xref: /openbmc/u-boot/board/xilinx/zynq/cmds.c (revision 9450ab2b)
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * Copyright (C) 2018 Xilinx, Inc.
4  */
5 
6 #include <common.h>
7 #include <asm/io.h>
8 #include <asm/arch/hardware.h>
9 #include <asm/arch/sys_proto.h>
10 #include <malloc.h>
11 #include <u-boot/md5.h>
12 #include <u-boot/rsa.h>
13 #include <u-boot/rsa-mod-exp.h>
14 #include <u-boot/sha256.h>
15 #include <zynqpl.h>
16 #include <fpga.h>
17 #include <zynq_bootimg.h>
18 
19 DECLARE_GLOBAL_DATA_PTR;
20 
21 #ifdef CONFIG_CMD_ZYNQ_RSA
22 
23 #define ZYNQ_EFUSE_RSA_ENABLE_MASK	0x400
24 #define ZYNQ_ATTRIBUTE_PL_IMAGE_MASK		0x20
25 #define ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK	0x7000
26 #define ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK		0x8000
27 #define ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK	0x30000
28 
29 #define ZYNQ_RSA_MODULAR_SIZE			256
30 #define ZYNQ_RSA_MODULAR_EXT_SIZE		256
31 #define ZYNQ_RSA_EXPO_SIZE			64
32 #define ZYNQ_RSA_SPK_SIGNATURE_SIZE		256
33 #define ZYNQ_RSA_PARTITION_SIGNATURE_SIZE	256
34 #define ZYNQ_RSA_SIGNATURE_SIZE			0x6C0
35 #define ZYNQ_RSA_HEADER_SIZE			4
36 #define ZYNQ_RSA_MAGIC_WORD_SIZE		60
37 #define ZYNQ_RSA_PART_OWNER_UBOOT		1
38 #define ZYNQ_RSA_ALIGN_PPK_START		64
39 
40 #define WORD_LENGTH_SHIFT	2
41 
42 static u8 *ppkmodular;
43 static u8 *ppkmodularex;
44 
45 struct zynq_rsa_public_key {
46 	uint len;		/* Length of modulus[] in number of u32 */
47 	u32 n0inv;		/* -1 / modulus[0] mod 2^32 */
48 	u32 *modulus;	/* modulus as little endian array */
49 	u32 *rr;		/* R^2 as little endian array */
50 };
51 
52 static struct zynq_rsa_public_key public_key;
53 
54 static struct partition_hdr part_hdr[ZYNQ_MAX_PARTITION_NUMBER];
55 
56 /*
57  * Extract the primary public key components from already autheticated FSBL
58  */
zynq_extract_ppk(u32 fsbl_len)59 static void zynq_extract_ppk(u32 fsbl_len)
60 {
61 	u32 padsize;
62 	u8 *ppkptr;
63 
64 	debug("%s\n", __func__);
65 
66 	/*
67 	 * Extract the authenticated PPK from OCM i.e at end of the FSBL
68 	 */
69 	ppkptr = (u8 *)(fsbl_len + ZYNQ_OCM_BASEADDR);
70 	padsize = ((u32)ppkptr % ZYNQ_RSA_ALIGN_PPK_START);
71 	if (padsize)
72 		ppkptr += (ZYNQ_RSA_ALIGN_PPK_START - padsize);
73 
74 	ppkptr += ZYNQ_RSA_HEADER_SIZE;
75 
76 	ppkptr += ZYNQ_RSA_MAGIC_WORD_SIZE;
77 
78 	ppkmodular = (u8 *)ppkptr;
79 	ppkptr += ZYNQ_RSA_MODULAR_SIZE;
80 	ppkmodularex = (u8 *)ppkptr;
81 	ppkptr += ZYNQ_RSA_MODULAR_EXT_SIZE;
82 }
83 
84 /*
85  * Calculate the inverse(-1 / modulus[0] mod 2^32 ) for the PPK
86  */
zynq_calc_inv(void)87 static u32 zynq_calc_inv(void)
88 {
89 	u32 modulus = public_key.modulus[0];
90 	u32 tmp = BIT(1);
91 	u32 inverse;
92 
93 	inverse = modulus & BIT(0);
94 
95 	while (tmp) {
96 		inverse *= 2 - modulus * inverse;
97 		tmp *= tmp;
98 	}
99 
100 	return ~(inverse - 1);
101 }
102 
103 /*
104  * Recreate the signature by padding the bytes and verify with hash value
105  */
zynq_pad_and_check(u8 * signature,u8 * hash)106 static int zynq_pad_and_check(u8 *signature, u8 *hash)
107 {
