[v2 2/6] arm: socfpga: soc64: Support Vendor Authorized Boot (VAB)

Tan, Ley Foon ley.foon.tan at intel.com
Mon Jan 18 09:50:34 CET 2021



> -----Original Message-----
> From: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> Sent: Monday, January 18, 2021 4:03 PM
> To: Tan, Ley Foon <ley.foon.tan at intel.com>; u-boot at lists.denx.de
> Cc: Marek Vasut <marex at denx.de>; See, Chin Liang
> <chin.liang.see at intel.com>; Simon Goldschmidt
> <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> <tien.fong.chee at intel.com>; Westergreen, Dalon
> <dalon.westergreen at intel.com>; Simon Glass <sjg at chromium.org>; Gan,
> Yau Wai <yau.wai.gan at intel.com>
> Subject: RE: [v2 2/6] arm: socfpga: soc64: Support Vendor Authorized Boot
> (VAB)
> 
> Hi Ley Foon,
> 
> > -----Original Message-----
> > From: Tan, Ley Foon <ley.foon.tan at intel.com>
> > Sent: Monday, January 18, 2021 3:29 PM
> > To: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>;
> > u-boot at lists.denx.de
> > Cc: Marek Vasut <marex at denx.de>; See, Chin Liang
> > <chin.liang.see at intel.com>; Simon Goldschmidt
> > <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> > <tien.fong.chee at intel.com>; Westergreen, Dalon
> > <dalon.westergreen at intel.com>; Simon Glass <sjg at chromium.org>; Gan,
> > Yau Wai <yau.wai.gan at intel.com>
> > Subject: RE: [v2 2/6] arm: socfpga: soc64: Support Vendor Authorized
> > Boot
> > (VAB)
> >
> >
> >
> > > -----Original Message-----
> > > From: Lim, Elly Siew Chin <elly.siew.chin.lim at intel.com>
> > > Sent: Thursday, January 7, 2021 6:04 PM
> > > To: u-boot at lists.denx.de
> > > Cc: Marek Vasut <marex at denx.de>; Tan, Ley Foon
> > > <ley.foon.tan at intel.com>; See, Chin Liang
> > > <chin.liang.see at intel.com>; Simon Goldschmidt
> > > <simon.k.r.goldschmidt at gmail.com>; Chee, Tien Fong
> > > <tien.fong.chee at intel.com>; Westergreen, Dalon
> > > <dalon.westergreen at intel.com>; Simon Glass <sjg at chromium.org>; Gan,
> > > Yau Wai <yau.wai.gan at intel.com>; Lim, Elly Siew Chin
> > > <elly.siew.chin.lim at intel.com>
> > > Subject: [v2 2/6] arm: socfpga: soc64: Support Vendor Authorized
> > > Boot
> > > (VAB)
> > >
> > > Vendor Authorized Boot is a security feature for authenticating
> > > images such as U-Boot, ARM Trusted Firmware, the Linux kernel, the
> > > device tree blob, etc., loaded from FIT. After those images are loaded
> > > from FIT, the VAB certificate and signature block appended at the
> > > end of each image are sent to the Secure Device Manager (SDM) for
> > > authentication.
> > > U-Boot will validate the
> > > SHA384 of the image against the SHA384 hash stored in the VAB
> > > certificate before sending the image to SDM for authentication.
> > >
> > > Signed-off-by: Siew Chin Lim <elly.siew.chin.lim at intel.com>
> > >
> > > ---
> > > v2
> > > ---
> > > - Renamed SECURE_VAB_AUTH* to SOCFPGA_SECURE_VAB_AUTH*
> > > - Changes in secure_vab.c
> > >   - Changed to use SZ_1K for 1024
> > >   - Updated comment in secure_vab.c of "... the certificate for T"
> > >   - The code will report error before end of the function if reach
> > >     maximum retry.
> > >   - In board_prep_linux function, only execute linux_qspi_enable
> > >     command if it exists in enviroment variable. It is optional.
> > > ---
> > >  arch/arm/mach-socfpga/Kconfig                    |  15 ++
> > >  arch/arm/mach-socfpga/Makefile                   |   2 +
> > >  arch/arm/mach-socfpga/include/mach/mailbox_s10.h |   1 +
> > >  arch/arm/mach-socfpga/include/mach/secure_vab.h  |  63 ++++++++
> > >  arch/arm/mach-socfpga/secure_vab.c               | 193
> > > +++++++++++++++++++++++
> > >  common/Kconfig.boot                              |   2 +-
> > >  6 files changed, 275 insertions(+), 1 deletion(-)  create mode
> > > 100644 arch/arm/mach-socfpga/include/mach/secure_vab.h
> > >  create mode 100644 arch/arm/mach-socfpga/secure_vab.c
> > >
> > > diff --git a/arch/arm/mach-socfpga/Kconfig b/arch/arm/mach-
> > > socfpga/Kconfig index 9b1abdaabd..0c35406232 100644
> > > --- a/arch/arm/mach-socfpga/Kconfig
> > > +++ b/arch/arm/mach-socfpga/Kconfig
> > > @@ -6,6 +6,21 @@ config ERR_PTR_OFFSET  config NR_DRAM_BANKS
> > >  	default 1
> > >
> > > +config SOCFPGA_SECURE_VAB_AUTH
> > > +	bool "Enable boot image authentication with Secure Device
> > > Manager"
> > > +	depends on TARGET_SOCFPGA_AGILEX
> > > +	select FIT_IMAGE_POST_PROCESS
> > > +	select SHA384
> > > +	select SHA512_ALGO
> > > +	select SPL_FIT_IMAGE_POST_PROCESS
> > > +	help
> > > +	 All images loaded from FIT will be authenticated by Secure Device
> > > +	 Manager.
> > > +
> > > +config SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE
> > > +	bool "Allow non-FIT VAB signed images"
> > > +	depends on SOCFPGA_SECURE_VAB_AUTH
> > > +
> > >  config SPL_SIZE_LIMIT
> > >  	default 0x10000 if TARGET_SOCFPGA_GEN5
> > >
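Review bot: SOCFPGA_SECURE_VAB_AUTH_ALLOW_NON_FIT_IMAGE has no help text, although its prompt ("Allow non-FIT VAB signed images") suggests it widens what the authentication path introduced by SOCFPGA_SECURE_VAB_AUTH accepts, and a menuconfig user cannot tell what changes when it is enabled. Add a `help` paragraph that states which image load paths the option applies to, whether an image that carries no VAB certificate is still rejected when the option is on, and that the option is meant for the case where non-FIT images are genuinely required rather than as a general default. What the option does in code is not visible in this hunk, so the help text should be written from the actual behaviour in secure_vab.c and its callers.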
> > > diff --git a/arch/arm/mach-socfpga/Makefile b/arch/arm/mach-
> > > socfpga/Makefile index 82b681d870..1f1e21766d 100644
> > > --- a/arch/arm/mach-socfpga/Makefile
> > > +++ b/arch/arm/mach-socfpga/Makefile
> > > @@ -4,6 +4,7 @@
> > >  # Wolfgang Denk, DENX Software Engineering, wd at denx.de.
> > >  #
> > >  # Copyright (C) 2012-2017 Altera Corporation <www.altera.com>
> > > +# Copyright (C) 2017-2020 Intel Corporation <www.intel.com>
> > >
> > >  obj-y	+= board.o
> > >  obj-y	+= clock_manager.o
> > > @@ -47,6 +48,7 @@ obj-y	+= mailbox_s10.o
> > >  obj-y	+= misc_s10.o
> > >  obj-y	+= mmu-arm64_s10.o
> > >  obj-y	+= reset_manager_s10.o
> > > +obj-$(CONFIG_SOCFPGA_SECURE_VAB_AUTH)	+= secure_vab.o
> > >  obj-y	+= system_manager_s10.o
> > >  obj-y	+= timer_s10.o
> > >  obj-y	+= wrap_pinmux_config_s10.o
> > > diff --git a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h
> > > b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h
> > > index 4d783119ea..fbaf11597e 100644
> > > --- a/arch/arm/mach-socfpga/include/mach/mailbox_s10.h
> > > +++ b/arch/arm/mach-socfpga/include/mach/mailbox_s10.h
> > > @@ -118,6 +118,7 @@ enum ALT_SDM_MBOX_RESP_CODE {
> > >  #define MBOX_RECONFIG_MSEL	7
> > >  #define MBOX_RECONFIG_DATA	8
> > >  #define MBOX_RECONFIG_STATUS	9
> > > +#define MBOX_VAB_SRC_CERT		11
> > >  #define MBOX_QSPI_OPEN		50
> > >  #define MBOX_QSPI_CLOSE		51
> > >  #define MBOX_QSPI_DIRECT	59
> > > diff --git a/arch/arm/mach-socfpga/include/mach/secure_vab.h
> > > b/arch/arm/mach-socfpga/include/mach/secure_vab.h
> > > new file mode 100644
> > > index 0000000000..42588588e8
> > > --- /dev/null
> > > +++ b/arch/arm/mach-socfpga/include/mach/secure_vab.h
> > > @@ -0,0 +1,63 @@
> > > +/* SPDX-License-Identifier: GPL-2.0
> > > + *
> > > + * Copyright (C) 2020 Intel Corporation <www.intel.com>
> > > + *
> > > + */
> > > +
> > > +#ifndef	_SECURE_VAB_H_
> > > +#define	_SECURE_VAB_H_
> > > +
> > > +#include <linux/sizes.h>
> > > +#include <linux/stddef.h>
> > > +#include <u-boot/sha512.h>
> > > +
> > > +#define VAB_DATA_SZ			64
> > > +
> > > +#define SDM_CERT_MAGIC_NUM		0x25D04E7F
> > > +#define FCS_HPS_VAB_MAGIC_NUM		0xD0564142
> > > +
> > > +#define MAX_CERT_SIZE			(SZ_4K)
> > > +
> > > +/*
> > > + * struct fcs_hps_vab_certificate_data
> > > + * @vab_cert_magic_num: VAB Certificate Magic Word (0xD0564142)
> > > + * @flags: TBD
> > > + * @fcs_data: Data words being certificate signed.
> > > + * @cert_sign_keychain: Certificate Signing Keychain  */ struct
> > > +fcs_hps_vab_certificate_data {
> > > +	u32 vab_cert_magic_num;		/* offset 0x10 */
> > > +	u32 flags;
> > > +	u8 rsvd0_1[8];
> > > +	u8 fcs_sha384[SHA384_SUM_LEN];	/* offset 0x20 */
> > > +};
> > > +
> > > +/*
> > > + * struct fcs_hps_vab_certificate_header
> > > + * @cert_magic_num: Certificate Magic Word (0x25D04E7F)
> > > + * @cert_data_sz: size of this certificate header (0x80)
> > > + *	Includes magic number all the way to the certificate
> > > + *      signing keychain (excludes cert. signing keychain)
> > > + * @cert_ver: Certificate Version
> > > + * @cert_type: Certificate Type
> > > + * @data: VAB HPS Image Certificate data  */ struct
> > > +fcs_hps_vab_certificate_header {
> > > +	u32 cert_magic_num;		/* offset 0 */
> > > +	u32 cert_data_sz;
> > > +	u32 cert_ver;
> > > +	u32 cert_type;
> > > +	struct fcs_hps_vab_certificate_data d;	/* offset 0x10 */
> > > +	/* keychain starts at offset 0x50 */ };
> > > +
> > > +#define VAB_CERT_HEADER_SIZE	sizeof(struct
> > > fcs_hps_vab_certificate_header)
> > > +#define VAB_CERT_MAGIC_OFFSET	offsetof \
> > > +				(struct fcs_hps_vab_certificate_header, d)
> > > +#define VAB_CERT_FIT_SHA384_OFFSET	offsetof \
> > > +					(struct fcs_hps_vab_certificate_data,
> > > \
> > > +					 fcs_sha384[0])
> > > +
> > > +int socfpga_vendor_authentication(void **p_image, size_t *p_size);
> > > +
> > > +#endif /* _SECURE_VAB_H_ */
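Review bot: The comment block on struct fcs_hps_vab_certificate_data documents members @fcs_data and @cert_sign_keychain that the struct does not contain, while the members it does have, rsvd0_1 and fcs_sha384, are undocumented; the block should list the real members, e.g. `@rsvd0_1: reserved` and `@fcs_sha384: SHA384 of the image this certificate signs`, and `@flags: TBD` should either say what is known or be removed. The header comment also gives @cert_data_sz as 0x80, but the offset comments (data at 0x10, keychain at 0x50) make the header 0x50 bytes long, so one of the two is wrong — possibly 80 decimal was meant — and a reader validating cert_data_sz against the layout would be misled. Both structs are overlaid on bytes read from an image that has not yet been authenticated, so the offsets asserted in comments are load-bearing; a compile-time check that sizeof(struct fcs_hps_vab_certificate_header) equals the documented keychain offset (BUILD_BUG_ON or a static assertion) would turn those comments into something the build enforces. The mail client has also joined the closing `*/` of each comment onto the following `struct` line in this quote; the file itself presumably keeps them separate, which is worth confirming.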
> > > diff --git a/arch/arm/mach-socfpga/secure_vab.c b/arch/arm/mach-
> > > socfpga/secure_vab.c new file mode 100644 index
> > > 0000000000..ea1109611a
> > > --- /dev/null
> > > +++ b/arch/arm/mach-socfpga/secure_vab.c
> > > @@ -0,0 +1,193 @@
> > > +// SPDX-License-Identifier: GPL-2.0
> > > +/*
> > > + * Copyright (C) 2020 Intel Corporation <www.intel.com>
> > > + *
> > > + */
> > > +
> > > +#include <common.h>
> > Sort alphanumerically.
> >
> > > +#include <asm/arch/mailbox_s10.h>
> > > +#include <asm/arch/secure_vab.h>
> > > +#include <asm/arch/smc_api.h>
> > > +#include <asm/unaligned.h>
> > > +#include <exports.h>
> > > +#include <hang.h>
> > > +#include <image.h>
> > > +#include <linux/errno.h>
> > > +#include <linux/intel-smc.h>
> > > +#include <log.h>
> > > +
> > > +	/*
> > > +	 * Compare the SHA384 found in certificate against the SHA384
> > > +	 * calculated from image
> > > +	 */
> > > +	if (memcmp(hash384, cert_hash_ptr, SHA384_SUM_LEN)) {
> > > +		puts("SHA384 not match!\n");
> > > +		return -EKEYREJECTED;
> > > +	}
> > > +
> > > +	mbox_data_addr = img_addr + img_sz - sizeof(u32);
> > > +	/* Size in word (32bits) */
> > > +	mbox_data_sz = (ALIGN(*p_size - img_sz, 4)) >> 2;
> > Change 4 to sizeof().
> >
> >
> > [...]
> >
> > > +
> > > +	debug("ret = 0x%08x, resp = 0x%08x, resp_len = %d\n", ret, resp,
> > > +	      resp_len);
> > > +
> > > +	if (ret) {
> > > +		/*
> > > +		 * Unsupported mailbox command or device not in the
> > > +		 * owned/secure state
> > > +		 */
> > > +		if (ret == MBOX_RESP_UNKNOWN ||
> > > +		    ret ==
> > > MBOX_RESP_NOT_ALLOWED_UNDER_SECURITY_SETTINGS) {
> > > +			/* SDM bypass authentication */
> > > +			printf("%s 0x%016llx (%ld bytes)\n",
> > > +			       "Image Authentication bypassed at address",
> > > +			       img_addr, img_sz);
> > > +			return 0;
> > > +		}
> > Should we continue boot if MBOX_RESP_UNKNOWN? That means a user can
> > bypass authentication on a mailbox error?
> >
> 
> Yes, per my understanding from Jeremy earlier, we should allow the HPS to boot if
> the FW is an old version which does not support VAB.
> 
That means people can purposely use old FW to bypass authentication? I think we need to rethink whether we want to support this case.


Regards
Ley Foon

