM as key data and the corresponding red blob
+ * is formed and stored as key_blob.
+ * Also supports the operation to load the blob and key is derived using
+ * that blob from CAAM.
+ * On success, return 0. Otherwise return errno.
+ */
+static int secure_instantiate(struct key *key,
+ struct key_preparsed_payload *prep)
+{
+ struct secure_key_payload *payload = NULL;
+ size_t datalen = prep->datalen;
+ char *data = NULL;
+ int key_cmd = 0;
+ int ret = 0;
+ enum sk_req_type sk_op_type;
+ struct device *dev = NULL;
+
+ if (datalen <= 0 || datalen > 32767 || !prep->data) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ data = kmalloc(datalen + 1, GFP_KERNEL);
+ if (!data) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ memcpy(data, prep->data, datalen);
+ data[datalen] = '\0';
+
+ payload = secure_payload_alloc(key);
+ if (!payload) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ /* Allocate caam job ring for operation to be performed from CAAM */
+ dev = caam_jr_alloc();
+ if (!dev) {
+ pr_info("caam_jr_alloc failed\n");
+ ret = -ENODEV;
+ goto out;
+ }
+
+ key_cmd = parse_inputdata(data, payload);
+ if (key_cmd < 0) {
+ ret = key_cmd;
+ goto out;
+ }
+
+ switch (key_cmd) {
+ case load_blob:
+ /*
+ * Red blob decryption to be done for load operation
+ * to derive the key.
+ */
+ sk_op_type = sk_red_blob_dec;
+ ret = key_deblob(payload, sk_op_type, dev);
+ if (ret != 0) {
+ pr_info("secure_key: key_blob decap fail (%d)\n", ret);
+ goto out;
+ }
+ break;
+ case new_key:
+ /* Get Random number from caam of the specified length */
+ sk_op_type = sk_get_random;
+ ret = caam_get_random(payload, sk_op_type, dev);
+ if (ret != 0) {
+ pr_info("secure_key: get_random fail (%d)\n", ret);
+ goto out;
+ }
+
+ /* Generate red blob of key random bytes with CAAM */
+ sk_op_type = sk_red_blob_enc;
+ ret = key_blob(payload, sk_op_type, dev);
+ if (ret != 0) {
+ pr_info("secure_key: key_blob encap fail (%d)\n", ret);
+ goto out;
+ }
+ break;
+ default:
+ ret = -EINVAL;
+ goto out;
+ }
+out:
+ if (data)
+ kzfree(data);
+ if (dev)
+ caam_jr_free(dev);
+
+ if (!ret)
+ rcu_assign_keypointer(key, payload);
+ else
+ kzfree(payload);
+
+ return ret;
+}
+
+/*
+ * secure_read - copy the blob data to userspace in hex.
+ * param[in]: key pointer to key struct
+ * param[in]: buffer pointer to user data for creating key
+ * param[in]: buflen is the length of the buffer
+ * On success, return to userspace the secure key data size.
+ */
+static long secure_read(const struct key *key, char __user *buffer,
+ size_t buflen)
+{
+ const struct secure_key_payload *p = NULL;
+ char *ascii_buf;
+ char *bufp;
+ int i;
+
+ p = dereference_key_locked(key);
+ if (!p)
+ return -EINVAL;
+
+ if (buffer && buflen >= 2 * p->blob_len) {
+ ascii_buf = kmalloc(2 * p->blob_len, GFP_KERNEL);
+ if (!ascii_buf)
+ return -ENOMEM;
+
+ bufp = ascii_buf;
+ for (i = 0; i < p->blob_len; i++)
+ bufp = hex_byte_pack(bufp, p->blob[i]);
+ if (copy_to_user(buffer, ascii_buf, 2 * p->blob_len) != 0) {
+ kzfree(ascii_buf);
+ return -EFAULT;
+ }
+ kzfree(ascii_buf);
+ }
+ return 2 * p->blob_len;
+}
+
+/*
+ * secure_destroy - clear and free the key's payload
+ */
+static void secure_destroy(struct key *key)
+{
+ kzfree(key->payload.data[0]);
+}
+
+struct key_type key_type_secure = {
+ .name = "secure",
+ .instantiate = secure_instantiate,
+ .destroy = secure_destroy,
+ .read = secure_read,
+};
+EXPORT_SYMBOL_GPL(key_type_secure);
+
+static void secure_shash_release(void)
+{
+ if (hashalg)
+ crypto_free_shash(hashalg);
+ if (hmacalg)
+ crypto_free_shash(hmacalg);
+}
+
+static int __init secure_shash_alloc(void)
+{
+ int ret;
+
+ hmacalg = crypto_alloc_shash(hmac_alg, 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(hmacalg)) {
+ pr_info("secure_key: could not allocate crypto %s\n",
+ hmac_alg);
+ return PTR_ERR(hmacalg);
+ }
+
+ hashalg = crypto_alloc_shash(hash_alg, 0, CRYPTO_ALG_ASYNC);
+ if (IS_ERR(hashalg)) {
+ pr_info("secure_key: could not allocate crypto %s\n",
+ hash_alg);
+ ret = PTR_ERR(hashalg);
+ goto hashalg_fail;
+ }
+
+ return 0;
+
+hashalg_fail:
+ crypto_free_shash(hmacalg);
+ return ret;
+}
+
+static int __init init_secure_key(void)
+{
+ int ret;
+
+ ret = secure_shash_alloc();
+ if (ret < 0)
+ return ret;
+
+ ret = register_key_type(&key_type_secure);
+ if (ret < 0)
+ secure_shash_release();
+ return ret;
+}
+
+static void __exit cleanup_secure_key(void)
+{
+ secure_shash_release();
+ unregister_key_type(&key_type_secure);
+}
+
+late_initcall(init_secure_key);
+module_exit(cleanup_secure_key);
+
+MODULE_LICENSE("GPL");
--- /dev/null
+++ b/security/keys/securekey_desc.c
@@ -0,0 +1,608 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2018 NXP
+ *
+ */
+
+#include <keys/secure-type.h>
+#include "securekey_desc.h"
+
+/* key modifier for blob encapsulation & decapsulation descriptor */
+u8 key_modifier[] = "SECURE_KEY";
+u32 key_modifier_len = 10;
+
+void caam_sk_rng_desc(struct sk_req *skreq, struct sk_desc *skdesc)
+{
+ struct sk_fetch_rnd_data *fetch_rnd_data = NULL;
+ struct random_desc *rnd_desc = NULL;
+ size_t len = 0;
+ u32 *desc = skreq->hwdesc;
+
+ init_job_desc(desc, 0);
+
+ fetch_rnd_data = &skreq->req_u.sk_fetch_rnd_data;
+ rnd_desc = &skdesc->dma_u.random_descp;
+ len = fetch_rnd_data->key_len;
+
+ /* command 0x82500000 */
+ append_cmd(desc, CMD_OPERATION | OP_TYPE_CLASS1_ALG |
+ OP_ALG_ALGSEL_RNG);
+ /* command 0x60340000 | len */
+ append_cmd(desc, CMD_FIFO_STORE | FIFOST_TYPE_RNGSTORE | len);
+ append_ptr(desc, rnd_desc->rnd_data);
+}
+
+void caam_sk_redblob_encap_desc(struct sk_req *skreq, struct sk_desc *skdesc)
+{
+ struct redblob_encap_desc *red_blob_desc =
+ &skdesc->dma_u.redblob_encapdesc;
+ struct sk_red_blob_encap *red_blob_req =
+ &skreq->req_u.sk_red_blob_encap;
+ u32 *desc = skreq->hwdesc;
+
+ init_job_desc(desc, 0);
+
+ /* Load class 2 key with key modifier. */
+ append_key_as_imm(desc, key_modifier, key_modifier_len,
+ key_modifier_len, CLASS_2 | KEY_DEST_CLASS_REG);
+
+ /* SEQ IN PTR Command. */
+ append_seq_in_ptr(desc, red_blob_desc->in_data, red_blob_req->data_sz,
+ 0);
+
+ /* SEQ OUT PTR Command. */
+ append_seq_out_ptr(desc, red_blob_desc->redblob,
+ red_blob_req->redblob_sz, 0);
+
+ /* RedBlob encapsulation PROTOCOL Command. */
+ append_operation(desc, OP_TYPE_ENCAP_PROTOCOL | OP_PCLID_BLOB);
+}
+
+/* void caam_sk_redblob_decap_desc(struct sk_req *skreq, struct sk_desc *skdesc)
+ * brief CAAM Descriptor creator from redblob to plaindata.
+ * param[in] skreq Pointer to secure key request structure
+ * param[in] skdesc Pointer to secure key descriptor structure
+ */
+void caam_sk_redblob_decap_desc(struct sk_req *skreq, struct sk_desc *skdesc)
+{
+ struct redblob_decap_desc *red_blob_desc =
+ &skdesc->dma_u.redblob_decapdesc;
+ struct sk_red_blob_decap *red_blob_req =
+ &skreq->req_u.sk_red_blob_decap;
+ u32 *desc = skreq->hwdesc;
+
+ init_job_desc(desc, 0);
+
+ /* Load class 2 key with key modifier. */
+ append_key_as_imm(desc, key_modifier, key_modifier_len,
+ key_modifier_len, CLASS_2 | KEY_DEST_CLASS_REG);
+
+ /* SEQ IN PTR Command. */
+ append_seq_in_ptr(desc, red_blob_desc->redblob,
+ red_blob_req->redblob_sz, 0);
+
+ /* SEQ OUT PTR Command. */
+ append_seq_out_ptr(desc, red_blob_desc->out_data,
+ red_blob_req->data_sz, 0);
+
+ /* RedBlob decapsulation PROTOCOL Command. */
+ append_operation(desc, OP_TYPE_DECAP_PROTOCOL | OP_PCLID_BLOB);
+}
+
+/* int caam_sk_get_random_map(struct device *dev, struct sk_req *req,
+ * struct sk_desc *skdesc)
+ * brief DMA map the buffer virtual pointers to physical address.
+ * param[in] dev Pointer to job ring device structure
+ * param[in] req Pointer to secure key request structure
+ * param[in] skdesc Pointer to secure key descriptor structure
+ * return 0 on success, error value otherwise.
+ */
+int caam_sk_get_random_map(struct device *dev, struct sk_req *req,
+ struct sk_desc *skdesc)
+{
+ struct sk_fetch_rnd_data *fetch_rnd_data;
+ struct random_desc *rnd_desc;
+
+ fetch_rnd_data = &req->req_u.sk_fetch_rnd_data;
+ rnd_desc = &skdesc->dma_u.random_descp;
+
+ rnd_desc->rnd_data = dma_map_single(dev, fetch_rnd_data->data,
+ fetch_rnd_data->key_len, DMA_FROM_DEVICE);
+
+ if (dma_mapping_error(dev, rnd_desc->rnd_data)) {
+ dev_err(dev, "Unable to map memory\n");
+ goto sk_random_map_fail;
+ }
+ return 0;
+
+sk_random_map_fail:
+ return -ENOMEM;
+}
+
+/* int caam_sk_redblob_encap_map(struct device *dev, struct sk_req *req,
+ * struct sk_desc *skdesc)
+ * brief DMA map the buffer virtual pointers to physical address.
+ * param[in] dev Pointer to job ring device structure
+ * param[in] req Pointer to secure key request structure
+ * param[in] skdesc Pointer to secure key descriptor structure
+ * return 0 on success, error value otherwise.
