optee_os: implement Optee-based environment encryption

https://onedigi.atlassian.net/browse/DUB-1079

Signed-off-by: Javier Viguera <javier.viguera@digi.com>

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os/0002-core-ccimx93-enable-AES_HUK-trusted-application.patch

@@ -0,0 +1,714 @@
+From: Javier Viguera <javier.viguera@digi.com>
+Date: Tue, 14 May 2024 15:33:17 +0200
+Subject: [PATCH] core: ccimx93: enable AES_HUK trusted application
+
+This provides the support for u-boot environment encryption.
+
+Signed-off-by: Javier Viguera <javier.viguera@digi.com>
+---
+ core/arch/arm/plat-imx/conf.mk      |   2 +
+ ta/aes_huk/Android.mk               |   4 +
+ ta/aes_huk/Makefile                 |  13 +
+ ta/aes_huk/aes_ta.c                 | 477 ++++++++++++++++++++++++++++
+ ta/aes_huk/include/aes_ta.h         |  82 +++++
+ ta/aes_huk/sub.mk                   |   3 +
+ ta/aes_huk/user_ta.mk               |   1 +
+ ta/aes_huk/user_ta_header_defines.h |  48 +++
+ 8 files changed, 630 insertions(+)
+ create mode 100644 ta/aes_huk/Android.mk
+ create mode 100644 ta/aes_huk/Makefile
+ create mode 100644 ta/aes_huk/aes_ta.c
+ create mode 100644 ta/aes_huk/include/aes_ta.h
+ create mode 100644 ta/aes_huk/sub.mk
+ create mode 100644 ta/aes_huk/user_ta.mk
+ create mode 100644 ta/aes_huk/user_ta_header_defines.h
+
+diff --git a/core/arch/arm/plat-imx/conf.mk b/core/arch/arm/plat-imx/conf.mk
+index 5e4c02e27d2e..40d0bb4116dd 100644
+--- a/core/arch/arm/plat-imx/conf.mk
++++ b/core/arch/arm/plat-imx/conf.mk
+@@ -456,12 +456,14 @@ endif
+ ifneq (,$(filter $(PLATFORM_FLAVOR),ccimx93dvk))
+ CFG_DDR_SIZE ?= 0x40000000
+ CFG_UART_BASE ?= UART6_BASE
++CFG_IN_TREE_EARLY_TAS += aes_huk/c2fad363-5d9f-4fc4-a417-555841e05745
+ endif
+ 
+ ifneq (,$(filter $(PLATFORM_FLAVOR),ccimx93dvk_a0))
+ CFG_DDR_SIZE ?= 0x40000000
+ CFG_UART_BASE ?= UART6_BASE
+ $(call force,CFG_SOC_REV_A0,y)
++CFG_IN_TREE_EARLY_TAS += aes_huk/c2fad363-5d9f-4fc4-a417-555841e05745
+ endif
+ 
+ # i.MX6 Solo/SL/SoloX/DualLite/Dual/Quad specific config
+diff --git a/ta/aes_huk/Android.mk b/ta/aes_huk/Android.mk
+new file mode 100644
+index 000000000000..931f8e4065c9
+--- /dev/null
++++ b/ta/aes_huk/Android.mk
+@@ -0,0 +1,4 @@
++LOCAL_PATH := $(call my-dir)
++
++local_module := 5dbac793-f574-4871-8ad3-04331ec17f24.ta
++include $(BUILD_OPTEE_MK)
+diff --git a/ta/aes_huk/Makefile b/ta/aes_huk/Makefile
+new file mode 100644
+index 000000000000..e41d9913e6ae
+--- /dev/null
++++ b/ta/aes_huk/Makefile
+@@ -0,0 +1,13 @@
++CFG_TEE_TA_LOG_LEVEL ?= 4
++CFG_TA_OPTEE_CORE_API_COMPAT_1_1=y
++
++# The UUID for the Trusted Application
++BINARY=c2fad363-5d9f-4fc4-a417-555841e05745
++
++-include $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk
++
++ifeq ($(wildcard $(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk), )
++clean:
