author | Mingyen Hung <mingyen.hung@amlogic.com> | 2019-10-18 02:33:14 (GMT) |
---|---|---|
committer | Tellen Yu <tellen.yu@amlogic.com> | 2019-12-13 07:45:26 (GMT) |
commit | ca7f1df4c9ac9122bb8422ede1ba08e7663440a5 (patch) | |
tree | 363462a1d4a6bfef9443993e20fd3dc0566c4a0b | |
parent | 220c358f4daa7b01662237f41cc974e2aa1b2848 (diff) | |
download | uboot-ca7f1df4c9ac9122bb8422ede1ba08e7663440a5.zip uboot-ca7f1df4c9ac9122bb8422ede1ba08e7663440a5.tar.gz uboot-ca7f1df4c9ac9122bb8422ede1ba08e7663440a5.tar.bz2 |
keymaster 4: Reroute keymaster boot params [2/5]
PD#SWPL-15144
Problem:
Reroute keymaster boot parameters through bootloader
Solution:
1. Send and store boot parameters into bl31 after finishing avb
verification.
2. Don't append boot_key_hash to kernel arguments, because
new mechanism will retrieve boot parameters from bl31 by
keymaster TA.
3. Current platforms which support this function are:
g12a, g12b, gxl, tl1, tm2, txlx
4. For platforms which don't support this function,
a fake function is implemented for compilation.
Verify:
Android Q + Franklin, Marconi, Dalton, Newton
Change-Id: I2765117efac5547673f006002c19198036fdc4ce
Signed-off-by: Mingyen Hung <mingyen.hung@amlogic.com>
25 files changed, 364 insertions, 8 deletions
diff --git a/arch/arm/cpu/armv8/axg/bl31_apis.c b/arch/arm/cpu/armv8/axg/bl31_apis.c index 060e62e..7859d06 100644 --- a/arch/arm/cpu/armv8/axg/bl31_apis.c +++ b/arch/arm/cpu/armv8/axg/bl31_apis.c @@ -42,6 +42,13 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + /* Fake function for the reason that set_boot_params is not + * supported for this platform */ + return -1; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/g12a/bl31_apis.c b/arch/arm/cpu/armv8/g12a/bl31_apis.c index d88f8c1..19009af 100644 --- a/arch/arm/cpu/armv8/g12a/bl31_apis.c +++ b/arch/arm/cpu/armv8/g12a/bl31_apis.c @@ -42,6 +42,36 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + const unsigned cmd = SET_BOOT_PARAMS; + + if (!boot_params) + return -1; + + if (!sharemem_input_base) + sharemem_input_base = + get_sharemem_info(GET_SHARE_MEM_INPUT_BASE); + + memcpy((void *)sharemem_input_base, + (const void *)boot_params, sizeof(keymaster_boot_params)); + + asm __volatile__("" : : : "memory"); + register uint64_t x0 asm("x0") = cmd; + register uint64_t x1 asm("x1") = sizeof(keymaster_boot_params); + do { + asm volatile( + __asmeq("%0", "x0") + __asmeq("%1", "x0") + __asmeq("%2", "x1") + "smc #0\n" + : "=r"(x0) + : "r"(x0), "r"(x1)); + } while (0); + + return (!x0)? -1: 0; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/g12b/bl31_apis.c b/arch/arm/cpu/armv8/g12b/bl31_apis.c index 5131591..7c6806c 100644 --- a/arch/arm/cpu/armv8/g12b/bl31_apis.c +++ b/arch/arm/cpu/armv8/g12b/bl31_apis.c @@ -42,6 +42,36 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + const unsigned cmd = SET_BOOT_PARAMS; + + if (!boot_params) + return -1; + + if (!sharemem_input_base) + sharemem_input_base = + get_sharemem_info(GET_SHARE_MEM_INPUT_BASE); + + memcpy((void *)sharemem_input_base, + (const void *)boot_params, sizeof(keymaster_boot_params)); + + asm __volatile__("" : : : "memory"); + register uint64_t x0 asm("x0") = cmd; + register uint64_t x1 asm("x1") = sizeof(keymaster_boot_params); + do { + asm volatile( + __asmeq("%0", "x0") + __asmeq("%1", "x0") + __asmeq("%2", "x1") + "smc #0\n" + : "=r"(x0) + : "r"(x0), "r"(x1)); + } while (0); + + return (!x0)? -1: 0; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/gxb/bl31_apis.c b/arch/arm/cpu/armv8/gxb/bl31_apis.c index 208228c..ca0b09a 100644 --- a/arch/arm/cpu/armv8/gxb/bl31_apis.c +++ b/arch/arm/cpu/armv8/gxb/bl31_apis.c @@ -42,6 +42,13 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + /* Fake function for the reason that set_boot_params is not + * supported for this platform */ + return -1; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/gxl/bl31_apis.c b/arch/arm/cpu/armv8/gxl/bl31_apis.c index 09ea653..4fb74ea 100644 --- a/arch/arm/cpu/armv8/gxl/bl31_apis.c +++ b/arch/arm/cpu/armv8/gxl/bl31_apis.c @@ -42,6 +42,36 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + const unsigned cmd = SET_BOOT_PARAMS; + + if (!boot_params) + return -1; + + if (!sharemem_input_base) + sharemem_input_base = + get_sharemem_info(GET_SHARE_MEM_INPUT_BASE); + + memcpy((void *)sharemem_input_base, + (const void *)boot_params, sizeof(keymaster_boot_params)); + + asm __volatile__("" : : : "memory"); + register uint64_t x0 asm("x0") = cmd; + register uint64_t x1 asm("x1") = sizeof(keymaster_boot_params); + do { + asm volatile( + __asmeq("%0", "x0") + __asmeq("%1", "x0") + __asmeq("%2", "x1") + "smc #0\n" + : "=r"(x0) + : "r"(x0), "r"(x1)); + } while (0); + + return (!x0)? -1: 0; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/gxtvbb/bl31_apis.c b/arch/arm/cpu/armv8/gxtvbb/bl31_apis.c index 3037996..228936a 100644 --- a/arch/arm/cpu/armv8/gxtvbb/bl31_apis.c +++ b/arch/arm/cpu/armv8/gxtvbb/bl31_apis.c @@ -42,6 +42,13 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + /* Fake function for the reason that set_boot_params is not + * supported for this platform */ + return -1; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/tl1/bl31_apis.c b/arch/arm/cpu/armv8/tl1/bl31_apis.c index 0d39f2a..3a9c43c 100644 --- a/arch/arm/cpu/armv8/tl1/bl31_apis.c +++ b/arch/arm/cpu/armv8/tl1/bl31_apis.c @@ -43,6 +43,36 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + const unsigned cmd = SET_BOOT_PARAMS; + + if (!boot_params) + return -1; + + if (!sharemem_input_base) + sharemem_input_base = + get_sharemem_info(GET_SHARE_MEM_INPUT_BASE); + + memcpy((void *)sharemem_input_base, + (const void *)boot_params, sizeof(keymaster_boot_params)); + + asm __volatile__("" : : : "memory"); + register uint64_t x0 asm("x0") = cmd; + register uint64_t x1 asm("x1") = sizeof(keymaster_boot_params); + do { + asm volatile( + __asmeq("%0", "x0") + __asmeq("%1", "x0") + __asmeq("%2", "x1") + "smc #0\n" + : "=r"(x0) + : "r"(x0), "r"(x1)); + } while (0); + + return (!x0)? -1: 0; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/tm2/bl31_apis.c b/arch/arm/cpu/armv8/tm2/bl31_apis.c index 3b35d3f..217200c 100644 --- a/arch/arm/cpu/armv8/tm2/bl31_apis.c +++ b/arch/arm/cpu/armv8/tm2/bl31_apis.c @@ -42,6 +42,36 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + const unsigned cmd = SET_BOOT_PARAMS; + + if (!boot_params) + return -1; + + if (!sharemem_input_base) + sharemem_input_base = + get_sharemem_info(GET_SHARE_MEM_INPUT_BASE); + + memcpy((void *)sharemem_input_base, + (const void *)boot_params, sizeof(keymaster_boot_params)); + + asm __volatile__("" : : : "memory"); + register uint64_t x0 asm("x0") = cmd; + register uint64_t x1 asm("x1") = sizeof(keymaster_boot_params); + do { + asm volatile( + __asmeq("%0", "x0") + __asmeq("%1", "x0") + __asmeq("%2", "x1") + "smc #0\n" + : "=r"(x0) + : "r"(x0), "r"(x1)); + } while (0); + + return (!x0)? -1: 0; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/txhd/bl31_apis.c b/arch/arm/cpu/armv8/txhd/bl31_apis.c index 091034e..7064b52 100644 --- a/arch/arm/cpu/armv8/txhd/bl31_apis.c +++ b/arch/arm/cpu/armv8/txhd/bl31_apis.c @@ -37,6 +37,13 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + /* Fake function for the reason that set_boot_params is not + * supported for this platform */ + return -1; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/txl/bl31_apis.c b/arch/arm/cpu/armv8/txl/bl31_apis.c index 0bd14fc..b3f32e7 100644 --- a/arch/arm/cpu/armv8/txl/bl31_apis.c +++ b/arch/arm/cpu/armv8/txl/bl31_apis.c @@ -42,6 +42,13 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + /* Fake function for the reason that set_boot_params is not + * supported for this platform */ + return -1; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/cpu/armv8/txlx/bl31_apis.c b/arch/arm/cpu/armv8/txlx/bl31_apis.c index 3d4fd92..f534827 100644 --- a/arch/arm/cpu/armv8/txlx/bl31_apis.c +++ b/arch/arm/cpu/armv8/txlx/bl31_apis.c @@ -42,6 +42,36 @@ long get_sharemem_info(unsigned long function_id) return function_id; } +int32_t set_boot_params(const keymaster_boot_params *boot_params) +{ + const unsigned cmd = SET_BOOT_PARAMS; + + if (!boot_params) + return -1; + + if (!sharemem_input_base) + sharemem_input_base = + get_sharemem_info(GET_SHARE_MEM_INPUT_BASE); + + memcpy((void *)sharemem_input_base, + (const void *)boot_params, sizeof(keymaster_boot_params)); + + asm __volatile__("" : : : "memory"); + register uint64_t x0 asm("x0") = cmd; + register uint64_t x1 asm("x1") = sizeof(keymaster_boot_params); + do { + asm volatile( + __asmeq("%0", "x0") + __asmeq("%1", "x0") + __asmeq("%2", "x1") + "smc #0\n" + : "=r"(x0) + : "r"(x0), "r"(x1)); + } while (0); + + return (!x0)? -1: 0; +} + #ifdef CONFIG_EFUSE int32_t meson_trustzone_efuse(struct efuse_hal_api_arg *arg) { diff --git a/arch/arm/include/asm/arch-axg/bl31_apis.h b/arch/arm/include/asm/arch-axg/bl31_apis.h index fdc1617..21710e4 100644 --- a/arch/arm/include/asm/arch-axg/bl31_apis.h +++ b/arch/arm/include/asm/arch-axg/bl31_apis.h @@ -92,6 +92,15 @@ #define SECURITY_KEY_GET_ENCTYPE 0x8200006B #define SECURITY_KEY_VERSION 0x8200006C +/* KEYMASTER */ +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -146,4 +155,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-g12a/bl31_apis.h b/arch/arm/include/asm/arch-g12a/bl31_apis.h index 9434f3e7..8fb0698 100644 --- a/arch/arm/include/asm/arch-g12a/bl31_apis.h +++ b/arch/arm/include/asm/arch-g12a/bl31_apis.h @@ -94,6 +94,17 @@ /*viu probe en*/ #define VIU_PREOBE_EN 0x82000080 + +/* KEYMASTER */ +#define SET_BOOT_PARAMS 0x82000072 +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -149,4 +160,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); void set_viu_probe_enable(void); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-g12b/bl31_apis.h b/arch/arm/include/asm/arch-g12b/bl31_apis.h index 9434f3e7..8fb0698 100644 --- a/arch/arm/include/asm/arch-g12b/bl31_apis.h +++ b/arch/arm/include/asm/arch-g12b/bl31_apis.h @@ -94,6 +94,17 @@ /*viu probe en*/ #define VIU_PREOBE_EN 0x82000080 + +/* KEYMASTER */ +#define SET_BOOT_PARAMS 0x82000072 +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -149,4 +160,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); void set_viu_probe_enable(void); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-gxb/bl31_apis.h b/arch/arm/include/asm/arch-gxb/bl31_apis.h index 2e54cb8..7f13431 100644 --- a/arch/arm/include/asm/arch-gxb/bl31_apis.h +++ b/arch/arm/include/asm/arch-gxb/bl31_apis.h @@ -81,6 +81,15 @@ #define SECURITY_KEY_GET_ENCTYPE 0x8200006B #define SECURITY_KEY_VERSION 0x8200006C +/* KEYMASTER */ +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -133,4 +142,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-gxl/bl31_apis.h b/arch/arm/include/asm/arch-gxl/bl31_apis.h index acf1bbc..742a8bc 100644 --- a/arch/arm/include/asm/arch-gxl/bl31_apis.h +++ b/arch/arm/include/asm/arch-gxl/bl31_apis.h @@ -82,6 +82,15 @@ #define SECURITY_KEY_GET_ENCTYPE 0x8200006B #define SECURITY_KEY_VERSION 0x8200006C +/* KEYMASTER */ +#define SET_BOOT_PARAMS 0x82000072 +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -137,4 +146,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-gxtvbb/bl31_apis.h b/arch/arm/include/asm/arch-gxtvbb/bl31_apis.h index ac80275..f03f308 100644 --- a/arch/arm/include/asm/arch-gxtvbb/bl31_apis.h +++ b/arch/arm/include/asm/arch-gxtvbb/bl31_apis.h @@ -91,6 +91,15 @@ #define SECURITY_KEY_GET_ENCTYPE 0x8200006B #define SECURITY_KEY_VERSION 0x8200006C +/* KEYMASTER */ +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -143,4 +152,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-tl1/bl31_apis.h b/arch/arm/include/asm/arch-tl1/bl31_apis.h index 9434f3e7..8fb0698 100644 --- a/arch/arm/include/asm/arch-tl1/bl31_apis.h +++ b/arch/arm/include/asm/arch-tl1/bl31_apis.h @@ -94,6 +94,17 @@ /*viu probe en*/ #define VIU_PREOBE_EN 0x82000080 + +/* KEYMASTER */ +#define SET_BOOT_PARAMS 0x82000072 +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -149,4 +160,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); void set_viu_probe_enable(void); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-tm2/bl31_apis.h b/arch/arm/include/asm/arch-tm2/bl31_apis.h index 9434f3e7..8fb0698 100644 --- a/arch/arm/include/asm/arch-tm2/bl31_apis.h +++ b/arch/arm/include/asm/arch-tm2/bl31_apis.h @@ -94,6 +94,17 @@ /*viu probe en*/ #define VIU_PREOBE_EN 0x82000080 + +/* KEYMASTER */ +#define SET_BOOT_PARAMS 0x82000072 +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -149,4 +160,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); void set_viu_probe_enable(void); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-txhd/bl31_apis.h b/arch/arm/include/asm/arch-txhd/bl31_apis.h index 44275b6..66a0613 100644 --- a/arch/arm/include/asm/arch-txhd/bl31_apis.h +++ b/arch/arm/include/asm/arch-txhd/bl31_apis.h @@ -86,6 +86,15 @@ #define SECURITY_KEY_GET_ENCTYPE 0x8200006B #define SECURITY_KEY_VERSION 0x8200006C +/* KEYMASTER */ +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -140,4 +149,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-txl/bl31_apis.h b/arch/arm/include/asm/arch-txl/bl31_apis.h index fdc1617..21710e4 100644 --- a/arch/arm/include/asm/arch-txl/bl31_apis.h +++ b/arch/arm/include/asm/arch-txl/bl31_apis.h @@ -92,6 +92,15 @@ #define SECURITY_KEY_GET_ENCTYPE 0x8200006B #define SECURITY_KEY_VERSION 0x8200006C +/* KEYMASTER */ +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -146,4 +155,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/arch/arm/include/asm/arch-txlx/bl31_apis.h b/arch/arm/include/asm/arch-txlx/bl31_apis.h index fc0b932..8fb0698 100644 --- a/arch/arm/include/asm/arch-txlx/bl31_apis.h +++ b/arch/arm/include/asm/arch-txlx/bl31_apis.h @@ -93,7 +93,18 @@ #define SECURITY_KEY_VERSION 0x8200006C /*viu probe en*/ -#define VIU_PREOBE_EN 0x82000080 +#define