From: Marco Felsch <m.felsch@pengutronix.de>
To: Sascha Hauer <s.hauer@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Cc: Marco Felsch <m.felsch@pengutronix.de>
Subject: [PATCH v2 5/9] i.MX: HAB: add imx_hab_revoke_key support
Date: Wed, 03 Jul 2024 19:20:22 +0200 [thread overview]
Message-ID: <20240703-v2024-05-0-topic-hab-v2-5-17419aa5d3a3@pengutronix.de> (raw)
In-Reply-To: <20240703-v2024-05-0-topic-hab-v2-0-17419aa5d3a3@pengutronix.de>
Add a helper to revoke an i.MX SRK key. At the moment the helper
supports i.MX8M devices only, but adding support for other SoCs can be
done easily by providing the .revoke_key() hook.
Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
---
drivers/hab/hab.c | 45 ++++++++++++++++++++++++++++++++++++++++
include/hab.h | 1 +
include/mach/imx/ocotp-fusemap.h | 1 +
3 files changed, 47 insertions(+)
diff --git a/drivers/hab/hab.c b/drivers/hab/hab.c
index 28a091841a69..7c840303d395 100644
--- a/drivers/hab/hab.c
+++ b/drivers/hab/hab.c
@@ -231,6 +231,27 @@ static int imx8m_hab_device_locked_down_ocotp(void)
return v;
}
+static int imx8m_hab_revoke_key_ocotp(unsigned key_idx)
+{
+ int ret;
+
+ /* Prohibit revocation of last possible key */
+ if (key_idx >= 4)
+ return -EINVAL;
+
+ ret = imx_ocotp_srk_revoke_locked();
+ if (ret < 0)
+ return ret;
+
+ /* Return -EINVAL in case the SRK_REVOKE write is locked */
+ if (ret == 1)
+ return -EINVAL;
+
+ ret = imx_ocotp_write_field(MX8M_OCOTP_SRK_REVOKE, BIT(key_idx));
+
+ return ret;
+}
+
struct imx_hab_ops {
int (*write_srk_hash)(const u8 *srk, unsigned flags);
int (*read_srk_hash)(u8 *srk);
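Review bot: The bound `if (key_idx >= 4)` in imx8m_hab_revoke_key_ocotp() does not do what the comment above it says: it only rejects out-of-range indexes, so index 3, the top bit of the 4-bit MX8M_OCOTP_SRK_REVOKE field this patch defines, is still accepted. As far as this hunk shows, nothing stops a caller from revoking every SRK one after another. If the intent is that one key must always remain usable, the check should read `if (key_idx >= 3)`; if all four bits are meant to be writable, the comment should instead say `/* Reject indexes outside the 4-bit SRK_REVOKE field */`. Returning -EINVAL for the locked case as well makes a bad index indistinguishable from a locked SRK_REVOKE; a distinct code such as `return -EPERM;` would let callers tell the two apart.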
@@ -238,6 +259,7 @@ struct imx_hab_ops {
int (*lockdown_device)(unsigned flags);
int (*device_locked_down)(void);
int (*print_status)(void);
+ int (*revoke_key)(unsigned key_idx);
};
static struct imx_hab_ops imx_hab_ops_iim = {
@@ -265,6 +287,7 @@ static struct imx_hab_ops imx8m_hab_ops_ocotp = {
.device_locked_down = imx8m_hab_device_locked_down_ocotp,
.permanent_write_enable = imx_hab_permanent_write_enable_ocotp,
.print_status = imx8m_hab_print_status,
+ .revoke_key = imx8m_hab_revoke_key_ocotp,
};
static int imx_ahab_write_srk_hash(const u8 *__newsrk, unsigned flags)
@@ -536,3 +559,25 @@ static int init_imx_hab_print_status(void)
return 0;
}
postmmu_initcall(init_imx_hab_print_status);
+
+int imx_hab_revoke_key(unsigned key_idx, bool permanent)
+{
+ struct imx_hab_ops *ops = imx_get_hab_ops();
+ int ret;
+
+ if (!ops || !ops->revoke_key)
+ return -ENOSYS;
+
+ if (permanent) {
+ ret = ops->permanent_write_enable(1);
+ if (ret)
+ return ret;
+ }
+
+ ret = ops->revoke_key(key_idx);
+
+ if (permanent)
+ ops->permanent_write_enable(0);
+
+ return ret;
+}
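Review bot: imx_hab_revoke_key() checks `ops->revoke_key` but then calls `ops->permanent_write_enable(1)` unchecked, so an ops table that sets .revoke_key without .permanent_write_enable would dereference a NULL pointer; the guard could be `if (!ops || !ops->revoke_key || (permanent && !ops->permanent_write_enable)) return -ENOSYS;`. The return value of `ops->permanent_write_enable(0)` is also dropped, so a failure to leave permanent-write mode goes unreported when the revocation itself succeeded; consider propagating it when `ret` is 0. The function has no comment; one stating which `key_idx` values are valid, what `permanent == false` means for the write, and that a permanent revocation presumably cannot be undone would help callers of this exported helper.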
diff --git a/include/hab.h b/include/hab.h
index 2cef3841d149..7a70c67f0488 100644
--- a/include/hab.h
+++ b/include/hab.h
@@ -51,5 +51,6 @@ int imx_hab_read_srk_hash(void *buf);
int imx_hab_lockdown_device(unsigned flags);
int imx_hab_device_locked_down(void);
int imx_hab_print_status(void);
+int imx_hab_revoke_key(unsigned key_idx, bool permanent);
#endif /* __HABV4_H */
diff --git a/include/mach/imx/ocotp-fusemap.h b/include/mach/imx/ocotp-fusemap.h
index c4f94e61e8f8..e6fa96b40ba9 100644
--- a/include/mach/imx/ocotp-fusemap.h
+++ b/include/mach/imx/ocotp-fusemap.h
@@ -57,5 +57,6 @@
#define MX8M_OCOTP_SRK_LOCK (OCOTP_WORD(0x400) | OCOTP_BIT(9) | OCOTP_WIDTH(1))
#define MX8M_OCOTP_SEC_CONFIG_1 (OCOTP_WORD(0x470) | OCOTP_BIT(25) | OCOTP_WIDTH(1))
#define MX8MQ_OCOTP_DIR_BT_DIS (OCOTP_WORD(0x470) | OCOTP_BIT(27) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_SRK_REVOKE (OCOTP_WORD(0x670) | OCOTP_BIT(0) | OCOTP_WIDTH(4))
#endif /* __MACH_IMX_OCOTP_FUSEMAP_H */
--
2.39.2
2024-07-03 17:20 [PATCH v2 0/9] i.MX8M HAB and OCOTP additions and fixes Marco Felsch
2024-07-03 17:20 ` [PATCH v2 1/9] i.MX: HABv4: fix SRK_LOCK for i.MX8M devices Marco Felsch
2024-07-03 18:48 ` Ahmad Fatoum
2024-07-03 17:20 ` [PATCH v2 2/9] nvmem: ocotp: add support to get/set srk_revoke sticky bit Marco Felsch
2024-07-03 17:20 ` [PATCH v2 3/9] nvmem: ocotp: add support to query the field-return " Marco Felsch
2024-07-03 17:20 ` [PATCH v2 4/9] hab: convert flags to use BIT() macro Marco Felsch
2024-07-03 17:20 ` Marco Felsch [this message]
2024-07-03 17:20 ` [PATCH v2 6/9] i.MX: HABv4: add more i.MX8M fuse defines Marco Felsch
2024-07-03 17:20 ` [PATCH v2 7/9] i.MX8M: HABv4: add an option to allow key revocation Marco Felsch
2024-07-03 18:29 ` Ahmad Fatoum
2024-07-04 8:15 ` Marco Felsch
2024-07-30 8:27 ` Ahmad Fatoum
2024-07-30 10:38 ` Marco Felsch
2024-07-03 17:20 ` [PATCH v2 8/9] i.MX8M: HABv4: add option to allow burning the field-return fuse Marco Felsch
2024-07-03 17:20 ` [PATCH v2 9/9] i.MX: HAB: add imx_hab_field_return support Marco Felsch
2024-07-15 9:09 ` (subset) [PATCH v2 0/9] i.MX8M HAB and OCOTP additions and fixes Sascha Hauer