[PATCH v3 00/10] i.MX8M HAB and OCOTP additions and fixes

[PATCH v3 00/10] i.MX8M HAB and OCOTP additions and fixes

[Stefan Kerkmann]

Hi,

this fixes the HABv4 locking on i.MX8M devices and add additional
features like:
 - key revocation
 - field-return burning
 - additional security related fuse defintions
 - automatic locking of the gp5 eFuse on i.MX8MP SoCs

---
Changes in v3:
- added GP5_LOCK support for i.MX8MP devices
- renamed HABV4_CSF_UNLOCK_SRK_REVOKE to HABV4_CSF_SRK_REVOKE_UNLOCK
- adapted to HAB_CERTS_ENV
- Link to v2:
https://lore.barebox.org/20240703-v2024-05-0-topic-hab-v2-0-17419aa5d3a3@pengutronix.de

Changes in v2:
- Link to v1:
https://lore.barebox.org/barebox/Zmv2KyQq3ACxksc_@pengutronix.de/
- adapt patch-1 commit message
- make use of 'bool permanent' parameter instead of introducing new
  IMX_SRK_* flags.

To: Sascha Hauer <s.hauer@pengutronix.de>
To: open list:BAREBOX <barebox@lists.infradead.org>

---
Marco Felsch (8):
      nvmem: ocotp: add support to get/set srk_revoke sticky bit
      nvmem: ocotp: add support to query the field-return sticky bit
      hab: convert flags to use BIT() macro
      i.MX: HAB: add imx_hab_revoke_key support
      i.MX: HABv4: add more i.MX8M fuse defines
      i.MX8M: HABv4: add an option to allow key revocation
      i.MX8M: HABv4: add option to allow burning the field-return fuse
      i.MX: HAB: add imx_hab_field_return support

Stefan Kerkmann (2):
      i.mx8: ocotp: add GPx_LOCK defines
      hab: lock GP5 on i.MX8MP socs

 arch/arm/mach-imx/Kconfig            | 34 +++++++++++++
 drivers/hab/hab.c                    | 98 ++++++++++++++++++++++++++++++++++--
 drivers/nvmem/ocotp.c                | 79 +++++++++++++++++++++++++++++
 include/hab.h                        |  9 ++--
 include/mach/imx/habv4-imx8-gencsf.h | 13 +++++
 include/mach/imx/ocotp-fusemap.h     | 28 +++++++++++
 include/mach/imx/ocotp.h             |  3 ++
 scripts/Makefile.lib                 |  1 +
 8 files changed, 258 insertions(+), 7 deletions(-)
---
base-commit: fb590cfa8fea6906d3f78dd409856d350e24b582
change-id: 20240703-v2024-05-0-topic-hab-218bab0e829c

Best regards,
-- 
Stefan Kerkmann <s.kerkmann@pengutronix.de>

[PATCH v3 01/10] nvmem: ocotp: add support to get/set srk_revoke sticky bit

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

The i.MX8M* devices do have an sticky bit which indicates if the
srk_revoke fuse can be written. Add support to query and to set the lock
bit.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 drivers/nvmem/ocotp.c    | 55 ++++++++++++++++++++++++++++++++++++++++++++++++
 include/mach/imx/ocotp.h |  2 ++
 2 files changed, 57 insertions(+)

diff --git a/drivers/nvmem/ocotp.c b/drivers/nvmem/ocotp.c
index c282efefa82422dc16839c52b65d9dd829edd358..c0517980fb18870002be01ca3240d41d662e0231 100644
--- a/drivers/nvmem/ocotp.c
+++ b/drivers/nvmem/ocotp.c
@@ -52,6 +52,7 @@
 #define OCOTP_DATA			0x20
 #define OCOTP_READ_CTRL			0x30
 #define OCOTP_READ_FUSE_DATA		0x40
+#define OCOTP_SW_STICKY			0x50
 
 #define MX7_OCOTP_DATA0			0x20
 #define MX7_OCOTP_DATA1			0x30
@@ -89,6 +90,8 @@
 #define OCOTP_TIMING_STROBE_PROG	GENMASK(11, 0)
 #define OCOTP_TIMING_WAIT		GENMASK(27, 22)
 
+#define OCOTP_SW_STICKY_SRK_REVOKE_LOCK		BIT(1)
+
 #define OCOTP_READ_CTRL_READ_FUSE	BIT(1)
 
 #define OCOTP_OFFSET_TO_ADDR(o) (OCOTP_OFFSET_TO_INDEX(o) * 4)
@@ -147,6 +150,8 @@ struct imx_ocotp_data {
 	int (*set_timing)(struct ocotp_priv *priv);
 	int (*fuse_read)(struct ocotp_priv *priv, u32 addr, u32 *pdata);
 	int (*fuse_blow)(struct ocotp_priv *priv, u32 addr, u32 value);
+	bool (*srk_revoke_locked)(struct ocotp_priv *priv);
+	void (*lock_srk_revoke)(struct ocotp_priv *priv);
 	u8  mac_offsets[MAX_MAC_OFFSETS];
 	u8  mac_offsets_num;
 	struct imx8m_featctrl_data *feat;
@@ -273,6 +278,20 @@ static int imx6_ocotp_prepare(struct ocotp_priv *priv)
 	return 0;
 }
 
+static bool imx8m_srk_revoke_locked(struct ocotp_priv *priv)
+{
+	return readl(priv->base + OCOTP_SW_STICKY) & OCOTP_SW_STICKY_SRK_REVOKE_LOCK;
+}
+
+static void imx8m_lock_srk_revoke(struct ocotp_priv *priv)
+{
+	u32 val;
+
+	val = readl(priv->base + OCOTP_SW_STICKY);
+	val |= OCOTP_SW_STICKY_SRK_REVOKE_LOCK;
+	writel(val, priv->base + OCOTP_SW_STICKY);
+}
+
 static int imx6_fuse_read_addr(struct ocotp_priv *priv, u32 addr, u32 *pdata)
 {
 	const u32 bm_ctrl_error = priv->data->ctrl->bm_error;
@@ -625,6 +644,36 @@ int imx_ocotp_sense_enable(bool enable)
 	return old_value;
 }
 
+int imx_ocotp_srk_revoke_locked(void)
+{
+	int ret;
+
+	ret = imx_ocotp_ensure_probed();
+	if (ret)
+		return ret;
+
+	if (imx_ocotp->data->srk_revoke_locked)
+		return imx_ocotp->data->srk_revoke_locked(imx_ocotp);
+
+	return -ENOSYS;
+}
+
+int imx_ocotp_lock_srk_revoke(void)
+{
+	int ret;
+
+	ret = imx_ocotp_ensure_probed();
+	if (ret)
+		return ret;
+
+	if (imx_ocotp->data->lock_srk_revoke) {
+		imx_ocotp->data->lock_srk_revoke(imx_ocotp);
+		return 0;
+	}
+
+	return -ENOSYS;
+}
+
 static void imx_ocotp_format_mac(u8 *dst, const u8 *src,
 				 enum imx_ocotp_format_mac_direction dir)
 {
@@ -985,6 +1034,8 @@ static struct imx_ocotp_data imx8mp_ocotp_data = {
 	.set_timing = imx6_ocotp_set_timing,
 	.fuse_blow = imx6_fuse_blow_addr,
 	.fuse_read = imx6_fuse_read_addr,
+	.srk_revoke_locked = imx8m_srk_revoke_locked,
+	.lock_srk_revoke = imx8m_lock_srk_revoke,
 	.ctrl = &ocotp_ctrl_reg_8mp,
 };
 
@@ -1014,6 +1065,8 @@ static struct imx_ocotp_data imx8mm_ocotp_data = {
 	.set_timing = imx6_ocotp_set_timing,
 	.fuse_blow = imx6_fuse_blow_addr,
 	.fuse_read = imx6_fuse_read_addr,
+	.srk_revoke_locked = imx8m_srk_revoke_locked,
+	.lock_srk_revoke = imx8m_lock_srk_revoke,
 	.feat = &imx8mm_featctrl_data,
 	.ctrl = &ocotp_ctrl_reg_default,
 };
@@ -1032,6 +1085,8 @@ static struct imx_ocotp_data imx8mn_ocotp_data = {
 	.set_timing = imx6_ocotp_set_timing,
 	.fuse_blow = imx6_fuse_blow_addr,
 	.fuse_read = imx6_fuse_read_addr,
+	.srk_revoke_locked = imx8m_srk_revoke_locked,
+	.lock_srk_revoke = imx8m_lock_srk_revoke,
 	.feat = &imx8mn_featctrl_data,
 	.ctrl = &ocotp_ctrl_reg_default,
 };
diff --git a/include/mach/imx/ocotp.h b/include/mach/imx/ocotp.h
index 5f7b88f716a71544c9db919e3ef7b1d9917dc80b..7a516ff789b962b741782c888a47aaff8cb6e902 100644
--- a/include/mach/imx/ocotp.h
+++ b/include/mach/imx/ocotp.h
@@ -36,6 +36,8 @@ int imx_ocotp_read_field(uint32_t field, unsigned *value);
 int imx_ocotp_write_field(uint32_t field, unsigned value);
 int imx_ocotp_permanent_write(int enable);
 int imx_ocotp_sense_enable(bool enable);
+int imx_ocotp_srk_revoke_locked(void);
+int imx_ocotp_lock_srk_revoke(void);
 
 static inline u64 imx_ocotp_read_uid(void __iomem *ocotp)
 {

-- 
2.39.5

[PATCH v3 02/10] nvmem: ocotp: add support to query the field-return sticky bit

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

The i.MX8M* devices do have an sticky bit which indicates if the
field-return fuse can be written. Add support to query the lock bit.

To make it easy to read align the STICKY bit definitions as well.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 drivers/nvmem/ocotp.c    | 24 ++++++++++++++++++++++++
 include/mach/imx/ocotp.h |  1 +
 2 files changed, 25 insertions(+)

diff --git a/drivers/nvmem/ocotp.c b/drivers/nvmem/ocotp.c
index c0517980fb18870002be01ca3240d41d662e0231..87cc95a636f3d0127e401edb6ec99d206cac561b 100644
--- a/drivers/nvmem/ocotp.c
+++ b/drivers/nvmem/ocotp.c
@@ -91,6 +91,7 @@
 #define OCOTP_TIMING_WAIT		GENMASK(27, 22)
 
 #define OCOTP_SW_STICKY_SRK_REVOKE_LOCK		BIT(1)
+#define OCOTP_SW_STICKY_FIELD_RETURN_LOCK	BIT(2)
 
 #define OCOTP_READ_CTRL_READ_FUSE	BIT(1)
 
@@ -152,6 +153,7 @@ struct imx_ocotp_data {
 	int (*fuse_blow)(struct ocotp_priv *priv, u32 addr, u32 value);
 	bool (*srk_revoke_locked)(struct ocotp_priv *priv);
 	void (*lock_srk_revoke)(struct ocotp_priv *priv);
+	bool (*field_return_locked)(struct ocotp_priv *priv);
 	u8  mac_offsets[MAX_MAC_OFFSETS];
 	u8  mac_offsets_num;
 	struct imx8m_featctrl_data *feat;
@@ -292,6 +294,11 @@ static void imx8m_lock_srk_revoke(struct ocotp_priv *priv)
 	writel(val, priv->base + OCOTP_SW_STICKY);
 }
 
+static bool imx8m_field_return_locked(struct ocotp_priv *priv)
+{
+	return readl(priv->base + OCOTP_SW_STICKY) & OCOTP_SW_STICKY_FIELD_RETURN_LOCK;
+}
+
 static int imx6_fuse_read_addr(struct ocotp_priv *priv, u32 addr, u32 *pdata)
 {
 	const u32 bm_ctrl_error = priv->data->ctrl->bm_error;
@@ -674,6 +681,20 @@ int imx_ocotp_lock_srk_revoke(void)
 	return -ENOSYS;
 }
 
+int imx_ocotp_field_return_locked(void)
+{
+	int ret;
+
+	ret = imx_ocotp_ensure_probed();
+	if (ret)
+		return ret;
+
+	if (imx_ocotp->data->field_return_locked)
+		return imx_ocotp->data->field_return_locked(imx_ocotp);
+
+	return -ENOSYS;
+}
+
 static void imx_ocotp_format_mac(u8 *dst, const u8 *src,
 				 enum imx_ocotp_format_mac_direction dir)
 {
@@ -1036,6 +1057,7 @@ static struct imx_ocotp_data imx8mp_ocotp_data = {
 	.fuse_read = imx6_fuse_read_addr,
 	.srk_revoke_locked = imx8m_srk_revoke_locked,
 	.lock_srk_revoke = imx8m_lock_srk_revoke,
+	.field_return_locked = imx8m_field_return_locked,
 	.ctrl = &ocotp_ctrl_reg_8mp,
 };
 
@@ -1067,6 +1089,7 @@ static struct imx_ocotp_data imx8mm_ocotp_data = {
 	.fuse_read = imx6_fuse_read_addr,
 	.srk_revoke_locked = imx8m_srk_revoke_locked,
 	.lock_srk_revoke = imx8m_lock_srk_revoke,
+	.field_return_locked = imx8m_field_return_locked,
 	.feat = &imx8mm_featctrl_data,
 	.ctrl = &ocotp_ctrl_reg_default,
 };
@@ -1087,6 +1110,7 @@ static struct imx_ocotp_data imx8mn_ocotp_data = {
 	.fuse_read = imx6_fuse_read_addr,
 	.srk_revoke_locked = imx8m_srk_revoke_locked,
 	.lock_srk_revoke = imx8m_lock_srk_revoke,
+	.field_return_locked = imx8m_field_return_locked,
 	.feat = &imx8mn_featctrl_data,
 	.ctrl = &ocotp_ctrl_reg_default,
 };
diff --git a/include/mach/imx/ocotp.h b/include/mach/imx/ocotp.h
index 7a516ff789b962b741782c888a47aaff8cb6e902..e6f62a9da48ccc38818777e2e7c3f445fe880b3e 100644
--- a/include/mach/imx/ocotp.h
+++ b/include/mach/imx/ocotp.h
@@ -38,6 +38,7 @@ int imx_ocotp_permanent_write(int enable);
 int imx_ocotp_sense_enable(bool enable);
 int imx_ocotp_srk_revoke_locked(void);
 int imx_ocotp_lock_srk_revoke(void);
+int imx_ocotp_field_return_locked(void);
 
 static inline u64 imx_ocotp_read_uid(void __iomem *ocotp)
 {

-- 
2.39.5

[PATCH v3 03/10] hab: convert flags to use BIT() macro

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

Make use of the BIT() macro to define the flags, no functional change.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 include/hab.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/include/hab.h b/include/hab.h
index da79a8ffea36435c9520f9f72fc0f259bcc08926..2cef3841d149972faebcc51bd5c43fab03d1c6fa 100644
--- a/include/hab.h
+++ b/include/hab.h
@@ -7,6 +7,7 @@
 #define __HABV4_H
 
 #include <errno.h>
+#include <linux/bits.h>
 
 /* State definitions */
 enum habv4_state {
@@ -32,15 +33,15 @@ static inline int habv4_get_state(void)
 #define SRK_HASH_SIZE	32
 
 /* Force writing of key, even when a key is already written */
-#define IMX_SRK_HASH_FORCE		(1 << 0)
+#define IMX_SRK_HASH_FORCE		BIT(0)
 /* Permanently write fuses, without this flag only the shadow registers
  * are written.
  */
-#define IMX_SRK_HASH_WRITE_PERMANENT	(1 << 1)
+#define IMX_SRK_HASH_WRITE_PERMANENT	BIT(1)
 /* When writing the super root key hash, also burn the write protection
  * fuses so that the key hash can not be modified.
  */
-#define IMX_SRK_HASH_WRITE_LOCK		(1 << 2)
+#define IMX_SRK_HASH_WRITE_LOCK		BIT(2)
 
 bool imx_hab_srk_hash_valid(const void *buf);
 int imx_hab_write_srk_hash(const void *buf, unsigned flags);

