[PATCH v3 0/3] add habv4 support for i.MX6

[PATCH v3 0/3] add habv4 support for i.MX6

[Marc Kleine-Budde]

Hello,

this series adds support for HABv4 signed images. The last patch add code to
decode HAB events, which is usefull during development.

Tested on $CUSTOMER's i.MX6 solo.

Changes since v2:
- [PATCH v3 2/3] images: add HABv4 support for i.MX6:
  fix typos
  add missing depends on ARCH_IMX6
  renamed Makefile
  improved commentsin habv4-imx28.csf.in
- [PATCH v3 3/3] habv4: add High Assurance Boot v4:
  habv4_get_rvt(): make use of cpu_is_ rather than IS_ENABLED(CONFIG_ARCH_)
  provide static inline wrapper for habv4_get_status()

Marc


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH v3 1/3] imx-image: add option to prepare image for HAB signing

[Marc Kleine-Budde]

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 scripts/imx/imx-image.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/scripts/imx/imx-image.c b/scripts/imx/imx-image.c
index cff1997573ac..25ea4d8d1b94 100644
--- a/scripts/imx/imx-image.c
+++ b/scripts/imx/imx-image.c
@@ -33,6 +33,7 @@
 
 #define MAX_DCD 1024
 #define HEADER_LEN 0x1000	/* length of the blank area + IVT + DCD */
+#define CSF_LEN 0x2000		/* length of the CSF (needed for HAB) */
 
 static uint32_t image_load_addr;
 static uint32_t image_dcd_offset;
@@ -41,6 +42,7 @@ static int curdcd;
 static int header_version;
 static int cpu_type;
 static int add_barebox_header;
+static int prepare_sign;
 
 /*
  * ============================================================================
@@ -194,6 +196,11 @@ static int add_header_v2(void *buf, int offset, uint32_t loadaddr, uint32_t imag
 	hdr->boot_data.start	= loadaddr;
 	hdr->boot_data.size	= imagesize;
 
+	if (prepare_sign) {
+		hdr->csf = loadaddr + imagesize;
+		hdr->boot_data.size += CSF_LEN;
+	}
+
 	hdr->dcd_header.tag	= TAG_DCD_HEADER;
 	hdr->dcd_header.length	= htobe16(sizeof(uint32_t) + dcdsize);
 	hdr->dcd_header.version	= DCD_VERSION;
@@ -214,6 +221,7 @@ static void usage(const char *prgname)
 		"-b           add barebox header to image. If used, barebox recognizes\n"
 		"             the image as regular barebox image which can be used as\n"
 		"             second stage image\n"
+		"-p           prepare image for signing\n"
 		"-h           this help\n", prgname);
 	exit(1);
 }
@@ -655,7 +663,7 @@ int main(int argc, char *argv[])
 	int dcd_only = 0;
 	int now = 0;
 
-	while ((opt = getopt(argc, argv, "c:hf:o:bd")) != -1) {
+	while ((opt = getopt(argc, argv, "c:hf:o:bdp")) != -1) {
 		switch (opt) {
 		case 'c':
 			configfile = optarg;
@@ -672,6 +680,9 @@ int main(int argc, char *argv[])
 		case 'd':
 			dcd_only = 1;
 			break;
+		case 'p':
+			prepare_sign = 1;
+			break;
 		case 'h':
 			usage(argv[0]);
 		default:
-- 
2.1.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH v3 2/3] images: add HABv4 support for i.MX6

[Marc Kleine-Budde]

This patch adds high assurance boot support (HABv4) image generation to
barebox, currently tested on i.MX6 only.

In order to build a signed barebox image, add a new image target to
images/Makefile.imx as illustrated in the diff below:

- - - a/images/Makefile.imx
+ + + b/images/Makefile.imx
@@ -163,10 +163,14 @@ image-$(CONFIG_MACH_SABRELITE) += barebox-freescale-imx6dl-sabrelite.img
 pblx-$(CONFIG_MACH_SABRESD) += start_imx6q_sabresd
 CFG_start_imx6q_sabresd.pblx.imximg = $(board)/freescale-mx6-sabresd/flash-header-mx6-sabresd.imxcfg
 FILE_barebox-freescale-imx6q-sabresd.img = start_imx6q_sabresd.pblx.imximg
 image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd.img

+CSF_start_imx6q_sabresd.pblx.imximg = $(havb4_imx6csf)
+FILE_barebox-freescale-imx6q-sabresd-signed.img = start_imx6q_sabresd.pblx.imximg.signed
+image-$(CONFIG_MACH_SABRESD) += barebox-freescale-imx6q-sabresd-signed.img
+

Here the default i.MX6 CSF file $(havb4_imx6csf) is used, it's generated during
build on from the template "scripts/habv4/habv4-imx6.csf.in". You can configure
the paths to the SRK table and certificates via: System Type -> i.MX specific
settings -> HABv4 support.

The proprietary tool "cst" by Freescale tool is expected in the PATH.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig        | 40 +++++++++++++++++++++++++++++++++
 images/.gitignore                |  2 ++
 images/Makefile                  |  3 ++-
 images/Makefile.imxhabv4         | 48 ++++++++++++++++++++++++++++++++++++++++
 scripts/habv4/gencsf.sh          | 47 +++++++++++++++++++++++++++++++++++++++
 scripts/habv4/habv4-imx28.csf.in | 33 +++++++++++++++++++++++++++
 scripts/habv4/habv4-imx6.csf.in  | 37 +++++++++++++++++++++++++++++++
 7 files changed, 209 insertions(+), 1 deletion(-)
 create mode 100644 images/Makefile.imxhabv4
 create mode 100755 scripts/habv4/gencsf.sh
 create mode 100644 scripts/habv4/habv4-imx28.csf.in
 create mode 100644 scripts/habv4/habv4-imx6.csf.in

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index 477207e646cd..caeb5a3b5aa1 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -676,6 +676,46 @@ config IMX_OCOTP_WRITE
 		mw -l -d /dev/imx-ocotp 0x8C 0x00001234
 		mw -l -d /dev/imx-ocotp 0x88 0x56789ABC
 
+config HABV4
+	tristate "HABv4 support"
+	depends on ARCH_IMX6
+	help
+	  High Assurance Boot, as found on i.MX28/i.MX6.
+
+if HABV4
+
+config HABV4_TABLE_BIN
+	string "Path to SRK table"
+	default "../crts/SRK_1_2_3_4_table.bin"
+	help
+	  Path to the Super Root Key (SRK) table, produced by the
+	  Freescale Code Signing Tool (cst).
+
+	  This file will be inserted into the Command Sequence File
+	  (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_CSF_CRT_PEM
+	string "Path to CSF certificate"
+	default "../crts/CSF1_1_sha256_4096_65537_v3_usr_crt.pem"
+	help
+	  Path to the Command Sequence File (CSF) certificate, produced by the
+	  Freescale Public Key Infrastructure (PKI) script.
+
+	  This file will be inserted into the Command Sequence File
+	  (CSF) when using the CSF template that comes with barebox.
+
+config HABV4_IMG_CRT_PEM
+	string "Path to IMG certificate"
+	default "../crts/IMG_1_sha256_4096_65537_v3_usr_crt.pem"
+	help
+	  Path to the Image certificate, produced by the Freescale
+	  Public Key Infrastructure (PKI) script.
+
+	  This file will be inserted into the Command Sequence File
+	  (CSF) when using the CSF template that comes with barebox.
+
+endif
+
 endmenu
 
 endif
diff --git a/images/.gitignore b/images/.gitignore
index c5377d9f6531..b5004fe48fd6 100644
--- a/images/.gitignore
+++ b/images/.gitignore
@@ -3,6 +3,8 @@
 *.pblb
 *.img
 *.imximg
+*.imximg.prep
+*.imximg.signed
 *.map
 *.src
 *.kwbimg
diff --git a/images/Makefile b/images/Makefile
index 7c3aaf762767..1b188a1d2060 100644
--- a/images/Makefile
+++ b/images/Makefile
@@ -99,11 +99,12 @@ $(obj)/%.img: $(obj)/$$(FILE_$$(@F))
 
