summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorUtkarsh Gupta <utkarsh.gupta@nxp.com>2018-02-20 01:19:25 +0000
committerStefano Babic <sbabic@denx.de>2018-02-22 14:35:57 +0100
commit20fa1dd386c891f7d6477e7d442dda76af6c765b (patch)
treecdf335306d754e7f64bdd271b7bb7afd7d9d6474
parented286bc80e9d237dd1732ced037427e7d9a277a0 (diff)
imx: hab: Check if CSF contains deprecated commands
Write, Check and Set MID commands have been deprecated from the Code Signing Tool (CST) v2.3.3 and will not be implemented in newer versions of HAB, hence the following features are no longer available: - Write Data - Clear Mask - Set Mask - Check All Clear - Check All Set - Check Any Clear - Check Any Set - Set MID The inappropriate use of Write Data command may lead to an incorrect authentication boot flow. Since no specific application has been identified that requires the use of any of these features, it is highly recommended to add this check. Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com> Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
-rw-r--r--arch/arm/include/asm/mach-imx/hab.h4
-rw-r--r--arch/arm/mach-imx/hab.c20
2 files changed, 24 insertions, 0 deletions
diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h
index bb732030e9..93475a61da 100644
--- a/arch/arm/include/asm/mach-imx/hab.h
+++ b/arch/arm/include/asm/mach-imx/hab.h
@@ -189,6 +189,10 @@ typedef void hapi_clock_init_t(void);
#define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/
#define HAB_CMD_HDR 0xD4 /* CSF Header */
+#define HAB_CMD_WRT_DAT 0xCC /* Write Data command tag */
+#define HAB_CMD_CHK_DAT 0xCF /* Check Data command tag */
+#define HAB_CMD_SET 0xB1 /* Set command tag */
+#define HAB_PAR_MID 0x01 /* MID parameter value */
#define IVT_SIZE 0x20
#define CSF_PAD_SIZE 0x2000
diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
index 7f66965af5..79e8bf6979 100644
--- a/arch/arm/mach-imx/hab.c
+++ b/arch/arm/mach-imx/hab.c
@@ -518,6 +518,26 @@ static bool csf_is_valid(struct ivt *ivt, ulong start_addr, size_t bytes)
}
do {
+ struct hab_hdr *cmd;
+
+ cmd = (struct hab_hdr *)&csf_hdr[offset];
+
+ switch (cmd->tag) {
+ case (HAB_CMD_WRT_DAT):
+ puts("Error: Deprecated write command found\n");
+ return false;
+ case (HAB_CMD_CHK_DAT):
+ puts("Error: Deprecated check command found\n");
+ return false;
+ case (HAB_CMD_SET):
+ if (cmd->par == HAB_PAR_MID) {
+ puts("Error: Deprecated Set MID command found\n");
+ return false;
+ }
+ default:
+ break;
+ }
+
cmd_hdr_len = get_csf_cmd_hdr_len(&csf_hdr[offset]);
if (!cmd_hdr_len) {
puts("Error: Invalid command length\n");