1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Qualcomm ICE (Inline Crypto Engine) support.
4 *
5 * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
6 * Copyright (c) 2019, Google LLC
7 * Copyright (c) 2023, Linaro Limited
8 */
9
10 #include <linux/bitfield.h>
11 #include <linux/cleanup.h>
12 #include <linux/clk.h>
13 #include <linux/delay.h>
14 #include <linux/device.h>
15 #include <linux/iopoll.h>
16 #include <linux/of.h>
17 #include <linux/of_platform.h>
18 #include <linux/platform_device.h>
19
20 #include <linux/firmware/qcom/qcom_scm.h>
21
22 #include <soc/qcom/ice.h>
23
24 #define AES_256_XTS_KEY_SIZE 64
25
26 /* QCOM ICE registers */
27 #define QCOM_ICE_REG_VERSION 0x0008
28 #define QCOM_ICE_REG_FUSE_SETTING 0x0010
29 #define QCOM_ICE_REG_BIST_STATUS 0x0070
30 #define QCOM_ICE_REG_ADVANCED_CONTROL 0x1000
31
32 /* BIST ("built-in self-test") status flags */
33 #define QCOM_ICE_BIST_STATUS_MASK GENMASK(31, 28)
34
35 #define QCOM_ICE_FUSE_SETTING_MASK 0x1
36 #define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK 0x2
37 #define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK 0x4
38
39 #define qcom_ice_writel(engine, val, reg) \
40 writel((val), (engine)->base + (reg))
41
42 #define qcom_ice_readl(engine, reg) \
43 readl((engine)->base + (reg))
44
45 struct qcom_ice {
46 struct device *dev;
47 void __iomem *base;
48 struct device_link *link;
49
50 struct clk *core_clk;
51 };
52
qcom_ice_check_supported(struct qcom_ice * ice)53 static bool qcom_ice_check_supported(struct qcom_ice *ice)
54 {
55 u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
56 struct device *dev = ice->dev;
57 int major = FIELD_GET(GENMASK(31, 24), regval);
58 int minor = FIELD_GET(GENMASK(23, 16), regval);
59 int step = FIELD_GET(GENMASK(15, 0), regval);
60
61 /* For now this driver only supports ICE version 3 and 4. */
62 if (major != 3 && major != 4) {
63 dev_warn(dev, "Unsupported ICE version: v%d.%d.%d\n",
64 major, minor, step);
65 return false;
66 }
67
68 dev_info(dev, "Found QC Inline Crypto Engine (ICE) v%d.%d.%d\n",
69 major, minor, step);
70
71 /* If fuses are blown, ICE might not work in the standard way. */
72 regval = qcom_ice_readl(ice, QCOM_ICE_REG_FUSE_SETTING);
73 if (regval & (QCOM_ICE_FUSE_SETTING_MASK |
74 QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK |
75 QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK)) {
76 dev_warn(dev, "Fuses are blown; ICE is unusable!\n");
77 return false;
78 }
79
80 return true;
81 }
82
qcom_ice_low_power_mode_enable(struct qcom_ice * ice)83 static void qcom_ice_low_power_mode_enable(struct qcom_ice *ice)
84 {
85 u32 regval;
86
87 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
88
89 /* Enable low power mode sequence */
90 regval |= 0x7000;
91 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
92 }
93
qcom_ice_optimization_enable(struct qcom_ice * ice)94 static void qcom_ice_optimization_enable(struct qcom_ice *ice)
95 {
96 u32 regval;
97
98 /* ICE Optimizations Enable Sequence */
99 regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
100 regval |= 0xd807100;
101 /* ICE HPG requires delay before writing */
102 udelay(5);
103 qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
104 udelay(5);
105 }
106
107 /*
108 * Wait until the ICE BIST (built-in self-test) has completed.
109 *
110 * This may be necessary before ICE can be used.
111 * Note that we don't really care whether the BIST passed or failed;
112 * we really just want to make sure that it isn't still running. This is
113 * because (a) the BIST is a FIPS compliance thing that never fails in
114 * practice, (b) ICE is documented to reject crypto requests if the BIST
115 * fails, so we needn't do it in software too, and (c) properly testing
116 * storage encryption requires testing the full storage stack anyway,
117 * and not relying on hardware-level self-tests.
118 */
qcom_ice_wait_bist_status(struct qcom_ice * ice)119 static int qcom_ice_wait_bist_status(struct qcom_ice *ice)
120 {
121 u32 regval;
122 int err;
123
124 err = readl_poll_timeout(ice->base + QCOM_ICE_REG_BIST_STATUS,
125 regval, !(regval & QCOM_ICE_BIST_STATUS_MASK),
126 50, 5000);
127 if (err)
128 dev_err(ice->dev, "Timed out waiting for ICE self-test to complete\n");
129
130 return err;
131 }
132
qcom_ice_enable(struct qcom_ice * ice)133 int qcom_ice_enable(struct qcom_ice *ice)
134 {
135 qcom_ice_low_power_mode_enable(ice);
136 qcom_ice_optimization_enable(ice);
137
138 return qcom_ice_wait_bist_status(ice);
139 }
140 EXPORT_SYMBOL_GPL(qcom_ice_enable);
141
qcom_ice_resume(struct qcom_ice * ice)142 int qcom_ice_resume(struct qcom_ice *ice)
143 {
144 struct device *dev = ice->dev;
145 int err;
146
147 err = clk_prepare_enable(ice->core_clk);
148 if (err) {
149 dev_err(dev, "failed to enable core clock (%d)\n",
150 err);
151 return err;
152 }
153
154 return qcom_ice_wait_bist_status(ice);
155 }
156 EXPORT_SYMBOL_GPL(qcom_ice_resume);
157
qcom_ice_suspend(struct qcom_ice * ice)158 int qcom_ice_suspend(struct qcom_ice *ice)
159 {
160 clk_disable_unprepare(ice->core_clk);
161
162 return 0;
163 }
164 EXPORT_SYMBOL_GPL(qcom_ice_suspend);
165
qcom_ice_program_key(struct qcom_ice * ice,u8 algorithm_id,u8 key_size,const u8 crypto_key[],u8 data_unit_size,int slot)166 int qcom_ice_program_key(struct qcom_ice *ice,
167 u8 algorithm_id, u8 key_size,
168 const u8 crypto_key[], u8 data_unit_size,
169 int slot)
170 {
171 struct device *dev = ice->dev;
172 union {
173 u8 bytes[AES_256_XTS_KEY_SIZE];
174 u32 words[AES_256_XTS_KEY_SIZE / sizeof(u32)];
175 } key;
176 int i;
177 int err;
178
179 /* Only AES-256-XTS has been tested so far. */
180 if (algorithm_id != QCOM_ICE_CRYPTO_ALG_AES_XTS ||
181 key_size != QCOM_ICE_CRYPTO_KEY_SIZE_256) {
182 dev_err_ratelimited(dev,
183 "Unhandled crypto capability; algorithm_id=%d, key_size=%d\n",
184 algorithm_id, key_size);
185 return -EINVAL;
186 }
187
188 memcpy(key.bytes, crypto_key, AES_256_XTS_KEY_SIZE);
189
190 /* The SCM call requires that the key words are encoded in big endian */
191 for (i = 0; i < ARRAY_SIZE(key.words); i++)
192 __cpu_to_be32s(&key.words[i]);
193
194 err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
195 QCOM_SCM_ICE_CIPHER_AES_256_XTS,
196 data_unit_size);
197
198 memzero_explicit(&key, sizeof(key));
199
200 return err;
201 }
202 EXPORT_SYMBOL_GPL(qcom_ice_program_key);
203
qcom_ice_evict_key(struct qcom_ice * ice,int slot)204 int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
205 {
206 return qcom_scm_ice_invalidate_key(slot);
207 }
208 EXPORT_SYMBOL_GPL(qcom_ice_evict_key);
209
qcom_ice_create(struct device * dev,void __iomem * base)210 static struct qcom_ice *qcom_ice_create(struct device *dev,
211 void __iomem *base)
212 {
213 struct qcom_ice *engine;
214
215 if (!qcom_scm_is_available())
216 return ERR_PTR(-EPROBE_DEFER);
217
218 if (!qcom_scm_ice_available()) {
219 dev_warn(dev, "ICE SCM interface not found\n");
220 return NULL;
221 }
222
223 engine = devm_kzalloc(dev, sizeof(*engine), GFP_KERNEL);
224 if (!engine)
225 return ERR_PTR(-ENOMEM);
226
227 engine->dev = dev;
228 engine->base = base;
229
230 /*
231 * Legacy DT binding uses different clk names for each consumer,
232 * so lets try those first. If none of those are a match, it means
233 * the we only have one clock and it is part of the dedicated DT node.
234 * Also, enable the clock before we check what HW version the driver
235 * supports.
236 */
237 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice_core_clk");
238 if (!engine->core_clk)
239 engine->core_clk = devm_clk_get_optional_enabled(dev, "ice");
240 if (!engine->core_clk)
241 engine->core_clk = devm_clk_get_enabled(dev, NULL);
242 if (IS_ERR(engine->core_clk))
243 return ERR_CAST(engine->core_clk);
244
245 if (!qcom_ice_check_supported(engine))
246 return ERR_PTR(-EOPNOTSUPP);
247
248 dev_dbg(dev, "Registered Qualcomm Inline Crypto Engine\n");
249
250 return engine;
251 }
252
253 /**
254 * of_qcom_ice_get() - get an ICE instance from a DT node
255 * @dev: device pointer for the consumer device
256 *
257 * This function will provide an ICE instance either by creating one for the
258 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
259 * clock (for legacy DT style). On the other hand, if consumer provides a
260 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
261 * be created and so this function will return that instead.
262 *
263 * Return: ICE pointer on success, NULL if there is no ICE data provided by the
264 * consumer or ERR_PTR() on error.
265 */
of_qcom_ice_get(struct device * dev)266 struct qcom_ice *of_qcom_ice_get(struct device *dev)
267 {
268 struct platform_device *pdev = to_platform_device(dev);
269 struct qcom_ice *ice;
270 struct resource *res;
271 void __iomem *base;
272
273 if (!dev || !dev->of_node)
274 return ERR_PTR(-ENODEV);
275
276 /*
277 * In order to support legacy style devicetree bindings, we need
278 * to create the ICE instance using the consumer device and the reg
279 * range called 'ice' it provides.
280 */
281 res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice");
282 if (res) {
283 base = devm_ioremap_resource(&pdev->dev, res);
284 if (IS_ERR(base))
285 return ERR_CAST(base);
286
287 /* create ICE instance using consumer dev */
288 return qcom_ice_create(&pdev->dev, base);
289 }
290
291 /*
292 * If the consumer node does not provider an 'ice' reg range
293 * (legacy DT binding), then it must at least provide a phandle
294 * to the ICE devicetree node, otherwise ICE is not supported.