+ */
+int caam_sk_redblob_encap_map(struct device *dev, struct sk_req *req,
+ struct sk_desc *skdesc)
+{
+ struct sk_red_blob_encap *red_blob_encap;
+ struct redblob_encap_desc *red_blob_desc;
+
+ red_blob_encap = &req->req_u.sk_red_blob_encap;
+ red_blob_desc = &skdesc->dma_u.redblob_encapdesc;
+
+ red_blob_desc->in_data = dma_map_single(dev, red_blob_encap->data,
+ red_blob_encap->data_sz, DMA_TO_DEVICE);
+ if (dma_mapping_error(dev, red_blob_desc->in_data)) {
+ dev_err(dev, "Unable to map memory\n");
+ goto sk_data_fail;
+ }
+
+ red_blob_desc->redblob = dma_map_single(dev, red_blob_encap->redblob,
+ red_blob_encap->redblob_sz, DMA_FROM_DEVICE);
+ if (dma_mapping_error(dev, red_blob_desc->redblob)) {
+ dev_err(dev, "Unable to map memory\n");
+ goto sk_redblob_fail;
+ }
+
+ return 0;
+
+sk_redblob_fail:
+ dma_unmap_single(dev, red_blob_desc->in_data, red_blob_encap->data_sz,
+ DMA_TO_DEVICE);
+sk_data_fail:
+ return -ENOMEM;
+}
+
+/* static int caam_sk_redblob_decap_map(struct device *dev,
+ * struct sk_req *req,
+ * struct sk_desc *skdesc)
+ * brief DMA map the buffer virtual pointers to physical address.
+ * param[in] dev Pointer to job ring device structure
+ * param[in] req Pointer to secure key request structure
+ * param[in] skdesc Pointer to secure key descriptor structure
+ * return 0 on success, error value otherwise.
+ */
+int caam_sk_redblob_decap_map(struct device *dev, struct sk_req *req,
+ struct sk_desc *skdesc)
+{
+ struct sk_red_blob_decap *red_blob_decap;
+ struct redblob_decap_desc *red_blob_desc;
+
+ red_blob_decap = &req->req_u.sk_red_blob_decap;
+ red_blob_desc = &skdesc->dma_u.redblob_decapdesc;
+
+ red_blob_desc->redblob = dma_map_single(dev, red_blob_decap->redblob,
+ red_blob_decap->redblob_sz, DMA_TO_DEVICE);
+ if (dma_mapping_error(dev, red_blob_desc->redblob)) {
+ dev_err(dev, "Unable to map memory\n");
+ goto sk_redblob_fail;
+ }
+
+ red_blob_desc->out_data = dma_map_single(dev, red_blob_decap->data,
+ red_blob_decap->data_sz, DMA_FROM_DEVICE);
+ if (dma_mapping_error(dev, red_blob_desc->out_data)) {
+ dev_err(dev, "Unable to map memory\n");
+ goto sk_data_fail;
+ }
+
+ return 0;
+
+sk_data_fail:
+ dma_unmap_single(dev, red_blob_desc->redblob,
+ red_blob_decap->redblob_sz, DMA_TO_DEVICE);
+sk_redblob_fail:
+ return -ENOMEM;
+}
+
+/* @fn void securekey_unmap(struct device *dev,
+ * struct sk_desc *skdesc, struct sk_req *req)
+ * @brief DMA unmap the buffer pointers.