108 	u8 padding[] = {0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48,
109 			0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04,
110 			0x20};
111 	u8 *pad_ptr = signature + 256;
112 	u32 pad = 202;
113 	u32 ii;
114 
115 	/*
116 	 * Re-Create PKCS#1v1.5 Padding
117 	 * MSB  ----------------------------------------------------LSB
118 	 * 0x0 || 0x1 || 0xFF(for 202 bytes) || 0x0 || T_padding || SHA256 Hash
119 	 */
120 	if (*--pad_ptr != 0 || *--pad_ptr != 1)
121 		return -1;
122 
123 	for (ii = 0; ii < pad; ii++) {
124 		if (*--pad_ptr != 0xFF)
125 			return -1;
126 	}
127 
128 	if (*--pad_ptr != 0)
129 		return -1;
130 
131 	for (ii = 0; ii < sizeof(padding); ii++) {
132 		if (*--pad_ptr != padding[ii])
133 			return -1;
134 	}
135 
136 	for (ii = 0; ii < 32; ii++) {
137 		if (*--pad_ptr != hash[ii])
138 			return -1;
139 	}
140 	return 0;
141 }
142 
143 /*
144  * Verify and extract the hash value from signature using the public key
145  * and compare it with calculated hash value.
146  */
zynq_rsa_verify_key(const struct zynq_rsa_public_key * key,const u8 * sig,const u32 sig_len,const u8 * hash)147 static int zynq_rsa_verify_key(const struct zynq_rsa_public_key *key,
148 			       const u8 *sig, const u32 sig_len, const u8 *hash)
149 {
150 	int status;
151 	void *buf;
152 
153 	if (!key || !sig || !hash)
154 		return -1;
155 
156 	if (sig_len != (key->len * sizeof(u32))) {
157 		printf("Signature is of incorrect length %d\n", sig_len);
158 		return -1;
159 	}
160 
161 	/* Sanity check for stack size */
162 	if (sig_len > ZYNQ_RSA_SPK_SIGNATURE_SIZE) {
163 		printf("Signature length %u exceeds maximum %d\n", sig_len,
164 		       ZYNQ_RSA_SPK_SIGNATURE_SIZE);
165 		return -1;
166 	}
167 
168 	buf = malloc(sig_len);
169 	if (!buf)
170 		return -1;
171 
172 	memcpy(buf, sig, sig_len);
173 
174 	status = zynq_pow_mod((u32 *)key, (u32 *)buf);
175 	if (status == -1) {
176 		free(buf);
177 		return status;
178 	}
179 
180 	status = zynq_pad_and_check((u8 *)buf, (u8 *)hash);
181 
182 	free(buf);
183 	return status;
184 }
185 
186 /*
187  * Authenticate the partition
188  */
zynq_authenticate_part(u8 * buffer,u32 size)189 static int zynq_authenticate_part(u8 *buffer, u32 size)
190 {
191 	u8 hash_signature[32];
192 	u8 *spk_modular;
193 	u8 *spk_modular_ex;
194 	u8 *signature_ptr;
195 	u32 status;
196 
197 	debug("%s\n", __func__);
198 
199 	signature_ptr = (u8 *)(buffer + size - ZYNQ_RSA_SIGNATURE_SIZE);
200 
201 	signature_ptr += ZYNQ_RSA_HEADER_SIZE;
202 
203 	signature_ptr += ZYNQ_RSA_MAGIC_WORD_SIZE;
204 
205 	ppkmodular = (u8 *)signature_ptr;
206 	signature_ptr += ZYNQ_RSA_MODULAR_SIZE;
207 	ppkmodularex = signature_ptr;
208 	signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE;
209 	signature_ptr += ZYNQ_RSA_EXPO_SIZE;
210 
211 	sha256_csum_wd((const unsigned char *)signature_ptr,
212 		       (ZYNQ_RSA_MODULAR_EXT_SIZE + ZYNQ_RSA_EXPO_SIZE +
213 		       ZYNQ_RSA_MODULAR_SIZE),
214 		       (unsigned char *)hash_signature, 0x1000);
215 
216 	spk_modular = (u8 *)signature_ptr;
217 	signature_ptr += ZYNQ_RSA_MODULAR_SIZE;
