trusted_dcp.c 8.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Copyright (C) 2021 sigma star gmbh
  4. */
  5. #include <crypto/aead.h>
  6. #include <crypto/aes.h>
  7. #include <crypto/algapi.h>
  8. #include <crypto/gcm.h>
  9. #include <crypto/skcipher.h>
  10. #include <keys/trusted-type.h>
  11. #include <linux/key-type.h>
  12. #include <linux/module.h>
  13. #include <linux/printk.h>
  14. #include <linux/random.h>
  15. #include <linux/scatterlist.h>
  16. #include <soc/fsl/dcp.h>
  17. #define DCP_BLOB_VERSION 1
  18. #define DCP_BLOB_AUTHLEN 16
  19. /**
  20. * DOC: dcp blob format
  21. *
  22. * The Data Co-Processor (DCP) provides hardware-bound AES keys using its
  23. * AES encryption engine only. It does not provide direct key sealing/unsealing.
  24. * To make DCP hardware encryption keys usable as trust source, we define
  25. * our own custom format that uses a hardware-bound key to secure the sealing
  26. * key stored in the key blob.
  27. *
  28. * Whenever a new trusted key using DCP is generated, we generate a random 128-bit
  29. * blob encryption key (BEK) and 128-bit nonce. The BEK and nonce are used to
  30. * encrypt the trusted key payload using AES-128-GCM.
  31. *
  32. * The BEK itself is encrypted using the hardware-bound key using the DCP's AES
  33. * encryption engine with AES-128-ECB. The encrypted BEK, generated nonce,
  34. * BEK-encrypted payload and authentication tag make up the blob format together
  35. * with a version number, payload length and authentication tag.
  36. */
  37. /**
  38. * struct dcp_blob_fmt - DCP BLOB format.
  39. *
  40. * @fmt_version: Format version, currently being %1.
  41. * @blob_key: Random AES 128 key which is used to encrypt @payload,
  42. * @blob_key itself is encrypted with OTP or UNIQUE device key in
  43. * AES-128-ECB mode by DCP.
  44. * @nonce: Random nonce used for @payload encryption.
  45. * @payload_len: Length of the plain text @payload.
  46. * @payload: The payload itself, encrypted using AES-128-GCM and @blob_key,
  47. * GCM auth tag of size DCP_BLOB_AUTHLEN is attached at the end of it.
  48. *
  49. * The total size of a DCP BLOB is sizeof(struct dcp_blob_fmt) + @payload_len +
  50. * DCP_BLOB_AUTHLEN.
  51. */
  52. struct dcp_blob_fmt {
  53. __u8 fmt_version;
  54. __u8 blob_key[AES_KEYSIZE_128];
  55. __u8 nonce[AES_KEYSIZE_128];
  56. __le32 payload_len;
  57. __u8 payload[];
  58. } __packed;
  59. static bool use_otp_key;
  60. module_param_named(dcp_use_otp_key, use_otp_key, bool, 0);
  61. MODULE_PARM_DESC(dcp_use_otp_key, "Use OTP instead of UNIQUE key for sealing");
  62. static bool skip_zk_test;
  63. module_param_named(dcp_skip_zk_test, skip_zk_test, bool, 0);
  64. MODULE_PARM_DESC(dcp_skip_zk_test, "Don't test whether device keys are zero'ed");
  65. static unsigned int calc_blob_len(unsigned int payload_len)
  66. {
  67. return sizeof(struct dcp_blob_fmt) + payload_len + DCP_BLOB_AUTHLEN;
  68. }
  69. static int do_dcp_crypto(u8 *in, u8 *out, bool do_encrypt)
  70. {
  71. struct skcipher_request *req = NULL;
  72. struct scatterlist src_sg, dst_sg;
  73. struct crypto_skcipher *tfm;
  74. u8 paes_key[DCP_PAES_KEYSIZE];
  75. DECLARE_CRYPTO_WAIT(wait);
  76. int res = 0;
  77. if (use_otp_key)
  78. paes_key[0] = DCP_PAES_KEY_OTP;
  79. else
  80. paes_key[0] = DCP_PAES_KEY_UNIQUE;
  81. tfm = crypto_alloc_skcipher("ecb-paes-dcp", CRYPTO_ALG_INTERNAL,
  82. CRYPTO_ALG_INTERNAL);
  83. if (IS_ERR(tfm)) {
  84. res = PTR_ERR(tfm);
  85. tfm = NULL;
  86. goto out;
  87. }
  88. req = skcipher_request_alloc(tfm, GFP_NOFS);
  89. if (!req) {
  90. res = -ENOMEM;
  91. goto out;
  92. }
  93. skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
  94. CRYPTO_TFM_REQ_MAY_SLEEP,
  95. crypto_req_done, &wait);
  96. res = crypto_skcipher_setkey(tfm, paes_key, sizeof(paes_key));
  97. if (res < 0)
  98. goto out;
  99. sg_init_one(&src_sg, in, AES_KEYSIZE_128);
  100. sg_init_one(&dst_sg, out, AES_KEYSIZE_128);
  101. skcipher_request_set_crypt(req, &src_sg, &dst_sg, AES_KEYSIZE_128,
  102. NULL);
  103. if (do_encrypt)
  104. res = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
  105. else
  106. res = crypto_wait_req(crypto_skcipher_decrypt(req), &wait);
  107. out:
  108. skcipher_request_free(req);
  109. crypto_free_skcipher(tfm);
  110. return res;
  111. }
  112. static int do_aead_crypto(u8 *in, u8 *out, size_t len, u8 *key, u8 *nonce,
  113. bool do_encrypt)
  114. {
  115. struct aead_request *aead_req = NULL;
  116. struct scatterlist src_sg, dst_sg;
  117. struct crypto_aead *aead;
  118. int ret;
  119. DECLARE_CRYPTO_WAIT(wait);
  120. aead = crypto_alloc_aead("gcm(aes)", 0, CRYPTO_ALG_ASYNC);
  121. if (IS_ERR(aead)) {
  122. ret = PTR_ERR(aead);
  123. goto out;
  124. }
  125. ret = crypto_aead_setauthsize(aead, DCP_BLOB_AUTHLEN);
  126. if (ret < 0) {
  127. pr_err("Can't set crypto auth tag len: %d\n", ret);
  128. goto free_aead;
  129. }
  130. aead_req = aead_request_alloc(aead, GFP_KERNEL);
  131. if (!aead_req) {
  132. ret = -ENOMEM;
  133. goto free_aead;
  134. }
  135. sg_init_one(&src_sg, in, len);
  136. if (do_encrypt) {
  137. /*
  138. * If we encrypt our buffer has extra space for the auth tag.
  139. */
  140. sg_init_one(&dst_sg, out, len + DCP_BLOB_AUTHLEN);
  141. } else {
  142. sg_init_one(&dst_sg, out, len);
  143. }
  144. aead_request_set_crypt(aead_req, &src_sg, &dst_sg, len, nonce);
  145. aead_request_set_callback(aead_req, CRYPTO_TFM_REQ_MAY_SLEEP,
  146. crypto_req_done, &wait);
  147. aead_request_set_ad(aead_req, 0);
  148. if (crypto_aead_setkey(aead, key, AES_KEYSIZE_128)) {
  149. pr_err("Can't set crypto AEAD key\n");
  150. ret = -EINVAL;
  151. goto free_req;
  152. }
  153. if (do_encrypt)
  154. ret = crypto_wait_req(crypto_aead_encrypt(aead_req), &wait);
  155. else
  156. ret = crypto_wait_req(crypto_aead_decrypt(aead_req), &wait);
  157. free_req:
  158. aead_request_free(aead_req);
  159. free_aead:
  160. crypto_free_aead(aead);
  161. out:
  162. return ret;
  163. }
  164. static int decrypt_blob_key(u8 *encrypted_key, u8 *plain_key)
  165. {
  166. return do_dcp_crypto(encrypted_key, plain_key, false);
  167. }
  168. static int encrypt_blob_key(u8 *plain_key, u8 *encrypted_key)
  169. {
  170. return do_dcp_crypto(plain_key, encrypted_key, true);
  171. }
  172. static int trusted_dcp_seal(struct trusted_key_payload *p, char *datablob)
  173. {
  174. struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
  175. int blen, ret;
  176. u8 *plain_blob_key;
  177. blen = calc_blob_len(p->key_len);
  178. if (blen > MAX_BLOB_SIZE)
  179. return -E2BIG;
  180. plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL);
  181. if (!plain_blob_key)
  182. return -ENOMEM;
  183. b->fmt_version = DCP_BLOB_VERSION;
  184. get_random_bytes(b->nonce, AES_KEYSIZE_128);
  185. get_random_bytes(plain_blob_key, AES_KEYSIZE_128);
  186. ret = do_aead_crypto(p->key, b->payload, p->key_len, plain_blob_key,
  187. b->nonce, true);
  188. if (ret) {
  189. pr_err("Unable to encrypt blob payload: %i\n", ret);
  190. goto out;
  191. }
  192. ret = encrypt_blob_key(plain_blob_key, b->blob_key);
  193. if (ret) {
  194. pr_err("Unable to encrypt blob key: %i\n", ret);
  195. goto out;
  196. }
  197. put_unaligned_le32(p->key_len, &b->payload_len);
  198. p->blob_len = blen;
  199. ret = 0;
  200. out:
  201. memzero_explicit(plain_blob_key, AES_KEYSIZE_128);
  202. kfree(plain_blob_key);
  203. return ret;
  204. }
  205. static int trusted_dcp_unseal(struct trusted_key_payload *p, char *datablob)
  206. {
  207. struct dcp_blob_fmt *b = (struct dcp_blob_fmt *)p->blob;
  208. int blen, ret;
  209. u8 *plain_blob_key = NULL;
  210. if (b->fmt_version != DCP_BLOB_VERSION) {
  211. pr_err("DCP blob has bad version: %i, expected %i\n",
  212. b->fmt_version, DCP_BLOB_VERSION);
  213. ret = -EINVAL;
  214. goto out;
  215. }
  216. p->key_len = le32_to_cpu(b->payload_len);
  217. blen = calc_blob_len(p->key_len);
  218. if (blen != p->blob_len) {
  219. pr_err("DCP blob has bad length: %i != %i\n", blen,
  220. p->blob_len);
  221. ret = -EINVAL;
  222. goto out;
  223. }
  224. plain_blob_key = kmalloc(AES_KEYSIZE_128, GFP_KERNEL);
  225. if (!plain_blob_key) {
  226. ret = -ENOMEM;
  227. goto out;
  228. }
  229. ret = decrypt_blob_key(b->blob_key, plain_blob_key);
  230. if (ret) {
  231. pr_err("Unable to decrypt blob key: %i\n", ret);
  232. goto out;
  233. }
  234. ret = do_aead_crypto(b->payload, p->key, p->key_len + DCP_BLOB_AUTHLEN,
  235. plain_blob_key, b->nonce, false);
  236. if (ret) {
  237. pr_err("Unwrap of DCP payload failed: %i\n", ret);
  238. goto out;
  239. }
  240. ret = 0;
  241. out:
  242. if (plain_blob_key) {
  243. memzero_explicit(plain_blob_key, AES_KEYSIZE_128);
  244. kfree(plain_blob_key);
  245. }
  246. return ret;
  247. }
  248. static int test_for_zero_key(void)
  249. {
  250. /*
  251. * Encrypting a plaintext of all 0x55 bytes will yield
  252. * this ciphertext in case the DCP test key is used.
  253. */
  254. static const u8 bad[] = {0x9a, 0xda, 0xe0, 0x54, 0xf6, 0x3d, 0xfa, 0xff,
  255. 0x5e, 0xa1, 0x8e, 0x45, 0xed, 0xf6, 0xea, 0x6f};
  256. void *buf = NULL;
  257. int ret = 0;
  258. if (skip_zk_test)
  259. goto out;
  260. buf = kmalloc(AES_BLOCK_SIZE, GFP_KERNEL);
  261. if (!buf) {
  262. ret = -ENOMEM;
  263. goto out;
  264. }
  265. memset(buf, 0x55, AES_BLOCK_SIZE);
  266. ret = do_dcp_crypto(buf, buf, true);
  267. if (ret)
  268. goto out;
  269. if (memcmp(buf, bad, AES_BLOCK_SIZE) == 0) {
  270. pr_warn("Device neither in secure nor trusted mode!\n");
  271. ret = -EINVAL;
  272. }
  273. out:
  274. kfree(buf);
  275. return ret;
  276. }
  277. static int trusted_dcp_init(void)
  278. {
  279. int ret;
  280. if (use_otp_key)
  281. pr_info("Using DCP OTP key\n");
  282. ret = test_for_zero_key();
  283. if (ret) {
  284. pr_warn("Test for zero'ed keys failed: %i\n", ret);
  285. return -EINVAL;
  286. }
  287. return register_key_type(&key_type_trusted);
  288. }
  289. static void trusted_dcp_exit(void)
  290. {
  291. unregister_key_type(&key_type_trusted);
  292. }
  293. struct trusted_key_ops dcp_trusted_key_ops = {
  294. .exit = trusted_dcp_exit,
  295. .init = trusted_dcp_init,
  296. .seal = trusted_dcp_seal,
  297. .unseal = trusted_dcp_unseal,
  298. .migratable = 0,
  299. };