crypto: atmel-ecc - introduce Microchip / Atmel ECC driver

Add ECDH support for ATECC508A (I2C) device.

The device features hardware acceleration for the NIST standard
P256 prime curve and supports the complete key life cycle from
private key generation to ECDH key agreement.

Random private key generation is supported internally within
the device to ensure that the private key can never be known
outside of the device. If the user wants to use its own private
keys, the driver will fallback to the ecdh software implementation.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

5 files changed, 937 insertions, 0 deletions

diff --git a/Documentation/devicetree/bindings/crypto/atmel-crypto.txt b/Documentation/devicetree/bindings/crypto/atmel-crypto.txt
index f2aab3dc2b52..7de1a9674c70 100644
--- a/Documentation/devicetree/bindings/crypto/atmel-crypto.txt
+++ b/Documentation/devicetree/bindings/crypto/atmel-crypto.txt
@@ -66,3 +66,16 @@ sha@f8034000 {
         dmas = <&dma1 2 17>;
         dma-names = "tx";
 };
+
+* Eliptic Curve Cryptography (I2C)
+
+Required properties:
+- compatible : must be "atmel,atecc508a".
+- reg: I2C bus address of the device.
+- clock-frequency: must be present in the i2c controller node.
+
+Example:
+atecc508a@C0 {
+        compatible = "atmel,atecc508a";
+        reg = <0xC0>;
+};
diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig
index 5db825a469de..49397a9ae67c 100644
--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -525,6 +525,20 @@ config CRYPTO_DEV_ATMEL_SHA
           To compile this driver as a module, choose M here: the module
           will be called atmel-sha.
 
+config CRYPTO_DEV_ATMEL_ECC
+        tristate "Support for Microchip / Atmel ECC hw accelerator"
+        depends on ARCH_AT91 || COMPILE_TEST
+        depends on I2C
+        select CRYPTO_ECDH
+        select CRC16
+        help
+          Microhip / Atmel ECC hw accelerator.
+          Select this if you want to use the Microchip / Atmel module for
+          ECDH algorithm.
+
+          To compile this driver as a module, choose M here: the module
+          will be called atmel-ecc.
+
 config CRYPTO_DEV_CCP
         bool "Support for AMD Cryptographic Coprocessor"
         depends on ((X86 && PCI) || (ARM64 && (OF_ADDRESS || ACPI))) && HAS_IOMEM
diff --git a/drivers/crypto/Makefile b/drivers/crypto/Makefile
index 2c555a3393b2..de629165fde7 100644
--- a/drivers/crypto/Makefile
+++ b/drivers/crypto/Makefile
@@ -1,6 +1,7 @@
 obj-$(CONFIG_CRYPTO_DEV_ATMEL_AES) += atmel-aes.o
 obj-$(CONFIG_CRYPTO_DEV_ATMEL_SHA) += atmel-sha.o
 obj-$(CONFIG_CRYPTO_DEV_ATMEL_TDES) += atmel-tdes.o
+obj-$(CONFIG_CRYPTO_DEV_ATMEL_ECC) += atmel-ecc.o
 obj-$(CONFIG_CRYPTO_DEV_BFIN_CRC) += bfin_crc.o
 obj-$(CONFIG_CRYPTO_DEV_CAVIUM_ZIP) += cavium/
 obj-$(CONFIG_CRYPTO_DEV_CCP) += ccp/
diff --git a/drivers/crypto/atmel-ecc.c b/drivers/crypto/atmel-ecc.c
new file mode 100644
index 000000000000..66ab1021eba5
--- /dev/null
+++ b/drivers/crypto/atmel-ecc.c
@@ -0,0 +1,781 @@
+/*
+ * Microchip / Atmel ECC (I2C) driver.
+ *
+ * Copyright (c) 2017, Microchip Technology Inc.
+ * Author: Tudor Ambarus <tudor.ambarus@microchip.com>
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+ * may be copied, distributed, and modified under those terms.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ */
+
+#include <linux/bitrev.h>
+#include <linux/crc16.h>
+#include <linux/delay.h>
+#include <linux/device.h>
+#include <linux/err.h>
+#include <linux/errno.h>
+#include <linux/i2c.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/of_device.h>
+#include <linux/scatterlist.h>
+#include <linux/slab.h>
+#include <linux/workqueue.h>
+#include <crypto/internal/kpp.h>
+#include <crypto/ecdh.h>
+#include <crypto/kpp.h>
+#include "atmel-ecc.h"
+
+/* Used for binding tfm objects to i2c clients. */
+struct atmel_ecc_driver_data {
+        struct list_head i2c_client_list;
+        spinlock_t i2c_list_lock;
+} ____cacheline_aligned;
+
+static struct atmel_ecc_driver_data driver_data;
+
+/**
+ * atmel_ecc_i2c_client_priv - i2c_client private data
+ * @client              : pointer to i2c client device
+ * @i2c_client_list_node: part of i2c_client_list
+ * @lock                : lock for sending i2c commands
+ * @wake_token          : wake token array of zeros
+ * @wake_token_sz       : size in bytes of the wake_token
+ * @tfm_count           : number of active crypto transformations on i2c client
+ *
+ * Reads and writes from/to the i2c client are sequential. The first byte
+ * transmitted to the device is treated as the byte size. Any attempt to send
+ * more than this number of bytes will cause the device to not ACK those bytes.