218 	spk_modular_ex = (u8 *)signature_ptr;
219 	signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE;
220 	signature_ptr += ZYNQ_RSA_EXPO_SIZE;
221 
222 	public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32);
223 	public_key.modulus = (u32 *)ppkmodular;
224 	public_key.rr = (u32 *)ppkmodularex;
225 	public_key.n0inv = zynq_calc_inv();
226 
227 	status = zynq_rsa_verify_key(&public_key, signature_ptr,
228 				     ZYNQ_RSA_SPK_SIGNATURE_SIZE,
229 				     hash_signature);
230 	if (status)
231 		return status;
232 
233 	signature_ptr += ZYNQ_RSA_SPK_SIGNATURE_SIZE;
234 
235 	sha256_csum_wd((const unsigned char *)buffer,
236 		       (size - ZYNQ_RSA_PARTITION_SIGNATURE_SIZE),
237 		       (unsigned char *)hash_signature, 0x1000);
238 
239 	public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32);
240 	public_key.modulus = (u32 *)spk_modular;
241 	public_key.rr = (u32 *)spk_modular_ex;
242 	public_key.n0inv = zynq_calc_inv();
243 
244 	return zynq_rsa_verify_key(&public_key, (u8 *)signature_ptr,
245 				   ZYNQ_RSA_PARTITION_SIGNATURE_SIZE,
246 				   (u8 *)hash_signature);
247 }
248 
249 /*
250  * Parses the partition header and verfies the authenticated and
251  * encrypted image.
252  */
zynq_verify_image(u32 src_ptr)253 static int zynq_verify_image(u32 src_ptr)
254 {
255 	u32 silicon_ver, image_base_addr, status;
256 	u32 partition_num = 0;
257 	u32 efuseval, srcaddr, size, fsbl_len;
258 	struct partition_hdr *hdr_ptr;
259 	u32 part_data_len, part_img_len, part_attr;
260 	u32 part_load_addr, part_dst_addr, part_chksum_offset;
261 	u32 part_start_addr, part_total_size, partitioncount;
262 	bool encrypt_part_flag = false;
263 	bool part_chksum_flag = false;
264 	bool signed_part_flag = false;
265 
266 	image_base_addr = src_ptr;
267 
268 	silicon_ver = zynq_get_silicon_version();
269 
270 	/* RSA not supported in silicon versions 1.0 and 2.0 */
271 	if (silicon_ver == 0 || silicon_ver == 1)
272 		return -1;
273 
274 	zynq_get_partition_info(image_base_addr, &fsbl_len,
275 				&part_hdr[0]);
276 
277 	/* Extract ppk if efuse was blown Otherwise return error */
278 	efuseval = readl(&efuse_base->status);
279 	if (!(efuseval & ZYNQ_EFUSE_RSA_ENABLE_MASK))
280 		return -1;
281 
282 	zynq_extract_ppk(fsbl_len);
283 
284 	partitioncount = zynq_get_part_count(&part_hdr[0]);
285 
286 	/*
287 	 * As the first two partitions are related to fsbl,
288 	 * we can ignore those two in bootimage and the below
289 	 * code doesn't need to validate it as fsbl is already
290 	 * done by now
291 	 */
292 	if (partitioncount <= 2 ||
293 	    partitioncount > ZYNQ_MAX_PARTITION_NUMBER)
294 		return -1;
295 
296 	while (partition_num < partitioncount) {
297 		if (((part_hdr[partition_num].partitionattr &
298 		   ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK) >> 16) !=
299 		   ZYNQ_RSA_PART_OWNER_UBOOT) {
300 			printf("UBOOT is not Owner for partition %d\n",
301 			       partition_num);
302 			partition_num++;
303 			continue;
304 		}
305 		hdr_ptr = &part_hdr[partition_num];
306 		status = zynq_validate_hdr(hdr_ptr);