-- 
2.39.5

[PATCH v3 04/10] i.MX: HAB: add imx_hab_revoke_key support

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

Add an helper to revoke an i.MX SRK key. At the moment the helper
supprts i.MX8M devices only, but adding support for other SoCs can be
done easily by providing the .revoke_key() hook.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 drivers/hab/hab.c                | 45 ++++++++++++++++++++++++++++++++++++++++
 include/hab.h                    |  1 +
 include/mach/imx/ocotp-fusemap.h |  1 +
 3 files changed, 47 insertions(+)

diff --git a/drivers/hab/hab.c b/drivers/hab/hab.c
index f684e9f1cc20ae09c39d52331c6529375e315137..b966410eacfea4763ac9959c17a552cb7580a6f4 100644
--- a/drivers/hab/hab.c
+++ b/drivers/hab/hab.c
@@ -231,6 +231,27 @@ static int imx8m_hab_device_locked_down_ocotp(void)
 	return v;
 }
 
+static int imx8m_hab_revoke_key_ocotp(unsigned key_idx)
+{
+	int ret;
+
+	/* Prohibit revocation of last possible key */
+	if (key_idx >= 4)
+		return -EINVAL;
+
+	ret = imx_ocotp_srk_revoke_locked();
+	if (ret < 0)
+		return ret;
+
+	/* Return -EINVAL in case the SRK_REVOKE write is locked */
+	if (ret == 1)
+		return -EINVAL;
+
+	ret = imx_ocotp_write_field(MX8M_OCOTP_SRK_REVOKE, BIT(key_idx));
+
+	return ret;
+}
+
 struct imx_hab_ops {
 	int (*write_srk_hash)(const u8 *srk, unsigned flags);
 	int (*read_srk_hash)(u8 *srk);
@@ -238,6 +259,7 @@ struct imx_hab_ops {
 	int (*lockdown_device)(unsigned flags);
 	int (*device_locked_down)(void);
 	int (*print_status)(void);
+	int (*revoke_key)(unsigned key_idx);
 };
 
 static struct imx_hab_ops imx_hab_ops_iim = {
@@ -265,6 +287,7 @@ static struct imx_hab_ops imx8m_hab_ops_ocotp = {
 	.device_locked_down = imx8m_hab_device_locked_down_ocotp,
 	.permanent_write_enable = imx_hab_permanent_write_enable_ocotp,
 	.print_status = imx8m_hab_print_status,
+	.revoke_key = imx8m_hab_revoke_key_ocotp,
 };
 
 static int imx_ahab_write_srk_hash(const u8 *__newsrk, unsigned flags)
@@ -538,3 +561,25 @@ static int init_imx_hab_print_status(void)
 	return 0;
 }
 postmmu_initcall(init_imx_hab_print_status);
+
+int imx_hab_revoke_key(unsigned key_idx, bool permanent)
+{
+	struct imx_hab_ops *ops = imx_get_hab_ops();
+	int ret;
+
+	if (!ops || !ops->revoke_key)
+		return -ENOSYS;
+
+	if (permanent) {
+		ret = ops->permanent_write_enable(1);
+		if (ret)
+			return ret;
+	}
+
+	ret = ops->revoke_key(key_idx);
+
+	if (permanent)
+		ops->permanent_write_enable(0);
+
+	return ret;
+}
diff --git a/include/hab.h b/include/hab.h
index 2cef3841d149972faebcc51bd5c43fab03d1c6fa..7a70c67f048819dec0581f7e7e130fe8477b6fc4 100644
--- a/include/hab.h
+++ b/include/hab.h
@@ -51,5 +51,6 @@ int imx_hab_read_srk_hash(void *buf);
 int imx_hab_lockdown_device(unsigned flags);
 int imx_hab_device_locked_down(void);
 int imx_hab_print_status(void);
+int imx_hab_revoke_key(unsigned key_idx, bool permanent);
 
 #endif /* __HABV4_H */
diff --git a/include/mach/imx/ocotp-fusemap.h b/include/mach/imx/ocotp-fusemap.h
index c4f94e61e8f8cc3ce2eb702e22ebe7d674c887fd..e6fa96b40ba915594eff1fad2e10b6653c74301b 100644
--- a/include/mach/imx/ocotp-fusemap.h
+++ b/include/mach/imx/ocotp-fusemap.h
@@ -57,5 +57,6 @@
 #define MX8M_OCOTP_SRK_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(9) | OCOTP_WIDTH(1))
 #define MX8M_OCOTP_SEC_CONFIG_1		(OCOTP_WORD(0x470) | OCOTP_BIT(25) | OCOTP_WIDTH(1))
 #define MX8MQ_OCOTP_DIR_BT_DIS		(OCOTP_WORD(0x470) | OCOTP_BIT(27) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_SRK_REVOKE		(OCOTP_WORD(0x670) | OCOTP_BIT(0) | OCOTP_WIDTH(4))
 
