Commit 0e8b4af40671aee9e6fa656870aa00efb44a4116

Authored by Ji Luo
1 parent 6192aff568

MA-13629 [Trusty] Add commands to set vbmeta public key

Add commands to write/read vbmeta public key to/from secure
storage. The vbmeta public key can only be set once.
Commands to set the public key:
  fastboot stage <path-to-your-public-key>
  fastboot oem set-public-key

Test: build and boot on imx8qxp_mek.

Change-Id: Id3ad4aa5aacef4fc8443f6a2d6ccb931310970ca
Signed-off-by: Ji Luo <ji.luo@nxp.com>

Showing 8 changed files with 91 additions and 4 deletions Side-by-side Diff

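--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -3761,8 +3761,14 @@
 strcpy(response, "FAILset rpmb key failed!");
 } else
 strcpy(response, "OKAY");
+ } else if (endswith(cmd, FASTBOOT_SET_VBMETA_PUBLIC_KEY)) {
+ if (avb_set_public_key(interface.transfer_buffer,
+ download_bytes))
+ strcpy(response, "FAILcan't set public key!");
+ else
+ strcpy(response, "OKAY");
 }
-#endif
+#endif /* CONFIG_ANDROID_AUTO_SUPPORT */
 #endif /* CONFIG_IMX_TRUSTY_OS */
 else if (endswith(cmd, "unlock_critical")) {
 strcpy(response, "OKAY");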
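Review bot: The new `set-public-key` branch hands `interface.transfer_buffer` and `download_bytes` to `avb_set_public_key()` without any visible precondition, although the value it stores is write-once and becomes the key that vbmeta is checked against. The enclosing command handler starts and ends outside the hunk, so it may already restrict these oem commands; if it does not, the restriction belongs in this branch rather than being left entirely to the secure side. At minimum the branch should carry a comment stating the contract, for example `/* write-once: secure storage rejects a second write of the vbmeta public key */`. The single `FAILcan't set public key!` response also hides whether the failure was "already set" or a transport error, which makes provisioning problems harder to diagnose.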
... ... @@ -265,5 +265,8 @@
265 265  
266 266 /* disable at unlock vboot */
267 267 int at_disable_vboot_unlock(void);
  268 +
  269 +/* Set vbmeta public key */
  270 +int avb_set_public_key(uint8_t *staged_buffer, uint32_t size);
268 271 #endif /* __FSL_AVB_H__ */
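--- a/include/fsl_fastboot.h
+++ b/include/fsl_fastboot.h
@@ -83,8 +83,11 @@
 #define FASTBOOT_PARTITION_FBMISC "fbmisc"
 #endif
 
+#ifdef CONFIG_IMX_TRUSTY_OS
 #ifdef CONFIG_ANDROID_AUTO_SUPPORT
 #define FASTBOOT_SET_RPMB_KEY "set-rpmb-key"
+#define FASTBOOT_SET_VBMETA_PUBLIC_KEY "set-public-key"
+#endif
 #endif
 
 #if defined(CONFIG_AVB_ATX) || defined(CONFIG_ANDROID_AUTO_SUPPORT)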
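--- a/include/interface/avb/avb.h
+++ b/include/interface/avb/avb.h
@@ -42,6 +42,8 @@
 READ_LOCK_STATE = (5 << AVB_REQ_SHIFT),
 WRITE_LOCK_STATE = (6 << AVB_REQ_SHIFT),
 LOCK_BOOT_STATE = (7 << AVB_REQ_SHIFT),
+ READ_VBMETA_PUBLIC_KEY = (8 << AVB_REQ_SHIFT),
+ WRITE_VBMETA_PUBLIC_KEY = (9 << AVB_REQ_SHIFT),
 };
 
 /**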
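--- a/include/trusty/avb.h
+++ b/include/trusty/avb.h
@@ -78,6 +78,24 @@
 */
 int trusty_write_permanent_attributes(uint8_t *attributes, uint32_t size);
 /*
+ * Send request to secure side to read vbmeta public key.
+ *
+ * Copies public key received by secure side to |publickey|. If |size| does not
+ * match the size returned by the secure side, an error is returned. Returns one
+ * of trusty_err.
+ *
+ * @publickey: caller allocated buffer
+ * @size: size of |publickey|
+ */
+int trusty_read_vbmeta_public_key(uint8_t *publickey, uint32_t size);
+/*
+ * Send request to secure side to write vbmeta public key. Public key
+ * can only be written to storage once.
+ *
+ * Returns one of trusty_err.
+ */
+int trusty_write_vbmeta_public_key(uint8_t *publickey, uint32_t size);
+/*
 * Send request to secure side to read device lock state from RPMB.
 *
 * Returns one of trusty_err.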
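Review bot: The comment on `trusty_write_vbmeta_public_key` lacks the `@publickey` and `@size` lines that the read declaration just above it has, and neither comment states the largest key the call accepts or what a second write returns. Since callers rely on the write-once behaviour, the header is the place to say so: add `@publickey: public key blob to store` and `@size: size of |publickey| in bytes`, plus a sentence saying that a write after the key is already stored fails with one of trusty_err. If the limit is `AVB_MAX_BUFFER_LENGTH`, as the read implementation suggests, name it in both comments.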
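--- a/lib/avb/fsl/fsl_avb.c
+++ b/lib/avb/fsl/fsl_avb.c
@@ -20,8 +20,8 @@
 #include "fsl_atx_attributes.h"
 
 #define FSL_AVB_DEV "mmc"
+#define AVB_MAX_BUFFER_LENGTH 2048
 
-
 static struct blk_desc *fs_dev_desc = NULL;
 static struct blk_desc *get_mmc_desc(void) {
 extern int mmc_get_env_dev(void);
 
 
@@ -604,11 +604,27 @@
 assert(ops != NULL && out_is_trusted != NULL);
 *out_is_trusted = false;
 
+#if defined(CONFIG_IMX_TRUSTY_OS) && defined(CONFIG_ANDROID_AUTO_SUPPORT)
+ uint8_t public_key_buf[AVB_MAX_BUFFER_LENGTH];
+ if (trusty_read_vbmeta_public_key(public_key_buf,
+ public_key_length) != 0) {
+ ERR("Read public key error\n");
+ /* We're not going to return error code here because it will
+ * abort the following avb verify process even we allow the
+ * verification error. Return AVB_IO_RESULT_OK and keep the
+ * 'out_is_trusted' as false, avb will handle the error
+ * depends on the 'allow_verification_error' flag.
+ */
+ return AVB_IO_RESULT_OK;
+ }
+
+ if (memcmp(public_key_buf, public_key_data, public_key_length)) {
+#else
 /* match given public key */
 if (memcmp(fsl_public_key, public_key_data, public_key_length)) {
- ret = AVB_IO_RESULT_ERROR_IO;
+#endif
 ERR("public key not match\n");
- return AVB_IO_RESULT_ERROR_IO;
+ return AVB_IO_RESULT_OK;
 }
 
 *out_is_trusted = true;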
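Review bot: In the Trusty branch of the second hunk, `public_key_length` is used both as the expected size passed to `trusty_read_vbmeta_public_key` and as the `memcmp` length over the 2048-byte `public_key_buf`, with no local bound. The compare stays in range only because the read helper rejects a size mismatch, so an explicit guard before the read would make this function safe on its own: `if (public_key_length == 0 || public_key_length > AVB_MAX_BUFFER_LENGTH) return AVB_IO_RESULT_OK;`, which leaves `*out_is_trusted` false. The first hunk defines `AVB_MAX_BUFFER_LENGTH` by hand while lib/trusty/ql-tipc/avb.c uses the same name, so the two values can drift apart unless both come from one shared header. The `#if`/`#else` that splits the `if (memcmp(...)) {` line around a shared body is easy to misread; choosing the expected key pointer under the `#if` and keeping a single `memcmp` would be clearer. The enclosing function starts and ends outside the hunk.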
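--- a/lib/avb/fsl/fsl_avbkey.c
+++ b/lib/avb/fsl/fsl_avbkey.c
@@ -15,6 +15,7 @@
 #include <mapmem.h>
 
 #include <fsl_avb.h>
+#include "trusty/avb.h"
 #ifdef CONFIG_IMX_TRUSTY_OS
 #include <trusty/libtipc.h>
 #endif
@@ -1126,6 +1127,21 @@
 }
 
 return ret;
+}
+
+int avb_set_public_key(uint8_t *staged_buffer, uint32_t size) {
+
+ if ((staged_buffer == NULL) || (size <= 0)) {
+ ERR("Error. Get null staged_buffer\n");
+ return -1;
+ }
+ if (trusty_write_vbmeta_public_key(staged_buffer, size)) {
+ ERR("Error. Failed to write vbmeta public key into secure storage\n");
+ return -1;
+ } else
+ printf("Set vbmeta public key successfully!\n");
+
+ return 0;
 }
 #endif /* CONFIG_IMX_TRUSTY_OS && CONFIG_ANDROID_AUTO_SUPPORT */
 #endif /* CONFIG_SPL_BUILD */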
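Review bot: `avb_set_public_key` commits the staged bytes to write-once storage after checking only for NULL and zero (`size <= 0` on a `uint32_t` is just `size == 0`), so an oversized or malformed blob would become a permanent value that no valid vbmeta key can match. Bound the size before the write, e.g. `if (staged_buffer == NULL || size == 0 || size > AVB_MAX_BUFFER_LENGTH) {` (assuming that macro is visible in this file), and consider checking that the blob parses as an AVB public key before storing it. `trusty_write_vbmeta_public_key` in lib/trusty/ql-tipc/avb.c forwards `size` unchecked as well. The message `Get null staged_buffer` is also printed for the zero-size case, which misreports the cause. Separately, the first hunk adds `#include "trusty/avb.h"` outside the `#ifdef CONFIG_IMX_TRUSTY_OS` guard that covers the neighbouring Trusty include.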
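--- a/lib/trusty/ql-tipc/avb.c
+++ b/lib/trusty/ql-tipc/avb.c
@@ -220,6 +220,29 @@
 NULL);
 }
 
+int trusty_read_vbmeta_public_key(uint8_t *publickey, uint32_t size)
+{
+ uint8_t resp_buf[AVB_MAX_BUFFER_LENGTH];
+ uint32_t resp_size = AVB_MAX_BUFFER_LENGTH;
+ int rc = avb_do_tipc(READ_VBMETA_PUBLIC_KEY, NULL, 0, resp_buf,
+ &resp_size);
+ if (rc != 0) {
+ return rc;
+ }
+ /* ensure caller passed size matches size returned by Trusty */
+ if (size != resp_size) {
+ return TRUSTY_ERR_INVALID_ARGS;
+ }
+ trusty_memcpy(publickey, resp_buf, resp_size);
+ return rc;
+}
+
+int trusty_write_vbmeta_public_key(uint8_t *publickey, uint32_t size)
+{
+ return avb_do_tipc(WRITE_VBMETA_PUBLIC_KEY, publickey, size, NULL,
+ NULL);
+}
+
 int trusty_read_lock_state(uint8_t *lock_state)
 {
 uint32_t resp_size = sizeof(*lock_state);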
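Review bot: `trusty_read_vbmeta_public_key` copies into `publickey` without checking it for NULL, and the bound on `resp_size` depends on `avb_do_tipc` honouring the initial `AVB_MAX_BUFFER_LENGTH`, which is not visible in this hunk. A guard at the top, `if (publickey == NULL || size > AVB_MAX_BUFFER_LENGTH) return TRUSTY_ERR_INVALID_ARGS;`, keeps the copy safe regardless of what the transport returns. The 2 KiB `resp_buf` is also stacked on top of the 2 KiB `public_key_buf` that the caller in lib/avb/fsl/fsl_avb.c allocates; if bootloader stack is tight, a comment recording the combined footprint would help, or the response could be read straight into the caller's buffer.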