* [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close
@ 2021-07-01 13:21 Hexagon Email Recovery
0 siblings, 0 replies; 4+ messages in thread
From: Hexagon Email Recovery @ 2021-07-01 13:21 UTC (permalink / raw)
To: u-boot; +Cc: patrick.delaunay, patrice.chotard, uboot-stm32
This message could not be delivered immediately due to an internal mail routing issue.
The mail routing error has been resolved in the meantime.
We apologize for the delay in delivery and any inconvenience this may have caused.
In case of any questions please contact us via it@hexagon.com.
Original sender: patrick.delaunay@foss.st.com
Original delivery time: 28-Jun-2021 01:04 PM (UTC)
* [PATCH 0/7] stm32mp: cmd_stm32key: updates
@ 2021-06-28 12:55 Patrick Delaunay
2021-06-28 12:56 ` [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close Patrick Delaunay
0 siblings, 1 reply; 4+ messages in thread
From: Patrick Delaunay @ 2021-06-28 12:55 UTC (permalink / raw)
To: u-boot; +Cc: Patrick Delaunay, Patrice Chotard, U-Boot STM32
Several improvements and protections for the command stm32key.
This command is used to experiment with secure boot on STM32MP15x;
the expected sequence to manually activate it with this U-Boot command is:
- Key generation with STM32 KeyGen tool
- Key registration: update and lock PKH in OTP (stm32key fuse)
- Perform image authentication of an image signed with
STM32 Signing tool and check that the ROM code accepted them
- Close the device, only signed binary will be accepted (stm32key close)
Warning: Make sure that a device with Secure boot enabled is used,
check the security field of the chip part number.
Otherwise the chip will be bricked and can no longer be used.
This command is activated by default on STMicroelectronics evaluation
boards, but these OTPs can also be updated directly by the customer
application or with Secure Secret Provisioning (SSP).
Patrick Delaunay (7):
stm32mp: configs: activate the command stm32key only for ST boards
stm32mp: cmd_stm32key: use sub command
stm32mp: cmd_stm32key: handle error in fuse_hash_value
stm32mp: cmd_stm32key: lock of PKH OTP after fuse
stm32mp: cmd_stm32key: add get_misc_dev function
stm32mp: cmd_stm32key: add read OTP subcommand
stm32mp: cmd_stm32key: add subcommand close
arch/arm/mach-stm32mp/Kconfig | 4 +-
arch/arm/mach-stm32mp/cmd_stm32key.c | 239 +++++++++++++++++++++++----
configs/stm32mp15_basic_defconfig | 1 +
configs/stm32mp15_trusted_defconfig | 1 +
4 files changed, 208 insertions(+), 37 deletions(-)
--
2.25.1
* [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close
2021-06-28 12:55 [PATCH 0/7] stm32mp: cmd_stm32key: updates Patrick Delaunay
@ 2021-06-28 12:56 ` Patrick Delaunay
2021-07-01 7:36 ` Patrice CHOTARD
2021-07-16 8:28 ` Patrick DELAUNAY
0 siblings, 2 replies; 4+ messages in thread
From: Patrick Delaunay @ 2021-06-28 12:56 UTC (permalink / raw)
To: u-boot; +Cc: Patrick Delaunay, Patrice Chotard, U-Boot STM32
The expected sequence to close the device:
1/ Load key in DDR with any supported load command
2/ Update OTP with key: STM32MP> stm32key read <addr>
At this point the device is able to perform image authentication but
non-authenticated images can still be used and executed.
So it is the last moment to test booting with a signed binary and
check that the ROM code accepts it.
3/ Close the device: only signed binary will be accepted !!
STM32MP> stm32key close
Warning: Programming these OTP is an irreversible operation!
This may brick your system if the HASH of the key is invalid.
This command should be deactivated by default in a real product.
Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
---
arch/arm/mach-stm32mp/cmd_stm32key.c | 54 ++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 2 deletions(-)
diff --git a/arch/arm/mach-stm32mp/cmd_stm32key.c b/arch/arm/mach-stm32mp/cmd_stm32key.c
index 8c8d476b65..50840b0f38 100644
--- a/arch/arm/mach-stm32mp/cmd_stm32key.c
+++ b/arch/arm/mach-stm32mp/cmd_stm32key.c
@@ -210,10 +210,60 @@ static int do_stm32key_fuse(struct cmd_tbl *cmdtp, int flag, int argc, char *con
return CMD_RET_SUCCESS;
}
+static int do_stm32key_close(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
+{
+ bool yes, lock, closed;
+ struct udevice *dev;
+ u32 val;
+ int ret;
+
+ yes = false;
+ if (argc == 2) {
+ if (strcmp(argv[1], "-y"))
+ return CMD_RET_USAGE;
+ yes = true;
+ }
+
+ ret = read_hash_otp(!yes, &lock, &closed);
+ if (ret) {
+ if (ret == -ENOENT)
+ printf("Error: OTP not programmed!\n");
+ return CMD_RET_FAILURE;
+ }
+
+ if (closed) {
+ printf("Error: already closed!\n");
+ return CMD_RET_FAILURE;
+ }
+
+ if (!lock)
+ printf("Warning: OTP not locked!\n");
+
+ if (!yes && !confirm_prog())
+ return CMD_RET_FAILURE;
+
+ ret = get_misc_dev(&dev);
+ if (ret)
+ return CMD_RET_FAILURE;
+
+ val = STM32_OTP_CLOSE_MASK;
+ ret = misc_write(dev, STM32_BSEC_OTP(STM32_OTP_CLOSE_ID), &val, 4);
+ if (ret != 4) {
+ printf("Error: can't update OTP\n");
+ return CMD_RET_FAILURE;
+ }
+
+ printf("Device is closed !\n");
+
+ return CMD_RET_SUCCESS;
+}
+
static char stm32key_help_text[] =
"read [<addr>]: Read the hash stored at addr in memory or in OTP\n"
- "stm32key fuse [-y] <addr> : Fuse hash stored at addr in OTP\n";
+ "stm32key fuse [-y] <addr> : Fuse hash stored at addr in OTP\n"
+ "stm32key close [-y] : Close the device, the hash stored in OTP\n";
U_BOOT_CMD_WITH_SUBCMDS(stm32key, "Fuse ST Hash key", stm32key_help_text,
U_BOOT_SUBCMD_MKENT(read, 2, 0, do_stm32key_read),
- U_BOOT_SUBCMD_MKENT(fuse, 3, 0, do_stm32key_fuse));
+ U_BOOT_SUBCMD_MKENT(fuse, 3, 0, do_stm32key_fuse),
+ U_BOOT_SUBCMD_MKENT(close, 2, 0, do_stm32key_close));
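Review bot: in do_stm32key_close, an unlocked PKH OTP is only a warning and the close still proceeds, including in the `-y` path where confirm_prog() is skipped: `if (!lock) printf("Warning: OTP not locked!\n");` is followed directly by the write of STM32_OTP_CLOSE_MASK. Since the commit message says this step is irreversible and afterwards only binaries signed against that hash are accepted, consider returning CMD_RET_FAILURE when `!lock`, so that the hash OTP has to be locked first (patch 4/7 of this series already locks it after `stm32key fuse`), or at least make the warning part of the confirmation prompt rather than a line that `-y` silently passes. Two smaller points: the help string `"stm32key close [-y] : Close the device, the hash stored in OTP\n"` reads as an incomplete sentence (something like "Close the device: only binaries signed with the key whose hash is stored in OTP will be accepted" would match the commit message), and step 2 of the commit message gives `stm32key read <addr>` as the command that updates the OTP, whereas the help text in this hunk shows `stm32key fuse [-y] <addr>` is the subcommand that fuses the hash and `read` only reads it.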
--
2.25.1
* Re: [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close
2021-06-28 12:56 ` [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close Patrick Delaunay
@ 2021-07-01 7:36 ` Patrice CHOTARD
2021-07-16 8:28 ` Patrick DELAUNAY
1 sibling, 0 replies; 4+ messages in thread
From: Patrice CHOTARD @ 2021-07-01 7:36 UTC (permalink / raw)
To: Patrick Delaunay, u-boot; +Cc: U-Boot STM32
Hi Patrick
On 6/28/21 2:56 PM, Patrick Delaunay wrote:
> The expected sequence to close the device
>
> 1/ Load key in DDR with any supported load command
> 2/ Update OTP with key: STM32MP> stm32key read <addr>
>
> At this point the device is able to perform image authentication but
> non-authenticated images can still be used and executed.
> So it is the last moment to test boot with signed binary and
> check that the ROM code accepts them.
>
> 3/ Close the device: only signed binary will be accepted !!
> STM32MP> stm32key close
>
> Warning: Programming these OTP is an irreversible operation!
> This may brick your system if the HASH of key is invalid
>
> This command should be deactivated by default in real product.
>
> Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
> ---
>
> arch/arm/mach-stm32mp/cmd_stm32key.c | 54 ++++++++++++++++++++++++++--
> 1 file changed, 52 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm/mach-stm32mp/cmd_stm32key.c b/arch/arm/mach-stm32mp/cmd_stm32key.c
> index 8c8d476b65..50840b0f38 100644
> --- a/arch/arm/mach-stm32mp/cmd_stm32key.c
> +++ b/arch/arm/mach-stm32mp/cmd_stm32key.c
> @@ -210,10 +210,60 @@ static int do_stm32key_fuse(struct cmd_tbl *cmdtp, int flag, int argc, char *con
> return CMD_RET_SUCCESS;
> }
>
> +static int do_stm32key_close(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
> +{
> + bool yes, lock, closed;
> + struct udevice *dev;
> + u32 val;
> + int ret;
> +
> + yes = false;
> + if (argc == 2) {
> + if (strcmp(argv[1], "-y"))
> + return CMD_RET_USAGE;
> + yes = true;
> + }
> +
> + ret = read_hash_otp(!yes, &lock, &closed);
> + if (ret) {
> + if (ret == -ENOENT)
> + printf("Error: OTP not programmed!\n");
> + return CMD_RET_FAILURE;
> + }
> +
> + if (closed) {
> + printf("Error: already closed!\n");
> + return CMD_RET_FAILURE;
> + }
> +
> + if (!lock)
> + printf("Warning: OTP not locked!\n");
> +
> + if (!yes && !confirm_prog())
> + return CMD_RET_FAILURE;
> +
> + ret = get_misc_dev(&dev);
> + if (ret)
> + return CMD_RET_FAILURE;
> +
> + val = STM32_OTP_CLOSE_MASK;
> + ret = misc_write(dev, STM32_BSEC_OTP(STM32_OTP_CLOSE_ID), &val, 4);
> + if (ret != 4) {
> + printf("Error: can't update OTP\n");
> + return CMD_RET_FAILURE;
> + }
> +
> + printf("Device is closed !\n");
> +
> + return CMD_RET_SUCCESS;
> +}
> +
> static char stm32key_help_text[] =
> "read [<addr>]: Read the hash stored at addr in memory or in OTP\n"
> - "stm32key fuse [-y] <addr> : Fuse hash stored at addr in OTP\n";
> + "stm32key fuse [-y] <addr> : Fuse hash stored at addr in OTP\n"
> + "stm32key close [-y] : Close the device, the hash stored in OTP\n";
>
> U_BOOT_CMD_WITH_SUBCMDS(stm32key, "Fuse ST Hash key", stm32key_help_text,
> U_BOOT_SUBCMD_MKENT(read, 2, 0, do_stm32key_read),
> - U_BOOT_SUBCMD_MKENT(fuse, 3, 0, do_stm32key_fuse));
> + U_BOOT_SUBCMD_MKENT(fuse, 3, 0, do_stm32key_fuse),
> + U_BOOT_SUBCMD_MKENT(close, 2, 0, do_stm32key_close));
>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Thanks
Patrice
* Re: [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close
2021-06-28 12:56 ` [PATCH 7/7] stm32mp: cmd_stm32key: add subcommand close Patrick Delaunay
2021-07-01 7:36 ` Patrice CHOTARD
@ 2021-07-16 8:28 ` Patrick DELAUNAY
1 sibling, 0 replies; 4+ messages in thread
From: Patrick DELAUNAY @ 2021-07-16 8:28 UTC (permalink / raw)
To: u-boot; +Cc: Patrice Chotard, U-Boot STM32
Hi,
On 6/28/21 2:56 PM, Patrick Delaunay wrote:
> The expected sequence to close the device
>
> 1/ Load key in DDR with any supported load command
> 2/ Update OTP with key: STM32MP> stm32key read <addr>
>
> At this point the device is able to perform image authentication but
> non-authenticated images can still be used and executed.
> So it is the last moment to test boot with signed binary and
> check that the ROM code accepts them.
>
> 3/ Close the device: only signed binary will be accepted !!
> STM32MP> stm32key close
>
> Warning: Programming these OTP is an irreversible operation!
> This may brick your system if the HASH of key is invalid
>
> This command should be deactivated by default in real product.
>
> Signed-off-by: Patrick Delaunay <patrick.delaunay@foss.st.com>
> ---
>
> arch/arm/mach-stm32mp/cmd_stm32key.c | 54 ++++++++++++++++++++++++++--
> 1 file changed, 52 insertions(+), 2 deletions(-)
>
Applied to u-boot-stm/master, thanks!
Regards
Patrick