1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 2020 Intel Corporation <www.intel.com>
4 *
5 */
6
7 #include <asm/arch/mailbox_s10.h>
8 #include <asm/arch/secure_vab.h>
9 #include <asm/arch/smc_api.h>
10 #include <asm/unaligned.h>
11 #include <common.h>
12 #include <exports.h>
13 #include <linux/errno.h>
14 #include <linux/intel-smc.h>
15 #include <log.h>
16
17 #define CHUNKSZ_PER_WD_RESET (256 * SZ_1K)
18
19 /*
20 * Read the length of the VAB certificate from the end of image
21 * and calculate the actual image size (excluding the VAB certificate).
22 */
get_img_size(u8 * img_buf,size_t img_buf_sz)23 static size_t get_img_size(u8 *img_buf, size_t img_buf_sz)
24 {
25 u8 *img_buf_end = img_buf + img_buf_sz;
26 u32 cert_sz = get_unaligned_le32(img_buf_end - sizeof(u32));
27 u8 *p = img_buf_end - cert_sz - sizeof(u32);
28
29 /* Ensure p is pointing within the img_buf */
30 if (p < img_buf || p > (img_buf_end - VAB_CERT_HEADER_SIZE))
31 return 0;
32
33 if (get_unaligned_le32(p) == SDM_CERT_MAGIC_NUM)
34 return (size_t)(p - img_buf);
35
36 return 0;
37 }
38
39 /*
40 * Vendor Authorized Boot (VAB) is a security feature for authenticating
41 * the images such as U-Boot, ARM trusted Firmware, Linux kernel,
42 * device tree blob and etc loaded from FIT. User can also trigger
43 * the VAB authentication from U-Boot command.
44 *
45 * This function extracts the VAB certificate and signature block
46 * appended at the end of the image, then send to Secure Device Manager
47 * (SDM) for authentication. This function will validate the SHA384
48 * of the image against the SHA384 hash stored in the VAB certificate
49 * before sending the VAB certificate to SDM for authentication.
50 *
51 * RETURN
52 * 0 if authentication success or
53 * if authentication is not required and bypassed on a non-secure device
54 * negative error code if authentication fail
55 */
socfpga_vendor_authentication(void ** p_image,size_t * p_size)56 int socfpga_vendor_authentication(void **p_image, size_t *p_size)
57 {
58 int retry_count = 20;
59 u8 hash384[SHA384_SUM_LEN];
60 u64 img_addr, mbox_data_addr;
61 size_t img_sz, mbox_data_sz;
62 u8 *cert_hash_ptr, *mbox_relocate_data_addr;
63 u32 resp = 0, resp_len = 1;
64 int ret;
65
66 img_addr = (uintptr_t)*p_image;
67
68 debug("Authenticating image at address 0x%016llx (%ld bytes)\n",
69 img_addr, *p_size);
70
71 img_sz = get_img_size((u8 *)img_addr, *p_size);
72 debug("img_sz = %ld\n", img_sz);
73
74 if (!img_sz) {
75 puts("VAB certificate not found in image!\n");
76 return -ENOKEY;
77 }
78
79 if (!IS_ALIGNED(img_sz, sizeof(u32))) {
80 printf("Image size (%ld bytes) not aliged to 4 bytes!\n",
81 img_sz);
82 return -EBFONT;
83 }
84
85 /* Generate HASH384 from the image */
86 sha384_csum_wd((u8 *)img_addr, img_sz, hash384, CHUNKSZ_PER_WD_RESET);
87
88 cert_hash_ptr = (u8 *)(img_addr + img_sz + VAB_CERT_MAGIC_OFFSET +
89 VAB_CERT_FIT_SHA384_OFFSET);
90
91 /*
92 * Compare the SHA384 found in certificate against the SHA384
93 * calculated from image
94 */
95 if (memcmp(hash384, cert_hash_ptr, SHA384_SUM_LEN)) {
96 puts("SHA384 not match!\n");
97 return -EKEYREJECTED;
98 }
99
100 mbox_data_addr = img_addr + img_sz - sizeof(u32);
101 /* Size in word (32bits) */
102 mbox_data_sz = (ALIGN(*p_size - img_sz, sizeof(u32))) >> 2;
103
104 debug("mbox_data_addr = 0x%016llx\n", mbox_data_addr);
105 debug("mbox_data_sz = %ld words\n", mbox_data_sz);
106
107 /*
108 * Relocate certificate to first memory block before trigger SMC call
109 * to send mailbox command because ATF only able to access first
110 * memory block.
111 */
112 mbox_relocate_data_addr = (u8 *)malloc(mbox_data_sz * sizeof(u32));
113 if (!mbox_relocate_data_addr) {
114 puts("Out of memory for VAB certificate relocation!\n");
115 return -ENOMEM;
116 }
117
118 memcpy(mbox_relocate_data_addr, (u8 *)mbox_data_addr, mbox_data_sz * sizeof(u32));
119 *(u32 *)mbox_relocate_data_addr = 0;
120
121 debug("mbox_relocate_data_addr = 0x%p\n", mbox_relocate_data_addr);
122
123 do {
124 if (!IS_ENABLED(CONFIG_SPL_BUILD) && IS_ENABLED(CONFIG_SPL_ATF)) {
125 /* Invoke SMC call to ATF to send the VAB certificate to SDM */
126 ret = smc_send_mailbox(MBOX_VAB_SRC_CERT, mbox_data_sz,
127 (u32 *)mbox_relocate_data_addr, 0, &resp_len,
128 &resp);
129 } else {
130 /* Send the VAB certficate to SDM for authentication */
131 ret = mbox_send_cmd(MBOX_ID_UBOOT, MBOX_VAB_SRC_CERT,
132 MBOX_CMD_DIRECT, mbox_data_sz,
133 (u32 *)mbox_relocate_data_addr, 0, &resp_len,
134 &resp);
135 }
136 /* If SDM is not available, just delay 50ms and retry again */
137 if (ret == MBOX_RESP_DEVICE_BUSY)
138 mdelay(50);
139 else
140 break;
141 } while (--retry_count);
142
143 /* Free the relocate certificate memory space */
144 free(mbox_relocate_data_addr);
145
146 /* Exclude the size of the VAB certificate from image size */
147 *p_size = img_sz;
148
149 debug("ret = 0x%08x, resp = 0x%08x, resp_len = %d\n", ret, resp,
150 resp_len);
151
152 if (ret) {
153 /*
154 * Unsupported mailbox command or device not in the
155 * owned/secure state
156 */
157 if (ret == MBOX_RESP_NOT_ALLOWED_UNDER_SECURITY_SETTINGS) {
158 /* SDM bypass authentication */
159 printf("%s 0x%016llx (%ld bytes)\n",
160 "Image Authentication bypassed at address",
161 img_addr, img_sz);
162 return 0;
163 }
164 puts("VAB certificate authentication failed in SDM");
165 if (ret == MBOX_RESP_DEVICE_BUSY) {
166 puts(" (SDM busy timeout)\n");
167 return -ETIMEDOUT;
168 } else if (ret == MBOX_RESP_UNKNOWN) {
169 puts(" (Not supported)\n");
170 return -ESRCH;
171 }
172 puts("\n");
173 return -EKEYREJECTED;
174 } else {
175 /* If Certificate Process Status has error */
176 if (resp) {
177 puts("VAB certificate process failed\n");
178 return -ENOEXEC;
179 }
180 }
181
182 printf("%s 0x%016llx (%ld bytes)\n",
183 "Image Authentication passed at address", img_addr, img_sz);
184
185 return 0;
186 }
187