Siva Durga Prasad Paladugu | e460352 | 2018-06-26 15:02:19 +0530 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0+ |
| 2 | /* |
| 3 | * Copyright (C) 2018 Xilinx, Inc. |
| 4 | */ |
| 5 | |
| 6 | #include <common.h> |
| 7 | #include <asm/io.h> |
| 8 | #include <asm/arch/hardware.h> |
| 9 | #include <asm/arch/sys_proto.h> |
| 10 | #include <malloc.h> |
| 11 | #include <u-boot/md5.h> |
| 12 | #include <u-boot/rsa.h> |
| 13 | #include <u-boot/rsa-mod-exp.h> |
| 14 | #include <u-boot/sha256.h> |
| 15 | #include <zynqpl.h> |
| 16 | #include <fpga.h> |
| 17 | #include <zynq_bootimg.h> |
| 18 | |
| 19 | DECLARE_GLOBAL_DATA_PTR; |
| 20 | |
| 21 | #ifdef CONFIG_CMD_ZYNQ_RSA |
| 22 | |
| 23 | #define ZYNQ_EFUSE_RSA_ENABLE_MASK 0x400 |
| 24 | #define ZYNQ_ATTRIBUTE_PL_IMAGE_MASK 0x20 |
| 25 | #define ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK 0x7000 |
| 26 | #define ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK 0x8000 |
| 27 | #define ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK 0x30000 |
| 28 | |
| 29 | #define ZYNQ_RSA_MODULAR_SIZE 256 |
| 30 | #define ZYNQ_RSA_MODULAR_EXT_SIZE 256 |
| 31 | #define ZYNQ_RSA_EXPO_SIZE 64 |
| 32 | #define ZYNQ_RSA_SPK_SIGNATURE_SIZE 256 |
| 33 | #define ZYNQ_RSA_PARTITION_SIGNATURE_SIZE 256 |
| 34 | #define ZYNQ_RSA_SIGNATURE_SIZE 0x6C0 |
| 35 | #define ZYNQ_RSA_HEADER_SIZE 4 |
| 36 | #define ZYNQ_RSA_MAGIC_WORD_SIZE 60 |
| 37 | #define ZYNQ_RSA_PART_OWNER_UBOOT 1 |
| 38 | #define ZYNQ_RSA_ALIGN_PPK_START 64 |
| 39 | |
| 40 | #define WORD_LENGTH_SHIFT 2 |
| 41 | |
| 42 | static u8 *ppkmodular; |
| 43 | static u8 *ppkmodularex; |
| 44 | |
| 45 | struct zynq_rsa_public_key { |
| 46 | uint len; /* Length of modulus[] in number of u32 */ |
| 47 | u32 n0inv; /* -1 / modulus[0] mod 2^32 */ |
| 48 | u32 *modulus; /* modulus as little endian array */ |
| 49 | u32 *rr; /* R^2 as little endian array */ |
| 50 | }; |
| 51 | |
| 52 | static struct zynq_rsa_public_key public_key; |
| 53 | |
| 54 | static struct partition_hdr part_hdr[ZYNQ_MAX_PARTITION_NUMBER]; |
| 55 | |
| 56 | /* |
| 57 | * Extract the primary public key components from already autheticated FSBL |
| 58 | */ |
| 59 | static void zynq_extract_ppk(u32 fsbl_len) |
| 60 | { |
| 61 | u32 padsize; |
| 62 | u8 *ppkptr; |
| 63 | |
| 64 | debug("%s\n", __func__); |
| 65 | |
| 66 | /* |
| 67 | * Extract the authenticated PPK from OCM i.e at end of the FSBL |
| 68 | */ |
| 69 | ppkptr = (u8 *)(fsbl_len + ZYNQ_OCM_BASEADDR); |
| 70 | padsize = ((u32)ppkptr % ZYNQ_RSA_ALIGN_PPK_START); |
| 71 | if (padsize) |
| 72 | ppkptr += (ZYNQ_RSA_ALIGN_PPK_START - padsize); |
| 73 | |
| 74 | ppkptr += ZYNQ_RSA_HEADER_SIZE; |
| 75 | |
| 76 | ppkptr += ZYNQ_RSA_MAGIC_WORD_SIZE; |
| 77 | |
| 78 | ppkmodular = (u8 *)ppkptr; |
| 79 | ppkptr += ZYNQ_RSA_MODULAR_SIZE; |
| 80 | ppkmodularex = (u8 *)ppkptr; |
| 81 | ppkptr += ZYNQ_RSA_MODULAR_EXT_SIZE; |
| 82 | } |
| 83 | |
| 84 | /* |
| 85 | * Calculate the inverse(-1 / modulus[0] mod 2^32 ) for the PPK |
| 86 | */ |
| 87 | static u32 zynq_calc_inv(void) |
| 88 | { |
| 89 | u32 modulus = public_key.modulus[0]; |
| 90 | u32 tmp = BIT(1); |
| 91 | u32 inverse; |
| 92 | |
| 93 | inverse = modulus & BIT(0); |
| 94 | |
| 95 | while (tmp) { |
| 96 | inverse *= 2 - modulus * inverse; |
| 97 | tmp *= tmp; |
| 98 | } |
| 99 | |
| 100 | return ~(inverse - 1); |
| 101 | } |
| 102 | |
| 103 | /* |
| 104 | * Recreate the signature by padding the bytes and verify with hash value |
| 105 | */ |
| 106 | static int zynq_pad_and_check(u8 *signature, u8 *hash) |
| 107 | { |
| 108 | u8 padding[] = {0x30, 0x31, 0x30, 0x0D, 0x06, 0x09, 0x60, 0x86, 0x48, |
| 109 | 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, |
| 110 | 0x20}; |
| 111 | u8 *pad_ptr = signature + 256; |
| 112 | u32 pad = 202; |
| 113 | u32 ii; |
| 114 | |
| 115 | /* |
| 116 | * Re-Create PKCS#1v1.5 Padding |
| 117 | * MSB ----------------------------------------------------LSB |
| 118 | * 0x0 || 0x1 || 0xFF(for 202 bytes) || 0x0 || T_padding || SHA256 Hash |
| 119 | */ |
| 120 | if (*--pad_ptr != 0 || *--pad_ptr != 1) |
| 121 | return -1; |
| 122 | |
| 123 | for (ii = 0; ii < pad; ii++) { |
| 124 | if (*--pad_ptr != 0xFF) |
| 125 | return -1; |
| 126 | } |
| 127 | |
| 128 | if (*--pad_ptr != 0) |
| 129 | return -1; |
| 130 | |
| 131 | for (ii = 0; ii < sizeof(padding); ii++) { |
| 132 | if (*--pad_ptr != padding[ii]) |
| 133 | return -1; |
| 134 | } |
| 135 | |
| 136 | for (ii = 0; ii < 32; ii++) { |
| 137 | if (*--pad_ptr != hash[ii]) |
| 138 | return -1; |
| 139 | } |
| 140 | return 0; |
| 141 | } |
| 142 | |
| 143 | /* |
| 144 | * Verify and extract the hash value from signature using the public key |
| 145 | * and compare it with calculated hash value. |
| 146 | */ |
| 147 | static int zynq_rsa_verify_key(const struct zynq_rsa_public_key *key, |
| 148 | const u8 *sig, const u32 sig_len, const u8 *hash) |
| 149 | { |
| 150 | int status; |
| 151 | void *buf; |
| 152 | |
| 153 | if (!key || !sig || !hash) |
| 154 | return -1; |
| 155 | |
| 156 | if (sig_len != (key->len * sizeof(u32))) { |
| 157 | printf("Signature is of incorrect length %d\n", sig_len); |
| 158 | return -1; |
| 159 | } |
| 160 | |
| 161 | /* Sanity check for stack size */ |
| 162 | if (sig_len > ZYNQ_RSA_SPK_SIGNATURE_SIZE) { |
| 163 | printf("Signature length %u exceeds maximum %d\n", sig_len, |
| 164 | ZYNQ_RSA_SPK_SIGNATURE_SIZE); |
| 165 | return -1; |
| 166 | } |
| 167 | |
| 168 | buf = malloc(sig_len); |
| 169 | if (!buf) |
| 170 | return -1; |
| 171 | |
| 172 | memcpy(buf, sig, sig_len); |
| 173 | |
| 174 | status = zynq_pow_mod((u32 *)key, (u32 *)buf); |
