Merge patch series "aspeed: ast2700: Add Caliptra ECDSA driver"

Chia-Wei Wang <chiawei_wang@aspeedtech.com> says:

Aspeed AST2700 SoCs integrates the Caliptra secure IP, where an ECDSA384
signature verification HW interface is exported for SoC crypto needs.

This patch series firstly extends the FIT image signing/verify common
code to support the ECDSA384 algorithm. For better convenience, the
device tree for ECDSA public key storage is also revised by referring
to RSA implementations.

After the FIT common code revision, the driver is implemented for
AST2700 to leverage the Caliptra ECDSA384 signature verification.

These are verified by signed FIT images with the algorithm "sha384,ecdsa384".

Link: https://lore.kernel.org/r/20241014095620.216936-1-chiawei_wang@aspeedtech.com

7 files changed, 215 insertions, 4 deletions

diff --git a/boot/image-fit-sig.c b/boot/image-fit-sig.c
index 35873b1fb0e..a121de60ae2 100644
--- a/boot/image-fit-sig.c
+++ b/boot/image-fit-sig.c
@@ -95,7 +95,7 @@ static int fit_image_setup_verify(struct image_sign_info *info,
 	info->required_keynode = required_keynode;
 	printf("%s:%s", algo_name, info->keyname);
 
-	if (!info->checksum || !info->crypto || !info->padding) {
+	if (!info->checksum || !info->crypto) {
 		*err_msgp = "Unknown signature algorithm";
 		return -1;
 	}
diff --git a/drivers/crypto/aspeed/Kconfig b/drivers/crypto/aspeed/Kconfig
index 473e3e5a863..6efcd7da738 100644
--- a/drivers/crypto/aspeed/Kconfig
+++ b/drivers/crypto/aspeed/Kconfig
@@ -28,3 +28,13 @@ config ASPEED_CPTRA_SHA
 
