]> Git Repo - J-u-boot.git/blame - cmd/avb.c
projects / J-u-boot.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
watchdog: kconfig: Enable designware for rk3399
[J-u-boot.git] / cmd / avb.c
CommitLineData
60b2f9e7
IO		 1
2/*
3 * (C) Copyright 2018, Linaro Limited
4 *
5 * SPDX-License-Identifier: GPL-2.0+
6 */
7
8#include <avb_verify.h>
9#include <command.h>
9fb625ce 10#include <env.h>
60b2f9e7
IO		 11#include <image.h>
12#include <malloc.h>
13#include <mmc.h>
14
15#define AVB_BOOTARGS "avb_bootargs"
16static struct AvbOps *avb_ops;
17
60b2f9e7
IO		 18int do_avb_init(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
19{
20 unsigned long mmc_dev;
21
22 if (argc != 2)
23 return CMD_RET_USAGE;
24
25 mmc_dev = simple_strtoul(argv[1], NULL, 16);
26
27 if (avb_ops)
28 avb_ops_free(avb_ops);
29
30 avb_ops = avb_ops_alloc(mmc_dev);
31 if (avb_ops)
32 return CMD_RET_SUCCESS;
33
6d89902d
JW		 34 printf("Failed to initialize avb2\n");
35
60b2f9e7
IO		 36 return CMD_RET_FAILURE;
37}
38
39int do_avb_read_part(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
40{
41 const char *part;
42 s64 offset;
43 size_t bytes, bytes_read = 0;
44 void *buffer;
45
46 if (!avb_ops) {
47 printf("AVB 2.0 is not initialized, please run 'avb init'\n");
48 return CMD_RET_USAGE;
49 }
50
51 if (argc != 5)
52 return CMD_RET_USAGE;
53
54 part = argv[1];
55 offset = simple_strtoul(argv[2], NULL, 16);
56 bytes = simple_strtoul(argv[3], NULL, 16);
57 buffer = (void *)simple_strtoul(argv[4], NULL, 16);
58
59 if (avb_ops->read_from_partition(avb_ops, part, offset, bytes,
60 buffer, &bytes_read) ==
61 AVB_IO_RESULT_OK) {
62 printf("Read %zu bytes\n", bytes_read);
63 return CMD_RET_SUCCESS;
64 }
65
6d89902d
JW		 66 printf("Failed to read from partition\n");
67
60b2f9e7
IO		 68 return CMD_RET_FAILURE;
69}
70
71int do_avb_read_part_hex(cmd_tbl_t *cmdtp, int flag, int argc,
72 char *const argv[])
73{
74 const char *part;
75 s64 offset;
76 size_t bytes, bytes_read = 0;
77 char *buffer;
78
79 if (!avb_ops) {
80 printf("AVB 2.0 is not initialized, please run 'avb init'\n");
81 return CMD_RET_USAGE;
82 }
83
84 if (argc != 4)
85 return CMD_RET_USAGE;
86
87 part = argv[1];
88 offset = simple_strtoul(argv[2], NULL, 16);
89 bytes = simple_strtoul(argv[3], NULL, 16);
90
91 buffer = malloc(bytes);
92 if (!buffer) {
93 printf("Failed to tlb_allocate buffer for data\n");
94 return CMD_RET_FAILURE;
95 }
96 memset(buffer, 0, bytes);
97
98 if (avb_ops->read_from_partition(avb_ops, part, offset, bytes, buffer,
99 &bytes_read) == AVB_IO_RESULT_OK) {
100 printf("Requested %zu, read %zu bytes\n", bytes, bytes_read);
101 printf("Data: ");
102 for (int i = 0; i < bytes_read; i++)
103 printf("%02X", buffer[i]);
104
105 printf("\n");
106
107 free(buffer);
108 return CMD_RET_SUCCESS;
109 }
110
6d89902d
JW		 111 printf("Failed to read from partition\n");
112
60b2f9e7
IO		 113 free(buffer);
114 return CMD_RET_FAILURE;
115}
116
117int do_avb_write_part(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
118{
119 const char *part;
120 s64 offset;
121 size_t bytes;
122 void *buffer;
123
124 if (!avb_ops) {
125 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
126 return CMD_RET_FAILURE;
127 }
128
129 if (argc != 5)
130 return CMD_RET_USAGE;
131
132 part = argv[1];
133 offset = simple_strtoul(argv[2], NULL, 16);
134 bytes = simple_strtoul(argv[3], NULL, 16);
135 buffer = (void *)simple_strtoul(argv[4], NULL, 16);
136
137 if (avb_ops->write_to_partition(avb_ops, part, offset, bytes, buffer) ==
138 AVB_IO_RESULT_OK) {
139 printf("Wrote %zu bytes\n", bytes);
140 return CMD_RET_SUCCESS;
141 }
142
6d89902d
JW		 143 printf("Failed to write in partition\n");
144
60b2f9e7
IO		 145 return CMD_RET_FAILURE;
146}
147
148int do_avb_read_rb(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
149{
150 size_t index;
151 u64 rb_idx;
152
153 if (!avb_ops) {
154 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
155 return CMD_RET_FAILURE;
156 }
157
158 if (argc != 2)
159 return CMD_RET_USAGE;
160
161 index = (size_t)simple_strtoul(argv[1], NULL, 16);
162
163 if (avb_ops->read_rollback_index(avb_ops, index, &rb_idx) ==
164 AVB_IO_RESULT_OK) {
ab2d7382 165 printf("Rollback index: %llx\n", rb_idx);
60b2f9e7
IO		 166 return CMD_RET_SUCCESS;
167 }
6d89902d
JW		 168
169 printf("Failed to read rollback index\n");
170
60b2f9e7
IO		 171 return CMD_RET_FAILURE;
172}
173
174int do_avb_write_rb(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
175{
176 size_t index;
177 u64 rb_idx;
178
179 if (!avb_ops) {
180 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
181 return CMD_RET_FAILURE;
182 }
183
184 if (argc != 3)
185 return CMD_RET_USAGE;
186
187 index = (size_t)simple_strtoul(argv[1], NULL, 16);
188 rb_idx = simple_strtoul(argv[2], NULL, 16);
189
190 if (avb_ops->write_rollback_index(avb_ops, index, rb_idx) ==
191 AVB_IO_RESULT_OK)
192 return CMD_RET_SUCCESS;
193
6d89902d
JW		 194 printf("Failed to write rollback index\n");
195
60b2f9e7
IO		 196 return CMD_RET_FAILURE;
197}
198
199int do_avb_get_uuid(cmd_tbl_t *cmdtp, int flag,
200 int argc, char * const argv[])
201{
202 const char *part;
203 char buffer[UUID_STR_LEN + 1];
204
205 if (!avb_ops) {
206 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
207 return CMD_RET_FAILURE;
208 }
209
210 if (argc != 2)
211 return CMD_RET_USAGE;
212
213 part = argv[1];
214
215 if (avb_ops->get_unique_guid_for_partition(avb_ops, part, buffer,
216 UUID_STR_LEN + 1) ==
217 AVB_IO_RESULT_OK) {
218 printf("'%s' UUID: %s\n", part, buffer);
219 return CMD_RET_SUCCESS;
220 }
221
6d89902d
JW		 222 printf("Failed to read UUID\n");
223
60b2f9e7
IO		 224 return CMD_RET_FAILURE;
225}
226
227int do_avb_verify_part(cmd_tbl_t *cmdtp, int flag,
228 int argc, char *const argv[])
229{
bb43c278 230 const char * const requested_partitions[] = {"boot", NULL};
60b2f9e7
IO		 231 AvbSlotVerifyResult slot_result;
232 AvbSlotVerifyData *out_data;
5d4fd877
IO		 233 char *cmdline;
234 char *extra_args;
965ec3ca 235 char *slot_suffix = "";
60b2f9e7
IO		 236
237 bool unlocked = false;
238 int res = CMD_RET_FAILURE;
239
240 if (!avb_ops) {
241 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
242 return CMD_RET_FAILURE;
243 }
244
965ec3ca 245 if (argc < 1 || argc > 2)
60b2f9e7
IO		 246 return CMD_RET_USAGE;
247
965ec3ca
SP		 248 if (argc == 2)
249 slot_suffix = argv[1];
250
60b2f9e7
IO		 251 printf("## Android Verified Boot 2.0 version %s\n",
252 avb_version_string());
253
254 if (avb_ops->read_is_device_unlocked(avb_ops, &unlocked) !=
255 AVB_IO_RESULT_OK) {
256 printf("Can't determine device lock state.\n");
257 return CMD_RET_FAILURE;
258 }
259
260 slot_result =
261 avb_slot_verify(avb_ops,
262 requested_partitions,
965ec3ca 263 slot_suffix,
60b2f9e7
IO		 264 unlocked,
265 AVB_HASHTREE_ERROR_MODE_RESTART_AND_INVALIDATE,
266 &out_data);
267
268 switch (slot_result) {
269 case AVB_SLOT_VERIFY_RESULT_OK:
5d4fd877
IO		 270 /* Until we don't have support of changing unlock states, we
271 * assume that we are by default in locked state.
272 * So in this case we can boot only when verification is
273 * successful; we also supply in cmdline GREEN boot state
274 */
60b2f9e7
IO		 275 printf("Verification passed successfully\n");
276
277 /* export additional bootargs to AVB_BOOTARGS env var */
5d4fd877
IO		 278
279 extra_args = avb_set_state(avb_ops, AVB_GREEN);
280 if (extra_args)
281 cmdline = append_cmd_line(out_data->cmdline,
282 extra_args);
283 else
284 cmdline = out_data->cmdline;
285
286 env_set(AVB_BOOTARGS, cmdline);
60b2f9e7
IO		 287
288 res = CMD_RET_SUCCESS;
289 break;
290 case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION:
291 printf("Verification failed\n");
292 break;
293 case AVB_SLOT_VERIFY_RESULT_ERROR_IO:
294 printf("I/O error occurred during verification\n");
295 break;
296 case AVB_SLOT_VERIFY_RESULT_ERROR_OOM:
297 printf("OOM error occurred during verification\n");
298 break;
299 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA:
300 printf("Corrupted dm-verity metadata detected\n");
301 break;
302 case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION:
303 printf("Unsupported version avbtool was used\n");
304 break;
305 case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX:
306 printf("Checking rollback index failed\n");
307 break;
308 case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED:
309 printf("Public key was rejected\n");
310 break;
311 default:
312 printf("Unknown error occurred\n");
313 }
314
315 return res;
316}
317
318int do_avb_is_unlocked(cmd_tbl_t *cmdtp, int flag,
319 int argc, char * const argv[])
320{
321 bool unlock;
322
323 if (!avb_ops) {
324 printf("AVB not initialized, run 'avb init' first\n");
325 return CMD_RET_FAILURE;
326 }
327
328 if (argc != 1) {
329 printf("--%s(-1)\n", __func__);
330 return CMD_RET_USAGE;
331 }
332
333 if (avb_ops->read_is_device_unlocked(avb_ops, &unlock) ==
334 AVB_IO_RESULT_OK) {
335 printf("Unlocked = %d\n", unlock);
336 return CMD_RET_SUCCESS;
337 }
338
6d89902d
JW		 339 printf("Can't determine device lock state.\n");
340
60b2f9e7
IO		 341 return CMD_RET_FAILURE;
342}
343
fc1fe01b
IO		 344int do_avb_read_pvalue(cmd_tbl_t *cmdtp, int flag, int argc,
345 char * const argv[])
346{
347 const char *name;
348 size_t bytes;
349 size_t bytes_read;
350 void *buffer;
351 char *endp;
352
353 if (!avb_ops) {
354 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
355 return CMD_RET_FAILURE;
356 }
357
358 if (argc != 3)
359 return CMD_RET_USAGE;
360
361 name = argv[1];
362 bytes = simple_strtoul(argv[2], &endp, 10);
363 if (*endp && *endp != '\n')
364 return CMD_RET_USAGE;
365
366 buffer = malloc(bytes);
367 if (!buffer)
368 return CMD_RET_FAILURE;
369
370 if (avb_ops->read_persistent_value(avb_ops, name, bytes, buffer,
371 &bytes_read) == AVB_IO_RESULT_OK) {
97f3c097 372 printf("Read %zu bytes, value = %s\n", bytes_read,
fc1fe01b
IO		 373 (char *)buffer);
374 free(buffer);
375 return CMD_RET_SUCCESS;
376 }
377
378 printf("Failed to read persistent value\n");
379
380 free(buffer);
381
382 return CMD_RET_FAILURE;
383}
384
385int do_avb_write_pvalue(cmd_tbl_t *cmdtp, int flag, int argc,
386 char * const argv[])
387{
388 const char *name;
