cmd_aes: Add clear key support in u-boot

Adding support for clearing an existing derived key. Change-Id: I6e6c8718696aa7ae29cf9ec0429b9c90c074f62d Signed-off-by: Hariharan K <quic_harihk@quicinc.com>
2025-12-10 07:44:53 +01:00 · 2024-06-17 16:39:56 +05:30 · 2024-06-17 16:39:56 +05:30 · 96b17b1392
commit 96b17b1392
parent fc2a063d53
3 changed files with 72 additions and 0 deletions
--- a/arch/arm/cpu/armv7/qca/common/scm.c
+++ b/arch/arm/cpu/armv7/qca/common/scm.c
@ -817,6 +817,25 @@ int qca_scm_call_crypto_v8(u32 svc_id, u32 cmd_id, u32 *addr, u32 val)
        return ret;
 }

+int qca_scm_call_clear_key(u32 svc_id, u32 cmd_id, u32 key_handle)
+{
+	int ret = 0;
+	__le32 scm_ret;
+	struct qca_scm_desc desc = {0};
+
+	desc.arginfo = QCA_SCM_ARGS(1, SCM_VAL);
+
+	desc.args[0] = key_handle;
+
+	ret = scm_call_64(svc_id, cmd_id, &desc);
+	scm_ret = desc.ret[0];
+
+	if (!ret)
+		return le32_to_cpu(scm_ret);
+
+	return ret;
+}
+
 int qca_scm_call_write(u32 svc_id, u32 cmd_id, u32 *addr, u32 val)
 {
 	int ret = 0;
@ -906,6 +925,18 @@ int qca_scm_crypto(int cmd_id, void *req_ptr, uint32_t req_size)
        return ret;
 }

+int qca_scm_clear_key(uint32_t key_handle, u32 cmd_id)
+{
+	int ret;
+
+	if (is_scm_armv8())
+		ret = qca_scm_call_clear_key(SCM_SVC_CRYPTO, cmd_id, key_handle);
+	else
+		ret = -ENOTSUPP;
+
+	return ret;
+}
+
 /**
 * qca_scm_is_feature_available() - Check if a given feature is enabled by TZ,
 *                   and its version if enabled.
--- a/arch/arm/include/asm/arch-qca-common/scm.h
+++ b/arch/arm/include/asm/arch-qca-common/scm.h
@ -136,6 +136,7 @@ int qca_scm_call_write(u32, u32, u32 *, u32);
 int qca_scm_call_read(u32, u32, u32 *, u32*);
 long qca_scm_is_feature_available(u32);
 int qca_scm_crypto(int, void *, u32);
+int qca_scm_clear_key(u32, u32);
 int qca_scm_sdi(void);
 int qca_scm_dload(u32);
 int qca_scm_fuseipq(u32, u32, void *, size_t);
--- a/common/cmd_aes.c
+++ b/common/cmd_aes.c
@ -25,6 +25,7 @@ enum tz_crypto_service_aes_cmd_t {
 #ifdef CONFIG_IPQ_DERIVE_KEY
 	TZ_CRYPTO_SERVICE_AES_DERIVE_KEY_ID = 0x9,
 	TZ_CRYPTO_SERVICE_AES_DERIVE_128_KEY_ID = 0xE,
+	TZ_CRYPTO_SERVICE_AES_CLEAR_KEY_ID = 0xA,
 #endif
 };

@ -268,6 +269,45 @@ U_BOOT_CMD(
        "<bindings_data> <context_data address> <context data len>"
 );

+/**
+ * do_clear_aes_key() - Handle the "clear_key" command-line command
+ *
+ * @cmdtp:      Command data struct pointer
+ * @flag:       Command flag
+ * @argc:       Command-line argument count
+ * @argv:       Array of command-line arguments
+ *
+ * Returns zero on success, CMD_RET_USAGE in case of misuse and negative
+ * on error.
+ */
+
+static int do_clear_aes_key(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
+{
+	int ret;
+	uint32_t key_handle;
+
+	if (argc != 2) {
+		return CMD_RET_USAGE;
+	}
+
+	key_handle = simple_strtoul(argv[1], NULL, 10);
+
+	ret = qca_scm_clear_key(key_handle, TZ_CRYPTO_SERVICE_AES_CLEAR_KEY_ID);
+	if (!ret)
+          	printf("AES key = %u cleared successfully\n",key_handle);
+	else
+          	printf("AES key clear failed with err %d\n",ret);
+
+	return ret ? CMD_RET_FAILURE:CMD_RET_SUCCESS;
+}
+
+/***************************************************/
+U_BOOT_CMD(
+        clear_aes_key, 2, 0, do_clear_aes_key,
+	"Clear AES 256 key in TME-L based systems",
+	"Clear key: clear_aes_key <key_handle>"
+);
+
 #endif

 /**