otp.c - OpenGrok cross reference for /openbmc/u-boot/cmd/otp.c

Deleted Added

sdiffudifftextold (a3dcef30..)new (e7e21c44..)

otp.c (a3dcef3036395613e9aa4ea4b3b97dee8d51952d)	otp.c (e7e21c4455937427b95934f61c48824737c20816)
1// SPDX-License-Identifier: GPL-2.0+ 2/* 3 * Copyright 2021 Aspeed Technology Inc. 4 */ 5 6#include <stdlib.h> 7#include <common.h> 8#include <console.h> 9#include <bootretry.h> 10#include <cli.h> 11#include <command.h> 12#include <console.h> 13#include <malloc.h> 14#include <inttypes.h> 15#include <mapmem.h> 16#include <asm/io.h> 17#include <linux/compiler.h> 18#include <linux/iopoll.h>	1// SPDX-License-Identifier: GPL-2.0+ 2/* 3 * Copyright 2021 Aspeed Technology Inc. 4 */ 5 6#include <stdlib.h> 7#include <common.h> 8#include <console.h> 9#include <bootretry.h> 10#include <cli.h> 11#include <command.h> 12#include <console.h> 13#include <malloc.h> 14#include <inttypes.h> 15#include <mapmem.h> 16#include <asm/io.h> 17#include <linux/compiler.h> 18#include <linux/iopoll.h>
	19#include <u-boot/sha256.h>
19#include <u-boot/sha512.h>	20#include <u-boot/sha512.h>
	21#include <u-boot/rsa.h> 22#include <u-boot/rsa-mod-exp.h> 23#include <dm.h>
20#include "otp_info.h" 21 22DECLARE_GLOBAL_DATA_PTR; 23 24#define OTP_VER "2.0.0" 25 26#define OTP_PASSWD 0x349fe38a 27#define RETRY 20 --- 8 unchanged lines hidden (view full) --- 36#define OTP_PROG_SKIP 1 37 38#define OTP_KEY_TYPE_RSA_PUB 1 39#define OTP_KEY_TYPE_RSA_PRIV 2 40#define OTP_KEY_TYPE_AES 3 41#define OTP_KEY_TYPE_VAULT 4 42#define OTP_KEY_TYPE_HMAC 5 43	24#include "otp_info.h" 25 26DECLARE_GLOBAL_DATA_PTR; 27 28#define OTP_VER "2.0.0" 29 30#define OTP_PASSWD 0x349fe38a 31#define RETRY 20 --- 8 unchanged lines hidden (view full) --- 40#define OTP_PROG_SKIP 1 41 42#define OTP_KEY_TYPE_RSA_PUB 1 43#define OTP_KEY_TYPE_RSA_PRIV 2 44#define OTP_KEY_TYPE_AES 3 45#define OTP_KEY_TYPE_VAULT 4 46#define OTP_KEY_TYPE_HMAC 5 47
	48#define OTP_LIT_END 0 49#define OTP_BIG_END 1 50
44#define OTP_BASE 0x1e6f2000 45#define OTP_PROTECT_KEY OTP_BASE 46#define OTP_COMMAND OTP_BASE + 0x4 47#define OTP_TIMING OTP_BASE + 0x8 48#define OTP_ADDR OTP_BASE + 0x10 49#define OTP_STATUS OTP_BASE + 0x14 50#define OTP_COMPARE_1 OTP_BASE + 0x20 51#define OTP_COMPARE_2 OTP_BASE + 0x24 52#define OTP_COMPARE_3 OTP_BASE + 0x28 53#define OTP_COMPARE_4 OTP_BASE + 0x2c 54#define SW_REV_ID0 OTP_BASE + 0x68 55#define SW_REV_ID1 OTP_BASE + 0x6c 56#define SEC_KEY_NUM OTP_BASE + 0x78 57 58#define OTP_MAGIC "SOCOTP"	51#define OTP_BASE 0x1e6f2000 52#define OTP_PROTECT_KEY OTP_BASE 53#define OTP_COMMAND OTP_BASE + 0x4 54#define OTP_TIMING OTP_BASE + 0x8 55#define OTP_ADDR OTP_BASE + 0x10 56#define OTP_STATUS OTP_BASE + 0x14 57#define OTP_COMPARE_1 OTP_BASE + 0x20 58#define OTP_COMPARE_2 OTP_BASE + 0x24 59#define OTP_COMPARE_3 OTP_BASE + 0x28 60#define OTP_COMPARE_4 OTP_BASE + 0x2c 61#define SW_REV_ID0 OTP_BASE + 0x68 62#define SW_REV_ID1 OTP_BASE + 0x6c 63#define SEC_KEY_NUM OTP_BASE + 0x78 64 65#define OTP_MAGIC "SOCOTP"
59#define CHECKSUM_LEN 32	66#define CHECKSUM_LEN 64
60#define OTP_INC_DATA BIT(31) 61#define OTP_INC_CONFIG BIT(30) 62#define OTP_INC_STRAP BIT(29) 63#define OTP_ECC_EN BIT(28) 64#define OTP_INC_SCU_PRO BIT(25) 65#define OTP_REGION_SIZE(info) ((info >> 16) & 0xffff) 66#define OTP_REGION_OFFSET(info) (info & 0xffff) 67#define OTP_IMAGE_SIZE(info) (info & 0xffff) --- 55 unchanged lines hidden (view full) --- 123 int remain_times; 124 int writeable_option; 125 int protected; 126}; 127 128struct otpkey_type { 129 int value; 130 int key_type;	67#define OTP_INC_DATA BIT(31) 68#define OTP_INC_CONFIG BIT(30) 69#define OTP_INC_STRAP BIT(29) 70#define OTP_ECC_EN BIT(28) 71#define OTP_INC_SCU_PRO BIT(25) 72#define OTP_REGION_SIZE(info) ((info >> 16) & 0xffff) 73#define OTP_REGION_OFFSET(info) (info & 0xffff) 74#define OTP_IMAGE_SIZE(info) (info & 0xffff) --- 55 unchanged lines hidden (view full) --- 130 int remain_times; 131 int writeable_option; 132 int protected; 133}; 134 135struct otpkey_type { 136 int value; 137 int key_type;
	138 int order;
131 int need_id; 132 char information[110]; 133}; 134 135struct otp_pro_sts { 136 char mem_lock; 137 char pro_key_ret; 138 char pro_strap; --- 28 unchanged lines hidden (view full) --- 167 u8 conf_ignore; 168 u8 strap; 169 u8 strap_pro; 170 u8 strap_ignore; 171 u8 scu_pro; 172 u8 scu_pro_ignore; 173}; 174	139 int need_id; 140 char information[110]; 141}; 142 143struct otp_pro_sts { 144 char mem_lock; 145 char pro_key_ret; 146 char pro_strap; --- 28 unchanged lines hidden (view full) --- 175 u8 conf_ignore; 176 u8 strap; 177 u8 strap_pro; 178 u8 strap_ignore; 179 u8 scu_pro; 180 u8 scu_pro_ignore; 181}; 182
	183struct sb_info { 184 int header_offset; 185 int secure_region; 186 int rsa_algo; 187 int sha_algo; 188 int digest_len; 189 int retire_list[8]; 190 int enc_flag; 191}; 192 193struct key_list { 194 const struct otpkey_type *key_info; 195 int offset; 196 int id; 197 int retire; 198}; 199 200struct sb_header { 201 u32 aes_data_offset; 202 u32 enc_offset; 203 u32 sign_image_size; 204 u32 signature_offset; 205 u32 revision_low; 206 u32 revision_high; 207 u32 reserved; 208 u32 bl1_header_checksum; 209}; 210
175static struct otp_info_cb info_cb; 176 177static const struct otpkey_type a0_key_type[] = {	211static struct otp_info_cb info_cb; 212 213static const struct otpkey_type a0_key_type[] = {
178 {0, OTP_KEY_TYPE_AES, 0, "AES-256 as OEM platform key for image encryption/decryption"}, 179 {1, OTP_KEY_TYPE_VAULT, 0, "AES-256 as secret vault key"}, 180 {4, OTP_KEY_TYPE_HMAC, 1, "HMAC as encrypted OEM HMAC keys in Mode 1"}, 181 {8, OTP_KEY_TYPE_RSA_PUB, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 182 {9, OTP_KEY_TYPE_RSA_PUB, 0, "RSA-public as SOC public key"}, 183 {10, OTP_KEY_TYPE_RSA_PUB, 0, "RSA-public as AES key decryption key"}, 184 {13, OTP_KEY_TYPE_RSA_PRIV, 0, "RSA-private as SOC private key"}, 185 {14, OTP_KEY_TYPE_RSA_PRIV, 0, "RSA-private as AES key decryption key"},	214 {0, OTP_KEY_TYPE_AES, OTP_LIT_END, 0, "AES-256 as OEM platform key for image encryption/decryption"}, 215 {1, OTP_KEY_TYPE_VAULT, OTP_LIT_END, 0, "AES-256 as secret vault key"}, 216 {4, OTP_KEY_TYPE_HMAC, OTP_LIT_END, 1, "HMAC as encrypted OEM HMAC keys in Mode 1"}, 217 {8, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 218 {9, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 0, "RSA-public as SOC public key"}, 219 {10, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 0, "RSA-public as AES key decryption key"}, 220 {13, OTP_KEY_TYPE_RSA_PRIV, OTP_LIT_END, 0, "RSA-private as SOC private key"}, 221 {14, OTP_KEY_TYPE_RSA_PRIV, OTP_LIT_END, 0, "RSA-private as AES key decryption key"},
186}; 187 188static const struct otpkey_type a1_key_type[] = {	222}; 223 224static const struct otpkey_type a1_key_type[] = {
