Re: [PATCH] nvmem: ocotp: add support to revoke keys

[Denis Osterland-Heim <denis.osterland@diehl.com>]

Hi,

It would be no problem to do it in a script.
I did it as a fist prove of concept.
My opinion is, that this hard coded implementation give stronger
guarantee that this code is really executed.

I would love to implement the HAB to check FIT signatures,
but with MMU enabled it will not work AFAIK and code requiring MMU disabled is not welcome.

This implementation allows you to utilize any fuse to revoke a key independent from HAB.
The 0x660 from the example is GP1.

Regards, Denis

Am Freitag, den 12.03.2021, 11:15 +0100 schrieb Rouven Czerwinski:
> Hello Denis,
>
> On Thu, 2021-03-11 at 17:07 +0000, Denis Osterland-Heim wrote:
> > From: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> >
> > Add device tree property 'barebox,key-revoke' with the syntax:
> > < key_phandle fuse_offset mask >
> >
> > An example:
> > signature {
> > key1: key-img1 { ... };
> > key2: key-srk1 { ... };
> > };
> > };
> > &ocotp {
> > barebox,key-revoke = <
> > &key1 0x660 1
> > &key2 0x6f0 1
> > > ;
> >
> > };
>
> I think using device tree properties for this is a bad idea. This
> should rather be implemented as a revoke argument to the hab command.
> Revocation can than be done within a bootup script during barebox
> start.
>
> Regards,
> Rouven
>
> > Signed-off-by: Denis Osterland-Heim <Denis.Osterland@diehl.com>
> > ---
> >  .../bindings/misc/fsl,imx-ocotp.rst           |  4 ++
> >  drivers/nvmem/ocotp.c                         | 37 ++++++++++++++++++-
> >  2 files changed, 39 insertions(+), 2 deletions(-)
> >
> > diff --git a/Documentation/devicetree/bindings/misc/fsl,imx-ocotp.rst b/Documentation/devicetree/bindings/misc/fsl,imx-ocotp.rst
> > index 202bb3aa0..63a6f5331 100644
> > --- a/Documentation/devicetree/bindings/misc/fsl,imx-ocotp.rst
> > +++ b/Documentation/devicetree/bindings/misc/fsl,imx-ocotp.rst
> > @@ -12,6 +12,9 @@ Optional properties:
> >    can be multiple entries in the form <&phandle regofs> to assign a MAC
> >    address to an Ethernet device.
> >
> > +* ``barebox,key-revoke``: Revoke (remove) key if bit is set. This can be multiple
> > +  entries in the form <&phandle regofs mask> to revoke a key if bit is set.
> > +
> >  Example:
> >
> >  .. code-block:: none
> > @@ -20,4 +23,5 @@ Example:
> >    compatible = "fsl,imx6q-ocotp";
> >    reg = <0x021bc000 0x4000>;
> >    barebox,provide-mac-address = <&fec 0x620>;
> > +  barebox,key-revoke = <&/signature/key-img1 0x6f0 1>;
> >    };
> > diff --git a/drivers/nvmem/ocotp.c b/drivers/nvmem/ocotp.c
> > index cee50955e..00ee6cd06 100644
> > --- a/drivers/nvmem/ocotp.c
> > +++ b/drivers/nvmem/ocotp.c
> > @@ -641,7 +641,7 @@ static struct regmap_bus imx_ocotp_regmap_bus = {
> >  .reg_read = imx_ocotp_reg_read,
> >  };
> >
> > -static void imx_ocotp_init_dt(struct ocotp_priv *priv)
> > +static void imx_ocotp_init_mac_dt(struct ocotp_priv *priv)
> >  {
> >  char mac[MAC_BYTES];
> >  const __be32 *prop;
> > @@ -673,6 +673,38 @@ static void imx_ocotp_init_dt(struct ocotp_priv *priv)
> >  }
> >  }
> >
> > +static void imx_ocotp_init_key_dt(struct ocotp_priv *priv)
> > +{
> > +const __be32 *prop;
> > +struct device_node *node = priv->dev.parent->device_node;
> > +int len;
> > +
> > +if (!node)
> > +return;
> > +
> > +prop = of_get_property(node, "barebox,key-revoke", &len);
> > +if (!prop)
> > +return;
> > +
> > +for (; len >= 3; len -= 3) {
> > +struct device_node *rnode;
> > +uint32_t phandle, offset, mask;
> > +unsigned val;
> > +
> > +phandle = be32_to_cpup(prop++);
> > +
> > +rnode = of_find_node_by_phandle(phandle);
> > +offset = be32_to_cpup(prop++);
> > +mask = be32_to_cpup(prop++);
> > +
> > +if (imx6_ocotp_read_one_u32(priv, OCOTP_OFFSET_TO_INDEX(offset), &val))
> > +continue;
> > +
> > +if (val & mask)
> > +of_delete_node(rnode);
> > +}
> > +}
> > +
> >  static int imx_ocotp_write(struct device_d *dev, const int offset,
> >      const void *val, int bytes)
> >  {
> > @@ -790,7 +822,8 @@ static int imx_ocotp_probe(struct device_d *dev)
> >  if (IS_ENABLED(CONFIG_MACHINE_ID))
> >  imx_ocotp_set_unique_machine_id();
> >
> > -imx_ocotp_init_dt(priv);
> > +imx_ocotp_init_mac_dt(priv);
> > +imx_ocotp_init_key_dt(priv);
> >
> >  dev_add_param_bool(&(priv->dev), "sense_enable", NULL, NULL, &priv->sense_enable, priv);
> >
> > --
> > 2.30.2
> >
> > Diehl Connectivity Solutions GmbH
> > Geschäftsführung: Horst Leonberger
> > Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
> > Nürnberg: HRB 32315
> >
> > ________________________________
> >
> > Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
> > Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
> > Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.
> >
> > - Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:
> >
> > https://www.diehl.com/group/de/transparenz-und-informationspflichten/
> >
> > The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
> > mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.
> >
> > - For general information on data protection and your respective rights please visit:
> >
> > https://www.diehl.com/group/en/transparency-and-information-obligations/
> >
> >
> >
> > _______________________________________________
> > barebox mailing list
> > barebox@lists.infradead.org
> > http://lists.infradead.org/mailman/listinfo/barebox
> >
>
>
Diehl Connectivity Solutions GmbH
Geschäftsführung: Horst Leonberger
Sitz der Gesellschaft: Nürnberg - Registergericht: Amtsgericht
Nürnberg: HRB 32315

________________________________

Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese E-Mail enthaelt vertrauliche und/oder rechtlich geschuetzte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail faelschlicherweise erhalten haben. Bitte loeschen Sie in diesem Fall die Nachricht.
Jede unerlaubte Form der Reproduktion, Bekanntgabe, Aenderung, Verteilung und/oder Publikation dieser E-Mail ist strengstens untersagt.

- Informationen zum Datenschutz, insbesondere zu Ihren Rechten, erhalten Sie unter:

https://www.diehl.com/group/de/transparenz-und-informationspflichten/

The contents of the above mentioned e-mail is not legally binding. This e-mail contains confidential and/or legally protected information. Please inform us if you have received this e-mail by
mistake and delete it in such a case. Each unauthorized reproduction, disclosure, alteration, distribution and/or publication of this e-mail is strictly prohibited.

- For general information on data protection and your respective rights please visit:

https://www.diehl.com/group/en/transparency-and-information-obligations/


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox