/* * QEMU Apple AES device emulation * * Copyright © 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * This work is licensed under the terms of the GNU GPL, version 2 or later. * See the COPYING file in the top-level directory. * * SPDX-License-Identifier: GPL-2.0-or-later */ #include "qemu/osdep.h" #include "trace.h" #include "crypto/hash.h" #include "crypto/aes.h" #include "crypto/cipher.h" #include "hw/irq.h" #include "hw/sysbus.h" #include "hw/vmapple/vmapple.h" #include "migration/vmstate.h" #include "qemu/cutils.h" #include "qemu/log.h" #include "qemu/module.h" #include "system/dma.h" OBJECT_DECLARE_SIMPLE_TYPE(AESState, APPLE_AES) #define MAX_FIFO_SIZE 9 #define CMD_KEY 0x1 #define CMD_KEY_CONTEXT_SHIFT 27 #define CMD_KEY_CONTEXT_MASK (0x1 << CMD_KEY_CONTEXT_SHIFT) #define CMD_KEY_SELECT_MAX_IDX 0x7 #define CMD_KEY_SELECT_SHIFT 24 #define CMD_KEY_SELECT_MASK (CMD_KEY_SELECT_MAX_IDX << CMD_KEY_SELECT_SHIFT) #define CMD_KEY_KEY_LEN_NUM 4u #define CMD_KEY_KEY_LEN_SHIFT 22 #define CMD_KEY_KEY_LEN_MASK ((CMD_KEY_KEY_LEN_NUM - 1u) << CMD_KEY_KEY_LEN_SHIFT) #define CMD_KEY_ENCRYPT_SHIFT 20 #define CMD_KEY_ENCRYPT_MASK (0x1 << CMD_KEY_ENCRYPT_SHIFT) #define CMD_KEY_BLOCK_MODE_SHIFT 16 #define CMD_KEY_BLOCK_MODE_MASK (0x3 << CMD_KEY_BLOCK_MODE_SHIFT) #define CMD_IV 0x2 #define CMD_IV_CONTEXT_SHIFT 26 #define CMD_IV_CONTEXT_MASK (0x3 << CMD_KEY_CONTEXT_SHIFT) #define CMD_DSB 0x3 #define CMD_SKG 0x4 #define CMD_DATA 0x5 #define CMD_DATA_KEY_CTX_SHIFT 27 #define CMD_DATA_KEY_CTX_MASK (0x1 << CMD_DATA_KEY_CTX_SHIFT) #define CMD_DATA_IV_CTX_SHIFT 25 #define CMD_DATA_IV_CTX_MASK (0x3 << CMD_DATA_IV_CTX_SHIFT) #define CMD_DATA_LEN_MASK 0xffffff #define CMD_STORE_IV 0x6 #define CMD_STORE_IV_ADDR_MASK 0xffffff #define CMD_WRITE_REG 0x7 #define CMD_FLAG 0x8 #define CMD_FLAG_STOP_MASK BIT(26) #define CMD_FLAG_RAISE_IRQ_MASK BIT(27) #define CMD_FLAG_INFO_MASK 0xff #define CMD_MAX 0x10 #define CMD_SHIFT 28 #define REG_STATUS 0xc #define REG_STATUS_DMA_READ_RUNNING BIT(0) #define REG_STATUS_DMA_READ_PENDING BIT(1) #define REG_STATUS_DMA_WRITE_RUNNING BIT(2) #define REG_STATUS_DMA_WRITE_PENDING BIT(3) #define REG_STATUS_BUSY BIT(4) #define REG_STATUS_EXECUTING BIT(5) #define REG_STATUS_READY BIT(6) #define REG_STATUS_TEXT_DPA_SEEDED BIT(7) #define REG_STATUS_UNWRAP_DPA_SEEDED BIT(8) #define REG_IRQ_STATUS 0x18 #define REG_IRQ_STATUS_INVALID_CMD BIT(2) #define REG_IRQ_STATUS_FLAG BIT(5) #define REG_IRQ_ENABLE 0x1c #define REG_WATERMARK 0x20 #define REG_Q_STATUS 0x24 #define REG_FLAG_INFO 0x30 #define REG_FIFO 0x200 static const uint32_t key_lens[CMD_KEY_KEY_LEN_NUM] = { [0] = 16, [1] = 24, [2] = 32, [3] = 64, }; typedef struct Key { uint32_t key_len; uint8_t key[32]; } Key; typedef struct IV { uint32_t iv[4]; } IV; static Key builtin_keys[CMD_KEY_SELECT_MAX_IDX + 1] = { [1] = { .key_len = 32, .key = { 0x1 }, }, [2] = { .key_len = 32, .key = { 0x2 }, }, [3] = { .key_len = 32, .key = { 0x3 }, } }; struct AESState { SysBusDevice parent_obj; qemu_irq irq; MemoryRegion iomem1; MemoryRegion iomem2; AddressSpace *as; uint32_t status; uint32_t q_status; uint32_t irq_status; uint32_t irq_enable; uint32_t watermark; uint32_t flag_info; uint32_t fifo[MAX_FIFO_SIZE]; uint32_t fifo_idx; Key key[2]; IV iv[4]; bool is_encrypt; QCryptoCipherMode block_mode; }; static void aes_update_irq(AESState *s) { qemu_set_irq(s->irq, !!