authorFranck LENORMAND <franck.lenormand@nxp.com>2020-08-10 10:12:42 +0200
committerFranck LENORMAND <franck.lenormand@nxp.com>2020-08-13 15:13:52 +0200
commitfac431ed6755c1b66511838e350a987b2ddcb9fb (patch)
tree64ae1f3e99554546c6fa04b3835995134db5c83f
parente39a0c329049cc8e281adda98fa3071b4bdac87a (diff)
MLK-24474: Add SECO API sc_seco_set_fips_mode
The SCFW API sc_seco_set_fips_mode allows configuring the mode of the FIPS feature on the SoC. This configuration is performed on fuses and cannot be reverted. Signed-off-by: Franck LENORMAND <franck.lenormand@nxp.com> Acked-by: Anson Huang <anson.huang@nxp.com> Acked-by: Ye Li <ye.li@nxp.com>
-rw-r--r--plat/imx/common/include/sci/sci.h1
-rw-r--r--plat/imx/common/include/sci/svc/seco/sci_seco_api.h31
-rw-r--r--plat/imx/common/sci/svc/seco/sci_seco_rpc.h1
-rw-r--r--plat/imx/common/sci/svc/seco/seco_rpc_clnt.c21
4 files changed, 54 insertions, 0 deletions
diff --git a/plat/imx/common/include/sci/sci.h b/plat/imx/common/include/sci/sci.h
index 2c45bb8b..71eb18e5 100644
--- a/plat/imx/common/include/sci/sci.h
+++ b/plat/imx/common/include/sci/sci.h
@@ -17,5 +17,6 @@
#include <sci/svc/rm/sci_rm_api.h>
#include <sci/svc/timer/sci_timer_api.h>
#include <sci/svc/misc/sci_misc_api.h>
+#include <sci/svc/seco/sci_seco_api.h>
#endif /* SCI_H */
diff --git a/plat/imx/common/include/sci/svc/seco/sci_seco_api.h b/plat/imx/common/include/sci/svc/seco/sci_seco_api.h
index b7a9342f..ea28c7be 100644
--- a/plat/imx/common/include/sci/svc/seco/sci_seco_api.h
+++ b/plat/imx/common/include/sci/svc/seco/sci_seco_api.h
@@ -771,6 +771,37 @@ sc_err_t sc_seco_secvio_config(sc_ipc_t ipc, uint8_t id, uint8_t access,
sc_err_t sc_seco_secvio_dgo_config(sc_ipc_t ipc, uint8_t id,
uint8_t access, uint32_t *data);
+/*!
+ * This function configures the SECO in FIPS mode
+ *
+ * Only the owner of the SC_R_SYSTEM resource or a partition with access
+ * permissions to SC_R_SYSTEM can do this.
+ *
+ * This function permanently configures the SECO in FIPS approved mode. When in
+ * FIPS approved mode the following services will be disabled and receive a
+ * failure response:
+ * - Encrypted boot is not supported
+ * - Attestation is not supported
+ * - Manufacturing protection is not supported
+ * - DTCP load
+ * - SHE services are not supported
+ * - Assign JR is not supported (all JRs owned by SECO)
+ *
+ * @param[in] ipc IPC handle
+ * @param[in] mode FIPS mode
+ * @param[out] reason pointer to return failure reason
+ *
+ * @return Returns and error code (SC_ERR_NONE = success).
+ *
+ * Return errors codes:
+ * - SC_ERR_UNAVAILABLE if SECO not available,
+ * - SC_ERR_NOACCESS if caller does not have SC_R_SYSTEM access,
+ * - SC_ERR_IPC if SECO response has bad header tag or size,
+ * - SC_ERR_VERSION if SECO response has bad version,
+ * - Others, see the [Security Service Detailed Description](\ref seco_err) section
+ */
+sc_err_t sc_seco_set_fips_mode(sc_ipc_t ipc, uint8_t mode, uint32_t *status);
+
/* @} */
#endif /* SC_SECO_API_H */
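Review bot: The `@param[out] reason` line in the new doc comment does not match the prototype, whose third parameter is named `status`; it should read `@param[out] status pointer to return failure reason`. The accepted values of `mode` are not described, which matters for a call the comment itself calls permanent, so the comment should list them or point to where they are defined. `Returns and error code` should be `Returns an error code`.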
diff --git a/plat/imx/common/sci/svc/seco/sci_seco_rpc.h b/plat/imx/common/sci/svc/seco/sci_seco_rpc.h
index 3688b6d7..ed3fc061 100644
--- a/plat/imx/common/sci/svc/seco/sci_seco_rpc.h
+++ b/plat/imx/common/sci/svc/seco/sci_seco_rpc.h
@@ -51,6 +51,7 @@
#define SECO_FUNC_SECVIO_ENABLE 25U /* Index for sc_seco_secvio_enable() RPC call */
#define SECO_FUNC_SECVIO_CONFIG 26U /* Index for sc_seco_secvio_config() RPC call */
#define SECO_FUNC_SECVIO_DGO_CONFIG 27U /* Index for sc_seco_secvio_dgo_config() RPC call */
+#define SECO_FUNC_SET_FIPS_MODE 29U /* Index for sc_seco_set_fips_mode() RPC call */
/*@}*/
/* Types */
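Review bot: `SECO_FUNC_SET_FIPS_MODE` is given index 29U while the preceding visible entry is 27U, and nothing in the hunk explains the skipped 28U. If 28U belongs to an SCFW call that is not carried here, a short comment such as `/* 28U is not used here */` would show that the gap is intentional. The value is worth confirming against the SCFW header, since it selects a call that programs fuses.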
diff --git a/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c b/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c
index 5b98ebd2..03923a69 100644
--- a/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c
+++ b/plat/imx/common/sci/svc/seco/seco_rpc_clnt.c
@@ -626,4 +626,25 @@ sc_err_t sc_seco_secvio_dgo_config(sc_ipc_t ipc, uint8_t id, uint8_t access,
return err;
}
+sc_err_t sc_seco_set_fips_mode(sc_ipc_t ipc, uint8_t mode, uint32_t *status)
+{
+ sc_rpc_msg_t msg;
+ sc_err_t err;
+
+ RPC_VER(&msg) = SC_RPC_VERSION;
+ RPC_SIZE(&msg) = 2U;
+ RPC_SVC(&msg) = U8(SC_RPC_SVC_SECO);
+ RPC_FUNC(&msg) = U8(SECO_FUNC_SET_FIPS_MODE);
+
+ RPC_U8(&msg, 0U) = mode;
+
+ sc_call_rpc(ipc, &msg, SC_FALSE);
+
+ if (status)
+ *status = (uint32_t)RPC_U32(&msg, 0U);
+
+ err = RPC_R8(&msg);
+ return (sc_err_t)err;
+}
+
/**@}*/
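Review bot: `msg` is declared without an initializer and only one byte of its parameter word is set by `RPC_U8(&msg, 0U) = mode;`, so with `RPC_SIZE(&msg) = 2U` the remaining bytes of that word appear to be sent as uninitialized stack contents. Adding `RPC_U32(&msg, 0U) = 0U;` before the `RPC_U8` store would make the request deterministic. `*status` is filled from `RPC_U32(&msg, 0U)` regardless of `err`, so if the call fails before a response is written the caller may read back request bytes; either zero the word first or document that `status` is only meaningful for a SECO-reported failure. `mode` is passed through unchecked to an operation the commit message describes as irreversible; presumably SECO validates it, but that is worth confirming.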