1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * Copyright (C) 2018 Xilinx, Inc. 4 */ 5 6 #include <common.h> 7 #include <asm/io.h> 8 #include <asm/arch/hardware.h> 9 #include <asm/arch/sys_proto.h> 10 #include <malloc.h> 11 #include <u-boot/md5.h> 12 #include <u-boot/rsa.h> 13 #include <u-boot/rsa-mod-exp.h> 14 #include <u-boot/sha256.h> 15 #include <zynqpl.h> 16 #include <fpga.h> 17 #include <zynq_bootimg.h> 18 19 DECLARE_GLOBAL_DATA_PTR; 20 21 #ifdef CONFIG_CMD_ZYNQ_RSA 22 23 #define ZYNQ_EFUSE_RSA_ENABLE_MASK 0x400 24 #define ZYNQ_ATTRIBUTE_PL_IMAGE_MASK 0x20 25 #define ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK 0x7000 26 #define ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK 0x8000 27 #define ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK 0x30000 28 29 #define ZYNQ_RSA_MODULAR_SIZE 256 30 #define ZYNQ_RSA_MODULAR_EXT_SIZE 256 31 #define ZYNQ_RSA_EXPO_SIZE 64 32 #define ZYNQ_RSA_SPK_SIGNATURE_SIZE 256 33 #define ZYNQ_RSA_PARTITION_SIGNATURE_SIZE 256 34 #define ZYNQ_RSA_SIGNATURE_SIZE 0x6C0 35 #define ZYNQ_RSA_HEADER_SIZE 4 36 #define ZYNQ_RSA_MAGIC_WORD_SIZE 60 37 #define ZYNQ_RSA_PART_OWNER_UBOOT 1 38 #define ZYNQ_RSA_ALIGN_PPK_START 64 39 40 #define WORD_LENGTH_SHIFT 2 41 42 static u8 *ppkmodular; 43 static u8 *ppkmodularex; 44 45 struct zynq_rsa_public_key { 46 uint len; /* Length of modulus[] in number of u32 */ 47 u32 n0inv; /* -1 / modulus[0] mod 2^32 */ 48 u32 *modulus; /* modulus as little endian array */ 49 u32 *rr; /* R^2 as little endian array */ 50 }; 51 52 static struct zynq_rsa_public_key public_key; 53 54 static struct partition_hdr part_hdr[ZYNQ_MAX_PARTITION_NUMBER]; 55 56 /* 57 * Extract the primary public key components from already autheticated FSBL 58 */ 59 static void zynq_extract_ppk(u32 fsbl_len) 60 { 61 u32 padsize; 62 u8 *ppkptr; 63 64 debug("%s\n", __func__); 65 66 /* 67 * Extract the authenticated PPK from OCM i.e at end of the FSBL 68 */ 69 ppkptr = (u8 *)(fsbl_len + ZYNQ_OCM_BASEADDR); 70 padsize = ((u32)ppkptr % ZYNQ_RSA_ALIGN_PPK_START); 71 if (padsize) 72 ppkptr += (ZYNQ_RSA_ALIGN_PPK_START - padsize); 73 74 ppkptr += ZYNQ_RSA_HEADER_SIZE; 75 76 ppkptr += ZYNQ_RSA_MAGIC_WORD_SIZE; 77 78 ppkmodular = (u8 *)ppkptr; 79 ppkptr += ZYNQ_RSA_MODULAR_SIZE; 80 ppkmodularex = (u8 *)ppkptr; 81 ppkptr += ZYNQ_RSA_MODULAR_EXT_SIZE; 82 } 83 84 /* 85 * Calculate the inverse(-1 / modulus[0] mod 2^32 ) for the PPK 86 */ 87 static u32 zynq_calc_inv(void) 88 { 89 u32 modulus = public_key.modulus[0]; 90 u32 tmp = BIT(1); 91 u32 inverse; 92 93 inverse = modulus & BIT(0); 94 95 while (tmp) { 96 inverse *= 2 - modulus * inverse; 97 tmp *= tmp; 98 } 99 100 return ~(inverse - 1); 101 } 102 103 /* 104 * Recreate the signature by padding the bytes and verify with hash value 105 */ 106 static int zynq_pad_and_check(u8 *signature, u8 *hash) 107 { 108 u8 padding[] = {0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, 109 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 110 0x20}; 111 u8 *pad_ptr = signature + 256; 112 u32 pad = 202; 113 u32 ii; 114 115 /* 116 * Re-Create PKCS#1v1.5 Padding 117 * MSB ----------------------------------------------------LSB 118 * 0x0 || 0x1 || 0xFF(for 202 bytes) || 0x0 || T_padding || SHA256 Hash 119 */ 120 if (*--pad_ptr != 0 || *--pad_ptr != 1) 121 return -1; 122 123 for (ii = 0; ii < pad; ii++) { 124 if (*--pad_ptr != 0xFF) 125 return -1; 126 } 127 128 if (*--pad_ptr != 0) 129 return -1; 130 131 for (ii = 0; ii < sizeof(padding); ii++) { 132 if (*--pad_ptr != padding[ii]) 133 return -1; 134 } 135 136 for (ii = 0; ii < 32; ii++) { 137 if (*--pad_ptr != hash[ii]) 138 return -1; 139 } 140 return 0; 141 } 142 143 /* 144 * Verify and extract the hash value from signature using the public key 145 * and compare it with calculated hash value. 