[iot] Support fastboot variable 'at-vboot-state'

Add support for fastboot variable 'at-vboot-state', it's composed by 6 sub-variable: 'bootloader-locked', 'bootloader-min-versions', 'avb-perm-attr-set', 'avb-locked', 'avb-unlock-disabled' and 'avb-min-versions'. Test: All 'at-vboot-state' variables are returned correctly on imx7d_pico and AIY. Change-Id: Ibb855cbcc7c41657af62dafb98a96c4dfb96ef22 Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-08-26 19:46:16 +08:00 · 2018-08-26 19:46:16 +08:00 · b57739cac7
parent aebefa8046
commit b57739cac7
6 changed files with 222 additions and 7 deletions
--- a/arch/arm/mach-imx/imx8m/soc.c
+++ b/arch/arm/mach-imx/imx8m/soc.c
@ -28,7 +28,7 @@
 DECLARE_GLOBAL_DATA_PTR;
-#if defined(CONFIG_SECURE_BOOT)
+#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX)
 struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
 	.bank = 1,
 	.word = 3,
--- a/arch/arm/mach-imx/mx7/soc.c
+++ b/arch/arm/mach-imx/mx7/soc.c
@ -97,7 +97,7 @@ static void isolate_resource(void)
 }
 #endif
-#if defined(CONFIG_SECURE_BOOT)
+#if defined(CONFIG_SECURE_BOOT) || defined(CONFIG_AVB_ATX)
 struct imx_sec_config_fuse_t const imx_sec_config_fuse = {
 	.bank = 1,
 	.word = 3,
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@ -75,6 +75,8 @@ extern void trusty_os_init(void);
 #ifdef CONFIG_ANDROID_THINGS_SUPPORT
 #include <asm-generic/gpio.h>
 #include <asm/mach-imx/gpio.h>
 #include "../lib/avb/fsl/fsl_avbkey.h"
 #include "../arch/arm/include/asm/mach-imx/hab.h"
 #endif
 #define FASTBOOT_VERSION		"0.4"
@ -155,6 +157,22 @@ char *fastboot_common_var[FASTBOOT_COMMON_VAR_NUM] = {
 #endif
 };
 /* at-vboot-state variable list */
 #ifdef CONFIG_AVB_ATX
 #define AT_VBOOT_STATE_VAR_NUM 6
 extern struct imx_sec_config_fuse_t const imx_sec_config_fuse;
 extern int fuse_read(u32 bank, u32 word, u32 *val);
 char *fastboot_at_vboot_state_var[AT_VBOOT_STATE_VAR_NUM] = {
 	"bootloader-locked",
 	"bootloader-min-versions",
 	"avb-perm-attr-set",
 	"avb-locked",
 	"avb-unlock-disabled",
 	"avb-min-versions"
 };
 #endif
 /* Boot metric variables */
 boot_metric metrics = {
 	.bll_1 = 0,
@ -2957,7 +2975,7 @@ int get_imx8m_baseboard_id(void);
 static int get_single_var(char *cmd, char *response)
 {
 	char *str = cmd;
-	size_t chars_left;
+	int chars_left;
 	const char *s;
 	struct mmc *mmc;
 	int mmc_dev_no;
@ -3085,6 +3103,138 @@ static int get_single_var(char *cmd, char *response)
 		} else
 			snprintf(response + strlen(response), chars_left, "0x%x", baseboard_id);
 	}
 #endif
 #ifdef CONFIG_AVB_ATX
 	else if (!strcmp_l1("bootloader-locked", cmd)) {
 		/* Below is basically copied from is_hab_enabled() */
 		struct imx_sec_config_fuse_t *fuse =
 			(struct imx_sec_config_fuse_t *)&imx_sec_config_fuse;
 		uint32_t reg;
 		int ret;
 		/* Read the secure boot status from fuse. */
 		ret = fuse_read(fuse->bank, fuse->word, &reg);
 		if (ret) {
 			printf("\nSecure boot fuse read error!\n");
 			strncat(response, "Secure boot fuse read error!", chars_left);
 			return -1;
 		}
 		/* Check if the secure boot bit is enabled */
 		if ((reg & 0x2000000) == 0x2000000)
 			strncat(response, "1", chars_left);
 		else
 			strncat(response, "0", chars_left);
 	} else if (!strcmp_l1("bootloader-min-versions", cmd)) {
 #ifndef CONFIG_ARM64
 		/* We don't support bootloader rbindex protection for
 		 * ARM32(like imx7d) and the format is: "bootloader,tee". */
 		strncat(response, "-1,-1", chars_left);
 #elif defined(CONFIG_DUAL_BOOTLOADER)
 		/* Rbindex protection for bootloader is supported only when the
 		 * 'dual bootloader' feature is enabled. U-boot will get the rbindx
 		 * from RAM which is passed by spl because we can only get the rbindex
 		 * at spl stage. The format in this case is: "spl,atf,tee,u-boot".