307 		if (status)
308 			return status;
309 
310 		part_data_len = hdr_ptr->datawordlen;
311 		part_img_len = hdr_ptr->imagewordlen;
312 		part_attr = hdr_ptr->partitionattr;
313 		part_load_addr = hdr_ptr->loadaddr;
314 		part_chksum_offset = hdr_ptr->checksumoffset;
315 		part_start_addr = hdr_ptr->partitionstart;
316 		part_total_size = hdr_ptr->partitionwordlen;
317 
318 		if (part_data_len != part_img_len) {
319 			debug("Encrypted\n");
320 			encrypt_part_flag = true;
321 		}
322 
323 		if (part_attr & ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK)
324 			part_chksum_flag = true;
325 
326 		if (part_attr & ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK) {
327 			debug("RSA Signed\n");
328 			signed_part_flag = true;
329 			size = part_total_size << WORD_LENGTH_SHIFT;
330 		} else {
331 			size = part_img_len;
332 		}
333 
334 		if (!signed_part_flag && !part_chksum_flag) {
335 			printf("Partition not signed & no chksum\n");
336 			partition_num++;
337 			continue;
338 		}
339 
340 		srcaddr = image_base_addr +
341 			  (part_start_addr << WORD_LENGTH_SHIFT);
342 
343 		/*
344 		 * This validation is just for PS DDR.
345 		 * TODO: Update this for PL DDR check as well.
346 		 */
347 		if (part_load_addr < gd->bd->bi_dram[0].start &&
348 		    ((part_load_addr + part_data_len) >
349 		    (gd->bd->bi_dram[0].start +
350 		     gd->bd->bi_dram[0].size))) {
351 			printf("INVALID_LOAD_ADDRESS_FAIL\n");
352 			return -1;
353 		}
354 
355 		if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK)
356 			part_load_addr = srcaddr;
357 		else
358 			memcpy((u32 *)part_load_addr, (u32 *)srcaddr,
359 			       size);
360 
361 		if (part_chksum_flag) {
362 			part_chksum_offset = image_base_addr +
363 					     (part_chksum_offset <<
364 					     WORD_LENGTH_SHIFT);
365 			status = zynq_validate_partition(part_load_addr,
366 							 (part_total_size <<
367 							  WORD_LENGTH_SHIFT),
368 							 part_chksum_offset);
369 			if (status != 0) {
370 				printf("PART_CHKSUM_FAIL\n");
371 				return -1;
372 			}
373 			debug("Partition Validation Done\n");
374 		}
375 
376 		if (signed_part_flag) {
377 			status = zynq_authenticate_part((u8 *)part_load_addr,
378 							size);
379 			if (status != 0) {
380 				printf("AUTHENTICATION_FAIL\n");
381 				return -1;
382 			}
383 			debug("Authentication Done\n");
384 		}
385 
386 		if (encrypt_part_flag) {
387 			debug("DECRYPTION\n");
388 
389 			part_dst_addr = part_load_addr;
390 
391 			if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) {
392 				partition_num++;
393 				continue;
394 			}
395 
396 			status = zynq_decrypt_load(part_load_addr,
397 						   part_img_len,
398 						   part_dst_addr,
399 						   part_data_len);
400 			if (status != 0) {
401 				printf("DECRYPTION_FAIL\n");
402 				return -1;
403 			}
404 		}
405 		partition_num++;
406 	}
407 
408 	return 0;
409 }
410 
do_zynq_rsa(cmd_tbl_t * cmdtp,int flag,int argc,char * const argv[])411 static int do_zynq_rsa(cmd_tbl_t *cmdtp, int flag, int argc,
412 		       char * const argv[])
413 {
414 	u32 src_ptr;
415 	char *endp;
416 
417 	src_ptr = simple_strtoul(argv[2], &endp, 16);
418 	if (*argv[2] == 0 || *endp != 0)
419 		return CMD_RET_USAGE;
420 	if (zynq_verify_image(src_ptr))
421 		return CMD_RET_FAILURE;
422 
423 	return CMD_RET_SUCCESS;
424 }
425 #endif
426 
427 #ifdef CONFIG_CMD_ZYNQ_AES
zynq_decrypt_image(cmd_tbl_t * cmdtp,int flag,int argc,char * const argv[])428 static int zynq_decrypt_image(cmd_tbl_t *cmdtp, int flag, int argc,
429 			      char * const argv[])
430 {
431 	char *endp;
432 	u32 srcaddr, srclen, dstaddr, dstlen;
433 	int status;
434 
435 	srcaddr = simple_strtoul(argv[2], &endp, 16);
436 	if (*argv[2] == 0 || *endp != 0)
437 		return CMD_RET_USAGE;
438 	srclen = simple_strtoul(argv[3], &endp, 16);
439 	if (*argv[3] == 0 || *endp != 0)
440 		return CMD_RET_USAGE;
441 	dstaddr = simple_strtoul(argv[4], &endp, 16);
442 	if (*argv[4] == 0 || *endp != 0)
443 		return CMD_RET_USAGE;
444 	dstlen = simple_strtoul(argv[5], &endp, 16);
445 	if (*argv[5] == 0 || *endp != 0)
446 		return CMD_RET_USAGE;
447 
448 	/*
449 	 * Roundup source and destination lengths to
450 	 * word size
451 	 */
452 	if (srclen % 4)
453 		srclen = roundup(srclen, 4);
454 	if (dstlen % 4)
455 		dstlen = roundup(dstlen, 4);
456 
457 	status = zynq_decrypt_load(srcaddr, srclen >> 2, dstaddr, dstlen >> 2);
458 	if (status != 0)
459 		return CMD_RET_FAILURE;
460 
461 	return CMD_RET_SUCCESS;
462 }
463 #endif
464 
465 static cmd_tbl_t zynq_commands[] = {
466 #ifdef CONFIG_CMD_ZYNQ_RSA
467 	U_BOOT_CMD_MKENT(rsa, 3, 1, do_zynq_rsa, "", ""),
468 #endif
469 #ifdef CONFIG_CMD_ZYNQ_AES
470 	U_BOOT_CMD_MKENT(aes, 6, 1, zynq_decrypt_image, "", ""),
471 #endif
472 };
473 
do_zynq(cmd_tbl_t * cmdtp,int flag,int argc,char * const argv[])474 static int do_zynq(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
475 {
476 	cmd_tbl_t *zynq_cmd;
477 	int ret;
478 
479 	if (!ARRAY_SIZE(zynq_commands)) {
480 		puts("No zynq specific command enabled\n");
481 		return CMD_RET_USAGE;
482 	}
483 
484 	if (argc < 2)
485 		return CMD_RET_USAGE;
486 	zynq_cmd = find_cmd_tbl(argv[1], zynq_commands,
487 				ARRAY_SIZE(zynq_commands));
488 	if (!zynq_cmd || argc != zynq_cmd->maxargs)
489 		return CMD_RET_USAGE;
490 
491 	ret = zynq_cmd->cmd(zynq_cmd, flag, argc, argv);
492 
493 	return cmd_process_error(zynq_cmd, ret);
494 }
495 
496 #ifdef CONFIG_SYS_LONGHELP
497 static char zynq_help_text[] =
498 	""
499 #ifdef CONFIG_CMD_ZYNQ_RSA
500 	"rsa <baseaddr>  - Verifies the authenticated and encrypted\n"
501 	"                  zynq images and loads them back to load\n"
502 	"                  addresses as specified in BOOT image(BOOT.BIN)\n"
503 #endif
504 #ifdef CONFIG_CMD_ZYNQ_AES
505 	"aes <srcaddr> <srclen> <dstaddr> <dstlen>\n"
506 	"                - Decrypts the encrypted image present in source\n"
507 	"                  address and places the decrypted image at\n"
508 	"                  destination address\n"
509 #endif
510 	;
511 #endif
512 
513 U_BOOT_CMD(zynq,	6,	0,	do_zynq,
514 	   "Zynq specific commands", zynq_help_text
515 );
516