| Age | Commit message (Collapse) | Author |
|---|
|
Only limited heap memory is available on imx8q platforms due
to some memory is reserved for m4 image. Commit cd67414 will
free avb verify data and thus help decrease the heap memory
consumption.
But when the device is locked, avb will try to verify one slot
first, it will continue to verify another if the first slot
returns failure. Function load_full_partition() will alloc memory
to load boot/dtbo images from heap (which is a big and continuous
memory region), this memory will be freed if the first slot returns
verify failure. but because part of the continous memory region
will be used in following verify process, even total available memory
is enough, u-boot can't find a continous memory region to load the
boot/dtbo image for another slot and will return error "Failed to
allocate memory".
Instead, this commit use fixed memory region start from 96MB offset of
CONFIG_FASTBOOT_BUF_ADDR to load the boot/dtbo images.
Test: slot verify and A/B slot switch.
Change-Id: Ifc83bed5a6be37196c0fd109d942eaf9b07b6a74
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Address 0x8880_0000 is reserved for M4 image on imx8q, which
leaves limited memory region for the malloc pool. The avb
will consume much heap memory to verify the kernel and dtbo
image, memory conflicts may happen as the kernel/dtbo image
size is getting larger.
As the avb will load kernel/dtbo in every avb_slot_verify(), but
will only free the memory after both slots are checked(if needed).
And for trusty enabled platforms, extra heap memory will be used
to do the hash calculation.
This commit will free the slot memory once it's marked as unbootable
and will use fixed memory started from CONFIG_FASTBOOT_BUF_ADDR to
help store the data to do the hash calculation. With above change,
we get a chance to decrease the malloc pool size.
Test: boot on imx8qxp and imx8mn.
Change-Id: Id95b9becf6fa7fae4f120a4dc9e9a3ba90da578c
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Slot will be marked as "unbootable" state if error happens during
image load/verify process, this may cause the board never boot up
if some random failures happen (like eMMC/DRAM access error at some
critical temperature).
Check the "successful_boot" flag before marking the slot as "unbootable",
this will help ease the "no bootable slot" issue.
Test: slot switch on imx8qm_mek.
Change-Id: Idfcc5723aa233e9019365b792c48bf8a5dc99b96
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
We may need to enable the dual bootloader feature on non-trusty
platforms, skip the bootloader rollback index check in spl if
trusty is not enabled.
Don't generate rpmb key in spl, it should be generated in u-boot
proper with u-boot commands.
Test: dual bootloader on imx8mm.
Change-Id: Iac455e0140cd6f4472a66d267d9ba0d40df7102c
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
The A/B slot selection is moved to spl, it may lead to hang
if no bootable slots found. The only way to recover the board
is re-flash images with uuu tool, which is quite inconvenient
for some customers who can't enter serial download mode.
This patch will set "spl recovery mode" which will give us a
chance to re-flash images with fastboot commands.
Test: Enter spl recovery mode and flash images when no bootable
slots found.
Change-Id: I31278f5212bde7609fe2f49e77b3849e92c0c516
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
It can be dangerous to export some hwcrypto commands to Linux,
add commands to limit some commands within bootloader.
Test: hwcrypto commands can't be used after locking boot state.
Change-Id: Ib0a96a87f661778c133178840d8dccf49f151c22
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new command to generate bkek from trusty.
Test: generate and dump bkek.
Change-Id: I6b2a30b87c755eecd00ced7c53cfb86e432040de
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add sha256 hmac support in u-boot.
Test: hmac calculation.
Change-Id: I0f1438fed8290620a1bb0663d19c21e20098eb5a
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
In host end, need encrypt the attestation keys and certs
by manufacture protection public key though AES-128-ECB.
Then use below 4 set of commands to provision encrypted
RSA attestation and EC attestation:
* $fastboot stage atte_rsa_key.bin
* $fastboot oem set-rsa-atte-key-enc
* $fastboot stage atte_rsa_cert.bin
* $fastboot oem append-rsa-atte-cert-enc
* $fastboot stage atte_ec_key.bin
* $fastboot oem set-ec-atte-key-enc
* $fastboot stage atte_ec_cert.bin
* $fastboot oem append-ec-atte-cert-enc
Change-Id: I8a7c64004a17f7dde89f28c3123a2e2b1a6d3346
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Add new keymaster commands to get Manufacure Production key (mppubk).
Since the mppubk can only be generated in OEM CLOSED imx8q board, so
we can only this command when the board is HAB/AHAB closed.
