1 /* 2 * ASPEED Hash and Crypto Engine 3 * 4 * Copyright (c) 2024 Seagate Technology LLC and/or its Affiliates 5 * Copyright (C) 2021 IBM Corp. 6 * 7 * Joel Stanley <joel@jms.id.au> 8 * 9 * SPDX-License-Identifier: GPL-2.0-or-later 10 */ 11 12 #include "qemu/osdep.h" 13 #include "qemu/log.h" 14 #include "qemu/error-report.h" 15 #include "hw/misc/aspeed_hace.h" 16 #include "qapi/error.h" 17 #include "migration/vmstate.h" 18 #include "crypto/hash.h" 19 #include "hw/qdev-properties.h" 20 #include "hw/irq.h" 21 22 #define R_CRYPT_CMD (0x10 / 4) 23 24 #define R_STATUS (0x1c / 4) 25 #define HASH_IRQ BIT(9) 26 #define CRYPT_IRQ BIT(12) 27 #define TAG_IRQ BIT(15) 28 29 #define R_HASH_SRC (0x20 / 4) 30 #define R_HASH_DEST (0x24 / 4) 31 #define R_HASH_KEY_BUFF (0x28 / 4) 32 #define R_HASH_SRC_LEN (0x2c / 4) 33 34 #define R_HASH_CMD (0x30 / 4) 35 /* Hash algorithm selection */ 36 #define HASH_ALGO_MASK (BIT(4) | BIT(5) | BIT(6)) 37 #define HASH_ALGO_MD5 0 38 #define HASH_ALGO_SHA1 BIT(5) 39 #define HASH_ALGO_SHA224 BIT(6) 40 #define HASH_ALGO_SHA256 (BIT(4) | BIT(6)) 41 #define HASH_ALGO_SHA512_SERIES (BIT(5) | BIT(6)) 42 /* SHA512 algorithm selection */ 43 #define SHA512_HASH_ALGO_MASK (BIT(10) | BIT(11) | BIT(12)) 44 #define HASH_ALGO_SHA512_SHA512 0 45 #define HASH_ALGO_SHA512_SHA384 BIT(10) 46 #define HASH_ALGO_SHA512_SHA256 BIT(11) 47 #define HASH_ALGO_SHA512_SHA224 (BIT(10) | BIT(11)) 48 /* HMAC modes */ 49 #define HASH_HMAC_MASK (BIT(7) | BIT(8)) 50 #define HASH_DIGEST 0 51 #define HASH_DIGEST_HMAC BIT(7) 52 #define HASH_DIGEST_ACCUM BIT(8) 53 #define HASH_HMAC_KEY (BIT(7) | BIT(8)) 54 /* Cascaded operation modes */ 55 #define HASH_ONLY 0 56 #define HASH_ONLY2 BIT(0) 57 #define HASH_CRYPT_THEN_HASH BIT(1) 58 #define HASH_HASH_THEN_CRYPT (BIT(0) | BIT(1)) 59 /* Other cmd bits */ 60 #define HASH_IRQ_EN BIT(9) 61 #define HASH_SG_EN BIT(18) 62 #define CRYPT_IRQ_EN BIT(12) 63 /* Scatter-gather data list */ 64 #define SG_LIST_LEN_SIZE 4 65 #define SG_LIST_LEN_MASK 0x0FFFFFFF 66 #define SG_LIST_LEN_LAST BIT(31) 67 #define SG_LIST_ADDR_SIZE 4 68 #define SG_LIST_ADDR_MASK 0x7FFFFFFF 69 #define SG_LIST_ENTRY_SIZE (SG_LIST_LEN_SIZE + SG_LIST_ADDR_SIZE) 70 71 static const struct { 72 uint32_t mask; 73 QCryptoHashAlgo algo; 74 } hash_algo_map[] = { 75 { HASH_ALGO_MD5, QCRYPTO_HASH_ALGO_MD5 }, 76 { HASH_ALGO_SHA1, QCRYPTO_HASH_ALGO_SHA1 }, 77 { HASH_ALGO_SHA224, QCRYPTO_HASH_ALGO_SHA224 }, 78 { HASH_ALGO_SHA256, QCRYPTO_HASH_ALGO_SHA256 }, 79 { HASH_ALGO_SHA512_SERIES | HASH_ALGO_SHA512_SHA512, 80 QCRYPTO_HASH_ALGO_SHA512 }, 81 { HASH_ALGO_SHA512_SERIES | HASH_ALGO_SHA512_SHA384, 82 QCRYPTO_HASH_ALGO_SHA384 }, 83 { HASH_ALGO_SHA512_SERIES | HASH_ALGO_SHA512_SHA256, 84 QCRYPTO_HASH_ALGO_SHA256 }, 85 }; 86 87 static int hash_algo_lookup(uint32_t reg) 88 { 89 int i; 90 91 reg &= HASH_ALGO_MASK | SHA512_HASH_ALGO_MASK; 92 93 for (i = 0; i < ARRAY_SIZE(hash_algo_map); i++) { 94 if (reg == hash_algo_map[i].mask) { 95 return hash_algo_map[i].algo; 96 } 97 } 98 99 return -1; 100 } 101 102 /** 103 * Check whether the request contains padding message. 