Commit Graph

44 Commits

Author SHA1 Message Date
faqiang.zhu 0d6d880779 MA-14629 fix build warnings for variable initialization and type cast
Initialize potentially uninitialized variables of type "char*" to
NULL in AVB. The "hashtree_error_mode" in code is manually specified
with a known value; the cases listed cover all potential values of
"hashtree_error_mode".

Explicitly do a type cast for memcpy parameters.

Change-Id: Ie5d234422a273d6dab75585bd0d8eb81583707ca
Signed-off-by: faqiang.zhu <faqiang.zhu@nxp.com>
2019-04-18 18:49:33 +08:00
Luo Ji dfdf60c69c MA-14374 [coverity] Fix coverity issues in fsl_avbkey.c
Fix coverity issues as:
  CID 5899697: Dereference before null check (REVERSE_INULL)
  CID 3616594: Unchecked return value (CHECKED_RETURN)
  CID 3616598: Resource leak (RESOURCE_LEAK)
  CID 3616591: Resource leak (RESOURCE_LEAK)

Test: Coverity scan pass.

Change-Id: I70abb41c3cd825c6eec43dc7e5baec716ae46680
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2019-03-14 17:24:19 +08:00
Ji Luo e0343ea466 MA-14318-1 Support dual bootloader for xen
Trusty is not supported for xen so we don't need to check
the keyslot package or rollback index in spl. Reassign the
dram address for spl and u-boot to avoid conflicts.

Support serial init functions to enable debug console
in spl when xen is running.

Test: Boot and A/B slot switch on imx8qm_mek.

Change-Id: If6829252f1ec2e32255f951715c8747181951fd0
Signed-off-by: Ji Luo <ji.luo@nxp.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
2019-03-12 17:33:39 +08:00
Luo Ji 40f95bfc01 MA-14280 [coverity] Fix resource leak in libavb
Fix resource leak in libavb, coverity issue:
  CID 5899691: Resource leak (RESOURCE_LEAK) leaked_storage: Variable
  hash_out going out of scope leaks the storage it points to.

  CID 5899689: Resource leak (RESOURCE_LEAK) leaked_storage: Variable
  hash_buf going out of scope leaks the storage it points to.

  CID 5899688: Uninitialized pointer read (UNINIT) uninit_use: Using
  uninitialized value digest.

  CID 5899692: Structurally dead code (UNREACHABLE) unreachable: This
  code cannot be reached: goto out;

Test: Coverity scan pass.

Change-Id: If8e26fdd383c32a9160775006621830b42c0f07e
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2019-03-12 14:50:52 +08:00
Ji Luo 55dbdd9d56 MA-14121 Only free hash buffer for Android Auto
The hash buffer is allocated on the stack if we don't use
CAAM to accelerate the hash calculation, so don't free
the hash buffer in that case.

Test: Boot ok on imx8qm.

Change-Id: I3b3dcc0e8359848b4f9c58c802d51f0a76931e5e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2019-02-22 10:14:31 +08:00
Ji Luo 3a62d022b9 MA-14118 Avoid slot switch if retry count is exhausted in spl
The A/B slot is chosen at spl stage and should be kept up to
u-boot stage. Decreasing the slot retry count will cause a slot switch
when the slot only has one chance left.
Set the 'bootloader_verified' flag when the current slot is running its last
chance at spl; u-boot will treat the slot as bootable if the
'reserved' flag is set even if the retry count is exhausted.

Test: Slot not switch during 7 times reboot try.

Change-Id: I7ae84b2ce683300a1bb332606cd58e48483214ea
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2019-02-22 10:13:28 +08:00
Ji Luo 7eebccd173 MA-14043 Fix avb verify fail in adb reboot test
During AVB verify, CAAM will be invoked to calculate the hash
of boot.img and dtbo.img. ALLOC_CACHE_ALIGN_BUFFER() supports
allocating a cache-aligned buffer on the *stack*, which may cause
'dirty' dcache data to be flushed to dram after CAAM operations
complete.

Use memalign() to allocate cache aligned buffer on *heap* to
fix this issue.

Test: 1200 times reboot test on imx8qm and 2300 times reboot
      on imx8qxp.

Change-Id: I8f86248df318093d44a46dcab76306377898766e
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2019-02-22 10:13:16 +08:00
Ji Luo fd421f74db MA-14051 Enable trusty for imx8q xen
Open configs to add trusty os support for imx8q xen
build. The rpmb keyslot package must be checked and
copied to secure memory before trusty os boot.

