summaryrefslogtreecommitdiff
path: root/include
diff options
context:
space:
mode:
authorRaul Cardenas <Ulises.Cardenas@freescale.com>2015-02-27 11:22:06 -0600
committerStefano Babic <sbabic@denx.de>2015-03-02 09:57:06 +0100
commit0200020bc2b8192c31dc57c600865267f51bface (patch)
tree77e47e958773096b7cb53c20a0c6a1f4d83e46d8 /include
parentb5cd10b911f632f74e1211ef786989781d2a1ca1 (diff)
downloadu-boot-imx-0200020bc2b8192c31dc57c600865267f51bface.zip
u-boot-imx-0200020bc2b8192c31dc57c600865267f51bface.tar.gz
u-boot-imx-0200020bc2b8192c31dc57c600865267f51bface.tar.bz2
imx6: Added DEK blob generator command
Freescale's SEC block has built-in Data Encryption Key(DEK) Blob Protocol which provides a method for protecting a DEK for non-secure memory storage. SEC block protects data in a data structure called a Secret Key Blob, which provides both confidentiality and integrity protection. Every time the blob encapsulation is executed, a AES-256 key is randomly generated to encrypt the DEK. This key is encrypted with the OTP Secret key from SoC. The resulting blob consists of the encrypted AES-256 key, the encrypted DEK, and a 16-bit MAC. During decapsulation, the reverse process is performed to get back the original DEK. A caveat to the blob decapsulation process, is that the DEK is decrypted in secure-memory and can only be read by FSL SEC HW. The DEK is used to decrypt data during encrypted boot. Commands added -------------- dek_blob - encapsulating DEK as a cryptgraphic blob Commands Syntax --------------- dek_blob src dst len Encapsulate and create blob of a len-bits DEK at address src and store the result at address dst. Signed-off-by: Raul Cardenas <Ulises.Cardenas@freescale.com> Signed-off-by: Nitin Garg <nitin.garg@freescale.com> Signed-off-by: Ulises Cardenas <ulises.cardenas@freescale.com> Signed-off-by: Ulises Cardenas-B45798 <Ulises.Cardenas@freescale.com>
Diffstat (limited to 'include')
-rw-r--r--include/fsl_sec.h78
1 files changed, 75 insertions, 3 deletions
diff --git a/include/fsl_sec.h b/include/fsl_sec.h
index b6e6f04..dbfae68 100644
--- a/include/fsl_sec.h
+++ b/include/fsl_sec.h
@@ -135,7 +135,7 @@ typedef struct ccsr_sec {
#define CONFIG_JRSTARTR_JR0 0x00000001
struct jr_regs {
-#ifdef CONFIG_SYS_FSL_SEC_LE
+#if defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)
u32 irba_l;
u32 irba_h;
#else
@@ -148,7 +148,7 @@ struct jr_regs {
u32 irsa;
u32 rsvd3;
u32 irja;
-#ifdef CONFIG_SYS_FSL_SEC_LE
+#if defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)
u32 orba_l;
u32 orba_h;
#else
@@ -180,7 +180,7 @@ struct jr_regs {
* related information
*/
struct sg_entry {
-#ifdef CONFIG_SYS_FSL_SEC_LE
+#ifdef defined(CONFIG_SYS_FSL_SEC_LE) && !defined(CONFIG_MX6)
uint32_t addr_lo; /* Memory Address - lo */
uint16_t addr_hi; /* Memory Address of start of buffer - hi */
uint16_t reserved_zero;
@@ -201,7 +201,79 @@ struct sg_entry {
#define SG_ENTRY_OFFSET_SHIFT 0
};
+#ifdef CONFIG_MX6
+/* CAAM Job Ring 0 Registers */
+/* Secure Memory Partition Owner register */
+#define SMCSJR_PO (3 << 6)
+/* JR Allocation Error */
+#define SMCSJR_AERR (3 << 12)
+/* Secure memory partition 0 page 0 owner register */
+#define CAAM_SMPO_0 CONFIG_SYS_FSL_SEC_ADDR + 0x1FBC
+/* Secure memory command register */
+#define CAAM_SMCJR0 CONFIG_SYS_FSL_SEC_ADDR + 0x10f4
+/* Secure memory command status register */
+#define CAAM_SMCSJR0 CONFIG_SYS_FSL_SEC_ADDR + 0x10fc
+/* Secure memory access permissions register */
+#define CAAM_SMAPJR0(y) (CONFIG_SYS_FSL_SEC_ADDR + 0x1104 + y*16)
+/* Secure memory access group 2 register */
+#define CAAM_SMAG2JR0(y) (CONFIG_SYS_FSL_SEC_ADDR + 0x1108 + y*16)
+/* Secure memory access group 1 register */
+#define CAAM_SMAG1JR0(y) (CONFIG_SYS_FSL_SEC_ADDR + 0x110C + y*16)
+
+/* Commands and macros for secure memory */
+#define CMD_PAGE_ALLOC 0x1
+#define CMD_PAGE_DEALLOC 0x2
+#define CMD_PART_DEALLOC 0x3
+#define CMD_INQUIRY 0x5
+#define CMD_COMPLETE (3 << 14)
+#define PAGE_AVAILABLE 0
+#define PAGE_OWNED (3 << 6)
+#define PAGE(x) (x << 16)
+#define PARTITION(x) (x << 8)
+#define PARTITION_OWNER(x) (0x3 << (x*2))
+
+/* Address of secure 4kbyte pages */
+#define SEC_MEM_PAGE0 CAAM_ARB_BASE_ADDR
+#define SEC_MEM_PAGE1 (CAAM_ARB_BASE_ADDR + 0x1000)
+#define SEC_MEM_PAGE2 (CAAM_ARB_BASE_ADDR + 0x2000)
+#define SEC_MEM_PAGE3 (CAAM_ARB_BASE_ADDR + 0x3000)
+
+#define JR_MID 2 /* Matches ROM configuration */
+#define KS_G1 (1 << JR_MID) /* CAAM only */
+#define PERM 0x0000B008 /* Clear on release, lock SMAP
+ * lock SMAG group 1 Blob */
+
+#define BLOB_SIZE(x) (x + 32 + 16) /* Blob buffer size */
+
+/* HAB WRAPPED KEY header */
+#define WRP_HDR_SIZE 0x08
+#define HDR_TAG 0x81
+#define HDR_PAR 0x41
+/* HAB WRAPPED KEY Data */
+#define HAB_MOD 0x66
+#define HAB_ALG 0x55
+#define HAB_FLG 0x00
+
+/* Partition and Page IDs */
+#define PARTITION_1 1
+#define PAGE_1 1
+
+#define ERROR_IN_PAGE_ALLOC 1
+#define ECONSTRJDESC -1
+
+#endif
+
int sec_init(void);
+
+/* blob_dek:
+ * Encapsulates the src in a secure blob and stores it dst
+ * @src: reference to the plaintext
+ * @dst: reference to the output adrress
+ * @len: size in bytes of src
+ * @return: 0 on success, error otherwise
+ */
+int blob_dek(const u8 *src, u8 *dst, u8 len);
+
#endif
#endif /* __FSL_SEC_H */