MA-15019-1 Support Manufacture Protection public key generation

Add new keymaster commands to get Manufacure Production key (mppubk).
Since the mppubk can only be generated in OEM CLOSED imx8q board, so
we can only this command when the board is HAB/AHAB closed.

Commands to extract the mppubk:
        * $fastboot oem get-mppubk
        * $fastboot get_staged mppubk.bin

Test: Generate and dump the mppubk.bin

Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo <ji.luo@nxp.com>

8 files changed, 118 insertions, 2 deletions

diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach-imx/imx8m/soc.c
index ab138f3ed90..374d77f28b0 100644
--- a/arch/arm/mach-imx/imx8m/soc.c
+++ b/arch/arm/mach-imx/imx8m/soc.c
@@ -28,7 +28,7 @@
 
 DECLARE_GLOBAL_DATA_PTR;
 
-#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX)
+#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX) || defined(CONFIG_IMX_TRUSTY_OS)
 struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
 	.bank = 1,
 	.word = 3,
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 6ec6ebae266..bb36c9bf1b4 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -3867,6 +3867,14 @@ static void cb_flashing(struct usb_ep *ep, struct usb_request *req)
 			printf("Append ec attestation key successfully!\n");
 			strcpy(response, "OKAY");
 		}
+	}  else if (endswith(cmd, FASTBOOT_GET_MPPUBK)) {
+		if (fastboot_get_mppubk(interface.transfer_buffer, &download_bytes)) {
+			printf("ERROR Generate mppubk failed!\n");
+			strcpy(response, "FAILGenerate mppubk failed!");
+		} else {
+			printf("mppubk generated!\n");
+			strcpy(response, "OKAY");
+		}
 	}
 #ifndef CONFIG_AVB_ATX
 	else if (endswith(cmd, FASTBOOT_SET_RPMB_KEY)) {
diff --git a/include/fsl_avb.h b/include/fsl_avb.h
index 225f42ab096..7f2b46f20bc 100644
--- a/include/fsl_avb.h
+++ b/include/fsl_avb.h
@@ -271,4 +271,8 @@ int at_disable_vboot_unlock(void);
 
 /* Set vbmeta public key */
 int avb_set_public_key(uint8_t *staged_buffer, uint32_t size);
+
+/* Get manufacture protection  public key */
+int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size);
+
 #endif /* __FSL_AVB_H__ */
diff --git a/include/fsl_fastboot.h b/include/fsl_fastboot.h
index 2e70bef8158..1dff46ecb3d 100644
--- a/include/fsl_fastboot.h
+++ b/include/fsl_fastboot.h
@@ -88,6 +88,7 @@
 #define FASTBOOT_SET_RPMB_KEY "set-rpmb-key"
 #define FASTBOOT_SET_RPMB_RANDOM_KEY "set-rpmb-random-key"
 #define FASTBOOT_SET_VBMETA_PUBLIC_KEY "set-public-key"
+#define FASTBOOT_GET_MPPUBK  "get-mppubk"
 #endif
 
 #define FASTBOOT_SET_CA_RESP "at-set-ca-response"
diff --git a/include/interface/keymaster/keymaster.h b/include/interface/keymaster/keymaster.h
index a5e3e8b4c7b..ff5583496f3 100644
--- a/include/interface/keymaster/keymaster.h
+++ b/include/interface/keymaster/keymaster.h
@@ -62,7 +62,8 @@ enum keymaster_command {
     KM_ATAP_SET_CA_RESPONSE_UPDATE     = (0x6000 << KEYMASTER_REQ_SHIFT),
     KM_ATAP_SET_CA_RESPONSE_FINISH     = (0x7000 << KEYMASTER_REQ_SHIFT),
     KM_ATAP_READ_UUID                  = (0x8000 << KEYMASTER_REQ_SHIFT),
-    KM_SET_PRODUCT_ID                  = (0x9000 << KEYMASTER_REQ_SHIFT)
+    KM_SET_PRODUCT_ID                  = (0x9000 << KEYMASTER_REQ_SHIFT),
+    KM_GET_MPPUBK                      = (0xc000 << KEYMASTER_REQ_SHIFT)
 };
 
 typedef enum {
@@ -212,6 +213,15 @@ struct km_raw_buffer_resp {
 } TRUSTY_ATTR_PACKED;
 
 /**
+ * km_get_mppubk_resp - response format for mppubk buffer
+ */
+struct km_get_mppubk_resp {
+    int32_t error;
+    uint32_t data_size;
+    uint8_t data[64];
+} TRUSTY_ATTR_PACKED;
+
+/**
  * km_set_ca_response_begin_req - starts the process to set the ATAP CA Response
  *
  * @ca_response_size: total size of the CA Response message
diff --git a/include/trusty/keymaster.h b/include/trusty/keymaster.h
index eadb0d13196..6c8d2e94aea 100644
--- a/include/trusty/keymaster.h
+++ b/include/trusty/keymaster.h
@@ -127,4 +127,12 @@ int trusty_atap_read_uuid_str(char **uuid_p);
  */
 int trusty_set_product_id(const uint8_t *product_id, uint32_t size);
 
+/*
+ * trusty_get_mppubk is called to get the mppubk from trusty side.
+ *
+ * @mppubk: Pointer to the buffer which store the mppubk.
+ * @size:  Pointer to The size of mppubk.
+ */
+int trusty_get_mppubk(uint8_t *mppubk, uint32_t* size);
+
 #endif /* TRUSTY_KEYMASTER_H_ */
diff --git a/lib/avb/fsl/fsl_avbkey.c b/lib/avb/fsl/fsl_avbkey.c
index 63d51102f3f..d9c0a37dd18 100644
--- a/lib/avb/fsl/fsl_avbkey.c
+++ b/lib/avb/fsl/fsl_avbkey.c
@@ -25,6 +25,9 @@
 #include <memalign.h>
 #include "trusty/hwcrypto.h"
 #include "fsl_atx_attributes.h"
+#include <asm/mach-imx/hab.h>
+#include <asm/arch/sys_proto.h>
+#include <asm/mach-imx/sci/sci.h>
 
 #define INITFLAG_FUSE_OFFSET 0
 #define INITFLAG_FUSE_MASK 0x00000001
@@ -1060,6 +1063,28 @@ int at_disable_vboot_unlock(void)
 #endif /* CONFIG_AVB_ATX */
 
 #if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX)
+
+DECLARE_GLOBAL_DATA_PTR;
+extern struct imx_sec_config_fuse_t const imx_sec_config_fuse;
+#define HAB_ENABLED_BIT (is_soc_type(MXC_SOC_IMX8M)? 0x2000000 : 0x2)
+
+/* Check hab status, this is basically copied from imx_hab_is_enabled() */
+bool hab_is_enabled(void)
+{
+	struct imx_sec_config_fuse_t *fuse =
+		(struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
+	uint32_t reg;
+	int ret;
+
+	ret = fuse_read(fuse->bank, fuse->word, &reg);
+	if (ret) {
+		puts("\nSecure boot fuse read error\n");
+		return ret;
+	}
+
+	return (reg & HAB_ENABLED_BIT) == HAB_ENABLED_BIT;
+}
+
 int do_rpmb_key_set(uint8_t *key, uint32_t key_size)
 {
 	int ret = 0;
@@ -1188,5 +1213,37 @@ int avb_set_public_key(uint8_t *staged_buffer, uint32_t size) {
 
 	return 0;
 }
+
+int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size) {
+
+#ifdef CONFIG_ARCH_IMX8
+	sc_err_t err;
+	uint16_t lc;
+	sc_ipc_t ipcHndl = gd->arch.ipc_channel_handle;
+
+	err = sc_seco_chip_info(ipcHndl, &lc, NULL, NULL, NULL);
+	if (err != SC_ERR_NONE) {
+		printf("Error in get lifecycle\n");
+		return -1;
+	}
+
+	if (lc != 0x80) {
+#else
+	if (!hab_is_enabled()) {
+#endif
+		ERR("Error. This command can only be used when hab is closed!!\n");
+		return -1;
+	}
+	if ((staged_buffer == NULL) || (size == NULL)) {
+		ERR("Error. Get null staged_buffer!\n");
+		return -1;
+	}
+	if (trusty_get_mppubk(staged_buffer, size)) {
+		ERR("Error. Failed to get mppubk!\n");
+		return -1;
+	}
+
+	return 0;
+}
 #endif /* CONFIG_IMX_TRUSTY_OS && !defind(CONFIG_AVB_ATX) */
 #endif /* CONFIG_SPL_BUILD */
diff --git a/lib/trusty/ql-tipc/keymaster.c b/lib/trusty/ql-tipc/keymaster.c
index eaa43e38744..0826002943e 100644
--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@@ -480,3 +480,31 @@ int trusty_atap_read_uuid_str(char **uuid_p)
     }
     return rc;
 }
+
+int trusty_get_mppubk(uint8_t *mppubk, uint32_t *size)
+{
+    int rc = TRUSTY_ERR_GENERIC;
+    struct km_get_mppubk_resp resp;
+
+    rc = km_send_request(KM_GET_MPPUBK, NULL, 0);
+    if (rc < 0) {
+        trusty_error("failed to send km mppubk request\n", rc);
+        return rc;
+    }
+
+    rc = km_read_raw_response(KM_GET_MPPUBK, &resp, sizeof(resp));
+    if (rc < 0) {
+        trusty_error("%s: failed (%d) to read km mppubk response\n", __func__, rc);
+        return rc;
+    }
+
+    if (resp.data_size != 64) {
+        trusty_error("%s: Wrong mppubk size!\n", __func__);
+        return TRUSTY_ERR_GENERIC;
+    } else {
+        *size = resp.data_size;
+    }
+
+    memcpy(mppubk, resp.data, resp.data_size);
+    return TRUSTY_ERR_NONE;
+}