 include $(srctree)/images/Makefile.am33xx
 include $(srctree)/images/Makefile.imx
+include $(srctree)/images/Makefile.imxhabv4
 include $(srctree)/images/Makefile.mvebu
+include $(srctree)/images/Makefile.mxs
 include $(srctree)/images/Makefile.rockchip
 include $(srctree)/images/Makefile.socfpga
 include $(srctree)/images/Makefile.tegra
-include $(srctree)/images/Makefile.mxs
 
 targets += $(image-y) pbl.lds barebox.x barebox.z
 targets += $(patsubst %,%.pblx,$(pblx-y))
diff --git a/images/Makefile.imxhabv4 b/images/Makefile.imxhabv4
new file mode 100644
index 000000000000..9eb953841794
--- /dev/null
+++ b/images/Makefile.imxhabv4
@@ -0,0 +1,48 @@
+# -*-makefile-*-
+#
+# barebox image generation Makefile for HABv4 images
+#
+
+# default csf templates
+havb4_imx6csf = $(srctree)/scripts/habv4/habv4-imx6.csf.in
+habv4_imx2csf = $(srctree)/scripts/habv4/habv4-imx28.csf.in
+
+# %.imximg.prep - Convert in i.MX image, with preparation for signature
+# ----------------------------------------------------------------
+quiet_cmd_imx_prep_image = IMX-PREP-IMG $@
+      cmd_imx_prep_image = $(CPP) $(imxcfg_cpp_flags) -o $(imximg-tmp) $(word 2,$^) ; \
+			   $< -o $@ -b -c $(imximg-tmp) -p -f $(word 3,$^)
+
+.SECONDEXPANSION:
+$(obj)/%.imximg.prep: $(objtree)/scripts/imx/imx-image $$(CFG_%.imximg) $(obj)/%
+	$(call if_changed,imx_prep_image)
+
+# %.habv4.csf - create Command Sequence File from template
+# ----------------------------------------------------------------
+quiet_cmd_csf = CSF     $@
+      cmd_csf = TABLE_BIN=$(CONFIG_HABV4_TABLE_BIN) \
+		CSF_CRT_PEM=$(CONFIG_HABV4_CSF_CRT_PEM) \
+		IMG_CRT_PEM=$(CONFIG_HABV4_IMG_CRT_PEM) \
+		$< -f $(word 2,$^) -c $(word 3,$^) -i $(word 4,$^) -o $@
+
+.SECONDEXPANSION:
+$(obj)/%.habv4.csf: $(srctree)/scripts/habv4/gencsf.sh $(obj)/%.prep $$(CFG_%) $$(CSF_%)
+	$(call if_changed,csf)
+
+# %.habv4.sig - create signature and pad to 0x2000
+# ----------------------------------------------------------------
+CST = cst
+quiet_cmd_habv4_sig = HAB4SIG $@
+      cmd_habv4_sig = $(CST) -o $(imximg-tmp) < $(word 2,$^) > /dev/null; \
+		      $(OBJCOPY) -I binary -O binary --pad-to 0x2000 --gap-fill=0x5a $(imximg-tmp) $@
+
+$(obj)/%.habv4.sig: $(obj)/%.prep $(obj)/%.habv4.csf
+	$(call if_changed,habv4_sig)
+
+# %.imximg.signed - concatenate bootloader and signature
+# ----------------------------------------------------------------
+quiet_cmd_cat = CAT     $@
+      cmd_cat = cat $^ > $@
+
+$(obj)/%.imximg.signed: $(obj)/%.imximg.prep $(obj)/%.imximg.habv4.sig
+	$(call if_changed,cat)
diff --git a/scripts/habv4/gencsf.sh b/scripts/habv4/gencsf.sh
new file mode 100755
index 000000000000..2c1c34add43a
--- /dev/null
+++ b/scripts/habv4/gencsf.sh
@@ -0,0 +1,47 @@
+#!/bin/sh
+
+set -e
+
+while getopts "f:c:i:o:" opt; do
+    case $opt in
+	f)
+	    file=$OPTARG
+	    ;;
+	c)
+	    cfg=$OPTARG
+	    ;;
+	i)
+	    in=$OPTARG
+	    ;;
+	o)
+	    out=$OPTARG
+	    ;;
+	\?)
+	    echo "Invalid option: -$OPTARG" >&2
+	    exit 1
+	;;
+    esac
+done
+
+if [ ! -e $file -o ! -e $cfg -o ! -e $in ]; then
+    echo "file not found!"
+    exit 1
+fi
+
+#
+# extract and set as shell vars:
+# loadaddr=
+# dcdofs=
+#
+eval $(sed -n -e "s/^[[:space:]]*\(loadaddr\|dcdofs\)[[:space:]]*\(0x[0-9]*\)/\1=\2/p" $cfg)
+
+length=$(stat -c '%s' $file)
+
+sed -e "s:@TABLE_BIN@:$TABLE_BIN:" \
+    -e "s:@CSF_CRT_PEM@:$CSF_CRT_PEM:" \
+    -e "s:@IMG_CRT_PEM@:$IMG_CRT_PEM:" \
+    -e "s:@LOADADDR@:$loadaddr:" \
+    -e "s:@OFFSET@:0:" \
+    -e "s:@LENGTH@:$length:" \
+    -e "s:@FILE@:$file:" \
+    $in > $out
diff --git a/scripts/habv4/habv4-imx28.csf.in b/scripts/habv4/habv4-imx28.csf.in
new file mode 100644
index 000000000000..5efd25b1e57a
--- /dev/null
+++ b/scripts/habv4/habv4-imx28.csf.in
@@ -0,0 +1,33 @@
+[Header]
+Version = 4.0
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = DCP
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
diff --git a/scripts/habv4/habv4-imx6.csf.in b/scripts/habv4/habv4-imx6.csf.in
new file mode 100644
index 000000000000..11a5db94946c
--- /dev/null
+++ b/scripts/habv4/habv4-imx6.csf.in
@@ -0,0 +1,37 @@
+[Header]
+Version = 4.1
+Hash Algorithm = sha256
+Engine Configuration = 0
+Certificate Format = X509
+Signature Format = CMS
+Engine = CAAM
+
+[Install SRK]
+File = "@TABLE_BIN@"
+# SRK index within SRK-Table 0..3
+Source index = 0
+
+[Install CSFK]
+File = "@CSF_CRT_PEM@"
+
+[Authenticate CSF]
+
+[Unlock]
+Engine = CAAM
+Features = RNG
+
+[Install Key]
+# verification key index in key store (0, 2...5)
+Verification index = 0
+# target key index in key store (2...5)
+Target index = 2
+File = "@IMG_CRT_PEM@"
+
+[Authenticate Data]
+# verification key index in key store (2...5)
+Verification index = 2
+# "starting load address in memory"
+# "starting offset within the source file"
+# "length (in bytes)"
+# "file (binary)"
+Blocks = @LOADADDR@ @OFFSET@ @LENGTH@ "@FILE@"
-- 
2.1.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH v3 3/3] habv4: add High Assurance Boot v4

