core: arm: kernel: add runtime check for CE

Add runtime check during boot for supported ARMv8 Crypto Extensions. Core will panic if configuration enables an ARMv8 CE feature that the hardware does not support. Link: OP-TEE#6631 Acked-by: Etienne Carriere <etienne.carriere@foss.st.com> Signed-off-by: Igor Opaniuk <igor.opaniuk@foundries.io>
igoropaniuk · Feb 19, 2024 · d508b19 · d508b19
1 parent d89ded8
commit d508b19
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
@@ -188,6 +188,61 @@ static void init_vfp_nsec(void)
 }
 #endif
 
+/*
+ * Check for supported Crypto Extensions (ARMv8 aarch32/aarch64)
+ * In case one of instructions is not supported false is returned.
+ */
+static bool check_cpuid_ce(void)
+{
+	if (!feat_aes_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_AES_ARM_CE)) {
+		EMSG("AES instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sha1_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA1_ARM_CE)) {
+		EMSG("SHA1 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sha256_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE)) {
+		EMSG("SHA256 instructions are not supported");
+		return false;
+	}
+
+	if (IS_ENABLED(CFG_ARM32_core))
+		return true;
+
+	/* aarch64 specific instructions */
+	if (!feat_sha512_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA512_ARM_CE)) {
+		EMSG("SHA512 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sha3_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA3_ARM_CE)) {
+		EMSG("SHA3 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sm3_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SM3_ARM_CE)) {
+		EMSG("SM3 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sm4_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SM4_ARM_CE)) {
+		EMSG("SM4 instructions are not supported");
+		return false;
+	}
+
+	return true;
+}
+
 #if defined(CFG_WITH_VFP)
 
 #ifdef ARM32
@@ -1148,6 +1203,13 @@ static void init_primary(unsigned long pageable_part, unsigned long nsec_entry)
 	thread_set_exceptions(THREAD_EXCP_ALL);
 	primary_save_cntfrq();
 	init_vfp_sec();
+
+	if (IS_ENABLED(CFG_CRYPTO_WITH_CE) && !check_cpuid_ce()) {
+		EMSG("OP-TEE is built with CRYPTO_WITH_CE=y");
+		EMSG("But some CE instructions are not supported by CPU");
+		panic();
+	}
+
 	/*
 	 * Pager: init_runtime() calls thread_kernel_enable_vfp() so we must
 	 * set a current thread right now to avoid a chicken-and-egg problem