Commit 18b06286d28d78b04fcef7a4b3bd8324f789bf32
Committed by
Ye Li
1 parent
695402bb41
Exists in
smarc_8mq_lf_v2020.04
and in
4 other branches
MLK-22907-2 imx8: Add SECO manufacturing protection command support
i.MX8/8x devices support CAAM manufacturing protection through SECO APIs, SECO FW generates P-384 private key in every OEM closed boot. Add support for SECO enabled devices in mfgprot U-Boot command, the following commands are available: => mfgprot pubk => mfgprot sign <data_addr> <size> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit 1fdb9726fdc4642d0f24104ec2e4099d59569468)
Showing 4 changed files with 143 additions and 6 deletions Side-by-side Diff
arch/arm/mach-imx/Kconfig
... | ... | @@ -159,12 +159,26 @@ |
159 | 159 | |
160 | 160 | config FSL_MFGPROT |
161 | 161 | bool "Support the 'mfgprot' command" |
162 | - depends on IMX_HAB && ARCH_MX7 | |
162 | + depends on IMX_HAB || AHAB_BOOT | |
163 | + select IMX_CAAM_MFG_PROT if ARCH_MX7 | |
164 | + select IMX_SECO_MFG_PROT if ARCH_IMX8 | |
163 | 165 | help |
164 | 166 | This option enables the manufacturing protection command |
165 | 167 | which can be used has a protection feature for Manufacturing |
166 | 168 | process. With this tool is possible to authenticate the |
167 | 169 | chip to the OEM's server. |
170 | + | |
171 | +config IMX_CAAM_MFG_PROT | |
172 | + bool "Support the manufacturing protection with CAAM U-Boot driver" | |
173 | + help | |
174 | + This enables the manufacturing protection feature with the U-Boot | |
175 | + CAAM driver. This option is only available on iMX7D/S. | |
176 | + | |
177 | +config IMX_SECO_MFG_PROT | |
178 | + bool "Support the manufacturing protection with SECO API" | |
179 | + help | |
180 | + This enables the manufacturing protection feature with the SECO API. | |
181 | + This option is only available on iMX8/8x series. | |
168 | 182 | |
169 | 183 | config DBG_MONITOR |
170 | 184 | bool "Enable the AXI debug monitor" |
arch/arm/mach-imx/Makefile
arch/arm/mach-imx/cmd_mfgprot.c
... | ... | @@ -8,15 +8,19 @@ |
8 | 8 | * functions in supported i.MX devices. |
9 | 9 | */ |
10 | 10 | |
11 | -#include <asm/byteorder.h> | |
12 | -#include <asm/arch/clock.h> | |
13 | -#include <linux/compiler.h> | |
14 | 11 | #include <command.h> |
15 | 12 | #include <common.h> |
16 | 13 | #include <environment.h> |
17 | -#include <fsl_sec.h> | |
18 | 14 | #include <mapmem.h> |
19 | 15 | #include <memalign.h> |
16 | +#ifdef CONFIG_IMX_CAAM_MFG_PROT | |
17 | +#include <asm/arch/clock.h> | |
18 | +#include <fsl_sec.h> | |
19 | +#endif | |
20 | +#ifdef CONFIG_IMX_SECO_MFG_PROT | |
21 | +#include <asm/io.h> | |
22 | +#include <asm/arch/sci/sci.h> | |
23 | +#endif | |
20 | 24 | |
21 | 25 | DECLARE_GLOBAL_DATA_PTR; |
22 | 26 | |
... | ... | @@ -30,6 +34,8 @@ |
30 | 34 | * Returns zero on success, CMD_RET_USAGE in case of misuse and negative |
31 | 35 | * on error. |
32 | 36 | */ |
37 | +#ifdef CONFIG_IMX_CAAM_MFG_PROT | |
38 | + | |
33 | 39 | static int do_mfgprot(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) |
34 | 40 | { |
35 | 41 | u8 *m_ptr, *dgst_ptr, *c_ptr, *d_ptr, *dst_ptr; |
... | ... | @@ -135,6 +141,121 @@ |
135 | 141 | } |
136 | 142 | return ret; |
137 | 143 | } |
144 | +#endif /* CONFIG_IMX_CAAM_MFG_PROT */ | |
145 | + | |
146 | +#ifdef CONFIG_IMX_SECO_MFG_PROT | |
147 | + | |
148 | +#define FSL_CAAM_MP_PUBK_BYTES 96 | |
149 | +#define FSL_CAAM_MP_SIGN_BYTES 96 | |
150 | +#define SCU_SEC_SECURE_RAM_BASE (0x20800000UL) | |
151 | +#define SEC_SECURE_RAM_BASE (0x31800000UL) | |
152 | + | |
153 | +static int do_mfgprot(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) | |
154 | +{ | |
155 | + u8 *m_ptr, *sign_ptr, *dst_ptr; | |
156 | + char *pubk, *sign, *sel; | |
157 | + int m_size, i, ret; | |
158 | + u32 m_addr; | |
159 | + | |
160 | + pubk = "pubk"; | |
161 | + sign = "sign"; | |
162 | + sel = argv[1]; | |
163 | + | |
164 | + if (!sel) | |
165 | + return CMD_RET_USAGE; | |
166 | + | |
167 | + if (strcmp(sel, pubk) == 0) { | |
168 | + dst_ptr = malloc_cache_aligned(FSL_CAAM_MP_PUBK_BYTES); | |
169 | + if (!dst_ptr) | |
170 | + return -ENOMEM; | |
171 | + | |
172 | + puts("\nGenerating Manufacturing Protection Public Key\n"); | |
173 | + | |
174 | + ret = sc_seco_get_mp_key(-1, SCU_SEC_SECURE_RAM_BASE, | |
175 | + FSL_CAAM_MP_PUBK_BYTES); | |
176 | + if (ret) { | |
177 | + printf("SECO get MP key failed, return %d\n", ret); | |
178 | + ret = -EIO; | |
179 | + free(dst_ptr); | |
180 | + return ret; | |
181 | + } | |
182 | + | |
183 | + memcpy((void *)dst_ptr, (const void *)SEC_SECURE_RAM_BASE, | |
184 | + ALIGN(FSL_CAAM_MP_PUBK_BYTES, | |
185 | + CONFIG_SYS_CACHELINE_SIZE)); | |
186 | + | |
187 | + /* Output results */ | |
188 | + puts("\nPublic key:\n"); | |
189 | + for (i = 0; i < FSL_CAAM_MP_PUBK_BYTES; i++) | |
190 | + printf("%02X", (dst_ptr)[i]); | |
191 | + puts("\n"); | |
192 | + free(dst_ptr); | |
193 | + | |
194 | + } else if (strcmp(sel, sign) == 0) { | |
195 | + if (argc != 4) | |
196 | + return CMD_RET_USAGE; | |
197 | + | |
198 | + m_addr = simple_strtoul(argv[2], NULL, 16); | |
199 | + m_size = simple_strtoul(argv[3], NULL, 10); | |
200 | + m_ptr = map_physmem(m_addr, m_size, MAP_NOCACHE); | |
201 | + if (!m_ptr) | |
202 | + return -ENOMEM; | |
203 | + | |
204 | + sign_ptr = malloc_cache_aligned(FSL_CAAM_MP_SIGN_BYTES); | |
205 | + if (!sign_ptr) { | |
206 | + ret = -ENOMEM; | |
207 | + goto free_m; | |
208 | + } | |
209 | + | |
210 | + memcpy((void *)SEC_SECURE_RAM_BASE, (const void *)m_ptr, | |
211 | + ALIGN(m_size, CONFIG_SYS_CACHELINE_SIZE)); | |
212 | + | |
213 | + puts("\nSigning message with SECO MP signature function\n"); | |
214 | + | |
215 | + ret = sc_seco_get_mp_sign(-1, SCU_SEC_SECURE_RAM_BASE, m_size, | |
216 | + SCU_SEC_SECURE_RAM_BASE + 0x1000, | |
217 | + FSL_CAAM_MP_SIGN_BYTES); | |
218 | + | |
219 | + if (ret) { | |
220 | + printf("SECO get MP signature failed, return %d\n", | |
221 | + ret); | |
222 | + ret = -EIO; | |
223 | + goto free_sign; | |
224 | + } | |
225 | + | |
226 | + memcpy((void *)sign_ptr, (const void *)SEC_SECURE_RAM_BASE | |
227 | + + 0x1000, ALIGN(FSL_CAAM_MP_SIGN_BYTES, | |
228 | + CONFIG_SYS_CACHELINE_SIZE)); | |
229 | + | |
230 | + /* Output results */ | |
231 | + puts("\nMessage: "); | |
232 | + for (i = 0; i < m_size; i++) | |
233 | + printf("%02X", (m_ptr)[i]); | |
234 | + puts("\n"); | |
235 | + | |
236 | + puts("\nSignature:\n"); | |
237 | + puts("c:\n"); | |
238 | + for (i = 0; i < FSL_CAAM_MP_SIGN_BYTES / 2; i++) | |
239 | + printf("%02X", (sign_ptr)[i]); | |
240 | + puts("\n"); | |
241 | + | |
242 | + puts("d:\n"); | |
243 | + for (i = FSL_CAAM_MP_SIGN_BYTES / 2; i < FSL_CAAM_MP_SIGN_BYTES; | |
244 | + i++) | |
245 | + printf("%02X", (sign_ptr)[i]); | |
246 | + puts("\n"); | |
247 | + | |
248 | +free_sign: | |
249 | + free(sign_ptr); | |
250 | +free_m: | |
251 | + unmap_sysmem(m_ptr); | |
252 | + | |
253 | + } else { | |
254 | + return CMD_RET_USAGE; | |
255 | + } | |
256 | + return ret; | |
257 | +} | |
258 | +#endif /* CONFIG_IMX_SECO_MFG_PROT */ | |
138 | 259 | |
139 | 260 | /***************************************************/ |
140 | 261 | static char mfgprot_help_text[] = |
drivers/crypto/fsl/Makefile
... | ... | @@ -6,5 +6,5 @@ |
6 | 6 | obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o |
7 | 7 | obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o |
8 | 8 | obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o |
9 | -obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o | |
9 | +obj-$(CONFIG_IMX_CAAM_MFG_PROT) += fsl_mfgprot.o |
-
mentioned in commit 7996d1