24 Dec, 2018
2 commits
-
Sometimes we need to set random rpmb key which is invisible
except for the device.
Generate the random key with hwcrypto interface and support
fastboot command "fastboot oem set-rpmb-random-key" to set it.Test: build and boot on imx8q.
Change-Id: I44e1b6b091366d8ffceb1159fc65c17610ce5243
Signed-off-by: Ji Luo -
Add new hwcrypto command to support rng generation with CAAM.
Test: rng generated on imx8qxp_mek.
Change-Id: I756f3e99423f0f9dfc2bcd30117a3f96e9f5f2f7
Signed-off-by: Ji Luo
12 Dec, 2018
1 commit
-
Open configs to enable trusty for imx8mm_evk and also
add new config imx8mm_evk_android_trusty_defconfig based
on imx8mm_evk_android_defconfig.Test: Trusty starts ok.
Change-Id: Iaea90de21f886ed23082a5e8e8d2fa7fb139a9cb
Signed-off-by: Ji Luo
10 Dec, 2018
1 commit
-
Print the func name instead of null buffer.
Test: boot on imx8qm_mek.
Change-Id: I883a9cebb2981b7e2451c00ed27000baf40097bf
Signed-off-by: Ji Luo
05 Dec, 2018
1 commit
-
This will reduce some image size for Android Auto.
Test: build and boot on imx8qm_mek.
Change-Id: I023801a542f83398126d5af23c0a1eb2080c5063
Signed-off-by: Ji Luo
04 Dec, 2018
2 commits
-
Add commands to write/read vbmeta public key to/from secure
storage. The vbmeta public key can only be set once.
Comands to set the public key:
fastboot stage
fastboot oem set-public-keyTest: build and boot on imx8qxp_mek.
Change-Id: Id3ad4aa5aacef4fc8443f6a2d6ccb931310970ca
Signed-off-by: Ji Luo -
Secure storage is ready in trusty so we should read/write the rollback
index from rpmb.
But for borads without rpmb key, read/write the rpmb will fail and will
block the following avb verify process. In this case, check if the rpmb
key has been set and always return AVB_IO_RESULT_OK for the boards without
rpmb key.Test: build and boot pass on imx8qm_mek.
Change-Id: I10c438e56d049ae97ebedfc446c8202642630d8b
Signed-off-by: Ji Luo
22 Nov, 2018
1 commit
-
Too many macros are used in fsl_avbkey.c and
make it difficult to maintain.
This patch made some refine by:
1. Move all avb/atx operations to fsl_avb.c.
2. Refine the functions logic.
3. Drop some unsupported conditions/functions.Test: build and boot on
imx8qm_mek/imx8mq_evk/imx6qp_sabresd/imx7d_pico/imx8m_aiy.Change-Id: I5c99732acfc47d53cdf188d69223983777e577f4
Signed-off-by: Luo Ji
21 Nov, 2018
1 commit
-
Pass "androidboot.keystore=trusty" for trusty backed keymaster
service, pass "androidboot.keystore=software" for software
keymaster service.Test: boot pass on imx8qm_mek.
Change-Id: I9fa38c15a7c10aef09ab29b0e9859b690e3e7a41
Signed-off-by: Ji Luo
12 Nov, 2018
14 commits
-
Commit "ql-tipc: trusty_ipc: Change ipc polling to be per device" removes
rpmb_storage_proxy_poll() call in avb_do_tipc() which will return early
if the rpmb proxy service isn't initialized properly, this will make boards
hang if the rpmb key is not set.
Skip initializing AVB and Keymaster client if the rpmb key hasn't been
set, but keep the hwcrypto client initialization since we need it to
generate the rpmb key blob.Test: Build and boot ok on imx8q.
Change-Id: I1ead849e812da55edae8b739d9ae56a7d4951af4
Signed-off-by: Ji Luo -
The rollback index should be updated when avb verify pass
and the slot has been marked as successful, update the
rollback index also for those enabled dual bootloader
feature.
This commit also fix some configs condition issue so
read/write rollback index with trusty will work.Test: rollback index updated successfully on
imx7d_pico and AIY.Change-Id: I2344d6462249d8d88f0622d331cdeffc7e12f885
Signed-off-by: Ji Luo -
Add support for fastboot variable 'at-vboot-state', it's composed
by 6 sub-variable: 'bootloader-locked', 'bootloader-min-versions',
'avb-perm-attr-set', 'avb-locked', 'avb-unlock-disabled' and
'avb-min-versions'.Test: All 'at-vboot-state' variables are returned
correctly on imx7d_pico and AIY.Change-Id: Ibb855cbcc7c41657af62dafb98a96c4dfb96ef22
Signed-off-by: Ji Luo -
Device will be locked permanently after disabling the unlcok vboot, store
the disable unlock vboot status into fuse. Since the fuse write operation
is irreversible so config 'CONFIG_AVB_FUSE' is disabled by default, user
need to add this config manually and run this command again.Test: Disable unlock vboot bit is set after enabling "CONFIG_AVB_FUSE",
device was locked permanently after running this command. This is
verified on both imx7d_pico and AIY.Change-Id: Iad8991a238763b1d662e33cba65f0b9eb44e97ef
Signed-off-by: Ji Luo -
Supoort "fastboot oem at-lock-vboot" command for Android
Things, this command can only be called after perm-attr
have been fused.Test: build and boot ok on imx7d_pico and AIY.
Change-Id: Ifcfeb2a38d88c5d12b46a1d9ea61b182ae2e7bcb
Signed-off-by: Ji Luo -
Add fastboot commands "fastboot oem at-get-vboot-unlock-challenge"
and "fastboot oem at-unlock-vboot" to support the authenticated
unlock feature for Android Things devices. Use software random
numbers generator to generate the 16 bytes random challenge, it
should be replaced with hardware encrypted random generator when
the TEE part is ready.Test: Generate unlock challenge by:
./avbtool make_atx_unlock_credential
--output=atx_unlock_credential.bin
--intermediate_key_certificate=atx_pik_certificate.bin
--unlock_key_certificate=atx_puk_certificate.bin
--challenge=my_generated_challenge.bin
--unlock_key=testkey_atx_puk.pem
validated the unlock credential successfully on imx7d_pico
and AIY.Change-Id: I4b8cee87c9e96924169479b65020a081136681f6
Signed-off-by: Ji Luo -
for Android Things, sha256 is caculated with software, for Android Auto,
sha256 is caculated with CAAM hardware module. so use macro to seperate
the code about hardware crypto service.Change-Id: Ibf4cad2c98240ab2c826869e9cb28ad09bded2f6
Signed-off-by: faqiang.zhu -
Align the callback to ARM64 environment for
Trusty OS.TEST: AIY-3G & AIY-1G board's TIPC and AVB handler
works.Change-Id: I65806f56267a4a9278db04a462e351da181618cc
Signed-off-by: Haoran.Wang -
Change-Id: I1c800fe39b5999169edd6e2acb9f66e557a3a86e
-
Obtaining the memory attributes can be done indepentently of the
bootloader environment and is now done by the ipc layer.Updated u-boot example to reflect this.
Change-Id: I8e649a1367ba02981419c43aac6e55b469dcf651
-
Changed trusty_membuf_alloc and trusty_membuf_free to trusty_alloc_pages and
trusty_free_pages. The memory allocated by these functions is intended
to be shared with the secure world so it should be inherently page based.Updated u-boot sysdeps and trusty_ipc_dev_create/shutdown to use these
new functionsChange-Id: Ica1aa5b0cb50eba6ce18914d048e731133d94c4f
-
Change-Id: I4b52d9ba71c9d4fa959f19ee7d741c46dcdef09a
-
This allows ipc devices to provide service callbacks (e.g. rpmb) transparently
to the application instead of needing to have prior knowledge of the expected
request and having to poll the individual services' channels separately.Change-Id: I3257ae5e429f4a0c279f070d750b56c5600c38d5
-
trusty_encode_page_info now also supports EL2 and EL3 in 64-bit environments
and PL1 and PL2 in 32-bitChange-Id: I296212ae7a1f0b276279819523a13eb1cfaf2a26
09 Nov, 2018
1 commit
-
RPMB storage proxy service will return fail if the rpmb key is not
correct, we should not return early here if the rpmb key has not
been set because we still need to initialize the hwcrypto service
to generate the rpmb key blob.
This commit also adds more hint when set the rpmb key.Change-Id: I8ee59e4e277b545283d63b1070e671d508dbe0c2
Signed-off-by: Luo Ji
03 Nov, 2018
4 commits
-
Generate the key blob and store it to the last block of boot1 partition
after setting the rpmb key. The key blob should be checked in spl and be
passed to Trusty OS if it's valid. If the key blob are damaged, RPMB
storage proxy service will return fail and should make the device hang.Test: Build and boot ok on imx8qm/qxp.
Change-Id: Ia274cd72109ab6ae15920e91b2a2008e1f1e667c
Signed-off-by: Ji Luo -
Add new hwcrypto tipc command and handler to generate blob with
CAAM.Test: Message exchange with trusty and blob encapsulate/decapsulate ok.
Change-Id: I925b47cb3e22eeddf4c89e84a9c994d2f30423fe
Signed-off-by: Ji Luo -
Use CAAM to accelerate SHA256 hash calculation in AVB,
this will reduce u-boot boot time, about 570ms can be
saved for imx8qxp.Test: Build and boot ok for imx8qxp.
Change-Id: Idbbd781e5ad8e7d6cd8865190d7547c165d02190
Signed-off-by: Ji Luo -
Add new service 'hwcrypto' to handle CAAM related work
with Trusty OS. Add tipc interface to accelerate hash
calculation with CAAM.Test: Service connect and message exchange with Trusty OS
are ok.Change-Id: Ia870c3ad2ff30af987f327a9777a8b32f53593db
Signed-off-by: Ji Luo
12 Oct, 2018
1 commit
-
Add fastboot command "fastboot oem set-rpmb-key" to program the rpmb
key which should be staged first.
Usage:
1. fastboot stage my-rpmb-key.bin
2. fastboot oem set-rpmb-keyTest: rpmb key programed successfully on imx8qxp.
Change-Id: I95474a6367eb8ef0db16bb38680975b8c45b84f1
Signed-off-by: Ji Luo
13 Sep, 2018
2 commits
-
Assign security features to specific config.
Now, use AVB_RPMB to enable RPMB stored rollback
index.After this refine,
for imx6/7/8 Android release, use no AVB_RPMB,
for imx6/7 AndroidThings, use AVB_RPMB.This patch also fix below build error for imx6/7:
vendor/nxp-opensource/uboot-imx/lib/avb/fsl/fsl_avbkey.c:711:2: error:
implicit declaration of function 'fsl_fuse_read'
[-Werror=implicit-function-declaration]
if (fsl_fuse_read((uint32_t *)blob, RPMBKEY_FUSE_LENW,
RPMBKEY_FUSE_OFFSET)){Change-Id: I734479f0627901f372f4b211b2e710bd103eb244
Signed-off-by: Haoran.Wang -
In some situation, like uuu, the current mmc device
won't return the correct value. Avoid the NULL
pointer in secure storage proxy which may cause
panic.Change-Id: Ie24afc270fec0b0977dee71b7fc44fe94876e410
Signed-off-by: Haoran.Wang
12 Sep, 2018
2 commits
-
This patch fix the bug that when keymaster tipc not
initialized the access will make uboot panic.Change-Id: I6500219061ce69103c5f98750eaa5ace4854efea
Signed-off-by: Haoran.Wang -
Align the callback to ARM64 environment for
Trusty OS.TEST: AIY-3G & AIY-1G board's TIPC and AVB handler
works.Change-Id: I65806f56267a4a9278db04a462e351da181618cb
Signed-off-by: Haoran.Wang
22 Aug, 2018
2 commits
-
Some redundant codes are added after cherry-picking android
related commits from imx_v2017.03, remove them in this commit.Test: build and boot pass on imx6q_sabresd.
Signed-off-by: Ji Luo
-
Blob buffer size is 48 bytes larger than the plain text buffer,
set correct range when flush the dcache. Also use cache aligned
buffer for the blob/plain_text to avoid failure in CAAM.Change-Id: I3b377cfeb8f5bd9c76233827b2c9c7bd0d788c9b
Signed-off-by: Ji Luo
21 Aug, 2018
3 commits
-
Sometimes we don't need to dump the whole partition table when
some partition can't be found, only dump the partition table
when it's needed.Test: Build and boot ok.
Change-Id: I52407f0117b73f4b3656fe2435b08dfc7a349939
Signed-off-by: Ji Luo -
The RPMB keyslot is stored in last block of boot1 partition which
is easily erased or tampered, set power-on write protection for this
partition to prevent corruption.Test: Power-on write protection works as expected on imx8m.
Change-Id: I7aadaed81ff81de680da9b20049f163a982e3d57
Signed-off-by: Luo Ji -
Bootloader image take fit format and the rollback index for bootloader
is stored at the "rbindex" node, SPL will read the rollback index for
bootloader and compare it with the one stored in RPMB. The stored
rollback index will be updated only when current slot pass the verify
and has been marked as successful.Bug:109947126
Test: Rollback index protection feature works fine for imx8m.Change-Id: Ic12db4571287fbcb99e5eba0127e0b09378fa5d6
Signed-off-by: Luo Ji
20 Aug, 2018
2 commits
-
A/B switch logic will be moved to SPL stage if dual bootloader
feature is enable, in such case, we just need to verify single
slot which is selected in SPL stage.Test: verify and boot ok for imx8m.
Change-Id: Iafe0d2d4aea1c178551940808416eec4a3547259
Signed-off-by: Luo Ji -
Move the A/B slot check to SPL, the A/B slot switch
workflow is just like what we have in libavb_ab.Test: A/B select works fine on imx8m.
Change-Id: Ie3d827a9be0298b491bf2bc8d48833597fd70e90
Signed-off-by: Luo Ji