Re: [U-Boot] [PATCH v2] imx: imx7 Support for Manufacturing Protection

2016-02-11 Thread Otavio Salvador 
On Wed, Feb 10, 2016 at 9:54 AM, Ulises Cardenas  wrote:
> i.MX7 has an a protection feature for Manufacturing process.
> This feature uses assymetric encryption to sign and verify
> authenticated software handled between parties. This command
> is enables the use of such feature.

s/is enables/enables/

> The private key is unique and generated once per device.
> And it is stored in secure memory and only accessible by CAAM.
> Therefore, the public key generation and signature functions
> are the only functions available for the user.
>
> Command usage:
> mfgprot 0 - prints out the public key for the device.
> mfgprot 1 - signs and prints out a sample data.
>
> This is only a working example for the signature function, and
> is intended to be used as a canvas for user-specific cases.
>
> Signed-off-by: Ulises Cardenas 

Why this is just an example? Couldn't we better integrate so user
could pass addresses for checking?

-- 
Otavio Salvador O.S. Systems
http://www.ossystems.com.brhttp://code.ossystems.com.br
Mobile: +55 (53) 9981-7854Mobile: +1 (347) 903-9750
___
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot

[U-Boot] [PATCH v2] imx: imx7 Support for Manufacturing Protection

2016-02-10 Thread Ulises Cardenas 
i.MX7 has an a protection feature for Manufacturing process.
This feature uses assymetric encryption to sign and verify
authenticated software handled between parties. This command
is enables the use of such feature.

The private key is unique and generated once per device.
And it is stored in secure memory and only accessible by CAAM.
Therefore, the public key generation and signature functions
are the only functions available for the user.

Command usage:
mfgprot 0 - prints out the public key for the device.
mfgprot 1 - signs and prints out a sample data.

This is only a working example for the signature function, and
is intended to be used as a canvas for user-specific cases.

Signed-off-by: Ulises Cardenas 
---

Changes for v2:
- removed genenerate_mppubk and generate_mpsign
  due to redundancy

 arch/arm/imx-common/Makefile  |   1 +
 arch/arm/imx-common/cmd_mfgprot.c |  63 +
 drivers/crypto/fsl/Makefile   |   4 +
 drivers/crypto/fsl/fsl_mfgprot.c  | 286 ++
 include/fsl_sec.h |  12 ++
 5 files changed, 366 insertions(+)
 create mode 100644 arch/arm/imx-common/cmd_mfgprot.c
 create mode 100644 drivers/crypto/fsl/fsl_mfgprot.c

diff --git a/arch/arm/imx-common/Makefile b/arch/arm/imx-common/Makefile
index e7190c3..8563150 100644
--- a/arch/arm/imx-common/Makefile
+++ b/arch/arm/imx-common/Makefile
@@ -22,6 +22,7 @@ ifeq ($(SOC),$(filter $(SOC),mx7))
 obj-y  += cpu.o
 obj-$(CONFIG_SYS_I2C_MXC) += i2c-mxv7.o
 obj-$(CONFIG_SYSCOUNTER_TIMER) += syscounter.o
+obj-$(CONFIG_CMD_MFGPROT) += cmd_mfgprot.o
 endif
 ifeq ($(SOC),$(filter $(SOC),mx6 mx7))
 obj-y  += cache.o init.o
diff --git a/arch/arm/imx-common/cmd_mfgprot.c 
b/arch/arm/imx-common/cmd_mfgprot.c
new file mode 100644
index 000..83e95d3
--- /dev/null
+++ b/arch/arm/imx-common/cmd_mfgprot.c
@@ -0,0 +1,63 @@
+/*
+ * Copyright 2016 NXP Semiconductors.
+ *
+ * SPDX-License-Identifier: GPL-2.0+
+ *
+ * Command for manufacturing protection
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+DECLARE_GLOBAL_DATA_PTR;
+
+/**
+ * do_mfgprot() - Handle the "mfgprogt" command-line command
+ * @cmdtp:  Command data struct pointer
+ * @flag:   Command flag
+ * @argc:   Command-line argument count
+ * @argv:   Array of command-line arguments
+ *
+ * Returns zero on success, CMD_RET_USAGE in case of misuse and negative
+ * on error.
+ */
+static int do_mfgprot(cmd_tbl_t *cmdtp, int flag, int argc, char *const argv[])
+{
+   uint32_t sel;
+   int ret = 0;
+
+   u32 jr_size = 4;
+   u32 out_jr_size = sec_in32(CONFIG_SYS_FSL_JR0_ADDR + 0x102c);
+   if (out_jr_size != jr_size) {
+   hab_caam_clock_enable(1);
+   sec_init();
+   }
+
+   sel = simple_strtoul(argv[1], NULL, 10);
+   switch (sel) {
+   case 0:
+   ret = gen_mppubk();
+   break;
+   case 1:
+   ret = sign_mppubk();
+   break;
+   }
+   return ret;
+}
+
+/***/
+static char mfgprot_help_text[] =
+   "mp 0: prints out the public key for MP\n"
+   "mp 1: prints out an exmple signature for MP\n";
+
+U_BOOT_CMD(
+   mfgprot, 2, 1, do_mfgprot,
+   "Manufacturing Protection\n",
+   mfgprot_help_text
+);
diff --git a/drivers/crypto/fsl/Makefile b/drivers/crypto/fsl/Makefile
index fd736cf..6d6903b 100644
--- a/drivers/crypto/fsl/Makefile
+++ b/drivers/crypto/fsl/Makefile
@@ -8,3 +8,7 @@ obj-y += sec.o
 obj-$(CONFIG_FSL_CAAM) += jr.o fsl_hash.o jobdesc.o error.o
 obj-$(CONFIG_CMD_BLOB)$(CONFIG_CMD_DEKBLOB) += fsl_blob.o
 obj-$(CONFIG_RSA_FREESCALE_EXP) += fsl_rsa.o
+
+ifdef CONFIG_MX7
+obj-$(CONFIG_CMD_MFGPROT) += fsl_mfgprot.o
+endif
diff --git a/drivers/crypto/fsl/fsl_mfgprot.c b/drivers/crypto/fsl/fsl_mfgprot.c
new file mode 100644
index 000..967dbc4
--- /dev/null
+++ b/drivers/crypto/fsl/fsl_mfgprot.c
@@ -0,0 +1,286 @@
+/*
+ * Copyright 2014 Freescale Semiconductor, Inc.
+ *
+ * SPDX-License-Identifier:GPL-2.0+
+ *
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "jobdesc.h"
+#include "desc.h"
+#include "jr.h"
+
+
+/** Job Descriptor Header command - add length in words */
+#define HAB_ENG_CAAM_CMD_JOBHDR0xB080UL
+#define HAB_ENG_CAAM_CMD_JOBHDR_START_SHIFT16 /**< START INDEX field */
+#define HAB_ENG_CAAM_CMD_JOBHDR_START_WIDTH6 /**< START INDEX field */
+
+#define HAB_MASK(LBL)  \
+   uint32_t)1 << (LBL##_WIDTH)) - 1) << (LBL##_SHIFT))
+
+#define HAB_INSERT_BITS(val, LBL)  \
+   (((uint32_t)(val) << LBL##_SHIFT) & HAB_MASK(LBL))
+
+/** @name MPPUBK protocol data block
+ *  @{
+ */
+#define HAB_ENG_CAAM_MPPUBK_SGF(1UL<<31)   /**< Message SG 
flag */
+#define HAB_ENG_CAAM_MPPUBK_CSEL_SHIFT 17  /**< Curve selection */
+#define HAB_ENG_CAAM_MPPUBK_CSEL_WIDTH 4