Tegra186: add SE support to generate SHA256 of TZRAM

The BL3-1 firmware code is stored in TZSRAM on Tegra186 platforms. This
memory loses power when we enter System Suspend and so its contents are
stored to TZDRAM, before entry. This opens up an attack vector where the
TZDRAM contents might be tampered with when we are in the System Suspend
mode. To mitigate this attack the SE engine calculates the hash of entire
TZSRAM and stores it in PMC scratch, before we copy data to TZDRAM. The
WB0 code will validate the TZDRAM and match the hash with the one in PMC
scratch.

This patch adds driver for the SE engine, with APIs to calculate the hash
and store SE SHA256 hash-result to PMC scratch registers.

Change-Id: Ib487d5629225d3d99bd35d44f0402d6d3cf27ddf
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>

plat/nvidia/tegra/include/drivers/security_engine.h

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2017-2020, ARM Limited and Contributors. All rights reserved.
- * Copyright (c) 2017, NVIDIA CORPORATION.  All rights reserved.
+ * Copyright (c) 2017-2020, NVIDIA CORPORATION.  All rights reserved.
  *
  * SPDX-License-Identifier: BSD-3-Clause
  */
@@ -55,5 +55,6 @@ void tegra_se_init(void);
 int tegra_se_suspend(void);
 void tegra_se_resume(void);
 int tegra_se_save_tzram(void);
+int32_t tegra_se_save_sha256_hash(uint64_t bl31_base, uint32_t src_len_inbyte);
 
 #endif /* SECURITY_ENGINE_H */

plat/nvidia/tegra/include/t186/tegra_def.h

@@ -246,6 +246,7 @@
  * Tegra scratch registers constants
  ******************************************************************************/
 #define TEGRA_SCRATCH_BASE		U(0x0C390000)
+#define  SECURE_SCRATCH_RSV0_HI		U(0x654)
 #define  SECURE_SCRATCH_RSV1_LO		U(0x658)
 #define  SECURE_SCRATCH_RSV1_HI		U(0x65C)
 #define  SECURE_SCRATCH_RSV6		U(0x680)
@@ -255,6 +256,15 @@
 #define  SECURE_SCRATCH_RSV53_HI	U(0x7FC)
 #define  SECURE_SCRATCH_RSV55_LO	U(0x808)
 #define  SECURE_SCRATCH_RSV55_HI	U(0x80C)
+#define  SECURE_SCRATCH_RSV63_LO	U(0x848)
+#define  SECURE_SCRATCH_RSV63_HI	U(0x84C)
+#define  SECURE_SCRATCH_RSV64_LO	U(0x850)
+#define  SECURE_SCRATCH_RSV64_HI	U(0x854)
+#define  SECURE_SCRATCH_RSV65_LO	U(0x858)
+#define  SECURE_SCRATCH_RSV65_HI	U(0x85c)
+#define  SECURE_SCRATCH_RSV66_LO	U(0x860)
+#define  SECURE_SCRATCH_RSV66_HI	U(0x864)
+#define  SECURE_SCRATCH_RSV68_LO	U(0x870)
 
 #define SCRATCH_RESET_VECTOR_LO		SECURE_SCRATCH_RSV1_LO
 #define SCRATCH_RESET_VECTOR_HI		SECURE_SCRATCH_RSV1_HI

plat/nvidia/tegra/soc/t186/drivers/se/se.c

@@ -0,0 +1,278 @@
+/*
+ * Copyright (c) 2020, NVIDIA Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <assert.h>
+#include <drivers/delay_timer.h>
+#include <errno.h>
+#include <string.h>
+
+#include <bpmp_ipc.h>
+#include <pmc.h>
+#include <security_engine.h>
+#include <tegra186_private.h>
+#include <tegra_private.h>
+
+#include "se_private.h"
+
+/*******************************************************************************
+ * Constants and Macros
+ ******************************************************************************/
+#define SE0_MAX_BUSY_TIMEOUT_MS		U(100)	/* 100ms */
+#define BYTES_IN_WORD			U(4)
+#define SHA256_MAX_HASH_RESULT		U(7)
+#define SHA256_DST_SIZE			U(32)
+#define SHA_FIRST_OP			U(1)
+#define MAX_SHA_ENGINE_CHUNK_SIZE	U(0xFFFFFF)
+#define SHA256_MSG_LENGTH_ONETIME	U(0xffff)
+
+/*
+ * Check that SE operation has completed after kickoff
+ * This function is invoked after an SE operation has been started,
+ * and it checks the following conditions:
+ * 1. SE0_INT_STATUS = SE0_OP_DONE
+ * 2. SE0_STATUS = IDLE
+ * 3. SE0_ERR_STATUS is clean.
+ */
+static int32_t tegra_se_operation_complete(void)
+{
+	uint32_t val = 0U;
+
+	/* Read SE0 interrupt register to ensure H/W operation complete */
+	val = tegra_se_read_32(SE0_INT_STATUS_REG_OFFSET);
+	if (SE0_INT_OP_DONE(val) == SE0_INT_OP_DONE_CLEAR) {
+		ERROR("%s: Engine busy state too many times! val = 0x%x\n",
+			__func__, val);
+		return -ETIMEDOUT;
+	}
+
+	/* Read SE0 status idle to ensure H/W operation complete */
+	val = tegra_se_read_32(SE0_SHA_STATUS_0);
+	if (val != SE0_SHA_STATUS_IDLE) {
+		ERROR("%s: Idle state timeout! val = 0x%x\n", __func__,
+			val);
+		return -ETIMEDOUT;
+	}
+
+	/* Ensure that no errors are thrown during operation */
+	val = tegra_se_read_32(SE0_ERR_STATUS_REG_OFFSET);
+	if (val != SE0_ERR_STATUS_CLEAR) {
+		ERROR("%s: Error during SE operation! val = 0x%x",
+			__func__, val);
+		return -ENOTSUP;
+	}
+
+	return 0;
+}
+
+/*
+ * Security engine primitive normal operations
+ */
+static int32_t tegra_se_start_normal_operation(uint64_t src_addr,
+		uint32_t nbytes, uint32_t last_buf, uint32_t src_len_inbytes)
+{
+	int32_t ret = 0;
+	uint32_t val = 0U;
+	uint32_t src_in_lo;
+	uint32_t src_in_msb;
+	uint32_t src_in_hi;
+
+	if ((src_addr == 0UL) || (nbytes == 0U))
+		return -EINVAL;
+
+	src_in_lo = (uint32_t)src_addr;
+	src_in_msb = ((uint32_t)(src_addr >> 32U) & 0xffU);
+	src_in_hi = ((src_in_msb << SE0_IN_HI_ADDR_HI_0_MSB_SHIFT) |
+				(nbytes & 0xffffffU));
+
+	/* set SRC_IN_ADDR_LO and SRC_IN_ADDR_HI*/
+	tegra_se_write_32(SE0_IN_ADDR, src_in_lo);
+	tegra_se_write_32(SE0_IN_HI_ADDR_HI, src_in_hi);
+
+	val = tegra_se_read_32(SE0_INT_STATUS_REG_OFFSET);
+	if (val > 0U) {
+		tegra_se_write_32(SE0_INT_STATUS_REG_OFFSET, 0x00000U);
+	}
+
+	/* Enable SHA interrupt for SE0 Operation */
+	tegra_se_write_32(SE0_SHA_INT_ENABLE, 0x1aU);
+
+	/* flush to DRAM for SE to use the updated contents */
+	flush_dcache_range(src_addr, src_len_inbytes);
+
+	/* Start SHA256 operation */
+	if (last_buf == 1U) {
+		tegra_se_write_32(SE0_OPERATION_REG_OFFSET, SE0_OP_START |
+				SE0_UNIT_OPERATION_PKT_LASTBUF_FIELD);
+	} else {
+		tegra_se_write_32(SE0_OPERATION_REG_OFFSET, SE0_OP_START);
+	}
+
+	/* Wait for SE-operation to finish */
+	udelay(SE0_MAX_BUSY_TIMEOUT_MS * 100U);
+
+	/* Check SE0 operation status */
+	ret = tegra_se_operation_complete();
+	if (ret != 0) {
+		ERROR("SE operation complete Failed! 0x%x", ret);
+		return ret;
+	}
+
+	return 0;
+}
+
+static int32_t tegra_se_calculate_sha256_hash(uint64_t src_addr,
+						uint32_t src_len_inbyte)
+{
+	uint32_t val, last_buf, i;
+	int32_t ret = 0;
+	uint32_t operations;
+	uint64_t src_len_inbits;
+	uint32_t len_bits_msb;
+	uint32_t len_bits_lsb;
+	uint32_t number_of_operations, max_bytes, bytes_left, remaining_bytes;
+
+	if (src_len_inbyte > MAX_SHA_ENGINE_CHUNK_SIZE) {
+		ERROR("SHA input chunk size too big: 0x%x\n", src_len_inbyte);
+		return -EINVAL;
+	}
+
+	if (src_addr == 0UL) {
+		return -EINVAL;
+	}
+
+	/* number of bytes per operation */
+	max_bytes = SHA256_HASH_SIZE_BYTES * SHA256_MSG_LENGTH_ONETIME;
+
+	src_len_inbits = src_len_inbyte * 8U;
+	len_bits_msb = (uint32_t)(src_len_inbits >> 32U);
+	len_bits_lsb = (uint32_t)(src_len_inbits & 0xFFFFFFFF);
+
+	/* program SE0_CONFIG for SHA256 operation */
+	val = SE0_CONFIG_ENC_ALG_SHA | SE0_CONFIG_ENC_MODE_SHA256 |
+		SE0_CONFIG_DEC_ALG_NOP | SE0_CONFIG_DST_HASHREG;
+	tegra_se_write_32(SE0_SHA_CONFIG, val);
+
+	/* set SE0_SHA_MSG_LENGTH registers */
+	tegra_se_write_32(SE0_SHA_MSG_LENGTH_0, len_bits_lsb);
+	tegra_se_write_32(SE0_SHA_MSG_LEFT_0, len_bits_lsb);
+	tegra_se_write_32(SE0_SHA_MSG_LENGTH_1, len_bits_msb);
+
+	/* zero out unused SE0_SHA_MSG_LENGTH and SE0_SHA_MSG_LEFT */
+	tegra_se_write_32(SE0_SHA_MSG_LENGTH_2, 0U);
+	tegra_se_write_32(SE0_SHA_MSG_LENGTH_3, 0U);
+	tegra_se_write_32(SE0_SHA_MSG_LEFT_1, 0U);
+	tegra_se_write_32(SE0_SHA_MSG_LEFT_2, 0U);
+	tegra_se_write_32(SE0_SHA_MSG_LEFT_3, 0U);
+
+	number_of_operations = src_len_inbyte / max_bytes;
+	remaining_bytes = src_len_inbyte % max_bytes;
+	if (remaining_bytes > 0U) {
+		number_of_operations += 1U;
+	}
+
+	/*
+	 * 1. Operations == 1:	program SE0_SHA_TASK register to initiate SHA256
+	 *			hash generation by setting
+	 *			1(SE0_SHA_CONFIG_HW_INIT_HASH) to SE0_SHA_TASK
+	 *			and start SHA256-normal operation.
+	 * 2. 1 < Operations < number_of_operations: program SE0_SHA_TASK to
+	 *			0(SE0_SHA_CONFIG_HW_INIT_HASH_DISABLE) to load
+	 *			intermediate SHA256 digest result from
+	 *			HASH_RESULT register to continue SHA256
+	 *			generation and start SHA256-normal operation.
+	 * 3. Operations == number_of_operations: continue with step 2 and set
+	 *			max_bytes to bytes_left to process final
+	 *			hash-result generation and
+	 *			start SHA256-normal operation.
+	 */
+	bytes_left = src_len_inbyte;
+	for (operations = 1U; operations <= number_of_operations;
+								operations++) {
+		if (operations == SHA_FIRST_OP) {
+			val = SE0_SHA_CONFIG_HW_INIT_HASH;
+		} else {
+			/* Load intermediate SHA digest result to
+			 * SHA:HASH_RESULT(0..7) to continue the SHA
+			 * calculation and tell the SHA engine to use it.
+			 */
+			for (i = 0U; (i / BYTES_IN_WORD) <=
+				SHA256_MAX_HASH_RESULT; i += BYTES_IN_WORD) {
+				val = tegra_se_read_32(SE0_SHA_HASH_RESULT_0 +
+									i);
+				tegra_se_write_32(SE0_SHA_HASH_RESULT_0 + i,
+									val);
+			}
+			val = SE0_SHA_CONFIG_HW_INIT_HASH_DISABLE;
+			if (len_bits_lsb <= (max_bytes * 8U)) {
+				len_bits_lsb = (remaining_bytes * 8U);
+			} else {
+				len_bits_lsb -= (max_bytes * 8U);
+			}
+			tegra_se_write_32(SE0_SHA_MSG_LEFT_0, len_bits_lsb);
+		}
+		tegra_se_write_32(SE0_SHA_TASK_CONFIG, val);
+
+		max_bytes = (SHA256_HASH_SIZE_BYTES *
+						SHA256_MSG_LENGTH_ONETIME);
+		if (bytes_left < max_bytes) {
+			max_bytes = bytes_left;
+			last_buf = 1U;
+		} else {
+			bytes_left = bytes_left - max_bytes;
+			last_buf = 0U;
+		}
+		/* start operation */
+		ret = tegra_se_start_normal_operation(src_addr, max_bytes,
+					last_buf, src_len_inbyte);
+		if (ret != 0) {
+			ERROR("Error during SE operation! 0x%x", ret);
+			return -EINVAL;
+		}
+	}
+
+	return ret;
+}
+
+/*
+ * Handler to generate SHA256 and save SHA256 hash to PMC-Scratch register.
+ */
+int32_t tegra_se_save_sha256_hash(uint64_t bl31_base, uint32_t src_len_inbyte)
+{
+	int32_t ret = 0;
+	uint32_t val = 0U, hash_offset = 0U, scratch_offset = 0U, security;
+
+	/*
+	 * Set SE_SOFT_SETTINGS=SE_SECURE to prevent NS process to change SE
+	 * registers.
+	 */
+	security = tegra_se_read_32(SE0_SECURITY);
+	tegra_se_write_32(SE0_SECURITY, security | SE0_SECURITY_SE_SOFT_SETTING);
+
+	ret = tegra_se_calculate_sha256_hash(bl31_base, src_len_inbyte);
+	if (ret != 0L) {
+		ERROR("%s: SHA256 generation failed\n", __func__);
+		return ret;
+	}
+
+	/*
+	 * Reset SE_SECURE to previous value.
+	 */
+	tegra_se_write_32(SE0_SECURITY, security);
+
+	/* read SHA256_HASH_RESULT and save to PMC Scratch registers */
+	scratch_offset = SECURE_SCRATCH_TZDRAM_SHA256_HASH_START;
+	while (scratch_offset <= SECURE_SCRATCH_TZDRAM_SHA256_HASH_END) {
+
+		val = tegra_se_read_32(SE0_SHA_HASH_RESULT_0 + hash_offset);
+		mmio_write_32(TEGRA_SCRATCH_BASE + scratch_offset, val);
+
+		hash_offset += BYTES_IN_WORD;
+		scratch_offset += BYTES_IN_WORD;
+	}
+
+	return ret;
+}
+