Commands to extract the mppubk:
* $fastboot oem get-mppubk
* $fastboot get_staged mppubk.bin
Test: Generate and dump the mppubk.bin
Change-Id: Idc59e78ca6345497e744162664b8293f50d1eda4
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
initialize potential uninitialized variable with the type of"char*" to
be NULL in AVB. That "hashtree_error_mode" in code is manually specified
with a known value, the cases listed cover all potential value of
"hashtree_error_mode"
explicitly do a type cast for memcpy parameters.
Change-Id: Ie5d234422a273d6dab75585bd0d8eb81583707ca
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
|
|
Fix coverity issues as:
CID 5899697: Dereference before null check (REVERSE_INULL)
CID 3616594: Unchecked return value (CHECKED_RETURN)
CID 3616598: Resource leak (RESOURCE_LEAK)
CID 3616591: Resource leak (RESOURCE_LEAK)
Test: Coverity scan pass.
Change-Id: I70abb41c3cd825c6eec43dc7e5baec716ae46680
Signed-off-by: Luo Ji <ji.luo@nxp.com>
|
|
Trusty is not supported for xen so we don't need to check
the keyslot package or rollback index in spl. Reassign the
dram address for spl and u-boot to avoid conflicts.
Support serial init functions to enable debug console
in spl when xen is running.
Test: Boot and A/B slot switch on imx8qm_mek.
Change-Id: If6829252f1ec2e32255f951715c8747181951fd0
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
|
|
Fix resource leak in libavb, coverity issue:
CID 5899691: Resource leak (RESOURCE_LEAK) leaked_storage: Variable
hash_out going out of scope leaks the storage it points to.
CID 5899689: Resource leak (RESOURCE_LEAK) leaked_storage: Variable
hash_buf going out of scope leaks the storage it points to.
CID 5899688: Uninitialized pointer read (UNINIT) uninit_use: Using
uninitialized value digest.
CID 5899692: Structurally dead code (UNREACHABLE) unreachable: This
code cannot be reached: goto out;
Test: Coverity scan pass.
Change-Id: If8e26fdd383c32a9160775006621830b42c0f07e
Signed-off-by: Luo Ji <ji.luo@nxp.com>
|
|
The hash buffer is allocated on stack if we don't use
CAAM to accelerate the hash calculation, don't free
the hash buffer in such case.
Test: Boot ok on imx8qm.
Change-Id: I3b3dcc0e8359848b4f9c58c802d51f0a76931e5e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Grant user the permission to change the bootargs can be very
dangerous, so add config 'CONFIG_APPEND_BOOTARGS' to guard the
bootargs appending feature.
Test: bootargs can't be appended if "CONFIG_APPEND_BOOTARGS" is
not set.
Change-Id: I6d6879415ca251c806b56490290e5032aef24277
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
The A/B slot is chosen at spl stage and should be kept up to
u-boot stage. Decrease slot retry count will cause slot switch
when the slot only has one chance left.
Set the 'bootloader_verified' flag when current slot is running the last
chance at spl, u-boot will treat the slot as bootable if the
'reserved' flag is set even the retry count exhausted.
Test: Slot not switch during 7 times reboot try.
Change-Id: I7ae84b2ce683300a1bb332606cd58e48483214ea
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
During AVB verify, CAAM will be invoked to calculate the hash
of boot.img and dtbo.img. ALLOC_CACHE_ALIGN_BUFFER() supports
allocate cache aligned buffer on *stack*, which may cause
'dirty' dcache data be flushed to dram after CAAM operations
complete.
Use memalign() to allocate cache aligned buffer on *heap* to
fix this issue.
Test: 1200 times reboot test on imx8qm and 2300 times reboot
on imx8qxp.
Change-Id: I8f86248df318093d44a46dcab76306377898766e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Open configs to add trusty os support for imx8q xen
build. The rpmb keyslot package must be checked and
copied to secure memory before trusty os boot.
Change-Id: I66201783fa8439f2685377c10f257f064057dcfa
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Support dual bootloader feature for imx8q which uses the
container format. Move the A/B slot select and verify to
SPL stage, the bootloader rollback index will be stored
at the last 8K bytes of eMMC rpmb storage.
Test: Boot and rbindex verify pass on imx8q.
Change-Id: I0a48210f65984a083037a0cd3f9558951029ed7d
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Pass the verified boot key hash to keymaster, it will be
treated as the root trust in keymaster service.
Also set the 'initialized' flag after initializing the
keymaster client or set keymaster boot parameters will fail.
Test: Pass CTS cases:
android.keystore.cts.KeyAttestationTest#testRsaAttestation
android.keystore.cts.KeyAttestationTest#testEcAttestation
Change-Id: I486b5493826160f42c61a3da0e6cd769df92254d
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Sometimes we need to set random rpmb key which is invisible
except for the device.
Generate the random key with hwcrypto interface and support
fastboot command "fastboot oem set-rpmb-random-key" to set it.
Test: build and boot on imx8q.
Change-Id: I44e1b6b091366d8ffceb1159fc65c17610ce5243
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new hwcrypto command to support rng generation with CAAM.
Test: rng generated on imx8qxp_mek.
Change-Id: I756f3e99423f0f9dfc2bcd30117a3f96e9f5f2f7
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Open configs to enable trusty for imx8mm_evk and also
add new config imx8mm_evk_android_trusty_defconfig based
on imx8mm_evk_android_defconfig.
Test: Trusty starts ok.
Change-Id: Iaea90de21f886ed23082a5e8e8d2fa7fb139a9cb
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Print the func name instead of null buffer.
Test: boot on imx8qm_mek.
Change-Id: I883a9cebb2981b7e2451c00ed27000baf40097bf
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
This will reduce some image size for Android Auto.
Test: build and boot on imx8qm_mek.
Change-Id: I023801a542f83398126d5af23c0a1eb2080c5063
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add commands to write/read vbmeta public key to/from secure
storage. The vbmeta public key can only be set once.
Comands to set the public key:
fastboot stage <path-to-your-public-key>
fastboot oem set-public-key
Test: build and boot on imx8qxp_mek.
Change-Id: Id3ad4aa5aacef4fc8443f6a2d6ccb931310970ca
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Secure storage is ready in trusty so we should read/write the rollback
index from rpmb.
But for borads without rpmb key, read/write the rpmb will fail and will
block the following avb verify process. In this case, check if the rpmb
key has been set and always return AVB_IO_RESULT_OK for the boards without
rpmb key.
Test: build and boot pass on imx8qm_mek.
Change-Id: I10c438e56d049ae97ebedfc446c8202642630d8b
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Too many macros are used in fsl_avbkey.c and
make it difficult to maintain.
This patch made some refine by:
1. Move all avb/atx operations to fsl_avb.c.
2. Refine the functions logic.
3. Drop some unsupported conditions/functions.
Test: build and boot on
imx8qm_mek/imx8mq_evk/imx6qp_sabresd/imx7d_pico/imx8m_aiy.
Change-Id: I5c99732acfc47d53cdf188d69223983777e577f4
Signed-off-by: Luo Ji <ji.luo@nxp.com>
|
|
Pass "androidboot.keystore=trusty" for trusty backed keymaster
service, pass "androidboot.keystore=software" for software
keymaster service.
Test: boot pass on imx8qm_mek.
Change-Id: I9fa38c15a7c10aef09ab29b0e9859b690e3e7a41
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Commit "ql-tipc: trusty_ipc: Change ipc polling to be per device" removes
rpmb_storage_proxy_poll() call in avb_do_tipc() which will return early
if the rpmb proxy service isn't initialized properly, this will make boards
hang if the rpmb key is not set.
Skip initializing AVB and Keymaster client if the rpmb key hasn't been
set, but keep the hwcrypto client initialization since we need it to
generate the rpmb key blob.
Test: Build and boot ok on imx8q.
Change-Id: I1ead849e812da55edae8b739d9ae56a7d4951af4
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
The rollback index should be updated when avb verify pass
and the slot has been marked as successful, update the
rollback index also for those enabled dual bootloader
feature.
This commit also fix some configs condition issue so
read/write rollback index with trusty will work.
Test: rollback index updated successfully on
imx7d_pico and AIY.
Change-Id: I2344d6462249d8d88f0622d331cdeffc7e12f885
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add support for fastboot variable 'at-vboot-state', it's composed
by 6 sub-variable: 'bootloader-locked', 'bootloader-min-versions',
'avb-perm-attr-set', 'avb-locked', 'avb-unlock-disabled' and
'avb-min-versions'.
Test: All 'at-vboot-state' variables are returned
correctly on imx7d_pico and AIY.
Change-Id: Ibb855cbcc7c41657af62dafb98a96c4dfb96ef22
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Device will be locked permanently after disabling the unlcok vboot, store
the disable unlock vboot status into fuse. Since the fuse write operation
is irreversible so config 'CONFIG_AVB_FUSE' is disabled by default, user
need to add this config manually and run this command again.
Test: Disable unlock vboot bit is set after enabling "CONFIG_AVB_FUSE",
device was locked permanently after running this command. This is
verified on both imx7d_pico and AIY.
Change-Id: Iad8991a238763b1d662e33cba65f0b9eb44e97ef
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Supoort "fastboot oem at-lock-vboot" command for Android
Things, this command can only be called after perm-attr
have been fused.
Test: build and boot ok on imx7d_pico and AIY.
Change-Id: Ifcfeb2a38d88c5d12b46a1d9ea61b182ae2e7bcb
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add fastboot commands "fastboot oem at-get-vboot-unlock-challenge"
and "fastboot oem at-unlock-vboot" to support the authenticated
unlock feature for Android Things devices. Use software random
numbers generator to generate the 16 bytes random challenge, it
should be replaced with hardware encrypted random generator when
the TEE part is ready.
Test: Generate unlock challenge by:
./avbtool make_atx_unlock_credential
--output=atx_unlock_credential.bin
--intermediate_key_certificate=atx_pik_certificate.bin
--unlock_key_certificate=atx_puk_certificate.bin
--challenge=my_generated_challenge.bin
--unlock_key=testkey_atx_puk.pem
validated the unlock credential successfully on imx7d_pico
and AIY.
Change-Id: I4b8cee87c9e96924169479b65020a081136681f6
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
for Android Things, sha256 is caculated with software, for Android Auto,
sha256 is caculated with CAAM hardware module. so use macro to seperate
the code about hardware crypto service.
Change-Id: Ibf4cad2c98240ab2c826869e9cb28ad09bded2f6
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
|
|
Align the callback to ARM64 environment for
Trusty OS.
TEST: AIY-3G & AIY-1G board's TIPC and AVB handler
works.
Change-Id: I65806f56267a4a9278db04a462e351da181618cc
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
|
|
Change-Id: I1c800fe39b5999169edd6e2acb9f66e557a3a86e
|
|
Obtaining the memory attributes can be done indepentently of the
bootloader environment and is now done by the ipc layer.
Updated u-boot example to reflect this.
Change-Id: I8e649a1367ba02981419c43aac6e55b469dcf651
|
|
Changed trusty_membuf_alloc and trusty_membuf_free to trusty_alloc_pages and
trusty_free_pages. The memory allocated by these functions is intended
to be shared with the secure world so it should be inherently page based.
Updated u-boot sysdeps and trusty_ipc_dev_create/shutdown to use these
new functions
Change-Id: Ica1aa5b0cb50eba6ce18914d048e731133d94c4f
|
|
Change-Id: I4b52d9ba71c9d4fa959f19ee7d741c46dcdef09a
|
|
This allows ipc devices to provide service callbacks (e.g. rpmb) transparently
to the application instead of needing to have prior knowledge of the expected
request and having to poll the individual services' channels separately.
Change-Id: I3257ae5e429f4a0c279f070d750b56c5600c38d5
|
|
trusty_encode_page_info now also supports EL2 and EL3 in 64-bit environments
and PL1 and PL2 in 32-bit
Change-Id: I296212ae7a1f0b276279819523a13eb1cfaf2a26
|
|
RPMB storage proxy service will return fail if the rpmb key is not
correct, we should not return early here if the rpmb key has not
been set because we still need to initialize the hwcrypto service
to generate the rpmb key blob.
This commit also adds more hint when set the rpmb key.
Change-Id: I8ee59e4e277b545283d63b1070e671d508dbe0c2
Signed-off-by: Luo Ji <ji.luo@nxp.com>
|
|
Generate the key blob and store it to the last block of boot1 partition
after setting the rpmb key. The key blob should be checked in spl and be
passed to Trusty OS if it's valid. If the key blob are damaged, RPMB
storage proxy service will return fail and should make the device hang.
Test: Build and boot ok on imx8qm/qxp.
Change-Id: Ia274cd72109ab6ae15920e91b2a2008e1f1e667c
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new hwcrypto tipc command and handler to generate blob with
CAAM.
Test: Message exchange with trusty and blob encapsulate/decapsulate ok.
Change-Id: I925b47cb3e22eeddf4c89e84a9c994d2f30423fe
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Use CAAM to accelerate SHA256 hash calculation in AVB,
this will reduce u-boot boot time, about 570ms can be
saved for imx8qxp.
Test: Build and boot ok for imx8qxp.
Change-Id: Idbbd781e5ad8e7d6cd8865190d7547c165d02190
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add new service 'hwcrypto' to handle CAAM related work
with Trusty OS. Add tipc interface to accelerate hash
calculation with CAAM.
Test: Service connect and message exchange with Trusty OS
are ok.
Change-Id: Ia870c3ad2ff30af987f327a9777a8b32f53593db
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
|
Add fastboot command "fastboot oem set-rpmb-key" to program the rpmb
key which should be staged first.
Usage:
1. fastboot stage my-rpmb-key.bin
2. fastboot oem set-rpmb-key
Test: rpmb key programed successfully on imx8qxp.
Change-Id: I95474a6367eb8ef0db16bb38680975b8c45b84f1
Signed-off-by: Ji Luo <ji.luo@nxp.com>
|
