Extend hab command with an additional parameter to burn the field return fuse. Since there is now a convenient way to burn the field return fuse, give a hint at the Kconfig option about this, as it already describes what to do in order to burn the fuse to make it complete.
Reviewed-by: Marco Felsch <[email protected]> Signed-off-by: Fabian Pflug <[email protected]> --- arch/arm/mach-imx/Kconfig | 6 +++++- commands/hab.c | 24 ++++++++++++++++++++---- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig index 5f50d1a823..5fea0bbbca 100644 --- a/arch/arm/mach-imx/Kconfig +++ b/arch/arm/mach-imx/Kconfig @@ -926,13 +926,17 @@ config HABV4_CSF_UNLOCK_UID feature. This value must match the per device UNIQUE_ID fuses. The below example shows the expected format. The UNIQUE_ID is - queried by Linux via: + printed during boot by barebox: + i.MX___ unique ID: 7766554433221100 + or it can be queried by Linux via: - cat /sys/devices/soc0/serial_number 7766554433221100 So this value have to be set: - 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77 + Afterwards, the `hab -p -r` command can be used to burn the fuse. + config HABV4_IMG_CRT_PEM string "Path to IMG certificate" default "../crts/IMG1_1_sha256_4096_65537_v3_usr_crt.pem" diff --git a/commands/hab.c b/commands/hab.c index 8ae943a4c8..df045df470 100644 --- a/commands/hab.c +++ b/commands/hab.c @@ -16,9 +16,9 @@ static int do_hab(int argc, char *argv[]) char *srkhashfile = NULL, *srkhash = NULL; unsigned flags = 0; u8 srk[SRK_HASH_SIZE]; - int lockdown = 0, info = 0; + int lockdown = 0, info = 0, field_return = 0; - while ((opt = getopt(argc, argv, "s:fpx:li")) > 0) { + while ((opt = getopt(argc, argv, "s:fpx:lir")) > 0) { switch (opt) { case 's': srkhashfile = optarg; @@ -38,12 +38,15 @@ static int do_hab(int argc, char *argv[]) case 'i': info = 1; break; + case 'r': + field_return = 1; + break; default: return COMMAND_ERROR_USAGE; } } - if (!info && !lockdown && !srkhashfile && !srkhash) { + if (!info && !lockdown && !srkhashfile && !srkhash && !field_return) { printf("Nothing to do\n"); return COMMAND_ERROR_USAGE; } @@ -94,7 +97,19 @@ static int do_hab(int argc, char *argv[]) printf("Device successfully locked down\n"); } - return 0; + if (field_return) { + ret = imx_hab_field_return(flags & IMX_SRK_HASH_WRITE_PERMANENT); + if (ret == -EINVAL && IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN)) + printf("Field-return burn failed, check HABV4_CSF_UNLOCK_UID!\n"); + else if (ret == -EINVAL && !IS_ENABLED(CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN)) + printf("Field-return burn failed because CONFIG_HABV4_CSF_UNLOCK_FIELD_RETURN=n\n"); + else if (ret) + printf("Field-return burn failed\n"); + else + printf("Field return fuse successfully burnt\n"); + } + + return ret; } BAREBOX_CMD_HELP_START(hab) @@ -105,6 +120,7 @@ BAREBOX_CMD_HELP_OPT ("-x <sha256>", "Burn Super Root Key hash from hex string" BAREBOX_CMD_HELP_OPT ("-i", "Print HAB info") BAREBOX_CMD_HELP_OPT ("-f", "Force. Write even when a key is already written") BAREBOX_CMD_HELP_OPT ("-l", "Lockdown device. Dangerous! After executing only signed images can be booted") +BAREBOX_CMD_HELP_OPT ("-r", "Field Return. Dangerous! Access to device keys will be disabled forever") BAREBOX_CMD_HELP_OPT ("-p", "Permanent. Really burn fuses. Be careful!") BAREBOX_CMD_HELP_END -- 2.47.3