 		 */
 		struct bl_rbindex_package *bl_rbindex;
 		uint32_t rbindex;
 		bl_rbindex = (struct bl_rbindex_package *)BL_RBINDEX_LOAD_ADDR;
 		if (!strncmp(bl_rbindex->magic, BL_RBINDEX_MAGIC,
 				BL_RBINDEX_MAGIC_LEN)) {
 			rbindex = bl_rbindex->rbindex;
 			snprintf(response + strlen(response), chars_left,
 					"-1,%d,%d,%d",rbindex, rbindex, rbindex);
 		} else {
 			printf("Error bootloader rbindex magic!\n");
 			strncat(response, "Get bootloader rbindex fail!", chars_left);
 			return -1;
 		}
 #else
 		/* Return -1 for all partition if 'dual bootloader' feature
 		 * is not enabled */
 		strncat(response, "-1,-1,-1,-1", chars_left);
 #endif
 	} else if (!strcmp_l1("avb-perm-attr-set", cmd)) {
 		if (perm_attr_are_fused())
 			strncat(response, "1", chars_left);
 		else
 			strncat(response, "0", chars_left);
 	} else if (!strcmp_l1("avb-locked", cmd)) {
 		FbLockState status;
 		status = fastboot_get_lock_stat();
 		if (status == FASTBOOT_LOCK)
 			strncat(response, "1", chars_left);
 		else if (status == FASTBOOT_UNLOCK)
 			strncat(response, "0", chars_left);
 		else {
 			printf("Get lock state error!\n");
 			strncat(response, "Get lock state failed!", chars_left);
 			return -1;
 		}
 	} else if (!strcmp_l1("avb-unlock-disabled", cmd)) {
 		if (at_unlock_vboot_is_disabled())
 			strncat(response, "1", chars_left);
 		else
 			strncat(response, "0", chars_left);
 	} else if (!strcmp_l1("avb-min-versions", cmd)) {
 		int i = 0;
 		/* rbindex location/value can be very large
 		 * number so we reserve enough space here.
 		 */
 		char buffer[35];
 		uint32_t rbindex_location[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS + 2];
 		uint32_t location;
 		uint64_t rbindex;
 		memset(buffer, '\0', sizeof(buffer));
 		/* Set rbindex locations. */
 		for (i = 0; i < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS; i++)
 			rbindex_location[i] = i;
 		/* Set Android Things key version rbindex locations */
 		rbindex_location[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS]
 						= AVB_ATX_PIK_VERSION_LOCATION;
 		rbindex_location[AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS + 1]
 						= AVB_ATX_PSK_VERSION_LOCATION;
 		/* Read rollback index and set the reponse*/
 		for (i = 0; i < AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS + 2; i++) {
 			location = rbindex_location[i];
 			if (fsl_avb_ops.read_rollback_index(&fsl_avb_ops,
 								location, &rbindex)
 								!= AVB_IO_RESULT_OK) {
 				printf("Read rollback index error!\n");
 				snprintf(response, sizeof(response),
 					"INFOread rollback index error when get avb-min-versions");
 				return -1;
 			}
 			/* Generate the "location:value" pair */
 			snprintf(buffer, sizeof(buffer), "%d:%lld", location, rbindex);
 			if (i != AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS + 1)
 				strncat(buffer, ",", strlen(","));
 			if ((chars_left - (int)strlen(buffer)) >= 0) {
 				strncat(response, buffer, strlen(buffer));
 				chars_left -= strlen(buffer);
 			} else {
 				strncat(response, buffer, chars_left);
 				/* reponse buffer is full, send it first */
 				fastboot_tx_write_more(response);
 				/* reset the reponse buffer for next round */
 				memset(response, '\0', sizeof(response));
 				strncpy(response, "INFO", 5);
 				/* Copy left strings from 'buffer' to 'response' */
 				strncat(response, buffer + chars_left, strlen(buffer));
 				chars_left = FASTBOOT_RESPONSE_LEN -
 						strlen(response) - 1;
 			}
 		}
 	}
 #endif
 	else {
 		char envstr[32];
@ -3108,10 +3258,10 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 	int status = 0;
 	int count = 0;
 	char *cmd = req->buf;
-	char var_name[FASTBOOT_RESPONSE_LEN - 1];
+	char var_name[FASTBOOT_RESPONSE_LEN];
 	char partition_base_name[MAX_PTN][16];
 	char slot_suffix[2][5] = {"a","b"};
-	char response[FASTBOOT_RESPONSE_LEN - 1];
