M7350/kernel/security/pfe/pfk_kc.c

503 lines
11 KiB
C
Raw Normal View History

2024-09-09 08:57:42 +00:00
/*
* Copyright (c) 2015, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
* only version 2 as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*/
/*
* PFK Key Cache
*
* Key Cache used internally in PFK.
* The purpose of the cache is to save access time to QSEE
* when loading the keys.
* Currently the cache is the same size as the total number of keys that can
* be loaded to ICE. Since this number is relatively small, the alghoritms for
* cache eviction are simple, linear and based on last usage timestamp, i.e
* the node that will be evicted is the one with the oldest timestamp.
* Empty entries always have the oldest timestamp.
*
*/
#include <linux/mutex.h>
#include <linux/spinlock.h>
#include <crypto/ice.h>
#include <linux/errno.h>
#include <linux/string.h>
#include <linux/jiffies.h>
#include <linux/slab.h>
#include <linux/printk.h>
#include "pfk_kc.h"
#include "pfk_ice.h"
/** the first available index in ice engine */
#define PFK_KC_STARTING_INDEX 2
/** currently the only supported key and salt sizes */
#define PFK_KC_KEY_SIZE 32
#define PFK_KC_SALT_SIZE 32
/** Table size */
/* TODO replace by some constant from ice.h */
#define PFK_KC_TABLE_SIZE ((32) - (PFK_KC_STARTING_INDEX))
/** The maximum key and salt size */
#define PFK_MAX_KEY_SIZE PFK_KC_KEY_SIZE
#define PFK_MAX_SALT_SIZE PFK_KC_SALT_SIZE
static DEFINE_SPINLOCK(kc_lock);
static bool kc_ready;
struct kc_entry {
unsigned char key[PFK_MAX_KEY_SIZE];
size_t key_size;
unsigned char salt[PFK_MAX_SALT_SIZE];
size_t salt_size;
u64 time_stamp;
u32 key_index;
};
static struct kc_entry kc_table[PFK_KC_TABLE_SIZE] = {{{0}, 0, {0}, 0, 0, 0} };
/**
* pfk_min_time_entry() - update min time and update min entry
* @min_time: pointer to current min_time, might be updated with new value
* @time: time to compare minimum with
* @min_entry: ptr to ptr to current min_entry, might be updated with
* ptr to new entry
* @entry: will be the new min_entry if the time was updated
*
*
* Calculates the minimum between min_time and time. Replaces the min_time
* if time is less and replaces min_entry with entry
*
*/
static inline void pfk_min_time_entry(u64 *min_time, u64 time,
struct kc_entry **min_entry, struct kc_entry *entry)
{
if (time_before64(time, *min_time)) {
*min_time = time;
*min_entry = entry;
}
}
/**
* kc_is_ready() - driver is initialized and ready.
*
* Return: true if the key cache is ready.
*/
static inline bool kc_is_ready(void)
{
return kc_ready == true;
}
/**
* kc_find_key_at_index() - find kc entry starting at specific index
* @key: key to look for
* @key_size: the key size
* @salt: salt to look for
* @salt_size: the salt size
* @sarting_index: index to start search with, if entry found, updated with
* index of that entry
*
* Return entry or NULL in case of error
* Should be invoked under lock
*/
static struct kc_entry *kc_find_key_at_index(const unsigned char *key,
size_t key_size, const unsigned char *salt, size_t salt_size,
int *starting_index)
{
struct kc_entry *entry = NULL;
int i = 0;
for (i = *starting_index; i < PFK_KC_TABLE_SIZE; i++) {
entry = &(kc_table[i]);
if (NULL != salt) {
if (entry->salt_size != salt_size)
continue;
if (0 != memcmp(entry->salt, salt, salt_size))
continue;
}
if (entry->key_size != key_size)
continue;
if (0 == memcmp(entry->key, key, key_size)) {
*starting_index = i;
return entry;
}
}
return NULL;
}
/**
* kc_find_key() - find kc entry
* @key: key to look for
* @key_size: the key size
* @salt: salt to look for
* @salt_size: the salt size
*
* Return entry or NULL in case of error
* Should be invoked under lock
*/
static struct kc_entry *kc_find_key(const unsigned char *key, size_t key_size,
const unsigned char *salt, size_t salt_size)
{
int index = 0;
return kc_find_key_at_index(key, key_size, salt, salt_size, &index);
}
/**
* kc_find_oldest_entry() - finds the entry with minimal timestamp
*
* Returns entry with minimal timestamp. Empty entries have timestamp
* of 0, therefore they are returned first.
