From: Lucas Stach <l.stach@pengutronix.de>
To: Fabian Pflug <f.pflug@pengutronix.de>,
Marco Felsch <m.felsch@pengutronix.de>,
BAREBOX <barebox@lists.infradead.org>
Subject: Re: [PATCH v2 4/4] commands: hab: extend by field_return fuse burn
Date: Fri, 19 Dec 2025 11:03:22 +0100 [thread overview]
Message-ID: <c48ea48c64f4cd653e1f77f90377f82aa4b8c198.camel@pengutronix.de> (raw)
In-Reply-To: <20251219-v2025-11-0-topic-imx6-field-return-v2-4-2696ac61ae2d@pengutronix.de>
Am Freitag, dem 19.12.2025 um 10:06 +0100 schrieb Fabian Pflug:
> Extend hab command with an additional parameter to burn the field return
> fuse.
> Since there is now a convenient way to burn the field return fuse, give
> a hint at the Kconfig option about this, as it already describes what to
> do in order to burn the fuse to make it complete.
>
> Signed-off-by: Fabian Pflug <f.pflug@pengutronix.de>
> ---
> arch/arm/mach-imx/Kconfig | 6 +++++-
> commands/hab.c | 24 ++++++++++++++++++++----
> 2 files changed, 25 insertions(+), 5 deletions(-)
>
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index 5f50d1a823..5fea0bbbca 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -926,13 +926,17 @@ config HABV4_CSF_UNLOCK_UID
> feature. This value must match the per device UNIQUE_ID fuses.
>
> The below example shows the expected format. The UNIQUE_ID is
> - queried by Linux via:
> + printed during boot by barebox:
> + i.MX___ unique ID: 7766554433221100
> + or it can be queried by Linux via:
> - cat /sys/devices/soc0/serial_number
> 7766554433221100
>
> So this value have to be set:
> - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
>
> + Afterwards, the `hab -p -r` command can be used to burn the fuse.
> +
> config HABV4_IMG_CRT_PEM
> string "Path to IMG certificate"
> default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> diff --git a/commands/hab.c b/commands/hab.c
> index 8ae943a4c8..1e168af4b9 100644
> --- a/commands/hab.c
> +++ b/commands/hab.c
> @@ -16,9 +16,9 @@ static int do_hab(int argc, char *argv[])
> char *srkhashfile = NULL, *srkhash = NULL;
> unsigned flags = 0;
> u8 srk[SRK_HASH_SIZE];
> - int lockdown = 0, info = 0;
> + int lockdown = 0, info = 0, field_return = 0;
>
> - while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
> + while ((opt = getopt(argc, argv, "s:fpx:lir")) > 0) {
> switch (opt) {
> case 's':
> srkhashfile = optarg;
> @@ -38,12 +38,15 @@ static int do_hab(int argc, char *argv[])
> case 'i':
> info = 1;
> break;
> + case 'r':
> + field_return = 1;
> + break;
> default:
> return COMMAND_ERROR_USAGE;
> }
> }
>
> - if (!info && !lockdown && !srkhashfile && !srkhash) {
> + if (!info && !lockdown && !srkhashfile && !srkhash && !field_return) {
> printf("Nothing to do\n");
> return COMMAND_ERROR_USAGE;
> }
> @@ -94,7 +97,19 @@ static int do_hab(int argc, char *argv[])
> printf("Device successfully locked down\n");
> }
>
> - return 0;
> + if (field_return) {
> + ret = imx_hab_field_return(flags & IMX_SRK_HASH_WRITE_PERMANENT);
> + if (ret == -EINVAL && IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
> + printf("Field-return burn failed, check HABV4_CSF_UNLOCK_UID!\n");
> + else if (ret == -EINVAL && !IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
> + printf("Field-return burn failed because CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN=n\n");
> + else if (ret)
> + printf("Field-return burn failed\n");
> + else
> + printf("Field return fuse successfully burnt\n");
> + }
> +
> + return ret;
> }
>
> BAREBOX_CMD_HELP_START(hab)
> @@ -105,6 +120,7 @@ BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string"
> BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info")
> BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written")
> BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted")
> +BAREBOX_CMD_HELP_OPT ("-r", "Field Return. Dangerous! After executing signed images are disabled forever.")
Not an expert on this, but IIRC after the field return fuse is blown
the ROM still accepts signed images, just all access to SoC device keys
is disabled.
Regards,
Lucas
> BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!")
> BAREBOX_CMD_HELP_END
>
>
prev parent reply other threads:[~2025-12-19 10:03 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-19 9:06 [PATCH v2 0/4] i.mx: hab/ocotop: extend field return to i.MX6 Fabian Pflug
2025-12-19 9:06 ` [PATCH v2 1/4] arm: mach-imx6: use kconfig for field return Fabian Pflug
2025-12-19 9:14 ` Ahmad Fatoum
2025-12-19 10:06 ` Marco Felsch
2025-12-19 9:06 ` [PATCH v2 2/4] nvmem: ocotp: extend support to query the sticky bit Fabian Pflug
2025-12-19 9:06 ` [PATCH v2 3/4] i.MX: HAB: extend field_return support to imx6 Fabian Pflug
2025-12-19 9:56 ` Marco Felsch
2025-12-19 9:06 ` [PATCH v2 4/4] commands: hab: extend by field_return fuse burn Fabian Pflug
2025-12-19 9:57 ` Marco Felsch
2025-12-19 10:03 ` Lucas Stach [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c48ea48c64f4cd653e1f77f90377f82aa4b8c198.camel@pengutronix.de \
--to=l.stach@pengutronix.de \
--cc=barebox@lists.infradead.org \
--cc=f.pflug@pengutronix.de \
--cc=m.felsch@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox