Age | Commit message (Collapse) | Author |
|
Currently we don't support sha384/512 for the X.509
certificate To-Be-Signed contents. Moreover if we come across such a
hash we skip the check and approve the image, although the image
might needs to be rejected.
It's worth noting here that efi_hash_regions() can now be reused from
efi_signature_lookup_digest() and add sha348/512 support there as well
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
|
|
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS is a legacy flag and not
supported. Otherwise SR-IR ACS test will fail in some case.
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
|
|
SR-IR ACS has a RSA1024 test, so add RSA1024 support in U-Boot.
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
|
|
EFI_VARIABLE_AUTHENTICATED_WRITE_ACCESS should not be used, because
it is and old flag, stMM returns invalid flag, however ACS test
expect not support, so update it in U-Boot
Reviewed-by: Ye Li <ye.li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
|
|
Return the AHAB status (OEM CLOSED or not) for imx8ulp.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I602bec992aeae39e92625aa090f5571d7cdc0f1c
(cherry picked from commit 85295dfa323a016f8e8dad209be94b5282c5a9bb)
|
|
The boot security patch level should be set in bootloader
and it will be returned in the TEE enforced authorization
list.
After building with the "BOOT_SECURITY_PATCH" set, the boot
security patch level would be set as a vbmeta property and
would be saved in the vbmeta struct in boot image.
This commit would parse the boot security patch level (which
is in YYYY-MM-DD format) and pass it to keymaster TA.
Test: Set and get boot security patch level &&
VtsHalKeymasterV4_0Target module run
Change-Id: Iac75579c680e8b80b28d3a82cd17cbcd8a93509e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 8816d0a5327fc5dc1e2460db8185d39e5b2dd9ce)
|
|
Guard the mppubk extraction function so it can be
disabled for shipping images.
Test: run "fastboot oem get-mppubk" with the config
enabled and disabled.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 10c3b9375de2cdcb01b37facd40845e27438cdd1)
Change-Id: I603b55fce00fc100bd42a574b1f9672c34045d7b
|
|
The ID attestation is supported by default in Trusty
OS now, but the format of data is different with the
NXP implemented one. This commit abandons the NXP
implementation and sync the process and data format
with Trusty OS.
Test: ID provision and attestation.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Ye Li <ye.li@nxp.com>
Change-Id: I87d4fe98125858cfac4a997c70fcb66826c5710a
(cherry picked from commit 2786fc57541bf15cd8e9855c68b84c6a6521d614)
|
|
Make change to support trusty on imx8ulp.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ie3da6f6b1203d1b85a41609600613bdd8baa55c7
(cherry picked from commit 99e3b70f570db66a4228238f3192de57651c03a3)
|
|
This patch added Trusty OS in u-boot to handle
some snvs related operation.
Change-Id: Iba2b9e12381ce537b40959f14e831accbdecba8f
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit ea729b07661bf849cdbd6ca7c3f6c9948fd38dc7)
|
|
support widevine keybox provisioning via hwcrypto,
the keybox would be wrote into secure storage.
This commit supports two kinds of widevine keybox
provisioning: plain text keybox and encrypted keybox.
Command to provision the plain text keybox:
$ fastboot stage <path-to-plain-text-keybox>
$ fastboot oem provision-wv-keybox
Command to provision the encrypted text keybox:
$ fastboot stage <path-to-encrypted-keybox>
$ fastboot oem provision-wv-keybox-enc
Test: plain text/encrypted keybox provisioning on imx8mp.
Change-Id: I241afade415fc3e2b0a80d286b3cc4e8d702e620
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit d7a760613efbeeea83ca4b8d9949941050e15805)
|
|
According to the google boot flow, an orange warning should
be displayed on UNLOCKED device to reminder the users of the
potential risks.
This commit will show an orange warning logo and warning text
on the screen, it shall be dismissed after 3 seconds, users
can also skip it by pressing the ON-OFF button.
Config 'CONFIG_AVB_WARNING_LOGO_COLS' and 'CONFIG_AVB_WARNING_LOGO_ROWS'
define the (x, y) position of the warning logo, its default
value is for 1080*720 resolution display and can be overridden.
Test: Orange warning logo show on all imx8m/imx8q platfroms.
Change-Id: I607edb3da039b47ddfac681f855834d8da187af8
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 8ddefdb1186feb3580830fa04b588d3ee606cf81)
(cherry picked from commit fbd21482417c4dc3de16d1689fe899ad11764f71)
|
|
Use hard-code public key instead of reading it from RPMB
When "CONFIG_LOAD_KEY_FROM_RPMB" is setting to "n".
Test: Boots on imx8mp.
Change-Id: I701777a0cfe3790a4e38f2cbe858e1fbddc2552a
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Wang Haoran <elven.wang@nxp.com>
(cherry picked from commit 740eaa338b656b20611affb22572fe0a2253161d)
(cherry picked from commit acf95d07b8d85efa7091cd8a361275c03d78b2fe)
|
|
The BKEK will bind to the soc chip and we don't need to
store the encapsulated keyslot after using BKEK as the
rpmb key, which reduces the risk of losing the rpmb key.
This commit adds two commands to support derive the rpmb
key from BKEK and erase the rpmb storage (for debug purpose,
need support from trusty):
$ fastboot oem set-rpmb-hardware-key
$ fastboot oem erase-rpmb
Legacy keyslot way is still supported and boards programed
with keyslot can still work in compatible way. Command
to set provisioned rpmb key is changed to:
$ fastboot stage <rpmb-key>
$ fastboot oem set-rpmb-staged-key
Test: Key set and boot on imx8mn/imx8qxp.
Change-Id: Ifc88010fe8802d3550e42dff0bbd5a5e5ad922a3
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 0fd1b5e41645ac3f5c05ad82258df1645c59fb5a)
(cherry picked from commit 6a5125b9caf4c2e036853d8f53f8398c147758b3)
(cherry picked from commit ca4258ca0702e082ad975e08ee33fd05d518b690)
|
|
Refine the dependency of some configs to make it
easier to add/modify android config files.
Test: builds.
Change-Id: Iccb044dadc7ce1e0b839bf83e2e9157e718f286c
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 86f4f99a367bbc0ef99d4ab2a0b4078babfbfbd2)
(cherry picked from commit 8f3e86b52a27948ba1be1d93dae5e5a4c8a73a0a)
(cherry picked from commit ff17b410ea60f6450c2ef9342a5b9e55e1929470)
|
|
Locating the misc partition by ID can help reduce the boot
time but error may happen if the ID of the misc partition
is changed. Moving the misc partition to the start of the
GPT and locate the partition by name is another option but
it will break the backward compatibility as the GPT is
changed.
part_get_info_by_name() will loop the PTE and return the
matched partition info, but it will cost much time as it
will reload the whole PTE from storage in each loop.
This commit provides part_get_info_efi_by_name() to support
return the partition info by name without reloading the whole
PTE.
Test: A/B slot switch in dual bootloader.
Change-Id: I13cb2a7b3217f73aecc2aec6e06abc0d6e8abcdd
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit cd8f603f0d977ed73f0d0b44437c5c68fcebde25)
(cherry picked from commit d9972736dc0272377f89ccf528e8a873199c7903)
(cherry picked from commit 945bde8da972c30b87027b43a42b21035707fea7)
|
|
The device IDs are provisioned from bootloader, this commit
add commands to provision the deivce IDs:
$ fastboot oem append-device-id
Test: Device IDs provision and attest.
Change-Id: Id3c737d3da02f7ba463e51b0525f3cb9bcf0c6d1
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 7575ac07ac625c35269868511297385a69c96196)
(cherry picked from commit 7f300b1fc543d8f4cbe7329a78e31273678162a5)
(cherry picked from commit 9cef720d338cd24edcf59d957543a5ff82eef4ac)
|
|
The keymaster client won't be initialized if the rpmb
key is not set, return early with error in such case
to avoid panic.
Test: provision attestation keys & certs on boards without
rpmb key set.
