feat(stm32mp1): add the decryption support

Add the decryption support for STM32MP1 binaries.
Decryption is limited to the BL32 loaded images.

Limitation: STM32MP15 doesn't support the feature.

Change-Id: I96800bac7b22109f8471eb2953fc0dc269fc4fd1
Signed-off-by: Lionel Debieve <lionel.debieve@foss.st.com>

diff --git a/plat/st/common/bl2_io_storage.c b/plat/st/common/bl2_io_storage.c
index 72225848bc5f9fbe04c12697294cb72eb6fb3ce7..b271ed6d30655b6a10f1c26c3f4f726c12188c5b 100644 (file)
--- a/plat/st/common/bl2_io_storage.c
+++ b/plat/st/common/bl2_io_storage.c
@@ -14,6 +14,7 @@
 #include <drivers/fwu/fwu_metadata.h>
 #include <drivers/io/io_block.h>
 #include <drivers/io/io_driver.h>
+#include <drivers/io/io_encrypted.h>
 #include <drivers/io/io_fip.h>
 #include <drivers/io/io_memmap.h>
 #include <drivers/io/io_mtd.h>
@@ -48,6 +49,11 @@ uintptr_t storage_dev_handle;
 
 static const io_dev_connector_t *fip_dev_con;
 
+#ifndef DECRYPTION_SUPPORT_none
+static const io_dev_connector_t *enc_dev_con;
+uintptr_t enc_dev_handle;
+#endif
+
 #if STM32MP_SDMMC || STM32MP_EMMC
 static struct mmc_device_info mmc_info;
 
@@ -118,6 +124,29 @@ int open_fip(const uintptr_t spec)
        return io_dev_init(fip_dev_handle, (uintptr_t)FIP_IMAGE_ID);
 }
 
+#ifndef DECRYPTION_SUPPORT_none
+int open_enc_fip(const uintptr_t spec)
+{
+       int result;
+       uintptr_t local_image_handle;
+
+       result = io_dev_init(enc_dev_handle, (uintptr_t)ENC_IMAGE_ID);
+       if (result != 0) {
+               return result;
+       }
+
+       result = io_open(enc_dev_handle, spec, &local_image_handle);
+       if (result != 0) {
+               return result;
+       }
+
+       VERBOSE("Using encrypted FIP\n");
+       io_close(local_image_handle);
+
+       return 0;
+}
+#endif
+
 int open_storage(const uintptr_t spec)
 {
        return io_dev_init(storage_dev_handle, 0);
@@ -383,6 +412,15 @@ void stm32mp_io_setup(void)
        io_result = io_dev_open(fip_dev_con, (uintptr_t)NULL,
                                &fip_dev_handle);
 
+#ifndef DECRYPTION_SUPPORT_none
+       io_result = register_io_dev_enc(&enc_dev_con);
+       assert(io_result == 0);
+
+       io_result = io_dev_open(enc_dev_con, (uintptr_t)NULL,
+                               &enc_dev_handle);
+       assert(io_result == 0);
+#endif
+
        switch (boot_context->boot_interface_selected) {
 #if STM32MP_SDMMC
        case BOOT_API_CTX_BOOT_INTERFACE_SEL_FLASH_SD:

diff --git a/plat/st/common/include/stm32mp_io_storage.h b/plat/st/common/include/stm32mp_io_storage.h
index 989c890d43f1b7c63c617975dec97297eaaf4d39..3c04c4716b6da95a53dfb1d28ac72960547267c0 100644 (file)
--- a/plat/st/common/include/stm32mp_io_storage.h
+++ b/plat/st/common/include/stm32mp_io_storage.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021, STMicroelectronics - All Rights Reserved
+ * Copyright (c) 2021-2022, STMicroelectronics - All Rights Reserved
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -13,11 +13,15 @@
 /* IO devices handle */
 extern uintptr_t storage_dev_handle;
 extern uintptr_t fip_dev_handle;
+extern uintptr_t enc_dev_handle;
 
 extern io_block_spec_t image_block_spec;
 
 /* Function declarations */
 int open_fip(const uintptr_t spec);
+#ifndef DECRYPTION_SUPPORT_none
+int open_enc_fip(const uintptr_t spec);
+#endif
 int open_storage(const uintptr_t spec);
 
 #endif /* STM32MP_IO_STORAGE_H */

diff --git a/plat/st/common/stm32mp_fconf_io.c b/plat/st/common/stm32mp_fconf_io.c
index 0b172c8c7e68d013b9b9f57f776aa13bdaed18d9..0b6cc789cb854ea6920ddc447747081c713168d9 100644 (file)
--- a/plat/st/common/stm32mp_fconf_io.c
+++ b/plat/st/common/stm32mp_fconf_io.c
@@ -42,6 +42,14 @@ struct plat_io_policy policies[MAX_NUMBER_IDS] = {
                .img_type_guid = STM32MP_FIP_GUID,
                .check = open_storage
        },
+#ifndef DECRYPTION_SUPPORT_none
+       [ENC_IMAGE_ID] = {
+               .dev_handle = &fip_dev_handle,
+               .image_spec = (uintptr_t)NULL,
+               .img_type_guid = NULL_GUID,
+               .check = open_fip
+       },
+#endif
 #if STM32MP_SDMMC || STM32MP_EMMC
        [GPT_IMAGE_ID] = {
                .dev_handle = &storage_dev_handle,
@@ -151,8 +159,20 @@ int fconf_populate_stm32mp_io_policies(uintptr_t config)
 
                uuid_ptr->uuid = uuid_helper.uuid_struct;
                policies[load_info[i].image_id].image_spec = (uintptr_t)uuid_ptr;
-               policies[load_info[i].image_id].dev_handle = &fip_dev_handle;
-               policies[load_info[i].image_id].check = open_fip;
+               switch (load_info[i].image_id) {
+#if ENCRYPT_BL32 && !defined(DECRYPTION_SUPPORT_none)
+               case BL32_IMAGE_ID:
+               case BL32_EXTRA1_IMAGE_ID:
+               case BL32_EXTRA2_IMAGE_ID:
+                       policies[load_info[i].image_id].dev_handle = &enc_dev_handle;
+                       policies[load_info[i].image_id].check = open_enc_fip;
+                       break;
+#endif
+               default:
+                       policies[load_info[i].image_id].dev_handle = &fip_dev_handle;
+                       policies[load_info[i].image_id].check = open_fip;
+                       break;
+               }
        }
 
        return 0;

diff --git a/plat/st/stm32mp1/platform.mk b/plat/st/stm32mp1/platform.mk
index def5eaeccf84a4aca8d78cb160f891e83a92f627..594fe0b32002c417e3b972307d72630be54a41e4 100644 (file)
--- a/plat/st/stm32mp1/platform.mk
+++ b/plat/st/stm32mp1/platform.mk
@@ -87,6 +87,11 @@ STM32MP15_OPTEE_RSV_SHM      :=      1
 $(eval $(call add_defines,STM32MP15_OPTEE_RSV_SHM))
 
 STM32MP_CRYPTO_ROM_LIB :=      1
+
+# Decryption support
+ifneq ($(DECRYPTION_SUPPORT),none)
+$(error "DECRYPTION_SUPPORT not supported on STM32MP15")
+endif
 endif
 
 # STM32 image header binary type for BL2
@@ -221,10 +226,10 @@ else
 # Add the build options to pack Trusted OS Extra1 and Trusted OS Extra2 images
 # in the FIP if the platform requires.
 ifneq ($(BL32_EXTRA1),)
-$(eval $(call TOOL_ADD_IMG,BL32_EXTRA1,--tos-fw-extra1))
+$(eval $(call TOOL_ADD_IMG,BL32_EXTRA1,--tos-fw-extra1,,$(ENCRYPT_BL32)))
 endif
 ifneq ($(BL32_EXTRA2),)
-$(eval $(call TOOL_ADD_IMG,BL32_EXTRA2,--tos-fw-extra2))
+$(eval $(call TOOL_ADD_IMG,BL32_EXTRA2,--tos-fw-extra2,,$(ENCRYPT_BL32)))
 endif
 endif
 endif
@@ -387,6 +392,10 @@ BL2_SOURCES                +=      drivers/io/io_block.c                                   \
                                drivers/st/crypto/stm32_hash.c                          \
                                plat/st/stm32mp1/bl2_plat_setup.c
 
+ifneq (${DECRYPTION_SUPPORT},none)
+BL2_SOURCES            +=      drivers/io/io_encrypted.c
+endif
+
 ifeq (${TRUSTED_BOARD_BOOT},1)
 AUTH_SOURCES           :=      drivers/auth/auth_mod.c                                 \
                                drivers/auth/crypto_mod.c                               \

diff --git a/plat/st/stm32mp1/stm32mp1_def.h b/plat/st/stm32mp1/stm32mp1_def.h
index 002b6aa6e75428b23beeb17b0802dbae549ac039..5d7c2ffea6f1e7df02578c0faa016e16d21656bc 100644 (file)
--- a/plat/st/stm32mp1/stm32mp1_def.h
+++ b/plat/st/stm32mp1/stm32mp1_def.h
@@ -451,6 +451,7 @@ enum ddr_type {
 #define MONOTONIC_OTP                  "monotonic_otp"
 #define UID_OTP                                "uid_otp"
 #define PKH_OTP                                "pkh_otp"
+#define ENCKEY_OTP                     "enckey_otp"
 #define BOARD_ID_OTP                   "board_id"
 
 /* OTP mask */