]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
stm32mp1: key: add stm32key command
authorPatrick Delaunay <patrick.delaunay@st.com>
Fri, 5 Jul 2019 15:20:17 +0000 (17:20 +0200)
committerPatrick Delaunay <patrick.delaunay@st.com>
Fri, 12 Jul 2019 09:18:53 +0000 (11:18 +0200)
Add dedicated command to register in fuse a public hash
key provided by keygen tool.

Signed-off-by: Patrick Delaunay <patrick.delaunay@st.com>
arch/arm/mach-stm32mp/Kconfig
arch/arm/mach-stm32mp/Makefile
arch/arm/mach-stm32mp/cmd_stm32key.c [new file with mode: 0644]

index 9c5c93c79add1b1146564c64c2aabdfcf094e465..d13d76e7b723aded7655f878889008840b24741c 100644 (file)
@@ -90,6 +90,14 @@ config STM32_ETZPC
        help
          Say y to enable STM32 Extended TrustZone Protection
 
+config CMD_STM32KEY
+       bool "command stm32key to fuse public key hash"
+       default y
+       depends on CMD_FUSE
+       help
+               fuse public key hash in corresponding fuse used to authenticate
+               binary.
+
 config BOOTSTAGE_STASH_ADDR
        default 0xC3000000
 
index e59bd819006f6d5cc7485ae957ec64fe58cdb9ea..77450604b0fcb304763758f09aeeab340a435cc0 100644 (file)
@@ -11,6 +11,7 @@ ifdef CONFIG_SPL_BUILD
 obj-y += spl.o
 else
 obj-y += bsec.o
+obj-$(CONFIG_CMD_STM32KEY) += cmd_stm32key.o
 ifndef CONFIG_STM32MP1_TRUSTED
 obj-$(CONFIG_SYSRESET) += cmd_poweroff.o
 endif
diff --git a/arch/arm/mach-stm32mp/cmd_stm32key.c b/arch/arm/mach-stm32mp/cmd_stm32key.c
new file mode 100644 (file)
index 0000000..f1f26e7
--- /dev/null
@@ -0,0 +1,101 @@
+// SPDX-License-Identifier: GPL-2.0+ OR BSD-3-Clause
+/*
+ * Copyright (C) 2019, STMicroelectronics - All Rights Reserved
+ */
+
+#include <common.h>
+#include <command.h>
+#include <console.h>
+#include <misc.h>
+#include <dm/device.h>
+#include <dm/uclass.h>
+
+#define STM32_OTP_HASH_KEY_START 24
+#define STM32_OTP_HASH_KEY_SIZE 8
+
+static void read_hash_value(u32 addr)
+{
+       int i;
+
+       for (i = 0; i < STM32_OTP_HASH_KEY_SIZE; i++) {
+               printf("OTP value %i: %x\n", STM32_OTP_HASH_KEY_START + i,
+                      __be32_to_cpu(*(u32 *)addr));
+               addr += 4;
+       }
+}
+
+static void fuse_hash_value(u32 addr, bool print)
+{
+       struct udevice *dev;
+       u32 word, val;
+       int i, ret;
+
+       ret = uclass_get_device_by_driver(UCLASS_MISC,
+                                         DM_GET_DRIVER(stm32mp_bsec),
+                                         &dev);
+       if (ret) {
+               pr_err("Can't find stm32mp_bsec driver\n");
+               return;
+       }
+
+       for (i = 0; i < STM32_OTP_HASH_KEY_SIZE; i++) {
+               if (print)
+                       printf("Fuse OTP %i : %x\n",
+                              STM32_OTP_HASH_KEY_START + i,
+                              __be32_to_cpu(*(u32 *)addr));
+
+               word = STM32_OTP_HASH_KEY_START + i;
+               val = __be32_to_cpu(*(u32 *)addr);
+               misc_write(dev, STM32_BSEC_OTP(word), &val, 4);
+
+               addr += 4;
+       }
+}
+
+static int confirm_prog(void)
+{
+       puts("Warning: Programming fuses is an irreversible operation!\n"
+                       "         This may brick your system.\n"
+                       "         Use this command only if you are sure of what you are doing!\n"
+                       "\nReally perform this fuse programming? <y/N>\n");
+
+       if (confirm_yesno())
+               return 1;
+
+       puts("Fuse programming aborted\n");
+       return 0;
+}
+
+static int do_stm32key(cmd_tbl_t *cmdtp, int flag, int argc,
+                      char * const argv[])
+{
+       u32 addr;
+       const char *op = argc >= 2 ? argv[1] : NULL;
+       int confirmed = argc > 3 && !strcmp(argv[2], "-y");
+
+       argc -= 2 + confirmed;
+       argv += 2 + confirmed;
+
+       if (argc < 1)
+               return CMD_RET_USAGE;
+
+       addr = simple_strtoul(argv[0], NULL, 16);
+       if (!addr)
+               return CMD_RET_USAGE;
+
+       if (!strcmp(op, "read"))
+               read_hash_value(addr);
+
+       if (!strcmp(op, "fuse")) {
+               if (!confirmed && !confirm_prog())
+                       return CMD_RET_FAILURE;
+               fuse_hash_value(addr, !confirmed);
+       }
+
+       return CMD_RET_SUCCESS;
+}
+
+U_BOOT_CMD(stm32key, 4, 1, do_stm32key,
+          "Fuse ST Hash key",
+          "read <addr>: Read the hash store at addr in memory\n"
+          "stm32key fuse [-y] <addr> : Fuse hash store at addr in otp\n");