Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / df42d2f61440fb4aba48f2da51baff8ced29ffe8^! / . / app / aboot / mdtp.c
commitdf42d2f61440fb4aba48f2da51baff8ced29ffe8[log] [tgz]
authorAmit Blay <ablay@codeaurora.org>Tue Feb 03 16:37:09 2015 +0200
committerAmit Blay <ablay@codeaurora.org>Tue Feb 03 16:37:09 2015 +0200
tree695a9973286c017cfe6d9df6241baa89c2661d60
parent1c2ed721706888ddcafb9af29c5dc4540d837b17 [diff] [blame]
aboot: mdtp: perform verification depending on MDTP efuse

This commit add  support for reading the MDTP eFuse (or emulated
eFuse located in the MDTP partition) and performing DIP and firmware
verification only if the MDTP is enabled in the eFuse.

Change-Id: Iff04b3d18f9baba026ebf61cbeead37fa585a7bd

diff --git a/app/aboot/mdtp.c b/app/aboot/mdtp.c
index 7e12dfa..083bbf2 100644
--- a/app/aboot/mdtp.c
+++ b/app/aboot/mdtp.c

@@ -44,20 +44,17 @@
 #define DIP_ENCRYPT 0
 #define DIP_DECRYPT 1
 
-static int mdtp_tzbsp_get_provisioned_fuse();
-static int mdtp_tzbsp_set_provisioned_fuse();
-static int mdtp_tzbsp_dec_verify_DIP(DIP_t* enc_dip, DIP_t* dec_dip, uint32_t *verified);
-static int mdtp_tzbsp_enc_hash_DIP(DIP_t* dec_dip, DIP_t* enc_dip);
-
-unsigned block_size = 0;
+static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified);
+static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip);
 
 /********************************************************************************/
 
 /* Read the DIP from EMMC */
-static int read_DIP(DIP_t* dip)
+static int read_DIP(DIP_t *dip)
 {
 	unsigned long long ptn = 0;
 	uint32_t actual_partition_size;
+	uint32_t block_size = mmc_get_device_blocksize();
 
 	int index = INVALID_PTN;
 
@@ -85,10 +82,11 @@
 }
 
 /* Store the DIP into the EMMC */
-static int write_DIP(DIP_t* dip)
+static int write_DIP(DIP_t *dip)
 {
 	unsigned long long ptn = 0;
 	uint32_t partition_size;
+	uint32_t block_size = mmc_get_device_blocksize();
 
 	int index = INVALID_PTN;
 
@@ -121,8 +119,8 @@
 /* Provision the DIP by storing the default DIP into the EMMC */
 static void provision_DIP()
 {
-	DIP_t* enc_dip;
-	DIP_t* dec_dip;
+	DIP_t *enc_dip;
+	DIP_t *dec_dip;
 	int ret;
 
 	enc_dip = malloc(sizeof(DIP_t));
@@ -171,13 +169,14 @@
 }
 
 /* Validate a hash calculated on entire given partition */
-static int verify_partition_single_hash(char* name, uint32_t size, DIP_hash_table_entry_t* hash_table)
+static int verify_partition_single_hash(char *name, uint32_t size, DIP_hash_table_entry_t *hash_table)
 {
 	SHA256_CTX sha256_ctx;
 	unsigned char digest[32]={0};
 	unsigned long long ptn = 0;
 	int index = INVALID_PTN;
 	unsigned char *buf = (unsigned char *)target_get_scratch_address();
+	uint32_t block_size = mmc_get_device_blocksize();
 	uint32_t actual_partition_size = ROUNDUP(size, block_size);
 
 	dprintf(INFO, "mdtp: verify_partition_single_hash: %s, %u\n", name, size);
@@ -218,11 +217,11 @@
 }
 
 /* Validate a hash table calculated per block of a given partition */
-static int verify_partition_block_hash(char* name,
+static int verify_partition_block_hash(char *name,
 								uint32_t size,
 								uint32_t total_num_blocks,
 								uint32_t verify_num_blocks,
-								DIP_hash_table_entry_t* hash_table,
+								DIP_hash_table_entry_t *hash_table,
 							    uint8_t *force_verify_block)
 {
 	SHA256_CTX sha256_ctx;
@@ -299,7 +298,7 @@
 }
 
 /* Verify a given partitinon */
-static int verify_partition(char* name,
+static int verify_partition(char *name,
 						uint32_t size,
 						mdtp_fwlock_mode_t hash_mode,
 						uint32_t total_num_blocks,
@@ -382,10 +381,11 @@
 static void validate_DIP_and_firmware()
 {
 	int ret;
-	DIP_t* enc_dip;
-	DIP_t* dec_dip;
+	DIP_t *enc_dip;
+	DIP_t *dec_dip;
 	uint32_t verified = 0;
 	verify_result_t verify_result;
+	uint32_t block_size = mmc_get_device_blocksize();
 
 	enc_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size));
 	if (enc_dip == NULL)
@@ -461,22 +461,18 @@
 
 int mdtp_fwlock_verify_lock()
 {
-	int provisioned_fuse;
+	int ret;
+	bool enabled;
 
-	block_size = mmc_get_device_blocksize();
-
-	provisioned_fuse = mdtp_tzbsp_get_provisioned_fuse();
-	if(provisioned_fuse < 0)
+	ret = mdtp_fuse_get_enabled(&enabled);
+	if(ret)
 	{
-		dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, cannot get DIP_PROVISIONED fuse\n");
+		dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, cannot get enabled fuse\n");
 		return -1;
 	}
 
-	if (!provisioned_fuse)
-	{
-		provision_DIP();
-	}
-	else
+	/* Continue with Firmware Lock verification only if enabled by eFuse */
+	if (enabled)
 	{
 		validate_DIP_and_firmware();
 	}
@@ -486,22 +482,10 @@
 
 /********************************************************************************/
 
-/* Functions communicating with TZBSP */
-
-static int mdtp_tzbsp_get_provisioned_fuse()
-{
-	return 1;
-}
-
-static int mdtp_tzbsp_set_provisioned_fuse()
-{
-	return 0;
-}
-
 /* Decrypt a given DIP and verify its integrity */
-static int mdtp_tzbsp_dec_verify_DIP(DIP_t* enc_dip, DIP_t* dec_dip, uint32_t *verified)
+static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified)
 {
-	unsigned char* hash_p;
+	unsigned char *hash_p;
 	unsigned char hash[HASH_LEN];
 	SHA256_CTX sha256_ctx;
 	int ret;
@@ -538,9 +522,9 @@
 	return 0;
 }
 
-static int mdtp_tzbsp_enc_hash_DIP(DIP_t* dec_dip, DIP_t* enc_dip)
+static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip)
 {
-	unsigned char* hash_p;
+	unsigned char *hash_p;
 	SHA256_CTX sha256_ctx;
 	int ret;