core: arm: kernel: add runtime check for CE

Add runtime check during boot for supported ARMv8 Crypto Extensions. Link: OP-TEE#6631 Signed-off-by: Igor Opaniuk <[email protected]>
igoropaniuk · Feb 17, 2024 · aedb585 · aedb585
1 parent 8959be1
commit aedb585
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/core/arch/arm/kernel/boot.c b/core/arch/arm/kernel/boot.c
@@ -188,6 +188,61 @@ static void init_vfp_nsec(void)
 }
 #endif
 
+/*
+ * Check for supported Crypto Extensions (ARMv8 aarch32/aarch64)
+ * In case one of instructions is not supported false is returned.
+ */
+static bool check_cpuid_ce(void)
+{
+	if (!feat_aes_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_AES_ARM_CE)) {
+		EMSG("AES instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sha1_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA1_ARM_CE)) {
+		EMSG("SHA1 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sha256_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA256_ARM_CE)) {
+		EMSG("SHA256 instructions are not supported");
+		return false;
+	}
+
+	if (IS_ENABLED(CFG_ARM32_core))
+		return true;
+
+	/* aarch64 specific instructions */
+	if (!feat_sha512_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA512_ARM_CE)) {
+		EMSG("SHA512 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sha3_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SHA3_ARM_CE)) {
+		EMSG("SHA3 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sm3_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SM3_ARM_CE)) {
+		EMSG("SM3 instructions are not supported");
+		return false;
+	}
+
+	if (!feat_sm4_implemented() &&
+	    IS_ENABLED(CFG_CRYPTO_SM4_ARM_CE)) {
+		EMSG("SM4 instructions are not supported");
+		return false;
+	}
+
+	return true;
+}
+
 #if defined(CFG_WITH_VFP)
 
 #ifdef ARM32
@@ -1148,6 +1203,13 @@ static void init_primary(unsigned long pageable_part, unsigned long nsec_entry)
 	thread_set_exceptions(THREAD_EXCP_ALL);
 	primary_save_cntfrq();
 	init_vfp_sec();
+
+	if (IS_ENABLED(CFG_CRYPTO_WITH_CE) && !check_cpuid_ce()) {
+		EMSG("OP-TEE is built with CRYPTO_WITH_CE=y");
+		EMSG("But some CE instructions are not supported by CPU");
+		panic();
+	}
+
 	/*
 	 * Pager: init_runtime() calls thread_kernel_enable_vfp() so we must
 	 * set a current thread right now to avoid a chicken-and-egg problem