189 {1, OTP_KEY_TYPE_VAULT, 0, "AES-256 as secret vault key"}, 190 {2, OTP_KEY_TYPE_AES, 1, "AES-256 as OEM platform key for image encryption/decryption in Mode 2 or AES-256 as OEM DSS keys for Mode GCM"}, 191 {8, OTP_KEY_TYPE_RSA_PUB, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 192 {10, OTP_KEY_TYPE_RSA_PUB, 0, "RSA-public as AES key decryption key"}, 193 {14, OTP_KEY_TYPE_RSA_PRIV, 0, "RSA-private as AES key decryption key"},	225 {1, OTP_KEY_TYPE_VAULT, OTP_LIT_END, 0, "AES-256 as secret vault key"}, 226 {2, OTP_KEY_TYPE_AES, OTP_LIT_END, 1, "AES-256 as OEM platform key for image encryption/decryption in Mode 2 or AES-256 as OEM DSS keys for Mode GCM"}, 227 {8, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 228 {10, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 0, "RSA-public as AES key decryption key"}, 229 {14, OTP_KEY_TYPE_RSA_PRIV, OTP_LIT_END, 0, "RSA-private as AES key decryption key"},
194}; 195 196static const struct otpkey_type a2_key_type[] = {	230}; 231 232static const struct otpkey_type a2_key_type[] = {
197 {1, OTP_KEY_TYPE_VAULT, 0, "AES-256 as secret vault key"}, 198 {2, OTP_KEY_TYPE_AES, 1, "AES-256 as OEM platform key for image encryption/decryption in Mode 2 or AES-256 as OEM DSS keys for Mode GCM"}, 199 {8, OTP_KEY_TYPE_RSA_PUB, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 200 {10, OTP_KEY_TYPE_RSA_PUB, 0, "RSA-public as AES key decryption key"}, 201 {14, OTP_KEY_TYPE_RSA_PRIV, 0, "RSA-private as AES key decryption key"},	233 {1, OTP_KEY_TYPE_VAULT, OTP_LIT_END, 0, "AES-256 as secret vault key"}, 234 {2, OTP_KEY_TYPE_AES, OTP_LIT_END, 1, "AES-256 as OEM platform key for image encryption/decryption in Mode 2 or AES-256 as OEM DSS keys for Mode GCM"}, 235 {8, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 236 {10, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 0, "RSA-public as AES key decryption key"}, 237 {14, OTP_KEY_TYPE_RSA_PRIV, OTP_LIT_END, 0, "RSA-private as AES key decryption key"},
202}; 203 204static const struct otpkey_type a3_key_type[] = {	238}; 239 240static const struct otpkey_type a3_key_type[] = {
205 {1, OTP_KEY_TYPE_VAULT, 0, "AES-256 as secret vault key"}, 206 {2, OTP_KEY_TYPE_AES, 1, "AES-256 as OEM platform key for image encryption/decryption in Mode 2 or AES-256 as OEM DSS keys for Mode GCM"}, 207 {8, OTP_KEY_TYPE_RSA_PUB, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 208 {9, OTP_KEY_TYPE_RSA_PUB, 1, "RSA-public as OEM DSS public keys in Mode 2(big endian)"}, 209 {10, OTP_KEY_TYPE_RSA_PUB, 0, "RSA-public as AES key decryption key"}, 210 {11, OTP_KEY_TYPE_RSA_PUB, 0, "RSA-public as AES key decryption key(big endian)"}, 211 {12, OTP_KEY_TYPE_RSA_PRIV, 0, "RSA-private as AES key decryption key"}, 212 {13, OTP_KEY_TYPE_RSA_PRIV, 0, "RSA-private as AES key decryption key(big endian)"},	241 {1, OTP_KEY_TYPE_VAULT, OTP_LIT_END, 0, "AES-256 as secret vault key"}, 242 {2, OTP_KEY_TYPE_AES, OTP_LIT_END, 1, "AES-256 as OEM platform key for image encryption/decryption in Mode 2 or AES-256 as OEM DSS keys for Mode GCM"}, 243 {8, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 1, "RSA-public as OEM DSS public keys in Mode 2"}, 244 {9, OTP_KEY_TYPE_RSA_PUB, OTP_BIG_END, 1, "RSA-public as OEM DSS public keys in Mode 2(big endian)"}, 245 {10, OTP_KEY_TYPE_RSA_PUB, OTP_LIT_END, 0, "RSA-public as AES key decryption key"}, 246 {11, OTP_KEY_TYPE_RSA_PUB, OTP_BIG_END, 0, "RSA-public as AES key decryption key(big endian)"}, 247 {12, OTP_KEY_TYPE_RSA_PRIV, OTP_LIT_END, 0, "RSA-private as AES key decryption key"}, 248 {13, OTP_KEY_TYPE_RSA_PRIV, OTP_BIG_END, 0, "RSA-private as AES key decryption key(big endian)"},
