From patchwork Fri Jan 12 12:40:10 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
X-Patchwork-Id: 124326
Delivered-To: patch@linaro.org
Received: by 10.140.22.227 with SMTP id 90csp2023689qgn;
 Fri, 12 Jan 2018 04:52:21 -0800 (PST)
X-Google-Smtp-Source: ACJfBosQaLxM/KtEhG9cJxjfAJR2g25fbtXQwRBJSg7WnVTvGHq0Q0v6KWRTZ8Xm9mV1Va832ir3
X-Received: by 10.80.214.136 with SMTP id r8mr35282393edi.288.1515761541232; 
 Fri, 12 Jan 2018 04:52:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1515761541; cv=none;
 d=google.com; s=arc-20160816;
 b=pPpLTyeFnIiquZH+50NqVJyzuSmXk7qN79Erkd7WRY/VNvmlfdelKafgUdSeS6PfZM
 WwnhCGHzMtdzc3ZxabFC4MdNRbcy3YCvWXVT9w6cT4ci8XKN9/SW4R/I52zOzqDo+kqD
 3HRjd5C2pqdlOINjvIW6I6bmGRgwgONbV+asTMbVMGYelW9GdtFxJ0UYs9IrtxmL2bAH
 9Kbmmkwx3KcVCkZH9WadKN4NbIuDDtuJlsn2ebeABwARJxVtXDnm1iprKOWoxyZzBz4S
 JemWLl5VEKUbWREdka5feR35ImgARLOhz7tkZ+a7vGWVrjYo6ZbMLFvxdTwvLMgCDfw6
 g2Ng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:content-transfer-encoding:mime-version
 :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
 :list-id:precedence:subject:cc:references:in-reply-to:message-id
 :date:to:from:dkim-signature:arc-authentication-results;
 bh=s5M9WlGKOZDYk9OT3z4efCGPo3RG52896jV6gNsas/g=;
 b=FGi7qGCrPFTVQQOW0/QszegOqD4odipNXbbPjU6DS86pw19cFSo0NL5+GjBrh2lmab
 rdkxEilkwbLdtxtr9vLgukch/Gdt370gjoU2idiMAgsNuNb3BqG/PlHSTLnsdyr3Yy0v
 1quwFf7tbXYRHVPRlQAAncb98YNRVmvUEeVDzsUXPfvYYzN1sAPRtAnxlsW1bCnyGEgu
 GRzrFKfqd2LLfCvddhqfKc1yYSlG4JkkOYtyhv0gzJQqLf65bBUC9GEyl4jsdzeL8nyq
 3LhUJHbzeBaYuRJy7c76Sshfe/JNV7hK13mEbnZUsG4T7JQHa6spx7zgwjGyjfKBeANO
 cWRA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=VVl+h+aa; 
 spf=pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 81.169.180.215 as
 permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from lists.denx.de (dione.denx.de. [81.169.180.215])
 by mx.google.com with ESMTP id 7si2868207edj.364.2018.01.12.04.52.20; 
 Fri, 12 Jan 2018 04:52:21 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 81.169.180.215 as
 permitted sender) client-ip=81.169.180.215; 
Authentication-Results: mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=VVl+h+aa; 
 spf=pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 81.169.180.215 as
 permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: by lists.denx.de (Postfix, from userid 105)
 id D2C53C221F6; Fri, 12 Jan 2018 12:46:27 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=RCVD_IN_MSPIKE_H3,
 RCVD_IN_MSPIKE_WL,
 T_DKIM_INVALID autolearn=unavailable autolearn_force=no
 version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
 by lists.denx.de (Postfix) with ESMTP id C8AC9C22215;
 Fri, 12 Jan 2018 12:41:42 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
 id 96DA9C22150; Fri, 12 Jan 2018 12:40:46 +0000 (UTC)
Received: from mail-wm0-f66.google.com (mail-wm0-f66.google.com [74.125.82.66])
 by lists.denx.de (Postfix) with ESMTPS id 0AD64C22189
 for <u-boot@lists.denx.de>; Fri, 12 Jan 2018 12:40:43 +0000 (UTC)
Received: by mail-wm0-f66.google.com with SMTP id i11so11511938wmf.4
 for <u-boot@lists.denx.de>; Fri, 12 Jan 2018 04:40:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=kJT4MeabAy1PzlYCSEqB9wWTQNibd+Fvvu5gADL50HE=;
 b=VVl+h+aaiSM6jlSv7x9sZCpaDEChrCrYaBuVWAxbyZw76W4U8HWjLHJIePAqvmde/a
 do/T5JazEsQiz4rzzbnqG9K7Ara5Ioiir1xUf76x7UTT2Mh2ZjPOIHswS54mdiJH25vq
 jdBlAlKABV57e2gG1XZxMuvh8iYFPuIueMPYw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=kJT4MeabAy1PzlYCSEqB9wWTQNibd+Fvvu5gADL50HE=;
 b=Mez7KBB9veTvDcUoBS4hpkAnR2kJTTHDrtDNt6oxlAGP7o/tjTfnBuhCV/Rbyt0fYB
 A+cuv3L36xhqYhMG1nthpTqdmpY8NPVNXFIMvvApwgnSZFEmkJGQVKMkybarfx/thIP9
 jljqXk8vEuSiduDW6MOYWd/ktNueHni4CyIbJG2EseglVGH7RT+BRMiMLMqs1jzNvYES
 ro2Ac1337V/8SW3Rm3in8Gz0AuWyKKuoti/ymgEzgm5NgU8JQlaWPCfuQyu6DC0E8chV
 fOfGsKm3dr5Zh9detunOdJAHoh2HYAE4JT1aTa1cVUVibVaXgNyy8H0IZL3c5InMnqN/
 1okQ==
X-Gm-Message-State: AKwxytfkmn5Gq3L538CiT9MKShrJkKBuCeu9i8h9MluCFt2aFyc1olf4
 fGFl/lkZ3cZ76HbQ7CVQGSjeMLqiAiI=
X-Received: by 10.80.181.93 with SMTP id z29mr2165216edd.223.1515760842547; 
 Fri, 12 Jan 2018 04:40:42 -0800 (PST)
Received: from localhost.localdomain ([109.255.42.2])
 by smtp.gmail.com with ESMTPSA id
 w2sm13893585edb.4.2018.01.12.04.40.41
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Fri, 12 Jan 2018 04:40:42 -0800 (PST)
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
To: u-boot@lists.denx.de,
	brenomatheus@gmail.com
Date: Fri, 12 Jan 2018 12:40:10 +0000
Message-Id: <1515760819-15116-17-git-send-email-bryan.odonoghue@linaro.org>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1515760819-15116-1-git-send-email-bryan.odonoghue@linaro.org>
References: <1515760819-15116-1-git-send-email-bryan.odonoghue@linaro.org>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Subject: [U-Boot] [PATCH v6 16/25] arm: imx: hab: Add a hab_rvt_check_target
 to image auth
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Add a hab_rvt_check_target() step to authenticate_image() as a sanity
check for the target memory region authenticate_image() will run over,
prior to making the BootROM authentication callback itself.

