From dc2acac3cdfe0ca77747e9c435e3f140acc07705 Mon Sep 17 00:00:00 2001 From: Ji Luo Date: Tue, 8 Oct 2019 21:22:24 +0800 Subject: [PATCH] MA-15575-3 Add support for oemlock 1.0 hal Add commands to read oem device unlock state from trusty avb app. Use the oem device unlock state to determine if the device can be unlocked instead of the state in persistdata part. Test: Read oem device unlock state from avb app. Change-Id: Ifccaa788ba0f681c2b3a47151c8474e8da5a2559 Signed-off-by: Ji Luo (cherry picked from commit c6eaf8e32987f120c0c5441ea39aa0f39a65b50d) (cherry picked from commit 8b58afda1cd1f91048504b48b95260e930a37326) --- .../fastboot/fb_fsl/fastboot_lock_unlock.c | 23 ++++++++++++++----- include/interface/avb/avb.h | 2 ++ include/trusty/avb.h | 6 +++++ lib/Kconfig | 5 ++++ lib/trusty/ql-tipc/avb.c | 7 ++++++ 5 files changed, 37 insertions(+), 6 deletions(-) diff --git a/drivers/fastboot/fb_fsl/fastboot_lock_unlock.c b/drivers/fastboot/fb_fsl/fastboot_lock_unlock.c index 19fefd7ceb..12c5c6b648 100644 --- a/drivers/fastboot/fb_fsl/fastboot_lock_unlock.c +++ b/drivers/fastboot/fb_fsl/fastboot_lock_unlock.c @@ -449,18 +449,28 @@ fail: } FbLockEnableResult fastboot_lock_enable() { - struct blk_desc *fs_dev_desc; - struct disk_partition fs_partition; - unsigned char *bdata; - int mmc_id; - FbLockEnableResult ret; - #ifdef CONFIG_DUAL_BOOTLOADER /* Always allow unlock device in spl recovery mode. */ if (is_spl_recovery()) return FASTBOOT_UL_ENABLE; #endif +#if defined(CONFIG_IMX_TRUSTY_OS) || defined(CONFIG_TRUSTY_UNLOCK_PERMISSION) + int ret; + uint8_t oem_device_unlock; + + ret = trusty_read_oem_unlock_device_permission(&oem_device_unlock); + if (ret < 0) + return FASTBOOT_UL_ERROR; + else + return oem_device_unlock; +#else /* CONFIG_IMX_TRUSTY_OS */ + FbLockEnableResult ret; + struct blk_desc *fs_dev_desc; + struct disk_partition fs_partition; + unsigned char *bdata; + int mmc_id; + bdata = (unsigned char *)memalign(ALIGN_BYTES, SECTOR_SIZE); if (bdata == NULL) return FASTBOOT_UL_ERROR; @@ -500,6 +510,7 @@ FbLockEnableResult fastboot_lock_enable() { fail: free(bdata); return ret; +#endif /* CONFIG_IMX_TRUSTY_OS */ } #endif diff --git a/include/interface/avb/avb.h b/include/interface/avb/avb.h index 608f6afc40..f9da80c21d 100644 --- a/include/interface/avb/avb.h +++ b/include/interface/avb/avb.h @@ -44,6 +44,8 @@ enum avb_command { LOCK_BOOT_STATE = (7 << AVB_REQ_SHIFT), READ_VBMETA_PUBLIC_KEY = (8 << AVB_REQ_SHIFT), WRITE_VBMETA_PUBLIC_KEY = (9 << AVB_REQ_SHIFT), + WRITE_OEM_UNLOCK_DEVICE_PERMISSION = (10 << AVB_REQ_SHIFT), + READ_OEM_UNLOCK_DEVICE_PERMISSION = (11 << AVB_REQ_SHIFT), }; /** diff --git a/include/trusty/avb.h b/include/trusty/avb.h index daaac2cae5..0212807824 100644 --- a/include/trusty/avb.h +++ b/include/trusty/avb.h @@ -116,5 +116,11 @@ int trusty_write_lock_state(uint8_t lock_state); * Returns one of trusty_err. */ int trusty_lock_boot_state(void); +/* + * Send request to secure side to read oem device unlock state from RPMB. + * + * Returns one of trusty_err. + */ +int trusty_read_oem_unlock_device_permission(uint8_t *lock_state); #endif /* TRUSTY_AVB_H_ */ diff --git a/lib/Kconfig b/lib/Kconfig index 9ffae36b1a..e16db5e49e 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -366,6 +366,11 @@ config AT_AUTHENTICATE_UNLOCK config SECURE_UNLOCK bool "Enable secure unlock for Android devices, it can only be enabled on HAB closed board" + +config TRUSTY_UNLOCK_PERMISSION + bool "Support unlock permission protection in trusty" + depends on IMX_TRUSTY_OS + endmenu menu "Hashing Support" diff --git a/lib/trusty/ql-tipc/avb.c b/lib/trusty/ql-tipc/avb.c index 95b26fd2f8..937cafc910 100644 --- a/lib/trusty/ql-tipc/avb.c +++ b/lib/trusty/ql-tipc/avb.c @@ -260,3 +260,10 @@ int trusty_lock_boot_state(void) { return avb_do_tipc(LOCK_BOOT_STATE, NULL, 0, NULL, NULL); } + +int trusty_read_oem_unlock_device_permission(uint8_t *oem_device_unlock) +{ + uint32_t resp_size = sizeof(*oem_device_unlock); + return avb_do_tipc(READ_OEM_UNLOCK_DEVICE_PERMISSION, NULL, 0, oem_device_unlock, + &resp_size); +} -- 2.17.1