1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * (C) Copyright 2015 Google, Inc
4 * Written by Simon Glass <sjg@chromium.org>
5 *
6 * (C) 2017 Theobroma Systems Design und Consulting GmbH
7 *
8 * Helper functions for Rockchip images
9 */
10
11 #include "imagetool.h"
12 #include <image.h>
13 #include <rc4.h>
14 #include "mkimage.h"
15 #include "rkcommon.h"
16
17 enum {
18 RK_SIGNATURE = 0x0ff0aa55,
19 };
20
21 /**
22 * struct header0_info - header block for boot ROM
23 *
24 * This is stored at SD card block 64 (where each block is 512 bytes, or at
25 * the start of SPI flash. It is encoded with RC4.
26 *
27 * @signature: Signature (must be RKSD_SIGNATURE)
28 * @disable_rc4: 0 to use rc4 for boot image, 1 to use plain binary
29 * @init_offset: Offset in blocks of the SPL code from this header
30 * block. E.g. 4 means 2KB after the start of this header.
31 * Other fields are not used by U-Boot
32 */
33 struct header0_info {
34 uint32_t signature;
35 uint8_t reserved[4];
36 uint32_t disable_rc4;
37 uint16_t init_offset;
38 uint8_t reserved1[492];
39 uint16_t init_size;
40 uint16_t init_boot_size;
41 uint8_t reserved2[2];
42 };
43
44 /**
45 * struct header1_info
46 */
47 struct header1_info {
48 uint32_t magic;
49 };
50
51 /**
52 * struct spl_info - spl info for each chip
53 *
54 * @imagename: Image name(passed by "mkimage -n")
55 * @spl_hdr: Boot ROM requires a 4-bytes spl header
56 * @spl_size: Spl size(include extra 4-bytes spl header)
57 * @spl_rc4: RC4 encode the SPL binary (same key as header)
58 */
59
60 struct spl_info {
61 const char *imagename;
62 const char *spl_hdr;
63 const uint32_t spl_size;
64 const bool spl_rc4;
65 };
66
67 static struct spl_info spl_infos[] = {
68 { "px30", "RK33", 0x2800, false },
69 { "rk3036", "RK30", 0x1000, false },
70 { "rk3128", "RK31", 0x1800, false },
71 { "rk3188", "RK31", 0x8000 - 0x800, true },
72 { "rk322x", "RK32", 0x8000 - 0x1000, false },
73 { "rk3288", "RK32", 0x8000, false },
74 { "rk3308", "RK33", 0x40000 - 0x1000, false},
75 { "rk3328", "RK32", 0x8000 - 0x1000, false },
76 { "rk3368", "RK33", 0x8000 - 0x1000, false },
77 { "rk3399", "RK33", 0x30000 - 0x2000, false },
78 { "rv1108", "RK11", 0x1800, false },
79 };
80
81 /**
82 * struct spl_params - spl params parsed in check_params()
83 *
84 * @init_file: Init data file path
85 * @init_size: Aligned size of init data in bytes
86 * @boot_file: Boot data file path
87 * @boot_size: Aligned size of boot data in bytes
88 */
89
90 struct spl_params {
91 char *init_file;
92 uint32_t init_size;
93 char *boot_file;
94 uint32_t boot_size;
95 };
96
97 static struct spl_params spl_params = { 0 };
98
99 static unsigned char rc4_key[16] = {
100 124, 78, 3, 4, 85, 5, 9, 7,
101 45, 44, 123, 56, 23, 13, 23, 17
102 };
103
rkcommon_get_spl_info(char * imagename)104 static struct spl_info *rkcommon_get_spl_info(char *imagename)
105 {
106 int i;
107
108 if (!imagename)
109 return NULL;
110
111 for (i = 0; i < ARRAY_SIZE(spl_infos); i++)
112 if (!strncmp(imagename, spl_infos[i].imagename, 6))
113 return spl_infos + i;
114
115 return NULL;
116 }
117
rkcommon_get_aligned_size(struct image_tool_params * params,const char * fname)118 static int rkcommon_get_aligned_size(struct image_tool_params *params,
119 const char *fname)
120 {
121 int size;
122
123 size = imagetool_get_filesize(params, fname);
124 if (size < 0)
125 return -1;
126
127 /*
128 * Pad to a 2KB alignment, as required for init/boot size by the ROM
129 * (see https://lists.denx.de/pipermail/u-boot/2017-May/293268.html)
130 */
131 return ROUND(size, RK_SIZE_ALIGN);
132 }
133
rkcommon_check_params(struct image_tool_params * params)134 int rkcommon_check_params(struct image_tool_params *params)
135 {
136 int i, size;
137
138 /*
139 * If this is a operation (list or extract), the don't require
140 * imagename to be set.
