Commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7
1 parent
c5151ab339
Exists in
smarc_8mm-imx_v2019.04_4.19.35_1.1.0
and in
1 other branch
MA-15019-1 Support Manufacture Protection public key generation
Add new keymaster commands to get Manufacure Production key (mppubk). Since the mppubk can only be generated in OEM CLOSED imx8q board, so we can only use this command when the board is HAB/AHAB closed. Commands to extract the mppubk: * $fastboot oem get-mppubk * $fastboot get_staged mppubk.bin Test: Generate and dump the mppubk.bin Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4 Signed-off-by: Ji Luo <ji.luo@nxp.com>
Showing 8 changed files with 119 additions and 2 deletions Side-by-side Diff
arch/arm/mach-imx/imx8m/soc.c
... | ... | @@ -28,7 +28,7 @@ |
28 | 28 | |
29 | 29 | DECLARE_GLOBAL_DATA_PTR; |
30 | 30 | |
31 | -#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX) | |
31 | +#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX) || defined(CONFIG_IMX_TRUSTY_OS) | |
32 | 32 | struct imx_sec_config_fuse_t const imx_sec_config_fuse = { |
33 | 33 | .bank = 1, |
34 | 34 | .word = 3, |
drivers/fastboot/fb_fsl/fb_fsl_command.c
... | ... | @@ -542,6 +542,14 @@ |
542 | 542 | printf("Append ec attestation key successfully!\n"); |
543 | 543 | strcpy(response, "OKAY"); |
544 | 544 | } |
545 | + } else if (endswith(cmd, FASTBOOT_GET_MPPUBK)) { | |
546 | + if (fastboot_get_mppubk(fastboot_buf_addr, &fastboot_bytes_received)) { | |
547 | + printf("ERROR Generate mppubk failed!\n"); | |
548 | + strcpy(response, "FAILGenerate mppubk failed!"); | |
549 | + } else { | |
550 | + printf("mppubk generated!\n"); | |
551 | + strcpy(response, "OKAY"); | |
552 | + } | |
545 | 553 | } |
546 | 554 | #ifndef CONFIG_AVB_ATX |
547 | 555 | else if (endswith(cmd, FASTBOOT_SET_RPMB_KEY)) { |
include/fb_fsl.h
... | ... | @@ -95,6 +95,7 @@ |
95 | 95 | #define FASTBOOT_SET_EC_ATTESTATION_KEY "set-ec-atte-key" |
96 | 96 | #define FASTBOOT_APPEND_RSA_ATTESTATION_CERT "append-rsa-atte-cert" |
97 | 97 | #define FASTBOOT_APPEND_EC_ATTESTATION_CERT "append-ec-atte-cert" |
98 | +#define FASTBOOT_GET_MPPUBK "get-mppubk" | |
98 | 99 | #endif |
99 | 100 | |
100 | 101 | #ifdef CONFIG_ANDROID_THINGS_SUPPORT |
include/fsl_avb.h
... | ... | @@ -271,5 +271,9 @@ |
271 | 271 | |
272 | 272 | /* Set vbmeta public key */ |
273 | 273 | int avb_set_public_key(uint8_t *staged_buffer, uint32_t size); |
274 | + | |
275 | +/* Get manufacture protection public key */ | |
276 | +int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size); | |
277 | + | |
274 | 278 | #endif /* __FSL_AVB_H__ */ |
include/interface/keymaster/keymaster.h
... | ... | @@ -62,7 +62,8 @@ |
62 | 62 | KM_ATAP_SET_CA_RESPONSE_UPDATE = (0x6000 << KEYMASTER_REQ_SHIFT), |
63 | 63 | KM_ATAP_SET_CA_RESPONSE_FINISH = (0x7000 << KEYMASTER_REQ_SHIFT), |
64 | 64 | KM_ATAP_READ_UUID = (0x8000 << KEYMASTER_REQ_SHIFT), |
65 | - KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT) | |
65 | + KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT), | |
66 | + KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT) | |
66 | 67 | }; |
67 | 68 | |
68 | 69 | typedef enum { |
... | ... | @@ -209,6 +210,15 @@ |
209 | 210 | int32_t error; |
210 | 211 | uint32_t data_size; |
211 | 212 | int8_t data[0]; |
213 | +} TRUSTY_ATTR_PACKED; | |
214 | + | |
215 | +/** | |
216 | + * km_get_mppubk_resp - response format for mppubk buffer | |
217 | + */ | |
218 | +struct km_get_mppubk_resp { | |
219 | + int32_t error; | |
220 | + uint32_t data_size; | |
221 | + uint8_t data[64]; | |
212 | 222 | } TRUSTY_ATTR_PACKED; |
213 | 223 | |
214 | 224 | /** |
include/trusty/keymaster.h
... | ... | @@ -127,5 +127,13 @@ |
127 | 127 | */ |
128 | 128 | int trusty_set_product_id(const uint8_t *product_id, uint32_t size); |
129 | 129 | |
130 | +/* | |
131 | + * trusty_get_mppubk is called to get the mppubk from trusty side. | |
132 | + * | |
133 | + * @mppubk: Pointer to the buffer which store the mppubk. | |
134 | + * @size: Pointer to The size of mppubk. | |
135 | + */ | |
136 | +int trusty_get_mppubk(uint8_t *mppubk, uint32_t* size); | |
137 | + | |
130 | 138 | #endif /* TRUSTY_KEYMASTER_H_ */ |
