From da08277907ed466933a14933cad2449e4ebf4ffe Mon Sep 17 00:00:00 2001 From: "ji.luo" Date: Sat, 2 Sep 2017 17:55:12 +0800 Subject: MA-10337-1 Support ATX in u-boot This patch did: 1.Hard code the permanent attribute into u-boot. 2.Store first 112 bits of sha256(permanent attribute) hash into fuse. (CONFIG_AVB_FUSE was removed because it's an irreversible operation) 3.Implement platform-specific operations defined in avb_atx_ops.h. Change-Id: I65de9860e7c5ca1f7ebfbd87300faee0ccacaac3 Signed-off-by: ji.luo --- drivers/usb/gadget/f_fastboot.c | 26 ++- include/configs/mx6ul_nxpu_iopb_android_things.h | 7 +- include/configs/mx6ul_spriot_android_things.h | 11 +- include/configs/pico-imx6dl_android_things.h | 2 +- include/configs/pico-imx7dandroidthings.h | 13 +- include/configs/picosom-imx6ul_android_things.h | 7 +- lib/avb/fsl/fsl_atx_attributes.h | 152 ++++++++++++++++ lib/avb/fsl/fsl_avbkey.c | 212 +++++++++++++++++++++-- lib/avb/fsl/fsl_avbkey.h | 13 +- 9 files changed, 417 insertions(+), 26 deletions(-) mode change 100755 => 100644 drivers/usb/gadget/f_fastboot.c create mode 100644 lib/avb/fsl/fsl_atx_attributes.h mode change 100755 => 100644 lib/avb/fsl/fsl_avbkey.c diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c old mode 100755 new mode 100644 index 4b16c41abb..849e800d34 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -914,7 +914,7 @@ static lbaint_t mmc_sparse_write(struct sparse_storage *info, fill_buf_num_blks = SPARSE_FILL_BUF_SIZE / info->blksz; data = memalign(CONFIG_SYS_CACHELINE_SIZE, fill_buf_num_blks * info->blksz); - + while (blkcnt) { if (blkcnt > fill_buf_num_blks) @@ -929,14 +929,14 @@ static lbaint_t mmc_sparse_write(struct sparse_storage *info, blk += cnt; blkcnt -= cnt; buffer = (void *)((unsigned long)buffer + cnt * info->blksz); - + } free(data); } else { ret = blk_dwrite(dev_desc, blk, blkcnt, buffer); } - + return ret; } 
@@ -1039,7 +1039,7 @@ static void process_flash_mmc(const char *cmdbuf) struct blk_desc *dev_desc; disk_partition_t info; struct sparse_storage sparse; - + mmc_no = fastboot_devinfo.dev_id; printf("sparse flash target is MMC:%d\n", mmc_no); @@ -1861,12 +1861,25 @@ static AvbABOps fsl_avb_ab_ops = { .write_ab_metadata = fsl_write_ab_metadata, .ops = NULL }; - +#ifdef CONFIG_AVB_ATX +static AvbAtxOps fsl_avb_atx_ops = { + .ops = NULL, + .read_permanent_attributes = fsl_read_permanent_attributes, + .read_permanent_attributes_hash = fsl_read_permanent_attributes_hash +}; +#endif static AvbOps fsl_avb_ops = { .ab_ops = &fsl_avb_ab_ops, +#ifdef CONFIG_AVB_ATX + .atx_ops = &fsl_avb_atx_ops, +#endif .read_from_partition = fsl_read_from_partition_multi, .write_to_partition = fsl_write_to_partition, +#ifdef CONFIG_AVB_ATX + .validate_vbmeta_public_key = avb_atx_validate_vbmeta_public_key, +#else .validate_vbmeta_public_key = fsl_validate_vbmeta_public_key_rpmb, +#endif .read_rollback_index = fsl_read_rollback_index_rpmb, .write_rollback_index = fsl_write_rollback_index_rpmb, .read_is_device_unlocked = fsl_read_is_device_unlocked, @@ -1948,6 +1961,9 @@ void fastboot_setup(void) parameters_setup(); #ifdef CONFIG_AVB_SUPPORT fsl_avb_ab_ops.ops = &fsl_avb_ops; +#ifdef CONFIG_AVB_ATX + fsl_avb_atx_ops.ops = &fsl_avb_ops; +#endif #endif } diff --git a/include/configs/mx6ul_nxpu_iopb_android_things.h b/include/configs/mx6ul_nxpu_iopb_android_things.h index f50a38b1e0..fe31b49cf3 100644 --- a/include/configs/mx6ul_nxpu_iopb_android_things.h +++ b/include/configs/mx6ul_nxpu_iopb_android_things.h @@ -1,6 +1,7 @@ /* * Copyright (C) 2015-2016 Freescale Semiconductor, Inc. + * Copyright 2017 NXP * * SPDX-License-Identifier: GPL-2.0+ */ @@ -19,6 +20,10 @@ #define KEYSLOT_HWPARTITION_ID 2 #endif +#ifdef CONFIG_AVB_ATX +#define PERMANENT_ATTRIBUTE_HASH_OFFSET 32 +#endif + #ifdef CONFIG_IMX_TRUSTY_OS #define NON_SECURE_FASTBOOT #define TRUSTY_KEYSLOT_PACKAGE 
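Review bot: The `#ifdef CONFIG_AVB_ATX` guards around `fsl_avb_atx_ops` and the `.atx_ops` / `.validate_vbmeta_public_key` initialisers do not match the guard on the functions they reference. `fsl_read_permanent_attributes` and `fsl_read_permanent_attributes_hash` are defined in lib/avb/fsl/fsl_avbkey.c under `#if defined(AVB_RPMB) && defined(CONFIG_AVB_ATX)`, so a board that sets CONFIG_AVB_ATX without AVB_RPMB would reference symbols that are never built. Use the same condition in both files, or reject the combination with an `#error`. The switch of `.validate_vbmeta_public_key` also changes which check decides whether a vbmeta key is trusted, so it deserves a comment such as `/* ATX: vbmeta key is validated against the permanent attributes */`.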
@@ -39,7 +44,6 @@ #define CONFIG_SHA256 #define CONFIG_AVB_SUPPORT -#define CONFIG_AVB_FUSE #ifdef CONFIG_AVB_SUPPORT #ifdef CONFIG_SYS_MALLOC_LEN #undef CONFIG_SYS_MALLOC_LEN @@ -53,3 +57,4 @@ #endif #endif +/* __MX6UL_NXPU_IOPB_ANDROID_THINGS_H */ diff --git a/include/configs/mx6ul_spriot_android_things.h b/include/configs/mx6ul_spriot_android_things.h index 4e3c3cd574..67682f9b10 100644 --- a/include/configs/mx6ul_spriot_android_things.h +++ b/include/configs/mx6ul_spriot_android_things.h @@ -1,14 +1,19 @@ /* * Copyright (C) 2015-2016 Freescale Semiconductor, Inc. + * Copyright 2017 NXP * * SPDX-License-Identifier: GPL-2.0+ */ -#ifndef __PICOSOM_IMX6UL_ANDROID_THINGS_H -#define __PICOSOM_IMX6UL_ANDROID_THINGS_H +#ifndef __MX6UL_SPRIOT_ANDROID_THINGS_H +#define __MX6UL_SPRIOT_ANDROID_THINGS_H #include "mx_android_common.h" +#ifdef CONFIG_AVB_ATX +#define PERMANENT_ATTRIBUTE_HASH_OFFSET 32 +#endif + #define AVB_RPMB #ifdef AVB_RPMB #define KEYSLOT_BLKS 0xFFF @@ -30,7 +35,6 @@ #define CONFIG_AVB_SUPPORT #define CONFIG_SYSTEM_RAMDISK_SUPPORT -#define CONFIG_AVB_FUSE #ifdef CONFIG_AVB_SUPPORT #ifdef CONFIG_SYS_MALLOC_LEN @@ -46,3 +50,4 @@ #endif #endif +/* __MX6UL_SPRIOT_ANDROID_THINGS_H */ diff --git a/include/configs/pico-imx6dl_android_things.h b/include/configs/pico-imx6dl_android_things.h index 3e95e312da..a2b1cc7c0b 100755 --- a/include/configs/pico-imx6dl_android_things.h +++ b/include/configs/pico-imx6dl_android_things.h @@ -23,7 +23,6 @@ #define CONFIG_AVB_SUPPORT #define CONFIG_SYSTEM_RAMDISK_SUPPORT -#define CONFIG_AVB_FUSE #ifdef CONFIG_AVB_SUPPORT #ifdef CONFIG_SYS_MALLOC_LEN @@ -39,3 +38,4 @@ #endif #endif +/* __PICO_IMX6DL_ANDROID_THINGS_H */ diff --git a/include/configs/pico-imx7dandroidthings.h b/include/configs/pico-imx7dandroidthings.h index 1fe6dbd3be..64b6ff5e69 100644 --- a/include/configs/pico-imx7dandroidthings.h +++ b/include/configs/pico-imx7dandroidthings.h 
@@ -1,5 +1,6 @@ /* * Copyright (C) 2016 Freescale Semiconductor, Inc. + * Copyright 2017 NXP * * SPDX-License-Identifier: GPL-2.0+ */ @@ -12,6 +13,10 @@ #define TEE_HWPARTITION_ID 2 #define TRUSTY_OS_MMC_BLKS 0xFFF +#ifdef CONFIG_AVB_ATX +#define PERMANENT_ATTRIBUTE_HASH_OFFSET 0 +#endif + #define AVB_RPMB #ifdef AVB_RPMB #define KEYSLOT_BLKS 0xFFF @@ -63,10 +68,10 @@ /* infact 7D have no enough bits * set this size to 0 will disable * program/read FUSE */ -#define CONFIG_AVB_FUSE_BANK_SIZEW 0 -#define CONFIG_AVB_FUSE_BANK_START 0 -#define CONFIG_AVB_FUSE_BANK_END 0 +#define CONFIG_AVB_FUSE_BANK_SIZEW 4 +#define CONFIG_AVB_FUSE_BANK_START 14 +#define CONFIG_AVB_FUSE_BANK_END 14 #endif #endif - +/* __PICO_IMX7DANDROIDTHINGS_H */ diff --git a/include/configs/picosom-imx6ul_android_things.h b/include/configs/picosom-imx6ul_android_things.h index 461141c2d3..a0c580a6a1 100644 --- a/include/configs/picosom-imx6ul_android_things.h +++ b/include/configs/picosom-imx6ul_android_things.h @@ -1,6 +1,7 @@ /* * Copyright (C) 2015-2016 Freescale Semiconductor, Inc. + * Copyright 2017 NXP * * SPDX-License-Identifier: GPL-2.0+ */ @@ -8,6 +9,10 @@ #ifndef __PICOSOM_IMX6UL_ANDROID_THINGS_H #define __PICOSOM_IMX6UL_ANDROID_THINGS_H +#ifdef CONFIG_AVB_ATX +#define PERMANENT_ATTRIBUTE_HASH_OFFSET 32 +#endif + #define AVB_RPMB #ifdef AVB_RPMB #define KEYSLOT_BLKS 0xFFF @@ -38,7 +43,6 @@ #define CONFIG_AVB_SUPPORT #define CONFIG_SYSTEM_RAMDISK_SUPPORT -#define CONFIG_AVB_FUSE #ifdef CONFIG_AVB_SUPPORT #ifdef CONFIG_SYS_MALLOC_LEN @@ -55,3 +59,4 @@ #endif +/* __PICOSOM_IMX6UL_ANDROID_THINGS_H */ diff --git a/lib/avb/fsl/fsl_atx_attributes.h b/lib/avb/fsl/fsl_atx_attributes.h new file mode 100644 index 0000000000..8f4fc48469 --- /dev/null +++ b/lib/avb/fsl/fsl_atx_attributes.h 
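Review bot: The comment kept directly above the changed `CONFIG_AVB_FUSE_BANK_*` defines in pico-imx7dandroidthings.h still says the 7D does not have enough bits and that a size of 0 disables fuse program/read. The new values are 4, 14 and 14, so the comment now contradicts the code. Replace it with one that says what the bank is reserved for, for example `/* fuse bank 14, 4 words: first 112 bits of sha256(permanent attributes) */` (purpose inferred from the rest of the commit, to be confirmed). The `PERMANENT_ATTRIBUTE_HASH_OFFSET` values added here and in the i.MX6UL configs (0 here, 32 there) also need a one-line comment giving the unit and what the offset is relative to.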
@@ -0,0 +1,152 @@ +/* + * Copyright 2017 NXP + * + * SPDX-License-Identifier: GPL-2.0+ + */ + +#ifndef __FSL_ATX_ATTRIBUTES_H__ +#define __FSL_ATX_ATTRIBUTES_H__ + +#define fsl_version 1 +/* This product_id is generated from + * extern/avb/test/data/atx_product_id.bin */ +unsigned char fsl_atx_product_id[] = { + 0x3f,0x38,0x9c,0xcb,0xbe,0x56,0xcc,0x3d, + 0x0b,0xd0,0xbb,0x35,0x01,0x85,0xa7,0xd2 +}; +/* This product_root_public_key is generated form + * extern/avb/test/data/testkey_atx_prk.pem */ +unsigned char fsl_product_root_public_key[] = { + 0x00,0x00,0x10,0x00,0x9f,0x35,0xef,0x65, + 0xc3,0x29,0x4c,0x23,0x16,0x10,0xac,0x32, + 0xc1,0x3c,0xd5,0xc5,0xab,0xa1,0xd9,0xe7, + 0x13,0x3f,0x7e,0xd1,0xe6,0x61,0x5d,0xa3, + 0xa1,0x60,0xda,0x57,0x4b,0xb2,0xe6,0x0f, + 0xe1,0x50,0xbf,0x47,0xff,0x09,0xaf,0xcd, + 0x49,0x2d,0x82,0x33,0x76,0xa1,0xfe,0x28, + 0x5f,0x89,0x62,0xb3,0xc0,0xf1,0x11,0xaf, + 0x15,0x09,0x27,0xdb,0xeb,0x06,0x01,0xa2, + 0xf8,0xb7,0xd7,0x9c,0xe4,0x88,0x3a,0x86, + 0x05,0x02,0x20,0x69,0xb2,0x36,0x4c,0x3e, + 0x25,0x03,0xed,0xfc,0x0c,0x6b,0x1b,0x0a, + 0x04,0x9c,0xce,0x7f,0x83,0x82,0x60,0xd9, + 0x52,0x7e,0xc4,0x35,0x7b,0x1c,0xe6,0x64, + 0x9c,0x17,0xec,0x81,0xe7,0x9c,0x0c,0x8b, + 0x4b,0x7e,0x48,0xbe,0x00,0x98,0xa8,0x20, + 0x10,0x4c,0x9b,0xd1,0x16,0x5b,0x25,0xe9, + 0x4e,0x61,0xda,0x7c,0x63,0x80,0x8f,0xa4, + 0xac,0x74,0xee,0xa8,0x06,0xac,0x26,0xd5, + 0x71,0x6f,0xaa,0x73,0x20,0x9c,0x7f,0xcd, + 0x73,0xd4,0xa9,0xa0,0x7e,0x5a,0xb5,0x61, + 0xb0,0x88,0xb0,0xdd,0xdb,0x6b,0x79,0xd1, + 0x5a,0x9e,0x54,0x49,0x55,0xc6,0x89,0x76, + 0x7a,0xc6,0x78,0x99,0xdc,0xc9,0x00,0x5d, + 0x20,0xf5,0xfc,0x8f,0x39,0x46,0xf3,0x02, + 0x96,0x0d,0x9b,0xfb,0xbc,0xd5,0xcf,0x5a, + 0x4f,0xc4,0xb8,0x0b,0xd0,0xf3,0x19,0x3c, + 0x74,0x04,0xd5,0x94,0x2c,0x19,0x15,0x64, + 0xbf,0x53,0x67,0x97,0x7b,0x9e,0xc6,0xe0, + 0xfb,0x29,0x5b,0x90,0xad,0x04,0x8a,0xd8, + 0x5b,0xdf,0x69,0x09,0xe4,0xa5,0xe9,0xd9, + 0x0f,0xc4,0xff,0xae,0xb7,0x44,0x12,0xae, + 0xad,0x03,0x97,0xb8,0xda,0xd7,0x60,0x37, + 
0x15,0xf2,0xb9,0xdb,0x10,0xf6,0xe2,0x26, + 0x48,0x7e,0x3e,0x3e,0xc3,0x67,0xd3,0xa6, + 0x02,0xf7,0xbc,0x60,0xed,0x45,0xdf,0x37, + 0xef,0xf9,0xea,0x97,0x5f,0x37,0xb4,0xeb, + 0xb4,0x91,0x6c,0x39,0x4d,0xed,0x52,0x15, + 0x39,0x47,0x59,0x62,0xde,0x32,0x55,0xe1, + 0xd4,0x15,0x58,0x7d,0x52,0x41,0x12,0x78, + 0xee,0x9f,0x0d,0xc8,0x5e,0x34,0x91,0xf9, + 0xe7,0x4c,0x1e,0xe7,0x2f,0x90,0x7f,0xbb, + 0xf8,0x99,0x3e,0xc9,0x79,0xab,0x01,0xdb, + 0x24,0x39,0xe3,0xb4,0xc9,0x52,0x73,0xdb, + 0x65,0x42,0xa5,0x2e,0x43,0x56,0xa0,0x33, + 0x8c,0x1a,0xb7,0xa1,0xed,0x5c,0xd0,0x14, + 0x93,0x8d,0x23,0x78,0x93,0xcb,0x3a,0x03, + 0x1f,0xbb,0xc6,0x7b,0xcd,0x51,0x4e,0xaa, + 0x14,0x01,0xe9,0x03,0x27,0x13,0xe2,0xb2, + 0xf8,0x36,0xc6,0xe3,0xc3,0x7f,0xb5,0x74, + 0x20,0x5e,0x17,0xaa,0x25,0x07,0x9b,0x60, + 0xda,0x83,0x98,0xb5,0x55,0xae,0x1b,0x7a, + 0xc1,0x1f,0x49,0x72,0xe2,0xcb,0x6a,0x11, + 0x77,0xdf,0x3f,0xc0,0x9f,0x8f,0x33,0xc7, + 0x10,0x17,0x8c,0xfc,0xd5,0xb7,0x5f,0x5e, + 0xb2,0xe3,0x7b,0x2e,0xdc,0xc7,0x34,0xdb, + 0x31,0xb0,0xdc,0x5d,0x14,0x98,0xb6,0x1a, + 0x2a,0xd4,0xb4,0x04,0x2c,0xf0,0x68,0x1c, + 0x91,0x60,0x28,0xa5,0x3b,0x01,0x98,0xb6, + 0x1e,0x6e,0xaa,0x35,0x89,0xc7,0x94,0xaa, + 0x9e,0xf0,0x11,0x52,0x0f,0x28,0xa1,0x3d, + 0xd3,0x17,0xb5,0x08,0xd8,0x7a,0x41,0xf9, + 0x07,0xe2,0x87,0x36,0xcd,0x86,0x3e,0x79, + 0x99,0x73,0x50,0x21,0x30,0x00,0xd2,0xf3, + 0x88,0x60,0x32,0x59,0x58,0x2f,0x55,0x93, + 0x86,0x56,0x9a,0x96,0xb9,0xf8,0xbf,0x24, + 0xc4,0xba,0xea,0xa4,0x73,0xb0,0x0c,0xa6, + 0xdb,0x09,0x2d,0x0a,0x36,0x3f,0x80,0xe6, + 0x85,0x7a,0xf3,0x01,0x90,0x3a,0xc6,0xee, + 0x2d,0xa8,0xce,0xb4,0x3f,0x3a,0xa6,0xa3, + 0xaf,0xb9,0x21,0xef,0x40,0x6f,0xf4,0x7f, + 0x78,0x25,0x55,0x39,0x53,0x67,0x53,0x56, + 0x8d,0x81,0xaf,0x63,0x97,0x68,0x86,0x75, + 0x66,0x14,0x1e,0xa6,0x63,0x1e,0x02,0xd0, + 0x41,0xd8,0x78,0x75,0x0d,0x76,0x77,0xfa, + 0x9c,0xc5,0xcc,0x54,0x06,0x25,0x53,0x95, + 0xeb,0x4b,0x7c,0xb4,0xc8,0xbb,0x5d,0x6b, + 0x6e,0xf0,0xd7,0x8d,0x3f,0xdf,0x93,0x4c, + 0x30,0x5b,0x02,0xf5,0x0e,0x49,0x87,0x60, + 
0x5f,0x19,0x06,0x24,0x3d,0x5d,0x97,0x37, + 0x61,0xef,0x3e,0x0b,0x9e,0x85,0x1c,0x1a, + 0xa6,0x53,0x91,0xd2,0x2c,0x18,0x7c,0x8f, + 0x5b,0x4a,0xd5,0xdd,0xd9,0x8a,0xc3,0x92, + 0x19,0x54,0x39,0xde,0x33,0xa1,0xe1,0x37, + 0x60,0x3c,0x3b,0x3b,0xc5,0xed,0x1b,0xef, + 0x28,0xf5,0xdf,0x44,0x91,0xa3,0x1e,0x69, + 0x6a,0x35,0x85,0x6e,0x26,0x46,0x22,0x4d, + 0x87,0x92,0x44,0x6b,0x96,0xdb,0x75,0xfe, + 0x76,0x03,0x60,0xf7,0xfd,0x90,0x55,0x7d, + 0x6e,0xd7,0xaa,0x44,0x05,0xc7,0x23,0x37, + 0x12,0xa8,0xd4,0xb2,0x2b,0xed,0x41,0x5f, + 0x23,0x38,0x7c,0x16,0xe6,0x16,0xd3,0x10, + 0x19,0x12,0xcc,0x8b,0x6e,0xcd,0xd6,0xa6, + 0x39,0x8a,0x1b,0x24,0x3f,0x4d,0x6f,0xa6, + 0x00,0x7c,0xa0,0xa1,0x4a,0xfd,0xcd,0x68, + 0x50,0x76,0xc8,0x68,0x9d,0xeb,0xdf,0x24, + 0x39,0xaf,0x77,0xb2,0xb6,0xaf,0xb6,0x34, + 0x61,0x37,0x6a,0xfd,0xc7,0x6d,0x02,0x9f, + 0x29,0xd5,0x45,0xf4,0x89,0xd8,0x8c,0x5c, + 0xd3,0x31,0xa0,0x58,0x19,0x54,0x33,0x46, + 0x92,0xbc,0x1e,0x4b,0x14,0xac,0x73,0xa5, + 0x09,0x9f,0xb6,0x2b,0x2b,0x73,0x6b,0x83, + 0x86,0x13,0x6e,0x03,0xf7,0xe0,0x7d,0x81, + 0x47,0x18,0x08,0xea,0x09,0x10,0x24,0x61, + 0x6d,0x09,0x1d,0xb8,0x8e,0xba,0x04,0x4d, + 0xcc,0xe6,0xff,0x28,0x27,0x86,0x38,0x01, + 0x86,0xbe,0xf0,0x5b,0xf8,0x1a,0xd6,0xde, + 0xbe,0xf9,0x3b,0x76,0x3f,0x85,0x82,0x22, + 0x92,0x4b,0xe0,0x76,0x15,0xb2,0x57,0x5a, + 0xb0,0x64,0xde,0xce,0x93,0xb8,0x9f,0x25, + 0x53,0x8c,0x5e,0xdf,0x29,0x4e,0x50,0x69, + 0xfb,0x7e,0x33,0xcb,0x0e,0x28,0x01,0x6c, + 0xab,0xfa,0xd8,0x88,0x02,0xbc,0xf2,0xb1, + 0x0e,0x2f,0x6d,0x1c,0x8d,0xe4,0x11,0x23, + 0xcc,0x67,0x94,0x7b,0xf7,0x8a,0xf3,0x68, + 0x52,0xe4,0x82,0x25,0x86,0xc6,0x72,0x19, + 0x77,0x80,0x28,0xe3,0x86,0xc8,0x8a,0xea, + 0x3d,0x54,0x2f,0x0b,0x64,0x0a,0xc5,0x12, + 0x8c,0xb2,0x07,0x72,0x1b,0x09,0x9f,0x32, + 0xbd,0xa3,0xb0,0x0c,0x95,0xc8,0x4d,0xe5, + 0xd7,0x20,0xdb,0xf8,0x34,0x2a,0x9d,0x91, + 0x58,0x38,0x7a,0x9c,0xe0,0xa3,0x0f,0x40, + 0x9d,0xff,0xeb,0x4b,0xe2,0x16,0x94,0x32, + 0xce,0xe8,0x52,0x75,0x49,0xf4,0x71,0x13, + 0xbc,0x59,0x7d,0x9a,0xe8,0x60,0x29,0x58, + 
0x1a,0x14,0x94,0xe6,0x37,0x23,0xad,0xfe, + 0x0b,0xf0,0x63,0x60,0x4f,0x5d,0x10,0x91, + 0xf2,0x50,0x8e,0x0b,0x4a,0x47,0xc9,0x0c, + 0x1f,0xdc,0x94,0x75,0x25,0x52,0x99,0xfc +}; + +#endif +/* __FSL_ATX_ATTRIBUTES_H__ */ diff --git a/lib/avb/fsl/fsl_avbkey.c b/lib/avb/fsl/fsl_avbkey.c old mode 100755 new mode 100644 index 8cb15d6200..ff55a3a169 --- a/lib/avb/fsl/fsl_avbkey.c +++ b/lib/avb/fsl/fsl_avbkey.c @@ -1,7 +1,8 @@ /* * Copyright (C) 2016 Freescale Semiconductor, Inc. - * + * Copyright 2017 NXP * SPDX-License-Identifier: GPL-2.0+ + * */ #include @@ -9,10 +10,13 @@ #include #include #include +#include +#include #include #include "fsl_avbkey.h" #include "fsl_public_key.h" +#include "fsl_atx_attributes.h" #include "utils.h" #include "debug.h" @@ -27,6 +31,15 @@ #define RPMBKEY_FUSE_LENW (RPMBKEY_FUSE_LEN / 4) #define RPMBKEY_BLOB_LEN ((RPMBKEY_LENGTH) + (CAAM_PAD)) +#ifdef CONFIG_AVB_ATX +#define ATX_FUSE_BANK_NUM 4 +#define ATX_FUSE_BANK_MASK 0xFFFF +#define ATX_HASH_LENGTH 14 +#endif + +#define RESULT_ERROR -1 +#define RESULT_OK 0 + static int mmc_dev_no = -1; static struct mmc *get_mmc(void) { @@ -63,11 +76,7 @@ static int fsl_fuse_ops(uint32_t *buffer, uint32_t length, uint32_t offset, for (i = 0; i < cnt; i++) { VDEBUG("cur: bank=%d, word=%d\n",bs, ws); if (read) { -#ifdef CONFIG_AVB_FUSE if (fuse_sense(bs, ws, buffer)) { -#else - if (fuse_read(bs, ws, buffer)) { -#endif ERR("read fuse bank %d, word %d error\n", bs, ws); return -1; } 
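Review bot: The comments in fsl_atx_attributes.h say that `fsl_atx_product_id` and `fsl_product_root_public_key` are generated from files under `extern/avb/test/data/`, and the rest of the commit stores a hash of exactly these values in fuses. A key taken from test data (whose private half is presumably published with it) cannot anchor trust on a shipped device, so the header should be marked as a development placeholder and a production build should be forced to supply its own attributes, for instance with an `#error` unless a board-provided header is configured. Separately, both arrays are defined rather than declared in a header and are writable; `static const unsigned char fsl_product_root_public_key[] = {` (and the same for the product id) avoids duplicate symbols when a second file includes the header and places the trust anchor in read-only data. `fsl_version` is an unprefixed lowercase macro that could collide with an identifier, and "generated form" should read "generated from".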
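Review bot: The read branch of fsl_fuse_ops now calls `fuse_sense()` unconditionally, but the write branch is outside the hunk and this commit removes `CONFIG_AVB_FUSE` from every board config. If the write branch still chooses between `fuse_prog()` and `fuse_override()` on that macro, writes would go to the shadow registers while reads sense the fuse array, and the hash written by init_permanent_attributes_fuse would never read back. Please confirm which write backend is intended and add a comment at the read site stating it, e.g. `/* always sense the fuse array so the value cannot be masked by a shadow override */`.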
@@ -111,6 +120,77 @@ static int fsl_fuse_write(const uint32_t *buffer, uint32_t length, uint32_t offs ); } +#if defined(AVB_RPMB) && defined(CONFIG_AVB_ATX) +static int sha256(unsigned char* data, int len, unsigned char* output) { + struct hash_algo *algo; + void *buf; + + if (hash_lookup_algo("sha256", &algo)) { + printf("error in lookup sha256 algo!\n"); + return RESULT_ERROR; + } + buf = map_sysmem((ulong)data, len); + algo->hash_func_ws(buf, len, output, algo->chunk_size); + unmap_sysmem(buf); + + return algo->digest_size; +} + +static int permanent_attributes_sha256_hash(unsigned char* output) { + AvbAtxPermanentAttributes attributes; + + /* get permanent attributes */ + attributes.version = fsl_version; + memcpy(attributes.product_root_public_key, fsl_product_root_public_key, + sizeof(fsl_product_root_public_key)); + memcpy(attributes.product_id, fsl_atx_product_id, + sizeof(fsl_atx_product_id)); + /* calculate sha256(permanent attributes) hash */ + if (sha256((unsigned char *)&attributes, sizeof(AvbAtxPermanentAttributes), + output) == RESULT_ERROR) { + printf("ERROR - calculate permanent attributes hash error"); + return RESULT_ERROR; + } + + return RESULT_OK; +} + +static int init_permanent_attributes_fuse(void) { + uint8_t sha256_hash[AVB_SHA256_DIGEST_SIZE]; + uint32_t buffer[ATX_FUSE_BANK_NUM]; + int num = 0; + + /* read first 112 bits of sha256(permanent attributes) from fuse */ + if (fsl_fuse_read(buffer, ATX_FUSE_BANK_NUM, PERMANENT_ATTRIBUTE_HASH_OFFSET)) { + printf("ERROR - read permanent attributes hash from fuse error\n"); + return RESULT_ERROR; + } + /* only take the lower 2 bytes of the last bank */ + buffer[ATX_FUSE_BANK_NUM - 1] &= ATX_FUSE_BANK_MASK; + + /* return RESULT_OK if fuse has been initialized before */ + for (num = 0; num < ATX_FUSE_BANK_NUM; num++) { + if (buffer[num]) + return RESULT_OK; + } + + /* calculate sha256(permanent attributes) */ + if (permanent_attributes_sha256_hash(sha256_hash) != RESULT_OK) { + return RESULT_ERROR; 
+ } + + /* write first 112 bits of sha256(permanent attributes) into fuse */ + memset(buffer, 0, sizeof(buffer)); + memcpy(buffer, sha256_hash, ATX_HASH_LENGTH); + if (fsl_fuse_write(buffer, ATX_FUSE_BANK_NUM, PERMANENT_ATTRIBUTE_HASH_OFFSET)) { + printf("ERROR - write permanent attributes hash to fuse error\n"); + return RESULT_ERROR; + } + + return RESULT_OK; +} +#endif + #ifdef AVB_RPMB static int rpmb_read(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset); static int rpmb_write(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset); @@ -156,6 +236,28 @@ static int rpmb_init(void) { } offset += AVB_RBIDX_ALIGN; } +#ifdef CONFIG_AVB_ATX + /* init rollback index for Android Things key versions */ + offset = ATX_RBIDX_START; + rbidx_len = ATX_RBIDX_LEN; + rbidx = malloc(rbidx_len); + if (rbidx == NULL) + return -1; + memset(rbidx, 0, rbidx_len); + *(uint64_t *)rbidx = ATX_RBIDX_INITVAL; + for (i = 0; i < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; i++) { + tag = &hdr.atx_rbk_tags[i]; + tag->flag = ATX_RBIDX_FLAG; + tag->offset = offset; + tag->len = rbidx_len; + if (rpmb_write(mmc_dev, rbidx, tag->len, tag->offset) != 0) { + ERR("write ATX_RBKIDX RPMB error\n"); + free(rbidx); + return -1; + } + offset += ATX_RBIDX_ALIGN; + } +#endif free(rbidx); /* init hdr */ @@ -333,9 +435,13 @@ int init_avbkey(void) { gen_rpmb_key(&kp); } if (rpmb_init()) - return -1; + return RESULT_ERROR; +#ifdef CONFIG_AVB_ATX + if (init_permanent_attributes_fuse()) + return RESULT_ERROR; +#endif fill_secure_keyslot_package(&kp); - return 0; + return RESULT_OK; } #endif 
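Review bot: init_permanent_attributes_fuse treats any non-zero word as "initialized before" and returns RESULT_OK without comparing the fuse contents to the expected hash. A bank that holds something else (an interrupted write, or a hash of different attributes) is therefore reported as success here and only fails later in fsl_read_permanent_attributes_hash. Computing the hash first and accepting a non-blank fuse only when its first ATX_HASH_LENGTH bytes match makes the failure visible at provisioning time. Because this runs from init_avbkey and the write may be irreversible (the backend of fsl_fuse_write is outside the hunk), the function also needs a header comment stating when it is expected to run. The error message in permanent_attributes_sha256_hash lacks its trailing `\n`.

```c
static int init_permanent_attributes_fuse(void) {
	/* … unchanged: declarations, fsl_fuse_read() and masking of the last bank … */

	/* calculate sha256(permanent attributes) up front so an already
	 * programmed fuse can be checked against it */
	if (permanent_attributes_sha256_hash(sha256_hash) != RESULT_OK)
		return RESULT_ERROR;

	for (num = 0; num < ATX_FUSE_BANK_NUM; num++) {
		if (buffer[num])
			break;
	}
	if (num < ATX_FUSE_BANK_NUM) {
		/* fuse is not blank: accept it only when it holds this hash */
		if (memcmp(buffer, sha256_hash, ATX_HASH_LENGTH)) {
			printf("ERROR - fuse holds a different permanent attributes hash\n");
			return RESULT_ERROR;
		}
		return RESULT_OK;
	}

	/* … unchanged: memset/memcpy into buffer, fsl_fuse_write() and its error path … */
```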
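Review bot: In the ATX block added to rpmb_init, `rbidx = malloc(rbidx_len);` overwrites a pointer that the vbmeta loop just above appears to still own, because the only `free(rbidx)` on the success path comes after the new block. That would leak the first buffer. Free it before reallocating, or reuse it, since ATX_RBIDX_LEN and AVB_RBIDX_LEN are both 0x08: `memset(rbidx, 0, rbidx_len); *(uint64_t *)rbidx = ATX_RBIDX_INITVAL;`. The earlier allocation is outside the hunk, so check this against the full function.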
@@ -822,13 +928,22 @@ AvbIOResult fsl_read_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot uint64_t *extract_idx = NULL; struct mmc *mmc_dev; AvbIOResult ret; +#ifdef CONFIG_AVB_ATX + static const uint32_t kTypeMask = 0xF000; + static const unsigned int kTypeShift = 12; +#endif assert(ops != NULL && out_rollback_index != NULL); *out_rollback_index = ~0; DEBUGAVB("[rpmb] read rollback slot: %zu\n", rollback_index_slot); + /* check if the rollback index location exceed the limit */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & ~kTypeMask) >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#else if (rollback_index_slot >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#endif return AVB_IO_RESULT_ERROR_IO; if ((mmc_dev = get_mmc()) == NULL) { @@ -845,8 +960,18 @@ AvbIOResult fsl_read_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slot ERR("magic not match\n"); return AVB_IO_RESULT_ERROR_IO; } - + /* choose rollback index type */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & kTypeMask) >> kTypeShift) { + /* rollback index for Android Things key versions */ + rbk = &hdr.atx_rbk_tags[rollback_index_slot & ~kTypeMask]; + } else { + /* rollback index for vbmeta */ + rbk = &hdr.rbk_tags[rollback_index_slot & ~kTypeMask]; + } +#else rbk = &hdr.rbk_tags[rollback_index_slot]; +#endif extract_idx = malloc(rbk->len); if (extract_idx == NULL) return AVB_IO_RESULT_ERROR_OOM; 
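Review bot: The slot decoding added to fsl_read_rollback_index_rpmb (range check in the first hunk, table selection in the second) is repeated verbatim in the two fsl_write_rollback_index_rpmb hunks, including the `kTypeMask` / `kTypeShift` constants, and every non-zero value of the type bits selects `atx_rbk_tags`. One helper, called once `hdr` has been read, keeps the four copies from drifting and gives a single place to reject unexpected type values. `~kTypeMask` is also evaluated as `uint32_t`, so on a target with a 64-bit `size_t` the upper half of the slot number would be discarded before the range check; masking in `size_t` avoids that. Both functions start and end outside these hunks.

```c
/* Map a rollback slot number to its keyblb tag, or NULL when the index part
 * is out of range. With CONFIG_AVB_ATX the 0xF000 bits select the table. */
static kblb_tag_t *rbk_tag_for_slot(kblb_hdr_t *hdr, size_t slot) {
#ifdef CONFIG_AVB_ATX
	const size_t type_mask = 0xF000;
	size_t index = slot & ~type_mask;

	if (index >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS)
		return NULL;
	/* any non-zero type selects the Android Things table, as in the hunk;
	 * TODO confirm whether other type values should be rejected instead */
	return (slot & type_mask) ? &hdr->atx_rbk_tags[index]
				  : &hdr->rbk_tags[index];
#else
	if (slot >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS)
		return NULL;
	return &hdr->rbk_tags[slot];
#endif
}

	/* … unchanged: get_mmc(), header read and magic check … */
	rbk = rbk_tag_for_slot(&hdr, rollback_index_slot);
	if (rbk == NULL)
		return AVB_IO_RESULT_ERROR_IO;
	/* … unchanged: malloc(rbk->len) and the RPMB transfer … */
```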
@@ -888,13 +1013,21 @@ AvbIOResult fsl_write_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slo uint64_t *plain_idx = NULL; struct mmc *mmc_dev; AvbIOResult ret; +#ifdef CONFIG_AVB_ATX + static const uint32_t kTypeMask = 0xF000; + static const unsigned int kTypeShift = 12; +#endif DEBUGAVB("[rpmb] write to rollback slot: (%zu, %" PRIu64 ")\n", rollback_index_slot, rollback_index); assert(ops != NULL); - + /* check if the rollback index location exceed the limit */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & ~kTypeMask) >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#else if (rollback_index_slot >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) +#endif return AVB_IO_RESULT_ERROR_IO; if ((mmc_dev = get_mmc()) == NULL) { @@ -911,8 +1044,18 @@ AvbIOResult fsl_write_rollback_index_rpmb(AvbOps* ops, size_t rollback_index_slo ERR("magic not match\n"); return AVB_IO_RESULT_ERROR_IO; } - + /* choose rollback index type */ +#ifdef CONFIG_AVB_ATX + if ((rollback_index_slot & kTypeMask) >> kTypeShift) { + /* rollback index for Android Things key versions */ + rbk = &hdr.atx_rbk_tags[rollback_index_slot & ~kTypeMask]; + } else { + /* rollback index for vbmeta */ + rbk = &hdr.rbk_tags[rollback_index_slot & ~kTypeMask]; + } +#else rbk = &hdr.rbk_tags[rollback_index_slot]; +#endif plain_idx = malloc(rbk->len); if (plain_idx == NULL) return AVB_IO_RESULT_ERROR_OOM; 
@@ -931,3 +1074,52 @@ fail: free(plain_idx); return ret; } + +#if defined(AVB_RPMB) && defined(CONFIG_AVB_ATX) +/* Reads permanent |attributes| data. There are no restrictions on where this + * data is stored. On success, returns AVB_IO_RESULT_OK and populates + * |attributes|. + */ +AvbIOResult fsl_read_permanent_attributes( + AvbAtxOps* atx_ops, AvbAtxPermanentAttributes* attributes) { + /* use hard code permanent attributes due to limited fuse and RPMB */ + attributes->version = fsl_version; + memcpy(attributes->product_root_public_key, fsl_product_root_public_key, + sizeof(fsl_product_root_public_key)); + memcpy(attributes->product_id, fsl_atx_product_id, sizeof(fsl_atx_product_id)); + + return AVB_IO_RESULT_OK; +} + +/* Reads a |hash| of permanent attributes. This hash MUST be retrieved from a + * permanently read-only location (e.g. fuses) when a device is LOCKED. On + * success, returned AVB_IO_RESULT_OK and populates |hash|. + */ +AvbIOResult fsl_read_permanent_attributes_hash( + AvbAtxOps* atx_ops, uint8_t hash[AVB_SHA256_DIGEST_SIZE]) { + uint8_t sha256_hash_buf[AVB_SHA256_DIGEST_SIZE]; + uint32_t sha256_hash_fuse[ATX_FUSE_BANK_NUM]; + + /* read first 112 bits of sha256(permanent attributes) from fuse */ + if (fsl_fuse_read(sha256_hash_fuse, ATX_FUSE_BANK_NUM, + PERMANENT_ATTRIBUTE_HASH_OFFSET)) { + printf("ERROR - read permanent attributes hash from fuse error\n"); + return AVB_IO_RESULT_ERROR_IO; + } + /* only take the lower 2 bytes of last bank */ + sha256_hash_fuse[ATX_FUSE_BANK_NUM - 1] &= ATX_FUSE_BANK_MASK; + + /* calculate sha256(permanent attributes) */ + if (permanent_attributes_sha256_hash(sha256_hash_buf) != RESULT_OK) { + return AVB_IO_RESULT_ERROR_IO; + } + /* check if the sha256(permanent attributes) hash match */ + if (memcmp(sha256_hash_fuse, sha256_hash_buf, ATX_HASH_LENGTH)) { + printf("ERROR - sha256(permanent attributes) does not match\n"); + return AVB_IO_RESULT_ERROR_IO; + } + + memcpy(hash, sha256_hash_buf, AVB_SHA256_DIGEST_SIZE); 
+ return AVB_IO_RESULT_OK; +} +#endif diff --git a/lib/avb/fsl/fsl_avbkey.h b/lib/avb/fsl/fsl_avbkey.h index 3b4c61f0cd..c04b480776 100644 --- a/lib/avb/fsl/fsl_avbkey.h +++ b/lib/avb/fsl/fsl_avbkey.h @@ -19,6 +19,13 @@ #define AVB_RBIDX_LEN 0x08 #define AVB_RBIDX_INITVAL 0 +#ifdef CONFIG_AVB_ATX +#define ATX_RBIDX_FLAG 0xEFEF +#define ATX_RBIDX_START 0x22000 +#define ATX_RBIDX_ALIGN 0x1000 +#define ATX_RBIDX_LEN 0x08 +#define ATX_RBIDX_INITVAL 0 +#endif #define AVB_KBLB_MAGIC "\0KBLB!" #define AVB_KBLB_MAGIC_LEN 6 @@ -36,8 +43,12 @@ struct kblb_hdr { char magic[AVB_KBLB_MAGIC_LEN]; /* public key keyblb tag */ kblb_tag_t pubk_tag; - /* rollback index keyblb tag */ + /* vbmeta rollback index keyblb tag */ kblb_tag_t rbk_tags[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS]; +#ifdef CONFIG_AVB_ATX + /* Android Things key versions rollback index keyblb tag */ + kblb_tag_t atx_rbk_tags[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS]; +#endif }; typedef struct kblb_hdr kblb_hdr_t; -- cgit v1.2.3
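Review bot: Both `memcpy` calls in fsl_read_permanent_attributes take their length from the source array (`sizeof(fsl_product_root_public_key)`, `sizeof(fsl_atx_product_id)`) rather than from the destination field. A header whose arrays are longer than the struct fields would write past them in `*attributes`, and a shorter one would leave part of the field unset. Pin the sizes at build time, e.g. `_Static_assert(sizeof(fsl_product_root_public_key) == sizeof(((AvbAtxPermanentAttributes *)0)->product_root_public_key), "root key size");`, and the same for `product_id`. The same copies appear in permanent_attributes_sha256_hash in the earlier fsl_avbkey.c hunk, where the struct is an uninitialised local whose hash is written to fuses; `AvbAtxPermanentAttributes attributes = {0};` there would keep that hash deterministic if the struct has padding (its layout is not visible here). Neither function checks `attributes` or `hash` for NULL, unlike the `assert(ops != NULL ...)` used in the rollback functions.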
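Review bot: Adding `atx_rbk_tags` to `struct kblb_hdr` changes the layout of a header that, as far as the visible context shows, the rollback functions load from storage and accept on a magic match alone. A device whose header was written before this change would then yield `atx_rbk_tags` entries that were never initialised, and the callers go straight to `malloc(rbk->len)` with whatever length is found there. Either version the header (a new magic or a version field) or validate the tag before use, e.g. `if (rbk->flag != ATX_RBIDX_FLAG || rbk->len != ATX_RBIDX_LEN) return AVB_IO_RESULT_ERROR_IO;`. How `hdr` is read is outside these hunks, so this needs checking against the full file. `ATX_RBIDX_START 0x22000` also needs a comment saying why that offset cannot overlap the vbmeta rollback area.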