Documentation/qseecom.txt - manifest_repos/kernel - Git at Google

 Available APIs used in Sample App:

 QSClient - Client Application in Linux

 qseecom.ko is a loadable kernel module which acts as the QTI secure client
 in the non-secure world. It provides a sample interface for communication with
 the secure world(QSEE).

 Multiplication and Crypto functionalities are currently available in the sample
 app. Similarly an app can be written to support any required functionalities.

 For each platform, memory has been reserved in the QTI default device tree.
 For ipq806x, ipq6018, the region is fixed, while it can be changed for ipq807x
 and ipq40xx.

 Available APIs in kernel which can be reused/extended:

 (1) qti_scm_qseecom_notify	 -> to notify the load region of application
 (2) qti_scm_qseecom_load	 -> to load the libraries and application
 (3) qti_scm_qseecom_send_data	 -> to send data to perform operation
 (4) qti_scm_qseecom_unload	 -> to unload the application and libraries
 (5) qti_scm_tz_register_log_buf -> to register a log buf for sample app logs

 Refer to source code in drivers/misc/qseecom.c for re-using the above APIs. This
 can be modified or extended to support vendor applications.

 Sampleapp Usage Instructions:

 Note: We support only 64 bit sampleapp in ipq807x, ipq6018 platform.

 Across any platforms, apps can be loaded and functionalities can be performed
 securely from the non-secure world via the scm interface. Below are the steps
 to load a sample app and perform some basic operations:

 Before loading the sample app, the library required by sample app needs to be
 loaded.

 (1) To load sample app libraries

 This step can be skipped if its platform ipq8064 as we use a different
 framework. In ipq8064 platform, the libraries are in-built.

 This step is needed only for ipq807x, ipq6018, and ipq40xx platforms.

 Concatenate all the seg files into 1 segment file and feed it as
 input to sys/firmware/seg_file and feed the mdt file as input to
 sys/firmware/mdt_file as below:

 In platform ipq40xx, the common lib is divided into 4 segments
 whereas in platform ipq807x, the common lib is divided into 6 segments.

 cat cmnlib.b00 > cmnlib.b0x
 cat cmnlib.b01 >> cmnlib.b0x
 cat cmnlib.b02 >> cmnlib.b0x
 cat cmnlib.b03 >> cmnlib.b0x

 Below 2 steps are needed only if its platform ipq807x or ipq6018:

 cat cmnlib.b04 >> cmnlib.b0x
 cat cmnlib.b05 >> cmnlib.b0x

 Now cat the mdt and combined binary files to sysfs entries as below:

 cat cmnlib.mdt > /sys/firmware/mdt_file
 cat cmnlib.b0x > /sys/firmware/seg_file

 echo 0 > /sys/firmware/tzapp/load_start

 You will get a print saying you have successfully loaded app libraries.

 (2) To load sample app

 Concatenate all the seg files into 1 segment file and feed it as
 input to sys/firmware/seg_file and feed the mdt file as input to
 sys/firmware/mdt_file as below:

 In platform ipq8064 or ipq40xx, the sample app is divided into 4
 segments whereas in ipq807x, the sample app is divided into 7 segments

 cat sampleapp.b00 > sampleapp.b0x
 cat sampleapp.b01 >> sampleapp.b0x
 cat sampleapp.b02 >> sampleapp.b0x
 cat sampleapp.b03 >> sampleapp.b0x

 Below 3 steps are required if its platform ipq807x or ipq6018:

 cat sampleapp.b04 >> sampleapp.b0x
 cat sampleapp.b05 >> sampleapp.b0x
 cat sampleapp.b06 >> sampleapp.b0x

 Below step is required if its platform ipq6018:

 cat sampleapp.b07 >> sampleapp.b0x

 Now cat the mdt and combined binary files to sysfs entries as below:

 cat sampleapp.mdt > /sys/firmware/mdt_file
 cat sampleapp.b0x > /sys/firmware/seg_file

 echo 1 > /sys/firmware/tzapp/load_start

 (3) Perform operations required in the application

 The following mult. operations can be tested in all the platforms:

 To give input to Multiplication op:
 echo 100 > /sys/firmware/tzapp/basic_data

 To view Secure Multiplication output:
 cat /sys/firmware/tzapp/basic_data

 The following crypto operation can be tested in all platforms other
 than ipq806x:

 The "crypto" sysfs entry triggers the sample test encryption and decryption
 inside secure app and displays the result if the test has passed or failed.

