HI Patrick On 9/15/22 18:11, Patrick Delaunay wrote: > Update the command stm32key to support several keys selected by > key name and managed by the new sub-command: > > stm32key list > stm32key select [<key>] > stm32key read -a > > This patch doesn't change the STM32MP15 behavior, only PKH is > supported, but it is a preliminary patch for STM32MP13 support. > > Signed-off-by: Patrick Delaunay <[email protected]> > --- > > arch/arm/mach-stm32mp/cmd_stm32key.c | 195 ++++++++++++++++++++------- > 1 file changed, 149 insertions(+), 46 deletions(-) > > diff --git a/arch/arm/mach-stm32mp/cmd_stm32key.c > b/arch/arm/mach-stm32mp/cmd_stm32key.c > index 68f9b1a9a59..4eac56082db 100644 > --- a/arch/arm/mach-stm32mp/cmd_stm32key.c > +++ b/arch/arm/mach-stm32mp/cmd_stm32key.c > @@ -15,9 +15,37 @@ > #define STM32_OTP_CLOSE_ID 0 > #define STM32_OTP_CLOSE_MASK BIT(6) > > -/* HASH of key: 8 OTPs, starting with OTP24) */ > -#define STM32_OTP_HASH_KEY_START 24 > -#define STM32_OTP_HASH_KEY_SIZE 8 > +/* PKH is the first element of the key list */ > +#define STM32KEY_PKH 0 > + > +struct stm32key { > + char *name; > + char *desc; > + u8 start; > + u8 size; > +}; > + > +const struct stm32key stm32mp15_list[] = { > + [STM32KEY_PKH] = { > + .name = "PKH", > + .desc = "Hash of the ECC Public Key (ECDSA is the > authentication algorithm)", > + .start = 24, > + .size = 8, > + } > +}; > + > +/* index of current selected key in stm32key list, 0 = PKH by default */ > +static u8 stm32key_index; > + > +static u8 get_key_nb(void) > +{ > + return ARRAY_SIZE(stm32mp15_list); > +} > + > +static const struct stm32key *get_key(u8 index) > +{ > + return &stm32mp15_list[index]; > +} > > #define BSEC_LOCK_ERROR (-1) > #define BSEC_LOCK_PERM BIT(0) > @@ -33,26 +61,25 @@ static int get_misc_dev(struct udevice **dev) > return ret; > } > > -static void read_hash_value(u32 addr) > +static void read_key_value(const struct stm32key *key, u32 addr) > { > int i; > > - printf("Read KEY at 0x%x\n", addr); > - for (i = 0; i < STM32_OTP_HASH_KEY_SIZE; i++) { > - printf("OTP value %i: %x\n", STM32_OTP_HASH_KEY_START + i, > - __be32_to_cpu(*(u32 *)addr)); > + for (i = 0; i < key->size; i++) { > + printf("%s OTP %i: [%08x] %08x\n", key->name, key->start + i, > + addr, __be32_to_cpu(*(u32 *)addr)); > addr += 4; > } > } > > -static int read_hash_otp(struct udevice *dev, bool print, bool *locked) > +static int read_key_otp(struct udevice *dev, const struct stm32key *key, > bool print, bool *locked) > { > int i, word, ret; > - int nb_invalid = 0, nb_zero = 0, nb_lock = 0; > + int nb_invalid = 0, nb_zero = 0, nb_lock = 0, nb_lock_err = 0; > u32 val, lock; > bool status; > > - for (i = 0, word = STM32_OTP_HASH_KEY_START; i < > STM32_OTP_HASH_KEY_SIZE; i++, word++) { > + for (i = 0, word = key->start; i < key->size; i++, word++) { > ret = misc_read(dev, STM32_BSEC_OTP(word), &val, 4); > if (ret != 4) > val = ~0x0; > @@ -60,29 +87,33 @@ static int read_hash_otp(struct udevice *dev, bool print, > bool *locked) > if (ret != 4) > lock = BSEC_LOCK_ERROR; > if (print) > - printf("OTP HASH %i: %x lock : %x\n", word, val, lock); > + printf("%s OTP %i: %08x lock : %08x\n", key->name, > word, val, lock); > if (val == ~0x0) > nb_invalid++; > else if (val == 0x0) > nb_zero++; > if (lock & BSEC_LOCK_PERM) > nb_lock++; > + if (lock & BSEC_LOCK_ERROR) > + nb_lock_err++; > } > > - status = (nb_lock == STM32_OTP_HASH_KEY_SIZE); > + status = nb_lock_err || (nb_lock == key->size); > if (locked) > *locked = status; > - if (!status && print) > - printf("Hash of key is not locked!\n"); > + if (nb_lock_err && print) > + printf("%s lock is invalid!\n", key->name); > + else if (!status && print) > + printf("%s is not locked!