Re: [PATCH 4/4] commands: hab: extend by field_return fuse burn

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

From: Marco Felsch <m.felsch@pengutronix.de>
To: Fabian Pflug <f.pflug@pengutronix.de>
Cc: BAREBOX <barebox@lists.infradead.org>
Subject: Re: [PATCH 4/4] commands: hab: extend by field_return fuse burn
Date: Thu, 18 Dec 2025 21:03:28 +0100	[thread overview]
Message-ID: <20251218200328.rrbdzbslik7ztdjf@pengutronix.de> (raw)
In-Reply-To: <20251218-v2025-11-0-topic-imx6-field-return-v1-4-3781143198d6@pengutronix.de>

On 25-12-18, Fabian Pflug wrote:
> Extend hab command with an additional parameter to burn the field return
> fuse, but only if it is unlocked via the kconfig option.
> Without the kconfig option, the extra argument makes no sense, as it
> would not be possible to access the FIELD_RETURN fuse.
> 
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
>  arch/arm/mach-imx/Kconfig |  6 +++++-
>  commands/hab.c            | 20 +++++++++++++++++---
>  2 files changed, 22 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index 5f50d1a823..5fea0bbbca 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -926,13 +926,17 @@ config HABV4_CSF_UNLOCK_UID
>            feature. This value must match the per device UNIQUE_ID fuses.
>  
>  	  The below example shows the expected format. The UNIQUE_ID is
> -	  queried by Linux via:
> +	  printed during boot by barebox:
> +	    i.MX___ unique ID: 7766554433221100
> +	  or it can be queried by Linux via:
>              - cat /sys/devices/soc0/serial_number
>  	      7766554433221100
>  
>  	  So this value have to be set:
>  	    - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
>  
> +	  Afterwards, the `hab -p -r` command can be used to burn the fuse.

This Kconfig update should be done in a separate patch or at least
mentioned within the commit message.

> +
>  config HABV4_IMG_CRT_PEM
>  	string "Path to IMG certificate"
>  	default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> diff --git a/commands/hab.c b/commands/hab.c
> index 8ae943a4c8..435c20f4d3 100644
> --- a/commands/hab.c
> +++ b/commands/hab.c
> @@ -16,9 +16,9 @@ static int do_hab(int argc, char *argv[])
>  	char *srkhashfile = NULL, *srkhash = NULL;
>  	unsigned flags = 0;
>  	u8 srk[SRK_HASH_SIZE];
> -	int lockdown = 0, info = 0;
> +	int lockdown = 0, info = 0, field_return = 0;
>  
> -	while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
> +	while ((opt = getopt(argc, argv, "s:fpx:lir")) > 0) {
>  		switch (opt) {
>  		case 's':
>  			srkhashfile = optarg;
> @@ -38,12 +38,16 @@ static int do_hab(int argc, char *argv[])
>  		case 'i':
>  			info = 1;
>  			break;
> +		case 'r':
> +			field_return = 1;
> +			break;
>  		default:
>  			return COMMAND_ERROR_USAGE;
>  		}
>  	}
>  
> -	if (!info && !lockdown && !srkhashfile && !srkhash) {
> +	if (!info && !lockdown && !srkhashfile && !srkhash &&
> +	    !(IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN) && field_return)) {
		^
I would drop the CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN check here and
instead just check the: !field_return option...

>  		printf("Nothing to do\n");
>  		return COMMAND_ERROR_USAGE;
>  	}
> @@ -94,6 +98,13 @@ static int do_hab(int argc, char *argv[])
>  		printf("Device successfully locked down\n");
>  	}
>  
> +	if (IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN) && field_return) {

same here..

	if (field_return) {

> +		ret = imx_hab_field_return(flags & IMX_SRK_HASH_WRITE_PERMANENT);
> +		if (ret)
> +			return ret;

and instead check the return value here. If -EINVAL is returned, the
sticky bit is still locked because either the CSF SOC_UID is wrong or
the CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN wasn't enabled at all.
Therefore:

		if (ret) {
			if (ret == -EINVAL && IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
				printf("Field-return burn failed, check HABV4_CSF_UNLOCK_UID!\n");
			else if (ret == -EINVAL && !IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
				printf("Field-return burn failed because CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN=n\n");
			else
				printf("Field-return burn failed\n");

			return ret;
		}

> +		printf("Field return fuse successfully burnt\n");
> +	}
> +
>  	return 0;
>  }
>  
> @@ -105,6 +116,9 @@ BAREBOX_CMD_HELP_OPT ("-x <sha256>",  "Burn Super Root Key hash from hex string"
>  BAREBOX_CMD_HELP_OPT ("-i",  "Print HAB info")
>  BAREBOX_CMD_HELP_OPT ("-f",  "Force. Write even when a key is already written")
>  BAREBOX_CMD_HELP_OPT ("-l",  "Lockdown device. Dangerous! After executing only signed images can be booted")
> +#ifdef CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN

IMHO we shouldn't add conditional compilation here.

Regards,
  Marco


> +BAREBOX_CMD_HELP_OPT ("-r",  "Field Return. Dangerous! After executing signed images are disabled forever.")
> +#endif // CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN
>  BAREBOX_CMD_HELP_OPT ("-p",  "Permanent. Really burn fuses. Be careful!")
>  BAREBOX_CMD_HELP_END
>  
> 
> -- 
> 2.47.3
> 
> 

-- 
#gernperDu 
#CallMeByMyFirstName

Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-9    |

     prev parent reply	other threads:[~2025-12-18 20:04 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-12-18 17:36 [PATCH 0/4] i.mx: hab/ocotop: extend field return to i.MX6 Fabian Pflug
2025-12-18 17:36 ` [PATCH 1/4] arm: mach-imx6: use kconfig for field return Fabian Pflug
2025-12-18 19:12   ` Marco Felsch
2025-12-18 17:36 ` [PATCH 2/4] nvmem: ocotp: extend support to query the sticky bit Fabian Pflug
2025-12-18 19:16   ` Marco Felsch
2025-12-18 17:36 ` [PATCH 3/4] i.MX: HAB: extend field_return support to imx6 Fabian Pflug
2025-12-18 19:23   ` Marco Felsch
2025-12-18 17:36 ` [PATCH 4/4] commands: hab: extend by field_return fuse burn Fabian Pflug
2025-12-18 20:03   ` Marco Felsch [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251218200328.rrbdzbslik7ztdjf@pengutronix.de \
    --to=m.felsch@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    --cc=f.pflug@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox