From: Ion Agorria <ion@agorria.com>
Date: Mon, 16 Dec 2024 16:03:38 +0000 (+0100)
Subject: crypto: tegra: Add Tegra AES engine driver
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b01f0a7c1d9d43a38a729723ad76fce74a5fa24b;p=thirdparty%2Fu-boot.git

crypto: tegra: Add Tegra AES engine driver

This driver allows using Tegra AES engines within BSEV and BSEA blocks to
encrypt and decrypt data using different AES algorithms.

One use case is allowing u-boot to self update by using the already loaded
AES key in the engine's SBK slot by the bootrom.

Particular care must be taken as chainloaded u-boot's may not have the SBK
slot loaded as the vendor bootloader erases it before leaving it.

Signed-off-by: Ion Agorria <ion@agorria.com>
---

diff --git a/arch/arm/include/asm/arch-tegra/crypto.h b/arch/arm/include/asm/arch-tegra/crypto.h
index 7646163b97b..73e8365a57d 100644
--- a/arch/arm/include/asm/arch-tegra/crypto.h
+++ b/arch/arm/include/asm/arch-tegra/crypto.h
@@ -7,6 +7,8 @@
 #ifndef _CRYPTO_H_
 #define _CRYPTO_H_
 
+#define TEGRA_AES_SLOT_SBK		0
+
 /**
  * Sign a block of data
  *
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index d26f87364f9..0d58e3910fe 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -10,4 +10,6 @@ source "drivers/crypto/aspeed/Kconfig"
 
 source "drivers/crypto/nuvoton/Kconfig"
 
+source "drivers/crypto/tegra/Kconfig"
+
 endmenu
diff --git a/drivers/crypto/Makefile b/drivers/crypto/Makefile
index 2bd99fc2763..e4a4482b7f3 100644
--- a/drivers/crypto/Makefile
+++ b/drivers/crypto/Makefile
@@ -10,3 +10,4 @@ obj-y += fsl/
 obj-y += hash/
 obj-y += aspeed/
 obj-y += nuvoton/
+obj-y += tegra/
diff --git a/drivers/crypto/tegra/Kconfig b/drivers/crypto/tegra/Kconfig
new file mode 100644
index 00000000000..b027609307b
--- /dev/null
+++ b/drivers/crypto/tegra/Kconfig
@@ -0,0 +1,7 @@
+config TEGRA_AES
+	bool "Support the Tegra AES"
+	depends on DM_AES
+	help
+	  This provides a means to encrypt and decrypt data using the Tegra
+	  Bit Stream Engine for Video/Audio. Also may provide a mean to
+	  encrypt/decrypt/sign using already loaded device SBK.
diff --git a/drivers/crypto/tegra/Makefile b/drivers/crypto/tegra/Makefile
new file mode 100644
index 00000000000..a118350fd11
--- /dev/null
+++ b/drivers/crypto/tegra/Makefile
@@ -0,0 +1,3 @@
+# SPDX-License-Identifier: GPL-2.0+
+
+obj-$(CONFIG_$(PHASE_)TEGRA_AES) += tegra_aes.o
diff --git a/drivers/crypto/tegra/tegra_aes.c b/drivers/crypto/tegra/tegra_aes.c
new file mode 100644
index 00000000000..7b374c757ba
--- /dev/null
+++ b/drivers/crypto/tegra/tegra_aes.c
@@ -0,0 +1,591 @@
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Driver for NVIDIA Tegra AES hardware engine residing inside the Bit Stream Engine
+ * for Video (BSEV) hardware block and Bit Stream Engine for Audio (BSEA).
+ *
+ * The programming sequence for this engine is with the help of commands which travel
+ * via a command queue residing between the CPU and the BSEV/BSEA block.
+ *
+ * The hardware key table length is 64 bytes and each key slot divided as follows:
+ * 1. Key - 32 bytes
+ * 2. Original IV - 16 bytes
+ * 3. Updated IV - 16 bytes
+ *
+ * The engine has 4 slots in T20/T30 in which 0th contains SBK loaded by bootrom,
+ * vendor bootloaders tend to clear this slot so that anything booted after can't
+ * use the SBK. This is relevant for U-Boot's chainloaded from these vendor bootloaders.