Change-Id: I6f908aecafd15ab390629cb89b090c9ee817ba1e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit b999b03c3eb153a99b481e42315e048653247107)
(cherry picked from commit 8e2cacff502629d88d5dd49baae3e547728e7af7)
(cherry picked from commit ca81aac985b80f614e422e1834ca209a50ad45b1)
|
|
blk_dwrite() will write data in blocks, padding the keyslot_package
struct to one block to avoid redundant data write.
Test: RPMB key set.
Change-Id: I326d7f4394d15e6e22b12c3abd6a5e2de18920cc
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 8a0deb19628d2752b516fbce00fc1b988f2e78b5)
(cherry picked from commit baaa810e604aa3afd8cf9832a5b29828d6ffc6f4)
(cherry picked from commit 921c67e1dac7de63f274339510366af128bcba6b)
|
|
GCC for arm32 doesn't support division between signed
and unsigned integer. Clean up the code to use 'long'
for both arm32 and arm64 platforms.
Test: build on 7ulp and 8mm.
Change-Id: I21c23b1948994558237b27bfe7452e78e3d45172
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 2062183df063e0653e9e88a690764647702af7dd)
(cherry picked from commit 49aad2989b6256934b146c50af5cf26b7486d658)
(cherry picked from commit dee550412c2da98061a726e64781f75aa69ee38a)
|
|
AVB verify should fail for GKI boot image but we should allow it
continue to boot in UNLOCKED state. In such case, we should not
update the stored rollback index.
This commit will update the rollback index only when the AVB
verify is OK to prevent rollback index check error.
Test: boots.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I82678d288edd4df6de40a1ca863ed36d3b3658a8
(cherry picked from commit ea48b544581d630bc031a7968a90b2fcf328424a)
(cherry picked from commit 8619089859b6c24f82a2f6fda9bd2c58c2e38851)
(cherry picked from commit 5893d8707dd66e0f36bc6dbd7c805cd20c05f725)
|
|
The 'offset' can be negative number passed from fsl_read_from_partition_multi(),
don't covert 'blksz' to 'uint64_t' as it will cause overflow when the 'offset'
is negative number.
Test: mmc blk read with 'offset < 0'.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Id1ce8e0c748dd280d70c1722cc7d17cc9646a4bb
(cherry picked from commit 077b448679b9ad2891495c7344ba99a6c10a59fb)
(cherry picked from commit f927599650ba1fbdbe8f4887b970a4f003b0d277)
(cherry picked from commit 9533092f7557e2f728d5fc59836ceac19658291d)
|
|
Set the initial 'source_slot' in 'misc_virtual_ab_message' as
the current slot. At the same time, add slot checks before
erase data if virtual A/B is enabled.
Test: virtual A/B update and erase.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I84896335a95d9188b85e114037b470b3f4e7a209
(cherry picked from commit a522c2245c3e58adbbcb99c43e0917ce315cc1aa)
(cherry picked from commit 40a1e64ded230e1c2b3d76cccaea1f910ed0d6d6)
(cherry picked from commit 582ffab8332b1270a3eba7faf9a1091b32b4cad3)
|
|
To use dynamic partition feature in Android, recovery ramdisk is used to
mount the logical partitions and boot up Android.
Define a configuration item "CONFIG_ANDROID_DYNAMIC_PARTITION", use it
to control the bootargs and whether ramdisk should be loaded instead of
"CONFIG_ANDROID_AUTO" because now Android auto also use dynamic
partition feature now.
Move the definition of function "fastboot_setup_system_boot_args" under
the macro "CONFIG_CMD_BOOTA" to avoid build warnings.
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
Change-Id: I0b1cfe6120fc939e7f1a1eb600d8176c81edf129
(cherry picked from commit 972ccff86796e2b7f9a444d09550cd5e393cd93e)
(cherry picked from commit 7154723e8a43f06f27bab3692024f3579f4b78e4)
(cherry picked from commit c3dd6b105d62a68a0222ee9f892e7502ee6fe6ad)
|
|
Add config "CONFIG_LOAD_KEY_FROM_RPMB" to decide loading the
avb public key from RPMB storage or building it statically.
Test: AVB verify.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I1ca09c28bbfa18dd00aa28405389b382e09fe07e
(cherry picked from commit 5a7973e8f42e54b3cd8ce15624478dcbe19c49fd)
(cherry picked from commit 29f15078f00ed862abf6ca9592e68815046a38f3)
(cherry picked from commit 29ed198ffe8f46715a7ccee21c2eb6f1d53392a5)
|
|
As we have to support GKI and non-GKI at the same time, it will be
a must to decide if the GKI is enabled or not at run-time.
This commit reads the 'header_version' in boot header to decide if
GKI is enabled.
This commit also make some cleanup to make the code more readable and
easier to maintain.
Test: boots on Android and Anroid Auto.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I6068bbaa60f5d76049b6ff0a892b5b8ca2c2f86b
(cherry picked from commit b39f7532ab524408550b8b2827bb42ab38159033)
(cherry picked from commit 93ea85fcd20d616bc137a76a371ee6799c5ca07a)
(cherry picked from commit 5f6211db2dd2c3c43d9e94657c8d881ef8bca5c5)
|
|
A 'misc_virtual_ab_message' struct will be stored at the 32kB offset
in misc partition, which will be used to record the virtual A/B update
status.
Bootloader should take care of this status, some operations must be
restricted. This commit will:
1. Restrict erase/flash operations to "misc", "userdata" or
"metadata" partitions if the merge status are "SNAPSHOTTED" or
"MERGING".
2. Restrict slot switch if the merge status is "MERGING".
3. Output a warning in slot switch if the merge status is "SNAPSHOTTED".
4. Set the merge status as "CANCELLED" if image flash happen.
Test: 1. fastboot erase/flash "userdata", "misc", "metadata" after virtual
A/B update
2. slot switch after virtual A/B update
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I33f0041c5e76913d3970d943cad52353e0ac5f2d
(cherry picked from commit 30df087bfc5e31413473f85dfefaa7176bc394a8)
(cherry picked from commit 7fd03bcc8f1fc094362c11d71cf740ac9b5724c1)
(cherry picked from commit 97495e9189afc4a26e6e03fd8ac7389f445c590e)
|
|
The old boot control logic and misc data struct is based on the
'external/avb/libavb_ab' library which is already marked as
deprecated and won't be maintained by google anymore:
commit 37f5946d0e1159273eff61dd8041377fedbf55a9
Author: David Zeuthen <zeuthen@google.com>
Date: Wed Sep 20 15:02:32 2017 -0400
Deprecate libavb_ab and bootctrl.avb code.
This code was already marked as experimental in anticipation of being
removed in the future. Officially deprecate it and set Jun 1 2018 as
the date it will be removed. This should give users of the code ample
time to fork/migrate.
To keep using the code AVB_AB_I_UNDERSTAND_LIBAVB_AB_IS_DEPRECATED
must be defined.
The reason for deprecating this code is twofold:
- Its policy was optimized for devices without a display with
e.g. automatic fallback to the other slot if a slot fails to
boot. Since most A/B stacks in Android devices don't work this
way this code is confusing.
- There are no known active users, no good test coverage for the
bootctrl.avb code, and no plans to use it.
When the code is removed we'll provide an easy transition path by
keeping (but renaming) the |ab_ops| member in AvbOps.
Change-Id: Id5e090a2048076d36ccca2e1c4cb55e226b8b43d
Google has provided a new boot control v1.1 implementation under
'hardware/interfaces/boot/1.1/default' which uses a new misc data struct defined
in the 'include/android_bootloader_message.h'. This commit adds a new boot control
implementation in bootloader, which combines the new misc data struct and inherit
some flow in 'libavb_ab', the old 'libavb_ab' library will be removed.
Test: boot/slot switch/retry count test on single&dual bootloader.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I0fa1ee8562c83afec549c8f6aad7a26a2214f626
(cherry picked from commit 29aafaf065d1688201d014213052863ec9d18e9c)
(cherry picked from commit f5cda163c1559480a43e75869747a50787fd0ee1)
(cherry picked from commit a45dca90ff92f548f157f8739a76f249ca8241cb)
|
|
The handle_rpmb flag should indicate whether the call will invoke
RPMB callbacks, which has been removed by below commit:
commit dfd911856d31fd91eb4e3c1edb1d691723c6edaf
Author: Roberto Pereira <rpere@google.com>
Date: Thu Nov 2 15:09:20 2017 -0700
ql-tipc: trusty_ipc: Change ipc polling to be per device
This allows ipc devices to provide service callbacks (e.g. rpmb) transparently
to the application instead of needing to have prior knowledge of the expected
request and having to poll the individual services' channels separately.
