Commit d2275a5926ac2ff7e9f656ac7803de010b51e870
Committed by
Ji Luo
Ji Luo
1 parent
aceb62dbfb
Exists in
smarc_8mm-imx_v2018.03_4.14.98_2.0.0_ga
and in
5 other branches
[iot] Return full zero hash if fuse not initialized
Part of permanent attributes hash was stored in fuse for security reason, however, the write operation of fuse was disabled by default because it was an irreversible operation. Returning AVB_IO_RESULT_ERROR_IO will stop following AVB process and won't pass dm-verity related commandlines to kernel, in such case, board will fail to boot even in unlock state. Returning AVB_IO_RESULT_OK and full zero permanent attributes hash when the fuse haven't been initialized, let the lock/unlock policy in libavb to handle the mismatch errors. Test: imx7d_pico boot successfully with dm-verity feature. Change-Id: I6bcf58ff8ce71859fa2d85c86572ea6de1c3a0df Signed-off-by: Luo Ji <ji.luo@nxp.com>
Showing 1 changed file with 6 additions and 3 deletions Side-by-side Diff
lib/avb/fsl/fsl_avbkey.c
| ... | ... | @@ -1162,13 +1162,16 @@ |
| 1162 | 1162 | if (permanent_attributes_sha256_hash(sha256_hash_buf) != RESULT_OK) { |
| 1163 | 1163 | return AVB_IO_RESULT_ERROR_IO; |
| 1164 | 1164 | } |
| 1165 | - /* check if the sha256(permanent attributes) hash match */ | |
| 1165 | + /* check if the sha256(permanent attributes) hash match the calculated one, | |
| 1166 | + * if not match, just return all zeros hash. | |
| 1167 | + */ | |
| 1166 | 1168 | if (memcmp(sha256_hash_fuse, sha256_hash_buf, ATX_HASH_LENGTH)) { |
| 1167 | 1169 | printf("ERROR - sha256(permanent attributes) does not match\n"); |
| 1168 | - return AVB_IO_RESULT_ERROR_IO; | |
| 1170 | + memset(hash, 0, AVB_SHA256_DIGEST_SIZE); | |
| 1171 | + } else { | |
| 1172 | + memcpy(hash, sha256_hash_buf, AVB_SHA256_DIGEST_SIZE); | |
| 1169 | 1173 | } |
| 1170 | 1174 | |
| 1171 | - memcpy(hash, sha256_hash_buf, AVB_SHA256_DIGEST_SIZE); | |
| 1172 | 1175 | return AVB_IO_RESULT_OK; |
| 1173 | 1176 | } |
| 1174 | 1177 |