path: root/include
Age | Commit message | Author
2022-07-11 | LF-6555 imx8m[m/n/p/q]_evk: add bootargs to support mcore | Peng Fan
If you want to use Linux remoteproc to start the M core, `run prepare_mcore`. It does not matter if it is also added when using U-Boot bootaux to start the M core, so these bootargs can be added by default for either a U-Boot start or a Linux start.
Reviewed-by: Jacky Bai <ping.bai@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-07-06 | MLK-25965-5 video: bridge: Add check_timing interface | Ye Li
Add the new interface check_timing to the video bridge uclass. A bridge device that may update the timing needs to implement the callback, so the host device can sync the timing with the bridge.
Signed-off-by: Ye Li <ye.li@nxp.com>
2022-07-06 | MLK-25965-1 power: imx93-blk-ctrl: Add imx93 block ctrl driver | Ye Li
Add block ctrl driver to handle the reset and clock gate in mediamix.
Signed-off-by: Ye Li <ye.li@nxp.com>
2022-07-06 | net: Check for the minimum IP fragmented datagram size | Fabio Estevam
Nicolas Bidron and Nicolas Guigo reported the two bugs below:

"
----------BUG 1----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of `ip->ip_len` (IP packet header's Total Length) higher than `IP_HDR_SIZE` and strictly lower than `IP_HDR_SIZE+8` will lead to a value for `len` comprised between `0` and `7`. This will ultimately result in a truncated division by `8` resulting in a value of `0`, forcing the hole metadata and fragment to point to the same location. The subsequent memcopy will overwrite the hole metadata with the fragment data. Through a second fragment, this can be exploited to write to an arbitrary offset controlled by that overwritten hole metadata value.

This bug is only exploitable locally as it requires crafting two packets, the first of which would most likely be dropped through routing due to its unexpectedly low Total Length. However, this bug can potentially be exploited to root Linux based embedded devices locally.

```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
	static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
	static u16 first_hole, total_len;
	struct hole *payload, *thisfrag, *h, *newh;
	struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
	uchar *indata = (uchar *)ip;
	int offset8, start, len, done = 0;
	u16 ip_off = ntohs(ip->ip_off);

	/* payload starts after IP header, this fragment is in there */
	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
	offset8 = (ip_off & IP_OFFS);
	thisfrag = payload + offset8;
	start = offset8 * 8;
	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```

The last line of the previous excerpt from `u-boot/net/net.c` shows how the attacker can control the value of `len` to be strictly lower than `8` by issuing a packet with `ip_len` between `21` and `27` (`IP_HDR_SIZE` has a value of `20`). Also note that `offset8` here is `0` which leads to `thisfrag = payload`.

```C
	} else if (h >= thisfrag) {
		/* overlaps with initial part of the hole: move this hole */
		newh = thisfrag + (len / 8);
		*newh = *h;
		h = newh;
		if (h->next_hole)
			payload[h->next_hole].prev_hole = (h - payload);
		if (h->prev_hole)
			payload[h->prev_hole].next_hole = (h - payload);
		else
			first_hole = (h - payload);

	} else {
```

Lower down the same function, execution reaches the above code path. Here, `len / 8` evaluates to `0` leading to `newh = thisfrag`. Also note that `first_hole` here is `0` since `h` and `payload` point to the same location.

```C
	/* finally copy this fragment and possibly return whole packet */
	memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```

Finally, in the above excerpt the `memcpy` overwrites the hole metadata since `thisfrag` and `h` both point to the same location. The hole metadata is effectively overwritten with arbitrary data from the fragmented IP packet data. If `len` was crafted to be `6`, `last_byte`, `next_hole`, and `prev_hole` of the `first_hole` can be controlled by the attacker.

Finally the arbitrary offset write occurs through a second fragment that only needs to be crafted to write data in the hole pointed to by the previously controlled hole metadata (`next_hole`) from the first packet.

### Recommendation

Handle cases where `len` is strictly lower than 8 by preventing the overwrite of the hole metadata during the memcpy of the fragment. This could be achieved by either:

* Moving the location where the hole metadata is stored when `len` is lower than `8`.
* Or outright rejecting fragmented IP datagrams with a Total Length (`ip_len`) lower than 28 bytes, which is the minimum valid fragmented IP datagram size (as defined by the minimum fragment of 8 octets in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 25).

----------BUG 2----------

In compiled versions of U-Boot that define CONFIG_IP_DEFRAG, a value of `ip->ip_len` (IP packet header's Total Length) lower than `IP_HDR_SIZE` will lead to a negative value for `len` which will ultimately result in a buffer overflow during the subsequent `memcpy` that uses `len` as its `count` parameter.

This bug is only exploitable on local ethernet as it requires crafting an invalid packet to include an unexpected `ip_len` value in the IP UDP header that's lower than the minimum accepted Total Length of a packet (21 as defined in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791)). Such a packet would in all likelihood be dropped while being routed to its final destination through most routing equipment and as such requires the attacker to be in a local position in order to be exploited.

```C
static struct ip_udp_hdr *__net_defragment(struct ip_udp_hdr *ip, int *lenp)
{
	static uchar pkt_buff[IP_PKTSIZE] __aligned(PKTALIGN);
	static u16 first_hole, total_len;
	struct hole *payload, *thisfrag, *h, *newh;
	struct ip_udp_hdr *localip = (struct ip_udp_hdr *)pkt_buff;
	uchar *indata = (uchar *)ip;
	int offset8, start, len, done = 0;
	u16 ip_off = ntohs(ip->ip_off);

	/* payload starts after IP header, this fragment is in there */
	payload = (struct hole *)(pkt_buff + IP_HDR_SIZE);
	offset8 = (ip_off & IP_OFFS);
	thisfrag = payload + offset8;
	start = offset8 * 8;
	len = ntohs(ip->ip_len) - IP_HDR_SIZE;
```

The last line of the previous excerpt from `u-boot/net/net.c` shows where the underflow to a negative `len` value occurs if `ip_len` is set to a value strictly lower than 20 (`IP_HDR_SIZE` being 20). Also note that in the above excerpt the `pkt_buff` buffer has a size of `CONFIG_NET_MAXDEFRAG` which defaults to 16 KB but can range from 1KB to 64 KB depending on configurations.

```C
	/* finally copy this fragment and possibly return whole packet */
	memcpy((uchar *)thisfrag, indata + IP_HDR_SIZE, len);
```

In the above excerpt the `memcpy` overflows the destination by attempting to make a copy of nearly 4 gigabytes in a buffer that's designed to hold `CONFIG_NET_MAXDEFRAG` bytes at most, which leads to a DoS.

### Recommendation

Stop processing of the packet if `ip_len` is lower than 21 (as defined by the minimum length of a data carrying datagram in the IP Specification Document: [RFC791](https://datatracker.ietf.org/doc/html/rfc791) page 34).
"

Add a check for ip_len less than 28 and stop processing the packet in this case. Such a check covers the two reported bugs.