Change-Id: I3257ae5e429f4a0c279f070d750b56c5600c38d5
Sync the change for hwcrypto, it will help remove some build warnings.
Test: builds and boots with trusty.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: I696b13d9d509d5983c934df5ee6fb36e46f4c884
(cherry picked from commit 8812d39018c23cc26afa43a97acf27427979c90c)
(cherry picked from commit e79c079bd3f10d4fd80d33edeae184d53f80f706)
(cherry picked from commit 8842c52d58c34a627f54b7999cec6bdbda1903b4)
|
|
This commit eliminate the annoying build warning logs.
Test: builds with buildman.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ia335dafe3f4c0eab08e011215b9de5d2974b8d0c
(cherry picked from commit 85e0d429d19b8f9a62369a5f20e088644c488b1e)
(cherry picked from commit 52471735760a8d3a410f88c144910a07a161028d)
(cherry picked from commit c0ed4a68aecf0cf67d61c72c273fcd655682366f)
|
|
GKI(Generic Kernel Image) would require the boot header v3 and vendor
boot support, all device specific info are moved to vendor_boot partition
,the boot header v3 will not be compatible with earlier version(0/1/2).
This commit adds support for boot header v3 and vendor boot, it would
concatenate the generic ramdisk and vendor ramdisk to generate the
final ramdisk passed to kernel.
Test: boots with or without boot header v3 and vendor boot support.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Change-Id: Ib3298ae46bfc728aa4a34909d372eff6cc86ca70
(cherry picked from commit c3854f270a19e7d57b996e6074d692ab9bc88c32)
|
|
The main memory contents can spontaneously come to the cache due to
the speculative memory access by the CPU, this may cause coherency
problem if this happens during the DMA operaion is on-going.
Invalidate the dcache range after DMA opeartion but before the main
memory read to avoid coherency problem.
Test: reboot test.
Change-Id: I93824deab9285b5478669e0a311e0b338bf02f8a
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 4cd1d087111dd3b4ddaad33ef4862f7ac1ab1b34)
(cherry picked from commit ee720d8d69d4d3e97d2daea9b91f8d076ffb05b0)
|
|
Only check the bootloader rollback index and trusty keyslot package
for rpmb key flashed boards.
Test: boots on boards without rpmb key.
Change-Id: I130e4d906c0f08d602eac820ec5612214e01ff55
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry pick from commit bb0c880bb2cd5d9414b4c167eac546682a5d5ccc)
(cherry pick from commit b05bacf279a65d8d98754adc0492209e90f1790f)
|
|
To enable dynamic partition feature, system partition will be a logic
parition in "super" partition, uboot can't access system partition
anymore.
In i.MX Android use case, only vbmeta partition is used to verify other
imags. boot and system are not used. so there is no need to access
system partition to get avb device info, remove system partition from
avb lib for standard android.
Now, standard Android will boot with ramdisk in boot.img, there is no
need to provide root info to kernel for standard Android. so only
Android Auto will provide this info.
Change-Id: I99a43eb8f7aa1dc635e3937c93266f881c9b3655
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
(cherry picked from commit 3a2418a1cc097cd956347fc12b0b4e0566652bfd)
(cherry picked from commit 133644540d6e5c89cc6e8109b2bf3ac6a9b897d1)
(cherry picked from commit 10a635bbbbfe36ab39ed77c84fe8d30000c638f5)
|
|
When the device is locked, avb will try to verify one slot
first, it will continue to verify another if the first slot
returns failure. Function load_full_partition() will alloc memory
to load boot/dtbo images from heap (which is a big and continuous
memory region), this memory will be freed if the first slot returns
verify failure. but because part of the continous memory region
will be used in following verify process, even total available memory
is enough, u-boot can't find a continous memory region to load the
boot/dtbo image for another slot and will return error "Failed to
allocate memory".
