[iot] Support authenticated unlock

Add fastboot commands "fastboot oem at-get-vboot-unlock-challenge"
and "fastboot oem at-unlock-vboot" to support the authenticated
unlock feature for Android Things devices. Use software random
numbers generator to generate the 16 bytes random challenge, it
should be replaced with hardware encrypted random generator when
the TEE part is ready.

Test: Generate unlock challenge by:
        ./avbtool make_atx_unlock_credential
        --output=atx_unlock_credential.bin
        --intermediate_key_certificate=atx_pik_certificate.bin
        --unlock_key_certificate=atx_puk_certificate.bin
        --challenge=my_generated_challenge.bin
        --unlock_key=testkey_atx_puk.pem
      validated the unlock credential successfully on imx7d_pico
      and AIY.

Change-Id: I4b8cee87c9e96924169479b65020a081136681f6
Signed-off-by: Ji Luo <ji.luo@nxp.com>

3 files changed, 21 insertions, 3 deletions

diff --git a/include/configs/imx8mq_evk_androidthings.h b/include/configs/imx8mq_evk_androidthings.h
index 02344560454..184a9ed4b3e 100644
--- a/include/configs/imx8mq_evk_androidthings.h
+++ b/include/configs/imx8mq_evk_androidthings.h
@@ -10,7 +10,6 @@
 #define CONFIG_CMD_READ
 
 #define CONFIG_ANDROID_AB_SUPPORT
-#define CONFIG_AVB_SUPPORT
 #define CONFIG_SUPPORT_EMMC_RPMB
 #define CONFIG_SYSTEM_RAMDISK_SUPPORT
 #define CONFIG_AVB_FUSE_BANK_SIZEW 0
@@ -51,6 +50,10 @@
 #define TEE_LOAD_ADDR_1G 0x7e000000
 #define TEE_LOAD_ADDR_3G 0xfe000000
 
+
+#define KEYSLOT_HWPARTITION_ID   2
+#define KEYSLOT_BLKS             0x1FFF
+
 #ifdef CONFIG_SPL_BUILD
 
 #define CONFIG_SPL_SHA256
@@ -64,8 +67,6 @@
 #define BOOTLOADER_RBIDX_START   0x1F000
 #define BOOTLOADER_RBIDX_LEN     0x08
 #define BOOTLOADER_RBIDX_INITVAL 0
-#define KEYSLOT_HWPARTITION_ID   2
-#define KEYSLOT_BLKS             0x1FFF
 #endif
 
 #else
diff --git a/include/fsl_avb.h b/include/fsl_avb.h
index 20db2674d28..2964b799d36 100644
--- a/include/fsl_avb.h
+++ b/include/fsl_avb.h
@@ -236,6 +236,14 @@ AvbABFlowResult avb_flow_dual_uboot(AvbABOps* ab_ops,
                                     AvbSlotVerifyFlags flags,
                                     AvbHashtreeErrorMode hashtree_error_mode,
                                     AvbSlotVerifyData** out_data);
+/* Generates |num_bytes| random bytes and stores them in |output|,
+ * which must point to a buffer large enough to store the bytes.
+ *
+ * Returns AVB_IO_RESULT_OK on success, otherwise an error code.
+ */
+AvbIOResult fsl_get_random(AvbAtxOps* atx_ops,
+				size_t num_bytes,
+				uint8_t* output);
 
 /* Program ATX perm_attr into RPMB partition */
 int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size);
@@ -243,4 +251,11 @@ int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size);
 /* Initialize rpmb key with the staged key */
 int fastboot_set_rpmb_key(uint8_t *staged_buf, uint32_t key_size);
 
+/* Generate ATX unlock challenge */
+int avb_atx_get_unlock_challenge(struct AvbAtxOps* atx_ops,
+				uint8_t *upload_buffer, uint32_t *size);
+/* Verify ATX unlock credential */
+int avb_atx_verify_unlock_credential(struct AvbAtxOps* atx_ops,
+					uint8_t *staged_buffer);
+
 #endif /* __FSL_AVB_H__ */
diff --git a/include/fsl_fastboot.h b/include/fsl_fastboot.h
index b033aaee91b..c3fd85eb386 100644
--- a/include/fsl_fastboot.h
+++ b/include/fsl_fastboot.h
@@ -96,6 +96,8 @@
 #define FASTBOOT_BOOTLOADER_VBOOT_KEY "fuse at-bootloader-vboot-key"
 #ifdef CONFIG_AVB_ATX
 #define FASTBOOT_AVB_AT_PERM_ATTR "fuse at-perm-attr"
+#define FASTBOOT_AT_UNLOCK_VBOOT "at-unlock-vboot"
+#define FASTBOOT_AT_GET_UNLOCK_CHALLENGE "at-get-vboot-unlock-challenge"
 #endif /* CONFIG_AVB_ATX */
 #endif /* CONFIG_ANDROID_THINGS_SUPPORT */