389 const char *value;
390
391 if (!avb_ops) {
392 printf("AVB 2.0 is not initialized, run 'avb init' first\n");
393 return CMD_RET_FAILURE;
394 }
395
396 if (argc != 3)
397 return CMD_RET_USAGE;
398
399 name = argv[1];
400 value = argv[2];
401
402 if (avb_ops->write_persistent_value(avb_ops, name, strlen(value) + 1,
403 (const uint8_t *)value) ==
404 AVB_IO_RESULT_OK) {
97f3c097 405 printf("Wrote %zu bytes\n", strlen(value) + 1);
fc1fe01b
IO		 406 return CMD_RET_SUCCESS;
407 }
408
409 printf("Failed to write persistent value\n");
410
411 return CMD_RET_FAILURE;
412}
413
60b2f9e7
IO		 414static cmd_tbl_t cmd_avb[] = {
415 U_BOOT_CMD_MKENT(init, 2, 0, do_avb_init, "", ""),
416 U_BOOT_CMD_MKENT(read_rb, 2, 0, do_avb_read_rb, "", ""),
417 U_BOOT_CMD_MKENT(write_rb, 3, 0, do_avb_write_rb, "", ""),
418 U_BOOT_CMD_MKENT(is_unlocked, 1, 0, do_avb_is_unlocked, "", ""),
419 U_BOOT_CMD_MKENT(get_uuid, 2, 0, do_avb_get_uuid, "", ""),
420 U_BOOT_CMD_MKENT(read_part, 5, 0, do_avb_read_part, "", ""),
421 U_BOOT_CMD_MKENT(read_part_hex, 4, 0, do_avb_read_part_hex, "", ""),
422 U_BOOT_CMD_MKENT(write_part, 5, 0, do_avb_write_part, "", ""),
965ec3ca 423 U_BOOT_CMD_MKENT(verify, 2, 0, do_avb_verify_part, "", ""),
fc1fe01b
IO		 424#ifdef CONFIG_OPTEE_TA_AVB
425 U_BOOT_CMD_MKENT(read_pvalue, 3, 0, do_avb_read_pvalue, "", ""),
426 U_BOOT_CMD_MKENT(write_pvalue, 3, 0, do_avb_write_pvalue, "", ""),
427#endif
60b2f9e7
IO		 428};
429
430static int do_avb(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
431{
432 cmd_tbl_t *cp;
433
434 cp = find_cmd_tbl(argv[1], cmd_avb, ARRAY_SIZE(cmd_avb));
435
436 argc--;
437 argv++;
438
439 if (!cp || argc > cp->maxargs)
440 return CMD_RET_USAGE;
441
442 if (flag == CMD_FLAG_REPEAT)
443 return CMD_RET_FAILURE;
444
445 return cp->cmd(cmdtp, flag, argc, argv);
446}
447
448U_BOOT_CMD(
449 avb, 29, 0, do_avb,
450 "Provides commands for testing Android Verified Boot 2.0 functionality",
451 "init <dev> - initialize avb2 for <dev>\n"
452 "avb read_rb <num> - read rollback index at location <num>\n"
453 "avb write_rb <num> <rb> - write rollback index <rb> to <num>\n"
454 "avb is_unlocked - returns unlock status of the device\n"
455 "avb get_uuid <partname> - read and print uuid of partition <part>\n"
456 "avb read_part <partname> <offset> <num> <addr> - read <num> bytes from\n"
457 " partition <partname> to buffer <addr>\n"
458 "avb read_part_hex <partname> <offset> <num> - read <num> bytes from\n"
459 " partition <partname> and print to stdout\n"
460 "avb write_part <partname> <offset> <num> <addr> - write <num> bytes to\n"
461 " <partname> by <offset> using data from <addr>\n"
fc1fe01b
IO		 462#ifdef CONFIG_OPTEE_TA_AVB
463 "avb read_pvalue <name> <bytes> - read a persistent value <name>\n"
464 "avb write_pvalue <name> <value> - write a persistent value <name>\n"
465#endif
965ec3ca 466 "avb verify [slot_suffix] - run verification process using hash data\n"
60b2f9e7 467 " from vbmeta structure\n"
965ec3ca 468 " [slot_suffix] - _a, _b, etc (if vbmeta partition is slotted)\n"
60b2f9e7 469 );
Empty description
This page took 0.17216 seconds and 4 git commands to generate.