authorJi Luo <ji.luo@nxp.com>2019-08-15 20:53:53 +0800
committerJi Luo <ji.luo@nxp.com>2020-05-15 17:34:34 +0800
commit225d7366d8e48b57969691550ef80c00bcd616e7 (patch)
tree8ec6f0e0ab73947a48bdbd83cfc31ed193195c96 /include/interface
parentb213537e1d7ce17b49ede8482127a39824a66e6a (diff)
MA-15321-3 Support secure unlock feature
Decrypt and verify the secure credential in the keymaster TA; the unlock operation is allowed only after the secure credential verification passes. Since the mppubk can only be generated on hab closed imx8q, the secure unlock feature can only be supported when hab is closed. Test: secure unlock credential verify on hab closed imx8mm_evk. Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71 Signed-off-by: Ji Luo <ji.luo@nxp.com> (cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a)
Diffstat (limited to 'include/interface')
-rw-r--r--include/interface/keymaster/keymaster.h17
1 files changed, 16 insertions, 1 deletions
diff --git a/include/interface/keymaster/keymaster.h b/include/interface/keymaster/keymaster.h
index 1b1fc633154..c98442d757e 100644
--- a/include/interface/keymaster/keymaster.h
+++ b/include/interface/keymaster/keymaster.h
@@ -65,7 +65,8 @@ enum keymaster_command {
KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT),
KM_SET_ATTESTATION_KEY_ENC = (0xa000 << KEYMASTER_REQ_SHIFT),
KM_APPEND_ATTESTATION_CERT_CHAIN_ENC = (0xb000 << KEYMASTER_REQ_SHIFT),
- KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT)
+ KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT),
+ KM_VERIFY_SECURE_UNLOCK = (0xd000 << KEYMASTER_REQ_SHIFT)
};
typedef enum {
@@ -224,6 +225,20 @@ struct km_get_mppubk_resp {
} TRUSTY_ATTR_PACKED;
/**
+ * km_secure_unlock_data - represents the secure unlock data
+ *
+ * @serial_size: size of |serial_data|
+ * @serial_data: serial_data (serial number)
+ * @credential_size: size of |credential_data|
+ * @credential_data: credential data
+ */
+struct km_secure_unlock_data {
+ uint32_t serial_size;
+ const uint8_t *serial_data;
+ uint32_t credential_size;
+ const uint8_t *credential_data;
+} TRUSTY_ATTR_PACKED;
+/**
* km_set_ca_response_begin_req - starts the process to set the ATAP CA Response
*
* @ca_response_size: total size of the CA Response message
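Review bot: The doc comment on `struct km_secure_unlock_data` does not say what bounds the two caller-supplied lengths, `serial_size` and `credential_size`, that sit next to raw pointers. The code that fills this struct from a request is outside this hunk, so it is not visible whether both sizes are checked against the received message length before the buffers are read. Since this data gates the unlock decision, the contract belongs in the header, e.g. `@serial_size: size of |serial_data|; must not exceed the remaining request payload`, and likewise for `@credential_size`. The struct is also marked `TRUSTY_ATTR_PACKED` while holding pointers, whose width differs between 32- and 64-bit builds, so it presumably is a parsed in-memory view and not the wire layout. The comment should say so: `Not sent over IPC as-is; pointers refer into the request buffer.`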