Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 8bcdd97960f0bd590d270ea49735331bbf215d5a^! / .
commit8bcdd97960f0bd590d270ea49735331bbf215d5a[log] [tgz]
authorMayank Grover <groverm@codeaurora.org>Fri Dec 02 14:58:07 2016 +0530
committerMayank Grover <groverm@codeaurora.org>Wed Dec 07 16:23:43 2016 +0530
tree54dfe137603b1de97966af87315461e9b4c40c30
parentd6a79aed15bfd7a181ca0e787832bf844dfb4f95 [diff]
platform: msm_shared: add secure boot identification check.

Check secure boot identification for secure devices.

Change-Id: I7b3110a0cf13cdbe83274372a4a4f8387807c6dc

diff --git a/platform/msm_shared/scm.c b/platform/msm_shared/scm.c
index 403441c..b544201 100644
--- a/platform/msm_shared/scm.c
+++ b/platform/msm_shared/scm.c

@@ -55,6 +55,15 @@
                                    SCM_MASK_IRQS | \
                                    ((n) & 0xf))
 
+#define SECBOOT_FUSE_BIT                  0
+#define SECBOOT_FUSE_SHK_BIT              1
+#define SECBOOT_FUSE_DEBUG_DISABLED_BIT   2
+#define SECBOOT_FUSE_ANTI_ROLLBACK_BIT    3
+#define SECBOOT_FUSE_FEC_ENABLED_BIT      4
+#define SECBOOT_FUSE_RPMB_ENABLED_BIT     5
+#define SECBOOT_FUSE_DEBUG_RE_ENABLED_BIT 6
+#define CHECK_BIT(var, pos) ((var) & (1 << (pos)))
+
 /* SCM interface as per ARM spec present? */
 bool scm_arm_support;
 static bool scm_initialized;
@@ -1244,7 +1253,7 @@
 	return 0;
 }
 
-static bool secure_boot_enabled = true;
+static bool secure_boot_enabled = false;
 static bool wdog_debug_fuse_disabled = true;
 
 void scm_check_boot_fuses()
@@ -1265,14 +1274,16 @@
 		resp[0] = scm_ret.x1;
 	}
 
-
-	/* Parse Bit 0 and Bit 2 of the response */
-	if(!ret) {
-		/* Bit 0 - SECBOOT_ENABLE_CHECK */
-		if(resp[0] & 0x1)
-			secure_boot_enabled = false;
+	if (!ret) {
+		/* Check for secure device: Bit#0 = 0, Bit#1 = 0 Bit#2 = 0 , Bit#5 = 0 , Bit#6 = 1 */
+        	if (!CHECK_BIT(resp[0], SECBOOT_FUSE_BIT) && !CHECK_BIT(resp[0], SECBOOT_FUSE_SHK_BIT) &&
+        		!CHECK_BIT(resp[0], SECBOOT_FUSE_DEBUG_DISABLED_BIT) &&
+        		!CHECK_BIT(resp[0], SECBOOT_FUSE_RPMB_ENABLED_BIT) &&
+        		CHECK_BIT(resp[0], SECBOOT_FUSE_DEBUG_RE_ENABLED_BIT)) {
+        		secure_boot_enabled = true;
+        	}
 		/* Bit 2 - DEBUG_DISABLE_CHECK */
-		if(resp[0] & 0x4)
+		if (CHECK_BIT(resp[0], SECBOOT_FUSE_DEBUG_DISABLED_BIT))
 			wdog_debug_fuse_disabled = false;
 	} else
 		dprintf(CRITICAL, "scm call to check secure boot fuses failed\n");