[PATCH u-boot v2019.04-aspeed-openbmc 0/5] OTP Fixes

[PATCH u-boot v2019.04-aspeed-openbmc 0/5] OTP Fixes

[Joel Stanley]

The v0.4.11 Aspeed SDK has reworked the OTP command, which breaks the
current OpenBMC eMMC SPL config by force-enabling the ACRY hardware for
RSA. It also pulls in the software version of the hashing algorithms
into u-boot proper. Both changes increase the code size.

This resolves both of those issues and further reduces the proper binary
size.

The patches are to be applied on top of a rebased version of the tree.
An example is provided here:

 https://github.com/shenki/u-boot/tree/v00.04.11-rebase

This will become the new v2019.04-aspeed-openbmc branch once these
patches are reviewed.

Joel Stanley (5):
  config/openbmc: Enable SHA384
  cmd/otp: Use any MOD_EXP driver
  cmd/otp: Depend on SHA variants
  cmd/otp: Use hashing API
  cmd/otp: Reduce size of otpkey

 cmd/otp.c                                  | 63 +++++++++-------------
 cmd/Kconfig                                |  7 +--
 configs/ast2600_openbmc_spl_emmc_defconfig |  2 +-
 3 files changed, 27 insertions(+), 45 deletions(-)

-- 
2.35.1

[PATCH u-boot v2019.04-aspeed-openbmc 1/5] config/openbmc: Enable SHA384

[Joel Stanley]

This is now required by the otp command.

Signed-off-by: Joel Stanley <joel@jms.id.au>
---
 configs/ast2600_openbmc_spl_emmc_defconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configs/ast2600_openbmc_spl_emmc_defconfig b/configs/ast2600_openbmc_spl_emmc_defconfig
index 8c2acb7e6efe..45c9fa162cd7 100644
--- a/configs/ast2600_openbmc_spl_emmc_defconfig
+++ b/configs/ast2600_openbmc_spl_emmc_defconfig
@@ -9,7 +9,6 @@ CONFIG_SPL_LDSCRIPT="arch/$(ARCH)/mach-aspeed/ast2600/u-boot-spl.lds"
 CONFIG_ARCH_ASPEED=y
 CONFIG_SYS_TEXT_BASE=0x81000000
 CONFIG_ASPEED_AST2600=y
-# CONFIG_ASPEED_LOADERS is not set
 CONFIG_SPL_GPIO_SUPPORT=y
 CONFIG_SPL_LIBCOMMON_SUPPORT=y
 CONFIG_SPL_LIBGENERIC_SUPPORT=y
@@ -134,4 +133,5 @@ CONFIG_WDT=y
 CONFIG_USE_TINY_PRINTF=y
 CONFIG_SPL_TINY_MEMSET=y
 CONFIG_TPM=y
+CONFIG_SHA384=y
 # CONFIG_EFI_LOADER is not set
-- 
2.35.1

[PATCH u-boot v2019.04-aspeed-openbmc 2/5] cmd/otp: Use any MOD_EXP driver

[Joel Stanley]

Instead of requesting the ACRY driver specifically, ask for the first
DM device that implements MOD_EXP.

Selecting RSA ensures that one of the MOD_EXP drivers will be built in.
On Aspeed platforms this will be either the ACRY or the software
implementation; Kconfig logic stops both from being built in.

Signed-off-by: Joel Stanley <joel@jms.id.au>
---
 cmd/otp.c   | 4 ++--
 cmd/Kconfig | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/cmd/otp.c b/cmd/otp.c
index 4e901fbff996..049c217d6048 100644
--- a/cmd/otp.c
+++ b/cmd/otp.c
@@ -2642,9 +2642,9 @@ static int otp_verify_boot_image(phys_addr_t addr)
 	int i;
 	int pass = 0;
 
-	ret = uclass_get_device_by_driver(UCLASS_MOD_EXP, DM_GET_DRIVER(aspeed_acry), &mod_exp_dev);
+	ret = uclass_get_device(UCLASS_MOD_EXP, 0, &mod_exp_dev);
 	if (ret) {
-		printf("RSA engine: Can't find aspeed_acry\n");
+		printf("RSA: Can't find RSA driver\n");
 		return OTP_FAILURE;
 	}
 
diff --git a/cmd/Kconfig b/cmd/Kconfig
index 1df26de5ed23..ff90a5d99acc 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -622,7 +622,6 @@ config CMD_OTP
 	select SHA384
 	select SHA256
 	select RSA
-	select ASPEED_ACRY
         default y
 
 config CMD_RNG
-- 
2.35.1

[PATCH u-boot v2019.04-aspeed-openbmc 3/5] cmd/otp: Depend on SHA variants

[Joel Stanley]

Indicate which SHA algorithms are required by depending on them. Don't
select them, as this force enables the options.

Signed-off-by: Joel Stanley <joel@jms.id.au>
---
 cmd/Kconfig | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index ff90a5d99acc..8b90f0f23406 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -616,11 +616,9 @@ menu "Device access commands"
 
 config CMD_OTP
 	depends on ASPEED_AST2600
+	depends on SHA256 && SHA384 && SHA512
         bool "ASPEED otp program"
-	select SHA512_ALGO
-	select SHA512
-	select SHA384
-	select SHA256
+	select HASH
 	select RSA
         default y
 
-- 
2.35.1

[PATCH u-boot v2019.04-aspeed-openbmc 4/5] cmd/otp: Use hashing API

[Joel Stanley]

Instead of calling the hashing functions directly, which uses the
software implementation of the algorithms, use the hash API which
allows the use of the HACE driver.

