summaryrefslogtreecommitdiffstats
path: root/commands/hab.c
blob: 97a1701fa55144101ca708d51d473e38344e8b4e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
// SPDX-License-Identifier: GPL-2.0-only

#include <common.h>
#include <command.h>
#include <complete.h>
#include <fs.h>
#include <fcntl.h>
#include <getopt.h>
#include <linux/ctype.h>
#include <errno.h>
#include <hab.h>

static int do_hab(int argc, char *argv[])
{
	int opt, ret, i;
	char *srkhashfile = NULL, *srkhash = NULL;
	unsigned flags = 0;
	u8 srk[SRK_HASH_SIZE];
	int lockdown = 0, info = 0;

	while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
		switch (opt) {
		case 's':
			srkhashfile = optarg;
			break;
		case 'f':
			flags |= IMX_SRK_HASH_FORCE;
			break;
		case 'p':
			flags |= IMX_SRK_HASH_WRITE_PERMANENT;
			break;
		case 'x':
			srkhash = optarg;
			break;
		case 'l':
			lockdown = 1;
			break;
		case 'i':
			info = 1;
			break;
		default:
			return COMMAND_ERROR_USAGE;
		}
	}

	if (!info && !lockdown && !srkhashfile && !srkhash) {
		printf("Nothing to do\n");
		return COMMAND_ERROR_USAGE;
	}

	if (info) {
		ret = imx_hab_read_srk_hash(srk);
		if (ret)
			return ret;

		printf("Current SRK hash: ");
		for (i = 0; i < SRK_HASH_SIZE; i++)
			printf("%02x", srk[i]);
		printf("\n");

		if (imx_hab_device_locked_down())
			printf("secure mode\n");
		else
			printf("devel mode\n");

		return 0;
	}

	if (srkhashfile && srkhash) {
		printf("-s and -x options may not be given together\n");
		return COMMAND_ERROR_USAGE;
	}

	if (srkhashfile) {
		ret = imx_hab_write_srk_hash_file(srkhashfile, flags);
		if (ret)
			return ret;
	} else if (srkhash) {
		ret = imx_hab_write_srk_hash_hex(srkhash, flags);
		if (ret)
			return ret;
	}

	if (lockdown) {
		ret = imx_hab_lockdown_device(flags);
		if (ret)
			return ret;
		printf("Device successfully locked down\n");
	}

	return 0;
}

BAREBOX_CMD_HELP_START(hab)
BAREBOX_CMD_HELP_TEXT("Handle i.MX HAB (High Assurance Boot)")
BAREBOX_CMD_HELP_TEXT("")
BAREBOX_CMD_HELP_OPT ("-s <file>",  "Burn Super Root Key hash from <file>")
BAREBOX_CMD_HELP_OPT ("-x <sha256>",  "Burn Super Root Key hash from hex string")
BAREBOX_CMD_HELP_OPT ("-i",  "Print HAB info")
BAREBOX_CMD_HELP_OPT ("-f",  "Force. Write even when a key is already written")
BAREBOX_CMD_HELP_OPT ("-l",  "Lockdown device. Dangerous! After executing only signed images can be booted")
BAREBOX_CMD_HELP_OPT ("-p",  "Permanent. Really burn fuses. Be careful!")
BAREBOX_CMD_HELP_END

BAREBOX_CMD_START(hab)
	.cmd		= do_hab,
	BAREBOX_CMD_DESC("Handle i.MX HAB")
	BAREBOX_CMD_OPTS("sxfp")
	BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
	BAREBOX_CMD_HELP(cmd_hab_help)
BAREBOX_CMD_END