AMD ASU Support #7517
Add support for the AMD Application Security Unit (ASU), the on-chip Hardware Security Module (HSM) for Versal Gen 2. The ASU manages all device-level security services for user applications, extending beyond accelerator-centric tasks. Its firmware also exposes several software-based cryptographic primitives, including:

- Key transfer
- RSA authentication (multiple padding schemes)
- HMAC
- Key Derivation Function (KDF)
- Key wrap / unwrap

Co-developed-by: Akshay Belsare <[email protected]>
Signed-off-by: Akshay Belsare <[email protected]>
Signed-off-by: Harsh Jain <[email protected]>
Add support for the following hash algorithms: SHA-256, SHA-384, SHA-512, SHA3-256, SHA3-384, SHA3-512

Signed-off-by: Harsh Jain <[email protected]>
| #define ASU_MODULE_SHA2_ID 1U | ||
| #define ASU_MODULE_SHA3_ID 2U | ||
|
|
||
| struct asu_client_params { |
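Review bot: `struct asu_client_params {` appears in the visible lines with no comment saying what an ASU client is or who fills the structure in. A short comment above the struct stating its role would make the header self-explanatory.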
What is an ASU Client? Is it a piece of hardware?
ASU Client is the code interacting with the ASU Firmware.
So, ASU Client is the driver? Doesn't that make the client part redundant?
Edit: Keep this as is, if it makes more sense to you.
@jenswi-linaro
The ASU Client is shared code that interfaces with the firmware and exposes a general API set for crypto drivers to use.
| { | ||
| struct asu_hash_ctx *asu_hashctx; | ||
|
|
||
| if (!ctx) |
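Review bot: `struct asu_hash_ctx *asu_hashctx;` is declared without an initializer just above the `if (!ctx)` check. Initializing it to NULL at the declaration would keep any early-exit path from leaving the pointer indeterminate.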
Can ctx be NULL?
This is the entry point for the driver. The not-NULL check is a preventive check of the input data.
| asu_hashctx->module, NULL); | ||
| if (ret) | ||
| break; | ||
| asu_hashctx->shastart = 0; |
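Review bot: at `asu_hashctx->shastart = 0;` the bare 0 does not say what state is being cleared. A named constant or a one-line comment next to the assignment would document why it comes after the `if (ret) break;` check rather than before the call.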
Is this a valid value for shastart?
I was wondering if we could avoid the break by checking ret in the loop condition:
    while (remaining && !ret)
Can setting shastart = 0 be done unconditionally at the beginning of the loop?
> Is this a valid value for shastart?

Yes, it's like a flag. Setting it to 1 tells the hardware that it is the first update request. Subsequent update requests should not set this flag.

> Can setting shastart = 0 be done unconditionally at the beginning of the loop?

No, we are initialising it to "ASU_SHA_START" in asu_hash_initialize.
The TEE_DigestDoFinal() API re-inits the context in the final callback to use it for a later operation. The driver cannot allocate the unique ID in init. Move alloc/free of unique IDs to the ctx_allocate/ctx_free callbacks.

Signed-off-by: Harsh Jain <[email protected]>
A user can request a digest size smaller than the algorithm's digest size, but the fw validates the digest size and expects it to match the algorithm digest size. Update the driver to copy the hash based on the len received in the user request.

Signed-off-by: Harsh Jain <[email protected]>
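The first-update flag discussed in the review thread above and the digest-length handling described in this commit message, as an added example that is not code from the pull request. The `demo_*` names, the `DEMO_SHA_START` value, the chunk limit, the use of the `while (remaining && !ret)` loop form and the stand-in firmware checks are all assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>
#define DEMO_DIGEST_LEN 32U /* full digest size of the demo algorithm */
#define DEMO_MAX_CHUNK  8U  /* constructed per-request data limit */
#define DEMO_SHA_START  1U  /* hypothetical "first update" flag value */
/* shastart: flag sent with the next update; fw_started: stand-in fw state. */
struct demo_ctx { uint32_t shastart; int fw_started; };

/* Stand-in firmware update: start flag is valid on the first request only. */
static int demo_fw_update(struct demo_ctx *c, size_t len, uint32_t start)
{
	if (!len || len > DEMO_MAX_CHUNK || (start != 0) == (c->fw_started != 0))
		return -1;
	c->fw_started = 1;
	return 0;
}

/* Stand-in firmware final: digest length must equal the algorithm's size. */
static int demo_fw_final(uint8_t *out, size_t out_len)
{
	if (out_len != DEMO_DIGEST_LEN)
		return -1;
	memset(out, 0xA5, out_len); /* constructed digest bytes */
	return 0;
}

/* Driver update: send chunks, clearing the flag once the first succeeds. */
static int demo_update(struct demo_ctx *c, size_t remaining)
{
	int ret = 0;
	while (remaining && !ret) {
		size_t n = remaining < DEMO_MAX_CHUNK ? remaining : DEMO_MAX_CHUNK;
		ret = demo_fw_update(c, n, c->shastart);
		if (!ret)
			c->shastart = 0;
		remaining -= n;
	}
	return ret;
}

/* Driver final: fetch the full digest, copy only the requested length. */
static int demo_final(uint8_t *digest, size_t len)
{
	uint8_t full[DEMO_DIGEST_LEN] = { 0 };
	if (!digest || len > DEMO_DIGEST_LEN || demo_fw_final(full, sizeof(full)))
		return -1;
	memcpy(digest, full, len);
	return 0;
}
```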
Update files as per review comments

Signed-off-by: Akshay Belsare <[email protected]>
310ad49 to da406d7
Address further review comments.

Signed-off-by: Harsh Jain <[email protected]>