+ *
+ * Copyright (c) 2010-2011, NVIDIA Corporation
+ * Copyright (c) 2025, Ion Agorria.
+ */
+
+#include <dm.h>
+#include <asm/io.h>
+#include <malloc.h>
+#include <time.h>
+#include <linux/delay.h>
+#include <clk.h>
+#include <reset.h>
+#include <uboot_aes.h>
+
+#include <asm/arch-tegra/crypto.h>
+#include <asm/arch-tegra/fuse.h>
+
+/* Make sure pointers will fit register size for AES engine */
+static_assert(sizeof(void *) == sizeof(u32));
+
+#define IRAM_BASE				0x40000000
+
+#define TEGRA_AES_DMA_BUFFER_SIZE		(0x4000 / AES_BLOCK_LENGTH)
+#define TEGRA_AES_HW_MAX_KEY_LENGTH		AES256_KEY_LENGTH
+#define TEGRA_AES_HW_TABLE_LENGTH		(TEGRA_AES_HW_MAX_KEY_LENGTH + AES_BLOCK_LENGTH * 2)
+#define TEGRA_AES_IRAM_MAX_ADDR			(IRAM_BASE | TEGRA_AES_KEYTABLEADDR_FIELD)
+
+#define TEGRA_AES_BUSY_TIMEOUT_MS		1000
+
+/* Registers */
+#define TEGRA_AES_ICMDQUE_WR			0x000
+#define TEGRA_AES_CMDQUE_CONTROL		0x008
+#define TEGRA_AES_INTR_STATUS			0x018
+#define TEGRA_AES_INT_ENB			0x040
+#define TEGRA_AES_BSE_CFG			0x044
+#define TEGRA_AES_IRAM_ACCESS_CFG		0x0a0
+#define TEGRA_AES_SECURE_DEST_ADDR		0x100
+#define TEGRA_AES_SECURE_INPUT_SELECT		0x104
+#define TEGRA_AES_SECURE_CONFIG			0x108
+#define TEGRA_AES_SECURE_CONFIG_EXT		0x10c
+
+/* Register field macros */
+#define TEGRA_AES_ENGINE_BUSY_FIELD		BIT(0)
+#define TEGRA_AES_ICQ_EMPTY_FIELD		BIT(3)
+#define TEGRA_AES_DMA_BUSY_FIELD		BIT(23)
+#define TEGRA_AES_SECURE_KEY_SCH_DIS_FIELD	BIT(15)
+#define TEGRA_AES_KEYTABLEADDR_FIELD		(BIT(17) - 1)
+#define TEGRA_AES_SECURE_KEY_INDEX_SHIFT	20
+#define TEGRA_AES_SECURE_KEY_INDEX_FIELD	(0x1f << TEGRA_AES_SECURE_KEY_INDEX_SHIFT)
+#define TEGRA_AES_SECURE_CTR_CNT_SHIFT		16
+#define TEGRA_AES_SECURE_CTR_CNT_FIELD		(0xffff << TEGRA_AES_SECURE_CTR_CNT_SHIFT)
+#define TEGRA_AES_BSE_MODE_FIELD		0x1f
+#define TEGRA_AES_BSE_LITTLE_ENDIAN_FIELD	BIT(10)
+#define TEGRA_AES_CMDQ_OPCODE_SHIFT		26
+#define TEGRA_AES_CMDQ_CTRL_ICMDQEN_FIELD	BIT(1)
+#define TEGRA_AES_CMDQ_CTRL_SRC_STM_SEL_FIELD	BIT(4)
+#define TEGRA_AES_CMDQ_CTRL_DST_STM_SEL_FIELD	BIT(5)
+#define TEGRA_AES_SECURE_INPUT_ALG_SEL_SHIFT	28
+#define TEGRA_AES_SECURE_INPUT_KEY_LEN_SHIFT	16
+#define TEGRA_AES_SECURE_INPUT_IV_FIELD		BIT(10)
+#define TEGRA_AES_SECURE_INPUT_HASH_ENB_FIELD	BIT(2)
+#define TEGRA_AES_SECURE_CORE_SEL_SHIFT		9
+#define TEGRA_AES_SECURE_VCTRAM_SEL_SHIFT	7
+#define TEGRA_AES_SECURE_XOR_POS_SHIFT		3
+#define TEGRA_AES_INT_ERROR_MASK		0x6ff000
+
+/* Commands for BSEV/BSEA */
+#define TEGRA_AES_CMD_BLKSTARTENGINE		0x0e