Change-Id: I66201783fa8439f2685377c10f257f064057dcfa
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2019-01-31 12:41:00 +08:00
Ji Luo 71562aae3b MA-13938 [Android] imx8q: Support dual bootloader feature
Support dual bootloader feature for imx8q which uses the
container format. Move the A/B slot select and verify to
SPL stage, the bootloader rollback index will be stored
at the last 8K bytes of eMMC rpmb storage.

Test: Boot and rbindex verify pass on imx8q.

Change-Id: I0a48210f65984a083037a0cd3f9558951029ed7d
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2019-01-18 12:07:21 +08:00
Ji Luo e05d44f550 MA-13832 [Trusty] Support random rpmb key set
Sometimes we need to set a random rpmb key which is invisible
except to the device.
Generate the random key with the hwcrypto interface and support the
fastboot command "fastboot oem set-rpmb-random-key" to set it.

Test: build and boot on imx8q.

Change-Id: I44e1b6b091366d8ffceb1159fc65c17610ce5243
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-12-24 09:13:38 +08:00
Ji Luo fc734f07d7 MA-13759-1 imx8mm: Enable trusty support
Open configs to enable trusty for imx8mm_evk and also
add new config imx8mm_evk_android_trusty_defconfig based
on imx8mm_evk_android_defconfig.

Test: Trusty starts ok.

Change-Id: Iaea90de21f886ed23082a5e8e8d2fa7fb139a9cb
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-12-12 21:02:10 +08:00
Ji Luo 57f07af56b MA-13682 Don't include hard-code public key for Auto
This will reduce some image size for Android Auto.

Test: build and boot on imx8qm_mek.

Change-Id: I023801a542f83398126d5af23c0a1eb2080c5063
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-12-05 10:24:10 +08:00
Ji Luo 2d831d95f7 MA-13629 [Trusty] Add commands to set vbmeta public key
Add commands to write/read vbmeta public key to/from secure
storage. The vbmeta public key can only be set once.
Commands to set the public key:
  fastboot stage <path-to-your-public-key>
  fastboot oem set-public-key

Test: build and boot on imx8qxp_mek.

Change-Id: Id3ad4aa5aacef4fc8443f6a2d6ccb931310970ca
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-12-04 09:53:12 +08:00
Ji Luo d7c768a690 MA-13628 [Auto] Read/Write rollback index from rpmb
Secure storage is ready in trusty so we should read/write the rollback
index from rpmb.
But for boards without an rpmb key, reading/writing the rpmb will fail and will
block the following avb verify process. In this case, check if the rpmb
key has been set and always return AVB_IO_RESULT_OK for the boards without
an rpmb key.

Test: build and boot pass on imx8qm_mek.

Change-Id: I10c438e56d049ae97ebedfc446c8202642630d8b
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-12-04 09:53:12 +08:00
Luo Ji f042c8f7ca MA-13487 Refine fsl avb functions
Too many macros are used in fsl_avbkey.c, which
makes it difficult to maintain.
This patch refines it by:
  1. Move all avb/atx operations to fsl_avb.c.
  2. Refine the functions logic.
  3. Drop some unsupported conditions/functions.

Test: build and boot on
      imx8qm_mek/imx8mq_evk/imx6qp_sabresd/imx7d_pico/imx8m_aiy.

Change-Id: I5c99732acfc47d53cdf188d69223983777e577f4
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-11-21 20:56:03 +08:00
Ji Luo e48ceaae24 [iot] Update rollback index when slot has been marked as successful
The rollback index should be updated when avb verify passes
and the slot has been marked as successful; update the
rollback index also for those with the dual bootloader
feature enabled.
This commit also fixes some config condition issues so
read/write rollback index with trusty will work.

Test: rollback index updated successfully on
      imx7d_pico and AIY.

Change-Id: I2344d6462249d8d88f0622d331cdeffc7e12f885
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-12 09:18:38 +08:00
Ji Luo b57739cac7 [iot] Support fastboot variable 'at-vboot-state'
Add support for fastboot variable 'at-vboot-state', it's composed
of 6 sub-variables: 'bootloader-locked', 'bootloader-min-versions',
'avb-perm-attr-set', 'avb-locked', 'avb-unlock-disabled' and
'avb-min-versions'.

Test: All 'at-vboot-state' variables are returned
      correctly on imx7d_pico and AIY.

Change-Id: Ibb855cbcc7c41657af62dafb98a96c4dfb96ef22
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-12 09:18:37 +08:00
Ji Luo aebefa8046 [iot] Support command 'oem at-disable-unlock-vboot'
Device will be locked permanently after disabling the unlock vboot, store
the disable unlock vboot status into fuse. Since the fuse write operation
is irreversible, config 'CONFIG_AVB_FUSE' is disabled by default; users
need to add this config manually and run this command again.

Test: Disable unlock vboot bit is set after enabling "CONFIG_AVB_FUSE",
      device was locked permanently after running this command. This is
      verified on both imx7d_pico and AIY.

Change-Id: Iad8991a238763b1d662e33cba65f0b9eb44e97ef
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-12 09:18:37 +08:00
Ji Luo c14e9d4e27 [iot] Support lock vboot for Android Things
Support "fastboot oem at-lock-vboot" command for Android
Things, this command can only be called after perm-attr
has been fused.

Test: build and boot ok on imx7d_pico and AIY.

Change-Id: Ifcfeb2a38d88c5d12b46a1d9ea61b182ae2e7bcb
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-12 09:18:37 +08:00
Ji Luo d4a0dbd9a4 [iot] Support authenticated unlock
Add fastboot commands "fastboot oem at-get-vboot-unlock-challenge"
and "fastboot oem at-unlock-vboot" to support the authenticated
unlock feature for Android Things devices. Use a software random
number generator to generate the 16 byte random challenge, it
should be replaced with a hardware encrypted random generator when
the TEE part is ready.

Test: Generate unlock challenge by:
        ./avbtool make_atx_unlock_credential
        --output=atx_unlock_credential.bin
        --intermediate_key_certificate=atx_pik_certificate.bin
        --unlock_key_certificate=atx_puk_certificate.bin
        --challenge=my_generated_challenge.bin
        --unlock_key=testkey_atx_puk.pem
      validated the unlock credential successfully on imx7d_pico
      and AIY.

Change-Id: I4b8cee87c9e96924169479b65020a081136681f6
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-12 09:18:37 +08:00
Haoran.Wang 9d5a4e04e2 [iot] Support ARM64 for Trusty OS
Align the callback to ARM64 environment for
Trusty OS.

TEST: AIY-3G & AIY-1G board's TIPC and AVB handler
      works.

Change-Id: I65806f56267a4a9278db04a462e351da181618cc
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-11-12 09:18:36 +08:00
Luo Ji a37a72c84f MA-13357 [Trusty] Init hwcrypto service even rpmb key not set
RPMB storage proxy service will return failure if the rpmb key is not
correct, we should not return early here if the rpmb key has not
been set because we still need to initialize the hwcrypto service
to generate the rpmb key blob.
This commit also adds more hints when setting the rpmb key.

Change-Id: I8ee59e4e277b545283d63b1070e671d508dbe0c2
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-11-09 16:26:24 +08:00
Ji Luo 8cd43400c1 MA-13276 [Auto] Generate key blob when set the rpmb key
Generate the key blob and store it to the last block of the boot1 partition
after setting the rpmb key. The key blob should be checked in spl and be
passed to Trusty OS if it's valid. If the key blob is damaged, RPMB
storage proxy service will return failure and should make the device hang.

Test: Build and boot ok on imx8qm/qxp.

Change-Id: Ia274cd72109ab6ae15920e91b2a2008e1f1e667c
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-02 20:50:09 -05:00
Ji Luo 86b33989f4 MA-13234 [Auto] Calculate SHA256 hash with CAAM
Use CAAM to accelerate SHA256 hash calculation in AVB,
this will reduce u-boot boot time, about 570ms can be
saved for imx8qxp.

Test: Build and boot ok for imx8qxp.

Change-Id: Idbbd781e5ad8e7d6cd8865190d7547c165d02190
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-11-02 20:50:09 -05:00
Ji Luo 557981f3ac MA-13048 [AUTO] Support program rpmb key with fastboot command
Add fastboot command "fastboot oem set-rpmb-key" to program the rpmb
key which should be staged first.
Usage:
      1. fastboot stage my-rpmb-key.bin
      2. fastboot oem set-rpmb-key

Test: rpmb key programed successfully on imx8qxp.

Change-Id: I95474a6367eb8ef0db16bb38680975b8c45b84f1
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-10-12 09:02:28 +08:00
Haoran.Wang cf2a6c19c8 MA-12699 Refine libavb for security features
Assign security features to specific config.
Now, use AVB_RPMB to enable RPMB stored rollback
index.

After this refine,
for imx6/7/8 Android release, use no AVB_RPMB,
for imx6/7 AndroidThings, use AVB_RPMB.

This patch also fixes the build error below for imx6/7:
vendor/nxp-opensource/uboot-imx/lib/avb/fsl/fsl_avbkey.c:711:2: error:
implicit declaration of function 'fsl_fuse_read'
[-Werror=implicit-function-declaration]
  if (fsl_fuse_read((uint32_t *)blob, RPMBKEY_FUSE_LENW,
RPMBKEY_FUSE_OFFSET)){

Change-Id: I734479f0627901f372f4b211b2e710bd103eb244
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-09-13 14:51:00 +08:00
Haoran.Wang 502522c089 [iot] Support ARM64 for Trusty OS
Align the callback to ARM64 environment for
Trusty OS.

TEST: AIY-3G & AIY-1G board's TIPC and AVB handler
      works.

Change-Id: I65806f56267a4a9278db04a462e351da181618cb
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-09-12 18:12:13 +08:00
Ji Luo b0e849fb2d MA-12421 Fix CAAM not work on Android Things
Blob buffer size is 48 bytes larger than the plain text buffer,
set the correct range when flushing the dcache. Also use a cache aligned
buffer for the blob/plain_text to avoid failure in CAAM.

Change-Id: I3b377cfeb8f5bd9c76233827b2c9c7bd0d788c9b
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-08-22 17:36:43 +08:00
Ji Luo c2763113af MA-12358 Only dump partition table when it's needed
Sometimes we don't need to dump the whole partition table when
some partition can't be found, only dump the partition table
when it's needed.

Test: Build and boot ok.

Change-Id: I52407f0117b73f4b3656fe2435b08dfc7a349939
Signed-off-by: Ji Luo <ji.luo@nxp.com>
2018-08-21 09:44:34 +08:00
Luo Ji 80834f323b [iot] Set power-on write protection for boot1 partition
The RPMB keyslot is stored in the last block of the boot1 partition which
is easily erased or tampered with, set power-on write protection for this
partition to prevent corruption.

Test: Power-on write protection works as expected on imx8m.

Change-Id: I7aadaed81ff81de680da9b20049f163a982e3d57
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-21 09:44:33 +08:00
Luo Ji a3f5218d38 [iot] Support rollback index protection at SPL stage
Bootloader image takes FIT format and the rollback index for bootloader
is stored at the "rbindex" node, SPL will read the rollback index for
bootloader and compare it with the one stored in RPMB. The stored
rollback index will be updated only when the current slot passes the verify
and has been marked as successful.

Bug:109947126
Test: Rollback index protection feature works fine for imx8m.

Change-Id: Ic12db4571287fbcb99e5eba0127e0b09378fa5d6
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-21 09:44:32 +08:00
Luo Ji 0bfb34cbcc [iot] Verify single slot in boota for dual bootloader
A/B switch logic will be moved to SPL stage if the dual bootloader
feature is enabled, in such case, we just need to verify the single
slot which is selected in SPL stage.

Test: verify and boot ok for imx8m.

Change-Id: Iafe0d2d4aea1c178551940808416eec4a3547259
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-20 21:31:57 +08:00
Luo Ji dbcf1e3cc0 [iot] Support dual bootloader in SPL
Move the A/B slot check to SPL, the A/B slot switch
workflow is just like what we have in libavb_ab.

Test: A/B select works fine on imx8m.

Change-Id: Ie3d827a9be0298b491bf2bc8d48833597fd70e90
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-20 21:31:28 +08:00
Luo Ji 484e0dca8b [iot] [coverity] Fix null dereferenced issues
Fix the null dereferenced issues from coverity scan results.
issue id:
  3618300:Dereference after null check
  3618364:Dereference after null check
  3618463:Dereference after null check
  3618470:Explicit null dereferenced
  3618520:Dereference after null check

Test: issue fixed by coverity scan.

Change-Id: I577ed094a1f9b493de61b84827c0e1157a4fbd2f
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-20 21:25:48 +08:00
Luo Ji a251106623 [iot] Fix 'calc_sha256' not defined error
'calc_sha256' should only be valid when CONFIG_IMX_TRUSTY_OS
is defined. Error message is like below:
  error: label 'calc_sha256' defined but not used
  [-Werror=unused-label]

Test: build pass with or without CONFIG_IMX_TRUSTY_OS enabled.