Saves 12.5KB:

 Before=279327, After=266547, chg -4.58%

Signed-off-by: Joel Stanley <joel@jms.id.au>
---
 cmd/otp.c | 49 +++++++++++++++++--------------------------------
 1 file changed, 17 insertions(+), 32 deletions(-)

diff --git a/cmd/otp.c b/cmd/otp.c
index 049c217d6048..add70c841405 100644
--- a/cmd/otp.c
+++ b/cmd/otp.c
@@ -305,33 +305,6 @@ static int get_rid_num(u32 *rid)
 	return rid_num;
 }
 
-static void sb_sha256(u8 *src, u32 len, u8 *digest_ret)
-{
-	sha256_context ctx;
-
-	sha256_starts(&ctx);
-	sha256_update(&ctx, src, len);
-	sha256_finish(&ctx, digest_ret);
-}
-
-static void sb_sha384(u8 *src, u32 len, u8 *digest_ret)
-{
-	sha512_context ctx;
-
-	sha384_starts(&ctx);
-	sha384_update(&ctx, src, len);
-	sha384_finish(&ctx, digest_ret);
-}
-
-static void sb_sha512(u8 *src, u32 len, u8 *digest_ret)
-{
-	sha512_context ctx;
-
-	sha512_starts(&ctx);
-	sha512_update(&ctx, src, len);
-	sha512_finish(&ctx, digest_ret);
-}
-
 static u32 chip_version(void)
 {
 	u32 revid0, revid1;
@@ -1912,6 +1885,18 @@ static int otp_check_scu_image(struct otp_image_layout *image_layout, u32 *scu_p
 	return OTP_SUCCESS;
 }
 
+static void do_hash(const void *data, int data_len, const char *algo_name, uint8_t *value)
+{
+        struct hash_algo *algo;
+
+        if (hash_lookup_algo(algo_name, &algo)) {
+                debug("Unsupported hash alogrithm\n");
+                return;
+        }
+
+        algo->hash_func_ws(data, data_len, value, algo->chunk_size);
+}
+
 static int otp_verify_image(u8 *src_buf, u32 length, u8 *digest_buf, int version)
 {
 	u8 digest_ret[48];
@@ -1919,11 +1904,11 @@ static int otp_verify_image(u8 *src_buf, u32 length, u8 *digest_buf, int version
 
 	switch (version) {
 	case 1:
-		sb_sha256(src_buf, length, digest_ret);
+		do_hash(src_buf, length, "sha256", digest_ret);
 		digest_len = 32;
 		break;
 	case 2:
-		sb_sha384(src_buf, length, digest_ret);
+		do_hash(src_buf, length, "sha384", digest_ret);
 		digest_len = 48;
 		break;
 	default:
@@ -2549,13 +2534,13 @@ static int sb_sha(struct sb_info *si, u8 *sec_image, u32 sign_image_size, u8 *di
 		printf("otp verify does not support SHA224\n");
 		return OTP_FAILURE;
 	case 256:
-		sb_sha256(sec_image, sign_image_size, digest_ret);
+		do_hash(sec_image, sign_image_size, "sha256", digest_ret);
 		break;
 	case 384:
-		sb_sha384(sec_image, sign_image_size, digest_ret);
+		do_hash(sec_image, sign_image_size, "sha384", digest_ret);
 		break;
 	case 512:
-		sb_sha512(sec_image, sign_image_size, digest_ret);
+		do_hash(sec_image, sign_image_size, "sha512", digest_ret);
 		break;
 	default:
 		printf("SHA Algorithm is invalid\n");
-- 
2.35.1

[PATCH u-boot v2019.04-aspeed-openbmc 5/5] cmd/otp: Reduce size of otpkey

[Joel Stanley]

Don't store more information than is used. Saves 3KB.

  Function                                     old     new   delta
  _otp_print_key                               540     580     +40
  otp_verify_boot_image                       1276    1268      -8
  a2_key_type                                  640      40    -600
  a1_key_type                                  640      40    -600
  a3_key_type                                 1024      64    -960
  a0_key_type                                 1024      64    -960
  Total: Before=266547, After=263459, chg -1.16%

Signed-off-by: Joel Stanley <joel@jms.id.au>
---
This patch includes Zev's suggestion to make the bitfields unsigned:

 https://lore.kernel.org/openbmc/20220716090847.GC9659@packtop/

 cmd/otp.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/cmd/otp.c b/cmd/otp.c
index add70c841405..2df410dfd024 100644
--- a/cmd/otp.c
+++ b/cmd/otp.c
@@ -133,11 +133,11 @@ struct otpstrap_status {
 };
 
 struct otpkey_type {
-	int value;
-	int key_type;
-	int order;
-	int need_id;
-	char information[110];
+	unsigned int value: 4;
+	unsigned int key_type: 4;
+	unsigned int order: 1;
+	unsigned int need_id: 1;
+	char *information;
 };
 
 struct otp_pro_sts {
-- 
2.35.1