diff options
-rw-r--r-- | arch/arm/mach-imx/imx8m/soc.c | 2 | ||||
-rw-r--r-- | drivers/usb/gadget/f_fastboot.c | 8 | ||||
-rw-r--r-- | include/fsl_avb.h | 4 | ||||
-rw-r--r-- | include/fsl_fastboot.h | 1 | ||||
-rw-r--r-- | include/interface/keymaster/keymaster.h | 12 | ||||
-rw-r--r-- | include/trusty/keymaster.h | 8 | ||||
-rw-r--r-- | lib/avb/fsl/fsl_avbkey.c | 57 | ||||
-rw-r--r-- | lib/trusty/ql-tipc/keymaster.c | 28 |
8 files changed, 118 insertions, 2 deletions
diff --git a/arch/arm/mach-imx/imx8m/soc.c b/arch/arm/mach-imx/imx8m/soc.c index ab138f3ed90..374d77f28b0 100644 --- a/arch/arm/mach-imx/imx8m/soc.c +++ b/arch/arm/mach-imx/imx8m/soc.c @@ -28,7 +28,7 @@ DECLARE_GLOBAL_DATA_PTR; -#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX) +#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX) || defined(CONFIG_IMX_TRUSTY_OS) struct imx_sec_config_fuse_t const imx_sec_config_fuse = { .bank = 1, .word = 3, diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c index 6ec6ebae266..bb36c9bf1b4 100644 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -3867,6 +3867,14 @@ static void cb_flashing(struct usb_ep *ep, struct usb_request *req) printf("Append ec attestation key successfully!\n"); strcpy(response, "OKAY"); } + } else if (endswith(cmd, FASTBOOT_GET_MPPUBK)) { + if (fastboot_get_mppubk(interface.transfer_buffer, &download_bytes)) { + printf("ERROR Generate mppubk failed!\n"); + strcpy(response, "FAILGenerate mppubk failed!"); + } else { + printf("mppubk generated!\n"); + strcpy(response, "OKAY"); + } } #ifndef CONFIG_AVB_ATX else if (endswith(cmd, FASTBOOT_SET_RPMB_KEY)) { diff --git a/include/fsl_avb.h b/include/fsl_avb.h index 225f42ab096..7f2b46f20bc 100644 --- a/include/fsl_avb.h +++ b/include/fsl_avb.h @@ -271,4 +271,8 @@ int at_disable_vboot_unlock(void); /* Set vbmeta public key */ int avb_set_public_key(uint8_t *staged_buffer, uint32_t size); + +/* Get manufacture protection public key */ +int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size); + #endif /* __FSL_AVB_H__ */ diff --git a/include/fsl_fastboot.h b/include/fsl_fastboot.h index 2e70bef8158..1dff46ecb3d 100644 --- a/include/fsl_fastboot.h +++ b/include/fsl_fastboot.h @@ -88,6 +88,7 @@ #define FASTBOOT_SET_RPMB_KEY "set-rpmb-key" #define FASTBOOT_SET_RPMB_RANDOM_KEY "set-rpmb-random-key" #define FASTBOOT_SET_VBMETA_PUBLIC_KEY "set-public-key" +#define FASTBOOT_GET_MPPUBK "get-mppubk" #endif #define FASTBOOT_SET_CA_RESP "at-set-ca-response" diff --git a/include/interface/keymaster/keymaster.h b/include/interface/keymaster/keymaster.h index a5e3e8b4c7b..ff5583496f3 100644 --- a/include/interface/keymaster/keymaster.h +++ b/include/interface/keymaster/keymaster.h @@ -62,7 +62,8 @@ enum keymaster_command { KM_ATAP_SET_CA_RESPONSE_UPDATE = (0x6000 << KEYMASTER_REQ_SHIFT), KM_ATAP_SET_CA_RESPONSE_FINISH = (0x7000 << KEYMASTER_REQ_SHIFT), KM_ATAP_READ_UUID = (0x8000 << KEYMASTER_REQ_SHIFT), - KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT) + KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT), + KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT) }; typedef enum { @@ -212,6 +213,15 @@ struct km_raw_buffer_resp { } TRUSTY_ATTR_PACKED; /** + * km_get_mppubk_resp - response format for mppubk buffer + */ +struct km_get_mppubk_resp { + int32_t error; + uint32_t data_size; + uint8_t data[64]; +} TRUSTY_ATTR_PACKED; + +/** * km_set_ca_response_begin_req - starts the process to set the ATAP CA Response * * @ca_response_size: total size of the CA Response message diff --git a/include/trusty/keymaster.h b/include/trusty/keymaster.h index eadb0d13196..6c8d2e94aea 100644 --- a/include/trusty/keymaster.h +++ b/include/trusty/keymaster.h @@ -127,4 +127,12 @@ int trusty_atap_read_uuid_str(char **uuid_p); */ int trusty_set_product_id(const uint8_t *product_id, uint32_t size); +/* + * trusty_get_mppubk is called to get the mppubk from trusty side. + * + * @mppubk: Pointer to the buffer which store the mppubk. + * @size: Pointer to The size of mppubk. + */ +int trusty_get_mppubk(uint8_t *mppubk, uint32_t* size); + #endif /* TRUSTY_KEYMASTER_H_ */ diff --git a/lib/avb/fsl/fsl_avbkey.c b/lib/avb/fsl/fsl_avbkey.c index 63d51102f3f..d9c0a37dd18 100644 --- a/lib/avb/fsl/fsl_avbkey.c +++ b/lib/avb/fsl/fsl_avbkey.c @@ -25,6 +25,9 @@ #include <memalign.h> #include "trusty/hwcrypto.h" #include "fsl_atx_attributes.h" +#include <asm/mach-imx/hab.h> +#include <asm/arch/sys_proto.h> +#include <asm/mach-imx/sci/sci.h> #define INITFLAG_FUSE_OFFSET 0 #define INITFLAG_FUSE_MASK 0x00000001 @@ -1060,6 +1063,28 @@ int at_disable_vboot_unlock(void) #endif /* CONFIG_AVB_ATX */ #if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) + +DECLARE_GLOBAL_DATA_PTR; +extern struct imx_sec_config_fuse_t const imx_sec_config_fuse; +#define HAB_ENABLED_BIT (is_soc_type(MXC_SOC_IMX8M)? 0x2000000 : 0x2) + +/* Check hab status, this is basically copied from imx_hab_is_enabled() */ +bool hab_is_enabled(void) +{ + struct imx_sec_config_fuse_t *fuse = + (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse; + uint32_t reg; + int ret; + + ret = fuse_read(fuse->bank, fuse->word, ®); + if (ret) { + puts("\nSecure boot fuse read error\n"); + return ret; + } + + return (reg & HAB_ENABLED_BIT) == HAB_ENABLED_BIT; +} + int do_rpmb_key_set(uint8_t *key, uint32_t key_size) { int ret = 0; @@ -1188,5 +1213,37 @@ int avb_set_public_key(uint8_t *staged_buffer, uint32_t size) { return 0; } + +int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size) { + +#ifdef CONFIG_ARCH_IMX8 + sc_err_t err; + uint16_t lc; + sc_ipc_t ipcHndl = gd->arch.ipc_channel_handle; + + err = sc_seco_chip_info(ipcHndl, &lc, NULL, NULL, NULL); + if (err != SC_ERR_NONE) { + printf("Error in get lifecycle\n"); + return -1; + } + + if (lc != 0x80) { +#else + if (!hab_is_enabled()) { +#endif + ERR("Error. This command can only be used when hab is closed!!\n"); + return -1; + } + if ((staged_buffer == NULL) || (size == NULL)) { + ERR("Error. Get null staged_buffer!\n"); + return -1; + } + if (trusty_get_mppubk(staged_buffer, size)) { + ERR("Error. Failed to get mppubk!\n"); + return -1; + } + + return 0; +} #endif /* CONFIG_IMX_TRUSTY_OS && !defind(CONFIG_AVB_ATX) */ #endif /* CONFIG_SPL_BUILD */ diff --git a/lib/trusty/ql-tipc/keymaster.c b/lib/trusty/ql-tipc/keymaster.c index eaa43e38744..0826002943e 100644 --- a/lib/trusty/ql-tipc/keymaster.c +++ b/lib/trusty/ql-tipc/keymaster.c @@ -480,3 +480,31 @@ int trusty_atap_read_uuid_str(char **uuid_p) } return rc; } + +int trusty_get_mppubk(uint8_t *mppubk, uint32_t *size) +{ + int rc = TRUSTY_ERR_GENERIC; + struct km_get_mppubk_resp resp; + + rc = km_send_request(KM_GET_MPPUBK, NULL, 0); + if (rc < 0) { + trusty_error("failed to send km mppubk request\n", rc); + return rc; + } + + rc = km_read_raw_response(KM_GET_MPPUBK, &resp, sizeof(resp)); + if (rc < 0) { + trusty_error("%s: failed (%d) to read km mppubk response\n", __func__, rc); + return rc; + } + + if (resp.data_size != 64) { + trusty_error("%s: Wrong mppubk size!\n", __func__); + return TRUSTY_ERR_GENERIC; + } else { + *size = resp.data_size; + } + + memcpy(mppubk, resp.data, resp.data_size); + return TRUSTY_ERR_NONE; +} |