From 8d0bde12b759bd4f95f48ad88de8da6fc278b8f4 Mon Sep 17 00:00:00 2001
From: Igor Opaniuk
Date: Sat, 27 Jan 2024 21:20:21 +0100
Subject: [PATCH] core: arm: kernel: add runtime check for CE

Add runtime check during boot for supported ARMv8 Crypto Extensions.

Link: https://github.com/OP-TEE/optee_os/issues/6631
Signed-off-by: Igor Opaniuk
---
 core/arch/arm/kernel/boot.c | 61 +++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
index 5eaf67ff529..f2d72890a8b 100644
--- a/core/arch/arm/kernel/boot.c
+++ b/core/arch/arm/kernel/boot.c
@@ -188,6 +188,60 @@ static void init_vfp_nsec(void)
 }
 #endif
+/*
+ * Check for supported Crypto Extensions (ARMv8 aarch32/aarch64)
+ * In case one of instructions is not supported false is returned.
+ */
+static bool check_cpuid_ce(void) {
+ if (!feat_aes_implemented() &&
+ IS_ENABLED(CFG_CRYPTO_AES_ARM_CE)) {
+ EMSG("AES instructions are not supported");
+ return false;
+ }
+
+ if (!feat_sha1_implemented() &&
+ IS_ENABLED(CFG_CRYPTO_SHA1_ARM_CE)) {
+ EMSG("SHA1 instructions are not supported");
+ return false;
+ }
+
+ if (!feat_sha256_implemented()
+ IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE)) {
+ EMSG("SHA256 instructions are not supported");
+ return false;
+ }
+
+ if (IS_ENABLED(CFG_ARM32_core))
+ return true;
+
+ /* aarch64 specific instructions */
+ if (!feat_sha512_implemented() &&
+ IS_ENABLED(CFG_CRYPTO_SHA512_ARM_CE)) {
+ EMSG("SHA512 instructions are not supported");
+ return false;
+ }
+
+ if (!feat_sha3_implemented() &&
+ IS_ENABLED(CFG_CRYPTO_SHA3_ARM_CE)) {
+ EMSG("SHA3 instructions are not supported");
+ return false;
+ }
+
+ if (!feat_sm3_implemented() &&
+ IS_ENABLED(CFG_CRYPTO_SM3_ARM_CE)) {
+ EMSG("SM3 instructions are not supported");
+ return false;
+ }
+
+ if (!feat_sm4_implemented() &&
+ IS_ENABLED(CFG_CRYPTO_SM4_ARM_CE)) {
+ EMSG("SM4 instructions are not supported");
+ return false;
+ }
+
+ return true;
+}
+
 #if defined(CFG_WITH_VFP)
 #ifdef ARM32
@@ -1148,6 +1202,13 @@ static void init_primary(unsigned long pageable_part, unsigned long nsec_entry)
 thread_set_exceptions(THREAD_EXCP_ALL);
 primary_save_cntfrq();
 init_vfp_sec();
+
+ if (IS_ENABLED(CFG_CRYPTO_WITH_CE) && !check_cpuid_ce()) {
+ EMSG("OP-TEE is built with CRYPTO_WITH_CE=y");
+ EMSG("But some CE instructions are not supported by CPU");
+ panic();
+ }
+
 /*
 * Pager: init_runtime() calls thread_kernel_enable_vfp() so we must
 * set a current thread right now to avoid a chicken-and-egg problem
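Review bot: The SHA256 test in check_cpuid_ce() is missing its `&&`: `if (!feat_sha256_implemented()` is followed directly by `IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE)) {`, which as the patch is shown does not compile, unlike the AES and SHA1 tests around it. The first line should read `if (!feat_sha256_implemented() &&`. Because each of these conditions gates a boot-time panic, it would also read more safely with the build option first, so a disabled option never evaluates the feature probe, e.g. `if (IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE) && !feat_sha256_implemented()) {`.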
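Review bot: The CE check is called from init_primary() only, so as far as this patch shows, only the boot core's feature registers are tested; the diffstat lists no change to a secondary-core path. If a platform can bring up cores whose feature fields differ, a core without the instructions would still reach the CE code paths after boot. Either run the same check where secondary cores are initialised or state the assumption next to the call, e.g. `/* Checked on the primary core only; assumes all cores implement the same Crypto Extensions */`. init_primary()'s body starts and ends outside the hunk.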