+ * @param[in] dev Pointer to job ring device structure
+ * @param[in] skdesc Pointer to secure key descriptor structure
+ * @param[in] req Pointer to secure key request structure
+ */
+void securekey_unmap(struct device *dev,
+ struct sk_desc *skdesc, struct sk_req *req)
+{
+
+ switch (req->type) {
+ case sk_get_random:
+ {
+ struct sk_fetch_rnd_data *fetch_rnd_data;
+ struct random_desc *rnd_desc;
+
+ fetch_rnd_data = &req->req_u.sk_fetch_rnd_data;
+ rnd_desc = &skdesc->dma_u.random_descp;
+
+ /* Unmap Descriptor buffer pointers. */
+ dma_unmap_single(dev, rnd_desc->rnd_data,
+ fetch_rnd_data->key_len,
+ DMA_FROM_DEVICE);
+ break;
+ }
+ case sk_red_blob_enc:
+ {
+ struct sk_red_blob_encap *red_blob_encap;
+ struct redblob_encap_desc *red_blob_desc;
+
+ red_blob_encap = &req->req_u.sk_red_blob_encap;
+ red_blob_desc = &skdesc->dma_u.redblob_encapdesc;
+
+ /* Unmap Descriptor buffer pointers. */
+ dma_unmap_single(dev, red_blob_desc->in_data,
+ red_blob_encap->data_sz,
+ DMA_TO_DEVICE);
+
+ dma_unmap_single(dev, red_blob_desc->redblob,
+ red_blob_encap->redblob_sz,
+ DMA_FROM_DEVICE);
+
+ break;
+ }
+ case sk_red_blob_dec:
+ {
+ struct sk_red_blob_decap *red_blob_decap;
+ struct redblob_decap_desc *red_blob_desc;
+
+ red_blob_decap = &req->req_u.sk_red_blob_decap;
+ red_blob_desc = &skdesc->dma_u.redblob_decapdesc;
+
+ /* Unmap Descriptor buffer pointers. */
+ dma_unmap_single(dev, red_blob_desc->redblob,
+ red_blob_decap->redblob_sz,
+ DMA_TO_DEVICE);
+
+ dma_unmap_single(dev, red_blob_desc->out_data,
+ red_blob_decap->data_sz,
+ DMA_FROM_DEVICE);
+
+ break;
+ }
+ default:
+ dev_err(dev, "Unable to find request type\n");
+ break;
+ }
+ kfree(skdesc);
+}
+
+/* int caam_securekey_desc_init(struct device *dev, struct sk_req *req)
+ * brief CAAM Descriptor creator for secure key operations.
+ * param[in] dev Pointer to job ring device structure
+ * param[in] req Pointer to secure key request structure
+ * return 0 on success, error value otherwise.
+ */
+int caam_securekey_desc_init(struct device *dev, struct sk_req *req)
+{
+ struct sk_desc *skdesc = NULL;
+ int ret = 0;
+
+ switch (req->type) {
+ case sk_get_random:
+ {
+ skdesc = kmalloc(sizeof(*skdesc), GFP_DMA);
+ if (!skdesc) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ skdesc->req_type = req->type;
+
+ if (caam_sk_get_random_map(dev, req, skdesc)) {
+ dev_err(dev, "caam get_random map fail\n");
+ ret = -ENOMEM;
+ goto out;
+ }
+ caam_sk_rng_desc(req, skdesc);
+ break;
+ }
+ case sk_red_blob_enc:
+ {
+ skdesc = kmalloc(sizeof(*skdesc), GFP_DMA);
+ if (!skdesc) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ skdesc->req_type = req->type;
+
+ if (caam_sk_redblob_encap_map(dev, req, skdesc)) {
+ dev_err(dev, "caam redblob_encap map fail\n");
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ /* Descriptor function to create redblob from data. */
+ caam_sk_redblob_encap_desc(req, skdesc);
+ break;
+ }
+
+ case sk_red_blob_dec:
+ {
+ skdesc = kmalloc(sizeof(*skdesc), GFP_DMA);
+ if (!skdesc) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ skdesc->req_type = req->type;
+
+ if (caam_sk_redblob_decap_map(dev, req, skdesc)) {
+ dev_err(dev, "caam redblob_decap map fail\n");
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ /* Descriptor function to decap data from redblob. */
+ caam_sk_redblob_decap_desc(req, skdesc);
+ break;
+ }
+ default:
+ pr_debug("Unknown request type\n");
+ ret = -EINVAL;
+ goto out;
+ }
+
+ req->desc_pointer = (void *)skdesc;
+
+out:
+ return ret;
+}
+
+/* static void caam_op_done (struct device *dev, u32 *desc, u32 ret,
+ * void *context)
+ * brief callback function to be called when descriptor executed.