213}; 214 215static void buf_print(u8 buf, int len) 216{ 217 int i; 218 219 printf(" 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n"); 220 for (i = 0; i < len; i++) { --- 43 unchanged lines hidden* (view full) --- 264 } 265 } 266 if (ret) 267 return ret; 268 269 return rid_num; 270} 271	249}; 250 251static void buf_print(u8 buf, int len) 252{ 253 int i; 254 255 printf(" 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F\n"); 256 for (i = 0; i < len; i++) { --- 43 unchanged lines hidden* (view full) --- 300 } 301 } 302 if (ret) 303 return ret; 304 305 return rid_num; 306} 307
	308static void sb_sha256(u8 src, u32 len, u8 digest_ret) 309{ 310 sha256_context ctx; 311 312 sha256_starts(&ctx); 313 sha256_update(&ctx, src, len); 314 sha256_finish(&ctx, digest_ret); 315} 316 317static void sb_sha384(u8 src, u32 len, u8 digest_ret) 318{ 319 sha512_context ctx; 320 321 sha384_starts(&ctx); 322 sha384_update(&ctx, src, len); 323 sha384_finish(&ctx, digest_ret); 324} 325 326static void sb_sha512(u8 src, u32 len, u8 digest_ret) 327{ 328 sha512_context ctx; 329 330 sha512_starts(&ctx); 331 sha512_update(&ctx, src, len); 332 sha512_finish(&ctx, digest_ret); 333} 334
272static u32 chip_version(void) 273{ 274 u32 revid0, revid1; 275 276 revid0 = readl(ASPEED_REVISION_ID0); 277 revid1 = readl(ASPEED_REVISION_ID1); 278 279 if (revid0 == ID0_AST2600A0 && revid1 == ID1_AST2600A0) { --- 1552 unchanged lines hidden (view full) --- 1832 printf("Input [0x%X] = 0x%X\n", 28 + i, OTPSCU[i]); 1833 printf("Mask [0x%X] = 0x%X\n", 28 + i, ~OTPSCU_IGNORE[i]); 1834 return OTP_FAILURE; 1835 } 1836 } 1837 return OTP_SUCCESS; 1838} 1839	335static u32 chip_version(void) 336{ 337 u32 revid0, revid1; 338 339 revid0 = readl(ASPEED_REVISION_ID0); 340 revid1 = readl(ASPEED_REVISION_ID1); 341 342 if (revid0 == ID0_AST2600A0 && revid1 == ID1_AST2600A0) { --- 1552 unchanged lines hidden (view full) --- 1895 printf("Input [0x%X] = 0x%X\n", 28 + i, OTPSCU[i]); 1896 printf("Mask [0x%X] = 0x%X\n", 28 + i, ~OTPSCU_IGNORE[i]); 1897 return OTP_FAILURE; 1898 } 1899 } 1900 return OTP_SUCCESS; 1901} 1902
1840static int otp_verify_image(u8 src_buf, u32 length, u8 digest_buf)	1903static int otp_verify_image(u8 src_buf, u32 length, u8 digest_buf, int version)
1841{	1904{
1842 sha512_context ctx; 1843 u8 digest_ret[CHECKSUM_LEN];	1905 u8 digest_ret[48]; 1906 int digest_len;
1844	1907
1845 sha384_starts(&ctx); 1846 sha384_update(&ctx, src_buf, length); 1847 sha384_finish(&ctx, digest_ret);	1908 switch (version) { 1909 case 1: 1910 sb_sha256(src_buf, length, digest_ret); 1911 digest_len = 32; 1912 break; 1913 case 2: 1914 sb_sha384(src_buf, length, digest_ret); 1915 digest_len = 48; 1916 break; 1917 default: 1918 return OTP_FAILURE; 1919 }
1848	1920
1849 if (!memcmp(digest_buf, digest_ret, CHECKSUM_LEN))	1921 if (!memcmp(digest_buf, digest_ret, digest_len))
1850 return OTP_SUCCESS; 1851 return OTP_FAILURE; 1852} 1853 1854static int otp_prog_image(int addr, int nconfirm) 1855{ 1856 int ret; 1857 int image_soc_ver = 0; --- 61 unchanged lines hidden (view full) --- 1919 return OTP_FAILURE; 1920 } 1921 1922 if (image_soc_ver != info_cb.version) { 1923 printf("Image SOC version is not match to HW SOC version\n"); 1924 return OTP_FAILURE; 1925 } 1926	1922 return OTP_SUCCESS; 1923 return OTP_FAILURE; 1924} 1925 1926static int otp_prog_image(int addr, int nconfirm) 1927{ 1928 int ret; 1929 int image_soc_ver = 0; --- 61 unchanged lines hidden (view full) --- 1991 return OTP_FAILURE; 1992 } 1993 1994 if (image_soc_ver != info_cb.version) { 1995 printf("Image SOC version is not match to HW SOC version\n"); 1996 return OTP_FAILURE; 1997 } 1998
