From: Marco Felsch <m.felsch@pengutronix.de>
To: Fabian Pflug <f.pflug@pengutronix.de>
Cc: BAREBOX <barebox@lists.infradead.org>
Subject: Re: [PATCH v2 4/4] commands: hab: extend by field_return fuse burn
Date: Fri, 19 Dec 2025 10:57:50 +0100
Message-ID: <20251219095750.vggtq6skpe5csi6p@pengutronix.de>
In-Reply-To: <20251219-v2025-11-0-topic-imx6-field-return-v2-4-2696ac61ae2d@pengutronix.de>
On 25-12-19, Fabian Pflug wrote:
> Extend hab command with an additional parameter to burn the field return
> fuse.
> Since there is now a convenient way to burn the field return fuse, give
> a hint at the Kconfig option about this, as it already describes what to
> do in order to burn the fuse to make it complete.
>
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
Reviewed-by: Marco Felsch <m.felsch@pengutronix.de>
> ---
> arch/arm/mach-imx/Kconfig | 6 +++++-
> commands/hab.c | 24 ++++++++++++++++++++----
> 2 files changed, 25 insertions(+), 5 deletions(-)
>
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index 5f50d1a823..5fea0bbbca 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -926,13 +926,17 @@ config HABV4_CSF_UNLOCK_UID
> feature. This value must match the per device UNIQUE_ID fuses.
>
> The below example shows the expected format. The UNIQUE_ID is
> - queried by Linux via:
> + printed during boot by barebox:
> + i.MX___ unique ID: 7766554433221100
> + or it can be queried by Linux via:
> - cat /sys/devices/soc0/serial_number
> 7766554433221100
>
> So this value have to be set:
> - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
>
> + Afterwards, the `hab -p -r` command can be used to burn the fuse.
> +
> config HABV4_IMG_CRT_PEM
> string "Path to IMG certificate"
> default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> diff --git a/commands/hab.c b/commands/hab.c
> index 8ae943a4c8..1e168af4b9 100644
> --- a/commands/hab.c
> +++ b/commands/hab.c
> @@ -16,9 +16,9 @@ static int do_hab(int argc, char *argv[])
> char *srkhashfile = NULL, *srkhash = NULL;
> unsigned flags = 0;
> u8 srk[SRK_HASH_SIZE];
> - int lockdown = 0, info = 0;
> + int lockdown = 0, info = 0, field_return = 0;
>
> - while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
> + while ((opt = getopt(argc, argv, "s:fpx:lir")) > 0) {
> switch (opt) {
> case 's':
> srkhashfile = optarg;
> @@ -38,12 +38,15 @@ static int do_hab(int argc, char *argv[])
> case 'i':
> info = 1;
> break;
> + case 'r':
> + field_return = 1;
> + break;
> default:
> return COMMAND_ERROR_USAGE;
> }
> }
>
> - if (!info && !lockdown && !srkhashfile && !srkhash) {
> + if (!info && !lockdown && !srkhashfile && !srkhash && !field_return) {
> printf("Nothing to do\n");
> return COMMAND_ERROR_USAGE;
> }
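Review bot: The "Nothing to do" check now accepts `-r`, but nothing here rejects `-r` combined with `-l`, `-s` or `-x` in the same invocation, so a single `hab -p -l -r` would run the lockdown step and then the field-return burn back to back. Since both are one-way fuse operations with opposite intent, consider returning COMMAND_ERROR_USAGE when `field_return` is set together with `lockdown`, `srkhashfile` or `srkhash`.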
> @@ -94,7 +97,19 @@ static int do_hab(int argc, char *argv[])
> printf("Device successfully locked down\n");
> }
>
> - return 0;
> + if (field_return) {
> + ret = imx_hab_field_return(flags & IMX_SRK_HASH_WRITE_PERMANENT);
> + if (ret == -EINVAL && IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
> + printf("Field-return burn failed, check HABV4_CSF_UNLOCK_UID!\n");
> + else if (ret == -EINVAL && !IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
> + printf("Field-return burn failed because CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN=n\n");
> + else if (ret)
> + printf("Field-return burn failed\n");
> + else
> + printf("Field return fuse successfully burnt\n");
> + }
> +
> + return ret;
> }
>
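Review bot: In the new `if (field_return)` block the success branch prints "Field return fuse successfully burnt" whenever `imx_hab_field_return()` returns 0, including when `-p` was not given and the argument `flags & IMX_SRK_HASH_WRITE_PERMANENT` is 0; if that path returns 0 without a permanent write, the message is misleading and should distinguish the two cases. Two smaller points: the generic "Field-return burn failed" branch drops the error code, so printing `ret` there would help debugging, and with `return 0;` replaced by `return ret;` it is worth confirming that `ret` is 0 on every earlier path that does not use `-r` (for example `-i` only), which is not visible in this hunk.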
> BAREBOX_CMD_HELP_START(hab)
> @@ -105,6 +120,7 @@ BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string"
> BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info")
> BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written")
> BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted")
> +BAREBOX_CMD_HELP_OPT ("-r", "Field Return. Dangerous! After executing signed images are disabled forever.")
> BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!")
> BAREBOX_CMD_HELP_END
>
>
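Review bot: The `-r` help string "After executing signed images are disabled forever." is ambiguous: it can be read as "signed images will no longer boot" rather than as a statement about signature enforcement. Suggest wording it in the same form as the `-l` line directly above, stating explicitly what can and cannot be booted afterwards, and adding the missing comma after "executing". It would also help to mention that the fuse is only really burnt together with `-p`, and to check that the command's usage/synopsis string, which is not part of this hunk, lists `-r` as well.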
> --
> 2.47.3
>
>
--
#gernperDu
#CallMeByMyFirstName
Pengutronix e.K. | |
Steuerwalder Str. 21 | https://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-9 |
Thread overview: 10+ messages
2025-12-19 9:06 [PATCH v2 0/4] i.mx: hab/ocotop: extend field return to i.MX6 Fabian Pflug
2025-12-19 9:06 ` [PATCH v2 1/4] arm: mach-imx6: use kconfig for field return Fabian Pflug
2025-12-19 9:14 ` Ahmad Fatoum
2025-12-19 10:06 ` Marco Felsch
2025-12-19 9:06 ` [PATCH v2 2/4] nvmem: ocotp: extend support to query the sticky bit Fabian Pflug
2025-12-19 9:06 ` [PATCH v2 3/4] i.MX: HAB: extend field_return support to imx6 Fabian Pflug
2025-12-19 9:56 ` Marco Felsch
2025-12-19 9:06 ` [PATCH v2 4/4] commands: hab: extend by field_return fuse burn Fabian Pflug
2025-12-19 9:57 ` Marco Felsch [this message]
2025-12-19 10:03 ` Lucas Stach