141 */
142 if (params->lflag || params->iflag)
143 return EXIT_SUCCESS;
144
145 if (!rkcommon_get_spl_info(params->imagename))
146 goto err_spl_info;
147
148 spl_params.init_file = params->datafile;
149
150 spl_params.boot_file = strchr(spl_params.init_file, ':');
151 if (spl_params.boot_file) {
152 *spl_params.boot_file = '\0';
153 spl_params.boot_file += 1;
154 }
155
156 size = rkcommon_get_aligned_size(params, spl_params.init_file);
157 if (size < 0)
158 return EXIT_FAILURE;
159 spl_params.init_size = size;
160
161 /* Boot file is optional, and only for back-to-bootrom functionality. */
162 if (spl_params.boot_file) {
163 size = rkcommon_get_aligned_size(params, spl_params.boot_file);
164 if (size < 0)
165 return EXIT_FAILURE;
166 spl_params.boot_size = size;
167 }
168
169 if (spl_params.init_size > rkcommon_get_spl_size(params)) {
170 fprintf(stderr,
171 "Error: SPL image is too large (size %#x than %#x)\n",
172 spl_params.init_size, rkcommon_get_spl_size(params));
173 return EXIT_FAILURE;
174 }
175
176 return EXIT_SUCCESS;
177
178 err_spl_info:
179 fprintf(stderr, "ERROR: imagename (%s) is not supported!\n",
180 params->imagename ? params->imagename : "NULL");
181
182 fprintf(stderr, "Available imagename:");
183 for (i = 0; i < ARRAY_SIZE(spl_infos); i++)
184 fprintf(stderr, "\t%s", spl_infos[i].imagename);
185 fprintf(stderr, "\n");
186
187 return EXIT_FAILURE;
188 }
189
rkcommon_get_spl_hdr(struct image_tool_params * params)190 const char *rkcommon_get_spl_hdr(struct image_tool_params *params)
191 {
192 struct spl_info *info = rkcommon_get_spl_info(params->imagename);
193
194 /*
195 * info would not be NULL, because of we checked params before.
196 */
197 return info->spl_hdr;
198 }
199
200
rkcommon_get_spl_size(struct image_tool_params * params)201 int rkcommon_get_spl_size(struct image_tool_params *params)
202 {
203 struct spl_info *info = rkcommon_get_spl_info(params->imagename);
204
205 /*
206 * info would not be NULL, because of we checked params before.
207 */
208 return info->spl_size;
209 }
210
rkcommon_need_rc4_spl(struct image_tool_params * params)211 bool rkcommon_need_rc4_spl(struct image_tool_params *params)
212 {
213 struct spl_info *info = rkcommon_get_spl_info(params->imagename);
214
215 /*
216 * info would not be NULL, because of we checked params before.
217 */
218 return info->spl_rc4;
219 }
220
rkcommon_set_header0(void * buf,struct image_tool_params * params)221 static void rkcommon_set_header0(void *buf, struct image_tool_params *params)
222 {
223 struct header0_info *hdr = buf;
224 uint32_t init_boot_size;
225
226 memset(buf, '\0', RK_INIT_OFFSET * RK_BLK_SIZE);
227 hdr->signature = cpu_to_le32(RK_SIGNATURE);
228 hdr->disable_rc4 = cpu_to_le32(!rkcommon_need_rc4_spl(params));
229 hdr->init_offset = cpu_to_le16(RK_INIT_OFFSET);
230 hdr->init_size = cpu_to_le16(spl_params.init_size / RK_BLK_SIZE);
231
232 /*
233 * init_boot_size needs to be set, as it is read by the BootROM
234 * to determine the size of the next-stage bootloader (e.g. U-Boot
235 * proper), when used with the back-to-bootrom functionality.