1927 if (OTPTOOL_VERSION_MAJOR(otp_header->otptool_ver) != OTPTOOL_COMPT_VERSION) { 1928 printf("OTP image is not generated by otptool v2.x.x\n");	1999 switch (OTPTOOL_VERSION_MAJOR(otp_header->otptool_ver)) { 2000 case 1: 2001 printf("WARNING: OTP image is not generated by otptool v2.x.x\n"); 2002 printf("Please use the latest version of otptool to generate OTP image\n"); 2003 ret = otp_verify_image(buf, image_size, checksum, 1); 2004 break; 2005 case 2: 2006 ret = otp_verify_image(buf, image_size, checksum, 2); 2007 break; 2008 default: 2009 printf("OTP image version is not supported\n");
1929 return OTP_FAILURE; 1930 } 1931	2010 return OTP_FAILURE; 2011 } 2012
1932 if (otp_verify_image(buf, image_size, checksum)) {	2013 if (ret) {
1933 printf("checksum is invalid\n"); 1934 return OTP_FAILURE; 1935 } 1936 1937 if (info_cb.pro_sts.mem_lock) { 1938 printf("OTP memory is locked\n"); 1939 return OTP_FAILURE; 1940 } --- 393 unchanged lines hidden (view full) --- 2334 if (krb_or & (1 << retire_id)) { 2335 printf("SUCCESS\n"); 2336 return OTP_SUCCESS; 2337 } 2338 printf("FAILED\n"); 2339 return OTP_FAILURE; 2340} 2341	2014 printf("checksum is invalid\n"); 2015 return OTP_FAILURE; 2016 } 2017 2018 if (info_cb.pro_sts.mem_lock) { 2019 printf("OTP memory is locked\n"); 2020 return OTP_FAILURE; 2021 } --- 393 unchanged lines hidden (view full) --- 2415 if (krb_or & (1 << retire_id)) { 2416 printf("SUCCESS\n"); 2417 return OTP_SUCCESS; 2418 } 2419 printf("FAILED\n"); 2420 return OTP_FAILURE; 2421} 2422
	2423static int parse_config(struct sb_info si) 2424{ 2425 int i; 2426 u32 cfg0, cfg3, cfg4; 2427 u32 sb_mode; 2428 u32 key_retire; 2429 u32 rsa_len; 2430 u32 sha_len; 2431 2432 otp_read_conf(0, &cfg0); 2433 otp_read_conf(3, &cfg3); 2434 otp_read_conf(4, &cfg4); 2435 2436 sb_mode = (cfg0 >> 7) & 0x1; 2437 si->enc_flag = (cfg0 >> 27) & 0x1; 2438 key_retire = (cfg4 & 0x7f) \| ((cfg4 >> 16) & 0x7f); 2439 2440 if ((cfg0 >> 16) & 0x3f) 2441 si->secure_region = 1; 2442 else 2443 si->secure_region = 0; 2444 2445 si->header_offset = cfg3 & 0xffff; 2446 if (si->header_offset == 0) 2447 si->header_offset = 0x20; 2448 2449 for (i = 0; i < 8; i++) { 2450 if ((key_retire >> i) & 0x1) 2451 si->retire_list[i] = 1; 2452 else 2453 si->retire_list[i] = 0; 2454 } 2455 2456 if (sb_mode == 0) { 2457 printf("Mode GCM is not supported.\n"); 2458 return OTP_FAILURE; 2459 } 2460 2461 if (si->enc_flag) 2462 printf("Algorithm: AES_RSA_SHA\n"); 2463 else 2464 printf("Algorithm: RSA_SHA\n"); 2465 2466 rsa_len = (cfg0 >> 10) & 0x3; 2467 sha_len = (cfg0 >> 12) & 0x3; 2468 2469 if (rsa_len == 0) { 2470 si->rsa_algo = 1024; 2471 printf("RSA length: 1024\n"); 2472 } else if (rsa_len == 1) { 2473 si->rsa_algo = 2048; 2474 printf("RSA length: 2048\n"); 2475 } else if (rsa_len == 2) { 2476 si->rsa_algo = 3072; 2477 printf("RSA length: 3072\n"); 2478 } else { 2479 si->rsa_algo = 4096; 2480 printf("RSA length: 4096\n"); 2481 } 2482 if (sha_len == 0) { 2483 si->sha_algo = 224; 2484 si->digest_len = 28; 2485 printf("HASH length: 224\n"); 2486 } else if (sha_len == 1) { 2487 si->sha_algo = 256; 2488 si->digest_len = 32; 2489 printf("HASH length: 256\n"); 2490 } else if (sha_len == 2) { 2491 si->sha_algo = 384; 2492 si->digest_len = 48; 2493 printf("HASH length: 384\n"); 2494 } else { 2495 si->sha_algo = 512; 2496 si->digest_len = 64; 2497 printf("HASH length: 512\n"); 2498 } 2499 return OTP_SUCCESS; 2500} 2501 2502static void parse_data(struct key_list kl, int key_num, struct sb_info si, u32 data) 2503{ 2504 const struct otpkey_type key_info_array = info_cb.key_info; 2505 int i, j; 2506 int id = 0; 2507 u32 h; 2508 u32 t; 2509 2510 key_num = 0; 2511 for (i = 0; i < 16; i++) { 2512 h = data[i]; 2513 t = (h >> 14) & 0xf; 2514 for (j = 0; j < info_cb.key_info_len; j++) { 2515 if (t == key_info_array[j].value) { 2516 kl[key_num].key_info = &key_info_array[j]; 2517 kl[key_num].offset = h & 0x1ff8; 2518 id = h & 0x7; 2519 kl[key_num].id = id; 2520 if (si->retire_list[id] == 1) 2521 kl[key_num].retire = 1; 2522 else 2523 kl[key_num].retire = 0; 2524 (key_num)++; 2525 break; 2526 } 2527 } 2528 if ((data[i] >> 13) & 1) 2529 break; 2530 } 2531} 2532 2533static int sb_sha(struct sb_info si, u8 sec_image, u32 sign_image_size, u8 digest_ret) 2534{ 2535 switch (si->sha_algo) { 2536 case 224: 2537 printf("otp verify does not support SHA224\n"); 2538 return OTP_FAILURE; 2539 case 256: 2540 sb_sha256(sec_image, sign_image_size, digest_ret); 2541 break; 2542 case 384: 2543 sb_sha384(sec_image, sign_image_size, digest_ret); 2544 break; 2545 case 512: 2546 sb_sha512(sec_image, sign_image_size, digest_ret); 2547 break; 2548 default: 2549 printf("SHA Algorithm is invalid\n"); 2550 return OTP_FAILURE; 2551 } 2552 return 0; 2553} 2554 2555static int mode2_verify(u8 sec_image, u32 sign_image_size, 2556 u8 signature, u8 rsa_m, 2557 int order, u8 digest, 2558 struct sb_info si, struct udevice mod_exp_dev) 2559{ 2560 struct key_prop prop; 2561 u8 rsa_e[3] = "\x01\x00\x01"; 2562 u8 sign_ret[512]; 2563 u8 rsa_m_rev[512]; 2564 u8 signature_rev[512]; 2565 u8 tmp; 2566 u32 rsa_len = si->rsa_algo / 8; 2567 int i; 2568 int ret; 2569 2570 memset(&prop, 0, sizeof(struct key_prop)); 2571 2572 if (order == OTP_LIT_END) { 2573 memset(rsa_m_rev, 0, 512); 2574 memset(signature_rev, 0, 512); 2575 for (i = 0; i < rsa_len; i++) { 2576 rsa_m_rev[i] = rsa_m[rsa_len - 1 - i]; 2577 signature_rev[i] = signature[rsa_len - 1 - i]; 2578 } 2579 prop.modulus = rsa_m_rev; 2580 prop.num_bits = si->rsa_algo; 2581 prop.public_exponent = rsa_e; 2582 prop.exp_len = 3; 2583 ret = rsa_mod_exp(mod_exp_dev, signature_rev, rsa_len, &prop, sign_ret); 2584 } else { 2585 prop.modulus = rsa_m; 2586 prop.num_bits = si->rsa_algo; 2587 prop.public_exponent = rsa_e; 2588 prop.exp_len = 3; 2589 ret = rsa_mod_exp(mod_exp_dev, signature, rsa_len, &prop, sign_ret); 2590 } 2591 2592 if (ret) { 2593 printf("rsa_mod_exp error: %d\n", ret); 2594 return OTP_FAILURE; 2595 } 2596 2597 if (order == OTP_LIT_END) { 2598 for (i = 0; i < rsa_len / 2; i++) { 2599 tmp = sign_ret[i]; 2600 sign_ret[i] = sign_ret[rsa_len - 1 - i]; 2601 sign_ret[rsa_len - 1 - i] = tmp; 2602 } 2603 ret = memcmp(digest, sign_ret, si->digest_len); 2604 } else { 2605 ret = memcmp(digest, sign_ret + (rsa_len - si->digest_len), si->digest_len); 2606 } 2607 2608 if (ret) 2609 return OTP_FAILURE; 2610 return 0; 2611} 2612 2613static int otp_verify_boot_image(phys_addr_t addr) 2614{ 2615 struct udevice mod_exp_dev; 2616 struct sb_info si; 2617 struct key_list kl[16]; 2618 struct sb_header sh; 2619 u32 data[2048]; 2620 u8 digest[64]; 2621 u8 sec_image; 2622 u8 signature; 2623 u8 key; 2624 u32 otp_rid[2]; 2625 u32 sw_rid[2]; 2626 u64 otp_rid64 = (u64 )otp_rid; 2627 u64 sw_rid64 = (u64 )sw_rid; 2628 int key_num; 2629 int ret; 2630 int i; 2631 int pass = 0; 2632 