Message ID | 1519089566-17147-4-git-send-email-brenomatheus@gmail.com |
---|---|
State | Accepted |
Commit | 20fa1dd386c891f7d6477e7d442dda76af6c765b |
Delegated to: | Stefano Babic |
Headers | show |
Series | [U-Boot,1/5] imx: hab: Keep CAAM clock enabled after authenticating additional images | expand |
On Mon, Feb 19, 2018 at 10:19 PM, Breno Lima <brenomatheus@gmail.com> wrote: > From: Utkarsh Gupta <utkarsh.gupta@nxp.com> > > Write, Check and Set MID commands have been deprecated from the Code > Signing Tool (CST) v2.3.3 and will not be implemented in newer versions > of HAB, hence the following features are no longer available: > > - Write Data > - Clear Mask > - Set Mask > - Check All Clear > - Check All Set > - Check Any Clear > - Check Any Set > - Set MID > > The inappropriate use of Write Data command may lead to an incorrect > authentication boot flow. Since no specific application has been identified > that requires the use of any of these features, it is highly recommended to > add this check. > > Signed-off-by: Utkarsh Gupta <utkarsh.gupta@nxp.com> > Signed-off-by: Breno Lima <breno.lima@nxp.com> Reviewed-by: Fabio Estevam <fabio.estevam@nxp.com>
diff --git a/arch/arm/include/asm/mach-imx/hab.h b/arch/arm/include/asm/mach-imx/hab.h index bb73203..93475a6 100644 --- a/arch/arm/include/asm/mach-imx/hab.h +++ b/arch/arm/include/asm/mach-imx/hab.h @@ -189,6 +189,10 @@ typedef void hapi_clock_init_t(void); #define HAB_CID_UBOOT 1 /**< UBOOT Caller ID*/ #define HAB_CMD_HDR 0xD4 /* CSF Header */ +#define HAB_CMD_WRT_DAT 0xCC /* Write Data command tag */ +#define HAB_CMD_CHK_DAT 0xCF /* Check Data command tag */ +#define HAB_CMD_SET 0xB1 /* Set command tag */ +#define HAB_PAR_MID 0x01 /* MID parameter value */ #define IVT_SIZE 0x20 #define CSF_PAD_SIZE 0x2000 diff --git a/arch/arm/mach-imx/hab.c b/arch/arm/mach-imx/hab.c index 7f66965..79e8bf6 100644 --- a/arch/arm/mach-imx/hab.c +++ b/arch/arm/mach-imx/hab.c @@ -518,6 +518,26 @@ static bool csf_is_valid(struct ivt *ivt, ulong start_addr, size_t bytes) } do { + struct hab_hdr *cmd; + + cmd = (struct hab_hdr *)&csf_hdr[offset]; + + switch (cmd->tag) { + case (HAB_CMD_WRT_DAT): + puts("Error: Deprecated write command found\n"); + return false; + case (HAB_CMD_CHK_DAT): + puts("Error: Deprecated check command found\n"); + return false; + case (HAB_CMD_SET): + if (cmd->par == HAB_PAR_MID) { + puts("Error: Deprecated Set MID command found\n"); + return false; + } + default: + break; + } + cmd_hdr_len = get_csf_cmd_hdr_len(&csf_hdr[offset]); if (!cmd_hdr_len) { puts("Error: Invalid command length\n");