Commit 18b06286d28d78b04fcef7a4b3bd8324f789bf32
Committed by
Ye Li
Ye Li
1 parent
695402bb41
Exists in
smarc_8mq_lf_v2020.04
and in
4 other branches
MLK-22907-2 imx8: Add SECO manufacturing protection command support
i.MX8/8x devices support CAAM manufacturing protection through SECO APIs, SECO FW generates P-384 private key in every OEM closed boot. Add support for SECO enabled devices in mfgprot U-Boot command, the following commands are available: => mfgprot pubk => mfgprot sign <data_addr> <size> Signed-off-by: Breno Lima <breno.lima@nxp.com> (cherry picked from commit 1fdb9726fdc4642d0f24104ec2e4099d59569468)
Showing 4 changed files with 143 additions and 6 deletions Side-by-side Diff
arch/arm/mach-imx/Kconfig
| ... | ... | @@ -159,12 +159,26 @@ |
| 159 | 159 | |
| 160 | 160 | config FSL_MFGPROT |
| 161 | 161 | bool "Support the 'mfgprot' command" |
| 162 | - depends on IMX_HAB && ARCH_MX7 | |
| 162 | + depends on IMX_HAB || AHAB_BOOT | |
| 163 | + select IMX_CAAM_MFG_PROT if ARCH_MX7 | |
| 164 | + select IMX_SECO_MFG_PROT if ARCH_IMX8 | |
| 163 | 165 | help |
| 164 | 166 | This option enables the manufacturing protection command |
| 165 | 167 | which can be used has a protection feature for Manufacturing |
| 166 | 168 | process. With this tool is possible to authenticate the |
| 167 | 169 | chip to the OEM's server. |
| 170 | + | |
| 171 | +config IMX_CAAM_MFG_PROT | |
| 172 | + bool "Support the manufacturing protection with CAAM U-Boot driver" | |
| 173 | + help | |
| 174 | + This enables the manufacturing protection feature with the U-Boot | |
| 175 | + CAAM driver. This option is only available on iMX7D/S. | |
| 176 | + | |
| 177 | +config IMX_SECO_MFG_PROT | |
| 178 | + bool "Support the manufacturing protection with SECO API" | |
| 179 | + help | |
| 180 | + This enables the manufacturing protection feature with the SECO API. | |
| 181 | + This option is only available on iMX8/8x series. | |
| 168 | 182 | |
| 169 | 183 | config DBG_MONITOR |
| 170 | 184 | bool "Enable the AXI debug monitor" |
arch/arm/mach-imx/Makefile
arch/arm/mach-imx/cmd_mfgprot.c
| ... | ... | @@ -8,15 +8,19 @@ |
| 8 | 8 | * functions in supported i.MX devices. |
| 9 | 9 | */ |
| 10 | 10 | |
| 11 | -#include <asm/byteorder.h> | |
| 12 | -#include <asm/arch/clock.h> | |
| 13 | -#include <linux/compiler.h> | |
| 14 | 11 | #include <command.h> |
| 15 | 12 | #include <common.h> |
| 16 | 13 | #include <environment.h> |
| 17 | -#include <fsl_sec.h> | |
| 18 | 14 | #include <mapmem.h> |
| 19 | 15 | #include <memalign.h> |
| 16 | +#ifdef CONFIG_IMX_CAAM_MFG_PROT | |
| 17 | +#include <asm/arch/clock.h> | |
| 18 | +#include <fsl_sec.h> | |