++	@echo 'Note: $$(TA_DEV_KIT_DIR)/mk/ta_dev_kit.mk not found, cannot clean TA'
++	@echo 'Note: TA_DEV_KIT_DIR=$(TA_DEV_KIT_DIR)'
++endif
+diff --git a/ta/aes_huk/aes_ta.c b/ta/aes_huk/aes_ta.c
+new file mode 100644
+index 000000000000..036d64b83478
+--- /dev/null
++++ b/ta/aes_huk/aes_ta.c
+@@ -0,0 +1,477 @@
++/*
++ * Copyright (c) 2017, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright notice,
++ * this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright notice,
++ * this list of conditions and the following disclaimer in the documentation
++ * and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ */
++#include <inttypes.h>
++
++#include <pta_system.h>
++#include <tee_internal_api.h>
++#include <tee_internal_api_extensions.h>
++
++#include <aes_ta.h>
++
++#define AES128_KEY_BIT_SIZE		128
++#define AES128_KEY_BYTE_SIZE		(AES128_KEY_BIT_SIZE / 8)
++#define AES256_KEY_BIT_SIZE		256
++#define AES256_KEY_BYTE_SIZE		(AES256_KEY_BIT_SIZE / 8)
++
++/*
++ * Ciphering context: each opened session relates to a cipehring operation.
++ * - configure the AES flavour from a command.
++ * - load key from a command (here the key is provided by the REE)
++ * - reset init vector (here IV is provided by the REE)
++ * - cipher a buffer frame (here input and output buffers are non-secure)
++ */
++struct aes_cipher {
++	uint32_t algo;			/* AES flavour */
++	uint32_t mode;			/* Encode or decode */
++	uint32_t key_size;		/* AES key size in byte */
++	TEE_OperationHandle op_handle;	/* AES ciphering operation */
++	TEE_ObjectHandle key_handle;	/* transient object to load the key */
++};
++
++/*
++ * Few routines to convert IDs from TA API into IDs from OP-TEE.
++ */
++static TEE_Result ta2tee_algo_id(uint32_t param, uint32_t *algo)
++{
++	switch (param) {
++	case TA_AES_ALGO_ECB:
++		*algo = TEE_ALG_AES_ECB_NOPAD;
++		return TEE_SUCCESS;
++	case TA_AES_ALGO_CBC:
++		*algo = TEE_ALG_AES_CBC_NOPAD;
++		return TEE_SUCCESS;
++	case TA_AES_ALGO_CTR:
++		*algo = TEE_ALG_AES_CTR;
++		return TEE_SUCCESS;
++	default:
++		EMSG("Invalid algo %u", param);
++		return TEE_ERROR_BAD_PARAMETERS;
++	}
++}
++static TEE_Result ta2tee_key_size(uint32_t param, uint32_t *key_size)
++{
++	switch (param) {
++	case AES128_KEY_BYTE_SIZE:
++	case AES256_KEY_BYTE_SIZE:
++		*key_size = param;
++		return TEE_SUCCESS;
++	default:
++		EMSG("Invalid key size %u", param);
++		return TEE_ERROR_BAD_PARAMETERS;
++	}
++}
++static TEE_Result ta2tee_mode_id(uint32_t param, uint32_t *mode)
++{
++	switch (param) {
++	case TA_AES_MODE_ENCODE:
++		*mode = TEE_MODE_ENCRYPT;
++		return TEE_SUCCESS;
++	case TA_AES_MODE_DECODE:
++		*mode = TEE_MODE_DECRYPT;
++		return TEE_SUCCESS;
++	default:
++		EMSG("Invalid mode %u", param);
++		return TEE_ERROR_BAD_PARAMETERS;
++	}
++}
++
++/*
++ * Process command TA_AES_CMD_PREPARE. API in aes_ta.h
++ *
++ * Allocate resources required for the ciphering operation.
