[iot] Support fastboot oem fuse at-perm-attr command

Support "fastboot oem fuse at-perm-attr" command for ATX. The perm_attr will be stored into RPMB which managed by Trusty OS. Modified permanent_attributes related AVB ops that support Trusty OS backed RPMB storage. Change-Id: Id6248570b4294fed3c45270064196bd6b9cf9208 Signed-off-by: Haoran.Wang <elven.wang@nxp.com>
2017-09-11 14:03:44 +08:00 · 2017-09-11 14:03:44 +08:00 · fd9eec336e
parent b92b0e1d49
commit fd9eec336e
4 changed files with 107 additions and 29 deletions
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@ -2983,7 +2983,7 @@ static int get_single_var(char *cmd, char *response)
 		if (s) {
 			strncat(response, s, chars_left);
 		} else {
-			sprintf(response,"FAILunknow variable:%s",cmd);
+			snprintf(response, chars_left, "FAILunknown variable:%s",cmd);
 			printf("WARNING: unknown variable: %s\n", cmd);
 			return -1;
 		}
@ -3165,46 +3165,59 @@ static FbLockState do_fastboot_lock(void)
 	return FASTBOOT_LOCK;
 }

+static bool endswith(char* s, char* subs) {
+	if (!s || !subs)
+		return false;
+	uint32_t len = strlen(s);
+	uint32_t sublen = strlen(subs);
+	if (len < sublen) {
+		return false;
+	}
+	if (strncmp(s + len - sublen, subs, sublen)) {
+		return false;
+	}
+	return true;
+}
+
 static void cb_flashing(struct usb_ep *ep, struct usb_request *req)
 {
 	char *cmd = req->buf;
 	char response[FASTBOOT_RESPONSE_LEN];
-	unsigned char len = strlen(cmd);
 	FbLockState status;
 	FbLockEnableResult result;
-
+	if (endswith(cmd, "lock_critical")) {
+		strcpy(response, "OKAY");
+	}
+#ifdef CONFIG_AVB_ATX
+	else if (endswith(cmd, FASTBOOT_AVB_AT_PERM_ATTR)) {
+		if (avb_atx_fuse_perm_attr(interface.transfer_buffer, download_bytes))
+			strcpy(response, "FAILInternal error!");
+		else
+			strcpy(response, "OKAY");
+	}
+#endif /* CONFIG_AVB_ATX */
 #ifdef CONFIG_ANDROID_THINGS_SUPPORT
-	if (!strncmp(cmd + len - strlen(FASTBOOT_BOOTLOADER_VBOOT_KEY),
-		    FASTBOOT_BOOTLOADER_VBOOT_KEY,
-		    strlen(FASTBOOT_BOOTLOADER_VBOOT_KEY))) {
+		else if (endswith(cmd, FASTBOOT_BOOTLOADER_VBOOT_KEY)) {
 		strcpy(response, "OKAY");
-	} else if (!strncmp(cmd + len - strlen("unlock_critical"),
-				"unlock_critical", strlen("unlock_critical"))) {
-#else
-	if (!strncmp(cmd + len - strlen("unlock_critical"),
-				"unlock_critical", strlen("unlock_critical"))) {
-#endif
+	}
+#endif /* CONFIG_ANDROID_THINGS_SUPPORT */
+	else if (endswith(cmd, "unlock_critical")) {
 		strcpy(response, "OKAY");
-	} else if (!strncmp(cmd + len - strlen("lock_critical"),
-				"lock_critical", strlen("lock_critical"))) {
-		strcpy(response, "OKAY");
-	} else if (!strncmp(cmd + len - strlen("unlock"),
-				"unlock", strlen("unlock"))) {
+	} else if (endswith(cmd, "unlock")) {
 		printf("flashing unlock.\n");
 		status = do_fastboot_unlock(false);
 		if (status != FASTBOOT_LOCK_ERROR)
 			strcpy(response, "OKAY");
 		else
-			strcpy(response, "FAIL unlock device failed.");
-	} else if (!strncmp(cmd + len - strlen("lock"), "lock", strlen("lock"))) {
+			strcpy(response, "FAILunlock device failed.");
+	} else if (endswith(cmd, "lock")) {
 		printf("flashing lock.\n");
 		status = do_fastboot_lock();
 		if (status != FASTBOOT_LOCK_ERROR)
 			strcpy(response, "OKAY");
 		else
-			strcpy(response, "FAIL lock device failed.");
-	} else if (!strncmp(cmd + len - strlen("get_unlock_ability"),
-				"get_unlock_ability", strlen("get_unlock_ability"))) {
+			strcpy(response, "FAILlock device failed.");
+	} else if (endswith(cmd, "get_unlock_ability")) {
 		result = fastboot_lock_enable();
 		if (result == FASTBOOT_UL_ENABLE) {
 			fastboot_tx_write_more("INFO1");
@ -3214,15 +3227,19 @@ static void cb_flashing(struct usb_ep *ep, struct usb_request *req)
 			strcpy(response, "OKAY");
 		} else {
 			printf("flashing get_unlock_ability fail!\n");
-			strcpy(response, "FAIL get unlock ability failed.");
+			strcpy(response, "FAILget unlock ability failed.");
 		}
 	} else {
 		printf("Unknown flashing command:%s\n", cmd);
-		strcpy(response, "FAIL command not defined");
+		strcpy(response, "FAILcommand not defined");
 	}
 	fastboot_tx_write_more(response);
 }

+#endif /* CONFIG_FASTBOOT_LOCK */
+
+#ifdef CONFIG_FSL_FASTBOOT
+#ifdef CONFIG_FASTBOOT_LOCK
 static int partition_table_valid(void)
 {
 	int status, mmc_no;
@ -3236,7 +3253,7 @@ static int partition_table_valid(void)
 		status = -1;
 	return (status == 0);
 }
-
+#endif
 #endif /* CONFIG_FASTBOOT_LOCK */

 #ifdef CONFIG_FASTBOOT_FLASH
@ -3268,7 +3285,7 @@ static void cb_flash(struct usb_ep *ep, struct usb_request *req)
 	} else if (status == FASTBOOT_LOCK_ERROR) {
 		pr_err("write lock status into device!\n");
 		fastboot_set_lock_stat(FASTBOOT_LOCK);
-		strcpy(response, "FAIL device is locked.");
+		strcpy(response, "FAILdevice is locked.");
 		fastboot_tx_write_str(response);
 		return;
 	}
@ -3327,7 +3344,7 @@ static void cb_erase(struct usb_ep *ep, struct usb_request *req)
 	} else if (status == FASTBOOT_LOCK_ERROR) {
 		pr_err("write lock status into device!\n");
 		fastboot_set_lock_stat(FASTBOOT_LOCK);
-		strcpy(response, "FAIL device is locked.");
+		strcpy(response, "FAILdevice is locked.");
 		fastboot_tx_write_str(response);
 		return;
 	}
@ -3786,6 +3803,12 @@ static const struct cmd_dispatch_info cmd_dispatch_info[] = {
 		.cb = cb_oem,
 	},
 #endif
+#ifdef CONFIG_AVB_ATX
+	{
+		.cmd = "stage",
+		.cb = cb_download,
+	},
+#endif
 };

 static void rx_handler_command(struct usb_ep *ep, struct usb_request *req)
--- a/include/fsl_avb.h
+++ b/include/fsl_avb.h
@ -219,4 +219,8 @@ AvbABFlowResult avb_single_flow(AvbABOps* ab_ops,
                            AvbSlotVerifyFlags flags,
                            AvbHashtreeErrorMode hashtree_error_mode,
                            AvbSlotVerifyData** out_data);
+
+/* Program ATX perm_attr into RPMB partition */
+int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size);
+
 #endif /* __FSL_AVB_H__ */
--- a/include/fsl_fastboot.h
+++ b/include/fsl_fastboot.h
@ -81,7 +81,10 @@

 #ifdef CONFIG_ANDROID_THINGS_SUPPORT
 #define FASTBOOT_BOOTLOADER_VBOOT_KEY "fuse at-bootloader-vboot-key"
-#endif
+#ifdef CONFIG_AVB_ATX
+#define FASTBOOT_AVB_AT_PERM_ATTR "fuse at-perm-attr"
+#endif /* CONFIG_AVB_ATX */
+#endif /* CONFIG_ANDROID_THINGS_SUPPORT */

 enum {
    DEV_SATA,
--- a/lib/avb/fsl/fsl_avbkey.c
+++ b/lib/avb/fsl/fsl_avbkey.c
@ -184,12 +184,19 @@ static int sha256(unsigned char* data, int len, unsigned char* output) {
 static int permanent_attributes_sha256_hash(unsigned char* output) {
 	AvbAtxPermanentAttributes attributes;

+#ifdef CONFIG_IMX_TRUSTY_OS
+	if(trusty_read_permanent_attributes((uint8_t *)(&attributes),
+		sizeof(AvbAtxPermanentAttributes))) {
+		return RESULT_ERROR;
+	}
+#else
 	/* get permanent attributes */
 	attributes.version = fsl_version;
 	memcpy(attributes.product_root_public_key, fsl_product_root_public_key,
 			sizeof(fsl_product_root_public_key));
 	memcpy(attributes.product_id, fsl_atx_product_id,
 			sizeof(fsl_atx_product_id));
+#endif
 	/* calculate sha256(permanent attributes) hash */
 	if (sha256((unsigned char *)&attributes, sizeof(AvbAtxPermanentAttributes),
 			output) == RESULT_ERROR) {
@ -221,6 +228,7 @@ static int init_permanent_attributes_fuse(void) {

 	/* calculate sha256(permanent attributes) */
 	if (permanent_attributes_sha256_hash(sha256_hash) != RESULT_OK) {
+		printf("ERROR - calculating permanent attributes SHA256 error!\n");
 		return RESULT_ERROR;
 	}

@ -236,6 +244,37 @@ static int init_permanent_attributes_fuse(void) {
 }
 #endif

+#ifdef CONFIG_AVB_ATX
+int avb_atx_fuse_perm_attr(uint8_t *staged_buffer, uint32_t size) {
+
+	if (staged_buffer == NULL) {
+		ERR("Error. Get null staged_buffer\n");
+		return -1;
+	}
+	if (size != sizeof(AvbAtxPermanentAttributes)) {
+		ERR("Error. expect perm_attr length %d, but get %d.\n",
+		sizeof(AvbAtxPermanentAttributes), size);
+		return -1;
+	}
+#ifdef CONFIG_IMX_TRUSTY_OS
+	if (trusty_write_permanent_attributes(staged_buffer, size)) {
+		ERR("Error. Failed to write permanent attributes into secure storage\n");
+		return -1;
+	}
+	else
+		return init_permanent_attributes_fuse();
+#else
+	/*
+	 * TODO:
+	 * Need to handle this when no Trusty OS support.
+	 * But now every Android Things will have Trusty OS support.
+	 */
+	ERR("No Trusty OS enabled in bootloader.\n");
+	return 0;
+#endif
+}
+#endif
+
 #ifdef AVB_RPMB
 static int rpmb_read(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset);
 static int rpmb_write(struct mmc *mmc, uint8_t *buffer, size_t num_bytes, int64_t offset);
@ -481,7 +520,7 @@ int init_avbkey(void) {
 	}
 	if (rpmb_init())
 		return RESULT_ERROR;
-#ifdef CONFIG_AVB_ATX
+#if defined(CONFIG_AVB_ATX) && !defined(CONFIG_IMX_TRUSTY_OS)
 	if (init_permanent_attributes_fuse())
 		return RESULT_ERROR;
 #endif
@ -1152,6 +1191,14 @@ fail:
 */
 AvbIOResult fsl_read_permanent_attributes(
    AvbAtxOps* atx_ops, AvbAtxPermanentAttributes* attributes) {
+#ifdef CONFIG_IMX_TRUSTY_OS
+	if (trusty_read_permanent_attributes((uint8_t *)attributes,
+			sizeof(AvbAtxPermanentAttributes))) {
+		ERR("Error. Failed to read permanent attributes from secure storage\n");
+		return AVB_IO_RESULT_ERROR_IO;
+	} else
+		return AVB_IO_RESULT_OK;
+#else
 	/* use hard code permanent attributes due to limited fuse and RPMB */
 	attributes->version = fsl_version;
 	memcpy(attributes->product_root_public_key, fsl_product_root_public_key,
@ -1160,6 +1207,7 @@ AvbIOResult fsl_read_permanent_attributes(
 	       sizeof(fsl_atx_product_id));

 	return AVB_IO_RESULT_OK;
+#endif /* CONFIG_IMX_TRUSTY_OS */
 }

 /* Reads a |hash| of permanent attributes. This hash MUST be retrieved from a