Age | Commit message (Collapse) | Author |
|
It can be dangerous to export some hwcrypto commands to Linux,
add commands to limit some commands within bootloader.
Test: hwcrypto commands can't be used after locking boot state.
Change-Id: Ib0a96a87f661778c133178840d8dccf49f151c22
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new command to generate bkek from trusty.
Test: generate and dump bkek.
Change-Id: I6b2a30b87c755eecd00ced7c53cfb86e432040de
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
In host end, need encrypt the attestation keys and certs
by manufacture protection public key though AES-128-ECB.
Then use below 4 set of commands to provision encrypted
RSA attestation and EC attestation:
* $fastboot stage atte_rsa_key.bin
* $fastboot oem set-rsa-atte-key-enc
* $fastboot stage atte_rsa_cert.bin
* $fastboot oem append-rsa-atte-cert-enc
* $fastboot stage atte_ec_key.bin
* $fastboot oem set-ec-atte-key-enc
* $fastboot stage atte_ec_cert.bin
* $fastboot oem append-ec-atte-cert-enc
Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Add new keymaster commands to get Manufacure Production key (mppubk).
Since the mppubk can only be generated in OEM CLOSED imx8q board, so
we can only this command when the board is HAB/AHAB closed.
Commands to extract the mppubk:
* $fastboot oem get-mppubk
* $fastboot get_staged mppubk.bin
Test: Generate and dump the mppubk.bin
Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Pass the verified boot key hash to keymaster, it will be
treated as the root trust in keymaster service.
Also set the 'initialized' flag after initializing the
keymaster client or set keymaster boot parameters will fail.
Test: Pass CTS cases:
android.keystore.cts.KeyAttestationTest#testRsaAttestation
android.keystore.cts.KeyAttestationTest#testEcAttestation
Change-Id: I486b5493826160f42c61a3da0e6cd769df92254d
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new hwcrypto command to support rng generation with CAAM.
Test: rng generated on imx8qxp_mek.
Change-Id: I756f3e99423f0f9dfc2bcd30117a3f96e9f5f2f7
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Open configs to enable trusty for imx8mm_evk and also
add new config imx8mm_evk_android_trusty_defconfig based
on imx8mm_evk_android_defconfig.
Test: Trusty starts ok.
Change-Id: Iaea90de21f886ed23082a5e8e8d2fa7fb139a9cb
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Print the func name instead of null buffer.
Test: boot on imx8qm_mek.
Change-Id: I883a9cebb2981b7e2451c00ed27000baf40097bf
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add commands to write/read vbmeta public key to/from secure
storage. The vbmeta public key can only be set once.
Comands to set the public key:
fastboot stage <path-to-your-public-key>
fastboot oem set-public-key
Test: build and boot on imx8qxp_mek.
Change-Id: Id3ad4aa5aacef4fc8443f6a2d6ccb931310970ca
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Pass "androidboot.keystore=trusty" for trusty backed keymaster
service, pass "androidboot.keystore=software" for software
keymaster service.
Test: boot pass on imx8qm_mek.
Change-Id: I9fa38c15a7c10aef09ab29b0e9859b690e3e7a41
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Commit "ql-tipc: trusty_ipc: Change ipc polling to be per device" removes
rpmb_storage_proxy_poll() call in avb_do_tipc() which will return early
if the rpmb proxy service isn't initialized properly, this will make boards
hang if the rpmb key is not set.
Skip initializing AVB and Keymaster client if the rpmb key hasn't been
set, but keep the hwcrypto client initialization since we need it to
generate the rpmb key blob.
Test: Build and boot ok on imx8q.
Change-Id: I1ead849e812da55edae8b739d9ae56a7d4951af4
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
for Android Things, sha256 is caculated with software, for Android Auto,
sha256 is caculated with CAAM hardware module. so use macro to seperate
the code about hardware crypto service.
Change-Id: Ibf4cad2c98240ab2c826869e9cb28ad09bded2f6
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
|
|
Change-Id: I1c800fe39b5999169edd6e2acb9f66e557a3a86e
|
|
Obtaining the memory attributes can be done indepentently of the
bootloader environment and is now done by the ipc layer.
Updated u-boot example to reflect this.
Change-Id: I8e649a1367ba02981419c43aac6e55b469dcf651
|
|
Changed trusty_membuf_alloc and trusty_membuf_free to trusty_alloc_pages and
trusty_free_pages. The memory allocated by these functions is intended
to be shared with the secure world so it should be inherently page based.
