[PATCH v3 0/1] Introduce fastboot oem board command

[PATCH v3 0/1] Introduce fastboot oem board command

[Alexey Romanov]

Changes V1 -> V2 [1]:
  - Added an example of using the command as requested
    by Sean Anderson [2].

Changes V2 -> V3 [3]:
  - Rebase over uboot/master.
  - Add documentation.
  - Remove example added in V2 [1].

Links:
    [1] https://lore.kernel.org/all/20231228152522.83291-1-avromanov@salutedevices.com/
    [2] https://lore.kernel.org/all/72ac233d-c18d-4f57-bc66-451fe0bd2997@seco.com/
    [3] https://lore.kernel.org/all/20240201092027.6258-1-avromanov@salutedevices.com/

Alexey Romanov (1):
  fastboot: introduce 'oem board' subcommand

 doc/android/fastboot.rst      | 18 ++++++++++++++++++
 drivers/fastboot/Kconfig      |  7 +++++++
 drivers/fastboot/fb_command.c | 30 ++++++++++++++++++++++++++++++
 include/fastboot.h            |  1 +
 4 files changed, 56 insertions(+)

-- 
2.34.1

[PATCH v3 1/1] fastboot: introduce 'oem board' subcommand

[Alexey Romanov]

Currently, fastboot protocol in U-Boot has no opportunity
to execute vendor custom code with verifed boot. This patch
introduce new fastboot subcommand fastboot oem board:<cmd>,
which allow to run custom oem_board function.

Default implementation is __weak. Vendor must redefine it in
board/ folder with his own logic.

For example, some vendors have their custom nand/emmc partition
flashing or erasing. Here some typical command for such use cases:

- flashing:

  $ fastboot stage bootloader.img
  $ fastboot oem board:write_bootloader

- erasing:

  $ fastboot oem board:erase_env

Signed-off-by: Alexey Romanov <avromanov@salutedevices.com>
---
 doc/android/fastboot.rst      | 18 ++++++++++++++++++
 drivers/fastboot/Kconfig      |  7 +++++++
 drivers/fastboot/fb_command.c | 30 ++++++++++++++++++++++++++++++
 include/fastboot.h            |  1 +
 4 files changed, 56 insertions(+)

diff --git a/doc/android/fastboot.rst b/doc/android/fastboot.rst
index 05d8f77759..2020590657 100644
--- a/doc/android/fastboot.rst
+++ b/doc/android/fastboot.rst
@@ -30,6 +30,7 @@ The following OEM commands are supported (if enabled):
 - ``oem bootbus``  - this executes ``mmc bootbus %x %s`` to configure eMMC
 - ``oem run`` - this executes an arbitrary U-Boot command
 - ``oem console`` - this dumps U-Boot console record buffer
+- ``oem board`` - this executes an custom board function which is defined by vendor
 
 Support for both eMMC and NAND devices is included.
 
@@ -246,6 +247,23 @@ including multiple commands (using e.g. ``;`` or ``&&``) and control structures
 (``if``, ``while``, etc.). The exit code of ``fastboot`` will reflect the exit
 code of the command you ran.
 
+Running Custom Vendor Code
+^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+U-Boot allows you to execute custom fastboot logic, which can be defined
+in board/ files. It can still be used for production devices with verified
+boot, because vendor define logic at compile time by overriding weak
+implementation of fastboot_oem_board() function. The attacker will
+not able to execute his commands / code. For example, this can be useful
+for custom flashing or erasing protocols::
+
+    $ fastboot stage bootloader.img
+    $ fastboot oem board:write_bootloader
+
+In this case, ``cmd_parameter`` argument of the function ``fastboot_oem_board()``
+will contain string "write_bootloader" and ``data`` argument is a pointer to
+fastboot input buffer, which containing the contents of bootloader.img file.
+
 References
 ----------
 
diff --git a/drivers/fastboot/Kconfig b/drivers/fastboot/Kconfig
index 5e5855a76c..937a39f54a 100644
--- a/drivers/fastboot/Kconfig
+++ b/drivers/fastboot/Kconfig
@@ -249,6 +249,13 @@ config FASTBOOT_CMD_OEM_CONSOLE
 	  Add support for the "oem console" command to input and read console
 	  record buffer.
 
+config FASTBOOT_OEM_BOARD
+	bool "Enable the 'oem board' command"
+	help
+	  This extends the fastboot protocol with an "oem board" command. This
+	  command allows running vendor custom code defined in board/ files.
+	  Otherwise, it will do nothing and send fastboot fail.
+
 endif # FASTBOOT
 
 endmenu
diff --git a/drivers/fastboot/fb_command.c b/drivers/fastboot/fb_command.c
index f95f4e4ae1..96c27afc60 100644
--- a/drivers/fastboot/fb_command.c
+++ b/drivers/fastboot/fb_command.c
@@ -42,6 +42,7 @@ static void oem_format(char *, char *);
 static void oem_partconf(char *, char *);
 static void oem_bootbus(char *, char *);
 static void oem_console(char *, char *);
+static void oem_board(char *, char *);
 static void run_ucmd(char *, char *);
 static void run_acmd(char *, char *);
 
@@ -113,6 +114,10 @@ static const struct {
 		.command = "oem console",
 		.dispatch = CONFIG_IS_ENABLED(FASTBOOT_CMD_OEM_CONSOLE, (oem_console), (NULL))
 	},
+	[FASTBOOT_COMMAND_OEM_BOARD] = {
+		.command = "oem board",
+		.dispatch = CONFIG_IS_ENABLED(FASTBOOT_OEM_BOARD, (oem_board), (NULL))
+	},
 	[FASTBOOT_COMMAND_UCMD] = {
 		.command = "UCmd",
 		.dispatch = CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT, (run_ucmd), (NULL))
@@ -542,3 +547,28 @@ static void __maybe_unused oem_console(char *cmd_parameter, char *response)
 	else
 		fastboot_response(FASTBOOT_MULTIRESPONSE_START, response, NULL);
 }
+
+/**
+ * fastboot_oem_board() - Execute the OEM board command. This is default
+ * weak implementation, which may be overwritten in board/ files.
+ *
+ * @cmd_parameter: Pointer to command parameter
+ * @data: Pointer to fastboot input buffer
+ * @size: Size of the fastboot input buffer
+ * @response: Pointer to fastboot response buffer
+ */
+void __weak fastboot_oem_board(char *cmd_parameter, void *data, u32 size, char *response)
+{
+	fastboot_fail("oem board function not defined", response);
+}
+
+/**
+ * oem_board() - Execute the OEM board command
+ *
+ * @cmd_parameter: Pointer to command parameter
+ * @response: Pointer to fastboot response buffer
+ */
+static void __maybe_unused oem_board(char *cmd_parameter, char *response)
+{
+	fastboot_oem_board(cmd_parameter, fastboot_buf_addr, image_size, response);
+}
diff --git a/include/fastboot.h b/include/fastboot.h
index 1e7920eb91..2ca1b907a5 100644
--- a/include/fastboot.h
+++ b/include/fastboot.h
@@ -48,6 +48,7 @@ enum {
 	FASTBOOT_COMMAND_OEM_BOOTBUS,
 	FASTBOOT_COMMAND_OEM_RUN,
 	FASTBOOT_COMMAND_OEM_CONSOLE,
+	FASTBOOT_COMMAND_OEM_BOARD,
 	FASTBOOT_COMMAND_ACMD,
 	FASTBOOT_COMMAND_UCMD,
 	FASTBOOT_COMMAND_COUNT
-- 
2.34.1

Re: [PATCH v3 1/1] fastboot: introduce 'oem board' subcommand

[Mattijs Korpershoek]

Hi Alexey,

Thank you for the patch.

On lun., avril 08, 2024 at 13:15, Alexey Romanov <avromanov@salutedevices.com> wrote:

> Currently, fastboot protocol in U-Boot has no opportunity
> to execute vendor custom code with verifed boot. This patch
> introduce new fastboot subcommand fastboot oem board:<cmd>,
> which allow to run custom oem_board function.
>
> Default implementation is __weak. Vendor must redefine it in
> board/ folder with his own logic.
>
> For example, some vendors have their custom nand/emmc partition
> flashing or erasing. Here some typical command for such use cases:
>
> - flashing:
>
>   $ fastboot stage bootloader.img
>   $ fastboot oem board:write_bootloader
>
> - erasing:
>
>   $ fastboot oem board:erase_env
>
> Signed-off-by: Alexey Romanov <avromanov@salutedevices.com>

Reviewed-by: Mattijs Korpershoek <mkorpershoek@baylibre.com>

Thank you for being patient on this topic!

I'll be awaiting 2 more days and will apply to the u-boot-dfu if no
other remarks have been made.