| 175 | if (status == -1) { |
| 176 | free(buf); |
| 177 | return status; |
| 178 | } |
| 179 | |
| 180 | status = zynq_pad_and_check((u8 *)buf, (u8 *)hash); |
| 181 | |
| 182 | free(buf); |
| 183 | return status; |
| 184 | } |
| 185 | |
| 186 | /* |
| 187 | * Authenticate the partition |
| 188 | */ |
| 189 | static int zynq_authenticate_part(u8 *buffer, u32 size) |
| 190 | { |
| 191 | u8 hash_signature[32]; |
| 192 | u8 *spk_modular; |
| 193 | u8 *spk_modular_ex; |
| 194 | u8 *signature_ptr; |
| 195 | u32 status; |
| 196 | |
| 197 | debug("%s\n", __func__); |
| 198 | |
| 199 | signature_ptr = (u8 *)(buffer + size - ZYNQ_RSA_SIGNATURE_SIZE); |
| 200 | |
| 201 | signature_ptr += ZYNQ_RSA_HEADER_SIZE; |
| 202 | |
| 203 | signature_ptr += ZYNQ_RSA_MAGIC_WORD_SIZE; |
| 204 | |
| 205 | ppkmodular = (u8 *)signature_ptr; |
| 206 | signature_ptr += ZYNQ_RSA_MODULAR_SIZE; |
| 207 | ppkmodularex = signature_ptr; |
| 208 | signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE; |
| 209 | signature_ptr += ZYNQ_RSA_EXPO_SIZE; |
| 210 | |
| 211 | sha256_csum_wd((const unsigned char *)signature_ptr, |
| 212 | (ZYNQ_RSA_MODULAR_EXT_SIZE + ZYNQ_RSA_EXPO_SIZE + |
| 213 | ZYNQ_RSA_MODULAR_SIZE), |
| 214 | (unsigned char *)hash_signature, 0x1000); |
| 215 | |
| 216 | spk_modular = (u8 *)signature_ptr; |
| 217 | signature_ptr += ZYNQ_RSA_MODULAR_SIZE; |
| 218 | spk_modular_ex = (u8 *)signature_ptr; |
| 219 | signature_ptr += ZYNQ_RSA_MODULAR_EXT_SIZE; |
| 220 | signature_ptr += ZYNQ_RSA_EXPO_SIZE; |
| 221 | |
| 222 | public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32); |
| 223 | public_key.modulus = (u32 *)ppkmodular; |
| 224 | public_key.rr = (u32 *)ppkmodularex; |
| 225 | public_key.n0inv = zynq_calc_inv(); |
| 226 | |
| 227 | status = zynq_rsa_verify_key(&public_key, signature_ptr, |
| 228 | ZYNQ_RSA_SPK_SIGNATURE_SIZE, |
| 229 | hash_signature); |
| 230 | if (status) |
| 231 | return status; |
| 232 | |
| 233 | signature_ptr += ZYNQ_RSA_SPK_SIGNATURE_SIZE; |
| 234 | |
| 235 | sha256_csum_wd((const unsigned char *)buffer, |
| 236 | (size - ZYNQ_RSA_PARTITION_SIGNATURE_SIZE), |
| 237 | (unsigned char *)hash_signature, 0x1000); |
| 238 | |
| 239 | public_key.len = ZYNQ_RSA_MODULAR_SIZE / sizeof(u32); |
| 240 | public_key.modulus = (u32 *)spk_modular; |
| 241 | public_key.rr = (u32 *)spk_modular_ex; |
| 242 | public_key.n0inv = zynq_calc_inv(); |
| 243 | |
| 244 | return zynq_rsa_verify_key(&public_key, (u8 *)signature_ptr, |
| 245 | ZYNQ_RSA_PARTITION_SIGNATURE_SIZE, |
| 246 | (u8 *)hash_signature); |
| 247 | } |
| 248 | |
| 249 | /* |
| 250 | * Parses the partition header and verfies the authenticated and |
| 251 | * encrypted image. |
| 252 | */ |
| 253 | static int zynq_verify_image(u32 src_ptr) |
| 254 | { |
| 255 | u32 silicon_ver, image_base_addr, status; |
| 256 | u32 partition_num = 0; |
| 257 | u32 efuseval, srcaddr, size, fsbl_len; |
| 258 | struct partition_hdr *hdr_ptr; |
| 259 | u32 part_data_len, part_img_len, part_attr; |
| 260 | u32 part_load_addr, part_dst_addr, part_chksum_offset; |
| 261 | u32 part_start_addr, part_total_size, partitioncount; |
| 262 | bool encrypt_part_flag = false; |
| 263 | bool part_chksum_flag = false; |
| 264 | bool signed_part_flag = false; |
| 265 | |
| 266 | image_base_addr = src_ptr; |
| 267 | |
| 268 | silicon_ver = zynq_get_silicon_version(); |
| 269 | |
| 270 | /* RSA not supported in silicon versions 1.0 and 2.0 */ |
| 271 | if (silicon_ver == 0 || silicon_ver == 1) |
| 272 | return -1; |
| 273 | |
| 274 | zynq_get_partition_info(image_base_addr, &fsbl_len, |
| 275 | &part_hdr[0]); |
| 276 | |
| 277 | /* Extract ppk if efuse was blown Otherwise return error */ |
| 278 | efuseval = readl(&efuse_base->status); |
| 279 | if (!(efuseval & ZYNQ_EFUSE_RSA_ENABLE_MASK)) |
| 280 | return -1; |
| 281 | |
| 282 | zynq_extract_ppk(fsbl_len); |
| 283 | |
| 284 | partitioncount = zynq_get_part_count(&part_hdr[0]); |
| 285 | |
| 286 | /* |
| 287 | * As the first two partitions are related to fsbl, |
| 288 | * we can ignore those two in bootimage and the below |
| 289 | * code doesn't need to validate it as fsbl is already |
| 290 | * done by now |
| 291 | */ |
| 292 | if (partitioncount <= 2 || |
| 293 | partitioncount > ZYNQ_MAX_PARTITION_NUMBER) |
| 294 | return -1; |
| 295 | |
| 296 | while (partition_num < partitioncount) { |
| 297 | if (((part_hdr[partition_num].partitionattr & |
| 298 | ZYNQ_ATTRIBUTE_RSA_PART_OWNER_MASK) >> 16) != |
| 299 | ZYNQ_RSA_PART_OWNER_UBOOT) { |
| 300 | printf("UBOOT is not Owner for partition %d\n", |
| 301 | partition_num); |
| 302 | partition_num++; |
| 303 | continue; |
| 304 | } |
| 305 | hdr_ptr = &part_hdr[partition_num]; |
| 306 | status = zynq_validate_hdr(hdr_ptr); |
| 307 | if (status) |
| 308 | return status; |
| 309 | |
| 310 | part_data_len = hdr_ptr->datawordlen; |
| 311 | part_img_len = hdr_ptr->imagewordlen; |
| 312 | part_attr = hdr_ptr->partitionattr; |
| 313 | part_load_addr = hdr_ptr->loadaddr; |
| 314 | part_chksum_offset = hdr_ptr->checksumoffset; |
| 315 | part_start_addr = hdr_ptr->partitionstart; |
| 316 | part_total_size = hdr_ptr->partitionwordlen; |
| 317 | |
| 318 | if (part_data_len != part_img_len) { |
| 319 | debug("Encrypted\n"); |
| 320 | encrypt_part_flag = true; |
| 321 | } |
| 322 | |
| 323 | if (part_attr & ZYNQ_ATTRIBUTE_CHECKSUM_TYPE_MASK) |
| 324 | part_chksum_flag = true; |
| 325 | |
| 326 | if (part_attr & ZYNQ_ATTRIBUTE_RSA_PRESENT_MASK) { |
| 327 | debug("RSA Signed\n"); |
| 328 | signed_part_flag = true; |
| 329 | size = part_total_size << WORD_LENGTH_SHIFT; |
| 330 | } else { |
| 331 | size = part_img_len; |
| 332 | } |
| 333 | |