* Should always succeed, the returned entry should never be NULL
* Should be invoked under lock
*/
static struct kc_entry *kc_find_oldest_entry(void)
{
struct kc_entry *curr_min_entry = NULL;
struct kc_entry *entry = NULL;
u64 min_time = 0;
int i = 0;
min_time = kc_table[0].time_stamp;
curr_min_entry = &(kc_table[0]);
for (i = 0; i < PFK_KC_TABLE_SIZE; i++) {
entry = &(kc_table[i]);
if (!entry->time_stamp)
return entry;
pfk_min_time_entry(&min_time, entry->time_stamp,
&curr_min_entry, entry);
}
return curr_min_entry;
}
/**
* kc_update_timestamp() - updates timestamp of entry to current
*
* @entry: entry to update
*
* If system time can't be retrieved, timestamp will not be updated
* Should be invoked under lock
*/
static void kc_update_timestamp(struct kc_entry *entry)
{
if (!entry)
return;
entry->time_stamp = get_jiffies_64();
}
/**
* kc_clear_entry() - clear the key from entry and remove the key from ICE
*
* @entry: pointer to entry
*
* Securely wipe and release the key memory, remove the key from ICE
* Should be invoked under lock
*/
static void kc_clear_entry(struct kc_entry *entry)
{
if (!entry)
return;
memset(entry->key, 0, entry->key_size);
memset(entry->salt, 0, entry->salt_size);
entry->time_stamp = 0;
}
/**
* kc_replace_entry() - replaces the key in given entry and
* loads the new key to ICE
*
* @entry: entry to replace key in
* @key: key
* @key_size: key_size
* @salt: salt
* @salt_size: salt_size
*
* The previous key is securely released and wiped, the new one is loaded
* to ICE.
* Should be invoked under lock
*/
static int kc_replace_entry(struct kc_entry *entry, const unsigned char *key,
size_t key_size, const unsigned char *salt, size_t salt_size)
{
int ret = 0;
kc_clear_entry(entry);
memcpy(entry->key, key, key_size);
entry->key_size = key_size;
memcpy(entry->salt, salt, salt_size);
entry->salt_size = salt_size;
ret = qti_pfk_ice_set_key(entry->key_index, (uint8_t *) key,
(uint8_t *) salt);
if (ret != 0) {
ret = -EINVAL;
goto err;
}
kc_update_timestamp(entry);
return 0;
err:
kc_clear_entry(entry);
return ret;
}
/**
* pfk_kc_init() - init function
*
* Return 0 in case of success, error otherwise
*/
int pfk_kc_init(void)
{
int i = 0;
spin_lock(&kc_lock);
for (i = 0; i < PFK_KC_TABLE_SIZE; i++)
kc_table[i].key_index = PFK_KC_STARTING_INDEX + i;
spin_unlock(&kc_lock);
kc_ready = true;
return 0;
}
/**
* pfk_kc_denit() - deinit function
*
* Return 0 in case of success, error otherwise
*/
int pfk_kc_deinit(void)
{
pfk_kc_clear();
kc_ready = false;
return 0;
}
/**
* pfk_kc_load_key() - retrieve the key from cache or add it if it's not there
* return the ICE hw key index
* @key: pointer to the key
* @key_size: the size of the key
* @salt: pointer to the salt
* @salt_size: the size of the salt
* @key_index: the pointer to key_index where the output will be stored
*
* If key is present in cache, than the key_index will be retrieved from cache.
