mirrors/u-boot
1
0
Fork 0
mirror of https://source.denx.de/u-boot/u-boot.git synced 2026-05-04 12:21:03 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

ARM: tegra20: tegra30: support EBTUPDATE on non-encrypted devices

Browse Source 
Re-crypt support was extended to devices without burnt SBK. In case
SBK is not set, place from where it is read is filled with zeroes.
This patch adds support for ebtupdate function to detect nosbk device
and avoid crypto operations for it.

Tested-by: Maksim Kurnosenko <asusx2@mail.ru>
Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
This commit is contained in:
Svyatoslav Ryhel 2023-10-03 09:36:44 +03:00 committed by Tom Rini
parent 8632091e1e
commit f2cf7feb80
2 changed files with 40 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
arch/arm/mach-tegra/tegra20/bct.c
View File

@ -11,6 +11,9 @@
#include "bct.h"
#include "uboot_aes.h"
/* Device with "sbk burned: false" will expose zero key */
const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
/*
* @param bct boot config table start in RAM
* @param ect bootloader start in RAM
@ -23,22 +26,27 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
u8 sbk[AES128_KEY_LENGTH] = { 0 };
u8 *bct_hash = bct;
bool encrypted;
int ret;
bct += BCT_HASH;
ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
NVBOOT_CMAC_AES_HASH_LENGTH * 4);
ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
if (encrypted) {
ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
ret = encrypt_data_block(ebt, ebt_size, sbk);
if (ret)
return 1;
ret = encrypt_data_block(ebt, ebt_size, sbk);
if (ret)
return 1;
}
ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
if (ret)
@ -52,9 +60,11 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
bct_tbl->bootloader[0].length = ebt_size;
ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
if (encrypted) {
ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
}
ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
if (ret)

30
arch/arm/mach-tegra/tegra30/bct.c
View File

@ -11,6 +11,9 @@
#include "bct.h"
#include "uboot_aes.h"
/* Device with "sbk burned: false" will expose zero key */
const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
/*
* @param bct boot config table start in RAM
* @param ect bootloader start in RAM
@ -23,22 +26,27 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
u8 sbk[AES128_KEY_LENGTH] = { 0 };
u8 *bct_hash = bct;
bool encrypted;
int ret;
bct += BCT_HASH;
ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
NVBOOT_CMAC_AES_HASH_LENGTH * 4);
ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
if (encrypted) {
ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
ret = encrypt_data_block(ebt, ebt_size, sbk);
if (ret)
return 1;
ret = encrypt_data_block(ebt, ebt_size, sbk);
if (ret)
return 1;
}
ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
if (ret)
@ -52,9 +60,11 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
bct_tbl->bootloader[0].length = ebt_size;
ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
if (encrypted) {
ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
if (ret)
return 1;
}
ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
if (ret)