\n", key->name); > > - if (nb_invalid == STM32_OTP_HASH_KEY_SIZE) { > + if (nb_invalid == key->size) { > if (print) > - printf("Hash of key is invalid!\n"); > + printf("%s is invalid!\n", key->name); > return -EINVAL; > } > - if (nb_zero == STM32_OTP_HASH_KEY_SIZE) { > + if (nb_zero == key->size) { > if (print) > - printf("Hash of key is free!\n"); > + printf("%s is free!\n", key->name); > return -ENOENT; > } > > @@ -113,33 +144,31 @@ static int read_close_status(struct udevice *dev, bool > print, bool *closed) > if (closed) > *closed = status; > if (print) > - printf("OTP %d: closed status: %d lock : %x\n", word, status, > lock); > + printf("OTP %d: closed status: %d lock : %08x\n", word, status, > lock); > > return result; > } > > -static int fuse_hash_value(struct udevice *dev, u32 addr, bool print) > +static int fuse_key_value(struct udevice *dev, const struct stm32key *key, > u32 addr, bool print) > { > u32 word, val; > int i, ret; > > - for (i = 0, word = STM32_OTP_HASH_KEY_START; > - i < STM32_OTP_HASH_KEY_SIZE; > - i++, word++, addr += 4) { > + for (i = 0, word = key->start; i < key->size; i++, word++, addr += 4) { > val = __be32_to_cpu(*(u32 *)addr); > if (print) > - printf("Fuse OTP %i : %x\n", word, val); > + printf("Fuse %s OTP %i : %08x\n", key->name, word, val); > > ret = misc_write(dev, STM32_BSEC_OTP(word), &val, 4); > if (ret != 4) { > - log_err("Fuse OTP %i failed\n", word); > + log_err("Fuse %s OTP %i failed\n", key->name, word); > return ret; > } > - /* on success, lock the OTP for HASH key */ > + /* on success, lock the OTP for the key */ > val = BSEC_LOCK_PERM; > ret = misc_write(dev, STM32_BSEC_LOCK(word), &val, 4); > if (ret != 4) { > - log_err("Lock OTP %i failed\n", word); > + log_err("Lock %s OTP %i failed\n", key->name, word); > return ret; > } > } > @@ -161,36 +190,99 @@ static int confirm_prog(void) > return 0; > } > > +static void display_key_info(const struct stm32key *key) > +{ > + printf("%s : %s\n", key->name, key->desc); > + printf("\tOTP%d..%d\n", key->start, key->start + key->size); > +} > + > +static int do_stm32key_list(struct cmd_tbl *cmdtp, int flag, int argc, char > *const argv[]) > +{ > + int i; > + > + for (i = 0; i < get_key_nb(); i++) > + display_key_info(get_key(i)); > + > + return CMD_RET_SUCCESS; > +} > + > +static int do_stm32key_select(struct cmd_tbl *cmdtp, int flag, int argc, > char *const argv[]) > +{ > + const struct stm32key *key; > + int i; > + > + if (argc == 1) { > + printf("Selected key:\n"); > + key = get_key(stm32key_index); > + display_key_info(key); > + return CMD_RET_SUCCESS; > + } > + > + for (i = 0; i < get_key_nb(); i++) { > + key = get_key(i); > + if (!strcmp(key->name, argv[1])) { > + printf("%s selected\n", key->name); > + stm32key_index = i; > + return CMD_RET_SUCCESS; > + } > + } > + > + printf("Unknown key %s\n", argv[1]); > + > + return CMD_RET_FAILURE; > +} > + > static int do_stm32key_read(struct cmd_tbl *cmdtp, int flag, int argc, char > *const argv[]) > { > + const struct stm32key *key; > struct udevice *dev; > u32 addr; > - int ret; > + int ret, i; > + int result; > > ret = get_misc_dev(&dev); > > if (argc == 1) { > if (ret) > return CMD_RET_FAILURE; > - read_hash_otp(dev, true, NULL); > - ret = read_close_status(dev, true, NULL); > + key = get_key(stm32key_index); > + ret = read_key_otp(dev, key, true, NULL); > + if (ret != -ENOENT) > + return CMD_RET_FAILURE; > + return CMD_RET_SUCCESS; > + } > + > + if (!strcmp("-a", argv[1])) { > if (ret) > return CMD_RET_FAILURE; > + result = CMD_RET_SUCCESS; > + for (i = 0; i < get_key_nb(); i++) { > + key = get_key(i); > + ret = read_key_otp(dev, key, true, NULL); > + if (ret != -ENOENT) > + result = CMD_RET_FAILURE; > + } > + ret = read_close_status(dev, true, NULL); > + if (ret) > + result = CMD_RET_FAILURE; > > - return