* If it is not present, the oldest entry from kc table will be evicted,
* the key will be loaded to ICE via QSEE to the index that is the evicted
* entry number and stored in cache
*
* Return 0 in case of success, error otherwise
*/
int pfk_kc_load_key(const unsigned char *key, size_t key_size,
const unsigned char *salt, size_t salt_size, u32 *key_index)
{
int ret = 0;
struct kc_entry *entry = NULL;
if (!kc_is_ready())
return -ENODEV;
if (!key || !salt || !key_index)
return -EPERM;
if (key_size != PFK_KC_KEY_SIZE)
return -EPERM;
if (salt_size != PFK_KC_SALT_SIZE)
return -EPERM;
spin_lock(&kc_lock);
entry = kc_find_key(key, key_size, salt, salt_size);
if (!entry) {
entry = kc_find_oldest_entry();
if (!entry) {
pr_err("internal error, there should always be an oldest entry\n");
spin_unlock(&kc_lock);
return -EINVAL;
}
pr_debug("didn't found key in cache, replacing entry with index %d\n",
entry->key_index);
ret = kc_replace_entry(entry, key, key_size, salt, salt_size);
if (ret) {
spin_unlock(&kc_lock);
return -EINVAL;
}
} else {
pr_debug("found key in cache, index %d\n", entry->key_index);
kc_update_timestamp(entry);
}
*key_index = entry->key_index;
spin_unlock(&kc_lock);
return 0;
}
/**
* pfk_kc_remove_key() - remove the key from cache and from ICE engine
* @key: pointer to the key
* @key_size: the size of the key
* @salt: pointer to the key
* @salt_size: the size of the key
*
* Return 0 in case of success, error otherwise (also in case of non
* (existing key)
*/
int pfk_kc_remove_key_with_salt(const unsigned char *key, size_t key_size,
const unsigned char *salt, size_t salt_size)
{
struct kc_entry *entry = NULL;
if (!kc_is_ready())
return -ENODEV;
if (!key)
return -EPERM;
if (!salt)
return -EPERM;
if (key_size != PFK_KC_KEY_SIZE)
return -EPERM;
if (salt_size != PFK_KC_SALT_SIZE)
return -EPERM;
spin_lock(&kc_lock);
entry = kc_find_key(key, key_size, salt, salt_size);
if (!entry) {
pr_err("key does not exist\n");
spin_unlock(&kc_lock);
return -EINVAL;
}
kc_clear_entry(entry);
spin_unlock(&kc_lock);
qti_pfk_ice_invalidate_key(entry->key_index);
return 0;
}
/**
* pfk_kc_remove_key() - remove the key from cache and from ICE engine
* when no salt is available. Will only search key part, if there are several,
* all will be removed
*
* @key: pointer to the key
* @key_size: the size of the key
*
* Return 0 in case of success, error otherwise (also in case of non
* (existing key)
*/
int pfk_kc_remove_key(const unsigned char *key, size_t key_size)
{
struct kc_entry *entry = NULL;
int index = 0;
int temp_indexes[PFK_KC_TABLE_SIZE] = {0};
int i = 0;
if (!kc_is_ready())
return -ENODEV;
if (!key)
return -EPERM;
if (key_size != PFK_KC_KEY_SIZE)
return -EPERM;
memset(temp_indexes, -1, sizeof(temp_indexes));
spin_lock(&kc_lock);
entry = kc_find_key_at_index(key, key_size, NULL, 0, &index);
if (!entry) {
pr_debug("key does not exist\n");
spin_unlock(&kc_lock);
return -EINVAL;
}
temp_indexes[i++] = entry->key_index;
kc_clear_entry(entry);
/* let's clean additional entries with the same key if there are any */
do {
entry = kc_find_key_at_index(key, key_size, NULL, 0, &index);
if (!entry)
break;
temp_indexes[i++] = entry->key_index;
kc_clear_entry(entry);
} while (true);
spin_unlock(&kc_lock);
for (i--; i >= 0 ; i--)
qti_pfk_ice_invalidate_key(temp_indexes[i]);
return 0;
}
/**
* pfk_kc_clear() - clear the table and remove all keys from ICE
*
*/
void pfk_kc_clear(void)
{
struct kc_entry *entry = NULL;
int i = 0;
if (!kc_is_ready())
return;
spin_lock(&kc_lock);
for (i = 0; i < PFK_KC_TABLE_SIZE; i++) {
entry = &(kc_table[i]);
kc_clear_entry(entry);
}
spin_unlock(&kc_lock);
for (i = 0; i < PFK_KC_TABLE_SIZE; i++)
qti_pfk_ice_invalidate_key(entry->key_index);
}