[4/4] imx: hab: Provide hab_auth_img_or_fail command

Message ID 1520616949-11879-5-git-send-email-bryan.odonoghue@linaro.org
State New
Series
  • imx: hab: Add helper functions for scripted HAB auth

Commit Message

Bryan O'Donoghue March 9, 2018, 5:35 p.m.
This patch adds hab_auth_img_or_fail(), a command line function that
encapsulates a common usage of authenticate and failover, namely: if
authenticating the image fails, then drop to BootROM USB recovery mode.

For secure-boot systems, this type of locked down behavior is important to
ensure no unsigned images can be run.

It's possible to script this logic but, when done over and over again, the
environment starts to get very complex and repetitive; reducing that script
repetition down to a command line function makes sense.

Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
Cc: Breno Lima <breno.lima@nxp.com>
Cc: Fabio Estevam <fabio.estevam@nxp.com>
---
 arch/arm/mach-imx/hab.c | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

Comments

Breno Matheus Lima March 15, 2018, 5:15 p.m. | #1
Hi Bryan,

2018-03-09 14:35 GMT-03:00 Bryan O'Donoghue <bryan.odonoghue@linaro.org>:
> This patch adds hab_auth_img_or_fail(), a command line function that
> encapsulates a common usage of authenticate and failover, namely: if
> authenticating the image fails, then drop to BootROM USB recovery mode.
>
> For secure-boot systems, this type of locked down behavior is important to
> ensure no unsigned images can be run.
>
> It's possible to script this logic but, when done over and over again, the
> environment starts to get very complex and repetitive; reducing that script
> repetition down to a command line function makes sense.
>
> Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
> Cc: Utkarsh Gupta <utkarsh.gupta@nxp.com>
> Cc: Breno Lima <breno.lima@nxp.com>
> Cc: Fabio Estevam <fabio.estevam@nxp.com>
> ---
>  arch/arm/mach-imx/hab.c | 26 ++++++++++++++++++++++++++
>  1 file changed, 26 insertions(+)
>
> diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
> index 0c18b2e..61ccdeb 100644
> --- a/arch/arm/mach-imx/hab.c
> +++ b/arch/arm/mach-imx/hab.c
> @@ -366,6 +366,22 @@ static int do_hab_get_ivt_addr(cmd_tbl_t *cmdtp, int flag, int argc,
>         return CMD_RET_SUCCESS;
>  }
>
> +static int do_authenticate_image_or_failover(cmd_tbl_t *cmdtp, int flag,
> +                                            int argc, char * const argv[])
> +{
> +       if (!imx_hab_is_enabled())
> +               goto done;

It would be nice to return CMD_RET_USAGE in this case, or maybe print
something like "Secure boot disabled". If I run it on a non-HAB-enabled
board I get the following output:

=> hab_auth_img_or_fail <addr> <length> <ivt_offset>
=>

We may also need to add the following here:

if (argc < 4)
       return CMD_RET_USAGE;

If I run this command without any parameter the code is wrongly
executed, and the system goes to USB recovery mode.

Thanks,
Breno Lima
Bryan O'Donoghue March 17, 2018, 11:06 a.m. | #2
On 15/03/18 17:15, Breno Matheus Lima wrote:
> If I run this command without any parameter the code is wrongly
> executed, and the system goes to USB recovery mode.

Oops.

I'll fix that so.

---
bod

Patch

diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c
index 0c18b2e..61ccdeb 100644
--- a/arch/arm/mach-imx/hab.c
+++ b/arch/arm/mach-imx/hab.c
@@ -366,6 +366,22 @@  static int do_hab_get_ivt_addr(cmd_tbl_t *cmdtp, int flag, int argc,
 	return CMD_RET_SUCCESS;
 }
 
+static int do_authenticate_image_or_failover(cmd_tbl_t *cmdtp, int flag,
+					     int argc, char * const argv[])
+{
+	if (!imx_hab_is_enabled())
+		goto done;
+
+	if (do_authenticate_image(NULL, flag, argc, argv) != CMD_RET_SUCCESS) {
+		fprintf(stderr, "authentication fail -> %s %s %s %s\n",
+			argv[0], argv[1], argv[2], argv[3]);
+		do_hab_failsafe(0, 0, 1, NULL);
+	};
+
+done:
+	return CMD_RET_SUCCESS;
+}
+
 U_BOOT_CMD(
 		hab_status, CONFIG_SYS_MAXARGS, 1, do_hab_status,
 		"display HAB status",
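Review bot: do_authenticate_image_or_failover() indexes argv[1], argv[2] and argv[3] in the fprintf and forwards argc/argv to do_authenticate_image() without checking argc first, so `hab_auth_img_or_fail` typed with fewer than three arguments reads past the end of argv and, on a HAB-enabled board, ends up in do_hab_failsafe() because of a malformed command rather than a genuine authentication failure. Add `if (argc < 4) return CMD_RET_USAGE;` ahead of the imx_hab_is_enabled() check. Two smaller points: the `};` closing the if block carries a stray semicolon, and the `goto done` path returns CMD_RET_SUCCESS silently when HAB is disabled, so a boot script cannot distinguish "image authenticated" from "HAB off"; printing a message or returning a non-success code there would make that state visible.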
@@ -395,6 +411,16 @@  U_BOOT_CMD(
 		"ivt_offset - hex offset of IVT in the image"
 	  );
 
+U_BOOT_CMD(
+		hab_auth_img_or_fail, 4, 0,
+		do_authenticate_image_or_failover,
+		"authenticate image via HAB on failure drop to USB BootROM mode",
+		"addr length ivt_offset\n"
+		"addr - image hex address\n"
+		"length - image hex length\n"
+		"ivt_offset - hex offset of IVT in the image"
+	  );
+
 #endif /* !defined(CONFIG_SPL_BUILD) */
 
 /* Get CSF Header length */
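Review bot: the short help string "authenticate image via HAB on failure drop to USB BootROM mode" reads as a single run-on clause in `help` output; a separator such as "authenticate image via HAB; on failure drop to USB BootROM mode" makes the two behaviours clear. Note also that the maxargs value of 4 only caps the argument count and does not reject too few arguments, so the minimum-argument check still has to live in do_authenticate_image_or_failover().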