 	  Enabling this allows the use of SHA operations in hardware. Note that only
 	  SHA384 and SHA512 are supported by Caliptra 1.0.
+
+config ASPEED_CPTRA_ECDSA
+	bool "Caliptra ECDSA384 signature verifier for Aspeed SoCs"
+	depends on ECDSA_VERIFY || SPL_ECDSA_VERIFY
+	help
+	  Select this option to enable a driver for using the ECDSA384_SIGNATURE_VERIFY
+	  feature of Caliptra, which is integrated in AST27xx BMC SoCs.
+
+	  Enabling this allows the use of ECDSA384 signature verification in hardware.
+	  Note that only ECDSA384 is supported by Caliptra.
diff --git a/drivers/crypto/aspeed/Makefile b/drivers/crypto/aspeed/Makefile
index 570587e744f..00def358ddf 100644
--- a/drivers/crypto/aspeed/Makefile
+++ b/drivers/crypto/aspeed/Makefile
@@ -1,3 +1,4 @@
 obj-$(CONFIG_ASPEED_HACE) += aspeed_hace.o
 obj-$(CONFIG_ASPEED_ACRY) += aspeed_acry.o
 obj-$(CONFIG_ASPEED_CPTRA_SHA) += cptra_sha.o
+obj-$(CONFIG_ASPEED_CPTRA_ECDSA) += cptra_ecdsa.o
diff --git a/drivers/crypto/aspeed/cptra_ecdsa.c b/drivers/crypto/aspeed/cptra_ecdsa.c
new file mode 100644
index 00000000000..4b70d89def7
--- /dev/null
+++ b/drivers/crypto/aspeed/cptra_ecdsa.c
@@ -0,0 +1,184 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright 2024 ASPEED Technology Inc.
+ */
+#include <asm/io.h>
+#include <config.h>
+#include <crypto/ecdsa-uclass.h>
+#include <dm.h>
+#include <linux/bitfield.h>
+#include <linux/bitops.h>
+#include <linux/iopoll.h>
+#include <malloc.h>
+#include <u-boot/ecdsa.h>
+
+/* SCU register offsets */
+#define SCU1_CPTRA				0x130
+#define   SCU1_CPTRA_RDY_FOR_RT	BIT(18)
+
+/* CPTRA MBOX register offsets */
+#define CPTRA_MBOX_LOCK			0x00
+#define CPTRA_MBOX_USER			0x04
+#define CPTRA_MBOX_CMD			0x08
+#define CPTRA_MBOX_DLEN			0x0c
+#define CPTRA_MBOX_DATAIN		0x10
+#define CPTRA_MBOX_DATAOUT		0x14
+#define CPTRA_MBOX_EXEC			0x18
+#define CPTRA_MBOX_STS			0x1c
+#define   CPTRA_MBOX_STS_SOC_LOCK	BIT(9)
+#define   CPTRA_MBOX_STS_FSM_PS		GENMASK(8, 6)
+#define   CPTRA_MBOX_STS_PS		GENMASK(3, 0)
+#define CPTRA_MBOX_UNLOCK		0x20
+
+#define CPTRA_ECDSA_SIG_LEN	96	/* ECDSA384 */
+#define CPTRA_ECDSA_SHA_LEN	48	/* SHA384 */
+
+#define CPTRA_MBCMD_ECDSA384_SIGNATURE_VERIFY	0x53494756
+
+enum cptra_mbox_sts {
+	CPTRA_MBSTS_CMD_BUSY,
+	CPTRA_MBSTS_DATA_READY,
+	CPTRA_MBSTS_CMD_COMPLETE,
+	CPTRA_MBSTS_CMD_FAILURE,
+};
+
+enum cptra_mbox_fsm {
+	CPTRA_MBFSM_IDLE,
+	CPTRA_MBFSM_RDY_FOR_CMD,
+	CPTRA_MBFSM_RDY_FOR_DLEN,
+	CPTRA_MBFSM_RDY_FOR_DATA,
+	CPTRA_MBFSM_EXEC_UC,
+	CPTRA_MBFSM_EXEC_SOC,
+	CPTRA_MBFSM_ERROR,
+};
+
+struct cptra_ecdsa {
+	void *regs;
+};
+
+static uint32_t mbox_csum(uint32_t csum, uint8_t *data, uint32_t dlen)
+{
+	uint32_t i;
+
+	for (i = 0; i < dlen; ++i)
+		csum -= data[i];
+
+	return csum;
+}
+
+static int cptra_ecdsa_verify(struct udevice *dev, const struct ecdsa_public_key *pubkey,
+			      const void *hash, size_t hash_len,
+			      const void *signature, size_t sig_len)
+{
+	struct cptra_ecdsa *ce;
+	uint8_t *x, *y, *r, *s;
+	uint32_t cmd, csum;
+	uint32_t reg, sts;
+	uint32_t *p32;
+	int i;
+
+	if (hash_len != CPTRA_ECDSA_SHA_LEN || sig_len != CPTRA_ECDSA_SIG_LEN)
+		return -EINVAL;
+
+	if ((strcmp(pubkey->curve_name, "secp384r1") && strcmp(pubkey->curve_name, "prime384v1")) ||
+	    pubkey->size_bits != ((CPTRA_ECDSA_SIG_LEN / 2) << 3))
+		return -EINVAL;
+
+	ce = dev_get_priv(dev);
+
+	/* get CPTRA MBOX lock */
+	if (readl_poll_timeout(ce->regs + CPTRA_MBOX_LOCK, reg, reg == 0, 1000000))
+		return -EBUSY;
+
+	/* check MBOX is ready for command */
+	sts = readl(ce->regs + CPTRA_MBOX_STS);
+	if (FIELD_GET(CPTRA_MBOX_STS_FSM_PS, sts) != CPTRA_MBFSM_RDY_FOR_CMD)
+		return -EACCES;
+
+	/* init mbox parameters */
+	cmd = CPTRA_MBCMD_ECDSA384_SIGNATURE_VERIFY;
+	csum = 0;
+	x = (uint8_t *)pubkey->x;
+	y = (uint8_t *)pubkey->y;
+	r = (uint8_t *)signature;
+	s = (uint8_t *)signature + (CPTRA_ECDSA_SIG_LEN / 2);
+
+	/* calculate checksum */
+	csum = mbox_csum(csum, (uint8_t *)&cmd, sizeof(cmd));
+	csum = mbox_csum(csum, x, CPTRA_ECDSA_SIG_LEN / 2);
+	csum = mbox_csum(csum, y, CPTRA_ECDSA_SIG_LEN / 2);
+	csum = mbox_csum(csum, r, CPTRA_ECDSA_SIG_LEN / 2);
+	csum = mbox_csum(csum, s, CPTRA_ECDSA_SIG_LEN / 2);
+
+	/* write command, data length */
+	writel(cmd, ce->regs + CPTRA_MBOX_CMD);
+	writel(sizeof(csum) + (CPTRA_ECDSA_SIG_LEN << 1), ce->regs + CPTRA_MBOX_DLEN);
+
+	/* write ECDSA384_SIGNATURE_VERIFY command parameters */
+	writel(csum, ce->regs + CPTRA_MBOX_DATAIN);
+
+	for (i = 0, p32 = (uint32_t *)x; i < ((CPTRA_ECDSA_SIG_LEN / 2) / sizeof(*p32)); ++i)
+		writel(p32[i], ce->regs + CPTRA_MBOX_DATAIN);
+
+	for (i = 0, p32 = (uint32_t *)y; i < ((CPTRA_ECDSA_SIG_LEN / 2) / sizeof(*p32)); ++i)
+		writel(p32[i], ce->regs + CPTRA_MBOX_DATAIN);
+
+	for (i = 0, p32 = (uint32_t *)r; i < ((CPTRA_ECDSA_SIG_LEN / 2) / sizeof(*p32)); ++i)
+		writel(p32[i], ce->regs + CPTRA_MBOX_DATAIN);
+
+	for (i = 0, p32 = (uint32_t *)s; i < ((CPTRA_ECDSA_SIG_LEN / 2) / sizeof(*p32)); ++i)
+		writel(p32[i], ce->regs + CPTRA_MBOX_DATAIN);
+
+	/* trigger mbox command */
+	writel(0x1, ce->regs + CPTRA_MBOX_EXEC);
+
+	/* poll for result */
+	while (1) {
+		sts = FIELD_GET(CPTRA_MBOX_STS_PS, readl(ce->regs + CPTRA_MBOX_STS));
+		if (sts != CPTRA_MBSTS_CMD_BUSY)
+			break;
+	}
+
+	/* unlock mbox */
+	writel(0x0, ce->regs + CPTRA_MBOX_EXEC);
+
+	return (sts == CPTRA_MBSTS_CMD_FAILURE) ? sts : 0;
+}
+
+static int cptra_ecdsa_probe(struct udevice *dev)
+{
+	struct cptra_ecdsa *ce = dev_get_priv(dev);
+
+	ce->regs = (void *)devfdt_get_addr(dev);
+	if (ce->regs == (void *)FDT_ADDR_T_NONE) {
+		debug("cannot map Caliptra mailbox registers\n");
+		return -EINVAL;
+	}
+
+	return 0;
+}
+
+static int cptra_ecdsa_remove(struct udevice *dev)
+{
+	return 0;
+}
+
+static const struct ecdsa_ops cptra_ecdsa_ops = {
+	.verify = cptra_ecdsa_verify,
+};
+
+static const struct udevice_id cptra_ecdsa_ids[] = {
+	{ .compatible = "aspeed,ast2700-cptra-ecdsa" },
+	{ }
+};
+
+U_BOOT_DRIVER(aspeed_cptra_ecdsa) = {
+	.name = "aspeed_cptra_ecdsa",
+	.id = UCLASS_ECDSA,
+	.of_match = cptra_ecdsa_ids,
+	.ops = &cptra_ecdsa_ops,
+	.probe = cptra_ecdsa_probe,
+	.remove = cptra_ecdsa_remove,
+	.priv_auto = sizeof(struct cptra_ecdsa),
+	.flags = DM_FLAG_PRE_RELOC,
+};
diff --git a/include/u-boot/ecdsa.h b/include/u-boot/ecdsa.h
index 8f9f5e7d6e7..f0ac0f327e9 100644
--- a/include/u-boot/ecdsa.h
+++ b/include/u-boot/ecdsa.h
@@ -65,6 +65,7 @@ int ecdsa_verify(struct image_sign_info *info,
 /** @} */
 
 #define ECDSA256_BYTES	(256 / 8)
+#define ECDSA384_BYTES	(384 / 8)
 #define ECDSA521_BYTES	((521 + 7) / 8)
 
 #endif
diff --git a/lib/ecdsa/ecdsa-verify.c b/lib/ecdsa/ecdsa-verify.c
index 4d1835b598a..629b662cf6c 100644
--- a/lib/ecdsa/ecdsa-verify.c
+++ b/lib/ecdsa/ecdsa-verify.c
@@ -22,8 +22,10 @@ static int ecdsa_key_size(const char *curve_name)
 {
 	if (!strcmp(curve_name, "prime256v1"))
 		return 256;
-	else
-		return 0;
+	else if (!strcmp(curve_name, "secp384r1"))
+		return 384;
+
+	return 0;
 }
 
 static int fdt_get_key(struct ecdsa_public_key *key, const void *fdt, int node)
@@ -121,12 +123,18 @@ int ecdsa_verify(struct image_sign_info *info,
 	return ecdsa_verify_hash(dev, info, hash, sig, sig_len);
 }
 
-U_BOOT_CRYPTO_ALGO(ecdsa) = {
+U_BOOT_CRYPTO_ALGO(ecdsa256) = {
 	.name = "ecdsa256",
 	.key_len = ECDSA256_BYTES,
 	.verify = ecdsa_verify,
 };
 
+U_BOOT_CRYPTO_ALGO(ecdsa384) = {
+	.name = "ecdsa384",
+	.key_len = ECDSA384_BYTES,
+	.verify = ecdsa_verify,
+};
+
 /*
  * uclass definition for ECDSA API
  *
diff --git a/tools/image-sig-host.c b/tools/image-sig-host.c
index 21b4fa5d39d..5285263c616 100644
--- a/tools/image-sig-host.c
+++ b/tools/image-sig-host.c
@@ -77,6 +77,13 @@ struct crypto_algo crypto_algos[] = {
 		.verify = ecdsa_verify,
 	},
 	{
+		.name = "ecdsa384",
+		.key_len = ECDSA384_BYTES,
+		.sign = ecdsa_sign,
+		.add_verify_data = ecdsa_add_verify_data,
+		.verify = ecdsa_verify,
+	},
+	{
 		.name = "secp521r1",
 		.key_len = ECDSA521_BYTES,
 		.sign = ecdsa_sign,