[PATCH 25/41] imx: ele_ahab: Add ahab_sec_fuse_prog command

Peng Fan (OSS) peng.fan at oss.nxp.com
Mon Jan 23 10:16:44 CET 2023


From: Peng Fan <peng.fan at nxp.com>

Add ahab_sec_fuse_prog command to support burn secure fuse.
Before running the command, user needs to sign the fuse container in
format mentioned in ELE API and have loaded the container to specified
address passed to ahab_sec_fuse_prog

Signed-off-by: Ye Li <ye.li at nxp.com>
Signed-off-by: Peng Fan <peng.fan at nxp.com>
---
 arch/arm/include/asm/mach-imx/ele_api.h |  2 ++
 arch/arm/mach-imx/ele_ahab.c            | 38 +++++++++++++++++++++++++
 drivers/misc/sentinel/ele_api.c         | 31 ++++++++++++++++++++
 3 files changed, 71 insertions(+)

diff --git a/arch/arm/include/asm/mach-imx/ele_api.h b/arch/arm/include/asm/mach-imx/ele_api.h
index cfcbc38a1c0..6bed18933a0 100644
--- a/arch/arm/include/asm/mach-imx/ele_api.h
+++ b/arch/arm/include/asm/mach-imx/ele_api.h
@@ -144,5 +144,7 @@ int ele_get_info(struct ele_get_info_data *info, u32 *response);
 int ele_get_fw_status(u32 *status, u32 *response);
 int ele_release_m33_trout(void);
 int ele_get_events(u32 *events, u32 *events_cnt, u32 *response);
+int ele_write_secure_fuse(ulong signed_msg_blk, u32 *response);
+
 
 #endif
diff --git a/arch/arm/mach-imx/ele_ahab.c b/arch/arm/mach-imx/ele_ahab.c
index 79852b0b4c7..47902043baa 100644
--- a/arch/arm/mach-imx/ele_ahab.c
+++ b/arch/arm/mach-imx/ele_ahab.c
@@ -564,6 +564,38 @@ static int do_ahab_status(struct cmd_tbl *cmdtp, int flag, int argc,
 	return 0;
 }
 
+static int do_sec_fuse_prog(struct cmd_tbl *cmdtp, int flag, int argc,
+			     char *const argv[])
+{
+	ulong addr;
+	u32 header, response;
+
+	if (argc < 2)
+		return CMD_RET_USAGE;
+
+	addr = simple_strtoul(argv[1], NULL, 16);
+	header = *(u32 *)addr;
+
+	if ((header & 0xff0000ff) != 0x89000000) {
+		printf("Wrong Signed message block format, header 0x%x\n", header);
+		return CMD_RET_FAILURE;
+	}
+
+	header = (header & 0xffff00) >> 8;
+
+	printf("Signed Message block at 0x%lx, size 0x%x\n", addr, header);
+	flush_dcache_range(addr, addr + header - 1);
+
+	if (ele_write_secure_fuse(addr, &response)) {
+		printf("Program secure fuse failed, response 0x%x\n", response);
+		return CMD_RET_FAILURE;
+	}
+
+	printf("Program secure fuse completed, response 0x%x\n", response);
+
+	return CMD_RET_SUCCESS;
+}
+
 U_BOOT_CMD(auth_cntr, CONFIG_SYS_MAXARGS, 1, do_authenticate,
 	   "autenticate OS container via AHAB",
 	   "addr\n"
@@ -584,3 +616,9 @@ U_BOOT_CMD(ahab_status, CONFIG_SYS_MAXARGS, 1, do_ahab_status,
 	   "display AHAB lifecycle only",
 	   ""
 );
+
+U_BOOT_CMD(ahab_sec_fuse_prog, CONFIG_SYS_MAXARGS, 1, do_sec_fuse_prog,
+	   "Program secure fuse via signed message block",
+	   "addr\n"
+	   "addr - Signed message block for secure fuse\n"
+);
diff --git a/drivers/misc/sentinel/ele_api.c b/drivers/misc/sentinel/ele_api.c
index 7a4e1b7823b..bf75baa1ca0 100644
--- a/drivers/misc/sentinel/ele_api.c
+++ b/drivers/misc/sentinel/ele_api.c
@@ -490,3 +490,34 @@ int ele_get_events(u32 *events, u32 *events_cnt, u32 *response)
 
 	return ret;
 }
+
+int ele_write_secure_fuse(ulong signed_msg_blk, u32 *response)
+{
+	struct udevice *dev = gd->arch.s400_dev;
+	int size = sizeof(struct ele_msg);
+	struct ele_msg msg;
+	int ret;
+
+	if (!dev) {
+		printf("ele dev is not initialized\n");
+		return -ENODEV;
+	}
+
+	msg.version = ELE_VERSION;
+	msg.tag = ELE_CMD_TAG;
+	msg.size = 3;
+	msg.command = ELE_WRITE_SECURE_FUSE_REQ;
+
+	msg.data[0] = upper_32_bits(signed_msg_blk);
+	msg.data[1] = lower_32_bits(signed_msg_blk);
+
+	ret = misc_call(dev, false, &msg, size, &msg, size);
+	if (ret)
+		printf("Error: %s: ret %d, response 0x%x, failed fuse row index %u\n",
+		       __func__, ret, msg.data[0], msg.data[1]);
+
+	if (response)
+		*response = msg.data[0];
+
+	return ret;
+}
-- 
2.36.0



More information about the U-Boot mailing list