plat/nvidia/tegra/soc/t186/drivers/se/se_private.h

@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2020, NVIDIA Corporation. All rights reserved.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#ifndef SE_PRIVATE_H
+#define SE_PRIVATE_H
+
+#include <lib/utils_def.h>
+
+/* SE0 security register */
+#define SE0_SECURITY				U(0x18)
+#define SE0_SECURITY_SE_SOFT_SETTING		(((uint32_t)1) << 16U)
+
+/* SE0 config register */
+#define SE0_SHA_CONFIG				U(0x104)
+#define SE0_SHA_TASK_CONFIG			U(0x108)
+#define SE0_SHA_CONFIG_HW_INIT_HASH		((1U) << 0U)
+#define SE0_SHA_CONFIG_HW_INIT_HASH_DISABLE	U(0)
+
+#define SE0_CONFIG_ENC_ALG_SHIFT		U(12)
+#define SE0_CONFIG_ENC_ALG_SHA	\
+		(((uint32_t)3) << SE0_CONFIG_ENC_ALG_SHIFT)
+#define SE0_CONFIG_DEC_ALG_SHIFT		U(8)
+#define SE0_CONFIG_DEC_ALG_NOP	\
+		(((uint32_t)0) << SE0_CONFIG_DEC_ALG_SHIFT)
+#define SE0_CONFIG_DST_SHIFT			U(2)
+#define SE0_CONFIG_DST_HASHREG	\
+		(((uint32_t)1) << SE0_CONFIG_DST_SHIFT)
+#define SHA256_HASH_SIZE_BYTES			U(256)
+
+#define SE0_CONFIG_ENC_MODE_SHIFT		U(24)
+#define SE0_CONFIG_ENC_MODE_SHA256	\
+			(((uint32_t)5) << SE0_CONFIG_ENC_MODE_SHIFT)
+
+/* SHA input message length */
+#define SE0_SHA_MSG_LENGTH_0			U(0x11c)
+#define SE0_SHA_MSG_LENGTH_1			U(0x120)
+#define SE0_SHA_MSG_LENGTH_2			U(0x124)
+#define SE0_SHA_MSG_LENGTH_3			U(0x128)
+
+/* SHA input message left  */
+#define SE0_SHA_MSG_LEFT_0			U(0x12c)
+#define SE0_SHA_MSG_LEFT_1			U(0x130)
+#define SE0_SHA_MSG_LEFT_2			U(0x134)
+#define SE0_SHA_MSG_LEFT_3			U(0x138)
+
+/* SE Hash Result */
+#define SE0_SHA_HASH_RESULT_0			U(0x13c)
+
+/* SE OPERATION */
+#define SE0_OPERATION_REG_OFFSET		U(0x17c)
+#define SE0_UNIT_OPERATION_PKT_LASTBUF_SHIFT	U(16)
+#define SE0_UNIT_OPERATION_PKT_LASTBUF_FIELD	\
+		(((uint32_t)0x1) << SE0_UNIT_OPERATION_PKT_LASTBUF_SHIFT)
+#define SE0_OPERATION_SHIFT			U(0)
+#define SE0_OP_START	\
+		(((uint32_t)0x1) << SE0_OPERATION_SHIFT)
+
+/* SE Interrupt */
+#define SE0_SHA_INT_ENABLE			U(0x180)
+
+#define SE0_INT_STATUS_REG_OFFSET		U(0x184)
+#define SE0_INT_OP_DONE_SHIFT			U(4)
+#define SE0_INT_OP_DONE_CLEAR	\
+		(((uint32_t)0) << SE0_INT_OP_DONE_SHIFT)
+#define SE0_INT_OP_DONE(x)	\
+		((x) & (((uint32_t)0x1) << SE0_INT_OP_DONE_SHIFT))
+
+/* SE SHA status */
+#define SE0_SHA_STATUS_0			U(0x188)
+#define SE0_SHA_STATUS_IDLE			U(0)
+
+/* SE error status */
+#define SE0_ERR_STATUS_REG_OFFSET		U(0x18c)
+#define SE0_ERR_STATUS_CLEAR			U(0)
+#define SE0_IN_ADDR				U(0x10c)
+#define SE0_IN_HI_ADDR_HI			U(0x110)
+#define SE0_IN_HI_ADDR_HI_0_MSB_SHIFT		U(24)
+
+/* SE error status */
+#define SECURE_SCRATCH_TZDRAM_SHA256_HASH_START	SECURE_SCRATCH_RSV63_LO
+#define SECURE_SCRATCH_TZDRAM_SHA256_HASH_END	SECURE_SCRATCH_RSV66_HI
+
+/*******************************************************************************
+ * Inline functions definition
+ ******************************************************************************/
+
+static inline uint32_t tegra_se_read_32(uint32_t offset)
+{
+	return mmio_read_32((uint32_t)(TEGRA_SE0_BASE + offset));
+}
+
+static inline void tegra_se_write_32(uint32_t offset, uint32_t val)
+{
+	mmio_write_32(((uint32_t)(TEGRA_SE0_BASE + offset)), val);
+}
+
+#endif /* SE_PRIVATE_H */

plat/nvidia/tegra/soc/t186/plat_psci_handlers.c

@@ -6,6 +6,7 @@
  */
 
 #include <assert.h>
+#include <stdbool.h>
 #include <string.h>
 
 #include <arch.h>
@@ -19,9 +20,10 @@
 #include <lib/psci/psci.h>
 #include <plat/common/platform.h>
 
+#include <bpmp_ipc.h>
 #include <mce.h>
+#include <security_engine.h>
 #include <smmu.h>
-#include <stdbool.h>
 #include <t18x_ari.h>
 #include <tegra186_private.h>
 #include <tegra_private.h>
@@ -280,8 +282,33 @@ int32_t tegra_soc_pwr_domain_power_down_wfi(const psci_power_state_t *target_sta
 	uint8_t stateid_afflvl2 = pwr_domain_state[PLAT_MAX_PWR_LVL] &
 		TEGRA186_STATE_ID_MASK;
 	uint64_t val;
+	uint64_t src_len_in_bytes = (uint64_t)(((uintptr_t)(&__BL31_END__) -
+					(uintptr_t)BL31_BASE));
+	int32_t ret;
 
 	if (stateid_afflvl2 == PSTATE_ID_SOC_POWERDN) {
+		val = params_from_bl2->tzdram_base +
+		      tegra186_get_cpu_reset_handler_size();
+
+		/* Initialise communication channel with BPMP */
+		assert(tegra_bpmp_ipc_init() == 0);
+
+		/* Enable SE clock */
+		ret = tegra_bpmp_ipc_enable_clock(TEGRA_CLK_SE);
+		if (ret != 0) {
+			ERROR("Failed to enable clock\n");
+			return ret;
+		}
+
+		/*
+		 * Generate/save SHA256 of ATF during SC7 entry
+		 */
+		if (tegra_se_save_sha256_hash(BL31_BASE,
+					(uint32_t)src_len_in_bytes) != 0) {
+			ERROR("Hash calculation failed. Reboot\n");
+			(void)tegra_soc_prepare_system_reset();
+		}
+
 		/*
 		 * The TZRAM loses power when we enter system suspend. To
 		 * allow graceful exit from system suspend, we need to copy
@@ -291,6 +318,12 @@ int32_t tegra_soc_pwr_domain_power_down_wfi(const psci_power_state_t *target_sta
 			tegra186_get_cpu_reset_handler_size();
 		memcpy16((void *)(uintptr_t)val, (void *)(uintptr_t)BL31_BASE,
 			 (uintptr_t)BL31_END - (uintptr_t)BL31_BASE);
+
+		ret = tegra_bpmp_ipc_disable_clock(TEGRA_CLK_SE);
+		if (ret != 0) {
+			ERROR("Failed to disable clock\n");
+			return ret;
+		}
 	}
 
 	return PSCI_E_SUCCESS;

plat/nvidia/tegra/soc/t186/platform_t186.mk

@@ -51,6 +51,7 @@ BL31_SOURCES		+=	drivers/ti/uart/aarch64/16550_console.S	\
 				${SOC_DIR}/drivers/mce/ari.c		\
 				${SOC_DIR}/drivers/mce/nvg.c		\
 				${SOC_DIR}/drivers/mce/aarch64/nvg_helpers.S \
+				$(SOC_DIR)/drivers/se/se.c \
 				${SOC_DIR}/plat_memctrl.c		\
 				${SOC_DIR}/plat_psci_handlers.c		\
 				${SOC_DIR}/plat_setup.c			\