236 *
237 * see https://lists.denx.de/pipermail/u-boot/2017-May/293267.html
238 * for a more detailed explanation by Andy Yan
239 */
240 if (spl_params.boot_file)
241 init_boot_size = spl_params.init_size + spl_params.boot_size;
242 else
243 init_boot_size = spl_params.init_size + RK_MAX_BOOT_SIZE;
244 hdr->init_boot_size = cpu_to_le16(init_boot_size / RK_BLK_SIZE);
245
246 rc4_encode(buf, RK_BLK_SIZE, rc4_key);
247 }
248
rkcommon_set_header(void * buf,struct stat * sbuf,int ifd,struct image_tool_params * params)249 void rkcommon_set_header(void *buf, struct stat *sbuf, int ifd,
250 struct image_tool_params *params)
251 {
252 struct header1_info *hdr = buf + RK_SPL_HDR_START;
253
254 rkcommon_set_header0(buf, params);
255
256 /* Set up the SPL name (i.e. copy spl_hdr over) */
257 memcpy(&hdr->magic, rkcommon_get_spl_hdr(params), RK_SPL_HDR_SIZE);
258
259 if (rkcommon_need_rc4_spl(params))
260 rkcommon_rc4_encode_spl(buf, RK_SPL_HDR_START,
261 spl_params.init_size);
262
263 if (spl_params.boot_file) {
264 if (rkcommon_need_rc4_spl(params))
265 rkcommon_rc4_encode_spl(buf + RK_SPL_HDR_START,
266 spl_params.init_size,
267 spl_params.boot_size);
268 }
269 }
270
rkcommon_offset_to_spi(unsigned offset)271 static inline unsigned rkcommon_offset_to_spi(unsigned offset)
272 {
273 /*
274 * While SD/MMC images use a flat addressing, SPI images are padded
275 * to use the first 2K of every 4K sector only.
276 */
277 return ((offset & ~0x7ff) << 1) + (offset & 0x7ff);
278 }
279
rkcommon_parse_header(const void * buf,struct header0_info * header0,struct spl_info ** spl_info)280 static int rkcommon_parse_header(const void *buf, struct header0_info *header0,
281 struct spl_info **spl_info)
282 {
283 unsigned hdr1_offset;
284 struct header1_info *hdr1_sdmmc, *hdr1_spi;
285 int i;
286
287 if (spl_info)
288 *spl_info = NULL;
289
290 /*
291 * The first header (hdr0) is always RC4 encoded, so try to decrypt
292 * with the well-known key.
293 */
294 memcpy((void *)header0, buf, sizeof(struct header0_info));
295 rc4_encode((void *)header0, sizeof(struct header0_info), rc4_key);
296
297 if (le32_to_cpu(header0->signature) != RK_SIGNATURE)
298 return -EPROTO;
299
300 /* We don't support RC4 encoded image payloads here, yet... */
301 if (le32_to_cpu(header0->disable_rc4) == 0)
302 return -ENOSYS;
303
304 hdr1_offset = le16_to_cpu(header0->init_offset) * RK_BLK_SIZE;
305 hdr1_sdmmc = (struct header1_info *)(buf + hdr1_offset);
306 hdr1_spi = (struct header1_info *)(buf +
307 rkcommon_offset_to_spi(hdr1_offset));
308
309 for (i = 0; i < ARRAY_SIZE(spl_infos); i++) {
310 if (!memcmp(&hdr1_sdmmc->magic, spl_infos[i].spl_hdr,
311 RK_SPL_HDR_SIZE)) {
312 if (spl_info)
313 *spl_info = &spl_infos[i];
314 return IH_TYPE_RKSD;
315 } else if (!memcmp(&hdr1_spi->magic, spl_infos[i].spl_hdr,
316 RK_SPL_HDR_SIZE)) {
317 if (spl_info)
318 *spl_info = &spl_infos[i];
319 return IH_TYPE_RKSPI;
320 }
321 }
322
323 return -1;
324 }
325
rkcommon_verify_header(unsigned char * buf,int size,struct image_tool_params * params)326 int rkcommon_verify_header(unsigned char *buf, int size,
327 struct image_tool_params *params)
328 {
329 struct header0_info header0;
330 struct spl_info *img_spl_info, *spl_info;
331 int ret;
332
333 ret = rkcommon_parse_header(buf, &header0, &img_spl_info);
334
335 /* If this is the (unimplemented) RC4 case, then rewrite the result */
336 if (ret == -ENOSYS)
337 return 0;
338
339 if (ret < 0)
340 return ret;
341
342 /*
343 * If no 'imagename' is specified via the commandline (e.g. if this is
344 * 'dumpimage -l' w/o any further constraints), we accept any spl_info.
