summaryrefslogtreecommitdiff
path: root/arch
diff options
context:
space:
mode:
authorSvyatoslav Ryhel <clamor95@gmail.com>2023-10-03 09:36:44 +0300
committerTom Rini <trini@konsulko.com>2023-11-03 12:37:15 -0400
commitf2cf7feb80889b6a777e470f6cc2ece4ac03374f (patch)
treede23b76a7f29f5fd5c310f08fadab1725c16defc /arch
parent8632091e1e15b67bbf05b48a5ae7e612d1db36fe (diff)
downloadu-boot-f2cf7feb80889b6a777e470f6cc2ece4ac03374f.tar.gz
u-boot-f2cf7feb80889b6a777e470f6cc2ece4ac03374f.tar.bz2
u-boot-f2cf7feb80889b6a777e470f6cc2ece4ac03374f.zip
ARM: tegra20: tegra30: support EBTUPDATE on non-encrypted devices
Re-crypt support was extended to devices without burnt SBK. In case SBK is not set, place from where it is read is filled with zeroes. This patch adds support for ebtupdate function to detect nosbk device and avoid crypto operations for it. Tested-by: Maksim Kurnosenko <asusx2@mail.ru> Signed-off-by: Svyatoslav Ryhel <clamor95@gmail.com>
Diffstat (limited to 'arch')
-rw-r--r--arch/arm/mach-tegra/tegra20/bct.c30
-rw-r--r--arch/arm/mach-tegra/tegra30/bct.c30
2 files changed, 40 insertions, 20 deletions
diff --git a/arch/arm/mach-tegra/tegra20/bct.c b/arch/arm/mach-tegra/tegra20/bct.c
index 5eb48990b6..b2c44f3d23 100644
--- a/arch/arm/mach-tegra/tegra20/bct.c
+++ b/arch/arm/mach-tegra/tegra20/bct.c
@@ -11,6 +11,9 @@
#include "bct.h"
#include "uboot_aes.h"
+/* Device with "sbk burned: false" will expose zero key */
+const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
+
/*
* @param bct boot config table start in RAM
* @param ect bootloader start in RAM
@@ -23,22 +26,27 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
u8 sbk[AES128_KEY_LENGTH] = { 0 };
u8 *bct_hash = bct;
+ bool encrypted;
int ret;
bct += BCT_HASH;
+ ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
NVBOOT_CMAC_AES_HASH_LENGTH * 4);
- ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
- ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+ if (encrypted) {
+ ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
- ret = encrypt_data_block(ebt, ebt_size, sbk);
- if (ret)
- return 1;
+ ret = encrypt_data_block(ebt, ebt_size, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
if (ret)
@@ -52,9 +60,11 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
bct_tbl->bootloader[0].length = ebt_size;
- ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ if (encrypted) {
+ ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
if (ret)
diff --git a/arch/arm/mach-tegra/tegra30/bct.c b/arch/arm/mach-tegra/tegra30/bct.c
index c56958da69..cff1a3e98d 100644
--- a/arch/arm/mach-tegra/tegra30/bct.c
+++ b/arch/arm/mach-tegra/tegra30/bct.c
@@ -11,6 +11,9 @@
#include "bct.h"
#include "uboot_aes.h"
+/* Device with "sbk burned: false" will expose zero key */
+const u8 nosbk[AES128_KEY_LENGTH] = { 0 };
+
/*
* @param bct boot config table start in RAM
* @param ect bootloader start in RAM
@@ -23,22 +26,27 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
u8 ebt_hash[AES128_KEY_LENGTH] = { 0 };
u8 sbk[AES128_KEY_LENGTH] = { 0 };
u8 *bct_hash = bct;
+ bool encrypted;
int ret;
bct += BCT_HASH;
+ ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+
memcpy(sbk, (u8 *)(bct + BCT_LENGTH),
NVBOOT_CMAC_AES_HASH_LENGTH * 4);
- ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ encrypted = memcmp(&sbk, &nosbk, AES128_KEY_LENGTH);
- ebt_size = roundup(ebt_size, EBT_ALIGNMENT);
+ if (encrypted) {
+ ret = decrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
- ret = encrypt_data_block(ebt, ebt_size, sbk);
- if (ret)
- return 1;
+ ret = encrypt_data_block(ebt, ebt_size, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(ebt, ebt_size, ebt_hash, sbk);
if (ret)
@@ -52,9 +60,11 @@ static int bct_patch(u8 *bct, u8 *ebt, u32 ebt_size)
bct_tbl->bootloader[0].load_addr = CONFIG_SPL_TEXT_BASE;
bct_tbl->bootloader[0].length = ebt_size;
- ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
- if (ret)
- return 1;
+ if (encrypted) {
+ ret = encrypt_data_block(bct, BCT_LENGTH, sbk);
+ if (ret)
+ return 1;
+ }
ret = sign_enc_data_block(bct, BCT_LENGTH, bct_hash, sbk);
if (ret)