08 Jan, 2021
1 commit
-
The device IDs are provisioned from bootloader, this commit
add commands to provision the deivce IDs:
$ fastboot oem append-device-idTest: Device IDs provision and attest.
Change-Id: Id3c737d3da02f7ba463e51b0525f3cb9bcf0c6d1
Signed-off-by: Ji Luo
(cherry picked from commit 7575ac07ac625c35269868511297385a69c96196)
11 Dec, 2020
1 commit
-
The keymaster client won't be initialized if the rpmb
key is not set, return early with error in such case
to avoid panic.Test: provision attestation keys & certs on boards without
rpmb key set.Change-Id: I6f908aecafd15ab390629cb89b090c9ee817ba1e
Signed-off-by: Ji Luo
(cherry picked from commit b999b03c3eb153a99b481e42315e048653247107)
19 Oct, 2020
1 commit
-
Disable unused dts and configs for imx8q to reduce the boot time.
The 'part_get_info_by_name' can be very time consuming as it will
loop through all the GPT entries to find the matched partition,
specify the number of 'misc' partition and use 'part_get_info' to
load the partition info directly will save much time.With this patch, about 300ms can be save for imx8qm, about 350ms
can be saved for imx8qxp.Test: boot tests.
Signed-off-by: Ji Luo
Change-Id: I66bc7e002caea62754b670d0a30860a23a17ff61
(cherry picked from commit d25c0c7b9de22abd6c326975199c86c943e742cf)
26 Aug, 2020
4 commits
-
Fix Coverity Issue 10473672. Add "%d" in the trusty_error() to
fix extra argument issue.Signed-off-by: Ji Luo
Change-Id: Iee2f5a9f4cd6e13f8a284affd4a8af5a92cfd055
(cherry picked from commit f4c8c33cbbaedb2f0f00f299a51803947803a647) -
Fix Coverity Issue 10473659. Add "__func__" and "rc" to pass
correct parameter to printf.Signed-off-by: Ji Luo
Change-Id: I72e30250827ad0c48e079a7048bdb40773c17a96
(cherry picked from commit ed061b4a21a24d8deb36561e0bfe2343e2ce45c8) -
Fix Coverity Issue 10473658, 10473663, 10473664 and 10473668. Use "%lu"
for "uint64_t" and "unsigned long" parameter in printf to fix the type
mismatch issue.Signed-off-by: Ji Luo
Change-Id: Ic1642ab4d5aecee9676b65582b04eaca4c16d3c2Signed-off-by: Ji Luo
Change-Id: Ic82c18ce09d99d47609a8258f08696b6c43bbe6a
(cherry picked from commit dbe7dbbcc3858d5236403a37d3e32be379c4b3f1) -
Fix Coverity Issue 10473656. Use "%s" instead of "%" to
print the function name.Signed-off-by: Ji Luo
Change-Id: I3158b2504a2be0330eb982d279811ca88935a902
(cherry picked from commit 4339a489b8f24b35d2e59084e7ce42de27f28461)
16 Jul, 2020
2 commits
-
The handle_rpmb flag should indicate whether the call will invoke
RPMB callbacks, which has been removed by below commit:
commit dfd911856d31fd91eb4e3c1edb1d691723c6edaf
Author: Roberto Pereira
Date: Thu Nov 2 15:09:20 2017 -0700ql-tipc: trusty_ipc: Change ipc polling to be per device
This allows ipc devices to provide service callbacks (e.g. rpmb) transparently
to the application instead of needing to have prior knowledge of the expected
request and having to poll the individual services' channels separately.Change-Id: I3257ae5e429f4a0c279f070d750b56c5600c38d5
Sync the change for hwcrypto, it will help remove some build warnings.
Test: builds and boots with trusty.
Signed-off-by: Ji Luo
Change-Id: I696b13d9d509d5983c934df5ee6fb36e46f4c884
(cherry picked from commit 8812d39018c23cc26afa43a97acf27427979c90c) -
This commit eliminate the annoying build warning logs.
Test: builds with buildman.
Signed-off-by: Ji Luo
Change-Id: Ia335dafe3f4c0eab08e011215b9de5d2974b8d0c
(cherry picked from commit 85e0d429d19b8f9a62369a5f20e088644c488b1e)
16 Jun, 2020
7 commits
-
The main memory contents can spontaneously come to the cache due to
the speculative memory access by the CPU, this may cause coherency
problem if this happens during the DMA operaion is on-going.Invalidate the dcache range after DMA opeartion but before the main
memory read to avoid coherency problem.Test: reboot test.
Change-Id: I93824deab9285b5478669e0a311e0b338bf02f8a
Signed-off-by: Ji Luo -
Add commands to read oem device unlock state from
trusty avb app. Use the oem device unlock state to
determine if the device can be unlocked instead of
the state in persistdata part.Test: Read oem device unlock state from avb app.
Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559
Signed-off-by: Ji Luo
(cherry picked from commit c6eaf8e32987f120c0c5441ea39aa0f39a65b50d) -
Decrypt and verify the secure credential in keymaster TA, unlock
operation can only be allowed after secure credential verify pass.Since the mppubk can only be generated on hab closed imx8q, so secure
unlock feature can only supported when hab is closed.Test: secure unlock credential verify on hab closed imx8mm_evk.
Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71
Signed-off-by: Ji Luo
(cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a) -
It can be dangerous to export some hwcrypto commands to Linux,
add commands to limit some commands within bootloader.Test: hwcrypto commands can't be used after locking boot state.
Change-Id: Ib0a96a87f661778c133178840d8dccf49f151c22
Signed-off-by: Ji Luo
(cherry picked from commit 3fc3f521957677b1f363624494ed866985a25505) -
Add new command to generate bkek from trusty.
Test: generate and dump bkek.
Change-Id: I6b2a30b87c755eecd00ced7c53cfb86e432040de
Signed-off-by: Ji Luo
(cherry picked from commit 6c1087c030de491a12b7f1be9d332f30ba27d183) -
In host end, need encrypt the attestation keys and certs
by manufacture protection public key though AES-128-ECB.
Then use below 4 set of commands to provision encrypted
RSA attestation and EC attestation:
* $fastboot stage atte_rsa_key.bin
* $fastboot oem set-rsa-atte-key-enc
* $fastboot stage atte_rsa_cert.bin
* $fastboot oem append-rsa-atte-cert-enc
* $fastboot stage atte_ec_key.bin
* $fastboot oem set-ec-atte-key-enc
* $fastboot stage atte_ec_cert.bin
* $fastboot oem append-ec-atte-cert-encChange-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
Signed-off-by: Haoran.Wang
(cherry picked from commit 58965915dd69050429142d3d180c75e98ad14788) -
Add new keymaster commands to get Manufacure Production key (mppubk).
Since the mppubk can only be generated in OEM CLOSED imx8q board, so
we can only use this command when the board is HAB/AHAB closed.Commands to extract the mppubk:
* $fastboot oem get-mppubk
* $fastboot get_staged mppubk.binTest: Generate and dump the mppubk.bin
Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo
(cherry picked from commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7)
06 May, 2020
1 commit
-
The lib provided ql-tipc communication channel with
Trusty OS.
Also the AVB, Keymaster, hwcrypto and SecureStorage service
tipc client implement in this lib.Change-Id: I0ab1ec9ee1b6f272b960c2e944008283c2c9249a
Signed-off-by: Haoran.Wang
(cherry picked from commit 8fb370dd80fbb293b58115d2e7fc4970813773c7)
(cherry picked from commit 0ccdd527a794c2b450658980361a7857ce7495c9)
(cherry picked from commit ffca28682c5a9375c29b3036a156aff190341960)