[PATCH v2 09/14] ARM: k3: add support for authenticating images against the ROM API

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

From: Sascha Hauer <s.hauer@pengutronix.de>
To: "open list:BAREBOX" <barebox@lists.infradead.org>
Subject: [PATCH v2 09/14] ARM: k3: add support for authenticating images against the ROM API
Date: Tue, 11 Mar 2025 13:25:22 +0100	[thread overview]
Message-ID: <20250311-am625-secure-v2-9-3cbbfa092346@pengutronix.de> (raw)
In-Reply-To: <20250311-am625-secure-v2-0-3cbbfa092346@pengutronix.de>

This adds support for authenticating an image against the K3 ROM API.
Also included in this patch is a new command for testing the
authentication.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 arch/arm/mach-k3/Kconfig  |  7 ++++
 arch/arm/mach-k3/common.c | 99 +++++++++++++++++++++++++++++++++++++++++++++++
 include/mach/k3/common.h  |  1 +
 3 files changed, 107 insertions(+)

diff --git a/arch/arm/mach-k3/Kconfig b/arch/arm/mach-k3/Kconfig
index 561ad1dac4..37d5155577 100644
--- a/arch/arm/mach-k3/Kconfig
+++ b/arch/arm/mach-k3/Kconfig
@@ -37,4 +37,11 @@ config MACH_BEAGLEPLAY
 	help
 	  Say Y here if you are using a TI AM62x based BeaglePlay board
 
+config ARCH_K3_COMMAND_AUTHENTICATE
+	bool "k3_authenticate_image command"
+	depends on COMMAND_SUPPORT
+	help
+	  Add k3_authenticate_image command to test authenticating images
+	  against the K3 ROM API.
+
 endmenu
diff --git a/arch/arm/mach-k3/common.c b/arch/arm/mach-k3/common.c
index 8dc9d3bc9e..a324e2d5f6 100644
--- a/arch/arm/mach-k3/common.c
+++ b/arch/arm/mach-k3/common.c
@@ -1,6 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0-only
 #include <of.h>
 #include <io.h>
+#include <dma.h>
 #include <deep-probe.h>
 #include <init.h>
 #include <envfs.h>
@@ -8,11 +9,15 @@
 #include <stdio.h>
 #include <xfuncs.h>
 #include <malloc.h>
+#include <command.h>
+#include <getopt.h>
+#include <libfile.h>
 #include <pm_domain.h>
 #include <bootsource.h>
 #include <linux/bits.h>
 #include <linux/bitfield.h>
 #include <mach/k3/common.h>
+#include <soc/ti/ti_sci_protocol.h>
 
 static const struct of_device_id k3_of_match[] = {
 	{
@@ -334,3 +339,97 @@ static int omap_env_init(void)
 	return 0;
 }
 late_initcall(omap_env_init);
+
+int k3_authenticate_image(void **buf, size_t *size)
+{
+	const struct ti_sci_handle *ti_sci;
+	u64 image_addr;
+	int ret;
+	unsigned int s = *size;
+
+	ti_sci = ti_sci_get_handle(NULL);
+	if (IS_ERR(ti_sci))
+		return -EINVAL;
+
+	image_addr = dma_map_single(NULL, *buf, *size, DMA_BIDIRECTIONAL);
+
+	ret = ti_sci->ops.proc_ops.proc_auth_boot_image(ti_sci, &image_addr, &s);
+
+	dma_unmap_single(NULL, image_addr, *size, DMA_BIDIRECTIONAL);
+
+	if (ret)
+		*size = 0;
+	else
+		*size = s;
+
+	return ret;
+}
+
+#ifdef CONFIG_ARCH_K3_COMMAND_AUTHENTICATE
+static int do_k3_authenticate_image(int argc, char *argv[])
+{
+	void *buf;
+	size_t size;
+	int ret;
+	int opt;
+	const char *outfile = NULL;
+	const char *filename;
+
+	while ((opt = getopt(argc, argv, "o:")) > 0) {
+		switch (opt) {
+		case 'o':
+			outfile = optarg;
+			break;
+		}
+	}
+
+	argc -= optind;
+
+	if (argc == 0)
+		return COMMAND_ERROR_USAGE;
+
+	filename = argv[0];
+
+	ret = read_file_2(filename, &size, &buf, FILESIZE_MAX);
+	if (ret)
+		return ret;
+
+	ret = k3_authenticate_image(&buf, &size);
+	if (ret) {
+		printf("authenticating %s failed: %pe\n", filename, ERR_PTR(ret));
+		ret = COMMAND_ERROR;
+		goto err;
+	}
+
+	printf("%s successfully authenticated\n", filename);
+
+	if (outfile) {
+		ret = write_file(outfile, buf, size);
+		if (ret) {
+			printf("Failed to write output file: %pe\n", ERR_PTR(ret));
+			goto err;
+		}
+	}
+
+	ret = 0;
+err:
+	free(buf);
+
+	return ret;
+}
+
+BAREBOX_CMD_HELP_START(k3_authenticate_image)
+BAREBOX_CMD_HELP_TEXT("Authenticate image with K3 ROM API")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("Options:")
+BAREBOX_CMD_HELP_OPT ("-o <out>",  "store unpacked authenticated image in <out>")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(k3_authenticate_image)
+	.cmd = do_k3_authenticate_image,
+	BAREBOX_CMD_DESC("authenticate file with K3 ROM API")
+	BAREBOX_CMD_OPTS("[-o <out>] file")
+	BAREBOX_CMD_GROUP(CMD_GRP_MISC)
+	BAREBOX_CMD_HELP(k3_authenticate_image)
+BAREBOX_CMD_END
+#endif
diff --git a/include/mach/k3/common.h b/include/mach/k3/common.h
index 871e9f39e3..94c5fba19d 100644
--- a/include/mach/k3/common.h
+++ b/include/mach/k3/common.h
@@ -13,6 +13,7 @@ bool k3_boot_is_emmc(void);
 u64 am625_sdram_size(void);
 void am625_register_dram(void);
 void am625_enable_32k_crystal(void);
+int k3_authenticate_image(void **buf, size_t *size);
 