345 */
346 if (params->imagename == NULL)
347 return 0;
348
349 /* Match the 'imagename' against the 'spl_hdr' found */
350 spl_info = rkcommon_get_spl_info(params->imagename);
351 if (spl_info && img_spl_info)
352 return strcmp(spl_info->spl_hdr, img_spl_info->spl_hdr);
353
354 return -ENOENT;
355 }
356
rkcommon_print_header(const void * buf)357 void rkcommon_print_header(const void *buf)
358 {
359 struct header0_info header0;
360 struct spl_info *spl_info;
361 uint8_t image_type;
362 int ret, boot_size, init_size;
363
364 ret = rkcommon_parse_header(buf, &header0, &spl_info);
365
366 /* If this is the (unimplemented) RC4 case, then fail silently */
367 if (ret == -ENOSYS)
368 return;
369
370 if (ret < 0) {
371 fprintf(stderr, "Error: image verification failed\n");
372 return;
373 }
374
375 image_type = ret;
376
377 printf("Image Type: Rockchip %s (%s) boot image\n",
378 spl_info->spl_hdr,
379 (image_type == IH_TYPE_RKSD) ? "SD/MMC" : "SPI");
380 init_size = le16_to_cpu(header0.init_size) * RK_BLK_SIZE;
381 printf("Init Data Size: %d bytes\n", init_size);
382
383 boot_size = le16_to_cpu(header0.init_boot_size) * RK_BLK_SIZE - init_size;
384 if (boot_size != RK_MAX_BOOT_SIZE)
385 printf("Boot Data Size: %d bytes\n", boot_size);
386 }
387
rkcommon_rc4_encode_spl(void * buf,unsigned int offset,unsigned int size)388 void rkcommon_rc4_encode_spl(void *buf, unsigned int offset, unsigned int size)
389 {
390 unsigned int remaining = size;
391
392 while (remaining > 0) {
393 int step = (remaining > RK_BLK_SIZE) ? RK_BLK_SIZE : remaining;
394
395 rc4_encode(buf + offset, step, rc4_key);
396 offset += RK_BLK_SIZE;
397 remaining -= step;
398 }
399 }
400
rkcommon_vrec_header(struct image_tool_params * params,struct image_type_params * tparams)401 int rkcommon_vrec_header(struct image_tool_params *params,
402 struct image_type_params *tparams)
403 {
404 /*
405 * The SPL image looks as follows:
406 *
407 * 0x0 header0 (see rkcommon.c)
408 * 0x800 spl_name ('RK30', ..., 'RK33')
409 * (start of the payload for AArch64 payloads: we expect the
410 * first 4 bytes to be available for overwriting with our
411 * spl_name)
412 * 0x804 first instruction to be executed
413 * (start of the image/payload for 32bit payloads)
414 *
415 * For AArch64 (ARMv8) payloads, natural alignment (8-bytes) is
416 * required for its sections (so the image we receive needs to
417 * have the first 4 bytes reserved for the spl_name). Reserving
418 * these 4 bytes is done using the BOOT0_HOOK infrastructure.
419 *
420 * The header is always at 0x800 (as we now use a payload
421 * prepadded using the boot0 hook for all targets): the first
422 * 4 bytes of these images can safely be overwritten using the
423 * boot magic.