Updated u-boot sysdeps and trusty_ipc_dev_create/shutdown to use these
new functions
Change-Id: Ica1aa5b0cb50eba6ce18914d048e731133d94c4f
|
|
Change-Id: I4b52d9ba71c9d4fa959f19ee7d741c46dcdef09a
|
|
This allows ipc devices to provide service callbacks (e.g. rpmb) transparently
to the application instead of needing to have prior knowledge of the expected
request and having to poll the individual services' channels separately.
Change-Id: I3257ae5e429f4a0c279f070d750b56c5600c38d5
|
|
trusty_encode_page_info now also supports EL2 and EL3 in 64-bit environments
and PL1 and PL2 in 32-bit
Change-Id: I296212ae7a1f0b276279819523a13eb1cfaf2a26
|
|
RPMB storage proxy service will return fail if the rpmb key is not
correct, we should not return early here if the rpmb key has not
been set because we still need to initialize the hwcrypto service
to generate the rpmb key blob.
This commit also adds more hint when set the rpmb key.
Change-Id: I8ee59e4e277b545283d63b1070e671d508dbe0c2
Signed-off-by: Luo Ji <ji.luo@nxp.com>
|
|
Generate the key blob and store it to the last block of boot1 partition
after setting the rpmb key. The key blob should be checked in spl and be
passed to Trusty OS if it's valid. If the key blob are damaged, RPMB
storage proxy service will return fail and should make the device hang.
Test: Build and boot ok on imx8qm/qxp.
Change-Id: Ia274cd72109ab6ae15920e91b2a2008e1f1e667c
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new hwcrypto tipc command and handler to generate blob with
CAAM.
Test: Message exchange with trusty and blob encapsulate/decapsulate ok.
Change-Id: I925b47cb3e22eeddf4c89e84a9c994d2f30423fe
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new service 'hwcrypto' to handle CAAM related work
with Trusty OS. Add tipc interface to accelerate hash
calculation with CAAM.
Test: Service connect and message exchange with Trusty OS
are ok.
Change-Id: Ia870c3ad2ff30af987f327a9777a8b32f53593db
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
In some situation, like uuu, the current mmc device
won't return the correct value. Avoid the NULL
pointer in secure storage proxy which may cause
panic.
Change-Id: Ie24afc270fec0b0977dee71b7fc44fe94876e410
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
This patch fix the bug that when keymaster tipc not
initialized the access will make uboot panic.
Change-Id: I6500219061ce69103c5f98750eaa5ace4854efea
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Align the callback to ARM64 environment for
Trusty OS.
TEST: AIY-3G & AIY-1G board's TIPC and AVB handler
works.
Change-Id: I65806f56267a4a9278db04a462e351da181618cb
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Fix build warnings in u-boot.
Change-Id: I1944657d2d89a03c0d2303a22a09538dfaa5fd2c
Signed-off-by: Luo Ji <ji.luo@nxp.com>
|
|
Add API and IPC calls to read the ATAP certificate UUID from keymaster.
Also rename const local variables to the standard convention.
This cherry-picked the CL 649562 from trusty/external/trusty.
Bug: 76211194
Change-Id: I98ab68180c3855e07884994dc20b879f0b59965d
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Refine ql-tipc Makefile to pass the u-boot
build which use uboot.mk.
Change-Id: I678eebdd8b5e5702a59b20b9580592dbaa78aa90
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Update to commit bb39a2b12dce8b6c9df9012faf231648de795e6d
List of changes:
bb39a2b ql-tipc: Support ATAP operations from bootloader
62b8d61 ql-tipc: Move serialization code to keymaster_serializable
8283307 avoid dead loop if tipc is closed by peer
cf3f7f5 [ql-tipc] Refactor U-boot rpmb_storage_send
4b1d74d Make logging more readable
Test: build + manual TIPC tests
Change-Id: Ib2c0e7a4a8313b6e62c1fe4f58b923c0c2d3f695
|
|
The lib provided ql-tipc communication channel with
Trusty OS.
Also the AVB, Keymaster and SecureStorage service
tipc client implement in this lib.
Change-Id: I0ab1ec9ee1b6f272b960c2e944008283c2c9249a
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
(cherry picked from commit 8fb370dd80fbb293b58115d2e7fc4970813773c7)
|