2633 ret = uclass_get_device_by_driver(UCLASS_MOD_EXP, DM_GET_DRIVER(aspeed_acry), &mod_exp_dev); 2634 if (ret) { 2635 printf("RSA engine: Can't find aspeed_acry\n"); 2636 return OTP_FAILURE; 2637 } 2638 2639 for (i = 0; i < 2048 ; i += 2) 2640 otp_read_data(i, &data[i]); 2641 if (parse_config(&si)) 2642 return OTP_FAILURE; 2643 parse_data(kl, &key_num, &si, data); 2644 otp_read_conf(10, &otp_rid[0]); 2645 otp_read_conf(11, &otp_rid[1]); 2646 2647 sec_image = (u8 )addr; 2648 sh = (struct sb_header )(sec_image + si.header_offset); 2649 signature = sec_image + sh->signature_offset; 2650 2651 if (si.secure_region) 2652 printf("WARNING: Secure Region is enabled, the verification may not correct.\n"); 2653 2654 if (sh->sign_image_size % 512) { 2655 printf("ERROR: The sign_image_size should be 512 bytes aligned\n"); 2656 return OTP_FAILURE; 2657 } 2658 2659 printf("Check revision ID: "); 2660 2661 sw_rid[0] = sh->revision_low; 2662 sw_rid[1] = sh->revision_high; 2663 2664 if (otp_rid64 > sw_rid64) { 2665 printf("FAIL\n"); 2666 printf("Header revision_low: %x\n", sh->revision_low); 2667 printf("Header revision_high: %x\n", sh->revision_high); 2668 printf("OTP revision_low: %x\n", otp_rid[0]); 2669 printf("OTP revision_high: %x\n", otp_rid[1]); 2670 return OTP_FAILURE; 2671 } 2672 printf("PASS\n"); 2673 2674 printf("Check secure image header: "); 2675 if (((sh->aes_data_offset + sh->enc_offset + sh->sign_image_size + 2676 sh->signature_offset + sh->revision_high + sh->revision_low + 2677 sh->reserved + sh->bl1_header_checksum) & 0xffffffff) != 0) { 2678 printf("FAIL\n"); 2679 printf("aes_data_offset: %x\n", sh->aes_data_offset); 2680 printf("enc_offset: %x\n", sh->enc_offset); 2681 printf("sign_image_size: %x\n", sh->sign_image_size); 2682 printf("signature_offset: %x\n", sh->signature_offset); 2683 printf("revision_high: %x\n", sh->revision_high); 2684 printf("revision_low: %x\n", sh->revision_low); 2685 printf("reserved: %x\n", sh->reserved); 2686 printf("bl1_header_checksum: %x\n", sh->bl1_header_checksum); 2687 return OTP_FAILURE; 2688 } 2689 printf("PASS\n"); 2690 2691 ret = sb_sha(&si, sec_image, sh->sign_image_size, digest); 2692 if (ret) 2693 return OTP_FAILURE; 2694 2695 printf("Verifying secure image\n"); 2696 for (i = 0; i < key_num; i++) { 2697 if (kl[i].key_info->key_type != OTP_KEY_TYPE_RSA_PUB) 2698 continue; 2699 printf(" Key %d\n", kl[i].id); 2700 if (kl[i].retire) { 2701 printf(" Key %d is retired.\n", kl[i].id); 2702 continue; 2703 } 2704 key = (u8 )data + kl[i].offset; 2705 if (!mode2_verify(sec_image, sh->sign_image_size, 2706 signature, key, kl[i].key_info->order, digest, 2707 &si, mod_exp_dev)) { 2708 pass = 1; 2709 break; 2710 } 2711 } 2712 if (pass) { 2713 printf(" OEM DSS RSA public keys\n"); 2714 printf(" ID: %d\n", kl[i].id); 2715 if (kl[i].key_info->order == OTP_BIG_END) 2716 printf(" Big endian\n"); 2717 else 2718 printf(" Little endian\n"); 2719 printf("Verify secure image: PASS\n"); 2720 return OTP_SUCCESS; 2721 } 2722 printf("Verify secure image: FAIL\n"); 2723 return OTP_FAILURE; 2724} 2725
