
[33/37] imx: caam: new u-boot command to set PRIBLOB bitfield from CAAM SCFGR register to 0x3

Message ID 20210325093036.3270101-34-peng.fan@oss.nxp.com
State Accepted
Commit 613cf239ed490f900b8f822df4a2d5a1a27d7a47
Delegated to: Stefano Babic
Series imx: hab/caam new feature and update | expand

Commit Message

Peng Fan (OSS) March 25, 2021, 9:30 a.m. UTC
From: Clement Le Marquis <clement.lemarquis@nxp.com>

It is highly recommended to set the PRIBLOB bitfield to 0x3 once your
encrypted boot image has booted up. This prevents the generation of new
blobs that can be used to decrypt an encrypted boot image. The PRIBLOB
bitfield is sticky and cannot be changed until the next power-on reset.

Add the set_priblob_bitfield U-Boot command to prevent the generation of
new blobs.

Signed-off-by: Clement Le Marquis <clement.lemarquis@nxp.com>
Acked-by: Ye Li <Ye.Li@nxp.com>
Signed-off-by: Peng Fan <peng.fan@nxp.com>
---
 arch/arm/mach-imx/Kconfig   |  7 +++++++
 arch/arm/mach-imx/Makefile  |  1 +
 arch/arm/mach-imx/priblob.c | 33 +++++++++++++++++++++++++++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 arch/arm/mach-imx/priblob.c

Patch

diff --git a/arch/arm/mach-imx/Kconfig b/arch/arm/mach-imx/Kconfig
index ca06c1eaaf..27b0b081ad 100644
--- a/arch/arm/mach-imx/Kconfig
+++ b/arch/arm/mach-imx/Kconfig
@@ -81,6 +81,13 @@  config CMD_DEKBLOB
 	  creates a blob of data. See also CMD_BLOB and doc/imx/habv4/* for
 	  more information.
 
+config CMD_PRIBLOB
+	bool "Support the set_priblob_bitfield command"
+	depends on HAS_CAAM && IMX_HAB
+	help
+	  This option enables the priblob command which can be used
+		to set the priblob setting to 0x3.
+
 config CMD_HDMIDETECT
 	bool "Support the 'hdmidet' command"
 	help
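Review bot: The help text for `CMD_PRIBLOB` refers to "the priblob command", but the prompt line and the `U_BOOT_CMD` entry in priblob.c name it `set_priblob_bitfield`, so a user searching for the command by the help wording will not find it. The help also omits the fact, stated in the commit message, that the bitfield is sticky until the next power-on reset, which is what someone enabling this option most needs to know. I would reword it along the lines of `This option enables the set_priblob_bitfield command, which sets the PRIBLOB bitfield of the CAAM SCFGR register to 0x3; the value cannot be changed again until the next power-on reset.` The second help line is also indented with an extra tab instead of the tab plus two spaces used by the neighbouring entries.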
diff --git a/arch/arm/mach-imx/Makefile b/arch/arm/mach-imx/Makefile
index 63b3549d20..82aa39dee7 100644
--- a/arch/arm/mach-imx/Makefile
+++ b/arch/arm/mach-imx/Makefile
@@ -30,6 +30,7 @@  obj-$(CONFIG_SYS_I2C_MXC) += i2c-mxv7.o
 endif
 ifeq ($(SOC),$(filter $(SOC),mx7 mx6 mxs imx8m imx8 imxrt))
 obj-y	+= misc.o
+obj-$(CONFIG_CMD_PRIBLOB) += priblob.o
 obj-$(CONFIG_SPL_BUILD)	+= spl.o
 endif
 ifeq ($(SOC),$(filter $(SOC),mx7))
diff --git a/arch/arm/mach-imx/priblob.c b/arch/arm/mach-imx/priblob.c
new file mode 100644
index 0000000000..e253eddfdc
--- /dev/null
+++ b/arch/arm/mach-imx/priblob.c
@@ -0,0 +1,33 @@ 
+// SPDX-License-Identifier: GPL-2.0+
+/*
+ * Copyright 2018 NXP
+ */
+
+/*
+ * Boot command to get and set the PRIBLOB bitfield form the SCFGR register
+ * of the CAAM IP. It is recommended to set this bitfield to 3 once your
+ * encrypted boot image is ready, to prevent the generation of blobs usable
+ * to decrypt an encrypted boot image.
+ */
+
+#include <asm/io.h>
+#include <common.h>
+#include <command.h>
+#include "../drivers/crypto/fsl_caam_internal.h"
+
+int do_priblob_write(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
+{
+	writel((readl(CAAM_SCFGR) & 0xFFFFFFFC) | 3, CAAM_SCFGR);
+	printf("New priblob setting = 0x%x\n", readl(CAAM_SCFGR) & 0x3);
+
+	return 0;
+}
+
+U_BOOT_CMD(
+	set_priblob_bitfield, 1, 0, do_priblob_write,
+	"Set the PRIBLOB bitfield to 3",
+	"<value>\n"
+	"    - Write 3 in PRIBLOB bitfield of SCFGR regiter of CAAM IP.\n"
+	"    Prevent the generation of blobs usable to decrypt an\n"
+	"    encrypted boot image."
+);
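Review bot: `do_priblob_write` returns 0 unconditionally, so a boot script that runs `set_priblob_bitfield` as a lock-down step cannot tell whether the write to `CAAM_SCFGR` actually took effect; the read-back value is only printed. I would keep the read-back in a local and fail the command when it is not 3, e.g. `u32 val = readl(CAAM_SCFGR) & 0x3;` followed by `return val == 0x3 ? CMD_RET_SUCCESS : CMD_RET_FAILURE;`. The usage string advertises a `<value>` argument, but maxargs is 1 and `argv` is never read, so the `"<value>\n"` line should be dropped or replaced with a plain description. The file header comment says "get and set" although only the set path exists, and it and the help text carry the typos "form" and "regiter". The handler is only referenced by `U_BOOT_CMD` in this file and could be declared `static`.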