++ * During ciphering operation, when expect client can:
++ * - update the key materials (provided by client)
++ * - reset the initial vector (provided by client)
++ * - cipher an input buffer into an output buffer (provided by client)
++ */
++static TEE_Result alloc_resources(void *session, uint32_t param_types,
++				  TEE_Param params[4])
++{
++	const uint32_t exp_param_types =
++		TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INPUT,
++				TEE_PARAM_TYPE_VALUE_INPUT,
++				TEE_PARAM_TYPE_VALUE_INPUT,
++				TEE_PARAM_TYPE_NONE);
++	struct aes_cipher *sess;
++	TEE_Attribute attr;
++	TEE_Result res;
++	char *key;
++
++	/* Get ciphering context from session ID */
++	DMSG("Session %p: get ciphering resources", session);
++	sess = (struct aes_cipher *)session;
++
++	/* Safely get the invocation parameters */
++	if (param_types != exp_param_types)
++		return TEE_ERROR_BAD_PARAMETERS;
++
++	res = ta2tee_algo_id(params[0].value.a, &sess->algo);
++	if (res != TEE_SUCCESS)
++		return res;
++
++	res = ta2tee_key_size(params[1].value.a, &sess->key_size);
++	if (res != TEE_SUCCESS)
++		return res;
++
++	res = ta2tee_mode_id(params[2].value.a, &sess->mode);
++	if (res != TEE_SUCCESS)
++		return res;
++
++	/*
++	 * Ready to allocate the resources which are:
++	 * - an operation handle, for an AES ciphering of given configuration
++	 * - a transient object that will be use to load the key materials
++	 *   into the AES ciphering operation.
++	 */
++
++	/* Free potential previous operation */
++	if (sess->op_handle != TEE_HANDLE_NULL)
++		TEE_FreeOperation(sess->op_handle);
++
++	/* Allocate operation: AES/CTR, mode and size from params */
++	res = TEE_AllocateOperation(&sess->op_handle,
++				    sess->algo,
++				    sess->mode,
++				    sess->key_size * 8);
++	if (res != TEE_SUCCESS) {
++		EMSG("Failed to allocate operation");
++		sess->op_handle = TEE_HANDLE_NULL;
++		goto err;
++	}
++
++	/* Free potential previous transient object */
++	if (sess->key_handle != TEE_HANDLE_NULL)
++		TEE_FreeTransientObject(sess->key_handle);
++
++	/* Allocate transient object according to target key size */
++	res = TEE_AllocateTransientObject(TEE_TYPE_AES,
++					  sess->key_size * 8,
++					  &sess->key_handle);
++	if (res != TEE_SUCCESS) {
++		EMSG("Failed to allocate transient object");
++		sess->key_handle = TEE_HANDLE_NULL;
++		goto err;
++	}
++
++	/*
++	 * When loading a key in the cipher session, set_aes_key()
++	 * will reset the operation and load a key. But we cannot
++	 * reset and operation that has no key yet (GPD TEE Internal
++	 * Core API Specification – Public Release v1.1.1, section
++	 * 6.2.5 TEE_ResetOperation). In consequence, we will load a
++	 * dummy key in the operation so that operation can be reset
++	 * when updating the key.