(s->irq_status & s->irq_enable)); } static uint64_t aes1_read(void *opaque, hwaddr offset, unsigned size) { AESState *s = opaque; uint64_t res = 0; switch (offset) { case REG_STATUS: res = s->status; break; case REG_IRQ_STATUS: res = s->irq_status; break; case REG_IRQ_ENABLE: res = s->irq_enable; break; case REG_WATERMARK: res = s->watermark; break; case REG_Q_STATUS: res = s->q_status; break; case REG_FLAG_INFO: res = s->flag_info; break; default: qemu_log_mask(LOG_UNIMP, "%s: Unknown AES MMIO offset %" PRIx64 "\n", __func__, offset); break; } trace_aes_read(offset, res); return res; } static void fifo_append(AESState *s, uint64_t val) { if (s->fifo_idx == MAX_FIFO_SIZE) { /* Exceeded the FIFO. Bail out */ return; } s->fifo[s->fifo_idx++] = val; } static bool has_payload(AESState *s, uint32_t elems) { return s->fifo_idx >= elems + 1; } static bool cmd_key(AESState *s) { uint32_t cmd = s->fifo[0]; uint32_t key_select = (cmd & CMD_KEY_SELECT_MASK) >> CMD_KEY_SELECT_SHIFT; uint32_t ctxt = (cmd & CMD_KEY_CONTEXT_MASK) >> CMD_KEY_CONTEXT_SHIFT; uint32_t key_len; switch ((cmd & CMD_KEY_BLOCK_MODE_MASK) >> CMD_KEY_BLOCK_MODE_SHIFT) { case 0: s->block_mode = QCRYPTO_CIPHER_MODE_ECB; break; case 1: s->block_mode = QCRYPTO_CIPHER_MODE_CBC; break; default: return false; } s->is_encrypt = cmd & CMD_KEY_ENCRYPT_MASK; key_len = key_lens[(cmd & CMD_KEY_KEY_LEN_MASK) >> CMD_KEY_KEY_LEN_SHIFT]; if (key_select) { trace_aes_cmd_key_select_builtin(ctxt, key_select, s->is_encrypt ? "en" : "de", QCryptoCipherMode_str(s->block_mode)); s->key[ctxt] = builtin_keys[key_select]; } else { trace_aes_cmd_key_select_new(ctxt, key_len, s->is_encrypt ? "en" : "de", QCryptoCipherMode_str(s->block_mode)); if (key_len > sizeof(s->key[ctxt].key)) { return false; } if (!has_payload(s, key_len / sizeof(uint32_t))) { /* wait for payload */ qemu_log_mask(LOG_GUEST_ERROR, "%s: No payload\n", __func__); return false; } memcpy(&s->key[ctxt].key, &s->fifo[1], key_len); s->key[ctxt].key_len = key_len; } return true; } static bool cmd_iv(AESState *s) { uint32_t cmd = s->fifo[0]; uint32_t ctxt = (cmd & CMD_IV_CONTEXT_MASK) >> CMD_IV_CONTEXT_SHIFT; if (!has_payload(s, 4)) { /* wait for payload */ return false; } memcpy(&s->iv[ctxt].iv, &s->fifo[1], sizeof(s->iv[ctxt].iv)); trace_aes_cmd_iv(ctxt, s->fifo[1], s->fifo[2], s->fifo[3], s->fifo[4]); return true; } static void dump_data(const char *desc, const void *p, size_t len) { static const size_t MAX_LEN = 0x1000; char hex[MAX_LEN * 2 + 1] = ""; if (len > MAX_LEN) { return; } qemu_hexdump_to_buffer(hex, sizeof(hex), p, len); trace_aes_dump_data(desc, hex); } static bool cmd_data(AESState *s) { uint32_t cmd = s->fifo[0]; uint32_t ctxt_iv = 0; uint32_t ctxt_key = (cmd & CMD_DATA_KEY_CTX_MASK) >> CMD_DATA_KEY_CTX_SHIFT; uint32_t len = cmd & CMD_DATA_LEN_MASK; uint64_t src_addr = s->fifo[2]; uint64_t dst_addr = s->fifo[3]; QCryptoCipherAlgo alg; g_autoptr(QCryptoCipher) cipher = NULL; g_autoptr(GByteArray) src = NULL; g_autoptr(GByteArray) dst = NULL; MemTxResult r; src_addr |= ((uint64_t)s->fifo[1] << 16) & 0xffff00000000ULL; dst_addr |= ((uint64_t)s->fifo[1] << 32) & 0xffff00000000ULL; trace_aes_cmd_data(ctxt_key, ctxt_iv, src_addr, dst_addr, len); if (!has_payload(s, 3)) { /* wait for payload */ qemu_log_mask(LOG_GUEST_ERROR, "%s: No payload\n", __func__); return false; } if (ctxt_key >= ARRAY_SIZE(s->key) || ctxt_iv >= ARRAY_SIZE(s->iv)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid key or iv\n", __func__); return false; } src = g_byte_array_sized_new(len); g_byte_array_set_size(src, len); dst = g_byte_array_sized_new(len); g_byte_array_set_size(dst, len); r = dma_memory_read(s->as, src_addr, src->data, len, MEMTXATTRS_UNSPECIFIED); if (r != MEMTX_OK) { qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA read of %"PRIu32" bytes " "from 0x%"PRIx64" failed. (r=%d)\n", __func__, len, src_addr, r); return false; } dump_data("cmd_data(): src_data=", src->data, len); switch (s->key[ctxt_key].key_len) { case 128 / 8: alg = QCRYPTO_CIPHER_ALGO_AES_128; break; case 192 / 8: alg = QCRYPTO_CIPHER_ALGO_AES_192; break; case 256 / 8: alg = QCRYPTO_CIPHER_ALGO_AES_256; break; default: qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid key length\n", __func__); return false; } cipher = qcrypto_cipher_new(alg, s->block_mode, s->key[ctxt_key].key, s->key[ctxt_key].key_len, NULL); if (!cipher) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to create cipher object\n", __func__); return false; } if (s->block_mode != QCRYPTO_CIPHER_MODE_ECB) { if (qcrypto_cipher_setiv(cipher, (void *)s->iv[ctxt_iv].iv, sizeof(s->iv[ctxt_iv].iv), NULL) != 0) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to set IV\n", __func__); return false; } } if (s->is_encrypt) { if (qcrypto_cipher_encrypt(cipher, src->data, dst->data, len, NULL) != 0) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Encryption failed\n", __func__); return false; } } else { if (qcrypto_cipher_decrypt(cipher, src->data, dst->data, len, NULL) != 0) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Decryption failed\n", __func__); return false; } } dump_data("cmd_data(): dst_data=", dst->data, len); r = dma_memory_write(s->as, dst_addr, dst->data, len, MEMTXATTRS_UNSPECIFIED); if (r != MEMTX_OK) { qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA write of %"PRIu32" bytes " "to 0x%"PRIx64" failed. (r=%d)\n", __func__, len, src_addr, r); return false; } return true; } static bool cmd_store_iv(AESState *s) { uint32_t cmd = s->fifo[0]; uint32_t ctxt = (cmd & CMD_IV_CONTEXT_MASK) >> CMD_IV_CONTEXT_SHIFT; uint64_t addr = s->fifo[1]; MemTxResult dma_result; if (!has_payload(s, 1)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: No payload\n", __func__); return false; } if (ctxt >= ARRAY_SIZE(s->iv)) { qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid context. ctxt = %u, allowed: 0..%zu\n", __func__, ctxt, ARRAY_SIZE(s->iv) - 1); return false; } addr |= ((uint64_t)cmd << 32) & 0xff00000000ULL; dma_result = dma_memory_write(&address_space_memory, addr, &s->iv[ctxt].iv, sizeof(s->iv[ctxt].iv), MEMTXATTRS_UNSPECIFIED); trace_aes_cmd_store_iv(ctxt, addr, s->iv[ctxt].iv[0], s->iv[ctxt].iv[1], s->iv[ctxt].iv[2], s->iv[ctxt].iv[3]); return dma_result == MEMTX_OK; } static bool cmd_flag(AESState *s) { uint32_t cmd = s->fifo[0]; uint32_t raise_irq = cmd & CMD_FLAG_RAISE_IRQ_MASK; /* We