Commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7

Authored by Ji Luo
1 parent c5151ab339

MA-15019-1 Support Manufacture Protection public key generation

Add new keymaster commands to get the Manufacture Protection public key (mppubk).
Since the mppubk can only be generated on an OEM CLOSED imx8q board,
this command can only be used when the board is HAB/AHAB closed.

Commands to extract the mppubk:
        * $fastboot oem get-mppubk
        * $fastboot get_staged mppubk.bin

Test: Generate and dump the mppubk.bin

Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo <ji.luo@nxp.com>

Showing 8 changed files with 119 additions and 2 deletions Side-by-side Diff

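--- a/arch/arm/mach-imx/imx8m/soc.c
+++ b/arch/arm/mach-imx/imx8m/soc.c
@@ -28,7 +28,7 @@
 
 DECLARE_GLOBAL_DATA_PTR;
 
-#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX)
+#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX) || defined(CONFIG_IMX_TRUSTY_OS)
 struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
 .bank = 1,
 .word = 3,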
drivers/fastboot/fb_fsl/fb_fsl_command.c
... ... @@ -542,6 +542,14 @@
542 542 printf("Append ec attestation key successfully!\n");
543 543 strcpy(response, "OKAY");
544 544 }
  545 + } else if (endswith(cmd, FASTBOOT_GET_MPPUBK)) {
  546 + if (fastboot_get_mppubk(fastboot_buf_addr, &fastboot_bytes_received)) {
  547 + printf("ERROR Generate mppubk failed!\n");
  548 + strcpy(response, "FAILGenerate mppubk failed!");
  549 + } else {
  550 + printf("mppubk generated!\n");
  551 + strcpy(response, "OKAY");
  552 + }
545 553 }
546 554 #ifndef CONFIG_AVB_ATX
547 555 else if (endswith(cmd, FASTBOOT_SET_RPMB_KEY)) {
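Review bot: On the failure branch of the `FASTBOOT_GET_MPPUBK` handler, `fastboot_bytes_received` keeps whatever value an earlier download or command left in it, so a following `fastboot get_staged mppubk.bin` may return unrelated staged data under the key's file name. The get_staged path is not visible here, so this is inferred from the call `fastboot_get_mppubk(fastboot_buf_addr, &fastboot_bytes_received)` alone. Clearing the length before replying, `fastboot_bytes_received = 0;` ahead of `strcpy(response, "FAILGenerate mppubk failed!");`, would make a failed generation unambiguous to the host. The enclosing if/else chain starts and continues outside the hunk.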
... ... @@ -95,6 +95,7 @@
95 95 #define FASTBOOT_SET_EC_ATTESTATION_KEY "set-ec-atte-key"
96 96 #define FASTBOOT_APPEND_RSA_ATTESTATION_CERT "append-rsa-atte-cert"
97 97 #define FASTBOOT_APPEND_EC_ATTESTATION_CERT "append-ec-atte-cert"
  98 +#define FASTBOOT_GET_MPPUBK "get-mppubk"
98 99 #endif
99 100  
100 101 #ifdef CONFIG_ANDROID_THINGS_SUPPORT
... ... @@ -271,5 +271,9 @@
271 271  
272 272 /* Set vbmeta public key */
273 273 int avb_set_public_key(uint8_t *staged_buffer, uint32_t size);
  274 +
  275 +/* Get manufacture protection public key */
  276 +int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size);
  277 +
274 278 #endif /* __FSL_AVB_H__ */
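--- a/include/interface/keymaster/keymaster.h
+++ b/include/interface/keymaster/keymaster.h
@@ -62,7 +62,8 @@
 KM_ATAP_SET_CA_RESPONSE_UPDATE = (0x6000 << KEYMASTER_REQ_SHIFT),
 KM_ATAP_SET_CA_RESPONSE_FINISH = (0x7000 << KEYMASTER_REQ_SHIFT),
 KM_ATAP_READ_UUID = (0x8000 << KEYMASTER_REQ_SHIFT),
- KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT)
+ KM_SET_PRODUCT_ID = (0x9000 << KEYMASTER_REQ_SHIFT),
+ KM_GET_MPPUBK = (0xc000 << KEYMASTER_REQ_SHIFT)
 };
 
 typedef enum {
@@ -209,6 +210,15 @@
 int32_t error;
 uint32_t data_size;
 int8_t data[0];
+} TRUSTY_ATTR_PACKED;
+
+/**
+ * km_get_mppubk_resp - response format for mppubk buffer
+ */
+struct km_get_mppubk_resp {
+ int32_t error;
+ uint32_t data_size;
+ uint8_t data[64];
 } TRUSTY_ATTR_PACKED;
 
 /**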
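--- a/include/trusty/keymaster.h
+++ b/include/trusty/keymaster.h
@@ -127,5 +127,13 @@
 */
 int trusty_set_product_id(const uint8_t *product_id, uint32_t size);
 
+/*
+ * trusty_get_mppubk is called to get the mppubk from trusty side.
+ *
+ * @mppubk: Pointer to the buffer which store the mppubk.
+ * @size: Pointer to The size of mppubk.
+ */
+int trusty_get_mppubk(uint8_t *mppubk, uint32_t* size);
+
 #endif /* TRUSTY_KEYMASTER_H_ */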
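Review bot: The comment on `trusty_get_mppubk` does not say how large the `mppubk` buffer must be, although `size` is output-only and the implementation in lib/trusty/ql-tipc/keymaster.c copies a fixed 64 bytes into it. The caller therefore carries the whole bounds obligation, and the header is the place to state it. I would reword the parameters as `@mppubk: Output buffer; must hold at least 64 bytes (sizeof data in struct km_get_mppubk_resp).` and `@size: Output; set to the number of bytes written to mppubk.`, and add a line `Returns TRUSTY_ERR_NONE on success, an error code otherwise.`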
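--- a/lib/avb/fsl/fsl_avbkey.c
+++ b/lib/avb/fsl/fsl_avbkey.c
@@ -25,6 +25,11 @@
 #include <memalign.h>
 #include "trusty/hwcrypto.h"
 #include "fsl_atx_attributes.h"
+#include <asm/mach-imx/hab.h>
+#include <asm/arch/sys_proto.h>
+#ifdef CONFIG_ARCH_IMX8
+#include <asm/arch/sci/sci.h>
+#endif
 
 #if defined(CONFIG_SPL_BUILD)
 #include <spl.h>
@@ -1126,6 +1131,28 @@
 #endif /* CONFIG_AVB_ATX */
 
 #if defined(CONFIG_IMX_TRUSTY_OS) && !defined(CONFIG_AVB_ATX)
+
+DECLARE_GLOBAL_DATA_PTR;
+extern struct imx_sec_config_fuse_t const imx_sec_config_fuse;
+#define HAB_ENABLED_BIT (is_soc_type(MXC_SOC_IMX8M)? 0x2000000 : 0x2)
+
+/* Check hab status, this is basically copied from imx_hab_is_enabled() */
+bool hab_is_enabled(void)
+{
+ struct imx_sec_config_fuse_t *fuse =
+ (struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
+ uint32_t reg;
+ int ret;
+
+ ret = fuse_read(fuse->bank, fuse->word, &reg);
+ if (ret) {
+ puts("\nSecure boot fuse read error\n");
+ return ret;
+ }
+
+ return (reg & HAB_ENABLED_BIT) == HAB_ENABLED_BIT;
+}
+
 int do_rpmb_key_set(uint8_t *key, uint32_t key_size)
 {
 int ret = 0;
@@ -1251,6 +1278,37 @@
 return -1;
 } else
 printf("Set vbmeta public key successfully!\n");
+
+ return 0;
+}
+
+int fastboot_get_mppubk(uint8_t *staged_buffer, uint32_t *size) {
+
+#ifdef CONFIG_ARCH_IMX8
+ sc_err_t err;
+ uint16_t lc;
+
+ err = sc_seco_chip_info(-1, &lc, NULL, NULL, NULL);
+ if (err != SC_ERR_NONE) {
+ printf("Error in get lifecycle\n");
+ return -1;
+ }
+
+ if (lc != 0x80) {
+#else
+ if (!hab_is_enabled()) {
+#endif
+ ERR("Error. This command can only be used when hab is closed!!\n");
+ return -1;
+ }
+ if ((staged_buffer == NULL) || (size == NULL)) {
+ ERR("Error. Get null staged_buffer!\n");
+ return -1;
+ }
+ if (trusty_get_mppubk(staged_buffer, size)) {
+ ERR("Error. Failed to get mppubk!\n");
+ return -1;
+ }
 
 return 0;
 }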
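Review bot: `hab_is_enabled()` is declared `bool`, but its fuse-read error path does `return ret;`, and any non-zero `ret` converts to `true`, so a failed `fuse_read()` reports the device as closed. On builds without `CONFIG_ARCH_IMX8` that result is the only gate in `fastboot_get_mppubk()` before the request is sent to Trusty, so the check fails open; the error path should be `return false;`. The helper also has external linkage under a generic name, so marking it `static` would keep it from colliding with other HAB code. The bare `0x80` lifecycle value in the IMX8 branch would be easier to audit as a named constant with a comment saying which lifecycle it denotes (presumably OEM closed, going by the commit message).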
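--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@@ -480,4 +480,32 @@
 }
 return rc;
 }
+
+int trusty_get_mppubk(uint8_t *mppubk, uint32_t *size)
+{
+ int rc = TRUSTY_ERR_GENERIC;
+ struct km_get_mppubk_resp resp;
+
+ rc = km_send_request(KM_GET_MPPUBK, NULL, 0);
+ if (rc < 0) {
+ trusty_error("failed to send km mppubk request\n", rc);
+ return rc;
+ }
+
+ rc = km_read_raw_response(KM_GET_MPPUBK, &resp, sizeof(resp));
+ if (rc < 0) {
+ trusty_error("%s: failed (%d) to read km mppubk response\n", __func__, rc);
+ return rc;
+ }
+
+ if (resp.data_size != 64) {
+ trusty_error("%s: Wrong mppubk size!\n", __func__);
+ return TRUSTY_ERR_GENERIC;
+ } else {
+ *size = resp.data_size;
+ }
+
+ memcpy(mppubk, resp.data, resp.data_size);
+ return TRUSTY_ERR_NONE;
+}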
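Review bot: `trusty_get_mppubk()` never checks `resp.error`, and `resp` is an uninitialised stack struct, so the only validation of the reply is `resp.data_size != 64`. If `km_read_raw_response()` can succeed on a short or error-only message (its body is not visible here), the 64 bytes copied into the caller's buffer, which fastboot then stages for the host, could be leftover stack contents rather than a key. I would zero the struct with `struct km_get_mppubk_resp resp = {0};` and reject on `if (resp.error != 0 || resp.data_size != sizeof(resp.data))`, assuming 0 is the keymaster success code. Separately, `trusty_error("failed to send km mppubk request\n", rc);` passes `rc` with no conversion in the format string; the `"%s: failed (%d) ..."` form used a few lines later is the one to follow.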