From: Ye Li Date: Mon, 30 Jan 2023 10:39:52 +0000 (+0800) Subject: imx: ahab: Move imx9 and imx8ulp AHAB support together X-Git-Tag: baikal/mips/sdk6.2~4^2~3^2~175^2~16^2~68 X-Git-Url: https://git.baikalelectronics.ru/?a=commitdiff_plain;h=8c7d5462a59d681547d3b2ab23c59841e0b83b92;p=uboot.git imx: ahab: Move imx9 and imx8ulp AHAB support together Use common file ele_ahab.c for i.MX9 and iMX8ULP AHAB support, since both of them use same sentinel ELE APIs Signed-off-by: Ye Li Reviewed-by: Peng Fan --- diff --git a/arch/arm/include/asm/arch-imx8ulp/imx-regs.h b/arch/arm/include/asm/arch-imx8ulp/imx-regs.h index 9a5d76e210..a038cc1df3 100644 --- a/arch/arm/include/asm/arch-imx8ulp/imx-regs.h +++ b/arch/arm/include/asm/arch-imx8ulp/imx-regs.h @@ -63,6 +63,8 @@ #define FEC_QUIRK_ENET_MAC +#define IMG_CONTAINER_BASE (0x22010000UL) + #if !(defined(__KERNEL_STRICT_NAMES) || defined(__ASSEMBLY__)) #include diff --git a/arch/arm/include/asm/arch-imx9/imx-regs.h b/arch/arm/include/asm/arch-imx9/imx-regs.h index f575805c7d..065fd1f96d 100644 --- a/arch/arm/include/asm/arch-imx9/imx-regs.h +++ b/arch/arm/include/asm/arch-imx9/imx-regs.h @@ -40,6 +40,8 @@ #define SRC_MIX_SLICE_FUNC_STAT_ISO_STAT BIT(4) #define SRC_MIX_SLICE_FUNC_STAT_MEM_STAT BIT(12) +#define IMG_CONTAINER_BASE (0x80000000UL) + #define BCTRL_GPR_ENET_QOS_INTF_MODE_MASK GENMASK(3, 1) #define BCTRL_GPR_ENET_QOS_INTF_SEL_MII (0x0 << 1) #define BCTRL_GPR_ENET_QOS_INTF_SEL_RMII (0x4 << 1) diff --git a/arch/arm/mach-imx/Makefile b/arch/arm/mach-imx/Makefile index 4dfc60eedc..9bcb23c4da 100644 --- a/arch/arm/mach-imx/Makefile +++ b/arch/arm/mach-imx/Makefile @@ -77,6 +77,10 @@ ifeq ($(CONFIG_SPL_BUILD),y) obj-$(CONFIG_SPL_LOAD_IMX_CONTAINER) += image-container.o parse-container.o endif +ifeq ($(SOC),$(filter $(SOC),imx8ulp imx9)) +obj-$(CONFIG_AHAB_BOOT) += ele_ahab.o +endif + PLUGIN = board/$(BOARDDIR)/plugin ifeq ($(CONFIG_USE_IMXIMG_PLUGIN),y) diff --git a/arch/arm/mach-imx/ele_ahab.c b/arch/arm/mach-imx/ele_ahab.c new file mode 100644 index 0000000000..da8c99b8b0 --- /dev/null +++ b/arch/arm/mach-imx/ele_ahab.c @@ -0,0 +1,579 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright 2022 NXP + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +DECLARE_GLOBAL_DATA_PTR; + +#define IMG_CONTAINER_END_BASE (IMG_CONTAINER_BASE + 0xFFFFUL) + +#define AHAB_MAX_EVENTS 8 + +static char *ele_ipc_str[] = { + "IPC = MU RTD (0x1)\n", + "IPC = MU APD (0x2)\n", + "IPC = INVALID\n", + NULL +}; + +static char *ele_status_str[] = { + "STA = ELE_SUCCESS_IND (0xD6)\n", + "STA = ELE_FAILURE_IND (0x29)\n", + "STA = INVALID\n", + NULL +}; + +static char *ele_cmd_str[] = { + "CMD = ELE_PING_REQ (0x01)\n", + "CMD = ELE_FW_AUTH_REQ (0x02)\n", + "CMD = ELE_RESTART_RST_TIMER_REQ (0x04)\n", + "CMD = ELE_DUMP_DEBUG_BUFFER_REQ (0x21)\n", + "CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)\n", + "CMD = ELE_VERIFY_IMAGE_REQ (0x88)\n", + "CMD = ELE_RELEASE_CONTAINER_REQ (0x89)\n", + "CMD = ELE_WRITE_SECURE_FUSE_REQ (0x91)\n", + "CMD = ELE_FWD_LIFECYCLE_UP_REQ (0x95)\n", + "CMD = ELE_READ_FUSE_REQ (0x97)\n", + "CMD = ELE_GET_FW_VERSION_REQ (0x9D)\n", + "CMD = ELE_RET_LIFECYCLE_UP_REQ (0xA0)\n", + "CMD = ELE_GET_EVENTS_REQ (0xA2)\n", + "CMD = ELE_ENABLE_PATCH_REQ (0xC3)\n", + "CMD = ELE_RELEASE_RDC_REQ (0xC4)\n", + "CMD = ELE_GET_FW_STATUS_REQ (0xC5)\n", + "CMD = ELE_ENABLE_OTFAD_REQ (0xC6)\n", + "CMD = ELE_RESET_REQ (0xC7)\n", + "CMD = ELE_UPDATE_OTP_CLKDIV_REQ (0xD0)\n", + "CMD = ELE_POWER_DOWN_REQ (0xD1)\n", + "CMD = ELE_ENABLE_APC_REQ (0xD2)\n", + "CMD = ELE_ENABLE_RTC_REQ (0xD3)\n", + "CMD = ELE_DEEP_POWER_DOWN_REQ (0xD4)\n", + "CMD = ELE_STOP_RST_TIMER_REQ (0xD5)\n", + "CMD = ELE_WRITE_FUSE_REQ (0xD6)\n", + "CMD = ELE_RELEASE_CAAM_REQ (0xD7)\n", + "CMD = ELE_RESET_A35_CTX_REQ (0xD8)\n", + "CMD = ELE_MOVE_TO_UNSECURED_REQ (0xD9)\n", + "CMD = ELE_GET_INFO_REQ (0xDA)\n", + "CMD = ELE_ATTEST_REQ (0xDB)\n", + "CMD = ELE_RELEASE_PATCH_REQ (0xDC)\n", + "CMD = ELE_OTP_SEQ_SWITH_REQ (0xDD)\n", + "CMD = INVALID\n", + NULL +}; + +static char *ele_ind_str[] = { + "IND = ELE_ROM_PING_FAILURE_IND (0x0A)\n", + "IND = ELE_FW_PING_FAILURE_IND (0x1A)\n", + "IND = ELE_BAD_SIGNATURE_FAILURE_IND (0xF0)\n", + "IND = ELE_BAD_HASH_FAILURE_IND (0xF1)\n", + "IND = ELE_INVALID_LIFECYCLE_IND (0xF2)\n", + "IND = ELE_PERMISSION_DENIED_FAILURE_IND (0xF3)\n", + "IND = ELE_INVALID_MESSAGE_FAILURE_IND (0xF4)\n", + "IND = ELE_BAD_VALUE_FAILURE_IND (0xF5)\n", + "IND = ELE_BAD_FUSE_ID_FAILURE_IND (0xF6)\n", + "IND = ELE_BAD_CONTAINER_FAILURE_IND (0xF7)\n", + "IND = ELE_BAD_VERSION_FAILURE_IND (0xF8)\n", + "IND = ELE_INVALID_KEY_FAILURE_IND (0xF9)\n", + "IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)\n", + "IND = ELE_NO_VALID_CONTAINER_FAILURE_IND (0xFB)\n", + "IND = ELE_BAD_CERTIFICATE_FAILURE_IND (0xFC)\n", + "IND = ELE_BAD_UID_FAILURE_IND (0xFD)\n", + "IND = ELE_BAD_MONOTONIC_COUNTER_FAILURE_IND (0xFE)\n", + "IND = ELE_MUST_SIGNED_FAILURE_IND (0xE0)\n", + "IND = ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)\n", + "IND = ELE_BAD_SRK_SET_FAILURE_IND (0xEF)\n", + "IND = ELE_UNALIGNED_PAYLOAD_FAILURE_IND (0xA6)\n", + "IND = ELE_WRONG_SIZE_FAILURE_IND (0xA7)\n", + "IND = ELE_ENCRYPTION_FAILURE_IND (0xA8)\n", + "IND = ELE_DECRYPTION_FAILURE_IND (0xA9)\n", + "IND = ELE_OTP_PROGFAIL_FAILURE_IND (0xAA)\n", + "IND = ELE_OTP_LOCKED_FAILURE_IND (0xAB)\n", + "IND = ELE_OTP_INVALID_IDX_FAILURE_IND (0xAD)\n", + "IND = ELE_TIME_OUT_FAILURE_IND (0xB0)\n", + "IND = ELE_BAD_PAYLOAD_FAILURE_IND (0xB1)\n", + "IND = ELE_WRONG_ADDRESS_FAILURE_IND (0xB4)\n", + "IND = ELE_DMA_FAILURE_IND (0xB5)\n", + "IND = ELE_DISABLED_FEATURE_FAILURE_IND (0xB6)\n", + "IND = ELE_MUST_ATTEST_FAILURE_IND (0xB7)\n", + "IND = ELE_RNG_NOT_STARTED_FAILURE_IND (0xB8)\n", + "IND = ELE_CRC_ERROR_IND (0xB9)\n", + "IND = ELE_AUTH_SKIPPED_OR_FAILED_FAILURE_IND (0xBB)\n", + "IND = ELE_INCONSISTENT_PAR_FAILURE_IND (0xBC)\n", + "IND = ELE_RNG_INST_FAILURE_FAILURE_IND (0xBD)\n", + "IND = ELE_LOCKED_REG_FAILURE_IND (0xBE)\n", + "IND = ELE_BAD_ID_FAILURE_IND (0xBF)\n", + "IND = ELE_INVALID_OPERATION_FAILURE_IND (0xC0)\n", + "IND = ELE_NON_SECURE_STATE_FAILURE_IND (0xC1)\n", + "IND = ELE_MSG_TRUNCATED_IND (0xC2)\n", + "IND = ELE_BAD_IMAGE_NUM_FAILURE_IND (0xC3)\n", + "IND = ELE_BAD_IMAGE_ADDR_FAILURE_IND (0xC4)\n", + "IND = ELE_BAD_IMAGE_PARAM_FAILURE_IND (0xC5)\n", + "IND = ELE_BAD_IMAGE_TYPE_FAILURE_IND (0xC6)\n", + "IND = ELE_CORRUPTED_SRK_FAILURE_IND (0xD0)\n", + "IND = ELE_OUT_OF_MEMORY_IND (0xD1)\n", + "IND = ELE_CSTM_FAILURE_IND (0xCF)\n", + "IND = ELE_OLD_VERSION_FAILURE_IND (0xCE)\n", + "IND = ELE_WRONG_BOOT_MODE_FAILURE_IND (0xCD)\n", + "IND = ELE_APC_ALREADY_ENABLED_FAILURE_IND (0xCB)\n", + "IND = ELE_RTC_ALREADY_ENABLED_FAILURE_IND (0xCC)\n", + "IND = ELE_ABORT_IND (0xFF)\n", + "IND = INVALID\n", + NULL +}; + +static u8 ele_cmd[] = { + ELE_PING_REQ, + ELE_FW_AUTH_REQ, + ELE_RESTART_RST_TIMER_REQ, + ELE_DUMP_DEBUG_BUFFER_REQ, + ELE_OEM_CNTN_AUTH_REQ, + ELE_VERIFY_IMAGE_REQ, + ELE_RELEASE_CONTAINER_REQ, + ELE_WRITE_SECURE_FUSE_REQ, + ELE_FWD_LIFECYCLE_UP_REQ, + ELE_READ_FUSE_REQ, + ELE_GET_FW_VERSION_REQ, + ELE_RET_LIFECYCLE_UP_REQ, + ELE_GET_EVENTS_REQ, + ELE_ENABLE_PATCH_REQ, + ELE_RELEASE_RDC_REQ, + ELE_GET_FW_STATUS_REQ, + ELE_ENABLE_OTFAD_REQ, + ELE_RESET_REQ, + ELE_UPDATE_OTP_CLKDIV_REQ, + ELE_POWER_DOWN_REQ, + ELE_ENABLE_APC_REQ, + ELE_ENABLE_RTC_REQ, + ELE_DEEP_POWER_DOWN_REQ, + ELE_STOP_RST_TIMER_REQ, + ELE_WRITE_FUSE_REQ, + ELE_RELEASE_CAAM_REQ, + ELE_RESET_A35_CTX_REQ, + ELE_MOVE_TO_UNSECURED_REQ, + ELE_GET_INFO_REQ, + ELE_ATTEST_REQ, + ELE_RELEASE_PATCH_REQ, + ELE_OTP_SEQ_SWITH_REQ +}; + +static u8 ele_ind[] = { + ELE_ROM_PING_FAILURE_IND, + ELE_FW_PING_FAILURE_IND, + ELE_BAD_SIGNATURE_FAILURE_IND, + ELE_BAD_HASH_FAILURE_IND, + ELE_INVALID_LIFECYCLE_IND, + ELE_PERMISSION_DENIED_FAILURE_IND, + ELE_INVALID_MESSAGE_FAILURE_IND, + ELE_BAD_VALUE_FAILURE_IND, + ELE_BAD_FUSE_ID_FAILURE_IND, + ELE_BAD_CONTAINER_FAILURE_IND, + ELE_BAD_VERSION_FAILURE_IND, + ELE_INVALID_KEY_FAILURE_IND, + ELE_BAD_KEY_HASH_FAILURE_IND, + ELE_NO_VALID_CONTAINER_FAILURE_IND, + ELE_BAD_CERTIFICATE_FAILURE_IND, + ELE_BAD_UID_FAILURE_IND, + ELE_BAD_MONOTONIC_COUNTER_FAILURE_IND, + ELE_MUST_SIGNED_FAILURE_IND, + ELE_NO_AUTHENTICATION_FAILURE_IND, + ELE_BAD_SRK_SET_FAILURE_IND, + ELE_UNALIGNED_PAYLOAD_FAILURE_IND, + ELE_WRONG_SIZE_FAILURE_IND, + ELE_ENCRYPTION_FAILURE_IND, + ELE_DECRYPTION_FAILURE_IND, + ELE_OTP_PROGFAIL_FAILURE_IND, + ELE_OTP_LOCKED_FAILURE_IND, + ELE_OTP_INVALID_IDX_FAILURE_IND, + ELE_TIME_OUT_FAILURE_IND, + ELE_BAD_PAYLOAD_FAILURE_IND, + ELE_WRONG_ADDRESS_FAILURE_IND, + ELE_DMA_FAILURE_IND, + ELE_DISABLED_FEATURE_FAILURE_IND, + ELE_MUST_ATTEST_FAILURE_IND, + ELE_RNG_NOT_STARTED_FAILURE_IND, + ELE_CRC_ERROR_IND, + ELE_AUTH_SKIPPED_OR_FAILED_FAILURE_IND, + ELE_INCONSISTENT_PAR_FAILURE_IND, + ELE_RNG_INST_FAILURE_FAILURE_IND, + ELE_LOCKED_REG_FAILURE_IND, + ELE_BAD_ID_FAILURE_IND, + ELE_INVALID_OPERATION_FAILURE_IND, + ELE_NON_SECURE_STATE_FAILURE_IND, + ELE_MSG_TRUNCATED_IND, + ELE_BAD_IMAGE_NUM_FAILURE_IND, + ELE_BAD_IMAGE_ADDR_FAILURE_IND, + ELE_BAD_IMAGE_PARAM_FAILURE_IND, + ELE_BAD_IMAGE_TYPE_FAILURE_IND, + ELE_CORRUPTED_SRK_FAILURE_IND, + ELE_OUT_OF_MEMORY_IND, + ELE_CSTM_FAILURE_IND, + ELE_OLD_VERSION_FAILURE_IND, + ELE_WRONG_BOOT_MODE_FAILURE_IND, + ELE_APC_ALREADY_ENABLED_FAILURE_IND, + ELE_RTC_ALREADY_ENABLED_FAILURE_IND, + ELE_ABORT_IND +}; + +static u8 ele_ipc[] = { + ELE_IPC_MU_RTD, + ELE_IPC_MU_APD +}; + +static u8 ele_status[] = { + ELE_SUCCESS_IND, + ELE_FAILURE_IND +}; + +static inline u32 get_idx(u8 *list, u8 tgt, u32 size) +{ + u32 i; + + for (i = 0; i < size; i++) { + if (list[i] == tgt) + return i; + } + + return i; /* last str is invalid */ +} + +static void display_ahab_auth_ind(u32 event) +{ + u8 resp_ind = (event >> 8) & 0xff; + + printf("%s\n", ele_ind_str[get_idx(ele_ind, resp_ind, ARRAY_SIZE(ele_ind))]); +} + +int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length) +{ + int err; + u32 resp; + + memcpy((void *)IMG_CONTAINER_BASE, (const void *)container, + ALIGN(length, CONFIG_SYS_CACHELINE_SIZE)); + + flush_dcache_range(IMG_CONTAINER_BASE, + IMG_CONTAINER_BASE + ALIGN(length, CONFIG_SYS_CACHELINE_SIZE) - 1); + + err = ahab_auth_oem_ctnr(IMG_CONTAINER_BASE, &resp); + if (err) { + printf("Authenticate container hdr failed, return %d, resp 0x%x\n", + err, resp); + display_ahab_auth_ind(resp); + } + + return err; +} + +int ahab_auth_release(void) +{ + int err; + u32 resp; + + err = ahab_release_container(&resp); + if (err) { + printf("Error: release container failed, resp 0x%x!\n", resp); + display_ahab_auth_ind(resp); + } + + return err; +} + +int ahab_verify_cntr_image(struct boot_img_t *img, int image_index) +{ + int err; + u32 resp; + + err = ahab_verify_image(image_index, &resp); + if (err) { + printf("Authenticate img %d failed, return %d, resp 0x%x\n", + image_index, err, resp); + display_ahab_auth_ind(resp); + + return -EIO; + } + + return 0; +} + +static inline bool check_in_dram(ulong addr) +{ + int i; + struct bd_info *bd = gd->bd; + + for (i = 0; i < CONFIG_NR_DRAM_BANKS; ++i) { + if (bd->bi_dram[i].size) { + if (addr >= bd->bi_dram[i].start && + addr < (bd->bi_dram[i].start + bd->bi_dram[i].size)) + return true; + } + } + + return false; +} + +int authenticate_os_container(ulong addr) +{ + struct container_hdr *phdr; + int i, ret = 0; + int err; + u16 length; + struct boot_img_t *img; + unsigned long s, e; + + if (addr % 4) { + puts("Error: Image's address is not 4 byte aligned\n"); + return -EINVAL; + } + + if (!check_in_dram(addr)) { + puts("Error: Image's address is invalid\n"); + return -EINVAL; + } + + phdr = (struct container_hdr *)addr; + if (phdr->tag != 0x87 || phdr->version != 0x0) { + printf("Error: Wrong container header\n"); + return -EFAULT; + } + + if (!phdr->num_images) { + printf("Error: Wrong container, no image found\n"); + return -EFAULT; + } + + length = phdr->length_lsb + (phdr->length_msb << 8); + + debug("container length %u\n", length); + + err = ahab_auth_cntr_hdr(phdr, length); + if (err) { + ret = -EIO; + goto exit; + } + + debug("Verify images\n"); + + /* Copy images to dest address */ + for (i = 0; i < phdr->num_images; i++) { + img = (struct boot_img_t *)(addr + + sizeof(struct container_hdr) + + i * sizeof(struct boot_img_t)); + + debug("img %d, dst 0x%x, src 0x%lx, size 0x%x\n", + i, (uint32_t)img->dst, img->offset + addr, img->size); + + memcpy((void *)img->dst, (const void *)(img->offset + addr), + img->size); + + s = img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1); + e = ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1; + + flush_dcache_range(s, e); + + ret = ahab_verify_cntr_image(img, i); + if (ret) + goto exit; + } + +exit: + debug("ahab_auth_release, 0x%x\n", ret); + ahab_auth_release(); + + return ret; +} + +static int do_authenticate(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + ulong addr; + + if (argc < 2) + return CMD_RET_USAGE; + + addr = simple_strtoul(argv[1], NULL, 16); + + printf("Authenticate OS container at 0x%lx\n", addr); + + if (authenticate_os_container(addr)) + return CMD_RET_FAILURE; + + return CMD_RET_SUCCESS; +} + +static void display_life_cycle(u32 lc) +{ + printf("Lifecycle: 0x%08X, ", lc); + switch (lc) { + case 0x1: + printf("BLANK\n\n"); + break; + case 0x2: + printf("FAB\n\n"); + break; + case 0x4: + printf("NXP Provisioned\n\n"); + break; + case 0x8: + printf("OEM Open\n\n"); + break; + case 0x10: + printf("OEM Secure World Closed\n\n"); + break; + case 0x20: + printf("OEM closed\n\n"); + break; + case 0x40: + printf("Field Return OEM\n\n"); + break; + case 0x80: + printf("Field Return NXP\n\n"); + break; + case 0x100: + printf("OEM Locked\n\n"); + break; + case 0x200: + printf("BRICKED\n\n"); + break; + default: + printf("Unknown\n\n"); + break; + } +} + +static int confirm_close(void) +{ + puts("Warning: Please ensure your sample is in NXP closed state, " + "OEM SRK hash has been fused, \n" + " and you are able to boot a signed image successfully " + "without any SECO events reported.\n" + " If not, your sample will be unrecoverable.\n" + "\nReally perform this operation? \n"); + + if (confirm_yesno()) + return 1; + + puts("Ahab close aborted\n"); + return 0; +} + +static int do_ahab_close(struct cmd_tbl *cmdtp, int flag, int argc, + char *const argv[]) +{ + int err; + u32 resp; + + if (!confirm_close()) + return -EACCES; + + err = ahab_forward_lifecycle(8, &resp); + if (err != 0) { + printf("Error in forward lifecycle to OEM closed\n"); + return -EIO; + } + + printf("Change to OEM closed successfully\n"); + + return 0; +} + +int ahab_dump(void) +{ + u32 buffer[32]; + int ret, i = 0; + + do { + ret = ahab_dump_buffer(buffer, 32); + if (ret < 0) { + printf("Error in dump AHAB log\n"); + return -EIO; + } + + if (ret == 1) + break; + for (i = 0; i < ret; i++) + printf("0x%x\n", buffer[i]); + } while (ret >= 21); + + return 0; +} + +static int do_ahab_dump(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) +{ + return ahab_dump(); +} + +static void display_event(u32 event) +{ + printf("\n\t0x%08x\n", event); + printf("\t%s", ele_ipc_str[get_idx(ele_ipc, + (event >> 24) & 0xFF, ARRAY_SIZE(ele_ipc))]); + printf("\t%s", ele_cmd_str[get_idx(ele_cmd, + (event >> 16) & 0xFF, ARRAY_SIZE(ele_cmd))]); + printf("\t%s", ele_ind_str[get_idx(ele_ind, + (event >> 8) & 0xFF, ARRAY_SIZE(ele_ind))]); + printf("\t%s", ele_status_str[get_idx(ele_status, + event & 0xFF, ARRAY_SIZE(ele_status))]); +} + +static int do_ahab_status(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) +{ + u32 lc, i; + u32 events[AHAB_MAX_EVENTS]; + u32 cnt = AHAB_MAX_EVENTS; + int ret; + + lc = readl(FSB_BASE_ADDR + 0x41c); + lc &= 0x3ff; + + display_life_cycle(lc); + + ret = ahab_get_events(events, &cnt, NULL); + if (ret) { + printf("Get ELE EVENTS error %d\n", ret); + return CMD_RET_FAILURE; + } + + if (!cnt) { + puts("\n\tNo Events Found!\n"); + return 0; + } + + for (i = 0; i < cnt; i++) + display_event(events[i]); + + return 0; +} + +U_BOOT_CMD(auth_cntr, CONFIG_SYS_MAXARGS, 1, do_authenticate, + "autenticate OS container via AHAB", + "addr\n" + "addr - OS container hex address\n" +); + +U_BOOT_CMD(ahab_close, CONFIG_SYS_MAXARGS, 1, do_ahab_close, + "Change AHAB lifecycle to OEM closed", + "" +); + +U_BOOT_CMD(ahab_dump, CONFIG_SYS_MAXARGS, 1, do_ahab_dump, + "Dump AHAB log for debug", + "" +); + +U_BOOT_CMD(ahab_status, CONFIG_SYS_MAXARGS, 1, do_ahab_status, + "display AHAB lifecycle only", + "" +); diff --git a/arch/arm/mach-imx/imx8ulp/ahab.c b/arch/arm/mach-imx/imx8ulp/ahab.c deleted file mode 100644 index 87c4c66a08..0000000000 --- a/arch/arm/mach-imx/imx8ulp/ahab.c +++ /dev/null @@ -1,345 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ -/* - * Copyright 2020 NXP - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -DECLARE_GLOBAL_DATA_PTR; - -#define IMG_CONTAINER_BASE (0x22010000UL) -#define IMG_CONTAINER_END_BASE (IMG_CONTAINER_BASE + 0xFFFFUL) - -#define AHAB_NO_AUTHENTICATION_IND 0xee -#define AHAB_BAD_KEY_HASH_IND 0xfa -#define AHAB_INVALID_KEY_IND 0xf9 -#define AHAB_BAD_SIGNATURE_IND 0xf0 -#define AHAB_BAD_HASH_IND 0xf1 - -static void display_ahab_auth_ind(u32 event) -{ - u8 resp_ind = (event >> 8) & 0xff; - - switch (resp_ind) { - case AHAB_NO_AUTHENTICATION_IND: - printf("AHAB_NO_AUTHENTICATION_IND (0x%02X)\n\n", resp_ind); - break; - case AHAB_BAD_KEY_HASH_IND: - printf("AHAB_BAD_KEY_HASH_IND (0x%02X)\n\n", resp_ind); - break; - case AHAB_INVALID_KEY_IND: - printf("AHAB_INVALID_KEY_IND (0x%02X)\n\n", resp_ind); - break; - case AHAB_BAD_SIGNATURE_IND: - printf("AHAB_BAD_SIGNATURE_IND (0x%02X)\n\n", resp_ind); - break; - case AHAB_BAD_HASH_IND: - printf("AHAB_BAD_HASH_IND (0x%02X)\n\n", resp_ind); - break; - default: - printf("Unknown Indicator (0x%02X)\n\n", resp_ind); - break; - } -} - -int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length) -{ - int err; - u32 resp; - - memcpy((void *)IMG_CONTAINER_BASE, (const void *)container, - ALIGN(length, CONFIG_SYS_CACHELINE_SIZE)); - - flush_dcache_range(IMG_CONTAINER_BASE, - IMG_CONTAINER_BASE + ALIGN(length, CONFIG_SYS_CACHELINE_SIZE) - 1); - - err = ahab_auth_oem_ctnr(IMG_CONTAINER_BASE, &resp); - if (err) { - printf("Authenticate container hdr failed, return %d, resp 0x%x\n", - err, resp); - display_ahab_auth_ind(resp); - } - - return err; -} - -int ahab_auth_release(void) -{ - int err; - u32 resp; - - err = ahab_release_container(&resp); - if (err) { - printf("Error: release container failed, resp 0x%x!\n", resp); - display_ahab_auth_ind(resp); - } - - return err; -} - -int ahab_verify_cntr_image(struct boot_img_t *img, int image_index) -{ - int err; - u32 resp; - - err = ahab_verify_image(image_index, &resp); - if (err) { - printf("Authenticate img %d failed, return %d, resp 0x%x\n", - image_index, err, resp); - display_ahab_auth_ind(resp); - return -EIO; - } - - return 0; -} - -static inline bool check_in_dram(ulong addr) -{ - int i; - struct bd_info *bd = gd->bd; - - for (i = 0; i < CONFIG_NR_DRAM_BANKS; ++i) { - if (bd->bi_dram[i].size) { - if (addr >= bd->bi_dram[i].start && - addr < (bd->bi_dram[i].start + bd->bi_dram[i].size)) - return true; - } - } - - return false; -} - -int authenticate_os_container(ulong addr) -{ - struct container_hdr *phdr; - int i, ret = 0; - int err; - u16 length; - struct boot_img_t *img; - unsigned long s, e; - - if (addr % 4) { - puts("Error: Image's address is not 4 byte aligned\n"); - return -EINVAL; - } - - if (!check_in_dram(addr)) { - puts("Error: Image's address is invalid\n"); - return -EINVAL; - } - - phdr = (struct container_hdr *)addr; - if (phdr->tag != 0x87 || phdr->version != 0x0) { - printf("Error: Wrong container header\n"); - return -EFAULT; - } - - if (!phdr->num_images) { - printf("Error: Wrong container, no image found\n"); - return -EFAULT; - } - - length = phdr->length_lsb + (phdr->length_msb << 8); - - debug("container length %u\n", length); - - err = ahab_auth_cntr_hdr(phdr, length); - if (err) { - ret = -EIO; - goto exit; - } - - debug("Verify images\n"); - - /* Copy images to dest address */ - for (i = 0; i < phdr->num_images; i++) { - img = (struct boot_img_t *)(addr + - sizeof(struct container_hdr) + - i * sizeof(struct boot_img_t)); - - debug("img %d, dst 0x%x, src 0x%lx, size 0x%x\n", - i, (uint32_t)img->dst, img->offset + addr, img->size); - - memcpy((void *)img->dst, (const void *)(img->offset + addr), img->size); - - s = img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1); - e = ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1; - - flush_dcache_range(s, e); - - ret = ahab_verify_cntr_image(img, i); - if (ret) - goto exit; - } - -exit: - debug("ahab_auth_release, 0x%x\n", ret); - ahab_auth_release(); - - return ret; -} - -static int do_authenticate(struct cmd_tbl *cmdtp, int flag, int argc, - char *const argv[]) -{ - ulong addr; - - if (argc < 2) - return CMD_RET_USAGE; - - addr = simple_strtoul(argv[1], NULL, 16); - - printf("Authenticate OS container at 0x%lx\n", addr); - - if (authenticate_os_container(addr)) - return CMD_RET_FAILURE; - - return CMD_RET_SUCCESS; -} - -static void display_life_cycle(u32 lc) -{ - printf("Lifecycle: 0x%08X, ", lc); - switch (lc) { - case 0x1: - printf("BLANK\n\n"); - break; - case 0x2: - printf("FAB\n\n"); - break; - case 0x4: - printf("NXP Provisioned\n\n"); - break; - case 0x8: - printf("OEM Open\n\n"); - break; - case 0x10: - printf("OEM Secure World Closed\n\n"); - break; - case 0x20: - printf("OEM closed\n\n"); - break; - case 0x40: - printf("Field Return OEM\n\n"); - break; - case 0x80: - printf("Field Return NXP\n\n"); - break; - case 0x100: - printf("OEM Locked\n\n"); - break; - case 0x200: - printf("BRICKED\n\n"); - break; - default: - printf("Unknown\n\n"); - break; - } -} - -static int confirm_close(void) -{ - puts("Warning: Please ensure your sample is in NXP closed state, " - "OEM SRK hash has been fused, \n" - " and you are able to boot a signed image successfully " - "without any SECO events reported.\n" - " If not, your sample will be unrecoverable.\n" - "\nReally perform this operation? \n"); - - if (confirm_yesno()) - return 1; - - puts("Ahab close aborted\n"); - return 0; -} - -static int do_ahab_close(struct cmd_tbl *cmdtp, int flag, int argc, - char *const argv[]) -{ - int err; - u32 resp; - - if (!confirm_close()) - return -EACCES; - - err = ahab_forward_lifecycle(8, &resp); - if (err != 0) { - printf("Error in forward lifecycle to OEM closed\n"); - return -EIO; - } - - printf("Change to OEM closed successfully\n"); - - return 0; -} - -int ahab_dump(void) -{ - u32 buffer[32]; - int ret, i = 0; - - do { - ret = ahab_dump_buffer(buffer, 32); - if (ret < 0) { - printf("Error in dump AHAB log\n"); - return -EIO; - } - - if (ret == 1) - break; - - for (i = 0; i < ret; i++) - printf("0x%x\n", buffer[i]); - } while (ret >= 21); - - return 0; -} - -static int do_ahab_dump(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) -{ - return ahab_dump(); -} - -static int do_ahab_status(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) -{ - u32 lc; - - lc = readl(FSB_BASE_ADDR + 0x41c); - lc &= 0x3f; - - display_life_cycle(lc); - return 0; -} - -U_BOOT_CMD(auth_cntr, CONFIG_SYS_MAXARGS, 1, do_authenticate, - "autenticate OS container via AHAB", - "addr\n" - "addr - OS container hex address\n" -); - -U_BOOT_CMD(ahab_close, CONFIG_SYS_MAXARGS, 1, do_ahab_close, - "Change AHAB lifecycle to OEM closed", - "" -); - -U_BOOT_CMD(ahab_dump, CONFIG_SYS_MAXARGS, 1, do_ahab_dump, - "Dump AHAB log for debug", - "" -); - -U_BOOT_CMD(ahab_status, CONFIG_SYS_MAXARGS, 1, do_ahab_status, - "display AHAB lifecycle only", - "" -); diff --git a/arch/arm/mach-imx/imx9/Makefile b/arch/arm/mach-imx/imx9/Makefile index 6d038a60c6..e1b09ab534 100644 --- a/arch/arm/mach-imx/imx9/Makefile +++ b/arch/arm/mach-imx/imx9/Makefile @@ -4,7 +4,6 @@ obj-y += lowlevel_init.o obj-y += soc.o clock.o clock_root.o trdc.o -obj-$(CONFIG_AHAB_BOOT) += ahab.o #ifndef CONFIG_SPL_BUILD obj-y += imx_bootaux.o diff --git a/arch/arm/mach-imx/imx9/ahab.c b/arch/arm/mach-imx/imx9/ahab.c deleted file mode 100644 index ac69975fc7..0000000000 --- a/arch/arm/mach-imx/imx9/ahab.c +++ /dev/null @@ -1,580 +0,0 @@ -// SPDX-License-Identifier: GPL-2.0+ -/* - * Copyright 2022 NXP - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -DECLARE_GLOBAL_DATA_PTR; - -#define IMG_CONTAINER_BASE (0x80000000UL) -#define IMG_CONTAINER_END_BASE (IMG_CONTAINER_BASE + 0xFFFFUL) - -#define AHAB_MAX_EVENTS 8 - -static char *ele_ipc_str[] = { - "IPC = MU RTD (0x1)\n", - "IPC = MU APD (0x2)\n", - "IPC = INVALID\n", - NULL -}; - -static char *ele_status_str[] = { - "STA = ELE_SUCCESS_IND (0xD6)\n", - "STA = ELE_FAILURE_IND (0x29)\n", - "STA = INVALID\n", - NULL -}; - -static char *ele_cmd_str[] = { - "CMD = ELE_PING_REQ (0x01)\n", - "CMD = ELE_FW_AUTH_REQ (0x02)\n", - "CMD = ELE_RESTART_RST_TIMER_REQ (0x04)\n", - "CMD = ELE_DUMP_DEBUG_BUFFER_REQ (0x21)\n", - "CMD = ELE_OEM_CNTN_AUTH_REQ (0x87)\n", - "CMD = ELE_VERIFY_IMAGE_REQ (0x88)\n", - "CMD = ELE_RELEASE_CONTAINER_REQ (0x89)\n", - "CMD = ELE_WRITE_SECURE_FUSE_REQ (0x91)\n", - "CMD = ELE_FWD_LIFECYCLE_UP_REQ (0x95)\n", - "CMD = ELE_READ_FUSE_REQ (0x97)\n", - "CMD = ELE_GET_FW_VERSION_REQ (0x9D)\n", - "CMD = ELE_RET_LIFECYCLE_UP_REQ (0xA0)\n", - "CMD = ELE_GET_EVENTS_REQ (0xA2)\n", - "CMD = ELE_ENABLE_PATCH_REQ (0xC3)\n", - "CMD = ELE_RELEASE_RDC_REQ (0xC4)\n", - "CMD = ELE_GET_FW_STATUS_REQ (0xC5)\n", - "CMD = ELE_ENABLE_OTFAD_REQ (0xC6)\n", - "CMD = ELE_RESET_REQ (0xC7)\n", - "CMD = ELE_UPDATE_OTP_CLKDIV_REQ (0xD0)\n", - "CMD = ELE_POWER_DOWN_REQ (0xD1)\n", - "CMD = ELE_ENABLE_APC_REQ (0xD2)\n", - "CMD = ELE_ENABLE_RTC_REQ (0xD3)\n", - "CMD = ELE_DEEP_POWER_DOWN_REQ (0xD4)\n", - "CMD = ELE_STOP_RST_TIMER_REQ (0xD5)\n", - "CMD = ELE_WRITE_FUSE_REQ (0xD6)\n", - "CMD = ELE_RELEASE_CAAM_REQ (0xD7)\n", - "CMD = ELE_RESET_A35_CTX_REQ (0xD8)\n", - "CMD = ELE_MOVE_TO_UNSECURED_REQ (0xD9)\n", - "CMD = ELE_GET_INFO_REQ (0xDA)\n", - "CMD = ELE_ATTEST_REQ (0xDB)\n", - "CMD = ELE_RELEASE_PATCH_REQ (0xDC)\n", - "CMD = ELE_OTP_SEQ_SWITH_REQ (0xDD)\n", - "CMD = INVALID\n", - NULL -}; - -static char *ele_ind_str[] = { - "IND = ELE_ROM_PING_FAILURE_IND (0x0A)\n", - "IND = ELE_FW_PING_FAILURE_IND (0x1A)\n", - "IND = ELE_BAD_SIGNATURE_FAILURE_IND (0xF0)\n", - "IND = ELE_BAD_HASH_FAILURE_IND (0xF1)\n", - "IND = ELE_INVALID_LIFECYCLE_IND (0xF2)\n", - "IND = ELE_PERMISSION_DENIED_FAILURE_IND (0xF3)\n", - "IND = ELE_INVALID_MESSAGE_FAILURE_IND (0xF4)\n", - "IND = ELE_BAD_VALUE_FAILURE_IND (0xF5)\n", - "IND = ELE_BAD_FUSE_ID_FAILURE_IND (0xF6)\n", - "IND = ELE_BAD_CONTAINER_FAILURE_IND (0xF7)\n", - "IND = ELE_BAD_VERSION_FAILURE_IND (0xF8)\n", - "IND = ELE_INVALID_KEY_FAILURE_IND (0xF9)\n", - "IND = ELE_BAD_KEY_HASH_FAILURE_IND (0xFA)\n", - "IND = ELE_NO_VALID_CONTAINER_FAILURE_IND (0xFB)\n", - "IND = ELE_BAD_CERTIFICATE_FAILURE_IND (0xFC)\n", - "IND = ELE_BAD_UID_FAILURE_IND (0xFD)\n", - "IND = ELE_BAD_MONOTONIC_COUNTER_FAILURE_IND (0xFE)\n", - "IND = ELE_MUST_SIGNED_FAILURE_IND (0xE0)\n", - "IND = ELE_NO_AUTHENTICATION_FAILURE_IND (0xEE)\n", - "IND = ELE_BAD_SRK_SET_FAILURE_IND (0xEF)\n", - "IND = ELE_UNALIGNED_PAYLOAD_FAILURE_IND (0xA6)\n", - "IND = ELE_WRONG_SIZE_FAILURE_IND (0xA7)\n", - "IND = ELE_ENCRYPTION_FAILURE_IND (0xA8)\n", - "IND = ELE_DECRYPTION_FAILURE_IND (0xA9)\n", - "IND = ELE_OTP_PROGFAIL_FAILURE_IND (0xAA)\n", - "IND = ELE_OTP_LOCKED_FAILURE_IND (0xAB)\n", - "IND = ELE_OTP_INVALID_IDX_FAILURE_IND (0xAD)\n", - "IND = ELE_TIME_OUT_FAILURE_IND (0xB0)\n", - "IND = ELE_BAD_PAYLOAD_FAILURE_IND (0xB1)\n", - "IND = ELE_WRONG_ADDRESS_FAILURE_IND (0xB4)\n", - "IND = ELE_DMA_FAILURE_IND (0xB5)\n", - "IND = ELE_DISABLED_FEATURE_FAILURE_IND (0xB6)\n", - "IND = ELE_MUST_ATTEST_FAILURE_IND (0xB7)\n", - "IND = ELE_RNG_NOT_STARTED_FAILURE_IND (0xB8)\n", - "IND = ELE_CRC_ERROR_IND (0xB9)\n", - "IND = ELE_AUTH_SKIPPED_OR_FAILED_FAILURE_IND (0xBB)\n", - "IND = ELE_INCONSISTENT_PAR_FAILURE_IND (0xBC)\n", - "IND = ELE_RNG_INST_FAILURE_FAILURE_IND (0xBD)\n", - "IND = ELE_LOCKED_REG_FAILURE_IND (0xBE)\n", - "IND = ELE_BAD_ID_FAILURE_IND (0xBF)\n", - "IND = ELE_INVALID_OPERATION_FAILURE_IND (0xC0)\n", - "IND = ELE_NON_SECURE_STATE_FAILURE_IND (0xC1)\n", - "IND = ELE_MSG_TRUNCATED_IND (0xC2)\n", - "IND = ELE_BAD_IMAGE_NUM_FAILURE_IND (0xC3)\n", - "IND = ELE_BAD_IMAGE_ADDR_FAILURE_IND (0xC4)\n", - "IND = ELE_BAD_IMAGE_PARAM_FAILURE_IND (0xC5)\n", - "IND = ELE_BAD_IMAGE_TYPE_FAILURE_IND (0xC6)\n", - "IND = ELE_CORRUPTED_SRK_FAILURE_IND (0xD0)\n", - "IND = ELE_OUT_OF_MEMORY_IND (0xD1)\n", - "IND = ELE_CSTM_FAILURE_IND (0xCF)\n", - "IND = ELE_OLD_VERSION_FAILURE_IND (0xCE)\n", - "IND = ELE_WRONG_BOOT_MODE_FAILURE_IND (0xCD)\n", - "IND = ELE_APC_ALREADY_ENABLED_FAILURE_IND (0xCB)\n", - "IND = ELE_RTC_ALREADY_ENABLED_FAILURE_IND (0xCC)\n", - "IND = ELE_ABORT_IND (0xFF)\n", - "IND = INVALID\n", - NULL -}; - -static u8 ele_cmd[] = { - ELE_PING_REQ, - ELE_FW_AUTH_REQ, - ELE_RESTART_RST_TIMER_REQ, - ELE_DUMP_DEBUG_BUFFER_REQ, - ELE_OEM_CNTN_AUTH_REQ, - ELE_VERIFY_IMAGE_REQ, - ELE_RELEASE_CONTAINER_REQ, - ELE_WRITE_SECURE_FUSE_REQ, - ELE_FWD_LIFECYCLE_UP_REQ, - ELE_READ_FUSE_REQ, - ELE_GET_FW_VERSION_REQ, - ELE_RET_LIFECYCLE_UP_REQ, - ELE_GET_EVENTS_REQ, - ELE_ENABLE_PATCH_REQ, - ELE_RELEASE_RDC_REQ, - ELE_GET_FW_STATUS_REQ, - ELE_ENABLE_OTFAD_REQ, - ELE_RESET_REQ, - ELE_UPDATE_OTP_CLKDIV_REQ, - ELE_POWER_DOWN_REQ, - ELE_ENABLE_APC_REQ, - ELE_ENABLE_RTC_REQ, - ELE_DEEP_POWER_DOWN_REQ, - ELE_STOP_RST_TIMER_REQ, - ELE_WRITE_FUSE_REQ, - ELE_RELEASE_CAAM_REQ, - ELE_RESET_A35_CTX_REQ, - ELE_MOVE_TO_UNSECURED_REQ, - ELE_GET_INFO_REQ, - ELE_ATTEST_REQ, - ELE_RELEASE_PATCH_REQ, - ELE_OTP_SEQ_SWITH_REQ -}; - -static u8 ele_ind[] = { - ELE_ROM_PING_FAILURE_IND, - ELE_FW_PING_FAILURE_IND, - ELE_BAD_SIGNATURE_FAILURE_IND, - ELE_BAD_HASH_FAILURE_IND, - ELE_INVALID_LIFECYCLE_IND, - ELE_PERMISSION_DENIED_FAILURE_IND, - ELE_INVALID_MESSAGE_FAILURE_IND, - ELE_BAD_VALUE_FAILURE_IND, - ELE_BAD_FUSE_ID_FAILURE_IND, - ELE_BAD_CONTAINER_FAILURE_IND, - ELE_BAD_VERSION_FAILURE_IND, - ELE_INVALID_KEY_FAILURE_IND, - ELE_BAD_KEY_HASH_FAILURE_IND, - ELE_NO_VALID_CONTAINER_FAILURE_IND, - ELE_BAD_CERTIFICATE_FAILURE_IND, - ELE_BAD_UID_FAILURE_IND, - ELE_BAD_MONOTONIC_COUNTER_FAILURE_IND, - ELE_MUST_SIGNED_FAILURE_IND, - ELE_NO_AUTHENTICATION_FAILURE_IND, - ELE_BAD_SRK_SET_FAILURE_IND, - ELE_UNALIGNED_PAYLOAD_FAILURE_IND, - ELE_WRONG_SIZE_FAILURE_IND, - ELE_ENCRYPTION_FAILURE_IND, - ELE_DECRYPTION_FAILURE_IND, - ELE_OTP_PROGFAIL_FAILURE_IND, - ELE_OTP_LOCKED_FAILURE_IND, - ELE_OTP_INVALID_IDX_FAILURE_IND, - ELE_TIME_OUT_FAILURE_IND, - ELE_BAD_PAYLOAD_FAILURE_IND, - ELE_WRONG_ADDRESS_FAILURE_IND, - ELE_DMA_FAILURE_IND, - ELE_DISABLED_FEATURE_FAILURE_IND, - ELE_MUST_ATTEST_FAILURE_IND, - ELE_RNG_NOT_STARTED_FAILURE_IND, - ELE_CRC_ERROR_IND, - ELE_AUTH_SKIPPED_OR_FAILED_FAILURE_IND, - ELE_INCONSISTENT_PAR_FAILURE_IND, - ELE_RNG_INST_FAILURE_FAILURE_IND, - ELE_LOCKED_REG_FAILURE_IND, - ELE_BAD_ID_FAILURE_IND, - ELE_INVALID_OPERATION_FAILURE_IND, - ELE_NON_SECURE_STATE_FAILURE_IND, - ELE_MSG_TRUNCATED_IND, - ELE_BAD_IMAGE_NUM_FAILURE_IND, - ELE_BAD_IMAGE_ADDR_FAILURE_IND, - ELE_BAD_IMAGE_PARAM_FAILURE_IND, - ELE_BAD_IMAGE_TYPE_FAILURE_IND, - ELE_CORRUPTED_SRK_FAILURE_IND, - ELE_OUT_OF_MEMORY_IND, - ELE_CSTM_FAILURE_IND, - ELE_OLD_VERSION_FAILURE_IND, - ELE_WRONG_BOOT_MODE_FAILURE_IND, - ELE_APC_ALREADY_ENABLED_FAILURE_IND, - ELE_RTC_ALREADY_ENABLED_FAILURE_IND, - ELE_ABORT_IND -}; - -static u8 ele_ipc[] = { - ELE_IPC_MU_RTD, - ELE_IPC_MU_APD -}; - -static u8 ele_status[] = { - ELE_SUCCESS_IND, - ELE_FAILURE_IND -}; - -static inline u32 get_idx(u8 *list, u8 tgt, u32 size) -{ - u32 i; - - for (i = 0; i < size; i++) { - if (list[i] == tgt) - return i; - } - - return i; /* last str is invalid */ -} - -static void display_ahab_auth_ind(u32 event) -{ - u8 resp_ind = (event >> 8) & 0xff; - - printf("%s\n", ele_ind_str[get_idx(ele_ind, resp_ind, ARRAY_SIZE(ele_ind))]); -} - -int ahab_auth_cntr_hdr(struct container_hdr *container, u16 length) -{ - int err; - u32 resp; - - memcpy((void *)IMG_CONTAINER_BASE, (const void *)container, - ALIGN(length, CONFIG_SYS_CACHELINE_SIZE)); - - flush_dcache_range(IMG_CONTAINER_BASE, - IMG_CONTAINER_BASE + ALIGN(length, CONFIG_SYS_CACHELINE_SIZE) - 1); - - err = ahab_auth_oem_ctnr(IMG_CONTAINER_BASE, &resp); - if (err) { - printf("Authenticate container hdr failed, return %d, resp 0x%x\n", - err, resp); - display_ahab_auth_ind(resp); - } - - return err; -} - -int ahab_auth_release(void) -{ - int err; - u32 resp; - - err = ahab_release_container(&resp); - if (err) { - printf("Error: release container failed, resp 0x%x!\n", resp); - display_ahab_auth_ind(resp); - } - - return err; -} - -int ahab_verify_cntr_image(struct boot_img_t *img, int image_index) -{ - int err; - u32 resp; - - err = ahab_verify_image(image_index, &resp); - if (err) { - printf("Authenticate img %d failed, return %d, resp 0x%x\n", - image_index, err, resp); - display_ahab_auth_ind(resp); - - return -EIO; - } - - return 0; -} - -static inline bool check_in_dram(ulong addr) -{ - int i; - struct bd_info *bd = gd->bd; - - for (i = 0; i < CONFIG_NR_DRAM_BANKS; ++i) { - if (bd->bi_dram[i].size) { - if (addr >= bd->bi_dram[i].start && - addr < (bd->bi_dram[i].start + bd->bi_dram[i].size)) - return true; - } - } - - return false; -} - -int authenticate_os_container(ulong addr) -{ - struct container_hdr *phdr; - int i, ret = 0; - int err; - u16 length; - struct boot_img_t *img; - unsigned long s, e; - - if (addr % 4) { - puts("Error: Image's address is not 4 byte aligned\n"); - return -EINVAL; - } - - if (!check_in_dram(addr)) { - puts("Error: Image's address is invalid\n"); - return -EINVAL; - } - - phdr = (struct container_hdr *)addr; - if (phdr->tag != 0x87 || phdr->version != 0x0) { - printf("Error: Wrong container header\n"); - return -EFAULT; - } - - if (!phdr->num_images) { - printf("Error: Wrong container, no image found\n"); - return -EFAULT; - } - - length = phdr->length_lsb + (phdr->length_msb << 8); - - debug("container length %u\n", length); - - err = ahab_auth_cntr_hdr(phdr, length); - if (err) { - ret = -EIO; - goto exit; - } - - debug("Verify images\n"); - - /* Copy images to dest address */ - for (i = 0; i < phdr->num_images; i++) { - img = (struct boot_img_t *)(addr + - sizeof(struct container_hdr) + - i * sizeof(struct boot_img_t)); - - debug("img %d, dst 0x%x, src 0x%lx, size 0x%x\n", - i, (uint32_t)img->dst, img->offset + addr, img->size); - - memcpy((void *)img->dst, (const void *)(img->offset + addr), - img->size); - - s = img->dst & ~(CONFIG_SYS_CACHELINE_SIZE - 1); - e = ALIGN(img->dst + img->size, CONFIG_SYS_CACHELINE_SIZE) - 1; - - flush_dcache_range(s, e); - - ret = ahab_verify_cntr_image(img, i); - if (ret) - goto exit; - } - -exit: - debug("ahab_auth_release, 0x%x\n", ret); - ahab_auth_release(); - - return ret; -} - -static int do_authenticate(struct cmd_tbl *cmdtp, int flag, int argc, - char *const argv[]) -{ - ulong addr; - - if (argc < 2) - return CMD_RET_USAGE; - - addr = simple_strtoul(argv[1], NULL, 16); - - printf("Authenticate OS container at 0x%lx\n", addr); - - if (authenticate_os_container(addr)) - return CMD_RET_FAILURE; - - return CMD_RET_SUCCESS; -} - -static void display_life_cycle(u32 lc) -{ - printf("Lifecycle: 0x%08X, ", lc); - switch (lc) { - case 0x1: - printf("BLANK\n\n"); - break; - case 0x2: - printf("FAB\n\n"); - break; - case 0x4: - printf("NXP Provisioned\n\n"); - break; - case 0x8: - printf("OEM Open\n\n"); - break; - case 0x10: - printf("OEM Secure World Closed\n\n"); - break; - case 0x20: - printf("OEM closed\n\n"); - break; - case 0x40: - printf("Field Return OEM\n\n"); - break; - case 0x80: - printf("Field Return NXP\n\n"); - break; - case 0x100: - printf("OEM Locked\n\n"); - break; - case 0x200: - printf("BRICKED\n\n"); - break; - default: - printf("Unknown\n\n"); - break; - } -} - -static int confirm_close(void) -{ - puts("Warning: Please ensure your sample is in NXP closed state, " - "OEM SRK hash has been fused, \n" - " and you are able to boot a signed image successfully " - "without any SECO events reported.\n" - " If not, your sample will be unrecoverable.\n" - "\nReally perform this operation? \n"); - - if (confirm_yesno()) - return 1; - - puts("Ahab close aborted\n"); - return 0; -} - -static int do_ahab_close(struct cmd_tbl *cmdtp, int flag, int argc, - char *const argv[]) -{ - int err; - u32 resp; - - if (!confirm_close()) - return -EACCES; - - err = ahab_forward_lifecycle(8, &resp); - if (err != 0) { - printf("Error in forward lifecycle to OEM closed\n"); - return -EIO; - } - - printf("Change to OEM closed successfully\n"); - - return 0; -} - -int ahab_dump(void) -{ - u32 buffer[32]; - int ret, i = 0; - - do { - ret = ahab_dump_buffer(buffer, 32); - if (ret < 0) { - printf("Error in dump AHAB log\n"); - return -EIO; - } - - if (ret == 1) - break; - for (i = 0; i < ret; i++) - printf("0x%x\n", buffer[i]); - } while (ret >= 21); - - return 0; -} - -static int do_ahab_dump(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) -{ - return ahab_dump(); -} - -static void display_event(u32 event) -{ - printf("\n\t0x%08x\n", event); - printf("\t%s", ele_ipc_str[get_idx(ele_ipc, - (event >> 24) & 0xFF, ARRAY_SIZE(ele_ipc))]); - printf("\t%s", ele_cmd_str[get_idx(ele_cmd, - (event >> 16) & 0xFF, ARRAY_SIZE(ele_cmd))]); - printf("\t%s", ele_ind_str[get_idx(ele_ind, - (event >> 8) & 0xFF, ARRAY_SIZE(ele_ind))]); - printf("\t%s", ele_status_str[get_idx(ele_status, - event & 0xFF, ARRAY_SIZE(ele_status))]); -} - -static int do_ahab_status(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) -{ - u32 lc, i; - u32 events[AHAB_MAX_EVENTS]; - u32 cnt = AHAB_MAX_EVENTS; - int ret; - - lc = readl(FSB_BASE_ADDR + 0x41c); - lc &= 0x3ff; - - display_life_cycle(lc); - - ret = ahab_get_events(events, &cnt, NULL); - if (ret) { - printf("Get ELE EVENTS error %d\n", ret); - return CMD_RET_FAILURE; - } - - if (!cnt) { - puts("\n\tNo Events Found!\n"); - return 0; - } - - for (i = 0; i < cnt; i++) - display_event(events[i]); - - return 0; -} - -U_BOOT_CMD(auth_cntr, CONFIG_SYS_MAXARGS, 1, do_authenticate, - "autenticate OS container via AHAB", - "addr\n" - "addr - OS container hex address\n" -); - -U_BOOT_CMD(ahab_close, CONFIG_SYS_MAXARGS, 1, do_ahab_close, - "Change AHAB lifecycle to OEM closed", - "" -); - -U_BOOT_CMD(ahab_dump, CONFIG_SYS_MAXARGS, 1, do_ahab_dump, - "Dump AHAB log for debug", - "" -); - -U_BOOT_CMD(ahab_status, CONFIG_SYS_MAXARGS, 1, do_ahab_status, - "display AHAB lifecycle only", - "" -);