2342static int do_otpread(cmd_tbl_t cmdtp, int flag, int argc, char const argv[]) 2343{ 2344 u32 offset, count; 2345 int ret; 2346 2347 if (argc == 4) { 2348 offset = simple_strtoul(argv[2], NULL, 16); 2349 count = simple_strtoul(argv[3], NULL, 16); --- 484 unchanged lines hidden (view full) --- 2834 return CMD_RET_USAGE; 2835 ret = otp_retire_key(retire_id, force); 2836 2837 if (ret) 2838 return CMD_RET_FAILURE; 2839 return CMD_RET_SUCCESS; 2840} 2841	2726static int do_otpread(cmd_tbl_t cmdtp, int flag, int argc, char const argv[]) 2727{ 2728 u32 offset, count; 2729 int ret; 2730 2731 if (argc == 4) { 2732 offset = simple_strtoul(argv[2], NULL, 16); 2733 count = simple_strtoul(argv[3], NULL, 16); --- 484 unchanged lines hidden (view full) --- 3218 return CMD_RET_USAGE; 3219 ret = otp_retire_key(retire_id, force); 3220 3221 if (ret) 3222 return CMD_RET_FAILURE; 3223 return CMD_RET_SUCCESS; 3224} 3225
	3226static int do_otpverify(cmd_tbl_t cmdtp, int flag, int argc, char const argv[]) 3227{ 3228 phys_addr_t addr; 3229 int ret; 3230 3231 if (argc == 2) { 3232 addr = simple_strtoul(argv[1], NULL, 16); 3233 ret = otp_verify_boot_image(addr); 3234 } else { 3235 return CMD_RET_USAGE; 3236 } 3237 3238 if (ret == OTP_SUCCESS) 3239 return CMD_RET_SUCCESS; 3240 else if (ret == OTP_FAILURE) 3241 return CMD_RET_FAILURE; 3242 else 3243 return CMD_RET_USAGE; 3244} 3245
2842static cmd_tbl_t cmd_otp[] = { 2843 U_BOOT_CMD_MKENT(version, 1, 0, do_otpver, "", ""), 2844 U_BOOT_CMD_MKENT(read, 4, 0, do_otpread, "", ""), 2845 U_BOOT_CMD_MKENT(info, 3, 0, do_otpinfo, "", ""), 2846 U_BOOT_CMD_MKENT(prog, 3, 0, do_otpprog, "", ""), 2847 U_BOOT_CMD_MKENT(pb, 6, 0, do_otppb, "", ""), 2848 U_BOOT_CMD_MKENT(protect, 3, 0, do_otpprotect, "", ""), 2849 U_BOOT_CMD_MKENT(scuprotect, 4, 0, do_otp_scuprotect, "", ""), 2850 U_BOOT_CMD_MKENT(cmp, 3, 0, do_otpcmp, "", ""), 2851 U_BOOT_CMD_MKENT(update, 3, 0, do_otpupdate, "", ""), 2852 U_BOOT_CMD_MKENT(rid, 1, 0, do_otprid, "", ""), 2853 U_BOOT_CMD_MKENT(retire, 3, 0, do_otpretire, "", ""),	3246static cmd_tbl_t cmd_otp[] = { 3247 U_BOOT_CMD_MKENT(version, 1, 0, do_otpver, "", ""), 3248 U_BOOT_CMD_MKENT(read, 4, 0, do_otpread, "", ""), 3249 U_BOOT_CMD_MKENT(info, 3, 0, do_otpinfo, "", ""), 3250 U_BOOT_CMD_MKENT(prog, 3, 0, do_otpprog, "", ""), 3251 U_BOOT_CMD_MKENT(pb, 6, 0, do_otppb, "", ""), 3252 U_BOOT_CMD_MKENT(protect, 3, 0, do_otpprotect, "", ""), 3253 U_BOOT_CMD_MKENT(scuprotect, 4, 0, do_otp_scuprotect, "", ""), 3254 U_BOOT_CMD_MKENT(cmp, 3, 0, do_otpcmp, "", ""), 3255 U_BOOT_CMD_MKENT(update, 3, 0, do_otpupdate, "", ""), 3256 U_BOOT_CMD_MKENT(rid, 1, 0, do_otprid, "", ""), 3257 U_BOOT_CMD_MKENT(retire, 3, 0, do_otpretire, "", ""),
	3258 U_BOOT_CMD_MKENT(verify, 2, 0, do_otpverify, "", ""),
2854}; 2855 2856static int do_ast_otp(cmd_tbl_t cmdtp, int flag, int argc, char const argv[]) 2857{ 2858 struct otp_pro_sts pro_sts; 2859 cmd_tbl_t cp; 2860 u32 ver; 2861 int ret; --- 93 unchanged lines hidden (view full) --- 2955 "otp prog [o] <addr>\n" 2956 "otp pb conf\|data [o] <otp_dw_offset> <bit_offset> <value>\n" 2957 "otp pb strap [o] <bit_offset> <value>\n" 2958 "otp protect [o] <bit_offset>\n" 2959 "otp scuprotect [o] <scu_offset> <bit_offset>\n" 2960 "otp update [o] <revision_id>\n" 2961 "otp rid\n" 2962 "otp retire [o] <key_id>\n"	3259}; 3260 3261static int do_ast_otp(cmd_tbl_t cmdtp, int flag, int argc, char const argv[]) 3262{ 3263 struct otp_pro_sts pro_sts; 3264 cmd_tbl_t cp; 3265 u32 ver; 3266 int ret; --- 93 unchanged lines hidden (view full) --- 3360 "otp prog [o] <addr>\n" 3361 "otp pb conf\|data [o] <otp_dw_offset> <bit_offset> <value>\n" 3362 "otp pb strap [o] <bit_offset> <value>\n" 3363 "otp protect [o] <bit_offset>\n" 3364 "otp scuprotect [o] <scu_offset> <bit_offset>\n" 3365 "otp update [o] <revision_id>\n" 3366 "otp rid\n" 3367 "otp retire [o] <key_id>\n"
	3368 "otp verify <addr>\n"
2963 );	3369 );