| 334 | if (!signed_part_flag && !part_chksum_flag) { |
| 335 | printf("Partition not signed & no chksum\n"); |
| 336 | partition_num++; |
| 337 | continue; |
| 338 | } |
| 339 | |
| 340 | srcaddr = image_base_addr + |
| 341 | (part_start_addr << WORD_LENGTH_SHIFT); |
| 342 | |
| 343 | /* |
| 344 | * This validation is just for PS DDR. |
| 345 | * TODO: Update this for PL DDR check as well. |
| 346 | */ |
| 347 | if (part_load_addr < gd->bd->bi_dram[0].start && |
| 348 | ((part_load_addr + part_data_len) > |
| 349 | (gd->bd->bi_dram[0].start + |
| 350 | gd->bd->bi_dram[0].size))) { |
| 351 | printf("INVALID_LOAD_ADDRESS_FAIL\n"); |
| 352 | return -1; |
| 353 | } |
| 354 | |
| 355 | if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) |
| 356 | part_load_addr = srcaddr; |
| 357 | else |
| 358 | memcpy((u32 *)part_load_addr, (u32 *)srcaddr, |
| 359 | size); |
| 360 | |
| 361 | if (part_chksum_flag) { |
| 362 | part_chksum_offset = image_base_addr + |
| 363 | (part_chksum_offset << |
| 364 | WORD_LENGTH_SHIFT); |
| 365 | status = zynq_validate_partition(part_load_addr, |
| 366 | (part_total_size << |
| 367 | WORD_LENGTH_SHIFT), |
| 368 | part_chksum_offset); |
| 369 | if (status != 0) { |
| 370 | printf("PART_CHKSUM_FAIL\n"); |
| 371 | return -1; |
| 372 | } |
| 373 | debug("Partition Validation Done\n"); |
| 374 | } |
| 375 | |
| 376 | if (signed_part_flag) { |
| 377 | status = zynq_authenticate_part((u8 *)part_load_addr, |
| 378 | size); |
| 379 | if (status != 0) { |
| 380 | printf("AUTHENTICATION_FAIL\n"); |
| 381 | return -1; |
| 382 | } |
| 383 | debug("Authentication Done\n"); |
| 384 | } |
| 385 | |
| 386 | if (encrypt_part_flag) { |
| 387 | debug("DECRYPTION\n"); |
| 388 | |
| 389 | part_dst_addr = part_load_addr; |
| 390 | |
| 391 | if (part_attr & ZYNQ_ATTRIBUTE_PL_IMAGE_MASK) { |
| 392 | partition_num++; |
| 393 | continue; |
| 394 | } |
| 395 | |
| 396 | status = zynq_decrypt_load(part_load_addr, |
| 397 | part_img_len, |
| 398 | part_dst_addr, |
| 399 | part_data_len); |
| 400 | if (status != 0) { |
| 401 | printf("DECRYPTION_FAIL\n"); |
| 402 | return -1; |
| 403 | } |
| 404 | } |
| 405 | partition_num++; |
| 406 | } |
| 407 | |
| 408 | return 0; |
| 409 | } |
| 410 | |
| 411 | static int do_zynq_rsa(cmd_tbl_t *cmdtp, int flag, int argc, |
| 412 | char * const argv[]) |
| 413 | { |
| 414 | u32 src_ptr; |
| 415 | char *endp; |
| 416 | |
| 417 | src_ptr = simple_strtoul(argv[2], &endp, 16); |
| 418 | if (*argv[2] == 0 || *endp != 0) |
| 419 | return CMD_RET_USAGE; |
| 420 | if (zynq_verify_image(src_ptr)) |
| 421 | return CMD_RET_FAILURE; |
| 422 | |
| 423 | return CMD_RET_SUCCESS; |
| 424 | } |
| 425 | #endif |
| 426 | |
| 427 | #ifdef CONFIG_CMD_ZYNQ_AES |
| 428 | static int zynq_decrypt_image(cmd_tbl_t *cmdtp, int flag, int argc, |
| 429 | char * const argv[]) |
