MA-15575-3 Add support for oemlock 1.0 hal
authorJi Luo <ji.luo@nxp.com>
Tue, 8 Oct 2019 13:22:24 +0000 (21:22 +0800)
committerJi Luo <ji.luo@nxp.com>
Wed, 16 Oct 2019 08:04:49 +0000 (16:04 +0800)
Add commands to read the OEM device unlock state from the
Trusty AVB app. Use that state, instead of the state in the
persistdata partition, to determine whether the device can
be unlocked.

Test: Read oem device unlock state from avb app.

Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559
Signed-off-by: Ji Luo <ji.luo@nxp.com>
drivers/fastboot/fb_fsl/fastboot_lock_unlock.c
include/interface/avb/avb.h
include/trusty/avb.h
lib/trusty/ql-tipc/avb.c

index a6ca0e3..3d0d014 100644 (file)
@@ -449,18 +449,28 @@ fail:
 
 }
 FbLockEnableResult fastboot_lock_enable() {
-       struct blk_desc *fs_dev_desc;
-       disk_partition_t fs_partition;
-       unsigned char *bdata;
-       int mmc_id;
-       FbLockEnableResult ret;
-
 #ifdef CONFIG_DUAL_BOOTLOADER
        /* Always allow unlock device in spl recovery mode. */
        if (is_spl_recovery())
                return FASTBOOT_UL_ENABLE;
 #endif
 
+#ifdef CONFIG_IMX_TRUSTY_OS
+       int ret;
+       uint8_t oem_device_unlock;
+
+       ret = trusty_read_oem_unlock_device_permission(&oem_device_unlock);
+       if (ret < 0)
+               return FASTBOOT_UL_ERROR;
+       else
+               return oem_device_unlock;
+#else /* CONFIG_IMX_TRUSTY_OS */
+       FbLockEnableResult ret;
+       struct blk_desc *fs_dev_desc;
+       disk_partition_t fs_partition;
+       unsigned char *bdata;
+       int mmc_id;
+
        bdata = (unsigned char *)memalign(ALIGN_BYTES, SECTOR_SIZE);
        if (bdata == NULL)
                return FASTBOOT_UL_ERROR;
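Review bot: In the CONFIG_IMX_TRUSTY_OS branch, `return oem_device_unlock;` hands the raw byte from the secure side back as a FbLockEnableResult, so any value outside the enum reaches callers unchanged. Because this byte now decides whether the device may be unlocked, the branch should fail closed: declare `uint8_t oem_device_unlock = 0;` (assuming 0 is the enum's disabled value) and return `FASTBOOT_UL_ENABLE` only for the exact value the avb app stores for "allowed", mapping everything else to the disabled result. The encoding of that byte is not visible here and needs confirming against the Trusty side. The function body continues past this hunk; its closing `#endif` is added in the next one.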
@@ -500,6 +510,7 @@ FbLockEnableResult fastboot_lock_enable() {
 fail:
        free(bdata);
        return ret;
+#endif /* CONFIG_IMX_TRUSTY_OS */
 
 }
 #endif
index 608f6af..f9da80c 100644 (file)
@@ -44,6 +44,8 @@ enum avb_command {
     LOCK_BOOT_STATE            = (7 << AVB_REQ_SHIFT),
     READ_VBMETA_PUBLIC_KEY     = (8 << AVB_REQ_SHIFT),
     WRITE_VBMETA_PUBLIC_KEY    = (9 << AVB_REQ_SHIFT),
+    WRITE_OEM_UNLOCK_DEVICE_PERMISSION     = (10 << AVB_REQ_SHIFT),
+    READ_OEM_UNLOCK_DEVICE_PERMISSION      = (11 << AVB_REQ_SHIFT),
 };
 
 /**
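Review bot: `WRITE_OEM_UNLOCK_DEVICE_PERMISSION` is added to the command set, but none of the hunks shown issues it and nothing here says which client may send it. Since the permission it writes now gates fastboot unlock, a comment above the two new entries should name the expected writer (presumably the oemlock HAL, not the bootloader; to be confirmed) and state that the avb app, not this header, enforces it. The two new entries also break the `=` column alignment of the entries above them.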
index daaac2c..0212807 100644 (file)
@@ -116,5 +116,11 @@ int trusty_write_lock_state(uint8_t lock_state);
  * Returns one of trusty_err.
  */
 int trusty_lock_boot_state(void);
+/*
+ * Send request to secure side to read oem device unlock state from RPMB.
+ *
+ * Returns one of trusty_err.
+ */
+int trusty_read_oem_unlock_device_permission(uint8_t *lock_state);
 
 #endif /* TRUSTY_AVB_H_ */
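Review bot: The prototype names its out-parameter `lock_state`, while the definition in lib/trusty/ql-tipc/avb.c calls it `oem_device_unlock`, and the comment never describes the parameter. Rename it to match, `int trusty_read_oem_unlock_device_permission(uint8_t *oem_device_unlock);`, so it is not mistaken for the boot lock state read by the neighbouring lock-state functions. Add a line to the comment saying the pointed-to byte receives the stored OEM unlock permission on success and must not be used when the call returns an error. A blank line between `trusty_lock_boot_state(void);` and the new comment would keep the declarations visually separate.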
index 95b26fd..937cafc 100644 (file)
@@ -260,3 +260,10 @@ int trusty_lock_boot_state(void)
 {
     return avb_do_tipc(LOCK_BOOT_STATE, NULL, 0, NULL, NULL);
 }
+
+int trusty_read_oem_unlock_device_permission(uint8_t *oem_device_unlock)
+{
+    uint32_t resp_size = sizeof(*oem_device_unlock);
+    return avb_do_tipc(READ_OEM_UNLOCK_DEVICE_PERMISSION, NULL, 0, oem_device_unlock,
+                       &resp_size);
+}
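Review bot: `resp_size` is passed to `avb_do_tipc` but never compared with `sizeof(*oem_device_unlock)` afterwards, so a call that succeeds with a short or empty response would leave the caller's byte unwritten. Whether `avb_do_tipc` already rejects that case is not visible in this hunk. Keep the return code in a local `rc` and add `if (rc == TRUSTY_ERR_NONE && resp_size != sizeof(*oem_device_unlock)) rc = TRUSTY_ERR_GENERIC;` before returning it. The function also dereferences nothing itself but forwards the pointer, so a short comment that `oem_device_unlock` must be non-NULL would document the contract.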