 #define K3_EMMC_BOOTPART_TIBOOT3_BIN_SIZE	SZ_1M
 

-- 
2.39.5

next prev parent reply	other threads:[~2025-03-11 12:42 UTC|newest]

Thread overview: 26+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-11 12:25 [PATCH v2 00/14] am625: support secure loading of full barebox Sascha Hauer
2025-03-11 12:25 ` [PATCH v2 01/14] firmware: always generate sha256sum Sascha Hauer
2025-03-11 13:13   ` Marco Felsch
2025-03-11 12:25 ` [PATCH v2 02/14] firmware: add function to verify next image Sascha Hauer
2025-03-11 13:19   ` Marco Felsch
2025-03-11 12:25 ` [PATCH v2 03/14] ARM: k3: r5: drop loading of separate binaries Sascha Hauer
2025-03-11 13:20   ` Marco Felsch
2025-03-11 12:25 ` [PATCH v2 04/14] ARM: k3: r5: add proper error handling Sascha Hauer
2025-03-11 13:21   ` Marco Felsch
2025-03-11 12:25 ` [PATCH v2 05/14] fip: rework fip_image_open() Sascha Hauer
2025-03-11 13:42   ` Marco Felsch
2025-03-12 11:02     ` Sascha Hauer
2025-03-12 11:45       ` Marco Felsch
2025-03-11 12:25 ` [PATCH v2 06/14] fip: fix wrong function call Sascha Hauer
2025-03-11 12:25 ` [PATCH v2 07/14] fip: add function to calculate a sha256 over FIP image Sascha Hauer
2025-03-11 13:43   ` Marco Felsch
2025-03-11 12:25 ` [PATCH v2 08/14] ARM: am625: support hash verification of full barebox Sascha Hauer
2025-03-11 13:44   ` Marco Felsch
2025-03-11 12:25 ` Sascha Hauer [this message]
2025-03-11 12:25 ` [PATCH v2 10/14] ARM: k3: r5: delete fip image when it can't be opened Sascha Hauer
2025-03-11 12:25 ` [PATCH v2 11/14] ARM: k3: r5: Allow to authenticate next image by ROM API Sascha Hauer
2025-03-11 12:25 ` [PATCH v2 12/14] scripts/k3img: remove temporary files Sascha Hauer
2025-03-11 12:25 ` [PATCH v2 13/14] scripts: add k3sign Sascha Hauer
2025-03-11 12:25 ` [PATCH v2 14/14] ARM: k3: r5: select HAS_INSECURE_DEFAULTS when necessary Sascha Hauer
2025-03-11 13:46   ` Marco Felsch
2025-03-12 10:22 ` [PATCH v2 00/14] am625: support secure loading of full barebox Sascha Hauer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250311-am625-secure-v2-9-3cbbfa092346@pengutronix.de \
    --to=s.hauer@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox