Add more Nugget Core commands for firmware updates
This adds the commands needed to approve firmware updates:
* NUGGET_PARAM_ENABLE_UPDATE
Marks pending updates as valid, so that they will be
considered at the next boot.
* NUGGET_PARAM_CHANGE_UPDATE_PASSWORD
Changes the password required to enable updates, provided you
know the old password.
* NUGGET_PARAM_NUKE_FROM_ORBIT
Erases all user secrets, including the update password.
Change-Id: Ie38281df7a75c564395be502bb994469b8bbb099
Signed-off-by: Bill Richardson <wfrichar@google.com>
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h
index 683117b..f8245bf 100644
--- a/nugget/include/app_nugget.h
+++ b/nugget/include/app_nugget.h
@@ -85,6 +85,79 @@
NUGGET_REBOOT_HARD = 1,
};
+
+/*********
+ * Firmware updates are written to flash with invalid headers. If an update
+ * password exists, headers can only be marked valid by providing that
+ * password.
+ */
+
+/*
+ * An unassigned password is defined to be all 0xff, with a don't-care digest.
+ * Anything else must have a valid digest over all password bytes. The password
+ * length is chosen arbitrarily for now, but should always be a fixed size with
+ * all bytes used, to resist brute-force guesses.
+ */
+#define NUGGET_UPDATE_PASSWORD_LEN 32
+struct nugget_app_password {
+ uint32_t digest; /* first 4 bytes of sha1 of password (little endian) */
+ uint8_t password[NUGGET_UPDATE_PASSWORD_LEN];
+} __packed;
+
+
+enum NUGGET_ENABLE_HEADER {
+ NUGGET_ENABLE_HEADER_RO = 0x01,
+ NUGGET_ENABLE_HEADER_RW = 0x02,
+};
+struct nugget_app_enable_update {
+ struct nugget_app_password password;
+ uint8_t which_headers; /* bit 0 = RO, bit 1 = RW */
+};
+#define NUGGET_PARAM_ENABLE_UPDATE 0x0003
+/*
+ * Mark the specified image header(s) as valid, if the provided password
+ * matches.
+ *
+ * @param args struct nugget_app_enable_update
+ * @param arg_len sizeof(struct nugget_app_enable_update)
+ * @param reply <none>
+ * @param reply_len 0
+ *
+ * @errors APP_ERROR_BOGUS_ARGS
+ */
+
+
+struct nugget_app_change_update_password {
+ struct nugget_app_password old_password;
+ struct nugget_app_password new_password;
+};
+#define NUGGET_PARAM_CHANGE_UPDATE_PASSWORD 0x0004
+/*
+ * Change the update password.
+ *
+ * @param args struct nugget_app_change_update_password
+ * @param arg_len sizeof(struct nugget_app_change_update_password)
+ * @param reply <none>
+ * @param reply_len 0
+ *
+ * @errors APP_ERROR_BOGUS_ARGS
+ */
+
+
+#define NUGGET_PARAM_NUKE_FROM_ORBIT 0x0005
+#define ERASE_CONFIRMATION 0xc05fefee
+/*
+ * This will erase ALL user secrets and reboot.
+ *
+ * @param args uint32_t containing the ERASE_CONFIRMATION value
+ * @param arg_len sizeof(uint32_t)
+ * @param reply <none>
+ * @param reply_len 0
+ *
+ * @errors APP_ERROR_BOGUS_ARGS
+ */
+
+
/****************************************************************************/
/* Test related commands */
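Review bot: The `@errors` lists for NUGGET_PARAM_ENABLE_UPDATE and NUGGET_PARAM_CHANGE_UPDATE_PASSWORD name only APP_ERROR_BOGUS_ARGS, so the header does not say what a caller gets back on a wrong password or a mismatched `digest`, nor what happens when `which_headers` has bits other than 0x01/0x02 set. Because `digest` is only the first 4 bytes of a SHA-1 over the password, it acts as a corruption check and not as protection of the secret; I would say so on the field, e.g. `/* integrity check only: first 4 bytes of sha1 of password (little endian) */`, and state in the block comment that the handler (not part of this diff) is expected to compare passwords in constant time and to limit retries. NUGGET_PARAM_NUKE_FROM_ORBIT takes only the fixed ERASE_CONFIRMATION value and no password, which looks intentional as a recovery path but belongs in its comment, since any caller that can reach this command can wipe the user secrets. `ERASE_CONFIRMATION` is also the only new macro without the NUGGET_ prefix; `#define NUGGET_ERASE_CONFIRMATION 0xc05fefee` would avoid a clash in code that includes this header.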
diff --git a/nugget/include/signed_header.h b/nugget/include/signed_header.h
index a2746ac..9ce33e6 100644
--- a/nugget/include/signed_header.h
+++ b/nugget/include/signed_header.h
@@ -7,6 +7,8 @@
/* This is citadel */
#define CHIP_C
+#define MAGIC_DEFAULT (-1u)
+#define MAGIC_VALID (-2u)
#ifdef __cplusplus
#include <endian.h>
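Review bot: The two new macros at the top of signed_header.h have no comment saying which header field they apply to or what each state means, and `(-1u)`/`(-2u)` only yield 0xffffffff/0xfffffffe where `unsigned` is 32 bits wide. Writing them as `#define MAGIC_DEFAULT 0xffffffffu` and `#define MAGIC_VALID 0xfffffffeu` makes the stored bit pattern explicit. If the intent is that an erased-flash value can be turned into the valid one by clearing a single bit, which is my reading of the other header's "written to flash with invalid headers" comment, a one-line comment saying so would help, because whether an update is accepted at boot rests on this value. The names are also quite generic for a shared header; a prefix tied to the signed header would reduce the chance of a collision. The `#ifdef __cplusplus` block that follows continues outside the hunk.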