++	 */
++	key = TEE_Malloc(sess->key_size, 0);
++	if (!key) {
++		res = TEE_ERROR_OUT_OF_MEMORY;
++		goto err;
++	}
++
++	TEE_InitRefAttribute(&attr, TEE_ATTR_SECRET_VALUE, key, sess->key_size);
++
++	res = TEE_PopulateTransientObject(sess->key_handle, &attr, 1);
++	if (res != TEE_SUCCESS) {
++		EMSG("TEE_PopulateTransientObject failed, %x", res);
++		goto err;
++	}
++
++	res = TEE_SetOperationKey(sess->op_handle, sess->key_handle);
++	if (res != TEE_SUCCESS) {
++		EMSG("TEE_SetOperationKey failed %x", res);
++		goto err;
++	}
++
++	return res;
++
++err:
++	if (sess->op_handle != TEE_HANDLE_NULL)
++		TEE_FreeOperation(sess->op_handle);
++	sess->op_handle = TEE_HANDLE_NULL;
++
++	if (sess->key_handle != TEE_HANDLE_NULL)
++		TEE_FreeTransientObject(sess->key_handle);
++	sess->key_handle = TEE_HANDLE_NULL;
++
++	return res;
++}
++
++static TEE_Result derive_unique_key(uint8_t *key, uint16_t key_size,
++				    uint8_t *extra, uint16_t extra_size)
++{
++	TEE_TASessionHandle sess = TEE_HANDLE_NULL;
++	TEE_Param params[TEE_NUM_PARAMS] = { };
++	TEE_Result res = TEE_ERROR_GENERIC;
++	uint32_t ret_orig = 0;
++	uint32_t param_types = TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
++					       TEE_PARAM_TYPE_MEMREF_OUTPUT,
++					       TEE_PARAM_TYPE_NONE,
++					       TEE_PARAM_TYPE_NONE);
++
++	res = TEE_OpenTASession(&(const TEE_UUID)PTA_SYSTEM_UUID,
++				TEE_TIMEOUT_INFINITE, 0, NULL, &sess,
++				&ret_orig);
++	if (res)
++		return res;
++
++	if (extra && extra_size) {
++		params[0].memref.buffer = extra;
++		params[0].memref.size = extra_size;
++	}
++
++	params[1].memref.buffer = key;
++	params[1].memref.size = key_size;
++
++	res = TEE_InvokeTACommand(sess, TEE_TIMEOUT_INFINITE,
++				  PTA_SYSTEM_DERIVE_TA_UNIQUE_KEY,
++				  param_types, params, &ret_orig);
++
++	TEE_CloseTASession(sess);
++
++	return res;
++}
++
++/*
++ * Process command TA_AES_CMD_SET_KEY. API in aes_ta.h
++ */
++static TEE_Result set_aes_key(void *session, uint32_t param_types,
++				TEE_Param params[4])
++{
++	const uint32_t exp_param_types =
++		TEE_PARAM_TYPES(TEE_PARAM_TYPE_VALUE_INPUT,
++				TEE_PARAM_TYPE_NONE,
++				TEE_PARAM_TYPE_NONE,
++				TEE_PARAM_TYPE_NONE);
++	struct aes_cipher *sess;
++	TEE_Attribute attr;
++	TEE_Result res;
++	uint32_t key_sz;
++	uint8_t *key;
++
++	/* Get ciphering context from session ID */
++	DMSG("Session %p: load key material", session);
++	sess = (struct aes_cipher *)session;
++
++	/* Safely get the invocation parameters */
++	if (param_types != exp_param_types)
++		return TEE_ERROR_BAD_PARAMETERS;
++
++	key_sz = params[0].value.a;
++	if (key_sz != sess->key_size) {
++		EMSG("Wrong key size %" PRIu32 ", expect %" PRIu32 " bytes",
++		     key_sz, sess->key_size);
++		return TEE_ERROR_BAD_PARAMETERS;
++	}
++
++	/* Request a derivate of the HUK */
++	key = TEE_Malloc(key_sz, 0);
++	if (!key)
++		return TEE_ERROR_OUT_OF_MEMORY;
++	res = derive_unique_key(key, key_sz, NULL, 0);
++	if (res) {
++		EMSG("derive_unique_key failed: returned %#" PRIx32, res);
++		return res;
++	}
++
++	/*
++	 * Load the key material into the configured operation
++	 * - create a secret key attribute with the key material
++	 *   TEE_InitRefAttribute()
++	 * - reset transient object and load attribute data
++	 *   TEE_ResetTransientObject()
++	 *   TEE_PopulateTransientObject()
++	 * - load the key (transient object) into the ciphering operation
++	 *   TEE_SetOperationKey()
++	 *
++	 * TEE_SetOperationKey() requires operation to be in "initial state".