| 430 | { |
| 431 | char *endp; |
| 432 | u32 srcaddr, srclen, dstaddr, dstlen; |
| 433 | int status; |
| 434 | |
| 435 | srcaddr = simple_strtoul(argv[2], &endp, 16); |
| 436 | if (*argv[2] == 0 || *endp != 0) |
| 437 | return CMD_RET_USAGE; |
| 438 | srclen = simple_strtoul(argv[3], &endp, 16); |
| 439 | if (*argv[3] == 0 || *endp != 0) |
| 440 | return CMD_RET_USAGE; |
| 441 | dstaddr = simple_strtoul(argv[4], &endp, 16); |
| 442 | if (*argv[4] == 0 || *endp != 0) |
| 443 | return CMD_RET_USAGE; |
| 444 | dstlen = simple_strtoul(argv[5], &endp, 16); |
| 445 | if (*argv[5] == 0 || *endp != 0) |
| 446 | return CMD_RET_USAGE; |
| 447 | |
| 448 | /* |
| 449 | * Roundup source and destination lengths to |
| 450 | * word size |
| 451 | */ |
| 452 | if (srclen % 4) |
| 453 | srclen = roundup(srclen, 4); |
| 454 | if (dstlen % 4) |
| 455 | dstlen = roundup(dstlen, 4); |
| 456 | |
| 457 | status = zynq_decrypt_load(srcaddr, srclen >> 2, dstaddr, dstlen >> 2); |
| 458 | if (status != 0) |
| 459 | return CMD_RET_FAILURE; |
| 460 | |
| 461 | return CMD_RET_SUCCESS; |
| 462 | } |
| 463 | #endif |
| 464 | |
| 465 | static cmd_tbl_t zynq_commands[] = { |
| 466 | #ifdef CONFIG_CMD_ZYNQ_RSA |
| 467 | U_BOOT_CMD_MKENT(rsa, 3, 1, do_zynq_rsa, "", ""), |
| 468 | #endif |
| 469 | #ifdef CONFIG_CMD_ZYNQ_AES |
| 470 | U_BOOT_CMD_MKENT(aes, 6, 1, zynq_decrypt_image, "", ""), |
| 471 | #endif |
| 472 | }; |
| 473 | |
| 474 | static int do_zynq(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) |
| 475 | { |
| 476 | cmd_tbl_t *zynq_cmd; |
| 477 | int ret; |
| 478 | |
| 479 | if (!ARRAY_SIZE(zynq_commands)) { |
| 480 | puts("No zynq specific command enabled\n"); |
| 481 | return CMD_RET_USAGE; |
| 482 | } |
| 483 | |
| 484 | if (argc < 2) |
| 485 | return CMD_RET_USAGE; |
| 486 | zynq_cmd = find_cmd_tbl(argv[1], zynq_commands, |
| 487 | ARRAY_SIZE(zynq_commands)); |
| 488 | if (!zynq_cmd || argc != zynq_cmd->maxargs) |
| 489 | return CMD_RET_USAGE; |
| 490 | |
| 491 | ret = zynq_cmd->cmd(zynq_cmd, flag, argc, argv); |
| 492 | |
| 493 | return cmd_process_error(zynq_cmd, ret); |
| 494 | } |
| 495 | |
| 496 | static char zynq_help_text[] = |
| 497 | "" |
| 498 | #ifdef CONFIG_CMD_ZYNQ_RSA |
| 499 | "rsa <baseaddr> - Verifies the authenticated and encrypted\n" |
| 500 | " zynq images and loads them back to load\n" |
| 501 | " addresses as specified in BOOT image(BOOT.BIN)\n" |
| 502 | #endif |
| 503 | #ifdef CONFIG_CMD_ZYNQ_AES |
| 504 | "aes <srcaddr> <srclen> <dstaddr> <dstlen>\n" |
| 505 | " - Decrypts the encrypted image present in source\n" |
| 506 | " address and places the decrypted image at\n" |
| 507 | " destination address\n" |
| 508 | #endif |
| 509 | ; |
| 510 | |
| 511 | U_BOOT_CMD(zynq, 6, 0, do_zynq, |
| 512 | "Zynq specific commands", zynq_help_text |
| 513 | ); |