VIU_PREOBE_EN 0x82000080 + +/* KEYMASTER */ +#define SET_BOOT_PARAMS 0x82000072 +#define SHA256_DIGEST_SIZE 32 +typedef struct { + uint32_t device_locked; + uint32_t verified_boot_state; + uint8_t verified_boot_key[SHA256_DIGEST_SIZE]; + uint8_t verified_boot_hash[SHA256_DIGEST_SIZE]; +} keymaster_boot_params; + /* Secure HAL APIs */ #define TRUSTZONE_HAL_API_SRAM 0x400 @@ -149,4 +160,5 @@ void aml_system_off(void); void bl31_get_chipid(unsigned int *, unsigned int *, unsigned int *, unsigned int *); void set_viu_probe_enable(void); +int32_t set_boot_params(const keymaster_boot_params*); #endif diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c index ad122d3..c244521 100644 --- a/common/cmd_bootm.c +++ b/common/cmd_bootm.c @@ -235,12 +235,29 @@ int do_bootm(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) if (!bootargs) { bootargs = "\0"; } - if (is_device_unlocked()) - bootstate = bootstate_o; - else - bootstate = bootstate_g; if (out_data) { + keymaster_boot_params boot_params; + const int is_dev_unlocked = is_device_unlocked(); + + boot_params.device_locked = is_dev_unlocked? 0: 1; + if (is_dev_unlocked) { + bootstate = bootstate_o; + boot_params.verified_boot_state = 2; + } + else { + bootstate = bootstate_g; + boot_params.verified_boot_state = 0; + } + memcpy(boot_params.verified_boot_key, out_data->boot_key_hash, + sizeof(boot_params.verified_boot_key)); + memcpy(boot_params.verified_boot_hash, out_data->vbmeta_digest, + sizeof(boot_params.verified_boot_hash)); + + if (set_boot_params(&boot_params) < 0) { + printf("failed to set boot params.\n"); + } + newbootargs = malloc(strlen(bootargs) + strlen(out_data->cmdline) + strlen(bootstate) + 1 + 1 + 1); if (!newbootargs) { printf("failed to allocate buffer for bootarg\n"); diff --git a/include/libavb/avb_slot_verify.h b/include/libavb/avb_slot_verify.h index e8c733c..f6900fd 100644 --- a/include/libavb/avb_slot_verify.h +++ b/include/libavb/avb_slot_verify.h @@ -258,6 +258,7 @@ typedef struct { char* cmdline; uint64_t rollback_indexes[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS]; uint8_t boot_key_hash[AVB_SHA256_DIGEST_SIZE]; + uint8_t vbmeta_digest[AVB_SHA256_DIGEST_SIZE]; } AvbSlotVerifyData; /* Frees a |AvbSlotVerifyData| including all data it points to. */ diff --git a/lib/libavb/avb_cmdline.c b/lib/libavb/avb_cmdline.c index 5831a8e..4af3d91 100644 --- a/lib/libavb/avb_cmdline.c +++ b/lib/libavb/avb_cmdline.c @@ -278,13 +278,16 @@ AvbSlotVerifyResult avb_append_options( slot_data->vbmeta_images[n].vbmeta_size); total_size += slot_data->vbmeta_images[n].vbmeta_size; } + avb_memcpy(slot_data->vbmeta_digest, + avb_sha256_final(&ctx), + AVB_SHA256_DIGEST_SIZE); if (!cmdline_append_option( slot_data, "androidboot.vbmeta.hash_alg", "sha256") || !cmdline_append_uint64_base10( slot_data, "androidboot.vbmeta.size", total_size) || !cmdline_append_hex(slot_data, "androidboot.vbmeta.digest", - avb_sha256_final(&ctx), + slot_data->vbmeta_digest, AVB_SHA256_DIGEST_SIZE)) { ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; goto out; @@ -369,7 +372,7 @@ AvbSlotVerifyResult avb_append_options( ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; goto out; } - +#if 0 if (!cmdline_append_hex(slot_data, "androidboot.vbmeta.bootkey_hash", slot_data->boot_key_hash, @@ -377,7 +380,7 @@ AvbSlotVerifyResult avb_append_options( ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; goto out; } - +#endif ret = AVB_SLOT_VERIFY_RESULT_OK; out: |