+ * After the host writes a single command byte to the input buffer, reads are
+ * prohibited until after the device completes command execution. Use a mutex
+ * when sending i2c commands.
+ */
+struct atmel_ecc_i2c_client_priv {
+        struct i2c_client *client;
+        struct list_head i2c_client_list_node;
+        struct mutex lock;
+        u8 wake_token[WAKE_TOKEN_MAX_SIZE];
+        size_t wake_token_sz;
+        atomic_t tfm_count ____cacheline_aligned;
+};
+
+/**
+ * atmel_ecdh_ctx - transformation context
+ * @client     : pointer to i2c client device
+ * @fallback   : used for unsupported curves or when user wants to use its own
+ *               private key.
+ * @public_key : generated when calling set_secret(). It's the responsibility
+ *               of the user to not call set_secret() while
+ *               generate_public_key() or compute_shared_secret() are in flight.
+ * @curve_id   : elliptic curve id
+ * @n_sz       : size in bytes of the n prime
+ * @do_fallback: true when the device doesn't support the curve or when the user
+ *               wants to use its own private key.
+ */
+struct atmel_ecdh_ctx {
+        struct i2c_client *client;
+        struct crypto_kpp *fallback;
+        const u8 *public_key;
+        unsigned int curve_id;
+        size_t n_sz;
+        bool do_fallback;
+};
+
+/**
+ * atmel_ecc_work_data - data structure representing the work
+ * @ctx : transformation context.
+ * @cbk : pointer to a callback function to be invoked upon completion of this
+ *        request. This has the form:
+ *        callback(struct atmel_ecc_work_data *work_data, void *areq, u8 status)
+ *        where:
+ *        @work_data: data structure representing the work
+ *        @areq     : optional pointer to an argument passed with the original
+ *                    request.
+ *        @status   : status returned from the device.
+ * @areq: optional pointer to a user argument for use at callback time.
+ * @work: describes the task to be executed.
+ * @cmd : structure used for communicating with the device.
+ */
+struct atmel_ecc_work_data {
+        struct atmel_ecdh_ctx *ctx;
+        void (*cbk)(struct atmel_ecc_work_data *work_data, void *areq,
+                    u8 status);
+        void *areq;
+        struct work_struct work;
+        struct atmel_ecc_cmd cmd;
+};
+
+static u16 atmel_ecc_crc16(u16 crc, const u8 *buffer, size_t len)
+{
+        return cpu_to_le16(bitrev16(crc16(crc, buffer, len)));
+}
+
+/**
+ * atmel_ecc_checksum() - Generate 16-bit CRC as required by ATMEL ECC.
+ * CRC16 verification of the count, opcode, param1, param2 and data bytes.
+ * The checksum is saved in little-endian format in the least significant
+ * two bytes of the command. CRC polynomial is 0x8005 and the initial register
+ * value should be zero.
+ *
+ * @cmd : structure used for communicating with the device.
+ */
+static void atmel_ecc_checksum(struct atmel_ecc_cmd *cmd)
+{
+        u8 *data = &cmd->count;
+        size_t len = cmd->count - CRC_SIZE;
+        u16 *crc16 = (u16 *)(data + len);
+
+        *crc16 = atmel_ecc_crc16(0, data, len);
+}
+
+static void atmel_ecc_init_read_cmd(struct atmel_ecc_cmd *cmd)
+{
+        cmd->word_addr = COMMAND;
+        cmd->opcode = OPCODE_READ;
+        /*
+         * Read the word from Configuration zone that contains the lock bytes
+         * (UserExtra, Selector, LockValue, LockConfig).
+         */
+        cmd->param1 = CONFIG_ZONE;
+        cmd->param2 = DEVICE_LOCK_ADDR;
+        cmd->count = READ_COUNT;
+
+        atmel_ecc_checksum(cmd);
+
+        cmd->msecs = MAX_EXEC_TIME_READ;
+        cmd->rxsize = READ_RSP_SIZE;
+}
+
+static void atmel_ecc_init_genkey_cmd(struct atmel_ecc_cmd *cmd, u16 keyid)
+{
+        cmd->word_addr = COMMAND;
+        cmd->count = GENKEY_COUNT;
+        cmd->opcode = OPCODE_GENKEY;
+        cmd->param1 = GENKEY_MODE_PRIVATE;
+        /* a random private key will be generated and stored in slot keyID */
+        cmd->param2 = cpu_to_le16(keyid);
+
+        atmel_ecc_checksum(cmd);
+
+        cmd->msecs = MAX_EXEC_TIME_GENKEY;
+        cmd->rxsize = GENKEY_RSP_SIZE;
+}
+
+static int atmel_ecc_init_ecdh_cmd(struct atmel_ecc_cmd *cmd,
+                                   struct scatterlist *pubkey)
+{
+        size_t copied;
+
+        cmd->word_addr = COMMAND;
+        cmd->count = ECDH_COUNT;
+        cmd->opcode = OPCODE_ECDH;
+        cmd->param1 = ECDH_PREFIX_MODE;
+        /* private key slot */
+        cmd->param2 = cpu_to_le16(DATA_SLOT_2);
+
+        /*
+         * The device only supports NIST P256 ECC keys. The public key size will
+         * always be the same. Use a macro for the key size to avoid unnecessary
+         * computations.
+         */
+        copied = sg_copy_to_buffer(pubkey, 1, cmd->data, ATMEL_ECC_PUBKEY_SIZE);
+        if (copied != ATMEL_ECC_PUBKEY_SIZE)
+                return -EINVAL;
+
+        atmel_ecc_checksum(cmd);
+
+        cmd->msecs = MAX_EXEC_TIME_ECDH;
+        cmd->rxsize = ECDH_RSP_SIZE;
+
+        return 0;
+}
+
+/*
+ * After wake and after execution of a command, there will be error, status, or
+ * result bytes in the device's output register that can be retrieved by the
+ * system. When the length of that group is four bytes, the codes returned are
+ * detailed in error_list.
+ */
+static int atmel_ecc_status(struct device *dev, u8 *status)
+{
+        size_t err_list_len = ARRAY_SIZE(error_list);
+        int i;
+        u8 err_id = status[1];
+
+        if (*status != STATUS_SIZE)
+                return 0;
+
+        if (err_id == STATUS_WAKE_SUCCESSFUL || err_id == STATUS_NOERR)
+                return 0;
+
+        for (i = 0; i < err_list_len; i++)
+                if (error_list[i].value == err_id)
+                        break;
+
+        /* if err_id is not in the error_list then ignore it */
+        if (i != err_list_len) {
+                dev_err(dev, "%02x: %s:\n", err_id, error_list[i].error_text);
+                return err_id;
+        }
+
+        return 0;
+}
+
+static int atmel_ecc_wakeup(struct i2c_client *client)
+{
+        struct atmel_ecc_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
+        u8 status[STATUS_RSP_SIZE];
+        int ret;
+
+        /*
+         * The device ignores any levels or transitions on the SCL pin when the
+         * device is idle, asleep or during waking up. Don't check for error
+         * when waking up the device.
+         */
+        i2c_master_send(client, i2c_priv->wake_token, i2c_priv->wake_token_sz);
+
+        /*
+         * Wait to wake the device. Typical execution times for ecdh and genkey
+         * are around tens of milliseconds. Delta is chosen to 50 microseconds.
+         */
+        usleep_range(TWHI_MIN, TWHI_MAX);
+
+        ret = i2c_master_recv(client, status, STATUS_SIZE);
+        if (ret < 0)
+                return ret;
+
+        return atmel_ecc_status(&client->dev, status);
+}
+
+static int atmel_ecc_sleep(struct i2c_client *client)
+{
+        u8 sleep = SLEEP_TOKEN;
+
+        return i2c_master_send(client, &sleep, 1);
+}
+
+static void atmel_ecdh_done(struct atmel_ecc_work_data *work_data, void *areq,
+                            u8 status)
+{
+        struct kpp_request *req = areq;
+        struct atmel_ecdh_ctx *ctx = work_data->ctx;
+        struct atmel_ecc_cmd *cmd = &work_data->cmd;
+        size_t copied;
+        size_t n_sz = ctx->n_sz;
+
+        if (status)
+                goto free_work_data;
+
+        /* copy the shared secret */
+        copied = sg_copy_from_buffer(req->dst, 1, &cmd->data[RSP_DATA_IDX],
+                                     n_sz);
+        if (copied != n_sz)
+                status = -EINVAL;
+
+        /* fall through */
+free_work_data:
+        kzfree(work_data);
+        kpp_request_complete(req, status);
+}
+
+/*
+ * atmel_ecc_send_receive() - send a command to the device and receive its
+ *                            response.
+ * @client: i2c client device
+ * @cmd   : structure used to communicate with the device
+ *
+ * After the device receives a Wake token, a watchdog counter starts within the
+ * device. After the watchdog timer expires, the device enters sleep mode
+ * regardless of whether some I/O transmission or command execution is in
+ * progress. If a command is attempted when insufficient time remains prior to
+ * watchdog timer execution, the device will return the watchdog timeout error
+ * code without attempting to execute the command. There is no way to reset the
+ * counter other than to put the device into sleep or idle mode and then
+ * wake it up again.
+ */
+static int atmel_ecc_send_receive(struct i2c_client *client,
+                                  struct atmel_ecc_cmd *cmd)
+{
+        struct atmel_ecc_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
+        int ret;
+
+        mutex_lock(&i2c_priv->lock);
+
+        ret = atmel_ecc_wakeup(client);
+        if (ret)
+                goto err;
+
+        /* send the command */
+        ret = i2c_master_send(client, (u8 *)cmd, cmd->count + WORD_ADDR_SIZE);
+        if (ret < 0)
+                goto err;
+
+        /* delay the appropriate amount of time for command to execute */
+        msleep(cmd->msecs);
+
+        /* receive the response */
+        ret = i2c_master_recv(client, cmd->data, cmd->rxsize);
+        if (ret < 0)
+                goto err;
+
+        /* put the device into low-power mode */
+        ret = atmel_ecc_sleep(client);
+        if (ret < 0)
+                goto err;
+
+        mutex_unlock(&i2c_priv->lock);
+        return atmel_ecc_status(&client->dev, cmd->data);
+err:
+        mutex_unlock(&i2c_priv->lock);
+        return ret;
+}
+
+static void atmel_ecc_work_handler(struct work_struct *work)
+{
+        struct atmel_ecc_work_data *work_data =
+                        container_of(work, struct atmel_ecc_work_data, work);
+        struct atmel_ecc_cmd *cmd = &work_data->cmd;
+        struct i2c_client *client = work_data->ctx->client;
+        u8 status;
+
+        status = atmel_ecc_send_receive(client, cmd);
+        work_data->cbk(work_data, work_data->areq, status);
+}
+
+static void atmel_ecc_enqueue(struct atmel_ecc_work_data *work_data,
+                              void (*cbk)(struct atmel_ecc_work_data *work_data,
+                                          void *areq, u8 status),
+                              void *areq)
+{
+        work_data->cbk = (void *)cbk;
+        work_data->areq = areq;
+
+        INIT_WORK(&work_data->work, atmel_ecc_work_handler);
+        schedule_work(&work_data->work);
+}
+
+static unsigned int atmel_ecdh_supported_curve(unsigned int curve_id)
+{
+        if (curve_id == ECC_CURVE_NIST_P256)
+                return ATMEL_ECC_NIST_P256_N_SIZE;
+
+        return 0;
+}
+
+/*
+ * A random private key is generated and stored in the device. The device
+ * returns the pair public key.
+ */
+static int atmel_ecdh_set_secret(struct crypto_kpp *tfm, const void *buf,
+                                 unsigned int len)
+{
+        struct atmel_ecdh_ctx *ctx = kpp_tfm_ctx(tfm);
+        struct atmel_ecc_cmd *cmd;
+        void *public_key;
+        struct ecdh params;
+        int ret = -ENOMEM;
+
+        /* free the old public key, if any */
+        kfree(ctx->public_key);
+        /* make sure you don't free the old public key twice */
+        ctx->public_key = NULL;
+
+        if (crypto_ecdh_decode_key(buf, len, &params) < 0) {
+                dev_err(&ctx->client->dev, "crypto_ecdh_decode_key failed\n");
+                return -EINVAL;
+        }
+
+        ctx->n_sz = atmel_ecdh_supported_curve(params.curve_id);
+        if (!ctx->n_sz || params.key_size) {
+                /* fallback to ecdh software implementation */
+                ctx->do_fallback = true;
+                return crypto_kpp_set_secret(ctx->fallback, buf, len);
+        }
+
+        cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
+        if (!cmd)
+                return -ENOMEM;
+
+        /*
+         * The device only supports NIST P256 ECC keys. The public key size will
+         * always be the same. Use a macro for the key size to avoid unnecessary
+         * computations.
