authorJi Luo <ji.luo@nxp.com>2019-07-15 17:26:30 +0800
committerJi Luo <ji.luo@nxp.com>2020-05-15 17:34:28 +0800
commit854e4d2c19d22463a3c2819b8f75312a1d992874 (patch)
tree9e0d3aefb2fca10e562897c8e0fdf41bc330c030 /lib
parent18b9803d551c0bacb1449b554656bad24d013dfd (diff)
MA-15019-1 Support Manufacture Protection public key generation
Add new keymaster commands to get the Manufacture Protection public key (mppubk). Since the mppubk can only be generated on an OEM CLOSED imx8q board, this command can only be used when the board is HAB/AHAB closed. Commands to extract the mppubk: * $fastboot oem get-mppubk * $fastboot get_staged mppubk.bin Test: Generate and dump the mppubk.bin Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4 Signed-off-by: Ji Luo <ji.luo@nxp.com> (cherry picked from commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7)
Diffstat (limited to 'lib')
-rw-r--r--lib/avb/fsl/fsl_avbkey.c58
-rw-r--r--lib/trusty/ql-tipc/keymaster.c28
2 files changed, 86 insertions, 0 deletions
diff --git a/lib/avb/fsl/fsl_avbkey.c b/lib/avb/fsl/fsl_avbkey.c
index 8f7f3d02ae..0dd24ff1fe 100644
--- a/lib/avb/fsl/fsl_avbkey.c
+++ b/lib/avb/fsl/fsl_avbkey.c
@@ -25,6 +25,11 @@
#include <memalign.h>
#include "trusty/hwcrypto.h"
#include "fsl_atx_attributes.h"
+#include <asm/mach-imx/hab.h>
+#include <asm/arch/sys_proto.h>
+#ifdef CONFIG_ARCH_IMX8
+#include <asm/arch/sci/sci.h>
+#endif
#if defined(CONFIG_SPL_BUILD)
#include <spl.h>
@@ -1126,6 +1131,28 @@ int at_disable_vboot_unlock(void)
#endif /* CONFIG_AVB_ATX */
#if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX)
+
+DECLARE_GLOBAL_DATA_PTR;
+extern struct imx_sec_config_fuse_t const imx_sec_config_fuse;
+#define HAB_ENABLED_BIT (is_soc_type(MXC_SOC_IMX8M)? 0x2000000 : 0x2)
+
+/* Check hab status, this is basically copied from imx_hab_is_enabled() */
+bool hab_is_enabled(void)
+{
+ struct imx_sec_config_fuse_t *fuse =
+ (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
+ uint32_t reg;
+ int ret;
+
+ ret = fuse_read(fuse->bank, fuse->word, &reg);
+ if (ret) {
+ puts("\nSecure boot fuse read error\n");
+ return ret;
+ }
+
+ return (reg & HAB_ENABLED_BIT) == HAB_ENABLED_BIT;
+}
+
int do_rpmb_key_set(uint8_t *key, uint32_t key_size)
{
int ret = 0;
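Review bot: In `hab_is_enabled()` the error path `return ret;` returns a non-zero int from a `bool` function, which converts to `true`, so a failed fuse read is reported as "HAB enabled". fastboot_get_mppubk(), added later in this file, uses that result as its closed-board gate on the non-i.MX8 path, so the gate fails open; `return false;` after the puts() would make it fail closed. The cast that drops `const` from `imx_sec_config_fuse` is also unnecessary because the struct is only read: `const struct imx_sec_config_fuse_t *fuse = &imx_sec_config_fuse;`.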
@@ -1254,5 +1281,36 @@ int avb_set_public_key(uint8_t *staged_buffer, uint32_t size) {
return 0;
}
+
+int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size) {
+
+#ifdef CONFIG_ARCH_IMX8
+ sc_err_t err;
+ uint16_t lc;
+
+ err = sc_seco_chip_info(-1, &lc, NULL, NULL, NULL);
+ if (err != SC_ERR_NONE) {
+ printf("Error in get lifecycle\n");
+ return -1;
+ }
+
+ if (lc != 0x80) {
+#else
+ if (!hab_is_enabled()) {
+#endif
+ ERR("Error. This command can only be used when hab is closed!!\n");
+ return -1;
+ }
+ if ((staged_buffer == NULL) || (size == NULL)) {
+ ERR("Error. Get null staged_buffer!\n");
+ return -1;
+ }
+ if (trusty_get_mppubk(staged_buffer, size)) {
+ ERR("Error. Failed to get mppubk!\n");
+ return -1;
+ }
+
+ return 0;
+}
#endif /* CONFIG_IMX_TRUSTY_OS && !defind(CONFIG_AVB_ATX) */
#endif /* CONFIG_SPL_BUILD */
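Review bot: The closed-state gate in fastboot_get_mppubk() is written as two different `if` headers, `if (lc != 0x80) {` and `if (!hab_is_enabled()) {`, that share one body across `#ifdef CONFIG_ARCH_IMX8`/`#else`, and the lifecycle value 0x80 is an unnamed constant. Judging by the commit message it presumably denotes the OEM-closed lifecycle, but the code should say so with a named constant or a comment such as `/* 0x80: OEM closed lifecycle */`. Computing a per-branch `bool closed = (lc == 0x80);` or `bool closed = hab_is_enabled();` and then testing `if (!closed)` once would keep this security check readable and harder to unbalance when one branch is edited.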
diff --git a/lib/trusty/ql-tipc/keymaster.c b/lib/trusty/ql-tipc/keymaster.c
index eaa43e3874..0826002943 100644
--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@@ -480,3 +480,31 @@ int trusty_atap_read_uuid_str(char **uuid_p)
}
return rc;
}
+
+int trusty_get_mppubk(uint8_t *mppubk, uint32_t *size)
+{
+ int rc = TRUSTY_ERR_GENERIC;
+ struct km_get_mppubk_resp resp;
+
+ rc = km_send_request(KM_GET_MPPUBK, NULL, 0);
+ if (rc < 0) {
+ trusty_error("failed to send km mppubk request\n", rc);
+ return rc;
+ }
+
+ rc = km_read_raw_response(KM_GET_MPPUBK, &resp, sizeof(resp));
+ if (rc < 0) {
+ trusty_error("%s: failed (%d) to read km mppubk response\n", __func__, rc);
+ return rc;
+ }
+
+ if (resp.data_size != 64) {
+ trusty_error("%s: Wrong mppubk size!\n", __func__);
+ return TRUSTY_ERR_GENERIC;
+ } else {
+ *size = resp.data_size;
+ }
+
+ memcpy(mppubk, resp.data, resp.data_size);
+ return TRUSTY_ERR_NONE;
+}
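Review bot: The final `memcpy(mppubk, resp.data, resp.data_size);` writes 64 bytes into the caller's buffer without knowing its capacity, because `size` is only ever written and `mppubk` and `size` are dereferenced without a NULL check here. The fastboot caller checks for NULL, but nothing visible in this commit guarantees the staged buffer holds 64 bytes. That requirement should be stated in a header comment, or `*size` could be treated as the capacity on entry with `if (*size < resp.data_size) return TRUSTY_ERR_GENERIC;` before the copy, if callers can be updated to set it. Separately, the first `trusty_error("failed to send km mppubk request\n", rc);` passes `rc` with no conversion specifier; `trusty_error("%s: failed (%d) to send km mppubk request\n", __func__, rc);` would match the second call.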