295 */
296 struct device_node *node __free(device_node) = of_parse_phandle(dev->of_node,
297 "qcom,ice", 0);
298 if (!node)
299 return NULL;
300
301 pdev = of_find_device_by_node(node);
302 if (!pdev) {
303 dev_err(dev, "Cannot find device node %s\n", node->name);
304 return ERR_PTR(-EPROBE_DEFER);
305 }
306
307 ice = platform_get_drvdata(pdev);
308 if (!ice) {
309 dev_err(dev, "Cannot get ice instance from %s\n",
310 dev_name(&pdev->dev));
311 platform_device_put(pdev);
312 return ERR_PTR(-EPROBE_DEFER);
313 }
314
315 ice->link = device_link_add(dev, &pdev->dev, DL_FLAG_AUTOREMOVE_SUPPLIER);
316 if (!ice->link) {
317 dev_err(&pdev->dev,
318 "Failed to create device link to consumer %s\n",
319 dev_name(dev));
320 platform_device_put(pdev);
321 ice = ERR_PTR(-EINVAL);
322 }
323
324 return ice;
325 }
326 EXPORT_SYMBOL_GPL(of_qcom_ice_get);
327
qcom_ice_put(const struct qcom_ice * ice)328 static void qcom_ice_put(const struct qcom_ice *ice)
329 {
330 struct platform_device *pdev = to_platform_device(ice->dev);
331
332 if (!platform_get_resource_byname(pdev, IORESOURCE_MEM, "ice"))
333 platform_device_put(pdev);
334 }
335
devm_of_qcom_ice_put(struct device * dev,void * res)336 static void devm_of_qcom_ice_put(struct device *dev, void *res)
337 {
338 qcom_ice_put(*(struct qcom_ice **)res);
339 }
340
341 /**
342 * devm_of_qcom_ice_get() - Devres managed helper to get an ICE instance from
343 * a DT node.
344 * @dev: device pointer for the consumer device.
345 *
346 * This function will provide an ICE instance either by creating one for the
347 * consumer device if its DT node provides the 'ice' reg range and the 'ice'
348 * clock (for legacy DT style). On the other hand, if consumer provides a
349 * phandle via 'qcom,ice' property to an ICE DT, the ICE instance will already
350 * be created and so this function will return that instead.
351 *
352 * Return: ICE pointer on success, NULL if there is no ICE data provided by the
353 * consumer or ERR_PTR() on error.
354 */
devm_of_qcom_ice_get(struct device * dev)355 struct qcom_ice *devm_of_qcom_ice_get(struct device *dev)
356 {
357 struct qcom_ice *ice, **dr;
358
359 dr = devres_alloc(devm_of_qcom_ice_put, sizeof(*dr), GFP_KERNEL);
360 if (!dr)
361 return ERR_PTR(-ENOMEM);
362
363 ice = of_qcom_ice_get(dev);
364 if (!IS_ERR_OR_NULL(ice)) {
365 *dr = ice;
366 devres_add(dev, dr);
367 } else {
368 devres_free(dr);
369 }
370
371 return ice;
372 }
373 EXPORT_SYMBOL_GPL(devm_of_qcom_ice_get);
374
qcom_ice_probe(struct platform_device * pdev)375 static int qcom_ice_probe(struct platform_device *pdev)
376 {
377 struct qcom_ice *engine;
378 void __iomem *base;
379
380 base = devm_platform_ioremap_resource(pdev, 0);
381 if (IS_ERR(base)) {
382 dev_warn(&pdev->dev, "ICE registers not found\n");
383 return PTR_ERR(base);
384 }
385
386 engine = qcom_ice_create(&pdev->dev, base);
387 if (IS_ERR(engine))
388 return PTR_ERR(engine);
389
390 platform_set_drvdata(pdev, engine);
391
392 return 0;
393 }
394
395 static const struct of_device_id qcom_ice_of_match_table[] = {
396 { .compatible = "qcom,inline-crypto-engine" },
397 { },
398 };
399 MODULE_DEVICE_TABLE(of, qcom_ice_of_match_table);
400
401 static struct platform_driver qcom_ice_driver = {
402 .probe = qcom_ice_probe,
403 .driver = {
404 .name = "qcom-ice",
405 .of_match_table = qcom_ice_of_match_table,
406 },
407 };
408
409 module_platform_driver(qcom_ice_driver);
410
411 MODULE_DESCRIPTION("Qualcomm Inline Crypto Engine driver");
412 MODULE_LICENSE("GPL");
413