summaryrefslogtreecommitdiffstats
path: root/commands/hab.c
diff options
context:
space:
mode:
authorSascha Hauer <s.hauer@pengutronix.de>2017-03-23 11:19:38 +0100
committerSascha Hauer <s.hauer@pengutronix.de>2017-04-04 08:44:29 +0200
commit9dc622d5622ceeedfc5e793a201cad029ff0f5ab (patch)
treeab76b409c306a42a62fb1a85db09d8122e9ac8f9 /commands/hab.c
parentf98666122e3456115cbb0cb8bd730a87183deb98 (diff)
downloadbarebox-9dc622d5622ceeedfc5e793a201cad029ff0f5ab.tar.gz
i.MX: hab: Add HAB fusebox related convenience functions / command
Secure boot with HAB requires handling of the super root key hash and actually locking down the device. The related information is stored in the i.MX fusebox device (IIM on older SoCs, OCOTP on newer SoCs). This patch adds several convenience functions to store and read the super root key hash and to lock down a SoC. Also we add a command to do this from the command line. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'commands/hab.c')
-rw-r--r--commands/hab.c120
1 files changed, 120 insertions, 0 deletions
diff --git a/commands/hab.c b/commands/hab.c
new file mode 100644
index 0000000..0d7ee8e
--- /dev/null
+++ b/commands/hab.c
@@ -0,0 +1,120 @@
+/*
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; version 2.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#include <common.h>
+#include <command.h>
+#include <complete.h>
+#include <fs.h>
+#include <fcntl.h>
+#include <getopt.h>
+#include <linux/ctype.h>
+#include <errno.h>
+#include <hab.h>
+
+static int do_hab(int argc, char *argv[])
+{
+ int opt, ret, i;
+ char *srkhashfile = NULL, *srkhash = NULL;
+ unsigned flags = 0;
+ u8 srk[SRK_HASH_SIZE];
+ int lockdown = 0, info = 0;
+
+ while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
+ switch (opt) {
+ case 's':
+ srkhashfile = optarg;
+ break;
+ case 'f':
+ flags |= IMX_SRK_HASH_FORCE;
+ break;
+ case 'p':
+ flags |= IMX_SRK_HASH_WRITE_PERMANENT;
+ break;
+ case 'x':
+ srkhash = optarg;
+ break;
+ case 'l':
+ lockdown = 1;
+ break;
+ case 'i':
+ info = 1;
+ break;
+ default:
+ return COMMAND_ERROR_USAGE;
+ }
+ }
+
+ if (!info && !lockdown && !srkhashfile && !srkhash) {
+ printf("Nothing to do\n");
+ return COMMAND_ERROR_USAGE;
+ }
+
+ if (info) {
+ ret = imx_hab_read_srk_hash(srk);
+ if (ret)
+ return ret;
+
+ printf("Current SRK hash: ");
+ for (i = 0; i < SRK_HASH_SIZE; i++)
+ printf("%02x", srk[i]);
+ printf("\n");
+
+ if (imx_hab_device_locked_down())
+ printf("secure mode\n");
+ else
+ printf("devel mode\n");
+
+ return 0;
+ }
+
+ if (srkhashfile && srkhash) {
+ printf("-s and -x options may not be given together\n");
+ return COMMAND_ERROR_USAGE;
+ }
+
+ if (srkhashfile) {
+ ret = imx_hab_write_srk_hash_file(srkhashfile, flags);
+ if (ret)
+ return ret;
+ } else if (srkhash) {
+ ret = imx_hab_write_srk_hash_hex(srkhash, flags);
+ if (ret)
+ return ret;
+ }
+
+ if (lockdown) {
+ ret = imx_hab_lockdown_device(flags);
+ if (ret)
+ return ret;
+ printf("Device successfully locked down\n");
+ }
+
+ return 0;
+}
+
+BAREBOX_CMD_HELP_START(hab)
+BAREBOX_CMD_HELP_TEXT("Handle i.MX HAB (High Assurance Boot)")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_OPT ("-s <file>", "Burn Super Root Key hash from <file>")
+BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string")
+BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info")
+BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written")
+BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted")
+BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(hab)
+ .cmd = do_hab,
+ BAREBOX_CMD_DESC("Handle i.MX HAB")
+ BAREBOX_CMD_OPTS("sxfp")
+ BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+ BAREBOX_CMD_HELP(cmd_hab_help)
+BAREBOX_CMD_END