Loading security/pfe/Kconfig +0 −13 Original line number Diff line number Diff line Loading @@ -25,17 +25,4 @@ config PFK Information is used when file is encrypted later using ICE or dm crypto engine config PFK_WRAPPED_KEY_SUPPORTED bool "Per-File-Key driver with wrapped key support" depends on SECURITY depends on SECURITY_SELINUX depends on QSEECOM depends on PFK default n help Adds wrapped key support in PFK driver. Instead of setting the key directly from vold, it unwraps the key in a secure environment and sets the key in ICE. This is because the key is not directly available in HLOS and needs to be unwrapped in a secure environment. endmenu security/pfe/Makefile +0 −1 Original line number Diff line number Diff line Loading @@ -5,7 +5,6 @@ ccflags-y += -Isecurity/selinux -Isecurity/selinux/include ccflags-y += -Ifs/ext4 ccflags-y += -Ifs/crypto ccflags-y += -Idrivers/misc obj-$(CONFIG_PFT) += pft.o obj-$(CONFIG_PFK) += pfk.o pfk_kc.o pfk_ice.o pfk_ext4.o security/pfe/pfk_ice.c +42 −164 Original line number Diff line number Diff line Loading @@ -24,7 +24,7 @@ #include <soc/qcom/qseecomi.h> #include <crypto/ice.h> #include "pfk_ice.h" #include "qseecom_kernel.h" /**********************************/ /** global definitions **/ Loading Loading @@ -55,120 +55,48 @@ TZ_SYSCALL_CREATE_PARAM_ID_1( \ TZ_SYSCALL_PARAM_TYPE_VAL) #define CONTEXT_SIZE 0x1000 #define KEYMASTER_UTILS_CMD_ID 0x200UL #define KEYMASTER_SET_ICE_KEY (KEYMASTER_UTILS_CMD_ID + 18UL) #define KEYMASTER_CLEAR_ICE_KEY (KEYMASTER_UTILS_CMD_ID + 19UL) #define ICE_KEY_SIZE 32 #define ICE_SALT_SIZE 32 static uint8_t ice_key[ICE_KEY_SIZE]; static uint8_t ice_salt[ICE_KEY_SIZE]; static struct qseecom_handle *qhandle; static int set_wrapped_key(uint32_t index, const uint8_t *key, const uint8_t *salt) { int ret = 0; u32 set_req_len = 0; u32 set_rsp_len = 0; struct pfk_ice_key_req *set_req_buf; struct pfk_ice_key_rsp *set_rsp_buf; memcpy(ice_key, key, sizeof(ice_key)); memcpy(ice_salt, salt, sizeof(ice_salt)); if (!qhandle) { ret = qseecom_start_app(&qhandle, "keymaster64", CONTEXT_SIZE); if (ret) { pr_err("Qseecom start app failed\n"); return ret; } } set_req_buf = (struct pfk_ice_key_req *) qhandle->sbuf; set_req_buf->cmd_id = KEYMASTER_SET_ICE_KEY; set_req_buf->index = index; set_req_buf->ice_key_offset = sizeof(struct pfk_ice_key_req); set_req_buf->ice_key_size = ICE_KEY_SIZE; set_req_buf->ice_salt_offset = set_req_buf->ice_key_offset + set_req_buf->ice_key_size; set_req_buf->ice_salt_size = ICE_SALT_SIZE; memcpy((uint8_t *) set_req_buf + set_req_buf->ice_key_offset, ice_key, set_req_buf->ice_key_size); memcpy((uint8_t *) set_req_buf + set_req_buf->ice_salt_offset, ice_salt, set_req_buf->ice_salt_size); set_req_len = sizeof(struct pfk_ice_key_req) + set_req_buf->ice_key_size + set_req_buf->ice_salt_size; set_rsp_buf = (struct pfk_ice_key_rsp *) (qhandle->sbuf + set_req_len); set_rsp_len = sizeof(struct pfk_ice_key_rsp); ret = qseecom_send_command(qhandle, set_req_buf, set_req_len, set_rsp_buf, set_rsp_len); if (ret) pr_err("%s: Set wrapped key error: Status %d\n", __func__, set_rsp_buf->ret); return ret; } static int clear_wrapped_key(uint32_t index) { int ret = 0; u32 clear_req_len = 0; u32 clear_rsp_len = 0; struct pfk_ice_key_req *clear_req_buf; struct pfk_ice_key_rsp *clear_rsp_buf; clear_req_buf = (struct pfk_ice_key_req *) qhandle->sbuf; memset(clear_req_buf, 0, sizeof(qhandle->sbuf)); clear_req_buf->cmd_id = KEYMASTER_CLEAR_ICE_KEY; clear_req_buf->index = index; clear_req_len = sizeof(struct pfk_ice_key_req); clear_rsp_buf = (struct pfk_ice_key_rsp *) (qhandle->sbuf + QSEECOM_ALIGN(clear_req_len)); clear_rsp_len = sizeof(struct pfk_ice_key_rsp); ret = qseecom_send_command(qhandle, clear_req_buf, clear_req_len, clear_rsp_buf, clear_rsp_len); if (ret) pr_err("%s: Clear wrapped key error: Status %d\n", __func__, clear_rsp_buf->ret); return ret; } static int set_key(uint32_t index, const uint8_t *key, const uint8_t *salt) int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, char *storage_type) { struct scm_desc desc = {0}; int ret = 0; uint32_t smc_id = 0; int ret, ret1; char *tzbuf_key = (char *)ice_key; char *tzbuf_salt = (char *)ice_salt; char *s_type = storage_type; uint32_t smc_id = 0; u32 tzbuflen_key = sizeof(ice_key); u32 tzbuflen_salt = sizeof(ice_salt); if (index < MIN_ICE_KEY_INDEX || index > MAX_ICE_KEY_INDEX) { pr_err("%s Invalid index %d\n", __func__, index); return -EINVAL; } if (!key || !salt) { pr_err("%s Invalid key/salt\n", __func__); return -EINVAL; } if (!tzbuf_key || !tzbuf_salt) { pr_err("%s No Memory\n", __func__); return -ENOMEM; } if (s_type == NULL) { pr_err("%s Invalid Storage type\n", __func__); return -EINVAL; } memset(tzbuf_key, 0, tzbuflen_key); memset(tzbuf_salt, 0, tzbuflen_salt); memcpy(ice_key, key, sizeof(ice_key)); memcpy(ice_salt, salt, sizeof(ice_salt)); memcpy(ice_key, key, tzbuflen_key); memcpy(ice_salt, salt, tzbuflen_salt); dmac_flush_range(tzbuf_key, tzbuf_key + tzbuflen_key); dmac_flush_range(tzbuf_salt, tzbuf_salt + tzbuflen_salt); Loading @@ -182,64 +110,13 @@ static int set_key(uint32_t index, const uint8_t *key, const uint8_t *salt) desc.args[3] = virt_to_phys(tzbuf_salt); desc.args[4] = tzbuflen_salt; ret = scm_call2(smc_id, &desc); if (ret) pr_err("%s:SCM call Error: 0x%x\n", __func__, ret); return ret; } static int clear_key(uint32_t index) { struct scm_desc desc = {0}; int ret = 0; uint32_t smc_id = 0; smc_id = TZ_ES_INVALIDATE_ICE_KEY_ID; desc.arginfo = TZ_ES_INVALIDATE_ICE_KEY_PARAM_ID; desc.args[0] = index; ret = scm_call2(smc_id, &desc); if (ret) pr_err("%s:SCM call Error: 0x%x\n", __func__, ret); return ret; } int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, char *storage_type) { int ret = 0, ret1 = 0; char *s_type = storage_type; if (index < MIN_ICE_KEY_INDEX || index > MAX_ICE_KEY_INDEX) { pr_err("%s Invalid index %d\n", __func__, index); return -EINVAL; } if (!key || !salt) { pr_err("%s Invalid key/salt\n", __func__); return -EINVAL; } if (s_type == NULL) { pr_err("%s Invalid Storage type\n", __func__); return -EINVAL; } ret = qcom_ice_setup_ice_hw((const char *)s_type, true); if (ret) { pr_err("%s: could not enable clocks: %d\n", __func__, ret); goto out; } if (pfk_wrapped_key_supported()) { pr_debug("%s: Setting wrapped key\n", __func__); ret = set_wrapped_key(index, key, salt); } else { pr_debug("%s: Setting keys with QSEE kernel\n", __func__); ret = set_key(index, key, salt); } ret = scm_call2(smc_id, &desc); if (ret) { pr_err("%s: Set Key Error: %d\n", __func__, ret); if (ret == -EBUSY) { Loading @@ -248,18 +125,18 @@ int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, goto out; } /* Try to invalidate the key to keep ICE in proper state */ if (pfk_wrapped_key_supported()) ret1 = clear_wrapped_key(index); else ret1 = clear_key(index); smc_id = TZ_ES_INVALIDATE_ICE_KEY_ID; desc.arginfo = TZ_ES_INVALIDATE_ICE_KEY_PARAM_ID; desc.args[0] = index; ret1 = scm_call2(smc_id, &desc); if (ret1) pr_err("%s: Invalidate key error: %d\n", __func__, ret); pr_err("%s: Invalidate Key Error: %d\n", __func__, ret1); } ret1 = qcom_ice_setup_ice_hw((const char *)s_type, false); if (ret) pr_err("%s: Error %d disabling clocks\n", __func__, ret); if (ret1) pr_err("%s: Error %d disabling clocks\n", __func__, ret1); out: return ret; Loading @@ -267,8 +144,11 @@ int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, int qti_pfk_ice_invalidate_key(uint32_t index, char *storage_type) { struct scm_desc desc = {0}; int ret = 0; uint32_t smc_id = 0; if (index < MIN_ICE_KEY_INDEX || index > MAX_ICE_KEY_INDEX) { pr_err("%s Invalid index %d\n", __func__, index); return -EINVAL; Loading @@ -279,22 +159,20 @@ int qti_pfk_ice_invalidate_key(uint32_t index, char *storage_type) return -EINVAL; } smc_id = TZ_ES_INVALIDATE_ICE_KEY_ID; desc.arginfo = TZ_ES_INVALIDATE_ICE_KEY_PARAM_ID; desc.args[0] = index; ret = qcom_ice_setup_ice_hw((const char *)storage_type, true); if (ret) { pr_err("%s: could not enable clocks: 0x%x\n", __func__, ret); return ret; } if (pfk_wrapped_key_supported()) { ret = clear_wrapped_key(index); pr_debug("%s: Clearing wrapped key\n", __func__); } else { pr_debug("%s: Clearing keys with QSEE kernel\n", __func__); ret = clear_key(index); } ret = scm_call2(smc_id, &desc); if (ret) pr_err("%s: Invalidate key error: %d\n", __func__, ret); pr_err("%s: Error: 0x%x\n", __func__, ret); if (qcom_ice_setup_ice_hw((const char *)storage_type, false)) pr_err("%s: could not disable clocks\n", __func__); Loading security/pfe/pfk_ice.h +0 −26 Original line number Diff line number Diff line Loading @@ -22,35 +22,9 @@ #include <linux/types.h> struct __attribute__ ((__packed__)) pfk_ice_key_req { uint32_t cmd_id; uint32_t index; uint32_t ice_key_offset; uint32_t ice_key_size; uint32_t ice_salt_offset; uint32_t ice_salt_size; }; struct __attribute__ ((__packed__)) pfk_ice_key_rsp { uint32_t ret; uint32_t cmd_id; }; int pfk_ice_init(void); int pfk_ice_deinit(void); #ifdef CONFIG_PFK_WRAPPED_KEY_SUPPORTED static inline bool pfk_wrapped_key_supported(void) { return true; } #else static inline bool pfk_wrapped_key_supported(void) { return false; } #endif int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, char *storage_type); int qti_pfk_ice_invalidate_key(uint32_t index, char *storage_type); Loading Loading
security/pfe/Kconfig +0 −13 Original line number Diff line number Diff line Loading @@ -25,17 +25,4 @@ config PFK Information is used when file is encrypted later using ICE or dm crypto engine config PFK_WRAPPED_KEY_SUPPORTED bool "Per-File-Key driver with wrapped key support" depends on SECURITY depends on SECURITY_SELINUX depends on QSEECOM depends on PFK default n help Adds wrapped key support in PFK driver. Instead of setting the key directly from vold, it unwraps the key in a secure environment and sets the key in ICE. This is because the key is not directly available in HLOS and needs to be unwrapped in a secure environment. endmenu
security/pfe/Makefile +0 −1 Original line number Diff line number Diff line Loading @@ -5,7 +5,6 @@ ccflags-y += -Isecurity/selinux -Isecurity/selinux/include ccflags-y += -Ifs/ext4 ccflags-y += -Ifs/crypto ccflags-y += -Idrivers/misc obj-$(CONFIG_PFT) += pft.o obj-$(CONFIG_PFK) += pfk.o pfk_kc.o pfk_ice.o pfk_ext4.o
security/pfe/pfk_ice.c +42 −164 Original line number Diff line number Diff line Loading @@ -24,7 +24,7 @@ #include <soc/qcom/qseecomi.h> #include <crypto/ice.h> #include "pfk_ice.h" #include "qseecom_kernel.h" /**********************************/ /** global definitions **/ Loading Loading @@ -55,120 +55,48 @@ TZ_SYSCALL_CREATE_PARAM_ID_1( \ TZ_SYSCALL_PARAM_TYPE_VAL) #define CONTEXT_SIZE 0x1000 #define KEYMASTER_UTILS_CMD_ID 0x200UL #define KEYMASTER_SET_ICE_KEY (KEYMASTER_UTILS_CMD_ID + 18UL) #define KEYMASTER_CLEAR_ICE_KEY (KEYMASTER_UTILS_CMD_ID + 19UL) #define ICE_KEY_SIZE 32 #define ICE_SALT_SIZE 32 static uint8_t ice_key[ICE_KEY_SIZE]; static uint8_t ice_salt[ICE_KEY_SIZE]; static struct qseecom_handle *qhandle; static int set_wrapped_key(uint32_t index, const uint8_t *key, const uint8_t *salt) { int ret = 0; u32 set_req_len = 0; u32 set_rsp_len = 0; struct pfk_ice_key_req *set_req_buf; struct pfk_ice_key_rsp *set_rsp_buf; memcpy(ice_key, key, sizeof(ice_key)); memcpy(ice_salt, salt, sizeof(ice_salt)); if (!qhandle) { ret = qseecom_start_app(&qhandle, "keymaster64", CONTEXT_SIZE); if (ret) { pr_err("Qseecom start app failed\n"); return ret; } } set_req_buf = (struct pfk_ice_key_req *) qhandle->sbuf; set_req_buf->cmd_id = KEYMASTER_SET_ICE_KEY; set_req_buf->index = index; set_req_buf->ice_key_offset = sizeof(struct pfk_ice_key_req); set_req_buf->ice_key_size = ICE_KEY_SIZE; set_req_buf->ice_salt_offset = set_req_buf->ice_key_offset + set_req_buf->ice_key_size; set_req_buf->ice_salt_size = ICE_SALT_SIZE; memcpy((uint8_t *) set_req_buf + set_req_buf->ice_key_offset, ice_key, set_req_buf->ice_key_size); memcpy((uint8_t *) set_req_buf + set_req_buf->ice_salt_offset, ice_salt, set_req_buf->ice_salt_size); set_req_len = sizeof(struct pfk_ice_key_req) + set_req_buf->ice_key_size + set_req_buf->ice_salt_size; set_rsp_buf = (struct pfk_ice_key_rsp *) (qhandle->sbuf + set_req_len); set_rsp_len = sizeof(struct pfk_ice_key_rsp); ret = qseecom_send_command(qhandle, set_req_buf, set_req_len, set_rsp_buf, set_rsp_len); if (ret) pr_err("%s: Set wrapped key error: Status %d\n", __func__, set_rsp_buf->ret); return ret; } static int clear_wrapped_key(uint32_t index) { int ret = 0; u32 clear_req_len = 0; u32 clear_rsp_len = 0; struct pfk_ice_key_req *clear_req_buf; struct pfk_ice_key_rsp *clear_rsp_buf; clear_req_buf = (struct pfk_ice_key_req *) qhandle->sbuf; memset(clear_req_buf, 0, sizeof(qhandle->sbuf)); clear_req_buf->cmd_id = KEYMASTER_CLEAR_ICE_KEY; clear_req_buf->index = index; clear_req_len = sizeof(struct pfk_ice_key_req); clear_rsp_buf = (struct pfk_ice_key_rsp *) (qhandle->sbuf + QSEECOM_ALIGN(clear_req_len)); clear_rsp_len = sizeof(struct pfk_ice_key_rsp); ret = qseecom_send_command(qhandle, clear_req_buf, clear_req_len, clear_rsp_buf, clear_rsp_len); if (ret) pr_err("%s: Clear wrapped key error: Status %d\n", __func__, clear_rsp_buf->ret); return ret; } static int set_key(uint32_t index, const uint8_t *key, const uint8_t *salt) int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, char *storage_type) { struct scm_desc desc = {0}; int ret = 0; uint32_t smc_id = 0; int ret, ret1; char *tzbuf_key = (char *)ice_key; char *tzbuf_salt = (char *)ice_salt; char *s_type = storage_type; uint32_t smc_id = 0; u32 tzbuflen_key = sizeof(ice_key); u32 tzbuflen_salt = sizeof(ice_salt); if (index < MIN_ICE_KEY_INDEX || index > MAX_ICE_KEY_INDEX) { pr_err("%s Invalid index %d\n", __func__, index); return -EINVAL; } if (!key || !salt) { pr_err("%s Invalid key/salt\n", __func__); return -EINVAL; } if (!tzbuf_key || !tzbuf_salt) { pr_err("%s No Memory\n", __func__); return -ENOMEM; } if (s_type == NULL) { pr_err("%s Invalid Storage type\n", __func__); return -EINVAL; } memset(tzbuf_key, 0, tzbuflen_key); memset(tzbuf_salt, 0, tzbuflen_salt); memcpy(ice_key, key, sizeof(ice_key)); memcpy(ice_salt, salt, sizeof(ice_salt)); memcpy(ice_key, key, tzbuflen_key); memcpy(ice_salt, salt, tzbuflen_salt); dmac_flush_range(tzbuf_key, tzbuf_key + tzbuflen_key); dmac_flush_range(tzbuf_salt, tzbuf_salt + tzbuflen_salt); Loading @@ -182,64 +110,13 @@ static int set_key(uint32_t index, const uint8_t *key, const uint8_t *salt) desc.args[3] = virt_to_phys(tzbuf_salt); desc.args[4] = tzbuflen_salt; ret = scm_call2(smc_id, &desc); if (ret) pr_err("%s:SCM call Error: 0x%x\n", __func__, ret); return ret; } static int clear_key(uint32_t index) { struct scm_desc desc = {0}; int ret = 0; uint32_t smc_id = 0; smc_id = TZ_ES_INVALIDATE_ICE_KEY_ID; desc.arginfo = TZ_ES_INVALIDATE_ICE_KEY_PARAM_ID; desc.args[0] = index; ret = scm_call2(smc_id, &desc); if (ret) pr_err("%s:SCM call Error: 0x%x\n", __func__, ret); return ret; } int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, char *storage_type) { int ret = 0, ret1 = 0; char *s_type = storage_type; if (index < MIN_ICE_KEY_INDEX || index > MAX_ICE_KEY_INDEX) { pr_err("%s Invalid index %d\n", __func__, index); return -EINVAL; } if (!key || !salt) { pr_err("%s Invalid key/salt\n", __func__); return -EINVAL; } if (s_type == NULL) { pr_err("%s Invalid Storage type\n", __func__); return -EINVAL; } ret = qcom_ice_setup_ice_hw((const char *)s_type, true); if (ret) { pr_err("%s: could not enable clocks: %d\n", __func__, ret); goto out; } if (pfk_wrapped_key_supported()) { pr_debug("%s: Setting wrapped key\n", __func__); ret = set_wrapped_key(index, key, salt); } else { pr_debug("%s: Setting keys with QSEE kernel\n", __func__); ret = set_key(index, key, salt); } ret = scm_call2(smc_id, &desc); if (ret) { pr_err("%s: Set Key Error: %d\n", __func__, ret); if (ret == -EBUSY) { Loading @@ -248,18 +125,18 @@ int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, goto out; } /* Try to invalidate the key to keep ICE in proper state */ if (pfk_wrapped_key_supported()) ret1 = clear_wrapped_key(index); else ret1 = clear_key(index); smc_id = TZ_ES_INVALIDATE_ICE_KEY_ID; desc.arginfo = TZ_ES_INVALIDATE_ICE_KEY_PARAM_ID; desc.args[0] = index; ret1 = scm_call2(smc_id, &desc); if (ret1) pr_err("%s: Invalidate key error: %d\n", __func__, ret); pr_err("%s: Invalidate Key Error: %d\n", __func__, ret1); } ret1 = qcom_ice_setup_ice_hw((const char *)s_type, false); if (ret) pr_err("%s: Error %d disabling clocks\n", __func__, ret); if (ret1) pr_err("%s: Error %d disabling clocks\n", __func__, ret1); out: return ret; Loading @@ -267,8 +144,11 @@ int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, int qti_pfk_ice_invalidate_key(uint32_t index, char *storage_type) { struct scm_desc desc = {0}; int ret = 0; uint32_t smc_id = 0; if (index < MIN_ICE_KEY_INDEX || index > MAX_ICE_KEY_INDEX) { pr_err("%s Invalid index %d\n", __func__, index); return -EINVAL; Loading @@ -279,22 +159,20 @@ int qti_pfk_ice_invalidate_key(uint32_t index, char *storage_type) return -EINVAL; } smc_id = TZ_ES_INVALIDATE_ICE_KEY_ID; desc.arginfo = TZ_ES_INVALIDATE_ICE_KEY_PARAM_ID; desc.args[0] = index; ret = qcom_ice_setup_ice_hw((const char *)storage_type, true); if (ret) { pr_err("%s: could not enable clocks: 0x%x\n", __func__, ret); return ret; } if (pfk_wrapped_key_supported()) { ret = clear_wrapped_key(index); pr_debug("%s: Clearing wrapped key\n", __func__); } else { pr_debug("%s: Clearing keys with QSEE kernel\n", __func__); ret = clear_key(index); } ret = scm_call2(smc_id, &desc); if (ret) pr_err("%s: Invalidate key error: %d\n", __func__, ret); pr_err("%s: Error: 0x%x\n", __func__, ret); if (qcom_ice_setup_ice_hw((const char *)storage_type, false)) pr_err("%s: could not disable clocks\n", __func__); Loading
security/pfe/pfk_ice.h +0 −26 Original line number Diff line number Diff line Loading @@ -22,35 +22,9 @@ #include <linux/types.h> struct __attribute__ ((__packed__)) pfk_ice_key_req { uint32_t cmd_id; uint32_t index; uint32_t ice_key_offset; uint32_t ice_key_size; uint32_t ice_salt_offset; uint32_t ice_salt_size; }; struct __attribute__ ((__packed__)) pfk_ice_key_rsp { uint32_t ret; uint32_t cmd_id; }; int pfk_ice_init(void); int pfk_ice_deinit(void); #ifdef CONFIG_PFK_WRAPPED_KEY_SUPPORTED static inline bool pfk_wrapped_key_supported(void) { return true; } #else static inline bool pfk_wrapped_key_supported(void) { return false; } #endif int qti_pfk_ice_set_key(uint32_t index, uint8_t *key, uint8_t *salt, char *storage_type); int qti_pfk_ice_invalidate_key(uint32_t index, char *storage_type); Loading