 #endif /* __MACH_IMX_OCOTP_FUSEMAP_H */

-- 
2.39.5

[PATCH v3 05/10] i.MX: HABv4: add more i.MX8M fuse defines

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

Add more common i.MX8M fuse defines so they can be reused by board code.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 include/mach/imx/ocotp-fusemap.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/mach/imx/ocotp-fusemap.h b/include/mach/imx/ocotp-fusemap.h
index e6fa96b40ba915594eff1fad2e10b6653c74301b..1aece9195ff9a60739d84dfef02c86657f77da0b 100644
--- a/include/mach/imx/ocotp-fusemap.h
+++ b/include/mach/imx/ocotp-fusemap.h
@@ -55,8 +55,18 @@
 #define OCOTP_PAD_SETTINGS		(OCOTP_WORD(0x6d0) | OCOTP_BIT(0) | OCOTP_WIDTH(6))
 /* i.MX8M moved the security related fuses */
 #define MX8M_OCOTP_SRK_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(9) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_SJC_RESP_LOCK	(OCOTP_WORD(0x400) | OCOTP_BIT(10) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_USB_ID_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(12) | OCOTP_WIDTH(2))
+#define MX8M_OCOTP_KTE			(OCOTP_WORD(0x470) | OCOTP_BIT(20) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_SJC_DISABLE		(OCOTP_WORD(0x470) | OCOTP_BIT(21) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_JTAG_SMODE		(OCOTP_WORD(0x470) | OCOTP_BIT(22) | OCOTP_WIDTH(2))
 #define MX8M_OCOTP_SEC_CONFIG_1		(OCOTP_WORD(0x470) | OCOTP_BIT(25) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_JTAG_HEO		(OCOTP_WORD(0x470) | OCOTP_BIT(26) | OCOTP_WIDTH(1))
 #define MX8MQ_OCOTP_DIR_BT_DIS		(OCOTP_WORD(0x470) | OCOTP_BIT(27) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_FORCE_COLD_BOOT	(OCOTP_WORD(0x470) | OCOTP_BIT(29) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_TZASC_EN		(OCOTP_WORD(0x480) | OCOTP_BIT(11) | OCOTP_WIDTH(1))
+#define MX8MP_OCOTP_ROM_NO_LOG		(OCOTP_WORD(0x480) | OCOTP_BIT(22) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_RECOVERY_SDMMC_BOOT_DIS	(OCOTP_WORD(0x490) | OCOTP_BIT(23) | OCOTP_WIDTH(1))
 #define MX8M_OCOTP_SRK_REVOKE		(OCOTP_WORD(0x670) | OCOTP_BIT(0) | OCOTP_WIDTH(4))
 
 #endif /* __MACH_IMX_OCOTP_FUSEMAP_H */

-- 
2.39.5

[PATCH v3 06/10] i.MX8M: HABv4: add an option to allow key revocation

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

The HAB code needs an special [Unlock] instruction to keep the
SRK_REVOKE fuse bank unlocked. This is required if a key needs to be
revoked.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig            | 8 ++++++++
 include/mach/imx/habv4-imx8-gencsf.h | 6 ++++++
 2 files changed, 14 insertions(+)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index d1f8dc795b578fafd2bd2b4c1e59b85430668af7..c8a439b8a0b11fa168419ce77d7ee83fa86f2298 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -830,6 +830,14 @@ config HABV4_QSPI
 	help
 	  Enable this option to build signed QSPI/FlexSPI images.
 
+config HABV4_CSF_SRK_REVOKE_UNLOCK
+	depends on HABV4
+	bool "Unlock SRK revocation"
+	help
+	  Enable this option to instruct the HAB code to not lock
+	  the SRK_REVOKE_LOCK sticky bit. This is required for key
+	  revocation. Don't enable this if you are unsure.
+
 config HAB_CERTS_ENV
 	depends on HAB
 	bool "Specify certificates in environment"
diff --git a/include/mach/imx/habv4-imx8-gencsf.h b/include/mach/imx/habv4-imx8-gencsf.h
index 5f92ceceab00bcb740fc288c050be23e1ed307c2..b3d29f5896881ba2abeaa6d4b297a031240fac99 100644
--- a/include/mach/imx/habv4-imx8-gencsf.h
+++ b/include/mach/imx/habv4-imx8-gencsf.h
@@ -36,6 +36,12 @@ hab [Unlock]
 hab Engine = CAAM
 hab Features = RNG, MID
 
+#if defined(CONFIG_HABV4_CSF_SRK_REVOKE_UNLOCK)
+hab [Unlock]
+hab Engine = OCOTP
+hab Features = SRK REVOKE
+#endif
+
 hab [Install Key]
 /* verification key index in key store (0, 2...4) */
 hab Verification index = 0

-- 
2.39.5

[PATCH v3 07/10] i.MX8M: HABv4: add option to allow burning the field-return fuse

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

This adds the required Kconfig options which need to be enabled and
correctly set to build a custom device specific barebox image which can
be used to burn the FIELD_RETURN fuse.

The CST tool can't handle quoted UID strings so we need to define it on
the cmdline by using the -D switch. This removes the quotes within the
CSF file and the CST is happy.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 arch/arm/mach-imx/Kconfig            | 26 ++++++++++++++++++++++++++
 include/mach/imx/habv4-imx8-gencsf.h |  7 +++++++
 scripts/Makefile.lib                 |  1 +
 3 files changed, 34 insertions(+)

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index c8a439b8a0b11fa168419ce77d7ee83fa86f2298..779b986b872cac0126a006a592d72a462b46b5db 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -838,6 +838,16 @@ config HABV4_CSF_SRK_REVOKE_UNLOCK
 	  the SRK_REVOKE_LOCK sticky bit. This is required for key
 	  revocation. Don't enable this if you are unsure.
 