| 19 | +#endif | |
| 20 | +#ifdef CONFIG_IMX_SECO_MFG_PROT | |
| 21 | +#include <asm/io.h> | |
| 22 | +#include <asm/arch/sci/sci.h> | |
| 23 | +#endif | |
| 20 | 24 | |
| 21 | 25 | DECLARE_GLOBAL_DATA_PTR; |
| 22 | 26 | |
| ... | ... | @@ -30,6 +34,8 @@ |
| 30 | 34 | * Returns zero on success, CMD_RET_USAGE in case of misuse and negative |
| 31 | 35 | * on error. |
| 32 | 36 | */ |
| 37 | +#ifdef CONFIG_IMX_CAAM_MFG_PROT | |
| 38 | + | |
| 33 | 39 | static int do_mfgprot(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) |
| 34 | 40 | { |
| 35 | 41 | u8 *m_ptr, *dgst_ptr, *c_ptr, *d_ptr, *dst_ptr; |
| ... | ... | @@ -135,6 +141,121 @@ |
| 135 | 141 | } |
| 136 | 142 | return ret; |
| 137 | 143 | } |
| 144 | +#endif /* CONFIG_IMX_CAAM_MFG_PROT */ | |
| 145 | + | |
| 146 | +#ifdef CONFIG_IMX_SECO_MFG_PROT | |
| 147 | + | |
| 148 | +#define FSL_CAAM_MP_PUBK_BYTES 96 | |
| 149 | +#define FSL_CAAM_MP_SIGN_BYTES 96 | |
| 150 | +#define SCU_SEC_SECURE_RAM_BASE (0x20800000UL) | |
| 151 | +#define SEC_SECURE_RAM_BASE (0x31800000UL) | |
| 152 | + | |
| 153 | +static int do_mfgprot(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[]) | |
| 154 | +{ | |
| 155 | + u8 *m_ptr, *sign_ptr, *dst_ptr; | |
| 156 | + char *pubk, *sign, *sel; | |
| 157 | + int m_size, i, ret; | |
| 158 | + u32 m_addr; | |
| 159 | + | |
| 160 | + pubk = "pubk"; | |
| 161 | + sign = "sign"; | |
| 162 | + sel = argv[1]; | |
| 163 | + | |
| 164 | + if (!sel) | |
| 165 | + return CMD_RET_USAGE; | |
| 166 | + | |
| 167 | + if (strcmp(sel, pubk) == 0) { | |
| 168 | + dst_ptr = malloc_cache_aligned(FSL_CAAM_MP_PUBK_BYTES); | |
| 169 | + if (!dst_ptr) | |
| 170 | + return -ENOMEM; | |
| 171 | + | |
| 172 | + puts("\nGenerating Manufacturing Protection Public Key\n"); | |
| 173 | + | |
| 174 | + ret = sc_seco_get_mp_key(-1, SCU_SEC_SECURE_RAM_BASE, | |
| 175 | + FSL_CAAM_MP_PUBK_BYTES); | |
| 176 | + if (ret) { | |
| 177 | + printf("SECO get MP key failed, return %d\n", ret); | |
| 178 | + ret = -EIO; | |
| 179 | + free(dst_ptr); | |
| 180 | + return ret; | |
| 181 | + } | |
| 182 | + | |
| 183 | + memcpy((void *)dst_ptr, (const void *)SEC_SECURE_RAM_BASE, | |
| 184 | + ALIGN(FSL_CAAM_MP_PUBK_BYTES, | |
| 185 | + CONFIG_SYS_CACHELINE_SIZE)); | |
| 186 | + | |
| 187 | + /* Output results */ | |
| 188 | + puts("\nPublic key:\n"); | |
| 189 | + for (i = 0; i < FSL_CAAM_MP_PUBK_BYTES; i++) | |
| 190 | + printf("%02X", (dst_ptr)[i]); | |
| 191 | + puts("\n"); | |
| 192 | + free(dst_ptr); | |
| 193 | + | |
| 194 | + } else if (strcmp(sel, sign) == 0) { | |
| 195 | + if (argc != 4) | |
| 196 | + return CMD_RET_USAGE; | |
| 197 | + | |
| 198 | + m_addr = simple_strtoul(argv[2], NULL, 16); | |
| 199 | + m_size = simple_strtoul(argv[3], NULL, 10); | |
| 200 | + m_ptr = map_physmem(m_addr, m_size, MAP_NOCACHE); | |
| 201 | + if (!m_ptr) | |
| 202 | + return -ENOMEM; | |
| 203 | + | |
| 204 | + sign_ptr = malloc_cache_aligned(FSL_CAAM_MP_SIGN_BYTES); | |
| 205 | + if (!sign_ptr) { | |
| 206 | + ret = -ENOMEM; | |
| 207 | + goto free_m; | |
| 208 | + } | |
| 209 | + | |
| 210 | + memcpy((void *)SEC_SECURE_RAM_BASE, (const void *)m_ptr, | |
| 211 | + ALIGN(m_size, CONFIG_SYS_CACHELINE_SIZE)); | |
| 212 | + | |
| 213 | + puts("\nSigning message with SECO MP signature function\n"); | |
| 214 | + | |
| 215 | + ret = sc_seco_get_mp_sign(-1, SCU_SEC_SECURE_RAM_BASE, m_size, | |
| 216 | + SCU_SEC_SECURE_RAM_BASE + 0x1000, | |
| 217 | + FSL_CAAM_MP_SIGN_BYTES); | |
| 218 | + | |
| 219 | + if (ret) { | |
| 220 | + printf("SECO get MP signature failed, return %d\n", | |
| 221 | + ret); | |
| 222 | + ret = -EIO; | |
| 223 | + goto free_sign; | |
| 224 | + } | |
| 225 | + | |
| 226 | + memcpy((void *)sign_ptr, (const void *)SEC_SECURE_RAM_BASE | |
| 227 | + + 0x1000, ALIGN(FSL_CAAM_MP_SIGN_BYTES, | |
| 228 | + CONFIG_SYS_CACHELINE_SIZE)); | |
| 229 | + | |
| 230 | + /* Output results */ | |
| 231 | + puts("\nMessage: "); | |
| 232 | + for (i = 0; i < m_size; i++) | |
| 233 | + printf("%02X", (m_ptr)[i]); | |
| 234 | + puts("\n"); | |
| 235 | + | |
| 236 | + puts("\nSignature:\n"); | |
| 237 | + puts("c:\n"); | |
| 238 | + for (i = 0; i < FSL_CAAM_MP_SIGN_BYTES / 2; i++) | |
| 239 | + printf("%02X", (sign_ptr)[i]); | |
| 240 | + puts("\n"); | |
| 241 | + | |
| 242 | + puts("d:\n"); | |
| 243 | + for (i = FSL_CAAM_MP_SIGN_BYTES / 2; i < FSL_CAAM_MP_SIGN_BYTES; | |
| 244 | + i++) | |
| 245 | + printf("%02X", (sign_ptr)[i]); | |
| 246 | + puts("\n"); | |
| 247 | + | |
| 248 | +free_sign: | |
| 249 | + free(sign_ptr); | |
| 250 | +free_m: | |
| 251 | + unmap_sysmem(m_ptr); | |
| 252 | + | |
| 253 | + } else { | |
| 254 | + return CMD_RET_USAGE; | |
| 255 | + } | |
| 256 | + return ret; | |
| 257 | +} | |
| 258 | +#endif /* CONFIG_IMX_SECO_MFG_PROT */ | |
| 138 | 259 | |
| 139 | 260 | /***************************************************/ |
| 140 | 261 | static char mfgprot_help_text[] = |
drivers/crypto/fsl/Makefile
| ... | ... | @@ -6,5 +6,5 @@ |
| 6 | 6 | obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o |
| 7 | 7 | obj-$(CONFIG_CMD_BLOB)$(CONFIG_IMX_CAAM_DEK_ENCAP) += fsl_blob.o |
| 8 | 8 | obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o |
| 9 | -obj-$(CONFIG_FSL_MFGPROT) += fsl_mfgprot.o | |
| 9 | +obj-$(CONFIG_IMX_CAAM_MFG_PROT) += fsl_mfgprot.o |
-
mentioned in commit 7996d1
