@@ -275,4 +275,10 @@ config QCOM_ICC_BWMON
the fixed bandwidth votes from cpufreq (CPU nodes) thus achieve high
memory throughput even with lower CPU frequencies.
+config QCOM_INLINE_CRYPTO_ENGINE
+ tristate
+ depends on SCSI_UFS_CRYPTO || MMC_CRYPTO
+ default y if SCSI_UFS_QCOM=y || MMC_SDHCI_MSM=y
+ select QCOM_SCM
+
endmenu
@@ -32,3 +32,4 @@ obj-$(CONFIG_QCOM_RPMHPD) += rpmhpd.o
obj-$(CONFIG_QCOM_RPMPD) += rpmpd.o
obj-$(CONFIG_QCOM_KRYO_L2_ACCESSORS) += kryo-l2-accessors.o
obj-$(CONFIG_QCOM_ICC_BWMON) += icc-bwmon.o
+obj-$(CONFIG_QCOM_INLINE_CRYPTO_ENGINE) += ice.o
new file mode 100644
@@ -0,0 +1,301 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Qualcomm ICE (Inline Crypto Engine) support.
+ *
+ * Copyright (c) 2013-2019, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2019, Google LLC
+ * Copyright (c) 2023, Linaro Limited
+ */
+
+#include <linux/clk.h>
+#include <linux/delay.h>
+#include <linux/iopoll.h>
+#include <linux/of_platform.h>
+
+#include <linux/firmware/qcom/qcom_scm.h>
+
+#include <soc/qcom/ice.h>
+
+#define AES_256_XTS_KEY_SIZE 64
+
+/* QCOM ICE registers */
+#define QCOM_ICE_REG_VERSION 0x0008
+#define QCOM_ICE_REG_FUSE_SETTING 0x0010
+
+/* QCOM ICE v2.X only */
+
+#define QCOM_ICE_REG_BIST_STATUS 0x0070
+#define QCOM_ICE_REG_ADVANCED_CONTROL 0x1000
+
+/* BIST ("built-in self-test"?) status flags */
+#define QCOM_ICE_BIST_STATUS_MASK GENMASK(31, 28)
+
+#define QCOM_ICE_FUSE_SETTING_MASK 0x1
+#define QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK 0x2
+#define QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK 0x4
+
+#define qcom_ice_writel(engine, val, reg) \
+ writel((val), (engine)->base + (reg))
+
+#define qcom_ice_readl(engine, reg) \
+ readl((engine)->base + (reg))
+
+/* Only one ICE instance is currently supported by HW */
+static bool qcom_ice_check_supported(struct qcom_ice *ice)
+{
+ u32 regval = qcom_ice_readl(ice, QCOM_ICE_REG_VERSION);
+ struct device *dev = ice->dev;
+ int major = FIELD_GET(GENMASK(31, 24), regval);
+ int minor = FIELD_GET(GENMASK(23, 16), regval);
+ int step = FIELD_GET(GENMASK(15, 0), regval);
+
+ /* For now this driver only supports ICE version 3. */
+ if (major != 3) {
+ dev_warn(dev, "Unsupported ICE version: v%d.%d.%d\n",
+ major, minor, step);
+ return false;
+ }
+
+ dev_info(dev, "Found QC Inline Crypto Engine (ICE) v%d.%d.%d\n",
+ major, minor, step);
+
+ /* If fuses are blown, ICE might not work in the standard way. */
+ regval = qcom_ice_readl(ice, QCOM_ICE_REG_FUSE_SETTING);
+ if (regval & (QCOM_ICE_FUSE_SETTING_MASK |
+ QCOM_ICE_FORCE_HW_KEY0_SETTING_MASK |
+ QCOM_ICE_FORCE_HW_KEY1_SETTING_MASK)) {
+ dev_warn(dev, "Fuses are blown; ICE is unusable!\n");
+ return false;
+ }
+
+ return true;
+}
+
+static void qcom_ice_low_power_mode_enable(struct qcom_ice *ice)
+{
+ u32 regval;
+
+ regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
+
+ /* Enable low power mode sequence */
+ regval |= 0x7000;
+ qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
+}
+
+static void qcom_ice_optimization_enable(struct qcom_ice *ice)
+{
+ u32 regval;
+
+ /* ICE Optimizations Enable Sequence */
+ regval = qcom_ice_readl(ice, QCOM_ICE_REG_ADVANCED_CONTROL);
+ regval |= 0xd807100;
+ /* ICE HPG requires delay before writing */
+ udelay(5);
+ qcom_ice_writel(ice, regval, QCOM_ICE_REG_ADVANCED_CONTROL);
+ udelay(5);
+}
+
+/*
+ * Wait until the ICE BIST (built-in self-test) has completed.