+config HABV4_CSF_UNLOCK_FIELD_RETURN
+	depends on HABV4
+	bool "Unlock field return"
+	help
+	  Enable this option to instruct the HAB code to not lock
+	  the FIELD_RETURN_LOCK sticky bit. This is required to be
+	  able to fuse the FIELD_RETURN fuse. It is also required
+	  that the CONFIG_HABV4_CSF_UNLOCK_UID is set correct as
+	  well.
+
 config HAB_CERTS_ENV
 	depends on HAB
 	bool "Specify certificates in environment"
@@ -858,6 +868,7 @@ config HAB_CERTS_ENV
 
 	  CONFIG_HABV4_TABLE_BIN
 	  CONFIG_HABV4_CSF_CRT_PEM
+	  CONFIG_HABV4_CSF_UNLOCK_UID
 	  CONFIG_HABV4_IMG_CRT_PEM
 
 config HABV4_SRK_INDEX
@@ -892,6 +903,21 @@ config HABV4_CSF_CRT_PEM
 	  This file will be inserted into the Command Sequence File
 	  (CSF) when using the CSF template that comes with barebox.
 
+config HABV4_CSF_UNLOCK_UID
+	depends on HABV4 && HABV4_CSF_UNLOCK_FIELD_RETURN
+	string "CSF Unlock UID"
+	help
+	  Device specific 64-bit UID Required to unlock the field-return
+          feature. This value must match the per device UNIQUE_ID fuses.
+
+	  The below example shows the expected format. The UNIQUE_ID is
+	  queried by Linux via:
+            - cat /sys/devices/soc0/serial_number
+	      7766554433221100
+
+	  So this value have to be set:
+	    - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
+
 config HABV4_IMG_CRT_PEM
 	string "Path to IMG certificate"
 	default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
diff --git a/include/mach/imx/habv4-imx8-gencsf.h b/include/mach/imx/habv4-imx8-gencsf.h
index b3d29f5896881ba2abeaa6d4b297a031240fac99..480f88fa9552c51fd94e8f11a1ddc03a544f8081 100644
--- a/include/mach/imx/habv4-imx8-gencsf.h
+++ b/include/mach/imx/habv4-imx8-gencsf.h
@@ -42,6 +42,13 @@ hab Engine = OCOTP
 hab Features = SRK REVOKE
 #endif
 
+#if defined(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN)
+hab [Unlock]
+hab Engine = OCOTP
+hab Features = FIELD RETURN
+hab UID = HABV4_CSF_UNLOCK_UID
+#endif
+
 hab [Install Key]
 /* verification key index in key store (0, 2...4) */
 hab Verification index = 0
diff --git a/scripts/Makefile.lib b/scripts/Makefile.lib
index 0f4e7307cb41dfe938a0bcef4117b396c1ae469f..5616acf3413d9709d703ac8ed90b0d72885603ce 100644
--- a/scripts/Makefile.lib
+++ b/scripts/Makefile.lib
@@ -565,6 +565,7 @@ imxcfg_cpp_flags  = -Wp,-MD,$(depfile) -nostdinc -x assembler-with-cpp \
       $(call overwrite-hab-env,CONFIG_HABV3_IMG_CRT_DER) \
       $(call overwrite-hab-env,CONFIG_HABV4_TABLE_BIN) \
       $(call overwrite-hab-env,CONFIG_HABV4_CSF_CRT_PEM) \
+      $(call overwrite-hab-env,CONFIG_HABV4_CSF_UNLOCK_UID) \
       $(call overwrite-hab-env,CONFIG_HABV4_IMG_CRT_PEM) \
       $(call overwrite-fit-env,CONFIG_BOOTM_FITIMAGE_PUBKEY) \
 

-- 
2.39.5

[PATCH v3 08/10] i.MX: HAB: add imx_hab_field_return support

[Stefan Kerkmann]

From: Marco Felsch <m.felsch@pengutronix.de>

Add a convenient helper to burn the field-return fuse which wraps the
platform specific hook. At the moment only i.MX8M devices are supported.
Adding support for other platforms can be done by providing the platform
specific hook.

Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 drivers/hab/hab.c                | 41 ++++++++++++++++++++++++++++++++++++++++
 include/hab.h                    |  1 +
 include/mach/imx/ocotp-fusemap.h |  1 +
 3 files changed, 43 insertions(+)

diff --git a/drivers/hab/hab.c b/drivers/hab/hab.c
index b966410eacfea4763ac9959c17a552cb7580a6f4..0f0c8766f069697944570290cb5796430ddae125 100644
--- a/drivers/hab/hab.c
+++ b/drivers/hab/hab.c
@@ -252,6 +252,23 @@ static int imx8m_hab_revoke_key_ocotp(unsigned key_idx)
 	return ret;
 }
 
+static int imx8m_hab_field_return_ocotp(void)
+{
+	int ret;
+
+	ret = imx_ocotp_field_return_locked();
+	if (ret < 0)
+		return ret;
+
+	/* Return -EINVAL in case the FIELD_RETURN write is locked */
+	if (ret == 1)
+		return -EINVAL;
+
+	ret = imx_ocotp_write_field(MX8M_OCOTP_FIELD_RETURN, 1);
+
+	return ret;
+}
+
 struct imx_hab_ops {
 	int (*write_srk_hash)(const u8 *srk, unsigned flags);
 	int (*read_srk_hash)(u8 *srk);
@@ -260,6 +277,7 @@ struct imx_hab_ops {
 	int (*device_locked_down)(void);
 	int (*print_status)(void);
 	int (*revoke_key)(unsigned key_idx);
+	int (*field_return)(void);
 };
 