> ---
>  doc/android/fastboot.rst      | 18 ++++++++++++++++++
>  drivers/fastboot/Kconfig      |  7 +++++++
>  drivers/fastboot/fb_command.c | 30 ++++++++++++++++++++++++++++++
>  include/fastboot.h            |  1 +
>  4 files changed, 56 insertions(+)
>
> diff --git a/doc/android/fastboot.rst b/doc/android/fastboot.rst
> index 05d8f77759..2020590657 100644
> --- a/doc/android/fastboot.rst
> +++ b/doc/android/fastboot.rst
> @@ -30,6 +30,7 @@ The following OEM commands are supported (if enabled):
>  - ``oem bootbus``  - this executes ``mmc bootbus %x %s`` to configure eMMC
>  - ``oem run`` - this executes an arbitrary U-Boot command
>  - ``oem console`` - this dumps U-Boot console record buffer
> +- ``oem board`` - this executes an custom board function which is defined by vendor
>  
>  Support for both eMMC and NAND devices is included.
>  
> @@ -246,6 +247,23 @@ including multiple commands (using e.g. ``;`` or ``&&``) and control structures
>  (``if``, ``while``, etc.). The exit code of ``fastboot`` will reflect the exit
>  code of the command you ran.
>  
> +Running Custom Vendor Code
> +^^^^^^^^^^^^^^^^^^^^^^^^^^
> +
> +U-Boot allows you to execute custom fastboot logic, which can be defined
> +in board/ files. It can still be used for production devices with verified
> +boot, because vendor define logic at compile time by overriding weak
> +implementation of fastboot_oem_board() function. The attacker will
> +not able to execute his commands / code. For example, this can be useful
> +for custom flashing or erasing protocols::
> +
> +    $ fastboot stage bootloader.img
> +    $ fastboot oem board:write_bootloader
> +
> +In this case, ``cmd_parameter`` argument of the function ``fastboot_oem_board()``
> +will contain string "write_bootloader" and ``data`` argument is a pointer to
> +fastboot input buffer, which containing the contents of bootloader.img file.
> +
>  References
>  ----------
>  
> diff --git a/drivers/fastboot/Kconfig b/drivers/fastboot/Kconfig
> index 5e5855a76c..937a39f54a 100644
> --- a/drivers/fastboot/Kconfig
> +++ b/drivers/fastboot/Kconfig
> @@ -249,6 +249,13 @@ config FASTBOOT_CMD_OEM_CONSOLE
>  	  Add support for the "oem console" command to input and read console
>  	  record buffer.
>  
> +config FASTBOOT_OEM_BOARD
> +	bool "Enable the 'oem board' command"
> +	help
> +	  This extends the fastboot protocol with an "oem board" command. This
> +	  command allows running vendor custom code defined in board/ files.
> +	  Otherwise, it will do nothing and send fastboot fail.
> +
>  endif # FASTBOOT
>  
>  endmenu
> diff --git a/drivers/fastboot/fb_command.c b/drivers/fastboot/fb_command.c
> index f95f4e4ae1..96c27afc60 100644
> --- a/drivers/fastboot/fb_command.c
> +++ b/drivers/fastboot/fb_command.c
> @@ -42,6 +42,7 @@ static void oem_format(char *, char *);
>  static void oem_partconf(char *, char *);
>  static void oem_bootbus(char *, char *);
>  static void oem_console(char *, char *);
> +static void oem_board(char *, char *);
>  static void run_ucmd(char *, char *);
>  static void run_acmd(char *, char *);
>  
> @@ -113,6 +114,10 @@ static const struct {
>  		.command = "oem console",
>  		.dispatch = CONFIG_IS_ENABLED(FASTBOOT_CMD_OEM_CONSOLE, (oem_console), (NULL))
>  	},
> +	[FASTBOOT_COMMAND_OEM_BOARD] = {
> +		.command = "oem board",
> +		.dispatch = CONFIG_IS_ENABLED(FASTBOOT_OEM_BOARD, (oem_board), (NULL))
> +	},
>  	[FASTBOOT_COMMAND_UCMD] = {
>  		.command = "UCmd",
>  		.dispatch = CONFIG_IS_ENABLED(FASTBOOT_UUU_SUPPORT, (run_ucmd), (NULL))
> @@ -542,3 +547,28 @@ static void __maybe_unused oem_console(char *cmd_parameter, char *response)
>  	else
>  		fastboot_response(FASTBOOT_MULTIRESPONSE_START, response, NULL);
>  }
> +
> +/**
> + * fastboot_oem_board() - Execute the OEM board command. This is default
> + * weak implementation, which may be overwritten in board/ files.
> + *
> + * @cmd_parameter: Pointer to command parameter
> + * @data: Pointer to fastboot input buffer
> + * @size: Size of the fastboot input buffer
> + * @response: Pointer to fastboot response buffer
> + */
> +void __weak fastboot_oem_board(char *cmd_parameter, void *data, u32 size, char *response)
> +{
> +	fastboot_fail("oem board function not defined", response);
> +}
> +
> +/**
> + * oem_board() - Execute the OEM board command
> + *
> + * @cmd_parameter: Pointer to command parameter
> + * @response: Pointer to fastboot response buffer
> + */
> +static void __maybe_unused oem_board(char *cmd_parameter, char *response)
> +{
> +	fastboot_oem_board(cmd_parameter, fastboot_buf_addr, image_size, response);
> +}
> diff --git a/include/fastboot.h b/include/fastboot.h
> index 1e7920eb91..2ca1b907a5 100644
> --- a/include/fastboot.h
> +++ b/include/fastboot.h
> @@ -48,6 +48,7 @@ enum {
>  	FASTBOOT_COMMAND_OEM_BOOTBUS,
>  	FASTBOOT_COMMAND_OEM_RUN,
>  	FASTBOOT_COMMAND_OEM_CONSOLE,
> +	FASTBOOT_COMMAND_OEM_BOARD,
>  	FASTBOOT_COMMAND_ACMD,
>  	FASTBOOT_COMMAND_UCMD,
>  	FASTBOOT_COMMAND_COUNT
> -- 
> 2.34.1

