1 /* 2 * QEMU Apple AES device emulation 3 * 4 * Copyright © 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. 5 * 6 * This work is licensed under the terms of the GNU GPL, version 2 or later. 7 * See the COPYING file in the top-level directory. 8 * 9 * SPDX-License-Identifier: GPL-2.0-or-later 10 */ 11 12 #include "qemu/osdep.h" 13 #include "trace.h" 14 #include "crypto/hash.h" 15 #include "crypto/aes.h" 16 #include "crypto/cipher.h" 17 #include "hw/irq.h" 18 #include "hw/sysbus.h" 19 #include "hw/vmapple/vmapple.h" 20 #include "migration/vmstate.h" 21 #include "qemu/cutils.h" 22 #include "qemu/log.h" 23 #include "qemu/module.h" 24 #include "system/dma.h" 25 26 OBJECT_DECLARE_SIMPLE_TYPE(AESState, APPLE_AES) 27 28 #define MAX_FIFO_SIZE 9 29 30 #define CMD_KEY 0x1 31 #define CMD_KEY_CONTEXT_SHIFT 27 32 #define CMD_KEY_CONTEXT_MASK (0x1 << CMD_KEY_CONTEXT_SHIFT) 33 #define CMD_KEY_SELECT_MAX_IDX 0x7 34 #define CMD_KEY_SELECT_SHIFT 24 35 #define CMD_KEY_SELECT_MASK (CMD_KEY_SELECT_MAX_IDX << CMD_KEY_SELECT_SHIFT) 36 #define CMD_KEY_KEY_LEN_NUM 4u 37 #define CMD_KEY_KEY_LEN_SHIFT 22 38 #define CMD_KEY_KEY_LEN_MASK ((CMD_KEY_KEY_LEN_NUM - 1u) << CMD_KEY_KEY_LEN_SHIFT) 39 #define CMD_KEY_ENCRYPT_SHIFT 20 40 #define CMD_KEY_ENCRYPT_MASK (0x1 << CMD_KEY_ENCRYPT_SHIFT) 41 #define CMD_KEY_BLOCK_MODE_SHIFT 16 42 #define CMD_KEY_BLOCK_MODE_MASK (0x3 << CMD_KEY_BLOCK_MODE_SHIFT) 43 #define CMD_IV 0x2 44 #define CMD_IV_CONTEXT_SHIFT 26 45 #define CMD_IV_CONTEXT_MASK (0x3 << CMD_KEY_CONTEXT_SHIFT) 46 #define CMD_DSB 0x3 47 #define CMD_SKG 0x4 48 #define CMD_DATA 0x5 49 #define CMD_DATA_KEY_CTX_SHIFT 27 50 #define CMD_DATA_KEY_CTX_MASK (0x1 << CMD_DATA_KEY_CTX_SHIFT) 51 #define CMD_DATA_IV_CTX_SHIFT 25 52 #define CMD_DATA_IV_CTX_MASK (0x3 << CMD_DATA_IV_CTX_SHIFT) 53 #define CMD_DATA_LEN_MASK 0xffffff 54 #define CMD_STORE_IV 0x6 55 #define CMD_STORE_IV_ADDR_MASK 0xffffff 56 #define CMD_WRITE_REG 0x7 57 #define CMD_FLAG 0x8 58 #define CMD_FLAG_STOP_MASK BIT(26) 59 #define CMD_FLAG_RAISE_IRQ_MASK BIT(27) 60 #define CMD_FLAG_INFO_MASK 0xff 61 #define CMD_MAX 0x10 62 63 #define CMD_SHIFT 28 64 65 #define REG_STATUS 0xc 66 #define REG_STATUS_DMA_READ_RUNNING BIT(0) 67 #define REG_STATUS_DMA_READ_PENDING BIT(1) 68 #define REG_STATUS_DMA_WRITE_RUNNING BIT(2) 69 #define REG_STATUS_DMA_WRITE_PENDING BIT(3) 70 #define REG_STATUS_BUSY BIT(4) 71 #define REG_STATUS_EXECUTING BIT(5) 72 #define REG_STATUS_READY BIT(6) 73 #define REG_STATUS_TEXT_DPA_SEEDED BIT(7) 74 #define REG_STATUS_UNWRAP_DPA_SEEDED BIT(8) 75 76 #define REG_IRQ_STATUS 0x18 77 #define REG_IRQ_STATUS_INVALID_CMD BIT(2) 78 #define REG_IRQ_STATUS_FLAG BIT(5) 79 #define REG_IRQ_ENABLE 0x1c 80 #define REG_WATERMARK 0x20 81 #define REG_Q_STATUS 0x24 82 #define REG_FLAG_INFO 0x30 83 #define REG_FIFO 0x200 84 85 static const uint32_t key_lens[CMD_KEY_KEY_LEN_NUM] = { 86 [0] = 16, 87 [1] = 24, 88 [2] = 32, 89 [3] = 64, 90 }; 91 92 typedef struct Key { 93 uint32_t key_len; 94 uint8_t key[32]; 95 } Key; 96 97 typedef struct IV { 98 uint32_t iv[4]; 99 } IV; 100 101 static Key builtin_keys[CMD_KEY_SELECT_MAX_IDX + 1] = { 102 [1] = { 103 .key_len = 32, 104 .key = { 0x1 }, 105 }, 106 [2] = { 107 .key_len = 32, 108 .key = { 0x2 }, 109 }, 110 [3] = { 111 .key_len = 32, 112 .key = { 0x3 }, 113 } 114 }; 115 116 struct AESState { 117 SysBusDevice parent_obj; 118 119 qemu_irq irq; 120 MemoryRegion iomem1; 121 MemoryRegion iomem2; 122 AddressSpace *as; 123 124 uint32_t status; 125 uint32_t q_status; 126 uint32_t irq_status; 127 uint32_t irq_enable; 128 uint32_t watermark; 129 uint32_t flag_info; 130 uint32_t fifo[MAX_FIFO_SIZE]; 131 uint32_t fifo_idx; 132 Key key[2]; 133 IV iv[4]; 134 bool is_encrypt; 135 QCryptoCipherMode block_mode; 136 }; 137 138 static void aes_update_irq(AESState *s) 139 { 140 qemu_set_irq(s->irq, !!(s->irq_status & s->irq_enable)); 141 } 142 143 static uint64_t aes1_read(void *opaque, hwaddr offset, unsigned size) 144 { 145 AESState *s = opaque; 146 uint64_t res = 0; 147 148 switch (offset) { 149 case REG_STATUS: 150 res = s->status; 151 break; 152 case REG_IRQ_STATUS: 153 res = s->irq_status; 154 break; 155 case REG_IRQ_ENABLE: 156 res = s->irq_enable; 157 break; 158 case REG_WATERMARK: 159 res = s->watermark; 160 break; 161 case REG_Q_STATUS: 162 res = s->q_status; 163 break; 164 case REG_FLAG_INFO: 165 res = s->flag_info; 166 break; 167 168 default: 169 qemu_log_mask(LOG_UNIMP, "%s: Unknown AES MMIO offset %" PRIx64 "\n", 170 __func__, offset); 171 break; 172 } 173 174 trace_aes_read(offset, res); 175 176 return res; 177 } 178 179 static void fifo_append(AESState *s, uint64_t val) 180 { 181 if (s->fifo_idx == MAX_FIFO_SIZE) { 182 /* Exceeded the FIFO. Bail out */ 183 return; 184 } 185 186 s->fifo[s->fifo_idx++] = val; 187 } 188 189 static bool has_payload(AESState *s, uint32_t elems) 190 { 191 return s->fifo_idx >= elems + 1; 192 } 193 194 static bool cmd_key(AESState *s) 195 { 196 uint32_t cmd = s->fifo[0]; 197 uint32_t key_select = (cmd & CMD_KEY_SELECT_MASK) >> CMD_KEY_SELECT_SHIFT; 198 uint32_t ctxt = (cmd & CMD_KEY_CONTEXT_MASK) >> CMD_KEY_CONTEXT_SHIFT; 199 uint32_t key_len; 200 201 switch ((cmd & CMD_KEY_BLOCK_MODE_MASK) >> CMD_KEY_BLOCK_MODE_SHIFT) { 202 case 0: 203 s->block_mode = QCRYPTO_CIPHER_MODE_ECB; 204 break; 205 case 1: 206 s->block_mode = QCRYPTO_CIPHER_MODE_CBC; 207 break; 208 default: 209 return false; 210 } 211 212 s->is_encrypt = cmd & CMD_KEY_ENCRYPT_MASK; 213 key_len = key_lens[(cmd & CMD_KEY_KEY_LEN_MASK) >> CMD_KEY_KEY_LEN_SHIFT]; 214 215 if (key_select) { 216 trace_aes_cmd_key_select_builtin(ctxt, key_select, 217 s->is_encrypt ? "en" : "de", 218 QCryptoCipherMode_str(s->block_mode)); 219 s->key[ctxt] = builtin_keys[key_select]; 220 } else { 221 trace_aes_cmd_key_select_new(ctxt, key_len, 222 s->is_encrypt ? "en" : "de", 223 QCryptoCipherMode_str(s->block_mode)); 224 if (key_len > sizeof(s->key[ctxt].key)) { 225 return false; 226 } 227 if (!has_payload(s, key_len / sizeof(uint32_t))) { 228 /* wait for payload */ 229 qemu_log_mask(LOG_GUEST_ERROR, "%s: No payload\n", __func__); 230 return false; 231 } 232 memcpy(&s->key[ctxt].key, &s->fifo[1], key_len); 233 s->key[ctxt].key_len = key_len; 234 } 235 236 return true; 237 } 238 239 static bool cmd_iv(AESState *s) 240 { 241 uint32_t cmd = s->fifo[0]; 242 uint32_t ctxt = (cmd & CMD_IV_CONTEXT_MASK) >> CMD_IV_CONTEXT_SHIFT; 243 244 if (!has_payload(s, 4)) { 245 /* wait for payload */ 246 return false; 247 } 248 memcpy(&s->iv[ctxt].iv, &s->fifo[1], sizeof(s->iv[ctxt].iv)); 249 trace_aes_cmd_iv(ctxt, s->fifo[1], s->fifo[2], s->fifo[3], s->fifo[4]); 250 251 return true; 252 } 253 254 static void dump_data(const char *desc, const void *p, size_t len) 255 { 256 static const size_t MAX_LEN = 0x1000; 257 char hex[MAX_LEN * 2 + 1] = ""; 258 259 if (len > MAX_LEN) { 260 return; 261 } 262 263 qemu_hexdump_to_buffer(hex, sizeof(hex), p, len); 264 trace_aes_dump_data(desc, hex); 265 } 266 267 static bool cmd_data(AESState *s) 268 { 269 uint32_t cmd = s->fifo[0]; 270 uint32_t ctxt_iv = 0; 271 uint32_t ctxt_key = (cmd & CMD_DATA_KEY_CTX_MASK) >> CMD_DATA_KEY_CTX_SHIFT; 272 uint32_t len = cmd & CMD_DATA_LEN_MASK; 273 uint64_t src_addr = s->fifo[2]; 274 uint64_t dst_addr = s->fifo[3]; 275 QCryptoCipherAlgo alg; 276 g_autoptr(QCryptoCipher) cipher = NULL; 277 g_autoptr(GByteArray) src = NULL; 278 g_autoptr(GByteArray) dst = NULL; 279 MemTxResult r; 280 281 src_addr |= ((uint64_t)s->fifo[1] << 16) & 0xffff00000000ULL; 282 dst_addr |= ((uint64_t)s->fifo[1] << 32) & 0xffff00000000ULL; 283 284 trace_aes_cmd_data(ctxt_key, ctxt_iv, src_addr, dst_addr, len); 285 286 if (!has_payload(s, 3)) { 287 /* wait for payload */ 288 qemu_log_mask(LOG_GUEST_ERROR, "%s: No payload\n", __func__); 289 return false; 290 } 291 292 if (ctxt_key >= ARRAY_SIZE(s->key) || 293 ctxt_iv >= ARRAY_SIZE(s->iv)) { 294 qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid key or iv\n", __func__); 295 return false; 296 } 297 298 src = g_byte_array_sized_new(len); 299 g_byte_array_set_size(src, len); 300 dst = g_byte_array_sized_new(len); 301 g_byte_array_set_size(dst, len); 302 303 r = dma_memory_read(s->as, src_addr, src->data, len, MEMTXATTRS_UNSPECIFIED); 304 if (r != MEMTX_OK) { 305 qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA read of %"PRIu32" bytes " 306 "from 0x%"PRIx64" failed. (r=%d)\n", 307 __func__, len, src_addr, r); 308 return false; 309 } 310 311 dump_data("cmd_data(): src_data=", src->data, len); 312 313 switch (s->key[ctxt_key].key_len) { 314 case 128 / 8: 315 alg = QCRYPTO_CIPHER_ALGO_AES_128; 316 break; 317 case 192 / 8: 318 alg = QCRYPTO_CIPHER_ALGO_AES_192; 319 break; 320 case 256 / 8: 321 alg = QCRYPTO_CIPHER_ALGO_AES_256; 322 break; 323 default: 324 qemu_log_mask(LOG_GUEST_ERROR, "%s: Invalid key length\n", __func__); 325 return false; 326 } 327 cipher = qcrypto_cipher_new(alg, s->block_mode, 328 s->key[ctxt_key].key, 329 s->key[ctxt_key].key_len, NULL); 330 if (!cipher) { 331 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to create cipher object\n", 332 __func__); 333 return false; 334 } 335 if (s->block_mode != QCRYPTO_CIPHER_MODE_ECB) { 336 if (qcrypto_cipher_setiv(cipher, (void *)s->iv[ctxt_iv].iv, 337 sizeof(s->iv[ctxt_iv].iv), NULL) != 0) { 338 qemu_log_mask(LOG_GUEST_ERROR, "%s: Failed to set IV\n", __func__); 339 return false; 340 } 341 } 342 if (s->is_encrypt) { 343 if (qcrypto_cipher_encrypt(cipher, src->data, dst->data, len, NULL) != 0) { 344 qemu_log_mask(LOG_GUEST_ERROR, "%s: Encryption failed\n", __func__); 345 return false; 346 } 347 } else { 348 if (qcrypto_cipher_decrypt(cipher, src->data, dst->data, len, NULL) != 0) { 349 qemu_log_mask(LOG_GUEST_ERROR, "%s: Decryption failed\n", __func__); 350 return false; 351 } 352 } 353 354 dump_data("cmd_data(): dst_data=", dst->data, len); 355 r = dma_memory_write(s->as, dst_addr, dst->data, len, MEMTXATTRS_UNSPECIFIED); 356 if (r != MEMTX_OK) { 357 qemu_log_mask(LOG_GUEST_ERROR, "%s: DMA write of %"PRIu32" bytes " 358 "to 0x%"PRIx64" failed. (r=%d)\n", 359 __func__, len, src_addr, r); 360 return false; 361 } 362 363 return true; 364 } 365 366 static bool cmd_store_iv(AESState *s) 367 { 368 uint32_t cmd = s->fifo[0]; 369 uint32_t ctxt = (cmd & CMD_IV_CONTEXT_MASK) >> CMD_IV_CONTEXT_SHIFT; 370 uint64_t addr = s->fifo[1]; 371 MemTxResult dma_result; 372 373 if (!has_payload(s, 1)) { 374 qemu_log_mask(LOG_GUEST_ERROR, "%s: No payload\n", __func__); 375 return false; 376 } 377 378 if (ctxt >= ARRAY_SIZE(s->iv)) { 379 qemu_log_mask(LOG_GUEST_ERROR, 380 "%s: Invalid context. ctxt = %u, allowed: 0..%zu\n", 381 __func__, ctxt, ARRAY_SIZE(s->iv) - 1); 382 return false; 383 } 384 385 addr |= ((uint64_t)cmd << 32) & 0xff00000000ULL; 386 dma_result = dma_memory_write(&address_space_memory, addr, 387 &s->iv[ctxt].iv, sizeof(s->iv[ctxt].iv), 388 MEMTXATTRS_UNSPECIFIED); 389 390 trace_aes_cmd_store_iv(ctxt, addr, s->iv[ctxt].iv[0], s->iv[ctxt].iv[1], 391 s->iv[ctxt].iv[2], s->iv[ctxt].iv[3]); 392 393 return dma_result == MEMTX_OK; 394 } 395 396 static bool cmd_flag(AESState *s) 397 { 398 uint32_t cmd = s->fifo[0]; 399 uint32_t raise_irq = cmd & CMD_FLAG_RAISE_IRQ_MASK; 400 401 /* We always process data when it's coming in, so fire an IRQ immediately */ 402 if (raise_irq) { 403 s->irq_status |= REG_IRQ_STATUS_FLAG; 404 } 405 406 s->flag_info = cmd & CMD_FLAG_INFO_MASK; 407 408 trace_aes_cmd_flag(!!raise_irq, s->flag_info); 409 410 return true; 411 } 412 413 static void fifo_process(AESState *s) 414 { 415 uint32_t cmd = s->fifo[0] >> CMD_SHIFT; 416 bool success = false; 417 418 if (!s->fifo_idx) { 419 return; 420 } 421 422 switch (cmd) { 423 case CMD_KEY: 424 success = cmd_key(s); 425 break; 426 case CMD_IV: 427 success = cmd_iv(s); 428 break; 429 case CMD_DATA: 430 success = cmd_data(s); 431 break; 432 case CMD_STORE_IV: 433 success = cmd_store_iv(s); 434 break; 435 case CMD_FLAG: 436 success = cmd_flag(s); 437 break; 438 default: 439 s->irq_status |= REG_IRQ_STATUS_INVALID_CMD; 440 break; 441 } 442 443 if (success) { 444 s->fifo_idx = 0; 445 } 446 447 trace_aes_fifo_process(cmd, success); 448 } 449 