[Marc Kleine-Budde]

This patch adds the code to check the HAB ROM for failures during development.
Add a cal to "habv4_get_status();" to your board file, to get the current
system state from the ROM.

_NOTE_: On i.MX6 this has to happen before barebox starts the MMU, because the
        HAB ROM vector table is placed at 0x94, which is not accessible after the
	MMU has setup the zero page.

This patch contains code ported from u-boot patches [1][2] by Shaojun Wang [3]
which were found in the "Mx28 Secure Boot" and "Mx6 HAB (High Assurance Boot)"
thread on the freescale community forum [4][5].

[1] https://community.freescale.com/servlet/JiveServlet/download/370047-269174/0001-enable-mx28-u-boot-hab.patch.txt.zip
[1] https://community.freescale.com/servlet/JiveServlet/download/96451-11-266175/0001-u-boot-enable-mx6-hab.patch.zip
[2] https://community.freescale.com/people/ShaojunWang
[3] https://community.freescale.com/thread/317254
[3] https://community.freescale.com/docs/DOC-96451

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/Makefile       |   1 +
 drivers/habv4/Makefile |   1 +
 drivers/habv4/habv4.c  | 237 +++++++++++++++++++++++++++++++++++++++++++++++++
 include/habv4.h        |  30 +++++++
 4 files changed, 269 insertions(+)
 create mode 100644 drivers/habv4/Makefile
 create mode 100644 drivers/habv4/habv4.c
 create mode 100644 include/habv4.h

diff --git a/drivers/Makefile b/drivers/Makefile
index 7ef5e90d80cf..3afbb61b2d3b 100644
--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -30,3 +30,4 @@ obj-$(CONFIG_PCI) += pci/
 obj-y += rtc/
 obj-$(CONFIG_FIRMWARE) += firmware/
 obj-$(CONFIG_GENERIC_PHY) += phy/
+obj-$(CONFIG_HABV4) += habv4/
diff --git a/drivers/habv4/Makefile b/drivers/habv4/Makefile
new file mode 100644
index 000000000000..40b3253147dd
--- /dev/null
+++ b/drivers/habv4/Makefile
@@ -0,0 +1 @@
+obj-y += habv4.o
diff --git a/drivers/habv4/habv4.c b/drivers/habv4/habv4.c
new file mode 100644
index 000000000000..5ace0def2a14
--- /dev/null
+++ b/drivers/habv4/habv4.c
@@ -0,0 +1,237 @@
+/*
+ * Copyright (C) 2014, 2015 Marc Kleine-Budde <mkl@pengutronix.de>
+ * Copyright (C) 2010 Freescale Semiconductor, Inc.
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#define pr_fmt(fmt)  "HABv4: " fmt
+
+#include <common.h>
+#include <habv4.h>
+#include <types.h>
+
+#include <mach/generic.h>
+
+#define HABV4_RVT_IMX28 0xffff8af8
+#define HABV4_RVT_IMX6 0x00000094
+
+enum hab_tag {
+	HAB_TAG_IVT = 0xd1,		/* Image Vector Table */
+	HAB_TAG_DCD = 0xd2,		/* Device Configuration Data */
+	HAB_TAG_CSF = 0xd4,		/* Command Sequence File */
+	HAB_TAG_CRT = 0xd7, 		/* Certificate */
+	HAB_TAG_SIG = 0xd8,		/* Signature */
+	HAB_TAG_EVT = 0xdb,		/* Event */
+	HAB_TAG_RVT = 0xdd,		/* ROM Vector Table */
+	HAB_TAG_WRP = 0x81,		/* Wrapped Key */
+	HAB_TAG_MAC = 0xac,		/* Message Authentication Code */
+};
+
+/* Status definitions */
+enum hab_status {
+	HAB_STATUS_ANY = 0x00,		/* Match any status in report_event */
+	HAB_STATUS_FAILURE = 0x33,	/* Operation failed */
+	HAB_STATUS_WARNING = 0x69,	/* Operation completed with warning */
+	HAB_STATUS_SUCCESS = 0xf0,	/* Operation completed successfully */
+};
+
+/* Security Configuration definitions */
+enum hab_config {
+	HAB_CONFIG_FAB = 0x00,		/* Un-programmed IC */
+	HAB_CONFIG_RETURN = 0x33,	/* Field Return IC */
+	HAB_CONFIG_OPEN = 0xf0,		/* Non-secure IC */
+	HAB_CONFIG_CLOSED = 0xcc,	/* Secure IC */
+};
+
+/* State definitions */
+enum hab_state {
+	HAB_STATE_INITIAL = 0x33,	/* Initialising state (transitory) */
+	HAB_STATE_CHECK = 0x55,		/* Check state (non-secure) */
+	HAB_STATE_NONSECURE = 0x66,	/* Non-secure state */
+	HAB_STATE_TRUSTED = 0x99,	/* Trusted state */
+	HAB_STATE_SECURE = 0xaa,	/* Secure state */
+	HAB_STATE_FAIL_SOFT = 0xcc,	/* Soft fail state */
+	HAB_STATE_FAIL_HARD = 0xff,	/* Hard fail state (terminal) */
+	HAB_STATE_NONE = 0xf0,		/* No security state machine */
+};
+
+enum hab_target {
+	HAB_TARGET_MEMORY = 0x0f,	/* Check memory white list */
+	HAB_TARGET_PERIPHERAL = 0xf0,	/* Check peripheral white list*/
+	HAB_TARGET_ANY = 0x55,		/* Check memory & peripheral white list */
+};
+
+enum hab_assertion {
+	HAB_ASSERTION_BLOCK = 0x0,	/* Check if memory is authenticated after CSF */
+};
+
+struct hab_header {
+	uint8_t tag;
