On 25-12-19, Fabian Pflug wrote:
> Extend hab command with an additional parameter to burn the field return
> fuse.
> Since there is now a convenient way to burn the field return fuse, give
> a hint at the Kconfig option about this, as it already describes what to
> do in order to burn the fuse to make it complete.
> 
> Signed-off-by: Fabian Pflug <[email protected]>

Reviewed-by: Marco Felsch <[email protected]>

> ---
>  arch/arm/mach-imx/Kconfig |  6 +++++-
>  commands/hab.c            | 24 ++++++++++++++++++++----
>  2 files changed, 25 insertions(+), 5 deletions(-)
> 
> diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
> index 5f50d1a823..5fea0bbbca 100644
> --- a/arch/arm/mach-imx/Kconfig
> +++ b/arch/arm/mach-imx/Kconfig
> @@ -926,13 +926,17 @@ config HABV4_CSF_UNLOCK_UID
>            feature. This value must match the per device UNIQUE_ID fuses.
>  
>         The below example shows the expected format. The UNIQUE_ID is
> -       queried by Linux via:
> +       printed during boot by barebox:
> +         i.MX___ unique ID: 7766554433221100
> +       or it can be queried by Linux via:
>              - cat /sys/devices/soc0/serial_number
>             7766554433221100
>  
>         So this value have to be set:
>           - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77
>  
> +       Afterwards, the `hab -p -r` command can be used to burn the fuse.
> +
>  config HABV4_IMG_CRT_PEM
>       string "Path to IMG certificate"
>       default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem"
> diff --git a/commands/hab.c b/commands/hab.c
> index 8ae943a4c8..1e168af4b9 100644
> --- a/commands/hab.c
> +++ b/commands/hab.c
> @@ -16,9 +16,9 @@ static int do_hab(int argc, char *argv[])
>       char *srkhashfile = NULL, *srkhash = NULL;
>       unsigned flags = 0;
>       u8 srk[SRK_HASH_SIZE];
> -     int lockdown = 0, info = 0;
> +     int lockdown = 0, info = 0, field_return = 0;
>  
> -     while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) {
> +     while ((opt = getopt(argc, argv, "s:fpx:lir")) > 0) {
>               switch (opt) {
>               case 's':
>                       srkhashfile = optarg;
> @@ -38,12 +38,15 @@ static int do_hab(int argc, char *argv[])
>               case 'i':
>                       info = 1;
>                       break;
> +             case 'r':
> +                     field_return = 1;
> +                     break;
>               default:
>                       return COMMAND_ERROR_USAGE;
>               }
>       }
>  
> -     if (!info && !lockdown && !srkhashfile && !srkhash) {
> +     if (!info && !lockdown && !srkhashfile && !srkhash && !field_return) {
>               printf("Nothing to do\n");
>               return COMMAND_ERROR_USAGE;
>       }
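Review bot: `-r` is accepted together with `-l` without any check, and in the last hab.c hunk the field-return block runs right after the lockdown block in the same invocation. Going by the help text, both are one-way fuse operations with opposite intent, so a mistyped command line could burn both. Rejecting the combination after the "Nothing to do" check would be safer, e.g. `if (lockdown && field_return) return COMMAND_ERROR_USAGE;` with a short message. How `-i` interacts with `-r` is not visible in this hunk; if the info path returns early, `-r` would be silently ignored and should be reported as well.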
> @@ -94,7 +97,19 @@ static int do_hab(int argc, char *argv[])
>               printf("Device successfully locked down\n");
>       }
>  
> -     return 0;
> +     if (field_return) {
> +             ret = imx_hab_field_return(flags & 
> IMX_SRK_HASH_WRITE_PERMANENT);
> +             if (ret == -EINVAL && 
> IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
> +                     printf("Field-return burn failed, check 
> HABV4_CSF_UNLOCK_UID!\n");
> +             else if (ret == -EINVAL && 
> !IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN))
> +                     printf("Field-return burn failed because 
> CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN=n\n");
> +             else if (ret)
> +                     printf("Field-return burn failed\n");
> +             else
> +                     printf("Field return fuse successfully burnt\n");
> +     }
> +
> +     return ret;
>  }
>  
>  BAREBOX_CMD_HELP_START(hab)
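Review bot: The success branch prints "Field return fuse successfully burnt" whenever `imx_hab_field_return()` returns 0, including when `-p` was not given and the argument `flags & IMX_SRK_HASH_WRITE_PERMANENT` is 0. What the callee does in that case is not visible here, but if it performs only a non-permanent write, the message tells the operator that an irreversible security state change happened when it did not. Consider keying the text on the flag, e.g. `printf("Field return fuse %s\n", (flags & IMX_SRK_HASH_WRITE_PERMANENT) ? "successfully burnt" : "not burnt permanently (no -p)");`. The two `ret == -EINVAL` branches also test the same condition twice and would read more easily nested under a single `if (ret == -EINVAL)`. do_hab begins outside this hunk.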
> @@ -105,6 +120,7 @@ BAREBOX_CMD_HELP_OPT ("-x <sha256>",  "Burn Super Root 
> Key hash from hex string"
>  BAREBOX_CMD_HELP_OPT ("-i",  "Print HAB info")
>  BAREBOX_CMD_HELP_OPT ("-f",  "Force. Write even when a key is already 
> written")
>  BAREBOX_CMD_HELP_OPT ("-l",  "Lockdown device. Dangerous! After executing 
> only signed images can be booted")
> +BAREBOX_CMD_HELP_OPT ("-r",  "Field Return. Dangerous! After executing 
> signed images are disabled forever.")
>  BAREBOX_CMD_HELP_OPT ("-p",  "Permanent. Really burn fuses. Be careful!")
>  BAREBOX_CMD_HELP_END
>  
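Review bot: The new `-r` help string, "After executing signed images are disabled forever.", is ambiguous for an irreversible option, because it can be read as "signed images will no longer boot". If the intended meaning is that signature enforcement is permanently switched off, the text should say so directly, e.g. `"Field Return. Dangerous! Permanently disables secure boot enforcement"`. It would also help to state, as the Kconfig hint `hab -p -r` implies, that the burn is only permanent when combined with `-p`.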
> 
> -- 
> 2.47.3
> 
> 

-- 
#gernperDu 
#CallMeByMyFirstName

Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | https://www.pengutronix.de/ |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-9    |