104 * 105 * @param s aspeed hace state object 106 * @param iov iov of current request 107 * @param req_len length of the current request 108 * @param total_msg_len length of all acc_mode requests(excluding padding msg) 109 * @param pad_offset start offset of padding message 110 */ 111 static bool has_padding(AspeedHACEState *s, struct iovec *iov, 112 hwaddr req_len, uint32_t *total_msg_len, 113 uint32_t *pad_offset) 114 { 115 *total_msg_len = (uint32_t)(ldq_be_p(iov->iov_base + req_len - 8) / 8); 116 /* 117 * SG_LIST_LEN_LAST asserted in the request length doesn't mean it is the 118 * last request. The last request should contain padding message. 119 * We check whether message contains padding by 120 * 1. Get total message length. If the current message contains 121 * padding, the last 8 bytes are total message length. 122 * 2. Check whether the total message length is valid. 123 * If it is valid, the value should less than or equal to 124 * total_req_len. 125 * 3. Current request len - padding_size to get padding offset. 126 * The padding message's first byte should be 0x80 127 */ 128 if (*total_msg_len <= s->total_req_len) { 129 uint32_t padding_size = s->total_req_len - *total_msg_len; 130 uint8_t *padding = iov->iov_base; 131 132 if (padding_size > req_len) { 133 return false; 134 } 135 136 *pad_offset = req_len - padding_size; 137 if (padding[*pad_offset] == 0x80) { 138 return true; 139 } 140 } 141 142 return false; 143 } 144 145 static int reconstruct_iov(AspeedHACEState *s, struct iovec *iov, int id, 146 uint32_t *pad_offset) 147 { 148 int i, iov_count; 149 if (*pad_offset != 0) { 150 s->iov_cache[s->iov_count].iov_base = iov[id].iov_base; 151 s->iov_cache[s->iov_count].iov_len = *pad_offset; 152 ++s->iov_count; 153 } 154 for (i = 0; i < s->iov_count; i++) { 155 iov[i].iov_base = s->iov_cache[i].iov_base; 156 iov[i].iov_len = s->iov_cache[i].iov_len; 157 } 158 iov_count = s->iov_count; 159 s->iov_count = 0; 160 s->total_req_len = 0; 161 return iov_count; 162 } 163 164 static void do_hash_operation(AspeedHACEState *s, int algo, bool sg_mode, 165 bool acc_mode) 166 { 167 struct iovec iov[ASPEED_HACE_MAX_SG]; 168 uint32_t total_msg_len; 169 uint32_t pad_offset; 170 g_autofree uint8_t *digest_buf = NULL; 171 size_t digest_len = 0; 172 bool sg_acc_mode_final_request = false; 173 int i; 174 void *haddr; 175 Error *local_err = NULL; 176 177 if (acc_mode && s->hash_ctx == NULL) { 178 s->hash_ctx = qcrypto_hash_new(algo, &local_err); 179 if (s->hash_ctx == NULL) { 180 qemu_log_mask(LOG_GUEST_ERROR, "qcrypto hash failed : %s", 181 error_get_pretty(local_err)); 182 error_free(local_err); 183 return; 184 } 185 } 186 187 if (sg_mode) { 188 uint32_t len = 0; 189 190 for (i = 0; !(len & SG_LIST_LEN_LAST); i++) { 191 uint32_t addr, src; 192 hwaddr plen; 193 194 if (i == ASPEED_HACE_MAX_SG) { 195 qemu_log_mask(LOG_GUEST_ERROR, 196 "aspeed_hace: guest failed to set end of sg list marker\n"); 197 break; 198 } 199 200 src = s->regs[R_HASH_SRC] + (i * SG_LIST_ENTRY_SIZE); 201 202 len = address_space_ldl_le(&s->dram_as, src, 203 MEMTXATTRS_UNSPECIFIED, NULL); 204 205 addr = address_space_ldl_le(&s->dram_as, src + SG_LIST_LEN_SIZE, 206 MEMTXATTRS_UNSPECIFIED, NULL); 207 addr &= SG_LIST_ADDR_MASK; 208 209 plen = len & SG_LIST_LEN_MASK; 210 haddr = address_space_map(&s->dram_as, addr, &plen, false, 211 MEMTXATTRS_UNSPECIFIED); 212 if (haddr == NULL) { 213 qemu_log_mask(LOG_GUEST_ERROR, 214 "%s: qcrypto failed\n", __func__); 215 return; 216 } 217 iov[i].iov_base = haddr; 218 if (acc_mode) { 219 s->total_req_len += plen; 220 221 if (has_padding(s, &iov[i], plen, &total_msg_len, 222 &pad_offset)) { 223 /* Padding being present indicates the final request */ 224 sg_acc_mode_final_request = true; 225 iov[i].iov_len = pad_offset; 226 } else { 227 iov[i].iov_len = plen; 228 } 229 } else { 230 iov[i].iov_len = plen; 231 } 232 } 233 } else { 234 hwaddr len = s->regs[R_HASH_SRC_LEN]; 235 236 haddr = address_space_map(&s->dram_as, s->regs[R_HASH_SRC], 237 &len, false, MEMTXATTRS_UNSPECIFIED); 238 if (haddr == NULL) { 239 qemu_log_mask(LOG_GUEST_ERROR, "%s: qcrypto failed\n", __func__); 240 return; 241 } 242 iov[0].iov_base = haddr; 243 iov[0].iov_len = len; 244 i = 1; 245 246 if (s->iov_count) { 247 /* 248 * In aspeed sdk kernel driver, sg_mode is disabled in hash_final(). 249 * Thus if we received a request with sg_mode disabled, it is 250 * required to check whether cache is empty. If no, we should 251 * combine cached iov and the current iov. 252 */ 253 s->total_req_len += len; 254 if (has_padding(s, iov, len, &total_msg_len, &pad_offset)) { 255 i = reconstruct_iov(s, iov, 0, &pad_offset); 256 } 257 } 258 } 259 260 if (acc_mode) { 261 if (qcrypto_hash_updatev(s->hash_ctx, iov, i, &local_err) < 0) { 262 qemu_log_mask(LOG_GUEST_ERROR, "qcrypto hash update failed : %s", 263 error_get_pretty(local_err)); 264 error_free(local_err); 265 return; 266 } 267 268 if (sg_acc_mode_final_request) { 269 if (qcrypto_hash_finalize_bytes(s->hash_ctx, &digest_buf, 270 &digest_len, &local_err)) { 271 qemu_log_mask(LOG_GUEST_ERROR, 272 "qcrypto hash finalize failed : %s", 273 error_get_pretty(local_err)); 274 error_free(local_err); 275 local_err = NULL; 276 } 277 278 qcrypto_hash_free(s->hash_ctx); 279 280 s->hash_ctx = NULL; 281 s->iov_count = 0; 282 s->total_req_len = 0; 283 } 284 } else if (qcrypto_hash_bytesv(algo, iov, i, &digest_buf, 285 &digest_len, &local_err) < 0) { 286 qemu_log_mask(LOG_GUEST_ERROR, "qcrypto hash bytesv failed : %s", 287 error_get_pretty(local_err)); 288 error_free(local_err); 289 return; 290 } 291 292 if (address_space_write(&s->dram_as, s->regs[R_HASH_DEST], 293 MEMTXATTRS_UNSPECIFIED, 294 digest_buf, digest_len)) { 295 qemu_log_mask(LOG_GUEST_ERROR, 296 "aspeed_hace: address space write failed\n"); 297 } 298 299 for (; i > 0; i--) { 300 address_space_unmap(&s->dram_as, iov[i - 1].iov_base, 301 iov[i - 1].iov_len, false, 302 iov[i - 1].iov_len); 303 } 304 305 /* 306 * Set status bits to indicate completion. Testing shows hardware sets 307 * these irrespective of HASH_IRQ_EN. 308 */ 309 s->regs[R_STATUS] |= HASH_IRQ; 310 } 311 312 static uint64_t aspeed_hace_read(void *opaque, hwaddr addr, unsigned int size) 313 { 314 AspeedHACEState *s = ASPEED_HACE(opaque); 315 316 addr >>= 2; 317 318 if (addr >= ASPEED_HACE_NR_REGS) { 319 qemu_log_mask(LOG_GUEST_ERROR, 320 "%s: Out-of-bounds read at offset 0x%" HWADDR_PRIx "\n", 321 __func__, addr << 2); 322 return 0; 323 } 324 325 return s->regs[addr]; 326 } 327 328 static void aspeed_hace_write(void *opaque, hwaddr addr, uint64_t data, 329 unsigned int size) 330 { 331 AspeedHACEState *s = ASPEED_HACE(opaque); 332 AspeedHACEClass *ahc = ASPEED_HACE_GET_CLASS(s); 333 334 addr >>= 2; 335 336 if (addr >= ASPEED_HACE_NR_REGS) { 337 qemu_log_mask(LOG_GUEST_ERROR, 338 "%s: Out-of-bounds write at offset 0x%" HWADDR_PRIx "\n", 339 __func__, addr << 2); 340 return; 341 } 342 343 switch (addr) { 344 case R_STATUS: 345 if (data & HASH_IRQ) { 346 data &= ~HASH_IRQ; 347 348 if (s->regs[addr] & HASH_IRQ) { 349 qemu_irq_lower(s->irq); 350 } 351 } 352 if (ahc->raise_crypt_interrupt_workaround) { 353 if (data & CRYPT_IRQ) { 354 data &= ~CRYPT_IRQ; 355 356 if (s->regs[addr] & CRYPT_IRQ) { 357 qemu_irq_lower(s->irq); 358 } 359 } 360 } 361 break; 362 case R_HASH_SRC: 363 data &= ahc->src_mask; 364 break; 365 case R_HASH_DEST: 366 data &= ahc->dest_mask; 367 break; 368 case R_HASH_KEY_BUFF: 369 data &= ahc->key_mask; 370 break; 371 case R_HASH_SRC_LEN: 372 data &= 0x0FFFFFFF; 373 break; 374 case R_HASH_CMD: { 375 int algo; 376 data &= ahc->hash_mask; 377 378 if ((data & HASH_DIGEST_HMAC)) { 379 qemu_log_mask(LOG_UNIMP, 380 "%s: HMAC mode not implemented\n", 381 __func__); 382 } 383 if (data & BIT(1)) { 384 qemu_log_mask(LOG_UNIMP, 385 "%s: Cascaded mode not implemented\n", 386 __func__); 387 } 388 algo = hash_algo_lookup(data); 389 if (algo < 0) { 390 qemu_log_mask(LOG_GUEST_ERROR, 391 "%s: Invalid hash algorithm selection 0x%"PRIx64"\n", 392 __func__, data & ahc->hash_mask); 393 break; 394 } 395 do_hash_operation(s, algo, data & HASH_SG_EN, 396 ((data & HASH_HMAC_MASK) == HASH_DIGEST_ACCUM)); 397 398 if (data & HASH_IRQ_EN) { 399 qemu_irq_raise(s->irq); 400 } 401 break; 402 } 403 case R_CRYPT_CMD: 404 qemu_log_mask(LOG_UNIMP, "%s: Crypt commands not implemented\n", 405 __func__); 406 if (ahc->raise_crypt_interrupt_workaround) { 407 s->regs[R_STATUS] |= CRYPT_IRQ; 408 if (data & CRYPT_IRQ_EN) { 409 qemu_irq_raise(s->irq); 410 } 411 } 412 break; 413 default: 414 break; 415 } 416 417 s->regs[addr] = data; 418 } 419 420 static const MemoryRegionOps aspeed_hace_ops = { 421 .read = aspeed_hace_read, 422 .write = aspeed_hace_write, 423 .endianness = DEVICE_LITTLE_ENDIAN, 424 .valid = { 425 .min_access_size = 1, 426 .max_access_size = 4, 427 }, 428 }; 429 430 static void aspeed_hace_reset(DeviceState *dev) 431 { 432 struct AspeedHACEState *s = ASPEED_HACE(dev); 433 434 if (s->hash_ctx != NULL) { 435 qcrypto_hash_free(s->hash_ctx); 436 s->hash_ctx = NULL; 437 } 438 439 memset(s->regs, 0, sizeof(s->regs)); 440 s->iov_count = 0; 441 s->total_req_len = 0; 442 } 443 444 static void aspeed_hace_realize(DeviceState *dev, Error **errp) 445 { 446 AspeedHACEState *s = ASPEED_HACE(dev); 447 SysBusDevice *sbd = SYS_BUS_DEVICE(dev); 448 449 sysbus_init_irq(sbd, &s->irq); 450 451 memory_region_init_io(&s->iomem, OBJECT(s), &aspeed_hace_ops, s, 452 TYPE_ASPEED_HACE, 0x1000); 453 454 if (!s->dram_mr) { 455 error_setg(errp, TYPE_ASPEED_HACE ": 'dram' link not set"); 456 return; 457 } 458 459 address_space_init(&s->dram_as, s->dram_mr, "dram"); 460 461 sysbus_init_mmio(sbd, &s->iomem); 462 } 463 464 static const Property aspeed_hace_properties[] = { 465 DEFINE_PROP_LINK("dram", AspeedHACEState, dram_mr, 466 TYPE_MEMORY_REGION, MemoryRegion *), 467 }; 468 469 470 static const VMStateDescription vmstate_aspeed_hace = { 471 .name = TYPE_ASPEED_HACE, 472 .version_id = 1, 473 .minimum_version_id = 1, 474 .fields = (const VMStateField[]) { 475 VMSTATE_UINT32_ARRAY(regs, AspeedHACEState, ASPEED_HACE_NR_REGS), 476 VMSTATE_UINT32(total_req_len, AspeedHACEState), 477 VMSTATE_UINT32(iov_count, AspeedHACEState), 478 VMSTATE_END_OF_LIST(), 479 } 480 }; 481 482 static void aspeed_hace_class_init(ObjectClass *klass, void *data) 483 { 484 DeviceClass *dc = DEVICE_CLASS(klass); 485 486 dc->realize = aspeed_hace_realize; 487 device_class_set_legacy_reset(dc, aspeed_hace_reset); 488 device_class_set_props(dc, aspeed_hace_properties); 489 dc->vmsd = &vmstate_aspeed_hace; 490 } 491 492 static const TypeInfo aspeed_hace_info = { 493 .name = TYPE_ASPEED_HACE, 494 .parent = TYPE_SYS_BUS_DEVICE, 495 .instance_size = sizeof(AspeedHACEState), 496 .class_init = aspeed_hace_class_init, 497 .class_size = sizeof(AspeedHACEClass) 498 }; 499 500 static void aspeed_ast2400_hace_class_init(ObjectClass *klass, void *data) 501 { 502 DeviceClass *dc = DEVICE_CLASS(klass); 503 AspeedHACEClass *ahc = ASPEED_HACE_CLASS(klass); 504 505 dc->desc = "AST2400 Hash and Crypto Engine"; 506 507 ahc->src_mask = 0x0FFFFFFF; 508 ahc->dest_mask = 0x0FFFFFF8; 509 ahc->key_mask = 0x0FFFFFC0; 510 ahc->hash_mask = 0x000003ff; /* No SG or SHA512 modes */ 511 } 512 513 static const TypeInfo aspeed_ast2400_hace_info = { 514 .name = TYPE_ASPEED_AST2400_HACE, 515 .parent = TYPE_ASPEED_HACE, 516 .class_init = aspeed_ast2400_hace_class_init, 517 }; 518 519 static void aspeed_ast2500_hace_class_init(ObjectClass *klass, void *data) 520 { 521 DeviceClass *dc = DEVICE_CLASS(klass); 522 AspeedHACEClass *ahc = ASPEED_HACE_CLASS(klass); 523 524 dc->desc = "AST2500 Hash and Crypto Engine"; 525 526 ahc->src_mask = 0x3fffffff; 527 ahc->dest_mask = 0x3ffffff8; 528 ahc->key_mask = 0x3FFFFFC0; 529 ahc->hash_mask = 0x000003ff; /* No SG or SHA512 modes */ 530 } 531 532 static const TypeInfo aspeed_ast2500_hace_info = { 533 .name = TYPE_ASPEED_AST2500_HACE, 534 .parent = TYPE_ASPEED_HACE, 535 .class_init = aspeed_ast2500_hace_class_init, 536 }; 537 538 static void aspeed_ast2600_hace_class_init(ObjectClass *klass, void *data) 539 { 540 DeviceClass *dc = DEVICE_CLASS(klass); 541 AspeedHACEClass *ahc = ASPEED_HACE_CLASS(klass); 542 543 dc->desc = "AST2600 Hash and Crypto Engine"; 544 545 ahc->src_mask = 0x7FFFFFFF; 546 ahc->dest_mask = 0x7FFFFFF8; 547 ahc->key_mask = 0x7FFFFFF8; 548 ahc->hash_mask = 0x00147FFF; 549 } 550 551 static const TypeInfo aspeed_ast2600_hace_info = { 552 .name = TYPE_ASPEED_AST2600_HACE, 553 .parent = TYPE_ASPEED_HACE, 554 .class_init = aspeed_ast2600_hace_class_init, 555 }; 556 557 static void aspeed_ast1030_hace_class_init(ObjectClass *klass, void *data) 558 { 559 DeviceClass *dc = DEVICE_CLASS(klass); 560 AspeedHACEClass *ahc = ASPEED_HACE_CLASS(klass); 561 562 dc->desc = "AST1030 Hash and Crypto Engine"; 563 564 ahc->src_mask = 0x7FFFFFFF; 565 ahc->dest_mask = 0x7FFFFFF8; 566 ahc->key_mask = 0x7FFFFFF8; 567 ahc->hash_mask = 0x00147FFF; 568 } 569 570 static const TypeInfo aspeed_ast1030_hace_info = { 571 .name = TYPE_ASPEED_AST1030_HACE, 572 .parent = TYPE_ASPEED_HACE, 573 .class_init = aspeed_ast1030_hace_class_init, 574 }; 575 576 static void aspeed_ast2700_hace_class_init(ObjectClass *klass, void *data) 577 { 578 DeviceClass *dc = DEVICE_CLASS(klass); 579 AspeedHACEClass *ahc = ASPEED_HACE_CLASS(klass); 580 581 dc->desc = "AST2700 Hash and Crypto Engine"; 582 583 ahc->src_mask = 0x7FFFFFFF; 584 ahc->dest_mask = 0x7FFFFFF8; 585 ahc->key_mask = 0x7FFFFFF8; 586 ahc->hash_mask = 0x00147FFF; 587 588 /* 589 * Currently, it does not support the CRYPT command. Instead, it only 590 * sends an interrupt to notify the firmware that the crypt command 591 * has completed. It is a temporary workaround. 592 */ 593 ahc->raise_crypt_interrupt_workaround = true; 594 } 595 596 static const TypeInfo aspeed_ast2700_hace_info = { 597 .name = TYPE_ASPEED_AST2700_HACE, 598 .parent = TYPE_ASPEED_HACE, 599 .class_init = aspeed_ast2700_hace_class_init, 600 }; 601 602 static void aspeed_hace_register_types(void) 603 { 604 type_register_static(&aspeed_ast2400_hace_info); 605 type_register_static(&aspeed_ast2500_hace_info); 606 type_register_static(&aspeed_ast2600_hace_info); 607 type_register_static(&aspeed_ast1030_hace_info); 608 type_register_static(&aspeed_ast2700_hace_info); 609 type_register_static(&aspeed_hace_info); 610 } 611 612 type_init(aspeed_hace_register_types); 613