 static struct imx_hab_ops imx_hab_ops_iim = {
@@ -288,6 +306,7 @@ static struct imx_hab_ops imx8m_hab_ops_ocotp = {
 	.permanent_write_enable = imx_hab_permanent_write_enable_ocotp,
 	.print_status = imx8m_hab_print_status,
 	.revoke_key = imx8m_hab_revoke_key_ocotp,
+	.field_return = imx8m_hab_field_return_ocotp,
 };
 
 static int imx_ahab_write_srk_hash(const u8 *__newsrk, unsigned flags)
@@ -583,3 +602,25 @@ int imx_hab_revoke_key(unsigned key_idx, bool permanent)
 
 	return ret;
 }
+
+int imx_hab_field_return(bool permanent)
+{
+	struct imx_hab_ops *ops = imx_get_hab_ops();
+	int ret;
+
+	if (!ops || !ops->field_return)
+		return -ENOSYS;
+
+	if (permanent) {
+		ret = ops->permanent_write_enable(1);
+		if (ret)
+			return ret;
+	}
+
+	ret = ops->field_return();
+
+	if (permanent)
+		ops->permanent_write_enable(0);
+
+	return ret;
+}
diff --git a/include/hab.h b/include/hab.h
index 7a70c67f048819dec0581f7e7e130fe8477b6fc4..393cf0513e0cbbf4040dc624b26e4a297a1f50e4 100644
--- a/include/hab.h
+++ b/include/hab.h
@@ -52,5 +52,6 @@ int imx_hab_lockdown_device(unsigned flags);
 int imx_hab_device_locked_down(void);
 int imx_hab_print_status(void);
 int imx_hab_revoke_key(unsigned key_idx, bool permanent);
+int imx_hab_field_return(bool permanent);
 
 #endif /* __HABV4_H */
diff --git a/include/mach/imx/ocotp-fusemap.h b/include/mach/imx/ocotp-fusemap.h
index 1aece9195ff9a60739d84dfef02c86657f77da0b..37f1ee8298c2ae47406c6ae58b73f1eba9effed8 100644
--- a/include/mach/imx/ocotp-fusemap.h
+++ b/include/mach/imx/ocotp-fusemap.h
@@ -67,6 +67,7 @@
 #define MX8M_OCOTP_TZASC_EN		(OCOTP_WORD(0x480) | OCOTP_BIT(11) | OCOTP_WIDTH(1))
 #define MX8MP_OCOTP_ROM_NO_LOG		(OCOTP_WORD(0x480) | OCOTP_BIT(22) | OCOTP_WIDTH(1))
 #define MX8M_OCOTP_RECOVERY_SDMMC_BOOT_DIS	(OCOTP_WORD(0x490) | OCOTP_BIT(23) | OCOTP_WIDTH(1))
+#define MX8M_OCOTP_FIELD_RETURN		(OCOTP_WORD(0x630) | OCOTP_BIT(0) | OCOTP_WIDTH(1))
 #define MX8M_OCOTP_SRK_REVOKE		(OCOTP_WORD(0x670) | OCOTP_BIT(0) | OCOTP_WIDTH(4))
 
 #endif /* __MACH_IMX_OCOTP_FUSEMAP_H */

-- 
2.39.5

[PATCH v3 09/10] i.mx8: ocotp: add GPx_LOCK defines

[Stefan Kerkmann]

The GPx_LOCK registers changed position in the fuse map from the i.MX6
series and derivates to the i.MX8 series with i.MX8MP being different
again.

The defines have been derived from:

IMX8MNRM Rev. 2 (i.MX8MN)
IMX8MPRM Rev. 3 (i.MX8MP)
IMX8MMRM Rev. 3 (i.MX8MM)

Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 include/mach/imx/ocotp-fusemap.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/mach/imx/ocotp-fusemap.h b/include/mach/imx/ocotp-fusemap.h
index 37f1ee8298c2ae47406c6ae58b73f1eba9effed8..3c961998b0fc4bd374331342baaa2051163309ae 100644
--- a/include/mach/imx/ocotp-fusemap.h
+++ b/include/mach/imx/ocotp-fusemap.h
@@ -12,6 +12,22 @@
 #define OCOTP_MAC_ADDR_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(8) | OCOTP_WIDTH(2))
 #define OCOTP_GP1_LOCK			(OCOTP_WORD(0x400) | OCOTP_BIT(10) | OCOTP_WIDTH(2))
 #define OCOTP_GP2_LOCK			(OCOTP_WORD(0x400) | OCOTP_BIT(12) | OCOTP_WIDTH(2))
+
+/* available on i.MX8 */
+#define MX8M_OCOTP_GP1_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(20) | OCOTP_WIDTH(2))
+#define MX8M_OCOTP_GP2_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(22) | OCOTP_WIDTH(2))
+#define MX8M_OCOTP_GP5_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(24) | OCOTP_WIDTH(2))
+
+/* available on i.MX8MP */
+#define MX8MP_OCOTP_GP1_LOCK	MX8M_OCOTP_GP1_LOCK
+#define MX8MP_OCOTP_GP2_LOCK	MX8M_OCOTP_GP2_LOCK
+#define MX8MP_OCOTP_GP4_LOCK	(OCOTP_WORD(0x410) | OCOTP_BIT(4)  | OCOTP_WIDTH(2))
+#define MX8MP_OCOTP_GP5_LOCK	(OCOTP_WORD(0x410) | OCOTP_BIT(8)  | OCOTP_WIDTH(2))
+#define MX8MP_OCOTP_GP6_LOCK	(OCOTP_WORD(0x410) | OCOTP_BIT(10) | OCOTP_WIDTH(2))
+#define MX8MP_OCOTP_GP7_LOCK	(OCOTP_WORD(0x410) | OCOTP_BIT(12) | OCOTP_WIDTH(2))
+#define MX8MP_OCOTP_GP8_LOCK	(OCOTP_WORD(0x410) | OCOTP_BIT(14) | OCOTP_WIDTH(2))
+#define MX8MP_OCOTP_GP9_LOCK	(OCOTP_WORD(0x410) | OCOTP_BIT(16) | OCOTP_WIDTH(2))
+
 #define OCOTP_SRK_LOCK			(OCOTP_WORD(0x400) | OCOTP_BIT(14) | OCOTP_WIDTH(1))
 #define OCOTP_ANALOG_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(18) | OCOTP_WIDTH(2))
 #define OCOTP_MISC_CONF_LOCK		(OCOTP_WORD(0x400) | OCOTP_BIT(22) | OCOTP_WIDTH(1))