+	char response[FASTBOOT_RESPONSE_LEN];
 	strsep(&cmd, ":");
 	if (!cmd) {
@ -3122,7 +3272,7 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 	if (!strcmp_l1("all", cmd)) {
-		memset(response, '\0', FASTBOOT_RESPONSE_LEN - 1);
+		memset(response, '\0', FASTBOOT_RESPONSE_LEN);
 		/* get common variables */
@ -3132,6 +3282,14 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 			fastboot_tx_write_more(response);
 		}
 		/* get at-vboot-state variables */
 #ifdef CONFIG_AVB_ATX
 		for (n = 0; n < AT_VBOOT_STATE_VAR_NUM; n++) {
 			snprintf(response, sizeof(response), "INFO%s:", fastboot_at_vboot_state_var[n]);
 			get_single_var(fastboot_at_vboot_state_var[n], response);
 			fastboot_tx_write_more(response);
 		}
 #endif
 		/* get partition type */
 		for (n = 0; n < g_pcount; n++) {
 			snprintf(response, sizeof(response), "INFOpartition-type:%s:", g_ptable[n].name);
@ -3191,7 +3349,35 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 		fastboot_tx_write_more(response);
 		return;
-	} else {
+	}
 #ifdef CONFIG_AVB_ATX
 	else if (!strcmp_l1("at-vboot-state", cmd)) {
 			/* get at-vboot-state variables */
 		for (n = 0; n < AT_VBOOT_STATE_VAR_NUM; n++) {
 			snprintf(response, sizeof(response), "INFO%s:", fastboot_at_vboot_state_var[n]);
 			get_single_var(fastboot_at_vboot_state_var[n], response);
 			fastboot_tx_write_more(response);
 		}
 		strncpy(response, "OKAY", 5);
 		fastboot_tx_write_more(response);
 		return;
 	} else if ((!strcmp_l1("bootloader-locked", cmd)) ||
 			(!strcmp_l1("bootloader-min-versions", cmd)) ||
 			(!strcmp_l1("avb-perm-attr-set", cmd)) ||
 			(!strcmp_l1("avb-locked", cmd)) ||
 			(!strcmp_l1("avb-unlock-disabled", cmd)) ||
 			(!strcmp_l1("avb-min-versions", cmd))) {
 		printf("Can't get this variable alone, get 'at-vboot-state' instead!\n");
 		snprintf(response, sizeof(response),
 			"FAILCan't get this variable alone, get 'at-vboot-state' instead.");
 		fastboot_tx_write_str(response);
 		return;
 	}
 #endif
 	else {
 		strncpy(response, "OKAY", 5);
 		status = get_single_var(cmd, response);
--- a/include/configs/imx8mq_evk_androidthings.h
+++ b/include/configs/imx8mq_evk_androidthings.h
@ -32,6 +32,13 @@
 #define CONFIG_ANDROID_RECOVERY
 /* Use below address to store the bootloader rbindex,
 * it's 4k offset to CONFIG_SYS_SPL_PTE_RAM_BASE
 * */
 #if defined(CONFIG_AVB_ATX) && defined(CONFIG_DUAL_BOOTLOADER)
 #define BL_RBINDEX_LOAD_ADDR 0x4157F000
 #endif
 #define CONFIG_CMD_BOOTA
 #define CONFIG_SUPPORT_RAW_INITRD
 #define CONFIG_SERIAL_TAG
--- a/lib/avb/fsl/fsl_avb_ab_flow.c
+++ b/lib/avb/fsl/fsl_avb_ab_flow.c
@ -208,6 +208,9 @@ static int spl_verify_rbidx(struct mmc *mmc, AvbABSlotData *slot,
 	kblb_hdr_t hdr;
 	kblb_tag_t *rbk;
 	uint64_t extract_idx;
 #ifdef CONFIG_AVB_ATX
 	struct bl_rbindex_package *bl_rbindex;
 #endif
 	/* Make sure rollback index has been initialized before verify */
 	if (rpmb_init()) {
@ -241,6 +244,16 @@ static int spl_verify_rbidx(struct mmc *mmc, AvbABSlotData *slot,
 			return -1;
 		}
 #ifdef CONFIG_AVB_ATX
 		/* Pass bootloader rbindex to u-boot here. */
 		bl_rbindex = (struct bl_rbindex_package *)BL_RBINDEX_LOAD_ADDR;
 		memcpy(bl_rbindex->magic, BL_RBINDEX_MAGIC, BL_RBINDEX_MAGIC_LEN);
 		if (slot->successful_boot != 0)
 			bl_rbindex->rbindex = spl_image->rbindex;
 		else
 			bl_rbindex->rbindex = extract_idx;
 #endif
 		return 0;
 	} else {
 		printf("Rollback index verify rejected!\n");
--- a/lib/avb/fsl/fsl_avbkey.h
+++ b/lib/avb/fsl/fsl_avbkey.h
@ -31,6 +31,15 @@
 #define AVB_KBLB_MAGIC "\0KBLB!"
 #define AVB_KBLB_MAGIC_LEN 6
 #if defined(CONFIG_AVB_ATX) && defined(CONFIG_DUAL_BOOTLOADER)
 #define BL_RBINDEX_MAGIC "BL_RBINDEX" 
 #define BL_RBINDEX_MAGIC_LEN 11
 struct bl_rbindex_package {
 	char magic[BL_RBINDEX_MAGIC_LEN];
 	uint32_t rbindex;
 };
 #endif
 #ifdef CONFIG_ANDROID_AUTO_SUPPORT
 #define RPMB_KEY_MAGIC "RPMB"
 #endif