Reported-by: Nicolas Bidron <nicolas.bidron@nccgroup.com>
Signed-off-by: Fabio Estevam <festevam@denx.de>
(cherry picked from commit b85d130ea0cac152c21ec38ac9417b31d41b5552)
2022-07-06 | MLK-25932 configs: imx93: add Jailhouse boot command | Alice Guo
Run jh_mmcboot/jh_netboot, and then Jailhouse can be run.
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Alice Guo <alice.guo@nxp.com>
2022-07-06 | LFU-330-48 imx93_evk: Add iMX93 11x11 EVK board support | Ye Li
Add board codes and defconfig for the i.MX93 11x11 EVK board. Supported functions: UART, USB host/gadget/typec/pd, I2C, DDR, clock, SD/eMMC, eQoS, FEC, GPIO, IO Expander, PMIC.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-07-06 | LFU-330-46 arm: dts: Add i.MX93 SoC DTSi file | Ye Li
Add the DTSi file and DT header files for the i.MX93 SoC.
Signed-off-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Alice Guo <alice.guo@nxp.com>
2022-07-06 | LFU-330-38 imx9: Support booting m33 from Acore | Peng Fan
Add the bootaux command to support on-demand booting of the M33 from u-boot. It kicks the M33 via ATF by "bootaux 0x201e0000 0".
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-07-06 | LFU-330-2 fsl_lpuart: add i.MX9 support | Peng Fan
i.MX9 shares the same register layout as i.MX7ULP, so add the i.MX9 define here.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-05-31 | MA-20327 imx8q: add dual bootloader support | Ji Luo
Add dual bootloader support for imx8q platforms.
Change-Id: I8ba5e74e1a442c0210725c07e869eab3c82a60dc
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-05-30 | LFU-341 mx7d_val: Fix mmcpart typo | Ye Li
Delete a blank space from the mmcpart variable.
Signed-off-by: Ye Li <ye.li@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
2022-05-25 | MA-20307 imx8mq: enlarge spl max size | Ji Luo
Enlarge the spl max limits to fix build break.
Change-Id: I828bb00aeab3f7236d83d251922a4829af2d196a
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-05-25 | MA-20303-2 Enable configs to check rollback index | Ji Luo
Enable related configs to support the rollback index check in the single bootloader case.
Change-Id: I836a39fdf4b67e6358af8ef5db0cba489d271d43
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-05-25 | MA-20303-1 Support rollback index check for single bootloader | Ji Luo
Add support to check the rollback index of next stage images (ATF, TEE, u-boot proper) in SPL to harden the security. Because there is no backup bootloader image to fall back to, the board will hang in SPL if the rollback index is rejected.
Change-Id: I4c7d1f084dd5b3d37899a9e4c4755c03145542c7
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-04-28 | efi_loader: add sha384/512 on certificate revocation | Ilias Apalodimas
Currently we don't support sha384/512 for the X.509 certificate To-Be-Signed contents. Moreover, if we come across such a hash we skip the check and approve the image, although the image might need to be rejected. It's worth noting here that efi_hash_regions() can now be reused from efi_signature_lookup_digest() and adds sha384/512 support there as well.
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-04-27 | MA-20238 Pass boot device from bootloader | Ji Luo
The init can parse 'androidboot.boot_devices' and use its value as the boot device directly. This commit reads from the device tree and passes the correct 'androidboot.boot_devices' according to the current boot device so we can get rid of the hack in init.
Change-Id: I31accc254e32e55dfbd92e356b7c2357ff3098c2
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-04-27 | LFU-317-2 rsa: add RSA1024 support for SR-IR ACS | Peng Fan
SR-IR ACS has an RSA1024 test, so add RSA1024 support in U-Boot.
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
2022-04-22 | MA-20225 imx8ulp: guard get_board_serial() with CONFIG_SERIAL_TAG | Ji Luo
Guard the get_board_serial() for imx8ulp with CONFIG_SERIAL_TAG to align with other platforms.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-04-20 | MA-19038 Android: Add imx8/imx8m/imx8ulp reference boards support | Ji Luo
Add configs to support imx8/imx8m/imx8ulp reference boards; each platform has its specific header files included.
Test: sanity test on imx8/imx8m/imx8ulp platforms.
Change-Id: I05708fbc108a78ac9b3415cb782bf1013e2f7012
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2022-04-20 | MA-19663 Configure boot security patch level | Ji Luo
The boot security patch level should be set in the bootloader and it will be returned in the TEE enforced authorization list. After building with "BOOT_SECURITY_PATCH" set, the boot security patch level would be set as a vbmeta property and would be saved in the vbmeta struct in the boot image. This commit would parse the boot security patch level (which is in YYYY-MM-DD format) and pass it to the keymaster TA.
Test: Set and get boot security patch level && VtsHalKeymasterV4_0Target module run
Change-Id: Iac75579c680e8b80b28d3a82cd17cbcd8a93509e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 8816d0a5327fc5dc1e2460db8185d39e5b2dd9ce)
2022-04-20 | MA-19440 Support boot header v4 | Ji Luo
This commit supports booting with boot header v4. Main updates in boot header v4:

boot image:
1. "boot signature" would be added to the boot image to help attest the GKI boot image signed by Google.

vendor boot image:
1. multiple ramdisks are supported. This commit will only support one default ramdisk loading for now.
2. bootconfig is supported. All build time and run time androidboot.* parameters should be removed from bootargs and should be concatenated right after the ramdisk.

Test: boots with boot header v3 and v4.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Change-Id: I92ea8d593a91fc14b417774956b58a94cc7b3d81
(cherry picked from commit a9bbf7a1586404d691a302bd7fbe7eb99682e261)
2022-04-20 | MA-19340-1 Enable ID attestation for Android12 | Ji Luo
The ID attestation is supported by default in Trusty OS now, but the format of the data is different from the NXP implemented one. This commit abandons the NXP implementation and syncs the process and data format with Trusty OS.
Test: ID provision and attestation.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Change-Id: I87d4fe98125858cfac4a997c70fcb66826c5710a
(cherry picked from commit 2786fc57541bf15cd8e9855c68b84c6a6521d614)
2022-04-20 | MA-19048-1 MCU security enhancement | Ji Luo
Move the MCU RDC config to dts; it will be parsed by SPL and stored in OCRAM_S, then the MCU RDC config will be set up before the MCU is kicked. Use HAB to verify the MCU image to guarantee its integrity.
Change-Id: I82dd378a6516b4d3cc47c5de2e403d817ba80256
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
(cherry picked from commit 2e972e4aa6c44eec0444d59d11c0a0c175699cf2)
2022-04-20 | MA-19082-2 imx8m: Use Trusty OS handle SNVS operation | Ji Luo
This patch added Trusty OS in u-boot to handle some SNVS related operations.
Change-Id: Iba2b9e12381ce537b40959f14e831accbdecba8f
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit ea729b07661bf849cdbd6ca7c3f6c9948fd38dc7)
2022-04-20 | MA-19065-1 Support widevine keybox provision | Ji Luo
Support widevine keybox provisioning via hwcrypto; the keybox would be written into secure storage. This commit supports two kinds of widevine keybox provisioning: plain text keybox and encrypted keybox.

Command to provision the plain text keybox:
$ fastboot stage <path-to-plain-text-keybox>
$ fastboot oem provision-wv-keybox

Command to provision the encrypted keybox:
$ fastboot stage <path-to-encrypted-keybox>
$ fastboot oem provision-wv-keybox-enc

Test: plain text/encrypted keybox provisioning on imx8mp.
Change-Id: I241afade415fc3e2b0a80d286b3cc4e8d702e620
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit d7a760613efbeeea83ca4b8d9949941050e15805)
2022-04-18 | MA-17046-1 Show orange warning for unlocked device | Ji Luo
According to the Google boot flow, an orange warning should be displayed on an UNLOCKED device to remind the users of the potential risks. This commit will show an orange warning logo and warning text on the screen; it shall be dismissed after 3 seconds, and users can also skip it by pressing the ON-OFF button. Configs 'CONFIG_AVB_WARNING_LOGO_COLS' and 'CONFIG_AVB_WARNING_LOGO_ROWS' define the (x, y) position of the warning logo; their default values are for a 1080*720 resolution display and can be overridden.
Test: Orange warning logo shows on all imx8m/imx8q platforms.
Change-Id: I607edb3da039b47ddfac681f855834d8da187af8
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 8ddefdb1186feb3580830fa04b588d3ee606cf81)
(cherry picked from commit fbd21482417c4dc3de16d1689fe899ad11764f71)
2022-04-18 | MA-18913 Load dtb according to kernel address | Ji Luo
As the kernel image will get bigger after enabling some debug tools, a 64MB kernel max size is not enough. Load the dtb to the address right after the Linux kernel instead of setting a fixed offset from the start of the kernel image. The "kernel_size" in the boot image header is the physical size of "Image" instead of the memory size which Linux requires to boot.
Test: boots on imx8mp/imx8qm.
Change-Id: I5946c8530610ff0742f2a911aaeccf7636938b94
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Wang Haoran <elven.wang@nxp.com>
(cherry picked from commit c1f83790077516a64397467fce5880be0871f615)
(cherry picked from commit 27badbeb3b47c1151cc4d4eab3675ee839b5f716)
2022-04-18 | MA-18680-2 Support derive rpmb key from BKEK | Ji Luo
The BKEK will bind to the SoC chip and we don't need to store the encapsulated keyslot after using BKEK as the rpmb key, which reduces the risk of losing the rpmb key. This commit adds two commands to support deriving the rpmb key from BKEK and erasing the rpmb storage (for debug purposes, needs support from trusty):
$ fastboot oem set-rpmb-hardware-key
$ fastboot oem erase-rpmb

The legacy keyslot way is still supported and boards programmed with a keyslot can still work in a compatible way. The command to set the provisioned rpmb key is changed to:
$ fastboot stage <rpmb-key>
$ fastboot oem set-rpmb-staged-key

Test: Key set and boot on imx8mn/imx8qxp.
Change-Id: Ifc88010fe8802d3550e42dff0bbd5a5e5ad922a3
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 0fd1b5e41645ac3f5c05ad82258df1645c59fb5a)
(cherry picked from commit 6a5125b9caf4c2e036853d8f53f8398c147758b3)
(cherry picked from commit ca4258ca0702e082ad975e08ee33fd05d518b690)
2022-04-18 | MA-18508 Sync keymaster bootloader commands ID | Ji Luo
AOSP adds command 'KM_CLEAR_ATTESTATION_CERT_CHAIN' to clear the attestation cert chain, but its ID will conflict with 'KM_SET_ATTESTATION_KEY_ENC'. This commit will reorder the keymaster commands to avoid conflicts.
Test: ID attestation provision.
Change-Id: I0046b5bee4e0ffea3bdcff31859452da53d8e50d
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit e19aa1c26047dc719e7561695100dac807925ae7)
(cherry picked from commit b9a1bcaea22da0491df322b36740d7498e39cd38)
(cherry picked from commit fe937af1aaa05a211e0af67d52c2ced0e944b9f5)
2022-04-18 | MA-18422 Locate the misc partition by name | Ji Luo
Locating the misc partition by ID can help reduce the boot time, but errors may happen if the ID of the misc partition is changed. Moving the misc partition to the start of the GPT and locating the partition by name is another option, but it will break backward compatibility as the GPT is changed. part_get_info_by_name() will loop over the PTE and return the matched partition info, but it will cost much time as it reloads the whole PTE from storage in each loop. This commit provides part_get_info_efi_by_name() to support returning the partition info by name without reloading the whole PTE.
Test: A/B slot switch in dual bootloader.
Change-Id: I13cb2a7b3217f73aecc2aec6e06abc0d6e8abcdd
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit cd8f603f0d977ed73f0d0b44437c5c68fcebde25)
(cherry picked from commit d9972736dc0272377f89ccf528e8a873199c7903)
(cherry picked from commit 945bde8da972c30b87027b43a42b21035707fea7)
2022-04-18 | MA-18352-5 Support device IDs provision | Ji Luo
The device IDs are provisioned from the bootloader; this commit adds commands to provision the device IDs:
$ fastboot oem append-device-id

Test: Device IDs provision and attest.
Change-Id: Id3c737d3da02f7ba463e51b0525f3cb9bcf0c6d1
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 7575ac07ac625c35269868511297385a69c96196)
(cherry picked from commit 7f300b1fc543d8f4cbe7329a78e31273678162a5)
(cherry picked from commit 9cef720d338cd24edcf59d957543a5ff82eef4ac)
2022-04-18 | MA-18087-3 Add snapshot-update command | Ji Luo
Add support for 'fastboot snapshot-update cancel'; it cancels the snapshot update process so erase/update partitions can proceed.
Test: run 'fastboot snapshot-update cancel'.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ic1dfaf09a27fecf6e14b7149aeb5e0a9a1d220c9
(cherry picked from commit 3074fbf88b1b654026608574b94fdd58426ae493)
(cherry picked from commit 18c6b24524b13b3c6c5c1d7db2043159a784fccc)
(cherry picked from commit e84fae5a9caea3e3ad1dda84f29125742ebd0fd1)
2022-04-18 | MA-18051 avoid overflow in partition size calculation | faqiang.zhu
If a partition is not less than 4GB, to avoid the overflow issue when calculating the partition size in bytes, change the value of the partition length in block size to the type "unsigned long".
Change-Id: Ifa4ddb5169fcb02822ef152a6c70d01b5d3cf50d
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
(cherry picked from commit c4e9be08d90ca59531542c97bd8fe16eab2ab099)
(cherry picked from commit 6c1471828256f5c95d3043099fcc00906726fdd3)
(cherry picked from commit 900872464c2d8cb1862ac1d2a413d631bce64213)
2022-04-18 | MA-17541-1 Support virtual A/B update | Ji Luo
A 'misc_virtual_ab_message' struct will be stored at the 32kB offset in the misc partition, which will be used to record the virtual A/B update status. The bootloader should take care of this status; some operations must be restricted. This commit will:
1. Restrict erase/flash operations to "misc", "userdata" or "metadata" partitions if the merge status is "SNAPSHOTTED" or "MERGING".
2. Restrict slot switch if the merge status is "MERGING".
3. Output a warning in slot switch if the merge status is "SNAPSHOTTED".
4. Set the merge status as "CANCELLED" if an image flash happens.

Test:
1. fastboot erase/flash "userdata", "misc", "metadata" after virtual A/B update
2. slot switch after virtual A/B update

Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I33f0041c5e76913d3970d943cad52353e0ac5f2d
(cherry picked from commit 30df087bfc5e31413473f85dfefaa7176bc394a8)
(cherry picked from commit 7fd03bcc8f1fc094362c11d71cf740ac9b5724c1)
(cherry picked from commit 97495e9189afc4a26e6e03fd8ac7389f445c590e)
2022-04-18 | MA-17142-2 set metadata partition type as ext4 | faqiang.zhu
The metadata partition is used in some functions like apex and userdata checkpoint to store files; mark it as an ext4 partition so it can be formatted with the "fastboot format metadata" command and be mounted when executing first stage init.
Change-Id: Id22b39d71e6823d3a284f3df00959a6d748ab9c7
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
(cherry picked from commit 4f42888967a0354a0dd222ad7b01761450a1713b)
(cherry picked from commit a69157bee180974eb4ee89b0847473bd6538d2a0)
(cherry picked from commit 881f5a44e3eb80ac2b3c1ba08c7bf544330c0039)
2022-04-18 | MA-17338-1 Enable boot control v1.1 | Ji Luo
The old boot control logic and misc data struct are based on the 'external/avb/libavb_ab' library, which is already marked as deprecated and won't be maintained by Google anymore:

    commit 37f5946d0e1159273eff61dd8041377fedbf55a9
    Author: David Zeuthen <zeuthen@google.com>
    Date:   Wed Sep 20 15:02:32 2017 -0400

        Deprecate libavb_ab and bootctrl.avb code.

        This code was already marked as experimental in anticipation of being removed in the future. Officially deprecate it and set Jun 1 2018 as the date it will be removed. This should give users of the code ample time to fork/migrate. To keep using the code AVB_AB_I_UNDERSTAND_LIBAVB_AB_IS_DEPRECATED must be defined.

        The reason for deprecating this code is twofold:
        - Its policy was optimized for devices without a display with e.g. automatic fallback to the other slot if a slot fails to boot. Since most A/B stacks in Android devices don't work this way this code is confusing.
        - There are no known active users, no good test coverage for the bootctrl.avb code, and no plans to use it.

        When the code is removed we'll provide an easy transition path by keeping (but renaming) the |ab_ops| member in AvbOps.

        Change-Id: Id5e090a2048076d36ccca2e1c4cb55e226b8b43d

Google has provided a new boot control v1.1 implementation under 'hardware/interfaces/boot/1.1/default' which uses a new misc data struct defined in 'include/android_bootloader_message.h'. This commit adds a new boot control implementation in the bootloader, which combines the new misc data struct and inherits some flow from 'libavb_ab'; the old 'libavb_ab' library will be removed.
Test: boot/slot switch/retry count test on single&dual bootloader.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I0fa1ee8562c83afec549c8f6aad7a26a2214f626
(cherry picked from commit 29aafaf065d1688201d014213052863ec9d18e9c)
(cherry picked from commit f5cda163c1559480a43e75869747a50787fd0ee1)
(cherry picked from commit a45dca90ff92f548f157f8739a76f249ca8241cb)
2022-04-18 | MA-17390 Clean build warnings for android | Ji Luo
This commit eliminates the annoying build warning logs.
Test: builds with buildman.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ia335dafe3f4c0eab08e011215b9de5d2974b8d0c
(cherry picked from commit 85e0d429d19b8f9a62369a5f20e088644c488b1e)
(cherry picked from commit 52471735760a8d3a410f88c144910a07a161028d)
(cherry picked from commit c0ed4a68aecf0cf67d61c72c273fcd655682366f)
2022-04-18 | MA-17260 Add vendor boot and boot header v3 support | Ji Luo
GKI (Generic Kernel Image) requires boot header v3 and vendor boot support; all device specific info is moved to the vendor_boot partition, and boot header v3 will not be compatible with earlier versions (0/1/2). This commit adds support for boot header v3 and vendor boot; it would concatenate the generic ramdisk and vendor ramdisk to generate the final ramdisk passed to the kernel.
Test: boots with or without boot header v3 and vendor boot support.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ib3298ae46bfc728aa4a34909d372eff6cc86ca70
(cherry picked from commit c3854f270a19e7d57b996e6074d692ab9bc88c32)
2022-04-18 | MA-16457-2 support reboot-fastboot command in u-boot | Haoran.Wang
Android implements the userspace fastboot in Android Recovery. Following Google's spec, add support for the 2 fastboot commands below:
* fastboot getvar is-userspace
* fastboot reboot fastboot

TEST: fastboot commands.
Change-Id: Ib6047413be0a45b3c00626cdb8594809eb8a2b6b
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
(cherry picked from commit 314bded076dfc3e544cc7094ce3f6c4c330be4dd)
(cherry picked from commit 89e63a8f1b20dfe5633f4d854aeb6d712b3ccaa4)
(cherry picked from commit e85a5f856e7819eff2c4ba8da9490a03f5edd346)
2022-04-18 | MA-15715-1 Refine trusty logs | Ji Luo
Refine trusty log output to make it simpler.
Test: boots.
Change-Id: Id94fc245206c5f78e0dbcb0baf5db6475c9f744d
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit a50b4fca22111fe7b85b5584ff317db55d664c50)
(cherry picked from commit c17f0cb30c23ed6dab7312cec88707cb355e91a3)
(cherry picked from commit 9dd25cbbba17c4193a95e19a68c06071bcd93323)
2022-04-18 | MA-15575-3 Add support for oemlock 1.0 hal | Ji Luo
Add commands to read the oem device unlock state from the trusty avb app. Use the oem device unlock state to determine if the device can be unlocked instead of the state in the persistdata part.
Test: Read oem device unlock state from avb app.
Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit c6eaf8e32987f120c0c5441ea39aa0f39a65b50d)
(cherry picked from commit 8b58afda1cd1f91048504b48b95260e930a37326)
(cherry picked from commit dc2acac3cdfe0ca77747e9c435e3f140acc07705)
2022-04-18 | MA-15321-3 Support secure unlock feature | Ji Luo
Decrypt and verify the secure credential in the keymaster TA; the unlock operation can only be allowed after the secure credential verification passes. Since the mppubk can only be generated on HAB closed imx8q, the secure unlock feature can only be supported when HAB is closed.
Test: secure unlock credential verify on hab closed imx8mm_evk.
Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a)
(cherry picked from commit 063d358ab4bbfea998e0c975f31724757243545a)
(cherry picked from commit 5980e3882093c522723aa6a3af6f85fb5b8a47c1)
2022-04-18 | MA-15321-2 Add command to get serial number | Ji Luo
Add commands to support extracting the serial number from the device. Commands:
$ fastboot oem get-serial-number
$ fastboot get_staged <path-to-serial-number>