always process data when it's coming in, so fire an IRQ immediately */ if (raise_irq) { s->irq_status |= REG_IRQ_STATUS_FLAG; } s->flag_info = cmd & CMD_FLAG_INFO_MASK; trace_aes_cmd_flag(!!raise_irq, s->flag_info); return true; } static void fifo_process(AESState *s) { uint32_t cmd = s->fifo[0] >> CMD_SHIFT; bool success = false; if (!s->fifo_idx) { return; } switch (cmd) { case CMD_KEY: success = cmd_key(s); break; case CMD_IV: success = cmd_iv(s); break; case CMD_DATA: success = cmd_data(s); break; case CMD_STORE_IV: success = cmd_store_iv(s); break; case CMD_FLAG: success = cmd_flag(s); break; default: s->irq_status |= REG_IRQ_STATUS_INVALID_CMD; break; } if (success) { s->fifo_idx = 0; } trace_aes_fifo_process(cmd, success); } static void aes1_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) { AESState *s = opaque; trace_aes_write(offset, val); switch (offset) { case REG_IRQ_STATUS: s->irq_status &= ~val; break; case REG_IRQ_ENABLE: s->irq_enable = val; break; case REG_FIFO: fifo_append(s, val); fifo_process(s); break; default: qemu_log_mask(LOG_UNIMP, "%s: Unknown AES MMIO offset %"PRIx64", data %"PRIx64"\n", __func__, offset, val); return; } aes_update_irq(s); } static const MemoryRegionOps aes1_ops = { .read = aes1_read, .write = aes1_write, .endianness = DEVICE_NATIVE_ENDIAN, .valid = { .min_access_size = 4, .max_access_size = 8, }, .impl = { .min_access_size = 4, .max_access_size = 4, }, }; static uint64_t aes2_read(void *opaque, hwaddr offset, unsigned size) { uint64_t res = 0; switch (offset) { case 0: res = 0; break; default: qemu_log_mask(LOG_UNIMP, "%s: Unknown AES MMIO 2 offset %"PRIx64"\n", __func__, offset); break; } trace_aes_2_read(offset, res); return res; } static void aes2_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) { trace_aes_2_write(offset, val); switch (offset) { default: qemu_log_mask(LOG_UNIMP, "%s: Unknown AES MMIO 2 offset %"PRIx64", data %"PRIx64"\n", __func__, offset, val); return; } } static const MemoryRegionOps aes2_ops = { .read = aes2_read, .write = aes2_write, .endianness = DEVICE_NATIVE_ENDIAN, .valid = { .min_access_size = 4, .max_access_size = 8, }, .impl = { .min_access_size = 4, .max_access_size = 4, }, }; static void aes_reset(Object *obj, ResetType type) { AESState *s = APPLE_AES(obj); s->status = 0x3f80; s->q_status = 2; s->irq_status = 0; s->irq_enable = 0; s->watermark = 0; } static void aes_init(Object *obj) { AESState *s = APPLE_AES(obj); memory_region_init_io(&s->iomem1, obj, &aes1_ops, s, TYPE_APPLE_AES, 0x4000); memory_region_init_io(&s->iomem2, obj, &aes2_ops, s, TYPE_APPLE_AES, 0x4000); sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem1); sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem2); sysbus_init_irq(SYS_BUS_DEVICE(s), &s->irq); s->as = &address_space_memory; } static void aes_class_init(ObjectClass *klass, void *data) { ResettableClass *rc = RESETTABLE_CLASS(klass); rc->phases.hold = aes_reset; } static const TypeInfo aes_info = { .name = TYPE_APPLE_AES, .parent = TYPE_SYS_BUS_DEVICE, .instance_size = sizeof(AESState), .class_init = aes_class_init, .instance_init = aes_init, }; static void aes_register_types(void) { type_register_static(&aes_info); } type_init(aes_register_types)