CMD_RET_SUCCESS; > + return result; > } > > addr = hextoul(argv[1], NULL); > if (!addr) > return CMD_RET_USAGE; > > - read_hash_value(addr); > + key = get_key(stm32key_index); > + printf("Read %s at 0x%08x\n", key->name, addr); > + read_key_value(key, addr); > > return CMD_RET_SUCCESS; > } > > static int do_stm32key_fuse(struct cmd_tbl *cmdtp, int flag, int argc, char > *const argv[]) > { > + const struct stm32key *key = get_key(stm32key_index); > struct udevice *dev; > u32 addr; > int ret; > @@ -213,28 +305,34 @@ static int do_stm32key_fuse(struct cmd_tbl *cmdtp, int > flag, int argc, char *con > if (ret) > return CMD_RET_FAILURE; > > - if (read_hash_otp(dev, !yes, &lock) != -ENOENT) { > + if (read_key_otp(dev, key, !yes, &lock) != -ENOENT) { > printf("Error: can't fuse again the OTP\n"); > return CMD_RET_FAILURE; > } > if (lock) { > - printf("Error: PKH is locked\n"); > + printf("Error: %s is locked\n", key->name); > return CMD_RET_FAILURE; > } > > + if (!yes) { > + printf("Writing %s with\n", key->name); > + read_key_value(key, addr); > + } > + > if (!yes && !confirm_prog()) > return CMD_RET_FAILURE; > > - if (fuse_hash_value(dev, addr, !yes)) > + if (fuse_key_value(dev, key, addr, !yes)) > return CMD_RET_FAILURE; > > - printf("Hash key updated !\n"); > + printf("%s updated !\n", key->name); > > return CMD_RET_SUCCESS; > } > > static int do_stm32key_close(struct cmd_tbl *cmdtp, int flag, int argc, char > *const argv[]) > { > + const struct stm32key *key; > bool yes, lock, closed; > struct udevice *dev; > u32 val; > @@ -260,14 +358,15 @@ static int do_stm32key_close(struct cmd_tbl *cmdtp, int > flag, int argc, char *co > } > > /* check PKH status before to close */ > - ret = read_hash_otp(dev, !yes, &lock); > + key = get_key(STM32KEY_PKH); > + ret = read_key_otp(dev, key, !yes, &lock); > if (ret) { > if (ret == -ENOENT) > - printf("Error: OTP not programmed!\n"); > + printf("Error: %s not programmed!\n", key->name); > return CMD_RET_FAILURE; > } > if (!lock) > - printf("Warning: OTP not locked!\n"); > + printf("Warning: %s not locked!\n", key->name); > > if (!yes && !confirm_prog()) > return CMD_RET_FAILURE; > @@ -275,7 +374,7 @@ static int do_stm32key_close(struct cmd_tbl *cmdtp, int > flag, int argc, char *co > val = STM32_OTP_CLOSE_MASK; > ret = misc_write(dev, STM32_BSEC_OTP(STM32_OTP_CLOSE_ID), &val, 4); > if (ret != 4) { > - printf("Error: can't update OTP\n"); > + printf("Error: can't update OTP %d\n", STM32_OTP_CLOSE_ID); > return CMD_RET_FAILURE; > } > > @@ -285,11 +384,15 @@ static int do_stm32key_close(struct cmd_tbl *cmdtp, int > flag, int argc, char *co > } > > static char stm32key_help_text[] = > - "read [<addr>]: Read the hash stored at addr in memory or in OTP\n" > - "stm32key fuse [-y] <addr> : Fuse hash stored at addr in OTP\n" > - "stm32key close [-y] : Close the device, the hash stored in OTP\n"; > - > -U_BOOT_CMD_WITH_SUBCMDS(stm32key, "Fuse ST Hash key", stm32key_help_text, > + "list : list the supported key with description\n" > + "stm32key select [<key>] : Select the key identified by <key> or > display the key used for read/fuse command\n" > + "stm32key read [<addr> | -a ] : Read the curent key at <addr> or > current / all (-a) key in OTP\n" > + "stm32key fuse [-y] <addr> : Fuse the current key at addr in OTP\n" > + "stm32key close [-y] : Close the device\n"; > + > +U_BOOT_CMD_WITH_SUBCMDS(stm32key, "Manage key on STM32", stm32key_help_text, > + U_BOOT_SUBCMD_MKENT(list, 1, 0, do_stm32key_list), > + U_BOOT_SUBCMD_MKENT(select, 2, 0, do_stm32key_select), > U_BOOT_SUBCMD_MKENT(read, 2, 0, do_stm32key_read), > U_BOOT_SUBCMD_MKENT(fuse, 3, 0, do_stm32key_fuse), > U_BOOT_SUBCMD_MKENT(close, 2, 0, do_stm32key_close)); Reviewed-by: Patrice Chotard <[email protected]>
Thanks Patrice
