1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
// SPDX-License-Identifier: GPL-2.0-only
#include <common.h>
#include <command.h>
#include <complete.h>
#include <fs.h>
#include <fcntl.h>
#include <getopt.h>
#include <linux/ctype.h>
#include <errno.h>
#include <hab.h>
static int do_hab(int argc, char *argv[])
{
int opt, ret, i;
char *srkhashfile = NULL, *srkhash = NULL;
unsigned flags = 0;
u8 srk[SRK_HASH_SIZE];
int lockdown = 0, info = 0;
while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
switch (opt) {
case 's':
srkhashfile = optarg;
break;
case 'f':
flags |= IMX_SRK_HASH_FORCE;
break;
case 'p':
flags |= IMX_SRK_HASH_WRITE_PERMANENT;
break;
case 'x':
srkhash = optarg;
break;
case 'l':
lockdown = 1;
break;
case 'i':
info = 1;
break;
default:
return COMMAND_ERROR_USAGE;
}
}
if (!info && !lockdown && !srkhashfile && !srkhash) {
printf("Nothing to do\n");
return COMMAND_ERROR_USAGE;
}
if (info) {
ret = imx_hab_read_srk_hash(srk);
if (ret)
return ret;
printf("Current SRK hash: ");
for (i = 0; i < SRK_HASH_SIZE; i++)
printf("%02x", srk[i]);
printf("\n");
if (imx_hab_device_locked_down())
printf("secure mode\n");
else
printf("devel mode\n");
return 0;
}
if (srkhashfile && srkhash) {
printf("-s and -x options may not be given together\n");
return COMMAND_ERROR_USAGE;
}
if (srkhashfile) {
ret = imx_hab_write_srk_hash_file(srkhashfile, flags);
if (ret)
return ret;
} else if (srkhash) {
ret = imx_hab_write_srk_hash_hex(srkhash, flags);
if (ret)
return ret;
}
if (lockdown) {
ret = imx_hab_lockdown_device(flags);
if (ret)
return ret;
printf("Device successfully locked down\n");
}
return 0;
}
BAREBOX_CMD_HELP_START(hab)
BAREBOX_CMD_HELP_TEXT("Handle i.MX HAB (High Assurance Boot)")
BAREBOX_CMD_HELP_TEXT("")
BAREBOX_CMD_HELP_OPT ("-s <file>", "Burn Super Root Key hash from <file>")
BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string")
BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info")
BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written")
BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted")
BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!")
BAREBOX_CMD_HELP_END
BAREBOX_CMD_START(hab)
.cmd = do_hab,
BAREBOX_CMD_DESC("Handle i.MX HAB")
BAREBOX_CMD_OPTS("sxfp")
BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
BAREBOX_CMD_HELP(cmd_hab_help)
BAREBOX_CMD_END
|