Test: serial number upload on imx8mm.
Change-Id: I5c905ab797d4fd28d76c8403914f191eaf2ef687
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 250ef119c1dc02908046113893df5eeb9ef40605)
(cherry picked from commit e4790456a5b19c4a108dc5b9ec02e81ee8e2752b)
2022-04-18 | MA-15158 Set spl recovery mode for dual bootloader | Ji Luo
The A/B slot selection is moved to spl; it may lead to a hang if no bootable slots are found. The only way to recover the board is to re-flash images with the uuu tool, which is quite inconvenient for some customers who can't enter serial download mode. This patch will set "spl recovery mode" which will give us a chance to re-flash images with fastboot commands.
Test: Enter spl recovery mode and flash images when no bootable slots found.
Change-Id: I31278f5212bde7609fe2f49e77b3849e92c0c516
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 46cc755cf3f42422ee1d7783394e14e8125df2b6)
(cherry picked from commit 047f09ef2ef33657d76fd92d8f5599e00158cd6b)
(cherry picked from commit e96b68d22e89e4031d1117ab347f042577c5c8f1)
2022-04-18 | MA-15151 Limit some hwcrypto commands within bootloader | Ji Luo
It can be dangerous to export some hwcrypto commands to Linux; add commands to limit some commands within the bootloader.
Test: hwcrypto commands can't be used after locking boot state.
Change-Id: Ib0a96a87f661778c133178840d8dccf49f151c22
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 3fc3f521957677b1f363624494ed866985a25505)
(cherry picked from commit 38f9975064dbd6b9c7183a5e7fc54a099a56e973)
(cherry picked from commit 62f2b87290750c91f29e0d573bf8560134415b39)
2022-04-18 | MA-15017 Add new command to generate bkek from trusty | Ji Luo
Add a new command to generate the bkek from trusty.
Test: generate and dump bkek.
Change-Id: I6b2a30b87c755eecd00ced7c53cfb86e432040de
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 6c1087c030de491a12b7f1be9d332f30ba27d183)
(cherry picked from commit 02f0cd1484bc8883d784e08ea9c8fd2e9fc7dd3d)
(cherry picked from commit 2ad901636baf6678c6a1e42d51e7fd1d1772c316)
2022-04-18 | MA-15015 Add sha256_hmac support | Ji Luo
Add sha256 hmac support in u-boot.
Test: hmac calculation.
Change-Id: I0f1438fed8290620a1bb0663d19c21e20098eb5a
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from 1e06de6ef23c1ae9d51383f3c57bb045ea180c03)
(cherry picked from 3fc7a485b5098bec7fa22184da28a937a407192e)
2022-04-18 | MA-15142 Support secure attestation provision | Haoran.Wang
On the host end, the attestation keys and certs need to be encrypted with the manufacture protection public key through AES-128-ECB. Then use the 4 sets of commands below to provision the encrypted RSA attestation and EC attestation:
* $fastboot stage atte_rsa_key.bin
* $fastboot oem set-rsa-atte-key-enc
* $fastboot stage atte_rsa_cert.bin
* $fastboot oem append-rsa-atte-cert-enc
* $fastboot stage atte_ec_key.bin
* $fastboot oem set-ec-atte-key-enc
* $fastboot stage atte_ec_cert.bin
* $fastboot oem append-ec-atte-cert-enc

Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
(cherry picked from commit 58965915dd69050429142d3d180c75e98ad14788)
(cherry picked from commit 55669422dc8e2094f95d92075b69fc2f0a3b409c)
2022-04-18 | MA-15019-1 Support Manufacture Protection public key generation | Ji Luo
Add new keymaster commands to get the Manufacture Production key (mppubk). Since the mppubk can only be generated on an OEM CLOSED imx8q board, we can only use this command when the board is HAB/AHAB closed. Commands to extract the mppubk:
* $fastboot oem get-mppubk
* $fastboot get_staged mppubk.bin

Test: Generate and dump the mppubk.bin
Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7)
(cherry picked from commit 7320c7c0efacfb7706e85bfe82d11ac6c2e5b61f)
2022-04-18 | MA-15062-2 change mcu firmware partition name | Ji Luo
New imx8mn chips have a Cortex-M7 inside, unlike any other existing multi-core i.MX MPU. Users may manually flash mcu firmware with fastboot, and the partition name needs to be specified at the same time, so the mcu firmware partition name needs to be changed. Related enum and variable names are also modified.
Change-Id: Ia801e76fb3a20d0074dbbc1433258358c1a53907
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit dc25b7b27fa5c2293d09789a338a1aed2e3a010f)
(cherry picked from commit 74da26c497c9a4d28e9fc153a543ada3f2b9cc0d)