++	 * We can use TEE_ResetOperation() to reset the operation but this
++	 * API cannot be used on operation with key(s) not yet set. Hence,
++	 * when allocating the operation handle, we load a dummy key.
++	 * Thus, set_key sequence always reset then set key on operation.
++	 */
++
++	TEE_InitRefAttribute(&attr, TEE_ATTR_SECRET_VALUE, key, key_sz);
++
++	TEE_ResetTransientObject(sess->key_handle);
++	res = TEE_PopulateTransientObject(sess->key_handle, &attr, 1);
++	if (res != TEE_SUCCESS) {
++		EMSG("TEE_PopulateTransientObject failed, %x", res);
++		return res;
++	}
++
++	TEE_ResetOperation(sess->op_handle);
++	res = TEE_SetOperationKey(sess->op_handle, sess->key_handle);
++	if (res != TEE_SUCCESS) {
++		EMSG("TEE_SetOperationKey failed %x", res);
++		return res;
++	}
++
++	return res;
++}
++
++/*
++ * Process command TA_AES_CMD_SET_IV. API in aes_ta.h
++ */
++static TEE_Result reset_aes_iv(void *session, uint32_t param_types,
++				TEE_Param params[4])
++{
++	const uint32_t exp_param_types =
++		TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
++				TEE_PARAM_TYPE_NONE,
++				TEE_PARAM_TYPE_NONE,
++				TEE_PARAM_TYPE_NONE);
++	struct aes_cipher *sess;
++	size_t iv_sz;
++	char *iv;
++
++	/* Get ciphering context from session ID */
++	DMSG("Session %p: reset initial vector", session);
++	sess = (struct aes_cipher *)session;
++
++	/* Safely get the invocation parameters */
++	if (param_types != exp_param_types)
++		return TEE_ERROR_BAD_PARAMETERS;
++
++	iv = params[0].memref.buffer;
++	iv_sz = params[0].memref.size;
++
++	/*
++	 * Init cipher operation with the initialization vector.
++	 */
++	TEE_CipherInit(sess->op_handle, iv, iv_sz);
++
++	return TEE_SUCCESS;
++}
++
++/*
++ * Process command TA_AES_CMD_CIPHER. API in aes_ta.h
++ */
++static TEE_Result cipher_buffer(void *session, uint32_t param_types,
++				TEE_Param params[4])
++{
++	const uint32_t exp_param_types =
++		TEE_PARAM_TYPES(TEE_PARAM_TYPE_MEMREF_INPUT,
++				TEE_PARAM_TYPE_MEMREF_OUTPUT,
++				TEE_PARAM_TYPE_NONE,
++				TEE_PARAM_TYPE_NONE);
++	struct aes_cipher *sess;
++
++	/* Get ciphering context from session ID */
++	DMSG("Session %p: cipher buffer", session);
++	sess = (struct aes_cipher *)session;
++
++	/* Safely get the invocation parameters */
++	if (param_types != exp_param_types)
++		return TEE_ERROR_BAD_PARAMETERS;
++
++	if (params[1].memref.size < params[0].memref.size) {
++		EMSG("Bad sizes: in %zd, out %zd", params[0].memref.size,
++						 params[1].memref.size);
++		return TEE_ERROR_BAD_PARAMETERS;
++	}
++
++	if (sess->op_handle == TEE_HANDLE_NULL)
++		return TEE_ERROR_BAD_STATE;
++
++	/*
++	 * Process ciphering operation on provided buffers
++	 */
++	return TEE_CipherUpdate(sess->op_handle,
++				params[0].memref.buffer, params[0].memref.size,
++				params[1].memref.buffer, &params[1].memref.size);
++}
++
++TEE_Result TA_CreateEntryPoint(void)
++{
++	/* Nothing to do */
++	return TEE_SUCCESS;
++}
++
++void TA_DestroyEntryPoint(void)
++{
++	/* Nothing to do */
++}
++
++TEE_Result TA_OpenSessionEntryPoint(uint32_t __unused param_types,
++					TEE_Param __unused params[4],
++					void __unused **session)
++{
++	struct aes_cipher *sess;
++
++	/*
++	 * Allocate and init ciphering materials for the session.