+#define TEGRA_AES_CMD_DMASETUP			0x10
+#define TEGRA_AES_CMD_DMACOMPLETE		0x11
+#define TEGRA_AES_CMD_SETTABLE			0x15
+
+/* Flags for mode */
+#define TEGRA_AES_MODE_ENCRYPT			BIT(0)
+#define TEGRA_AES_MODE_CBC			BIT(1)
+#define TEGRA_AES_MODE_UPDATE_IV		BIT(2)
+#define TEGRA_AES_MODE_HASH			BIT(3)
+
+struct tegra_aes_priv {
+	void *regs;
+	void *iram_addr;
+
+	struct reset_ctl reset_ctl;
+	struct reset_ctl reset_ctl_vde;
+
+	struct clk *clk;
+	struct clk *clk_parent;
+
+	u8 current_key_size;
+	bool sbk_available;
+};
+
+static bool tegra_aes_is_busy(struct tegra_aes_priv *priv, bool dma_wait)
+{
+	u32 value = readl(priv->regs + TEGRA_AES_INTR_STATUS);
+	bool engine_busy = value & TEGRA_AES_ENGINE_BUSY_FIELD;
+	bool non_empty_queue = !(value & TEGRA_AES_ICQ_EMPTY_FIELD);
+	bool dma_busy = dma_wait && (value & TEGRA_AES_DMA_BUSY_FIELD);
+
+	log_debug("%s - e:%d q:%d dma:%d\n", __func__, engine_busy, non_empty_queue, dma_busy);
+
+	return engine_busy || non_empty_queue || dma_busy;
+}
+
+static u32 tegra_aes_check_error(struct tegra_aes_priv *priv)
+{
+	u32 value = readl(priv->regs + TEGRA_AES_INTR_STATUS) & TEGRA_AES_INT_ERROR_MASK;
+
+	if (value) {
+		writel(TEGRA_AES_INT_ERROR_MASK, priv->regs + TEGRA_AES_INTR_STATUS);
+		log_debug("%s 0x%x\n", __func__, value);
+	}
+
+	return value;
+}
+
+static int tegra_aes_wait_for_idle_dma(struct tegra_aes_priv *priv, bool dma_wait)
+{
+	ulong start = get_timer(0);
+
+	while (tegra_aes_is_busy(priv, dma_wait)) {
+		if (get_timer(start) > TEGRA_AES_BUSY_TIMEOUT_MS) {
+			log_err("%s: TIMEOUT!!!\n", __func__);
+			break;
+		}
+		mdelay(5);
+	}
+
+	if (tegra_aes_check_error(priv))
+		return -1;
+
+	return 0;
+}
+
+static int tegra_aes_wait_for_idle(struct tegra_aes_priv *priv)
+{
+	return tegra_aes_wait_for_idle_dma(priv, 1);
+}
+
+static int tegra_aes_configure(struct tegra_aes_priv *priv)
+{
+	u32 value;
+
+	if (tegra_aes_wait_for_idle(priv))
+		return -1;
+
+	/* IRAM config */
+	writel(0, priv->regs + TEGRA_AES_IRAM_ACCESS_CFG);
+
+	/* Reset interrupts bits, or engine will hang on next operation */
+	writel(0xFFFFFFFF, priv->regs + TEGRA_AES_INTR_STATUS);
+
+	/* Set interrupts */
+	writel(0, priv->regs + TEGRA_AES_INT_ENB);
+
+	/* Configure CMDQUE */
+	value = readl(priv->regs + TEGRA_AES_CMDQUE_CONTROL);
+	value |= TEGRA_AES_CMDQ_CTRL_SRC_STM_SEL_FIELD |
+		 TEGRA_AES_CMDQ_CTRL_DST_STM_SEL_FIELD |
+		 TEGRA_AES_CMDQ_CTRL_ICMDQEN_FIELD;
+	writel(value, priv->regs + TEGRA_AES_CMDQUE_CONTROL);
+
+	value = readl(priv->regs + TEGRA_AES_SECURE_CONFIG_EXT);
+	value &= ~TEGRA_AES_SECURE_CTR_CNT_FIELD;
+	writel(value, priv->regs + TEGRA_AES_SECURE_CONFIG_EXT);
+
+	/* Configure BSE */
+	value = readl(priv->regs + TEGRA_AES_BSE_CFG);
+	value &= ~TEGRA_AES_BSE_MODE_FIELD;
+	value |= TEGRA_AES_BSE_LITTLE_ENDIAN_FIELD;
+	writel(value, priv->regs + TEGRA_AES_BSE_CFG);
+
+	return 0;
+}
+
+static int tegra_aes_select_key_slot(struct tegra_aes_priv *priv, u32 key_size, u8 slot)
+{
+	if (tegra_aes_wait_for_idle(priv))
+		return -1;
+
+	if (key_size < (AES128_KEY_LENGTH * 8) ||
+	    key_size > (TEGRA_AES_HW_MAX_KEY_LENGTH * 8))
+		return -EINVAL;
+
+	priv->current_key_size = key_size;
+
+	/* Select the key slot */
+	u32 value = readl(priv->regs + TEGRA_AES_SECURE_CONFIG);
+
+	value &= ~TEGRA_AES_SECURE_KEY_INDEX_FIELD;
+	value |= (slot << TEGRA_AES_SECURE_KEY_INDEX_SHIFT);
+	writel(value, priv->regs + TEGRA_AES_SECURE_CONFIG);
+
+	return 0;
+}
+
+static int tegra_aes_call_engine(struct tegra_aes_priv *priv, u8 *src, u8 *dst,
+				 u32 nblocks, u32 mode)
+{
+	u32 value;
+	const u32 ICMDQ_LENGTH = 4;
+	u32 cmdq[ICMDQ_LENGTH];
+
+	log_debug("%s: 0x%p -> 0x%p blocks %d mode 0x%x\n", __func__,
+		  src, dst, nblocks, mode);
+
+	if (!nblocks) {
+		log_warning("%s: called with 0 blocks!\n", __func__);
+		return -1;
+	}
+
+	if (tegra_aes_configure(priv))
+		return -1;
+
+	/* Configure Secure Input */
+	value = 1 << TEGRA_AES_SECURE_INPUT_ALG_SEL_SHIFT |
+		priv->current_key_size << TEGRA_AES_SECURE_INPUT_KEY_LEN_SHIFT;
+
+	if (mode & TEGRA_AES_MODE_UPDATE_IV)
+		value |= TEGRA_AES_SECURE_INPUT_IV_FIELD;
+	if (mode & TEGRA_AES_MODE_HASH)
+		value |= TEGRA_AES_SECURE_INPUT_HASH_ENB_FIELD;
+	if (mode & TEGRA_AES_MODE_CBC) {
+		value |= ((mode & TEGRA_AES_MODE_ENCRYPT) ? 2 : 3) <<
+			 TEGRA_AES_SECURE_XOR_POS_SHIFT;
+		value |= ((mode & TEGRA_AES_MODE_ENCRYPT) ? 2 : 3) <<
+			 TEGRA_AES_SECURE_VCTRAM_SEL_SHIFT;
+		value |= ((mode & TEGRA_AES_MODE_ENCRYPT) ? 1 : 0) <<
+			 TEGRA_AES_SECURE_CORE_SEL_SHIFT;
+	} else {
+		/* ECB */
+		value |= ((mode & TEGRA_AES_MODE_ENCRYPT) ? 1 : 0) <<
+			 TEGRA_AES_SECURE_CORE_SEL_SHIFT;
+	}
+
+	writel(value, priv->regs + TEGRA_AES_SECURE_INPUT_SELECT);
+
+	/* Set destination address (doing in-place at IRAM) */
+	writel((u32)priv->iram_addr, priv->regs + TEGRA_AES_SECURE_DEST_ADDR);
+
+	/* Copy src data to IRAM */
+	if (src != priv->iram_addr)
+		memcpy(priv->iram_addr, src, nblocks * AES_BLOCK_LENGTH);
+
+	/* Run ICMD commands */
+	cmdq[0] = TEGRA_AES_CMD_DMASETUP << TEGRA_AES_CMDQ_OPCODE_SHIFT;
+	cmdq[1] = (u32)priv->iram_addr;
+	cmdq[2] = TEGRA_AES_CMD_BLKSTARTENGINE << TEGRA_AES_CMDQ_OPCODE_SHIFT | (nblocks - 1);
+	cmdq[3] = TEGRA_AES_CMD_DMACOMPLETE << TEGRA_AES_CMDQ_OPCODE_SHIFT;
+
+	for (int i = 0; i < ICMDQ_LENGTH; i++) {
+		tegra_aes_wait_for_idle_dma(priv, (ICMDQ_LENGTH - 1) == i);
+		writel(cmdq[i], priv->regs + TEGRA_AES_ICMDQUE_WR);
+	}
+
+	if (tegra_aes_wait_for_idle(priv))
+		return -1;
+
+	/* Put the result from IRAM to destination if not hashing */
+	if (dst != priv->iram_addr && !(mode & TEGRA_AES_MODE_HASH))
+		memcpy(dst, priv->iram_addr, nblocks * AES_BLOCK_LENGTH);
+
+	return 0;
+}
+
+static int tegra_aes_process_blocks(struct udevice *dev, u8 *iv, u8 *src,
+				    u8 *dst, u32 num_aes_blocks, u32 mode)
+{
+	struct tegra_aes_priv *priv = dev_get_priv(dev);
+
+	log_debug("%s: 0x%p -> 0x%p blocks %d mode 0x%x\n",
+		  __func__, src, dst, num_aes_blocks, mode);
+
+	if (!num_aes_blocks) {
+		log_warning("%s: called with 0 blocks!\n", __func__);
+		return -1;
+	}
+
+	/* Load initial IV if CBC mode */
+	if (mode & TEGRA_AES_MODE_CBC) {
+		if (tegra_aes_call_engine(priv, iv, priv->iram_addr, 1, TEGRA_AES_MODE_CBC))
+			return -1;
+
+		/* Add update IV flag */
+		mode |= TEGRA_AES_MODE_UPDATE_IV;
+	}
+
+	/* Process blocks by calling engine several times per dma buffer size */
+	while (num_aes_blocks > 0) {
+		u32 blocks = min(num_aes_blocks, (u32)TEGRA_AES_DMA_BUFFER_SIZE);
+
+		if (tegra_aes_call_engine(priv, src, dst, blocks, mode))
+			return -1;
+
+		num_aes_blocks -= blocks;
+		src += blocks * AES_BLOCK_LENGTH;
+		dst += blocks * AES_BLOCK_LENGTH;
+	}
+
+	return 0;
+}
+
+static int tegra_aes_ops_available_key_slots(struct udevice *dev)
+{
+	return 4; /* 4 slots in Tegra20 and Tegra30 */
+}
+
+static int tegra_aes_ops_select_key_slot(struct udevice *dev, u32 key_size, u8 slot)
+{
+	struct tegra_aes_priv *priv = dev_get_priv(dev);
+
+	if (slot == TEGRA_AES_SLOT_SBK && !priv->sbk_available) {
+		log_warning("%s: SBK not available!\n", __func__);
+		return -1;
+	}
+
+	return tegra_aes_select_key_slot(priv, key_size, slot);
+}
+
+static int tegra_aes_ops_set_key_for_key_slot(struct udevice *dev, u32 key_size,
+					      u8 *key, u8 slot)
+{
+	struct tegra_aes_priv *priv = dev_get_priv(dev);
+	const u8 SUBCMD_CRYPTO_TABLE_SEL = 0x3;
+	const u8 SUBCMD_KEY_TABLE_SEL = 0x8;
+	const u8 CMDQ_KEYTABLEADDR_SHIFT = 0;
+	const u8 CMDQ_KEYTABLEID_SHIFT = 17;
+	const u8 CMDQ_TABLESEL_SHIFT = 24;
+	u32 value, addr;
+
+	log_debug("%s: slot %d\n", __func__, slot);
+
+	if (tegra_aes_configure(priv))
+		return -1;
+
+	if (key_size < (AES128_KEY_LENGTH * 8) ||
+	    key_size > (TEGRA_AES_HW_MAX_KEY_LENGTH * 8))
+		return -EINVAL;
+
+	if (slot == TEGRA_AES_SLOT_SBK)
+		log_debug("%s: SBK slot being set!\n", __func__);
+
+	/* Clear and copy data to IRAM */
+	memset(priv->iram_addr, 0, TEGRA_AES_HW_TABLE_LENGTH);
+	memcpy(priv->iram_addr, key, key_size / 8);
+
+	/* Mask the addr */
+	addr = ((u32)priv->iram_addr) & TEGRA_AES_KEYTABLEADDR_FIELD;
+
+	/* Command for engine to load AES key from IRAM */
+	value = TEGRA_AES_CMD_SETTABLE << TEGRA_AES_CMDQ_OPCODE_SHIFT |
+		SUBCMD_CRYPTO_TABLE_SEL << CMDQ_TABLESEL_SHIFT |
+		(SUBCMD_KEY_TABLE_SEL | slot) << CMDQ_KEYTABLEID_SHIFT |
+		addr << CMDQ_KEYTABLEADDR_SHIFT;
+	writel(value, priv->regs + TEGRA_AES_ICMDQUE_WR);
+
+	return tegra_aes_wait_for_idle(priv);
+}
+
+static int tegra_aes_ops_aes_ecb_encrypt(struct udevice *dev, u8 *src, u8 *dst,
+					 u32 num_aes_blocks)
+{
+	return tegra_aes_process_blocks(dev, NULL, src, dst, num_aes_blocks,
+					TEGRA_AES_MODE_ENCRYPT);
+}
+
+static int tegra_aes_ops_aes_ecb_decrypt(struct udevice *dev, u8 *src, u8 *dst,
+					 u32 num_aes_blocks)
+{
+	return tegra_aes_process_blocks(dev, NULL, src, dst, num_aes_blocks, 0);
+}
+
+static int tegra_aes_ops_aes_cbc_encrypt(struct udevice *dev, u8 *iv, u8 *src,
+					 u8 *dst, u32 num_aes_blocks)
+{
+	return tegra_aes_process_blocks(dev, iv, src, dst, num_aes_blocks,
+					TEGRA_AES_MODE_CBC | TEGRA_AES_MODE_ENCRYPT);
+}
+
+static int tegra_aes_ops_aes_cbc_decrypt(struct udevice *dev, u8 *iv, u8 *src,
+					 u8 *dst, u32 num_aes_blocks)
+{
+	return tegra_aes_process_blocks(dev, iv, src, dst, num_aes_blocks,
+					TEGRA_AES_MODE_CBC);
+}
+
+static void tegra_aes_test_loaded_sbk(struct udevice *dev)
+{
+	struct tegra_aes_priv *priv = dev_get_priv(dev);
+	enum fuse_operating_mode opmode = tegra_fuse_get_operation_mode();
+	const u8 ZERO_KEY_CIPHERTEXT[AES_BLOCK_LENGTH] = {
+		0x66, 0xe9, 0x4b, 0xd4, 0xef, 0x8a, 0x2c, 0x3b,
+		0x88, 0x4c, 0xfa, 0x59, 0xca, 0x34, 0x2b, 0x2e
+	};
+
+	/* Encrypt a zero block, we use ECB so that we only care about SBK and not the IV */
+	memset(priv->iram_addr, 0, AES_BLOCK_LENGTH);
+	tegra_aes_select_key_slot(priv, 128, TEGRA_AES_SLOT_SBK);
+	tegra_aes_call_engine(priv, priv->iram_addr, priv->iram_addr, 1, TEGRA_AES_MODE_ENCRYPT);
+
+	/* Evaluate the result of engine operation */
+	if (!memcmp(priv->iram_addr, AES_ZERO_BLOCK, AES_BLOCK_LENGTH)) {
+		log_err("%s: engine is not operational! (opmode 0x%x)\n", __func__, opmode);
+	} else if (!memcmp(priv->iram_addr, ZERO_KEY_CIPHERTEXT, AES_BLOCK_LENGTH)) {
+		if (opmode == MODE_ODM_PRODUCTION_SECURE) {
+			log_warning("%s: SBK is zero or is cleared from engine! (opmode 0x%x)\n",
+				    __func__, opmode);
+		} else {
+			log_debug("%s - SBK is zero and available! (opmode 0x%x)\n",
+				  __func__, opmode);
+			priv->sbk_available = true;
+		}
+	} else {
+		if (opmode == MODE_ODM_PRODUCTION_SECURE) {
+			log_debug("%s: SBK is available! (opmode 0x%x)\n", __func__, opmode);
+			priv->sbk_available = true;
+		} else {
+			log_warning("%s: SBK is not zero and should be! (opmode 0x%x)\n",
+				    __func__, opmode);
+		}
+	}
+}
+
+static int tegra_aes_hw_init(struct udevice *dev)
+{
+	struct tegra_aes_priv *priv = dev_get_priv(dev);
+	u32 value;
+	int ret;
+
+	if (priv->clk_parent) {
+		ret = reset_assert(&priv->reset_ctl_vde);
+		if (ret) {
+			log_debug("%s: VDE reset assert failed: %d\n", __func__, ret);
+			return ret;
+		}
+	}
+
+	ret = reset_assert(&priv->reset_ctl);
+	if (ret) {
+		log_debug("%s: BSE reset assert failed: %d\n", __func__, ret);
+		return ret;
+	}
+
+	if (priv->clk_parent) {
+		ret = clk_enable(priv->clk_parent);
+		if (ret) {
+			log_err("%s: VDE clock enable failed: %d\n", __func__, ret);
+			return ret;
+		}
+
+		ret = clk_set_rate(priv->clk_parent, 50 * 1000000);
+		if (IS_ERR_VALUE(ret)) {
+			log_err("%s: VDE clock set rate failed: %d\n", __func__, ret);
+			return ret;
+		}
+	}
+
+	ret = clk_enable(priv->clk);
+	if (ret) {
+		log_err("%s: BSE clock enable failed: %d\n", __func__, ret);
+		return ret;
+	}
+
+	if (priv->clk_parent) {
+		ret = reset_deassert(&priv->reset_ctl_vde);
+		if (ret) {
+			log_err("%s: VDE reset deassert failed: %d\n", __func__, ret);
+			return ret;
+		}
+	}
+
+	ret = reset_deassert(&priv->reset_ctl);
+	if (ret) {
+		log_err("%s: BSE reset deassert failed: %d\n", __func__, ret);
+		return ret;
+	}
+
+	/* Enable key schedule generation in hardware */
+	value = readl(priv->regs + TEGRA_AES_SECURE_CONFIG_EXT);
+	value &= ~TEGRA_AES_SECURE_KEY_SCH_DIS_FIELD;
+	writel(value, priv->regs + TEGRA_AES_SECURE_CONFIG_EXT);
+
+	/* Check if SBK is loaded in SBK slot or was erased */
+	priv->sbk_available = false;
+	tegra_aes_test_loaded_sbk(dev);
+
+	return 0;
+}
+
+static int tegra_aes_probe(struct udevice *dev)
+{
+	struct tegra_aes_priv *priv = dev_get_priv(dev);
+	fdt_size_t iram_size = 0;
+	u32 value;
+	int ret;
+
+	priv->current_key_size = AES128_KEY_LENGTH;
+
+	priv->regs = dev_read_addr_ptr(dev);
+	if (!priv->regs) {