146 */ 147 static int zynq_rsa_verify_key(const struct zynq_rsa_public_key *key, 148 const u8 *sig, const u32 sig_len, const u8 *hash) 149 { 150 int status; 151 void *buf; 152 153 if (!key || !sig || !hash) 154 return -1; 155 156 if (sig_len != (key->len * sizeof(u32))) { 157 printf("Signature is of incorrect length %d\n", sig_len); 158 return -1; 159 } 160 161 /* Sanity check for stack size */ 162 if (sig_len > ZYNQ_RSA_SPK_SIGNATURE_SIZE) { 163 printf("Signature length %u exceeds maximum %d\n", sig_len, 164 ZYNQ_RSA_SPK_SIGNATURE_SIZE); 165 return -1; 166 } 167 168 buf = malloc(sig_len); 169 if (!buf) 170 return -1; 171 172 memcpy(buf, sig, sig_len); 173 174 status = zynq_pow_mod((u32 *)key, (u32 *)buf); 175 if (status == -1) { 176 free(buf); 177 return status; 178 } 179 180 status = zynq_pad_and_check((u8 *)buf, (u8 *)hash); 181 182 free(buf); 183 return status; 184 } 185 186 /* 187 * Authenticate the partition 188 */ 189 static int zynq_authenticate_part(u8 *buffer, u32 size) 190 { 191 u8 hash_signature[32]; 192 u8 *spk_modular; 193 u8 *spk_modular_ex; 194 u8 *signature_ptr; 195 u32 status; 196 197 debug("%s\n", __func__); 198 199 signature_ptr = (u8 *)(buffer + size - ZYNQ_RSA_SIGNATURE_SIZE); 200 201 signature_ptr += ZYNQ_RSA_HEADER_SIZE; 202 203 signature_ptr += ZYNQ_RSA_MAGIC_WORD_SIZE; 204 205 ppkmodular = (u8 *)signature_ptr; 206 signature_ptr += ZYNQ_RSA_MODULAR_SIZE; 207 ppkmodularex = signature_ptr; 208 signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE; 209 signature_ptr += ZYNQ_RSA_EXPO_SIZE; 210 211 sha256_csum_wd((const unsigned char *)signature_ptr, 212 (ZYNQ_RSA_MODULAR_EXT_SIZE + ZYNQ_RSA_EXPO_SIZE + 213 ZYNQ_RSA_MODULAR_SIZE), 214 (unsigned char *)hash_signature, 0x1000); 215 216 spk_modular = (u8 *)signature_ptr; 217 signature_ptr += ZYNQ_RSA_MODULAR_SIZE; 218 spk_modular_ex = (u8 *)signature_ptr; 219 signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE; 220 signature_ptr += ZYNQ_RSA_EXPO_SIZE; 221 222 public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32); 223 public_key.modulus = (u32 *)ppkmodular; 224 public_key.rr = (u32 *)ppkmodularex; 225 public_key.n0inv = zynq_calc_inv(); 226 227 status = zynq_rsa_verify_key(&public_key, signature_ptr, 228 ZYNQ_RSA_SPK_SIGNATURE_SIZE, 229 hash_signature); 230 if (status) 231 return status; 232 233 signature_ptr += ZYNQ_RSA_SPK_SIGNATURE_SIZE; 234 235 sha256_csum_wd((const unsigned char *)buffer, 236 (size - ZYNQ_RSA_PARTITION_SIGNATURE_SIZE), 237 (unsigned char *)hash_signature, 0x1000); 238 239 public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32); 240 public_key.modulus = (u32 *)spk_modular; 241 public_key.rr = (u32 *)spk_modular_ex; 242 public_key.n0inv = zynq_calc_inv(); 243 244 return zynq_rsa_verify_key(&public_key, (u8 *)signature_ptr, 245 ZYNQ_RSA_PARTITION_SIGNATURE_SIZE, 246 (u8 *)hash_signature); 247 } 248 249 /* 250 * Parses the partition header and verfies the authenticated and 251 * encrypted image. 252 */ 253 static int zynq_verify_image(u32 src_ptr) 254 { 255 u32 silicon_ver, image_base_addr, status; 256 u32 partition_num = 0; 257 u32 efuseval, srcaddr, size, fsbl_len; 258 struct partition_hdr *hdr_ptr; 259 u32 part_data_len, part_img_len, part_attr; 260 u32 part_load_addr, part_dst_addr, part_chksum_offset; 261 u32 part_start_addr, part_total_size, partitioncount; 262 bool encrypt_part_flag = false; 263 bool part_chksum_flag = false; 264 bool signed_part_flag = false; 265 266 image_base_addr = src_ptr; 267 268 silicon_ver = zynq_get_silicon_version(); 269 270 /* RSA not supported in silicon versions 1.0 and 2.0 */ 271 if (silicon_ver == 0 || silicon_ver == 1) 272 return -1; 273 274 zynq_get_partition_info(image_base_addr, &fsbl_len, 275 &part_hdr[0]); 276 277 /* Extract ppk if efuse was blown Otherwise return error */ 278 efuseval = readl(&efuse_base->status); 279 if (!(efuseval & ZYNQ_EFUSE_RSA_ENABLE_MASK)) 280 return -1; 281 282 zynq_extract_ppk(fsbl_len); 283 284 partitioncount = zynq_get_part_count(&part_hdr[0]); 285 286 /* 287 * As the first two partitions are related to fsbl, 288 * we can ignore those two in bootimage and the below 289 * code doesn't need to validate it as fsbl is already 290 * done by now 291 */ 292 if (partitioncount <= 2 || 293 partitioncount > ZYNQ_MAX_PARTITION_NUMBER) 294 return -1; 295 296 while (partition_num < partitioncount) { 297 if (((part_hdr[partition_num].partitionattr & 298 ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK) >> 16) != 299 ZYNQ_RSA_PART_OWNER_UBOOT) { 300 printf("UBOOT is not Owner for partition %d\n", 301 partition_num); 302 partition_num++; 303 continue; 304 } 305 hdr_ptr = &part_hdr[partition_num]; 306 status = zynq_validate_hdr(hdr_ptr); 307 if (status) 308 return status; 309 310 part_data_len = hdr_ptr->datawordlen; 311 part_img_len = hdr_ptr->imagewordlen; 312 part_attr = hdr_ptr->partitionattr; 313 part_load_addr = hdr_ptr->loadaddr; 314 part_chksum_offset = hdr_ptr->checksumoffset; 315 part_start_addr = hdr_ptr->partitionstart; 316 part_total_size = hdr_ptr->partitionwordlen; 317 318 if (part_data_len != part_img_len) { 319 debug("Encrypted\n"); 320 encrypt_part_flag = true; 321 } 322 323 if (part_attr & ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK) 324 part_chksum_flag = true; 325 326 if (part_attr & ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK) { 327 debug("RSA Signed\n"); 328 signed_part_flag = true; 329 size = part_total_size << WORD_LENGTH_SHIFT; 330 } else { 331 size = part_img_len; 332 } 333 334 if (!signed_part_flag && !part_chksum_flag) { 335 printf("Partition not signed & no chksum\n"); 336 partition_num++; 337 continue; 338 } 339 340 srcaddr = image_base_addr + 341 (part_start_addr << WORD_LENGTH_SHIFT); 342 343 /* 344 * This validation is just for PS DDR. 345 * TODO: Update this for PL DDR check as well. 346 */ 347 if (part_load_addr < gd->bd->bi_dram[0].start && 348 ((part_load_addr + part_data_len) > 349 (gd->bd->bi_dram[0].start + 350 gd->bd->bi_dram[0].size))) { 351 printf("INVALID_LOAD_ADDRESS_FAIL\n"); 352 return -1; 353 } 354 355 if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) 356 part_load_addr = srcaddr; 357 else 358 memcpy((u32 *)part_load_addr, (u32 *)srcaddr, 359 size); 360 361 if (part_chksum_flag) { 362 part_chksum_offset = image_base_addr + 363 (part_chksum_offset << 364 WORD_LENGTH_SHIFT); 365 status = zynq_validate_partition(part_load_addr, 366 (part_total_size << 367 WORD_LENGTH_SHIFT), 368 part_chksum_offset); 369 if (status != 0) { 370 printf("PART_CHKSUM_FAIL\n"); 371 return -1; 372 } 373 debug("Partition Validation Done\n"); 374 } 375 376 if (signed_part_flag) { 377 status = zynq_authenticate_part((u8 *)part_load_addr, 378 size); 379 if (status != 0) { 380 printf("AUTHENTICATION_FAIL\n"); 381 return -1; 382 } 383 debug("Authentication Done\n"); 384 } 385 386 if (encrypt_part_flag) { 387 debug("DECRYPTION\n"); 388 389 part_dst_addr = part_load_addr; 390 391 if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) { 392 partition_num++; 393 continue; 394 } 395 396 status = zynq_decrypt_load(part_load_addr, 397 part_img_len, 398 part_dst_addr, 399 part_data_len); 400 if (status != 0) { 401 printf("DECRYPTION_FAIL\n"); 402 return -1; 403 } 404 } 405 partition_num++; 406 } 407 408 return 0; 409 } 410 411 static int do_zynq_rsa(cmd_tbl_t *cmdtp, int flag, int argc, 412 char * const argv[]) 413 { 414 u32 src_ptr; 415 char *endp; 416 417 src_ptr = simple_strtoul(argv[2], &endp, 16); 418 if (*argv[2] == 0 || *endp != 0) 419 return CMD_RET_USAGE; 420 if (zynq_verify_image(src_ptr)) 421 return CMD_RET_FAILURE; 422 423 return CMD_RET_SUCCESS; 424 } 425 #endif 426 427 #ifdef CONFIG_CMD_ZYNQ_AES 428 static int zynq_decrypt_image(cmd_tbl_t *cmdtp, int flag, int argc, 429 char * const argv[]) 430 { 431 char *endp; 432 u32 srcaddr, srclen, dstaddr, dstlen; 433 int status; 434 435 srcaddr = simple_strtoul(argv[2], &endp, 16); 436 if (*argv[2] == 0 || *endp != 0) 437 return CMD_RET_USAGE; 438 srclen = simple_strtoul(argv[3], &endp, 16); 439 if (*argv[3] == 0 || *endp != 0) 440 return CMD_RET_USAGE; 441 dstaddr = simple_strtoul(argv[4], &endp, 16); 442 if (*argv[4] == 0 || *endp != 0) 443 return CMD_RET_USAGE; 444 dstlen = simple_strtoul(argv[5], &endp, 16); 445 if (*argv[5] == 0 || *endp != 0) 446 return CMD_RET_USAGE; 447 448 /* 449 * Roundup source and destination lengths to 450 * word size 451 */ 452 if (srclen % 4) 453 srclen = roundup(srclen, 4); 454 if (dstlen % 4) 455 dstlen = roundup(dstlen, 4); 456 457 status = zynq_decrypt_load(srcaddr, srclen >> 2, dstaddr, dstlen >> 2); 458 if (status != 0) 459 return CMD_RET_FAILURE; 460 461 return CMD_RET_SUCCESS; 462 } 463 #endif 464 465 static cmd_tbl_t zynq_commands[] = { 466 #ifdef CONFIG_CMD_ZYNQ_RSA 467 U_BOOT_CMD_MKENT(rsa, 3, 1, do_zynq_rsa, "", ""), 468 #endif 469 #ifdef CONFIG_CMD_ZYNQ_AES 470 U_BOOT_CMD_MKENT(aes, 6, 1, zynq_decrypt_image, "", ""), 471 #endif 472 }; 473 474 static int do_zynq(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) 475 { 476 cmd_tbl_t *zynq_cmd; 477 int ret; 478 479 if (!ARRAY_SIZE(zynq_commands)) { 480 puts("No zynq specific command enabled\n"); 481 return CMD_RET_USAGE; 482 } 483 484 if (argc < 2) 485 return CMD_RET_USAGE; 486 zynq_cmd = find_cmd_tbl(argv[1], zynq_commands, 487 ARRAY_SIZE(zynq_commands)); 488 if (!zynq_cmd || argc != zynq_cmd->maxargs) 489 return CMD_RET_USAGE; 490 491 ret = zynq_cmd->cmd(zynq_cmd, flag, argc, argv); 492 493 return cmd_process_error(zynq_cmd, ret); 494 } 495 496 #ifdef CONFIG_SYS_LONGHELP 497 static char zynq_help_text[] = 498 "" 499 #ifdef CONFIG_CMD_ZYNQ_RSA 500 "rsa <baseaddr> - Verifies the authenticated and encrypted\n" 501 " zynq images and loads them back to load\n" 502 " addresses as specified in BOOT image(BOOT.BIN)\n" 503 #endif 504 #ifdef CONFIG_CMD_ZYNQ_AES 505 "aes <srcaddr> <srclen> <dstaddr> <dstlen>\n" 506 " - Decrypts the encrypted image present in source\n" 507 " address and places the decrypted image at\n" 508 " destination address\n" 509 #endif 510 ; 511 #endif 512 513 U_BOOT_CMD(zynq, 6, 0, do_zynq, 514 "Zynq specific commands", zynq_help_text 515 ); 516