Re: [PATCH v3 1/1] fastboot: introduce 'oem board' subcommand

[Quentin Schulz]

Hi Alexey,

On 4/8/24 12:15, Alexey Romanov wrote:
> Currently, fastboot protocol in U-Boot has no opportunity
> to execute vendor custom code with verifed boot. This patch
> introduce new fastboot subcommand fastboot oem board:<cmd>,
> which allow to run custom oem_board function.
> 
> Default implementation is __weak. Vendor must redefine it in
> board/ folder with his own logic.
> 
> For example, some vendors have their custom nand/emmc partition
> flashing or erasing. Here some typical command for such use cases:
> 
> - flashing:
> 
>    $ fastboot stage bootloader.img
>    $ fastboot oem board:write_bootloader
> 
> - erasing:
> 
>    $ fastboot oem board:erase_env
> 
> Signed-off-by: Alexey Romanov <avromanov@salutedevices.com>
> ---
>   doc/android/fastboot.rst      | 18 ++++++++++++++++++
>   drivers/fastboot/Kconfig      |  7 +++++++
>   drivers/fastboot/fb_command.c | 30 ++++++++++++++++++++++++++++++
>   include/fastboot.h            |  1 +
>   4 files changed, 56 insertions(+)
> 
> diff --git a/doc/android/fastboot.rst b/doc/android/fastboot.rst
> index 05d8f77759..2020590657 100644
> --- a/doc/android/fastboot.rst
> +++ b/doc/android/fastboot.rst
> @@ -30,6 +30,7 @@ The following OEM commands are supported (if enabled):
>   - ``oem bootbus``  - this executes ``mmc bootbus %x %s`` to configure eMMC
>   - ``oem run`` - this executes an arbitrary U-Boot command
>   - ``oem console`` - this dumps U-Boot console record buffer
> +- ``oem board`` - this executes an custom board function which is defined by vendor

s/an/a/

+the vendor? (missing "the")

>   
>   Support for both eMMC and NAND devices is included.
>   
> @@ -246,6 +247,23 @@ including multiple commands (using e.g. ``;`` or ``&&``) and control structures
>   (``if``, ``while``, etc.). The exit code of ``fastboot`` will reflect the exit
>   code of the command you ran.
>   
> +Running Custom Vendor Code
> +^^^^^^^^^^^^^^^^^^^^^^^^^^
> +
> +U-Boot allows you to execute custom fastboot logic, which can be defined
> +in board/ files. It can still be used for production devices with verified
> +boot, because vendor define logic at compile time by overriding weak

s/vendor define/the vendor defines/

Suggestion:

Replace "by overriding weak implementation of fastboot_oem_board()" with 
"by implementing fastboot_oem_board()", the weak symbol is an 
implementation detail I don't think we need to keep in the documentation?

> +implementation of fastboot_oem_board() function. The attacker will
> +not able to execute his commands / code. For example, this can be useful

+be able (missing be)

s/his/custom/ or s/his/their/

> +for custom flashing or erasing protocols::
> +
> +    $ fastboot stage bootloader.img
> +    $ fastboot oem board:write_bootloader
> +
> +In this case, ``cmd_parameter`` argument of the function ``fastboot_oem_board()``
> +will contain string "write_bootloader" and ``data`` argument is a pointer to
> +fastboot input buffer, which containing the contents of bootloader.img file.
> +

Either

-which (remove "which")

s/which containing/which contains/

Cheers,
Quentin

Re: [PATCH v3 0/1] Introduce fastboot oem board command

[Mattijs Korpershoek]

Hi,

On Mon, 08 Apr 2024 13:15:51 +0300, Alexey Romanov wrote:
> Changes V1 -> V2 [1]:
>   - Added an example of using the command as requested
>     by Sean Anderson [2].
> 
> Changes V2 -> V3 [3]:
>   - Rebase over uboot/master.
>   - Add documentation.
>   - Remove example added in V2 [1].
> 
> [...]

Thanks, Applied to https://source.denx.de/u-boot/custodians/u-boot-dfu (u-boot-dfu-next)

[1/1] fastboot: introduce 'oem board' subcommand
      https://source.denx.de/u-boot/custodians/u-boot-dfu/-/commit/78ae23de701bd65501079b4c39158f152bfbafa9

--
Mattijs