18 May, 2020

6 commits

  • Add commands to read oem device unlock state from
    trusty avb app. Use the oem device unlock state to
    determine if the device can be unlocked instead of
    the state in persistdata part.

    Test: Read oem device unlock state from avb app.

    Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559
    Signed-off-by: Ji Luo
    (cherry picked from commit c6eaf8e32987f120c0c5441ea39aa0f39a65b50d)

    Ji Luo
     
  • Decrypt and verify the secure credential in keymaster TA, unlock
    operation can only be allowed after secure credential verify pass.

    Since the mppubk can only be generated on hab closed imx8q, secure
    unlock feature can only be supported when hab is closed.

    Test: secure unlock credential verify on hab closed imx8mm_evk.

    Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71
    Signed-off-by: Ji Luo
    (cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a)

    Ji Luo
     
  • It can be dangerous to export some hwcrypto commands to Linux,
    add commands to limit some commands within bootloader.

    Test: hwcrypto commands can't be used after locking boot state.

    Change-Id: Ib0a96a87f661778c133178840d8dccf49f151c22
    Signed-off-by: Ji Luo
    (cherry picked from commit 3fc3f521957677b1f363624494ed866985a25505)

    Ji Luo
     
  • Add new command to generate bkek from trusty.

    Test: generate and dump bkek.

    Change-Id: I6b2a30b87c755eecd00ced7c53cfb86e432040de
    Signed-off-by: Ji Luo
    (cherry picked from commit 6c1087c030de491a12b7f1be9d332f30ba27d183)

    Ji Luo
     
  • On the host end, the attestation keys and certs need to be encrypted
    by the manufacture protection public key through AES-128-ECB.
    Then use the 4 sets of commands below to provision encrypted
    RSA attestation and EC attestation:
    * $fastboot stage atte_rsa_key.bin
    * $fastboot oem set-rsa-atte-key-enc
    * $fastboot stage atte_rsa_cert.bin
    * $fastboot oem append-rsa-atte-cert-enc
    * $fastboot stage atte_ec_key.bin
    * $fastboot oem set-ec-atte-key-enc
    * $fastboot stage atte_ec_cert.bin
    * $fastboot oem append-ec-atte-cert-enc

    Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
    Signed-off-by: Haoran.Wang
    (cherry picked from commit 58965915dd69050429142d3d180c75e98ad14788)

    Haoran.Wang
     
  • Add new keymaster commands to get Manufacture Production key (mppubk).
    Since the mppubk can only be generated in OEM CLOSED imx8q board,
    we can only use this command when the board is HAB/AHAB closed.

    Commands to extract the mppubk:
    * $fastboot oem get-mppubk
    * $fastboot get_staged mppubk.bin

    Test: Generate and dump the mppubk.bin

    Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
    Signed-off-by: Ji Luo
    (cherry picked from commit 52300d644a275dfa4fe73ecb51601a8efaff8ab7)

    Ji Luo
     

27 Apr, 2020

1 commit

  • The lib provided ql-tipc communication channel with
    Trusty OS.
    Also, the AVB, Keymaster, hwcrypto and SecureStorage service
    tipc clients are implemented in this lib.

    Change-Id: I0ab1ec9ee1b6f272b960c2e944008283c2c9249a
    Signed-off-by: Haoran.Wang
    (cherry picked from commit 8fb370dd80fbb293b58115d2e7fc4970813773c7)
    (cherry picked from commit 0ccdd527a794c2b450658980361a7857ce7495c9)
    (cherry picked from commit ffca28682c5a9375c29b3036a156aff190341960)

    Haoran.Wang