+		log_err("%s: Cannot find aes reg address, binding failed\n", __func__);
+		return -EINVAL;
+	}
+
+	priv->iram_addr = devfdt_get_addr_size_name_ptr(dev, "iram-buffer", &iram_size);
+	if (!priv->iram_addr) {
+		log_debug("%s: Cannot find iram buffer address, binding failed\n", __func__);
+		return -EINVAL;
+	}
+
+	if (iram_size < TEGRA_AES_DMA_BUFFER_SIZE * AES_BLOCK_LENGTH) {
+		log_debug("%s: Unsupported iram buffer size: 0x%x required: 0x%x\n",
+			  __func__, iram_size, TEGRA_AES_DMA_BUFFER_SIZE);
+		return -EINVAL;
+	}
+
+	/* Make sure the IRAM address is kept block aligned and accessible for slot loading */
+	value = (uint32_t)priv->iram_addr;
+	if ((value & 0xFFF0000F) != IRAM_BASE || value > TEGRA_AES_IRAM_MAX_ADDR) {
+		log_debug("%s: iram buffer must be located inside iram,", __func__);
+		log_debug("AES block aligned and not above 0x%08x, current addr %p\n",
+			  (u32)TEGRA_AES_IRAM_MAX_ADDR, priv->iram_addr);
+		return -EINVAL;
+	}
+
+	ret = reset_get_by_name(dev, NULL, &priv->reset_ctl);
+	if (ret) {
+		log_debug("%s: failed to get BSE reset: %d\n", __func__, ret);
+		return ret;
+	}
+
+	priv->clk = devm_clk_get(dev, NULL);
+	if (IS_ERR(priv->clk)) {
+		log_err("%s: failed to get BSE clock: %d\n", __func__, ret);
+		return ret;
+	}
+
+	/* VDE clock and reset required by BSEV */
+	ret = reset_get_by_name(dev, "vde", &priv->reset_ctl_vde);
+	if (ret)
+		log_debug("%s: failed to get VDE reset: %d\n", __func__, ret);
+
+	priv->clk_parent = devm_clk_get(dev, "vde");
+	if (IS_ERR(priv->clk_parent))
+		log_debug("%s: failed to get BSE clock: %d\n", __func__, ret);
+
+	return tegra_aes_hw_init(dev);
+}
+
+static const struct aes_ops tegra_aes_ops = {
+	.available_key_slots = tegra_aes_ops_available_key_slots,
+	.select_key_slot = tegra_aes_ops_select_key_slot,
+	.set_key_for_key_slot = tegra_aes_ops_set_key_for_key_slot,
+	.aes_ecb_encrypt = tegra_aes_ops_aes_ecb_encrypt,
+	.aes_ecb_decrypt = tegra_aes_ops_aes_ecb_decrypt,
+	.aes_cbc_encrypt = tegra_aes_ops_aes_cbc_encrypt,
+	.aes_cbc_decrypt = tegra_aes_ops_aes_cbc_decrypt,
+};
+
+static const struct udevice_id tegra_aes_ids[] = {
+	{ .compatible = "nvidia,tegra20-bsea" },
+	{ .compatible = "nvidia,tegra20-bsev" },
+	{ .compatible = "nvidia,tegra30-bsea" },
+	{ .compatible = "nvidia,tegra30-bsev" },
+	{ }
+};
+
+U_BOOT_DRIVER(tegra_aes) = {
+	.name = "tegra_aes",
+	.id = UCLASS_AES,
+	.of_match = tegra_aes_ids,
+	.probe = tegra_aes_probe,
+	.ops = &tegra_aes_ops,
+	.priv_auto = sizeof(struct tegra_aes_priv),
+};