Change-Id: I0938e641596cb9faccd0c64f7c03d526dab3b7d4
Signed-off-by: Luo Ji <ji.luo@nxp.com>
Reviewed-on: http://androidsource.ap.freescale.net/project/4932
Reviewed-by: Wang Haoran <elven.wang@nxp.com>
2018-08-20 21:25:47 +08:00
Haoran.Wang a84bd6bf7b [iot] Use hard code key if no perm attr fused
For a device under development, the perm attr
not being fused will break the ATX/AVB unlock process and
make dm-verity parameters not output for the kernel.

Use the hard-coded one if Trusty OS didn't get the
perm attr.

Bug:93961668
Test: Verify kernel command line contains avb information.

Change-Id: Idd55dde79eed793dccdd7319600fbd04e11ca12d
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-08-20 21:25:47 +08:00
Yu Shan a1f5c4f9fb [iot] Minor format fix.
Test: None
Bug: None
Change-Id: I2c899e42d8b2911ed96df535c4864d1316d66383
2018-08-20 21:25:46 +08:00
Yu Shan fd2b83defa [iot] No touch RPMB when use Trusty
Since Trusty OS will handle RPMB, do not touch
the RPMB partition.

Change-Id: I07ed0e4a024171f6b353b038723ccd6e66a00d54
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-08-20 21:25:46 +08:00
Yu Shan fd9eec336e [iot] Support fastboot oem fuse at-perm-attr command
Support "fastboot oem fuse at-perm-attr" command for
ATX. The perm_attr will be stored into RPMB which is
managed by Trusty OS.
Modified permanent_attributes related AVB ops to
support Trusty OS backed RPMB storage.

Change-Id: Id6248570b4294fed3c45270064196bd6b9cf9208
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-08-20 21:25:45 +08:00
Yu Shan b92b0e1d49 [iot] Use Trusty OS to handle RollbackIndex and lock status
Use Trusty OS AVB manager to handle RollbackIndex and
lock status in the RPMB partition.

Change-Id: Idfe7234cfa31b2169af59b64e00f028542c49240
Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2018-08-20 21:25:45 +08:00
Luo Ji d2275a5926 [iot] Return full zero hash if fuse not initialized
Part of the permanent attributes hash was stored in
fuse for security reasons, however, the write
operation of fuse was disabled by default because
it was an irreversible operation. Returning
AVB_IO_RESULT_ERROR_IO will stop the following
AVB process and won't pass dm-verity related
commandlines to the kernel, in such case, the board
will fail to boot even in the unlocked state.

Return AVB_IO_RESULT_OK and a full zero
permanent attributes hash when the fuse
hasn't been initialized, and let the lock/unlock
policy in libavb handle the mismatch errors.

Test: imx7d_pico boot successfully with dm-verity feature.

Change-Id: I6bcf58ff8ce71859fa2d85c86572ea6de1c3a0df
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-20 21:25:44 +08:00
Luo Ji 449f9048e6 [iot] Update libavb in u-boot
This commit did:
1. Sync AVB lib with external/avb, head of commit is:
    commit 6d5326a945c2d17d5d0e7718d5cb97663c3b33a2
    Author: Neal Ostrem <nealo@google.com>
    Date:   Tue Apr 24 13:09:45 2018 -0700

        Merge fix/changes required after merge from AOSP ToT.

        Change library name to one used by AT.
        Test: Built successfully and unit tests pass.
        Change-Id: I5e5fc9a6010d96cfecfc6faf0858ba930cba65a0
2. Change product id in ATX to be full zeros to sync with
   external/avb.
3. Fix build errors and implement ops fsl_set_key_version.
4. Move most nxp modified code to lib/avb/fsl/.

Test: build and boot successfully for imx7d_pico and imx8m_phanbell.

Change-Id: I199a035fe8267b10955299a4b745458d40a2e754
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-08-20 21:25:44 +08:00
Luo Ji 4397a056bf MA-12216 [Android] Fix u-boot build errors
Type mismatch will cause some build warnings and they will be treated
as errors when '-Werror' is specified. Fix the error logs like below:
  error: cast from pointer to integer of different size
  [-Werror=pointer-to-int-cast]

Test: build pass for evk_imx8mm

Change-Id: I48489815c8310c659a5c7c860433c4a93cb0dc66
Signed-off-by: Luo Ji <ji.luo@nxp.com>
2018-07-19 18:15:34 +08:00
Ye Li 2105662ada MLK-18591-1 android: Add the AVB library
Porting the android AVB lib from imx u-boot v2017.03

Signed-off-by: Ye Li <ye.li@nxp.com>
2018-06-13 02:41:08 -07:00