1 /* 2 * (C) Copyright 2015 Google, Inc 3 * Written by Simon Glass <sjg@chromium.org> 4 * 5 * (C) 2017 Theobroma Systems Design und Consulting GmbH 6 * 7 * SPDX-License-Identifier: GPL-2.0+ 8 * 9 * Helper functions for Rockchip images 10 */ 11 12 #include "imagetool.h" 13 #include <image.h> 14 #include <rc4.h> 15 #include "mkimage.h" 16 #include "rkcommon.h" 17 18 #define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) 19 20 enum { 21 RK_SIGNATURE = 0x0ff0aa55, 22 }; 23 24 /** 25 * struct header0_info - header block for boot ROM 26 * 27 * This is stored at SD card block 64 (where each block is 512 bytes, or at 28 * the start of SPI flash. It is encoded with RC4. 29 * 30 * @signature: Signature (must be RKSD_SIGNATURE) 31 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary 32 * @init_offset: Offset in blocks of the SPL code from this header 33 * block. E.g. 4 means 2KB after the start of this header. 34 * Other fields are not used by U-Boot 35 */ 36 struct header0_info { 37 uint32_t signature; 38 uint8_t reserved[4]; 39 uint32_t disable_rc4; 40 uint16_t init_offset; 41 uint8_t reserved1[492]; 42 uint16_t init_size; 43 uint16_t init_boot_size; 44 uint8_t reserved2[2]; 45 }; 46 47 /** 48 * struct header1_info 49 */ 50 struct header1_info { 51 uint32_t magic; 52 }; 53 54 /** 55 * struct spl_info - spl info for each chip 56 * 57 * @imagename: Image name(passed by "mkimage -n") 58 * @spl_hdr: Boot ROM requires a 4-bytes spl header 59 * @spl_size: Spl size(include extra 4-bytes spl header) 60 * @spl_rc4: RC4 encode the SPL binary (same key as header) 61 * @spl_boot0: A new-style (ARM_SOC_BOOT0_HOOK) image that should 62 * have the boot magic (e.g. 'RK33') written to its first 63 * word. 64 */ 65 66 struct spl_info { 67 const char *imagename; 68 const char *spl_hdr; 69 const uint32_t spl_size; 70 const bool spl_rc4; 71 const bool spl_boot0; 72 }; 73 74 static struct spl_info spl_infos[] = { 75 { "rk3036", "RK30", 0x1000, false, false }, 76 { "rk3128", "RK31", 0x1800, false, false }, 77 { "rk3188", "RK31", 0x8000 - 0x800, true, false }, 78 { "rk322x", "RK32", 0x8000 - 0x1000, false, false }, 79 { "rk3288", "RK32", 0x8000, false, false }, 80 { "rk3328", "RK32", 0x8000 - 0x1000, false, false }, 81 { "rk3368", "RK33", 0x8000 - 0x1000, false, true }, 82 { "rk3399", "RK33", 0x30000 - 0x2000, false, true }, 83 { "rv1108", "RK11", 0x1800, false, false}, 84 }; 85 86 static unsigned char rc4_key[16] = { 87 124, 78, 3, 4, 85, 5, 9, 7, 88 45, 44, 123, 56, 23, 13, 23, 17 89 }; 90 91 static struct spl_info *rkcommon_get_spl_info(char *imagename) 92 { 93 int i; 94 95 if (!imagename) 96 return NULL; 97 98 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 99 if (!strncmp(imagename, spl_infos[i].imagename, 6)) 100 return spl_infos + i; 101 102 return NULL; 103 } 104 105 int rkcommon_check_params(struct image_tool_params *params) 106 { 107 int i; 108 109 if (rkcommon_get_spl_info(params->imagename) != NULL) 110 return EXIT_SUCCESS; 111 112 /* 113 * If this is a operation (list or extract), the don't require 114 * imagename to be set. 115 */ 116 if (params->lflag || params->iflag) 117 return EXIT_SUCCESS; 118 119 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n", 120 params->imagename ? params->imagename : "NULL"); 121 122 fprintf(stderr, "Available imagename:"); 123 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) 124 fprintf(stderr, "\t%s", spl_infos[i].imagename); 125 fprintf(stderr, "\n"); 126 127 return EXIT_FAILURE; 128 } 129 130 const char *rkcommon_get_spl_hdr(struct image_tool_params *params) 131 { 132 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 133 134 /* 135 * info would not be NULL, because of we checked params before. 136 */ 137 return info->spl_hdr; 138 } 139 140 141 int rkcommon_get_spl_size(struct image_tool_params *params) 142 { 143 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 144 145 /* 146 * info would not be NULL, because of we checked params before. 147 */ 148 return info->spl_size; 149 } 150 151 bool rkcommon_need_rc4_spl(struct image_tool_params *params) 152 { 153 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 154 155 /* 156 * info would not be NULL, because of we checked params before. 157 */ 158 return info->spl_rc4; 159 } 160 161 bool rkcommon_spl_is_boot0(struct image_tool_params *params) 162 { 163 struct spl_info *info = rkcommon_get_spl_info(params->imagename); 164 165 /* 166 * info would not be NULL, because of we checked params before. 167 */ 168 return info->spl_boot0; 169 } 170 171 static void rkcommon_set_header0(void *buf, uint file_size, 172 struct image_tool_params *params) 173 { 174 struct header0_info *hdr = buf; 175 176 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE); 177 hdr->signature = RK_SIGNATURE; 178 hdr->disable_rc4 = !rkcommon_need_rc4_spl(params); 179 hdr->init_offset = RK_INIT_OFFSET; 180 181 hdr->init_size = DIV_ROUND_UP(file_size, RK_BLK_SIZE); 182 /* 183 * The init_size has to be a multiple of 4 blocks (i.e. of 2K) 184 * or the BootROM will not boot the image. 185 * 186 * Note: To verify that this is not a legacy constraint, we 187 * rechecked this against the RK3399 BootROM. 188 */ 189 hdr->init_size = ROUND(hdr->init_size, 4); 190 /* 191 * init_boot_size needs to be set, as it is read by the BootROM 192 * to determine the size of the next-stage bootloader (e.g. U-Boot 193 * proper), when used with the back-to-bootrom functionality. 194 * 195 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html 196 * for a more detailed explanation by Andy Yan 197 */ 198 hdr->init_boot_size = hdr->init_size + RK_MAX_BOOT_SIZE / RK_BLK_SIZE; 199 200 rc4_encode(buf, RK_BLK_SIZE, rc4_key); 201 } 202 203 int rkcommon_set_header(void *buf, uint file_size, 204 struct image_tool_params *params) 205 { 206 struct header1_info *hdr = buf + RK_SPL_HDR_START; 207 208 if (file_size > rkcommon_get_spl_size(params)) 209 return -ENOSPC; 210 211 rkcommon_set_header0(buf, file_size, params); 212 213 /* Set up the SPL name (i.e. copy spl_hdr over) */ 214 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE); 215 216 if (rkcommon_need_rc4_spl(params)) 217 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START, 218 params->file_size - RK_SPL_HDR_START); 219 220 return 0; 221 } 222 223 static inline unsigned rkcommon_offset_to_spi(unsigned offset) 224 { 225 /* 226 * While SD/MMC images use a flat addressing, SPI images are padded 227 * to use the first 2K of every 4K sector only. 228 */ 229 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff); 230 } 231 232 static int rkcommon_parse_header(const void *buf, struct header0_info *header0, 233 struct spl_info **spl_info) 234 { 235 unsigned hdr1_offset; 236 struct header1_info *hdr1_sdmmc, *hdr1_spi; 237 int i; 238 239 if (spl_info) 240 *spl_info = NULL; 241 242 /* 243 * The first header (hdr0) is always RC4 encoded, so try to decrypt 244 * with the well-known key. 245 */ 246 memcpy((void *)header0, buf, sizeof(struct header0_info)); 247 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key); 248 249 if (header0->signature != RK_SIGNATURE) 250 return -EPROTO; 251 252 /* We don't support RC4 encoded image payloads here, yet... */ 253 if (header0->disable_rc4 == 0) 254 return -ENOSYS; 255 256 hdr1_offset = header0->init_offset * RK_BLK_SIZE; 257 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset); 258 hdr1_spi = (struct header1_info *)(buf + 259 rkcommon_offset_to_spi(hdr1_offset)); 260 261 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) { 262 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr, 4)) { 263 if (spl_info) 264 *spl_info = &spl_infos[i]; 265 return IH_TYPE_RKSD; 266 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr, 4)) { 267 if (spl_info) 268 *spl_info = &spl_infos[i]; 269 return IH_TYPE_RKSPI; 270 } 271 } 272 273 return -1; 274 } 275 276 int rkcommon_verify_header(unsigned char *buf, int size, 277 struct image_tool_params *params) 278 { 279 struct header0_info header0; 280 struct spl_info *img_spl_info, *spl_info; 281 int ret; 282 283 ret = rkcommon_parse_header(buf, &header0, &img_spl_info); 284 285 /* If this is the (unimplemented) RC4 case, then rewrite the result */ 286 if (ret == -ENOSYS) 287 return 0; 288 289 if (ret < 0) 290 return ret; 291 292 /* 293 * If no 'imagename' is specified via the commandline (e.g. if this is 294 * 'dumpimage -l' w/o any further constraints), we accept any spl_info. 295 */ 296 if (params->imagename == NULL) 297 return 0; 298 299 /* Match the 'imagename' against the 'spl_hdr' found */ 300 spl_info = rkcommon_get_spl_info(params->imagename); 301 if (spl_info && img_spl_info) 302 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr); 303 304 return -ENOENT; 305 } 306 307 void rkcommon_print_header(const void *buf) 308 { 309 struct header0_info header0; 310 struct spl_info *spl_info; 311 uint8_t image_type; 312 int ret; 313 314 ret = rkcommon_parse_header(buf, &header0, &spl_info); 315 316 /* If this is the (unimplemented) RC4 case, then fail silently */ 317 if (ret == -ENOSYS) 318 return; 319 320 if (ret < 0) { 321 fprintf(stderr, "Error: image verification failed\n"); 322 return; 323 } 324 325 image_type = ret; 326 327 printf("Image Type: Rockchip %s (%s) boot image\n", 328 spl_info->spl_hdr, 329 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI"); 330 printf("Data Size: %d bytes\n", header0.init_size * RK_BLK_SIZE); 331 } 332 333 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size) 334 { 335 unsigned int remaining = size; 336 337 while (remaining > 0) { 338 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining; 339 340 rc4_encode(buf + offset, step, rc4_key); 341 offset += RK_BLK_SIZE; 342 remaining -= step; 343 } 344 } 345 346 int rkcommon_vrec_header(struct image_tool_params *params, 347 struct image_type_params *tparams, 348 unsigned int alignment) 349 { 350 unsigned int unpadded_size; 351 unsigned int padded_size; 352 353 /* 354 * The SPL image looks as follows: 355 * 356 * 0x0 header0 (see rkcommon.c) 357 * 0x800 spl_name ('RK30', ..., 'RK33') 358 * (start of the payload for AArch64 payloads: we expect the 359 * first 4 bytes to be available for overwriting with our 360 * spl_name) 361 * 0x804 first instruction to be executed 362 * (start of the image/payload for 32bit payloads) 363 * 364 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is 365 * required for its sections (so the image we receive needs to 366 * have the first 4 bytes reserved for the spl_name). Reserving 367 * these 4 bytes is done using the BOOT0_HOOK infrastructure. 368 * 369 * Depending on this, the header is either 0x800 (if this is a 370 * 'boot0'-style payload, which has reserved 4 bytes at the 371 * beginning for the 'spl_name' and expects us to overwrite 372 * its first 4 bytes) or 0x804 bytes in length. 373 */ 374 if (rkcommon_spl_is_boot0(params)) 375 tparams->header_size = RK_SPL_HDR_START; 376 else 377 tparams->header_size = RK_SPL_HDR_START + 4; 378 379 /* Allocate, clear and install the header */ 380 tparams->hdr = malloc(tparams->header_size); 381 if (!tparams->hdr) 382 return -ENOMEM; 383 memset(tparams->hdr, 0, tparams->header_size); 384 385 /* 386 * If someone passed in 0 for the alignment, we'd better handle 387 * it correctly... 388 */ 389 if (!alignment) 390 alignment = 1; 391 392 unpadded_size = tparams->header_size + params->file_size; 393 padded_size = ROUND(unpadded_size, alignment); 394 395 return padded_size - unpadded_size; 396 } 397