 To test Crypto functionality:
 echo 1 > /sys/firmware/tzapp/crypto

 The following encrypt/decrypt operation can be tested only in
 ipq806x platform:

 To give input to Encryption:
 echo '6bc1bee22e409f9' > /sys/firmware/tzapp/encrypt

 To view encryption output:
 cat /sys/firmware/tzapp/encrypt

 To give input to Decryption:
 cat /sys/firmware/tzapp/encrypt > /sys/firmware/tzapp/decrypt

 To view decryption output:
 cat /sys/firmware/tzapp/decrypt

 (4) To unload the sampleapp

 echo 2 > /sys/firmware/tzapp/load_start

 The libraries used by sample app are automatically unloaded when the device
 driver is removed (i.e. during rmmod to remove the qseecom module).

 If the user doesn't unload the app, then the app is unloaded when the
 device driver is removed.

 Note: sampleapp logging has been enabled for QSEE sample app. To view the log at
 any point after loading the sample app from kernel, please use below command:

 cat /sys/firmware/tzapp/log_buf > log.txt

 QSEE APIs in ipq40xx:

 In ipq40xx, there are RSA and AES APIs available to perform crypto operations.
 The steps to use AES and RSA APIs are as below:

 RSA API:

 RSA Generate Key blob:
 (1) cat /sys/rsa_sec_key/rsa_generate > key_blob.txt

 RSA Import Key blob:
 (1) cat hex.dat > /sys/rsa_sec_key/rsa_import
 (2) cat /sys/rsa_sec_key/rsa_import > import_key_blob.txt

 Note:
 hex.dat contents must be a properly generated RSA vector.

 spec of the hex.dat file used in RSA Import Key blob:
 hex.dat size is 1066 bytes.

 1066 bytes split up:
 	528 bytes -> import modulus
 	2 bytes -> import modulus length in hexadecimal
 	5 bytes -> public exponent
 	1 byte -> public exponent length in hexadecimal
 	528 bytes -> private exponent
 	2 bytes -> private exponent length in hexadecimal

 public, private exponent can be any value other than 3
 modulus can be any value lesser than 4096

 RSA Sign data:
 (1) cat key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
     or
     cat import_key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
 (2) cat data.txt > /sys/rsa_sec_key/rsa_sign
 (3) cat /sys/rsa_sec_key/rsa_sign > signed_data.txt

 RSA Verification of Signature:
 (1) cat key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
     or
     cat import_key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
 (2) cat data.txt > /sys/rsa_sec_key/rsa_sign
 (3) cat signed_data.txt > /sys/rsa_sec_key/rsa_verify
 (4) cat /sys/rsa_sec_key/rsa_verify > verification_result.txt
 (5) cat verification_result.txt

 AES API:

 AES Generate Key blob:
 (1) cat /sys/sec_key/generate > key_blob.txt

 AES Import Key blob:
 (1) cat key.txt > /sys/sec_key/import
 (2) cat /sys/sec_key/import > imported_key_blob.txt

 AES Encrypt data:
 (1) cat key_blob.txt > /sys/sec_key/key_blob
     or
     cat imported_key_blob.txt > /sys/sec_key/key_blob
 (2) cat data.txt > /sys/sec_key/seal
 (3) cat /sys/sec_key/seal > encrypted_data.txt

 AES Decrypt data:
 (1) cat key_blob.txt > /sys/sec_key/key_blob
     or
     cat imported_key_blob.txt > /sys/sec_key/key_blob
 (2) cat encrypted_data.txt > /sys/sec_key/unseal

 Note:
 RSA generate functionality can take random amount of time to execute. This is
 because in this RSA algorithm we have to generate 2 random numbers with certain
 properties and then proceed. We can use the RSA import functionality if in case
 time is a concern.

 shk value is 0 by default in non-secure ipq40xx target systems.

 To make the keyblobs target dependent, shk values must be changed from default
 value in non-secure target systems.

 Without doing this, we will be able to encrypt in one board and decrypt in
 another board using the same keyblob.
	Available APIs used in Sample App:

	QSClient - Client Application in Linux

	qseecom.ko is a loadable kernel module which acts as the QTI secure client
	in the non-secure world. It provides a sample interface for communication with
	the secure world(QSEE).

	Multiplication and Crypto functionalities are currently available in the sample
	app. Similarly an app can be written to support any required functionalities.

	For each platform, memory has been reserved in the QTI default device tree.
	For ipq806x, ipq6018, the region is fixed, while it can be changed for ipq807x
	and ipq40xx.

	Available APIs in kernel which can be reused/extended:

	(1) qti_scm_qseecom_notify -> to notify the load region of application
	(2) qti_scm_qseecom_load -> to load the libraries and application
	(3) qti_scm_qseecom_send_data -> to send data to perform operation
	(4) qti_scm_qseecom_unload -> to unload the application and libraries
	(5) qti_scm_tz_register_log_buf -> to register a log buf for sample app logs

	Refer to source code in drivers/misc/qseecom.c for re-using the above APIs. This
	can be modified or extended to support vendor applications.

	Sampleapp Usage Instructions:

	Note: We support only 64 bit sampleapp in ipq807x, ipq6018 platform.

	Across any platforms, apps can be loaded and functionalities can be performed
	securely from the non-secure world via the scm interface. Below are the steps
	to load a sample app and perform some basic operations:

	Before loading the sample app, the library required by sample app needs to be
	loaded.

	(1) To load sample app libraries

	This step can be skipped if its platform ipq8064 as we use a different
	framework. In ipq8064 platform, the libraries are in-built.

	This step is needed only for ipq807x, ipq6018, and ipq40xx platforms.

	Concatenate all the seg files into 1 segment file and feed it as
	input to sys/firmware/seg_file and feed the mdt file as input to
	sys/firmware/mdt_file as below:

	In platform ipq40xx, the common lib is divided into 4 segments
	whereas in platform ipq807x, the common lib is divided into 6 segments.

	cat cmnlib.b00 > cmnlib.b0x
	cat cmnlib.b01 >> cmnlib.b0x
	cat cmnlib.b02 >> cmnlib.b0x
	cat cmnlib.b03 >> cmnlib.b0x

	Below 2 steps are needed only if its platform ipq807x or ipq6018:

	cat cmnlib.b04 >> cmnlib.b0x
	cat cmnlib.b05 >> cmnlib.b0x

	Now cat the mdt and combined binary files to sysfs entries as below:

	cat cmnlib.mdt > /sys/firmware/mdt_file
	cat cmnlib.b0x > /sys/firmware/seg_file

	echo 0 > /sys/firmware/tzapp/load_start

	You will get a print saying you have successfully loaded app libraries.

	(2) To load sample app

	Concatenate all the seg files into 1 segment file and feed it as
	input to sys/firmware/seg_file and feed the mdt file as input to
	sys/firmware/mdt_file as below:

	In platform ipq8064 or ipq40xx, the sample app is divided into 4
	segments whereas in ipq807x, the sample app is divided into 7 segments

	cat sampleapp.b00 > sampleapp.b0x
	cat sampleapp.b01 >> sampleapp.b0x
	cat sampleapp.b02 >> sampleapp.b0x
	cat sampleapp.b03 >> sampleapp.b0x

	Below 3 steps are required if its platform ipq807x or ipq6018:

	cat sampleapp.b04 >> sampleapp.b0x
	cat sampleapp.b05 >> sampleapp.b0x
	cat sampleapp.b06 >> sampleapp.b0x

	Below step is required if its platform ipq6018:

	cat sampleapp.b07 >> sampleapp.b0x

	Now cat the mdt and combined binary files to sysfs entries as below:

	cat sampleapp.mdt > /sys/firmware/mdt_file
	cat sampleapp.b0x > /sys/firmware/seg_file

	echo 1 > /sys/firmware/tzapp/load_start

	(3) Perform operations required in the application

	The following mult. operations can be tested in all the platforms:

	To give input to Multiplication op:
	echo 100 > /sys/firmware/tzapp/basic_data

	To view Secure Multiplication output:
	cat /sys/firmware/tzapp/basic_data

	The following crypto operation can be tested in all platforms other
	than ipq806x:

	The "crypto" sysfs entry triggers the sample test encryption and decryption
	inside secure app and displays the result if the test has passed or failed.

