diff options
author | Ji Luo <ji.luo@nxp.com> | 2021-02-05 08:43:13 +0800 |
---|---|---|
committer | Ji Luo <ji.luo@nxp.com> | 2022-04-18 16:40:10 +0800 |
commit | a4186233f88154c38af1704f26aad2c1f34a4e07 (patch) | |
tree | 493cabe8ab5fe75f804717f07dd142abdf31e7a3 /include | |
parent | 04d62202b5693233e08738496600019fc5195b8c (diff) |
MA-18680-2 Support derive rpmb key from BKEK
The BKEK will bind to the soc chip and we don't need to
store the encapsulated keyslot after using BKEK as the
rpmb key, which reduces the risk of losing the rpmb key.
This commit adds two commands to support derive the rpmb
key from BKEK and erase the rpmb storage (for debug purpose,
need support from trusty):
$ fastboot oem set-rpmb-hardware-key
$ fastboot oem erase-rpmb
Legacy keyslot way is still supported and boards programed
with keyslot can still work in compatible way. Command
to set provisioned rpmb key is changed to:
$ fastboot stage <rpmb-key>
$ fastboot oem set-rpmb-staged-key
Test: Key set and boot on imx8mn/imx8qxp.
Change-Id: Ifc88010fe8802d3550e42dff0bbd5a5e5ad922a3
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 0fd1b5e41645ac3f5c05ad82258df1645c59fb5a)
(cherry picked from commit 6a5125b9caf4c2e036853d8f53f8398c147758b3)
(cherry picked from commit ca4258ca0702e082ad975e08ee33fd05d518b690)
Diffstat (limited to 'include')
-rw-r--r-- | include/fb_fsl.h | 5 | ||||
-rw-r--r-- | include/fsl_avb.h | 6 | ||||
-rw-r--r-- | include/interface/storage/storage.h | 3 | ||||
-rw-r--r-- | include/trusty/rpmb.h | 10 |
4 files changed, 19 insertions, 5 deletions
diff --git a/include/fb_fsl.h b/include/fb_fsl.h index 8e2f1c487a..a0018169ef 100644 --- a/include/fb_fsl.h +++ b/include/fb_fsl.h @@ -86,9 +86,10 @@ #ifdef CONFIG_IMX_TRUSTY_OS #ifndef CONFIG_AVB_ATX -#define FASTBOOT_SET_RPMB_KEY "set-rpmb-key" -#define FASTBOOT_SET_RPMB_RANDOM_KEY "set-rpmb-random-key" +#define FASTBOOT_SET_RPMB_STAGED_KEY "set-rpmb-staged-key" +#define FASTBOOT_SET_RPMB_HARDWARE_KEY "set-rpmb-hardware-key" #define FASTBOOT_SET_VBMETA_PUBLIC_KEY "set-public-key" +#define FASTBOOT_ERASE_RPMB "erase-rpmb" #endif #define FASTBOOT_SET_CA_RESP "at-set-ca-response" diff --git a/include/fsl_avb.h b/include/fsl_avb.h index 0eaa842cf1..9c7cfe059d 100644 --- a/include/fsl_avb.h +++ b/include/fsl_avb.h @@ -172,10 +172,10 @@ AvbIOResult fsl_get_random(AvbAtxOps* atx_ops, int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size); /* Initialize rpmb key with the staged key */ -int fastboot_set_rpmb_key(uint8_t *staged_buf, uint32_t key_size); +int fastboot_set_rpmb_staged_key(uint8_t *staged_buf, uint32_t key_size); -/* Initialize rpmb key with random key which is generated by caam rng */ -int fastboot_set_rpmb_random_key(void); +/* Initialize rpmb key with hardware key which is derived from BKEK */ +int fastboot_set_rpmb_hardware_key(void); /* Generate ATX unlock challenge */ int avb_atx_get_unlock_challenge(struct AvbAtxOps* atx_ops, diff --git a/include/interface/storage/storage.h b/include/interface/storage/storage.h index e4f7f83656..4d524984e6 100644 --- a/include/interface/storage/storage.h +++ b/include/interface/storage/storage.h @@ -56,6 +56,9 @@ enum storage_cmd { /* transaction support */ STORAGE_END_TRANSACTION = 9 << STORAGE_REQ_SHIFT, + + STORAGE_RPMB_KEY_SET = 12 << STORAGE_REQ_SHIFT, + STORAGE_RPMB_ERASE_ALL = 13 << STORAGE_REQ_SHIFT, }; /** diff --git a/include/trusty/rpmb.h b/include/trusty/rpmb.h index e29a608a4b..810b8a1d7f 100644 --- a/include/trusty/rpmb.h +++ b/include/trusty/rpmb.h @@ -75,4 +75,14 @@ void *rpmb_storage_get_ctx(void); */ void rpmb_storage_put_ctx(void *dev); +/* + * Set rpmb key by secure side. + */ +int storage_set_rpmb_key(void); + +/* + * Erase rpmb storage by secure side. + */ +int storage_erase_rpmb(void); + #endif /* TRUSTY_RPMB_H_ */ |