+ * param[in] dev Pointer to device structure
+ * param[in] desc descriptor pointer
+ * param[in] ret return status of Job submitted
+ * param[in] context void pointer
+ */
+static void caam_op_done(struct device *dev, u32 *desc, u32 ret,
+ void *context)
+{
+ struct sk_req *req = context;
+
+ if (ret) {
+ dev_err(dev, "caam op done err: %x\n", ret);
+ /* print the error source name. */
+ caam_jr_strstatus(dev, ret);
+ }
+ /* Call securekey_unmap function for unmapping the buffer pointers. */
+ securekey_unmap(dev, req->desc_pointer, req);
+
+ req->ret = ret;
+ complete(&req->comp);
+}
+
+
+/* static int sk_job_submit(struct device *jrdev, struct sk_req *req)
+ * brief Enqueue a Job descriptor to Job ring and wait until SEC returns.
+ * param[in] jrdev Pointer to job ring device structure
+ * param[in] req Pointer to secure key request structure
+ * return 0 on success, error value otherwise.
+ */
+static int sk_job_submit(struct device *jrdev, struct sk_req *req)
+{
+ int ret;
+
+ init_completion(&req->comp);
+
+ /* caam_jr_enqueue function for Enqueue a job descriptor */
+ ret = caam_jr_enqueue(jrdev, req->hwdesc, caam_op_done, req);
+ if (!ret)
+ wait_for_completion_interruptible(&req->comp);
+
+ ret = req->ret;
+ return ret;
+}
+
+/* caam_get_random(struct secure_key_payload *p, enum sk_req_type fetch_rnd,
+ * struct device *dev)
+ * Create the random number of the specified length using CAAM block
+ * param[in]: out pointer to place the random bytes
+ * param[in]: length for the random data bytes.
+ * param[in]: dev Pointer to job ring device structure
+ * If operation is successful return 0, otherwise error.
+ */
+int caam_get_random(struct secure_key_payload *p, enum sk_req_type fetch_rnd,
+ struct device *dev)
+{
+ struct sk_fetch_rnd_data *fetch_rnd_data = NULL;
+ struct sk_req *req = NULL;
+ int ret = 0;
+ void *temp = NULL;
+
+ req = kmalloc(sizeof(struct sk_req), GFP_DMA);
+ if (!req) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ req->type = fetch_rnd;
+ fetch_rnd_data = &(req->req_u.sk_fetch_rnd_data);
+
+ /* initialise with key length */
+ fetch_rnd_data->key_len = p->key_len;
+
+ temp = kmalloc(fetch_rnd_data->key_len, GFP_DMA);
+ if (!temp) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ fetch_rnd_data->data = temp;
+
+ ret = caam_securekey_desc_init(dev, req);
+
+ if (ret) {
+ pr_info("caam_securekey_desc_init failed\n");
+ goto out;
+ }
+
+ ret = sk_job_submit(dev, req);
+ if (!ret) {
+ /*Copy output to key buffer. */
+ memcpy(p->key, fetch_rnd_data->data, p->key_len);
+ } else {
+ ret = -EINVAL;
+ }
+
+out:
+ if (req)
+ kfree(req);
+
+ if (temp)
+ kfree(temp);
+
+ return ret;
+}
+EXPORT_SYMBOL(caam_get_random);
+
+/* key_deblob(struct secure_key_payload *p, enum sk_req_type decap_type
+ * struct device *dev)
+ * Deblobify the blob to get the key data and fill in secure key payload struct
+ * param[in] p pointer to the secure key payload
+ * param[in] decap_type operation to be done.
+ * param[in] dev dev Pointer to job ring device structure
+ * If operation is successful return 0, otherwise error.
+ */
+int key_deblob(struct secure_key_payload *p, enum sk_req_type decap_type,
+ struct device *dev)
+{
+ unsigned int blob_len;
+ struct sk_red_blob_decap *d_blob;
+ struct sk_req *req = NULL;
+ int total_sz = 0, *temp = NULL, ret = 0;
+
+ req = kmalloc(sizeof(struct sk_req), GFP_DMA);
+ if (!req) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ d_blob = &(req->req_u.sk_red_blob_decap);
+ blob_len = p->blob_len;
+ req->type = decap_type;
+
+ /*
+ * Red blob size is the blob_len filled in payload struct
+ * Data_sz i.e. key is the blob_len - blob header size
+ */
+
+ d_blob->redblob_sz = blob_len;
+ d_blob->data_sz = blob_len - (SK_BLOB_KEY_SZ + SK_BLOB_MAC_SZ);
+ total_sz = d_blob->data_sz + d_blob->redblob_sz;
+
+ temp = kmalloc(total_sz, GFP_DMA);
+ if (!temp) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ req->mem_pointer = temp;
+ d_blob->redblob = temp;
+ d_blob->data = d_blob->redblob + d_blob->redblob_sz;
+ memcpy(d_blob->redblob, p->blob, blob_len);
+
+ ret = caam_securekey_desc_init(dev, req);
+
+ if (ret) {
+ pr_info("caam_securekey_desc_init: Failed\n");
+ goto out;
+ }
+
+ ret = sk_job_submit(dev, req);
+ if (!ret) {
+ /*Copy output to key buffer. */
+ p->key_len = d_blob->data_sz;
+ memcpy(p->key, d_blob->data, p->key_len);
+ } else {
+ ret = -EINVAL;
+ }
+
+out:
+ if (temp)
+ kfree(temp);
+ if (req)
+ kfree(req);
+ return ret;
+}
+EXPORT_SYMBOL(key_deblob);
+
+/* key_blob(struct secure_key_payload *p, enum sk_req_type encap_type,
+ * struct device *dev)
+ * To blobify the key data to get the blob. This blob can only be seen by
+ * userspace.
+ * param[in] p pointer to the secure key payload
+ * param[in] decap_type operation to be done.
+ * param[in] dev dev Pointer to job ring device structure
+ * If operation is successful return 0, otherwise error.
+ */
+int key_blob(struct secure_key_payload *p, enum sk_req_type encap_type,
+ struct device *dev)
+{
+ unsigned int key_len;
+ struct sk_red_blob_encap *k_blob;
+ struct sk_req *req = NULL;
+ int total_sz = 0, *temp = NULL, ret = 0;
+
+ req = kmalloc(sizeof(struct sk_req), GFP_DMA);
+ if (!req) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ key_len = p->key_len;
+
+ req->type = encap_type;
+ k_blob = &(req->req_u.sk_red_blob_encap);
+
+ /*
+ * Data_sz i.e. key len and the corresponding blob_len is
+ * key_len + BLOB header size.
+ */
+
+ k_blob->data_sz = key_len;
+ k_blob->redblob_sz = key_len + SK_BLOB_KEY_SZ + SK_BLOB_MAC_SZ;
+ total_sz = k_blob->data_sz + k_blob->redblob_sz;
+
+ temp = kmalloc(total_sz, GFP_DMA);
+ if (!temp) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ req->mem_pointer = temp;
+ k_blob->data = temp;
+
+ k_blob->redblob = k_blob->data + k_blob->data_sz;
+ memcpy(k_blob->data, p->key, key_len);
+
+ ret = caam_securekey_desc_init(dev, req);
+
+ if (ret) {
+ pr_info("caam_securekey_desc_init failed\n");
+ goto out;
+ }
+
+ ret = sk_job_submit(dev, req);
+ if (!ret) {
+ /*Copy output to key buffer. */
+ p->blob_len = k_blob->redblob_sz;
+ memcpy(p->blob, k_blob->redblob, p->blob_len);
+ } else {
+ ret = -EINVAL;
+ }
+
+out:
+ if (temp)
+ kfree(req->mem_pointer);
+ if (req)
+ kfree(req);
+ return ret;
+
+}
+EXPORT_SYMBOL(key_blob);
--- /dev/null
+++ b/security/keys/securekey_desc.h
@@ -0,0 +1,141 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright 2018 NXP
+ *
+ */
+#ifndef _SECUREKEY_DESC_H_
+#define _SECUREKEY_DESC_H_
+
+#include "compat.h"
+#include "regs.h"
+#include "intern.h"
+#include "desc.h"
+#include "desc_constr.h"
+#include "jr.h"
+#include "error.h"
+#include "pdb.h"
+
+#define SK_BLOB_KEY_SZ 32 /* Blob key size. */
+#define SK_BLOB_MAC_SZ 16 /* Blob MAC size. */
+
+/*
+ * brief defines different kinds of operations supported by this module.
+ */
+enum sk_req_type {
+ sk_get_random,
+ sk_red_blob_enc,
+ sk_red_blob_dec,
+};
+
+
+/*
+ * struct random_des
+ * param[out] rnd_data output buffer for random data.
+ */
+struct random_desc {
+ dma_addr_t rnd_data;
+};
+
+/* struct redblob_encap_desc
+ * details Structure containing dma address for redblob encapsulation.
+ * param[in] in_data input data to redblob encap descriptor.
+ * param[out] redblob output buffer for redblob.
+ */
+struct redblob_encap_desc {
+ dma_addr_t in_data;
+ dma_addr_t redblob;
+};
+
+/* struct redblob_decap_desc
+ * details Structure containing dma address for redblob decapsulation.
+ * param[in] redblob input buffer to redblob decap descriptor.
+ * param[out] out_data output data from redblob decap descriptor.
+ */
+struct redblob_decap_desc {
+ dma_addr_t redblob;
+ dma_addr_t out_data;
+};
+
+/* struct sk_desc
+ * details Structure for securekey descriptor creation.
+ * param[in] req_type operation supported.
+ * param[in] dma_u union of struct for supported operation.
+ */
+struct sk_desc {
+ u32 req_type;
+ union {
+ struct redblob_encap_desc redblob_encapdesc;
+ struct redblob_decap_desc redblob_decapdesc;
+ struct random_desc random_descp;
+ } dma_u;
+};
+
+/* struct sk_fetch_rnd_data
+ * decriptor structure containing key length.
+ */
+struct sk_fetch_rnd_data {
+ void *data;
+ size_t key_len;
+};
+
+/* struct sk_red_blob_encap
+ * details Structure containing buffer pointers for redblob encapsulation.
+ * param[in] data Input data.
+ * param[in] data_sz size of Input data.
+ * param[out] redblob output buffer for redblob.
+ * param[in] redblob_sz size of redblob.
+ */
+struct sk_red_blob_encap {
+ void *data;
+ uint32_t data_sz;
+ void *redblob;
+ uint32_t redblob_sz;
+};
+
+/* struct sk_red_blob_decap
+ * details Structure containing buffer pointers for redblob decapsulation.
+ * param[in] redblob Input redblob.
+ * param[in] redblob_sz size of redblob.
+ * param[out] data output buffer for data.
+ * param[in] data_sz size of output data.
+ */
+struct sk_red_blob_decap {
+ void *redblob;
+ uint32_t redblob_sz;
+ void *data;
+ uint32_t data_sz;
+};
+
+/* struct sk_req
+ * details Structure for securekey request creation.
+ * param[in] type operation supported.
+ * param[in] req_u union of struct for supported operation.
+ * param[out] ret return status of CAAM operation.
+ * param[in] mem_pointer memory pointer for allocated kernel memory.
+ * param[in] desc_pointer Pointer to securekey descriptor creation structure.
+ * param[in] comp struct completion object.
+ * param[in] hwdesc contains descriptor instructions.
+ */
+struct sk_req {
+ enum sk_req_type type;
+ void *arg;
+ union {
+ struct sk_red_blob_encap sk_red_blob_encap;
+ struct sk_red_blob_decap sk_red_blob_decap;
+ struct sk_fetch_rnd_data sk_fetch_rnd_data;
+ } req_u;
+ int ret;
+ void *mem_pointer;
+ void *desc_pointer;
+ struct completion comp;
+ u32 hwdesc[MAX_CAAM_DESCSIZE];
+};
+
+int caam_get_random(struct secure_key_payload *p, enum sk_req_type fetch_rnd,
+ struct device *dev);
+int key_blob(struct secure_key_payload *p, enum sk_req_type encap_type,
+ struct device *dev);
+int key_deblob(struct secure_key_payload *p, enum sk_req_type decap_type,
+ struct device *dev);
+
+#endif /*_SECUREKEY_DESC_H_*/
|