authorSascha Hauer <s.hauer@pengutronix.de>2017-03-23 11:19:38 +0100
committerSascha Hauer <s.hauer@pengutronix.de>2017-04-04 08:44:29 +0200
commit9dc622d5622ceeedfc5e793a201cad029ff0f5ab (patch)
treeab76b409c306a42a62fb1a85db09d8122e9ac8f9 /include
parentf98666122e3456115cbb0cb8bd730a87183deb98 (diff)
downloadbarebox-9dc622d5622ceeedfc5e793a201cad029ff0f5ab.tar.gz
barebox-9dc622d5622ceeedfc5e793a201cad029ff0f5ab.tar.xz
i.MX: hab: Add HAB fusebox related convenience functions / command
Secure boot with HAB requires handling of the super root key hash and actually locking down the device. The related information is stored in the i.MX fusebox device (IIM on older SoCs, OCOTP on newer SoCs). This patch adds several convenience functions to store and read the super root key hash and to lock down a SoC. Also we add a command to do this from the command line. Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Diffstat (limited to 'include')
-rw-r--r--include/hab.h21
1 files changed, 21 insertions, 0 deletions
diff --git a/include/hab.h b/include/hab.h
index 818d7ca1c5..fb7149ef53 100644
--- a/include/hab.h
+++ b/include/hab.h
@@ -41,4 +41,25 @@ static inline int imx25_hab_get_status(void)
}
#endif
+#define SRK_HASH_SIZE 32
+
+/* Force writing of key, even when a key is already written */
+#define IMX_SRK_HASH_FORCE (1 << 0)
+/* Permanently write fuses, without this flag only the shadow registers
+ * are written.
+ */
+#define IMX_SRK_HASH_WRITE_PERMANENT (1 << 1)
+/* When writing the super root key hash, also burn the write protection
+ * fuses so that the key hash can not be modified.
+ */
+#define IMX_SRK_HASH_WRITE_LOCK (1 << 2)
+
+bool imx_hab_srk_hash_valid(const void *buf);
+int imx_hab_write_srk_hash(const void *buf, unsigned flags);
+int imx_hab_write_srk_hash_hex(const char *srkhash, unsigned flags);
+int imx_hab_write_srk_hash_file(const char *filename, unsigned flags);
+int imx_hab_read_srk_hash(void *buf);
+int imx_hab_lockdown_device(unsigned flags);
+int imx_hab_device_locked_down(void);
+
#endif /* __HABV4_H */
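Review bot: The buffer-taking prototypes `imx_hab_srk_hash_valid()`, `imx_hab_write_srk_hash()` and `imx_hab_read_srk_hash()` take a bare `void *` with no length, so the required size is only implied by `SRK_HASH_SIZE`. For the read function in particular, a caller passing a shorter buffer would presumably be overrun, so I would add a comment above the prototypes such as `/* buf must point to exactly SRK_HASH_SIZE bytes */`. `imx_hab_lockdown_device(unsigned flags)` does not say which of the `IMX_SRK_HASH_*` bits it honours; since burning fuses cannot be undone, the header should state whether lockdown without `IMX_SRK_HASH_WRITE_PERMANENT` touches only the shadow registers. The `int` return of `imx_hab_device_locked_down()` also deserves a line saying whether it is a plain boolean or can carry a negative error code, because a caller that tests it with `if (ret)` would treat an error as "locked down". The implementations are outside this hunk, so the suggested wording needs to be checked against them.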