diff options
author | Sascha Hauer <s.hauer@pengutronix.de> | 2017-04-07 09:59:29 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2017-04-07 09:59:29 +0200 |
commit | 80aaa2634ee0787e3304dce07f3dc83917a8a5c8 (patch) | |
tree | 94a5362df7baac9295402c9fbb59c2ed034614b1 /commands | |
parent | 4ef8ec1a48e2d4e459d4b2232970026bffaeb4aa (diff) | |
parent | 55b9bb15bf59ba10073e82663c37081415dac397 (diff) | |
download | barebox-80aaa2634ee0787e3304dce07f3dc83917a8a5c8.tar.gz barebox-80aaa2634ee0787e3304dce07f3dc83917a8a5c8.tar.xz |
Merge branch 'for-next/imx'
Diffstat (limited to 'commands')
-rw-r--r-- | commands/Kconfig | 5 | ||||
-rw-r--r-- | commands/Makefile | 1 | ||||
-rw-r--r-- | commands/hab.c | 120 |
3 files changed, 126 insertions, 0 deletions
diff --git a/commands/Kconfig b/commands/Kconfig index ab8e09aa45..35b7f43001 100644 --- a/commands/Kconfig +++ b/commands/Kconfig @@ -1930,6 +1930,11 @@ config CMD_WD_DEFAULT_TIMOUT 'wd' is done without a timeout value (which means the watchdog gets enabled and re-triggered with the default timeout value). +config CMD_HAB + bool + depends on HAB + prompt "High Assurance boot (hab)" + # end Hardware manipulation commands endmenu diff --git a/commands/Makefile b/commands/Makefile index ab59021562..edd713c6bd 100644 --- a/commands/Makefile +++ b/commands/Makefile @@ -87,6 +87,7 @@ obj-$(CONFIG_CMD_AUTOMOUNT) += automount.o obj-$(CONFIG_CMD_GLOBAL) += global.o obj-$(CONFIG_CMD_DMESG) += dmesg.o obj-$(CONFIG_CMD_BASENAME) += basename.o +obj-$(CONFIG_CMD_HAB) += hab.o obj-$(CONFIG_CMD_DIRNAME) += dirname.o obj-$(CONFIG_CMD_READLINK) += readlink.o obj-$(CONFIG_CMD_LET) += let.o diff --git a/commands/hab.c b/commands/hab.c new file mode 100644 index 0000000000..0d7ee8e76c --- /dev/null +++ b/commands/hab.c @@ -0,0 +1,120 @@ +/* + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation; version 2. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + */ + +#include <common.h> +#include <command.h> +#include <complete.h> +#include <fs.h> +#include <fcntl.h> +#include <getopt.h> +#include <linux/ctype.h> +#include <errno.h> +#include <hab.h> + +static int do_hab(int argc, char *argv[]) +{ + int opt, ret, i; + char *srkhashfile = NULL, *srkhash = NULL; + unsigned flags = 0; + u8 srk[SRK_HASH_SIZE]; + int lockdown = 0, info = 0; + + while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) { + switch (opt) { + case 's': + srkhashfile = optarg; + break; + case 'f': + flags |= IMX_SRK_HASH_FORCE; + break; + case 'p': + flags |= IMX_SRK_HASH_WRITE_PERMANENT; + break; + case 'x': + srkhash = optarg; + break; + case 'l': + lockdown = 1; + break; + case 'i': + info = 1; + break; + default: + return COMMAND_ERROR_USAGE; + } + } + + if (!info && !lockdown && !srkhashfile && !srkhash) { + printf("Nothing to do\n"); + return COMMAND_ERROR_USAGE; + } + + if (info) { + ret = imx_hab_read_srk_hash(srk); + if (ret) + return ret; + + printf("Current SRK hash: "); + for (i = 0; i < SRK_HASH_SIZE; i++) + printf("%02x", srk[i]); + printf("\n"); + + if (imx_hab_device_locked_down()) + printf("secure mode\n"); + else + printf("devel mode\n"); + + return 0; + } + + if (srkhashfile && srkhash) { + printf("-s and -x options may not be given together\n"); + return COMMAND_ERROR_USAGE; + } + + if (srkhashfile) { + ret = imx_hab_write_srk_hash_file(srkhashfile, flags); + if (ret) + return ret; + } else if (srkhash) { + ret = imx_hab_write_srk_hash_hex(srkhash, flags); + if (ret) + return ret; + } + + if (lockdown) { + ret = imx_hab_lockdown_device(flags); + if (ret) + return ret; + printf("Device successfully locked down\n"); + } + + return 0; +} + +BAREBOX_CMD_HELP_START(hab) +BAREBOX_CMD_HELP_TEXT("Handle i.MX HAB (High Assurance Boot)") +BAREBOX_CMD_HELP_TEXT("") +BAREBOX_CMD_HELP_OPT ("-s <file>", "Burn Super Root Key hash from <file>") +BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string") +BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info") +BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written") +BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted") +BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!") +BAREBOX_CMD_HELP_END + +BAREBOX_CMD_START(hab) + .cmd = do_hab, + BAREBOX_CMD_DESC("Handle i.MX HAB") + BAREBOX_CMD_OPTS("sxfp") + BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP) + BAREBOX_CMD_HELP(cmd_hab_help) +BAREBOX_CMD_END |