+ *
+ * This may be necessary before ICE can be used.
+ * Note that we don't really care whether the BIST passed or failed;
+ * we really just want to make sure that it isn't still running. This is
+ * because (a) the BIST is a FIPS compliance thing that never fails in
+ * practice, (b) ICE is documented to reject crypto requests if the BIST
+ * fails, so we needn't do it in software too, and (c) properly testing
+ * storage encryption requires testing the full storage stack anyway,
+ * and not relying on hardware-level self-tests.
+ */
+static int qcom_ice_wait_bist_status(struct qcom_ice *ice)
+{
+ u32 regval;
+ int err;
+
+ err = readl_poll_timeout(ice->base + QCOM_ICE_REG_BIST_STATUS,
+ regval, !(regval & QCOM_ICE_BIST_STATUS_MASK),
+ 50, 5000);
+ if (err)
+ dev_err(ice->dev,
+ "Timed out waiting for ICE self-test to complete\n");
+ return err;
+}
+
+int qcom_ice_resume(struct qcom_ice *ice)
+{
+ struct device *dev = ice->dev;
+ int err;
+
+ if (!ice)
+ return 0;
+
+ err = qcom_ice_wait_bist_status(ice);
+ if (err) {
+ dev_err(dev, "BIST status error (%d)\n", err);
+ return err;
+ }
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(qcom_ice_resume);
+
+int qcom_ice_enable(struct qcom_ice *ice)
+{
+ if (!ice)
+ return 0;
+
+ qcom_ice_low_power_mode_enable(ice);
+ qcom_ice_optimization_enable(ice);
+
+ return qcom_ice_resume(ice);
+}
+EXPORT_SYMBOL_GPL(qcom_ice_enable);
+
+int qcom_ice_program_key(struct qcom_ice *ice, u8 crypto_cap_idx,
+ u8 algorithm_id, u8 key_size,
+ const u8 crypto_key[], u8 data_unit_size,
+ int slot)
+{
+ struct device *dev;
+ union {
+ u8 bytes[AES_256_XTS_KEY_SIZE];
+ u32 words[AES_256_XTS_KEY_SIZE / sizeof(u32)];
+ } key;
+ int i;
+ int err;
+
+ if (!ice)
+ return 0;
+
+ dev = ice->dev;
+
+ /* Only AES-256-XTS has been tested so far. */
+ if (algorithm_id != QCOM_ICE_CRYPTO_ALG_AES_XTS ||
+ key_size != QCOM_ICE_CRYPTO_KEY_SIZE_256) {
+ dev_err_ratelimited(dev,
+ "Unhandled crypto capability; algorithm_id=%d, key_size=%d\n",
+ algorithm_id, key_size);
+ return -EINVAL;
+ }
+
+ memcpy(key.bytes, crypto_key, AES_256_XTS_KEY_SIZE);
+
+ /*
+ * The SCM call byte-swaps the 32-bit words of the key.
+ * So we have to do the same, in order for the final key be correct.
+ */
+ for (i = 0; i < ARRAY_SIZE(key.words); i++)
+ __cpu_to_be32s(&key.words[i]);
+
+ err = qcom_scm_ice_set_key(slot, key.bytes, AES_256_XTS_KEY_SIZE,
+ QCOM_SCM_ICE_CIPHER_AES_256_XTS,
+ data_unit_size);
+
+ memzero_explicit(&key, sizeof(key));
+
+ return err;
+}
+EXPORT_SYMBOL_GPL(qcom_ice_program_key);
+
+int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
+{
+ if (!ice)
+ return 0;
+
+ return qcom_scm_ice_invalidate_key(slot);
+}
+EXPORT_SYMBOL_GPL(qcom_ice_evict_key);
+
+struct qcom_ice *of_qcom_ice_get(struct device *dev)
+{
+ struct platform_device *pdev;
+ struct qcom_ice *ice = ERR_PTR(-EPROBE_DEFER);
+ struct device_node *node;
+
+ if (!dev || !dev->of_node)
+ return ERR_PTR(-ENODEV);
+
+ node = of_parse_phandle(dev->of_node, "qcom,ice", 0);
+ if (!node) {
+ ice = NULL;
+ goto out;
+ }
+
+ pdev = of_find_device_by_node(node);
+ if (!pdev) {
+ dev_err(dev, "Cannot find device node %s\n", node->name);
+ goto out;
+ }
+
+ ice = platform_get_drvdata(pdev);
+ if (!ice) {
+ dev_err(dev, "Cannot get ice\n");
+ put_device(&pdev->dev);
+ return ERR_PTR(-ENODEV);
+ }
+
+out:
+ of_node_put(node);
+
+ return ice;
+}
+EXPORT_SYMBOL_GPL(of_qcom_ice_get);
+
+static int qcom_ice_probe(struct platform_device *pdev)
+{
+ struct device *dev = &pdev->dev;
+ struct device_node *np = dev->of_node;
+ struct qcom_ice *engine;
+
+ if (!qcom_scm_is_available())
+ return -EPROBE_DEFER;
+
+ if (!qcom_scm_ice_available()) {
+ dev_warn(dev, "ICE SCM interface not found\n");
+ return 0;
+ }
+
+ engine = devm_kzalloc(dev, sizeof(*engine), GFP_KERNEL);
+ if (!engine)
+ return -ENOMEM;
+
+ engine->dev = dev;
+ engine->np = np;
+
+ engine->base = devm_platform_ioremap_resource(pdev, 0);
+ if (IS_ERR(engine->base))
+ return PTR_ERR(engine->base);
+
+ engine->core_clk = devm_clk_get_enabled(dev, NULL);
+ if (IS_ERR(engine->core_clk))
+ return dev_err_probe(dev, PTR_ERR(engine->core_clk),
+ "failed to get and enable core clk\n");
+
+ if (!qcom_ice_check_supported(engine))
+ return -EOPNOTSUPP;
+
+ platform_set_drvdata(pdev, engine);
+
+ dev_dbg(dev, "Registered Qualcomm Inline Crypto Engine\n");
+
+ return 0;
+}
+
+static const struct of_device_id qcom_ice_of_match_table[] = {
+ { .compatible = "qcom,inline-crypto-engine" },
+ { },
+};
+MODULE_DEVICE_TABLE(of, qcom_ice_of_match_table);
+
+static struct platform_driver qcom_ice_driver = {
+ .probe = qcom_ice_probe,
+ .driver = {
+ .name = "qcom-ice",
+ .of_match_table = qcom_ice_of_match_table,
+ },
+};
+
+module_platform_driver(qcom_ice_driver);
+
+MODULE_DESCRIPTION("Qualcomm Inline Crypto Engine driver");
+MODULE_LICENSE("GPL");
new file mode 100644
@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/*
+ * Copyright (c) 2023, Linaro Limited
+ */
+
+#ifndef __QCOM_ICE_H__
+#define __QCOM_ICE_H__
+
+#include <linux/err.h>
+
+struct qcom_ice {
+ struct device *dev;
+ struct device_node *np;
+ void __iomem *base;
+
+ struct clk *core_clk;
+};
+
+enum qcom_ice_crypto_key_size {
+ QCOM_ICE_CRYPTO_KEY_SIZE_INVALID = 0x0,
+ QCOM_ICE_CRYPTO_KEY_SIZE_128 = 0x1,
+ QCOM_ICE_CRYPTO_KEY_SIZE_192 = 0x2,
+ QCOM_ICE_CRYPTO_KEY_SIZE_256 = 0x3,
+ QCOM_ICE_CRYPTO_KEY_SIZE_512 = 0x4,
+};
+
+enum qcom_ice_crypto_alg {
+ QCOM_ICE_CRYPTO_ALG_AES_XTS = 0x0,
+ QCOM_ICE_CRYPTO_ALG_BITLOCKER_AES_CBC = 0x1,
+ QCOM_ICE_CRYPTO_ALG_AES_ECB = 0x2,
+ QCOM_ICE_CRYPTO_ALG_ESSIV_AES_CBC = 0x3,
+};
+
+#if IS_ENABLED(CONFIG_QCOM_INLINE_CRYPTO_ENGINE)
+int qcom_ice_enable(struct qcom_ice *ice);
+int qcom_ice_resume(struct qcom_ice *ice);
+struct qcom_ice *of_qcom_ice_get(struct device *dev);
+int qcom_ice_program_key(struct qcom_ice *ice, u8 crypto_cap_idx,
+ u8 algorithm_id, u8 key_size,
+ const u8 crypto_key[], u8 data_unit_size,
+ int slot);
+int qcom_ice_evict_key(struct qcom_ice *ice, int slot);
+#else
+static inline int qcom_ice_enable(struct qcom_ice *ice) { return 0; }
+static inline int qcom_ice_resume(struct qcom_ice *ice) { return 0; }
+
+static inline struct qcom_ice *of_qcom_ice_get(struct device *dev)
+{
+ return NULL;
+}
+
+static inline int qcom_ice_program_key(struct qcom_ice *ice, u8 crypto_cap_idx,
+ u8 algorithm_id, u8 key_size,
+ const u8 crypto_key[], u8 data_unit_size,
+ int slot)
+{
+ return 0;
+}
+
+static inline int qcom_ice_evict_key(struct qcom_ice *ice, int slot)
+{
+ return 0;
+}
+#endif /* CONFIG_QCOM_INLINE_CRYPTO_ENGINE */
+#endif /* __QCOM_ICE_H__ */