This check is recommended by the HAB documentation so it makes sense to
adhere to the guidance and perform that check as directed.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Stefano Babic <sbabic@denx.de>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Albert Aribaud <albert.u.boot@aribaud.net>
Cc: Sven Ebenfeld <sven.ebenfeld@gmail.com>
Cc: George McCollister <george.mccollister@gmail.com>
Cc: Breno Matheus Lima <brenomatheus@gmail.com>
Tested-by: Breno Lima <breno.lima@nxp.com>
Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
---
 arch/arm/mach-imx/hab.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
index 2a18ea2..079423a 100644
--- a/arch/arm/mach-imx/hab.c
+++ b/arch/arm/mach-imx/hab.c
@@ -437,12 +437,15 @@ int authenticate_image(uint32_t ddr_start, uint32_t image_size,
 	hab_rvt_authenticate_image_t *hab_rvt_authenticate_image;
 	hab_rvt_entry_t *hab_rvt_entry;
 	hab_rvt_exit_t *hab_rvt_exit;
+	hab_rvt_check_target_t *hab_rvt_check_target;
 	struct ivt *ivt;
 	struct ivt_header *ivt_hdr;
+	enum hab_status status;
 
 	hab_rvt_authenticate_image = hab_rvt_authenticate_image_p;
 	hab_rvt_entry = hab_rvt_entry_p;
 	hab_rvt_exit = hab_rvt_exit_p;
+	hab_rvt_check_target = hab_rvt_check_target_p;
 
 	if (!is_hab_enabled()) {
 		puts("hab fuse not enabled\n");
@@ -478,6 +481,12 @@ int authenticate_image(uint32_t ddr_start, uint32_t image_size,
 		goto hab_caam_clock_disable;
 	}
 
+	status = hab_rvt_check_target(HAB_TGT_MEMORY, (void *)ddr_start, bytes);
+	if (status != HAB_SUCCESS) {
+		printf("HAB check target 0x%08x-0x%08x fail\n",
+		       ddr_start, ddr_start + bytes);
+		goto hab_caam_clock_disable;
+	}
 #ifdef DEBUG
 	printf("\nivt_offset = 0x%x, ivt addr = 0x%x\n", ivt_offset, ivt_addr);
 	printf("ivt entry = 0x%08x, dcd = 0x%08x, csf = 0x%08x\n", ivt->entry,