author | Raul Cardenas <Ulises.Cardenas@freescale.com> | 2015-02-27 11:22:06 -0600 |
---|---|---|
committer | Stefano Babic <sbabic@denx.de> | 2015-03-02 09:57:06 +0100 |
commit | 0200020bc2b8192c31dc57c600865267f51bface (patch) | |
tree | 77e47e958773096b7cb53c20a0c6a1f4d83e46d8 /include | |
parent | b5cd10b911f632f74e1211ef786989781d2a1ca1 (diff) | |
imx6: Added DEK blob generator command
Freescale's SEC block has built-in Data Encryption
Key(DEK) Blob Protocol which provides a method for
protecting a DEK for non-secure memory storage.
SEC block protects data in a data structure called
a Secret Key Blob, which provides both confidentiality
and integrity protection.
Every time the blob encapsulation is executed,
a AES-256 key is randomly generated to encrypt the DEK.
This key is encrypted with the OTP Secret key
from SoC. The resulting blob consists of the encrypted
AES-256 key, the encrypted DEK, and a 16-bit MAC.
During decapsulation, the reverse process is performed
to get back the original DEK. A caveat to the blob
decapsulation process, is that the DEK is decrypted
in secure-memory and can only be read by FSL SEC HW.
The DEK is used to decrypt data during encrypted boot.
Commands added
--------------
dek_blob - encapsulating DEK as a cryptographic blob
Commands Syntax
---------------
dek_blob src dst len
Encapsulate and create blob of a len-bits DEK at
address src and store the result at address dst.
Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com>
Signed-off-by: Nitin Garg <nitin.garg@freescale.com>
Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com>
Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/fsl_sec.h | 78 |
1 files changed, 75 insertions, 3 deletions
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index b6e6f04..dbfae68 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -135,7 +135,7 @@ typedef struct ccsr_sec {
 #define CONFIG_JRSTARTR_JR0 0x00000001
 struct jr_regs {
-#ifdef CONFIG_SYS_FSL_SEC_LE
+#if defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)
 u32 irba_l;
 u32 irba_h;
 #else
@@ -148,7 +148,7 @@ struct jr_regs {
 u32 irsa;
 u32 rsvd3;
 u32 irja;
-#ifdef CONFIG_SYS_FSL_SEC_LE
+#if defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)
 u32 orba_l;
 u32 orba_h;
 #else
@@ -180,7 +180,7 @@ struct jr_regs {
 * related information
 */
 struct sg_entry {
-#ifdef CONFIG_SYS_FSL_SEC_LE
+#ifdef defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)
 uint32_t addr_lo; /* Memory Address - lo */
 uint16_t addr_hi; /* Memory Address of start of buffer - hi */
 uint16_t reserved_zero;
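Review bot: The `struct sg_entry` guard is written `#ifdef defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)`, which is not the same test as the two `struct jr_regs` guards changed above it. `#ifdef` takes a single identifier, so it tests for a macro named `defined` and the rest of the line is not evaluated as an expression (a compiler will typically only warn about extra tokens). The little-endian field order would then never be selected, and a little-endian SEC that is not MX6 would get the `#else` layout for its scatter/gather entries. The line should read `#if defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)`. The struct body continues outside the hunk.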
@@ -201,7 +201,79 @@ struct sg_entry {
 #define SG_ENTRY_OFFSET_SHIFT 0
 };
+#ifdef CONFIG_MX6
+/* CAAM Job Ring 0 Registers */
+/* Secure Memory Partition Owner register */
+#define SMCSJR_PO (3 << 6)
+/* JR Allocation Error */
+#define SMCSJR_AERR (3 << 12)
+/* Secure memory partition 0 page 0 owner register */
+#define CAAM_SMPO_0 CONFIG_SYS_FSL_SEC_ADDR + 0x1FBC
+/* Secure memory command register */
+#define CAAM_SMCJR0 CONFIG_SYS_FSL_SEC_ADDR + 0x10f4
+/* Secure memory command status register */
+#define CAAM_SMCSJR0 CONFIG_SYS_FSL_SEC_ADDR + 0x10fc
+/* Secure memory access permissions register */
+#define CAAM_SMAPJR0(y) (CONFIG_SYS_FSL_SEC_ADDR + 0x1104 + y*16)
+/* Secure memory access group 2 register */
+#define CAAM_SMAG2JR0(y) (CONFIG_SYS_FSL_SEC_ADDR + 0x1108 + y*16)
+/* Secure memory access group 1 register */
+#define CAAM_SMAG1JR0(y) (CONFIG_SYS_FSL_SEC_ADDR + 0x110C + y*16)
+
+/* Commands and macros for secure memory */
+#define CMD_PAGE_ALLOC 0x1
+#define CMD_PAGE_DEALLOC 0x2
+#define CMD_PART_DEALLOC 0x3
+#define CMD_INQUIRY 0x5
+#define CMD_COMPLETE (3 << 14)
+#define PAGE_AVAILABLE 0
+#define PAGE_OWNED (3 << 6)
+#define PAGE(x) (x << 16)
+#define PARTITION(x) (x << 8)
+#define PARTITION_OWNER(x) (0x3 << (x*2))
+
+/* Address of secure 4kbyte pages */
+#define SEC_MEM_PAGE0 CAAM_ARB_BASE_ADDR
+#define SEC_MEM_PAGE1 (CAAM_ARB_BASE_ADDR + 0x1000)
+#define SEC_MEM_PAGE2 (CAAM_ARB_BASE_ADDR + 0x2000)
+#define SEC_MEM_PAGE3 (CAAM_ARB_BASE_ADDR + 0x3000)
+
+#define JR_MID 2 /* Matches ROM configuration */
+#define KS_G1 (1 << JR_MID) /* CAAM only */
+#define PERM 0x0000B008 /* Clear on release, lock SMAP
+ * lock SMAG group 1 Blob */
+
+#define BLOB_SIZE(x) (x + 32 + 16) /* Blob buffer size */
+
+/* HAB WRAPPED KEY header */
+#define WRP_HDR_SIZE 0x08
+#define HDR_TAG 0x81
+#define HDR_PAR 0x41
+/* HAB WRAPPED KEY Data */
+#define HAB_MOD 0x66
+#define HAB_ALG 0x55
+#define HAB_FLG 0x00
+
+/* Partition and Page IDs */
+#define PARTITION_1 1
+#define PAGE_1 1
+
+#define ERROR_IN_PAGE_ALLOC 1
+#define ECONSTRJDESC -1
+
+#endif
+
 int sec_init(void);
+
+/* blob_dek:
+ * Encapsulates the src in a secure blob and stores it dst
+ * @src: reference to the plaintext
+ * @dst: reference to the output adrress
+ * @len: size in bytes of src
+ * @return: 0 on success, error otherwise
+ */
+int blob_dek(const u8 *src, u8 *dst, u8 len);
+
 #endif
 #endif /* __FSL_SEC_H */ |
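Review bot: The `blob_dek` comment does not say how large `dst` must be, although the output is larger than the input: `BLOB_SIZE(x)` in this same hunk is `x + 32 + 16`, so a caller that sizes `dst` to `len` bytes would presumably be overrun. I would document it as `* @dst: output buffer, at least BLOB_SIZE(len) bytes` and correct the wording to `stores it at dst`. The comment gives `len` in bytes while the commit message describes a len-bits DEK, so the unit should be settled in one place. Separately, `CAAM_SMPO_0`, `CAAM_SMCJR0` and `CAAM_SMCSJR0` expand without outer parentheses, and `PAGE(x)`, `BLOB_SIZE(x)` and the `y*16` register macros do not parenthesize their argument; for example `#define CAAM_SMPO_0 (CONFIG_SYS_FSL_SEC_ADDR + 0x1FBC)` and `#define BLOB_SIZE(x) ((x) + 32 + 16)`.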