author | Ji Luo <ji.luo@nxp.com> | 2018-08-26 10:09:14 +0800 |
---|---|---|
committer | faqiang.zhu <faqiang.zhu@nxp.com> | 2018-11-12 09:18:37 +0800 |
commit | aebefa8046bb01b9a4f0f86e2c34bec2847a287a (patch) | |
tree | d86254887fec69137a38c83916c1fec838bd976f /lib | |
parent | c14e9d4e276c408db200a632029a8193944348f3 (diff) |
[iot] Support command 'oem at-disable-unlock-vboot'
The device will be locked permanently after unlock vboot is disabled; the
disable-unlock-vboot status is stored in a fuse. Since the fuse write operation
is irreversible, config 'CONFIG_AVB_FUSE' is disabled by default; the user
needs to add this config manually and run this command again.
Test: Disable unlock vboot bit is set after enabling "CONFIG_AVB_FUSE",
device was locked permanently after running this command. This is
verified on both imx7d_pico and AIY.
Change-Id: Iad8991a238763b1d662e33cba65f0b9eb44e97ef
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/avb/fsl/fsl_avbkey.c | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/lib/avb/fsl/fsl_avbkey.c b/lib/avb/fsl/fsl_avbkey.c
index 5ac88a3bb33..18fd9d36f5c 100644
--- a/lib/avb/fsl/fsl_avbkey.c
+++ b/lib/avb/fsl/fsl_avbkey.c
@@ -48,7 +48,7 @@
 #define RESULT_OK 0
 #ifndef CONFIG_SPL_BUILD
-#if defined(CONFIG_AVB_ATX) && !defined(CONFIG_ARM64)
+#if defined(CONFIG_AVB_ATX)
 static int fsl_fuse_ops(uint32_t *buffer, uint32_t length, uint32_t offset,
 const uint8_t read) {
@@ -300,6 +300,45 @@ bool perm_attr_are_fused(void)
 #endif
 }
+bool at_unlock_vboot_is_disabled(void)
+{
+ uint32_t unlock_vboot_status;
+
+ if (fsl_fuse_read(&unlock_vboot_status, 1,
+ UNLOCK_VBOOT_STATUS_OFFSET_IN_WORD)) {
+ printf("Read at unlock vboot status error!\n");
+ return false;
+ }
+
+ if (unlock_vboot_status & (1 << UNLOCK_VBOOT_STATUS_OFFSET_IN_BIT))
+ return true;
+ else
+ return false;
+}
+
+int at_disable_vboot_unlock(void)
+{
+ uint32_t unlock_vboot_status = 0;
+
+ /* Read the status first */
+ if (fsl_fuse_read(&unlock_vboot_status, 1,
+ UNLOCK_VBOOT_STATUS_OFFSET_IN_WORD)) {
+ ERR("Read unlock vboot status error!\n");
+ return -1;
+ }
+
+ /* Set the disable unlock vboot bit */
+ unlock_vboot_status |= (1 << UNLOCK_VBOOT_STATUS_OFFSET_IN_BIT);
+
+ /* Write disable unlock vboot bit to fuse */
+ if (fsl_fuse_write(&unlock_vboot_status, 1,
+ UNLOCK_VBOOT_STATUS_OFFSET_IN_WORD)) {
+ ERR("Write unlock vboot status fail!\n");
+ return -1;
+ }
+
+ return 0;
+}
 /* Reads permanent |attributes| data. There are no restrictions on where this
 * data is stored. On success, returns AVB_IO_RESULT_OK and populates
 * |attributes|. |
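Review bot: at_unlock_vboot_is_disabled() fails open: when fsl_fuse_read() returns an error it prints a message and returns false, which a caller cannot tell apart from "unlock is still allowed". The callers are outside this hunk, but if the unlock command gates on this result, a failed fuse read would let a permanently locked device be treated as unlockable; the error branch should fail closed, e.g. `return true; /* fuse unreadable: treat unlock as disabled */`, or the function should report a distinct error status. Both new functions also build the mask with `1 << UNLOCK_VBOOT_STATUS_OFFSET_IN_BIT`, a signed shift that is undefined if the bit index is 31; `1U << UNLOCK_VBOOT_STATUS_OFFSET_IN_BIT` avoids that. at_disable_vboot_unlock() would also benefit from a header comment stating that the fuse write is irreversible and what the return values mean.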