17 Jan, 2021

1 commit

  • Refine the dependency of some configs to make it
    easier to add/modify android config files.

    Test: builds.

    Change-Id: Iccb044dadc7ce1e0b839bf83e2e9157e718f286c
    Signed-off-by: Ji Luo
    (cherry picked from commit 86f4f99a367bbc0ef99d4ab2a0b4078babfbfbd2)

    Ji Luo
     

08 Jan, 2021

3 commits

  • Locating the misc partition by ID can help reduce the boot
    time, but errors may happen if the ID of the misc partition
    is changed. Moving the misc partition to the start of the
    GPT and locating the partition by name is another option, but
    it will break backward compatibility as the GPT is
    changed.

    part_get_info_by_name() will loop over the PTE and return the
    matched partition info, but it costs much time as it
    will reload the whole PTE from storage in each loop.

    This commit provides part_get_info_efi_by_name() to support
    returning the partition info by name without reloading the whole
    PTE.

    Test: A/B slot switch in dual bootloader.

    Change-Id: I13cb2a7b3217f73aecc2aec6e06abc0d6e8abcdd
    Signed-off-by: Ji Luo
    (cherry picked from commit cd8f603f0d977ed73f0d0b44437c5c68fcebde25)

    Ji Luo
     
  • This commit fixes Coverity Issue 11468195: avoid using an
    uninitialized value.

    Test: AVB check.

    Change-Id: I04eb8faafd6c9a9fec1aeae0b29edc6940251094
    Signed-off-by: Ji Luo
    (cherry picked from commit 742cc182bf9d0d0a7c8cecdac2a328e5c0bd64cb)

    Ji Luo
     
  • The device IDs are provisioned from the bootloader; this commit
    adds commands to provision the device IDs:
    $ fastboot oem append-device-id

    Test: Device IDs provision and attest.

    Change-Id: Id3c737d3da02f7ba463e51b0525f3cb9bcf0c6d1
    Signed-off-by: Ji Luo
    (cherry picked from commit 7575ac07ac625c35269868511297385a69c96196)

    Ji Luo
     

11 Dec, 2020

2 commits

  • The keymaster client won't be initialized if the rpmb
    key is not set; return early with an error in such case
    to avoid a panic.

    Test: provision attestation keys & certs on boards without
    rpmb key set.

    Change-Id: I6f908aecafd15ab390629cb89b090c9ee817ba1e
    Signed-off-by: Ji Luo
    (cherry picked from commit b999b03c3eb153a99b481e42315e048653247107)

    Ji Luo
     
  • blk_dwrite() writes data in blocks; pad the keyslot_package
    struct to one block to avoid redundant data writes.

    Test: RPMB key set.

    Change-Id: I326d7f4394d15e6e22b12c3abd6a5e2de18920cc
    Signed-off-by: Ji Luo
    (cherry picked from commit 8a0deb19628d2752b516fbce00fc1b988f2e78b5)

    Ji Luo
     

09 Nov, 2020

1 commit

  • GCC for arm32 doesn't support division between signed
    and unsigned integers. Clean up the code to use 'long'
    for both arm32 and arm64 platforms.

    Test: build on 7ulp and 8mm.

    Change-Id: I21c23b1948994558237b27bfe7452e78e3d45172
    Signed-off-by: Ji Luo
    (cherry picked from commit 2062183df063e0653e9e88a690764647702af7dd)

    Ji Luo
     

06 Nov, 2020

1 commit

  • AVB verify should fail for the GKI boot image, but we should allow it
    to continue to boot in UNLOCKED state. In such case, we should not
    update the stored rollback index.

    This commit will update the rollback index only when the AVB
    verify is OK, to prevent a rollback index check error.

    Test: boots.

    Signed-off-by: Ji Luo
    Change-Id: I82678d288edd4df6de40a1ca863ed36d3b3658a8
    (cherry picked from commit ea48b544581d630bc031a7968a90b2fcf328424a)

    Ji Luo
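The failure mode behind the commit above, as an added example that is not the project's code: if the bootloader persists the rollback index from an image that failed verification (which an UNLOCKED device still boots), a later locked boot of the legitimate image can fail the rollback check. The simplified `avb_verify`, the lock state and the rollback values are constructed for the demonstration; the real stored index lives in RPMB and the real check is libavb's.

```c
#include <stdint.h>
#include <stdio.h>

#define AVB_OK  0
#define AVB_ERR 1

/* Constructed device state (assumed shape, not the project's struct). */
struct dev_state {
    uint64_t stored_rollback;   /* persisted rollback index, e.g. in RPMB */
    int      unlocked;          /* 1 = UNLOCKED, 0 = LOCKED */
};

struct boot_result {
    int boots;       /* 1 if the bootloader proceeds to the kernel */
    int verify_ok;   /* 1 if verification passed */
};

/* Simplified slot verify: signature check, then rollback index check. */
static int avb_verify(const struct dev_state *st, int sig_ok, uint64_t image_rb)
{
    if (!sig_ok)
        return AVB_ERR;
    if (image_rb < st->stored_rollback)
        return AVB_ERR;   /* image is older than one we have already accepted */
    return AVB_OK;
}

/* One boot attempt. 'update_on_failure' selects the old behaviour (store the
 * index from any booted image) versus the fixed one (only from a verified image). */
static struct boot_result boot_attempt(struct dev_state *st, int sig_ok,
                                       uint64_t image_rb, int update_on_failure)
{
    struct boot_result r = { 0, 0 };

    r.verify_ok = (avb_verify(st, sig_ok, image_rb) == AVB_OK);
    r.boots = r.verify_ok || st->unlocked;   /* UNLOCKED boots regardless */

    if (r.boots && (r.verify_ok || update_on_failure) &&
        image_rb > st->stored_rollback)
        st->stored_rollback = image_rb;      /* only ever moves forward */
    return r;
}

/* Scenario: an UNLOCKED device boots an unverifiable image that carries
 * rollback index 100, is then locked again, and must boot the legitimate
 * image (index 5). Returns 1 if the legitimate image still boots. */
static int legit_image_still_boots(int update_on_failure)
{
    struct dev_state st = { .stored_rollback = 5, .unlocked = 1 };

    boot_attempt(&st, /*sig_ok=*/0, /*image_rb=*/100, update_on_failure);
    st.unlocked = 0;
    return boot_attempt(&st, /*sig_ok=*/1, /*image_rb=*/5, update_on_failure).boots;
}

int main(void)
{
    printf("store index on failed verify: legit image boots = %d\n",
           legit_image_still_boots(1));
    printf("store index only on OK verify: legit image boots = %d\n",
           legit_image_still_boots(0));
    return 0;
}
```

With the old policy the unverified image's index 100 is persisted and the genuine image (index 5) is rejected once the device is locked; with the fix the stored index stays at 5.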
     

30 Oct, 2020

3 commits

  • The 'offset' can be a negative number passed from fsl_read_from_partition_multi();
    don't convert 'blksz' to 'uint64_t' as it will cause overflow when the 'offset'
    is a negative number.

    Test: mmc blk read with 'offset < 0'.

    Signed-off-by: Ji Luo
    Change-Id: Id1ce8e0c748dd280d70c1722cc7d17cc9646a4bb
    (cherry picked from commit 077b448679b9ad2891495c7344ba99a6c10a59fb)

    Ji Luo
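What the overflow in the commit above looks like, as an added example (not the project's code): in C, dividing an `int64_t` offset by a `uint64_t` block size converts the offset to unsigned first, so a negative offset (AVB's "count back from the end of the partition" convention) wraps to roughly 2^64 and the computed block index lands far outside the partition. The partition geometry and the `fixed` variant, which resolves the negative offset in signed arithmetic and bounds-checks it, are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed partition geometry (assumed values, not the project's). */
#define DEMO_BLKSZ       512ULL
#define DEMO_PART_BLOCKS 4096ULL

/* Buggy form: 'blksz' is uint64_t, so the usual arithmetic conversions turn
 * the int64_t 'offset' into uint64_t before the division. -512 becomes
 * 2^64-512 and the block index is ~2^55 instead of "last block". */
static uint64_t start_block_buggy(int64_t offset)
{
    uint64_t blksz = DEMO_BLKSZ;
    return offset / blksz;
}

/* Fixed form: resolve a negative offset against the partition size in
 * signed arithmetic, reject anything outside the partition, and only then
 * divide. 'blksz' is a signed 'long' so the division never mixes signed and
 * unsigned operands. Returns 0 and the block index on success, -1 on error. */
static int start_block_fixed(int64_t offset, uint64_t *blk_out)
{
    long blksz = (long)DEMO_BLKSZ;
    int64_t part_bytes = (int64_t)(DEMO_PART_BLOCKS * DEMO_BLKSZ);

    if (offset < 0)
        offset += part_bytes;             /* relative to the end of the partition */
    if (offset < 0 || offset >= part_bytes)
        return -1;                        /* still outside the partition */

    *blk_out = (uint64_t)(offset / blksz);
    return 0;
}

/* Convenience wrapper: block index, or -1 when the offset is rejected. */
static long long fixed_block_or_neg(int64_t offset)
{
    uint64_t blk;
    return start_block_fixed(offset, &blk) == 0 ? (long long)blk : -1;
}

int main(void)
{
    printf("buggy offset=-512 -> block %llu (partition has %llu blocks)\n",
           (unsigned long long)start_block_buggy(-512),
           (unsigned long long)DEMO_PART_BLOCKS);
    printf("fixed offset=-512 -> block %lld\n", fixed_block_or_neg(-512));
    printf("fixed offset=-3000000 -> %lld (rejected)\n", fixed_block_or_neg(-3000000));
    return 0;
}
```

A bootloader that passes the wrapped index straight to the block layer reads (or writes) far outside the partition, so the range check matters as much as the signedness fix.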
     
  • Set the initial 'source_slot' in 'misc_virtual_ab_message' as
    the current slot. At the same time, add slot checks before
    erasing data if virtual A/B is enabled.

    Test: virtual A/B update and erase.

    Signed-off-by: Ji Luo
    Change-Id: I84896335a95d9188b85e114037b470b3f4e7a209
    (cherry picked from commit a522c2245c3e58adbbcb99c43e0917ce315cc1aa)

    Ji Luo
     
  • To use the dynamic partition feature in Android, the recovery ramdisk is used to
    mount the logical partitions and boot up Android.

    Define a configuration item "CONFIG_ANDROID_DYNAMIC_PARTITION" and use it
    to control the bootargs and whether the ramdisk should be loaded, instead of
    "CONFIG_ANDROID_AUTO", because Android Auto also uses the dynamic
    partition feature now.

    Move the definition of the function "fastboot_setup_system_boot_args" under
    the macro "CONFIG_CMD_BOOTA" to avoid build warnings.

    Signed-off-by: faqiang.zhu
    Change-Id: I0b1cfe6120fc939e7f1a1eb600d8176c81edf129
    (cherry picked from commit 972ccff86796e2b7f9a444d09550cd5e393cd93e)

    faqiang.zhu
     

19 Oct, 2020

2 commits

  • Add config "CONFIG_LOAD_KEY_FROM_RPMB" to decide whether to load the
    avb public key from RPMB storage or build it in statically.

    Test: AVB verify.

    Signed-off-by: Ji Luo
    Change-Id: I1ca09c28bbfa18dd00aa28405389b382e09fe07e
    (cherry picked from commit 5a7973e8f42e54b3cd8ce15624478dcbe19c49fd)

    Ji Luo
     
  • Disable unused dts and configs for imx8q to reduce the boot time.

    'part_get_info_by_name' can be very time consuming as it will
    loop through all the GPT entries to find the matched partition;
    specifying the number of the 'misc' partition and using 'part_get_info' to
    load the partition info directly will save much time.

    With this patch, about 300ms can be saved for imx8qm and about 350ms
    can be saved for imx8qxp.

    Test: boot tests.

    Signed-off-by: Ji Luo
    Change-Id: I66bc7e002caea62754b670d0a30860a23a17ff61
    (cherry picked from commit d25c0c7b9de22abd6c326975199c86c943e742cf)

    Ji Luo
     

26 Aug, 2020

7 commits

  • Fix Coverity Issue 10473672. Add "%d" in the trusty_error() to
    fix extra argument issue.

    Signed-off-by: Ji Luo
    Change-Id: Iee2f5a9f4cd6e13f8a284affd4a8af5a92cfd055
    (cherry picked from commit f4c8c33cbbaedb2f0f00f299a51803947803a647)

    Ji Luo
     
  • Fix Coverity Issue 10473659. Add "__func__" and "rc" to pass
    correct parameter to printf.

    Signed-off-by: Ji Luo
    Change-Id: I72e30250827ad0c48e079a7048bdb40773c17a96
    (cherry picked from commit ed061b4a21a24d8deb36561e0bfe2343e2ce45c8)

    Ji Luo
     
  • Fix Coverity Issues 10473658, 10473663, 10473664 and 10473668. Use "%lu"
    for "uint64_t" and "unsigned long" parameters in printf to fix the type
    mismatch issue.

    Signed-off-by: Ji Luo
    Change-Id: Ic1642ab4d5aecee9676b65582b04eaca4c16d3c2

    Signed-off-by: Ji Luo
    Change-Id: Ic82c18ce09d99d47609a8258f08696b6c43bbe6a
    (cherry picked from commit dbe7dbbcc3858d5236403a37d3e32be379c4b3f1)

    Ji Luo
     
  • Fix Coverity Issue 10473656. Use "%s" instead of "%" to
    print the function name.

    Signed-off-by: Ji Luo
    Change-Id: I3158b2504a2be0330eb982d279811ca88935a902
    (cherry picked from commit 4339a489b8f24b35d2e59084e7ce42de27f28461)

    Ji Luo
     
  • Fix Coverity Issue 2690361. Fix unintentional integer overflow by
    casting the pte->length to type 'uint64_t'.

    Signed-off-by: Ji Luo
    Change-Id: I4536e733c82cb31bbd7da0ee916e7698850c3b81
    (cherry picked from commit 3a332c5264b1cdb5aa026bcb6fd4afad69c0d19b)

    Ji Luo
     
  • As we have to support GKI and non-GKI at the same time, it is
    a must to decide if GKI is enabled or not at run-time.

    This commit will decide that GKI is enabled if the partition "vendor_boot"
    is found in the GPT.

    This commit also makes some cleanup to make the code more readable and
    easier to maintain.

    Test: boots on Android and Android Auto.

    Signed-off-by: Ji Luo
    Change-Id: I6068bbaa60f5d76049b6ff0a892b5b8ca2c2f86b
    (cherry picked from commit b39f7532ab524408550b8b2827bb42ab38159033)

    Ji Luo
     
  • A 'misc_virtual_ab_message' struct will be stored at the 32kB offset
    in the misc partition, which will be used to record the virtual A/B update
    status.

    The bootloader should take care of this status; some operations must be
    restricted. This commit will:
    1. Restrict erase/flash operations to "misc", "userdata" or
    "metadata" partitions if the merge status is "SNAPSHOTTED" or
    "MERGING".
    2. Restrict slot switch if the merge status is "MERGING".
    3. Output a warning in slot switch if the merge status is "SNAPSHOTTED".
    4. Set the merge status to "CANCELLED" if an image flash happens.

    Test: 1. fastboot erase/flash "userdata", "misc", "metadata" after virtual
    A/B update
    2. slot switch after virtual A/B update

    Signed-off-by: Ji Luo
    Change-Id: I33f0041c5e76913d3970d943cad52353e0ac5f2d
    (cherry picked from commit 30df087bfc5e31413473f85dfefaa7176bc394a8)

    Ji Luo
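The four rules in the commit above, applied to a virtual A/B message read from a constructed misc image, as an added example that is not the project's code. The struct layout, magic and version values are as I recall them from AOSP's `bootloader_message.h` and are an assumption; the 32 KiB offset is the one the commit states. Rule 1 is read as "deny flash/erase of misc, userdata and metadata while a snapshot is present", and rule 4 as "a flash that is allowed while an update is in flight cancels it"; both readings are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed from AOSP bootloader_message.h; verify against your tree. */
#define SYSTEM_SPACE_OFFSET_IN_MISC     (32 * 1024)
#define MISC_VIRTUAL_AB_MAGIC_HEADER    0x56740ABu
#define MISC_VIRTUAL_AB_MESSAGE_VERSION 2

enum vab_merge_status {
    VAB_NONE = 0, VAB_UNKNOWN = 1, VAB_SNAPSHOTTED = 2, VAB_MERGING = 3, VAB_CANCELLED = 4
};

struct misc_virtual_ab_message {
    uint8_t  version;
    uint32_t magic;
    uint8_t  merge_status;   /* enum vab_merge_status */
    uint8_t  source_slot;    /* slot the update was applied from */
    uint8_t  reserved[57];
} __attribute__((packed));   /* 64 bytes */

enum fb_op      { FB_FLASH, FB_ERASE, FB_SET_ACTIVE };
enum fb_verdict { FB_ALLOW = 0, FB_ALLOW_WITH_WARNING = 1, FB_DENY = 2 };

/* Constructed 64 KiB misc partition image (zero-filled, not device data). */
#define DEMO_MISC_SIZE (64 * 1024)
static uint8_t g_misc[DEMO_MISC_SIZE];

/* Stamp a valid virtual A/B message into the constructed image. */
static void build_misc_image(uint8_t status, uint8_t slot)
{
    struct misc_virtual_ab_message m;
    memset(g_misc, 0, sizeof(g_misc));
    memset(&m, 0, sizeof(m));
    m.version = MISC_VIRTUAL_AB_MESSAGE_VERSION;
    m.magic = MISC_VIRTUAL_AB_MAGIC_HEADER;
    m.merge_status = status;
    m.source_slot = slot;
    memcpy(g_misc + SYSTEM_SPACE_OFFSET_IN_MISC, &m, sizeof(m));
}

/* Read the message; a missing or invalid header means no update is in flight. */
static void read_vab_message(const uint8_t *misc, struct misc_virtual_ab_message *out)
{
    memcpy(out, misc + SYSTEM_SPACE_OFFSET_IN_MISC, sizeof(*out));
    if (out->magic != MISC_VIRTUAL_AB_MAGIC_HEADER ||
        out->version != MISC_VIRTUAL_AB_MESSAGE_VERSION) {
        memset(out, 0, sizeof(*out));
        out->version = MISC_VIRTUAL_AB_MESSAGE_VERSION;
        out->magic = MISC_VIRTUAL_AB_MAGIC_HEADER;
        out->merge_status = VAB_NONE;
    }
}

static void write_vab_message(uint8_t *misc, const struct misc_virtual_ab_message *m)
{
    memcpy(misc + SYSTEM_SPACE_OFFSET_IN_MISC, m, sizeof(*m));
}

/* Partitions holding snapshot state; touching them mid-update corrupts the merge. */
static int is_snapshot_partition(const char *name)
{
    return strcmp(name, "misc") == 0 || strcmp(name, "userdata") == 0 ||
           strcmp(name, "metadata") == 0;
}

/* Rules 1-4 from the commit message. May update m->merge_status (rule 4). */
static enum fb_verdict check_fastboot_op(enum fb_op op, const char *part,
                                         struct misc_virtual_ab_message *m)
{
    uint8_t st = m->merge_status;
    int update_in_flight = (st == VAB_SNAPSHOTTED || st == VAB_MERGING);

    switch (op) {
    case FB_FLASH:
    case FB_ERASE:
        if (update_in_flight && is_snapshot_partition(part))
            return FB_DENY;                              /* rule 1 */
        if (op == FB_FLASH && update_in_flight)
            m->merge_status = VAB_CANCELLED;             /* rule 4 */
        return FB_ALLOW;
    case FB_SET_ACTIVE:
        if (st == VAB_MERGING)
            return FB_DENY;                              /* rule 2 */
        if (st == VAB_SNAPSHOTTED)
            return FB_ALLOW_WITH_WARNING;                /* rule 3 */
        return FB_ALLOW;
    }
    return FB_DENY;   /* unknown op: fail closed */
}

/* One fastboot request against the constructed misc; persists a status change. */
static int fastboot_request(enum fb_op op, const char *part)
{
    struct misc_virtual_ab_message m;
    read_vab_message(g_misc, &m);
    uint8_t before = m.merge_status;
    enum fb_verdict v = check_fastboot_op(op, part, &m);
    if (v != FB_DENY && m.merge_status != before)
        write_vab_message(g_misc, &m);
    return (int)v;
}

static int current_merge_status(void)
{
    struct misc_virtual_ab_message m;
    read_vab_message(g_misc, &m);
    return m.merge_status;
}
```

The write-back only happens when the status actually changed, so a misc partition with no valid message is left untouched rather than silently gaining one.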
     

16 Jul, 2020

4 commits

  • The old boot control logic and misc data struct are based on the
    'external/avb/libavb_ab' library, which is already marked as
    deprecated and won't be maintained by Google anymore:

    commit 37f5946d0e1159273eff61dd8041377fedbf55a9
    Author: David Zeuthen
    Date: Wed Sep 20 15:02:32 2017 -0400

    Deprecate libavb_ab and bootctrl.avb code.

    This code was already marked as experimental in anticipation of being
    removed in the future. Officially deprecate it and set Jun 1 2018 as
    the date it will be removed. This should give users of the code ample
    time to fork/migrate.

    To keep using the code AVB_AB_I_UNDERSTAND_LIBAVB_AB_IS_DEPRECATED
    must be defined.

    The reason for deprecating this code is twofold:

    - Its policy was optimized for devices without a display with
    e.g. automatic fallback to the other slot if a slot fails to
    boot. Since most A/B stacks in Android devices don't work this
    way this code is confusing.

    - There are no known active users, no good test coverage for the
    bootctrl.avb code, and no plans to use it.

    When the code is removed we'll provide an easy transition path by
    keeping (but renaming) the |ab_ops| member in AvbOps.

    Change-Id: Id5e090a2048076d36ccca2e1c4cb55e226b8b43d

    Google has provided a new boot control v1.1 implementation under
    'hardware/interfaces/boot/1.1/default' which uses a new misc data struct defined
    in 'include/android_bootloader_message.h'. This commit adds a new boot control
    implementation in the bootloader, which combines the new misc data struct and inherits
    some flow from 'libavb_ab'; the old 'libavb_ab' library will be removed.

    Test: boot/slot switch/retry count test on single&dual bootloader.

    Signed-off-by: Ji Luo
    Change-Id: I0fa1ee8562c83afec549c8f6aad7a26a2214f626
    (cherry picked from commit 29aafaf065d1688201d014213052863ec9d18e9c)

    Ji Luo
     
  • The handle_rpmb flag should indicate whether the call will invoke
    RPMB callbacks, which was removed by the commit below:
    commit dfd911856d31fd91eb4e3c1edb1d691723c6edaf
    Author: Roberto Pereira
    Date: Thu Nov 2 15:09:20 2017 -0700

    ql-tipc: trusty_ipc: Change ipc polling to be per device

    This allows ipc devices to provide service callbacks (e.g. rpmb) transparently
    to the application instead of needing to have prior knowledge of the expected
    request and having to poll the individual services' channels separately.

    Change-Id: I3257ae5e429f4a0c279f070d750b56c5600c38d5

    Sync the change for hwcrypto; it will help remove some build warnings.

    Test: builds and boots with trusty.

    Signed-off-by: Ji Luo
    Change-Id: I696b13d9d509d5983c934df5ee6fb36e46f4c884
    (cherry picked from commit 8812d39018c23cc26afa43a97acf27427979c90c)

    Ji Luo
     
  • This commit eliminates the annoying build warning logs.

    Test: builds with buildman.

    Signed-off-by: Ji Luo
    Change-Id: Ia335dafe3f4c0eab08e011215b9de5d2974b8d0c
    (cherry picked from commit 85e0d429d19b8f9a62369a5f20e088644c488b1e)

    Ji Luo
     
  • The Trusty binary will be integrated into the dom0 bootloader, so we need to check
    the rpmb keyslot for trusty. Use the software sha256 calculation method in avb
    verify as we still have issues using physical addresses in the domu
    bootloader.

    Test: boots xen with android.

    Signed-off-by: Ji Luo
    Change-Id: Ie7da9196ad6947157111665efd420bf4381385d6
    (cherry picked from commit 4030462cb99e1dc67f7ee28f391ddd5c21938878)

    Ji Luo
     

16 Jun, 2020

16 commits

  • GKI (Generic Kernel Image) requires boot header v3 and vendor
    boot support; all device specific info is moved to the vendor_boot partition,
    and boot header v3 is not compatible with earlier versions (0/1/2).

    This commit adds support for boot header v3 and vendor boot; it
    concatenates the generic ramdisk and vendor ramdisk to generate the
    final ramdisk passed to the kernel.

    Test: boots with or without boot header v3 and vendor boot support.

    Signed-off-by: Ji Luo
    Change-Id: Ib3298ae46bfc728aa4a34909d372eff6cc86ca70

    Ji Luo
     
  • Main memory contents can spontaneously come into the cache due to
    speculative memory access by the CPU; this may cause a coherency
    problem if it happens while a DMA operation is ongoing.

    Invalidate the dcache range after the DMA operation but before the main
    memory read to avoid the coherency problem.

    Test: reboot test.

    Change-Id: I93824deab9285b5478669e0a311e0b338bf02f8a
    Signed-off-by: Ji Luo

    Ji Luo
     
  • According to the spec of Android Wear, the device MUST provide a
    bootloader menu for debugging purposes.

    This commit implements a simple bootloader menu based on the imx7ulp_evk
    revb board; the menu will show when booting with the 'VOL+' key pressed,
    users can press "VOL+" to choose an item, then press the "ONOFF" key to
    confirm.

    Test: bootloader menu show on imx7ulp_evk revb.

    Change-Id: I80638a43afa17e312e633b05888c62440380b42b
    Signed-off-by: Ji Luo

    Ji Luo
     
  • According to the Google boot flow, an orange warning should
    be displayed on an UNLOCKED device to remind users of the
    potential risks.

    This commit will show an orange warning logo and warning text
    on the screen; it will be dismissed after 3 seconds, and users
    can also skip it by pressing the ON-OFF button.

    Config 'CONFIG_AVB_WARNING_LOGO_COLS' and 'CONFIG_AVB_WARNING_LOGO_ROWS'
    define the (x, y) position of the warning logo; the default
    values are for a 1080*720 resolution display and can be overridden.

    Test: Orange warning logo shows on all imx8m/imx8q platforms.

    Change-Id: I607edb3da039b47ddfac681f855834d8da187af8
    Signed-off-by: Ji Luo

    Ji Luo
     
  • Only check the bootloader rollback index and trusty keyslot package
    for rpmb key flashed boards.

    Test: boots on boards without rpmb key.

    Change-Id: I130e4d906c0f08d602eac820ec5612214e01ff55
    Signed-off-by: Ji Luo

    Ji Luo
     
  • The dynamic partition feature is not enabled on automotive, so there is a
    system partition in the GPT; u-boot for automotive needs to get the info of
    this partition to generate the correct bootargs.

    Also, there is no commandline descriptor like "dm=***" in the vbmeta image
    for standard Android after the dynamic partition feature is enabled, so
    there is no need to use "strstr" to eliminate this from the bootargs.

    Change-Id: I51b3b92f5a22550602335cfc212831b263526f42
    Signed-off-by: faqiang.zhu

    faqiang.zhu
     
  • To enable the dynamic partition feature, the system partition will be a logical
    partition in the "super" partition, and u-boot can't access the system partition
    anymore.

    In the i.MX Android use case, only the vbmeta partition is used to verify other
    images; boot and system are not used, so there is no need to access the
    system partition to get avb device info. Remove the system partition from the
    avb lib.

    Now standard Android boots with the ramdisk in boot.img, so there is no
    need to provide root info to the kernel for standard Android; only
    Android Auto will provide this info.

    Change-Id: I99a43eb8f7aa1dc635e3937c93266f881c9b3655
    Signed-off-by: faqiang.zhu
    (cherry picked from commit 3a2418a1cc097cd956347fc12b0b4e0566652bfd)

    faqiang.zhu
     
  • Only limited heap memory is available on imx8q platforms because
    some memory is reserved for the m4 image. Commit cd67414 frees
    avb verify data and thus helps decrease the heap memory
    consumption.

    But when the device is locked, avb will try to verify one slot
    first, and will continue to verify the other if the first slot
    returns failure. Function load_full_partition() will alloc memory
    to load boot/dtbo images from the heap (which is a big and continuous
    memory region); this memory will be freed if the first slot returns
    verify failure. But because part of the continuous memory region
    will be used in the following verify process, even if the total available memory
    is enough, u-boot can't find a continuous memory region to load the
    boot/dtbo image for the other slot and will return the error "Failed to
    allocate memory".

    Instead, this commit uses a fixed memory region starting from the 96MB offset of
    CONFIG_FASTBOOT_BUF_ADDR to load the boot/dtbo images.

    Test: slot verify and A/B slot switch.

    Change-Id: Ifc83bed5a6be37196c0fd109d942eaf9b07b6a74
    Signed-off-by: Ji Luo
    (cherry picked from commit d13752e831957fb84c71f8ca24fd1979d3605cde)

    Ji Luo
     
  • Address 0x8880_0000 is reserved for the M4 image on imx8q, which
    leaves a limited memory region for the malloc pool. The avb
    will consume much heap memory to verify the kernel and dtbo
    images; memory conflicts may happen as the kernel/dtbo image
    size gets larger.

    The avb will load kernel/dtbo in every avb_slot_verify(), but
    will only free the memory after both slots are checked (if needed).
    And for trusty enabled platforms, extra heap memory will be used
    to do the hash calculation.

    This commit will free the slot memory once it's marked as unbootable
    and will use fixed memory starting from CONFIG_FASTBOOT_BUF_ADDR to
    help store the data for the hash calculation. With the above change,
    we get a chance to decrease the malloc pool size.

    Test: boot on imx8qxp and imx8mm.

    Change-Id: Ia5cdaf9962ae1cb8b8e9bee5305205ec6d90b84a
    Signed-off-by: Ji Luo
    (cherry picked from commit 0a299eb1a4c8c929d069cb4a0d58a096c04f09f7)

    Ji Luo
     
  • Guard oem unlock permission protection feature with new config
    'CONFIG_TRUSTY_UNLOCK_PERMISSION', so we can enable or disable
    it as needed.

    Test: build and boot on imx8mm.

    Signed-off-by: Ji Luo
    (cherry picked from commit c664d8e8b94e9b6f66b2bf04d1be47e9b8a22978)

    Change-Id: If1db4b46ecac21b8f187854531704eaff2df30c4

    Ji Luo
     
  • A slot will be marked as "unbootable" if an error happens during the
    image load/verify process; this may cause the board to never boot up
    if some random failures happen (like an eMMC/DRAM access error at some
    critical temperature).

    Check the "successful_boot" flag before marking the slot as "unbootable";
    this will help ease the "no bootable slot" issue.

    Test: slot switch on imx8qm_mek.

    Signed-off-by: Ji Luo
    (cherry picked from commit 6db8ebe2224ab6656e8e798288bd1b3c0472c0c0)

    Change-Id: Ib060b11cc6687a3bacd09cecda7dd925beba6316

    Ji Luo
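The "no bootable slot" failure mode described in the commit above, as an added example that is not the project's code: with both slots already marked successful, a transient load error on each slot in turn retires both under the old policy, while the new policy keeps a slot that has booted successfully before. The three-field `slot_meta` struct, the bootable rule (priority > 0 and either tries left or a successful boot) and the error scenario are simplified constructions for the demonstration, not the `bootloader_control` layout from `android_bootloader_message.h`.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_SLOTS 2

/* Simplified per-slot metadata for the demo (assumed shape, not the real struct). */
struct slot_meta {
    uint8_t priority;          /* 0 = unbootable, higher wins */
    uint8_t tries_remaining;   /* boot attempts left before giving up */
    uint8_t successful_boot;   /* 1 once Android has marked the slot good */
};

static int slot_bootable(const struct slot_meta *s)
{
    return s->priority > 0 && (s->tries_remaining > 0 || s->successful_boot);
}

/* Highest-priority bootable slot, or -1 when none is left. */
static int select_slot(const struct slot_meta *slots)
{
    int best = -1;
    for (int i = 0; i < NUM_SLOTS; i++)
        if (slot_bootable(&slots[i]) &&
            (best < 0 || slots[i].priority > slots[best].priority))
            best = i;
    return best;
}

static void mark_unbootable(struct slot_meta *s)
{
    s->priority = 0;
    s->tries_remaining = 0;
    s->successful_boot = 0;
}

/* Old behaviour: any load/verify error retires the slot immediately. */
static void on_load_error_old(struct slot_meta *s)
{
    mark_unbootable(s);
}

/* New behaviour: a slot that has already booted successfully is kept, so a
 * transient eMMC/DRAM error can simply be retried; a slot that has never
 * booted successfully is still retired. */
static void on_load_error_new(struct slot_meta *s)
{
    if (s->successful_boot)
        return;
    mark_unbootable(s);
}

/* Constructed scenario: both slots have booted fine before and a transient
 * error hits whichever slot is selected, NUM_SLOTS times. Returns the slot
 * that would be selected afterwards, or -1 for "no bootable slot". */
static int slot_left_after_transient_errors(int use_new_policy)
{
    struct slot_meta slots[NUM_SLOTS] = {
        { .priority = 15, .tries_remaining = 0, .successful_boot = 1 },   /* slot a */
        { .priority = 14, .tries_remaining = 0, .successful_boot = 1 },   /* slot b */
    };
    for (int attempt = 0; attempt < NUM_SLOTS; attempt++) {
        int s = select_slot(slots);
        if (s < 0)
            break;
        if (use_new_policy)
            on_load_error_new(&slots[s]);
        else
            on_load_error_old(&slots[s]);
    }
    return select_slot(slots);
}

/* A freshly updated slot (never booted successfully) is still retired. */
static int fresh_slot_bootable_after_error_new(void)
{
    struct slot_meta s = { .priority = 15, .tries_remaining = 3, .successful_boot = 0 };
    on_load_error_new(&s);
    return slot_bootable(&s);
}

int main(void)
{
    printf("old policy: selected slot after errors = %d\n",
           slot_left_after_transient_errors(0));
    printf("new policy: selected slot after errors = %d\n",
           slot_left_after_transient_errors(1));
    printf("new policy, never-successful slot still bootable = %d\n",
           fresh_slot_bootable_after_error_new());
    return 0;
}
```

The trade-off is visible in the loop: under the new policy a persistently broken but previously good slot is re-selected rather than failed over, which is why the commit describes it as easing, not eliminating, the issue.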
     
  • Add commands to read the oem device unlock state from the
    trusty avb app. Use the oem device unlock state to
    determine if the device can be unlocked instead of
    the state in the persistdata partition.

    Test: Read oem device unlock state from avb app.

    Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559
    Signed-off-by: Ji Luo
    (cherry picked from commit c6eaf8e32987f120c0c5441ea39aa0f39a65b50d)

    Ji Luo
     
  • Don't skip vbmeta public key verify for non-trusty
    platforms.

    Test: boot on imx8mm.

    Change-Id: I4712e5dd6e5c8848468e9d85c6b38eb5fb11377f
    Signed-off-by: Ji Luo
    (cherry picked from commit 9b8264c89ccb3e9179a438e428ad79d72c7efe9b)

    Ji Luo
     
  • Decrypt and verify the secure credential in the keymaster TA; the unlock
    operation can only be allowed after the secure credential verify passes.

    Since the mppubk can only be generated on hab closed imx8q, the secure
    unlock feature can only be supported when hab is closed.

    Test: secure unlock credential verify on hab closed imx8mm_evk.

    Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71
    Signed-off-by: Ji Luo
    (cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a)

    Ji Luo
     
  • MMC device id remap function "board_mmc_get_env_dev()" was
    removed in u-boot v2019 because we added the mmc device aliases
    in the dts file. But we still need to remap the mmc device id in
    spl, or reading/writing the rpmb keyslot package will fail.

    This patch adds an mmc device id remap function in spl to get the
    correct device id.

    Test: boot on imx8mm with trusty enabled.

    Change-Id: I41c46494326d9eb2658d2cda692968fb895d0292
    Signed-off-by: Ji Luo
    (cherry picked from commit c079188d06b3669df7836e1b8c6126558b1fa39e)

    Ji Luo
     
  • The A/B slot selection is moved to spl; it may lead to a hang
    if no bootable slots are found. The only way to recover the board
    is to re-flash images with the uuu tool, which is quite inconvenient
    for some customers who can't enter serial download mode.

    This patch will set an "spl recovery mode" which will give us a
    chance to re-flash images with fastboot commands.

    Test: Enter spl recovery mode and flash images when no bootable
    slots found.

    Change-Id: I31278f5212bde7609fe2f49e77b3849e92c0c516
    Signed-off-by: Ji Luo
    (cherry picked from commit 46cc755cf3f42422ee1d7783394e14e8125df2b6)

    Ji Luo