From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 01/11] Bluetooth: btnxpuart: Add firmware metadata parsing for secure interface
Date: Fri, 28 Nov 2025 14:44:33 +0530
Message-ID: <20251128091443.2797316-2-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>

This adds support for parsing firmware metadata TLVs to extract FW UUID and ECDSA Public Key from FW metadata for secure interface authentication.

Signed-off-by: Neeraj Sanjay Kale
---
v2: Fix sparse warnings. (kernel test robot)
---
 drivers/bluetooth/btnxpuart.c | 133 ++++++++++++++++++++++++++++++++--
 1 file changed, 125 insertions(+), 8 deletions(-)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 3b1e9224e965..78a7651d55d6 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -15,6 +15,7 @@ #include #include #include +#include #include #include #include @@ -134,6 +135,14 @@ #define BT_CTRL_WAKEUP_METHOD_EXT_BREAK 0x04 #define BT_CTRL_WAKEUP_METHOD_RTS 0x05 =20 +/* FW Metadata */ +#define FW_METADATA_TLV_UUID 0x40 +#define FW_METADATA_TLV_ECDSA_KEY 0x50 +#define FW_METADATA_FLAG_BT 0x02 + +#define NXP_FW_UUID_SIZE 16 +#define NXP_FW_ECDSA_PUBKEY_SIZE 65 + struct ps_data { u8 target_ps_mode; /* ps mode to be set */ u8 cur_psmode; /* current ps_mode */ @@ -180,6 +189,11 @@ enum bootloader_param_change { changed }; =20 +struct btnxpuart_crypto { + u8 ecdsa_public[NXP_FW_ECDSA_PUBKEY_SIZE]; /* ECDSA public key, Authentic= ation*/ + u8 fw_uuid[NXP_FW_UUID_SIZE]; +}; + struct btnxpuart_dev { struct hci_dev *hdev; struct serdev_device *serdev; @@ -213,6 +227,7 @@ struct btnxpuart_dev { struct btnxpuart_data *nxp_data; struct reset_control *pdn; struct hci_uart hu; + struct btnxpuart_crypto crypto; }; =20 #define NXP_V1_FW_REQ_PKT 0xa5 
@@ -362,6 +377,26 @@ union nxp_set_bd_addr_payload { u8 buf[8]; }; =20 +/* FW Meta Data */ +struct fw_metadata_hdr { + __le32 cmd; + __le32 addr; + __le32 len; + __le32 crc; +}; + +struct fw_metadata_tail { + __le32 len; + u8 magic[8]; + __le32 crc; +}; + +struct fw_metadata_tlv { + __le16 id; + __le16 flag; + __le32 len; +}; + static u8 crc8_table[CRC8_TABLE_SIZE]; =20 /* Default configurations */ 
@@ -1190,6 +1225,85 @@ static void nxp_handle_fw_download_error(struct hci_= dev *hdev, struct v3_data_re } } =20 +static u32 nxp_process_fw_metadata_tlv(struct hci_dev *hdev, char **payloa= d) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct fw_metadata_tlv *tlv =3D (struct fw_metadata_tlv *)(*payload); + u32 ret =3D sizeof(*tlv) + le32_to_cpu(tlv->len); + + /* Process only BT specific metadata TLVs */ + if (!(le16_to_cpu(tlv->flag) & FW_METADATA_FLAG_BT)) + goto align_and_return; + + switch (le16_to_cpu(tlv->id)) { + case FW_METADATA_TLV_UUID: + if (le32_to_cpu(tlv->len) =3D=3D NXP_FW_UUID_SIZE) + memcpy(nxpdev->crypto.fw_uuid, + *payload + sizeof(*tlv), NXP_FW_UUID_SIZE); + break; + case FW_METADATA_TLV_ECDSA_KEY: + if (le32_to_cpu(tlv->len) =3D=3D NXP_FW_ECDSA_PUBKEY_SIZE) + memcpy(nxpdev->crypto.ecdsa_public, + *payload + sizeof(*tlv), NXP_FW_ECDSA_PUBKEY_SIZE); + break; + default: + bt_dev_err(hdev, "Unknown metadata TLV ID: 0x%x", le16_to_cpu(tlv->id)); + break; + } + +align_and_return: + /* Align the pointer to 4 byte structure alignment */ + ret =3D round_up(ret, 4); + *payload +=3D ret; + + return ret; +} + +static void nxp_process_fw_meta_data(struct hci_dev *hdev, const struct fi= rmware *fw) +{ + const char *metamagc =3D "metamagc"; + struct fw_metadata_hdr *hdr =3D NULL; + struct fw_metadata_tail *tail; + u32 hdr_crc =3D 0; + u32 payload_crc =3D 0; + char *payload; + u32 payload_len =3D 0; + + /* FW metadata should contain at least header and tail */ + if (fw->size < (sizeof(*hdr) + sizeof(*tail))) + return; + + tail =3D (struct fw_metadata_tail *)&fw->data[fw->size - sizeof(*tail)]; + + /* If tail doesn't contain the string "metamagc", this is invalid FW meta= data */ + if (memcmp(metamagc, tail->magic, strlen(metamagc))) + return; + + hdr =3D (struct fw_metadata_hdr *)&fw->data[fw->size - + sizeof(*tail) - + le32_to_cpu(tail->len)]; + + /* If metadata header isn't cmd24, this is invalid FW metadata */ + if (le32_to_cpu(hdr->cmd) 
!=3D 24) + return; + + /* If header CRC doesn't match, this is invalid FW metadata */ + hdr_crc =3D crc32_be(0, (u8 *)hdr, offsetof(struct fw_metadata_hdr, crc)); + if (hdr_crc !=3D le32_to_cpu(hdr->crc)) + return; + + /* If payload CRC doesn't match, this is invalid FW metadata */ + payload =3D (u8 *)hdr + sizeof(*hdr); + payload_crc =3D crc32_be(0, payload, le32_to_cpu(hdr->len) - 4); + if (payload_crc !=3D le32_to_cpu(tail->crc)) + return; + + payload_len =3D le32_to_cpu(hdr->len) - sizeof(*tail); + + while (payload_len > sizeof(struct fw_metadata_tlv)) + payload_len -=3D nxp_process_fw_metadata_tlv(hdev, &payload); +} + static int nxp_recv_fw_req_v3(struct hci_dev *hdev, struct sk_buff *skb) { struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); @@ -1248,14 +1362,6 @@ static int nxp_recv_fw_req_v3(struct hci_dev *hdev, = struct sk_buff *skb) goto free_skb; } =20 - if (req->len =3D=3D 0) { - bt_dev_info(hdev, "FW Download Complete: %zu bytes", - nxpdev->fw->size); - clear_bit(BTNXPUART_FW_DOWNLOADING, &nxpdev->tx_state); - wake_up_interruptible(&nxpdev->fw_dnld_done_wait_q); - goto free_skb; - } - offset =3D __le32_to_cpu(req->offset); if (offset < nxpdev->fw_v3_offset_correction) { /* This scenario should ideally never occur. But if it ever does, 
@@ -1267,6 +1373,17 @@ static int nxp_recv_fw_req_v3(struct hci_dev *hdev, = struct sk_buff *skb) } =20 nxpdev->fw_dnld_v3_offset =3D offset - nxpdev->fw_v3_offset_correction; + + if (req->len =3D=3D 0) { + if (nxpdev->fw_dnld_v3_offset < nxpdev->fw->size) + nxp_process_fw_meta_data(hdev, nxpdev->fw); + bt_dev_info(hdev, "FW Download Complete: %u bytes.", + req->offset - nxpdev->fw_v3_offset_correction); + clear_bit(BTNXPUART_FW_DOWNLOADING, &nxpdev->tx_state); + wake_up_interruptible(&nxpdev->fw_dnld_done_wait_q); + goto free_skb; + } + serdev_device_write_buf(nxpdev->serdev, nxpdev->fw->data + nxpdev->fw_dnld_v3_offset, len); =20 --=20 2.43.0
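
Review bot: struct btnxpuart_crypto (the @@ -180 hunk) has no way to record whether ecdsa_public and fw_uuid were ever filled in. nxp_process_fw_metadata_tlv() silently skips a UUID or key TLV whose length differs from NXP_FW_UUID_SIZE or NXP_FW_ECDSA_PUBKEY_SIZE, and nxp_process_fw_meta_data() returns void on every validation failure, so a later consumer of crypto.ecdsa_public cannot tell a parsed key from an untouched buffer. Suggest a validity flag per field, or an error return from the parser, plus a log line on length mismatch. Style nit in the same hunk: the comment on ecdsa_public needs a space before the closing */.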
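
Review bot: none of the lengths read from the firmware image in the @@ -1190 hunk are checked against fw->size before they are used as offsets. In nxp_process_fw_meta_data(), tail->len is subtracted from fw->size to locate hdr without first confirming that sizeof(*tail) + tail->len fits in fw->size and leaves room for sizeof(*hdr); hdr->len then feeds both crc32_be(0, payload, le32_to_cpu(hdr->len) - 4) and payload_len = le32_to_cpu(hdr->len) - sizeof(*tail), which wrap for small values and run past the buffer for large ones. In nxp_process_fw_metadata_tlv(), sizeof(*tlv) + le32_to_cpu(tlv->len) can wrap, the memcpy() reads the value without checking that it lies inside the remaining payload, and the caller's payload_len -= ... underflows when the rounded-up size exceeds what is left, so the while loop keeps walking. Suggest validating each length against its enclosing region before dereferencing, passing the remaining length into the TLV helper, and stopping at the first TLV that does not fit. Separately, payload is declared char * but assigned (u8 *)hdr + sizeof(*hdr), and the casts drop const from fw->data; const u8 * throughout would be cleaner.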
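
Review bot: the new bt_dev_info() in the req->len == 0 branch of the @@ -1267 hunk prints req->offset - nxpdev->fw_v3_offset_correction, using req->offset without the __le32_to_cpu() conversion that the function applies earlier (offset = __le32_to_cpu(req->offset)). The converted value is already stored in nxpdev->fw_dnld_v3_offset on the line just above, so pass that instead. A short comment would also help on why metadata is parsed only when fw_dnld_v3_offset < fw->size, given that nxp_process_fw_meta_data() locates the metadata from the end of the image and not from that offset.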

From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 02/11] Bluetooth: btnxpuart: Print FW version and enable chip specific features
Date: Fri, 28 Nov 2025 14:44:34 +0530
Message-ID: <20251128091443.2797316-3-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>

This adds a print for FW version after FW is downloaded, and a way to enable chip specific features.

Currently, secure interface feature is enabled for AW693 chipset.

Signed-off-by: Neeraj Sanjay Kale
---
 drivers/bluetooth/btnxpuart.c | 46 +++++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 78a7651d55d6..d2c79c462ebb 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -105,6 +105,8 @@ #define PS_STATE_SLEEP 1 =20 /* NXP Vendor Commands. Refer user manual UM11628 on nxp.com */ +/* Get FW version */ +#define HCI_NXP_GET_FW_VERSION 0xfc0f /* Set custom BD Address */ #define HCI_NXP_SET_BD_ADDR 0xfc22 /* Set Auto-Sleep mode */ @@ -227,6 +229,7 @@ struct btnxpuart_dev { struct btnxpuart_data *nxp_data; struct reset_control *pdn; struct hci_uart hu; + bool secure_interface; struct btnxpuart_crypto crypto; }; =20 
@@ -1554,6 +1557,47 @@ static int nxp_set_bdaddr(struct hci_dev *hdev, cons= t bdaddr_t *bdaddr) return 0; } =20 +static void nxp_handle_chip_specific_features(struct hci_dev *hdev, u8 *ve= rsion) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + + if (!version || strlen(version) =3D=3D 0) + return; + + if (!strncmp(version, "aw693n-V1", strlen("aw693n-V1"))) + nxpdev->secure_interface =3D true; +} + +static void nxp_get_fw_version(struct hci_dev *hdev) +{ + struct sk_buff *skb; + u8 version[100] =3D {0}; + u8 cmd =3D 0; + u8 *status; + + skb =3D nxp_drv_send_cmd(hdev, HCI_NXP_GET_FW_VERSION, 1, &cmd, true); + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Failed to get firmware version (%ld)", + PTR_ERR(skb)); + return; + } + + status =3D skb_pull_data(skb, 1); + if (status) { + if (*status) { + bt_dev_err(hdev, "Error get FW version: %d", *status); + } else if (skb->len < 10 || skb->len >=3D 100) { + bt_dev_err(hdev, "Invalid FW version"); + } else { + memcpy(version, skb->data, skb->len); + bt_dev_info(hdev, "FW Version: %s", version); + nxp_handle_chip_specific_features(hdev, version); + } + } + + kfree_skb(skb); +} + /* NXP protocol */ static int nxp_setup(struct hci_dev *hdev) { 
@@ -1583,6 +1627,8 @@ static int nxp_setup(struct hci_dev *hdev) serdev_device_set_baudrate(nxpdev->serdev, nxpdev->fw_init_baudrate); nxpdev->current_baudrate =3D nxpdev->fw_init_baudrate; =20 + nxp_get_fw_version(hdev); + ps_init(hdev); =20 if (test_and_clear_bit(BTNXPUART_IR_IN_PROGRESS, &nxpdev->tx_state)) --=20 2.43.0
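
Review bot: nxpdev->secure_interface is only ever set to true, in nxp_handle_chip_specific_features() in the @@ -1554 hunk, and the decision rests on a version string reported by the controller. nxp_get_fw_version() returns void, so when the vendor command fails, or returns a non-zero status or an out-of-range length, the flag keeps whatever value an earlier nxp_setup() run left in it and the caller cannot react. Suggest clearing the flag before the query and returning an error code so nxp_setup() can decide whether to proceed. Smaller points in the same hunk: skb->len >= 100 should be written against sizeof(version), the lower bound of 10 needs a named constant or a comment, and version is u8[] but is passed to strlen(), strncmp() and "%s", so char would avoid the signedness mismatch.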
From: Neeraj Sanjay Kale To: marcel@holtmann.org, luiz.dentz@gmail.com Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com Subject: [PATCH v2 03/11] Bluetooth: btnxpuart: Add secure interface TLS authentication support Date: Fri, 28 Nov 2025 14:44:35 +0530 Message-ID: <20251128091443.2797316-4-neeraj.sanjaykale@nxp.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com> References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com> Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: SI2PR01CA0007.apcprd01.prod.exchangelabs.com (2603:1096:4:191::11) To DB9PR04MB9676.eurprd04.prod.outlook.com (2603:10a6:10:308::13) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DB9PR04MB9676:EE_|DB9PR04MB8252:EE_ X-MS-Office365-Filtering-Correlation-Id: 02145246-57ea-430d-aa86-08de2e5eb04b X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|19092799006|1800799024|376014|366016|52116014|38350700014; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?AKN4u2I+qaDCR0SHaurYvTR9mIWnEsvCtJ+20Up89EI0YMQueAYQx2ATgr4d?= =?us-ascii?Q?eI/GoufDGkqootSL57pKBuqPz2o74SdHSOXtBqIcaZSbG9TXYueBpG3QnrWX?= =?us-ascii?Q?t+CoqmMnYTEEafeDacXjLOT7+kV3AqnoO+qbA94SscBAYULtRTQFHCJ/emIU?= =?us-ascii?Q?AXeHRfUGMvZUIPk3WYecZ+xmAKRxzo2oHfUg5MBpiu3rJHYJVOZ1Ur4gglmY?= =?us-ascii?Q?fsggHeB8Wm9iDe78lGKCRDpJcMfIHDYJBcsYI6YqYSNqWwnWkiWgvbCrs1wh?= =?us-ascii?Q?I1DwS4PYoaIykOqTOhc85V92xF0uYn4l4Jtnb1tkUWdfnOsVJdfTRH9nWpt+?= =?us-ascii?Q?wJGWm136YF5NnGVHj/pRL1GZZO0IcLhi0Gg4Z37MEJa3tFF/5ExALnij+OlS?= =?us-ascii?Q?Jn+GHzBsYvBLlQOxSuDf+9/GxVhzB8w8w7cxqbPvduoBl+9930P8L3XWO/yE?= =?us-ascii?Q?ePfXNLn1rE+MTYeJRmsvq9q6XSQ+RN5xCP2aPCLsuLoYSegquZZTVUFoLl0G?= 
=?us-ascii?Q?Ch2fJz2jdj6cp6glFGNPIetQU/Frcp6JBde5UyvwdXFUqXRIWmTy0+AZvGu2?= =?us-ascii?Q?CBOE3RE7lpYuuKKUjwGRmHc2bZFNPNgWQDZLG/iF8H/5+yh+fe8J5N6vz4lP?= =?us-ascii?Q?7VhKfapzYFpB/uLnbX43e9v2aOFmY4Pp03/GnW3dfKOECwaIEIwrPpQAHbDQ?= =?us-ascii?Q?TXpnxcB3OzTvv2DLMxBDeV34LPuZ5fzE3zGrid+09g+zSUcdWEmRQi5t5EPs?= =?us-ascii?Q?UQip3b7PNdjzAtOhuv/aj5plQXS6BkooYepDOsxls2bwKwJgki/pp8M7GRCt?= =?us-ascii?Q?BAdVrUrrN0ukMCLkXY0zCuqc45Kk89HvLlwRZNEASm5U/kEXJraruAJXI2tY?= =?us-ascii?Q?o3MmgUwQbJpaT70U3QB+RPr4gCgKps9x9elYiLA1kXrtieeYbYm2XMLr3Waj?= =?us-ascii?Q?XFFu4QKcjTJVmB1cGJMU/215q2x9XvX/sLhdHhcs0FuP6rw7c+clM6dDk6AQ?= =?us-ascii?Q?tWNmY4RYp4hYhf1mPt4S1bZHUqGOh8us7j8bwevfM1+CpmmHKk0b/GoNkNTi?= =?us-ascii?Q?N5JZJztjGyHMIcIQ38LboHk/Heu1ELC2QyRpeYbiJHQ05Y1VdwtfYkbqVHEq?= =?us-ascii?Q?OO0tjP58e1nEBQ6dcHpamFQGJBCYWCcotQvoPWOFJ+Ha++8BAKHL23BqUgzr?= =?us-ascii?Q?rodntnbzym5PO2hcEIOVtmw9tDL7C0mxHAxO3UBFXB+/KracBNI0p9ETZ0bS?= =?us-ascii?Q?RasWqe5ygoo9eudBtwzEux3MIHH8rXkpdo/+7m5/qRfHvHlU4hYi2B4AAC5P?= =?us-ascii?Q?HM/339mLOJjB1gAw2/TUCg0PjnJs6mZ2xGeBn3l5BYQ6JowBjCb0s60aIJ7k?= =?us-ascii?Q?AEW9adQcO26dD1Fb79/bftbTuJEcB6W1q0Sf/4kZuDB43tFdq+aHZkUE6pg5?= =?us-ascii?Q?n4SlWDel/H2RTpZNA3lBH96RYjeu+kFSm6deIX4VvstenTAZoU5uTrCJN/ZJ?= =?us-ascii?Q?qGjaGW/3/tSl03GHmMfuTl3g8Y8s+XNoNByN?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DB9PR04MB9676.eurprd04.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(19092799006)(1800799024)(376014)(366016)(52116014)(38350700014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?aiUMzgK2s1CX5fieYgDETF1kDHSxZ8UkURd2xyLnrc3KeZCb5sRxlN3wd3G3?= =?us-ascii?Q?IwyqpelmRwelfeounConILM9DzCa2Kv2yebb53fM7G/I3/rBAz9tfKktI9/4?= =?us-ascii?Q?aSHGCYYEsBLmoQlsePejzlR9Zlt/xGZ+vC2C5UW+R9ZwiP7qllywu7tOCVfr?= =?us-ascii?Q?ZcjtVg7NaQKcqVpR2Ci+XNWMERryXDZCw1UO58i3riD73HgefG/6Wo48o9YA?= =?us-ascii?Q?IbjtybeKeAdvRnhaPoupIIqS7xMV3mqQWsy/i3YlsahaZNjiqssrinquMeb+?= 
=?us-ascii?Q?G/T3ciHepqonOj/upFTEI4mfYwqc6Pw3YsbuqRAF0QwN6NsUgDBSC/oVf/4j?= =?us-ascii?Q?9qwVzoqx1RQakvxuXaT+mZ80dRi0db8g7A1fFhzx/+HCcGk7lNFqQx7AMyEe?= =?us-ascii?Q?XE+Zu9DbVBBYV5FTtCGfNPasG9H/j7tchcqDN9FAyylpKzVp0MADF6dFmCjO?= =?us-ascii?Q?CwpIqVAdKZlTDs2WfA/ZZ+OfCdD3wudltYFp81m+p4YuIwdp1R4hbQAQ50YJ?= =?us-ascii?Q?2m/m8FyA1v/BK+wy/wPbvDkYopT9E4mwn7ZdtATS1uPdVjvN4aUhFfSAbk3i?= =?us-ascii?Q?3/owqSUabpdGq2VIwERup1yrITAh91RII6jdbrO0cjXuMQEFdS/0XFDE0tqj?= =?us-ascii?Q?i3y0YTvRkbkn+hbuOwsjkwAne/iHnn1u6ubLcKCrBmPEKrKIYFy6upZfOO5e?= =?us-ascii?Q?DeyKNEbYpVU4PzQRxxtRr8YDYaDisH7ZY7my6TVoyzuB9llVY9jvFZ5N7gzm?= =?us-ascii?Q?S+IDkLtURMAH72z+v2CGPEK9+GoAtoUVWNzIizPNrkXDxSxKverPwCl1DbSu?= =?us-ascii?Q?d0+FUJmb1NiACmP6wrzbnUQXQCOfJ/RI+NZktrWfBd/HPEX29OUrBlITKYpU?= =?us-ascii?Q?aTogD/NgiROujsHvISuIHqiIUYEvXubwPUSnlQScABsphfMY8wWvXchAFk0Z?= =?us-ascii?Q?vwXeQ5yRvoZAaqS3HZtpWphvLhvl/5vxjR+9JpM3d2FmlSRcO/WMVHOiJUep?= =?us-ascii?Q?WJIPABaWsVFFKiWIcINVs76CxEclfjfIjES3NXZTR/+6MuWQDUVkJ/8I5VkA?= =?us-ascii?Q?OCy68Gb/p3tMQdZZpon2TLfTOPAG+KxH6/hx5PSqQsKan1+FYW7qF0lq9sh6?= =?us-ascii?Q?zW4AFHNW/emdIBifKivI7H9A9ub2nNvfW2mtsML3k1U22eJOd9vhfDqQtgOM?= =?us-ascii?Q?CKTUsyk/0ZntjxAFVAexaVRN8l++BA7xY8HVJbhFqSKCb4v10NnE7Djky2VC?= =?us-ascii?Q?aBCI2+GPv3yTX0kwfRM/qLhUpGmB5bBSqaFmz+KyLS4U6uiIrObmD1523fWA?= =?us-ascii?Q?0XRFMTGiC66QJQ2EQYXlZuhcryGyZMMspGGdu5orbPb2EcUnI8ZJu02Ou93k?= =?us-ascii?Q?IW9ZTcCeB/xN/tdesjPbYLfFCn6FuJ1kgzNzr2aNncr3ZDnDTsLHauGW6wHF?= =?us-ascii?Q?rz/uBcNQREmZ+jNypnkjNzNJYx9pTfy2HLYj3+JmTplyNLrV3RqKtyz6uuB0?= =?us-ascii?Q?b+iLIj8kpNgYL9VNdXYfCEZZtdllH6ca7nCeGWJCPmvD2c1hoitcrwmGRZCU?= =?us-ascii?Q?1TLdz/TEjrXveNgvfx6Z1EiIr7tdBei16Cpp5X6cMKD6eGt+HnuVQR2ffYHX?= =?us-ascii?Q?fA=3D=3D?= X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: 02145246-57ea-430d-aa86-08de2e5eb04b X-MS-Exchange-CrossTenant-AuthSource: DB9PR04MB9676.eurprd04.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Nov 2025 09:15:35.5408 

This includes a placeholder nxp_authenticate_device() function if the chip supports secure interface feature.

Signed-off-by: Neeraj Sanjay Kale
--- drivers/bluetooth/btnxpuart.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index d2c79c462ebb..3455460d30f5 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -1598,6 +1598,23 @@ static void nxp_get_fw_version(struct hci_dev *hdev) kfree_skb(skb); } =20 +/* Secure Interface */ +static int nxp_authenticate_device(struct hci_dev *hdev) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + int ret =3D 0; + + /* TODO: Implement actual TLS handshake protocol + * This will include: + * 1. Crypto allocation (SHA256, ECDH-P256) + * 2. Host/Device hello message exchange + * 3. Master secret and traffic key derivation + * 4. Proper error handling and cleanup + */ + + return ret; +} + /* NXP protocol */ static int nxp_setup(struct hci_dev *hdev) {
@@ -1629,6 +1646,12 @@ static int nxp_setup(struct hci_dev *hdev) =20 nxp_get_fw_version(hdev); =20 + if (nxpdev->secure_interface) { + err =3D nxp_authenticate_device(hdev); + if (err) + return -EACCES; + } + ps_init(hdev); =20 if (test_and_clear_bit(BTNXPUART_IR_IN_PROGRESS, &nxpdev->tx_state)) --=20 2.43.0
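Review bot: nxp_authenticate_device(), as added in the first hunk of 03/11, initialises ret to 0 and returns it with nothing in between, so at this point in the series a chip with secure_interface set is reported as authenticated without any check having run. nxp_setup() treats 0 as success, which means a bisect that lands on this commit gets a fail-open path; returning -EOPNOTSUPP from the placeholder until the handshake exists, or squashing this patch into the one that implements it, avoids that. The local nxpdev is also assigned but never used here, which will trip -Wunused-variable.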
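Review bot: In the nxp_setup() hunk of 03/11, "if (err) return -EACCES;" throws away the code returned by nxp_authenticate_device(), so once that function can fail for more than one reason a resource failure and a rejected device become indistinguishable to the caller and in the logs. Returning err directly, and letting the authentication path pick -EACCES only where the device really was rejected, keeps the cause visible. The commit message should also say where nxpdev->secure_interface gets set, because the whole authentication step is skipped whenever it is false.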
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 04/11] Bluetooth: btnxpuart: Implement TLS authentication crypto framework
Date: Fri, 28 Nov 2025 14:44:36 +0530
Message-ID: <20251128091443.2797316-5-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
Content-Transfer-Encoding: quoted-printable

This adds nxp_authenticate_device() function that sets up cryptographic resources for TLS handshake authentication. Allocates SHA256 hash and ECDH-P256 key exchange with proper cleanup after handshake completion to maintain only traffic keys.

Signed-off-by: Neeraj Sanjay Kale
--- drivers/bluetooth/btnxpuart.c | 48 ++++++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 3455460d30f5..7c94d8ab94f3 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -22,6 +22,11 @@ #include #include =20 +#include +#include +#include +#include + #include #include =20 @@ -192,6 +197,9 @@ enum bootloader_param_change { }; =20 struct btnxpuart_crypto { + struct crypto_shash *tls_handshake_hash_tfm; + struct shash_desc *tls_handshake_hash_desc; + struct crypto_kpp *kpp; u8 ecdsa_public[NXP_FW_ECDSA_PUBKEY_SIZE]; /* ECDSA public key, Authentic= ation*/ u8 fw_uuid[NXP_FW_UUID_SIZE]; };
@@ -1602,16 +1610,48 @@ static void nxp_get_fw_version(struct hci_dev *hdev) static int nxp_authenticate_device(struct hci_dev *hdev) { struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + size_t desc_size =3D 0; int ret =3D 0; =20 + nxpdev->crypto.tls_handshake_hash_tfm =3D crypto_alloc_shash("sha256", 0,= 0); + if (IS_ERR(nxpdev->crypto.tls_handshake_hash_tfm)) + return PTR_ERR(nxpdev->crypto.tls_handshake_hash_tfm); + + desc_size =3D sizeof(struct shash_desc) + + crypto_shash_descsize(nxpdev->crypto.tls_handshake_hash_tfm); + nxpdev->crypto.tls_handshake_hash_desc =3D kzalloc(desc_size, GFP_KERNEL); + if (!nxpdev->crypto.tls_handshake_hash_desc) { + ret =3D -ENOMEM; + goto free_tfm; + } + + nxpdev->crypto.kpp =3D crypto_alloc_kpp("ecdh-nist-p256", 0, 0); + if (IS_ERR(nxpdev->crypto.kpp)) { + ret =3D PTR_ERR(nxpdev->crypto.kpp); + goto free_desc; + } + + nxpdev->crypto.tls_handshake_hash_desc->tfm =3D nxpdev->crypto.tls_handsh= ake_hash_tfm; + crypto_shash_init(nxpdev->crypto.tls_handshake_hash_desc); + /* TODO: Implement actual TLS handshake protocol * This will include: - * 1. Crypto allocation (SHA256, ECDH-P256) - * 2. Host/Device hello message exchange - * 3. Master secret and traffic key derivation - * 4. Proper error handling and cleanup + * 1. Host/Device hello message exchange + * 2. 
Master secret and traffic key derivation */ =20 +free_kpp: + crypto_free_kpp(nxpdev->crypto.kpp); + nxpdev->crypto.kpp =3D NULL; +free_desc: + kfree(nxpdev->crypto.tls_handshake_hash_desc); + nxpdev->crypto.tls_handshake_hash_desc =3D NULL; +free_tfm: + crypto_free_shash(nxpdev->crypto.tls_handshake_hash_tfm); + nxpdev->crypto.tls_handshake_hash_tfm =3D NULL; + if (ret) + bt_dev_err(hdev, "Device Authentication failed: %d", ret); + return ret; } =20 --=20 2.43.0
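Review bot: The three pointers added to struct btnxpuart_crypto in 04/11 (tls_handshake_hash_tfm, tls_handshake_hash_desc, kpp) are allocated and released inside one call of nxp_authenticate_device() in this patch, so they are only meaningful while a handshake is running. A short comment on the fields saying so would stop later code from assuming they stay valid after setup; if nothing outside the handshake helpers needs them, a handshake-local context struct is the tidier home.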
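Review bot: In the nxp_authenticate_device() hunk of 04/11, both IS_ERR() paths leave an ERR_PTR stored in nxpdev->crypto: the crypto_alloc_shash() failure returns immediately without resetting tls_handshake_hash_tfm, and the crypto_alloc_kpp() failure jumps to free_desc, which is past the "nxpdev->crypto.kpp = NULL" under free_kpp. Any later code that tests these fields against NULL would then dereference an error pointer; allocate into locals and assign on success, or reset the field before bailing out. Two smaller points in the same hunk: the free_kpp label has no goto targeting it in this patch, and the return value of crypto_shash_init() is ignored.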
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 05/11] Bluetooth: btnxpuart: Add TLS host hello handshake implementation
Date: Fri, 28 Nov 2025 14:44:37 +0530
Message-ID: <20251128091443.2797316-6-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
Content-Transfer-Encoding: quoted-printable

Implement TLS handshake initiation for secure interface authentication. Includes ECDH public key generation, host hello message creation, and handshake hash computation for secure chip authentication.

Signed-off-by: Neeraj Sanjay Kale
--- drivers/bluetooth/btnxpuart.c | 189 +++++++++++++++++++++++++++++++++- 1 file changed, 188 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 7c94d8ab94f3..8208b0748f97 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -26,6 +26,7 @@ #include #include #include +#include =20 #include #include @@ -124,6 +125,8 @@ #define HCI_NXP_IND_RESET 0xfcfc /* Bluetooth vendor command: Trigger FW dump */ #define HCI_NXP_TRIGGER_DUMP 0xfe91 +/* Bluetooth vendor command: Secure Host Interface */ +#define HCI_NXP_SHI_ENCRYPT 0xfe9c =20 /* Bluetooth Power State : Vendor cmd params */ #define BT_PS_ENABLE 0x02
@@ -388,6 +391,55 @@ union nxp_set_bd_addr_payload { u8 buf[8]; }; =20 +/* Secure Host Interface */ +#define NXP_TLS_MAGIC 0x43b826f3 +#define NXP_TLS_VERSION 1 + +#define NXP_TLS_ECDH_PUBLIC_KEY_SIZE 64 + +enum nxp_tls_signature_algorithm { + NXP_TLS_ECDSA_SECP256R1_SHA256 =3D 0x0403, +}; + +enum nxp_tls_key_exchange_type { + NXP_TLS_ECDHE_SECP256R1 =3D 0x0017, +}; + +enum nxp_tls_cipher_suite { + NXP_TLS_AES_128_GCM_SHA256 =3D 0x1301, +}; + +enum nxp_tls_message_id { + NXP_TLS_HOST_HELLO =3D 1, + NXP_TLS_DEVICE_HELLO =3D 2, + NXP_TLS_HOST_FINISHED =3D 3, +}; + +struct nxp_tls_message_hdr { + __le32 magic; + __le16 len; + u8 message_id; + u8 protocol_version; +}; + +struct nxp_tls_host_hello { + struct nxp_tls_message_hdr hdr; + __le16 sig_alg; + __le16 key_exchange_type; + __le16 cipher_suite; + __le16 reserved; + u8 random[32]; + u8 pubkey[NXP_TLS_ECDH_PUBLIC_KEY_SIZE]; /* ECDHE */ +}; + +union nxp_tls_host_hello_payload { + struct { + u8 msg_type; + struct nxp_tls_host_hello host_hello; + } __packed; + u8 buf[113]; +}; + /* FW Meta Data */ struct fw_metadata_hdr { __le32 cmd; 
@@ -1607,10 +1659,137 @@ static void nxp_get_fw_version(struct hci_dev *hde= v) } =20 /* Secure Interface */ +static int nxp_generate_ecdh_public_key(struct crypto_kpp *tfm, u8 public_= key[64]) +{ + DECLARE_CRYPTO_WAIT(result); + struct kpp_request *req; + u8 *tmp; + struct scatterlist dst; + int err; + + tmp =3D kzalloc(64, GFP_KERNEL); + if (!tmp) + return -ENOMEM; + + req =3D kpp_request_alloc(tfm, GFP_KERNEL); + if (!req) { + err =3D -ENOMEM; + goto free_tmp; + } + + sg_init_one(&dst, tmp, 64); + kpp_request_set_input(req, NULL, 0); + kpp_request_set_output(req, &dst, 64); + kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &result); + + err =3D crypto_kpp_generate_public_key(req); + err =3D crypto_wait_req(err, &result); + if (err < 0) + goto free_all; + + memcpy(public_key, tmp, 64); + +free_all: + kpp_request_free(req); +free_tmp: + kfree(tmp); + return err; +} + +static inline void nxp_tls_hdr_init(struct nxp_tls_message_hdr *hdr, size_= t len, + enum nxp_tls_message_id id) +{ + hdr->magic =3D cpu_to_le32(NXP_TLS_MAGIC); + hdr->len =3D cpu_to_le16((u16)len); + hdr->message_id =3D (u8)id; + hdr->protocol_version =3D NXP_TLS_VERSION; +} + +static struct sk_buff *nxp_host_do_hello(struct hci_dev *hdev) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + union nxp_tls_host_hello_payload tls_hello; + struct nxp_tls_host_hello *host_hello =3D &tls_hello.host_hello; + struct ecdh p =3D {0}; + u8 *buf =3D NULL; + unsigned int buf_len; + struct sk_buff *skb; + int ret; + + nxp_tls_hdr_init(&host_hello->hdr, sizeof(*host_hello), NXP_TLS_HOST_HELL= O); + + host_hello->sig_alg =3D cpu_to_le16(NXP_TLS_ECDSA_SECP256R1_SHA256); + host_hello->key_exchange_type =3D cpu_to_le16(NXP_TLS_ECDHE_SECP256R1); + host_hello->cipher_suite =3D cpu_to_le16(NXP_TLS_AES_128_GCM_SHA256); + + get_random_bytes(host_hello->random, sizeof(host_hello->random)); + + /* Generate random private key */ + p.key_size =3D 32; + p.key =3D kzalloc(p.key_size, 
GFP_KERNEL); + if (!p.key) + return ERR_PTR(-ENOMEM); + + get_random_bytes(p.key, p.key_size); + + buf_len =3D crypto_ecdh_key_len(&p); + buf =3D kzalloc(buf_len, GFP_KERNEL); + if (!buf) { + ret =3D -ENOMEM; + goto free_key; + } + + ret =3D crypto_ecdh_encode_key(buf, buf_len, &p); + if (ret) { + bt_dev_err(hdev, "crypto_ecdh_encode_key() failed"); + goto free_buf; + } + + ret =3D crypto_kpp_set_secret(nxpdev->crypto.kpp, buf, buf_len); + if (ret) { + bt_dev_err(hdev, "crypto_kpp_set_secret() failed"); + goto free_buf; + } + + ret =3D nxp_generate_ecdh_public_key(nxpdev->crypto.kpp, host_hello->pubk= ey); + if (ret) { + bt_dev_err(hdev, "Failed to generate ECDH public key: %d", ret); + goto free_buf; + } + + ret =3D crypto_shash_update(nxpdev->crypto.tls_handshake_hash_desc, + (u8 *)host_hello, sizeof(*host_hello)); + if (ret) { + bt_dev_err(hdev, "Failed to update handshake hash: %d", ret); + goto free_buf; + } + + tls_hello.msg_type =3D 0; + + skb =3D __hci_cmd_sync(hdev, HCI_NXP_SHI_ENCRYPT, sizeof(tls_hello), + tls_hello.buf, HCI_CMD_TIMEOUT); + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Host Hello command failed: %ld", PTR_ERR(skb)); + ret =3D PTR_ERR(skb); + } + +free_buf: + kfree(buf); +free_key: + memset(p.key, 0, p.key_size); + kfree(p.key); + if (ret) + return ERR_PTR(ret); + else + return skb; +} + static int nxp_authenticate_device(struct hci_dev *hdev) { struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); size_t desc_size =3D 0; + struct sk_buff *skb; int ret =3D 0; =20 nxpdev->crypto.tls_handshake_hash_tfm =3D crypto_alloc_shash("sha256", 0,= 0); 
@@ -1634,12 +1813,20 @@ static int nxp_authenticate_device(struct hci_dev *= hdev) nxpdev->crypto.tls_handshake_hash_desc->tfm =3D nxpdev->crypto.tls_handsh= ake_hash_tfm; crypto_shash_init(nxpdev->crypto.tls_handshake_hash_desc); =20 + skb =3D nxp_host_do_hello(hdev); + if (IS_ERR(skb)) { + ret =3D PTR_ERR(skb); + goto free_kpp; + } + /* TODO: Implement actual TLS handshake protocol * This will include: - * 1. Host/Device hello message exchange + * 1. Handle Device hello message exchange * 2. Master secret and traffic key derivation */ =20 +free_skb: + kfree_skb(skb); free_kpp: crypto_free_kpp(nxpdev->crypto.kpp); nxpdev->crypto.kpp =3D NULL; --=20 2.43.0
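Review bot: In the `@@ -388,6 +391,55 @@` hunk, `union nxp_tls_host_hello_payload` places `host_hello` at byte offset 1 inside a `__packed` anonymous struct, but `struct nxp_tls_host_hello` and `struct nxp_tls_message_hdr` are not themselves `__packed`, so the `&tls_hello.host_hello` pointer taken later in this patch is misaligned for the `__le32` and `__le16` stores made through it. Mark both wire structs `__packed` (or build the message in an aligned buffer and copy it into the payload), and replace the literal `u8 buf[113]` with a size derived from `sizeof()` together with a `static_assert`, so the layout the controller expects is checked at build time.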
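Review bot: In `nxp_host_do_hello()` (the `@@ -1607,10 +1659,137 @@` hunk), `tls_hello` is declared on the stack without an initializer and `host_hello->reserved` is never assigned, so two bytes of uninitialized kernel stack are both sent to the controller and fed into the handshake hash. Zero the union at declaration (`= {}`) or set `reserved` explicitly. The same function releases `buf`, which holds the encoded private key, with a plain `kfree()`, and clears `p.key` with `memset()` just before `kfree()`; using `kfree_sensitive()` for both wipes the key material in a way the compiler cannot drop.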
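Review bot: The `free_skb:` label added at the end of the `@@ -1634,12 +1813,20 @@` hunk has no matching `goto free_skb` in the visible hunks of this patch (the only jump added here is `goto free_kpp`), so building the series at this commit gives an unused-label warning. Add the label in the patch that first jumps to it, or free the skb inline here and introduce the label later.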
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 06/11] Bluetooth: btnxpuart: Add TLS device hello processing
Date: Fri, 28 Nov 2025 14:44:38 +0530
Message-ID: <20251128091443.2797316-7-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>

This implements device hello message processing to derive handshake traffic secrets:
- Add HKDF-SHA256 functions for TLS 1.3 traffic secret derivation following RFC 5869/8446
- Extract device ECDH public key and compute shared secret using KPP API with host private key and device public key
- Derive handshake traffic secret from ECDH shared secret following TLS 1.3 key schedule
- Validate device hello message and update handshake hash state

The handshake traffic secret enables decryption of the device_finish portion within the device_hello message.

Signed-off-by: Neeraj Sanjay Kale
---
drivers/bluetooth/btnxpuart.c | 274 +++++++++++++++++++++++++++++++++-
1 file changed, 270 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 8208b0748f97..0e71f68a408e 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -150,8 +150,9 @@ #define FW_METADATA_TLV_ECDSA_KEY 0x50 #define FW_METADATA_FLAG_BT 0x02 =20 -#define NXP_FW_UUID_SIZE 16 -#define NXP_FW_ECDSA_PUBKEY_SIZE 65 +#define NXP_FW_UUID_SIZE 16 +#define NXP_FW_ECDH_PUBKEY_SIZE 64 +#define NXP_FW_ECDSA_PUBKEY_SIZE 65 =20 struct ps_data { u8 target_ps_mode; /* ps mode to be set */ 
@@ -203,8 +204,11 @@ struct btnxpuart_crypto { struct crypto_shash *tls_handshake_hash_tfm; struct shash_desc *tls_handshake_hash_desc; struct crypto_kpp *kpp; + uint8_t ecdh_public[NXP_FW_ECDH_PUBKEY_SIZE]; /* ECDH public key, Key neg= otiation */ u8 ecdsa_public[NXP_FW_ECDSA_PUBKEY_SIZE]; /* ECDSA public key, Authentic= ation*/ u8 fw_uuid[NXP_FW_UUID_SIZE]; + u8 handshake_h2_hash[SHA256_DIGEST_SIZE]; + u8 handshake_secret[SHA256_DIGEST_SIZE]; }; =20 struct btnxpuart_dev { @@ -396,6 +400,11 @@ union nxp_set_bd_addr_payload { #define NXP_TLS_VERSION 1 =20 #define NXP_TLS_ECDH_PUBLIC_KEY_SIZE 64 +#define NXP_DEVICE_UUID_LEN 16 +#define NXP_ENC_AUTH_TAG_SIZE 16 + +#define NXP_TLS_LABEL(str) str, strlen(str) +#define NXP_TLS_DEVICE_HS_TS_LABEL NXP_TLS_LABEL("D HS TS") =20 enum nxp_tls_signature_algorithm { NXP_TLS_ECDSA_SECP256R1_SHA256 =3D 0x0403, @@ -440,6 +449,38 @@ union nxp_tls_host_hello_payload { u8 buf[113]; }; =20 +struct nxp_tls_device_info { + __le16 chip_id; + __le16 device_flags; + u8 reserved[4]; + u8 uuid[NXP_DEVICE_UUID_LEN]; +}; + +struct nxp_tls_signature { + u8 sig[64]; /* P-256 ECDSA signature, two points */ +}; + +struct nxp_tls_finished { + u8 verify_data[32]; +}; + +struct nxp_tls_device_hello { + struct nxp_tls_message_hdr hdr; + __le32 reserved; + u8 random[32]; + u8 pubkey[NXP_TLS_ECDH_PUBLIC_KEY_SIZE]; + /* Encrypted portion */ + struct { + struct nxp_tls_device_info device_info; + struct nxp_tls_signature device_handshake_sig; /* TLS Certificate Veri= fy */ + struct nxp_tls_finished device_finished; + } enc; + u8 auth_tag[NXP_ENC_AUTH_TAG_SIZE]; /* Auth tag for the encrypted porti= on */ +}; + +#define DEVICE_HELLO_SIG_CUTOFF_POS \ + offsetof(struct nxp_tls_device_hello, enc) + /* FW Meta Data */ struct fw_metadata_hdr { __le32 cmd; 
@@ -1698,7 +1739,7 @@ static int nxp_generate_ecdh_public_key(struct crypto= _kpp *tfm, u8 public_key[64 } =20 static inline void nxp_tls_hdr_init(struct nxp_tls_message_hdr *hdr, size_= t len, - enum nxp_tls_message_id id) + enum nxp_tls_message_id id) { hdr->magic =3D cpu_to_le32(NXP_TLS_MAGIC); hdr->len =3D cpu_to_le16((u16)len); 
@@ -1785,11 +1826,222 @@ static struct sk_buff *nxp_host_do_hello(struct hc= i_dev *hdev) return skb; } =20 +static int nxp_crypto_shash_final(struct shash_desc *desc, u8 *out) +{ + struct shash_desc *desc_tmp =3D kzalloc(sizeof(struct shash_desc) + + crypto_shash_descsize(desc->tfm), + GFP_KERNEL); + + if (!desc_tmp) + return -ENOMEM; + + crypto_shash_export(desc, desc_tmp); + crypto_shash_final(desc, out); + crypto_shash_import(desc, desc_tmp); + kfree(desc_tmp); + + return 0; +} + +static int nxp_compute_shared_secret(struct crypto_kpp *tfm, const u8 publ= ic_key[64], u8 secret[32]) +{ + DECLARE_CRYPTO_WAIT(result); + struct kpp_request *req; + struct scatterlist src, dst; + int err; + + req =3D kpp_request_alloc(tfm, GFP_KERNEL); + if (!req) { + pr_err("Failed to allocate memory for KPP request\n"); + return -ENOMEM; + } + + sg_init_one(&src, public_key, 64); + sg_init_one(&dst, secret, 32); + kpp_request_set_input(req, &src, 64); + kpp_request_set_output(req, &dst, 32); + kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + crypto_req_done, &result); + err =3D crypto_kpp_compute_shared_secret(req); + err =3D crypto_wait_req(err, &result); + if (err < 0) { + pr_err("alg: ecdh: compute shared secret failed. 
err %d\n", err); + goto free_all; + } + +free_all: + kpp_request_free(req); + return err; +} + +static int nxp_hkdf_sha256_extract(const void *salt, size_t salt_len, + const void *ikm, size_t ikm_len, + u8 result[SHA256_DIGEST_SIZE]) +{ + struct crypto_shash *tfm; + struct shash_desc *desc; + u8 zeroes[SHA256_DIGEST_SIZE] =3D {0}; + int ret =3D 0; + + tfm =3D crypto_alloc_shash("hmac(sha256)", 0, 0); + if (IS_ERR(tfm)) + return PTR_ERR(tfm); + + desc =3D kzalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); + if (!desc) { + crypto_free_shash(tfm); + return -ENOMEM; + } + + desc->tfm =3D tfm; + + /* RFC 5869: If salt is empty, use HashLen zero octets */ + if (salt_len =3D=3D 0) + ret =3D crypto_shash_setkey(tfm, zeroes, SHA256_DIGEST_SIZE); + else + ret =3D crypto_shash_setkey(tfm, salt, salt_len); + + if (ret) + goto cleanup; + + ret =3D crypto_shash_init(desc); + if (ret) + goto cleanup; + + ret =3D crypto_shash_update(desc, ikm, ikm_len); + if (ret) + goto cleanup; + + ret =3D crypto_shash_final(desc, result); + +cleanup: + kfree(desc); + crypto_free_shash(tfm); + return ret; +} + +static int nxp_hkdf_expand_label(const u8 secret[SHA256_DIGEST_SIZE], + const char *label, size_t label_size, + u8 *context, size_t context_size, + void *output, size_t output_size) +{ + struct crypto_shash *tfm =3D crypto_alloc_shash("hmac(sha256)", 0, 0); + struct shash_desc *desc =3D kzalloc(sizeof(*desc) + crypto_shash_descsize= (tfm), + GFP_KERNEL); + u8 hmac_out[SHA256_DIGEST_SIZE]; + u16 length =3D output_size; + u8 one =3D 0x01; + + if (IS_ERR(tfm)) { + pr_err("Failed to alloc shash for HMAC\n"); + return -ENOMEM; + } + + if (!desc) { + crypto_free_shash(tfm); + return -ENOMEM; + } + + crypto_shash_setkey(tfm, secret, SHA256_DIGEST_SIZE); + desc->tfm =3D tfm; + + crypto_shash_init(desc); + crypto_shash_update(desc, (u8 *)&length, sizeof(length)); + crypto_shash_update(desc, label, label_size); + + if (context && context_size > 0) + crypto_shash_update(desc, context, 
context_size); + + /* RFC 5869: HKDF-Expand counter starts at 0x01 */ + crypto_shash_update(desc, &one, sizeof(one)); + crypto_shash_final(desc, hmac_out); + + memcpy(output, hmac_out, output_size); + + kfree(desc); + crypto_free_shash(tfm); + return 0; +} + +static int nxp_hkdf_derive_secret(u8 secret[32], const char *label, size_t= label_size, + u8 context[SHA256_DIGEST_SIZE], + u8 output[SHA256_DIGEST_SIZE]) +{ + return nxp_hkdf_expand_label(secret, label, label_size, context, SHA256_D= IGEST_SIZE, + output, SHA256_DIGEST_SIZE); +} + +static int nxp_process_device_hello(struct hci_dev *hdev, struct nxp_tls_d= evice_hello *msg) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct nxp_tls_message_hdr *hdr; + u8 hs_traffic_secret[SHA256_DIGEST_SIZE]; + u8 *shared_secret =3D NULL; + int ret; + + if (!msg) + return -EINVAL; + + hdr =3D &msg->hdr; + + if (le32_to_cpu(hdr->magic) !=3D NXP_TLS_MAGIC || + le16_to_cpu(hdr->len) !=3D sizeof(*msg) || + hdr->message_id !=3D NXP_TLS_DEVICE_HELLO || + hdr->protocol_version !=3D NXP_TLS_VERSION) { + bt_dev_err(hdev, "Invalid device hello header"); + return -EINVAL; + } + + shared_secret =3D kzalloc(32, GFP_KERNEL); + if (!shared_secret) + return -ENOMEM; + + ret =3D crypto_shash_update(nxpdev->crypto.tls_handshake_hash_desc, (u8 *= )msg, + DEVICE_HELLO_SIG_CUTOFF_POS); + if (ret) + goto fail; + + ret =3D nxp_crypto_shash_final(nxpdev->crypto.tls_handshake_hash_desc, + nxpdev->crypto.handshake_h2_hash); + if (ret) + goto fail; + + memcpy(nxpdev->crypto.ecdh_public, msg->pubkey, NXP_FW_ECDH_PUBKEY_SIZE); + + ret =3D nxp_compute_shared_secret(nxpdev->crypto.kpp, nxpdev->crypto.ecdh= _public, + shared_secret); + if (ret) + goto fail; + + ret =3D nxp_hkdf_sha256_extract(NULL, 0, shared_secret, 32, + nxpdev->crypto.handshake_secret); + if (ret) + goto fail; + + ret =3D nxp_hkdf_derive_secret(nxpdev->crypto.handshake_secret, + NXP_TLS_DEVICE_HS_TS_LABEL, + nxpdev->crypto.handshake_h2_hash, + hs_traffic_secret); + if 
(ret) + goto fail; + + /* TODO: Verify Signature in Device Hello using ECDSA Public Key + * extracted from the FW metadata. + */ + +fail: + memset(shared_secret, 0, 32); + kfree(shared_secret); + return ret; +} + static int nxp_authenticate_device(struct hci_dev *hdev) { struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct nxp_tls_device_hello *device_hello; size_t desc_size =3D 0; struct sk_buff *skb; + u8 *status; int ret =3D 0; =20 nxpdev->crypto.tls_handshake_hash_tfm =3D crypto_alloc_shash("sha256", 0,= 0); 
@@ -1819,9 +2071,23 @@ static int nxp_authenticate_device(struct hci_dev *h= dev) goto free_kpp; } =20 + status =3D skb_pull_data(skb, 1); + if (*status) + goto free_skb; + + if (skb->len !=3D sizeof(struct nxp_tls_device_hello)) { + bt_dev_err(hdev, "Invalid Device Hello Length: %d", skb->len); + goto free_skb; + } + + device_hello =3D skb_pull_data(skb, sizeof(*device_hello)); + ret =3D nxp_process_device_hello(hdev, device_hello); + if (ret) + goto free_skb; + /* TODO: Implement actual TLS handshake protocol * This will include: - * 1. Handle Device hello message exchange + * 1. Send Host Finish TLS message * 2. Master secret and traffic key derivation */ =20 --=20 2.43.0
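Review bot: `NXP_TLS_LABEL(str)` in the `@@ -396,6 +400,11 @@` hunk expands to two comma-separated arguments (`str, strlen(str)`), so the call `nxp_hkdf_derive_secret(..., NXP_TLS_DEVICE_HS_TS_LABEL, ...)` further down shows one argument fewer than the function actually receives. Pass the label string on its own and let the helper compute the length, which keeps the arity visible at the call site and removes the macro.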
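Review bot: `struct nxp_tls_device_hello` in the `@@ -440,6 +449,38 @@` hunk is used as the wire format (its `sizeof()` is compared with both `hdr->len` and `skb->len` later in this patch), yet neither it nor its nested structs are `__packed`, and it is overlaid on skb data one byte past the status octet, so the layout relies on the compiler adding no padding and the `__le32` and `__le16` loads may be misaligned. Add `__packed` and a `static_assert` on the expected size. The comment on `sig[64]` also says "two points"; a P-256 ECDSA signature is the two integers r and s, 32 bytes each.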
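Review bot: The `@@ -1698,7 +1739,7 @@` hunk only re-indents the continuation line of `nxp_tls_hdr_init()`, a function added by the previous patch in this series. Fold the whitespace fix into the patch that introduces the function so this one carries only the device hello changes.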
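Review bot: In `nxp_hkdf_expand_label()` (the `@@ -1785,11 +1826,222 @@` hunk), `crypto_shash_descsize(tfm)` is evaluated in the `desc` initializer before the `IS_ERR(tfm)` check, so a failed `crypto_alloc_shash()` dereferences an error pointer, and the `IS_ERR` branch then returns without freeing `desc`. Allocate `desc` only after the check and return `PTR_ERR(tfm)`. The function also discards the results of `crypto_shash_setkey()`, `crypto_shash_init()`, `crypto_shash_update()` and `crypto_shash_final()` and always returns 0, hashes `length` in host byte order through `(u8 *)&length`, copies `output_size` bytes out of the 32-byte `hmac_out` without bounding `output_size`, and leaves `hmac_out` on the stack. `nxp_process_device_hello()` likewise leaves `hs_traffic_secret` on the stack without `memzero_explicit()`, and `nxp_crypto_shash_final()` ignores the return values of `crypto_shash_export()`, `crypto_shash_final()` and `crypto_shash_import()`.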
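Review bot: In the `@@ -1819,9 +2071,23 @@` hunk, both the non-zero `*status` branch and the length-mismatch branch jump to `free_skb` without assigning `ret`, so `nxp_authenticate_device()` returns whatever `ret` already held (it is initialized to 0 and none of the visible lines set it on these paths) even though the device hello was rejected. Set a negative errno on each path, for example `ret = -EPROTO;`. `skb_pull_data(skb, 1)` returns NULL when the skb holds less than one byte, so `status` needs a NULL check before `*status`, and `skb->len` is unsigned, so the format specifier should be `%u`.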
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 07/11] Bluetooth: btnxpuart: Add device authentication
Date: Fri, 28 Nov 2025 14:44:39 +0530
Message-ID: <20251128091443.2797316-8-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
Content-Transfer-Encoding: quoted-printable

This implements secure device authentication during TLS 1.3-like handshake with ECDSA signature verification.

The authentication flow:
- Derive handshake traffic secret from ECDH shared secret
- Decrypt device hello encrypted section using AES-GCM with traffic secret
- Extract ECDSA public key from firmware metadata for verification
- Verify device handshake signature to authenticate device identity
- Validate device finished message using calculated verify data
- Clear handshake traffic secret after successful authentication

This ensures only devices with valid private keys can complete the handshake.

Key components added:
- AES-GCM encrypt/decrypt with traffic secret derived keys
- ECDSA P-256 signature verification using kernel crypto API
- X9.62 to P1363 signature format conversion
- TLS 1.3 finished message verification
- Secure memory cleanup of cryptographic material

Signed-off-by: Neeraj Sanjay Kale
---
v2: Fix sparse warnings. (kernel test robot)
---
 drivers/bluetooth/btnxpuart.c | 504 +++++++++++++++++++++++++++++++++-
 1 file changed, 499 insertions(+), 5 deletions(-)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 0e71f68a408e..9ed4cece7e42 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -27,6 +27,12 @@ #include #include #include +#include +#include +#include +#include +#include +#include =20 #include #include 
@@ -204,11 +210,13 @@ struct btnxpuart_crypto { struct crypto_shash *tls_handshake_hash_tfm; struct shash_desc *tls_handshake_hash_desc; struct crypto_kpp *kpp; - uint8_t ecdh_public[NXP_FW_ECDH_PUBKEY_SIZE]; /* ECDH public key, Key neg= otiation */ + u8 ecdh_public[NXP_FW_ECDH_PUBKEY_SIZE]; /* ECDH public key, Key negotiat= ion */ u8 ecdsa_public[NXP_FW_ECDSA_PUBKEY_SIZE]; /* ECDSA public key, Authentic= ation*/ u8 fw_uuid[NXP_FW_UUID_SIZE]; u8 handshake_h2_hash[SHA256_DIGEST_SIZE]; u8 handshake_secret[SHA256_DIGEST_SIZE]; + struct completion completion; + int decrypt_result; }; =20 struct btnxpuart_dev { @@ -405,6 +413,10 @@ union nxp_set_bd_addr_payload { =20 #define NXP_TLS_LABEL(str) str, strlen(str) #define NXP_TLS_DEVICE_HS_TS_LABEL NXP_TLS_LABEL("D HS TS") +#define NXP_TLS_KEYING_IV_LABEL NXP_TLS_LABEL("iv") +#define NXP_TLS_KEYING_KEY_LABEL NXP_TLS_LABEL("key") +#define NXP_TLS_FINISHED_LABEL NXP_TLS_LABEL("finished") +#define NXP_TLS_HOST_HS_TS_LABEL NXP_TLS_LABEL("H HS TS") =20 enum nxp_tls_signature_algorithm { NXP_TLS_ECDSA_SECP256R1_SHA256 =3D 0x0403, 
@@ -478,9 +490,42 @@ struct nxp_tls_device_hello { u8 auth_tag[NXP_ENC_AUTH_TAG_SIZE]; /* Auth tag for the encrypted porti= on */ }; =20 +struct nxp_tls_data_add { + u8 version; /* NXP_TLS_VERSION */ + u8 reserved[5]; /* zeroes */ + __le16 len; +}; + +struct nxp_tls_host_finished { + struct nxp_tls_message_hdr hdr; + __le32 reserved; + /* Encrypted portion */ + struct { + struct nxp_tls_signature reserved2; + struct nxp_tls_finished host_finished; + } enc; + u8 auth_tag[NXP_ENC_AUTH_TAG_SIZE]; /* Auth tag for the encrypted porti= on */ +}; + +union nxp_tls_host_finished_payload { + struct { + u8 msg_type; + struct nxp_tls_host_finished host_finished; + } __packed; + u8 buf[125]; +}; + #define DEVICE_HELLO_SIG_CUTOFF_POS \ offsetof(struct nxp_tls_device_hello, enc) =20 +#define DEVICE_HELLO_FINISHED_ENC_CUTOFF_POS \ + (offsetof(struct nxp_tls_device_hello, enc.device_finished) - \ + DEVICE_HELLO_SIG_CUTOFF_POS) + + +#define HOST_FINISHED_CUTOFF_POS \ + offsetof(struct nxp_tls_host_finished, enc.host_finished) + /* FW Meta Data */ struct fw_metadata_hdr { __le32 cmd; 
@@ -1700,6 +1745,38 @@ static void nxp_get_fw_version(struct hci_dev *hdev) } =20 /* Secure Interface */ +static int nxp_get_pub_key(struct hci_dev *hdev, + const struct nxp_tls_device_info *device_info, + u8 ecdsa_pub_key[NXP_FW_ECDSA_PUBKEY_SIZE]) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + const char *fw_name; + + if (ecdsa_pub_key[0] =3D=3D 0x04) + return 0; + + fw_name =3D nxp_get_fw_name_from_chipid(hdev, + le16_to_cpu(device_info->chip_id), + le16_to_cpu(device_info->device_flags)); + if (nxp_request_firmware(hdev, fw_name, NULL)) + return -ENOENT; + + nxp_process_fw_meta_data(hdev, nxpdev->fw); + release_firmware(nxpdev->fw); + memset(nxpdev->fw_name, 0, sizeof(nxpdev->fw_name)); + + if (memcmp(nxpdev->crypto.fw_uuid, device_info->uuid, 16) || + nxpdev->crypto.ecdsa_public[0] !=3D 0x04) { + bt_dev_err(hdev, + "UUID check failed while trying to read ECDSA public key from FW."); + return -EBADF; + } + + memcpy(ecdsa_pub_key, nxpdev->crypto.ecdsa_public, 65); + + return 0; +} + static int nxp_generate_ecdh_public_key(struct crypto_kpp *tfm, u8 public_= key[64]) { DECLARE_CRYPTO_WAIT(result); 
@@ -1971,6 +2048,320 @@ static int nxp_hkdf_derive_secret(u8 secret[32], co= nst char *label, size_t label output, SHA256_DIGEST_SIZE); } =20 +/* + * The digital signature is computed over the concatenation of: + * - A string that consists of octet 32 (0x20) repeated 64 times + * - The context string + * - A single 0 byte which serves as the separator + * - The content to be signed + */ +static int nxp_handshake_sig_hash(const u8 transcript_hash[SHA256_DIGEST_S= IZE], + const char *context, size_t context_len, + u8 output_hash[SHA256_DIGEST_SIZE]) +{ + struct crypto_shash *tfm; + struct shash_desc *desc; + const u8 zero =3D 0; + + tfm =3D crypto_alloc_shash("sha256", 0, 0); + if (IS_ERR(tfm)) + return PTR_ERR(tfm); + + desc =3D kzalloc(sizeof(*desc) + crypto_shash_descsize(tfm), GFP_KERNEL); + if (!desc) { + crypto_free_shash(tfm); + return -ENOMEM; + } + + desc->tfm =3D tfm; + + memset(output_hash, 0x20, SHA256_DIGEST_SIZE); + + crypto_shash_init(desc); + /* 2x hash size =3D block size of 0x20 */ + crypto_shash_update(desc, output_hash, SHA256_DIGEST_SIZE); + crypto_shash_update(desc, output_hash, SHA256_DIGEST_SIZE); + + crypto_shash_update(desc, context, context_len); + crypto_shash_update(desc, &zero, sizeof(zero)); + + crypto_shash_update(desc, transcript_hash, SHA256_DIGEST_SIZE); + crypto_shash_final(desc, output_hash); + + kfree(desc); + crypto_free_shash(tfm); + return 0; +} + + +static void nxp_aead_complete(void *req, int err) +{ + struct btnxpuart_crypto *crypto =3D req; + + crypto->decrypt_result =3D err; + complete(&crypto->completion); +} + +static int nxp_aes_gcm_decrypt(struct hci_dev *hdev, void *buf, size_t siz= e, + u8 auth_tag[16], u8 key[AES_KEYSIZE_128], + u8 iv[GCM_AES_IV_SIZE]) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct crypto_aead *tfm; + struct aead_request *req; + struct scatterlist src, dst; + struct nxp_tls_data_add aad =3D { + .version =3D NXP_TLS_VERSION, + .len =3D cpu_to_le16((u16)size) + }; + u8 
*ciphertext; + u8 *plaintext; + int ret =3D 0; + + ciphertext =3D kzalloc(sizeof(aad) + size + NXP_ENC_AUTH_TAG_SIZE, + GFP_KERNEL); + if (!ciphertext) + return -ENOMEM; + + plaintext =3D kzalloc(size + NXP_ENC_AUTH_TAG_SIZE, GFP_KERNEL); + if (!plaintext) { + ret =3D -ENOMEM; + goto free_ciphertext; + } + + memcpy(ciphertext, &aad, sizeof(aad)); + memcpy(ciphertext + sizeof(aad), buf, size); + memcpy(ciphertext + sizeof(aad) + size, auth_tag, NXP_ENC_AUTH_TAG_SIZE); + + tfm =3D crypto_alloc_aead("gcm(aes)", 0, 0); + if (IS_ERR(tfm)) { + ret =3D PTR_ERR(tfm); + goto free_plaintext; + } + + crypto_aead_setkey(tfm, key, AES_KEYSIZE_128); + crypto_aead_setauthsize(tfm, NXP_ENC_AUTH_TAG_SIZE); + + req =3D aead_request_alloc(tfm, GFP_KERNEL); + if (!req) { + ret =3D -ENOMEM; + goto free_tfm; + } + + sg_init_one(&src, ciphertext, sizeof(aad) + size + NXP_ENC_AUTH_TAG_SIZE); + sg_init_one(&dst, plaintext, size + NXP_ENC_AUTH_TAG_SIZE); + init_completion(&nxpdev->crypto.completion); + + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + nxp_aead_complete, &nxpdev->crypto); + aead_request_set_crypt(req, &src, &dst, size + NXP_ENC_AUTH_TAG_SIZE, iv); + aead_request_set_ad(req, sizeof(aad)); + + ret =3D crypto_aead_decrypt(req); + if (ret =3D=3D -EINPROGRESS || ret =3D=3D -EBUSY) { + wait_for_completion(&nxpdev->crypto.completion); + ret =3D nxpdev->crypto.decrypt_result; + } + if (!ret) + memcpy(buf, plaintext + sizeof(aad), size); + + aead_request_free(req); +free_tfm: + crypto_free_aead(tfm); +free_plaintext: + kfree(plaintext); +free_ciphertext: + kfree(ciphertext); + return ret; +} + +static int nxp_aes_gcm_encrypt(struct hci_dev *hdev, void *buf, size_t siz= e, u8 auth_tag[16], + u8 key[AES_KEYSIZE_128], u8 iv[GCM_AES_IV_SIZE]) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct crypto_aead *tfm; + struct aead_request *req; + struct scatterlist src, dst; + struct nxp_tls_data_add aad =3D { + .version =3D NXP_TLS_VERSION, + .len =3D 
cpu_to_le16((u16)size) + }; + u8 *ciphertext; + u8 *plaintext; + int ret =3D 0; + + ciphertext =3D kzalloc(sizeof(aad) + size + NXP_ENC_AUTH_TAG_SIZE, + GFP_KERNEL); + if (!ciphertext) + return -ENOMEM; + + plaintext =3D kzalloc(size + NXP_ENC_AUTH_TAG_SIZE, GFP_KERNEL); + if (!plaintext) { + ret =3D -ENOMEM; + goto free_ciphertext; + } + + memcpy(plaintext, &aad, sizeof(aad)); + memcpy(plaintext + sizeof(aad), buf, size); + + tfm =3D crypto_alloc_aead("gcm(aes)", 0, 0); + if (IS_ERR(tfm)) { + ret =3D PTR_ERR(tfm); + goto free_plaintext; + } + + crypto_aead_setkey(tfm, key, AES_KEYSIZE_128); + crypto_aead_setauthsize(tfm, NXP_ENC_AUTH_TAG_SIZE); + + req =3D aead_request_alloc(tfm, GFP_KERNEL); + if (!req) { + ret =3D -ENOMEM; + goto free_tfm; + } + + sg_init_one(&src, plaintext, size + NXP_ENC_AUTH_TAG_SIZE); + sg_init_one(&dst, ciphertext, sizeof(aad) + size + NXP_ENC_AUTH_TAG_SIZE); + init_completion(&nxpdev->crypto.completion); + + aead_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, + nxp_aead_complete, &nxpdev->crypto); + aead_request_set_crypt(req, &src, &dst, size, iv); + aead_request_set_ad(req, sizeof(aad)); + + ret =3D crypto_aead_encrypt(req); + if (ret =3D=3D -EINPROGRESS || ret =3D=3D -EBUSY) { + wait_for_completion(&nxpdev->crypto.completion); + ret =3D nxpdev->crypto.decrypt_result; + } + if (!ret) { + memcpy(buf, ciphertext + sizeof(aad), size); + memcpy(auth_tag, ciphertext + size + sizeof(aad), NXP_ENC_AUTH_TAG_SIZE); + } + + aead_request_free(req); +free_tfm: + crypto_free_aead(tfm); +free_plaintext: + kfree(plaintext); +free_ciphertext: + kfree(ciphertext); + return ret; +} + +static int nxp_handshake_decrypt_verify(struct hci_dev *hdev, void *buf, s= ize_t size, + u8 auth_tag[16], + u8 traffic_secret[SHA256_DIGEST_SIZE]) +{ + u8 key[AES_KEYSIZE_128] =3D {0}; + u8 iv[GCM_AES_IV_SIZE] =3D {0}; + + nxp_hkdf_expand_label(traffic_secret, NXP_TLS_KEYING_KEY_LABEL, NULL, 0, + key, AES_KEYSIZE_128); + nxp_hkdf_expand_label(traffic_secret, 
NXP_TLS_KEYING_IV_LABEL, NULL, 0, + iv, GCM_AES_IV_SIZE); + + return nxp_aes_gcm_decrypt(hdev, buf, size, auth_tag, key, iv); +} + +static int nxp_handshake_encrypt(struct hci_dev *hdev, void *buf, + size_t size, u8 auth_tag[16], + u8 traffic_secret[SHA256_DIGEST_SIZE]) +{ + u8 key[AES_KEYSIZE_128] =3D {0}; + u8 iv[GCM_AES_IV_SIZE] =3D {0}; + + nxp_hkdf_expand_label(traffic_secret, NXP_TLS_KEYING_KEY_LABEL, NULL, + 0, key, AES_KEYSIZE_128); + nxp_hkdf_expand_label(traffic_secret, NXP_TLS_KEYING_IV_LABEL, NULL, + 0, iv, GCM_AES_IV_SIZE); + + return nxp_aes_gcm_encrypt(hdev, buf, size, auth_tag, key, iv); +} + +static int nxp_p256_ecdsa_verify(const u8 sig[64], const u8 pub[65], + const u8 *hash, size_t hash_len) +{ + struct public_key_signature sig_info =3D {0}; + struct public_key pub_key =3D {0}; + int ret; + + sig_info.s =3D (u8 *)sig; + sig_info.s_size =3D 64; + sig_info.digest =3D (u8 *)hash; + sig_info.digest_size =3D hash_len; + sig_info.pkey_algo =3D "ecdsa"; + sig_info.hash_algo =3D "sha256"; + sig_info.encoding =3D "p1363"; + + pub_key.key =3D (void *)pub; + pub_key.keylen =3D 65; + pub_key.algo =3D OID_id_ecPublicKey; + pub_key.key_is_private =3D false; + pub_key.pkey_algo =3D "ecdsa-nist-p256"; + pub_key.id_type =3D NULL; + + ret =3D public_key_verify_signature(&pub_key, &sig_info); + if (ret) + pr_err("ECDSA signature verification failed: %d\n", ret); + + return ret; +} + +static int nxp_device_hello_sig_verify(struct hci_dev *hdev, struct nxp_tl= s_device_hello *msg) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + u8 hash_sig[SHA256_DIGEST_SIZE]; + + nxp_handshake_sig_hash(nxpdev->crypto.handshake_h2_hash, + "D HS SIG", 8, hash_sig); + return nxp_p256_ecdsa_verify(msg->enc.device_handshake_sig.sig, + nxpdev->crypto.ecdsa_public, + hash_sig, SHA256_DIGEST_SIZE); +} + +static int nxp_write_finished(struct hci_dev *hdev, + const u8 hs_traffic_secret[SHA256_DIGEST_SIZE], + u8 verify_data[SHA256_DIGEST_SIZE]) +{ + struct btnxpuart_dev *nxpdev 
=3D hci_get_drvdata(hdev); + u8 transcript_hash[SHA256_DIGEST_SIZE]; + u8 finished_key[SHA256_DIGEST_SIZE]; + int ret =3D 0; + + ret =3D nxp_crypto_shash_final(nxpdev->crypto.tls_handshake_hash_desc, + transcript_hash); + if (ret) + return ret; + + ret =3D nxp_hkdf_expand_label(hs_traffic_secret, NXP_TLS_FINISHED_LABEL, + NULL, 0, finished_key, sizeof(finished_key)); + if (ret) + return ret; + + nxp_hkdf_sha256_extract(finished_key, SHA256_DIGEST_SIZE, transcript_hash, + SHA256_DIGEST_SIZE, verify_data); + + return 0; +} + +static int nxp_verify_device_finished(struct hci_dev *hdev, + struct nxp_tls_device_hello *msg, + const u8 hs_traffic_secret[SHA256_DIGEST_SIZE]) +{ + u8 verify_data[SHA256_DIGEST_SIZE] =3D {0}; + int ret =3D 0; + + ret =3D nxp_write_finished(hdev, hs_traffic_secret, verify_data); + if (ret) + return ret; + + if (memcmp(verify_data, msg->enc.device_finished.verify_data, + SHA256_DIGEST_SIZE)) + return -EBADMSG; + + return 0; +} + static int nxp_process_device_hello(struct hci_dev *hdev, struct nxp_tls_d= evice_hello *msg) { struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); 
@@ -2025,9 +2416,51 @@ static int nxp_process_device_hello(struct hci_dev *= hdev, struct nxp_tls_device_ if (ret) goto fail; =20 - /* TODO: Verify Signature in Device Hello using ECDSA Public Key - * extracted from the FW metadata. + ret =3D nxp_handshake_decrypt_verify(hdev, &msg->enc, sizeof(msg->enc), + msg->auth_tag, hs_traffic_secret); + if (ret) + goto fail; + + /* + * Verify ECDSA signature handshake_sig using Device's public key from FW= metadata. + * + * This is the key point where Device authentication happens: + * - Host generates a random (HostHello.random) + * - Device signs the entire handshake (incl. Host's random) with its + * private key (DeviceHello.device_handshake_sig) + * - Host now verifies ECDSA signature generated by device using Device's + * public key + * + * Only the device that possesses the proper private key could sign the + * Host's random. + * If the device is an impostor and does not pose a valid private key, + * the handshake will fail at this point. */ + ret =3D nxp_get_pub_key(hdev, &msg->enc.device_info, nxpdev->crypto.ecdsa= _public); + if (ret) + goto fail; + + ret =3D nxp_device_hello_sig_verify(hdev, msg); + if (ret) + goto fail; + + ret =3D crypto_shash_update(nxpdev->crypto.tls_handshake_hash_desc, + (u8 *)&msg->enc, + DEVICE_HELLO_FINISHED_ENC_CUTOFF_POS); + if (ret) + goto fail; + + ret =3D nxp_verify_device_finished(hdev, msg, hs_traffic_secret); + if (ret) + goto fail; + + ret =3D crypto_shash_update(nxpdev->crypto.tls_handshake_hash_desc, + (u8 *)&msg->enc.device_finished, + sizeof(msg->enc.device_finished)); + if (ret) + goto fail; + + memset(hs_traffic_secret, 0, SHA256_DIGEST_SIZE); =20 fail: memset(shared_secret, 0, 32); 
@@ -2035,6 +2468,64 @@ static int nxp_process_device_hello(struct hci_dev *= hdev, struct nxp_tls_device_ return ret; } =20 +static int nxp_host_do_finished(struct hci_dev *hdev) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + union nxp_tls_host_finished_payload finished; + struct nxp_tls_host_finished *msg =3D &finished.host_finished; + u8 hs_traffic_secret[SHA256_DIGEST_SIZE]; + struct sk_buff *skb; + u8 *status; + int ret =3D 0; + + memset(msg, 0, sizeof(*msg)); + nxp_tls_hdr_init(&msg->hdr, sizeof(*msg), NXP_TLS_HOST_FINISHED); + + crypto_shash_update(nxpdev->crypto.tls_handshake_hash_desc, + (u8 *)msg, HOST_FINISHED_CUTOFF_POS); + + ret =3D nxp_hkdf_derive_secret(nxpdev->crypto.handshake_secret, + NXP_TLS_HOST_HS_TS_LABEL, + nxpdev->crypto.handshake_h2_hash, + hs_traffic_secret); + if (ret) + return ret; + + ret =3D nxp_write_finished(hdev, hs_traffic_secret, + msg->enc.host_finished.verify_data); + if (ret) + return ret; + + crypto_shash_update(nxpdev->crypto.tls_handshake_hash_desc, + (u8 *)&msg->enc.host_finished, sizeof(msg->enc.host_finished)); + + nxp_handshake_encrypt(hdev, &msg->enc, sizeof(msg->enc), + msg->auth_tag, hs_traffic_secret); + + finished.msg_type =3D 0x01; + + skb =3D __hci_cmd_sync(hdev, HCI_NXP_SHI_ENCRYPT, + sizeof(finished), finished.buf, + HCI_CMD_TIMEOUT); + if (IS_ERR(skb)) { + bt_dev_err(hdev, "Host Finished error %ld", PTR_ERR(skb)); + return PTR_ERR(skb); + } + status =3D skb_pull_data(skb, 1); + if (!status) { + ret =3D -EIO; + goto fail; + } + if (*status) { + ret =3D -EIO; + bt_dev_err(hdev, "Host Finished status error: %d", *status); + } + +fail: + kfree_skb(skb); + return ret; +} + static int nxp_authenticate_device(struct hci_dev *hdev) { struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); 
@@ -2085,10 +2576,13 @@ static int nxp_authenticate_device(struct hci_dev *= hdev) if (ret) goto free_skb; =20 + ret =3D nxp_host_do_finished(hdev); + if (ret) + goto free_skb; + /* TODO: Implement actual TLS handshake protocol * This will include: - * 1. Send Host Finish TLS message - * 2. Master secret and traffic key derivation + * 1. Master secret and traffic key derivation */ =20 free_skb: --=20 2.43.0
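
Review bot: The completion and decrypt_result fields added to struct btnxpuart_crypto (hunk @@ -204,11) hand-roll what DECLARE_CRYPTO_WAIT(), crypto_req_done() and crypto_wait_req() already provide, and nxp_generate_ecdh_public_key() in this same file already uses DECLARE_CRYPTO_WAIT(result), as the context of the @@ -1700,6 hunk shows. Because the wait state lives in the per-device struct, two AEAD requests in flight at once would share one completion, and nxp_aes_gcm_encrypt() reads its status out of a field named decrypt_result. Suggest an on-stack crypto wait in both AEAD helpers and dropping the two fields.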
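
Review bot: In nxp_get_pub_key() (hunk @@ -1700,6) the early return on ecdsa_pub_key[0] == 0x04 skips the fw_uuid versus device_info->uuid comparison whenever a key is already cached, so the UUID reported in the Device Hello is only checked on the path that reloads the firmware file. The one caller in this patch passes nxpdev->crypto.ecdsa_public as ecdsa_pub_key, which also makes the final memcpy(ecdsa_pub_key, nxpdev->crypto.ecdsa_public, 65) a copy of a buffer onto itself, something memcpy() does not allow. Suggest running the UUID check on both paths, dropping the output parameter or the memcpy, and replacing the literals 16 and 65 with NXP_FW_UUID_SIZE and NXP_FW_ECDSA_PUBKEY_SIZE.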
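
Review bot: nxp_verify_device_finished() (hunk @@ -1971,6) compares the computed verify_data with the received one using memcmp(), which is not constant-time; a MAC comparison in the kernel should use crypto_memneq(). In the same hunk several return values are dropped: nxp_device_hello_sig_verify() ignores the result of nxp_handshake_sig_hash(), so an allocation failure there passes an uninitialised hash_sig to the ECDSA verify, nxp_handshake_sig_hash() itself ignores crypto_shash_init/update/final, and the AES-GCM helpers ignore crypto_aead_setkey(), crypto_aead_setauthsize() and nxp_hkdf_expand_label(). The on-stack key, iv and verify_data copies are also never wiped, although the commit message lists secure cleanup of cryptographic material; memzero_explicit() before each return would cover that.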
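
Review bot: In nxp_process_device_hello() (hunk @@ -2025,9) the new memset(hs_traffic_secret, 0, SHA256_DIGEST_SIZE) sits above the fail: label, so every "goto fail" added here (decrypt failure, public key lookup, signature check, finished check) jumps past it, and of the cleanup visible after the label only shared_secret is cleared. Suggest moving the wipe below fail: so it runs on error paths too, and using memzero_explicit() since a plain memset() of a buffer that is not read again may be optimised away. Nit in the new comment: "does not pose a valid private key" should read "possess".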
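
Review bot: nxp_host_do_finished() (hunk @@ -2035,6) ignores the return value of nxp_handshake_encrypt(), and since nxp_aes_gcm_encrypt() only copies ciphertext back on success, a failed encryption leaves msg->enc in plaintext with a zero auth_tag and the function still sends it through __hci_cmd_sync(). Suggest checking the result and bailing out before the command is issued, checking the two crypto_shash_update() calls as well, and wiping hs_traffic_secret and the finished payload with memzero_explicit() on every exit path, including the early "return ret" cases. The buf[125] size in union nxp_tls_host_finished_payload (hunk @@ -478,9) would be easier to audit as a named constant or a sizeof expression.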

From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 08/11] Bluetooth: btnxpuart: Derive traffic keys from TLS 1.3 handshake
Date: Fri, 28 Nov 2025 14:44:40 +0530
Message-ID: <20251128091443.2797316-9-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
Content-Transfer-Encoding: quoted-printable

This completes the TLS handshake implementation by adding master secret derivation and traffic key generation.

These traffic keys will be used to encrypt/decrypt sensitive HCI commands, responses and events.

Signed-off-by: Neeraj Sanjay Kale
---
 drivers/bluetooth/btnxpuart.c | 88 +++++++++++++++++++++++++++++++++--
 1 file changed, 84 insertions(+), 4 deletions(-)

diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index 9ed4cece7e42..cabed02e0964 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -206,6 +206,16 @@ enum bootloader_param_change { changed }; =20 +struct nxp_tls_traffic_keys { + u8 h2d_secret[SHA256_DIGEST_SIZE]; + u8 d2h_secret[SHA256_DIGEST_SIZE]; + /* These keys below should be used for message encryption/decryption */ + u8 h2d_iv[GCM_AES_IV_SIZE]; + u8 h2d_key[AES_KEYSIZE_128]; + u8 d2h_iv[GCM_AES_IV_SIZE]; + u8 d2h_key[AES_KEYSIZE_128]; +}; + struct btnxpuart_crypto { struct crypto_shash *tls_handshake_hash_tfm; struct shash_desc *tls_handshake_hash_desc; @@ -215,8 +225,10 @@ struct btnxpuart_crypto { u8 fw_uuid[NXP_FW_UUID_SIZE]; u8 handshake_h2_hash[SHA256_DIGEST_SIZE]; u8 handshake_secret[SHA256_DIGEST_SIZE]; + u8 master_secret[SHA256_DIGEST_SIZE]; struct completion completion; int decrypt_result; + struct nxp_tls_traffic_keys keys; }; =20 struct btnxpuart_dev { 
@@ -416,7 +428,10 @@ union nxp_set_bd_addr_payload { #define NXP_TLS_KEYING_IV_LABEL NXP_TLS_LABEL("iv") #define NXP_TLS_KEYING_KEY_LABEL NXP_TLS_LABEL("key") #define NXP_TLS_FINISHED_LABEL NXP_TLS_LABEL("finished") +#define NXP_TLS_DERIVED_LABEL NXP_TLS_LABEL("derived") #define NXP_TLS_HOST_HS_TS_LABEL NXP_TLS_LABEL("H HS TS") +#define NXP_TLS_D_AP_TS_LABEL NXP_TLS_LABEL("D AP TS") +#define NXP_TLS_H_AP_TS_LABEL NXP_TLS_LABEL("H AP TS") =20 enum nxp_tls_signature_algorithm { NXP_TLS_ECDSA_SECP256R1_SHA256 =3D 0x0403, 
@@ -2526,6 +2541,71 @@ static int nxp_host_do_finished(struct hci_dev *hdev) return ret; } =20 +static void nxp_handshake_derive_master_secret(u8 master_secret[SHA256_DIG= EST_SIZE], + u8 handshake_secret[SHA256_DIGEST_SIZE]) +{ + u8 zeros[SHA256_DIGEST_SIZE] =3D {0}; + u8 dhs[SHA256_DIGEST_SIZE]; + + /* Derive intermediate secret */ + nxp_hkdf_expand_label(handshake_secret, NXP_TLS_DERIVED_LABEL, + NULL, 0, dhs, sizeof(dhs)); + /* Extract master secret from derived handshake secret */ + nxp_hkdf_sha256_extract(dhs, SHA256_DIGEST_SIZE, zeros, + sizeof(zeros), master_secret); + + memset(dhs, 0, sizeof(dhs)); +} + +static int nxp_handshake_derive_traffic_keys(struct hci_dev *hdev) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct nxp_tls_traffic_keys *keys =3D &nxpdev->crypto.keys; + u8 hash[SHA256_DIGEST_SIZE]; + int ret =3D 0; + + ret =3D crypto_shash_final(nxpdev->crypto.tls_handshake_hash_desc, hash); + if (ret) + return ret; + + ret =3D nxp_hkdf_derive_secret(nxpdev->crypto.master_secret, + NXP_TLS_D_AP_TS_LABEL, hash, keys->d2h_secret); + if (ret) + return ret; + + ret =3D nxp_hkdf_expand_label(keys->d2h_secret, + NXP_TLS_KEYING_KEY_LABEL, NULL, 0, + keys->d2h_key, AES_KEYSIZE_128); + if (ret) + return ret; + + ret =3D nxp_hkdf_expand_label(keys->d2h_secret, + NXP_TLS_KEYING_IV_LABEL, NULL, 0, + keys->d2h_iv, GCM_AES_IV_SIZE); + if (ret) + return ret; + + ret =3D nxp_hkdf_derive_secret(nxpdev->crypto.master_secret, + NXP_TLS_H_AP_TS_LABEL, hash, keys->h2d_secret); + if (ret) + return ret; + + ret =3D nxp_hkdf_expand_label(keys->h2d_secret, + NXP_TLS_KEYING_KEY_LABEL, NULL, 0, + keys->h2d_key, AES_KEYSIZE_128); + if (ret) + return ret; + + ret =3D nxp_hkdf_expand_label(keys->h2d_secret, + NXP_TLS_KEYING_IV_LABEL, NULL, 0, + keys->h2d_iv, GCM_AES_IV_SIZE); + if (ret) + return ret; + + memset(hash, 0, sizeof(hash)); + return ret; +} + static int nxp_authenticate_device(struct hci_dev *hdev) { struct btnxpuart_dev *nxpdev =3D 
hci_get_drvdata(hdev); 
@@ -2580,10 +2660,10 @@ static int nxp_authenticate_device(struct hci_dev *= hdev) if (ret) goto free_skb; =20 - /* TODO: Implement actual TLS handshake protocol - * This will include: - * 1. Master secret and traffic key derivation - */ + nxp_handshake_derive_master_secret(nxpdev->crypto.master_secret, + nxpdev->crypto.handshake_secret); + + nxp_handshake_derive_traffic_keys(hdev); =20 free_skb: kfree_skb(skb); --=20 2.43.0
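Review bot: nxp_handshake_derive_master_secret() is void and drops the result of nxp_hkdf_expand_label(), although the same helper's return value is checked on every call in nxp_handshake_derive_traffic_keys() right below it; if the expand fails, dhs is uninitialised stack memory and master_secret is extracted from it. Make the function return int and propagate the error. In nxp_handshake_derive_traffic_keys() every early `return ret` skips the final memset(hash, ...) and can leave the keys struct half filled; route the error paths through one exit label that wipes hash and, on failure, the keys. The wipes of the stack secrets dhs and hash should use memzero_explicit() so the compiler cannot drop them as dead stores.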
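Review bot: the return value of nxp_handshake_derive_traffic_keys(hdev) is discarded at the end of nxp_authenticate_device(), so a failed derivation falls through to free_skb with ret still 0 from the preceding `if (ret) goto free_skb;` and the handshake is reported as successful with unset or partial traffic keys. Assign the result (`ret = nxp_handshake_derive_traffic_keys(hdev);`) and do the same for the master secret step once that helper returns a status.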
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 09/11] Bluetooth: btnxpuart: Add command encryption for sensitive HCI commands
Date: Fri, 28 Nov 2025 14:44:41 +0530
Message-ID: <20251128091443.2797316-10-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
This adds support for command encryption for sensitive HCI commands when secure interface is enabled. These commands contain sensitive data such as Link Key in plain text over UART lines. AES-GCM encryption is used to encrypt sensitive commands using encryption key and IV derived from traffic keys.

Signed-off-by: Neeraj Sanjay Kale
--- v2: Fix cocci warnings. (kernel test robot)
--- drivers/bluetooth/btnxpuart.c | 81 +++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index cabed02e0964..e2be9012ef58 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -159,6 +159,7 @@ #define NXP_FW_UUID_SIZE 16 #define NXP_FW_ECDH_PUBKEY_SIZE 64 #define NXP_FW_ECDSA_PUBKEY_SIZE 65 +#define NXP_MAX_ENCRYPT_CMD_LEN 256 =20 struct ps_data { u8 target_ps_mode; /* ps mode to be set */ @@ -226,6 +227,7 @@ struct btnxpuart_crypto { u8 handshake_h2_hash[SHA256_DIGEST_SIZE]; u8 handshake_secret[SHA256_DIGEST_SIZE]; u8 master_secret[SHA256_DIGEST_SIZE]; + u64 enc_seq_no; struct completion completion; int decrypt_result; struct nxp_tls_traffic_keys keys; 
@@ -2682,6 +2684,71 @@ static int nxp_authenticate_device(struct hci_dev *h= dev) return ret; } =20 +static void nxp_data_calc_nonce(u8 iv[GCM_AES_IV_SIZE], u64 seq_no, + u8 nonce[GCM_AES_IV_SIZE]) +{ + u64 tmp; + + /* XOR sequence number with IV to create unique nonce */ + memcpy(&tmp, iv, sizeof(tmp)); + tmp ^=3D seq_no; + memcpy(nonce, &tmp, sizeof(tmp)); + memcpy(nonce + sizeof(tmp), iv + sizeof(tmp), + GCM_AES_IV_SIZE - sizeof(tmp)); +} + +static struct sk_buff *nxp_crypto_encrypt_cmd(struct hci_dev *hdev, + struct sk_buff *skb) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + __le16 vendor_opcode =3D __cpu_to_le16(HCI_NXP_SHI_ENCRYPT); + u8 nonce[GCM_AES_IV_SIZE]; + u8 tag[NXP_ENC_AUTH_TAG_SIZE]; + u8 *enc_data; + u8 sub_opcode =3D 0x10; + int ret; + u32 plen, enc_data_len; + struct nxp_tls_traffic_keys *keys =3D &nxpdev->crypto.keys; + + if (skb->len > NXP_MAX_ENCRYPT_CMD_LEN) { + bt_dev_err(hdev, "Invalid skb->len: %d", skb->len); + return skb; + } + + nxp_data_calc_nonce(keys->h2d_iv, nxpdev->crypto.enc_seq_no, nonce); + + enc_data_len =3D skb->len; + enc_data =3D kmemdup(skb->data, skb->len, GFP_KERNEL); + if (!enc_data) + return skb; + + ret =3D nxp_aes_gcm_encrypt(hdev, enc_data, enc_data_len, tag, + keys->h2d_key, nonce); + if (ret) { + kfree(enc_data); + return skb; + } + + kfree_skb(skb); + + plen =3D enc_data_len + NXP_ENC_AUTH_TAG_SIZE + 1; + skb =3D bt_skb_alloc(plen, GFP_ATOMIC); + if (!skb) { + kfree(enc_data); + return ERR_PTR(-ENOMEM); + } + hci_skb_pkt_type(skb) =3D HCI_COMMAND_PKT; + skb_put_data(skb, &vendor_opcode, 2); + skb_put_data(skb, &plen, 1); + skb_put_data(skb, &sub_opcode, 1); + skb_put_data(skb, enc_data, enc_data_len); + skb_put_data(skb, tag, NXP_ENC_AUTH_TAG_SIZE); + + nxpdev->crypto.enc_seq_no++; + kfree(enc_data); + return skb; +} + /* NXP protocol */ static int nxp_setup(struct hci_dev *hdev) { 
@@ -2885,6 +2952,20 @@ static int nxp_enqueue(struct hci_dev *hdev, struct = sk_buff *skb) goto free_skb; } break; + case HCI_OP_LINK_KEY_REPLY: + case HCI_OP_LE_START_ENC: + case HCI_OP_LE_LTK_REPLY: + case HCI_OP_LE_ADD_TO_RESOLV_LIST: + if (nxpdev->secure_interface) { + /* Re-alloc skb and encrypt sensitive command + * and payload. Command complete event + * won't be encrypted. + */ + skb =3D nxp_crypto_encrypt_cmd(hdev, skb); + if (IS_ERR(skb)) + return PTR_ERR(skb); + } + break; default: break; } --=20 2.43.0
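Review bot: nxp_crypto_encrypt_cmd() fails open: on the NXP_MAX_ENCRYPT_CMD_LEN check, on kmemdup() failure and on nxp_aes_gcm_encrypt() failure it returns the original skb, which nxp_enqueue() then carries on with, so the Link Key or LTK goes out in plaintext on exactly the paths this patch is meant to protect. Free the skb and return an ERR_PTR in all three cases, as the bt_skb_alloc() failure path already does. The new skb is also undersized: bt_skb_alloc(plen, ...) asks for enc_data_len + tag + 1 bytes, while the five skb_put_data() calls append 2 + 1 + 1 + enc_data_len + tag, three bytes more; allocate for the whole frame. plen is a u32 written with `skb_put_data(skb, &plen, 1)`, which copies the wrong byte on big-endian hosts and cannot hold the value once skb->len gets near the 256-byte limit, so make it a u8 and bound the input so the total fits in 255. nxp_data_calc_nonce() XORs seq_no through a host-endian u64 memcpy; use get_unaligned_le64()/put_unaligned_le64(), or whichever byte order the firmware expects, so the nonce matches the controller on every architecture.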
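Review bot: the `if (IS_ERR(skb)) return PTR_ERR(skb);` exit in nxp_enqueue() returns a negative error after nxp_crypto_encrypt_cmd() has already called kfree_skb() on the original buffer, while the other error exits visible in this function go through free_skb. Confirm the caller does not free the skb a second time on a negative return, or keep ownership in one place by having the helper leave the original skb untouched on failure and letting nxp_enqueue() free it.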
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 10/11] Bluetooth: btnxpuart: Add encrypted event handling
Date: Fri, 28 Nov 2025 14:44:42 +0530
Message-ID: <20251128091443.2797316-11-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
This adds support for receiving and decrypting vendor events from secure NXP chip and forwarding the decrypted sensitive HCI events to the BT stack. The NXP BT chip encrypts the Link Key Notification event that is usually sent in plaintext over UART lines.

Signed-off-by: Neeraj Sanjay Kale
--- drivers/bluetooth/btnxpuart.c | 99 ++++++++++++++++++++++++++++++++++- 1 file changed, 98 insertions(+), 1 deletion(-) diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c index e2be9012ef58..115f727c2572 100644 --- a/drivers/bluetooth/btnxpuart.c +++ b/drivers/bluetooth/btnxpuart.c @@ -228,6 +228,7 @@ struct btnxpuart_crypto { u8 handshake_secret[SHA256_DIGEST_SIZE]; u8 master_secret[SHA256_DIGEST_SIZE]; u64 enc_seq_no; + u64 dec_seq_no; struct completion completion; int decrypt_result; struct nxp_tls_traffic_keys keys; 
@@ -2749,6 +2750,102 @@ static struct sk_buff *nxp_crypto_encrypt_cmd(struc= t hci_dev *hdev, return skb; } =20 +static int nxp_crypto_event(struct hci_dev *hdev, struct sk_buff *skb) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + int ciphertext_size; + u8 *ciphertext; + u8 aes_gcm_tag[NXP_ENC_AUTH_TAG_SIZE]; + u8 nonce[GCM_AES_IV_SIZE]; + int ret; + struct sk_buff *event_skb; + struct nxp_tls_traffic_keys *keys =3D &nxpdev->crypto.keys; + + if (skb->len < NXP_ENC_AUTH_TAG_SIZE) { + bt_dev_err(hdev, "Encrypted event too short: %d", skb->len); + return -EINVAL; + } + ciphertext_size =3D skb->len - NXP_ENC_AUTH_TAG_SIZE; + ciphertext =3D kzalloc(ciphertext_size, GFP_KERNEL); + if (!ciphertext) + return -ENOMEM; + + memcpy(ciphertext, skb->data, ciphertext_size); + memcpy(aes_gcm_tag, skb->data + ciphertext_size, NXP_ENC_AUTH_TAG_SIZE); + + nxp_data_calc_nonce(keys->d2h_iv, nxpdev->crypto.dec_seq_no, nonce); + + ret =3D nxp_aes_gcm_decrypt(hdev, ciphertext, ciphertext_size, + aes_gcm_tag, keys->d2h_key, nonce); + if (ret) { + kfree(ciphertext); + return ret; + } + + event_skb =3D bt_skb_alloc(ciphertext_size, GFP_ATOMIC); + if (!event_skb) { + kfree(ciphertext); + return -ENOMEM; + } + + hci_skb_pkt_type(event_skb) =3D HCI_EVENT_PKT; + skb_put_data(event_skb, ciphertext, ciphertext_size); + + nxpdev->crypto.dec_seq_no++; + + kfree(ciphertext); + + /* Inject Decrypted Event to upper stack */ + return hci_recv_frame(hdev, event_skb); +} + +static int nxp_process_vendor_event(struct hci_dev *hdev, struct sk_buff *= skb) +{ + struct btnxpuart_dev *nxpdev =3D hci_get_drvdata(hdev); + struct hci_event_hdr *vendor_event_hdr; + u8 *vendor_sub_event; + + vendor_event_hdr =3D (struct hci_event_hdr *)skb_pull_data(skb, + sizeof(*vendor_event_hdr)); + if (!vendor_event_hdr) + goto free_skb; + + if (!vendor_event_hdr->plen) + goto free_skb; + + vendor_sub_event =3D skb_pull_data(skb, 1); + if (!vendor_sub_event) + goto free_skb; + + switch (*vendor_sub_event) { + 
case 0x23: + break; // Power Save Enable/Disable vendor response. Can be ignored. + case 0xe3: + if (nxpdev->secure_interface) + nxp_crypto_event(hdev, skb); + else + bt_dev_warn(hdev, "Unexpected encrypted event"); + break; + default: + bt_dev_err(hdev, "Unknown vendor event subtype: %d", *vendor_sub_event); + break; + } + +free_skb: + kfree_skb(skb); + return 0; +} + +static int nxp_recv_event_frame(struct hci_dev *hdev, struct sk_buff *skb) +{ + u8 event =3D hci_event_hdr(skb)->evt; + + if (event =3D=3D 0xff) + return nxp_process_vendor_event(hdev, skb); + else + return hci_recv_frame(hdev, skb); +} + /* NXP protocol */ static int nxp_setup(struct hci_dev *hdev) { 
@@ -3076,7 +3173,7 @@ static int btnxpuart_flush(struct hci_dev *hdev) static const struct h4_recv_pkt nxp_recv_pkts[] =3D { { H4_RECV_ACL, .recv =3D nxp_recv_acl_pkt }, { H4_RECV_SCO, .recv =3D hci_recv_frame }, - { H4_RECV_EVENT, .recv =3D hci_recv_frame }, + { H4_RECV_EVENT, .recv =3D nxp_recv_event_frame }, { H4_RECV_ISO, .recv =3D hci_recv_frame }, { NXP_RECV_CHIP_VER_V1, .recv =3D nxp_recv_chip_ver_v1 }, { NXP_RECV_FW_REQ_V1, .recv =3D nxp_recv_fw_req_v1 }, --=20 2.43.0
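Review bot: in the `case 0xe3:` branch of nxp_process_vendor_event() the result of nxp_crypto_event() is ignored, so a failed GCM tag check or an allocation failure is dropped without any log (only the too-short case prints). Check the return value, report it with bt_dev_err(), and decide whether an authentication failure should tear the secure session down, since dec_seq_no only advances on success and the two sides have no visible way to resynchronise. The ciphertext buffer is decrypted in place and then holds the Link Key Notification, so release it with kfree_sensitive() rather than kfree(); kmemdup() would also replace the kzalloc() plus memcpy() pair. The sub-event values 0x23 and 0xe3 and the 0xff in nxp_recv_event_frame() deserve named constants (HCI_EV_VENDOR already exists for 0xff).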
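Review bot: switching H4_RECV_EVENT to nxp_recv_event_frame() means every 0xff vendor event is now consumed by the driver: nxp_process_vendor_event() frees the skb and returns 0 for all sub-events, including the default branch, where hci_recv_frame() used to receive them. If the stack or monitoring tools rely on any other vendor event, forward unknown sub-events to hci_recv_frame() instead, looking at the sub-event before skb_pull_data() so the frame is passed on intact; otherwise state in the commit message that dropping them is intended.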
From: Neeraj Sanjay Kale
To: marcel@holtmann.org, luiz.dentz@gmail.com
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, amitkumar.karwar@nxp.com, sherry.sun@nxp.com, dmitrii.lebed@nxp.com, neeraj.sanjaykale@nxp.com
Subject: [PATCH v2 11/11] Bluetooth: btnxpuart: Select crypto algorithms for secure interface
Date: Fri, 28 Nov 2025 14:44:43 +0530
Message-ID: <20251128091443.2797316-12-neeraj.sanjaykale@nxp.com>
In-Reply-To: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>
References: <20251128091443.2797316-1-neeraj.sanjaykale@nxp.com>

This adds crypto dependencies (ECDSA, ECDH, AES-GCM, SHA256, HMAC) needed for TLS-based secure host interface authentication and encryption.

Signed-off-by: Neeraj Sanjay Kale
--- drivers/bluetooth/Kconfig | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/bluetooth/Kconfig b/drivers/bluetooth/Kconfig index c5d45cf91f88..ccbd2e13977e 100644 --- a/drivers/bluetooth/Kconfig +++ b/drivers/bluetooth/Kconfig @@ -493,6 +493,13 @@ config BT_NXPUART select BT_HCIUART_H4 select CRC32 select CRC8 + select CRYPTO + select CRYPTO_ECDSA + select CRYPTO_ECDH + select CRYPTO_AES + select CRYPTO_GCM + select CRYPTO_SHA256 + select CRYPTO_HMAC help NXP is serial driver required for NXP Bluetooth devices with UART interface. --=20 2.43.0
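Review bot: the seven `select CRYPTO_*` lines under `config BT_NXPUART` are unconditional, so every build of the driver pulls in ECDSA, ECDH, AES, GCM, SHA256 and HMAC even on systems whose controller never enables the secure interface. Consider gating them behind a separate sub-option for the secure host interface, and extend the `help` text to mention the feature, since it still describes only the plain UART driver. Because the selects arrive in 11/11 while 10/11 already calls nxp_crypto_event(), it is also worth checking that each intermediate commit builds and can allocate the algorithms it uses, or moving each select into the patch that first needs it.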