424 */
425 tparams->header_size = RK_SPL_HDR_START;
426
427 /* Allocate, clear and install the header */
428 tparams->hdr = malloc(tparams->header_size);
429 if (!tparams->hdr) {
430 fprintf(stderr, "%s: Can't alloc header: %s\n",
431 params->cmdname, strerror(errno));
432 exit(EXIT_FAILURE);
433 }
434 memset(tparams->hdr, 0, tparams->header_size);
435
436 /*
437 * We need to store the original file-size (i.e. before padding), as
438 * imagetool does not set this during its adjustment of file_size.
439 */
440 params->orig_file_size = tparams->header_size +
441 spl_params.init_size + spl_params.boot_size;
442
443 params->file_size = ROUND(params->orig_file_size, RK_SIZE_ALIGN);
444
445 /* Ignoring pad len, since we are using our own copy_image() */
446 return 0;
447 }
448
pad_file(struct image_tool_params * params,int ifd,int pad)449 static int pad_file(struct image_tool_params *params, int ifd, int pad)
450 {
451 uint8_t zeros[4096];
452
453 memset(zeros, 0, sizeof(zeros));
454
455 while (pad > 0) {
456 int todo = sizeof(zeros);
457
458 if (todo > pad)
459 todo = pad;
460 if (write(ifd, (char *)&zeros, todo) != todo) {
461 fprintf(stderr, "%s: Write error on %s: %s\n",
462 params->cmdname, params->imagefile,
463 strerror(errno));
464 return -1;
465 }
466 pad -= todo;
467 }
468
469 return 0;
470 }
471
copy_file(struct image_tool_params * params,int ifd,const char * file,int padded_size)472 static int copy_file(struct image_tool_params *params, int ifd,
473 const char *file, int padded_size)
474 {
475 int dfd;
476 struct stat sbuf;
477 unsigned char *ptr;
478 int size;
479
480 if (params->vflag)
481 fprintf(stderr, "Adding Image %s\n", file);
482
483 dfd = open(file, O_RDONLY | O_BINARY);
484 if (dfd < 0) {
485 fprintf(stderr, "%s: Can't open %s: %s\n",
486 params->cmdname, file, strerror(errno));
487 return -1;
488 }
489
490 if (fstat(dfd, &sbuf) < 0) {
491 fprintf(stderr, "%s: Can't stat %s: %s\n",
492 params->cmdname, file, strerror(errno));
493 goto err_close;
494 }
495
496 if (params->vflag)
497 fprintf(stderr, "Size %u(pad to %u)\n",
498 (int)sbuf.st_size, padded_size);
499
500 ptr = mmap(0, sbuf.st_size, PROT_READ, MAP_SHARED, dfd, 0);
501 if (ptr == MAP_FAILED) {
502 fprintf(stderr, "%s: Can't read %s: %s\n",
503 params->cmdname, file, strerror(errno));
504 goto err_munmap;
505 }
506
507 size = sbuf.st_size;
508 if (write(ifd, ptr, size) != size) {
509 fprintf(stderr, "%s: Write error on %s: %s\n",
510 params->cmdname, params->imagefile, strerror(errno));
511 goto err_munmap;
512 }
513
514 munmap((void *)ptr, sbuf.st_size);
515 close(dfd);
516 return pad_file(params, ifd, padded_size - size);
517
518 err_munmap:
519 munmap((void *)ptr, sbuf.st_size);
520 err_close:
521 close(dfd);
522 return -1;
523 }
524
rockchip_copy_image(int ifd,struct image_tool_params * params)525 int rockchip_copy_image(int ifd, struct image_tool_params *params)
526 {
527 int ret;
528
529 ret = copy_file(params, ifd, spl_params.init_file,
530 spl_params.init_size);
531 if (ret)
532 return ret;
533
534 if (spl_params.boot_file) {
535 ret = copy_file(params, ifd, spl_params.boot_file,
536 spl_params.boot_size);
537 if (ret)
538 return ret;
539 }
540
541 return pad_file(params, ifd,
542 params->file_size - params->orig_file_size);
543 }
544