-- 
2.39.5

[PATCH v3 10/10] hab: lock GP5 on i.MX8MP socs

[Stefan Kerkmann]

This change locks down the GP5 eFuses against modification on i.MX8MP
SoCs. To cite the i.MX8MP reference manual (Rev. 3):

  The GP5_LOCK eFuse locks the upper 64 bits of the 128-bit UNIQUE_ID
  (UID) eFuse field. The users must program the GP5_LOCK eFuse to b'11
  (WP+OP), thereby locking the upper 64-bit UID eFuse field. For devices
  shipped with date codes 2435 and later, the GP5_LOCK has been
  programmed to b'11 by NXP in production. Only devices with date codes
  prior to 2435 should be programmed to update the GP5_LOCK eFuse to
  b'11.

Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
---
 drivers/hab/hab.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/hab/hab.c b/drivers/hab/hab.c
index 0f0c8766f069697944570290cb5796430ddae125..7fb759c152379dda2d43f139baf1aa6cf2051234 100644
--- a/drivers/hab/hab.c
+++ b/drivers/hab/hab.c
@@ -200,11 +200,15 @@ static int imx8m_hab_lockdown_device_ocotp(unsigned flags)
 	if (ret < 0)
 		return ret;
 
-	/* Only i.MX8MQ requires fusing of DIR_BT_DIS */
-	if (!cpu_is_mx8mq())
-		return ret;
+	/* Lock upper 64bit of the 128bit UNIQUE_ID eFuse field on i.MX8MP */
+	if (cpu_is_mx8mp())
+		return imx_ocotp_write_field(MX8MP_OCOTP_GP5_LOCK, 0b11);
 
-	return imx_ocotp_write_field(MX8MQ_OCOTP_DIR_BT_DIS, 1);
+	/* Only i.MX8MQ requires fusing of DIR_BT_DIS */
+	if (cpu_is_mx8mq())
+		return imx_ocotp_write_field(MX8MQ_OCOTP_DIR_BT_DIS, 1);
+
+	return 0;
 }
 
 static int imx6_hab_device_locked_down_ocotp(void)

-- 
2.39.5

Re: [PATCH v3 00/10] i.MX8M HAB and OCOTP additions and fixes

[Sascha Hauer]

On Thu, 23 Jan 2025 15:56:05 +0100, Stefan Kerkmann wrote:
> this fixes the HABv4 locking on i.MX8M devices and add additional
> features like:
>  - key revocation
>  - field-return burning
>  - additional security related fuse defintions
>  - automatic locking of the gp5 eFuse on i.MX8MP SoCs
> 
> [...]

Applied, thanks!

[01/10] nvmem: ocotp: add support to get/set srk_revoke sticky bit
        https://git.pengutronix.de/cgit/barebox/commit/?id=5b39c1064607 (link may not be stable)
[02/10] nvmem: ocotp: add support to query the field-return sticky bit
        https://git.pengutronix.de/cgit/barebox/commit/?id=df4871b9fd7a (link may not be stable)
[03/10] hab: convert flags to use BIT() macro
        https://git.pengutronix.de/cgit/barebox/commit/?id=76020dfb4d1b (link may not be stable)
[04/10] i.MX: HAB: add imx_hab_revoke_key support
        https://git.pengutronix.de/cgit/barebox/commit/?id=1cf409e48bb7 (link may not be stable)
[05/10] i.MX: HABv4: add more i.MX8M fuse defines
        https://git.pengutronix.de/cgit/barebox/commit/?id=e92b769fc7e2 (link may not be stable)
[06/10] i.MX8M: HABv4: add an option to allow key revocation
        https://git.pengutronix.de/cgit/barebox/commit/?id=e0602f983ce4 (link may not be stable)
[07/10] i.MX8M: HABv4: add option to allow burning the field-return fuse
        https://git.pengutronix.de/cgit/barebox/commit/?id=a499b77f25b0 (link may not be stable)
[08/10] i.MX: HAB: add imx_hab_field_return support
        https://git.pengutronix.de/cgit/barebox/commit/?id=79241ac489e5 (link may not be stable)
[09/10] i.mx8: ocotp: add GPx_LOCK defines
        https://git.pengutronix.de/cgit/barebox/commit/?id=6cc096461cb9 (link may not be stable)
[10/10] hab: lock GP5 on i.MX8MP socs
        https://git.pengutronix.de/cgit/barebox/commit/?id=33f78b77d667 (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>