core: arm: kernel: add runtime check for CE

Add runtime check during boot for supported ARMv8 Crypto Extensions. Core will panic if configuration enables an ARMv8 CE feature that the hardware does not support. Link: #6631 Acked-by: Etienne Carriere <[email protected]> Signed-off-by: Igor Opaniuk <[email protected]>
OP-TEE · Feb 21, 2024 · d195d5c · d195d5c
1 parent 07881e9
commit d195d5c
Showing 1 changed file with 57 additions and 0 deletions.
diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
@@ -188,6 +188,59 @@ static void init_vfp_nsec(void)
 }
 #endif
 
+static void check_crypto_extensions(void)
+{
+	bool ce_supported = true;
+
+	if (!feat_aes_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_AES_ARM_CE)) {
+		EMSG("AES instructions are not supported");
+		ce_supported = false;
+	}
+
+	if (!feat_sha1_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA1_ARM_CE)) {
+		EMSG("SHA1 instructions are not supported");
+		ce_supported = false;
+	}
+
+	if (!feat_sha256_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE)) {
+		EMSG("SHA256 instructions are not supported");
+		ce_supported = false;
+	}
+
+	/* Check aarch64 specific instructions */
+	if (IS_ENABLED(CFG_ARM64_core)) {
+		if (!feat_sha512_implemented() &&
+		    IS_ENABLED(CFG_CRYPTO_SHA512_ARM_CE)) {
+			EMSG("SHA512 instructions are not supported");
+			ce_supported = false;
+		}
+
+		if (!feat_sha3_implemented() &&
+		    IS_ENABLED(CFG_CRYPTO_SHA3_ARM_CE)) {
+			EMSG("SHA3 instructions are not supported");
+			ce_supported = false;
+		}
+
+		if (!feat_sm3_implemented() &&
+		    IS_ENABLED(CFG_CRYPTO_SM3_ARM_CE)) {
+			EMSG("SM3 instructions are not supported");
+			ce_supported = false;
+		}
+
+		if (!feat_sm4_implemented() &&
+		    IS_ENABLED(CFG_CRYPTO_SM4_ARM_CE)) {
+			EMSG("SM4 instructions are not supported");
+			ce_supported = false;
+		}
+	}
+
+	if (!ce_supported)
+		panic("HW doesn't support CE instructions");
+}
+
 #if defined(CFG_WITH_VFP)
 
 #ifdef ARM32
@@ -1148,6 +1201,10 @@ static void init_primary(unsigned long pageable_part, unsigned long nsec_entry)
 	thread_set_exceptions(THREAD_EXCP_ALL);
 	primary_save_cntfrq();
 	init_vfp_sec();
+
+	if (IS_ENABLED(CFG_CRYPTO_WITH_CE))
+		check_crypto_extensions();
+
 	/*
 	 * Pager: init_runtime() calls thread_kernel_enable_vfp() so we must
 	 * set a current thread right now to avoid a chicken-and-egg problem