	To test Crypto functionality:
	echo 1 > /sys/firmware/tzapp/crypto

	The following encrypt/decrypt operation can be tested only in
	ipq806x platform:

	To give input to Encryption:
	echo '6bc1bee22e409f9' > /sys/firmware/tzapp/encrypt

	To view encryption output:
	cat /sys/firmware/tzapp/encrypt

	To give input to Decryption:
	cat /sys/firmware/tzapp/encrypt > /sys/firmware/tzapp/decrypt

	To view decryption output:
	cat /sys/firmware/tzapp/decrypt

	(4) To unload the sampleapp

	echo 2 > /sys/firmware/tzapp/load_start

	The libraries used by sample app are automatically unloaded when the device
	driver is removed (i.e. during rmmod to remove the qseecom module).

	If the user doesn't unload the app, then the app is unloaded when the
	device driver is removed.

	Note: sampleapp logging has been enabled for QSEE sample app. To view the log at
	any point after loading the sample app from kernel, please use below command:

	cat /sys/firmware/tzapp/log_buf > log.txt

	QSEE APIs in ipq40xx:

	In ipq40xx, there are RSA and AES APIs available to perform crypto operations.
	The steps to use AES and RSA APIs are as below:

	RSA API:

	RSA Generate Key blob:
	(1) cat /sys/rsa_sec_key/rsa_generate > key_blob.txt

	RSA Import Key blob:
	(1) cat hex.dat > /sys/rsa_sec_key/rsa_import
	(2) cat /sys/rsa_sec_key/rsa_import > import_key_blob.txt

	Note:
	hex.dat contents must be a properly generated RSA vector.

	spec of the hex.dat file used in RSA Import Key blob:
	hex.dat size is 1066 bytes.

	1066 bytes split up:
	528 bytes -> import modulus
	2 bytes -> import modulus length in hexadecimal
	5 bytes -> public exponent
	1 byte -> public exponent length in hexadecimal
	528 bytes -> private exponent
	2 bytes -> private exponent length in hexadecimal

	public, private exponent can be any value other than 3
	modulus can be any value lesser than 4096

	RSA Sign data:
	(1) cat key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
	or
	cat import_key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
	(2) cat data.txt > /sys/rsa_sec_key/rsa_sign
	(3) cat /sys/rsa_sec_key/rsa_sign > signed_data.txt

	RSA Verification of Signature:
	(1) cat key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
	or
	cat import_key_blob.txt > /sys/rsa_sec_key/rsa_key_blob
	(2) cat data.txt > /sys/rsa_sec_key/rsa_sign
	(3) cat signed_data.txt > /sys/rsa_sec_key/rsa_verify
	(4) cat /sys/rsa_sec_key/rsa_verify > verification_result.txt
	(5) cat verification_result.txt

	AES API:

	AES Generate Key blob:
	(1) cat /sys/sec_key/generate > key_blob.txt

	AES Import Key blob:
	(1) cat key.txt > /sys/sec_key/import
	(2) cat /sys/sec_key/import > imported_key_blob.txt

	AES Encrypt data:
	(1) cat key_blob.txt > /sys/sec_key/key_blob
	or
	cat imported_key_blob.txt > /sys/sec_key/key_blob
	(2) cat data.txt > /sys/sec_key/seal
	(3) cat /sys/sec_key/seal > encrypted_data.txt

	AES Decrypt data:
	(1) cat key_blob.txt > /sys/sec_key/key_blob
	or
	cat imported_key_blob.txt > /sys/sec_key/key_blob
	(2) cat encrypted_data.txt > /sys/sec_key/unseal

	Note:
	RSA generate functionality can take random amount of time to execute. This is
	because in this RSA algorithm we have to generate 2 random numbers with certain
	properties and then proceed. We can use the RSA import functionality if in case
	time is a concern.

	shk value is 0 by default in non-secure ipq40xx target systems.

	To make the keyblobs target dependent, shk values must be changed from default
	value in non-secure target systems.

	Without doing this, we will be able to encrypt in one board and decrypt in
	another board using the same keyblob.