[PATCH RFC 3/3] commands: implement rksecure command

[Michael Tretter <m.tretter@pengutronix.de>]

The rksecure command allows the user to read the current status of
secure boot of a Rockchip board. Furthermore, it allows to burn a
Public Root Key hash and enable secure boot on rk3588 via the Rockchip
Secure Boot PTA.

The command and its options are inspired by the hab command for i.MX
SoCs.

Signed-off-by: Michael Tretter <m.tretter@pengutronix.de>
---
 commands/Kconfig    |   9 +++
 commands/Makefile   |   1 +
 commands/rksecure.c | 155 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 165 insertions(+)

diff --git a/commands/Kconfig b/commands/Kconfig
index 76e56835f625..f94c7278e72e 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -2328,6 +2328,15 @@ config CMD_K3_KEYWRITER
 	help
 	  The K3 keywriter command provides support for fusing TI AM62Lx SoCs
 
+config CMD_RKSECURE
+	bool
+	depends on OPTEE_RKSECURE
+	select PRINTF_HEXSTR
+	prompt "Rockchip Secure Boot"
+	help
+	  The rksecure command allows to retrieve information about and enable
+	  secure boot for Rockchip rk3588 SoCs.
+
 # end Hardware manipulation commands
 endmenu
 
diff --git a/commands/Makefile b/commands/Makefile
index d92adc7138a3..2563efb12f4e 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -172,4 +172,5 @@ obj-$(CONFIG_CMD_HOST)		+= host.o
 obj-$(CONFIG_CMD_DMSETUP)	+= dmsetup.o
 obj-$(CONFIG_CMD_VERITYSETUP)	+= veritysetup.o
 obj-$(CONFIG_CMD_SCONFIG)	+= sconfig.o
+obj-$(CONFIG_CMD_RKSECURE)	+= rksecure.o
 UBSAN_SANITIZE_ubsan.o := y
diff --git a/commands/rksecure.c b/commands/rksecure.c
new file mode 100644
index 000000000000..e9b7e204c1bd
--- /dev/null
+++ b/commands/rksecure.c
@@ -0,0 +1,155 @@
+// SPDX-License-Identifier: GPL-2.0-only
+
+#include <common.h>
+
+#include <command.h>
+#include <crypto/sha.h>
+#include <errno.h>
+#include <getopt.h>
+#include <libfile.h>
+#include <linux/kstrtox.h>
+
+#include <rk_secure_boot.h>
+
+static int rksecure_write_hash_hex(const char *hex, u32 key_size_bits)
+{
+	int ret;
+	u8 digest[SHA256_DIGEST_SIZE];
+
+	if (strlen(hex) != SHA256_DIGEST_SIZE * 2) {
+		pr_err("%s has wrong size: Expected %d characters\n",
+		       hex, SHA256_DIGEST_SIZE * 2);
+		return -EINVAL;
+	}
+
+	ret = hex2bin(digest, hex, SHA256_DIGEST_SIZE);
+	if (ret < 0) {
+		pr_err("Failed to parse hash %s\n", hex);
+		return -EINVAL;
+	}
+
+	return rk_secure_boot_burn_hash(digest, key_size_bits);
+}
+
+static int rksecure_write_hash_file(const char *filename, u32 key_size_bits)
+{
+	int ret;
+	size_t size;
+	void *digest;
+
+	ret = read_file_2(filename, &size, &digest, SHA256_DIGEST_SIZE + 1);
+	if (ret)
+		return ret;
+	if (size != SHA256_DIGEST_SIZE) {
+		pr_err("%s has wrong size: Expected %d bytes\n",
+		       filename, SHA256_DIGEST_SIZE);
+		return -EINVAL;
+	}
+
+	ret = rk_secure_boot_burn_hash(digest, key_size_bits);
+
+	free(digest);
+
+	return ret;
+}
+
+static int rksecure_print_info(void)
+{
+	struct rk_secure_boot_info info;
+	int ret;
+
+	ret = rk_secure_boot_get_info(&info);
+	if (ret)
+		pr_err("Failed to read secure boot info\n");
+		return ret;
+
+	printf("Public Root Key hash: %*phN\n"
+	       "Secure boot: %s\n"
+	       "Simulation: %s\n",
+	       (int)sizeof(info.hash), info.hash,
+	       info.lockdown ? "enabled" : "disabled",
+	       info.simulation ? "enabled" : "disabled");
+
+	return 0;
+}
+
+static int do_rksecure(int argc, char *argv[])
+{
+	int opt;
+	int ret;
+	char *hashfile = NULL;
+	char *hash = NULL;
+	int lockdown = 0;
+	int info = 0;
+	int key_size_bits = 0;
+
+	while ((opt = getopt(argc, argv, "s:x:b:li")) > 0) {
+		switch (opt) {
+		case 's':
+			hashfile = optarg;
+			break;
+		case 'x':
+			hash = optarg;
+			break;
+		case 'b':
+			kstrtouint(optarg, 10, &key_size_bits);
+			break;
+		case 'l':
+			lockdown = 1;
+			break;
+		case 'i':
+			info = 1;
+			break;
+		default:
+			return COMMAND_ERROR_USAGE;
+		}
+	}
+
+	if (!info && !lockdown && !hashfile && !hash)
+		return COMMAND_ERROR_USAGE;
+
+	if (info)
+		return rksecure_print_info();
+
+	if (hashfile && hash) {
+		printf("-s and -x options may not be given together\n");
+		return COMMAND_ERROR_USAGE;
+	}
+
+	if (hashfile) {
+		ret = rksecure_write_hash_file(hashfile, key_size_bits);
+		if (ret)
+			return ret;
+	} else if (hash) {
+		ret = rksecure_write_hash_hex(hash, key_size_bits);
+		if (ret)
+			return ret;
+	}
+
+	if (lockdown) {
+		ret = rk_secure_boot_lockdown_device();
+		if (ret)
+			return ret;
+		printf("Device successfully locked down\n");
+	}
+
+	return 0;
+}
+
+BAREBOX_CMD_HELP_START(rksecure)
+BAREBOX_CMD_HELP_TEXT("Manage Rockchip Secure Boot")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_OPT ("-i",		"Print info about secure boot status")
+BAREBOX_CMD_HELP_OPT ("-s <file>",	"Burn Super Root Key hash from <file>")
+BAREBOX_CMD_HELP_OPT ("-x <sha256>",	"Burn Super Root Key hash from hex string")
+BAREBOX_CMD_HELP_OPT ("-b <bits>",	"Bit length of signing key")
+BAREBOX_CMD_HELP_OPT ("-l",		"Lockdown device. Dangerous! After executing only signed images can be booted")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(rksecure)
+	.cmd = do_rksecure,
+	BAREBOX_CMD_DESC("Manage Rockchip Secure Boot")
+	BAREBOX_CMD_OPTS("isxbl")
+	BAREBOX_CMD_GROUP(CMD_GRP_HWMANIP)
+	BAREBOX_CMD_HELP(cmd_rksecure_help)
+BAREBOX_CMD_END

-- 
2.47.3