Instead, this commit use fixed memory region start from 96MB offset of
CONFIG_FASTBOOT_BUF_ADDR to load the boot/dtbo images.
Test: slot verify and A/B slot switch.
Change-Id: Ifc83bed5a6be37196c0fd109d942eaf9b07b6a74
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit d13752e831957fb84c71f8ca24fd1979d3605cde)
(cherry picked from commit 11f79ca63338a00960e90763d4764956907fdcb5)
(cherry picked from commit c9e9af7549662633d70d48cb8d55845a066d9bc0)
|
|
Slot will be marked as "unbootable" state if error happens during
image load/verify process, this may cause the board never boot up
if some random failures happen (like eMMC/DRAM access error at some
critical temperature).
Check the "successful_boot" flag before marking the slot as "unbootable",
this will help ease the "no bootable slot" issue.
Test: slot switch on imx8qm_mek.
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 6db8ebe2224ab6656e8e798288bd1b3c0472c0c0)
(cherry picked from commit b64a9dcd87da333265c2ac4da2be8a735186b77e)
(cherry picked from commit d3510370046c603872c24db24a07c784c3fe960e)
Change-Id: Ib060b11cc6687a3bacd09cecda7dd925beba6316
|
|
Add commands to read oem device unlock state from
trusty avb app. Use the oem device unlock state to
determine if the device can be unlocked instead of
the state in persistdata part.
Test: Read oem device unlock state from avb app.
Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit c6eaf8e32987f120c0c5441ea39aa0f39a65b50d)
(cherry picked from commit 8b58afda1cd1f91048504b48b95260e930a37326)
(cherry picked from commit dc2acac3cdfe0ca77747e9c435e3f140acc07705)
|
|
Don't skip vbmeta public key verify for non-trusty
platforms.
Test: boot on imx8mm.
Change-Id: I4712e5dd6e5c8848468e9d85c6b38eb5fb11377f
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 9b8264c89ccb3e9179a438e428ad79d72c7efe9b)
(cherry picked from commit 75d9dfb2474d03bd83a5b4d3f03d0a5cea6ea25d)
(cherry picked from commit cb6582267a1d7659af5d12ae49fc088546cdef5a)
|
|
Decrypt and verify the secure credential in keymaster TA, unlock
operation can only be allowed after secure credential verify pass.
Since the mppubk can only be generated on hab closed imx8q, so secure
unlock feature can only supported when hab is closed.
Test: secure unlock credential verify on hab closed imx8mm_evk.
Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a)
(cherry picked from commit 063d358ab4bbfea998e0c975f31724757243545a)
(cherry picked from commit 5980e3882093c522723aa6a3af6f85fb5b8a47c1)
|
|
The A/B slot selection is moved to spl, it may lead to hang
if no bootable slots found. The only way to recover the board
is re-flash images with uuu tool, which is quite inconvenient
for some customers who can't enter serial download mode.
This patch will set "spl recovery mode" which will give us a
chance to re-flash images with fastboot commands.
Test: Enter spl recovery mode and flash images when no bootable
slots found.
Change-Id: I31278f5212bde7609fe2f49e77b3849e92c0c516
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 46cc755cf3f42422ee1d7783394e14e8125df2b6)
(cherry picked from commit 047f09ef2ef33657d76fd92d8f5599e00158cd6b)
(cherry picked from commit e96b68d22e89e4031d1117ab347f042577c5c8f1)
|
|
It can be dangerous to export some hwcrypto commands to Linux,
add commands to limit some commands within bootloader.
Test: hwcrypto commands can't be used after locking boot state.
Change-Id: Ib0a96a87f661778c133178840d8dccf49f151c22
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 3fc3f521957677b1f363624494ed866985a25505)
(cherry picked from commit 38f9975064dbd6b9c7183a5e7fc54a099a56e973)
(cherry picked from commit 62f2b87290750c91f29e0d573bf8560134415b39)
|
|
Add new command to generate bkek from trusty.
Test: generate and dump bkek.