+         */
+        public_key = kmalloc(ATMEL_ECC_PUBKEY_SIZE, GFP_KERNEL);
+        if (!public_key)
+                goto free_cmd;
+
+        ctx->do_fallback = false;
+        ctx->curve_id = params.curve_id;
+
+        atmel_ecc_init_genkey_cmd(cmd, DATA_SLOT_2);
+
+        ret = atmel_ecc_send_receive(ctx->client, cmd);
+        if (ret)
+                goto free_public_key;
+
+        /* save the public key */
+        memcpy(public_key, &cmd->data[RSP_DATA_IDX], ATMEL_ECC_PUBKEY_SIZE);
+        ctx->public_key = public_key;
+
+        kfree(cmd);
+        return 0;
+
+free_public_key:
+        kfree(public_key);
+free_cmd:
+        kfree(cmd);
+        return ret;
+}
+
+static int atmel_ecdh_generate_public_key(struct kpp_request *req)
+{
+        struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
+        struct atmel_ecdh_ctx *ctx = kpp_tfm_ctx(tfm);
+        size_t copied;
+        int ret = 0;
+
+        if (ctx->do_fallback) {
+                kpp_request_set_tfm(req, ctx->fallback);
+                return crypto_kpp_generate_public_key(req);
+        }
+
+        /* public key was saved at private key generation */
+        copied = sg_copy_from_buffer(req->dst, 1, ctx->public_key,
+                                     ATMEL_ECC_PUBKEY_SIZE);
+        if (copied != ATMEL_ECC_PUBKEY_SIZE)
+                ret = -EINVAL;
+
+        return ret;
+}
+
+static int atmel_ecdh_compute_shared_secret(struct kpp_request *req)
+{
+        struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
+        struct atmel_ecdh_ctx *ctx = kpp_tfm_ctx(tfm);
+        struct atmel_ecc_work_data *work_data;
+        gfp_t gfp;
+        int ret;
+
+        if (ctx->do_fallback) {
+                kpp_request_set_tfm(req, ctx->fallback);
+                return crypto_kpp_compute_shared_secret(req);
+        }
+
+        gfp = (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) ? GFP_KERNEL :
+                                                             GFP_ATOMIC;
+
+        work_data = kmalloc(sizeof(*work_data), gfp);
+        if (!work_data)
+                return -ENOMEM;
+
+        work_data->ctx = ctx;
+
+        ret = atmel_ecc_init_ecdh_cmd(&work_data->cmd, req->src);
+        if (ret)
+                goto free_work_data;
+
+        atmel_ecc_enqueue(work_data, atmel_ecdh_done, req);
+
+        return -EINPROGRESS;
+
+free_work_data:
+        kfree(work_data);
+        return ret;
+}
+
+struct i2c_client *atmel_ecc_i2c_client_alloc(void)
+{
+        struct atmel_ecc_i2c_client_priv *i2c_priv, *min_i2c_priv = NULL;
+        struct i2c_client *client = ERR_PTR(-ENODEV);
+        int min_tfm_cnt = INT_MAX;
+        int tfm_cnt;
+
+        spin_lock(&driver_data.i2c_list_lock);
+
+        if (list_empty(&driver_data.i2c_client_list)) {
+                spin_unlock(&driver_data.i2c_list_lock);
+                return ERR_PTR(-ENODEV);
+        }
+
+        list_for_each_entry(i2c_priv, &driver_data.i2c_client_list,
+                            i2c_client_list_node) {
+                tfm_cnt = atomic_read(&i2c_priv->tfm_count);
+                if (tfm_cnt < min_tfm_cnt) {
+                        min_tfm_cnt = tfm_cnt;
+                        min_i2c_priv = i2c_priv;
+                }
+                if (!min_tfm_cnt)
+                        break;
+        }
+
+        if (min_i2c_priv) {
+                atomic_inc(&min_i2c_priv->tfm_count);
+                client = min_i2c_priv->client;
+        }
+
+        spin_unlock(&driver_data.i2c_list_lock);
+
+        return client;
+}
+
+void atmel_ecc_i2c_client_free(struct i2c_client *client)
+{
+        struct atmel_ecc_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
+
+        atomic_dec(&i2c_priv->tfm_count);
+}
+
+static int atmel_ecdh_init_tfm(struct crypto_kpp *tfm)
+{
+        const char *alg = kpp_alg_name(tfm);
+        struct crypto_kpp *fallback;
+        struct atmel_ecdh_ctx *ctx = kpp_tfm_ctx(tfm);
+
+        ctx->client = atmel_ecc_i2c_client_alloc();
+        if (IS_ERR(ctx->client)) {
+                pr_err("tfm - i2c_client binding failed\n");
+                return PTR_ERR(ctx->client);
+        }
+
+        fallback = crypto_alloc_kpp(alg, 0, CRYPTO_ALG_NEED_FALLBACK);
+        if (IS_ERR(fallback)) {
+                dev_err(&ctx->client->dev, "Failed to allocate transformation for '%s': %ld\n",
+                        alg, PTR_ERR(fallback));
+                return PTR_ERR(fallback);
+        }
+
+        crypto_kpp_set_flags(fallback, crypto_kpp_get_flags(tfm));
+
+        dev_info(&ctx->client->dev, "Using '%s' as fallback implementation.\n",
+                 crypto_tfm_alg_driver_name(crypto_kpp_tfm(fallback)));
+
+        ctx->fallback = fallback;
+
+        return 0;
+}
+
+static void atmel_ecdh_exit_tfm(struct crypto_kpp *tfm)
+{
+        struct atmel_ecdh_ctx *ctx = kpp_tfm_ctx(tfm);
+
+        kfree(ctx->public_key);
+        crypto_free_kpp(ctx->fallback);
+        atmel_ecc_i2c_client_free(ctx->client);
+}
+
+static unsigned int atmel_ecdh_max_size(struct crypto_kpp *tfm)
+{
+        struct atmel_ecdh_ctx *ctx = kpp_tfm_ctx(tfm);
+
+        if (ctx->fallback)
+                return crypto_kpp_maxsize(ctx->fallback);
+
+        /*
+         * The device only supports NIST P256 ECC keys. The public key size will
+         * always be the same. Use a macro for the key size to avoid unnecessary
+         * computations.
+         */
+        return ATMEL_ECC_PUBKEY_SIZE;
+}
+
+static struct kpp_alg atmel_ecdh = {
+        .set_secret = atmel_ecdh_set_secret,
+        .generate_public_key = atmel_ecdh_generate_public_key,
+        .compute_shared_secret = atmel_ecdh_compute_shared_secret,
+        .init = atmel_ecdh_init_tfm,
+        .exit = atmel_ecdh_exit_tfm,
+        .max_size = atmel_ecdh_max_size,
+        .base = {
+                .cra_flags = CRYPTO_ALG_NEED_FALLBACK,
+                .cra_name = "ecdh",
+                .cra_driver_name = "atmel-ecdh",
+                .cra_priority = ATMEL_ECC_PRIORITY,
+                .cra_module = THIS_MODULE,
+                .cra_ctxsize = sizeof(struct atmel_ecdh_ctx),
+        },
+};
+
+static inline size_t atmel_ecc_wake_token_sz(u32 bus_clk_rate)
+{
+        u32 no_of_bits = DIV_ROUND_UP(TWLO_USEC * bus_clk_rate, USEC_PER_SEC);
+
+        /* return the size of the wake_token in bytes */
+        return DIV_ROUND_UP(no_of_bits, 8);
+}
+
+static int device_sanity_check(struct i2c_client *client)
+{
+        struct atmel_ecc_cmd *cmd;
+        int ret;
+
+        cmd = kmalloc(sizeof(*cmd), GFP_KERNEL);
+        if (!cmd)
+                return -ENOMEM;
+
+        atmel_ecc_init_read_cmd(cmd);
+
+        ret = atmel_ecc_send_receive(client, cmd);
+        if (ret)
+                goto free_cmd;
+
+        /*
+         * It is vital that the Configuration, Data and OTP zones be locked
+         * prior to release into the field of the system containing the device.
+         * Failure to lock these zones may permit modification of any secret
+         * keys and may lead to other security problems.
+         */
+        if (cmd->data[LOCK_CONFIG_IDX] || cmd->data[LOCK_VALUE_IDX]) {
+                dev_err(&client->dev, "Configuration or Data and OTP zones are unlocked!\n");
+                ret = -ENOTSUPP;
+        }
+
+        /* fall through */
+free_cmd:
+        kfree(cmd);
+        return ret;
+}
+
+static int atmel_ecc_probe(struct i2c_client *client,
+                           const struct i2c_device_id *id)
+{
+        struct atmel_ecc_i2c_client_priv *i2c_priv;
+        struct device *dev = &client->dev;
+        int ret;
+        u32 bus_clk_rate;
+
+        if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
+                dev_err(dev, "I2C_FUNC_I2C not supported\n");
+                return -ENODEV;
+        }
+
+        ret = of_property_read_u32(client->adapter->dev.of_node,
+                                   "clock-frequency", &bus_clk_rate);
+        if (ret) {
+                dev_err(dev, "of: failed to read clock-frequency property\n");
+                return ret;
+        }
+
+        if (bus_clk_rate > 1000000L) {
+                dev_err(dev, "%d exceeds maximum supported clock frequency (1MHz)\n",
+                        bus_clk_rate);
+                return -EINVAL;
+        }
+
+        i2c_priv = devm_kmalloc(dev, sizeof(*i2c_priv), GFP_KERNEL);
+        if (!i2c_priv)
+                return -ENOMEM;
+
+        i2c_priv->client = client;
+        mutex_init(&i2c_priv->lock);
+
+        /*
+         * WAKE_TOKEN_MAX_SIZE was calculated for the maximum bus_clk_rate -
+         * 1MHz. The previous bus_clk_rate check ensures us that wake_token_sz
+         * will always be smaller than or equal to WAKE_TOKEN_MAX_SIZE.
+         */
+        i2c_priv->wake_token_sz = atmel_ecc_wake_token_sz(bus_clk_rate);
+
+        memset(i2c_priv->wake_token, 0, sizeof(i2c_priv->wake_token));
+
+        atomic_set(&i2c_priv->tfm_count, 0);
+
+        i2c_set_clientdata(client, i2c_priv);
+
+        ret = device_sanity_check(client);
+        if (ret)
+                return ret;
+
+        spin_lock(&driver_data.i2c_list_lock);
+        list_add_tail(&i2c_priv->i2c_client_list_node,
+                      &driver_data.i2c_client_list);
+        spin_unlock(&driver_data.i2c_list_lock);
+
+        ret = crypto_register_kpp(&atmel_ecdh);
+        if (ret) {
+                spin_lock(&driver_data.i2c_list_lock);
+                list_del(&i2c_priv->i2c_client_list_node);
+                spin_unlock(&driver_data.i2c_list_lock);
+
+                dev_err(dev, "%s alg registration failed\n",
+                        atmel_ecdh.base.cra_driver_name);
+        } else {
+                dev_info(dev, "atmel ecc algorithms registered in /proc/crypto\n");
+        }
+
+        return ret;
+}
+
+static int atmel_ecc_remove(struct i2c_client *client)
+{
+        struct atmel_ecc_i2c_client_priv *i2c_priv = i2c_get_clientdata(client);
+
+        /* Return EBUSY if i2c client already allocated. */
+        if (atomic_read(&i2c_priv->tfm_count)) {
+                dev_err(&client->dev, "Device is busy\n");
+                return -EBUSY;
+        }
+
+        crypto_unregister_kpp(&atmel_ecdh);
+
+        spin_lock(&driver_data.i2c_list_lock);
+        list_del(&i2c_priv->i2c_client_list_node);
+        spin_unlock(&driver_data.i2c_list_lock);
+
+        return 0;
+}
+
+#ifdef CONFIG_OF
+static const struct of_device_id atmel_ecc_dt_ids[] = {
+        {
+                .compatible = "atmel,atecc508a",
+        }, {
+                /* sentinel */
+        }
+};
+MODULE_DEVICE_TABLE(of, atmel_ecc_dt_ids);
+#endif
+
+static const struct i2c_device_id atmel_ecc_id[] = {
+        { "atecc508a", 0 },
+        { }
+};
+MODULE_DEVICE_TABLE(i2c, atmel_ecc_id);
+
+static struct i2c_driver atmel_ecc_driver = {
+        .driver = {
+                .name   = "atmel-ecc",
+                .of_match_table = of_match_ptr(atmel_ecc_dt_ids),
+        },
+        .probe          = atmel_ecc_probe,
+        .remove         = atmel_ecc_remove,
+        .id_table       = atmel_ecc_id,
+};
+
+static int __init atmel_ecc_init(void)
+{
+        spin_lock_init(&driver_data.i2c_list_lock);
+        INIT_LIST_HEAD(&driver_data.i2c_client_list);
+        return i2c_add_driver(&atmel_ecc_driver);
+}
+
+static void __exit atmel_ecc_exit(void)
+{
+        flush_scheduled_work();
+        i2c_del_driver(&atmel_ecc_driver);
+}
+
+module_init(atmel_ecc_init);
+module_exit(atmel_ecc_exit);
+
+MODULE_AUTHOR("Tudor Ambarus <tudor.ambarus@microchip.com>");
+MODULE_DESCRIPTION("Microchip / Atmel ECC (I2C) driver");
+MODULE_LICENSE("GPL v2");
diff --git a/drivers/crypto/atmel-ecc.h b/drivers/crypto/atmel-ecc.h
new file mode 100644
index 000000000000..25232c8abcc2
--- /dev/null
+++ b/drivers/crypto/atmel-ecc.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (c) 2017, Microchip Technology Inc.
+ * Author: Tudor Ambarus <tudor.ambarus@microchip.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+ * more details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#ifndef __ATMEL_ECC_H__
+#define __ATMEL_ECC_H__
+
+#define ATMEL_ECC_PRIORITY              300
+
+#define COMMAND                         0x03 /* packet function */
+#define SLEEP_TOKEN                     0x01
+#define WAKE_TOKEN_MAX_SIZE             8
+
+/* Definitions of Data and Command sizes */
+#define WORD_ADDR_SIZE                  1
+#define COUNT_SIZE                      1
+#define CRC_SIZE                        2
+#define CMD_OVERHEAD_SIZE               (COUNT_SIZE + CRC_SIZE)
+
+/* size in bytes of the n prime */
+#define ATMEL_ECC_NIST_P256_N_SIZE      32
+#define ATMEL_ECC_PUBKEY_SIZE           (2 * ATMEL_ECC_NIST_P256_N_SIZE)
+
+#define STATUS_RSP_SIZE                 4
+#define ECDH_RSP_SIZE                   (32 + CMD_OVERHEAD_SIZE)
+#define GENKEY_RSP_SIZE                 (ATMEL_ECC_PUBKEY_SIZE + \
+                                         CMD_OVERHEAD_SIZE)
+#define READ_RSP_SIZE                   (4 + CMD_OVERHEAD_SIZE)
+#define MAX_RSP_SIZE                    GENKEY_RSP_SIZE
+
+/**
+ * atmel_ecc_cmd - structure used for communicating with the device.
+ * @word_addr: indicates the function of the packet sent to the device. This
+ *             byte should have a value of COMMAND for normal operation.
+ * @count    : number of bytes to be transferred to (or from) the device.
+ * @opcode   : the command code.
+ * @param1   : the first parameter; always present.
+ * @param2   : the second parameter; always present.
+ * @data     : optional remaining input data. Includes a 2-byte CRC.
+ * @rxsize   : size of the data received from i2c client.
+ * @msecs    : command execution time in milliseconds
+ */
+struct atmel_ecc_cmd {
+        u8 word_addr;
+        u8 count;
+        u8 opcode;
+        u8 param1;
+        u16 param2;
+        u8 data[MAX_RSP_SIZE];
+        u8 msecs;
+        u16 rxsize;
+} __packed;
+
+/* Status/Error codes */
+#define STATUS_SIZE                     0x04
+#define STATUS_NOERR                    0x00
+#define STATUS_WAKE_SUCCESSFUL          0x11
+
+static const struct {
+        u8 value;
+        const char *error_text;
+} error_list[] = {
+        { 0x01, "CheckMac or Verify miscompare" },
+        { 0x03, "Parse Error" },
+        { 0x05, "ECC Fault" },
+        { 0x0F, "Execution Error" },
+        { 0xEE, "Watchdog about to expire" },
+        { 0xFF, "CRC or other communication error" },
+};
+
+/* Definitions for eeprom organization */
+#define CONFIG_ZONE                     0
+
+/* Definitions for Indexes common to all commands */
+#define RSP_DATA_IDX                    1 /* buffer index of data in response */
+#define DATA_SLOT_2                     2 /* used for ECDH private key */
+
+/* Definitions for the device lock state */
+#define DEVICE_LOCK_ADDR                0x15
+#define LOCK_VALUE_IDX                  (RSP_DATA_IDX + 2)
+#define LOCK_CONFIG_IDX                 (RSP_DATA_IDX + 3)
+
+/*
+ * Wake High delay to data communication (microseconds). SDA should be stable
+ * high for this entire duration.
+ */
+#define TWHI_MIN                        1500
+#define TWHI_MAX                        1550
+
+/* Wake Low duration */
+#define TWLO_USEC                       60
+
+/* Command execution time (milliseconds) */
+#define MAX_EXEC_TIME_ECDH              58
+#define MAX_EXEC_TIME_GENKEY            115
+#define MAX_EXEC_TIME_READ              1
+
+/* Command opcode */
+#define OPCODE_ECDH                     0x43
+#define OPCODE_GENKEY                   0x40
+#define OPCODE_READ                     0x02
+
+/* Definitions for the READ Command */
+#define READ_COUNT                      7
+
+/* Definitions for the GenKey Command */
+#define GENKEY_COUNT                    7
+#define GENKEY_MODE_PRIVATE             0x04
+
+/* Definitions for the ECDH Command */
+#define ECDH_COUNT                      71
+#define ECDH_PREFIX_MODE                0x00
+
+#endif /* __ATMEL_ECC_H__ */