lib/avb/fsl/fsl_avbkey.c
... | ... | @@ -25,6 +25,11 @@ |
25 | 25 | #include <memalign.h> |
26 | 26 | #include "trusty/hwcrypto.h" |
27 | 27 | #include "fsl_atx_attributes.h" |
28 | +#include <asm/mach-imx/hab.h> | |
29 | +#include <asm/arch/sys_proto.h> | |
30 | +#ifdef CONFIG_ARCH_IMX8 | |
31 | +#include <asm/arch/sci/sci.h> | |
32 | +#endif | |
28 | 33 | |
29 | 34 | #if defined(CONFIG_SPL_BUILD) |
30 | 35 | #include <spl.h> |
... | ... | @@ -1126,6 +1131,28 @@ |
1126 | 1131 | #endif /* CONFIG_AVB_ATX */ |
1127 | 1132 | |
1128 | 1133 | #if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX) |
1134 | + | |
1135 | +DECLARE_GLOBAL_DATA_PTR; | |
1136 | +extern struct imx_sec_config_fuse_t const imx_sec_config_fuse; | |
1137 | +#define HAB_ENABLED_BIT (is_soc_type(MXC_SOC_IMX8M)? 0x2000000 : 0x2) | |
1138 | + | |
1139 | +/* Check hab status, this is basically copied from imx_hab_is_enabled() */ | |
1140 | +bool hab_is_enabled(void) | |
1141 | +{ | |
1142 | + struct imx_sec_config_fuse_t *fuse = | |
1143 | + (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse; | |
1144 | + uint32_t reg; | |
1145 | + int ret; | |
1146 | + | |
1147 | + ret = fuse_read(fuse->bank, fuse->word, ®); | |
1148 | + if (ret) { | |
1149 | + puts("\nSecure boot fuse read error\n"); | |
1150 | + return ret; | |
1151 | + } | |
1152 | + | |
1153 | + return (reg & HAB_ENABLED_BIT) == HAB_ENABLED_BIT; | |
1154 | +} | |
1155 | + | |
1129 | 1156 | int do_rpmb_key_set(uint8_t *key, uint32_t key_size) |
1130 | 1157 | { |
1131 | 1158 | int ret = 0; |
... | ... | @@ -1251,6 +1278,37 @@ |
1251 | 1278 | return -1; |
1252 | 1279 | } else |
1253 | 1280 | printf("Set vbmeta public key successfully!\n"); |
1281 | + | |
1282 | + return 0; | |
1283 | +} | |
1284 | + | |
1285 | +int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size) { | |
1286 | + | |
1287 | +#ifdef CONFIG_ARCH_IMX8 | |
1288 | + sc_err_t err; | |
1289 | + uint16_t lc; | |
1290 | + | |
1291 | + err = sc_seco_chip_info(-1, &lc, NULL, NULL, NULL); | |
1292 | + if (err != SC_ERR_NONE) { | |
1293 | + printf("Error in get lifecycle\n"); | |
1294 | + return -1; | |
1295 | + } | |
1296 | + | |
1297 | + if (lc != 0x80) { | |
1298 | +#else | |
1299 | + if (!hab_is_enabled()) { | |
1300 | +#endif | |
1301 | + ERR("Error. This command can only be used when hab is closed!!\n"); | |
1302 | + return -1; | |
1303 | + } | |
1304 | + if ((staged_buffer == NULL) || (size == NULL)) { | |
1305 | + ERR("Error. Get null staged_buffer!\n"); | |
1306 | + return -1; | |
1307 | + } | |
1308 | + if (trusty_get_mppubk(staged_buffer, size)) { | |
1309 | + ERR("Error. Failed to get mppubk!\n"); | |
1310 | + return -1; | |
1311 | + } | |
1254 | 1312 | |
1255 | 1313 | return 0; |
1256 | 1314 | } |
lib/trusty/ql-tipc/keymaster.c
... | ... | @@ -480,4 +480,32 @@ |
480 | 480 | } |
481 | 481 | return rc; |
482 | 482 | } |
483 | + | |
484 | +int trusty_get_mppubk(uint8_t *mppubk, uint32_t *size) | |
485 | +{ | |
486 | + int rc = TRUSTY_ERR_GENERIC; | |
487 | + struct km_get_mppubk_resp resp; | |
488 | + | |
489 | + rc = km_send_request(KM_GET_MPPUBK, NULL, 0); | |
490 | + if (rc < 0) { | |
491 | + trusty_error("failed to send km mppubk request\n", rc); | |
492 | + return rc; | |
493 | + } | |
494 | + | |
495 | + rc = km_read_raw_response(KM_GET_MPPUBK, &resp, sizeof(resp)); | |
496 | + if (rc < 0) { | |
497 | + trusty_error("%s: failed (%d) to read km mppubk response\n", __func__, rc); | |
498 | + return rc; | |
499 | + } | |
500 | + | |
501 | + if (resp.data_size != 64) { | |
502 | + trusty_error("%s: Wrong mppubk size!\n", __func__); | |
503 | + return TRUSTY_ERR_GENERIC; | |
504 | + } else { | |
505 | + *size = resp.data_size; | |
506 | + } | |
507 | + | |
508 | + memcpy(mppubk, resp.data, resp.data_size); | |
509 | + return TRUSTY_ERR_NONE; | |
510 | +} |
-
mentioned in commit 6b09b4
-
mentioned in commit 6b09b4
-
mentioned in commit 854e4d
-
mentioned in commit 854e4d
-
mentioned in commit 6bdc7d
-
mentioned in commit 6bdc7d
-
mentioned in commit 854e4d
-
mentioned in commit 6bdc7d
-
mentioned in commit 6bdc7d
-
mentioned in commit 6bdc7d
-
mentioned in commit 6bdc7d
-
mentioned in commit 271d7d