+	uint16_t len;			/* len including the header */
+	uint8_t par;
+} __packed;
+
+typedef enum hab_status hab_loader_callback_fn(void **start, uint32_t *bytes, const void *boot_data);
+
+struct habv4_rvt {
+	struct hab_header header;
+	enum hab_status (*entry)(void);
+	enum hab_status (*exit)(void);
+	enum hab_status (*check_target)(enum hab_target target, const void *start, uint32_t bytes);
+	void *(*authenticate_image)(uint8_t cid, uint32_t ivt_offset, void **start, uint32_t *bytes, hab_loader_callback_fn *loader);
+	enum hab_status (*run_dcd)(const void *dcd);
+	enum hab_status (*run_csf)(const void *csf, uint8_t cid);
+	enum hab_status (*assert)(enum hab_assertion assertion, const void *data, uint32_t count);
+	enum hab_status (*report_event)(enum hab_status status, uint32_t index, void *event, uint32_t *bytes);
+	enum hab_status (*report_status)(enum hab_config *config, enum hab_state *state);
+	void (*failsafe)(void);
+} __packed;
+
+static const struct habv4_rvt *__rvt;
+
+static inline const struct habv4_rvt *habv4_get_rvt(void)
+{
+	if (__rvt)
+		return __rvt;
+
+	if (cpu_is_mx28())
+		__rvt = (void *)HABV4_RVT_IMX28;
+	else if (cpu_is_mx6())
+		__rvt = (void *)HABV4_RVT_IMX6;
+
+	if (__rvt->header.tag != HAB_TAG_RVT) {
+		pr_err("ERROR - RVT not found!\n");
+		return NULL;
+	}
+
+	pr_info("Found RVT v%d.%d\n", __rvt->header.par >> 4,
+		__rvt->header.par & 0xf);
+
+	return __rvt;
+}
+
+static const char *habv4_get_status_str(enum hab_status status)
+{
+	switch (status) {
+	case HAB_STATUS_ANY:
+		return "Match any status in report_event"; break;
+	case HAB_STATUS_FAILURE:
+		return "Operation failed"; break;
+	case HAB_STATUS_WARNING:
+		return "Operation completed with warning"; break;
+	case HAB_STATUS_SUCCESS:
+		return "Operation completed successfully"; break;
+	}
+
+	return "<unknown>";
+}
+
+static const char *habv4_get_config_str(enum hab_config config)
+{
+	switch (config) {
+	case HAB_CONFIG_FAB:
+		return "Un-programmed IC"; break;
+	case HAB_CONFIG_RETURN:
+		return "Field Return IC"; break;
+	case HAB_CONFIG_OPEN:
+		return "Non-secure IC"; break;
+	case HAB_CONFIG_CLOSED:
+		return "Secure IC"; break;
+	}
+
+	return "<unknown>";
+}
+
+static const char *habv4_get_state_str(enum hab_state state)
+{
+	switch (state) {
+	case HAB_STATE_INITIAL:
+		return "Initialising state (transitory)"; break;
+	case HAB_STATE_CHECK:
+		return "Check state (non-secure)"; break;
+	case HAB_STATE_NONSECURE:
+		return "Non-secure state"; break;
+	case HAB_STATE_TRUSTED:
+		return "Trusted state"; break;
+	case HAB_STATE_SECURE:
+		return "Secure state"; break;
+	case HAB_STATE_FAIL_SOFT:
+		return "Soft fail state"; break;
+	case HAB_STATE_FAIL_HARD:
+		return "Hard fail state (terminal)"; break;
+	case HAB_STATE_NONE:
+		return "No security state machine"; break;
+	}
+
+	return "<unknown>";
+}
+
+static void habv4_display_event(uint8_t *data, uint32_t len)
+{
+	unsigned int i;