450 static void aes1_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) 451 { 452 AESState *s = opaque; 453 454 trace_aes_write(offset, val); 455 456 switch (offset) { 457 case REG_IRQ_STATUS: 458 s->irq_status &= ~val; 459 break; 460 case REG_IRQ_ENABLE: 461 s->irq_enable = val; 462 break; 463 case REG_FIFO: 464 fifo_append(s, val); 465 fifo_process(s); 466 break; 467 default: 468 qemu_log_mask(LOG_UNIMP, 469 "%s: Unknown AES MMIO offset %"PRIx64", data %"PRIx64"\n", 470 __func__, offset, val); 471 return; 472 } 473 474 aes_update_irq(s); 475 } 476 477 static const MemoryRegionOps aes1_ops = { 478 .read = aes1_read, 479 .write = aes1_write, 480 .endianness = DEVICE_NATIVE_ENDIAN, 481 .valid = { 482 .min_access_size = 4, 483 .max_access_size = 8, 484 }, 485 .impl = { 486 .min_access_size = 4, 487 .max_access_size = 4, 488 }, 489 }; 490 491 static uint64_t aes2_read(void *opaque, hwaddr offset, unsigned size) 492 { 493 uint64_t res = 0; 494 495 switch (offset) { 496 case 0: 497 res = 0; 498 break; 499 default: 500 qemu_log_mask(LOG_UNIMP, 501 "%s: Unknown AES MMIO 2 offset %"PRIx64"\n", 502 __func__, offset); 503 break; 504 } 505 506 trace_aes_2_read(offset, res); 507 508 return res; 509 } 510 511 static void aes2_write(void *opaque, hwaddr offset, uint64_t val, unsigned size) 512 { 513 trace_aes_2_write(offset, val); 514 515 switch (offset) { 516 default: 517 qemu_log_mask(LOG_UNIMP, 518 "%s: Unknown AES MMIO 2 offset %"PRIx64", data %"PRIx64"\n", 519 __func__, offset, val); 520 return; 521 } 522 } 523 524 static const MemoryRegionOps aes2_ops = { 525 .read = aes2_read, 526 .write = aes2_write, 527 .endianness = DEVICE_NATIVE_ENDIAN, 528 .valid = { 529 .min_access_size = 4, 530 .max_access_size = 8, 531 }, 532 .impl = { 533 .min_access_size = 4, 534 .max_access_size = 4, 535 }, 536 }; 537 538 static void aes_reset(Object *obj, ResetType type) 539 { 540 AESState *s = APPLE_AES(obj); 541 542 s->status = 0x3f80; 543 s->q_status = 2; 544 s->irq_status = 0; 545 s->irq_enable = 0; 546 s->watermark = 0; 547 } 548 549 static void aes_init(Object *obj) 550 { 551 AESState *s = APPLE_AES(obj); 552 553 memory_region_init_io(&s->iomem1, obj, &aes1_ops, s, TYPE_APPLE_AES, 0x4000); 554 memory_region_init_io(&s->iomem2, obj, &aes2_ops, s, TYPE_APPLE_AES, 0x4000); 555 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem1); 556 sysbus_init_mmio(SYS_BUS_DEVICE(s), &s->iomem2); 557 sysbus_init_irq(SYS_BUS_DEVICE(s), &s->irq); 558 s->as = &address_space_memory; 559 } 560 561 static void aes_class_init(ObjectClass *klass, void *data) 562 { 563 ResettableClass *rc = RESETTABLE_CLASS(klass); 564 565 rc->phases.hold = aes_reset; 566 } 567 568 static const TypeInfo aes_info = { 569 .name = TYPE_APPLE_AES, 570 .parent = TYPE_SYS_BUS_DEVICE, 571 .instance_size = sizeof(AESState), 572 .class_init = aes_class_init, 573 .instance_init = aes_init, 574 }; 575 576 static void aes_register_types(void) 577 { 578 type_register_static(&aes_info); 579 } 580 581 type_init(aes_register_types) 582