1 files changed, 120 insertions, 0 deletions

diff --git a/commands/hab.c b/commands/hab.c
new file mode 100644
index 0000000000..0d7ee8e76c
--- /dev/null
+++ b/commands/hab.c
@@ -0,0 +1,120 @@
+/*
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation; version 2.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ */
+
+#include <common.h>
+#include <command.h>
+#include <complete.h>
+#include <fs.h>
+#include <fcntl.h>
+#include <getopt.h>
+#include <linux/ctype.h>
+#include <errno.h>
+#include <hab.h>
+
+static int do_hab(int argc, char *argv[])
+{
+	int opt, ret, i;
+	char *srkhashfile = NULL, *srkhash = NULL;
+	unsigned flags = 0;
+	u8 srk[SRK_HASH_SIZE];
+	int lockdown = 0, info = 0;
+
+	while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
+		switch (opt) {
+		case 's':
+			srkhashfile = optarg;
+			break;
+		case 'f':
+			flags |= IMX_SRK_HASH_FORCE;
+			break;
+		case 'p':
+			flags |= IMX_SRK_HASH_WRITE_PERMANENT;
+			break;
+		case 'x':
+			srkhash = optarg;
+			break;
+		case 'l':
+			lockdown = 1;
+			break;
+		case 'i':
+			info = 1;
+			break;
+		default:
+			return COMMAND_ERROR_USAGE;
+		}
+	}
+
+	if (!info && !lockdown && !srkhashfile && !srkhash) {
+		printf("Nothing to do\n");
+		return COMMAND_ERROR_USAGE;
+	}
+
+	if (info) {
+		ret = imx_hab_read_srk_hash(srk);
+		if (ret)
+			return ret;
+
+		printf("Current SRK hash: ");
+		for (i = 0; i < SRK_HASH_SIZE; i++)
+			printf("%02x", srk[i]);
+		printf("\n");
+
+		if (imx_hab_device_locked_down())
+			printf("secure mode\n");
+		else
+			printf("devel mode\n");
+
+		return 0;
+	}
+
+	if (srkhashfile && srkhash) {
+		printf("-s and -x options may not be given together\n");
+		return COMMAND_ERROR_USAGE;
+	}
+
+	if (srkhashfile) {
+		ret = imx_hab_write_srk_hash_file(srkhashfile, flags);
+		if (ret)
+			return ret;
+	} else if (srkhash) {
+		ret = imx_hab_write_srk_hash_hex(srkhash, flags);
+		if (ret)
+			return ret;
+	}
+
+	if (lockdown) {
+		ret = imx_hab_lockdown_device(flags);
+		if (ret)
+			return ret;
+		printf("Device successfully locked down\n");
+	}
+
+	return 0;
+}
+
+BAREBOX_CMD_HELP_START(hab)
+BAREBOX_CMD_HELP_TEXT("Handle i.MX HAB (High Assurance Boot)")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_OPT ("-s <file>",  "Burn Super Root Key hash from <file>")
+BAREBOX_CMD_HELP_OPT ("-x <sha256>",  "Burn Super Root Key hash from hex string")
+BAREBOX_CMD_HELP_OPT ("-i",  "Print HAB info")
+BAREBOX_CMD_HELP_OPT ("-f",  "Force. Write even when a key is already written")
+BAREBOX_CMD_HELP_OPT ("-l",  "Lockdown device. Dangerous! After executing only signed images can be booted")
+BAREBOX_CMD_HELP_OPT ("-p",  "Permanent. Really burn fuses. Be careful!")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(hab)
+	.cmd		= do_hab,
+	BAREBOX_CMD_DESC("Handle i.MX HAB")
+	BAREBOX_CMD_OPTS("sxfp")
+	BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+	BAREBOX_CMD_HELP(cmd_hab_help)
+BAREBOX_CMD_END