Commit e60cfff7 authored by Yu Shan's avatar Yu Shan Committed by Luo Ji

[iot] Support fastboot oem fuse at-perm-attr command

Support the "fastboot oem fuse at-perm-attr" command for
ATX. The perm_attr will be stored in RPMB, which is
managed by Trusty OS.
Modify the permanent_attributes-related AVB ops so that
they support Trusty OS backed RPMB storage.

Change-Id: Id6248570b4294fed3c45270064196bd6b9cf9208
Signed-off-by: default avatarHaoran.Wang <elven.wang@nxp.com>
parent 77742af4
......@@ -2950,7 +2950,7 @@ static int get_single_var(char *cmd, char *response)
if (s) {
strncat(response, s, chars_left);
} else {
sprintf(response,"FAILunknow variable:%s",cmd);
snprintf(response, chars_left, "FAILunknown variable:%s",cmd);
printf("WARNING: unknown variable: %s\n", cmd);
return -1;
}
......@@ -3288,46 +3288,59 @@ static FbLockState do_fastboot_lock(void)
return FASTBOOT_LOCK;
}
static bool endswith(char* s, char* subs) {
if (!s || !subs)
return false;
uint32_t len = strlen(s);
uint32_t sublen = strlen(subs);
if (len < sublen) {
return false;
}
if (strncmp(s + len - sublen, subs, sublen)) {
return false;
}
return true;
}
static void cb_flashing(struct usb_ep *ep, struct usb_request *req)
{
char *cmd = req->buf;
char response[FASTBOOT_RESPONSE_LEN];
unsigned char len = strlen(cmd);
FbLockState status;
FbLockEnableResult result;
#ifdef CONFIG_ANDROID_THINGS_SUPPORT
if (!strncmp(cmd + len - strlen(FASTBOOT_BOOTLOADER_VBOOT_KEY),
FASTBOOT_BOOTLOADER_VBOOT_KEY,
strlen(FASTBOOT_BOOTLOADER_VBOOT_KEY))) {
if (endswith(cmd, "lock_critical")) {
strcpy(response, "OKAY");
} else if (!strncmp(cmd + len - strlen("unlock_critical"),
"unlock_critical", strlen("unlock_critical"))) {
#else
if (!strncmp(cmd + len - strlen("unlock_critical"),
"unlock_critical", strlen("unlock_critical"))) {
#endif
}
#ifdef CONFIG_AVB_ATX
else if (endswith(cmd, FASTBOOT_AVB_AT_PERM_ATTR)) {
if (avb_atx_fuse_perm_attr(interface.transfer_buffer, download_bytes))
strcpy(response, "FAILInternal error!");
else
strcpy(response, "OKAY");
}
#endif /* CONFIG_AVB_ATX */
#ifdef CONFIG_ANDROID_THINGS_SUPPORT
else if (endswith(cmd, FASTBOOT_BOOTLOADER_VBOOT_KEY)) {
strcpy(response, "OKAY");
} else if (!strncmp(cmd + len - strlen("lock_critical"),
"lock_critical", strlen("lock_critical"))) {
}
#endif /* CONFIG_ANDROID_THINGS_SUPPORT */
else if (endswith(cmd, "unlock_critical")) {
strcpy(response, "OKAY");
} else if (!strncmp(cmd + len - strlen("unlock"),
"unlock", strlen("unlock"))) {
} else if (endswith(cmd, "unlock")) {
printf("flashing unlock.\n");
status = do_fastboot_unlock(false);
if (status != FASTBOOT_LOCK_ERROR)
strcpy(response, "OKAY");
else
strcpy(response, "FAIL unlock device failed.");
} else if (!strncmp(cmd + len - strlen("lock"), "lock", strlen("lock"))) {
strcpy(response, "FAILunlock device failed.");
} else if (endswith(cmd, "lock")) {
printf("flashing lock.\n");
status = do_fastboot_lock();
if (status != FASTBOOT_LOCK_ERROR)
strcpy(response, "OKAY");
else
strcpy(response, "FAIL lock device failed.");
} else if (!strncmp(cmd + len - strlen("get_unlock_ability"),
"get_unlock_ability", strlen("get_unlock_ability"))) {
strcpy(response, "FAILlock device failed.");
} else if (endswith(cmd, "get_unlock_ability")) {
result = fastboot_lock_enable();
if (result == FASTBOOT_UL_ENABLE) {
fastboot_tx_write_more("INFO1");
......@@ -3337,16 +3350,16 @@ static void cb_flashing(struct usb_ep *ep, struct usb_request *req)
strcpy(response, "OKAY");
} else {
printf("flashing get_unlock_ability fail!\n");
strcpy(response, "FAIL get unlock ability failed.");
strcpy(response, "FAILget unlock ability failed.");
}
} else {
printf("Unknown flashing command:%s\n", cmd);
strcpy(response, "FAIL command not defined");
strcpy(response, "FAILcommand not defined");
}
fastboot_tx_write_more(response);
}
#endif
#endif /* CONFIG_FASTBOOT_LOCK */
#ifdef CONFIG_FSL_FASTBOOT
#ifdef CONFIG_FASTBOOT_LOCK
......@@ -3388,14 +3401,14 @@ static void cb_flash(struct usb_ep *ep, struct usb_request *req)
if (status == FASTBOOT_LOCK) {
error("device is LOCKed!\n");
strcpy(response, "FAIL device is locked.");
strcpy(response, "FAILdevice is locked.");
fastboot_tx_write_str(response);
return;
} else if (status == FASTBOOT_LOCK_ERROR) {
error("write lock status into device!\n");
fastboot_set_lock_stat(FASTBOOT_LOCK);
strcpy(response, "FAIL device is locked.");
strcpy(response, "FAILdevice is locked.");
fastboot_tx_write_str(response);
return;
}
......@@ -3450,13 +3463,13 @@ static void cb_erase(struct usb_ep *ep, struct usb_request *req)
status = fastboot_get_lock_stat();
if (status == FASTBOOT_LOCK) {
error("device is LOCKed!\n");
strcpy(response, "FAIL device is locked.");
strcpy(response, "FAILdevice is locked.");
fastboot_tx_write_str(response);
return;
} else if (status == FASTBOOT_LOCK_ERROR) {
error("write lock status into device!\n");
fastboot_set_lock_stat(FASTBOOT_LOCK);
strcpy(response, "FAIL device is locked.");
strcpy(response, "FAILdevice is locked.");
fastboot_tx_write_str(response);
return;
}
......@@ -3616,6 +3629,12 @@ static const struct cmd_dispatch_info cmd_dispatch_info[] = {
.cb = cb_run_uboot_acmd,
},
#endif
#ifdef CONFIG_AVB_ATX
{
.cmd = "stage",
.cb = cb_download,
},
#endif
};
static void rx_handler_command(struct usb_ep *ep, struct usb_request *req)
......
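Review bot: The `fuse at-perm-attr` branch added to cb_flashing passes `interface.transfer_buffer` and `download_bytes` straight to `avb_atx_fuse_perm_attr()` with no visible check of the lock state or of whether permanent attributes were already provisioned, whereas cb_flash and cb_erase consult `fastboot_get_lock_stat()` before acting. These attributes anchor ATX verification, so the write path should be gated explicitly; whether the Trusty side refuses a second write cannot be seen from this page. Consider rejecting the command up front, e.g. `if (fastboot_get_lock_stat() == FASTBOOT_LOCK) strcpy(response, "FAILdevice is locked.");` ahead of the call. Only the length of the staged data is checked later, so the buffer may also be left over from an unrelated earlier download. The new `stage` entry in cmd_dispatch_info reuses cb_download and is likewise ungated in the lines shown.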
......@@ -219,4 +219,8 @@ AvbABFlowResult avb_single_flow(AvbABOps* ab_ops,
AvbSlotVerifyFlags flags,
AvbHashtreeErrorMode hashtree_error_mode,
AvbSlotVerifyData** out_data);
/* Program ATX perm_attr into RPMB partition */
int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size);
#endif /* __FSL_AVB_H__ */
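Review bot: The one-line comment above the `avb_atx_fuse_perm_attr` prototype does not state the contract callers rely on. I would expand it to say that `size` must equal `sizeof(AvbAtxPermanentAttributes)`, that the function returns 0 on success and -1 on failure, and that a successful Trusty write is followed by `init_permanent_attributes_fuse()`, so the call is more than an RPMB write. The declaration also appears to be unconditional while the definition sits under `#ifdef CONFIG_AVB_ATX`; the rest of the header is outside the hunk, so confirm, and wrap the prototype in the same guard if that is the case.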
......@@ -81,7 +81,10 @@
#ifdef CONFIG_ANDROID_THINGS_SUPPORT
#define FASTBOOT_BOOTLOADER_VBOOT_KEY "fuse at-bootloader-vboot-key"
#endif
#ifdef CONFIG_AVB_ATX
#define FASTBOOT_AVB_AT_PERM_ATTR "fuse at-perm-attr"
#endif /* CONFIG_AVB_ATX */
#endif /* CONFIG_ANDROID_THINGS_SUPPORT */
enum {
DEV_SATA,
......
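Review bot: As the lines read here, `FASTBOOT_AVB_AT_PERM_ATTR` ends up defined inside the `CONFIG_ANDROID_THINGS_SUPPORT` block, because `#endif /* CONFIG_ANDROID_THINGS_SUPPORT */` now follows the ATX block, while cb_flashing uses the macro under `#ifdef CONFIG_AVB_ATX` alone. A configuration with CONFIG_AVB_ATX set but CONFIG_ANDROID_THINGS_SUPPORT unset would then fail to compile. The rendered page has lost its +/- markers, so this assumes the bare `#endif` after the vboot-key define is the removed line. If so, either move the ATX block outside the Android Things guard or guard the caller with both symbols.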
......@@ -184,12 +184,19 @@ static int sha256(unsigned char* data, int len, unsigned char* output) {
static int permanent_attributes_sha256_hash(unsigned char* output) {
AvbAtxPermanentAttributes attributes;
#ifdef CONFIG_IMX_TRUSTY_OS
if(trusty_read_permanent_attributes((uint8_t *)(&attributes),
sizeof(AvbAtxPermanentAttributes))) {
return RESULT_ERROR;
}
#else
/* get permanent attributes */
attributes.version = fsl_version;
memcpy(attributes.product_root_public_key, fsl_product_root_public_key,
sizeof(fsl_product_root_public_key));
memcpy(attributes.product_id, fsl_atx_product_id,
sizeof(fsl_atx_product_id));
#endif
/* calculate sha256(permanent attributes) hash */
if (sha256((unsigned char *)&attributes, sizeof(AvbAtxPermanentAttributes),
output) == RESULT_ERROR) {
......@@ -221,6 +228,7 @@ static int init_permanent_attributes_fuse(void) {
/* calculate sha256(permanent attributes) */
if (permanent_attributes_sha256_hash(sha256_hash) != RESULT_OK) {
printf("ERROR - calculating permanent attributes SHA256 error!\n");
return RESULT_ERROR;
}
......@@ -236,6 +244,37 @@ static int init_permanent_attributes_fuse(void) {
}
#endif
#ifdef CONFIG_AVB_ATX
int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size) {
if (staged_buffer == NULL) {
ERR("Error. Get null staged_buffer\n");
return -1;
}
if (size != sizeof(AvbAtxPermanentAttributes)) {
ERR("Error. expect perm_attr length %d, but get %d.\n",
sizeof(AvbAtxPermanentAttributes), size);
return -1;
}
#ifdef CONFIG_IMX_TRUSTY_OS
if (trusty_write_permanent_attributes(staged_buffer, size)) {
ERR("Error. Failed to write permanent attributes into secure storage\n");
return -1;
}
else
return init_permanent_attributes_fuse();
#else
/*
* TODO:
* Need to handle this when no Trusty OS support.
* But now every Android Things will have Trusty OS support.
*/
ERR("No Trusty OS enabled in bootloader.\n");
return 0;
#endif
}
#endif
#ifdef AVB_RPMB
static int rpmb_read(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset);
static int rpmb_write(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset);
......@@ -481,7 +520,7 @@ int init_avbkey(void) {
}
if (rpmb_init())
return RESULT_ERROR;
#ifdef CONFIG_AVB_ATX
#if defined(CONFIG_AVB_ATX) && !defined(CONFIG_IMX_TRUSTY_OS)
if (init_permanent_attributes_fuse())
return RESULT_ERROR;
#endif
......@@ -1149,6 +1188,14 @@ fail:
*/
AvbIOResult fsl_read_permanent_attributes(
AvbAtxOps* atx_ops, AvbAtxPermanentAttributes* attributes) {
#ifdef CONFIG_IMX_TRUSTY_OS
if (trusty_read_permanent_attributes((uint8_t *)attributes,
sizeof(AvbAtxPermanentAttributes))) {
ERR("Error. Failed to read permanent attributes from secure storage\n");
return AVB_IO_RESULT_ERROR_IO;
} else
return AVB_IO_RESULT_OK;
#else
/* use hard code permanent attributes due to limited fuse and RPMB */
attributes->version = fsl_version;
memcpy(attributes->product_root_public_key, fsl_product_root_public_key,
......@@ -1157,6 +1204,7 @@ AvbIOResult fsl_read_permanent_attributes(
sizeof(fsl_atx_product_id));
return AVB_IO_RESULT_OK;
#endif /* CONFIG_IMX_TRUSTY_OS */
}
/* Reads a |hash| of permanent attributes. This hash MUST be retrieved from a
......
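Review bot: In avb_atx_fuse_perm_attr the non-Trusty fallback logs "No Trusty OS enabled in bootloader." and then returns 0, so cb_flashing answers OKAY to the host although nothing was stored or fused; that path should end in `return -1;`. The length error message passes `sizeof(AvbAtxPermanentAttributes)` (a size_t) and `size` (a uint32_t) to `%d`; use `%zu` and `%u`, or cast both arguments. Only the buffer length is validated before `trusty_write_permanent_attributes()` and the following `init_permanent_attributes_fuse()`, so a comment should state what content checks, if any, happen before the fuse step. If the fuse step fails after the RPMB write succeeded, the two stores are left inconsistent, and no recovery path is visible in this hunk.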