++	 * The address of the structure is used as session ID for
++	 * the client.
++	 */
++	sess = TEE_Malloc(sizeof(*sess), 0);
++	if (!sess)
++		return TEE_ERROR_OUT_OF_MEMORY;
++
++	sess->key_handle = TEE_HANDLE_NULL;
++	sess->op_handle = TEE_HANDLE_NULL;
++
++	*session = (void *)sess;
++	DMSG("Session %p: newly allocated", *session);
++
++	return TEE_SUCCESS;
++}
++
++void TA_CloseSessionEntryPoint(void *session)
++{
++	struct aes_cipher *sess;
++
++	/* Get ciphering context from session ID */
++	DMSG("Session %p: release session", session);
++	sess = (struct aes_cipher *)session;
++
++	/* Release the session resources */
++	if (sess->key_handle != TEE_HANDLE_NULL)
++		TEE_FreeTransientObject(sess->key_handle);
++	if (sess->op_handle != TEE_HANDLE_NULL)
++		TEE_FreeOperation(sess->op_handle);
++	TEE_Free(sess);
++}
++
++TEE_Result TA_InvokeCommandEntryPoint(void *session,
++					uint32_t cmd,
++					uint32_t param_types,
++					TEE_Param params[4])
++{
++	switch (cmd) {
++	case TA_AES_CMD_PREPARE:
++		return alloc_resources(session, param_types, params);
++	case TA_AES_CMD_SET_KEY:
++		return set_aes_key(session, param_types, params);
++	case TA_AES_CMD_SET_IV:
++		return reset_aes_iv(session, param_types, params);
++	case TA_AES_CMD_CIPHER:
++		return cipher_buffer(session, param_types, params);
++	default:
++		EMSG("Command ID 0x%x is not supported", cmd);
++		return TEE_ERROR_NOT_SUPPORTED;
++	}
++}
+diff --git a/ta/aes_huk/include/aes_ta.h b/ta/aes_huk/include/aes_ta.h
+new file mode 100644
+index 000000000000..c07b4bc479ee
+--- /dev/null
++++ b/ta/aes_huk/include/aes_ta.h
+@@ -0,0 +1,82 @@
++/*
++ * Copyright (c) 2017, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright notice,
++ * this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright notice,
++ * this list of conditions and the following disclaimer in the documentation
++ * and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef __AES_TA_H__
++#define __AES_TA_H__
++
++/* UUID of the AES example trusted application */
++#define TA_AES_UUID \
++	{ 0xc2fad363, 0x5d9f, 0x4fc4, \
++		{ 0xa4, 0x17, 0x55, 0x58, 0x41, 0xe0, 0x57, 0x45 } }
++
++/*
++ * TA_AES_CMD_PREPARE - Allocate resources for the AES ciphering
++ * param[0] (value) a: TA_AES_ALGO_xxx, b: unused
++ * param[1] (value) a: key size in bytes, b: unused
++ * param[2] (value) a: TA_AES_MODE_ENCODE/_DECODE, b: unused
++ * param[3] unused
++ */
++#define TA_AES_CMD_PREPARE		0
++
++#define TA_AES_ALGO_ECB			0
++#define TA_AES_ALGO_CBC			1
++#define TA_AES_ALGO_CTR			2
++
++#define TA_AES_SIZE_128BIT		(128 / 8)
++#define TA_AES_SIZE_256BIT		(256 / 8)
++
++#define TA_AES_MODE_ENCODE		1
++#define TA_AES_MODE_DECODE		0
++
++/*
++ * TA_AES_CMD_SET_KEY - Allocate resources for the AES ciphering
++ * param[0] (memref) key data, size shall equal key length
++ * param[1] unused
++ * param[2] unused
++ * param[3] unused
++ */
++#define TA_AES_CMD_SET_KEY		1
++
++/*
++ * TA_AES_CMD_SET_IV - reset IV
++ * param[0] (memref) initial vector, size shall equal block length
++ * param[1] unused
++ * param[2] unused
++ * param[3] unused
++ */
++#define TA_AES_CMD_SET_IV		2
++
++/*
++ * TA_AES_CMD_CIPHER - Cipher input buffer into output buffer
++ * param[0] (memref) input buffer
++ * param[1] (memref) output buffer (shall be bigger than input buffer)
++ * param[2] unused
++ * param[3] unused
++ */
++#define TA_AES_CMD_CIPHER		3
++
++#endif /* __AES_TA_H */
+diff --git a/ta/aes_huk/sub.mk b/ta/aes_huk/sub.mk
+new file mode 100644
+index 000000000000..cfce14e6c119
+--- /dev/null
++++ b/ta/aes_huk/sub.mk
+@@ -0,0 +1,3 @@
++global-incdirs-y += include
++global-incdirs-y += .
++srcs-y += aes_ta.c
+diff --git a/ta/aes_huk/user_ta.mk b/ta/aes_huk/user_ta.mk
+new file mode 100644
+index 000000000000..d49d309558ba
+--- /dev/null
++++ b/ta/aes_huk/user_ta.mk
+@@ -0,0 +1 @@
++user-ta-uuid := c2fad363-5d9f-4fc4-a417-555841e05745
+diff --git a/ta/aes_huk/user_ta_header_defines.h b/ta/aes_huk/user_ta_header_defines.h
+new file mode 100644
+index 000000000000..9f944b8b9ab3
+--- /dev/null
++++ b/ta/aes_huk/user_ta_header_defines.h
+@@ -0,0 +1,48 @@
++/*
++ * Copyright (c) 2017, Linaro Limited
++ * All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright notice,
++ * this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright notice,
++ * this list of conditions and the following disclaimer in the documentation
++ * and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
++ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
++ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
++ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
++ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
++ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
++ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
++ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
++ * POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/*
++ * The name of this file must not be modified
++ */
++
++#ifndef USER_TA_HEADER_DEFINES_H
++#define USER_TA_HEADER_DEFINES_H
++
++#include <aes_ta.h>
++
++#define TA_UUID				TA_AES_UUID
++
++#define TA_FLAGS			TA_FLAG_EXEC_DDR
++#define TA_STACK_SIZE			(2 * 1024)
++#define TA_DATA_SIZE			(32 * 1024)
++
++#define TA_CURRENT_TA_EXT_PROPERTIES \
++    { "gp.ta.description", USER_TA_PROP_TYPE_STRING, \
++        "Example of TA using an AES sequence" }, \
++    { "gp.ta.version", USER_TA_PROP_TYPE_U32, &(const uint32_t){ 0x0010 } }
++
++#endif /*USER_TA_HEADER_DEFINES_H*/

meta-digi-arm/dynamic-layers/freescale-layer/recipes-security/optee-imx/optee-os_4.0.0.imx.bb

@@ -9,6 +9,7 @@ SRC_URI = " \
     git://github.com/nxp-imx/imx-optee-os.git;protocol=https;branch=${SRCBRANCH} \
     file://0007-allow-setting-sysroot-for-clang.patch \
     file://0001-core-imx-support-ccimx93-dvk.patch \
+    file://0002-core-ccimx93-enable-AES_HUK-trusted-application.patch \
 "
 SRCBRANCH = "lf-6.1.55_2.2.0"
 # Tag: lf-6.1.55-2.2.0