Change-Id: I6b2a30b87c755eecd00ced7c53cfb86e432040de
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 6c1087c030de491a12b7f1be9d332f30ba27d183)
(cherry picked from commit 02f0cd1484bc8883d784e08ea9c8fd2e9fc7dd3d)
(cherry picked from commit 2ad901636baf6678c6a1e42d51e7fd1d1772c316)
|
|
Add sha256 hmac support in u-boot.
Test: hmac calculation.
Change-Id: I0f1438fed8290620a1bb0663d19c21e20098eb5a
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from 1e06de6ef23c1ae9d51383f3c57bb045ea180c03)
(cherry picked from 3fc7a485b5098bec7fa22184da28a937a407192e)
|
|
In host end, need encrypt the attestation keys and certs
by manufacture protection public key though AES-128-ECB.
Then use below 4 set of commands to provision encrypted
RSA attestation and EC attestation:
* $fastboot stage atte_rsa_key.bin
* $fastboot oem set-rsa-atte-key-enc
* $fastboot stage atte_rsa_cert.bin
* $fastboot oem append-rsa-atte-cert-enc
* $fastboot stage atte_ec_key.bin
* $fastboot oem set-ec-atte-key-enc
* $fastboot stage atte_ec_cert.bin
* $fastboot oem append-ec-atte-cert-enc
Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
(cherry picked from commit 58965915dd69050429142d3d180c75e98ad14788)
(cherry picked from commit 55669422dc8e2094f95d92075b69fc2f0a3b409c)
|
|
Add new keymaster commands to get Manufacure Production key (mppubk).
Since the mppubk can only be generated in OEM CLOSED imx8q board, so
we can only use this command when the board is HAB/AHAB closed.
Commands to extract the mppubk:
* $fastboot oem get-mppubk
* $fastboot get_staged mppubk.bin
Test: Generate and dump the mppubk.bin
Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7)
(cherry picked from commit 7320c7c0efacfb7706e85bfe82d11ac6c2e5b61f)
|
|
This patch adds mmc device id remap function in spl to get the
correct device id.
Test: boot on imx8mm with trusty enabled.
Change-Id: I41c46494326d9eb2658d2cda692968fb895d0292
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit c079188d06b3669df7836e1b8c6126558b1fa39e)
(cherry picked from commit 1597b96ee023c5b2de9eea6cc198d2f4b3404fda)
|
|
This commit enables dual bootloader feature for imx8m/imx8q, but
as commit 'a2018ab' already brings in some dual bootloader codes
when enabling fastboot support, so this commit won't be a complete
and standalone patch to introduce the dual bootloader feature.
This commit will do the following:
1. clean up dual bootloader flow and add missing implementation.
2. Merge the dual bootloader entry for fit and container to one
function 'mmc_load_image_raw_sector_dual_uboot'.
Change-Id: Ic9410a48092cc05de599dd897fc912177e2a1fe1
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry picked from commit d00da7c6e2d3b0ed5f3f93eb98d841d1b7a114ca)
|
|
Driver Module may be used in SPL, with CONFIG_BLK enabled for U-Boot,
CONFIG_SPL_BLK will be enabled, struct mmc definition will be different.
comply with that mmc struct definition in fsl_avbkey.c file to handle
conditions when DM is used in SPL.
Change-Id: I632600556e764b25228ba467a5e5141cf3fc3dfe
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
(cherry picked from commit de905a8a3c6dfdf9241a188b2e22c76dbef851c1)
|
|
libavb is now under the directory of lib/, not lib/avb/ as before, to
adapt to this change, some modifications are made:
1. header file inclusion change, including parameter of -I option in
Makefile
2. remove fsl_avb_sysdeps_uboot.c as the functions have been defined in
avb_sysdeps_posix.c.
Change-Id: I4216e3ddb4e3e810783e4f46b953eda510c2627b
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
Signed-off-by: Ji Luo <ji.luo@nxp.com>
(cherry pick from 58010b99560eea2027dd39909eb5b35404e6030e)
|
|
modified caam descriptor to support black key blob.
Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
(cherry picked from commit b218e498e802c2c8546b11830240075753adbb36)
|