+
+	if (data && len) {
+		for (i = 0; i < len; i++) {
+			if (i == 0)
+				printf(" %02x", data[i]);
+			else if ((i % 8) == 0)
+				printf("\n %02x", data[i]);
+			else if ((i % 4) == 0)
+				printf("  %02x", data[i]);
+			else
+				printf(" %02x", data[i]);
+		}
+	}
+	printf("\n\n");
+}
+
+int habv4_get_status(void)
+{
+	const struct habv4_rvt *rvt = habv4_get_rvt();
+	uint8_t data[256];
+	uint32_t len = sizeof(data);
+	uint32_t index = 0;
+	enum hab_status status;
+	enum hab_config config = 0x0;
+	enum hab_state state = 0x0;
+
+	if (!rvt)
+		return -ENODEV;
+
+	status = rvt->report_status(&config, &state);
+	pr_info("Status: %s (0x%02x)\n", habv4_get_status_str(status), status);
+	pr_info("Config: %s (0x%02x)\n", habv4_get_config_str(config), config);
+	pr_info("State: %s (0x%02x)\n",	habv4_get_state_str(state), state);
+
+	if (status == HAB_STATUS_SUCCESS) {
+		pr_info("No HAB Failure Events Found!\n\n");
+		return 0;
+	}
+
+	while (rvt->report_event(HAB_STATUS_FAILURE, index, data, &len) == HAB_STATUS_SUCCESS) {
+		printf("-------- HAB Event %d --------\n"
+		       "event data:\n", index);
+
+		habv4_display_event(data, len);
+		len = sizeof(data);
+		index++;
+	}
+
+	/* Check reason for stopping */
+	if (rvt->report_event(HAB_STATUS_ANY, index, NULL, &len) == HAB_STATUS_SUCCESS)
+		pr_err("ERROR: Recompile with larger event data buffer (at least %d bytes)\n\n", len);
+
+	return -EPERM;
+}
diff --git a/include/habv4.h b/include/habv4.h
new file mode 100644
index 000000000000..fb6ed99d8207
--- /dev/null
+++ b/include/habv4.h
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) 2014, 2015 Marc Kleine-Budde <mkl@pengutronix.de>
+ *
+ * See file CREDITS for list of people who contributed to this
+ * project.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; either version 2 of
+ * the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __HABV4_H
+#define __HABV4_H
+
+#ifdef CONFIG_HABV4
+int habv4_get_status(void);
+#else
+static inline int habv4_get_status()
+{
+	return -EPERM;
+}
+#endif
+
+#endif /* __HABV4_H */
-- 
2.1.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

Re: [PATCH v3 0/3] add habv4 support for i.MX6

[Sascha Hauer]

On Mon, Apr 13, 2015 at 02:27:00PM +0200, Marc Kleine-Budde wrote:
> Hello,
> 
> this series adds support for HABv4 signed images. The last patch add code to
> decode HAB events, which is usefull during development.
> 
> Tested on $CUSTOMER's i.MX6 solo.
> 
> Changes since v2:
> - [PATCH v3 2/3] images: add HABv4 support for i.MX6:
>   fix typos
>   add missing depends on ARCH_IMX6
>   renamed Makefile
>   improved commentsin habv4-imx28.csf.in
> - [PATCH v3 3/3] habv4: add High Assurance Boot v4:
>   habv4_get_rvt(): make use of cpu_is_ rather than IS_ENABLED(CONFIG_ARCH_)
>   provide static inline wrapper for habv4_get_status()

Applied, thanks

Sascha

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox